High-assurance multi-domain network switch

What is claimed is: 1. A program product for implementing multiple domains in a network switching device having a plurality of hardware ports, the program product comprising: instructions which, when executed by one or more processing devices, cause the one or more processing devices to: assign the plurality of hardware ports to a plurality of domains with a port assignment manager, wherein hardware ports are assigned to at least two of the plurality of domains, and none of the plurality of hardware ports are concurrently assigned to multiple domains of the plurality of domains, wherein hardware ports can only be assigned by the port assignment manager; maintain first forwarding rules for a first domain with a first forwarding rule custodian, wherein the first forwarding rules direct forwarding only between hardware ports assigned to the first domain in accordance with the assignment from the port assignment manager; and maintain second forwarding rules for a second domain with a second forwarding rule custodian, wherein the second forwarding rules direct forwarding only between hardware ports assigned to the second domain in accordance with the assignment from the port assignment manager. 2. The program product of claim 1 , wherein the instructions cause the one or more processing devices to: restrict access of the first forwarding rule custodian to hardware ports, wherein access is restricted for ports assigned to a domain other than the first domain; and restrict access of the second forwarding rule custodian to hardware ports, wherein access is restricted for ports assigned to a domain other than the second domain. 3. The program product of claim 1 , wherein the first forwarding rule custodian is executed in a first virtual machine of a hypervisor, the second forwarding rule custodian is executed in a second virtual machine of the hypervisor, and the port assignment manager is executed in a third virtual machine of the hypervisor. 4. The program product of claim 1 , wherein the first forwarding rule custodian, the second forwarding rule custodian, and the port assignment manager are executed on a secure kernel. 5. The program product of claim 1 , wherein the instructions cause the one or more processing devices to: forward packets for the first domain with a first software implemented traffic forwarding engine, wherein the first software implemented traffic forwarding engine forwards packets only, in accordance with the first forwarding rules from the first forwarding rule custodian; and forward packets for the second domain with a second software implemented traffic forwarding engine, wherein the second software implemented traffic forwarding engine forwards packets only in accordance with the second forwarding rules from the second forwarding rule custodian. 6. The program product of claim 5 , wherein the instructions cause the one or more processing devices to: deny requests of the first software implemented traffic forwarding engine that are directed to hardware ports assigned to a domain other than the first domain; and deny requests of the second software implemented traffic forwarding engine that are directed to hardware ports assigned to a domain other than the second domain. 7. The program product of claim 5 , wherein the first forwarding rule custodian is executed in a first virtual machine of a hypervisor, the second forwarding rule custodian is executed in a second virtual machine of the hypervisor, the port assignment manager is executed in a third virtual machine of the hypervisor, the first software implemented traffic forwarding engine is executed in a fourth virtual machine of the hypervisor, and the second software implemented traffic forwarding engine is executed in a fifth virtual machine of the hypervisor. 8. The program product of claim 7 , wherein a first set of hardware ports are assigned to the first domain and a second set of hardware ports are assigned to the second domain, wherein the instructions cause the one or more processing devices to: execute a first one or more port hardware controllers for the first set of hardware ports, and a second one or more port hardware controllers for the second set of hardware ports, each port hardware controller of the first one or more port hardware controllers and the second one or more port hardware controllers executing in a distinct virtual machine implemented by the hypervisor, wherein each port hardware controller of the first one or more port hardware controllers and the second one or more port hardware controllers implements a TCP/IP stack for a corresponding hardware port. 9. The program product of claim 8 , wherein the instructions cause the one or more processing devices to: re-assigning one or more ports of the first set of ports by: removing the one or more ports from the first domain, wherein removing the one or more ports from the first domain includes: destroying the respective port hardware controller corresponding to each of the one or more ports or revoking access to the respective port hardware controller corresponding to each of the one or more ports for the virtual machine corresponding to the first software implemented traffic forwarding engine; and instructing the first forwarding rule custodian to no longer direct forwarding to or from the one or more ports; assigning the one or more ports to the second domain, wherein assigning the one or more ports to the second domain includes: granting access to a respective port hardware controller for each of the one or more ports for the virtual machine corresponding to the second software implemented traffic forwarding engine; and instructing the second forwarding rule custodian to direct forwarding to and from the one or more ports. 10. The program product of claim 5 , wherein the first forwarding rule custodian, the second forwarding rule custodian, the port assignment manager, the first software implemented traffic forwarding engine, and the second software implemented traffic forwarding engine are executed on a secure kernel. 11. The program product of claim 1 , wherein the port assignment manager only assigns a hardware port to a domain in response to a command from the network manager, wherein the network switching device receives the command from the network manager over a network link. 12. The program product of claim 11 , wherein a first pair of hardware ports on the network switching device are not assigned to any domain and are used for network communications between the port assignment manager and the network manager, the communications including commands instructing the port assignment manager to assign a first set of hardware ports to the first domain and a second set of hardware ports to the second domain. 13. The program product of claim 1 , wherein the first forwarding rule custodian directs forwarding between all the ports of the plurality of ports assigned to the first domain, wherein the second forwarding rule custodian directs forwarding between all the ports of the plurality of ports assigned to the second domain. 14. The program product of claim 1 , wherein the port assignment manager is configured to: direct the first forwarding rule custodian to use only memory within a first block; and direct the second forwarding rule custodian to use only memory within a second block, wherein the second block does not overlap the first block. 15. The program product of claim 1 , wherein the instructions cause the one or more processing devices to: encrypt outgoing packets and decrypt incoming packets at the plurality of hardware ports using a differen