WO2022267994A1

WO2022267994A1 - Communication system and method, apparatus, first device, second device, and storage medium

Info

Publication number: WO2022267994A1
Application number: PCT/CN2022/099569
Authority: WO
Inventors: 唐小勇; 尚宇翔; 韩延涛; 游正朋; 朱磊; 柯罗
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Chengdu ICT Co Ltd
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Chengdu ICT Co Ltd
Priority date: 2021-06-24
Filing date: 2022-06-17
Publication date: 2022-12-29
Anticipated expiration: 2023-12-24
Also published as: CN115529144B; CN115529144A

Abstract

The present application discloses a communication system, a communication method, an apparatus, a first device, a second device, and a storage medium. The system comprises: a first device, a second device, and a third device. The first device is configured to receive first information from the second device and, on the basis of the first information and a security policy, provide a security management function for an application on an edge computing platform. The first information is used to configure an application on the edge computing platform. The second device is configured to send the first information to the first device on the basis of second information from the third device. The second information is used to orchestrate an application on the edge computing platform.

Description

Communication system, method, device, first device, second device and storage medium

相关申请的交叉引用Cross References to Related Applications

本申请基于申请号为202110703440.3、申请日为2021年06月24日的中国专利申请提出，并要求该中国专利申请的优先权，该中国专利申请的全部内容在此引入本申请作为参考。This application is based on a Chinese patent application with application number 202110703440.3 and a filing date of June 24, 2021, and claims the priority of this Chinese patent application. The entire content of this Chinese patent application is hereby incorporated by reference into this application.

technical field

本申请涉及通信领域，尤其涉及一种通信系统、方法、装置、第一设备、第二设备及存储介质。The present application relates to the communication field, and in particular to a communication system, method, device, first device, second device and storage medium.

Background technique

第五代移动通信技术(5G)作为新一代通信技术，具有大带宽、低时延、高可靠、高连接、泛在网等诸多优势，从而推动垂直行业的快速发展与更迭，比如智慧医疗、智慧教育、智慧农业等方向的崛起。As a new generation of communication technology, the fifth-generation mobile communication technology (5G) has many advantages such as large bandwidth, low latency, high reliability, high connection, ubiquitous network, etc., thereby promoting the rapid development and change of vertical industries, such as smart medical, The rise of smart education and smart agriculture.

移动边缘计算(MEC)技术作为5G演进的关键技术之一，是具备无线网络信息应用程序接口(API)交互能力，以及计算、存储、分析功能的信息技术(IT)通用平台；依托MEC技术，可将传统外部应用拉入移动内部，更贴近用户，提供本地化服务，从而提升用户体验，发挥边缘网络的更多价值。As one of the key technologies in the evolution of 5G, mobile edge computing (MEC) technology is a general information technology (IT) platform with wireless network information application programming interface (API) interaction capabilities, as well as computing, storage, and analysis functions; relying on MEC technology, It can pull traditional external applications into the mobile interior, get closer to users, and provide localized services, thereby improving user experience and giving full play to the value of edge networks.

将5G和MEC结合，可以面向不同的行业需求场景，引入不同的技术组合，比如服务质量(QoS)、端到端网络切片、网络能力开放、边缘云等，从而提供定制化的解决方案。The combination of 5G and MEC can introduce different technology combinations for different industry demand scenarios, such as quality of service (QoS), end-to-end network slicing, network capability exposure, edge cloud, etc., so as to provide customized solutions.

相关技术中，5G与MEC技术结合的方案存在安全风险。Among related technologies, the combination of 5G and MEC technology has security risks.

发明内容Contents of the invention

为解决相关技术问题，本申请实施例提供一种通信方法、装置、相关设备及存储介质。To solve related technical problems, embodiments of the present application provide a communication method, device, related equipment, and storage medium.

本申请实施例的技术方案是这样实现的：The technical scheme of the embodiment of the application is realized in this way:

本申请实施例提供了一种通信系统，包括：第一设备、第二设备、第三设备；其中，An embodiment of the present application provides a communication system, including: a first device, a second device, and a third device; wherein,

所述第一设备，配置为接收来自第二设备的第一信息，基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；The first device is configured to receive first information from the second device, and provide security management functions for applications on the edge computing platform based on the first information and security policies; the first information is used for the Configure applications on the edge computing platform;

所述第二设备，配置为基于来自第三设备的第二信息向第一设备发送所述第一信息；所述第二信息，用于编排边缘计算平台上的应用。The second device is configured to send the first information to the first device based on the second information from the third device; the second information is used to arrange applications on the edge computing platform.

优选地，所述安全策略，包括以下至少之一：Preferably, the security policy includes at least one of the following:

第一安全等级；所述第一安全等级表征拒绝针对所述边缘计算平台上的所有应用的配置；A first security level; the first security level indicates that configurations for all applications on the edge computing platform are rejected;

第二安全等级；所述第二安全等级表征允许针对所述边缘计算平台上的部分应用的配置；A second security level; the second security level characterizes the configuration for some applications on the edge computing platform;

第三安全等级；所述第一安全等级表征允许针对所述边缘计算平台上的所有应用的配置。The third security level; the first security level characterizes the configuration for all applications on the edge computing platform.

优选地，所述第一设备，还配置为向第二设备发送第三信息；所述第三信息，用于说明所述第一信息是否配置成功；Preferably, the first device is further configured to send third information to the second device; the third information is used to indicate whether the configuration of the first information is successful;

所述第二设备，还配置为基于所述第三信息向第三设备发送第四信息；所述第四信息，用于说明所述第二信息是否配置成功。The second device is further configured to send fourth information to a third device based on the third information; the fourth information is used to indicate whether the configuration of the second information is successful.

优选地，所述第一信息，包括以下至少之一的配置信息：Preferably, the first information includes configuration information of at least one of the following:

第一配置策略；所述第一配置策略针对不同应用的操作权限；A first configuration strategy; the first configuration strategy is aimed at operating permissions of different applications;

第二配置策略；所述第二配置策略针对不同应用的路由规则；A second configuration strategy; the second configuration strategy is directed at routing rules for different applications;

第三配置策略；所述第三配置策略针对不同应用的域名系统(DNS，Domain Name System)；The third configuration strategy; the third configuration strategy is aimed at the Domain Name System (DNS, Domain Name System) of different applications;

第四配置策略；所述第四配置策略针对不同应用的生命周期。A fourth configuration strategy; the fourth configuration strategy is aimed at the life cycles of different applications.

优选地，所述第二信息，包括以下至少之一：Preferably, the second information includes at least one of the following:

应用的管理信息；Application management information;

应用的生命周期管理信息；Application life cycle management information;

应用的生命周期变更信息。Application lifecycle change information.

优选地，所述第三设备，还配置为接收来自第一设备的第一接入认证信息，向所述第一设备发送第一认证响应信息；所述第一认证响应信息至少包括：第一设备的身份标识。Preferably, the third device is further configured to receive first access authentication information from the first device, and send first authentication response information to the first device; the first authentication response information includes at least: first The identity of the device.

优选地，所述第三设备，还配置为接收来自第二设备的第二接入认证信息，向所述第二设备发送第二认证响应信息；所述第二认证响应信息至少包括：第二设备的身份标识；Preferably, the third device is further configured to receive second access authentication information from the second device, and send second authentication response information to the second device; the second authentication response information includes at least: the second device identification;

所述第三设备，还配置为向所述第二设备发送所述第一设备的身份标识。The third device is further configured to send the identity of the first device to the second device.

优选地，所述第一设备的数量为一个或多个。Preferably, the number of the first device is one or more.

本申请实施例提供了一种通信方法，应用于第一设备，所述方法包括：An embodiment of the present application provides a communication method, which is applied to a first device, and the method includes:

接收来自第二设备的第一信息；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；receiving first information from a second device; the first information is used to configure applications on the edge computing platform;

基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能。A security management function is provided for applications on the edge computing platform based on the first information and the security policy.

第二安全等级；所述第二安全等级表征允许针对所述边缘计算平台上的部分应用的配置；The second security level; the second security level characterization allows configuration for some applications on the edge computing platform;

优选地，所述方法还包括：Preferably, the method also includes:

向第二设备发送第三信息；所述第三信息，用于说明所述第一信息是否配置成功。Sending third information to the second device; the third information is used to indicate whether the configuration of the first information is successful.

第三配置策略；所述第三配置策略针对不同应用的域名系统DNS；A third configuration strategy; the third configuration strategy is aimed at Domain Name System DNS for different applications;

优选地，所述方法还包括：Preferably, the method also includes:

向第三设备发送第一接入认证信息；sending the first access authentication information to the third device;

接收来自所述第三设备的第一认证响应信息；所述第一认证响应信息至少包括：第一设备的身份标识。Receive first authentication response information from the third device; the first authentication response information at least includes: an identity of the first device.

本申请实施例提供了一种通信方法，应用于第二设备，所述方法包括：An embodiment of the present application provides a communication method, which is applied to a second device, and the method includes:

接收来自第三设备的第二信息；所述第二信息，用于编排边缘计算平台上的应用；receiving second information from a third device; the second information is used to arrange applications on the edge computing platform;

基于所述第二信息向第一设备发送第一信息；所述第一信息，用于指示第一设备基于所述第一设备和安全策略针对所述边缘计算平台上的应用进行配置。Sending first information to the first device based on the second information; the first information is used to instruct the first device to configure applications on the edge computing platform based on the first device and a security policy.

应用的管理信息；Application management information;

应用的生命周期变更信息。Application lifecycle change information.

优选地，所述方法还包括：Preferably, the method also includes:

接收来自第一设备的第三信息；所述第三信息，用于说明所述第一信息是否配置成功；receiving third information from the first device; the third information is used to indicate whether the configuration of the first information is successful;

基于所述第三信息向第三设备发送第四信息；所述第四信息，用于说明所述第二信息是否配置成功。Sending fourth information to the third device based on the third information; the fourth information is used to indicate whether the configuration of the second information is successful.

优选地，所述方法还包括：Preferably, the method also includes:

向第三设备发送第二接入认证信息；接收来自所述第三设备的第二认证响应信息；所述第二认证响应信息至少包括：第一设备的身份标识；Sending second access authentication information to a third device; receiving second authentication response information from the third device; the second authentication response information includes at least: the identity of the first device;

所述方法还包括：接收所述第一设备的身份标识。The method further includes: receiving an identity of the first device.

本申请实施例提供了一种通信装置，设置在第一设备上，包括：An embodiment of the present application provides a communication device, which is set on the first device, including:

第一通信单元，配置为接收来自第二设备的第一信息；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；The first communication unit is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;

第一处理单元，配置为基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能。The first processing unit is configured to provide security management functions for applications on the edge computing platform based on the first information and the security policy.

优选地，所述第一通信单元，还配置为向第二设备发送第三信息；所述第三信息，用于说明所述第一信息是否配置成功。Preferably, the first communication unit is further configured to send third information to the second device; the third information is used to indicate whether the configuration of the first information is successful.

优选地，所述第一通信单元，还配置为向第三设备发送第一接入认证信息；Preferably, the first communication unit is further configured to send the first access authentication information to the third device;

本申请实施例提供了一种第一设备，包括：第一处理器及第一通信接口；其中，An embodiment of the present application provides a first device, including: a first processor and a first communication interface; wherein,

所述第一通信接口，配置为接收来自第二设备的第一信息；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；The first communication interface is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;

所述第一处理器，配置为基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能。The first processor is configured to provide security management functions for applications on the edge computing platform based on the first information and security policies.

本申请实施例提供了一种通信装置，设置在第二设备上，包括：An embodiment of the present application provides a communication device, which is set on the second device, including:

第二通信单元，配置为接收来自第三设备的第二信息；所述第二信息，用于编排边缘计算平台上的应用；The second communication unit is configured to receive second information from the third device; the second information is used to arrange applications on the edge computing platform;

第二处理单元，配置为基于所述第二信息向第一设备发送第一信息；所述第一信息，用于指示第一设备基于所述第一设备和安全策略针对所述边缘计算平台上的应用进行配置。The second processing unit is configured to send first information to the first device based on the second information; the first information is used to instruct the first device to target the edge computing platform based on the first device and the security policy configuration for the application.

第三配置策略；所述第三配置策略针对不同应用的域名系统；A third configuration strategy; the third configuration strategy is aimed at domain name systems of different applications;

应用的管理信息；Application management information;

应用的生命周期变更信息。Application lifecycle change information.

优选地，所述第二通信单元，还配置为接收来自第一设备的第三信息；所述第三信息，用于说明所述第一信息是否配置成功；Preferably, the second communication unit is further configured to receive third information from the first device; the third information is used to explain whether the configuration of the first information is successful;

基于所述第三信息向第三设备发送第四信息；所述第四信息，用于说明所述第二信息是否配置成功。Sending fourth information to a third device based on the third information; the fourth information is used to describe whether the configuration of the second information is successful.

优选地，所述第二通信单元，还配置为向第三设备发送第二接入认证信息；接收来自所述第三设备的第二认证响应信息；所述第二认证响应信息至少包括：第一设备的身份标识；Preferably, the second communication unit is further configured to send second access authentication information to a third device; receive second authentication response information from the third device; the second authentication response information includes at least: a device identity;

以及，接收所述第一设备的身份标识。And, receiving the identity of the first device.

本申请实施例提供了一种第二设备，包括：第二处理器及第二通信接口；其中，An embodiment of the present application provides a second device, including: a second processor and a second communication interface; wherein,

所述第二通信接口，配置为接收来自第三设备的第二信息；所述第二信息，用于编排边缘计算平台上的应用；The second communication interface is configured to receive second information from a third device; the second information is used to arrange applications on the edge computing platform;

所述第二处理器，配置为基于所述第二信息向第一设备发送第一信息；所述第一信息，用于指示第一设备基于所述第一设备和安全策略针对所述边缘计算平台上的应用进行配置。The second processor is configured to send first information to the first device based on the second information; the first information is used to instruct the first device to target the edge computing based on the first device and a security policy Configure applications on the platform.

本申请实施例提供了一种网络设备，包括：处理器及和配置为存储能够在处理器上运行的计算机程序的存储器，An embodiment of the present application provides a network device, including: a processor and a memory configured to store a computer program that can run on the processor,

其中，所述处理器配置为运行所述计算机程序时，执行以上第一设备侧任一项所述方法的步骤；或者，Wherein, the processor is configured to execute the steps of any one of the methods described above on the first device side when running the computer program; or,

所述处理器配置为运行所述计算机程序时，执行以上第二设备侧任一项所述方法的步骤。The processor is configured to execute the steps of any one of the methods described above on the second device side when running the computer program.

本申请实施例提供了一种存储介质，其上存储有计算机程序，所述计算机程序被处理器执行时实现以上第一设备侧任一项所述方法的步骤；或者，An embodiment of the present application provides a storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of any one of the methods described above on the first device side are implemented; or,

所述计算机程序被处理器执行时实现以上第二设备侧任一项所述方法的步骤。When the computer program is executed by the processor, the steps of any one of the methods described above on the second device side are implemented.

本申请实施例提供的通信系统、方法、装置、第一设备、第二设备及存储介质，系统包括：第一设备、第二设备、第三设备；所述第一设备，配置为接收来自第二设备的第一信息，基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；所述第二设备，配置为基于来自第三设备的第二信息向第一设备发送所述第一信息；所述第二信息，用于编排边缘计算平台上的应用。本申请实施例的方案，第一设备基于安全策略对边缘计算平台上的应用提供安全管理功能，使得第一设备可以根据安全策略确定是否根据第一信息进行编排；如此，能够提高第一设备针对边缘计算平台的应用进行配置的安全管控能力。The communication system, method, device, first device, second device, and storage medium provided in the embodiments of the present application, the system includes: the first device, the second device, and the third device; the first device is configured to receive The first information of the device, based on the first information and the security policy, provides a security management function for the application on the edge computing platform; the first information is used to configure the application on the edge computing platform; the The second device is configured to send the first information to the first device based on the second information from the third device; the second information is used to arrange applications on the edge computing platform. According to the solution of the embodiment of this application, the first device provides security management functions for applications on the edge computing platform based on the security policy, so that the first device can determine whether to perform orchestration according to the first information according to the security policy; Security management and control capabilities for configuring applications on edge computing platforms.

Description of drawings

图1为相关技术中MEC的系统结构示意图；FIG. 1 is a schematic diagram of a system structure of an MEC in the related art;

图2为相关技术中MEC的主机层与系统层的结构示意图；FIG. 2 is a schematic structural diagram of a host layer and a system layer of an MEC in the related art;

图3为本申请实施例5G行业云网融合的系统结构示意图；FIG. 3 is a schematic structural diagram of a system for 5G industry cloud-network integration according to an embodiment of the present application;

图4为本申请实施例一种通信系统的结构示意图；FIG. 4 is a schematic structural diagram of a communication system according to an embodiment of the present application;

图5为本申请实施例一种通信方法的流程示意图；FIG. 5 is a schematic flowchart of a communication method according to an embodiment of the present application;

图6为本申请实施例另一种通信方法的流程示意图；FIG. 6 is a schematic flowchart of another communication method according to an embodiment of the present application;

图7为本申请应用实施例通信系统的结构示意图；FIG. 7 is a schematic structural diagram of a communication system of an application embodiment of the present application;

图8为本申请应用实施例通信方法的流程示意图；FIG. 8 is a schematic flowchart of a communication method in an application embodiment of the present application;

图9为本申请应用实施例注册认证的流程示意图；FIG. 9 is a schematic diagram of the registration authentication process of the application embodiment of the present application;

图10为本申请实施例一种MEPM和L-MEPM的关系示意图；10 is a schematic diagram of the relationship between a MEPM and an L-MEPM according to an embodiment of the present application;

图11为本申请实施例一种权限授权方式的示意图；FIG. 11 is a schematic diagram of a permission authorization method according to an embodiment of the present application;

图12为本申请实施例一种通信装置的结构示意图；FIG. 12 is a schematic structural diagram of a communication device according to an embodiment of the present application;

图13为本申请实施例另一种通信装置的结构示意图；FIG. 13 is a schematic structural diagram of another communication device according to an embodiment of the present application;

图14为本申请实施例第一设备的结构示意图；Fig. 14 is a schematic structural diagram of the first device of the embodiment of the present application;

图15为本申请实施例第二设备的结构示意图。FIG. 15 is a schematic structural diagram of a second device according to an embodiment of the present application.

detailed description

下面结合附图及实施例对本申请再作进一步详细的描述。The application will be further described in detail below in conjunction with the accompanying drawings and embodiments.

相关技术中，MEC作为欧洲电信标准化协会(ETSI，European Telecommunications Standards Institute)主导的多接入边缘计算平台标准，从最初的移动边缘计算平台演进到基于虚拟网络功能(VNF，Virtual Network Feature)的多接入边缘计算平台，通过将MEC应用、平台、资源虚拟化和服务化的方式提供更高效的业务运行服务，以满足不同业务在处理能力上的差异化需求，ETSI标准组织定义了图1所示的MEC系统框架。In related technologies, MEC is a multi-access edge computing platform standard led by the European Telecommunications Standards Institute (ETSI, European Telecommunications Standards Institute). Connect to the edge computing platform, and provide more efficient business operation services by virtualizing and serving MEC applications, platforms, and resources to meet the differentiated needs of different businesses in terms of processing capabilities. The ETSI standard organization defines the The framework of the MEC system shown.

MEC系统，主要包括：MEC系统层(MEC system-level)、MEC主机层(MEC host level)、网络层(Networks)。The MEC system mainly includes: MEC system-level (MEC system-level), MEC host level (MEC host level), and network layer (Networks).

其中，MEC系统层负责整个MEC资源的分配、收回与协调工作，以满足不同业务对计算和传输资源的需求。MEC系统层管理支持MEC系统级管理功能和主机级管理功能。MEC系统级管理功能包含用户应用生命周期管理代理、运营支持系统和MEC编排器，MEC主机级管理功能可以包括MEC平台管理器和虚拟化基础设施管理器。通过MEC管理层管理为终端和第三方客户(如商业企业)提供的MEC服务。Among them, the MEC system layer is responsible for the allocation, recovery and coordination of the entire MEC resources to meet the needs of different services for computing and transmission resources. MEC system-level management supports MEC system-level management functions and host-level management functions. MEC system-level management functions include user application lifecycle management agents, operation support systems, and MEC orchestrators, and MEC host-level management functions can include MEC platform managers and virtualized infrastructure managers. MEC services provided to terminals and third-party customers (such as commercial enterprises) are managed through the MEC management layer.

MEC主机层用于为MEC应用、MEC平台等提供必要的计算、存储及传输功能。The MEC host layer is used to provide necessary computing, storage and transmission functions for MEC applications and MEC platforms.

网络层用于为上层的应用提供不同的网络选择(如3GPP无线网络、非3GPP无线网络、有线网络)，并根据上层的信令动态调整路由策略，以满足不同业务在网络上的传输需求。The network layer is used to provide different network options (such as 3GPP wireless network, non-3GPP wireless network, and wired network) for upper-layer applications, and dynamically adjust routing strategies according to upper-layer signaling to meet the transmission requirements of different services on the network.

其中，如图2所示，MEC主机(MEC host)包括：MEC平台和虚拟基础设施(计算、存储、网络)。虚拟设施包含数据面，用于执行从MEC平台接收到的路由规则，在应用(也称MEC app、MEC应用或MEP应用)、服务(也称MEC服务或MEP服务)、DNS服务/代理、3GPP网络、其他接入网、本地网络和外部网络之间进行流量的转发。其中，MEP使能所述应用来提供和调用所述服务，MEP本身也可以提供服务。具体地，所述应用运行在虚拟机或容器上，可以对外提供丰富多样的服务(如：位置、无线网络信息、流量管理)，所述应用也可以使用其他应用提供的服务，例如：应用A提供的位置、流量管理等服务可以被应用B和应用C使用。所述服务可以由MEP或某一个应用提供，当某个服务由所述应用提供时，该服务可以注册到MEP的服务列表中。Among them, as shown in Figure 2, the MEC host (MEC host) includes: MEC platform and virtual infrastructure (computing, storage, network). The virtual facility includes the data plane, which is used to execute the routing rules received from the MEC platform, in the application (also called MEC app, MEC application or MEP application), service (also called MEC service or MEP service), DNS service/proxy, 3GPP Forward traffic between the network, other access networks, local networks, and external networks. Wherein, the MEP enables the application to provide and invoke the service, and the MEP itself can also provide the service. Specifically, the application runs on a virtual machine or a container, and can provide a variety of services (such as: location, wireless network information, traffic management), and the application can also use services provided by other applications, for example: Application A The provided services such as location and traffic management can be used by application B and application C. The service may be provided by the MEP or a certain application. When a certain service is provided by the application, the service may be registered in the service list of the MEP.

MEC平台(MEP，MEC platform)，支持的功能包括：MEC platform (MEP, MEC platform), supported functions include:

1)、提供MEC应用能够发现、通知、使用和提供MEC服务的环境，包括其他平台提供的MEC服务(可选)。1) Provide an environment where MEC applications can discover, notify, use and provide MEC services, including MEC services provided by other platforms (optional).

2)、从MEC平台管理、应用或服务接收路由规则，控制数据面流量。2) Receive routing rules from MEC platform management, applications or services to control data plane traffic.

3)、从MEC平台管理接收DNS记录，配置DNS代理/服务器；3) Manage and receive DNS records from the MEC platform, and configure DNS proxy/server;

4)、托管MEC服务；4) Managed MEC services;

5)、提供到永久性存储和当日时间信息的接入；5) Provide access to permanent storage and time of day information;

MEC编排器(MEO，MEC orchestrator)又称MEC应用编排器(MEAO，MEC application orchestrator)，是MEC系统层管理的核心，支持的功能包括：MEC orchestrator (MEO, MEC orchestrator), also known as MEC application orchestrator (MEAO, MEC application orchestrator), is the core of MEC system layer management. The supported functions include:

1)维护MEC系统的整体视图(即整体部署)；比如MEC的主机部署、MEC的可用资源分配、可用的MEC服务的调用、系统拓扑等；1) Maintain the overall view of the MEC system (that is, the overall deployment); such as MEC host deployment, MEC available resource allocation, available MEC service calls, system topology, etc.;

2)管理MEC应用包的上线，包括：检查应用包的完整性和真实性；确认应用规则和需求，并判断是否需要调整应用规则和需求，若需要调整，则调整应用规则和需求以与运营商的策略相符；保存应用包的上线记录，以及为处理该应用准备虚拟基础设施管理器；2) Manage the launch of the MEC application package, including: checking the integrity and authenticity of the application package; confirming the application rules and requirements, and judging whether the application rules and requirements need to be adjusted; conform to the vendor's policy; keep a record of the application package's rollout, and prepare the virtual infrastructure manager for handling the application;

3)基于约束(比如时延、可用资源、可用服务等)为应用的初始化选择合适的MEC主机；3) Select an appropriate MEC host for application initialization based on constraints (such as delay, available resources, available services, etc.);

4)触发应用的启动和结束；4) Trigger the start and end of the application;

5)触发应用的按需迁移。5) Trigger on-demand migration of applications.

MEC平台管理(MEPM，MEC platform manager)，支持的功能包括：MEC platform management (MEPM, MEC platform manager), supported functions include:

1)、MEC应用的生命周期管理(LCM，Life Cycle Management)，如：通知MEAO相关应用的事件；1), MEC application life cycle management (LCM, Life Cycle Management), such as: notify MEAO of related application events;

2)、提供MEC平台(MEP，MEC Platform)的元素管理(Element mgmt)功能，包括虚拟网络功能(VNF，Virtualised Network Function)元素管理和网络服务(NS，Network Service)元素管理，其中NS信息元素包括物理网络功能(PNF，Physical Network Function)信息元素、虚拟链路信息元素、VNF转发图(VNF Forwarding Graph)信息元素；2) Provide the element management (Element mgmt) function of the MEC platform (MEP, MEC Platform), including virtual network function (VNF, Virtualized Network Function) element management and network service (NS, Network Service) element management, where the NS information element Including physical network function (PNF, Physical Network Function) information element, virtual link information element, VNF forwarding graph (VNF Forwarding Graph) information element;

3)、MEC应用的规则和需求的管理(MEC app rules&reqts mgmt)，比如：服务授权、路由规则、域名系统(DNS)配置和冲突处理；3), MEC application rules and requirements management (MEC app rules&reqts mgmt), such as: service authorization, routing rules, Domain Name System (DNS) configuration and conflict handling;

4)、从虚拟基础设施管理(VIM，Virtualisation Infrastructure Manager)接收虚拟资源的错误报告和性能测量数据。VIM主要功能包括：分配、管理、释放虚拟化基础设施的虚拟化资源，接收和存储软件镜像，收集、上报虚拟化资源的性能和故障信息。4) Receive error reports and performance measurement data of virtual resources from a virtual infrastructure manager (VIM, Virtualisation Infrastructure Manager). The main functions of VIM include: allocating, managing, and releasing virtualized resources of virtualized infrastructure, receiving and storing software images, collecting and reporting performance and fault information of virtualized resources.

从MEC各模块的功能描述可以看出，MEC应用的规则(包括路由规则、DNS配置、业务规则等)由MEPM管理、MEP接收，并最终在MEC主机的用户面执行。From the functional description of each module of MEC, it can be seen that the rules applied by MEC (including routing rules, DNS configuration, business rules, etc.) are managed by MEPM, received by MEP, and finally executed on the user plane of the MEC host.

图2中的Mx1、Mx2、Mp1、Mp2、Mp3、Mm1、Mm2……Mm9等表示各设备或模块之间可以调用接口和/或采用相应的通信协议进行通信。Mx1 , Mx2 , Mp1 , Mp2 , Mp3 , Mm1 , Mm2 . . . Mm9 in FIG. 2 indicate that various devices or modules can call interfaces and/or use corresponding communication protocols for communication.

实际应用中，垂直行业的终端接入技术类型繁多，第三方网络除5G外，还有非5G网络(比如4G、WiFi、Bluetooth、Zigbee、NB-IoT、SPN、红外网络、专线网络、Wireline等)，这些终端的数据可能会通过不同的网络传输到MEP。为保障MEP的网络与数据安全，实现泛在网络接入与控制功能，在一种5G行业云网融合的系统架构中引入了行业网关(iGW，industry GateWay)，该5G行业云网融合架构如图3所示。In practical applications, there are many types of terminal access technologies in vertical industries. In addition to 5G, third-party networks also have non-5G networks (such as 4G, WiFi, Bluetooth, Zigbee, NB-IoT, SPN, infrared network, dedicated line network, Wireline, etc.) ), the data of these terminals may be transmitted to the MEP through different networks. In order to ensure the network and data security of MEP and realize ubiquitous network access and control functions, an industry gateway (iGW, industry GateWay) is introduced into a 5G industry cloud-network integration system architecture. The 5G industry cloud-network integration architecture is as follows: Figure 3 shows.

MEC平台管理(MEPM)一般设置在行业网关上面，MEP上的数据可以通过行业网关直接接入到外部网络、即第三方网络，现有的ETSI协议对数据安全的保护并不到位，无法适应越来越多的数据安全和隐私保护的管理要求。MEC platform management (MEPM) is generally set on the industry gateway. The data on the MEP can be directly connected to the external network, that is, the third-party network through the industry gateway. The existing ETSI protocol does not protect data security in place and cannot adapt to the increasingly There are more and more management requirements for data security and privacy protection.

在一些医疗、教育、金融等数据敏感的典型应用场景，出于对保护用户隐私和商业机密的考虑，MEP上提供的一些应用和可用资源(硬件资源、网络资源等)是不能被远端(外部)的MEPM进行管理和配置的，MEPM向MEP发送的管理配置信息(或管理配置数据)必须受到严格的安全控制。相关技术中，MEPM对MEP上的管理配置信息缺乏必要的安全保护和授权管理机制，MEPM针对MEP的安全管理控制机制没有明确定义。In some typical application scenarios with sensitive data such as medical care, education, and finance, some applications and available resources (hardware resources, network resources, etc.) External) MEPM for management and configuration, the management configuration information (or management configuration data) sent by MEPM to MEP must be subject to strict security control. In related technologies, the MEPM lacks necessary security protection and authorization management mechanism for the management configuration information on the MEP, and the security management control mechanism of the MEPM for the MEP is not clearly defined.

基于此，在本申请的各种实施例中，第一设备，用于接收来自第二设备的第一信息，基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；所述第二设备，用于基于来自第三设备的第二信息向第一设备发送所述第一信息；所述第二信息，用于编排边缘计算平台上的应用。如此，能够提高对第一设备中针对边缘计算平台的应用进行配置的管控能力。Based on this, in various embodiments of the present application, the first device is configured to receive the first information from the second device, and provide security management functions for applications on the edge computing platform based on the first information and security policies; The first information is used to configure applications on the edge computing platform; the second device is used to send the first information to the first device based on the second information from the third device; the The second information is used to orchestrate applications on the edge computing platform. In this way, the ability to manage and control the configuration of the application for the edge computing platform in the first device can be improved.

本申请实施例提供一种通信系统，如图4所示，所述系统包括：第一设备、第二设备、第三设备；其中，An embodiment of the present application provides a communication system. As shown in FIG. 4 , the system includes: a first device, a second device, and a third device; wherein,

所述第一设备，用于接收来自第二设备的第一信息，基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；The first device is configured to receive first information from the second device, and provide security management functions for applications on the edge computing platform based on the first information and security policies; the first information is used for the Configure applications on the edge computing platform;

所述第二设备，用于基于来自第三设备的第二信息向第一设备发送所述第一信息；所述第二信息，用于编排边缘计算平台上的应用。The second device is configured to send the first information to the first device based on the second information from the third device; the second information is used to arrange applications on the edge computing platform.

其中，实际应用时，所述第二设备设置在第一设备和第三设备之间。Wherein, in actual application, the second device is arranged between the first device and the third device.

实际应用时，所述第一设备可以为本地设置的MEPM，可以理解为使用方设置一个本地MEPM，可以对MEP提供的应用进行本地管理配置。第一设备既可以单独进行本地部署，也可以集成到MEP。本申请实施例对所述第一设备的名称不作限定，只要能实现所述第一设备的功能即可。In actual application, the first device may be a locally set MEPM, which can be understood as the user sets up a local MEPM, and can perform local management and configuration on applications provided by the MEP. The first device can be deployed locally or integrated into the MEP. The embodiment of the present application does not limit the name of the first device, as long as the function of the first device can be realized.

实际应用时，所述第二设备可以为MEPM，本申请实施例对所述第二设备的名称不作限定，只要能实现所述第二设备的功能即可。In practical applications, the second device may be an MEPM, and the embodiment of the present application does not limit the name of the second device, as long as the functions of the second device can be realized.

实际应用时，所述第三设备可以为MEO或MEAO，本申请实施例对所述第三设备的名称不作限定，只要能实现所述第三设备的功能即可。In practical application, the third device may be MEO or MEAO, and the embodiment of the present application does not limit the name of the third device, as long as the function of the third device can be realized.

实际应用时，所述边缘计算平台可以称为MEP。In practical application, the edge computing platform may be called MEP.

所述编排边缘计算平台上的应用可以理解为：通过对每个应用的应用程序和/或可用资源进行编排实现。The orchestration of applications on the edge computing platform can be understood as: implementing by orchestrating the application programs and/or available resources of each application.

在一实施例中，所述安全策略，包括以下至少之一：In one embodiment, the security policy includes at least one of the following:

所述第一设备保存有安全策略，安全策略用于设置安全等级，通过不同安全等级管理第一设备中是否允许针对所述边缘计算平台上的部分应用的配置。The first device saves a security policy, and the security policy is used to set a security level, and manage whether the first device allows configuration of some applications on the edge computing platform through different security levels.

实际应用时，可以向第二设备告知是否配置成功，即是否完成编排。In actual application, the second device may be notified whether the configuration is successful, that is, whether the arrangement is completed.

基于此，在一实施例中，所述第一设备，还用于向第二设备发送第三信息；所述第三信息，用于说明所述第一信息是否配置成功；Based on this, in an embodiment, the first device is further configured to send third information to the second device; the third information is used to indicate whether the configuration of the first information is successful;

所述第二设备，还用于基于所述第三信息向第三设备发送第四信息；所述第四信息，用于说明所述第二信息是否配置成功。The second device is further configured to send fourth information to a third device based on the third information; the fourth information is used to indicate whether the configuration of the second information is successful.

在一实施例中，所述第一信息，包括以下至少之一的配置信息：In an embodiment, the first information includes at least one of the following configuration information:

第三配置策略；所述第三配置策略针对不同应用的域名系统(DNS)；The third configuration strategy; the third configuration strategy is aimed at Domain Name System (DNS) of different applications;

在一实施例中，所述第二信息，包括以下至少之一：In an embodiment, the second information includes at least one of the following:

应用的管理信息；Application management information;

应用的生命周期变更信息。Application lifecycle change information.

这里，所述应用的管理信息，可以包括：应用包的管理，如：加载应用包、启用应用包、禁用应用包等。Here, the application management information may include: management of application packages, such as: loading application packages, enabling application packages, disabling application packages, and the like.

所述应用的生命周期管理信息，可以包括：实例化应用包、操作(使用)应用实例、终止应用实例。The life cycle management information of the application may include: instantiating the application package, operating (using) the application instance, and terminating the application instance.

所述应用的生命周期变更通知，可以包括：应用程序未实例化、应用程序已经启动在运行中、应用程序停止运行。The lifecycle change notification of the application may include: the application is not instantiated, the application has started and is running, and the application stops running.

实际应用时，第三设备可以对第一设备进行身份认证，认证通过后可进行通信。In actual application, the third device can perform identity authentication on the first device, and can communicate after passing the authentication.

基于此，在一实施例中，所述第三设备，还用于接收来自第一设备的第一接入认证信息，向所述第一设备发送第一认证响应信息；所述第一认证响应信息至少包括：第一设备的身份标识。Based on this, in an embodiment, the third device is further configured to receive first access authentication information from the first device, and send first authentication response information to the first device; the first authentication response The information includes at least: the identity of the first device.

实际应用时，第三设备可以对第二设备进行身份认证，认证通过后可进行通信。In actual application, the third device can authenticate the identity of the second device, and can communicate after passing the authentication.

基于此，在一实施例中，所述第三设备，还用于接收来自第二设备的第二接入认证信息，向所述第二设备发送第二认证响应信息；所述第二认证响应信息至少包括：第二设备的身份标识；Based on this, in an embodiment, the third device is further configured to receive second access authentication information from the second device, and send second authentication response information to the second device; the second authentication response The information at least includes: the identity of the second device;

所述第三设备，还用于向所述第二设备发送所述第一设备的身份标识。The third device is further configured to send the identity of the first device to the second device.

在一实施例中，所述第一设备的数量为一个或多个。In an embodiment, the number of the first device is one or more.

相应地，本申请实施例中还提供一种通信方法，应用于第一设备，如图5所示，所述方法包括：Correspondingly, the embodiment of the present application also provides a communication method, which is applied to the first device, as shown in FIG. 5 , the method includes:

步骤501、接收来自第二设备的第一信息；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；Step 501, receiving first information from a second device; the first information is used to configure applications on the edge computing platform;

步骤502、基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能。Step 502: Provide security management functions for applications on the edge computing platform based on the first information and the security policy.

所述第一设备保存有安全策略，安全策略用于设置安全等级，通过不同安全等级管理第一设备中是否允许针对所述边缘计算平台上的部分应用的配置。The first device saves a security policy, and the security policy is used to set a security level, and whether the configuration for some applications on the edge computing platform is allowed in the first device is managed through different security levels.

在一实施例中，第一设备可以请求第二设备对自身进行身份认证，认证通过后可进行通信。In an embodiment, the first device may request the second device to authenticate itself, and communication may be performed after the authentication is passed.

基于此，在一实施例中，所述方法还包括：Based on this, in an embodiment, the method further includes:

实际应用时，第一设备可以请求第三设备对自身进行身份认证，认证通过后可进行通信。In actual application, the first device may request the third device to authenticate itself, and communication may be performed after the authentication is passed.

相应地，本申请实施例中又提供一种通信方法，应用于第二设备，如图6所示，所述方法包括：Correspondingly, the embodiment of the present application provides another communication method, which is applied to the second device, as shown in FIG. 6 , the method includes:

步骤601、接收来自第三设备的第二信息；所述第二信息，用于编排边缘计算平台上的应用；Step 601. Receive second information from a third device; the second information is used to arrange applications on the edge computing platform;

步骤602、基于所述第二信息向第一设备发送第一信息；所述第一信息，用于指示第一设备基于所述第一设备和安全策略针对所述边缘计算平台上的应用进行配置。Step 602: Send first information to the first device based on the second information; the first information is used to instruct the first device to configure applications on the edge computing platform based on the first device and security policies .

实际应用时，所述编排边缘计算平台上的应用可以理解为：通过对每个应用的应用程序和/或可用资源进行编排实现。In actual application, the orchestration of applications on the edge computing platform can be understood as: implementing the orchestration of the application programs and/or available resources of each application.

应用的管理信息；Application management information;

应用的生命周期变更信息。Application lifecycle change information.

实际应用时，第二设备可以对第一设备进行身份认证，认证通过后可进行通信。In actual application, the second device can perform identity authentication on the first device, and can communicate after passing the authentication.

实际应用时，第二设备可以请求第三设备对自身进行身份认证，认证通过后可进行通信。In actual application, the second device can request the third device to authenticate itself, and communication can be performed after the authentication is passed.

下面结合应用实施例对本申请再作进一步详细的描述。The present application will be further described in detail below in conjunction with application examples.

在本应用实施例中，所述第一设备称为本地MEPM(L-MEPM，Local MEPM)；所述第二设备为MEPM；所述第三设备称为MEAO或MEO；所述边缘计算平台称为MEP。In this application embodiment, the first device is called local MEPM (L-MEPM, Local MEPM); the second device is called MEPM; the third device is called MEAO or MEO; the edge computing platform is called for MEPs.

在本应用实施例中，引入一个部署在MEP侧的L-MEPM，主要负责与MEPM和/或MEAO进行信令交互，并负责MEP本地管理配置数据的安全监管，如图7所示。In this application embodiment, an L-MEPM deployed on the MEP side is introduced, which is mainly responsible for signaling interaction with the MEPM and/or MEAO, and responsible for the security supervision of the MEP local management configuration data, as shown in Figure 7 .

其中，L-MEPM，支持功能包括：Among them, L-MEPM, support functions include:

1)、管理MEPM的管理配置请求，根据针对MEP上的应用的安全策略等相应管理配置请求；1), manage the management configuration request of MEPM, according to the corresponding management configuration request such as the security policy for the application on the MEP;

2)、保存有安全策略，基于安全策略管理来自MEPM的管理配置数据(即上述来自第二设备的第一信息)。安全策略可以包括：严格、一般、宽松等三个等级，例如：在严格等级时，来自MEPM的管理配置数据不能配置MEP上的应用；在一般等级时，L-MEPM基于安全策略确定来自MEPM的管理配置数据是否能够配置MEP上的应用，在宽松等级时，L-MEPM只负责转发MEPM的管理配置数据(管理配置数据基于来自MEPM的管理配置请求确定)到MEP进行针对不同应用的配置。2) The security policy is saved, and the management configuration data from the MEPM (that is, the above-mentioned first information from the second device) is managed based on the security policy. The security policy can include three levels: strict, general, and loose. For example, at the strict level, the management configuration data from MEPM cannot configure the application on the MEP; at the general level, L-MEPM determines the Whether the management configuration data can configure the application on the MEP, at the loose level, the L-MEPM is only responsible for forwarding the management configuration data of the MEPM (the management configuration data is determined based on the management configuration request from the MEPM) to the MEP for configuration of different applications.

当然，实际应用时还可以对于等级划分更为细分，这里不做限定。Of course, in actual application, the grade division can be further subdivided, which is not limited here.

在本应用实施例中，如图8所示，MEAO通过MEPM进行编排管理，L-MEPM本地配置有安全策略，针对控制面(具体指针对MEP提供的应用的管理配置数据)进行数据安全管控，以使控制面的数据不能随意对MEP的应用进行配置。所述通信方法包括：In this application embodiment, as shown in Figure 8, MEAO performs orchestration management through MEPM, and L-MEPM is locally configured with a security policy to perform data security management and control for the control plane (specifically referring to the management configuration data of the application provided by MEP), In order to prevent the data of the control plane from arbitrarily configuring the application of the MEP. The communication methods include:

步骤801、MEAO(一种第三设备示例)向MEPM(一种第二设备示例)下发第二信息；Step 801, MEAO (an example of a third device) sends second information to MEPM (an example of a second device);

所述第二信息包括：MEPM身份标识和编排信息；The second information includes: MEPM identity and arrangement information;

所述第二信息，用于编排边缘计算平台上的应用。The second information is used to orchestrate applications on the edge computing platform.

对于第二信息给出一种示例，所述第二信息包含但不限于表1的内容：An example is given for the second information, which includes but is not limited to the contents of Table 1:

表1Table 1

步骤802、MEPM收到第二信息后，向L-MEPM(一种第三设备示例) 发送第一信息；Step 802. After receiving the second information, the MEPM sends the first information to the L-MEPM (an example of a third device);

所述第一信息包括：L-MEPM身份标识和管理配置信息；The first information includes: L-MEPM identity and management configuration information;

所述第一信息，用于针对所述边缘计算平台上的应用进行配置。The first information is used to configure applications on the edge computing platform.

对于第一信息给出一种示例，如表2所示；An example is given for the first information, as shown in Table 2;

参数名parameter name 类型Types of 说明illustrate L-MEPM身份标识L-MEPM ID 如表5所示As shown in Table 5 L-MEPM的唯一身份标识Unique ID of L-MEPM 管理配置信息Manage configuration information 如表8所示As shown in Table 8 管理配置信息Manage configuration information

表2Table 2

步骤803、L-MEPM收到第一信息后，检查本地的安全策略；基于第一信息和安全策略进行相应操作并回复第三信息；Step 803, after receiving the first message, the L-MEPM checks the local security policy; performs corresponding operations based on the first message and the security policy and replies to the third message;

所述L-MEPM本地的安全策略，包括：The local security policy of the L-MEPM includes:

“严格”等级(相当于上述第一安全等级)时，L-MEPM拒绝针对MEP的所有管理配置信息；At the "strict" level (equivalent to the above-mentioned first security level), L-MEPM rejects all management configuration information for MEP;

“一般”等级(相当于上述第二安全等级)时，L-MEPM允许针对MEP的部分管理配置信息；At the "general" level (equivalent to the above-mentioned second security level), L-MEPM allows some management configuration information for MEP;

“宽松”等级(相当于上述第三安全等级)时，L-MEPM允许针对MEP的所有管理配置信息。At "loose" level (corresponding to the third security level mentioned above), L-MEPM allows all management configuration information for MEP.

L-MEPM中每个应用具有唯一标识，安全策略中通过每个应用的标识标记，并对应标记是否符合要求。Each application in L-MEPM has a unique identifier, and each application's identifier is marked in the security policy, and whether the corresponding mark meets the requirements.

检查本地的安全策略，相应于符合安全策略的情况，对MEP上的应用进行配置，配置完成后向MEPM回复配置成功的信息；Check the local security policy, and configure the application on the MEP corresponding to the situation that meets the security policy, and reply to the MEPM with a successful configuration message after the configuration is completed;

相应于符合部分安全策略的情况，对MEP上的应用信息进行部分的配置，配置完成后向MEPM回复配置成功的信息；Corresponding to the situation in which part of the security policy is met, the application information on the MEP is partially configured, and after the configuration is completed, the configuration success information is returned to the MEPM;

如果不符合本地安全策略，直接向MEPM回复配置失败的信息。If it does not comply with the local security policy, it will directly reply the configuration failure information to MEPM.

也就是说，所述第三信息，包括：MEPM身份标识和管理配置结果信息；如表3所示。That is to say, the third information includes: MEPM identity and management configuration result information; as shown in Table 3.

参数名parameter name 类型Types of 说明illustrate MEPM身份标识MEPM ID 如表5所示As shown in Table 5 MEPM的唯一身份标识Unique ID of MEPM 管理配置结果信息Manage configuration result information 如表9所示As shown in Table 9 成功或失败success or failure

表3table 3

步骤804、MEPM收到L-MEPM的第三信息后，向MEAO回复第四信息；Step 804, after the MEPM receives the third message from the L-MEPM, it returns the fourth message to the MEAO;

所述第四信息，用于说明基于第二信息进行编排的结果。The fourth information is used to explain the result of editing based on the second information.

所述第四信息可以包括：MEAO身份标识和管理配置结果信息；如表4所示。The fourth information may include: MEAO identity and management configuration result information; as shown in Table 4.

参数名parameter name 类型Types of 说明illustrate MEAO身份标识MEAO identity 如表5所示As shown in Table 5 MEAO的唯一身份标识Unique ID of MEAO 管理配置结果信息Manage configuration result information 如表10所示As shown in Table 10 成功或失败success or failure

表4Table 4

本申请各实施例中可以用于唯一ID标识身份，如表5的实施例；The unique ID can be used in each embodiment of the application to identify the identity, such as the embodiment in Table 5;

表5table 5

本申请各实施例中可以通过数字或字符串标识来区分MEPM类型，如表6的实施例；In each embodiment of the present application, the MEPM type can be distinguished by a number or a character string identification, such as the embodiment of Table 6;

数据类型type of data 说明illustrate 数字number 1表示普通MEPM；2表示L-MEPM1 means common MEPM; 2 means L-MEPM 字符串string “1”表示普通MEPM；“2”表示L-MEPM"1" means normal MEPM; "2" means L-MEPM

表6Table 6

本申请各实施例中MEAO下发的编排信息，如表7所示，根据ETSI MEC 010-2标准协议中规定进行设计，针对每个应用包：The layout information issued by MEAO in each embodiment of this application, as shown in Table 7, is designed according to the provisions of the ETSI MEC 010-2 standard protocol, and for each application package:

表7Table 7

MEPM向L-MEPM下发的管理配置信息，给出一种应用示例，如表8 所示；The management configuration information issued by MEPM to L-MEPM provides an application example, as shown in Table 8;

表8Table 8

L-MEPM向MEPM的回复信息、即第三信息，给出一种应用示例，如表9所示；The reply information of L-MEPM to MEPM, that is, the third information, gives an application example, as shown in Table 9;

表9Table 9

MEPM向MEAO的回复消息、即第四信息，给出一种应用示例，如表10所示；The reply message from MEPM to MEAO, that is, the fourth message, gives an application example, as shown in Table 10;

表10Table 10

实际应用时，为了得到MEPM身份标识、L-MEPM身份标识，所述方法还包括：身份注册；如图9所示，包括：During actual application, in order to obtain MEPM identity mark, L-MEPM identity mark, described method also includes: identity registration; As shown in Figure 9, includes:

步骤901、MEPM(一种第二设备示例)和L-MEPM(一种第一设备示例)分别向MEAO(一种第三设备示例)注册请求；Step 901, MEPM (an example of a second device) and L-MEPM (an example of a first device) respectively register a request with MEAO (an example of a third device);

所述注册请求即所述身份认证信息，用于请求MEAO注册身份；MEAO收到注册请求进行注册操作后存储MEPM、L-MEPM相应的身份标识。注册的身份信息可以包含以下如表11所示内容：The registration request is the identity authentication information, which is used to request the MEAO to register an identity; the MEAO stores the corresponding identity marks of MEPM and L-MEPM after receiving the registration request and performing a registration operation. The registered identity information can include the following content as shown in Table 11:

表11Table 11

步骤902、MEAO收到注册请求后，进行注册并回复信息；包括如下表12所示内容：After step 902, MEAO receives the registration request, registers and reply information; Include content as shown in table 12 below:

表12Table 12

MEAO收到MEPM注册请求后，执行回复操作；针对回复操作给出一种应用示例，如表13所示；没有按照表6格式则是非法身份标识。After MEAO receives the MEPM registration request, it executes a reply operation; an application example is given for the reply operation, as shown in Table 13; if it does not follow the format of Table 6, it is an illegal identification.

表13Table 13

步骤903、MEAO向MEPM发送已经注册的L-MEPM信息，给出一种应用示例，如表14所示；Step 903, MEAO sends the registered L-MEPM information to MEPM, provides a kind of application example, as shown in table 14;

表14Table 14

步骤904、MEPM解析出L-MEPM的身份信息和IP地址后，形成MEPM和多个L-MEPM的关联关系，如下图10所示。Step 904: After the MEPM resolves the identity information and IP address of the L-MEPM, an association relationship between the MEPM and multiple L-MEPMs is formed, as shown in FIG. 10 below.

MEPM并向MEAO进行信息回复。关于回复信息的内容，给出一种应用示例，如表15所示；MEPM and reply to MEAO. Regarding the content of the reply information, an application example is given, as shown in Table 15;

表15Table 15

关于回复类型和回复说明，给出一种应用示例，如表16所示；Regarding the reply type and reply description, an application example is given, as shown in Table 16;

回复类型reply type 回复说明reply instructions 00 成功success 11 非法身份illegal status

表16Table 16

针对IP地址，给出一种应用示例，如表17所示；For the IP address, an application example is given, as shown in Table 17;

表17Table 17

针对L-MEPM身份信息和IP地址信息，给出一种示例，如下：An example is given for L-MEPM identity information and IP address information, as follows:

方法1：使用哈希表方式实现，key标识L-MEPM身份标识，value标识L-MEPM的IP地址。Method 1: Implemented using a hash table, the key identifies the L-MEPM identity, and the value identifies the IP address of the L-MEPM.

方式2：使用JSON字符串方式实现。Method 2: Use the JSON string method to implement.

为了实现本申请实施例第一设备侧的方法，本申请实施例还提供了一种通信装置，设置在第一设备上，如图12所示，该装置包括：In order to implement the method on the first device side of the embodiment of the present application, the embodiment of the present application also provides a communication device, which is set on the first device, as shown in FIG. 12 , the device includes:

第一通信单元1201，配置为接收来自第二设备的第一信息；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；The first communication unit 1201 is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;

第一处理单元1202，配置为基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能。The first processing unit 1202 is configured to provide a security management function for applications on the edge computing platform based on the first information and the security policy.

其中，在一实施例中，所述安全策略，包括以下至少之一：Wherein, in an embodiment, the security policy includes at least one of the following:

在一实施例中，所述第一通信单元1201，还配置为向第二设备发送第三信息；所述第三信息，用于说明所述第一信息是否配置成功。In an embodiment, the first communication unit 1201 is further configured to send third information to the second device; the third information is used to describe whether the configuration of the first information is successful.

在一实施例中，所述第一通信单元1202，还配置为向第三设备发送第一接入认证信息；In an embodiment, the first communication unit 1202 is further configured to send the first access authentication information to the third device;

实际应用时，所述第一通信单元1201和所述第一处理单元1202可由通信装置中的处理器结合通信接口实现。In practical applications, the first communication unit 1201 and the first processing unit 1202 may be implemented by a processor in a communication device combined with a communication interface.

为了实现本申请实施例第二设备侧的方法，本申请实施例还提供了一种通信装置，设置在第二设备上，如图13所示，该装置包括：In order to implement the method on the second device side of the embodiment of the present application, the embodiment of the present application also provides a communication device, which is set on the second device, as shown in FIG. 13 , the device includes:

第二通信单元1301，配置为接收来自第三设备的第二信息；所述第二信息，用于编排边缘计算平台上的应用；The second communication unit 1301 is configured to receive second information from a third device; the second information is used to arrange applications on the edge computing platform;

第二处理单元1302，配置为基于所述第二信息向第一设备发送第一信息；所述第一信息，用于指示第一设备基于所述第一设备和安全策略针对所述边缘计算平台上的应用进行配置。The second processing unit 1302 is configured to send first information to the first device based on the second information; the first information is used to instruct the first device to target the edge computing platform based on the first device and a security policy Configure the application above.

其中，在一实施例中，所述第一信息，包括以下至少之一的配置信息：Wherein, in an embodiment, the first information includes configuration information of at least one of the following:

应用的管理信息；Application management information;

应用的生命周期变更信息。Application lifecycle change information.

在一实施例中，所述第二通信单元1301，还配置为接收来自第一设备的第三信息；所述第三信息，用于说明所述第一信息是否配置成功；In an embodiment, the second communication unit 1301 is further configured to receive third information from the first device; the third information is used to explain whether the configuration of the first information is successful;

在一实施例中，所述第二通信单元1301，还配置为向第三设备发送第二接入认证信息；接收来自所述第三设备的第二认证响应信息；所述第二认证响应信息至少包括：第一设备的身份标识；In an embodiment, the second communication unit 1301 is further configured to send second access authentication information to a third device; receive second authentication response information from the third device; the second authentication response information at least include: the identity of the first device;

所述第二通信单元1301，还配置为接收所述第一设备的身份标识。The second communication unit 1301 is further configured to receive the identity of the first device.

实际应用时，实际应用时，所述第二通信单元1301和所述第二处理单元1302可由通信装置中的处理器结合通信接口实现。In actual application, in actual application, the second communication unit 1301 and the second processing unit 1302 may be implemented by a processor in a communication device combined with a communication interface.

需要说明的是：上述实施例提供的通信装置在进行通信时，仅以上述各程序模块的划分进行举例说明，实际应用中，可以根据需要而将上述处理分配由不同的程序模块完成，即将装置的内部结构划分成不同的程序模块，以完成以上描述的全部或者部分处理。另外，上述实施例提供的通信装置与通信方法实施例属于同一构思，其具体实现过程详见方法实施例，这里不再赘述。It should be noted that: when the communication device provided by the above-mentioned embodiment performs communication, the division of the above-mentioned program modules is used as an example for illustration. The internal structure of the program is divided into different program modules to complete all or part of the processing described above. In addition, the communication device and the communication method embodiments provided in the above embodiments belong to the same idea, and the specific implementation process thereof is detailed in the method embodiments, and will not be repeated here.

基于上述程序模块的硬件实现，且为了实现本申请实施例第一设备侧的方法，本申请实施例还提供了一种第一设备，如图14所示，该第一设备1400包括：Based on the hardware implementation of the above program modules, and in order to implement the method on the first device side of the embodiment of the present application, the embodiment of the present application further provides a first device, as shown in FIG. 14 , the first device 1400 includes:

第一通信接口1401，能够与第二设备进行信息交互；The first communication interface 1401 is capable of exchanging information with the second device;

第一处理器1402，与所述第一通信接口1401连接，以实现与第二设备进行信息交互，配置为运行计算机程序时，执行上述第一设备侧一个或多个技术方案提供的方法。而所述计算机程序存储在第一存储器1403上。The first processor 1402 is connected to the first communication interface 1401 to implement information interaction with the second device, and is configured to execute the methods provided by one or more technical solutions on the first device side when running a computer program. Instead, the computer program is stored on the first memory 1403 .

具体地，所述第一通信接口1401，配置为接收来自第二设备的第一信息；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；Specifically, the first communication interface 1401 is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;

所述第一处理器1402，配置为基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能。The first processor 1402 is configured to provide security management functions for applications on the edge computing platform based on the first information and the security policy.

其中，在一实施例中，所述第一通信接口1401，还配置为向第二设备发送第三信息；所述第三信息，用于说明所述第一信息是否配置成功。Wherein, in an embodiment, the first communication interface 1401 is further configured to send third information to the second device; the third information is used to describe whether the configuration of the first information is successful.

在一实施例中，所述第一通信接口1401，还配置为向第三设备发送第一接入认证信息；In an embodiment, the first communication interface 1401 is further configured to send first access authentication information to a third device;

需要说明的是：第一处理器1402和第一通信接口1401的具体处理过程可参照上述方法理解。It should be noted that the specific processing procedures of the first processor 1402 and the first communication interface 1401 can be understood with reference to the above method.

当然，实际应用时，第一设备1400中的各个组件通过总线系统1404耦合在一起。可理解，总线系统1404用于实现这些组件之间的连接通信。总线系统1404除包括数据总线之外，还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见，在图14中将各种总线都标为总线系统1404。Of course, in practical applications, various components in the first device 1400 are coupled together through the bus system 1404 . It can be understood that the bus system 1404 is used to realize connection and communication among these components. In addition to the data bus, the bus system 1404 also includes a power bus, a control bus and a status signal bus. However, for clarity of illustration, the various buses are labeled as bus system 1404 in FIG. 14 .

本申请实施例中的第一存储器1403用于存储各种类型的数据以支持第一设备1400的操作。这些数据的示例包括：用于在第一设备1400上操作的任何计算机程序。The first memory 1403 in the embodiment of the present application is used to store various types of data to support the operation of the first device 1400. Examples of such data include: any computer programs for operating on the first device 1400 .

上述本申请实施例揭示的方法可以应用于所述第一处理器1402中，或者由所述第一处理器1402实现。所述第一处理器1402可能是一种集成电路芯片，具有信号的处理能力。在实现过程中，上述方法的各步骤可以通过所述第一处理器1402中的硬件的集成逻辑电路或者软件形式的指令完成。上述的所述第一处理器1402可以是通用处理器、数字信号处理器(DSP，Digital Signal Processor)，或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。所述第一处理器1402可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤，可以直接体现为硬件译码处理器执行完成，或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中，该存储介质位于第一存储器1403，所述第一处理器1402读取第一存储器1403中的信息，结合其硬件完成前述方法的步骤。The methods disclosed in the foregoing embodiments of the present application may be applied to the first processor 1402 or implemented by the first processor 1402 . The first processor 1402 may be an integrated circuit chip, which has a signal processing capability. In the implementation process, each step of the above method may be implemented by an integrated logic circuit of hardware in the first processor 1402 or an instruction in the form of software. The aforementioned first processor 1402 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. The first processor 1402 may implement or execute various methods, steps, and logic block diagrams disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the first memory 1403. The first processor 1402 reads the information in the first memory 1403, and completes the steps of the foregoing method in combination with its hardware.

在示例性实施例中，第一设备1400可以被一个或多个应用专用集成电路(ASIC，Application Specific Integrated Circuit)、DSP、可编程逻辑器件(PLD，Programmable Logic Device)、复杂可编程逻辑器件(CPLD，Complex Programmable Logic Device)、现场可编程门阵列(FPGA，Field-Programmable Gate Array)、通用处理器、控制器、微控制器(MCU，Micro Controller Unit)、微处理器(Microprocessor)、或者其他电子元件实现，用于执行前述方法。In an exemplary embodiment, the first device 1400 may be implemented by one or more Application Specific Integrated Circuits (ASIC, Application Specific Integrated Circuit), DSP, Programmable Logic Device (PLD, Programmable Logic Device), complex programmable logic device ( CPLD, Complex Programmable Logic Device), field-programmable gate array (FPGA, Field-Programmable Gate Array), general-purpose processor, controller, microcontroller (MCU, Micro Controller Unit), microprocessor (Microprocessor), or others Electronic components are implemented for performing the aforementioned methods.

基于上述程序模块的硬件实现，且为了实现本申请实施例第二设备侧的方法，本申请实施例还提供了一种第二设备，如图15所示，该第二设备1500包括：Based on the hardware implementation of the above program modules, and in order to implement the method on the second device side of the embodiment of the present application, the embodiment of the present application also provides a second device, as shown in FIG. 15 , the second device 1500 includes:

第二通信接口1501，能够与第一设备和第三设备进行信息交互；The second communication interface 1501 is capable of information interaction with the first device and the third device;

第二处理器1502，与所述第二通信接口1501连接，以实现与第一设备和第三设备进行信息交互，用于运行计算机程序时，执行上述第二设备侧一个或多个技术方案提供的方法。而所述计算机程序存储在第二存储器1503上。The second processor 1502 is connected to the second communication interface 1501 to implement information interaction with the first device and the third device, and is used to execute one or more technical solutions on the second device side when running the computer program. Methods. Instead, the computer program is stored on the second memory 1503 .

具体地，所述第二通信接口1501，配置为接收来自第三设备的第二信息；所述第二信息，用于编排边缘计算平台上的应用；Specifically, the second communication interface 1501 is configured to receive second information from a third device; the second information is used to arrange applications on the edge computing platform;

所述第二处理器1502，配置为基于所述第二信息向第一设备发送第一信息；所述第一信息，用于指示第一设备基于所述第一设备和安全策略针对所述边缘计算平台上的应用进行配置。The second processor 1502 is configured to send first information to the first device based on the second information; the first information is used to instruct the first device to target the edge based on the first device and a security policy The application on the computing platform is configured.

其中，在一实施例中，所述第二通信接口1501，还配置为接收来自第一设备的第三信息；所述第三信息，用于说明所述第一信息是否配置成功；Wherein, in an embodiment, the second communication interface 1501 is further configured to receive third information from the first device; the third information is used to explain whether the configuration of the first information is successful;

在一实施例中，所述第二通信接口1501，还配置为向第三设备发送第二接入认证信息；接收来自所述第三设备的第二认证响应信息；所述第二认证响应信息至少包括：第一设备的身份标识；In an embodiment, the second communication interface 1501 is further configured to send second access authentication information to a third device; receive second authentication response information from the third device; the second authentication response information at least include: the identity of the first device;

需要说明的是：第二通信接口1501和第二处理器1502的具体处理过程可参照上述方法理解。It should be noted that the specific processing procedures of the second communication interface 1501 and the second processor 1502 can be understood with reference to the above methods.

当然，实际应用时，第二设备1500中的各个组件通过总线系统1504耦合在一起。可理解，总线系统1504用于实现这些组件之间的连接通信。总线系统1504除包括数据总线之外，还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见，在图15中将各种总线都标为总线系统1504。Of course, in practical applications, various components in the second device 1500 are coupled together through the bus system 1504 . It can be understood that the bus system 1504 is used to realize connection and communication between these components. In addition to the data bus, the bus system 1504 also includes a power bus, a control bus and a status signal bus. However, the various buses are labeled as bus system 1504 in FIG. 15 for clarity of illustration.

本申请实施例中的第二存储器1503用于存储各种类型的数据以支持第二设备1500的操作。这些数据的示例包括：用于在第二设备1500上操作的任何计算机程序。The second memory 1503 in the embodiment of the present application is used to store various types of data to support the operation of the second device 1500. Examples of such data include: any computer programs for operating on the second device 1500 .

上述本申请实施例揭示的方法可以应用于所述第二处理器1502中，或者由所述第二处理器1502实现。所述第二处理器1502可能是一种集成电路芯片，具有信号的处理能力。在实现过程中，上述方法的各步骤可以通过所述第二处理器1502中的硬件的集成逻辑电路或者软件形式的指令完成。上述的所述第二处理器1502可以是通用处理器、DSP，或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。所述第二处理器1502可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤，可以直接体现为硬件译码处理器执行完成，或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中，该存储介质位于第二存储器1503，所述第二处理器1502读取第二存储器1503中的信息，结合其硬件完成前述方法的步骤。The methods disclosed in the foregoing embodiments of the present application may be applied to the second processor 1502 or implemented by the second processor 1502 . The second processor 1502 may be an integrated circuit chip and has signal processing capabilities. In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the second processor 1502 or instructions in the form of software. The aforementioned second processor 1502 may be a general-purpose processor, DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. The second processor 1502 may implement or execute various methods, steps, and logic block diagrams disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the second storage 1503, and the second processor 1502 reads information in the second storage 1503, and completes the steps of the aforementioned method in combination with its hardware.

在示例性实施例中，第二设备1500可以被一个或多个ASIC、DSP、PLD、CPLD、FPGA、通用处理器、控制器、MCU、Microprocessor、或其他电子元件实现，用于执行前述方法。In an exemplary embodiment, the second device 1500 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general processors, controllers, MCUs, Microprocessors, or other electronic components for performing the aforementioned methods.

可以理解，本申请实施例的存储器(第一存储器1403、第二存储器1503)可以是易失性存储器或者非易失性存储器，也可包括易失性和非易失性存储器两者。其中，非易失性存储器可以是只读存储器(ROM，Read Only Memory)、可编程只读存储器(PROM，Programmable Read-Only Memory)、可擦除可编程只读存储器(EPROM，Erasable Programmable Read-Only Memory)、电可擦除可编程只读存储器(EEPROM，Electrically Erasable Programmable Read-Only Memory)、磁性随机存取存储器(FRAM，ferromagnetic random access memory)、快闪存储器(Flash Memory)、磁表面存储器、光盘、或只读光盘(CD-ROM，Compact Disc Read-Only Memory)；磁表面存储器可以是磁盘存储器或磁带存储器。易失性存储器可以是随机存取存储器(RAM，Random Access Memory)，其用作外部高速缓存。通过示例性但不是限制性说明，许多形式的RAM可用，例如静态随机存取存储器(SRAM，Static Random Access Memory)、同步静态随机存取存储器(SSRAM，Synchronous Static Random Access Memory)、动态随机存取存储器(DRAM，Dynamic Random Access Memory)、同步动态随机存取存储器(SDRAM，Synchronous Dynamic Random Access Memory)、双倍数据速率同步动态随机存取存储器(DDRSDRAM，Double Data Rate Synchronous Dynamic Random Access Memory)、增强型同步动态随机存取存储器(ESDRAM，Enhanced Synchronous Dynamic Random Access Memory)、同步连接动态随机存取存储器(SLDRAM，SyncLink Dynamic Random Access Memory)、直接内存总线随机存取存储器(DRRAM，Direct Rambus Random Access Memory)。本申请实施例描述的存储器旨在包括但不限于这些和任意其它适合类型的存储器。It can be understood that the memory (the first memory 1403 and the second memory 1503 ) in this embodiment of the present application may be a volatile memory or a nonvolatile memory, and may also include both volatile and nonvolatile memories. Among them, the non-volatile memory can be read-only memory (ROM, Read Only Memory), programmable read-only memory (PROM, Programmable Read-Only Memory), erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory) Only Memory), Electrically Erasable Programmable Read-Only Memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), Magnetic Random Access Memory (FRAM, ferromagnetic random access memory), Flash Memory (Flash Memory), Magnetic Surface Memory , CD, or CD-ROM (Compact Disc Read-Only Memory); magnetic surface storage can be disk storage or tape storage. The volatile memory may be random access memory (RAM, Random Access Memory), which is used as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM, Static Random Access Memory), Synchronous Static Random Access Memory (SSRAM, Synchronous Static Random Access Memory), Dynamic Random Access Memory Memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced Synchronous Dynamic Random Access Memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), Synchronous Link Dynamic Random Access Memory (SLDRAM, SyncLink Dynamic Random Access Memory), Direct Memory Bus Random Access Memory (DRRAM, Direct Rambus Random Access Memory ). The memories described in the embodiments of the present application are intended to include, but are not limited to, these and any other suitable types of memories.

需要说明的是：“第一”、“第二”等是用于区别类似的对象，而不必用于描述特定的顺序或先后次序。It should be noted that: "first", "second", etc. are used to distinguish similar objects, and not necessarily used to describe a specific order or sequence.

另外，本申请实施例所记载的技术方案之间，在不冲突的情况下，可以任意组合。In addition, the technical solutions described in the embodiments of the present application may be combined arbitrarily if there is no conflict.

以上所述，仅为本申请的较佳实施例而已，并非用于限定本申请的保护范围。The above descriptions are only preferred embodiments of the present application, and are not intended to limit the protection scope of the present application.

Claims

A communication system, comprising: a first device, a second device, and a third device; wherein,

The first device is configured to receive first information from the second device, and provide security management functions for applications on the edge computing platform based on the first information and security policies; the first information is used for the Configure applications on the edge computing platform;

The second device is configured to send the first information to the first device based on the second information from the third device; the second information is used to arrange applications on the edge computing platform.

The system according to claim 1, wherein the security policy includes at least one of the following:

A first security level; the first security level indicates that configurations for all applications on the edge computing platform are rejected;

A second security level; the second security level characterizes the configuration for some applications on the edge computing platform;

The third security level; the first security level characterizes the configuration for all applications on the edge computing platform.

The system according to claim 1, wherein the first device is further configured to send third information to the second device; the third information is used to indicate whether the configuration of the first information is successful;

The second device is further configured to send fourth information to a third device based on the third information; the fourth information is used to indicate whether the configuration of the second information is successful.

The system according to claim 1, wherein the first information includes configuration information of at least one of the following:

A first configuration strategy; the first configuration strategy is aimed at operating permissions of different applications;

A second configuration strategy; the second configuration strategy is directed at routing rules for different applications;

A third configuration strategy; the third configuration strategy is aimed at Domain Name System DNS for different applications;

A fourth configuration strategy; the fourth configuration strategy is aimed at the life cycles of different applications.

The system according to claim 4, wherein the second information includes at least one of the following:

Application management information;

Application life cycle management information;

Application lifecycle change information.

The system according to claim 1, wherein the third device is further configured to receive first access authentication information from the first device, and send first authentication response information to the first device; the first The authentication response information at least includes: the identity of the first device.

The system according to claim 1, wherein the third device is further configured to receive second access authentication information from the second device, and send second authentication response information to the second device; the second The authentication response information at least includes: the identity of the second device;

The third device is further configured to send the identity of the first device to the second device.

The system according to any one of claims 1 to 7, wherein the number of the first devices is one or more.

A communication method, applied to a first device, the method comprising:

receiving first information from a second device; the first information is used to configure applications on the edge computing platform;

A security management function is provided for applications on the edge computing platform based on the first information and the security policy.

The method according to claim 9, wherein the security policy includes at least one of the following:

The first security level; the first security level characterizes denial of configuration for all applications on the edge computing platform;

The method according to claim 9, wherein the method further comprises:

Sending third information to the second device; the third information is used to indicate whether the configuration of the first information is successful.

The method according to claim 9, wherein the first information includes configuration information of at least one of the following:

The method according to claim 9, wherein the method further comprises:

sending the first access authentication information to the third device;

Receive first authentication response information from the third device; the first authentication response information at least includes: an identity of the first device.

A communication method applied to a second device, the method comprising:

receiving second information from a third device; the second information is used to arrange applications on the edge computing platform;

Sending first information to the first device based on the second information; the first information is used to instruct the first device to configure applications on the edge computing platform based on the first device and a security policy.

The method according to claim 14, wherein the first information includes configuration information of at least one of the following:

The method according to claim 14, wherein the second information includes at least one of the following:

Application management information;

Application life cycle management information;

Application lifecycle change information.

The method according to claim 14, wherein the security policy includes at least one of the following:

The second security level; the second security level characterizes the configuration for some applications on the edge computing platform;

The method according to claim 14, wherein said method further comprises:

receiving third information from the first device; the third information is used to indicate whether the configuration of the first information is successful;

Sending fourth information to the third device based on the third information; the fourth information is used to indicate whether the configuration of the second information is successful.

The method according to claim 14, wherein said method further comprises:

Sending second access authentication information to a third device; receiving second authentication response information from the third device; the second authentication response information includes at least: the identity of the first device;

The method further includes: receiving an identity of the first device.

A communication device, set on a first device, comprising:

The first communication unit is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;

The first processing unit is configured to provide security management functions for applications on the edge computing platform based on the first information and the security policy.

A first device, comprising: a first processor and a first communication interface; wherein,

The first communication interface is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;

The first processor is configured to provide security management functions for applications on the edge computing platform based on the first information and security policies.

A communication device, set on a second device, comprising:

The second communication unit is configured to receive second information from the third device; the second information is used to arrange applications on the edge computing platform;

The second processing unit is configured to send first information to the first device based on the second information; the first information is used to instruct the first device to target the edge computing platform based on the first device and the security policy configuration for the application.

A second device, comprising: a second processor and a second communication interface; wherein,

The second communication interface is configured to receive second information from a third device; the second information is used to arrange applications on the edge computing platform;

The second processor is configured to send first information to the first device based on the second information; the first information is used to instruct the first device to target the edge computing based on the first device and a security policy Configure applications on the platform.

A network device comprising: a processor and a memory configured to store a computer program capable of running on the processor,

Wherein, the processor is configured to execute the steps of the method according to any one of claims 9 to 13 when running the computer program; or,

The processor is configured to execute the steps of the method according to any one of claims 14 to 19 when running the computer program.

A storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the method according to any one of claims 9 to 13 are realized; or,

When the computer program is executed by a processor, the steps of the method described in any one of claims 14 to 19 are implemented.