WO2021022764A1 - Network slicing method and network slicing apparatus for 5g core network - Google Patents


Info

Publication number
WO2021022764A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
mgr
dpi
audit
level
Prior art date
Application number
PCT/CN2019/127743
Other languages
French (fr)
Chinese (zh)
Inventor
吕东
周远长
苏国章
Original Assignee
广州爱浦路网络技术有限公司
Priority date
Filing date
Publication date
Application filed by 广州爱浦路网络技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0893 Assignment of logical groups to network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/16 Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Definitions

  • the invention relates to the field of wireless communication, in particular to a network slicing method and a network slicing device of a 5G core network.
  • the overall deployment of the 5G core network (hereinafter referred to as: 5GC) is based on the public cloud platform NFV/SDN (Virtualization and Software Defined Networking) environment.
  • Figure 1 shows the overall block diagram of the 5GC.
  • in this deployment model, the security protection needs of users in multi-level Internet of Things and vertical industry (private network) scenarios cannot be met, including the security of 5GC's own signaling and the security of UE user-plane data transmitted over 5GC.
  • for the network slicing function intended for Internet of Things and vertical industry (private network) use, the 3GPP specifications do not propose a corresponding network security protection definition for the sliced core network elements serving Internet of Things or vertical industry (private network) users.
  • CN107580360A a method, equipment and network architecture for network slice selection
  • CN108495358A a method for network slice selection based on NFV
  • CN108566289A based on 5G mobile communication network slice architecture design management Method
  • the present invention provides a network slicing method and a network slicing device for a 5G core network to solve the problems raised in the background art.
  • a network slicing method for a 5G core network includes:
  • according to the security protection level Si, the network slice network elements of the network slice are preset to an environment corresponding to the security protection level Si.
  • the network slice network element includes at least one of the following network slice network elements: AMF, SMF, UDM, UPF, PCF, and AUSF.
  • the 5G core network is provided with a slice network security policy controller SPCF, and the slice network security policy controller SPCF is configured to set the security protection level Si of the network slice.
  • the security protection level Si is defined as follows:
  • Si = {isolated_Level, inf_Audit, Mrg_Audit, content_DPI, ...};
  • isolated_Level represents the degree of security isolation, and its value indicates the isolation level of the deployment platform on which the network slice runs;
  • inf_Audit represents the network interface, and its value indicates the security audit of each network interface
  • Mrg_Audit represents the management interface, and its value indicates the security audit of each management interface
  • content_DPI represents the external network interface, and its value indicates the DPI deep packet analysis of user data.
  • the security isolation level isolated_Level = {public_cloud, pravited_cloud, hardware_isolated};
  • public_cloud means that each network element of the 5G core network is completely deployed in a shared cloud
  • pravited_cloud means that each network element of the 5G core network is deployed in an independent network environment
  • hardware_isolated indicates that each network element of the 5G core network is deployed in physical isolation.
  • the network interface inf_Audit = {N1, N2, N3, N4, N5, N6, N7, N8, N9};
  • the N1, N2, N3, N4, N5, N7, N8 interfaces are internal network interfaces of the 5G core network.
  • the N6 and N9 interfaces are the external network interfaces in the 5G core network for external communication.
  • the management interface Mrg_Audit = {Mgr_AMF, Mgr_SMF, Mgr_UDM, Mgr_PCF, Mgr_UPF};
  • Mgr_AMF represents the AMF network element management interface
  • Mgr_SMF represents SMF network element management interface
  • Mgr_UDM represents the UDM network element management interface
  • Mgr_PCF represents the PCF network element management interface
  • Mgr_UPF represents UPF network element management interface.
  • the external network interface content_DPI = {N6_DPI, N9_DPI}, where N6_DPI represents the external network interface N6, and N9_DPI represents the external network interface N9.
  • Si ∈ {S1, S2, S3, S4, S5}
  • a network slicing device for a 5G core network includes:
  • the network slicing module is configured to perform network slicing on the 5G core network to obtain network slicing network elements of the network slicing;
  • the security protection level setting module is configured to set the security protection level Si for the network slice, where i is an integer;
  • the preset module is configured to preset the network slice network elements of the network slice to an environment corresponding to the security protection level Si according to the security protection level Si.
  • the network slicing scheme of the 5G core network includes: performing network slicing on the 5G core network to obtain network slicing network elements of the network slicing; setting a security protection level Si for the network slicing, where i is an integer; and, according to the security protection level Si, presetting the network slicing network elements of the network slice to an environment corresponding to the security protection level Si.
  • the method proposed by the present invention supports independent users on the 5GC core network side using a logically independent core network system in an Internet of Things or vertical industry environment, and keeps the core network elements of Internet of Things and vertical industry customer groups logically independent from those of ordinary users, so as to meet the various needs of different types of users for network delay, bandwidth, number of connections, security level, and application environment customization.
  • Figure 1 shows the system framework of the 5G core network
  • FIG. 2 shows a diagram of an example environment of a network slicing security architecture according to an embodiment of the present disclosure
  • Fig. 3 shows a flow chart of constructing a secure environment for an end user UE according to an embodiment of the present disclosure
  • Fig. 4 shows a block diagram of a 5G core network network slicing device according to an embodiment of the present disclosure.
  • Figure 5 shows an example architecture of a 5G core network slicing network security environment.
  • the system slices the core network resources according to the needs of users (similar to deploying independent network element equipment) to meet the needs of the corresponding set of customer groups, the purpose being to meet the needs of IoT and various types of private network user groups.
  • the 5G core network has newly added the function of network slicing, providing independent core network elements in logical domains for user groups with different types of requirements.
  • in the 5G network, when a user enters the network and starts to register, 5GC performs network slice distribution to the user connected to the system after the user passes authentication.
  • network slicing refers to dividing the network according to indicators such as traffic, so as to deal with complex and changeable application scenarios.
  • CN107580360A a method, equipment and network architecture for network slice selection
  • CN108495358A a method for network slice selection based on NFV
  • the security protection level Si is input as a necessary option parameter.
  • according to the level of Si, the network slicing network elements (AMF/SMF/UDM/UPF/PCF/AUSF) are preset in the software, hardware, and network environments required by the different security levels.
  • Fig. 2 shows a diagram of an example environment of a network slicing security architecture according to an embodiment of the present disclosure.
  • the corresponding security protection level Si is set for the network slices allocated to the end users who enter the network, so that the corresponding network slice network elements are preset to the environment corresponding to the security protection level Si.
  • the network slicing network element may include access and mobility management function AMF, session management function SMF, unified data management UDM, user platform function UPF, policy control function PCF, and authentication server function AUSF.
  • AMF/SMF/UDM/UPF/PCF/AUSF are used as an example of network slicing network elements for description; the present disclosure is not limited to this, but may include other network slice network elements.
  • a sliced network security policy controller SPCF as an example of a security protection level setting module (processing unit) can be set in the 5G network.
  • the SPCF is used to generate the Si level defined according to the embodiment of the present disclosure.
  • Si can be {S1, S2, S3, S4, S5, ... Sn}, that is, SPCF can be used to define n security protection levels, where n is an integer.
  • the network slice network elements allocated to the end user UE are preset to different software, hardware, network and other environments.
  • FIG. 3 shows a flowchart of constructing a secure environment for an end user UE according to an embodiment of the present disclosure.
  • building a secure environment for the end user UE includes:
  • S302 Construct a 5G core network slicing security environment.
  • the end user UE can set the 5G core network slice security protection level Si through the set slice network security policy controller SPCF.
  • Si can specifically be one of S1, S2, S3, S4, S5, ... Sn.
  • five security protection levels S1/S2/S3/S4/S5 are defined, but in actual applications, it can be dynamically expanded according to requirements.
  • isolated_Level represents the degree of security isolation, a security level defined for the network slicing security environment of the 5G core network; its value indicates the isolation level of the deployment platform on which the network slice runs. inf_Audit represents the core network interfaces, and its value indicates the security audit of each network interface; Mrg_Audit represents the management interfaces, and its value indicates the audit of each network management interface; content_DPI represents the external network interfaces, and its value indicates the DPI deep packet analysis of user data.
  • the security isolation level isolated_Level = {public_cloud, pravited_cloud, hardware_isolated}, where public_cloud has the lowest security: each network element of the 5G core network sits entirely in a shared cloud, so its security depends on that of the cloud and it may be exposed to public network security attacks.
  • pravited_cloud is relatively safer than public_cloud: the network elements are deployed in an independent network environment, which differs from the public cloud only in where it is deployed, so it may still receive public network security attacks, though with a relatively lower probability than the public cloud.
  • isolated_Level includes public_cloud, pravited_cloud, and hardware_isolated
  • present invention is not limited to this, but may also include other security isolation levels.
  • isolated_Level element can contain any security isolation degree.
  • the network interface inf_Audit represents each interface in the 5GC network, and its value represents the security audit of each interface.
  • the network interface inf_Audit = {N1, N2, N3, N4, N5, N6, N7, N8, N9}.
  • the N1, N2, N3, N4, N5, N7, and N8 interfaces are the internal network interfaces of the 5G core network
  • the N6 and N9 interfaces are the external network interfaces in the 5G core network for external communication.
  • stricter auditing is required.
  • OFF = 0, which means no audit
  • ON = 1, which means audit.
  • the element of inf_Audit includes N1, N2, N3, N4, N5, N6, N7, N8, N9, the present invention is not limited to this, but may also include other network interfaces. In other words, the element of inf_Audit can contain any network interface.
  • the network management interface Mrg_Audit represents the 5GC network element management interface, and its value represents the audit of each management interface.
  • Mrg_Audit examples include Mgr_AMF, Mgr_SMF, Mgr_UDM, Mgr_PCF, and Mgr_UPF
  • the present invention is not limited to this, but may also include other network management interfaces.
  • the element of Mrg_Audit can contain any network management interface.
  • content_DPI represents the content depth data packet of the external network interface, and its value represents the audit of the data packet.
  • the UPF network element is an external interface for user data, and performs deep data packet analysis on the content of the UPF's N6/N9 network interface.
  • the elements of content_DPI include N6_DPI and N9_DPI; the present invention is not limited to this, but may also include content deep packet inspection for other external network interfaces.
  • the content_DPI element can contain any external network interface content depth data packet.
  • each parameter in the protection level Si has been defined.
  • five security protection levels S1/S2/S3/S4/S5 are also specifically defined; it should be clear that in actual applications they can be dynamically expanded according to requirements.
  • the sub-elements included in these elements may not be limited to those shown above, but may include other sub-elements.
  • the user's slice network environment is complete, physically isolated from other 5GC network slices, using physical isolation deployment (hardware_isolated).
  • the open network interface N2/N3 communicates with (R)AN
  • the open network interface N6 communicates with the user’s application server Appserver
  • (R)AN and Appserver and the 5GC network slice require the same S1-level security environment
  • the N2/N3/N6 interfaces have authentication and security protection.
  • N1/N4/N5/N7/N8/N9 are not opened externally and are only used inside the 5GC network slice.
  • the S1 security level is the highest level of security protection in 5GC network slices.
  • the user's slice network is completely the same as other users of this level. Users who access this 5GC slice network are required to obtain full authorization and complete trust.
  • the visitor is required to be a user of the S1 level of the system, and the visiting user is also an operating entity in the environment, in the same security instance environment. Under the S1 security level, user data integrity is fully guaranteed.
  • in a 5GC network slice at the S1 security level, the management and application servers connected to it are required to be fully trusted devices with the same physical isolation security protection level.
  • the management interface audit of the network element can be closed.
  • the operating deployment platform requires security and stability, and the hardware isolation level is adopted.
  • the network interface is the interface between 5GC internal network elements and external network elements. Under the S1 security protection level, security review is required to be enabled.
  • the N6/N9 network interface is connected to the outside world, and the security audit function must be enabled.
  • the management interface of 5GC network elements does not control user behavior, and has low security requirements.
  • PCF/UPF have user behavior control and require security audits before a user can log in to operate on account opening, account cancellation, QoS, billing and other data.
  • the external network interface N6/N9 must perform DPI deep packet analysis on user data to prevent users from unsafe behavior.
  • the user's slice network environment is complete, physically isolated from other 5GC network slices, using physical isolation deployment (hardware_isolated). Audit part of the network interface, management network interface, and external network interface N6 audit.
  • the operating deployment platform requires security and stability, and the hardware isolation level is adopted.
  • the network interface is the interface between the 5GC internal network element and the external network element. Under the S2 security protection level, the internal network interface does not enable security auditing.
  • the N6/N9 network interface is connected to the outside world, and the security audit function must be enabled.
  • the management interface of 5GC network elements does not control user behavior, and has low security requirements.
  • PCF/UPF have user behavior control and require security audits before a user can log in to operate on account opening, account cancellation, QoS, billing and other data.
  • the external network interface N6 performs DPI deep packet analysis on user data to prevent unsafe user behavior.
  • the N9 interface is an internal or external roaming data interface; the data it receives from the local network is GTP tunnel encapsulated, so the DPI user deep packet analysis function can be removed for it.
  • the user's slice network environment is complete, and it does not need to be physically isolated from other 5GC network slices, and uses private cloud deployment (private_cloud). Audit part of the network interface, management network interface, and external network interface N6 audit.
  • the value of each element in Si is set as follows
  • marking protection is required for the running deployment platform, and private cloud level deployment is adopted.
  • the network interface is the interface between the 5GC internal network element and the external network element. Under the S2 security protection level, the internal network interface does not enable security auditing.
  • the N6/N9 network interface is connected to the outside world, and the security audit function must be enabled.
  • the management interface of the 5GC network element requires a security audit before the user can log in.
  • the external network interface N6/N9 performs DPI deep packet analysis on user data to prevent users from unsafe behavior.
  • the user's slice network environment is complete, and it does not need to be physically isolated from other 5GC network slices, and uses private cloud deployment (private_cloud). Audit part of the network interface, management network interface, and external network interface N6 audit.
  • marking protection is required for the running deployment platform, and private cloud level deployment is adopted.
  • the network interface is the interface between the 5GC internal network element and the external network element. Under the S3 security protection level, the internal network interface does not enable security auditing.
  • the N6/N9 network interface is connected to the outside world, and the security audit function must be enabled.
  • 5GC network elements are deployed in a private cloud environment, and their management interfaces require security audits before users can log in.
  • the external network interface N6/N9 user data performs DPI deep packet analysis to prevent users from unsafe behavior.
  • the N9 interface is an internal or external roaming data interface; the data it receives from the local network is GTP tunnel encapsulated, so the DPI user deep packet analysis function can be removed for it.
  • the user's slice network environment is complete, and it does not need to be physically isolated from other 5GC network slices, and uses public cloud deployment (public_cloud).
  • under public_cloud deployment, there is no DPI deep packet inspection for some network interface audits, management network interfaces and external network interfaces.
  • marking protection is required for the running deployment platform, and private cloud level deployment is adopted.
  • the network interface is the interface between the 5GC internal network element and the external network element. Under the S3 security protection level, the internal network interface does not enable security auditing.
  • the N6/N9 network interface is connected to the outside world, and the security audit function must be enabled.
  • 5GC network elements are deployed in a shared cloud environment, and their management interfaces require security audits before users can log in.
  • the external network interface N6/N9 user data is subjected to DPI deep packet analysis to prevent users from unsafe behavior.
  • the N9 interface is an internal or external roaming data interface; the data it receives from the local network is GTP tunnel encapsulated, so the DPI user deep packet analysis function can be removed for it.
  • the embodiments of the present disclosure are described with five security protection levels S1-S5, but the present disclosure is not limited to this, but more or less security protection levels may be used.
  • an embodiment of the present disclosure also provides a 5G core network network slicing device 400 corresponding to the foregoing method embodiment, and the device includes:
  • the network slicing module 401 is configured to perform network slicing on the 5G core network to obtain network slicing network elements of the network slice;
  • the security protection level setting module 402 is configured to set a security protection level Si for the network slice, where i is an integer;
  • the presetting module 403 is configured to preset the network slice network elements of the network slice to an environment corresponding to the security protection level Si according to the security protection level Si.
  • the network slicing method and device of the 5G core network support independent users on the 5GC core network side using a logically independent core network system in Internet of Things or vertical industry environments, and keep the core network elements of Internet of Things and vertical industry customer groups logically independent from those of ordinary users, so as to meet the various needs of different types of users for network delay, bandwidth, number of connections, security level, and application environment customization.
  • the slice network security policy controller SPCF unit is added to receive the Sn security protection level input by the user, obtain the security policy of each network slice, and construct a security environment instance for it, so as to protect the security of the newly generated network elements in the network slice, build a security barrier, and protect the safe operation of the 5GC system.
  • the 5GC core network allocates different 5GC core network slice resources according to the slicing requirements of the terminal user UE when the end user UE enters the network through the default (initial) slice.
  • a slicing policy security controller unit namely: slicing policy security controller SFCF
  • SFCF slicing policy security controller
  • five basic security protection levels such as S1/S2/S3/S4/S5, are defined to meet the current 5GC network slicing requirements for different levels of network security protection levels for various users.
  • Si security protection level is based on the basic cloud and hardware platform deployed by 5GC network elements, 5GC network element network interface, 5GC network management interface, and 5GC external network interface security requirements, and 5 levels of security protection level configuration are proposed.
  • the terminal user UE of the 5G network performs UE access authentication communication with the public (default) network slice of 5GC through the gNB, and according to the UE's demand for network slices is allocated to, or enters, the corresponding 5GC core network slice.
  • for network slices please refer to the patents CN107580360A (a method, equipment and network architecture for network slice selection), CN108495358A (a network slice selection method based on NFV) and CN108566289A (a design management method based on 5G mobile communication network slice architecture), the entire contents of which are incorporated herein by reference.
  • when 501 submits an application for 5GC network slicing requirements, 502 submits a security protection level Si to the slicing policy security controller SPCF according to the UE end user, requiring that the 5GC network slicing environment provide the network security level corresponding to Si.
  • the 5GC network slicing resources (AMF/SMF/UDM/PCF/UPF) allocated to the current UE end users are constructed to construct the corresponding level of security protection environment instance. It is used to protect the security of UE terminal users.
  • the 5GC slice network service network element provided for it is allocated according to the security protection level Si requirements of the UE terminal user
  • the corresponding basic network security instance matching the security protection requirements will effectively protect UE end users' requirements for basic network security in the 5GC slice network, and also protect the differing security requirements of 5GC slice network instances in different vertical industries (private networks).
  • embodiments of the present disclosure define five basic 5GC network slice security levels based on general network security requirements, which can also be dynamically expanded according to specific application environment requirements.
  • the embodiments of the present disclosure define network interface security audit, management interface security audit, external network interface DPI deep packet inspection, external network interface DPI, etc. based on the characteristics of the 5GC network slice network element AMF/SMF/UDM/PCRF/UPF. It satisfies the security audit of the internal and external interfaces of the 5GC network slicing and the deep data packet analysis function of the data message.
  • complete security protection provided independently for a single network element AMF/SMF/UDM/UPF/PCF can also achieve the purpose of security protection, but attacks such as DDoS attacks and network congestion cannot be protected against well, because it is protection of an independent network element.
  • with this scheme, the entire set of 5GC core network elements can be protected, and a single 5GC network element can also be protected well.
  • this solution proposes to combine 5GC network slicing with the basic network element security protection of the mobile communication core network, in particular combining, for the network elements after 5GC network slicing, their own security with the audit functions of the network interfaces, management interfaces and external network interfaces, as well as the external interface DPI function, into one security protection.
  • the 5GC network slicing network elements according to the new specification, all run on the cloud platform. This will bring major security risks to 5GC network slicing.
  • the method proposed in this solution effectively meets the security protection of 5GC network slicing at all levels, and solves very well the security requirements of the users who request it.
  • the method of the embodiment of the present disclosure combines the security challenges faced by the 5GC slicing network with the protection needs of users, and will effectively solve the security problem of the 5GC network slicing and maintain the security and stability of the network.
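The security protection level Si = {isolated_Level, inf_Audit, Mrg_Audit, content_DPI} and the S1..S5 presets described above, modelled as an added example (not the patent's own code): the level table is one reading of the page's per-level text and is an assumption wherever that text is ambiguous, and check_slice compares a slice's actual environment against the level it was assigned, which is the check an operator would run before trusting a slice's declared Si.

```python
"""Model of the per-slice security protection level Si described on this page.

Added example, not the patent's own code. Si = {isolated_Level, inf_Audit,
Mrg_Audit, content_DPI}; audit flags use the page's OFF = 0 / ON = 1 encoding.
The S1..S5 table below is one reading of the page's level descriptions and is
an assumption wherever that text is ambiguous (e.g. whether N9 DPI is required).
"""
from dataclasses import dataclass

# Value sets named on the page. Isolation levels are ranked weakest to strongest.
ISOLATION_RANK = {"public_cloud": 0, "pravited_cloud": 1, "hardware_isolated": 2}
INTERNAL_IFACES = ("N1", "N2", "N3", "N4", "N5", "N7", "N8")
EXTERNAL_IFACES = ("N6", "N9")
ALL_IFACES = INTERNAL_IFACES + EXTERNAL_IFACES
MGR_IFACES = ("Mgr_AMF", "Mgr_SMF", "Mgr_UDM", "Mgr_PCF", "Mgr_UPF")
DPI_POINTS = ("N6_DPI", "N9_DPI")


@dataclass(frozen=True)
class SecurityLevel:
    """Environment required by one level S_i; each frozenset lists items whose flag must be ON."""
    isolated_level: str
    inf_audit: frozenset
    mrg_audit: frozenset
    content_dpi: frozenset


# Assumed reading of S1 (strictest) .. S5 (weakest) from the page's level descriptions.
LEVELS = {
    1: SecurityLevel("hardware_isolated", frozenset(ALL_IFACES),
                     frozenset({"Mgr_PCF", "Mgr_UPF"}), frozenset(DPI_POINTS)),
    2: SecurityLevel("hardware_isolated", frozenset(EXTERNAL_IFACES),
                     frozenset({"Mgr_PCF", "Mgr_UPF"}), frozenset({"N6_DPI"})),
    3: SecurityLevel("pravited_cloud", frozenset(EXTERNAL_IFACES),
                     frozenset(MGR_IFACES), frozenset(DPI_POINTS)),
    4: SecurityLevel("pravited_cloud", frozenset(EXTERNAL_IFACES),
                     frozenset(MGR_IFACES), frozenset({"N6_DPI"})),
    5: SecurityLevel("public_cloud", frozenset(EXTERNAL_IFACES),
                     frozenset(MGR_IFACES), frozenset({"N6_DPI"})),
}


def encode_si(i):
    """Flatten S_i into the page's parameter form: isolation name plus 0/1 flags per interface."""
    lvl = LEVELS[i]
    return {
        "isolated_Level": lvl.isolated_level,
        "inf_Audit": {n: int(n in lvl.inf_audit) for n in ALL_IFACES},
        "Mrg_Audit": {m: int(m in lvl.mrg_audit) for m in MGR_IFACES},
        "content_DPI": {d: int(d in lvl.content_dpi) for d in DPI_POINTS},
    }


def check_slice(observed, i):
    """Compare an observed slice environment against S_i.

    Returns a list of findings; an empty list means compliant. A slice that is
    stricter than required (higher isolation, extra audits) produces no finding.
    """
    req = LEVELS[i]
    findings = []
    iso = observed["isolated_Level"]
    if iso not in ISOLATION_RANK:
        raise ValueError(f"unknown isolated_Level {iso!r}")
    if ISOLATION_RANK[iso] < ISOLATION_RANK[req.isolated_level]:
        findings.append(f"isolated_Level {iso} is below the {req.isolated_level} required by S{i}")
    for name, flags, required in (
        ("inf_Audit", observed.get("inf_Audit", {}), req.inf_audit),
        ("Mrg_Audit", observed.get("Mrg_Audit", {}), req.mrg_audit),
        ("content_DPI", observed.get("content_DPI", {}), req.content_dpi),
    ):
        for item in sorted(required):
            if not flags.get(item, 0):  # a missing flag counts as OFF
                findings.append(f"{name}: {item} is OFF but S{i} requires ON")
    return findings


def strictest_level_met(observed):
    """Return the smallest i (strictest level) whose requirements the slice satisfies, or None."""
    for i in sorted(LEVELS):
        if not check_slice(observed, i):
            return i
    return None


# Constructed sample (not data from the patent): a slice declared S1 but actually
# deployed in a private cloud with N9 DPI switched off.
SAMPLE_OBSERVED = {
    "isolated_Level": "pravited_cloud",
    "inf_Audit": {n: 1 for n in ALL_IFACES},
    "Mrg_Audit": {m: 1 for m in MGR_IFACES},
    "content_DPI": {"N6_DPI": 1, "N9_DPI": 0},
}

if __name__ == "__main__":
    for finding in check_slice(SAMPLE_OBSERVED, 1):
        print("S1 gap:", finding)
    print("strictest level actually met: S%d" % strictest_level_met(SAMPLE_OBSERVED))
```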

Abstract

Disclosed are a network slicing method for a 5G core network and a network slicing apparatus for the 5G core network. The method comprises: performing network slicing on a 5G core network so as to obtain network slicing network elements for network slicing; and setting a security protection level Si for network slicing, wherein i is an integer; and according to the security protection level Si, presetting the network slicing network elements for network slicing to an environment corresponding to the security protection level Si. The method proposed by the present invention supports the implementation of independent users using a logically independent core network system on the 5GC core network side in an Internet of Things or vertical industry environment, and the core network elements of customer groups of the Internet of Things and vertical industry and the core network elements of ordinary users are logically independent from each other to meet various demands for different types of users with regards to network delay, bandwidth, the number of connections, security levels, and application environment customization.

Description

Network slicing method and network slicing apparatus for a 5G core network
Technical field
The present invention relates to the field of wireless communication, and in particular to a network slicing method and a network slicing apparatus for a 5G core network.
Background
The overall deployment of the 5G core network (hereinafter 5GC) is based on a public cloud NFV/SDN (network function virtualization and software-defined networking) environment; Figure 1 shows the overall block diagram of the 5GC. In this model, the security protection requirements of users in the multi-level Internet of Things and in vertical industries (private networks) cannot be met, including the security of the 5GC's own signalling and the security of the UE user-plane data transmitted over the 5GC.
Under the 5G wireless network communication architecture, for the network slicing function intended for IoT and vertical-industry (private-network) use, the 3GPP specifications do not define corresponding network security protection for the sliced core network elements of IoT or vertical-industry (private-network) users.
In addition, among the various 5GC network slicing schemes proposed in filed patent applications, such as CN107580360A (a network slice selection method, device and network architecture), CN108495358A (an NFV-based network slice selection method) and CN108566289A (a slice architecture design and management method based on 5G mobile communication networks), only the implementation of 5GC network slicing is proposed; the security protection method required by network slicing is not mentioned.
Summary of the invention
The present invention provides a network slicing method and a network slicing apparatus for a 5G core network, in order to solve the problems raised in the background art above.
In a first aspect, a network slicing method for a 5G core network is provided, the method comprising:
performing network slicing on the 5G core network to obtain network slicing network elements for the network slice;
setting a security protection level Si for the network slice, where i is an integer; and
according to the security protection level Si, presetting the network slicing network elements of the network slice in an environment corresponding to the security protection level Si.
According to a specific implementation of the embodiment of the present disclosure, the network slicing network elements include at least one of the following network slicing network elements: AMF, SMF, UDM, AUSF, PCF and AUSF.
According to a specific implementation of the embodiment of the present disclosure, the 5G core network is provided with a slice network security policy controller SPCF, and the SPCF is configured to set the security protection level Si of the network slice.
According to a specific implementation of the embodiment of the present disclosure, the security protection level Si is defined as follows:
Si = {isolated_Level, inf_Audit, Mrg_Audit, content_DPI, ...}; where
isolated_Level denotes the degree of security isolation, and its value indicates the isolation level of the deployment platform on which the network slice runs;
inf_Audit denotes the network interfaces, and its value indicates the security audit of each network interface;
Mrg_Audit denotes the management interfaces, and its value indicates the security audit of each management interface;
content_DPI denotes the external network interfaces, and its value indicates DPI (deep packet inspection) of user data.
According to a specific implementation of the embodiment of the present disclosure, the security isolation degree isolated_Level = {public_cloud, pravited_cloud, hardware_isolated}; where
public_cloud indicates that each network element of the 5G core network is deployed entirely in a public cloud;
pravited_cloud indicates that each network element of the 5G core network is deployed in an independent network environment;
hardware_isolated indicates that each network element of the 5G core network is deployed with physical isolation.
According to a specific implementation of the embodiment of the present disclosure, the network interfaces inf_Audit = {N1, N2, N3, N4, N5, N6, N7, N8, N9}; where
the N1, N2, N3, N4, N5, N7 and N8 interfaces are internal network interfaces of the 5G core network; and
the N6 and N9 interfaces are the network interfaces of the 5G core network that connect to the outside and are used for external communication.
According to a specific implementation of the embodiment of the present disclosure, the management interfaces Mrg_Audit = {Mgr_AMF, Mgr_SMF, Mgr_UDM, Mgr_PCF, Mgr_UPF}; where
Mgr_AMF denotes the AMF network element management interface;
Mgr_SMF denotes the SMF network element management interface;
Mgr_UDM denotes the UDM network element management interface;
Mgr_PCF denotes the PCF network element management interface; and
Mgr_UPF denotes the UPF network element management interface.
According to a specific implementation of the embodiment of the present disclosure, the external network interfaces content_DPI = {N6_DPI, N9_DPI}, where N6_DPI denotes the external network interface N6 and N9_DPI denotes the external network interface N9.
According to a specific implementation of the embodiment of the present disclosure, Si = {S1, S2, S3, S4, S5}, and
in S1, isolated_Level = hardware_isolated, inf_Audit = {N1=1, N2=1, N3=1, N4=1, N5=1, N6=1, N7=1, N8=1, N9=1}, Mrg_Audit = {Mgr_AMF=0, Mgr_SMF=0, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=0}, content_DPI = {N6_DPI=1, N9_DPI=1};
in S2, isolated_Level = {hardware_isolated}, inf_Audit = {N1=0, N2=0, N3=0, N4=0, N5=0, N6=1, N7=0, N8=0, N9=1}, Mrg_Audit = {Mgr_AMF=1, Mgr_SMF=1, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=1}, content_DPI = {N6_DPI=1, N9_DPI=0};
in S3, isolated_Level = {prvated_cloud}, inf_Audit = {N1=0, N2=0, N3=0, N4=0, N5=0, N6=1, N7=0, N8=0, N9=1}, Mrg_Audit = {Mgr_AMF=1, Mgr_SMF=1, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=1}, content_DPI = {N6_DPI=1, N9_DPI=1};
in S4, isolated_Level = {prvated_cloud}, inf_Audit = {N1=0, N2=0, N3=0, N4=0, N5=0, N6=1, N7=0, N8=0, N9=1}, Mrg_Audit = {Mgr_AMF=1, Mgr_SMF=1, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=1}, content_DPI = {N6_DPI=1, N9_DPI=0};
in S5, isolated_Level = {public_cloud}, inf_Audit = {N1=0, N2=0, N3=0, N4=0, N5=0, N6=1, N7=0, N8=0, N9=1}, Mrg_Audit = {Mgr_AMF=1, Mgr_SMF=1, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=1}, content_DPI = {N6_DPI=1, N9_DPI=0}.
In a second aspect, a network slicing apparatus for a 5G core network is provided, the apparatus comprising:
a network slicing module, configured to perform network slicing on the 5G core network to obtain network slicing network elements for the network slice;
a security protection level setting module, configured to set a security protection level Si for the network slice, where i is an integer; and
a preset module, configured to preset the network slicing network elements of the network slice in an environment corresponding to the security protection level Si according to the security protection level Si.
The network slicing scheme for a 5G core network according to the embodiment of the present disclosure includes: performing network slicing on the 5G core network to obtain network slicing network elements for the network slice; setting a security protection level Si for the network slice, where i is an integer; and, according to the security protection level Si, presetting the network slicing network elements of the network slice in an environment corresponding to the security protection level Si. The method proposed by the present invention supports, in an IoT or vertical-industry environment, letting independent users on the 5GC core network side use a logically independent core network system, so that the core network elements of IoT and vertical-industry customer groups are logically independent from those of ordinary users, meeting the various requirements of different categories of users for network latency, bandwidth, number of connections, security level and application environment customization.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present disclosure more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present disclosure; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Figure 1 shows the system framework of the 5G core network;
Figure 2 shows a diagram of an example environment of a network slicing security architecture according to an embodiment of the present disclosure;
Figure 3 shows a flowchart of constructing a secure environment for an end user UE according to an embodiment of the present disclosure;
Figure 4 shows a block diagram of a network slicing apparatus for a 5G core network according to an embodiment of the present disclosure; and
Figure 5 shows an example architecture of a 5G core network slicing network security environment.
Detailed description
The embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
The implementation of the present disclosure is described below through specific examples, and those skilled in the art can easily understand other advantages and effects of the present disclosure from the content disclosed in this specification. Obviously, the described embodiments are only some of the embodiments of the present disclosure, not all of them. The present disclosure can also be implemented or applied through other, different specific embodiments, and the details in this specification can be modified or changed in various ways based on different viewpoints and applications without departing from the spirit of the present disclosure. It should be noted that the following embodiments and the features in the embodiments can be combined with each other where there is no conflict. Based on the embodiments of the present disclosure, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the protection scope of the present disclosure.
It should be noted that various aspects of embodiments within the scope of the appended claims are described below. It should be obvious that the aspects described herein can be embodied in a wide variety of forms, and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, those skilled in the art should understand that an aspect described herein can be implemented independently of any other aspect, and that two or more of these aspects can be combined in various ways. For example, any number of the aspects set forth herein can be used to implement a device and/or practice a method. In addition, such a device may be implemented and/or such a method practiced using other structures and/or functionality in addition to or instead of one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments only illustrate the basic idea of the present disclosure in a schematic manner. The figures show only the components related to the present disclosure rather than the number, shape and size of the components in an actual implementation; in an actual implementation the type, quantity and proportion of each component may change freely, and the component layout may also be more complex.
In addition, in the following description, specific details are provided to facilitate a thorough understanding of the examples. However, those skilled in the art will understand that the described aspects may be practised without these specific details.
Under the 5GC system architecture, the system slices the core network resources according to users' needs (similar to deploying independent network element equipment) to meet the needs of the corresponding set of customer groups; the purpose is to meet the needs of user groups such as the IoT and various private networks.
The development of NFV/SDN, and especially the maturing of virtualized network technology, has made it very convenient to instantiate the core network multiple times on a unified platform. In its new specification, the 5G core network adds the network slicing function, which provides logically independent core network elements for user groups with different categories of requirements.
In a 5G network, when a user enters and begins registering with the network, the 5GC assigns a network slice to the accessing user after the user has passed authentication. The term "network slice" refers to a split management of network data analogous to traffic management: in essence, the physically existing network is divided at the logical level into multiple virtual networks of different types according to the service requirements of different users, using indicators such as latency, bandwidth and reliability, so as to cope with complex and changing application scenarios.
For the method of assigning network slices to accessing users, see for example CN107580360A (a network slice selection method, device and network architecture) and CN108495358A (an NFV-based network slice selection method); the contents of these patents are incorporated herein by reference.
In the embodiment of the present disclosure, when an end user enters the network and a network slice is assigned to it, the security protection level Si is input as a mandatory option parameter according to the 5GC network slice network element security protection level requirement Si, and according to the level of Si the network slicing network elements (AMF/SMF/UDM/UPF/PCF/AUSF) are preset in software, hardware and network environments that meet the corresponding security level requirements.
Figure 2 shows a diagram of an example environment of a network slicing security architecture according to an embodiment of the present disclosure. As shown in Figure 2, in the embodiment of the present disclosure, a corresponding security protection level Si is set for the network slice assigned to an end user entering the network, so that the corresponding network slicing network elements are preset in the environment corresponding to that security protection level Si.
Specifically, the network slicing network elements may include the access and mobility management function AMF, the session management function SMF, the unified data management UDM, the user plane function UPF, the policy control function PCF and the authentication server function AUSF. It should be understood that although the embodiments of the present disclosure are described using AMF/SMF/UDM/UPF/PCF/AUSF as examples of network slicing network elements, the present disclosure is not limited to these and may include other network slicing network elements.
Specifically, a slice network security policy controller SPCF can be provided in the 5G network as an example of the security protection level setting module (processing unit); the SPCF is used to generate the Si levels defined according to the embodiment of the present disclosure. Si may for example be {S1, S2, S3, S4, S5, ... Sn}, that is, the SPCF can be used to define n security protection levels, where n is an integer.
Thus, when the system assigns a network slice to an end user during 5GC core network slicing, the network slicing network elements assigned to the end user UE are preset in different software, hardware, network and other environments according to the security protection level (requirement) input by the end user UE.
Figure 3 shows a flowchart of constructing a secure environment for an end user UE according to an embodiment of the present disclosure. As shown in Figure 3, constructing a secure environment for the end user UE includes:
S301: setting the 5G core network slice security protection level Si.
S302: constructing the 5G core network slice security environment.
In the embodiment of the present disclosure, the end user UE can set the 5G core network slice security protection level Si through the provided slice network security policy controller SPCF; Si may specifically be one of S1, S2, S3, S4, S5, ... Sn.
In the embodiment of the present disclosure, the security protection level Si is defined as a set R. Then Si = R{S1, S2, S3, S4, S5 ... Sn}, and the protection level of Si increases from low to high as i increases.
According to a specific implementation of the embodiment of the present disclosure, five security protection levels S1/S2/S3/S4/S5 are defined, but in practical applications they can be dynamically extended according to requirements.
In addition, the security protection level Si is defined as follows: Si = {isolated_Level, inf_Audit, Mrg_Audit, content_DPI, ...}. It should be understood that although in the embodiment of the present disclosure the elements of Si are isolated_Level, inf_Audit, Mrg_Audit and content_DPI, the present invention is not limited to these; Si may also contain other elements, that is, the security protection level Si may be determined by factors other than isolated_Level, inf_Audit, Mrg_Audit and content_DPI.
isolated_Level denotes the degree of security isolation, a security level defined for constructing the network slice security environment of the 5G core network; its value indicates the isolation level of the deployment platform on which the network slice runs. inf_Audit denotes the core network interfaces, and its value indicates the security audit of each network interface. Mrg_Audit denotes the management interfaces, and its value indicates the audit of the network management interfaces. content_DPI denotes the external network interfaces, and its value indicates DPI (deep packet inspection) of user data.
Specifically, the security isolation degree isolated_Level = {public_cloud, pravited_cloud, hardware_isolated}. Of these, public_cloud has the lowest security: each network element of the 5G core network is entirely in a public cloud and, depending on the security of the cloud, may be attacked over the public network. pravited_cloud is more secure than public_cloud: it is deployed in an independent network environment and differs from the public cloud only in where it is deployed, so it may still receive public network attacks, though with a lower probability than a public cloud. hardware_isolated denotes physically isolated deployment and has the highest security protection level. For the values of public_cloud, pravited_cloud and hardware_isolated, OFF=0 means enabled and NO=1 means not enabled.
It should be understood that although in the embodiment of the present disclosure the elements of isolated_Level are public_cloud, pravited_cloud and hardware_isolated, the present invention is not limited to these and may include other security isolation degrees. In other words, the elements of isolated_Level may include any security isolation degree.
The network interfaces inf_Audit denote the individual interfaces in the 5GC network, and their values indicate the security audit of each interface.
Specifically, the network interfaces inf_Audit = {N1, N2, N3, N4, N5, N6, N7, N8, N9}. In the 5G core network, the N1, N2, N3, N4, N5, N7 and N8 interfaces are internal network interfaces of the 5G core network, while the N6 and N9 interfaces are the network interfaces connecting to the outside, used for external communication, and require stricter auditing when configured. For the values of N1-N9, OFF=0 means no audit and NO=1 means audit.
It should be understood that although in the embodiment of the present disclosure the elements of inf_Audit are N1, N2, N3, N4, N5, N6, N7, N8 and N9, the present invention is not limited to these and may include other network interfaces. In other words, the elements of inf_Audit may include any network interface.
The network management interfaces Mrg_Audit denote the 5GC network element management interfaces, and their values indicate the audit of each management interface.
Specifically, the network management interfaces Mrg_Audit = {Mgr_AMF, Mgr_SMF, Mgr_UDM, Mgr_PCF, Mgr_UPF}; for their values, OFF=0 means no audit and NO=1 means audit.
It should be understood that although in the embodiment of the present disclosure the elements of Mrg_Audit are Mgr_AMF, Mgr_SMF, Mgr_UDM, Mgr_PCF and Mgr_UPF, the present invention is not limited to these and may include other network management interfaces. In other words, the elements of Mrg_Audit may include any network management interface.
content_DPI denotes deep packet inspection of the content on the external network interfaces, and its value indicates the audit of the packets. Among the 5G core network elements, the UPF is the external interface for user data, and deep packet inspection is performed on the content of the UPF's N6/N9 network interfaces. Specifically, content_DPI = {N6_DPI, N9_DPI}; for its values, OFF=0 means no audit and NO=1 means audit.
It should be understood that although in the embodiment of the present disclosure the elements of content_DPI are N6_DPI and N9_DPI, the present invention is not limited to these and may include deep packet inspection of other external network interfaces. In other words, the elements of content_DPI may include deep packet inspection of any external network interface.
The meaning of each parameter in the protection level Si has now been defined, and the embodiment of the present disclosure further defines five specific security protection levels S1/S2/S3/S4/S5. It should be clear that in practical applications these can be dynamically extended according to requirements. In addition, the elements of Si are defined as follows: isolated_Level = {public_cloud, pravited_cloud, hardware_isolated}, inf_Audit = {N1, N2, N3, N4, N5, N6, N7, N8, N9}, Mrg_Audit = {Mgr_AMF, Mgr_SMF, Mgr_UDM, Mgr_PCF, Mgr_UPF} and content_DPI = {N6_DPI, N9_DPI}. However, it should be understood that the sub-elements contained in these elements are not limited to those shown above and may include other sub-elements.
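As an added illustration (not code from the patent), the following Python models the Si definition above, builds the five levels S1 to S5 with the element values given in the summary of the invention, and checks a requested level against the constraints the text states (external interfaces N6/N9 audited, DPI only on the UPF's N6/N9 interfaces) before presetting a slice's environment. The slice identifier, the function names and the use of plain 0/1 for the OFF=0/NO=1 flags are assumptions made here.

```python
from dataclasses import dataclass

# Vocabulary taken from the patent's definition of Si. "pravited_cloud" is the
# spelling used in the patent text and is kept unchanged as the identifier.
ISOLATION_LEVELS = ("public_cloud", "pravited_cloud", "hardware_isolated")
NETWORK_INTERFACES = ("N1", "N2", "N3", "N4", "N5", "N6", "N7", "N8", "N9")
EXTERNAL_INTERFACES = ("N6", "N9")  # interfaces that connect to the outside
MGMT_INTERFACES = ("Mgr_AMF", "Mgr_SMF", "Mgr_UDM", "Mgr_PCF", "Mgr_UPF")
DPI_INTERFACES = ("N6_DPI", "N9_DPI")


@dataclass(frozen=True)
class SecurityLevel:
    """One Si value: Si = {isolated_Level, inf_Audit, Mrg_Audit, content_DPI}."""
    name: str
    isolated_level: str
    inf_audit: dict     # N1..N9  -> 0 (no audit) / 1 (audit)
    mrg_audit: dict     # Mgr_*   -> 0 / 1
    content_dpi: dict   # N6_DPI, N9_DPI -> 0 / 1


def _flags(keys, enabled):
    """Expand a set of enabled names into the patent's 0/1 dictionary form."""
    return {k: (1 if k in enabled else 0) for k in keys}


def make_level(name, isolated_level, audited_ifaces, audited_mgmt, dpi_ifaces):
    return SecurityLevel(name, isolated_level,
                         _flags(NETWORK_INTERFACES, audited_ifaces),
                         _flags(MGMT_INTERFACES, audited_mgmt),
                         _flags(DPI_INTERFACES, dpi_ifaces))


# The five levels S1..S5 with the element values listed in the patent summary.
LEVELS = {
    "S1": make_level("S1", "hardware_isolated", set(NETWORK_INTERFACES),
                     {"Mgr_UDM", "Mgr_PCF"}, {"N6_DPI", "N9_DPI"}),
    "S2": make_level("S2", "hardware_isolated", {"N6", "N9"},
                     set(MGMT_INTERFACES), {"N6_DPI"}),
    "S3": make_level("S3", "pravited_cloud", {"N6", "N9"},
                     set(MGMT_INTERFACES), {"N6_DPI", "N9_DPI"}),
    "S4": make_level("S4", "pravited_cloud", {"N6", "N9"},
                     set(MGMT_INTERFACES), {"N6_DPI"}),
    "S5": make_level("S5", "public_cloud", {"N6", "N9"},
                     set(MGMT_INTERFACES), {"N6_DPI"}),
}


def validate_level(level):
    """Return the consistency problems of a level definition (empty = OK).

    The checks encode what the patent states: flags are 0/1, the isolation
    degree is one of the three defined, the external interfaces N6/N9 need
    the strictest auditing, and DPI applies only to the N6/N9 interfaces.
    """
    problems = []
    if level.isolated_level not in ISOLATION_LEVELS:
        problems.append(f"unknown isolated_Level {level.isolated_level!r}")
    for group, flags in (("inf_Audit", level.inf_audit),
                         ("Mrg_Audit", level.mrg_audit),
                         ("content_DPI", level.content_dpi)):
        bad = [k for k, v in flags.items() if v not in (0, 1)]
        if bad:
            problems.append(f"{group}: non-boolean flags {bad}")
    for iface in EXTERNAL_INTERFACES:
        if level.inf_audit.get(iface) != 1:
            problems.append(f"external interface {iface} is not audited")
    for dpi in level.content_dpi:
        if dpi.rsplit("_", 1)[0] not in EXTERNAL_INTERFACES:
            problems.append(f"{dpi} requests DPI on a non-external interface")
    return problems


def preset_environment(slice_id, level_name, levels=LEVELS):
    """Model the SPCF plus preset module: turn a requested Si into the concrete
    environment the slice's network elements are placed in. An unknown or
    inconsistent level is rejected rather than silently placing the slice."""
    if level_name not in levels:
        raise ValueError(f"undefined security protection level {level_name!r}")
    level = levels[level_name]
    problems = validate_level(level)
    if problems:
        raise ValueError(f"{level_name} is inconsistent: {problems}")
    return {
        "slice": slice_id,
        "level": level_name,
        "platform": level.isolated_level,
        "audited_interfaces": [k for k, v in level.inf_audit.items() if v],
        "audited_mgmt_interfaces": [k for k, v in level.mrg_audit.items() if v],
        "dpi_interfaces": [k for k, v in level.content_dpi.items() if v],
    }


if __name__ == "__main__":
    # "iot-slice-A" is a constructed slice identifier for the demonstration.
    for name in LEVELS:
        print(preset_environment("iot-slice-A", name))
```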
(1) S1: autonomous security protection.
The user's slice network environment is completely physically isolated from other 5GC network slices, using physically isolated deployment (hardware_isolated). The open network interfaces N2/N3 communicate with the (R)AN, and the open network interface N6 communicates with the user's application server (Appserver); the (R)AN and the Appserver are required to be in a security environment of the same S1 security level as this 5GC network slice, and the N2/N3/N6 interfaces have authentication and security protection. N1/N4/N5/N7/N8/N9 are not opened externally and are used only inside the 5GC network slice.
The S1 security level is the highest security protection level among 5GC network slices. The user's slice network is shared only with other users accessing at this same level, and users accessing this 5GC slice network are required to have full authorization and full trust. A visitor must be an S1-level user of this system, and the visiting user is itself a running entity in the environment, within the same security instance environment. Under the S1 security level, the integrity of user data is fully guaranteed.
The S1 security level is for 5GC network slices where the management and application servers connected to the slice are fully trusted devices with the same physically isolated security protection level, so the management interface audit of the network elements can be turned off.
Under the S1 security level, the values of the elements in Si are set as follows:
Deployment platform:
isolated_Level = {hardware_isolated}
Under the S1 security protection level, the deployment platform on which the slice runs is required to be secure and stable, and the hardware isolation level is used.
Network interfaces:
inf_Audit = {N1=1, N2=1, N3=1, N4=1, N5=1, N6=1, N7=1, N8=1, N9=1}; (OFF=0 means no audit, NO=1 means audit; likewise below).
The network interfaces are the interfaces between the internal network elements of the 5GC and external network elements; under the S1 security protection level, security auditing is required on all of them. The N6/N9 network interfaces connect to the outside, and the security audit function must be enabled on them.
Management interfaces:
Mrg_Audit = {Mgr_AMF=0, Mgr_SMF=0, Mgr_UDM=1, Mgr_PCF=1, Mgr_UPF=0};
Under the S1 level, among the management interfaces of the 5GC network elements, the AMF/SMF/UPF management interfaces do not control user behaviour and have low security requirements, whereas PCF/UPF control user behaviour and require a security audit before the operator is allowed to log in and operate on user account opening, account closure, QoS, charging and other data.
External network interfaces:
content_DPI = {N6_DPI=1, N9_DPI=1};
Under the S1 security protection level, the external network interfaces N6/N9 must perform DPI on user data to prevent unsafe user behaviour.
(2) S2: System audit protection
This user's slice network environment is complete and physically isolated from the other 5GC network slices; it uses physically isolated deployment (hardware_isolated). Some network interfaces are audited, the management network interfaces are audited, and the external network interface N6 is audited.
Specifically, under the S2 security level, the elements of Si are set as follows:
Deployment platform:
isolated_Level={hardware_isolated}
Under the S2 security protection level, the deployment platform is required to be secure and stable; the hardware isolation level is used.
Network interfaces:
inf_Audit={N1=0,N2=0,N3=0,N4=0,N5=0,N6=1,N7=0,N8=0,N9=1};
The network interfaces are the interfaces between the internal 5GC network elements and external network elements. Under the S2 security protection level, security auditing is not enabled on the internal network interfaces. The N6/N9 network interfaces face the outside and must have the security audit function enabled.
Management interfaces:
Mrg_Audit={Mgr_AMF=1,Mgr_SMF=1,Mgr_UDM=1,Mgr_PCF=1,Mgr_UPF=1};
At the S2 level, all management interfaces of the 5GC network elements (AMF/SMF/UDM/PCF/UPF) require security auditing before the operator may log in to perform subscriber account opening and cancellation, QoS, charging and similar operations.
External network interfaces:
content_DPI={N6_DPI=1,N9_DPI=0};
Under the S2 security protection level, the external network interface N6 performs DPI on user data to prevent unsafe user behaviour. The N9 interface is the data interface for roaming from inside or outside; it carries the home network's own traffic, encapsulated in GTP tunnels, so DPI of user data on it can be omitted.
(3) S3: Security label protection
This user's slice network environment is complete; it need not be physically isolated from the other 5GC network slices and uses private cloud deployment (private_cloud). Some network interfaces are audited, the management network interfaces are audited, and the external network interface N6 is audited.
Specifically, under the S3 security level, the elements of Si are set as follows:
Deployment platform:
isolated_Level={private_cloud}
Under the S3 security protection level, the deployment platform requires labelled protection and is deployed at the private cloud level.
Network interfaces:
inf_Audit={N1=0,N2=0,N3=0,N4=0,N5=0,N6=1,N7=0,N8=0,N9=1};
The network interfaces are the interfaces between the internal 5GC network elements and external network elements. Under the S3 security protection level, security auditing is not enabled on the internal network interfaces. The N6/N9 network interfaces face the outside and must have the security audit function enabled.
Management interfaces:
Mrg_Audit={Mgr_AMF=1,Mgr_SMF=1,Mgr_UDM=1,Mgr_PCF=1,Mgr_UPF=1};
At the S3 level, with the system deployed in a private cloud environment, all management interfaces of the 5GC network elements require security auditing before the operator may log in.
External network interfaces:
content_DPI={N6_DPI=1,N9_DPI=1};
Under the S3 security protection level, the external network interfaces N6/N9 perform DPI on user data to prevent unsafe user behaviour.
(4) S4: Structured protection
This user's slice network environment is complete; it need not be physically isolated from the other 5GC network slices and uses private cloud deployment (private_cloud). Some network interfaces are audited, the management network interfaces are audited, and the external network interface N6 is audited.
Specifically, under the S4 security level, the elements of Si are set as follows:
Deployment platform:
isolated_Level={private_cloud}
Under the S4 security protection level, the deployment platform requires labelled protection and is deployed at the private cloud level.
Network interfaces:
inf_Audit={N1=0,N2=0,N3=0,N4=0,N5=0,N6=1,N7=0,N8=0,N9=1};
The network interfaces are the interfaces between the internal 5GC network elements and external network elements. Under the S4 security protection level, security auditing is not enabled on the internal network interfaces. The N6/N9 network interfaces face the outside and must have the security audit function enabled.
Management interfaces:
Mrg_Audit={Mgr_AMF=1,Mgr_SMF=1,Mgr_UDM=1,Mgr_PCF=1,Mgr_UPF=1};
At the S4 level, the 5GC network elements are deployed in a private cloud environment, and all of their management interfaces require security auditing before the operator may log in.
External network interfaces:
content_DPI={N6_DPI=1,N9_DPI=0};
Under the S4 security protection level, the external network interface N6 performs DPI on user data to prevent unsafe user behaviour. The N9 interface is the data interface for roaming from inside or outside; it carries the home network's own traffic, encapsulated in GTP tunnels, so DPI of user data on it can be omitted (N9_DPI=0).
(5) S5: Access verification protection
This user's slice network environment is complete; it need not be physically isolated from the other 5GC network slices and uses public cloud deployment (public_cloud). Some network interfaces are audited, the management network interfaces are audited, and DPI is applied only on the external network interface N6, not on N9.
Specifically, under the S5 security level, the elements of Si are set as follows:
Deployment platform:
isolated_Level={public_cloud}
Under the S5 security protection level, the deployment platform requires labelled protection and is deployed at the public cloud level.
Network interfaces:
inf_Audit={N1=0,N2=0,N3=0,N4=0,N5=0,N6=1,N7=0,N8=0,N9=1};
The network interfaces are the interfaces between the internal 5GC network elements and external network elements. Under the S5 security protection level, security auditing is not enabled on the internal network interfaces. The N6/N9 network interfaces face the outside and must have the security audit function enabled.
Management interfaces:
Mrg_Audit={Mgr_AMF=1,Mgr_SMF=1,Mgr_UDM=1,Mgr_PCF=1,Mgr_UPF=1};
At the S5 level, the 5GC network elements are deployed in a public cloud environment, and all of their management interfaces require security auditing before the operator may log in.
External network interfaces:
content_DPI={N6_DPI=1,N9_DPI=0};
Under the S5 security protection level, the external network interface N6 performs DPI on user data to prevent unsafe user behaviour. The N9 interface is the data interface for roaming from inside or outside; it carries the home network's own traffic, encapsulated in GTP tunnels, so DPI of user data on it can be omitted (N9_DPI=0).
The embodiments above are described with five security protection levels S1 to S5, but the present disclosure is not limited to this; more or fewer security protection levels may be used.
Referring to Fig. 4, an embodiment of the present disclosure also provides a 5G core network slicing apparatus 400 corresponding to the method embodiment above. The apparatus includes:
a network slicing module 401, configured to slice the 5G core network to obtain the network slice network elements of a network slice;
a security protection level setting module 402, configured to set a security protection level Si for the network slice, where i is an integer; and
a presetting module 403, configured to preset the network slice network elements of the network slice into the environment corresponding to the security protection level Si, according to Si.
Since the modules and functions of the 5G core network slicing apparatus have already been described with reference to the method embodiments, they are not repeated here.
The network slicing method and apparatus for the 5G core network according to embodiments of the present disclosure allow, in IoT or vertical-industry settings, an individual user to use a logically independent core network system on the 5GC side: the core network elements serving IoT and vertical-industry customer groups are logically separated from those serving ordinary users, so that the different customized requirements of different user classes for latency, bandwidth, number of connections, security level and application environment can be met.
Specifically, in embodiments of the present disclosure, when an end-user UE enters the network and a 5GC network slicing operation is performed for that UE, a slice security policy controller (SPCF) unit is added which receives the Sn security protection level input by the user. In this way the security policy of each network slice is obtained and a security environment instance is built for it, to protect the newly created network elements in that slice, to construct a security barrier and to protect the secure operation of the 5GC system.
When an end-user UE enters the network through the default (initial) slice, the 5GC core network allocates different 5GC core network slice resources according to the UE's slicing requirements. When allocating core network slice resources to the UE, the method of the embodiment adds a slice policy security controller unit, namely the slice policy security controller SPCF, which provides the end-user UE with an API for the security protection level Si and so meets the various end-user UEs' requirements on the security protection level of the 5G core network slice. When slice resources are allocated to the UE, a security instance environment of the corresponding protection level is built according to Si to protect the slice's network elements.
Embodiments of the present disclosure define five basic security protection levels, S1/S2/S3/S4/S5, to meet the different levels of network security protection that various users currently require from 5GC network slicing.
The definition of the Si security protection level is based on the security requirements of the underlying cloud or hardware platform on which the 5GC network elements are deployed, of the 5GC network element network interfaces, of the 5GC network management interfaces and of the 5GC external network interfaces; five levels of security protection configuration are proposed.
As shown in Fig. 5, after the 5G end-user UE has performed UE access authentication with the public (default) network slice of the 5GC via the gNB, it is assigned to, or enters, the corresponding 5GC core network slice according to the UE's slicing requirements. For network slice selection, reference may be made to the patents CN107580360A (a network slice selection method, device and network architecture), CN108495358A (an NFV-based network slice selection method) and CN108566289A (a design and management method based on a 5G mobile communication network slicing architecture), the entire contents of which are incorporated herein by reference.
In embodiments of the present disclosure, when the 5GC network slice request is submitted at 501, step 502 submits the security protection level Si for the UE end user to the slice policy security controller SPCF, requiring that the 5GC network slice environment provide the network security level corresponding to Si.
At 503, while allocating the 5GC network slice to the UE end user, the slice policy security controller SPCF provided by this scheme outputs the security protection level Si policy that meets the UE end user's requirement and passes it to 504 to establish the corresponding dedicated 5GC slice network security environment instance.
At 504, according to the security protection level Si policy and the definition of level Si, a security protection environment instance of the corresponding level is built for the 5GC network slice resources (AMF/SMF/UDM/PCF/UPF) allocated to the current UE end user, in order to protect the UE end user.
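As an added example (not code from the patent or its applicant), the following Python encodes the Si tuple and the S1 to S5 presets given in the description and in claim 9, checks each preset against the rules the text states for every level (N6/N9 always audited, N6 DPI always on, management-interface audit switchable off only under hardware isolation), and carries out the SPCF steps 502 to 504 for a requested level, turning it into per-NF settings for the slice's AMF/SMF/UDM/PCF/UPF. The interface-to-NF mapping follows 3GPP TS 23.501; the class and function names, the slice-id scheme, the UE identifier and the output layout are assumptions of this example.

```python
"""Added example (not code from WO2021022764A1 or its applicant).

Encodes Si = {isolated_Level, inf_Audit, Mrg_Audit, content_DPI} with the
S1..S5 presets from the description and claim 9, validates them, and runs
the SPCF step (502-504): requested level -> per-NF environment settings.
Assumptions: interface-to-NF mapping per 3GPP TS 23.501; names and the
output layout are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List

INTERFACES = ("N1", "N2", "N3", "N4", "N5", "N6", "N7", "N8", "N9")
EXTERNAL = ("N6", "N9")                       # claim 6: external-facing
MGR = ("Mgr_AMF", "Mgr_SMF", "Mgr_UDM", "Mgr_PCF", "Mgr_UPF")
ISOLATION = ("public_cloud", "private_cloud", "hardware_isolated")  # claim 5


@dataclass(frozen=True)
class SecurityLevel:
    isolated_level: str
    inf_audit: Dict[str, int]     # 1 = audit, 0 = no audit
    mrg_audit: Dict[str, int]
    content_dpi: Dict[str, int]   # keys N6_DPI, N9_DPI


def _audit(*on: str) -> Dict[str, int]:
    return {n: int(n in on) for n in INTERFACES}


def _mgr(*on: str) -> Dict[str, int]:
    return {m: int(m in on) for m in MGR}


LEVELS: Dict[str, SecurityLevel] = {
    "S1": SecurityLevel("hardware_isolated", _audit(*INTERFACES),
                        _mgr("Mgr_UDM", "Mgr_PCF"), {"N6_DPI": 1, "N9_DPI": 1}),
    "S2": SecurityLevel("hardware_isolated", _audit(*EXTERNAL),
                        _mgr(*MGR), {"N6_DPI": 1, "N9_DPI": 0}),
    "S3": SecurityLevel("private_cloud", _audit(*EXTERNAL),
                        _mgr(*MGR), {"N6_DPI": 1, "N9_DPI": 1}),
    "S4": SecurityLevel("private_cloud", _audit(*EXTERNAL),
                        _mgr(*MGR), {"N6_DPI": 1, "N9_DPI": 0}),
    "S5": SecurityLevel("public_cloud", _audit(*EXTERNAL),
                        _mgr(*MGR), {"N6_DPI": 1, "N9_DPI": 0}),
}

# Which NF terminates which reference point (3GPP TS 23.501; assumption here).
NF_INTERFACES = {
    "AMF": ("N1", "N2", "N8"),
    "SMF": ("N4", "N7"),
    "UDM": ("N8",),
    "PCF": ("N5", "N7"),
    "UPF": ("N3", "N4", "N6", "N9"),
}


def check_level(lvl: SecurityLevel) -> List[str]:
    """Rules the text states for every level; returns violations (empty = OK)."""
    errs = []
    if lvl.isolated_level not in ISOLATION:
        errs.append(f"unknown isolated_Level {lvl.isolated_level!r}")
    for n in EXTERNAL:                        # N6/N9 audited at every level
        if not lvl.inf_audit.get(n):
            errs.append(f"external interface {n} must be audited")
    if not lvl.content_dpi.get("N6_DPI"):     # N6 DPI on at every level
        errs.append("N6 DPI must be enabled")
    if lvl.isolated_level != "hardware_isolated":   # only S1 may relax mgmt audit
        errs += [f"{m} audit required outside hardware_isolated"
                 for m in MGR if not lvl.mrg_audit.get(m)]
    return errs


def render_nf_config(level: str) -> Dict[str, dict]:
    """Step 504: per-NF settings of the slice's security environment instance."""
    lvl = LEVELS[level]
    cfg = {}
    for nf, ifs in NF_INTERFACES.items():
        entry = {
            "platform": lvl.isolated_level,
            "mgmt_audit": bool(lvl.mrg_audit[f"Mgr_{nf}"]),
            "audit_interfaces": [n for n in ifs if lvl.inf_audit[n]],
        }
        if nf == "UPF":                       # N6/N9 terminate at the UPF, so DPI lives there
            entry["dpi"] = {n: bool(lvl.content_dpi[f"{n}_DPI"]) for n in EXTERNAL}
        cfg[nf] = entry
    return cfg


class SlicePolicyController:
    """SPCF (steps 502-504): accept the requested Si, emit the environment instance."""

    def __init__(self) -> None:
        self._next = 1

    def allocate(self, ue_id: str, requested: str) -> dict:
        if requested not in LEVELS:
            raise ValueError(f"unsupported security level {requested!r}")
        errs = check_level(LEVELS[requested])
        if errs:                              # never build an inconsistent environment
            raise ValueError("inconsistent policy: " + "; ".join(errs))
        inst = {"slice_id": f"slice-{self._next}", "ue": ue_id,
                "level": requested, "nf_config": render_nf_config(requested)}
        self._next += 1
        return inst


if __name__ == "__main__":
    spcf = SlicePolicyController()
    for name in LEVELS:                       # constructed UE identifier
        print(name, spcf.allocate("imsi-460001234567890", name)["nf_config"]["UPF"])
```

Running the module prints the UPF entry for each level. The check_level rules are the ones a practitioner would want in front of step 504: a tuple that disables N6 DPI, leaves N6/N9 unaudited, or leaves a cloud-hosted management interface unaudited falls below every level the text defines, and the controller refuses to build an environment from it rather than silently provisioning a weaker slice.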
According to the method of the embodiments, when an end-user UE enters the 5GC and a network slice is allocated to it, the 5GC slice network elements serving it are assigned a base network security instance matching the security protection level Si required by the UE end user. This effectively satisfies the UE end user's requirements for base network security in the 5GC slice network, and also satisfies the differing security requirements that different vertical industries (private networks) place on 5GC slice network instances.
In addition, the embodiments define five basic security levels for 5GC network slices on the basis of general network security requirements; they can also be extended dynamically according to the needs of a specific application environment.
Further, on the basis of the characteristics of the 5GC slice network elements AMF/SMF/UDM/PCF/UPF, the embodiments define network interface security auditing, management interface security auditing and DPI (deep packet inspection) on the external network interfaces, satisfying the 5GC network slice's need for security auditing of its internal and external interfaces and for deep packet inspection of user data.
In the 5GC core network, providing complete security protection independently for each single network element (AMF/SMF/UDM/UPF/PCF) also achieves protection, but it cannot defend well against attacks such as DDoS and network congestion, because it protects each network element in isolation. In the embodiments, the 5GC core network elements of a slice are protected as a whole, which also protects each single 5GC network element well.
This scheme combines 5GC network slicing with the security protection of the basic network elements of the mobile core network: in particular, for the network elements produced by 5GC slicing, it combines their own security, the audit functions of the network interfaces, management interfaces and external network interfaces, and the DPI function of the external interfaces with security protection. In particular, under the new specifications the 5GC slice network elements all run on cloud platforms, which introduces significant security risks for 5GC network slicing; the method proposed here effectively serves customers with security protection requirements at every level and resolves users' security requirements well.
The method of the embodiments combines the security challenges faced by the 5GC slice network with the users' protection requirements, effectively solving the security problems of 5GC network slicing and maintaining network security and stability.
For those skilled in the art, it is obvious that the present invention is not limited to the details of the exemplary embodiments above, and that the present invention can be implemented in other specific forms without departing from its spirit or essential characteristics. The embodiments are therefore to be regarded in all respects as exemplary and not limiting; the scope of the invention is defined by the appended claims rather than by the foregoing description, and all changes falling within the meaning and range of equivalency of the claims are intended to be embraced by the invention.
Furthermore, it should be understood that although this specification is described in terms of embodiments, not every embodiment contains only one independent technical solution; this manner of description is merely for clarity. Those skilled in the art should treat the specification as a whole, and the technical solutions of the embodiments may be combined appropriately to form other embodiments understandable to those skilled in the art.

Claims (10)

  1. A network slicing method for a 5G core network, characterized in that the method comprises:
    slicing the 5G core network to obtain the network slice network elements of a network slice;
    setting a security protection level Si for the network slice, where i is an integer; and
    according to the security protection level Si, presetting the network slice network elements of the network slice into an environment corresponding to the security protection level Si.
  2. The network slicing method for a 5G core network according to claim 1, characterized in that the network slice network elements comprise at least one of the following network slice network elements: AMF, SMF, UDM, AUSF and PCF.
  3. The network slicing method based on a 5G core network according to claim 1 or 2, characterized in that the 5G core network is provided with a slice network security policy controller SPCF, and the slice network security policy controller SPCF is configured to set the security protection level Si of the network slice.
  4. The network slicing method for a 5G core network according to claim 3, characterized in that the security protection level Si is defined as follows:
    Si={isolated_Level,inf_Audit,Mrg_Audit,content_DPI,…}; where
    isolated_Level denotes the degree of security isolation, and its value indicates the isolation level of the deployment platform on which the network slice runs;
    inf_Audit denotes the network interfaces, and its value indicates the security auditing of each network interface;
    Mrg_Audit denotes the management interfaces, and its value indicates the security auditing of each management interface;
    content_DPI denotes the external network interfaces, and its value indicates the DPI (deep packet inspection) of user data.
  5. The network slicing method for a 5G core network according to claim 4, characterized in that the degree of security isolation isolated_Level={public_cloud,private_cloud,hardware_isolated}; where
    public_cloud indicates that the network elements of the 5G core network are deployed entirely in a public cloud;
    private_cloud indicates that the network elements of the 5G core network are deployed in an independent network environment;
    hardware_isolated indicates that the network elements of the 5G core network are deployed with physical isolation.
  6. The network slicing method based on a 5G core network according to claim 5, characterized in that the network interfaces inf_Audit={N1,N2,N3,N4,N5,N6,N7,N8,N9}; where
    the N1, N2, N3, N4, N5, N7 and N8 interfaces are internal network interfaces of the 5G core network; and
    the N6 and N9 interfaces are the network interfaces of the 5G core network that connect to the outside, used for external communication.
  7. The network slicing method for a 5G core network according to claim 6, characterized in that the management interfaces Mrg_Audit={Mgr_AMF,Mgr_SMF,Mgr_UDM,Mgr_PCF,Mgr_UPF}; where
    Mgr_AMF denotes the AMF network element management interface;
    Mgr_SMF denotes the SMF network element management interface;
    Mgr_UDM denotes the UDM network element management interface;
    Mgr_PCF denotes the PCF network element management interface; and
    Mgr_UPF denotes the UPF network element management interface.
  8. The network slicing method for a 5G core network according to claim 7, characterized in that the external network interfaces content_DPI={N6_DPI,N9_DPI}, where N6_DPI denotes the external network interface N6 and N9_DPI denotes the external network interface N9.
  9. The network slicing method for a 5G core network according to claim 8, characterized in that Si={S1,S2,S3,S4,S5}, and
    in S1, isolated_Level={hardware_isolated}, inf_Audit={N1=1,N2=1,N3=1,N4=1,N5=1,N6=1,N7=1,N8=1,N9=1}, Mrg_Audit={Mgr_AMF=0,Mgr_SMF=0,Mgr_UDM=1,Mgr_PCF=1,Mgr_UPF=0}, content_DPI={N6_DPI=1,N9_DPI=1};
    in S2, isolated_Level={hardware_isolated}, inf_Audit={N1=0,N2=0,N3=0,N4=0,N5=0,N6=1,N7=0,N8=0,N9=1}, Mrg_Audit={Mgr_AMF=1,Mgr_SMF=1,Mgr_UDM=1,Mgr_PCF=1,Mgr_UPF=1}, content_DPI={N6_DPI=1,N9_DPI=0};
    in S3, isolated_Level={private_cloud}, inf_Audit={N1=0,N2=0,N3=0,N4=0,N5=0,N6=1,N7=0,N8=0,N9=1}, Mrg_Audit={Mgr_AMF=1,Mgr_SMF=1,Mgr_UDM=1,Mgr_PCF=1,Mgr_UPF=1}, content_DPI={N6_DPI=1,N9_DPI=1};
    in S4, isolated_Level={private_cloud}, inf_Audit={N1=0,N2=0,N3=0,N4=0,N5=0,N6=1,N7=0,N8=0,N9=1}, Mrg_Audit={Mgr_AMF=1,Mgr_SMF=1,Mgr_UDM=1,Mgr_PCF=1,Mgr_UPF=1}, content_DPI={N6_DPI=1,N9_DPI=0};
    in S5, isolated_Level={public_cloud}, inf_Audit={N1=0,N2=0,N3=0,N4=0,N5=0,N6=1,N7=0,N8=0,N9=1}, Mrg_Audit={Mgr_AMF=1,Mgr_SMF=1,Mgr_UDM=1,Mgr_PCF=1,Mgr_UPF=1}, content_DPI={N6_DPI=1,N9_DPI=0}.
  10. A network slicing apparatus for a 5G core network, characterized in that the apparatus comprises:
    a network slicing module, configured to slice the 5G core network to obtain the network slice network elements of a network slice;
    a security protection level setting module, configured to set a security protection level Si for the network slice, where i is an integer; and
    a presetting module, configured to preset the network slice network elements of the network slice into an environment corresponding to the security protection level Si, according to the security protection level Si.
PCT/CN2019/127743 2019-08-08 2019-12-24 Network slicing method and network slicing apparatus for 5g core network WO2021022764A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910728552.7A CN110401946A (en) 2019-08-08 2019-08-08 The network dicing method and network slicing device of 5G core net
CN201910728552.7 2019-08-08

Publications (1)

Publication Number Publication Date
WO2021022764A1 true WO2021022764A1 (en) 2021-02-11

Family

ID=68327802

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/127743 WO2021022764A1 (en) 2019-08-08 2019-12-24 Network slicing method and network slicing apparatus for 5g core network

Country Status (2)

Country Link
CN (1) CN110401946A (en)
WO (1) WO2021022764A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116208959A (en) * 2023-05-04 2023-06-02 中建五洲工程装备有限公司 Digital intelligent manufacturing management method and system based on 5G private network
CN116546530A (en) * 2023-07-03 2023-08-04 阿里巴巴(中国)有限公司 Core network configuration method, device, equipment, storage medium and communication system

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110401946A (en) * 2019-08-08 2019-11-01 广州爱浦路网络技术有限公司 The network dicing method and network slicing device of 5G core net
CN111131258B (en) * 2019-12-26 2022-04-08 中移(成都)信息通信科技有限公司 Safe private network architecture system based on 5G network slice
CN111200812B (en) * 2020-01-07 2021-07-20 广州爱浦路网络技术有限公司 Method for accelerating NFs mutual discovery in 5G core network
CN111292570B (en) * 2020-04-01 2021-09-17 广州爱浦路网络技术有限公司 Cloud 5GC communication experiment teaching system and teaching method based on project type teaching
US20230179638A1 (en) * 2020-05-06 2023-06-08 Nokia Technologies Oy Method and apparatus for preventing network attacks in a network slice
CN113852479B (en) * 2020-06-28 2022-12-02 中移(成都)信息通信科技有限公司 Secure network construction method, device, equipment and computer storage medium
CN111885031B (en) * 2020-07-13 2023-03-31 董鹏 Fine-grained access control method and system based on session process
CN116097760A (en) 2020-08-03 2023-05-09 上海诺基亚贝尔股份有限公司 Method and apparatus for fine granularity isolation in CN-NSS domain of E2E network slices
CN112995228B (en) * 2021-05-14 2021-07-13 广东省新一代通信与网络创新研究院 Method and system for switching N9 port call of 5GC
CN113554776A (en) * 2021-06-23 2021-10-26 广东润建电力科技有限公司 Power distribution room intelligent inspection and operation and maintenance method, system and device based on 5G message
CN113923689A (en) * 2021-08-31 2022-01-11 南京理工大学紫金学院 Method and system for comprehensively checking services after version upgrading by DPI equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106792692A (en) * 2016-12-27 2017-05-31 兴唐通信科技有限公司 A kind of physics dicing method based on SDN technologies
US20170164212A1 (en) * 2015-09-29 2017-06-08 Telefonaktiebolaget L M Ericsson (Publ) Network slice management
CN109951440A (en) * 2019-01-22 2019-06-28 中国人民解放军战略支援部队信息工程大学 A kind of 5G network slice example dynamic switching method and function
CN110401946A (en) * 2019-08-08 2019-11-01 广州爱浦路网络技术有限公司 The network dicing method and network slicing device of 5G core net

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
BR112019006281A2 (en) * 2016-09-30 2019-07-02 Huawei Tech Co Ltd network slice management method and management unit

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116208959A (en) * 2023-05-04 2023-06-02 中建五洲工程装备有限公司 Digital intelligent manufacturing management method and system based on 5G private network
CN116546530A (en) * 2023-07-03 2023-08-04 阿里巴巴(中国)有限公司 Core network configuration method, device, equipment, storage medium and communication system
CN116546530B (en) * 2023-07-03 2023-11-17 阿里巴巴(中国)有限公司 Core network configuration method, device, equipment, storage medium and communication system

Also Published As

Publication number Publication date
CN110401946A (en) 2019-11-01

Similar Documents

Publication Publication Date Title
WO2021022764A1 (en) Network slicing method and network slicing apparatus for 5g core network
Kotulski et al. Towards constructive approach to end-to-end slice isolation in 5G networks
EP3565306B1 (en) Quality of service provisioning for wireless networks
US11711754B2 (en) Dynamic functional partitioning for security pass-through virtual network function (VNF)
US8032653B1 (en) Guaranteed bandwidth sharing in a traffic shaping system
WO2020007202A1 (en) Data transmission method, device and system
US9183374B2 (en) Techniques for identity-enabled interface deployment
US11102176B2 (en) Community WiFi access point (AP) virtual network function (VNF) with WiFi protected access 2 (WPA2) pass-through
WO2021037175A1 (en) Network slice management method and related device
US20140379928A1 (en) Method for implementing network using distributed virtual switch, apparatus for performing the same, and network system based on distributed virtual switch
CN107810623A (en) Across more security level/service management of multiple network function examples
US20170245170A1 (en) Dynamic Application QoS Profile Provisioning
CN114189905A (en) Message processing method and related equipment
US20080117821A1 (en) Adaptive quality of service in an easy virtual private network environment
US11395174B2 (en) Systems and methods for optimized LTE private networks
CN110383792A (en) The load balance that wireless subscriber packet is handled by more packet processing cores
BR112020025388A2 (en) METHOD TO PROVIDE RESTRICTED SERVICE, COMMUNICATIONS DEVICE, COMMUNICATIONS SYSTEM AND COMPUTER-READABLE MEDIA
CN110870256B (en) Method, system and computer readable medium for operating a telecommunication network
CN112073330A (en) Cloud platform container network current limiting method
CN112087777A (en) Method, device and system for determining MDBV
Griffioen et al. VIP Lanes: High-speed custom communication paths for authorized flows
CN112187660A (en) Tenant flow limiting method and system for cloud platform container network
KR101643829B1 (en) System and method for cloud-based implementation of control of focused overload of network element (cofo-ne)
Chen et al. Realization of 5g network slicing using open source softwares
CN110999371B (en) Virtual anchor in anchorless mobile network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19940695

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19940695

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07.10.2022)
