CN114143113B - Safety tracing device and method suitable for IPv6/IPv4 access service - Google Patents

Safety tracing device and method suitable for IPv6/IPv4 access service

Info

Publication number
CN114143113B
Authority
CN
China
Prior art keywords
tracing
ipv6
ipv4
stateless
address
Prior art date
Legal status
Active
Application number
CN202111495152.XA
Other languages
Chinese (zh)
Other versions
CN114143113A (en)
Inventor
王桥倩
韩国梁
包丛笑
李星
Current Assignee
Beijing Indirect Network Technology Co ltd
Original Assignee
Beijing Indirect Network Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Indirect Network Technology Co ltd
Priority to CN202111495152.XA
Publication of CN114143113A
Application granted
Publication of CN114143113B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2542 Translation of Internet protocol [IP] addresses involving dual-stack hosts
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application relates to a security tracing device for IPv6/IPv4 access services, comprising a stateless translation gateway and a tracing device. On top of stateless translation it defines a cryptographically secured real-time tracing method and a historical tracing method, combined into one unified stateless secure tracing device. The device performs real-time IPv4/IPv6 tracing directly through an API carried over an encrypted channel, without searching logs, so its consumption of system resources is very low and system overhead is greatly reduced. Because it is built on network-layer stateless translation it applies to all applications, including encrypted and proprietary ones. It does not modify the content of data packets, is compatible with existing IPv4 firewalls and, according to the application, adds no security risk; encryption hides tracing queries end to end so that a man-in-the-middle cannot intercept or tamper with them, which protects the stability and security of the tracing system.

Description

Safety tracing device and method suitable for IPv6/IPv4 access service
Technical Field
The disclosure relates to the field of communications technology, in particular to a security tracing device and a security tracing method for IPv6/IPv4 access services.
Background
As the internationally recognized core protocol of the next-generation Internet, IPv6 offers ample address space and advanced protocol features. IPv6 is not compatible with IPv4, however, so existing IPv4 services need an additional upgrade technique to interwork with the IPv6 Internet.
One option is dual stack: the IPv4 server and the internal network are converted to IPv4/IPv6 dual stack, so that IPv6 users reach the newly upgraded IPv6 service over an IPv6 link while IPv4 users keep reaching the original IPv4 service over an IPv4 link. According to the IPv6 network security white paper cited in the application (published by a Chinese communications research institute), however, dual stack enlarges the attack surface of every network node and gives an attacker more choices, bringing greater security risk. It also requires every internal service system to be upgraded to serve both IPv4 and IPv6 users, and, because dual-stack clients are widespread, a great deal of extra work to correlate IPv6 and IPv4 users for user management and trace management; the cost is high and the result is hard to manage.
Without dual stack, IPv4/IPv6 translation is needed. Translation techniques divide into application-layer translation and network-layer translation. Application-layer translation terminates the user's IPv6 connection and opens a new IPv4 connection to the back-end IPv4 server, relaying data between the two connections. It has to be adapted to each application type, and if the user's connection uses an encrypted or proprietary protocol it must be tightly coupled to that protocol and must obtain the user's security keys, which carries high security risk. Network-layer translation, by contrast, supports any application-layer protocol, including encrypted and proprietary ones. Network-layer translation in turn divides into stateful and stateless translation.
Stateful translation maps IPv6 addresses to IPv4 addresses dynamically by saving, tracking and looking up the state of every connection. Tracing an IPv4 address back to its original IPv6 address therefore requires per-connection log records to be stored and searched. This produces a very large volume of logs, consumes substantial system resources, makes real-time tracing difficult, and is prone to errors and data loss under faults or attacks. To obtain real-time tracing, patent CN110351396A proposes a method of processing IPv4/IPv6 data transmission in which the source IPv6 address is carried in the option field of the IPv4 header of the translated packet. Adding data to the packet lengthens it, and the lengthened packet may exceed the MTU and fail to be transmitted. Moreover, because the IPv6 address is stored in plaintext and is not authenticated, the option can be forged or tampered with, which introduces new security risks.
Patent CN103856580B, by contrast, discloses a method for an IPv6 client to access an IPv4 server that defines a stateless translation technique: it supports any application-layer protocol, has good security properties, keeps no connection state, and performs translation through pre-configured IPv4/IPv6 address mapping rules, i.e. a static mapping between IPv6 and IPv4 addresses. No technique for security tracing under stateless translation has been devised, however.
In the scenario of an IPv6 client accessing an IPv4 server, none of the current techniques therefore offers a tracing method that is sufficiently secure and reliable, low in cost, and applicable to all applications.
Disclosure of Invention
In view of this, to address the high security risk, high resource cost and difficult application adaptation of existing IPv4/IPv6 tracing methods, the invention discloses a cryptographically secured real-time tracing method and a historical tracing method built on stateless translation, combined into a unified stateless secure tracing device. The device performs real-time IPv4/IPv6 tracing directly through an API over an encrypted channel, without searching logs, so its resource consumption is very low and system overhead is greatly reduced; because it rests on network-layer stateless translation it applies to all applications, including encrypted and proprietary ones; and because it does not modify packet content it is compatible with existing IPv4 firewalls and, according to the application, adds no security risk. Encryption hides tracing queries end to end so that a man-in-the-middle cannot intercept or tamper with them, protecting the stability and security of the tracing system.
According to a first aspect of the present disclosure, a security tracing device for IPv6/IPv4 access services is provided, comprising a stateless translation gateway and a tracing device that are communicatively connected, wherein
the stateless translation gateway is configured with an IPv6/IPv4 stateless flexible mapping table and maps received IPv6/IPv4 addresses statelessly according to that table, producing IPv6/IPv4 address mapping records; and
the tracing device sends tracing requests to the stateless translation gateway and obtains the IPv6/IPv4 address mapping records in response, thereby realizing real-time tracing and historical tracing.
In one possible implementation, the tracing device comprises a cryptographically secured real-time tracing facility and a cryptographically secured historical tracing facility, wherein
the real-time tracing facility queries the IPv6/IPv4 stateless flexible mapping table through the stateless translation algorithm and uses the data obtained for traffic statistics, IP-address-based user profiling and real-time monitoring;
the historical tracing facility queries the IPv6/IPv4 stateless flexible mapping table through the stateless translation algorithm and uses the data obtained for user tracking and behaviour analysis;
and the real-time tracing facility and the historical tracing facility are each connected to the stateless translation gateway.
In one possible implementation, the tracing device exposes a cryptographically secured tracing interface through which a user obtains real-time tracing data from the real-time tracing facility and/or historical tracing data from the historical tracing facility via the stateless translation gateway.
In one possible implementation, the tracing interface comprises:
at least one cryptographically secured local query tracing interface, through which an administrator who has been authenticated and authorized queries tracing information on the stateless translation gateway using a restricted set of request parameters;
at least one cryptographically secured remote query tracing interface, which connects an external service or query system to the stateless translation gateway over HTTPS/TLS or SSH so that it can perform tracing queries; and
at least one cryptographically secured management tracing interface, which performs real-time tracing and historical tracing over the standard SNMP protocol.
In one possible implementation, a tracing MIB holding the tracing resources is configured on the stateless translation gateway. It comprises a real-time tracing MIB and a historical tracing MIB, each exposing an OID tracing interface that invokes the management tracing interface of the real-time tracing facility or of the historical tracing facility respectively.
In one possible implementation, the stateless translation gateway is further configured with a pre-judging component and a logging module, wherein
the pre-judging component receives a tracing request, determines from it the target facility and the interface type, and dispatches the request to the matching tracing interface; and
the logging module records a strong log record, formed from the access record and the query record associated with the tracing request, on a local or independent log server.
According to a second aspect of the present disclosure, a method for implementing the above security tracing device for IPv6/IPv4 access services is provided, comprising the following steps:
S100: install and configure the stateless translation gateway, and run service traffic through it normally;
S200: install the real-time tracing facility and the historical tracing facility on the stateless translation gateway, and configure at least one local query tracing interface, one remote query tracing interface and one management tracing interface;
S300: send an encrypted tracing request; the pre-judging component determines the target facility and interface type from the request and dispatches it to the matching tracing interface, which verifies the user's authority over the encrypted request. If the request is legitimate it is decrypted, and the source address and/or other parameters are generated from the input parameters by the stateless mapping algorithm, completing the trace; if it is not legitimate, access is refused;
S400: the logging module records the strong log record, formed from the access record and the query record associated with the tracing request, on a local or independent log server.
According to a third aspect of the present disclosure, a tracing method for local query based on the above security tracing device for IPv6/IPv4 access services is provided, comprising the following steps:
S111: an administrative user logs in to the stateless translation gateway and undergoes authority verification and authentication;
S121: the user enters a tracing request containing tracing parameters;
S131: the local query tracing interface checks whether the tracing parameters match its restricted format; if so, it performs a real-time query against the IPv6/IPv4 stateless flexible mapping table and returns structured output data; otherwise the tracing request is discarded;
S141: the output data is obtained and returned to the user.
According to a fourth aspect of the present disclosure, a tracing method for remote query based on the above security tracing device for IPv6/IPv4 access services is provided, comprising the following steps:
S211: a remote user logs in to the stateless translation gateway and undergoes authority verification and authentication;
S221: the user enters a tracing request containing tracing parameters;
S231: the remote query tracing interface checks whether the remote user's IPv4/IPv6 address lies within the preset allowed range; if so, it decrypts the tracing request and checks whether the tracing parameters match its restricted format; otherwise the tracing request is discarded;
S241: if the tracing parameters match the restricted format of the remote query tracing interface, the interface performs a real-time query against the IPv6/IPv4 stateless flexible mapping table and returns structured output data; otherwise the tracing request is discarded;
S251: the output data is obtained and returned to the remote user.
According to a fifth aspect of the present disclosure, a tracing method for management of the security tracing device for IPv6/IPv4 access services is provided, comprising the following steps:
S311: install the tracing MIB on the stateless translation gateway and on the network management system, and configure the SNMP parameters and SNMP mode (for this interface to be cryptographically secured, the mode has to be SNMPv3 with authentication and privacy; SNMPv1 and SNMPv2c send community strings in plaintext);
S321: a network management user logs in to the stateless translation gateway and undergoes authority verification and authentication;
S331: the user enters a tracing request containing tracing parameters;
S341: the management tracing interface checks whether the network management user's IPv4/IPv6 address lies within the preset allowed range; if so, it decrypts the tracing request and checks whether the tracing parameters match its restricted format; otherwise the tracing request is discarded;
S351: if the tracing parameters match the restricted format of the management tracing interface, the interface performs a real-time query against the IPv6/IPv4 stateless flexible mapping table and returns structured output data; otherwise the tracing request is discarded;
S361: the output data is obtained and returned to the network management user.
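The request handling of steps S300/S400 and of the remote query procedure (S211 to S251) as an added Python example; this is not the patent's code. It assumes that HTTPS/TLS or SSH is terminated in front of the handler, so the request arrives already decrypted; that the stateless algorithm is represented by a fixed-type mapping (one IPv6 address per IPv4 server address); that the "strong" log record, whose construction the patent does not describe, is made tamper-evident by hash-chaining each entry to the previous one; and that every name, JSON field and address below is made up. The requester allowlist, the restricted parameter format (exactly one parameter, which must parse as an address literal) and the outcome labels mirror the discard branches in the text.

```python
"""Remote tracing query interface (S300/S400 and S211-S251): requester
allowlist, restricted parameter format, real-time query through the
stateless mapping, structured output, and a strong log record built from the
access record plus the query record. Added example, not the patent's code.
ASSUMPTIONS: HTTPS/TLS or SSH is terminated in front of this function, so the
request arrives decrypted; the stateless algorithm is a fixed-type mapping;
the log is hash-chained (the patent does not say how the log is made
'strong'); every name, field and address here is made up."""
import hashlib
import ipaddress
import json
import time
from typing import Dict, List

# Constructed configuration.
ALLOWED_QUERIERS = [ipaddress.ip_network(n) for n in ("2001:db8:ff::/64", "192.0.2.0/24")]
FIXED_MAP = {"2001:db8:1::10": "203.0.113.10", "2001:db8:1::11": "203.0.113.11"}
REVERSE_MAP = {v4: v6 for v6, v4 in FIXED_MAP.items()}
ALLOWED_PARAMS = {"address"}   # restricted format: exactly this one parameter
LOG: List[Dict] = []           # stands in for the local / independent log server

def _parse(text: str):
    """Canonical address object or None. Comparing strings instead would let
    '2001:0db8:1:0::10' and '2001:db8:1::10' look like different hosts."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _digest(prev: str, body: Dict) -> str:
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def append_log(body: Dict) -> None:
    """S400: every request, accepted or not, becomes one chained entry."""
    prev = LOG[-1]["digest"] if LOG else "0" * 64
    LOG.append({**body, "prev": prev, "digest": _digest(prev, body)})

def verify_log() -> bool:
    """Recompute the chain; an edited, reordered or removed entry breaks it."""
    prev = "0" * 64
    for entry in LOG:
        body = {k: v for k, v in entry.items() if k not in ("prev", "digest")}
        if entry["prev"] != prev or entry["digest"] != _digest(prev, body):
            return False
        prev = entry["digest"]
    return True

def handle_trace_request(requester: str, authenticated: bool,
                         params: Dict[str, str]) -> Dict:
    """Structured output; 'discarded' mirrors the patent's discard branches."""
    access = {"ts": time.time(), "requester": requester, "authenticated": authenticated}

    def finish(status: str, **query) -> Dict:
        append_log({"access": {**access, "status": status},
                    "query": {"params": params, **query}})
        return {"status": status, **query}

    if not authenticated:                          # S211: authority check
        return finish("denied")
    src = _parse(requester)                        # S231: within allowed range?
    if src is None or not any(src in net for net in ALLOWED_QUERIERS):
        return finish("discarded")
    if set(params) != ALLOWED_PARAMS:              # S231/S241: restricted format
        return finish("discarded")
    addr = _parse(params["address"])
    if addr is None:                               # not an address literal
        return finish("discarded")
    # S241: real-time query through the stateless mapping, no log search
    table = FIXED_MAP if addr.version == 6 else REVERSE_MAP
    mapped = table.get(str(addr))
    if mapped is None:
        return finish("not_found", input=str(addr))
    return finish("ok", input=str(addr), mapped=mapped)
```

Parsing the input into an address object before the lookup is what makes the restricted format enforceable: an alternative spelling of the same IPv6 address, or anything that is not an address at all, is either canonicalized or discarded, and the discard itself is logged with the requester's address.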
Technical effects of this application:
The invention provides the stateless translation gateway, which is configured with an IPv6/IPv4 stateless flexible mapping table and maps received IPv6/IPv4 addresses statelessly according to that table to produce IPv6/IPv4 address mapping records, and the tracing device, which sends tracing requests to the gateway and obtains the mapping records to realize historical and real-time tracing. On this stateless foundation it defines a cryptographically secured real-time tracing method and a historical tracing method, unified in one stateless secure tracing device. Real-time IPv4/IPv6 tracing runs directly through an API over an encrypted channel, without searching logs, so resource consumption is very low and system overhead is greatly reduced; because translation is stateless and at the network layer, the device applies to all applications, including encrypted and proprietary ones; because packet content is not modified, it is compatible with existing IPv4 firewalls and, according to the application, adds no security risk; and encryption hides tracing queries end to end so that a man-in-the-middle cannot intercept or tamper with them, protecting the stability and security of the tracing system.
Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features and aspects of the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic diagram of the composition of the security tracing device for IPv6/IPv4 access services according to the invention;
Fig. 2 is a schematic flow chart of the implementation of Embodiment 2 of the invention.
Detailed Description
Various exemplary embodiments, features and aspects of the disclosure will be described in detail below with reference to the drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. Although various aspects of the embodiments are illustrated in the accompanying drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used herein to mean "serving as an example, embodiment, or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
In addition, numerous specific details are set forth in the following detailed description in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements, and circuits well known to those skilled in the art have not been described in detail in order not to obscure the present disclosure.
Example 1
The invention discloses a cryptographically secured real-time tracing method and a historical tracing method built on stateless translation, combined into a unified stateless secure tracing device. The device performs real-time IPv4/IPv6 tracing directly through an API over an encrypted channel without searching logs, consuming very few system resources and greatly reducing system overhead; because it rests on network-layer stateless translation it applies to all applications, including encrypted and proprietary ones; it does not modify packet content, so it is compatible with existing IPv4 firewalls and, according to the application, adds no security risk; and encryption hides tracing queries end to end so that a man-in-the-middle cannot intercept or tamper with them, protecting the stability and security of the tracing system.
As shown in Fig. 1, according to the first aspect of the present disclosure, a security tracing device for IPv6/IPv4 access services comprises a stateless translation gateway and a tracing device that are communicatively connected, wherein
1) the stateless translation gateway is configured with an IPv6/IPv4 stateless flexible mapping table and maps received IPv6/IPv4 addresses statelessly according to that table, producing IPv6/IPv4 address mapping records.
In this embodiment, a fully constructed IPv6/IPv4 stateless flexible mapping table is first configured on the stateless translation gateway; the table is built according to a preset mapping rule designed by the user. The invention does not restrict the implementation of the gateway's configuration interface, the deployment location of the gateway equipment, or similar details.
The IPv6/IPv4 stateless flexible mapping table expresses the static IPv6/IPv4 mapping of the destination address, i.e. the static relationship between the real IPv4 server address and the virtual IPv6 address published for it.
One way to construct the table is as follows. Each row is one IPv6/IPv4 mapping rule. A rule may be one-to-one (one IPv6 address corresponds to one IPv4 address) or aggregated many-to-many (the IPv6 addresses within an IPv6 prefix A map one-to-one onto the IPv4 addresses within an IPv4 prefix B). The table may hold many rules, and different rules may have overlapping IPv6 and/or IPv4 address ranges; where ranges overlap, the best rule is selected by longest prefix match.
Each mapping rule in the IPv6/IPv4 stateless flexible mapping table has five fields:
1) Mapping rule type: fixed mapping or address-embedding mapping. In a fixed mapping a single IPv6 address corresponds to a single IPv4 address; an address-embedding mapping uses the IPv4-embedded IPv6 address format of RFC 6052 (which defines the embedding only for prefix lengths 32, 40, 48, 56, 64 and 96, with bits 64 to 71 reserved and set to zero).
2) IPv6 prefix: the IPv6 part of the rule, either an IPv6 prefix or a single IPv6 address (a prefix of length 128).
3) IPv6 prefix length: the length of the IPv6 prefix above.
4) IPv4 prefix: the IPv4 part of the rule, either an IPv4 prefix or a single IPv4 address (a prefix of length 32).
5) IPv4 prefix length: the length of the IPv4 prefix above.
No two rules in the table may be identical in all five fields; if such a rule is entered, the system raises an alarm and the rule is not configured.
If the IPv4 prefix of a newly configured rule conflicts with an existing rule, a second IPv6/IPv4 stateless flexible mapping table E1 is created on the translation gateway. The two tables are distinguished by their source IPv4 address ranges, and packets returned by the IPv4 server are steered to the correct table by routing on the destination address.
If several IPv4 prefixes correspond to the same IPv6 prefix, the rules can be aggregated. When mapping from IPv6 to IPv4 after aggregation, the lookup by IPv6 address finds several rules; the IPv6 prefix is stripped according to the prefix length of those rules to obtain an IPv4 address, and that IPv4 address is then matched against the rules found to select the final rule.
When an IPv6 client accesses an IPv4 server, the server can be published to the IPv6 Internet under a freely chosen virtual IPv6 address; the static mapping between that virtual IPv6 address and the server's real IPv4 address is inserted into the gateway's IPv6/IPv4 stateless flexible mapping table.
The table described here covers only the IPv6/IPv4 mapping of the server's real IPv4 address; the mapping algorithm in the other direction is not restricted, and neither are the upper-layer interface and procedure used to add entries to the table.
The table is traversed and a DNS AAAA record is configured for every server-side IPv4 address in it. An IPv6 client obtains the AAAA record from the DNS server and sends an IPv6 packet to the published address. The stateless translation gateway receives the packet and maps its IPv6 destination address and IPv6 source address through the IPv6/IPv4 stateless flexible mapping table. In detail: on receiving a first-type IPv6 packet, the gateway first maps the IPv6 source address to an IPv4 source address, then looks up the rule matching the IPv6 destination address in stateless flexible mapping table E by longest prefix match; if a rule is found it computes the destination address of the first-type IPv4 packet and sends that packet, otherwise it discards the IPv6 packet. The IPv4 server processes the first-type IPv4 packet and returns a second-type IPv4 packet to the gateway.
On receiving the second-type IPv4 packet, the gateway first maps the IPv4 destination address to an IPv6 destination address, then looks up the rule matching the IPv4 source address (the IPv4 server address) in table E by longest prefix match; if a rule is found it computes the source IPv6 address of the second-type IPv6 packet and sends that packet, otherwise it discards the IPv4 packet.
In short, a packet from the IPv6 client passes through the stateless translation gateway, which maps its IPv6 addresses to IPv4 addresses, keeps the mapping record for the source IPv6 address, and forwards the resulting IPv4 packet to the IPv4 server. The server processes it and sends its reply as an IPv4 packet; the gateway receives that packet, consults address mapping record F, builds the IPv6 packet and delivers it to the IPv6 client.
According to the configured IPv6/IPv4 stateless flexible mapping table, the table is traversed and a DNS AAAA record is configured for each server-side IPv4 address in it, as follows:
If the mapping rule type is the fixed mapping type, the IPv6 address in the mapping rule is used as the IPv6 address of the DNS AAAA record, and the AAAA record is configured on the DNS server to publish that IPv6 address;
If the mapping rule type is the address embedding mapping type, the IPv4 address is embedded into the IPv6 prefix of the mapping rule according to the RFC 6052 address mapping rule, the resulting IPv6 address is used as the IPv6 address of the DNS AAAA record, and the AAAA record is configured on the DNS server to publish it.
An IPv6 client in the IPv6 Internet requests the AAAA record of an IPv4 server from a DNS server, the DNS server returns the AAAA record of the IPv4 server to the IPv6 client, and the IPv6 client sends a first-type IPv6 packet. The stateless translation gateway receives the first-type IPv6 packet, first obtains the IPv4 source address by mapping the IPv6 source address, then searches the stateless flexible mapping table E for the first mapping rule corresponding to the IPv6 destination address according to the first longest prefix matching principle; if a corresponding first mapping rule is found, it calculates the destination address of the first-type IPv4 packet and sends that packet; if no corresponding first mapping rule is found, the packet is discarded.
The first longest prefix matching principle proceeds as follows:
The IPv6/IPv4 stateless flexible mapping table is searched, the IPv6 destination address of the first-type IPv6 packet is matched against it, and all matching mapping rules are found. Whether a rule matches is judged as follows:
1) If the IPv6 destination address does not match the IPv6 prefix of the current mapping rule, the rule is marked as not matched;
if the IPv6 destination address matches the IPv6 prefix of the current mapping rule, the type of the mapping rule is examined;
2) if it is a fixed mapping, the rule is directly judged as matched; if it is an address embedding mapping, the IPv4 address is extracted from the IPv6 destination address and it is checked whether that IPv4 address matches one of the IPv4 prefixes of the current mapping rule;
3) if one or more IPv4 prefixes match, the matching entry with the longest IPv4 prefix length is taken and the rule is judged as matched; if none matches, the rule is judged as not matched.
The search algorithm may be linear or non-linear; no particular time or space complexity is required.
After the mapping rule search is finished, the best-matching mapping rule is selected according to the 5 fields contained in the mapping rule:
if the search found no matching mapping rule, the first-type IPv6 packet is discarded;
if matching mapping rules exist, the one with the longest IPv6 prefix length is selected among them.
If the above process yields only one mapping rule with the longest IPv6 prefix length, that rule is recorded as the optimal rule.
If there are several mapping rules with the longest IPv6 prefix length, their IPv4 prefix lengths are compared and the mapping rule with the longest IPv4 prefix length is selected. Since it was specified earlier that two mapping rules with exactly the same 5 fields cannot exist at the same time, exactly one mapping rule is found here; it is recorded as the optimal rule.
The IPv4 server receives and processes the first-type IPv4 packet, and generates and sends a second-type IPv4 packet to the translation gateway.
The translation gateway receives the second-type IPv4 packet and first obtains the IPv6 destination address by mapping the IPv4 destination address. It then searches the IPv6/IPv4 stateless flexible mapping table E for the second mapping rule corresponding to the IPv4 source address (namely the IPv4 server address) according to the second longest prefix matching principle; if a corresponding second mapping rule is found, it calculates the source IPv6 address of the second-type IPv6 packet and sends that packet; if no corresponding second mapping rule is found, the packet is discarded.
The second longest prefix matching principle proceeds as follows:
The IPv6/IPv4 stateless flexible mapping table is searched, the IPv4 source address of the second-type IPv4 packet is matched against it, and all matching mapping rules are found. Whether a rule matches is judged as follows:
The corresponding mapping table is found by routing on the destination IPv4 address; if the IPv4 source address does not match the IPv4 prefix of the current mapping rule, the rule is marked as not matched; if the IPv4 source address matches the IPv4 prefix of the current mapping rule, the rule is marked as matched.
The search algorithm may be linear or non-linear; no particular time or space complexity is required.
After the mapping rule search is finished, the best-matching mapping rule is selected: if the search found no matching mapping rule, the second-type IPv4 packet is discarded; if matching mapping rules exist, the one with the longest IPv4 prefix length is selected among them. Two mapping rules in one mapping table cannot carry the same IPv4 prefix, so the IPv4 prefixes of any two rules matching the same address differ in length; the process therefore finds exactly one mapping rule, which is recorded as the optimal rule.
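The two longest prefix matching procedures above, the AAAA publication rule for fixed and RFC 6052 address-embedding entries, and the "discard if no rule matches" behaviour can be put together in one small table implementation. The following Python is an added example and is not the patent's own code: the three-field rule layout (mapping type, one IPv6 prefix, one or more IPv4 prefixes) is an assumption standing in for the patent's five-field rule, the sample table uses documentation prefixes only, and the RFC 6052 embedding is implemented for all six prefix lengths the RFC defines, which is more general than the single embedding case the text describes.

```python
"""Added example, not the patent's own code: an IPv6/IPv4 stateless flexible
mapping table mixing fixed rules with RFC 6052 address-embedding rules, searched
by longest prefix matching in both the IPv6->IPv4 and IPv4->IPv6 directions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network
from typing import List, Optional, Tuple

# Assumed rule layout (the patent's five-field rule is not reproduced here):
# a rule carries its mapping type, one IPv6 prefix and one or more IPv4 prefixes.
@dataclass(frozen=True)
class Rule:
    kind: str                      # "fixed" or "embed"
    v6: IPv6Network                # /128 host for a fixed rule, RFC 6052 prefix otherwise
    v4: Tuple[IPv4Network, ...]    # /32 host for a fixed rule, server ranges otherwise

RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

def rfc6052_embed(prefix, a4) -> IPv6Address:
    """Embed an IPv4 address into an RFC 6052 prefix; bits 64-71 (u octet) stay zero."""
    prefix, a4 = IPv6Network(prefix), IPv4Address(a4)     # accept str or objects
    plen = prefix.prefixlen
    if plen not in RFC6052_LENGTHS:
        raise ValueError("not an RFC 6052 prefix length: /%d" % plen)
    p, a = int(prefix.network_address), int(a4)
    if plen == 96:
        return IPv6Address(p | a)
    hi_bits = 64 - plen                # IPv4 bits that sit before the u octet
    lo_bits = 32 - hi_bits             # IPv4 bits that continue from bit 72
    hi, lo = a >> lo_bits, a & ((1 << lo_bits) - 1)
    return IPv6Address(p | (hi << 64) | (lo << (56 - lo_bits)))

def rfc6052_extract(prefix, a6) -> IPv4Address:
    """Inverse of rfc6052_embed: recover the IPv4 address carried in a6."""
    prefix, a6 = IPv6Network(prefix), IPv6Address(a6)
    plen, v = prefix.prefixlen, int(a6)
    if plen == 96:
        return IPv4Address(v & 0xFFFFFFFF)
    hi_bits = 64 - plen
    lo_bits = 32 - hi_bits
    hi = (v >> 64) & ((1 << hi_bits) - 1)
    lo = (v >> (56 - lo_bits)) & ((1 << lo_bits) - 1)
    return IPv4Address((hi << lo_bits) | lo)

def v6_to_v4(table: List[Rule], dst6) -> Optional[IPv4Address]:
    """First longest prefix match: IPv6 destination of a first-type IPv6 packet
    -> IPv4 destination. None means no rule matched and the packet is discarded."""
    dst6 = IPv6Address(dst6)
    candidates = []                    # (IPv6 prefix length, IPv4 prefix length, IPv4 address)
    for r in table:
        if dst6 not in r.v6:
            continue                   # IPv6 prefix does not match: rule not matched
        if r.kind == "fixed":
            candidates.append((r.v6.prefixlen, r.v4[0].prefixlen, r.v4[0].network_address))
            continue
        a4 = rfc6052_extract(r.v6, dst6)      # embedding rule: pull the IPv4 out ...
        hits = [n for n in r.v4 if a4 in n]   # ... and test it against the rule's IPv4 prefixes
        if hits:
            candidates.append((r.v6.prefixlen, max(n.prefixlen for n in hits), a4))
    if not candidates:
        return None
    # Longest IPv6 prefix wins; equal IPv6 lengths are broken by the longest IPv4 prefix.
    # The table forbids two rules with identical fields, so the maximum is unique.
    return max(candidates, key=lambda c: (c[0], c[1]))[2]

def v4_to_v6(table: List[Rule], src4) -> Optional[IPv6Address]:
    """Second longest prefix match: IPv4 source (the server) of a second-type IPv4
    packet -> IPv6 source. None means no rule matched and the packet is discarded."""
    src4 = IPv4Address(src4)
    best = None                        # (IPv4 prefix length, rule)
    for r in table:
        for n in r.v4:
            if src4 in n and (best is None or n.prefixlen > best[0]):
                best = (n.prefixlen, r)
    if best is None:
        return None
    r = best[1]
    return r.v6.network_address if r.kind == "fixed" else rfc6052_embed(r.v6, src4)

# Constructed sample table using documentation prefixes only. The fixed rule
# publishes 2001:db8:f::1 for a server whose real address 10.0.0.7 stays hidden.
TABLE = [
    Rule("fixed", IPv6Network("2001:db8:f::1/128"), (IPv4Network("10.0.0.7/32"),)),
    Rule("embed", IPv6Network("2001:db8:64::/96"), (IPv4Network("198.51.100.0/24"),)),
    Rule("embed", IPv6Network("2001:db8:122:344::/64"), (IPv4Network("192.0.2.0/24"),)),
    Rule("embed", IPv6Network("2001:db8::/32"), (IPv4Network("203.0.113.0/24"),)),
]

if __name__ == "__main__":
    for dst in ("2001:db8:64::c633:6407", "2001:db8:f::1", "2001:db8:64::c0a8:101"):
        print(dst, "->", v6_to_v4(TABLE, dst))
    for src in ("198.51.100.7", "10.0.0.7", "172.16.0.1"):
        print(src, "->", v4_to_v6(TABLE, src))
```

The AAAA record to publish for a server address is exactly `v4_to_v6(TABLE, server_ipv4)`, so the traversal described for the DNS configuration is a loop over the server addresses calling that function. Note that the 2001:db8::/32 rule contains every address of the other rules, yet it never steals a packet: the IPv4 it extracts from, say, 2001:db8:64::c633:6407 is 0.100.0.0, which lies outside 203.0.113.0/24, so the rule is marked as not matched rather than merely losing on prefix length. The mapping of the client's IPv6 source address to an IPv4 source address, which the text leaves to another direction of the algorithm, is not modelled here.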
The above stateless mapping makes the following possible:
According to the IPv6/IPv4 stateless flexible mapping algorithm, any number of fixed mapping entries between a designated IPv6 address and a designated IPv4 address can be added as required and merged with the IPv6/IPv4 mapping algorithm entries specified by RFC 6052, so that a unified IPv6/IPv4 flexible mapping table based on longest prefix matching is realized, adapted to the various application scenarios and user requirements of IPv6/IPv4 access. A static mapping between a dynamically allocated IPv6 address and the server's IPv4 address can be realized, so that any deployment scenario is supported. The method supports hiding the real IPv4 address of the server from IPv6 users and supports publishing an encrypted IPv6 address for the IPv4 server, achieving a certain degree of security protection. It also supports publishing a fixed IPv6 address: however the IPv4 address of the internal server changes, the externally published IPv6 address always stays the same, which keeps user access to the service stable and can be applied to upgrading cloud-based IPv4 services to IPv6.
2) In order to obtain the correct source IPv6 address and to ensure the role of tracing in security protection and user statistics, the system provides a tracing device that requests the different mapping records from the stateless translation gateway.
The tracing device is used for sending a tracing request to the stateless translation gateway and acquiring the IPv6/IPv4 address mapping record according to the tracing request, so as to realize real-time tracing and historical tracing.
In this embodiment, the tracing device includes two parts: an encrypted secure real-time tracing facility and an encrypted secure historical tracing facility. Each can send a tracing request to the stateless translation gateway and acquire the IPv6/IPv4 address mapping record according to that request, so that historical tracing and real-time tracing are realized.
When a tracing request arrives at the stateless translation gateway, a pre-judging component determines the facility and interface type of the target tracing interface and distributes the request to the corresponding interface. The corresponding interface verifies the user authority of the encrypted tracing request, decrypts it normally if the request is legal, and generates a source address and/or other parameters in a stateless manner from the input parameters and the stateless mapping algorithm, thereby achieving the tracing purpose.
The real-time tracing facility can be used for counting browsing volume, real-time monitoring, user portraits based on IP addresses, and the like; the historical tracing facility can be used for user tracking, behavior analysis, and the like. Both facilities query the stateless mapping algorithm and the stateless mapping table of the stateless translation gateway, so the method is applicable to all applications and low in cost. According to different usage requirements, the real-time tracing facility and the historical tracing facility open several encrypted secure interfaces for users, including but not limited to an encrypted secure local query tracing interface, an encrypted secure remote query tracing interface and an encrypted secure management tracing interface, and strong log records are kept.
As shown in fig. 1, in one possible implementation, optionally, the tracing device includes an encrypted secure real-time tracing facility and an encrypted secure historical tracing facility, where
the real-time tracing facility is used for querying the IPv6/IPv4 stateless flexible mapping table based on the stateless translation algorithm and acquiring data for counting browsing volume, building user portraits based on IP addresses, and real-time monitoring;
the historical tracing facility is used for querying the IPv6/IPv4 stateless flexible mapping table based on the stateless translation algorithm and acquiring data for user tracking and behavior analysis;
and the real-time tracing facility and the historical tracing facility are each connected to the stateless translation gateway.
In this embodiment, the real-time tracing facility and the historical tracing facility may both request tracing data from the stateless translation gateway through a tracing interface, and obtain the mapping record in the stateless translation gateway according to the tracing parameters carried in the tracing request. Different types of tracing management can be performed according to the tracing request and its parameters. The encrypted secure real-time tracing facility and the encrypted secure historical tracing facility are installed on the stateless translation gateway; each facility reads data from the stateless mapping algorithm and the mapping table of the stateless translation gateway and provides an encrypted secure local query tracing interface, an encrypted secure remote query tracing interface and an encrypted secure management tracing interface respectively.
In one possible implementation manner, optionally, the tracing device is provided with an encrypted secure tracing interface through which a user obtains real-time tracing data from the real-time tracing facility and/or historical tracing data from the historical tracing facility on the stateless translation gateway.
Specifically, as shown in fig. 1.
In one possible implementation manner, optionally, the tracing interface includes:
at least one cryptographically secure local query tracing interface, used for querying tracing information on the stateless translation gateway by an administrator, based on identity authentication and authorization and on a limited set of request parameters. The encrypted secure local query tracing interface is used by a system administrator or a device administrator to query the corresponding tracing information directly on the translation device; it may be a command line, a web portal query or any other form, without limitation. The interface relies on strict user identity authentication and authorization: an unregistered or unauthorized user cannot query tracing information, and re-authentication is required after a period of time. At the same time, the interface accepts only a limited set of parameters, so it can fully guarantee the validity, authenticity and credibility of tracing queries.
And, at least one cryptographically secure remote query tracing interface, used for connecting an external service or query system with the stateless translation gateway and performing tracing queries over HTTPS/TLS/SSH encryption. The specific call form used for interfacing with the external service system or query system can be Restful, gRPC, NETCONF or another; the form and format are not limited. The interface uses HTTPS/TLS/SSH for end-to-end encryption, realizing secure and reliable end-to-end transmission at low cost and for all applications; the traffic cannot be intercepted or tampered with by a man-in-the-middle, which greatly protects the stability and security of the tracing system. In application scenarios with high concurrency, the interface can use an asynchronous design to increase the number of concurrent requests it supports as far as possible while still realizing tracing queries.
And, at least one cryptographically secure management tracing interface, used for real-time tracing and historical tracing over the standard SNMP protocol. The encrypted secure management tracing interface is used by service systems such as a network management system or a monitoring system, which perform real-time tracing and historical tracing over standard SNMP. The interface uses end-to-end encrypted SNMP, realizing secure and reliable end-to-end transmission at low cost and for all applications; the traffic cannot be intercepted or tampered with by a man-in-the-middle, which greatly protects the stability and security of the tracing system.
In one possible implementation manner, optionally, a tracing MIB library storing tracing resources is configured on the stateless translation gateway. The tracing MIB library includes a real-time tracing MIB library and a historical tracing MIB library, and both are configured with an OID tracing interface, which is used to call the management tracing interface of the real-time tracing facility or of the historical tracing facility.
A stateless-translation tracing MIB (management information base) library is installed on the stateless translation gateway and on the network management system; it comprises a real-time tracing MIB library and a historical tracing MIB library, and the OIDs of the MIB library are configured for calling the encrypted secure management tracing interfaces of the real-time tracing facility and the historical tracing facility.
In a preferred embodiment, an SNMP agent is first installed on the stateless translation gateway, and an SNMP tracing module is loaded through the SNMP agent; the SNMP tracing module actively reports tracing records to the SNMP management server through SNMP tracing traps.
While the stateless translation gateway is operating, the SNMP agent collects information from the IPv6/IPv4 address mapping record and stores it in the tracing MIB (management information base) library. An administrator or a user can send a request for tracing records to the SNMP agent through the SNMP management server; on receiving the request, the SNMP agent looks up the corresponding result in the tracing MIB library and returns it to the SNMP management server. SNMP is an application layer protocol defined by the Internet Architecture Board (IAB) and is widely used for managing and monitoring network equipment; a tracing module based on the SNMPv1/v2c/v3 protocols provides an interface for access from a unified network management node, which makes remote tracing queries convenient and supports both real-time and historical queries.
In one possible implementation manner, optionally, the stateless translation gateway is further configured with a pre-judging component and a logging module, wherein
the pre-judging component is used for receiving a tracing request, determining the facility and interface type of the target tracing interface according to the tracing request, and distributing the tracing request to the matching tracing interface;
the logging module is used for recording, on a local or independent log server, the strong log record formed by the access record and the query record associated with the tracing request.
When a tracing request arrives at the stateless translation gateway, the pre-judging component determines the facility and interface type of the target tracing interface and distributes the request to the corresponding interface. The corresponding interface verifies the user authority of the encrypted tracing request, decrypts it normally if the request is legal, and generates a source address and/or other parameters in a stateless manner from the input parameters and the stateless mapping algorithm, thereby achieving the tracing purpose. If the request is illegal, access is denied.
Whether the request is legal or illegal, the associated access record and query record form a strong log record, which the logging module records on a local or independent log server; the recording method is not limited.
It should be noted that, by default, the network management system queries the tracing device using SNMP Get. In certain situations the tracing device may instead report to the network management system using SNMP Trap/Inform, but those skilled in the art will appreciate that the present disclosure is not limited thereto. In fact, the user can flexibly set the network mode according to personal preference and/or the practical application scenario, as long as tracing request queries between the tracing device and the stateless translation gateway are realized.
The encrypted secure local query tracing interface can be a command line, a web portal query or another form, without limitation. The user enters parameters into the command line tracing module through the command line: the IPv4 address parameter can be a single IPv4 address or several IPv4 addresses for batch query, and other required parameters such as a time can also be included. The command line tracing module queries the mapping record F according to the input parameters and outputs the result to the command line terminal; the result is the IPv6 address corresponding to the input IPv4 address and can also include a time. The command line tracing module can be placed on the stateless translation gateway device, where an administrator or user enters an IPv4 address on the translation device's command line to look up the user's IPv6 address; the result is easy to read and the IPv6 address can be located quickly when needed.
The call form of the encrypted secure remote query tracing interface can be Restful, gRPC, NETCONF or another; the form and format are not limited. Using a Restful client based on the Restful framework, a user initiates a tracing request to the Restful API tracing module; the request parameter is an IPv4 address or a batch of IPv4 addresses, and parameters such as a time can also be included. The Restful API tracing module queries the IPv6/IPv4 address mapping record according to the input parameters, encapsulates the result and returns it to the requesting client. The standard Restful API tracing interface provides single and batch queries, performs well, is highly flexible, and is easily connected to other tracing systems based on the Restful architecture.
The SNMP version used by the encrypted secure management tracing interface is not limited. An SNMP tracing trap set based on the SNMPv1/v2c/v3 protocols actively reports tracing records to the SNMP management server; the IPv6/IPv4 address mapping records are collected and stored in the tracing MIB library; and the SNMP tracing module serves the tracing record acquisition request that the SNMP management server sends to the SNMP agent, acquiring the tracing record from the tracing MIB library and returning it to the SNMP management server.
The log information formed by the access record and the query record of a tracing query is recorded on a local or independent log server; the recording method is not limited.
Although the above example describes deriving an IPv4 destination address from the address mapping of an IPv6 packet in terms of the IPv6/IPv4 stateless flexible mapping table, those skilled in the art will appreciate that the present disclosure is not limited thereto. In fact, the user can flexibly set the mapping direction according to personal preference and/or the practical application scenario: the IPv6/IPv4 stateless flexible mapping table described above corresponds only to the IPv6/IPv4 mapping algorithm for the real IPv4 address of the server, and the IPv6/IPv4 mapping algorithm for the other direction is not limited. Address access is realized according to the principles for establishing mapping rules and the principles and ideas for implementing address mapping. When IPv6 -> IPv4 mapping is implemented, the mapping direction is the IPv6-to-IPv4 translation of the destination address; when IPv4 -> IPv6 mapping is implemented, the mapping direction is the IPv4-to-IPv6 translation of the source address.
In this way, an encrypted secure real-time tracing method and a historical tracing method are provided on the basis of stateless translation technology, through the stateless translation gateway and the tracing device, forming a unified stateless security tracing device. The device can realize real-time IPv4/IPv6 tracing directly through the encrypted API without consulting logs, consumes very few system resources and greatly reduces system overhead; because it is based on network layer stateless translation technology, it is applicable to all applications, including encrypted and proprietary applications; it does not modify the content of data messages, is compatible with existing IPv4 firewalls and does not add security risk; and it uses encryption to keep tracing queries hidden end to end, so that they cannot be intercepted or tampered with by a man-in-the-middle, which greatly protects the stability and security of the tracing system.
Example 2
Based on the implementation of embodiment 1, this embodiment provides a method for implementing the security tracing device applicable to the IPv6/IPv4 access service described in embodiment 1, as shown in fig. 2.
According to a second aspect of the present disclosure, a method for implementing the above-mentioned security tracing device suitable for IPv6/IPv4 access service is provided, including the following steps:
S100, installing and configuring the stateless translation gateway, and operating service traffic normally through the stateless translation gateway;
S200, installing the real-time tracing facility and the historical tracing facility on the stateless translation gateway, and configuring at least one local query tracing interface, remote query tracing interface and management tracing interface respectively;
S300, sending an encrypted tracing request; the pre-judging component determines the facility and interface type of the target tracing interface according to the tracing request and distributes the request to the matching tracing interface, which verifies the user authority of the encrypted tracing request: if the request is legal, it is decrypted normally and a source address and/or other parameters are generated from the input parameters and the stateless mapping algorithm, thereby realizing tracing; if the request is illegal, access is refused;
S400, recording, through the logging module, the strong log record formed by the access record and the query record associated with the tracing request on a local or independent log server.
When a tracing request arrives at the stateless translation gateway, the pre-judging component determines the facility and interface type of the target tracing interface and distributes the request to the corresponding interface. The corresponding interface verifies the user authority of the encrypted tracing request, decrypts it normally if the request is legal, and generates a source address and/or other parameters in a stateless manner from the input parameters and the stateless mapping algorithm, thereby achieving the tracing purpose. If the request is illegal, access is denied. Whether the request is legal or illegal, the associated access record and query record form a strong log record, which is recorded on a local or independent log server; the recording method is not limited.
It will be apparent to those skilled in the art that the modules or steps of the invention described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, or they may alternatively be implemented in program code executable by computing devices, such that they may be stored in a memory device for execution by the computing devices, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps within them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The technical effects of this application:
The invention discloses an encrypted secure real-time tracing method and historical tracing method based on stateless translation technology, forming a unified stateless security tracing device. The device can realize real-time IPv4/IPv6 tracing directly through the encrypted API without consulting logs, consumes very few system resources and greatly reduces system overhead; because it is based on network layer stateless translation technology, it is applicable to all applications, including encrypted and proprietary applications; it does not modify the content of data messages, is compatible with existing IPv4 firewalls and does not add security risk; and it uses encryption to keep tracing queries hidden end to end, so that they cannot be intercepted or tampered with by a man-in-the-middle, which greatly protects the stability and security of the tracing system.
Example 3
Based on the implementation of embodiment 1, this embodiment provides a local query tracing method using the local query tracing interface.
According to a third aspect of the present disclosure, a tracing method for local query based on the above-mentioned security tracing device suitable for IPv6/IPv4 access service is provided, including the following steps:
S111, a management user logs in to the stateless translation gateway for user authority verification and authentication;
S121, a tracing request containing tracing parameters is entered;
S131, the local query tracing interface checks whether the tracing parameters match its restricted format: if so, it performs a real-time query according to the IPv6/IPv4 stateless flexible mapping table and returns structured output data; otherwise the tracing request is discarded;
S141, the output data is acquired and returned to the user.
The specific implementation steps are as follows:
Step 1: the system administrator logs in to the translation device for user authentication. If authentication succeeds and the user holds the authority to query tracing logs, proceed to step 2; if authentication fails or the authority is absent, the tracing query is refused;
Step 2: the system administrator enters the tracing parameters and starts the query. For a real-time query, one or more source IPv4 addresses are entered; for a historical query, information such as a time range may also need to be entered in addition to the one or more source IPv4 addresses;
Step 3: the cryptographically secure local query tracing interface checks whether the parameters conform to the defined format. If so, continue to step 4; otherwise the request is discarded directly.
Step 4: the cryptographically secure local query tracing interface performs a real-time query according to the stateless translation mapping algorithm and the mapping table, and returns structured output data. The output data may comprise the traced IPv6 address, several IPv4-IPv6 stateless mapping records, or other required tracing results;
Step 5: the structured output data is organized into a user-friendly output form and can be exported.
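The local query procedure of this embodiment (authenticate the administrator, accept only the restricted parameter set, query the mapping record, return structured output) together with the strong log record that the logging module keeps for legal and illegal requests alike can be sketched as one request handler. The following Python is an added example and is not the patent's own code: the mapping record F, the administrator table, the 64-address batch limit and the parameter names `ipv4`, `start` and `end` are all constructed assumptions, and a real gateway would derive the records from its stateless mapping algorithm and table rather than from a fixed list.

```python
"""Added example, not the patent's own code: a cryptographically secure local
query tracing interface in the shape of Example 3, with the strong log record
that the logging module keeps for legal and illegal requests alike."""
import hashlib
import hmac
import ipaddress
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the gateway's address mapping record F:
# (IPv4 source seen by the IPv4 server, real IPv6 source of the client, unix time).
RECORD_F: List[Tuple[str, str, int]] = [
    ("198.51.100.7", "2001:db8:1::a", 1_700_000_000),   # 2023-11-14T22:13:20Z
    ("198.51.100.7", "2001:db8:1::b", 1_700_003_600),   # 2023-11-14T23:13:20Z
    ("198.51.100.8", "2001:db8:2::1", 1_700_001_000),   # 2023-11-14T22:30:00Z
]

_SALT = b"constructed-salt"            # a deployment uses a random per-user salt
def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed administrator table: user -> (password hash, granted permissions).
_ADMINS = {
    "netadmin": (_kdf("constructed-example-password"), {"trace"}),
    "viewer": (_kdf("another-example-password"), set()),
}

ALLOWED_KEYS = {"ipv4", "start", "end"}   # the limited parameter set the interface accepts
MAX_BATCH = 64                            # assumed cap on addresses per batch query
LOG: List[Dict] = []                      # strong log record (local or remote log server)

def _log(user: str, params, status: str, n_results: int = 0) -> None:
    LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                "params": json.dumps(params, sort_keys=True, default=str),
                "status": status, "results": n_results})

def authenticate(user: str, password: str) -> bool:
    """Step 1: identity check plus the permission to query tracing data."""
    entry = _ADMINS.get(user)
    if entry is None:
        _kdf(password)                     # same cost for unknown users
        return False
    return hmac.compare_digest(_kdf(password), entry[0]) and "trace" in entry[1]

def validate_params(params) -> Optional[Dict]:
    """Step 3: reject anything outside the limited set; return normalised params."""
    if not isinstance(params, dict) or not set(params) <= ALLOWED_KEYS or "ipv4" not in params:
        return None
    addrs = params["ipv4"] if isinstance(params["ipv4"], list) else [params["ipv4"]]
    if not 1 <= len(addrs) <= MAX_BATCH:
        return None
    try:
        clean = {"ipv4": [str(ipaddress.IPv4Address(a)) for a in addrs]}
        for key in ("start", "end"):       # optional time range for historical queries
            if key in params:
                clean[key] = int(datetime.fromisoformat(params[key]).timestamp())
    except (ValueError, TypeError):
        return None
    return clean

def query(clean: Dict) -> List[Dict]:
    """Step 4: a real-time query returns the latest mapping per IPv4 address;
    a historical query (time range given) returns every record in the range."""
    start, end = clean.get("start"), clean.get("end")
    out = []
    for a in clean["ipv4"]:
        hits = [r for r in RECORD_F if r[0] == a
                and (start is None or r[2] >= start) and (end is None or r[2] <= end)]
        if start is None and end is None and hits:
            hits = [max(hits, key=lambda r: r[2])]
        out.extend({"ipv4": a, "ipv6": v6, "seen_at": ts} for _, v6, ts in hits)
    return out

def handle_request(user: str, password: str, params) -> Dict:
    """Local query tracing interface: authenticate, validate, query, and log every outcome."""
    if not authenticate(user, password):
        _log(user, params, "denied")
        return {"status": "denied", "results": []}
    clean = validate_params(params)
    if clean is None:
        _log(user, params, "discarded")    # parameters outside the limited set
        return {"status": "discarded", "results": []}
    results = query(clean)
    _log(user, clean, "ok", len(results))
    return {"status": "ok", "results": results}

if __name__ == "__main__":
    print(json.dumps(handle_request("netadmin", "constructed-example-password",
                                    {"ipv4": ["198.51.100.7", "198.51.100.8"]}), indent=2))
```

Every outcome, including refused and discarded requests, lands in `LOG` with the caller and the raw parameters, which is what makes the record useful for auditing who asked about which address. The validation step whitelists parameter names and parses each address with `ipaddress` before anything touches the mapping record, so the interface only ever evaluates the limited parameter set the text calls for.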
Example 4
Based on the implementation of embodiment 1, this embodiment provides a remote query tracing method in combination with a remote query tracing interface.
According to a fourth aspect of the present disclosure, a remote query tracing method based on the above security tracing device suitable for IPv6/IPv4 access service is provided, comprising the following steps:
S211, a remote user logs in to the stateless translation gateway for user authority verification and authentication;
S221, inputting a tracing request containing tracing parameters;
S231, judging, through the remote query tracing interface, whether the IPv4/IPv6 address of the remote user is within a preset allowed range: if yes, decrypting the tracing request and judging whether the tracing parameters match the limited format of the remote query tracing interface; otherwise, discarding the tracing request;
S241, if the tracing parameters match the limited format of the remote query tracing interface, performing a real-time query through the remote query tracing interface according to the IPv6/IPv4 stateless flexible mapping table and returning structured output data; otherwise, discarding the tracing request;
S251, obtaining the output data and returning it to the remote user.
The specific implementation steps are as follows:
Step 1: the external service system or query system authenticates its user to the tracing device. If authentication succeeds and the user holds the authority to query the tracing log, go to step 2; if authentication fails or that authority is absent, the tracing query is refused.
Step 2: the external service system or query system inputs the tracing parameters through the interface and starts the query. For a real-time query, one or more source IPv4 addresses are input; for a history query, information such as a time range may also need to be input in addition to the one or more source IPv4 addresses. The related information is packaged in a message in encrypted form and sent to the stateless translation gateway.
Step 3: the encrypted secure remote query tracing interface judges whether the IPv4/IPv6 address of the querier is within the allowed range. If yes, continue to step 4; otherwise the request is discarded directly.
Step 4: the encrypted secure remote query tracing interface decrypts the request and judges whether the querier's parameters are in the limited format. If yes, continue to step 5; otherwise the request is discarded directly.
Step 5: a real-time query is performed according to the stateless translation mapping algorithm and the mapping table, and structured output data is returned. The output data may comprise the traced IPv6 addresses, a plurality of IPv4-IPv6 stateless mapping records, or other required tracing results. Optionally, the query can be executed asynchronously to further improve query performance.
Step 6: the structured output data is organized into a standard interface output form and sent to the querier in encrypted form.
Example 5
Based on the implementation of embodiment 1, this embodiment provides a management query tracing method in combination with a management tracing interface.
According to a fifth aspect of the present disclosure, a management tracing method based on the above security tracing device suitable for IPv6/IPv4 access service is provided, comprising the following steps:
S311, installing a tracing MIB on the stateless translation gateway and on the network management system, and configuring the SNMP parameters and the SNMP mode;
S321, a network management user logs in to the stateless translation gateway for user authority verification and authentication;
S331, inputting a tracing request containing tracing parameters;
S341, judging, through the management tracing interface, whether the IPv4/IPv6 address of the network management user is within a preset allowed range: if yes, decrypting the tracing request and judging whether the tracing parameters match the limited format of the management tracing interface; otherwise, discarding the tracing request;
S351, if the tracing parameters match the limited format of the management tracing interface, performing a real-time query through the management tracing interface according to the IPv6/IPv4 stateless flexible mapping table and returning structured output data; otherwise, discarding the tracing request;
S361, obtaining the output data and returning it to the network management user.
The specific implementation steps are as follows:
Step 1: configure the SNMP-related parameters, which may include a unique identifier, an authentication user name/password, a network management system whitelist address, and so on. Install the stateless-translation tracing MIB on both the stateless translation gateway and the network management system; it comprises a real-time tracing MIB and a history tracing MIB, and the OIDs of the MIB are configured for calling the encrypted secure management tracing interfaces of the real-time tracing facility and the history tracing facility.
Step 2: configure the SNMP mode. By default the network management system queries the tracing device using SNMP Get. In specific situations the SNMP Trap/Inform mode can also be used, in which the tracing device reports the information to the network management system; the invention is not limited in this respect.
Step 3: the network management system authenticates its user to the tracing device. If authentication succeeds and the user holds the authority to query the tracing log, go to step 4; if authentication fails or that authority is absent, the tracing query is refused.
Step 4: the network management system inputs the tracing parameters through the interface and starts the query. For a real-time query, one or more source IPv4 addresses are input; for a history query, information such as a time range may also need to be input in addition to the one or more source IPv4 addresses. The related information is packaged in an encrypted SNMP message and sent to the stateless translation gateway (SNMPv1 and SNMPv2c provide no confidentiality, so in practice this means SNMPv3 with authentication and privacy enabled, or SNMP carried over a secured transport such as TLS or SSH).
Step 5: the encrypted secure management tracing interface judges whether the IPv4/IPv6 address of the querier is within the allowed range. If yes, continue to step 6; otherwise the request is discarded directly.
Step 6: the encrypted secure management tracing interface decrypts the request and judges whether the querier's SNMP request parameters are in the limited format. If yes, continue to step 7; otherwise the request is discarded directly.
Step 7: a real-time query is performed according to the stateless translation mapping algorithm and the mapping table, and structured output data is returned. The output data may comprise the traced IPv6 addresses, a plurality of IPv4-IPv6 stateless mapping records, or other required tracing results.
Step 8: the structured output data is organized into a standard SNMP interface output form and sent to the querier in encrypted form.
The foregoing description of the embodiments of the present disclosure has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various embodiments described. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or the technical improvement of the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
The application relates to a security tracing device suitable for IPv6/IPv4 access service, comprising a stateless translation gateway and a tracing device. On the basis of stateless translation technology it provides an encrypted secure real-time tracing method and a history tracing method, forming a unified stateless security tracing device. The device performs real-time IPv4/IPv6 tracing directly through the encrypted API, without querying logs, so its consumption of system resources is extremely low and system overhead is greatly reduced; because it is based on network-layer stateless translation, it applies to all applications, including encrypted and proprietary ones; it does not modify the content of data packets, is compatible with existing IPv4 firewalls and adds no security risk; and it uses encryption to keep tracing queries hidden end to end, so they cannot be intercepted or tampered with by a man-in-the-middle, which greatly protects the stability and security of the tracing system.

Claims (10)

1. A security tracing device suitable for IPv6/IPv4 access service, characterized by comprising a stateless translation gateway and a tracing device in communication connection with each other, wherein
the stateless translation gateway is configured with an IPv6/IPv4 stateless flexible mapping table and performs stateless mapping on a received IPv6/IPv4 address based on the IPv6/IPv4 stateless flexible mapping table to obtain an IPv6/IPv4 address mapping record;
(1) the IPv6/IPv4 stateless flexible mapping table is constructed according to a preset mapping rule, in the following manner:
in the IPv6/IPv4 stateless flexible mapping table, each row represents one IPv6/IPv4 mapping rule;
if, when a mapping rule is configured, its IPv4 prefix conflicts with an existing mapping rule, a new IPv6/IPv4 stateless flexible mapping table is created on the translation gateway, the source IPv4 address ranges of the two mapping tables are kept distinct, and packets returned by the IPv4 server are steered to the correct one of the two mapping tables by routing on the destination address;
if a plurality of IPv4 prefixes correspond to the same IPv6 prefix, the mapping rules are aggregated into one mapping rule; after aggregation, in the IPv6-to-IPv4 mapping process, the plurality of mapping rules are looked up according to the IPv6 address, the IPv6 prefix is removed according to the IPv6 prefix length in the found mapping rules to obtain the IPv4 address, and the found mapping rules are then traversed and matched according to that IPv4 address to obtain the final mapping rule;
(2) performing stateless mapping on the received IPv6/IPv4 address based on the IPv6/IPv4 stateless flexible mapping table to obtain an IPv6/IPv4 address mapping record comprises:
traversing the IPv6/IPv4 stateless flexible mapping table and configuring a corresponding DNS AAAA record for each server-side IPv4 address in the mapping table; the IPv6 client requests the DNS AAAA record from the DNS server, forms an IPv6 packet from the returned address and sends it; the stateless translation gateway receives the IPv6 packet and performs a second-stage mapping in the IPv6/IPv4 stateless flexible mapping table on the IPv6 destination address and on the IPv6 source address respectively, obtains the mapped addresses and forwards the packet; specifically, when the stateless translation gateway receives a first-type IPv6 packet, it first obtains the IPv4 source address by mapping the IPv6 source address, then searches the IPv6/IPv4 stateless flexible mapping table for a first mapping rule corresponding to the IPv6 destination address according to the IPv6 destination address and a first longest-prefix-match principle; if the corresponding first mapping rule is found, it computes the destination address of a first-type IPv4 packet and sends the first-type IPv4 packet; if no corresponding first mapping rule is found, the packet is discarded; the IPv4 server receives and processes the first-type IPv4 packet, and generates and sends a second-type IPv4 packet to the stateless translation gateway;
the stateless translation gateway receives the second-type IPv4 packet and first obtains the IPv6 destination address by mapping the IPv4 destination address; it then searches the IPv6/IPv4 stateless flexible mapping table for a second mapping rule corresponding to the IPv4 source address according to the IPv4 source address and a second longest-prefix-match principle; if the corresponding second mapping rule is found, it computes the source IPv6 address of a second-type IPv6 packet and sends the second-type IPv6 packet; if no corresponding second mapping rule is found, the packet is discarded;
in other words, a packet sent by the IPv6 client passes through the stateless translation gateway, which maps the IPv6 addresses to IPv4 addresses, saves the mapping record of the source IPv6 address, obtains an IPv4 packet and sends it to the IPv4 server; the IPv4 server processes the received IPv4 packet and forwards its reply; the stateless translation gateway receives that IPv4 packet, looks up the IPv6/IPv4 address mapping record, obtains an IPv6 packet and sends it to the IPv6 client;
the step of traversing the configured IPv6/IPv4 stateless flexible mapping table and configuring a DNS AAAA record corresponding to each server-side IPv4 address in the mapping table comprises the following steps:
if the mapping rule type is a fixed mapping type, the IPv6 address in the mapping rule is used as the IPv6 address of the DNS AAAA record, and the AAAA record is configured on the DNS server to publish that IPv6 address;
if the mapping rule type is an address-embedding mapping type, the IPv4 address is embedded into the IPv6 prefix of the mapping rule according to the RFC 6052 address mapping rule, the resulting address is used as the IPv6 address of the DNS AAAA record, and the AAAA record is configured on the DNS server to publish it;
the tracing device is configured to send a tracing request to the stateless translation gateway and to obtain the IPv6/IPv4 address mapping record according to the tracing request, so as to realize real-time tracing and history tracing.
2. The security tracing device suitable for IPv6/IPv4 access service according to claim 1, wherein the tracing device comprises an encrypted secure real-time tracing facility and an encrypted secure history tracing facility, wherein
the real-time tracing facility is configured to query the IPv6/IPv4 stateless flexible mapping table based on the stateless translation algorithm, acquire data, count page views, build IP-address-based user profiles and perform real-time monitoring;
the history tracing facility is configured to query the IPv6/IPv4 stateless flexible mapping table based on the stateless translation algorithm and acquire data for user tracking and behaviour analysis;
the real-time tracing facility and the history tracing facility are each connected to the stateless translation gateway.
3. The security tracing device suitable for IPv6/IPv4 access service according to claim 2, wherein the tracing device is provided with an encrypted secure tracing interface, configured for a user to obtain, from the stateless translation gateway, real-time tracing data in the real-time tracing facility and/or history tracing data in the history tracing facility.
4. The security tracing device suitable for IPv6/IPv4 access service according to claim 3, wherein the tracing interface comprises:
at least one encrypted secure local query tracing interface, used by an administrator, after identity authentication and authorization, to query tracing information on the stateless translation gateway with a limited set of request parameters; and
at least one encrypted secure remote query tracing interface, used to interface an external service/query system with the stateless translation gateway and perform tracing queries over an HTTPS/TLS/SSH encrypted channel; and
at least one encrypted secure management tracing interface, used for real-time tracing and history tracing over the standard SNMP protocol.
5. The security tracing device suitable for IPv6/IPv4 access service according to claim 4, wherein a tracing MIB storing tracing resources is configured on the stateless translation gateway; the tracing MIB comprises a real-time tracing MIB and a history tracing MIB, each of which is configured with an OID tracing interface, and the OID tracing interface is used to call the management tracing interface on the real-time tracing facility or the management tracing interface on the history tracing facility.
6. The security tracing device according to claim 5, wherein the stateless translation gateway is further configured with a front-end judging component and a logging module, wherein
the front-end judging component is configured to receive a tracing request, determine from the tracing request the facility and the interface type of the tracing interface, and dispatch the tracing request to the matching tracing interface;
the logging module is configured to record, on a local or an independent log server, a strong log record formed from the access record and the query record associated with the tracing request.
7. A method of implementing a security tracing device suitable for IPv6/IPv4 access service according to any one of claims 4 to 6, comprising the following steps:
S100, installing and configuring the stateless translation gateway, and running service traffic normally through the stateless translation gateway;
S200, installing the real-time tracing facility and the history tracing facility on the stateless translation gateway, and configuring at least one each of the local query tracing interface, the remote query tracing interface and the management tracing interface;
S300, sending an encrypted tracing request; determining, through the front-end judging component, the facility and the interface type of the tracing interface from the tracing request, and dispatching the tracing request to the matching tracing interface; verifying the user authority of the encrypted tracing request through the matching tracing interface: if the request is legitimate, decrypting it normally and generating the source address and/or other parameters from the input parameters and the stateless mapping algorithm, thereby realizing tracing; if the request is illegitimate, refusing access;
S400, recording, through the logging module, a strong log record formed from the access record and the query record associated with the tracing request on a local or an independent log server.
8. A local query tracing method based on the security tracing device suitable for IPv6/IPv4 access service according to any one of claims 4 to 6, comprising the following steps:
S111, a management user logs in to the stateless translation gateway for user authority verification and authentication;
S121, inputting a tracing request containing tracing parameters;
S131, judging, through the local query tracing interface, whether the tracing parameters match the limited format of the local query tracing interface: if yes, performing a real-time query through the local query tracing interface according to the IPv6/IPv4 stateless flexible mapping table and returning structured output data; otherwise, discarding the tracing request;
S141, acquiring the output data and returning it to the user.
9. A remote query tracing method based on the security tracing device suitable for IPv6/IPv4 access service according to any one of claims 4 to 6, comprising the following steps:
S211, a remote user logs in to the stateless translation gateway for user authority verification and authentication;
S221, inputting a tracing request containing tracing parameters;
S231, judging, through the remote query tracing interface, whether the IPv4/IPv6 address of the remote user is within a preset allowed range: if yes, decrypting the tracing request and judging whether the tracing parameters match the limited format of the remote query tracing interface; otherwise, discarding the tracing request;
S241, if the tracing parameters match the limited format of the remote query tracing interface, performing a real-time query through the remote query tracing interface according to the IPv6/IPv4 stateless flexible mapping table and returning structured output data; otherwise, discarding the tracing request;
S251, obtaining the output data and returning it to the remote user.
10. A management tracing method based on the security tracing device suitable for IPv6/IPv4 access service according to any one of claims 4 to 6, comprising the following steps:
S311, installing a tracing MIB on the stateless translation gateway and on the network management system, and configuring the SNMP parameters and the SNMP mode;
S321, a network management user logs in to the stateless translation gateway for user authority verification and authentication;
S331, inputting a tracing request containing tracing parameters;
S341, judging, through the management tracing interface, whether the IPv4/IPv6 address of the network management user is within a preset allowed range: if yes, decrypting the tracing request and judging whether the tracing parameters match the limited format of the management tracing interface; otherwise, discarding the tracing request;
S351, if the tracing parameters match the limited format of the management tracing interface, performing a real-time query through the management tracing interface according to the IPv6/IPv4 stateless flexible mapping table and returning structured output data; otherwise, discarding the tracing request;
S361, obtaining the output data and returning it to the network management user.
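The stateless mapping of claim 1 (RFC 6052 address embedding under a rule's IPv6 prefix, longest-prefix matching, aggregated rules with several IPv4 prefixes under one IPv6 prefix, and AAAA synthesis for fixed versus embedding rules) and the request-handling order shared by the query methods of Examples 3 to 5 (querier address allowlist, then the limited parameter format, then a real-time query against the mapping table) can be exercised end to end in a few dozen lines. The Python below is an added illustration written for this page; it is not code from the patent or from Beijing Indirect Network Technology. The rule kinds 'embed' and 'fixed', the allowlist ranges, the per-request address bound, the request dictionary layout, the sample rules and the placement of TLS/SSH termination in front of the handler are all assumptions of the example, not details the patent specifies.

```python
"""Stateless IPv6/IPv4 flexible mapping with reverse tracing, plus the allowlist-then-
format-check front end shared by the remote and management query interfaces. Added
illustration, not code from the patent or its assignee. Assumed: rule kinds 'embed' (RFC
6052 embedding) and 'fixed' (one /32 to one /128); TLS/SSH is terminated in front of this."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

IPv4, IPv6 = ipaddress.IPv4Address, ipaddress.IPv6Address

@dataclass(frozen=True)
class Rule:
    ipv4_prefix: ipaddress.IPv4Network
    ipv6_prefix: ipaddress.IPv6Network   # RFC 6052 length for 'embed', /128 for 'fixed'
    kind: str                            # 'embed' or 'fixed'

def rfc6052_embed(prefix, v4):
    """RFC 6052 s2.2: IPv4 bits follow the prefix, skipping the reserved 'u' octet (bits 64-71)."""
    plen, p, v = prefix.prefixlen, int(prefix.network_address), int(v4)
    assert plen in (32, 40, 48, 56, 64, 96), "not an RFC 6052 prefix length"
    if plen == 96:
        return IPv6(p | v)                               # nothing to skip: low 32 bits
    before = 64 - plen                                   # IPv4 bits placed before bit 64
    hi, lo = v >> (32 - before), v & ((1 << (32 - before)) - 1)
    return IPv6(p | (hi << 64) | (lo << (24 + before)))

def rfc6052_extract(prefix, v6):                         # inverse of rfc6052_embed
    plen, a = prefix.prefixlen, int(v6)
    if plen == 96:
        return IPv4(a & 0xFFFFFFFF)
    before = 64 - plen
    hi, lo = (a >> 64) & ((1 << before) - 1), (a >> (24 + before)) & ((1 << (32 - before)) - 1)
    return IPv4((hi << (32 - before)) | lo)

class MappingTable:                                      # lookups are longest-prefix matches; no per-flow state
    def __init__(self, rules):
        self.rules = list(rules)

    def v6_to_v4(self, v6):
        """Gateway direction; an aggregated rule keeps several IPv4 prefixes under one IPv6 prefix."""
        cands = [r for r in self.rules if v6 in r.ipv6_prefix]
        if not cands:
            return None                                  # no rule: the packet is dropped
        longest = max(r.ipv6_prefix.prefixlen for r in cands)
        cands = [r for r in cands if r.ipv6_prefix.prefixlen == longest]
        if cands[0].kind == "fixed":
            return cands[0].ipv4_prefix.network_address
        v4 = rfc6052_extract(cands[0].ipv6_prefix, v6)  # strip prefix, then match IPv4 prefixes
        return v4 if any(v4 in r.ipv4_prefix for r in cands) else None

    def v4_to_v6(self, v4):
        """Reverse direction: both the tracing result and the synthesised AAAA address."""
        r = max((r for r in self.rules if v4 in r.ipv4_prefix),
                key=lambda r: r.ipv4_prefix.prefixlen, default=None)
        if r is None:
            return None
        return rfc6052_embed(r.ipv6_prefix, v4) if r.kind == "embed" else r.ipv6_prefix.network_address

QUERIER_ALLOWLIST = (ipaddress.ip_network("2001:db8:ffff::/48"), ipaddress.ip_network("198.51.100.0/24"))
MAX_ADDRESSES = 64                                       # allowlist and bound are assumptions

def parse_trace_params(params):
    """Limited format: bounded list of plain IPv4 strings (no CIDR), optional ISO-8601 start/end."""
    addrs = params.get("ipv4") if isinstance(params, dict) else None
    if (not isinstance(addrs, list) or not 0 < len(addrs) <= MAX_ADDRESSES
            or set(params) - {"ipv4", "start", "end"}):
        return None
    try:
        v4s = [IPv4(a) for a in addrs if isinstance(a, str)]
        window = None
        if "start" in params or "end" in params:
            window = (datetime.fromisoformat(params["start"]), datetime.fromisoformat(params["end"]))
    except (KeyError, TypeError, ValueError):
        return None
    if len(v4s) != len(addrs) or (window and window[0] > window[1]):
        return None
    return v4s, window

def handle_trace_request(table, querier, params):
    """Order as in the patent: querier allowlist, then format check, then mapping."""
    try:
        src = ipaddress.ip_address(querier)
    except ValueError:
        return None
    parsed = parse_trace_params(params) if any(src in n for n in QUERIER_ALLOWLIST) else None
    if parsed is None:
        return None                                      # discarded silently; nothing leaks
    v4s, window = parsed
    pairs = [(v4, table.v4_to_v6(v4)) for v4 in v4s]
    records = [{"ipv4": str(v4), "ipv6": None if v6 is None else str(v6)} for v4, v6 in pairs]
    return {"query": "history" if window else "realtime", "records": records}

SAMPLE_TABLE = MappingTable([                            # constructed sample rules
    Rule(ipaddress.IPv4Network("203.0.113.0/24"), ipaddress.IPv6Network("2001:db8:1::/48"),
         "embed"),
    Rule(ipaddress.IPv4Network("192.0.2.0/24"), ipaddress.IPv6Network("2001:db8:1::/48"), "embed"),
    Rule(ipaddress.IPv4Network("198.18.0.5/32"), ipaddress.IPv6Network("2001:db8:f::5/128"), "fixed"),
])
```

With the sample rules, `handle_trace_request(SAMPLE_TABLE, "198.51.100.7", {"ipv4": ["203.0.113.9"]})` returns a single realtime record mapping 203.0.113.9 to 2001:db8:1:cb00:71:900::, while the same request from 192.0.2.1 (outside the allowlist) or with "203.0.113.0/24" in the list (not a plain address) returns None. Two points the code makes concrete that the claims only state: tracing and AAAA synthesis are the same computation (a longest-prefix match followed by RFC 6052 embedding), which is why the tracing device needs no per-flow log; and the discard-on-mismatch rule means a malformed or out-of-range request yields no error detail, so the interface does not become an oracle for the mapping table.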
CN202111495152.XA 2021-12-09 2021-12-09 Safety tracing device and method suitable for IPv6/IPv4 access service Active CN114143113B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111495152.XA CN114143113B (en) 2021-12-09 2021-12-09 Safety tracing device and method suitable for IPv6/IPv4 access service

Publications (2)

Publication Number Publication Date
CN114143113A CN114143113A (en) 2022-03-04
CN114143113B true CN114143113B (en) 2023-07-28

Family

ID=80385439

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111495152.XA Active CN114143113B (en) 2021-12-09 2021-12-09 Safety tracing device and method suitable for IPv6/IPv4 access service

Country Status (1)

Country Link
CN (1) CN114143113B (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9008093B2 (en) * 2012-03-12 2015-04-14 Comcast Cable Communications, Llc Stateless protocol translation
CN103856581B (en) * 2014-03-26 2017-03-01 清华大学 A kind of translation encapsulation adaptive approach of user side equipment
CN113542452B (en) * 2021-09-15 2021-12-24 北京英迪瑞讯网络科技有限公司 Real-time IPv4-IPv6 tracing method and system based on algorithm mapping
CN113691650B (en) * 2021-10-21 2022-02-25 北京英迪瑞讯网络科技有限公司 IPv4/IPv6 stateless segmented safety mapping method and control system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant