CN111416827B - Method for discovering network function NF according to security level - Google Patents
Method for discovering network function NF according to security level Download PDFInfo
- Publication number
- CN111416827B CN111416827B CN202010220042.1A CN202010220042A CN111416827B CN 111416827 B CN111416827 B CN 111416827B CN 202010220042 A CN202010220042 A CN 202010220042A CN 111416827 B CN111416827 B CN 111416827B
- Authority
- CN
- China
- Prior art keywords
- security level
- nrf
- security
- network
- level
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 37
- 238000002955 isolation Methods 0.000 claims description 10
- 238000012795 verification Methods 0.000 claims description 10
- 230000008901 benefit Effects 0.000 abstract description 3
- 230000000977 initiatory effect Effects 0.000 description 4
- 238000007726 management method Methods 0.000 description 3
- 238000012544 monitoring process Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method for discovering network function NF according to security level, which is characterized by comprising the following steps: configuring the security level of a network function NF; a network storage function (NRF) receives a registration request and verifies the security level; and the network storage function NRF receives the discovery request and discovers the NF according to the security level. Compared with the prior art, the method for discovering the network function NF according to the security level, disclosed by the invention, has the advantages that when each NF is accessed into the network, the corresponding security level is configured for the NF, and for NF service users with different security levels, NRF provides NF service providers discovering the corresponding security levels, so that mutual access or service calling among NF with the same security level requirement is ensured, the potential safety hazard is avoided, and the requirement of 5GC network element security protection level is met.
Description
Technical Field
The present invention relates to the field of wireless communications, and more particularly, to a method for discovering Network Function (NF) according to security level.
Background
The system architecture of the fifth generation mobile communication system (5G) is based on Service Based Architecture (SBA), elements in the system architecture are defined as Network Functions (NFs) composed of services, each NF provides services to the outside through a service interface, and allows other NFs to access or call their own services. All NFs implement automated management through a network function storage function (NRF). Each NF must be registered (NFRegister) with the NRF to provide services when it is started, and a NF must first perform service discovery (NFDiscover) through the NRF in order for another NF to provide services. The NF that provides a service is called a "NF service provider" and the NF that accesses or invokes a service is called a "NF service consumer".
In a 5G core network (hereinafter referred to as a 5GC), there may be multiple deployments of the same NF, including on various hardware logic and virtual hardware platforms. The NRF needs to select an optimal NF to return to the NF service user. In the prior art, one NF is usually returned according to comprehensive judgment of NF priority, capacity condition, load condition and the like.
However, in real world applications, the safety level of NF is critical. For example, NFs serving governments, public security agencies, finance and various special industries often need a very high security level, while NFs applied to the internet of things are relatively low in security level, and if NF service providers are selected only according to the information, mutual access and call among NFs with different security levels may be caused, thereby causing great potential safety hazards.
Disclosure of Invention
Therefore, the inventors propose a method of discovering a network function NF according to a security level; the method configures different security levels for the NF according to the network environments of different NF and the security policy and the authority during access. For NF service consumers of different security levels, the NRF returns the NF service provider of the corresponding security level.
The embodiment of the application provides a method for discovering network function NF according to security level, which comprises the following steps:
configuring the security level of a network function NF;
a network storage function (NRF) receives a registration request and verifies the security level;
and the network storage function NRF receives the discovery request and discovers the NF according to the security level.
Further, configuring the security level of the network function NF; the method specifically comprises the following steps:
determining a security level parameter subset according to the network environment, the security policy and the authority of the NF to be accessed; and determining the security level of the different security level parameter subsets according to the combination of the different security level parameter subsets. The security level of the NF is configured and recorded at the central database.
In the method, when each NF is accessed to the network, different security constraint conditions are set for each NF according to the network environment and different security policies and authority requirements, and the sets of the different security constraint conditions correspond to different security levels, so that each NF is ensured to determine a specific security level for the NF in advance when being accessed to the network, and the security levels are configured and recorded in the central database.
Further, the network storage function NRF receives the registration request and verifies the security level; the method specifically comprises the following steps:
the NRF receives a registration request sent by the NF, wherein the registration request carries the security level of the NF; the NRF requests the security level of the NF from the central database; the NRF receiving center database returns the safety level of NF; the NRF checks the security level of the NF and feeds back to the NF.
The feedback result specifically includes: when the security level carried by the NF is consistent with the security level returned by the central database, the NRF feeds back the NF to pass verification, and NF registration is completed;
or,
and when the security level carried by the NF is not consistent with the security level returned by the central database, the NRF feeds back the verification to the NF to be failed, and the registration is terminated.
In the above method, when each NF registers with the NRF, the NRF checks its security level in addition to performing the operations specified in the 3GPP specifications. The NF needs to carry the security level when initiating a registration request to the NRF, the NRF requests the security level of the NF from a central database after receiving the registration request of the NF, the central database inquires the security level of the NF and sends the security level of the NF to the NRF according to a local configuration record, the NRF compares the received security level of the NF returned by the central database with the security level carried by the NF initiating the registration, and if the received security level of the NF returned by the central database is consistent with the received security level carried by the NF initiating the registration, the NF is fed back to pass the verification, and the registration is completed. If not, the NF is fed back to check failure, and the registration is terminated. Thus, the security level of each NF that completes registration is guaranteed to be consistent with its pre-configured security level.
Further, the network storage function NRF receives the discovery request, and discovers the NF according to the security level. The method specifically comprises the following steps:
the NRF receives a discovery request sent by an NF service user, wherein the discovery request carries the security level of the NF service user; the NRF inquires whether an NF service provider meeting the safety grade exists in a central database according to the safety grade of the NF service user; and the NRF feeds back to the NF service user according to the query result.
The feedback result specifically includes: when the NF service provider which accords with the safety level exists, the NRF returns the configuration information of the NF service provider which accords with the safety level to the NF service user;
or,
when no NF service provider conforming to the security level exists, the NRF returns the query failure information to the NF service user.
In the above method, when each NF service user requests to the NRF to discover the NF service provider, the NRF performs the operations specified in the 3GPP specification and matches the corresponding NF according to its security level. The NF service user needs to carry the security level when initiating a service discovery request to the NRF, after the NRF receives the service discovery request of the NF service user, the NRF requests the central database to inquire whether NF service providers meeting the security level exist according to the security level of the NF service user, the central database inquires according to the local configuration record and sends the result to the NRF, and the NRF feeds back whether the NF service providers meeting the security level exist to the NF service user according to the received result returned by the central database and by combining the condition in the discovery request. If yes, returning the configuration information of the NF service provider to the NF service user; if not, returning the query failure information. Therefore, when the NF service user initiates a service discovery request, the matched NF service provider is selected according to the security level, so that the security levels of the two parties are consistent, and the potential safety hazard caused by mutual access or service calling between NF service providers with different security levels is avoided.
Preferably, the NRF queries the central database for the performance parameters of the NF service providers when the NF service providers meeting the security level exist according to the security level of the NF service user. The performance parameters include, but are not limited to, load, capacity, and priority.
By comprehensively inquiring the performance parameters of the NF service provider, a more preferable NF service provider can be found, and the service access and calling efficiency is further improved.
Preferably, the security level parameter subset is determined according to the network environment, security policy and authority where the NF to be accessed is located, including but not limited to:
the parameter operating _ environment. The parameter operating _ environment comprises a cloud service environment closed _ service and a private physical server environment physical _ isolation, and is used for representing the operating environment of the NF;
parameter NF _ verify. The parameter NF _ verify is a Boolean value and is used for indicating whether the NF digital signature needs to be checked;
the parameter network _ flow _ monitor. The parameter network _ flow _ monitor is a boolean value and is used for indicating whether the network manager needs to monitor the flow of the UPF in real time;
the parameter NFUpdate _ limit. The parameter NFUpdate _ limit is a boolean value used to indicate whether access to the NF is restricted from updating the security level field using the NFUpdate interface of the NRF.
The invention has the following beneficial effects:
compared with the prior art, the method for discovering the network function NF according to the security level, disclosed by the invention, has the advantages that when each NF is accessed into the network, the corresponding security level is configured for the NF, and for NF service users with different security levels, NRF provides NF service providers discovering the corresponding security levels, so that mutual access or service calling among NF with the same security level requirement is ensured, the potential safety hazard is avoided, and the requirement of 5GC network element security protection level is met.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic diagram of the architecture of NF target discovery via NRF in 5 GC.
Fig. 2 is a flowchart illustrating security level verification when a network function NF registers with an NRF according to a method for discovering the NF according to the present application.
Fig. 3 is a flowchart of security level verification when an NF discovers a target NF to an NRF according to a method for discovering a network function NF provided by the present application.
Fig. 4 is a flowchart of discovering a target NF to an NRF according to a network environment in a method for discovering a network function NF according to a security level provided by the present application.
Fig. 5 is a flowchart of discovering a target NF to an NRF according to whether a digital signature needs to be verified by the NF in the method for discovering a network function NF according to a security level provided by the present application.
Detailed Description
The technical solution of the present application will be described clearly and completely with reference to the following embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In 5GC, there may be multiple deployments of the same NF, and the NRF needs to select an optimal NF to return to the NF service user. Referring to fig. 1, the access and mobility management function AMF is the NF service consumer who requests the NRF to discover a unified data management function UDM.
In the present application, the NRF discovers the network function NF according to the security level, and the specific method includes:
step S1: configuring the security level of a network function NF; the method specifically comprises the following steps:
s101, determining the security level of NF to be accessed;
when each NF is accessed to the network, the security level parameter subset of each NF is determined according to the network environment, the security policy and the authority of the NF; and determining the security level of the different security level parameter subsets according to the combination of the different security level parameter subsets.
The network environment of the NF can be a completely private physical server or a cloud service environment; either the core side or the edge side. Different network environments represent different security level parameter subsets. The security policies and permissions of NF access include, but are not limited to, access control, access permission, security checksum authentication, and related status information of whether to monitor NF in real time, and each policy corresponds to a subset of security parameters. And determining the safety level of the NF according to the combination of different safety level parameter subsets. Specifically, the security level is defined as:
a set R, different security levels Si ═ R { S1, S2, S3, S4, S5 … Sn }; each security level corresponds to a combination of different security level parameter subsets, and each security level parameter subset corresponds to a network environment, a security policy and a right where different constraint conditions NF are located.
And step S102, configuring and recording the safety level of the NF in a central database.
The central database may be a logical central database, and the logical central database may be composed of one physical central database or a plurality of physical central databases. When composed of a plurality of physical center databases, each physical center database may be configured and recorded with information of all NFs, or configured and recorded with information of only a part of NFs. The central database can be a database of a 5GC network manager, can also be a database of the NRF, and can also be an independent database. It is to be noted how the central database is arranged does not affect the logical execution steps of the method of the invention for discovering a network function NF on the basis of a security level.
Step S2: a network storage function (NRF) receives a registration request and verifies the security level;
when NF is started, it needs to register with NRF first, and when NFRegister is executed, NRF checks its security level in addition to performing the operations specified in the 3GPP specifications.
The specific process is shown in FIG. 2. The method comprises the following steps:
step S201, NRF receives a registration request sent by NF, wherein the registration request carries the safety level of NF;
the NF sends a registration request to the NRF, wherein the registration request carries the security level of the NF, and the NRF accepts the registration request sent by the NF.
Step S202, NRF requests the security level of NF from a central database;
s203, the NRF receiving center database returns the safety level of the NF;
the central database returns the security level of the NF, and the NRF receives the security level of the NF returned by the central database.
And S204, the NRF checks the safety level of the NF and feeds back the safety level to the NF.
The matching algorithm of the NRF verification security level process is as follows:
f (request security level): security level carried by the NF request;
f (save security level): the central database maintains the security level of the NF.
Definition of f (verify level) and f (save verify level),
when the F (verify result) result is true, the check is passed.
When the security level carried by the NF is consistent with the security level returned by the central database, the NRF feeds back the NF to pass verification, and NF registration is completed;
or,
and when the security level carried by the NF is not consistent with the security level returned by the central database, the NRF feeds back the verification to the NF to be failed, and the registration is terminated.
Step S3: and the network storage function NRF receives the discovery request and discovers the NF according to the security level.
When an NF needs to have other NFs provide services, service discovery (NFDiscover) must first be performed through the NRF. The NF that provides a service is called a "NF service provider" and the NF that accesses or invokes a service is called a "NF service consumer". When the NF invokes the NFDiscover interface of the NRF to discover the network element, the NRF returns the NF that meets the security level, and the specific flow is as shown in fig. 3.
Step S301, NRF receives a discovery request sent by NF service user, wherein the discovery request carries the security level of the NF service user;
the NF service consumer sends a discovery request to the NRF, which carries the security level of the NF service consumer. The NRF receives a discovery request sent by the NF service user.
Step S302, NRF inquires whether NF service provider meeting the safety grade exists in the central database according to the safety grade of NF service user;
the algorithm for the NRF to query whether there is a NF service provider that meets the security level is as follows:
f (request security level): the NF finds that the request carries the security level;
f (save security level): the central database maintains the security level of the NF.
F(result)=F(request security level)∩F(save security level),
And returning a NF service provider list which conforms to the F (result) and has a true result.
Step S303, the NRF feeds back to the NF service user according to the query result.
When the NF service provider which accords with the safety level exists, the NRF returns the configuration information of the NF service provider which accords with the safety level to the NF service user;
or,
when no NF service provider conforming to the security level exists, the NRF returns the query failure information to the NF service user.
As a preferred embodiment, when the NRF queries the central database whether there is an NF service provider that meets the security level according to the security level of the NF service user, it queries the performance parameters of the NF service provider at the same time. The performance parameters include, but are not limited to, load, capacity, and priority.
Taking the case that when the NRF queries whether there is an NF service provider that meets the security level, the load condition of the NF service provider is queried at the same time, the query algorithm is as follows:
f (request security level): the NF finds that the request carries the security level;
f (save security level): the central database stores the safety level of NF;
f (load): a load condition.
F(result)=F(request security level)∩F(save security level)∩F(Load),
And returning a NF service provider list which conforms to the F (result) and has a true result.
As a preferred embodiment, the subset of parameters that determine the security level include, but are not limited to:
the parameter operating _ environment comprises a cloud service environment closed _ service and a private physical server environment physical _ isolation, and is used for representing the operating environment of the NF;
a parameter NF _ verify; the parameter NF _ verify is a Boolean value and is used for indicating whether the NF digital signature needs to be checked;
the parameter network _ flow _ monitor; the parameter network _ flow _ monitor is a Boolean value and is used for indicating whether the network manager needs to monitor the flow of the UPF in real time;
the parameter NFUpdate _ limit; the parameter NFUpdate _ limit is a boolean value used to indicate whether to restrict access to the NFUpdate interface update security level field of the NRF by the NF.
The specific definition method is as follows:
(1) the operating _ environment running environment is the security level defined by the environment in which the NF is located. The operating _ environment is defined as { closed _ service, physical _ isolation }, which is sequentially 0 and 1.
The cloud _ service represents that the cloud _ service is completely deployed in a cloud service environment, and the security depends on the cloud service environment;
the physical _ isolation is high in safety, the network element is deployed in a completely private physical server, and a specially-assigned person is responsible for supervision.
Specifically, referring to fig. 4, taking the SMF requesting the AMF as an example, the SMF discovers the AMF through the NFDiscover. Carrying the security isolation as physical _ isolation, the NRF searches for the AMF conforming to the physical _ isolation and returns the AMF conforming to the condition.
(2) NF _ verify definition: whether the digital signature needs to be verified.
NF _ verify is { false, true }, which is defined as 0, 1, and true is the check. When NF registers to NRF using NFRegister interface, it needs to carry its own digital signature. The NRF needs to verify whether the digital signature of the NF accords with a permission request list pre-configured by a 5GC network manager or not, so that illegal network element access is prevented, and the safety of the 5GC is damaged.
Specifically, referring to fig. 5, taking an example where an SMF requests access to an NRF, the SMF initiates a registration request via the NFRegister, and the NRF verifies that the digital signature of the SMF conforms to the grant list. If yes, returning the permission information to finish the registration. If not, returning rejection information and details.
(3) network _ flow _ monitor defines: for UPF access, whether the network management is required to monitor the UPF flow in real time or not is required.
network _ flow _ monitor, which is defined as 0, 1, and true, is monitoring. When the UPF accesses to the NRF, this field information needs to be carried. And when the value is set to true, the UPF sends an alarm to the 5GC network manager when finding that the traffic information is illegal.
(4) NFUpdate _ limit definition: whether the access network element is restricted from updating the security class field using the NFUpdate interface of the NRF.
NFUpdate _ limit ═ { false, true }, which is defined as 0, 1 in this order. The parameter is used for preventing the network element with low security level from illegally increasing the security level of the network element.
The following takes specific definitions of the security levels S1/S2/S3 as an example to further illustrate the definition of the security levels and their application in the NRF to discover the network function NF according to the security levels. It should be noted that in practical applications, the definition of the security level can be dynamically extended according to the requirements.
(1) S1: security level 1
This level is the highest security level and is set as follows:
security_level={operating_environment,NF_verify,network_flow_monitor,NFUpdate_limit}={1,1,1,1}。
setting the operating _ environment level as physical _ isolation, and adopting a completely private physical server; the NF _ verify grade is set to true, and the NRF needs to verify whether the digital signature of the NF conforms to a permission request list pre-configured by a central database; setting the network _ flow _ monitor grade to true, monitoring UPF illegal flow information, and preventing illegal information from being transmitted out through 5 GC; and setting the NFUpdate _ limit level to true, and limiting the NF to use the NFUpdate interface to upgrade the security level field so as to prevent the network element from upgrading the right.
The setting can be used in the scenes with extremely high requirements on the security of the private network, such as departments of financial institutions, public security institutions and the like.
(2) S2: security level 2
This level is a relative security level, set as follows:
security_level={operating_environment,NF_verify,network_flow_monitor,NFUpdate_limit}={1,1,0,1}。
setting the operating _ environment level as physical _ isolation, and adopting a completely private physical server; the NF _ verify level is set to true; the NRF needs to verify whether the digital signature of the NF conforms to a permission request list pre-configured by a central database; the network _ flow _ monitor level is set to false, and the UPF flow is not monitored; and setting the NFUpdate _ limit level to true, and limiting the NF to use the NFUpdate interface to upgrade the security level field so as to prevent the network element from upgrading the right.
The setting can be used for enterprises with relatively high security requirements, such as large-scale enterprises, and enterprises with relatively high security requirements on the core network.
(3) S3: security level 3
This level is an open security level, set as follows:
security_level={operating_environment,NF_verify,network_flow_monitor,NFUpdate_limit}={0,1,0,1}。
setting the operating _ environment level as a cloud _ service, and deploying a 5GC by adopting a cloud; the NF _ verify level is set to true; the NRF needs to verify whether the digital signature of the NF is a permission request list pre-configured by the central database; the network _ flow _ monitor level is set to false, and the UPF flow is not monitored; the NFUpdate _ limit level is set to true, restricting the NF from upgrading the security level field using the NFUpdate interface.
The setting can be used for enterprises with lower security requirements, such as private enterprises, and enterprises with low cost and low security requirements on the core network are needed.
In summary, the present patent provides a method for discovering a network function NF by an NRF according to a security level, and different security levels are configured for the NF according to network environments where different NFs are located and security policies and permissions during access. For NF service consumers of different security levels, the NRF returns the NF service provider of the corresponding security level. Based on the method for discovering NF according to the security level, a security service system model is provided, the overall security of the 5GC is improved, the illegal network intrusion is prevented, and the security of user data is protected. And a negotiation flow between NF is designed, so that value-added security service is realized for different users, the user cost is saved, and the user benefit is improved.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
The above examples are given for the purpose of illustrating the invention clearly and not for the purpose of limiting the same, and it will be apparent to those skilled in the art that, in light of the foregoing description, numerous modifications and variations can be made in the form and details of the embodiments of the invention described herein, and it is not intended to be exhaustive or to limit the invention to the precise forms disclosed.
Claims (6)
1. A method for discovering network functions NF based on security level, comprising:
configuring the security level of a network function NF, specifically comprising:
determining a security level parameter subset according to the network environment, the security policy and the authority of the NF to be accessed;
determining the security level of the combination of different security level parameter subsets;
configuring and recording the safety level of NF in a central database;
a network storage function (NRF) receives a registration request and verifies the security level;
the method for discovering the NF according to the security level includes the following steps that a network storage function (NRF) receives a discovery request and discovers the NF according to the security level:
the NRF receives a discovery request sent by the NF service user, wherein the discovery request carries the security level of the NF service user,
NRF inquires the central database whether NF service provider in accordance with safety grade exists according to the safety grade of NF service user,
and the NRF feeds back to the NF service user according to the query result.
2. The method of claim 1, wherein the network storage function NRF receives the registration request and verifies the security level, and specifically comprises:
the NRF receives a registration request sent by the NF, wherein the registration request carries the security level of the NF;
the NRF requests the security level of the NF from the central database;
the NRF receiving center database returns the safety level of NF;
the NRF checks the security level of the NF and feeds back to the NF.
3. The method of claim 2, wherein the NRF checks the security level of the NF and feeds back the security level to the NF, and specifically comprises:
when the security level carried by the NF is consistent with the security level returned by the central database, the NRF feeds back the NF to pass verification, and NF registration is completed;
or,
and when the security level carried by the NF is not consistent with the security level returned by the central database, the NRF feeds back the verification to the NF to be failed, and the registration is terminated.
4. The method of claim 1, wherein the NRF feeds back to the NF service user according to the query result, and the method comprises:
when the NF service provider which accords with the safety level exists, the NRF returns the configuration information of the NF service provider which accords with the safety level to the NF service user;
or,
when no NF service provider conforming to the security level exists, the NRF returns the query failure information to the NF service user.
5. The method of claim 4, wherein the NRF queries the central database for performance parameters of NF service providers including load, capacity and priority if a NF service provider meeting the security class exists according to the security class of the NF service user.
6. The method for discovering, by the NRF, the network function NF according to security level of any of claims 1 to 5, wherein determining the security level parameter subset according to the network environment, security policy and rights under which the NF to be accessed is located comprises:
the parameter operating _ environment comprises a cloud service environment closed _ service and a private physical server environment physical _ isolation, and is used for representing the operating environment of the NF;
a parameter NF _ verify; the parameter NF _ verify is a Boolean value and is used for indicating whether the NF digital signature needs to be checked;
the parameter network _ flow _ monitor; the parameter network _ flow _ monitor is a Boolean value and is used for indicating whether the network manager needs to monitor the flow of the UPF in real time;
the parameter NFUpdate _ limit; the parameter NFUpdate _ limit is a boolean value used to indicate whether to restrict access to the NFUpdate interface update security level field of the NRF by the NF.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010220042.1A CN111416827B (en) | 2020-03-25 | 2020-03-25 | Method for discovering network function NF according to security level |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010220042.1A CN111416827B (en) | 2020-03-25 | 2020-03-25 | Method for discovering network function NF according to security level |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111416827A CN111416827A (en) | 2020-07-14 |
| CN111416827B true CN111416827B (en) | 2021-09-21 |
Family
ID=71494416
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010220042.1A Active CN111416827B (en) | 2020-03-25 | 2020-03-25 | Method for discovering network function NF according to security level |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111416827B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2023242743A1 (en) * | 2022-06-17 | 2023-12-21 | Lenovo (Singapore) Pte. Ltd. | Security management of trusted network functions |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114071465B (en) * | 2020-07-31 | 2024-08-06 | 维沃移动通信有限公司 | Access control method, device and communication equipment |
| US20230362199A1 (en) * | 2020-10-09 | 2023-11-09 | Nokia Technologies Oy | Mechanism for dynamic authorization |
| CN115297457A (en) * | 2022-08-02 | 2022-11-04 | 中国电信股份有限公司 | Service management method, service management apparatus, communication system, and storage medium |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109379206B (en) * | 2017-08-07 | 2022-04-22 | 华为技术有限公司 | Management method of network function information and related equipment |
| JP2021010041A (en) * | 2017-09-26 | 2021-01-28 | 株式会社Nttドコモ | Management device and network configuration control method |
| CN109673037B (en) * | 2017-10-17 | 2021-04-20 | 华为技术有限公司 | Network function discovery method and equipment |
| CN109688586B (en) * | 2017-10-19 | 2021-12-07 | 中兴通讯股份有限公司 | Network function authentication method and device and computer readable storage medium |
| CN109803242B (en) * | 2017-11-17 | 2021-09-03 | 中兴通讯股份有限公司 | Method, apparatus and readable storage medium for NF discovery through NRF |
| US10243789B1 (en) * | 2018-07-18 | 2019-03-26 | Nefeli Networks, Inc. | Universal scaling controller for software network functions |
| CN110740464A (en) * | 2018-07-20 | 2020-01-31 | 普天信息技术有限公司 | NF service discovery method and device |
| CN110913439A (en) * | 2018-09-17 | 2020-03-24 | 华为技术有限公司 | Network element selection method and device |
-
2020
- 2020-03-25 CN CN202010220042.1A patent/CN111416827B/en active Active
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2023242743A1 (en) * | 2022-06-17 | 2023-12-21 | Lenovo (Singapore) Pte. Ltd. | Security management of trusted network functions |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111416827A (en) | 2020-07-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111416827B (en) | Method for discovering network function NF according to security level | |
| CN112106336B (en) | Agent and agent account book on blockchain | |
| CN102947797B (en) | The online service using directory feature extending transversely accesses and controls | |
| US8935398B2 (en) | Access control in client-server systems | |
| US7747722B2 (en) | Device management method for device management system | |
| US8914421B2 (en) | Data management at a directory database | |
| US11638141B1 (en) | Remote sim unlock (RSU) implementation using blockchain | |
| CN103890726A (en) | Application installation system | |
| US10432642B2 (en) | Secure data corridors for data feeds | |
| US11405402B2 (en) | System and method for implementing a computer network | |
| JP2003504721A (en) | Reconfiguration manager that controls electronic device upgrades | |
| EP2856385A1 (en) | Managing distributed operating system physical resources | |
| US10621111B2 (en) | System and method for unified secure remote configuration and management of multiple applications on embedded device platform | |
| CN104079437B (en) | Realize the method and terminal of rights management control | |
| US7661125B2 (en) | System for providing and utilizing a network trusted context | |
| CN102972005A (en) | Consigning authentication method | |
| WO2022212949A1 (en) | Identity query language systems and methods | |
| CN103069767B (en) | Consigning authentication method | |
| CN102377589B (en) | Right management control method and terminal | |
| CN113992406A (en) | Authority access control method for alliance chain cross-chain | |
| CN111966994B (en) | Block chain authentication method, system and storage medium based on database | |
| US10432641B2 (en) | Secure data corridors | |
| CN106533688A (en) | Security authentication method and device | |
| KR101317403B1 (en) | Private information management system on trust level and method thereof | |
| WO2018125991A1 (en) | Secure data corridors for data feeds |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |