WO2020220937A1 - Method and device for security policy management - Google Patents
Method and device for security policy management
- Publication number
- WO2020220937A1 (PCT/CN2020/083361; CN2020083361W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- container
- container service
- vnf
- group identifier
- service
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
Definitions
- This application relates to the field of communication technology, and in particular to a security policy management method and device.
- Network function virtualization (NFV) is a technology that builds a communication network system from general-purpose hardware and network virtualization. It carries the software processing functions of the communication network, enabling virtualized and flexible deployment and flexible scaling of the communication network, and reduces the cost of the expensive dedicated equipment of a communication network system.
- In the NFV network architecture, the NFV security controller (NFV SC) is responsible for the generation, management and distribution of security policies.
- VNF: virtualized network function
- VNFM: VNF manager
- The NFV SC formulates a matching security policy based on the deployment of the VNF.
- When a VNF update or container service update occurs, the VNFM has to report the deployment status of the VNF to the NFV SC, so that the NFV SC perceives the container service update in real time and decides on and issues a security policy.
- Container service updates are routine.
- Container services may be frequently updated and republished, and dynamically scaled according to load. Container service instances may also be affected by resource scheduling and migrate from one server to another. If every VNF update or container service update reports the deployment status of the VNF, the NFV SC repeatedly decides on and issues security policies, which increases the management burden on the NFV SC and affects the efficiency of network deployment.
- The embodiments of the present application provide a security policy management method and device, which are used to reduce the management burden on the NFV SC and improve the efficiency of network deployment.
- In a first aspect, an embodiment of the present application provides a security policy management method that can be applied to a VNFM. The VNFM receives a container service update message sent by a container manager. The message includes a first group identifier, which is the group identifier of the updated first container service and is determined according to the type of the VNF and the security capability of the first container service. The container manager sends the message after determining that the VNF needs a container service update.
- If the first group identifier set includes the first group identifier, the VNFM determines that the security policy applied by the VNF does not need to be changed and sends first indication information to the container manager.
- The first indication information instructs the container manager to update the container service. The first group identifier set is the set of group identifiers of the at least one container service called by the VNF before the container service update.
- Because the VNFM determines that the security policy applied by the VNF does not need to be changed, the VNFM can decide on the container service update itself and instruct the container manager to update the container service, without reporting the deployment status of the VNF after the update. This reduces the management burden on the NFV SC and improves network deployment efficiency.
- If the first group identifier set does not include the first group identifier, the VNFM determines that the security policy applied by the VNF needs to be changed and sends a security policy request message to the NFV SC.
- The security policy request message includes the first group identifier.
- The VNFM then receives the first security policy that the NFV SC sends according to the first group identifier; the first security policy is the security policy applied by the VNF after the container service update.
- Thus, when the VNFM determines that the security policy applied by the VNF needs to be changed, it sends a security policy request message to the NFV SC to request a new security policy, which ensures the security of the VNF.
- After receiving the first security policy, the VNFM may also send second indication information to the container manager, instructing the container manager to update the container service.
- When the VNFM has to request a new security policy from the NFV SC, it instructs the container manager to update the container service only after the first security policy has been received, which completes the network deployment.
- Before the VNFM receives the container service update message from the container manager, the VNFM may instantiate the VNF. If instantiating the VNF requires calling a container service, the VNFM sends a service invocation request message to the container manager; the message includes the identifier of the VNF and the identifier of at least one container service the VNF requests to invoke.
- The VNFM can thereby determine, when instantiating the VNF, that a container service provided by the container manager needs to be invoked, and send the service invocation request message to the container manager to complete network deployment.
- The container manager can also use the service invocation information in that message to determine, in subsequent steps, the group identifier of each container service the VNF can call. The VNFM can then use the group identifier of an updated container service to decide whether the security policy applied by the VNF needs to change, avoiding a request to the NFV SC for every container service update and improving the efficiency of network deployment.
- In a second aspect, the embodiments of the present application provide another security policy management method that can be applied to a container manager. If the container manager determines that the VNF needs a container service update, it sends a container service update message to the VNFM. The message includes a first group identifier, which is the group identifier of the updated first container service and is determined according to the type of the VNF and the security capability of the first container service.
- The container manager then receives the first indication information sent by the VNFM and updates the container service of the VNF.
- The first indication information is sent by the VNFM after it determines that the first group identifier set includes the first group identifier; the first group identifier set is the set of group identifiers of the at least one container service called by the VNF before the container service update.
- When the container manager determines that the VNF needs a container service update, it carries the group identifier of the updated first container service in the container service update message sent to the VNFM. When the first group identifier set includes the first group identifier, the VNFM can then decide directly to update the container service without requesting a security policy from the NFV SC, which reduces the management burden on the NFV SC and improves the efficiency of network deployment.
- The container manager may instead receive second indication information sent by the VNFM and update the container service of the VNF accordingly.
- The second indication information is sent after the VNFM receives the first security policy from the NFV SC.
- The first security policy is the security policy applied by the VNF after the container service update.
- The VNFM thus sends the second container service update indication to the container manager only after receiving the new security policy, which ensures the security of the VNF and completes the network deployment.
- The container manager can send the identifier and security capability of each container service in the container service set corresponding to the VNF to the NFV SC.
- The container service set is the set of container services that can be invoked by the VNF.
- The container service set includes the at least one container service invoked by the VNF before the container service update and the first container service. The container manager then receives from the NFV SC the group identifier of each container service in the container service set; the NFV SC determines each group identifier according to the type of the VNF and the security capability of the container service.
- In this way the container manager negotiates security capabilities with the NFV SC and obtains, based on the type of the VNF and the security capability of each container service the VNF can call, the group identifier of each such container service. The VNFM can then manage the security policy applied by the VNF according to the group identifier of an updated container service, avoiding a request to the NFV SC for every container service update, which reduces the management burden on the NFV SC and improves the efficiency of network deployment.
- Before the container manager sends the identifier and security capability of each container service in the container service set to the NFV SC, the container manager may receive the service invocation request message sent by the VNFM. The message includes the identifier of the VNF and the identifier of at least one container service invoked by the VNF, and is sent after the VNFM determines that the VNF being instantiated needs to invoke a container service.
- From the received service invocation request message the container manager can determine which VNF needs to invoke container services and the at least one container service that the VNF currently requests to invoke.
- The container manager may also determine, according to the type of the VNF, at least one further container service that the VNF can invoke, so that the container manager and the NFV SC can negotiate security capabilities and determine the group identifier of each container service.
- In a third aspect, the embodiments of this application provide yet another security policy management method that can be applied to an NFV SC. The NFV SC receives from the container manager the identifier and security capability of each container service in the container service set corresponding to the VNF.
- The container service set is the set of container services that can be invoked by the VNF.
- The container service set includes the at least one container service invoked by the VNF before the container service update and the first container service. The NFV SC determines the group identifier of each container service according to the type of the VNF and the security capability of each container service in the set, and sends the group identifier of each container service in the set to the container manager.
- In this way the NFV SC negotiates security capabilities with the container manager and determines, based on the type of the VNF and the security capability of each container service the VNF can call, the group identifier of each such container service. The VNFM can then manage the security policy applied by the VNF according to the group identifier of an updated container service, avoiding a request from the VNFM to the NFV SC for every container service update, which reduces the management burden on the NFV SC.
- The NFV SC may receive a security policy request message sent by the VNFM.
- The security policy request message includes the first group identifier, which is the group identifier of the updated first container service.
- The security policy request message is sent after the VNFM determines that the first group identifier set does not include the first group identifier.
- The first group identifier set is the set of group identifiers of the at least one container service called by the VNF before the container service update. The NFV SC then determines, according to the first group identifier, the first security policy applied by the VNF after the container service update, and sends the first security policy to the VNFM.
- The VNFM sends a security policy request message to the NFV SC only when the first group identifier set does not include the first group identifier, and only then does the NFV SC decide on a new security policy. This ensures the security of the VNF while improving the efficiency of network deployment.
- An embodiment of the present application provides a security policy management device.
- The device may have the function of implementing the VNFM in the first aspect or any possible design of the first aspect, the function of implementing the container manager in the second aspect or any possible design of the second aspect, or the function of implementing the NFV SC in the third aspect or any possible design of the third aspect.
- The above functions may be realized by hardware, or by hardware executing corresponding software.
- The hardware or software includes one or more modules corresponding to the above functions.
- In one design, the structure of the device includes a processing module and a transceiver module. The processing module supports the device in performing the corresponding function in the first aspect or any design of the first aspect, the second aspect or any design of the second aspect, or the third aspect or any design of the third aspect.
- The transceiver module supports communication between the device and other communication equipment. For example, when the device is a VNFM, the transceiver module can communicate with the container manager and receive the container service update message sent by the container manager, and can communicate with the NFV SC network element and receive the security policy sent by the NFV SC.
- The device may also include a storage module, coupled with the processing module, which stores the program instructions and data the device needs.
- The processing module may be a processor,
- the transceiver module may be a transceiver,
- and the storage module may be a memory.
- The memory may be integrated with the processor or provided separately from the processor, which is not limited in this application.
- In another design, the structure of the device includes a processor and a memory. The processor is coupled to the memory and can execute the computer program instructions stored in the memory, so that the device performs the method of the first, second or third aspect or any possible design of those aspects.
- The communication device further includes a communication interface, and the processor is coupled with the communication interface.
- The communication interface can be a transceiver, an input/output interface, or an input/output interface of a chip.
- An embodiment of the present application further provides a chip system, including a processor coupled with a memory. The memory stores a program or instructions which, when executed by the processor,
- cause the chip system to perform the method in any possible design of the first aspect, the second aspect or the third aspect.
- There may be one or more processors in the chip system.
- The processor can be implemented by hardware or software.
- As hardware, the processor may be a logic circuit, an integrated circuit, or the like.
- As software, the processor may be a general-purpose processor that reads and executes software code stored in the memory.
- The memory may be integrated with the processor or provided separately from the processor, which is not limited in this application.
- The memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or placed on a different chip.
- The arrangement of the processor and memory is not specifically limited.
- The chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
- An embodiment of the present application provides a computer-readable storage medium that stores computer-readable instructions.
- When a computer reads and executes the computer-readable instructions, the computer performs the method in any possible design of the first aspect, the second aspect or the third aspect.
- The embodiments of the present application provide a computer program product.
- When a computer reads and executes the computer program product, the computer performs the method in any possible design of the first aspect, the second aspect or the third aspect.
- Embodiments of the present application provide a security policy management system, which includes the VNFM, container manager and NFV SC described in the foregoing method embodiments.
- FIG. 1 is a schematic diagram of a network architecture of an NFV system to which an embodiment of this application applies;
- FIG. 2 is a schematic flowchart of a security policy management method provided by an embodiment of the application
- FIG. 3 is a schematic diagram of another process of a security policy management method provided by an embodiment of the application.
- FIG. 4 is a schematic diagram of another flow of a security policy management method provided by an embodiment of the application.
- FIG. 5 is a schematic structural diagram of a security policy management device provided by an embodiment of the application.
- FIG. 6 is a schematic diagram of another structure of a security policy management apparatus provided by an embodiment of the application.
- FIG. 1 is a schematic diagram of the network architecture of an NFV system to which an embodiment of this application is applicable.
- The NFV system includes: operation support system/business support system (OSS/BSS), element management system (EMS), virtualized network function (VNF), container services, network function virtualization infrastructure (NFVI), network function virtualization orchestrator (NFVO), virtualized network function manager (VNFM), container manager, virtualized infrastructure manager (VIM) and network function virtualization security controller (NFV SC).
- NFVO, VNFM and VIM are components of NFV management and orchestration (NFV MANO).
- OSS/BSS serves telecom service operators, providing comprehensive network management and business operation functions, including network management (such as fault monitoring and network information collection), billing management and customer service management.
- EMS can be used to manage one or more VNFs and implements the fault management, configuration management, accounting management, performance management and security management (FCAPS) functions for the VNF.
- FCAPS: fault management, configuration management, accounting management, performance management, security management
- A VNF corresponds to a physical network function (PNF) in a traditional non-virtualized network, such as a virtualized evolved packet core (EPC) node.
- The virtualized EPC nodes include the mobility management entity (MME), serving gateway (SGW), packet data network gateway (PGW), etc.
- VNFI: virtualized network function instance
- NFVI may include a hardware resource layer composed of computing hardware, storage hardware and network hardware, a virtualization layer, and a virtual resource layer composed of virtual computing (such as virtual machines), virtual storage and virtual networks.
- The virtualization layer in NFVI abstracts the hardware resources of the hardware resource layer, decouples the VNF from the physical layer to which the hardware resources belong, and provides virtual resources to the VNF.
- The virtual resource layer can include virtual computing, virtual storage and virtual networking. Virtual computing and virtual storage can be provided to the VNF in the form of virtual machines (VMs) or other virtual containers; for example, one or more virtual machines form a VNF.
- The virtualization layer forms a virtual network by abstracting the network hardware.
- The virtual network implements communication between multiple virtual machines, or between multiple other types of virtual containers, carrying VNFs.
- A virtual network can be created with technologies such as virtual LAN (VLAN), virtual private LAN service (VPLS), virtual extensible LAN (VXLAN) or network virtualization using generic routing encapsulation (NVGRE).
- A container service, also known as a container service instance, provides high-performance and scalable container application management services for each NFVI; these services can be packaged into portable containers (for example, Docker containers).
- NFVO manages the life cycle of VNFs, orchestrates and manages resources to realize NFV services according to the service requests of the OSS/BSS, and monitors VNF and NFVI resources and operating status information in real time.
- VNFM manages one or more VNFs and performs management functions such as initialization, update, query and termination of VNF instances and scaling out/in of VNFs. It receives the elastic scaling strategy issued by the NFVO to realize elastic scaling of the VNF.
- VIM is mainly responsible for the management, monitoring and fault reporting of infrastructure-layer hardware resources and virtualized resources, and provides virtualized resource pools for upper-layer applications; for example, it can control and manage the VNFI corresponding to a VNF.
- The container manager manages the container service instances in the NFV system and updates container services.
- NFV SC is responsible for the generation, management and issuance of security policies, and has three new interfaces with MANO, responsible respectively for the security management of the network service (NS) layer, the VNF layer and the infrastructure layer.
- NS: network service
- FIG. 2 is a schematic flowchart of a security policy management method provided by an embodiment of this application.
- the method includes the following steps S201 to S204:
- Step S201 If the container manager determines that it is necessary to update the container service of the VNF, it sends a container service update message to the VNFM.
- the container service update message includes a first group identifier, and the first group identifier is the updated group of the first container service. logo.
- the VNF may refer to a VNF instance, and the VNF instance may be obtained by instantiating the VNF by the VNFM.
- Step S202 The VNFM receives the container service update message sent by the container manager.
- Step S203 If the first group identifier is included in the first group identifier set, the VNFM determines that there is no need to change the security policy applied by the VNF, and may send first indication information to the container manager.
- the first indication information is used to instruct the container manager to perform The container service is updated, and the first group identifier set is a set composed of the group identifiers of at least one container service called by the VNF before the container service is updated.
- each container service has a corresponding group identifier
- the group identifier of a container service is determined according to the VNF that invokes the container service and the security capability of the container service.
- the group identifiers of different container services can be the same or different.
- the VNFM determines that the security policy applied by the VNF does not need to be changed means that after the container service is updated, the security capabilities required by the VNF may not change.
- the second security policy issued before the NFV SC can still continue to apply, and the VNFM does not need to place the VNF in
- the updated deployment status of the container service (for example, which container services are invoked by the VNF) is reported to the NFV SC, and the NFV SC is requested to make new security policy decisions.
- VNFM can directly make decisions and instruct the container manager to update container services, thereby reducing the management complexity of NFV SC and improving network deployment efficiency.
- the set formed by the group identifiers of at least one container service called by the VNF is the first group identifier set
- the set formed by the group identifiers of at least one container service called by the VNF is The second group identification set. If the first group identification set is the same as the second group identification set, it can be considered that the security capabilities required by the VNF before and after the container service update have not changed. The second security policy issued before the NFV SC can still be applied, and the VNFM does not need to report the container service update After the deployment of VNF, you can directly decide to update the container service.
- Step S204 The container manager receives the first instruction information sent by the VNFM, and updates the container service of the VNF.
- the container service update performed by the container manager may include the addition of container service, the replacement of container service, the location change of container service, the expansion/reduction of container service, and other possible types. This application is here. No specific restrictions.
- the container manager may determine that the VNF needs to be updated for the container service according to the received first instruction information, and then send a container service update message to the VNFM.
- the service update message includes the first group identifier.
- step S303 to step S304 if the first group identifier is not included in the first group identifier set, the VNFM determines that the security policy applied in the VNF needs to be changed, so it can send a security policy request message to the NFV SC.
- the security policy The request message includes the foregoing first group identifier.
- the security policy request message may include the identity of the VNF, the identity of at least one container service called by the VNF after the container service is updated, the first group identity, or each VNF called after the container service is updated.
- the group identifier of a container service may be the identity of the VNF, the identity of at least one container service called by the VNF after the container service is updated.
- In step S305 and step S306, after the NFV SC receives the security policy request message, it can determine, according to the first group identifier, the first security policy applied by the VNF after the container service update, and send the first security policy to the VNFM.
- the NFV SC may send a security policy response message to the VNFM; the security policy response message may include the identifier of the VNF, the identifier of the at least one container service called by the VNF after the container service update, the group identifier of each container service called by the VNF after the container service update, and the first security policy applied by the VNF after the container service update.
- If the first group identifier set is different from the second group identifier set, it is considered that, after the container service update, the second security policy issued by the NFV SC no longer applies.
- the VNFM then needs to send the post-deployment container service update situation of the VNF to the NFV SC, requesting the NFV SC to issue a new security policy.
- the definitions of the first group identifier set and the second group identifier set are as described above and are not repeated here.
- the VNF invokes the three container services A, B, and C provided by the container manager. At a certain moment, the container manager determines that it needs to update the container service of the VNF; after the container service update, this VNF newly invokes container service D.
- If the group identifier of container service D is the same as the group identifier of any of container services A, B, and C, it can be considered that the security policy applied by the VNF does not need to change; if the group identifier of container service D differs from the group identifiers of container services A, B, and C, it can be considered that the security policy applied by the VNF needs to be changed, and the VNFM needs to apply to the NFV SC for a new security policy. It can also be understood that the group identifiers of container services A, B, and C constitute the first group identifier set, and the group identifiers of container services A, B, C, and D constitute the second group identifier set; comparing the first group identifier set with the second group identifier set to determine whether the security policy applied by the VNF needs to be changed follows a similar principle.
- the VNFM may send second indication information to the container manager, and the container manager updates the container service under the instruction of the second indication information.
- the second indication information may include the first security policy reissued by the NFV SC; alternatively, the NFV SC may send the first security policy to the container manager at the same time as it sends it to the VNFM, which is not limited.
- the VNFM may also instantiate the VNF according to the method shown in FIG. 4. As shown in FIG. 4, in step S401, the VNFM instantiates the VNF. If instantiating the VNF requires invoking a container service, in step S402 the VNFM can send a service invocation request message to the container manager.
- the service invocation request message includes the identifier of the VNF and the identifier of at least one container service that the VNF requests to invoke.
- the VNFM may also send a security policy request message to the NFV SC.
- the security policy request message includes the identifier of the VNF and the identifier of the at least one container service that the VNF requests to invoke. It should be understood that the VNFM may or may not send the service invocation request message and the security policy request message at the same time, which is not limited in this application.
- the container manager may negotiate security capabilities with the NFV SC to determine the group label of each container service that can be invoked by the VNF. Specifically, in step S404, the container manager sends the security capability of each container service in the container service set corresponding to the VNF to the NFV SC.
- the set of container services corresponding to the VNF refers to the set of container services that the VNF can call.
- the set of container services includes at least one container service. For example, it may include the at least one container service requested by the VNF in the service invocation request message, may also include the first container service updated in the container service update message, and may also include other container services. The security capability of each container service may reflect the security features provided by that container service.
- the container manager sends the security capability of each container service in the container service set corresponding to the VNF to the NFV SC.
- the container manager sends a security capability negotiation message to the NFV SC; the security capability negotiation message includes the identifier of the VNF, the identifier of at least one container service that can be invoked by the VNF, and the security capability corresponding to each container service that can be invoked by the VNF.
- the NFV SC can group the at least one container service that the VNF can call according to the type of the VNF and the security capability of each container service included in the container service set, and determine the group identifier of each container service; the determined group identifier of each container service is sent to the container manager in step S406.
- the NFV SC can label and group a large number of container services that the VNF can invoke at one time, and determine the group identifier of each container service.
- the security policy applied in the VNF can then be effectively managed according to the group identifier of the updated container service, which also improves the efficiency of network deployment.
- the NFV SC sends the determined group identification of each container service to the container manager.
- the NFV SC sends a security capability response message to the container manager, and the security capability response message includes the VNF
- a group may include one or more container services, which is not limited in this application.
- the group identifier of a container service can be understood as the identifier of the group in which the container service is located, which is different from the identifier of the container service itself.
- container services with the same security capabilities can be grouped into one group with the same group identifier; in other words, any two container services with the same group identifier have the same security attributes.
- the NFV SC may also determine the security policy matched by the VNF according to the type of the VNF, the at least one container service that the VNF requests to call, and the security capability or group identifier of each container service that the VNF requests to call, and in step S408 send the determined security policy to the VNFM. To distinguish it from the first security policy reissued after the VNF updates the container service, the security policy issued by the NFV SC in step S408 is denoted the second security policy. While sending the second security policy to the VNFM, the NFV SC can also send the group identifier of each container service that the VNF can call to the VNFM.
- the VNFM can perform network deployment on the VNF to obtain an instantiated VNF instance.
- the NFV SC may send a security policy response message to the VNFM.
- the security policy response message includes the identifier of the VNF, the identifier of the at least one container service called by the VNF, the group identifier of each container service called by the VNF, and the second security policy applied after the VNF is instantiated.
- the type of VNF refers to which network function the VNF performs as a virtual network element, and the type of VNF may reflect the security features required by the VNF or the security level of the VNF.
- the type of VNF can be user plane function (UPF) or session management function (SMF).
- the security level of the UPF and the SMF can be the same, because both are mainly used for data forwarding and require similar security features, such as secure boot.
- the type of VNF can also be unified data management (UDM). The UDM is mainly used to store the user's subscription data, has a high security level, and requires security features such as hardware encryption.
- the type of VNF can also be access and mobility management function (AMF).
- AMF is mainly used for user mobility management and requires security features such as high reliability.
- the security policy decided by the NFV SC may therefore also differ for different types of VNF.
- the security policy applied in the VNF corresponds to the security features required by the VNF.
- the security policy may include whether the VNF requires hardware encryption, whether it requires secure boot, and so on.
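The group identifier check made by the VNFM (steps S202 to S204 and S303 to S306, including the A, B, C, D illustration above) and the capability negotiation and policy decision made by the NFV SC (steps S404 to S408 together with the VNF-type discussion) can be shown together in working code. The following Python model is an added example, not code from the patent or from any NFV product: the class names, the capability strings, the `grp-N` identifier format, the `REQUIRED_FEATURES` table and the `satisfied` check are all assumptions made for illustration.

```python
# Added example, not code from the patent: a small model of the three parties
# (container manager, NFV SC, VNFM). Class names, capability strings, the
# group-id format and the VNF-type rule table are all assumptions.
from typing import Dict, FrozenSet, List, Set

SECURE_BOOT, HW_ENCRYPTION, HIGH_RELIABILITY = "secure_boot", "hw_encryption", "high_reliability"

# Assumed rule: VNF type -> security features the VNF requires, following the
# illustrations above (UPF/SMF secure boot, UDM hardware encryption, AMF high reliability).
REQUIRED_FEATURES: Dict[str, FrozenSet[str]] = {
    "UPF": frozenset({SECURE_BOOT}), "SMF": frozenset({SECURE_BOOT}),
    "UDM": frozenset({HW_ENCRYPTION}), "AMF": frozenset({HIGH_RELIABILITY}),
}


class NfvSc:
    # NFV SC: one group identifier per distinct security capability set, and
    # the security policy decision for a VNF.
    def __init__(self) -> None:
        self._groups: Dict[FrozenSet[str], str] = {}

    def group_ids(self, caps: Dict[str, FrozenSet[str]]) -> Dict[str, str]:
        # Security capability negotiation: identical capabilities -> same group.
        out = {}
        for svc, cap in caps.items():
            if cap not in self._groups:
                self._groups[cap] = f"grp-{len(self._groups) + 1}"
            out[svc] = self._groups[cap]
        return out

    def decide_policy(self, vnf_type: str, caps: Dict[str, FrozenSet[str]]) -> Dict[str, bool]:
        # Policy from the VNF type plus the capabilities of the called services.
        # "satisfied" is an added defender's check: False when the called services
        # cannot provide a feature the VNF type requires.
        required = REQUIRED_FEATURES[vnf_type]
        provided: Set[str] = set().union(*caps.values()) if caps else set()
        return {"require_hw_encryption": HW_ENCRYPTION in required,
                "require_secure_boot": SECURE_BOOT in required,
                "satisfied": required <= provided}


class ContainerManager:
    # Holds the container services a VNF may call and their capabilities.
    def __init__(self, services: Dict[str, FrozenSet[str]]) -> None:
        self.services = services
        self.group_ids: Dict[str, str] = {}      # filled by negotiate()

    def negotiate(self, sc: NfvSc) -> None:
        self.group_ids = sc.group_ids(self.services)

    def caps(self, ids: List[str]) -> Dict[str, FrozenSet[str]]:
        return {s: self.services[s] for s in ids}


class Vnfm:
    # VNFM: keeps the group identifiers of the services the VNF calls (the first
    # group identifier set) and the policy the NFV SC issued for them.
    def __init__(self, sc: NfvSc, cm: ContainerManager, vnf_type: str) -> None:
        self.sc, self.cm, self.vnf_type = sc, cm, vnf_type
        self.called: List[str] = []
        self.policy: Dict[str, bool] = {}
        self.policy_requests = 0                 # how often the NFV SC was asked

    def instantiate(self, requested: List[str]) -> Dict[str, bool]:
        # Instantiation: negotiate groups, then receive the second security policy.
        self.cm.negotiate(self.sc)
        self.called = list(requested)
        self.policy = self.sc.decide_policy(self.vnf_type, self.cm.caps(self.called))
        self.policy_requests += 1
        return self.policy

    def first_group_set(self) -> Set[str]:
        return {self.cm.group_ids[s] for s in self.called}

    def on_container_service_update(self, new_service: str) -> str:
        # The update message carries the first group identifier. If it is already
        # in the first group identifier set the issued policy still applies and the
        # container manager may proceed; otherwise a new policy is requested.
        in_set = self.cm.group_ids[new_service] in self.first_group_set()
        self.called.append(new_service)
        if in_set:
            return "first_indication"
        self.policy = self.sc.decide_policy(self.vnf_type, self.cm.caps(self.called))
        self.policy_requests += 1
        return "second_indication"


def demo() -> Dict[str, object]:
    # Constructed scenario: the VNF calls A, B and C; D shares A's capability set,
    # E introduces a capability set (and so a group) not seen before.
    cm = ContainerManager({"A": frozenset({SECURE_BOOT}),
                           "B": frozenset({SECURE_BOOT, HW_ENCRYPTION}),
                           "C": frozenset({SECURE_BOOT}),
                           "D": frozenset({SECURE_BOOT}),
                           "E": frozenset({HIGH_RELIABILITY})})
    vnfm = Vnfm(NfvSc(), cm, "UPF")
    vnfm.instantiate(["A", "B", "C"])
    return {"first_set": vnfm.first_group_set(),
            "add_D": vnfm.on_container_service_update("D"),
            "add_E": vnfm.on_container_service_update("E"),
            "policy_requests": vnfm.policy_requests,
            "satisfied": vnfm.policy["satisfied"]}
```

Running `demo()` shows the point of the scheme: adding D, whose group identifier is already in the first group identifier set, yields the first indication without involving the NFV SC, while adding E, whose capability set was grouped separately, triggers a second security policy request. The check is only as trustworthy as the group identifiers themselves, which in this scheme are assigned by the NFV SC during negotiation rather than chosen by the container service.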
- FIG. 5 is a schematic structural diagram of a security policy management device provided by an embodiment of the present application.
- the device includes a transceiver module 510 and a processing module 520.
- the device can be used as a VNFM to implement the functions related to the VNFM in any of the above method embodiments, and the device can also be used as a container manager to implement the functions related to the container manager in any of the above method embodiments.
- It can also be used as an NFV SC to implement the functions of the NFV SC in any of the foregoing method embodiments.
- As a VNFM, the transceiver module 510 is configured to receive the container service update message sent by the container manager, and the processing module 520 is configured to determine, when the first group identifier set includes the first group identifier, that the security policy applied by the VNF does not need to be changed, and to send the first indication information to the container manager through the transceiver module 510.
- As a container manager, the transceiver module 510 is configured to send a container service update message to the VNFM when it is determined that the container service of the VNF needs to be updated.
- the processing module 520 is configured to determine whether the container service of the VNF needs to be updated, and to perform the container service update of the VNF.
- As an NFV SC, the transceiver module 510 is configured to receive the identifier and security capability of each container service in the container service set corresponding to the VNF, sent by the container manager, and to send the group identifier of each container service in the container service set to the container manager; the processing module 520 is configured to determine the group identifier of each container service according to the type of the VNF and the security capability of each container service in the container service set.
- the processing module 520 in the apparatus provided in the embodiments of the present application may be implemented by a processor or processor-related circuit components, and the transceiver module 510 may be implemented by a transceiver or transceiver-related circuit components.
- the security policy management apparatus 500 provided in the embodiment of the application may correspond to the execution of the VNFM in the security policy management methods S201 to S204 provided in the embodiment of the application, or the security policy management provided in the embodiment of the application.
- FIG. 6 is a schematic diagram of another structure of the security policy management apparatus provided in an embodiment of the application.
- the device 600 includes a processor 610, a memory 620, and a communication interface 630.
- the apparatus 600 further includes an input device 640, an output device 650, and a bus 660.
- the processor 610, the memory 620, the communication interface 630, the input device 640, and the output device 650 are connected to each other through a bus 660.
- the memory 620 stores instructions or programs, and the processor 610 is configured to execute the instructions or programs stored in the memory 620.
- the processor 610 is used to perform the operations performed by the processing module 520 in the foregoing method embodiment, and the communication interface 630 is used to perform the operations performed by the transceiver module 510 in the foregoing embodiment.
- the apparatus 600 provided in the embodiment of the present application can correspond to the VNFM, the container manager, or the NFV SC that executes the security policy management method S201 to S204 provided in the embodiment of the present invention, and the operations and/or functions of each module in the apparatus 600 are used to implement the corresponding procedures of the methods shown in FIG. 2, FIG. 3, or FIG. 4, respectively. For the sake of brevity, details are not repeated here.
- An embodiment of the present application also provides a chip system, including a processor coupled with a memory; the memory is used to store a program or instructions, and when the program or instructions are executed by the processor, the chip system implements the method in any of the foregoing method embodiments.
- there may be one or more processors in the chip system.
- the processor can be implemented by hardware or software.
- the processor may be a logic circuit, an integrated circuit, or the like.
- the processor may be a general-purpose processor, which is implemented by reading software codes stored in the memory.
- the memory may be integrated with the processor, or may be provided separately from the processor, which is not limited in this application.
- the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or may be set on different chips.
- the setting method of the processor is not specifically limited.
- the chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), or a system on chip (SoC); it may also be a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or other integrated chip.
- each step in the foregoing method embodiments may be completed by an integrated logic circuit of hardware in a processor or instructions in the form of software.
- the method steps disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
- the embodiment of the present application also provides a computer-readable storage medium, which stores computer-readable instructions; when a computer reads and executes the computer-readable instructions, the computer is caused to execute the method in any of the foregoing method embodiments.
- the embodiment of the present application provides a computer program product.
- when a computer reads and executes the computer program product, the computer is caused to execute the method in any of the foregoing method embodiments.
- the embodiment of the present application provides a security policy management system, which includes the VNFM, the container manager, and the NFV SC described in the foregoing method embodiments.
- the processor mentioned in the embodiments of this application may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
- the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
- the memory mentioned in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
- the non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory.
- the volatile memory may be random access memory (RAM), which is used as an external cache. Many forms of RAM are available, for example:
- static random access memory (SRAM)
- dynamic random access memory (DRAM)
- synchronous dynamic random access memory (SDRAM)
- double data rate synchronous dynamic random access memory (DDR SDRAM)
- enhanced synchronous dynamic random access memory (ESDRAM)
- synchlink dynamic random access memory (SLDRAM)
- direct rambus random access memory (DR RAM)
- the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component
- the memory storage module
- the size of the sequence numbers of the above processes does not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
- the disclosed system, device, and method may be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not implemented.
- the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
- each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
- the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
- the technical solution of this application, or the part that contributes to the existing technology, or part of the technical solution, can essentially be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the method described in each embodiment of the present application.
- the aforementioned storage media include: USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk, and other media that can store program code.
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a security policy management method and device. The method comprises the following steps: a VNFM receives a container service update message sent by a container manager after it has been determined that a VNF needs a container service update, the container service update message comprising a first group identifier of a first updated container service; if a first group identifier set comprises the first group identifier, the VNFM determines that a security policy applied by the VNF does not need to be changed, and sends first indication information to the container manager so that it performs the container service update, the first group identifier set being the set made up of the group identifiers of at least one container service called by the VNF before the container service update. Consequently, when the first group identifier is included in the first group identifier set, the VNFM does not need to ask an NFV SC to issue a security policy for every container service update, which effectively reduces the management complexity of the NFV SC and improves network deployment efficiency.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910363266.5 | 2019-04-30 | ||
| CN201910363266.5A CN111857941B (zh) | 2019-04-30 | 2019-04-30 | Security policy management method and apparatus |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2020220937A1 true WO2020220937A1 (fr) | 2020-11-05 |
Family
ID=72966736
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2020/083361 Ceased WO2020220937A1 (fr) | 2019-04-30 | 2020-04-03 | Security policy management method and device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN111857941B (fr) |
| WO (1) | WO2020220937A1 (fr) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112860720A (zh) * | 2021-03-09 | 2021-05-28 | 中国电子系统技术有限公司 | Storage capacity update method and apparatus |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1777122A (zh) * | 2005-12-15 | 2006-05-24 | 杭州华为三康技术有限公司 | Method for issuing a security policy |
| CN106464540A (zh) * | 2014-06-26 | 2017-02-22 | 华为技术有限公司 | System and method for virtual network function policy management |
| US20180131723A1 (en) * | 2016-11-10 | 2018-05-10 | International Business Machines Corporation | Security Policy Inclusion with Container Deployment |
| CN108370368A (zh) * | 2016-09-20 | 2018-08-03 | 华为技术有限公司 | Security policy deployment method and apparatus |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7350077B2 (en) * | 2002-11-26 | 2008-03-25 | Cisco Technology, Inc. | 802.11 using a compressed reassociation exchange to facilitate fast handoff |
| CN103248521B (zh) * | 2013-04-28 | 2016-09-28 | 华为技术有限公司 | Service policy rule configuration method, apparatus, and communication system |
- 2019-04-30: CN CN201910363266.5A patent/CN111857941B/zh active Active
- 2020-04-03: WO PCT/CN2020/083361 patent/WO2020220937A1/fr not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| CN111857941B (zh) | 2021-09-03 |
| CN111857941A (zh) | 2020-10-30 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20798221; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 20798221; Country of ref document: EP; Kind code of ref document: A1 |