WO2022267994A1 - Communication system and method, apparatus, first device, second device and storage medium - Google Patents

Info

Publication number
WO2022267994A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
configuration
applications
edge computing
computing platform
Prior art date
Application number
PCT/CN2022/099569
Other languages
English (en)
Chinese (zh)
Inventor
唐小勇
尚宇翔
韩延涛
游正朋
朱磊
柯罗
Original Assignee
中移(成都)信息通信科技有限公司
中国移动通信集团有限公司
Application filed by 中移(成都)信息通信科技有限公司 and 中国移动通信集团有限公司
Publication of WO2022267994A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/40: Network security protocols

Definitions

  • the present application relates to the communication field, and in particular to a communication system, method, device, first device, second device and storage medium.
  • the fifth-generation mobile communication technology has many advantages such as large bandwidth, low latency, high reliability, massive connectivity and ubiquitous coverage, thereby promoting the rapid development and transformation of vertical industries such as smart healthcare, smart education and smart agriculture.
  • MEC: mobile edge computing
  • IT: information technology
  • API: application programming interface
  • the combination of 5G and MEC can introduce different technology combinations for different industry demand scenarios, such as quality of service (QoS), end-to-end network slicing, network capability exposure, edge cloud, etc., so as to provide customized solutions.
  • QoS: quality of service
  • embodiments of the present application provide a communication method, device, related equipment, and storage medium.
  • An embodiment of the present application provides a communication system, including: a first device, a second device, and a third device; wherein,
  • the first device is configured to receive first information from the second device, and to provide security management functions for applications on the edge computing platform based on the first information and the security policy; the first information is used to configure applications on the edge computing platform;
  • the second device is configured to send the first information to the first device based on second information from the third device; the second information is used to orchestrate applications on the edge computing platform.
  • the security policy includes at least one of the following:
  • a first security level indicating that configuration of all applications on the edge computing platform is rejected;
  • a second security level indicating that configuration of some applications on the edge computing platform is allowed;
  • a third security level indicating that configuration of all applications on the edge computing platform is allowed.
  • the first device is further configured to send third information to the second device; the third information is used to indicate whether the configuration of the first information is successful;
  • the second device is further configured to send fourth information to a third device based on the third information; the fourth information is used to indicate whether the configuration of the second information is successful.
  • the first information includes configuration information for at least one of the following:
  • a first configuration strategy for the operating permissions of different applications;
  • a second configuration strategy for the routing rules of different applications;
  • a third configuration strategy for the Domain Name System (DNS) of different applications;
  • a fourth configuration strategy for the life cycles of different applications.
  • the second information includes at least one of the following:
  • the third device is further configured to receive first access authentication information from the first device, and to send first authentication response information to the first device; the first authentication response information includes at least the identity of the first device.
  • the third device is further configured to receive second access authentication information from the second device, and to send second authentication response information to the second device; the second authentication response information includes at least the identity of the second device;
  • the third device is further configured to send the identity of the first device to the second device.
  • the number of the first device is one or more.
  • An embodiment of the present application provides a communication method, which is applied to a first device, and the method includes:
  • the first information is used to configure applications on the edge computing platform
  • a security management function is provided for applications on the edge computing platform based on the first information and the security policy.
  • the security policy includes at least one of the following:
  • a first security level indicating that configuration of all applications on the edge computing platform is rejected;
  • a second security level indicating that configuration of some applications on the edge computing platform is allowed;
  • a third security level indicating that configuration of all applications on the edge computing platform is allowed.
  • the method also includes:
  • the third information is used to indicate whether the configuration of the first information is successful.
  • the first information includes configuration information for at least one of the following:
  • a first configuration strategy for the operating permissions of different applications;
  • a second configuration strategy for the routing rules of different applications;
  • a third configuration strategy for the Domain Name System (DNS) of different applications;
  • a fourth configuration strategy for the life cycles of different applications.
  • the method also includes:
  • An embodiment of the present application provides a communication method, which is applied to a second device, and the method includes:
  • the second information is used to arrange applications on the edge computing platform
  • the first information includes configuration information for at least one of the following:
  • a first configuration strategy for the operating permissions of different applications;
  • a second configuration strategy for the routing rules of different applications;
  • a third configuration strategy for the Domain Name System (DNS) of different applications;
  • a fourth configuration strategy for the life cycles of different applications.
  • the second information includes at least one of the following:
  • the security policy includes at least one of the following:
  • a first security level indicating that configuration of all applications on the edge computing platform is rejected;
  • a second security level indicating that configuration of some applications on the edge computing platform is allowed;
  • a third security level indicating that configuration of all applications on the edge computing platform is allowed.
  • the method also includes:
  • the third information is used to indicate whether the configuration of the first information is successful
  • the fourth information is used to indicate whether the configuration of the second information is successful.
  • the method also includes:
  • the method further includes: receiving an identity of the first device.
  • An embodiment of the present application provides a communication device, which is set on the first device, including:
  • the first communication unit is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;
  • the first processing unit is configured to provide security management functions for applications on the edge computing platform based on the first information and the security policy.
  • the security policy includes at least one of the following:
  • a first security level indicating that configuration of all applications on the edge computing platform is rejected;
  • a second security level indicating that configuration of some applications on the edge computing platform is allowed;
  • a third security level indicating that configuration of all applications on the edge computing platform is allowed.
  • the first communication unit is further configured to send third information to the second device; the third information is used to indicate whether the configuration of the first information is successful.
  • the first information includes configuration information for at least one of the following:
  • a first configuration strategy for the operating permissions of different applications;
  • a second configuration strategy for the routing rules of different applications;
  • a third configuration strategy for the Domain Name System (DNS) of different applications;
  • a fourth configuration strategy for the life cycles of different applications.
  • the first communication unit is further configured to send the first access authentication information to the third device;
  • An embodiment of the present application provides a first device, including: a first processor and a first communication interface; wherein,
  • the first communication interface is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;
  • the first processor is configured to provide security management functions for applications on the edge computing platform based on the first information and security policies.
  • An embodiment of the present application provides a communication device, which is set on the second device, including:
  • the second communication unit is configured to receive second information from the third device; the second information is used to arrange applications on the edge computing platform;
  • the second processing unit is configured to send first information to the first device based on the second information; the first information is used to instruct the first device to configure applications on the edge computing platform based on the first information and the security policy.
  • the first information includes configuration information for at least one of the following:
  • a first configuration strategy for the operating permissions of different applications;
  • a second configuration strategy for the routing rules of different applications;
  • a third configuration strategy for the Domain Name System (DNS) of different applications;
  • a fourth configuration strategy for the life cycles of different applications.
  • the second information includes at least one of the following:
  • the security policy includes at least one of the following:
  • a first security level indicating that configuration of all applications on the edge computing platform is rejected;
  • a second security level indicating that configuration of some applications on the edge computing platform is allowed;
  • a third security level indicating that configuration of all applications on the edge computing platform is allowed.
  • the second communication unit is further configured to receive third information from the first device; the third information is used to indicate whether the configuration of the first information is successful;
  • the second communication unit is further configured to send second access authentication information to the third device, and to receive second authentication response information from the third device; the second authentication response information includes at least the identity of the second device;
  • An embodiment of the present application provides a second device, including: a second processor and a second communication interface; wherein,
  • the second communication interface is configured to receive second information from a third device; the second information is used to arrange applications on the edge computing platform;
  • the second processor is configured to send first information to the first device based on the second information; the first information is used to instruct the first device to configure applications on the edge computing platform based on the first information and the security policy.
  • An embodiment of the present application provides a network device, including: a processor and a memory configured to store a computer program that can run on the processor,
  • the processor is configured to execute the steps of any one of the methods described above on the first device side when running the computer program; or,
  • the processor is configured to execute the steps of any one of the methods described above on the second device side when running the computer program.
  • An embodiment of the present application provides a storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of any one of the methods described above on the first device side are implemented; or,
  • in the communication system, method, device, first device, second device and storage medium provided in the embodiments of the present application, the system includes the first device, the second device and the third device; the first device is configured to receive first information from the second device and, based on the first information and the security policy, to provide a security management function for the applications on the edge computing platform; the first information is used to configure applications on the edge computing platform; the second device is configured to send the first information to the first device based on second information from the third device; the second information is used to orchestrate applications on the edge computing platform.
  • the first device provides security management functions for applications on the edge computing platform based on the security policy, so that the first device can determine, according to the security policy, whether to carry out the orchestration indicated by the first information; this improves the security management and control capability for configuring applications on edge computing platforms.
  • FIG. 1 is a schematic diagram of the system structure of an MEC in the related art.
  • FIG. 2 is a schematic structural diagram of the host layer and system layer of an MEC in the related art.
  • FIG. 3 is a schematic structural diagram of a system for 5G industry cloud-network integration according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a communication system according to an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of a communication method according to an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of another communication method according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a communication system of an application embodiment of the present application.
  • FIG. 8 is a schematic flowchart of a communication method in an application embodiment of the present application.
  • FIG. 9 is a schematic diagram of the registration authentication process of an application embodiment of the present application.
  • FIG. 10 is a schematic diagram of the relationship between an MEPM and an L-MEPM according to an embodiment of the present application.
  • FIG. 11 is a schematic diagram of a permission authorization method according to an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a communication device according to an embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of another communication device according to an embodiment of the present application.
  • FIG. 14 is a schematic structural diagram of a first device according to an embodiment of the present application.
  • FIG. 15 is a schematic structural diagram of a second device according to an embodiment of the present application.
  • MEC is a multi-access edge computing platform standard led by the European Telecommunications Standards Institute (ETSI). By connecting to the edge computing platform and virtualizing and servitizing MEC applications, platforms and resources, it provides more efficient business operation services to meet the differentiated processing-capability needs of different businesses.
  • ETSI: European Telecommunications Standards Institute
  • the ETSI standards organization defines the framework of the MEC system as shown.
  • the MEC system mainly includes: MEC system-level (MEC system-level), MEC host level (MEC host level), and network layer (Networks).
  • MEC system layer is responsible for the allocation, recovery and coordination of the entire MEC resources to meet the needs of different services for computing and transmission resources.
  • MEC system-level management supports MEC system-level management functions and host-level management functions.
  • MEC system-level management functions include user application lifecycle management agents, operation support systems, and MEC orchestrators, and MEC host-level management functions can include MEC platform managers and virtualized infrastructure managers.
  • MEC services provided to terminals and third-party customers (such as commercial enterprises) are managed through the MEC management layer.
  • the MEC host layer is used to provide necessary computing, storage and transmission functions for MEC applications and MEC platforms.
  • the network layer is used to provide different network options (such as 3GPP wireless network, non-3GPP wireless network, and wired network) for upper-layer applications, and dynamically adjust routing strategies according to upper-layer signaling to meet the transmission requirements of different services on the network.
  • the MEC host includes: MEC platform and virtual infrastructure (computing, storage, network).
  • the virtual infrastructure includes the data plane, which executes the routing rules received from the MEC platform and forwards traffic between applications (also called MEC apps, MEC applications or MEP applications), services (also called MEC services or MEP services), the DNS service/proxy, the 3GPP network, other access networks, local networks and external networks.
  • the MEP enables the application to provide and invoke the service, and the MEP itself can also provide the service.
  • the application runs on a virtual machine or a container and can provide a variety of services (such as location, wireless network information and traffic management); an application can also use services provided by other applications, for example, the services provided by application A, such as location and traffic management, can be used by application B and application C.
  • the service may be provided by the MEP or a certain application. When a certain service is provided by the application, the service may be registered in the service list of the MEP.
  • MEC platform (MEP), supported functions include:
  • MEC applications can discover, notify, use and provide MEC services, including MEC services provided by other platforms (optional).
  • MEC orchestrator (MEO, MEC orchestrator), also known as MEC application orchestrator (MEAO, MEC application orchestrator), is the core of MEC system layer management.
  • the supported functions include:
  • MEC platform management (MEPM, MEC platform manager), supported functions include:
  • MEC application life cycle management (LCM, Life Cycle Management), such as: notify MEAO of related application events;
  • element management (Element mgmt) of the MEC platform (MEP), including virtual network function (VNF) element management and network service (NS) element management, where the NS information element includes the physical network function (PNF) information element, the virtual link information element and the VNF forwarding graph information element;
  • VNF: Virtualized Network Function
  • NS: Network Service
  • MEC application rules and requirements management (MEC app rules & reqts mgmt), such as service authorization, routing rules, Domain Name System (DNS) configuration and conflict handling;
  • DNS: Domain Name System
  • VIM: Virtualisation Infrastructure Manager
  • the main functions of VIM include: allocating, managing, and releasing virtualized resources of virtualized infrastructure, receiving and storing software images, collecting and reporting performance and fault information of virtualized resources.
  • Mx1, Mx2, Mp1, Mp2, Mp3, Mm1, Mm2, ..., Mm9 in FIG. 2 indicate that the various devices or modules can call interfaces and/or use the corresponding communication protocols to communicate with each other.
  • MEC platform management is generally set on the industry gateway.
  • the data on the MEP can be connected directly to the external network, that is, a third-party network, through the industry gateway.
  • the existing ETSI protocol does not adequately protect data security and cannot adapt to the growing management requirements for data security and privacy protection.
  • the management configuration information (or management configuration data) sent by MEPM to MEP must be subject to strict security control.
  • the MEPM lacks necessary security protection and authorization management mechanism for the management configuration information on the MEP, and the security management control mechanism of the MEPM for the MEP is not clearly defined.
  • the first device is configured to receive the first information from the second device, and provide security management functions for applications on the edge computing platform based on the first information and security policies;
  • the first information is used to configure applications on the edge computing platform;
  • the second device is used to send the first information to the first device based on the second information from the third device;
  • the second information is used to orchestrate applications on the edge computing platform. In this way, the ability to manage and control the configuration of the application for the edge computing platform in the first device can be improved.
  • An embodiment of the present application provides a communication system. As shown in FIG. 4 , the system includes: a first device, a second device, and a third device; wherein,
  • the first device is configured to receive first information from the second device, and to provide security management functions for applications on the edge computing platform based on the first information and the security policy; the first information is used to configure applications on the edge computing platform;
  • the second device is configured to send the first information to the first device based on the second information from the third device; the second information is used to arrange applications on the edge computing platform.
  • the second device is arranged between the first device and the third device.
  • the first device may be a locally set MEPM, which can be understood as a local MEPM set up by the user that can perform local management and configuration of the applications provided by the MEP.
  • the first device can be deployed locally or integrated into the MEP.
  • the embodiment of the present application does not limit the name of the first device, as long as the function of the first device can be realized.
  • the second device may be an MEPM, and the embodiment of the present application does not limit the name of the second device, as long as the functions of the second device can be realized.
  • the third device may be MEO or MEAO, and the embodiment of the present application does not limit the name of the third device, as long as the function of the third device can be realized.
  • the edge computing platform may be called MEP.
  • the orchestration of applications on the edge computing platform can be understood as: implementing by orchestrating the application programs and/or available resources of each application.
  • the security policy includes at least one of the following:
  • a first security level indicating that configuration of all applications on the edge computing platform is rejected;
  • a second security level indicating that configuration of some applications on the edge computing platform is allowed;
  • a third security level indicating that configuration of all applications on the edge computing platform is allowed.
  • the first device saves a security policy, and the security policy is used to set a security level, and manage whether the first device allows configuration of some applications on the edge computing platform through different security levels.
  • the second device may be notified whether the configuration is successful, that is, whether the arrangement is completed.
  • the first device is further configured to send third information to the second device; the third information is used to indicate whether the configuration of the first information is successful;
  • the second device is further configured to send fourth information to a third device based on the third information; the fourth information is used to indicate whether the configuration of the second information is successful.
  • the first information includes configuration information for at least one of the following:
  • a first configuration strategy for the operating permissions of different applications;
  • a second configuration strategy for the routing rules of different applications;
  • a third configuration strategy for the Domain Name System (DNS) of different applications;
  • a fourth configuration strategy for the life cycles of different applications.
  • the second information includes at least one of the following:
  • the application management information may include: management of application packages, such as: loading application packages, enabling application packages, disabling application packages, and the like.
  • the life cycle management information of the application may include: instantiating the application package, operating (using) the application instance, and terminating the application instance.
  • the lifecycle change notification of the application may include: the application is not instantiated, the application has started and is running, and the application stops running.
  • the third device can perform identity authentication on the first device, and can communicate after passing the authentication.
  • the third device is further configured to receive first access authentication information from the first device, and to send first authentication response information to the first device; the first authentication response information includes at least the identity of the first device.
  • the third device can authenticate the identity of the second device, and can communicate after passing the authentication.
  • the third device is further configured to receive second access authentication information from the second device, and to send second authentication response information to the second device; the second authentication response information includes at least the identity of the second device;
  • the third device is further configured to send the identity of the first device to the second device.
  • the number of the first device is one or more.
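As an added illustration that is not part of the patent, the following Python simulation models the first device (local MEPM) gating the first information it receives from the second device (MEPM) under the three security levels and four configuration strategies listed above, returning third information per request and letting the MEPM aggregate fourth information for the third device (MEO); the class names, field names and sample application ids are constructed assumptions.

```python
# Added example, not code from the patent: a simulation of the security gate the
# first device (local MEPM) applies to "first information" from the second device
# (MEPM), and of the "third"/"fourth information" success indications that flow
# back towards the third device (MEO). All names and sample values are constructed.
from dataclasses import dataclass
from enum import Enum


class SecurityLevel(Enum):
    """The three security levels of the stored security policy."""
    REJECT_ALL = 1   # first level: configuration of all applications is rejected
    ALLOW_SOME = 2   # second level: configuration of listed applications only
    ALLOW_ALL = 3    # third level: configuration of all applications is allowed


# The four configuration strategies the first information may carry.
STRATEGIES = ("permissions", "routing", "dns", "lifecycle")


@dataclass(frozen=True)
class SecurityPolicy:
    level: SecurityLevel
    allowed_apps: frozenset = frozenset()   # consulted only at ALLOW_SOME


@dataclass(frozen=True)
class FirstInformation:
    """One configuration request from the MEPM to a local MEPM."""
    app_id: str
    strategy: str
    payload: dict


@dataclass(frozen=True)
class ThirdInformation:
    """Result of one request, returned by the local MEPM to the MEPM."""
    app_id: str
    strategy: str
    success: bool
    reason: str


class LocalMEPM:
    """First device: stores the security policy and gates every configuration."""

    def __init__(self, identity, policy):
        self.identity = identity   # identity assigned by the MEO after authentication
        self.policy = policy
        self.applied = []          # configurations that passed the gate, in order

    def handle(self, info):
        lvl = self.policy.level
        if info.strategy not in STRATEGIES:
            ok, why = False, "unknown configuration strategy"
        elif lvl is SecurityLevel.REJECT_ALL:
            ok, why = False, "level 1: configuration of all applications rejected"
        elif lvl is SecurityLevel.ALLOW_SOME and info.app_id not in self.policy.allowed_apps:
            ok, why = False, "level 2: application not in the allowed set"
        else:
            ok, why = True, "configured"   # level 3, or level 2 with a listed app
        if ok:
            self.applied.append(info)
        return ThirdInformation(info.app_id, info.strategy, ok, why)


class MEPM:
    """Second device: turns the MEO's second information into first information
    for the local MEPMs it knows, and aggregates the replies as fourth information."""

    def __init__(self, local_mepms):
        # identity -> LocalMEPM; the MEO hands these identities to the MEPM
        self.local = {d.identity: d for d in local_mepms}

    def orchestrate(self, second_information):
        details = []
        for item in second_information:   # one entry per application and strategy
            dev = self.local.get(item["target"])
            if dev is None:
                details.append(ThirdInformation(item["app_id"], item["strategy"],
                                                False, "unknown first device"))
                continue
            details.append(dev.handle(FirstInformation(item["app_id"], item["strategy"],
                                                       item["payload"])))
        # fourth information: overall success of the orchestration plus per-request results
        return {"success": all(d.success for d in details), "details": details}


def demo():
    """Constructed scenario: two local MEPMs with different security levels."""
    site_a = LocalMEPM("lmepm-a", SecurityPolicy(SecurityLevel.ALLOW_SOME, frozenset({"app1"})))
    site_b = LocalMEPM("lmepm-b", SecurityPolicy(SecurityLevel.REJECT_ALL))
    mepm = MEPM([site_a, site_b])
    second_information = [   # orchestration issued by the MEO
        {"target": "lmepm-a", "app_id": "app1", "strategy": "routing", "payload": {"dst": "10.0.0.0/8"}},
        {"target": "lmepm-a", "app_id": "app2", "strategy": "dns", "payload": {"name": "svc.example"}},
        {"target": "lmepm-b", "app_id": "app1", "strategy": "lifecycle", "payload": {"op": "instantiate"}},
    ]
    return mepm.orchestrate(second_information)
```

Calling `demo()` returns the aggregated fourth information: only the routing change for `app1` at `lmepm-a` passes, the `app2` DNS change is refused by level 2 and everything at `lmepm-b` is refused by level 1, so the overall success flag is false.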
  • the embodiment of the present application also provides a communication method, which is applied to the first device, as shown in FIG. 5 , the method includes:
  • Step 501: receive first information from a second device; the first information is used to configure applications on the edge computing platform;
  • Step 502: provide security management functions for applications on the edge computing platform based on the first information and the security policy.
  • the first device may be a locally set MEPM, which can be understood as a local MEPM set up by the user that can perform local management and configuration of the applications provided by the MEP.
  • the first device can be deployed locally or integrated into the MEP.
  • the embodiment of the present application does not limit the name of the first device, as long as the function of the first device can be realized.
  • the second device may be an MEPM, and the embodiment of the present application does not limit the name of the second device, as long as the functions of the second device can be realized.
  • the edge computing platform may be called MEP.
  • the security policy includes at least one of the following:
  • a first security level indicating that configuration of all applications on the edge computing platform is rejected;
  • a second security level indicating that configuration of some applications on the edge computing platform is allowed;
  • a third security level indicating that configuration of all applications on the edge computing platform is allowed.
  • the first device saves a security policy, and the security policy is used to set a security level, and whether the configuration for some applications on the edge computing platform is allowed in the first device is managed through different security levels.
  • the first device may request the second device to authenticate itself, and communication may be performed after the authentication is passed.
  • the method further includes: sending third information to the second device;
  • the third information is used to indicate whether the configuration of the first information is successful.
  • the first information includes at least one of the following configuration information:
  • a first configuration strategy concerns the operating permissions of different applications;
  • a second configuration strategy concerns the routing rules of different applications;
  • a third configuration strategy concerns the domain name system (DNS) settings of different applications;
  • a fourth configuration strategy concerns the life cycles of different applications.
  • the first device may request the third device to authenticate it, and communication may be performed after the authentication is passed.
  • the method further includes: sending first access authentication information to the third device, and receiving first authentication response information from the third device, the first authentication response information including at least the identity of the first device.
  • the embodiment of the present application provides another communication method, which is applied to the second device; as shown in FIG. 6, the method includes:
  • Step 601: receive second information from a third device; the second information is used to orchestrate applications on the edge computing platform;
  • Step 602: send first information to the first device based on the second information; the first information is used to instruct the first device to configure applications on the edge computing platform based on the first information and the security policy.
  • the first device may be a locally deployed MEPM, that is, the user sets up a local MEPM that performs local management and configuration of the applications provided by the MEP.
  • the first device can be deployed locally or integrated into the MEP.
  • the embodiment of the present application does not limit the name of the first device, as long as the function of the first device can be realized.
  • the second device may be an MEPM, and the embodiment of the present application does not limit the name of the second device, as long as the functions of the second device can be realized.
  • the third device may be MEO or MEAO, and the embodiment of the present application does not limit the name of the third device, as long as the function of the third device can be realized.
  • the edge computing platform may be called MEP.
  • orchestrating applications on the edge computing platform can be understood as orchestrating the application programs and/or the resources available to each application.
  • the first information includes at least one of the following configuration information:
  • a first configuration strategy concerns the operating permissions of different applications;
  • a second configuration strategy concerns the routing rules of different applications;
  • a third configuration strategy concerns the domain name system (DNS) settings of different applications;
  • a fourth configuration strategy concerns the life cycles of different applications.
  • the second information includes at least one of the following: the identity of the second device; orchestration information for applications on the edge computing platform.
  • the security policy includes at least one of the following:
  • a first security level indicates that configuration of all applications on the edge computing platform is rejected;
  • a second security level indicates that configuration of some applications on the edge computing platform is allowed;
  • a third security level indicates that configuration of all applications on the edge computing platform is allowed.
  • the first device stores the security policy; the security policy sets a security level, and the different security levels govern whether the first device allows configuration of some or all applications on the edge computing platform.
  • the second device can perform identity authentication on the first device, and can communicate after passing the authentication.
  • the method further includes: receiving third information from the first device, and sending fourth information to the third device;
  • the third information is used to indicate whether the configuration of the first information is successful;
  • the fourth information is used to indicate whether the configuration of the second information is successful.
  • the second device can request the third device to authenticate it, and communication can be performed after the authentication is passed.
  • the method further includes: sending second access authentication information to the third device, and receiving second authentication response information from the third device, the second authentication response information including at least the identity of the second device;
  • the method further includes: receiving the identity of the first device from the third device.
  • the first device is called the local MEPM (L-MEPM, Local MEPM); the second device is called the MEPM; the third device is called the MEAO or MEO; the edge computing platform is called the MEP.
  • an L-MEPM deployed on the MEP side is introduced; it is mainly responsible for signaling interaction with the MEPM and/or the MEAO, and for security supervision of the MEP's local management configuration data, as shown in Figure 7.
  • the L-MEPM supports the following functions:
  • the security policy is stored, and the management configuration data from the MEPM (that is, the first information from the second device described above) is managed based on the security policy.
  • the security policy can include three levels: strict, general and loose. For example, at the strict level, the management configuration data from the MEPM cannot configure any application on the MEP; at the general level, the L-MEPM determines whether the management configuration data may configure a given application on the MEP; at the loose level, the L-MEPM only forwards the MEPM's management configuration data (which is determined from the management configuration request of the MEPM) to the MEP for configuring the different applications.
  • the level division can be further subdivided, which is not limited here.
  • MEAO performs orchestration management through MEPM
  • the L-MEPM is locally configured with a security policy that performs data security management and control for the control plane (specifically, the management configuration data of the applications provided by the MEP), so that control-plane data cannot arbitrarily configure the MEP's applications.
  • the communication method includes:
  • Step 801: the MEAO (an example of the third device) sends second information to the MEPM (an example of the second device);
  • the second information includes: the MEPM identity and orchestration information;
  • the second information is used to orchestrate applications on the edge computing platform.
  • Step 802: after receiving the second information, the MEPM sends first information to the L-MEPM (an example of the first device);
  • the first information includes: the L-MEPM identity and management configuration information;
  • the first information is used to configure applications on the edge computing platform.
  • Step 803: after receiving the first information, the L-MEPM checks its local security policy, performs the corresponding operation based on the first information and the security policy, and replies with third information;
  • the local security policy of the L-MEPM includes:
  • L-MEPM rejects all management configuration information for MEP
  • L-MEPM allows some management configuration information for MEP
  • L-MEPM allows all management configuration information for MEP.
  • each application managed by the L-MEPM has a unique identifier; the security policy marks each application's identifier with whether its configuration is permitted, and the L-MEPM checks whether the mark of the application targeted by the management configuration information meets the requirement.
  • the application information on the MEP is partially configured accordingly, and after the configuration is completed, configuration success information is returned to the MEPM;
  • the third information includes: the MEPM identity and management configuration result information, as shown in Table 3.
  • Step 804: after the MEPM receives the third information from the L-MEPM, it returns fourth information to the MEAO;
  • the fourth information is used to describe the result of the orchestration based on the second information.
  • the fourth information may include: the MEAO identity and management configuration result information, as shown in Table 4.
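The following is an added example, not code from the patent, showing how an L-MEPM could carry out Step 803 (and Steps 501/502) against the three-level security policy: strict rejects everything, general allows only applications marked in the policy, loose forwards everything to the MEP. The dictionary field names of the first and third information, the policy representation (a level plus a per-application mark), the configuration type names and the sample application identifiers are assumptions for this illustration; the patent states only which items each message carries, not their encoding.

```python
"""Added example (not code from the patent): an L-MEPM applying the three-level
security policy to management configuration data received from the MEPM.
Field names, policy encoding and sample identifiers are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class SecurityLevel(Enum):
    STRICT = 1   # first level: reject every configuration for the MEP
    GENERAL = 2  # second level: allow configuration of marked applications only
    LOOSE = 3    # third level: forward every configuration to the MEP


# The four configuration strategies named in the patent (type names assumed).
CONFIG_TYPES = {"permissions", "routing", "dns", "lifecycle"}


@dataclass
class SecurityPolicy:
    level: SecurityLevel
    # Used at the GENERAL level only: application identifier -> permitted?
    app_marks: dict = field(default_factory=dict)

    def permits(self, app_id: str) -> bool:
        if self.level is SecurityLevel.STRICT:
            return False
        if self.level is SecurityLevel.LOOSE:
            return True
        # GENERAL: an application with no mark in the policy is not permitted
        # (fail closed), so an unknown application cannot be configured by accident.
        return bool(self.app_marks.get(app_id, False))


class FakeMEP:
    """Stand-in for the edge computing platform; records what was configured."""

    def __init__(self):
        self.applied = []

    def configure(self, app_id: str, cfg_type: str, data: dict) -> bool:
        self.applied.append((app_id, cfg_type, data))
        return True


class LocalMEPM:
    def __init__(self, identity: str, policy: SecurityPolicy, mep: FakeMEP):
        self.identity = identity
        self.policy = policy
        self.mep = mep

    def handle_first_information(self, first_info: dict) -> dict:
        """Step 803: check the local policy, configure what it allows, reply with third information."""
        results = []
        # First information addressed to another L-MEPM is not applied at all.
        if first_info.get("l_mepm_id") != self.identity:
            return {"mepm_id": first_info.get("mepm_id"), "results": results,
                    "error": "identity mismatch"}
        for item in first_info.get("config", []):
            app_id, cfg_type = item["app_id"], item["type"]
            if cfg_type not in CONFIG_TYPES:
                outcome = "rejected: unknown configuration type"
            elif not self.policy.permits(app_id):
                outcome = "rejected: security policy"
            elif self.mep.configure(app_id, cfg_type, item["data"]):
                outcome = "success"
            else:
                outcome = "failed"
            results.append({"app_id": app_id, "type": cfg_type, "result": outcome})
        # Third information: MEPM identity plus the management configuration result.
        return {"mepm_id": first_info["mepm_id"], "results": results}


# Constructed sample of first information from the MEPM (not real traffic).
SAMPLE_FIRST_INFO = {
    "mepm_id": "mepm-01",
    "l_mepm_id": "lmepm-a",
    "config": [
        {"app_id": "app-001", "type": "routing", "data": {"route": "10.1.0.0/16 via ue-gw"}},
        {"app_id": "app-002", "type": "dns", "data": {"name": "svc.local", "addr": "10.2.0.5"}},
        {"app_id": "app-003", "type": "lifecycle", "data": {"action": "terminate"}},
        {"app_id": "app-001", "type": "firmware", "data": {"image": "x"}},
    ],
}


def evaluate(level: SecurityLevel, first_info: dict = SAMPLE_FIRST_INFO) -> dict:
    """Run the sample through an L-MEPM at the given level; at GENERAL only app-001 is marked."""
    policy = SecurityPolicy(level, app_marks={"app-001": True, "app-002": False})
    lmepm = LocalMEPM("lmepm-a", policy, FakeMEP())
    return lmepm.handle_first_information(first_info)


def outcomes(level: SecurityLevel) -> list:
    """Only the per-item result strings, in message order."""
    return [r["result"] for r in evaluate(level)["results"]]


if __name__ == "__main__":
    for lvl in SecurityLevel:
        print(lvl.name, outcomes(lvl))
```

At the general level an application absent from the policy is treated as not permitted rather than as unmarked, and a configuration type outside the four strategies is rejected before the policy is consulted; both choices are this example's, the patent leaves them open.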
  • a unique ID can be used in each embodiment of the application to identify the identity, as in the example of Table 5;
  • the MEPM type can be distinguished by a numeric or string identifier, as in the example of Table 6;
  • Table 6 (reconstructed from the flattened text):
    Data type | Description
    number    | 1 means ordinary MEPM; 2 means L-MEPM
    string    | "1" means ordinary MEPM; "2" means L-MEPM
  • an application example of the management configuration information issued by the MEPM to the L-MEPM is shown in Table 8;
  • an application example of the reply information from the L-MEPM to the MEPM, that is, the third information, is shown in Table 9;
  • an application example of the reply information from the MEPM to the MEAO, that is, the fourth information, is shown in Table 10;
  • in order to obtain the MEPM identity and the L-MEPM identity, the method also includes identity registration, which, as shown in Figure 9, includes:
  • Step 901: the MEPM (an example of the second device) and the L-MEPM (an example of the first device) each send a registration request to the MEAO (an example of the third device);
  • the registration request carries the identity authentication information and is used to request the MEAO to register an identity; after receiving the registration request and performing the registration operation, the MEAO stores the corresponding identities of the MEPM and the L-MEPM.
  • the registered identity information can include the content shown in Table 11:
  • the MEAO receives the registration request, performs the registration and replies; the reply includes the content shown in Table 12:
  • Step 902: after the MEAO receives the MEPM registration request, it performs the reply operation; an application example of the reply is shown in Table 13; an identity that does not follow the format of Table 6 is an illegal identity.
  • Step 903: the MEAO sends the registered L-MEPM information to the MEPM; an application example is shown in Table 14;
  • Step 904: after the MEPM parses the identity information and IP address of each L-MEPM, an association between the MEPM and multiple L-MEPMs is formed, as shown in FIG. 10.
  • an application example of the IP address is shown in Table 17;
  • an example of representing the L-MEPM identity information together with its IP address information is given as follows:
  • Method 1: implemented with a hash table, where the key is the L-MEPM identity and the value is the IP address of that L-MEPM.
  • Method 2: implemented as a JSON string.
  • the embodiment of the present application also provides a communication device, which is set on the first device, as shown in FIG. 12 , the device includes:
  • the first communication unit 1201 is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;
  • the first processing unit 1202 is configured to provide a security management function for applications on the edge computing platform based on the first information and the security policy.
  • the security policy includes at least one of the following:
  • a first security level indicates that configuration of all applications on the edge computing platform is rejected;
  • a second security level indicates that configuration of some applications on the edge computing platform is allowed;
  • a third security level indicates that configuration of all applications on the edge computing platform is allowed.
  • the first communication unit 1201 is further configured to send third information to the second device; the third information is used to describe whether the configuration of the first information is successful.
  • the first information includes at least one of the following configuration information:
  • a first configuration strategy concerns the operating permissions of different applications;
  • a second configuration strategy concerns the routing rules of different applications;
  • a third configuration strategy concerns the domain name system (DNS) settings of different applications;
  • a fourth configuration strategy concerns the life cycles of different applications.
  • the first communication unit 1201 is further configured to send first access authentication information to the third device, and to receive first authentication response information from the third device;
  • the first communication unit 1201 and the first processing unit 1202 may be implemented by a processor in a communication device combined with a communication interface.
  • the embodiment of the present application also provides a communication device, which is set on the second device, as shown in FIG. 13 , the device includes:
  • the second communication unit 1301 is configured to receive second information from a third device; the second information is used to arrange applications on the edge computing platform;
  • the second processing unit 1302 is configured to send first information to the first device based on the second information; the first information is used to instruct the first device to configure applications on the edge computing platform based on the first information and the security policy.
  • the first information includes at least one of the following configuration information:
  • a first configuration strategy concerns the operating permissions of different applications;
  • a second configuration strategy concerns the routing rules of different applications;
  • a third configuration strategy concerns the domain name system (DNS) settings of different applications;
  • a fourth configuration strategy concerns the life cycles of different applications.
  • the second information includes at least one of the following: the identity of the second device; orchestration information for applications on the edge computing platform.
  • the security policy includes at least one of the following:
  • a first security level indicates that configuration of all applications on the edge computing platform is rejected;
  • a second security level indicates that configuration of some applications on the edge computing platform is allowed;
  • a third security level indicates that configuration of all applications on the edge computing platform is allowed.
  • the second communication unit 1301 is further configured to receive third information from the first device; the third information is used to explain whether the configuration of the first information is successful;
  • the second communication unit 1301 is further configured to send fourth information to the third device; the fourth information is used to indicate whether the configuration of the second information is successful.
  • the second communication unit 1301 is further configured to send second access authentication information to the third device, and to receive second authentication response information from the third device; the second authentication response information includes at least: the identity of the second device;
  • the second communication unit 1301 is further configured to receive the identity of the first device.
  • the second communication unit 1301 and the second processing unit 1302 may be implemented by a processor in a communication device combined with a communication interface.
  • the embodiment of the present application further provides a first device, as shown in FIG. 14 , the first device 1400 includes:
  • the first communication interface 1401 is capable of exchanging information with the second device
  • the first processor 1402 is connected to the first communication interface 1401 to implement information interaction with the second device, and is configured to execute the methods provided by one or more technical solutions on the first device side when running a computer program, wherein the computer program is stored in the first memory 1403.
  • the first communication interface 1401 is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;
  • the first processor 1402 is configured to provide security management functions for applications on the edge computing platform based on the first information and the security policy.
  • the first communication interface 1401 is further configured to send third information to the second device; the third information is used to describe whether the configuration of the first information is successful.
  • the first communication interface 1401 is further configured to send first access authentication information to the third device, and to receive first authentication response information from the third device;
  • the various components in the first device 1400 are coupled together through a bus system 1404.
  • the bus system 1404 is used to realize connection and communication among these components.
  • the bus system 1404 also includes a power bus, a control bus and a status signal bus.
  • for clarity of illustration, the various buses are labeled as bus system 1404 in FIG. 14.
  • the first memory 1403 in the embodiment of the present application is used to store various types of data to support the operation of the first device 1400.
  • examples of such data include: any computer program for operating on the first device 1400.
  • the methods disclosed in the foregoing embodiments of the present application may be applied to the first processor 1402 or implemented by the first processor 1402 .
  • the first processor 1402 may be an integrated circuit chip, which has a signal processing capability. In the implementation process, each step of the above method may be implemented by an integrated logic circuit of hardware in the first processor 1402 or an instruction in the form of software.
  • the aforementioned first processor 1402 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like.
  • the first processor 1402 may implement or execute various methods, steps, and logic block diagrams disclosed in the embodiments of the present application.
  • a general purpose processor may be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the first memory 1403.
  • the first processor 1402 reads the information in the first memory 1403, and completes the steps of the foregoing method in combination with its hardware.
  • the first device 1400 may be implemented by one or more Application Specific Integrated Circuits (ASIC, Application Specific Integrated Circuit), DSP, Programmable Logic Device (PLD, Programmable Logic Device), complex programmable logic device (CPLD, Complex Programmable Logic Device), field-programmable gate array (FPGA, Field-Programmable Gate Array), general-purpose processor, controller, microcontroller (MCU, Micro Controller Unit), microprocessor (Microprocessor), or others Electronic components are implemented for performing the aforementioned methods.
  • the embodiment of the present application also provides a second device, as shown in FIG. 15 , the second device 1500 includes:
  • the second communication interface 1501 is capable of information interaction with the first device and the third device;
  • the second processor 1502 is connected to the second communication interface 1501 to implement information interaction with the first device and the third device, and is configured to execute the methods provided by one or more technical solutions on the second device side when running a computer program, wherein the computer program is stored in the second memory 1503.
  • the second communication interface 1501 is configured to receive second information from a third device; the second information is used to orchestrate applications on the edge computing platform;
  • the second processor 1502 is configured to send first information to the first device based on the second information; the first information is used to instruct the first device to configure applications on the edge computing platform based on the first information and the security policy.
  • the second communication interface 1501 is further configured to receive third information from the first device; the third information is used to indicate whether the configuration of the first information is successful;
  • the second communication interface 1501 is further configured to send fourth information to the third device; the fourth information is used to indicate whether the configuration of the second information is successful.
  • the second communication interface 1501 is further configured to send second access authentication information to the third device, and to receive second authentication response information from the third device; the second authentication response information includes at least: the identity of the second device;
  • the various components in the second device 1500 are coupled together through a bus system 1504. It can be understood that the bus system 1504 is used to realize connection and communication between these components. In addition to the data bus, the bus system 1504 also includes a power bus, a control bus and a status signal bus. For clarity of illustration, the various buses are labeled as bus system 1504 in FIG. 15.
  • the second memory 1503 in the embodiment of the present application is used to store various types of data to support the operation of the second device 1500.
  • examples of such data include: any computer program for operating on the second device 1500.
  • the methods disclosed in the foregoing embodiments of the present application may be applied to the second processor 1502 or implemented by the second processor 1502 .
  • the second processor 1502 may be an integrated circuit chip and has signal processing capabilities. In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the second processor 1502 or instructions in the form of software.
  • the aforementioned second processor 1502 may be a general-purpose processor, DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like.
  • the second processor 1502 may implement or execute various methods, steps, and logic block diagrams disclosed in the embodiments of the present application.
  • a general purpose processor may be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the second storage 1503, and the second processor 1502 reads information in the second storage 1503, and completes the steps of the aforementioned method in combination with its hardware.
  • the second device 1500 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general processors, controllers, MCUs, Microprocessors, or other electronic components for performing the aforementioned methods.
  • the memory in this embodiment of the present application may be a volatile memory or a nonvolatile memory, and may also include both volatile and nonvolatile memories.
  • the non-volatile memory can be a read-only memory (ROM, Read Only Memory), a programmable read-only memory (PROM, Programmable Read-Only Memory), an erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), an electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), a ferromagnetic random access memory (FRAM, Ferromagnetic Random Access Memory), a flash memory (Flash Memory), a magnetic surface memory, an optical disc, or a CD-ROM (Compact Disc Read-Only Memory); the magnetic surface memory can be a disk memory or a tape memory.
  • the volatile memory may be random access memory (RAM, Random Access Memory), which is used as an external cache.
  • many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory), and direct Rambus random access memory (DRRAM, Direct Rambus Random Access Memory).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to a communication system, a communication method, an apparatus, a first device, a second device and a storage medium. The system comprises: a first device, a second device and a third device. The first device is configured to receive first information from the second device and, on the basis of the first information and a security policy, provide a security management function for an application on an edge computing platform. The first information is used to configure an application on the edge computing platform. The second device is configured to send the first information to the first device on the basis of second information from the third device. The second information is used to orchestrate an application on the edge computing platform.
PCT/CN2022/099569 2021-06-24 2022-06-17 Communication system and method, apparatus, first device, second device and storage medium WO2022267994A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110703440.3A CN115529144A (zh) 2021-06-24 2021-06-24 Communication system, method, apparatus, first device, second device and storage medium
CN202110703440.3 2021-06-24

Publications (1)

Publication Number Publication Date
WO2022267994A1 true WO2022267994A1 (fr) 2022-12-29

Family

ID=84545132

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/099569 WO2022267994A1 (fr) 2021-06-24 2022-06-17 Communication system and method, apparatus, first device, second device and storage medium

Country Status (2)

Country Link
CN (1) CN115529144A (fr)
WO (1) WO2022267994A1 (fr)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018089417A1 (fr) * 2016-11-09 2018-05-17 Interdigital Patent Holdings, Inc. Systems and methods for creating slices at a cell edge to provide computing services
WO2020185794A1 (fr) * 2019-03-11 2020-09-17 Intel Corporation Multi-slice support for MEC-enabled 5G deployments
WO2020192598A1 (fr) * 2019-03-22 2020-10-01 华为技术有限公司 Virtual machine and container deployment method and device
CN111837371A (zh) * 2018-01-26 2020-10-27 Idac控股公司 Application mobility based on enhanced MPTCP
WO2020259980A1 (fr) * 2019-06-26 2020-12-30 Orange Methods and devices for securing a multi-access edge network
CN112822675A (zh) * 2021-01-11 2021-05-18 北京交通大学 OAuth 2.0-based single sign-on mechanism for MEC environments

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110944330B (zh) * 2018-09-21 2021-06-22 华为技术有限公司 MEC platform deployment method and device
CN111935270A (zh) * 2020-08-04 2020-11-13 腾讯科技(深圳)有限公司 Communication method, device, medium and electronic equipment based on an edge computing platform
CN112422685B (zh) * 2020-11-19 2022-02-01 中国联合网络通信集团有限公司 5G data processing system and method based on mobile edge computing (MEC)

Also Published As

Publication number Publication date
CN115529144A (zh) 2022-12-27

Similar Documents

Publication Publication Date Title
WO2019157955A1 (fr) Device access method, related platform and computer storage medium
JP6834033B2 (ja) Network slice management method, unit, and system
KR102439559B1 (ko) Alarm method and device
TWI745473B (zh) Network authentication method and device
US10397352B2 (en) Network infrastructure management
TWI524204B (zh) 用於可管理性與安全路由及端點存取的方法、裝置與系統
US9690605B2 (en) Configuration of an edge switch downlink port with a network policy of a published network configuration service type
CN111885123B (zh) Method and device for constructing an access channel to a target service across K8s clusters
US11438242B2 (en) Method for providing PaaS service, management system, and cloud computing service architecture
WO2016155394A1 (fr) Method and device for establishing a link between virtualized network functions
US10924966B2 (en) Management method, management unit, and system
CN114025021B (zh) Communication method, system, medium and electronic device across Kubernetes clusters
US20190140972A1 (en) Network resource orchestration method and device
WO2017185251A1 (fr) VNFM determination method and network function virtualization orchestrator
US11743117B2 (en) Streamlined onboarding of offloading devices for provider network-managed servers
EP3761595A1 (fr) Method and device comprising an edge cloud agent for providing a service
US20230261950A1 (en) Method of container cluster management and system thereof
US20220121471A1 (en) Device virtualization security layer
Zhang et al. Capture: Centralized library management for heterogeneous IoT devices
US10547590B1 (en) Network processing using asynchronous functions
CN108881460B (zh) Implementation method and device for unified monitoring of a cloud platform
CN110839007A (zh) Cloud network security processing method, device and computer storage medium
US20050097310A1 (en) Method and system for restricting PXE servers
WO2022267994A1 (fr) Communication system and method, apparatus, first device, second device and storage medium
US11863382B2 (en) Software defined network device exposure to third parties

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22827489

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE