This may sound like a form of network DRM, but let's motor on, shall we?
Idea I: could an app call the local host's TCP/IP implementation (an additional API or feature?) to write a bit into the packet header, similar to TOS/DSCP/Precedence, that defines the *confidentiality* or *usability* of a packet, and would it be honored in transit or at the endpoint? (Note that TOS/DSCP lives in the IP header, not the TCP header, and the low two bits of that byte are already spoken for by ECN; routers also routinely remark or clear DSCP at administrative boundaries, so anything carried there is only honored inside a domain you control.) Could you just reserve an existing class, or have they all been used already? Is IP-in-IP a possibility for 'intelligent packets', or must it be an 'intelligent network'? Does all of this go out the window with IPv6, or should we be building more security into the type of data object with our v6 stacks, more in sync with our 'shrinking perimeters'?
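To make the "could an app write that bit" question concrete, here is an added example (not code from the original post or from any vendor) showing what a host stack already lets an unprivileged application do today: set the 6-bit DSCP value in the IP TOS byte (or the IPv6 Traffic Class byte) on its own socket and read it back. It assumes a Linux/POSIX sockets environment; the enum names and the `set_and_read_dscp` helper are this example's own. The read-back only proves the *local* stack accepted the marking; nothing here can tell you whether the next hop preserves it, which is exactly the "honored in transit" problem.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* DSCP occupies the high 6 bits of the 8-bit IP TOS / IPv6 Traffic Class
   byte; the low 2 bits belong to ECN and must be left alone. */
enum { DSCP_CS0 = 0, DSCP_AF11 = 10, DSCP_EF = 46 };   /* standard code points */

/* Pack a DSCP code point into a TOS byte (ECN bits zero). */
int dscp_to_tos(int dscp) { return (dscp & 0x3f) << 2; }

/* Extract the DSCP code point from a TOS byte, ignoring ECN bits. */
int tos_to_dscp(int tos) { return (tos >> 2) & 0x3f; }

/* Mark a fresh datagram socket with the given DSCP and read the marking
   back from the kernel. Returns the TOS byte the kernel reports, or -1 on
   any socket/setsockopt/getsockopt failure.
   family: AF_INET uses IP_TOS, AF_INET6 uses IPV6_TCLASS (same byte layout).
   Hypothetical helper written for this example; no privilege is required on
   Linux for either option. */
int set_and_read_dscp(int family, int dscp) {
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0) return -1;

    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt   = (family == AF_INET6) ? IPV6_TCLASS  : IP_TOS;
    int tos   = dscp_to_tos(dscp);
    int got   = -1;
    socklen_t len = sizeof got;

    if (setsockopt(fd, level, opt, &tos, sizeof tos) < 0 ||
        getsockopt(fd, level, opt, &got, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return got;          /* what every packet from this socket will carry on the wire */
}

int main(void) {
    int v4 = set_and_read_dscp(AF_INET,  DSCP_EF);
    int v6 = set_and_read_dscp(AF_INET6, DSCP_EF);
    printf("IPv4 TOS byte: 0x%02x (DSCP %d)\n", v4, v4 < 0 ? -1 : tos_to_dscp(v4));
    printf("IPv6 TC  byte: 0x%02x (DSCP %d)\n", v6, v6 < 0 ? -1 : tos_to_dscp(v6));
    /* Caveat: the marking is neither authenticated nor end-to-end; any router
       on the path may rewrite it, and the receiver sees only the last hop's value. */
    return 0;
}
```

The point of the read-back is the gap it exposes: a host can stamp its own packets trivially, but the stamp is an unauthenticated hint to the network, not a property of the data, so a "confidential" class would need enforcement at every hop that touches it, which is what makes this an intelligent-network rather than an intelligent-packet design.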
Idea II: why not use intentional enterprise 'sinkholes' to achieve TIA (Total Information Awareness) on your core networks and watch everything in real time? Lots of negatives here, but bear with me a minute. This is more for the enterprise than the telco.
Override the standard default route, or force edge traffic to the regional or local core first, where you can watch and/or inspect session data? Changing hosts' default gateways would be too hard and is not practical or achievable anyway. Why not turn the IDS/sniffing mentality inside out? Force the traffic to high-bandwidth cores for inspection, cleaning, recording and scrubbing? Combine it with IPFIX/flow export at the edge? Come on, bandwidth is not a problem anymore, only in ASIAPAC ;)
For real-life examples (from a 'billing' perspective only), Cisco's Intelligent Service Solution:
Service Control Engine:
But from an enterprise security and assurance perspective... anyway, watch this space. I will think about this some more.