We’re building an open source alternative to AWS. Among other things, that means running a ton of VMs, which we do on Linux. We rely on Linux KVM for virtualization, and keep each VM in a separate namespace for isolation. In a setup like this, the networking stack has to provide encryption in transit, dynamically assign public IPv4 addresses to VMs, and allow flexible firewall rules. For encryption,