Although H.264/AVC offers major improvements in the coding efficiency and "network friendliness" in terms of flexible mapping to transport layers, it does not offer any security features. Authentication schemes to ensure data integrity and sender authentication for H.264/AVC streams are therefore needed. Existing stream authentication schemes carry out authentication at a packet level and thus take away the flexibility of H.264/AVC. We propose SANAL, a stream authentication scheme which carries out authentication procedures at the Network Abstraction Layer (NAL) to make it possible to handle H.264/AVC-specific data without interfering with the H.264/AVC features. We implemented a SANAL prototype and carried out comparative evaluations on playout rate and communication overhead. We show an improvement of about 40% in the playout rate compared to existing schemes.