Distributed identity-based firewall policy evaluation

The invention claimed is: 1. A method comprising: intercepting a first packet incoming to a first entity, wherein the first packet comprises metadata; based on determining that the metadata of the first packet comprise an extension header, determining whether the first packet can be verified, wherein the determination of whether the first packet can be verified comprises determining whether the extension header comprises a signature that includes an encoded identifier of a sender entity of the first packet; in response to determining that the first packet can be verified based on determining that the extension header comprises the signature that includes the encoded identifier of the sender entity of the first packet, determining based on a firewall policy whether the sender entity and the first entity are permitted to communicate, wherein determining whether the sender entity and the first entity are permitted to communicate comprises: decoding the encoded identifier to obtain an identifier of the sender entity, wherein the identifier of the sender entity was determined for the sender entity based on the firewall policy and differs from an Internet Protocol (IP) address of the sender entity; and evaluating the first packet for compliance with the firewall policy based on the identifier of the sender entity, wherein the firewall policy comprises rules for communications of a plurality of entities based on a plurality of identifiers of a corresponding plurality of entities, wherein the plurality of identifiers are unique to respective ones of the plurality of entities and differs from IP addresses of the plurality of entities, and wherein the plurality of identifiers includes the identifier of the sender entity; and in response to determining that the first packet cannot be verified based on determining that the extension header does not comprise the signature that includes the encoded identifier of the sender entity of the first packet or that the metadata of the first packet do not comprise an extension header, performing one or more mitigation actions. 2. The method of claim 1 , wherein determining if the first packet can be verified comprises determining if the signature also includes a message authenticator that can be verified. 3. The method of claim 2 , wherein the message authenticator comprises a first message authentication code (MAC), wherein determining if the signature also includes a message authenticator that can be verified comprises, determining that the signature comprises a first MAC; computing a value based on the encoded identifier and a current time relative to an epoch; and determining if the first MAC matches the computed value based on comparing the first MAC to the computed value. 4. The method of claim 3 , wherein determining that the first packet can be verified comprises determining that the first MAC matches the computed value, wherein determining that the first packet cannot be verified comprises determining that the first MAC does not match the computed value. 5. The method of claim 3 , wherein computing the value comprises computing a second MAC based on the encoded identifier and the current time relative to the epoch, wherein determining if the first MAC matches the computed value comprises determining if the first MAC matches the second MAC. 6. The method of claim 1 , further comprising: based on intercepting the first packet when outbound from the sender entity, encoding the identifier of the sender entity to obtain the encoded identifier; adding the signature in an extension header field of the first packet; and forwarding the first packet toward the first entity. 7. The method of claim 6 , further comprising computing a message authenticator based on the encoded identifier, wherein the signature added in the extension header field comprises the encoded identifier and the message authenticator. 8. The method of claim 6 , wherein the encoded identifier is a numeric value, wherein encoding the identifier of the sender entity comprises encoding the identifier based on an order of the sender entity in a listing of the plurality of identifiers defined for the firewall policy. 9. The method of claim 1 , wherein performing the one or more mitigation actions comprises at least one of rejecting the first packet, terminating communications with the sender entity, blacklisting a network address from which the first packet was sent, and reconfiguring a load balancer to cease forwarding of packets from the sender of entity to the first entity. 10. The method of claim 1 , wherein the plurality of identifiers also comprises an identifier of the first entity, wherein evaluating the first packet for compliance with the firewall policy comprises evaluating the firewall policy based on the identifier of the sender entity and the identifier of the first entity to determine if communications between the sender entity and the first entity are permitted. 11. One or more non-transitory machine-readable media having program code stored thereon, the program code comprising instructions executable by a processor to cause the processor to: intercept a first packet destined for a first entity; based on a determination that metadata of the first packet comprise an extension header, determine whether the first packet can be verified, wherein the instructions to determine whether the first packet can be verified comprise instructions to determine whether the extension header comprises a signature that includes an encoded identifier of a sender of the first packet; in response to a determination that the first packet can be verified based on a determination that the extension header comprises the signature that includes the encoded identifier of the sender of the first packet, determine based on a firewall policy whether the sender of the first packet is permitted to communicate with the first entity, wherein the instructions to determine whether the sender of the first packet is permitted to communicate with the first entity comprise instructions to: decode the encoded identifier to obtain an identifier of the sender of the first packet, wherein the identifier of the sender was determined for the sender of the first packet based on the firewall policy and differs from an Internet Protocol (IP) address of the sender; and evaluate the first packet for compliance with the firewall policy based on the identifier of the sender, wherein the firewall policy comprises rules for communications of a plurality of entities based on a plurality of identifiers of a corresponding plurality of entities, wherein the plurality of identifiers differs from IP addresses of the plurality of entities and are unique to corresponding ones of the plurality of entities, and wherein the plurality of identifiers includes the identifier of the sender; and in response to a determination that the first packet cannot be verified based on a determination that the extension header does not comprise the signature that includes the encoded identifier of the sender of the first packet or that the metadata of the first packet do not comprise an extension header, perform one or more mitigation actions. 12. The non-transitory machine-readable media of claim 11 , wherein the instructions to determine whether the first packet can be verified further comprise instructions to determine whether a message authenticator included in the signature can be verified. 13. The non-transitory machine-readable media of claim 12 , wherein the message authenticator comprises a message authentication code (MAC), wherein the instructions to determine whether the message authenticator can be verifi