A framework to handle authentication in network protocols.
Only a single "layer" can be installed at a time. If a new SASL authentication is allowed and performed it replaces the old one.
Client/server exchange a handshake to authenticate with a particular method, then handshake based on the implementation details of the method. On success the rest of the exchange is considered authenticated.
SASL does not take care of means like ensuring packets are not forged after the fact or are encrypted; you still need a layer like TLS for that.