CN114828010A - Method for safely accessing network slice based on application attribute and related equipment - Google Patents


Publication number
CN114828010A
Authority
CN
China
Prior art keywords
application
slice
middleware
terminal
management server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210434192.1A
Other languages
Chinese (zh)
Other versions
CN114828010B (en)
Inventor
黄海
杨敏维
陈平辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202210434192.1A
Publication of CN114828010A
Application granted
Publication of CN114828010B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/08 Testing, supervising or monitoring using real traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W40/00 Communication routing or communication path finding
    • H04W40/24 Connectivity information management, e.g. connectivity discovery or connectivity update
    • H04W40/246 Connectivity information discovery

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, and related equipment, for securely accessing a network slice based on application attributes. The method comprises the following steps: the slice application management server acquires the traffic descriptor parameters in the user routing policy rules from a network element; the slice application management server establishes an association between the application identifier and the application attribute to form an association list; the slice middleware monitors the running state of applications on the 5G terminal; when the slice middleware detects that an application has started, the slice middleware or the slice management server matches the application parameters of the application against the association list; if the application parameters match any entry in the association list, the slice middleware sends the modem a request to create a new slice and a new route and to bind the new slice to the new route; the modem carries out the request, and the application uses the newly created route to send data. The invention meets the application slice authentication requirements of a variety of scenarios.

Description

Method for safely accessing network slice based on application attribute and related equipment
Technical Field
The present invention relates to the field of communications, and in particular, to a method, system, device, and storage medium for securely accessing a network slice based on application attributes.
Background
At present, to secure access to application-level network slices, an application identified by an application identifier must be authenticated against an AAA (Authentication, Authorization, Accounting) server deployed by the operator or a third party.
The existing slice authentication method is shown in Fig. 1 and includes the following steps. Step S110: the user terminal registers with the 5G network, carrying network slice information. Step S120: the terminal acquires the complete set of user routing policy rules from a network element. Step S130: an application runs on the terminal. Steps S140A and S140B are two alternative implementations. Step S140A: the application forwards the application identifier to the modem via the operating system. Step S140B: the operating system automatically detects the application attributes and sends them to the modem as the application identifier. Step S150: the modem initiates a PDU session for the application and binds a route. Step S160: the application sends data over that route. Step S140A requires upgrading the application so that it is able to send the application identifier. In step S140B, because the user routing policy rules are formulated by the operator, the operating system does not know the mapping between the application identifiers in those rules and the applications, so the operating system vendor has to be brought into the service provisioning process. This approach therefore requires modifying either the application or the operating system. In addition, as shown in Fig. 2, in this authentication approach the 5G terminal interacts with the network elements of the 5G core network through a southbound interface.
Slice authentication in this approach may proceed as shown in Fig. 3 or Fig. 4. In Fig. 3, authentication is performed only per slice. Once the first application has been authenticated and authorized, subsequent applications select the existing PDU session or slice and use the network slice resources directly, without any network slice authentication, which can lead to slice theft and similar problems. The slice authentication method of Fig. 4 involves a change to the 3GPP slice authentication procedure: it depends on support from the 5G core network elements AMF (Access and Mobility Management Function) and NSSAAF (Network Slice Specific Authentication and Authorization Function) and requires an AAA server to be deployed for the application, which is difficult to achieve in the short term.
It can be seen that, during slice deployment, the approach of Figs. 1 and 2 is not available for the time being, because the terminal operating system and modem do not support application slice authentication and most applications have no dedicated authentication server deployed.
Therefore, how to meet the application slice authentication requirements of various scenarios is a technical problem that those skilled in the art urgently need to solve.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the invention and therefore may include information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide a method, system, device and storage medium for securely accessing a network slice based on application attributes, which overcome the difficulties of the prior art and meet the application slice authentication requirements of various scenarios.
An embodiment of the invention provides a method for securely accessing a network slice based on application attributes, comprising the following steps:
the slice application management server acquires the traffic descriptor parameters in the user routing policy rules from a network element of a 5G core network;
the slice application management server establishes an association between the application identifier and the application attribute in the traffic descriptor parameters to form an association list;
the slice middleware of the 5G terminal monitors the running state of applications on the 5G terminal;
in response to the slice middleware detecting that an application on the 5G terminal has started, the slice middleware or the slice management server matches the application parameters of the application against the association list;
if the application parameters of the application match any entry in the association list, the slice middleware sends the modem of the 5G terminal a request to create a new slice and a new route and to bind the new slice to the new route;
and the modem of the 5G terminal creates the new slice and the new route according to the request and binds the new slice to the new route, which the application uses to send data.
In some embodiments of the present application, before the slice middleware or the slice management server matches the application parameters of the application against the association list in response to the slice middleware detecting that an application on the 5G terminal has started, the method includes:
after the 5G terminal comes online, the slice middleware in the 5G terminal acquires the association list from the slice application management server,
wherein the matching of the application parameters of the application against the association list is performed by the slice middleware.
In some embodiments of the present application, the slice middleware in the 5G terminal periodically updates the association list acquired from the slice application management server.
In some embodiments of the present application, the matching, by the slice middleware or the slice management server, of the application parameters of the application against the association list in response to the slice middleware detecting that an application on the 5G terminal has started includes:
the slice middleware sends the application parameters of the application to the slice management server;
the slice management server matches the application parameters of the application against the association list;
and the slice management server returns a matching result to the slice middleware.
In some embodiments of the present application, if the application parameters of the application match any entry in the association list, the matching result is true; otherwise, the matching result is false.
The slice management server returns the matching result, true or false, to the slice middleware; or, in response to the matching result being true, the slice management server returns the application identifier and/or the application attribute in the traffic descriptor parameter to the slice middleware.
In some embodiments of the present application, before the slice application management server acquires the traffic descriptor parameters in the user routing policy rules from a network element of the 5G core network, the method includes:
the 5G terminal registers with the 5G core network, and a network element of the 5G core network sends the user routing policy rules to the modem of the 5G terminal through the southbound interface of the 5G terminal.
In some embodiments of the present application, the slice application management server communicates with the slice middleware of the 5G terminal through a northbound interface of the 5G terminal.
According to another aspect of the present application, there is also provided a method for securely accessing a network slice based on application attributes, applied to a slice application management server, comprising:
the slice application management server acquires the traffic descriptor parameters in the user routing policy rules from a network element of a 5G core network;
the slice application management server establishes an association between the application identifier and the application attribute in the traffic descriptor parameters to form an association list,
wherein the slice application management server communicates with the slice middleware of the 5G terminal so that the application parameters of an application started on the 5G terminal are matched against the association list, and the matching result is used by the slice middleware to send the modem of the 5G terminal a request to create a new slice and a new route and to bind the created slice to the created route.
According to another aspect of the present application, there is also provided a method for securely accessing a network slice based on application attributes, applied to slice middleware on a 5G terminal, comprising:
the slice middleware of the 5G terminal monitors the running state of applications on the 5G terminal;
in response to the slice middleware detecting that an application on the 5G terminal has started, the slice middleware or the slice management server matches the application parameters of the application against an association list, the association list being formed by the application management server from the application identifier and the application attribute in the traffic descriptor parameters in the user routing policy rules acquired from a network element of the 5G core network;
and if the application parameters of the application match any entry in the association list, the slice middleware sends the modem of the 5G terminal a request to create a new slice and a new route and to bind the new slice to the new route.
According to another aspect of the present application, there is also provided a system for securely accessing a network slice based on application attributes, comprising:
a 5G terminal, which comprises an application, slice middleware and a modem;
a slice application management server;
the slice application management server acquires the traffic descriptor parameters in the user routing policy rules from a network element of a 5G core network;
the slice application management server establishes an association between the application identifier and the application attribute in the traffic descriptor parameters to form an association list;
the slice middleware of the 5G terminal monitors the running state of applications on the 5G terminal;
in response to the slice middleware detecting that an application on the 5G terminal has started, the slice middleware or the slice management server matches the application parameters of the application against the association list;
if the application parameters of the application match any entry in the association list, the slice middleware sends the modem of the 5G terminal a request to create a new slice and a new route and to bind the new slice to the new route;
and the modem of the 5G terminal creates the new slice and the new route according to the request and binds the new slice to the new route, which the application uses to send data.
According to another aspect of the present invention, there is also provided a processing device for securely accessing a network slice based on application attributes, comprising:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform, by executing the executable instructions, the steps of the method for securely accessing a network slice based on application attributes described above.
Embodiments of the present invention also provide a computer-readable storage medium for storing a program that, when executed, performs the steps of the above method for securely accessing a network slice based on application attributes.
Compared with the prior art, the invention has the following aims:
The slice middleware of the 5G terminal acquires an association list for the URSP (UE Route Selection Policy) rules from the slice application management server. When an application runs on the 5G terminal, the slice middleware obtains the parameters of the running application, matches them against the application information in the association list, and, for an application that matches successfully, creates a slice and a route and binds the route, thereby implementing secure access to the network slice based on application attributes. This provides a mechanism for verifying application access to slices based on application attributes. It requires no change to the existing 3GPP standard procedures and no change to the applications on the terminal, it resolves the question of which applications on the terminal may initiate slice establishment and route binding, and it is easy for operators to deploy and implement quickly.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, with reference to the accompanying drawings.
Fig. 1 is a flow chart of existing slice access.
Fig. 2 is a schematic diagram of a conventional slice access system.
Fig. 3 is a flow chart of an existing slice authentication.
Fig. 4 is a flow chart of another existing slice authentication.
Fig. 5 is a flow diagram of a method of secure access to a network slice based on application attributes according to an embodiment of the invention.
Fig. 6 is a flowchart of a method for secure access to a network slice based on application attributes according to an embodiment of the present invention.
Fig. 7 is a flowchart of a method for secure access to a network slice based on application attributes according to another embodiment of the present invention.
Fig. 8 is a flow chart of a method of the present invention for performing secure access to a network slice based on application attributes at a slice application management server.
Fig. 9 is a flow diagram of a method of the present invention for performing application attribute based secure access network slicing in slicing middleware.
Fig. 10 is a block diagram of a system for secure access to a network slice based on application attributes, in accordance with an embodiment of the present invention.
Fig. 11 is a block diagram of a slice application management server according to an embodiment of the present invention.
Fig. 12 is a block diagram of a slicing middleware of an embodiment of the present invention.
Fig. 13 is a schematic structural diagram of the device for secure access to network slicing based on application attributes of the present invention.
Fig. 14 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the present invention.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus their repetitive description will be omitted.
Referring to Fig. 1, Fig. 1 is a flowchart of an embodiment of a method for secure access to a network slice based on application attributes applied to a calling terminal according to the present invention. An embodiment of the invention provides a method for securely accessing a network slice based on application attributes, comprising the following steps:
Step S510: the slice application management server acquires the traffic descriptor parameters in the user routing policy rules from a network element of the 5G core network.
Specifically, before step S510, the method may further include: when the 5G terminal registers with the 5G core network, the PCF (Policy Control Function) issues the URSP rules (including the TD (traffic descriptor) and RSD (routing descriptor) parameters) to the modem of the 5G terminal through the southbound interface.
Specifically, the network element in step S110 may be a policy control function network element or a UDM (Unified Data Management) network element, which is not limited in this application.
Specifically, the PCF network element of the 5G core network stores and issues the URSP rules, and the slice management server may obtain the key parameters of the URSP rules from the PCF. The UDM of the 5G core network stores information about users who have signed a service level agreement with the operator, including but not limited to application attributes (each attribute that can be associated with an application identifier) and the subscribed DNN (Data Network Name) attribute. The NSSAAF network element of the 5G core network provides the network slice authentication and authorization function.
Step S520: the slice application management server establishes an association between the application identifier and the application attribute in the traffic descriptor parameters to form an association list.
Step S530: the slice middleware of the 5G terminal monitors the running state of applications on the 5G terminal.
Step S540: in response to the slice middleware detecting that an application on the 5G terminal has started, the slice middleware or the slice management server matches the application parameters of the application against the association list.
Step S550: if the application parameters of the application match any entry in the association list, the slice middleware sends the modem of the 5G terminal a request to create a new slice and a new route and to bind the new slice to the new route.
Step S560: the modem of the 5G terminal creates the new slice and the new route according to the request and binds the new slice to the new route, which the application uses to send data.
The slice application management server communicates with the slice middleware of the 5G terminal through a northbound interface of the 5G terminal. Slice access authentication of the application is thus carried out over the northbound interface, and slice access and route binding based on the application attributes are completed in cooperation with the southbound interface. This provides preliminary authentication of the application based on its attributes and is easy to implement and deploy.
In this way, the slice middleware of the 5G terminal acquires an association list for the URSP (UE Route Selection Policy) rules from the slice application management server. When an application runs on the 5G terminal, the slice middleware obtains the parameters of the running application, matches them against the application information in the association list, and, for an application that matches successfully, creates a slice and a route and binds the route, thereby implementing secure access to the network slice based on application attributes. The application provides a mechanism for verifying application access to slices based on application attributes. It requires no change to the existing 3GPP standard procedures and no change to the applications on the terminal, it resolves the question of which applications on the terminal may initiate slice establishment and route binding, and it is easy for operators to deploy and implement quickly.
Referring now to Fig. 6, Fig. 6 is a flow diagram of a method for secure access to a network slice based on application attributes in accordance with an embodiment of the present invention. The method comprises the following steps:
Step S610: the slice application management server acquires the traffic descriptor parameters in the user routing policy rules from a network element of the 5G core network.
Step S620: the slice application management server establishes an association between the application identifier and the application attribute in the traffic descriptor parameters to form an association list.
Step S630: after the 5G terminal comes online, the slice middleware in the 5G terminal acquires the association list from the slice application management server.
Further, the slice middleware in the 5G terminal may update the association list acquired from the slice application management server at regular intervals.
Step S640: the slice middleware of the 5G terminal monitors the running state of applications on the 5G terminal.
Step S650: in response to the slice middleware detecting that an application on the 5G terminal has started, the slice middleware matches the application parameters of the application against the association list.
Step S660: if the application parameters of the application match any entry in the association list, the slice middleware sends the modem of the 5G terminal a request to create a new slice and a new route and to bind the new slice to the new route.
Step S670: the modem of the 5G terminal creates the new slice and the new route according to the request and binds the new slice to the new route, which the application uses to send data.
Referring now to Fig. 7, Fig. 7 is a flow diagram of a method for secure access to a network slice based on application attributes in accordance with another embodiment of the present invention. The method in this embodiment comprises the following steps:
Step S710: the slice application management server acquires the traffic descriptor parameters in the user routing policy rules from a network element of the 5G core network.
Step S720: the slice application management server establishes an association between the application identifier and the application attribute in the traffic descriptor parameters to form an association list.
Step S730: the slice middleware of the 5G terminal monitors the running state of applications on the 5G terminal.
Step S740: the slice middleware sends the application parameters of the application to the slice management server.
Step S750: the slice management server matches the application parameters of the application against the association list.
Step S760: the slice management server returns a matching result to the slice middleware.
Specifically, if the application parameters of the application match any entry in the association list, the matching result is true; otherwise, the matching result is false. The slice management server returns the matching result, true or false, to the slice middleware; or, in response to the matching result being true, the slice management server returns the application identifier and/or the application attribute in the traffic descriptor parameter to the slice middleware.
Step S770: if the application parameters of the application match any entry in the association list, the slice middleware sends the modem of the 5G terminal a request to create a new slice and a new route and to bind the new slice to the new route.
Step S780: the modem of the 5G terminal creates the new slice and the new route according to the request and binds the new slice to the new route, which the application uses to send data.
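The two embodiments above (matching in the slice middleware, steps S610 to S670, and matching in the slice management server, steps S710 to S780) can be modelled as follows. This is an added illustration, not code from the patent: the class names, the attribute keys `package` and `signer`, the S-NSSAI strings and the modem resolving the slice from the matched application identifier are all assumptions, and the sample rules are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UrspRule:
    """Constructed stand-in for one URSP rule (not the 3GPP encoding)."""
    app_id: str   # TD: application identifier
    dnn: str      # TD: data network name
    s_nssai: str  # RSD: slice the matching traffic is routed to


def find_match(association_list, app_params):
    """Return the application identifier whose attributes all equal the
    observed app_params, or None. An entry with no attributes never matches."""
    for app_id, attrs in association_list.items():
        if attrs and all(app_params.get(k) == v for k, v in attrs.items()):
            return app_id
    return None


class SliceAppManagementServer:
    def __init__(self, ursp_rules, known_attributes):
        self.ursp_rules = list(ursp_rules)        # S610/S710: from the core network
        self.known_attributes = known_attributes  # app_id -> attribute dict

    def association_list(self):
        # S620/S720: associate each application identifier with its attributes.
        return {r.app_id: dict(self.known_attributes[r.app_id])
                for r in self.ursp_rules if r.app_id in self.known_attributes}

    def match(self, app_params):
        # S750/S760: server-side matching; identifier on success, None otherwise.
        return find_match(self.association_list(), app_params)


class Modem:
    """Holds the URSP rules and records one binding per started application."""
    def __init__(self, ursp_rules):
        self.rules = {r.app_id: r for r in ursp_rules}
        self.bindings = {}  # app instance -> (s_nssai, dnn, route)

    def create_slice_and_route(self, app_instance, app_id):
        rule = self.rules[app_id]
        route = f"route-{len(self.bindings) + 1}"
        self.bindings[app_instance] = (rule.s_nssai, rule.dnn, route)
        return self.bindings[app_instance]


class SliceMiddleware:
    def __init__(self, server, modem, local_matching, refresh_interval=3600):
        self.server, self.modem = server, modem
        self.local_matching = local_matching      # True: Fig. 6, False: Fig. 7
        self.refresh_interval = refresh_interval  # seconds between list updates
        self.cache, self.fetched_at = None, None

    def _association_list(self, now):
        # S630: fetch the list once online, then update it at regular intervals.
        if self.cache is None or now - self.fetched_at >= self.refresh_interval:
            self.cache, self.fetched_at = self.server.association_list(), now
        return self.cache

    def on_app_start(self, app_instance, app_params, now=0):
        """Called when monitoring sees an application start (S640/S730)."""
        if self.local_matching:
            app_id = find_match(self._association_list(now), app_params)  # S650
        else:
            app_id = self.server.match(app_params)                        # S740-S760
        if app_id is None:
            return None  # no match: no slice or route is requested for this app
        return self.modem.create_slice_and_route(app_instance, app_id)    # S660/S770


# Constructed sample data; "package" and "signer" are hypothetical attributes.
RULES = [UrspRule("APP-VIDEO", "video.example", "sst1-sd000001"),
         UrspRule("APP-GAME", "game.example", "sst1-sd000002")]
ATTRS = {"APP-VIDEO": {"package": "com.example.video", "signer": "aa11"},
         "APP-GAME": {"package": "com.example.game", "signer": "bb22"}}


def run_demo(local_matching):
    modem = Modem(RULES)
    mw = SliceMiddleware(SliceAppManagementServer(RULES, ATTRS), modem, local_matching)
    results = {
        "video": mw.on_app_start("pid-101", {"package": "com.example.video", "signer": "aa11"}),
        "lookalike": mw.on_app_start("pid-102", {"package": "com.example.video", "signer": "ff00"}),
        "unlisted": mw.on_app_start("pid-103", {"package": "com.example.notes", "signer": "cc33"}),
    }
    return results, modem.bindings


if __name__ == "__main__":
    for mode in (True, False):
        print("local" if mode else "server", run_demo(mode))
```

Each application start is matched on its own, so an application that fails the match gets no binding even when another application already holds a slice, which is the gap the background section describes for the per-slice authentication of Fig. 3.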
Referring now to Fig. 8, Fig. 8 is a flow chart of a method of the present invention for performing application attribute based secure access to a network slice at a slice application management server. Fig. 8 shows the following steps in total:
Step S810: the slice application management server acquires the traffic descriptor parameters in the user routing policy rules from a network element of a 5G core network.
Step S820: the slice application management server establishes an association between the application identifier and the application attribute in the traffic descriptor parameters to form an association list,
wherein the slice application management server communicates with the slice middleware of the 5G terminal so that the application parameters of an application started on the 5G terminal are matched against the association list, and the matching result is used by the slice middleware to send the modem of the 5G terminal a request to create a new slice and a new route and to bind the new slice to the new route.
Referring now to Fig. 9, Fig. 9 is a flow diagram of a method for performing application attribute based secure access network slicing in slicing middleware according to the present invention. Fig. 9 shows the following steps in total:
Step S910: the slice middleware of the 5G terminal monitors the running state of applications on the 5G terminal.
Step S920: in response to the slice middleware detecting that an application on the 5G terminal has started, the slice middleware or the slice management server matches the application parameters of the application against an association list, the association list being formed by the slice application management server from the application identifier and the application attribute in the traffic descriptor parameters in the user routing policy rules acquired from a network element of the 5G core network.
Step S930: if the application parameters of the application match any entry in the association list, the slice middleware sends the modem of the 5G terminal a request to create a new slice and a new route and to bind the new slice to the new route.
The above description is only illustrative of specific implementations of the present invention, and the present invention is not limited thereto; the splitting and merging of steps, changes to the execution sequence, and changes to information transmission all fall within the protection scope of the present invention.
Fig. 10 is a block diagram of a system for secure access to a network slice based on application attributes, in accordance with an embodiment of the present invention. The system for secure access to network slices based on application properties includes a 5G terminal 1000 and a slice application management server 1040. The 5G terminal 1000 includes an application 1010, slice middleware 1020, and a modem 1030.
After the application 1010 installed on the 5G terminal 1000 runs, network slice access based on the application identification may be initiated. Slice middleware 1020 installed on a 5G terminal 1000 obtains URSP key parameters (including traffic descriptor TD (including but not limited to attributes such as APP ID and DNN) and routing descriptor RSD) from slice middleware access slice application management server 1040, creates a slice for APP, creates a new route, and binds the route.slice application management server 1040 provides application attribute-based security access service for applications installed on the terminal, provides URSP key parameters (including but not limited to application attributes (including attributes such as APP ID and DNN) for slice middleware on the terminal
Thus, the slice application management server 1040 obtains the traffic descriptor parameter in the user routing policy rule from the network element 4050 of the 5G core network. The slice application management server 1040 establishes an association between the application identifier and the application attribute in the traffic descriptor parameter, forming an association list. The slice middleware 1020 of the 5G terminal 1000 monitors the running state of the application 1010 on the 5G terminal 1000. In response to the slice middleware 1020 monitoring the start of the application 1010 on the 5G terminal 1000, the slice middleware 1020 or the slice management server 1040 matches the application parameters of the application with the association list. If the application parameter of the application 1000 matches any one of the association lists, the slice middleware 1020 sends request information for creating a new slice and a new route to the modem 1030 of the 5G terminal 1000, and binds the new slice to the new route. The modem 1030 of the 5G terminal 1000 executes a new slice and a new route according to the request information, and binds the new slice to the new route, where the new route is used by the application 1010 to send data.
Therefore, through a northbound interface and the cooperation of the terminal slice middleware 1020 and the slice management server 1040, the 5G terminal 1000 provides a verification mechanism for application access to slices based on application attributes. The NAS signaling and flow of the existing 3GPP standard do not need to change, which facilitates deployment and implementation by operators, and the question of which applications on the terminal may initiate slice establishment and route binding is resolved without changing the applications.
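The match-then-bind flow described above, as an added Python sketch that is not code from the patent or from any operator implementation. It covers both matching variants the page describes (the middleware matching against a periodically refreshed copy of the association list, and the server matching on the middleware's behalf) and shows that an entry removed on the server remains usable on the terminal until the cached list is refreshed. All class, field and function names, the sample rules and the 300-second refresh interval are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: URSP-style rules as the slice application management
# server might receive them from the core network. Field names and values
# are assumptions made for this illustration.
SAMPLE_URSP_RULES = [
    {"td": {"app_id": "com.example.telemed", "dnn": "health.example"},
     "rsd": {"slice": "slice-A"}},
    {"td": {"app_id": "com.example.cloudgame", "dnn": "game.example"},
     "rsd": {"slice": "slice-B"}},
    {"td": {"dnn": "iot.example"}, "rsd": {"slice": "slice-C"}},  # no APP ID
]


@dataclass(frozen=True)
class Association:
    """One association-list item: application identifier plus attribute."""
    app_id: str
    dnn: str
    slice_label: str


def find_match(assoc_list: List[Association],
               app_params: Dict[str, str]) -> Optional[Association]:
    """Return the item whose APP ID and DNN both equal the app's parameters."""
    for entry in assoc_list:
        if (entry.app_id == app_params.get("app_id")
                and entry.dnn == app_params.get("dnn")):
            return entry
    return None  # default deny: no item matched


class SliceAppManagementServer:
    def __init__(self, ursp_rules):
        self.assoc_list: List[Association] = []
        self.load(ursp_rules)

    def load(self, ursp_rules):
        """Build the association list from the traffic descriptors.

        Rules lacking an APP ID or DNN cannot identify an application and
        are left out of the list.
        """
        self.assoc_list = [
            Association(r["td"]["app_id"], r["td"]["dnn"], r["rsd"]["slice"])
            for r in ursp_rules
            if r["td"].get("app_id") and r["td"].get("dnn")
        ]

    def get_association_list(self) -> List[Association]:
        return list(self.assoc_list)

    def match(self, app_params) -> Optional[Association]:
        """Server-side matching variant; returns the matched item or None."""
        return find_match(self.assoc_list, app_params)


class Modem:
    """Stand-in for the terminal modem; records each slice/route binding."""
    def __init__(self):
        self.bindings = []

    def create_and_bind(self, app_id: str, slice_label: str) -> str:
        route = f"route-{len(self.bindings) + 1}"
        self.bindings.append((app_id, slice_label, route))
        return route


class SliceMiddleware:
    def __init__(self, server, modem, local_match=True, refresh_interval=300.0):
        self.server = server
        self.modem = modem
        self.local_match = local_match
        self.refresh_interval = refresh_interval
        self._cache: Optional[List[Association]] = None
        self._fetched_at = 0.0

    def _cached_list(self, now: float) -> List[Association]:
        # Fetch on first use, then again once the refresh interval has passed.
        if self._cache is None or now - self._fetched_at >= self.refresh_interval:
            self._cache = self.server.get_association_list()
            self._fetched_at = now
        return self._cache

    def on_app_start(self, app_params: Dict[str, str], now: float) -> Optional[str]:
        """Called when an application start is observed; returns the bound
        route, or None when the application matches no item."""
        if self.local_match:
            entry = find_match(self._cached_list(now), app_params)
        else:
            entry = self.server.match(app_params)
        if entry is None:
            return None  # no request reaches the modem
        return self.modem.create_and_bind(entry.app_id, entry.slice_label)
```

With local matching, the refresh interval bounds how long a removed entry still produces bindings on the terminal; server-side matching removes that window at the cost of a round trip per application start.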
Referring now to fig. 11, fig. 11 is a block diagram of a slice application management server according to an embodiment of the present invention. The slice application management server 1100 includes:
the obtaining module 1110 is configured to obtain a traffic descriptor parameter in a user routing policy rule from a network element of a 5G core network;
the association list generation module 1120 is configured to establish an association between the application identification and the application attribute in the traffic descriptor parameter, forming an association list;
the slice application management server communicates with a slice middleware of the 5G terminal to match application parameters of the application started by the 5G terminal with the association list, and the matching result is used for the slice middleware to initiate request information of creating a new slice and a new route to a modem of the 5G terminal and binding the new slice with the new route.
Referring now to FIG. 12, FIG. 12 is a block diagram of a slicing middleware of an embodiment of the present invention. The slicing middleware 1200 includes:
the monitoring module 1210 is configured to monitor an operation state of an application on the 5G terminal;
the matching module 1220 is configured to, in response to the slice middleware detecting that an application has started on the 5G terminal, match the application parameters of the application with an association list, the association list being formed by the slice application management server from the application identifier and the application attribute in the traffic descriptor parameter in the user routing policy rule obtained from the network element of the 5G core network;
the request initiating module 1230 is configured to send, to the modem of the 5G terminal, request information for creating a new slice and a new route and binding the new slice to the new route, if the application parameters of the application match any item in the association list.
The implementation principle of the above module is described in the method for securely accessing to a network slice based on the application attribute, and is not described herein again.
The device for secure access to a network slice based on application attributes acquires an association list of URSP (UE Route Selection Policy) rules from a slice application management server through the slice middleware of the 5G terminal. When an application on the 5G terminal runs, the slice middleware obtains the parameters of the running application, matches them against the application information in the association list, and, for a successfully matched application, creates a slice and a route and binds the route, thereby implementing the method for secure access to a network slice based on application attributes. The present application provides a verification mechanism for application access to slices based on application attributes. The existing 3GPP standard flow does not need to change and the applications on the terminal do not need to change; the question of which applications on the terminal may initiate slice establishment and route binding is resolved, which facilitates rapid deployment and implementation by operators.
Figs. 10 to 12 are merely schematic diagrams respectively illustrating the system for secure access to a network slice based on application attributes, the slice application management server and the slice middleware provided by the present invention; the splitting, merging and adding of modules are within the protection scope of the present invention provided they do not depart from the concept of the present invention. The system for secure access to a network slice based on application attributes, the slice application management server and the slice middleware provided by the invention can be implemented in software, hardware, firmware, plug-ins or any combination thereof, and the invention is not limited in this respect.
The embodiment of the invention also provides a processing device for secure access to a network slice based on application attributes, which comprises a processor and a memory storing instructions executable by the processor. The processor is configured to perform the steps of the method for secure access to a network slice based on application attributes by executing the executable instructions.
As shown above, the processing device for secure access to network slices based on application attributes according to this embodiment of the present invention obtains an association list of URSP (UE Route Selection Policy) rules from a slice application management server through the slice middleware of the 5G terminal. When an application on the 5G terminal runs, the slice middleware obtains the parameters of the running application, matches them against the application information in the association list, and, for a successfully matched application, creates a slice and a route and binds the route, thereby implementing the method for secure access to a network slice based on application attributes. The present application provides a verification mechanism for application access to slices based on application attributes. The existing 3GPP standard flow does not need to change and the applications on the terminal do not need to change; the question of which applications on the terminal may initiate slice establishment and route binding is resolved, which facilitates rapid deployment and implementation by operators.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module," or "platform."
Fig. 13 is a schematic structural diagram of a processing device for secure access network slicing based on application attributes according to the present invention. An electronic device 1300 according to this embodiment of the invention is described below with reference to fig. 13. The electronic device 1300 shown in fig. 13 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present invention.
As shown in fig. 13, the electronic device 1300 is in the form of a general purpose computing device. The components of the electronic device 1300 may include, but are not limited to: at least one processing unit 1310, at least one memory unit 1320, a bus 1330 connecting different platform components (including the memory unit 1320 and the processing unit 1310), a display unit 1340, and the like.
The memory unit stores program code that may be executed by the processing unit 1310 to cause the processing unit 1310 to perform the steps according to various exemplary embodiments of the present invention described in the section of this specification on the method for secure access to network slices based on application attributes. For example, the processing unit 1310 may perform the steps shown in fig. 8 or 9.
The storage unit 1320 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 13201 and/or a cache memory unit 13202, and may further include a read-only memory unit (ROM) 13203.
Storage unit 1320 may also include a program/utility 13204 having a set (at least one) of program modules 13205, such program modules 13205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 1330 may be any bus representing one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 1300 may also communicate with one or more external devices 13001 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 1300, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 1300 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 1350. Also, the electronic device 1300 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) through the network adapter 1360. The network adapter 1360 may communicate with other modules of the electronic device 1300 via the bus 1330. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 1300, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage platforms, to name a few.
Embodiments of the present invention further provide a computer-readable storage medium storing a program which, when executed, implements the steps of the method for secure access to a network slice based on application attributes. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code which, when the program product is run on a terminal device, causes the terminal device to carry out the steps according to various exemplary embodiments of the invention described in the section of this specification on the method for secure access to a network slice based on application attributes.
As described above, the program stored on the computer-readable storage medium of this embodiment, when executed, acquires an association list of URSP (UE Route Selection Policy) rules from a slice application management server through the slice middleware of the 5G terminal. When an application on the 5G terminal runs, the slice middleware obtains the parameters of the running application, matches them against the application information in the association list, and, for a successfully matched application, creates a slice and a route and binds the route, thereby implementing the method for secure access to a network slice based on application attributes. The present application provides a verification mechanism for application access to slices based on application attributes. The existing 3GPP standard flow does not need to change and the applications on the terminal do not need to change; the question of which applications on the terminal may initiate slice establishment and route binding is resolved, which facilitates rapid deployment and implementation by operators.
Fig. 14 is a schematic structural diagram of a computer-readable storage medium of the present invention. Referring to fig. 14, a program product 1400 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
In summary, the present application acquires an association list of URSP (UE Route Selection Policy) rules from the slice application management server through the slice middleware of the 5G terminal. When an application on the 5G terminal runs, the slice middleware obtains the parameters of the running application, matches them against the application information in the association list, and, for a successfully matched application, creates a slice and a route and binds the route, thereby implementing the method for secure access to a network slice based on application attributes. A verification mechanism for application access to slices based on application attributes is provided. The existing 3GPP standard flow does not need to change and the applications on the terminal do not need to change; the question of which applications on the terminal may initiate slice establishment and route binding is resolved, which facilitates rapid deployment and implementation by operators.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.

Claims (10)

1. A method for secure access to a network slice based on application attributes, comprising:
the slice application management server acquires a traffic descriptor parameter in a user routing policy rule from a network element of a 5G core network;
the slice application management server establishes an association between the application identification and the application attribute in the traffic descriptor parameter to form an association list;
a slice middleware of a 5G terminal monitors the running state of an application on the 5G terminal;
in response to the slice middleware detecting that the application has started on the 5G terminal, the slice middleware or the slice management server matches the application parameters of the application with the association list;
if the application parameters of the application match any item in the association list, the slice middleware sends, to a modem of the 5G terminal, request information for creating a new slice and a new route and binding the new slice to the new route;
and the modem of the 5G terminal carries out the creation of the new slice and the new route according to the request information and binds the new slice to the new route, the new route being used by the application to send data.
2. The method for secure access to a network slice based on application attributes according to claim 1, wherein before the slice middleware or the slice management server matches the application parameters of the application with the association list in response to the slice middleware detecting that the application has started on the 5G terminal, the method comprises:
after the 5G terminal comes online, the slice middleware in the 5G terminal acquires the association list from the slice application management server,
wherein the matching of the application parameters of the application with the association list is performed by the slice middleware.
3. The method for secure access to network slices based on application attributes of claim 2, wherein a slice middleware in the 5G terminal periodically updates the association list obtained from the slice application management server.
4. The method for secure access to a network slice based on application attributes of claim 1, wherein, in response to the slice middleware detecting that the application has started on the 5G terminal, the matching of the application parameters of the application with the association list by the slice middleware or the slice management server comprises:
the slice middleware sends the application parameters of the application to the slice management server;
the slice management server matches the application parameters of the application with the association list;
and the slice management server returns a matching result to the slice middleware.
5. The method of claim 3, wherein if the application parameters of the application match any item in the association list, the matching result is true; otherwise, the matching result is false,
the slice management server returns to the slice middleware a matching result of true or false; or, in response to the matching result being true, the slice management server returns the application identifier and/or the application attribute in the traffic descriptor parameter to the slice middleware.
6. The method for secure access to a network slice based on application attributes of claim 1, wherein before the slice application management server obtains the traffic descriptor parameter in the user routing policy rule from the network element of the 5G core network, the method comprises:
the 5G terminal registers with the 5G core network, and a network element of the 5G core network sends the user routing policy rule to a modem of the 5G terminal through a southbound interface of the 5G terminal.
7. The method for secure access to network slices based on application attributes of claim 1, wherein the slice application management server communicates with the slice middleware of the 5G terminal through a northbound interface of the 5G terminal.
8. A method for secure access to a network slice based on application attributes, applied to a slice application management server, comprising:
the slice application management server acquires a traffic descriptor parameter in a user routing policy rule from a network element of a 5G core network;
the slice application management server establishes an association between the application identification and the application attribute in the traffic descriptor parameter to form an association list,
the slice application management server communicates with a slice middleware of the 5G terminal to match application parameters of the application started by the 5G terminal with the association list, and the matching result is used for the slice middleware to initiate request information of creating a new slice and a new route to a modem of the 5G terminal and binding the new slice with the new route.
9. A method for secure access to a network slice based on application attributes, applied to a slice middleware of a 5G terminal, comprising:
the slice middleware of the 5G terminal monitors the running state of an application on the 5G terminal;
in response to the slice middleware detecting that the application has started on the 5G terminal, the slice middleware or the slice management server matches the application parameters of the application with an association list, the association list being formed by the slice application management server from the application identifier and the application attribute in the traffic descriptor parameter in the user routing policy rule obtained from a network element of the 5G core network;
and if the application parameters of the application match any item in the association list, the slice middleware sends, to a modem of the 5G terminal, request information for creating a new slice and a new route and binding the new slice to the new route.
10. A system for secure access to a network slice based on application attributes, comprising:
the 5G terminal comprises an application, slice middleware and a modem;
a slice application management server;
the slice application management server acquires a traffic descriptor parameter in a user routing policy rule from a network element of a 5G core network;
the slice application management server establishes an association between the application identification and the application attribute in the traffic descriptor parameter to form an association list;
the slice middleware of the 5G terminal monitors the running state of the application on the 5G terminal;
in response to the slice middleware detecting that the application has started on the 5G terminal, the slice middleware or the slice management server matches the application parameters of the application with the association list;
if the application parameters of the application match any item in the association list, the slice middleware sends, to the modem of the 5G terminal, request information for creating a new slice and a new route and binding the new slice to the new route;
and the modem of the 5G terminal carries out the creation of the new slice and the new route according to the request information and binds the new slice to the new route, the new route being used by the application to send data.
CN202210434192.1A 2022-04-24 2022-04-24 Method for safely accessing network slice based on application attribute and related equipment Active CN114828010B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210434192.1A CN114828010B (en) 2022-04-24 2022-04-24 Method for safely accessing network slice based on application attribute and related equipment

Publications (2)

Publication Number Publication Date
CN114828010A (en) 2022-07-29
CN114828010B (en) 2023-10-03

Family

ID=82507184

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210434192.1A Active CN114828010B (en) 2022-04-24 2022-04-24 Method for safely accessing network slice based on application attribute and related equipment

Country Status (1)

Country Link
CN (1) CN114828010B (en)

Also Published As

Publication number Publication date
CN114828010B (en) 2023-10-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant