Co-operative load sharing and redundancy in distributed service chains in a network environment
US-2015085870-A1 · Mar 26, 2015 · US
US11539747B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11539747-B2 |
| Application number | US-202016780047-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 3, 2020 |
| Priority date | Apr 28, 2017 |
| Publication date | Dec 27, 2022 |
| Grant date | Dec 27, 2022 |
Abstract
A method for resuming a Transport Layer Security (TLS) session in a Service Function Chain comprising a plurality of Service Function nodes coupled to a Service Function Forwarder. A request is received at a first Service Function node to establish a TLS session, and a Pre-Shared Key (PSK) and a PSK identifier that uniquely correspond to the first Service Function node and the TLS session are generated. The PSK identifier is forwarded to one or more of the Service Function Forwarder and the plurality of Service Function nodes. A request to resume the TLS session is received from a client device that previously disconnected. It is determined that the connection request contains the PSK identifier, a second Service Function node is selected, and the TLS session is re-established between the client device and the second Service Function node using the same PSK as the prior TLS session.
Claims (preview)
What is claimed is:
1. A method comprising: receiving a connection request from a client device, the connection request including at least an identifier; determining, from the identifier, the client device was previously connected to a communication session with a first node; in response to determining the client device was previously connected to the communication session, retrieving from a database a key associated with the identifier; determining a second node to re-establish the communication session based at least in part on the identifier or key, wherein the second node and the first node are different nodes within a group of service function nodes between the client device and a destination device; and transmitting the connection request to the second node to re-establish the communication session using the key between the client device and the second node.
2. The method of claim 1, wherein the second node is determined by uniquely associated with the identifier from the connection request node.
3. The method of claim 2, wherein the connection request is carried by a Transmission Control Protocol (TCP) SYN packet, such that the second node determines the TCP SYN packet contains the identifier, and uses a Pre-Shared Key (PSK) associated with the identifier to decrypt and process an initial flight of data contained in the TCP SYN packet.
4. The method of claim 2, wherein the connection request is carried by a Quick UDP Internet Connections (QUIC) packet, such that the second node determines the QUIC packet contains the identifier, and uses a Pre-Shared Key (PSK) associated with the identifier to decrypt and process an initial flight of data contained in the QUIC packet.
5. The method of claim 1, wherein the second node is selected by performing load balancing at a Service Function Forwarder (SFF).
6. The method of claim 5, wherein a Pre-Shared Key (PSK) associated with the identifier is stored as an entry in a memory structure and the identifier is a corresponding entry lookup key for the PSK, such that the second node is configured to extract the identifier from the connection request and obtain the PSK from the memory structure to re-establish the communication session.
7. The method of claim 5, wherein the identifier includes a self-contained ticket containing an encrypted copy of a Pre-Shared Key (PSK), and the second node is configured to receive required cryptographic keying material to decrypt the PSK from the SFF and/or one or more of the plurality of nodes, such that the second node is configured to extract the PSK from the self-contained ticket to re-establish the communication session.
8. The method of claim 1, further comprising: forwarding the identifier to a Service Function Forwarder (SFF) and/or one or more of the group of nodes including a publish-subscribe mechanism.
9. A non-transitory computer-readable device having stored therein instructions which, when executed by at least one processor, cause the at least one processor to perform operations comprising: receiving a connection request from a client device, the connection request including at least an identifier; determining, from the identifier, the client device was previously connected to a communication session with a first node; in response to determining the client device was previously connected to the communication session, retrieving from a database a key associated with the identifier; determining a second node to re-establish the communication session based at least in part on the identifier or key, wherein the second node and the first node are different nodes within a group of service function nodes between the client device and device; and transmitting the connection request to the second node to re-establish the communication session using the key between the client device and the second node.
10. The non-transitory computer-readable device of claim 9, wherein the instructions further cause the at least one processor to determining the second node is uniquely associated with the identifier from the connection request.
11. The non-transitory computer-readable device of claim 9, wherein the connection request is carried by a Transmission Control Protocol (TCP) SYN packet, such that the second node determines the TCP SYN packet contains the identifier, and uses a Pre-Shared Key (PSK) associated with the identifier to decrypt and process an initial flight of data contained in the TCP SYN packet.
12. The non-transitory computer-readable device of claim 9, wherein the connection request is carried by a Quick UDP Internet Connections (QUIC) packet, such that the second node determines the QUIC packet contains the identifier, and uses a Pre-Shared Key (PSK) associated with the identifier to decrypt and process an initial flight of data contained in the QUIC packet.
13. The non-transitory computer-readable device of claim 9, wherein the instructions further cause the at least one processor to select the second node by performing load balancing at a Service Function Forwarder (SFF).
14. The non-transitory computer-readable device of claim 13, wherein a Pre-Shared Key (PSK) associated with the identifier is stored as an entry in a memory structure and the identifier is a corresponding entry lookup key for the PSK, such that the second node extracts the identifier from the connection request and obtains the PSK from the memory structure in order to re-establish the communication session.
15. The non-transitory computer-readable device of claim 13, wherein the identifier includes a self-contained ticket containing an encrypted copy of a Pre-Shared Key (PSK), and the second node is configured to receive cryptographic keying material to decrypt the PSK from the SFF and/or one or more of the plurality of nodes, such that the second node is configured to extract the PSK from the self-contained ticket to re-establish the communication session.
16. The non-transitory computer-readable device of claim 9, wherein the instructions further cause the at least one processor to forward the identifier to a Service Function Forwarder (SFF) and/or one or more of a plurality of nodes with a publish-subscribe mechanism or a modification of Network Service Header (NSH) metadata.
17. A system comprising: at least one processor; and a computer-readable memory coupled to the at least one processor, the memory including instructions stored therein that, when executed by the at least one processor, cause the at least one processor to perform operations comprising: receiving a connection request from a client device, the connection request including at least an identifier; determining, from the identifier, the client device was previously connected to a communication session with a first node; in response to determining the client device was previously connected to the communication session, retrieving from a database a key associated with the identifier; determining a second node to re-establish the communication session based at least in part on the identifier or key, wherein the second node and the first node are different nodes within a group of service function nodes between the client device and destination device; and transmitting the connection request to the second node to re-establish the communication session using the key between the client device and the second node.
18. The system of claim 17, wherein the operations include causing the at least one processor to determine the second node is uniquely associated with the identifier from the connection request.
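The abstract and claims above describe the resumption flow in prose. The Go program below is an example added here, not code from the patent or its assignee, that models the flow end to end: a first node generates a PSK and PSK identifier and publishes them to a store shared with the SFF and the other nodes (claims 6 and 8); the client later sends a connection request carrying the identifier plus an initial flight of data encrypted under the PSK (claims 3 and 4); the SFF confirms the identifier belongs to a prior session, picks a different node by load balancing (claims 1 and 5), and that node looks the PSK up by identifier and decrypts the initial flight. Everything concrete here is an assumption of this example rather than something the patent specifies: a single in-memory map stands in for the replicated store or publish-subscribe mechanism, AES-256-GCM stands in for TLS record protection, identifiers take the form `<node>/<random hex>` so the SFF can recover the first node from the identifier alone, load balancing is round robin, and the node names and the early-data request are constructed sample values. It also covers the failure paths a practitioner cares about: an unknown identifier is rejected (so a full handshake would be required) and tampered or truncated early data fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// PSKStore is the memory structure of claim 6 (PSK identifier -> PSK), shared by
// the SFF and every node (claim 8). Identifiers are "<node>/<random hex>" here so
// the SFF can recover the "first node" of claim 1 from the identifier alone.
type PSKStore map[string][]byte

// ConnectionRequest stands in for the TCP SYN or QUIC packet of claims 3 and 4.
type ConnectionRequest struct {
	PSKID     string // identifier of the earlier session
	EarlyData []byte // initial flight, encrypted under the PSK
}

// aead wraps the PSK in AES-256-GCM, this example's stand-in for TLS record
// protection; a PSK of the wrong length is a programming error, hence the panic.
func aead(psk []byte) cipher.AEAD {
	block, err := aes.NewCipher(psk)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// Establish models the first connection on node: generate a fresh PSK and a
// PSK identifier unique to this node and session, and publish the pair.
func Establish(store PSKStore, node string) (id string, psk []byte) {
	buf := make([]byte, 48) // 32-byte AES-256 key followed by a 16-byte identifier
	rand.Read(buf)          // crypto/rand never returns a short read; it aborts instead
	psk, id = buf[:32], fmt.Sprintf("%s/%x", node, buf[32:])
	store[id] = psk
	return id, psk
}

// Accept is the second node's side of claim 6: look the PSK up by identifier and
// decrypt the initial flight; tampering or a wrong PSK fails authentication.
func Accept(store PSKStore, req ConnectionRequest) ([]byte, error) {
	psk, ok := store[req.PSKID]
	if !ok {
		return nil, errors.New("unknown PSK identifier; a full handshake is required")
	}
	gcm := aead(psk)
	ns := gcm.NonceSize()
	if len(req.EarlyData) < ns {
		return nil, errors.New("early data too short")
	}
	return gcm.Open(nil, req.EarlyData[:ns], req.EarlyData[ns:], nil)
}

// SFF is the Service Function Forwarder. Route performs the claim 1 steps: check
// that the identifier names a prior session, then pick a node other than the
// originating one by round-robin load balancing (claim 5).
type SFF struct {
	store PSKStore
	nodes []string
	next  int
}

func (f *SFF) Route(req ConnectionRequest) (string, error) {
	if _, ok := f.store[req.PSKID]; !ok {
		return "", errors.New("identifier not associated with any prior session")
	}
	origin, _, _ := strings.Cut(req.PSKID, "/")
	for i := range f.nodes {
		n := f.nodes[(f.next+i)%len(f.nodes)]
		if n != origin {
			f.next = (f.next + i + 1) % len(f.nodes)
			return n, nil
		}
	}
	return "", errors.New("no node other than " + origin + " available")
}

// RunScenario: the client connects to sfn-1, disconnects, then resumes through
// the SFF, which lands the session on another node that still holds the PSK.
func RunScenario() (first, second, earlyData string, err error) {
	sff := &SFF{store: PSKStore{}, nodes: []string{"sfn-1", "sfn-2", "sfn-3"}}
	id, psk := Establish(sff.store, sff.nodes[0])
	// Constructed resumption request: the client encrypts its first request under
	// the PSK it kept from the earlier session and attaches the identifier.
	gcm := aead(psk)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	req := ConnectionRequest{PSKID: id, EarlyData: gcm.Seal(nonce, nonce, []byte("GET /index.html"), nil)}
	target, err := sff.Route(req)
	if err != nil {
		return "", "", "", err
	}
	pt, err := Accept(sff.store, req)
	return sff.nodes[0], target, string(pt), err
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints the originating node, the node the SFF chose for resumption, the decrypted early data and a nil error. The identifier check in `Route` happens before any node is selected, which is the property that lets the SFF refuse a request whose identifier was never published rather than forwarding it to a node that could not decrypt it; with a real replicated store, a node that is behind on replication would see the same "unknown identifier" failure, which is the case the patent's publish step (claim 8) exists to avoid.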
using key encryption key · CPC title
applying encryption of the keys · CPC title
wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption H04L9/06) · CPC title
at the transport layer · CPC title
involving distinctive intermediate devices or communication paths (network architectures or network communication protocols using different networks H04L63/18) · CPC title