High-assurance multi-domain network switch

What is claimed is: 1. A method of implementing multiple domains in a network switching device having a plurality of hardware ports, the method comprising: assigning a plurality of hardware ports to a plurality of domains, wherein hardware ports are assigned to at least two of the plurality of domains, and none of the plurality of hardware ports are concurrently assigned to multiple domains of the plurality of domains; loading rules for forwarding packets between the plurality of hardware ports into a data plane for the network switching device, wherein the rules direct the data plane to forward only between hardware ports in a common domain of the plurality of domains; and assuring that a packet received at any hardware port assigned to a first domain of the plurality of domains is not sent in legible form from any hardware port assigned to a second domain of the plurality of domains if an error causes the data plane to forward or request forwarding the packet to any hardware port assigned to a second domain of the plurality of domains. 2. The method of claim 1 , wherein the error includes a corrupted data structure controlling packet switching decisions. 3. The method of claim 1 , comprising: executing, on the network switching device, a hypervisor to control access to hardware on the network switching device; executing a first forwarding rule custodian for a first domain, the first forwarding rule custodian executing in a first virtual machine implemented by the hypervisor, the first forwarding rule custodian maintaining first forwarding rules for the first domain; and executing a second forwarding rule custodian for a second domain, the second forwarding rule custodian executing in a second virtual machine implemented by the hypervisor, the second forwarding rule custodian maintaining second forwarding rules for the second domain, executing a port assignment manager in a third virtual machine implemented by the hypervisor, wherein assuring that a packet received at a hardware port assigned to the first domain is not sent in a legible form from any hardware port assigned to the second domain includes the port assignment manager cooperating with the hypervisor to restrict access for the first forwarding rule custodian from hardware ports assigned to a domain other than the first domain, and to restrict access for the second forwarding rule custodian from hardware ports assigned to a domain other than the second domain. 4. The method of claim 3 , comprising: executing a first software implemented traffic forwarding engine in a fourth virtual machine implemented by the hypervisor; executing a second software implemented traffic forwarding engine in a fifth virtual machine implemented by the hypervisor; wherein the first forwarding rule custodian loads first forwarding rules into the first software implemented traffic forwarding engine and wherein the second forwarding rule custodian loads second forwarding rules into the second software implemented traffic forwarding engine. 5. The method of claim 4 , wherein assuring that a packet received at a hardware port assigned to the first domain is not sent in a legible form from any hardware port assigned to the second domain includes: the port assignment manager and the hypervisor cooperating to deny requests by the first software implemented traffic forwarding engine for access to hardware ports that are not assigned to the first domain; and the port assignment manager and the hypervisor cooperating to deny requests by the second software implemented traffic forwarding engine for access to hardware ports that are not assigned to the second domain. 6. The method of claim 3 , wherein the port assignment manager only assigns a hardware port to a domain in response to a command from the network manager, wherein the network switching device receives the command from the network manager over a network link. 7. The method of claim 6 , wherein a first pair of hardware ports on the network switching device are not assigned to any domain and are used for network communications between the port assignment manager and the network manager, the communications including commands instructing the port assignment manager to assign a first set of hardware ports to the first domain and a second set of hardware ports to the second domain. 8. The method of claim 3 , wherein the first forwarding rule custodian directs forwarding between all the ports of the plurality of ports assigned to the first domain, wherein the second forwarding rule custodian directs forwarding between all the ports of the plurality of ports assigned to the second domain. 9. The method of claim 3 , wherein the port assignment manager is configured to: direct the first forwarding rule custodian to use only memory within a first block; and direct the second forwarding rule custodian to use only memory within a second block, wherein the second block does not overlap the first block. 10. The method of claim 4 , wherein a first set of hardware ports are assigned to the first domain and a second set of hardware ports are assigned to the second domain, the method comprising: executing a first one or more port hardware controllers for the first set of hardware ports, and a second one or more port hardware controllers for the second set of hardware ports, each port hardware controller of the first one or more port hardware controllers and the second one or more port hardware controllers executing in a distinct virtual machine implemented by the hypervisor, wherein each port hardware controller of the first one or more port hardware controllers and the second one or more port hardware controllers implements a TCP/IP stack for a corresponding hardware port. 11. The method of claim 10 , comprising: after assigning the first set of ports to the first domain, re-assigning one or more ports of the first set of ports by: removing the one or more ports from the first domain; and assigning the one or more ports to the second domain. 12. The method of claim 11 , wherein removing the one or more ports from the first domain includes: destroying the respective port hardware controller corresponding to each of the one or more ports or revoking access to the respective port hardware controller corresponding to each of the one or more ports for the virtual machine corresponding to the first software implemented traffic forwarding engine; and instructing the first forwarding rule custodian to no longer direct forwarding to or from the one or more ports; wherein assigning the one or more ports to the second domain includes: granting access to a respective port hardware controller for each of the one or more ports for the virtual machine corresponding to the second software implemented traffic forwarding engine; and instructing the second forwarding rule custodian to direct forwarding to and from the one or more ports. 13. The method of claim 1 , comprising: executing, on the network switching device, a secure kernel to control access to hardware on the network switching device; executing a first forwarding rule custodian on the secure kernel, the first forwarding rule custodian maintaining first forwarding rules for the first domain; and executing a second forwarding rule custodian on the secure kernel, the second forwarding rule custodian maintaining second forwarding rules for the second domain, executing a port assignment manager on the secure kernel, wherein assuring that a packet received at a hardware port assigned to the first domain is not sent in a legible form from any hardware port assigned to the second domain includes the port assignment ma