CN113839863A - Inter-domain forwarding path query method, device, system and storage medium - Google Patents

Publication number
CN113839863A
Authority
CN
China
Prior art keywords
path
message
packet
recording area
forwarding
Legal status
Pending
Application number
CN202010580898.XA
Other languages
Chinese (zh)
Inventor
徐恪
江伟玉
凌思通
郑秀丽
朱明明
Current Assignee
Tsinghua University
Huawei Technologies Co Ltd
Original Assignee
Tsinghua University
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 45/00 Routing or path finding of packets in data switching networks › H04L 45/74 Address processing for routing › H04L 45/745 Address table lookup; Address filtering
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 43/00 Arrangements for monitoring or testing data switching networks › H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route › H04L 43/106 Active monitoring using time related information in packets, e.g. by adding timestamps
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 45/00 Routing or path finding of packets in data switching networks › H04L 45/02 Topology update or discovery › H04L 45/04 Interdomain routing, e.g. hierarchical routing
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 45/00 Routing or path finding of packets in data switching networks › H04L 45/32 Flooding

Abstract

The embodiments of this application disclose a method, a device, a system and a storage medium for querying an inter-domain forwarding path, belonging to the technical field of network security. In these embodiments, after receiving a first path query request, the second path server can feed back to the first path server whether the corresponding second AS forwarded the first message. With this scheme an AS can quickly construct the inter-domain forwarding path of a message through the path servers, without a reverse flooding query, so the query efficiency of inter-domain forwarding paths is greatly improved. In addition, the first path server can verify the information fed back by the second path server against the path deposit certificate stored in the database, and the database is trusted by every AS, so the scheme can cope with a malicious AS misreporting, hiding or tampering with information, and the authenticity of the query result is ensured.

Description

Inter-domain forwarding path query method, device, system and storage medium
Technical Field
The embodiments of this application relate to the technical field of network security, in particular to a method, a device, a system and a storage medium for querying an inter-domain forwarding path.
Background
With the development of the internet, new network services keep emerging and malicious network attacks are becoming more complex, so that querying the real inter-domain forwarding path of a message has become an important requirement, for example the real inter-domain path query between Autonomous Systems (ASs).
In the related art, a hash-based Internet Protocol (IP) traceback (HBT) scheme is provided for inter-domain real path query. HBT is a log-based path query method: when a message passes through an AS, the server corresponding to that AS records the message digest of the message, and when a target AS needs to query the inter-domain forwarding path of the message, it has to request the intermediate ASs one by one to trace the path back in the reverse direction. For example, the target AS requests its neighbor ASs to check whether the message digest is recorded in their corresponding servers; if the server of one neighbor AS has recorded the digest, the message is determined to have passed through that neighbor AS, which in turn requests its own neighbor ASs to check whether the message passed through them. The neighbor ASs are queried in sequence by such a reverse flooding query, and finally the inter-domain forwarding path of the message is constructed.
However, in this scheme every message trace requires a reverse flooding request, and all ASs on the path must take part to report whether the message passed through them, so query efficiency is low when a large number of queries is needed, such as under a distributed denial of service (DDoS) attack. In addition, the scheme cannot cope with a malicious AS misreporting, hiding or tampering with information, that is, the authenticity of the query result cannot be guaranteed.
Disclosure of Invention
The embodiments of this application provide an inter-domain forwarding path query method, device, system and storage medium, which can improve the query efficiency of inter-domain forwarding paths of messages and ensure the authenticity of query results. The technical scheme is as follows:
In a first aspect, a method for querying an inter-domain forwarding path is provided, and the method includes:
a first path server sends a first path query request to a second path server, where the first path query request is used to query the inter-domain forwarding path of a first message, the first path server is the server corresponding to a first AS, and the second path server is the server corresponding to a second AS; the first path server receives a first forwarding record sent by the second path server, where the first forwarding record indicates whether the second AS forwarded the first message; the first path server verifies the first forwarding record against a first path deposit certificate stored in the database, where the first path deposit certificate is the path deposit certificate determined by the second path server for the first message when the first message passed through the second AS, and the database is trusted by every AS; and the first path server constructs the inter-domain forwarding path of the first message according to the verification result.
In the embodiments of this application, after receiving the first path query request, the second path server can feed back to the first path server whether the corresponding second AS forwarded the first message. With this scheme an AS can quickly construct the inter-domain forwarding path of a message through the path servers, without a reverse flooding query, so the query efficiency of inter-domain forwarding paths is greatly improved. In addition, the first path server can verify the information fed back by the second path server against the path deposit certificate stored in the database, and the database is trusted by every AS, so the scheme can cope with a malicious AS misreporting, hiding or tampering with information, and the authenticity of the query result is ensured.
It should be noted that in the embodiments of this application the first process is the process of storing path information while forwarding a message: while the border network devices in each AS forward messages, the corresponding path server records the path information of the forwarded messages and sends a path deposit certificate to the database, so that the path deposit certificate is stored in the database. The second process is the process of querying the inter-domain forwarding path of a message: one AS, through its corresponding path server, requests other ASs to feed back their forwarding records for one or more messages, and constructs the inter-domain forwarding path of the corresponding message from the returned forwarding records. For ease of understanding, the process of storing path information while forwarding a message is described first.
First process: storing path information while forwarding a message
In this embodiment, while a first border network device in a first AS forwards a second message, the first path server corresponding to the first AS may store the path information of the second message. After the first path server has stored it, other ASs may, through their corresponding path servers, request the first AS to query the inter-domain forwarding path of the second message; for example, the second path server corresponding to the second AS or a third path server corresponding to a third AS may both request the query. The first process is described below taking as an example the first path server storing the path information of the second message before the third path server requests the query.
Optionally, before the first path server receives the second path query request sent by the third path server, the method further includes: the first path server determines a second message digest and records it locally, where the second message digest is the digest of the second message, and the stored first recording area is used only to record the related information of the second message, which includes the second message digest or the second message itself; and the first path server determines the second path deposit certificate and sends it to the database so that the second path deposit certificate is stored in the database.
That is, in the embodiments of this application the path server may record the message digest to indicate that the corresponding AS forwarded the corresponding message, determine the path deposit certificate from the recorded message digest, and store the path deposit certificate in the database trusted by every AS, so that the path deposit certificate submitted by each AS cannot be falsified.
Optionally, before the first path server receives the second path query request sent by the third path server, the method further includes: the first path server determines the inter-domain neighbor AS information of the first AS in the process of forwarding the second message and the second message digest, and records both locally, where the second message digest is the digest of the second message; and the first path server determines the second path deposit certificate and sends it to the database so that the second path deposit certificate is stored in the database.
That is, the path server may record not only the message digest, to indicate that the corresponding AS forwarded the corresponding message, but also the inter-domain neighbor AS information of the first AS in the process of forwarding the second message, determine the path deposit certificate from the recorded message digest, and store it in the database trusted by every AS so that the path deposit certificate submitted by each AS cannot be falsified.
Optionally, the first path server determining the inter-domain neighbor AS information of the first AS in the process of forwarding the second message and the second message digest, and recording them locally, includes: the first path server determines the IP address information, a second timestamp and the second message digest of the second message, where the second timestamp indicates the generation time of the second message; the first path server determines the inter-domain neighbor AS information of the first AS in the process of forwarding the second message according to the IP address information of the second message; and the first path server records the second message digest in the corresponding recording area according to the IP address information of the second message, the second timestamp and the inter-domain neighbor AS information of the first AS in the process of forwarding the second message.
Optionally, when the IP address information includes the source IP address, the inter-domain neighbor AS includes a last-hop AS; when the IP address information includes the destination IP address, the inter-domain neighbor AS includes a next-hop AS; and when the IP address information includes both the source IP address and the destination IP address, the inter-domain neighbor AS includes a last-hop AS and a next-hop AS.
That is, the path server can record, in recording areas, the message digest of each message forwarded by the corresponding AS together with the inter-domain neighbor AS information in the process of forwarding that message, according to the IP address information and similar data.
Optionally, the first path server determining the IP address information, the second timestamp and the second message digest of the second message includes one of the following: the first path server receives a sampling packet sent by a first border network device, where the sampling packet carries the IP address information, the second timestamp and the second message digest of the second message, and the first border network device is a border network device in the first AS; or the first path server receives the second message sent by the first border network device, obtains the IP address information and the second timestamp carried in the second message, and generates the second message digest from the second message; or the first path server receives a sampling packet sent by a bypass sampling device of the first border network device, where the sampling packet carries the IP address information, the second timestamp and the second message digest of the second message, and the bypass sampling device is configured to obtain the second message from the first border network device and generate the sampling packet from it.
Optionally, the first path server determining the inter-domain neighbor AS information of the first AS in the process of forwarding the second message according to the IP address information of the second message includes: the first path server determines, according to the IP address information of the second message, the port identifier of the first border network device that transmits the second message, where the first border network device is a border network device in the first AS; and the first path server determines the inter-domain neighbor AS information of the first AS in the process of forwarding the second message according to the port identifier.
In this embodiment, the first path server stores, for each border network device in the first AS, the correspondence between ingress port identifiers and ingress address blocks and the correspondence between egress port identifiers and egress address blocks. From the source IP address of the second message, the first path server determines the ingress address block containing the source IP address and takes the identifier of the ingress port corresponding to that address block as the ingress port identifier on which the second message was received; from the destination IP address of the second message, it determines the egress address block containing the destination IP address and takes the identifier of the egress port corresponding to that address block as the egress port identifier on which the second message was forwarded. In addition, each ingress port of a border network device in the first AS corresponds to a last-hop AS and each egress port corresponds to a next-hop AS. The first path server further stores the mapping between the port identifiers of each border network device in the first AS and AS information, so it can determine the last-hop AS of the first AS from the determined ingress port identifier and this mapping, and the next-hop AS of the first AS from the determined egress port identifier.
It should be noted that in the embodiments of this application the information of an AS may be the number of the corresponding AS.
Optionally, after determining the inter-domain neighbor AS information of the first AS and the second message digest, the first path server may record the second message digest by recording area. That is, the first path server may record the second message digest in the corresponding recording area according to the IP address information of the second message, the second timestamp and the inter-domain neighbor AS information of the first AS in the process of forwarding the second message.
When the IP address information includes a source IP address, the inter-domain neighbor AS information determined by the first path server includes the last-hop AS information, and the first path server can record the second message digest in the corresponding source recording area according to the source IP address of the second message, the second timestamp and the last-hop AS information of the first AS.
When the IP address information includes a destination IP address, the inter-domain neighbor AS information determined by the first path server includes the next-hop AS information, and the first path server can record the second message digest in the corresponding destination recording area according to the destination IP address of the second message, the second timestamp and the next-hop AS information of the first AS.
When the IP address information includes both a source IP address and a destination IP address, the inter-domain neighbor AS information determined by the first path server includes the last-hop AS information and the next-hop AS information, and the first path server can record the second message digest in the corresponding source recording area according to the source IP address of the second message, the second timestamp and the last-hop AS information of the first AS, and also record it in the corresponding destination recording area according to the destination IP address of the second message, the second timestamp and the next-hop AS information of the first AS.
Optionally, a source recording area includes a source start time field, a source IP address field, a last-hop AS field and a message digest field. The source start time field stores the start recording time of the source recording area, which is not later than the time indicated by the timestamp of any message whose digest is stored in that area; the source IP address field stores the source IP address or the source IP address block of the message, and the source IP address of every message whose digest is stored in the source recording area belongs to that block; the last-hop AS field stores the information of the last-hop AS of the present AS; and the message digest field records the message digests.
It should be noted that when the source IP address field stores the source IP address of a message, one source recording area records only the message digests of messages sent by one source device. When the source IP address field stores a source IP address block, one source recording area can record the message digests of messages sent by several source devices, provided that the source IP addresses of these messages all belong to the block, their timestamps are all later than the start recording time of the source recording area, and their last-hop ASs are the same; this reduces the number of source recording areas, saves storage space and makes retrieval convenient. The present AS is the AS corresponding to the path server that stores the source recording area.
Optionally, a destination recording area includes a destination start time field, a destination IP address field, a next-hop AS field and a message digest field. The destination start time field stores the start recording time of the destination recording area, which is not later than the time indicated by the timestamp carried by any message whose digest is stored in that area; the destination IP address field stores the destination IP address or the destination IP address block of the message, and the destination IP address of every message whose digest is stored in the destination recording area belongs to that block; the next-hop AS field stores the information of the next-hop AS of the present AS; and the message digest field records the message digests.
It should be noted that when the destination IP address field stores the destination IP address of a message, one destination recording area records only the message digests of messages addressed to one destination device. When the destination IP address field stores a destination IP address block, one destination recording area can record the message digests of messages sent to several destination devices, provided that the destination IP addresses of these messages all belong to the block, their timestamps are all later than the start recording time of the destination recording area, and their next-hop ASs are the same; this reduces the number of destination recording areas, saves storage space and makes retrieval convenient.
In this embodiment, the first path server may search the stored recording areas for the one corresponding to the IP address information of the second message, the second timestamp and the inter-domain neighbor AS information of the first AS in the process of forwarding the second message. If the corresponding recording area is found, the first path server records the second message digest in it. If it is not found, the first path server creates a recording area according to the IP address information of the second message, the second timestamp and the inter-domain neighbor AS information of the first AS in the process of forwarding the second message, and records the second message digest in the newly created recording area.
Optionally, the first path server recording the second message digest in the corresponding recording area includes one of the following: the first path server records the whole second message digest in the corresponding recording area; or the first path server records the first N bits of the second message digest in the corresponding recording area, where the second message digest has M bits, N and M are integers greater than zero, and N is smaller than M; or the first path server sets the bits of the bloom filter in the recording area corresponding to the second message according to the second message digest, so as to record the second message digest through the bloom filter of the corresponding recording area.
It should be noted that when message digests are recorded with a bloom filter, the number of positions in the bloom filter is limited, so after some time the proportion of positions set to '1' may become high, and if message digests keep being stored in it the bloom filter becomes ineffective. Therefore a new bloom filter may be created, or every position of the bloom filter may be reset to '0', either at every first time interval or whenever the proportion of positions set to '1' in the bloom filter reaches a specific proportion.
Optionally, one recording area stores only one bloom filter, or stores several bloom filters by time period, each bloom filter corresponding to one time period.
Optionally, in order to synchronize the bloom filters in the recording areas stored by the path servers of the respective ASs, in an embodiment of this application a timestamp is determined by the border network device in the source AS that forwards the message and is added to the message, so that the time periods of the bloom filters in the recording areas stored by the path servers of all the ASs that forward the message can be synchronized according to this timestamp.
Based on this, the first path server setting the bits of the bloom filter in the recording area corresponding to the second message according to the second message digest includes: the first path server determines a third timestamp, where the third timestamp is determined by a border network device in the source AS that forwards the second message and is added to the second message, and is used to synchronize the bloom filters in the recording areas stored by the path servers of the respective ASs; the first path server selects a first bloom filter from the one or more bloom filters in the corresponding recording area according to the third timestamp; and the first path server sets the bits of the first bloom filter according to the second message digest.
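As an added illustration that is not part of the patent text, the following Python sketch models a source recording area whose message digest field is a set of bloom filters indexed by time period, with the period chosen from the source-AS timestamp carried in the message (the third timestamp above) so that every AS on the path lands in the same filter for the same message. The period length, filter size, hash count, /24 address blocks and the 50% fill ratio that triggers a reset are assumed values, not taken from the patent.

```python
import hashlib
from dataclasses import dataclass, field
from ipaddress import ip_network, IPv4Network

PERIOD_SECONDS = 60        # assumed length of one bloom-filter time period
BLOOM_BITS = 1024          # assumed filter size (positions) per period
BLOOM_HASHES = 4           # assumed number of positions set per digest
RESET_FILL_RATIO = 0.5     # assumed "specific proportion" of 1-bits that triggers a reset


class BloomFilter:
    """Fixed-size bloom filter; positions are derived from the message digest itself."""

    def __init__(self, nbits: int = BLOOM_BITS, nhashes: int = BLOOM_HASHES):
        self.nbits = nbits
        self.nhashes = nhashes
        self.bits = bytearray(nbits // 8)

    def _positions(self, digest: bytes):
        for i in range(self.nhashes):
            h = hashlib.sha256(bytes([i]) + digest).digest()
            yield int.from_bytes(h[:4], "big") % self.nbits

    def add(self, digest: bytes) -> None:
        for p in self._positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, digest: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(digest))

    def fill_ratio(self) -> float:
        return sum(bin(b).count("1") for b in self.bits) / self.nbits

    def reset(self) -> None:
        self.bits = bytearray(len(self.bits))


@dataclass
class SourceRecordingArea:
    start_time: int                 # source start time field (not later than any recorded timestamp)
    source_block: IPv4Network       # source IP address (block) field
    last_hop_as: int                # last-hop AS field
    filters: dict = field(default_factory=dict)   # message digest field: period index -> BloomFilter

    def period_index(self, source_timestamp: int) -> int:
        # The source-AS timestamp, not local clock time, selects the period.
        return (source_timestamp - self.start_time) // PERIOD_SECONDS

    def record(self, digest: bytes, source_timestamp: int) -> None:
        bf = self.filters.setdefault(self.period_index(source_timestamp), BloomFilter())
        if bf.fill_ratio() >= RESET_FILL_RATIO:
            bf.reset()              # filter has become too dense to stay useful
        bf.add(digest)

    def forwarded(self, digest: bytes, source_timestamp: int) -> bool:
        bf = self.filters.get(self.period_index(source_timestamp))
        return bf is not None and digest in bf


class PathServer:
    """Path server of one AS: keeps source recording areas keyed by (source block, last-hop AS)."""

    def __init__(self, block_prefix: int = 24):
        self.block_prefix = block_prefix
        self.areas: dict = {}

    @staticmethod
    def message_digest(message: bytes) -> bytes:
        return hashlib.sha256(message).digest()

    def record_message(self, message: bytes, src_ip: str, source_timestamp: int,
                       last_hop_as: int) -> SourceRecordingArea:
        block = ip_network(f"{src_ip}/{self.block_prefix}", strict=False)
        key = (block, last_hop_as)
        area = self.areas.get(key)
        if area is None:
            # No matching area: create one whose start time is not later than the message timestamp.
            area = SourceRecordingArea(start_time=source_timestamp - source_timestamp % PERIOD_SECONDS,
                                       source_block=block, last_hop_as=last_hop_as)
            self.areas[key] = area
        area.record(self.message_digest(message), source_timestamp)
        return area


if __name__ == "__main__":
    ps = PathServer()
    msg = b"constructed sample message"          # constructed input
    area = ps.record_message(msg, "10.1.2.3", 1_700_000_005, 64501)
    print(area.forwarded(PathServer.message_digest(msg), 1_700_000_005))
```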
In this embodiment, after storing the inter-domain neighbor AS information of the first AS in the process of forwarding the second message and the second message digest, the first path server may further generate a second path deposit certificate from that stored information and send it to the database, so that the second path deposit certificate is stored in the database.
Optionally, the first path server determining the second path deposit certificate includes: the first path server constructs a second Merkle tree from the locally stored recording areas, which include the recording area in which the second message digest is recorded; and the first path server takes the root node of the second Merkle tree as the second path deposit certificate.
That is, in order to reduce the amount of data stored in the database, the first path server may build a Merkle tree over all stored recording areas, take the root node of the Merkle tree as the path deposit certificate and send it to the database, so that only the root node of the Merkle tree is stored in the database.
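The Merkle-tree commitment described here, together with the verification step of the first aspect (the first path server checking a returned forwarding record against the path deposit certificate held in the trusted database), as an added Python example that is not the patent's own code. The serialised recording-area layout, the domain-separation bytes and the sample recording areas are constructed for this example.

```python
import hashlib
from typing import List, Tuple


def message_digest(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()


# Constructed recording areas of one AS, serialised as (assumed layout)
# b"<start time>|<IP block>|<neighbor AS>|<comma-separated hex message digests>"
RECORDING_AREAS = [
    b"1700000000|10.1.2.0/24|64501|" + message_digest(b"constructed message a").encode(),
    b"1700000000|10.1.2.0/24|64502|" + ",".join(
        [message_digest(b"constructed message b"), message_digest(b"constructed message c")]).encode(),
    b"1700000000|192.0.2.0/24|64503|" + message_digest(b"constructed message d").encode(),
]

Proof = List[Tuple[bytes, str]]   # (sibling hash, side of the sibling: "L" or "R")


def leaf_hash(area: bytes) -> bytes:
    # Domain-separated so a leaf can never be confused with an inner node.
    return hashlib.sha256(b"\x00" + area).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_path_certificate(areas: List[bytes]) -> Tuple[bytes, List[Proof]]:
    """Storing side: build a Merkle tree over every recording area of the path server.
    Returns the root (the path deposit certificate sent to the trusted database) and
    one inclusion proof per recording area, kept locally to answer later queries."""
    level = [leaf_hash(a) for a in areas]
    proofs: List[Proof] = [[] for _ in areas]
    pos = list(range(len(areas)))          # current tree position of each original leaf
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])        # duplicate the last node on odd-sized levels
        for i, p in enumerate(pos):
            sibling = p ^ 1
            proofs[i].append((level[sibling], "L" if sibling < p else "R"))
            pos[i] = p // 2
        level = [node_hash(level[j], level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], proofs


def verify_forwarding_record(area: bytes, proof: Proof, certificate: bytes, message: bytes) -> bool:
    """Querying side: accept a forwarding record (a recording area plus its inclusion proof)
    only if (1) the area really records the digest of the queried message and (2) the area is
    covered by the certificate that the forwarding AS committed to the database beforehand."""
    digests = area.rsplit(b"|", 1)[1].split(b",")
    if message_digest(message).encode() not in digests:
        return False
    h = leaf_hash(area)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == certificate


if __name__ == "__main__":
    root, proofs = build_path_certificate(RECORDING_AREAS)
    print(verify_forwarding_record(RECORDING_AREAS[1], proofs[1], root, b"constructed message c"))
```

A record whose neighbor AS field, digest list or start time was altered after the certificate was published no longer hashes to a leaf under the committed root, which is what lets the querying path server reject misreported or tampered answers.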
Optionally, the database is a database stored on a server provided by a third party trusted by every AS, or the database is a database maintained at blockchain nodes, where each AS that forwards messages is a node of the blockchain.
It should be noted that the first process has been described taking the first path server storing the path information of the second message as an example; the other path servers store the path information of each message forwarded in their corresponding AS in the same way.
For example, the second path server, which is the server corresponding to the second AS, may store the path information of the first message, determine the first path deposit certificate from the stored path information of the first message, and send the first path deposit certificate to the database so that it is stored there.
By way of illustration, the second path server can record the first message digest or the first message to indicate that the second AS forwarded the first message, where the first message digest is the digest of the first message. The second path server can determine the first path deposit certificate from the stored path information of the first message and send it to the database so that it is stored there. Optionally, the second path server records the first message digest by recording area: it stores a first recording area and a first Merkle tree, where the first recording area records the related information of the first message, which includes the first message digest, the first Merkle tree is built from the first recording area, and the first path deposit certificate is the root node of the first Merkle tree.
Optionally, the second path server may further record the inter-domain neighbor AS information of the second AS in the process of forwarding the first message, that is, the first recording area is further configured to record that information.
That is, the related information of the first message includes the first message digest, which is the digest of the first message, and the first recording area is further configured to record the inter-domain neighbor AS information of the second AS in the process of forwarding the first message, where the inter-domain neighbor AS includes at least one of a last-hop AS and a next-hop AS.
Optionally, when the inter-domain neighbor AS includes a last-hop AS, the first recording area includes a first source recording area;
when the inter-domain neighbor AS includes a next-hop AS, the first recording area includes a first destination recording area;
when the inter-domain neighbor AS includes both a last-hop AS and a next-hop AS, the first recording area includes a first source recording area and a first destination recording area;
the first source recording area includes a source start time field, a source address field, a last-hop AS field and a message digest field, where the source start time field stores the start recording time of the first source recording area, which is not later than the time indicated by the first timestamp, the first timestamp indicating the generation time of the first message; the source address field stores the source IP address of the first message or a first source IP address block to which that source IP address belongs; the last-hop AS field stores the information of the last-hop AS of the second AS in the process of forwarding the first message; and the message digest field records the first message digest;
the first destination recording area includes a destination start time field, a destination address field, a next-hop AS field and a message digest field, where the destination start time field stores the start recording time of the first destination recording area, which is not later than the time indicated by the first timestamp; the destination address field stores the destination IP address of the first message or a first destination IP address block to which that destination IP address belongs; the next-hop AS field stores the information of the next-hop AS of the second AS in the process of forwarding the first message; and the message digest field records the first message digest.
Second process: querying the inter-domain forwarding path of a packet
It should be noted that, in this embodiment of the application, it is assumed that the second path server also forwards the second packet, and then the second path server can request the first path server to query an inter-domain forwarding path of the second packet. Assuming that the first path server also forwards the first packet, the first path server can request the second path server to query an inter-domain forwarding path of the first packet.
Next, the second process of the embodiment of the present application will be described. Taking as an example the case where the first path server requests the second path server to query the inter-domain forwarding path of the first packet: after the second path server has stored the path information of the first packet according to the method above, the first path server can request the second path server to query the inter-domain forwarding path of the first packet according to the following method, and construct the inter-domain forwarding path of the first packet according to the feedback from the second path server.
The first path server sends a first path query request to the second path server, where the first path query request is used to query the inter-domain forwarding path of the first packet.
Optionally, the first path query request carries the first packet, or the first path query request carries IP address information, a first timestamp, and a first packet digest of the first packet, where the IP address information includes a source IP address and/or a destination IP address, the first timestamp is used to indicate generation time of the first packet, and the first packet digest is a digest of the first packet.
Optionally, the second path server receives the first path query request sent by the first path server and determines the first forwarding record according to the first path query request. The second path server sends the first forwarding record to the first path server, where the first forwarding record is used to instruct the first path server to verify the first forwarding record according to a first path certificate stored in the database and to construct the inter-domain forwarding path of the first packet according to the verification result, and the first path certificate is the path certificate determined by the second path server for the first packet when the first packet passed through the second AS.
Optionally, the first path query request carries IP address information of the first packet, a first timestamp and a first packet digest, where the first timestamp is used to indicate the generation time of the first packet, and the first packet digest is a digest of the first packet; the second path server determining the first forwarding record according to the first path query request includes: the second path server obtains a first recording area from the stored recording areas according to the IP address information of the first packet, the first timestamp and the first packet digest, where the first recording area is used to record the first packet digest; and the second path server determines the first recording area as the first forwarding record.
Illustratively, in the case where the second path server records the first packet digest in the first recording area according to the IP address information of the first packet, the first timestamp, and the information of the inter-domain neighboring AS of the second AS in the process of forwarding the first packet, and directly uses the recording area as the path certificate, the second path server may obtain the first recording area from the stored recording areas according to the IP address information of the first packet, the first timestamp, and the first packet digest, where the first recording area is used to record the related information of the first packet and the information of the inter-domain neighboring AS of the second AS in the process of forwarding the first packet, and the related information of the first packet includes the first packet digest. The second path server determines the first recording area as the first forwarding record.
Optionally, the first path query request carries IP address information of the first packet, a first timestamp and a first packet digest, where the first timestamp is used to indicate the generation time of the first packet, and the first packet digest is a digest of the first packet; the second path server determining the first forwarding record according to the first path query request includes: the second path server obtains a first recording area from the stored recording areas according to the IP address information of the first packet, the first timestamp and the first packet digest, where the first recording area is used to record the first packet digest and information of the inter-domain neighboring AS of the second AS in the process of forwarding the first packet; the second path server obtains a first Merkle tree, where the first Merkle tree is constructed according to the first recording area; the second path server obtains the branch associated with the first recording area from the first Merkle tree to obtain a first proof chain; and the second path server determines the first recording area and the first proof chain as the first forwarding record.
Illustratively, in the case where the second path server records the first packet digest or the first packet in the first recording area according to the IP address information and the first timestamp of the first packet, and uses the root node of the first Merkle tree constructed according to the first recording area as the path certificate, the second path server can obtain the first recording area from the stored recording areas according to the IP address information, the first timestamp and the first packet digest of the first packet, where the first recording area is used to record related information of the first packet, and the related information of the first packet includes the first packet digest. After obtaining the first recording area, the second path server can also obtain the first Merkle tree and obtain the branch associated with the first recording area from the first Merkle tree to obtain a first proof chain, and the second path server can determine the first recording area and the first proof chain as the first forwarding record.
Optionally, the first forwarding record includes a first recording area and a first proof chain, where the first recording area is stored in the second path server and is used to record related information of the first packet, the first proof chain is the branch of a first Merkle tree associated with the first recording area, and the first Merkle tree is a Merkle tree constructed according to the first recording area; the first path server verifying the first forwarding record according to the first path certificate stored in the database includes: the first path server determines the hash value of the first recording area to obtain a reference area hash value; the first path server determines a reference root hash value according to the reference area hash value and the nodes other than the root node in the first proof chain; and if the reference root hash value is the same as the first path certificate stored in the database, the first path server determines that the first forwarding record is verified.
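The verification just described (hash the returned recording area, fold in the sibling hashes of the proof chain, compare the result with the path certificate held in the trusted database), shown here as an added Python illustration rather than code from the patent; the recording-area serialisation, the use of SHA-256 and the sibling-ordering convention of the proof chain are assumptions.

```python
"""Path certificate (Merkle root) and proof-chain check for a recording area."""
import hashlib
import json
from dataclasses import dataclass, field, asdict


@dataclass
class RecordingArea:
    kind: str            # "source" or "destination" recording area
    start_time: int      # start recording time (not later than the packet timestamp)
    address: str         # source/destination IP address or IP address block
    neighbor_as: int     # previous-hop AS (source area) or next-hop AS (destination area)
    digests: list = field(default_factory=list)  # packet digests recorded in this area

    def serialize(self) -> bytes:
        # Canonical JSON so both path servers hash identical bytes (assumed format).
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def area_hash(area: RecordingArea) -> bytes:
    # The "reference area hash value" of one recording area.
    return sha256(area.serialize())


def merkle_root(leaves: list) -> bytes:
    """Root of a binary Merkle tree; an odd trailing node is paired with itself."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def proof_chain(leaves: list, index: int) -> list:
    """Sibling hashes from leaf `index` up to, but excluding, the root.

    Each entry is (sibling_hash, sibling_is_on_the_left); these are the nodes
    other than the root that the verifier needs."""
    chain, level, idx = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = idx ^ 1
        chain.append((level[sibling], sibling < idx))
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return chain


def fold_chain(leaf_hash: bytes, chain: list) -> bytes:
    """Recompute the root (the "reference root hash value") from a leaf and its chain."""
    node = leaf_hash
    for sibling, sibling_left in chain:
        node = sha256(sibling + node) if sibling_left else sha256(node + sibling)
    return node


def verify_forwarding_record(area: RecordingArea, chain: list, stored_certificate: bytes) -> bool:
    """The querying path server's check against the certificate in the trusted database."""
    return fold_chain(area_hash(area), chain) == stored_certificate


def demo():
    # Constructed recording areas held by one path server (the queried AS).
    areas = [
        RecordingArea("source", 1_600_000_000, "10.0.0.0/24", 100, ["d1" * 16, "d2" * 16]),
        RecordingArea("destination", 1_600_000_000, "10.9.9.0/24", 300, ["d1" * 16]),
        RecordingArea("source", 1_600_000_060, "10.0.1.0/24", 150, ["e7" * 16]),
    ]
    leaves = [area_hash(a) for a in areas]
    certificate = merkle_root(leaves)       # published to the trusted database
    # A query for digest "d1"*16 from previous-hop AS 100 is answered with area 0 and its chain.
    record_area, record_chain = areas[0], proof_chain(leaves, 0)
    ok = verify_forwarding_record(record_area, record_chain, certificate)
    # A record whose previous-hop AS was rewritten after publication fails the check.
    forged = RecordingArea(**{**asdict(record_area), "neighbor_as": 999})
    forged_ok = verify_forwarding_record(forged, record_chain, certificate)
    return ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```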
It should be noted that, assuming the first path server sends a path query request to the path servers corresponding to each intermediate AS on the expected inter-domain forwarding path of the first packet, the path servers corresponding to the intermediate ASs can feed back their forwarding records to the first path server, so that the first path server can recover the true and complete inter-domain forwarding path of the first packet according to the path information fed back by each intermediate AS.
Assuming that the third AS also forwards the second packet, the third path server corresponding to the third AS can request the first path server to query the inter-domain forwarding path of the second packet, and the first path server can feed back the path record of the second packet to the third path server according to the stored path information of the second packet, so as to instruct the third path server to construct the inter-domain forwarding path of the second packet according to the fed-back path record.
That is, the method further includes: the first path server receives a second path query request sent by a third path server, where the second path query request is used to query the inter-domain forwarding path of a second packet, and the third path server is a server corresponding to a third AS; the first path server determines a second forwarding record according to the second path query request, where the second forwarding record is used to represent whether the first AS forwarded the second packet; and the first path server sends the second forwarding record to the third path server, where the second forwarding record is used to instruct the third path server to verify the second forwarding record according to a second path certificate stored in the database and to construct the inter-domain forwarding path of the second packet according to the verification result, and the second path certificate is the path certificate determined by the first path server for the second packet when the second packet passed through the first AS.
Optionally, the second path query request carries IP address information of the second packet, a second timestamp and a second packet digest, where the second timestamp is used to indicate the generation time of the second packet, and the second packet digest is a digest of the second packet; the first path server determining the second forwarding record according to the second path query request includes: the first path server obtains a second recording area from the stored recording areas according to the IP address information of the second packet, the second timestamp and the second packet digest, where the second recording area is used to record the second packet digest; and the first path server determines the second recording area as the second forwarding record.
Optionally, the second path query request carries IP address information of the second packet, a second timestamp and a second packet digest, where the second timestamp is used to indicate the generation time of the second packet, and the second packet digest is a digest of the second packet; the first path server determining the second forwarding record according to the second path query request includes: the first path server obtains a second recording area from the stored recording areas according to the IP address information of the second packet, the second timestamp and the second packet digest, where the second recording area is used to record the second packet digest and the information of the inter-domain neighboring AS of the first AS in the process of forwarding the second packet; the first path server obtains a second Merkle tree, where the second Merkle tree is constructed according to the second recording area; the first path server obtains the branch associated with the second recording area from the second Merkle tree to obtain a second proof chain; and the first path server determines the second recording area and the second proof chain as the second forwarding record.
In a second aspect, an inter-domain forwarding path querying device is provided, where the inter-domain forwarding path querying device has a function of implementing the behavior of the inter-domain forwarding path querying method in the first aspect. The inter-domain forwarding path querying device includes one or more modules, where the one or more modules are configured to implement the inter-domain forwarding path querying method provided in the first aspect.
That is, an inter-domain forwarding path querying apparatus is provided, which is applied to a first path server, where the first path server is a server corresponding to a first AS, and the apparatus includes:
a first sending module, configured to send a first path query request to a second path server, where the first path query request is used to query the inter-domain forwarding path of a first packet, the first path server is a server corresponding to a first AS, and the second path server is a server corresponding to a second AS;
a first receiving module, configured to receive a first forwarding record sent by the second path server, where the first forwarding record is used to represent whether the second AS forwarded the first packet;
a verification module, configured to verify the first forwarding record according to a first path certificate stored in the database, where the first path certificate is the path certificate determined by the second path server for the first packet when the first packet passed through the second AS, and the database is a database trusted by each AS;
and a construction module, configured to construct the inter-domain forwarding path of the first packet according to the verification result.
Optionally, the first forwarding record includes a first recording area and a first proof chain, where the first recording area is stored in the second path server and is used to record related information of the first packet, the first proof chain is the branch of a first Merkle tree associated with the first recording area, and the first Merkle tree is a Merkle tree constructed according to the first recording area;
the verification module includes:
a first determining unit, configured to determine the hash value of the first recording area to obtain a reference area hash value;
a second determining unit, configured to determine a reference root hash value according to the reference area hash value and the nodes other than the root node in the first proof chain;
and a third determining unit, configured to determine that the first forwarding record is verified if the reference root hash value is identical to the first path certificate stored in the database.
Optionally, the related information of the first packet includes a first packet digest, where the first packet digest is a digest of the first packet, and the first recording area is further configured to record information of an inter-domain neighboring AS of a second AS in a process of forwarding the first packet, where the inter-domain neighboring AS includes at least one of a previous-hop AS and a next-hop AS.
Optionally, when the inter-domain neighboring AS includes a previous-hop AS, the first recording area includes a first source recording area;
when the inter-domain neighboring AS includes a next-hop AS, the first recording area includes a first destination recording area;
when the inter-domain neighboring AS includes a previous-hop AS and a next-hop AS, the first recording area includes a first source recording area and a first destination recording area;
the first source recording area includes a source start time field, a source address field, a previous-hop AS field and a packet digest field, where the source start time field is used to store the start recording time of the first source recording area, the start recording time of the first source recording area is not later than the time indicated by the first timestamp, the first timestamp is used to indicate the generation time of the first packet, the source address field is used to store the source IP address of the first packet or a first source IP address block to which the source IP address of the first packet belongs, the previous-hop AS field is used to store information of the previous-hop AS of the second AS in the process of forwarding the first packet, and the packet digest field is used to record the first packet digest;
the first destination recording area includes a destination start time field, a destination address field, a next-hop AS field and a packet digest field, where the destination start time field is used to store the start recording time of the first destination recording area, the start recording time of the first destination recording area is not later than the time indicated by the first timestamp, the destination address field is used to store the destination IP address of the first packet or a first destination IP address block to which the destination IP address of the first packet belongs, the next-hop AS field is used to store information of the next-hop AS of the second AS in the process of forwarding the first packet, and the packet digest field is used to record the first packet digest.
Optionally, the first path query request carries the first packet, or the first path query request carries IP address information, a first timestamp, and a first packet digest of the first packet, where the IP address information includes a source IP address and/or a destination IP address, the first timestamp is used to indicate generation time of the first packet, and the first packet digest is a digest of the first packet.
Optionally, the apparatus further comprises:
a second receiving module, configured to receive a second path query request sent by a third path server, where the second path query request is used to query an inter-domain forwarding path of a second packet, and the third path server is a server corresponding to a third AS;
a first determining module, configured to determine a second forwarding record according to the second path query request, where the second forwarding record is used to represent whether the first AS forwards the second packet;
and a second sending module, configured to send the second forwarding record to the third path server, where the second forwarding record is used to instruct the third path server to verify the second forwarding record according to a second path certificate stored in the database and to construct the inter-domain forwarding path of the second packet according to the verification result, and the second path certificate is the path certificate determined by the first path server for the second packet when the second packet passed through the first AS.
Optionally, the second path query request carries IP address information of a second packet, a second timestamp, and a second packet digest, where the second timestamp is used to indicate generation time of the second packet, and the second packet digest is a digest of the second packet;
the first determining module includes:
a first obtaining unit, configured to obtain a second recording area from the stored recording areas according to the IP address information of the second packet, the second timestamp and the second packet digest, where the second recording area is used to record the second packet digest;
a fourth determining unit for determining the second recording area as the second forwarding record.
Optionally, the second path query request carries IP address information of a second packet, a second timestamp, and a second packet digest, where the second timestamp is used to indicate generation time of the second packet, and the second packet digest is a digest of the second packet;
the first determining module includes:
a second obtaining unit, configured to obtain a second recording area from the stored recording area according to the IP address information of the second packet, the second timestamp, and the second packet digest, where the second recording area is used to record the second packet digest and information of an inter-domain neighboring AS of the first AS in a process of forwarding the second packet;
a third obtaining unit, configured to obtain a second Merkle tree, where the second Merkle tree is a Merkle tree constructed according to the second recording area;
a fourth obtaining unit, configured to obtain the branch associated with the second recording area from the second Merkle tree, so as to obtain a second proof chain;
and a fifth determining unit, configured to determine the second recording area and the second proof chain as the second forwarding record.
Optionally, the apparatus further comprises:
a second determining module, configured to determine a second packet digest and record the second packet digest locally, where the second packet digest is a digest of the second packet;
and a third determining module, configured to determine the second path certificate and send the second path certificate to the database so as to store the second path certificate in the database.
Optionally, the apparatus further comprises:
a fourth determining module, configured to determine information of an inter-domain neighboring AS of the first AS and a second message digest in a process of forwarding the second message, and locally record the information of the inter-domain neighboring AS of the first AS and the second message digest in the process of forwarding the second message, where the second message digest is a digest of the second message;
and a fifth determining module, configured to determine the second path certificate and send the second path certificate to the database so as to store the second path certificate in the database.
Optionally, the fourth determining module includes:
a sixth determining unit, configured to determine IP address information, a second timestamp, and a second packet digest of the second packet, where the second timestamp is used to indicate generation time of the second packet;
a seventh determining unit, configured to determine, according to the IP address information of the second packet, inter-domain neighboring AS information of the first AS in a process of forwarding the second packet;
and a recording unit, configured to record the second packet digest in the corresponding recording area according to the IP address information of the second packet, the second timestamp and the information of the inter-domain neighboring AS of the first AS in the process of forwarding the second packet.
Optionally, the recording unit includes:
a searching subunit, configured to search the stored recording areas for the corresponding recording area according to the IP address information of the second packet, the second timestamp and the information of the inter-domain neighboring AS of the first AS in the process of forwarding the second packet;
a first recording subunit, configured to record the second packet digest in the found recording area if the corresponding recording area is found;
and a second recording subunit, configured to, if the corresponding recording area is not found, create a recording area according to the IP address information of the second packet, the second timestamp and the information of the inter-domain neighboring AS of the first AS in the process of forwarding the second packet, and record the second packet digest in the created recording area.
Optionally, the seventh determining unit includes:
a first determining subunit, configured to determine, according to the IP address information of the second packet, a port identifier of the first border network device for transmitting the second packet, where the first border network device is a border network device in the first AS;
and the second determining subunit is configured to determine, according to the port identifier, information of an inter-domain neighboring AS of the first AS in the process of forwarding the second packet.
Optionally, the sixth determining unit includes:
a first receiving subunit, configured to receive a sampling packet sent by the first border network device, where the sampling packet carries the IP address information of the second packet, the second timestamp and the second packet digest, and the first border network device is a border network device in the first AS; or
a second receiving subunit, configured to receive the second packet sent by the first border network device, obtain the IP address information and the second timestamp carried in the second packet, and generate the second packet digest according to the second packet; or
a bypass sampling device, configured to obtain the second packet from the first border network device and generate the sampling packet according to the second packet.
Optionally, the recording unit includes:
a third recording subunit, configured to record the whole second packet digest in the corresponding recording area; or
a fourth recording subunit, configured to record the first N bits of the second packet digest in the corresponding recording area, where the number of bits of the second packet digest is M, N and M are both integers greater than zero, and N is smaller than M; or
a fifth recording subunit, configured to set the value of a Bloom filter in the recording area corresponding to the second packet according to the second packet digest, so as to record the second packet digest through the Bloom filter in the corresponding recording area.
Optionally, the fifth recording subunit is specifically configured to:
determining a third timestamp, where the third timestamp is determined by a border network device in the source AS that forwards the second packet and is added to the second packet, and the third timestamp is used to synchronize the Bloom filters in the recording areas stored by the path servers corresponding to the ASs; determining a first Bloom filter from the one or more Bloom filters in the corresponding recording area according to the third timestamp; and setting the value of the first Bloom filter according to the second packet digest.
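The three recording modes of the recording unit (whole digest, first N bits, Bloom filter) and the selection of a Bloom filter by the third timestamp, as an added Python illustration that is not code from the patent; the time-bucket width, the filter size, the number of hash functions and the use of SHA-256 are assumptions. Because the third timestamp is stamped once by the source AS's border device, every path server on the path maps the same packet to the same bucket.

```python
"""Recording a packet digest in a recording area: whole, truncated, or via Bloom filter."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class BloomFilter:
    m_bits: int = 1024    # filter size in bits (assumption)
    k_hashes: int = 3     # number of hash functions (assumption)
    bits: int = 0         # bit array kept as a Python integer

    def _positions(self, digest: bytes):
        # k positions derived from the digest with a one-byte domain separator each.
        for i in range(self.k_hashes):
            h = hashlib.sha256(bytes([i]) + digest).digest()
            yield int.from_bytes(h[:4], "big") % self.m_bits

    def add(self, digest: bytes) -> None:
        for pos in self._positions(digest):
            self.bits |= 1 << pos

    def may_contain(self, digest: bytes) -> bool:
        # No false negatives; false positives are possible by construction,
        # which is why the query result is verified against the path certificate.
        return all((self.bits >> pos) & 1 for pos in self._positions(digest))


@dataclass
class DigestRecorder:
    start_time: int                 # start recording time of the recording area
    bucket_seconds: int = 10        # width of one Bloom-filter time bucket (assumption)
    whole: set = field(default_factory=set)      # mode 1: whole digests
    prefixes: set = field(default_factory=set)   # mode 2: (N, first N bits)
    filters: dict = field(default_factory=dict)  # mode 3: bucket index -> BloomFilter

    def bucket_for(self, third_timestamp: int) -> int:
        # The third timestamp chooses one of the recording area's Bloom filters.
        return (third_timestamp - self.start_time) // self.bucket_seconds

    def record_whole(self, digest: bytes) -> None:
        self.whole.add(digest)

    def record_prefix(self, digest: bytes, n_bits: int) -> None:
        m_bits = len(digest) * 8
        if not 0 < n_bits < m_bits:
            raise ValueError("N must satisfy 0 < N < M")
        value = int.from_bytes(digest, "big") >> (m_bits - n_bits)
        self.prefixes.add((n_bits, value))

    def record_bloom(self, digest: bytes, third_timestamp: int) -> None:
        bucket = self.bucket_for(third_timestamp)
        self.filters.setdefault(bucket, BloomFilter()).add(digest)

    def lookup_bloom(self, digest: bytes, third_timestamp: int) -> bool:
        bf = self.filters.get(self.bucket_for(third_timestamp))
        return bf is not None and bf.may_contain(digest)


def packet_digest(packet: bytes) -> bytes:
    return hashlib.sha256(packet).digest()


def demo():
    # Constructed packet and timestamps; two path servers on the path record it.
    pkt = b"constructed sample packet from 10.0.0.7 to 10.9.9.3"
    digest = packet_digest(pkt)
    third_ts = 1_600_000_027          # added by the source AS's border device
    first_as = DigestRecorder(start_time=1_600_000_000)
    second_as = DigestRecorder(start_time=1_600_000_000)
    first_as.record_bloom(digest, third_ts)
    second_as.record_bloom(digest, third_ts)
    same_bucket = first_as.bucket_for(third_ts) == second_as.bucket_for(third_ts)
    found_on_path = first_as.lookup_bloom(digest, third_ts) and second_as.lookup_bloom(digest, third_ts)
    # A query with a timestamp from another bucket selects a filter that was never set.
    wrong_bucket = not first_as.lookup_bloom(digest, third_ts + 60)
    return same_bucket, found_on_path, wrong_bucket


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```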
Optionally, the third determining module includes:
a construction unit, configured to construct a second Merkle tree according to the locally stored recording areas, where the locally stored recording areas include the recording area in which the second packet digest is recorded;
and an eighth determining unit, configured to determine the root node of the second Merkle tree as the second path certificate.
Optionally, the database is a database stored in a server provided by a third party trusted by each AS, or the database is a database maintained at a blockchain node.
In a third aspect, a system for querying an inter-domain forwarding path is provided, where the system includes multiple path servers and a database, where the multiple path servers correspond to multiple different ASs, and any one of the multiple path servers is configured to implement the inter-domain forwarding path querying method provided in the first aspect, and the database is configured to store a path certificate, and is a database trusted by the multiple ASs.
In a fourth aspect, a computer device is provided, where the computer device includes a processor and a memory, the memory is used to store a program for executing the inter-domain forwarding path query method provided in the first aspect and to store data involved in implementing that method, and the processor is configured to execute the program stored in the memory. The computer device may further include a communication bus for establishing a connection between the processor and the memory.
In a fifth aspect, a computer-readable storage medium is provided, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the instructions cause the computer to execute the inter-domain forwarding path query method according to the first aspect.
A sixth aspect provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the inter-domain forwarding path query method according to the first aspect.
The technical effects obtained by the above second, third, fourth, fifth and sixth aspects are similar to the technical effects obtained by the corresponding technical means in the first aspect, and are not described herein again.
The technical scheme provided by the embodiment of the application can at least bring the following beneficial effects:
in the embodiment of the application, after receiving the first path query request the second path server can feed back to the first path server whether the corresponding second AS forwarded the first packet; in this scheme an AS can quickly construct the inter-domain forwarding path of a packet through the path servers without a reverse flooding query, so the query efficiency of the inter-domain forwarding path is greatly improved. In addition, the first path server can verify the information fed back by the second path server against the path certificate stored in the database, and since the database is trusted by each AS, the scheme can cope with a malicious AS making false claims, concealing information, tampering with information and the like, and the authenticity of the query result is ensured.
Drawings
Fig. 1 is a system architecture diagram according to an inter-domain forwarding path query method provided in an embodiment of the present application;
fig. 2 is a schematic structural diagram of a computer device according to an embodiment of the present application;
fig. 3 is a flowchart of a method for storing path information according to an embodiment of the present application;
fig. 4 is a schematic diagram illustrating a format of a sampling packet according to an embodiment of the present application;
fig. 5 is a flowchart of another path information storage method provided in an embodiment of the present application;
fig. 6 is a flowchart of a method for determining and recording a message digest and information of a corresponding inter-domain neighboring AS according to an embodiment of the present application;
fig. 7 is a schematic format diagram of a source recording area according to an embodiment of the present application;
fig. 8 is a schematic format diagram of a destination recording area according to an embodiment of the present application;
fig. 9 is a schematic diagram of adding a third timestamp provided by an embodiment of the present application;
fig. 10 is a schematic flowchart of a method for storing path information according to an embodiment of the present application;
fig. 11 is a flowchart of an inter-domain forwarding path query method according to an embodiment of the present application;
fig. 12 is a schematic view of a scenario of an inter-domain forwarding path query according to an embodiment of the present application;
fig. 13 is a schematic view of another scenario for inter-domain forwarding path query according to an embodiment of the present application;
fig. 14 is a schematic view of a scenario of another inter-domain forwarding path query provided in the embodiment of the present application;
fig. 15 is a schematic view of a scenario of another inter-domain forwarding path query provided in the embodiment of the present application;
fig. 16 is a schematic view of a scenario of another inter-domain forwarding path query provided in the embodiment of the present application;
fig. 17 is a schematic view of a scenario of another inter-domain forwarding path query provided in the embodiment of the present application;
fig. 18 is a schematic view of a scenario of another inter-domain forwarding path query provided in the embodiment of the present application;
fig. 19 is another system architecture diagram according to an inter-domain forwarding path query method provided in an embodiment of the present application;
fig. 20 is a schematic structural diagram of an inter-domain forwarding path querying device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application more clear, the embodiments of the present application will be further described in detail with reference to the accompanying drawings.
Fig. 1 is a system architecture diagram for an inter-domain forwarding path query method provided in an embodiment of the present application. Referring to fig. 1, the system architecture includes a plurality of ASs (autonomous systems, also referred to as autonomous domains); each AS includes one or more border network devices 101, and each AS corresponds to one path server 102. The system architecture further includes a database 103, which is a database trusted by each AS. Within any one AS, the border network devices 101 can communicate with each other, and each border network device 101 can communicate with the path server 102 corresponding to that AS. The path servers 102 corresponding to the respective ASs can communicate with each other, and each path server 102 can also communicate with the database 103.
It should be noted that, for a packet that needs to be forwarded across ASs, the source AS of the packet further includes a source end device 104. The source end device 104 is configured to generate the packet and forward it to a border network device 101 in the source AS, and that border network device 101 forwards the packet to the next-hop AS. The destination AS of the packet further includes a destination end device 105, and a border network device 101 in the destination AS receives the packet and forwards it to the destination end device 105.
In addition, fig. 1 only schematically shows a system architecture according to the method provided by the embodiment of the present application. In some embodiments, the ASs 1 through ASn in fig. 1 refer to all ASs through which a packet sent from the source end device 104 to the destination end device 105 passes, so that the AS1 in fig. 1 is a source AS of a packet sent by the source end device 104 to the destination end device 105, and the AS1 includes the source end device 104, and the ASn in fig. 1 is a destination AS of a packet sent by the source end device 104 to the destination end device 105, and includes the destination end device 105. In other embodiments, the ASs 1 through ASn in fig. 1 refer to the partial ASs through which the packets sent from the source end device 104 to the destination end device 105 pass, so that the AS1 and ASn in fig. 1 may be intermediate ASs of the packets sent by the source end device 104 to the destination end device 105, so that the AS1 does not include the source end device 104 and the ASn does not include the destination end device 105. That is, fig. 1 only schematically shows a system architecture, and the system architecture in fig. 1 does not limit the embodiments of the present application.
Two processes are mainly involved in the embodiment of the present application. The first is the process of storing path information while a packet is forwarded: as the border network devices 101 in each AS forward a packet, the corresponding path server 102 records the path information of the forwarded packet and sends a path deposit certificate to the database 103, so that the path deposit certificate is stored in the database 103. The second is the process of querying the inter-domain forwarding path of a packet: one AS, through its path server 102, requests another AS to feed back the forwarding records of one or more packets, and constructs the inter-domain forwarding path of the corresponding packet from the fed-back forwarding records. The functions of the devices in the system architecture are described below in terms of these two processes.
1. Process for storing path information in process of forwarding message
For an AS, if the AS is the source AS or an intermediate AS of the packet to be forwarded, the packet is received by one border network device 101 in the AS and forwarded to the next-hop AS, or the packet is received by one border network device 101 in the AS, routed to another border network device 101 in the AS, and forwarded by that device to the next-hop AS. If the AS is the destination AS of the packet, the packet is received by a border network device 101 in the AS and forwarded to the destination end device 105 in the destination AS. The path server 102 in the AS can record related information of the packet to represent the path information of the packet forwarded by the AS, for example by storing the packet itself directly, or by determining and storing a message digest of the packet.
In some embodiments, the path server 102 in the AS is further capable of determining and storing information of inter-domain neighboring AS of the AS during forwarding of the packet by the border network device 101 in the AS, where the inter-domain neighboring AS includes at least one of a previous-hop AS and a next-hop AS. That is, the path information stored in the path server 102 can record not only the related information of the packet to represent that the AS forwards the packet, but also the inter-domain neighboring AS of the AS that forwards the packet.
Then, the path server 102 can generate a path deposit certificate according to the stored path information and send the path deposit certificate to the database 103, and the database 103 is used for storing the path deposit certificate submitted by the path server.
In an implementation manner in which the path server 102 stores a message digest of a message and information of an inter-domain neighboring AS of the AS during forwarding the message, the path server 102 may determine information of the inter-domain neighboring AS of the AS during forwarding the message according to IP address information of the message, and may store the information of the inter-domain neighboring AS of the AS and the message digest in different regions according to address information, a timestamp, and the like of the message, where the timestamp is used to indicate a generation time of the message.
There are various implementations of the path server 102 determining the IP address information, the timestamp, and the message digest of the message, and three implementations thereof are described next.
In a first implementation manner, the border network device 101 in the AS samples the forwarded packet, constructs a sampling packet, and sends the sampling packet to the path server 102 corresponding to the AS, where the sampling packet carries the IP address information, the timestamp, and the message digest of the packet.
In a second implementation manner, the border network device 101 in the AS copies and sends the forwarded message to the path server 102 corresponding to the AS, and the path server 102 obtains the IP address information and the timestamp carried in the message and determines a message digest according to the message.
In the third implementation manner, the border network device 101 in the AS copies and sends the forwarded packet to the bypass sampling device, the bypass sampling device samples the packet, constructs a sampling packet, and sends the sampling packet to the path server 102.
That is, in the third implementation manner, each AS in the system architecture further corresponds to a bypass sampling device, and the bypass sampling device constructs a sampling packet and sends the sampling packet to the path server 102.
Each border network device 101 may correspond to its own bypass sampling device; or one AS may correspond to one bypass sampling device with which every border network device 101 in the AS communicates; or part of the border network devices 101 in an AS may correspond to one bypass sampling device and the remaining border network devices 101 to another, so that each border network device 101 in the AS can communicate with one bypass sampling device.
The first process is described above by taking one AS as an example. It should be noted that the border network devices 101 and the corresponding path server 102 in every AS in the system architecture can implement the functions of the corresponding devices described above, which is not repeated here.
2. Process for querying inter-domain forwarding path of message
In the embodiment of the present application, each AS can request, through its corresponding path server 102, a query of the inter-domain forwarding path of one or more packets.
For example, the source AS and the destination AS negotiate an expected inter-domain forwarding path for packets sent from an address block corresponding to the source AS to an address block corresponding to the destination AS, so that both the source AS and the destination AS know the expected inter-domain forwarding path of the forwarded packets. If the source AS or the destination AS wants to know whether a forwarded packet actually followed the expected inter-domain forwarding path, it can send, through its own path server 102, a path query request to the path server 102 corresponding to each intermediate AS included in the expected inter-domain forwarding path, and reconstruct the actual inter-domain forwarding path of the packet from the forwarding records fed back by the intermediate ASs. Therefore, in this scheme, the source AS and the destination AS can verify from the feedback of the intermediate ASs whether the actual inter-domain forwarding path of the packet is consistent with the expected one.
Optionally, if an intermediate AS wants to know the inter-domain forwarding path of a packet it forwarded, the intermediate AS can also send a query request to one or more other ASs, for example to its neighboring ASs or to all ASs. Optionally, in the general case, an intermediate AS does not need to request a query of the inter-domain forwarding path of a packet.
Taking the example that the first AS requests the second AS to query the inter-domain forwarding path of the first packet, for the first AS, the first AS may send a first path query request to the second path server 102 corresponding to the second AS through the corresponding first path server 102 to query the inter-domain forwarding path of the first packet.
If the second path server 102 has recorded path information related to the first packet, that is, if the second AS forwarded the first packet and recorded the related path information, the second path server 102 can feed this information back to the first path server 102. For example, if the second path server 102 has recorded the message digest of the first packet, it can feed back to the first path server 102 that the second AS forwarded the first packet. In some embodiments, the second path server 102 records, in addition to the message digest of the first packet, the information of the inter-domain neighboring ASs of the second AS during forwarding of the first packet, in which case the forwarding record fed back by the second path server 102 further includes that inter-domain neighboring AS information.
In the embodiment of the present application, in order to ensure that the path information stored by each AS cannot be falsified, as can be seen from the foregoing description, the system architecture further includes a database 103 for storing the path deposit certificates submitted by the path servers 102. On this basis, after receiving the forwarding record fed back by the second path server 102, the first path server 102 can obtain the corresponding path deposit certificate from the database 103, verify the forwarding record fed back by the second path server 102 against that certificate, and construct the inter-domain forwarding path of the first packet according to the verification result.
It should be noted that the first path server 102 corresponding to the first AS can send a path query request to the path servers 102 corresponding to the intermediate ASs included in the expected inter-domain forwarding path, and recover the true and complete inter-domain forwarding path of the first packet according to the forwarding record fed back by the path server 102 corresponding to the intermediate AS.
Optionally, in this embodiment of the present application, if the source end device 104 needs to obtain the inter-domain forwarding path of a packet it sent, it sends a query request to the path server 102 corresponding to the source AS in which it is located. The path server 102 of the source AS sends a path query request to the path server 102 corresponding to each intermediate AS included in the expected inter-domain forwarding path, verifies the forwarding record fed back by each of them against the path deposit certificates stored in the database 103, reconstructs the true and complete inter-domain forwarding path of the packet, and then feeds the reconstructed inter-domain forwarding path back to the source end device 104. For example, the source end device 104 may want to know the inter-domain forwarding paths of packets carrying a confidential file; it queries through the source AS, which feeds the result back to the source end device 104, so that the source end device 104 learns whether the confidential file passed through an unexpected AS.
In the embodiment of the present application, the border network device 101 is a forwarding device such as a router or a switch. The path server 102 is a server, a server cluster composed of a plurality of servers, or a cloud server. The bypass sampling device is any device having a data processing function, such as a notebook computer or a desktop computer. The database 103 is stored on a server provided by a third party trusted by each AS; for example, the database 103 is a centralized database on a third-party server implemented as a server, a server cluster or a cloud server. Alternatively, the database 103 is a decentralized database in which each AS is a node; for example, the database 103 is a database maintained at the nodes of a blockchain, and each AS that forwards packets is a node of that blockchain. The source end device 104 and the destination end device 105 are both any devices having a communication function, such as a mobile phone, a computer, an intelligent appliance, or a wearable device.
Alternatively, in some embodiments, the functions of the path server 102 may be implemented by a device such as a controller, with each AS corresponding to one controller. In other embodiments, the functions of the path server 102 may also be implemented by network devices, each AS being deployed with network devices for implementing the corresponding functions, for example a router or switch deployed in each AS for that purpose. That is, the functions of the path server 102 can be implemented by any device including a processor and a memory; the embodiment of the present application only takes implementation by the path server 102 as an example, i.e., the path server 102 is only one device for implementing the inter-domain forwarding path query method, and the path server 102 itself does not limit the embodiment of the present application.
The network architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not form a limitation on the technical solution provided in the embodiment of the present application, and as a person of ordinary skill in the art knows that along with the evolution of the network architecture and the appearance of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a computer device according to an embodiment of the present application. Optionally, the computer device is the path server 102 shown in fig. 1, the computer device comprising one or more processors 201, a communication bus 202, a memory 203, and one or more communication interfaces 204.
The processor 201 is a general-purpose Central Processing Unit (CPU), a Network Processor (NP), a microprocessor, or one or more integrated circuits such as an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof for implementing the present invention. Optionally, the PLD is a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
A communication bus 202 is used to transfer information between the above components. Optionally, the communication bus 202 is divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
Alternatively, the memory 203 is a read-only memory (ROM), a Random Access Memory (RAM), an electrically erasable programmable read-only memory (EEPROM), an optical disk (including a compact disk read-only memory (CD-ROM), a compact disk, a laser disk, a digital versatile disk, a blu-ray disk, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to. The memory 203 is separate and connected to the processor 201 via the communication bus 202, or the memory 203 is integrated with the processor 201.
The communication interface 204 uses any transceiver or the like for communicating with other devices or communication networks. The communication interface 204 includes a wired communication interface and optionally a wireless communication interface. The wired communication interface is, for example, an ethernet interface. Optionally, the ethernet interface is an optical interface, an electrical interface, or a combination thereof. The wireless communication interface is a Wireless Local Area Network (WLAN) interface, a cellular network communication interface, or a combination thereof.
Optionally, in some embodiments, the computer device comprises a plurality of processors, such as processor 201 and processor 205 shown in fig. 2. Each of these processors is a single core processor, or a multi-core processor. A processor herein optionally refers to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In a particular implementation, the computer device further includes an output device 206 and an input device 207, as one embodiment. The output device 206 is in communication with the processor 201 and is capable of displaying information in a variety of ways. For example, the output device 206 is a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display device, a Cathode Ray Tube (CRT) display device, a projector (projector), or the like. The input device 207 is in communication with the processor 201 and is capable of receiving user input in a variety of ways. For example, the input device 207 is a mouse, a keyboard, a touch screen device, a sensing device, or the like.
In some embodiments, the memory 203 is used to store program code 210 for performing aspects of the present application, and the processor 201 is capable of executing the program code 210 stored in the memory 203. The program code includes one or more software modules, and the computer device is capable of implementing related method contents of the inter-domain forwarding path query method provided in the embodiments of fig. 3, fig. 5, fig. 6, fig. 10 and fig. 11 below through the processor 201 and the program code 210 in the memory 203.
The inter-domain forwarding path query method provided by the embodiment of the present application is explained in detail below. Based on the above description, the embodiment of the present application is mainly divided into two processes. For ease of understanding, the process of storing path information while a packet is forwarded is described first, that is, the embodiment of the present application provides a method for storing path information. The description takes as an example the first path server corresponding to a first AS storing the path information of a second packet while a first border network device in the first AS forwards the second packet. It should be noted that there are various implementation manners of the path information storage method, and two of them are described below with reference to fig. 3 and fig. 5.
Referring to fig. 3, the storage method of path information includes the following steps.
Step 301: the first path server determines a second message digest and records it locally, where the second message digest is the digest of the second packet.
In this embodiment of the present application, the first path server may determine the second message digest while the first border network device forwards the second packet. It should be noted that there are various implementation manners for the first path server to determine the second message digest.
In a first implementation manner, the first path server receives a sampling packet sent by the first border network device, where the sampling packet carries the second message digest.
Optionally, the sampling packet further carries IP address information of the second packet and a second timestamp, where the second timestamp is used to indicate generation time of the second packet. Wherein the IP address information comprises a source IP address and/or a destination IP address.
That is, the first border network device samples the forwarded second packet, constructs a sampling packet, and sends the sampling packet to the first path server corresponding to the first AS.
Optionally, the first border network device is deployed with a sampling unit, the sampling unit is capable of performing hash operation on an invariant field and a data field of a packet header of the second packet to obtain a hash value, the hash value is used as a second packet digest, and then the sampling unit is capable of constructing a sampling packet according to the IP address information of the second packet, the second timestamp, and the second packet digest, and sending the sampling packet to the first path server.
Exemplarily, assuming that the IP address information includes a source IP address and a destination IP address, a sampling unit is deployed at a port of the first border network device and is used to sample the packets received by the first border network device and construct sampling packets. For example, the sampling unit performs a hash operation on the invariant fields of the header of the second packet and the data field of the second packet with a hash function H256 to obtain a 16-byte binary hash value H(con), and concatenates the hash value H(con) with the source IP address srcip, the destination IP address dstip and the second timestamp time of the second packet to construct the sampling packet, denoted digest. The specific form of the sampling packet may be as shown in fig. 4, or the sampling packet may be represented as follows:
digest=srcip||dstip||time||H(con)
In the first implementation manner, the sampling unit is deployed on the border network device and sends only the sampling packet to the path server, rather than the entire second packet.
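The following Python code is an added example written for this page; it is not code from the application. It constructs an IPv4 packet, computes H(con) over the header's invariant fields and the data field, and assembles and parses the sampling packet digest=srcip||dstip||time||H(con). It assumes SHA-256 for H256, truncation of the hash to the 16 bytes stated above, an 8-byte timestamp in seconds, and that only the TTL and header checksum are the variable header fields; the text fixes none of these, and the helper names (build_ipv4, content_hash, build_sampling_packet, parse_sampling_packet) are invented here.

```python
import hashlib
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement IPv4 header checksum (checksum field must be zero on input)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet for the demonstration: 20-byte header without options plus payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def content_hash(packet: bytes) -> bytes:
    """H(con): hash over the invariant header fields and the data field.

    TTL (byte 8) and the header checksum (bytes 10-11) are rewritten at every hop,
    so they are zeroed before hashing; every AS on the path then derives the same
    H(con) for the same packet. The SHA-256 output is truncated to 16 bytes to
    match the sampling packet layout given in the text (an assumption).
    """
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[8] = 0
    header[10:12] = b"\x00\x00"
    return hashlib.sha256(bytes(header) + packet[ihl:]).digest()[:16]


SAMPLE_FMT = "!4s4sQ16s"  # srcip || dstip || time || H(con): 4 + 4 + 8 + 16 = 32 bytes


def build_sampling_packet(packet: bytes, timestamp: int) -> bytes:
    """Sampling packet digest = srcip || dstip || time || H(con) (source/destination at fixed offsets 12 and 16)."""
    return struct.pack(SAMPLE_FMT, packet[12:16], packet[16:20], timestamp, content_hash(packet))


def parse_sampling_packet(sample: bytes) -> dict:
    """Inverse of build_sampling_packet, as the path server would read the fields."""
    src, dst, ts, hcon = struct.unpack(SAMPLE_FMT, sample)
    return {
        "srcip": str(ipaddress.IPv4Address(src)),
        "dstip": str(ipaddress.IPv4Address(dst)),
        "time": ts,
        "hcon": hcon.hex(),
    }


if __name__ == "__main__":
    # The same packet as seen by two successive ASs differs only in TTL and checksum.
    at_as1 = build_ipv4("10.0.0.1", "192.0.2.5", 64, b"hello, world")
    at_as2 = build_ipv4("10.0.0.1", "192.0.2.5", 63, b"hello, world")
    print(content_hash(at_as1) == content_hash(at_as2))  # both path servers record the same digest
    print(parse_sampling_packet(build_sampling_packet(at_as1, 1700000000)))
```

Two practitioner caveats apply to any concrete choice of invariant fields: DSCP/ECN bits and NAT-rewritten addresses also change in transit in real networks, and if they are hashed, different ASs will compute different digests for the same packet; and truncating the hash to 16 bytes lowers collision resistance to roughly 64 bits, which is acceptable for identifying sampled packets but should not be mistaken for full SHA-256 strength.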
In a second implementation manner, the first path server receives a second message sent by the first border network device, and generates a second message digest according to the second message.
That is, the first border network device can copy and send the received second message to the first path server, and the first path server generates the second message digest according to the second message.
It should be noted that, for the implementation manner in which the first path server generates the second message digest according to the second message, reference is made to the related description of the sampling unit in the foregoing first implementation manner, and details are not described here again.
In the second implementation manner, the path server determines the message digest, so no sampling unit needs to be deployed in the border network device; this saves one port of the border network device, has less impact on its performance, and no sampling packet needs to be constructed.
In a third implementation manner, the first path server receives a sampling packet sent by a bypass sampling device of the first border network device, the sampling packet carries the second message digest, and the bypass sampling device is configured to obtain the second packet from the first border network device and generate the sampling packet according to the second packet.
Optionally, the sampling packet further carries IP address information and a second timestamp of the second packet.
That is, the first border network device corresponds to a bypass sampling device; the first border network device copies the received second packet and sends the copy to the bypass sampling device, and the bypass sampling device samples the second packet, generates the second message digest according to the second packet, constructs a sampling packet, and sends the sampling packet to the first path server.
It should be noted that, for the implementation manner of generating the second packet digest by the bypass sampling device according to the second packet, reference is made to the related description of the sampling unit in the foregoing first implementation manner, and details are not described here again.
In this embodiment of the present application, after determining the second message digest, the first path server may also record the second message digest locally. It should be noted that there are various implementation manners for the first path server to record the second message digest.
In a first implementation manner, when the first path server receives the sampling packet and the sampling packet only carries the second message digest, or when the first path server receives the second message and determines the second message digest only according to the second message, the first path server directly obtains and records the second message digest. That is, each message digest is stored separately.
Optionally, the first path server directly stores all fields of the second message digest, or stores part of the fields of the second message digest, so as to save storage space.
In a second implementation manner, when the first path server receives a sampling packet carrying the IP address information, the second timestamp and the second message digest of the second packet, or when the first path server receives the second packet itself and can therefore both determine the second message digest from it and obtain the IP address information and the second timestamp of the second packet, the first path server records the second message digest in the corresponding recording area according to the IP address information and the second timestamp of the second packet. That is, the path server can record message digests in recording areas.
In the second implementation manner, when the IP address information includes the source IP address of the second packet, the recording area includes a source recording area, and the first path server can record the second message digest in the corresponding source recording area according to the source IP address and the second timestamp of the second packet. The first path server can then determine the second path deposit certificate according to the source recording area in which the second message digest is recorded.
When the IP address information includes the destination IP address of the second packet, the recording area includes a destination recording area, and the first path server can record the second message digest in the corresponding destination recording area according to the destination IP address and the second timestamp of the second packet.
When the IP address information includes both the source IP address and the destination IP address of the second packet, the recording area includes a source recording area and a destination recording area; the first path server records the second message digest in the corresponding source recording area according to the source IP address and the second timestamp of the second packet, and records the second message digest in the corresponding destination recording area according to the destination IP address and the second timestamp of the second packet.
Optionally, in an embodiment of the present application, a source recording area includes a source start time field, a source address field, and a message digest field, where the source start time field is used to store the start recording time of the source recording area, the start recording time of the source recording area is not later than the time indicated by the timestamp of the message corresponding to the stored message digest, the source address field is used to store a source IP address or a source IP address block of the message, the source IP address of the message corresponding to the message digest stored in the source recording area belongs to the source IP address block, and the message digest field is used to store the message digest.
It should be noted that, when the source address field stores the source IP address of a packet, one source recording area only stores the packet digests of packets sent by one source end device. When the source address field stores a source IP address block, one source recording area can store the message digests of messages sent by multiple source end devices, where the source IP addresses of those messages all belong to the source IP address block and their timestamps are all later than the start recording time of the source recording area; this reduces the number of source recording areas, saves storage space, and facilitates retrieval.
Optionally, in this embodiment of the present application, a destination recording area includes a destination start time field, a destination address field and a message digest field, where the destination start time field is used to store a start recording time of the destination recording area, the start recording time of the destination recording area is not later than a time indicated by a timestamp carried in a message corresponding to a stored message digest, the destination address field is used to store a destination IP address or a destination IP address block of the message, a destination IP address of the message corresponding to the message digest stored in the destination recording area belongs to the destination IP address block, and the message digest field is used to store a message digest.
It should be noted that, when the destination address field stores the destination IP address of a packet, one destination recording area only stores the packet digests of packets addressed to one destination device. When the destination address field stores a destination IP address block, one destination recording area stores the message digests of messages sent to multiple destination end devices, where the destination IP addresses of those messages all belong to the destination IP address block and their timestamps are all later than the start recording time of the destination recording area; this reduces the number of destination recording areas, saves storage space, and facilitates retrieval.
Optionally, the source IP address block is an address indicated by a 24-bit prefix of a source IP address of the packet when the corresponding source recording area is created, and the destination IP address block is an address indicated by a 24-bit prefix of a destination IP address of the packet when the corresponding destination recording area is created.
In this embodiment of the application, the first path server searches the stored recording areas for the recording area corresponding to the IP address information and the second timestamp of the second packet. If the corresponding recording area is found, the first path server records the second message digest in the found recording area. If no corresponding recording area is found, the first path server creates a recording area according to the IP address information and the second timestamp of the second message, and records the second message digest in the created recording area.
Optionally, in this embodiment of the application, there are multiple implementation manners in which the first path server records the second message digest in the corresponding recording area, and three implementation manners are described next.
In a first implementation manner, the first path server records the whole second message digest in the corresponding recording area.
Illustratively, the second message digest is a hash value, and the first path server can record the whole of the hash value in the corresponding recording area.
In a second implementation manner, the first path server records the first N bits of the second message digest in the corresponding recording area, the number of bits of the second message digest is M, N and M are both integers greater than zero, and N is smaller than M.
It should be noted that, when the message digest is a hash value, the hash value can be represented in a binary form, that is, the message digest is represented in the binary form, so that the path server can obtain the first N bits of the message digest represented in the binary form.
Illustratively, the first path server is configured with N and stores the first N bits of the second message digest according to the configured N; or the first path server is configured with a truncation ratio, determines N from the configured truncation ratio and the total number of bits of the second message digest, and stores the first N bits of the second message digest according to the determined N. Assuming that the configured N is 64 and the number of bits of the second message digest is 128, the first path server stores the first 64 bits of the second message digest in the corresponding recording area. Assuming that the configured truncation ratio is 0.75 and the number of bits of the second message digest is 128, the first path server stores the first 96 bits in the corresponding recording area. It should be noted that, when N is determined according to the truncation ratio, rounding up or rounding down may be performed to ensure that N is an integer.
In this implementation, the first path server only stores part of the fields of the second message digest, which can save storage space.
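The recording-area lookup-or-create step and the digest truncation described above, as an added example that is not the patent's own code. It assumes a fixed time window per recording area and a 128-bit digest; the window length, the sample addresses and the digest inputs are constructed for the example.

```python
"""Added example: a path server's source/destination recording areas keyed by the
/24 address block and a start time, storing the whole digest or its first N bits."""
import hashlib
import ipaddress
import math
from dataclasses import dataclass, field
from typing import Optional

# Assumption: each recording area covers one time window of this length; the
# page fixes only that the start time is not later than any stored timestamp.
WINDOW_SECONDS = 60


def address_block(ip: str, prefix_len: int = 24) -> str:
    """Return the address block (e.g. '10.0.1.0/24') indicated by the prefix of ip."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def truncate_digest(digest: bytes, n_bits: Optional[int] = None,
                    ratio: Optional[float] = None, round_up: bool = True) -> str:
    """Return the first N bits of the digest as a '0'/'1' string.

    N is either configured directly or derived from a truncation ratio and the
    digest length M; a ratio that does not yield an integer is rounded up or
    down as configured. With neither argument the whole digest is returned.
    """
    m = len(digest) * 8
    bits = bin(int.from_bytes(digest, "big"))[2:].zfill(m)
    if n_bits is None and ratio is None:
        return bits
    if n_bits is None:
        n_bits = math.ceil(ratio * m) if round_up else math.floor(ratio * m)
    if not 0 < n_bits < m:
        raise ValueError("N must satisfy 0 < N < M")
    return bits[:n_bits]


@dataclass
class RecordingArea:
    start_time: int        # start recording time, not later than any stored timestamp
    block: str             # source or destination address block
    digests: list = field(default_factory=list)


class RecordingAreaStore:
    """Source and destination recording areas held by one path server."""

    def __init__(self, n_bits: Optional[int] = None, ratio: Optional[float] = None):
        self.n_bits, self.ratio = n_bits, ratio
        self.source: dict = {}        # (block, start_time) -> RecordingArea
        self.destination: dict = {}

    def _find_or_create(self, table: dict, ip: str, ts: int) -> RecordingArea:
        start = ts - ts % WINDOW_SECONDS          # window start is <= ts
        key = (address_block(ip), start)
        if key not in table:                      # not found: create the area
            table[key] = RecordingArea(start, key[0])
        return table[key]

    def record(self, digest: bytes, src_ip: Optional[str] = None,
               dst_ip: Optional[str] = None, ts: int = 0) -> str:
        """Record the digest in the area(s) selected by the carried IP information."""
        stored = truncate_digest(digest, self.n_bits, self.ratio)
        if src_ip is not None:
            self._find_or_create(self.source, src_ip, ts).digests.append(stored)
        if dst_ip is not None:
            self._find_or_create(self.destination, dst_ip, ts).digests.append(stored)
        return stored


def message_digest(packet: bytes) -> bytes:
    """Constructed 128-bit message digest (the page's H(con) is 16 bytes long)."""
    return hashlib.sha256(packet).digest()[:16]
```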
In a third implementation manner, the first path server sets the corresponding bloom filter in the recording area according to the second message digest, so as to record the second message digest through the corresponding bloom filter in the recording area.
In this embodiment of the present application, the path server can record the message digest by setting the bloom filter, that is, the first path server can perform hash operation on the second message digest by using a plurality of hash functions, respectively, to obtain a plurality of hash indication values, and set a corresponding position of each hash indication value in the plurality of hash indication values in the bloom filter to be '1'.
It should be noted that, because the number of positions in a bloom filter is limited, the proportion of positions set to '1' rises over time and may become high; if message digests continue to be stored in it, the bloom filter becomes unusable. Therefore, a new bloom filter may be created at regular intervals, or each time the proportion of positions set to '1' in the bloom filter reaches a specific proportion; alternatively, every position of the bloom filter may be reset to '0'.
Alternatively, only one bloom filter is stored in one recording area, or a plurality of bloom filters are stored according to time periods, each bloom filter corresponding to one time period.
Optionally, in order to synchronize bloom filters in the recording areas stored in the path servers corresponding to the respective ASs, in an embodiment of the present application, a time stamp is determined by a border network device in the source AS that forwards the packet and is added to the packet, so that a time period corresponding to the bloom filter in the recording area stored in the path server corresponding to the respective AS that forwards the packet is synchronized according to the time stamp.
Based on this, in this embodiment of the present application, the first path server may determine a third timestamp, where the third timestamp is determined by a border network device in the source AS that forwards the second packet and is added to the second packet, and the third timestamp is used to synchronize bloom filters in recording areas stored in path servers corresponding to the respective ASs. The first path server can determine one bloom filter from the one or more bloom filters in the corresponding recording area according to the third timestamp. Then, the first path server can set the determined value of the bloom filter according to the second message digest.
It should be noted that the determined start time of the time period corresponding to the bloom filter is no later than the third timestamp. In addition, in the implementation mode, in the subsequent query process, the precise positioning of the bloom filter can be realized according to the timestamp.
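Recording a digest through one bloom filter per synchronized time period, selected by the third timestamp, as an added example that is not the patent's own code. The filter size, the number of hash functions, the period length and the fill ratio at which a filter is reset are constructed parameters.

```python
"""Added example: a recording area that holds one bloom filter per time period,
where the period is chosen from the timestamp added by the source AS border device."""
import hashlib

FILTER_BITS = 1024        # constructed: positions in each bloom filter
HASH_COUNT = 3            # constructed: number of hash functions
PERIOD_SECONDS = 300      # constructed: length of one time period
MAX_FILL_RATIO = 0.5      # constructed: reset the filter once this many positions are '1'


class BloomFilter:
    def __init__(self, bits: int = FILTER_BITS, k: int = HASH_COUNT):
        self.bits, self.k = bits, k
        self.array = bytearray(bits // 8)
        self.set_count = 0

    def _positions(self, digest: bytes):
        # k hash indication values: each hash function is SHA-256 salted with its index
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + digest).digest()
            yield int.from_bytes(h[:4], "big") % self.bits

    def add(self, digest: bytes) -> None:
        """Set the position of every hash indication value to '1'."""
        for pos in self._positions(digest):
            byte, bit = divmod(pos, 8)
            if not self.array[byte] & (1 << bit):
                self.array[byte] |= 1 << bit
                self.set_count += 1

    def may_contain(self, digest: bytes) -> bool:
        """True if every position for the digest is '1' (false positives possible)."""
        return all(self.array[p // 8] & (1 << (p % 8)) for p in self._positions(digest))

    def fill_ratio(self) -> float:
        return self.set_count / self.bits

    def reset(self) -> None:
        self.array = bytearray(self.bits // 8)
        self.set_count = 0


class TimedRecordingArea:
    """A recording area with one bloom filter per synchronized time period."""

    def __init__(self):
        self.filters: dict = {}   # period start time -> BloomFilter

    @staticmethod
    def period_start(third_timestamp: int) -> int:
        # the start of the chosen period is never later than the third timestamp
        return third_timestamp - third_timestamp % PERIOD_SECONDS

    def record(self, digest: bytes, third_timestamp: int) -> int:
        """Select the filter by the third timestamp and set it for the digest."""
        start = self.period_start(third_timestamp)
        bf = self.filters.setdefault(start, BloomFilter())
        if bf.fill_ratio() >= MAX_FILL_RATIO:
            # too many positions are '1': the filter no longer discriminates, so
            # reset every position to '0' (one of the options the text lists)
            bf.reset()
        bf.add(digest)
        return start

    def query(self, digest: bytes, third_timestamp: int) -> bool:
        """Locate the filter for the timestamp's period and test the digest."""
        bf = self.filters.get(self.period_start(third_timestamp))
        return bf is not None and bf.may_contain(digest)
```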
Optionally, in this embodiment of the present application, because the memory of the path server is limited, each recording area is updated once every second time interval. For example, the recording area is stored to a hard disk or other memory, after which the message digests recorded in the recording area are emptied and recording is restarted.
In the above description, the recording area for recording message digests is created according to the IP address information and the timestamp of the message. Alternatively, in some other embodiments, the path server can create the recording area according to the timestamp only, for example, one recording area stores all message digests determined within a period of time without distinguishing the source or destination IP address of the message. In that case, the sampling packet does not need to carry the IP address information of the message.
In this embodiment of the present application, the recording area in which the first path server records the second packet digest is a first recording area, where the first recording area is used to record related information of the second packet, and the related information of the second packet includes the second packet digest.
Optionally, the first border network device copies the received second packet and sends the copy to the first path server, and the first path server stores the second packet to represent that the first AS forwarded the second packet, that is, the second packet itself is stored directly as the second packet digest. It should be noted that the implementation manners for storing the second packet by the first path server may refer to the foregoing description of storing the second packet digest: for example, each packet is stored separately, or the packets are stored in partitioned recording areas according to the IP address information and the timestamp of the packet, or the packets are stored in partitioned recording areas created according to the timestamp only.
Step 302: the first path server determines the second path certificate and sends the second path certificate to the database, so that the second path certificate is stored in the database.
In the embodiment of the application, the first path server can determine the second path certificate according to the recorded second message digest under the condition that the second message digest is recorded. It should be noted that, because there are various implementation manners for the first path server to record the second message digest, there are also various implementation manners for the first path server to determine the second path certificate according to the recorded second message digest.
When the first path server directly records the second message digest, that is, when each message digest is stored separately, the first path server can directly store the second message digest as the second path certificate. Alternatively, the first path server determines the second path certificate from all message digests recorded within a period of time, for example by constructing a Merkle tree with each message digest as a leaf node and using the root node of the constructed Merkle tree as the second path certificate.
When the first path server records the second message digest in the corresponding recording area, the first path server can determine the second path certificate according to the recording area in which the second message digest is recorded. For example, the first path server determines a hash value for each stored recording area, constructs a Merkle tree with the hash values of the recording areas as leaf nodes, and uses the root node of the constructed Merkle tree as the second path certificate.
Optionally, when the first path server directly records the second packet, that is, when each packet is stored separately, the first path server may directly store the recorded second packet as the second path certificate. Alternatively, the first path server determines the second path certificate from all packets recorded within a period of time, for example by performing a hash operation on each packet to obtain its hash value, constructing a Merkle tree with the hash value of each packet as a leaf node, and using the root node of the constructed Merkle tree as the second path certificate.
Optionally, when the first path server records the second message in the corresponding recording area, the first path server may determine the second path certificate according to the recording area in which the second message is recorded. For example, the first path server determines a hash value for each stored recording area, constructs a Merkle tree with the hash values of the recording areas as leaf nodes, and uses the root node of the constructed Merkle tree as the second path certificate.
In this embodiment of the application, after determining the second path certificate, the first path server sends the second path certificate to the database, so that the second path certificate is stored in the database.
Optionally, the database is a database stored on a server provided by a third party trusted by each AS, or the database is a database maintained at a blockchain node: each AS that forwards a packet is a node of the blockchain, each node holds the complete blockchain data, and each node synchronizes the blockchain data submitted by all nodes of the blockchain, that is, the path certificates submitted by each AS through its corresponding path server.
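Deriving the path certificate as the root of a Merkle tree over recording-area hashes, as an added example that is not the patent's own code. It goes one step beyond the text by also producing an audit path, so that a single recording area can later be checked against the certificate stored in the database; the encoding of a recording area into its leaf hash is an assumption.

```python
"""Added example: path certificate = Merkle root over the hashes of the recording
areas a path server holds, with an audit path for checking one area against it."""
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def recording_area_hash(start_time: int, block: str, digests: list) -> bytes:
    """Constructed encoding: hash of the area's fields and its stored digests."""
    body = start_time.to_bytes(8, "big") + block.encode() + b"".join(digests)
    return sha256(body)


def _next_level(level: list) -> list:
    if len(level) % 2:
        level.append(level[-1])          # duplicate the last node on odd levels
    return [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: list) -> bytes:
    """Root node of the Merkle tree built from the given leaf hashes."""
    if not leaves:
        raise ValueError("no recording areas to certify")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: list, index: int) -> list:
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], index % 2 == 0))   # True: sibling is on the right
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof: list, root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path; True if it matches."""
    h = leaf
    for sibling, sibling_right in proof:
        h = sha256(h + sibling) if sibling_right else sha256(sibling + h)
    return h == root


def path_certificate(areas: list) -> bytes:
    """areas: list of (start_time, block, digests) tuples -> the path certificate."""
    return merkle_root([recording_area_hash(*area) for area in areas])
```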
In the foregoing, a first implementation manner of the method for storing path information is introduced, in which the path information stored by the first path server is only used to represent that the first AS forwards the second packet, that is, the stored first recording area is only used to record relevant information of the second packet, and the relevant information of the second packet includes a second packet digest or the second packet. Optionally, in this embodiment of the present application, the path information stored by the first path server may further include information of an inter-domain neighboring AS of the first AS in the process of forwarding the second packet, where the inter-domain neighboring AS includes at least one of a previous-hop AS and a next-hop AS, and this implementation will be described next.
Referring to fig. 5, the storage method of path information includes the following steps.
Step 501: the first path server determines the inter-domain neighboring AS information of the first AS in the process of forwarding the second message and the second message digest, and records the inter-domain neighboring AS information and the second message digest locally.
In this embodiment of the present application, the first path server may determine the inter-domain neighboring AS information and the second packet digest of the first AS during the process of forwarding the second packet, and locally store the inter-domain neighboring AS information and the second packet digest of the first AS during the process of forwarding the second packet. It should be noted that there are various implementation manners of determining and recording, by the first path server, the inter-domain neighboring AS information of the first AS and the second packet digest in the process of forwarding the second packet, and one implementation manner will be described in detail in the following steps 601 to 603 shown in fig. 6.
Step 601: the first path server determines the IP address information, the second timestamp, and the second message digest of the second message.
In the process of forwarding the second message by the first border network device, the first path server can determine the IP address information, the second timestamp and the second message digest of the second message, where the second timestamp is used to indicate the generation time of the second message, and the second message digest is the digest of the second message. The first border network device is a border network device in the first AS, and the IP address information includes a source IP address, or the IP address information includes a destination IP address, or the IP address information includes a source IP address and a destination IP address.
In this embodiment, there are various implementation manners for determining the IP address information, the second timestamp, and the second message digest of the second message by the first path server, and three implementation manners are described next.
In a first implementation manner, the first path server receives a sampling packet sent by the first border network device, where the sampling packet carries the IP address information of the second packet, the second timestamp, and the second packet digest.
That is, the first border network device samples the forwarded second packet, constructs a sampling packet, and sends the sampling packet to the first path server corresponding to the first AS.
Optionally, the first border network device is deployed with a sampling unit, the sampling unit is capable of performing hash operation on an invariant field and a data field of a packet header of the second packet to obtain a hash value, the hash value is used as a second packet digest, and then the sampling unit is capable of constructing a sampling packet according to the IP address information of the second packet, the second timestamp, and the second packet digest, and sending the sampling packet to the first path server.
Exemplarily, assuming that the IP address information includes a source IP address and a destination IP address, a sampling unit is deployed at a port of the first border network device and samples the packets received by the first border network device. The sampling unit performs a hash operation on the invariant fields of the header of the second packet and on the data field of the second packet using the hash function H256 to obtain a 16-byte hash value H(con) in binary form, and concatenates H(con) with the source IP address srcip, the destination IP address dstip, and the second timestamp time of the second packet to construct the sampling packet digest; a specific form of the sampling packet may be as shown in fig. 4, or the sampling packet may be represented as follows:
digest = srcip || dstip || time || H(con)
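Building and parsing the sampling packet digest above, as an added example that is not the patent's own code. It assumes that H(con) is SHA-256 truncated to the 16 bytes the text mentions, that the timestamp is a 4-byte unsigned seconds value, and that the IPv4 header fields which change hop by hop (TTL and header checksum) are the variant fields excluded from the hash; the packets are constructed.

```python
"""Added example: digest = srcip || dstip || time || H(con), where H(con) covers the
invariant IPv4 header fields and the payload so the digest is stable across hops."""
import hashlib
import socket
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header, no options


def invariant_header_fields(header: bytes) -> bytes:
    """Copy of the header with the assumed variant fields (TTL, checksum) zeroed."""
    fields = list(IPV4_HEADER.unpack(header[:20]))
    fields[5] = 0   # TTL is decremented at every hop
    fields[7] = 0   # header checksum changes whenever the TTL does
    return IPV4_HEADER.pack(*fields)


def h_con(packet: bytes) -> bytes:
    """16-byte hash of the invariant header fields and the data field."""
    header, data = packet[:20], packet[20:]
    return hashlib.sha256(invariant_header_fields(header) + data).digest()[:16]


def build_sampling_digest(packet: bytes, timestamp: int) -> bytes:
    """Sampling packet digest as sent from the sampling unit to the path server."""
    hdr = IPV4_HEADER.unpack(packet[:20])
    srcip, dstip = hdr[8], hdr[9]
    return srcip + dstip + struct.pack("!I", timestamp) + h_con(packet)


def parse_sampling_digest(digest: bytes):
    """Path-server side: split the digest back into its four fields."""
    if len(digest) != 4 + 4 + 4 + 16:
        raise ValueError("unexpected sampling packet length")
    srcip = socket.inet_ntoa(digest[0:4])
    dstip = socket.inet_ntoa(digest[4:8])
    (timestamp,) = struct.unpack("!I", digest[8:12])
    return srcip, dstip, timestamp, digest[12:]


def make_ipv4_packet(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed IPv4/UDP-style packet with a valid header checksum."""
    total = 20 + len(payload)
    hdr = IPV4_HEADER.pack(0x45, 0, total, 0x1234, 0x4000, ttl, 17, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", hdr))          # one's-complement header checksum
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    hdr = hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]
    return hdr + payload
```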
In the first implementation manner, the sampling unit is deployed on the border network device and sends the sampling packet to the path server, so the entire second packet does not need to be sent to the path server.
In a second implementation manner, the first path server receives a second message sent by the first border network device, acquires the IP address information and the second timestamp carried in the second message, and generates a second message digest according to the second message.
That is, the first border network device can copy and send the received second message to the first path server, and the first path server obtains the IP address information and the second timestamp carried in the second message and generates the second message digest according to the second message.
It should be noted that, for the implementation manner in which the first path server generates the second message digest according to the second message, reference is made to the related description of the sampling unit in the foregoing first implementation manner, and details are not described here again.
In the second implementation manner, the path server determines the message digest without a sampling device being deployed in the border network device, so that one port of the border network device is saved, the performance of the border network device is affected less, and the path server does not need to construct a sampling packet.
In a third implementation manner, the first path server receives a sampling packet sent by a bypass sampling device of the first border network device, where the sampling packet carries the IP address information, the second timestamp, and the second packet digest of the second packet, and the bypass sampling device is configured to obtain the second packet from the first border network device and generate the sampling packet according to the second packet.
That is, the first border network device corresponds to a bypass sampling device; the first border network device copies the received second packet and sends the copy to the bypass sampling device, and the bypass sampling device samples the second packet, generates the second packet digest according to the second packet, constructs a sampling packet, and sends the sampling packet to the first path server.
It should be noted that, for the implementation manner of generating the second packet digest by the bypass sampling device according to the second packet, reference is made to the related description of the sampling unit in the foregoing embodiment in fig. 3, and details are not described here again.
Step 602: the first path server determines, according to the IP address information of the second message, the inter-domain neighboring AS information of the first AS in the process of forwarding the second message.
In this embodiment of the application, after determining the IP address information, the second timestamp, and the second message digest of the second message, the first path server may determine, according to the IP address information of the second message, information of an inter-domain neighboring AS of the first AS in a process of forwarding the second message.
When the IP address information includes a source IP address, the first path server can determine, according to the source IP address of the second message, the information of the previous-hop AS of the first AS in the process of forwarding the second message.
When the IP address information includes a destination IP address, the first path server can determine, according to the destination IP address of the second message, the information of the next-hop AS of the first AS in the process of forwarding the second message.
When the IP address information includes both a source IP address and a destination IP address, the first path server can determine the information of the previous-hop AS and the information of the next-hop AS of the first AS according to the source IP address and the destination IP address of the second message respectively.
Optionally, the first path server may determine, according to the IP address information of the second packet, a port identifier of the first border network device for transmitting the second packet, and then, the first path server may determine, according to the port identifier, information of an inter-domain neighboring AS of the first AS in a process of forwarding the second packet.
When the IP address information includes a source IP address, the first path server can determine, according to the source IP address of the second message, the ingress port identifier of the port on which the first border network device received the second message, and then determine, according to the ingress port identifier, the information of the previous-hop AS of the first AS in the process of forwarding the second message.
When the IP address information includes a destination IP address, the first path server can determine, according to the destination IP address of the second message, the egress port identifier of the port on which the first border network device forwarded the second message, and then determine, according to the egress port identifier, the information of the next-hop AS of the first AS in the process of forwarding the second message.
When the IP address information includes both a source IP address and a destination IP address, the first path server determines the ingress port identifier on which the first border network device received the second message according to the source IP address of the second message, and the egress port identifier on which the first border network device forwarded the second message according to the destination IP address of the second message. The first path server then determines the information of the previous-hop AS and the information of the next-hop AS of the first AS in the process of forwarding the second message according to the ingress port identifier and the egress port identifier respectively.
In this embodiment of the present application, the first path server stores, for each border network device in the first AS, the correspondence between ingress port identifiers and ingress address blocks and the correspondence between egress port identifiers and egress address blocks. The first path server determines the ingress address block that contains the source IP address of the second packet and takes the identifier of the ingress port corresponding to that block as the ingress port identifier on which the second packet was received; likewise, it determines the egress address block that contains the destination IP address of the second packet and takes the identifier of the corresponding egress port as the egress port identifier on which the second packet was forwarded. In addition, each ingress port of a border network device in the first AS corresponds to a previous-hop AS and each egress port corresponds to a next-hop AS; the first path server further stores a mapping between the port identifiers of each border network device in the first AS and AS information, so that it can determine the information of the previous-hop AS of the first AS from the determined ingress port identifier and the mapping, and the information of the next-hop AS of the first AS from the determined egress port identifier and the mapping.
It should be noted that, in the embodiment of the present application, the information of each AS may refer to a number of the corresponding AS.
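The address-block-to-port and port-to-AS lookups described above, as an added example that is not the patent's own code. It assumes that a border device's ingress and egress ports are configured with address blocks and that the most specific block containing the address wins; the blocks, port identifiers and AS numbers are constructed.

```python
"""Added example: resolve the previous-hop and next-hop AS of the present AS from
the ingress/egress address blocks configured for a border device's ports."""
import ipaddress
from typing import Optional, Tuple


class BorderDevicePortMap:
    """Port-to-address-block and port-to-AS mappings of one border network device."""

    def __init__(self):
        self.ingress_blocks = []   # (ingress address block, ingress port id)
        self.egress_blocks = []    # (egress address block, egress port id)
        self.port_to_as = {}       # port id -> number of the neighboring AS

    def add_ingress(self, block: str, port_id: str, prev_hop_as: int) -> None:
        """Packets whose source lies in `block` arrive on `port_id` from prev_hop_as."""
        self.ingress_blocks.append((ipaddress.ip_network(block), port_id))
        self.port_to_as[port_id] = prev_hop_as

    def add_egress(self, block: str, port_id: str, next_hop_as: int) -> None:
        """Packets destined to `block` leave on `port_id` towards next_hop_as."""
        self.egress_blocks.append((ipaddress.ip_network(block), port_id))
        self.port_to_as[port_id] = next_hop_as

    @staticmethod
    def _port_for(blocks: list, ip: str) -> Optional[str]:
        # longest-prefix match: the most specific block containing ip decides the port
        addr = ipaddress.ip_address(ip)
        best = None
        for net, port in blocks:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, port)
        return None if best is None else best[1]

    def ingress_port(self, src_ip: str) -> Optional[str]:
        return self._port_for(self.ingress_blocks, src_ip)

    def egress_port(self, dst_ip: str) -> Optional[str]:
        return self._port_for(self.egress_blocks, dst_ip)

    def neighbors(self, src_ip: Optional[str] = None,
                  dst_ip: Optional[str] = None) -> Tuple[Optional[int], Optional[int]]:
        """(previous-hop AS, next-hop AS) for whichever addresses the sample carries."""
        prev_hop = next_hop = None
        if src_ip is not None:
            prev_hop = self.port_to_as.get(self.ingress_port(src_ip))
        if dst_ip is not None:
            next_hop = self.port_to_as.get(self.egress_port(dst_ip))
        return prev_hop, next_hop
```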
Step 603: the first path server records the second message digest in the corresponding recording area according to the IP address information of the second message, the second timestamp, and the inter-domain neighboring AS information of the first AS in the process of forwarding the second message.
In this embodiment of the present application, after determining the inter-domain neighboring AS information of the first AS in the process of forwarding the second message and the second message digest, the first path server records both. When another path server subsequently requests the first path server to query the inter-domain forwarding path of the second message, the first path server can, based on the recorded second message digest, not only confirm that the first AS forwarded the second message but also return the information of the inter-domain neighboring AS of the first AS in the process of forwarding the second message.
Optionally, in this embodiment of the present application, the first path server may record the second message digest according to the recording area after determining the information of the inter-domain neighboring AS of the first AS and the second message digest. That is, the first path server may record the second packet digest in the corresponding recording area according to the IP address information of the second packet, the second timestamp, and the inter-domain neighboring AS information of the first AS in the process of forwarding the second packet.
And under the condition that the IP address information comprises a source IP address, the inter-domain adjacent AS information determined by the first path server comprises the last hop AS information, and the first path server can record the second message abstract in the corresponding source recording area according to the source IP address of the second message, the second timestamp and the last hop AS information of the first AS.
And under the condition that the IP address information comprises a destination IP address, the inter-domain adjacent AS information determined by the first path server comprises the next hop AS information, and the first path server can record the second message abstract in the corresponding destination record area according to the destination IP address of the second message, the second timestamp and the next hop AS information of the first AS.
Under the condition that the IP address information comprises a source IP address and a destination IP address, the inter-domain adjacent AS information determined by the first path server comprises the information of a previous hop AS and the information of a next hop AS, the first path server can record the second message abstract in the corresponding source recording area according to the source IP address of the second message, the second timestamp and the information of the previous hop AS of the first AS, and record the second message abstract in the corresponding destination recording area according to the destination IP address of the second message, the second timestamp and the information of the next hop AS of the first AS.
Optionally, in an embodiment of the present application, a source recording area includes a source start time field, a source IP address field, a last-hop AS field and a message digest field. The source start time field stores the start recording time of the source recording area, which is not later than the time indicated by the timestamp of any message whose digest is stored there. The source IP address field stores the source IP address or the source IP address block of the message; when it stores a block, the source IP address of every message whose digest is stored in the source recording area belongs to that block. The last-hop AS field stores information of the last-hop AS of the present AS, and the message digest field records the message digests.
It should be noted that when the source IP address field stores the source IP address of a message, one source recording area records only the message digests of messages sent by one source end device. When the source IP address field stores a source IP address block, one source recording area can record the message digests of messages sent by several source end devices, provided that the source IP addresses of those messages all belong to the block, their timestamps are all later than the start recording time of the source recording area, and their last-hop AS is the same; this reduces the number of source recording areas, saves storage space and simplifies retrieval. The present AS is the AS corresponding to the path server that stores the source recording area.
Optionally, in an embodiment of the present application, a destination recording area includes a destination start time field, a destination IP address field, a next-hop AS field and a message digest field. The destination start time field stores the start recording time of the destination recording area, which is not later than the time indicated by the timestamp carried by any message whose digest is stored there. The destination IP address field stores the destination IP address or the destination IP address block of the message; when it stores a block, the destination IP address of every message whose digest is stored in the destination recording area belongs to that block. The next-hop AS field stores information of the next-hop AS of the present AS, and the message digest field records the message digests.
It should be noted that when the destination IP address field stores the destination IP address of a message, one destination recording area records only the message digests of messages addressed to one destination device. When the destination IP address field stores a destination IP address block, one destination recording area can record the message digests of messages sent to several destination end devices, provided that the destination IP addresses of those messages all belong to the block, their timestamps are all later than the start recording time of the destination recording area, and their next-hop AS is the same; this reduces the number of destination recording areas, saves storage space and simplifies retrieval.
Optionally, the source IP address block is the address block indicated by the 24-bit prefix of the source IP address of the packet for which the corresponding recording area was created, and the destination IP address block is the address block indicated by the 24-bit prefix of the destination IP address of the packet for which the corresponding recording area was created.
Optionally, in this embodiment of the present application, the source recording area further includes a next-hop AS field, and the destination recording area further includes a previous-hop AS field. In one case, the next-hop AS field of the source recording area stores information of the local AS, and the previous-hop AS field of the destination recording area stores information of the local AS. Alternatively, when the inter-domain neighboring AS information determined by the path server includes both previous-hop AS information and next-hop AS information, the next-hop AS field of the source recording area stores the next-hop AS information of the local AS, and the previous-hop AS field of the destination recording area stores the previous-hop AS information of the local AS.
Fig. 7 is a schematic format diagram of a source recording area according to an embodiment of the present application. Referring to fig. 7, taking the case where the source recording area records the second message digest as an example, the source recording area (RZ) includes a source start time field (ST), a source address field (Src), a previous-hop AS field, a next-hop AS field and a message digest field. The message digest field may also be referred to as the Packet Records (PR) field. The start recording time of the source recording area is not later than the time indicated by the second timestamp; the source address field stores the source IP address of the second message or a second source IP address block to which that source IP address belongs; the previous-hop AS field stores information of the previous-hop AS of the first AS in the process of forwarding the second message; the next-hop AS field stores information of the next-hop AS of the first AS in the process of forwarding the second message; and the message digest field stores the second message digest. The flag bit in front of the source address field is '0', indicating that the messages corresponding to all message digests recorded in the source recording area were sent from that address or address block; the flag bit in front of the previous-hop AS field is '0', and the flag bit in front of the next-hop AS field is '1'.
Fig. 8 is a schematic format diagram of a destination recording area according to an embodiment of the present application. Referring to fig. 8, taking the case where the destination recording area records the second message digest as an example, the destination recording area includes a destination start time field (ST), a destination address field (Dst), a previous-hop AS field, a next-hop AS field and a message digest field. The start recording time of the destination recording area is not later than the time indicated by the second timestamp; the destination address field stores the destination IP address of the second message or a second destination IP address block to which that destination IP address belongs; the previous-hop AS field stores information of the previous-hop AS of the first AS in the process of forwarding the second message; the next-hop AS field stores information of the next-hop AS of the first AS in the process of forwarding the second message; and the message digest field stores the second message digest. The flag bit in front of the destination address field is '1', indicating that the messages corresponding to all message digests recorded in the destination recording area were sent to that address or address block; the flag bit in front of the previous-hop AS field is '0', and the flag bit in front of the next-hop AS field is '1'.
In this embodiment of the application, the first path server may search the stored recording areas for the corresponding recording area according to the IP address information of the second packet, the second timestamp and the inter-domain neighboring AS information of the first AS in the process of forwarding the second packet. If the corresponding recording area is found, the first path server records the second message digest in it. If it is not found, the first path server creates a recording area according to the IP address information of the second packet, the second timestamp and the inter-domain neighboring AS information of the first AS in the process of forwarding the second packet, and records the second message digest in the created recording area.
If the IP address information includes a source IP address, the inter-domain neighboring AS information determined by the first path server includes the last-hop AS information, and the first path server can search the stored recording areas for the corresponding source recording area according to the source IP address of the second message, the second timestamp and the last-hop AS information of the first AS. If the corresponding source recording area is found, the first path server records the second message digest in it. If it is not found, the first path server creates a source recording area according to the source IP address of the second message, the second timestamp and the last-hop AS information of the first AS, and records the second message digest in the created source recording area.
If the IP address information includes a destination IP address, the inter-domain neighboring AS information determined by the first path server includes the next-hop AS information, and the first path server can search the stored recording areas for the corresponding destination recording area according to the destination IP address of the second message, the second timestamp and the next-hop AS information of the first AS. If the corresponding destination recording area is found, the first path server records the second message digest in it. If it is not found, the first path server creates a destination recording area according to the destination IP address of the second message, the second timestamp and the next-hop AS information of the first AS, and records the second message digest in the created destination recording area.
If the IP address information includes both a source IP address and a destination IP address, the inter-domain neighboring AS information determined by the first path server includes the previous-hop AS information and the next-hop AS information. The first path server can search the stored recording areas for the corresponding source recording area according to the source IP address of the second message, the second timestamp and the previous-hop AS information of the first AS, and for the corresponding destination recording area according to the destination IP address of the second message, the second timestamp and the next-hop AS information of the first AS. If both are found, the first path server records the second message digest in the found source recording area and the found destination recording area. If they are not found, the first path server creates a source recording area according to the source IP address of the second message, the second timestamp and the last-hop AS information of the first AS, creates a destination recording area according to the destination IP address of the second message, the second timestamp and the next-hop AS information of the first AS, and records the second message digest in the created source recording area and the created destination recording area.
For example, assume that the first path server records the second message digest in the corresponding source recording area and destination recording area respectively, where the source recording area includes a source start time field, a source address field, a last-hop AS field, a next-hop AS field and a message digest field, and the destination recording area includes a destination start time field, a destination address field, a last-hop AS field, a next-hop AS field and a message digest field. The first path server can then derive an index field index1 from the source IP address (srcip) of the first message, the last-hop AS information (lasthopID) and the next-hop AS information (nexthopID), and find the corresponding source recording area according to index1 and the first timestamp, or create it; likewise it derives an index field index2 from the destination IP address (dstip) of the first message, lasthopID and nexthopID, and finds the corresponding destination recording area according to index2 and the first timestamp, or creates it. The specific forms of index1 and index2 can be:
index1=srcip||lasthopID||nexthopID
index2=dstip||lasthopID||nexthopID
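The following Python sketch is an added illustration of the lookup-or-create logic described above; it is not code from the patent. It renders the "||" concatenation of index1 and index2 as a string join, models the address-block mode with the 24-bit prefix from the text, and aligns the start recording time to a fixed rotation interval so that it is never later than the packet timestamp. The interval length (12 minutes), the AS identifiers and the sample addresses (taken from the fig. 10 example) are assumptions or constructed values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed length of the "second time interval" after which a recording area is
# rotated; the patent gives no value at this point, 12 minutes is an assumption.
RECORD_INTERVAL = 12 * 60


def address_block(ip: str) -> str:
    """Address block indicated by the 24-bit prefix of ip (e.g. 8.10.9.1 -> 8.10.9.0/24)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def make_index(addr: str, lasthop_id: str, nexthop_id: str) -> str:
    """index = addr || lasthopID || nexthopID; the '||' is rendered as a string join."""
    return "||".join((addr, lasthop_id, nexthop_id))


@dataclass
class RecordingArea:
    start_time: int          # ST: start recording time, never later than a stored packet's timestamp
    address: str             # Src or Dst field: an address or a 24-bit address block
    is_destination: bool     # flag bit: False ('0') = sent from the address, True ('1') = sent to it
    lasthop_id: str          # last-hop AS field
    nexthop_id: str          # next-hop AS field
    records: List[bytes] = field(default_factory=list)   # PR field, here whole digests


class PathServer:
    """Path server of one AS keeping source and destination recording areas."""

    def __init__(self, use_blocks: bool = True, interval: int = RECORD_INTERVAL):
        self.use_blocks = use_blocks
        self.interval = interval
        # key: (is_destination, index, start_time) -> RecordingArea
        self.areas: Dict[Tuple[bool, str, int], RecordingArea] = {}

    def _start_time(self, timestamp: int) -> int:
        # Align the start time to the interval so that it is not later than the timestamp.
        return timestamp - timestamp % self.interval

    def find_or_create(self, addr: str, is_destination: bool,
                       lasthop_id: str, nexthop_id: str, timestamp: int) -> RecordingArea:
        key_addr = address_block(addr) if self.use_blocks else addr
        index = make_index(key_addr, lasthop_id, nexthop_id)
        key = (is_destination, index, self._start_time(timestamp))
        area = self.areas.get(key)
        if area is None:     # not found: create the recording area
            area = RecordingArea(key[2], key_addr, is_destination, lasthop_id, nexthop_id)
            self.areas[key] = area
        return area

    def record(self, src_ip: str, dst_ip: str, timestamp: int,
               lasthop_id: str, nexthop_id: str, digest: bytes) -> Tuple[RecordingArea, RecordingArea]:
        """Record one packet digest in its source and destination recording areas."""
        src_area = self.find_or_create(src_ip, False, lasthop_id, nexthop_id, timestamp)
        dst_area = self.find_or_create(dst_ip, True, lasthop_id, nexthop_id, timestamp)
        src_area.records.append(digest)
        dst_area.records.append(digest)
        return src_area, dst_area


def demo() -> PathServer:
    """Constructed sample traffic seen by the path server of AS2 on the path AS1 -> AS2 -> AS3."""
    server = PathServer()
    base = 1_600_000_000
    # two packets of the same flow within one interval land in the same RZ1 / RZ2
    server.record("8.10.9.1", "4.10.9.1", base + 5, "AS1", "AS3", b"digest-a")
    server.record("8.10.9.1", "4.10.9.1", base + 9, "AS1", "AS3", b"digest-b")
    # another host in the same /24 blocks with the same neighbours shares those areas
    server.record("8.10.9.7", "4.10.9.200", base + 20, "AS1", "AS3", b"digest-c")
    # a packet one interval later gets freshly created areas
    server.record("8.10.9.1", "4.10.9.1", base + RECORD_INTERVAL + 1, "AS1", "AS3", b"digest-d")
    return server
```

Running `demo()` yields four recording areas: one source and one destination area for the first interval, holding three digests each, and a second pair for the later packet. Switching `use_blocks` off keys the areas by the full address instead, which is the single-device case the text describes.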
Optionally, in this embodiment of the application, there are multiple ways in which the first path server can record the second message digest in the corresponding recording area; three of them are described next.
In a first implementation manner, the first path server records the whole second message digest in the corresponding recording area.
Illustratively, the second message digest is a hash value, and the first path server can record the whole of the hash value in the corresponding recording area. For example, when the first path server records the second message digest in the corresponding source recording area and the corresponding destination recording area, and the source recording area and the destination recording area are in the formats shown in fig. 7 and 8, respectively, the first path server can record the whole hash value in the PR included in each of the source recording area and the destination recording area.
In a second implementation manner, the first path server records the first N bits of the second message digest in the corresponding recording area, where the second message digest has M bits, N and M are both integers greater than zero, and N is smaller than M.
It should be noted that when the message digest is a hash value it can be represented in binary form, so the path server can take the first N bits of the binary representation of the message digest.
For example, the first path server is configured with N and stores the first N bits of the second message digest according to the configured N; or the first path server is configured with a truncation ratio, determines N from the configured truncation ratio and the total number of bits of the second message digest, and stores the first N bits of the second message digest according to the determined N. Assuming that the configured N is 64 and the second message digest has 128 bits, the first path server stores the first 64 bits of the second message digest in the corresponding recording area. Assuming that the configured truncation ratio is 0.75 and the second message digest has 128 bits, the first path server stores the first 96 bits in the corresponding recording area. It should be noted that when N is determined according to the truncation ratio, the result may be rounded up or rounded down to ensure that N is an integer.
In this implementation the first path server stores only part of the second message digest, which saves storage space.
In a third implementation manner, the first path server sets the bits of the bloom filter in the recording area corresponding to the second message according to the second message digest, so that the second message digest is recorded through the bloom filter in the corresponding recording area.
Illustratively, when the first path server records the second message digest in the corresponding source recording area and the corresponding destination recording area respectively, and the source recording area and the destination recording area are in the formats shown in fig. 7 and 8, respectively, bloom filters are stored in the PR included in the source recording area and the destination recording area respectively, and the first path server can set the value of the bloom filter in the PR included in the corresponding source recording area and the value of the bloom filter in the PR included in the destination recording area respectively according to the second message digest.
In the embodiment of the application, the path server can store the message digest through the bloom filter, so that the storage space is saved. Illustratively, the first path server is capable of performing a hash operation on the second packet digest by using a plurality of hash functions, respectively, to obtain a plurality of hash indication values, and setting a corresponding position of each of the plurality of hash indication values in the bloom filter to be '1'.
It should be noted that, because a bloom filter has a limited number of positions, after a period of time the proportion of positions set to '1' may become high, and if message digests keep being stored in it the bloom filter may become ineffective. Therefore a new bloom filter may be created at regular intervals, or each time the proportion of positions set to '1' reaches a specific value, or every position of the bloom filter may be reset to '0'.
Alternatively, a recording area stores only one bloom filter, or it stores several bloom filters by time period, each bloom filter corresponding to one time period.
Optionally, in order to synchronize the bloom filters in the recording areas stored by the path servers of the respective ASs, in an embodiment of the present application a timestamp is determined by a border network device of the source AS that forwards the packet and is added to the packet, so that the time periods of the bloom filters in the recording areas stored by the path servers of the ASs that forward the packet can be synchronized according to that timestamp.
Based on this, in this embodiment of the present application, the first path server may determine a third timestamp, where the third timestamp was determined by a border network device of the source AS that forwards the second packet and added to the second packet, and is used to synchronize the bloom filters in the recording areas stored by the path servers of the respective ASs. The first path server can select the first bloom filter from the one or more bloom filters in the corresponding recording area according to the third timestamp, and set the bits of the first bloom filter according to the second message digest.
For example, when the first path server records the second message digest in the corresponding source recording area and destination recording area respectively, it selects one bloom filter from the one or more bloom filters in the corresponding source recording area and sets its bits according to the second message digest, and selects one bloom filter from the one or more bloom filters in the corresponding destination recording area and sets its bits according to the second message digest.
It should be noted that the start time of the time period corresponding to the first bloom filter is not later than the third timestamp. In addition, in this implementation, the subsequent query process can locate the right bloom filter precisely according to the timestamp.
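The following Python code is an added example, not part of the patent, of the second and third implementations described above: truncating a digest to its first N bits (N given directly or derived from a truncation ratio, rounded up or down), and a Packet Records field that keeps one bloom filter per time period selected by the third timestamp, clearing a filter once its proportion of '1' positions reaches a configured value. The k hash indication values are derived with SHA-256 over digest||i, and the filter size, period length and fill threshold are all assumed values; the patent specifies none of them.

```python
import hashlib
import math
from typing import Dict, List, Optional


def truncate_digest(digest: bytes, n_bits: Optional[int] = None,
                    ratio: Optional[float] = None, round_up: bool = True) -> str:
    """Second implementation: keep the first N of the M digest bits, N given or derived from a ratio."""
    m_bits = len(digest) * 8
    if n_bits is None:
        if ratio is None:
            raise ValueError("either n_bits or ratio is required")
        n_bits = math.ceil(m_bits * ratio) if round_up else math.floor(m_bits * ratio)
    if not 0 < n_bits < m_bits:
        raise ValueError("N must satisfy 0 < N < M")
    value = int.from_bytes(digest, "big") >> (m_bits - n_bits)   # drop the low M-N bits
    return format(value, f"0{n_bits}b")                            # binary string of the first N bits


class BloomFilter:
    """Bit array set at k positions per digest (third implementation)."""

    def __init__(self, m_bits: int = 4096, k: int = 3):
        self.m_bits, self.k = m_bits, k
        self.bits = bytearray(m_bits)
        self.ones = 0

    def _positions(self, digest: bytes) -> List[int]:
        # k hash indication values: SHA-256(digest || i) reduced modulo m (assumed construction)
        return [int.from_bytes(hashlib.sha256(digest + bytes([i])).digest()[:8], "big") % self.m_bits
                for i in range(self.k)]

    def add(self, digest: bytes) -> None:
        for pos in self._positions(digest):
            if not self.bits[pos]:
                self.bits[pos] = 1
                self.ones += 1

    def might_contain(self, digest: bytes) -> bool:
        return all(self.bits[pos] for pos in self._positions(digest))

    def fill_ratio(self) -> float:
        return self.ones / self.m_bits

    def reset(self) -> None:
        self.bits = bytearray(self.m_bits)
        self.ones = 0


class PacketRecords:
    """PR field of a recording area holding one bloom filter per time period."""

    def __init__(self, period: int = 60, m_bits: int = 4096, k: int = 3, max_fill: float = 0.5):
        self.period, self.m_bits, self.k, self.max_fill = period, m_bits, k, max_fill
        self.filters: Dict[int, BloomFilter] = {}   # period start time -> filter

    def select_filter(self, third_timestamp: int) -> BloomFilter:
        # The period start is not later than the third timestamp; since the source AS border
        # device stamped it, every path server on the path selects the same period.
        start = third_timestamp - third_timestamp % self.period
        return self.filters.setdefault(start, BloomFilter(self.m_bits, self.k))

    def record(self, digest: bytes, third_timestamp: int) -> BloomFilter:
        bf = self.select_filter(third_timestamp)
        if bf.fill_ratio() >= self.max_fill:    # too many '1' positions: reset before it becomes useless
            bf.reset()
        bf.add(digest)
        return bf

    def seen(self, digest: bytes, third_timestamp: int) -> bool:
        bf = self.filters.get(third_timestamp - third_timestamp % self.period)
        return bf is not None and bf.might_contain(digest)


def demo():
    """Constructed 128-bit digest, matching the M = 128 example in the text."""
    digest = hashlib.blake2b(b"constructed packet bytes", digest_size=16).digest()
    first64 = truncate_digest(digest, n_bits=64)      # configured N = 64
    first96 = truncate_digest(digest, ratio=0.75)     # truncation ratio 0.75 -> N = 96
    pr = PacketRecords()
    pr.record(digest, third_timestamp=1_600_000_000)
    return first64, first96, pr
```

A reset discards the digests already in the filter, which is exactly the trade-off the text accepts: the filter answers membership queries only for the period it covers, so pairing each filter with a period and keeping the period start no later than the third timestamp is what lets a later query pick the right filter.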
Fig. 9 is a schematic diagram of adding a third timestamp according to an embodiment of the present application. It is assumed that the third timestamp is determined by a border network device at the egress of the source AS and added to the packet, and that the third timestamp indicates the time at which the packet arrived at that border network device. Optionally, a timestamp marking unit deployed on the border network device determines the third timestamp and adds it to the packet.
Optionally, in this embodiment of the present application, since the memory of the path server is limited, each recording area is updated once every second time interval: for example, the recording area is saved to a hard disk or other storage, then the message digests recorded in it are cleared and recording restarts.
Optionally, the first path server may also directly store the second message digest together with the information of the inter-domain neighboring AS of the first AS in the process of forwarding the second message, that is, the path information of each message is stored separately; or the first path server may store the message digests determined within a period of time, together with the corresponding inter-domain neighboring AS information, in one recording area that does not distinguish messages by source or destination address.
Optionally, the first path server may use the second packet itself as the second packet digest: the first path server obtains the second packet, determines the information of the inter-domain neighboring AS of the first AS in the process of forwarding the second packet, and records the second packet together with that information, for example in a recording area as described above, or by directly storing the second packet and the corresponding inter-domain neighboring AS information.
Step 502: the first path server determines the second path certificate and sends it to the database, so that the second path certificate is stored in the database.
In the embodiment of the application, after a path server records the inter-domain neighboring AS information and the message digest of its AS in the process of forwarding a message, in order to ensure the authenticity of the path information of the message stored by each AS and to let the ASs supervise each other, the path server can also determine a path certificate according to the stored path information and send it to the database, so that the path certificate is stored in the database and the recorded path information is authentic and cannot be tampered with.
In this embodiment of the application, after storing the information of the inter-domain neighboring AS of the first AS in the process of forwarding the second message and the second message digest, the first path server may further generate a second path certificate according to that stored information and the second message digest, and send the second path certificate to the database, so that the second path certificate is stored in the database.
For example, the first path server directly sends the message digest of the recorded message and the inter-domain neighboring AS information to the database as the path certificate of the message. Or, where the first path server stores the inter-domain neighboring AS information and the message digest in the recording area introduced above, the first path server may send the recording area to the database to be stored there, that is, the recording area itself serves as the path certificate. Alternatively, in order to reduce the amount of data stored in the database, the first path server may build a Merkle tree from the stored recording areas, take the root node of the Merkle tree as the path certificate and send it to the database, that is, only the root node of the Merkle tree is stored in the database.
For example, assume that the first path server stores a source recording area and a destination recording area. After the first path server records the second message digest in the corresponding source recording area and destination recording area, it can construct a second Merkle tree from the locally stored recording areas, which include the source recording area and the destination recording area in which the second message digest is stored. The first path server then stores the second Merkle tree locally and sends the root node of the second Merkle tree to the database as the second path certificate, so that the second path certificate is stored in the database.
It should be noted that the first path server can construct a Merkle tree once every third time interval, where the third time interval does not exceed the second time interval. The first path server performs a hash operation on each locally stored recording area to obtain a zone hash value for each recording area, and uses each zone hash value as a leaf node to construct the Merkle tree. The first path server can determine the order of the leaf nodes according to the start recording time of each recording area, and hashes the leaf nodes layer by layer until a root node is obtained, at which point the second Merkle tree is constructed; each intermediate node of the second Merkle tree is the hash of the concatenation of its left and right child nodes.
In addition, if the second time interval equals the third time interval, that is, the update time of the recording areas is synchronized with the construction time of the Merkle tree, one recording area corresponds to one Merkle tree, and when a recording area and its Merkle tree are later retrieved according to the timestamp of a message, the retrieved Merkle tree was constructed from all message digests recorded in that recording area.
If the second time interval is greater than the third time interval, that is, the recording areas are updated less often than Merkle trees are built, more than one Merkle tree may be constructed while message digests are continuously recorded in one recording area, so one recording area may correspond to several Merkle trees. In this case, to allow Merkle trees to be retrieved later according to the timestamp of a message, it may also be necessary to determine from which part of the message digests in the recording area a retrieved Merkle tree was constructed; therefore, in addition to the message digests, the timestamps of the messages corresponding to the message digests need to be stored in the recording area. It should be noted that this applies to the first two of the three implementations for storing message digests in a recording area.
In this embodiment of the present application, when the first path server stores a Merkle tree, it can store the identifier of the Merkle tree together with the identifiers of the recording areas from which the tree was built, so that the Merkle tree corresponding to a recording area can be searched for by identifier in subsequent queries.
If the second time interval is greater than the third time interval, when the first path server stores a Merkle tree it may additionally store the tree-building time period of that Merkle tree; the start and end of that period are, respectively, the start recording time of the recording area from which the tree was built and the timestamp of the message corresponding to the last message digest recorded in that area. That is, the tree-building time period of a Merkle tree tells in which period the messages it records were forwarded.
It should be noted that, in this embodiment of the present application, the path server records packets from different addresses and packets sent to different addresses separately according to the source IP address and/or the destination IP address, that is, it records the path information of a packet in a source recording area and/or a destination recording area. In this way the data of one user, or of part of the users, of a source device is stored in one recording area, and the data of different users is distributed over different nodes of the Merkle tree.
It should be noted that the database is trusted by all ASs that forward packets. Optionally, the database is stored on a server provided by a third party trusted by each AS, for example a centralized database on the third party's server; or the database is decentralized, for example a database maintained at blockchain nodes, where each AS that forwards packets is a node of the blockchain. Optionally, the blockchain used for path verification is an existing chain, or is built jointly by the ASs.
Optionally, the database directly stores each path certificate, that is, the root node of each Merkle tree, and it can also construct a corresponding Merkle tree from the root nodes to ensure that the path certificates cannot be tampered with. Taking the case where the database is maintained by blockchain nodes as an example, the time interval at which the blockchain constructs a Merkle tree from the root nodes is the same as the time interval at which the path servers construct their Merkle trees, for example 12 minutes for both: in every 12-minute interval the blockchain stores the root nodes of the Merkle trees constructed by the path servers of the respective nodes in the block header of one block, constructs a Merkle tree from those root nodes, and stores the root node of that tree in the block body of the block.
The first procedure described above is now described again in terms of the system architecture. Assume that the path server stores the path information of a packet in a source recording area and a destination recording area. Referring to fig. 10, the source IP address of the packet generated by the source end device is 8.10.9.1, and the packet is sent to the destination end device with destination IP address 4.10.9.1; the IP address of the source AS1 is 8.10.9.0 and the IP address of the destination AS3 is 4.10.9.0. The packet passes through an intermediate AS, AS2. Assume that the border network device is a router and take a border router of AS2 as an example: a sampling unit is deployed on the border router; after the border router receives the packet, the sampling unit generates a sampling packet from it and sends the sampling packet to the path server of AS2, and the path server records the message digest carried by the sampling packet in the corresponding source recording area and destination recording area, namely recording area (RZ) 1 and recording area 2, according to the source IP address, destination IP address and timestamp of the packet carried by the sampling packet. Assuming that the path server stores only RZ1 and RZ2 when it constructs the Merkle tree, it hashes RZ1 and RZ2 to obtain H1 and H2, uses H1 and H2 as leaf nodes and hashes them together to obtain the root node, that is, the root hash value (RH). Assuming that the database is maintained by blockchain nodes, the path server submits the root node RH to the chain as its certificate, and in every time interval of the blockchain a block (B) is produced from the root nodes submitted by the path servers in that interval.
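The following Python code is an added example (not code from the patent) of the Merkle tree construction described for the second path certificate and walked through above for fig. 10: recording areas are ordered by start recording time, each is hashed into a zone hash value as a leaf, and leaves are hashed layer by layer, every intermediate node being the hash of the concatenation of its two children. It also shows the inclusion proof a verifier would check against the root node stored in the database. The serialisation of a recording area (sorted-key JSON), SHA-256 as the hash, pairing an odd leftover node with itself, and the tie-break by identifier for equal start times are assumptions; the sample RZ1 and RZ2 are constructed to follow fig. 10.

```python
import hashlib
import json
from typing import Dict, List, Tuple


def zone_hash(area: Dict) -> bytes:
    """Zone hash value of one recording area; sorted-key JSON is an assumed canonical serialisation."""
    return hashlib.sha256(json.dumps(area, sort_keys=True).encode()).digest()


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Hash the leaves layer by layer; each intermediate node is SHA-256(left || right).
    A leftover odd node is paired with itself (an assumption; the patent does not say)."""
    if not leaves:
        raise ValueError("no recording areas to build a tree from")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([hashlib.sha256(cur[i] + cur[i + 1]).digest() for i in range(0, len(cur), 2)])
    return levels


def build_merkle_tree(areas: List[Dict]) -> Tuple[bytes, List[List[bytes]], List[str]]:
    """Order recording areas by start recording time (then id) and return (root hash, levels, area ids)."""
    ordered = sorted(areas, key=lambda a: (a["start_time"], a["id"]))
    levels = build_levels([zone_hash(a) for a in ordered])
    return levels[-1][0], levels, [a["id"] for a in ordered]


def merkle_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag tells whether the sibling sits on the left."""
    proof = []
    for level in levels[:-1]:
        nodes = level + [level[-1]] if len(level) % 2 else level
        sibling = index ^ 1
        proof.append((nodes[sibling], sibling < index))
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the path to the root; this is what a verifier holding only the stored RH can check."""
    h = leaf
    for sibling, sibling_is_left in proof:
        h = hashlib.sha256(sibling + h if sibling_is_left else h + sibling).digest()
    return h == root


# Constructed recording areas following the fig. 10 walk-through (RZ1 = source area, RZ2 = destination area).
SAMPLE_AREAS = [
    {"id": "RZ1", "start_time": 1_600_000_000, "address": "8.10.9.0/24", "flag": 0,
     "lasthop": "AS1", "nexthop": "AS3", "records": ["d1", "d2"]},
    {"id": "RZ2", "start_time": 1_600_000_000, "address": "4.10.9.0/24", "flag": 1,
     "lasthop": "AS1", "nexthop": "AS3", "records": ["d1", "d2"]},
]


def demo() -> Tuple[bytes, List[List[bytes]], List[str]]:
    """Build the tree of fig. 10: H1 = hash(RZ1), H2 = hash(RZ2), RH = hash(H1 || H2)."""
    return build_merkle_tree(SAMPLE_AREAS)
```

Changing a single digest inside RZ1 changes H1 and therefore RH, so a path server cannot rewrite its stored path information after the root has been committed to the database; conversely, a stored recording area plus its proof lets anyone recompute the committed root without the database holding the areas themselves.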
It should be noted that, the first process is described by taking the example where the first path server stores the path information of the second packet, and the other path servers can store the path information of each packet forwarded in the corresponding AS according to the same method.
For example, the second path server may store path information of the first packet, where the second path server is the server corresponding to the second AS, determine the first path certificate according to the stored path information of the first packet, and send the first path certificate to the database, so that the first path certificate is stored in the database.
Illustratively, the second path server can record the first packet digest or the first packet to represent that the second AS forwarded the first packet, where the first packet digest is the digest of the first packet. The second path server can determine the first path certificate according to the stored path information of the first packet, and send the first path certificate to the database so that it is stored in the database. Optionally, the second path server records the first packet digest by recording area: the second path server stores a first recording area and a first Merkle tree, the first recording area is used to record information related to the first packet, the related information of the first packet includes the first packet digest, the first Merkle tree is a Merkle tree constructed from the first recording area, and the first path certificate is the root node of the first Merkle tree.
Optionally, the second path server may further store information of an inter-domain neighboring AS of the second AS in the process of forwarding the first packet, that is, the first recording area is further configured to record information of the inter-domain neighboring AS of the second AS in the process of forwarding the first packet.
Optionally, when the inter-domain neighboring AS includes a previous-hop AS, the first recording area includes a first source recording area; when the inter-domain neighboring AS includes a next-hop AS, the first recording area includes a first destination recording area; and when the inter-domain neighboring AS includes both a previous-hop AS and a next-hop AS, the first recording area includes a first source recording area and a first destination recording area.
Optionally, the first source recording area includes a source start time field, a source address field, a previous-hop AS field and a message digest field, where the source start time field is used to store the start recording time of the first source recording area, the start recording time of the first source recording area is not later than the time indicated by the first timestamp, the first timestamp indicates the generation time of the first packet, the source address field is used to store the source IP address of the first packet or a first source IP address block to which the source IP address of the first packet belongs, the previous-hop AS field is used to store information of the previous-hop AS of the second AS in the process of forwarding the first packet, and the message digest field is used to record the first packet digest.
The first destination recording area includes a destination start time field, a destination address field, a next-hop AS field and a message digest field, where the destination start time field is used to store the start recording time of the first destination recording area, the start recording time of the first destination recording area is not later than the time indicated by the first timestamp, the destination address field is used to store the destination IP address of the first packet or a first destination IP address block to which the destination IP address of the first packet belongs, the next-hop AS field is used to store information of the next-hop AS of the second AS in the process of forwarding the first packet, and the message digest field is used to record the first packet digest.
It should be noted that, only some implementation manners of the second path server storing the path information of the first packet are shown above, and other implementation manners may refer to detailed descriptions of the first path server storing the path information of the second packet in the foregoing embodiments, which are not described herein again.
It should be noted that, in this embodiment of the application, if the second AS also forwards the second packet, the second path server can request the first path server to query the inter-domain forwarding path of the second packet; and if the first AS also forwards the first packet, the first path server can request the second path server to query the inter-domain forwarding path of the first packet.
Next, the second process of the embodiment of the present application is described, taking as an example the first path server requesting the second path server to query the inter-domain forwarding path of the first packet. After the second path server has stored the path information of the first packet according to the above method, the first path server can request the second path server to query the inter-domain forwarding path of the first packet as follows, and construct the inter-domain forwarding path of the first packet according to the feedback of the second path server. Fig. 11 is a flowchart of an inter-domain forwarding path query method according to an embodiment of the present application. Referring to fig. 11, the method includes the following steps.
Step 1101: the first path server sends a first path query request to a second path server, wherein the first path query request is used for querying an inter-domain forwarding path of the first message, the first path server is a server corresponding to a first AS, and the second path server is a server corresponding to a second AS.
In this embodiment of the present application, the first path server is the server corresponding to any AS that can obtain the packet information of the first packet and needs to query its inter-domain forwarding path, for example, the server corresponding to the source AS or the destination AS of the first packet.
The first path server can generate the first path query request according to the first packet, where the first path query request carries the IP address information, the first timestamp and the first packet digest of the first packet, and the IP address information includes the source IP address and/or the destination IP address. Alternatively, the first path query request carries the first packet itself.
It should be noted that the first path server sends the first path query request to the second path server according to the IP address of the second path server. If the first path server does not store the IP address of the second path server but only the number of the second AS, and the database stores the correspondence between each AS number and its IP address, the first path server can obtain the IP address of the second path server from the database according to the number of the second AS.
Step 1102: the second path server determines a first forwarding record according to the first path query request, where the first forwarding record is used to indicate whether the second AS forwarded the first packet.
As can be seen from the foregoing, there are various implementations of how the second path server stores the path information of the first packet, and accordingly there are various implementations of how the second path server determines the first forwarding record according to the first path query request. These are described next.
In a first implementation, where the second path server records the first packet digest or the first packet in the first recording area according to the IP address information of the first packet, the first timestamp and the information of the inter-domain neighboring AS of the second AS in the process of forwarding the first packet, and directly uses the recording area as the path certificate, the second path server can obtain the first recording area from the stored recording areas according to the IP address information of the first packet, the first timestamp and the first packet digest, or according to the first packet. The first recording area is used to record information related to the first packet and information of the inter-domain neighboring AS of the second AS in the process of forwarding the first packet, and the related information of the first packet includes the first packet digest. The second path server determines the first recording area as the first forwarding record.
In this embodiment of the application, after receiving the first path query request, if the first path query request carries the IP address information, the first timestamp and the first packet digest of the first packet, the second path server obtains them from the first path query request. If the first path query request carries the first packet, the second path server obtains the IP address information and the first timestamp of the first packet from the first path query request and determines the first packet digest from the first packet.
When the IP address information includes the source IP address and the recording area includes a source recording area, the second path server can obtain the first source recording area from the stored recording areas according to the source IP address, the first timestamp and the first packet digest of the first packet, where the first source recording area records the information of the previous-hop AS of the second AS and the first packet digest. The second path server determines the first source recording area as the first forwarding record.
When the IP address information includes the destination IP address and the recording area includes a destination recording area, the second path server can obtain the first destination recording area from the stored recording areas according to the destination IP address, the first timestamp and the first packet digest of the first packet, where the first destination recording area records the information of the next-hop AS of the second AS and the first packet digest. The second path server determines the first destination recording area as the first forwarding record.
When the IP address information includes both the source IP address and the destination IP address, and the recording area includes a source recording area and a destination recording area, the second path server can obtain the first source recording area from the stored recording areas according to the source IP address, the first timestamp and the first packet digest of the first packet, obtain the first destination recording area from the stored recording areas according to the destination IP address, the first timestamp and the first packet digest of the first packet, and determine the first source recording area and the first destination recording area as the first forwarding record.
Optionally, when the second path server records the first packet digest or the first packet in a recording area according to the IP address information and the first timestamp of the first packet, and directly uses the recording area as the path certificate, the second path server may obtain the first recording area from the stored recording areas according to the IP address information, the first timestamp and the first packet digest of the first packet, or according to the first packet, where the first recording area is used to record information related to the first packet, and the related information of the first packet includes the first packet digest. The second path server determines the first recording area as the first forwarding record.
Optionally, when the second path server records the first packet digest or the first packet in a recording area according to the first timestamp of the first packet, and directly uses the recording area as the path certificate, the second path server may obtain the first recording area from the stored recording areas according to the IP address information, the first timestamp and the first packet digest of the first packet, or according to the first packet, where the first recording area is used to record information related to the first packet, and the related information of the first packet includes the first packet digest. The second path server determines the first recording area as the first forwarding record.
In a second implementation, where the second path server records the first packet digest or the first packet in the first recording area according to the IP address information of the first packet, the first timestamp and the information of the inter-domain neighboring AS of the second AS in the process of forwarding the first packet, and uses the root node of the first Merkle tree constructed from the first recording area as the path certificate, the second path server can obtain the first recording area from the stored recording areas according to the IP address information of the first packet, the first timestamp and the first packet digest, where the first recording area is used to record information related to the first packet and information of the inter-domain neighboring AS of the second AS in the process of forwarding the first packet, and the related information of the first packet includes the first packet digest or the first packet. After obtaining the first recording area, the second path server can also obtain the first Merkle tree and take the branch associated with the first recording area from the first Merkle tree to obtain a first certificate chain, and the second path server can determine the first recording area and the first certificate chain as the first forwarding record.
For how the second path server obtains the IP address information, the first timestamp and the first packet digest of the first packet from the first path query request, refer to the related description in the first implementation; details are not repeated here.
In this embodiment of the application, the second path server may likewise refer to the related description in the first implementation to obtain the first recording area from the stored recording areas according to the IP address information, the first timestamp and the first packet digest of the first packet; details are not repeated here.
Optionally, when the recording area includes a source recording area and a destination recording area, the second path server stores a first Merkle tree corresponding to the first source recording area and the first destination recording area. Based on this, after the second path server obtains the first source recording area and the first destination recording area, it may further obtain the first Merkle tree, which is a Merkle tree constructed from the first source recording area and the first destination recording area. The second path server can also take the branches associated with the first source recording area and the first destination recording area from the first Merkle tree to obtain a first certificate chain. Thereafter, the second path server can determine the first source recording area, the first destination recording area and the first certificate chain as the first forwarding record.
As can be seen from the foregoing, when the second path server stores the first Merkle tree, it can store the identifier of the first Merkle tree together with the identifiers of the recording areas used to construct it. When the second time interval is equal to the third time interval, one recording area corresponds to one Merkle tree, so the second path server can determine the identifier of the corresponding Merkle tree according to the identifier of the obtained first recording area and obtain that Merkle tree, i.e., the first Merkle tree. When the second time interval is greater than the third time interval, the second path server also stores the tree-building period corresponding to the first Merkle tree. Based on this, after obtaining the multiple corresponding Merkle trees according to the identifier of the first recording area, the second path server can select, according to the first timestamp of the first packet, the Merkle tree whose tree-building period contains that timestamp, and determine it as the first Merkle tree.
It should be noted that, as can be seen from the foregoing description, when the second time interval is greater than the third time interval, that is, the recording area is updated slowly, one recording area may correspond to multiple Merkle trees, and in addition to storing each message digest, the recording area needs to store the timestamp of the packet corresponding to each message digest. In this case, after obtaining the first Merkle tree, the second path server may further filter out those message digests whose timestamps recorded in the first recording area fall outside the tree-building period corresponding to the first Merkle tree, and determine the filtered recording area as the recording area included in the first forwarding record. That is, it is ensured that the obtained Merkle tree is constructed exactly from the recording area included in the first forwarding record, without other redundant information.
It should be noted that, in this embodiment of the present application, the second path server only obtains the branch of the first Merkle tree related to the first packet, that is, only the user data of the source device that sent the packet, which ensures that path query and verification for a packet sent by one source device can be performed without revealing the user data of other source devices, reducing leakage of user privacy.
Optionally, when the second path server records the first packet digest or the first packet in the first recording area according to the IP address information and the first timestamp of the first packet, and uses the root node of the first Merkle tree constructed from the first recording area as the path certificate, the second path server may obtain the first recording area from the stored recording areas according to the IP address information, the first timestamp and the first packet digest (or the first packet) of the first packet, where the first recording area is used to record information related to the first packet, and the related information of the first packet includes the first packet digest or the first packet. After obtaining the first recording area, the second path server can also obtain the first Merkle tree and take the branch associated with the first recording area from the first Merkle tree to obtain a first certificate chain, and the second path server can determine the first recording area and the first certificate chain as the first forwarding record.
Optionally, when the second path server records the first packet digest or the first packet in the first recording area according to the first timestamp of the first packet, and uses the root node of the first Merkle tree constructed from the first recording area as the path certificate, the second path server may obtain the first recording area from the stored recording areas according to the first timestamp of the first packet and the first packet digest (or the first packet), where the first recording area is used to record information related to the first packet, and the related information of the first packet includes the first packet digest or the first packet. After obtaining the first recording area, the second path server can also obtain the first Merkle tree and take the branch associated with the first recording area from the first Merkle tree to obtain a first certificate chain, and the second path server can determine the first recording area and the first certificate chain as the first forwarding record.
Optionally, when the second path server directly records the first packet or the first packet digest and uses it as the path certificate, the second path server may obtain the locally recorded first packet or first packet digest according to the first packet or first packet digest carried in the first path query request, and determine it as the first forwarding record.
Optionally, when the second path server records packets or packet digests per time period, constructs a Merkle tree from the packet digests recorded within the time period, and uses the root node of the constructed Merkle tree as the path certificate, the second path server may obtain, according to the first packet or the first packet digest carried in the first path query request, the locally stored segment of record information in which the first packet or the first packet digest is recorded and the Merkle tree corresponding to that record information, and determine the obtained record information and the corresponding Merkle tree as the first forwarding record.
Step 1103: the second path server sends the first forwarding record to the first path server.
In this embodiment of the present application, after determining the first forwarding record, the second path server sends the first forwarding record to the first path server, where the first forwarding record is used to instruct the first path server to determine an inter-domain forwarding path of the first packet.
Step 1104: the first path server receives the first forwarding record and verifies it according to the first path certificate stored in the database, where the first path certificate is the path certificate determined by the second path server for the first packet when the first packet passed through the second AS, and the database is a database trusted by each AS.
In this embodiment of the application, after receiving the first forwarding record fed back by the second path server, the first path server can verify the first forwarding record according to the first path certificate stored in the database.
If the path certificate stored in the database is the same as the first recording area included in the first forwarding record, the first path server determines that the first forwarding record passes verification.
If the reference root hash value is the same as the first path certificate stored in the database, the first path server determines that the first forwarding record passes verification.
Optionally, assuming that the first forwarding record includes a first source recording area, a first destination recording area and a first certificate chain, and the path certificate stored in the database is the root node of the Merkle tree, the first path server can compute the hash values of the first source recording area and the first destination recording area to obtain a reference source area hash value and a reference destination area hash value, determine a reference root hash value from the reference source area hash value, the reference destination area hash value and the nodes of the first certificate chain other than the root node, and determine that the first forwarding record passes verification if the reference root hash value is the same as the first path certificate stored in the database.
Optionally, after determining the reference root hash value, the first path server may first check whether the reference root hash value is the same as the root node in the first certificate chain. If they differ, the first path server determines that verification of the first forwarding record fails; if they are the same, the first path server obtains the first path certificate from the database, and if the first path certificate is also the same as the reference root hash value, the first path server determines that the first forwarding record passes verification.
If the first packet or the first packet digest reported by the second path server is stored in the database, that is, the path certificate stored in the database is consistent with the first forwarding record, the first path server determines that the first forwarding record passes verification.
When the first forwarding record includes the record information for a period of time together with the corresponding Merkle tree, and the path certificate stored in the database is the root node of the Merkle tree, the first path server can compute the hash value of the first packet or first packet digest in the record information to obtain a reference record hash value, obtain a reference root hash value from the reference record hash value and the records in the record information other than the first packet or first packet digest, and, if the reference root hash value is the same as the first path certificate stored in the database, determine that the first forwarding record passes verification.
Optionally, if the first AS and the second AS trust each other and a pair of public and private keys is negotiated between the first AS and the second AS, the first path server does not need to verify the forwarding record fed back by the second path server.
Step 1105: the first path server constructs the inter-domain forwarding path of the first packet according to the verification result.
In this embodiment of the present application, the first path server may construct the inter-domain forwarding path of the first packet according to the verification result of the first forwarding record. For example, when the first forwarding record records information related to the first packet, that is, the first forwarding record indicates that the first AS forwarded the first packet, and the verification passes, the first path server may determine that the inter-domain forwarding path of the first packet includes the first AS. When the first forwarding record records information related to the first packet together with the information of the previous-hop AS and the next-hop AS of the first AS in the process of forwarding the first packet, and the verification passes, the first path server can determine that the inter-domain forwarding path of the first packet sequentially includes the previous-hop AS, the first AS and the next-hop AS.
For example, as shown in fig. 10, assume that AS1 requests from AS2 the inter-domain forwarding path of the first packet with source IP address 8.9.10.1 and destination IP address 4.10.9.0. The path server corresponding to AS2 can send recording area 1 and recording area 2, together with the root node RH of the corresponding Merkle tree, to the path server corresponding to AS1. The path server corresponding to AS1 hashes recording area 1 and recording area 2 respectively to obtain a reference source area hash value H1' and a reference destination area hash value H2', and then hashes H1' and H2' together to obtain RH'. If RH' is the same as the RH fed back by AS2, the path server corresponding to AS1 obtains the corresponding path certificate from the database, that is, the corresponding root node. If the obtained root node is the same as RH, the path server corresponding to AS1 determines that the forwarding record fed back by AS2 passes verification, and determines that the inter-domain forwarding path of the first packet includes AS1, AS2 and AS3 in sequence.
It should be noted that if the first path server sends a path query request to the path servers corresponding to each intermediate AS on the expected inter-domain forwarding path of the first packet, those path servers can feed back their forwarding records to the first path server, so that the first path server can recover the true and complete inter-domain forwarding path of the first packet from the path information fed back by each intermediate AS.
It should be noted that, since the first path server verifies each received forwarding record, the inter-domain forwarding path of the first packet is determined according to the verification results. If a forwarding record fails verification, the AS corresponding to the path server that fed it back may have a problem. If the inter-domain forwarding path of the first packet determined from the verification results contains an inconsistent link, the malicious or faulty AS can be located from that link; subsequently, the malicious AS can be traced, or the faulty AS can be avoided.
Optionally, in this embodiment of the present application, the first path server may further request from the second path server the forwarding records of packets sent from a certain address block. The second path server may obtain, according to the address block, the recording area whose source address field matches the address block as the source recording area of that address block, obtain the source recording area and the branch associated with it in the corresponding Merkle tree as the certificate chain, and feed back the obtained source recording area and certificate chain to the first path server.
For example, as shown in fig. 10, assume that AS1 requests from AS2 the forwarding records of packets sent from the address block 8.10.9.0. The path server corresponding to AS2 may send recording area 1 together with H2 and RH from the corresponding Merkle tree to the path server corresponding to AS1. The path server corresponding to AS1 hashes recording area 1 to obtain a reference area hash value H1', then hashes H1' and H2 together to obtain RH'. If RH' is the same as the fed-back RH, the path server corresponding to AS1 obtains the corresponding path certificate from the database, that is, the corresponding root node. If the obtained root node is the same as RH, the path server corresponding to AS1 determines that the fed-back forwarding record passes verification, and determines that the inter-domain forwarding paths of the packets sent from the address block 8.10.9.0 are all AS1, AS2, AS3 in sequence.
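The two verification flows of the fig. 10 examples (the full forwarding record with recording area 1, recording area 2 and RH, and the source-address-block query answered with recording area 1 plus the branch H2 and RH), as an added Python example that is not part of the patent text. The recording-area layout, its serialization, the key under which the root node is stored in the trusted database, the sample addresses and timestamps, and the digest function that stands in for the sampling unit's message digest are all assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class RecordingArea:
    """Assumed layout of one recording area (source or destination)."""
    start_time: int          # start recording time of the area
    address_block: str       # source or destination IP address (block)
    neighbor_as: str         # previous-hop AS (source area) or next-hop AS (destination area)
    digests: List[str] = field(default_factory=list)

    def serialize(self) -> bytes:
        # Assumed canonical encoding; both path servers must agree on it.
        return "|".join([str(self.start_time), self.address_block,
                         self.neighbor_as, ",".join(self.digests)]).encode()


def packet_digest(src_ip: str, dst_ip: str, timestamp: int) -> str:
    """Constructed stand-in for the message digest computed by the sampling unit."""
    return sha256_hex(f"{src_ip}>{dst_ip}@{timestamp}".encode())


def build_merkle_root(rz1: RecordingArea, rz2: RecordingArea) -> Tuple[str, str, str]:
    """Two-leaf tree as in fig. 10: H1 = H(RZ1), H2 = H(RZ2), RH = H(H1 || H2)."""
    h1 = sha256_hex(rz1.serialize())
    h2 = sha256_hex(rz2.serialize())
    rh = sha256_hex((h1 + h2).encode())
    return h1, h2, rh


# --- AS2's path server: record the sampled packet and commit RH to the trusted database ---
def as2_record_and_commit(trusted_db: Dict[str, str]) -> Tuple[RecordingArea, RecordingArea, str]:
    # Constructed sample: packet 8.10.9.1 -> 4.10.9.1 at time 1000, forwarded AS1 -> AS2 -> AS3
    digest = packet_digest("8.10.9.1", "4.10.9.1", 1000)
    rz1 = RecordingArea(start_time=990, address_block="8.10.9.0", neighbor_as="AS1", digests=[digest])
    rz2 = RecordingArea(start_time=990, address_block="4.10.9.0", neighbor_as="AS3", digests=[digest])
    _, _, rh = build_merkle_root(rz1, rz2)
    trusted_db["AS2:990"] = rh   # path certificate = root node, keyed by AS and tree period (assumed)
    return rz1, rz2, rh


# --- AS1's path server: verify a full forwarding record (RZ1, RZ2, RH) ---
def verify_full_record(rz1: RecordingArea, rz2: RecordingArea, chain_rh: str, db_cert: str) -> bool:
    _, _, rh_ref = build_merkle_root(rz1, rz2)          # recompute H1', H2', RH'
    return rh_ref == chain_rh and rh_ref == db_cert      # must match the chain AND the trusted DB


# --- AS1's path server: verify a source-block record (RZ1 plus the branch H2 and RH) ---
def verify_source_block_record(rz1: RecordingArea, h2: str, chain_rh: str, db_cert: str) -> bool:
    h1_ref = sha256_hex(rz1.serialize())                 # H1' from the area actually received
    rh_ref = sha256_hex((h1_ref + h2).encode())          # RH' = H(H1' || H2); RZ2 is never revealed
    return rh_ref == chain_rh and rh_ref == db_cert


def demo() -> Dict[str, bool]:
    trusted_db: Dict[str, str] = {}
    rz1, rz2, rh = as2_record_and_commit(trusted_db)
    db_cert = trusted_db["AS2:990"]
    _, h2, _ = build_merkle_root(rz1, rz2)
    results = {
        "full_record_ok": verify_full_record(rz1, rz2, rh, db_cert),
        "source_block_ok": verify_source_block_record(rz1, h2, rh, db_cert),
    }
    # A recording area altered after commitment (here: a different previous-hop AS) fails verification
    tampered = RecordingArea(rz1.start_time, rz1.address_block, "AS4", list(rz1.digests))
    results["tampered_fails"] = not verify_full_record(tampered, rz2, rh, db_cert)
    # A root that matches the fed-back chain but not the trusted database is rejected as well
    results["wrong_db_fails"] = not verify_full_record(rz1, rz2, rh, "0" * 64)
    return results


if __name__ == "__main__":
    print(demo())
```

The check against the trusted database is the step that matters: the fed-back RH is under the answering server's control, so agreement between RH' and RH only proves the record is self-consistent, while agreement with the committed root proves it is the record that existed at commitment time.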
Optionally, in this embodiment of the present application, the first path server may further request from the second path server the forwarding records of packets sent to a certain address block. The second path server may obtain, according to the address block, the recording area whose destination address field matches the address block as the destination recording area of that address block, obtain the destination recording area and the branch associated with it in the corresponding Merkle tree as the certificate chain, and feed back the obtained destination recording area and certificate chain to the first path server.
Optionally, in this embodiment of the present application, the path server corresponding to an intermediate AS may also send each stored recording area, at intervals, to the path server corresponding to the source AS of the corresponding address, so that the path server of the source AS can complete the query locally and quickly and reconstruct the inter-domain forwarding path of a packet on demand.
The inter-domain forwarding path query method provided by the embodiment of the application can determine whether the actual inter-domain forwarding path is consistent with the expected one, and can locate a malicious link or a malicious AS when it is not. Next, taking as an example the case where the path information recorded by a path server includes the information of the previous-hop AS and the next-hop AS of the local AS on the forwarding path, several specific scenarios are described.
Referring to fig. 12, it is assumed that the expected inter-domain forwarding path is AS1, AS2 and AS3 in sequence. After the source device sends the packet to the destination device, AS1 requests AS2 and AS3 respectively to query the inter-domain forwarding path of the packet, and the actual inter-domain forwarding path constructed from the feedback of AS2 and AS3 is consistent with the expected one; that is, the actual flow direction of the packet is consistent with its declared flow direction, and the declared flow directions contain no contradiction.
Referring to fig. 13, it is assumed that the expected inter-domain forwarding path is AS1, AS2 and AS3 in sequence, but AS1 acts maliciously and forwards the packet to AS4 instead. AS3 requests queries from AS1 and AS2 respectively: AS1 declares that it forwarded the packet to AS2, but AS2 feeds back that the packet was forwarded from AS4 to AS2 and from AS2 to AS3. Two contradictory links therefore appear, AS1-AS2 and AS4-AS2; that is, the declared flow directions of the packet contradict each other. The two contradictory links can be avoided in subsequent packet routing, or other processing can be performed.
Referring to fig. 14, it is assumed that the expected inter-domain forwarding path is AS1, AS2 and AS3 in sequence, but AS1 and AS4 collude: the packet is sent from AS1 to AS4 and then to AS2, and AS2 declares that it received the packet from AS4. Two contradictory links, AS1-AS2 and AS4-AS2, therefore appear, and they are avoided in subsequent packet routing, or other processing is performed.
Referring to fig. 15, for situations such as traffic hijacking and heavy packet loss, for example routing prefix hijacking in the Border Gateway Protocol (BGP), in fig. 13, when a packet sent by the source device receives no response, the source AS1 may request AS2 and AS3 to query the true inter-domain forwarding path of the packet, and learns from the feedback of AS2 and AS3 that there is no further trace of the packet after it reaches AS2, so that in subsequent routing it may choose to avoid AS2 or to hold AS2 responsible. The destination AS3 may also request from the intermediate AS2, at regular intervals, the forwarding records of packets whose destination IP address belongs to AS3; from the forwarding records fed back by AS2, AS3 may find that some of the packets did not reach AS3 after reaching AS2, which indicates that some packets may have been hijacked by AS2, so that in subsequent routing AS2 may be avoided or held responsible.
Referring to fig. 16, when a packet sent by the source device receives no response, the source AS1 may request AS2 and AS3 to query the true inter-domain forwarding path of the packet. AS2 declares that the packet was sent to AS3, but AS3 declares that the packet was not received. In this case, either AS2 lost the packet and is blaming AS3, or AS3 lost the packet and is blaming AS2; there is a contradictory link, AS2-AS3, which may be avoided in subsequent routing, or responsibility may be pursued against AS2 and AS3.
Referring to fig. 17, for the situation of malicious packet injection or source IP address forgery, when the destination device receives a packet, the destination AS3 requests AS1 and AS2 to query the inter-domain forwarding path of the packet, and finds that the packet was not forwarded in AS1 but was forwarded to AS3 in AS2; that is, it may be determined that there is a problem in AS2, so that subsequent routing may choose to avoid AS2 or hold AS2 responsible.
Referring to fig. 18, when the destination device receives the packet, the destination AS3 requests AS1 and AS2 to query the inter-domain forwarding path of the packet, and finds that AS1 declares it did not forward the packet, whereas AS2 declares it received the packet from AS1 and forwarded it to AS3. It can thus be known that there is a contradictory link, AS1-AS2; the contradictory link is avoided in subsequent packet routing, or responsibility is pursued against AS1 or AS2.
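The checks in the scenarios above can be run mechanically over the feedback each path server returns. The following is an added example, not code from the patent: it takes per-AS forwarding records (whether the AS handled the packet, and the previous-hop / next-hop AS it recorded), reconstructs the confirmed path and flags the contradictory links. The record layout and the scenario data for figs. 12, 13, 16, 17 and 18 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ForwardingRecord:
    """What one AS's path server declares about a packet (constructed layout):
    whether the AS handled it (forwarded or delivered), and the previous-hop /
    next-hop AS it recorded (None when that neighbour was not recorded)."""
    asn: str
    forwarded: bool
    prev_hop: Optional[str] = None
    next_hop: Optional[str] = None


def analyse_path(records: List[ForwardingRecord],
                 expected_path: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (confirmed_path, contradictory_links).

    A link (a, b) is confirmed when a declares next_hop == b AND b declares
    prev_hop == a.  It is contradictory when (1) one endpoint declares it but
    the other endpoint, whose record we hold, does not (figs. 16 and 18), or
    (2) it competes with another declared predecessor or successor of the same
    AS (figs. 13 and 14, where AS2 names AS4 while AS1 names itself)."""
    forwarding = {r.asn: r for r in records if r.forwarded}
    known = {r.asn for r in records}
    claims: Dict[Tuple[str, str], set] = {}
    for r in forwarding.values():
        if r.prev_hop:
            claims.setdefault((r.prev_hop, r.asn), set()).add(r.asn)
        if r.next_hop:
            claims.setdefault((r.asn, r.next_hop), set()).add(r.asn)

    confirmed, contradictory = set(), set()
    for (a, b), claimers in claims.items():
        if claimers == {a, b}:
            confirmed.add((a, b))
        elif (a in known and a not in claimers) or (b in known and b not in claimers):
            contradictory.add((a, b))                     # rule (1)
    for asn in forwarding:                                # rule (2)
        preds = {a for (a, b) in claims if b == asn}
        succs = {b for (a, b) in claims if a == asn}
        if len(preds) > 1:
            contradictory.update((p, asn) for p in preds)
        if len(succs) > 1:
            contradictory.update((asn, s) for s in succs)
    confirmed -= contradictory

    # The actual path is the longest chain of confirmed links; on ties prefer
    # the chain that starts earliest on the expected path.
    successor = dict(confirmed)
    has_pred = {b for (_, b) in confirmed}
    order = {asn: i for i, asn in enumerate(expected_path)}
    starts = sorted((a for a in forwarding if a not in has_pred),
                    key=lambda a: order.get(a, len(order)))
    best: List[str] = []
    for start in starts:
        chain, cur = [start], start
        while cur in successor and successor[cur] not in chain:
            cur = successor[cur]
            chain.append(cur)
        if len(chain) > len(best):
            best = chain
    return best, sorted(contradictory)


EXPECTED = ["AS1", "AS2", "AS3"]
# Constructed sample feedback for the figures discussed above.
SCENARIOS = {
    "fig12": [ForwardingRecord("AS1", True, None, "AS2"),
              ForwardingRecord("AS2", True, "AS1", "AS3"),
              ForwardingRecord("AS3", True, "AS2", None)],
    "fig13": [ForwardingRecord("AS1", True, None, "AS2"),   # AS1 lies: really sent to AS4
              ForwardingRecord("AS2", True, "AS4", "AS3"),
              ForwardingRecord("AS3", True, "AS2", None)],
    "fig16": [ForwardingRecord("AS1", True, None, "AS2"),
              ForwardingRecord("AS2", True, "AS1", "AS3"),
              ForwardingRecord("AS3", False)],             # AS3: never received it
    "fig17": [ForwardingRecord("AS1", False),              # packet appears only from AS2 on
              ForwardingRecord("AS2", True, None, "AS3"),
              ForwardingRecord("AS3", True, "AS2", None)],
    "fig18": [ForwardingRecord("AS1", False),
              ForwardingRecord("AS2", True, "AS1", "AS3"),
              ForwardingRecord("AS3", True, "AS2", None)],
}


def analyse_scenario(name: str):
    return analyse_path(SCENARIOS[name], EXPECTED)


if __name__ == "__main__":
    for name in SCENARIOS:
        path, bad = analyse_scenario(name)
        print(f"{name}: confirmed path {path}, contradictory links {bad}")
```

For fig. 17 no link is contradictory; the anomaly is that the confirmed path starts at AS2 rather than at the expected source, which is what points at AS2.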
The foregoing embodiment describes the inter-domain forwarding path query method provided in this application by taking as an example the case where the first path server requests the inter-domain forwarding path of the first packet from the second path server. It should be noted that, in the embodiment of the present application, any AS may, through its corresponding path server, request another AS to query the inter-domain forwarding path of one or more packets.
For example, as can be seen from the foregoing, the first path server stores path information during the forwarding of the second packet, so the first path server can also receive a second path query request sent by a third path server, where the second path query request is used to query the inter-domain forwarding path of the second packet, and the third path server is the server corresponding to a third AS. The first path server may determine a second forwarding record according to the second path query request, where the second forwarding record indicates whether the first AS forwarded the second packet. The first path server then sends the second forwarding record to the third path server, which verifies the second forwarding record according to the second path certificate stored in the database and constructs the inter-domain forwarding path of the second packet according to the verification result; the second path certificate is the path certificate determined by the first path server for the second packet when the second packet passed through the first AS.
Optionally, the second path query request carries the IP address information, the second timestamp and the second packet digest of the second packet. The first path server can obtain a second recording area from the stored recording areas according to the IP address information, the second timestamp and the second packet digest of the second packet, where the second recording area records the second packet digest, and the first path server determines the second recording area as the second forwarding record.
Optionally, the second path query request carries the IP address information, the second timestamp and the second packet digest of the second packet. The first path server can obtain a second recording area from the stored recording areas according to the IP address information, the second timestamp and the second packet digest of the second packet, where the second recording area records the second packet digest and the information of the inter-domain neighboring AS of the first AS during the forwarding of the second packet. After obtaining the second recording area, the first path server can also obtain a second Merkle tree, which is the Merkle tree constructed from the second recording area. The first path server obtains the branch associated with the second recording area from the second Merkle tree as the second proof chain, and determines the second recording area and the second proof chain as the second forwarding record.
After the first path server sends the second forwarding record to the third path server, the third path server can verify the second forwarding record according to the second path certificate stored in the database, and construct the inter-domain forwarding path of the second packet according to the verification result.
It should be noted that, the implementation manner of determining the second forwarding record by the first path server may refer to the related description in the foregoing embodiment, and the implementation manner of verifying the second forwarding record by the third path server and constructing the inter-domain forwarding path of the second packet may also refer to the related description in the foregoing embodiment, which is not described herein again.
Fig. 19 is another system architecture diagram related to the inter-domain forwarding path query method provided in the embodiment of the present application. Referring to fig. 19, the system architecture includes border network devices, path servers and a database (e.g., a blockchain). A path server is deployed in its corresponding AS and is used to record relevant information about packets forwarded by the border network devices in the AS: it records packet digests in different recording areas according to IP address information, timestamp, previous-hop AS and next-hop AS, builds the recording areas into a Merkle tree, and submits the root node of the Merkle tree to the database as a path certificate. The path server can then receive and respond to inter-domain path query requests sent by the path servers of other ASes. A border network device samples the packets it forwards, constructs sampling packets and sends them to the path server. The database stores the path certificates submitted by the path servers.
Optionally, the above scheme of verifying data with a database trusted by every node (e.g., a blockchain) can be applied to querying the real inter-domain forwarding path of a packet, and also to scenarios such as network fault diagnosis and network security tracing.
In summary, in the embodiment of the present application, after receiving the first path query request, the second path server may feed back to the first path server whether the corresponding second AS forwarded the first packet. In this scheme an AS can rapidly construct the inter-domain forwarding path of a packet through the path server without performing a reverse flooding query, so as to greatly improve the query efficiency of the inter-domain forwarding path. In addition, the first path server can also verify the information fed back by the second path server according to the path certificate stored in the database, and since the database is trusted by each AS, the scheme can cope with malicious AS misrepresentation, information hiding, information tampering and the like, and the authenticity of the query result is ensured.
Fig. 20 is a schematic structural diagram of an inter-domain forwarding path querying device 2000 according to an embodiment of the present application. Optionally, the inter-domain forwarding path querying device 2000 is implemented by software, hardware or a combination of the two as part or all of a computer device, which is any path server in the foregoing embodiments. Referring to fig. 20, taking the example that the apparatus 2000 is applied to a first path server, where the first path server is a server corresponding to a first AS, the apparatus 2000 includes: a first sending module 2001, a first receiving module 2002, a verification module 2003 and a construction module 2004.
A first sending module 2001, configured to send a first path query request to a second path server, where the first path query request is used to query an inter-domain forwarding path of a first packet, the first path server is a server corresponding to a first AS, and the second path server is a server corresponding to a second AS;
a first receiving module 2002, configured to receive a first forwarding record sent by the second path server, where the first forwarding record is used to represent whether the second AS forwards the first packet;
a verification module 2003, configured to verify the first forwarding record according to a first path certificate stored in the database, where the first path certificate is the path certificate determined by the second path server for the first packet when the first packet passed through the second AS, and the database is a database trusted by each AS;
a constructing module 2004, configured to construct an inter-domain forwarding path of the first packet according to the verification result.
Optionally, the first forwarding record includes a first recording area and a first proof chain, where the first recording area is stored in the second path server and records related information of the first packet, the first proof chain is the branch of a first Merkle tree associated with the first recording area, and the first Merkle tree is the Merkle tree constructed from the first recording area;
the verification module 2003 includes:
the first determining unit is used for determining the hash value of the first recording area to obtain a reference area hash value;
a second determining unit, configured to determine a reference root hash value according to the reference area hash value and the nodes other than the root node in the first proof chain;
and a third determining unit, configured to determine that the first forwarding record is verified if the reference root hash value is identical to the first path certificate stored in the database.
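Verification module 2003 above and the fig. 10 walk-through (H1', H2, RH') describe the same check. The following is an added example, not code from the patent: a path server builds a Merkle tree over its recording areas and submits the root as its path certificate, answers a query with a recording area plus its proof chain, and the querying server recomputes the root and compares it with the certificate. The recording-area layout, its serialisation and the sample data are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RecordingArea:
    """Source recording area (constructed layout): start recording time,
    source address block, previous-hop AS and the packet digests recorded."""
    start_time: int
    address_block: str
    prev_hop_as: str
    digests: List[bytes] = field(default_factory=list)

    def serialise(self) -> bytes:
        header = f"{self.start_time}|{self.address_block}|{self.prev_hop_as}|".encode()
        return header + b"".join(self.digests)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_tree(areas: List[RecordingArea]) -> List[List[bytes]]:
    """Merkle tree over the recording areas, returned as levels (leaves first).
    A level with an odd number of nodes duplicates its last node."""
    level = [sha256(a.serialise()) for a in areas]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def path_certificate(levels: List[List[bytes]]) -> bytes:
    """The root node, which the path server submits to the trusted database."""
    return levels[-1][0]


def proof_chain(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Branch associated with leaf `index`: the sibling hashes from leaf to
    root, each tagged with whether the sibling sits to the left of our node."""
    chain = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        chain.append((level[sibling], sibling < index))
        index //= 2
    return chain


def verify(area: RecordingArea, chain: List[Tuple[bytes, bool]],
           certificate: bytes) -> bool:
    """Querying side: hash the recording area (reference area hash H1'),
    fold in each node of the proof chain (H2, ...) to get the reference root
    hash RH', and compare RH' with the path certificate read from the database."""
    node = sha256(area.serialise())
    for sibling, sibling_on_left in chain:
        node = sha256(sibling + node) if sibling_on_left else sha256(node + sibling)
    return node == certificate


def demo() -> Tuple[bool, bool]:
    """AS2's path server holds three recording areas (constructed); AS1 asks for
    the records of packets from 8.10.9.0/24 and verifies the reply, then a reply
    whose previous-hop AS was altered after the certificate was submitted."""
    areas = [
        RecordingArea(1000, "8.10.9.0/24", "AS1", [sha256(b"pkt-a"), sha256(b"pkt-b")]),
        RecordingArea(1000, "8.10.10.0/24", "AS1", [sha256(b"pkt-c")]),
        RecordingArea(1060, "8.10.9.0/24", "AS4", [sha256(b"pkt-d")]),
    ]
    levels = build_tree(areas)
    certificate = path_certificate(levels)          # what AS2 stored in the database
    area, chain = areas[0], proof_chain(levels, 0)  # what AS2 feeds back to AS1
    genuine = verify(area, chain, certificate)
    altered = RecordingArea(area.start_time, area.address_block, "AS4", area.digests)
    return genuine, verify(altered, chain, certificate)


if __name__ == "__main__":
    print(demo())
```

The second result shows why the certificate must already be in the trusted database before the query: a path server that rewrote a recording area after submitting its root can no longer produce a chain that folds to that root.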
Optionally, the related information of the first packet includes a first packet digest, where the first packet digest is a digest of the first packet, and the first recording area is further configured to record information of an inter-domain neighboring AS of a second AS in a process of forwarding the first packet, where the inter-domain neighboring AS includes at least one of a previous-hop AS and a next-hop AS.
Optionally, when the inter-domain neighboring AS includes a previous-hop AS, the first recording area includes a first source recording area;
when the inter-domain neighboring AS includes a next-hop AS, the first recording area includes a first destination recording area;
when the inter-domain neighboring AS includes both a previous-hop AS and a next-hop AS, the first recording area includes a first source recording area and a first destination recording area;
the first source recording area includes a source start time field, a source address field, a previous-hop AS field and a packet digest field, where the source start time field stores the start recording time of the first source recording area, which is not later than the time indicated by the first timestamp, the first timestamp indicates the generation time of the first packet, the source address field stores the source IP address of the first packet or a first source IP address block to which that source IP address belongs, the previous-hop AS field stores the information of the previous-hop AS of the second AS during the forwarding of the first packet, and the packet digest field records the first packet digest;
the first destination recording area includes a destination start time field, a destination address field, a next-hop AS field and a packet digest field, where the destination start time field stores the start recording time of the first destination recording area, which is not later than the time indicated by the first timestamp, the destination address field stores the destination IP address of the first packet or a first destination IP address block to which that destination IP address belongs, the next-hop AS field stores the information of the next-hop AS of the second AS during the forwarding of the first packet, and the packet digest field records the first packet digest.
Optionally, the first path query request carries the first packet, or the first path query request carries IP address information, a first timestamp, and a first packet digest of the first packet, where the IP address information includes a source IP address and/or a destination IP address, the first timestamp is used to indicate generation time of the first packet, and the first packet digest is a digest of the first packet.
Optionally, the apparatus 2000 further comprises:
a second receiving module, configured to receive a second path query request sent by a third path server, where the second path query request is used to query an inter-domain forwarding path of a second packet, and the third path server is a server corresponding to a third AS;
a first determining module, configured to determine a second forwarding record according to the second path query request, where the second forwarding record is used to represent whether the first AS forwards the second packet;
and a second sending module, configured to send the second forwarding record to the third path server, where the second forwarding record is used to instruct the third path server to verify the second forwarding record according to a second path certificate stored in the database and to construct the inter-domain forwarding path of the second packet according to the verification result, and the second path certificate is the path certificate determined by the first path server for the second packet when the second packet passed through the first AS.
Optionally, the second path query request carries IP address information of a second packet, a second timestamp, and a second packet digest, where the second timestamp is used to indicate generation time of the second packet, and the second packet digest is a digest of the second packet;
the first determining module includes:
a first obtaining unit, configured to obtain a second recording area from the stored recording areas according to the IP address information, the second timestamp and the second packet digest of the second packet, where the second recording area records the second packet digest;
a fourth determining unit for determining the second recording area as the second forwarding record.
Optionally, the second path query request carries IP address information of a second packet, a second timestamp, and a second packet digest, where the second timestamp is used to indicate generation time of the second packet, and the second packet digest is a digest of the second packet;
the first determining module includes:
a second obtaining unit, configured to obtain a second recording area from the stored recording areas according to the IP address information of the second packet, the second timestamp and the second packet digest, where the second recording area records the second packet digest and the information of the inter-domain neighboring AS of the first AS during the forwarding of the second packet;
a third obtaining unit, configured to obtain a second Merkle tree, where the second Merkle tree is the Merkle tree constructed from the second recording area;
a fourth obtaining unit, configured to obtain the branch associated with the second recording area from the second Merkle tree as a second proof chain;
and a fifth determining unit, configured to determine the second recording area and the second proof chain as the second forwarding record.
Optionally, the apparatus 2000 further comprises:
a second determining module, configured to determine a second packet digest and record it locally, where the second packet digest is the digest of the second packet;
and a third determining module, configured to determine the second path certificate and send it to the database so that the second path certificate is stored in the database.
Optionally, the apparatus 2000 further comprises:
a fourth determining module, configured to determine the information of the inter-domain neighboring AS of the first AS during the forwarding of the second packet and the second packet digest, and to record both locally, where the second packet digest is the digest of the second packet;
and a fifth determining module, configured to determine the second path certificate and send it to the database so that the second path certificate is stored in the database.
Optionally, the fourth determining module includes:
a sixth determining unit, configured to determine IP address information, a second timestamp, and a second packet digest of the second packet, where the second timestamp is used to indicate generation time of the second packet;
a seventh determining unit, configured to determine, according to the IP address information of the second packet, inter-domain neighboring AS information of the first AS in a process of forwarding the second packet;
and a recording unit, configured to record the second packet digest in the corresponding recording area according to the IP address information of the second packet, the second timestamp and the information of the inter-domain neighboring AS of the first AS during the forwarding of the second packet.
Optionally, the recording unit includes:
a searching subunit, configured to search the stored recording areas for the corresponding recording area according to the IP address information of the second packet, the second timestamp and the information of the inter-domain neighboring AS of the first AS during the forwarding of the second packet;
a first recording subunit, configured to record the second packet digest in the found recording area if the corresponding recording area is found;
and a second recording subunit, configured to create a recording area according to the IP address information of the second packet, the second timestamp and the information of the inter-domain neighboring AS of the first AS during the forwarding of the second packet if the corresponding recording area is not found, and to record the second packet digest in the created recording area.
Optionally, the seventh determining unit includes:
a first determining subunit, configured to determine, according to the IP address information of the second packet, a port identifier of the first border network device for transmitting the second packet, where the first border network device is a border network device in the first AS;
and the second determining subunit is configured to determine, according to the port identifier, information of an inter-domain neighboring AS of the first AS in the process of forwarding the second packet.
Optionally, the sixth determining unit includes:
a first receiving subunit, configured to receive a sampling packet sent by the first border network device, where the sampling packet carries the IP address information of the second packet, the second timestamp and the second packet digest, and the first border network device is a border network device in the first AS; or
a second receiving subunit, configured to receive the second packet sent by the first border network device, obtain the IP address information and the second timestamp carried in the second packet, and generate the second packet digest from the second packet; or
a bypass sampling subunit, configured to obtain the second packet from the first border network device and generate the sampling packet from the second packet.
Optionally, the recording unit includes:
a third recording subunit, configured to record the whole second packet digest in the corresponding recording area; or
a fourth recording subunit, configured to record the first N bits of the second packet digest in the corresponding recording area, where the second packet digest has M bits, N and M are both integers greater than zero, and N is smaller than M; or
a fifth recording subunit, configured to set the value of the bloom filter in the recording area corresponding to the second packet according to the second packet digest, so as to record the second packet digest through the bloom filter in the corresponding recording area.
Optionally, the fifth recording subunit is specifically configured to:
determining a third timestamp, wherein the third timestamp is determined by a boundary network device in a source AS forwarding the second message and is added in the second message, and the third timestamp is used for synchronizing bloom filters in recording areas stored in path servers corresponding to the ASs; determining a first bloom filter from the one or more bloom filters in the corresponding recording area according to the third timestamp; and setting the value of the first bloom filter according to the second message abstract.
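The third-timestamp mechanism above only works if every path server on the path maps the same packet to the same bloom filter. The following is an added example, not code from the patent: a recording area that keeps one bloom filter per time slot of the third timestamp, records a digest into the slot's filter, and answers membership queries. The slot width, filter size, hash count and sample data are constructed assumptions.

```python
import hashlib

SLOT_SECONDS = 10   # assumption: one bloom filter per 10 s of third-timestamp time


class BloomFilter:
    """Fixed-size bloom filter; k bit positions are derived from the digest by
    double hashing over SHA-256 so every path server derives the same bits."""

    def __init__(self, m_bits: int = 4096, k: int = 4):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)

    def _positions(self, digest: bytes):
        d = hashlib.sha256(digest).digest()
        a = int.from_bytes(d[:8], "big")
        b = int.from_bytes(d[8:16], "big") | 1
        return [(a + i * b) % self.m for i in range(self.k)]

    def add(self, digest: bytes) -> None:
        for p in self._positions(digest):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, digest: bytes) -> bool:
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(digest))


class RecordingArea:
    """Recording area keyed by start time, address block and inter-domain
    neighbour AS (constructed layout); packet digests go into the bloom
    filter of the slot selected by the third timestamp."""

    def __init__(self, start_time: int, address_block: str, neighbour_as: str):
        self.start_time = start_time
        self.address_block = address_block
        self.neighbour_as = neighbour_as
        self.filters = {}           # slot -> BloomFilter

    @staticmethod
    def slot(third_timestamp: int) -> int:
        return third_timestamp // SLOT_SECONDS

    def record(self, digest: bytes, third_timestamp: int) -> None:
        self.filters.setdefault(self.slot(third_timestamp), BloomFilter()).add(digest)

    def was_recorded(self, digest: bytes, third_timestamp: int) -> bool:
        """No false negatives; a false positive is possible, so a 'yes' is
        evidence of forwarding while a 'no' is conclusive."""
        f = self.filters.get(self.slot(third_timestamp))
        return f is not None and digest in f


def demo():
    """Path servers of AS2 and AS3 record the same sampled packet. The third
    timestamp, stamped once by the source AS border device, puts it in the same
    slot on both servers, so their filters agree bit for bit."""
    digest = hashlib.sha256(b"constructed sample packet").digest()
    third_ts = 1_700_000_005
    as2_area = RecordingArea(1_700_000_000, "8.10.9.0/24", "AS1")   # prev hop AS1
    as3_area = RecordingArea(1_700_000_000, "8.10.9.0/24", "AS2")   # prev hop AS2
    as2_area.record(digest, third_ts)
    as3_area.record(digest, third_ts)
    unseen = hashlib.sha256(b"packet never forwarded").digest()
    same_slot = as2_area.filters[RecordingArea.slot(third_ts)].bits == \
        as3_area.filters[RecordingArea.slot(third_ts)].bits
    return (as2_area.was_recorded(digest, third_ts),
            as3_area.was_recorded(digest, third_ts),
            as2_area.was_recorded(digest, third_ts + SLOT_SECONDS),  # wrong slot
            as2_area.was_recorded(unseen, third_ts),
            same_slot)


if __name__ == "__main__":
    print(demo())
```

The third result shows the failure mode the third timestamp prevents: a querier that derives the slot from its own clock instead of the stamped value looks in the wrong filter and misses the record.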
Optionally, the third determining module includes:
a building unit, configured to build a second Merkle tree from the locally stored recording areas, which include the recording area in which the second packet digest is recorded;
and an eighth determining unit, configured to determine the root node of the second Merkle tree as the second path certificate.
Optionally, the database refers to a database stored on a server provided by a third party trusted by each AS, or to a database maintained at a blockchain node.
In the embodiment of the application, after receiving the first path query request, the second path server can feed back to the first path server whether the corresponding second AS forwarded the first packet. In this scheme an AS can quickly construct the inter-domain forwarding path of a packet through the path server without a reverse flooding query, so that the query efficiency of the inter-domain forwarding path is greatly improved. In addition, the first path server can also verify the information fed back by the second path server according to the path certificate stored in the database, and since the database is trusted by each AS, the scheme can cope with malicious AS misrepresentation, information hiding, information tampering and the like, and the authenticity of the query result is ensured.
It should be noted that: the inter-domain forwarding path querying device provided in the foregoing embodiment is only illustrated by dividing the functional modules when querying the inter-domain forwarding path, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the inter-domain forwarding path querying device and the inter-domain forwarding path querying method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
The embodiment of the application provides an inter-domain forwarding path query system, which includes a plurality of path servers and a database, where the plurality of path servers correspond to a plurality of different ASes, any one of the path servers is the path server of the foregoing embodiment and implements the inter-domain forwarding path query method provided therein, the database stores path certificates, and the database is trusted by the plurality of ASes. Optionally, the database refers to a database stored on a server provided by a third party trusted by each AS, or to a database maintained at a blockchain node, where each AS that forwards packets is a node of the blockchain.
That is, any path server can store the path information of forwarded packets, where the path information includes related information of the packet, and may further include at least one of the information of the previous-hop AS and the information of the next-hop AS of the local AS during the forwarding of the packet. The path server can also determine a path certificate from the stored path information and submit it to the database so that the path certificate is stored there. Any path server can request other path servers to query the inter-domain forwarding path of a packet; the other path servers feed back forwarding records to it, and it verifies the fed-back forwarding records according to the path certificates stored in the database and constructs the inter-domain forwarding path of the packet according to the verification result.
For example, assuming that the first path server corresponds to the first AS and the second path server corresponds to the second AS, then during the forwarding of the first packet the second path server records related information of the first packet, determines a first path certificate from the recorded information, and submits the first path certificate to the database so that it is stored there. The first path server sends a first path query request to the second path server to query the inter-domain forwarding path of the first packet. The second path server then determines a first forwarding record according to the first path query request and sends it to the first path server, where the first forwarding record carries related information of the first packet. The first path server receives the first forwarding record sent by the second path server, verifies it according to the path certificate stored in the database, and constructs the inter-domain forwarding path of the first packet according to the verification result.
In the embodiment of the application, after receiving the first path query request, the second path server can feed back to the first path server whether the corresponding second AS forwarded the first packet. In this scheme an AS can quickly construct the inter-domain forwarding path of a packet through the path server without a reverse flooding query, so that the query efficiency of the inter-domain forwarding path is greatly improved. In addition, the first path server can also verify the information fed back by the second path server according to the path certificate stored in the database, and since the database is trusted by each AS, the scheme can cope with malicious AS misrepresentation, information hiding, information tampering and the like, and the authenticity of the query result is ensured.
It should be noted that the inter-domain forwarding path query system and the inter-domain forwarding path query method provided in the foregoing embodiments belong to the same concept, and specific implementation processes thereof are described in detail in the method embodiments and are not described herein again.
In the above embodiments, the implementation may be realized wholly or partly by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that includes one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., Digital Versatile Disc (DVD)), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others. It is noted that the computer-readable storage medium referred to in the embodiments of the present application may be a non-volatile storage medium, in other words, a non-transitory storage medium.
It is to be understood that reference herein to "at least one" means one or more and "a plurality" means two or more. In the description of the embodiments of the present application, "/" means "or" unless otherwise specified; for example, A/B may mean A or B. "And/or" herein merely describes an association between associated objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, in order to describe the technical solutions of the embodiments of the present application clearly, terms such as "first" and "second" are used in the embodiments to distinguish between identical or similar items having substantially the same functions and actions. Those skilled in the art will appreciate that the terms "first", "second", etc. denote neither quantity nor any order or importance.
The above-mentioned embodiments are provided not to limit the present application, and any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (20)

1. An inter-domain forwarding path query method, the method comprising:
a first path server sends a first path query request to a second path server, wherein the first path query request is used for querying an inter-domain forwarding path of a first message, the first path server is a server corresponding to a first Autonomous System (AS), and the second path server is a server corresponding to a second AS;
the first path server receives a first forwarding record sent by the second path server, wherein the first forwarding record is used for representing whether the second AS forwards the first message or not;
the first path server verifies the first forwarding record according to a first path deposit certificate stored in a database, wherein the first path deposit certificate refers to a path deposit certificate determined by the second path server relative to the first message when the first message passes through the second AS, and the database is a database trusted by each AS;
and the first path server constructs an inter-domain forwarding path of the first message according to the verification result.
2. The method according to claim 1, wherein the first forwarding record includes a first recording area and a first evidence storing chain stored in the second path server, the first recording area is used for recording relevant information of the first packet, the first evidence storing chain refers to the branch associated with the first recording area in a first Merkle tree, and the first Merkle tree refers to a Merkle tree constructed according to the first recording area;
the first path server verifying the first forwarding record according to a first path deposit certificate stored in a database comprises the following steps:
the first path server determines the hash value of the first recording area to obtain a reference area hash value;
the first path server determines a reference root hash value according to the reference area hash value and the nodes other than the root node in the first evidence storing chain;
and if the reference root hash value is the same as the first path deposit certificate stored in the database, the first path server determines that the first forwarding record is verified.
3. The method according to claim 2, wherein the information related to the first packet includes a first packet digest, the first packet digest being the digest of the first packet, the first recording area is further configured to record information of an inter-domain neighboring AS of the second AS in the process of forwarding the first packet, and the inter-domain neighboring AS includes at least one of a last-hop AS and a next-hop AS.
4. The method of claim 3, wherein, when the inter-domain neighboring AS comprises a last-hop AS, the first recording area comprises a first source recording area;
when the inter-domain neighboring AS comprises a next-hop AS, the first recording area comprises a first destination recording area;
when the inter-domain neighboring AS comprises a last-hop AS and a next-hop AS, the first recording area comprises a first source recording area and a first destination recording area;
the first source recording area comprises a source start time field, a source address field, a last-hop AS field and a packet digest field, wherein the source start time field is used for storing the start recording time of the first source recording area, the start recording time of the first source recording area is not later than the time indicated by a first timestamp, the first timestamp is used for indicating the generation time of the first packet, the source address field is used for storing a source Internet Protocol (IP) address of the first packet or a first source IP address block, the source IP address of the first packet belongs to the first source IP address block, the last-hop AS field is used for storing the information of the last-hop AS of the second AS in the process of forwarding the first packet, and the packet digest field is used for recording the first packet digest;
the first destination recording area comprises a destination start time field, a destination address field, a next-hop AS field and a packet digest field, wherein the destination start time field is used for storing the start recording time of the first destination recording area, the start recording time of the first destination recording area is not later than the time indicated by the first timestamp, the destination address field is used for storing a destination IP address of the first packet or a first destination IP address block, the destination IP address of the first packet belongs to the first destination IP address block, the next-hop AS field is used for storing information of the next-hop AS of the second AS in the process of forwarding the first packet, and the packet digest field is used for recording the first packet digest.
5. The method according to any one of claims 1 to 4, wherein the first path query request carries the first packet, or the first path query request carries IP address information of the first packet, a first timestamp, and a first packet digest, where the IP address information includes a source IP address and/or a destination IP address, the first timestamp is used to indicate a generation time of the first packet, and the first packet digest is a digest of the first packet.
6. The method of any of claims 1-5, wherein the method further comprises:
the first path server receives a second path query request sent by a third path server, wherein the second path query request is used for querying an inter-domain forwarding path of a second message, and the third path server is a server corresponding to a third AS;
the first path server determines a second forwarding record according to the second path query request, wherein the second forwarding record is used for representing whether the first AS forwards the second message or not;
the first path server sends the second forwarding record to the third path server, where the second forwarding record is used to instruct the third path server to verify the second forwarding record according to a second path deposit certificate stored in the database, and construct an inter-domain forwarding path of the second packet according to a verification result, where the second path deposit certificate is a path deposit certificate determined by the first path server with respect to the second packet when the second packet passes through the first AS.
7. The method according to claim 6, wherein the second path query request carries the IP address information of the second packet, a second timestamp and a second packet digest, the second timestamp being used to indicate the generation time of the second packet, and the second packet digest being the digest of the second packet;
the first path server determines a second forwarding record according to the second path query request, including:
the first path server acquires a second recording area from stored recording areas according to the IP address information of the second packet, the second timestamp and the second packet digest, where the second recording area is used for recording the second packet digest;
and the first path server determines the second recording area as the second forwarding record.
8. The method according to claim 6, wherein the second path query request carries the IP address information of the second packet, a second timestamp and a second packet digest, the second timestamp being used to indicate the generation time of the second packet, and the second packet digest being the digest of the second packet;
the first path server determines a second forwarding record according to the second path query request, including:
the first path server acquires a second recording area from stored recording areas according to the IP address information of the second packet, the second timestamp and the second packet digest, where the second recording area is used for recording the second packet digest and information of the inter-domain neighboring AS of the first AS in the process of forwarding the second packet;
the first path server acquires a second Merkle tree, where the second Merkle tree is constructed according to the second recording area;
the first path server acquires the branch associated with the second recording area from the second Merkle tree to obtain a second evidence storing chain;
and the first path server determines the second recording area and the second evidence storing chain as the second forwarding record.
9. The method according to any one of claims 6-8, wherein before the first path server receives the second path query request sent by the third path server, the method further comprises:
the first path server determines a second packet digest and locally records the second packet digest, where the second packet digest refers to the digest of the second packet;
and the first path server determines a second path deposit certificate and sends the second path deposit certificate to the database so as to store the second path deposit certificate in the database.
10. The method according to any one of claims 6-8, wherein before the first path server receives the second path query request sent by the third path server, the method further comprises:
the first path server determines the inter-domain neighboring AS information of the first AS in the process of forwarding the second packet and a second packet digest, and locally records the inter-domain neighboring AS information of the first AS in the process of forwarding the second packet and the second packet digest, where the second packet digest refers to the digest of the second packet;
and the first path server determines a second path deposit certificate and sends the second path deposit certificate to the database so as to store the second path deposit certificate in the database.
11. The method of claim 10, wherein the first path server determining the inter-domain neighboring AS information of the first AS in the process of forwarding the second packet and the second packet digest, and locally recording the inter-domain neighboring AS information of the first AS in the process of forwarding the second packet and the second packet digest, comprises:
the first path server determines the IP address information of the second packet, a second timestamp and the second packet digest, where the second timestamp is used for indicating the generation time of the second packet;
the first path server determines the inter-domain neighboring AS information of the first AS in the process of forwarding the second packet according to the IP address information of the second packet;
and the first path server records the second packet digest in a corresponding recording area according to the IP address information of the second packet, the second timestamp and the inter-domain neighboring AS information of the first AS in the process of forwarding the second packet.
12. The method of claim 11, wherein the determining, by the first path server, the inter-domain neighbor AS information of the first AS in the process of forwarding the second packet according to the IP address information of the second packet, comprises:
the first path server determines a port identifier of a first border network device for transmitting the second message according to the IP address information of the second message, wherein the first border network device is a border network device in the first AS;
and the first path server determines the inter-domain adjacent AS information of the first AS in the process of forwarding the second message according to the port identifier.
13. The method of claim 11 or 12, wherein the first path server determining the IP address information of the second packet, the second timestamp and the second packet digest comprises:
the first path server receives a sampling packet sent by a first border network device, where the sampling packet carries the IP address information of the second packet, the second timestamp and the second packet digest, and the first border network device is a border network device in the first AS; or,
the first path server receives the second packet sent by the first border network device, acquires the IP address information and the second timestamp carried in the second packet, and generates the second packet digest according to the second packet; or,
the first path server receives a sampling packet sent by a bypass sampling device of the first border network device, where the sampling packet carries the IP address information of the second packet, the second timestamp, and the second packet digest, and the bypass sampling device is configured to obtain the second packet from the first border network device and generate the sampling packet according to the second packet.
14. The method according to any one of claims 11-13, wherein the first path server recording the second packet digest in a corresponding recording area comprises:
the first path server records the whole second packet digest in the corresponding recording area; or,
the first path server records the first N bits of the second packet digest in the corresponding recording area, where the number of bits of the second packet digest is M, N and M are both integers greater than zero, and N is smaller than M; or,
the first path server sets the value of a bloom filter in the recording area corresponding to the second packet according to the second packet digest, so as to record the second packet digest through the bloom filter in the corresponding recording area.
15. The method of claim 14, wherein the first path server setting the value of the bloom filter in the recording area corresponding to the second packet according to the second packet digest comprises:
the first path server determines a third timestamp, where the third timestamp is determined by a border network device in the source AS forwarding the second packet and added to the second packet, and the third timestamp is used for synchronizing the bloom filters in the recording areas stored in the path servers corresponding to the ASs;
the first path server determines a first bloom filter from one or more bloom filters in the corresponding recording area according to the third timestamp;
and the first path server sets the value of the first bloom filter according to the second packet digest.
16. The method of any one of claims 11-15, wherein the first path server determining the second path deposit certificate comprises:
the first path server constructs a second Merkle tree according to locally stored recording areas, where the locally stored recording areas include the recording area in which the second packet digest is recorded;
and the first path server determines the root node of the second Merkle tree as the second path deposit certificate.
17. The method according to any one of claims 1 to 16, wherein the database is a database stored in a server provided by a third party trusted by each AS, or a database maintained at a blockchain node.
18. An inter-domain forwarding path query device is applied to a first path server, where the first path server is a server corresponding to a first AS, and the device includes:
a first sending module, configured to send a first path query request to a second path server, where the first path query request is used to query an inter-domain forwarding path of a first packet, and the second path server is a server corresponding to a second AS;
a first receiving module, configured to receive a first forwarding record sent by the second path server, where the first forwarding record indicates whether the second AS forwards the first packet;
a verification module, configured to verify the first forwarding record according to a first path deposit certificate stored in a database, where the first path deposit certificate is a path deposit certificate determined by the second path server with respect to the first packet when the first packet passes through the second AS, and the database is a database trusted by each AS;
and the construction module is used for constructing the inter-domain forwarding path of the first message according to the verification result.
19. An inter-domain forwarding path query system, comprising a plurality of path servers and a database, wherein the plurality of path servers correspond to a plurality of different ASs, any one of the plurality of path servers is configured to implement the steps of the method according to any one of claims 1 to 17, the database is configured to store path deposit certificates, and the database is a database trusted by the plurality of ASs.
20. A computer-readable storage medium, characterized in that the storage medium has stored therein a computer program which, when being executed by a processor, carries out the steps of the method according to any one of claims 1-17.
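The record, deposit, query and verify flow described in the embodiment above and in claims 2, 4, 8 and 16, as an added worked example in Python that is not code from the patent or from its assignees. The hash function (SHA-256), the encoding of recording-area fields and of the Merkle branch, the AS numbers (private-use range) and the address blocks (documentation ranges) are all assumptions the patent does not fix.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

def h(data: bytes) -> str:
    """SHA-256 as hex. The patent fixes no hash function; this is an assumption."""
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class RecordingArea:
    """A recording area as in claim 4: start time, address block, the last-hop
    (source area) or next-hop (destination area) AS, and the recorded digests."""
    kind: str                  # "source" or "destination"
    start_time: int            # start recording time, not later than the packet timestamp
    address_block: str         # source or destination IP address block
    neighbor_as: int           # last-hop AS or next-hop AS
    digests: Tuple[str, ...]   # packet digests recorded in this area (whole digests)

    def area_hash(self) -> str:
        """The 'reference area hash value' of claim 2 (field encoding is assumed)."""
        fields = [self.kind, str(self.start_time), self.address_block,
                  str(self.neighbor_as), *self.digests]
        return h("|".join(fields).encode())

def merkle_levels(leaves: List[str]) -> List[List[str]]:
    """Bottom-up Merkle levels over the area hashes; an odd node is paired with itself."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1] + levels[-1][-1:] if len(levels[-1]) % 2 else levels[-1]
        levels.append([h((cur[i] + cur[i + 1]).encode()) for i in range(0, len(cur), 2)])
    return levels

def path_deposit_certificate(areas: List[RecordingArea]) -> str:
    """Claim 16: the Merkle root is what the path server submits to the database."""
    return merkle_levels([a.area_hash() for a in areas])[-1][0]

def proof_chain(areas: List[RecordingArea], index: int) -> List[Tuple[str, str]]:
    """Claim 8: the branch for one area as (side, sibling hash) pairs, root excluded."""
    chain = []
    for level in merkle_levels([a.area_hash() for a in areas])[:-1]:
        if len(level) % 2:
            level = level + level[-1:]
        sib = index ^ 1
        chain.append(("R" if sib > index else "L", level[sib]))
        index //= 2
    return chain

def verify_forwarding_record(area: RecordingArea, chain, stored_cert: str) -> bool:
    """Claim 2: hash the area, fold the chain into a reference root and compare it
    with the certificate held by the trusted database. Any altered field (for
    example a changed neighbor AS) changes the leaf hash and fails the check."""
    ref = area.area_hash()
    for side, sib in chain:
        ref = h((ref + sib).encode()) if side == "R" else h((sib + ref).encode())
    return ref == stored_cert

# Constructed sample: the second path server (AS64500, a private-use number) has
# recorded two packets in three recording areas for one recording period.
PKT1, PKT2 = h(b"constructed packet 1"), h(b"constructed packet 2")
AREAS = [
    RecordingArea("source", 1000, "203.0.113.0/24", 64496, (PKT1, PKT2)),
    RecordingArea("destination", 1000, "198.51.100.0/24", 64497, (PKT1,)),
    RecordingArea("destination", 1000, "192.0.2.0/24", 64498, (PKT2,)),
]
TRUSTED_DB = {("AS64500", 1000): path_deposit_certificate(AREAS)}  # deposited by AS64500

def answer_query(digest: str):
    """Second path server: the forwarding record for a queried packet digest."""
    return [(a, proof_chain(AREAS, i)) for i, a in enumerate(AREAS) if digest in a.digests]

def build_hops(digest: str, record=None) -> dict:
    """First path server: verify each returned area and keep only the neighbor AS
    information of areas whose reference root matches the stored certificate."""
    cert = TRUSTED_DB[("AS64500", 1000)]
    hops = {}
    for area, chain in (record if record is not None else answer_query(digest)):
        if verify_forwarding_record(area, chain, cert):
            hops[area.kind] = area.neighbor_as
    return hops
```

Querying `PKT1` yields the last-hop and next-hop AS of AS64500 for that packet, while a forwarding record whose neighbor AS field was altered after the deposit is rejected and contributes no hop.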
CN202010580898.XA 2020-06-23 2020-06-23 Inter-domain forwarding path query method, device, system and storage medium Pending CN113839863A (en)
Publications (1)

Publication Number Publication Date
CN113839863A true CN113839863A (en) 2021-12-24

Family

ID=78963993

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination