WO2023216856A1 - Service management method and apparatus - Google Patents

Publication number
WO2023216856A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
measurement
information
scenario
software
Prior art date
Application number
PCT/CN2023/090142
Other languages
English (en)
Chinese (zh)
Inventor
李论
吴义壮
崔洋
雷骜
张万强
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2023216856A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0893 Assignment of logical groups to network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0894 Policy-based network configuration management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • This application relates to the field of network function virtualization, and in particular to a service management method and device in a network function virtualization NFV architecture.
  • Network function virtualization realizes the functions of special equipment in traditional communication networks by using general hardware equipment and virtualization technology, and can quickly deploy new network services (NS) through resource sharing, thereby reducing network deployment costs and improving network operation efficiency.
  • VNF: virtual network functions
  • VI: virtual instances
  • This application provides a business management method that can measure specific parts of NFV under specific trigger scenarios, reduce the complexity of measurement, save communication and computing overhead, and further improve the practical effect of remote certification.
  • a service management method is provided.
  • the method can be executed by the first network element, or can also be executed by a component (such as a chip or circuit) of the first network element.
  • the method may include: receiving first request information, the first request information being used to request measurement for a first measurement scenario, where the first measurement scenario includes multiple measurement objects; determining at least one second network element according to the mapping relationship, where the mapping relationship is used to indicate the corresponding relationship between multiple measurement objects and multiple network elements, the at least one second network element corresponds to at least one first measurement object, and the first measurement object belongs to the multiple measurement objects included in the first measurement scenario; sending second request information to the at least one second network element, where the second request information is used to request measurement of the at least one first measurement object.
  • the first network element can measure specific content and objects according to different measurement scenarios, and determine whether the measurement scenario meets the requirements based on the measurement results, avoiding the waste of overhead caused by measuring each part of the business network element, thereby reducing the complexity of measurement and saving communication and computing overhead.
  • a first measurement object corresponds to a second network element
  • a second network element may correspond to one or more first measurement objects.
  • Sending the second request information to at least one second network element may be understood as: according to the different measurement objects, the second network element corresponding to each first measurement object is requested to measure that first measurement object. That is to say, the second network element measures its corresponding first measurement object and does not measure other first measurement objects.
  • the first network element sends the second request information to two second network elements respectively, and each second network element corresponds to one first measurement object; the second request information sent to one of the second network elements is then a request to measure the first measurement object corresponding to that second network element, and does not require the second network element to measure both first measurement objects.
  • the method further includes: receiving first metric information, where the first metric information includes at least one first metric result information sent by at least one second network element, and the first measurement result information is used to indicate the first measurement result for the first measurement object; according to the first measurement information, sending the first feedback information for the first request information.
  • the first network element can receive the measurement results of multiple second network elements, comprehensively determine whether the multiple measurement results meet the requirements of the measurement scenario, and reduce the complexity of measurement.
  • the method further includes: sending third request information to at least one measurement network element corresponding to the first network element, where the third request information is used to request the measurement of the first degree.
  • the first feedback information of the request information includes: sending the first feedback information for the first request information according to the first metric information and the second metric information.
  • the first network element measures the measurement objects that it can measure, and combines the measurement results of the second network element to determine whether the measurement scenario meets the requirements, which increases the flexibility of the measurement solution.
  • the mapping relationship is specifically used to indicate the correspondence between multiple indexes and multiple parameter groups, where each index corresponds to at least one measurement scenario, and each parameter group includes at least one of the following parameters: measurement object, measurement indicator, measurement level; and the first request information includes an index corresponding to the first measurement scenario.
  • the first network element can determine whether the requested measurement object itself can be measured according to the mapping relationship, thereby determining the measurement solution.
  • the multiple measurement scenarios include at least one of the following measurement scenarios: the first scenario is used to measure whether the security of the deployment environment or migration environment of the service network element meets the requirements; The second scenario is used to measure whether the geographical location of one or more virtual storage instances of the business network element meets the requirements; the third scenario is used to measure whether the one or more software of the business network element meets the requirements.
  • the measurement object corresponding to the first measurement scenario includes at least one of the following: an image file of the service network element; One or more virtualization layers corresponding to the deployment environment migration environment, and one or more hardware attributes corresponding to the deployment environment migration environment.
  • when the measurement object of the first measurement scenario is the image file of the service network element, the first network element includes the service network element management network element, and the service network element management network element is used to manage the service network element.
  • the second network element includes an image verification network element.
  • the image verification network element is used to verify the correctness of the image file of the service network element.
  • the second request information includes identification information of the image file of the service network element; or,
  • the first network element includes the business network element management network element
  • the second network element includes the virtualization infrastructure management network element
  • the virtualization infrastructure management network element is used to verify the security of one or more virtualization layers corresponding to the deployment environment and migration environment; or,
  • the first network element includes a virtualization infrastructure management network element, and the virtualization infrastructure management network element is used to manage virtualization Infrastructure
  • the second network element includes a geographical location verification network element
  • the geographical location verification network element is used to verify the geographical location attributes of one or more hardware corresponding to the deployment environment.
  • when the service network element is deployed or migrated successfully, the method further includes: receiving deployment result information from the service network element management network element, where the deployment result information is used to indicate that the service network element is successfully deployed or migrated and includes certification information of the service network element deployment or migration; based on the certification information, verifying whether the service network element is deployed or migrated successfully.
  • the first network element can further verify whether the deployment is successful based on the feedback deployment results, which increases the reliability of the deployment.
  • the measurement object corresponding to the first measurement scenario includes one or more responsible storage information corresponding to the service network element.
  • the first network element includes a business network element verification network element.
  • the business network element verification network element is used to verify the geographical location of one or more virtual instances responsible for storing information.
  • the second network element includes a geographical location verification network element, and the geographical location verification network element is used to verify the geographical location of the virtual instance responsible for storing information.
  • the method further includes: obtaining first configuration information, where the first configuration information is used to indicate the correspondence between multiple identifiers and multiple virtual instance groups, the storage content corresponding to any two virtual instance groups is different, and the storage content includes at least one of the following: user information, communication records, and business data; and the first request information also includes a first identifier, and the second request information also includes the first virtual instance group.
  • the first virtual instance group is the virtual instance group corresponding to the first identification in the first configuration information.
  • the first network element can further measure the measurement object based on the obtained first configuration information according to the identification corresponding to one or more virtual instance groups responsible for storing content and the VI in the first configuration information.
  • the measurement object corresponding to the first measurement scenario includes at least one of the following: software in the virtual instance, and the virtualization layer software for virtual instance deployment.
  • the first network element when the measurement object of the first measurement scenario includes software in the virtual instance, the first network element includes a service network element verification network element, and the service network element verification network element
  • the second network element includes a customer system verification network element, and the customer system verification network element is used to verify whether the software in the virtual instance meets the requirements; or,
  • the first network element includes the service network element verification network element
  • the second network element includes the cloud operating system verification network element
  • the cloud operating system verification network element is used to verify whether the software of the virtualization layer deployed by the virtual instance meets the requirements.
  • the method further includes: obtaining second configuration information, where the second configuration information is used to indicate the correspondence between multiple identifiers and multiple software, and the multiple software includes at least one of the following: software in the virtual instance, software in the virtualization layer deployed by the virtual instance; and the first request information also includes a second identification, the second request information also includes an identification of the first software, and the first software is the software corresponding to the second identification in the second configuration information.
  • the first network element can further obtain the second configuration information according to the second configuration information.
  • the measurement objects are measured using the identification corresponding to each software and VI in the system, which avoids the waste of overhead caused by storing a large amount of software information and saves storage space.
  • the method further includes: sending the first first feedback information to the service network element management network element.
  • Instruction information the first instruction information is used to instruct reconfiguration of one or more measurement objects.
  • the second aspect provides a business management method.
  • the method may be executed by the second network element, or may also be executed by a component (such as a chip or circuit) of the second network element.
  • the method may include: receiving second request information, where the second request information is used to request to perform measurement on at least one first measurement object, and the first measurement object belongs to the plurality of measurement objects included in the first measurement scenario; measuring the at least one first measurement object and determining first measurement result information.
  • the second network element can measure different measurement scenarios, specific content and objects according to the measurement request of the first network element, and feed back the measurement results to the first network element, avoiding the waste of overhead caused by measuring each part of the business network element, thereby reducing the complexity of measurement and saving communication and computing overhead.
  • measuring at least one first measurement object and determining the first measurement result information includes: sending fourth request information to at least one measurement network element corresponding to the second network element, where the fourth request information is used to request measurement for at least one first measurement object; receiving third measurement information, where the third measurement information includes at least one third measurement result information sent by the at least one measurement network element corresponding to the second network element, and the third measurement information is used to indicate the second measurement result for the first measurement object; determining the first measurement result information according to the third measurement information.
  • the second network element can request its corresponding measurement network element to measure specific content and objects in different measurement scenarios according to the measurement request of the first network element, thereby saving communication and computing overhead.
  • the method further includes: sending first measurement result information, where the first measurement result information is used to indicate a first measurement result for at least one first measurement object.
  • the multiple measurement scenarios include at least one of the following measurement scenarios: the first scenario is used to measure whether the security of the deployment environment or migration environment of the service network element meets the requirements; The second scenario is used to measure whether the geographical location of one or more virtual storage instances of the business network element meets the requirements; the third scenario is used to measure whether the one or more software of the business network element meets the requirements.
  • the measurement object corresponding to the first measurement scenario includes at least one of the following: an image file of the service network element; One or more virtualization layers corresponding to the deployment environment migration environment, and one or more hardware attributes corresponding to the deployment environment migration environment.
  • when the first measurement scenario includes the second scenario, the measurement object corresponding to the first measurement scenario includes the geographical location of one or more virtual instances responsible for storing information corresponding to the service network element.
  • the measurement object corresponding to the first measurement scenario includes at least one of the following: software in the virtual instance, and the virtualization layer software for virtual instance deployment.
  • a service management method is provided.
  • the method can be executed by the first network element, or can also be executed by a component (such as a chip or circuit) of the first network element.
  • the method may include: obtaining a mapping relationship, the mapping relationship being used to indicate the corresponding relationship between multiple measurement scenarios and multiple network elements; receiving first request information, the first request information being used to perform measurement for the first measurement scenario; according to the mapping relationship, determining the second network element corresponding to the first measurement scenario from the plurality of network elements; sending second request information to the second network element, where the second request information is used to request measurement for the first measurement scenario.
  • the first network element can measure specific content and objects in different measurement scenarios, and determine whether the measurement scenario meets the requirements based on the measurement results, avoiding the waste of overhead caused by measuring each part of the business network element, thereby reducing the complexity of measurement and saving communication and computing overhead.
  • the first request information includes at least one of the following information: indication information of the measurement object corresponding to the first measurement scenario, indication information of the measurement indicator corresponding to the first measurement scenario, indication information of the measurement level corresponding to the first measurement scenario;
  • the second request information includes at least one of the following information: indication information of the measurement object corresponding to the first measurement scenario, indication information of the measurement indicator corresponding to the first measurement scenario, indication information of the measurement level corresponding to the first measurement scenario.
  • the first network element can determine the corresponding measurement scenario, measurement object, etc. according to the content in the first request information and the mapping relationship, thereby reducing the signaling overhead in information transmission.
  • the mapping relationship is specifically used to indicate the correspondence between multiple indexes and multiple parameter groups, where each index corresponds to at least one measurement scenario, and each parameter group includes at least one of the following parameters: measurement object, measurement indicator, measurement level; and the first request information includes an index corresponding to the first measurement scenario.
  • the first network element can determine whether the measurement object in the measurement request can be measured by itself, and request other network elements to measure the measurement object that cannot be measured, which increases the flexibility of the measurement solution.
  • the multiple measurement scenarios include at least one of the following measurement scenarios: the first scenario is used to measure whether the security of the deployment environment or migration environment of the service network element meets the requirements; The second scenario is used to measure whether the geographical location of one or more virtual storage instances of the business network element meets the requirements; the third scenario is used to measure whether the one or more software of the business network element meets the requirements.
  • the method further includes: receiving first metric information, where the first metric information includes one or more first metrics corresponding to one or more metric objects. Result information; determine the second measurement result information based on whether the first measurement information meets the measurement index.
  • the first network element can comprehensively determine whether the measurement scenario meets the requirements based on the received measurement results, thereby reducing the complexity of measurement.
  • when the first network element is the service network element verification network element, the method further includes: sending the second measurement result information to the service triggering party.
  • the method further includes: sending the third measurement result to the service network element management network element.
  • One indication information the first indication information is used to instruct reconfiguration of one or more measurement objects.
  • the method further includes: obtaining first configuration information of a business network element functional component responsible for storing information.
  • the business network element functional component responsible for storing information includes one or more virtual instances responsible for storing information, and the first configuration information includes the number of the service network element functional component responsible for storing information, and one or more numbers of the one or more virtual instances responsible for storing information.
  • the first network element can further measure the measurement object based on the identification corresponding to each virtual instance group and VI in the first configuration information through the obtained first configuration information, thereby avoiding the waste of overhead caused by storing a large amount of virtual instance group information and saving storage space.
  • obtaining the first configuration information of the service network element functional component responsible for storing information includes: sending third request information to the service network element functional component management network element, where the third request information is used to request to query the first configuration information; receiving the first configuration information.
  • the first network element can obtain the first configuration information by requesting a query from the service network element functional component management network element, which increases the flexibility of the solution.
  • obtaining the first configuration information of the service network element functional component responsible for storing information includes: sending fourth request information to the measurement network element of the first network element, where the fourth request information is used to request to measure the second configuration information of the service network element; receiving the second configuration information of the service network element, where the second configuration information includes the type of the service network element functional component, the number of the service network element functional component, and the number of one or more virtual instances corresponding to the service network element functional component; verifying the second configuration information to obtain the first configuration information.
  • the first network element can obtain the first configuration information by requesting network element measurement, which increases the flexibility of the solution.
  • the fourth aspect provides a business management method.
  • the method may be executed by the second network element, or may also be executed by a component (such as a chip or circuit) of the second network element.
  • the method may include: receiving second request information, the second request information is used to request measurement for the first measurement scenario; measuring the first measurement scenario; sending the first measurement information, the first measurement information includes One or more first measurement result information corresponding to one or more measurement objects.
  • the second network element can measure different measurement scenarios, specific content and objects according to the measurement request of the first network element, and feed back the measurement results to the first network element, avoiding the waste of overhead caused by measuring each part of the business network element, thereby reducing the complexity of measurement and saving communication and computing overhead.
  • determining the first metric information includes: sending second request information to one or more metric network elements of the second network element; receiving third measurement result information, where the third measurement result information includes one or more results of measurement of the first measurement scenario by one or more measurement parties of the second network element; according to whether the third measurement information meets the measurement indicators, determining the first measurement result information.
  • the second network element can request its corresponding measurement network element to measure specific content and objects in different measurement scenarios according to the measurement request of the first network element, thereby saving communication and computing overhead.
  • the second request information includes at least one of the following information: indication information of the measurement object corresponding to the first measurement scenario, indication information of the measurement indicator corresponding to the first measurement scenario, indication information of the measurement level corresponding to the first measurement scenario.
  • the mapping relationship is specifically used to indicate the correspondence between multiple indexes and multiple parameter groups, where each index corresponds to at least one measurement scenario, and each parameter group includes at least one of the following parameters: measurement object, measurement indicator, measurement level; and the first request information includes an index corresponding to the first measurement scenario.
  • the multiple measurement scenarios include at least one of the following measurement scenarios: the first scenario is used to measure whether the security of the deployment environment of the service network element meets the requirements; the second scenario is used to measure whether the geographical location of one or more memories of the service network element meets the requirements; the third scenario is used to measure whether one or more software of the service network element meets the requirements.
  • a service management device including a unit for executing the method shown in the first aspect.
  • the communication device may be the first network element, or may be a chip or circuit provided in the first network element; this application does not limit this.
  • the communication device includes:
  • a transceiver unit configured to receive first request information, the first request information being used to request measurement for a first measurement scenario, where the first measurement scenario includes multiple measurement objects; a processing unit, configured to determine at least one measurement object according to the mapping relationship The second network element, the mapping relationship is used to indicate the corresponding relationship between multiple measurement objects and multiple network elements. At least one second network element corresponds to at least one first measurement object, and the first measurement object belongs to the first measurement object.
  • the scenario includes multiple measurement objects; the transceiver unit is further configured to send second request information to at least one second network element, where the second request information is used to request measurement for at least one first measurement object.
  • the transceiver unit is further configured to receive first measurement information, where the first measurement information includes at least one first measurement result sent by at least one second network element information, the first measurement result information is used to indicate the first measurement result for the first measurement object; the transceiver unit is also used to send the first feedback information for the first request information according to the first measurement information.
  • the transceiver unit is further configured to send third request information to at least one measurement network element corresponding to the first network element, where the third request information is used to request measurement of at least one second measurement object among the multiple measurement objects included in the measurement scenario, and the second measurement object belongs to the measurement objects that can be measured by the measurement network element corresponding to the first network element; the transceiver unit is also used to receive second measurement information, where the second measurement information includes at least one piece of second measurement result information sent by the at least one measurement network element corresponding to the first network element, and the second measurement information is used to indicate the second measurement result for the second measurement object; the transceiver unit is further used to send first feedback information for the first request information according to the first measurement information and the second measurement information.
  • the mapping relationship is specifically used to indicate the correspondence between multiple indexes and multiple parameter groups, where each index corresponds to at least one measurement scenario, and each parameter group includes at least one of the following parameters: measurement object, measurement indicator, measurement level; and the first request information includes an index corresponding to the first measurement scenario.
  • the multiple measurement scenarios include at least one of the following measurement scenarios: the first scenario is used to measure whether the security of the deployment environment or migration environment of the service network element meets the requirements; the second scenario is used to measure whether the geographical location of one or more virtual storage instances of the service network element meets the requirements; the third scenario is used to measure whether one or more software of the service network element meets the requirements.
  • the measurement object corresponding to the first measurement scenario includes at least one of the following: an image file of the service network element, one or more virtualization layers corresponding to the deployment environment or migration environment, and one or more hardware attributes corresponding to the deployment environment or migration environment.
  • when the measurement object of the first measurement scenario is the image file of the service network element, the first network element includes the service network element management network element, and the service network element management network element is used to manage the service network element.
  • the second network element includes an image verification network element.
  • the image verification network element is used to verify the correctness of the image file of the service network element.
  • the second request information includes identification information of the image file of the service network element; or,
  • the first network element includes a service network element management network element
  • the second network element includes a virtualization infrastructure management network element.
  • the virtualization infrastructure management network element is used to verify the security of one or more virtualization layers corresponding to the deployment environment or migration environment; or,
  • the first network element includes a virtualization infrastructure management network element, and the virtualization infrastructure management network element is used to manage virtualization Infrastructure
  • the second network element includes a geographical location verification network element
  • the geographical location verification network element is used to verify the geographical location attributes of one or more hardware corresponding to the deployment environment.
  • the transceiver unit is also used to receive deployment result information from the service network element management network element, where the deployment result information is used to indicate that the service network element is deployed or migrated successfully, and the deployment result information includes certification information of the deployment or migration of the service network element; the processing unit is also used to verify whether the deployment or migration of the service network element is successful based on the certification information.
  • the measurement object corresponding to the first measurement scenario includes one or more responsible storage information corresponding to the service network element.
  • the first network element includes a business network element verification network element.
  • the business network element verification network element is used to verify the geographical location of one or more virtual instances responsible for storing information.
  • the second network element includes a geographical location verification network element, and the geographical location verification network element is used to verify the geographical location of the virtual instance responsible for storing information.
  • the transceiver unit is also used to obtain first configuration information.
  • the first configuration information is used to indicate the correspondence between multiple identifiers and multiple virtual instance groups, where the storage content corresponding to any two virtual instance groups is different, and the storage content includes at least one of the following: user information, communication records, service data; and the first request information also includes a first identifier, the second request information also includes the identifier of a virtual instance of the first virtual instance group, and the first virtual instance group is the virtual instance group corresponding to the first identifier in the first configuration information.
  • the measurement object corresponding to the first measurement scenario includes at least one of the following: software in the virtual instance, software of the virtualization layer deployed by the virtual instance.
  • when the measurement object of the first measurement scenario includes software in the virtual instance, the first network element includes a service network element verification network element, and the service network element verification network element
  • the second network element includes a customer system verification network element, and the customer system verification network element is used to verify whether the software in the virtual instance meets the requirements; or,
  • the first network element includes the service network element verification network element
  • the second network element includes the cloud operating system verification network element
  • the cloud operating system verification network element is used to verify whether the software of the virtualization layer deployed by the virtual instance meets the requirements.
  • the transceiver unit is also used to obtain second configuration information.
  • the second configuration information is used to indicate the correspondence between multiple identifiers and multiple software.
  • the multiple software includes at least one of the following: software in the virtual instance, software in the virtualization layer deployed by the virtual instance; and the first request information also includes a second identifier, the second request information also includes an identifier of the first software, and the first software is the software corresponding to the second identifier in the second configuration information.
  • the transceiver unit is further configured to send first instruction information to the service network element management network element, where the first instruction information is used to instruct that one or more measurement objects be reconfigured.
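The dispatch described for the first network element above (index lookup in the mapping relationship, one second request per second network element, then a single first feedback) can be sketched as follows. This is an added example, not code from the application: every identifier, the indicator and level labels, and the fail-closed policy for missing or mis-sourced results are assumptions made for illustration.

```python
"""Added illustration of mapping-driven measurement dispatch; all names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ParameterGroup:
    scenario: str
    objects: tuple   # measurement objects belonging to the scenario
    indicator: str   # assumed label for the measurement indicator
    level: str       # assumed label for the measurement level


# Index -> parameter group (the indexed form of the mapping relationship).
MAPPING = {
    1: ParameterGroup("deployment_or_migration_environment",
                      ("image_file", "virtualization_layer", "hardware_location"),
                      "environment_security", "high"),
    2: ParameterGroup("storage_instance_location",
                      ("storage_instance_location",), "allowed_region", "high"),
    3: ParameterGroup("software",
                      ("instance_software", "virtualization_layer_software"),
                      "approved_software", "medium"),
}

# Measurement object -> second network element that measures it.
VERIFIER_FOR = {
    "image_file": "image_verification_ne",
    "virtualization_layer": "virtualization_infrastructure_management_ne",
    "hardware_location": "geographical_location_verification_ne",
    "storage_instance_location": "geographical_location_verification_ne",
    "instance_software": "customer_system_verification_ne",
    "virtualization_layer_software": "cloud_operating_system_verification_ne",
}


def plan_second_requests(index):
    """Return {second network element: [measurement objects]} for a scenario index."""
    group = MAPPING.get(index)
    if group is None:
        # An index outside the mapping is rejected instead of measured loosely.
        raise KeyError(f"unknown measurement scenario index: {index}")
    plan = {}
    for obj in group.objects:
        plan.setdefault(VERIFIER_FOR[obj], []).append(obj)
    return plan


def build_first_feedback(index, results):
    """Aggregate (sender, measurement_object, passed) tuples into one feedback.

    Assumed policy: a result counts only when it comes from the network element
    the mapping assigns to that object, a failure is never overwritten by a
    later pass, and any object without an accepted result fails the scenario.
    """
    plan = plan_second_requests(index)
    expected = {obj: ne for ne, objs in plan.items() for obj in objs}
    verdicts, rejected = {}, []
    for sender, obj, passed in results:
        if expected.get(obj) != sender:
            rejected.append((sender, obj))
            continue
        verdicts[obj] = verdicts.get(obj, True) and bool(passed)
    missing = sorted(set(expected) - set(verdicts))
    failed = sorted(obj for obj, ok in verdicts.items() if not ok)
    return {
        "scenario": MAPPING[index].scenario,
        "passed": not missing and not failed,
        "failed": failed,
        "missing": missing,
        "rejected": rejected,
    }


if __name__ == "__main__":
    # Constructed sample: the location result never arrives.
    sample = [
        ("image_verification_ne", "image_file", True),
        ("virtualization_infrastructure_management_ne", "virtualization_layer", True),
    ]
    print(plan_second_requests(1))
    print(build_first_feedback(1, sample))
```

Binding each result to the network element the mapping names for that object keeps one verifier from vouching for an object that belongs to another.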
  • a sixth aspect provides a service management device, including a unit for executing the method shown in the second aspect.
  • the communication device may be a second network element, or may be a chip or circuit provided in the second network element; this application does not limit this.
  • the communication device includes:
  • a transceiver unit configured to receive second request information.
  • the second request information is used to request measurement of at least one first measurement object.
  • the first measurement object belongs to the multiple measurement objects included in the first measurement scenario; the processing unit is also used to measure at least one first measurement object and determine the first measurement result information.
  • the transceiver unit is further configured to send fourth request information to at least one measurement network element corresponding to the second network element, where the fourth request information is used to request measurement of at least one first measurement object; the transceiver unit is also configured to receive third measurement information.
  • the third measurement information includes at least one third measurement result information sent by at least one measurement network element corresponding to the second network element.
  • the third measurement information is used to indicate the second measurement result for the first measurement object; the processing unit is also used to determine the first measurement result information according to the third measurement information.
  • the transceiver unit is further configured to send first measurement result information, where the first measurement result information is used to indicate the first measurement result for at least one first measurement object.
  • the multiple measurement scenarios include at least one of the following measurement scenarios: the first scenario is used to measure whether the security of the deployment environment or migration environment of the service network element meets the requirements; the second scenario is used to measure whether the geographical location of one or more virtual storage instances of the service network element meets the requirements; the third scenario is used to measure whether one or more software of the service network element meets the requirements.
  • the measurement object corresponding to the first measurement scenario includes at least one of the following: an image file of the service network element, one or more virtualization layers corresponding to the deployment environment or migration environment, and one or more hardware attributes corresponding to the deployment environment or migration environment.
  • when the first measurement scenario includes the second scenario, the measurement object corresponding to the first measurement scenario includes the geographical location of one or more virtual instances responsible for storing information corresponding to the service network element.
  • the measurement object corresponding to the first measurement scenario includes at least one of the following: software in the virtual instance, software of the virtualization layer deployed by the virtual instance.
  • a seventh aspect provides a service management device, including a unit for executing the method shown in the third aspect.
  • the communication device may be the first network element, or may be a chip or circuit provided in the first network element; this application does not limit this.
  • the communication device includes:
  • the transceiver unit is used to obtain a mapping relationship, which is used to indicate the correspondence between multiple measurement scenarios and multiple network elements; the transceiver unit is also used to receive the first request information, where the first request information is used to request measurement for the first measurement scenario; a processing unit, configured to determine a second network element corresponding to the first measurement scenario from the multiple network elements according to the mapping relationship; the transceiver unit is also configured to send second request information to the second network element, where the second request information is used to request measurement for the first measurement scenario.
  • the first request information includes at least one of the following information: the indication information of the measurement object corresponding to the first measurement scenario, the indication information of the measurement indicator corresponding to the first measurement scenario, the indication information of the measurement level corresponding to the first measurement scenario;
  • the second request information includes at least one of the following information: the indication information of the measurement object corresponding to the first measurement scenario, the indication information of the measurement indicator corresponding to the first measurement scenario, and the indication information of the measurement level corresponding to the first measurement scenario.
  • the mapping relationship is specifically used to indicate the correspondence between multiple indexes and multiple parameter groups, where each index corresponds to at least one measurement scenario, and each parameter group includes at least one of the following parameters: measurement object, measurement indicator, measurement level; and the first request information includes an index corresponding to the first measurement scenario.
  • the multiple measurement scenarios include at least one of the following measurement scenarios: the first scenario is used to measure whether the security of the deployment environment of the service network element meets the requirements; the second scenario is used to measure whether the geographical location of one or more memories of the service network element meets the requirements; the third scenario is used to measure whether one or more software of the service network element meets the requirements.
  • the transceiver unit is further configured to receive first measurement information, where the first measurement information includes one or more pieces of first measurement result information corresponding to one or more measurement objects; the processing unit is also configured to determine the second measurement result information based on whether the first measurement information meets the measurement indicator.
  • when the first network element is the service network element verification network element, the transceiver unit is also configured to send the second measurement result information to the service triggering party.
  • the transceiver unit is further configured to send first instruction information to the service network element management network element, where the first instruction information is used to instruct that one or more measurement objects be reconfigured.
  • the transceiver unit is also used to obtain the first configuration information of the service network element functional component responsible for storing information.
  • the service network element functional component responsible for storing information includes one or more virtual instances responsible for storing information.
  • the first configuration information includes the number of the service network element functional component responsible for storing information, and one or more numbers of one or more virtual instances responsible for storing information.
  • the transceiver unit is also used to send third request information to the service network element functional component management network element, and the third request information is used to request to query the first configuration information;
  • the transceiver unit is also used to receive the first configuration information.
  • the transceiver unit is further configured to send fourth request information to the measurement network element of the first network element, where the fourth request information is used to request measurement of the second configuration information of the service network element; the transceiver unit is also used to receive the second configuration information of the service network element.
  • the second configuration information includes the type of the service network element functional component, the number of the service network element functional component, and the numbers of one or more virtual instances corresponding to the service network element functional component; the processing unit is also used to verify the second configuration information to obtain the first configuration information.
  • An eighth aspect provides a service management device, including a unit for executing the method shown in the fourth aspect.
  • the communication device may be a second network element, or may be a chip or circuit provided in the second network element; this application does not limit this.
  • the communication device includes:
  • the transceiver unit is used to receive the second request information, where the second request information is used to request the measurement of the first measurement scenario; the processing unit is used to measure the first measurement scenario; the transceiver unit is also used to send first measurement information, where the first measurement information includes one or more pieces of first measurement result information corresponding to one or more measurement objects.
  • the transceiver unit is further configured to send the second request information to one or more measurement network elements of the second network element; the transceiver unit is further configured to receive third measurement result information, where the third measurement result information includes one or more results of measurement of the first measurement scenario by one or more measurement parties of the second network element; the processing unit is also used to determine the first measurement result information according to whether the third measurement information meets the measurement indicator.
  • the second request information includes at least one of the following information: indication information of the measurement object corresponding to the first measurement scenario, indication information of the measurement indicator corresponding to the first measurement scenario, indication information of the measurement level corresponding to the first measurement scenario.
  • the mapping relationship is specifically used to indicate the correspondence between multiple indexes and multiple parameter groups, where each index corresponds to at least one measurement scenario, and each parameter group includes at least one of the following parameters: measurement object, measurement indicator, measurement level; and the first request information includes an index corresponding to the first measurement scenario.
  • the multiple measurement scenarios include at least one of the following measurement scenarios: the first scenario is used to measure whether the security of the deployment environment of the service network element meets the requirements; the second scenario is used to measure whether the geographical location of one or more memories of the service network element meets the requirements; the third scenario is used to measure whether one or more software of the service network element meets the requirements.
  • a ninth aspect provides a business management device, which includes: a memory for storing programs; and at least one processor for executing computer programs or instructions stored in the memory to execute any of the above-mentioned first to fourth aspects.
  • a business management device which includes: a memory for storing programs; and at least one processor for executing computer programs or instructions stored in the memory to execute any of the above-mentioned first to fourth aspects.
  • the device is the first network element.
  • the device is a chip, chip system or circuit used in the first network element.
  • this application provides a processor for executing the methods provided in the above aspects.
  • processor output, reception, input and other operations can be understood as processor output, reception, input and other operations.
  • transmitting and receiving operations performed by the radio frequency circuit and the antenna, which is not limited in this application.
  • a computer-readable storage medium stores a program code for device execution.
  • the program code is for executing the method in any possible implementation manner of any one of the above-mentioned first to fourth aspects.
  • a computer program product containing instructions is provided.
  • when the computer program product is run on a computer, it causes the computer to execute the method of any one of the possible implementation methods of the first to fourth aspects.
  • in a thirteenth aspect, a chip is provided, which includes a processor and a communication interface.
  • the processor reads instructions stored in the memory through the communication interface and executes any of the possible implementation methods of the first to fourth aspects.
  • the chip also includes a memory, in which computer programs or instructions are stored.
  • the processor is used to execute the computer programs or instructions stored in the memory.
  • the processor is used to execute any possible implementation method of any of the above first to fourth aspects.
  • a fourteenth aspect provides a communication system, including one or more of the above first network elements and second network elements.
  • Figure 1 shows a schematic diagram of a network architecture suitable for embodiments of the present application.
  • Figure 2 shows a schematic architecture diagram of the NFV system according to the embodiment of the present application.
  • Figure 3 shows a schematic flow chart of a service management method 300 provided by this embodiment of the present application.
  • Figure 4 shows a schematic flow chart of a service management method 400 provided by this embodiment of the present application.
  • Figure 5 shows a schematic flow chart of a service management method 500 provided by this embodiment of the present application.
  • Figure 6 shows a schematic flow chart of a service management method 600 provided by this embodiment of the present application.
  • Figure 7 shows a schematic block diagram of a communication device 700 provided by an embodiment of the present application.
  • Figure 8 shows a schematic block diagram of another communication device 800 provided by an embodiment of the present application.
  • FIG. 9 shows a schematic diagram of a chip system 900 provided by an embodiment of the present application.
  • GSM global system of mobile communication
  • CDMA code division multiple access
  • WCDMA broadband code division multiple access
  • GPRS general packet radio service
  • LTE long term evolution
  • FDD frequency division duplex
  • TDD LTE Time division duplex
  • UMTS universal mobile telecommunication system
  • WiMAX global interoperability for microwave access
  • Figure 1 is a system architecture or scene diagram of an application according to an embodiment of the present application.
  • the network architecture takes the 5th generation system (5GS) as an example.
  • the network architecture may include three parts, namely the UE part, the data network (DN) part and the operator network part.
  • the operator network may include one or more of the following network elements: (radio) access network ((R)AN) equipment, user plane function (UPF) network element, authentication server function (AUSF) network element, unified data repository (UDR) network element, access and mobility management function (AMF) network element, SMF network element, network exposure function (NEF) network element, network repository function (NRF) network element, policy control function (PCF) network element, unified data management (UDM) network element and application function (AF) network element.
  • the part other than the (R)AN part can be called the core network part.
  • user equipment, (wireless) access network equipment, UPF network element, AUSF network element, UDR network element, AMF network element, SMF network element, NEF network element, NRF network element, PCF network element, UDM network element and AF network element are referred to as UE, (R)AN equipment, UPF, AUSF, UDR, AMF, SMF, NEF, NRF, PCF, UDM, and AF respectively.
  • the UE mainly accesses the 5G network and obtains services through the wireless air interface.
  • the UE interacts with the RAN through the air interface and interacts with the AMF of the core network through non-access stratum signaling (non-access stratum, NAS).
  • the UE in the embodiment of this application may also be called terminal equipment, user, access terminal, user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication equipment, user agent or user device.
  • UE can be a cellular phone, smart watch, wireless data card, mobile phone, tablet computer, personal digital assistant (PDA) computer, wireless modem, handheld device, laptop computer, machine type communication (MTC) terminals, computers with wireless transceiver functions, Internet of Things terminals, virtual reality terminal equipment, augmented reality terminal equipment, wearable devices, vehicles, terminals in device-to-device (D2D) communication, terminals in vehicle to everything (V2X) communication, terminals in machine-type communication (MTC), terminals in the Internet of Things (IoT), terminals in smart offices, terminals in industrial control, terminals in autonomous driving, terminals in remote surgery, terminals in smart grids, terminals in transportation security, terminals in smart cities, terminals in smart homes, terminals in
  • RAN equipment can provide authorized users in a specific area with the function of accessing communication networks. Specifically, it can include wireless network equipment in the 3rd generation partnership project (3GPP) network and can also include access points in non-3GPP networks. For convenience of description, AN equipment is used below.
  • AN equipment can adopt different wireless access technologies.
  • 3GPP access technologies (for example, wireless access technologies used in third generation (3G), fourth generation (4G) or 5G systems) and non-3GPP access technologies.
  • 3GPP access technology refers to access technology that complies with 3GPP standard specifications.
  • the access network equipment in the 5G system is called next generation base station node (next generation node base station, gNB) or (R)AN equipment.
  • Non-3GPP access technologies can include air interface technology represented by access point (AP) in wireless fidelity (WiFi), global interoperability for microwave access (WiMAX), code division multiple access (CDMA), etc.
  • AN equipment can allow interconnection and interworking between terminal equipment and the 3GPP core network using non-3GPP technologies.
  • AN equipment can be responsible for wireless resource management, quality of service (QoS) management, data compression and encryption on the air interface side.
  • AN equipment provides access services to terminal equipment, thereby completing the forwarding of control signals and user data between the terminal equipment and the core network.
  • AN equipment may include, for example, but is not limited to: macro base station, micro base station (also called small station), radio network controller (RNC), node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved NodeB, or home node B, HNB), baseband unit (BBU), AP in a WiFi system, base station (BS) in WiMAX, wireless relay node, wireless backhaul node, transmission point (TP) or transmission and reception point (TRP), etc., and can also be used in 5G (such as NR) systems.
  • a gNB or transmission point (TRP or TP)
  • a group including multiple antenna panels
  • a network node that constitutes a gNB or transmission point, such as a distributed unit (DU), or base stations in the next generation communication 6G system, etc.
  • UPF mainly provides user plane functions such as forwarding and processing of user packets, connection with DN, session anchor point, and quality of service (QoS) policy execution.
  • the UPF can receive user plane data from the DN and send the user plane data to the terminal device through the AN device.
  • UPF can also receive user plane data from the terminal device through the AN device and forward it to the DN.
  • DN is mainly used in operator networks that provide data services to UEs.
  • For example, the Internet, third-party service networks, IP multimedia service (IMS) networks, etc.
  • AUSF is mainly used for user authentication, etc.
  • UDR mainly provides storage capabilities for contract data, policy data and data related to capability opening.
  • AMF is mainly used for functions such as access control, mobility management, attachment and detachment.
  • SMF is mainly responsible for session management (such as session establishment, modification, release), Internet protocol (IP) address allocation and management, UPF selection and control, etc.
  • NEF is mainly used to securely open services and capabilities provided by 3GPP network functions to the outside world.
  • NRF is mainly used to store network functional entities and description information of the services they provide.
  • PCF is mainly used to guide the unified policy framework of network behavior and provide policy rule information for control plane network elements (such as AMF, SMF, etc.).
  • UDM is mainly used for UE subscription data management, including storage and management of UE identification, UE access authorization, etc.
  • AF is mainly used to provide services to 3GPP networks, such as interacting with PCF for policy control.
  • network elements can communicate with each other through the interfaces shown in the figure, and some interfaces can be implemented in the form of service-oriented interfaces.
  • communication between UE and AMF can be carried out through the N1 interface.
  • RAN and AMF can communicate through the N2 interface.
  • the relationship between other interfaces and each network element is shown in Figure 1. For the sake of simplicity, they will not be described in detail here.
  • network architecture shown above is only an illustrative description, and the network architecture applicable to the embodiments of the present application is not limited thereto. Any network architecture that can realize the functions of each of the above network elements is applicable to the embodiments of the present application.
  • functions or network elements such as AMF, SMF, UPF, PCF, UDM, AUSF, UDR, NEF, NRF, and AF shown in Figure 1 can be understood as network elements used to implement different functions. For example, they can be combined into network slices as needed. These network elements can be independent devices or integrated into the same device to implement different functions. They can be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform); this application does not limit the specific form of the above network elements.
  • the above network elements or functions can be divided into one or more services, and further, there may also be services that exist independently of network functions.
  • instances of the above functions, or instances of services included in the above functions, or service instances that exist independently of network functions can be called service instances.
  • network elements with different functions can be co-located.
  • the access and mobility management network element can be co-located with the session management network element; the session management network element can be co-located with the user plane network element.
  • FIG. 2 shows a schematic architecture diagram of the NFV system according to the embodiment of the present application.
  • the NFV reference architecture consists of the following main functional components:
  • NFV infrastructure (NFVI) is used to provide the virtualization resources required to support the execution of NFV, including commercial off-the-shelf (COTS) hardware, necessary accelerator components, and a software layer that virtualizes and abstracts the underlying hardware.
  • NFVI can include a hardware resource layer composed of computing hardware, storage hardware, and network hardware, a virtualization layer, and a virtual resource layer composed of virtual computing, virtual storage, and virtual network.
  • the virtualization layer is a software layer composed of software required to host virtual instances. It is installed on the hardware layer of the COTS host.
  • the virtualization layer includes but is not limited to: a boot program, a cloud operating system (Cloud OS) or host operating system (host OS), a virtual machine monitor (hypervisor), a virtual machine manager (VMM), and other software that supports the security, transmission, and business needs of virtual instances, which is not limited by this application.
  • VNF virtual network function
  • NF network function
  • EMS element management system
  • VNF functional components
  • VNFC Virtual network function component
  • a VNF has multiple VNFCs, and each VNFC is composed of one or more VIs.
  • a VNFC can be understood as a virtual instance VI group.
  • VNFP Virtual network function platform
  • VNFP provides functions such as managing VNFC, contacting network management, managing virtual devices, and bus communications.
  • a VNF has only one VNFP, and VNFP can have different forms.
  • VNFP can be combined with VNFC, or VNFP can be used as management software and inserted into the VI that constitutes the VNF, or it can be stored as a set of configuration lists in the configuration information of the VNF; this application does not impose restrictions on this.
  • Management and orchestration (MANO) is used to provide comprehensive management capabilities, including but not limited to orchestration, life cycle management of physical and/or software resources supporting infrastructure virtualization, life cycle management of VNF, etc.
  • MANO can also interact with the operation support system (OSS)/business support system (BSS) (external to NFV) to realize the management of NFV.
  • The NFV orchestrator (NFVO) is mainly used for the deployment and management of network services, and coordinates the deployment and management of VNFs based on network services.
  • NFVO can also interface with OSS/BSS to obtain business descriptions of network services.
  • NFVO can also be used to coordinate the deployment of VIM and VNFM or manage the corresponding VNF.
  • The VNF manager (VNFM) is mainly responsible for deploying or managing the corresponding VNF. It should be understood that each VNF is assumed to have an associated VNFM, and a VNFM may be assigned to manage a single VNF instance or to manage multiple VNF instances of the same or different types. VNFM is mainly responsible for: VNF instantiation, configuring NFV resources for the VNF, VNF instance update, VNF instance scaling, collection of VNF instance-related NFVI performance metrics and events and correlation with VNF instance-related events, assisted or automatic recovery of VNF instances, VNF instance termination, integrity management of VNF instances throughout their life cycles, global coordination and adaptation roles for configuration and event reporting between NFVI and EMS, etc. For example, VNFM can add VNFs, delete VNFs, and find VNFs according to the needs of the network management, or manage VNFs, such as monitoring and adjusting the status of a VNF.
  • VIM Virtualized infrastructure manager
  • a VIM can specifically handle a certain type of NFV resources or can manage multiple types of NFV resources.
  • VIM is mainly responsible for orchestrating the allocation/upgrade/de-allocation/recycling of NFV resources and managing the relationship between virtualization resources and computing, storage, and network resources; managing the catalog of hardware resources (computing, storage, network) and software resources (such as hypervisors); collecting and forwarding performance metrics and events for virtualized resources, etc.
  • VIM can control NFVI to provide corresponding virtual resources for VNF deployment or management according to NFVO scheduling.
  • VIM can be a cloud platform, such as an open source cloud platform such as OpenStack, or a commercial cloud platform such as VMware.
  • a virtual instance is a functional entity implemented through various virtualization methods, including but not limited to: traditional virtual machines implemented based on virtual machine technology, or virtual instances implemented based on container technology (for example, Docker), etc.
  • the noun “network element” refers to a functional component in the NFV architecture.
  • the network element can be NFVO, OSS, VNF or VNFM, etc.
  • the "network element" can also be called a "functional component", "equipment" or "device", etc.; the embodiments of the present application are not limited thereto.
  • NFV Network Functions Virtualization
  • Remote attestation is a distinct security service in which the measurement network element (called the attester) is requested to obtain data and send it to the verification network element (called the verifier), which verifies or interprets the internal state (including memory and storage) of a remote, untrusted device that may be infected by malware.
  • Remote attestation can be extended to allow remote code updates. This can be used to securely update the software running on the device, reset an infected device, or wipe the device.
  • the verifier generates a "challenge" containing some random number unique reference and request information, and requests the attester to measure.
  • Element management system (EMS): referred to as network management for short, it is mainly responsible for the functional management of VNF, including but not limited to fault, configuration, billing, performance and security management.
  • EMS can manage VNFs through proprietary interfaces.
  • EMS can manage one or multiple VNFs.
  • the EMS deployment form is flexible. It may be deployed in virtualized form together with the VNF, or it may be physically deployed in the computer room.
  • Relying party: takes follow-up actions based on the attestation results.
  • the specific form of the relying party is not limited.
  • it can be an ordinary network element (for example, NRF), or a network element located at the EMS, or a network element located in the MANO.
  • Measurement scenario: can be understood as a measurement process for one or more specified measurement objects in a specific scenario.
  • For example, the measurement scenario is to measure whether the security of the deployment environment or migration environment of business network elements meets the security requirements, which requires measuring and verifying one or more measurement objects in sequence.
  • Measurement object: can be understood as the specific target when measuring a certain measurement scenario.
  • One measurement scenario can correspond to one or more measurement objects.
  • the measurement object corresponding to the above measurement scenario can be the image file of the business network element.
  • Measurement content: can be understood as the specific evidence when measuring a measurement object.
  • a measurement object can correspond to one or more measurement contents.
  • the measurement content of the above measurement object can be the generation date of the image file, hash value, modification date, etc.
  • Metric index: can be understood as a baseline value, that is, the conditions that the measurement results are expected to meet.
  • One measurement content corresponds to one measurement index.
  • the generation date of the image file is the production date of the deployment of the service network element, etc.
  • tenant-oriented remote attestation can be used to conduct separate remote attestations for some tenants (for example, VNFs) in the NFV architecture.
  • remote attestation-based methods can be used to ensure the security of VNFs.
  • the attester will treat the VNF as a whole and measure every part of the VNF. At the same time, it cannot measure specific content and objects, which would make the entire remote attestation process lengthy and impractical.
  • this application provides a business management method that triggers remote attestation of specific content and objects according to different measurement scenarios, and measures specific parts of NFV for specific trigger scenarios, thereby reducing the complexity of measurement. This saves communication and computing overhead and further improves the practical effect of remote attestation.
  • FIG 3 is a schematic flow chart of a business management method 300 provided by an embodiment of the present application. As shown in Figure 3, the method 300 specifically includes the following steps.
  • the first network element receives the first request information.
  • the first network element receives the first request information from the service triggering party.
  • the service triggering party is the functional module that requests to initiate measurement.
  • the first request information is used to request measurement for a first measurement scenario, and the first measurement scenario is a measurement scenario that requires measurement.
  • the first request information includes at least one of the following information: indication information of the measurement object corresponding to the first measurement scenario, indication information of the measurement indicator corresponding to the first measurement scenario, indication information of the measurement level corresponding to the first measurement scenario, and the index corresponding to the first measurement scenario.
  • the first network element determines at least one second network element according to the mapping relationship.
  • the first network element determines at least one first measurement object corresponding to the first measurement scenario and the second network element corresponding to the first measurement object according to the local mapping relationship.
  • the second network element may be a network element capable of measuring the first measurement object, and one second network element may correspond to multiple first measurement objects, which is not limited by this application.
  • the first network element can obtain the mapping relationship through pre-configuration or other methods.
  • the mapping relationship is configured in the first network element through local configuration, which is not limited in this application.
  • mapping relationship is specifically used to indicate the correspondence between multiple indexes and multiple parameter groups, and each index corresponds to at least one measurement scenario.
  • measurement scenarios include but are not limited to:
  • the first scenario is used to measure whether the security of the deployment environment or migration environment of service network elements meets the requirements.
  • the deployment environment may be to deploy service network elements that have not yet been instantiated or have not been started to a new environment.
  • the migration environment may be migrating the instantiated or started service network elements to a new environment.
  • For example, when a service network element that has not yet been instantiated or started is deployed into a new environment (for example, NFV, or a virtualized network element deployment environment, or a cloud platform, or a telecommunications cloud), or a service network element that has been instantiated or started is deployed to such a new environment through migration, etc., it is necessary to measure whether the environment's image files, virtualization layers, hardware attributes, etc. are safe or meet deployment requirements, which is not limited by this application.
  • the service network elements may be various network elements in the communication system, such as session management network elements, mobility management network elements, etc., which are not limited by this application.
  • the hardware of the deployment environment can be the motherboard, CPU, security chip, etc. in the host hosting the service network element, which is not limited by this application.
  • the second scenario is used to measure whether the geographical location of one or more virtual storage instances of service network elements meets the requirements. For example, for one or more virtual instances responsible for storing information corresponding to a business network element, determine whether their geographical location is within a reasonable geographical range, which is not limited by this application.
  • the third scenario is to measure whether one or more software of service network elements meet the requirements. For example, for software in the virtualization layer, determine whether the software version is within a reasonable software version range, which is not limited by this application.
  • Each parameter group includes at least one of the following parameters: measurement index, measurement object, measurement indicator, and measurement level.
  • the measurement index is used to indicate the corresponding measurement scenario, and one measurement index corresponds to one measurement scenario.
  • the measurement object is the target for measuring a certain measurement scenario, such as the image file of the business network element, the geographical location of one or more virtual instances responsible for storing information corresponding to the business network element, the software of the virtualization layer on which the virtual instance is deployed, etc., which is not limited by this application.
  • the measurement content is relevant evidence of the measurement object that needs to be obtained, for example, the version of the software, the hash value of the image file of the service network element, etc., which is not limited by this application.
  • the measurement indicator (metric) is the expected range that the measurement results obtained based on the measurement content should meet, which can also be called the baseline value.
  • the metric can be a threshold.
  • For example, the metric is "the reasonable software version range is v1.1-v1.5". If the measurement result is "the software version is v1.2", the metric is satisfied.
  • the metric can also be "specific text". For example, the metric is "the geographical location is China", and if the measurement result is "the geographical location of the virtual instance is China", the metric is satisfied.
  • the metric can also be a "date". For example, the metric is "June 2019 to December 2019". If the measurement result is "August 2019", the metric is met.
  • the metric can also be a "hash value". For example, the metric is "3ac295783649". If the measurement result is "3ac295783649", the metric is satisfied. It should be understood that this application does not limit this.
  • the measurement indicator may be locally configured on the first network element or may be received from the service triggering party, which is not limited by this application.
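
The four indicator forms described above (version range, specific text, date range, hash value) can be checked as in the following added example, which is not part of the patent text. The dictionary layout, function names and the `YYYY-MM` date encoding are assumptions made for illustration; the baseline values are the ones quoted above.

```python
import hmac
import re


def _version(text):
    """Parse 'v1.10' into (1, 10) so versions compare numerically, not as strings."""
    m = re.fullmatch(r"v(\d+(?:\.\d+)*)", text.strip())
    if m is None:
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _month(text):
    """Parse 'YYYY-MM' into (year, month); the date example above is month-granular."""
    m = re.fullmatch(r"(\d{4})-(\d{2})", text.strip())
    if m is None or not 1 <= int(m.group(2)) <= 12:
        raise ValueError(f"malformed month: {text!r}")
    return int(m.group(1)), int(m.group(2))


def appraise(indicator, result):
    """Return True only if one measurement result satisfies its indicator (baseline)."""
    kind = indicator["kind"]
    try:
        if kind == "version_range":
            versions = [_version(v) for v in (indicator["min"], result, indicator["max"])]
            width = max(len(v) for v in versions)
            # Pad with zeros so that v1.5 and v1.5.0 compare as equal.
            low, got, high = [v + (0,) * (width - len(v)) for v in versions]
            return low <= got <= high
        if kind == "text":
            return result.strip().casefold() == indicator["value"].strip().casefold()
        if kind == "date_range":
            return _month(indicator["start"]) <= _month(result) <= _month(indicator["end"])
        if kind == "hash":
            # Constant-time comparison; hex digests are compared case-insensitively.
            return hmac.compare_digest(result.strip().lower().encode(),
                                       indicator["value"].lower().encode())
    except (ValueError, AttributeError, TypeError):
        return False  # malformed or missing evidence fails closed
    raise ValueError(f"unknown indicator kind: {kind!r}")


def appraise_object(baseline, evidence):
    """Check every measurement content of one measurement object.

    baseline: {measurement content: indicator}; evidence: {measurement content: result}.
    Each content has exactly one indicator, and content without evidence fails.
    """
    details = {content: appraise(indicator, evidence.get(content))
               for content, indicator in baseline.items()}
    return all(details.values()), details


# Constructed baselines that reuse the indicator values quoted in the text.
IMAGE_FILE_BASELINE = {
    "hash value": {"kind": "hash", "value": "3ac295783649"},
    "generation date": {"kind": "date_range", "start": "2019-06", "end": "2019-12"},
}
SOFTWARE_BASELINE = {
    "software version": {"kind": "version_range", "min": "v1.1", "max": "v1.5"},
}
LOCATION_BASELINE = {
    "geographical location": {"kind": "text", "value": "China"},
}

if __name__ == "__main__":
    # Constructed evidence for the image file of a service network element.
    print(appraise_object(IMAGE_FILE_BASELINE,
                          {"hash value": "3ac295783649", "generation date": "2019-08"}))
    print(appraise(SOFTWARE_BASELINE["software version"], "v1.10"))
```

Parsing versions into integer tuples matters here: a plain string comparison would accept "v1.10" as lying between "v1.1" and "v1.5".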
  • the measurement level is the range of measurement objects that can be measured when measuring a certain measurement scenario. It can also be called the security level. For example, when the measurement level is level 1, all measurement objects corresponding to the measurement scenario are measured; for another example, when the measurement level is level 2, the measurement objects with the first two levels of measurement levels in the measurement scenario are measured, which is not limited by this application.
  • Table 1 exemplarily lists some mapping relationships, that is, the corresponding relationships between multiple indexes and multiple parameter groups.
  • one index corresponds to one measurement scenario, and one measurement scenario can correspond to one or more measurement objects. It should be understood that the above Table 1 is only an example and is not limited by this application.
  • the first network element determines the measurement scenario as the first scenario according to the mapping relationship, and then determines, based on the measurement level being 1, that the measurement objects are the image file of the service network element, one or more virtualization layers corresponding to the deployment environment or migration environment, and the attributes of one or more hardware corresponding to the deployment environment or migration environment. It further determines that the second network element can be an image verification network element (for example, the IMG verifier located in MANO), a virtualization infrastructure management network element (for example, MANO-VIM at the virtualization layer) and a geographical location verification network element (for example, Cloud OS verifier at the virtualization layer).
  • the first network element determines the measurement scenario to be the second scenario according to the mapping relationship, and then determines, based on the measurement level being 1, that the measurement object is the geographical location of one or more virtual instances responsible for storing information corresponding to the service network element. It further determines that the second network element can be the geographical location verification network element (for example, Cloud OS verifier located at the virtualization layer).
  • the first network element determines that the measurement scenario is the third scenario according to the mapping relationship, and then determines, based on the measurement level of 2, that the measurement object is the software of the virtualization layer on which the virtual instance is deployed. It further determines that the second network element can be the cloud operating system verification network element (for example, Cloud OS verifier located at the virtualization layer).
  • IMG verifier and Cloud OS verifier are verification network elements (verifiers) deployed in different locations and with different functions.
  • IMG verifier and Cloud OS verifier are only examples. This application may also involve verifiers with other functions, such as Guest OS verifier, VNF verifier, etc., which is not limited by this application.
  • IMG verifier can be a network element located in MANO, such as deployed on MANO-VNFM.
  • IMG verifier is mainly used to verify evidence related to the integrity of the image file.
  • For example, the IMG verifier located in MANO requests its corresponding IMG attester to obtain relevant evidence of the image file and verifies the relevant evidence, which is not limited by this application.
  • Cloud OS verifier can be a network element located in MANO or the virtualization layer.
  • Cloud OS verifier is mainly used to verify relevant evidence of whether the specified virtualization layer and hardware layer are safe and of their configuration.
  • For example, the Cloud OS verifier located in the virtualization layer requests its corresponding Cloud OS attester to obtain relevant evidence located in the hardware layer, virtualization layer, or virtual instance, and verifies the relevant evidence, which is not limited by this application.
  • the Guest OS verifier can be a network element located in the virtual instance.
  • the Guest OS verifier is mainly used to verify relevant evidence of whether the software in the virtual instance is safe and of its configuration.
  • For example, the Guest OS verifier located in the virtual instance requests its corresponding Guest OS attester to obtain relevant evidence of the software in the virtual instance and verifies the relevant evidence, etc., which is not limited by this application.
  • VNF verifier: the service network element verification network element.
  • VNF verifier can be a functional module on the EMS or a verification function module located on other service network elements.
  • VNF verifier is mainly used to verify relevant evidence of the security and configuration of service network elements. For example, the VNF verifier located on the EMS requests the corresponding VNF attester to obtain the relevant evidence of the VNFP and verifies the relevant evidence, etc., which is not limited by this application.
  • when the first network element determines that the at least one measurement object in the first request information contains a measurement object that the measurement network element corresponding to the first network element cannot measure, the first network element determines that measurement object to be the first measurement object, determines according to the mapping relationship a second network element that can measure the first measurement object, and sends second request information to the second network element to request that the first measurement object be measured.
  • the judgment can be made in the following ways:
  • After the first network element obtains the measurement object that needs to be measured, it determines the network element corresponding to the measurement object based on the mapping relationship. If that network element is another network element, the first network element determines that the measurement object is a measurement object that cannot be measured by the measurement network element corresponding to the first network element.
  • For example, the first network element is MANO-VNFM and the measurement object is the image file of the service network element. The first network element determines through the mapping relationship that the network element that measures the image file is the IMG verifier, which is not MANO-VNFM. The first network element then determines that the image file of the service network element is a measurement object that cannot be measured.
  • If the first network element determines that its preconfigured measurement indicators do not include an indicator that can verify the measurement object, the first network element determines that the measurement object cannot be measured by the measurement network element corresponding to the first network element.
  • For example, the measurement object is the software of the virtual instance, and the measurement indicator corresponding to the measurement object is "the version range of the software is v1.1-v1.5". If the measurement indicators preconfigured by the first network element do not include "the version range of the software is v1.1-v1.5", the first network element determines that the image file of the service network element is a measurement object that cannot be measured.
  • If the first network element determines that its preconfigured measurable objects do not include the measurement object that needs to be measured, the first network element determines that the measurement object cannot be measured by the measurement network element corresponding to the first network element.
  • For example, the measurement object that needs to be measured is the image file of the service network element. If the measurable objects preconfigured by the first network element do not include the image file of the service network element, the first network element determines that the measurement object cannot be measured by the measurement network element corresponding to the first network element.
  • the above method of determining whether there is a measurement object corresponding to the first network element that cannot be measured among at least one measurement object in the first request information is only an example, and is not limited by this application.
  • S330 The first network element sends the second request information to at least one second network element.
  • After the first network element determines at least one first measurement object, it determines the second network element corresponding to the first measurement object according to the mapping relationship, and sends the second request information to the second network element to request that the first measurement object be measured.
  • the second request information is used to request measurement for the first measurement scenario.
  • the second request information also includes measurement content and measurement indicators.
  • When the second request information does not include the measurement content and the measurement index, the second network element obtains the measurement content and the measurement index for the measurement of the first measurement scenario through local preconfiguration.
  • When the first network element determines that at least one measurement object in the first request information includes a measurement object that can be measured by the measurement network element corresponding to the first network element, the first network element determines that measurement object to be the second measurement object and sends third request information to at least one measurement network element corresponding to the first network element to request measurement of the second measurement object.
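
The lookup and dispatch described above (index to parameter group, then second requests to other verifiers and a third request to the first network element's own measurement network element) can be sketched as follows. This is an added example, not code from the patent: Table 1 is not reproduced on this page, so the `MAPPING` contents, the index values, the per-object verifier assignment, the request field names and the "local attester" label are all constructed assumptions; only the scenario, level and verifier names follow the text.

```python
from collections import defaultdict

# Constructed stand-in for Table 1: index -> parameter group (assumed values).
MAPPING = {
    "0001": {"scenario": "first scenario", "level": 1, "objects": {
        "image file of the service network element": "IMG verifier",
        "virtualization layer of the deployment environment": "MANO-VIM",
        "hardware attributes of the deployment environment": "Cloud OS verifier"}},
    "0002": {"scenario": "second scenario", "level": 1, "objects": {
        "geographical location of storage virtual instances": "Cloud OS verifier"}},
    "0003": {"scenario": "third scenario", "level": 2, "objects": {
        "virtualization-layer software": "Cloud OS verifier"}},
}


class FirstNetworkElement:
    """Resolves a first request into second requests and an optional third request."""

    def __init__(self, name, measurable_objects=(), mapping=None):
        self.name = name
        self.measurable = frozenset(measurable_objects)  # preconfigured measurable objects
        self.mapping = MAPPING if mapping is None else mapping

    def plan(self, first_request):
        group = self.mapping.get(first_request.get("index"))
        if group is None:
            raise LookupError("index has no parameter group")  # fail closed
        # The request may name specific objects; otherwise take the whole scenario.
        wanted = first_request.get("objects") or list(group["objects"])
        unknown = [obj for obj in wanted if obj not in group["objects"]]
        if unknown:
            raise LookupError(f"objects not in scenario: {unknown}")
        indicators = first_request.get("indicators", {})

        remote, local = defaultdict(list), []
        for obj in wanted:
            verifier = group["objects"][obj]
            if verifier != self.name:
                remote[verifier].append(obj)   # "first measurement object"
            elif obj in self.measurable:
                local.append(obj)              # "second measurement object"
            else:
                raise RuntimeError(f"{self.name} is mapped to {obj!r} but is not "
                                   "configured to measure it")

        def request(target, objs):
            req = {"to": target, "scenario": group["scenario"],
                   "level": group["level"], "objects": objs}
            # Indicators are carried only when supplied; otherwise the receiver
            # falls back to its local preconfiguration.
            carried = {o: indicators[o] for o in objs if o in indicators}
            if carried:
                req["indicators"] = carried
            return req

        return {
            # One request per second network element, covering all its objects.
            "second_requests": [request(v, objs) for v, objs in remote.items()],
            "third_request": request("local attester", local) if local else None,
        }


if __name__ == "__main__":
    vnfm = FirstNetworkElement("MANO-VNFM")
    for req in vnfm.plan({"index": "0001"})["second_requests"]:
        print(req)
```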
  • the method 300 further includes:
  • the first network element obtains the first configuration information.
  • the first configuration information is used to indicate the corresponding relationship between multiple identifiers and multiple virtual instance groups.
  • each virtual instance group includes multiple virtual instances, and the storage content corresponding to any two virtual instance groups is different.
  • For example, the virtual instance group numbered 01 is used to store data information, and the virtual instance group numbered 02 is used for calculation, etc., which is not limited by this application.
  • the virtual instance group may be a virtual network function component (VNFC), which is not limited by this application.
  • each VNF includes multiple VNFCs with different functions. It can be understood that the NFV system includes multiple VNFs, where each VNF is composed of multiple VIs. The VIs are divided into different VNFCs according to their different functions.
  • the storage content includes at least one of the following: user information, communication records, and business data.
  • user information may include information about the terminal device in the network, communication records may include record information between multiple network elements, and service data may include subscription database information of the terminal device, etc., which is not limited by this application.
  • the first network element obtains the first configuration information by requesting a query from the VNFP.
  • the first network element obtains the first configuration information through measurement by the service network element verification network element.
  • After the first network element obtains the first configuration information, it can determine the virtual instance group that needs to be verified through the measurement object in the first request information, carry the identity of the virtual instances in the virtual instance group in the request information, and request the second network element to measure the virtual instance group.
  • the method 300 further includes:
  • the first network element obtains the second configuration information.
  • the second configuration information is used to indicate the corresponding relationship between multiple identifiers and multiple software
  • the multiple software includes at least one of the following: software in the virtual instance, and software in the virtualization layer deployed by the virtual instance. For example, VI-1 corresponding to No. 0001 includes Cloud OS-1 and hypervisor-1 software, etc., which is not limited by this application.
  • the first network element obtains the second configuration information by requesting a query from the VNFP.
  • the first network element obtains the second configuration information through measurement by the service network element verification network element.
  • the service network element verification network element can be a VNF verifier, which is not limited by this application.
  • After the first network element obtains the second configuration information, it can determine the software corresponding to the VI that needs to be verified through the measurement object in the first request information, carry the identification of the software in the request information, and request the second network element to measure the software.
  • the second network element measures at least one first measurement object and determines the first measurement result information.
  • after receiving the second request information from the first network element, the second network element measures the first measurement scenario according to the measurement scenario, measurement object, measurement content and measurement index, and determines the first measurement result information.
  • the first measurement result information is used to indicate the first measurement result for the at least one first measurement object.
  • the measurement scenario is the first scenario:
  • the second network element verifies the correctness of the image file of the service network element to obtain the first measurement result.
  • verifying the correctness of the image file of the service network element may include verifying whether the image file is complete, for example, whether the hash value, file name, and modification time of the image file comply with the baseline value, which is not limited by this application.
  • the second network element verifies the security of one or more virtualization layers corresponding to the deployment environment or migration environment and obtains the first measurement result.
  • the second network element verifies the attributes of one or more hardware corresponding to the deployment environment or migration environment and obtains the first measurement result.
  • verifying the attributes of one or more hardware corresponding to the deployment environment or migration environment may include verifying whether the hardware includes security hardware (for example, security chips, global positioning system (GPS) modules, etc.), or whether the geographical location of the cloud server where the hardware is located is safe, etc., which is not limited by this application.
  • the second network element (such as Cloud OS verifier) verifies the geographical location of the above virtual instances and obtains the first measurement result.
  • verifying the geographical location of the virtual instance may include verifying whether the geographical location of the virtual instance responsible for storing information is within the expected geographical location, for example, whether the geographical location of VI-1 is within the expected "Beijing, China". This application does not limit this.
  • the second network element (for example, the Guest OS verifier located in the virtual instance)
  • verifying the software in the virtual instance may include verifying whether the version of the software is within a reasonable software version range, etc., which is not limited by this application.
  • the second network element (such as the Cloud OS verifier located at the virtualization layer) verifies the software of the virtualization layer deployed by the virtual instance and obtains the first measurement result.
  • the verification of the virtualization layer software deployed in the virtual instance may include verifying whether the version of the software is within a reasonable software version range, etc., which is not limited by this application.
  • the first network element receives the first metric information.
  • the first measurement information includes at least one first measurement result information sent by the at least one second network element.
  • the first network element determines that among at least one measurement object in the first request information, there is a measurement object that can be measured by the measurement network element corresponding to the first network element, that is, a second measurement object
  • the first network element requests at least one measurement network element corresponding to the first network element to measure the second measurement object and receives the second measurement information.
  • the second measurement information includes at least one second measurement result information sent by at least one measurement network element corresponding to the first network element, and the second measurement information is used to indicate the second measurement result for the second measurement object.
  • the first network element sends first feedback information for the first request information based on the first metric information.
  • the first network element determines the first feedback information based on whether the first metric information meets the metric index, and feeds it back to the service triggering party.
  • the first feedback information is used to indicate whether the first measurement scenario meets the requirements.
  • the first network element when the first network element receives the second metric information, the first network element determines the first feedback information based on the first metric information and the second metric information, and feeds it back to the service triggering party.
  • the method further includes:
  • the first network element sends the first instruction information to the service network element management network element.
  • the first instruction information is used to instruct reconfiguration of one or more measurement objects.
  • reconfiguring measurement objects includes but is not limited to: restarting virtual instances that do not meet the requirements, using image files to re-instantiate business network elements, re-providing image files, etc. This application does not limit this.
  • the first network element can measure specific parts of NFV in a targeted manner according to the different measurement scenarios triggered by the service triggering party, which reduces the complexity of measurement, saves communication and computing overhead, and further improves the practicality of remote certification.
  • the network elements that are measured and the measurement process are different.
  • the specific measurement processes of different measurement scenarios are described in detail below with reference to Figures 4-6.
  • Figure 4 is a schematic diagram of a communication method 400 provided by an embodiment of the present application.
  • Figure 4 may refer to the description of Figure 3.
  • the method 400 may include the following steps.
  • One possible implementation manner is for the service triggering party to send trigger request information to the EMS to trigger measurement of the security of the deployment environment of the service network element.
  • One possible implementation manner is that when the service triggering party and the EMS are deployed together, the EMS is internally triggered to measure the security of the deployment environment of the service network element.
  • the trigger request information includes at least one of the following: network element type and measurement level.
  • the trigger request information includes network element type and metric level.
  • the network element type is used by the network management EMS to determine the security environment used when deploying service network elements, so as to request measurement of whether the new environment meets the security environment.
  • the measurement level is used to indicate the measurement objects that need to be measured when measuring the security of the deployment environment.
  • the measurement level can also be called security level or security requirement description. This application does not limit this name.
  • when the measurement level is 1, there are three measurement objects, specifically the image file of the service network element, the security of one or more virtualization layers corresponding to the deployment environment, and one or more hardware corresponding to the deployment environment.
  • when the measurement level is 2, there are two measurement objects, specifically the image file of the service network element and one or more virtualization layers corresponding to the deployment environment.
  • the measurement object corresponding to each measurement level includes one or more virtualization layers corresponding to the deployment environment.
  • the measurement object can also refer to other objects and is not limited to the above three types, and the embodiment of the present application does not limit this.
  • the trigger request information may not include the measurement level, that is, the trigger request information only includes the network element type, and the EMS determines the measurement level for measuring the deployment environment based on the preconfiguration.
  • EMS sends the first request information to MANO-VNFM (MANO-VNF manager).
  • MANO-VNFM receives the first request information from the EMS.
  • the MANO-VNFM in the above S402 can be understood as the first network element in S330.
  • MANO-VNFM is a network element located in MANO and is responsible for managing virtual network functions, including but not limited to virtual network function instantiation, monitoring, repair, expansion, update and backup.
  • the first request information is used to request to measure whether the security of the deployment environment of the service network element meets the requirements.
  • the first request information includes a measurement strategy.
  • the measurement strategy is the measurement result feedback of the measurement object corresponding to the measurement level, for example, the measurement results of the image file of the business network element, the measurement results of one or more virtualization layers corresponding to the deployment environment, the measurement results of the attributes of one or more hardware corresponding to the deployment environment, etc. This application does not limit this.
  • the first request information may also include NFVI deployment location requirements.
  • the NFVI deployment location requirement is the geographical location where the service network element is expected to be deployed.
  • the geographical location can be a specific location or a location range.
  • the NFVI deployment location requirement can refer to the requirement that the hardware COTS has a trusted execution environment;
  • the NFVI deployment location requirement can also refer to the use of containers for virtual instances; or the NFVI deployment location requirement can also refer to traditional virtual machine implementation; or the NFVI deployment location requirement can also refer to the specified virtual machine group identifiers that make up the VNF.
  • the NFVI deployment location requirement can also be to host the Cloud OS located in the hardware geographical location identifier (for example, the availability zone (Az) number), this application
  • MANO-VNFM determines the measurement object.
  • MANO-VNFM analyzes the measurement strategy in the first request information and determines the measurement object.
  • a measurement object corresponds to one or more measurement indicators, and the measurement indicator is the expected range that the measurement result of the measurement object should meet.
  • the metric can be sent by the EMS, or can be obtained by the MANO-VNFM according to the local configuration, which is not limited by this application.
  • the method may also include S404-S406.
  • MANO-VNFM sends the second request information to IMG verifier.
  • the IMG verifier receives the second request information from MANO-VNFM.
  • the MANO-VNFM in the above S404 can be understood as the first network element in S330, and the IMG verifier can be understood as the second network element in S330.
  • IMG verifier is the network element used to verify image files in the MANO system. It should be noted that the network element used to verify the image file can also be other network elements. This application only uses IMG verifier as an example for explanation, and there is no limit to this.
  • the second request information is used to request IMG verifier to verify the correctness of the image file of the service network element.
  • the second request information includes identification information of the image file of the service network element.
  • the identification information is used to indicate the image file corresponding to the service network element.
  • the identification information may include the file name, the hash value of the file, the directory of the file, etc., and is not limited by this application.
  • verifying the correctness of the image file of the service network element can be understood as verifying whether the image file is complete or has been tampered with, for example, whether the hash value, file name, and modification time of the image file comply with the metric or baseline value.
  • IMG verifier requests IMG attester to measure the image file of the service network element.
  • after receiving the second request information, the IMG verifier requests evidence from the IMG attester. After receiving the corresponding evidence, it verifies the above one or more pieces of evidence according to the measurement indicators to obtain the first measurement result information.
  • the first measurement result information is used to indicate whether the image file of the service network element meets the measurement indicators.
  • IMG verifier returns the first measurement result information corresponding to the image file of the service network element to MANO-VNFM.
  • the measurement process when the measurement object is the image file of the service network element, that is, S404-S406, is illustrated with an example.
  • IMG verifier requests its corresponding IMG attester to find the corresponding udm123.img file on the storage device; the IMG attester measures the file, obtains evidence such as the file's generation date, hash value, and modification date, and returns this evidence to the IMG verifier.
  • IMG verifier uses the metrics sent by MANO-VNFM or the locally configured metrics to determine whether the above evidence meets the metrics, determines the first measurement result information of the udm123.img file, for example, "the remote certification result of udm123.img is qualified", and returns the first measurement result information to MANO-VNFM.
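The S404-S406 exchange above, as an added example that is not part of the patent text: an attester measures the image file and a verifier compares each piece of evidence with its indicator. The class and function names, the image contents, the dates, and the rule that the file must not be modified after the baseline date are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in for the contents of udm123.img (not a real image).
GOOD_IMAGE = b"constructed UDM image contents v1"
RELEASED = datetime(2023, 1, 10, tzinfo=timezone.utc)  # constructed date


@dataclass(frozen=True)
class Evidence:
    """What the IMG attester returns after measuring the file."""
    file_name: str
    sha256: str
    modified: datetime


@dataclass(frozen=True)
class Baseline:
    """Measurement indicators: the values the evidence must match."""
    file_name: str
    sha256: str
    not_modified_after: datetime


BASELINE = Baseline("udm123.img", hashlib.sha256(GOOD_IMAGE).hexdigest(), RELEASED)


def attest_image(file_name: str, content: bytes, modified: datetime) -> Evidence:
    """IMG attester role: measure the file and package the evidence."""
    return Evidence(file_name, hashlib.sha256(content).hexdigest(), modified)


def verify_image(evidence: Evidence, baseline: Baseline) -> dict:
    """IMG verifier role: check every indicator and report which ones failed."""
    failed = []
    if evidence.file_name != baseline.file_name:
        failed.append("file_name")
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(evidence.sha256.lower(), baseline.sha256.lower()):
        failed.append("sha256")
    # Assumed rule: the file must not have changed after the baseline date.
    if evidence.modified > baseline.not_modified_after:
        failed.append("modified")
    return {
        "object": evidence.file_name,
        "qualified": not failed,
        "failed_indicators": failed,
    }


if __name__ == "__main__":
    clean = attest_image("udm123.img", GOOD_IMAGE, RELEASED)
    print(verify_image(clean, BASELINE))

    # Tampered content whose name and modification time were left untouched.
    quiet = attest_image("udm123.img", GOOD_IMAGE + b"\x00", RELEASED)
    print(verify_image(quiet, BASELINE))
```

File name and modification time are metadata that a modified file can keep unchanged, so in the second case only the digest indicator reports the change.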
  • the method 400 may also include S407-S408.
  • MANO-VNFM sends the third request information to MANO-VIM.
  • MANO-VIM receives the third request information from MANO-VNFM.
  • the MANO-VNFM in the above S407 can be understood as the first network element in S330, and the MANO-VIM can be understood as the second network element in S330.
  • the third request information is used to request MANO-VIM to verify the security of one or more virtualization layers in the specified NFVI part in the deployment environment.
  • when the first request information includes the NFVI deployment location requirement, MANO-VNFM requests MANO-VIM to perform remote certification of one or more virtualization layers in the specified NFVI area.
  • a possible implementation manner is that when the NFVI deployment location is not included in the first request information, MANO-VNFM requests MANO-VIM to perform remote attestation of one or more virtualization layers in the specified NFVI area based on the pre-configured specified NFVI area.
  • MANO-VIM requests to measure one or more virtualization layers corresponding to the deployment environment.
  • MANO-VIM parses the NFVI deployment location requirement in the received third request information, and requests the attester corresponding to MANO-VIM to obtain relevant evidence of one or more virtualization layers corresponding to the deployment environment. After MANO-VIM receives the relevant evidence, it verifies the above evidence based on the measurement indicators and obtains the first measurement result information.
  • MANO-VIM returns the first measurement result information corresponding to one or more virtualization layers corresponding to the deployment environment to MANO-VNFM.
  • the first measurement result information is used to indicate whether one or more virtualization layers corresponding to the deployment environment meet the measurement indicators.
  • the NFVI deployment location requirement indicates deployment in the COTS host with Az number 0010
  • after MANO-VNFM receives the request for remote certification of the COTS host with Az number 0010, it sends the second request information to MANO-VIM to request verification of whether the COTS host with Az number 0010 performs trusted startup.
  • after MANO-VIM receives the request, it uses the attester corresponding to MANO-VIM to obtain relevant evidence, such as the certification documents after trusted startup, the time after the trusted startup execution, and the hash value sequence generated during the trusted startup process; MANO-VIM then verifies the above evidence based on the measurement indicators and obtains the first measurement result information, for example, "the remote certification result of the COTS host with Az number 0010 is qualified", and returns the first measurement result information to MANO-VNFM.
  • the method 400 may also include S410-S414.
  • MANO-VNFM sends fourth request information to MANO-VIM.
  • the second request information is used to request MANO-VIM to remotely prove the security of one or more hardware in the specified NFVI part in the deployment environment.
  • the security of one or more hardware can be understood as whether there is security hardware in the one or more hardware (for example, whether there is a secure platform chip, a secure execution environment, etc.), or it can be understood as whether the one or more hardware is deployed within a predetermined geographical range (for example, whether the data center number, rack number, etc. are located within the predetermined geographical range). It should be understood that the embodiments of the present application are not limited to the above two situations.
  • MANO-VIM sends the fourth request information to Cloud OS verifier.
  • MANO-VIM determines that it does not have the ability to measure the security of one or more hardware, and therefore forwards the fourth request information to the geographical location verification network element.
  • the geographical location verification network element may be located in Cloud OS, such as Cloud OS verifier.
  • this application uses Cloud OS verifier as an example for explanation.
  • MANO-VIM requests Cloud OS verifier to remotely prove the security of one or more hardware in the specified NFVI area.
  • MANO-VIM requests the Cloud OS verifier to remotely prove the security of one or more hardware in the specified NFVI area based on the preconfigured NFVI area.
  • Cloud OS verifier requests Cloud OS attester to measure the security of one or more hardware in the specified NFVI area.
  • Cloud OS verifier requests Cloud OS attester to obtain evidence of the security of one or more hardware corresponding to the deployment environment. After receiving the corresponding evidence, Cloud OS verifier verifies the above evidence based on the measurement indicators and obtains the first measurement result information.
  • Cloud OS verifier returns to MANO-VIM the first measurement result information corresponding to the security of one or more hardware corresponding to the deployment environment.
  • the first measurement result information is used to indicate whether the security of one or more hardware corresponding to the deployment environment meets the measurement indicators.
  • MANO-VIM returns the first measurement result information corresponding to the security of one or more hardware corresponding to the deployment environment to MANO-VNFM.
  • the measurement process when the measurement object is the security of one or more hardware corresponding to the deployment environment, that is, S410-S414, will be described with an example.
  • MANO-VNFM receives the request for remote certification of the hardware layer numbered 0010, and sends the second request information to MANO-VIM.
  • MANO-VIM forwards the second request information to Cloud OS verifier and requests Cloud OS verifier to remotely prove the security of the hardware layer numbered 0010.
  • Cloud OS verifier requests Cloud OS attester to measure it, for example, the hardware layer numbered 0010.
  • Cloud OS verifier obtains relevant evidence, such as the certification documents after trusted startup, the time after trusted startup execution, and the hash value sequence generated during trusted startup; Cloud OS verifier then verifies the above evidence based on the measurement indicators and obtains the first measurement result information, for example, "the remote certification result of the host numbered 0010 is qualified", and the first measurement result information is returned to MANO-VNFM through MANO-VIM.
  • MANO-VNFM returns the first metric information to the EMS.
  • the first measurement information includes one or more first measurement result information corresponding to one or more measurement objects.
  • MANO-VNFM summarizes one or more first measurement result information received from MANO-VIM, IMG verifier, etc., and carries one or more first measurement result information in the first measurement information and returns it to EMS.
  • the remote certification result of the image file of the service network element.
  • the remote certification result of one or more virtualization layers corresponding to the deployment environment is unqualified
  • the security of one or more hardware corresponding to the deployment environment is qualified, etc. This application does not limit this.
  • One possible implementation is that when the measurement objects include one or more virtualization layers corresponding to the deployment environment and the security of one or more hardware corresponding to the deployment environment, after MANO-VIM returns the received first measurement result information of the security of the one or more hardware to MANO-VNFM, MANO-VNFM returns the first measurement result information of the one or more virtualization layers corresponding to the deployment environment and the first measurement result information of the security of the one or more hardware corresponding to the deployment environment to the EMS together.
  • the security of one or more hardware corresponding to the deployment environment is obtained in the third step.
  • MANO-VNFM returns the two first measurement result information together.
  • S416 Based on the first metric information received in S415, the EMS comprehensively determines whether the deployment environment of the designated NFVI area meets the conditions for deploying/migrating service network elements.
  • the EMS determines that the deployment environment of the specified NFVI area meets the conditions for deploying/migrating VNF.
  • the EMS determines that the deployment environment of the specified NFVI area does not meet the conditions for deploying/migrating VNF.
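The level-driven measurement and the S416 decision described above, as an added example that is not part of the patent text. The function names and sample data are constructed; the PCR-extend style folding of the trusted-startup hash sequence and the rule that an object nobody can measure counts as unqualified are assumptions, since the page only says that a hash value sequence is produced and that the EMS decides comprehensively.

```python
import hashlib

IMAGE, VIRT_LAYER, HARDWARE = "image_file", "virtualization_layer", "hardware"

# Measurement level -> measurement objects, as listed on the page.
LEVEL_OBJECTS = {1: (IMAGE, VIRT_LAYER, HARDWARE), 2: (IMAGE, VIRT_LAYER)}


def fold_boot_sequence(digests):
    """Fold a trusted-startup hash sequence into one value.

    Assumption: PCR-extend style chaining, acc = SHA-256(acc || digest),
    so a missing, extra or reordered stage changes the final value.
    """
    acc = bytes(32)
    for digest in digests:
        acc = hashlib.sha256(acc + digest).digest()
    return acc.hex()


# Constructed sample data for the COTS host with Az number 0010.
GOOD_IMAGE = b"constructed image contents"
BOOT_STAGES = [hashlib.sha256(s).digest()
               for s in (b"firmware", b"bootloader", b"hypervisor-1")]
BASELINE = {
    "image_sha256": hashlib.sha256(GOOD_IMAGE).hexdigest(),
    "boot": {"0010": fold_boot_sequence(BOOT_STAGES)},
    "allowed_az": {"0010"},
}


def result(ok, reason):
    """One piece of first measurement result information."""
    return {"qualified": ok, "reason": "" if ok else reason}


def img_verifier(image):
    """IMG verifier role: digest of the image against the baseline."""
    def verify(_az):
        ok = hashlib.sha256(image).hexdigest() == BASELINE["image_sha256"]
        return result(ok, "image digest mismatch")
    return verify


def virt_verifier(reported_boot):
    """MANO-VIM role: trusted-startup evidence for the host in this Az."""
    def verify(az):
        ok = fold_boot_sequence(reported_boot) == BASELINE["boot"].get(az)
        return result(ok, "boot sequence mismatch")
    return verify


def hw_verifier(inventory):
    """Cloud OS verifier role (reached through MANO-VIM): hardware attributes."""
    def verify(az):
        has_chip = bool(inventory.get(az, {}).get("security_chip"))
        return result(has_chip and az in BASELINE["allowed_az"],
                      "hardware attribute not met")
    return verify


def measure(level, verifiers, az):
    """MANO-VNFM role: measure only the objects this level requires."""
    info = {}
    for obj in LEVEL_OBJECTS[level]:
        verify = verifiers.get(obj)
        # Assumption: an object nobody can measure counts as unqualified.
        info[obj] = verify(az) if verify else result(False, "no verifier available")
    return info


def ems_decide(level, first_metric_info):
    """EMS role (S416): deployable only if every required object is qualified."""
    unmet = [obj for obj in LEVEL_OBJECTS[level]
             if not first_metric_info.get(obj, {}).get("qualified")]
    return {"deployable": not unmet, "unmet": unmet}


def run(level, verifiers, az="0010"):
    return ems_decide(level, measure(level, verifiers, az))


if __name__ == "__main__":
    good = {IMAGE: img_verifier(GOOD_IMAGE),
            VIRT_LAYER: virt_verifier(BOOT_STAGES),
            HARDWARE: hw_verifier({"0010": {"security_chip": True}})}
    print(run(1, good))
    # Same stages in a different order: the folded value no longer matches.
    print(run(2, dict(good, **{VIRT_LAYER: virt_verifier(BOOT_STAGES[::-1])})))
```

At level 2 the hardware verifier is never called, so a host without a security chip still passes; that is the overhead saving the page describes, and it is also why the level has to match the security requirement of the network element being deployed.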
  • the method may also include: S417, the EMS determines a deployment location in the designated NFVI area and instructs MANO-VNFM and MANO-VIM to deploy service network elements at this deployment location.
  • MANO-VNFM deploys the service network element and remotely proves whether the service network element is successfully deployed.
  • MANO-VNFM instructs MANO-VIM to initialize a service network element using the UDM123.img file at the proven location numbered 0010.
  • the software in MANO-VNFM initializes the service network element through the udm123.img file.
  • the software allows the service network element to perform trusted startup to generate a series of hash values, which are stored in MANO-VNFM.
  • MANO-VIM reports the geographical location number of the service network element after startup, and provides remote certification results to MANO-VNFM.
  • the method 400 further includes: S419, MANO-VNFM returns deployment result information to the EMS.
  • the deployment result information is used to indicate that the service network element is deployed successfully.
  • the deployment result information includes certification information of service network element deployment.
  • the certification information for the deployment of the service network element can include: the signature of the VNFM, the hash value generated by the successful deployment of the service network element, the number of the successfully deployed virtual instance, the deployment vDC number, the Az number of the corresponding hardware of the service network element, etc.
  • the embodiments of the present application do not limit this.
  • S420 The EMS verifies the certification information of the service network element deployment in S419, and determines whether the deployment of the service network element performed by MANO-VNFM is trustworthy.
  • the EMS determines whether the MANO-VNFM is trustworthy in deploying the service network element by verifying the signature of the VNFM, the hash value generated by the successful deployment of the service network element, etc. This application does not limit this.
  • S421 EMS returns deployment result response information to the service triggering party.
  • the EMS replies to the service triggering party with deployment result response information indicating that the service network element cannot be deployed safely.
  • the EMS replies to the service triggering party with a deployment result response message indicating that the service network element has been successfully deployed on demand.
  • the method provided in this embodiment can determine whether the deployment environment is safe by measuring specific parts of NFVI when deploying a new network element, thereby determining whether the network element can be deployed at the deployment location. It achieves accurate, scenario-triggered measurement, saves measurement overhead, and increases practicality.
  • the measurement method can be used as shown in Figure 5.
  • the following is a detailed introduction in conjunction with Figure 5.
  • Figure 5 is a schematic diagram of a communication method 500 provided by an embodiment of the present application.
  • Figure 5 may refer to the description of Figure 3.
  • the method 500 may include the following steps.
  • the first request information is sent to the EMS to trigger the EMS to measure the geographical location of one or more virtual storage instances of the service network element.
  • the geographical location of one or more virtual storage instances of the service network element can be an actual location, for example, the country, city, or specific region where the virtual storage instance is located, or it can be the number of hardware, facilities, racks, etc., such as the number of the data center where the virtual instance is deployed (for example, Az number, data center (DC) number), virtual data center number (for example, vDC), virtual private cloud number (for example, virtual private cloud (vPC) number), virtual network function number (for example, VNF number), etc., which is not limited by this application.
  • a network device, such as a service network element, OSS/BSS, NFVI management network element, etc., sends the first request information to the EMS to trigger measurement of the geographical location of one or more memories of the service network element.
  • One possible implementation is that when the service triggering party and the EMS are deployed together, the program module within the EMS periodically sends the first request information to the EMS to trigger measurement of the geographical location of one or more virtual storage instances of the service network element.
  • the OSS/BSS sends the first request information to the EMS to trigger the EMS to measure the geographical location of one or more virtual storage instances of the service network element.
  • the first request information includes: the identification of one or more virtual instances responsible for storing information corresponding to the service network element.
  • the virtual instance responsible for storing information is used to store data information in the communication process, user equipment information in the communication process, etc., which is not limited by this application.
  • the first configuration information is used to indicate the correspondence between multiple identifiers and multiple virtual instance groups.
  • VIs are divided into multiple virtual instance groups according to different functions, and any two virtual instance groups have different storage contents.
  • the storage contents include but are not limited to user information, communication records, business data, etc.
  • the NFV system includes multiple VNFs, where each VNF is composed of multiple VIs, and the multiple VIs are divided into different VNFCs according to their different functions. That is, each VNF includes multiple VNFCs with different functions, such as VNFCs responsible for storing information, VNFCs responsible for calculations, etc. Each VNFC includes multiple VIs, among which multiple VNFCs are managed by one VNFP.
  • the first configuration information may be in the form of Table 2:
  • the first configuration list includes multiple VNFC numbers, VI numbers and the geographical location of each VI.
  • VNFC-1 includes a total of three VIs from VI-1 to VI-3.
  • the geographical locations where VI is located are Az-0001, Az-0002, and Az-0001 respectively. It should be noted that the above Table 2 is only an example, and this application does not limit it.
  • the EMS obtains the first configuration information in the following two ways.
  • the EMS obtains the first configuration information by requesting a query from the VNFP, that is, S503-S504:
  • the EMS sends the third request information to the VNFP to obtain the VNFC configuration list.
  • when the VNFP can accept the query request of the EMS, the EMS sends the third request information to the VNFP; the third request information is used to request a query to obtain the VNFC configuration list, and the EMS receives the VNFC configuration list from the VNFP.
  • the VNFC configuration list includes multiple VNFC identifiers.
  • the VNFC configuration list may also include the type of VNF, etc., which is not limited by this application.
  • EMS requests the VNF verifier to perform remote certification on the VNFC configuration list and obtain the first configuration information.
  • the EMS requests the VNF verifier to remotely certify the identity of the VNFC responsible for storing information.
  • the VNF verifier initiates measurement to the VNF attester.
  • the measurement content includes but is not limited to: the identity of the VIs contained in the VNFC, the geographical location of each VI (for example, the vDC number), etc.
  • the VNF verifier obtains the identification of one or more VIs corresponding to the VNFC responsible for storing information, that is, the first configuration information, and returns it to the EMS.
  • the EMS obtains the first configuration information by requesting metrics from the VNF verifier, that is, S505-S507:
  • the EMS requests the VNF verifier to perform remote certification of the VNFP to obtain the VNFC configuration list.
  • VNFP does not necessarily have the ability to reply information. If the EMS cannot obtain the VNFC configuration list by requesting a VNFP query, the EMS needs to request the VNF verifier to obtain the VNFC configuration list by measuring the VNFP.
  • the VNF verifier initiates the measurement of the VNFP to the VNF attester, for example, the measurement of the identity of the VNF, the configuration address of the VNFP, the identification of the VNFC responsible for storing information, etc., and obtains the VNFC configuration list, which includes the identification of the VNFC responsible for storing the information.
  • the EMS requests the VNF verifier to perform remote certification on the VNFC configuration list and obtain the first configuration information.
  • the EMS determines the number of the expected geographical location corresponding to the VI based on the identification of one or more VIs responsible for storing information corresponding to the service network element requesting measurement in S501.
  • EMS determines the number of the expected geographical location corresponding to the VI responsible for storing information.
  • the EMS can determine the number of the expected geographical location corresponding to the VI responsible for storing information through the preconfigured correspondence between the country and the Az number, or by querying the external data library.
  • the expected geographical location can be a specific location or a location range, which is not limited in this application.
  • the expected geographical location of the VI with Az number 0001 is China-Beijing
  • the expected geographical location of the VI with Az number 0002 is China-Shanghai, etc., which are not limited by this application.
  • the EMS can configure corresponding lists of different geographical location levels.
  • the EMS can determine other locations of different levels corresponding to the geographical location based on the corresponding list.
  • the corresponding lists at different geographical location levels may be in the form of Table 3:
  • S508 EMS sends the second request information to Cloud OS verifier.
  • the EMS sends the second request information to the geographical location verification network element.
  • the geographical location verification network element can be MANO-VIM or Cloud OS verifier. This application is not limited. The following uses Cloud OS verifier as an example for explanation.
  • the second request information is used to request the Cloud OS verifier to verify whether the identification of one or more VIs responsible for storing information corresponding to the business network element is located within the expected geographical location.
  • the second request information includes the identification of one or more VIs responsible for storing information corresponding to the service network element and the expected geographical location corresponding to the one or more VIs.
  • Cloud OS verifier requests Cloud OS attester to measure and obtain relevant evidence, that is, the actual geographical location of one or more VIs responsible for storing information corresponding to the business network element.
  • Cloud OS verifier and Cloud OS attester can refer to the existing technology, and will not be described in detail here in this application.
  • Cloud OS verifier verifies the relevant evidence and obtains the first measurement result information.
  • the Cloud OS verifier verifies the above relevant evidence based on the measurement index, that is, the expected geographical location corresponding to the VI, and obtains the first measurement result information.
  • the first measurement result information is used to indicate whether one or more VIs responsible for storing information corresponding to the service network element meet the measurement indicators.
  • the first measurement result information can be "the geographical location of VI-1 matches the expected geographical location", or it can also be "the geographical location of VI-2 does not match the expected geographical location", etc., which is not limited by this application.
  • Cloud OS verifier sends the first metric information to EMS.
  • the first measurement information includes one or more first measurement result information.
  • S512 The EMS determines whether the first measurement result meets the requirements based on the first measurement information.
  • One possible implementation is that when the EMS verifies all VIs based on the expected geographical location corresponding to the VI, if the geographical location of a VI does not meet the expected geographical location, it determines that none of the one or more VIs responsible for storing information corresponding to the service network element meet the requirements.
  • One possible implementation is that when the EMS verifies all VIs based on the expected geographical locations corresponding to the VIs, if the geographical locations of 90% of the VIs match the expected geographical locations, then it determines that the one or more VIs responsible for storing information corresponding to the service network element meet the requirements.
  • the method 500 may also include:
  • EMS requests VNFM to re-instantiate VIs that do not meet the expected geographical location.
  • the process of EMS requesting VNFM to re-instantiate the VI can be understood as the process of deleting the VI and reinstalling the VI in the VNFC corresponding to the VI, that is, the process of redeploying the VI.
  • for the specific process, refer to S402-S420, which will not be described again here.
  • the method 500 may also include:
  • the relying party can take subsequent actions based on the remote certification results.
  • the specific form of the relying party is not limited.
  • the relying party can be an ordinary network element (for example, NRF), a function located in the network management system, or a function located in MANO, etc., which is not limited by this application.
  • if the EMS determines that one or more VIs responsible for storing information corresponding to the service network element do not meet the requirements, the EMS reports an error alarm to the OSS/BSS.
  • the method provided in this embodiment can accurately measure the geographical location of a specific component VNFC in an already running VNF.
  • if the geographical location of the VNFC does not meet the expected location range, the specific VNFC can be redeployed, which increases practicality.
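The decision logic of S508 to S512 and the follow-up actions, as an added example that is not part of the patent text. The dictionary layouts, the function names, the hyphen-prefix treatment of a location range and the fail-closed handling of a VI with no result are assumptions; the Az numbers and locations are the page's examples, and the attested evidence is constructed.

```python
from dataclasses import dataclass, field

# Constructed first configuration information, shaped like Table 2 on the page:
# VNFC -> {VI identifier -> Az number of the VI}.
FIRST_CONFIG = {"VNFC-1": {"VI-1": "Az-0001", "VI-2": "Az-0002", "VI-3": "Az-0001"}}

# Preconfigured Az number -> expected geographical location (the page's two examples).
AZ_TO_EXPECTED = {"Az-0001": "China-Beijing", "Az-0002": "China-Shanghai"}


def build_second_request(vnfc_id, config=FIRST_CONFIG, az_map=AZ_TO_EXPECTED):
    """EMS: pair every VI of the storage VNFC with its expected location."""
    return {vi: az_map[az] for vi, az in config[vnfc_id].items()}


def location_matches(actual, expected):
    """The expected location may be a specific location or a range.
    Assumption: a range is a hyphen-separated prefix, so "China" covers
    "China-Beijing" but "China-Beijing" does not cover "China"."""
    if actual is None:
        return False
    a, e = actual.split("-"), expected.split("-")
    return a[:len(e)] == e


def cloud_os_verify(second_request, evidence):
    """Cloud OS verifier: compare attested locations with the expected ones and
    return one first-measurement-result record per requested VI."""
    results = []
    for vi, expected in second_request.items():
        actual = evidence.get(vi)  # None when the attester returned nothing
        results.append({"vi": vi, "expected": expected, "actual": actual,
                        "match": location_matches(actual, expected)})
    return results


@dataclass
class Decision:
    meets_requirements: bool
    reinstantiate: list = field(default_factory=list)  # VIs to hand to the VNFM
    alarm: bool = False                                 # error alarm to OSS/BSS


def ems_decide(second_request, first_measurement_info, min_match_percent=100):
    """EMS (S512): 100 means every VI must match; 90 is the page's 90% variant.
    A requested VI with no result record counts as a failure (fail closed)."""
    by_vi = {r["vi"]: r for r in first_measurement_info}
    failed = sorted(vi for vi in second_request
                    if not by_vi.get(vi, {}).get("match", False))
    total = len(second_request)
    matched = total - len(failed)
    # Integer arithmetic avoids float rounding at the exact threshold.
    meets = total > 0 and matched * 100 >= min_match_percent * total
    return Decision(meets, failed, alarm=not meets)


def demo():
    """Constructed evidence: VI-2 is attested outside its expected location."""
    request = build_second_request("VNFC-1")
    evidence = {"VI-1": "China-Beijing", "VI-2": "China-Guangzhou",
                "VI-3": "China-Beijing"}
    info = cloud_os_verify(request, evidence)
    return ems_decide(request, info), ems_decide(request, info, min_match_percent=90)


if __name__ == "__main__":
    strict, relaxed = demo()
    print("strict :", strict)
    print("90%    :", relaxed)
```

With three VIs a single mismatch fails both policies; the 90% variant only differs from the strict one once a VNFC has at least ten VIs.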
  • the measurement method can be used as shown in Figure 6.
  • The following is a detailed introduction in conjunction with Figure 6.
  • Figure 6 is a schematic diagram of a communication method 600 provided by an embodiment of the present application.
  • Figure 6 may refer to the description of Figure 3.
  • the method 600 may include the following steps.
  • the first request information is sent to the EMS to trigger the EMS to measure one or more software of the service network element and verify whether the software meets the requirements of the measurement scenario.
  • one or more software of the service network element includes software in the virtual instance and software in the virtualization layer deployed by the virtual instance.
  • the software in the virtual instance can be understood as the operating system installed in the VI, such as Guest OS, etc., which is not limited by this application.
  • the following takes Guest OS as an example.
  • the software of the virtualization layer deployed by the virtual instance can be understood as modules installed in the virtualization layer, such as virtual machine monitor hypervisor, virtual machine manager VMM, etc., which are not limited by this application.
  • the following uses hypervisor as an example.
  • the first request information includes at least one of the following: measurement object, measurement index, and measurement level.
  • measurement objects include but are not limited to Guest OS and hypervisor.
  • the second configuration information is used to indicate the corresponding relationship between multiple identifiers and multiple software.
  • the second configuration information includes the identifier of the VNFC and the identifier of the VI corresponding to the VNFC.
  • the identifier can be an identity identifier or a number, which is not limited by this application.
  • the second configuration information may be in the form of Table 4:
  • the second configuration list includes multiple VNFC numbers, VI numbers, and the identification of the hypervisor deployed by each VI.
  • VNFC-1 includes a total of three VIs from VI-1 to VI-3.
  • the geographical locations of the hypervisors deployed by each VI are hypervisor-1, hypervisor-2, and hypervisor-2 respectively. It should be noted that the above Table 4 is only an example, and this application does not limit it.
  • the EMS obtains the VNFC configuration list by requesting a query from the VNFP or requesting metrics from the VNF verifier, and further requests the VNF verifier to remotely certify the VNFC configuration list to obtain the second configuration information.
  • the method 600 may also include the following S603-S605.
  • the Guest OS verifier receives the second request information from the EMS.
  • the EMS in the above S603 can be understood as the first network element in S330, and the Guest OS verifier can be understood as the second network element in S330.
  • the second request information is used to request remote certification of the Guest OS trusted startup.
  • the second request information includes the identification of the VI and a description of whether the Guest OS performs trusted startup.
  • the second request information may also include a trusted baseline value of the Guest OS.
  • the trusted baseline value of the Guest OS may include any one or more of the following: the baseline value of the system version, the baseline value of the security version of the main application program, the baseline value of the digital signature of key process execution files (such as secondary system execution files), etc., which are not restricted by this application.
  • Guest OS verifier requests Guest OS attester to measure the Guest OS trusted startup.
  • the Guest OS verifier requests the Guest OS attester to obtain relevant evidence based on the description of whether the Guest OS performs trusted startup.
  • Guest OS verifier verifies the Guest OS where the VI is located based on the trusted baseline value of the Guest OS and the relevant evidence, and obtains the first measurement result information.
  • the first measurement result information includes the identification of the VI and the trusted startup result of the Guest OS where the VI is located.
  • the method 600 may also include the following S606-S608.
  • S606 EMS sends the third request information to Cloud OS verifier.
  • Cloud OS verifier receives the third request information from EMS.
  • EMS in S606 can be understood as the first network element in S330
  • Cloud OS verifier can be understood as the second network element in S330.
  • the third request information is used to request remote certification of hypervisor trusted startup.
  • the third request information includes the identification of the hypervisor and a description requiring verification of whether the hypervisor performs trusted startup.
  • the second request information may also include a hypervisor trusted baseline value.
  • the hypervisor trusted baseline value may include any one or more of the following: the virtual machine management software version, a metric of the number of abnormal management operations, etc., which is not limited by this application.
  • Cloud OS verifier requests Cloud OS attester to measure the hypervisor trusted startup.
  • Cloud OS verifier requests Cloud OS attester to obtain evidence of trusted startup (for example, hash value sequence, etc.) based on the description of whether the hypervisor performs trusted startup.
  • Cloud OS verifier verifies the GUEST OS where the VI is located based on the hypervisor's trusted baseline value and relevant evidence, and obtains the first measurement result information.
  • the first measurement result information includes the identification of the hypervisor and the trusted startup result of the hypervisor.
  • the first measurement result may be "the virtual machine management software version of VI-1 is v2.1", which is not limited by this application.
  • the method 600 also includes:
  • the EMS receives the first measurement information.
  • the first measurement information includes one or more first measurement result information.
  • the Guest OS verifier and/or the Cloud OS verifier sends one or more first measurement result information to the EMS.
  • the first measurement result information includes "the virtual machine management software version of VI-1 is v2.1", "the version of the Guest OS of VI-1 is v1.0", etc., which is not limited by this application.
  • S610 The EMS determines whether one or more software of the service network element meets the requirements based on the first measurement information.
  • the method 600 may also include:
  • the EMS notifies VNFM to update the relevant image file.
  • if the EMS determines that the software of the virtual instance, such as the Guest OS software, does not meet the requirements, it will notify the VNFM to update the image file of the VI corresponding to the Guest OS.
  • the EMS requests the VNFM to re-instantiate the service network element.
  • if the EMS determines that the software of the virtualization layer deployed in the virtual instance, such as the version of the hypervisor, does not meet the requirements, it requests the VNFM to destroy the service network element or the VNFC corresponding to the hypervisor, and to re-instantiate the service network element or the corresponding VNFC in an appropriate virtualization layer according to the requirements.
  • the method provided by this embodiment can measure the information of the specified software in a targeted manner, saving measurement overhead, and can achieve a more efficient measurement and remote certification process.
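A sketch of the trusted-startup check and the remediation choice in method 600, as an added example that is not part of the patent text. Folding the hash value sequence into one digest (in the style of a measured-boot extend), the record layouts and the function names are assumptions; the configuration follows the page's Table 4 description and all evidence is constructed.

```python
import hashlib
import hmac

# Constructed second configuration information, shaped like Table 4 on the page:
# VNFC -> {VI identifier -> identifier of the hypervisor the VI is deployed on}.
SECOND_CONFIG = {"VNFC-1": {"VI-1": "hypervisor-1", "VI-2": "hypervisor-2",
                            "VI-3": "hypervisor-2"}}


def measure(component: bytes) -> bytes:
    """Hash of one boot component (one element of the hash value sequence)."""
    return hashlib.sha256(component).digest()


def fold(hash_sequence):
    """Fold an ordered hash sequence into one digest, so that a changed,
    missing or reordered element changes the result (assumed scheme)."""
    acc = bytes(32)
    for digest in hash_sequence:
        acc = hashlib.sha256(acc + digest).digest()
    return acc


def verify_trusted_startup(object_id, evidence, baseline):
    """Verifier: compare attester evidence with the trusted baseline value and
    return one first-measurement-result record."""
    boot_ok = hmac.compare_digest(fold(evidence["hash_sequence"]),
                                  baseline["boot_digest"])
    version_ok = evidence["version"] == baseline["version"]
    return {"id": object_id, "trusted": boot_ok and version_ok,
            "boot_ok": boot_ok, "version_ok": version_ok}


def ems_remediate(guest_results, hypervisor_results, config=SECOND_CONFIG):
    """EMS (S610 and after): a failed hypervisor means re-instantiating the
    VNFC for the VIs deployed on it; a failed Guest OS means updating the VI
    image. An object with no result is treated as untrusted (fail closed)."""
    guest = {r["id"]: r["trusted"] for r in guest_results}
    hyper = {r["id"]: r["trusted"] for r in hypervisor_results}
    actions = []
    for vnfc, vis in config.items():
        on_bad_hv = sorted(vi for vi, hv in vis.items() if not hyper.get(hv, False))
        if on_bad_hv:
            actions.append(("reinstantiate_vnfc", vnfc, tuple(on_bad_hv)))
        for vi in sorted(vis):
            # A Guest OS result obtained on an untrusted hypervisor is not acted
            # on separately; re-instantiation already replaces that VI.
            if vi not in on_bad_hv and not guest.get(vi, False):
                actions.append(("update_image", vi))
    return actions


# Constructed known-good boot chains and the baselines derived from them.
GUEST_BOOT = [measure(b"bootloader"), measure(b"kernel"), measure(b"init")]
HV_BOOT = [measure(b"firmware"), measure(b"hypervisor")]
GUEST_BASELINE = {"version": "v1.0", "boot_digest": fold(GUEST_BOOT)}
HV_BASELINE = {"version": "v2.1", "boot_digest": fold(HV_BOOT)}


def demo():
    """VI-1 boots a modified kernel; hypervisor-2 reports an older version."""
    tampered = [GUEST_BOOT[0], measure(b"kernel-modified"), GUEST_BOOT[2]]
    guest_evidence = {
        "VI-1": {"version": "v1.0", "hash_sequence": tampered},
        "VI-2": {"version": "v1.0", "hash_sequence": GUEST_BOOT},
        "VI-3": {"version": "v1.0", "hash_sequence": GUEST_BOOT},
    }
    hv_evidence = {
        "hypervisor-1": {"version": "v2.1", "hash_sequence": HV_BOOT},
        "hypervisor-2": {"version": "v2.0", "hash_sequence": HV_BOOT},
    }
    guest = [verify_trusted_startup(i, e, GUEST_BASELINE)
             for i, e in guest_evidence.items()]
    hv = [verify_trusted_startup(i, e, HV_BASELINE) for i, e in hv_evidence.items()]
    return ems_remediate(guest, hv)


if __name__ == "__main__":
    for action in demo():
        print(action)
```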
  • each embodiment of the present application involves some message names, such as service discovery function entity selection information or policy information, etc. It should be understood that the naming does not limit the protection scope of the embodiments of the present application.
  • the methods and operations implemented by the terminal device can also be implemented by components (such as chips or circuits) of the terminal device; in addition, the methods and operations implemented by the network device can also be implemented by components (such as chips or circuits) of the network device, without limitation.
  • embodiments of the present application also provide corresponding devices, and the devices include modules for executing corresponding modules in each of the above method embodiments.
  • the module can be software, hardware, or a combination of software and hardware. It can be understood that the technical features described in the above method embodiments are also applicable to the following device embodiments.
  • first network element and the second network element can perform some or all of the steps in the above embodiments. These steps or operations are only examples. The embodiments of the present application can also perform other operations or variations of various operations. In addition, various steps may be performed in a different order than presented in the above-described embodiments, and it is possible that not all operations in the above-described embodiments are performed.
  • the communication method provided by the embodiment of the present application is introduced in detail above with reference to Figures 3 to 6.
  • the communication device provided by the embodiment of the present application is described in detail below with reference to Figures 7 to 9. It should be understood that the description of the device embodiments corresponds to the description of the method embodiments. Therefore, for content that is not described in detail, please refer to the above method embodiments. For the sake of brevity, some content will not be described again.
  • FIG. 7 is a schematic block diagram of a communication device provided by an embodiment of the present application.
  • the device 700 includes a transceiver unit 710, which may be used to implement corresponding communication functions.
  • the transceiver unit 710 may also be called a communication interface or communication unit.
  • the device 700 may also include a processing unit 720, which may be used for data processing.
  • the device 700 also includes a storage unit, which can be used to store instructions and/or data, and the processing unit 720 can read the instructions and/or data in the storage unit, so that the device implements the actions of different terminal devices in the network in each of the foregoing method embodiments, for example, the actions of the first network element or the second network element.
  • the device 700 can be used to perform the actions performed by the first network element or the second network element in each of the above method embodiments.
  • the device 700 can be the first network element or the second network element, or the first network element.
  • the transceiver unit 710 is configured to perform the transceiver-related operations of the first network element or the second network element in the above method embodiment.
  • the processing unit 720 is configured to perform the processing-related operations of the first network element or the second network element in the above method embodiment.
  • the device 700 here is embodied in the form of a functional unit.
  • the term "unit" as used herein may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (such as a shared processor, a proprietary processor, or a group of processors, etc.) and memory used to execute one or more software or firmware programs, merged logic circuitry, and/or other suitable components to support the described functionality.
  • the device 700 can be specifically the first network element or the second network element in the above embodiments, and can be used to perform each process and/or step corresponding to the first network element or the second network element in the above method embodiments, which will not be described again in order to avoid duplication.
  • the device 700 of each of the above solutions has the function of realizing the corresponding steps performed by the first network element or the second network element in the above method.
  • the functions described can be implemented by hardware, or can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions; for example, the transceiver unit can be replaced by a transceiver (for example, the sending unit in the transceiver unit can be replaced by a transmitter, and the receiving unit in the transceiver unit can be replaced by a receiver), and other units, such as the processing unit, can be replaced by a processor, to respectively perform the sending and receiving operations and the related processing operations in each method embodiment.
  • transceiver unit 710 may also be a transceiver circuit (for example, it may include a receiving circuit and a transmitting circuit), and the processing unit may be a processing circuit.
  • the device in Figure 7 can be the network element or device in the aforementioned embodiment, or it can be a chip or a chip system, such as a system on chip (SoC).
  • the transceiver unit may be an input-output circuit or a communication interface; the processing unit may be a processor, microprocessor, or integrated circuit integrated on the chip. No limitation is made here.
  • an embodiment of the present application provides another communication device 800 .
  • the device 800 includes a processor 810 coupled to a memory 820 for storing computer programs or instructions and/or data.
  • the processor 810 is used for executing the computer programs or instructions stored in the memory 820, or reading the data stored in the memory 820, to execute the methods in the above method embodiments.
  • there are one or more processors 810.
  • the memory 820 is integrated with the processor 810, or is provided separately.
  • the device 800 also includes a transceiver 830, which is used for receiving and/or transmitting signals.
  • the processor 810 is used to control the transceiver 830 to receive and/or transmit signals.
  • the device 800 is used to implement the operations performed by the first network element or the second network element in each of the above method embodiments.
  • the processor 810 is used to execute the computer program or instructions stored in the memory 820 to implement the related operations of the first SMF in each of the above method embodiments.
  • the first network element in any one of the embodiments shown in Figures 3 to 6, or the method of the first network element in any one of the embodiments shown in Figures 3 to 6.
  • the processors mentioned in the embodiments of this application may be a central processing unit (CPU), or another general-purpose processor, digital signal processor (DSP), application-specific integrated circuit (ASIC), or field programmable gate array (FPGA).
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.
  • non-volatile memory can be read-only memory (ROM), programmable ROM (PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory. Volatile memory can be random access memory (RAM). For example, RAM can be used as an external cache.
  • RAM includes the following forms: static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (synchlink DRAM, SLDRAM) and direct memory bus random access memory (direct rambus RAM, DR RAM).
  • the memory storage module
  • the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component
  • memories described herein are intended to include, but are not limited to, these and any other suitable types of memories.
  • an embodiment of the present application provides a chip system 900.
  • the chip system 900 (or can also be called a processing system) includes a logic circuit 910 and an input/output interface 920.
  • the logic circuit 910 may be a processing circuit in the chip system 900 .
  • the logic circuit 910 can be coupled to the memory unit and call instructions in the memory unit, so that the chip system 900 can implement the methods and functions of various embodiments of the present application.
  • the input/output interface 920 can be an input/output circuit in the chip system 900, which outputs information processed by the chip system 700, or inputs data or signaling information to be processed into the chip system 19000 for processing.
  • the chip system 1000 is used to implement the operations performed by the first network element or the second network element in each of the above method embodiments.
  • the logic circuit 910 is used to implement operations related to processing of the first network element in the above method embodiment, such as operations related to processing of the first network element in any of the embodiments shown in Figures 3 to 6;
  • the input/output interface 920 is used to implement operations related to sending and/or receiving by the first network element in the above method embodiments, as performed by the first network element in any of the embodiments shown in Figures 3 to 6. Send and/or receive related operations.
  • Embodiments of the present application also provide a computer-readable storage medium on which computer instructions for implementing the methods executed by the first network element or the second network element in each of the above method embodiments are stored.
  • when the computer program is executed by a computer, the computer can implement the method executed by the first network element or the second network element in each embodiment of the above method.
  • An embodiment of the present application also provides a computer program product, which includes instructions.
  • when the instructions are executed by a computer, the methods executed by the first network element or the second network element in each of the above method embodiments are implemented.
  • the disclosed devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer may be a personal computer, a server, or a network device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; e.g., the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, wireless, microwave, etc.) means.
  • the computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media.
  • the available media may be magnetic media (such as floppy disks, hard disks, magnetic tapes), optical media (such as DVDs), or semiconductor media (such as solid state disks (SSD)).
  • the aforementioned available media include but are not limited to: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk and other media that can store program code.

Abstract

Embodiments of the present application provide a service management method and apparatus. The method comprises: receiving first request information, the first request information being used to request measurement for a first measurement scenario; determining at least one second network element according to a mapping relationship; and sending second request information to the at least one second network element, the second request information being used to request measurement of at least one first measurement object. In this way, a specific part of the NFV can be measured in a specific trigger scenario, which reduces measurement complexity, saves communication and computation overhead, and further improves the practical effect of remote attestation.
PCT/CN2023/090142 2022-05-07 2023-04-23 Service management method and apparatus WO2023216856A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210493765.8A CN117061346A (zh) 2022-05-07 2022-05-07 Service management method and apparatus
CN202210493765.8 2022-05-07

Publications (1)

Publication Number Publication Date
WO2023216856A1 true WO2023216856A1 (fr) 2023-11-16

Family

ID=88652363

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/090142 WO2023216856A1 (fr) 2022-05-07 2023-04-23 Service management method and apparatus

Country Status (2)

Country Link
CN (1) CN117061346A (fr)
WO (1) WO2023216856A1 (fr)

Also Published As

Publication number Publication date
CN117061346A (zh) 2023-11-14

Similar Documents

Publication Publication Date Title
US11425634B2 (en) Slice information update method and apparatus
US20220217045A1 (en) Method and node for using templates
US11812496B2 (en) User group session management method and apparatus
EP3648432B1 (fr) Discovery method and device for a network function service
EP3592012B1 (fr) Subscription update method, device and system
US11363102B2 (en) Communication method and apparatus for network accessible only in specific area
US11432218B2 (en) Handover method and system, and device
US11646939B2 (en) Network function NF management method and NF management device
TW201633745A Network function virtualization
WO2020147663A1 (fr) Token processing method and device
US10897699B2 (en) Subscription update method, device, and system
US11284303B2 (en) Network resource model to support next generation node B
US20220377653A1 (en) Slice information update method and apparatus
EP4120700A1 (fr) Positioning request processing method, device and system
US20220007240A1 (en) Communication method and apparatus
US20240064510A1 (en) User equipment (ue) identifier request
EP4150877A1 (fr) Secondary or slice-specific access control in a wireless communication network
US20240080664A1 (en) Routing indicator retrival for akma
WO2020052463A1 (fr) Communication method and network element
WO2023216856A1 (fr) Service management method and apparatus
WO2021196697A1 (fr) Fault-tolerant processing method and apparatus
CN116746188A (zh) Method and system for supporting application authentication and key management (AKMA) using an admissibility indication
WO2023216913A1 (fr) Communication method and apparatus
WO2023185295A1 (fr) Communication method, terminal device, and core network device
WO2024027398A1 (fr) Communication method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23802630

Country of ref document: EP

Kind code of ref document: A1