diff --git a/sec/security.go b/sec/security.go
index 95c8e6a651fbd022c4ec0580421204ee7250e5b5..42321d189c8434855a417f84bfa245e47ff8666d 100644
--- a/sec/security.go
+++ b/sec/security.go
@@ -24,3 +24,17 @@ type SecureTransport interface {
 	// SecureOutbound secures an outbound connection.
 	SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (SecureConn, error)
 }
+
+// A SecureMuxer is a wrapper around SecureTransport which can select security protocols
+// and open outbound connections with simultaneous open.
+type SecureMuxer interface {
+	// SecureInbound secures an inbound connection.
+	// The returned boolean indicates whether the connection should be trated as a server
+	// connection; in the case of SecureInbound it should always be true.
+	SecureInbound(ctx context.Context, insecure net.Conn) (SecureConn, bool, error)
+
+	// SecureOutbound secures an outbound connection.
+	// The returned boolean indicates whether the connection should be treated as a server
+	// connection due to simultaneous open.
+	SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (SecureConn, bool, error)
+}