Authentication in transport layer

We are adding node-to-node authentication in ES. The authentication protocol requires a regular TCP connection, and need several rounds of message exchange. After that, the particular TCP connection could be regarded as secure for further ES node-to-node communication.
I'm trying to implement this as a transport plugin, and would like to get some thought on how to utilize existing netty-transport.
Idealy, there could be many different authentication protocols. Looks like it would be great if netty-transport allows "inject" authentication hook on per-connection basis.