Lightweight secure autonomic control plane

The invention claimed is: 1. A network device comprising: a transmitter; a receiver; a memory configured to store instructions; and a processor coupled to the memory, the transmitter, and the receiver, and wherein the processor configured to execute the instructions to: establish a secure connection with one or more network nodes of an Autonomic Control Plane (ACP) network; initiate a connection with a destination network node; receive application data-packets from an application for transmission toward a destination network node across the ACP network; determine that the application data-packets are unencrypted; end-to-end encrypt the application data-packets to generate encrypted application data-packets in response to determining that the application data-packets are unencrypted; receive routing protocol data-packets; determine that the routing protocol data-packets are unencrypted; end-to-end encrypt the routing protocol data-packets to generate encrypted routing protocol data-packets in response to determining that the routing protocol data- packets are unencrypted; and cause the transmitter to transmit the encrypted application data-packets and the encrypted routing protocol data-packets across the ACP network. 2. The network device of claim 1 , wherein the processor is further configured to execute the instructions to perform no additional encryption when the application data-packets are encrypted by the application. 3. The network device of claim 1 , wherein the application data-packets are encrypted according to a Transport layer security (TLS) protocol, a datagram transport layer security protocol (dTLS), or combinations thereof. 4. The network device of claim 1 , wherein to establish establishing the secure connection with the one or more network nodes, the processor is configured to execute the instructions to: transmit encryption discovery unsolicited link local (NULL) Generic Autonomic Signaling Protocol (GRASP) discovery messages to the one or more network nodes; establish a secure Transport layer security (TLS) connection for authentication; and unblock ports corresponding to authenticated network nodes. 5. The network device of claim 1 , wherein to establish the secure connection with the one or more network nodes, the processor is configured to execute the instructions to establish multicast link-local communication connections with adjacent network nodes. 6. The network device of claim 1 , wherein the processor is further configured to execute the instructions to determine, prior to initiating the connection with the destination network node, that the destination network node is reachable via the ACP network by employing an ACP routing table. 7. The network device of claim 6 , wherein the processor is further configured to execute the instructions to: receive Virtual Routing and Forwarding (VRF) addresses of network nodes in the ACP network as flooded by an ACP routing protocol; and populate the ACP routing table with the VRF addresses of the network nodes in the ACP network. 8. The network device of claim 1 , wherein the processor is further configured to execute the instructions to employ an address mapping service to determine an ACP Virtual Routing and Forwarding (VRF) address for the destination network node to determine that the destination network node is reachable via the ACP network prior to initiating the connection with the destination network node. 9. The network device of claim 8 , wherein to employ the address mapping service, the processor is configured to execute the instructions to: flood, using the transmitter, an ACP Generic Autonomic Signaling Protocol (GRASP) discovery message across the ACP network; and receive, using the receiver, the VRF for the destination network node in a GRASP respond message in response to the GRASP discovery message. 10. The network device of claim 1 , wherein to trasmit the encrypted application data-packets and the encrypted routing protocol data-packets across the ACP network, the processor is configured to execute the instructions to: tag the encrypted application data-packets and the encrypted routing protocol data-packets to indicate membership in the ACP network; and block all packets except for tagged encrypted application data-packets and tagged encrypted routing protocol data-packets. 11. The network device of claim 1 , wherein to transmit transmitting the encrypted application data-packets across the ACP network, the processor is configured to execute the instructions to multicast the encrypted application data-packets by executing the instructions to: create a plurality of secure end-to-end connections with a plurality of adjacent network nodes; and unicast the encrypted application data-packets over the secure end-to- end connections. 12. The network device of claim 1 , wherein the processor is further configured to execute the instructions to protect the secure connection against a man-in-the- middle attack by executing the instructions to: exchange interface sent/received packet/byte counters and corresponding timestamps with adjacent network nodes in the ACP network; and determine an intruder when a difference in a sent packet counter and a received packet counter over a specified time period exceeds an error threshold. 13. A method, implemented in a network device, the method comprising: initiating a connection with a destination network node across an Autonomic Control Plane (ACP) network; receiving application data-packets from an application for transmission toward the destination network node across the ACP network; determining that the application data-packets are unencrypted; end-to-end encrypting the application data-packets to generate encrypted application data-packets in response to determining that the application data-packets are unencrypted; receiving routing protocol data-packets; determining that the routing protocol data-packets are unencrypted; end-to-end encrypting the routing protocol data-packets to generate encrypted routing protocol data-packets in response to determining that the routing protocol data-packets are unencrypted; and transmitting the application data-packets and the encrypted routing protocol data-packets across the ACP network. 14. The method of claim 13 , wherein the routing protocol data-packets are link local multicast packets for an ACP routing protocol, and wherein end-to-end encrypting the routing protocol data-packets comprises: converting the routing protocol data-packets to a list of unicast packets; and encrypting the unicast packets according to a datagram transport layer security (dTLS) protocol to generate encrypted unicast packets; and transmitting the encrypted unicast packets as link-local unicast to neighboring network nodes. 15. The method of claim 13 , further comprising establishing a secure connection with one or more network nodes of the ACP network, wherein establishing the secure connection with the one or more network nodes includes authenticating adjacent network nodes in the ACP network according to an encryption discovery unsolicited link local (NULL) Generic Autonomic Signaling Protocol (GRASP) protocol. 16. The method of claim 15 , further comprising protecting the secure connection against a man-in-the-middle attack by: exchanging packet counters and corresponding timestamps with adjacent network nodes in the ACP network; and determining an intruder when a difference in a sent packet counter and a received packet counter over a specified time period exceeds an error threshold calculated based