CN115211159A - Allocation resources of network slices - Google Patents


Info

Publication number
CN115211159A
Authority
CN
China
Prior art keywords
network slice
security
instance
network
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202080097942.XA
Other languages
Chinese (zh)
Inventor
胡志远
平静
魏文
骆志刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Shanghai Bell Co Ltd
Nokia Solutions and Networks Oy
Original Assignee
Nokia Shanghai Bell Co Ltd
Nokia Solutions and Networks Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Shanghai Bell Co Ltd and Nokia Solutions and Networks Oy
Publication of CN115211159A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present disclosure relate to resource allocation for network slices. According to an embodiment of the present disclosure, a first device receives a request to allocate resources for a network slice from a second device. The first device allocates a network slice instance that satisfies the security requirement indicated in the request. In this way, the different security requirements of different consumers can be met.

Description

Allocation resources of network slices
Technical Field
Embodiments of the present disclosure relate generally to communication technology and, more particularly, relate to a method, apparatus, and computer-readable medium for allocating resources for network slices.
Background
The development of mobile communication technology has greatly enriched people's lives. In the future, mobile communication will continue to expand into industrial areas such as automotive, manufacturing, logistics, and energy, and into areas such as finance and healthcare, where the potential of mobile services is not yet fully exploited. However, these applications have different requirements. Some applications may require ultra-reliable communication, while others may require ultra-high bandwidth or very low latency. Thus, "network slicing" techniques were introduced to provide different combinations of capabilities that satisfy all of these different requirements.
Disclosure of Invention
In general, embodiments of the present disclosure relate to a method and corresponding apparatus for allocating network slices.
In a first aspect, a first device is provided. The first device comprises at least one processor and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the first device to receive a request to allocate resources for a network slice from a second device. The first device is also caused to obtain security requirements for the network slice from the request. The first device is further caused to determine a list of security services based on the security requirements. The first device is further caused to allocate a network slice instance that satisfies at least the security requirements indicated by the received request. The first device is also caused to transmit an indication of the allocated network slice instance to the second device.
In a second aspect, a second device is provided. The second device comprises at least one processor and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the second device to generate a request to allocate resources for a network slice, the request indicating at least a security requirement. The second device is also caused to transmit the request to the first device. The second device is further caused to receive an indication of the allocated network slice instance from the first device, the allocated network slice instance satisfying at least the security requirements.
In a third aspect, a method is provided. The method includes receiving, at a first device, a request from a second device to allocate resources for a network slice. The method also includes obtaining security requirements for the network slice from the request. The method also includes determining a list of security services based on the security requirements. The method also includes allocating a network slice instance that supports the list of security services. The method also includes transmitting an indication of the allocated network slice instance to the second device.
In a fourth aspect, a method is provided. The method includes generating a request to allocate resources for a network slice, the request indicating at least a security requirement. The method also includes transmitting the request to a first device. The method also includes receiving an indication of an allocated network slice instance from the first device, the allocated network slice instance satisfying at least the security requirements.
In a fifth aspect, an apparatus is provided. The apparatus includes means for receiving, at a first device, a request to allocate resources for a network slice from a second device; means for obtaining security requirements for the network slice from the request; means for determining a list of security services based on the security requirements; means for allocating a network slice instance that supports the list of security services; and means for transmitting an indication of the allocated network slice instance to the second device.
In a sixth aspect, an apparatus is provided. The apparatus includes means for generating a request to allocate resources for a network slice, the request indicating at least a security requirement; means for transmitting the request to a first device; and means for receiving an indication of an allocated network slice instance from the first device, the allocated network slice instance satisfying at least the security requirements.
In a seventh aspect, there is provided a computer readable medium comprising program instructions for causing an apparatus to at least perform the method according to the above third or fourth aspect.
In an eighth aspect, there is provided a computer program product stored on a computer readable medium and comprising machine executable instructions, wherein the machine executable instructions, when executed, cause a machine to perform a method according to the third or fourth aspect described above.
It should be understood that this summary is not intended to identify key or essential features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become readily apparent from the following description.
Drawings
Some example embodiments will now be described with reference to the accompanying drawings, in which:
fig. 1 shows a schematic diagram of a communication system, according to some example embodiments of the present disclosure;
fig. 2 illustrates a block diagram of a network slicing system, according to some example embodiments of the present disclosure;
fig. 3 shows a flow diagram of a method according to some example embodiments of the present disclosure;
fig. 4 shows a schematic diagram of interactions between devices, according to some example embodiments of the present disclosure;
FIG. 5 shows a schematic diagram of interactions between devices, according to some example embodiments of the present disclosure;
fig. 6 shows a flow diagram of a method according to some example embodiments of the present disclosure;
FIG. 7 shows a simplified block diagram of an apparatus suitable for implementing an example embodiment of the present disclosure; and
fig. 8 illustrates a block diagram of an example computer-readable medium, in accordance with some example embodiments of the present disclosure.
Throughout the drawings, the same or similar reference numbers refer to the same or similar elements.
Detailed Description
The principles of the present disclosure will now be described with reference to some exemplary embodiments. It is understood that the exemplary embodiments are described only to illustrate and assist those skilled in the art in understanding and enabling the disclosure, and do not represent any limitation as to the scope of the disclosure. The disclosure described herein may be implemented in a variety of other ways besides those described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
References in the present disclosure to "one embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element may be termed a second element, and, similarly, a second element may be termed a first element, without departing from the scope of example embodiments. As used herein, the term "and/or" includes any and all combinations of one or more of the listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises," "comprising," "includes," "having," "has," "having," "includes" and/or "including" when used herein, specify the presence of stated features, elements, and/or components, etc., but do not preclude the presence or addition of one or more other features, elements, components, and/or groups thereof.
As used in this application, the term "circuitry" may refer to one or more or all of the following:
(a) A purely hardware circuit implementation (such as an implementation using only analog and/or digital circuitry), and
(b) A combination of hardware circuitry and software, such as (as applicable):
(i) Combinations of analog and/or digital hardware circuit(s) and software/firmware, and
(ii) Hardware processor(s) with software (including digital signal processor (s)), software, and any portion of memory(s) that work together to cause a device, such as a mobile phone or server, to perform various functions, and
(c) Hardware circuit(s) and/or processor(s), such as microprocessor(s) or a portion of microprocessor(s), that require software (e.g., firmware) for operation, but where the software may not be present when it is not needed for operation.
The definition of circuitry is suitable for all uses of the term in this application, including in any claims. As another example, as used in this application, the term circuitry also encompasses implementations of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. For example, if applicable to the particular claim element, the term circuitry also encompasses a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
As used herein, the term "communication network" refers to a network that conforms to any suitable communication standard, such as Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High Speed Packet Access (HSPA), Narrowband Internet of Things (NB-IoT), New Radio (NR), and the like. Further, communication between terminal devices and network devices in a communication network may be performed according to any suitable generation of communication protocols, including but not limited to first generation (1G), second generation (2G), 2.5G, 2.55G, third generation (3G), fourth generation (4G), 4.5G, future fifth generation (5G) communication protocols, and/or any other protocols currently known or developed in the future. Embodiments of the present disclosure may be applied to various communication systems. In view of the rapid development of communications, there will, of course, also be future types of communication techniques and systems that may embody the present disclosure, and the scope of the disclosure should not be taken as limited to only the above-described systems.
As used herein, the term "network device" refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom. A network device may refer to a Base Station (BS) or Access Point (AP), e.g., a NodeB (NodeB or NB), an evolved NodeB (eNodeB or eNB), an NR NB (also known as gNB), a Remote Radio Unit (RRU), a Radio Header (RH), a Remote Radio Head (RRH), a relay, an Integrated Access and Backhaul (IAB) node, a low power node (such as femto, pico), etc., depending on the terminology and technology applied.
The term "terminal device" refers to any terminal device capable of wireless communication. By way of example, and not limitation, a terminal device may also be referred to as a communication device, User Equipment (UE), Subscriber Station (SS), Portable Subscriber Station, Mobile Station (MS), or Access Terminal (AT). Terminal devices may include, but are not limited to, mobile phones, cellular phones, smart phones, Voice over IP (VoIP) phones, wireless local loop phones, tablets, wearable terminal devices, Personal Digital Assistants (PDAs), portable computers, desktop computers, image acquisition terminal devices such as digital cameras, gaming terminal devices, music storage and playback devices, in-vehicle wireless terminal devices, wireless endpoints, mobile stations, Laptop Embedded Equipment (LEE), Laptop Mounted Equipment (LME), USB dongles, smart devices, wireless Customer Premises Equipment (CPE), Internet of Things (IoT) devices, watches or other wearable devices, Head Mounted Displays (HMDs), vehicles, drones, medical devices and applications (e.g., tele-surgery), industrial devices and applications (e.g., robots and/or other wireless devices operating in industrial and/or automated processing chain environments), consumer electronics, devices operating on commercial and/or industrial wireless networks, and the like. In the following description, the terms "terminal device", "communication device", "terminal", "user equipment" and "UE" may be used interchangeably.
The term "network slicing" as used herein refers to a technology that allows multiple logical networks to be created on top of a common shared physical infrastructure. The term "network slice" as used herein refers to an independent end-to-end logical network running on a shared physical infrastructure that is capable of providing a negotiated quality of service. A network slice is self-contained in operation and traffic and may have its own network architecture, engineering mechanisms, and network provisioning. Virtualized network resources are typically architected, partitioned, and organized to achieve flexible support for different use case implementations. The term "network slice instance" as used herein refers to an instance of a network slice that is created based on a network slice blueprint/template/resource model. The term "network slicing orchestration" as used herein refers to automation and customization capabilities for improving service performance and customer satisfaction. Orchestration may enable automation of service creation and delivery. The term "network slice subnet" as used herein refers to a logical network that is made up of a set of hosted network functions and the required resources (e.g., computing, storage, and network resources). The term "network slice subnet instance" as used herein refers to an instance of a network slice subnet that is created based on a network slice subnet blueprint/template/resource model.
As mentioned above, "network slicing" techniques were introduced to provide different combinations of capabilities to simultaneously satisfy all of these different requirements. With network slicing, various types of users/customers can enjoy connectivity and data processing tailored to their particular requirements (e.g., data speed, quality, latency, reliability, security, and service) that comply with Service Level Agreements (SLAs) agreed with communication service providers. However, there are some challenges to achieving a comprehensive end-to-end network slice deployment for consumers, enterprises, and government departments, such as end-to-end precision slicing, network slice reliability, network slice scalability, and network slice lifecycle management. One of the most important challenges is network slice security, which is beginning to be a concern in academia and industry.
Network slice security includes several aspects such as security for network slice management, security for network slice orchestration, and access security for network slices. Security of network slicing is very important but has so far received little attention in the industry.
In some conventional techniques, management security for network slices has been defined, such as authentication, authorization, integrity protection, and confidentiality protection of the interface between a management service producer and a management service consumer. In addition, network slice specific authentication and authorization, data confidentiality and integrity, user identification privacy, and inter-slice security isolation are also proposed. Some additional conventional techniques have defined security for network slice management exposure interfaces and integrity protection for Network Slice Subnet Templates (NSSTs). However, there is little research on the security of network slicing.
According to an embodiment of the present disclosure, a first device receives a request to allocate resources for a network slice from a second device. The first device allocates a network slice instance that satisfies the security requirement indicated in the request. In this way, the different security requirements of different consumers can be met.
Fig. 1 shows a schematic diagram of a communication system in which embodiments of the present disclosure may be implemented. The communication system 100 includes a first device 110 and a second device 120. Communication system 100, which is part of a communication network, also includes device 130-1, device 130-2, …, device 130-N (which may be collectively referred to as third device(s) 130). One or more devices are associated with and covered by a cell. It should be understood that the number of devices and cells shown in fig. 1 is given for illustrative purposes and does not imply any limitation. Communication system 100 may include any suitable number of devices and cells. In the communication system 100, the first device 110, the second device 120, and the third devices 130 may communicate data and control information with each other. The second device 120 and the first device 110 are interchangeable. The first device 110 may be a network device. Alternatively, the first device 110 may be a core network device. The second device 120 may communicate with the first device 110 to create a network slice instance. Thereafter, the third devices 130 may communicate with each other through the network slice instance. A third device 130 may be a terminal device. Alternatively, a third device 130 may be a network device; for example, third devices 130-3 and 130-4 may be network devices. The number of third devices is only an example. The third devices 130 may be able to access the network slice instance. The first device 110 may manage and monitor the status of the network slice instance through the third devices 130-3 and/or 130-4.
Communications in communication environment 100 may be implemented in accordance with any suitable communication protocol(s), including, but not limited to, first-generation (1G), second-generation (2G), third-generation (3G), fourth-generation (4G), and fifth-generation (5G) cellular communication protocols, wireless local area network communication protocols such as Institute of Electrical and Electronics Engineers (IEEE) 802.11, and/or any other protocol currently known or developed in the future. Further, the communication may utilize any suitable wireless communication technology, including but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple Input Multiple Output (MIMO), Orthogonal Frequency Division Multiple Access (OFDMA), and/or any other technique now known or later developed.
Example embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings. Fig. 2 illustrates a block diagram of a network slicing system 200, according to some example embodiments of the present disclosure. Network slicing system 200 is merely an example and not a limitation. Network slicing system 200 may also include other modules not shown in fig. 2. Network slicing system 200 may be implemented at any suitable device, such as first device 110.
As shown in fig. 2, network slicing system 200 can include a Network Slice (NS) consumption portal 205, which can receive a request from a consumer (e.g., a healthcare provider) to allocate resources for a network slice. Network slicing system 200 may also include an NS management and orchestration portion 210. NS management module 2110 may support the operation of network slice instances. For example, the operation may be one or more of activation, supervision, performance reporting, resource capacity planning, and modification.
The NS data collection module 2120 may be configured to collect network data (e.g., data related to services, network slices, network slice subnets, and/or network functions) to support improving network performance and efficiency to accommodate and support the diversity of services and requirements.
In some embodiments, the NS management and orchestration portion 210 may further include an NS data analysis module 2130, the NS data analysis module 2130 configured to perform analysis using the collected network data to assist and supplement management services for optimal network performance and service guarantees. NS instance inventory module 2160 may be configured to store information regarding available network slice instances.
As shown in fig. 2, network slicing system 200 includes NS orchestration module 2140, configured to request the allocation of resources for a network slice. In addition, a network slice model that describes the static parameters and functional components of the network slice is stored in NS resource module 2150. In other embodiments, there are other modules in the network slicing system 200, such as an NS security policy module 2170, an NS security data collection module 2180, and an NS security data analysis module 2190. For example, NS security policy module 2170 may be configured to support reflecting the security requirements of a requested network slicing service in a network slice security policy. In some example embodiments, the NS security data collection module 2180 may be configured to collect security policy enforcement status regarding network data (e.g., data related to services, network slices, network slice subnets, and/or network functions) in support of checking whether the security requirements of a requested network slice service are satisfied. The NS security data analysis module 2190 may be configured to perform analysis using the collected network data regarding the security policy enforcement status to obtain optimal network slice security guarantees. Details of the above-described modules will be described later with reference to the drawings.
In some embodiments, a network slice may include multiple NS subnets (NSSs), e.g., NSS 220-1, NSS 220-2, or NSS 220-3. For an NSS, there are several modules involved. As shown in fig. 2, an NSS (e.g., NSS 220-1) may include one or more of the following: NSS management module 2210, NSS data collection module 2220, NSS data analysis module 2230, NSS orchestration module 2240, NSS resource module 2250, NSS instance inventory module 2260, NSS security control module 2270, NSS security data collection module 2280, and NSS security data analysis module 2290. The NS subnet may be divided based on different domains, e.g., geographic regions. Alternatively, the NS subnet may be divided based on different functions. For example, there may be one or more NS subnets with certain security features.
The functionality of the above-described modules in NSS is similar to that in a network slice, as will be described later. For example, the NSS security control module 2270 may be configured to support setting a network slice security policy to network slice subnet security control. In some embodiments, the NSS security data collection module 2280 may be configured to collect security policy enforcement status regarding network data (e.g., network slices, network slice subnets, and/or network function related data) in support of checking whether security requirements of the requested network slice subnet are met. Further, the NSS security data analysis module 2290 may be configured to perform analysis using the collected network data regarding the security policy enforcement status to obtain optimal network slice subnet security guarantees.
Network slicing system 200 may also include a network function virtualization management and orchestration (NFV-MANO) module 230, configured to manage the Network Function Virtualization Infrastructure (NFVI) and orchestrate the resource allocation required by network services and Virtual Network Functions (VNFs). The NFV orchestrator (NFVO) module 240 in the network slicing system 200 may be responsible for orchestration of NFVI resources across multiple Virtualized Infrastructure Managers (VIMs) and for lifecycle management of network services. In some embodiments, the NFVO module may include a network services catalog module 2410, a VNF catalog module 2420, a VNF instance inventory 2430, and an NFVI resources module 2440.
In some example embodiments, the network slicing system 200 may include a VNF manager (VNFM) responsible for lifecycle management of VNF instances. Virtualized Infrastructure Manager (VIM) module 270 may be configured to be responsible for controlling and managing NFVI computing, storage, and network resources. SDN control modules, including data forwarding policies, may be included in the VIM.
As shown in fig. 2, NFV-MANO module 230 may also include an NFV security manager module 250 configured to manage the security of network services throughout their lifecycle. Further, the security services catalog module 2510 in the NFV security manager module 250 may be a new logical function with the following capabilities: 1) storing all onboarded security services; 2) supporting the establishment and management of a security service resource model; 3) supporting the creation of a network slice subnet instance (i.e., NSS_security). NFV security manager module 250 may also include a Virtual Security Function (VSF) catalog module 2520, which is a particular type of VNF catalog. NFV security manager module 250 may also include VSF instance 2530, which is a particular type of VNF instance. A VSF as used herein may refer to a special type of VNF with customized security functions (e.g., firewall, IDS/IPS, virtualized security monitoring functions).
In an example embodiment, network slicing system 200 may include NFVI security manager 230, configured to build and manage security in the NFVI to support NFV security manager requests for managing the security of network services at a higher layer. The VNF module 285 in the network slicing system 200 may include a VNF and a Virtual Security Function (VSF), which is a special type of VNF with customized security functions (e.g., firewall, IDS/IPS, virtualized security monitoring functions). The NFVI-based security function module 290 may be a security function provided by the NFV infrastructure. It includes virtualized security devices or software security features (e.g., hypervisor-based firewalls) and hardware-based security devices/modules/features (e.g., hardware security modules, cryptographic accelerators, or trusted platform modules). The Physical Network Function (PNF) module 295 in the network slicing system 200 may include one or more PNFs and one or more Physical Security Functions (PSFs), which are security functions conventionally implemented in the physical portion of a hybrid network.
Referring now to fig. 3, fig. 3 illustrates a flow diagram of a method 300 of allocating network slices, according to some example embodiments of the present disclosure. For purposes of discussion, the method 300 will be described with reference to fig. 2. The method 300 may involve the first device 110 and the second device 120 and may be implemented at any suitable device; for example, the method may be implemented at the first device 110. It should be noted that the flow shown in fig. 3 is only one example.
At block 310, the first device 110 receives a request for allocated resources for a network slice from the second device 120. The request may be transmitted to the first device 110 via the NS consumption portal 205. The request indicates one or more characteristics of the network slice. For example, the request indicates security requirements of the network slice. In some embodiments, the request may indicate a network slice type. Alternatively or additionally, the request may indicate a bandwidth of the network slice. These characteristics may include the priority of the network slice. In some example embodiments, the latency requirement of the network slice may be indicated in the request. The request may also indicate a throughput of the network slice and/or a maximum number of terminal devices accessing the network slice.
In some embodiments, first device 110 may perform authentication of second device 120 based on credentials or a pre-shared key. Alternatively or additionally, the second device 120 may be authorized by the first device 110 based on a white/black list or Access Control List (ACL).
At block 320, the first device 110 obtains the security requirements for the network slice from the request. At block 330, the first device 110 determines a list of security services based on the security requirements.
At block 340, the first device 110 allocates a network slice instance that supports the list of security services. The network slice instance at least meets the security requirements specified in the request. For example, if the request indicates that isolated hardware is required, the network slice may be allocated isolated hardware. In this way, the security requirements of the requested network slice may be satisfied.
In some example embodiments, first device 110 may map the list of security services to a plurality of network slice resource modules and obtain information of available network slice instances. The first device 110 may obtain the security status of the available network slice instances and determine whether an existing network slice instance meets the security requirements. If the existing network slice instance meets the security requirements, the first device 110 may determine the existing network slice instance as the allocated resource for the requested network slice. If the existing network slice instance does not meet the profile of the network slice, the first device 110 may create a network slice instance based at least in part on the security requirements.
In other example embodiments, first device 110 may map the list of security services to a plurality of network slice subnet resource modules and obtain information of available network slice subnet instances. The first device 110 may obtain the security status of the available network slice subnet instance and determine whether the existing network slice subnet instance meets the security requirements. If the existing network slice subnet instance meets the security requirements, the first device 110 may determine the existing network slice subnet instance as the allocated resources of the requested network slice subnet. If the existing network-slice subnet instance does not meet the profile of the network-slice subnet, the first device 110 may create the network-slice subnet instance based at least in part on the security requirements.
Fig. 4 and 5 show schematic diagrams of interactions 400 and 500, respectively, of allocating network slice instances, according to some example embodiments of the present disclosure. In particular, fig. 4 shows the interaction of allocating network slice instances at the NS level, and fig. 5 shows the interaction of allocating network slice subnet instances at the NSS level.
As shown in fig. 4, NS orchestration module 2140 may obtain 4005 security requirements from the received request. NS orchestration module 2140 may determine 4010 a list of security service types based on the security requirements. For example, NS orchestration module 2140 may determine that isolation of data transfers is required based on the security requirements. Alternatively, the list of security service types may include virus detection and data scrubbing. In some example embodiments, NS orchestration module 2140 may determine that tamper-proofing of the management data is required. Confidentiality protection of data during transmission may be included in the list of security service types. In other embodiments, the list of security service types may further include integrity protection of data during transmission. The list of security service types may also include one or more of: hardware isolation, software isolation, DDoS attack prevention, virus prevention, and malware prevention. It should be noted that embodiments of the present disclosure are not limited thereto.
NS orchestration module 2140 may access 4015 NS resource module 2150 to obtain the security state of the network slice instance. As described above, NS resource module 2150 may store network slice modules that describe the static parameters and functional components of a network slice. NS orchestration module 2140 may map 4020 the received request, with the list of security service types, to the appropriate NS resource module. For example, the security profile of the appropriate NS resource module may satisfy the security requirements indicated in the request. The security profile of the appropriate NS resource module may include data encryption. In other example embodiments, data integrity verification may be included in the security profile. The profile may also include data filtering and/or data cleansing. Alternatively or additionally, the appropriate NS resource module may be capable of supporting the required services indicated in the request.
NS orchestration module 2140 may access 4025 NS instance inventory module 2160 to obtain information about available network slice instances. NS orchestration module 2140 may determine 4030 whether an existing network slice instance satisfies the request. In some example embodiments, NS orchestration module 2140 may check whether the available network slice instances can support the required services based on information obtained from NS instance inventory module 2160. NS orchestration module 2140 may also check whether the available network slice instances can meet the security requirements in the request based on the information obtained from NS instance inventory module 2160. If there is an existing network slice instance that meets the security requirements, NS orchestration module 2140 may assign 4035 the existing network slice instance to the requested allocation of the network slice. If there is no existing network slice instance that meets the security requirements, NS orchestration module 2140 may create 4040 a new network slice instance. NS orchestration module 2140 may determine multiple subnets, e.g., subnets 220-1, 220-2, and 220-3, to use to create the network slice instance. NS orchestration module 2140 may create the network slice instance by linking multiple NS subnets. NS orchestration module 2140 may transmit a further request to NSS orchestration module 2240 to allocate resources to the multiple NS subnets, which is not shown in fig. 4. Fig. 5 illustrates the interaction of creating a network slice subnet instance at the NSS level.
If the NSS orchestration module 2240 receives a further request from the NS orchestration module 2140, the NSS orchestration module 2240 may authenticate and authorize the NS orchestration module 2140. The NSS orchestration module 2240 may access 5015 the NSS resource module 2250. As described above, NSS resource module 2250 may store network slice subnet modules that describe the static parameters and functional components of the network slice subnet. The NSS resource module 2250 may obtain the security status of the network slice subnet instance. NSS orchestration module 2240 may map 5020 the received request, with the list of security service types, to the appropriate NSS resource module. For example, the security profile of the appropriate NSS resource module may satisfy the security requirements indicated in the further request. The security profile of the appropriate NSS resource module may include data encryption. In other example embodiments, data integrity verification may be included in the security profile. The profile may also include data filtering and/or data cleansing. Alternatively or additionally, the appropriate NSS resource module may be capable of supporting the required services indicated in the request.
The NSS orchestration module 2240 may access 5025 the NSS instance inventory module 2260 to obtain information about available network slice subnet instances. The NSS orchestration module 2240 can determine 5030 whether the existing network slice subnet instance satisfies the request. In some example embodiments, NSS orchestration module 2240 may check whether the available network slice subnet instances can support the required service based on information obtained from NSS instance inventory module 2260. The NSS orchestration module 2240 may also check whether the available network slice subnet instances can meet the security requirements in the further request based on the information obtained from the NSS instance inventory module 2260. If there is one existing network slice subnet instance that meets the security requirements, the NSS orchestration module 2240 may allocate 5035 the existing network slice subnet instance to the allocated resources of the requested network slice subnet. NSS orchestration module 2240 may provide the security status of the network slice subnet instance to NS orchestration module 2140.
If there is no existing network slice subnet instance that meets the security requirements, NSS orchestration module 2240 may create 5040 a new network slice subnet instance. NSS orchestration module 2240 may transmit 5045 another request for allocated resources for the network service to NFV-MANO 230. NFV-MANO 230 may perform 5050 authentication of that request based on credentials and authorization of that request based on an ACL or white/black list.
After authentication and authorization, the NFV-MANO 230 may allocate 5055 the requested allocated resources for the network slice subnet to one or more existing network service instances that meet the security requirements. Alternatively, NFV-MANO 230 may create a new network service instance for the requested allocation of the network slice subnet. NFV-MANO 230 may transmit 5060 confirmation of the network service to NSS orchestration module 2240. In some embodiments, NSS orchestration module 2240 may confirm the allocation of network slice subnet instances to NS orchestration module 2140.
Referring again to fig. 3, at block 350, the first device 110 transmits an indication of the allocation of the network slice instance to the second device 120. For example, NS orchestration module 2140 may transmit the indication to second device 120 via NS consumption portal 205. NS orchestration module 2140 may also provide the security state of the network slice instance to second device 120.
In some example embodiments, first device 110 may monitor data on the assigned network slice instance. The first device 110 may determine whether the security requirements of the network slice are met based on the monitored data. The data may refer to data associated with a network slice instance or a network slice subnet instance. For example, the NS security data collection module 2180 may collect the security policy enforcement status from the monitoring data, in support of checking whether the security requirements of the allocated resources of a requested network slice are met. The NS security data analysis module 2190 may analyze the collected network data regarding the security policy enforcement status to obtain optimal network slice subnet security guarantees. The NS security policy module 2170 may support translating the network slice security policy into network slice subnet security controls. First device 110 may update the allocated resources of the network slice if the security requirements are not met. For example, first device 110 may recreate or reallocate the network slice instance.
After the network slice instance is assigned, the first device 110 may monitor the third device 130-1 through other devices (e.g., devices 130-3 and/or 130-4 as network devices). The first device 110 may also monitor access data from the third device 130-3 and/or 130-4. The anomalous behavior of the third device 130-1 may be detected by the first device 110 based on access data of the third device 130-1 via the devices 130-3 and/or 130-4 on the network slice instance.
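The allocation logic of blocks 320 through 350 and interactions 400 and 500, together with the monitoring-triggered update described above, as an added example in Python that is not part of the patent: the requirement-to-service mapping, the module and instance names, and the enforcement-status format are constructed assumptions. An existing instance or subnet instance is reused only when its current security status covers every required security service type; a weaker instance is never reused for a stronger request.

```python
from dataclasses import dataclass, field

# Constructed mapping from the security requirements named in a request to the
# security service types the orchestrator must provide (block 330 / step 4010).
REQUIREMENT_TO_SERVICES = {
    "isolated_hardware": {"hardware_isolation"},
    "confidential_transport": {"data_encryption"},
    "tamper_proof_management": {"data_integrity_verification"},
    "ddos_protection": {"ddos_attack_prevention"},
    "malware_protection": {"virus_prevention", "malware_prevention"},
}

@dataclass
class ResourceModule:
    """Hypothetical NS resource module: static template with a security profile."""
    module_id: str
    security_profile: set
    supported_services: set
    subnet_module_ids: list = field(default_factory=list)

@dataclass
class SliceInstance:
    """Network slice (or subnet) instance with its *current* security status."""
    instance_id: str
    security_status: set
    supported_services: set
    subnet_ids: list = field(default_factory=list)

def determine_security_service_types(security_requirements):
    """Block 330: translate the request's requirements into service types."""
    services = set()
    for req in security_requirements:
        if req not in REQUIREMENT_TO_SERVICES:
            raise ValueError(f"unknown security requirement: {req}")
        services |= REQUIREMENT_TO_SERVICES[req]
    return sorted(services)

def covers(profile, supported, service_types, required_services):
    """Coverage, not equality: a stronger profile may serve the request, a weaker one never."""
    return set(service_types) <= profile and set(required_services) <= supported

def select_resource_module(modules, service_types, required_services):
    """Step 4020: first NS resource module whose security profile satisfies the list."""
    for m in modules:
        if covers(m.security_profile, m.supported_services, service_types, required_services):
            return m
    return None

def find_or_create(inventory, service_types, required_services, create):
    """Steps 4030-4040 (5030-5040 at NSS level): reuse an existing instance only
    if its current security status covers the request, otherwise create one."""
    for inst in inventory:
        if covers(inst.security_status, inst.supported_services, service_types, required_services):
            return inst, False
    inst = create()
    inventory.append(inst)
    return inst, True

def allocate_network_slice(request, ns_modules, ns_inventory, nss_inventory):
    """Blocks 320-350: returns the indication sent to the consumer, carrying the
    security status. nss_inventory maps a subnet module id to its instances."""
    service_types = determine_security_service_types(request["security_requirements"])
    required = set(request.get("required_services", ()))
    module = select_resource_module(ns_modules, service_types, required)
    if module is None:
        return {"status": "rejected", "reason": "no NS resource module covers the requirements"}

    def create_ns_instance():
        # Step 4040: allocate every subnet at the NSS level, then link them.
        subnet_ids = []
        for mid in module.subnet_module_ids:
            subs = nss_inventory.setdefault(mid, [])
            sub, _ = find_or_create(subs, service_types, required, lambda: SliceInstance(
                f"{mid}-nssi-{len(subs) + 1}", set(service_types), set(required)))
            subnet_ids.append(sub.instance_id)
        return SliceInstance(f"nsi-{len(ns_inventory) + 1}", set(service_types),
                             set(required), subnet_ids)

    inst, created = find_or_create(ns_inventory, service_types, required, create_ns_instance)
    return {"status": "created" if created else "existing", "instance_id": inst.instance_id,
            "security_status": sorted(inst.security_status), "subnets": list(inst.subnet_ids)}

def monitor_and_update(request, inst, enforcement_status, ns_modules, ns_inventory, nss_inventory):
    """Monitoring step: enforcement_status is the collected security policy
    enforcement status, constructed as {service_type: enforced?}. When a required
    service is no longer enforced, record the real status on the instance and its
    subnets (so neither is silently reused) and reallocate."""
    service_types = determine_security_service_types(request["security_requirements"])
    unmet = [s for s in service_types if not enforcement_status.get(s, False)]
    if not unmet:
        return {"status": "ok", "instance_id": inst.instance_id}
    inst.security_status -= set(unmet)
    for subs in nss_inventory.values():
        for sub in subs:
            if sub.instance_id in inst.subnet_ids:
                sub.security_status -= set(unmet)
    indication = allocate_network_slice(request, ns_modules, ns_inventory, nss_inventory)
    indication["unmet"] = unmet
    return indication
```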
Fig. 6 illustrates a flow diagram of a method 600 of allocating network slices according to some example embodiments of the present disclosure. Method 600 may be implemented at any suitable device. For example, the method may be implemented at the second device 120.
At block 610, the second device 120 generates a request for allocation of a network slice. The request indicates one or more characteristics of the network slice. For example, the request indicates security requirements of the network slice. In some embodiments, the request may indicate a network slice type. Alternatively or additionally, the request may indicate a bandwidth of the network slice. These characteristics may include the priority of the network slice. In some example embodiments, the latency requirement of the network slice may be indicated in the request. The request may also indicate a throughput of the network slice and/or a maximum number of terminal devices accessing the network slice.
At block 620, the second device 120 transmits the request to the first device 110. For example, the request may be transmitted to the first device 110 via the NS consumption portal 205. In some embodiments, the second device 120 may be authenticated by the first device 110 based on credentials or a pre-shared key. Alternatively or additionally, the second device 120 may be authorized by the first device 110 based on a white/black list or Access Control List (ACL).
At block 630, the second device 120 receives, from the first device 110, an indication of the allocation of a network slice instance. For example, the indication may be received via the NS consumption portal 205. NS orchestration module 2140 may also provide the security state of the network slice instance to second device 120.
In some embodiments, the second device 120 may receive a further indication of the updated allocated resources of the network slice if the security requirements are not satisfied. Alternatively, the second device 120 may receive another indication of the detection of the abnormal behavior of the third device 130.
In an embodiment, an apparatus (e.g., first device 110) for performing method 300 may include respective means for performing corresponding steps in method 300. These means may be implemented in any suitable manner. For example, they may be implemented by circuitry or software modules.
In some embodiments, the apparatus includes means for receiving, at a first device, a request for allocated resources for a network slice from a second device; means for obtaining security requirements for the network slice from the request; means for determining a list of security services based on the security requirements; means for assigning a network slice instance that supports a secure services list; and means for transmitting an indication of the allocated network slice instance to the second device.
In some embodiments, the means for allocating network slice instances comprises: means for mapping a list of security services to a network slice resource module; means for obtaining information of available network slice instances; means for obtaining a security status of an available network slice instance; means for determining whether an existing network slice instance satisfies a security requirement; means for determining an existing network slice instance as an allocated resource for the requested network slice in accordance with a determination that the existing network slice instance satisfies the security requirement; or means for creating a new network slice instance based at least in part on the security requirements in accordance with a determination that the existing network slice instance does not meet the profile of the network slice.
In some embodiments, the means for creating the network slice instance comprises: means for allocating a plurality of network slice subnet instances that satisfy security requirements and required services; means for creating a network slice instance by linking a plurality of network slice subnet instances.
In some embodiments, the means for allocating the plurality of network slice subnet instances comprises means for mapping a list of security services to the plurality of network slice subnet resource modules; means for obtaining information of available network slice subnet instances; means for obtaining a security status of an available network slice subnet instance; means for determining whether an existing network slice subnet instance meets a security requirement; means for determining an existing network slice subnet instance as an allocated resource of the requested network slice subnet in accordance with a determination that the existing network slice subnet instance satisfies the security requirement; or means for creating a network slice subnet instance based at least in part on the security requirements in accordance with a determination that the existing network slice subnet instance does not satisfy the profile of the network slice subnet.
In some embodiments, the apparatus further comprises means for determining, in response to monitoring data on the network slice instance, whether security requirements of the network slice are satisfied based on the data; and means for updating the allocated resources of the network slice in accordance with the determination that the security requirements are not satisfied.
In some embodiments, the apparatus further comprises means for detecting abnormal behavior of the third device by monitoring access data of the third device on the network slice instance.
In some embodiments, the apparatus includes means for mapping a security service list to a network slice resource module; means for obtaining a security status of one or more network slice instances; and means for allocating network slice instances based on the network slice resource module.
In some embodiments, the first device is a network device, the second device is another network device, and the third device is a terminal device or another network device.
In an embodiment, an apparatus (e.g., second device 120) for performing method 600 may include respective means for performing corresponding steps in method 600. These means may be implemented in any suitable manner. They may be implemented, for example, by circuitry or software modules.
In some embodiments, the apparatus includes means for generating a request for an allocated resource for a network slice, the request indicating at least a security requirement; means for transmitting the request to the first device; and means for receiving an indication of an assigned network slice instance from the first device, the assigned network slice instance satisfying at least the security requirements.
In some embodiments, the apparatus further comprises means for receiving an additional indication of an updated allocation resource of the network slice in accordance with the determination that the security requirement is not satisfied.
In some embodiments, the apparatus further comprises means for receiving, from the first device, another indication of detection of abnormal behavior of the third device.
In some embodiments, the first device is a network device, the second device is another network device, and the third device is a terminal device or another network device.
Fig. 7 is a simplified block diagram of a device 700 suitable for implementing embodiments of the present disclosure. The device 700 may be provided to implement a communication device, such as the first device 110 or the second device 120 shown in fig. 1. As shown, the device 700 includes one or more processors 710, one or more memories 720 coupled to the processors 710, and one or more communication modules 740 coupled to the processors 710.
The communication module 740 is used for bidirectional communication. The communication module 740 has at least one antenna to facilitate communication. A communication interface may represent any interface necessary to communicate with other network elements.
The processor 710 may be of any type suitable for a local technology network, and may include, by way of non-limiting example, one or more of the following: general purpose computers, special purpose computers, microprocessors, Digital Signal Processors (DSPs) and processors based on a multi-core processor architecture. Device 700 may have multiple processors, such as an application-specific integrated circuit chip that is temporally slaved to a clock synchronized with the main processor.
Memory 720 may include one or more non-volatile memories and one or more volatile memories. Examples of non-volatile memory include, but are not limited to, Read Only Memory (ROM) 724, Electrically Programmable Read Only Memory (EPROM), flash memory, a hard disk, a Compact Disk (CD), a Digital Video Disk (DVD), and other magnetic and/or optical storage. Examples of volatile memory include, but are not limited to, Random Access Memory (RAM) 722 and other volatile memory that does not persist during a power-down period.
The computer programs 730 include computer-executable instructions that are executed by the associated processor 710. The program 730 may be stored in the ROM 724. Processor 710 may perform any suitable actions and processes by loading programs 730 into RAM 722.
Embodiments of the disclosure may be implemented by the program 730 such that the device 700 may perform any of the processes of the disclosure as discussed with reference to fig. 2 and 6. Embodiments of the present disclosure may also be implemented by hardware, or a combination of software and hardware.
In some example embodiments, the program 730 may be tangibly embodied in a computer-readable medium, which may be included in the device 700 (such as the memory 720) or other storage device accessible to the device 700. The device 700 may load the program 730 from the computer-readable medium into the RAM 722 for execution. The computer readable medium may include any type of tangible, non-volatile memory, such as a ROM, EPROM, flash memory, hard disk, CD, DVD, etc. Fig. 8 shows an example of a computer readable medium 800 in the form of a CD or DVD. The program 730 is stored on a computer readable medium.
It should be appreciated that future networks may utilize Network Function Virtualization (NFV), which is a network architecture concept that proposes virtualizing network node functions as "building blocks" or entities that may be operatively connected or linked together to provide services. A Virtualized Network Function (VNF) may comprise one or more virtual machines that run computer program code using standard or general-purpose types of servers rather than custom hardware. Cloud computing or data storage may also be used. In radio communication, this may mean that the node operations are at least partly performed in a central/centralized unit CU (e.g. a server, a host or a node) operatively coupled to the distributed units DU (e.g. radio heads/nodes). Node operations may also be distributed among multiple servers, nodes, or hosts. It should also be understood that the allocation of work between core network operation and base station operation may vary depending on the implementation.
In one embodiment, the server may generate a virtual network through which the server communicates with the distributed elements. In general, virtual networks may involve the process of combining hardware and software network resources and network functions into a single software-based management entity (virtual network). Such a virtual network may provide flexible operational distribution between the server and the radio heads/nodes. In practice, any digital signal processing task may be performed in a CU or DU, and the boundary of responsibility transfer between a CU and DU may be chosen depending on the implementation.
Thus, in one embodiment, a CU-DU architecture is implemented. In this case, the device 700 may be included in a central unit (e.g., control unit, edge cloud server, server) operably coupled (e.g., via a wireless or wired network) to a distributed unit (e.g., remote radio head/node). That is, the central unit (e.g., edge cloud server) and the distributed units may be independent devices that communicate with each other via a radio path or via a wired connection. Alternatively, they may be in the same entity communicating via a wired connection or the like. An edge cloud or edge cloud server may serve multiple distributed units or radio access networks. In one embodiment, at least some of the described processes may be performed by a central unit. In another embodiment, the device 700 may instead be included in a distributed unit, and at least some of the described processes may be performed by the distributed unit.
In one embodiment, the performance of at least some of the functions of the device 700 may be shared between two physically separate devices (DU and CU) forming one operational entity. Accordingly, the apparatus may be seen as an operational entity comprising one or more physically separate devices for performing at least some of the described processes. In one embodiment, such a CU-DU architecture may provide flexible operation distribution between CUs and DUs. In practice, any digital signal processing task may be performed in a CU or DU, and the boundary of responsibility transfer between a CU and DU may be chosen depending on the implementation. In one embodiment, the device 700 controls the execution of processes regardless of the location of the devices and where the processes/functions are performed.
In general, the various embodiments of the disclosure may be implemented using hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented using hardware, while other aspects may be implemented using firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of the embodiments of the disclosure are illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that the blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer-readable storage medium. The computer program product comprises computer-executable instructions, such as instructions included in program modules, that are executed in a device on a target real or virtual processor to perform the methods 300 and 600 as described above with reference to fig. 3 and 6. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, etc. that perform particular tasks or implement particular abstract data types. In various embodiments, the functionality of the program modules may be combined or split between program modules as desired. Machine-executable instructions of program modules may be executed within local or distributed devices. In a distributed facility, program modules may be located in both local and remote memory storage media.
Program code for performing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present disclosure, computer program code or related data may be carried by any suitable carrier to enable a device, apparatus or processor to perform various processes and operations as described above. Examples of a carrier include a signal, computer readable medium, and the like.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a computer-readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are described in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Also, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the disclosure has been described in language specific to structural features and/or methodological acts, it is to be understood that the disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (28)

1. A first device, comprising:
at least one processor; and
at least one memory including computer program code;
the at least one memory and the computer program code configured to, with the at least one processor, cause the first device to:
receiving a request for allocated resources for a network slice from a second device;
obtaining the security requirement of the network slice from the request;
determining a list of security services based on the security requirements;
allocating a network slice instance supporting the list of security services; and
transmitting an indication of the allocated network slice instance to the second device.
2. The first device of claim 1, wherein the first device is caused to allocate the network slice instance by:
mapping the security service list to a network slice resource module;
acquiring information of available network slice instances;
acquiring the security state of the available network slice instance;
determining whether an existing network slice instance satisfies the security requirement;
in accordance with a determination that the existing network slice instance satisfies the security requirement, determining the existing network slice instance as an allocated resource for the requested network slice; or
in accordance with a determination that the existing network slice instance does not satisfy the profile of the network slice, creating a network slice instance based at least in part on the security requirements.
3. The first device of claim 2, wherein the first device is caused to create the network slice instance by:
allocating a plurality of network slice subnet instances that satisfy the security requirements and required services; and
creating the network slice instance by linking the plurality of network slice subnet instances.
4. The first device of claim 3, wherein the first device is further caused to allocate the plurality of network slice subnet instances by:
mapping the list of security services to a plurality of network slice subnet resource modules;
acquiring information of available network slice subnet instances;
acquiring the security state of the available network slice subnet instances;
determining whether an existing network slice subnet instance satisfies the security requirement;
in accordance with a determination that the existing network slice subnet instance satisfies the security requirement, determining the existing network slice subnet instance as an allocated resource for the required network slice subnet; or
in accordance with a determination that the existing network slice subnet instance does not satisfy the profile of the network slice subnet, creating a network slice subnet instance based at least in part on the security requirements.
5. The first device of claim 1, wherein the first device is further caused to:
in response to monitoring data on the network slice instance, determining whether the security requirements of the allocated resources of the requested network slice are met; and
in accordance with a determination that the security requirements are not satisfied, updating the allocated resources of the network slice.
6. The first device of claim 1, wherein the first device is further caused to:
detecting abnormal behavior of a third device on the network slice instance by monitoring access data of the third device; and
transmitting a further indication of the detection of the abnormal behavior to the second device.
7. The first device of claim 1, wherein the first device is further caused to:
mapping the list of security services to a network slice resource module;
acquiring the security state of one or more network slice instances; and
allocating the network slice instance based on the network slice resource module.
8. The first device of any of claims 1-7, wherein the first device is a network device, the second device is another network device, and the third device is a terminal device or another network device.
9. A second device, comprising:
at least one processor; and
at least one memory including computer program code;
the at least one memory and the computer program code configured to, with the at least one processor, cause the second device to:
generating a request for allocated resources for a network slice, the request indicating at least a security requirement;
transmitting the request to a first device; and
receiving, from the first device, an indication of an assigned network slice instance that at least satisfies the security requirement.
10. The second device of claim 9, wherein the second device is further caused to:
in accordance with a determination that the security requirements are not satisfied, receiving an additional indication of an updated allocation resource for the network slice.
11. The second device of claim 9, wherein the second device is further caused to:
receiving, from the first device, another indication of detection of abnormal behavior of a third device.
12. The second device of any of claims 8 to 10, wherein the first device is a network device, the second device is another network device, and the third device is a terminal device or another network device.
13. A method, comprising:
receiving, at a first device, a request for allocated resources for a network slice from a second device;
obtaining the security requirement of the network slice from the request;
determining a list of security services based on the security requirements;
allocating a network slice instance supporting the list of security services; and
transmitting an indication of the allocated network slice instance to the second device.
14. The method of claim 13, wherein allocating the network slice instance comprises:
mapping the security service list to a network slice resource module;
acquiring information of available network slice instances;
acquiring the security state of the available network slice instance;
determining whether an existing network slice instance satisfies the security requirement;
in accordance with a determination that the existing network slice instance satisfies the security requirement, determining the existing network slice instance as an allocated resource for the requested network slice; or
in accordance with a determination that the existing network slice instance does not satisfy the profile of the network slice, creating a network slice instance based at least in part on the security requirements.
15. The method of claim 14, wherein creating a network slice instance comprises:
allocating a plurality of network slice subnet instances that satisfy the security requirements and required services; and
creating a network slice instance by linking the plurality of network slice subnet instances.
16. The method of claim 15, wherein allocating the plurality of network slice subnet instances comprises:
mapping the list of security services to a plurality of network slice subnet resource modules;
acquiring information of available network slice subnet instances;
acquiring the security state of the available network slice subnet instances;
determining whether an existing network slice subnet instance satisfies the security requirement;
in accordance with a determination that the existing network slice subnet instance satisfies the security requirement, determining the existing network slice subnet instance as an allocated resource for the required network slice subnet; or
in accordance with a determination that the existing network slice subnet instance does not satisfy the profile of the network slice subnet, creating a network slice subnet instance based at least in part on the security requirements.
17. The method of claim 13, further comprising:
in response to monitoring data on the network slice instance, determining whether the security requirements of the network slice are satisfied based on the data; and
in accordance with a determination that the security requirements are not satisfied, updating the allocated resources of the network slice.
18. The method of claim 13, further comprising:
detecting anomalous behavior of a third device on the network slice instance by monitoring access data of the third device.
19. The method of claim 13, further comprising:
mapping the list of security services to a network slice resource module;
acquiring the security state of one or more network slice instances; and
allocating the network slice instance based on the network slice resource module.
20. The method according to any of claims 13 to 19, wherein the first device is a network device, the second device is another network device, and the third device is a terminal device or a further network device.
21. A method, comprising:
generating, at a second device, a request for allocated resources for a network slice, the request indicating at least security requirements;
transmitting the request to a first device; and
receiving, from the first device, an indication of an assigned network slice instance that at least satisfies the security requirement.
22. The method of claim 21, further comprising:
in accordance with a determination that the security requirements are not satisfied, receiving an additional indication of an updated allocation resource for the network slice.
23. The method of claim 21, further comprising:
receiving, from the first device, another indication of detection of abnormal behavior of a third device.
24. The method according to any of claims 21 to 23, wherein the first device is a network device, the second device is another network device, and the third device is a terminal device or a further network device.
25. An apparatus, comprising:
means for receiving, at a first device, a request for allocated resources for a network slice from a second device;
means for obtaining security requirements for the network slice from the request;
means for determining a list of security services; and
means for transmitting an indication of the allocated network slice instance to the second device.
26. An apparatus, comprising:
means for generating a request for allocated resources for a network slice, the request indicating at least a security requirement;
means for transmitting the request to a first device; and
means for receiving, from the first device, an indication of an assigned network slice instance that at least satisfies the security requirement.
27. A computer readable storage medium comprising program instructions stored thereon which, when executed by an apparatus, cause the apparatus to perform the method of any of claims 13 to 20.
28. A computer readable storage medium comprising program instructions stored thereon which, when executed by an apparatus, cause the apparatus to perform the method of any of claims 21 to 24.
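The allocation procedure of claims 1 to 5 (and the parallel method claims 13 to 17), as an added Python illustration that is not part of the patent or of any vendor's implementation: the security requirements carried in the request are turned into a list of security services, an existing network slice instance is reused only if it supports every listed service and its acquired security state is acceptable, otherwise a new instance is created by linking subnet instances, and a later monitoring result that the requirement is no longer met triggers re-allocation. The requirement-to-service catalogue, the instance records and the `healthy` flag are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed catalogue (assumption): which security services each
# security requirement in a request translates to (claim 1, third step).
REQUIREMENT_TO_SERVICES = {
    "confidentiality": {"user-plane-encryption"},
    "integrity": {"user-plane-integrity"},
    "isolation": {"dedicated-upf"},
}

@dataclass
class Instance:
    """An NSI or NSSI: the services it supports and its monitored security state."""
    name: str
    services: set
    healthy: bool = True  # the "security state" acquired in claims 2 and 4

def security_service_list(requirements):
    """Derive the list of security services from the request's requirements."""
    services = set()
    for req in requirements:
        if req not in REQUIREMENT_TO_SERVICES:
            raise ValueError(f"unknown security requirement: {req}")
        services |= REQUIREMENT_TO_SERVICES[req]
    return services

def satisfies(instance, services):
    """An instance qualifies only if it supports every required service
    AND its current security state is acceptable, not one or the other."""
    return instance.healthy and services <= instance.services

def allocate(requirements, existing_nsis, nssis):
    """Claims 2-4: reuse a matching NSI; otherwise link healthy NSSIs that
    together cover the services. Returns (instance, created_flag)."""
    services = security_service_list(requirements)
    for nsi in existing_nsis:
        if satisfies(nsi, services):
            return nsi, False
    covered, chosen = set(), []
    for nssi in nssis:
        # Only a subnet instance in a good security state may be linked in.
        if nssi.healthy and nssi.services & (services - covered):
            chosen.append(nssi)
            covered |= nssi.services
    if not services <= covered:
        raise RuntimeError(f"unsatisfied services: {services - covered}")
    return Instance("nsi(" + "+".join(n.name for n in chosen) + ")", covered), True

def reevaluate(nsi, requirements, existing_nsis, nssis):
    """Claim 5: after monitoring, keep the NSI only while it still meets the
    requirement; otherwise update the allocated resources of the slice."""
    if satisfies(nsi, security_service_list(requirements)):
        return nsi, False
    return allocate(requirements, existing_nsis, nssis)
```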
CN202080097942.XA 2020-03-04 2020-03-04 Allocation resources of network slices Pending CN115211159A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/077752 WO2021174439A1 (en) 2020-03-04 2020-03-04 Allocation resource of network slice

Publications (1)

Publication Number Publication Date
CN115211159A true CN115211159A (en) 2022-10-18

Family

ID=77613899

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080097942.XA Pending CN115211159A (en) 2020-03-04 2020-03-04 Allocation resources of network slices

Country Status (2)

Country Link
CN (1) CN115211159A (en)
WO (1) WO2021174439A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023212891A1 (en) * 2022-05-06 2023-11-09 Nokia Shanghai Bell Co., Ltd. Apparatus, method, and computer program
WO2023240524A1 (en) * 2022-06-16 2023-12-21 Nokia Shanghai Bell Co., Ltd. Devices, methods, apparatuses, and computer readable media for network slice with high security

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017200978A1 (en) * 2016-05-16 2017-11-23 Idac Holdings, Inc. Security-based slice selection and assignment
CN108023757A (en) * 2016-11-03 2018-05-11 华为技术有限公司 Manage the methods, devices and systems of network section example
CN108024255A (en) * 2016-11-03 2018-05-11 华为技术有限公司 The method and the network equipment of extended network section example
WO2018089634A1 (en) * 2016-11-11 2018-05-17 Intel IP Corporation Network slice management
WO2018171459A1 (en) * 2017-03-18 2018-09-27 华为技术有限公司 Network slice management method and device
WO2019149016A1 (en) * 2018-02-02 2019-08-08 中兴通讯股份有限公司 Method, system, network device, storage medium for creating a network slice
WO2019201017A1 (en) * 2018-04-19 2019-10-24 华为技术有限公司 Negotiation method and apparatus for security algorithm

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108270823B (en) * 2016-12-30 2022-02-22 华为技术有限公司 Service providing method, device and system
US11039321B2 (en) * 2017-07-05 2021-06-15 Huawei Technologies Co., Ltd. Methods and systems for network slicing
CN109392096B (en) * 2017-08-04 2020-11-03 华为技术有限公司 Resource allocation method and device

Also Published As

Publication number Publication date
WO2021174439A1 (en) 2021-09-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination