WO2024087688A1 - Packet forwarding method and apparatus, device, storage medium, and computer program - Google Patents


Info

Publication number
WO2024087688A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
domain
bsid
intra
path
Application number
PCT/CN2023/102915
Other languages
French (fr)
Chinese (zh)
Inventor
刘翔
王海光
李铁岩
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2024087688A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing

Definitions

  • The present application relates to the field of communications, and in particular to a packet forwarding method, apparatus, device, storage medium and computer program.
  • Segment Routing (SR) is a source routing technology: the forwarding path is programmed at the head node at the network ingress and carried in the packet, which makes the network programmable.
  • The current SR standards divide a network into multiple SR domains. For an SR domain, nodes outside the domain are assumed to be untrustworthy, so when the head node of an SR domain receives a packet from a node outside the domain it discards the packet. This mechanism means that different SR domains cannot be interconnected.
  • The present application provides a packet forwarding method, apparatus, device, storage medium and computer program that solve the problem that different SR domains cannot be interconnected in the related art.
  • The technical solution is as follows:
  • In a first aspect, a packet forwarding method is provided, comprising: obtaining a first packet, the first packet carrying a first binding segment identifier (BSID) list, the first BSID list being determined based on a first trust level, the first trust level indicating the degree of trustworthiness required of the transmission path of the first packet, and the first BSID list indicating the multiple segment routing (SR) domains used to transmit the first packet; determining a first intra-domain path identifier based on a first BSID in the first BSID list, the first BSID indicating a first SR domain among the multiple SR domains, and the first intra-domain path identifier indicating an SR path along which the first packet is transmitted within the first SR domain; generating a second packet based on the first packet, the second packet carrying the first BSID list and the first intra-domain path identifier; and forwarding the second packet.
  • Since the first BSID list indicates the SR domains used to transmit the packet, the packet can be transmitted across SR domains by means of the first BSID.
  • The first trust level indicates the degree of trustworthiness of the transmission path of the first packet.
  • Because the first BSID list is determined from the first trust level, the trustworthiness requirement on the transmission path is met when the packet is transmitted across SR domains.
  • The head node is the first node of a certain SR path in the first SR domain, and the first SR domain is one of the multiple SR domains.
  • The first SR domain may be the first of the multiple SR domains, or a non-first one. The head node obtains the first packet in different ways in these two cases, which are introduced below.
  • Case 1: the first SR domain is the first of the multiple SR domains.
  • The head node receives a third packet, and the third packet carries a source address, a destination address and the first trust level.
  • The head node determines the first BSID list based on the source address, the destination address and the first trust level, and generates the first packet based on the third packet.
  • The head node may or may not be a border node of the first SR domain.
  • If the head node is a border node, it receives the third packet itself, determines the first BSID list based on the source address, the destination address and the first trust level, and then generates the first packet from the third packet.
  • If the head node is not a border node, the border node of the first SR domain receives the third packet, determines the first BSID list based on the source address, the destination address and the first trust level, generates the first packet from the third packet and transmits it to the head node, so that the head node receives the first packet directly from the border node of the first SR domain.
  • The first trust level may be encapsulated in the first packet. It indicates the degree of trust that the transmission path must have when the first packet is transmitted: only a transmission path whose degree of trust meets the trust level can become the actual transmission path.
  • The head node and the border node determine the first BSID list from the source address, the destination address and the first trust level in the same way; the head node is used as an example below.
  • The head node determines the first BSID list in one of the following two ways.
  • Determination method 1: the head node obtains the first BSID list from a first routing table based on the source address, the destination address and the first trust level. The first routing table stores the correspondence between source address, destination address, trust level and BSID list, so after receiving the third packet the head node looks up the BSID list corresponding to the source address, destination address and first trust level carried in the third packet and uses it as the first BSID list.
  • Determination method 2: the head node sends an inter-domain path computation request to the controller of the first SR domain, the request carrying the source address, the destination address and the first trust level, and receives the first BSID list sent back by the controller.
  • After receiving the inter-domain path computation request, the controller of the first SR domain determines the first BSID list from the source address, destination address and first trust level carried in the request, running a path computation algorithm over the stored full-network topology, the SR Policy of each SR domain, and the BSID and trust level corresponding to each SR Policy, and then sends the first BSID list to the head node.
  • The head node may first query the first routing table and send the inter-domain path computation request to the controller only if it cannot obtain the first BSID list there; it may also send the request directly without querying the first routing table first.
  • Notification method 1: the head node sends a notification message carrying the first BSID, a first candidate path and a trust level.
  • The first candidate path is a candidate path corresponding to a first SR Policy, and the first SR Policy is the SR Policy corresponding to the first BSID.
  • The trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • The same trust level may be set for every candidate path of an SR Policy, that is, the SR Policy as a whole corresponds to one trust level.
  • Different trust levels may also be set for the candidate paths of an SR Policy, that is, one SR Policy corresponds to multiple trust levels.
  • Different trust levels may further be set for the intra-domain path identifiers corresponding to one candidate path, that is, one candidate path corresponds to multiple trust levels.
  • One candidate path corresponds to one notification message, that is, one candidate path and its related information are announced in one notification message.
  • When the trust level is set per candidate path, the trust level carried by the notification message is the trust level of the first candidate path; when it is set per intra-domain path identifier, the notification message carries the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • Multiple candidate paths may also correspond to one notification message, or one SR Policy may correspond to one notification message; this application does not limit this. The description below uses one candidate path per notification message as an example.
  • The notification message may be a Border Gateway Protocol (BGP) UPDATE message. The BGP UPDATE message includes Network Layer Reachability Information (NLRI), the NLRI includes at least one Type-Length-Value (TLV) field, and the at least one TLV field carries the first BSID and the trust level.
  • The attribute information of the SR Policy is carried in the NLRI.
  • The at least one TLV field further carries a validity flag, which indicates that the first BSID is valid both in the first SR domain and in SR domains other than the first SR domain.
  • Notification method 2: the controller of the first SR domain sends the notification message carrying the first BSID, the first candidate path and the trust level, where the trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • Notification method 3: the controller of the first SR domain uploads the first BSID, the first candidate path and the trust level to a blockchain shared by the multiple SR domains, where the trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • The controllers of the other SR domains can then obtain the first BSID, the first candidate path and the trust level of the first SR domain from the blockchain.
  • Likewise, when the controllers of the other SR domains upload the SR Policies, BSIDs and trust levels of their own SR domains to the blockchain, the controller of the first SR domain can obtain them.
  • In this way the BSID and trust level of each SR domain's SR Policies can be announced across the entire network, which ensures that packets can be transmitted across SR domains. Moreover, the validity flag in the notification message makes the BSID of an SR Policy effective in multiple SR domains, so when a packet from one SR domain reaches the border node of another SR domain, the border node does not discard it but parses the BSID and steers the packet into the corresponding transmission path, providing a guarantee for cross-domain transmission of the packet.
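As an added example (not code from the patent or from Huawei), the following Python encodes and parses the three TLVs that the notification message is said to carry (BSID, trust level, validity flag) and shows the decision a border node would take before installing a BSID learned from another SR domain. The page gives no TLV type codes or value layouts, so the codes, the 16-octet BSID value, the one-octet trust level and the one-octet flag are assumptions, as is the local cap on the trust level a domain is willing to believe from a peer. The parser is deliberately strict because a border node that now accepts foreign BSIDs has widened its trust boundary: an update that is truncated, carries duplicate TLVs or lacks the validity flag must not result in a BSID being installed. Whether the UPDATE itself came over an authenticated BGP session is outside this example.

```python
import ipaddress
import struct

# Hypothetical TLV type codes: the page says the NLRI TLVs carry the BSID, the trust
# level and a validity flag but does not give codes or layouts, so these are assumed.
TLV_BSID = 1         # value: 16-octet SRv6 BSID
TLV_TRUST_LEVEL = 2  # value: 1 octet, unsigned
TLV_VALIDITY = 3     # value: 1 octet, 1 = BSID is valid outside its origin SR domain


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Type (2 octets) | Length (2 octets) | Value, network byte order."""
    return struct.pack("!HH", tlv_type, len(value)) + value


def encode_notification(bsid: str, trust_level: int, valid_outside_domain: bool) -> bytes:
    """Build the TLV payload a domain announces for one candidate path."""
    if not 0 <= trust_level <= 255:
        raise ValueError("trust level must fit in one octet")
    return (encode_tlv(TLV_BSID, ipaddress.IPv6Address(bsid).packed)
            + encode_tlv(TLV_TRUST_LEVEL, bytes([trust_level]))
            + encode_tlv(TLV_VALIDITY, bytes([1 if valid_outside_domain else 0])))


def parse_notification(buf: bytes) -> dict:
    """Walk the TLVs strictly: every length is bounds-checked, duplicates are rejected and
    unknown types are skipped, so a malformed UPDATE cannot smuggle in a bogus BSID."""
    seen = {}
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("TLV length exceeds buffer")
        if tlv_type in seen:
            raise ValueError(f"duplicate TLV type {tlv_type}")
        seen[tlv_type] = buf[off:off + length]
        off += length
    out = {}
    if TLV_BSID in seen:
        if len(seen[TLV_BSID]) != 16:
            raise ValueError("BSID TLV must carry a 16-octet address")
        out["bsid"] = str(ipaddress.IPv6Address(seen[TLV_BSID]))
    if TLV_TRUST_LEVEL in seen:
        if len(seen[TLV_TRUST_LEVEL]) != 1:
            raise ValueError("trust level TLV must be one octet")
        out["trust_level"] = seen[TLV_TRUST_LEVEL][0]
    if TLV_VALIDITY in seen:
        if len(seen[TLV_VALIDITY]) != 1:
            raise ValueError("validity TLV must be one octet")
        out["valid_outside_domain"] = seen[TLV_VALIDITY][0] == 1
    return out


def accept_foreign_bsid(parsed: dict, max_trust_level: int) -> bool:
    """Border-node decision for a BSID learned from another SR domain: install it only when
    all three fields are present, the validity flag says the BSID may be used outside its
    origin domain, and the claimed trust level does not exceed what this domain is willing
    to believe of a peer's path (max_trust_level is an assumed local policy knob)."""
    if not all(k in parsed for k in ("bsid", "trust_level", "valid_outside_domain")):
        return False
    if not parsed["valid_outside_domain"]:
        return False
    return parsed["trust_level"] <= max_trust_level
```

An update that parses but lacks the validity flag, or whose flag is 0, leaves the border node in the standard behaviour of not honouring a BSID from outside its domain; only a complete, well-formed announcement changes that.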
  • Case 2: the first SR domain is not the first of the multiple SR domains.
  • In this case the head node receives the first packet directly from the tail node of the previous-hop SR domain of the first SR domain, and the first packet already carries the first BSID list.
  • A BSID uniquely identifies an SR Policy, and an SR Policy may correspond to multiple candidate paths; each candidate path may correspond to multiple intra-domain path identifiers.
  • The trust levels of the multiple candidate paths may be the same or different, and the trust levels of the intra-domain path identifiers corresponding to the same candidate path may be different.
  • The first SR Policy may therefore correspond to one trust level as a whole, or to multiple fine-grained trust levels.
  • The first intra-domain path identifier is determined differently in these two situations, which are introduced below.
  • Situation 1: the first SR Policy as a whole corresponds to one trust level, that is, when the trust level is set per candidate path, all candidate paths of the first SR Policy have the same trust level. In this case the head node determines the first intra-domain path identifier based on the first BSID alone.
  • Situation 2: the first SR Policy corresponds to multiple fine-grained trust levels, that is, when the trust level is set per candidate path, the candidate paths of the first SR Policy have different trust levels, or when the trust level is set per intra-domain path identifier, the intra-domain path identifiers of the same candidate path have different trust levels. In this case the head node determines the first intra-domain path identifier based on both the first BSID and the first trust level, in one of the following three ways.
  • Selection method 1: the head node obtains the first intra-domain path identifier from a second routing table based on the first BSID and the first trust level, the second routing table storing the correspondence between BSID, trust level and intra-domain path identifier.
  • Selection method 2: the head node determines the first SR Policy corresponding to the first BSID and then, based on the first trust level, selects one of the intra-domain path identifiers corresponding to the first SR Policy as the first intra-domain path identifier.
  • The head node can determine the first SR Policy from the first BSID, and the first SR Policy may correspond to one or more candidate paths.
  • If the first SR Policy corresponds to one candidate path, the head node uses that candidate path as the first candidate path and selects an intra-domain path identifier from those corresponding to it as the first intra-domain path identifier.
  • The trust level may be set for the candidate path, or not for the candidate path but for the intra-domain path identifiers corresponding to it. So when the first SR Policy corresponds to multiple candidate paths, either the candidate paths have trust levels and these differ, or the candidate paths have no trust level but each intra-domain path identifier does, with the identifiers of the same candidate path having different trust levels.
  • In the former case, the head node selects the candidate path whose trust level is the first trust level as the first candidate path, and then selects an intra-domain path identifier corresponding to it as the first intra-domain path identifier.
  • In the latter case, the head node selects a candidate path as the first candidate path and then selects, from the intra-domain path identifiers corresponding to it, the one whose trust level is the first trust level. That is, it selects from the SR paths associated with the first candidate path the SR path with the first trust level, and uses that path's identifier as the first intra-domain path identifier.
  • Alternatively, an SR path with a trust level greater than the first trust level may be selected.
  • Selecting the intra-domain path identifier whose trust level equals the first trust level, rather than a higher one, avoids low-trust-level packets occupying high-trust-level transmission paths, makes the best use of the trustworthiness of the transmission paths, and achieves optimal efficiency in packet forwarding.
  • Selection method 3: the head node sends an intra-domain path computation request to the controller of the first SR domain, the request carrying the source address, the destination address and the first trust level, and receives the first intra-domain path identifier sent back by the controller.
  • The head node may first query the second routing table and send the intra-domain path computation request only if it cannot obtain the first intra-domain path identifier there; it may also send the request directly without querying the second routing table first.
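The selection logic above, as an added example that is not the patent's or Huawei's code: an SR Policy with candidate paths whose trust levels are set either per candidate path or per intra-domain path identifier, the exact-match selection the page prefers, the "greater than" alternative, and a head node that consults its second routing table first and falls back to a controller request. The data structures, the rule that the lowest qualifying level wins when a higher level is allowed, and the controller callable (which here takes only the BSID and trust level rather than the full request) are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class IntraDomainPath:
    sid_list: tuple                    # path identifier: the SID list of the SR path
    trust_level: Optional[int] = None  # set when trust is assigned per path identifier


@dataclass(frozen=True)
class CandidatePath:
    name: str
    paths: tuple                       # IntraDomainPath entries
    trust_level: Optional[int] = None  # set when trust is assigned per candidate path


@dataclass(frozen=True)
class SRPolicy:
    bsid: str
    candidates: tuple                  # CandidatePath entries


def _level(cp: CandidatePath, p: IntraDomainPath) -> Optional[int]:
    """Per-path trust level if set, otherwise the candidate path's level."""
    return p.trust_level if p.trust_level is not None else cp.trust_level


def select_intra_domain_path(policy: SRPolicy, required: int, allow_higher: bool = False):
    """Pick the SID list to use inside this domain.
    Coarse case (the whole policy has one trust level): the BSID alone decides and the
    first path is used. Fine-grained case: the path whose trust level equals the required
    level is chosen; with allow_higher=True a higher level is acceptable too, and the
    lowest qualifying level wins so low-trust traffic does not occupy high-trust paths
    (that tie-break is an assumption). Returns None when nothing qualifies."""
    entries = [(_level(cp, p), p.sid_list) for cp in policy.candidates for p in cp.paths]
    if not entries:
        return None
    if len({lvl for lvl, _ in entries}) == 1:
        return entries[0][1]
    matches = [(lvl, sid) for lvl, sid in entries
               if lvl is not None and (lvl == required or (allow_higher and lvl > required))]
    if not matches:
        return None
    return min(matches, key=lambda e: e[0])[1]


class HeadNode:
    """Second routing table (BSID, trust level) -> intra-domain path identifier, filled from
    the local SR Policies and, on a miss, from an intra-domain path computation request
    to the controller (modelled as a callable; the request fields are simplified here)."""

    def __init__(self, policies, controller: Callable[[str, int], Optional[tuple]]):
        self.policies = {pol.bsid: pol for pol in policies}
        self.second_table = {}
        self.controller = controller

    def first_intra_domain_path(self, bsid: str, trust_level: int) -> Optional[tuple]:
        key = (bsid, trust_level)
        if key in self.second_table:
            return self.second_table[key]
        policy = self.policies.get(bsid)
        sid_list = select_intra_domain_path(policy, trust_level) if policy is not None else None
        if sid_list is None:
            sid_list = self.controller(bsid, trust_level)
        if sid_list is not None:
            self.second_table[key] = sid_list
        return sid_list
```

A miss in both the local policies and the controller yields None and caches nothing, so a later announcement for that BSID can still take effect; only positive results are written into the second routing table.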
  • The intra-domain path identifier identifies an SR path within the SR domain. The SR path can be identified by a SID list, or by a BSID list: the SR path can be divided into multiple sub-paths, a BSID assigned to each sub-path, and the BSIDs of the sub-paths combined into a BSID list that identifies the SR path. The first intra-domain path identifier can therefore be a SID list or a BSID list.
  • Since the first intra-domain path identifier is determined not only from the first BSID in the first BSID list but also from the first trust level, the trustworthiness requirement on the transmission path is met within the domain as well as across SR domains, further increasing the trustworthiness of the packet transmission.
  • The head node forwards the second packet to an intermediate node, and the intermediate node forwards it on to the tail node. The intermediate node is an intermediate node of the SR path indicated by the first intra-domain path identifier, and the tail node is the last node of that SR path.
  • After receiving the second packet, the intermediate node updates it and forwards the updated second packet to the next-hop node. That is, the intermediate node obtains the identifier of the next-hop node from the first intra-domain path identifier included in the second extension header, sets the destination address in the second packet header to that identifier, decrements the SL field in the second extension header by 1, and leaves the first extension header and the first packet header unchanged, thereby obtaining the updated second packet, which it then forwards to the next-hop node based on that identifier.
  • The first SR domain may or may not be the last of the multiple SR domains, and the tail node forwards the second packet differently in the two cases, which are introduced below.
  • Case A: the first SR domain is not the last of the multiple SR domains.
  • The tail node generates an eighth packet based on the second packet, the eighth packet carrying the first BSID list. The tail node determines the outbound interface corresponding to a second SR domain based on a second BSID in the first BSID list, the second SR domain being the next-hop SR domain of the first SR domain and the second BSID indicating the second SR domain, and forwards the eighth packet through that outbound interface towards the head node of the second SR domain.
  • Specifically, the tail node pops the second extension header and the second packet header from the second packet, obtains the second BSID from the first BSID list included in the first extension header, sets the destination address in the first packet header to the second BSID, and decrements the SL field in the first extension header by 1, thereby obtaining the eighth packet.
  • Case B: the first SR domain is the last of the multiple SR domains.
  • The tail node pops the first BSID list and the first intra-domain path identifier from the second packet to obtain the third packet, which carries the source address, the destination address and the first trust level, and forwards the third packet.
  • That is, the tail node, acting as egress node, pops the first extension header, the first packet header, the second extension header and the second packet header from the second packet to obtain the third packet, and forwards it according to the destination address carried in the third packet.
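The forwarding steps above (head node, intermediate node, tail node in a non-last domain, tail node in the last domain), as an added model that is not the patent's or Huawei's code. It keeps the page's two header layers, the BSID-list layer ("first packet header" and "first extension header") and the intra-domain layer ("second packet header" and "second extension header"), as fields on one packet object and applies the SL decrement and destination-address rewrite each node performs; the byte order of the two layers on the wire and the trust-level selection of the SID list are not modelled (the SID list per domain is supplied as input). The addresses and payload are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class SRH:
    """Segment list stored in reverse order, as SRv6 does: segments[segments_left] is active."""
    segments: tuple
    segments_left: int

    @classmethod
    def from_path(cls, path_in_order):
        return cls(tuple(reversed(path_in_order)), len(path_in_order) - 1)

    def active(self):
        return self.segments[self.segments_left]

    def advanced(self):
        if self.segments_left == 0:
            raise ValueError("no segments left")
        return SRH(self.segments, self.segments_left - 1)


@dataclass(frozen=True)
class Packet:
    """The page's 'third packet' plus the two header layers added for transport.
    Layer 1 (first packet header + first extension header): da1 = current BSID, srh1 = BSID list.
    Layer 2 (second packet header + second extension header): da2 = current SID, srh2 = SID list."""
    src: str
    dst: str
    trust_level: int
    payload: bytes
    da1: Optional[str] = None
    srh1: Optional[SRH] = None
    da2: Optional[str] = None
    srh2: Optional[SRH] = None


def first_packet(third: Packet, bsid_list) -> Packet:
    """Border/head node of the first SR domain: add the BSID list chosen for the trust level."""
    srh = SRH.from_path(bsid_list)
    return replace(third, da1=srh.active(), srh1=srh)


def head_node(first: Packet, sid_list) -> Packet:
    """Head node of the domain identified by da1 (the active BSID): add the intra-domain path."""
    srh = SRH.from_path(sid_list)
    return replace(first, da2=srh.active(), srh2=srh)


def intermediate_node(second: Packet) -> Packet:
    """Decrement SL in the second extension header and point da2 at the next hop; layer 1 untouched."""
    srh = second.srh2.advanced()
    return replace(second, da2=srh.active(), srh2=srh)


def tail_node(second: Packet):
    """Last node of the intra-domain path. Returns (packet, next_bsid): next_bsid is the BSID of
    the next SR domain (eighth packet: layer 2 popped, layer 1 advanced), or None when this is
    the last domain (third packet: both layers popped, forwarded on the original dst)."""
    if second.srh2 is None or second.srh2.segments_left != 0:
        raise ValueError("tail node reached with segments left in the intra-domain path")
    stripped = replace(second, da2=None, srh2=None)
    if second.srh1.segments_left == 0:
        return replace(stripped, da1=None, srh1=None), None
    srh = second.srh1.advanced()
    return replace(stripped, da1=srh.active(), srh1=srh), srh.active()


def traverse(third: Packet, bsid_list, sid_lists: dict):
    """Drive the packet through every domain; sid_lists maps each BSID to the intra-domain SID
    list its head node picks. Returns the delivered packet and the destination addresses seen."""
    pkt = first_packet(third, bsid_list)
    trace = [pkt.da1]
    while True:
        pkt = head_node(pkt, sid_lists[pkt.da1])
        trace.append(pkt.da2)
        while pkt.srh2.segments_left > 0:
            pkt = intermediate_node(pkt)
            trace.append(pkt.da2)
        pkt, next_bsid = tail_node(pkt)
        if next_bsid is None:
            trace.append(pkt.dst)
            return pkt, trace
        trace.append(next_bsid)
```

The tail node refuses to run on a packet whose intra-domain SL is not yet 0, and the intermediate step refuses to run once it is; those two checks are what keep a node from acting on a header that was meant for another position in the path.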
  • The multiple SR domains can transmit multiple data flows. Different data flows can be forwarded over the same SR path or over different SR paths, and different packets of the same data flow can likewise be forwarded over the same SR path or over different SR paths.
  • For example, the head node obtains a fourth packet carrying the first BSID list, the fourth packet and the first packet belonging to different data flows; the head node determines the first intra-domain path identifier based on the first BSID, generates a fifth packet carrying the first BSID list and the first intra-domain path identifier, and forwards the fifth packet. That is, different data flows are forwarded over the same SR path.
  • Or the head node obtains a sixth packet carrying the first BSID list, the sixth packet and the first packet belonging to the same data flow; the head node determines a second intra-domain path identifier based on the first BSID, the second intra-domain path identifier indicating an SR path for the sixth packet within the first SR domain that differs from the SR path indicated by the first intra-domain path identifier; the head node generates a seventh packet carrying the first BSID list and the second intra-domain path identifier, and forwards the seventh packet. That is, different packets of one data flow are forwarded over different SR paths.
  • In a second aspect, a packet forwarding method is provided, comprising:
  • a head node obtains a first packet, the first packet carrying a first binding segment identifier (BSID) list, the first BSID list being determined based on a first trust level, the first trust level indicating the degree of trustworthiness of the transmission path of the first packet, and the first BSID list indicating the multiple segment routing (SR) domains used to transmit the first packet; the head node determines a first intra-domain path identifier based on a first BSID in the first BSID list, the first BSID indicating a first SR domain among the multiple SR domains, and the first intra-domain path identifier indicating an SR path along which the first packet is transmitted within the first SR domain; the head node generates a second packet based on the first packet, the second packet carrying the first BSID list and the first intra-domain path identifier; the head node forwards the second packet to a tail node via an intermediate node; and the tail node forwards the second packet.
  • When the first SR domain is not the last of the multiple SR domains, the tail node forwarding the second packet includes: the tail node generates an eighth packet based on the second packet, the eighth packet carrying the first BSID list; the tail node determines the outbound interface corresponding to a second SR domain based on a second BSID in the first BSID list, the second SR domain being the next-hop SR domain of the first SR domain and the second BSID indicating the second SR domain; and the tail node forwards the eighth packet through that outbound interface.
  • When the first SR domain is the last of the multiple SR domains, the tail node forwarding the second packet includes: the tail node pops the first BSID list and the first intra-domain path identifier from the second packet to obtain a third packet, the third packet carrying a source address, a destination address and the first trust level; and the tail node forwards the third packet.
  • The method may further include: the controller of the first SR domain sends a notification message carrying the first BSID, a first candidate path and a trust level, the first candidate path being a candidate path corresponding to a first SR Policy, the first SR Policy being the SR Policy corresponding to the first BSID, and the trust level being the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • The notification message may be a BGP UPDATE message; the BGP UPDATE message includes NLRI, the NLRI includes at least one TLV field, and the at least one TLV field carries the first BSID and the trust level.
  • The method may further include: the controller of the first SR domain uploads the first BSID, the first candidate path and the trust level to a blockchain shared by the multiple SR domains, the first candidate path being a candidate path corresponding to the first SR Policy, the first SR Policy being the SR Policy corresponding to the first BSID, and the trust level being the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • In another aspect, a packet forwarding apparatus is provided, which has the function of implementing the packet forwarding method of the first aspect. The apparatus includes at least one module, and the at least one module is used to implement the packet forwarding method of the first aspect.
  • In another aspect, a packet forwarding system is provided, which has the function of implementing the behaviour of the packet forwarding method of the second aspect.
  • In another aspect, a network device is provided, comprising a processor and a memory, the memory storing a computer program for executing the packet forwarding method of the first aspect, and the processor being configured to execute the computer program stored in the memory to implement that method. The network device may further include a communication bus that connects the processor and the memory.
  • In another aspect, a computer-readable storage medium is provided, storing instructions which, when executed on a computer, cause the computer to execute the steps of the packet forwarding method of the first aspect.
  • In another aspect, a computer program product comprising instructions is provided, which, when the instructions are executed on a computer, causes the computer to execute the steps of the packet forwarding method of the first aspect.
  • In another aspect, a computer program is provided, which, when executed on a computer, causes the computer to execute the steps of the packet forwarding method of the first aspect.
  • FIG1 is a schematic diagram of the structure of an SRH extension header provided in an embodiment of the present application.
  • FIG2 is a schematic diagram of an implementation environment provided by an embodiment of the present application.
  • FIG3 is a schematic diagram of the structure of a segment routing strategy provided in an embodiment of the present application.
  • FIG4 is a schematic diagram of the structure of a network device provided in an embodiment of the present application.
  • FIG5 is a schematic diagram of an implementation environment of a core network scenario provided in an embodiment of the present application.
  • FIG6 is a schematic diagram of an implementation environment of an SD-WAN scenario provided in an embodiment of the present application.
  • FIG7 is a schematic diagram of an implementation environment of a cross-AS domain scenario provided in an embodiment of the present application.
  • FIG8 is a flow chart of a message forwarding method provided in an embodiment of the present application.
  • FIG9 is a schematic diagram of a TLV field provided in an embodiment of the present application.
  • FIG10 is a schematic diagram of a TLV field provided in an embodiment of the present application.
  • FIG11 is a schematic diagram of implementing intercommunication between different SR domains through blockchain provided by an embodiment of the present application.
  • FIG12 is a schematic diagram of generating a first message provided in an embodiment of the present application.
  • FIG13 is a schematic diagram of generating a second packet provided in an embodiment of the present application.
  • FIG14 is a schematic diagram of a message forwarding process provided in an embodiment of the present application.
  • FIG15 is a schematic diagram of forwarding different data streams provided in an embodiment of the present application.
  • FIG16 is a schematic diagram of forwarding different messages in the same data stream provided by an embodiment of the present application.
  • FIG17 is a schematic diagram of a message forwarding device provided in an embodiment of the present application.
  • SR technology is a technology that deploys SR paths at the head node of the network entrance to forward messages.
  • SR technology can forward Internet protocol version 6 (IPv6) messages, Internet protocol version 4 (IPv4) messages, multiprotocol label switching (MPLS) messages, etc.
  • SRv6 technology refers to inserting a segment identifier (SID) list into the IPv6 packet; each node on the SRv6 path updates the destination address in the IPv6 packet header according to the SID list, thereby completing the hop-by-hop forwarding of the IPv6 packet.
  • the SID list includes multiple SIDs, which identify the nodes on the SRv6 path. The SID list can be carried in the IPv6 packet in the form of an extension header, that is, an extension header containing the SID list is inserted into the IPv6 packet.
  • the extension header may be a segment routing header (SRH).
  • A possible SRH extension header structure is shown in FIG1. The key fields of the SRH extension header are described here.
  • Next Header: 8 bits, identifies the type of the header following the SRH extension header.
  • Hdr Ext Len (length of the extension header): 8 bits, the length of the SRH excluding the first 8 bytes (the first 8 bytes are of fixed length).
  • Routing Type: 8 bits, value 4, indicates that the current extension header is an SRH.
  • Segments Left (SL): 8 bits, the number of intermediate nodes that should still be visited before reaching the tail node of the SRv6 path.
  • Last Entry: 8 bits, the index of the last element in the SID list.
  • Flags: 8 bits, flags of the message.
  • Tag: 16 bits, identifies messages belonging to the same group.
  • SID list (Segment List[0] ~ Segment List[n]): each entry is 128 bits and takes the form of an IPv6 address; the SID list is encoded starting from the last segment of the SRv6 path.
  • Segment List[0] is used to indicate the last node on the SRv6 path, that is, the tail node; Segment List[1] is used to indicate the second last node on the SRv6 path; Segment List[n-1] is used to indicate the second node on the SRv6 path; Segment List[n] is used to indicate the first node on the SRv6 path, that is, the head node.
  • When forwarding the message, the node modifies the destination address in the IPv6 message header to the SID of the next hop node according to the SID list, and at the same time decrements the SL field in the SRH extension header by 1. That is to say, in SRv6 the destination address in the IPv6 message header only identifies the next hop of the current message; it changes at every hop and is not fixed.
  • the destination address in the IPv6 message header is determined by the SL field and the SID list in the SRH extension header.
  • When the value of the SL field is n, the destination address in the IPv6 message header is the value of Segment List[n].
  • When the value of the SL field is n-1, the destination address in the IPv6 message header is the value of Segment List[n-1].
  • When the value of the SL field is 1, the destination address in the IPv6 message header is the value of Segment List[1].
  • When the value of the SL field is 0, the destination address in the IPv6 packet header is the value of Segment List[0].
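As an added illustration (example code written for this page, not part of the patent or of any vendor implementation), the following Python builds an SRH with the fields listed above and walks the SID list by decrementing SL, showing how the IPv6 destination address moves from Segment List[n] (head node) down to Segment List[0] (tail node). The SID values are constructed; the checks on Hdr Ext Len, Last Entry and SL are the ones a receiving node should apply before trusting the index fields of an SRH it did not build itself.

```python
import struct
import ipaddress

ROUTING_TYPE_SRH = 4  # Routing Type value identifying an SRH, as stated on the page


def encode_srh(next_header, segment_list, segments_left, flags=0, tag=0):
    """Build an SRH: the 8-byte fixed part followed by the SID list.

    segment_list follows the page's order: index 0 is the tail node and the last
    index is the head node. Each entry is an IPv6 address (128 bits).
    """
    if not segment_list or not 0 <= segments_left < len(segment_list):
        raise ValueError("Segments Left must index into a non-empty SID list")
    sids = b"".join(ipaddress.IPv6Address(s).packed for s in segment_list)
    hdr_ext_len = len(sids) // 8        # SRH length in 8-byte units, excluding the fixed 8 bytes
    last_entry = len(segment_list) - 1  # index of the last element of the SID list
    fixed = struct.pack("!BBBBBBH", next_header, hdr_ext_len, ROUTING_TYPE_SRH,
                        segments_left, last_entry, flags, tag)
    return fixed + sids


def decode_srh(raw):
    """Parse the fixed fields and the SID list, validating the length and index fields."""
    if len(raw) < 8:
        raise ValueError("SRH shorter than its fixed 8-byte part")
    nh, hel, rt, sl, le, flags, tag = struct.unpack("!BBBBBBH", raw[:8])
    if rt != ROUTING_TYPE_SRH:
        raise ValueError("not an SRH (Routing Type != 4)")
    body = raw[8:8 + hel * 8]
    if len(body) != hel * 8 or hel * 8 != (le + 1) * 16:
        raise ValueError("Hdr Ext Len disagrees with Last Entry, or the buffer is truncated")
    if sl > le:
        raise ValueError("Segments Left points past the end of the SID list")
    segment_list = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, len(body), 16)]
    return {"next_header": nh, "hdr_ext_len": hel, "segments_left": sl,
            "last_entry": le, "flags": flags, "tag": tag, "segment_list": segment_list}


def current_destination(raw):
    """Destination address of the IPv6 header implied by SL: Segment List[SL]."""
    srh = decode_srh(raw)
    return srh["segment_list"][srh["segments_left"]]


def advance(raw):
    """One forwarding hop: decrement SL by 1 and return (new SRH bytes, new destination)."""
    srh = decode_srh(raw)
    if srh["segments_left"] == 0:
        raise ValueError("already at the tail node; SL cannot go below 0")
    new_raw = raw[:3] + bytes([srh["segments_left"] - 1]) + raw[4:]  # byte 3 is SL
    return new_raw, current_destination(new_raw)


def walk_path(raw):
    """Destination addresses seen at each hop, from the head node's SID down to the tail node's."""
    hops = [current_destination(raw)]
    while decode_srh(raw)["segments_left"] > 0:
        raw, dst = advance(raw)
        hops.append(dst)
    return hops


# Constructed SID list for illustration: ::4 is the tail node, ::1 is the head node.
SEGMENTS = ["2001:db8::4", "2001:db8::3", "2001:db8::2", "2001:db8::1"]

if __name__ == "__main__":
    srh = encode_srh(41, SEGMENTS, segments_left=len(SEGMENTS) - 1)  # 41 = IPv6 as next header
    print(walk_path(srh))
```

Running the block prints the four destinations in head-to-tail order; the example starts with SL = n so that the head node's own SID is the first destination, exactly as the SL table above describes.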
  • IPv4 packets and MPLS packets are forwarded through SR technology in a similar way to the above.
  • When the above packet header is an IPv4 packet header, the Segment List entries in the above SID list take the form of IPv4 addresses.
  • For MPLS packets, the Segment List entries in the above SID list take the form of MPLS labels, and the SID list can also be called an MPLS label stack; SR MPLS forwards MPLS packets by swapping the MPLS labels in the MPLS packets.
  • FIG 2 is a schematic diagram of an implementation environment provided by an embodiment of the present application.
  • the implementation environment includes a first user terminal device 201, a second user terminal device 202 and multiple network devices 203.
  • the first user terminal device 201 and the second user terminal device 202 are devices for processing services on the user side
  • the multiple network devices 203 are devices on the network side of the operator that forward messages according to the SR technology.
  • the first user terminal device 201 and the second user terminal device 202 communicate with each other through some or all of the multiple network devices 203.
  • the first user terminal device 201 can send messages to the second user terminal device 202 through some or all of the multiple network devices 203, and the second user terminal device 202 can also send messages to the first user terminal device 201 through some or all of the multiple network devices 203.
  • the multiple network devices 203 are divided into multiple SR domains, each SR domain corresponds to at least one controller, and different SR domains correspond to different controllers.
  • the network devices 203 in each SR domain are connected in communication with the controller of the SR domain where the network devices 203 are located. For example, each network device in SR domain 1 in FIG. 2 is connected in communication with controller 1 corresponding to SR domain 1, and each network device in SR domain 2 is connected in communication with controller 2 corresponding to SR domain 2.
  • the controller corresponding to the SR domain is used to receive device information reported by each network device 203 in the SR domain to collect network topology information in the SR domain, and generate at least one segment routing policy (SR Policy) based on the network topology information in the SR domain, each segment routing policy corresponds to a head node, and the head node is a network device 203 in the SR domain. Then, a corresponding binding segment identifier (Binding SID, BSID) and a trust level are assigned to each segment routing policy, and the multiple segment routing policies, the BSID corresponding to each segment routing policy, and the trust level are respectively issued to the corresponding head nodes.
  • the multiple network devices 203 can forward the message between the first user terminal device 201 and the second user terminal device 202 according to the BSID, trust level and SID list corresponding to the segment routing policy.
  • the segment routing strategy is globally uniquely identified by <head node identifier, color, tail node identifier>.
  • the head node identifier is used to identify the head node corresponding to the segment routing strategy
  • the tail node identifier is used to identify the tail node corresponding to the segment routing strategy.
  • There may be multiple segment routing strategies between the head node and the tail node, and the color identifies one of them. That is, the color is used to distinguish between the multiple segment routing strategies between the head node and the tail node.
  • the color can also be associated with one or more business demand templates, such as low latency, small jitter, low packet loss rate, etc.
  • the SR path indicated by the segment routing strategy can be determined according to the color.
  • the color in the segment routing strategy can indicate the business demand corresponding to the SR path indicated by the segment routing strategy. For example, if the business demand template associated with the color in the segment routing policy is a low latency template, it means that the delay of forwarding messages through the SR path indicated by the segment routing strategy is relatively low.
  • a segmented routing policy can be associated with multiple candidate paths (Candidate Path), and each candidate path is associated with a preference (Preference).
  • the candidate path with the highest priority is selected as the main path, and the remaining candidate paths are selected as alternative paths.
  • a candidate path can be uniquely identified by <Protocol-origin (native protocol), Originator (generation node), Discriminator>.
  • An explicit candidate path is associated with one or more SID lists.
  • Each SID list can explicitly indicate which nodes the corresponding SR path passes through, which forwarding operations need to be performed, etc.
  • a SID list is associated with a weight value. The weight values associated with multiple SID lists can control the traffic proportion in the multiple SR paths indicated by the multiple SID lists, thereby forming load sharing.
  • A dynamic candidate path does not directly specify nodes, but is associated with an optimization problem (including optimization objectives and constraints). Any path that satisfies the conditions obtained by solving the optimization problem can become an actual SR path.
  • a composite candidate path is a combination of a set of segment routing strategies.
  • the trust level indicates the trustworthiness of the corresponding transmission path.
  • the trustworthiness of the transmission path is divided into the following five levels, namely:
  • Untrusted: the message forwarding service does not involve sensitive or high-value data. Even if attacks such as data theft or data tampering occur, they will not cause losses to users or service providers. Therefore, there is no requirement on the trustworthiness of the transmission path, and messages can be forwarded even over an untrusted transmission path.
  • Minimally trusted: the data involved in the message forwarding service is public and of only low value. If attacks such as data theft or data tampering occur during forwarding, the consequences for users and service providers are ordinary. Therefore, a transmission path with a minimal degree of trust can be used to forward such services.
  • Moderately trusted: the message forwarding service involves confidential and medium-value data. Once attacks such as data theft or data tampering occur, the consequences are serious. Therefore, a moderately trusted transmission path is required to forward such services.
  • numbers 0-4 may be used to identify different trust levels, where 0 indicates untrustworthy, 1 indicates minimally trustworthy, 2 indicates moderately trustworthy, 3 indicates highly trustworthy, and 4 indicates fully trustworthy.
  • the first user terminal device 201 and the second user terminal device 202 may be network devices on the user side, such as user edge routers.
  • the network device 203 may be a network device on the operator side, such as an operator edge router, an operator backbone router, etc.
  • the BSID is used to identify a segment routing strategy and provide functions such as traffic guidance and SR path splicing. If the message carries the BSID of a segment routing strategy, it will be guided to the head node of the segment routing strategy and enter the corresponding SR path.
  • the network device 400 may be the first user terminal device 201, the second user terminal device 202 or the network device 203 shown in FIG. 2.
  • the network device 400 may be a switch, a router or other network device that forwards messages.
  • the network device 400 includes: a main control board 410, an interface board 430 and an interface board 440.
  • a switching network board (not shown in the figure) may also be included; it is used to exchange data between the interface boards (interface boards are also called line cards or service boards).
  • the main control board 410 is used to complete functions such as system management, equipment maintenance, and protocol processing.
  • the interface board 430 and the interface board 440 are used to provide one or more network interfaces 433 or 443, such as Ethernet interface, fast Ethernet (FE) interface or gigabit Ethernet (GE) interface, etc., through which the message forwarding is realized.
  • the main control board 410, the interface board 430 and the interface board 440 are connected to the system backplane through the system bus to realize intercommunication.
  • the interface board 430 includes one or more processors 431.
  • the processor 431 is used to control and manage the interface board and communicate with the central processor 412 on the main control board, and is used for message forwarding processing.
  • the memory 432 on the interface board 430 is used to store forwarding table entries, and the processor 431 forwards the message by searching the forwarding table entries stored in the memory 432.
  • the embodiment of the present application includes multiple interface boards, and a distributed forwarding mechanism is adopted. Under this mechanism, the operation on the interface board 440 is basically similar to the operation of the interface board 430, and for the sake of brevity, it will not be repeated.
  • the processor 431 and/or 441 on the interface board 430 in FIG. 4 can be dedicated hardware or a chip, such as a network processor or an application specific integrated circuit (ASIC), that implements the above functions. This implementation is what is usually referred to as a forwarding plane that uses dedicated hardware or chip processing.
  • the processor 431 and/or 441 can also use a general-purpose processor, such as a general-purpose CPU to implement the functions described above.
  • There may be one or more main control boards; when there are multiple, they may include an active main control board and a standby main control board.
  • There may be one or more interface boards; the stronger the data processing capability of the device, the more interface boards it provides.
  • the multiple interface boards can communicate with each other through one or more switching network boards, and when there are multiple boards, they can jointly realize load sharing and redundant backup.
  • the device may not need a switching network board, and the interface board is responsible for the processing function of the service data of the entire system.
  • the device includes multiple interface boards, and data exchange between multiple interface boards can be realized through the switching network board, providing large-capacity data exchange and processing capabilities. Therefore, the data access and processing capabilities of network devices with distributed architecture are greater than those of devices with centralized architecture. Which architecture to adopt depends on the specific networking deployment scenario, and no limitation is made here.
  • the memory 432 may be a read-only memory (ROM) or other types of static storage devices that can store static information and instructions, a random access memory (RAM) or other types of dynamic storage devices that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compressed optical disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a disk or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
  • the memory 432 may exist independently and be connected to the processor 431 via a communication bus.
  • the memory 432 may also be integrated with the processor 431.
  • the memory 432 is used to store program codes for executing the solution of the present application, and the processor 431 can execute the program codes stored in the memory 432 to control the execution, so as to implement the message forwarding method provided in the embodiment of Figure 8 described below.
  • the program codes stored in the memory 432 may include one or more software modules.
  • the message forwarding method provided in the embodiments of the present application can be applied to a variety of scenarios, and several of the scenarios are introduced below.
  • FIG. 5 is a schematic diagram of an implementation environment of a message forwarding method provided in an embodiment of the present application applied to a core network scenario.
  • the implementation environment includes a user terminal, a base station, a user plane function (UPF) 1, UPF2, and a data network.
  • UPF is an important part of the core network system architecture, and is mainly responsible for the routing and forwarding related functions of user plane data packets in the core network.
  • the confidential transmission of messages can be achieved through the message forwarding method provided in the embodiment of the present application.
  • FIG. 6 is a schematic diagram of an implementation environment of a message forwarding method provided in an embodiment of the present application applied to a Software Defined Wide Area Network (SD-WAN) scenario.
  • the implementation environment includes an enterprise branch site A, an enterprise branch site B, an SD-WAN controller, an SRv6 controller, and multiple network nodes of the Internet.
  • the SD-WAN controller is respectively connected to the enterprise branch site A, the enterprise branch site B, and the SRv6 controller
  • the SRv6 controller is connected to multiple network nodes in the Internet
  • the enterprise branch site A accesses the Internet through the edge node E1 among the multiple network nodes
  • the enterprise branch site B accesses the Internet through the edge node E2 among the multiple network nodes.
  • the enterprise branch site A communicates with the enterprise branch site B
  • the confidential transmission of the message can be achieved through the message forwarding method provided in the embodiment of the present application. That is, the method provided in the embodiment of the present application can support trusted interconnection between different enterprise branch sites.
  • FIG. 7 is a diagram of a message forwarding method provided in an embodiment of the present application applied to a cross-autonomous system (Autonomous system,
  • the implementation environment includes a source end, AS domain 1, AS domain 2, and a destination end.
  • AS domain 1 and AS domain 2 both include multiple network nodes.
  • the message forwarding method provided in the embodiment of the present application can realize confidential transmission of the message. That is, the method provided in the embodiment of the present application can realize end-to-end trusted transmission.
  • FIG8 is a flow chart of a message forwarding method provided in an embodiment of the present application.
  • the method is used to forward messages between multiple SR domains, and one of the SR domains is used as an example for description. Please refer to FIG8 , the method includes the following steps.
  • Step 801: the head node obtains a first message. The first message carries a first BSID list, the first BSID list is determined based on a first trust level, the first trust level indicates the degree of trustworthiness of the transmission path of the first message, and the first BSID list indicates the multiple SR domains used to transmit the first message.
  • the head node is the first node of a certain SR path in the first SR domain, and the first SR domain is one of the multiple SR domains.
  • the first SR domain may be the first SR domain among the multiple SR domains, or may be a non-first SR domain among the multiple SR domains. In different situations, the head node obtains the first message in different ways, which will be introduced below.
  • the first SR domain is the first SR domain among the multiple SR domains.
  • the head node receives the third message, and the third message carries the source address, the destination address, and the first trust level.
  • the head node determines the first BSID list based on the source address, the destination address, and the first trust level, and generates the first message based on the third message.
  • the head node may be a border node of the first SR domain, or may not be a border node of the first SR domain.
  • the head node receives the third message, and determines the first BSID list based on the source address, the destination address and the first trust level, and then generates the first message based on the third message.
  • the border node of the first SR domain receives the third message, and determines the first BSID list based on the source address, the destination address and the first trust level, and then generates the first message based on the third message, and then transmits the first message to the head node, so that the head node can directly receive the first message from the border node of the first SR domain.
  • the first user terminal device can send a message to the second user terminal device, and the second user terminal device can also send a message to the first user terminal device. If the first user terminal device currently needs to send a first message to the second user terminal device, then the source address in the first message is the address of the first user terminal device, and the destination address is the address of the second user terminal device. If the second user terminal device currently needs to send a first message to the first user terminal device, then the source address in the first message is the address of the second user terminal device, and the destination address is the address of the first user terminal device.
  • a first trust level may be encapsulated in the first message, and the first trust level indicates the degree of trust of the transmission path required for the first message when it is transmitted. Only a transmission path whose degree of trust meets the trust level can become a real transmission path.
  • the way in which the head node determines the first BSID list based on the source address, the destination address and the first trust level is the same as the way in which the border node determines the first BSID list based on the source address, the destination address and the first trust level.
  • the head node is used as an example for description.
  • the process in which the head node determines the first BSID list based on the source address, the destination address and the first trust level includes the following two methods, which are described below:
  • the head node obtains the first BSID list from the first routing table based on the source address, the destination address and the first trust level, and the first routing table is used to store the corresponding relationship between the source address, the destination address, the trust level and the BSID list.
  • the first routing table is used to store the correspondence between the source address, destination address, trust level and BSID list
  • After the head node receives the third message, it can obtain the corresponding BSID list from the correspondence between source address, destination address, trust level and BSID list stored in the first routing table, based on the source address, destination address and first trust level carried in the third message, and determine the obtained BSID list as the first BSID list.
  • the first routing table is generated in advance, that is, the head node needs to obtain the entire network topology, the segment routing policy of each SR domain, the BSID and trust level corresponding to each segment routing policy in advance, and then generate the first routing table.
  • the head node sends an inter-domain path calculation request to the controller of the first SR domain, where the inter-domain path calculation request carries a source address, a destination address, and a first trust level; the head node receives a first BSID list sent by the controller of the first SR domain.
  • After the head node sends an inter-domain path calculation request to the controller of the first SR domain, the controller receives the request and, based on the source address, destination address and first trust level it carries, determines the first BSID list using the relevant path calculation algorithm over the stored full-network topology, the segment routing policy of each SR domain, and the BSID and trust level corresponding to each segment routing policy, and then sends the first BSID list to the head node.
  • the head node may first query the first routing table to determine the first BSID list based on the source address, the destination address and the first trust level. If the head node cannot obtain the first BSID list from the first routing table, the head node may send an inter-domain path calculation request to the controller of the first SR domain. Of course, the head node may also directly send an inter-domain path calculation request to the controller of the first SR domain without querying the first routing table first.
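The two lookup methods just described, as an added Python example (not code from the patent or from any vendor): a head node first consults a routing table keyed by (source address, destination address, trust level) and, on a miss, issues an inter-domain path calculation to a controller function. The domain topology, policy BSIDs and prefixes are constructed; the breadth-first search used for the controller's calculation is an assumed stand-in for the "relevant path calculation algorithm" the page does not specify, and caching the controller's answer in the routing table is likewise an assumption of this example.

```python
from collections import deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class SrPolicy:
    domain: str        # SR domain whose controller issued the policy
    next_domain: str   # domain reached through the policy's tail node; None = reaches the destination side
    bsid: str          # BSID identifying the policy (constructed labels, not real SIDs)
    trust_level: int   # 0 untrusted .. 4 fully trusted, as defined on the page


# Constructed view of the inter-domain information a controller holds after notification exchange.
POLICIES = [
    SrPolicy("SR1", "SR2", "bsid:sr1-sr2-basic", 1),
    SrPolicy("SR1", "SR2", "bsid:sr1-sr2-secure", 3),
    SrPolicy("SR2", "SR3", "bsid:sr2-sr3", 3),
    SrPolicy("SR3", None, "bsid:sr3-egress", 4),
]
# Constructed mapping of user-side prefixes to the SR domain that serves them.
PREFIX_DOMAIN = {
    ipaddress.ip_network("2001:db8:1::/48"): "SR1",
    ipaddress.ip_network("2001:db8:3::/48"): "SR3",
}


def locate_domain(addr):
    a = ipaddress.ip_address(addr)
    for net, dom in PREFIX_DOMAIN.items():
        if a in net:
            return dom
    return None


def compute_bsid_list(src, dst, trust_level, policies=POLICIES):
    """Controller-side inter-domain path calculation (an assumed algorithm, not the patent's):
    breadth-first search over domains using only policies whose trust level is at least the requested one."""
    start, goal = locate_domain(src), locate_domain(dst)
    if start is None or goal is None:
        return None
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        dom, bsids = queue.popleft()
        for p in policies:
            if p.domain != dom or p.trust_level < trust_level:
                continue                      # policy too weak for the requested trust level
            if p.next_domain is None:
                if dom == goal:
                    return bsids + [p.bsid]   # last domain: its policy delivers to the destination side
                continue
            if p.next_domain not in seen:
                seen.add(p.next_domain)
                queue.append((p.next_domain, bsids + [p.bsid]))
    return None                               # no chain of sufficiently trusted domains exists


class HeadNode:
    """Head node of the first SR domain: query the first routing table, then ask the controller."""

    def __init__(self, controller_compute):
        self.first_routing_table = {}      # (source, destination, trust level) -> BSID list
        self.controller_compute = controller_compute
        self.requests_sent = 0

    def first_bsid_list(self, src, dst, trust_level):
        key = (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), trust_level)
        hit = self.first_routing_table.get(key)
        if hit is not None:
            return hit
        self.requests_sent += 1            # inter-domain path calculation request to the domain controller
        result = self.controller_compute(src, dst, trust_level)
        if result is not None:
            self.first_routing_table[key] = result   # assumption: the answer is cached locally
        return result


if __name__ == "__main__":
    node = HeadNode(compute_bsid_list)
    print(node.first_bsid_list("2001:db8:1::10", "2001:db8:3::20", 3))
```

A request for trust level 4 returns no BSID list in this topology because no policy out of SR1 reaches that level; the head node then has no transmission path that meets the requirement, which matches the page's rule that only a path whose trustworthiness meets the trust level can become the actual path.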
  • Notification method 1: the head node sends a notification message, which carries the first BSID, the first candidate path and the trust level.
  • the first candidate path is a candidate path corresponding to the first segment routing strategy
  • the first segment routing strategy is the segment routing strategy corresponding to the first BSID
  • the trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • each SR domain corresponds to at least one controller, and different SR domains correspond to different controllers.
  • the controller of each SR domain collects the network topology information within the corresponding SR domain, and then generates the segment routing strategy within the corresponding SR domain, and assigns the corresponding BSID and trust level to each segment routing strategy, and then sends the segment routing strategy, the BSID and trust level corresponding to the segment routing strategy to the corresponding head node.
  • the head node can send the segment routing strategies, the BSID and trust level corresponding to each segment routing strategy to the neighboring SR domain through the notification message, and also receive the notification message from the neighboring SR domain, and continue to forward the notification message from the neighboring SR domain to other neighboring SR domains. In this way, the head node can obtain the segment routing strategy of each SR domain, the BSID and trust level corresponding to each segment routing strategy.
  • the head node may also send the segment routing policies of each SR domain, the BSID corresponding to each segment routing policy, and the trust level to the controller and border node of the first SR domain.
  • the same trust level can be set for each candidate path corresponding to a segment routing strategy, that is, a segment routing strategy as a whole corresponds to one trust level.
  • different trust levels can also be set for each candidate path corresponding to a segment routing strategy, that is, a segment routing strategy corresponds to multiple trust levels.
  • different trust levels can be set for each intra-domain path identifier corresponding to a candidate path, that is, one candidate path corresponds to multiple trust levels.
  • one candidate path corresponds to one notification message, that is, one candidate path and its related information are notified through one notification message.
  • the head node sends a notification message, and the notification message carries the first BSID, the first candidate path and the trust level.
  • the trust level carried by the notification message is the trust level of the first candidate path.
  • the trust level carried by the notification message is the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • multiple candidate paths may also correspond to one notification message, or one segment routing strategy may correspond to one notification message. The embodiment of the present application does not limit this.
  • an example of one candidate path corresponding to one notification message will be introduced.
  • the notification message may be a Border Gateway Protocol (BGP) update message. The BGP update message includes Network Layer Reachability Information (NLRI), the NLRI includes at least one Type-Length-Value (TLV) field, and the at least one TLV field is used to carry the first BSID and the trust level.
  • the relevant attribute information of the segment routing policy can be carried through the NLRI.
  • the NLRI may be expressed as follows:
  • the Binding SID shown in bold is the BSID carried by the NLRI, and Trust Level is the trust level carried by the NLRI; here the trust level is the trust level of the corresponding candidate path.
  • When a trust level is set for each intra-domain path identifier corresponding to a candidate path, and the intra-domain path identifier is a SID list, the NLRI may be expressed as follows:
  • Trust Level under Segment List indicates the trust level of each SID list associated with the candidate path, and each SID list corresponds to a trust level.
  • the at least one TLV field is further used to carry a validity flag, where the validity flag indicates that the first BSID is valid in the first SR domain and other SR domains except the first SR domain.
  • FIG. 9 is a schematic diagram of a TLV field provided in an embodiment of the present application.
  • the TLV field is used to carry the first BSID.
  • the TLV field includes five subfields, namely Type, Length, Flags, Reserved, and Binding SID.
  • the length of the Type subfield is 8 bits and its value is 13; the length of the Length subfield is 8 bits and its value can be 2, 6 or 18 (here, the value is 18); the length of the Flags subfield is 8 bits, and the Flags subfield includes three flag bits, namely S, I and E.
  • the S flag bit is used to indicate that the segment routing policy must have a specified legal BSID
  • the I flag bit is used to indicate that the BSID is invalid
  • the E flag bit carries an effective flag, which is used to indicate that the BSID is also effective in other SR domains.
  • the length of the Reserved subfield is 8 bits
  • the Binding SID subfield is used to carry the first BSID.
  • FIG 10 is a schematic diagram of a TLV field provided in an embodiment of the present application.
  • the TLV field is used to carry the trust level.
  • the TLV field includes five subfields, namely Type, Length, Flags, Reserved, and Trust Level.
  • the Trust Level subfield is used to carry the trust level corresponding to the segment routing policy.
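The Binding SID TLV and Trust Level TLV layouts above, as an added Python example (not code from the patent): an encoder and a bounds-checked parser for the TLVs carried in the NLRI, plus the receiver-side check that a BSID learned from another SR domain is used only when its E (validity) flag is set. The bit positions of S, I and E, the Type value of the Trust Level TLV, and the 8-bit width of the Trust Level subfield are not given on the page and are assumptions or labelled placeholders here.

```python
import struct
import ipaddress

BSID_TLV_TYPE = 13            # Type value of the Binding SID TLV, as given on the page
TRUST_LEVEL_TLV_TYPE = 0xFE   # PLACEHOLDER: the page gives no Type value for the Trust Level TLV
# Flag bit positions inside the 8-bit Flags subfield are an assumption of this example;
# the page names the S, I and E flags but not their positions.
FLAG_S, FLAG_I, FLAG_E = 0x80, 0x40, 0x20


def encode_bsid_tlv(bsid, flags):
    """Type(8) | Length(8) | Flags(8) | Reserved(8) | Binding SID.
    Length covers Flags + Reserved + BSID, giving 2 (no BSID) or 18 (IPv6 BSID)."""
    body = ipaddress.IPv6Address(bsid).packed if bsid is not None else b""
    return struct.pack("!BBBB", BSID_TLV_TYPE, 2 + len(body), flags & 0xFF, 0) + body


def encode_trust_level_tlv(level, flags=0):
    """Type(8) | Length(8) | Flags(8) | Reserved(8) | Trust Level.
    An 8-bit Trust Level (Length 3) is an assumption; the page lists the subfields but not this width."""
    if not 0 <= level <= 4:
        raise ValueError("trust levels run from 0 (untrusted) to 4 (fully trusted)")
    return struct.pack("!BBBBB", TRUST_LEVEL_TLV_TYPE, 3, flags & 0xFF, 0, level)


def parse_tlvs(raw):
    """Walk a buffer of TLVs carried in the NLRI and return the BSID, its flags and the trust level.
    Every Length is checked against the buffer so a malformed update cannot be read out of bounds."""
    out = {"bsid": None, "bsid_flags": 0, "trust_level": None}
    pos = 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise ValueError("truncated TLV header")
        tlv_type, length = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV Length runs past the end of the buffer")
        if tlv_type == BSID_TLV_TYPE:
            if length not in (2, 6, 18):
                raise ValueError("Binding SID TLV Length must be 2, 6 or 18")
            out["bsid_flags"] = value[0]
            if length == 18:
                out["bsid"] = str(ipaddress.IPv6Address(value[2:]))
            elif length == 6:
                out["bsid"] = int.from_bytes(value[2:], "big")  # raw 32-bit field; label layout not on the page
        elif tlv_type == TRUST_LEVEL_TLV_TYPE:
            if length != 3:
                raise ValueError("unexpected Trust Level TLV Length")
            out["trust_level"] = value[2]
        # TLV types this example does not know are skipped by their declared Length
        pos += 2 + length
    return out


def usable_outside_origin_domain(parsed):
    """A BSID learned from another SR domain is only usable there when the E (validity) flag is set
    and the I flag does not mark the BSID invalid."""
    flags = parsed["bsid_flags"]
    return parsed["bsid"] is not None and bool(flags & FLAG_E) and not (flags & FLAG_I)


if __name__ == "__main__":
    nlri = encode_bsid_tlv("2001:db8:ffff::1", FLAG_S | FLAG_E) + encode_trust_level_tlv(3)
    parsed = parse_tlvs(nlri)
    print(parsed, usable_outside_origin_domain(parsed))
```

The receiver check is the practical consequence of the validity flag: a border node that imports a neighbouring domain's policies should discard BSIDs advertised without E rather than steer traffic into a path the originating domain never declared valid across domains.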
  • Notification method 2: the controller of the first SR domain sends a notification message that carries the first BSID, the first candidate path and the trust level.
  • the trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • the controller of the first SR domain sends the notification message to the controllers of the neighboring SR domains, receives the notification messages from the neighboring SR domains, and forwards those messages on to its other neighboring SR domains. In this way, the controller of the first SR domain obtains the BSID and trust level corresponding to the segment routing policies of each SR domain.
  • After the controller of the first SR domain obtains the segment routing policies of each SR domain, the BSID corresponding to each segment routing policy, and the trust level, it can also send them to the head nodes corresponding to each segment routing policy in the first SR domain and to the border nodes in the first SR domain.
  • the notification message sent by the controller of the first SR domain is similar to the above. Please refer to the above description for details, which will not be repeated here.
  • Notification method 3: the controller of the first SR domain uploads the first BSID, the first candidate path and the trust level to the blockchain shared by the multiple SR domains.
  • the trust level is the trust level of the first candidate path, or the trust level of the path identifiers in each domain corresponding to the first candidate path.
  • the controller of the first SR domain may upload each candidate path and related information corresponding to the first segment routing policy to the blockchain shared by the multiple SR domains in multiple times, or may upload them to the blockchain shared by the multiple SR domains at the same time, which is not limited in this embodiment of the present application.
  • In this way, the controllers of the other SR domains can obtain from the blockchain the segment routing policies within the first SR domain, the BSID corresponding to each segment routing policy, and the trust level; likewise, the controller of the first SR domain can obtain those of the other SR domains.
  • As in notification method 2, after the controller of the first SR domain obtains the segment routing policies of each SR domain, the BSID corresponding to each segment routing policy, and the trust level, it can also send them to the head nodes corresponding to each segment routing policy in the first SR domain and to the border nodes in the first SR domain.
  • the controller of the first SR domain may also upload relevant information of the previous SR domain and the next SR domain of the first SR domain to the blockchain.
  • the current state of the segment routing policy in the first SR domain may also be uploaded to the blockchain. The state indicates whether the segment routing policy is currently available.
  • controller 1 is the controller corresponding to SR domain 1
  • controller 2 is the controller corresponding to SR domain 2.
  • Controller 1 collects network topology information within SR domain 1 to generate a segment routing policy, and uploads the segment routing policy, the BSID corresponding to the segment routing policy, and the trust level to the blockchain.
  • Controller 2 collects network topology information within SR domain 2 to generate a segment routing policy, and uploads the segment routing policy, the BSID corresponding to the segment routing policy, and the trust level to the blockchain.
  • the blockchain includes the segment routing policies of all SR domains, the BSID corresponding to each segment routing policy, and the trust level.
  • the controller of each SR domain can obtain the segment routing policies of all SR domains, the BSID corresponding to each segment routing policy, and the trust level from the blockchain.
  • the first BSID list can be inserted into the header of the third message in the form of an extension header to obtain the first message. That is, the first extension header and the first message header are inserted into the third message, the first extension header includes the first BSID list, and the destination address of the first message header is the first BSID, thereby obtaining the first message.
  • the first BSID list obtained by the head node includes BSID1, BSID2, and BSID3.
  • the first SRH extension header and the first IPv6 message header can be inserted into the third message.
  • the first SRH extension header includes the first BSID list, and SL in the first SRH extension header is 2.
  • the destination address DA of the first IPv6 message header is BSID1, thereby obtaining the first message.
  • the border node transmits the first message to the head node based on the destination address of the first message header, that is, the first BSID.
  • In the second case, the first SR domain is not the first SR domain among the multiple SR domains.
  • Here the head node receives the first message from the tail node of the previous SR domain: the head node can directly receive the first message from the tail node of the previous-hop SR domain, and the first message carries the first BSID list.
  • Step 802 The head node determines a first intra-domain path identifier based on a first BSID in the first BSID list, where the first BSID indicates a first SR domain among the multiple SR domains, and the first intra-domain path identifier indicates an SR path for transmitting a first message in the first SR domain.
  • After the head node obtains the first message, it determines the first BSID by parsing the destination address of the first message header, and further determines the first intra-domain path identifier based on the first BSID.
  • the first message is transmitted through multiple SR domains indicated by the first BSID list, which can meet the trust level requirement of the transmission path when the first message is transmitted across SR domains.
  • a BSID uniquely identifies a segment routing policy
  • a segment routing policy may correspond to multiple candidate paths, and each candidate path may correspond to multiple intra-domain path identifiers. When the trust level is set for the candidate paths, the trust levels of the multiple candidate paths may be the same or different. When the trust level is set for the intra-domain path identifiers corresponding to a candidate path, the trust levels of the intra-domain path identifiers corresponding to the same candidate path are different.
  • the first segment routing policy may therefore correspond to one trust level as a whole, or to multiple fine-grained trust levels.
  • the methods of determining the first intra-domain path identifier are different in different situations, which will be introduced below.
  • In the first case, the first segment routing policy as a whole corresponds to one trust level; that is, when the trust level is set for the candidate paths, the trust levels of the candidate paths corresponding to the first segment routing policy are the same.
  • the head node determines the first intra-domain path identifier based on the first BSID.
  • the head node stores a correspondence between BSID and intra-domain path identifier. At this time, the head node can obtain the corresponding intra-domain path identifier from the correspondence between BSID and intra-domain path identifier based on the first BSID, and determine the obtained intra-domain path identifier as the first intra-domain path identifier.
  • the head node stores the segment routing policies corresponding to each BSID. At this time, the head node can determine the segment routing policy corresponding to the first BSID, and the segment routing policy is referred to as the first segment routing policy.
  • a candidate path is selected from the multiple candidate paths corresponding to the first segment routing policy, and an intra-domain path identifier is selected from the intra-domain path identifiers corresponding to the selected candidate paths as the first intra-domain path identifier.
  • In the second case, the first segment routing policy corresponds to multiple fine-grained trust levels; that is, when the trust level is set for the candidate paths, the trust levels of the candidate paths corresponding to the first segment routing policy are different, or, when the trust level is set for the intra-domain path identifiers corresponding to a candidate path, the trust levels of the intra-domain path identifiers corresponding to the same candidate path are different. In this case, the head node determines the first intra-domain path identifier based on the first BSID and the first trust level.
  • the head node determines the first intra-domain path identifier based on the first BSID and the first trust level in the following three ways, which are introduced below.
  • the head node obtains a first intra-domain path identifier from a second routing table based on the first BSID and the first trust level, and the second routing table is used to store a correspondence between the BSID, the trust level and the intra-domain path identifier.
  • the head node can obtain the corresponding intra-domain path identifier from the correspondence between BSID, trust level and intra-domain path identifier stored in the second routing table based on the first BSID and the first trust level, and determine the obtained intra-domain path identifier as the first intra-domain path identifier.
  • the second routing table is generated in advance. That is, after the head node receives the segment routing policy and the corresponding BSID and trust level sent by the controller of the first SR domain, the head node can store the BSID, trust level, and path identifier of the corresponding SR path corresponding to these segment routing policies in the second routing table.
  • the head node determines a first segment routing policy corresponding to the first BSID; based on the first trust level, the head node selects an intra-domain path identifier from the intra-domain path identifiers corresponding to the first segment routing policy as the first intra-domain path identifier.
  • the head node can determine the first segment routing policy based on the first BSID.
  • the first segment routing policy may correspond to one or more candidate paths.
  • when it corresponds to only one candidate path, the head node can directly use that candidate path as the first candidate path, and then select an intra-domain path identifier from the intra-domain path identifiers corresponding to the first candidate path as the first intra-domain path identifier.
  • the trust level can be set for the candidate path, or it can be left unset for the candidate path and set instead for the intra-domain path identifiers corresponding to the candidate path. Therefore, when the first segment routing policy corresponds to multiple candidate paths, either the multiple candidate paths have trust levels, and these trust levels are different, or the candidate paths have no trust levels but the intra-domain path identifiers corresponding to each candidate path have trust levels, and the trust levels of the multiple intra-domain path identifiers corresponding to the same candidate path are different.
  • the head node selects a candidate path with a trust level equal to the first trust level from the multiple candidate paths corresponding to the first segment routing policy as the first candidate path, and then selects an intra-domain path identifier from the intra-domain path identifiers corresponding to the first candidate path as the first intra-domain path identifier.
  • a segment routing policy can be associated with multiple candidate paths, and each candidate path is associated with a priority. Therefore, when the head node selects the first candidate path from the candidate paths corresponding to the first segment routing policy, it can first select the candidate path with the first trust level, and then select the candidate path with the highest priority among the selected candidate paths as the first candidate path.
  • each candidate path corresponds to multiple intra-domain path identifiers
  • each intra-domain path identifier has a trust level
  • the trust levels of the multiple intra-domain path identifiers corresponding to the same candidate path are different
  • the head node can select one candidate path from the multiple candidate paths corresponding to the first segment routing policy as the first candidate path, and select the intra-domain path identifier with a trust level of the first trust level from the multiple intra-domain path identifiers corresponding to the first candidate path as the first intra-domain path identifier. That is, it selects an SR path with a trust level of the first trust level from the multiple SR paths associated with the first candidate path, and uses the path identifier of the selected SR path as the first intra-domain path identifier.
  • multiple SR paths associated with a candidate path each have a weight value. Therefore, when the head node selects the first intra-domain path identifier from the intra-domain path identifiers corresponding to the first candidate path, it can first select the intra-domain path identifiers with a trust level of the first trust level, and then determine one of the selected intra-domain path identifiers according to the weight values as the first intra-domain path identifier.
  • Alternatively, the head node may select an SR path with a trust level higher than the first trust level.
  • However, selecting the intra-domain path identifier whose trust level equals the first trust level avoids low-trust-level messages occupying high-trust-level transmission paths: it meets the trustworthiness requirement of the transmission path while making the best use of the paths available for message forwarding.
  • the head node sends an intra-domain path calculation request to the controller of the first SR domain, where the intra-domain path calculation request carries a source address, a destination address, and a first trust level; the head node receives a first intra-domain path identifier sent by the controller of the first SR domain.
  • After the head node sends the intra-domain path calculation request, the controller of the first SR domain receives it, determines the first intra-domain path identifier with its path calculation algorithm based on the source address, destination address and first trust level carried in the request, and then sends the first intra-domain path identifier to the head node.
  • the head node may first query the second routing table to determine the first intra-domain path identifier based on the first BSID and the first trust level, and when the head node cannot obtain the first intra-domain path identifier from the second routing table, the head node sends an intra-domain path calculation request to the controller of the first SR domain.
  • the head node may also directly send an intra-domain path calculation request to the controller of the first SR domain without querying the second routing table first.
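As an added example (not from the patent, and not any vendor's implementation), the following Python implements the table-driven selection just described for both granularities of trust level: candidate paths are filtered by trust level and ranked by priority, then the SID lists under the chosen candidate path are filtered by trust level and picked by weight, and a miss in the local table falls back to the controller. The policy table with nodes R14 to R16 and R24/R25, the use of a per-flow hash (computed by the caller over the flow's addresses) to make the weighted choice deterministic, and the controller being modelled as a dictionary are all assumptions made for the example.

```python
"""Head-node selection of the intra-domain path identifier (added example)."""

# Constructed policy table as a head node might hold it after the controller's
# notification: BSID -> segment routing policy -> candidate paths -> SID lists.
POLICIES = {
    "BSID1": {  # trust level set per candidate path, levels differ
        "candidate_paths": [
            {"priority": 200, "trust_level": 1,
             "sid_lists": [{"weight": 1, "sids": ["R11", "R12", "R13"]}]},
            {"priority": 100, "trust_level": 2,
             "sid_lists": [{"weight": 1, "sids": ["R11", "R14", "R13"]}]},
            {"priority": 150, "trust_level": 2,
             "sid_lists": [{"weight": 1, "sids": ["R11", "R15", "R13"]}]},
        ]
    },
    "BSID2": {  # trust level set per SID list under one candidate path
        "candidate_paths": [
            {"priority": 100,
             "sid_lists": [
                 {"weight": 1, "trust_level": 1, "sids": ["R21", "R22", "R23"]},
                 {"weight": 3, "trust_level": 2, "sids": ["R21", "R24", "R23"]},
                 {"weight": 1, "trust_level": 2, "sids": ["R21", "R25", "R23"]},
             ]}
        ]
    },
}

# Constructed stand-in for the controller's path calculation:
# (source, destination, trust level) -> SID list (hypothetical values).
CONTROLLER_PATHS = {("UE", "Srv", 3): ["R11", "R16", "R13"]}


def _filter_by_trust(items, trust_level):
    """Keep the items whose trust level equals the requested one. If no item in
    the set carries a trust level, the set is returned unchanged."""
    if any("trust_level" in item for item in items):
        return [item for item in items if item.get("trust_level") == trust_level]
    return items


def select_sid_list(policies, bsid, trust_level, flow_hash):
    """Exact trust-level match first, then highest priority among candidate
    paths, then a weighted choice among SID lists keyed by the flow hash.
    Returns None when the local table has nothing suitable."""
    policy = policies.get(bsid)
    if policy is None:
        return None
    candidates = _filter_by_trust(policy["candidate_paths"], trust_level)
    if not candidates:
        return None
    best = max(candidates, key=lambda cp: cp["priority"])
    sid_lists = _filter_by_trust(best["sid_lists"], trust_level)
    if not sid_lists:
        return None
    bucket = flow_hash % sum(sl["weight"] for sl in sid_lists)
    for sl in sid_lists:  # weighted selection: each list owns 'weight' buckets
        bucket -= sl["weight"]
        if bucket < 0:
            return sl["sids"]
    return None


def resolve_intra_domain_path(policies, bsid, src, dst, trust_level, flow_hash,
                              controller=CONTROLLER_PATHS):
    """Query the local table first; only on a miss ask the controller (a lookup
    here). Returns (SID list or None, where it came from)."""
    sids = select_sid_list(policies, bsid, trust_level, flow_hash)
    if sids is not None:
        return sids, "table"
    sids = controller.get((src, dst, trust_level))
    return sids, ("controller" if sids is not None else "none")
```

Because the filter is an exact match on the trust level, a level-1 flow never lands on a level-2 SID list, which is the "no low-trust traffic on high-trust paths" property the description asks for; relaxing `==` to `>=` in `_filter_by_trust` would give the alternative, more permissive behaviour.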
  • the intra-domain path identifier is used to identify an SR path within the SR domain, and the SR path can be identified by a SID list.
  • the SR path can also be identified by a BSID list.
  • the SR path can be divided into multiple sub-paths, and a BSID is assigned to each sub-path. In this way, the BSIDs of each sub-path can be combined into a BSID list, and then the SR path can be identified by the BSID list. Therefore, the first intra-domain path identifier can be a SID list or a BSID list.
  • the head node can forward directly based on the SID list.
  • the head node can determine the corresponding path for forwarding based on each BSID in the BSID list.
  • Step 803 The head node generates a second message based on the first message, where the second message carries the first BSID list and the first intra-domain path identifier.
  • After obtaining the first intra-domain path identifier in the above manner, the head node encapsulates it into the first message to generate the second message; that is, the head node inserts the first intra-domain path identifier into the header of the first message in the form of an extension header to obtain the second message.
  • the head node inserts the second extension header and the second message header into the first message, the second extension header includes the first intra-domain path identifier, the source address of the second message header is the identifier of the head node in the first intra-domain path identifier, and the destination address is the identifier of the next hop node of the head node in the first intra-domain path identifier, thereby obtaining the second message.
  • the first intra-domain path identifier obtained by the head node includes R11, R12, R13, R14, and R15.
  • Step 804 The head node forwards the second message.
  • the head node forwards the second message to the intermediate node, and then forwards the second message to the tail node through the intermediate node.
  • the intermediate node is the intermediate node of the SR path indicated by the first intra-domain path identifier
  • the tail node is the last node of the SR path indicated by the first intra-domain path identifier.
  • After receiving the second message, the intermediate node updates it and forwards the updated second message to the next-hop node. That is, the intermediate node obtains the identifier of the next-hop node from the first intra-domain path identifier included in the second extension header, modifies the destination address in the second message header to that identifier, and at the same time reduces the SL field in the second extension header by 1, leaving the first extension header and the first message header unchanged, thereby obtaining the updated second message. It then forwards the updated message to the next-hop node based on that identifier.
  • the first SR domain may be the last SR domain among the multiple SR domains, or may not be the last SR domain among the multiple SR domains.
  • the tail node forwards the second message in different ways, which will be introduced below.
  • the first SR domain is not the last SR domain among multiple SR domains.
  • the tail node generates the eighth message based on the second message, and the eighth message carries the first BSID list.
  • the tail node determines the outbound interface corresponding to the second SR domain based on the second BSID in the first BSID list.
  • the second SR domain is the next-hop SR domain of the first SR domain, and the second BSID indicates the second SR domain; the tail node forwards the eighth message through the outbound interface corresponding to the head node of the second SR domain.
  • the tail node pops the second extension header and the second message header from the second message, obtains the second BSID from the first BSID list included in the first extension header, modifies the destination address in the first message header to the second BSID, and subtracts 1 from the SL field in the first extension header, thereby obtaining the eighth message.
  • the tail node (the egress node of the first SR domain) stores the correspondence between BSIDs and outbound interfaces, so it can obtain the corresponding outbound interface from that correspondence based on the second BSID and use it as the outbound interface corresponding to the second SR domain.
  • the tail node sends the eighth message through the outbound interface corresponding to the second SR domain, guiding the eighth message into the second SR domain.
  • the first SR domain is the last SR domain among the multiple SR domains.
  • the tail node pops the first BSID list and the first intra-domain path identifier from the second message to obtain the third message, which carries the source address, the destination address and the first trust level, and forwards the third message according to its destination address. That is, the tail node (the egress node) pops the first extension header, the first message header, the second extension header, and the second message header from the second message to obtain the third message, and then forwards it according to the destination address carried in the third message.
  • the user terminal needs to send message 1 to the server.
  • the user terminal sends message 1 to the border node R11 of SR domain 1.
  • R11 determines the BSID list based on the source address, destination address and trust level in message 1; the list includes BSID1, BSID2, and BSID3.
  • BSID1 is the BSID corresponding to a segment routing strategy in SR domain 1
  • BSID2 is the BSID corresponding to a segment routing strategy in SR domain 2
  • BSID3 is the BSID corresponding to a segment routing strategy in SR domain 3.
  • R11 inserts the first SRH extension header and the first IPv6 message header into message 1.
  • the destination address DA of the first IPv6 message header is BSID1, thereby obtaining message 2.
  • R11 determines the corresponding intra-domain path identifier based on BSID1, and the intra-domain path identifier includes R11, R12, and R13.
  • R11 inserts the second SRH extension header and the second IPv6 header into message 2, thereby obtaining message 3.
  • R11 forwards message 3 to R12 based on the intra-domain path identifier.
  • R12 modifies the destination address in the second IPv6 header to R13, reduces the SL field in the second SRH extension header by 1, and keeps the first SRH extension header and the first IPv6 header unchanged, thereby obtaining the updated message 3. Then, the updated message 3 is forwarded to R13.
  • R13 pops the second SRH extension header and the second IPv6 header from message 3, modifies the destination address in the first IPv6 header to BSID2, and subtracts 1 from the SL field in the first SRH extension header, thereby obtaining message 4.
  • R13 forwards message 4 to R21, and R21 forwards the message in a similar manner, until the message reaches R34, which pops the first SRH extension header, the first IPv6 header, the second SRH extension header, and the second IPv6 header from the message, thereby recovering message 1.
  • R34 forwards message 1 to the server based on the destination address Srv in message 1.
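The end-to-end walk of message 1 from R11 to R34, as an added simulation (not the patent's own code or any vendor's): the node roles, the nested SRH handling and the border admission check follow the description above. The node set R11 to R34, the SID lists, the extra policy BSID9 (a domain-2 policy announced without the E flag, included to show the discard at the border), the source address of the first IPv6 header being the border node, and the SRH representation as a reversed segment list with an SL index are assumptions made for the example.

```python
"""Nested-SRH forwarding of message 1 across three SR domains (added example)."""
from copy import deepcopy

# Constructed topology. Each BSID maps to an intra-domain SID list whose first
# element is the head node of that policy. BSID9 is a domain-2 policy that was
# NOT announced with the E flag, so it must not admit traffic from domain 1.
DOMAIN_OF = {f"R{d}{n}": d for d in (1, 2, 3) for n in (1, 2, 3, 4)}
POLICY = {
    "BSID1": ["R11", "R12", "R13"],
    "BSID2": ["R21", "R22", "R23"],
    "BSID9": ["R21", "R22", "R23"],
    "BSID3": ["R31", "R32", "R33", "R34"],
}
CROSS_DOMAIN_VALID = {"BSID1", "BSID2", "BSID3"}               # E flag set
EGRESS_IF = {"BSID2": "R21", "BSID9": "R21", "BSID3": "R31"}  # tail: BSID -> next head
MSG1 = {"sa": "UE", "da": "Srv", "trust": 2, "data": "hello"}  # constructed message 1


def make_srh(segments, consumed=1):
    """SRH with the segment list stored last-first, SL indexing the current
    segment. 'consumed' leading entries (the head node itself) are already behind us."""
    return {"segments": list(reversed(segments)), "sl": len(segments) - 1 - consumed}


def encapsulate(msg, bsid_list, border_node):
    """Border node of the first domain: first SRH + first IPv6 header, DA = first BSID."""
    return {"outer_ip": {"sa": border_node, "da": bsid_list[0]},
            "outer_srh": make_srh(bsid_list, consumed=0),
            "inner_ip": None, "inner_srh": None, "payload": deepcopy(msg)}


def head_node(pkt, node, prev):
    """Resolve the BSID in the outer DA to an intra-domain path and push the
    second headers. A BSID arriving from another domain is admitted only if it
    was announced as valid across domains."""
    bsid = pkt["outer_ip"]["da"]
    path = POLICY.get(bsid)
    if path is None or path[0] != node:
        return None, None                               # not our policy: discard
    from_other_domain = prev in DOMAIN_OF and DOMAIN_OF[prev] != DOMAIN_OF[node]
    if from_other_domain and bsid not in CROSS_DOMAIN_VALID:
        return None, None                               # default discard behaviour
    pkt["inner_ip"] = {"sa": node, "da": path[1]}       # second IPv6 header
    pkt["inner_srh"] = make_srh(path)                   # second SRH
    return pkt, path[1]


def intermediate_node(pkt, node):
    """Advance the second SRH only; the first headers are left unchanged."""
    srh = pkt["inner_srh"]
    srh["sl"] -= 1
    pkt["inner_ip"]["da"] = srh["segments"][srh["sl"]]
    return pkt, pkt["inner_ip"]["da"]


def tail_node(pkt, node):
    """Pop the second headers; either hand off to the next domain's BSID or,
    if this is the last domain, pop everything and deliver the original message."""
    pkt["inner_ip"], pkt["inner_srh"] = None, None
    srh = pkt["outer_srh"]
    if srh["sl"] == 0:
        return pkt["payload"], pkt["payload"]["da"]
    srh["sl"] -= 1
    next_bsid = srh["segments"][srh["sl"]]
    pkt["outer_ip"]["da"] = next_bsid
    return pkt, EGRESS_IF[next_bsid]


def process(pkt, node, prev):
    if pkt["inner_srh"] is None:
        return head_node(pkt, node, prev)
    if pkt["inner_srh"]["sl"] > 0:
        return intermediate_node(pkt, node)
    return tail_node(pkt, node)


def simulate(msg, bsid_list, ingress):
    """Walk the message through the domains; returns (node trace, delivered message or None)."""
    pkt, node, prev, trace = encapsulate(msg, bsid_list, ingress), ingress, ingress, [ingress]
    while True:
        result, nxt = process(pkt, node, prev)
        if result is None:
            return trace, None                          # discarded at 'node'
        if "outer_ip" not in result:                    # fully decapsulated
            trace.append(nxt)
            return trace, result
        prev, node, pkt = node, nxt, result
        trace.append(node)
```

Running `simulate(MSG1, ["BSID1", "BSID2", "BSID3"], "R11")` reproduces the walk R11, R12, R13, R21, R22, R23, R31, R32, R33, R34 and delivers message 1 unchanged to Srv; swapping BSID2 for BSID9 makes R21 discard the message at the domain-2 border, because that BSID was never announced as valid outside domain 2.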
  • the above-mentioned multiple SR domains can transmit multiple data streams. Different data streams can be forwarded through the same SR path or through different SR paths. Moreover, for the same data stream, different packets of the data stream can be forwarded through the same SR path or through different SR paths.
  • the head node obtains a fourth message, the fourth message carries the first BSID list, and the fourth message and the first message belong to different data flows; the head node determines the first intra-domain path identifier based on the first BSID; the head node generates a fifth message based on the fourth message, the fifth message carries the first BSID list and the first intra-domain path identifier; the head node forwards the fifth message. That is, different data flows can be forwarded through the same SR path.
  • R11 determines that the BSID lists corresponding to the two messages include BSID1, BSID2, and BSID3.
  • R11 encapsulates the BSID list into two messages respectively.
  • When R11 acts as the head node, it determines that the two messages correspond to the same intra-domain path identifier, encapsulates that intra-domain path identifier into both messages, and the messages then pass through SR domain 1, SR domain 2, and SR domain 3 in turn to reach R34, which forwards them according to the respective destination addresses in the two messages.
  • the head node obtains the sixth message, the sixth message carries the first BSID list, and the sixth message and the first message belong to the same data stream; the head node determines the second intra-domain path identifier based on the first BSID, the second intra-domain path identifier indicates the SR path of the sixth message transmitted in the first SR domain, and the SR path indicated by the second intra-domain path identifier is different from the SR path indicated by the first intra-domain path identifier; the head node generates the seventh message based on the sixth message, the seventh message carries the first BSID list and the second intra-domain path identifier; the head node forwards the seventh message. That is, different messages in a data stream are forwarded through different SR paths.
  • the user terminal sends the data stream including message 1 and message 2.
  • R11 determines that the BSID list corresponding to message 1 includes BSID1, BSID2, and BSID3, and the BSID list corresponding to message 2 includes BSID1, BSID4, and BSID3.
  • R11 encapsulates these two BSID lists into their respective corresponding messages.
  • When R11 acts as the head node, it determines that the two messages correspond to different intra-domain path identifiers, encapsulates each intra-domain path identifier into its corresponding message, and the messages are then transmitted over their respective transmission paths to reach R34, which sends both messages to the server.
  • the load balancing strategy can be used to determine which message is forwarded through which transmission path.
  • other strategies can also be used to determine the transmission path of each message, which is not limited in the embodiments of the present application.
  • the embodiment of the present application announces the BSID and trust level of the segment routing policy of each SR domain across the entire network, so that messages can be transmitted across SR domains. Moreover, when the BSID and trust level of a segment routing policy are announced in a notification message, the validity flag in that message makes the BSID of the segment routing policy valid in multiple SR domains. In this way, when a message from one SR domain reaches the border node of another SR domain, the border node does not discard the message but parses the BSID and guides the message onto the corresponding transmission path, which provides a guarantee for cross-domain transmission of the message.
  • the BSID list determined by the trust level meets the trustworthiness requirement of the transmission path when the message is transmitted across SR domains.
  • determining the intra-domain path identifier based on the trust level also meets the trustworthiness requirement of the transmission path when the message is transmitted within a domain, further improving the security of message transmission.
  • FIG17 is a schematic diagram of the structure of a message forwarding device provided in an embodiment of the present application, and the message forwarding device can be implemented by software, hardware or a combination of both to become part or all of a network device, and the network device can be the head node mentioned above.
  • the device includes: a first acquisition module 1701, a first determination module 1702, a first generation module 1703 and a first forwarding module 1704.
  • a first acquisition module 1701 is configured to acquire a first message, where the first message carries a first binding segment identifier BSID list, where the first BSID list is determined based on a first trust level, where the first trust level indicates a degree of trustworthiness of a transmission path of the first message, and the first BSID list indicates multiple segment routing SR domains used to transmit the first message;
  • a first determining module 1702 is configured to determine a first intra-domain path identifier based on a first BSID in the first BSID list, where the first BSID indicates a first SR domain among multiple SR domains, and the first intra-domain path identifier indicates an SR path for transmitting a first message in the first SR domain;
  • a first generating module 1703 is configured to generate a second message based on the first message, where the second message carries a first BSID list and a first intra-domain path identifier;
  • the first forwarding module 1704 is configured to forward the second message.
  • the first SR domain is the first SR domain among the multiple SR domains;
  • the first acquisition module 1701 includes:
  • a receiving submodule used for receiving a third message, where the third message carries a source address, a destination address and a first trust level
  • a first determination submodule configured to determine a first BSID list based on a source address, a destination address, and a first trust level
  • a generating submodule is used to generate a first message based on the third message.
  • the first determining submodule is specifically used for:
  • a first BSID list is obtained from the first routing table, where the first routing table is used to store the corresponding relationship between the source address, the destination address, the trust level and the BSID list.
  • the first determining submodule is specifically used for:
  • receiving the first BSID list sent by the controller.
  • the first determining module 1702 includes:
  • the second determination submodule is configured to determine a first intra-domain path identifier based on the first BSID and the first trust level.
  • the second determining submodule is specifically used for:
  • a first intra-domain path identifier is obtained from a second routing table, and the second routing table is used to store a correspondence between the BSID, the trust level and the intra-domain path identifier.
  • the second determining submodule is specifically used for:
  • determining the first segment routing policy corresponding to the first BSID, and selecting, based on the first trust level, an intra-domain path identifier from the intra-domain path identifiers corresponding to the first segment routing policy as the first intra-domain path identifier.
  • the first segment routing policy corresponds to a plurality of candidate paths, each candidate path has a trust level, and the trust levels of the plurality of candidate paths are different; the second determining submodule is specifically used for:
  • selecting the candidate path whose trust level is the first trust level from the plurality of candidate paths as the first candidate path, and selecting an intra-domain path identifier from the intra-domain path identifiers corresponding to the first candidate path as the first intra-domain path identifier.
  • the first segment routing policy corresponds to multiple candidate paths, each candidate path corresponds to multiple intra-domain path identifiers, each intra-domain path identifier has a trust level, and the trust levels of the multiple intra-domain path identifiers corresponding to the same candidate path are different;
  • the second determination submodule is specifically used to:
  • an intra-domain path identifier with a trust level of a first trust level is selected as the first intra-domain path identifier.
  • the second determining submodule is specifically used for:
  • the intra-domain path calculation request carries a source address, a destination address, and a first trust level
  • receiving the first intra-domain path identifier sent by the controller.
  • the first intra-domain path identifier is a segment identifier SID list or a BSID list.
  • the device further comprises:
  • a second acquisition module is used to acquire a fourth message, where the fourth message carries the first BSID list, and the fourth message and the first message belong to different data flows;
  • a second determination module configured to determine a first intra-domain path identifier based on the first BSID
  • a second generating module configured to generate a fifth message based on the fourth message, wherein the fifth message carries the first BSID list and the first intra-domain path identifier;
  • the second forwarding module is used to forward the fifth message.
  • the device further comprises:
  • a third acquisition module configured to acquire a sixth message, the sixth message carrying the first BSID list, the sixth message and the first message belonging to the same data flow;
  • a third determination module configured to determine a second intra-domain path identifier based on the first BSID, wherein the second intra-domain path identifier indicates an SR path for transmitting the sixth message in the first SR domain, and the SR path indicated by the second intra-domain path identifier is different from the SR path indicated by the first intra-domain path identifier;
  • a third generating module configured to generate a seventh message based on the sixth message, wherein the seventh message carries the first BSID list and the second intra-domain path identifier;
  • the third forwarding module is used to forward the seventh message.
  • the device further comprises:
  • a sending module is used to send a notification message, the notification message carries a first BSID, a first candidate path and a trust level, the first candidate path is a candidate path corresponding to a first segment routing strategy, the first segment routing strategy is a segment routing strategy corresponding to the first BSID, and the trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • the notification message is a Border Gateway Protocol BGP update message
  • the BGP update message includes network layer reachability information NLRI
  • the NLRI includes at least one type-length-value TLV field
  • the at least one TLV field is used to carry the first BSID and the trust level.
  • the at least one TLV field is further used to carry a validity flag, where the validity flag indicates that the first BSID is valid in the first SR domain and other SR domains except the first SR domain.
  • the BSID and trust level of the segment routing strategy of each SR domain can be announced in the entire network, so as to ensure that the message can be transmitted across the SR domain.
  • the BSID of the segment routing strategy indicated by the effective identifier in the notification message can be effective in multiple SR domains. In this way, when a message from an SR domain reaches the border node of another SR domain, the border node will not discard the message, but parse the BSID and guide the message into the corresponding transmission path, which provides a guarantee for the cross-domain transmission of the message.
  • the BSID list determined by the trust level can meet the credibility requirements of the transmission path when the message is transmitted across SR domains.
  • determining the intra-domain path identifier based on the trust level can also meet the credibility requirements of the message for the transmission path when it is transmitted within the domain, further increasing the confidentiality of the message transmission.
  • the division of the message forwarding device provided in the above embodiment into the above functional modules is only an example.
  • the above functions can be assigned to different functional modules as needed, that is, the internal structure of the message forwarding device is divided into different functional modules to complete all or part of the functions described above.
  • the message forwarding device provided in the above embodiment and the message forwarding method embodiment belong to the same concept, and the specific implementation process is detailed in the method embodiment, which will not be repeated here.
  • the present application provides a message forwarding system, the system comprising:
  • a head node configured to obtain a first message, the first message carrying a first binding segment identifier BSID list, the first BSID list being determined based on a first trust level, the first trust level indicating a degree of trustworthiness of a transmission path of the first message, and the first BSID list indicating a plurality of segment routing SR domains used to transmit the first message;
  • the head node is further configured to determine a first intra-domain path identifier based on a first BSID in the first BSID list, the first BSID indicating a first SR domain among the multiple SR domains, and the first intra-domain path identifier indicating an SR path for transmitting the first message in the first SR domain;
  • the head node is further used to generate a second message based on the first message, where the second message carries the first BSID list and the first intra-domain path identifier;
  • the head node is further used to forward the second message to the tail node via the intermediate node;
  • the tail node is used to forward the second message.
  • the first SR domain is not the last SR domain among the multiple SR domains
  • the tail node is specifically used to generate an eighth message based on the second message, the eighth message carries the first BSID list; based on the second BSID in the first BSID list, determine the outbound interface corresponding to the second SR domain, the second SR domain is the next-hop SR domain of the first SR domain, and the second BSID indicates the second SR domain; and forward the eighth message through the outbound interface.
  • the first SR domain is the last SR domain among the multiple SR domains
  • the tail node is specifically used to pop out the first BSID list and the first intra-domain path identifier in the second message to obtain a third message, where the third message carries a source address, a destination address and a first trust level; and forward the third message.
  • the system further comprises:
  • the controller of the first SR domain is used to send a notification message, where the notification message carries a first BSID, a first candidate path and a trust level, where the first candidate path is a candidate path corresponding to a first segment routing strategy, the first segment routing strategy is a segment routing strategy corresponding to the first BSID, and the trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • the notification message is a Border Gateway Protocol BGP update message
  • the BGP update message includes network layer reachability information NLRI
  • the NLRI includes at least one type-length-value TLV field
  • the at least one TLV field is used to carry the first BSID and the trust level.
  • At least one TLV field is further used to carry a validity flag, where the validity flag indicates that the first BSID is valid in the first SR domain and other SR domains except the first SR domain.
  • the system further comprises:
  • the controller of the first SR domain is used to upload the first BSID, the first candidate path and the trust level to the blockchain shared by multiple SR domains, the first candidate path is a candidate path corresponding to the first segment routing strategy, the first segment routing strategy is the segment routing strategy corresponding to the first BSID, and the trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  • the BSID and trust level of the segment routing policy of each SR domain can be announced to the entire network, thereby ensuring that the message can be transmitted across the SR domain.
  • the BSID and trust level of the segment routing policy are announced by sending a notification message
  • the BSID of the segment routing policy indicated by the effective identifier in the notification message can be effective in multiple SR domains. In this way, when a message from one SR domain reaches the border node of another SR domain, the border node will not discard the message, but will parse the BSID and guide the message into the corresponding transmission path, thereby providing a guarantee for the cross-domain transmission of the message.
  • the BSID list determined by the trust level can meet the trustworthiness requirement of the transmission path when the message is transmitted across SR domains.
  • determining the intra-domain path identifier based on the trust level can also meet the credibility requirement of the transmission path when the message is transmitted within the domain, further increasing the confidentiality of the message during transmission.
  • An embodiment of the present application provides a network device, which includes a memory and a processor; the memory is used to store computer programs, and the processor is used to execute the computer programs stored in the memory to implement all or part of the steps of the method provided in the above method embodiment.
  • An embodiment of the present application provides a computer-readable storage medium, which stores a computer program.
  • when the computer program is executed, all or part of the steps of the method provided in the above method embodiment are implemented.
  • An embodiment of the present application provides a computer program product, which includes a program or code.
  • when the program or code is executed, all or part of the steps of the method provided in the above method embodiment are implemented.
  • the computer program product includes one or more computer instructions.
  • the computer can be a general-purpose computer, a special-purpose computer, a computer network or other programmable device.
  • the computer instructions can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions can be transmitted from a website site, computer, server or data center by wired (for example: coaxial cable, optical fiber, data subscriber line (digital subscriber line, DSL)) or wireless (for example: infrared, wireless, microwave, etc.) mode to another website site, computer, server or data center.
  • the computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that includes one or more available media integrated.
  • the available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital versatile disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)).
  • the computer-readable storage medium mentioned in the embodiment of the present application may be a non-volatile storage medium, in other words, a non-transient storage medium.
  • the information (including but not limited to user device information, user personal information, etc.), data (including but not limited to data used for analysis, stored data, displayed data, etc.) and signals involved in the embodiments of the present application are all authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data need to comply with the relevant laws, regulations and standards of the relevant countries and regions.

Abstract

A packet forwarding method and apparatus, a device, a storage medium, and a computer program, which belong to the field of communications. The method comprises: acquiring a first packet, the first packet carrying a first BSID list, the first BSID list being determined on the basis of a first trust level, and the first trust level indicating a confidence level of a transmission path of the first packet; determining a first intra-domain path identifier on the basis of a first BSID in the first BSID list, the first intra-domain path identifier indicating an SR path on which the first packet is transmitted in a first SR domain; generating a second packet on the basis of the first packet, the second packet carrying the first BSID list and the first intra-domain path identifier; forwarding the second packet. In the present application, the first BSID list is determined by means of the first trust level, which not only implements cross-SR domain packet transmission, but also implements confidentiality in cross-SR domain packet transmission.

Description

Message forwarding method, device, equipment, storage medium and computer program
This application claims priority to Chinese patent application No. 202211338787.3, filed on October 28, 2022 and entitled "Message forwarding method, device, equipment, storage medium and computer program", the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of communications, and in particular to a message forwarding method, apparatus, device, storage medium and computer program.
Background
Segment Routing (SR) is a source routing technology that supports deploying forwarding paths at the head node at the network entrance to forward packets, thereby achieving network programmability.
The current SR standard system divides the network into multiple SR domains. Within an SR domain, nodes outside the domain are by default considered untrusted, so when the head node of that SR domain receives a message from a node outside the domain it discards the message directly. This mechanism means that different SR domains cannot interconnect.
Summary of the invention
The present application provides a message forwarding method, device, equipment, storage medium and computer program, which can solve the problem in the related art that different SR domains cannot interconnect. The technical solution is as follows:
In a first aspect, a message forwarding method is provided. The method comprises: obtaining a first message, the first message carrying a first binding segment identifier (BSID) list, the first BSID list being determined based on a first trust level, the first trust level indicating the degree of trustworthiness of the transmission path of the first message, and the first BSID list indicating multiple segment routing (SR) domains used to transmit the first message; determining a first intra-domain path identifier based on a first BSID in the first BSID list, the first BSID indicating a first SR domain among the multiple SR domains, and the first intra-domain path identifier indicating the SR path on which the first message is transmitted within the first SR domain; generating a second message based on the first message, the second message carrying the first BSID list and the first intra-domain path identifier; and forwarding the second message.
Since the first BSID list indicates the multiple SR domains used to transmit the first message, the first BSID list enables the message to be transmitted across SR domains. Moreover, since the first trust level indicates the degree of trustworthiness of the transmission path of the first message, determining the first BSID list from the first trust level can meet the trustworthiness requirement on the transmission path when the message is transmitted across SR domains.
The head node is the first node of an SR path in the first SR domain, and the first SR domain is one of the multiple SR domains. The first SR domain may be the first of the multiple SR domains, or it may not be the first. The way the head node obtains the first message differs between these two cases, which are introduced separately below.
In the first case, the first SR domain is the first of the multiple SR domains. Here the head node receives a third message, which carries a source address, a destination address and the first trust level. The head node determines the first BSID list based on the source address, the destination address and the first trust level, and generates the first message based on the third message.
The head node may or may not be a border node of the first SR domain. If the head node is a border node of the first SR domain, the head node receives the third message, determines the first BSID list based on the source address, the destination address and the first trust level, and then generates the first message based on the third message. If the head node is not a border node of the first SR domain, the border node of the first SR domain receives the third message, determines the first BSID list based on the source address, the destination address and the first trust level, generates the first message based on the third message, and then transmits the first message to the head node, so that the head node directly receives the first message from the border node of the first SR domain.
To achieve confidentiality of message forwarding, the first trust level may be encapsulated in the first message. The first trust level indicates the degree of trustworthiness required of the transmission path when the first message is transmitted; only a transmission path whose degree of trustworthiness meets the trust level can become the actual transmission path.
The way the head node determines the first BSID list based on the source address, the destination address and the first trust level is the same as the way the border node does, so the head node is taken as the example below. The head node can determine the first BSID list based on the source address, the destination address and the first trust level in either of the following two ways:
In the first way, the head node obtains the first BSID list from a first routing table based on the source address, the destination address and the first trust level, where the first routing table stores the correspondence between source address, destination address, trust level and BSID list. Because the first routing table stores this correspondence, after receiving the third message the head node can use the source address, destination address and first trust level carried in the third message to look up the corresponding BSID list in the first routing table, and determine the obtained BSID list as the first BSID list.
In the second way, the head node sends an inter-domain path calculation request to the controller of the first SR domain, where the request carries the source address, the destination address and the first trust level; the head node then receives the first BSID list sent by the controller of the first SR domain.
After the head node sends the inter-domain path calculation request, the controller of the first SR domain receives it and, based on the source address, destination address and first trust level it carries, determines the first BSID list according to the relevant path calculation algorithm using the stored whole-network topology, the segment routing policy of each SR domain, and the BSID and trust level corresponding to each segment routing policy, and then sends the first BSID list to the head node.
In the present application, the head node may first query the first routing table based on the source address, the destination address and the first trust level to determine the first BSID list, and send an inter-domain path calculation request to the controller of the first SR domain only if it cannot obtain the first BSID list from the first routing table. Of course, the head node may also send the inter-domain path calculation request to the controller of the first SR domain directly, without querying the first routing table first.
To achieve cross-SR-domain transmission of messages, the segment routing policies of each SR domain, together with the BSID and trust level corresponding to each segment routing policy, need to be announced across the whole network. The present application provides several announcement methods, which are introduced separately below.
Announcement method 1: the head node sends a notification message carrying the first BSID, a first candidate path and a trust level, where the first candidate path is one candidate path corresponding to a first segment routing policy, the first segment routing policy is the segment routing policy corresponding to the first BSID, and the trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
In the present application, the same trust level may be set for each candidate path corresponding to a segment routing policy, so that the segment routing policy as a whole corresponds to one trust level. Of course, different trust levels may also be set for the candidate paths corresponding to a segment routing policy, so that one segment routing policy corresponds to multiple trust levels. Alternatively, trust levels may be set not for the candidate paths but for the intra-domain path identifiers corresponding to a candidate path; in that case, different trust levels may be set for the intra-domain path identifiers corresponding to one candidate path, so that one candidate path corresponds to multiple trust levels.
Moreover, one candidate path corresponds to one notification message, that is, one candidate path and its related information are announced by one notification message. For example, for the first candidate path above, the head node sends one notification message carrying the first BSID, the first candidate path and the trust level. When trust levels are set for candidate paths, the trust level carried in the notification message is the trust level of the first candidate path; when trust levels are set for the intra-domain path identifiers corresponding to candidate paths, the trust level carried is the trust level of each intra-domain path identifier corresponding to the first candidate path. Of course, multiple candidate paths may also correspond to one notification message, or one segment routing policy may correspond to one notification message; the present application does not limit this, and one candidate path per notification message is used as the example below.
The notification message may be a Border Gateway Protocol (BGP) update message. The BGP update message includes Network Layer Reachability Information (NLRI), the NLRI includes at least one Type-Length-Value (TLV) field, and the at least one TLV field is used to carry the first BSID and the trust level. In other words, the attribute information of the segment routing policy can be carried in the NLRI.
Optionally, the at least one TLV field is further used to carry a validity flag, which indicates that the first BSID is valid both in the first SR domain and in the other SR domains.
Announcement method 2: the controller of the first SR domain sends a notification message carrying the first BSID, the first candidate path and the trust level, where the trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
Announcement method 3: the controller of the first SR domain uploads the first BSID, the first candidate path and the trust level to a blockchain shared by the multiple SR domains, where the trust level is the trust level of the first candidate path, or the trust level of each intra-domain path identifier corresponding to the first candidate path.
Since the blockchain is shared by the multiple SR domains, after the controller of the first SR domain uploads the segment routing policies in the first SR domain, the BSID corresponding to each segment routing policy and the trust levels to the blockchain, the controllers of the other SR domains can obtain the segment routing policies in the first SR domain, the BSID corresponding to each segment routing policy and the trust levels. Likewise, after the controllers of the other SR domains upload the segment routing policies, BSIDs and trust levels of their respective SR domains to the blockchain, the controller of the first SR domain can obtain them as well.
The present application can announce the BSIDs and trust levels of the segment routing policies of each SR domain across the whole network, thereby ensuring that messages can be transmitted across SR domains. Moreover, when the BSID and trust level of a segment routing policy are announced by sending a notification message, the validity flag in the notification message indicates that the BSID of that segment routing policy is valid in multiple SR domains. In this way, when a message from one SR domain reaches the border node of another SR domain, the border node does not discard the message but parses the BSID and steers the message onto the corresponding transmission path, which guarantees cross-domain transmission of the message.
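The notification message and the border-node behaviour just described, as an added example that is not part of the patent: a toy NLRI made of TLV fields carrying the BSID, the trust level and the validity flag, and a border node that only steers a message arriving from another domain when the BSID on top was announced with the validity flag and its trust level meets the message's requirement. The TLV type codes, the trust-level scale and the BSIDs are assumptions made for this example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed TLV type codes for this example (not defined by the patent or by BGP).
TLV_BSID = 1            # value: 16-byte SRv6 binding SID
TLV_CANDIDATE_PATH = 2  # value: UTF-8 name of the candidate path
TLV_TRUST_LEVEL = 3     # value: 1 byte, higher means more trusted (assumed scale)
TLV_VALIDITY = 4        # value: 1 byte, 1 = BSID also valid in other SR domains


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (2 bytes, big-endian), Value."""
    return struct.pack("!BH", tlv_type, len(value)) + value


def decode_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse a TLV sequence; a truncated field is an error, never guessed."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 3:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BH", data, off)
        off += 3
        if len(data) - off < length:
            raise ValueError("truncated TLV value")
        out.append((tlv_type, data[off:off + length]))
        off += length
    return out


@dataclass(frozen=True)
class PolicyAnnouncement:
    """One candidate path of the policy identified by the BSID, with its trust level."""
    bsid: bytes
    candidate_path: str
    trust_level: int
    valid_cross_domain: bool


def build_nlri(ann: PolicyAnnouncement) -> bytes:
    """NLRI body of the notification message (one candidate path per message)."""
    return (
        encode_tlv(TLV_BSID, ann.bsid)
        + encode_tlv(TLV_CANDIDATE_PATH, ann.candidate_path.encode())
        + encode_tlv(TLV_TRUST_LEVEL, bytes([ann.trust_level]))
        + encode_tlv(TLV_VALIDITY, bytes([1 if ann.valid_cross_domain else 0]))
    )


def parse_nlri(data: bytes) -> PolicyAnnouncement:
    """Receiver side: BSID and trust level are mandatory, the validity flag optional."""
    fields = dict(decode_tlvs(data))
    if TLV_BSID not in fields or TLV_TRUST_LEVEL not in fields:
        raise ValueError("NLRI lacks the BSID or trust level TLV")
    if len(fields[TLV_BSID]) != 16 or len(fields[TLV_TRUST_LEVEL]) != 1:
        raise ValueError("malformed BSID or trust level TLV")
    return PolicyAnnouncement(
        bsid=fields[TLV_BSID],
        candidate_path=fields.get(TLV_CANDIDATE_PATH, b"").decode(),
        trust_level=fields[TLV_TRUST_LEVEL][0],
        # A missing flag means the BSID stays valid only inside its own domain.
        valid_cross_domain=fields.get(TLV_VALIDITY) == b"\x01",
    )


class BorderNode:
    """Border node of one SR domain: holds that domain's announced policies and
    decides whether a message with a BSID on top is steered or discarded."""

    def __init__(self) -> None:
        self.policies: Dict[bytes, PolicyAnnouncement] = {}

    def learn(self, nlri: bytes) -> None:
        ann = parse_nlri(nlri)
        self.policies[ann.bsid] = ann

    def admit(self, top_bsid: bytes, required_trust: int, from_outside: bool) -> bool:
        ann = self.policies.get(top_bsid)
        if ann is None:
            return False                        # unknown BSID: default deny
        if from_outside and not ann.valid_cross_domain:
            return False                        # not announced for other domains
        return ann.trust_level >= required_trust  # path must meet the trust level


def demo() -> Dict[str, bool]:
    """Constructed scenario: domain B announces one cross-domain path (trust 3)
    and one domain-local path (trust 5), then messages from domain A arrive."""
    bsid_pub = ipaddress.IPv6Address("2001:db8:b::1").packed   # constructed BSID
    bsid_loc = ipaddress.IPv6Address("2001:db8:b::2").packed   # constructed BSID
    node = BorderNode()
    node.learn(build_nlri(PolicyAnnouncement(bsid_pub, "cp-gold", 3, True)))
    node.learn(build_nlri(PolicyAnnouncement(bsid_loc, "cp-local", 5, False)))
    return {
        "cross-domain BSID, trust 3 required": node.admit(bsid_pub, 3, True),
        "cross-domain BSID, trust 4 required": node.admit(bsid_pub, 4, True),
        "domain-local BSID from outside": node.admit(bsid_loc, 1, True),
        "domain-local BSID from inside": node.admit(bsid_loc, 5, False),
    }
```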
第二种情况,第一SR域为该多个SR域中的非首个SR域。此时,头节点接收第一报文。第一报文来自于第一SR域的上一跳SR域的尾节点。In the second case, the first SR domain is not the first SR domain among the multiple SR domains. At this time, the head node receives the first message. The first message comes from the tail node of the previous SR domain of the first SR domain.
由于第一SR域为该多个SR域中的非首个SR域,因此,头节点可直接接收来自上一跳SR域的尾节点的第一报文,第一报文中携带了第一BSID列表。Since the first SR domain is not the first SR domain among the multiple SR domains, the head node can directly receive the first message from the tail node of the previous hop SR domain, and the first message carries the first BSID list.
由于第一BSID列表是基于第一信任级别确定的,所以,通过第一BSID列表指示的多个SR域来传输第一报文,能够满足第一报文在跨SR域传输时对传输路径的可信程度的要求。但是,一个BSID唯一标识一个分段路由策略,一个分段路由策略可能对应多个候选路径,每个候选路径可能对应多个域内路径标识,在为候选路径设置信任级别的情况下,该多个候选路径的信任级别可能相同,也可能存在不同。在为候选路径对应的域内路径标识设置信任级别的情况下,同一个候选路径对应的域内路径标识的信任级别存在不同。换言之,第一分段路由策略可能整体对应一个信任级别,也可能对应多个细粒度的信任级别。为了满足第一报文在第一SR域内传输时对传输路径的可信程度的要求,在不同的情况下,确定第一域内路径标识的方式不同,接下来将分别介绍。Since the first BSID list is determined based on the first trust level, transmitting the first message through multiple SR domains indicated by the first BSID list can meet the requirements of the first message on the trust level of the transmission path when it is transmitted across SR domains. However, a BSID uniquely identifies a segment routing strategy, and a segment routing strategy may correspond to multiple candidate paths. Each candidate path may correspond to multiple intra-domain path identifiers. When setting a trust level for the candidate path, the trust levels of the multiple candidate paths may be the same or different. When setting a trust level for the intra-domain path identifier corresponding to the candidate path, the trust levels of the intra-domain path identifier corresponding to the same candidate path are different. In other words, the first segment routing strategy may correspond to one trust level as a whole, or it may correspond to multiple fine-grained trust levels. In order to meet the requirements of the first message on the trust level of the transmission path when it is transmitted within the first SR domain, the methods of determining the first intra-domain path identifier are different in different situations, which will be introduced below.
In the first case, the first segment routing policy corresponds to a single trust level as a whole. That is, when trust levels are set for candidate paths, all candidate paths corresponding to the first segment routing policy have the same trust level. In this case, the head node determines the first intra-domain path identifier based on the first BSID.
In the second case, the first segment routing policy corresponds to multiple fine-grained trust levels. That is, when trust levels are set for candidate paths, the candidate paths corresponding to the first segment routing policy have different trust levels; or, when trust levels are set for the intra-domain path identifiers corresponding to a candidate path, the intra-domain path identifiers of the same candidate path have different trust levels. In this case, the head node determines the first intra-domain path identifier based on the first BSID and the first trust level.
The head node may determine the first intra-domain path identifier based on the first BSID and the first trust level in any of the following three manners, which are described below.
In the first manner, the head node obtains the first intra-domain path identifier from a second routing table based on the first BSID and the first trust level, where the second routing table stores the correspondence between BSIDs, trust levels and intra-domain path identifiers.
In the second manner, the head node determines the first segment routing policy corresponding to the first BSID, and then, based on the first trust level, selects one intra-domain path identifier from the intra-domain path identifiers corresponding to the first segment routing policy as the first intra-domain path identifier.
Because a BSID identifies a segment routing policy and the head node stores the segment routing policy corresponding to each BSID, the head node can determine the first segment routing policy from the first BSID. The first segment routing policy may correspond to one or more candidate paths. When it corresponds to a single candidate path, the head node can directly take that candidate path as the first candidate path and then select one intra-domain path identifier from those corresponding to the first candidate path as the first intra-domain path identifier.
As described above, a trust level may be set for a candidate path, or, instead of setting a trust level for the candidate path, a trust level may be set for each intra-domain path identifier corresponding to the candidate path. Therefore, when the first segment routing policy corresponds to multiple candidate paths, those candidate paths may have trust levels, and those trust levels may differ. Alternatively, the candidate paths may have no trust levels while the intra-domain path identifiers corresponding to each candidate path do, and the trust levels of the multiple intra-domain path identifiers corresponding to the same candidate path differ.
When the first segment routing policy corresponds to multiple candidate paths, each candidate path has a trust level, and those trust levels differ, the head node selects, from the candidate paths corresponding to the first segment routing policy, the candidate path whose trust level is the first trust level as the first candidate path, and then selects one intra-domain path identifier from those corresponding to the first candidate path as the first intra-domain path identifier.
When the first segment routing policy corresponds to multiple candidate paths, each candidate path corresponds to multiple intra-domain path identifiers, each intra-domain path identifier has a trust level, and the trust levels of the intra-domain path identifiers corresponding to the same candidate path differ, the head node may select one candidate path from those corresponding to the first segment routing policy as the first candidate path, and then select, from the intra-domain path identifiers corresponding to the first candidate path, the one whose trust level is the first trust level as the first intra-domain path identifier. That is, from the multiple SR paths associated with the first candidate path, the SR path whose trust level is the first trust level is selected, and the path identifier of the selected SR path is used as the first intra-domain path identifier.
Among the multiple SR paths associated with a candidate path there may be SR paths whose trust level is higher than the first trust level. Selecting the intra-domain path identifier whose trust level is exactly the first trust level prevents packets of a lower trust level from occupying transmission paths of a higher trust level, makes the fullest use of the trustworthiness of the transmission paths, and achieves the best forwarding efficiency.
In the third manner, the head node sends an intra-domain path computation request to the controller of the first SR domain, where the request carries the source address, the destination address and the first trust level; the head node then receives the first intra-domain path identifier sent by the controller of the first SR domain.
In this application, the head node may first query the second routing table based on the first BSID and the first trust level to determine the first intra-domain path identifier, and send an intra-domain path computation request to the controller of the first SR domain only when it cannot obtain the first intra-domain path identifier from the second routing table. Of course, the head node may also send the intra-domain path computation request to the controller of the first SR domain directly, without first querying the second routing table.
An intra-domain path identifier identifies one SR path within an SR domain, and that SR path can be identified by a SID list. In some cases the SR path can also be identified by a BSID list. For example, when the SR path is long, to avoid carrying many SIDs in the packet the SR path can be divided into multiple sub-paths, each sub-path is assigned a BSID, and the BSIDs of the sub-paths are combined into a BSID list that identifies the SR path. Therefore, the first intra-domain path identifier may be a SID list or a BSID list.
After the first BSID list has been determined from the first trust level, the first intra-domain path identifier determined from the first BSID in the first BSID list can likewise be determined based on the first trust level. In this way, on top of ensuring the confidentiality of the packet as it is transmitted across SR domains, the packet's trust requirement on its transmission path within a domain is also satisfied, further increasing the confidentiality of packet transmission.
The head node forwards the second packet to an intermediate node, which in turn forwards the second packet to the tail node. The intermediate node is an intermediate node of the SR path indicated by the first intra-domain path identifier, and the tail node is the last node of that SR path.
After an intermediate node receives the second packet, it updates the second packet and forwards the updated second packet to the next-hop node. That is, the intermediate node obtains the identifier of the next-hop node from the first intra-domain path identifier included in the second extension header, modifies the destination address in the second packet header to the identifier of the next-hop node, decrements the SL field in the second extension header by 1, and leaves the first extension header and the first packet header unchanged, thereby obtaining the updated second packet. It then forwards the updated packet to the next-hop node according to the next-hop node's identifier.
The first SR domain may or may not be the last SR domain among the multiple SR domains, and the tail node forwards the second packet differently in the two cases, which are described in turn below.
In the first case, the first SR domain is not the last of the multiple SR domains. The tail node generates an eighth packet based on the second packet, where the eighth packet carries the first BSID list. Based on the second BSID in the first BSID list, the tail node determines the outbound interface corresponding to a second SR domain, where the second SR domain is the next-hop SR domain of the first SR domain and the second BSID indicates the second SR domain; the tail node then forwards the eighth packet through the outbound interface corresponding to the head node of the second SR domain.
Because the first SR domain is not the last of the multiple SR domains, the second packet still needs to be forwarded to the next-hop SR domain, and it has already reached the tail node of the first SR domain. The tail node therefore pops the second extension header and the second packet header from the second packet, obtains the second BSID from the first BSID list in the first extension header, modifies the destination address in the first packet header to the second BSID, and decrements the SL field in the first extension header by 1, thereby obtaining the eighth packet.
In the second case, the first SR domain is the last of the multiple SR domains. The tail node pops the first BSID list and the first intra-domain path identifier from the second packet to obtain a third packet, which carries the source address, the destination address and the first trust level. The tail node forwards the third packet.
Because the first SR domain is the last of the multiple SR domains, transmission of the packet across SR domains is complete, so the tail node pops the first BSID list and the first intra-domain path identifier from the second packet to obtain the third packet and forwards it according to the destination address carried in the third packet. That is, the tail node pops the first extension header, the first packet header, the second extension header and the second packet header from the second packet to obtain the third packet, and then forwards it according to the destination address the third packet carries.
The multiple SR domains above can carry multiple data flows. Different data flows can be forwarded over the same SR path or over different SR paths. Moreover, for a single data flow, different packets of that flow can be forwarded over the same SR path or over different SR paths.
Optionally, the head node obtains a fourth packet that carries the first BSID list and belongs to a different data flow from the first packet; the head node determines the first intra-domain path identifier based on the first BSID; the head node generates a fifth packet based on the fourth packet, where the fifth packet carries the first BSID list and the first intra-domain path identifier; and the head node forwards the fifth packet. That is, different data flows can be forwarded over the same SR path.
Optionally, the head node obtains a sixth packet that carries the first BSID list and belongs to the same data flow as the first packet; the head node determines a second intra-domain path identifier based on the first BSID, where the second intra-domain path identifier indicates the SR path over which the sixth packet is transmitted within the first SR domain, and that SR path differs from the SR path indicated by the first intra-domain path identifier; the head node generates a seventh packet based on the sixth packet, where the seventh packet carries the first BSID list and the second intra-domain path identifier; and the head node forwards the seventh packet. That is, different packets of one data flow are forwarded over different SR paths.
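The head node, intermediate node and tail node steps described above (selection of the intra-domain path identifier by BSID and trust level in the second manner, the per-hop update, and the two ways the tail node forwards) as an added Python model; it is not part of the patent, and every address, BSID, policy and trust level in it is constructed.

```python
# Added example, not from the patent: a toy model of head, intermediate and
# tail node processing with the head node choosing the intra-domain path
# identifier by BSID and trust level (the "second manner" above).
# Every address, BSID, policy and trust level below is constructed.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Layer:
    """One packet header plus its extension header (SRH-style SID list).

    segments[0] is the last segment (tail); segments[-1] is the first (head).
    dst mirrors the destination address field of the packet header."""
    dst: str
    segments: tuple
    sl: int

    def advance(self) -> "Layer":
        """Per-node update from the text: SL -= 1, then DA := Segment List[SL]."""
        if self.sl == 0:
            raise ValueError("cannot advance past Segment List[0]")
        return replace(self, sl=self.sl - 1, dst=self.segments[self.sl - 1])


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    trust: int                     # first trust level, carried end to end
    outer: Optional[Layer] = None  # first header + first extension header (BSID list)
    inner: Optional[Layer] = None  # second header + second extension header (SID list)


# Constructed policies as stored on a head node, keyed by BSID. A policy is a list
# of candidate paths; each candidate path is a list of (SID list, trust level).
# Domain D1 offers a high-trust and a low-trust SR path, D2 only a low-trust one.
POLICIES = {
    "bsid:D1": [[(("fd00:1::4", "fd00:1::3", "fd00:1::1"), 3),
                 (("fd00:1::4", "fd00:1::5", "fd00:1::1"), 1)]],
    "bsid:D2": [[(("fd00:2::9", "fd00:2::8", "fd00:2::7"), 1)]],
}

# Constructed first packet as received from the previous domain's tail node:
# BSID list (D1 then D2), with SL pointing at D1's BSID.
FIRST_PACKET = Packet(src="2001:db8::a", dst="2001:db8::b", trust=1,
                      outer=Layer(dst="bsid:D1", segments=("bsid:D2", "bsid:D1"), sl=1))


def select_path(bsid: str, trust: int) -> Optional[tuple]:
    """Second manner: resolve the policy for the BSID, then take the intra-domain
    path identifier whose trust level equals the packet's. An exact match keeps
    low-trust packets off high-trust paths; None means no path fits (the text
    lets the head node ask the controller in that case, not modelled here)."""
    for candidate in POLICIES.get(bsid, []):
        for sid_list, level in candidate:
            if level == trust:
                return sid_list
    return None


def head_node(pkt: Packet) -> Packet:
    """Build the second packet: the first BSID is the current outer destination,
    push the chosen SID list as the inner layer and step to the first hop."""
    bsid = pkt.outer.segments[pkt.outer.sl]
    sid_list = select_path(bsid, pkt.trust)
    if sid_list is None:
        raise LookupError(f"no SR path behind {bsid} with trust level {pkt.trust}")
    inner = Layer(dst=sid_list[-1], segments=sid_list, sl=len(sid_list) - 1)
    return replace(pkt, inner=inner.advance())


def intermediate_node(pkt: Packet) -> Packet:
    """Only the second header/extension header change; the first ones stay intact."""
    return replace(pkt, inner=pkt.inner.advance())


def tail_node(pkt: Packet) -> Packet:
    """Pop the inner layer. Not the last domain: step the BSID list to the next
    domain (eighth packet). Last domain: pop the BSID list too (third packet)."""
    if pkt.inner.sl != 0:
        raise ValueError("tail node reached with inner Segments Left != 0")
    if pkt.outer.sl > 0:
        return replace(pkt, inner=None, outer=pkt.outer.advance())
    return replace(pkt, inner=None, outer=None)


def forward(pkt: Packet) -> tuple:
    """Walk the packet through every domain on its BSID list; return the visited
    node SIDs in order and the final packet."""
    visited = []
    while pkt.outer is not None:
        pkt = head_node(pkt)
        visited.append(pkt.inner.segments[-1])
        while pkt.inner.sl > 0:
            visited.append(pkt.inner.dst)
            pkt = intermediate_node(pkt)
        visited.append(pkt.inner.dst)
        pkt = tail_node(pkt)
    return tuple(visited), pkt


if __name__ == "__main__":
    route, third = forward(FIRST_PACKET)
    print(" -> ".join(route))
    print(third)
```

A trust-level-3 packet stops at D2's head node with LookupError, since D2 has no path of that level; the model does not fall back to the controller request of the third manner.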
In a second aspect, a packet forwarding method is provided, the method comprising:
A head node obtains a first packet, where the first packet carries a first binding segment identifier (BSID) list, the first BSID list is determined based on a first trust level, the first trust level indicates the degree of trustworthiness of the transmission path of the first packet, and the first BSID list indicates multiple segment routing (SR) domains used to transmit the first packet; the head node determines a first intra-domain path identifier based on a first BSID in the first BSID list, where the first BSID indicates a first SR domain among the multiple SR domains and the first intra-domain path identifier indicates the SR path over which the first packet is transmitted within the first SR domain; the head node generates a second packet based on the first packet, where the second packet carries the first BSID list and the first intra-domain path identifier; the head node forwards the second packet to a tail node via an intermediate node; and the tail node forwards the second packet.
Optionally, the first SR domain is not the last SR domain among the multiple SR domains, and the tail node forwarding the second packet comprises: the tail node generates an eighth packet based on the second packet, where the eighth packet carries the first BSID list; the tail node determines, based on a second BSID in the first BSID list, the outbound interface corresponding to a second SR domain, where the second SR domain is the next-hop SR domain of the first SR domain and the second BSID indicates the second SR domain; and the tail node forwards the eighth packet through the outbound interface.
Optionally, the first SR domain is the last SR domain among the multiple SR domains, and the tail node forwarding the second packet comprises: the tail node pops the first BSID list and the first intra-domain path identifier from the second packet to obtain a third packet, where the third packet carries a source address, a destination address and the first trust level; and the tail node forwards the third packet.
Optionally, the method further comprises: the controller of the first SR domain sends an advertisement packet carrying the first BSID, a first candidate path and a trust level, where the first candidate path is a candidate path corresponding to a first segment routing policy, the first segment routing policy is the segment routing policy corresponding to the first BSID, and the trust level is the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
Optionally, the advertisement packet is a Border Gateway Protocol (BGP) update message, the BGP update message includes network layer reachability information (NLRI), the NLRI includes at least one type-length-value (TLV) field, and the at least one TLV field carries the first BSID and the trust level.
Optionally, the method further comprises: the controller of the first SR domain uploads the first BSID, the first candidate path and the trust level to a blockchain shared by the multiple SR domains, where the first candidate path is a candidate path corresponding to a first segment routing policy, the first segment routing policy is the segment routing policy corresponding to the first BSID, and the trust level is the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
In a third aspect, a packet forwarding apparatus is provided, which has the function of implementing the behaviour of the packet forwarding method in the first aspect above. The packet forwarding apparatus includes at least one module, which is configured to implement the packet forwarding method provided in the first aspect above.
In a fourth aspect, a packet forwarding system is provided, which has the function of implementing the behaviour of the packet forwarding method in the second aspect above.
In a fifth aspect, a network device is provided, comprising a processor and a memory, where the memory stores a computer program for performing the packet forwarding method provided in the first aspect above, and the processor is configured to execute the computer program stored in the memory so as to implement the packet forwarding method described in the first aspect above.
Optionally, the network device may further include a communication bus for establishing a connection between the processor and the memory.
In a sixth aspect, a computer-readable storage medium is provided, which stores instructions that, when run on a computer, cause the computer to perform the steps of the packet forwarding method described in the first aspect above.
In a seventh aspect, a computer program product comprising instructions is provided which, when the instructions are run on a computer, causes the computer to perform the steps of the packet forwarding method described in the first aspect above. In other words, a computer program is provided which, when run on a computer, causes the computer to perform the steps of the packet forwarding method described in the first aspect above.
The technical effects obtained by the second to seventh aspects above are similar to those obtained by the corresponding technical means of the first aspect and are not repeated here.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic structural diagram of an SRH extension header according to an embodiment of this application;
FIG. 2 is a schematic diagram of an implementation environment according to an embodiment of this application;
FIG. 3 is a schematic structural diagram of a segment routing policy according to an embodiment of this application;
FIG. 4 is a schematic structural diagram of a network device according to an embodiment of this application;
FIG. 5 is a schematic diagram of an implementation environment in a core network scenario according to an embodiment of this application;
FIG. 6 is a schematic diagram of an implementation environment in an SD-WAN scenario according to an embodiment of this application;
FIG. 7 is a schematic diagram of an implementation environment in a cross-AS-domain scenario according to an embodiment of this application;
FIG. 8 is a flowchart of a packet forwarding method according to an embodiment of this application;
FIG. 9 is a schematic diagram of a TLV field according to an embodiment of this application;
FIG. 10 is a schematic diagram of another TLV field according to an embodiment of this application;
FIG. 11 is a schematic diagram of interconnecting different SR domains through a blockchain according to an embodiment of this application;
FIG. 12 is a schematic diagram of generating a first packet according to an embodiment of this application;
FIG. 13 is a schematic diagram of generating a second packet according to an embodiment of this application;
FIG. 14 is a schematic diagram of a packet forwarding procedure according to an embodiment of this application;
FIG. 15 is a schematic diagram of forwarding different data flows according to an embodiment of this application;
FIG. 16 is a schematic diagram of forwarding different packets of the same data flow according to an embodiment of this application;
FIG. 17 is a schematic diagram of a packet forwarding apparatus according to an embodiment of this application.
DETAILED DESCRIPTION OF EMBODIMENTS
To make the objectives, technical solutions and advantages of this application clearer, the implementations of this application are described in further detail below with reference to the accompanying drawings.
SR is a technology that deploys an SR path at the head node at the network ingress in order to forward packets. SR can forward Internet Protocol version 6 (IPv6) packets, Internet Protocol version 4 (IPv4) packets, Multiprotocol Label Switching (MPLS) packets and so on. IPv6 packets are taken as the example in what follows.
Forwarding IPv6 packets through SR is called SRv6, and an SR path used to forward IPv6 packets is called an SRv6 path. In SRv6 a segment identifier (SID) list is inserted into the IPv6 packet, and each node on the SRv6 path uses this SID list to keep updating the destination address in the IPv6 header, completing hop-by-hop forwarding of the IPv6 packet. The SID list includes multiple SIDs that identify the nodes on the SRv6 path, and the SID list can be carried in the IPv6 packet as an extension header; that is, an extension header containing the SID list is inserted into the IPv6 packet.
In some embodiments the extension header may be a segment routing header (SRH). One possible SRH structure is shown in FIG. 1; its key fields are described here.
1. Next Header, 8 bits: identifies the type of the header that immediately follows the SRH.
2. Hdr Ext Len, 8 bits: the length of the SRH excluding the first 8 bytes (which have a fixed length).
3. Routing Type, 8 bits, with value 4: indicates that the current extension header is an SRH.
4. Segments Left (SL), 8 bits: the number of intermediate nodes that still have to be visited before the tail node of the SRv6 path is reached.
5. Last Entry, 8 bits: the index of the last element in the SID list.
6. Flags, 8 bits: flags for the packet.
7. Tag, 16 bits: identifies packets of the same group.
8. SID list (Segment List[0] to Segment List[n]), 128 bits per entry, encoded starting from the last segment of the SRv6 path. Each Segment List entry has the form of an IPv6 address.
Segment List[0] indicates the last node on the SRv6 path, i.e. the tail node; Segment List[1] indicates the second-to-last node on the SRv6 path; Segment List[n-1] indicates the second node on the SRv6 path; and Segment List[n] indicates the first node on the SRv6 path, i.e. the head node.
When the SID list is carried in the SRH described above, each node that the IPv6 packet passes through during forwarding modifies the destination address in the IPv6 header to the SID of the next-hop node according to the SID list and decrements the SL field in the SRH by 1. That is, in SRv6 the destination address in the IPv6 header identifies only the next-hop node of the packet and changes continuously rather than remaining fixed; it is determined jointly by the SL field and the SID list in the SRH. For example, if the value of the SL field is n, the destination address in the IPv6 header is the value of Segment List[n]; if SL is n-1, it is the value of Segment List[n-1]; if SL is 1, it is the value of Segment List[1]; and if SL is 0, it is the value of Segment List[0].
IPv4 packets and MPLS packets are forwarded through SR in a similar way. For example, when IPv4 packets are forwarded through SR, the packet header above is an IPv4 header and the Segment List entries in the SID list are IPv4 addresses. When MPLS packets are forwarded through SR, the Segment List entries are MPLS labels, and the SID list may then also be called an MPLS label stack; unlike SRv6, however, SR MPLS forwards MPLS packets by swapping the MPLS labels in the packet.
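The SRH fields listed above and the per-hop SL/destination update, as an added Python encoder, validating parser and hop walker; this is not code from the patent. It assumes the RFC 8754 layout with no TLVs after the SID list, so Hdr Ext Len counts 8-octet units after the fixed 8 bytes (2 per segment), and all addresses are constructed.

```python
# Added example, not from the patent: encode and decode the SRH fields listed
# above (the RFC 8754 layout) and apply the per-hop update on the raw bytes.
# Assumptions: no TLVs follow the SID list, so Hdr Ext Len (in 8-octet units,
# excluding the fixed first 8 bytes) is 2 per 128-bit segment. Addresses are
# constructed.
import struct
import ipaddress

ROUTING_TYPE_SRH = 4   # Routing Type value that marks an SRH
FIXED_LEN = 8          # the fixed first 8 bytes of the SRH
# Constructed SID list: Segment List[0] is the tail, Segment List[3] the head.
SAMPLE_SEGMENTS = ["fd00::4", "fd00::3", "fd00::2", "fd00::1"]


def build_srh(next_header: int, segments: list, segments_left: int,
              flags: int = 0, tag: int = 0) -> bytes:
    """Encode Next Header, Hdr Ext Len, Routing Type, SL, Last Entry, Flags,
    Tag and the 128-bit Segment List entries in wire order."""
    if not segments or segments_left > len(segments) - 1:
        raise ValueError("Segments Left must not exceed Last Entry")
    last_entry = len(segments) - 1
    fixed = struct.pack("!BBBBBBH", next_header, 2 * len(segments),
                        ROUTING_TYPE_SRH, segments_left, last_entry, flags, tag)
    return fixed + b"".join(ipaddress.IPv6Address(s).packed for s in segments)


def parse_srh(srh: bytes) -> dict:
    """Decode an SRH, rejecting the length and index inconsistencies that a
    forwarder has to check before it trusts SL as an index into the list."""
    if len(srh) < FIXED_LEN:
        raise ValueError("SRH shorter than the fixed 8-byte part")
    nh, hdr_ext_len, rtype, sl, last_entry, flags, tag = struct.unpack(
        "!BBBBBBH", srh[:FIXED_LEN])
    if rtype != ROUTING_TYPE_SRH:
        raise ValueError(f"not an SRH: Routing Type {rtype}")
    if len(srh) != FIXED_LEN + 8 * hdr_ext_len or hdr_ext_len % 2:
        raise ValueError("Hdr Ext Len does not match the buffer length")
    n_segments = hdr_ext_len // 2
    if last_entry != n_segments - 1 or sl > last_entry:
        raise ValueError("Last Entry / Segments Left inconsistent with the SID list")
    segments = [str(ipaddress.IPv6Address(srh[FIXED_LEN + 16 * i:FIXED_LEN + 16 * i + 16]))
                for i in range(n_segments)]
    return {"next_header": nh, "hdr_ext_len": hdr_ext_len, "segments_left": sl,
            "last_entry": last_entry, "flags": flags, "tag": tag,
            "segments": segments}


def next_hop(srh: bytes) -> tuple:
    """Per-node processing from the text: SL -= 1, then the new destination
    address is Segment List[SL]. Returns (new DA, updated SRH bytes)."""
    fields = parse_srh(srh)
    if fields["segments_left"] == 0:
        raise ValueError("already at the tail node (Segments Left == 0)")
    sl = fields["segments_left"] - 1
    updated = srh[:3] + bytes([sl]) + srh[4:]   # SL is the 4th byte of the SRH
    return fields["segments"][sl], updated


def walk(srh: bytes) -> list:
    """Destination addresses written hop by hop until SL reaches 0 (the tail)."""
    hops = []
    while parse_srh(srh)["segments_left"] > 0:
        da, srh = next_hop(srh)
        hops.append(da)
    return hops


if __name__ == "__main__":
    srh = build_srh(41, SAMPLE_SEGMENTS, segments_left=3)   # 41: IPv6-in-IPv6
    print(parse_srh(srh))
    print(" -> ".join(walk(srh)))
```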
Please refer to FIG. 2, which is a schematic diagram of an implementation environment provided by an embodiment of the present application. The implementation environment includes a first user-side device 201, a second user-side device 202 and multiple network devices 203. The first user-side device 201 and the second user-side device 202 are devices that process services on the user side, and the multiple network devices 203 are devices on the operator's network side that forward packets according to SR technology. The first user-side device 201 and the second user-side device 202 communicate through some or all of the multiple network devices 203. That is, the first user-side device 201 can send packets to the second user-side device 202 through some or all of the multiple network devices 203, and the second user-side device 202 can likewise send packets to the first user-side device 201 through some or all of the multiple network devices 203.
The multiple network devices 203 are divided into multiple SR domains; each SR domain corresponds to at least one controller, and different SR domains correspond to different controllers. The network devices 203 in each SR domain are communicatively connected to the controller of the SR domain they belong to. For example, each network device in SR domain 1 in FIG. 2 is communicatively connected to controller 1 corresponding to SR domain 1, and each network device in SR domain 2 is communicatively connected to controller 2 corresponding to SR domain 2. For any one of the multiple SR domains, the corresponding controller receives the device information reported by each network device 203 in that SR domain in order to collect the network topology information of the SR domain, and generates at least one segment routing policy (SR Policy) based on that topology information; each segment routing policy corresponds to one head node, which is a network device 203 in the SR domain. The controller then assigns a corresponding binding segment identifier (Binding SID, BSID) and a trust level to each segment routing policy, and delivers the segment routing policies, together with the BSID and trust level corresponding to each, to their respective head nodes. After the controller of every SR domain has delivered its segment routing policies in this way, the multiple network devices 203 can forward packets between the first user-side device 201 and the second user-side device 202 according to the BSID, trust level and SID list corresponding to the segment routing policies.
A segment routing policy is globally and uniquely identified by <head node identifier, color, tail node identifier>. The head node identifier identifies the head node corresponding to the segment routing policy, and the tail node identifier identifies its tail node. Multiple segment routing policies may exist between the head node and the tail node, and the color identifies one of them; that is, the color distinguishes the multiple segment routing policies between the head node and the tail node. Moreover, a color can be associated with one or more service requirement templates, for example low latency, low jitter, low packet loss rate and so on. The SR path indicated by a segment routing policy can be determined according to the color; in other words, the color in a segment routing policy indicates the service requirement corresponding to the SR path that the policy indicates. For example, if the service requirement template associated with the color in a segment routing policy is a low-latency template, packets forwarded along the SR path indicated by that policy experience relatively low delay.
Please refer to FIG. 3. A segment routing policy can be associated with multiple candidate paths (Candidate Path), and each candidate path is associated with a preference (Preference). When there are multiple candidate paths, the candidate path with the highest preference is selected as the main path and the remaining candidate paths serve as backup paths. A candidate path is uniquely identified by <protocol origin, originator, discriminator>: the protocol origin (Protocol-origin) describes the protocol or means by which the candidate path was generated; the originator (Originator) describes the node that generated the candidate path; and the discriminator (Discriminator) distinguishes different candidate paths under the same <protocol origin, originator>. There are currently three kinds of candidate paths, as follows:
Explicit candidate path (Explicit Candidate Path): an explicit candidate path is associated with one or more SID lists, and each SID list explicitly indicates which nodes the corresponding SR path passes through, which forwarding operations need to be performed, and so on. In addition, each SID list is associated with a weight (Weight) value; the weight values associated with multiple SID lists control the proportion of traffic sent over the SR paths indicated by those SID lists, thereby achieving load sharing.
Dynamic candidate path (Dynamic Candidate Path): a dynamic candidate path does not specify nodes directly, but is associated with an optimization problem (comprising an optimization objective and constraints); any path that satisfies the conditions when the optimization problem is solved can become an actual SR path.
Composite candidate path (Composite Candidate Path): a composite candidate path is a combination of a group of segment routing policies.
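A minimal model of the SR Policy structure described above (policy identified by <head node, color, tail node> and bound to a BSID; candidate paths identified by <Protocol-origin, Originator, Discriminator> with a preference; weighted SID lists on an explicit candidate path), as an added example that is not part of the patent. Main-path selection and the weight-proportional split follow the text; the per-flow hashing scheme and all identifiers are constructed for illustration.

```python
"""Added example (not from the patent): SR Policy, candidate paths and weighted SID lists."""
from dataclasses import dataclass, field
import hashlib


@dataclass
class SidList:
    sids: list          # segments of the explicit SR path
    weight: int = 1     # Weight used for load sharing between SID lists


@dataclass
class CandidatePath:
    protocol_origin: str
    originator: str
    discriminator: int
    preference: int
    sid_lists: list = field(default_factory=list)

    def identifier(self):
        """<Protocol-origin, Originator, Discriminator> uniquely identifies the path."""
        return (self.protocol_origin, self.originator, self.discriminator)


@dataclass
class SrPolicy:
    head_node: str
    color: int          # the color associates service requirement templates
    tail_node: str
    bsid: str           # binding SID that steers packets onto this policy
    candidate_paths: list = field(default_factory=list)

    def identifier(self):
        """<head node, color, tail node> globally identifies the policy."""
        return (self.head_node, self.color, self.tail_node)

    def ranked_paths(self):
        """Candidate paths by descending preference; index 0 is the main path."""
        return sorted(self.candidate_paths, key=lambda cp: cp.preference, reverse=True)

    def main_path(self):
        ranked = self.ranked_paths()
        if not ranked:
            raise ValueError("policy has no candidate path")
        return ranked[0]

    def backup_paths(self):
        return self.ranked_paths()[1:]

    def select_sid_list(self, flow_id):
        """Weight-proportional choice of a SID list on the main path for one
        flow. Hashing the flow identifier keeps a flow on one SID list."""
        main = self.main_path()
        total = sum(sl.weight for sl in main.sid_lists)
        point = int.from_bytes(hashlib.sha256(flow_id.encode()).digest()[:4], "big") % total
        for sl in main.sid_lists:
            if point < sl.weight:
                return sl
            point -= sl.weight
        raise AssertionError("unreachable: point is always below the total weight")


def traffic_share(policy, flows):
    """Fraction of flows placed on each SID list (by index) of the main path."""
    main = policy.main_path()
    counts = {}
    for flow in flows:
        idx = main.sid_lists.index(policy.select_sid_list(flow))
        counts[idx] = counts.get(idx, 0) + 1
    return {i: c / len(flows) for i, c in counts.items()}


# Constructed policy: the preferred candidate path splits traffic 3:1 across
# two SID lists; the lower-preference path is a backup.
POLICY = SrPolicy(
    head_node="2001:db8::1", color=100, tail_node="2001:db8::9", bsid="2001:db8:ff::100",
    candidate_paths=[
        CandidatePath("PCEP", "controller-1", 1, preference=200, sid_lists=[
            SidList(["2001:db8::2", "2001:db8::9"], weight=3),
            SidList(["2001:db8::3", "2001:db8::9"], weight=1)]),
        CandidatePath("BGP", "controller-1", 2, preference=100, sid_lists=[
            SidList(["2001:db8::4", "2001:db8::9"])]),
    ],
)

if __name__ == "__main__":
    print("policy", POLICY.identifier(), "main path", POLICY.main_path().identifier())
    print("share", traffic_share(POLICY, [f"flow-{i}" for i in range(4000)]))
```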
The trust level indicates the trustworthiness of the corresponding transmission path. In the embodiments of the present application, the trustworthiness of a transmission path is divided into the following five levels:
(1) Untrusted (untrusted): the packet forwarding service involves no sensitive or high-value data, and even attacks such as data theft or data tampering would cause no loss to the user or the service provider. There is therefore no requirement on the trustworthiness of the transmission path, and even an untrusted transmission path can forward the packets.
(2) Minimally trusted (minimally trusted): the data involved in the packet forwarding service is public (public) and of low value (low value) only; attacks such as data theft or data tampering during forwarding would cause routine consequences (routine consequence) for the user and the service provider. A transmission path of minimal trustworthiness can therefore be used to forward such a service.
(3) Moderately trusted (moderately trusted): the packet forwarding service involves confidential (confidential) data of medium value (medium value); attacks such as data theft or data tampering would cause significant consequences (significant consequence). A moderately trusted transmission path is therefore required to forward such a service.
(4) Highly trusted (highly trusted): the packet forwarding service involves secret (secret) data of high value (high value); attacks such as data theft or data tampering would cause critical consequences (critical consequence). A highly trusted transmission path is therefore required to transmit this service.
(5) Fully trusted (fully trusted): the data transmission service involves top secret (top secret) data of extremely high value (extremely high value); attacks such as data theft or data tampering would cause critical consequences (critical consequence). A fully trusted transmission path is therefore required to transmit this service.
For ease of description, the numbers 0 to 4 may be used to denote the different trust levels: 0 denotes untrusted, 1 minimally trusted, 2 moderately trusted, 3 highly trusted and 4 fully trusted.
It should be noted that the first user-side device 201 and the second user-side device 202 may be network devices on the user side, such as customer edge routers. The network device 203 may be a network device on the operator side, such as a provider edge router or a provider backbone router. A BSID identifies a segment routing policy and provides functions such as traffic steering and the stitching of SR paths. If a packet carries the BSID of a segment routing policy, it is steered to the head node of that policy and enters the corresponding SR path.
Please refer to FIG. 4, which is a schematic structural diagram of a network device according to an embodiment of the present application. The network device 400 may be any of the first user-side device 201, the second user-side device 202 and the network device 203 shown in FIG. 2. The network device 400 may be a switch, a router or another network device that forwards packets. In this embodiment, the network device 400 includes a main control board 410, an interface board 430 and an interface board 440. When there are multiple interface boards, a switching fabric board (not shown in the figure) may also be included; the switching fabric board exchanges data between the interface boards (an interface board is also called a line card or service board).
The main control board 410 performs functions such as system management, device maintenance and protocol processing. The interface boards 430 and 440 provide one or more network interfaces 433 or 443, for example Ethernet (ethernet), fast Ethernet (fast ethernet, FE) or gigabit Ethernet (gigabit ethernet, GE) interfaces, through which packets are forwarded. The main control board 410, the interface board 430 and the interface board 440 are connected to the system backplane through the system bus so that they can communicate with one another. The interface board 430 includes one or more processors 431. The processor 431 controls and manages the interface board, communicates with the central processing unit 412 on the main control board, and performs packet forwarding. The memory 432 on the interface board 430 stores forwarding entries, and the processor 431 forwards packets by looking up the forwarding entries stored in the memory 432. The packet forwarding process is described in the following embodiments and is not elaborated here.
It can be understood that, as shown in FIG. 4, the embodiment of the present application includes multiple interface boards and adopts a distributed forwarding mechanism. Under this mechanism the operation of the interface board 440 is essentially the same as that of the interface board 430, so for brevity it is not repeated. In addition, the processor 431 and/or 441 in the interface board 430 in FIG. 4 may be dedicated hardware or a chip, such as a network processor or an application specific integrated circuit (ASIC), implementing the functions above; this implementation is commonly referred to as a forwarding plane that uses dedicated hardware or chip processing. In other embodiments, the processor 431 and/or 441 may also be a general-purpose processor, such as a general-purpose CPU, implementing the functions described above.
In addition, it should be noted that there may be one or more main control boards; when there are multiple, they may include an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the device, the more interface boards it provides. When there are multiple interface boards, they can communicate through one or more switching fabric boards, and when there are multiple such boards they can jointly provide load sharing and redundant backup. In a centralized forwarding architecture the device may need no switching fabric board, and the interface board handles the processing of service data for the entire system. In a distributed forwarding architecture the device includes multiple interface boards, and data exchange between them is realized through the switching fabric board, providing large-capacity data exchange and processing capability. The data access and processing capability of a network device with a distributed architecture is therefore greater than that of a device with a centralized architecture. Which architecture is adopted depends on the specific networking deployment scenario, and no limitation is made here.
In a specific embodiment, the memory 432 may be a read-only memory (read-only memory, ROM) or another type of static storage device that can store static information and instructions, a random access memory (random access memory, RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (electrically erasable programmable read-only memory, EEPROM), a compact disc read-only memory (compact disc read-only memory, CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk or other magnetic storage device, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory 432 may exist independently and be connected to the processor 431 through a communication bus, or the memory 432 may be integrated with the processor 431.
The memory 432 stores program code for executing the solution of the present application, and the processor 431 may execute the program code stored in the memory 432 to control execution, so as to implement the packet forwarding method provided in the embodiment of FIG. 8 below. The program code stored in the memory 432 may include one or more software modules.
The packet forwarding method provided in the embodiments of the present application can be applied to a variety of scenarios, several of which are introduced below.
Please refer to FIG. 5, which is a schematic diagram of an implementation environment in which the packet forwarding method provided by an embodiment of the present application is applied to a core network scenario. The implementation environment includes a user terminal, a base station, user plane function (User Plane Function, UPF) 1, UPF 2 and a data network. The UPF is an important component of the core network system architecture and is mainly responsible for routing and forwarding user-plane data packets within the core network. When the user terminal communicates with the data network, confidential transmission of packets can be achieved through the packet forwarding method provided by the embodiment of the present application.
Please refer to FIG. 6, which is a schematic diagram of an implementation environment in which the packet forwarding method provided by an embodiment of the present application is applied to a software-defined wide area network (Software Defined Wide Area Network, SD-WAN) scenario. The implementation environment includes an enterprise branch site A, an enterprise branch site B, an SD-WAN controller, an SRv6 controller and multiple network nodes of the Internet. The SD-WAN controller is communicatively connected to the enterprise branch site A, the enterprise branch site B and the SRv6 controller; the SRv6 controller is communicatively connected to the multiple network nodes in the Internet; the enterprise branch site A accesses the Internet through the edge node E1 among those nodes, and the enterprise branch site B accesses the Internet through the edge node E2 among those nodes. When the enterprise branch site A communicates with the enterprise branch site B, confidential transmission of packets can be achieved through the packet forwarding method provided by the embodiment of the present application. That is, the method provided by the embodiments of the present application can support trusted interconnection between different enterprise branch sites.
Please refer to FIG. 7, which is a schematic diagram of an implementation environment in which the packet forwarding method provided by an embodiment of the present application is applied to a scenario spanning autonomous system (Autonomous system, AS) domains. The implementation environment includes a source end, AS domain 1, AS domain 2 and a destination end. AS domain 1 and AS domain 2 each include multiple network nodes. When the source end needs to communicate with the destination end through AS domain 1 and then AS domain 2 in sequence, confidential transmission of packets can be achieved through the packet forwarding method provided by the embodiment of the present application. That is, the method provided by the embodiments of the present application can realize end-to-end trusted transmission.
FIG. 8 is a flowchart of a packet forwarding method provided by an embodiment of the present application. The method is used to forward packets across multiple SR domains; one of the SR domains is taken as an example in the description below. Referring to FIG. 8, the method includes the following steps.
Step 801: the head node obtains a first packet. The first packet carries a first BSID list; the first BSID list is determined based on a first trust level; the first trust level indicates the required trustworthiness of the transmission path of the first packet; and the first BSID list indicates the multiple SR domains used to transmit the first packet.
The head node is the first node of an SR path in a first SR domain, and the first SR domain is one of the multiple SR domains. The first SR domain may be the first of the multiple SR domains, or it may not be the first. The head node obtains the first packet in different ways in these two cases, which are introduced in turn.
In the first case, the first SR domain is the first of the multiple SR domains. Here the head node receives a third packet that carries a source address, a destination address and the first trust level. The head node determines the first BSID list based on the source address, the destination address and the first trust level, and generates the first packet based on the third packet.
The head node may or may not be a border node of the first SR domain. If the head node is a border node of the first SR domain, the head node receives the third packet, determines the first BSID list based on the source address, the destination address and the first trust level, and then generates the first packet based on the third packet. If the head node is not a border node of the first SR domain, a border node of the first SR domain receives the third packet, determines the first BSID list based on the source address, the destination address and the first trust level, generates the first packet based on the third packet, and then transmits the first packet to the head node; in this way the head node directly receives the first packet from the border node of the first SR domain.
As described above, the first user-side device can send packets to the second user-side device, and the second user-side device can send packets to the first user-side device. If the first user-side device currently needs to send the first packet to the second user-side device, the source address in the first packet is the address of the first user-side device and the destination address is the address of the second user-side device. If the second user-side device currently needs to send the first packet to the first user-side device, the source address in the first packet is the address of the second user-side device and the destination address is the address of the first user-side device.
To achieve confidentiality in packet forwarding, the first trust level may be encapsulated in the first packet. The first trust level indicates the trustworthiness required of the transmission path when the first packet is transmitted; only a transmission path whose trustworthiness meets the trust level can become the actual transmission path.
The way the head node determines the first BSID list based on the source address, the destination address and the first trust level is the same as the way the border node does so, and the head node is taken as the example below. The head node can determine the first BSID list based on the source address, the destination address and the first trust level in the following two ways:
In the first way, the head node obtains the first BSID list from a first routing table based on the source address, the destination address and the first trust level. The first routing table stores the correspondence between source address, destination address, trust level and BSID list.
Since the first routing table stores the correspondence between source address, destination address, trust level and BSID list, after receiving the third packet the head node can use the source address, destination address and first trust level carried in the third packet to obtain the corresponding BSID list from that correspondence in the first routing table, and determine the obtained BSID list as the first BSID list.
The first routing table is generated in advance. That is, the head node needs to obtain in advance the topology of the whole network, the segment routing policies of each SR domain, and the BSID and trust level corresponding to each segment routing policy, and then generate the first routing table.
In the second way, the head node sends an inter-domain path computation request to the controller of the first SR domain, the request carrying the source address, the destination address and the first trust level; the head node then receives the first BSID list sent by the controller of the first SR domain.
After the head node sends the inter-domain path computation request to the controller of the first SR domain, the controller receives the request and, based on the source address, the destination address and the first trust level it carries, determines the first BSID list according to a path computation algorithm using the stored topology of the whole network, the segment routing policies of each SR domain, and the BSID and trust level corresponding to each segment routing policy, and then sends the first BSID list to the head node.
In the embodiments of the present application, the head node may first query the first routing table based on the source address, the destination address and the first trust level to determine the first BSID list, and send the inter-domain path computation request to the controller of the first SR domain only if it cannot obtain the first BSID list from the first routing table. Of course, the head node may also send the inter-domain path computation request to the controller of the first SR domain directly, without querying the first routing table first.
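The two ways of determining the first BSID list described above (first routing table lookup keyed by source address, destination address and trust level, with an inter-domain path computation request to the controller as the fallback), together with the trust-level rule that only a path whose trustworthiness meets the requested level may be used, as an added example that is not part of the patent. The patent does not specify the controller's path computation algorithm; the shortest-hop search over a constructed domain graph used here, the "policy trust level >= requested level" reading of "meets", the one-BSID-per-crossed-domain simplification and all addresses, BSIDs and domain names are assumptions for illustration.

```python
"""Added example (not from the patent): head-node determination of the first BSID list."""
from collections import deque

# Trust levels as numbered in the text: 0 untrusted ... 4 fully trusted.
UNTRUSTED, MINIMALLY_TRUSTED, MODERATELY_TRUSTED, HIGHLY_TRUSTED, FULLY_TRUSTED = range(5)

# Constructed inter-domain view held by the controller: for each SR domain, the
# advertised segment routing policies that carry traffic on to a neighbouring
# domain, as (next_domain, BSID of the policy, trust level of the policy).
DOMAIN_POLICIES = {
    "SR1": [("SR2", "2001:db8:1::b1", HIGHLY_TRUSTED), ("SR3", "2001:db8:1::b2", MINIMALLY_TRUSTED)],
    "SR2": [("SR4", "2001:db8:2::b1", HIGHLY_TRUSTED)],
    "SR3": [("SR4", "2001:db8:3::b1", FULLY_TRUSTED)],
    "SR4": [],
}
# Constructed: the SR domain to which each user-side address is attached.
ADDRESS_DOMAIN = {"2001:db8:a::1": "SR1", "2001:db8:b::1": "SR4"}


class Controller:
    """Controller of the first SR domain. It holds the whole-network topology
    plus every domain's policies, BSIDs and trust levels, and answers
    inter-domain path computation requests."""

    def __init__(self, domain_policies, address_domain):
        self.domain_policies = domain_policies
        self.address_domain = address_domain

    def compute_bsid_list(self, src, dst, trust_level):
        """Assumed algorithm: breadth-first search over domains, using a policy
        only if its trust level is at least the requested one. Returns the
        BSID list (one BSID per domain crossed) or None if no path qualifies."""
        start, goal = self.address_domain[src], self.address_domain[dst]
        queue = deque([(start, [])])
        visited = {start}
        while queue:
            domain, bsids = queue.popleft()
            if domain == goal:
                return bsids
            for next_domain, bsid, level in self.domain_policies.get(domain, []):
                if level >= trust_level and next_domain not in visited:
                    visited.add(next_domain)
                    queue.append((next_domain, bsids + [bsid]))
        return None


class HeadNode:
    """Head node in the first SR domain."""

    def __init__(self, controller):
        self.controller = controller
        # First routing table: (source, destination, trust level) -> BSID list.
        # The patent pre-generates it; here it starts empty and is filled from
        # controller answers so both lookup paths can be exercised.
        self.first_routing_table = {}

    def determine_first_bsid_list(self, src, dst, trust_level):
        """Returns (BSID list or None, which way produced it)."""
        key = (src, dst, trust_level)
        # Way 1: look up the first routing table.
        if key in self.first_routing_table:
            return self.first_routing_table[key], "table"
        # Way 2: inter-domain path computation request to the domain controller.
        bsids = self.controller.compute_bsid_list(src, dst, trust_level)
        if bsids is not None:
            self.first_routing_table[key] = bsids
        return bsids, "controller"

    def handle_third_packet(self, third_packet):
        """Generate the first packet from the third packet by attaching the first
        BSID list, or None when no path satisfies the trust level. The patent
        does not fix the encapsulation; a dict stands in for the packet."""
        bsids, _ = self.determine_first_bsid_list(
            third_packet["src"], third_packet["dst"], third_packet["trust_level"])
        if bsids is None:
            return None
        return dict(third_packet, bsid_list=bsids)


if __name__ == "__main__":
    node = HeadNode(Controller(DOMAIN_POLICIES, ADDRESS_DOMAIN))
    for level in (MINIMALLY_TRUSTED, HIGHLY_TRUSTED, FULLY_TRUSTED):
        third = {"src": "2001:db8:a::1", "dst": "2001:db8:b::1", "trust_level": level}
        print(level, node.handle_third_packet(third))
```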
To transmit packets across SR domains, the segment routing policies of each SR domain, and the BSID and trust level corresponding to each segment routing policy, need to be advertised throughout the network. The embodiments of the present application provide several advertisement methods, which are introduced in turn below.
Advertisement method 1: the head node sends an advertisement packet that carries a first BSID, a first candidate path and a trust level. The first candidate path is one candidate path corresponding to a first segment routing policy, the first segment routing policy is the segment routing policy corresponding to the first BSID, and the trust level is the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
As described above, each SR domain corresponds to at least one controller, and different SR domains correspond to different controllers. The controller of each SR domain collects the network topology information of its own SR domain, generates the segment routing policies within that SR domain, assigns a corresponding BSID and trust level to each segment routing policy, and then delivers the segment routing policies and their corresponding BSIDs and trust levels to the corresponding head nodes. Therefore, the head node in the first SR domain can send the segment routing policies it holds, together with the BSID and trust level corresponding to each, to the neighbouring SR domains by means of advertisement packets, while also receiving advertisement packets from neighbouring SR domains and forwarding them on to other neighbouring SR domains. In this way the head node obtains the segment routing policies of every SR domain and the BSID and trust level corresponding to each segment routing policy.
After the head node obtains the segment routing policies of each SR domain and the BSID and trust level corresponding to each segment routing policy, the head node may also send them to the controller and the border nodes of the first SR domain.
In the embodiments of the present application, the same trust level may be set for all candidate paths corresponding to one segment routing policy, so that a segment routing policy as a whole corresponds to one trust level. Alternatively, different trust levels may be set for the candidate paths of one segment routing policy, so that one segment routing policy corresponds to multiple trust levels. It is also possible to set no trust level for the candidate path itself and instead set trust levels for the intra-domain path identifiers corresponding to the candidate path; in this case different trust levels may be set for the intra-domain path identifiers of one candidate path, so that one candidate path corresponds to multiple trust levels.
Moreover, one candidate path corresponds to one advertisement packet; that is, one candidate path and its related information are advertised in one advertisement packet. For example, for the first candidate path above, the head node sends one advertisement packet carrying the first BSID, the first candidate path and the trust level. Where trust levels are set for candidate paths, the trust level carried in the advertisement packet is that of the first candidate path. Where trust levels are set for the intra-domain path identifiers corresponding to the candidate path, the trust level carried in the advertisement packet is the trust level of each intra-domain path identifier corresponding to the first candidate path. Of course, multiple candidate paths may also correspond to one advertisement packet, or one segment routing policy may correspond to one advertisement packet; the embodiments of the present application do not limit this, and the description below takes one candidate path per advertisement packet as an example.
该通告报文可以为边界网关协议(Border Gateway Protocol,BGP)更新报文,BGP更新报文包括网络层可达信息(Network Layer Reachability Information,NLRI),NLRI包括至少一个类型-长度-值(Type Length Value,TLV)字段,该至少一个TLV字段用于携带第一BSID和信任级别。也就是说,可以通过NLRI来携带分段路由策略的相关属性信息。The notification message may be a Border Gateway Protocol (BGP) update message, and the BGP update message includes Network Layer Reachability Information (NLRI), and the NLRI includes at least one Type-Length-Value (TLV) field, and the at least one TLV field is used to carry the first BSID and the trust level. In other words, the relevant attribute information of the segment routing policy can be carried through the NLRI.
For example, when the trust level is set on the candidate path, the NLRI may be expressed as follows:

Here the Binding SID shown in bold is the BSID carried by the NLRI, and Trust Level is the trust level carried by the NLRI, namely the trust level of the corresponding candidate path.
For example, when the trust level is set on the intra-domain path identifiers corresponding to the candidate path and the intra-domain path identifier is a SID list, the NLRI may be expressed as follows:

Here the Trust Level under each Segment List indicates the trust level of that SID list associated with the candidate path; each SID list corresponds to one trust level.
Optionally, the at least one TLV field further carries a validity flag, which indicates that the first BSID is valid both in the first SR domain and in the SR domains other than the first SR domain.
Refer to Figure 9, a schematic diagram of a TLV field provided in an embodiment of the present application. This TLV field carries the first BSID and has five subfields: Type, Length, Flags, Reserved and Binding SID. The Type subfield is 8 bits long with value 13. The Length subfield is 8 bits long and takes the value 2, 6 or 18; for SRv6 it is 18. The Flags subfield is 8 bits long and contains three flag bits, S, I and E: the S flag indicates that the segment routing policy must have a specified, valid BSID; the I flag indicates that the BSID is invalid; the E flag carries the validity flag and indicates that the BSID is also valid in other SR domains. The Reserved subfield is 8 bits long, and the Binding SID subfield carries the first BSID.
Refer to Figure 10, a schematic diagram of another TLV field provided in an embodiment of the present application. This TLV field carries the trust level and has five subfields: Type, Length, Flags, Reserved and Trust Level. The Trust Level subfield carries the trust level corresponding to the segment routing policy.
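The Figure 9 and Figure 10 sub-TLV layouts, as an added worked example that is not part of the patent or of any BGP implementation: an encoder and a length-checking parser for the two sub-TLVs, plus the acceptance check a border node would apply before installing a BSID learned from a neighbouring SR domain (an inference from the E and I flag semantics above, not a step the text states). The type value 13 and the lengths 2, 6 and 18 are from the text; the Trust Level sub-TLV type code (200), the one-byte Trust Level field, the bit positions of S, I and E within Flags, and the sample addresses are assumptions.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple, Union

# Type 13 and the lengths 2/6/18 are given in the text for the Binding SID sub-TLV.
# The Trust Level sub-TLV type code and its one-byte value field are assumptions.
BSID_SUBTLV_TYPE = 13
TRUST_SUBTLV_TYPE = 200        # assumed; the text gives no type code

# Bit positions within Flags are assumed (the text only names the bits).
FLAG_S = 0x80   # policy must have a specified, valid BSID
FLAG_I = 0x40   # the BSID is invalid
FLAG_E = 0x20   # validity flag: BSID is also valid in other SR domains


def encode_bsid_subtlv(bsid: Optional[str], flags: int) -> bytes:
    """Type(8) Length(8) Flags(8) Reserved(8) Binding SID; Length = 2 + len(BSID).
    Builds the SRv6 form (16-byte SID, Length 18) or the empty form (Length 2)."""
    body = b"" if bsid is None else ipaddress.IPv6Address(bsid).packed
    return struct.pack("!BBBB", BSID_SUBTLV_TYPE, 2 + len(body), flags, 0) + body


def encode_trust_subtlv(trust_level: int, flags: int = 0) -> bytes:
    """Type(8) Length(8) Flags(8) Reserved(8) Trust Level(8, assumed width)."""
    if not 0 <= trust_level <= 255:
        raise ValueError("trust level must fit in one byte")
    return struct.pack("!BBBBB", TRUST_SUBTLV_TYPE, 3, flags, 0, trust_level)


def parse_subtlvs(data: bytes) -> List[dict]:
    """Walk the sub-TLVs, checking every declared length against the buffer and
    against the lengths the format allows; unknown types are skipped."""
    out, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated sub-TLV header")
        t, ln = data[off], data[off + 1]
        body = data[off + 2:off + 2 + ln]
        if len(body) != ln:
            raise ValueError("sub-TLV body runs past end of NLRI")
        off += 2 + ln
        if t == BSID_SUBTLV_TYPE:
            if ln not in (2, 6, 18):
                raise ValueError(f"Binding SID sub-TLV length {ln} not in (2, 6, 18)")
            bsid = None
            if ln == 18:
                bsid = str(ipaddress.IPv6Address(body[2:18]))
            elif ln == 6:
                bsid = int.from_bytes(body[2:6], "big") >> 12   # 20-bit MPLS label
            out.append({"type": "bsid", "flags": body[0], "bsid": bsid})
        elif t == TRUST_SUBTLV_TYPE:
            if ln != 3:
                raise ValueError(f"Trust Level sub-TLV length {ln} != 3")
            out.append({"type": "trust", "flags": body[0], "trust_level": body[2]})
    return out


def accept_foreign_bsid(tlvs: List[dict]) -> Tuple[Optional[Union[str, int]], Optional[int]]:
    """What a border node requires before installing a BSID learned from a
    neighbouring SR domain: a BSID is present, it is not marked invalid (I),
    and it is marked valid outside its own domain (E). Returns (bsid, trust_level)."""
    bsid = next((x for x in tlvs if x["type"] == "bsid"), None)
    trust = next((x for x in tlvs if x["type"] == "trust"), None)
    if bsid is None or trust is None or bsid["bsid"] is None:
        return None, None
    if bsid["flags"] & FLAG_I or not bsid["flags"] & FLAG_E:
        return None, None
    return bsid["bsid"], trust["trust_level"]
```

A BSID advertised without the E flag is usable only inside the advertising domain, so a border node that installed it for cross-domain forwarding would steer traffic onto a policy the owner never exposed; the parser also refuses any declared length that does not fit the buffer, which is the usual way malformed NLRI reaches a forwarding plane.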
Advertisement method 2: the controller of the first SR domain sends an advertisement message carrying the first BSID, the first candidate path and the trust level, where the trust level is either the trust level of the first candidate path or the trust levels of the intra-domain path identifiers corresponding to the first candidate path.
The controller of the first SR domain sends the advertisement message to the controllers of the neighbouring SR domains; it also receives advertisement messages from neighbouring SR domains and forwards them on to its other neighbouring SR domains. In this way the controller of the first SR domain learns the BSID and trust level of the segment routing policies of every SR domain.
After the controller of the first SR domain has obtained the segment routing policies of each SR domain and the BSID and trust level of each policy, it may also send them to the head nodes of the segment routing policies in the first SR domain and to the border nodes of the first SR domain.
The advertisement message sent by the controller of the first SR domain is similar to the one described above; refer to the description above for details, which are not repeated here.
Advertisement method 3: the controller of the first SR domain uploads the first BSID, the first candidate path and the trust level to a blockchain shared by the multiple SR domains, where the trust level is either the trust level of the first candidate path or the trust levels of the intra-domain path identifiers corresponding to the first candidate path.
The controller of the first SR domain may upload the candidate paths of the first segment routing policy and their related information to the shared blockchain in several batches or all at once; the embodiments of the present application do not limit this.
Since the blockchain is shared by the multiple SR domains, once the controller of the first SR domain has uploaded the segment routing policies of the first SR domain with the BSID and trust level of each policy, the controllers of the other SR domains can obtain them. Likewise, once the controllers of the other SR domains have uploaded the segment routing policies of their own domains with the BSID and trust level of each policy, the controller of the first SR domain can obtain those too.
After the controller of the first SR domain has obtained the segment routing policies of each SR domain and the BSID and trust level of each policy, it may also send them to the head nodes of the segment routing policies in the first SR domain and to the border nodes of the first SR domain.
Optionally, the controller of the first SR domain may also upload information about the SR domains preceding and following the first SR domain to the blockchain, and may upload the current state of the segment routing policies of the first SR domain, which indicates whether a segment routing policy is currently available.
For example, refer to Figure 11: controller 1 corresponds to SR domain 1 and controller 2 to SR domain 2. Controller 1 collects the network topology information of SR domain 1, generates segment routing policies, and uploads them with their BSIDs and trust levels to the blockchain; controller 2 does the same for SR domain 2. The blockchain then holds the segment routing policies of all SR domains with the BSID and trust level of each, and the controller of every SR domain can obtain them from it.
After the first BSID list has been obtained in one of the above ways, it can be inserted into the header of the third packet as an extension header to obtain the first packet. That is, a first extension header and a first packet header are inserted into the third packet, the first extension header containing the first BSID list and the first packet header having the first BSID as its destination address; the result is the first packet.
For example, refer to Figure 12: the third packet carries source address SA=APP, destination address DA=Srv and first trust level TL=3. The first BSID list obtained by the head node contains BSID1, BSID2 and BSID3. A first SRH extension header and a first IPv6 header are inserted into the third packet; the first SRH extension header contains the first BSID list with SL=2, and the destination address of the first IPv6 header is DA=BSID1. The result is the first packet.
If the head node is not a border node, the border node generates the first packet as described above and then transmits it to the head node according to the destination address of the first packet header.
In the second case, the first SR domain is not the first of the multiple SR domains. The head node then receives the first packet, which comes from the tail node of the SR domain preceding the first SR domain.
Because the first SR domain is not the first of the multiple SR domains, the head node can directly receive the first packet, which carries the first BSID list, from the tail node of the preceding SR domain.
Step 802: the head node determines a first intra-domain path identifier based on the first BSID in the first BSID list, where the first BSID indicates the first SR domain among the multiple SR domains and the first intra-domain path identifier indicates the SR path along which the first packet is transmitted within the first SR domain.
After obtaining the first packet, the head node parses the destination address of the first packet header to determine the first BSID, and then determines the first intra-domain path identifier based on the first BSID.
Because the first BSID list is determined based on the first trust level, transmitting the first packet through the SR domains indicated by the first BSID list satisfies the trust requirement on the transmission path when the packet crosses SR domains. However, a BSID uniquely identifies one segment routing policy, a policy may correspond to several candidate paths, and each candidate path may correspond to several intra-domain path identifiers. If trust levels are set on candidate paths, the trust levels of these candidate paths may be the same or may differ; if trust levels are set on the intra-domain path identifiers of a candidate path, the intra-domain path identifiers of the same candidate path may have different trust levels. In other words, the first segment routing policy may correspond to a single trust level as a whole, or to several fine-grained trust levels. To satisfy the trust requirement on the transmission path within the first SR domain, the first intra-domain path identifier is determined differently in these cases, as described next.
In the first case, the first segment routing policy corresponds to one trust level as a whole: where trust levels are set on candidate paths, all candidate paths of the first segment routing policy have the same trust level. In this case the head node determines the first intra-domain path identifier based on the first BSID alone.
In some embodiments the head node stores a correspondence between BSIDs and intra-domain path identifiers. It looks up the intra-domain path identifier corresponding to the first BSID in that correspondence and takes the result as the first intra-domain path identifier.
In other embodiments the head node stores the segment routing policy corresponding to each BSID. It determines the segment routing policy corresponding to the first BSID, referred to as the first segment routing policy, selects one of the candidate paths of that policy, and selects one of the intra-domain path identifiers of the selected candidate path as the first intra-domain path identifier.
In the second case, the first segment routing policy corresponds to several fine-grained trust levels: where trust levels are set on candidate paths, the candidate paths of the first segment routing policy have different trust levels; or, where trust levels are set on the intra-domain path identifiers of a candidate path, the intra-domain path identifiers of the same candidate path have different trust levels. In this case the head node determines the first intra-domain path identifier based on both the first BSID and the first trust level.
The head node can determine the first intra-domain path identifier based on the first BSID and the first trust level in the following three ways.
In the first way, the head node obtains the first intra-domain path identifier from a second routing table based on the first BSID and the first trust level, where the second routing table stores the correspondence between BSID, trust level and intra-domain path identifier.
Since the second routing table stores the correspondence between BSID, trust level and intra-domain path identifier, the head node looks up the entry matching the first BSID and the first trust level, and the intra-domain path identifier obtained is the first intra-domain path identifier.
The second routing table is generated in advance: after the head node receives the segment routing policies and their BSIDs and trust levels from the controller of the first SR domain, it stores the BSID and trust level of each policy together with the path identifiers of the corresponding SR paths in the second routing table.
In the second way, the head node determines the first segment routing policy corresponding to the first BSID and, based on the first trust level, selects one of the intra-domain path identifiers of the first segment routing policy as the first intra-domain path identifier.
Since a BSID identifies one segment routing policy and the head node stores the policy of each BSID, the head node can determine the first segment routing policy from the first BSID. The first segment routing policy may correspond to one or more candidate paths. If it corresponds to exactly one candidate path, the head node takes that candidate path as the first candidate path and selects one of its intra-domain path identifiers as the first intra-domain path identifier.
As described above, trust levels may be set on candidate paths, or not on candidate paths but on the intra-domain path identifiers of each candidate path. So when the first segment routing policy corresponds to several candidate paths, those candidate paths may carry trust levels that differ from one another; or the candidate paths may carry no trust level while the intra-domain path identifiers of each candidate path do, with the intra-domain path identifiers of the same candidate path having different trust levels.
When the first segment routing policy corresponds to several candidate paths that each carry a trust level and those trust levels differ, the head node selects, from the candidate paths of the first segment routing policy, a candidate path whose trust level is the first trust level as the first candidate path, and then selects one of the intra-domain path identifiers of the first candidate path as the first intra-domain path identifier.
As described above, a segment routing policy may be associated with several candidate paths, each with a priority. When selecting the first candidate path, the head node can therefore first pick the candidate paths whose trust level is the first trust level and then take the one with the highest priority among them as the first candidate path.
When the first segment routing policy corresponds to several candidate paths, each candidate path corresponds to several intra-domain path identifiers, each intra-domain path identifier carries a trust level, and the intra-domain path identifiers of the same candidate path have different trust levels, the head node selects one candidate path of the first segment routing policy as the first candidate path and then selects, from its intra-domain path identifiers, one whose trust level is the first trust level as the first intra-domain path identifier. That is, it selects an SR path with the first trust level among the SR paths associated with the first candidate path and uses that path's identifier as the first intra-domain path identifier.
As described above, each SR path associated with a candidate path has a weight. When selecting the first intra-domain path identifier from those of the first candidate path, the head node can therefore first pick the intra-domain path identifiers whose trust level is the first trust level and then choose one of them according to the weights as the first intra-domain path identifier.
Among the SR paths associated with a candidate path there may be paths whose trust level is higher than the first trust level. Selecting an intra-domain path identifier whose trust level equals the first trust level prevents low-trust packets from occupying high-trust transmission paths, makes the best use of the trustworthiness of the transmission paths, and gives the best forwarding efficiency.
In the third way, the head node sends an intra-domain path computation request carrying the source address, the destination address and the first trust level to the controller of the first SR domain, and receives the first intra-domain path identifier from the controller.
The controller of the first SR domain receives the intra-domain path computation request, determines the first intra-domain path identifier with the relevant path computation algorithm based on the source address, destination address and first trust level carried in the request, and sends it to the head node.
In the embodiments of the present application, the head node may first query the second routing table with the first BSID and the first trust level and send an intra-domain path computation request to the controller of the first SR domain only if the second routing table yields no first intra-domain path identifier. Of course, the head node may also send the request to the controller directly without querying the second routing table first.
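The selection logic of the second case above (the second way, with the third way as fallback), as an added example that is not the patent's own code: a policy whose candidate paths carry trust levels is filtered to exact matches and ordered by preference; a policy whose segment lists carry trust levels keeps the preferred candidate path and filters its segment lists; a segment list is then chosen by weight, and when nothing matches the caller falls back to the controller's intra-domain path computation request. The data model, the SHA-256 flow hash used for the weighted choice, the `request_controller` callback signature and the sample addresses are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class SegmentList:
    sids: List[str]
    weight: int = 1
    trust_level: Optional[int] = None   # set when trust is per intra-domain path


@dataclass
class CandidatePath:
    preference: int
    segment_lists: List[SegmentList]
    trust_level: Optional[int] = None   # set when trust is per candidate path


@dataclass
class SRPolicy:
    bsid: str
    candidate_paths: List[CandidatePath]


def weighted_pick(lists: List[SegmentList], flow_key: str) -> SegmentList:
    """Deterministic weighted choice so one flow stays on one segment list (assumed hash)."""
    total = sum(s.weight for s in lists)
    h = int.from_bytes(hashlib.sha256(flow_key.encode()).digest()[:4], "big") % total
    for s in lists:
        if h < s.weight:
            return s
        h -= s.weight
    return lists[-1]


def select_intra_domain_path(policy: SRPolicy, trust_level: int,
                             flow_key: str) -> Optional[List[str]]:
    """SID list for a packet of the given trust level, or None when no exact match.
    Exact match (not >=) keeps low-trust traffic off high-trust paths, as the text requires."""
    cands = sorted(policy.candidate_paths, key=lambda c: c.preference, reverse=True)
    if not cands:
        return None
    if any(c.trust_level is not None for c in cands):
        # Trust set per candidate path: exact match first, then highest preference.
        cands = [c for c in cands if c.trust_level == trust_level]
        if not cands:
            return None
        lists = cands[0].segment_lists
    else:
        # No trust on candidate paths: take the preferred one; trust may sit on its segment lists.
        lists = cands[0].segment_lists
        if any(s.trust_level is not None for s in lists):
            lists = [s for s in lists if s.trust_level == trust_level]
    if not lists:
        return None
    return weighted_pick(lists, flow_key).sids


def resolve_or_request(policies: Dict[str, SRPolicy], bsid: str, trust_level: int,
                       src: str, dst: str,
                       request_controller: Callable[[str, str, int], List[str]]) -> List[str]:
    """Local selection first; if it yields nothing, ask the domain controller
    with source, destination and trust level (the text's third way)."""
    policy = policies.get(bsid)
    sids = select_intra_domain_path(policy, trust_level, f"{src}|{dst}") if policy else None
    if sids is None:
        sids = request_controller(src, dst, trust_level)
    return sids
```

`policies` plays the role of the head node's stored BSID-to-policy mapping; the controller callback is only invoked when the local data cannot satisfy the trust level, so a packet marked with a trust level no local path provides never silently lands on a lower-trust segment list.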
域内路径标识用于标识SR域内的一个SR路径,该SR路径可以通过SID列表来标识。在某些情况下,该SR路径也可以通过BSID列表来标识。比如,在该SR路径比较长的情况下,为了避免在报文中携带较多的SID,可以将该SR路径划分为多段子路径,并为每段子路径分配一个BSID,这样,可以将每段子路径的BSID组成一个BSID列表,进而通过该BSID列表来标识该SR路径。所以,第一域内路径标识可以为SID列表或者BSID列表。The intra-domain path identifier is used to identify an SR path within the SR domain, and the SR path can be identified by a SID list. In some cases, the SR path can also be identified by a BSID list. For example, when the SR path is relatively long, in order to avoid carrying more SIDs in the message, the SR path can be divided into multiple sub-paths, and a BSID is assigned to each sub-path. In this way, the BSIDs of each sub-path can be combined into a BSID list, and then the SR path can be identified by the BSID list. Therefore, the first intra-domain path identifier can be a SID list or a BSID list.
When the first intra-domain path identifier is a SID list, the head node can forward directly based on the SID list. When the first intra-domain path identifier is a BSID list, the head node can determine the corresponding path for forwarding based on each BSID in the BSID list.
Step 803: The head node generates a second message based on the first message, where the second message carries the first BSID list and the first intra-domain path identifier.
After obtaining the first intra-domain path identifier in the above manner, the head node encapsulates the first intra-domain path identifier into the first message to generate the second message. That is, the head node inserts the first intra-domain path identifier into the header of the first message in the form of an extension header to obtain the second message. In other words, the head node inserts a second extension header and a second message header into the first message; the second extension header includes the first intra-domain path identifier, the source address of the second message header is the identifier of the head node in the first intra-domain path identifier, and the destination address is the identifier of the head node's next-hop node in the first intra-domain path identifier, thereby obtaining the second message.
For example, referring to FIG. 13, the first intra-domain path identifier obtained by the head node includes R11, R12, R13, R14 and R15. In this case, the head node inserts a second SRH extension header and a second IPv6 header into the first message; the second SRH extension header includes the first intra-domain path identifier, with SL=4 in the second SRH extension header. The source address of the second IPv6 header is SA=R11 and its destination address is DA=R12, thereby obtaining the second message.
Step 804: The head node forwards the second message.
The head node forwards the second message to an intermediate node, which in turn forwards the second message to the tail node. The intermediate node is an intermediate node of the SR path indicated by the first intra-domain path identifier, and the tail node is the last node of the SR path indicated by the first intra-domain path identifier.
For an intermediate node, after receiving the second message, the intermediate node updates the second message and forwards the updated second message to the next-hop node. That is, the intermediate node obtains the identifier of the next-hop node from the first intra-domain path identifier included in the second extension header, modifies the destination address in the second message header to the identifier of the next-hop node, and at the same time decrements the SL field in the second extension header by 1, keeping the first extension header and the first message header unchanged, thereby obtaining the updated second message. Then, based on the identifier of the next-hop node, it forwards the updated message to the next-hop node.
The first SR domain may or may not be the last SR domain among the multiple SR domains, and the tail node forwards the second message differently in each case. The two cases are introduced separately below.
In the first case, the first SR domain is not the last SR domain among the multiple SR domains. In this case, the tail node generates an eighth message based on the second message, where the eighth message carries the first BSID list. The tail node determines, based on a second BSID in the first BSID list, the outbound interface corresponding to a second SR domain, where the second SR domain is the next-hop SR domain of the first SR domain and the second BSID indicates the second SR domain; the tail node forwards the eighth message through the outbound interface corresponding to the head node of the second SR domain.
Since the first SR domain is not the last SR domain among the multiple SR domains, the second message still needs to be forwarded to the next-hop SR domain, and the second message has already been forwarded to the tail node of the first SR domain. Therefore, the tail node pops the second extension header and the second message header from the second message, obtains the second BSID from the first BSID list included in the first extension header, modifies the destination address in the first message header to the second BSID, and at the same time decrements the SL field in the first extension header by 1, thereby obtaining the eighth message.
The tail node stores a correspondence between BSIDs and outbound interfaces, so the tail node can obtain the corresponding outbound interface from this correspondence based on the second BSID and use the obtained outbound interface as the outbound interface corresponding to the second SR domain. The tail node sends the eighth message through the outbound interface corresponding to the second SR domain, thereby steering the eighth message into the second SR domain.
In the second case, the first SR domain is the last SR domain among the multiple SR domains. In this case, the tail node pops the first BSID list and the first intra-domain path identifier from the second message to obtain a third message, where the third message carries the source address, the destination address and the first trust level. The tail node forwards the third message.
Since the first SR domain is the last SR domain among the multiple SR domains, the cross-domain transmission of the message has been completed, so the tail node pops the first BSID list and the first intra-domain path identifier from the second message to obtain the third message, and forwards it according to the destination address carried in the third message. That is, the tail node pops the first extension header, the first message header, the second extension header and the second message header from the second message to obtain the third message, and then forwards it according to the destination address carried in the third message.
Next, taking FIG. 14 as an example, the message forwarding method provided in the embodiment of the present application is introduced. Referring to FIG. 14, the user terminal needs to send message 1 to the server. Message 1 includes source address SA=APP, destination address DA=Srv and trust level TL=3. The user terminal sends message 1 to the border node R11 of SR domain 1. R11 determines, based on the source address, destination address and trust level in message 1, a BSID list including BSID1, BSID2 and BSID3, where BSID1 is the BSID corresponding to a segment routing policy in SR domain 1, BSID2 is the BSID corresponding to a segment routing policy in SR domain 2, and BSID3 is the BSID corresponding to a segment routing policy in SR domain 3. R11 inserts a first SRH extension header and a first IPv6 header into message 1; the first SRH extension header includes the BSID list with SL=2, and the destination address of the first IPv6 header is DA=BSID1, thereby obtaining message 2. Assuming that R11 is the head node of the segment routing policy corresponding to BSID1, R11 determines the corresponding intra-domain path identifier based on BSID1, which includes R11, R12 and R13. R11 inserts a second SRH extension header and a second IPv6 header into message 2; the second SRH extension header includes the intra-domain path identifier with SL=2, and the second IPv6 header has source address SA=R11 and destination address DA=R12, thereby obtaining message 3. R11 forwards message 3 to R12 based on the intra-domain path identifier. R12 modifies the destination address in the second IPv6 header to R13, decrements the SL field in the second SRH extension header by 1, and keeps the first SRH extension header and the first IPv6 header unchanged, thereby obtaining the updated message 3, which it then forwards to R13. R13 pops the second SRH extension header and the second IPv6 header from message 3, modifies the destination address in the first IPv6 header to BSID2, and decrements the SL field in the first SRH extension header by 1, thereby obtaining message 4. R13 forwards message 4 to R21, and R21 forwards the message in a similar manner, until the message reaches R34. R34 pops the first SRH extension header, the first IPv6 header, the second SRH extension header and the second IPv6 header from the message, thereby recovering message 1, and forwards message 1 to the server based on its destination address Srv.
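The FIG. 14 walkthrough above, carried through all three SR domains as an added example written for this page (not the applicant's code): the border node pushes the BSID list, each head node pushes its intra-domain path, intermediate nodes advance only the inner header, and the tail node either re-steers by the next BSID or strips everything in the last domain. The node names R11, R12, R13, R21 and R34 and the addresses APP, Srv and TL=3 come from the figure; the remaining nodes of SR domains 2 and 3, the BSID-to-interface table, the source address of the first IPv6 header and the drop of an unknown BSID are constructed assumptions.

```python
"""Two-layer encapsulation and hop-by-hop processing of FIG. 14 (simulation)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Header:
    """An IPv6 header plus its SRH: segment list (kept in traversal order
    for readability; a real SRH stores it reversed) and Segments Left (SL)."""
    sa: str
    da: str
    segments: List[str]
    sl: int


@dataclass
class Packet:
    sa: str                          # original source (APP)
    da: str                          # original destination (Srv)
    tl: int                          # trust level carried by the user packet
    outer: Optional[Header] = None   # first IPv6 header + first SRH (BSID list)
    inner: Optional[Header] = None   # second IPv6 header + second SRH (intra-domain path)


def border_node_encap(pkt: Packet, node: str, bsid_list: List[str]) -> Packet:
    """Message 1 -> message 2: push the BSID list, SL = len-1, DA = first BSID.
    SA of the first IPv6 header is not given on the page; assumed to be the node."""
    outer = Header(sa=node, da=bsid_list[0], segments=list(bsid_list), sl=len(bsid_list) - 1)
    return replace(pkt, outer=outer)


def head_node_encap(pkt: Packet, path: List[str]) -> Packet:
    """Message 2 -> message 3: push the intra-domain path, SA = head, DA = next hop."""
    inner = Header(sa=path[0], da=path[1], segments=list(path), sl=len(path) - 1)
    return replace(pkt, inner=inner)


def intermediate_node_forward(pkt: Packet, node: str) -> Packet:
    """Advance the inner header only: DA = next hop, SL -= 1; outer untouched."""
    inner = pkt.inner
    idx = inner.segments.index(node)
    new_inner = replace(inner, da=inner.segments[idx + 1], sl=inner.sl - 1)
    return replace(pkt, inner=new_inner)


def tail_node_forward(pkt: Packet, bsid_ifaces: dict) -> Tuple[Optional[Packet], Optional[str]]:
    """Return (packet, next hop or outbound interface). Pops the inner layer;
    pops the outer layer too when this was the last domain (outer SL already 0)."""
    outer = pkt.outer
    if outer.sl == 0:
        # Last SR domain: recover the original packet and route on its own DA.
        return Packet(pkt.sa, pkt.da, pkt.tl), pkt.da
    # Not the last domain: DA = next BSID, SL -= 1, steer via BSID -> interface table.
    new_sl = outer.sl - 1
    next_bsid = outer.segments[len(outer.segments) - 1 - new_sl]
    iface = bsid_ifaces.get(next_bsid)
    if iface is None:
        return None, None            # assumption: a BSID with no known interface is dropped
    new_outer = replace(outer, da=next_bsid, sl=new_sl)
    return replace(pkt, outer=new_outer, inner=None), iface


def forward_through_domain(pkt: Packet, path: List[str], bsid_ifaces: dict):
    """Head encapsulates, intermediates advance, tail pops; returns the tail's result."""
    pkt = head_node_encap(pkt, path)
    for node in path[1:-1]:
        pkt = intermediate_node_forward(pkt, node)
    return tail_node_forward(pkt, bsid_ifaces)


def run_fig14():
    """Drive message 1 from APP through SR domains 1, 2 and 3 to Srv."""
    msg1 = Packet(sa="APP", da="Srv", tl=3)
    bsid_list = ["BSID1", "BSID2", "BSID3"]
    # Constructed intra-domain paths: only R11-R13, R21 and R34 are named on the page.
    paths = {"BSID1": ["R11", "R12", "R13"],
             "BSID2": ["R21", "R22", "R23"],
             "BSID3": ["R31", "R32", "R33", "R34"]}
    ifaces = {"BSID2": "R13->R21", "BSID3": "R23->R31"}   # constructed BSID -> interface
    trace = []
    pkt = border_node_encap(msg1, "R11", bsid_list)
    trace.append(("msg2", pkt.outer.da, pkt.outer.sl))
    hop = None
    for bsid in bsid_list:
        pkt, hop = forward_through_domain(pkt, paths[bsid], ifaces)
        if pkt is None:
            trace.append((bsid, "dropped", None))
            break
        trace.append((bsid, hop, pkt.outer.sl if pkt.outer else None))
    return pkt, hop, trace


if __name__ == "__main__":
    final, hop, trace = run_fig14()
    for entry in trace:
        print(entry)
    print(final, "->", hop)
```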
The above forwarding process is described using the application of SR technology to IPv6 as an example; in practice it can also be applied to IPv4, and the embodiments of the present application are not limited in this respect.
The above-mentioned multiple SR domains can carry multiple data flows. Different data flows can be forwarded over the same SR path or over different SR paths. Moreover, for one data flow, different packets of that flow can be forwarded over the same SR path or over different SR paths.
Optionally, the head node obtains a fourth message, where the fourth message carries the first BSID list and the fourth message and the first message belong to different data flows; the head node determines the first intra-domain path identifier based on the first BSID; the head node generates a fifth message based on the fourth message, where the fifth message carries the first BSID list and the first intra-domain path identifier; and the head node forwards the fifth message. That is, different data flows can be forwarded over the same SR path.
For example, referring to FIG. 15, user terminal 1 needs to send a data flow with trust level TL=3 to server 1, and user terminal 2 needs to send a data flow with trust level TL=3 to server 2. User terminal 1 sends message 1, in which the source address is SA=APP1, the destination address is DA=Srv1 and the trust level is TL=3. User terminal 2 sends message 2, in which the source address is SA=APP1, the destination address is DA=Srv2 and the trust level is TL=3. After the two messages arrive at the border node R11 of SR domain 1, R11 determines that the BSID lists corresponding to both messages include BSID1, BSID2 and BSID3. R11 encapsulates this BSID list into each of the two messages. Where R11 is the head node, it determines that the two messages correspond to the same intra-domain path identifier and encapsulates that intra-domain path identifier into both messages, which then pass through SR domain 1, SR domain 2 and SR domain 3 in turn to reach R34, and R34 forwards them according to their respective destination addresses.
Optionally, the head node obtains a sixth message, where the sixth message carries the first BSID list and the sixth message and the first message belong to the same data flow; the head node determines a second intra-domain path identifier based on the first BSID, where the second intra-domain path identifier indicates the SR path over which the sixth message is transmitted within the first SR domain, and the SR path indicated by the second intra-domain path identifier is different from the SR path indicated by the first intra-domain path identifier; the head node generates a seventh message based on the sixth message, where the seventh message carries the first BSID list and the second intra-domain path identifier; and the head node forwards the seventh message. That is, different messages of one data flow are forwarded over different SR paths.
For example, referring to FIG. 16, the user terminal needs to send a data flow with trust level TL=3 to the server. The user terminal sends message 1 and message 2, both belonging to this data flow. After the two messages arrive at the border node R11 of SR domain 1, R11 determines that the BSID list corresponding to message 1 includes BSID1, BSID2 and BSID3, and that the BSID list corresponding to message 2 includes BSID1, BSID4 and BSID3. R11 encapsulates each of the two BSID lists into its corresponding message. Where R11 is the head node, it determines that the two messages correspond to different intra-domain path identifiers, encapsulates each intra-domain path identifier into its corresponding message, and the messages then reach R34 over their respective transmission paths. R34 then sends the two messages on to the server.
When different messages of the same data flow are transmitted over different transmission paths, a load balancing policy can be used to determine which message is forwarded over which transmission path. In practice, other policies can also be used to determine the transmission path of each message, and the embodiments of the present application are not limited in this respect.
The embodiments of the present application can advertise, across the entire network, the BSID and trust level of the segment routing policy of each SR domain, thereby ensuring that messages can be transmitted across SR domains. Moreover, when the BSID and trust level of a segment routing policy are advertised by sending an advertisement message, a validity flag in the advertisement message indicates that the BSID of that segment routing policy is valid in multiple SR domains. In this way, when a message from one SR domain reaches the border node of another SR domain, the border node does not discard the message but parses the BSID and steers the message onto the corresponding transmission path, which safeguards the cross-domain transmission of the message. In addition, since the trust level indicates the degree of trustworthiness of the transmission path of the message, the BSID list determined from that trust level can meet the trustworthiness requirement on the transmission path when the message is transmitted across SR domains. Furthermore, when transmitting within one SR domain, determining the intra-domain path identifier based on the trust level can also meet the trustworthiness requirement on the transmission path when the message is transmitted within the domain, further increasing the confidentiality of the message transmission.
FIG. 17 is a schematic structural diagram of a message forwarding apparatus provided in an embodiment of the present application. The message forwarding apparatus can be implemented in software, hardware or a combination of the two as part or all of a network device, and the network device can be the head node mentioned above. Referring to FIG. 17, the apparatus includes a first acquisition module 1701, a first determination module 1702, a first generation module 1703 and a first forwarding module 1704.
The first acquisition module 1701 is configured to acquire a first message, where the first message carries a first binding segment identifier (BSID) list, the first BSID list is determined based on a first trust level, the first trust level indicates the degree of trustworthiness of the transmission path of the first message, and the first BSID list indicates multiple segment routing (SR) domains used to transmit the first message;
the first determination module 1702 is configured to determine a first intra-domain path identifier based on a first BSID in the first BSID list, where the first BSID indicates a first SR domain among the multiple SR domains, and the first intra-domain path identifier indicates the SR path over which the first message is transmitted within the first SR domain;
the first generation module 1703 is configured to generate a second message based on the first message, where the second message carries the first BSID list and the first intra-domain path identifier; and
the first forwarding module 1704 is configured to forward the second message.
Optionally, the first SR domain is the first of the multiple SR domains, and the first acquisition module 1701 includes:
a receiving submodule, configured to receive a third message, where the third message carries a source address, a destination address and the first trust level;
a first determination submodule, configured to determine the first BSID list based on the source address, the destination address and the first trust level; and
a generation submodule, configured to generate the first message based on the third message.
Optionally, the first determination submodule is specifically configured to:
obtain the first BSID list from a first routing table based on the source address, the destination address and the first trust level, where the first routing table stores the correspondence between source addresses, destination addresses, trust levels and BSID lists.
Optionally, the first determination submodule is specifically configured to:
send an inter-domain path computation request to the controller of the first SR domain, where the inter-domain path computation request carries the source address, the destination address and the first trust level; and
receive the first BSID list sent by the controller.
Optionally, the first determination module 1702 includes:
a second determination submodule, configured to determine the first intra-domain path identifier based on the first BSID and the first trust level.
Optionally, the second determination submodule is specifically configured to:
obtain the first intra-domain path identifier from a second routing table based on the first BSID and the first trust level, where the second routing table stores the correspondence between BSIDs, trust levels and intra-domain path identifiers.
Optionally, the second determination submodule is specifically configured to:
determine a first segment routing policy corresponding to the first BSID; and
select, based on the first trust level, one intra-domain path identifier from the intra-domain path identifiers corresponding to the first segment routing policy as the first intra-domain path identifier.
Optionally, the first segment routing policy corresponds to multiple candidate paths, each candidate path has a trust level, and the trust levels of the multiple candidate paths differ; the second determination submodule is specifically configured to:
select, from the multiple candidate paths corresponding to the first segment routing policy, a candidate path whose trust level is the first trust level as a first candidate path; and
select one intra-domain path identifier from the intra-domain path identifiers corresponding to the first candidate path as the first intra-domain path identifier.
Optionally, the first segment routing policy corresponds to multiple candidate paths, each candidate path corresponds to multiple intra-domain path identifiers, each intra-domain path identifier has a trust level, and the trust levels of the multiple intra-domain path identifiers corresponding to one candidate path differ; the second determination submodule is specifically configured to:
select one candidate path from the multiple candidate paths corresponding to the first segment routing policy as a first candidate path; and
select, from the multiple intra-domain path identifiers corresponding to the first candidate path, an intra-domain path identifier whose trust level is the first trust level as the first intra-domain path identifier.
Optionally, the second determination submodule is specifically configured to:
send an intra-domain path computation request to the controller of the first SR domain, where the intra-domain path computation request carries the source address, the destination address and the first trust level; and
receive the first intra-domain path identifier sent by the controller.
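The trust-level-driven lookups of the first determination submodule (first routing table keyed on source address, destination address and trust level) and of the second determination submodule (second routing table, then the two candidate-path variants: trust level on the candidate path, or trust level on the intra-domain path identifier), as an added example written for this page and not the applicant's code. All table contents, BSIDs, trust levels and path identifiers are constructed; the page does not say what happens when no entry carries the required trust level, so this lookup fails closed and returns None instead of falling back to a path of a different trust level.

```python
"""Head-node selection of the BSID list and intra-domain path identifier by trust level."""
import zlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CandidatePath:
    path_ids: List[list]                  # intra-domain path identifiers (SID or BSID lists)
    tl: Optional[int] = None              # variant A: trust level of the whole candidate path
    path_tls: Optional[List[int]] = None  # variant B: trust level of each path identifier


@dataclass
class SrPolicy:
    bsid: str
    candidates: List[CandidatePath]


def flow_index(sa: str, da: str, n: int) -> int:
    """Deterministic flow hash: one data flow keeps one path (the FIG. 15 behaviour).
    zlib.crc32 is used instead of hash() because str hashing is randomised per process."""
    return zlib.crc32(f"{sa}|{da}".encode()) % n


class HeadNode:
    def __init__(self, first_rt: dict, second_rt: dict, policies: dict):
        self.first_rt = first_rt      # (sa, da, tl) -> BSID list      (first routing table)
        self.second_rt = second_rt    # (bsid, tl) -> path identifier  (second routing table)
        self.policies = policies      # bsid -> SrPolicy

    def bsid_list(self, sa: str, da: str, tl: int) -> Optional[List[str]]:
        """First determination submodule: exact match on (SA, DA, trust level)."""
        return self.first_rt.get((sa, da, tl))

    def select_path_id(self, bsid: str, tl: int, sa: str, da: str) -> Optional[list]:
        """Second determination submodule: routing-table entry first, then the
        policy's candidate paths; the chosen entry must carry exactly `tl`."""
        entry = self.second_rt.get((bsid, tl))
        if entry is not None:
            return entry
        policy = self.policies.get(bsid)
        if policy is None:
            return None                   # BSID not advertised to this node
        # Variant A: candidate paths carry the trust level; pick among matches,
        # then among that candidate's path identifiers, by flow hash.
        matching = [c for c in policy.candidates if c.tl == tl]
        if matching:
            cand = matching[flow_index(sa, da, len(matching))]
            return cand.path_ids[flow_index(sa, da, len(cand.path_ids))]
        # Variant B: path identifiers inside a candidate carry the trust level.
        for cand in policy.candidates:
            if cand.path_tls is None:
                continue
            ok = [p for p, t in zip(cand.path_ids, cand.path_tls) if t == tl]
            if ok:
                return ok[flow_index(sa, da, len(ok))]
        return None                       # assumption: fail closed, never downgrade the trust level

    def plan(self, sa: str, da: str, tl: int):
        """Resolve the whole cross-domain plan for one flow, or None if any domain
        cannot honour the trust level. In the scheme each domain's own head node
        performs its lookup; one table object stands in for all of them here."""
        bsids = self.bsid_list(sa, da, tl)
        if bsids is None:
            return None
        plan = []
        for bsid in bsids:
            path_id = self.select_path_id(bsid, tl, sa, da)
            if path_id is None:
                return None
            plan.append((bsid, path_id))
        return plan


def build_example_node() -> HeadNode:
    """Constructed tables mirroring the FIG. 14 names (BSID1..3, R11..R13, APP, Srv)."""
    first_rt = {("APP", "Srv", 3): ["BSID1", "BSID2", "BSID3"]}
    second_rt = {("BSID3", 3): ["R31", "R32", "R33", "R34"]}
    policies = {
        # Variant A: each candidate path has one trust level.
        "BSID1": SrPolicy("BSID1", [CandidatePath([["R11", "R12", "R13"]], tl=3),
                                    CandidatePath([["R11", "R14", "R13"]], tl=1)]),
        # Variant B: one candidate path, per-path-identifier trust levels.
        "BSID2": SrPolicy("BSID2", [CandidatePath([["R21", "R22", "R23"], ["R21", "R24", "R23"]],
                                                  path_tls=[2, 3])]),
    }
    return HeadNode(first_rt, second_rt, policies)


if __name__ == "__main__":
    node = build_example_node()
    print(node.plan("APP", "Srv", 3))
    print(node.select_path_id("BSID1", 2, "APP", "Srv"))   # no TL=2 path: None
```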
Optionally, the first intra-domain path identifier is a segment identifier (SID) list or a BSID list.
Optionally, the apparatus further includes:
a second acquisition module, configured to acquire a fourth message, where the fourth message carries the first BSID list and the fourth message and the first message belong to different data flows;
a second determination module, configured to determine the first intra-domain path identifier based on the first BSID;
a second generation module, configured to generate a fifth message based on the fourth message, where the fifth message carries the first BSID list and the first intra-domain path identifier; and
a second forwarding module, configured to forward the fifth message.
Optionally, the apparatus further includes:
a third acquisition module, configured to acquire a sixth message, where the sixth message carries the first BSID list and the sixth message and the first message belong to the same data flow;
a third determination module, configured to determine a second intra-domain path identifier based on the first BSID, where the second intra-domain path identifier indicates the SR path over which the sixth message is transmitted within the first SR domain, and the SR path indicated by the second intra-domain path identifier is different from the SR path indicated by the first intra-domain path identifier;
a third generation module, configured to generate a seventh message based on the sixth message, where the seventh message carries the first BSID list and the second intra-domain path identifier; and
a third forwarding module, configured to forward the seventh message.
Optionally, the apparatus further includes:
a sending module, configured to send an advertisement message, where the advertisement message carries the first BSID, a first candidate path and a trust level, the first candidate path is a candidate path corresponding to a first segment routing policy, the first segment routing policy is the segment routing policy corresponding to the first BSID, and the trust level is the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
Optionally, the advertisement message is a Border Gateway Protocol (BGP) update message, the BGP update message includes network layer reachability information (NLRI), the NLRI includes at least one type-length-value (TLV) field, and the at least one TLV field carries the first BSID and the trust level.
Optionally, the at least one TLV field further carries a validity flag, where the validity flag indicates that the first BSID is valid both in the first SR domain and in the other SR domains apart from the first SR domain.
In the embodiments of the present application, the BSID and trust level of the segment routing policy of each SR domain can be advertised across the entire network, thereby ensuring that messages can be transmitted across SR domains. Moreover, when the BSID and trust level of a segment routing policy are advertised by sending an advertisement message, a validity flag in the advertisement message indicates that the BSID of that segment routing policy is valid in multiple SR domains. In this way, when a message from one SR domain reaches the border node of another SR domain, the border node does not discard the message but parses the BSID and steers the message onto the corresponding transmission path, which safeguards the cross-domain transmission of the message. In addition, since the trust level indicates the degree of trustworthiness of the transmission path of the message, the BSID list determined from that trust level can meet the trustworthiness requirement on the transmission path when the message is transmitted across SR domains. Furthermore, when transmitting within one SR domain, determining the intra-domain path identifier based on the trust level can also meet the trustworthiness requirement on the transmission path when the message is transmitted within the domain, further increasing the confidentiality of the message transmission.
It should be noted that when the message forwarding apparatus provided in the above embodiment forwards messages, the division into the above functional modules is given only as an example. In practice, the above functions can be assigned to different functional modules as required, that is, the internal structure of the message forwarding apparatus can be divided into different functional modules to complete all or part of the functions described above. In addition, the message forwarding apparatus provided in the above embodiment and the embodiment of the message forwarding method belong to the same concept; the specific implementation process is detailed in the method embodiment and is not repeated here.
本申请实施例提供了一种报文转发***,该***包括:The present application provides a message forwarding system, the system comprising:
头节点,用于获取第一报文,第一报文携带第一绑定段标识BSID列表,第一BSID列表是基于第一信任级别确定的,第一信任级别指示第一报文的传输路径的可信程度,第一BSID列表指示用于传输第一报文的多个分段路由SR域;A head node, configured to obtain a first message, the first message carrying a first binding segment identifier BSID list, the first BSID list being determined based on a first trust level, the first trust level indicating a degree of trustworthiness of a transmission path of the first message, and the first BSID list indicating a plurality of segment routing SR domains used to transmit the first message;
头节点,还用于基于第一BSID列表中的第一BSID,确定第一域内路径标识,第一BSID指示多个SR域中的第一SR域,第一域内路径标识指示第一报文在第一SR域内传输的SR路径;The head node is further configured to determine a first intra-domain path identifier based on a first BSID in the first BSID list, the first BSID indicating a first SR domain among the multiple SR domains, and the first intra-domain path identifier indicating an SR path for transmitting the first message in the first SR domain;
头节点,还用于基于第一报文生成第二报文,第二报文携带第一BSID列表和第一域内路径标识;The head node is further used to generate a second message based on the first message, where the second message carries the first BSID list and the first intra-domain path identifier;
头节点,还用于经过中间节点将第二报文转发至尾节点;The head node is further used to forward the second message to the tail node via the intermediate node;
尾节点,用于转发第二报文。The tail node is used to forward the second message.
可选地,第一SR域不为多个SR域中的最后一个SR域;Optionally, the first SR domain is not the last SR domain among the multiple SR domains;
尾节点,具体用于基于第二报文生成第八报文,第八报文携带第一BSID列表;基于第一BSID列表中的第二BSID,确定第二SR域对应的出接口,第二SR域为第一SR域的下一跳SR域,第二BSID指示第二SR域;通过出接口转发第八报文。The tail node is specifically used to generate an eighth message based on the second message, the eighth message carries the first BSID list; based on the second BSID in the first BSID list, determine the outbound interface corresponding to the second SR domain, the second SR domain is the next-hop SR domain of the first SR domain, and the second BSID indicates the second SR domain; and forward the eighth message through the outbound interface.
可选地,第一SR域为多个SR域中的最后一个SR域;Optionally, the first SR domain is the last SR domain among the multiple SR domains;
尾节点,具体用于弹出第二报文中的第一BSID列表和第一域内路径标识,以得到第三报文,第三报文携带源地址、目的地址和第一信任级别;转发第三报文。The tail node is specifically used to pop out the first BSID list and the first intra-domain path identifier in the second message to obtain a third message, where the third message carries a source address, a destination address and a first trust level; and forward the third message.
Optionally, the system further includes:
a controller of the first SR domain, configured to send an advertisement packet, the advertisement packet carrying the first BSID, a first candidate path and a trust level, where the first candidate path is one candidate path corresponding to a first segment routing policy, the first segment routing policy is the segment routing policy corresponding to the first BSID, and the trust level is the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
Optionally, the advertisement packet is a Border Gateway Protocol (BGP) update message, the BGP update message includes network layer reachability information (NLRI), the NLRI includes at least one type-length-value (TLV) field, and the at least one TLV field is used to carry the first BSID and the trust level.
Optionally, the at least one TLV field is further used to carry a validity flag, the validity flag indicating that the first BSID is valid both in the first SR domain and in SR domains other than the first SR domain.
Optionally, the system further includes:
a controller of the first SR domain, configured to upload the first BSID, the first candidate path and the trust level to a blockchain shared by the plurality of SR domains, where the first candidate path is one candidate path corresponding to a first segment routing policy, the first segment routing policy is the segment routing policy corresponding to the first BSID, and the trust level is the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
In the embodiments of this application, the BSID and trust level of each SR domain's segment routing policy can be advertised across the whole network, which ensures that packets can be transmitted across SR domains. Moreover, when the BSID and trust level of a segment routing policy are advertised by sending an advertisement packet, the validity flag in that advertisement packet indicates that the BSID of the policy is valid in multiple SR domains. As a result, when a packet from one SR domain reaches the border node of another SR domain, the border node does not discard the packet but parses the BSID and steers the packet onto the corresponding transmission path, which safeguards cross-domain transmission. In addition, because the trust level indicates how trustworthy the packet's transmission path must be, the BSID list determined from that trust level satisfies the trustworthiness requirement the packet places on its path when crossing SR domains. Furthermore, when the packet is transmitted within a single SR domain, determining the intra-domain path identifier based on the trust level also satisfies the packet's trustworthiness requirement on the intra-domain path, further improving the confidentiality of the packet in transit.
An embodiment of this application provides a network device that includes a memory and a processor. The memory is configured to store a computer program, and the processor is configured to execute the computer program stored in the memory so as to implement all or some of the steps of the method provided by the method embodiments above.
An embodiment of this application provides a computer-readable storage medium storing a computer program. When the computer program is executed, all or some of the steps of the method provided by the method embodiments above are implemented.
An embodiment of this application provides a computer program product that includes a program or code. When the program or code is executed, all or some of the steps of the method provided by the method embodiments above are implemented.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination of them. When software is used, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (such as a floppy disk, hard disk or magnetic tape), an optical medium (such as a digital versatile disc (DVD)) or a semiconductor medium (such as a solid state disk (SSD)). It should be noted that the computer-readable storage medium referred to in the embodiments of this application may be a non-volatile storage medium, in other words a non-transitory storage medium.
It should be understood that "a plurality of" as used herein means two or more. In the description of the embodiments of this application, unless otherwise stated, "/" means "or"; for example, A/B may mean A or B. "And/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. In addition, to describe the technical solutions of the embodiments clearly, the words "first", "second" and so on are used to distinguish between identical or similar items whose functions and effects are substantially the same. Those skilled in the art will understand that "first", "second" and so on limit neither quantity nor order of execution, and do not require the items so labelled to be different.
It should be noted that the information (including but not limited to user device information and personal user information), data (including but not limited to data used for analysis, stored data and displayed data) and signals involved in the embodiments of this application are all authorized by the user or fully authorized by all parties, and that the collection, use and processing of the relevant data must comply with the applicable laws, regulations and standards of the relevant countries and regions.
The embodiments described above are provided for this application and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of this application shall fall within its scope of protection.

Claims (28)

  1. A packet forwarding method, wherein the method comprises:
    obtaining a first packet, the first packet carrying a first binding segment identifier (BSID) list, the first BSID list being determined based on a first trust level, the first trust level indicating the trustworthiness of the transmission path of the first packet, and the first BSID list indicating a plurality of segment routing (SR) domains used to transmit the first packet;
    determining a first intra-domain path identifier based on a first BSID in the first BSID list, the first BSID indicating a first SR domain among the plurality of SR domains, and the first intra-domain path identifier indicating the SR path along which the first packet is transmitted within the first SR domain;
    generating a second packet based on the first packet, the second packet carrying the first BSID list and the first intra-domain path identifier; and
    forwarding the second packet.
  2. The method according to claim 1, wherein the first SR domain is the first of the plurality of SR domains, and obtaining the first packet comprises:
    receiving a third packet, the third packet carrying a source address, a destination address and the first trust level;
    determining the first BSID list based on the source address, the destination address and the first trust level; and
    generating the first packet based on the third packet.
  3. The method according to claim 2, wherein determining the first BSID list based on the source address, the destination address and the first trust level comprises:
    obtaining the first BSID list from a first routing table based on the source address, the destination address and the first trust level, the first routing table storing the correspondence between source address, destination address, trust level and BSID list.
  4. The method according to claim 2, wherein determining the first BSID list based on the source address, the destination address and the first trust level comprises:
    sending an inter-domain path computation request to a controller of the first SR domain, the inter-domain path computation request carrying the source address, the destination address and the first trust level; and
    receiving the first BSID list sent by the controller.
  5. The method according to any one of claims 1 to 4, wherein determining the first intra-domain path identifier based on the first BSID in the first BSID list comprises:
    determining the first intra-domain path identifier based on the first BSID and the first trust level.
  6. The method according to claim 5, wherein determining the first intra-domain path identifier based on the first BSID and the first trust level comprises:
    obtaining the first intra-domain path identifier from a second routing table based on the first BSID and the first trust level, the second routing table storing the correspondence between BSID, trust level and intra-domain path identifier.
  7. The method according to claim 5, wherein determining the first intra-domain path identifier based on the first BSID and the first trust level comprises:
    determining a first segment routing policy corresponding to the first BSID; and
    selecting, based on the first trust level, one intra-domain path identifier from the intra-domain path identifiers corresponding to the first segment routing policy as the first intra-domain path identifier.
  8. The method according to claim 7, wherein the first segment routing policy corresponds to a plurality of candidate paths, each candidate path has a trust level, and the trust levels of the plurality of candidate paths differ;
    selecting, based on the first trust level, one intra-domain path identifier from the intra-domain path identifiers corresponding to the first segment routing policy as the first intra-domain path identifier comprises:
    selecting, from the plurality of candidate paths corresponding to the first segment routing policy, the candidate path whose trust level is the first trust level as a first candidate path; and
    selecting one intra-domain path identifier from the intra-domain path identifiers corresponding to the first candidate path as the first intra-domain path identifier.
  9. The method according to claim 7, wherein the first segment routing policy corresponds to a plurality of candidate paths, each candidate path corresponds to a plurality of intra-domain path identifiers, each intra-domain path identifier has a trust level, and the trust levels of the plurality of intra-domain path identifiers corresponding to the same candidate path differ;
    selecting, based on the first trust level, one intra-domain path identifier from the intra-domain path identifiers corresponding to the first segment routing policy as the first intra-domain path identifier comprises:
    selecting one candidate path from the plurality of candidate paths corresponding to the first segment routing policy as a first candidate path; and
    selecting, from the plurality of intra-domain path identifiers corresponding to the first candidate path, the intra-domain path identifier whose trust level is the first trust level as the first intra-domain path identifier.
  10. The method according to claim 5, wherein determining the first intra-domain path identifier based on the first BSID and the first trust level comprises:
    sending an intra-domain path computation request to a controller of the first SR domain, the intra-domain path computation request carrying the source address, the destination address and the first trust level; and
    receiving the first intra-domain path identifier sent by the controller.
  11. The method according to any one of claims 1 to 10, wherein the first intra-domain path identifier is a segment identifier (SID) list or a BSID list.
  12. The method according to any one of claims 1 to 11, wherein the method further comprises:
    obtaining a fourth packet, the fourth packet carrying the first BSID list, the fourth packet and the first packet belonging to different data flows;
    determining the first intra-domain path identifier based on the first BSID;
    generating a fifth packet based on the fourth packet, the fifth packet carrying the first BSID list and the first intra-domain path identifier; and
    forwarding the fifth packet.
  13. The method according to any one of claims 1 to 12, wherein the method further comprises:
    obtaining a sixth packet, the sixth packet carrying the first BSID list, the sixth packet and the first packet belonging to the same data flow;
    determining a second intra-domain path identifier based on the first BSID, the second intra-domain path identifier indicating the SR path along which the sixth packet is transmitted within the first SR domain, the SR path indicated by the second intra-domain path identifier being different from the SR path indicated by the first intra-domain path identifier;
    generating a seventh packet based on the sixth packet, the seventh packet carrying the first BSID list and the second intra-domain path identifier; and
    forwarding the seventh packet.
  14. The method according to any one of claims 1 to 13, wherein the method further comprises:
    sending an advertisement packet, the advertisement packet carrying the first BSID, a first candidate path and a trust level, where the first candidate path is one candidate path corresponding to a first segment routing policy, the first segment routing policy is the segment routing policy corresponding to the first BSID, and the trust level is the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  15. The method according to claim 14, wherein the advertisement packet is a Border Gateway Protocol (BGP) update message, the BGP update message includes network layer reachability information (NLRI), the NLRI includes at least one type-length-value (TLV) field, and the at least one TLV field is used to carry the first BSID and the trust level.
  16. The method according to claim 15, wherein the at least one TLV field is further used to carry a validity flag, the validity flag indicating that the first BSID is valid both in the first SR domain and in SR domains other than the first SR domain.
  17. A packet forwarding method, wherein the method comprises:
    a head node obtaining a first packet, the first packet carrying a first binding segment identifier (BSID) list, the first BSID list being determined based on a first trust level, the first trust level indicating the trustworthiness of the transmission path of the first packet, and the first BSID list indicating a plurality of segment routing (SR) domains used to transmit the first packet;
    the head node determining a first intra-domain path identifier based on a first BSID in the first BSID list, the first BSID indicating a first SR domain among the plurality of SR domains, and the first intra-domain path identifier indicating the SR path along which the first packet is transmitted within the first SR domain;
    the head node generating a second packet based on the first packet, the second packet carrying the first BSID list and the first intra-domain path identifier;
    the head node forwarding the second packet to a tail node via an intermediate node; and
    the tail node forwarding the second packet.
  18. The method according to claim 17, wherein the first SR domain is not the last SR domain among the plurality of SR domains, and the tail node forwarding the second packet comprises:
    the tail node generating an eighth packet based on the second packet, the eighth packet carrying the first BSID list;
    the tail node determining, based on a second BSID in the first BSID list, an outbound interface corresponding to a second SR domain, the second SR domain being the next-hop SR domain of the first SR domain and the second BSID indicating the second SR domain; and
    the tail node forwarding the eighth packet through the outbound interface.
  19. The method according to claim 17, wherein the first SR domain is the last SR domain among the plurality of SR domains, and the tail node forwarding the second packet comprises:
    the tail node popping the first BSID list and the first intra-domain path identifier from the second packet to obtain a third packet, the third packet carrying a source address, a destination address and the first trust level; and
    the tail node forwarding the third packet.
  20. The method according to any one of claims 17 to 19, wherein the method further comprises:
    a controller of the first SR domain sending an advertisement packet, the advertisement packet carrying the first BSID, a first candidate path and a trust level, where the first candidate path is one candidate path corresponding to a first segment routing policy, the first segment routing policy is the segment routing policy corresponding to the first BSID, and the trust level is the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  21. The method according to claim 20, wherein the advertisement packet is a Border Gateway Protocol (BGP) update message, the BGP update message includes network layer reachability information (NLRI), the NLRI includes at least one type-length-value (TLV) field, and the at least one TLV field is used to carry the first BSID and the trust level.
  22. The method according to claim 21, wherein the at least one TLV field is further used to carry a validity flag, the validity flag indicating that the first BSID is valid both in the first SR domain and in SR domains other than the first SR domain.
  23. The method according to any one of claims 17 to 19, wherein the method further comprises:
    a controller of the first SR domain uploading the first BSID, a first candidate path and a trust level to a blockchain shared by the plurality of SR domains, where the first candidate path is one candidate path corresponding to a first segment routing policy, the first segment routing policy is the segment routing policy corresponding to the first BSID, and the trust level is the trust level of the first candidate path or the trust level of each intra-domain path identifier corresponding to the first candidate path.
  24. A packet forwarding apparatus, wherein the apparatus comprises:
    a first obtaining module, configured to obtain a first packet, the first packet carrying a first binding segment identifier (BSID) list, the first BSID list being determined based on a first trust level, the first trust level indicating the trustworthiness of the transmission path of the first packet, and the first BSID list indicating a plurality of segment routing (SR) domains used to transmit the first packet;
    a first determining module, configured to determine a first intra-domain path identifier based on a first BSID in the first BSID list, the first BSID indicating a first SR domain among the plurality of SR domains, and the first intra-domain path identifier indicating the SR path along which the first packet is transmitted within the first SR domain;
    a first generating module, configured to generate a second packet based on the first packet, the second packet carrying the first BSID list and the first intra-domain path identifier; and
    a first forwarding module, configured to forward the second packet.
  25. A packet forwarding system, wherein the system comprises:
    a head node, configured to obtain a first packet, the first packet carrying a first binding segment identifier (BSID) list, the first BSID list being determined based on a first trust level, the first trust level indicating the trustworthiness of the transmission path of the first packet, and the first BSID list indicating a plurality of segment routing (SR) domains used to transmit the first packet;
    the head node being further configured to determine a first intra-domain path identifier based on a first BSID in the first BSID list, the first BSID indicating a first SR domain among the plurality of SR domains, and the first intra-domain path identifier indicating the SR path along which the first packet is transmitted within the first SR domain;
    the head node being further configured to generate a second packet based on the first packet, the second packet carrying the first BSID list and the first intra-domain path identifier;
    the head node being further configured to forward the second packet to a tail node via an intermediate node; and
    the tail node, configured to forward the second packet.
  26. A network device, wherein the network device comprises a memory and a processor;
    the memory is configured to store a computer program, and the processor is configured to execute the computer program stored in the memory so as to implement the method according to any one of claims 1 to 16.
  27. A computer-readable storage medium, wherein the storage medium stores instructions which, when run on a computer, cause the computer to perform the steps of the method according to any one of claims 1 to 16.
  28. A computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the method according to any one of claims 1 to 16.
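The procedure of claims 1 to 19, together with the border behaviour described in the summary above (a border node only accepts a BSID from another domain when it was advertised with the validity flag), as an added executable model in Python. This is not the patent's own code nor any vendor's implementation: the routing tables, BSIDs, SIDs, interface names and trust values are constructed, and two behaviours the claims leave open are assumptions marked in the code, namely that a packet whose trust level matches no candidate path is dropped rather than downgraded, and that the tail node strips the consumed intra-domain path identifier when it builds the eighth packet.

```python
"""Executable model of the cross-domain SR forwarding procedure of claims 1-19.
Added illustration, not the patent's own code: every table, domain name, SID,
interface name and trust value below is constructed for this example."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    trust: int                        # the first trust level carried by the packet
    bsid_list: Tuple[str, ...] = ()   # first BSID list: one BSID per SR domain crossed
    intra_path: Tuple[str, ...] = ()  # intra-domain path identifier, here a SID list


@dataclass
class Policy:
    """Segment routing policy learned from a domain's advertisement (claims 14-16)."""
    domain: str
    valid_cross_domain: bool                 # the validity flag of claim 16
    candidates: Dict[int, Tuple[str, ...]]   # trust level -> candidate path (claim 8)


# First routing table (claim 3): (src, dst, trust level) -> BSID list. Constructed.
FIRST_ROUTING_TABLE: Dict[Tuple[str, str, int], Tuple[str, ...]] = {
    ("10.0.0.1", "10.9.0.9", 2): ("BSID-A", "BSID-B"),
    ("10.0.0.1", "10.9.0.9", 1): ("BSID-A", "BSID-C"),
}

# Policies installed from advertisements; the second routing table of claim 6 is the
# per-BSID trust-level -> path mapping inside each Policy. Constructed.
POLICIES: Dict[str, Policy] = {
    "BSID-A": Policy("A", True, {2: ("A1", "A2"), 1: ("A1", "A3", "A2")}),
    "BSID-B": Policy("B", True, {2: ("B1", "B2")}),
    "BSID-C": Policy("C", False, {1: ("C1",)}),  # flag never set: C rejects outside packets
}

# Tail-node egress table (claim 18): next-hop BSID -> outbound interface. Constructed.
EGRESS_INTERFACES: Dict[str, str] = {"BSID-B": "if-to-B", "BSID-C": "if-to-C"}


def head_node(domain: str, pkt: Packet, from_outside: bool) -> Optional[Packet]:
    """Claims 1-8: produce the second packet, or None when the packet is discarded."""
    if not pkt.bsid_list:
        # First domain (claims 2-3): derive the BSID list from the third packet's
        # source, destination and trust level.
        bsids = FIRST_ROUTING_TABLE.get((pkt.src, pkt.dst, pkt.trust))
        if bsids is None:
            return None  # no inter-domain route satisfies this trust level
        pkt = replace(pkt, bsid_list=bsids)
    own = next((b for b in pkt.bsid_list
                if b in POLICIES and POLICIES[b].domain == domain), None)
    if own is None:
        return None  # no BSID in the list designates this domain
    policy = POLICIES[own]
    # Border behaviour from the description: a packet arriving from another SR
    # domain is accepted only when its BSID was advertised with the validity flag.
    if from_outside and not policy.valid_cross_domain:
        return None
    # Claim 8: select the candidate path whose trust level equals the packet's.
    # Assumption: no fallback to another trust level; unmatched packets are dropped.
    path = policy.candidates.get(pkt.trust)
    if path is None:
        return None
    return replace(pkt, intra_path=path)


def tail_node(domain: str, pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Claims 17-19: return the forwarded packet and the next-hop BSID (None if last)."""
    idx = next(i for i, b in enumerate(pkt.bsid_list)
               if b in POLICIES and POLICIES[b].domain == domain)
    if idx == len(pkt.bsid_list) - 1:
        # Last domain (claim 19): pop both identifiers, restoring the third packet.
        return replace(pkt, bsid_list=(), intra_path=()), None
    # Not the last domain (claim 18): the eighth packet keeps the BSID list.
    # Assumption: the intra-domain path, fully consumed in this domain, is removed.
    return replace(pkt, intra_path=()), pkt.bsid_list[idx + 1]


def forward(pkt: Packet, ingress_domain: str) -> Tuple[Optional[Packet], List[str]]:
    """Carry a third packet across every domain in its BSID list; return (result, trace)."""
    trace: List[str] = []
    domain, from_outside = ingress_domain, False
    while True:
        second = head_node(domain, pkt, from_outside)
        if second is None:
            trace.append(f"{domain}: dropped")
            return None, trace
        trace.append(f"{domain}: intra path {'>'.join(second.intra_path)}")
        out, next_bsid = tail_node(domain, second)
        if next_bsid is None:
            trace.append(f"{domain}: popped, delivered")
            return out, trace
        iface = EGRESS_INTERFACES.get(next_bsid)
        if iface is None:
            trace.append(f"{domain}: no outbound interface for {next_bsid}")
            return None, trace
        trace.append(f"{domain}: egress via {iface}")
        pkt, domain, from_outside = out, POLICIES[next_bsid].domain, True


if __name__ == "__main__":
    for trust in (2, 1, 0):
        print(trust, *forward(Packet("10.0.0.1", "10.9.0.9", trust), "A"))
```

Running the model with the three constructed trust levels shows the two decision points that matter for an operator: the trust-2 packet crosses domains A and B and is delivered with both identifiers popped, the trust-1 packet is steered to domain C and discarded at C's border because BSID-C was never advertised as valid outside C, and the trust-0 packet is dropped at the first head node because no inter-domain route of that trust level exists. In each failure case the packet is dropped rather than silently downgraded to a less trusted path, which is the property a deployment should verify and log.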
PCT/CN2023/102915 2022-10-28 2023-06-27 Packet forwarding method and apparatus, device, storage medium, and computer program WO2024087688A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211338787.3A CN117955890A (en) 2022-10-28 2022-10-28 Message forwarding method, device, equipment, storage medium and computer program
CN202211338787.3 2022-10-28

Publications (1)

Publication Number Publication Date
WO2024087688A1 true WO2024087688A1 (en) 2024-05-02

Family

ID=90800104

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/102915 WO2024087688A1 (en) 2022-10-28 2023-06-27 Packet forwarding method and apparatus, device, storage medium, and computer program

Country Status (2)

Country Link
CN (1) CN117955890A (en)
WO (1) WO2024087688A1 (en)


Also Published As

Publication number Publication date
CN117955890A (en) 2024-04-30
