WO2023246535A1 - Data transmission method and apparatus and system - Google Patents
- Publication number
- WO2023246535A1 (PCT application PCT/CN2023/099595)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- qot
- service
- terminal device
- level
- target
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            - H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
        - H04L63/12—Applying verification of the received information
          - H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/14—Session management
          - H04L67/146—Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
        - H04L67/50—Network services
          - H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
            - H04L67/61—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources taking into account QoS or priority requirements
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/40—Network security protocols
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/03—Protecting confidentiality, e.g. by encryption
Definitions
- the present application relates to the field of communication technology, and in particular to a data transmission method, device and system.
- This application provides a data transmission method, device and system, which can realize safe and reliable transmission of data in the network.
- a data transmission method includes: the terminal device obtains a service quality of trust (QoT) level corresponding to the first service and a destination address of the first service, and the service QoT level corresponding to the first service matches the device QoT level of the terminal device.
- the terminal device obtains a target connection identifier based on the service QoT level corresponding to the first service and the destination address of the first service.
- the target connection identifier is the connection identifier of a target communication connection that is established between the terminal device and the destination address of the first service and that matches the service QoT level corresponding to the first service.
- the terminal device sends a service message of the first service to the destination address of the first service.
- the service message includes a target connection identifier, and the target connection identifier is used to indicate that the service message is transmitted based on the target communication connection.
- the network side can combine the credibility of the terminal device with the trust requirements of the service for data transmission and provide matching trusted transmission for the service on the terminal device, improving the service quality of the network and the user's service experience.
- the terminal device stores a set of connection identifiers.
- the connection identification set is used to record the connection identification of the communication connection established by the terminal device.
- Each connection ID in the connection ID set is set with a corresponding destination address and service QoT level.
- the implementation process of the terminal device obtaining the target connection identifier according to the service QoT level corresponding to the first service and the destination address of the first service includes: when the connection identifier set contains no connection identifier corresponding to the service QoT level of the first service and the destination address of the first service, the terminal device sends a data transmission request to the management device.
- the data transmission request includes the destination address of the first service and the QoT certificate of the terminal device.
- the QoT certificate includes the device QoT level of the terminal device.
- the terminal device receives a data transmission response sent by the management device, where the data transmission response includes a target connection identifier.
- after the terminal device obtains the service QoT level corresponding to the first service and the destination address of the first service, it first queries whether the connection identification set stores a connection identifier corresponding to that destination address and service QoT level. If such a connection identifier is stored, the terminal device uses it as the target connection identifier.
- the QoT certificate also includes the QoT forwarding policy of the management device for the terminal device.
- the QoT forwarding policy includes the highest service QoT level provided by the management device to the terminal device and/or the default service QoT level provided by the management device to the terminal device.
- the terminal device may add the corresponding relationship between the destination address of the first service, the service QoT level corresponding to the first service and the target connection identifier in the connection identification set.
- the data transmission request further includes a service QoT level indication, and the service QoT level indication is used to indicate the service QoT level corresponding to the first service.
- the data transmission request may not include the service QoT level indication.
- the management device will directly establish a communication connection corresponding to the default service QoT level.
- the terminal device sends QoT parameters of the terminal device to the management device, where the QoT parameters include one or more of device identity information, hardware configuration information, software configuration information or network access information.
- the terminal device receives the QoT certificate obtained based on the QoT parameters and sent by the management device.
- the terminal device sends a registration request to the management device.
- the terminal device receives the QoT authentication request sent by the management device.
- the QoT authentication request includes a QoT parameter indication, and the QoT parameter indication is used to indicate the QoT parameters that the terminal device needs to provide.
- An implementation manner in which the terminal device sends the QoT parameter of the terminal device to the management device includes: the terminal device sends a QoT authentication response to the management device, where the QoT authentication response includes the QoT parameter indicated by the QoT parameter indication.
- the terminal device and the management device can also agree in advance on the QoT parameters that the terminal device needs to provide when issuing a QoT certificate.
- when the terminal device wants to obtain a QoT certificate, it can directly send the QoT parameters of the terminal device to the management device.
- when the QoT certificate meets the certificate update conditions, the terminal device sends the latest QoT parameters of the terminal device to the management device.
- the terminal device receives the updated QoT certificate, which the management device generates based on the latest QoT parameters.
- the certificate update conditions include one or more of the following: the QoT certificate exceeds the validity period; the QoT parameters of the terminal device change; the terminal device and/or the management device cannot parse the QoT certificate.
- the service message also includes an indication of the service QoT level corresponding to the first service and an integrity verification label for the indication.
- the integrity verification label may be a message authentication code or a digital signature.
- the terminal device obtains the service QoT level corresponding to the second service, and the service QoT level corresponding to the second service does not match the device QoT level of the terminal device.
- the terminal device refuses to transmit the service message of the second service. This prevents users from maliciously using trusted data transmission services that do not match the credibility of the terminal device, so that the network side not only meets the trust requirements of the service but also considers the credibility of the terminal device, thereby achieving trusted data transmission.
- the management device establishes a communication connection for the service on the terminal device that matches the device QoT level of the terminal device.
- the management device can consider the credibility of the terminal device and provide matching trusted transmission for the service on the terminal device, improving network service quality and user service experience.
- the management device establishes a communication connection for the service on the terminal device that matches the device QoT level of the terminal device and the service QoT level corresponding to the service.
- the management device can combine the credibility of the terminal device with the service's trust requirements for data transmission, providing matching trusted transmission for the service on the terminal device and improving the service quality of the network and the user's service experience.
- the QoT certificate also includes the QoT forwarding policy of the management device for the terminal device.
- the QoT forwarding policy includes the highest service QoT level provided by the management device to the terminal device and/or the default service QoT level provided by the management device to the terminal device.
- the management device receives the registration request sent by the terminal device. Based on the registration request, the management device sends a QoT authentication request to the terminal device.
- the QoT authentication request includes a QoT parameter indication, and the QoT parameter indication is used to indicate the QoT parameters that the terminal device needs to provide.
- An implementation manner in which the management device receives the QoT parameters of the terminal device sent by the terminal device includes: the management device receives a QoT authentication response sent by the terminal device, where the QoT authentication response includes the QoT parameters indicated by the QoT parameter indication.
- the management device receives a path calculation request from the network device, and the path calculation request includes the target connection identifier.
- the management device determines the target transmission path used by the target communication connection according to the service QoT level corresponding to the target connection identifier.
- the device QoT level of the network device on the target transmission path matches the service QoT level corresponding to the target connection identifier.
- the management device sends a path calculation response to the network device, and the path calculation response includes path information of the target transmission path.
- the transmission path used by the network device to transmit the service message matches the service QoT level corresponding to the service message. Therefore, the network side can consider the trust requirements of the service for data transmission and provide matching trusted transmission for the service on the terminal device, improving network service quality and user service experience.
- an implementation manner for the network device to obtain the target transmission path corresponding to the target connection identifier includes: the network device sends a path calculation request to the management device, and the path calculation request includes the target connection identifier.
- the network device receives a path calculation response sent by the management device, and the path calculation response includes path information of the target transmission path.
- the service message also includes an indication of the service QoT level corresponding to the first service and an integrity verification label for the indication.
- the implementation of the network device forwarding the service message based on the target transmission path includes: when the service QoT level indicated by the indication in the service message is the same as the service QoT level corresponding to the target connection identifier, and the network device passes verification of the integrity verification label, the network device forwards the service message based on the target transmission path.
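The network-side checks described above (path calculation request and response, then the two forwarding conditions) as an added, runnable Python example. This is not code from the patent; the topology, the connection table, the key K, the reading of "matches" as "device QoT level at least the service QoT level", and the path calculation response carrying the connection's service QoT level are all assumptions of the example, and the integrity verification label is modelled as an HMAC over the service QoT level indication.

```python
from collections import deque
import hashlib
import hmac
import json

# Assumption: the network device holds the key needed to verify the integrity label (constructed value).
K = b"constructed-shared-key-k"

# Constructed topology: node name -> (device QoT level, neighbours).
TOPOLOGY = {
    "AN-1": (5, ["R-1", "R-2"]),
    "R-1":  (2, ["AN-1", "R-3"]),
    "R-2":  (4, ["AN-1", "R-3"]),
    "R-3":  (4, ["R-1", "R-2", "DST"]),
    "DST":  (5, ["R-3"]),
}


def indication_tag(level):
    """Integrity verification label (MAC variant) over the service QoT level indication."""
    payload = json.dumps({"service_qot_level": level}, sort_keys=True).encode()
    return hmac.new(K, payload, hashlib.sha256).hexdigest()


def shortest_trusted_path(topology, src, dst, min_level):
    """BFS restricted to nodes whose device QoT level is at least min_level (assumed meaning of 'matches')."""
    if topology[src][0] < min_level:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nb in topology[node][1]:
            if nb not in prev and topology[nb][0] >= min_level:
                prev[nb] = node
                queue.append(nb)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


class ManagementDevice:
    def __init__(self, connection_levels, topology):
        self.connection_levels = connection_levels   # target connection id -> service QoT level
        self.topology = topology

    def on_path_calculation_request(self, req):
        level = self.connection_levels.get(req["target_connection_id"])
        if level is None:
            return {"status": "rejected", "reason": "unknown target connection identifier"}
        path = shortest_trusted_path(self.topology, req["source"], req["destination"], level)
        if path is None:
            return {"status": "rejected", "reason": "no transmission path with matching device QoT levels"}
        # Assumption: the path information is returned together with the connection's service QoT level.
        return {"status": "ok", "path": path, "service_qot_level": level}


class NetworkDevice:
    def __init__(self, name, mgmt):
        self.name = name
        self.mgmt = mgmt
        self.paths = {}   # target connection id -> (service QoT level, path)

    def on_service_message(self, msg):
        conn_id = msg["connection_id"]
        if conn_id not in self.paths:   # first message on this connection: ask the management device
            resp = self.mgmt.on_path_calculation_request(
                {"target_connection_id": conn_id, "source": self.name, "destination": msg["destination"]})
            if resp["status"] != "ok":
                return {"forwarded": False, "reason": resp["reason"]}
            self.paths[conn_id] = (resp["service_qot_level"], resp["path"])
        level, path = self.paths[conn_id]
        # Condition 1: the indicated service QoT level must equal the level bound to the connection.
        if msg["service_qot_level"] != level:
            return {"forwarded": False, "reason": "indicated service QoT level does not match the connection"}
        # Condition 2: the integrity verification label must verify (constant-time comparison).
        if not hmac.compare_digest(indication_tag(msg["service_qot_level"]), msg["integrity_tag"]):
            return {"forwarded": False, "reason": "integrity verification label failed"}
        return {"forwarded": True, "next_hop": path[1], "path": path}


if __name__ == "__main__":
    nd = NetworkDevice("AN-1", ManagementDevice({"conn-a": 4}, TOPOLOGY))
    print(nd.on_service_message({"connection_id": "conn-a", "destination": "DST", "data": "x",
                                 "service_qot_level": 4, "integrity_tag": indication_tag(4)}))
```

A message whose level indication was changed after the label was computed fails condition 2, a message re-labelled for a different level fails condition 1, and a connection whose level no node chain can satisfy is rejected at path calculation rather than forwarded over untrusted hops.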
- the fifth aspect provides a management device.
- the management device includes multiple functional modules, and the multiple functional modules interact to implement the method in the above second aspect and its various implementations.
- the multiple functional modules can be implemented based on software, hardware, or a combination of software and hardware, and the multiple functional modules can be arbitrarily combined or divided based on specific implementation.
- a sixth aspect provides a network device.
- the network device includes multiple functional modules, and the multiple functional modules interact to implement the method in the above third aspect and its various implementation modes.
- the multiple functional modules can be implemented based on software, hardware, or a combination of software and hardware, and the multiple functional modules can be arbitrarily combined or divided based on specific implementation.
- a data transmission device including: a processor and a memory;
- the memory is used to store a computer program, and the computer program includes program instructions;
- a computer program product including a computer program that, when executed by a processor, implements any one of the above-mentioned first to third aspects and the methods in each embodiment thereof.
- Figure 1 is a schematic diagram of an application scenario involving the data transmission method provided by the embodiment of the present application
- Figure 4 is a schematic diagram of an implementation scenario provided by the embodiment of the present application.
- Figure 6 is a schematic diagram of the registration process in the separation scenario of DMM-FE and TLV-FE provided by the embodiment of this application;
- Figure 8 is a schematic diagram of a data transmission process provided by an embodiment of the present application.
- FIG 11 is a schematic structural diagram of a management device provided by an embodiment of the present application.
- Figure 14 is a schematic diagram of the hardware structure of a management device provided by an embodiment of the present application.
- Entities in a single trust domain trust each other and can directly transmit data without security protection. When entities in different trust domains perform data transmission, they need to be controlled through their respective access and delivery control functions to achieve trusted data transmission. Among them, the full name of trust domain is trust-centric network domain.
- the mapping relationship between QoT scores and QoT levels can be set.
- by default the scoring interval is 0 to 1 and the QoT levels are 1 to 5:
- QoT score 0 to 0.2 corresponds to QoT level 1
- QoT score 0.2 to 0.4 corresponds to QoT level 2
- QoT score 0.4 to 0.6 corresponds to QoT level 3
- QoT score 0.6 to 0.8 corresponds to QoT level 4
- QoT score 0.8 to 1 corresponds to QoT level 5.
- Access network equipment can be various forms of macro base stations, micro base stations, relay stations, access points, etc.
- the management device 103 may be a core network device.
- the functions of core network equipment are mainly to provide user connections, manage users, and carry services.
- As a bearer network it provides an interface to external networks.
- core network equipment may include equipment such as an access and mobility management function (AMF) entity, a user plane function (UPF) entity and a session management function (SMF) entity.
- AMF: access and mobility management function
- UPF: user plane function
- SMF: session management function
- FIG. 2 is a schematic flowchart of the implementation of a data transmission method 200 provided by an embodiment of the present application.
- the method 200 only shows the implementation process of the registration phase.
- the method 200 includes steps 201 to 205.
- Step 201 The terminal device sends a registration request to the management device.
- Step 202 Based on the registration request, the management device sends a QoT authentication request to the terminal device, where the QoT authentication request includes a QoT parameter indication.
- the QoT parameter indication may be in bitmap format.
- the bit corresponding to the required parameter can be set to 1
- the bit corresponding to the optional parameter can be set to 0.
- if the management device requires the terminal device to provide 8 QoT parameters, of which the first 4 are mandatory and the last 4 are optional, the QoT parameter indication can be set to 11110000.
- the QoT authentication request also includes a random number.
- by carrying a random number in the QoT authentication request, the management device helps the terminal device identify replay attacks.
- the QoT authentication request also includes the device identification of the terminal device and/or the user identification of the terminal device.
- Step 203 The terminal device sends a QoT authentication response to the management device, where the QoT authentication response includes the QoT parameters indicated by the QoT parameter indication.
- the terminal device parses the QoT parameter indication, collects the corresponding parameter information, packages it into the QoT parameter list and then, in response to the QoT authentication request, sends a QoT authentication response carrying the QoT parameter list to the management device.
- authentication and key negotiation can be performed between the terminal device and the management device to agree on a pair of asymmetric keys or a symmetric key.
- the embodiment of this application takes an example in which the terminal device and the management device share a symmetric key k. In this way, the terminal device can use the symmetric key k to encrypt and transmit the QoT parameters of the terminal device to improve the confidentiality and security of the QoT parameter transmission.
- the QoT authentication response may also include the random number.
- Step 204 The management device generates a QoT certificate of the terminal device based on the QoT parameters sent by the terminal device.
- a>b means that the QoT level of the device corresponding to a is higher than the QoT level of the device corresponding to b. Whether the OEM is trustworthy can be determined by the management device itself.
- the management device may further determine the service QoT level that the terminal device is allowed to use and the service QoT level that is used by default.
- the QoT forwarding policies set by the management device for terminal devices with different device QoT levels can be as shown in Table 2.
- the management device can set the mapping relationship between the QoT score and the device QoT level of the terminal device.
- the management device can first score the credibility of the terminal device according to the QoT parameters of the terminal device, and then use the device QoT level corresponding to the scored QoT score as the device QoT level of the terminal device.
- the management device can also directly determine the device QoT level of the terminal device based on the QoT parameters of the terminal device, that is, the QoT score entry in Table 2 does not need to be set.
- the QoT certificate of the terminal device also includes the QoT forwarding policy of the management device for the terminal device.
- the QoT forwarding policy includes the highest service QoT level provided by the management device to the terminal device and/or the default service QoT level provided by the management device to the terminal device.
- for example, the QoT certificate of the terminal device can be based on the X.509 certificate format and use extension fields to carry the QoT capabilities.
- the content of the QoT certificate of the terminal device can be expressed as follows:
- domain name or domain ID domain name/domain ID
- the management device uses the symmetric key k to decrypt the QoT parameters in the QoT authentication response to obtain the terminal device's QoT parameters.
- after receiving the QoT authentication response, the management device first uses the random number in the QoT authentication response to verify the freshness of the message. After the verification passes, the management device performs a trust evaluation of the terminal device. Carrying the random number in the QoT authentication response lets the management device verify message freshness and helps it identify replay attacks.
- Step 205 The management device sends the QoT certificate to the terminal device.
- after receiving the QoT certificate sent by the management device, the terminal device stores the QoT certificate.
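The registration phase (steps 201 to 205) and the score-to-level mapping given earlier, as an added, runnable Python example; this is not code from the patent. The bitmap parameter indication and the random number are modelled as the page describes. Everything else is an assumption of the example: the shared key k is used here as an HMAC key for integrity of the parameter list (the page encrypts the parameters under k; confidentiality is not reproduced), the parameter names beyond the page's four categories, the toy scoring function, the certificate as a signed JSON record instead of X.509 with extension fields, and the forwarding policy stand-in for the page's Table 2.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys: k is the page's symmetric key agreed between terminal and management
# device; the signing key for the issued certificate is an assumption of this example.
K = b"constructed-shared-key-k"
MGMT_SIGNING_KEY = b"constructed-management-device-key"

# QoT parameter names in bitmap order. The first four are the page's categories (device
# identity, hardware configuration, software configuration, network access); the last
# four are assumed optional parameters.
QOT_PARAM_NAMES = ["device_id", "hw_config", "sw_config", "network_access",
                   "secure_boot", "patch_level", "os_version", "trusted_oem"]


def parse_param_indication(bitmap):
    """Bitmap such as '11110000': bit 1 = mandatory parameter, bit 0 = optional parameter."""
    if len(bitmap) != len(QOT_PARAM_NAMES) or set(bitmap) - {"0", "1"}:
        raise ValueError("bad QoT parameter indication")
    mandatory = [n for n, b in zip(QOT_PARAM_NAMES, bitmap) if b == "1"]
    optional = [n for n, b in zip(QOT_PARAM_NAMES, bitmap) if b == "0"]
    return mandatory, optional


def qot_level_from_score(score):
    """Page's default mapping: [0, 1] cut into five equal intervals giving levels 1..5."""
    if not 0.0 <= score <= 1.0:
        raise ValueError("QoT score outside the default 0..1 interval")
    return min(5, int(score * 5) + 1)


def score_qot_parameters(params):
    """Constructed toy credibility score; the page leaves the scoring method to the management device."""
    score = 0.1
    score += 0.3 if params.get("secure_boot") else 0.0
    score += 0.3 if params.get("trusted_oem") else 0.0
    score += 0.2 if params.get("patch_level", 0) >= 2024 else 0.0
    score += 0.1 if params.get("network_access") == "cellular" else 0.0
    return min(score, 1.0)


def _tag(key, payload):
    """HMAC over canonical JSON; stands in for protection under k and for the certificate signature."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class ManagementDevice:
    def __init__(self):
        self.pending = {}             # issued nonce -> device id (freshness / replay detection)
        self.indication = "11110000"  # page's example: first four mandatory, last four optional

    def on_registration_request(self, device_id):            # steps 201-202
        nonce = secrets.token_hex(16)
        self.pending[nonce] = device_id
        return {"device_id": device_id, "param_indication": self.indication, "nonce": nonce}

    def on_auth_response(self, resp):                         # steps 204-205
        # Freshness first: the nonce must be one we issued for this device and not yet consumed.
        if self.pending.pop(resp["nonce"], None) != resp["device_id"]:
            raise ValueError("stale or replayed QoT authentication response")
        body = {k: resp[k] for k in ("device_id", "nonce", "qot_params")}
        if not hmac.compare_digest(_tag(K, body), resp["tag"]):
            raise ValueError("QoT parameter list failed integrity check")
        mandatory, _ = parse_param_indication(self.indication)
        missing = [n for n in mandatory if n not in resp["qot_params"]]
        if missing:
            raise ValueError("mandatory QoT parameters missing: %s" % missing)
        level = qot_level_from_score(score_qot_parameters(resp["qot_params"]))
        # Assumed Table 2 stand-in: default = device level, highest = one level above (capped at 5).
        cert = {"subject": resp["device_id"], "device_qot_level": level,
                "qot_forwarding_policy": {"default_service_qot_level": level,
                                          "highest_service_qot_level": min(5, level + 1)}}
        cert["signature"] = _tag(MGMT_SIGNING_KEY, cert)
        return cert


class TerminalDevice:
    def __init__(self, device_id, local_params):
        self.device_id = device_id
        self.local_params = local_params
        self.certificate = None

    def on_auth_request(self, req):                           # step 203
        mandatory, optional = parse_param_indication(req["param_indication"])
        params = {n: self.local_params[n] for n in mandatory}   # every mandatory parameter must exist
        params.update({n: self.local_params[n] for n in optional if n in self.local_params})
        body = {"device_id": self.device_id, "nonce": req["nonce"], "qot_params": params}
        return dict(body, tag=_tag(K, body))


def run_registration(terminal, mgmt):
    """Steps 201-205; returns the stored certificate and the response (kept so a replay can be shown)."""
    resp = terminal.on_auth_request(mgmt.on_registration_request(terminal.device_id))
    terminal.certificate = mgmt.on_auth_response(resp)
    return terminal.certificate, resp


if __name__ == "__main__":
    params = {"device_id": "dev-1", "hw_config": "board-a", "sw_config": "fw-3.1",
              "network_access": "cellular", "secure_boot": True, "patch_level": 2024}
    cert, _ = run_registration(TerminalDevice("dev-1", params), ManagementDevice())
    print(json.dumps(cert, indent=2))
```

The nonce is checked before anything else is trusted, so a captured response replayed later is rejected without a trust evaluation, and a parameter list altered in transit fails the tag check even with a fresh nonce.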
- the application on the terminal device can perceive the information in the QoT certificate of the terminal device and set the local QoT forwarding policy.
- the application of QoT forwarding policies set separately for terminal devices with different device QoT levels can be as shown in Table 3.
- the processing policy "allow" indicates that the application can run services at the corresponding service QoT level.
- the processing policy "allow and warn" means that the application can run services at the corresponding service QoT level but will alert the user.
- the processing policy "forbidden" means that the application is prohibited from running services at the corresponding service QoT level.
- the QoT forwarding policy on the application side can be manually changed by the user. For example, the user can manually change the processing policy corresponding to the service QoT level.
- when the QoT certificate of the terminal device meets the certificate update condition, the terminal device sends the latest QoT parameters of the terminal device to the management device.
- the management device generates an updated QoT certificate based on the latest QoT parameters of the terminal device. Then, the management device sends the updated QoT certificate to the terminal device.
- after receiving the updated QoT certificate sent by the management device, the terminal device stores the updated QoT certificate and treats the original QoT certificate as invalid. After the QoT certificate of the terminal device has changed, the application on the terminal device applies the updated QoT certificate to adjust its QoT forwarding policy.
- the certificate update process can be triggered by the terminal device, and the certificate update implementation process can refer to the above steps 201 to 205.
- the certificate update process can also be triggered by the management device, and the certificate update implementation process can refer to the above steps 202 to 205. This will not be described again in the embodiments of this application.
- FIG. 3 is a schematic flowchart of the implementation of a data transmission method 300 provided by an embodiment of the present application.
- the method 300 shows the implementation process of the data transmission phase.
- method 300 includes steps 301 to 305.
- the service QoT level corresponding to the first service matches the device QoT level of the terminal device.
- when the processing policy corresponding to the service QoT level of the service selected by the user is "allow", the application directly generates the service message and the terminal device sends it.
- the service message includes an indication of the service QoT level required to transmit the service message, a destination address (destination) and service data (data).
- the second possible situation is that the processing policy corresponding to the service QoT level of the service selected by the user is "allow and warn". Then the application explicitly sends an alarm to the user, prompting the user that the service QoT level corresponding to the currently selected service is higher than the device QoT level of the terminal device (for example, the device QoT level of the terminal device is 2 and the service QoT level corresponding to the service selected by the user is 3), gives the user options (for example, continue or stop) and lets the user choose whether to continue running the service. If the user chooses to continue, the application generates a service message and the terminal device sends it. If the user chooses to stop, the application stops running the service. Optionally, the application sends the alarm to the user by displaying the alarm information and the user options on the application interface.
- the service QoT level corresponding to the service selected by the user is deemed to match the device QoT level of the terminal device.
- the processing policy corresponding to the service QoT level corresponding to the service selected by the user is prohibited.
- the application explicitly informs the user of the denial of service.
- the application can also explicitly inform the rejection reason, which is that the service QoT level corresponding to the service currently selected by the user does not match the device QoT level of the terminal device.
- the target connection identifier is a connection identifier of a target communication connection established between the terminal device and the destination address of the first service that matches the service QoT level corresponding to the first service.
- a connection identification set is stored in the terminal device.
- the connection identification set is used to record the connection identification of the communication connection established by the terminal device.
- each connection identifier in the connection identification set is associated with a destination address and a service QoT level.
- after the terminal device obtains the service QoT level corresponding to the first service and the destination address of the first service, it first queries whether the connection identification set stores a connection identifier corresponding to that destination address and that service QoT level. When the connection identifier set contains no connection identifier corresponding to the service QoT level corresponding to the first service and the destination address of the first service, the following steps 3021 to 3023 are performed.
- after receiving the data transmission request sent by the terminal device, the management device establishes a target communication connection between the terminal device and the destination address of the first service based on the QoT certificate in the data transmission request.
- the management device can first verify whether the QoT certificate in the data transmission request is valid, and then establish a corresponding communication connection if the QoT certificate is valid.
- the data transmission request further includes a service QoT level indication, where the service QoT level indication is used to indicate the service QoT level corresponding to the first service.
- the data transmission request may not include the service QoT level indication.
- the terminal device receives a data transmission response sent by the management device, where the data transmission response includes a target connection identifier.
- Step 303 The terminal device sends a service packet of the first service to the destination address of the first service, where the service packet includes a target connection identifier.
- the target connection identifier in the service packet of the first service is used to indicate that the service packet is transmitted based on the target communication connection.
- the service packet of the first service also includes an indication of the service QoT level corresponding to the first service and an integrity verification tag for the indication.
- the integrity verification tag for the indication can be a message authentication code (MAC) calculated by the terminal device over the indication using the symmetric key k, or a signature generated by the terminal device over the indication using its private key.
- the integrity verification tag is used to verify message integrity and whether it has been tampered with.
- a QoT header is extended in the message header of the service message of the first service to carry an indication of the service QoT level corresponding to the first service.
- the indication of the service QoT level corresponding to the first service can specifically be the service QoT level corresponding to the first service, or it can also be the service type of the first service.
- the network side can determine the service QoT level corresponding to the first service from the service type of the first service, based on a preset correspondence between service types and service QoT levels.
- after receiving the service packet of the first service, the network device performs the following steps 304 to 305.
- the service message received by the network device includes an indication of the service QoT level corresponding to the first service and an integrity verification label for the indication.
- the network device first verifies the integrity verification label; if the verification passes, it performs the following steps 304 to 305, otherwise it directly discards the service packet.
- after receiving the path calculation request from the network device, the management device determines the target transmission path used by the target communication connection according to the service QoT level corresponding to the target connection identifier.
- the device QoT level of the network equipment on the target transmission path matches the service QoT level corresponding to the target connection identifier.
- the management device then sends a path calculation response to the network device.
- the management device is responsible for the QoT information management of the entire life cycle of the network device, including initialization, modification, update, storage, distribution, deletion, etc. of the device QoT level.
- the management device can determine the device QoT level of each network device based on attributes such as the network device's software configuration information, hardware configuration information, runtime status, manufacturer's reliability, and historical forwarding performance.
- Another possible implementation is that after the management device establishes the target communication connection, it determines the target transmission path used by the target communication connection, and then the management device carries the path information of the target transmission path in the data transmission response sent to the terminal device.
- the data transmission response is forwarded by the network device to the end device.
- the network device here can be an edge device through which the terminal device accesses the network.
- after the network device receives the data transmission response sent by the management device to the terminal device, it parses the data transmission response and obtains and stores the correspondence between the target transmission path and the target connection identifier, so that once the network device receives a service packet carrying the target connection identifier, it can directly use the target transmission path to transmit the service packet.
- the terminal device parses the data transmission response, obtains and stores the corresponding relationship between the target transmission path and the target connection identifier.
- the terminal device then carries the path information of the target transmission path in the service message sent, for example, adds a label list to the header of the service message to carry the path information.
- the network device that receives the service message can directly obtain the path information of the target transmission path from the service message.
- Step 305 The network device forwards the service message based on the target transmission path.
- the network device forwards the service message based on the target transmission path.
- each network device through which the service packet passes can perform the verification process, or the verification process can be performed only by the edge device of each domain through which the service message passes; this is not limited in the embodiment of this application.
- the network device can verify whether the service QoT level actually used by the service message is the same as the service QoT level of the service, and can also verify whether the service message has been tampered with, thereby improving the reliability and credibility of data transmission.
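As an added illustration of steps 303 to 305 (not code from the patent), the following Python sketches the service packet with its extended QoT header and MAC tag, the network device's verification and discard logic, and a management device that answers a path calculation request with a path whose devices' QoT levels match the connection's service QoT level. The key k, the topology, the connection identifiers and the matching-table rows other than the level-3 one are constructed assumptions.

```python
import hashlib
import hmac
import json
from collections import deque
from typing import Dict, List, Optional

# Constructed key k shared by terminal and verifying network device (provisioning not on the page).
KEY_K = b"constructed-symmetric-key-k"

# Levels matched by each device QoT level; row 3 is the page's example, the others constructed alike.
DEVICE_MATCHES_SERVICE = {1: {1, 2}, 2: {1, 2, 3}, 3: {1, 2, 3, 4}, 4: {1, 2, 3, 4, 5}}


def indication_bytes(service_qot_level: int) -> bytes:
    # Canonical encoding of the QoT header indication that the MAC covers.
    return json.dumps({"service_qot_level": service_qot_level}, sort_keys=True).encode()


def make_service_packet(key: bytes, target_connection_id: str, service_qot_level: int,
                        destination: str, data: bytes) -> dict:
    """Terminal side: connection identifier, extended QoT header, MAC over the indication."""
    tag = hmac.new(key, indication_bytes(service_qot_level), hashlib.sha256).hexdigest()
    return {"target_connection_id": target_connection_id,
            "qot_header": {"service_qot_level": service_qot_level},
            "integrity_tag": tag, "destination": destination, "data": data}


class ManagementDevice:
    """Answers path calculation requests with a path on which every network device
    has a device QoT level matching the connection's service QoT level."""

    def __init__(self, links: Dict[str, List[str]], device_qot_levels: Dict[str, int],
                 connection_levels: Dict[str, int]) -> None:
        self.links = links                          # node -> neighbouring nodes
        self.device_qot_levels = device_qot_levels  # network device -> device QoT level
        self.connection_levels = connection_levels  # connection identifier -> service QoT level

    def calculate_path(self, connection_id: str, ingress: str, destination: str) -> Optional[List[str]]:
        level = self.connection_levels.get(connection_id)

        def usable(node: str) -> bool:
            # Servers are endpoints; network devices need a matching device QoT level.
            d = self.device_qot_levels.get(node)
            return node == destination or (d is not None and level in DEVICE_MATCHES_SERVICE[d])

        if level is None or not usable(ingress):
            return None
        parent: Dict[str, Optional[str]] = {ingress: None}   # breadth-first search
        queue = deque([ingress])
        while queue:
            node = queue.popleft()
            if node == destination:                # rebuild the shortest matching path
                path = []
                while node is not None:
                    path.append(node)
                    node = parent[node]
                return path[::-1]
            for nxt in self.links.get(node, []):
                if nxt not in parent and usable(nxt):
                    parent[nxt] = node
                    queue.append(nxt)
        return None   # no path made up of matching network devices exists


class NetworkDevice:
    """Edge device: verifies the tag and the level indication (step 304), then
    obtains the target transmission path and forwards along it (step 305)."""

    def __init__(self, name: str, key: bytes, management: ManagementDevice) -> None:
        self.name, self.key, self.management = name, key, management
        self.path_cache: Dict[str, List[str]] = {}   # connection identifier -> path

    def verify(self, packet: dict) -> Optional[str]:
        """Returns the discard reason, or None when the packet passes verification."""
        level = packet["qot_header"]["service_qot_level"]
        expected = hmac.new(self.key, indication_bytes(level), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet["integrity_tag"]):
            return "integrity tag mismatch: indication was tampered with"
        if self.management.connection_levels.get(packet["target_connection_id"]) != level:
            return "indicated level is not the connection's service QoT level"
        return None

    def forward(self, packet: dict) -> Optional[List[str]]:
        """Returns the transmission path used, or None when the packet is discarded."""
        if self.verify(packet) is not None:
            return None
        conn_id = packet["target_connection_id"]
        if conn_id not in self.path_cache:   # path calculation request / response
            path = self.management.calculate_path(conn_id, self.name, packet["destination"])
            if path is None:
                return None
            self.path_cache[conn_id] = path
        return self.path_cache[conn_id]


def build_demo_edge() -> NetworkDevice:
    """Constructed topology: 402A reaches server 403A via 402B (level 2) or 402C (level 4)."""
    management = ManagementDevice({"402A": ["402B", "402C"], "402B": ["403A"], "402C": ["403A"]},
                                  {"402A": 4, "402B": 2, "402C": 4},
                                  {"connection 1": 4, "connection 3": 2})
    return NetworkDevice("402A", KEY_K, management)
```

A level-4 connection is steered away from 402B, while a packet whose indication was altered after tagging, or whose tag is valid but whose level disagrees with the connection, is discarded before any path is requested.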
- the terminal device obtains the service QoT level corresponding to the second service, and the service QoT level corresponding to the second service does not match the device QoT level of the terminal device.
- the terminal device refuses to transmit the service packet of the second service.
- since the QoT forwarding policy on the application side can be manually changed by the user, it may happen that the application-side QoT forwarding policy allows the operation of services whose service QoT level does not match the device QoT level of the terminal device.
- the device QoT level of the terminal device is 3.
- the QoT forwarding policy on the network side is that device QoT level 3 matches service QoT levels 1-4.
- the QoT forwarding policy on the application side is to prohibit the operation of services with service QoT level 5.
- the user starts the application on the terminal device and selects a service with service QoT level 5.
- the application will explicitly inform the user of the denial of service.
- the trusted data transmission service enables the network side to not only meet the trust requirements of the business, but also take into account the credibility of the terminal device, thereby achieving trusted transmission of data.
- the terminal device may decide to refuse transmission on its own. For example, when the QoT certificate of the terminal device includes the service QoT levels provided by the management device to the terminal device, after the terminal device obtains the service message it can determine, based on its own QoT certificate, whether the service QoT level carried in the service message belongs to the service QoT levels provided by the management device to the terminal device. If it does not, the terminal device determines that the service QoT level does not match the device QoT level of the terminal device, and can then refuse to transmit the corresponding service packet.
- when the terminal device receives the service message from the application, it may send a data transmission request to the management device, where the data transmission request includes the QoT certificate of the terminal device, the service QoT level indication and the destination address.
- if the management device determines that the service QoT level indicated by the service QoT level indication does not belong to the service QoT levels that match the device QoT level of the terminal device, that is, that the indicated service QoT level does not match the device QoT level of the terminal device, the management device can send a transmission rejection response to the terminal device. Based on the transmission rejection response, the terminal device refuses to transmit the corresponding service message.
- FIG. 4 is a schematic diagram of an implementation scenario provided by an embodiment of the present application.
- the implementation scenario includes a terminal device 401, network devices 402A-402F, and servers 403A-403C. It is assumed that the terminal device 401 is authorized to use data transmission services with service QoT levels of 1-4.
- a communication connection 1 with a service QoT level of 4 is established between the terminal device 401 and the server 403A.
- the transmission path used by the communication connection 1 includes a network device 402A and a network device 402B.
- a communication connection 2 with a service QoT level of 3 is established between the terminal device 401 and the server 403B.
- the transmission path used by the communication connection 2 includes a network device 402C and a network device 402D.
- a communication connection 3 with a service QoT level of 2 is established between the terminal device 401 and the server 403C.
- the transmission path used by the communication connection 3 includes a network device 402E and a network device 402F. It is assumed that the service QoT level corresponding to the multimedia streaming service is 2, the service QoT level corresponding to the user information service is 3, and the service QoT level corresponding to the payment service is 4.
- the terminal device 401 can send a service message of the payment service to the server 403A through the communication connection 1.
- the terminal device 401 can send the service packet of the user information service to the server 403B through the communication connection 2.
- the terminal device 401 can send the service packet of the multimedia streaming service to the server 403C through the communication connection 3.
- for a service with a service QoT level of 5, the terminal device 401 will refuse to transmit the service packet, because the network side has not authorized the terminal device to use the data transmission service with a service QoT level of 5.
- after the terminal device obtains the service QoT level corresponding to the service, and when that service QoT level matches the device QoT level of the terminal device, the terminal device obtains the connection identifier of the communication connection, established between the terminal device and the destination address of the service, that matches the service QoT level corresponding to the service, and then carries it in the service message of the service sent to the destination address of the service.
- the connection identifier is used to instruct the network device that receives the service message to transmit the service message based on the communication connection corresponding to the connection identifier.
- the network side can combine the trustworthiness of the terminal device with the trust requirements of the service when transmitting data, providing matching trusted transmission for the service on the terminal device and improving network service quality and the user's service experience.
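The following Python example, added here and not part of the patent, walks the FIG. 4 scenario through the connection identification set lookup, the data transmission request and response, and the refusal of a level-5 service. The connection identifier format, the device QoT level of 3 for terminal device 401, the fallback to the default service QoT level for unknown service types and the level-5 service itself are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Service QoT classification from the FIG. 4 scenario; the level-5 service is
# constructed to exercise the refusal path.
SERVICE_QOT_LEVELS = {"multimedia_streaming": 2, "user_information": 3,
                      "payment": 4, "level5_service": 5}


@dataclass(frozen=True)
class QoTCertificate:
    """QoT certificate of a terminal device: device QoT level plus the network-side
    QoT forwarding policy (highest and default service QoT level). The management
    device's signature over these fields is left out here (assumption)."""
    device_id: str
    device_qot_level: int
    highest_service_qot_level: int
    default_service_qot_level: int

    def service_level_matches(self, service_qot_level: int) -> bool:
        # A service QoT level matches the device QoT level when the management
        # device has authorised it, i.e. it is at most the highest allowed level.
        return 1 <= service_qot_level <= self.highest_service_qot_level


class ManagementDevice:
    """Establishes a target communication connection for a data transmission
    request whose service QoT level matches, or answers with a rejection."""

    def __init__(self) -> None:
        self._next_id = 1
        # connection identifier -> (device id, destination address, service QoT level)
        self.connections: Dict[str, Tuple[str, str, int]] = {}

    def handle_data_transmission_request(self, cert: QoTCertificate,
                                         destination: str, service_qot_level: int) -> dict:
        if not cert.service_level_matches(service_qot_level):
            return {"type": "reject_transmission",
                    "reason": "service QoT level does not match device QoT level"}
        conn_id = f"connection {self._next_id}"   # constructed identifier format
        self._next_id += 1
        self.connections[conn_id] = (cert.device_id, destination, service_qot_level)
        return {"type": "data_transmission_response", "target_connection_id": conn_id}


class TerminalDevice:
    """Keeps the connection identification set and asks the management device
    only when no connection for (destination, service QoT level) exists yet."""

    def __init__(self, cert: QoTCertificate, management: ManagementDevice) -> None:
        self.cert = cert
        self.management = management
        self.connection_set: Dict[Tuple[str, int], str] = {}

    def get_target_connection_id(self, destination: str, service_qot_level: int) -> Optional[str]:
        key = (destination, service_qot_level)
        if key in self.connection_set:
            return self.connection_set[key]      # reuse the stored identifier
        response = self.management.handle_data_transmission_request(
            self.cert, destination, service_qot_level)
        if response["type"] != "data_transmission_response":
            return None                           # transmission rejected
        self.connection_set[key] = response["target_connection_id"]
        return response["target_connection_id"]

    def send_service_message(self, service_type: str, destination: str, data: bytes) -> dict:
        # Unknown service types fall back to the default level of the forwarding policy (assumption).
        service_qot_level = SERVICE_QOT_LEVELS.get(service_type, self.cert.default_service_qot_level)
        if not self.cert.service_level_matches(service_qot_level):   # refuse locally
            return {"status": "refused",
                    "reason": f"not authorised for service QoT level {service_qot_level}"}
        conn_id = self.get_target_connection_id(destination, service_qot_level)
        if conn_id is None:
            return {"status": "refused", "reason": "management device rejected transmission"}
        # Step 303: the service message carries the target connection identifier
        # and the service QoT level indication in a QoT header.
        return {"status": "sent", "target_connection_id": conn_id,
                "qot_header": {"service_qot_level": service_qot_level},
                "destination": destination, "data": data}


def fig4_scenario() -> Tuple[list, ManagementDevice]:
    """Terminal device 401, authorised for service QoT levels 1-4 (device QoT
    level 3 is assumed, following the page's level-3-matches-1-to-4 example)."""
    management = ManagementDevice()
    terminal = TerminalDevice(QoTCertificate("terminal 401", 3, 4, 2), management)
    results = [
        terminal.send_service_message("payment", "server 403A", b"pay"),
        terminal.send_service_message("user_information", "server 403B", b"profile"),
        terminal.send_service_message("multimedia_streaming", "server 403C", b"chunk"),
        terminal.send_service_message("payment", "server 403A", b"pay again"),
        terminal.send_service_message("level5_service", "server 403A", b"secret"),
    ]
    return results, management
```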
- FIG. 5 is a schematic diagram of a system architecture provided by an embodiment of the present application.
- the main body of this system architecture is the trust domain.
- Each trust domain includes three main function sets, namely access and delivery control functions, domain administration functions and trust management functions.
- Trusted domains can connect to external trusted domains and applications/services through reference points. Applications/services can also be connected through reference points to form an end-to-end reference architecture.
- the reference point Tx is a logical reference point that enables end-to-end request/response information to be reliably and securely exchanged between applications/services in order to establish a trustworthy network.
- the trust domain is connected to the external trust domain through reference points Tp and Td.
- the reference point Tp is the control plane interface that enables the reliable and secure exchange of request/response information between trust domains.
- the reference point Td is the data plane interface, which provides reliable and secure cross-domain data transmission.
- the trust domain and the application/service are connected through the reference point Ts.
- the reference point Ts enables the reliable and secure exchange of request/response information between the trust domain and the application/service.
- for details, refer to Y.3053; they will not be described in detail here in the embodiment of this application.
- the access and distribution control function set includes the trust-based routing support functional entity (TRS-FE), data transport and processing functional entity (DPT-FE), accessing/peering control support functional entity (APCS-FE), trust based tunneling support functional entity (TTS-FE) and ID-based routing support functional entity (IRS-FE).
- TRS-FE trust-based routing support functional entity
- DPT-FE data transport and processing functional entity
- APCS-FE accessing/peering control support functional entity
- TTS-FE trust based tunneling support functional entity
- IRS-FE ID-based routing support functional entity
- the domain management function set includes the ID-locator mapping support functional entity (ILMS-FE), domain membership management functional entity (DMM-FE), domain policy management functional entity (DPM-FE) and domain application and service management functional entity (DASM-FE).
- the trust management function set includes the trust verification support functional entity (TVS-FE), trust level verification functional entity (TLV-FE) and trust information lifecycle management functional entity (TILM-FE).
- TVS-FE trust verification support functional entity
- TLV-FE trust level verification functional entity
- TILM-FE trust information lifecycle management functional entity
- in Y.3053, the TVS-FE is responsible for collecting information about network elements within the trust domain in order to evaluate their trust level. Based on the original functions of this functional entity, this application enhances its QoT information collection capability, that is, this functional entity can determine and collect the information on network elements needed for QoT assessment. Network devices and terminal devices are collectively referred to here as network elements.
- in Y.3053, the TLV-FE is responsible for evaluating the trust level of network elements. Based on the original functions of this functional entity, this application enhances its QoT level assessment capability. This capability can be implemented in two ways: 1) directly evaluate the device QoT level of the network element based on the QoT evaluation model; 2) first evaluate the trust level of the network element according to the definition of Y.3053, and then map it to a device QoT level.
- in Y.3053, the TILM-FE is responsible for the life cycle management of trust information within the trust domain, such as the creation, distribution, modification and deletion of trust values. Based on the original functions, this application enhances the capability of QoT information life cycle management, including the creation, distribution, modification and deletion of device QoT levels of network elements.
- the DASM-FE is responsible for managing the QoT classification of services and performing session management based on the service QoT level and the QoT certificate of the terminal device.
- the TTS-FE implements QoT-based end-to-end tunnel management, including establishment, maintenance, modification and release, based on the QoT policy of the session and the QoT information carried in the service packets.
- the application/service has a built-in QoT module that provides QoT processing capabilities for the application, for example obtaining the QoT certificate of the terminal device and setting or modifying the QoT forwarding policy on the application side.
- the registration request includes the device identification of the end device.
- the registration request also includes the user identification of the terminal device.
- the explanation of this step 601 may refer to the above-mentioned step 201, which will not be described again in this embodiment of the present application.
- Step 602 The DMM-FE sends QoT assessment request signaling to the TLV-FE.
- Step 606 TLV-FE sends the QoT evaluation result to DMM-FE.
- this step 608 may refer to the above-mentioned step 205, which will not be described again in the embodiment of this application.
- the QoT forwarding policy of the terminal device on the network side includes the highest service QoT level that the terminal device is allowed to use.
- and/or the service QoT level used by default by different types and/or terminal devices.
- the registration request includes the device identification of the end device.
- the registration request also includes the user identification of the terminal device.
- the explanation of this step 701 may refer to the above-mentioned step 201, which will not be described again in this embodiment of the present application.
- Step 702 The DMM-FE/TLV-FE sends a QoT authentication request to the terminal device, where the QoT authentication request includes a QoT parameter indication.
- this step 703 may refer to the above-mentioned step 203, which will not be described again in this embodiment of the present application.
- Step 704 DMM-FE/TLV-FE performs QoT evaluation on the terminal device based on the QoT parameters sent by the terminal device, and obtains a QoT evaluation result.
- the QoT evaluation result includes the device QoT level of the terminal device.
- Step 705 DMM-FE/TLV-FE uses the private key to issue a QoT certificate for the terminal device.
- the QoT certificate includes the QoT evaluation result.
- Step 706 DMM-FE/TLV-FE sends the QoT certificate to the terminal device.
- this step 706 may refer to the above-mentioned step 205, which will not be described again in this embodiment of the present application.
- Step 707 DMM-FE/TLV-FE sends a QoT certificate update message to DASM-FE.
- the QoT certificate update message includes the device identification of the terminal device and the QoT certificate of the terminal device.
- Step 708 DASM-FE generates a QoT forwarding policy for the terminal device on the network side based on the QoT certificate update message.
- the QoT forwarding policy of the terminal device on the network side includes the highest service QoT level allowed to be used by the terminal device and/or the service QoT level used by the terminal device by default.
- the update process of the QoT certificate of the terminal device may refer to the registration process shown in FIG. 6 or FIG. 7 , and will not be described again in the embodiment of the present application.
- this step 801 may refer to the above-mentioned step 301, which will not be described again in this embodiment of the present application.
- Step 805 DASM-FE sends a session establishment response to the terminal device, where the session establishment response includes a session identifier.
- Step 806 The terminal device sends a service message, which includes the session identifier, an indication of the service QoT level corresponding to the service, and an integrity verification label for the indication.
- Step 808 After the network device passes the verification of the integrity verification label, it sends a path calculation request to the TRS-FE.
- the path calculation request includes the session identifier and the destination address of the service.
- Step 809 TRS-FE queries DASM-FE for the service QoT level corresponding to the session identifier.
- Step 811 The TRS-FE determines a transmission path according to the service QoT level corresponding to the session identifier.
- the device QoT level of the network device on the transmission path matches the service QoT level corresponding to the session identifier.
- FIG. 9 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
- terminal device 900 includes:
- the processing module 901 is configured to obtain the service QoT level corresponding to the first service and the destination address of the first service.
- the service QoT level corresponding to the first service matches the device QoT level of the terminal device.
- the processing module 901 is also configured to obtain a target connection identifier according to the service QoT level corresponding to the first service and the destination address of the first service.
- the target connection identifier is the connection identifier of the target communication connection established between the terminal device and the destination address of the first service that matches the service QoT level corresponding to the first service.
- the sending module 902 is configured to send a service message of the first service to the destination address of the first service.
- the service message includes a target connection identifier, and the target connection identifier is used to indicate that the service message is transmitted based on the target communication connection.
- a connection identification set is stored in the terminal device.
- the connection identification set is used to record the connection identification of the communication connection established by the terminal device.
- each connection identifier in the connection identification set is associated with a destination address and a service QoT level.
- the terminal device also includes a receiving module 903.
- the processing module 901 is configured to send a data transmission request to the management device through the sending module 902 when the connection identifier set contains no connection identifier corresponding to the service QoT level corresponding to the first service and the destination address of the first service, and to receive, through the receiving module 903, a data transmission response sent by the management device.
- the data transmission request includes the destination address of the first service and the QoT certificate of the terminal device.
- the QoT certificate includes the device QoT level of the terminal device.
- the data transmission response includes the target connection identifier.
- the processing module 901 is also configured to add the correspondence among the destination address of the first service, the service QoT level corresponding to the first service and the target connection identifier to the connection identification set after the terminal device receives the data transmission response sent by the management device.
- the sending module 902 is configured to send QoT parameters of the terminal device to the management device, where the QoT parameters include one or more of device identity information, hardware configuration information, software configuration information or network access information.
- the receiving module 903 is configured to receive the QoT certificate obtained based on the QoT parameters and sent by the management device.
- the sending module 902 is also configured to send a registration request to the management device before sending the QoT parameters of the terminal device to the management device.
- the receiving module 903 is also configured to receive a QoT authentication request sent by the management device.
- the QoT authentication request includes a QoT parameter indication, and the QoT parameter indication is used to indicate the QoT parameters that the terminal device needs to provide.
- the sending module 902 is configured to send a QoT authentication response to the management device, where the QoT authentication response includes the QoT parameters indicated by the QoT parameter indication.
- the sending module 902 is also configured to send the latest QoT parameters of the terminal device to the management device when the QoT certificate meets the certificate update conditions.
- the receiving module 903 is also used to receive the updated QoT certificate based on the latest QoT parameters sent by the management device.
- the certificate update conditions include one or more of the following: the QoT certificate exceeds the validity period; the QoT parameters of the terminal device change; the terminal device and/or the management device cannot parse the QoT certificate.
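As an added example (not the patent's own code), the following Python models the QoT authentication exchange driven by a parameter indication and the three certificate update conditions listed above. The certificate encoding, the validity timestamp and the digest that binds the certificate to the evaluated parameters are assumptions, and the management device's private-key signature is not modelled.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

# QoT parameter names taken from the page; the values used with them are constructed.
QOT_PARAMETER_NAMES = ("device_identity", "hardware_configuration",
                       "software_configuration", "network_access")


def build_qot_authentication_response(terminal_parameters: Dict[str, str],
                                      parameter_indication: List[str]) -> Dict[str, str]:
    """Terminal side: return exactly the QoT parameters the parameter indication asks for."""
    unknown = [name for name in parameter_indication if name not in QOT_PARAMETER_NAMES]
    if unknown:
        raise ValueError(f"QoT parameter indication names unknown parameters: {unknown}")
    return {name: terminal_parameters[name] for name in parameter_indication}


def digest_parameters(parameters: Dict[str, str]) -> str:
    # Canonical digest of the evaluated parameters, so that the certificate can later
    # be compared with the terminal's current parameters (assumption).
    return hashlib.sha256(json.dumps(parameters, sort_keys=True).encode()).hexdigest()


@dataclass(frozen=True)
class QoTCertificate:
    device_id: str
    device_qot_level: int            # QoT evaluation result
    highest_service_qot_level: int   # network-side QoT forwarding policy
    default_service_qot_level: int
    parameters_digest: str           # binds the certificate to the evaluated parameters
    valid_until: int                 # constructed: Unix time at which the validity period ends


def issue_qot_certificate(device_id: str, evaluated_parameters: Dict[str, str],
                          device_qot_level: int, highest_level: int, default_level: int,
                          now: int, validity_seconds: int) -> bytes:
    """Management side (DMM-FE/TLV-FE). The page's private-key signature is not
    modelled; the certificate is a serialised record (assumption)."""
    cert = QoTCertificate(device_id, device_qot_level, highest_level, default_level,
                          digest_parameters(evaluated_parameters), now + validity_seconds)
    return json.dumps(asdict(cert), sort_keys=True).encode()


def parse_qot_certificate(blob: bytes) -> QoTCertificate:
    fields = json.loads(blob.decode())
    return QoTCertificate(**fields)   # TypeError when fields are missing or unexpected


def certificate_update_reason(blob: bytes, current_parameters: Dict[str, str],
                              now: int) -> Optional[str]:
    """Returns the certificate update condition that applies, or None when the
    certificate is still usable (the same check serves terminal and management device)."""
    try:
        cert = parse_qot_certificate(blob)
    except (ValueError, TypeError):   # JSONDecodeError and UnicodeDecodeError are ValueErrors
        return "certificate cannot be parsed"
    if now > cert.valid_until:
        return "validity period exceeded"
    if digest_parameters(current_parameters) != cert.parameters_digest:
        return "QoT parameters changed"
    return None
```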
- the service message also includes an indication of the service QoT level corresponding to the first service and an integrity verification label for the indication.
- the processing module 901 is also configured to obtain the service QoT level corresponding to the second service.
- the service QoT level corresponding to the second service does not match the device QoT level of the terminal device.
- the processing module 901 is also configured to refuse to transmit the service packet of the second service.
- FIG. 11 is a schematic structural diagram of a management device provided by an embodiment of the present application.
- the management device 1100 includes:
- the receiving module 1101 is configured to receive a data transmission request sent by the terminal device.
- the data transmission request includes the destination address of the first service and the QoT certificate of the terminal device.
- the QoT certificate includes the device QoT level of the terminal device.
- the processing module 1102 is configured to establish a target communication connection between the terminal device and the destination address of the first service based on the QoT certificate, where the service QoT level corresponding to the target communication connection matches the device QoT level of the terminal device.
- the sending module 1103 is configured to send a data transmission response to the terminal device, where the data transmission response includes a target connection identifier, and the target connection identifier is the connection identifier of the target communication connection.
- the data transmission request further includes a service QoT level indication
- the service QoT level indication is used to indicate the service QoT level corresponding to the first service.
- the processing module 1102 is configured to: when the service QoT level indicated by the service QoT level indication matches the device QoT level of the terminal device, establish a target communication connection corresponding to the service QoT level indicated by the service QoT level indication.
- the QoT certificate also includes the QoT forwarding policy of the management device for the terminal device.
- the QoT forwarding policy includes the highest service QoT level provided by the management device to the terminal device and/or the default service QoT level provided by the management device to the terminal device.
- the receiving module 1101 is also configured to receive QoT parameters of the terminal device sent by the terminal device.
- the QoT parameters include one or more of device identity information, hardware configuration information, software configuration information or network access information.
- the processing module 1102 is also used to generate a QoT certificate based on the QoT parameters.
- the sending module 1103 is also used to send the QoT certificate to the terminal device.
- the receiving module 1101 is also used to receive a registration request sent by the terminal device.
- the sending module 1103 is also configured to send a QoT authentication request to the terminal device based on the registration request.
- the QoT authentication request includes a QoT parameter indication, and the QoT parameter indication is used to indicate the QoT parameters that the terminal device needs to provide.
- the receiving module 1101 is configured to receive a QoT authentication response sent by the terminal device, where the QoT authentication response includes the QoT parameters indicated by the QoT parameter indication.
- FIG. 12 is a schematic structural diagram of a network device provided by an embodiment of the present application.
- network device 1200 includes:
- the receiving module 1201 is configured to receive a service message of the first service sent by the terminal device, where the service message includes a target connection identifier.
- the processing module 1202 is configured to obtain the target transmission path corresponding to the target connection identifier, where the device quality of trust (QoT) level of the network devices on the target transmission path matches the service QoT level corresponding to the target connection identifier.
- the sending module 1203 is used to forward service messages based on the target transmission path.
- the processing module 1202 is configured to: send a path calculation request to the management device through the sending module 1203, where the path calculation request includes the target connection identifier.
- the path calculation response sent by the management device is received through the receiving module 1201, where the path calculation response includes path information of the target transmission path.
- the service message also includes an indication of the service QoT level corresponding to the first service and an integrity verification label for the indication.
- the sending module 1203 is configured to: when the service QoT level indicated by the indication is the same as the service QoT level corresponding to the target connection identifier, and the network device passes the verification of the integrity verification label, forward the service message based on the target transmission path.
- the memory 1302 is used to store computer programs, which include an operating system and program code.
- Memory 1302 may be any of various types of storage media, such as read-only memory (ROM), random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), flash memory, optical memory, registers, optical disk storage, magnetic disks or other magnetic storage devices.
- the terminal device 1300 also includes a network interface 1304, which is connected to the processor 1301 and the memory 1302 through a bus 1303.
- the network interface 1304 enables communication between the terminal device 1300 and the network side.
- the processor 1301 can interact with the network side through the network interface 1304 to register QoT certificates and perform data transmission.
- the terminal device 1300 also includes an input/output (I/O) interface 1305.
- the I/O interface 1305 is connected to the processor 1301 and the memory 1302 through a bus 1303.
- the processor 1301 can receive input commands or data through the I/O interface 1305.
- the I/O interface 1305 is used for the terminal device 1300 to connect input devices, such as a keyboard, a mouse, etc.
- the above-mentioned network interface 1304 and I/O interface 1305 are collectively referred to as communication interfaces.
- the above-mentioned devices may be arranged on separate chips, or at least part or all of them may be arranged on the same chip. Whether each device is independently installed on different chips or integrated on one or more chips often depends on the needs of product design.
- the embodiments of this application do not limit the specific implementation forms of the above devices.
- the terminal device 1300 shown in Figure 13 is only exemplary. In implementation, the terminal device 1300 may include other components, which are not listed one by one here.
- the terminal device 1300 shown in Figure 13 can implement data transmission by executing all or part of the steps of the method provided by the above embodiment.
- the processor 1401 is a general-purpose processor or a special-purpose processor.
- Processor 1401 may be a single-core processor or a multi-core processor.
- the processor 1401 includes at least one circuit to perform actions performed by the management device in the above method embodiments provided by the embodiments of this application.
- the management device 1400 also includes a network interface 1404, which is connected to the processor 1401 and the memory 1402 through a bus 1403.
- the network interface 1404 enables communication between the management device 1400 and the application side.
- the processor 1401 can interact with the application side through the network interface 1404 to issue QoT certificates to the terminal device and to establish communication connections.
- the management device 1400 shown in Figure 14 is only exemplary. In implementation, the management device 1400 may include other components, which are not listed one by one here.
- the management device 1400 shown in Figure 14 can implement data transmission by executing all or part of the steps of the method provided by the above embodiment.
- FIG. 15 is a schematic diagram of the hardware structure of a network device provided by an embodiment of the present application.
- the network device 1500 includes a processor 1501 and a memory 1502 .
- the processor 1501 and the memory 1502 are connected through a bus 1503.
- Figure 15 illustrates the processor 1501 and the memory 1502 as separate from each other; alternatively, the processor 1501 and the memory 1502 are integrated together.
- the memory 1502 is used to store computer programs, which include an operating system and program code.
- Memory 1502 may be any of various types of storage media, such as ROM, RAM, EEPROM, CD-ROM, flash memory, optical memory, registers, optical disk storage, magnetic disks or other magnetic storage devices.
- the processor 1501 is a general-purpose processor or a special-purpose processor.
- Processor 1501 may be a single-core processor or a multi-core processor.
- the processor 1501 includes at least one circuit to perform actions performed by the network device in the above method embodiments provided by the embodiments of this application.
- the network device 1500 also includes a network interface 1504, which is connected to the processor 1501 and the memory 1502 through a bus 1503.
- the network interface 1504 enables the network device 1500 to communicate with the application side and management device.
- the processor 1501 can receive service packets from the application side through the network interface 1504 and forward the service packets.
- the network device 1500 also includes an I/O interface 1505, which is connected to the processor 1501 and the memory 1502 through the bus 1503.
- the processor 1501 can receive input commands or data through the I/O interface 1505.
- the I/O interface 1505 is used for the network device 1500 to connect input devices, such as keyboards, mice, etc.
- the above-mentioned network interface 1504 and I/O interface 1505 are collectively referred to as communication interfaces.
- the network device 1500 shown in Figure 15 is only exemplary. In implementation, the network device 1500 may include other components, which are not listed one by one here.
- the network device 1500 shown in Figure 15 can implement data transmission by executing all or part of the steps of the method provided by the above embodiment.
- Embodiments of the present application also provide a computer-readable storage medium storing instructions. When the instructions are executed by a processor, the actions performed by the terminal device, the management device or the network device in the above method embodiments are implemented.
- Embodiments of the present application also provide a computer program product, including a computer program.
- when the computer program is executed by a processor, the actions performed by the terminal device, the management device or the network device in the above method embodiments are implemented.
- the information (including but not limited to user equipment information and user personal information), the data (including but not limited to data used for analysis, stored data and displayed data) and the signals involved in this application are all authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with the relevant laws, regulations and standards of the relevant countries and regions.
- the device identity information, device identifiers, user identifiers, QoT parameters and the like involved in this application are all obtained with full authorization.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present application relates to the technical field of communications, and discloses a data transmission method and apparatus and a system. A terminal device obtains a target connection identifier according to a service QoT level corresponding to a first service and a destination address of the first service. The service QoT level corresponding to the first service matches a device QoT level of the terminal device. The target connection identifier is the connection identifier of a target communication connection that is established between the terminal device and the destination address of the first service and matches the service QoT level corresponding to the first service. The terminal device sends a service packet of the first service to the destination address of the first service. The service packet comprises the target connection identifier, and the target connection identifier is used to instruct that the service packet be transmitted over the target communication connection. According to the present application, based on the credibility of the terminal device and the trust requirements of the service for data transmission, the network side can provide matched trusted transmission for a service on the terminal device, thereby improving the quality of service of the network and the service experience of the user.
Description
This application claims priority to Chinese patent application No. 202210699339.X, filed on June 20, 2022 and entitled "Data transmission method, apparatus and system", the entire contents of which are incorporated herein by reference.
The present application relates to the field of communication technology, and in particular to a data transmission method, apparatus and system.
With the development of technologies such as artificial intelligence, big data and digital twins, the value of data has become increasingly prominent; data has been called the "oil" of the digital economy. Ensuring that data flows in an orderly and trustworthy way is therefore crucial to the development of the digital economy. Since the network is the underlying carrier of data flow and transmission, how to transmit data securely and trustworthily across the network is an urgent problem to be solved.
Summary of the invention
This application provides a data transmission method, apparatus and system that can transmit data securely and trustworthily across a network.
In a first aspect, a data transmission method is provided. The method includes: a terminal device obtains a service quality of trust (QoT) level corresponding to a first service and a destination address of the first service, where the service QoT level corresponding to the first service matches the device QoT level of the terminal device. The terminal device obtains a target connection identifier according to the service QoT level corresponding to the first service and the destination address of the first service, where the target connection identifier is the connection identifier of a target communication connection that is established between the terminal device and the destination address of the first service and matches the service QoT level corresponding to the first service. The terminal device sends a service packet of the first service to the destination address of the first service, where the service packet includes the target connection identifier, and the target connection identifier is used to indicate that the service packet is to be transmitted over the target communication connection.
In this application, because the service QoT level corresponding to the service transmitted by the terminal device matches the device QoT level of the terminal device, and the communication connection over which the service is transmitted matches the service QoT level corresponding to that service, the network side can take into account both the credibility of the terminal device and the trust requirements of the service for data transmission, and provide matching trusted transmission for that service on that terminal device, improving the quality of service of the network and the service experience of the user.
Optionally, the terminal device stores a connection identifier set. The connection identifier set records the connection identifiers of the communication connections that the terminal device has already established, and each connection identifier in the set is associated with a destination address and a service QoT level. The terminal device obtains the target connection identifier according to the service QoT level corresponding to the first service and the destination address of the first service as follows: when the connection identifier set contains no connection identifier corresponding to the service QoT level corresponding to the first service and the destination address of the first service, the terminal device sends a data transmission request to the management device, where the data transmission request includes the destination address of the first service and the QoT certificate of the terminal device, and the QoT certificate includes the device QoT level of the terminal device. The terminal device receives a data transmission response sent by the management device, where the data transmission response includes the target connection identifier.
In this application, after the terminal device obtains the service QoT level corresponding to the first service and the destination address of the first service, it first queries whether the connection identifier set stores a connection identifier corresponding to the destination address of the first service and the service QoT level corresponding to the first service. If the connection identifier set stores such a connection identifier, the terminal device uses that connection identifier as the target connection identifier.
Optionally, the QoT certificate also includes the QoT forwarding policy of the management device for the terminal device, where the QoT forwarding policy includes the highest service QoT level that the management device provides to the terminal device and/or the default service QoT level that the management device provides to the terminal device.
In this application, carrying the management device's QoT forwarding policy for the terminal device in the QoT certificate helps the application side formulate its own QoT forwarding policy, so that the QoT forwarding policy on the application side matches the QoT forwarding policy on the network side as closely as possible, improving the efficiency of service operation.
Optionally, after the terminal device receives the data transmission response sent by the management device, the terminal device may add to the connection identifier set the correspondence between the destination address of the first service, the service QoT level corresponding to the first service and the target connection identifier.
Optionally, the data transmission request further includes a service QoT level indication, which indicates the service QoT level corresponding to the first service.
In this application, if the service QoT level corresponding to the first service is the default service QoT level that the management device provides to the terminal device, the data transmission request may omit the service QoT level indication. Accordingly, the management device directly establishes a communication connection corresponding to that default service QoT level.
Optionally, the terminal device sends QoT parameters of the terminal device to the management device, where the QoT parameters include one or more of device identity information, hardware configuration information, software configuration information and network access information. The terminal device receives a QoT certificate that the management device derives from the QoT parameters.
Optionally, before the terminal device sends its QoT parameters to the management device, the terminal device sends a registration request to the management device. The terminal device receives a QoT authentication request sent by the management device, where the QoT authentication request includes a QoT parameter indication that indicates which QoT parameters the terminal device needs to provide. One way for the terminal device to send its QoT parameters to the management device is: the terminal device sends a QoT authentication response to the management device, where the QoT authentication response includes the QoT parameters indicated by the QoT parameter indication.
Alternatively, the terminal device and the management device may agree in advance on the QoT parameters that the terminal device needs to provide when a QoT certificate is issued; in that case, when the terminal device wants to obtain a QoT certificate, it can send its QoT parameters to the management device directly.
Optionally, when the QoT certificate meets a certificate update condition, the terminal device sends its latest QoT parameters to the management device, and receives from the management device an updated QoT certificate derived from the latest QoT parameters.
Optionally, the certificate update condition includes one or more of the following: the QoT certificate has passed its validity period; the QoT parameters of the terminal device have changed; the terminal device and/or the management device cannot parse the QoT certificate.
Optionally, the service packet also includes an indication of the service QoT level corresponding to the first service and an integrity verification label for that indication. The integrity verification label may be a message authentication code or a digital signature.
In this application, by carrying in the service packet an indication of the service QoT level and an integrity verification label for that indication, a network device that receives the service packet can verify whether the service QoT level the packet actually uses is the same as the service QoT level the service genuinely matches, and can also verify whether the service packet has been tampered with, thereby improving the reliability and credibility of data transmission.
Optionally, the terminal device obtains a service QoT level corresponding to a second service, where the service QoT level corresponding to the second service does not match the device QoT level of the terminal device, and the terminal device refuses to transmit service packets of the second service. This prevents a user from maliciously using a trusted data transmission service that does not match the credibility of the terminal device, so that the network side can both satisfy the trust requirements of the service and take the credibility of the terminal device into account, thereby achieving trusted data transmission.
In a second aspect, a data transmission method is provided. The method includes: a management device receives a data transmission request sent by a terminal device, where the data transmission request includes a destination address of a first service and a QoT certificate of the terminal device, and the QoT certificate includes the device QoT level of the terminal device. Based on the QoT certificate, the management device establishes a target communication connection between the terminal device and the destination address of the first service, where the service QoT level corresponding to the target communication connection matches the device QoT level of the terminal device. The management device sends a data transmission response to the terminal device, where the data transmission response includes a target connection identifier, which is the connection identifier of the target communication connection.
In this application, the management device establishes, for a service on the terminal device, a communication connection that matches the device QoT level of the terminal device. The management device can thus take the credibility of the terminal device into account and provide matching trusted transmission for that service on that terminal device, improving the quality of service of the network and the service experience of the user.
Optionally, the data transmission request further includes a service QoT level indication, which indicates the service QoT level corresponding to the first service. The management device establishes the target communication connection between the terminal device and the destination address of the first service based on the QoT certificate as follows: when the service QoT level indicated by the service QoT level indication matches the device QoT level of the terminal device, the management device establishes a target communication connection corresponding to the service QoT level indicated by the service QoT level indication.
In this application, the management device establishes, for a service on the terminal device, a communication connection that matches both the device QoT level of the terminal device and the service QoT level corresponding to the service. The management device can thus combine the credibility of the terminal device with the trust requirements of the service for data transmission, and provide matching trusted transmission for that service on that terminal device, improving the quality of service of the network and the service experience of the user.
Optionally, the QoT certificate also includes the QoT forwarding policy of the management device for the terminal device, where the QoT forwarding policy includes the highest service QoT level that the management device provides to the terminal device and/or the default service QoT level that the management device provides to the terminal device.
Optionally, the management device receives the QoT parameters of the terminal device sent by the terminal device, where the QoT parameters include one or more of device identity information, hardware configuration information, software configuration information and network access information. The management device generates a QoT certificate based on the QoT parameters and sends the QoT certificate to the terminal device.
Optionally, the management device receives a registration request sent by the terminal device. Based on the registration request, the management device sends a QoT authentication request to the terminal device, where the QoT authentication request includes a QoT parameter indication that indicates which QoT parameters the terminal device needs to provide. One way for the management device to receive the QoT parameters of the terminal device is: the management device receives a QoT authentication response sent by the terminal device, where the QoT authentication response includes the QoT parameters indicated by the QoT parameter indication.
Optionally, the management device receives a path calculation request from a network device, where the path calculation request includes the target connection identifier. The management device determines the target transmission path used by the target communication connection according to the service QoT level corresponding to the target connection identifier, where the device QoT level of each network device on the target transmission path matches the service QoT level corresponding to the target connection identifier. The management device sends a path calculation response to the network device, where the path calculation response includes path information of the target transmission path.
In a third aspect, a data transmission method is provided. The method includes: a network device receives a service packet of a first service sent by a terminal device, where the service packet includes a target connection identifier. The network device obtains a target transmission path corresponding to the target connection identifier, where the device QoT level of each network device on the target transmission path matches the service QoT level corresponding to the target connection identifier. The network device forwards the service packet along the target transmission path.
In this application, the transmission path along which the network device transmits a service packet matches the service QoT level corresponding to that service packet, so the network side can take the trust requirements of the service for data transmission into account and provide matching trusted transmission for that service on the terminal device, improving the quality of service of the network and the service experience of the user.
Optionally, one way for the network device to obtain the target transmission path corresponding to the target connection identifier is: the network device sends a path calculation request to the management device, where the path calculation request includes the target connection identifier, and receives a path calculation response sent by the management device, where the path calculation response includes path information of the target transmission path.
Optionally, the service packet also includes an indication of the service QoT level corresponding to the first service and an integrity verification label for that indication, and the network device forwards the service packet along the target transmission path as follows: when the service QoT level indicated by the indication in the service packet is the same as the service QoT level corresponding to the target connection identifier, and the network device successfully verifies the integrity verification label, the network device forwards the service packet along the target transmission path.
In this application, because the service packet carries an indication of the service QoT level and an integrity verification label for that indication, the network device that receives the service packet can verify whether the service QoT level the packet actually uses is the same as the service QoT level the service genuinely matches, and can also verify whether the service packet has been tampered with, thereby improving the reliability and credibility of data transmission.
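The first, second and third aspects above describe the terminal device, the management device and the network device sides of a single exchange. The following is an added worked example, written for this page and not code from the patent, that simulates that exchange end to end in Python: the management device derives a QoT certificate with a forwarding policy from the indicated QoT parameters; the terminal device consults its connection identifier set, sends a data transmission request on a cache miss, and refuses a second service whose level its device level does not match; the network device checks the level indication in the packet against the level of the connection and verifies the integrity label before forwarding along a path whose every node matches. Everything concrete is an assumption rather than something the page states: QoT levels are integers 1 to 3, "matches" is taken to mean the service level does not exceed the device level, the certificate and the integrity label are HMAC-SHA256 under constructed keys rather than signatures, the network device learns a connection's level from the path calculation response, and the device names, addresses, parameters, evaluation rule and candidate paths are constructed.

```python
import hashlib, hmac, json

# Constructed example: QoT levels are integers 1..3; "matches" is assumed to mean service <= device.
def level_matches(service_level: int, device_level: int) -> bool:
    return service_level <= device_level

def _tag(key: bytes, obj: dict) -> str:  # integrity label: HMAC-SHA256 over canonical JSON
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ManagementDevice:
    REQUIRED_PARAMS = ("device_id", "secure_boot", "patch_level")  # the QoT parameter indication
    def __init__(self, cert_key: bytes, node_levels: dict, candidate_paths: dict):
        self.cert_key = cert_key          # assumption: symmetric key; a real deployment would sign
        self.node_levels = node_levels    # device QoT level of every network device
        self.candidate_paths = candidate_paths
        self.connections = {}             # conn_id -> (device_id, destination, service_level)

    def issue_certificate(self, params: dict) -> dict:
        # Constructed evaluation: secure boot and a recent patch level each raise the device level.
        level = 1 + int(bool(params["secure_boot"])) + int(params["patch_level"] >= 2023)
        body = {"device_id": params["device_id"], "device_qot_level": level,
                "max_service_level": level, "default_service_level": 1}  # QoT forwarding policy
        return {"body": body, "sig": _tag(self.cert_key, body)}

    def data_transmission_request(self, cert: dict, destination: str, service_level=None):
        if not hmac.compare_digest(cert["sig"], _tag(self.cert_key, cert["body"])):
            return None                   # forged or altered certificate
        body = cert["body"]
        if service_level is None:         # no level indication: use the default service level
            service_level = body["default_service_level"]
        if not level_matches(service_level, body["device_qot_level"]):
            return None                   # requested level exceeds what the device is trusted for
        conn_id = f"conn-{len(self.connections) + 1}"
        self.connections[conn_id] = (body["device_id"], destination, service_level)
        return conn_id

    def path_calculation_request(self, conn_id: str):
        if conn_id not in self.connections: return None, None
        _, destination, level = self.connections[conn_id]
        for path in self.candidate_paths[destination]:
            if all(level_matches(level, self.node_levels[node]) for node in path):
                return path, level        # every node on the path matches the service level
        return None, level

class TerminalDevice:
    def __init__(self, params: dict, mgmt: ManagementDevice, tag_key: bytes):
        self.mgmt, self.tag_key, self.connection_ids = mgmt, tag_key, {}  # (dest, level) -> conn_id
        # Registration: answer the QoT authentication request with exactly the indicated parameters.
        self.cert = mgmt.issue_certificate({k: params[k] for k in mgmt.REQUIRED_PARAMS})

    def get_target_connection_id(self, destination: str, service_level: int):
        if not level_matches(service_level, self.cert["body"]["device_qot_level"]):
            return None                   # second-service case: refuse to transmit
        key = (destination, service_level)
        if key not in self.connection_ids:  # cache miss: ask the management device
            conn_id = self.mgmt.data_transmission_request(self.cert, destination, service_level)
            if conn_id is None:
                return None
            self.connection_ids[key] = conn_id
        return self.connection_ids[key]

    def build_packet(self, destination: str, service_level: int, payload: str):
        conn_id = self.get_target_connection_id(destination, service_level)
        if conn_id is None:
            return None
        pkt = {"conn_id": conn_id, "qot_level": service_level, "payload": payload}
        pkt["tag"] = _tag(self.tag_key, pkt)  # label covers the level indication and the payload
        return pkt

class NetworkDevice:
    def __init__(self, mgmt: ManagementDevice, tag_key: bytes):
        self.mgmt, self.tag_key, self.path_cache = mgmt, tag_key, {}  # conn_id -> (path, level)

    def forward(self, pkt: dict):
        conn_id = pkt["conn_id"]
        if conn_id not in self.path_cache:
            self.path_cache[conn_id] = self.mgmt.path_calculation_request(conn_id)
        path, level = self.path_cache[conn_id]
        if path is None or pkt["qot_level"] != level:  # indication must equal the connection's level
            return None
        unsigned = {k: v for k, v in pkt.items() if k != "tag"}
        if not hmac.compare_digest(pkt["tag"], _tag(self.tag_key, unsigned)):
            return None                   # label does not verify: packet was tampered with
        return path

def run_demo() -> dict:
    mgmt = ManagementDevice(b"cert-key", {"R1": 3, "R2": 1, "R3": 2},
                            {"10.0.0.9": [["R1", "R2"], ["R1", "R3"]]})
    tag_key = b"terminal-network-key"     # assumption: pre-shared between terminal and network device
    t1 = TerminalDevice({"device_id": "T1", "secure_boot": True, "patch_level": 2022}, mgmt, tag_key)
    r1 = NetworkDevice(mgmt, tag_key)     # T1 evaluates to device QoT level 2
    pkt = t1.build_packet("10.0.0.9", 2, "hello")
    t1.build_packet("10.0.0.9", 2, "again")  # cache hit: no second connection is set up
    return {"device_level": t1.cert["body"]["device_qot_level"], "conn_id": pkt["conn_id"],
            "path": r1.forward(pkt), "connections": len(mgmt.connections),
            "refused_level3": t1.build_packet("10.0.0.9", 3, "x") is None,
            "downgrade_rejected": r1.forward(dict(pkt, qot_level=1)) is None,
            "payload_tamper_rejected": r1.forward(dict(pkt, payload="evil")) is None}
```

Calling `run_demo()` walks the whole exchange: the level-2 service gets `conn-1` and the path `R1, R3` (the `R1, R2` path is skipped because `R2` only holds level 1), the second packet to the same destination reuses the cached identifier, and the level-3 service is refused by the terminal itself. The two rejected packets show why the label has to cover the level indication: a packet that carries a valid connection identifier but a lowered level fails the indication check, and one whose payload was changed in transit fails the label check, so a party without the key can neither re-route nor alter traffic on a trusted connection.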
第四方面,提供了一种终端设备。所述终端设备包括多个功能模块,所述多个功能模块相互作用,实现上述第一方面及其各实施方式中的方法。所述多个功能模块可以基于软件、硬件或软件和硬件的结合实现,且所述多个功能模块可以基于具体实现进行任意组合或分割。The fourth aspect provides a terminal device. The terminal device includes multiple functional modules, and the multiple functional modules interact to implement the method in the above first aspect and its various implementations. The multiple functional modules can be implemented based on software, hardware, or a combination of software and hardware, and the multiple functional modules can be arbitrarily combined or divided based on specific implementation.
第五方面,提供了一种管理设备。所述管理设备包括多个功能模块,所述多个功能模块相互作用,实现上述第二方面及其各实施方式中的方法。所述多个功能模块可以基于软件、硬件或软件和硬件的结合实现,且所述多个功能模块可以基于具体实现进行任意组合或分割。The fifth aspect provides a management device. The management device includes multiple functional modules, and the multiple functional modules interact to implement the method in the above second aspect and its various implementations. The multiple functional modules can be implemented based on software, hardware, or a combination of software and hardware, and the multiple functional modules can be arbitrarily combined or divided based on specific implementation.
第六方面,提供了一种网络设备。所述网络设备包括多个功能模块,所述多个功能模块相互作用,实现上述第三方面及其各实施方式中的方法。所述多个功能模块可以基于软件、硬件或软件和硬件的结合实现,且所述多个功能模块可以基于具体实现进行任意组合或分割。A sixth aspect provides a network device. The network device includes multiple functional modules, and the multiple functional modules interact to implement the method in the above third aspect and its various implementation modes. The multiple functional modules can be implemented based on software, hardware, or a combination of software and hardware, and the multiple functional modules can be arbitrarily combined or divided based on specific implementation.
第七方面,提供了一种数据传输系统,包括:终端设备、管理设备和网络设备,所述终端设备用于执行上述第一方面及其各实施方式中的方法,所述管理设备用于执行上述第二方面及其各实施方式中的方法,所述网络设备用于执行上述第三方面及其各实施方式中的方法。In a seventh aspect, a data transmission system is provided, including: a terminal device, a management device and a network device. The terminal device is used to execute the method in the above first aspect and its various implementation modes. The management device is used to execute According to the method in the above second aspect and its various implementations, the network device is configured to execute the method in the above third aspect and its respective implementations.
An eighth aspect provides a data transmission apparatus including a processor and a memory;
the memory is configured to store a computer program, the computer program including program instructions;
the processor is configured to invoke the computer program to implement the method of any one of the first to third aspects and their implementations.
A ninth aspect provides a computer-readable storage medium storing instructions which, when executed by a processor, implement the method of any one of the first to third aspects and their implementations.
A tenth aspect provides a computer program product including a computer program which, when executed by a processor, implements the method of any one of the first to third aspects and their implementations.
An eleventh aspect provides a chip. The chip includes a programmable logic circuit and/or program instructions, and when the chip runs it implements the method of any one of the first to third aspects and their implementations.
Figure 1 is a schematic diagram of an application scenario of the data transmission method provided by an embodiment of the present application;
Figure 2 is a schematic flowchart of a data transmission method provided by an embodiment of the present application;
Figure 3 is a schematic flowchart of another data transmission method provided by an embodiment of the present application;
Figure 4 is a schematic diagram of an implementation scenario provided by an embodiment of the present application;
Figure 5 is a schematic diagram of a system architecture provided by an embodiment of the present application;
Figure 6 is a schematic diagram of the registration procedure in the scenario where the DMM-FE and the TLV-FE are separate, provided by an embodiment of the present application;
Figure 7 is a schematic diagram of the registration procedure in the scenario where the DMM-FE and the TLV-FE are merged, provided by an embodiment of the present application;
Figure 8 is a schematic diagram of a data transmission procedure provided by an embodiment of the present application;
Figure 9 is a schematic structural diagram of a terminal device provided by an embodiment of the present application;
Figure 10 is a schematic structural diagram of another terminal device provided by an embodiment of the present application;
Figure 11 is a schematic structural diagram of a management device provided by an embodiment of the present application;
Figure 12 is a schematic structural diagram of a network device provided by an embodiment of the present application;
Figure 13 is a schematic diagram of the hardware structure of a terminal device provided by an embodiment of the present application;
Figure 14 is a schematic diagram of the hardware structure of a management device provided by an embodiment of the present application;
Figure 15 is a schematic diagram of the hardware structure of a network device provided by an embodiment of the present application.
To make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
In recent years, with the rapid development and large-scale commercial deployment of fifth-generation mobile communication (5G) technology, academia and industry worldwide have begun researching next-generation network technology, and many researchers and research institutions have carried out extensive studies and discussions on the vision, architecture and key technologies of future networks. Among these, security and trustworthiness have become a research area on which many institutions and vendors focus.
With the development of artificial intelligence, big data, digital twins and other technologies, the value of data has become increasingly prominent; data has been called the "oil" of the digital economy. Ensuring that data flows in an orderly and trustworthy manner is therefore crucial to the development of the digital economy. Since the network is the underlying carrier of data flows and transmission, ensuring trustworthy networking and data transmission is one of the key enabling technologies for a trustworthy future network.
At present, the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) has done a great deal of work on trusted networking and data transmission, and several technical standards are under study or have been published. For example, ITU-T Y.3052 gives a definition of trust and a basic framework for trust in the field of information and communications technology (ICT). In the network data transmission scenario, the data sender is the trustor and the network device is the trustee; trust is the data sender's expectation that the network device will help it complete the data transmission according to the established behaviour. As another example, ITU-T Y.3053 proposes a trusted networking architecture based on trust domains and, on that basis, a trusted data transmission method. In that architecture the network is divided into multiple trust domains; entities within a single trust domain trust each other and can transmit data directly without security protection, while data transmission between entities in different trust domains is controlled by their respective access and delivery control functions so as to achieve trusted data transmission. The full name of a trust domain is trust-centric network domain.
However, despite the extensive research in trusted networking and data transmission, many problems remain to be solved. One of them is that the application side and the network side are decoupled, so no unified trust management framework can be established to support end-to-end trusted data transmission. With the arrival of the 5G era, new applications keep emerging, yet the network is still treated as a pipe for applications and cannot perceive them. According to the ITU-T Y.3052 definition, trust is highly context-dependent, and in the network data transmission scenario different applications represent different contexts. Applications are numerous and involve different service types, and the data of different service types place different trust requirements on the network and on the operating environment.
On this basis, the present application proposes a technical solution that establishes a unified trust management framework spanning the application side and the network side, so that the application side can express its trust requirements for data transmission to the network side, and the network side can decide whether a given service may use a data transmission service of a particular trust level and select a suitable processing policy, such as access control or routing control, for service data with different trust requirements. The higher a service's trust requirement for network-side data transmission, the higher the trust level of the data transmission service the network side should use.
ITU-T defines indicators such as quality of service (QoS) and quality of experience (QoE). QoS quantifies the degree of service quality that can be achieved; QoE quantifies how good or bad the user's experience of a service is. Based on such indicators, the network side can adjust relevant parameters and treat different services and users differently, improving the network's service quality and the user's service experience. In the same way, different services have different trust requirements for network-side data transmission; for example, payment services require more trust in network-side data transmission than video services do. The network side also needs to distinguish between end users, to prevent some end users from maliciously using trusted data transmission services that do not match them and thereby wasting or even damaging network resources. To achieve trusted data transmission, therefore, a service's trust requirement for data transmission must be quantified so that the network side can provide customised data transmission services for different trust requirements, and a unified trust management system spanning the application side and the network side must be built on a unified way of quantifying trust. On this basis, the present application proposes the concept of QoT. QoT describes, in a quantified way, the trustworthiness of a device and a service's trust requirement for network-side data transmission. Specifically, grading or scoring may be used. Grading divides QoT into multiple levels, where different QoT levels represent different device trustworthiness or different service trust requirements for network-side data transmission. The embodiments of this application mainly use a division into five levels, QoT levels 1 to 5, as the example: the higher the level, the more trustworthy the device or the higher the service's trust requirement for data transmission. The embodiments do not limit how QoT is graded; different QoT level divisions let the trust requirements of different types of services be met at various granularities. Scoring assigns a device a trustworthiness score within a preset scoring interval according to its trustworthiness, or assigns a service a trust requirement score according to its trust requirement for network-side data transmission, with different scores representing different device trustworthiness or different service trust requirements. The scoring interval may be, for example, 0 to 1 or 0 to 100; the embodiments do not limit the range of the scoring interval.
In the embodiments of this application, a mapping between QoT scores and QoT levels may be configured. For example, with a preset scoring interval of 0 to 1 and QoT levels 1 to 5, a QoT score of 0 to 0.2 corresponds to QoT level 1, 0.2 to 0.4 to QoT level 2, 0.4 to 0.6 to QoT level 3, 0.6 to 0.8 to QoT level 4, and 0.8 to 1 to QoT level 5. In practice, the device is first scored for trustworthiness (or the service for its trust requirement) and the corresponding QoT level is then determined from the resulting QoT score. For example, a device whose trustworthiness score is 0.5 corresponds to QoT level 3. This application describes device trustworthiness and service trust requirements for network-side data transmission by grading; if scoring is used instead, the QoT score can uniformly replace the QoT level in the description.
To help the reader understand the solution, the QoT levels involved in this application are explained first. This application involves two concepts: the device QoT level and the service QoT level.
The service QoT level expresses a service's trust requirement for data transmission; the higher the service QoT level, the higher that requirement. The service QoT level is tied to the service type, and the service QoT level of each service type may be preset. For example, payment services may be assigned service QoT level 4, user-information services level 3, multimedia streaming services level 2, and so on. Both the network side and the application side can store the correspondence between service types and service QoT levels in advance.
The device QoT level expresses the trustworthiness of a device; the higher the device QoT level, the more trustworthy the device. The device QoT level is derived from the device's own information. For a terminal device, the higher its device QoT level, the higher the service QoT level of the services it can run; for a network device, the higher its device QoT level, the higher the service QoT level of the services it can forward. In the embodiments of this application a device's trustworthiness also reflects its security, so the device QoT level can also express the device's security: for a terminal device, a higher device QoT level means a more secure operating environment and/or a more secure network environment, and for a network device it means that the device can provide a more secure data transmission service.
Optionally, device QoT levels and service QoT levels correspond one to one, i.e. they are divided at the same granularity. In this case a network device normally forwards services whose service QoT level equals its own device QoT level; for example, a network device with device QoT level 3 can forward services with service QoT level 3, although it is not excluded that it may forward services whose service QoT level is lower than, or slightly higher than, its device QoT level. A terminal device normally supports running services whose service QoT level is not higher than its device QoT level; for example, a terminal device with device QoT level 3 can run services with service QoT levels 1 to 3. It is likewise not excluded that a terminal device may run services whose service QoT level is slightly higher than its device QoT level; for example, a terminal device with device QoT level 3 might run services with service QoT levels 1 to 4. When such a terminal runs a service of service QoT level 4, however, its own device QoT level means there may be a certain security risk, and the terminal device may then raise an alarm. In the embodiments of this application, the service QoT levels of the services a terminal device supports running are called the service QoT levels that match the terminal device's device QoT level, and the service QoT levels of the services a network device supports forwarding are called the service QoT levels that match the network device's device QoT level.
Alternatively, the device QoT level and the service QoT level may be in a one-to-many relationship, i.e. device QoT levels are divided more coarsely than service QoT levels. For example, device QoT may be divided into 5 levels and service QoT into 10. For a network device, device QoT level 1 then matches service QoT levels 1-2, device QoT level 2 matches service QoT levels 3-4, device QoT level 3 matches service QoT levels 5-6, device QoT level 4 matches service QoT levels 7-8 and device QoT level 5 matches service QoT levels 9-10. For a terminal device, device QoT level 1 matches service QoT levels 1-2, device QoT level 2 matches service QoT levels 1-4, device QoT level 3 matches service QoT levels 1-6, device QoT level 4 matches service QoT levels 1-8 and device QoT level 5 matches service QoT levels 1-10.
Alternatively again, the device QoT level and the service QoT level may be in a many-to-one relationship, i.e. device QoT levels are divided more finely than service QoT levels.
The embodiments of this application do not limit how service QoT levels and device QoT levels are divided. Moreover, which service QoT levels match a terminal device's device QoT level, and which match a network device's device QoT level, are each decided by the network side; the embodiments do not limit this either.
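The score-to-level mapping and the device/service level matching rules above, as an added example that is not part of the patent text. It models the one-to-one scheme and the page's 5-to-10 one-to-many example; the `Verdict` names, the rule that a boundary score such as 0.2 falls into the higher level, and the one-level tolerance for the "slightly higher" case are assumptions.

```python
from bisect import bisect_right
from enum import Enum

# Values from the page: scores in 0..1 map to levels 1..5 in steps of 0.2, and
# payment / user-information / multimedia services carry service QoT 4 / 3 / 2.
SCORE_THRESHOLDS = (0.2, 0.4, 0.6, 0.8)           # upper bounds of levels 1..4
SERVICE_QOT_LEVEL = {"payment": 4, "user_info": 3, "multimedia": 2}


class Verdict(Enum):
    ALLOW = "allow"
    ALLOW_WITH_ALARM = "allow_with_alarm"   # service slightly above device level
    DENY = "deny"


def _check_level(level, top):
    if not 1 <= level <= top:
        raise ValueError(f"QoT level {level} outside 1..{top}")


def score_to_level(score):
    """Map a QoT score in [0, 1] to QoT level 1..5 (e.g. 0.5 -> 3).
    Assumption, not fixed by the page: a score on a boundary such as 0.2
    falls into the higher level."""
    if not 0.0 <= score <= 1.0:
        raise ValueError("QoT score must lie in the 0..1 scoring interval")
    return bisect_right(SCORE_THRESHOLDS, score) + 1


def terminal_matching_levels(device_level, service_levels=5):
    """Service QoT levels a terminal may run. service_levels=5 is the
    one-to-one scheme (service <= device); 10 is the page's one-to-many
    example (device level d matches service levels 1..2d)."""
    _check_level(device_level, 5)
    if service_levels == 5:
        return range(1, device_level + 1)
    if service_levels == 10:
        return range(1, 2 * device_level + 1)
    raise ValueError("only the 5- and 10-level service granularities are modelled")


def network_matching_levels(device_level, service_levels=5):
    """Service QoT levels a network device forwards. One-to-one: exactly its
    own level; one-to-many: device level d matches service levels 2d-1..2d."""
    _check_level(device_level, 5)
    if service_levels == 5:
        return range(device_level, device_level + 1)
    if service_levels == 10:
        return range(2 * device_level - 1, 2 * device_level + 1)
    raise ValueError("only the 5- and 10-level service granularities are modelled")


def terminal_verdict(device_level, service_level, service_levels=5):
    """Terminal-side decision. ALLOW_WITH_ALARM models the page's note that a
    level-3 terminal may run a level-4 service but should raise an alarm;
    limiting the tolerance to exactly one level is an assumption."""
    _check_level(service_level, service_levels)
    allowed = terminal_matching_levels(device_level, service_levels)
    if service_level in allowed:
        return Verdict.ALLOW
    if service_level == allowed[-1] + 1:
        return Verdict.ALLOW_WITH_ALARM
    return Verdict.DENY


def network_verdict(device_level, service_level, service_levels=5):
    """Network-side decision, kept strict: forward only matching levels."""
    _check_level(service_level, service_levels)
    if service_level in network_matching_levels(device_level, service_levels):
        return Verdict.ALLOW
    return Verdict.DENY


def admit(service_type, device_score):
    """Score the terminal, derive its device QoT level, and decide whether the
    given service type may run on it (one-to-one scheme)."""
    return terminal_verdict(score_to_level(device_score),
                            SERVICE_QOT_LEVEL[service_type])
```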
On the basis of a unified division of device QoT levels and service QoT levels on the application side and the network side, this application proposes the following technical solution. After obtaining the service QoT level of a service, and provided that this service QoT level matches the terminal device's own device QoT level, the terminal device obtains the connection identifier of a communication connection, established between itself and the destination address of the service, that matches the service QoT level of the service. It then carries that connection identifier in the service packets it sends to the destination address, instructing the network device that receives the packets to transmit them over the communication connection that the identifier designates. Because the service QoT level of the service transmitted by the terminal device matches the terminal device's device QoT level, and the communication connection over which the service is transmitted matches the service's service QoT level, the network side can take both the terminal device's trustworthiness and the service's trust requirement into account and provide matching trusted transmission for that service on that terminal device, improving the network's service quality and the user's service experience.
The technical solution is described in detail below from several perspectives: application scenarios, method procedures, functional modules, software apparatus, hardware apparatus and systems.
The application scenarios involved in the embodiments are illustrated first.
For example, Figure 1 is a schematic diagram of an application scenario of the data transmission method provided by an embodiment of the present application. As shown in Figure 1, the scenario includes a terminal device 101, a network device 102 and a management device 103. The number of each kind of device in Figure 1 is illustrative only and does not limit the application scenarios of the embodiments.
Optionally, the data transmission method provided by the embodiments may be applied to a mobile cellular network or an Internet Protocol (IP) network. IP networks include, for example, data center networks (DCN), metropolitan area networks, wide area networks and campus networks.
In a mobile cellular network, the terminal device 101 may be a user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a wireless communication device, a user agent or a user apparatus. The terminal device 101 may also be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or another processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G system (5GS), or a terminal device in a future evolved public land mobile network (PLMN). The network device 102 may be an access network device, which provides the wireless communication function for the terminal device 101; the terminal device 101 can establish a communication relationship with a core network device through the access network device. Access network devices may take various forms, such as macro base stations, micro base stations, relay stations and access points. The management device 103 may be a core network device. The main functions of a core network device are to provide user connectivity, manage users and carry services, and, as the bearer network, to provide the interface to external networks. For example, core network devices may include an access and mobility management function (AMF) entity, a user plane function (UPF) entity and a session management function (SMF) entity.
In an IP network, the terminal device 101 may be a workstation, for example a computer, a server or a virtual machine (VM). The network device 102 may be a router, a switch, a firewall or the like. The management device 103 may be a network controller, a network management device, a gateway or another device with control capability. The management device 103 and the network device 102 are connected through a wired or wireless network, and the management device 103 manages and controls the network device 102.
The method procedures of the embodiments are illustrated below.
Optionally, the technical solution of this application has two main phases: a registration phase and a data transmission phase. In the registration phase the network side performs a trust evaluation of the terminal device and, based on the result, issues the terminal device a QoT certificate, through which it manages the terminal device's QoT authorization. In the data transmission phase the terminal device uses the QoT certificate to establish a communication connection with the network side, and the network side decides on the basis of the terminal device's QoT certificate whether to allow the connection, thereby implementing access control. In a mobile cellular network the communication connection may be a session; in an IP network it may be a tunnel. The following embodiments describe the registration phase and the data transmission phase in detail.
One embodiment of the present application provides the procedure of the registration phase. For example, Figure 2 is a schematic flowchart of a data transmission method 200 provided by an embodiment of the present application; method 200 shows only the registration phase. As shown in Figure 2, method 200 includes steps 201 to 205.
Step 201: the terminal device sends a registration request to the management device.
The registration request is used by the terminal device to ask the management device to initiate the registration procedure. Optionally, the registration request includes the device identifier of the terminal device, which uniquely identifies it. For example, the device identifier may be the terminal device's serial number, its Media Access Control (MAC) address, its IP address or its international mobile equipment identity (IMEI). Optionally, the registration request also includes the user identifier of the terminal device; for example, the user identifier may be a subscription permanent identifier (SUPI).
Step 202: based on the registration request, the management device sends a QoT authentication request to the terminal device, the QoT authentication request including a QoT parameter indication.
The QoT parameter indication indicates which QoT parameters the terminal device must provide. Optionally, the QoT parameters include one or more of device identity information, hardware configuration information, software configuration information and network access information. Device identity information includes the device identifier and may also include a user identifier and/or an original equipment manufacturer (OEM) identifier. Hardware configuration information includes, but is not limited to, device type, hardware version, trusted execution environment (TEE) capability, and secure or trusted boot capability. Software configuration information includes, but is not limited to, the operating system (OS) version and patches. Network access information includes, but is not limited to, the radio access technology (RAT), the security level and the access point location, where the radio access technology includes, but is not limited to, long term evolution (LTE), 5G and wireless local area network (WLAN).
可选地,QoT参数指示可以采用位图(bitmap)格式。例如可以将必选参数对应的比特位设置为1,将可选参数对应的比特位设置为0。例如,管理设备需要终端设备提供8个QoT参数,其中前4个QoT参数为必选参数,后4个QoT参数为可选参数,则QoT参数指示可设
置为11110000。Optionally, the QoT parameter indication may be in bitmap format. For example, the bit corresponding to the required parameter can be set to 1, and the bit corresponding to the optional parameter can be set to 0. For example, the management device requires the terminal device to provide 8 QoT parameters, of which the first 4 QoT parameters are mandatory parameters and the last 4 QoT parameters are optional parameters, then the QoT parameter indication can be set Set to 11110000.
可选地,QoT认证请求还包括随机数。通过在QoT认证请求中携带随机数,有助于终端设备识别重放攻击。Optionally, the QoT authentication request also includes a random number. By carrying a random number in the QoT authentication request, it helps the terminal device identify replay attacks.
可选地,QoT认证请求还包括终端设备的设备标识和/或终端设备的用户标识。Optionally, the QoT authentication request also includes the device identification of the terminal device and/or the user identification of the terminal device.
步骤203、终端设备向管理设备发送QoT认证响应,该QoT认证响应包括该QoT参数指示所指示的QoT参数。Step 203: The terminal device sends a QoT authentication response to the management device, where the QoT authentication response includes the QoT parameters indicated by the QoT parameter indication.
可选地,终端设备接收到管理设备发送的QoT认证请求之后,解析QoT参数指示并收集相应的参数信息,并将这些参数信息打包到QoT参数列表中,然后基于该QoT认证请求,向管理设备发送携带有该QoT参数列表的QoT认证响应。Optionally, after receiving the QoT authentication request sent by the management device, the terminal device parses the QoT parameter indication and collects the corresponding parameter information, packages the parameter information into the QoT parameter list, and then sends the QoT authentication request to the management device based on the QoT authentication request. Send a QoT authentication response carrying the QoT parameter list.
可选地,在终端设备向管理设备发送QoT认证响应之前,终端设备与管理设备之间可以先进行认证与密钥协商,约定好一对非对称密钥或一个对称密钥。本申请实施例以终端设备和管理设备双方共享一个对称密钥k为例进行说明。这样,终端设备可以采用对称密钥k对终端设备的QoT参数加密传输,以提高QoT参数的传输机密性和安全性。Optionally, before the terminal device sends a QoT authentication response to the management device, authentication and key negotiation can be performed between the terminal device and the management device to agree on a pair of asymmetric keys or a symmetric key. The embodiment of this application takes an example in which the terminal device and the management device share a symmetric key k. In this way, the terminal device can use the symmetric key k to encrypt and transmit the QoT parameters of the terminal device to improve the confidentiality and security of the QoT parameter transmission.
可选地,若QoT认证请求包括随机数,则QoT认证响应也可以包括该随机数。Optionally, if the QoT authentication request includes a random number, the QoT authentication response may also include the random number.
本申请实施例中,终端设备与管理设备之间也可以事先约定好签发QoT证书时终端设备所需提供的QoT参数,这样,终端设备想要获取QoT证书时,直接向管理设备发送终端设备的QoT参数即可。也即是,上述步骤201至步骤203可替代为:终端设备向管理设备发送终端设备的QoT参数。In the embodiment of this application, the terminal device and the management device can also agree in advance on the QoT parameters that the terminal device needs to provide when issuing a QoT certificate. In this way, when the terminal device wants to obtain the QoT certificate, it directly sends the terminal device's parameters to the management device. QoT parameters are enough. That is, the above steps 201 to 203 may be replaced by: the terminal device sends the QoT parameters of the terminal device to the management device.
Step 204: The management device generates a QoT certificate for the terminal device based on the QoT parameters sent by the terminal device.

The QoT certificate of the terminal device includes the device QoT level of the terminal device. The management device performs a trust evaluation of the terminal device based on its QoT parameters and, according to the result, issues the terminal device a QoT certificate signed with the management device's own private key. For example, the criteria the management device uses to evaluate the trust of the terminal device can be as shown in Table 1.
Table 1
In Table 1, "a > b" means that the device QoT level corresponding to a is higher than the device QoT level corresponding to b. Whether an OEM is trusted can be decided by the management device itself.
Optionally, after determining the device QoT level of the terminal device, the management device may further determine the service QoT levels the terminal device is allowed to use and the service QoT level it uses by default. For example, the QoT forwarding policies the management device sets for terminal devices of different device QoT levels can be as shown in Table 2.
Table 2
Referring to Table 2, the management device can configure a mapping from QoT scores to device QoT levels. When evaluating the trust of a terminal device, the management device can first compute a trustworthiness score for the terminal device from its QoT parameters and then take the device QoT level mapped to that score as the device QoT level of the terminal device. Alternatively, the management device can determine the device QoT level directly from the QoT parameters, in which case the QoT score column of Table 2 can be omitted.

Optionally, the QoT certificate of the terminal device also includes the QoT forwarding policy that the management device applies to this terminal device. The QoT forwarding policy includes the highest service QoT level the management device provides to the terminal device and/or the default service QoT level the management device provides to the terminal device. For example, the QoT certificate of the terminal device can be based on the X.509 certificate format, with an extension field used to carry the QoT capability. The content of the QoT certificate of the terminal device can be expressed as follows:
"
1. OS version of the terminal device
2. Device serial number of the terminal device
3. Signature algorithm
4. Signature hash algorithm
5. Issuer: domain name or domain ID
6. Validity period: xx/xx/xx-xx/xx/xx
7. Subject: user identifier
8. Public key
9. QoT information of the terminal device
9.1 Verification result (device QoT level = 3)
9.2 QoT parameters used
9.3 Supported service QoT levels: 1-4
9.4 Default service QoT level: 2
10. Digital signature
"
Optionally, if the QoT parameters in the QoT authentication response were encrypted with the symmetric key k, the management device, after receiving the QoT authentication response, decrypts the QoT parameters in it with the symmetric key k to obtain the QoT parameters of the terminal device.

Optionally, if the QoT authentication response carries a nonce, the management device first verifies the freshness of the message using the nonce in the QoT authentication response, and only after that verification passes does it perform the trust evaluation of the terminal device. Carrying the nonce in the QoT authentication response lets the management device verify message freshness and, at the same time, helps it detect replay attacks.
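The exchange of steps 202 to 204 as a runnable Go program, added here as an illustration; it is not code from the patent. It assumes a 16-byte shared key k, an 8-parameter bitmap in the order fixed in the code (the page only fixes that a 1 bit means mandatory), AES-GCM as the symmetric encryption (the page only says the parameters are encrypted with k), and a trust-scoring rule that stands in for Tables 1 and 2, whose contents are not reproduced on this page. The nonce from the request is echoed in the response and also bound to the ciphertext as associated data, and the management device consumes a nonce only once a genuine response has been authenticated, so a replayed response and a tampered ciphertext are both rejected before any trust evaluation takes place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Parameter order behind the 8-bit indication (assumed; the page only fixes
// that bit 1 = mandatory and bit 0 = optional). 0xF0 is the page's 11110000.
var paramNames = [8]string{"device_id", "oem_id", "tee", "secure_boot", "os_version", "patches", "rat", "location"}

// QoTAuthRequest is the step-202 message: bitmap plus a nonce for replay detection.
type QoTAuthRequest struct{ Indication byte; Nonce []byte }

// QoTAuthResponse is the step-203 message: the parameter list AES-GCM-encrypted
// under the shared key k, with the echoed nonce bound in as associated data.
type QoTAuthResponse struct{ Nonce, IV, Ciphertext []byte }

func newGCM(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildResponse (terminal side) refuses to answer when a mandatory parameter is
// missing; optional parameters are included whenever the device has them.
func BuildResponse(req QoTAuthRequest, k []byte, have map[string]string) (QoTAuthResponse, error) {
	for i, n := range paramNames {
		if _, ok := have[n]; !ok && req.Indication&(0x80>>uint(i)) != 0 {
			return QoTAuthResponse{}, fmt.Errorf("mandatory QoT parameter %q not available", n)
		}
	}
	gcm, err := newGCM(k)
	if err != nil {
		return QoTAuthResponse{}, err
	}
	plain, _ := json.Marshal(have)
	iv := make([]byte, gcm.NonceSize())
	rand.Read(iv) // crypto/rand; documented never to fail on Go 1.24+
	return QoTAuthResponse{req.Nonce, iv, gcm.Seal(nil, iv, plain, req.Nonce)}, nil
}

// ManagementDevice remembers the nonces it issued so each is accepted at most once.
type ManagementDevice struct{ k []byte; pending map[string]bool }

// NewRequest issues a step-202 request carrying a fresh 16-byte nonce.
func (m *ManagementDevice) NewRequest(indication byte) QoTAuthRequest {
	n := make([]byte, 16)
	rand.Read(n) // crypto/rand; documented never to fail on Go 1.24+
	if m.pending == nil {
		m.pending = map[string]bool{}
	}
	m.pending[string(n)] = true
	return QoTAuthRequest{indication, n}
}

// Evaluate (step 204): freshness check, authenticated decryption, then trust evaluation.
// The nonce is consumed only after a genuine response, so a forgery cannot burn it.
func (m *ManagementDevice) Evaluate(resp QoTAuthResponse) (int, error) {
	if !m.pending[string(resp.Nonce)] {
		return 0, errors.New("nonce unknown or already used: possible replay")
	}
	gcm, err := newGCM(m.k)
	if err != nil {
		return 0, err
	}
	plain, err := gcm.Open(nil, resp.IV, resp.Ciphertext, resp.Nonce)
	if err != nil {
		return 0, errors.New("QoT parameter list failed authentication")
	}
	delete(m.pending, string(resp.Nonce))
	var params map[string]string
	if err := json.Unmarshal(plain, &params); err != nil {
		return 0, err
	}
	return DeviceQoTLevel(params), nil
}

// DeviceQoTLevel is an illustrative score-to-level rule in the spirit of
// Tables 1 and 2, whose actual contents are not on the page.
func DeviceQoTLevel(p map[string]string) int {
	score := 0
	for _, want := range [][2]string{{"oem_id", "trusted-oem"}, {"tee", "yes"}, {"secure_boot", "yes"}, {"patches", "current"}} {
		if p[want[0]] == want[1] {
			score++
		}
	}
	return 1 + score/2 // score 0-1: level 1, 2-3: level 2, 4: level 3
}
```

To see the replay protection, build one response from `NewRequest(0xF0)`, evaluate it, and evaluate the same response a second time: the first call returns the device QoT level, the second fails with the replay error, and flipping a ciphertext byte fails the GCM authentication without consuming the nonce.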
Step 205: The management device sends the QoT certificate to the terminal device.

After receiving the QoT certificate from the management device, the terminal device stores it. An application on the terminal device can read the information in the QoT certificate and set a local QoT forwarding policy. For example, the QoT forwarding policies an application sets for terminal devices of different device QoT levels can be as shown in Table 3.
Table 3
Referring to Table 3, the processing policy "allow" means the application can run services of the corresponding service QoT level. The processing policy "allow and warn" means the application can run services of the corresponding service QoT level but warns the user. The processing policy "forbid" means the application is not allowed to run services of the corresponding service QoT level. The application-side QoT forwarding policy can be changed manually by the user; for example, the user can change the processing policy associated with a service QoT level.

Optionally, when the QoT certificate of the terminal device meets a certificate renewal condition, the terminal device sends its latest QoT parameters to the management device. The management device generates an updated QoT certificate based on the latest QoT parameters and sends it to the terminal device. After receiving the updated QoT certificate, the terminal device stores it and treats the original QoT certificate as invalid. After the QoT certificate of the terminal device has changed, the application on the terminal device adjusts its QoT forwarding policy according to the updated QoT certificate.

Optionally, the certificate renewal procedure can be triggered by the terminal device, in which case it follows steps 201 to 205 above, or by the management device, in which case it follows steps 202 to 205 above. This is not described again in the embodiments of this application.
Optionally, the certificate renewal conditions for a QoT certificate include one or more of the following: the QoT certificate has exceeded its validity period; the QoT parameters of the terminal device have changed; the terminal device and/or the management device cannot parse the QoT certificate. For example, if a QoT certificate issued by the management device is valid for 24 hours, then once it expires the certificate renewal procedure can be triggered by either the terminal device or the management device. As another example, if within the validity period of the original QoT certificate the terminal device undergoes a system update, a reboot, a change of network type (for example from WLAN to 5G) or a base station handover, the terminal device can trigger the certificate renewal procedure. If the original QoT certificate became invalid because the QoT parameters of the terminal device changed, or because the terminal device and/or the management device could not parse it, the management device also needs to revoke the original QoT certificate of the terminal device.
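An added Go example, not the patent's code, of the certificate described in step 204 and of the expiry and parse-failure renewal conditions above. The QoT information of item 9 of the certificate body is DER-encoded into an X.509 extension under an assumed private-arc OID (the page names none), the certificate is signed with an Ed25519 key standing in for the management device's private key, and a verifier then checks the issuer signature and the validity window before reading the extension. The 24-hour validity and the level values come from the page's examples; the OID, the key type, the ASN.1 layout of the extension and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// OID of the QoT extension. The page names none; this private-arc value is assumed.
var oidQoT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// QoTInfo is item 9 of the certificate body on the page, DER-encoded into the extension.
type QoTInfo struct {
	DeviceLevel    int      // 9.1 verification result
	ParamsUsed     []string // 9.2 QoT parameters used
	MinService     int      // 9.3 supported service QoT levels (lower bound)
	MaxService     int      // 9.3 (upper bound)
	DefaultService int      // 9.4 default service QoT level
}

// NewManagementCA creates the management device's self-signed Ed25519 issuer certificate.
func NewManagementCA(domain string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: domain},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// IssueQoTCert is the management side of steps 204 and 205: the evaluation result
// and forwarding policy go into a non-critical extension of a certificate signed
// with the management device's private key. It returns the DER encoding.
func IssueQoTCert(ca *x509.Certificate, caKey ed25519.PrivateKey, devPub ed25519.PublicKey,
	serial, userID string, info QoTInfo, now time.Time, validity time.Duration) ([]byte, error) {
	ext, err := asn1.Marshal(info)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    new(big.Int).SetBytes([]byte(serial)),
		Subject:         pkix.Name{CommonName: userID, SerialNumber: serial},
		NotBefore:       now,
		NotAfter:        now.Add(validity),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidQoT, Value: ext}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, devPub, caKey)
}

// ParseQoTCert is the verifier side: issuer signature, validity window at the
// given time (an expired certificate meets the page's renewal condition), then
// the QoT extension; an extension that cannot be parsed is rejected, which is
// the page's other renewal trigger.
func ParseQoTCert(der []byte, ca *x509.Certificate, now time.Time) (QoTInfo, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return QoTInfo{}, err
	}
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return QoTInfo{}, err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return QoTInfo{}, errors.New("QoT certificate outside its validity period: renewal required")
	}
	for _, e := range cert.Extensions {
		if !e.Id.Equal(oidQoT) {
			continue
		}
		var info QoTInfo
		if rest, err := asn1.Unmarshal(e.Value, &info); err != nil || len(rest) != 0 {
			return QoTInfo{}, errors.New("QoT extension cannot be parsed: renewal required")
		}
		return info, nil
	}
	return QoTInfo{}, errors.New("no QoT extension present")
}
```

The extension is deliberately non-critical: Go's `x509.ParseCertificate` still succeeds on an unknown critical extension, but `Verify` would reject it, and a relying party that does not understand QoT should be able to treat the certificate as an ordinary one. Revocation of a superseded certificate, which the page also requires, is outside this example.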
In another embodiment of this application, an implementation of the data transmission phase is provided. For example, FIG. 3 is a schematic flowchart of a data transmission method 300 provided by an embodiment of this application; it shows the implementation flow of the data transmission phase. As shown in FIG. 3, method 300 includes steps 301 to 305.

Step 301: The terminal device obtains the service QoT level corresponding to a first service and the destination address of the first service.

The service QoT level corresponding to the first service matches the device QoT level of the terminal device.

The user starts an application on the terminal device and selects a service. The application determines the service QoT level of the selected service from a locally preset mapping between service types and service QoT levels. Taking the application-side QoT forwarding policy of Table 3 as an example, there are three possible cases.

In the first case, the processing policy for the service QoT level of the selected service is "allow". The application directly generates a service message and the terminal device sends it. The service message includes an indication of the service QoT level required to transmit the message, the destination address and the service data.

In the second case, the processing policy for the service QoT level of the selected service is "allow and warn". The application explicitly warns the user that the service QoT level of the selected service is higher than the device QoT level of the terminal device (for example, the device QoT level is 2 and the service QoT level is 3) and offers the user a choice, for example continue or stop, so that the user decides whether to continue running the service. If the user chooses to continue, the application generates the service message and the terminal device sends it. If the user chooses to stop, the application stops running the service. Optionally, the explicit warning is given by displaying the warning and the user options in the application's user interface.

In both the first and the second case, the service QoT level of the selected service is regarded as matching the device QoT level of the terminal device.

In the third case, the processing policy for the service QoT level of the selected service is "forbid". The application explicitly tells the user that the service is refused. The application may also state the reason for the refusal, namely that the service QoT level of the selected service does not match the device QoT level of the terminal device.

Step 302: The terminal device obtains a target connection identifier based on the service QoT level corresponding to the first service and the destination address of the first service.

The target connection identifier is the connection identifier of a target communication connection, established between the terminal device and the destination address of the first service, that matches the service QoT level corresponding to the first service.

Optionally, the terminal device stores a connection identifier set, which records the connection identifiers of the communication connections the terminal device has already established; each connection identifier in the set is associated with a destination address and a service QoT level. After obtaining the service QoT level and the destination address of the first service, the terminal device first looks up whether the connection identifier set contains a connection identifier associated with that destination address and that service QoT level. If the connection identifier set contains no such connection identifier, the following steps 3021 to 3023 are performed.

Step 3021: The terminal device sends a data transmission request to the management device. The data transmission request includes the destination address of the first service and the QoT certificate of the terminal device.
After receiving the data transmission request from the terminal device, the management device establishes a target communication connection between the terminal device and the destination address of the first service based on the QoT certificate in the request. Optionally, the management device first verifies whether the QoT certificate in the data transmission request is valid and only establishes the communication connection if the certificate is valid.
Optionally, the data transmission request further includes a service QoT level indication, which indicates the service QoT level corresponding to the first service. Alternatively, if the service QoT level corresponding to the first service is the default service QoT level the management device provides to the terminal device, the data transmission request may omit the service QoT level indication.

If the data transmission request includes a service QoT level indication and the indicated service QoT level matches the device QoT level of the terminal device, the management device establishes a communication connection for the indicated service QoT level. If the indicated service QoT level does not match the device QoT level of the terminal device, the management device refuses to establish a communication connection for that service QoT level. Optionally, the management device obtains the device QoT level of the terminal device from the QoT certificate of the terminal device.

If the data transmission request does not include a service QoT level indication, the management device establishes a communication connection for the default service QoT level it provides to the terminal device. Optionally, the management device obtains that default service QoT level from the QoT certificate of the terminal device.

Step 3022: The terminal device receives a data transmission response from the management device. The data transmission response includes the target connection identifier.

Optionally, the data transmission response may also include QoT policies, for example whether the terminal device is allowed to use the target communication connection to transmit services whose service QoT level is lower than the service QoT level of that connection.

Step 3023: The terminal device adds to the connection identifier set the association between the destination address of the first service, the service QoT level corresponding to the first service and the target connection identifier.

In this way, when the terminal device later needs to transmit a service with the same destination address and the same service QoT level as the first service, it can obtain the target connection identifier directly from the connection identifier set, which indicates that the terminal device already has an established target communication connection that satisfies the QoT requirement.
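Steps 302 and 3021 to 3023 as an added Go example; this is not the patent's code. The terminal keeps the connection identifier set keyed by (destination address, service QoT level). The management device admits a requested level only if it lies within the range the certificate grants to the device, and uses the certificate's default level when the request carries no indication. The certificate is represented by the three fields the management device reads from it; signature and validity checking of the certificate is assumed to have been done already. The conn-N identifiers, the request counter and the destination addresses are made up for the example.

```go
package main

import "fmt"

// CertPolicy holds what the management device and the terminal read from the
// terminal's QoT certificate (items 9.1, 9.3 and 9.4 on the page). Signature and
// validity checks on the certificate are assumed to have been done already.
type CertPolicy struct{ DeviceLevel, MaxService, DefaultService int }

// DataTransmissionRequest is the step-3021 message. Level 0 means "no service QoT
// level indication", so the management device falls back to the default level.
type DataTransmissionRequest struct {
	Dest  string
	Cert  CertPolicy
	Level int
}

// DataTransmissionResponse is the step-3022 message.
type DataTransmissionResponse struct {
	ConnID string
	Level  int
}

// Connection is the management device's record of an established connection.
type Connection struct {
	Dest, ConnID string
	Level        int
}

// ManagementDevice is the management side of step 3021.
type ManagementDevice struct {
	Conns    map[string]Connection
	Requests int // number of data transmission requests received (for the example)
}

// HandleRequest admits a level only if the certificate's forwarding policy covers
// it (the page's "matches the device QoT level"); a missing indication selects
// the default level taken from the certificate.
func (m *ManagementDevice) HandleRequest(req DataTransmissionRequest) (DataTransmissionResponse, error) {
	m.Requests++
	level := req.Level
	if level == 0 {
		level = req.Cert.DefaultService
	}
	if level < 1 || level > req.Cert.MaxService {
		return DataTransmissionResponse{}, fmt.Errorf("service QoT level %d does not match device QoT level %d (highest service level %d)",
			level, req.Cert.DeviceLevel, req.Cert.MaxService)
	}
	if m.Conns == nil {
		m.Conns = map[string]Connection{}
	}
	id := fmt.Sprintf("conn-%d", len(m.Conns)+1)
	m.Conns[id] = Connection{Dest: req.Dest, ConnID: id, Level: level}
	return DataTransmissionResponse{ConnID: id, Level: level}, nil
}

// ConnKey is the lookup key of the terminal's connection identifier set.
type ConnKey struct {
	Dest  string
	Level int
}

// Terminal keeps the connection identifier set of step 302.
type Terminal struct {
	Cert  CertPolicy
	Mgmt  *ManagementDevice
	Conns map[ConnKey]string
}

// TargetConnID implements step 302: return the cached identifier for
// (destination, level), otherwise run steps 3021 to 3023 and cache the result.
func (t *Terminal) TargetConnID(dest string, level int) (string, error) {
	if level < 1 {
		return "", fmt.Errorf("invalid service QoT level %d", level)
	}
	key := ConnKey{dest, level}
	if id, ok := t.Conns[key]; ok {
		return id, nil
	}
	req := DataTransmissionRequest{Dest: dest, Cert: t.Cert}
	if level != t.Cert.DefaultService {
		req.Level = level // the default level needs no indication
	}
	resp, err := t.Mgmt.HandleRequest(req)
	if err != nil {
		return "", err
	}
	if t.Conns == nil {
		t.Conns = map[ConnKey]string{}
	}
	t.Conns[key] = resp.ConnID // step 3023
	return resp.ConnID, nil
}
```

With a certificate granting levels 1 to 4 and default 2, the first request for level 2 to a destination goes to the management device without a level indication, a second request for the same pair is answered from the set without any message, a request for level 4 creates a second connection, and a request for level 5 is refused by the management device and nothing is cached.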
Step 303: The terminal device sends a service packet of the first service to the destination address of the first service. The service packet includes the target connection identifier.

The target connection identifier in the service packet of the first service indicates that the packet is to be transmitted over the target communication connection.

Optionally, the service packet of the first service further includes an indication of the service QoT level corresponding to the first service and an integrity verification tag for that indication. Optionally, the integrity verification tag may be a message authentication code (MAC) that the terminal device computes over the indication with the symmetric key k, or a signature that the terminal device computes over the indication with its private key. The integrity verification tag is used to verify the integrity of the message and to detect tampering.

Optionally, a QoT header is added to the header of the service packet of the first service to carry the indication of the service QoT level corresponding to the first service. The indication may be the service QoT level itself or the service type of the first service; in the latter case the network side determines the service QoT level from the service type using a preset mapping between service types and service QoT levels.

After receiving the service packet of the first service, the network device performs steps 304 and 305 below. Optionally, if the received service packet includes an indication of the service QoT level and an integrity verification tag for that indication, the network device first verifies the integrity verification tag and performs steps 304 and 305 only if the verification succeeds; otherwise, the network device discards the service packet.
Step 304: The network device obtains the target transmission path corresponding to the target connection identifier. The device QoT level of every network device on the target transmission path matches the service QoT level corresponding to the target connection identifier.
In one possible implementation, step 304 is carried out as follows: the network device sends a path computation request, which includes the target connection identifier, to the management device, and receives a path computation response from the management device that includes the path information of the target transmission path.

Correspondingly, after receiving the path computation request from the network device, the management device determines, according to the service QoT level corresponding to the target connection identifier, the target transmission path used by the target communication connection; the device QoT level of the network devices on that path matches the service QoT level corresponding to the target connection identifier. The management device then sends the path computation response to the network device.

Optionally, the management device is responsible for QoT information management over the whole life cycle of the network devices, including initialization, modification, update, storage, distribution and deletion of device QoT levels. The management device can determine the device QoT level of each network device from attributes such as its software configuration information, hardware configuration information, runtime state, the reliability of its manufacturer and its historical forwarding behaviour.

In another possible implementation, after establishing the target communication connection, the management device determines the target transmission path used by that connection and carries the path information of the target transmission path in the data transmission response it sends to the terminal device. The data transmission response is forwarded to the terminal device by the network device, which here can be the edge device through which the terminal device accesses the network.

In one case, after receiving the data transmission response that the management device sends to the terminal device, the network device parses it and obtains and stores the association between the target transmission path and the target connection identifier. When the network device then receives a service packet carrying the target connection identifier, it can use the target transmission path directly to transmit that packet.

In another case, after receiving the data transmission response from the management device, the terminal device parses it and obtains and stores the association between the target transmission path and the target connection identifier. The terminal device then carries the path information of the target transmission path in the service packets it sends, for example by adding a label list to the packet header. A network device that receives such a service packet can obtain the path information of the target transmission path directly from the packet.

Step 305: The network device forwards the service packet over the target transmission path.

Optionally, the network device forwards the service packet over the target transmission path when the service QoT level indicated in the packet is the same as the service QoT level corresponding to the target connection identifier and the integrity verification tag for the indication verifies correctly. Optionally, every network device the service packet passes through performs this verification, or only the edge device of each domain the packet passes through does; the embodiments of this application do not limit this.

In the embodiments of this application, carrying the indication of the service QoT level and an integrity verification tag for it in the service packet lets the network device verify that the service QoT level actually used for the packet is the service QoT level that genuinely applies to the service, and also verify that the packet has not been tampered with, thereby improving the reliability and trustworthiness of the data transmission.

In some implementations, the terminal device obtains the service QoT level corresponding to a second service, and that service QoT level does not match the device QoT level of the terminal device. The terminal device refuses to transmit the service packets of the second service.
Because the application-side QoT forwarding policy can be changed manually by the user, it may happen that the application-side policy allows running a service whose service QoT level does not match the device QoT level of the terminal device. For example, the device QoT level of the terminal device is 3, the network-side QoT forwarding policy states that device QoT level 3 matches service QoT levels 1 to 4, and the application-side QoT forwarding policy prohibits running services with service QoT level 5. If the user starts the application on the terminal device and selects a service with service QoT level 5, the application explicitly informs the user that service is denied. If the user manually changes the application-side QoT forwarding policy, setting the processing policy for service QoT level 5 to "allow", and then restarts the application and selects the service, the application generates service messages and prepares to send them through the terminal device. On the network side, however, the service QoT level of this service does not match the device QoT level of the terminal device, so the terminal device refuses to transmit the service packets of that service. This prevents a user from misusing a trusted data transmission service whose trust level does not match the trustworthiness of the terminal device, so that the network side satisfies the trust requirement of the service while also accounting for the trustworthiness of the terminal device, thereby achieving trusted data transmission.
Optionally, when the terminal device receives a service message whose service QoT level does not match the terminal device's device QoT level, the terminal device may decide on its own to refuse transmission. For example, where the terminal device's QoT certificate includes the service QoT levels that the management device provides to the terminal device, the terminal device, after obtaining the service message, can check against its own QoT certificate whether the service QoT level carried in the service message is among the service QoT levels provided to it by the management device. If it is not, the terminal device determines that the service QoT level does not match its device QoT level and may refuse to transmit the corresponding service packets.
Alternatively, when the terminal device receives a service message from the application, it may send a data transmission request to the management device, the request including the terminal device's QoT certificate, a service QoT level indication and the destination address. The management device determines that the service QoT level indicated by the service QoT level indication is not among the service QoT levels matched by the terminal device's device QoT level, that is, that the indicated service QoT level does not match the terminal device's device QoT level, and may then send a transmission rejection response to the terminal device. Based on that response, the terminal device refuses to transmit the corresponding service packets.
For example, FIG. 4 is a schematic diagram of an implementation scenario provided by an embodiment of this application. As shown in FIG. 4, the scenario includes a terminal device 401, network devices 402A to 402F and servers 403A to 403C. Assume that terminal device 401 is authorized to use data transmission services with service QoT levels 1 to 4. Communication connection 1, with service QoT level 4, is established between terminal device 401 and server 403A; its transmission path includes network devices 402A and 402B. Communication connection 2, with service QoT level 3, is established between terminal device 401 and server 403B; its transmission path includes network devices 402C and 402D. Communication connection 3, with service QoT level 2, is established between terminal device 401 and server 403C; its transmission path includes network devices 402E and 402F. Assume that the service QoT level of multimedia streaming services is 2, that of user-information services is 3, and that of payment services is 4.
Referring to FIG. 4, terminal device 401 can send service packets of a payment service to server 403A over communication connection 1, service packets of a user-information service to server 403B over communication connection 2, and service packets of a multimedia streaming service to server 403C over communication connection 3. However, when an application on terminal device 401 needs to transmit service packets with service QoT level 5, terminal device 401 refuses to transmit them, because the network side has not authorized the terminal device to use a data transmission service with service QoT level 5.
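The terminal-side refusal described above (the local decision from the QoT certificate and the alternative of asking the management device), together with the FIG. 4 connection identifier set, as an added simulation that is not code from the application. The certificate layout, the message field names, the encoding of the forwarding policy as a highest allowed level, and the connection identifier values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed QoT certificate for terminal device 401 of FIG. 4: device QoT level 3, and a
# network-side forwarding policy that authorizes service QoT levels 1 to 4 (carried in the
# certificate as a highest allowed level, which the page says the certificate optionally holds).
CERT_401 = {
    "device_id": "terminal-401",
    "device_qot_level": 3,
    "forwarding_policy": {"max_service_qot_level": 4, "default_service_qot_level": 2},
}


def allowed_service_levels(cert: dict) -> range:
    """Service QoT levels the management device has provided to this terminal."""
    return range(1, cert["forwarding_policy"]["max_service_qot_level"] + 1)


class ManagementDevice:
    """Stand-in for the management device answering data transmission requests."""

    def __init__(self) -> None:
        self._next_id = 100

    def data_transmission_request(self, cert: dict, qot_level: int, dst: str) -> Optional[str]:
        # Transmission rejection response (None) when the indicated service QoT level is not
        # among the levels matched by the terminal's device QoT level.
        if qot_level not in allowed_service_levels(cert):
            return None
        self._next_id += 1
        return f"conn-{self._next_id}"  # connection identifier in the data transmission response


@dataclass
class TerminalDevice:
    cert: dict
    mgmt: ManagementDevice
    # Connection identifier set: (destination address, service QoT level) -> connection identifier.
    connections: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # True: decide locally from the certificate first; False: always ask the management device.
    local_check: bool = True

    def send_service_packet(self, qot_level: int, dst: str) -> Optional[dict]:
        """Returns the packet to send, or None when the terminal refuses to transmit."""
        if self.local_check and qot_level not in allowed_service_levels(self.cert):
            return None
        conn_id = self.connections.get((dst, qot_level))
        if conn_id is None:
            # No established connection for this (destination, level): request one. The
            # management device may reject, in which case the terminal refuses to transmit.
            conn_id = self.mgmt.data_transmission_request(self.cert, qot_level, dst)
            if conn_id is None:
                return None
            self.connections[(dst, qot_level)] = conn_id  # remember the new correspondence
        return {"connection_id": conn_id, "service_qot_level": qot_level, "dst": dst}


# Connections of FIG. 4 (identifier values constructed): level 4 to 403A, 3 to 403B, 2 to 403C.
FIG4_CONNECTIONS = {("403A", 4): "conn-1", ("403B", 3): "conn-2", ("403C", 2): "conn-3"}
```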
To sum up, in the data transmission method provided by the embodiments of this application, after the terminal device obtains the service QoT level corresponding to a service and that level matches the terminal device's device QoT level, the terminal device obtains the connection identifier of the communication connection, established between the terminal device and the destination address of the service, that matches that service QoT level, and then carries this connection identifier in the service packets it sends to the destination address, instructing the network device that receives the packets to transmit them over the communication connection corresponding to the identifier. Since the service QoT level of the service the terminal device transmits matches the terminal device's device QoT level, and the communication connection used for transmission matches that service QoT level, the network side can take into account both the trustworthiness of the terminal device and the service's trust requirement for data transmission, and provide matching trusted transmission for that service on that terminal device, which improves the service quality of the network and the user's service experience.
The embodiments of this application use the application of the above data transmission method to a mobile cellular network as an illustrative example. For instance, the system architecture involved in the method can be implemented as an extension of the functional architecture in Y.3053. FIG. 5 is a schematic diagram of a system architecture provided by an embodiment of this application. As shown in FIG. 5, the main body of the architecture is the trust domain. Each trust domain includes three main function sets: access and delivery control functions, domain administration functions and trust management functions. A trust domain connects to external trust domains and to applications and services through reference points. Applications and services can also connect to each other through reference points, forming an end-to-end reference architecture.
Still referring to FIG. 5, applications/services are connected through reference point Tx. Tx is a logical reference point that enables end-to-end request/response information to be exchanged reliably and securely between applications/services in order to establish a trustworthy network. A trust domain and an external trust domain are connected through reference points Tp and Td. Tp is a control-plane interface that enables request/response information to be exchanged reliably and securely between trust domains. Td is a data-plane interface that provides reliable and secure cross-domain data transmission. A trust domain and an application/service are connected through reference point Ts, which enables request/response information to be exchanged reliably and securely between the trust domain and the application/service. For the definitions and functions of the reference points, refer to Y.3053; the embodiments of this application do not repeat them here.
Still referring to FIG. 5, the access and delivery control function set includes the trust-based routing support functional entity (TRS-FE), the data transport and processing functional entity (DPT-FE), the accessing/peering control support functional entity (APCS-FE), the trust-based tunneling support functional entity (TTS-FE) and the ID-based routing support functional entity (IRS-FE). The domain administration function set includes the ID-locator mapping support functional entity (ILMS-FE), the domain membership management functional entity (DMM-FE), the domain policy management functional entity (DPM-FE) and the domain application and service management functional entity (DASM-FE). The trust management function set includes the trust verification support functional entity (TVS-FE), the trust level validation functional entity (TLV-FE) and the trust information lifecycle management functional entity (TILM-FE). Compared with the Y.3053 functional architecture, DASM-FE, TRS-FE and TTS-FE are new functional entities. In addition, this architecture enhances the three functional entities TVS-FE, TLV-FE and TILM-FE.
TVS-FE: In Y.3053, TVS-FE collects information about network elements within the trust domain for use in evaluating their trust level. This application adds QoT information collection to the entity's original functions: it can determine and collect the information about network elements that is used for QoT evaluation. Here, network devices and terminal devices are collectively called network elements.
TLV-FE: In Y.3053, TLV-FE evaluates the trust level of network elements. This application adds QoT level evaluation to the entity's original functions. This capability can be implemented in two ways: 1) evaluating the device QoT level of a network element directly from a QoT evaluation model; or 2) first evaluating the network element's trust level as defined in Y.3053 and then mapping it to a device QoT level.
TILM-FE: In Y.3053, TILM-FE manages the lifecycle of trust information within the trust domain, such as the creation, distribution, modification and deletion of trust values. This application adds QoT information lifecycle management to the original functions, including the creation, distribution, modification and deletion of the device QoT levels of network elements.
DASM-FE: manages the QoT classification of services and performs session management based on the service QoT level and the terminal device's QoT certificate.
TRS-FE: implements QoT-based route planning and control, such as path computation, based on the QoT information carried in service packets and the QoT policy of the session.
TTS-FE: implements QoT-based end-to-end tunnel management, including establishment, maintenance, modification and release, based on the QoT policy of the session and the QoT information carried in service packets.
For the roles of the other functional entities in the trust domain shown in FIG. 5, refer to Y.3053; the embodiments of this application do not repeat them here.
Still referring to FIG. 5, the application/service has a built-in QoT module that provides QoT processing capabilities to the application, for example obtaining the terminal device's QoT certificate and setting or modifying the application-side QoT forwarding policy.
Under the system architecture shown in FIG. 5, the management device is implemented by one or more functional entities. The following embodiments of this application illustrate specific implementation flows of the above method 200 and method 300.
For example, FIG. 6 is a schematic diagram of the registration flow, provided by an embodiment of this application, in a scenario where the DMM-FE and the TLV-FE are separate. As shown in FIG. 6, the registration flow includes the following steps 601 to 610.
Step 601: The terminal device sends a registration request to the DMM-FE.
The registration request includes the device identifier of the terminal device. Optionally, it also includes the user identifier of the terminal device. For an explanation of step 601, refer to step 201 above; it is not repeated here.
Step 602: The DMM-FE sends QoT evaluation request signaling to the TLV-FE.
The QoT evaluation request signaling includes the device identifier of the terminal device. Optionally, it also includes the user identifier of the terminal device.
Step 603: The TLV-FE sends a QoT authentication request to the terminal device; the request includes a QoT parameter indication.
For an explanation of step 603, refer to step 202 above; it is not repeated here.
Step 604: The terminal device sends a QoT authentication response to the TLV-FE; the response includes the QoT parameters indicated by the QoT parameter indication.
For an explanation of step 604, refer to step 203 above; it is not repeated here.
Step 605: The TLV-FE performs a QoT evaluation of the terminal device based on the QoT parameters sent by the terminal device and obtains a QoT evaluation result, which includes the device QoT level of the terminal device.
Step 606: The TLV-FE sends the QoT evaluation result to the DMM-FE.
Step 607: The DMM-FE uses its private key to issue a QoT certificate to the terminal device; the certificate includes the QoT evaluation result.
For an explanation of steps 605 to 607, refer to step 204 above; it is not repeated here.
Step 608: The DMM-FE sends the QoT certificate to the terminal device.
For an explanation of step 608, refer to step 205 above; it is not repeated here.
Step 609: The DMM-FE sends a QoT certificate update message to the DASM-FE; the message includes the device identifier of the terminal device and the terminal device's QoT certificate.
Step 610: The DASM-FE generates the terminal device's network-side QoT forwarding policy based on the QoT certificate update message.
Optionally, the terminal device's network-side QoT forwarding policy includes the highest service QoT level the terminal device is allowed to use and/or the service QoT level the terminal device uses by default.
As another example, FIG. 7 is a schematic diagram of the registration flow, provided by an embodiment of this application, in a scenario where the DMM-FE and the TLV-FE are merged. In FIG. 7 the merged DMM-FE and TLV-FE is abbreviated DMM-FE/TLV-FE. As shown in FIG. 7, the registration flow includes the following steps 701 to 708.
Step 701: The terminal device sends a registration request to the DMM-FE/TLV-FE.
The registration request includes the device identifier of the terminal device. Optionally, it also includes the user identifier of the terminal device. For an explanation of step 701, refer to step 201 above; it is not repeated here.
Step 702: The DMM-FE/TLV-FE sends a QoT authentication request to the terminal device; the request includes a QoT parameter indication.
For an explanation of step 702, refer to step 202 above; it is not repeated here.
Step 703: The terminal device sends a QoT authentication response to the DMM-FE/TLV-FE; the response includes the QoT parameters indicated by the QoT parameter indication.
For an explanation of step 703, refer to step 203 above; it is not repeated here.
Step 704: The DMM-FE/TLV-FE performs a QoT evaluation of the terminal device based on the QoT parameters sent by the terminal device and obtains a QoT evaluation result, which includes the device QoT level of the terminal device.
Step 705: The DMM-FE/TLV-FE uses its private key to issue a QoT certificate to the terminal device; the certificate includes the QoT evaluation result.
For an explanation of steps 704 and 705, refer to step 204 above; it is not repeated here.
Step 706: The DMM-FE/TLV-FE sends the QoT certificate to the terminal device.
For an explanation of step 706, refer to step 205 above; it is not repeated here.
Step 707: The DMM-FE/TLV-FE sends a QoT certificate update message to the DASM-FE; the message includes the device identifier of the terminal device and the terminal device's QoT certificate.
Step 708: The DASM-FE generates the terminal device's network-side QoT forwarding policy based on the QoT certificate update message.
Optionally, the terminal device's network-side QoT forwarding policy includes the highest service QoT level the terminal device is allowed to use and/or the service QoT level the terminal device uses by default.
It should be noted that the update flow of the terminal device's QoT certificate may follow the registration flow shown in FIG. 6 or FIG. 7; it is not repeated here.
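The registration flows of FIG. 6 (separate DMM-FE and TLV-FE, steps 601 to 610) and FIG. 7 (merged DMM-FE/TLV-FE, steps 701 to 708) as one added simulation; this is not code from the application. The QoT scoring model, the message field names, the rule that device level N matches service levels 1 to N+1 (chosen to agree with the page's example of device level 3 matching service levels 1 to 4) and the sample parameters are constructed, and an HMAC-SHA256 over the certificate body stands in for the DMM-FE private-key signature of steps 607 and 705.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# QoT parameter categories the page names: identity, hardware, software, network access.
QOT_PARAM_INDICATION = ["device_identity", "hardware_config", "software_config", "network_access"]


def max_service_level(device_level: int) -> int:
    """Constructed network-side rule: device QoT level N matches service QoT levels 1..N+1."""
    return min(device_level + 1, 5)


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Terminal:
    def __init__(self, device_id: str, qot_params: Dict[str, dict]):
        self.device_id, self._qot_params = device_id, qot_params
        self.cert: Optional[dict] = None

    def registration_request(self) -> dict:                   # step 601 / 701
        return {"device_id": self.device_id}

    def qot_auth_response(self, auth_request: dict) -> dict:  # step 604 / 703
        # Return exactly the parameters the QoT parameter indication asks for.
        return {name: self._qot_params[name] for name in auth_request["qot_param_indication"]}


class TLV_FE:
    """Evaluates the device QoT level (constructed scoring model, not the application's)."""

    def qot_auth_request(self, eval_request: dict) -> dict:   # step 603 / 702
        return {"device_id": eval_request["device_id"], "qot_param_indication": list(QOT_PARAM_INDICATION)}

    def evaluate(self, device_id: str, params: dict) -> dict:  # step 605 / 704
        hw, sw, net = params["hardware_config"], params["software_config"], params["network_access"]
        score = (2 if hw.get("secure_boot") else 0) + (1 if hw.get("tpm") else 0)
        score += 1 if sw.get("patched") else 0
        score += 1 if net.get("access_type") == "cellular_authenticated" else 0
        return {"device_id": device_id, "device_qot_level": max(1, min(score, 5))}


class DASM_FE:
    """Turns QoT certificate update messages into network-side forwarding policies (610 / 708)."""

    def __init__(self) -> None:
        self.policies: Dict[str, dict] = {}

    def certificate_update(self, msg: dict) -> dict:
        level = msg["qot_certificate"]["body"]["device_qot_level"]
        policy = {"max_service_qot_level": max_service_level(level), "default_service_qot_level": 1}
        self.policies[msg["device_id"]] = policy
        return policy


class DMM_FE:
    """Domain membership management; `tlv` is a separate TLV_FE (FIG. 6) or the entity itself (FIG. 7)."""

    def __init__(self, issuer_key: bytes, tlv: TLV_FE, dasm: DASM_FE):
        self.issuer_key, self.tlv, self.dasm = issuer_key, tlv, dasm

    def issue_certificate(self, evaluation: dict) -> dict:     # step 607 / 705
        body = dict(evaluation, issuer="DMM-FE")
        sig = hmac.new(self.issuer_key, canonical(body), hashlib.sha256).hexdigest()  # signature stand-in
        return {"body": body, "signature": sig}

    def verify_certificate(self, cert: dict) -> bool:
        expected = hmac.new(self.issuer_key, canonical(cert["body"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, cert["signature"])

    def register(self, terminal: Terminal) -> dict:
        req = terminal.registration_request()                                  # 601
        auth_req = self.tlv.qot_auth_request({"device_id": req["device_id"]})  # 602-603
        auth_resp = terminal.qot_auth_response(auth_req)                      # 604
        evaluation = self.tlv.evaluate(req["device_id"], auth_resp)           # 605-606
        cert = self.issue_certificate(evaluation)                             # 607
        terminal.cert = cert                                                  # 608
        self.dasm.certificate_update({"device_id": req["device_id"], "qot_certificate": cert})  # 609-610
        return cert


class DMM_TLV_FE(DMM_FE, TLV_FE):
    """Merged entity of FIG. 7: evaluation is done with the entity's own TLV-FE functions."""

    def __init__(self, issuer_key: bytes, dasm: DASM_FE):
        DMM_FE.__init__(self, issuer_key, self, dasm)


# Constructed sample terminal: secure boot (2), no TPM (0), patched (1), Wi-Fi (0) -> level 3.
SAMPLE_PARAMS = {
    "device_identity": {"imei": "000000000000000"},  # placeholder identity value
    "hardware_config": {"secure_boot": True, "tpm": False},
    "software_config": {"patched": True},
    "network_access": {"access_type": "wifi"},
}
```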
As another example, FIG. 8 is a schematic diagram of a data transmission flow provided by an embodiment of this application. As shown in FIG. 8, the data transmission flow includes the following steps 801 to 813.
Step 801: The terminal device obtains the service QoT level corresponding to a service and the destination address of the service.
For an explanation of step 801, refer to step 301 above; it is not repeated here.
Step 802: The terminal device sends a session establishment request to the DASM-FE; the request includes the destination address of the service, the service QoT level corresponding to the service and the terminal device's QoT certificate.
The session establishment request asks the network side to establish a session.
Step 803: The DASM-FE verifies whether the terminal device's QoT certificate in the session establishment request is valid, and determines, based on the terminal device's network-side QoT forwarding policy, whether the service QoT level corresponding to the service matches the terminal device's device QoT level.
Step 804: When the terminal device's QoT certificate is valid and the service QoT level corresponding to the service matches the terminal device's device QoT level, the DASM-FE establishes a session connection based on the session establishment request.
Step 805: The DASM-FE sends a session establishment response to the terminal device; the response includes a session identifier.
In a mobile cellular network, the data transmission request of step 302 above corresponds to the session establishment request of step 802, the data transmission response of step 302 corresponds to the session establishment response of step 805, and the connection identifier of step 302 corresponds to the session identifier of step 805.
For an explanation of steps 802 to 805, refer to step 302 above; it is not repeated here.
Step 806: The terminal device sends a service packet that includes the session identifier, an indication of the service QoT level corresponding to the service and an integrity verification tag for that indication.
For an explanation of step 806, refer to step 303 above; it is not repeated here.
Step 807: After receiving the service packet, the network device verifies the integrity verification tag.
Step 808: After the integrity verification tag is verified successfully, the network device sends a path computation request to the TRS-FE; the request includes the session identifier and the destination address of the service.
Step 809: The TRS-FE queries the DASM-FE for the service QoT level corresponding to the session identifier.
Step 810: The DASM-FE replies to the TRS-FE with the service QoT level corresponding to the session identifier.
Step 811: The TRS-FE determines a transmission path according to the service QoT level corresponding to the session identifier; the device QoT levels of the network devices on the path match that service QoT level.
Step 812: The TRS-FE sends a path computation response to the network device; the response includes the path information of the transmission path.
For an explanation of steps 807 to 812, refer to step 304 above; it is not repeated here.
Step 813: The network device forwards the service packet along the transmission path.
For an explanation of step 813, refer to step 305 above; it is not repeated here.
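The data transmission flow of FIG. 8 (steps 801 to 813), including the network-side check of the service QoT level indication and its integrity verification tag described for step 305, as one added simulation; this is not code from the application. Assumptions: the QoT certificate is the signed dict used here and carries the terminal's highest allowed service QoT level; the integrity tag is an HMAC-SHA256 under a per-session key that the session establishment response returns and that network devices obtain from the DASM-FE; a network device "matches" a service QoT level when its device QoT level is at least that level; the topology and device levels are constructed.

```python
import hashlib, hmac, json, os
from collections import deque
from typing import Dict, List, Optional

ISSUER_KEY = b"constructed-dmm-fe-issuer-key"  # stand-in for the certificate issuer's private key


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_cert(device_id: str, device_level: int, max_service_level: int) -> dict:
    """Constructed QoT certificate: device QoT level plus the network-side forwarding policy."""
    body = {"device_id": device_id, "device_qot_level": device_level,
            "max_service_qot_level": max_service_level}
    return {"body": body, "signature": hmac.new(ISSUER_KEY, canonical(body), hashlib.sha256).hexdigest()}


class DASM_FE:
    """Session management: certificate check, level match and session state (steps 803-805, 810)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def session_establishment(self, req: dict) -> Optional[dict]:
        cert = req["qot_certificate"]
        expected = hmac.new(ISSUER_KEY, canonical(cert["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert["signature"]):
            return None  # invalid certificate: no session (step 803)
        if not 1 <= req["service_qot_level"] <= cert["body"]["max_service_qot_level"]:
            return None  # service QoT level does not match the device QoT level (step 803)
        sid = f"sess-{len(self.sessions) + 1}"  # step 804
        self.sessions[sid] = {"dst": req["dst"], "service_qot_level": req["service_qot_level"],
                              "key": os.urandom(16)}
        return {"session_id": sid, "session_key": self.sessions[sid]["key"]}  # step 805

    def service_qot_level(self, sid: str) -> int:  # answer to the TRS-FE query (steps 809-810)
        return self.sessions[sid]["service_qot_level"]


def integrity_tag(key: bytes, sid: str, level: int) -> str:
    """Tag binding the service QoT level indication to the session identifier."""
    return hmac.new(key, canonical({"session_id": sid, "service_qot_level": level}), hashlib.sha256).hexdigest()


def build_service_packet(session: dict, level: int, dst: str, payload: bytes) -> dict:  # step 806
    return {"session_id": session["session_id"], "service_qot_level": level, "dst": dst,
            "integrity_tag": integrity_tag(session["session_key"], session["session_id"], level),
            "payload": payload}


class TRS_FE:
    """Trust-based routing: shortest path over devices whose level matches the session's level (811)."""

    def __init__(self, dasm: DASM_FE, device_levels: Dict[str, int], links: Dict[str, List[str]]):
        self.dasm, self.levels, self.links = dasm, device_levels, links

    def path_calculation(self, req: dict) -> Optional[List[str]]:  # steps 808-812
        level = self.dasm.service_qot_level(req["session_id"])
        src, dst = req["ingress"], req["dst"]
        if self.levels.get(src, 0) < level:
            return None
        prev: Dict[str, Optional[str]] = {src: None}
        queue = deque([src])
        while queue:
            node = queue.popleft()
            if node == dst:
                path: List[str] = []
                while node is not None:
                    path.append(node)
                    node = prev[node]
                return path[::-1]
            for nxt in self.links.get(node, []):
                # Only the destination host or a device with a sufficient device QoT level is eligible.
                if nxt not in prev and (nxt == dst or self.levels.get(nxt, 0) >= level):
                    prev[nxt] = node
                    queue.append(nxt)
        return None  # no path made only of matching devices


class NetworkDevice:
    """Ingress device: verifies the tag, requests a path, forwards (steps 807-813)."""

    def __init__(self, name: str, dasm: DASM_FE, trs: TRS_FE):
        self.name, self.dasm, self.trs = name, dasm, trs

    def handle(self, pkt: dict) -> Optional[List[str]]:
        """Returns the transmission path the packet is forwarded on, or None when it is dropped."""
        sid = pkt["session_id"]
        session = self.dasm.sessions.get(sid)  # assumed: session state/key shared by the DASM-FE
        if session is None or pkt["service_qot_level"] != session["service_qot_level"]:
            return None  # unknown session, or indicated level differs from the session's level
        expected = integrity_tag(session["key"], sid, pkt["service_qot_level"])
        if not hmac.compare_digest(expected, pkt["integrity_tag"]):
            return None  # tag failed: indication altered or not produced by the session owner
        return self.trs.path_calculation({"session_id": sid, "dst": pkt["dst"], "ingress": self.name})
```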
The following describes, by example, the virtual apparatus involved in the embodiments of this application.
For example, FIG. 9 is a schematic structural diagram of a terminal device provided by an embodiment of this application. As shown in FIG. 9, the terminal device 900 includes:
a processing module 901, configured to obtain the service QoT level corresponding to a first service and the destination address of the first service, where the service QoT level corresponding to the first service matches the device QoT level of the terminal device;
the processing module 901 is further configured to obtain a target connection identifier according to the service QoT level corresponding to the first service and the destination address of the first service, the target connection identifier being the connection identifier of a target communication connection, established between the terminal device and the destination address of the first service, that matches the service QoT level corresponding to the first service;
a sending module 902, configured to send service packets of the first service to the destination address of the first service, the service packets including the target connection identifier, which indicates that the service packets are to be transmitted over the target communication connection.
Optionally, the terminal device stores a connection identifier set that records the connection identifiers of the communication connections the terminal device has established; each connection identifier in the set has a corresponding destination address and service QoT level. As shown in FIG. 10, the terminal device further includes a receiving module 903. The processing module 901 is configured to, when the connection identifier set contains no connection identifier corresponding to the service QoT level of the first service and the destination address of the first service, send a data transmission request to the management device through the sending module 902 and receive the data transmission response sent by the management device through the receiving module 903. The data transmission request includes the destination address of the first service and the terminal device's QoT certificate, which includes the device QoT level of the terminal device; the data transmission response includes the target connection identifier.
Optionally, the QoT certificate further includes a QoT forwarding policy that the management device applies to the terminal device. The QoT forwarding policy includes the highest service QoT level that the management device provides to the terminal device and/or the default service QoT level that the management device provides to the terminal device.
Optionally, the processing module 901 is further configured to, after the terminal device receives the data transmission response sent by the management device, add to the connection identifier set the correspondence between the destination address of the first service, the service QoT level corresponding to the first service, and the target connection identifier.
Optionally, the data transmission request further includes a service QoT level indication, which indicates the service QoT level corresponding to the first service.
Optionally, the sending module 902 is configured to send QoT parameters of the terminal device to the management device. The QoT parameters include one or more of device identity information, hardware configuration information, software configuration information, and network access information. The receiving module 903 is configured to receive the QoT certificate that the management device derives from the QoT parameters and sends back.
Optionally, the sending module 902 is further configured to send a registration request to the management device before sending the QoT parameters of the terminal device. The receiving module 903 is further configured to receive a QoT authentication request sent by the management device; the QoT authentication request includes a QoT parameter indication, which specifies the QoT parameters that the terminal device is required to provide. The sending module 902 is configured to send a QoT authentication response to the management device; the QoT authentication response includes the QoT parameters specified by the QoT parameter indication.
Optionally, the sending module 902 is further configured to send the latest QoT parameters of the terminal device to the management device when the QoT certificate satisfies a certificate update condition. The receiving module 903 is further configured to receive an updated QoT certificate that the management device derives from the latest QoT parameters.
Optionally, the certificate update condition includes one or more of the following: the QoT certificate has passed its validity period; the QoT parameters of the terminal device have changed; the terminal device and/or the management device cannot parse the QoT certificate.
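The following is an added example, not code from the patent, of how a management device could derive a QoT certificate from a terminal device's QoT parameters and how the terminal could test the three update conditions just listed. The scoring rule that turns parameters into a device QoT level, the HMAC-SHA256 certificate encoding, the one-hour validity, the field names and the sample parameters are all assumptions; the patent fixes none of them:

```python
"""Added example: QoT certificate issuance from QoT parameters and the
certificate update conditions. Illustrative code, not the patent's own
implementation; the level-derivation rule, the HMAC-based certificate
format and the field names are assumptions."""
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Assumption: the management device authenticates certificates with a
# symmetric key it holds; a real deployment would use a signature scheme.
MGMT_KEY = b"management-device-signing-key (constructed)"
VALIDITY_SECONDS = 3600


def params_digest(qot_params: dict) -> str:
    """Canonical hash of the QoT parameters (device identity, hardware,
    software, network access), used to detect a parameter change."""
    canonical = json.dumps(qot_params, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def evaluate_device_qot_level(qot_params: dict) -> int:
    """Assumed scoring rule (the patent leaves the evaluation open):
    each attested property raises the level by one, capped at 3."""
    level = 0
    if qot_params.get("secure_boot"):
        level += 1
    if qot_params.get("firmware_signed"):
        level += 1
    if qot_params.get("access_network") == "enterprise":
        level += 1
    return min(level, 3)


def issue_certificate(qot_params: dict, now: float) -> bytes:
    """Management device side: build the certificate body and tag it."""
    device_level = evaluate_device_qot_level(qot_params)
    body = {
        "device_id": qot_params["device_id"],
        "device_qot_level": device_level,
        # QoT forwarding policy: highest and default service level offered.
        "forwarding_policy": {"max_service_level": device_level,
                              "default_service_level": min(device_level, 1)},
        "params_digest": params_digest(qot_params),
        "not_after": now + VALIDITY_SECONDS,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(MGMT_KEY, payload, hashlib.sha256).hexdigest()
    # The hex tag contains no '.', so rsplit on the last '.' recovers it.
    return payload + b"." + tag.encode()


def parse_certificate(cert: bytes) -> Optional[dict]:
    """Returns the body, or None when the certificate cannot be parsed or
    its tag does not verify (treated as the third update condition)."""
    try:
        payload, tag = cert.rsplit(b".", 1)
        expected = hmac.new(MGMT_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag):
            return None
        return json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return None


def needs_update(cert: bytes, current_params: dict, now: float) -> List[str]:
    """Terminal side: evaluate the three update conditions from the text and
    return the reasons that apply (empty list = certificate still usable)."""
    body = parse_certificate(cert)
    if body is None:
        return ["unparseable"]
    reasons = []
    if now > body["not_after"]:
        reasons.append("expired")
    if body["params_digest"] != params_digest(current_params):
        reasons.append("params_changed")
    return reasons


# Constructed sample parameters for one terminal device.
SAMPLE_PARAMS = {"device_id": "term-01", "secure_boot": True,
                 "firmware_signed": True, "access_network": "enterprise"}

if __name__ == "__main__":
    t0 = time.time()
    cert = issue_certificate(SAMPLE_PARAMS, t0)
    print(parse_certificate(cert)["device_qot_level"],
          needs_update(cert, SAMPLE_PARAMS, t0))
```

A parameter change is detected by comparing the digest embedded at issue time with a digest of the current parameters, so the terminal does not need to keep the parameters it originally sent; a certificate that cannot be parsed and one whose tag no longer verifies are both reported as `unparseable`, which triggers re-issuance.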
Optionally, the service packet further includes an indication of the service QoT level corresponding to the first service and an integrity verification tag for that indication.
Optionally, the processing module 901 is further configured to obtain a service QoT level corresponding to a second service, where the service QoT level corresponding to the second service does not match the device QoT level of the terminal device, and to refuse to transmit the service packets of the second service.
For example, FIG. 11 is a schematic structural diagram of a management device provided by an embodiment of this application. As shown in FIG. 11, the management device 1100 includes:
A receiving module 1101, configured to receive a data transmission request sent by a terminal device. The data transmission request includes the destination address of a first service and the QoT certificate of the terminal device, and the QoT certificate includes the device QoT level of the terminal device.
A processing module 1102, configured to establish, based on the QoT certificate, a target communication connection between the terminal device and the destination address of the first service, where the service QoT level corresponding to the target communication connection matches the device QoT level of the terminal device.
A sending module 1103, configured to send a data transmission response to the terminal device. The data transmission response includes a target connection identifier, which is the connection identifier of the target communication connection.
Optionally, the data transmission request further includes a service QoT level indication, which indicates the service QoT level corresponding to the first service. The processing module 1102 is configured to establish the target communication connection corresponding to the indicated service QoT level when that level matches the device QoT level of the terminal device.
Optionally, the QoT certificate further includes a QoT forwarding policy that the management device applies to the terminal device. The QoT forwarding policy includes the highest service QoT level that the management device provides to the terminal device and/or the default service QoT level that the management device provides to the terminal device.
Optionally, the receiving module 1101 is further configured to receive the QoT parameters of the terminal device sent by the terminal device; the QoT parameters include one or more of device identity information, hardware configuration information, software configuration information, and network access information. The processing module 1102 is further configured to generate the QoT certificate based on the QoT parameters. The sending module 1103 is further configured to send the QoT certificate to the terminal device.
Optionally, the receiving module 1101 is further configured to receive a registration request sent by the terminal device. The sending module 1103 is further configured to send, based on the registration request, a QoT authentication request to the terminal device; the QoT authentication request includes a QoT parameter indication, which specifies the QoT parameters that the terminal device is required to provide. The receiving module 1101 is configured to receive a QoT authentication response sent by the terminal device; the QoT authentication response includes the QoT parameters specified by the QoT parameter indication.
Optionally, the receiving module 1101 is further configured to receive a path computation request from a network device; the path computation request includes the target connection identifier. The processing module 1102 is further configured to determine, according to the service QoT level corresponding to the target connection identifier, the target transmission path used by the target communication connection, where the device QoT level of every network device on the target transmission path matches the service QoT level corresponding to the target connection identifier. The sending module 1103 is further configured to send a path computation response to the network device; the path computation response includes path information of the target transmission path.
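As an added example (not the patent's own code) of the terminal-side lookup in the connection identifier set and of the data transmission request/response exchange with the management device described in the terminal and management device embodiments above, the Python below models both ends in one process. The dict message layout, the sequential connection identifiers, and the rule that a service QoT level matches when it exceeds neither the device QoT level nor the policy's highest service level are assumptions; the certificate is passed as a plain dict and its authenticity is not checked here:

```python
"""Added example: connection-identifier lookup on the terminal and the
data transmission request/response handled by the management device.
Illustrative code, not the patent's own; message layout and the level
matching rule are assumptions."""
import itertools
from typing import Dict, Optional, Tuple


def level_matches(service_level: int, cert: dict) -> bool:
    """Assumed matching rule: the service level may not exceed the device
    QoT level nor the highest service level in the forwarding policy."""
    policy = cert.get("forwarding_policy", {})
    cap = min(cert["device_qot_level"],
              policy.get("max_service_level", cert["device_qot_level"]))
    return 0 <= service_level <= cap


class ManagementDevice:
    """Receiving module 1101 / processing module 1102 / sending module 1103
    of the text, collapsed into one request handler."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.connections: Dict[int, dict] = {}   # conn_id -> attributes

    def handle_data_transmission_request(self, req: dict) -> dict:
        cert = req["qot_certificate"]
        # Assumption: certificate authenticity is verified here in a real
        # system; this example trusts the dict as given.
        level = req.get("service_qot_level",
                        cert["forwarding_policy"]["default_service_level"])
        if not level_matches(level, cert):
            return {"status": "rejected", "reason": "qot level mismatch"}
        conn_id = next(self._ids)
        self.connections[conn_id] = {"device_id": cert["device_id"],
                                     "destination": req["destination"],
                                     "service_qot_level": level}
        return {"status": "ok", "target_connection_id": conn_id}


class TerminalDevice:
    """Holds the connection identifier set keyed by (destination, level)."""

    def __init__(self, cert: dict, mgmt: ManagementDevice):
        self.cert = cert
        self.mgmt = mgmt
        self.connection_ids: Dict[Tuple[str, int], int] = {}

    def get_target_connection_id(self, dest: str, level: int) -> Optional[int]:
        # A service whose level does not match the device level is refused
        # locally, before any request leaves the device (the "second
        # service" case in the text).
        if not level_matches(level, self.cert):
            return None
        key = (dest, level)
        if key in self.connection_ids:          # existing connection reused
            return self.connection_ids[key]
        resp = self.mgmt.handle_data_transmission_request({
            "destination": dest,
            "qot_certificate": self.cert,
            "service_qot_level": level,          # service QoT level indication
        })
        if resp["status"] != "ok":
            return None
        self.connection_ids[key] = resp["target_connection_id"]
        return resp["target_connection_id"]

    def build_service_packet(self, dest: str, level: int,
                             payload: bytes) -> Optional[dict]:
        conn_id = self.get_target_connection_id(dest, level)
        if conn_id is None:
            return None   # refuse to transmit
        return {"destination": dest, "target_connection_id": conn_id,
                "payload": payload}


# Constructed certificate for a terminal device at device QoT level 2.
SAMPLE_CERT = {"device_id": "term-01", "device_qot_level": 2,
               "forwarding_policy": {"max_service_level": 2,
                                     "default_service_level": 1}}

if __name__ == "__main__":
    mgmt = ManagementDevice()
    term = TerminalDevice(SAMPLE_CERT, mgmt)
    print(term.build_service_packet("10.0.0.5", 2, b"hello"))
    print(term.build_service_packet("10.0.0.5", 3, b"refused"))
```

Because the set is keyed by both destination and service level, a second service to the same destination at a different level gets its own connection, which is what keeps traffic of different trust requirements on different paths.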
For example, FIG. 12 is a schematic structural diagram of a network device provided by an embodiment of this application. As shown in FIG. 12, the network device 1200 includes:
A receiving module 1201, configured to receive a service packet of a first service sent by a terminal device; the service packet includes a target connection identifier.
A processing module 1202, configured to obtain the target transmission path corresponding to the target connection identifier, where the device quality of trust (QoT) level of every network device on the target transmission path matches the service QoT level corresponding to the target connection identifier.
A sending module 1203, configured to forward the service packet along the target transmission path.
Optionally, the processing module 1202 is configured to send a path computation request to the management device through the sending module 1203, where the path computation request includes the target connection identifier, and to receive through the receiving module 1201 a path computation response sent by the management device, where the path computation response includes path information of the target transmission path.
Optionally, the service packet further includes an indication of the service QoT level corresponding to the first service and an integrity verification tag for that indication. The sending module 1203 is configured to forward the service packet along the target transmission path only when the service QoT level given by the indication is the same as the service QoT level corresponding to the target connection identifier and the network device has successfully verified the integrity verification tag.
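An added example, not from the patent, of the network-device side: the management device answers a path computation request with a path that uses only hops whose device QoT level is sufficient, and the network device forwards a service packet only when its QoT level indication equals the connection's level and the integrity verification tag verifies. Assumptions: a node matches a service level when its device level is at least that level; the tag is an HMAC-SHA256 over the connection identifier and the level under a key shared between the terminal and the network devices (the patent does not fix the tag algorithm or key distribution); breadth-first search picks the path; the topology and connection table are constructed for the example:

```python
"""Added example: QoT-constrained path computation and the forwarding
check on the QoT level indication plus its integrity verification tag.
Illustrative code, not the patent's own; matching rule, tag construction,
key sharing and path algorithm are assumptions."""
from collections import deque
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed topology: node -> (device QoT level, neighbours).
TOPOLOGY: Dict[str, Tuple[int, List[str]]] = {
    "R1": (3, ["R2", "R3"]),
    "R2": (1, ["R1", "R4"]),   # low-trust hop; shortest, but unusable at level 3
    "R3": (3, ["R1", "R4"]),
    "R4": (3, ["R2", "R3"]),
}
# Constructed connection table as known to the management device.
CONNECTIONS = {7: {"service_qot_level": 3, "ingress": "R1", "egress": "R4"}}
# Assumption: key shared by the terminal and the network devices.
TAG_KEY = b"terminal/network shared tag key (constructed)"


def compute_path(conn_id: int) -> Optional[List[str]]:
    """Management device side (path computation request/response): shortest
    path on which every hop has device QoT level >= the connection's level."""
    conn = CONNECTIONS.get(conn_id)
    if conn is None:
        return None
    need = conn["service_qot_level"]

    def trusted(node: str) -> bool:
        return TOPOLOGY[node][0] >= need

    if not trusted(conn["ingress"]):
        return None
    queue = deque([[conn["ingress"]]])
    seen = {conn["ingress"]}
    while queue:
        path = queue.popleft()
        if path[-1] == conn["egress"]:
            return path
        for nxt in TOPOLOGY[path[-1]][1]:
            if nxt not in seen and trusted(nxt):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def level_tag(conn_id: int, level: int) -> str:
    """Integrity verification tag over the (connection id, level) pair."""
    msg = f"{conn_id}|{level}".encode()
    return hmac.new(TAG_KEY, msg, hashlib.sha256).hexdigest()


def build_packet(conn_id: int, level: int, payload: bytes) -> dict:
    """Terminal side: attach the level indication and its tag."""
    return {"target_connection_id": conn_id, "qot_level": level,
            "tag": level_tag(conn_id, level), "payload": payload}


def forward(packet: dict) -> Tuple[str, Optional[List[str]]]:
    """Network device side: returns ('forward', path) or ('drop', None)."""
    conn_id = packet["target_connection_id"]
    conn = CONNECTIONS.get(conn_id)
    if conn is None:
        return "drop", None
    # The indication must equal the level the connection was set up with...
    if packet["qot_level"] != conn["service_qot_level"]:
        return "drop", None
    # ...and the tag must verify, so rewriting the level field in transit
    # is detected rather than silently rerouting traffic.
    expected = level_tag(conn_id, packet["qot_level"])
    if not hmac.compare_digest(expected, packet["tag"]):
        return "drop", None
    path = compute_path(conn_id)   # path computation request/response
    if path is None:
        return "drop", None
    return "forward", path


if __name__ == "__main__":
    print(forward(build_packet(7, 3, b"data")))
    print(forward(dict(build_packet(7, 3, b"data"), qot_level=2)))
```

Binding the tag to the connection identifier as well as to the level means a tag minted for a level-3 indication on one connection cannot be replayed onto a packet for a connection that was established at a lower level.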
For the apparatuses in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the method embodiments and is not repeated here.
The following describes, by way of example, the hardware structures involved in the embodiments of this application.
For example, FIG. 13 is a schematic diagram of the hardware structure of a terminal device provided by an embodiment of this application. As shown in FIG. 13, the terminal device 1300 includes a processor 1301 and a memory 1302, and the processor 1301 and the memory 1302 are connected by a bus 1303. FIG. 13 shows the processor 1301 and the memory 1302 as separate components; optionally, the processor 1301 and the memory 1302 are integrated.
The memory 1302 stores a computer program, which includes an operating system and program code. The memory 1302 may be any of various storage media, for example read-only memory (ROM), random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), flash memory, optical memory, registers, optical disc storage, magnetic disk, or another magnetic storage device.
The processor 1301 is a general-purpose processor or a special-purpose processor and may be single-core or multi-core. The processor 1301 includes at least one circuit for performing the actions performed by the terminal device in the method embodiments of this application.
Optionally, the terminal device 1300 further includes a network interface 1304, connected to the processor 1301 and the memory 1302 by the bus 1303. The network interface 1304 enables the terminal device 1300 to communicate with the network side; through it, the processor 1301 interacts with the network side to register for a QoT certificate, perform data transmission, and so on.
Optionally, the terminal device 1300 further includes an input/output (I/O) interface 1305, connected to the processor 1301 and the memory 1302 by the bus 1303. The processor 1301 can receive input commands, data and the like through the I/O interface 1305. The I/O interface 1305 connects the terminal device 1300 to input devices such as a keyboard or a mouse. Optionally, in some scenarios the network interface 1304 and the I/O interface 1305 are collectively referred to as a communication interface.
Optionally, the terminal device 1300 further includes a display 1306, connected to the processor 1301 and the memory 1302 by the bus 1303. The display 1306 can show intermediate and/or final results produced by the processor 1301 when executing the above method, for example alarm prompts. In one possible implementation, the display 1306 is a touch screen that provides a human-machine interaction interface.
The bus 1303 is a communication bus of any type that interconnects the internal components of the terminal device 1300, for example a system bus. The embodiments of this application use interconnection through the bus 1303 as an example; optionally, the internal components of the terminal device 1300 are communicatively connected in another way, for example through logical interfaces inside the terminal device 1300.
The above components may be placed on separate chips, or some or all of them may be placed on the same chip. Whether each component is placed on its own chip or integrated on one or more chips usually depends on product design requirements; the embodiments of this application do not limit the specific implementation form of the above components.
The terminal device 1300 shown in FIG. 13 is only an example; in practice the terminal device 1300 includes other components that are not listed one by one here. The terminal device 1300 shown in FIG. 13 can implement data transmission by performing all or some of the steps of the method provided in the above embodiments.
For example, FIG. 14 is a schematic diagram of the hardware structure of a management device provided by an embodiment of this application. As shown in FIG. 14, the management device 1400 includes a processor 1401 and a memory 1402, and the processor 1401 and the memory 1402 are connected by a bus 1403. FIG. 14 shows the processor 1401 and the memory 1402 as separate components; optionally, the processor 1401 and the memory 1402 are integrated.
The memory 1402 stores a computer program, which includes an operating system and program code. The memory 1402 may be any of various storage media, for example ROM, RAM, EEPROM, CD-ROM, flash memory, optical memory, registers, optical disc storage, magnetic disk, or another magnetic storage device.
The processor 1401 is a general-purpose processor or a special-purpose processor and may be single-core or multi-core. The processor 1401 includes at least one circuit for performing the actions performed by the management device in the method embodiments of this application.
Optionally, the management device 1400 further includes a network interface 1404, connected to the processor 1401 and the memory 1402 by the bus 1403. The network interface 1404 enables the management device 1400 to communicate with the application side; through it, the processor 1401 interacts with the application side to issue QoT certificates to terminal devices, set up communication connections, and so on.
Optionally, the management device 1400 further includes an I/O interface 1405, connected to the processor 1401 and the memory 1402 by the bus 1403. The processor 1401 can receive input commands, data and the like through the I/O interface 1405. The I/O interface 1405 connects the management device 1400 to input devices such as a keyboard or a mouse. Optionally, in some scenarios the network interface 1404 and the I/O interface 1405 are collectively referred to as a communication interface.
Optionally, the management device 1400 further includes a display 1406, connected to the processor 1401 and the memory 1402 by the bus 1403. The display 1406 can show intermediate and/or final results produced by the processor 1401 when executing the above method, for example alarm prompts. In one possible implementation, the display 1406 is a touch screen that provides a human-machine interaction interface.
The bus 1403 is a communication bus of any type that interconnects the internal components of the management device 1400, for example a system bus. The embodiments of this application use interconnection through the bus 1403 as an example; optionally, the internal components of the management device 1400 are communicatively connected in another way, for example through logical interfaces inside the management device 1400.
The above components may be placed on separate chips, or some or all of them may be placed on the same chip. Whether each component is placed on its own chip or integrated on one or more chips usually depends on product design requirements; the embodiments of this application do not limit the specific implementation form of the above components.
The management device 1400 shown in FIG. 14 is only an example; in practice the management device 1400 includes other components that are not listed one by one here. The management device 1400 shown in FIG. 14 can implement data transmission by performing all or some of the steps of the method provided in the above embodiments.
For example, FIG. 15 is a schematic diagram of the hardware structure of a network device provided by an embodiment of this application. As shown in FIG. 15, the network device 1500 includes a processor 1501 and a memory 1502, and the processor 1501 and the memory 1502 are connected by a bus 1503. FIG. 15 shows the processor 1501 and the memory 1502 as separate components; optionally, the processor 1501 and the memory 1502 are integrated.
The memory 1502 stores a computer program, which includes an operating system and program code. The memory 1502 may be any of various storage media, for example ROM, RAM, EEPROM, CD-ROM, flash memory, optical memory, registers, optical disc storage, magnetic disk, or another magnetic storage device.
The processor 1501 is a general-purpose processor or a special-purpose processor and may be single-core or multi-core. The processor 1501 includes at least one circuit for performing the actions performed by the network device in the method embodiments of this application.
Optionally, the network device 1500 further includes a network interface 1504, connected to the processor 1501 and the memory 1502 by the bus 1503. The network interface 1504 enables the network device 1500 to communicate with the application side and with the management device; through it, the processor 1501 receives service packets from the application side, forwards service packets, and so on.
Optionally, the network device 1500 further includes an I/O interface 1505, connected to the processor 1501 and the memory 1502 by the bus 1503. The processor 1501 can receive input commands, data and the like through the I/O interface 1505. The I/O interface 1505 connects the network device 1500 to input devices such as a keyboard or a mouse. Optionally, in some scenarios the network interface 1504 and the I/O interface 1505 are collectively referred to as a communication interface.
Optionally, the network device 1500 further includes a display 1506, connected to the processor 1501 and the memory 1502 by the bus 1503. The display 1506 can show intermediate and/or final results produced by the processor 1501 when executing the above method, for example alarm prompts. In one possible implementation, the display 1506 is a touch screen that provides a human-machine interaction interface.
The bus 1503 is a communication bus of any type that interconnects the internal components of the network device 1500, for example a system bus. The embodiments of this application use interconnection through the bus 1503 as an example; optionally, the internal components of the network device 1500 are communicatively connected in another way, for example through logical interfaces inside the network device 1500.
The above components may be placed on separate chips, or some or all of them may be placed on the same chip. Whether each component is placed on its own chip or integrated on one or more chips usually depends on product design requirements; the embodiments of this application do not limit the specific implementation form of the above components.
The network device 1500 shown in FIG. 15 is only an example; in practice the network device 1500 includes other components that are not listed one by one here. The network device 1500 shown in FIG. 15 can implement data transmission by performing all or some of the steps of the method provided in the above embodiments.
An embodiment of this application further provides a data transmission system, including a terminal device, a management device and a network device. The terminal device performs the actions performed by the terminal device in the above method embodiments, the management device performs the actions performed by the management device in the above method embodiments, and the network device performs the actions performed by the network device in the above method embodiments.
An embodiment of this application further provides a computer-readable storage medium storing instructions which, when executed by a processor, implement the actions performed by the terminal device, the management device or the network device in the above method embodiments.
An embodiment of this application further provides a computer program product including a computer program which, when executed by a processor, implements the actions performed by the terminal device, the management device or the network device in the above method embodiments.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc.
In the embodiments of this application, the terms "first", "second" and "third" are used for description only and are not to be understood as indicating or implying relative importance.
In this application the term "and/or" merely describes an association between related objects and indicates that three relationships may exist: for example, "A and/or B" may mean that A exists alone, that A and B both exist, or that B exists alone. In addition, the character "/" in this document generally indicates that the objects before and after it are in an "or" relationship.
It should be noted that the information (including but not limited to user equipment information and user personal information), data (including but not limited to data used for analysis, stored data and displayed data) and signals involved in this application are all authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with the laws, regulations and standards of the relevant countries and regions. For example, the device identity information, device identifiers, user identifiers and QoT parameters involved in this application are all obtained with full authorization.
The foregoing are merely optional embodiments of this application and are not intended to limit it. Any modification, equivalent replacement, improvement or the like made within the concept and principles of this application shall fall within the protection scope of this application.
Claims (44)
- A data transmission method, characterized in that the method includes: a terminal device obtains a service quality of trust (QoT) level corresponding to a first service and a destination address of the first service, the service QoT level corresponding to the first service matching a device QoT level of the terminal device; the terminal device obtains a target connection identifier according to the service QoT level corresponding to the first service and the destination address of the first service, the target connection identifier being the connection identifier of a target communication connection that is established between the terminal device and the destination address of the first service and that matches the service QoT level corresponding to the first service; and the terminal device sends a service message of the first service to the destination address of the first service, the service message including the target connection identifier, which indicates that the service message is to be transmitted over the target communication connection.
- The method according to claim 1, characterized in that the terminal device stores a connection identifier set that records the connection identifiers of communication connections already established by the terminal device, each connection identifier in the set having a corresponding destination address and service QoT level, and the terminal device obtaining the target connection identifier according to the service QoT level corresponding to the first service and the destination address of the first service includes: when the connection identifier set contains no connection identifier corresponding to the service QoT level corresponding to the first service and the destination address of the first service, the terminal device sends a data transmission request to a management device, the data transmission request including the destination address of the first service and a QoT certificate of the terminal device, the QoT certificate including the device QoT level of the terminal device; and the terminal device receives a data transmission response sent by the management device, the data transmission response including the target connection identifier.
- The method according to claim 2, characterized in that the QoT certificate further includes a QoT forwarding policy of the management device for the terminal device, the QoT forwarding policy including the highest service QoT level that the management device provides to the terminal device and/or the default service QoT level that the management device provides to the terminal device.
- The method according to claim 2 or 3, characterized in that, after the terminal device receives the data transmission response sent by the management device, the method further includes: the terminal device adds to the connection identifier set the correspondence between the destination address of the first service, the service QoT level corresponding to the first service and the target connection identifier.
- The method according to any one of claims 2 to 4, characterized in that the data transmission request further includes a service QoT level indication, which indicates the service QoT level corresponding to the first service.
- The method according to any one of claims 2 to 5, characterized in that the method further includes: the terminal device sends QoT parameters of the terminal device to the management device, the QoT parameters including one or more of device identity information, hardware configuration information, software configuration information or network access information; and the terminal device receives the QoT certificate, obtained on the basis of the QoT parameters, sent by the management device.
- The method according to claim 6, characterized in that, before the terminal device sends the QoT parameters of the terminal device to the management device, the method further includes: the terminal device sends a registration request to the management device; and the terminal device receives a QoT authentication request sent by the management device, the QoT authentication request including a QoT parameter indication that indicates the QoT parameters the terminal device is required to provide; and the terminal device sending the QoT parameters of the terminal device to the management device includes: the terminal device sends a QoT authentication response to the management device, the QoT authentication response including the QoT parameters indicated by the QoT parameter indication.
- The method according to claim 6 or 7, characterized in that the method further includes: when the QoT certificate satisfies a certificate update condition, the terminal device sends the latest QoT parameters of the terminal device to the management device; and the terminal device receives an updated QoT certificate, obtained on the basis of the latest QoT parameters, sent by the management device.
- The method according to claim 8, characterized in that the certificate update condition includes one or more of the following: the QoT certificate has exceeded its validity period; the QoT parameters of the terminal device have changed; the terminal device and/or the management device cannot parse the QoT certificate.
- The method according to any one of claims 1 to 9, characterized in that the service message further includes an indication of the service QoT level corresponding to the first service and an integrity verification tag for the indication.
- The method according to any one of claims 1 to 10, characterized in that the method further includes: the terminal device obtains a service QoT level corresponding to a second service, the service QoT level corresponding to the second service not matching the device QoT level of the terminal device; and the terminal device refuses to transmit service messages of the second service.
- A data transmission method, characterized in that the method includes: a management device receives a data transmission request sent by a terminal device, the data transmission request including a destination address of a first service and a quality of trust (QoT) certificate of the terminal device, the QoT certificate including a device QoT level of the terminal device; the management device establishes, on the basis of the QoT certificate, a target communication connection between the terminal device and the destination address of the first service, the service QoT level corresponding to the target communication connection matching the device QoT level of the terminal device; and the management device sends a data transmission response to the terminal device, the data transmission response including a target connection identifier, which is the connection identifier of the target communication connection.
- The method according to claim 12, characterized in that the data transmission request further includes a service QoT level indication, which indicates the service QoT level corresponding to the first service, and the management device establishing the target communication connection between the terminal device and the destination address of the first service on the basis of the QoT certificate includes: when the service QoT level indicated by the service QoT level indication matches the device QoT level of the terminal device, the management device establishes the target communication connection corresponding to the service QoT level indicated by the service QoT level indication.
- The method according to claim 12 or 13, characterized in that the QoT certificate further includes a QoT forwarding policy of the management device for the terminal device, the QoT forwarding policy including the highest service QoT level that the management device provides to the terminal device and/or the default service QoT level that the management device provides to the terminal device.
- The method according to any one of claims 12 to 14, characterized in that the method further includes: the management device receives QoT parameters of the terminal device sent by the terminal device, the QoT parameters including one or more of device identity information, hardware configuration information, software configuration information or network access information; the management device generates the QoT certificate on the basis of the QoT parameters; and the management device sends the QoT certificate to the terminal device.
- The method according to claim 15, characterized in that the method further includes: the management device receives a registration request sent by the terminal device; and the management device sends, on the basis of the registration request, a QoT authentication request to the terminal device, the QoT authentication request including a QoT parameter indication that indicates the QoT parameters the terminal device is required to provide; and the management device receiving the QoT parameters of the terminal device sent by the terminal device includes: the management device receives a QoT authentication response sent by the terminal device, the QoT authentication response including the QoT parameters indicated by the QoT parameter indication.
- The method according to any one of claims 12 to 16, characterized in that the method further includes: the management device receives a path calculation request from a network device, the path calculation request including the target connection identifier; the management device determines, according to the service QoT level corresponding to the target connection identifier, a target transmission path to be used by the target communication connection, the device QoT level of each network device on the target transmission path matching the service QoT level corresponding to the target connection identifier; and the management device sends a path calculation response to the network device, the path calculation response including path information of the target transmission path.
- A data transmission method, characterized in that the method includes: a network device receives a service message of a first service sent by a terminal device and a destination address of the first service, the service message including a target connection identifier; the network device obtains a target transmission path corresponding to the target connection identifier, the device quality of trust (QoT) level of each network device on the target transmission path matching the service QoT level corresponding to the target connection identifier; and the network device forwards the service message on the basis of the target transmission path.
- The method according to claim 18, characterized in that the network device obtaining the target transmission path corresponding to the target connection identifier includes: the network device sends a path calculation request to a management device, the path calculation request including the target connection identifier; and the network device receives a path calculation response sent by the management device, the path calculation response including path information of the target transmission path.
- The method according to claim 18 or 19, characterized in that the service message further includes an indication of the service QoT level corresponding to the first service and an integrity verification tag for the indication, and the network device forwarding the service message on the basis of the target transmission path includes: when the service QoT level indicated by the indication is the same as the service QoT level corresponding to the target connection identifier, and the network device successfully verifies the integrity verification tag, the network device forwards the service message on the basis of the target transmission path.
- A terminal device, characterized in that the terminal device includes: a processing module, configured to obtain a service quality of trust (QoT) level corresponding to a first service, the service QoT level corresponding to the first service matching a device QoT level of the terminal device; the processing module being further configured to obtain a target connection identifier according to the service QoT level corresponding to the first service and a destination address of the first service, the target connection identifier being the connection identifier of a target communication connection that is established between the terminal device and the destination address of the first service and that matches the service QoT level corresponding to the first service; and a sending module, configured to send a service message of the first service to the destination address of the first service, the service message including the target connection identifier, which indicates that the service message is to be transmitted over the target communication connection.
- The terminal device according to claim 21, characterized in that the terminal device stores a connection identifier set that records the connection identifiers of communication connections already established by the terminal device, each connection identifier in the set having a corresponding destination address and service QoT level, and the terminal device further includes a receiving module; the processing module being configured, when the connection identifier set contains no connection identifier corresponding to the service QoT level corresponding to the first service and the destination address of the first service, to send a data transmission request to a management device through the sending module and to receive a data transmission response sent by the management device through the receiving module, the data transmission request including the destination address of the first service and a QoT certificate of the terminal device, the QoT certificate including the device QoT level of the terminal device, and the data transmission response including the target connection identifier.
- The terminal device according to claim 22, characterized in that the QoT certificate further includes a QoT forwarding policy of the management device for the terminal device, the QoT forwarding policy including the highest service QoT level that the management device provides to the terminal device and/or the default service QoT level that the management device provides to the terminal device.
- The terminal device according to claim 22 or 23, characterized in that the processing module is further configured, after the terminal device receives the data transmission response sent by the management device, to add to the connection identifier set the correspondence between the destination address of the first service, the service QoT level corresponding to the first service and the target connection identifier.
- The terminal device according to any one of claims 22 to 24, characterized in that the data transmission request further includes a service QoT level indication, which indicates the service QoT level corresponding to the first service.
- The terminal device according to any one of claims 22 to 25, characterized in that the sending module is configured to send QoT parameters of the terminal device to the management device, the QoT parameters including one or more of device identity information, hardware configuration information, software configuration information or network access information; and the receiving module is configured to receive the QoT certificate, obtained on the basis of the QoT parameters, sent by the management device.
- The terminal device according to claim 26, characterized in that the sending module is further configured to send a registration request to the management device before sending the QoT parameters of the terminal device to the management device; the receiving module is further configured to receive a QoT authentication request sent by the management device, the QoT authentication request including a QoT parameter indication that indicates the QoT parameters the terminal device is required to provide; and the sending module is configured to send a QoT authentication response to the management device, the QoT authentication response including the QoT parameters indicated by the QoT parameter indication.
- The terminal device according to claim 26 or 27, characterized in that the sending module is further configured to send the latest QoT parameters of the terminal device to the management device when the QoT certificate satisfies a certificate update condition; and the receiving module is further configured to receive an updated QoT certificate, obtained on the basis of the latest QoT parameters, sent by the management device.
- The terminal device according to claim 28, characterized in that the certificate update condition includes one or more of the following: the QoT certificate has exceeded its validity period; the QoT parameters of the terminal device have changed; the terminal device and/or the management device cannot parse the QoT certificate.
- The terminal device according to any one of claims 21 to 29, characterized in that the service message further includes an indication of the service QoT level corresponding to the first service and an integrity verification tag computed from the indication.
- The terminal device according to any one of claims 21 to 30, characterized in that the processing module is further configured to obtain a service QoT level corresponding to a second service, the service QoT level corresponding to the second service not matching the device QoT level of the terminal device; and the processing module is further configured to refuse to transmit service messages of the second service.
- A management device, characterized in that the management device includes: a receiving module, configured to receive a data transmission request sent by a terminal device, the data transmission request including a destination address of a first service and a quality of trust (QoT) certificate of the terminal device, the QoT certificate including a device QoT level of the terminal device; a processing module, configured to establish, on the basis of the QoT certificate, a target communication connection between the terminal device and the destination address of the first service, the service QoT level corresponding to the target communication connection matching the device QoT level of the terminal device; and a sending module, configured to send a data transmission response to the terminal device, the data transmission response including a target connection identifier, which is the connection identifier of the target communication connection.
- The management device according to claim 32, characterized in that the data transmission request further includes a service QoT level indication, which indicates the service QoT level corresponding to the first service, and the processing module is configured to: when the service QoT level indicated by the service QoT level indication matches the device QoT level of the terminal device, establish the target communication connection corresponding to the service QoT level indicated by the service QoT level indication.
- The management device according to claim 32 or 33, characterized in that the QoT certificate further includes a QoT forwarding policy of the management device for the terminal device, the QoT forwarding policy including the highest service QoT level that the management device provides to the terminal device and/or the default service QoT level that the management device provides to the terminal device.
- The management device according to any one of claims 32 to 34, characterized in that the receiving module is further configured to receive QoT parameters of the terminal device sent by the terminal device, the QoT parameters including one or more of device identity information, hardware configuration information, software configuration information or network access information; the processing module is further configured to generate the QoT certificate on the basis of the QoT parameters; and the sending module is further configured to send the QoT certificate to the terminal device.
- The management device according to claim 35, characterized in that the receiving module is further configured to receive a registration request sent by the terminal device; the sending module is further configured to send, on the basis of the registration request, a QoT authentication request to the terminal device, the QoT authentication request including a QoT parameter indication that indicates the QoT parameters the terminal device is required to provide; and the receiving module is configured to receive a QoT authentication response sent by the terminal device, the QoT authentication response including the QoT parameters indicated by the QoT parameter indication.
- The management device according to any one of claims 32 to 36, characterized in that the receiving module is further configured to receive a path calculation request from a network device, the path calculation request including the target connection identifier; the processing module is further configured to determine, according to the service QoT level corresponding to the target connection identifier, a target transmission path to be used by the target communication connection, the device QoT level of each network device on the target transmission path matching the service QoT level corresponding to the target connection identifier; and the sending module is further configured to send a path calculation response to the network device, the path calculation response including path information of the target transmission path.
- A network device, characterized in that the network device includes: a receiving module, configured to receive a service message of a first service sent by a terminal device, the service message including a target connection identifier; a processing module, configured to obtain a target transmission path corresponding to the target connection identifier, the device quality of trust (QoT) level of each network device on the target transmission path matching the service QoT level corresponding to the target connection identifier; and a sending module, configured to forward the service message on the basis of the target transmission path.
- The network device according to claim 38, characterized in that the processing module is configured to: send a path calculation request to a management device through the sending module, the path calculation request including the target connection identifier; and receive, through the receiving module, a path calculation response sent by the management device, the path calculation response including path information of the target transmission path.
- The network device according to claim 38 or 39, characterized in that the service message further includes an indication of the service QoT level corresponding to the first service and an integrity verification tag computed from the indication, and the sending module is configured to: when the service QoT level indicated by the indication is the same as the service QoT level corresponding to the target connection identifier, and the network device successfully verifies the integrity verification tag, forward the service message on the basis of the target transmission path.
- A data transmission system, characterized in that it includes a terminal device, a management device and a network device, the terminal device being configured to perform the method according to any one of claims 1 to 11, the management device being configured to perform the method according to any one of claims 12 to 17, and the network device being configured to perform the method according to any one of claims 18 to 20.
- A data transmission apparatus, characterized in that it includes a processor and a memory; the memory being configured to store a computer program that includes program instructions; and the processor being configured to invoke the computer program to implement the method according to any one of claims 1 to 20.
- A computer-readable storage medium, characterized in that instructions are stored on the computer-readable storage medium and, when the instructions are executed by a processor, the method according to any one of claims 1 to 20 is implemented.
- A computer program product, characterized in that it includes a computer program and, when the computer program is executed by a processor, the method according to any one of claims 1 to 20 is implemented.
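As an added example that is not part of the patent, the following Python simulation walks through the exchange described in claims 1 to 20: the terminal device's connection identifier set lookup and data transmission request, the management device's QoT level matching and path calculation, and the network device's check of the QoT level indication and its integrity verification tag. The matching rule (a device carries services at or below its own level), the HMAC-SHA256 tag construction with a per-connection key, the topology and every identifier and address are assumptions, since the claims do not specify them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample topology (not from the patent): device QoT level of each
# network device, its links, and the network device that serves each destination.
NETWORK_DEVICE_QOT = {"r1": 3, "r2": 1, "r3": 3, "r4": 3}
LINKS = {"r1": ("r2", "r3"), "r2": ("r4",), "r3": ("r4",), "r4": ()}
DESTINATION_EGRESS = {"10.0.0.5": "r4"}


def levels_match(service_level, device_level):
    # Assumed matching rule: a device may carry a service at or below its own level.
    return service_level <= device_level


def integrity_tag(key, qot_level):
    # Assumed tag construction: HMAC-SHA256 over the QoT level indication.
    return hmac.new(key, str(qot_level).encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class QoTCertificate:
    device_id: str
    device_qot_level: int
    max_service_level: int      # QoT forwarding policy (claim 3)
    default_service_level: int


class ManagementDevice:
    def __init__(self):
        self.connections = {}   # target connection identifier -> connection record

    def issue_certificate(self, device_id, qot_params):
        # Claim 15: certificate derived from the QoT parameters. Constructed rule:
        # the device level is the weaker of the reported hardware and software scores.
        level = min(qot_params["hardware"], qot_params["software"])
        return QoTCertificate(device_id, level, level, default_service_level=1)

    def data_transmission_request(self, cert, dst, indicated_level=None):
        # Claims 12-13: set up the connection only if the indicated (or default)
        # service level matches the device level and the certificate's policy.
        level = cert.default_service_level if indicated_level is None else indicated_level
        if not levels_match(level, cert.device_qot_level) or level > cert.max_service_level:
            return None
        conn_id = secrets.token_hex(4)
        self.connections[conn_id] = {"dst": dst, "level": level, "key": secrets.token_bytes(16)}
        return conn_id, self.connections[conn_id]["key"]   # response; the key is assumed

    def path_calculation_request(self, ingress, conn_id):
        # Claim 17: every network device on the path must match the service level.
        record = self.connections.get(conn_id)
        if record is None:
            return None
        path = self._search(ingress, DESTINATION_EGRESS[record["dst"]], record["level"], [])
        return None if path is None else {"path": path, "level": record["level"], "key": record["key"]}

    def _search(self, node, egress, level, visited):
        if node in visited or not levels_match(level, NETWORK_DEVICE_QOT[node]):
            return None
        visited = visited + [node]
        if node == egress:
            return visited
        for nxt in LINKS[node]:
            found = self._search(nxt, egress, level, visited)
            if found:
                return found
        return None


class TerminalDevice:
    def __init__(self, cert, mgmt):
        self.cert, self.mgmt = cert, mgmt
        self.connection_set = {}   # (destination, service level) -> (conn id, key), claim 2

    def send(self, dst, service_level, payload):
        # Claim 11: a service whose level does not match the device level is refused.
        if not levels_match(service_level, self.cert.device_qot_level):
            return None
        key = (dst, service_level)
        if key not in self.connection_set:        # claim 2: ask the management device
            resp = self.mgmt.data_transmission_request(self.cert, dst, service_level)
            if resp is None:
                return None
            self.connection_set[key] = resp       # claim 4: remember the mapping
        conn_id, conn_key = self.connection_set[key]
        # Claim 10: the message carries the level indication and its integrity tag.
        return {"dst": dst, "conn_id": conn_id, "qot_level": service_level,
                "tag": integrity_tag(conn_key, service_level), "payload": payload}


class NetworkDevice:
    def __init__(self, node, mgmt):
        self.node, self.mgmt = node, mgmt

    def forward(self, msg):
        # Returns the transmission path used, or None when the message is dropped.
        info = self.mgmt.path_calculation_request(self.node, msg["conn_id"])   # claim 19
        if info is None or msg["qot_level"] != info["level"]:
            return None   # claim 20: indication must equal the connection's level
        if not hmac.compare_digest(integrity_tag(info["key"], info["level"]), msg["tag"]):
            return None   # claim 20: integrity verification tag failed
        return info["path"]
```

A second call for the same destination and level reuses the stored connection identifier, and a message whose level indication or tag has been altered, or that enters at a network device below the required level, is dropped rather than forwarded.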
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210699339.XA CN117294769A (en) | 2022-06-20 | 2022-06-20 | Data transmission method, device and system |
CN202210699339.X | 2022-06-20 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023246535A1 true WO2023246535A1 (en) | 2023-12-28 |
Family
ID=89246866
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2023/099595 WO2023246535A1 (en) | 2022-06-20 | 2023-06-12 | Data transmission method and apparatus and system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117294769A (en) |
WO (1) | WO2023246535A1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150139652A1 (en) * | 2011-09-16 | 2015-05-21 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatus for allocating slots for transmission of data |
CN113365267A (en) * | 2020-03-06 | 2021-09-07 | 华为技术有限公司 | Communication method and device |
CN113765800A (en) * | 2020-06-05 | 2021-12-07 | 华为技术有限公司 | Method, device, system, equipment and readable storage medium for transmitting message |
- 2022-06-20 CN CN202210699339.XA patent/CN117294769A/en active Pending
- 2023-06-12 WO PCT/CN2023/099595 patent/WO2023246535A1/en unknown
Non-Patent Citations (1)
Title |
---|
GUANFENG LIU ; YAN WANG ; MEHMET A. ORGUN: "Finding K Optimal Social Trust Paths for the Selection of Trustworthy Service Providers in Complex Social Networks", WEB SERVICES (ICWS), 2011 IEEE INTERNATIONAL CONFERENCE ON, IEEE, 4 July 2011 (2011-07-04), pages 41 - 48, XP031965122, ISBN: 978-1-4577-0842-8, DOI: 10.1109/ICWS.2011.81 * |
Also Published As
Publication number | Publication date |
---|---|
CN117294769A (en) | 2023-12-26 |
Similar Documents
Publication | Title |
---|---|
US11716669B2 (en) | Internet of things service routing method |
US11277306B2 (en) | Sending information of a network repository function instance storing network function instance information |
WO2021037175A1 (en) | Network slice management method and related device |
US9769743B2 (en) | Method and apparatus for determining access point service capabilities |
CN112073919B (en) | Communication method and device for multicast broadcast service, electronic equipment and storage medium |
US11252196B2 (en) | Method for managing data traffic within a network |
US8914867B2 (en) | Method and apparatus for redirecting data traffic |
CN108990062B (en) | Intelligent security Wi-Fi management method and system |
US11316934B2 (en) | Method for providing a service to a user equipment connected to a first operator network via a second operator network |
WO2010003354A1 (en) | An authentication server and a control method for the mobile communication terminal accessing the virtual private network |
CN111371664B (en) | Virtual private network access method and equipment |
WO2017054181A1 (en) | Processing method, apparatus and system for service flow processing policy |
WO2023010880A1 (en) | Data transmission method and related device |
CN113541989A (en) | Network slice detection method, device and storage medium |
WO2022247812A1 (en) | Authentication method, communication device, and system |
CN112202917A (en) | Method and equipment for terminating multi-access edge computing service |
Boubakri et al. | Access control in 5G communication networks using simple PKI certificates |
WO2021233286A1 (en) | Data processing method and apparatus, network device, and terminal |
CN112243224B (en) | Edge computing network implementation method and device |
WO2023246535A1 (en) | Data transmission method and apparatus and system |
KR20230062254A (en) | Method and apparatus for UE Route Selection Policy compliance verification |
CN115396895A (en) | Service authorization method and device |
US10574526B2 (en) | Control method for application feature rules and application feature server |
WO2023216082A1 (en) | Subscription processing method and apparatus, and medium and chip |
US20230007576A1 (en) | Access network intelligent controller for multiple types of access networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 23826184; Country of ref document: EP; Kind code of ref document: A1 |