WO2019109942A1 - 建立虚拟网络功能实例的方法和装置 - Google Patents

建立虚拟网络功能实例的方法和装置 Download PDF

Info

Publication number
WO2019109942A1
WO2019109942A1 PCT/CN2018/119337 CN2018119337W WO2019109942A1 WO 2019109942 A1 WO2019109942 A1 WO 2019109942A1 CN 2018119337 W CN2018119337 W CN 2018119337W WO 2019109942 A1 WO2019109942 A1 WO 2019109942A1
Authority
WO
WIPO (PCT)
Prior art keywords
hmee
vnfc
control device
security
security control
Prior art date
Application number
PCT/CN2018/119337
Other languages
English (en)
French (fr)
Inventor
李飞
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to EP18886232.0A priority Critical patent/EP3716563A4/en
Publication of WO2019109942A1 publication Critical patent/WO2019109942A1/zh
Priority to US16/894,198 priority patent/US11487867B2/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/30Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45595Network integration; Enabling network access in virtual machine instances

Definitions

  • the present application relates to the field of computers and, more particularly, to methods and apparatus for establishing instances of network virtual functions.
  • NFV Network Function Virtualization
  • NFV technology can implement some network functions in software on general-purpose hardware.
  • NFV technology can be used to implement partial telecommunications in general-purpose cloud servers, switches, and storage. Network capabilities to enable rapid and efficient deployment of network services.
  • VNFI virtual network function instance
  • VNFI virtual network function instance
  • VNF Components VNFCs
  • VNFCs virtual network function components
  • some sensitive components such as virtual point of interception (vPOI) are not allowed by ordinary business personnel.
  • VNFCs Perceived; for example, in order to protect the technical secrets of enterprises, for example, core algorithms, parameters, etc., although some VNFCs can be perceived and used, their internal core algorithms, parameters, etc. need to be kept secret, and do not want to be used by ordinary business personnel. Obtain. Therefore, it is desirable to provide a method that can ensure the security of a sensitive VNFC.
  • the present application provides a method and apparatus for establishing a VNFI to improve the security of a sensitive VNFC.
  • a method of establishing a VNFI including:
  • the hardware function execution environment HMEE in the network function virtualization NFV system generates a public-private key pair, the NFV system deploys a VNFI to be instantiated, and the VNFI deploys the HMEE and a first virtual network function component VNFC to be instantiated;
  • an encrypted security credential from the security control device, the encrypted security credential being obtained by encrypting a security credential of an installation package of the first VNFC based on the public key, the security credential being used for decrypting The installation package of the first VNFC;
  • the HMEE decrypts the encrypted security credential based on the private key in the public-private key pair to obtain the security credential.
  • the security of the public-private key pair can be ensured and prevented from being obtained or tampered with by a third party.
  • the security credential of the first VNFC installation package is encrypted by the security control device based on the public key in the public private key pair, and the encrypted security credential needs to be decrypted by the private key generated by the HMEE, so that the security credential can be transmitted. Security in the process.
  • the decryption process of the security credential is also performed in the secure execution environment provided by the HMEE, so that the outside world cannot obtain the private key, the security credential, and the installation package of the first VNFC, and the decryption of the security credential cannot be perceived. Unable to sense the installation process of the first VNFC. Thereby, the security of the first VNFC can be ensured.
  • the VNFI is further deployed with a second VNFC that has been instantiated, and
  • the HMEE receives the encrypted security credentials from the security control device, including:
  • the HMEE receives the encrypted security credential from the security control device via the second VNFC.
  • the interface of the HMEE can be defined to be able to communicate only with a normal VNFC (eg, a second VNFC) in the VNFI, and the ordinary VNFC forwards the information transmitted by the HMEE or forwards the information to the HMEE.
  • a normal VNFC eg, a second VNFC
  • the method further comprises:
  • the HMEE receives an instantiation completion message from the second VNFC.
  • the communication connection with MANO is established, and the ability to forward information for HMEE is also provided.
  • the method further comprises:
  • the HMEE sends the identifier of the first VNFC to the security control device.
  • the security control device may manage the identification of multiple sensitive VNFCs, and the security control device may encrypt and send the security credentials of the corresponding VNFC installation package based on the VNFC identification.
  • the sending, by the HMEE, the identifier of the first VNFC to the security control device including:
  • the HMEE sends the identifier of the first VNFC to the security control device via the second VNFC.
  • the method further comprises:
  • the HMEE sends a hash of the public key to the security control device.
  • the security control device can perform integrity verification on the received public key based on the hash of the public key, and deliver the security if the verification succeeds. Credentials to ensure the secure issuance of security credentials.
  • the HMEE sends the hash of the public key to the security control device, including:
  • the HMEE sends a hash of the public key to the security control device via the second VNFC.
  • the method further comprises:
  • the HMEE sends a hash of a host identification and/or code to the security control device, the host identification being an identification of a host on which the HMEE is installed, the code being a code executed by the HMEE.
  • a possible security control device that attempts to obtain security credentials from the security control device may Identification and/or code for certification.
  • the security certificate is issued, so that the security certificate can be securely delivered.
  • the HMEE sends a hash of the host identifier and/or code to the security control device, including:
  • the HMEE sends the host identification and/or the hash of the code to the security control device via the second VNFC.
  • a method of establishing a VNFI including:
  • the security control device receives a public key from a hardware agent execution environment HMEE in a network function virtualization NFV system, the NFV system deploying a VNFI to be instantiated, the VNFI deploying the HMEE and a first virtual network to be instantiated Functional component VNFC;
  • the security control device encrypts the security credential of the installation package of the first VNFC based on the public key, and obtains the encrypted security credential, where the security credential is used to decrypt the installation package of the first VNFC;
  • the security control device sends the encrypted security credential to the HMEE.
  • the security of the public-private key pair can be ensured and prevented from being obtained or tampered with by a third party.
  • the security credential of the first VNFC installation package is encrypted by the security control device based on the public key in the public private key pair, and the encrypted security credential needs to be decrypted by the private key generated by the HMEE, so that the security credential can be transmitted. Security in the process.
  • the decryption process of the security credential is also performed in the secure execution environment provided by the HMEE, so that the outside world cannot obtain the private key, the security credential, and the installation package of the first VNFC, and the decryption of the security credential cannot be perceived. Unable to sense the installation process of the first VNFC. Thereby, the security of the first VNFC can be ensured.
  • the VNFI is further deployed with a second VNFC that has been instantiated
  • the security control device receives a public key from the HMEE in the NFV system, including:
  • the security control device receives a public key from the HMEE in the NFV system via a second VNFC in the NFV system;
  • the security control device sends the encrypted security credential to the HMEE via the second VNFC.
  • the interface of the HMEE can be defined to be able to communicate only with a normal VNFC (eg, a second VNFC) in the VNFI, and the ordinary VNFC forwards the information transmitted by the HMEE or forwards the information to the HMEE.
  • a normal VNFC eg, a second VNFC
  • the method further includes:
  • the security control device receives an identification of the first VNFC from the HMEE.
  • the security control device may manage the identification of multiple sensitive VNFCs, and the security control device may encrypt and send the security credentials of the corresponding VNFC installation package based on the VNFC identification.
  • the security control device receives the identifier of the first VNFC from the HMEE, including:
  • the security control device receives an identification of the first VNFC from the HMEE via the second VNFC.
  • the method further includes:
  • the security control device receives a hash of the public key from the HMEE;
  • the security control device verifies the public key based on the received hash of the public key and the public key;
  • the security control device encrypts the security credential based on the public key, including:
  • the security control device encrypts the security credential based on the public key if the public key verification is successful.
  • the security control device can perform integrity verification on the received public key based on the hash of the public key, and deliver the security if the verification succeeds. Credentials to ensure the secure issuance of security credentials.
  • the security control device receives a hash of the public key from the HMEE, including:
  • the security control device receives a hash of the public key from the HMEE via the second VNFC.
  • the method further includes:
  • the security control device authenticates the HMEE
  • the security control device sends the encrypted security credential to the HMEE if the HMEE authentication is successful.
  • the HMEE can be authenticated. If the authentication is successful, the security certificate is issued, so that the security certificate can be securely delivered.
  • the security control device authenticates the HMEE, including:
  • the security control device receives a hash of a host identification and/or code from the HMEE, the host identification being an identity of a host configuring the HMEE, the code being a code executed by the HMEE;
  • the security control device authenticates the HMEE according to a hash of the host identifier and/or code, wherein the security control device pre-stores an identifier of the authenticated host and/or a code that is allowed to be executed.
  • a possible security control device that attempts to obtain security credentials from the security control device may Identification and/or code for certification.
  • the security certificate is issued, so that the security certificate can be securely delivered.
  • the security control device receives a hash of the host identifier and/or code from the HMEE, including:
  • the security control device receives a hash of the host identification and/or code from the HMEE via the second VNFC.
  • an apparatus for establishing a VNFI comprising means for performing the method of the first aspect and the method of any of the possible implementations of the first aspect.
  • an apparatus for establishing a VNFI comprising means for performing the methods of the second aspect and the possible implementation of any of the second aspects.
  • an apparatus for establishing a VNFI comprising: a communication interface, a processor, and a memory, the processor is configured to control a communication interface to send and receive signals, the memory is used to store a computer program, and the processor is used to call from a memory and The computer program is executed such that the apparatus performs the method of any of the possible implementations of the first aspect or the first aspect.
  • an apparatus for establishing a VNFI comprising: a communication interface, a processor, and a memory, the processor is configured to control a communication interface to transmit and receive signals, the memory is configured to store a computer program, and the processor is configured to be called from the memory and The computer program is executed such that the apparatus performs the method of any of the possible implementations of the first aspect or the first aspect.
  • a computer program product comprising: computer program code, when the computer program code is run by a device that establishes a VNFI, causing the device to perform the first aspect or the first aspect described above Any of the possible implementations.
  • a computer program product comprising: computer program code, when the computer program code is run by a device that establishes VNFI, causing the device to perform the second or second aspect described above Any of the possible implementations.
  • a ninth aspect a computer readable medium storing program code, the program code comprising instructions for performing the method of the first aspect or any of the possible implementations of the first aspect .
  • a tenth aspect a computer readable medium storing program code, the program code comprising instructions for performing the method of the second aspect or any of the possible implementations of the second aspect .
  • the first VNFC includes a virtual listening unit vPOI.
  • FIG. 1 is a schematic architectural diagram of an NFV system suitable for implementing a method and apparatus for VNFI implemented in the present application;
  • FIG. 2 is a schematic flowchart of a method for establishing a VNFI according to an embodiment of the present application
  • FIG. 3 is a schematic block diagram of an apparatus for establishing a VNFI according to an embodiment of the present application
  • FIG. 4 is a schematic block diagram of an apparatus for establishing a VNFI according to another embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of an apparatus for establishing a VNFI according to an embodiment of the present application
  • FIG. 6 is a schematic structural diagram of an apparatus for establishing a VNFI according to another embodiment of the present application.
  • GSM Global System of Mobile communication
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • GPRS General Packet Radio Service
  • LTE Long Term Evolution
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • UMTS Universal Mobile Telecommunication System
  • WiMAX Worldwide Interoperability for Microwave Access
  • Virtual Machine A complete computer system that runs through a software and runs in a fully isolated environment with full hardware system functionality. That is, the virtual machine can be a virtual device that is simulated on the physical device by virtual machine software. After entering the virtual machine's system, all operations can be performed in a separate virtual system. For example, you can install and run software independently, save data, have your own independent desktop, and access network resources. For applications running in virtual machines, these virtual machines work just like real physical devices.
  • VNF Virtual Network Function
  • a VNF can be composed of multiple lower level components.
  • one VNF can be deployed on one or more VMs.
  • VNF Virtual Network Function Instance
  • VNFI Virtual Network Function Instance
  • the instantiation may include: requesting resources (including, for example, computing resources, network resources, and storage resources), and installing and running on the applied resources, completing related configurations, and the like, so that the VNF can perform its corresponding functions on the hardware.
  • VNFI is the result of the instantiation of the connection of the various component machines to each other.
  • a VNFI may include one or more Virtualized Network Function Components (VNFCs), each of which may be carried on one or more VMs.
  • VNFCs Virtualized Network Function Components
  • VNF Component An internal component of the VNF that can be mapped to one or more VMs.
  • HMEE Hardware-mediated execution enclave
  • a process space and memory area in a host (eg, VM) system environment that enables the confidentiality and integrity of instructions and protection data associated with the area.
  • HMEE can be implemented by a combination of software and hardware.
  • FIG. 1 is a schematic architectural diagram of an NFV system 100 suitable for use in a method and apparatus for establishing a VNFI in accordance with the present application.
  • the NFV system 100 can run on a server, which can be composed of a processor, a hard disk, a memory, a system bus, etc., similar to a general computer architecture.
  • the function of the server can be implemented by one physical device or by a cluster of multiple physical devices. This application does not limit this.
  • the NFV system 100 can be implemented by various networks, such as a data center network, a service provider network, or a local area network (LAN).
  • the NFV system 100 can include:
  • NFVI NFV Infrastructure
  • VNF virtual network functions
  • EMS Multiple Element Management System
  • OSS Operation Support System
  • BSS Business Support System
  • the MANO 128 may include a NFV Orchestrator (NFVO) 102, one or more VNF Managers (VNFMs) 104, and one or more Virtualized Infrastructure Managers (VIMs) 106. .
  • NFVO NFV Orchestrator
  • VNFMs VNF Managers
  • VIPs Virtualized Infrastructure Managers
  • the NFVI 130 may include a computing hardware 112, storage hardware 114, a hardware resource layer composed of network hardware 116, a virtualization layer, and a virtual resource layer composed of virtual computing 110 (eg, virtual machine), virtual storage 118, and virtual network 120.
  • the computing hardware 112 can be a dedicated processor or a general purpose processor for providing processing and computing functions.
  • the storage hardware 114 is configured to provide storage capabilities, which may be provided by the storage hardware 114 itself (eg, a server's local memory), or may be provided over a network (eg, the server connects to a network storage device over a network).
  • Network hardware 116 may be a switch, router, and/or other network device, and network hardware 116 is used to enable communication between multiple devices, with wireless or wired connections between multiple devices.
  • the virtualization layer in NFVI 130 is used to abstract the hardware resources of the hardware resource layer, decouple the VNF 108 from the physical layer to which the hardware resources belong, and provide virtual resources to the VNF.
  • virtual resources may include virtual computing 110, virtual storage 118, and virtual network 120.
  • Virtual computing 110, virtual storage 118 may provide virtual resources to VNF 108 in the form of virtual machines or other virtual containers, for example, one or more VNFs 108 may be deployed on one or more virtual machines.
  • the virtualization layer forms a virtual network 120 through abstract network hardware 116.
  • a virtual network 120 such as a virtual switch (eg, Vswitches), is used to enable communication between multiple virtual machines, or between other types of virtual containers hosting VNFs.
  • Virtualization of network hardware can be virtualized by virtual LAN (VLAN, Virtual LAN), Virtual Private LAN Service (VPLS, Virtual Private LAN Service), Virtual EXtensible Local Area Network (VxLAN), or Universal Routing Encapsulation Network ( NVGRE, Nerwork Virtualization using Generic Routing Encapsulation) and other technical implementations.
  • VLAN Virtual LAN
  • VPLS Virtual Private LAN Service
  • VxLAN Virtual EXtensible Local Area Network
  • NVGRE Universal Routing Encapsulation Network
  • OSS/BSS 124 is mainly for telecom operators, providing comprehensive network management and service operation functions, including network management (such as fault monitoring, network information collection, etc.), billing management, and customer service management.
  • network management such as fault monitoring, network information collection, etc.
  • billing management such as billing management
  • customer service management such as customer service management.
  • the Service VNF and Infrastructure Description System 126 is described in detail in the ETSI GS NFV 002v1.1.1 standard, and details are not described herein again.
  • the MANO 128 can be used to monitor and manage VNF 108 and NFVI 130.
  • the NFVO 102 can communicate with one or more VNFMs 104 to implement resource related requests, send configuration information to the VNFM 104, and collect status information for the VNF 108.
  • NFVO 102 can also communicate with VIM 106 to enable resource allocation, and/or to implement provisioning and exchange of configuration information and status information for virtualized hardware resources.
  • the VNFM 104 can be used to manage one or more VNFs 108, performing various management functions, such as initializing, updating, querying, and/or terminating the VNF 108.
  • the VIM 106 can be used to control and manage the interaction of the VNF 108 and computing hardware 112, storage hardware 114, network hardware 116, virtual computing 110, virtual storage 118, virtual network 120.
  • VIM 106 can be used to perform resource allocation operations to VNF 108.
  • VNFM 104 and VIM 106 can communicate with each other to exchange virtualized hardware resource configuration and status information.
  • NFVI 130 includes both hardware and software that together create a virtualized environment to deploy, manage, and execute VNF 108.
  • the hardware resource layer and the virtual resource layer are used to provide virtual resources, such as virtual machines and/or other forms of virtual containers, to the VNF 108.
  • VNFM 104 can communicate with VNF 108 and EMS 122 to perform VNF lifecycle management and implement exchange of configuration/status information.
  • the VNF 108 is a virtualization of at least one network function that was previously provided by a physical network device.
  • the VNF 108 can be a virtualized Mobility Management Entity (MME) node for providing all network functions provided by a typical non-virtualized MME device.
  • MME Mobility Management Entity
  • the VNF 108 can be used to implement the functionality of some of the components provided on the non-virtualized MME device.
  • One or more VNFs 108 can be deployed on a virtual machine (or other form of virtual container).
  • the EMS 122 can be used to manage one or more VNFs.
  • VNF 108 may include HMEE, which may be understood as software running on virtual resources used to host VNF 108 to perform its respective functions.
  • HMEE can be understood as a VNFC in VNF.
  • the functionality of HMEE has been described in detail, and in the present application, HMEE can be used to perform the steps in method 200 below.
  • each VNFI may be deployed on one or more VMs to implement different network functions.
  • a VNFI may include one or more VNFCs, and each VNFC may be mapped on one or more VMs.
  • the VNFI When the VNFI is deployed on multiple VMs, the multiple VMs are connected to each other.
  • the specific connection mode may be the same as that in the prior art. For example, reference may be made to the connection mode defined in the standard, which is not described herein.
  • a non-sensitive VNFC can be included.
  • a non-sensitive VNFC can also be called a normal VNFC. It has low security requirements and can be a VNFC that is visible to ordinary business personnel or a VNFC that can be operated by ordinary business personnel.
  • the VNFI may also include a sensitive VNFC.
  • the sensitive VNFC has high security requirements. For example, some sensitive VNFCs are invisible to ordinary business personnel, or are not perceived by ordinary business personnel, and only allow specific ones. Personnel use; although some sensitive VNFCs can be seen and used by ordinary business people, their core algorithms may need to be kept secret and do not want to be obtained by ordinary business personnel.
  • a sensitive VNFC includes a vPOI.
  • the installation process of the sensitive VNFC is usually created by a common VNFC, that is, the instantiation process of the VNFC is completely controlled by the ordinary VNFC.
  • the security of a normal VNFC is not high. If a normal VNFC is attacked, for example, receiving malicious party control, it will affect the security of the sensitive VNFC. Therefore, it is desirable to provide a method that can ensure the security of a sensitive VNFC.
  • the present application provides a method and apparatus for establishing a VNFI, which can install a sensitive VNFC in a secure environment to complete the instantiation of the VNFI and meet the security requirements of the VNFC.
  • FIG. 2 is a schematic flowchart of a method for establishing a VNFI according to an embodiment of the present application.
  • the method 200 can be performed in a system including an NFV system and a security control device, wherein the VNF system can deploy one or more VNFIs, and each VNFI can be deployed with one or more VNFCs.
  • the method for establishing VNFI provided by the present application is described in detail by taking the instantiation process of the first VNFC in the first VNFI in the NFV system as an example.
  • the first VNFC can be a sensitive VNFC.
  • the NFV system may be the NFV system 100 as shown in FIG. 1, and its function may be implemented by a cluster of one physical device or multiple physical devices.
  • Each module in the NFV system for example, HMEE, VNFC, etc. in the embodiments of the present application can be understood as software running on different virtual machines, and resources (including, for example, network resources, computing resources, and storage resources) can be used.
  • resources including, for example, network resources, computing resources, and storage resources
  • a processor in a physical device executes the functions stored in the memory by executing code stored in the memory.
  • the method 200 is described in detail below in conjunction with FIG. As shown in FIG. 2, the method 200 includes steps 210 through 260.
  • step 210 the HMEE generates a public-private key pair.
  • the HEMM can be used to provide a secure, trusted execution environment that can be understood as a secure execution environment.
  • the secure execution environment can be isolated from the non-secure execution environment hardware, or the secure execution environment and the non-secure execution environment can be understood as two operating environments running on the same device at the same time.
  • the operation of the operating system and software can be regarded as running in the background of the system and not being seen by ordinary users. Therefore, resources in the environment can be protected from malware attacks and resist multiple types. Security threats. Therefore, the secure execution environment can effectively ensure the security of information and data, and the information or data saved in the secure execution environment cannot be obtained or tampered with by an attacker.
  • the HMEE may include Intel's Safe Guard Extensions (SGX) technology.
  • HMEE can perform its corresponding functions by loading software on a physical device (for example, a server).
  • the device can be used not only to implement the corresponding functions of HMEE, but also to build multiple VNFIs through virtualization technology to realize various business functions.
  • HMEE can be understood as an example of a secure execution environment, and should not be limited to the present application.
  • the secure execution environment may be, for example, a Trusted Environment (TE) or the like.
  • TE Trusted Environment
  • step 220 the HMEE sends the public key in the public-private key pair generated in step 210 to the security control device.
  • the public-private key pair generated by the HMEE may include a corresponding public key and a private key, and the HMEE may send the public key to the security control device to request to instantiate the first VNFC, and the private key Save it locally. Since HMEE can generate a public-private key pair in a secure execution environment and save the private key, the private key has high security and is not easily acquired or tampered with by an attacker.
  • the security control device receives the public key from the HMEE.
  • HMEE may not have the ability to communicate externally.
  • an HMEE vendor can define an Application Programming Interface (API) interface to be able to communicate only with a normal VNFC in an NFV system, but not directly with a security control device. Then the HMEE can forward the public key to the security control device through the network element in the NFV system.
  • the first VNFI further includes a second VNFC, and the second VNFC may be a VNFC that has been instantiated.
  • step 220 specifically includes:
  • the HMEE sends the public key to the security control device via the second VNFC.
  • the security control device receives the public key from the HMEE via the second VNFC.
  • the method 200 further includes:
  • Step 230 The second VNFC sends an instantiation completion message to the HMEE.
  • the HMEE receives an instantiation completion message sent by the second VNFC.
  • the HMEE may send the public key to the security control device via the second VNFC in step 220. More specifically, the HMEE can send the public key to the second VNFC, the second VNFC can send the public key to the MANO (specifically, the VNFM in the MANO), and the MANO can forward the public key to the security control device.
  • the MANO specifically, the VNFM in the MANO
  • the security control device mentioned herein can be understood as a third-party security control device.
  • it can be a security controller (Security Controller, SC) in the European Telecommunication Standards Institute (ETSI) NFV SEC013. ), Network Security Manager (NSM) in ETSI NFV SEC 013, and Carrier's Credential Manager (CM).
  • SC Security Controller
  • ETSI European Telecommunication Standards Institute
  • NSM Network Security Manager
  • CM Carrier's Credential Manager
  • the security control device may be a Lawful Interception Controller (LI controller) and an Administration Function (ADMF).
  • LI controller Lawful Interception Controller
  • ADMF Administration Function
  • the LI controller can be used to interface with the MANO to control the operation of the vPOI NFV layer.
  • the ADMF can be used to control the configuration and delivery of the vPOI layer.
  • the specific functions of the LI controller and the ADMF can be referred to the prior art, and a detailed description of the functions thereof is omitted here for the sake of brevity.
  • ADMF can manage the security credentials of sensitive VNFC.
  • the public key sent by the above HMEE can be sent to the ADMF via the LI controller.
  • the security control device can be used to manage the security certificate of the first VNFC to be instantiated, and whether the security certificate is sent to the HMEE is determined by the security control device, that is, It is said that whether the first VNFC is instantiated can be determined by the security control device.
  • step 240 the security control device encrypts the security credential of the installation package of the first VNFC based on the received public key to obtain the encrypted security credential.
  • the security credential can be used to encrypt the installation package of the first VNFC, for example, encrypt part or all of the code of the first VNFC type installation package.
  • the installation package of the first VNFC can be used to install the first VNFC after being decrypted by the security credential.
  • step 250 the security control device sends the encrypted security credentials to the HMEE.
  • the HMEE receives the encrypted security credentials from the security control device.
  • the security control device may forward the encrypted security credential to the HMEE via the MANO and the second VNFC.
  • the HMEE receives the encrypted security credentials from the security control device via the second VNFC and MANO.
  • the same security control device may manage security credentials for multiple sensitive VNFCs, one for each VNFC.
  • the same security control device may receive a public key from multiple HMEEs, or even a public key sent by a third party impersonating HMEE, and the security control device may send the sender of the information (ie HMEE). Authenticate to ensure the security certificate is issued securely.
  • the public key may be tampered with by a third party during the transmission process, and the security control device may verify the public key before encrypting the security certificate to ensure the secure delivery of the security certificate.
  • the method further includes: the HMEE sending the identifier of the first VNFC to the security control device.
  • the security control device receives the identity of the first VNFC from the HMEE.
  • the security control device may search for the corresponding security credential based on the identifier of the first VNFC, and then encrypt and send.
  • the method further includes: the HMEE sending a hash of the public key to the security control device.
  • the security control device receives a hash of the public key from the HMEE.
  • the hash of the public key can be used to perform integrity verification on the public key received in step 220. Therefore, step 250 may specifically include: in case the verification is successful, the security control device may encrypt the security credential based on the public key. In the case that the verification is unsuccessful, the security control device may not send the security credential, for example, reply to the empty message, or reply to the failure message, or reply to the random message, etc., to notify the HMEE security credential not to be delivered. Therefore, the security risks of the public key being falsified during the transmission process can be avoided, and the security certificate can be securely delivered.
  • the method further comprises: the HMEE sending a hash of the host identity and/or code to the security control device.
  • the host identifier is the identifier of the host where the HMEE is installed, and the code is the code executed by the HMEE.
  • the security control device receives a hash of the host identification and/or code sent from the security control device.
  • the security control device authenticates the host on which the HMEE is installed based on the host identity and the pre-saved authenticated host identity. Therefore, the step 250 may specifically include: in the case that the host authentication is successful, the security control device may send the encrypted security credential to the HMEE. In the case that the host authentication is unsuccessful, the security control device may not send the security credential, for example, reply to the empty message, or reply to the failure message, or reply to the random message, etc., to notify the HMEE security credential not to be delivered. Therefore, it is possible to prevent other devices from posing as HMEEs to obtain security credentials from the security control device, and to ensure the secure delivery of the security credentials.
  • the security control device can also authenticate the code executed by the HMEE based on the hash of the code and the pre-saved code that is allowed to execute. Therefore, the step 250 may specifically include: in the case that the code authentication is successful, the security control device may send the encrypted security credential to the HMEE. In the case that the code authentication is unsuccessful, the security control device may not send the security credential, for example, reply to the empty message, or reply to the failure message, or reply to the random message, etc., to notify the HMEE security credential not to be delivered. Therefore, it is possible to prevent the host from being attacked by a third party to obtain a security certificate from the security control device by using an illegal code, and to ensure the secure delivery of the security certificate.
  • the security control device can authenticate both the host and the code. Therefore, the step 250 can specifically include: in the case that both the host and the code are successfully authenticated, the security control device can send the encrypted security credential to the HMEE; In the case where any of the codes in the code is unsuccessful, the security control device may not issue the security credentials. As a result, authentication can be performed from both hardware and software to further improve security.
  • the public key, the identifier of the first VNFC, the hash of the public key, the host identifier, and the hash of the code may be carried in the same message (for example, as the first message), for example,
  • the HMEE sends the first message to the security control device, so that the security control device completes the integrity verification of the public key and the HMEE authentication based on the received message, so that the security certificate of the installation package of the first VNFC is performed based on the public key. encryption.
  • the specific information carried in the first message listed herein is only an exemplary description.
  • the first message may carry at least one of the following: a hash of the public key, the first VNFC. The hash of the identity, host ID, and code.
  • the hash of the public key, the identifier of the first VNFC, the host identifier, and the hash of the code may be forwarded to the security control device by using the second VNFC.
  • the HMEE may perform step 260, and the HMEE decrypts the encrypted security credential based on the private key to obtain the security credential.
  • the HMEE may generate a public-private key pair by using an encryption algorithm, where the public key and the private key correspond to each other, and the information encrypted by the public key can be decrypted only by the private key. Therefore, when the security control device encrypts the security credential based on the public key transmitted by the HMEE, the encrypted security credential requires the private key of the HMEE to be decrypted. After the HMEE generates the public-private key pair, the private key can be saved locally. Because the HMEE environment is secure, the private key is not obtained or tampered with by a third party. After the HMEE receives the encrypted security credential, the encrypted security credential can be decrypted based on the locally saved private key to obtain the security credential.
  • the HMEE may decrypt the installation package of the first VNFC based on the security credential to complete instantiation of the first VNFC on the pre-configured virtual resource (eg, VM).
  • the HMEE may delete the installation package of the first VNFC after completing the instantiation of the first VNFC.
  • the instantiation process of the first VNFC may be the same as the instantiation process of the sensitive VNFC in the prior art, and a detailed description of the process is omitted here for the sake of brevity.
  • the first VNFC may have the same function as the second VNFC, for example, may communicate directly with the outside or the like. This application does not limit the function of the first VNFC.
  • the security control device may encrypt the security credential of the installation package of the first VNFC based on the public key generated by the HMEE, and the encrypted security credential needs to be decrypted by the private key generated by the HMEE, and the security credential can be transmitted.
  • Security in the process.
  • the process of public-private key pairing and decryption is performed in the secure execution environment provided by HMEE, so that the outside world cannot obtain the private key, the security credential, the code of the first VNFC, and the decryption of the security credential is also not known. Unable to sense the installation process of the first VNFC. Thereby, the security of the first VNFC can be ensured.
  • the first VNFC includes a vPOI.
  • the use process of the vPOI is also not expected to be perceived. Therefore, although the vPOI has the function of communicating with the outside world, it only communicates directly with the security control device (such as the LI controller and ADMF described above), that is, the vPOI is completely controlled only by the security control device, and therefore, the vPOI The communication process with the security control device is not perceived by a normal VNFC (eg, a second VNFC) or MANO.
  • a normal VNFC eg, a second VNFC
  • MANO a normal VNFC
  • the security key generated by the HMEE is encrypted, and the HMEE saves the security certificate, thereby ensuring the security of the security certificate, thereby ensuring that the vPOI installation package is not obtained by the third party.
  • the vPOI by restricting the vPOI to communicate only with the security control device, it is ensured that the vPOI and the normal VNFC are independent of each other, thereby ensuring that the vPOI use process is not perceived by the outside world.
  • VNI including the first VNFI and other VNFIs
  • MANO can deceive MANO by sending information to MANO (for example, sending a public key). Therefore, MANO can not judge which VNFI contains vPOI, which ensures that the installation and use process of vPOI is not perceived by MANO, which further improves the security of vPOI.
  • the second VNFC and the MANO are respectively forwarded, but it should be understood that the forwarding of the second VNFC and the MANO may be only transparent transmission, and the information itself is not performed. deal with.
  • MANO can include VIM, VNFM, and NFVO; for example, the NFV system can also include a first VNFC, a third VNFC, and the like.
  • FIG. 3 is a schematic block diagram of an apparatus 300 for establishing a VNFI according to an embodiment of the present application. It should be understood that the apparatus for establishing VNFI shown in FIG. 3 is only an example, and the apparatus for establishing VNFI in the embodiment of the present application may further include other units or modules, or include units similar in function to the units in FIG. 3, or It is not necessary to include all the elements in Figure 3.
  • the device 300 is configured in a network function virtualization NFV system, where the NFV system is deployed with a VNFI to be instantiated, and the VNFI is deployed with the device 500 and a first virtual network to be instantiated to form a VNFC.
  • the apparatus 300 may include a generating unit 310, a communication unit 320, and a decrypting unit 330.
  • the generating unit 310 is configured to generate a public-private key pair.
  • the communication unit 320 is configured to send the public key in the public-private key pair to the security control device;
  • the decryption unit 330 is configured to decrypt the encrypted security credential based on the private key in the public-private key pair to obtain the security credential.
  • VNFI-enabled device 300 shown in FIG. 3 may correspond to (for example, may be configured or be itself) the HMEE in the method of establishing VNFI in the above embodiment, and establish the above-mentioned units in the VNFI device 300. And other operations and/or functions, respectively, in order to implement the corresponding process of the method for establishing VNFI in FIG. 2, for brevity, no further details are provided herein.
  • FIG. 4 is a schematic block diagram of an apparatus 400 for establishing a VNFI according to another embodiment of the present application. It should be understood that the apparatus for establishing VNFI shown in FIG. 4 is only an example, and the apparatus for establishing VNFI in the embodiment of the present application may further include other units or modules, or include units similar in function to the units in FIG. 4, or It is not intended to include all of the elements in Figure 4.
  • the apparatus 400 may include a communication unit 410 and an encryption unit 420.
  • the communication unit 410 is configured to receive a public key from a hardware intermediary execution environment HMEE in a network function virtualization NFV system, where the NFV system deploys a VNFI to be instantiated, the VNFI deploying the HMEE and a first virtual to be instantiated Network function component VNFC;
  • the encryption unit 420 is configured to encrypt the security credential of the installation package of the first VNFC based on the public key, to obtain an encrypted security credential, where the security credential is used to decrypt the installation package of the first VNFC;
  • the communication unit 410 is further configured to send the encrypted security credential to the HMEE.
  • VNFI-enabled device 400 shown in FIG. 4 may correspond to (eg, may be configured or itself) the security control device in the method of establishing VNFI in the above embodiment, and establish each unit in the VNFI device 400.
  • the foregoing and other operations and/or functions are respectively implemented in order to implement the corresponding process of the method for establishing VNFI in FIG. 2, and are not described herein again for brevity.
  • FIG. 5 is a schematic structural diagram of a device 500 for establishing a VNFI according to an embodiment of the present application.
  • the device 500 includes a memory 510, a processor 520, and a communication interface 530.
  • the memory 510 may be integrated in the processor 520 or may be independent of the processor 520.
  • the memory 510 can be used to store instructions, and the processor 520 can be configured to execute instructions stored in the memory 510 to control communication interface 530 trick information or signals.
  • the memory 510, the processor 520, and the communication interface 530 can communicate with each other through an internal connection path. Control and / or data signals.
  • the device 500 is configured in a network function virtualization NFV system, where the NFV system is deployed with a VNFI to be instantiated, and the VNFI is deployed with the device 500 and a first virtual network to be instantiated to form a VNFC, and the processing in the device 500
  • the 520 can call the program code stored in the memory 510 to perform the following operations:
  • Control communication interface 530 sends the public key in the public-private key pair to the security control device;
  • the control communication interface 530 receives the encrypted security credential from the security control device, and the encrypted security credential is obtained by encrypting the security credential of the installation package of the first VNFC based on the public key, and the security credential is used for Decrypting the installation package of the first VNFC;
  • the encrypted security certificate is decrypted based on the private key in the public-private key pair to obtain a security credential.
  • the VNFI-enabled device 500 shown in FIG. 5 may correspond to (for example, may be configured or be itself) the HMEE in the method of establishing VNFI in the above embodiment, and establish the above-mentioned units in the VNFI device 500. And other operations and/or functions, respectively, in order to implement the corresponding process of the method for establishing VNFI in FIG. 2, for brevity, no further details are provided herein.
  • the generating unit 310 and the encrypting unit 320 in the apparatus 300 shown in FIG. 3 may correspond to the processor 520
  • the communication unit 320 in the apparatus 300 shown in FIG. 3 may correspond to the communication interface 530.
  • FIG. 6 is a schematic structural diagram of a device 600 for establishing a VNFI according to another embodiment of the present application.
  • the device 600 includes a memory 610, a processor 620, and a communication interface 630.
  • the memory 610 may be integrated in the processor 620 or may be independent of the processor 620.
  • the memory 610 can be used to store instructions, and the processor 620 can be configured to execute instructions stored in the memory 610 to control communication interface 630 trick information or signals.
  • the memory 610, the processor 620, and the communication interface 630 can communicate with each other through an internal connection path. Control and / or data signals.
  • the processor 11 can call the program code stored in the memory 12 to perform the following operations:
  • the control communication interface 630 receives a public key from a hardware agent execution environment HMEE in a network function virtualization NFV system, the NFV system deploying a VNFI to be instantiated, the VNFI deploying the HMEE and a first virtual to be instantiated Network function component VNFC;
  • Control communication interface 630 sends the encrypted security credentials to the HMEE.
  • the VNFI-enabled device 600 shown in FIG. 6 may correspond to (for example, may be configured or be itself) the security control device in the method for establishing VNFI in the above embodiment, and establish each unit in the VNFI device 600.
  • the foregoing and other operations and/or functions are respectively implemented in order to implement the corresponding process of the method for establishing VNFI in FIG. 2, and are not described herein again for brevity.
  • the communication unit 410 in the apparatus 400 shown in FIG. 4 can correspond to the communication interface 630
  • the encryption unit 420 in the apparatus 400 shown in FIG. 4 can correspond to the processor 620.
  • the processor may be an integrated circuit chip with signal processing capability.
  • each step of the foregoing method embodiment may be completed by an integrated logic circuit of hardware in a processor or an instruction in a form of software.
  • the above processor may be a CPU, or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), or a field programmable gate array (Field Programmable Gate Array). FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component.
  • the general purpose processor can be a microprocessor or any conventional processor or the like.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present application may be directly implemented by the hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory, and the processor reads the information in the memory and combines the hardware to complete the steps of the above method.
  • the memory may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory may be a read-only memory (ROM), a programmable read only memory (ROMM), an erasable programmable read only memory (erasable PROM, EPROM), or an electrical Erase programmable EPROM (EEPROM) or flash memory.
  • the volatile memory can be a random access memory (RAM) that acts as an external cache.
  • RAM Direct memory bus random access memory
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present application which is essential or contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium, including
  • the instructions are used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store program codes. .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本申请提供了一种建立虚拟网络功能实例VNFI的方法和装置,能够保证虚拟网络功能组件VNFC的安全性。该方法包括:网络功能虚拟化NFV系统中的硬件中介执行环境HMEE生成公私钥对,该NFV系统部署有待实例化的VNFI,该VNFI部署有该HMEE和待实例化的第一VNFC;该HMEE向安全控制设备发送该公私钥对中的公钥;该HMEE接收来自该安全控制设备的加密后的安全凭证,该加密后的安全凭证是基于该公钥对第一VNFC的安装包的安全凭证加密得到,该安全凭证用于解密该第一VNFC的安装包;该HMEE基于该公私钥对中的私钥解密该加密后的安全凭证,得到该安全凭证。

Description

建立虚拟网络功能实例的方法和装置
本申请要求于2017年12月7日提交中国国家知识产权局、申请号为201711283694.4、发明名称为“建立虚拟网络功能实例的方法和装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
技术领域
本申请涉及计算机领域,并且,更具体地,涉及建立网络虚拟功能实例的方法和装置。
背景技术
网络功能虚拟化(Network Function Virtualization,NFV)技术可以将部分网络功能以软件方式在通用硬件上实现,例如,在电信网络中,利用NFV技术可以在通用的云服务器、交换机和存储中实现部分电信网络功能,从而实现网络服务的快速、高效部署。
目前,已知一种建立虚拟网络功能实例(Virtual Network Function Instance,VNFI)的方法,在申请到用于建立VNFI的资源(例如包括网络资源、计算资源和存储资源)之后,便可以在申请到的资源上创建虚拟机(Virtual Machine,VM),进而在虚拟机上安装用于实现不同功能的软件包,以建立用于不同业务需求的VNFI。VNFI通常可以可包括一个或多个虚拟网络功能组件(VNF Component,VNFC),每个VNFC可以对应于一种业务功能。在某些情况下,可能并不希望某些VNFC对所有人都可见,例如,根据国家的法律法规,不允许一些敏感部件,如虚拟监听单元(virtual Point of Interception,vPOI),被普通业务人员感知;又例如,为了保护企业的技术机密,例如,核心算法、参数等,某些VNFC虽然能够被感知和使用,但其内部的核心算法、参数等是需要保密的,不希望被普通业务人员获取。因此,希望提供一种方法,能够保证敏感的VNFC的安全性。
发明内容
本申请提供一种建立VNFI的方法和装置,以提高敏感的VNFC的安全性。
第一方面,提供了一种建立VNFI的方法,包括:
网络功能虚拟化NFV系统中的硬件中介执行环境HMEE生成公私钥对,所述NFV系统部署有待实例化的VNFI,所述VNFI部署有所述HMEE和待实例化的第一虚拟网络功能组件VNFC;
所述HMEE向安全控制设备发送所述公私钥对中的公钥;
所述HMEE接收来自所述安全控制设备的加密后的安全凭证,所述加密后的安全凭证是基于所述公钥对第一VNFC的安装包的安全凭证加密得到,所述安全凭证用于解密所述第一VNFC的安装包;
所述HMEE基于所述公私钥对中的私钥解密所述加密后的安全凭证,得到所述安全凭证。
基于上述技术方案,通过在HMEE中生成公私钥对,可以保证公私钥对的安全性,避免被第三方获取或篡改。另外,通过安全控制设备基于该公私钥对中的公钥对第一VNFC的安装包的安全凭证进行加密,该加密的安全凭证需由HMEE生成的私钥才能够解密,可以保证安全凭证在传输过程中的安全性。并且,对该安全凭证的解密过程也是在HMEE所提供的的安全执行环境中进行,使得外界无法获取私钥、安全凭证以及第一VNFC的安装包,无法感知到该安全凭证的解密,也就无法感知第一VNFC的安装过程。由此,可以保证第一VNFC的安全性。
结合第一方面,在第一方面的某些实现方式中,所述VNFI还部署有已完成实例化的第二VNFC,以及
所述HMEE向安全控制设备发送所述公私钥对中的公钥,包括:
所述HMEE经由所述第二VNFC向所述安全控制设备发送所述公私钥对中的公钥;
所述HMEE接收来自所述安全控制设备的加密后的安全凭证,包括:
所述HMEE经由所述第二VNFC接收来自所述安全控制设备的所述加密后的安全凭证。
为了进一步保证HMEE的安全执行环境,可将HMEE的接口定义为仅能够与VNFI中的普通VNFC(例如,第二VNFC)通信,由普通VNFC来转发HMEE发送的信息或向HMEE转发信息。
结合第一方面,在第一方面的某些实现方式中,所述方法还包括:
所述HMEE接收来自所述第二VNFC的实例化完成消息。
当第二VNFC完成了实例化,也就建立好了与MANO的通信连接关系,也就具备为HMEE转发信息的能力。
结合第一方面,在第一方面的某些实现方式中,所述方法还包括:
所述HMEE向所述安全控制设备发送所述第一VNFC的标识。
在某些情况下,安全控制设备可能管理者多个敏感的VNFC的标识,安全控制设备可基于VNFC的标识,对相应的VNFC的安装包的安全凭证进行加密并发送。
可选地,所述HMEE向所述安全控制设备发送所述第一VNFC的标识,包括:
所述HMEE经由所述第二VNFC向所述安全控制设备发送所述第一VNFC的标识。
结合第一方面,在第一方面的某些实现方式中,所述方法还包括:
所述HMEE向所述安全控制设备发送所述公钥的哈希。
为了避免传输过程中第三方可能对公钥进行篡改可能带来的安全隐患,安全控制设备可以基于公钥的哈希对接收到的公钥进行完整性验证,在验证成功的情况下下发安全凭证,从而保证安全凭证的安全下发。
可选地,所述HMEE向所述安全控制设备发送所述公钥的哈希,包括:
所述HMEE经由所述第二VNFC向所述安全控制设备发送所述公钥的哈希。
结合第一方面,在第一方面的某些实现方式中,所述方法还包括:
所述HMEE向所述安全控制设备发送主机标识和/或代码的哈希,所述主机标识为安装所述HMEE的主机的标识,所述代码为所述HMEE所执行的代码。
为了避免第三方(例如,未经过安全控制设备认证的设备)冒充HMEE发送公钥,或者HMEE被第三方攻破采用非法的代码,以试图从安全控制设备获取安全凭证的可能 安全控制设备可以对主机标识和/或代码进行认证。在对主机标识和/或代码认证成功的情况下,才下发安全凭证,从而可保证安全凭证的安全下发。
可选地,所述HMEE向所述安全控制设备发送主机标识和/或代码的哈希,包括:
所述HMEE经由所述第二VNFC向所述安全控制设备发送所述主机标识和/或所述代码的哈希。
第二方面,提供了一种建立VNFI的方法,包括:
安全控制设备接收来自网络功能虚拟化NFV系统中的硬件中介执行环境HMEE的公钥,所述NFV系统部署有待实例化的VNFI,所述VNFI部署有所述HMEE和待实例化的第一虚拟网络功能组件VNFC;
所述安全控制设备基于所述公钥对第一VNFC的安装包的安全凭证进行加密,得到加密后的安全凭证,所述安全凭证用于解密所述第一VNFC的安装包;
所述安全控制设备向所述HMEE发送所述加密后的安全凭证。
基于上述技术方案,通过在HMEE中生成公私钥对,可以保证公私钥对的安全性,避免被第三方获取或篡改。另外,通过安全控制设备基于该公私钥对中的公钥对第一VNFC的安装包的安全凭证进行加密,该加密的安全凭证需由HMEE生成的私钥才能够解密,可以保证安全凭证在传输过程中的安全性。并且,对该安全凭证的解密过程也是在HMEE所提供的的安全执行环境中进行,使得外界无法获取私钥、安全凭证以及第一VNFC的安装包,无法感知到该安全凭证的解密,也就无法感知第一VNFC的安装过程。由此,可以保证第一VNFC的安全性。
结合第二方面,在第二方面的某些实现方式中,所述VNFI还部署有已完成实例化的第二VNFC,以及
所述安全控制设备接收来自NFV系统中的HMEE的公钥,包括:
所述安全控制设备经由所述NFV系统中的第二VNFC接收来自所述NFV系统中的所述HMEE的公钥;
所述安全控制设备向所述HMEE发送所述加密后的安全凭证,包括:
所述安全控制设备经由所述第二VNFC向所述HMEE发送所述加密后的安全凭证。
为了进一步保证HMEE的安全执行环境,可将HMEE的接口定义为仅能够与VNFI中的普通VNFC(例如,第二VNFC)通信,由普通VNFC来转发HMEE发送的信息或向HMEE转发信息。
结合第二方面,在第二方面的某些实现方式中,所述方法还包括:
所述安全控制设备接收来自所述HMEE的所述第一VNFC的标识。
在某些情况下,安全控制设备可能管理者多个敏感的VNFC的标识,安全控制设备可基于VNFC的标识,对相应的VNFC的安装包的安全凭证进行加密并发送。
可选地,所述安全控制设备接收来自所述HMEE的所述第一VNFC的标识,包括:
所述安全控制设备经由所述第二VNFC接收来自所述HMEE的所述第一VNFC的标识。
结合第二方面,在第二方面的某些实现方式中,所述方法还包括:
所述安全控制设备接收来自所述HMEE的所述公钥的哈希;
所述安全控制设备基于接收到的所述公钥和所述公钥的哈希,对所述公钥进行验证;
所述安全控制设备基于所述公钥对安全凭证进行加密,包括:
所述安全控制设备在对所述公钥验证成功的情况下,基于所述公钥对所述安全凭证进行加密。
为了避免传输过程中第三方可能对公钥进行篡改可能带来的安全隐患,安全控制设备可以基于公钥的哈希对接收到的公钥进行完整性验证,在验证成功的情况下下发安全凭证,从而保证安全凭证的安全下发。
可选地,所述安全控制设备接收来自所述HMEE的公钥的哈希,包括:
所述安全控制设备经由所述第二VNFC接收来自所述HMEE的所述公钥的哈希。
结合第二方面,在第二方面的某些实现方式中,所述方法还包括:
所述安全控制设备对所述HMEE进行认证;
所述安全控制设备向所述HMEE发送所述加密后的安全凭证,包括:
所述安全控制设备在对所述HMEE认证成功的情况下,向所述HMEE发送所述加密后的安全凭证。
为了避免安全凭证被第三方获取,可对HMEE进行认证,在认证成功的情况下,才下发安全凭证,从而可保证安全凭证的安全下发。
结合第二方面,在第二方面的某些实现方式中,所述安全控制设备对所述HMEE进行认证,包括:
所述安全控制设备接收来自所述HMEE的主机标识和/或代码的哈希,所述主机标识为配置所述HMEE的主机的标识,所述代码为所述HMEE所执行的代码;
所述安全控制设备根据所述主机标识和/或代码的哈希,对所述HMEE进行认证,其中,所述安全控制设备中预先保存有已认证的主机的标识和/或允许执行的代码。
为了避免第三方(例如,未经过安全控制设备认证的设备)冒充HMEE发送公钥,或者HMEE被第三方攻破采用非法的代码,以试图从安全控制设备获取安全凭证的可能安全控制设备可以对主机标识和/或代码进行认证。在对主机标识和/或代码认证成功的情况下,才下发安全凭证,从而可保证安全凭证的安全下发。
可选地,所述安全控制设备接收来自所述HMEE的主机标识和/或代码的哈希,包括:
所述安全控制设备经由所述第二VNFC接收来自所述HMEE的主机标识和/或代码的哈希。
第三方面,提供了一种建立VNFI的装置,包括用于执行上述第一方面以及第一方面中任一种可能实现方式中的方法的各个单元。
第四方面,提供了一种建立VNFI的装置,包括用于执行上述第二方面以及第二方面中任一种可能实现方式中的方法的各个单元。
第五方面,提供了一种建立VNFI的装置,包括:通信接口、处理器和存储器,该处理器用于控制通信接口收发信号,该存储器用于存储计算机程序,该处理器用于从存储器中调用并运行该计算机程序,使得该装置执行第一方面或第一方面任一种可能实现方式中的方法。
第六方面,提供了一种建立VNFI的装置,包括:通信接口、处理器和存储器,该处理器用于控制通信接口收发信号,该存储器用于存储计算机程序,该处理器用于从存 储器中调用并运行该计算机程序,使得该装置执行第一方面或第一方面任一种可能实现方式中的方法。
第七方面,提供了一种计算机程序产品,所述计算机程序产品包括:计算机程序代码,当所述计算机程序代码被建立VNFI的装置运行时,使得所述装置执行上述第一方面或第一方面任一种可能实现方式中的方法。
第八方面,提供了一种计算机程序产品,所述计算机程序产品包括:计算机程序代码,当所述计算机程序代码被建立VNFI的装置运行时,使得所述装置执行上述第二方面或第二方面任一种可能实现方式中的方法。
第九方面,提供了一种计算机可读介质,所述计算机可读介质存储有程序代码,所述程序代码包括用于执行第一方面或第一方面任一种可能实现方式中的方法的指令。
第十方面,提供了一种计算机可读介质,所述计算机可读介质存储有程序代码,所述程序代码包括用于执行第二方面或第二方面任一种可能实现方式中的方法的指令。
结合上述各方面,在某些可能的实现方式中,所述第一VNFC包括虚拟监听单元vPOI。
附图说明
图1是适用于本申请实施的建立VNFI的方法和装置的NFV系统的示意性架构图;
图2是本申请一实施例提供的建立VNFI的方法的示意性流程图;
图3是本申请一实施例提供的一种建立VNFI的装置的示意性框图;
图4是本申请另一实施例提供的一种建立VNFI的装置的示意性框图;
图5是本申请一实施例提供的一种建立VNFI的设备的示意性结构图;
图6是本申请另一实施例提供的一种建立VNFI的设备的示意性结构图。
具体实施方式
下面将结合附图,对本申请中的技术方案进行描述。
本申请实施例的技术方案可以应用于各种通信系统,例如:全球移动通讯(Global System of Mobile communication,GSM)系统、码分多址(Code Division Multiple Access,CDMA)系统、宽带码分多址(Wideband Code Division Multiple Access,WCDMA)系统、通用分组无线业务(General Packet Radio Service,GPRS)、长期演进(Long Term Evolution,LTE)系统、LTE频分双工(Frequency Division Duplex,FDD)系统、LTE时分双工(Time Division Duplex,TDD)、通用移动通信系统(Universal Mobile Telecommunication System,UMTS)、全球互联微波接入(Worldwide Interoperability for Microwave Access,WiMAX)通信系统、未来的第五代(5th Generation,5G)系统或新无线(New Radio,NR)等。
为便于理解本申请实施例,首先对本申请设计的概念进行简要介绍。
虚拟机:通过软件模拟的具有完整硬件系统功能的、运行在一个完全隔离环境中的完整计算机系统。也就是说,虚拟机可以是通过虚拟机软件在物理设备上模拟出的虚拟设备。进入虚拟机的系统之后,所有的操作可以是在独立的虚拟系统里面进行,例如,可以独立安装运行软件,保存数据,拥有自己的独立桌面,以及访问网络资源等。对于 虚拟机中运行的应用程序而言,这些虚拟机就像真正的物理设备那样进行工作。
虚拟网络功能(Virtual Network Function,VNF):也可以称之为虚拟化网元,可对应于传统的非虚拟化网络中的物理网络功能。VNF可以由多个更低级别的组件组成,可选地,一个VNF可以部署在一个或多个VM上。
虚拟网络功能实例(VNF Instance,VNFI):VNF经过实例化,可建立起VNFI。这里,实例化可包括:申请资源(例如包括计算资源、网络资源和存储资源),并在申请到的资源上安装运行、完成相关配置等,使得该VNF能够在硬件上执行其相应的功能。VNFI是各个组件机器相互间连接的实例化在完成之后的结果。一个VNFI可包括一个或多个虚拟网络功能组件(Virtualized Network Function Component,VNFC),每个VNFC可承载在一个或多个VM上。
虚拟网络功能组件(VNF Component,VNFC):VNF的内部组件,每个VNFC的实例可以被映射到一个或多个VM中。
硬件中介执行环境(hardware-mediated execution enclave,HMEE):主机(例如,VM)系统环境中的一片进程空间和内存区域,能够实现与该区域有关的指令及保护数据的机密性和完整性。HMEE可以通过软硬件结合的方式实现。
下面结合图1详细说明适用于本申请实施例的建立VNFI的方法和装置的NFV系统。
图1是适用于本申请实施的建立VNFI的方法和装置的NFV系统100的示意性架构图。该NFV系统100可以运行在服务器上,该服务器的构成可以包括处理器、硬盘、内存、系统总线等,和通用的计算机架构类似。该服务器的功能可以由一个物理设备实现,也可以由多个物理设备构成的集群实现。本申请对此不做限定。并且,该NFV系统100可以通过多种网络实现,例如数据中心网络、服务提供者网络、或者局域网(LAN,Local Area Network)。如图1所示,该NFV系统100可以包括:
管理和编制系统(MANO,Management and Orchestration System)128,
基础设施(NFVI,NFV Infrastructure)130,
多个虚拟网络功能(VNF)108,
多个网元管理系统(EMS,Element Management System)122,
服务VNF和基础设施描述(Service VNF and Infrastructure Description)126,
一个或多个运营支撑系统(Operation Support System,OSS)/业务支撑系统(Business Support System,BSS)124。
其中,MANO 128可以包括编制器(NFV Orchestrator,NFVO)102、一个或多个VNF管理器(VNF Manager,VNFM)104,以及一个或多个虚拟化基础设施管理器(Virtualized Infrastructure Manager,VIM)106。
NFVI 130可以包括计算硬件112、存储硬件114、网络硬件116组成的硬件资源层、虚拟化层、以及虚拟计算110(例如,虚拟机)、虚拟存储118和虚拟网络120组成的虚拟资源层。其中,计算硬件112可以为专用的处理器或通用的用于提供处理和计算功能的处理器。存储硬件114用于提供存储能力,该存储能力可以是存储硬件114本身提供的(例如一台服务器的本地内存),也可以通过网络提供(例如服务器通过网络连接一个网络存储设备)。网络硬件116可以是交换机、路由器和/或其他网络设备,网络硬 件116用于实现多个设备之间的通信,多个设备之间通过无线或有线连接。NFVI 130中的虚拟化层用于抽象硬件资源层的硬件资源,将VNF108和硬件资源所属的物理层解耦,向VNF提供虚拟资源。
如图1所示,虚拟资源可以包括虚拟计算110、虚拟存储118和虚拟网络120。虚拟计算110、虚拟存储118可以以虚拟机或其他虚拟容器的形式向VNF 108提供虚拟资源,例如,一个或多个VNF 108可以部署在一台或多台虚拟机上。虚拟化层通过抽象网络硬件116形成虚拟网络120。虚拟网络120,例如虚拟交换机(例如,Vswitches),用于实现多个虚拟机之间,或多个承载VNF的其他类型的虚拟容器之间的通信。网络硬件的虚拟化可以通过虚拟LAN(VLAN,Virtual LAN)、虚拟专用局域网业务(VPLS,Virtual Private LAN Service)、虚拟可扩展局域网(VxLAN,Virtual eXtensible Local Area Network)或通用路由封装网络虚拟化(NVGRE,Nerwork Virtualization using Generic Routing Encapsulation)等技术实现。
OSS/BSS 124主要面向电信运营商,提供综合的网络管理和业务运营功能,包括网络管理(例如故障监控、网络信息收集等)、计费管理以及客户服务管理等。Service VNF and Infrastructure Description系统126在ETSI GS NFV 002v1.1.1标准中有详细介绍,本申请实施例在此不再赘述。
MANO 128可以用于实现VNF 108和NFVI 130的监控和管理。NFVO 102可以与一个或多个VNFM 104通信以实现与资源相关的请求、发送配置信息给VNFM 104、以及收集VNF 108的状态信息。另外,NFVO 102还可以与VIM 106进行通信以实现资源分配,和/或实现虚拟化硬件资源的配置信息和状态信息的预留和交换。VNFM 104可以用于管理一个或多个VNF 108,执行各种管理功能,例如初始化、更新、查询、和/或终止VNF 108。VIM 106可以用于控制和管理VNF 108和计算硬件112、存储硬件114、网络硬件116、虚拟计算110、虚拟存储118、虚拟网络120的交互。例如,VIM 106可以用于执行资源向VNF 108的分配操作。VNFM 104和VIM 106可以互相通信以交换虚拟化硬件资源配置和状态信息。
NFVI 130包含硬件和软件,二者共同建立虚拟化环境以部署、管理和执行VNF108。换句话说,硬件资源层和虚拟资源层用于向VNF 108提供虚拟资源,例如虚拟机和/或其他形式的虚拟容器。
如图1所示,VNFM 104可以与VNF 108和EMS 122通信以执行VNF生命周期管理和实现配置/状态信息的交换。VNF 108是至少一个网络功能的虚拟化,该网络功能之前是由物理网络设备提供的。在一种实现方式下,VNF 108可以是一个虚拟化的移动管理实体(Mobility Management Entity,MME)节点,用于提供典型的非虚拟化的MME设备提供的所有网络功能。在另一种实现方式下,VNF 108可以用于实现非虚拟化的MME设备上提供的全部组件中的部分组件的功能。一个虚拟机(或其他形式的虚拟容器)上可以部署有一个或多个VNF 108。EMS 122可以用于管理一个或多个VNF。
可选地,VNF 108可包括HMEE,HMEE可理解为运行在用于承载VNF 108的虚拟资源上的软件,以完成其相应的功能。换句话说,HMEE可理解为VNF中的VNFC。HMEE的功能已经详细说明,在本申请中,HMEE可用于执行后文中方法200中的步骤。
应理解,以上对各模块的功能的介绍是为了帮助本领域技术人员更好地理解本申请实施例,而非要限制本申请实施例的范围。本申请并不排除上述列举的各模块具有执行其他功能或者,在上述VNF系统中增加或删减模块的可能。
在本申请实施例中,每个VNFI可以部署在一个或多个VM上,以实现不同的网络功能。一个VNFI可包括一个或多个VNFC,每个VNFC可以映射在一个或多个VM上。当VNFI部署在多个VM上时,该多个VM之间相互连接,具体连接方式可以与现有技术相同,例如,可以参考标准中定义的连接方式,本申请实施例在此不做赘述。
在一个VNFI中,可以包括非敏感的VNFC。非敏感的VNFC也可以称为普通的VNFC,其对安全性的要求较低,可以为对普通业务人员可见的VNFC,或者为普通业务人员可操作的VNFC。可选地,VNFI还可以包括敏感的VNFC,敏感的VNFC对安全性的要求较高,例如,某些敏感的VNFC对普通业务人员不可见,或者说,不被普通业务人员感知,只允许特定人员使用;某些敏感的VNFC虽然能够对普通业务人员可见和使用,但其核心算法等可能是需要保密的,不希望被普通业务人员获取。作为示例而非限定,敏感的VNFC包括vPOI。
然而,在当前技术中,敏感的VNFC的安装过程通常是通过普通的VNFC来创建的,也就是说,VNFC的实例化过程完全被普通的VNFC控制。但普通的VNFC的安全性并不高,如果普通的VNFC被攻击,例如,收到恶意方控制,则会影响敏感的VNFC的安全性。因此,希望提供一种方法,能够保证敏感的VNFC的安全性。
本申请提供了一种建立VNFI的方法和装置,能够在安全的环境中安装敏感的VNFC,以完成VNFI的实例化,满足VNFC的安全性需求。
下面将结合附图详细说明本申请提供的建立VNFI的方法和装置。
图2从设备交互的角度示出了本申请一实施例提供的建立VNFI的方法的示意性流程图。该方法200可以在包括NFV系统和安全控制设备的系统中执行,其中,该VNF系统可部署一个或多个VNFI,每个VNFI可部署有一个或多个VNFC。这里,不失一般性,以NFV系统中的第一VNFI中的第一VNFC的实例化过程为例,对本申请提供的建立VNFI的方法200进行详细说明。其中,第一VNFC可以为敏感的VNFC。
需要说明的是,NFV系统可以为如图1中示出的NFV系统100,其功能可以由一个物理设备或者多个物理设备构成的集群实现。NFV系统中的各个模块,例如,本申请实施例中的HMEE、VNFC等可以理解为运行在不同的虚拟机上的软件,其资源(例如包括,网络资源、计算资源和存储资源)可以由用于运行该NFV系统的上述一个或多个物理设备提供。物理设备中的处理器通过执行存储在存储器中的代码,以执行各模块相应的功能。
下面结合图2详细说明该方法200。如图2所示,该方法200包括步骤210至步骤260。
在步骤210中,HMEE生成公私钥对。
具体地,HEMM可用于提供安全的、可信任的执行环境,可理解为安全执行环境。安全执行环境可与非安全的执行环境硬件隔离,或者说,安全执行环境和非安全执行环境可以理解为同时运行在同一个设备上的两个运行环境。在安全执行环境下,操作系统 和软件等的运行可以视为在系统的后台运行,不被普通用户看到,因此,可以保护处于该环境中的资源不受到恶意软件的攻击,抵御多种类型的安全威胁。因此,安全执行环境可以有效地保证信息和数据的安全性,该安全执行环境中保存的信息或数据将无法被攻击者获取或者篡改。可选地,该HMEE可以包括英特尔(Intel)的安全扩展(Safe Guard Extensions,SGX)技术。
需要说明的是,HMEE可通过将软件加载在物理设备(例如,服务器)上以完成其相应的功能。该设备不仅可用于实现HMEE的相应功能,还可通过虚拟化技术,构建多个VNFI,以实现多种业务功能。
应理解,HMEE可理解为安全执行环境的一例,不应对本申请构成任何限定,该安全执行环境例如还可以为可信任环境(Trusted Environment,TE)等。
在步骤220中,HMEE向安全控制设备发送步骤210中生成的公私钥对中的公钥。
在本申请实施例中,HMEE所生成的公私钥对可以包括相对应的一个公钥和一个私钥,该HMEE可以将公钥发送给安全控制设备以请求实例化第一VNFC,并将私钥保存在本地。由于HMEE可以在安全执行环境中生成公私钥对,并保存私钥,故该私钥具有较高的安全性,不容易被攻击者获取或者篡改。
相对应地,在步骤220中,安全控制设备接收来自HMEE的公钥。
在某些情况下,基于安全性的考虑,HMEE可能不具备对外通信的能力。例如,HMEE厂商可以将应用程序编程(Application Programming Interface,API)接口定义为仅能够与NFV系统中的普通VNFC通信,而无法直接与安全控制设备通信。则HMEE可通过NFV系统中的网元向安全控制设备转发公钥。可选地,该第一VNFI还包括第二VNFC,且该第二VNFC可以为已完成实例化的VNFC。
可选地,步骤220具体包括:
HMEE经由第二VNFC向安全控制设备发送公钥。
相对应地,安全控制设备经由第二VNFC接收来自HMEE的公钥。
更进一步地,当第二VNFC建立起来之后,也需要通过初始化才能够建立与外界(具体地,MANO中的VNFM)的通信连接关系,由此完成第二VNFC的实例化。可选地,该方法200还包括:
步骤230,第二VNFC向HMEE发送实例化完成消息。
相对应地,在步骤230中,HMEE接收第二VNFC发送的实例化完成消息。
此后,HMEE便可以在步骤220中经由第二VNFC向安全控制设备发送公钥。更具体地说,HMEE可将公钥发送至第二VNFC,第二VNFC可将公钥发送至MANO(具体地,MANO中的VNFM),MANO可将公钥转发至安全控制设备。
需要说明的是,这里所说的安全控制设备可以理解为第三方的安全控制设备,例如,可以为欧洲电信标准协会(European Telecommunication Standards Institute,ETSI)NFV SEC013中的安全控制器(Security Controller,SC)、ETSI NFV SEC 013中的网络安全管理(Network and Security Manager,NSM)、运营商的凭证管理器(Credential Manager,CM)。
特别地,若第一VNFC为vPOI,则该安全控制设备可以为合法监听控制器(Lawful  Interception controller,LI controller)和管理功能(Administration Function,ADMF)。这里,LI controller与ADMF可以为运行在同一物理设备上的两个软件,用于执行不同的功能。其中,LI controller可用于与MANO进行对接,控制vPOI NFV层面的操作,ADMF可用于控制vPOI层面的配置及下发。LI controller和ADMF的具体功能可参考现有技术,这里为了简洁,省略对其功能的详细说明。需要注意的是,ADMF可管理敏感的VNFC的安全凭证。在此情况下,上述HMEE发送的公钥可经由LI controller发送至ADMF。
应理解,上述列举的安全控制设备的具体形式仅为示例性说明,而不应对本申请构成任何限定。不论是怎样的具体形式,在本申请实施例中,该安全控制设备可用于管理待实例化的第一VNFC的安全凭证,该安全凭证是否下发给HMEE由该安全控制设备来决定,也就是说,第一VNFC是否实例化可以由安全控制设备来决定。
在步骤240中,安全控制设备基于接收到的公钥对第一VNFC的安装包的安全凭证进行加密,得到加密后的安全凭证。
其中,该安全凭证可用于对第一VNFC的安装包进行加密,例如,对该第一VNFC种的安装包的部分代码或全部代码进行加密。该第一VNFC的安装包经过安全凭证的解密之后才能够用于安装第一VNFC。
在步骤250中,安全控制设备向HMEE发送加密后的安全凭证。
相对应地,在步骤250中,HMEE接收来自安全控制设备的加密后的安全凭证。
可选地,该安全控制设备可经由MANO、第二VNFC向HMEE转发加密后的安全凭证。相对应地,HMEE经由第二VNFC和MANO接收来自安全控制设备的加密后的安全凭证。
在某些情况下,同一个安全控制设备可能管理着多个敏感的VNFC的安全凭证,每个安全凭证对应一个VNFC。此外,同一个安全控制设备可能会接收到来自多个HMEE的公钥,甚至有可能是第三方冒充的HMEE发送的公钥,安全控制设备可以对接收到的信息的发送方(也就是HMEE)进行认证,以保证安全凭证的安全下发。再有,公钥在传输过程中也有可能遭受第三方的攻击而被篡改,安全控制设备可以在对安全凭证进行加密前对公钥进行验证,以保证安全凭证的安全下发。
可选地,该方法还包括:HMEE向安全控制设备发送第一VNFC的标识。
相对应地,安全控制设备接收来自HMEE的第一VNFC的标识。安全控制设备可基于该第一VNFC的标识,查找所对应的安全凭证,进而加密后发送。
可选地,该方法还包括:HMEE向安全控制设备发送公钥的哈希。
相对应地,安全控制设备接收来自HMEE的公钥的哈希。该公钥的哈希可以用于对在步骤220中接收到的公钥进行完整性验证。因此,步骤250具体可以包括:在验证成功的情况下,安全控制设备可以基于该公钥对安全凭证进行加密。而在验证不成功的情况下,安全控制设备可以不下发安全凭证,例如,回复空消息,或者回复失败消息,或者回复随机消息等,以通知HMEE安全凭证不下发。由此,可以避免公钥在传输过程中被篡改可能带来的安全隐患,保证安全凭证的安全下发。
可选地,该方法还包括:HMEE向安全控制设备发送主机标识和/或代码的哈希。其中,主机标识为安装该HMEE的主机的标识,代码为该HMEE所执行的代码。
相对应地,安全控制设备接收来自安全控制设备发送的主机标识和/或代码的哈希。安全控制设备基于该主机标识以及预先保存的已认证的主机标识,对安装HMEE的主机进行认证。因此,步骤250可以具体包括:在对主机认证成功的情况下,安全控制设备可以向HMEE下发加密后的安全凭证。而在对主机认证不成功的情况下,安全控制设备可以不下发安全凭证,例如,回复空消息,或者回复失败消息,或者回复随机消息等,以通知HMEE安全凭证不下发。由此,可以避免其他设备冒充HMEE从安全控制设备获取安全凭证的可能,保证安全凭证的安全下发。
安全控制设备也可以基于代码的哈希以及预先保存的允许执行的代码,对该HMEE执行的代码进行认证。因此,步骤250可以具体包括:在对代码认证成功的情况下,安全控制设备可以向HMEE下发加密后的安全凭证。而在对代码认证不成功的情况下,安全控制设备可以不下发安全凭证,例如,回复空消息,或者回复失败消息,或者回复随机消息等,以通知HMEE安全凭证不下发。由此,可以避免主机被第三方攻破采用非法的代码从安全控制设备获取安全凭证的可能,保证安全凭证的安全下发。
安全控制设备可以对主机和代码都进行认证,因此,步骤250具体可以包括:在对主机和代码均认证成功的情况下,安全控制设备可以向HMEE下发加密后的安全凭证;在对主机和代码中的任意一个认证不成功的情况下,安全控制设备可以不下发安全凭证。由此,可以从硬件、软件两方面进行认证,进一步提高安全性。
在一种可能的设计中,上述公钥、第一VNFC的标识、公钥的哈希、主机标识以及代码的哈希可以携带在同一个消息(例如,记作第一消息)中,例如,HMEE向安全控制设备发送该第一消息,以便安全控制设备基于接收到的消息,完成对公钥的完整性验证、HMEE的认证,从而基于公钥对该第一VNFC的安装包的安全凭证进行加密。
应理解,这里所列举的第一消息所携带的具体信息仅为示例性说明,该第一消息中除了携带公钥之外,还可以携带以下至少一项:公钥的哈希、第一VNFC的标识、主机标识和代码的哈希。
还应理解,通过第一消息携带上述信息的方法仅为一种可能的实现方式,上述列举的信息可以通过一个或者更多个消息发送给安全控制设备,本申请对此不做限定。
在一种可能的实现方式中,上述公钥的哈希、第一VNFC的标识、主机标识和代码的哈希均可通过第二VNFC转发至安全控制设备。
HMEE在步骤250中接收到来自安全控制设备的加密后的安全凭证后,便可以执行步骤260,HMEE基于私钥,解密该加密后的安全凭证,得到该安全凭证。
具体地,该HMEE可以通过加密算法生成公私钥对,该公私钥对中的公钥和私钥是相对应的,通过该公钥加密的信息只有通过该私钥才能够解密。因此,当安全控制设备基于HMEE发送的公钥加密安全凭证后,该加密后的安全凭证需要HMEE的私钥才能够解密。HMEE在生成公私钥对后,可以将私钥在本地保存,因HMEE的环境是安全的,该私钥不会被第三方获取或篡改。当HMEE接收到加密后的安全凭证后,便可以基于本地保存的私钥解密该加密后的安全凭证,得到该安全凭证。
此后,HMEE可基于该安全凭证解密第一VNFC的安装包,以便在预先配置好的虚拟资源(例如,VM)上完成第一VNFC的实例化。可选地,HMEE可在完成第一VNFC的实 例化后,删除该第一VNFC的安装包。应理解,第一VNFC的实例化过程可以与现有技术中敏感的VNFC的实例化过程相同,为了简洁,这里省略对该过程的详细说明。在完成了第一VNFC的实例化之后,第一VNFC可具有与第二VNFC相同的功能,例如,可直接与外界通信等。本申请对于第一VNFC的功能不做限定。
基于上述技术方案,安全控制设备可以基于HMEE生成的公钥对第一VNFC的安装包的安全凭证进行加密,该加密的安全凭证需由HMEE生成的私钥才能够解密,可以保证安全凭证在传输过程中的安全性。并且,公私钥对和解密的过程都在HMEE所提供的的安全执行环境中进行,使得外界无法获取私钥、安全凭证以及该第一VNFC的代码,也无法感知到安全凭证的解密,也就无法感知第一VNFC的安装过程。由此,可以保证第一VNFC的安全性。
可选地,该第一VNFC包括vPOI。
若该第一VNFC为vPOI,则该vPOI的使用过程也不希望被感知。因此,该vPOI虽然具备与外界通信的功能,但仅与安全控制设备(例如上文中所述的LI controller和ADMF)直接通信,也就是说,vPOI完全只受安全控制设备的控制,因此,vPOI与安全控制设备的通信过程是不会被普通的VNFC(例如,第二VNFC)或者MANO感知到的。
基于上述技术方案,在vPOI的安装过程中,通过HMEE生成的公钥加密安全凭证,并有HMEE保存安全凭证,能够保证安全凭证的安全性,由此可以保证vPOI的安装包不被第三方获取;在vPOI的使用过程中,通过限制vPOI仅与安全控制设备通信,能够保证vPOI与普通的VNFC间相互独立,由此可以保证vPOI使用过程不被外界感知。
再进一步地,为了使得MANO对于vPOI的存在无感知,不论VNFI(包括第一VNFI以及其他的VNFI)中是否包含vPOI,均可以通过向MANO发送信息(例如,发送公钥)的方式来欺骗MANO,使得MANO也无法判断哪些VNFI中包含了vPOI,保证了vPOI的安装和使用过程不被MANO感知,进一步提高了vPOI的安全性。
需要说明的是,在图2示出的各信息传输的过程中,分别经由第二VNFC和MANO转发,但应理解,第二VNFC和MANO的转发可以仅为透传,对信息本身并不做处理。
应理解,图2中仅为便于理解,示出了本申请实施例中涉及到的网元,但NFV系统中的网元并不仅限于图2中所示,因此,图2所示的网元不应对本申请构成任何限定。例如,MANO可包括VIM、VNFM和NFVO;又例如,NFV系统还可包括第一VNFC、第三VNFC等。
还应理解,在本申请实施例中,上述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本申请实施例的实施过程构成任何限定。
上文中结合图2详细说明了本申请实施例的建立VNFI的方法。下面将结合图3至图6详细说明本申请实施例的建立VNFI的装置。
图3是本申请一实施例提供的一种建立VNFI的装置300的示意性框图。应理解,图3示出的建立VNFI的装置300仅为示例,本申请实施例的建立VNFI的装置还可以包括其他单元或模块,或者包括与图3中的各个单元的功能相似的单元,或者并非要包括图3中的所有单元。
具体地,该装置300配置于网络功能虚拟化NFV系统中,该NFV系统部署有待实例化的VNFI,该VNFI部署有该设备500和待实例化的第一虚拟网络组建VNFC。如图3所示,该装置300可包括:生成单元310、通信单元320和解密单元330。
其中,生成单元310用于生成公私钥对;
通信单元320用于向安全控制设备发送该公私钥对中的公钥;
解密单元330用于基于该公私钥对中的私钥解密加密后的安全凭证,得到该安全凭证。
应理解,图3所示的建立VNFI的装置300可对应(例如,可以配置于或本身即为)上述实施例中建立VNFI的方法中的HMEE,并且建立VNFI的装置300中的各个单元的上述和其它操作和/或功能分别为了实现图2中的建立VNFI的方法的相应流程,为了简洁,在此不再赘述。
图4是本申请另一实施例提供的建立VNFI的装置400的示意性框图。应理解,图4示出的建立VNFI的装置400仅为示例,本申请实施例的建立VNFI的装置还可以包括其他单元或模块,或者包括与图4中的各个单元的功能相似的单元,或者并非要包括图4中的所有单元。
具体地,如图4所示,该装置400可包括:通信单元410和加密单元420。
其中,通信单元410用于接收来自网络功能虚拟化NFV系统中的硬件中介执行环境HMEE的公钥,该NFV系统部署有待实例化的VNFI,该VNFI部署有该HMEE和待实例化的第一虚拟网络功能组件VNFC;
加密单元420用于基于该公钥对第一VNFC的安装包的安全凭证进行加密,得到加密后的安全凭证,该安全凭证用于解密该第一VNFC的安装包;
通信单元410还用于向该HMEE发送该加密后的安全凭证。
应理解,图4所示的建立VNFI的装置400可对应(例如,可以配置于或本身即为)上述实施例中建立VNFI的方法中的安全控制设备,并且建立VNFI的装置400中的各个单元的上述和其它操作和/或功能分别为了实现图2中的建立VNFI的方法的相应流程,为了简洁,在此不再赘述。
图5是本申请一实施例提供的建立VNFI的设备500的示意性结构图。如图5所示,该设备500包括:存储器510、处理器520和通信接口530。其中,存储器510可以集成在处理器520中,也可以独立于处理器520。存储器510可用于存储指令,处理器520可用于执行该存储器510存储的指令,以控制通信接口530手法信息或信号,该存储器510、处理器520和通信接口530可通过内部连接通路互相通信,传递控制和/或数据信号。
具体地,设备500配置于网络功能虚拟化NFV系统中,该NFV系统部署有待实例化的VNFI,该VNFI部署有该设备500和待实例化的第一虚拟网络组建VNFC,该设备500中的处理器520可以调用存储器510中存储的程序代码执行以下操作:
生成公私钥对;
控制通信接口530向安全控制设备发送该公私钥对中的公钥;
控制通信接口530接收来自所述安全控制设备的加密后的安全凭证,所述加密后的 安全凭证是基于所述公钥对第一VNFC的安装包的安全凭证加密得到,所述安全凭证用于解密所述第一VNFC的安装包;
基于该公私钥对中的私钥解密加密后的安全凭证,得到安全凭证。
应理解,图5所示的建立VNFI的设备500可对应(例如,可以配置于或本身即为)上述实施例中建立VNFI的方法中的HMEE,并且建立VNFI的设备500中的各个单元的上述和其它操作和/或功能分别为了实现图2中的建立VNFI的方法的相应流程,为了简洁,在此不再赘述。并且,图3所示的装置300中的生成单元310和加密单元320可以对应该处理器520,图3所示的装置300中的通信单元320可以对应该通信接口530。
图6是本申请另一实施例提供的建立VNFI的设备600的示意性结构图。如图6所示,该设备600包括:存储器610、处理器620和通信接口630。其中,存储器610可以集成在处理器620中,也可以独立于处理器620。存储器610可用于存储指令,处理器620可用于执行该存储器610存储的指令,以控制通信接口630手法信息或信号,该存储器610、处理器620和通信接口630可通过内部连接通路互相通信,传递控制和/或数据信号。
具体地,处理器11可以调用存储器12中存储的程序代码执行以下操作:
控制通信接口630接收来自网络功能虚拟化NFV系统中的硬件中介执行环境HMEE的公钥,所述NFV系统部署有待实例化的VNFI,所述VNFI部署有所述HMEE和待实例化的第一虚拟网络功能组件VNFC;
基于所述公钥对第一VNFC的安装包的安全凭证进行加密,得到加密后的安全凭证,所述安全凭证用于解密所述第一VNFC的安装包;
控制通信接口630向所述HMEE发送所述加密后的安全凭证。
应理解,图6所示的建立VNFI的设备600可对应(例如,可以配置于或本身即为)上述实施例中建立VNFI的方法中的安全控制设备,并且建立VNFI的设备600中的各个单元的上述和其它操作和/或功能分别为了实现图2中的建立VNFI的方法的相应流程,为了简洁,在此不再赘述。并且,图4所示的装置400中的通信单元410可以对应该通信接口630,图4所示的装置400中的加密单元420可以对应该处理器620。
在本申请实施例中,处理器可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法实施例的各步骤可以通过处理器中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器可以CPU,也可以是其他通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现成可编程门阵列(Field Programmable Gate Array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。通用处理器可以是微处理器或者是任何常规的处理器等。
可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质 位于存储器,处理器读取存储器中的信息,结合其硬件完成上述方法的步骤。
在本申请实施例中,存储器可以是易失性存储器或非易失性存储器,或可包括易失性和非易失性存储器两者。其中,非易失性存储器可以是只读存储器(read-only memory,ROM)、可编程只读存储器(programmable ROM,PROM)、可擦除可编程只读存储器(erasable PROM,EPROM)、电可擦除可编程只读存储器(electrically EPROM,EEPROM)或闪存。易失性存储器可以是随机存取存储器(random access memory,RAM),其用作外部高速缓存。通过示例性但不是限制性说明,许多形式的RAM可用,例如静态随机存取存储器(static RAM,SRAM)、动态随机存取存储器(DRAM)、同步动态随机存取存储器(synchronous DRAM,SDRAM)、双倍数据速率同步动态随机存取存储器(double data date SDRAM,DDR SDRAM)、增强型同步动态随机存取存储器(enhanced SDRAM,ESDRAM)、同步连接动态随机存取存储器(synch link DRAM,SLDRAM)和直接内存总线随机存取存储器(direct ram bus RAM,DR RAM)。
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
在本申请所提供的几个实施例中,应该理解到,所揭露的系统、装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储 程序代码的介质。
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。

Claims (28)

  1. 一种建立虚拟网络功能实例VNFI的方法,其特征在于,包括:
    网络功能虚拟化NFV系统中的硬件中介执行环境HMEE生成公私钥对,所述NFV系统部署有待实例化的VNFI,所述VNFI部署有所述HMEE和待实例化的第一虚拟网络功能组件VNFC;
    所述HMEE向安全控制设备发送所述公私钥对中的公钥;
    所述HMEE接收来自所述安全控制设备的加密后的安全凭证,所述加密后的安全凭证是基于所述公钥对第一VNFC的安装包的安全凭证加密得到,所述安全凭证用于解密所述第一VNFC的安装包;
    所述HMEE基于所述公私钥对中的私钥解密所述加密后的安全凭证,得到所述安全凭证。
  2. 根据权利要求1所述的方法,其特征在于,所述VNFI还部署有已完成实例化的第二VNFC,以及
    所述HMEE向安全控制设备发送所述公私钥对中的公钥,包括:
    所述HMEE经由所述第二VNFC向所述安全控制设备发送所述公私钥对中的公钥;
    所述HMEE接收来自所述安全控制设备的加密后的安全凭证,包括:
    所述HMEE经由所述第二VNFC接收来自所述安全控制设备的所述加密后的安全凭证。
  3. 根据权利要求2所述的方法,其特征在于,所述方法还包括:
    所述HMEE接收来自所述第二VNFC的实例化完成消息。
  4. 根据权利要求1至3中任一项所述的方法,其特征在于,所述方法还包括:
    所述HMEE向所述安全控制设备发送所述第一VNFC的标识。
  5. 根据权利要求1至4中任一项所述的方法,其特征在于,所述方法还包括:
    所述HMEE向所述安全控制设备发送所述公钥的哈希。
  6. 根据权利要求1至5中任一项所述的方法,其特征在于,所述方法还包括:
    所述HMEE向所述安全控制设备发送主机标识和/或代码的哈希,所述主机标识为安装所述HMEE的主机的标识,所述代码为所述HMEE所执行的代码。
  7. 一种建立虚拟网络功能实例VNFI的方法,其特征在于,包括:
    安全控制设备接收来自网络功能虚拟化NFV系统中的硬件中介执行环境HMEE的公钥,所述NFV系统部署有待实例化的VNFI,所述VNFI部署有所述HMEE和待实例化的第一虚拟网络功能组件VNFC;
    所述安全控制设备基于所述公钥对第一VNFC的安装包的安全凭证进行加密,得到加密后的安全凭证,所述安全凭证用于解密所述第一VNFC的安装包;
    所述安全控制设备向所述HMEE发送所述加密后的安全凭证。
  8. 根据权利要求7所述的方法,其特征在于,所述VNFI还部署有已完成实例化的第二VNFC,以及
    所述安全控制设备接收来自NFV系统中的HMEE的公钥,包括:
    所述安全控制设备经由所述第二VNFC接收来自所述NFV系统中的所述HMEE的公钥;
    所述安全控制设备向所述HMEE发送所述加密后的安全凭证,包括:
    所述安全控制设备经由所述第二VNFC向所述HMEE发送所述加密后的安全凭证。
  9. 根据权利要求7或8所述的方法,其特征在于,所述方法还包括:
    所述安全控制设备接收来自所述HMEE的所述第一VNFC的标识。
  10. 根据权利要求7至9中任一项所述的方法,其特征在于,所述方法还包括:
    所述安全控制设备接收来自所述HMEE的所述公钥的哈希;
    所述安全控制设备基于接收到的所述公钥和所述公钥的哈希,对所述公钥进行验证;
    所述安全控制设备基于所述公钥对安全凭证进行加密,包括:
    所述安全控制设备在对所述公钥验证成功的情况下,基于所述公钥对所述安全凭证进行加密。
  11. 根据权利要求7至10中任一项所述的方法,其特征在于,所述方法还包括:
    所述安全控制设备对所述HMEE进行认证;
    所述安全控制设备向所述HMEE发送所述加密后的安全凭证,包括:
    所述安全控制设备在对所述HMEE认证成功的情况下,向所述HMEE发送所述加密后的安全凭证。
  12. 根据权利要求11所述的方法,其特征在于,所述安全控制设备对所述HMEE进行认证,包括:
    所述安全控制设备接收来自所述HMEE的主机标识和/或代码的哈希,所述主机标识为配置所述HMEE的主机的标识,所述代码为所述HMEE所执行的代码;
    所述安全控制设备根据所述主机标识和/或代码的哈希,对所述HMEE进行认证,其中,所述安全控制设备中预先保存有已认证的主机的标识和/或允许执行的代码。
  13. 根据权利要求1至12中任一项所述的方法,其特征在于,所述第一VNFC包括虚拟监听单元vPOI。
  14. 一种建立虚拟网络功能实例VNFI的装置,其特征在于,配置于网络功能虚拟化NFV系统中,所述NFV系统部署有待实例化的VNFI,所述VNFI部署有所述装置和待实例化的第一虚拟网络组建VNFC,所述装置包括:
    生成单元,用于生成公私钥对;
    通信单元,用于向安全控制设备发送所述公私钥对中的公钥;
    解密单元,用于基于所述公私钥对中的私钥解密所述加密后的安全凭证,得到所述安全凭证。
  15. 根据权利要求14所述的装置,其特征在于,所述VNFI还部署有已完成实例化的第二VNFC,
    所述通信单元具体用于:
    经由所述第二VNFC向所述安全控制设备发送所述公私钥对中的公钥;
    经由所述第二VNFC接收来自所述安全控制设备的所述加密后的安全凭证。
  16. 根据权利要求15所述的装置,其特征在于,所述通信单元还用于接收来自所述第二VNFC的实例化完成消息。
  17. 根据权利要求14至16中任一项所述的装置,其特征在于,所述通信单元还用于向所述安全控制设备发送所述第一VNFC的标识。
  18. 根据权利要求14至17中任一项所述的装置,其特征在于,所述通信单元还用于向所述安全控制设备发送所述公钥的哈希。
  19. 根据权利要求14至18中任一项所述的装置,其特征在于,所述通信单元还用于向所述安全控制设备发送主机标识和/或代码的哈希,所述主机标识为安装所述HMEE的主机的标识,所述代码为所述HMEE所执行的代码。
  20. 一种建立虚拟网络功能实例VNFI的装置,其特征在于,包括:
    通信单元,用于接收来自网络功能虚拟化NFV系统中的硬件中介执行环境HMEE的公钥,所述NFV系统部署有待实例化的VNFI,所述VNFI部署有所述HMEE和待实例化的第一虚拟网络功能组件VNFC;
    加密单元,用于基于所述公钥对第一VNFC的安装包的安全凭证进行加密,得到加密后的安全凭证,所述安全凭证用于解密所述第一VNFC的安装包;
    所述通信单元还用于向所述HMEE发送所述加密后的安全凭证。
  21. 根据权利要求20所述的装置,其特征在于,所述VNFI还部署有已完成实例化的第二VNFC,
    所述通信单元具体用于:
    经由所述第二VNFC接收来自所述HMEE的公钥;
    经由所述第二VNFC向所述HMEE发送所述加密后的安全凭证。
  22. 根据权利要求20或21所述的装置,其特征在于,所述通信单元还用于接收来自所述HMEE的所述第一VNFC的标识。
  23. 根据权利要求20至22中任一项所述的装置,其特征在于,所述通信单元还用于接收来自所述HMEE的所述公钥的哈希;
    所述装置还包括验证单元,用于对所述公钥进行验证;
    所述加密单元具体用于在对所述公钥验证成功的情况下,基于所述公钥对所述安全凭证进行加密。
  24. 根据权利要求20至23中任一项所述的装置,其特征在于,所述装置还包括认证单元,用于对所述HMEE进行认证;
    所述通信单元具体用于在对所述HMEE认证成功的情况下,向所述HMEE发送所述加密后的安全凭证。
  25. 根据权利要求24所述的装置,其特征在于,所述通信单元还用于接收来自所述HMEE的主机标识和/或代码的哈希,所述主机标识为配置所述HMEE的主机的标识,所述代码为所述HMEE所执行的代码;
    所述认证单元具体用于根据所述主机标识和/或代码的哈希,对所述HMEE进行认证,其中,所述安全控制设备中预先保存有已认证的主机的标识和/或允许执行的代码。
  26. 根据权利要求14至25中任一项所述的装置,其特征在于,所述第一VNFC包括虚拟监听单元vPOI。
  27. 一种建立虚拟网络功能实例VNFI的装置,其特征在于,包括:
    存储器,用于存储计算机程序;
    处理器,用于执行所述存储器中存储的计算机程序,以使得所述装置执行如权利要求1至13中任一项所述的方法。
  28. 一种计算机可读存储介质,包括计算机程序代码,当所述计算机程序代码在计算机上运行时,如权利要求1至13中任一项所述的方法被执行。
PCT/CN2018/119337 2017-12-07 2018-12-05 建立虚拟网络功能实例的方法和装置 WO2019109942A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP18886232.0A EP3716563A4 (en) 2017-12-07 2018-12-05 METHOD AND APPARATUS FOR ESTABLISHING A VIRTUAL NETWORK FUNCTION INSTANCE
US16/894,198 US11487867B2 (en) 2017-12-07 2020-06-05 Method and apparatus for creating virtualized network function instance

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711283694.4 2017-12-07
CN201711283694.4A CN109905252B (zh) 2017-12-07 2017-12-07 建立虚拟网络功能实例的方法和装置

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/894,198 Continuation US11487867B2 (en) 2017-12-07 2020-06-05 Method and apparatus for creating virtualized network function instance

Publications (1)

Publication Number Publication Date
WO2019109942A1 true WO2019109942A1 (zh) 2019-06-13

Family

ID=66750808

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/119337 WO2019109942A1 (zh) 2017-12-07 2018-12-05 建立虚拟网络功能实例的方法和装置

Country Status (4)

Country Link
US (1) US11487867B2 (zh)
EP (1) EP3716563A4 (zh)
CN (1) CN109905252B (zh)
WO (1) WO2019109942A1 (zh)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11240135B1 (en) * 2018-05-23 2022-02-01 Open Invention Network Llc Monitoring VNFCs that are composed of independently manageable software modules
WO2020252052A1 (en) * 2019-06-10 2020-12-17 Apple Inc. End-to-end radio access network (ran) deployment in open ran (o-ran)
DE102020200969A1 (de) * 2020-01-28 2021-07-29 Robert Bosch Gesellschaft mit beschränkter Haftung Verfahren zum Instanziieren mindestens einer Ausführungsumgebung
CN114268507B (zh) * 2021-12-30 2023-12-05 天翼物联科技有限公司 一种基于sgx的网络云安全优化方法、系统及相关介质

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580208A (zh) * 2015-01-04 2015-04-29 华为技术有限公司 一种身份认证方法及装置
WO2015168914A1 (zh) * 2014-05-08 2015-11-12 华为技术有限公司 一种证书获取方法和设备
US20170111207A1 (en) * 2015-10-14 2017-04-20 Electronics And Telecommunications Research Institute Nfv system and method for linking vnfm

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3107246B1 (en) * 2014-03-26 2019-05-22 Huawei Technologies Co., Ltd. Network function virtualization-based certificate configuration
BR112016026037B1 (pt) * 2014-05-08 2023-04-04 Huawei Technologies Co., Ltd Dispositivo de aquisição de certificado
US9578008B2 (en) * 2015-05-11 2017-02-21 Intel Corporation Technologies for secure bootstrapping of virtual network functions
JP6965921B2 (ja) * 2016-09-08 2021-11-10 日本電気株式会社 ネットワーク機能仮想化システム及び検証方法

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015168914A1 (zh) * 2014-05-08 2015-11-12 华为技术有限公司 一种证书获取方法和设备
CN104580208A (zh) * 2015-01-04 2015-04-29 华为技术有限公司 一种身份认证方法及装置
US20170111207A1 (en) * 2015-10-14 2017-04-20 Electronics And Telecommunications Research Institute Nfv system and method for linking vnfm

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
4G AMERICA S: "NFV and SDN Networks", THE VOICE OF 5G FOR THE AMERICA S, 30 November 2015 (2015-11-30), pages 1 - 34, XP009521263 *
See also references of EP3716563A4

Also Published As

Publication number Publication date
US20200302051A1 (en) 2020-09-24
CN109905252A (zh) 2019-06-18
CN109905252B (zh) 2022-06-07
EP3716563A1 (en) 2020-09-30
US11487867B2 (en) 2022-11-01
EP3716563A4 (en) 2021-01-13

Similar Documents

Publication Publication Date Title
EP3937424B1 (en) Blockchain data processing methods and apparatuses based on cloud computing
CN109361668B (zh) 一种数据可信传输方法
KR101722631B1 (ko) 프록시를 사용하여 자원들에의 보안 액세스
JP6965921B2 (ja) ネットワーク機能仮想化システム及び検証方法
JP6114832B2 (ja) 仮想マシンのための管理制御方法、装置及びシステム
US10382450B2 (en) Network data obfuscation
JP6222592B2 (ja) モバイルアプリケーション管理のためのモバイルアプリケーションのアイデンティティの検証
CN105745661B (zh) 对权限管理的内容的基于策略的受信任的检测
WO2019109942A1 (zh) 建立虚拟网络功能实例的方法和装置
US20220191693A1 (en) Remote management of hardware security modules
US9524394B2 (en) Method and apparatus for providing provably secure user input/output
US20230259462A1 (en) Data Management Method, Apparatus, and System, and Storage Medium
CN112765637A (zh) 数据处理方法、密码服务装置和电子设备
EP3720042B1 (en) Method and device for determining trust state of tpm, and storage medium
Robinson Cryptography as a service
US11171786B1 (en) Chained trusted platform modules (TPMs) as a secure bus for pre-placement of device capabilities
Shamseddine et al. Mitigating rogue node attacks in edge computing
WO2018040095A1 (zh) 一种生成安全凭证的方法和设备
WO2023089438A1 (en) Correlating remote attestation quotes with a virtualized network function (vnf) resource allocation event
CN118606925A (zh) 主机、密码服务管理方法、存储介质及程序
Freitez et al. Authentication services in mobile ad hoc networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18886232

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2018886232

Country of ref document: EP

Effective date: 20200623