Devices may be communicatively linked together in what may be referred to as an “L2 cloud.” Networks are typically built on a multi-layer model, such as the Open Systems Interconnection (OSI) seven-layer model. In this model, layer-2, or “L2”, is referred to as the data link, Logical Link Control (LLC) or Media Access Control (MAC) layer. L2 technologies may be used to implement local area networks, such as corporate (or other organizational) intranets. L2 technologies may also be used to transfer data between adjacent nodes in a wide-area network.
A local network (or other network) may be built as an L2 cloud, in which several devices communicate with each other using L2 technologies. An administrator may define the structure of the cloud. Conceptually, the structure of the cloud is a directional graph, where each device is a node, and connections between the nodes indicate the permissible flow of data. Different devices in the cloud may have different roles. For example, some devices may act as switches that transit data between other devices. The switches are generally given access to the graph of the network defined by the administrator, and these switches maintain an address table indicating how to reach the various nodes in the cloud. Thus, a switch may have a table that indicates how to reach nodes in the cloud—both those nodes that the switch is directly connected to, and nodes that it can reach indirectly through other nodes. The switch may use this table to direct data to particular destinations, and may do so both for data that the switch generates and for data received from other nodes.
Switching is inherently an activity that has security implications. A device that acts as a switch handles data on behalf of other devices. Thus, a device that is untrusted has the potential to cause various types of mischief with someone else's data, such as misusing the data, or redirecting the data to another device that could misuse the data. In general, switches are under the control of the network administrator, so the administrator is able to trust the switches. Thus, the administrator allows switches to transit data between devices and to make switching decisions. Other devices (e.g., client devices, or non-switch server devices) may be able to participate in the cloud, but these devices are generally not allowed to make switching decisions. Non-trusted devices may specify a destination for data, but, rather than determining the actual path for the data, non-trusted devices are generally given a default path along which to send the data. The default path generally leads to a switch, which uses its address table to select a path for the data to reach the specified destination.
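The forwarding model described above can be sketched as follows. This is an added example, not part of the original text: the topology, the node names, and the functions `build_address_table`, `next_hop` and `deliver` are all hypothetical. It builds each switch's address table from the administrator's directed graph and confines non-trusted devices to their default path.

```python
from collections import deque

# Constructed sample topology (hypothetical names, not from the page): directed
# edges give the permissible flow of data, as defined by the administrator.
GRAPH = {
    "sw1": ["sw2", "pc_a"],
    "sw2": ["sw1", "srv", "pc_b"],
    "pc_a": ["sw1"],
    "pc_b": ["sw2"],
    "srv": ["sw2"],
}
SWITCHES = {"sw1", "sw2"}                 # trusted, administrator-controlled
DEFAULT_PATH = {"pc_a": "sw1", "pc_b": "sw2", "srv": "sw2"}

def build_address_table(graph, switch):
    """BFS from the switch: map each reachable node to the first hop toward it."""
    table, queue = {}, deque()
    for nbr in graph[switch]:
        table[nbr] = nbr
        queue.append(nbr)
    while queue:
        node = queue.popleft()
        # Only switches transit data, so do not route through end devices.
        if node not in SWITCHES:
            continue
        for nbr in graph[node]:
            if nbr != switch and nbr not in table:
                table[nbr] = table[node]
                queue.append(nbr)
    return table

TABLES = {sw: build_address_table(GRAPH, sw) for sw in SWITCHES}

def next_hop(node, dst, requested_hop=None):
    """Return where `node` sends a frame addressed to `dst`."""
    if node in SWITCHES:
        return TABLES[node][dst]          # switching decision from the table
    if requested_hop is not None and requested_hop != DEFAULT_PATH[node]:
        raise PermissionError(f"{node} may not choose its own path")
    return DEFAULT_PATH[node]             # non-trusted: default path only

def deliver(src, dst):
    """Follow hops from src to dst and return the full path taken."""
    path = [src]
    while path[-1] != dst:
        path.append(next_hop(path[-1], dst))
    return path
```
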
Sometimes there are reasons to allow a non-trusted device to make switching decisions. For example, the appropriate path of the data may depend on the content of the data and how it will be used. If a non-trusted device originates the data, then that device may be in an appropriate position to determine a path for the data. However, allowing non-trusted devices to act as switches is problematic, since doing so introduces the possibility that the non-trusted device will change paths or mishandle other devices' data.