WO2021022764A1 - Network slicing method and network slicing apparatus for 5g core network - Google Patents
- Publication number
- WO2021022764A1 (PCT/CN2019/127743)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- mgr
- dpi
- audit
- level
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0893—Assignment of logical groups to network elements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W28/00—Network traffic management; Network resource management
- H04W28/16—Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
Definitions
- the invention relates to the field of wireless communication, in particular to a network slicing method and a network slicing device of a 5G core network.
- the overall deployment of the 5G core network (hereinafter referred to as: 5GC) is based on the public cloud platform NFV/SDN (Virtualization and Software Defined Networking) environment.
- Figure 1 shows the overall block diagram of the 5GC.
- the security protection needs of users in the multi-level Internet of Things and vertical industries cannot be met, including the security of 5GC itself signaling and the security of UE user data plane data transmitted on 5GC.
- the network slicing function for IoT and vertical industry (private network) purposes is not proposed in the 3GPP specifications.
- no corresponding definition of network security protection is proposed for the sliced core network elements of Internet of Things or vertical industry (private network) users.
- CN107580360A a method, equipment and network architecture for network slice selection
- CN108495358A a method for network slice selection based on NFV
- CN108566289A based on 5G mobile communication network slice architecture design management Method
- the present invention provides a network slicing method and a network slicing device for a 5G core network to solve the problems raised in the background art.
- a network slicing method for a 5G core network includes:
- according to the security protection level Si, presetting the network slice network elements of the network slice to an environment corresponding to the security protection level Si.
- the network slice network element includes at least one of the following network slice network elements: AMF, SMF, UDM, AUSF, PCF, and AUSF.
- the 5G core network is provided with a slice network security policy controller SPCF, and the slice network security policy controller SPCF is configured to set the security protection level Si of the network slice.
- the security protection level Si is defined as follows:
- Si = {isolated_Level, inf_Audit, Mrg_Audit, content_DPI, ...};
- isolated_Level represents the degree of security isolation, and its value indicates the isolation level of the deployment platform on which the network slice runs;
- inf_Audit represents the network interface, and its value indicates the security audit of each network interface
- Mrg_Audit represents the management interface, and its value indicates the security audit of each management interface
- content_DPI represents the external network interface, and its value indicates the DPI deep packet analysis of user data.
- the security isolation level isolated_Level = {public_cloud, pravited_cloud, hardware_isolated};
- public_cloud means that each network element of the 5G core network is completely deployed in a shared cloud
- pravited_cloud means that each network element of the 5G core network is deployed in an independent network environment
- hardware_isolated indicates that each network element of the 5G core network is deployed in physical isolation.
- the network interface inf_Audit = {N1, N2, N3, N4, N5, N6, N7, N8, N9};
- the N1, N2, N3, N4, N5, N7, N8 interfaces are internal network interfaces of the 5G core network.
- the N6 and N9 interfaces are the external network interfaces in the 5G core network for external communication.
- the management interface Mrg_Audit = {Mgr_AMF, Mgr_SMF, Mgr_UDM, Mgr_PCF, Mgr_UPF};
- Mgr_AMF represents the AMF network element management interface
- Mgr_SMF represents SMF network element management interface
- Mgr_UDM represents the UDM network element management interface
- Mgr_PCF represents the PCF network element management interface
- Mgr_UPF represents UPF network element management interface.
- the external network interface content_DPI = {N6_DPI, N9_DPI}, where N6_DPI represents the external network interface N6, and N9_DPI represents the external network interface N9.
- the Si ∈ {S1, S2, S3, S4, S5}, and
- a network slicing device for a 5G core network includes:
- the network slicing module is configured to perform network slicing on the 5G core network to obtain network slicing network elements of the network slicing;
- the security protection level setting module is configured to set the security protection level Si for the network slice, where i is an integer;
- the preset module is configured to preset the network slice network elements of the network slice to an environment corresponding to the security protection level Si according to the security protection level Si.
- the network slicing scheme of the 5G core network includes: performing network slicing on the 5G core network to obtain network slicing network elements of the network slicing; setting a security protection level Si for the network slicing, where i is an integer; and, according to the security protection level Si, presetting the network slicing network elements of the network slice to an environment corresponding to the security protection level Si.
- the method proposed by the present invention allows independent users on the 5GC core network side to use a logically independent core network system in Internet of Things or vertical industry environments, and keeps the core network elements of Internet of Things and vertical industry customer groups logically independent of those of ordinary users. It meets the various needs of different types of users for network delay, bandwidth, number of connections, security level, and application environment customization.
- Figure 1 shows the system framework of the 5G core network
- FIG. 2 shows a diagram of an example environment of a network slicing security architecture according to an embodiment of the present disclosure
- Fig. 3 shows a flow chart of constructing a secure environment for an end user UE according to an embodiment of the present disclosure
- Fig. 4 shows a block diagram of a 5G core network network slicing device according to an embodiment of the present disclosure.
- Figure 5 shows an example architecture of a 5G core network slicing network security environment.
- the system will slice the core network resources according to the needs of users (similar to deploying independent network element equipment) to meet the needs of the corresponding set of customer groups; the purpose is to meet the needs of IoT and various types of private network user groups.
- the 5G core network has newly added the function of network slicing, providing independent core network elements in logical domains for user groups with different types of requirements.
- in the 5G network, when a user enters the network and starts to register, the 5GC performs network slice distribution for users who connect to the system after passing authentication.
- network slice refers to the implementation of network data similar to traffic
- Indicators are used to divide, so as to deal with complex and changeable application scenarios.
- the security protection level Si is input as a necessary option parameter.
- according to the level of Si, the network slicing network elements (AMF/SMF/UDM/UPF/PCF/AUSF) are preset in the software, hardware, and network environments required by different security levels.
- Fig. 2 shows a diagram of an example environment of a network slicing security architecture according to an embodiment of the present disclosure.
- the corresponding security protection level Si is set for the network slices allocated to the end users who enter the network, so that the corresponding network slice network elements are preset to the environment corresponding to the security protection level Si.
- the network slicing network element may include access and mobility management function AMF, session management function SMF, unified data management UDM, user plane function UPF, policy control function PCF, and authentication server function AUSF.
- although AMF/SMF/UDM/UPF/PCF/AUSF are used as examples of network slicing network elements for description, the present disclosure is not limited to this, but may include other network slicing network elements.
- a sliced network security policy controller SPCF as an example of a security protection level setting module (processing unit) can be set in the 5G network.
- the SPCF is used to generate the Si level defined according to the embodiment of the present disclosure.
- Si can be {S1, S2, S3, S4, S5, ... Sn}, that is, SPCF can be used to define n security protection levels, where n is an integer.
- the network slice network elements allocated to the end user UE are preset to different software, hardware, network and other environments.
- FIG. 3 shows a flowchart of constructing a secure environment for an end user UE according to an embodiment of the present disclosure.
- building a secure environment for the end user UE includes:
- S302 Construct a 5G core network slicing security environment.
- the end user UE can set the 5G core network slice security protection level Si through the set slice network security policy controller SPCF.
- Si can specifically be one of S1, S2, S3, S4, S5, ... Sn.
- five security protection levels S1/S2/S3/S4/S5 are defined, but in actual applications, it can be dynamically expanded according to requirements.
- isolated_Level represents the degree of security isolation, a security level defined for the network slicing security environment of the 5G core network; its value indicates the isolation level of the deployment platform on which the network slice runs. inf_Audit represents the core network interface, and its value indicates the security audit of each network interface. Mrg_Audit represents the management interface, and its value represents the audit of the network management interface. content_DPI represents the external network interface, and its value indicates the DPI deep packet analysis of user data.
- the security isolation level isolated_Level = {public_cloud, pravited_cloud, hardware_isolated}, where public_cloud has the lowest security: each network element of the 5G core network is completely in the shared cloud and, depending on the security of the cloud, may be attacked from the public network.
- pravited_cloud is relatively safer than public_cloud. It is deployed in an independent network environment and differs from public_cloud only in where it is deployed; it may still receive public network security attacks, but the probability is lower than with the public cloud.
- although isolated_Level includes public_cloud, pravited_cloud, and hardware_isolated, the present invention is not limited to this, but may also include other security isolation levels.
- the isolated_Level element can contain any security isolation degree.
- the network interface inf_Audit represents each interface in the 5GC network, and its value represents the security audit of each interface.
- the network interface inf_Audit = {N1, N2, N3, N4, N5, N6, N7, N8, N9}.
- the N1, N2, N3, N4, N5, N7, and N8 interfaces are the internal network interfaces of the 5G core network
- the N6 and N9 interfaces are the external network interfaces in the 5G core network for external communication.
- stricter auditing is required.
- OFF: 0, which means no audit
- ON: 1, which means audit.
- the element of inf_Audit includes N1, N2, N3, N4, N5, N6, N7, N8, N9, the present invention is not limited to this, but may also include other network interfaces. In other words, the element of inf_Audit can contain any network interface.
- the network management interface Mrg_Audit represents the 5GC network element management interface, and its value represents the audit of each management interface.
- although the examples of Mrg_Audit include Mgr_AMF, Mgr_SMF, Mgr_UDM, Mgr_PCF, and Mgr_UPF, the present invention is not limited to this, but may also include other network management interfaces.
- the element of Mrg_Audit can contain any network management interface.
- content_DPI represents deep packet inspection of the content on the external network interface, and its value represents the audit of the data packets.
- the UPF network element is an external interface for user data, and performs deep data packet analysis on the content of the UPF's N6/N9 network interface.
- although the elements of content_DPI include N6_DPI and N9_DPI, the present invention is not limited to this, but may also include deep packet inspection of the content of other external network interfaces.
- the content_DPI element can contain any external network interface content depth data packet.
- each parameter in the protection level Si has been defined.
- five safety protection levels S1/S2/S3/S4/S5 are also specifically defined. It should be clear that in actual applications, it can be dynamically expanded according to requirements.
- the sub-elements included in these elements may not be limited to those shown above, but may include other sub-elements.
- the user's slice network environment is complete, physically isolated from other 5GC network slices, using physical isolation deployment (hardware_isolated).
- the open network interface N2/N3 communicates with (R)AN
- the open network interface N6 communicates with the user’s application server Appserver
- (R)AN, the Appserver and the 5GC network slice require the same S1-level security environment
- the N2/N3/N6 interfaces have authentication and security protection.
- N1/N4/N5/N7/N8/N9 are not exposed externally, and are only used inside the 5GC network slice.
- the S1 security level is the highest level of security protection in 5GC network slices.
- the user's slice network is completely the same as other users of this level. Users who access this 5GC slice network are required to obtain full authorization and complete trust.
- the visitor is required to be a user of the S1 level of the system, and the visiting user is also an operating entity in the environment, in the same security instance environment. Under the S1 security level, user data integrity is fully guaranteed.
- the S1 security level is sliced in the 5GC network.
- the management and application server that is required to be connected to it is a fully trusted device, and has the same physical isolation security protection level.
- the management interface audit of the network element can be closed.
- the operating deployment platform requires security and stability, and the hardware isolation level is adopted.
- the network interface is the interface between 5GC internal network elements and external network elements. Under the S1 security protection level, security review is required to be enabled.
- the N6/N9 network interface is connected to the outside world, and the security audit function must be enabled.
- the management interface of 5GC network elements does not control user behavior, and has low security requirements.
- PCF/UPF has user behavior control and requires security audits before the user can log in and operate on user account opening, account cancellation, QoS, billing and other data.
- the external network interface N6/N9 must perform DPI deep packet analysis on user data to prevent users from unsafe behavior.
- the user's slice network environment is complete, physically isolated from other 5GC network slices, using physical isolation deployment (hardware_isolated). Part of the network interfaces, the management network interfaces, and the external network interface N6 are audited.
- the operating deployment platform requires security and stability, and the hardware isolation level is adopted.
- the network interface is the interface between the 5GC internal network element and the external network element. Under the S2 security protection level, the internal network interface does not enable security auditing.
- the N6/N9 network interface is connected to the outside world, and the security audit function must be enabled.
- the management interface of 5GC network elements does not control user behavior, and has low security requirements.
- PCF/UPF has user behavior control and requires security audits before the user can log in and operate on user account opening, account cancellation, QoS, billing and other data.
- the external network interface N6 performs DPI deep packet analysis on user data to prevent users from unsafe behavior.
- the N9 interface is a roaming data interface, internal or external. It receives data from the local network and has GTP tunnel encapsulation, so the DPI deep packet analysis function for user data can be removed.
- the user's slice network environment is complete, and it does not need to be physically isolated from other 5GC network slices, and uses private cloud deployment (private_cloud). Part of the network interfaces, the management network interfaces, and the external network interface N6 are audited.
- the value of each element in Si is set as follows
- marking protection is required for the running deployment platform, and private cloud level deployment is adopted.
- the network interface is the interface between the 5GC internal network element and the external network element. Under the S2 security protection level, the internal network interface does not enable security auditing.
- the N6/N9 network interface is connected to the outside world, and the security audit function must be enabled.
- the management interface of the 5GC network element requires a security audit before the user can log in.
- the external network interface N6/N9 performs DPI deep packet analysis on user data to prevent users from unsafe behavior.
- the user's slice network environment is complete, and it does not need to be physically isolated from other 5GC network slices, and uses private cloud deployment (private_cloud). Part of the network interfaces, the management network interfaces, and the external network interface N6 are audited.
- marking protection is required for the running deployment platform, and private cloud level deployment is adopted.
- the network interface is the interface between the 5GC internal network element and the external network element. Under the S3 security protection level, the internal network interface does not enable security auditing.
- the N6/N9 network interface is connected to the outside world, and the security audit function must be enabled.
- 5GC network elements are deployed in a private cloud environment, and their management interfaces require security audits before users can log in.
- DPI deep packet analysis is performed on the user data of the external network interface N6/N9 to prevent users from unsafe behavior.
- the N9 interface is a roaming data interface, internal or external. It receives data from the local network and has GTP tunnel encapsulation, so the DPI deep packet analysis function for user data can be removed.
- the user's slice network environment is complete, and it does not need to be physically isolated from other 5GC network slices, and uses public cloud deployment (public_cloud).
- public_cloud There is no DPI deep packet inspection for some network interface audits, management network interfaces, and external network interfaces.
- marking protection is required for the running deployment platform, and private cloud level deployment is adopted.
- the network interface is the interface between the 5GC internal network element and the external network element. Under the S3 security protection level, the internal network interface does not enable security auditing.
- the N6/N9 network interface is connected to the outside world, and the security audit function must be enabled.
- 5GC network elements are deployed in a shared cloud environment, and their management interfaces require security audits before users can log in.
- the external network interface N6/N9 user data is subjected to DPI deep packet analysis to prevent users from unsafe behavior.
- the N9 interface is a roaming data interface, internal or external. It receives data from the local network and has GTP tunnel encapsulation, so the DPI deep packet analysis function for user data can be removed.
- the embodiments of the present disclosure are described with five security protection levels S1-S5, but the present disclosure is not limited to this, but more or less security protection levels may be used.
- an embodiment of the present disclosure also provides a 5G core network network slicing device 400 corresponding to the foregoing method embodiment, and the device includes:
- the network slicing module 401 is configured to perform network slicing on the 5G core network to obtain network slicing network elements of the network slice;
- the security protection level setting module 402 is configured to set a security protection level Si for the network slice, where i is an integer;
- the presetting module 403 is configured to preset the network slice network elements of the network slice to an environment corresponding to the security protection level Si according to the security protection level Si.
- the network slicing method and device of the 5G core network allow independent users on the 5GC core network side to use a logically independent core network system in Internet of Things or vertical industry environments, and keep the core network elements of Internet of Things and vertical industry customer groups logically independent of those of ordinary users, to meet the various needs of different types of users for network delay, bandwidth, number of connections, security level, and application environment customization.
- a security policy controller SPCF unit for network slicing is added to receive the Sn security protection level input by the user, obtain the security policy of each network slice and construct a security environment instance for it, so as to protect the security of the newly generated network elements in the network slice, construct a security barrier, and provide protection for the safe operation of the 5GC system.
- the 5GC core network allocates different 5GC core network slice resources according to the slicing requirements of the terminal user UE when the end user UE enters the network through the default (initial) slice.
- a slicing policy security controller unit namely: slicing policy security controller SFCF
- SFCF slicing policy security controller
- five basic security protection levels such as S1/S2/S3/S4/S5, are defined to meet the current 5GC network slicing requirements for different levels of network security protection levels for various users.
- Si security protection level is based on the basic cloud and hardware platform deployed by 5GC network elements, 5GC network element network interface, 5GC network management interface, and 5GC external network interface security requirements, and 5 levels of security protection level configuration are proposed.
- the terminal user UE of the 5G network performs UE access authentication communication with the public (default) network slice of 5GC through gNB and, according to the UE's demand for network slice, is allocated to or enters the corresponding 5GC core network slice network.
- for network slices, please refer to the patents: CN107580360A, a method, equipment and network architecture for network slice selection; CN108495358A, a network slice selection method based on NFV; CN108566289A, a design management method based on 5G mobile communication network slice architecture. The entire content of these patents is incorporated herein by reference.
- 501 when 501 submits an application for 5GC network slicing requirements, 502 submits a security protection level Si to the slicing policy security controller SPCF according to the UE end user, and requires that the environment of 5GC network slicing provides a corresponding Si-level network Security level requirements.
- the 5GC network slicing resources (AMF/SMF/UDM/PCF/UPF) allocated to the current UE end users are constructed to construct the corresponding level of security protection environment instance. It is used to protect the security of UE terminal users.
- the 5GC slice network service network element provided for it is allocated according to the security protection level Si requirements of the UE terminal user
- the corresponding basic network security instance for the security protection requirements will effectively protect UE end users' requirements for basic network security in the 5GC slice network, and also meet the different security requirements of 5GC slice network instances in different vertical industries (private networks).
- embodiments of the present disclosure define five basic 5GC network slice security levels based on general network security requirements, which can also be dynamically expanded according to specific application environment requirements.
- the embodiments of the present disclosure define network interface security audit, management interface security audit, external network interface DPI deep packet inspection, external network interface DPI, etc. based on the characteristics of the 5GC network slice network element AMF/SMF/UDM/PCRF/UPF. It satisfies the security audit of the internal and external interfaces of the 5GC network slicing and the deep data packet analysis function of the data message.
- complete security protection provided independently for a single network element AMF/SMF/UDM/UPF/PCF can also achieve the purpose of security protection, but attacks such as DDoS attacks and network congestion cannot be well protected against, because it is independent network element protection.
- the entire 5GC core network element can be protected, and a good 5GC single network element can be protected.
- This solution proposes to combine 5GC network slicing with the basic network element security protection of the mobile communication core network, in particular combining, for the network elements after 5GC network slicing, their own security, the audit function of the network interface, management interface, and external network interface, and the external interface DPI function with security protection.
- the 5GC network slicing network elements according to the new specification, all run on the cloud platform. This will bring major security risks to 5GC network slicing.
- the method proposed in this solution effectively meets the security protection requirements of customers of 5GC network slicing at all levels, and addresses users' requirements for security very well.
- the method of the embodiment of the present disclosure combines the security challenges faced by the 5GC slicing network with the protection needs of users, and will effectively solve the security problem of the 5GC network slicing and maintain the security and stability of the network.
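
The security protection level Si = {isolated_Level, inf_Audit, Mrg_Audit, content_DPI} defined above can be checked mechanically, both when a level is defined and when a deployed slice is compared against it. The following is an added example, not code from the patent: the class and function names, the `observed` record format, and the flag values of the sample level (built from the page's prose for the level it calls S2, since the patent's own value table is not on the page) are assumptions.

```python
from dataclasses import dataclass

# Element names and value sets as written on the page (spellings kept, e.g. pravited_cloud).
# Treating them as closed sets is an assumption of this example; the page says they may be extended.
ISOLATION_ORDER = ("public_cloud", "pravited_cloud", "hardware_isolated")  # lowest -> highest
NETWORK_IFS = tuple(f"N{i}" for i in range(1, 10))
EXTERNAL_IFS = ("N6", "N9")
MGMT_IFS = ("Mgr_AMF", "Mgr_SMF", "Mgr_UDM", "Mgr_PCF", "Mgr_UPF")
DPI_IFS = ("N6_DPI", "N9_DPI")
OFF, ON = 0, 1


@dataclass(frozen=True)
class SecurityLevel:
    """One security protection level Si = {isolated_Level, inf_Audit, Mrg_Audit, content_DPI}."""
    name: str
    isolated_Level: str
    inf_Audit: dict
    Mrg_Audit: dict
    content_DPI: dict


def _check_flags(label, flags, allowed, errors):
    """Every allowed element must be present with value OFF or ON; nothing else is accepted."""
    for key in allowed:
        if key not in flags:
            errors.append(f"{label}: {key} is missing (no implicit default)")
        elif flags[key] not in (OFF, ON):
            errors.append(f"{label}: {key} has invalid value {flags[key]!r}")
    for key in flags:
        if key not in allowed:
            errors.append(f"{label}: unknown element {key}")


def validate(level):
    """Return a list of problems with a level definition; an empty list means it is usable."""
    errors = []
    if level.isolated_Level not in ISOLATION_ORDER:
        errors.append(f"isolated_Level: unknown value {level.isolated_Level!r}")
    _check_flags("inf_Audit", level.inf_Audit, NETWORK_IFS, errors)
    _check_flags("Mrg_Audit", level.Mrg_Audit, MGMT_IFS, errors)
    _check_flags("content_DPI", level.content_DPI, DPI_IFS, errors)
    # The page states for every level that N6/N9 face the outside world and must be audited.
    for itf in EXTERNAL_IFS:
        if level.inf_Audit.get(itf) != ON:
            errors.append(f"inf_Audit: external interface {itf} must have audit enabled")
    return errors


def drift(level, observed):
    """List the points where a deployed slice is weaker than its declared level.

    `observed` is a hypothetical inventory record:
    {"isolated_Level": str, "audit": {interface: flag}, "dpi": {interface: flag}}.
    """
    if validate(level):
        raise ValueError("level definition is invalid; validate it first")
    findings = []
    want = ISOLATION_ORDER.index(level.isolated_Level)
    got_name = observed.get("isolated_Level")
    got = ISOLATION_ORDER.index(got_name) if got_name in ISOLATION_ORDER else -1
    if got < want:
        findings.append(f"isolation {got_name!r} is weaker than required {level.isolated_Level!r}")
    required_audit = {**level.inf_Audit, **level.Mrg_Audit}
    for itf, flag in required_audit.items():
        if flag == ON and observed.get("audit", {}).get(itf) != ON:
            findings.append(f"audit not active on {itf}")
    for itf, flag in level.content_DPI.items():
        if flag == ON and observed.get("dpi", {}).get(itf) != ON:
            findings.append(f"DPI not active on {itf}")
    return findings


# Constructed sample: hardware isolation, internal interfaces not audited, N6/N9 audited,
# PCF/UPF management audited, DPI on N6 only. The exact flags are assumptions.
S2_EXAMPLE = SecurityLevel(
    name="S2",
    isolated_Level="hardware_isolated",
    inf_Audit={itf: (ON if itf in EXTERNAL_IFS else OFF) for itf in NETWORK_IFS},
    Mrg_Audit={"Mgr_AMF": OFF, "Mgr_SMF": OFF, "Mgr_UDM": OFF, "Mgr_PCF": ON, "Mgr_UPF": ON},
    content_DPI={"N6_DPI": ON, "N9_DPI": OFF},
)

# Constructed observation of a deployed slice that has drifted from S2_EXAMPLE.
OBSERVED = {
    "isolated_Level": "pravited_cloud",
    "audit": {"N6": ON, "N9": OFF, "Mgr_PCF": ON, "Mgr_UPF": ON},
    "dpi": {"N6_DPI": OFF},
}

if __name__ == "__main__":
    print(validate(S2_EXAMPLE))
    for finding in drift(S2_EXAMPLE, OBSERVED):
        print(finding)
```
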
Claims (10)
- 一种5G核心网的网络切片方法,其特征在于,所述方法包括:A network slicing method for a 5G core network, characterized in that the method includes:对5G核心网进行网络切片以获得网络切片的网络切片网元;Perform network slicing on the 5G core network to obtain network sliced network elements;对网络切片设置安全防护等级Si,其中i为整数;以及Set the security protection level Si for the network slice, where i is an integer; and根据所述安全防护等级Si,将所述网络切片的网络切片网元预置到与所述安全防护等级Si对应的环境。According to the security protection level Si, preset the network slice network elements of the network slice to an environment corresponding to the security protection level Si.
- 根据权利要求1所述的5G核心网的网络切片方法,其特征在于,所述网络切片网元包括以下网络切片网元中的至少一种:AMF、SMF、UDM、AUSF、PCF和AUSF。The 5G core network network slicing method according to claim 1, wherein the network slicing network element comprises at least one of the following network slicing network elements: AMF, SMF, UDM, AUSF, PCF, and AUSF.
- 根据权利要求1或2所述的基于5G核心网的网络切片方法,其特征在于,所述5G核心网设置有切片网络安全策略控制器SPCF,所述切片网络安全策略控制器SPCF被配置为设置网络切片的安全防护等级Si。The network slicing method based on the 5G core network according to claim 1 or 2, wherein the 5G core network is provided with a slice network security policy controller SPCF, and the slice network security policy controller SPCF is configured to set The security protection level of network slicing is Si.
- 根据权利要求3所述的5G核心网的网络切片方法,其特征在于,所述安全防护等级Si的定义如下:The 5G core network network slicing method according to claim 3, wherein the definition of the security protection level Si is as follows:Si={isolated_Level,inf_Audit,Mrg_Audit,content_DPI,…};其中,Si = {isolated_Level, inf_Audit, Mrg_Audit, content_DPI,...}; where,isolated_Level表示安全隔离度,其值指示网络切片运行的部署平台的隔离等级;isolated_Level represents the degree of security isolation, and its value indicates the isolation level of the deployment platform on which the network slice runs;inf_Audit表示网络接口,其值指示对各网络接口的安全审计;inf_Audit represents the network interface, and its value indicates the security audit of each network interface;Mrg_Audit表示管理接口,其值指示对各管理接口的安全审计;Mrg_Audit represents the management interface, and its value indicates the security audit of each management interface;content_DPI表示对外网络接口,其值指示对用户数据的DPI深度数据包解析。content_DPI represents the external network interface, and its value indicates the DPI deep packet analysis of user data.
- The network slicing method for a 5G core network according to claim 4, characterized in that the security isolation degree isolated_Level = {public_cloud, pravited_cloud, hardware_isolated}; where
  public_cloud means that each network element of the 5G core network is deployed entirely in a shared cloud;
  pravited_cloud means that each network element of the 5G core network is deployed in an independent network environment;
  hardware_isolated means that each network element of the 5G core network is deployed with physical isolation.
- The network slicing method based on the 5G core network according to claim 5, characterized in that the network interface inf_Audit = {N1, N2, N3, N4, N5, N6, N7, N8, N9}; where
  the N1, N2, N3, N4, N5, N7 and N8 interfaces are internal network interfaces of the 5G core network; and
  the N6 and N9 interfaces are the network interfaces of the 5G core network that connect to the outside and are used for external communication.
- The network slicing method for a 5G core network according to claim 6, characterized in that the management interface Mrg_Audit = {Mgr_AMF, Mgr_SMF, Mgr_UDM, Mgr_PCF, Mgr_UPF}; where
  Mgr_AMF represents the AMF network element management interface;
  Mgr_SMF represents the SMF network element management interface;
  Mgr_UDM represents the UDM network element management interface;
  Mgr_PCF represents the PCF network element management interface; and
  Mgr_UPF represents the UPF network element management interface.
- The network slicing method for a 5G core network according to claim 7, characterized in that the external network interface content_DPI = {N6_DPI, N9_DPI}, where N6_DPI represents the external network interface N6 and N9_DPI represents the external network interface N9.
- The network slicing method for a 5G core network according to claim 8, characterized in that Si = {S1, S2, S3, S4, S5}, and
  in S1, isolated_Level=hardware_isolated, inf_Audit={N1=1, N2=1, N3=1, N4=1, N5=1, N6=1, N7=1, N8=1, N9=1}, Mrg_Audit={Mgr_AMF=0, Mgr_SMF=0, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=0}, content_DPI={N6_DPI=1, N9_DPI=1};
  in S2, isolated_Level={hardware_isolated}, inf_Audit={N1=0, N2=0, N3=0, N4=0, N5=0, N6=1, N7=0, N8=0, N9=1}, Mrg_Audit={Mgr_AMF=1, Mgr_SMF=1, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=1}, content_DPI={N6_DPI=1, N9_DPI=0};
  in S3, isolated_Level={prvated_cloud}, inf_Audit={N1=0, N2=0, N3=0, N4=0, N5=0, N6=1, N7=0, N8=0, N9=1}, Mrg_Audit={Mgr_AMF=1, Mgr_SMF=1, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=1}, content_DPI={N6_DPI=1, N9_DPI=1};
  in S4, isolated_Level={prvated_cloud}, inf_Audit={N1=0, N2=0, N3=0, N4=0, N5=0, N6=1, N7=0, N8=0, N9=1}, Mrg_Audit={Mgr_AMF=1, Mgr_SMF=1, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=1}, content_DPI={N6_DPI=1, N9_DPI=0};
  in S5, isolated_Level={public_cloud}, inf_Audit={N1=0, N2=0, N3=0, N4=0, N5=0, N6=1, N7=0, N8=0, N9=1}, Mrg_Audit={Mgr_AMF=1, Mgr_SMF=1, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=1}, content_DPI={N6_DPI=1, N9_DPI=0}.
- A network slicing apparatus for a 5G core network, characterized in that the apparatus comprises:
  a network slicing module, configured to perform network slicing on the 5G core network to obtain the network slice network elements of a network slice;
  a security protection level setting module, configured to set a security protection level Si for the network slice, where i is an integer; and
  a preset module, configured to preset, according to the security protection level Si, the network slice network elements of the network slice to an environment corresponding to the security protection level Si.
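The profile structure of claims 4 to 9, as an added example that is not part of the patent text: it encodes S1 to S5 as data, checks a record against the claimed field definitions, and lists what each level monitors and what it leaves unmonitored. The function names and dictionary layout are hypothetical, and claim 9's prvated_cloud is assumed to mean claim 5's pravited_cloud.

```python
# Added example (not from the patent): claim 9's S1..S5 profiles as data.
# Function names and the dict layout are hypothetical; values come from claims 4-9.
ISOLATION = ("public_cloud", "pravited_cloud", "hardware_isolated")  # claim 5 spelling
INTERFACES = [f"N{i}" for i in range(1, 10)]                   # claim 6
EXTERNAL = ["N6", "N9"]                                        # claim 6: external-facing
MGR = ["Mgr_AMF", "Mgr_SMF", "Mgr_UDM", "Mgr_PCF", "Mgr_UPF"]  # claim 7
DPI = ["N6_DPI", "N9_DPI"]                                     # claim 8
FIELDS = (("inf_Audit", INTERFACES), ("Mrg_Audit", MGR), ("content_DPI", DPI))

def profile(isolation, inf, mgr, dpi):
    """Build one Si record; every key is present with an explicit 0 or 1."""
    on = {"inf_Audit": inf, "Mrg_Audit": mgr, "content_DPI": dpi}
    rec = {f: {k: int(k in on[f]) for k in keys} for f, keys in FIELDS}
    return {"isolated_Level": isolation, **rec}

# Claim 9 writes "prvated_cloud" for S3/S4; assumed here to be claim 5's pravited_cloud.
LEVELS = {
    "S1": profile("hardware_isolated", INTERFACES, ["Mgr_UDM", "Mgr_PCF"], DPI),
    "S2": profile("hardware_isolated", EXTERNAL, MGR, ["N6_DPI"]),
    "S3": profile("pravited_cloud", EXTERNAL, MGR, DPI),
    "S4": profile("pravited_cloud", EXTERNAL, MGR, ["N6_DPI"]),
    "S5": profile("public_cloud", EXTERNAL, MGR, ["N6_DPI"]),
}

def validate(p):
    """Return the names of fields that do not match the schema of claims 4-8."""
    bad = [] if p.get("isolated_Level") in ISOLATION else ["isolated_Level"]
    for field, keys in FIELDS:
        got = p.get(field)
        if not isinstance(got, dict) or set(got) != set(keys) \
                or any(v not in (0, 1) for v in got.values()):
            bad.append(field)
    return bad

def resolve(level):
    """Placement environment and enabled monitoring points for a level (fail closed)."""
    p = LEVELS[level]
    if validate(p):
        raise ValueError(f"{level}: invalid fields {validate(p)}")
    enabled = {f: [k for k, v in p[f].items() if v] for f, _ in FIELDS}
    return {"environment": p["isolated_Level"], **enabled}

def coverage_gaps(level):
    """What a level leaves unmonitored: useful when reviewing a slice's placement."""
    p = LEVELS[level]
    return {"unaudited_interfaces": [k for k, v in p["inf_Audit"].items() if not v],
            "unaudited_mgmt": [k for k, v in p["Mrg_Audit"].items() if not v],
            "external_without_dpi": [n for n in EXTERNAL if not p["content_DPI"][n + "_DPI"]]}
```

Running coverage_gaps over the five levels makes the trade-off in claim 9 visible: S1 audits every N interface but only two management interfaces, while S2 to S5 audit all management interfaces and only the external N6 and N9.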
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910728552.7A CN110401946A (en) | 2019-08-08 | 2019-08-08 | The network dicing method and network slicing device of 5G core net |
CN201910728552.7 | 2019-08-08 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021022764A1 (en) | 2021-02-11 |
Family
ID=68327802
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/127743 WO2021022764A1 (en) | 2019-08-08 | 2019-12-24 | Network slicing method and network slicing apparatus for 5g core network |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110401946A (en) |
WO (1) | WO2021022764A1 (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110401946A (en) * | 2019-08-08 | 2019-11-01 | 广州爱浦路网络技术有限公司 | The network dicing method and network slicing device of 5G core net |
CN111131258B (en) * | 2019-12-26 | 2022-04-08 | 中移(成都)信息通信科技有限公司 | Safe private network architecture system based on 5G network slice |
CN111200812B (en) * | 2020-01-07 | 2021-07-20 | 广州爱浦路网络技术有限公司 | Method for accelerating NFs mutual discovery in 5G core network |
CN111292570B (en) * | 2020-04-01 | 2021-09-17 | 广州爱浦路网络技术有限公司 | Cloud 5GC communication experiment teaching system and teaching method based on project type teaching |
US20230179638A1 (en) * | 2020-05-06 | 2023-06-08 | Nokia Technologies Oy | Method and apparatus for preventing network attacks in a network slice |
CN113852479B (en) * | 2020-06-28 | 2022-12-02 | 中移(成都)信息通信科技有限公司 | Secure network construction method, device, equipment and computer storage medium |
CN111885031B (en) * | 2020-07-13 | 2023-03-31 | 董鹏 | Fine-grained access control method and system based on session process |
CN116097760A (en) | 2020-08-03 | 2023-05-09 | 上海诺基亚贝尔股份有限公司 | Method and apparatus for fine granularity isolation in CN-NSS domain of E2E network slices |
CN112995228B (en) * | 2021-05-14 | 2021-07-13 | 广东省新一代通信与网络创新研究院 | Method and system for switching N9 port call of 5GC |
CN113554776A (en) * | 2021-06-23 | 2021-10-26 | 广东润建电力科技有限公司 | Power distribution room intelligent inspection and operation and maintenance method, system and device based on 5G message |
CN113923689A (en) * | 2021-08-31 | 2022-01-11 | 南京理工大学紫金学院 | Method and system for comprehensively checking services after version upgrading by DPI equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106792692A (en) * | 2016-12-27 | 2017-05-31 | 兴唐通信科技有限公司 | A kind of physics dicing method based on SDN technologies |
US20170164212A1 (en) * | 2015-09-29 | 2017-06-08 | Telefonaktiebolaget L M Ericsson (Publ) | Network slice management |
CN109951440A (en) * | 2019-01-22 | 2019-06-28 | 中国人民解放军战略支援部队信息工程大学 | A kind of 5G network slice example dynamic switching method and function |
CN110401946A (en) * | 2019-08-08 | 2019-11-01 | 广州爱浦路网络技术有限公司 | The network dicing method and network slicing device of 5G core net |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
BR112019006281A2 (en) * | 2016-09-30 | 2019-07-02 | Huawei Tech Co Ltd | network slice management method and management unit |
-
2019
- 2019-08-08 CN CN201910728552.7A patent/CN110401946A/en active Pending
- 2019-12-24 WO PCT/CN2019/127743 patent/WO2021022764A1/en active Application Filing
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116208959A (en) * | 2023-05-04 | 2023-06-02 | 中建五洲工程装备有限公司 | Digital intelligent manufacturing management method and system based on 5G private network |
CN116546530A (en) * | 2023-07-03 | 2023-08-04 | 阿里巴巴(中国)有限公司 | Core network configuration method, device, equipment, storage medium and communication system |
CN116546530B (en) * | 2023-07-03 | 2023-11-17 | 阿里巴巴(中国)有限公司 | Core network configuration method, device, equipment, storage medium and communication system |
Also Published As
Publication number | Publication date |
---|---|
CN110401946A (en) | 2019-11-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021022764A1 (en) | Network slicing method and network slicing apparatus for 5g core network | |
Kotulski et al. | Towards constructive approach to end-to-end slice isolation in 5G networks | |
EP3565306B1 (en) | Quality of service provisioning for wireless networks | |
US11711754B2 (en) | Dynamic functional partitioning for security pass-through virtual network function (VNF) | |
US8032653B1 (en) | Guaranteed bandwidth sharing in a traffic shaping system | |
WO2020007202A1 (en) | Data transmission method, device and system | |
US9183374B2 (en) | Techniques for identity-enabled interface deployment | |
US11102176B2 (en) | Community WiFi access point (AP) virtual network function (VNF) with WiFi protected access 2 (WPA2) pass-through | |
WO2021037175A1 (en) | Network slice management method and related device | |
US20140379928A1 (en) | Method for implementing network using distributed virtual switch, apparatus for performing the same, and network system based on distributed virtual switch | |
CN107810623A (en) | Across more security level/service management of multiple network function examples | |
US20170245170A1 (en) | Dynamic Application QoS Profile Provisioning | |
CN114189905A (en) | Message processing method and related equipment | |
US20080117821A1 (en) | Adaptive quality of service in an easy virtual private network environment | |
US11395174B2 (en) | Systems and methods for optimized LTE private networks | |
CN110383792A (en) | The load balance that wireless subscriber packet is handled by more packet processing cores | |
BR112020025388A2 (en) | METHOD TO PROVIDE RESTRICTED SERVICE, COMMUNICATIONS DEVICE, COMMUNICATIONS SYSTEM AND COMPUTER-READABLE MEDIA | |
CN110870256B (en) | Method, system and computer readable medium for operating a telecommunication network | |
CN112073330A (en) | Cloud platform container network current limiting method | |
CN112087777A (en) | Method, device and system for determining MDBV | |
Griffioen et al. | VIP Lanes: High-speed custom communication paths for authorized flows | |
CN112187660A (en) | Tenant flow limiting method and system for cloud platform container network | |
KR101643829B1 (en) | System and method for cloud-based implementation of control of focused overload of network element (cofo-ne) | |
Chen et al. | Realization of 5g network slicing using open source softwares | |
CN110999371B (en) | Virtual anchor in anchorless mobile network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19940695 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 19940695 Country of ref document: EP Kind code of ref document: A1 |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07.10.2022) |