WO2022267995A1

WO2022267995A1 - Communication method and apparatus, related device, and storage medium

Info

Publication number: WO2022267995A1
Application number: PCT/CN2022/099572
Authority: WO
Inventors: 游正朋; 种璟; 唐小勇; 朱磊; 罗柯
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Chengdu ICT Co Ltd
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Chengdu ICT Co Ltd
Priority date: 2021-06-24
Filing date: 2022-06-17
Publication date: 2022-12-29
Anticipated expiration: 2023-12-24
Also published as: CN115529143A; CN115529143B

Abstract

Disclosed in the present application are a communication method and apparatus, a first device, a second device, and a storage medium. The method comprises: a first device determining a management request, the management request being used for requesting configuration of a security policy for an application service on an edge computing platform; and determining the security policy according to the management request, the security policy being used for providing a security management function for the application service on the edge computing platform.

Description

Communication method, device, related equipment and storage medium

相关申请的交叉引用Cross References to Related Applications

本申请基于申请号为202110703263.9、申请日为2021年06月24日的中国专利申请提出，并要求该中国专利申请的优先权，该中国专利申请的全部内容在此引入本申请作为参考。This application is based on a Chinese patent application with application number 202110703263.9 and a filing date of June 24, 2021, and claims the priority of this Chinese patent application. The entire content of this Chinese patent application is hereby incorporated by reference into this application.

technical field

本申请涉及通信领域，尤其涉及一种通信方法、装置、相关设备及存储介质。The present application relates to the communication field, and in particular to a communication method, device, related equipment and storage medium.

Background technique

第五代移动通信技术(5G)作为新一代通信技术，具有大带宽、低时延、高可靠、高连接、泛在网等诸多优势，从而推动垂直行业的快速发展与更迭，比如智慧医疗、智慧教育、智慧农业等方向的崛起。As a new generation of communication technology, the fifth-generation mobile communication technology (5G) has many advantages such as large bandwidth, low latency, high reliability, high connection, ubiquitous network, etc., thereby promoting the rapid development and change of vertical industries, such as smart medical, The rise of smart education and smart agriculture.

移动边缘计算(MEC)技术作为5G演进的关键技术之一，是具备无线网络信息应用程序接口(API)交互能力，以及计算、存储、分析功能的信息技术(IT)通用平台；依托MEC技术，可将传统外部应用拉入移动内部，更贴近用户，提供本地化服务，从而提升用户体验，发挥边缘网络的更多价值。As one of the key technologies in the evolution of 5G, mobile edge computing (MEC) technology is a general information technology (IT) platform with wireless network information application programming interface (API) interaction capabilities, as well as computing, storage, and analysis functions; relying on MEC technology, It can pull traditional external applications into the mobile interior, get closer to users, and provide localized services, thereby improving user experience and giving full play to the value of edge networks.

将5G和MEC结合，可以面向不同的行业需求场景，引入不同的技术组合，比如服务质量(QoS)、端到端网络切片、网络能力开放、边缘云等，从而提供定制化的解决方案。The combination of 5G and MEC can introduce different technology combinations for different industry demand scenarios, such as quality of service (QoS), end-to-end network slicing, network capability exposure, edge cloud, etc., so as to provide customized solutions.

相关技术中，5G与MEC技术结合的方案存在安全风险。Among related technologies, the combination of 5G and MEC technology has security risks.

发明内容Contents of the invention

为解决相关技术问题，本申请实施例提供一种通信方法、装置、相关设备及存储介质。To solve related technical problems, embodiments of the present application provide a communication method, device, related equipment, and storage medium.

本申请实施例的技术方案是这样实现的：The technical scheme of the embodiment of the application is realized in this way:

本申请实施例提供了一种通信方法，应用于第一设备，包括：An embodiment of the present application provides a communication method applied to a first device, including:

确定管理请求；所述管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；Determining a management request; the management request is used to request configuration of a security policy for application services on the edge computing platform;

根据所述管理请求，确定安全策略；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。A security policy is determined according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.

优选地，所述确定管理请求，包括：Preferably, said determining the management request includes:

确定针对第一设备的第一操作；determining a first operation for the first device;

基于所述第一操作确定第一管理请求；所述第一管理请求，包括：第一安全策略。A first management request is determined based on the first operation; the first management request includes: a first security policy.

接收来自第二设备的第二管理请求；所述第二管理请求，包括：第二安全策略。Receive a second management request from the second device; the second management request includes: a second security policy.

优选地，所述第二管理请求，还包括：第二安全策略的优先级；所述第一设备保存的安全策略对应有初始优先级；Preferably, the second management request further includes: the priority of the second security policy; the security policy saved by the first device corresponds to an initial priority;

所述方法还包括：The method also includes:

根据第二安全策略的优先级和所述第一设备保存的安全策略所对应的初始优先级，确定是否更新所述第一设备保存的安全策略。Determine whether to update the security policy saved by the first device according to the priority of the second security policy and the initial priority corresponding to the security policy saved by the first device.

接收来自边缘计算平台的第三管理请求；所述第三管理请求包括第三安全策略。A third management request from the edge computing platform is received; the third management request includes a third security policy.

优选地，所述第三管理请求，还包括：第三安全策略的优先级；所述第一设备保存的安全策略对应有初始优先级；Preferably, the third management request further includes: the priority of the third security policy; the security policy saved by the first device corresponds to an initial priority;

所述方法还包括：The method also includes:

根据第三安全策略的优先级和所述第一设备保存的安全策略所对应的初始优先级，确定是否更新所述第一设备保存的安全策略。Determine whether to update the security policy saved by the first device according to the priority of the third security policy and the initial priority corresponding to the security policy saved by the first device.

优选地，所述方法还包括：Preferably, the method also includes:

向第二设备发送所述更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。Sending the update result to the second device; the update result at least represents whether the security policy on the first device is updated.

优选地，所述方法还包括：Preferably, the method also includes:

向所述边缘计算平台发送更新结果；所述更新结果至少表征是否更新所述安全策略。Sending an update result to the edge computing platform; the update result at least represents whether the security policy is updated.

优选地，所述安全策略，包括：针对至少一个应用服务中每个应用服务的安全等级；Preferably, the security policy includes: a security level for each application service in at least one application service;

所述更新结果，包括针对每个应用服务的安全策略的配置响应；所述配置响应的类型包括：The update result includes a configuration response for the security policy of each application service; the type of the configuration response includes:

全部同意、部分同意、拒绝、异常信息。Fully agree, partially agree, reject, exception information.

优选地，所述安全策略，包括以下至少之一：Preferably, the security policy includes at least one of the following:

第一安全等级；所述第一安全等级表征拒绝针对所述边缘计算平台上的所有应用服务的配置信息；The first security level; the first security level represents the denial of configuration information for all application services on the edge computing platform;

第二安全等级；所述第二安全等级表征允许针对所述边缘计算平台上的部分应用服务的配置信息；The second security level; the second security level characterizes the configuration information allowed for some application services on the edge computing platform;

第三安全等级；所述第一安全等级表征允许针对所述边缘计算平台上的所有应用服务的配置信息。The third security level: the first security level characterizes the configuration information allowed for all application services on the edge computing platform.

优选地，所述配置信息，包括以下至少之一：Preferably, the configuration information includes at least one of the following:

第一配置策略；所述第一配置策略针对不同应用服务的操作权限；A first configuration strategy; the operation authority of the first configuration strategy for different application services;

第二配置策略；所述第二配置策略针对不同应用服务的路由规则；A second configuration strategy; the second configuration strategy is directed at routing rules for different application services;

第三配置策略；所述第三配置策略针对不同应用服务的域名系统(DNS，Domain Name System)；The third configuration strategy; the third configuration strategy is aimed at the Domain Name System (DNS, Domain Name System) of different application services;

第四配置策略；所述第四配置策略针对不同应用服务的生命周期。A fourth configuration strategy; the fourth configuration strategy is aimed at the life cycles of different application services.

本申请实施例提供了一种通信方法，应用于第二设备，包括：An embodiment of the present application provides a communication method applied to a second device, including:

向第一设备发送第二管理请求；所述第二管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。Sending a second management request to the first device; the second management request is used to request configuration of a security policy for the application service on the edge computing platform; the security policy is used to provide security management for the application service on the edge computing platform Function.

优选地，所述方法还包括：Preferably, the method also includes:

接收来自第一设备的更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。An update result from the first device is received; the update result at least represents whether the security policy on the first device is updated.

所述第二安全策略的优先级和所述第一设备保存的安全策略所对应的初始优先级，用于由第一设备确定是否更新所述安全策略。The priority of the second security policy and the initial priority corresponding to the security policy saved by the first device are used by the first device to determine whether to update the security policy.

第三安全等级；所述第一安全等级表征允许针对所述边缘计算平台上的所有应用服务的配置信息。The third security level; the first security level characterizes the configuration information allowed for all application services on the edge computing platform.

第三配置策略；所述第三配置策略针对不同应用服务的域名系统；A third configuration strategy; the third configuration strategy is aimed at domain name systems of different application services;

本申请实施例提供了一种通信方法，应用于边缘计算平台，包括：An embodiment of the present application provides a communication method applied to an edge computing platform, including:

向第一设备发送第三管理请求；所述第三管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。Sending a third management request to the first device; the third management request is used to request configuration of a security policy for the application service on the edge computing platform; the security policy is used to provide security management for the application service on the edge computing platform Function.

所述第三安全策略的优先级和所述第一设备保存的安全策略所对应的初始优先级，用于由第一设备确定是否更新所述安全策略。The priority of the third security policy and the initial priority corresponding to the security policy saved by the first device are used by the first device to determine whether to update the security policy.

优选地，所述方法还包括：Preferably, the method also includes:

接收来自所述第一设备的更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。An update result from the first device is received; the update result at least indicates whether the security policy on the first device is updated.

本申请实施例提供了一种通信装置，设置在第一设备上，包括：An embodiment of the present application provides a communication device, which is set on the first device, including:

第一处理单元，配置为确定管理请求；所述管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；The first processing unit is configured to determine a management request; the management request is used to request configuration of a security policy for application services on the edge computing platform;

优选地，所述第一处理单元，配置为确定针对第一设备的第一操作；Preferably, the first processing unit is configured to determine a first operation for the first device;

优选地，所述装置还包括：第一通信单元，配置为接收来自第二设备的第二管理请求；所述第二管理请求，包括：第二安全策略。Preferably, the apparatus further includes: a first communication unit configured to receive a second management request from the second device; the second management request includes: a second security policy.

所述第一处理单元，配置为根据第二安全策略的优先级和所述第一设备保存的安全策略所对应的初始优先级，确定是否更新所述第一设备保存的安全策略。The first processing unit is configured to determine whether to update the security policy stored by the first device according to the priority of the second security policy and the initial priority corresponding to the security policy stored by the first device.

优选地，所述第一通信单元，配置为接收来自边缘计算平台的第三管理请求；所述第三管理请求包括第三安全策略。Preferably, the first communication unit is configured to receive a third management request from the edge computing platform; the third management request includes a third security policy.

所述第一处理单元，配置为根据第三安全策略的优先级和所述第一设备保存的安全策略所对应的初始优先级，确定是否更新所述第一设备保存的安全策略。The first processing unit is configured to determine whether to update the security policy saved by the first device according to the priority of the third security policy and the initial priority corresponding to the security policy saved by the first device.

优选地，所述第一通信单元，还配置为向第二设备发送所述更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。Preferably, the first communication unit is further configured to send the update result to the second device; the update result at least indicates whether the security policy on the first device is updated.

优选地，所述第一通信单元，还配置为向所述边缘计算平台发送更新结果；所述更新结果至少表征是否更新所述安全策略。Preferably, the first communication unit is further configured to send an update result to the edge computing platform; the update result at least indicates whether the security policy is updated.

第三配置策略；所述第三配置策略针对不同应用服务的域名系统DNS；The third configuration strategy; the third configuration strategy is aimed at Domain Name System DNS of different application services;

本申请实施例提供了一种通信装置，设置在第二设备上，包括：An embodiment of the present application provides a communication device, which is set on the second device, including:

第二通信单元，配置为向第一设备发送第二管理请求；所述第二管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。The second communication unit is configured to send a second management request to the first device; the second management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to configure the edge computing platform The application service on the server provides security management functions.

优选地，所述第二通信单元，还配置为接收来自第一设备的更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。Preferably, the second communication unit is further configured to receive an update result from the first device; the update result at least indicates whether to update the security policy on the first device.

本申请实施例提供了一种通信装置，设置在边缘计算平台上，包括：An embodiment of the present application provides a communication device, which is set on an edge computing platform, including:

第三通信单元，配置为向第一设备发送第三管理请求；所述第三管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。The third communication unit is configured to send a third management request to the first device; the third management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to configure the edge computing platform The application service on the server provides security management functions.

优选地，所述第三通信单元，还配置为接收来自所述第一设备的更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。Preferably, the third communication unit is further configured to receive an update result from the first device; the update result at least indicates whether to update the security policy on the first device.

本申请实施例提供了一种第一设备，包括：第一处理器和第一通信接口；其中，An embodiment of the present application provides a first device, including: a first processor and a first communication interface; wherein,

所述第一处理器，配置为确定管理请求；所述管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；The first processor is configured to determine a management request; the management request is used to request configuration of a security policy for application services on the edge computing platform;

本申请实施例提供了一种第二设备，包括：第二处理器和第二通信接口；其中，An embodiment of the present application provides a second device, including: a second processor and a second communication interface; wherein,

所述第二通信接口，配置为向第一设备发送第二管理请求；所述第二管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。The second communication interface is configured to send a second management request to the first device; the second management request is used to request configuration of a security policy for application services on the edge computing platform; Application services on the computing platform provide security management functions.

本申请实施例提供了一种边缘计算平台，包括：第三处理器和第三通信接口；其中，An embodiment of the present application provides an edge computing platform, including: a third processor and a third communication interface; wherein,

所述第三通信接口，配置为向第一设备发送第三管理请求；所述第三管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。The third communication interface is configured to send a third management request to the first device; the third management request is used to request configuration of a security policy for application services on the edge computing platform; Application services on the computing platform provide security management functions.

本申请实施例提供了一种网络设备，包括：处理器及和配置为存储能够在处理器上运行的计算机程序的存储器，An embodiment of the present application provides a network device, including: a processor and a memory configured to store a computer program that can run on the processor,

其中，所述处理器配置为运行所述计算机程序时，执行以上第一设备侧任一项所述方法的步骤；或者，Wherein, the processor is configured to execute the steps of any one of the methods on the first device side above when running the computer program; or,

所述处理器配置为运行所述计算机程序时，执行以上第二设备侧任一项所述方法的步骤；或者，The processor is configured to execute the steps of any one of the methods described above on the second device side when running the computer program; or,

所述处理器配置为运行所述计算机程序时，执行以上第三设备侧任一项所述方法的步骤。The processor is configured to, when running the computer program, execute the steps of any one of the methods described above on the third device side.

本申请实施例提供了一种存储介质，其上存储有计算机程序，所述计算机程序被处理器执行时实现以上第一设备侧任一项所述方法的步骤；或者，An embodiment of the present application provides a storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of any one of the methods described above on the first device side are implemented; or,

所述计算机程序被处理器执行时实现以上第二设备侧任一项所述方法的步骤；或者，When the computer program is executed by the processor, the steps of any one of the methods described above on the second device side are implemented; or,

所述计算机程序被处理器执行时实现以上第三设备侧任一项所述方法的步骤。When the computer program is executed by the processor, the steps of any one of the methods described above on the third device side are implemented.

本申请实施例提供的通信系统、方法、装置、第一设备、第二设备及存储介质，方法包括：第一设备确定管理请求；所述管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；根据所述管理请求，确定安全策略；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。本申请实施例的方案，实现对于第一设备上的安全策略的配置，以使第一设备可以基于安全策略对边缘计算平台上的应用服务提供安全管理功能；如此，能够提高第一设备针对边缘计算平台的配置数据的安全管控能力。The communication system, method, device, first device, second device, and storage medium provided in the embodiments of the present application, the method includes: the first device determines a management request; the management request is used to request an application service on an edge computing platform Configure the security policy; determine the security policy according to the management request; the security policy is used to provide security management functions for the application services on the edge computing platform. The solution of the embodiment of this application implements the configuration of the security policy on the first device, so that the first device can provide security management functions for the application services on the edge computing platform based on the security policy; The security management and control capability of the configuration data of the computing platform.

Description of drawings

图1为相关技术中MEC的系统结构示意图；FIG. 1 is a schematic diagram of a system structure of an MEC in the related art;

图2为相关技术中MEC的主机层与系统层的结构示意图；FIG. 2 is a schematic structural diagram of a host layer and a system layer of an MEC in the related art;

图3为本申请实施例5G行业云网融合的系统结构示意图；FIG. 3 is a schematic structural diagram of a system for 5G industry cloud-network integration according to an embodiment of the present application;

图4为本申请应用实施例通信系统的结构示意图；FIG. 4 is a schematic structural diagram of a communication system of an application embodiment of the present application;

图5为本申请实施例一种通信方法的流程示意图；FIG. 5 is a schematic flowchart of a communication method according to an embodiment of the present application;

图6为本申请实施例另一种通信方法的流程示意图；FIG. 6 is a schematic flowchart of another communication method according to an embodiment of the present application;

图7为本申请实施例再一种通信方法的流程示意图；FIG. 7 is a schematic flowchart of another communication method according to an embodiment of the present application;

图8为本申请应用实施例一种通信方法的流程示意图；FIG. 8 is a schematic flowchart of a communication method in an application embodiment of the present application;

图9为本申请应用实施例另一种通信方法的流程示意图；FIG. 9 is a schematic flowchart of another communication method in an application embodiment of the present application;

图10为本申请实施例一种权限授权方式的示意图；FIG. 10 is a schematic diagram of a permission authorization method according to an embodiment of the present application;

图11为本申请实施例一种通信装置的结构示意图；FIG. 11 is a schematic structural diagram of a communication device according to an embodiment of the present application;

图12为本申请实施例另一种通信装置的结构示意图；FIG. 12 is a schematic structural diagram of another communication device according to an embodiment of the present application;

图13为本申请实施例再一种通信装置的结构示意图；FIG. 13 is a schematic structural diagram of another communication device according to an embodiment of the present application;

图14为本申请实施例第一设备的结构示意图；Fig. 14 is a schematic structural diagram of the first device of the embodiment of the present application;

图15为本申请实施例第二设备的结构示意图；Fig. 15 is a schematic structural diagram of the second device of the embodiment of the present application;

图16为本申请实施例第三设备的结构示意图。FIG. 16 is a schematic structural diagram of a third device according to an embodiment of the present application.

detailed description

下面结合附图及实施例对本申请再作进一步详细的描述。The application will be further described in detail below in conjunction with the accompanying drawings and embodiments.

相关技术中，MEC作为欧洲电信标准化协会(ETSI，European Telecommunications Standards Institute)主导的多接入边缘计算平台标准，从最初的移动边缘计算平台演进到基于虚拟网络功能(VNF，Virtual Network Feature)的多接入边缘计算平台，通过将MEC应用、平台、资源虚拟化和服务化的方式提供更高效的业务运行服务，以满足不同业务在处理能力上的差异化需求，ETSI标准组织定义了图1所示的MEC系统框架。In related technologies, MEC is a multi-access edge computing platform standard led by the European Telecommunications Standards Institute (ETSI, European Telecommunications Standards Institute). Connect to the edge computing platform, and provide more efficient business operation services by virtualizing and serving MEC applications, platforms, and resources to meet the differentiated needs of different businesses in terms of processing capabilities. The ETSI standard organization defines the The framework of the MEC system shown.

MEC系统，主要包括：MEC系统层(MEC system-level)、MEC主机层(MEC host level)、网络层(Networks)。其中，The MEC system mainly includes: MEC system-level (MEC system-level), MEC host level (MEC host level), and network layer (Networks). in,

MEC系统层负责整个MEC资源的分配、收回与协调工作，以满足不同业务对计算和传输资源的需求。MEC系统层管理支持MEC系统级管理功能和主机级管理功能。MEC系统级管理功能包含用户应用生命周期管理代理、运营支持系统和MEC编排器，MEC主机级管理功能可以包括MEC平台管理器和虚拟化基础设施管理器。通过MEC管理层管理为终端和第三方客户(如商业企业)提供的MEC服务。The MEC system layer is responsible for the allocation, recovery and coordination of the entire MEC resources to meet the needs of different services for computing and transmission resources. MEC system-level management supports MEC system-level management functions and host-level management functions. MEC system-level management functions include user application lifecycle management agents, operation support systems, and MEC orchestrators. MEC host-level management functions can include MEC platform managers and virtualized infrastructure managers. MEC services provided to terminals and third-party customers (such as commercial enterprises) are managed through the MEC management layer.

MEC主机层用于为MEC应用、MEC平台等提供必要的计算、存储及传输功能。The MEC host layer is used to provide necessary computing, storage and transmission functions for MEC applications and MEC platforms.

网络层用于为上层的应用提供不同的网络选择(如3GPP无线网络、非3GPP无线网络、有线网络)，并根据上层的信令动态调整路由策略，以满足不同业务在网络上的传输需求。The network layer is used to provide different network options (such as 3GPP wireless network, non-3GPP wireless network, and wired network) for upper-layer applications, and dynamically adjust routing strategies according to upper-layer signaling to meet the transmission requirements of different services on the network.

其中，如图2所示，MEC主机(MEC host)包括：MEC平台和虚拟基础设施(计算、存储、网络)。虚拟设施包含数据面，用于执行从MEC平台接收到的路由规则，在应用(也称MEC app、MEC应用或MEP应用)、服务(也称MEC服务或MEP服务)、DNS服务/代理、3GPP网络、其他接入网、本地网络和外部网络之间进行流量的转发。其中，MEP使能所述应用来提供和调用所述服务，MEP本身也可以提供服务。具体地，所述应用运行在虚拟机或容器上，可以对外提供丰富多样的服务(如：位置、无线网络信息、流量管理)，所述应用也可以使用其他应用提供的服务，例如：应用A提供的位置、流量管理等服务可以被应用B和应用C使用。所述服务可以由MEP或某一个应用提供，当某个服务由所述应用提供时，该服务可以注册到MEP的服务列表中。Among them, as shown in Figure 2, the MEC host (MEC host) includes: MEC platform and virtual infrastructure (computing, storage, network). The virtual facility includes the data plane, which is used to execute the routing rules received from the MEC platform, in the application (also called MEC app, MEC application or MEP application), service (also called MEC service or MEP service), DNS service/proxy, 3GPP Forward traffic between the network, other access networks, local networks, and external networks. Wherein, the MEP enables the application to provide and invoke the service, and the MEP itself can also provide the service. Specifically, the application runs on a virtual machine or a container, and can provide a variety of services (such as: location, wireless network information, traffic management), and the application can also use services provided by other applications, for example: Application A The provided services such as location and traffic management can be used by application B and application C. The service may be provided by the MEP or a certain application. When a certain service is provided by the application, the service may be registered in the service list of the MEP.

MEC平台(MEP，MEC platform)，支持的功能包括：MEC platform (MEP, MEC platform), supported functions include:

1)、提供MEC应用能够发现、通知、使用和提供MEC服务的环境，包括其他平台提供的MEC服务(可选)。1) Provide an environment where MEC applications can discover, notify, use and provide MEC services, including MEC services provided by other platforms (optional).

2)、从MEC平台管理、应用或服务接收路由规则，控制数据面流量。2) Receive routing rules from MEC platform management, applications or services to control data plane traffic.

3)、从MEC平台管理接收DNS记录，配置DNS代理/服务器；3) Manage and receive DNS records from the MEC platform, and configure DNS proxy/server;

4)、托管MEC服务；4) Managed MEC services;

5)、提供到永久性存储和当日时间信息的接入；5) Provide access to permanent storage and time of day information;

MEC编排器(MEO，MEC orchestrator)又称MEC应用编排器(MEAO，MEC application orchestrator)，是MEC系统层管理的核心，支持的功能包括：MEC orchestrator (MEO, MEC orchestrator), also known as MEC application orchestrator (MEAO, MEC application orchestrator), is the core of MEC system layer management. The supported functions include:

1)维护MEC系统的整体视图(即整体部署)；比如MEC的主机部署、MEC的可用资源分配、可用的MEC服务的调用、系统拓扑等；1) Maintain the overall view of the MEC system (that is, the overall deployment); such as MEC host deployment, MEC available resource allocation, available MEC service calls, system topology, etc.;

2)管理MEC应用包的上线，包括：检查应用包的完整性和真实性；确认应用规则和需求，并判断是否需要调整应用规则和需求，若需要调整，则调整应用规则和需求以与运营商的策略相符；保存应用包的上线记录，以及为处理该应用准备虚拟基础设施管理器；2) Manage the launch of the MEC application package, including: checking the integrity and authenticity of the application package; confirming the application rules and requirements, and judging whether the application rules and requirements need to be adjusted; conform to the vendor's policy; keep a record of the application package's rollout, and prepare the virtual infrastructure manager for handling the application;

3)基于约束(比如时延、可用资源、可用服务等)为应用的初始化选择合适的MEC主机；3) Select an appropriate MEC host for application initialization based on constraints (such as delay, available resources, available services, etc.);

4)触发应用的启动和结束；4) Trigger the start and end of the application;

5)触发应用的按需迁移。5) Trigger on-demand migration of applications.

MEC平台管理(MEPM，MEC platform manager)，支持的功能包括：MEC platform management (MEPM, MEC platform manager), supported functions include:

1)、MEC应用的生命周期管理(LCM，Life Cycle Management)，如：通知MEAO相关应用的事件；1), MEC application life cycle management (LCM, Life Cycle Management), such as: notify MEAO of related application events;

2)、提供MEC平台(MEP，MEC Platform)的元素管理(Element mgmt)功能，包括虚拟网络功能(VNF，Virtualised Network Function)元素管理和网络服务(NS，Network Service)元素管理，其中NS信息元素包括物理网络功能(PNF，Physical Network Function)信息元素、虚拟链路信息元素、VNF转发图(VNF Forwarding Graph)信息元素；2) Provide the element management (Element mgmt) function of the MEC platform (MEP, MEC Platform), including virtual network function (VNF, Virtualized Network Function) element management and network service (NS, Network Service) element management, where the NS information element Including physical network function (PNF, Physical Network Function) information element, virtual link information element, VNF forwarding graph (VNF Forwarding Graph) information element;

3)、MEC应用的规则和需求的管理(MEC app rules & reqts mgmt)，比如：服务授权、路由规则、域名系统(DNS)配置和冲突处理；3), MEC application rules and requirements management (MEC app rules & reqts mgmt), such as: service authorization, routing rules, Domain Name System (DNS) configuration and conflict handling;

4)、从虚拟基础设施管理(VIM，Virtualisation Infrastructure Manager) 接收虚拟资源的错误报告和性能测量数据。VIM主要功能包括：分配、管理、释放虚拟化基础设施的虚拟化资源，接收和存储软件镜像，收集、上报虚拟化资源的性能和故障信息。4) Receive error reports and performance measurement data of virtual resources from a virtualization infrastructure manager (VIM, Virtualization Infrastructure Manager). The main functions of VIM include: allocating, managing, and releasing virtualized resources of virtualized infrastructure, receiving and storing software images, collecting and reporting performance and fault information of virtualized resources.

从MEC各模块的功能描述可以看出，MEC应用的规则(包括路由规则、DNS配置、业务规则等)由MEPM管理、MEP接收，并最终在MEC主机的用户面执行。From the functional description of each module of MEC, it can be seen that the rules applied by MEC (including routing rules, DNS configuration, business rules, etc.) are managed by MEPM, received by MEP, and finally executed on the user plane of the MEC host.

图2中的Mx1、Mx2、Mp1、Mp2、Mp3、Mm1、Mm2……Mm9等表示各设备或模块之间可以调用接口和/或采用相应的通信协议进行通信。Mx1 , Mx2 , Mp1 , Mp2 , Mp3 , Mm1 , Mm2 . . . Mm9 in FIG. 2 indicate that various devices or modules can call interfaces and/or use corresponding communication protocols for communication.

实际应用中，垂直行业的终端接入技术类型繁多，第三方网络除5G外，还有非5G网络(比如4G、WiFi、Bluetooth、Zigbee、NB-IoT、SPN、红外网络、专线网络、Wireline等)，这些终端的数据可能会通过不同的网络传输到MEP。为保障MEP的网络与数据安全，实现泛在网络接入与控制功能，在一种5G行业云网融合的系统架构中引入了行业网关(iGW，industry GateWay)，该5G行业云网融合架构如图3所示。In practical applications, there are many types of terminal access technologies in vertical industries. In addition to 5G, third-party networks also have non-5G networks (such as 4G, WiFi, Bluetooth, Zigbee, NB-IoT, SPN, infrared network, dedicated line network, Wireline, etc.) ), the data of these terminals may be transmitted to the MEP through different networks. In order to ensure the network and data security of MEP and realize ubiquitous network access and control functions, an industry gateway (iGW, industry GateWay) is introduced into a 5G industry cloud-network integration system architecture. The 5G industry cloud-network integration architecture is as follows: Figure 3 shows.

MEC平台管理(MEPM)一般设置在行业网关上面，MEP上的数据可以通过行业网关直接接入到外部网络、即第三方网络，现有的ETSI协议对数据安全的保护并不到位，无法适应越来越多的数据安全和隐私保护的管理要求。MEC platform management (MEPM) is generally set on the industry gateway. The data on the MEP can be directly connected to the external network, that is, the third-party network through the industry gateway. The existing ETSI protocol does not protect data security in place and cannot adapt to the increasingly There are more and more management requirements for data security and privacy protection.

在一些医疗、教育、金融等数据敏感的典型应用场景，出于对保护用户隐私和商业机密的考虑，MEP上提供的一些应用和可用资源(硬件资源、网络资源等)是不能被远端(外部)的MEPM进行管理和配置的，MEPM向MEP发送的管理配置信息(或管理配置数据)必须受到严格的安全控制。基于此，本申请实施例中，提出了在现有系统架构上引入一个本地MEPM(L-MEPM)，用于对MEP提供的应用进行本地管理配置，如图4所示，其中，In some typical application scenarios with sensitive data such as medical care, education, and finance, some applications and available resources (hardware resources, network resources, etc.) External) MEPM for management and configuration, the management configuration information (or management configuration data) sent by MEPM to MEP must be subject to strict security control. Based on this, in the embodiment of the present application, it is proposed to introduce a local MEPM (L-MEPM) on the existing system architecture for local management and configuration of the applications provided by the MEP, as shown in Figure 4, wherein,

L-MEPM接收来自MEPM的第一信息，基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能；所述第一信息，用于针对所述边缘计算平台上的应用进行配置；The L-MEPM receives the first information from the MEPM, and provides security management functions for applications on the edge computing platform based on the first information and security policies; the first information is used to perform security management on the applications on the edge computing platform configuration;

MEPM可以接收来自MEAO的第二信息，根据所述第二信息向第一设备发送所述第一信息；所述第二信息，用于编排边缘计算平台上的应用。The MEPM may receive the second information from the MEAO, and send the first information to the first device according to the second information; the second information is used to arrange applications on the edge computing platform.

所述边缘计算平台可以称为MEP。所述编排边缘计算平台上的应用可以理解为：通过对每个应用的应用程序和/或可用资源进行编排实现。The edge computing platform may be called MEP. The orchestration of applications on the edge computing platform can be understood as: implementing by orchestrating the application programs and/or available resources of each application.

图4所示的系统架构需要提供一种有效的管理安全策略的方法，以确保对MEP侧的管理配置数据的安全保护。The system architecture shown in FIG. 4 needs to provide an effective method for managing security policies, so as to ensure the security protection of the management configuration data on the MEP side.

基于此，在本申请的各种实施例中，第一设备确定管理请求；所述管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；根据所述管理请求，确定安全策略；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。Based on this, in various embodiments of the present application, the first device determines a management request; the management request is used to request configuration of a security policy for application services on the edge computing platform; according to the management request, the security policy is determined ; The security policy is used to provide security management functions for application services on the edge computing platform.

本申请实施例提供一种通信方法，应用于第一设备，如图5所示，所述方法包括：An embodiment of the present application provides a communication method applied to a first device, as shown in FIG. 5 , the method includes:

步骤501、确定管理请求；所述管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；Step 501. Determine a management request; the management request is used to request configuration of security policies for application services on the edge computing platform;

步骤502、根据所述管理请求，确定安全策略；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。Step 502: Determine a security policy according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.

实际应用时，在边缘计算平台侧设置第一设备，所述第一设备可以与第二设备通信。In practical application, a first device is set on the side of the edge computing platform, and the first device can communicate with the second device.

实际应用时，所述第一设备可以为本地设置的MEPM，可以理解为使用方设置一个本地MEPM，可以对MEP提供的应用进行本地管理配置。第一设备既可以单独进行本地部署，也可以集成到MEP。本申请实施例对所述第一设备的名称不作限定，只要能实现所述第一设备的功能即可。In actual application, the first device may be a locally set MEPM, which can be understood as the user sets up a local MEPM, and can perform local management and configuration on applications provided by the MEP. The first device can be deployed locally or integrated into the MEP. The embodiment of the present application does not limit the name of the first device, as long as the function of the first device can be realized.

实际应用时，所述第二设备可以为MEPM，本申请实施例对所述第二设备的名称不作限定，只要能实现所述第二设备的功能即可。In practical applications, the second device may be an MEPM, and the embodiment of the present application does not limit the name of the second device, as long as the functions of the second device can be realized.

实际应用时，所述边缘计算平台可以称为MEP。In practical application, the edge computing platform may be called MEP.

实际应用时，所述安全策略可以由本地管理员通过第一设备、即本地MEPM提供的人机交互界面直接进行配置。In actual application, the security policy can be directly configured by the local administrator through the human-computer interaction interface provided by the first device, that is, the local MEPM.

基于此，在一实施例中，所述确定管理请求，包括：Based on this, in an embodiment, the determining the management request includes:

这里，本地管理员通过本地MEPM的人机交互界面进行第一操作，第一设备确定针对第一设备的第一操作，基于第一操作确定管理请求，即所述第一管理请求；基于所述第一管理请求可以确定出相应的安全策略，记做所述第一安全策略。Here, the local administrator performs the first operation through the human-computer interaction interface of the local MEPM, the first device determines the first operation for the first device, and determines the management request based on the first operation, that is, the first management request; based on the The first management request may determine a corresponding security policy, which is referred to as the first security policy.

实际应用时，所述安全策略可以由远程管理员通过第二设备、即MEPM提供的人机交互界面直接进行远程配置。In actual application, the security policy can be directly configured remotely by the remote administrator through the man-machine interaction interface provided by the second device, namely MEPM.

这里，远程管理员通过MEPM的人机交互界面进行第二操作，第二设备确定针对第二设备的第二操作，基于第二操作确定管理请求，即所述第二管理请求；第二设备向第一设备发送第二管理请求；所述第一设备接收所述第二管理请求，基于第二管理请求可以确定第二安全策略。Here, the remote administrator performs the second operation through the human-computer interaction interface of MEPM, the second device determines the second operation for the second device, and determines the management request based on the second operation, that is, the second management request; the second device sends The first device sends a second management request; the first device receives the second management request, and the second security policy may be determined based on the second management request.

实际应用时，为了提高安全策略配置的安全性，提出安全策略的优先级，基于优先级确定是否可以基于相应的管理请求进行安全策略的配置或更新。In practical application, in order to improve the security of security policy configuration, the priority of security policy is proposed, and based on the priority, it is determined whether the security policy can be configured or updated based on the corresponding management request.

基于此，在一实施例中，所述第二管理请求，还包括：第二安全策略的优先级；所述第一设备保存的安全策略对应有初始优先级；Based on this, in an embodiment, the second management request further includes: the priority of the second security policy; the security policy saved by the first device corresponds to the initial priority;

相应的，所述方法还包括：Correspondingly, the method also includes:

实际应用时，所述安全策略可以通过边缘计算平台上报的请求进行配置。In actual application, the security policy may be configured through a request reported by the edge computing platform.

基于此，在一实施例中，所述第三管理请求，还包括：第三安全策略的优先级；所述第一设备保存的安全策略对应有初始优先级；Based on this, in an embodiment, the third management request further includes: the priority of the third security policy; the security policy saved by the first device corresponds to an initial priority;

所述方法还包括：The method also includes:

举例来说，第一安全策略也可对应有优先级，第一安全策略的优先级、第二安全策略的优先级、第三安全策略的优先级，可以由不同的操作人员设定，如第一设备侧的本地管理员、第二设备侧的远程管理员、第三设备侧的操作人员等分别对应设定；在第一设备同时接收到第一管理请求、第二管理请求、第三管理请求中的两个或三个时，通过比较优先级，确定最高优先级的安全策略，如上述第一安全策略，则根据第一安全策略更新第一设备保存的安全策略。For example, the first security policy can also have a corresponding priority. The priority of the first security policy, the priority of the second security policy, and the priority of the third security policy can be set by different operators, such as the first The local administrator on the first device side, the remote administrator on the second device side, and the operator on the third device side are set accordingly; the first device receives the first management request, the second management request, and the third management request at the same time. When two or three of the requests are requested, the security policy with the highest priority is determined by comparing the priorities, such as the above-mentioned first security policy, and the security policy saved by the first device is updated according to the first security policy.

第一安全策略的优先级、第二安全策略的优先级、第三安全策略的优先级，也可以基于其对应的设备确定，例如，设定第一设备的优先级为1，第二设备的优先级为2，边缘计算平台的优先级为3，则相应的，第一安全策略也可以具有优先级、优先级为1，第二安全策略的优先级为2，第三安全策略的优先级为3；在第一设备同时接收到第一管理请求、第二管理请求、第三管理请求中的两个或三个时，通过比较优先级，确定最高优先级的安全策略，如上述第一安全策略，则根据第一安全策略更新第一设备保存的安全策略。The priority of the first security policy, the priority of the second security policy, and the priority of the third security policy can also be determined based on their corresponding devices, for example, set the priority of the first device to 1, and the priority of the second device The priority is 2, and the priority of the edge computing platform is 3. Correspondingly, the first security policy can also have a priority of 1, the priority of the second security policy is 2, and the priority of the third security policy is 3; when the first device receives two or three of the first management request, the second management request, and the third management request at the same time, by comparing the priorities, determine the security policy with the highest priority, as described in the first security policy, update the security policy stored in the first device according to the first security policy.

考虑到实际应用时，可能存在不同操作人员设定的优先权相同的场景，如第一设备侧的本地管理员、第二设备侧的远程管理员、第三设备侧的操作人员对于第一安全策略、第二安全策略、第三安全策略分别设定的优先级相同；考虑到该情况，可以结合上述操作人员设定优先级和基于对应设备确定优先级的方案，即针对每个安全策略设定两个优先级，其中一个是由操作人员(本地管理员、远程管理员等)设定，另一个是根据不同设备(第一设备、第二设备、第三设备)设定；在第一设备同时接收到第一管理请求、第二管理请求、第三管理请求中的两个或三个，且比较发现由操作人员设定的优先级相同时，进一步比较根据不同设备设定的优先级，以该优先级为准。例如：第一安全策略对应的两个优先级为2(本地管理员设定)、1(基于第一设备确定)，第二安全策略对应的两个优先级为2(远程管理员设定)、2(基于第二设备确定)，比较发现由操作人员设定的优先级均为2，进一步比较基于设备确定的优先级，比较确定第一安全策略的优先级更高，则根据第一安全策略更新第一设备保存的安全策略。When considering practical applications, there may be scenarios where different operators set the same priority, such as the local administrator on the first device side, the remote administrator on the second device side, and the operator on the third device side for the first security policy, the second security policy, and the third security policy have the same priority respectively; considering this situation, the above scheme of setting priority by the operator and determining the priority based on the corresponding equipment can be combined, that is, for each security policy setting Set two priorities, one of which is set by the operator (local administrator, remote administrator, etc.), and the other is set according to different devices (first device, second device, third device); in the first When the device receives two or three of the first management request, the second management request, and the third management request at the same time, and compares and finds that the priorities set by the operator are the same, further compare the priorities set by different devices , whichever takes precedence. For example: the two priorities corresponding to the first security policy are 2 (set by the local administrator) and 1 (determined based on the first device), and the two priorities corresponding to the second security policy are 2 (set by the remote administrator) , 2 (determined based on the second device), it is found that the priorities set by the operator are all 2, further comparison is made based on the priorities determined by the device, and it is determined that the priority of the first security policy is higher, then according to the first security policy The policy updates the security policy saved by the first device.

对于第二设备侧的远程管理员，还可能存在多个远程管理员的情况，则针对每个远程管理员还可以分配不同的权限；对于第一设备侧的本地管理员，也可能存在多个本地管理员的情况，则针对每个本地管理员还可以分配不同的权限。也就是说，可以综合考虑第一设备侧的各个本地管理员、第二设备侧的各个远程管理员、边缘计算平台，分配不同的权限(对应不同的优先级)，以上仅仅基于设备配置优先级仅仅是一种示例，不做限定，实际应用时应结合实际需求进行相应配置。For the remote administrator on the second device side, there may be multiple remote administrators, and different permissions can be assigned to each remote administrator; for the local administrator on the first device side, there may also be multiple remote administrators. In the case of local administrators, different permissions can be assigned to each local administrator. That is to say, various local administrators on the first device side, remote administrators on the second device side, and edge computing platforms can be considered comprehensively, and different permissions (corresponding to different priorities) can be assigned. The above is only based on device configuration priorities. It is just an example and does not make a limitation. In actual application, it should be configured according to actual needs.

以上仅仅是给出的几种优先权设定和具体应用示例，实际应用时可以基于需求设定优先权，不做限定。The above are just several priority setting and specific application examples given, and the priority can be set based on requirements in actual application, without limitation.

实际应用时，第一设备可以将安全策略的更新结果通知第二设备。In actual application, the first device may notify the second device of an update result of the security policy.

基于此，在一实施例中，所述方法还包括：Based on this, in an embodiment, the method further includes:

实际应用时，第一设备可以将安全策略的更新结果通知边缘计算平台，尤其是在基于第三管理请求更新安全策略的情况下，通知更新结果。In actual application, the first device may notify the edge computing platform of the update result of the security policy, especially in the case of updating the security policy based on the third management request, notify the update result.

在一实施例中，所述安全策略，包括：针对至少一个应用服务中每个应用服务的安全等级；In an embodiment, the security policy includes: a security level for each application service in at least one application service;

在一实施例中，所述安全策略，包括以下至少之一：In one embodiment, the security policy includes at least one of the following:

在一实施例中，所述配置信息，包括以下至少之一：In an embodiment, the configuration information includes at least one of the following:

第三配置策略；所述第三配置策略针对不同应用服务的域名系统(DNS)；The third configuration strategy; the third configuration strategy is aimed at Domain Name System (DNS) of different application services;

本申请实施例提供一种通信方法，应用于第二设备，如图6所示，所述方法包括：An embodiment of the present application provides a communication method applied to a second device, as shown in FIG. 6, the method includes:

步骤601、向第一设备发送第二管理请求；所述第二管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。Step 601: Send a second management request to the first device; the second management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to serve applications on the edge computing platform Provides security management functions.

实际应用时，为了提高安全策略配置的安全性，提出安全策略的优先级，由第一设备基于优先级确定是否可以基于相应的管理请求进行安全策略的配置或更新。In actual application, in order to improve the security of security policy configuration, the priority of the security policy is proposed, and the first device determines whether the security policy can be configured or updated based on the corresponding management request based on the priority.

在一实施例中，所述安全策略，包括：针对至少一个应用服务中每个应用服务的安全等级；In one embodiment, the security policy includes: a security level for each application service in at least one application service;

本申请实施例提供一种通信方法，应用于边缘计算平台，如图7所示，所述方法包括：An embodiment of the present application provides a communication method applied to an edge computing platform, as shown in FIG. 7 , the method includes:

步骤701、向第一设备发送第三管理请求；所述第三管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。Step 701: Send a third management request to the first device; the third management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to serve applications on the edge computing platform Provides security management functions.

下面结合应用实施例对本申请再作进一步详细的描述。The present application will be further described in detail below in conjunction with application examples.

在本应用实施例中，所述第一设备称为本地MEPM(L-MEPM，Local MEPM)；所述第二设备为MEPM；所述边缘计算平台称为MEP。In this application embodiment, the first device is called a local MEPM (L-MEPM, Local MEPM); the second device is a MEPM; and the edge computing platform is called an MEP.

提出三种管理L-MEPM上的安全策略的方式：Three ways of managing security policies on L-MEPM are proposed:

1)、本地管理员直接在L-MEPM上进行操作配置；相应于上述通过第一管理请求进行配置；1), the local administrator directly performs operation configuration on the L-MEPM; corresponding to the above configuration through the first management request;

2)、远程管理员通过MEPM远程管理请求进行配置；相应于上述通过第二管理请求进行配置；2), the remote administrator configures through the MEPM remote management request; corresponding to the above configuration through the second management request;

3)、通过MEP上报的本地请求进行配置；相应于上述通过第三管理请求进行配置。3) Configuration is performed through a local request reported by the MEP; corresponding to the above configuration through a third management request.

考虑到L-MEPM上有MEP上各个应用的默认安全策略，如果几个方法同时操作，可能存在冲突或安全性问题，提出了根据安全策略的优先级进行配置。Considering that L-MEPM has the default security policy of each application on the MEP, if several methods are operated at the same time, there may be conflicts or security issues, and it is proposed to configure according to the priority of the security policy.

方式2)举例说明，L-MEPM上的安全策略对应保存有：Mode 2) For example, the security policy on the L-MEPM corresponds to save:

被授权的远程操作人：可以用数组等方式进行存储各个远程操作人。Authorized remote operators: Each remote operator can be stored in an array or other ways.

实施例如下：Examples are as follows:

这里，为便于对于多个应用统一进行相同的操作，提出了应用分组，所述应用分组用于管理相同安全等级的多个应用列表。Here, in order to uniformly perform the same operation on multiple applications, an application group is proposed, and the application group is used to manage multiple application lists of the same security level.

在本应用实施例中提供一种通信方法，通过MEPM发送的远程管理请求(相当于上述第二管理请求)进行配置，如图8所示，所述方法包括：In this application embodiment, a communication method is provided, which is configured through a remote management request (equivalent to the above-mentioned second management request) sent by MEPM, as shown in FIG. 8, the method includes:

步骤801、MEPM向L-MEPM发送远程管理请求；Step 801, MEPM sends a remote management request to L-MEPM;

具体来说，远程管理员在运维管理设备上发起安全策略的配置请求，通过MEPM向L-MEPM发起远程管理请求，所述远程管理请求用于请求配置或更新安全策略。Specifically, the remote administrator initiates a security policy configuration request on the operation and maintenance management device, and initiates a remote management request to the L-MEPM through the MEPM, and the remote management request is used to request configuration or update of the security policy.

对于请求信息内容给出一种示例，所述请求信息包含但不限于表1的内容。An example is given for the content of the request information, which includes but is not limited to the content in Table 1.

表1Table 1

这里，对于任务请求类型给出一种示例，如表2所示。Here, an example is given for task request types, as shown in Table 2.

表2Table 2

这里，对于系统中唯一ID给出一种示例，如表3所示。Here, an example is given for the unique ID in the system, as shown in Table 3.

表3table 3

这里，对于安全策略优先级提供一种示例。具体来说，Here, an example is provided for security policy priority. Specifically,

方法1、使用数字(Int或Long)来表示安全策略优先级，数字越小则优先级越高，最高优先级设置为0，从高到低依次为0/1/2/3/4。Method 1. Use a number (Int or Long) to represent the security policy priority. The smaller the number, the higher the priority. The highest priority is set to 0, and the sequence from high to low is 0/1/2/3/4.

方法1：使用JSON字符串表示MEP上应用的安全策略的优先级Method 1: Use a JSON string to indicate the priority of the security policy applied on the MEP

方法2、使用哈希表表示，Key是应用名，value是安全策略的优先级。Method 2. Use a hash table to represent, Key is the application name, and value is the priority of the security policy.

1)、当请求中的安全策略优先级参数小于等于L-MEPM存储的优先级时，更新安全策略；例如：远程管理请求的优先级是1，现有优先级参数是3，则更新安全策略。1), when the security policy priority parameter in the request is less than or equal to the priority stored in L-MEPM, update the security policy; for example: the priority of the remote management request is 1, and the existing priority parameter is 3, then update the security policy .

2)、当请求中的安全策略优先级参数大于L-MEPM存储的优先级时，不更新安全策略；例如：远程管理请求的优先级是1，现有优先级参数是0，则不更新安全策略。2) When the security policy priority parameter in the request is greater than the priority stored in L-MEPM, the security policy will not be updated; for example, if the priority of the remote management request is 1, and the existing priority parameter is 0, the security policy will not be updated. Strategy.

这里，对于安全策略信息给出一种示例，针对MEP上的每个应用可以包括如表4所示的安全策略信息。Here, an example is given for the security policy information, which may include the security policy information shown in Table 4 for each application on the MEP.

表4Table 4

这里，对于所述配置信息给出一种示例，如下表5所示：Here, an example is given for the configuration information, as shown in Table 5 below:

表5table 5

具体来说，当MEP上应用的安全等级设置或更新为“严格”时，禁止MEP上所有应用的管理配置数据操作配置MEP，L-MEPM将主动切断MEPM的管理配置操作。Specifically, when the security level of the application on the MEP is set or updated to "strict", the management configuration data operation of all applications on the MEP is prohibited to configure the MEP, and L-MEPM will actively cut off the management configuration operation of the MEPM.

当MEP上应用的安全等级设置或更新为“普通”时，只有被允许的应用才能被MEPM进行管理配置，使用应用进行区分。When the security level of the application on the MEP is set or updated to "Normal", only allowed applications can be managed and configured by the MEPM, and the application is used to distinguish them.

当MEP上的应用的安全等级设置或更新为“宽松”时，允许应用的所有管理配置数据进行操作。When the security level of the application on the MEP is set or updated to "loose", all management configuration data of the application is allowed to be operated.

步骤802、L-MEPM响应远程管理请求。Step 802, the L-MEPM responds to the remote management request.

具体地，L-MEPM收到针对安全策略的远程管理请求后，根据所述远程管理请求中的“安全策略优先级”进行安全策略判断；Specifically, after the L-MEPM receives the remote management request for the security policy, it judges the security policy according to the "security policy priority" in the remote management request;

如果能够/不能够更新L-MEPM上的针对MEP上的应用的安全策略，L-MEPM向MEPM进行消息回复。If it is possible/unable to update the security policy on the L-MEPM for the application on the MEP, the L-MEPM sends a message reply to the MEPM.

对于回复的消息给出一种示例，所述请求信息包含但不限于表6的内容。An example is given for the reply message, and the request information includes but not limited to the content in Table 6.

表6Table 6

这里，对于L-MEPM向MEPM发送的回复类型和回复说明给出一种示例，如表7所示。Here, an example is given for the reply type and reply description sent by the L-MEPM to the MEPM, as shown in Table 7.

回复类型reply type 回复说明reply instructions 00 成功设置或更新安全策略Successfully set or updated security policy 11 安全策略优先级参数错误Security policy priority parameter error 22 安全策略优先级低于现有应用的优先级，无法更The priority of the security policy is lower than that of the existing application and cannot be changed.

the 新new 33 远程管理员没有获得权限The remote administrator does not have permission

表7Table 7

MEP上应用的安全策略发生变化，也可主动给L-MEPM上报更新后的安全策略，安全策略优先级可以高于L-MEPM现有的安全策略。If the security policy applied on the MEP changes, it can also proactively report the updated security policy to the L-MEPM, and the priority of the security policy can be higher than the existing security policy of the L-MEPM.

在本应用实施例中还提供一种通信方法，通过MEP上报的本地请求(相当于上述第三管理请求)进行配置，如图9所示，所述方法包括：In this application embodiment, a communication method is also provided, which is configured through a local request (equivalent to the above-mentioned third management request) reported by the MEP, as shown in FIG. 9 , the method includes:

步骤901、MEP向L-MEPM发送本地请求；Step 901, MEP sends a local request to L-MEPM;

具体地，当MEP上某个应用的安全策略发生变化，向L-MEPM发送变化的安全策略信息；内容可以如下表8所示：Specifically, when the security policy of an application on the MEP changes, the changed security policy information is sent to the L-MEPM; the content can be shown in Table 8 below:

表8Table 8

步骤902、L-MEPM响应本地请求。Step 902, the L-MEPM responds to the local request.

具体地，L-MEPM收到安全策略的管理请求后进行安全策略判断，当L-MEPM检测到请求消息中的“安全策略优先级”参数小于或等于现有的“安全策略优先级”参数时，则进行安全策略更新。L-MEPM向MEP进行消息回复，回复信息可以包括如下表9所示的信息：Specifically, L-MEPM performs a security policy judgment after receiving a security policy management request. When L-MEPM detects that the "Security Policy Priority" parameter in the request message is less than or equal to the existing "Security Policy Priority" parameter , the security policy is updated. The L-MEPM sends a message reply to the MEP, and the reply information may include the information shown in Table 9 below:

表9Table 9

对于L-MEPM向MEP发送的回复消息和回复说明提供一种示例，如表10所示。An example is provided for the reply message and reply description sent by the L-MEPM to the MEP, as shown in Table 10.

表10Table 10

所述方法还可以包括：The method may also include:

步骤903、向MEPM上报安全管理权限的中止情况；Step 903, reporting the suspension of the security management authority to the MEPM;

在安全策略更新后，可能存在部分应用的安全等级改变，如由“一般”改变为“严格”，则可以向MEPM发送更新结果，可以如表11所示，以告知该应用的安全管理权限中止，即告知MEPM不必向L-MEPM发送配置信息，MEPM将不能对MEP上的这个应用进行管理配置。After the security policy is updated, there may be changes in the security level of some applications. For example, if it is changed from "General" to "Strict", the update result can be sent to MEPM, as shown in Table 11, to inform the suspension of the security management authority of the application. , that is to tell the MEPM not to send configuration information to the L-MEPM, and the MEPM will not be able to manage and configure the application on the MEP.

表11Table 11

步骤904、L-MEPM向MEPM进行中止情况的响应回复；Step 904, L-MEPM responds to MEPM with a suspension situation;

即，L-MEPM告知MEPM已接收并获知自身将不能对MEP上的这个应用进行管理配置。That is, the L-MEPM informs the MEPM that it has received and knows that it will not be able to manage and configure this application on the MEP.

这里，给出响应回复的一种示例，如表12所示。Here, an example of the response reply is given, as shown in Table 12.

表12Table 12

为了实现本申请实施例第一设备侧的方法，本申请实施例还提供了一种通信装置，设置在第一设备上，如图11所示，该装置包括：In order to implement the method on the first device side of the embodiment of the present application, the embodiment of the present application also provides a communication device, which is set on the first device, as shown in FIG. 11 , the device includes:

第一处理单元1102，配置为确定管理请求；所述管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；The first processing unit 1102 is configured to determine a management request; the management request is used to request configuration of a security policy for application services on the edge computing platform;

在一实施例中，所述第一处理单元1102，配置为确定针对第一设备的第一操作；In an embodiment, the first processing unit 1102 is configured to determine a first operation for the first device;

在一实施例中，所述装置还包括：第一通信单元1101，配置为接收来自第二设备的第二管理请求；所述第二管理请求，包括：第二安全策略。In an embodiment, the apparatus further includes: a first communication unit 1101 configured to receive a second management request from the second device; the second management request includes: a second security policy.

其中，所述第二管理请求，还包括：第二安全策略的优先级；所述第一设备保存的安全策略对应有初始优先级；Wherein, the second management request further includes: the priority of the second security policy; the security policy saved by the first device corresponds to the initial priority;

所述第一处理单元1102，配置为根据第二安全策略的优先级和所述第一设备保存的安全策略所对应的初始优先级，确定是否更新所述第一设备保存的安全策略。The first processing unit 1102 is configured to determine whether to update the security policy saved by the first device according to the priority of the second security policy and the initial priority corresponding to the security policy saved by the first device.

在一实施例中，所述第一通信单元1101，配置为接收来自边缘计算平台的第三管理请求；所述第三管理请求包括第三安全策略。In an embodiment, the first communication unit 1101 is configured to receive a third management request from the edge computing platform; the third management request includes a third security policy.

其中，所述第三管理请求，还包括：第三安全策略的优先级；所述第一设备保存的安全策略对应有初始优先级；Wherein, the third management request further includes: the priority of the third security policy; the security policy saved by the first device corresponds to an initial priority;

所述第一处理单元1102，配置为根据第三安全策略的优先级和所述第一设备保存的安全策略所对应的初始优先级，确定是否更新所述第一设备保存的安全策略。The first processing unit 1102 is configured to determine whether to update the security policy saved by the first device according to the priority of the third security policy and the initial priority corresponding to the security policy saved by the first device.

在一实施例中，所述第一通信单元1101，还配置为向第二设备发送所述更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。In an embodiment, the first communication unit 1101 is further configured to send the update result to the second device; the update result at least indicates whether to update the security policy on the first device.

在一实施例中，所述第一通信单元1101，还配置为向所述边缘计算平台发送更新结果；所述更新结果至少表征是否更新所述安全策略。In an embodiment, the first communication unit 1101 is further configured to send an update result to the edge computing platform; the update result at least indicates whether the security policy is updated.

实际应用时，所述第一通信单元1101和所述第一处理单元1102可由通信装置中的处理器结合通信接口实现。In practical applications, the first communication unit 1101 and the first processing unit 1102 may be implemented by a processor in a communication device combined with a communication interface.

为了实现本申请实施例第二设备侧的方法，本申请实施例还提供了一种通信装置，设置在第二设备上，如图12所示，该装置包括：In order to implement the method on the second device side of the embodiment of the present application, the embodiment of the present application also provides a communication device, which is set on the second device, as shown in FIG. 12 , the device includes:

第二通信单元1201，配置为向第一设备发送第二管理请求；所述第二管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。The second communication unit 1201 is configured to send a second management request to the first device; the second management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used for edge computing Application services on the platform provide security management functions.

在一实施例中，第二通信单元1201，还配置为接收来自第一设备的更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。In an embodiment, the second communication unit 1201 is further configured to receive an update result from the first device; the update result at least indicates whether to update the security policy on the first device.

所述第二管理请求，还包括：第二安全策略的优先级；所述第一设备保存的安全策略对应有初始优先级；The second management request further includes: the priority of the second security policy; the security policy saved by the first device corresponds to the initial priority;

实际应用时，所述第二通信单元1201可由通信装置中的通信接口实现。In actual application, the second communication unit 1201 may be implemented by a communication interface in a communication device.

需要说明的是：上述实施例提供的通信装置在进行通信时，仅以上述各程序模块的划分进行举例说明，实际应用中，可以根据需要而将上述处理分配由不同的程序模块完成，即将装置的内部结构划分成不同的程序模块，以完成以上描述的全部或者部分处理。另外，上述实施例提供的通信装置与通信方法实施例属于同一构思，其具体实现过程详见方法实施例，这里不再赘述。It should be noted that: when the communication device provided by the above-mentioned embodiment performs communication, the division of the above-mentioned program modules is used as an example for illustration. The internal structure of the program is divided into different program modules to complete all or part of the processing described above. In addition, the communication device and the communication method embodiments provided in the above embodiments belong to the same idea, and the specific implementation process thereof is detailed in the method embodiments, and will not be repeated here.

为了实现本申请实施例第三设备侧的方法，本申请实施例还提供了一种通信装置，设置在第三设备上，如图13所示，该装置包括：In order to implement the method on the third device side of the embodiment of the present application, the embodiment of the present application also provides a communication device, which is set on the third device, as shown in FIG. 13 , the device includes:

第三通信单元1301，配置为向第一设备发送第三管理请求；所述第三管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。The third communication unit 1301 is configured to send a third management request to the first device; the third management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used for edge computing Application services on the platform provide security management functions.

在一实施例中，所述第三管理请求，还包括：第三安全策略的优先级；所述第一设备保存的安全策略对应有初始优先级；In an embodiment, the third management request further includes: the priority of the third security policy; the security policy saved by the first device corresponds to an initial priority;

在一实施例中，所述第三通信单元1301，还配置为接收来自所述第一设备的更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。In an embodiment, the third communication unit 1301 is further configured to receive an update result from the first device; the update result at least indicates whether to update the security policy on the first device.

实际应用时，所述第三通信单元1301可由通信装置中的通信接口实现。In practical applications, the third communication unit 1301 may be implemented by a communication interface in a communication device.

基于上述程序模块的硬件实现，且为了实现本申请实施例第一设备侧的方法，本申请实施例还提供了一种第一设备，如图14所示，该第一设备1400包括：Based on the hardware implementation of the above program modules, and in order to implement the method on the first device side of the embodiment of the present application, the embodiment of the present application also provides a first device, as shown in Figure 14, the first device 1400 includes:

第一通信接口1401，能够与第二设备进行信息交互；The first communication interface 1401 is capable of exchanging information with the second device;

第一处理器1402，与所述第一通信接口1401连接，以实现与第二设备进行信息交互，配置为运行计算机程序时，执行上述第一设备侧一个或多个技术方案提供的方法。而所述计算机程序存储在第一存储器1403上。The first processor 1402 is connected to the first communication interface 1401 to implement information interaction with the second device, and is configured to execute the methods provided by one or more technical solutions on the first device side when running a computer program. Instead, the computer program is stored on the first memory 1403 .

具体地，所述第一通信接口1401，配置为确定管理请求；所述管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；Specifically, the first communication interface 1401 is configured to determine a management request; the management request is used to request configuration of a security policy for application services on the edge computing platform;

所述第一处理器1402，配置为根据所述管理请求，确定安全策略；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。The first processor 1402 is configured to determine a security policy according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.

其中，在一实施例中，所述第一通信接口1401，配置为确定针对第一设备的第一操作；Wherein, in an embodiment, the first communication interface 1401 is configured to determine a first operation for the first device;

在一实施例中，所述第一通信接口1401，配置为接收来自第二设备的第二管理请求；所述第二管理请求，包括：第二安全策略。In an embodiment, the first communication interface 1401 is configured to receive a second management request from the second device; the second management request includes: a second security policy.

在一实施例中，所述第一处理器1402，配置为根据第二安全策略的优先级和所述第一设备保存的安全策略所对应的初始优先级，确定是否更新所述第一设备保存的安全策略。In an embodiment, the first processor 1402 is configured to determine whether to update the security policy saved by the first device according to the priority of the second security policy and the initial priority corresponding to the security policy saved by the first device. security policy.

在一实施例中，所述第一通信接口1401，配置为接收来自边缘计算平台的第三管理请求；所述第三管理请求包括第三安全策略。In an embodiment, the first communication interface 1401 is configured to receive a third management request from the edge computing platform; the third management request includes a third security policy.

在一实施例中，所述第一处理器1402，配置为根据第三安全策略的优先级和所述第一设备保存的安全策略所对应的初始优先级，确定是否更新所述第一设备保存的安全策略。In an embodiment, the first processor 1402 is configured to determine whether to update the security policy saved by the first device according to the priority of the third security policy and the initial priority corresponding to the security policy saved by the first device. security policy.

在一实施例中，所述第一通信接口1401，还配置为向第二设备发送所述更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。In an embodiment, the first communication interface 1401 is further configured to send the update result to the second device; the update result at least indicates whether to update the security policy on the first device.

在一实施例中，所述第一通信接口1401，还配置为向所述边缘计算平台发送更新结果；所述更新结果至少表征是否更新所述安全策略。In an embodiment, the first communication interface 1401 is further configured to send an update result to the edge computing platform; the update result at least indicates whether the security policy is updated.

需要说明的是：第一处理器1402和第一通信接口1401的具体处理过程可参照上述方法理解。It should be noted that the specific processing procedures of the first processor 1402 and the first communication interface 1401 can be understood with reference to the above method.

当然，实际应用时，第一设备1400中的各个组件通过总线系统1404耦合在一起。可理解，总线系统1404用于实现这些组件之间的连接通信。总线系统1404除包括数据总线之外，还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见，在图14中将各种总线都标为总线系统1404。Of course, in practical applications, various components in the first device 1400 are coupled together through the bus system 1404 . It can be understood that the bus system 1404 is used to realize connection and communication between these components. In addition to the data bus, the bus system 1404 also includes a power bus, a control bus and a status signal bus. However, for clarity of illustration, the various buses are labeled as bus system 1404 in FIG. 14 .

本申请实施例中的第一存储器1403用于存储各种类型的数据以支持第一设备1400的操作。这些数据的示例包括：用于在第一设备1400上操作的任何计算机程序。The first memory 1403 in the embodiment of the present application is used to store various types of data to support the operation of the first device 1400 . Examples of such data include: any computer programs for operating on the first device 1400 .

上述本申请实施例揭示的方法可以应用于所述第一处理器1402中，或者由所述第一处理器1402实现。所述第一处理器1402可能是一种集成电路芯片，具有信号的处理能力。在实现过程中，上述方法的各步骤可以通过所述第一处理器1402中的硬件的集成逻辑电路或者软件形式的指令完成。上述的所述第一处理器1402可以是通用处理器、数字信号处理器(DSP，Digital Signal Processor)，或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。所述第一处理器1402可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤，可以直接体现为硬件译码处理器执行完成，或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中，该存储介质位于第一存储器1403，所述第一处理器1402读取第一存储器1403中的信息，结合其硬件完成前述方法的步骤。The methods disclosed in the foregoing embodiments of the present application may be applied to the first processor 1402 or implemented by the first processor 1402 . The first processor 1402 may be an integrated circuit chip, which has a signal processing capability. In the implementation process, each step of the above method may be implemented by an integrated logic circuit of hardware in the first processor 1402 or an instruction in the form of software. The aforementioned first processor 1402 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. The first processor 1402 may implement or execute various methods, steps, and logic block diagrams disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the first memory 1403, and the first processor 1402 reads the information in the first memory 1403, and completes the steps of the foregoing method in combination with its hardware.

在示例性实施例中，第一设备1400可以被一个或多个应用专用集成电路(ASIC，Application Specific Integrated Circuit)、DSP、可编程逻辑器件(PLD，Programmable Logic Device)、复杂可编程逻辑器件(CPLD，Complex Programmable Logic Device)、现场可编程门阵列(FPGA，Field-Programmable Gate Array)、通用处理器、控制器、微控制器(MCU，Micro Controller Unit)、微处理器(Microprocessor)、或者其他电子元件实现，用于执行前述方法。In an exemplary embodiment, the first device 1400 may be implemented by one or more Application Specific Integrated Circuits (ASIC, Application Specific Integrated Circuit), DSP, Programmable Logic Device (PLD, Programmable Logic Device), complex programmable logic device ( CPLD, Complex Programmable Logic Device), field-programmable gate array (FPGA, Field-Programmable Gate Array), general-purpose processor, controller, microcontroller (MCU, Micro Controller Unit), microprocessor (Microprocessor), or others Electronic components are implemented for performing the aforementioned methods.

基于上述程序模块的硬件实现，且为了实现本申请实施例第二设备侧的方法，本申请实施例还提供了一种第二设备，如图15所示，该第二设备1500包括：Based on the hardware implementation of the above program modules, and in order to implement the method on the second device side of the embodiment of the present application, the embodiment of the present application also provides a second device, as shown in FIG. 15 , the second device 1500 includes:

第二通信接口1501，能够与第一设备和第三设备进行信息交互；The second communication interface 1501 is capable of information interaction with the first device and the third device;

第二处理器1502，与所述第二通信接口1501连接，以实现与第一设备和第三设备进行信息交互，配置为运行计算机程序时，执行上述第二设备侧一个或多个技术方案提供的方法。而所述计算机程序存储在第二存储器1503上。The second processor 1502 is connected to the second communication interface 1501 to realize information interaction with the first device and the third device, and is configured to execute one or more technical solutions on the second device side when running a computer program. Methods. Instead, the computer program is stored on the second memory 1503 .

具体地，所述第二通信接口1501，配置为向第一设备发送第二管理请求；所述第二管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。Specifically, the second communication interface 1501 is configured to send a second management request to the first device; the second management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy It is used to provide security management functions for application services on the edge computing platform.

其中，在一实施例中，所述第二通信接口1501，还配置为接收来自第一设备的更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。Wherein, in an embodiment, the second communication interface 1501 is further configured to receive an update result from the first device; the update result at least indicates whether to update the security policy on the first device.

需要说明的是：第二通信接口1501和第二处理器1502的具体处理过程可参照上述方法理解。It should be noted that the specific processing procedures of the second communication interface 1501 and the second processor 1502 can be understood with reference to the above methods.

当然，实际应用时，第二设备1500中的各个组件通过总线系统1504 耦合在一起。可理解，总线系统1504用于实现这些组件之间的连接通信。总线系统1504除包括数据总线之外，还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见，在图15中将各种总线都标为总线系统1504。Of course, in actual application, various components in the second device 1500 are coupled together through the bus system 1504 . It can be understood that the bus system 1504 is used to realize connection and communication between these components. In addition to the data bus, the bus system 1504 also includes a power bus, a control bus and a status signal bus. However, the various buses are labeled as bus system 1504 in FIG. 15 for clarity of illustration.

本申请实施例中的第二存储器1503用于存储各种类型的数据以支持第二设备1500的操作。这些数据的示例包括：用于在第二设备1500上操作的任何计算机程序。The second memory 1503 in the embodiment of the present application is used to store various types of data to support the operation of the second device 1500 . Examples of such data include: any computer programs for operating on the second device 1500 .

上述本申请实施例揭示的方法可以应用于所述第二处理器1502中，或者由所述第二处理器1502实现。所述第二处理器1502可能是一种集成电路芯片，具有信号的处理能力。在实现过程中，上述方法的各步骤可以通过所述第二处理器1502中的硬件的集成逻辑电路或者软件形式的指令完成。上述的所述第二处理器1502可以是通用处理器、DSP，或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。所述第二处理器1502可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤，可以直接体现为硬件译码处理器执行完成，或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中，该存储介质位于第二存储器1503，所述第二处理器1502读取第二存储器1503中的信息，结合其硬件完成前述方法的步骤。The methods disclosed in the foregoing embodiments of the present application may be applied to the second processor 1502 or implemented by the second processor 1502 . The second processor 1502 may be an integrated circuit chip and has signal processing capabilities. In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the second processor 1502 or instructions in the form of software. The aforementioned second processor 1502 may be a general-purpose processor, DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. The second processor 1502 may implement or execute various methods, steps, and logic block diagrams disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the second storage 1503, and the second processor 1502 reads information in the second storage 1503, and completes the steps of the aforementioned method in combination with its hardware.

在示例性实施例中，第二设备1500可以被一个或多个ASIC、DSP、PLD、CPLD、FPGA、通用处理器、控制器、MCU、Microprocessor、或其他电子元件实现，用于执行前述方法。In an exemplary embodiment, the second device 1500 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general processors, controllers, MCUs, Microprocessors, or other electronic components for performing the aforementioned methods.

基于上述程序模块的硬件实现，且为了实现本申请实施例第三设备侧的方法，本申请实施例还提供了一种第三设备，如图16所示，该第三设备1600包括：Based on the hardware implementation of the above program modules, and in order to implement the method on the third device side of the embodiment of the present application, the embodiment of the present application further provides a third device, as shown in FIG. 16 , the third device 1600 includes:

第三通信接口1601，能够与第一设备和第三设备进行信息交互；The third communication interface 1601 is capable of exchanging information with the first device and the third device;

第三处理器1602，与所述第三通信接口1601连接，以实现与第一设备和第三设备进行信息交互，配置为运行计算机程序时，执行上述第三设备侧一个或多个技术方案提供的方法。而所述计算机程序存储在第三存储器1603上。The third processor 1602 is connected to the third communication interface 1601 to realize information interaction with the first device and the third device, and is configured to execute one or more technical solutions on the third device side when running a computer program. Methods. Instead, the computer program is stored on the third memory 1603 .

具体地，所述第三通信接口1601，配置为向第一设备发送第三管理请求；所述第三管理请求用于请求针对边缘计算平台上的应用服务的安全策略进行配置；所述安全策略用于为边缘计算平台上的应用服务提供安全管理功能。Specifically, the third communication interface 1601 is configured to send a third management request to the first device; the third management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy It is used to provide security management functions for application services on the edge computing platform.

其中，在一实施例中，所述第三通信接口1601，还配置为接收来自所述第一设备的更新结果；所述更新结果至少表征是否更新所述第一设备上的安全策略。Wherein, in an embodiment, the third communication interface 1601 is further configured to receive an update result from the first device; the update result at least indicates whether to update the security policy on the first device.

需要说明的是：第三通信接口1601和第三处理器1602的具体处理过程可参照上述方法理解。It should be noted that the specific processing procedures of the third communication interface 1601 and the third processor 1602 can be understood with reference to the above methods.

当然，实际应用时，第三设备1600中的各个组件通过总线系统1604耦合在一起。可理解，总线系统1604用于实现这些组件之间的连接通信。总线系统1604除包括数据总线之外，还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见，在图16中将各种总线都标为总线系统1604。Of course, in practical application, various components in the third device 1600 are coupled together through the bus system 1604 . It can be understood that the bus system 1604 is used to realize connection and communication between these components. In addition to the data bus, the bus system 1604 also includes a power bus, a control bus and a status signal bus. However, the various buses are labeled as bus system 1604 in FIG. 16 for clarity of illustration.

本申请实施例中的第三存储器1603用于存储各种类型的数据以支持第三设备1600的操作。这些数据的示例包括：用于在第三设备1600上操作的任何计算机程序。The third memory 1603 in the embodiment of the present application is used to store various types of data to support the operation of the third device 1600 . Examples of such data include: any computer programs for operating on the third device 1600 .

上述本申请实施例揭示的方法可以应用于所述第三处理器1602中，或者由所述第三处理器1602实现。所述第三处理器1602可能是一种集成电路芯片，具有信号的处理能力。在实现过程中，上述方法的各步骤可以通过所述第三处理器1602中的硬件的集成逻辑电路或者软件形式的指令完成。上述的所述第三处理器1602可以是通用处理器、DSP，或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。所述第三处理器1602可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤，可以直接体现为硬件译码处理器执行完成，或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中，该存储介质位于第三存储器1603，所述第三处理器1602读取第三存储器1603中的信息，结合其硬件完成前述方法的步骤。The methods disclosed in the foregoing embodiments of the present application may be applied to the third processor 1602 or implemented by the third processor 1602 . The third processor 1602 may be an integrated circuit chip and has signal processing capability. In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the third processor 1602 or an instruction in the form of software. The aforementioned third processor 1602 may be a general-purpose processor, DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. The third processor 1602 may implement or execute various methods, steps, and logic block diagrams disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the third storage 1603, and the third processor 1602 reads information in the third storage 1603, and completes the steps of the foregoing method in combination with its hardware.

在示例性实施例中，第三设备1600可以被一个或多个ASIC、DSP、PLD、CPLD、FPGA、通用处理器、控制器、MCU、Microprocessor、或其他电子元件实现，用于执行前述方法。In an exemplary embodiment, the third device 1600 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general purpose processors, controllers, MCUs, Microprocessors, or other electronic components for performing the aforementioned methods.

可以理解，本申请实施例的存储器(第一存储器1403、第二存储器1503、第三存储器1603)可以是易失性存储器或者非易失性存储器，也可包括易失性和非易失性存储器两者。其中，非易失性存储器可以是只读存储器(ROM，Read Only Memory)、可编程只读存储器(PROM，Programmable Read-Only Memory)、可擦除可编程只读存储器(EPROM，Erasable Programmable Read-Only Memory)、电可擦除可编程只读存储器(EEPROM，Electrically Erasable Programmable Read-Only Memory)、磁性随机存取存储器(FRAM，ferromagnetic random access memory)、快闪存储器(Flash Memory)、磁表面存储器、光盘、或只读光盘(CD-ROM，Compact Disc Read-Only Memory)；磁表面存储器可以是磁盘存储器或磁带存储器。易失性存储器可以是随机存取存储器(RAM，Random Access Memory)，其用作外部高速缓存。通过示例性但不是限制性说明，许多形式的RAM可用，例如静态随机存取存储器(SRAM，Static Random Access Memory)、同步静态随机存取存储器(SSRAM，Synchronous Static Random Access Memory)、动态随机存取存储器(DRAM，Dynamic Random Access Memory)、同步动态随机存取存储器(SDRAM，Synchronous Dynamic Random Access Memory)、双倍数据速率同步动态随机存取存储器(DDRSDRAM，Double Data Rate Synchronous Dynamic Random Access Memory)、增强型同步动态随机存取存储器(ESDRAM，Enhanced Synchronous Dynamic Random Access Memory)、同步连接动态随机存取存储器(SLDRAM，SyncLink Dynamic Random Access Memory)、直接内存总线随机存取存储器(DRRAM，Direct Rambus Random Access Memory)。本申请实施例描述的存储器旨在包括但不限于这些和任意其它适合类型的存储器。It can be understood that the memory (the first memory 1403, the second memory 1503, and the third memory 1603) in the embodiment of the present application may be a volatile memory or a nonvolatile memory, and may also include volatile and nonvolatile memory both. Among them, the non-volatile memory can be read-only memory (ROM, Read Only Memory), programmable read-only memory (PROM, Programmable Read-Only Memory), erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory) Only Memory), Electrically Erasable Programmable Read-Only Memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), Magnetic Random Access Memory (FRAM, ferromagnetic random access memory), Flash Memory (Flash Memory), Magnetic Surface Memory , CD, or CD-ROM (Compact Disc Read-Only Memory); magnetic surface storage can be disk storage or tape storage. The volatile memory may be random access memory (RAM, Random Access Memory), which is used as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM, Static Random Access Memory), Synchronous Static Random Access Memory (SSRAM, Synchronous Static Random Access Memory), Dynamic Random Access Memory Memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced Synchronous Dynamic Random Access Memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), Synchronous Link Dynamic Random Access Memory (SLDRAM, SyncLink Dynamic Random Access Memory), Direct Memory Bus Random Access Memory (DRRAM, Direct Rambus Random Access Memory ). The memories described in the embodiments of the present application are intended to include, but are not limited to, these and any other suitable types of memories.

需要说明的是：“第一”、“第二”等是用于区别类似的对象，而不必用于描述特定的顺序或先后次序。It should be noted that: "first", "second", etc. are used to distinguish similar objects, and not necessarily used to describe a specific order or sequence.

另外，本申请实施例所记载的技术方案之间，在不冲突的情况下，可以任意组合。In addition, the technical solutions described in the embodiments of the present application may be combined arbitrarily if there is no conflict.

以上所述，仅为本申请的较佳实施例而已，并非用于限定本申请的保护范围。The above descriptions are only preferred embodiments of the present application, and are not intended to limit the protection scope of the present application.

Claims

A communication method, applied to a first device, comprising:

Determining a management request; the management request is used to request configuration of a security policy for application services on the edge computing platform;

A security policy is determined according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.

The method according to claim 1, wherein said determining a management request comprises:

determining a first operation for the first device;

A first management request is determined based on the first operation; the first management request includes: a first security policy.

Receive a second management request from the second device; the second management request includes: a second security policy.

The method according to claim 3, wherein the second management request further includes: the priority of the second security policy; the security policy saved by the first device corresponds to an initial priority;

The method also includes:

Determine whether to update the security policy saved by the first device according to the priority of the second security policy and the initial priority corresponding to the security policy saved by the first device.

A third management request from the edge computing platform is received; the third management request includes a third security policy.

The method according to claim 5, wherein the third management request further includes: the priority of the third security policy; the security policy saved by the first device corresponds to an initial priority;

The method also includes:

Determine whether to update the security policy saved by the first device according to the priority of the third security policy and the initial priority corresponding to the security policy saved by the first device.

The method according to any one of claims 1 to 6, wherein the method further comprises:

Sending the update result to the second device; the update result at least represents whether the security policy on the first device is updated.

The method according to claim 4, wherein the method further comprises:

Sending an update result to the edge computing platform; the update result at least represents whether the security policy is updated.

The method according to any one of claims 1 to 7, wherein the security policy includes: a security level for each application service in at least one application service;

The update result includes a configuration response for the security policy of each application service; the type of the configuration response includes:

Fully agree, partially agree, reject, exception information.

The method according to claim 9, wherein the security policy includes at least one of the following:

The first security level; the first security level represents the denial of configuration information for all application services on the edge computing platform;

The second security level; the second security level characterizes the configuration information allowed for some application services on the edge computing platform;

The third security level: the first security level characterizes the configuration information allowed for all application services on the edge computing platform.

The method according to claim 10, wherein the configuration information includes at least one of the following:

A first configuration strategy; the operation authority of the first configuration strategy for different application services;

A second configuration strategy; the second configuration strategy is directed at routing rules for different application services;

The third configuration strategy; the third configuration strategy is aimed at Domain Name System DNS of different application services;

A fourth configuration strategy; the fourth configuration strategy is aimed at the life cycles of different application services.

A communication method, applied to a second device, comprising:

Sending a second management request to the first device; the second management request is used to request configuration of a security policy for the application service on the edge computing platform; the security policy is used to provide security management for the application service on the edge computing platform Function.

The method according to claim 12, wherein said method further comprises:

An update result from the first device is received; the update result at least represents whether the security policy on the first device is updated.

The method according to claim 12, wherein the second management request further includes: the priority of the second security policy; the security policy saved by the first device corresponds to an initial priority;

The priority of the second security policy and the initial priority corresponding to the security policy saved by the first device are used by the first device to determine whether to update the security policy.

The method according to any one of claims 12 to 14, wherein the security policy includes: a security level for each application service in at least one application service;

Fully agree, partially agree, reject, exception information.

The method according to claim 12, wherein the security policy includes at least one of the following:

The third security level; the first security level characterizes the configuration information allowed for all application services on the edge computing platform.

The method according to claim 16, wherein the configuration information includes at least one of the following:

A communication method, applied to an edge computing platform, comprising:

Sending a third management request to the first device; the third management request is used to request configuration of a security policy for the application service on the edge computing platform; the security policy is used to provide security management for the application service on the edge computing platform Function.

The method according to claim 18, wherein the third management request further includes: the priority of the third security policy; the security policy saved by the first device corresponds to an initial priority;

The priority of the third security policy and the initial priority corresponding to the security policy saved by the first device are used by the first device to determine whether to update the security policy.

The method according to claim 19, wherein said method further comprises:

An update result from the first device is received; the update result at least indicates whether the security policy on the first device is updated.

The method according to claim 20, wherein the security policy includes: a security level for each application service in at least one application service;

Fully agree, partially agree, reject, exception information.

The method according to any one of claims 18 to 21, wherein the security policy includes at least one of the following:

The method according to claim 22, wherein the configuration information includes at least one of the following:

A communication device, set on a first device, comprising:

The first processing unit is configured to determine a management request; the management request is used to request configuration of a security policy for application services on the edge computing platform;

A communication device, set on a second device, comprising:

The second communication unit is configured to send a second management request to the first device; the second management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to configure the edge computing platform The application service on the server provides security management functions.

A communication device, set on an edge computing platform, comprising:

The third communication unit is configured to send a third management request to the first device; the third management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to configure the edge computing platform The application service on the server provides security management functions.

A first device, comprising: a first processor and a first communication interface; wherein,

The first processor is configured to determine a management request; the management request is used to request configuration of a security policy for application services on the edge computing platform;

A second device, comprising: a second processor and a second communication interface; wherein,

The second communication interface is configured to send a second management request to the first device; the second management request is used to request configuration of a security policy for application services on the edge computing platform; Application services on the computing platform provide security management functions.

An edge computing platform, comprising: a third processor and a third communication interface; wherein,

The third communication interface is configured to send a third management request to the first device; the third management request is used to request configuration of a security policy for application services on the edge computing platform; Application services on the computing platform provide security management functions.

A network device comprising: a processor and a memory configured to store a computer program capable of running on the processor,

Wherein, the processor is configured to execute the steps of the method according to any one of claims 1 to 11 when running the computer program; or,

The processor is configured to execute the steps of the method according to any one of claims 12 to 17 when running the computer program; or,

The processor is configured to execute the steps of the method according to any one of claims 18 to 23 when running the computer program.

A storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the method according to any one of claims 1 to 11 are realized; or,

When said computer program is executed by a processor, it implements the steps of any one of claims 12 to 17; or,

When the computer program is executed by a processor, the steps of the method described in any one of claims 18 to 23 are realized.