CN114666070A - Authority authentication method, and authority information processing method and device - Google Patents


Info

Publication number
CN114666070A
Authority
CN
China
Legal status
Pending
Application number
CN202011401698.XA
Other languages
Chinese (zh)
Inventor
吴迪
张轶炯
潘伟
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the application disclose a permission authentication method in which, before two communication devices establish a service connection, each device sends its own service permission information to the opposite communication device, and each device verifies, based on the permission information it receives, whether the opposite communication device has permission to establish the service connection. With this scheme, whether the opposite-end communication device has the authority to establish the service connection can be determined effectively and efficiently.

Description

Authority authentication method, and authority information processing method and device
Technical Field
The present application relates to the field of communications, and in particular to an authority authentication method, an authority information processing method, and an authority information processing apparatus.
Background
Currently, when two communication devices establish a service connection, for example an Internet Protocol Security (IPsec) tunnel or a Border Gateway Protocol (BGP) session, the identity validity of the opposite-end communication device, and whether it has the authority to establish the related service, need to be verified. In one existing scheme, a network administrator separately configures the two communication devices that establish the service link and confirms the identities and rights of the communication devices manually. Manual configuration, however, is unreliable, offers low security, and is inefficient. In another existing solution, the identity of a device is verified through the device's local identity certificate, but the authority of the device cannot be authenticated. To authenticate device rights, another possible scheme authenticates the authorities of the devices at both ends of the communication through a centralized authority control server. Centralized authority authentication by a server, however, adds a failure point to the network, and once the server is attacked, all network authorities may be compromised. In addition, in a large-scale network deployment scenario, centralized authority authentication increases the amount of network interaction and increases the delay in establishing the service. In some scenarios, for example when a device is first brought into service and the network is disconnected, the network device cannot connect to the authority control server at all.
Therefore, when network devices communicate, a solution is needed that effectively authenticates the authority of a network device, so as to solve the above technical problem.
Disclosure of Invention
The embodiments of the application provide an authority authentication method, an authority information processing method, and an authority information processing device, with which it can be determined whether an opposite-end communication device supports a certain network function.
In a first aspect, an embodiment of the present application provides an authority authentication method, which may be performed by a first communication device. In one example, the first communication device receives first information sent by a second communication device, where the first information indicates the network functions supported by the second communication device, and those network functions include a first network function. After receiving the first information, the first communication device may determine from it that the second communication device supports the first network function. In other words, the second communication device sends the first communication device first information indicating the network functions it supports, so that the first communication device determines from the first information that the second communication device supports the first network function. With this scheme, the first communication device does not need to interact with a third-party device to determine whether the second communication device supports the first network function, so the signaling overhead of interaction between the first communication device and the third-party device is saved, and the efficiency of determining that the second communication device supports the first network function is improved. Moreover, because the determination does not depend on a third-party device, the security risk caused by a network hacker attacking that third-party device is also avoided. In addition, the problem that support for the first network function cannot be determined because the first communication device cannot establish a connection with the third-party device is avoided.
In one implementation, the first information may be further used to indicate configuration information for implementing the first network function. In this way, the second communication device can implement the first network function using the configuration information.
In one implementation, the network functions supported by the communication device may be related communication operations that the communication device is capable of performing. As one example, the first network function includes establishing a first communication connection.
In one implementation, when the first information is also used to indicate configuration information for implementing the first network function, and the first network function is to establish a first communication connection, the configuration information may include, for example, the peer communication device with which the second communication device establishes the first communication connection. In this situation, after the first communication device receives the first information sent by the second communication device, it may also determine from the configuration information that it is itself the opposite end that establishes the first communication connection with the second communication device, and thereby determine that it can establish the first communication connection with the second communication device.
In one implementation, the aforementioned first communication connection may be a MACsec tunnel, a BGP session, an IPsec tunnel, a bidirectional forwarding detection (BFD) session, an IGP session, or a segment routing over IPv6 (SRv6) tunnel.
In one implementation, it is considered that the network plan of the network provider may change. For example, an SRv6 tunnel may be established between the first communication device and the second communication device during a first communication period, and after the first communication period ends, an SRv6 tunnel may no longer be established between them. In other words, the second communication device may support the first network function only for a certain period of time. Therefore, in one implementation, the first information further includes first indication information, which indicates a validity period of the first network function.
In one implementation, the first information is a first security authentication profile SAP. The first SAP may be in a JSON format or an XML format, and is not specifically limited herein.
In one implementation, the first information may further include a signature of the network provider, so as to indicate that the first information is information approved by the network provider.
In one implementation, when the first information includes a signature of the network provider, the first communication device may also verify the signature to determine the validity of the first information. In one example, the first communication device may determine whether the second communication device supports the first network function based on the first information after determining that the first information is legitimate.
In one implementation, it is considered that implementing some network functions may require the use of keys. In other words, the second communication device may also need to use a key in order to implement the first network function. Thus, in one example, if the second communication device requires a key to implement the first network function, the first information may also include a certificate that contains the key required to implement the first network function. In this way, the second communication device can obtain the required key from the certificate and implement the first network function based on the obtained key.
In one implementation, the first communication device may further obtain second information indicating that the first communication device supports the first network function. In one example, the second information may be sent to the first communication apparatus by a control management entity.
In one implementation, after the first communication device obtains the second information, the second information may be sent to the second communication device, so that the second communication device determines that the first communication device supports the first network function according to the second information.
In one implementation, the second information is a second SAP. Similar to the first SAP, the second SAP may be in JSON format or XML format, and is not limited herein.
In one implementation, the second information further includes a signature of the network provider to indicate that the second information is information approved by the network provider.
In one implementation, the use of a key may be required in view of the first communication device implementing the first network function. Thus, in one example, when a first communications device requires the use of a key to implement the first network function, the second information may also include a certificate that includes the key required to implement the first network function. In this way, the first communication apparatus can obtain the key required to implement the first network function from the certificate, thereby implementing the first network function based on the obtained key.
In one implementation, the second communication device may carry the first information in a first message and send the first message to the first communication device. For example, the first information may be carried in an extended TLV field of the first message. The first message may be an EAP message; for example, when the first network function is to establish a MACsec tunnel, the first message is an EAP message. The first message may also be a BGP message; for example, when the first network function is to establish a BGP session, the first message is a BGP message.
In one implementation, when the first information is the first SAP, the first information may further include related information of the second communication device, where the related information of the second communication device may include: one or more of an identification of a second communication device, an identification of a network to which the second communication device belongs, a location of the second communication device in the network, a management address of the second communication device, and a name of the first network function. The information of the second communication device is carried in the first information, so that the first communication device can obtain more information of the second communication device. Additionally, the first SAP may also include an identification of the first SAP.
In one implementation, if the network functions supported by the second communication device do not include a second network function, the first information may further be used to indicate that the second communication device does not support the second network function. In this case, in addition to determining from the first information that the second communication device supports the first network function, the first communication device may determine from the first information that the second communication device does not support the second network function.
In one implementation, if the network functions supported by the second communication device include a third network function, the first information may further be used to indicate that the second communication device supports the third network function. In this case, in addition to determining from the first information that the second communication device supports the first network function, the first communication device may determine from the first information that the second communication device supports the third network function.
In a second aspect, the present application provides an authority information processing method, which may be performed by a second communication device or by a control management entity. In one example, when the method is performed by a control management entity, the control management entity obtains first information indicating the network functions supported by the second communication device, those network functions including the first network function, and after acquiring the first information sends it to the second communication device. In another example, when the method is performed by the second communication device, the second communication device obtains the first information and sends it to the first communication device, so that the first communication device determines from the first information that the second communication device supports the first network function. With this scheme, the first communication device does not need to interact with a third-party device to determine whether the second communication device supports the first network function, so the signaling overhead of that interaction is saved and the efficiency of the determination is improved. Moreover, because the determination does not depend on a third-party device, the security risk caused by a network hacker attacking that third-party device is also avoided. In addition, the problem that support for the first network function cannot be determined because the first communication device cannot establish a connection with the third-party device is avoided.
In one implementation, the first information is further used to indicate configuration information for implementing the first network function. In this way, the second communication device can implement the first network function using the configuration information.
In one implementation, the first network function includes establishing a first communication connection.
In one implementation, when the first information is also used to indicate configuration information for implementing the first network function, and the first network function is to establish a first communication connection, the configuration information may include, for example, the peer communication device with which the second communication device establishes the first communication connection.
In one implementation, the first communication connection includes any one of: media access control security (MACsec), border gateway protocol (BGP), internet protocol security (IPsec), bidirectional forwarding detection (BFD), interior gateway protocol (IGP), and segment routing over internet protocol version 6 (SRv6).
In one implementation, the first information further includes first indication information, where the first indication information is used to indicate a validity period of the first network function.
In one implementation, the first information is a first security authentication profile SAP.
In one implementation, the first information further includes a signature of the network provider.
In one implementation, the first information further includes a certificate including a key required to implement the first network function.
In one implementation, the method is performed by a control management entity, and in this case sending the first information specifically includes sending the first information to the second communication device. In this way, the second communication device may obtain the first information and further transmit it to the first communication device, enabling the first communication device to determine from the first information that the second communication device supports the first network function.
In one implementation, the control management entity may send the first information to a second communication device based on a request of the second communication device. In other words, before the control management entity acquires the first information, the first request sent by the second communication device may also be received, and the first request is used for requesting the first information. After receiving the first request, the control management entity may acquire first information and send the first information to the second communication device.
In one implementation, it is considered that the network plan of the network provider may change, and that when it changes, the network functions supported by a communication device may change as well. For example, some network functions of the communication device are deregistered after a change in network planning. In this case, the control management entity may acquire a deregistration list and send it to the communication device. The deregistration list indicates deregistration information, which identifies the network functions for which the communication device has been deregistered, so that the communication device knows which of its network functions have been deregistered.
In one implementation, the control management entity may send the deregistration list to a plurality of communication devices it manages, where a second communication device is one of the communication devices managed by the control management entity.
In one implementation, the control management entity may send the deregistration list to the second communication device based on a request from the second communication device. In other words, before acquiring the deregistration list, the control management entity may receive a second request sent by the second communication device, where the second request requests the deregistration list. After receiving the second request, the control management entity may obtain the deregistration list based on the second request and send it to the second communication device.
In one implementation, the method is performed by the second communication device, and in this case sending the first information specifically includes sending the first information to the first communication device. In this way, the first communication device may determine from the first information that the second communication device supports the first network function.
In one implementation, the method is performed by the second communication device, and in this case the second communication device may further receive second information sent by the first communication device, where the second information indicates that the first communication device supports the first network function; after receiving the second information, the second communication device may determine from it that the first communication device supports the first network function. Accordingly, if the first communication device determines from the first information that the second communication device also supports the first network function, the two communication devices may jointly implement the first network function, for example by establishing the first communication connection.
In one implementation, the second information further includes a signature of the network provider to indicate that the second information is information approved by the network provider.
In one implementation, if the second information includes a signature of a network provider, the second communication device may further verify the signature included in the second information, thereby determining the validity of the second information. In one example, the second communication apparatus may determine whether the first communication apparatus supports the first network function from the second information in a case where a signature included in the second information is verified.
In one implementation, the second information further includes a certificate including a key required to implement the first network function.
In one implementation, the second information further includes second indication information, where the second indication information is used to indicate a validity period of the second information.
In one implementation, the second information is a second SAP.
In a third aspect, an embodiment of the present application provides an authority information processing method, which may be performed by a control management entity. In one example, the control management entity obtains a deregistration list indicating deregistration information, which identifies the network functions for which a communication device has been deregistered. After acquiring the deregistration list, the control management entity may transmit it; as an example, it may send the deregistration list to the communication device. After receiving the deregistration list, the communication device can determine which network functions have been deregistered, and thereby which of its own network functions, or those of a peer communication device interacting with it, have been deregistered; the communication device then no longer implements the deregistered network functions of itself or of its peers.
In one implementation, the deregistration list includes an identifier of a deregistered security authentication profile (SAP), where the SAP indicates the network functions supported by a communication device. In this case, a communication device that receives the deregistration list can determine, from the SAP identifiers it contains, which network functions of itself and of other communication devices have been deregistered. For example, if the deregistration list includes the identifier of the first SAP, the second communication device may determine from that identifier that its first network function has been deregistered. Correspondingly, when the first communication device receives the first SAP sent by the second communication device, it can consult the deregistration list, learn that the first SAP has been deregistered, and thereby determine that the second communication device no longer supports the first network function.
In one implementation, the control management entity may obtain and issue the deregistration list based on a request from a communication device. In other words, before obtaining the deregistration list, the control management entity may receive a second request that requests the deregistration list.
In one implementation, the deregistration information may cover network functions for which several communication devices managed by the control management entity have been deregistered. In one example, the deregistration information may include a network function for which the first communication device has been deregistered and/or a network function for which the second communication device has been deregistered.
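The peer-side checks described for the first aspect (provider signature, validity period, configured peer, supported or explicitly unsupported function) combined with the deregistration list described in this aspect, as an added Go example that is not part of the patent or of any Huawei implementation. The JSON field names, the use of an Ed25519 signature as the "signature of the network provider", the device identifiers and the timestamps are this example's own assumptions; the patent fixes no schema.

```go
// Added example, not from the patent: a signed JSON "security authentication profile"
// (SAP) issued by the provider's control management entity and checked by the receiving
// peer on its own, without contacting a third party at connection time.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// NetworkFunction is one entry of the functions a device is authorised for.
// Field names are this example's choice; the patent fixes no schema.
type NetworkFunction struct {
	Name      string `json:"name"`      // e.g. "BGP", "IPsec", "MACsec"
	Supported bool   `json:"supported"` // false = explicitly not supported (second-function case)
	Peer      string `json:"peer"`      // configured opposite end of the connection
	NotAfter  int64  `json:"not_after"` // validity period of this function, unix seconds
}

// SAP carries the device information and network functions described in the text.
type SAP struct {
	ID        string            `json:"sap_id"`
	DeviceID  string            `json:"device_id"`
	MgmtAddr  string            `json:"mgmt_addr"`
	Functions []NetworkFunction `json:"functions"`
}

// SignedSAP is the wire form: the raw profile bytes plus the provider's signature over them.
type SignedSAP struct {
	Profile   json.RawMessage `json:"profile"`
	Signature []byte          `json:"signature"`
}

// IssueSAP is the control management entity's side: serialise and sign with the provider key.
func IssueSAP(providerKey ed25519.PrivateKey, sap SAP) (SignedSAP, error) {
	raw, err := json.Marshal(sap)
	if err != nil {
		return SignedSAP{}, err
	}
	return SignedSAP{Profile: raw, Signature: ed25519.Sign(providerKey, raw)}, nil
}

// AuthorizePeer is the receiving device's side. It returns nil only if the peer's SAP
// is provider-signed, not on the deregistration list, names the wanted function as
// supported and still valid, and lists the caller as the configured peer.
func AuthorizePeer(providerPub ed25519.PublicKey, msg SignedSAP, selfID, function string,
	now int64, deregistered map[string]bool) error {
	if !ed25519.Verify(providerPub, msg.Profile, msg.Signature) {
		return errors.New("provider signature invalid")
	}
	var sap SAP
	if err := json.Unmarshal(msg.Profile, &sap); err != nil {
		return err
	}
	if deregistered[sap.ID] { // reading a nil map is safe: no list means nothing deregistered
		return fmt.Errorf("SAP %s is on the deregistration list", sap.ID)
	}
	for _, f := range sap.Functions {
		if f.Name != function {
			continue
		}
		switch {
		case !f.Supported:
			return fmt.Errorf("%s explicitly not supported by %s", function, sap.DeviceID)
		case now > f.NotAfter:
			return fmt.Errorf("%s authorisation of %s has expired", function, sap.DeviceID)
		case f.Peer != selfID:
			return fmt.Errorf("%s peer of %s is %s, not %s", function, sap.DeviceID, f.Peer, selfID)
		}
		return nil
	}
	return fmt.Errorf("%s not present in SAP of %s", function, sap.DeviceID)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed provider key pair
	// Constructed sample: device B may run a BGP session with peer A until t=2000
	// and is explicitly not authorised for IPsec.
	sapB := SAP{ID: "sap-B-001", DeviceID: "B", MgmtAddr: "192.0.2.2",
		Functions: []NetworkFunction{
			{Name: "BGP", Supported: true, Peer: "A", NotAfter: 2000},
			{Name: "IPsec", Supported: false},
		}}
	signed, _ := IssueSAP(priv, sapB)
	// Device A checks B's SAP before opening the session.
	fmt.Println("BGP with B:", AuthorizePeer(pub, signed, "A", "BGP", 1000, nil))
	fmt.Println("IPsec with B:", AuthorizePeer(pub, signed, "A", "IPsec", 1000, nil))
	fmt.Println("BGP after validity:", AuthorizePeer(pub, signed, "A", "BGP", 3000, nil))
	fmt.Println("BGP claimed by C:", AuthorizePeer(pub, signed, "C", "BGP", 1000, nil))
	fmt.Println("BGP, SAP deregistered:", AuthorizePeer(pub, signed, "A", "BGP", 1000,
		map[string]bool{"sap-B-001": true})) // deregistration list received earlier
	// A profile altered after signing must fail the signature check.
	tampered := signed
	tampered.Profile = json.RawMessage(`{"sap_id":"sap-B-001","device_id":"B","functions":[]}`)
	fmt.Println("tampered:", AuthorizePeer(pub, tampered, "A", "BGP", 1000, nil))
}
```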
In one implementation, the control management entity may further obtain first information indicating the network functions supported by the second communication device, those network functions including the first network function. After acquiring the first information, the control management entity may send it to the second communication device, which may in turn send it to the first communication device, so that the first communication device determines from the first information that the second communication device supports the first network function. With this scheme, the first communication device does not need to interact with a third-party device to determine whether the second communication device supports the first network function, so the signaling overhead of that interaction is saved and the efficiency of the determination is improved. Moreover, because the determination does not depend on a third-party device, the security risk caused by a network hacker attacking that third-party device is also avoided. In addition, the problem that support for the first network function cannot be determined because the first communication device cannot connect to the third-party device is avoided.
In one implementation, the first information is further used to indicate configuration information for implementing the first network function. In this way, the second communication device can implement the first network function using the configuration information.
In one implementation, the first network function includes establishing a first communication connection.
In one implementation, when the first information is also used to indicate configuration information for implementing the first network function, and the first network function is to establish a first communication connection, the configuration information may include, for example, the peer communication device with which the second communication device establishes the first communication connection.
In one implementation, the first communication connection includes any one of: media access control security (MACsec), border gateway protocol (BGP), internet protocol security (IPsec), bidirectional forwarding detection (BFD), interior gateway protocol (IGP), and segment routing over internet protocol version 6 (SRv6).
In one implementation, the first information further includes first indication information, where the first indication information is used to indicate a validity period of the first network function.
In one implementation, the first information is a first security authentication profile SAP.
In one implementation, the first information further includes a signature of the network provider.
In one implementation, the first information further includes a certificate including a key required to implement the first network function.
In one implementation, the control management entity may send the first information to a second communication device based on a request of the second communication device. In other words, before the control management entity acquires the first information, the first request sent by the second communication device may also be received, and the first request is used for requesting the first information. After receiving the first request, the control management entity may acquire first information and send the first information to the second communication device.
In a fourth aspect, embodiments of the present application provide an authority information processing method, which may be executed by a communication apparatus, for example, a second communication apparatus. In one example, the second communication device may receive a deregistration list indicating deregistered information for indicating network functions for which the communication device is deregistered. The second communication device may save the revocation list after receiving the revocation list. The second communication device may determine which network functions have been logged out according to the logout list, thereby determining which network functions of itself or a peer communication device interacting with itself have been logged out, and further, the second communication device may not perform network functions of itself or peer devices that have been logged out.
In one implementation, the deregistration list includes an identifier of a deregistered security authentication profile (SAP), where the SAP is used to indicate the network functions supported by a communication device.
In one implementation, the second communication device may actively request the deregistration list from the control management entity. In this case, the method further includes: sending a second request to the control management entity, where the second request is used to request the deregistration list.
In one implementation, the deregistered information includes a network function for which the first communication device is deregistered, and/or a network function for which the second communication device is deregistered.
In one implementation, the second communication device may further obtain the first information and send it to the first communication device, so that the first communication device determines, using the first information, that the second communication device supports the first network function. With this scheme, the first communication device does not need to interact with a third-party device to determine whether the second communication device supports the first network function; the signaling overhead of that interaction is saved, and the efficiency of the determination is improved. Moreover, because the determination no longer depends on the third-party device, the security risk that arises if the third-party device is attacked by a network hacker is also avoided. In addition, the problem that the determination cannot be made because the first communication device cannot establish a connection with the third-party device is avoided.
In one implementation, the first information is further used to indicate configuration information for implementing the first network function.
In one implementation, the first network function includes establishing a first communication connection.
In one implementation, the configuration information is used to indicate a peer end that establishes the first communication connection with the second communication device.
In one implementation, the first communication connection includes any one of: a media access control security (MACsec) tunnel, a border gateway protocol (BGP) session, an internet protocol security (IPsec) tunnel, bidirectional forwarding detection (BFD), an interior gateway protocol (IGP) session, and a segment routing over internet protocol version 6 (SRv6) tunnel.
In one implementation, the first information further includes first indication information, where the first indication information is used to indicate a validity period of the first network function.
In one implementation, the first information is a first security authentication profile SAP.
In one implementation, the first information further includes a signature of the network provider.
In one implementation, the first information further includes a certificate including a key required to implement the first network function.
In one implementation, the second communication device may further receive second information sent by the first communication device, where the second information is used to indicate that the first communication device supports the first network function. After receiving the second information, the second communication apparatus may determine that the first communication apparatus supports the first network function according to the second information. Accordingly, if a first communication device determines that the second communication device also supports the first network function, the first communication device and the second communication device may jointly implement the first network function.
In one implementation, the second information further includes a signature of the network provider.
In one implementation, when the second information further includes a signature of a network provider, the second communication device may also verify the signature included in the second information when receiving the second information.
In one implementation, the second information further includes a certificate including a key required to implement the first network function. In this way, the first communication device can obtain the key required for implementing the first network function according to the certificate in the second information, and implement the first network function based on the obtained key.
In one implementation, the second information further includes second indication information, where the second indication information is used to indicate a validity period of the second information.
In one implementation, the second information is a second SAP.
In a fifth aspect, the present application provides a first communication device, including a transceiving unit and a processing unit. The transceiving unit is configured to perform the transceiving operations performed by the first communication device in the first aspect or any implementation of the first aspect, and the processing unit is configured to perform the operations of the first communication device other than the transceiving operations in the first aspect or any implementation of the first aspect.
In a sixth aspect, the present application provides a first communication device including a memory and a processor. The memory is configured to store program code, and the processor is configured to execute the instructions in the program code, so that the first communication device performs the method of the first aspect or any implementation of the first aspect.
In a seventh aspect, the present application provides a first communication device including a communication interface and a processor. The communication interface is configured to perform the transceiving operations performed by the first communication device in the first aspect or any implementation of the first aspect, and the processor is configured to perform the operations of the first communication device other than the transceiving operations in the first aspect or any implementation of the first aspect.
In an eighth aspect, the present application provides a second communication device, including a transceiving unit and a processing unit. The transceiving unit is configured to perform the transceiving operations performed by the second communication device in the second aspect or any implementation of the second aspect, and the processing unit is configured to perform the operations of the second communication device other than the transceiving operations in the second aspect or any implementation of the second aspect. Alternatively, the transceiving unit is configured to perform the transceiving operations performed by the second communication device in the fourth aspect or any implementation of the fourth aspect, and the processing unit is configured to perform the operations of the second communication device other than the transceiving operations in the fourth aspect or any implementation of the fourth aspect.
In a ninth aspect, the present application provides a second communication device including a memory and a processor. The memory is configured to store program code, and the processor is configured to execute the instructions in the program code, so that the second communication device performs the method of any one of the second aspect and the third aspect, or so that the second communication device performs the method of any one of the fourth aspect and the third aspect.
In a tenth aspect, the present application provides a second communication device including a communication interface and a processor. The communication interface is configured to perform the transceiving operations performed by the second communication device in the second aspect or any implementation of the second aspect, and the processor is configured to perform the operations of the second communication device other than the transceiving operations in the second aspect or any implementation of the second aspect. Alternatively, the communication interface is configured to perform the transceiving operations performed by the second communication device in the fourth aspect or any implementation of the fourth aspect, and the processor is configured to perform the operations of the second communication device other than the transceiving operations in the fourth aspect or any implementation of the fourth aspect.
In an eleventh aspect, the present application provides a control management entity, including a transceiving unit and a processing unit. The transceiving unit is configured to perform the transceiving operations performed by the control management entity in any one of the third aspect and the fourth aspect, and the processing unit is configured to perform the operations of the control management entity other than the transceiving operations in any one of the third aspect and the fourth aspect.
In a twelfth aspect, the present application provides a control management entity including a memory and a processor. The memory is configured to store program code, and the processor is configured to execute the instructions in the program code, so that the control management entity performs the method of any one of the third aspect and the fourth aspect.
In a thirteenth aspect, the present application provides a control management entity including a communication interface and a processor. The communication interface is configured to perform the transceiving operations performed by the control management entity in the third aspect or any implementation of the third aspect, and the processor is configured to perform the operations of the control management entity other than the transceiving operations in the third aspect or any implementation of the third aspect.
In a fourteenth aspect, the present application provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of the first aspect or any implementation of the first aspect, or the method of the second aspect or any implementation of the second aspect, or the method of the third aspect or any implementation of the third aspect, or the method of the fourth aspect or any implementation of the fourth aspect.
In a fifteenth aspect, the present application provides a communication system including at least two of: the first communication device of the fifth, sixth or seventh aspect; the second communication device of the eighth, ninth or tenth aspect; and the control management entity of the eleventh, twelfth or thirteenth aspect.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed in the description of the embodiments or the prior art are briefly described below. Clearly, the drawings in the following description show only some embodiments of the present application, and other drawings can be obtained from them by those skilled in the art without creative effort.
FIG. 1a is a schematic diagram of an exemplary application scenario;
FIG. 1b is a schematic diagram of another exemplary application scenario;
FIG. 1c is a schematic diagram of an exemplary application scenario provided in an embodiment of the present application;
FIG. 2 is a signaling interaction diagram of an authority authentication method according to an embodiment of the present application;
FIG. 3 is a signaling interaction diagram of an authority authentication method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a SAP provided in an embodiment of the present application;
FIG. 5 is a schematic flowchart of an authority authentication method according to an embodiment of the present application;
FIG. 6 is a schematic flowchart of an authority information processing method according to an embodiment of the present application;
FIG. 7 is a schematic flowchart of an authority information processing method according to an embodiment of the present application;
FIG. 8 is a schematic flowchart of an authority information processing method according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a communication device according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a communication device according to an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a communication device according to an embodiment of the present application.
Detailed Description
The embodiments of the present application provide an authority authentication method, an authority information processing method, and an authority information processing device, by which a communication device can determine whether a peer communication device supports a certain network function.
For convenience of understanding, a possible application scenario of the embodiment of the present application is first described.
Referring to FIG. 1a, an exemplary application scenario is shown. As shown in FIG. 1a, communication device 101 and communication device 102 may communicate with each other. Before communication device 101 and communication device 102 cooperatively implement network function A, communication device 101 may determine whether communication device 102 supports network function A, and correspondingly communication device 102 may determine whether communication device 101 supports network function A. If communication device 101 determines that communication device 102 supports network function A, and communication device 102 also determines that communication device 101 supports network function A, the two devices may cooperatively implement network function A.
The network function mentioned in the embodiments of the present application may be a communication operation performed by the communication device. Network function A mentioned here may be, for example, establishing a first communication connection, where the first communication connection includes, but is not limited to, any one of a media access control security (MACsec) tunnel, a border gateway protocol (BGP) session, an internet protocol security (IPsec) tunnel, bidirectional forwarding detection (BFD), an interior gateway protocol (IGP) session, and a segment routing over internet protocol version 6 (SRv6) tunnel. Network function A may also be verifying a message, for example, verifying a BGP message.
In one example, communication device 101 and communication device 102 may determine whether the other device supports network function A by means of a third-party device, for example, an authority control server. FIG. 1b is a schematic diagram of another exemplary application scenario. Communication device 101 may determine through the authority control server 103 whether communication device 102 supports network function A, and communication device 102 may determine through the authority control server 103 whether communication device 101 supports network function A. That is, communication device 101 needs to interact with the authority control server 103 to determine whether communication device 102 supports network function A, and communication device 102 needs to interact with the authority control server 103 to determine whether communication device 101 supports network function A. However, this approach has the following drawbacks:
First, if the authority control server 103 is compromised by a network hacker, the network functions supported by communication device 101 and communication device 102 are both obtained by the hacker, which brings a certain security risk.
Second, the interaction between communication device 101 and the authority control server 103 brings a certain signaling overhead, and so does the interaction between communication device 102 and the authority control server 103. Moreover, since both communication device 101 and communication device 102 need to interact with the authority control server 103, it is inefficient for them to determine whether each other supports network function A, which in turn makes the implementation of network function A by communication device 101 and communication device 102, for example, establishing the first communication connection, inefficient.
Third, if communication device 101 cannot establish a connection with the authority control server 103 (for example, in the network initialization phase, when the network connectivity between communication device 101 and the authority control server 103 is poor), communication device 101 cannot determine through the authority control server 103 whether communication device 102 supports network function A. Similarly, if communication device 102 cannot establish a connection with the authority control server 103, communication device 102 cannot determine through the authority control server 103 whether communication device 101 supports network function A.
In some embodiments, before the communication device 101 and the communication device 102 communicate with each other, identity authentication is further required to verify the identity of the communication device at the opposite end, and details regarding the specific manner of identity authentication performed by the communication device 101 and the communication device 102 are not described herein.
The communication devices mentioned in the embodiments of the present application, for example, communication device 101 and communication device 102, may be network devices such as switches and routers, or components of a network device, for example, a board or a line card of the network device, or functional modules on the network device; this is not specifically limited in the embodiments of the present application. The communication devices may be directly connected to each other, for example, but not limited to, by Ethernet cables or optical cables.
In view of this, the present application provides a method for authority authentication, which is described below with reference to the accompanying drawings.
Referring to FIG. 2, FIG. 2 is a signaling interaction diagram of an authority authentication method according to an embodiment of the present application. The method 100 shown in FIG. 2 may be applied to the network scenario shown in FIG. 1c.
In FIG. 1c, communication device 1 may be communication device 101 shown in FIG. 1a or FIG. 1b, and communication device 2 may be communication device 102 shown in FIG. 1a or FIG. 1b. The control management entity shown in FIG. 1c may be, for example, a device running a network management system (NMS), or a controller. The control management entity may be a functional module implementing a control and/or management function, or a physical entity running such a functional module; the physical entity may be, for example, a server on which software implementing the functions of the control management entity is installed. The embodiments of the present application are not particularly limited in this respect.
The method 100 shown in FIG. 2 may include, for example, the following S101 to S106.
S101: the control management entity acquires information 1, where information 1 indicates the network functions supported by communication device 1, and the network functions supported by communication device 1 include network function 1.
In this embodiment, the control management entity may generate information 1 according to the network plan of the network provider. In one example, information 1 may be security authentication profile (SAP) 1. SAP1 may be in JavaScript Object Notation (JSON) format or extensible markup language (XML) format; the embodiment of the present application is not particularly limited in this respect. For SAP1, reference may be made to the description of FIG. 4 below, which is not detailed here.
Network function 1 mentioned here is similar to network function A mentioned above: network function 1 may be establishing a first communication connection, where the first communication connection may include any one of a MACsec tunnel, a BGP session, an IPsec tunnel, a BFD, an IGP session, and an SRv6 tunnel. Network function 1 may also be verifying a message, for example, a BGP message.
In one example, information 1 may further include a signature of the network provider. The network provider may be, for example, an operator. The signature of the network provider may be computed over the first content: for example, the first content is hashed with a hash algorithm to obtain a first calculation result, and the first calculation result is then encrypted with the private key of the network provider to obtain the signature of the network provider. Information 1 carrying the signature of the network provider indicates that information 1 is information approved by the network provider. The communication device that receives information 1 can determine the validity of information 1 by verifying the signature of the network provider.
In one example, information 1 may further include configuration information 1 for implementing network function 1; in other words, information 1 may further indicate configuration information 1, so that the communication device receiving information 1 implements network function 1 based on configuration information 1. Configuration information 1 is not specifically limited in the embodiment of the present application; when network function 1 is establishing a first communication connection, configuration information 1 may indicate the peer communication device that establishes the first communication connection with communication device 1, for example, the IP address of that peer communication device. In one example, if the address of the peer communication device in configuration information 1 is a default value or is null, the peer communication device that establishes the first communication connection with communication device 1 is not limited.
In one example, the network plan of the network provider may change: for example, an SRv6 tunnel may be established between communication device 1 and communication device 2 during a first communication period, and after the first communication period ends, no SRv6 tunnel is to be established between communication device 1 and communication device 2. In other words, communication device 1 may support network function 1 only for a certain period of time. Therefore, in one implementation, information 1 may further include indication information 1, which indicates the validity period of information 1. In yet another example, the network functions supported by communication device 1 as indicated by information 1 may not be limited to network function 1, and the validity periods of the respective network functions may differ; in that case, indication information 1 may instead indicate the validity period of network function 1. Accordingly, when information 1 further indicates that communication device 1 supports network function 2, information 1 may further include indication information 1' indicating the validity period of network function 2.
In one example, a key may be required for communication device 1 to implement network function 1. For example, when network function 1 is a MACsec tunnel, a key is also needed when negotiating the MACsec session key. Therefore, in one implementation of the embodiment of the present application, information 1 may further include a certificate, where the certificate includes the key required to implement network function 1. Besides that key, the certificate may include information such as the issuer of the certificate; the embodiment of the present application is not particularly limited in this respect.
In some embodiments, since information 1 indicates the network functions supported by communication device 1, information 1 may also include content related to communication device 1: for example, an identification of communication device 1, manufacturer information of communication device 1, the network to which communication device 1 belongs, the specific location of communication device 1 in the network, or a management address of communication device 1. In addition, in some embodiments, information 1 may further include an identifier of information 1, which may serve as an index of information 1. When information 1 is SAP1, the identifier of information 1 is the identifier of SAP1.
In addition, the control management entity may also allocate a public-private key pair of the communication apparatus 1 to the communication apparatus 1 so that the communication apparatus 1 processes data interacted with other communication apparatuses by using the public-private key pair. In one example, a public key assigned by the control management entity to the communication apparatus 1 may also be included in the information 1. The private key assigned by the control management entity to the communication device 1 may be issued to the communication device 1 through other files, which will not be described in detail herein.
S102: the control management entity sends said information 1 to the communication device 1.
S103: the communication device 1 receives and saves the information 1.
After the control management entity acquires the information 1, the control management entity may transmit the information 1 to the communication apparatus 1, and after the communication apparatus 1 receives the information 1, the communication apparatus 1 may store the information 1.
In the embodiment of the present application, the control management entity may actively send information 1 to communication device 1, or it may send information 1 to communication device 1 based on a request of communication device 1. In the latter case, the control management entity may receive request 1 sent by communication device 1 before performing S101, where request 1 is used to request information 1 from the control management entity.
In one example, if information 1 includes a signature of the network provider, communication device 1 may verify the signature of the network provider; after the signature is verified, communication device 1 may determine that information 1 is information approved by the network provider and then store information 1. After receiving information 1, communication device 1 may decrypt the signature in information 1 with the public key of the network provider to obtain a second calculation result, and hash the first content with the hash algorithm to obtain a first calculation result. Communication device 1 then compares the two: if the first calculation result and the second calculation result are the same, the signature of the network provider is determined to be legal; if they differ, the signature is determined to be illegal.
S104: the communication apparatus 1 transmits the information 1 to the communication apparatus 2.
Before implementing network function 1, communication device 1 may send information 1 to communication device 2, so that communication device 2 determines that communication device 1 supports network function 1.
In one example, communication device 1 may send information 1 to communication device 2 in message 1. Message 1 may include an extended type-length-value (TLV) field, and information 1 is carried in the extended TLV field.
Message 1 is not specifically limited in the embodiment of the present application. In one example, message 1 may be an extensible authentication protocol (EAP) message; for example, when network function 1 is a MACsec tunnel, message 1 is an EAP message. In another example, message 1 may be a BGP message; for example, when network function 1 is a BGP session, message 1 may be a BGP message.
S105: the communication device 2 receives the information 1.
S106: the communication device 2 determines, based on the information 1, that the communication device 1 supports the network function 1.
After the communication device 2 receives the information 1, since the information 1 indicates that the communication device 1 supports the network function 1, the communication device 2 can determine from the information 1 that the communication device 1 supports the network function 1.
As before, in one example, the information 1 includes a signature of the network provider. In this case, before determining from the information 1 that the communication device 1 supports the network function 1, the communication device 2 may also verify the signature of the network provider, so as to determine that the information 1 is information approved by the network provider. After the signature of the network provider is determined to be legal, the communication device 2 determines from the information 1 that the communication device 1 supports the network function 1. The specific manner in which the communication device 2 verifies the signature of the network provider is the same as the manner, described above, in which the communication device 1 verifies the signature of the network provider, and is not repeated here.
As described above, in an example, the information 1 can also be used to indicate configuration information 1 for implementing the network function 1, and when the network function 1 is to establish a first communication connection, the configuration information 1 can be used to indicate the peer communication device that establishes the first communication connection with the communication device 1. The communication device 2 verifies whether the communication device 1 supports the network function 1 in order to implement the network function 1 together with the communication device 1. In view of this, in this case the communication device 2 may also determine, according to the configuration information 1 in the information 1, whether the communication device 2 can be the peer communication device that establishes the first communication connection with the communication device 1. For example, when the IP addresses of the peer communication device for establishing the first communication connection with the communication device 1, included in the configuration information 1, include the IP address of the communication device 2, the communication device 2 may determine that it can be the peer communication device that establishes the first communication connection with the communication device 1. For another example, when the address of the peer communication device for establishing the first communication connection with the communication device 1 in the configuration information 1 is a default value or is empty, the communication device 2 may determine that it can be the peer communication device that establishes the first communication connection with the communication device 1.
As before, in an example, the information 1 further includes indication information 1 for indicating the validity period of the information 1 or of the network function 1. In this case, the communication device 2 may also determine whether the current time is within the validity period indicated by the indication information 1, and may determine that the communication device 1 supports the network function 1 only when the current time is within that validity period. If the current time is not within the validity period indicated by the indication information 1, the communication device 2 may determine that the communication device 1 does not support the network function 1.
Through the above S101 to S106, the communication device 2 can determine that the communication device 1 supports the network function 1. With this scheme, the communication device 2 does not need to interact with a third-party device to determine whether the communication device 1 supports the network function 1, so the signaling overhead of interaction between the communication device 2 and a third-party device is saved, and the efficiency of determining that the communication device 1 supports the network function 1 is improved. Moreover, since it is not necessary to rely on a third-party device to determine whether the communication device 1 supports the network function 1, the security risk that arises when such a third-party device is compromised by an attacker is also avoided. In addition, the problem that it cannot be determined whether the communication device 1 supports the network function 1 because the communication device 2 cannot establish a connection with a third-party device is also avoided.
It is understood that if the communication device 1 and the communication device 2 are to implement the network function 1 together, then not only does the communication device 2 determine that the communication device 1 supports the network function 1, but the communication device 1 also determines that the communication device 2 supports the network function 1. In the embodiment of the present application, the way in which the communication device 1 determines that the communication device 2 supports the network function 1 is similar to the way in which the communication device 2 determines that the communication device 1 supports the network function 1. The implementation in which the communication device 1 determines that the communication device 2 supports the network function 1 is briefly described next with reference to fig. 3; the method 200 shown in fig. 3 may include the following steps S201 to S205.
S201: the control management entity obtains information 2, where the information 2 is used to indicate network functions supported by the communication apparatus 2, and the network functions supported by the communication apparatus 2 include the network function 1.
The control management entity may send the information 2 to the communication device 2 based on a request of the communication device 2, or may actively send the information 2 to the communication device 2, which is not specifically limited in the embodiment of the present application.
The information 2 may be SAP2, and regarding SAP2, reference may be made to SAP1 and the following description of fig. 4, which is not detailed here.
The information 2 may include configuration information 2 for implementing the network function 1. For example, when the network function 1 is to establish a first communication connection, the configuration information 2 in the information 2 may include the peer communication device that establishes the first communication connection with the communication device 2. For the related content, refer to the above description of the configuration information 1 in the information 1, which is not detailed here.
The information 2 may also include a signature of the network provider. The information 2 may further include indication information 2, and the indication information 2 is used to indicate the validity period of the information 2 or the network function 1.
In some embodiments, since the information 2 is used to indicate the network functions supported by the communication apparatus 2, the related content of the communication apparatus 2 may also be included in the information 2. For example, an identification of the communication apparatus 2 may be included; as another example, manufacturer information of the communication apparatus 2 may be included; as another example, a network to which the communication apparatus 2 belongs may be included; as another example, a specific location of the communication device 2 in the network may be included; as another example, a management address of the communication apparatus 2, and the like may be included. In addition, in some embodiments, the information 2 may further include an identifier of the information 2, and the identifier of the information 2 may serve as an index of the information 2. When the information 2 is SAP2, the identifier of the information 2 is an identifier of SAP 2.
In addition, the control management entity may also assign a public-private key pair to the communication device 2, so that data exchanged between the communication device 2 and other communication devices can be processed using the public-private key pair. In one example, the public key assigned by the control management entity to the communication device 2 may also be included in the information 2. The private key assigned by the control management entity to the communication device 2 may be issued to the communication device 2 through other files, which is not described in detail here.
S202: the control management entity sends said information 2 to the communication device 2.
S203: the communication device 2 receives and stores the information 2.
After the control management entity acquires the information 2, the control management entity may transmit the information 2 to the communication device 2, and after the communication device 2 receives the information 2, the communication device 2 may store the information 2.
In one example, if the information 2 includes a signature of a network provider, the communication device 2 may verify the signature of the network provider, and after the signature of the network provider is verified, the communication device 2 may determine that the information 2 is information approved by the network provider, and further, the communication device 2 may store the information 2.
S204: the communication device 2 transmits the information 2 to the communication device 1.
The communication device 2 may send the information 2 to the communication device 1 before implementing the network function 1, so that the communication device 1 determines that the communication device 2 supports the network function 1.
In one example, the communication device 2 may send the information 2 to the communication device 1 carried in a message 2. In one example, the message 2 may include an extended TLV field, and the information 2 is carried in the extended TLV field.
The message 2 is not specifically limited in the embodiment of the present application. In one example, the message 2 may be an EAP message. In yet another example, the message 2 may be a BGP message.
S205: the communication device 1 receives the information 2.
S206: the communication apparatus 1 determines from the information 2 that the communication apparatus 2 supports the network function 1.
After the communication device 1 receives the information 2, since the information 2 indicates that the communication device 2 supports the network function 1, the communication device 1 can determine from the information 2 that the communication device 2 supports the network function 1.
As before, in one example, the information 2 includes a signature of the network provider. In this case, before determining from the information 2 that the communication device 2 supports the network function 1, the communication device 1 may also verify the signature of the network provider, so as to determine that the information 2 is information approved by the network provider. After determining that the signature of the network provider is legal, the communication device 1 determines from the information 2 that the communication device 2 supports the network function 1.
As mentioned above, in an example, the information 2 can also be used to indicate configuration information 2 for implementing the network function 1, and when the network function 1 is to establish a first communication connection, the configuration information 2 can be used to indicate the peer communication device that establishes the first communication connection with the communication device 2. In this case, the communication device 1 may also determine, according to the configuration information 2 in the information 2, whether the communication device 1 is the peer communication device that establishes the first communication connection with the communication device 2. For example, when the IP addresses of the peer communication device for establishing the first communication connection with the communication device 2, included in the configuration information 2, include the IP address of the communication device 1, the communication device 1 may determine that it can be the peer communication device that establishes the first communication connection with the communication device 2. For another example, when the address of the peer communication device for establishing the first communication connection with the communication device 2 in the configuration information 2 is a default value or is null, the communication device 1 may determine that it can be the peer communication device that establishes the first communication connection with the communication device 2.
As before, in one example, the information 2 further includes indication information 2 for indicating the validity period of the information 2 or of the network function 1. In this case, the communication device 1 may also determine whether the current time is within the validity period indicated by the indication information 2, and may determine that the communication device 2 supports the network function 1 only when the current time is within that validity period. If the current time is not within the validity period indicated by the indication information 2, the communication device 1 may determine that the communication device 2 does not support the network function 1.
By the above method 100 and method 200, the communication device 1 determines that the communication device 2 supports the network function 1, and the communication device 2 also determines that the communication device 1 supports the network function 1. The communication device 1 and the communication device 2 can then jointly implement the network function 1; for example, the communication device 1 and the communication device 2 can establish the first communication connection. While the communication device 1 and the communication device 2 jointly implement the network function 1, the communication device 1 can process the data exchanged between the two devices using the key in the information 1, and the communication device 2 can process the data exchanged between the two devices using the key in the information 2.
In one implementation manner of the embodiment of the present application, the network functions supported by the communication device 1 that are indicated by the aforementioned information 1 may include other network functions besides the network function 1, for example the network function 2. In this case, the communication device 2 may also determine, based on the information 1, that the communication device 1 supports the network function 2. In addition, if the information 1 indicates that the communication device 1 supports the network function 1 and the network function 2, the communication device 2 may also determine from the information 1 that the communication device 1 does not support a network function 3, where the network function 3 is a network function different from both the network function 1 and the network function 2. In one example, when the information 1 is further used to indicate that the communication device 1 supports the network function 2, a key required for implementing the network function 2 may also be included in the information 1.
Similarly, the network functions supported by the communication device 2 that are indicated by the aforementioned information 2 may include other network functions besides the network function 1, for example a network function 3. In this case, the communication device 1 may also determine, based on the information 2, that the communication device 2 supports the network function 3. Further, if the information 2 indicates that the communication device 2 supports the network function 1 and the network function 3, the communication device 1 may also determine from the information 2 that the communication device 2 does not support the network function 2. In one example, when the information 2 is further used to indicate that the communication device 2 supports the network function 3, a key required for implementing the network function 3 may also be included in the information 2.
It is understood that if the communication device 2 determines that the communication device 1 supports the network function 2 while the communication device 1 determines that the communication device 2 does not support the network function 2, the communication device 1 and the communication device 2 cannot jointly implement the network function 2. Similarly, if the communication device 2 determines that the communication device 1 does not support the network function 3 while the communication device 1 determines that the communication device 2 supports the network function 3, the communication device 1 and the communication device 2 cannot jointly implement the network function 3.
Following the above description of the method 100 and the method 200, SAP1 and SAP2 are described below, taking the SAP shown in fig. 4 as an example.
The SAP shown in fig. 4 includes the following:
the SAP ID is used to carry an identification of the SAP. When the SAP shown in fig. 4 is the aforementioned SAP1, the SAP ID is used to carry the identifier of information 1; when the SAP shown in fig. 4 is the aforementioned SAP2, the SAP ID is used to carry the identification of information 2.
The network element ID is used to carry the network element identity. When the SAP is used to indicate a network function supported by the communication apparatus 1, the network element ID is used to carry an identifier of the communication apparatus 1; when the SAP is used to indicate a network function supported by the communication apparatus 2, the network element ID is used to carry an identifier of the communication apparatus 2.
The network ID is used to carry the identifier of the network to which the network element indicated by the network element ID belongs. When the SAP shown in fig. 4 is the aforementioned SAP1, the network ID is used to carry the identifier of the network to which the communication device 1 belongs. When the SAP shown in fig. 4 is the aforementioned SAP2, the network ID is used to carry the identifier of the network to which the communication device 2 belongs.
The network location is used to carry the location of the network element indicated by the network element ID in the network. When the SAP shown in fig. 4 is the aforementioned SAP1, the network location is used to carry the location of the communication device 1 in the network. When the SAP shown in fig. 4 is the aforementioned SAP2, the network location is used to carry the location of the communication device 2 in the network.
The management address is used to carry the management address of the network element indicated by the network element ID. When the SAP shown in fig. 4 is the aforementioned SAP1, the management address is used to carry the management address of the communication device 1. When the SAP shown in fig. 4 is the aforementioned SAP2, the management address is used to carry the management address of the communication device 2.
The expire field is used to carry the expiration date of the SAP. When the SAP shown in fig. 4 is the aforementioned SAP1, expire is used to carry the validity period of the information 1; when the SAP shown in fig. 4 is the aforementioned SAP2, expire is used to carry the validity period of the information 2.
The content in block 401 in fig. 4 is used to indicate the network function 1, where name is used to carry the name of the network function 1 and policy is used to carry the configuration information for implementing the network function 1.
The content in block 402 in fig. 4 is used to indicate the network function 2, where name is used to carry the name of the network function 2 and policy is used to carry the configuration information for implementing the network function 2.
The content in block 403 in fig. 4 is used to indicate the certificate. Here, issuer is used to carry the issuer of the certificate. function is used to indicate the network function to which the certificate corresponds: when the value carried by function is function1, it indicates that the certificate is the certificate of the network function 1, and the certificate includes the key required to implement the network function 1. usage is used to indicate the specific way in which the key in the certificate is used.
The signature is used to carry the signature of the network provider.
In some embodiments, it is considered that the network plan of the network provider may change, and when the network plan of the network provider changes, the network functions supported by a communication device may also change. For example, some network functions of the communication device 1 are deregistered after a change in the network plan. For this case, the control management entity may acquire a deregistration list and send the deregistration list to the communication device. The deregistration list may be used to indicate deregistered information, that is, information indicating network functions of the communication device that have been deregistered, so that the communication device knows which of its network functions have been deregistered.
In one example, the deregistered network functions indicated by the deregistration list may include deregistered network functions of a plurality of communication devices managed by the control management entity. For example, the deregistered network functions indicated by the deregistration list may include a deregistered network function of the communication device 1, a deregistered network function of the communication device 2, and deregistered network functions of other communication devices. Accordingly, the control management entity may transmit the deregistration list to a plurality of communication devices it manages. In one example, the deregistration list may include the identifier of each deregistered SAP, such as the aforementioned identifier of the information 1 and/or the aforementioned identifier of the information 2.
In this way, the communication device 1 can determine from the deregistration list not only its own deregistered network functions but also the deregistered network functions of other communication devices. Similarly, the communication device 2 can determine from the deregistration list not only its own deregistered network functions but also the deregistered network functions of other communication devices. For this approach, the method 100 may further include: before determining from the information 1 that the communication device 1 supports the network function 1, the communication device 2 determines, according to the deregistration list, whether the information 1 has been deregistered, and determines from the information 1 that the communication device 1 supports the network function 1 in the case where the information 1 has not been deregistered. Similarly, in the method 200, before determining from the information 2 that the communication device 2 supports the network function 1, the communication device 1 may further determine, according to the deregistration list, whether the information 2 has been deregistered, and determine from the information 2 that the communication device 2 supports the network function 1 in the case where the information 2 has not been deregistered.
In an embodiment of the present application, the control management entity may transmit the deregistration list to a communication device it manages based on a request from that communication device. In this case, before acquiring the deregistration list, the control management entity may further receive a request 2 sent by a communication device (for example, the communication device 1 or the communication device 2), where the request 2 is used to request the deregistration list. Of course, the control management entity may also actively send the deregistration list to the communication devices it manages; the embodiment of the present application does not particularly limit this.
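The receiving-side checks described for S106 and S206 (provider signature, validity period, peer policy), the fig. 4 fields they read and the deregistration-list lookup above can be combined into one routine. The Go program below is an added example, not the patent's own code; the JSON encoding of the SAP, the Ed25519 provider signature, the Unix-second expire value and the all-zero demonstration seed are its assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Function is one SAP block (401/402 in fig. 4): a function name and its policy,
// reduced here to the peer addresses admitted for the first communication
// connection; an empty list plays the "default value or empty" case of the text.
type Function struct {
	Name  string   `json:"name"`
	Peers []string `json:"peers,omitempty"`
}

// SAP holds the fig. 4 fields the checks use (the others are omitted here).
// JSON encoding and a Unix-second expire field are assumptions of this example.
type SAP struct {
	SAPID     string     `json:"sap_id"`
	ElementID string     `json:"element_id"`
	Expire    int64      `json:"expire"`
	Functions []Function `json:"functions"`
	Signature []byte     `json:"signature,omitempty"`
}

// signedBytes is what the provider signs: the SAP with its signature cleared.
func signedBytes(s SAP) []byte {
	s.Signature = nil
	b, _ := json.Marshal(s) // cannot fail for this plain struct
	return b
}

// SignSAP is the control management entity's step: attach the provider's
// signature (Ed25519 is this example's choice; the patent names no scheme).
func SignSAP(priv ed25519.PrivateKey, s *SAP) {
	s.Signature = ed25519.Sign(priv, signedBytes(*s))
}

// Verifier holds what the receiving device needs for S106: the provider's
// public key, its own address, a clock and the deregistration list (SAP IDs).
type Verifier struct {
	ProviderPub  ed25519.PublicKey
	OwnAddr      string
	Now          func() time.Time
	Deregistered map[string]bool
}

// Check returns nil only if every check in the text passes for function fn:
// valid signature, not deregistered, inside the validity period, fn listed,
// and this device an admissible peer for it.
func (v Verifier) Check(s SAP, fn string) error {
	if !ed25519.Verify(v.ProviderPub, signedBytes(s), s.Signature) {
		return errors.New("provider signature invalid")
	}
	if v.Deregistered[s.SAPID] {
		return fmt.Errorf("SAP %s has been deregistered", s.SAPID)
	}
	if !v.Now().Before(time.Unix(s.Expire, 0)) {
		return errors.New("SAP validity period has ended")
	}
	for _, f := range s.Functions {
		if f.Name != fn {
			continue
		}
		if len(f.Peers) == 0 {
			return nil // empty policy: any device may be the peer
		}
		for _, p := range f.Peers {
			if p == v.OwnAddr {
				return nil
			}
		}
		return fmt.Errorf("%s is not a permitted peer for %s", v.OwnAddr, fn)
	}
	return fmt.Errorf("%s does not support %s", s.ElementID, fn)
}

// ConstructedSAP returns a sample, unsigned profile for device "ne-1" (constructed values).
func ConstructedSAP() SAP {
	return SAP{
		SAPID: "sap-1", ElementID: "ne-1",
		Expire: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC).Unix(),
		Functions: []Function{
			{Name: "function1", Peers: []string{"192.0.2.2"}},
			{Name: "function2"}, // no peer restriction
		},
	}
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed: demo only
	s := ConstructedSAP()
	SignSAP(priv, &s)
	v := Verifier{ProviderPub: priv.Public().(ed25519.PublicKey),
		OwnAddr: "192.0.2.2", Now: time.Now, Deregistered: map[string]bool{}}
	fmt.Println("function1:", v.Check(s, "function1")) // <nil>
	fmt.Println("function3:", v.Check(s, "function3")) // ne-1 does not support function3
}
```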
Fig. 5 is a flowchart illustrating an authority authentication method according to an embodiment of the present application. The method 300 shown in fig. 5 may be performed by a first communication device, which may correspond to the communication device 2 in the method 100 or the method 200, and is configured to perform the steps performed by the communication device 2 in the method 100 or the method 200. The method 300 may include, for example, the following S301-S302.
S301: receiving first information sent by a second communication device, wherein the first information is used for indicating network functions supported by the second communication device, and the network functions comprise a first network function.
S302: determining, according to the first information, that the second communication device supports the first network function.
The second communication device mentioned here may correspond to the communication device 1 in the method 100 or the method 200; the first information mentioned here may correspond to the information 1 in the method 100; the first network function mentioned here may correspond to the network function 1 in the method 100 or the method 200.
In one implementation, the first information is further used to indicate configuration information for implementing the first network function.
The configuration information mentioned here may correspond to configuration information 1 in method 100.
In one implementation, the first network function includes establishing a first communication connection.
In one implementation, the method further comprises:
determining, according to the configuration information, that the first communication device is the peer end that establishes the first communication connection with the second communication device.
In one implementation, the first communication connection includes any one of:
a media access control security (MACsec) connection, a border gateway protocol (BGP) connection, an internet protocol security (IPsec) connection, a bidirectional forwarding detection (BFD) connection, an interior gateway protocol (IGP) connection, or a segment routing over internet protocol version 6 (SRv6) tunnel.
In one implementation manner, the first information further includes first indication information, and the first indication information is used for indicating a validity period of the first network function.
The first indication information mentioned here may correspond to the indication information 1 in the method 100.
In one implementation, the first information is a first security authentication profile SAP.
The first SAP, as referred to herein, may correspond to SAP1 in method 100.
In one implementation, the first information further includes a signature of the network provider.
In one implementation, the method further comprises:
verifying the signature.
In one implementation, the first information further includes a certificate including a key required to implement the first network function.
In one implementation, the method further comprises:
obtaining second information, where the second information is used to indicate that the first communication device supports the first network function.
The second information mentioned here may correspond to the information 2 in the method 100 or the method 200.
In one implementation, the method further comprises:
sending the second information to the second communication device.
In one implementation, the second information is a second SAP.
The second SAP, as referred to herein, may correspond to SAP2 of method 200.
In one implementation, the second information further includes a signature of the network provider.
In one implementation, the second information further includes a certificate including a key required to implement the first network function.
In one implementation, the first information is carried in an extensible authentication protocol EAP message or a BGP message.
In one implementation, the first information is a first SAP, and the first information further includes one or more of the following information:
an identification of a first SAP, an identification of a second communication device, an identification of a network to which the second communication device belongs, a location of the second communication device in the network, a management address of the second communication device, and a name of the first network function.
Fig. 6 is a flowchart illustrating a method for processing authority information according to an embodiment of the present application. The method 400 shown in fig. 6 may be performed by a second communication device or a control management entity, and the second communication device may correspond to the communication device 1 in the method 100 or the method 200, and is configured to perform the steps performed by the communication device 1 in the method 100 or the method 200. The control management entity is configured to perform the steps performed by the control management entity in the above method 100 or method 200. The method 400 may include, for example, the following S401-S402.
S401: first information is acquired, wherein the first information is used for indicating network functions supported by a second communication device, and the network functions comprise a first network function.
S402: sending the first information.
The first information mentioned here may correspond to the information 1 in the method 100; the first network function mentioned here may correspond to the network function 1 in the method 100 or the method 200.
In one implementation, the first information is further used to indicate configuration information for implementing the first network function.
The configuration information mentioned here may correspond to configuration information 1 in method 100.
In one implementation, the first network function includes establishing a first communication connection.
In one implementation, the configuration information is used to indicate a peer end that establishes the first communication connection with the second communication device.
In one implementation, the first communication connection includes any one of:
a media access control security (MACsec) connection, a border gateway protocol (BGP) connection, an internet protocol security (IPsec) connection, a bidirectional forwarding detection (BFD) connection, an interior gateway protocol (IGP) connection, or a segment routing over internet protocol version 6 (SRv6) tunnel.
In one implementation, the first information further includes first indication information, where the first indication information is used to indicate a validity period of the first network function.
The first indication information mentioned here may correspond to the indication information 1 in the method 100.
In one implementation, the first information is a first security authentication profile SAP.
The first SAP, as referred to herein, may correspond to SAP1 of method 100.
In one implementation, the first information further includes a signature of the network provider.
In one implementation, the first information further includes a certificate including a key required to implement the first network function.
In one implementation, when the method 400 is performed by a control management entity, the sending the first information includes:
sending the first information to the second communication device.
The second communication apparatus mentioned here may correspond to the communication apparatus 1 in the method 100 or the method 200.
In one implementation, when the method 400 is performed by a control management entity, the method further comprises:
acquiring a deregistration list, where the deregistration list is used to indicate deregistered information, and the deregistered information is used to indicate a deregistered network function of a communication device;
sending the deregistration list.
In one implementation, the method further comprises:
receiving a first request sent by the second communication device, where the first request is used to request the first information.
The first request mentioned here may correspond to request 1 in method 100.
In one implementation, the method further comprises:
receiving a second request sent by the second communication device, where the second request is used to request the deregistration list.
The second request referred to herein may correspond to request 2 in method 200.
In one implementation, when the method 400 is performed by a second communications device, the sending the first information includes:
and sending the first information to a first communication device.
The first communication device mentioned here may correspond to the communication device 2 in the method 100 or the method 200.
In one implementation, when the method 400 is performed by a second communications device, the method further comprises:
receiving second information sent by a first communication device, wherein the second information is used for indicating that the first communication device supports the first network function;
determining, according to the second information, that the first communication device supports the second network function.
The second information mentioned here may correspond to information 2 in method 200, and the second network function mentioned here may correspond to network function 2 in method 200.
In one implementation, the second information further includes a signature of the network provider.
In one implementation, the method further comprises:
verifying the signature included in the second information.
In one implementation, the second information further includes a certificate including a key required to implement the first network function.
In one implementation, the second information further includes second indication information, where the second indication information is used to indicate a validity period of the second information.
The second indication information mentioned here may correspond to indication information 2 in the method 200.
In one implementation, the second information further includes configuration information for implementing the first network function.
The configuration information mentioned here may correspond to configuration information 2 in method 200.
In one implementation, the second information is a second SAP.
The second SAP, as referred to herein, may correspond to SAP2 of method 200.
Fig. 7 is a schematic flowchart of an authority information processing method according to an embodiment of the present application. The method 500 shown in fig. 7 may be performed by a control management entity for performing the steps performed by the control management entity in the method 100 or the method 200 above. The method 500 may include, for example, the following S501-S502.
S501: A revocation list is acquired, where the revocation list is used to indicate revoked information, and the revoked information is used to indicate a network function of a communication apparatus that has been revoked.
S502: The revocation list is sent.
In one implementation, the revocation list includes an identifier of a revoked security authentication profile (SAP), where the SAP is used to indicate the network functions supported by a communication apparatus.
In one implementation, the method further comprises:
receiving a second request, where the second request is used to request the revocation list.
The second request referred to herein may correspond to request 2 in method 200.
In one implementation, the revoked information includes a network function of the first communication device that has been revoked, and/or a network function of the second communication device that has been revoked.
The first communication device mentioned here may correspond to the communication device 2 in the method 100 or the method 200; the second communication apparatus mentioned here may correspond to the communication apparatus 1 in the method 100 or the method 200.
In one implementation, the method further comprises:
acquiring first information, wherein the first information is used for indicating network functions supported by a second communication device, and the network functions comprise a first network function;
sending the first information to the second communication device.
The first information mentioned here may correspond to information 1 in the method 100; the first network function mentioned here may correspond to network function 1 in the method 100 or the method 200; the second communication apparatus mentioned here may correspond to the communication apparatus 1 in the method 100 or the method 200.
In one implementation, the first information is further used to indicate configuration information for implementing the first network function.
The configuration information mentioned here may correspond to configuration information 1 in method 100.
In one implementation, the first network function includes establishing a first communication connection.
In one implementation, the configuration information is used to indicate a peer end that establishes the first communication connection with the second communication device.
In one implementation, the first communication connection includes any one of:
media access control security (MACsec), border gateway protocol (BGP), internet protocol security (IPsec), bidirectional forwarding detection (BFD), interior gateway protocol (IGP), or segment routing over internet protocol version 6 (SRv6).
In one implementation, the first information further includes first indication information, where the first indication information is used to indicate a validity period of the first network function.
The first indication information mentioned here may correspond to indication information 1 in the method 100.
In one implementation, the first information is a first security authentication profile SAP.
The first SAP, as referred to herein, may correspond to SAP1 of method 100.
In one implementation, the first information further includes a signature of the network provider.
In one implementation, the first information further includes a certificate including a key required to implement the first network function.
In one implementation, the method further comprises:
and receiving a first request sent by the second communication device, wherein the first request is used for requesting the first information.
The first request mentioned here may correspond to request 1 in method 100.
Fig. 8 is a flowchart illustrating a method for processing authority information according to an embodiment of the present application. The method 600 shown in fig. 8 may be performed by a second communication device, and the second communication device may correspond to the communication device 1 in the method 100 or the method 200, and is configured to perform the steps performed by the communication device 1 in the method 100 or the method 200. The method 600 may include, for example, the following S601-S602.
S601: receiving a logout list, wherein the logout list is used for indicating the information which is logged out, and the information which is logged out is used for indicating the network function of the communication device which is logged out.
S602: and saving the logout list.
In one implementation, the logout list includes an identification of a logged out security authentication profile SAP, which is used to indicate network functions supported by the communication device.
In one implementation, the method further comprises:
and sending a second request to a control management entity, where the second request is used to request the revocation list.
The second request referred to herein may correspond to request 2 in method 200.
In one implementation, the revoked information includes a network function of the first communication device that has been revoked, and/or a network function of the second communication device that has been revoked.
In one implementation, the method further comprises:
acquiring first information, where the first information is used to indicate network functions supported by the second communication device, and the network functions include a first network function;
and sending the first information to a first communication device.
The first information mentioned here may correspond to information 1 in the method 100; the first network function mentioned here may correspond to network function 1 in the method 100 or the method 200; the first communication device mentioned here may correspond to the communication device 2 in the method 100 or the method 200.
In one implementation, the first information is further used to indicate configuration information for implementing the first network function.
The configuration information mentioned here may correspond to configuration information 1 in method 100.
In one implementation, the first network function includes establishing a first communication connection.
In one implementation, the configuration information is used to indicate a peer end that establishes the first communication connection with the second communication device.
In one implementation, the first communication connection includes any one of:
media access control security (MACsec), border gateway protocol (BGP), internet protocol security (IPsec), bidirectional forwarding detection (BFD), interior gateway protocol (IGP), or segment routing over internet protocol version 6 (SRv6).
In one implementation, the first information further includes first indication information, where the first indication information is used to indicate a validity period of the first network function.
The first indication information mentioned here may correspond to indication information 1 in the method 100.
In one implementation, the first information is a first security authentication profile SAP.
The first SAP, as referred to herein, may correspond to SAP1 of method 100.
In one implementation, the first information further includes a signature of the network provider.
In one implementation, the first information further includes a certificate including a key required to implement the first network function.
In one implementation, the method further comprises:
receiving second information sent by a first communication device, wherein the second information is used for indicating that the first communication device supports the first network function;
determining, according to the second information, that the first communication device supports the second network function.
The second information mentioned here may correspond to information 2 in method 200, and the second network function mentioned here may correspond to network function 2 in method 200.
In one implementation, the second information further includes a signature of the network provider.
In one implementation, the method further comprises:
verifying the signature included in the second information.
In one implementation, the second information further includes a certificate including a key required to implement the first network function.
In one implementation, the second information further includes second indication information, where the second indication information is used to indicate a validity period of the second information.
The second indication information mentioned here may correspond to indication information 2 in the method 200.
In one implementation, the second information is a second SAP.
The second SAP, as referred to herein, may correspond to SAP2 of the method 200.
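The SAP handling described for the method 400 and the method 600 (a profile signed by the network provider that names the supported network function, the peer end and a validity period, which the receiving device verifies before it treats the peer as authorised) and the revocation list of the method 500 and the method 600 (a list of revoked SAP identifiers that the device stores and checks received SAPs against) can be put together as one verification path. The following Go program is an added example written for this page; it is not code from the patent or from Huawei. The SAP field layout, the JSON encoding, the Ed25519 signature scheme, the device and SAP names (R2, sap-1), the numeric validity window and the choice to sign the revocation list with the same provider key are all this example's assumptions, and the certificate carrying the key required for the function, which the text also mentions, is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// SAP is a hypothetical encoding of the text's security authentication profile (the field layout is this example's assumption).
type SAP struct {
	ID        string
	Functions []string // network functions authorised, e.g. "BGP", "MACsec"
	Peer      string   // peer end the connection may be established with
	NotBefore int64    // validity period, Unix seconds
	NotAfter  int64
}

type Signed struct{ Body, Sig []byte } // wire message: JSON body plus the network provider's signature

// Provider plays the control management entity holding the provider key.
type Provider struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewProvider() *Provider {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail
	return &Provider{Pub: pub, priv: priv}
}

func (p *Provider) sign(v any) Signed {
	body, _ := json.Marshal(v) // plain struct / []string: cannot fail
	return Signed{Body: body, Sig: ed25519.Sign(p.priv, body)}
}

// IssueSAP signs information 1; IssueRevocationList signs the IDs of revoked SAPs (S501).
func (p *Provider) IssueSAP(s SAP) Signed                   { return p.sign(s) }
func (p *Provider) IssueRevocationList(ids []string) Signed { return p.sign(ids) }

// Device plays communication device 2: it trusts only the provider key and keeps the last accepted revocation list.
type Device struct {
	Name        string
	ProviderPub ed25519.PublicKey
	Revoked     map[string]bool
}

func (d *Device) open(m Signed, v any) error { // verify the provider signature before decoding anything
	if !ed25519.Verify(d.ProviderPub, m.Body, m.Sig) {
		return errors.New("bad provider signature")
	}
	return json.Unmarshal(m.Body, v)
}

// StoreRevocationList verifies and saves the list (S601/S602); a list that fails verification leaves the stored one untouched.
func (d *Device) StoreRevocationList(rl Signed) error {
	var ids []string
	if err := d.open(rl, &ids); err != nil {
		return fmt.Errorf("revocation list: %w", err)
	}
	d.Revoked = make(map[string]bool, len(ids))
	for _, id := range ids {
		d.Revoked[id] = true
	}
	return nil
}

// VerifyPeerSAP is device 2's check on the SAP received from device 1 before it agrees to run fn (e.g. BGP) at time now.
func (d *Device) VerifyPeerSAP(ss Signed, fn string, now int64) (*SAP, error) {
	var s SAP
	if err := d.open(ss, &s); err != nil {
		return nil, fmt.Errorf("sap: %w", err)
	}
	switch {
	case d.Revoked[s.ID]:
		return nil, fmt.Errorf("sap %s: revoked", s.ID)
	case now < s.NotBefore || now > s.NotAfter:
		return nil, fmt.Errorf("sap %s: outside validity period", s.ID)
	case s.Peer != d.Name:
		return nil, fmt.Errorf("sap %s: peer is %s, not %s", s.ID, s.Peer, d.Name)
	}
	for _, f := range s.Functions {
		if f == fn {
			return &s, nil
		}
	}
	return nil, fmt.Errorf("sap %s: not authorised for %s", s.ID, fn)
}

func main() {
	p := NewProvider()
	r2 := &Device{Name: "R2", ProviderPub: p.Pub}
	ss := p.IssueSAP(SAP{ID: "sap-1", Functions: []string{"BGP"}, Peer: "R2", NotBefore: 100, NotAfter: 200})
	_, before := r2.VerifyPeerSAP(ss, "BGP", 150)
	_ = r2.StoreRevocationList(p.IssueRevocationList([]string{"sap-1"}))
	_, after := r2.VerifyPeerSAP(ss, "BGP", 150)
	fmt.Println("before revocation:", before, "| after:", after)
}
```

Two design points carry over from the text. The provider signature is checked before the body of either message is decoded, so nothing in an unauthenticated SAP or revocation list is parsed or acted on; and a revocation list that fails verification is rejected without clearing the list already stored, since an attacker who could make the device drop its list would otherwise un-revoke every SAP at once. The peer check implements the configuration information that indicates the peer end: a SAP issued for a connection to R2 is not accepted by any other device, even though its signature is valid.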
With respect to the above specific implementation of the method 300, the method 400, the method 500 and the method 600, reference may be made to the above description of the method 100 and the method 200, and no detailed description is made here.
In addition, an embodiment of the present application further provides a communication apparatus 900, which is shown in fig. 9. Fig. 9 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application. The communication apparatus 900 includes a transceiving unit 901 and a processing unit 902. The communication apparatus 900 may be configured to perform the method 100, the method 200, the method 300, the method 400, the method 500, or the method 600 in the above embodiments.
In one example, the communication device 900 may perform the method 100 in the above embodiment, and when the communication device 900 is used to perform the method 100 in the above embodiment, the communication device 900 is equivalent to the communication device 1 in the method 100. The transceiving unit 901 is used to perform transceiving operations performed by the communication device 1 in the method 100. The processing unit 902 is configured to perform operations other than transceiving operations performed by the communication apparatus 1 in the method 100. For example: the transceiving unit 901 is configured to receive information 1, where the information 1 is used to indicate network functions supported by the communication apparatus 1, and the network functions supported by the communication apparatus 1 include the network function 1. The processing unit 902 is configured to store the information 1; the transceiving unit 901 is further configured to send the information 1 to the communication device 2.
In one example, the communication device 900 may perform the method 100 in the above embodiment, and when the communication device 900 is used to perform the method 100 in the above embodiment, the communication device 900 is equivalent to the communication device 2 in the method 100. The transceiving unit 901 is configured to perform transceiving operations performed by the communication apparatus 2 in the method 100. The processing unit 902 is configured to perform operations other than transceiving operations performed by the communication device 2 in the method 100. For example: the transceiving unit 901 is configured to receive information 1, where the information 1 is used to indicate network functions supported by the communication apparatus 1, and the network functions supported by the communication apparatus 1 include the network function 1; the processing unit 902 is configured to determine, according to the information 1, that the communication apparatus 1 supports the network function 1.
In one example, the communication device 900 may perform the method 100 in the above embodiment, and when the communication device 900 is used to perform the method 100 in the above embodiment, the communication device 900 is equivalent to the control management entity in the method 100. The transceiving unit 901 is used for performing transceiving operations performed by the control management entity in the method 100. The processing unit 902 is configured to perform operations other than transceiving operations performed by the control management entity in the method 100. For example: the processing unit 902 is configured to obtain information 1, where the information 1 is used to indicate network functions supported by the communication apparatus 1, and the network functions supported by the communication apparatus 1 include the network function 1; the transceiving unit 901 is configured to transmit the information 1 to the communication device 1.
In one example, the communication device 900 may perform the method 200 in the above embodiment, and when the communication device 900 is used to perform the method 200 in the above embodiment, the communication device 900 is equivalent to the communication device 1 in the method 200. The transceiving unit 901 is used to perform transceiving operations performed by the communication device 1 in the method 200. The processing unit 902 is configured to perform operations other than transceiving operations performed by the communication apparatus 1 in the method 200. For example: the transceiving unit 901 is configured to receive information 2, where the information 2 is configured to indicate network functions supported by the communication apparatus 2, and the network functions supported by the communication apparatus 2 include the network function 1. The processing unit 902 is configured to determine, from the information 2, that the communication apparatus 2 supports the network function 1.
In one example, the communication device 900 may perform the method 200 in the above embodiment, and when the communication device 900 is used to perform the method 200 in the above embodiment, the communication device 900 is equivalent to the communication device 2 in the method 200. The transceiving unit 901 is configured to perform transceiving operations performed by the communication apparatus 2 in the method 200. The processing unit 902 is configured to perform operations other than transceiving operations performed by the communication device 2 in the method 200. For example: the transceiving unit 901 is configured to receive information 2, where the information 2 is used to indicate network functions supported by the communication apparatus 2, and the network functions supported by the communication apparatus 2 include the network function 1; the processing unit 902 is configured to store the information 2; the transceiving unit 901 is further configured to send the information 2 to the communication apparatus 1.
In one example, the communication device 900 can perform the method 200 in the above embodiment, and when the communication device 900 is used for performing the method 200 in the above embodiment, the communication device 900 is equivalent to the control management entity in the method 200. The transceiving unit 901 is used for performing transceiving operations performed by the control management entity in the method 200. The processing unit 902 is configured to perform operations other than transceiving operations performed by the control management entity in the method 200. For example: the processing unit 902 is configured to obtain information 2, where the information 2 is used to indicate network functions supported by the communication apparatus 2, and the network functions supported by the communication apparatus 2 include the network function 1; the transceiving unit 901 is configured to send the information 2 to the communication device 2.
In one example, the communication device 900 can perform the method 300 in the above embodiment, and when the communication device 900 is used to perform the method 300 in the above embodiment, the communication device 900 is equivalent to the first communication device in the method 300. The transceiving unit 901 is configured to perform transceiving operations performed by the first communication device in the method 300. The processing unit 902 is configured to perform operations other than transceiving operations performed by the first communication device in the method 300. For example: the transceiving unit 901 is configured to receive first information sent by a second communication apparatus, where the first information is used to indicate network functions supported by the second communication apparatus, and the network functions include a first network function; the processing unit 902 is configured to determine, according to the first information, that the second communication device supports the first network function.
In one example, the communication device 900 can perform the method 400 in the above embodiment, and when the communication device 900 is used for performing the method 400 in the above embodiment, the communication device 900 is equivalent to the device that performs the method 400, that is, the control management entity or the second communication device. The transceiving unit 901 is used to perform the transceiving operations in the method 400. The processing unit 902 is configured to perform the operations of the method 400 other than the transceiving operations. For example: the processing unit 902 is configured to obtain first information, where the first information is used to indicate network functions supported by the second communication apparatus, and the network functions include a first network function; the transceiving unit 901 is configured to send the first information.
In one example, the communication device 900 can perform the method 500 in the above embodiment, and when the communication device 900 is used to perform the method 500 in the above embodiment, the communication device 900 is equivalent to the control management entity in the method 500. The transceiving unit 901 is used for performing transceiving operations performed by the control management entity in the method 500. The processing unit 902 is configured to perform operations other than transceiving operations performed by the control management entity in the method 500. For example: the processing unit 902 is configured to obtain a revocation list, where the revocation list is used to indicate revoked information, and the revoked information is used to indicate a network function of a communication apparatus that has been revoked; the transceiving unit 901 is configured to send the revocation list.
In one example, the communication device 900 can perform the method 600 in the above embodiment, and when the communication device 900 is used to perform the method 600 in the above embodiment, the communication device 900 is equivalent to the second communication device in the method 600. The transceiving unit 901 is configured to perform transceiving operations performed by the second communication device in the method 600. The processing unit 902 is configured to perform operations other than transceiving operations performed by the second communication device in the method 600. For example: the transceiving unit 901 is configured to receive a revocation list, where the revocation list is used to indicate revoked information, and the revoked information is used to indicate a network function of a communication apparatus that has been revoked; the processing unit 902 is configured to store the revocation list.
In addition, an embodiment of the present application further provides a communication device 1000, and referring to fig. 10, fig. 10 is a schematic structural diagram of the communication device provided in the embodiment of the present application. The communication device 1000 includes a communication interface 1001 and a processor 1002 connected to the communication interface 1001. The communication device 1000 may be used to perform the method 100, the method 200, the method 300, the method 400, the method 500, or the method 600 in the above embodiments.
In one example, the communication device 1000 may perform the method 100 in the above embodiment, and when the communication device 1000 is used to perform the method 100 in the above embodiment, the communication device 1000 is equivalent to the communication device 1 in the method 100. The communication interface 1001 is used to perform a transceiving operation performed by the communication apparatus 1 in the method 100. The processor 1002 is configured to perform operations other than transceiving operations performed by the communication apparatus 1 in the method 100. For example: the communication interface 1001 is configured to receive information 1, where the information 1 is used to indicate network functions supported by the communication apparatus 1, and the network functions supported by the communication apparatus 1 include the network function 1. The processor 1002 is configured to store the information 1; the communication interface 1001 is also used to transmit the information 1 to the communication apparatus 2.
In one example, the communication device 1000 may perform the method 100 in the above embodiment, and when the communication device 1000 is used to perform the method 100 in the above embodiment, the communication device 1000 is equivalent to the communication device 2 in the method 100. The communication interface 1001 is used to perform the transceiving operations performed by the communication apparatus 2 in the method 100. The processor 1002 is configured to perform operations other than transceiving operations performed by the communication device 2 in the method 100. For example: the communication interface 1001 is configured to receive information 1, where the information 1 is used to indicate network functions supported by the communication apparatus 1, and the network functions supported by the communication apparatus 1 include the network function 1; the processor 1002 is configured to determine, according to the information 1, that the communication apparatus 1 supports the network function 1.
In one example, the communication device 1000 may perform the method 100 in the above embodiment, and when the communication device 1000 is used to perform the method 100 in the above embodiment, the communication device 1000 is equivalent to the control management entity in the method 100. The communication interface 1001 is used for performing transceiving operations performed by the control management entity in the method 100. The processor 1002 is configured to perform operations other than transceiving operations performed by the control management entity in the method 100. For example: the processor 1002 is configured to obtain information 1, where the information 1 is used to indicate network functions supported by the communication apparatus 1, and the network functions supported by the communication apparatus 1 include the network function 1; the communication interface 1001 is used to transmit the information 1 to the communication apparatus 1.
In one example, the communication device 1000 may perform the method 200 in the above embodiment, and when the communication device 1000 is used to perform the method 200 in the above embodiment, the communication device 1000 is equivalent to the communication device 1 in the method 200. The communication interface 1001 is used to perform the transceiving operations performed by the communication apparatus 1 in the method 200. The processor 1002 is configured to perform operations other than transceiving operations performed by the communication apparatus 1 in the method 200. For example: the communication interface 1001 is configured to receive information 2, where the information 2 is used to indicate network functions supported by the communication apparatus 2, and the network functions supported by the communication apparatus 2 include the network function 1; the processor 1002 is configured to determine, according to the information 2, that the communication apparatus 2 supports the network function 1.
In one example, the communication device 1000 may perform the method 200 in the above embodiment, and when the communication device 1000 is used to perform the method 200 in the above embodiment, the communication device 1000 is equivalent to the communication device 2 in the method 200. The communication interface 1001 is used to perform the transceiving operations performed by the communication apparatus 2 in the method 200. Processor 1002 is configured to perform operations other than transceiving operations performed by communication device 2 in method 200. For example: the communication interface 1001 is configured to receive information 2, where the information 2 is used to indicate network functions supported by the communication apparatus 2, and the network functions supported by the communication apparatus 2 include a network function 1; the processor 1002 is configured to store the information 2; the communication interface 1001 is also used to send the information 2 to the communication device 1.
In one example, the communication device 1000 may perform the method 200 in the above embodiment, and when the communication device 1000 is used to perform the method 200 in the above embodiment, the communication device 1000 is equivalent to the control management entity in the method 200. The communication interface 1001 is used for performing transceiving operations performed by the control management entity in the method 200. The processor 1002 is configured to perform operations other than transceiving operations performed by the control management entity in the method 200. For example: the processor 1002 is configured to obtain information 2, where the information 2 is used to indicate network functions supported by the communication apparatus 2, and the network functions supported by the communication apparatus 2 include a network function 1; the communication interface 1001 is used to transmit the information 2 to the communication apparatus 2.
In one example, the communication device 1000 can perform the method 300 in the above embodiment, and when the communication device 1000 is used to perform the method 300 in the above embodiment, the communication device 1000 is equivalent to the first communication device in the method 300. The communication interface 1001 is used to perform transceiving operations performed by the first communication device in the method 300. The processor 1002 is configured to perform operations other than transceiving operations performed by the first communication device in the method 300. For example: the communication interface 1001 is configured to receive first information sent by a second communication apparatus, where the first information is used to indicate network functions supported by the second communication apparatus, and the network functions include a first network function; the processor 1002 is configured to determine that the second communication device supports the first network function according to the first information.
In one example, the communication device 1000 can perform the method 400 in the above embodiment, and when the communication device 1000 is used to perform the method 400 in the above embodiment, the communication device 1000 is equivalent to the device that performs the method 400, that is, the control management entity or the second communication device. The communication interface 1001 is used to perform the transceiving operations in the method 400. The processor 1002 is configured to perform the operations of the method 400 other than the transceiving operations. For example: the processor 1002 is configured to obtain first information, where the first information is used to indicate network functions supported by the second communication apparatus, and the network functions include a first network function; the communication interface 1001 is used to send the first information.
In one example, the communication device 1000 may perform the method 500 in the above embodiment, and when the communication device 1000 is used to perform the method 500 in the above embodiment, the communication device 1000 is equivalent to the control management entity in the method 500. The communication interface 1001 is used for performing transceiving operations performed by the control management entity in the method 500. The processor 1002 is configured to perform operations other than transceiving operations performed by the control management entity in the method 500. For example: the processor 1002 is configured to obtain a revocation list, where the revocation list is used to indicate revoked information, and the revoked information is used to indicate a network function of a communication apparatus that has been revoked; the communication interface 1001 is used to send the revocation list.
In one example, the communication device 1000 can perform the method 600 in the above embodiment, and when the communication device 1000 is used to perform the method 600 in the above embodiment, the communication device 1000 is equivalent to the second communication device in the method 600. The communication interface 1001 is used to perform transceiving operations performed by the second communication device in the method 600. The processor 1002 is configured to perform operations other than transceiving operations performed by the second communication device in the method 600. For example: the communication interface 1001 is configured to receive a revocation list, where the revocation list is used to indicate revoked information, and the revoked information is used to indicate a network function of a communication apparatus that has been revoked; the processor 1002 is configured to store the revocation list.
In addition, an embodiment of the present application further provides a communication apparatus 1100, referring to fig. 11, where fig. 11 is a schematic structural diagram of the communication apparatus provided in the embodiment of the present application.
The communication device 1100 may be used to perform the method 100, the method 200, the method 300, the method 400, the method 500 or the method 600 in the above embodiments.
As shown in fig. 11, the communication apparatus 1100 may include a processor 1110, a memory 1120 coupled to the processor 1110, and a transceiver 1130. The transceiver 1130 may be, for example, a communication interface or an optical module. The processor 1110 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor may also be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. The processor 1110 may be a single processor or may include multiple processors. The memory 1120 may include volatile memory, such as random-access memory (RAM); it may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or it may include a combination of these kinds of memory. The memory 1120 may be a single memory or may include multiple memories. In one embodiment, the memory 1120 stores computer-readable instructions comprising a plurality of software modules, such as a sending module 1121, a processing module 1122 and a receiving module 1123. After executing each software module, the processor 1110 may perform the corresponding operations according to the instructions of that module. In this embodiment, an operation performed by a software module refers to the operation performed by the processor 1110 according to the instructions of that software module.
In one example, the communication device 1100 may perform the method 100 in the above embodiment, and when the communication device 1100 is used to perform the method 100 in the above embodiment, the communication device 1100 is equivalent to the communication device 1 in the method 100. The transceiver 1130 is used to perform transceiving operations performed by the communication apparatus 1 in the method 100. Processor 1110 is configured to perform operations other than transceiving operations performed by communication apparatus 1 in method 100. For example: the transceiver 1130 is configured to receive the information 1, where the information 1 is used to indicate network functions supported by the communication apparatus 1, and the network functions supported by the communication apparatus 1 include the network function 1. Processor 1110 is configured to store the information 1; the transceiver 1130 is also used to transmit the information 1 to the communication device 2.
In one example, the communication device 1100 may perform the method 100 in the above embodiment, and when the communication device 1100 is used to perform the method 100 in the above embodiment, the communication device 1100 is equivalent to the communication device 2 in the method 100. The transceiver 1130 is used to perform transceiving operations performed by the communication apparatus 2 in the method 100. Processor 1110 is configured to perform operations other than transceiving operations performed by communication device 2 in method 100. For example: the transceiver 1130 is configured to receive information 1, where the information 1 is used to indicate network functions supported by the communication apparatus 1, and the network functions supported by the communication apparatus 1 include the network function 1; processor 1110 is configured to determine from information 1 that communication apparatus 1 supports network function 1.
In one example, the communication device 1100 can perform the method 100 in the above embodiment, and when the communication device 1100 is used to perform the method 100 in the above embodiment, the communication device 1100 corresponds to the control management entity in the method 100. The transceiver 1130 is used to perform transceiving operations performed by the control management entity in the method 100. Processor 1110 is configured to perform operations of method 100 other than transceiving operations performed by a control management entity. For example: the processor 1110 is configured to obtain information 1, where the information 1 is used to indicate network functions supported by the communication apparatus 1, and the network functions supported by the communication apparatus 1 include the network function 1; the transceiver 1130 is used to transmit the information 1 to the communication apparatus 1.
In one example, the communication device 1100 may perform the method 200 in the above embodiment, and when the communication device 1100 is used to perform the method 200 in the above embodiment, the communication device 1100 is equivalent to the communication device 1 in the method 200. The transceiver 1130 is used to perform transceiving operations performed by the communication apparatus 1 in the method 200. Processor 1110 is configured to perform operations other than transceiving operations performed by communication apparatus 1 in method 200. For example: the transceiver 1130 is configured to receive information 2, where the information 2 is used to indicate network functions supported by the communication apparatus 2, and the network functions supported by the communication apparatus 2 include the network function 1. Processor 1110 is configured to determine from information 2 that communication apparatus 2 supports network function 1.
In one example, the communication device 1100 may perform the method 200 in the above embodiment, and when the communication device 1100 is used to perform the method 200 in the above embodiment, the communication device 1100 is equivalent to the communication device 2 in the method 200. The transceiver 1130 is used to perform transceiving operations performed by the communication apparatus 2 in the method 200. Processor 1110 is configured to perform operations other than transceiving operations performed by communication device 2 in method 200. For example: the transceiver 1130 is configured to receive information 2, where the information 2 is used to indicate network functions supported by the communication apparatus 2, and the network functions supported by the communication apparatus 2 include a network function 1; processor 1110 is configured to store said information 2; the transceiver 1130 is also configured to transmit the information 2 to the communication apparatus 1.
In one example, the communication device 1100 can perform the method 200 in the above embodiment, and when the communication device 1100 is used to perform the method 200 in the above embodiment, the communication device 1100 corresponds to the control management entity in the method 200. The transceiver 1130 is used to perform transceiving operations performed by the control management entity in the method 200. Processor 1110 is configured to perform operations in method 200 other than transceiving operations performed by a control management entity. For example: processor 1110 is configured to obtain information 2, where information 2 is configured to indicate network functions supported by communication apparatus 2, and the network functions supported by communication apparatus 2 include network function 1; the transceiver 1130 is configured to transmit the information 2 to the communication apparatus 2.
In one example, the communication device 1100 can perform the method 300 in the above embodiment, and when the communication device 1100 is used to perform the method 300 in the above embodiment, the communication device 1100 is equivalent to the first communication device in the method 300. The transceiver 1130 is used to perform transceiving operations performed by the first communication device in the method 300. Processor 1110 is configured to perform operations other than transceiving operations performed by the first communications device in method 300. For example: the transceiver 1130 is configured to receive first information sent by a second communication apparatus, where the first information is used to indicate network functions supported by the second communication apparatus, and the network functions include a first network function; processor 1110 is configured to determine that the second communication device supports the first network function based on the first information.
In one example, the communication device 1100 can perform the method 400 in the above embodiments, and when the communication device 1100 is used to perform the method 400 in the above embodiments, the communication device 1100 is equivalent to a device that performs the method 400. The transceiver 1130 is used to perform transceiving operations in the method 400. Processor 1110 is configured to perform operations of method 400 other than transceiving operations. For example: processor 1110 is configured to obtain first information indicating network functions supported by a second communications device, the network functions including a first network function; the transceiver 1130 is used to transmit the first information.
In one example, the communication device 1100 may perform the method 500 in the above embodiment; when the communication device 1100 is used to perform the method 500, the communication device 1100 corresponds to the control management entity in the method 500. The transceiver 1130 is configured to perform the transceiving operations performed by the control management entity in the method 500, and the processor 1110 is configured to perform the operations of the control management entity other than transceiving. For example, the processor 1110 is configured to obtain a revocation list, where the revocation list indicates revoked information, and the revoked information indicates a network function of a communication apparatus that has been revoked; the transceiver 1130 is configured to send the revocation list.
In one example, the communication device 1100 may perform the method 600 in the above embodiment; when the communication device 1100 is used to perform the method 600, the communication device 1100 corresponds to the second communication device in the method 600. The transceiver 1130 is configured to perform the transceiving operations performed by the second communication device in the method 600, and the processor 1110 is configured to perform the operations of the second communication device other than transceiving. For example, the transceiver 1130 is configured to receive a revocation list, where the revocation list indicates revoked information, and the revoked information indicates a network function of a communication apparatus that has been revoked; the processor 1110 is configured to maintain the revocation list.
The present application also provides a computer-readable storage medium having stored therein instructions, which when executed on a computer, cause the computer to perform any one or more of the operations of the methods (e.g., method 100, method 200, method 300, method 400, method 500, and method 600) described in any of the preceding embodiments.
The present application also provides a computer program product comprising a computer program that, when run on a computer, causes the computer to perform any one or more of the operations of the methods (e.g., method 100, method 200, method 300, method 400, method 500, and method 600) described in any of the preceding embodiments.
The present application also provides a communication system including at least two of the first communication apparatus, the second communication apparatus, and the control management entity mentioned in the above embodiments. For example, the communication system includes a first communication apparatus and a second communication apparatus; as another example, the communication system includes a first communication device and a control management entity; for another example, the communication system includes a second communication device and a control management entity; for another example, the communication system includes a first communication device, a second communication device, and a control management entity.
The present application further provides a communication system comprising at least one memory and at least one processor, the at least one memory storing instructions and the at least one processor executing the instructions to cause the communication system to perform any one or more of the operations of the methods (e.g., method 100, method 200, method 300, method 400, method 500 and method 600) described in any of the preceding embodiments of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is only a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, each service unit in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a hardware form, and can also be realized in a software service unit form.
If the integrated unit is implemented in the form of a software service unit and sold or used as a stand-alone product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random-access memory (RAM), a magnetic disk or an optical disc.
Those skilled in the art will recognize that the services described in this disclosure may be implemented in hardware, software, firmware, or any combination thereof, in one or more of the examples described above. When implemented in software, the services may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The above embodiments are intended to explain the objects, aspects and advantages of the present invention in further detail, and it should be understood that the above embodiments are merely illustrative of the present invention.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and these modifications or substitutions do not depart from the scope of the technical solutions of the embodiments of the present application.

Claims (42)

1. An authority authentication method, performed by a first communication device, the method comprising:
receiving first information sent by a second communication device, wherein the first information is used for indicating network functions supported by the second communication device, and the network functions comprise a first network function;
determining that the second communication device supports the first network function according to the first information.
2. The method of claim 1, wherein the first information is further used for indicating configuration information for implementing the first network function.
3. The method of claim 2, wherein the first network function comprises establishing a first communication connection.
4. The method of claim 3, further comprising:
determining, according to the configuration information, that the first communication device is the peer that establishes the first communication connection with the second communication device.
5. The method according to claim 3 or 4, wherein the first communication connection comprises any one of:
media access control security (MACsec), border gateway protocol (BGP), internet protocol security (IPsec), bidirectional forwarding detection (BFD), interior gateway protocol (IGP), and a segment routing over internet protocol version 6 (SRv6) tunnel.
6. The method according to any of claims 1-5, wherein the first information further comprises first indication information indicating a validity period of the first network function.
7. The method according to any one of claims 1-6, wherein the first information is a first security authentication profile (SAP).
8. The method of any of claims 1-7, wherein the first information further comprises a signature of a network provider.
9. The method of claim 8, further comprising:
the signature is verified.
10. The method according to any of claims 1-9, wherein the first information further comprises a certificate comprising a key required to implement the first network function.
11. The method according to any one of claims 1-10, further comprising:
second information is obtained, wherein the second information is used for indicating that the first communication device supports the first network function.
12. The method of claim 11, further comprising:
sending the second information to the second communication device.
13. The method according to claim 11 or 12, wherein the second information is a second SAP.
14. The method of any of claims 11-13, wherein the second information further comprises a signature of a network provider.
15. The method according to any of claims 11-14, wherein the second information further comprises a certificate comprising a key required to implement the first network function.
16. The method according to any of claims 1-15, wherein the first information is carried in an extensible authentication protocol, EAP, message or a BGP message.
17. The method of any one of claims 1-16, wherein the first information is a first SAP, the first information further comprising one or more of:
an identification of the first SAP, an identification of a second communication device, an identification of a network to which the second communication device belongs, a location of the second communication device in the network, a management address of the second communication device, and a name of the first network function.
18. An authority information processing method, the method comprising:
acquiring first information, wherein the first information is used for indicating network functions supported by a second communication device, and the network functions comprise a first network function;
and sending the first information.
19. The method of claim 18, wherein the first information is further used for indicating configuration information for implementing the first network function.
20. The method of claim 19, wherein the first network function comprises establishing a first communication connection.
21. The method of claim 20, wherein the configuration information is used to indicate a peer end for establishing the first communication connection with the second communication device.
22. The method according to claim 20 or 21, wherein the first communication connection comprises any one of:
media access control security (MACsec), border gateway protocol (BGP), internet protocol security (IPsec), bidirectional forwarding detection (BFD), interior gateway protocol (IGP), and a segment routing over internet protocol version 6 (SRv6) tunnel.
23. The method according to any of claims 18-22, wherein the first information further comprises first indication information indicating a validity period of the first network function.
24. The method according to any of claims 18-23, wherein the first information is a first security authentication profile, SAP.
25. The method of any of claims 18-24, wherein the first information further comprises a signature of a network provider.
26. The method of any of claims 18-25, wherein the first information further comprises a certificate, the certificate comprising a key required to implement the first network function.
27. The method according to any of claims 18-26, wherein the method is performed by a control management entity, and wherein the sending the first information comprises:
sending the first information to the second communication device.
28. The method according to any of claims 18-27, wherein the method is performed by a control management entity, the method further comprising:
acquiring a revocation list, wherein the revocation list is used to indicate revoked information, and the revoked information is used to indicate a network function of a communication device that has been revoked;
and sending the revocation list.
29. The method of claim 27 or 28, further comprising:
and receiving a first request sent by the second communication device, wherein the first request is used for requesting the first information.
30. The method of claim 28, further comprising:
and receiving a second request sent by the second communication device, wherein the second request is used for requesting the logout list.
31. The method of any of claims 18-26, wherein the method is performed by a second communications device, and wherein sending the first information comprises:
and sending the first information to a first communication device.
32. The method according to any one of claims 18-26 or 31, wherein the method is performed by a second communication device, the method further comprising:
receiving second information sent by a first communication device, wherein the second information is used for indicating that the first communication device supports the first network function;
determining, from the second information, that the first communication device supports the first network function.
33. The method of claim 32, wherein the second information further comprises a signature of a network provider.
34. The method of claim 33, further comprising:
verifying the signature included in the second information.
35. The method of any of claims 32-34, wherein the second information further comprises a certificate, the certificate comprising a key required to implement the first network function.
36. The method according to any one of claims 32-35, wherein the second information further comprises second indication information, and the second indication information is used for indicating a validity period of the second information.
37. The method of any one of claims 32-36, wherein the second information is a second SAP.
38. A first communications device, comprising a memory and a processor;
the memory for storing program code;
the processor, configured to execute instructions in the program code to cause the first communication device to perform the method of any of claims 1-17 above.
39. A second communications device, comprising a memory and a processor;
the memory for storing program code;
the processor, configured to execute instructions in the program code to cause the second communication device to perform the method of any of the preceding claims 18-37.
40. A computer-readable storage medium having stored therein instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1-37.
41. A communication system comprising the first communication device of claim 38 and the second communication device of claim 39.
42. The communication system according to claim 41, further comprising a control management entity for sending the first information to the second communication device.
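The following is an added worked example, written for this page and not code from the patent or from Huawei, of the profile lifecycle that claims 1-17 (the first communication device verifying a received profile) and claims 18-37 (the control management entity issuing profiles and the revocation list, the second communication device forwarding its profile) describe. It assumes a JSON encoding of the security authentication profile, Ed25519 as the network provider's signature algorithm, the device's Ed25519 public key as the "certificate" carried in the profile, and a revocation list keyed on the profile identifier, sorted and itself signed by the provider; none of these choices is fixed by the claims, and the device names R1 and R2, the function name "BGP" and the clock values are constructed for the demonstration. The verifier checks the provider signature before looking at any other field, then the validity period, then the (signed) revocation list, then whether the profile grants the requested function and names this device as the peer, and only then releases the peer key. The tests also cover what the claims do not spell out: a profile with a field altered after signing, a profile signed by a different key, and an unsigned revocation list are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"time"
)

// SAP is an illustrative encoding of the security authentication profile of claims 2, 6, 8,
// 10 and 17. Field names and the JSON layout are assumptions, not taken from the patent.
type SAP struct {
	ProfileID   string `json:"profile_id"`
	Function    string `json:"function"`    // e.g. "MACsec", "BGP", "IPsec", "BFD", "IGP", "SRv6"
	Peer        string `json:"peer"`        // configuration information: the far end of the connection
	NotBefore   int64  `json:"not_before"`  // validity period, Unix seconds
	NotAfter    int64  `json:"not_after"`
	Certificate []byte `json:"certificate"` // key the function needs; here the device's Ed25519 public key
	Signature   []byte `json:"signature,omitempty"` // network provider's signature over the fields above
}

// RevocationList is the list of claim 28. Keying entries on the profile ID, keeping them
// sorted and signing the list with the provider key are assumptions not stated in the claims.
type RevocationList struct {
	Revoked   []string `json:"revoked"`
	Signature []byte   `json:"signature,omitempty"`
}

var (
	ErrBadSignature    = errors.New("sap: provider signature does not verify")
	ErrOutsideValidity = errors.New("sap: outside validity period")
	ErrBadList         = errors.New("revocation list: provider signature does not verify")
	ErrRevoked         = errors.New("sap: profile is on the revocation list")
	ErrNoFunction      = errors.New("sap: profile does not grant the requested network function")
	ErrWrongPeer       = errors.New("sap: this device is not the configured peer")
	ErrBadCertificate  = errors.New("sap: certificate is not an Ed25519 public key")
)

// toBeSigned returns the bytes the signature covers: the structure with Signature cleared.
// encoding/json writes struct fields in declaration order, so the encoding is stable.
func (s SAP) toBeSigned() []byte            { s.Signature = nil; b, _ := json.Marshal(s); return b }
func (r RevocationList) toBeSigned() []byte { r.Signature = nil; b, _ := json.Marshal(r); return b }

// ControlManagementEntity issues profiles and maintains the revocation list (claims 27-30).
type ControlManagementEntity struct {
	priv    ed25519.PrivateKey
	revoked []string // kept sorted so sort.SearchStrings works on the receiving side
	serial  int
}

func NewControlManagementEntity(seed []byte) *ControlManagementEntity {
	return &ControlManagementEntity{priv: ed25519.NewKeyFromSeed(seed)}
}
func (c *ControlManagementEntity) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }
func (c *ControlManagementEntity) Revoke(id string)             { c.revoked = append(c.revoked, id); sort.Strings(c.revoked) }

// IssueSAP signs a profile stating that deviceID may perform function with peer.
func (c *ControlManagementEntity) IssueSAP(deviceID, function, peer string, devicePub ed25519.PublicKey, notBefore, notAfter time.Time) SAP {
	c.serial++
	s := SAP{ProfileID: fmt.Sprintf("sap-%s-%d", deviceID, c.serial), Function: function, Peer: peer,
		NotBefore: notBefore.Unix(), NotAfter: notAfter.Unix(), Certificate: devicePub}
	s.Signature = ed25519.Sign(c.priv, s.toBeSigned())
	return s
}

// RevocationList returns the current signed list, which devices fetch as in claims 28-30.
func (c *ControlManagementEntity) RevocationList() RevocationList {
	r := RevocationList{Revoked: append([]string{}, c.revoked...)}
	r.Signature = ed25519.Sign(c.priv, r.toBeSigned())
	return r
}

// VerifySAP is the first communication device's check (claims 1, 4, 6, 9). The cases run in
// order, signature first, so no unsigned field influences a later decision; the peer key in
// the certificate is released only when every check passes.
func VerifySAP(s SAP, providerPub ed25519.PublicKey, rl RevocationList, selfID, function string, now time.Time) (ed25519.PublicKey, error) {
	switch t, i := now.Unix(), sort.SearchStrings(rl.Revoked, s.ProfileID); {
	case !ed25519.Verify(providerPub, s.toBeSigned(), s.Signature):
		return nil, ErrBadSignature
	case t < s.NotBefore || t > s.NotAfter:
		return nil, ErrOutsideValidity
	case !ed25519.Verify(providerPub, rl.toBeSigned(), rl.Signature):
		return nil, ErrBadList // an unsigned or tampered list must not bypass revocation
	case i < len(rl.Revoked) && rl.Revoked[i] == s.ProfileID:
		return nil, ErrRevoked
	case s.Function != function:
		return nil, ErrNoFunction
	case s.Peer != selfID:
		return nil, ErrWrongPeer
	case len(s.Certificate) != ed25519.PublicKeySize:
		return nil, ErrBadCertificate
	}
	return ed25519.PublicKey(s.Certificate), nil
}

// Deterministic keys and clock for the demonstration; real seeds come from crypto/rand.
func fixedSeed(tag byte) []byte { b := make([]byte, ed25519.SeedSize); b[0] = tag; return b }
func devicePublicKey(seed []byte) ed25519.PublicKey { return ed25519.NewKeyFromSeed(seed).Public().(ed25519.PublicKey) }
func at(unix int64) time.Time                       { return time.Unix(unix, 0) }

func main() {
	cme, now := NewControlManagementEntity(fixedSeed(1)), at(1_700_000_000)
	// Entity -> R2: R2 may run BGP with peer R1 for one day; R2 then forwards the profile to R1.
	sap := cme.IssueSAP("R2", "BGP", "R1", devicePublicKey(fixedSeed(2)), now, at(1_700_000_000+86400))
	_, err := VerifySAP(sap, cme.PublicKey(), cme.RevocationList(), "R1", "BGP", now)
	fmt.Println("R1 accepts R2 for BGP:", err == nil)
	cme.Revoke(sap.ProfileID) // provider revokes; R1 fetches the new list and now rejects
	_, err = VerifySAP(sap, cme.PublicKey(), cme.RevocationList(), "R1", "BGP", now)
	fmt.Println("after revocation:", err)
}
```

Two design points worth noting. First, the revocation list is verified with the same provider key as the profile before it is consulted: if a device accepted an unsigned list, an attacker who could hand it an empty list would un-revoke every profile. Second, the peer check (claim 4) is what turns the profile from "R2 may run BGP" into "R2 may run BGP with me"; without it, a profile issued for one link could be replayed to every other device that trusts the same provider key. How the profile and list are carried (claim 16 names EAP and BGP messages) is independent of these checks and is not modelled here.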
Priority Application

Application Number Priority Date Filing Date Title
CN202011401698.XA 2020-12-04 2020-12-04 Authority authentication method, and authority information processing method and device

Publication

Publication Number Publication Date
CN114666070A 2022-06-24

Family

ID=82025070
Family application: CN202011401698.XA (pending), published as CN114666070A (en), priority date 2020-12-04, filing date 2020-12-04

Country Status

Country Link
CN (1) CN114666070A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination