CN114095158A - Network slice selection method, system, device and storage medium - Google Patents

Network slice selection method, system, device and storage medium

Info

Publication number: CN114095158A
Authority: CN (China)
Prior art keywords: identifier, equipment, network slice, service, terminal equipment
Legal status: Pending
Application number: CN202111299230.9A
Other languages: Chinese (zh)
Inventors: 张建宇, 孟阼君, 陆晨晖
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN202111299230.9A; publication of CN114095158A
Classifications (CPC)

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0825 Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L 9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0893 Assignment of logical groups to network elements
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/34 Source routing
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
Abstract

The invention provides a network slice selection method, a system, equipment and a storage medium, wherein the method comprises the following steps: the access gateway receives the networking requirement of at least one target service sent by the terminal equipment based on the updated IP packet header, extracts the equipment identification of the terminal equipment and the service identification of the target service from the updated IP packet header to perform access authentication on the equipment identification of the terminal equipment, and selects a corresponding target network slice according to the service identification under the condition that the access authentication is passed. The invention can realize the equipment access authentication of the terminal equipment and the network slice selection based on the service identification at the access gateway, and solves the problem of multi-head distributed management of the equipment access authentication and the network slice selection in the prior art. Because the equipment access authentication and the network slice selection are executed in a centralized manner at one end, the consistency of time management can be ensured, and the networking configuration efficiency of the terminal equipment and the network slice can be improved.

Description

Network slice selection method, system, device and storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a method, system, device, and storage medium for selecting a network slice.
Background
With the continuous emergence of various communication services, the requirements of different communication services on network performance are significantly different, and a concept of Network Slice (NS) is introduced to cope with the difference of the requirements of different communication services on network performance.
The network slice refers to a set of logic network functional entities supporting specific communication service requirements, and realizes a service that can be customized for a communication service mainly by means of a Software Defined Network (SDN) technology and a Network Function Virtualization (NFV) technology. SDN separates network forwarding functions from network control functions, with the goal of creating a centrally manageable and programmable network. NFV abstracts network functions from hardware. NFV supports SDN by providing an infrastructure that can run SDN software.
Selecting a network slice per service on the terminal device lets the terminal device offer diversified services to users, so providing network slice selection for terminal devices efficiently is a subject of common research in the industry.
Disclosure of Invention
The invention aims to provide a network slice selection method, a system, equipment and a storage medium, which solve the problems in the prior art, can perform terminal equipment authentication and network slice selection on an access gateway of a network layer, and solve the problem of low network slice selection efficiency caused by separation of terminal equipment authentication and network slice selection.
The embodiment of the invention provides a network slice selection method, which is applied to terminal equipment and comprises the following steps:
calling an IP protocol stack according to the networking requirement of at least one target service;
embedding the equipment identification of the terminal equipment and the service identification of the target service into an IP packet header in an IP protocol stack to obtain an updated IP packet header;
and taking the updated IP packet header as a data encapsulation head of the networking requirement, and sending the networking requirement to an access gateway, wherein the equipment identifier is used for the access gateway to perform access authentication on the terminal equipment, and the service identifier is used for selecting a corresponding target network slice for the terminal equipment under the condition that the access authentication is passed.
Preferably, the method further comprises:
before embedding the equipment identifier of the terminal equipment and the service identifier of the target service into an IP packet header in an IP protocol stack, signing the equipment identifier by using an equipment private key to obtain the equipment identifier with signature information;
embedding the device identification of the terminal device and the service identification of the target service into an IP packet header in an IP protocol stack, comprising:
and embedding the equipment identifier with the signature information and the service identifier of the target service into an IP packet header in an IP protocol stack.
Preferably, embedding the device identifier of the terminal device and the service identifier of the target service into the IP packet header in the IP protocol stack includes:
the device identification of the terminal device and the service identification of the target service are embedded in SRv6 labels of the IP packet header in the IP protocol stack.
The embodiment of the invention also provides a network slice selection method, which is applied to the access gateway and comprises the following steps:
receiving the networking requirement of at least one target service sent by the terminal equipment based on the updated IP packet header;
extracting the equipment identifier of the terminal equipment and the service identifier of the target service from the updated IP packet header;
performing access authentication on the equipment identifier of the terminal equipment;
and under the condition that the access authentication is passed, selecting a corresponding target network slice for the terminal equipment according to the service identifier.
Preferably, the performing access authentication on the device identifier of the terminal device includes:
and under the condition that the equipment identifier has signature information, acquiring a public key and verifying the signature information, wherein the signature information is obtained by utilizing an equipment private key corresponding to the public key to sign the equipment identifier.
Preferably, when the service identifier is an application identifier of a target application running on the terminal device, obtaining the public key includes:
acquiring a corresponding target application matrix according to the application identifier;
and determining a corresponding public key according to the target application matrix.
Preferably, the network slice selection method further comprises:
and accessing the terminal equipment into the network slice according to the networking requirement, and forwarding the data packet through the network slice.
An embodiment of the present invention further provides a network slice selection system, including:
the terminal equipment calls an IP protocol stack according to the networking requirement of at least one target service, embeds the equipment identifier of the terminal equipment and the service identifier of the target service into an IP packet header in the IP protocol stack to obtain an updated IP packet header, uses the updated IP packet header as a data encapsulation head of the networking requirement, and sends the networking requirement to the access gateway;
and the access gateway receives the networking requirement of at least one target service sent by the terminal equipment, extracts the equipment identifier of the terminal equipment and the service identifier of the target service from the updated IP packet header, performs access authentication on the equipment identifier of the terminal equipment, and selects a corresponding target network slice for the terminal equipment according to the service identifier under the condition that the authentication is passed.
The embodiment of the invention also provides a network slice selection device, which is applied to terminal equipment and comprises:
the calling module calls an IP protocol stack according to the networking requirement of at least one target service;
the embedding module is used for embedding the equipment identifier of the terminal equipment and the service identifier of the target service into an IP packet header in an IP protocol stack to obtain an updated IP packet header;
and the authentication initiating module is used for sending the networking requirement to the access gateway by taking the updated IP packet header as a data encapsulation header of the networking requirement, wherein the equipment identifier is used for carrying out access authentication on the terminal equipment by the access gateway, and the service identifier is used for selecting a corresponding target network slice for the terminal equipment under the condition that the access authentication is passed.
The embodiment of the present invention further provides a network slice selection device, which is applied to an access gateway, and includes:
the receiving module is used for receiving the networking requirement of at least one target service sent by the terminal equipment based on the updated IP packet header;
the extraction module extracts the equipment identifier of the terminal equipment and the service identifier of the target service from the updated IP packet header;
the authentication module is used for performing access authentication on the equipment identifier of the terminal equipment;
and the selection module selects a corresponding target network slice for the terminal equipment according to the service identifier under the condition that the access authentication is passed.
An embodiment of the present invention further provides a network slice selecting device, including:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the network slice selection method described above via execution of executable instructions.
Embodiments of the present invention also provide a computer-readable storage medium storing a program that, when executed, implements the steps of the above-described network slice selection method.
The invention aims to provide a network slice selection method, a system, equipment and a storage medium, wherein terminal equipment initiates a networking requirement based on equipment access authentication to an access gateway, the equipment access authentication of the terminal equipment and the network slice selection based on service identification are realized at the access gateway, and the problem of multi-head distributed management of equipment access authentication and network slice selection in the prior art is solved. Because the equipment access authentication and the network slice selection are executed in a centralized manner at one end, the consistency of time management can be ensured, and the networking configuration efficiency of the terminal equipment and the network slice can be improved.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, with reference to the accompanying drawings.
FIG. 1 is a block diagram of a network slice selection system according to an embodiment of the invention;
FIG. 2 is a first flowchart of a network slice selection method according to an embodiment of the present invention;
FIG. 3 is a second flowchart of a network slice selection method according to an embodiment of the present invention;
fig. 4 is a third flowchart of a network slice selection method according to an embodiment of the present invention;
FIG. 5 is a fourth flowchart of a network slice selection method according to an embodiment of the present invention;
FIG. 6 is a fifth flowchart of a network slice selection method according to an embodiment of the present invention;
FIG. 7 is a sixth flowchart of a network slice selection method according to an embodiment of the present invention;
fig. 8 is a first block diagram of a network slice selection apparatus according to an embodiment of the present invention;
fig. 9 is a second block diagram of a network slice selection apparatus according to an embodiment of the present invention;
fig. 10 is a third block diagram of a network slice selection apparatus according to an embodiment of the present invention;
fig. 11 is a fourth block diagram of a network slice selection apparatus according to an embodiment of the present invention;
fig. 12 is a schematic diagram of the operation of a network slice selection system of an embodiment of the present invention.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
The drawings are merely schematic illustrations of the invention and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware forwarding modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In addition, the flow shown in the drawings is only an exemplary illustration, and not necessarily includes all the steps. For example, some steps may be divided, some steps may be combined or partially combined, and the actual execution sequence may be changed according to the actual situation. The use of "first," "second," and similar terms in the detailed description is not intended to imply any order, quantity, or importance, but rather is used to distinguish one element from another. It should be noted that features of the embodiments of the invention and of the different embodiments may be combined with each other without conflict.
In practical applications, it is found that in the prior art, access authentication and service admission configuration of a terminal device are separated and are implemented by different entities, that is, no service differentiation is performed in the device access and data transmission links. This leads to multi-head management and inconsistent time management, which makes operations such as network access management of terminal devices and the selection and connection of network slices complicated, dispersed and inefficient. It is also found that multi-head management and time inconsistency may result in service outages or security risks that remain exposed for too long.
The embodiment of the invention provides a technical scheme for solving the technical problems, equipment access authentication of terminal equipment and network slice selection based on service identification are realized in an access gateway, and the problem of multi-head distributed management of equipment access authentication and network slice selection in the prior art is solved. Because the equipment access authentication and the network slice selection are executed in a centralized manner at one end, the consistency of time management can be ensured, and the configuration efficiency and the connection efficiency of the terminal equipment and the network slice are ensured to be high.
In addition, the embodiment of the invention can also reduce the security risk of service interruption or an over-long exposure window caused by multi-head management.
Fig. 1 is a block diagram of a network slice selection system according to an embodiment of the present invention, where the system includes:
the terminal device 110 calls an IP protocol stack according to the networking requirement of at least one target service, embeds the device identifier of the terminal device 110 and the service identifier of the target service into an IP packet header in the IP protocol stack to obtain an updated IP packet header, uses the updated IP packet header as a data encapsulation header of the networking requirement, and sends the networking requirement to the access gateway 120;
the access gateway 120 receives the networking requirement of at least one target service sent by the terminal device 110, extracts the device identifier of the terminal device 110 and the service identifier of the target service from the updated IP packet header, performs access authentication on the device identifier of the terminal device 110, and selects a corresponding target network slice for the terminal device 110 according to the service identifier when the authentication is passed.
In an optional embodiment, the access gateway 120 may receive and process the networking requirements sent by one or more terminal devices 110, perform device authentication and network slice selection based on the service identifier on the networking requirements of each terminal device 110 collectively, avoid the problem of decentralized execution, and have high network configuration efficiency for the terminal devices.
Meanwhile, because network slice selection is performed at the access gateway based on the service identifier, the various services can be split and isolated at the first hop of the access link. This addresses the prior-art problem that services are not isolated on the transmission link, provides a degree of service security, reduces the number of configuration steps, and is more efficient.
In an alternative embodiment, the terminal device 110 may be a smart phone, a notebook computer, a tablet computer, a camera device, or the like, or the terminal device 110 may be an industrial application device such as a remote terminal unit (RTU) or a programmable logic controller (PLC), and is not limited in detail herein.
The RTU is a microprocessor-controlled electronic device that serves as an interface to field devices: it feeds data into a distributed control system or a supervisory control and data acquisition (SCADA) system, transmits telemetry data to a host system, and uses data from the host monitoring system to control the connected devices. The RTU may also be interpreted as a remote telemetry device or a remote control device.
The PLC is a digital electronic device with a microprocessor, is a digital logic controller for automatic control, and can load control instructions into a memory at any time for storage and operation.
In an alternative embodiment, the access gateway may be an optical network unit (ONU), which is configured to convert between optical and electrical signals and to multiplex and demultiplex the optical signal. The ONU is commonly called an optical modem, although where a modem performs analog-to-digital conversion for communication, the ONU converts between optical and electrical signals.
Fig. 2 is a flowchart of a network slice selection method according to an embodiment of the present invention, where an execution subject of the method is a terminal device to be accessed to a network or an application installed in the terminal device, which is not limited herein.
Referring to fig. 2, a network slice selection method provided by the embodiment of the present invention includes the following steps:
step 210: calling an IP protocol stack according to the networking requirement of at least one target service;
step 220: embedding the equipment identification of the terminal equipment and the service identification of the target service into an IP packet header in an IP protocol stack to obtain an updated IP packet header;
step 230: and taking the updated IP packet header as a data encapsulation head of the networking requirement, and sending the networking requirement to an access gateway, wherein the equipment identifier is used for the access gateway to perform access authentication on the terminal equipment, and the service identifier is used for selecting a corresponding target network slice for the terminal equipment under the condition that the access authentication is passed.
In this embodiment, the service identifier is identification information for determining a specific service. One network slice can carry one or a class of service, so that a certain corresponding relation exists between the network slice and the service identifier.
The IP packet header is modified at one side of the terminal equipment, the equipment identifier and the service identifier are embedded into the IP packet header and are sent to the access gateway, and then equipment access authentication and network slice selection based on the service identifier are carried out at one side of the access gateway, so that the problem of low network access configuration efficiency of the terminal equipment caused by equipment access authentication and network slice selection decentralized management in the related technology is solved.
In alternative embodiments, the service identifier may be an application identifier of a target application providing the service, or identification information of a controller performing a specific service function within the terminal device.
Fig. 3 is a flowchart of an alternative embodiment of a network slice selection method provided in the present invention, where the method specifically includes the following steps:
step 310: calling an IP protocol stack according to the networking requirement of at least one target service;
step 320: signing the equipment identification by using an equipment private key to obtain the equipment identification with signature information;
step 330: embedding the equipment identification with signature information and the service identification of the target service into an IP packet header in an IP protocol stack to obtain an updated IP packet header;
step 340: and taking the updated IP packet header as a data encapsulation head of the networking requirement, and sending the networking requirement to an access gateway, wherein the equipment identifier is used for the access gateway to perform access authentication on the terminal equipment, and the service identifier is used for selecting a corresponding target network slice for the terminal equipment under the condition that the access authentication is passed.
In this embodiment, an asymmetric signature technology is adopted, the device identification is signed by using the device private key on the side of the terminal device, and then the signature information is verified by using the public key corresponding to the device private key on the side of the access gateway.
With asymmetric signatures, the device private key and the corresponding public key are separate: the private key is held by the terminal device, the public key is public, and only a signature made with the genuine device private key verifies under that public key. Even if an impersonated device identifier is used, the private key will be wrong and signature verification fails, so the asymmetric signature scheme strengthens information security.
The device private key may be agreed in advance between the access gateway and the terminal device.
In an alternative embodiment, symmetric encryption technology may be further selected to encrypt the device identifier and perform decryption verification by the access gateway.
In an optional embodiment, the device private key and the service identifier have a preset corresponding relationship. Therefore, before the device identification is signed by the device private key, the corresponding device private key can be obtained according to the service identification.
In this case, each corresponding service has a corresponding device private key.
Referring to fig. 4, in an alternative embodiment, the device identifier of the terminal device and the service identifier of the target service are embedded in the IP protocol stack in SRv6 tags of the IP packet header, such as a service ID and a signature string, where the signature string is signature information.
SRv6 is short for Segment Routing over IPv6 (Segment Routing IPv6). It reuses the existing IPv6 forwarding technology and realizes network programmability through flexible IPv6 extension headers. SRv6 simplifies the set of network protocol types, has good extensibility and programmability, can meet the diverse requirements of more new services, and provides high reliability.
The SRv6 label defines the next-hop address stored in the segment routing list; this embodiment inserts the device identifier and the service identifier of the target service before that address, thereby redefining the next-hop address and providing a new protocol expression. The present embodiment can therefore use the programmability of SRv6 to embed authentication information such as the device identifier and the service identifier in the IP packet header automatically, which enhances the credibility and reliability of the solution.
Fig. 5 is a flowchart of a network slice selection method provided in an embodiment of the present invention, where the execution subject of the method is an access gateway (AG), which is located in the edge access layer of a softswitch architecture and provides an analog subscriber line interface for connecting ordinary telephone subscribers directly to the softswitch network.
In a three-layer IP network, an access gateway generally refers to various IP gateway devices connected to a user host at the edge of the network. A typical access gateway includes: broadband access gateway (BRAS), wireless access gateway (WiFi router), home (access) gateway, various dial-up (protocol) access gateways, private line access gateway, VPN access gateway, enterprise access gateway, etc.
The method comprises the following steps:
step 510: receiving the networking requirement of at least one target service sent by the terminal equipment based on the updated IP packet header;
step 520: extracting the equipment identifier of the terminal equipment and the service identifier of the target service from the updated IP packet header;
step 530: performing access authentication on the equipment identifier of the terminal equipment;
step 540: and under the condition that the access authentication is passed, selecting a corresponding target network slice for the terminal equipment according to the service identifier.
In the embodiment of the invention, the access authentication and network slice selection functions of the terminal equipment are deployed at the access gateway, so that the problem of low network access efficiency caused by the separation processing of the access authentication and the network slice selection in the related technology is solved.
Fig. 6 is a flowchart of an embodiment of a network slice selection method provided in the present invention, where the method includes the following steps:
step 610: receiving the networking requirement of at least one target service sent by the terminal equipment based on the updated IP packet header;
step 620: extracting the equipment identifier of the terminal equipment and the service identifier of the target service from the updated IP packet header;
step 630: under the condition that the equipment identification has signature information, acquiring a public key and verifying the signature information, wherein the signature information is obtained by utilizing an equipment private key corresponding to the public key to sign the equipment identification;
step 640: when the access authentication is passed, selecting a corresponding target network slice for the terminal equipment according to the service identifier.
Steps 610, 620 and 640 correspond to steps 210, 220 and 240 above, respectively, and are not repeated here.
Corresponding to the embodiment shown in fig. 3, the public key and the device private key held on the terminal device side form a key pair. The access gateway uses the public key to verify the signature information: if the correct device identifier is recovered, the signature information is valid and the corresponding target network slice is queried based on the service identifier; if the correct device identifier cannot be recovered, the networking requirement is discarded and the current process ends.
In an optional embodiment, if the service identifier is the application identifier of a target application running on the terminal device, acquiring the public key includes the following steps:
acquiring the corresponding target application matrix according to the application identifier;
determining the corresponding public key according to the target application matrix.
The target application matrix can be used directly as the public key, or the public key can be generated from the target application matrix.
In an optional embodiment, when the access gateway has selected the target network slice, the method further includes:
connecting the terminal equipment to the network slice according to the networking requirement, and forwarding the data packets through that network slice.
This enables immediate service shunting and isolation, and keeps the service transparent to the application.
Fig. 7 is a flowchart of an embodiment of a network slice selection method according to an embodiment of the present invention, where the method specifically includes the following steps:
step 710: an application installed on the terminal equipment initiates a networking send request and calls the IP protocol stack, where the networking send request corresponds to the networking requirement described above;
step 720: the terminal equipment signs the device ID with the device private key, and the signature information and the application ID are embedded in the SRv6 label within the IP protocol stack;
step 730: the access gateway receives the data packet carrying the networking send request from the terminal equipment, acquires the corresponding application matrix using the application ID, acquires the public key from the pre-provisioned application matrix, and verifies the signature information with the public key; if the verification passes, proceed to step 740, otherwise proceed to step 760;
step 740: the access gateway queries and configures policies, which may specifically include: using the application ID to query the shunting policy, the access control policy, the security audit requirements and the like configured for the service provided by that application, opening the corresponding VLAN (Virtual Local Area Network, which here is an example of the target network slice for internet access), and providing the firewall configuration rules of the access gateway;
step 750: according to each preset policy, the VLAN is assigned to the data packets of the terminal equipment, the corresponding filtering policy is executed, and the packets are shunted and forwarded;
step 760: if the authentication fails, the access gateway discards the data packet and ends the process.
In an optional embodiment, a device access authentication and shunting stage is added at the access gateway. The access gateway can then provide timely network shunting based on the network slice selected for each service on each terminal equipment: every service data packet is output by the access gateway to its corresponding network slice, which realizes end-to-end service isolation in the network. Because shunting is performed at the first hop of the access authentication stage, service security is fully ensured and the number of configuration stages is reduced.
Fig. 8 shows a network slice selection device provided in an embodiment of the present invention, where the device is applied to a terminal device and includes:
a calling module 810, which calls an IP protocol stack according to the networking requirement of at least one target application;
an embedding module 820, which embeds the device identifier of the terminal device and the application identifier of the target application into an IP packet header in the IP protocol stack to obtain an updated IP packet header;
an authentication initiating module 830, configured to send the networking requirement to the access gateway, where the device identifier is used by the access gateway to perform access authentication on the terminal device, and the service identifier is used to select a corresponding target network slice for the terminal device when the access authentication is passed.
The implementation principle of the above modules is described in the network slice selection method, and is not described herein again.
The network slice selection device can embed the device identifier and the service identifier into the IP packet header and send them to the access gateway, so that device access authentication and service-identifier-based network slice selection are both realized on the access gateway side. This solves the problem of low network access configuration efficiency for the terminal device caused, in the related art, by managing device access authentication and network slice selection separately.
In an alternative embodiment, the embedding module 820 may be specifically configured to:
embed the device identifier of the terminal device and the service identifier of the target service into the SRv6 label of the IP packet header in the IP protocol stack.
In an alternative embodiment, compared to fig. 8, the network slice selection device shown in fig. 9 further includes:
a signature module 910, configured to sign the device identifier using the device private key, before the device identifier of the terminal device and the service identifier of the target service are embedded into the IP packet header in the IP protocol stack, to obtain a device identifier with signature information;
where the embedding module 920 is specifically configured to:
embed the device identifier with the signature information and the service identifier of the target service into the IP packet header in the IP protocol stack.
Fig. 10 is a structural diagram of a network slice selection device provided in the present invention, where the network slice selection device is applied to an access gateway and includes:
a receiving module 1010, configured to receive the networking requirement of at least one target service sent by a terminal device based on the updated IP packet header;
an extracting module 1020, which extracts the device identifier of the terminal device and the application identifier of the target service from the updated IP packet header;
an authentication module 1030, used to perform access authentication on the device identifier of the terminal device;
a selecting module 1040, which, when the access authentication passes, selects a corresponding target network slice for the terminal device according to the service identifier.
The network slice selection device deploys both terminal device access authentication and network slice selection at the access gateway, and solves the problem of low network access efficiency caused in the related art by processing access authentication and network slice selection separately.
In an alternative embodiment, the authentication module 1030 may specifically be configured to:
when the device identifier carries signature information, acquire a public key and verify the signature information, where the signature information is obtained by signing the device identifier with the device private key corresponding to that public key.
In an alternative embodiment, the authentication module 1030 may specifically be configured to:
acquire the corresponding target application matrix according to the application identifier;
determine the corresponding public key according to the target application matrix.
In an alternative embodiment, referring to fig. 11, compared to fig. 10, the network slice selection device may further include:
a policy execution module 1110, which uses the application ID to query the shunting policy, the access control policy and the security audit requirements configured for the target service, and opens the corresponding VLAN;
a network shunting module 1120, which shunts the data packets of the terminal device according to the shunting policy.
Fig. 12 is a schematic structural diagram of a network slice selection apparatus of the present invention. An electronic device 1200 according to this embodiment of the invention is described below with reference to fig. 12. The electronic device 1200 shown in fig. 12 is only an example and should not impose any limitation on the functions or the scope of use of the embodiments of the present invention.
As shown in fig. 12, the electronic device 1200 takes the form of a general purpose computing device. The components of the electronic device 1200 may include, but are not limited to: at least one processing unit 1210, at least one storage unit 1220, a bus 1230 connecting the various platform components (including the storage unit 1220 and the processing unit 1210), a display unit 1240, and the like.
The storage unit stores program code executable by the processing unit 1210, causing the processing unit 1210 to perform the steps according to the various exemplary embodiments of the present invention described in the network slice selection method section of this specification. For example, the processing unit 1210 may perform the steps shown in any of the embodiments of figs. 2 to 7.
The storage unit 1220 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 1221 and/or a cache memory unit 1222, and may further include a read-only memory unit (ROM) 1223.
The storage unit 1220 may also include a program/utility 1224 having a set (at least one) of program modules 1225, such program modules 1225 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The bus 1230 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 1200 may also communicate with one or more external devices 1250 (e.g., a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 1200, and/or with any device (e.g., a router, a modem, etc.) that enables the electronic device 1200 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 1260. The electronic device 1200 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 1270. The network adapter 1270 may communicate with other modules of the electronic device 1200 via the bus 1230. It should be appreciated that, although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 1200, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage platforms.
Embodiments of the present invention also provide a computer-readable storage medium storing a program which, when executed, implements the steps of the network slice selection method. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code which, when the program product is run on a terminal device, causes the terminal device to carry out the steps according to the various exemplary embodiments of the invention described in the network slice selection method section of this description.
The program product 800 for implementing the above method according to an embodiment of the present invention may employ a portable compact disc read-only memory (CD-ROM), include program code, and be run on a terminal device such as a personal computer. However, the program product of the present invention is not limited in this regard; in this document, a readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer-readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out processes of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
In summary, the present invention is directed to a method, a system, a device and a storage medium for network slice selection, which implement device access authentication of a terminal device and network slice selection based on a service identifier at the access gateway, and thereby solve the problem in the prior art of device access authentication and network slice selection being managed separately by multiple parties. Because device access authentication and network slice selection are executed centrally at one end, consistency of timing can be ensured, and the efficiency of configuring the terminal device and the network slice for networking can be improved.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments, and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all of these shall be considered as falling within the protection scope of the invention.

Claims (12)

1. A network slice selection method, applied to a terminal device, comprising the following steps:
calling an IP protocol stack according to the networking requirement of at least one target service;
embedding the equipment identifier of the terminal equipment and the service identifier of the target service into an IP packet header in the IP protocol stack to obtain an updated IP packet header;
and taking the updated IP packet header as a data encapsulation header of the networking requirement, and sending the networking requirement to an access gateway, wherein the equipment identifier is used for the access gateway to perform access authentication on the terminal equipment, and the service identifier is used for selecting a corresponding target network slice for the terminal equipment under the condition that the access authentication is passed.
2. The method of claim 1, further comprising:
before embedding the equipment identifier of the terminal equipment and the service identifier of the target service into an IP packet header in the IP protocol stack, signing the equipment identifier by using an equipment private key to obtain an equipment identifier with signature information;
embedding the device identifier of the terminal device and the service identifier of the target service into an IP packet header in the IP protocol stack, including:
and embedding the equipment identifier with the signature information and the service identifier of the target service into an IP packet header in the IP protocol stack.
3. The method of claim 1, wherein embedding the device identifier of the terminal device and the service identifier of the target service in an IP header in the IP protocol stack comprises:
and embedding the equipment identifier of the terminal equipment and the service identifier of the target service into an SRv6 label of the IP packet header in the IP protocol stack.
4. A network slice selection method, applied to an access gateway, comprising the following steps:
receiving the networking requirement of at least one target service sent by the terminal equipment based on the updated IP packet header;
extracting the equipment identifier of the terminal equipment and the service identifier of the target service from the updated IP packet header;
performing access authentication on the equipment identifier of the terminal equipment;
and under the condition that the access authentication is passed, selecting a corresponding target network slice for the terminal equipment according to the service identifier.
5. The network slice selection method of claim 4, wherein the performing access authentication on the device identity of the terminal device comprises:
and under the condition that the equipment identifier has signature information, acquiring a public key and verifying the signature information, wherein the signature information is obtained by utilizing an equipment private key corresponding to the public key to sign the equipment identifier.
6. The method according to claim 5, wherein if the service identifier is an application identifier of a target application running on the terminal device, the obtaining a public key includes:
acquiring a corresponding target application matrix according to the application identifier;
and determining the corresponding public key according to the target application matrix.
7. The network slice selection method of claim 4, further comprising:
and accessing the terminal equipment into the network slice according to the networking requirement, and forwarding a data packet through the network slice.
8. A network slice selection system, comprising:
the terminal equipment calls an IP protocol stack according to the networking requirement of at least one target service, embeds the equipment identifier of the terminal equipment and the service identifier of the target service into an IP packet header in the IP protocol stack to obtain an updated IP packet header, uses the updated IP packet header as a data encapsulation header of the networking requirement, and sends the networking requirement to an access gateway;
and the access gateway receives the networking requirement of the at least one target service sent by the terminal equipment, extracts the equipment identifier of the terminal equipment and the service identifier of the target service from the updated IP packet header, performs access authentication on the equipment identifier of the terminal equipment, and selects a corresponding target network slice for the terminal equipment according to the service identifier under the condition of passing authentication.
9. A network slice selection device, applied to a terminal device, comprising:
the calling module calls an IP protocol stack according to the networking requirement of at least one target service;
the embedding module is used for embedding the equipment identifier of the terminal equipment and the service identifier of the target service into an IP packet header in the IP protocol stack to obtain an updated IP packet header;
and the authentication initiating module is used for sending the networking requirement to an access gateway by taking the updated IP packet header as a data encapsulation header of the networking requirement, wherein the equipment identifier is used for carrying out access authentication on the terminal equipment by the access gateway, and the service identifier is used for selecting a corresponding target network slice for the terminal equipment under the condition that the access authentication is passed.
10. A network slice selection device, applied to an access gateway, comprising:
the receiving module is used for receiving the networking requirement of at least one target service sent by the terminal equipment based on the updated IP packet header;
the extraction module extracts the equipment identifier of the terminal equipment and the service identifier of the target service from the updated IP packet header;
the authentication module is used for performing access authentication on the equipment identifier of the terminal equipment;
and the selection module selects a corresponding target network slice for the terminal equipment according to the service identifier under the condition that the access authentication is passed.
11. A network slice selection device, comprising:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the network slice selection method of any one of claims 1 to 7 via execution of the executable instructions.
12. A computer-readable storage medium storing a program, wherein the program when executed by a processor implements the steps of the network slice selection method of any of claims 1 to 7.
CN202111299230.9A 2021-11-04 2021-11-04 Network slice selection method, system, device and storage medium Pending CN114095158A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111299230.9A CN114095158A (en) 2021-11-04 2021-11-04 Network slice selection method, system, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111299230.9A CN114095158A (en) 2021-11-04 2021-11-04 Network slice selection method, system, device and storage medium

Publications (1)

Publication Number Publication Date
CN114095158A true CN114095158A (en) 2022-02-25

Family

ID=80298938

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111299230.9A Pending CN114095158A (en) 2021-11-04 2021-11-04 Network slice selection method, system, device and storage medium

Country Status (1)

Country Link
CN (1) CN114095158A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220191761A1 (en) * 2020-12-16 2022-06-16 Huawei Technologies Co., Ltd. Terminal identification method and apparatus

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101094061A (en) * 2006-06-24 2007-12-26 华为技术有限公司 Access method for authorizing and authenticating digital gateway system, devices, and network terminal devices
CN101789906A (en) * 2010-02-24 2010-07-28 杭州华三通信技术有限公司 Method and system for access authentication of user
CN108243483A (en) * 2016-12-23 2018-07-03 大唐移动通信设备有限公司 A kind of communication means, apparatus and system
CN110881207A (en) * 2019-10-31 2020-03-13 华为技术有限公司 Network slice selection method and related product
CN112019428A (en) * 2020-09-02 2020-12-01 成都西加云杉科技有限公司 Gateway
CN112073248A (en) * 2020-09-11 2020-12-11 Oppo(重庆)智能科技有限公司 Network access method, device, terminal and storage medium
WO2021134377A1 (en) * 2019-12-30 2021-07-08 华为技术有限公司 Network slice accessing method and apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination