WO2022188160A1 - Offline network security configuration - Google Patents
- Publication number: WO2022188160A1 (PCT/CN2021/080492)
- Authority: WO, WIPO (PCT)
- Prior art keywords: network, security configuration, configuration items, network security, validated
Classifications
All within H (Electricity), H04 (Electric communication technique): H04L covers transmission of digital information, H04W wireless communication networks.
- H04L63/0272: Virtual private networks (H04L63/00 Network architectures or network communication protocols for network security; H04L63/02 separating internal from external traffic, e.g. firewalls)
- H04L41/0806: Configuration setting for initial configuration or provisioning, e.g. plug-and-play (H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L41/08 Configuration management of networks or network elements; H04L41/0803 Configuration setting)
- H04L41/0869: Validating the configuration within one network element (H04L41/08 Configuration management of networks or network elements; H04L41/0866 Checking the configuration)
- H04W12/03: Protecting confidentiality, e.g. by encryption (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
- H04L41/28: Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration (H04L41/00 Arrangements for maintenance, administration or management of data switching networks)
Definitions
- Embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to devices, methods, apparatus and computer readable storage media of offline network security configuration.
- Network security configurations are required for protecting the communications between various 3G, 4G or 5G network nodes.
- A local network node may establish tunnels with multiple remote network nodes. After booting up, the network system may allocate either dynamic or static network addresses (e.g., internet protocol (IP) addresses) for interfaces (e.g., F1, X2, S1 interfaces and so on) of these network nodes.
- Each of the tunnels has corresponding configuration data, and the local network node may perform a validation check on configuration data. If the configuration data is validated, the local network node may then establish a tunnel with the corresponding remote network node based on the configuration data and the allocated IP addresses.
- For base stations (e.g., eNB, gNB, etc.) with centralized units (CUs) and distribution units (DUs), the centralized units and distribution units are connected with each other through full mesh connections.
- Example embodiments of the present disclosure provide a solution of offline network security configuration.
- a first device comprising at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device at least to: receive, from a cloud device, a network address for the first device; receive, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first device; and establish, based on the network address and the network security configuration items, a security tunnel with a second device.
- an electronic device comprising at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the electronic device at least to: receive, from a cloud device, a network address for a first device; generate the network security configuration items for the network address; check a validity of the network security configuration items with a set of validation rules associated with the first device; and in accordance with a determination that the network security configuration items are validated, transmit the network security configuration items to the cloud device.
- an electronic device comprising at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the electronic device at least to: allocate a network address for a first device; transmit the network address to a network management device; receive, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; transmit the network address to the first device; and transmit the network security configuration items to the first device.
- a method comprises: receiving, at a first device and from a cloud device, a network address for the first device; receiving, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first device; and establishing, based on the network address and the network security configuration items, a security tunnel with a second device.
- a method comprises: receiving, at an electronic device and from a cloud device, a network address for a first device; generating the network security configuration items for the network address; checking a validity of the network security configuration items with a set of validation rules associated with the first device; and in accordance with a determination that the network security configuration items are validated, transmitting the network security configuration items to the cloud device.
- a method comprises: allocating, at an electronic device, a network address for a first device; transmitting the network address to a network management device; receiving, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; transmitting the network address to the first device; and transmitting the network security configuration items to the first device.
- a first apparatus comprising: means for receiving, from a cloud device, a network address for the first apparatus; means for receiving, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first apparatus; and means for establishing, based on the network address and the network security configuration items, a security tunnel with a second device.
- a second apparatus comprising: means for receiving, from a cloud device, a network address for a first device; means for generating the network security configuration items for the network address; means for checking a validity of the network security configuration items with a set of validation rules associated with the first device; and means for transmitting, in accordance with a determination that the network security configuration items are validated, the network security configuration items to the cloud device.
- a third apparatus comprising: means for allocating a network address for a first device; means for transmitting the network address to a network management device; means for receiving, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; means for transmitting the network address to the first device; and means for transmitting the network security configuration items to the first device.
- a computer readable medium having a computer program stored thereon which, when executed by at least one processor of a device, causes the device to carry out the method according to the fourth aspect.
- a computer readable medium having a computer program stored thereon which, when executed by at least one processor of a device, causes the device to carry out the method according to the fifth aspect.
- a computer readable medium having a computer program stored thereon which, when executed by at least one processor of a device, causes the device to carry out the method according to the sixth aspect.
- FIG. 1 shows a schematic diagram of an example deployment in a network system
- FIG. 2 shows an example environment in which example embodiments of the present disclosure can be implemented
- FIG. 3 shows a signaling chart illustrating an offline network security configuration process according to some example embodiments of the present disclosure
- FIG. 4 shows a flowchart of an example method of network security configuration according to some example embodiments of the present disclosure
- FIG. 5 shows a flowchart of an example method of network security configuration according to some example embodiments of the present disclosure
- FIG. 6 shows a flowchart of an example method of network security configuration according to some example embodiments of the present disclosure
- FIG. 7 shows a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure.
- FIG. 8 shows a block diagram of an example computer readable medium in accordance with some embodiments of the present disclosure.
- References in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
- circuitry may refer to one or more or all of the following:
- circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
- circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
- the term “communication network” refers to a network following any suitable communication standards, such as fifth generation (5G) systems, Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on.
- the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the future fifth generation (5G) new radio (NR) communication protocols, and/or any other protocols either currently known or to be developed in the future.
- Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the
- the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom.
- the network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), a NR Next Generation NodeB (gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, a low power node such as a femto, a pico, and so forth, depending on the applied terminology and technology.
- the network device is allowed to be defined as part of a gNB such as for example in CU/DU split in which case the network device is defined to be either a gNB-CU or a gNB-DU.
- terminal device refers to any end device that may be capable of wireless communication.
- a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT).
- the terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and/
- the terminal device may also correspond to the Mobile Termination (MT) part of the integrated access and backhaul (IAB) node (a.k.a. a relay node).
- the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
- A user equipment apparatus, such as a cell phone or tablet computer or laptop computer or desktop computer or mobile IoT device or fixed IoT device, can, for example, be furnished with corresponding capabilities as described in connection with the fixed and/or the wireless network node(s), as appropriate.
- the user equipment apparatus may be the user equipment and/or a control device, such as a chipset or processor, configured to control the user equipment when installed therein. Examples of such functionalities include the bootstrapping server function and/or the home subscriber server, which may be implemented in the user equipment apparatus by providing the user equipment apparatus with software configured to cause the user equipment apparatus to perform from the point of view of these functions/nodes.
- the IP security configuration is widely used as a security enhancement solution for IP layer packet data unit (PDU) transmissions.
- When the number and/or types of network devices are relatively large, the scale and complexity of the network system is expanded, the number of tunnels or connections between the network nodes is huge, and so on, the IP security configuration process may be time-consuming and inefficient.
- the network nodes may obtain the IP addresses via the OAM 122 as well as network security configuration data (e.g., IP security configuration items) from the network management device 120 for respective tunnels between these network nodes. Validation checks may be performed on the network security configuration data by using a set of validation rules associated with the network device. Normally, if the network security configuration data is validated, the security tunnel will be established between the CU and DU nodes.
- each of the security tunnels may have more than 30 parameters, resulting in a large volume of the network security configuration data for all the security tunnels. This takes a lot of time for a network management device 120 to initiate such a large volume of the network security configuration data for the CU and DU nodes one by one. For each of the CU and DU nodes, it also takes time to perform corresponding necessary validation checks against every tunnel.
- An example of the network security configuration items for a single tunnel is shown below.
- Embodiments of the present disclosure provide an offline network security configuration process.
- The network address and security configuration items that are required for the network nodes to establish tunnels are prepared and validated in advance.
- The security configuration items will be effective on the network nodes immediately without performing the validation check again.
- Tunnel configurations can be done in parallel in the cloud, which saves the time for network security configuration, and thus the configuration process can be greatly simplified.
- FIG. 2 shows an example environment 200 in which example embodiments of the present disclosure can be implemented.
- the network system 200 comprises first devices 210-C and 210-1 to 210-N (which may be collectively referred to as first device 210), where N is a positive integer greater than or equal to 2.
- the network system 200 further comprises a network management device 220 and a cloud device 230.
- the first device 210 may be network devices, for example, base stations that provide radio coverages to terminal devices.
- the first device 210 may include CU and DU nodes.
- the first device 210-C is deployed as the CU node and the first devices 210-1 to 210-N are deployed as DU nodes.
- the network system 200 includes one CU node and N DU nodes.
- the Packet Data Convergence Protocol (PDCP) layer and above functions may be deployed at the first device 210-C
- the Radio Link Control (RLC) layer and below functions may be deployed at the first devices 210-1 to 210-N.
- the first devices 210-C and 210-1 to 210-N may communicate with each other through full mesh connections via various interfaces (e.g., F1, X2, S1, etc.).
- the first device 210 may communicate with the network management device 220 and the cloud device 230.
- the network management device 220 may initiate the network security configuration. Specifically, the network management device 220 may obtain dynamic or static network addresses (e.g., IP addresses) for the interfaces of the first device 210 from the cloud device 230, and generate corresponding security configuration items for the network addresses.
- the security configuration items may include security configuration data and parameters that are necessary for establishment of security tunnels between the first devices 210-C and 210-1 to 210-N.
- the cloud device 230 may be flexibly deployed in the network system 200, and manage compute, storage and network resources for the network system 200. For example, the cloud device 230 allocates network addresses for the first device 210 and stores them locally, together with the security configuration items that are received from the network management device 220. Upon detecting that the first device 210 is booted up, the cloud device 230 provides the network addresses and the security configuration items to the first device 210 for establishment of the security tunnels.
- the network system 100 may include any suitable number of terminal devices and additional devices adapted for implementing implementations of the present disclosure. Although illustrated as base stations, the first device 210 may be a device other than a base station or a part of a base station.
- the network 200 may be a Code Division Multiple Access (CDMA) network, a Time Division Multiple Access (TDMA) network, a Frequency Division Multiple Access (FDMA) network, an Orthogonal Frequency-Division Multiple Access (OFDMA) network, a Single Carrier-Frequency Division Multiple Access (SC-FDMA) network or any others.
- Communications discussed in the network 100 may conform to any suitable standards including, but not limited to, New Radio Access (NR), Long Term Evolution (LTE), LTE-Evolution, LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), Code Division Multiple Access (CDMA), cdma2000, and Global System for Mobile Communications (GSM) and the like.
- the communications may be performed according to any generation of communication protocols either currently known or to be developed in the future. Examples of the communication protocols include, but are not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the fifth generation (5G) communication protocols.
- the techniques described herein may be used
- FIG. 3 shows a signaling chart illustrating an offline network security configuration process 300 according to some example embodiments of the present disclosure.
- the process 300 may involve the first device 210, the network management device 220 and the cloud device 230.
- the network management device 220 may transmit 305 a request for allocating a network address for the interface of the first device 210.
- the cloud device 230 allocates 310 the network address for the first device 210.
- the cloud device 230 may store a mapping of the network address and the interface of the first device 210 locally.
- the cloud device 230 transmits 315 the network address to the network management device 220.
- Upon receipt of the network address, the network management device 220 generates 320 network security configuration items for the network address.
- the network security configuration items may include security configuration data and parameters associated with the security tunnel between the first device 210 and a second device.
- the first device 210 may be any one of the first devices 210-C and 210-1 to 210-N
- the second device may be a further one of the first devices 210-C and 210-1 to 210-N.
- the network management device 220 checks 325 a validity of the network security configuration items with a set of validation rules associated with the first device 210.
- the network management device 220 may obtain the set of validation rules before the boot-up of the first device 210, for example, from the network operator of the first device 210 or from a third party.
- the set of validation rules may be a plugin specific to the first device 210 for checking the validity of the network security configuration items. In such cases, the network management device 220 may call a corresponding plugin when needed.
- the set of validation rules may be associated with at least one of hardware configurations of the first device 210, a processing capability of the first device 210, or a dependency relationship between the security tunnel with the second device and a further tunnel, and so on.
- the network management device 220 may include an indicator in the network security configuration items, which indicates that the network security configuration items have been validated by the network management device 220.
- the network management device 220 transmits 330 the validated security configuration items to the cloud device 230.
- the cloud device 230 may store 335 the security configuration items locally.
- the first device 210 receives 345 the network addresses from the cloud device 230.
- the first device 210 receives 350 the network security configuration items from the cloud device 230.
- the cloud device 230 may detect the boot-up of the first device 210, and provide it with the network address and the network security configuration items stored locally.
- the first device 210 establishes 355 the security tunnel with the second device.
- the security tunnel is established without checking validity of the network security configuration items by the first device 210.
- the first device 210 may determine whether the network security configuration items comprise an indication that the network security configuration items are validated by the network management device 220. If the network security configuration items comprise such an indication, the first device 210 may establish the security tunnel without checking the validity of the security configuration items. Otherwise, if the network security configuration items have no indication, the first device 210 may perform the validation check on the security configuration items.
- the network addresses are pre-allocated for various interfaces of the network nodes, and the network security configuration items are validated before the boot-up of the network nodes.
- the network security configuration items can be immediately effective on the network nodes once booted up.
- Since the network security configuration items are stored in the cloud, the network nodes have no need to obtain them from the network management device 220, which facilitates the network security configuration for the network system.
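The process 300 above, as an added Python model that is not part of the patent: it assumes constructed device names, a constructed indicator key and a constructed per-device validation plugin covering the three rule types the page names (hardware configuration, processing capability, dependency on a further tunnel), and it shows the boot-time branch of whether the first device re-validates.

```python
"""Model of the offline network security configuration signalling of FIG. 3.
Added illustration, not code from the patent: device names, the indicator key,
the validation plugin and the sample configuration items are all constructed."""
from dataclasses import dataclass, field
from functools import partial

INDICATOR = "validated_by_nms"  # constructed key for the page's "validated" indicator


@dataclass
class DeviceProfile:
    """Facts about one first device that its validation rules depend on (constructed)."""
    supported_algorithms: set
    max_tunnels: int
    existing_tunnels: set = field(default_factory=set)


def validation_plugin(profile, items):
    """Validation rules associated with one device (step 325): hardware configuration,
    processing capability and dependency on a further tunnel. Empty list = validated."""
    errors = []
    if items["encryption_algorithm"] not in profile.supported_algorithms:
        errors.append("algorithm %s not supported by hardware" % items["encryption_algorithm"])
    if len(profile.existing_tunnels) >= profile.max_tunnels:
        errors.append("tunnel count would exceed processing capability")
    dep = items.get("depends_on")
    if dep and dep not in profile.existing_tunnels:
        errors.append("dependent tunnel %s not available" % dep)
    if not errors:
        profile.existing_tunnels.add(items["tunnel_id"])  # later tunnels may depend on it
    return errors


class CloudDevice:
    """Allocates addresses (310), keeps the address/interface mapping and stores the
    validated items (335) until the first device boots (345/350)."""
    def __init__(self, address_pool):
        self.pool = list(address_pool)
        self.addresses = {}  # (device, interface) -> network address
        self.items = {}      # device -> list of configuration item sets

    def allocate(self, device, interface):
        address = self.pool.pop(0)
        self.addresses[(device, interface)] = address
        return address

    def store_items(self, device, items):
        self.items.setdefault(device, []).append(items)

    def provide_on_boot(self, device):
        addresses = {i: a for (d, i), a in self.addresses.items() if d == device}
        return addresses, self.items.get(device, [])


class NetworkManagementDevice:
    """Generates (320) and validates (325) items before the device boots, then hands
    the validated items, marked with the indicator, to the cloud device (330)."""
    def __init__(self, cloud, plugins):
        self.cloud = cloud
        self.plugins = plugins  # device -> validation plugin specific to that device

    def prepare_tunnel(self, device, interface, peer, template):
        address = self.cloud.allocate(device, interface)           # 305 / 315
        items = dict(template, local_address=address, peer=peer)  # 320
        errors = self.plugins[device](items)                      # 325
        if errors:
            return errors
        items[INDICATOR] = True
        self.cloud.store_items(device, items)                     # 330 / 335
        return []


def boot_first_device(device, cloud, local_plugin):
    """Steps 345-355: take address and items from the cloud; establish the tunnel without
    re-validation when the indicator is present, otherwise validate locally first."""
    _addresses, item_sets = cloud.provide_on_boot(device)  # addresses received at 345
    tunnels = []
    for items in item_sets:
        if not items.get(INDICATOR) and local_plugin(items):
            continue  # no indicator and the device-side check failed: no tunnel
        tunnels.append((items["local_address"], items["peer"]))
    return tunnels


def demo():
    """Constructed scenario: one DU, three tunnels prepared offline, one unvalidated set."""
    cloud = CloudDevice(["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    profile = DeviceProfile({"aes-gcm-256"}, max_tunnels=2)
    plugin = partial(validation_plugin, profile)
    nms = NetworkManagementDevice(cloud, {"DU-1": plugin})
    ok = nms.prepare_tunnel("DU-1", "F1", "CU", {"tunnel_id": "t1", "encryption_algorithm": "aes-gcm-256"})
    bad = nms.prepare_tunnel("DU-1", "X2", "CU", {"tunnel_id": "t2", "encryption_algorithm": "des", "depends_on": "t1"})
    dep = nms.prepare_tunnel("DU-1", "S1", "CU", {"tunnel_id": "t3", "encryption_algorithm": "aes-gcm-256", "depends_on": "t1"})
    # Items reaching the cloud without the indicator must be checked by the device itself.
    cloud.store_items("DU-1", {"tunnel_id": "t4", "encryption_algorithm": "des", "local_address": "10.0.0.9", "peer": "CU"})
    return ok, bad, dep, boot_first_device("DU-1", cloud, plugin)
```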
- FIG. 4 shows a flowchart of an example method 400 of network security configuration according to some example embodiments of the present disclosure.
- the method 400 can be implemented at a network device, e.g., the first device 210 described with reference to FIG. 2.
- Upon boot-up, the first device receives, at 410, a network address for the first device 210 from the cloud device 230.
- the network address may correspond to at least one interface of the first device 210, including but not limited to F1, X2, S1 interfaces and so on.
- the network addresses are allocated dynamically or statically by the cloud device 230 before the boot-up of the first device 210.
- the first device 210 receives the network security configuration items from the cloud device 230.
- the network security configuration items have been validated by the network management device 220 with a set of validation rules associated with the first device 210.
- the network security configuration items are generated and validated by the network management device 220 before the boot-up of the first device 210.
- a set of validation rules may be associated with at least one of hardware configurations of the first device 210, a processing capability of the first device 210, or a dependency relationship between the security tunnel with the second device and a further tunnel, and so on.
- the first device 210 may be any one of the first devices 210-C and 210-1 to 210-N
- the second device may be a further one of the first devices 210-C and 210-1 to 210-N
- the first device 210 establishes the security tunnel with the second device based on the network address and the network security configuration items.
- the security tunnel may be established without checking validity of the network security configuration items by the first device 210.
- the first device 210 may determine whether the network security configuration items include an indication that the network security configuration items are validated by the network management device 220. If the network security configuration items include such an indication, the first device 210 may determine that the validation check has been performed by the network management device 220, and thus no more validation check is required. In this case, the first device 210 may establish the security tunnel without checking the validity of the security configuration items.
- the first device 210 is one of a distribution network device and a centralized network device at an access network side
- the second device is the other one of the distribution and centralized network devices.
- an offline network security configuration process. With the pre-allocated network address as well as the validated network security configurations, the network devices (e.g., gNB) are capable of effecting the network security configurations immediately once booted up. Therefore, the time consumed by network security configuration of the network system can be shortened. Moreover, the performance and maintenance of the network system can be improved.
- the network devices e.g., gNB
- FIG. 5 shows a flowchart of an example method 500 of network security configuration according to some example embodiments of the present disclosure.
- the method 500 can be implemented at an electronic management device, e.g., the network management device 220 described with reference to FIG. 2.
- the network management device 220 receives a network address for the first device 210 from the cloud device 230.
- the network management device 220 may transmit a network address allocation request to the cloud device 230, and receive the network address as a response.
- the network management device 220 generates the network security configuration items for the network address.
- the network security configuration items are generated before a boot-up of the first device.
- the network security configuration items may include security configuration data and parameters associated with the security tunnel between the first device 210 and a second device.
- the first device 210 may be any one of the first devices 210-C and 210-1 to 210-N
- the second device may be a further one of the first devices 210-C and 210-1 to 210-N.
- the network management device 220 checks a validity of the network security configuration items with a set of validation rules associated with the first device 210.
- the network security configuration items are validated before a boot-up of the first device 210.
- the network management device 220 may obtain the set of validation rules from the first device 210.
- the set of validation rules may be obtained from the network operator of the first device 210, or alternatively, from a third party.
- the set of validation rules are associated with at least one of hardware configurations of the first device 210, a processing capability of the first device 210, or a dependency relationship between a security tunnel with the second device and a further tunnel.
- the set of validation rules may be a plugin specific to the first device 210 for checking the validity of the network security configuration items.
- the network management device 220 may call a corresponding plugin when needed.
- the network management device 220 transmits the network security configuration items to the cloud device 230.
- the network management device 220 may include an indicator in the network security configuration items, and the indicator indicates that the network security configuration items are validated by the network management device 220.
- the first device 210 is one of a distribution network device and a centralized network device at an access network side.
- the network management device 220 of the network system 200 generates and checks the network security configuration items before the establishment of the security tunnels.
- the network security configuration can be performed in an offline manner, which can largely reduce the time consumption, and improve the network performance.
- FIG. 6 shows a flowchart of an example method 600 of network security configuration according to some example embodiments of the present disclosure.
- the method 600 can be implemented at an electronic device in cloud, e.g., the cloud device 230 described with reference to FIG. 2.
- the cloud device 230 allocates a network address for the first device 210.
- the network address is allocated before a boot-up of the first device 210.
- the cloud device 230 may receive a network address allocation request from the network management device 220 and allocate the network address.
- the network address may correspond to at least one interface of the first device 210, including but not limited to F1, X2, S1 interfaces and so on.
- the cloud device 230 may store the allocated network addresses locally.
- the cloud device 230 transmits the network address to the network management device 220.
- the cloud device 230 receives network security configuration items for the network address from the network management device 220.
- the network security configuration items are validated by the network management device 220 with a set of validation rules associated with the first device 210.
- the cloud device 230 may detect that the first device 210 is booted up. At 640, the cloud device 230 transmits the network address to the first device 210.
- the cloud device 230 transmits the network security configuration items to the first device 210.
- the first device 210 may perform the network security configuration, for example, establish a security tunnel with the second device immediately without performing any validation check.
- the first device 210 may be any one of the first devices 210-C and 210-1 to 210-N, and the second device may be a further one of the first devices 210-C and 210-1 to 210-N.
- the cloud device 230 is adopted to pre-allocate the network address and to store it together with the network security configuration items. Since the cloud device 230 is flexibly deployed in the network system 200, after being booted up, the network nodes (such as CU and DU nodes) are able to obtain the network address and the network security configuration items locally, instead of obtaining them from the network management device 220. Further, the network security configuration items can take effect immediately, as the validation check has been performed before the boot-up of the network nodes.
- a first apparatus capable of performing the method 400 may comprise means for performing the respective steps of the method 400.
- the means may be implemented in any suitable form.
- the means may be implemented in a circuitry or software module.
- the first apparatus may be implemented as or included in the first device 210.
- the means may comprise at least one processor and at least one memory including computer program code. The at least one memory and computer program code are configured to, with the at least one processor, cause performance of the first apparatus.
- the first apparatus comprises: means for receiving, from a cloud device, a network address for the first apparatus; means for receiving, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first apparatus; and means for establishing, based on the network address and the network security configuration items, a security tunnel with a second device.
- the network address corresponds to at least one interface of the first apparatus and is allocated by the cloud device before a boot-up of the first apparatus.
- the network security configuration items are generated and validated by the network management device before a boot-up of the first apparatus.
- the security tunnel is established without checking validity of the network security configuration items by the first apparatus.
- the means for establishing the security tunnel comprises: means for in accordance with a determination that the network security configuration items comprise an indication that the network security configuration items are validated by the network management device, establishing the security tunnel without checking the validity of the security configuration items.
- a set of validation rules are associated with at least one of the following: hardware configurations of the first apparatus, a processing capability of the first apparatus, or a dependency relationship between the security tunnel with the second device and a further tunnel.
- the first apparatus is one of a distribution network device and a centralized network device at an access network side.
- the second device is the other one of the distribution and centralized network devices.
- a second apparatus capable of performing the method 500 may comprise means for performing the respective steps of the method 500.
- the means may be implemented in any suitable form.
- the means may be implemented in a circuitry or software module.
- the second apparatus may be implemented as or included in the network management device 220.
- the means may comprise at least one processor and at least one memory including computer program code. The at least one memory and computer program code are configured to, with the at least one processor, cause performance of the second apparatus.
- the second apparatus comprises: means for receiving, from a cloud device, a network address for a first device; means for generating the network security configuration items for the network address; means for checking a validity of the network security configuration items with a set of validation rules associated with the first device; and means for in accordance with a determination that the network security configuration items are validated, transmitting the network security configuration items to the cloud device.
- the second apparatus further comprises: means for obtaining the set of validation rules from the first device.
- the second apparatus further comprises: means for in accordance with a determination that the network security configuration items are validated, including an indicator in the network security configuration items, the indicator indicating that the network security configuration items are validated by the second apparatus.
- the set of validation rules are associated with at least one of the following: hardware configurations of the first device, a processing capability of the first device, or a dependency relationship between a security tunnel with a second device and a further tunnel.
- the set of validation rules comprise a plugin for checking the validity of the network security configuration items.
- the network security configuration items are generated before a boot-up of the first device.
- the network security configuration items are validated before a boot-up of the first device.
- the first device is one of a distribution network device and a centralized network device at an access network side.
- the second apparatus comprises a network management device.
- a third apparatus capable of performing the method 600 may comprise means for performing the respective steps of the method 600.
- the means may be implemented in any suitable form.
- the means may be implemented in a circuitry or software module.
- the third apparatus may be implemented as or included in the cloud device 230.
- the means may comprise at least one processor and at least one memory including computer program code. The at least one memory and computer program code are configured to, with the at least one processor, cause performance of the third apparatus.
- the third apparatus comprises: means for allocating a network address for a first device; means for transmitting the network address to a network management device; means for receiving, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; means for transmitting the network address to the first device; and means for transmitting the network security configuration items to the first device.
- the network address corresponds to at least one interface of the first device and is allocated by the third apparatus before a boot-up of the first device.
- the means for transmitting the network address comprises: means for in accordance with a determination that the first device is booted up, transmitting the network address to the first device.
- the means for transmitting the network security configuration items comprises: means for in accordance with a determination that the first device is booted up, transmitting the network security configuration items to the first device.
- the first device is one of a distribution network device and a centralized network device at an access network side.
- the third apparatus is a cloud device.
- FIG. 7 is a simplified block diagram of a device 700 that is suitable for implementing embodiments of the present disclosure.
- the device 700 may be provided to implement the communication device, for example the first device 210, the network management device 220 or the cloud device 230 as shown in FIG. 2.
- the device 700 includes one or more processors 710, one or more memories 720 coupled to the processor 710, and one or more transmitters and receivers (TX/RX) 740 coupled to the processor 710.
- TX/RX transmitters and receivers
- the TX/RX 740 is for bidirectional communications.
- the TX/RX 740 has at least one antenna to facilitate communication.
- the communication interface may represent any interface that is necessary for communication with other network elements.
- the processor 710 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
- the device 700 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
- the memory 720 may include one or more non-volatile memories and one or more volatile memories.
- the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 724, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), and other magnetic storage and/or optical storage.
- the volatile memories include, but are not limited to, a random access memory (RAM) 722 and other volatile memories that will not last in the power-down duration.
- a computer program 730 includes computer executable instructions that are executed by the associated processor 710.
- the program 730 may be stored in the ROM 720.
- the processor 710 may perform any suitable actions and processing by loading the program 730 into the RAM 720.
- the embodiments of the present disclosure may be implemented by means of the program 730 so that the device 700 may perform any process of the disclosure as discussed with reference to FIGs. 4-6.
- the embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
- the program 730 may be tangibly contained in a computer readable medium which may be included in the device 700 (such as in the memory 720) or other storage devices that are accessible by the device 700.
- the device 700 may load the program 730 from the computer readable medium to the RAM 722 for execution.
- the computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like.
- FIG. 8 shows an example of the computer readable medium 800 in form of CD or DVD.
- the computer readable medium has the program 730 stored thereon.
- various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, device, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
- the present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium.
- the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the methods 400, 500 and 600 as described above with reference to FIGs. 4-6.
- program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
- the functionality of the program modules may be combined or split between program modules as desired in various embodiments.
- Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
- Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing device, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
- the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
- the computer program codes or related data may be carried by any suitable carrier to enable the device, device or processor to perform various processes and operations as described above.
- Examples of the carrier include a signal, computer readable medium, and the like.
- the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
- a computer readable medium may include but not limited to an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, device, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Abstract
Example embodiments of the present disclosure relate to devices, methods, apparatuses and computer readable storage media of network security configuration. The method comprises: receiving, at a first device and from a cloud device, a network address for the first device; receiving, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first device; and establishing, based on the network address and the network security configuration items, a security tunnel with a second device. In this way, the network devices are capable of effecting the network security configurations immediately once booted up, without the validation check. As such, the time consumption of the network security configuration process can be reduced, and the system performance can be improved.
Description
Embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to devices, methods, apparatus and computer readable storage media of offline network security configuration.
In order to protect data security and integrity as well as the user's privacy, internet protocol (IP) layer packet data units (PDUs) are typically encrypted before being transmitted to their destination. To this end, network security configurations are required for protecting the communications between various 3G, 4G or 5G network nodes. A local network node may establish tunnels with multiple remote network nodes. After booting up, the network system may allocate either dynamic or static network addresses (e.g., IP addresses) for interfaces (e.g., F1, X2, S1 interfaces and so on) of these network nodes. Each of the tunnels has corresponding configuration data, and the local network node may perform a validation check on that configuration data. If the configuration data is validated, the local network node may then establish a tunnel with the corresponding remote network node based on the configuration data and the allocated IP addresses.
In the 5G New Radio (NR) system architecture, the base stations (e.g., eNB, gNB, etc.) are deployed as centralized units (CUs) and distribution units (DUs) for implementing different network functions. The centralized units and distribution units are connected with each other through full mesh connections. As a result, such a deployment may bring a dramatic increase in the number of network elements and in the number of tunnels between these network elements. Thus, there is a demand for simplifying the network security configuration process.
SUMMARY
In general, example embodiments of the present disclosure provide a solution of offline network security configuration.
In a first aspect, there is provided a first device. The first device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device at least to: receive, from a cloud device, a network address for the first device; receive, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first device; and establish, based on the network address and the network security configuration items, a security tunnel with a second device.
In a second aspect, there is provided an electronic device. The electronic device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the electronic device at least to: receive, from a cloud device, a network address for a first device; generate the network security configuration items for the network address; check a validity of the network security configuration items with a set of validation rules associated with the first device; and in accordance with a determination that the network security configuration items are validated, transmit the network security configuration items to the cloud device.
In a third aspect, there is provided an electronic device. The electronic device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the electronic device at least to: allocate a network address for a first device; transmit the network address to a network management device; receive, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; transmit the network address to the first device; and transmit the network security configuration items to the first device.
In a fourth aspect, there is provided a method. The method comprises: receiving, at a first device and from a cloud device, a network address for the first device; receiving, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first device; and establishing, based on the network address and the network security configuration items, a security tunnel with a second device.
In a fifth aspect, there is provided a method. The method comprises: receiving, at an electronic device and from a cloud device, a network address for a first device; generating the network security configuration items for the network address; checking a validity of the network security configuration items with a set of validation rules associated with the first device; and in accordance with a determination that the network security configuration items are validated, transmitting the network security configuration items to the cloud device.
In a sixth aspect, there is provided a method. The method comprises: allocating, at an electronic device, a network address for a first device; transmitting the network address to a network management device; receiving, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; transmitting the network address to the first device; and transmitting the network security configuration items to the first device.
In a seventh aspect, there is provided a first apparatus comprising: means for receiving, from a cloud device, a network address for the first apparatus; means for receiving, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first apparatus; and means for establishing, based on the network address and the network security configuration items, a security tunnel with a second device.
In an eighth aspect, there is provided a second apparatus comprising: means for receiving, from a cloud device, a network address for a first device; means for generating the network security configuration items for the network address; means for checking a validity of the network security configuration items with a set of validation rules associated with the first device; and means for in accordance with a determination that the network security configuration items are validated, transmitting the network security configuration items to the cloud device.
In a ninth aspect, there is provided a third apparatus comprising: means for allocating a network address for a first device; means for transmitting the network address to a network management device; means for receiving, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; means for transmitting the network address to the first device; and means for transmitting the network security configuration items to the first device.
In a tenth aspect, there is provided a computer readable medium having a computer program stored thereon which, when executed by at least one processor of a device, causes the device to carry out the method according to the fourth aspect.
In an eleventh aspect, there is provided a computer readable medium having a computer program stored thereon which, when executed by at least one processor of a device, causes the device to carry out the method according to the fifth aspect.
In a twelfth aspect, there is provided a computer readable medium having a computer program stored thereon which, when executed by at least one processor of a device, causes the device to carry out the method according to the sixth aspect.
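The three-party flow of the fourth to sixth aspects (methods 400, 500 and 600 above) as a runnable Python model. This is an added example, not code from the patent or from any product it describes. The role names follow the page; the per-device rule list stands in for the page's validation "plugin", the three rules model the hardware-configuration, processing-capability and tunnel-dependency associations the page names, and the indicator field name, the address pool, the device profiles and the cipher names are constructed assumptions. The first device runs its own validation only when the indicator is absent, which is the behaviour the page describes for skipping the post-boot check.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Name of the indicator the management device adds to validated items.
# The page only says "an indicator"; this field name is an assumption.
VALIDATED_INDICATOR = "validated_by"


@dataclass
class DeviceProfile:
    """Facts the validation rules are associated with (constructed fields)."""
    device_id: str
    interfaces: List[str]        # e.g. ["F1", "X2"]
    supported_ciphers: set       # stands in for "hardware configurations"
    max_tunnels: int             # stands in for "processing capability"


@dataclass
class TunnelSpec:
    """One security tunnel to configure: peer, cipher, optional dependency."""
    peer: str
    cipher: str
    depends_on: Optional[str] = None   # peer of a further tunnel this one needs


# A validation rule returns an error message, or None when the items pass.
Rule = Callable[[DeviceProfile, List[TunnelSpec]], Optional[str]]


def rule_hardware(profile, tunnels):
    bad = [t.peer for t in tunnels if t.cipher not in profile.supported_ciphers]
    return f"cipher not supported by hardware for tunnels to {bad}" if bad else None


def rule_capability(profile, tunnels):
    if len(tunnels) > profile.max_tunnels:
        return f"{len(tunnels)} tunnels exceed capability of {profile.max_tunnels}"
    return None


def rule_dependency(profile, tunnels):
    peers = {t.peer for t in tunnels}
    missing = [t.peer for t in tunnels if t.depends_on and t.depends_on not in peers]
    return f"tunnels to {missing} depend on a tunnel that is not configured" if missing else None


def run_rules(rules: List[Rule], profile: DeviceProfile, tunnels: List[TunnelSpec]) -> List[str]:
    """Apply every rule; collect the failures."""
    return [err for err in (rule(profile, tunnels) for rule in rules) if err]


class CloudDevice:
    """Sixth aspect: allocates addresses and stores validated items before boot-up."""
    def __init__(self, pool: str):
        self._free = ipaddress.ip_network(pool).hosts()   # constructed address pool
        self.addresses: Dict[str, str] = {}
        self.items: Dict[str, dict] = {}

    def allocate_address(self, device_id: str) -> str:
        self.addresses[device_id] = str(next(self._free))
        return self.addresses[device_id]

    def store_items(self, device_id: str, items: dict) -> None:
        self.items[device_id] = items

    def on_boot(self, device_id: str) -> Tuple[str, dict]:
        # Hand the booted device its pre-allocated address and the stored items.
        return self.addresses[device_id], self.items[device_id]


class NetworkManagementDevice:
    """Fifth aspect: generates items, validates them with the device's plugin, stores them."""
    def __init__(self, cloud: CloudDevice, plugins: Dict[str, List[Rule]]):
        self.cloud = cloud
        self.plugins = plugins   # device-specific rule sets, the page's "plugin"

    def provision(self, profile: DeviceProfile, tunnels: List[TunnelSpec]) -> List[str]:
        address = self.cloud.allocate_address(profile.device_id)
        items = {"address": address, "tunnels": tunnels}
        errors = run_rules(self.plugins[profile.device_id], profile, tunnels)
        if errors:
            return errors                      # nothing reaches the cloud device
        items[VALIDATED_INDICATOR] = "network_management_device"
        self.cloud.store_items(profile.device_id, items)
        return []


class FirstDevice:
    """Fourth aspect: on boot, establishes tunnels; skips its own check when the indicator is present."""
    def __init__(self, profile: DeviceProfile, local_rules: List[Rule]):
        self.profile = profile
        self.local_rules = local_rules
        self.local_checks_run = 0

    def boot(self, cloud: CloudDevice) -> List[Tuple[str, str]]:
        address, items = cloud.on_boot(self.profile.device_id)
        if VALIDATED_INDICATOR not in items:
            # Conventional path: the device validates the items itself after boot-up.
            self.local_checks_run += 1
            errors = run_rules(self.local_rules, self.profile, items["tunnels"])
            if errors:
                raise ValueError("; ".join(errors))
        return [(address, t.peer) for t in items["tunnels"]]
```

`provision` returns the list of rule failures, so a configuration that fails any rule never reaches the cloud device and the device never boots into it; a configuration stored without the indicator still works, but the first device then pays for its own check after boot-up. As on the page, the first device trusts the indicator as given; protecting the items on their way from the cloud device is outside what the page describes and is not modelled here.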
Other features and advantages of the embodiments of the present disclosure will also be apparent from the following description of specific embodiments when read in conjunction with the accompanying drawings, which illustrate, by way of example, the principles of embodiments of the disclosure.
Embodiments of the disclosure are presented in the sense of examples and their advantages are explained in greater detail below, with reference to the accompanying drawings, where
FIG. 1 shows a schematic diagram of an example deployment in a network system;
FIG. 2 shows an example environment in which example embodiments of the present disclosure can be implemented;
FIG. 3 shows a signaling chart illustrating an offline network security configuration process according to some example embodiments of the present disclosure;
FIG. 4 shows a flowchart of an example method of network security configuration according to some example embodiments of the present disclosure;
FIG. 5 shows a flowchart of an example method of network security configuration according to some example embodiments of the present disclosure;
FIG. 6 shows a flowchart of an example method of network security configuration according to some example embodiments of the present disclosure;
FIG. 7 shows a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure; and
FIG. 8 shows a block diagram of an example computer readable medium in accordance with some embodiments of the present disclosure.
Throughout the drawings, the same or similar reference numerals represent the same or similar element.
Principles of the present disclosure will now be described with reference to some example embodiments. It is to be understood that these embodiments are described only for the purpose of illustration and to help those skilled in the art understand and implement the present disclosure, without suggesting any limitation as to the scope of the disclosure. The disclosure described herein can be implemented in various manners other than the ones described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
References in the present disclosure to "one embodiment," "an embodiment," "an example embodiment," and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It shall be understood that although the terms “first” and “second” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish functionalities of various elements. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises", "comprising", "has", "having", "includes" and/or "including", when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof.
As used in this application, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable):
(i) a combination of analog and/or digital hardware circuit(s) with software/firmware and
(ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions, and
(c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
As used herein, the term “communication network” refers to a network following any suitable communication standards, such as fifth generation (5G) systems, Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on. Furthermore, the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation of communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the future fifth generation (5G) new radio (NR) communication protocols, and/or any other protocols either currently known or to be developed in the future. Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future types of communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned systems.
As used herein, the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom. The network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), an NR Next Generation NodeB (gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, a low power node such as a femto, a pico, and so forth, depending on the applied terminology and technology. The network device is allowed to be defined as part of a gNB, such as for example in a CU/DU split, in which case the network device is defined to be either a gNB-CU or a gNB-DU.
The term “terminal device” refers to any end device that may be capable of wireless communication. By way of example rather than limitation, a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT). The terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computers, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or automated processing chain context), a consumer electronics device, a device operating on commercial and/or industrial wireless networks, and the like. The terminal device may also correspond to the Mobile Termination (MT) part of an integrated access and backhaul (IAB) node (a.k.a. a relay node). In the following description, the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
Although functionalities described herein can be performed, in various example embodiments, in a fixed and/or a wireless network node, in other example embodiments, functionalities may be implemented in a user equipment apparatus (such as a cell phone or tablet computer or laptop computer or desktop computer or mobile IoT device or fixed IoT device). This user equipment apparatus can, for example, be furnished with corresponding capabilities as described in connection with the fixed and/or the wireless network node(s), as appropriate. The user equipment apparatus may be the user equipment and/or a control device, such as a chipset or processor, configured to control the user equipment when installed therein. Examples of such functionalities include the bootstrapping server function and/or the home subscriber server, which may be implemented in the user equipment apparatus by providing the user equipment apparatus with software configured to cause the user equipment apparatus to perform the corresponding functions from the point of view of these functions/nodes.
As previously described, IP security configuration is widely used as a security enhancement solution for IP-layer PDU transmissions. In the face of a complex network environment, in which, for example, the number and/or types of network devices are relatively large, the scale and complexity of the network system are expanded and the number of tunnels or connections between the network nodes is huge, the IP security configuration process may be time-consuming and inefficient.
Assume that the network devices 110-C and 110-1 to 110-128 are deployed as the CU node and 128 DU nodes in a network system 100, as shown in FIG. 1. For the F1 interface, the CU node (e.g., the network device 110-C) may have 128 security tunnels with the 128 DU nodes (e.g., the network devices 110-1 to 110-128), and if IP security configurations are performed at all interfaces, such as X2 and S1, there may be 128*3+3*128=768 tunnels in total. Typically, after a boot-up of the network nodes, network addresses (e.g., IP addresses) will be allocated for the various interfaces of the network nodes. The network nodes may obtain the IP addresses via the OAM 122, as well as network security configuration data (e.g., IP security configuration items) from the network management device 120 for the respective tunnels between these network nodes. Validation checks may be performed on the network security configuration data by using a set of validation rules associated with the network device. Normally, if the network security configuration data is validated, the security tunnel will be established between the CU and DU nodes.
In a case where the network system includes more CU and DU nodes, the total number of tunnels will become much larger. Additionally, each of the security tunnels may have more than 30 parameters, resulting in a large volume of network security configuration data for all the security tunnels. It takes a lot of time for the network management device 120 to initiate such a large volume of network security configuration data for the CU and DU nodes one by one. For each of the CU and DU nodes, it also takes time to perform the necessary validation checks against every tunnel. An example of the network security configuration items for a single tunnel is shown below.
sudo -u tpl_user TplStub ipseclib -c setupPolicyConfiguration -ownerName ei-0 -ikeProfile ikeProfileId 100 connMode Responder dpdDelay 4294967295 ikeDHGrp DH20 ikeEncryption AesCbc128 ikeAuthentication HmacSha96 ikeMaxLifetime 1000 perfectForwardSecrecyEnabled false localEndpoint 10.37.16.150 remoteEndpoint 10.39.130.163 -ipsecProfiles ipsecProfileId 100 antiReplayState Disabled antiReplayWindowSize Size2048 espEncryption Null espAuthentication AesGmac256 extendedSequenceNumberMode NormalSequence pfsDHGrp DH14 espMaxLifetime 600 -securityPolicyProfiles securityPolicyProfileId 100 ikeProfileId 100 ipsecProfileId 100 policyAction Protect policyOrderNumber 100 trafficSelector localIpAddress 99.99.0.1 remoteIpAddress 88.88.1.1 localIpPrefixLength 32 remoteIpPrefixLength 32 protocol 0
It is expected that the network security configuration for the network system is completed within a few minutes (e.g., 5 minutes). Currently, the time consumption for such security configuration is far beyond 5 minutes due to the massive deployment of the network system and the complex process, which degrades the system performance and increases the workload of managing and maintaining the network system.
In order to solve the above and other potential problems, embodiments of the present disclosure provide an offline network security configuration process. In general, the network addresses and security configuration items that are required for the network nodes to establish tunnels are prepared and validated in advance. As such, after boot-up, the security configuration items take effect on the network nodes immediately, without the validation check being performed again. In this way, tunnel configurations can be done in parallel in the cloud, which saves time for network security configuration, and thus the configuration process can be greatly simplified.
FIG. 2 shows an example environment 200 in which example embodiments of the present disclosure can be implemented. As shown in FIG. 2, the network system 200 comprises first devices 210-C and 210-1 to 210-N (which may be collectively referred to as the first device 210), where N is a positive integer greater than or equal to 2. The network system 200 further comprises a network management device 220 and a cloud device 230.
The first device 210 may be a network device, for example, a base station that provides radio coverage to terminal devices. The first device 210 may include CU and DU nodes. Specifically, the first device 210-C is deployed as the CU node and the first devices 210-1 to 210-N are deployed as DU nodes. In other words, the network system 200 includes one CU node and N DU nodes. For example, the Packet Data Convergence Protocol (PDCP) layer and above functions may be deployed at the first device 210-C, while the Radio Link Control (RLC) layer and below functions may be deployed at the first devices 210-1 to 210-N. The first devices 210-C and 210-1 to 210-N may communicate with each other through full mesh connections via various interfaces (e.g., F1, X2, S1, etc.). In the example shown in FIG. 2, there are N tunnels for transmission of the encrypted data between the first device 210-C and the first devices 210-1 to 210-N. Moreover, the first device 210 may communicate with the network management device 220 and the cloud device 230.
The network management device 220 may initiate the network security configuration. Specifically, the network management device 220 may obtain dynamic or static network addresses (e.g., IP addresses) for the interfaces of the first device 210 from the cloud device 230, and generate corresponding security configuration items for the network addresses. The security configuration items may include security configuration data and parameters that are necessary for establishment of security tunnels between the first devices 210-C and 210-1 to 210-N.
The cloud device 230 may be flexibly deployed in the network system 200, and manages compute, storage and network resources for the network system 200. For example, the cloud device 230 allocates network addresses for the first device 210 and stores them locally, together with the security configuration items received from the network management device 220. Upon detecting that the first device 210 is booted up, the cloud device 230 provides the network addresses and the security configuration items to the first device 210 for establishment of the security tunnels.
It is to be understood that the number of network devices shown in FIG. 2 is given for the purpose of illustration without suggesting any limitations. The network system 100 may include any suitable number of terminal devices and additional devices adapted for implementing embodiments of the present disclosure. Although illustrated as base stations, the first device 210 may be a device other than a base station or a part of a base station.
Depending on the communication technologies, the network 200 may be a Code Division Multiple Access (CDMA) network, a Time Division Multiple Access (TDMA) network, a Frequency Division Multiple Access (FDMA) network, an Orthogonal Frequency-Division Multiple Access (OFDMA) network, a Single Carrier-Frequency Division Multiple Access (SC-FDMA) network or any other. Communications discussed in the network 100 may conform to any suitable standards including, but not limited to, New Radio Access (NR), Long Term Evolution (LTE), LTE-Evolution, LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), Code Division Multiple Access (CDMA), cdma2000, Global System for Mobile Communications (GSM) and the like. Furthermore, the communications may be performed according to any generation of communication protocols either currently known or to be developed in the future. Examples of the communication protocols include, but are not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, and the fifth generation (5G) communication protocols. The techniques described herein may be used for the wireless networks and radio technologies mentioned above as well as other wireless networks and radio technologies. For clarity, certain aspects of the techniques are described below for LTE, and LTE terminology is used in much of the description below.
Principles and implementations of the present disclosure will be described in detail below with reference to FIGs. 3 to 6. FIG. 3 shows a signaling chart illustrating an offline network security configuration process 300 according to some example embodiments of the present disclosure. For the purpose of discussion, the process 300 will be described with reference to FIG. 2. The process 300 may involve the first device 210, the network management device 220 and the cloud device 230.
As shown in FIG. 3, before the first device 210 is booted up, the network management device 220 may transmit 305 a request for allocating a network address for the interface of the first device 210. The cloud device 230 allocates 310 the network address for the first device 210. The cloud device 230 may store a mapping of the network address and the interface of the first device 210 locally.
The cloud device 230 transmits 315 the network address to the network management device 220. Upon receipt of the network address, the network management device 220 generates 320 network security configuration items for the network address. In some example embodiments, the network security configuration items may include security configuration data and parameters associated with the security tunnel between the first device 210 and a second device. In the context of the present disclosure, the first device 210 may be any one of the first devices 210-C and 210-1 to 210-N, and the second device may be a further one of the first devices 210-C and 210-1 to 210-N.
The network management device 220 checks 325 a validity of the network security configuration items with a set of validation rules associated with the first device 210. To this end, the network management device 220 may obtain the set of validation rules before the boot-up of the first device 210, for example, from the network operator of the first device 210 or from a third party. In some example embodiments, the set of validation rules may be a plugin specific to the first device 210 for checking the validity of the network security configuration items. In such cases, the network management device 220 may call a corresponding plugin when needed.
In some example embodiments, the set of validation rules may be associated with at least one of hardware configurations of the first device 210, a processing capability of the first device 210, or a dependency relationship between the security tunnel with the second device and a further tunnel, and so on.
In some example embodiments, if the security configuration items are validated in 325, the network management device 220 may include an indicator in the network security configuration items, which indicates that the network security configuration items have been validated by the network management device 220.
The network management device 220 transmits 330 the validated security configuration items to the cloud device 230. The cloud device 230 may store 335 the security configuration items locally.
After boot-up, the first device 210 receives 345 the network addresses from the cloud device 230. In addition, the first device 210 receives 350 the network security configuration items from the cloud device 230. For example, the cloud device 230 may detect the boot-up of the first device 210, and provide it with the network address and the network security configuration items stored locally.
With the network address and the network security configuration items, the first device 210 establishes 355 the security tunnel with the second device. In some example embodiments, since the validation check has been performed by the network management device 220, the security tunnel is established without checking validity of the network security configuration items by the first device 210.
In some example embodiments, the first device 210 may determine whether the network security configuration items comprise an indication that the network security configuration items are validated by the network management device 220. If the network security configuration items comprise such an indication, the first device 210 may establish the security tunnel without checking the validity of the security configuration items. Otherwise, if the network security configuration items have no indication, the first device 210 may perform the validation check on the security configuration items.
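As an added illustration that is not part of the disclosure, the following Python simulation walks through steps 305 to 355 for the single-tunnel configuration line quoted earlier: it parses that line into configuration items, runs a constructed validation-rule plugin (supported DH groups and ESP authentication as the hardware rule, lifetime bounds as the capability rule, profile references and traffic-selector collision as the dependency rule), attaches the validated indicator, stores the result in the cloud device, and lets the node decide at boot-up whether to skip its own check. The device profile, the rule bodies, the shared key, the interface name and the choice to carry the indicator as an HMAC over the items (the text describes only a flag) are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample input: the single-tunnel configuration line quoted in the disclosure.
SAMPLE_CMD = (
    "sudo -u tpl_user TplStub ipseclib -c setupPolicyConfiguration -ownerName ei-0 -ikeProfile ikeProfileId 100 "
    "connMode Responder dpdDelay 4294967295 ikeDHGrp DH20 ikeEncryption AesCbc128 ikeAuthentication HmacSha96 "
    "ikeMaxLifetime 1000 perfectForwardSecrecyEnabled false localEndpoint 10.37.16.150 remoteEndpoint 10.39.130.163 "
    "-ipsecProfiles ipsecProfileId 100 antiReplayState Disabled antiReplayWindowSize Size2048 espEncryption Null "
    "espAuthentication AesGmac256 extendedSequenceNumberMode NormalSequence pfsDHGrp DH14 espMaxLifetime 600 "
    "-securityPolicyProfiles securityPolicyProfileId 100 ikeProfileId 100 ipsecProfileId 100 policyAction Protect "
    "policyOrderNumber 100 trafficSelector localIpAddress 99.99.0.1 remoteIpAddress 88.88.1.1 "
    "localIpPrefixLength 32 remoteIpPrefixLength 32 protocol 0"
)
# Constructed device profile: what the validation-rule plugin knows about the node's hardware (assumption).
DEVICE_PROFILE = {"dh_groups": {"DH14", "DH19", "DH20"},
                  "esp_auth": {"AesGmac128", "AesGmac256", "HmacSha256"}}
NESTED_GROUPS = {"trafficSelector"}  # marker token whose sub-keys stay in the enclosing section

def parse_items(cmd):
    """Turn the '-section key value ...' tail of the command into {section: {key: value}}."""
    tokens = cmd.split()
    tokens = tokens[tokens.index("setupPolicyConfiguration") + 1:]  # drop the invocation prefix
    items, section, i = {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):  # section header such as -ikeProfile
            section = tok[1:]
            if i + 2 >= len(tokens) or tokens[i + 2].startswith("-"):
                items[section], i = tokens[i + 1], i + 2  # single value, e.g. -ownerName ei-0
            else:
                items[section], i = {}, i + 1
        elif tok in NESTED_GROUPS:
            i += 1
        else:
            items[section][tok], i = tokens[i + 1], i + 2
    return items

def rule_hardware(items, profile, others):
    """Hardware rule: each negotiated algorithm must be one the node's hardware supports."""
    ike, ipsec = items["ikeProfile"], items["ipsecProfiles"]
    checks = [(ike["ikeDHGrp"], "dh_groups", "IKE DH group"), (ipsec["pfsDHGrp"], "dh_groups", "PFS DH group"),
              (ipsec["espAuthentication"], "esp_auth", "ESP authentication")]
    return ["%s not supported by hardware: %s" % (what, v) for v, cap, what in checks if v not in profile[cap]]

def rule_capability(items, profile, others):
    """Capability rule (constructed): the child SA must rekey no less often than the IKE SA."""
    ike_life, esp_life = int(items["ikeProfile"]["ikeMaxLifetime"]), int(items["ipsecProfiles"]["espMaxLifetime"])
    return [] if 0 < esp_life <= ike_life else ["espMaxLifetime must be positive and not exceed ikeMaxLifetime"]

def rule_dependency(items, profile, others):
    """Dependency rule: the policy must reference the bundled profiles and not reuse another tunnel's selector."""
    pol, errs = items["securityPolicyProfiles"], []
    for ref, section in (("ikeProfileId", "ikeProfile"), ("ipsecProfileId", "ipsecProfiles")):
        if pol[ref] != items[section][ref]:
            errs.append("policy references unknown %s %s" % (ref, pol[ref]))
    selector = (pol["localIpAddress"], pol["remoteIpAddress"], pol["protocol"])
    if selector in others:
        errs.append("traffic selector already claimed by another tunnel: %s" % (selector,))
    return errs

def validate(items, profile=DEVICE_PROFILE, others=frozenset()):
    """Steps 325/530: run the plugin's rules; an empty list means the items are valid."""
    return [e for rule in (rule_hardware, rule_capability, rule_dependency) for e in rule(items, profile, others)]

def _tag(items, key):
    body = {k: v for k, v in items.items() if k not in ("validatedBy", "validationTag")}
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def attach_indicator(items, key):
    """Step 330: add the validated indicator. Binding it to the items with an HMAC under a key
    shared with the node (assumption) lets the node reject a flag that was forged or copied."""
    return dict(items, validatedBy="network-management-device-220", validationTag=_tag(items, key))

def indicator_ok(items, key):
    return hmac.compare_digest(items.get("validationTag", ""), _tag(items, key))

def new_cloud(pool):
    return {"pool": list(pool), "addresses": {}, "items": {}}  # cloud device 230's local store

def first_device_boot(cloud, interface, key):
    """Step 355: skip the local check only when the indicator verifies; otherwise validate locally."""
    address, items = cloud["addresses"][interface], cloud["items"][interface]  # steps 345/350
    if indicator_ok(items, key):
        return address, "established-without-local-check"
    if validate(items):
        raise ValueError("invalid items, tunnel not established")
    return address, "established-after-local-check"

def offline_flow(cmd, key, cloud, interface="du-1/F1"):
    """Steps 305-335 at the management device, then the boot-up of the node."""
    cloud["addresses"][interface] = address = cloud["pool"].pop(0)  # 310: pre-boot allocation
    items = parse_items(cmd)                                         # 320: generate items
    items["ikeProfile"]["localEndpoint"] = address                   # bind them to the address
    errors = validate(items)                                         # 325: pre-boot validation
    if errors:
        return errors
    cloud["items"][interface] = attach_indicator(items, key)         # 330/335: store in cloud
    return first_device_boot(cloud, interface, key)
```

With a plain flag instead of the HMAC, anyone able to write to the cloud store could mark unvalidated items as validated, so the node's decision to skip its own check should rest on something it can verify.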
According to the embodiments of the present disclosure, there is provided a solution of offline network security configuration, which is beneficial to a massive network deployment. In the offline process, the network addresses are pre-allocated for the various interfaces of the network nodes, and the network security configuration items are validated before the boot-up of the network nodes. As such, the network security configuration items can take effect on the network nodes immediately once they are booted up. In addition, since the network security configuration items are stored in the cloud, the network nodes have no need to obtain them from the network management device 220, which facilitates the network security configuration for the network system.
FIG. 4 shows a flowchart of an example method 400 of network security configuration according to some example embodiments of the present disclosure. The method 400 can be implemented at a network device, e.g., the first device 210 described with reference to FIG. 2.
Upon boot-up, the first device 210 receives, at 410, a network address for the first device 210 from the cloud device 230. The network address may correspond to at least one interface of the first device 210, including but not limited to the F1, X2 and S1 interfaces and so on. In some example embodiments, the network addresses are allocated dynamically or statically by the cloud device 230 before the boot-up of the first device 210.
At 420, the first device 210 receives the network security configuration items from the cloud device 230. The network security configuration items have been validated by the network management device 220 with a set of validation rules associated with the first device 210. In some example embodiments, the network security configuration items are generated and validated by the network management device 220 before the boot-up of the first device 210.
In some example embodiments, the set of validation rules may be associated with at least one of hardware configurations of the first device 210, a processing capability of the first device 210, or a dependency relationship between the security tunnel with the second device and a further tunnel, and so on. In the context of the present disclosure, the first device 210 may be any one of the first devices 210-C and 210-1 to 210-N, and the second device may be a further one of the first devices 210-C and 210-1 to 210-N.
At 430, the first device 210 establishes the security tunnel with the second device based on the network address and the network security configuration items. In some example embodiments, the security tunnel may be established without checking validity of the network security configuration items by the first device 210.
In the above embodiments, the first device 210 may determine whether the network security configuration items include an indication that the network security configuration items are validated by the network management device 220. If the network security configuration items include such an indication, the first device 210 may determine that the validation check has been performed by the network management device 220, and thus no more validation check is required. In this case, the first device 210 may establish the security tunnel without checking the validity of the security configuration items.
In some example embodiments, the first device 210 is one of a distribution network device and a centralized network device at an access network side, and the second device is the other one of the distribution and centralized network devices.
According to the embodiments of the present disclosure, there is provided an offline network security configuration process. With the pre-allocated network address as well as the validated network security configurations, the network devices (e.g., gNBs) are capable of putting the network security configurations into effect immediately once booted up. Therefore, the time consumption for network security configuration of the network system can be shortened. Moreover, the performance and maintenance of the network system can be improved.
FIG. 5 shows a flowchart of an example method 500 of network security configuration according to some example embodiments of the present disclosure. The method 500 can be implemented at an electronic management device, e.g., the network management device 220 described with reference to FIG. 2.
At 510, the network management device 220 receives a network address for the first device 210 from the cloud device 230. In some example embodiments, the network management device 220 may transmit a network address allocation request to the cloud device 230, and receive the network address in response.
At 520, the network management device 220 generates the network security configuration items for the network address. In some example embodiments, the network security configuration items are generated before a boot-up of the first device.
The network security configuration items may include security configuration data and parameters associated with the security tunnel between the first device 210 and a second device. In the context of the present disclosure, the first device 210 may be any one of the first devices 210-C and 210-1 to 210-N, and the second device may be a further one of the first devices 210-C and 210-1 to 210-N.
At 530, the network management device 220 checks a validity of the network security configuration items with a set of validation rules associated with the first device 210. In the example embodiments, the network security configuration items are validated before a boot-up of the first device 210.
In some example embodiments, the network management device 220 may obtain the set of validation rules from the first device 210. For example, the set of validation rules may be obtained from the network operator of the first device 210, or alternatively, from a third party.
In some example embodiments, the set of validation rules are associated with at least one of hardware configurations of the first device 210, a processing capability of the first device 210, or a dependency relationship between a security tunnel with the second device and a further tunnel.
In some example embodiments, the set of validation rules may be a plugin specific to the first device 210 for checking the validity of the network security configuration items. In such cases, the network management device 220 may call a corresponding plugin when needed.
If the network security configuration items are validated at 530, the network management device 220 transmits the network security configuration items to the cloud device 230. In some example embodiments, if the network security configuration items are validated at 530, the network management device 220 may include an indicator in the network security configuration items, and the indicator indicates that the network security configuration items are validated by the network management device 220.
In some example embodiments, the first device 210 is one of a distribution network device and a centralized network device at an access network side.
According to the example embodiments of the present disclosure, the network management device 220 of the network system 200 generates and checks the network security configuration items before the establishment of the security tunnels. As such, the network security configuration can be performed in an offline manner, which can largely reduce the time consumption, and improve the network performance.
FIG. 6 shows a flowchart of an example method 600 of network security configuration according to some example embodiments of the present disclosure. The method 600 can be implemented at an electronic device in cloud, e.g., the cloud device 230 described with reference to FIG. 2.
At 610, the cloud device 230 allocates a network address for the first device 210. The network address is allocated before a boot-up of the first device 210. In some example embodiments, the cloud device 230 may receive a network address allocation request from the network management device 220 and allocate the network address.
In some example embodiments, the network address may correspond to at least one interface of the first device 210, which includes but is not limited to the F1, X2 and S1 interfaces and so on. The cloud device 230 may store the allocated network addresses locally. At 620, the cloud device 230 transmits the network address to the network management device 220.
At 630, the cloud device 230 receives network security configuration items for the network address from the network management device 220. In the example embodiments, the network security configuration items are validated by the network management device 220 with a set of validation rules associated with the first device 210.
In some example embodiments, the cloud device 230 may detect that the first device 210 is booted up. At 640, the cloud device 230 transmits the network address to the first device 210.
At 650, the cloud device 230 transmits the network security configuration items to the first device 210. With the network address and the network security configuration items, the first device 210 may perform the network security configuration, for example, establish a security tunnel with the second device immediately without performing any validation check. In the context of the present disclosure, the first device 210 may be any one of the first devices 210-C and 210-1 to 210-N, and the second device may be a further one of the first devices 210-C and 210-1 to 210-N.
According to the example embodiments, the cloud device 230 is adopted to pre-allocate the network address and to store it together with the network security configuration items. Since the cloud device 230 is flexibly deployed in the network system 200, after being booted up, the network nodes (such as CU and DU nodes) are able to obtain the network address and the network security configuration items locally, instead of obtaining them from the network management device 220. Further, the network security configuration items can take effect immediately, as the validation check has been performed before the boot-up of the network nodes.
In some example embodiments, a first apparatus capable of performing the method 400 (for example, the first device 210) may comprise means for performing the respective steps of the method 400. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The first apparatus may be implemented as or included in the first device 210. In some embodiments, the means may comprise at least one processor and at least one memory including computer program code. The at least one memory and computer program code are configured to, with the at least one processor, cause performance of the first apparatus.
In some example embodiments, the first apparatus comprises: means for receiving, from a cloud device, a network address for the first apparatus; means for receiving, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first apparatus; and means for establishing, based on the network address and the network security configuration items, a security tunnel with a second device.
In some example embodiments, the network address corresponds to at least one interface of the first apparatus and is allocated by the cloud device before a boot-up of the first apparatus.
In some example embodiments, the network security configuration items are generated and validated by the network management device before a boot-up of the first apparatus.
In some example embodiments, the security tunnel is established without checking validity of the network security configuration items by the first apparatus.
In some example embodiments, the means for establishing the security tunnel comprises: means for in accordance with a determination that the network security configuration items comprise an indication that the network security configuration items are validated by the network management device, establishing the security tunnel without checking the validity of the security configuration items.
In some example embodiments, a set of validation rules are associated with at least one of the following: hardware configurations of the first apparatus, a processing capability of the first apparatus, or a dependency relationship between the security tunnel with the second device and a further tunnel.
In some example embodiments, the first apparatus is one of a distribution network device and a centralized network device at an access network side, and the second device is the other one of the distribution and centralized network devices.
In some example embodiments, a second apparatus capable of performing the method 500 (for example, the network management device 220) may comprise means for performing the respective steps of the method 500. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The second apparatus may be implemented as or included in the network management device 220. In some embodiments, the means may comprise at least one processor and at least one memory including computer program code. The at least one memory and computer program code are configured to, with the at least one processor, cause performance of the second apparatus.
In some example embodiments, the second apparatus comprises: means for receiving, from a cloud device, a network address for a first device; means for generating the network security configuration items for the network address; means for checking a validity of the network security configuration items with a set of validation rules associated with the first device; and means for in accordance with a determination that the network security configuration items are validated, transmitting the network security configuration items to the cloud device.
In some example embodiments, the second apparatus further comprises: means for obtaining the set of validation rules from the first device.
In some example embodiments, the second apparatus further comprises: means for in accordance with a determination that the network security configuration items are validated, including an indicator in the network security configuration items, the indicator indicating that the network security configuration items are validated by the second apparatus.
In some example embodiments, the set of validation rules is associated with at least one of the following: hardware configurations of the first device, a processing capability of the first device, or a dependency relationship between a security tunnel with a second device and a further tunnel.
In some example embodiments, the set of validation rules comprises a plugin for checking the validity of the network security configuration items.
In some example embodiments, the network security configuration items are generated before a boot-up of the first device.
In some example embodiments, the network security configuration items are validated before a boot-up of the first device.
In some example embodiments, the first device is one of a distribution network device and a centralized network device at an access network side, and the second apparatus comprises a network management device.
In some example embodiments, a third apparatus capable of performing the method 600 (for example, the cloud device 230) may comprise means for performing the respective steps of the method 600. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The third apparatus may be implemented as or included in the cloud device 230. In some embodiments, the means may comprise at least one processor and at least one memory including computer program code. The at least one memory and computer program code are configured to, with the at least one processor, cause performance of the third apparatus.
In some example embodiments, the third apparatus comprises: means for allocating a network address for a first device; means for transmitting the network address to a network management device; means for receiving, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; means for transmitting the network address to the first device; and means for transmitting the network security configuration items to the first device.
In some example embodiments, the network address corresponds to at least one interface of the first device and is allocated by the third apparatus before a boot-up of the first device.
In some example embodiments, the means for transmitting the network address comprises: means for in accordance with a determination that the first device is booted up, transmitting the network address to the first device.
In some example embodiments, the means for transmitting the network security configuration items comprises: means for in accordance with a determination that the first device is booted up, transmitting the network security configuration items to the first device.
In some example embodiments, the first device is one of a distribution network device and a centralized network device at an access network side, and the third apparatus is a cloud device.
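The three-party procedure set out above (the first device of method 400, the network management device of method 500 and the cloud device of method 600) can be run end to end in a few dozen lines. The following Python is an added example written for this page, not code from the patent or its applicant. It assumes a JSON encoding of the configuration items, a constructed device profile and address pool, and three constructed validation plugins standing in for the hardware, processing-capability and tunnel-dependency rules. One design choice goes beyond the text: because the first device establishes the tunnel without re-checking validity whenever the items carry the "validated" indicator, a bare flag would let anyone on the cloud-to-device path mark unvalidated items as validated, so here the indicator is an HMAC-SHA256 tag over the canonical items under a key assumed to be shared between the network management device and the first device.

```python
"""Offline security-configuration flow: network management (NM) device, cloud
device, first device. Constructed example; item format, rule logic and the form
of the 'validated' indicator are assumptions, not taken from the patent."""
import hashlib
import hmac
import json

# Assumption: NM and the first device share a key provisioned out of band, so the
# indicator is a keyed MAC over the items rather than a bare flag anyone could set.
DEVICE_KEY = b"constructed-per-device-key"

# Constructed inventory the NM holds for the first device (not from the patent).
DEVICE_PROFILE = {
    "interfaces": ["eth0", "eth1"],
    "ciphers": ["aes-gcm-256", "aes-gcm-128"],
    "max_tunnels": 4,
    "existing_tunnels": ["t-oam"],
}

def canonical(items):
    """Deterministic serialization so both ends MAC identical bytes."""
    return json.dumps(items, sort_keys=True, separators=(",", ":")).encode()

# Validation rules as plugins: each returns None or an error string.
def rule_hardware(items, profile):
    if items["local_interface"] not in profile["interfaces"]:
        return f"unknown interface {items['local_interface']}"
    return None

def rule_capability(items, profile):
    if items["cipher"] not in profile["ciphers"]:
        return f"cipher {items['cipher']} not supported"
    if len(profile["existing_tunnels"]) + 1 > profile["max_tunnels"]:
        return "tunnel budget exceeded"
    return None

def rule_dependency(items, profile):
    # The new tunnel may depend only on tunnels that already exist, never on itself.
    for dep in items.get("depends_on", []):
        if dep == items["tunnel_id"]:
            return "tunnel depends on itself"
        if dep not in profile["existing_tunnels"]:
            return f"dependency {dep} does not exist"
    return None

RULES = [rule_hardware, rule_capability, rule_dependency]

def nm_generate(address, peer, cipher="aes-gcm-256", depends_on=("t-oam",)):
    """NM device: configuration items for the address the cloud allocated."""
    return {"tunnel_id": "t-f1", "local_address": address, "peer_address": peer,
            "local_interface": "eth0", "cipher": cipher, "depends_on": list(depends_on)}

def nm_validate(items, profile=DEVICE_PROFILE, key=DEVICE_KEY):
    """Run every rule; on success attach the indicator (MAC over the items)."""
    errors = [err for err in (rule(items, profile) for rule in RULES) if err]
    if errors:
        return None, errors
    tag = hmac.new(key, canonical(items), hashlib.sha256).hexdigest()
    return {**items, "validated_by_nm": tag}, []

class Cloud:
    """Cloud device: allocates the address before boot, relays items after boot."""
    def __init__(self):
        self.pool = iter(["10.0.0.11", "10.0.0.12"])  # constructed address pool
        self.staged = {}

    def allocate(self, device_id):
        self.staged[device_id] = {"address": next(self.pool), "items": None}
        return self.staged[device_id]["address"]

    def store(self, device_id, items):
        self.staged[device_id]["items"] = items

    def deliver(self, device_id, booted):
        return self.staged[device_id] if booted else None

def device_establish(delivery, key=DEVICE_KEY):
    """First device: accept the indicator only if it verifies; then skip re-validation."""
    items = dict(delivery["items"])
    tag = items.pop("validated_by_nm", None)
    expected = hmac.new(key, canonical(items), hashlib.sha256).hexdigest()
    if tag is None or not hmac.compare_digest(tag, expected):
        raise ValueError("items not validated by the network management device")
    return f"tunnel {items['tunnel_id']} {delivery['address']}->{items['peer_address']} {items['cipher']}"

def run_flow(cipher="aes-gcm-256", depends_on=("t-oam",)):
    cloud = Cloud()
    address = cloud.allocate("du-1")  # before the first device boots
    validated, errors = nm_validate(nm_generate(address, "10.0.0.1", cipher, depends_on))
    if errors:
        return "rejected", errors
    cloud.store("du-1", validated)
    if cloud.deliver("du-1", booted=False) is not None:  # nothing leaves the cloud pre-boot
        raise RuntimeError("delivered before boot")
    return "established", device_establish(cloud.deliver("du-1", booted=True))

if __name__ == "__main__":
    for kwargs in ({}, {"cipher": "3des"}, {"depends_on": ("t-missing",)}):
        print(run_flow(**kwargs))
```

Running the module shows one accepted configuration and two rejections at the network management device (an unsupported cipher, and a dependency on a tunnel that does not exist). A delivery whose items were altered after validation, or that carries no indicator at all, is refused by device_establish before any tunnel is set up, which is the property a bare "validated" flag cannot give.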
FIG. 7 is a simplified block diagram of a device 700 that is suitable for implementing embodiments of the present disclosure. The device 700 may be provided to implement the communication device, for example the first device 210, the network management device 220 or the cloud device 230 as shown in FIG. 2. As shown, the device 700 includes one or more processors 710, one or more memories 720 coupled to the processor 710, and one or more transmitters and receivers (TX/RX) 740 coupled to the processor 710.
The TX/RX 740 is for bidirectional communications. The TX/RX 740 has at least one antenna to facilitate communication. The communication interface may represent any interface that is necessary for communication with other network elements.
The processor 710 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 700 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
The memory 720 may include one or more non-volatile memories and one or more volatile memories. Examples of the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 724, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), and other magnetic storage and/or optical storage. Examples of the volatile memories include, but are not limited to, a random access memory (RAM) 722 and other volatile memories that do not retain their contents when power is removed.
A computer program 730 includes computer executable instructions that are executed by the associated processor 710. The program 730 may be stored in the ROM 724. The processor 710 may perform any suitable actions and processing by loading the program 730 into the RAM 722.
The embodiments of the present disclosure may be implemented by means of the program 730 so that the device 700 may perform any process of the disclosure as discussed with reference to FIGs. 4-6. The embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
In some embodiments, the program 730 may be tangibly contained in a computer readable medium which may be included in the device 700 (such as in the memory 720) or other storage devices that are accessible by the device 700. The device 700 may load the program 730 from the computer readable medium to the RAM 722 for execution. The computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like. FIG. 8 shows an example of the computer readable medium 800 in form of CD or DVD. The computer readable medium has the program 730 stored thereon.
Generally, various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, device, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium. The computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the methods 400, 500 and 600 as described above with reference to FIGs. 4-6. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various embodiments. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing device, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented. The program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present disclosure, the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above. Examples of the carrier include a signal, computer readable medium, and the like.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.
Although the present disclosure has been described in language specific to structural features and/or methodological acts, it is to be understood that the present disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
Claims (46)
- A first device comprising: at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device at least to: receive, from a cloud device, a network address for the first device; receive, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first device; and establish, based on the network address and the network security configuration items, a security tunnel with a second device.
- The first device of Claim 1, wherein the network address corresponds to at least one interface of the first device and is allocated by the cloud device before a boot-up of the first device.
- The first device of Claim 1, wherein the network security configuration items are generated and validated by the network management device before a boot-up of the first device.
- The first device of Claim 1, wherein the security tunnel is established without checking validity of the network security configuration items by the first device.
- The first device of Claim 4, wherein the first device is caused to establish the security tunnel by: in accordance with a determination that the network security configuration items comprise an indication that the network security configuration items are validated by the network management device, establishing the security tunnel without checking the validity of the security configuration items.
- The first device of Claim 1, wherein a set of validation rules are associated with at least one of the following: hardware configurations of the first device, a processing capability of the first device, or a dependency relationship between the security tunnel with the second device and a further tunnel.
- The first device of any of Claims 1 to 6, wherein the first device is one of a distribution network device and a centralized network device at an access network side, and wherein the second device is the other one of the distribution and centralized network devices.
- An electronic device comprising: at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the electronic device at least to: receive, from a cloud device, a network address for a first device; generate the network security configuration items for the network address; check a validity of the network security configuration items with a set of validation rules associated with the first device; and in accordance with a determination that the network security configuration items are validated, transmit the network security configuration items to the cloud device.
- The electronic device of Claim 8, wherein the electronic device is further caused to: obtain the set of validation rules from the first device.
- The electronic device of Claim 8, wherein the electronic device is further caused to: in accordance with a determination that the network security configuration items are validated, include an indicator in the network security configuration items, the indicator indicating that the network security configuration items are validated by the electronic device.
- The electronic device of Claim 8, wherein the set of validation rules are associated with at least one of the following: hardware configurations of the first device, a processing capability of the first device, or a dependency relationship between a security tunnel with a second device and a further tunnel.
- The electronic device of Claim 8, wherein the set of validation rules comprise a plugin for checking the validity of the network security configuration items.
- The electronic device of Claim 8, wherein the network security configuration items are generated before a boot-up of the first device.
- The electronic device of Claim 8, wherein the network security configuration items are validated before a boot-up of the first device.
- The electronic device of any of Claims 8 to 14, wherein the first device is one of a distribution network device and a centralized network device at an access network side, and the electronic device comprises a network management device.
- An electronic device comprising: at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the electronic device at least to: allocate a network address for a first device; transmit the network address to a network management device; receive, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; transmit the network address to the first device; and transmit the network security configuration items to the first device.
- The electronic device of Claim 16, wherein the network address corresponds to at least one interface of the first device and is allocated by the electronic device before a boot-up of the first device.
- The electronic device of Claim 16, wherein the electronic device is caused to transmit the network address by: in accordance with a determination that the first device is booted up, transmitting the network address to the first device.
- The electronic device of Claim 16, wherein the electronic device is caused to transmit the network security configuration items by: in accordance with a determination that the first device is booted up, transmitting the network security configuration items to the first device.
- The electronic device of any of Claims 16-19, wherein the first device is one of a distribution network device and a centralized network device at an access network side, and the electronic device is a cloud device.
- A method comprising: receiving, at a first device and from a cloud device, a network address for the first device; receiving, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first device; and establishing, based on the network address and the network security configuration items, a security tunnel with a second device.
- The method of Claim 21, wherein the network address corresponds to at least one interface of the first device and is allocated by the cloud device before a boot-up of the first device.
- The method of Claim 21, wherein the network security configuration items are generated and validated by the network management device before a boot-up of the first device.
- The method of Claim 21, wherein the security tunnel is established without checking validity of the network security configuration items by the first device.
- The method of Claim 24, wherein establishing the security tunnel comprises: in accordance with a determination that the network security configuration items comprise an indication that the network security configuration items are validated by the network management device, establishing the security tunnel without checking the validity of the security configuration items.
- The method of Claim 21, wherein a set of validation rules are associated with at least one of the following: hardware configurations of the first device, a processing capability of the first device, or a dependency relationship between the security tunnel with the second device and a further tunnel.
- The method of any of Claims 21 to 26, wherein the first device is one of a distribution network device and a centralized network device at an access network side, and the second device is the other one of the distribution and centralized network devices.
- A method comprising: receiving, at an electronic device and from a cloud device, a network address for a first device; generating the network security configuration items for the network address; checking a validity of the network security configuration items with a set of validation rules associated with the first device; and in accordance with a determination that the network security configuration items are validated, transmitting the network security configuration items to the cloud device.
- The method of Claim 28, further comprising: obtaining the set of validation rules from the first device.
- The method of Claim 28, further comprising: in accordance with a determination that the network security configuration items are validated, including an indicator in the network security configuration items, the indicator indicating that the network security configuration items are validated by the electronic device.
- The method of Claim 28, wherein the set of validation rules are associated with at least one of the following: hardware configurations of the first device, a processing capability of the first device, or a dependency relationship between a security tunnel with a second device and a further tunnel.
- The method of Claim 28, wherein the set of validation rules comprise a plugin for checking the validity of the network security configuration items.
- The method of Claim 28, wherein the network security configuration items are generated before a boot-up of the first device.
- The method of Claim 28, wherein the network security configuration items are validated before a boot-up of the first device.
- The method of any of Claims 28 to 34, wherein the first device is one of a distribution network device and a centralized network device at an access network side, and the electronic device comprises a network management device.
- A method comprising: allocating, at an electronic device, a network address for a first device; transmitting the network address to a network management device; receiving, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; transmitting the network address to the first device; and transmitting the network security configuration items to the first device.
- The method of Claim 36, wherein the network address corresponds to at least one interface of the first device and is allocated by the electronic device before a boot-up of the first device.
- The method of Claim 36, wherein transmitting the network address comprises: in accordance with a determination that the first device is booted up, transmitting the network address to the first device.
- The method of Claim 36, wherein transmitting the network security configuration items comprises: in accordance with a determination that the first device is booted up, transmitting the network security configuration items to the first device.
- The method of any of Claims 36-39, wherein the first device is one of a distribution network device and a centralized network device at an access network side, and the electronic device is a cloud device.
- A first apparatus comprising: means for receiving, from a cloud device, a network address for the first apparatus; means for receiving, from the cloud device, network security configuration items validated by a network management device with a set of validation rules associated with the first apparatus; and means for establishing, based on the network address and the network security configuration items, a security tunnel with a second device.
- A second apparatus comprising: means for receiving, from a cloud device, a network address for a first device; means for generating the network security configuration items for the network address; means for checking a validity of the network security configuration items with a set of validation rules associated with the first device; and means for, in accordance with a determination that the network security configuration items are validated, transmitting the network security configuration items to the cloud device.
- A third apparatus comprising: means for allocating a network address for a first device; means for transmitting the network address to a network management device; means for receiving, from the network management device, network security configuration items for the network address, the network security configuration items validated by the network management device with a set of validation rules associated with the first device; means for transmitting the network address to the first device; and means for transmitting the network security configuration items to the first device.
- A non-transitory computer readable medium comprising program instructions for causing an apparatus to perform at least the method of any of claims 21-27.
- A non-transitory computer readable medium comprising program instructions for causing an apparatus to perform at least the method of any of claims 28-35.
- A non-transitory computer readable medium comprising program instructions for causing an apparatus to perform at least the method of any of claims 36-40.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202180095569.9A CN117063441A (en) | 2021-03-12 | 2021-03-12 | Offline network security configuration |
PCT/CN2021/080492 WO2022188160A1 (en) | 2021-03-12 | 2021-03-12 | Offline network security configuration |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/080492 WO2022188160A1 (en) | 2021-03-12 | 2021-03-12 | Offline network security configuration |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022188160A1 (en) | 2022-09-15 |
Family
ID=83226223
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/080492 WO2022188160A1 (en) | 2021-03-12 | 2021-03-12 | Offline network security configuration |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117063441A (en) |
WO (1) | WO2022188160A1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050238009A1 (en) * | 2004-04-26 | 2005-10-27 | Intel Corporation | Address validating data structure used for validating addresses |
CN102711106A (en) * | 2012-05-21 | 2012-10-03 | 中兴通讯股份有限公司 | Method and system for establishing IPSec (internet protocol security) tunnel |
CN108540559A (en) * | 2018-04-16 | 2018-09-14 | 北京航空航天大学 | A kind of SDN controllers for supporting IPSec VPN load balancing |
WO2019137519A1 (en) * | 2018-01-12 | 2019-07-18 | 华为技术有限公司 | Duplication-mode communication processing method and device under cu-du architecture |
US20210051182A1 (en) * | 2019-08-13 | 2021-02-18 | Hewlett Packard Enterprise Development Lp | Multiple level validation |
Application Events (2021)
- 2021-03-12 WO PCT/CN2021/080492 patent/WO2022188160A1/en active Application Filing
- 2021-03-12 CN CN202180095569.9A patent/CN117063441A/en active Pending
Non-Patent Citations (2)
Title |
---|
L. Dunbar (Futurewei), A. Malis (Malis Consulting), C. Jacquenet (Orange), M. Toy (Verizon): "Dynamic Networks to Hybrid Cloud DCs Problem Statement", draft-ietf-rtgwg-net2cloud-problem-statement-11, IETF Internet-Draft (Network Working Group), Internet Society (ISOC), Geneva, 26 July 2020, pages 1-19, XP015141144 * |
Li, Zeguang et al.: "Study and Implementation of the IPsec Security Architecture", Wangluo Anquan Jishu yu Yingyong (Network Security Technology & Application), Beijing Daxue Chubanshe, CN, vol. 2, 31 December 2005, pages 38-41, XP009540749, ISSN 1009-6833 * |
Also Published As
Publication number | Publication date |
---|---|
CN117063441A (en) | 2023-11-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 202180095569.9; Country of ref document: CN |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 21929634; Country of ref document: EP; Kind code of ref document: A1 |