CN114760130A - Method and device for updating configuration file of network function, electronic equipment and medium - Google Patents


Info

Publication number
CN114760130A
Authority
CN
China
Prior art keywords
configuration file
network function
updating
network
request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210376276.4A
Other languages
Chinese (zh)
Inventor
何明
沈军
刘国荣
吴国威
潘家铭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202210376276.4A
Publication of CN114760130A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0813 Configuration setting characterised by the conditions triggering a change of settings
    • H04L41/082 Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
    • H04L41/0836 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability to enhance reliability, e.g. reduce downtime
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0866 Checking the configuration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/72 Signcrypting, i.e. digital signing and encrypting simultaneously

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present disclosure provides a method, an apparatus, an electronic device, and a medium for updating the configuration file (profile) of a Network Function (NF). The method includes: generating the profile of the NF; signing the profile with a local private key; and sending the signed profile to the NF, over a designated communication channel, for registration, where the network storage function (NRF) determines the legitimacy of the NF initiating the registration by verifying the signature. The embodiments of the disclosure reduce the intrusion risk of the 5GC network and improve its security and reliability.

Description

Method and device for updating configuration file of network function, electronic equipment and medium
Technical Field
The present disclosure relates to the field of network technologies, and in particular, to a method and an apparatus for updating a configuration file of a network function, an electronic device, and a medium.
Background
Currently, the NRF (Network Repository Function, rendered as "network storage function" in the rest of this text) is a network element type newly introduced with 5G; it provides service registration, discovery and authorization, and maintains the information of available NF (Network Function) instances.
In the related art, according to 3GPP (3rd Generation Partnership Project) TS 29.510 V17.2.0, an NF may request the NRF to replace its profile or to change parameters within it, and the NRF performs no security verification of this behaviour.
However, a 5GC (5G core network) network element may be deployed down at a customer's premises (an edge or customer-site deployment), and if such an NF is compromised by an intruder, its configuration file can be changed arbitrarily, which poses a serious risk to the safe operation of the 5GC.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
An object of the present disclosure is to provide a method, an apparatus, an electronic device, and a medium for updating a configuration file of a network function, which are used to overcome, at least to some extent, a problem of poor security of a 5GC network due to limitations and disadvantages of the related art.
According to a first aspect of the embodiments of the present disclosure, there is provided a method for updating a configuration file of a network function, applied to network function virtualization management and orchestration (MANO), the method including: generating a configuration file of the network function; signing the configuration file with a local private key; and sending the signed configuration file to the network function, over a designated communication channel, for registration, where the network storage function determines the legitimacy of the network function initiating the registration by verifying the signature.
According to a second aspect of the embodiments of the present disclosure, there is provided a method for updating a configuration file of a network function, applied to a network storage function, the method including: receiving a request to update a configuration file, sent by the network function; parsing the received request to determine the update object of the request; verifying the signature of the request according to the update object; and updating the update object whose signature passes verification.
In an exemplary embodiment of the present disclosure, verifying the signature of the request according to the update object includes: if the update object is a parameter in the configuration file, determining whether the request is heartbeat maintenance information; if the request is heartbeat maintenance information, not verifying the signature; if the request is not heartbeat maintenance information, or the update object is the whole configuration file, verifying the signature with the public key of the MANO; and sending the request that has passed signature verification to the network function over the designated communication channel.
According to a third aspect of the embodiments of the present disclosure, there is provided a method for updating a configuration file of a network function, applied to the network function, the method including: sending a request to update the configuration file to the network storage function, so that the network storage function verifies the signature of the request with the public key of the MANO and updates the corresponding configuration file for a request that passes signature verification.
In an exemplary embodiment of the present disclosure, sending the request to update the configuration file to the network storage function includes: if the whole configuration file is to be updated, sending the signed configuration file to the network storage function, the configuration file having been signed with the private key of the MANO; if parameters within the configuration file are to be updated, generating patch data for the updated parameters and sending the signed patch data to the network storage function, the patch data having been signed with the private key of the MANO.
According to a fourth aspect of the embodiments of the present disclosure, there is provided an apparatus for updating a configuration file of a network function, applied to the MANO, the apparatus including: a generating module configured to generate a configuration file of the network function; a signature module configured to sign the configuration file with a local private key; and an interaction module configured to send the signed configuration file to the network function, over a designated communication channel, for registration, where the network storage function determines the legitimacy of the network function initiating the registration by verifying the signature.
According to a fifth aspect of the embodiments of the present disclosure, there is provided an apparatus for updating a configuration file of a network function, applied to a network storage function, the apparatus including: a receiving module configured to receive a request to update a configuration file, sent by the network function; a parsing module configured to parse the received request to determine its update object; a verification module configured to verify the signature of the request according to the update object; and an updating module configured to update the update object whose signature passes verification.
According to a sixth aspect of the embodiments of the present disclosure, there is provided an apparatus for updating a configuration file of a network function, applied to the network function, the apparatus including: a sending module configured to send a request to update the configuration file to the network storage function, so that the network storage function verifies the signature of the request with the public key of the MANO and updates the corresponding configuration file for a request that passes signature verification.
According to a seventh aspect of the present disclosure, there is provided an electronic apparatus comprising: a memory; and a processor coupled to the memory, the processor configured to perform any of the methods above based on instructions stored in the memory.
According to an eighth aspect of the present disclosure, there is provided a computer-readable storage medium on which a program is stored, the program, when executed by a processor, implementing any of the methods for updating a configuration file of a network function described above.
According to the embodiments of the disclosure, the configuration file is signed by the MANO, so that not only can the legitimacy of the network function (network element) be verified from the signature at registration time, but the NRF can also verify the signature with the MANO public key when the configuration file is subsequently updated and apply only the configuration file, or the parameters within it, whose signature passes verification, which improves the security and reliability of the 5GC network.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
FIG. 1 is a schematic diagram illustrating an exemplary system architecture for a profile update scheme for network functions to which embodiments of the present invention may be applied;
FIG. 2 is a flow chart of a method for updating a configuration file of a network function in an exemplary embodiment of the disclosure;
FIG. 3 is a flow chart of a method for updating a profile of another network function in an exemplary embodiment of the disclosure;
FIG. 4 is a flow chart of a method for updating a profile of another network function in an exemplary embodiment of the disclosure;
FIG. 5 is a flow chart of a method for updating a profile of another network function in an exemplary embodiment of the disclosure;
FIG. 6 is a flow chart of a method for updating a profile of another network function in an exemplary embodiment of the disclosure;
FIG. 7 is an interaction diagram of a method for updating a profile of a network function in an exemplary embodiment of the disclosure;
FIG. 8 is an interaction diagram of another method for updating a profile of a network function in an exemplary embodiment of the disclosure;
FIG. 9 is an interaction diagram of another method for updating a profile of a network function in an exemplary embodiment of the disclosure;
FIG. 10 is a block diagram of an apparatus for updating a configuration file of a network function in an exemplary embodiment of the present disclosure;
FIG. 11 is a block diagram of an apparatus for profile updating for another network function in an exemplary embodiment of the disclosure;
FIG. 12 is a block diagram of an apparatus for profile updating for another network function in an exemplary embodiment of the disclosure;
FIG. 13 is a block diagram of an electronic device in an exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the embodiments of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Further, the drawings are merely schematic illustrations of the present disclosure, in which the same reference numerals denote the same or similar parts, and thus, a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
Fig. 1 shows a schematic diagram of an exemplary system architecture of an update scheme of a configuration file of a network function to which an embodiment of the present invention can be applied.
As shown in fig. 1, the system architecture 100 may include one or more of terminal devices 101, 102, 103, a network 104, and a server 105. Network 104 is the medium used to provide communication links between terminal devices 101, 102, 103 and server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for an implementation. For example, server 105 may be a server cluster comprised of multiple servers, and the like.
A user may use terminal devices 101, 102, 103 to interact with a server 105 over a network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may be various electronic devices having a display screen, including but not limited to smart phones, tablet computers, portable computers, desktop computers, and the like.
In some embodiments, the method for updating the configuration file of the network function provided by the embodiments of the present invention is generally performed by the server 105, and accordingly the apparatus for updating the configuration file of the network function is generally disposed in the server 105. In other embodiments, a terminal device 101, 102 or 103 may have similar functionality and perform the method, so the method is not limited to execution by a server.
NFV (Network Function Virtualization) separates network functions (including Network Address Translation (NAT), firewalls, intrusion detection, domain name services, caching, etc.) from proprietary hardware (e.g., layer-3 switches, routers). By integrating network services with the related computing and storage devices through software and delivering a fully virtualized interface to upper-layer applications, NFV offers the following advantages:
(1) Reduced CAPEX: reduces the enterprise's need for proprietary hardware and provides a pay-on-demand model.
(2) Reduced OPEX: simplifies the release and management of network services, i.e. convenient deployment.
(3) Faster service launch: shortens the time to deploy new services, while effectively meeting constantly changing business requirements, seizing market opportunities and improving return on investment.
(4) Unparalleled agility and flexibility: services can be scaled up or down on demand, and business innovation can be realized in software on commercial off-the-shelf servers.
Further, NFV requires a large amount of virtualized resources, which need a high degree of software management, known in the industry as orchestration. In essence, many network and software elements are arranged, connected, monitored and managed according to different business processes (inventory system, billing system, configuration tools, OSS, etc.).
Based on these requirements of NFV, NFV MANO (Network Function Virtualization Management and Orchestration) emerged as an architectural framework for managing and coordinating Virtualized Network Functions (VNFs) and their supporting software components, supporting deployment on and connection between virtual machines. The MANO standard defined by ETSI (European Telecommunications Standards Institute) consists of three functional blocks: the NFV Orchestrator (NFVO), the VNF Manager (VNFM) and the Virtualized Infrastructure Manager (VIM).
NFV Orchestrator (NFVO): performs service orchestration and resource orchestration, controlling new network services and integrating VNFs into the virtual architecture, and validating and authorizing resource requests of the NFV infrastructure (NFVI).
VNF Manager (VNFM): manages the lifecycle of VNFs.
VIM (Virtualized Infrastructure Manager): controls and manages the NFV infrastructure, including computing, storage and network resources.
In addition, the MANO architecture supports APIs in existing 5G core network systems for use across multiple network domains to interoperate with other vendors.
The following detailed description of exemplary embodiments of the disclosure refers to the accompanying drawings.
Fig. 2 is a flowchart of a method for updating a configuration file of a network function in an exemplary embodiment of the present disclosure.
Referring to fig. 2, in an exemplary embodiment of the present disclosure, an update method of a configuration file of a network function is applied to network function virtualization orchestration management, and the update method of the configuration file of the network function may include:
step S202, generating a configuration file of the network function.
Step S204, signing the configuration file based on the local private key.
Step S206, sending the signed configuration file to the network function, over a designated communication channel, for registration; the network storage function determines the legitimacy of the network function initiating the registration by verifying the signature.
In the above embodiment, the configuration file is signed by the MANO. When the configuration file is sent to the NRF for registration, the signature is verified with the MANO public key; only a configuration file whose signature passes verification can complete registration, and a network function whose signature fails verification is identified as illegitimate, which improves the security and reliability of the 5GC network.
Fig. 3 is a flowchart of a method for updating a configuration file of a network function in an exemplary embodiment of the present disclosure.
Referring to fig. 3, an updating method of a configuration file of a network function in an exemplary embodiment of the present disclosure is applied to a network storage function, and the updating method of the configuration file of the network function includes:
step S302, receiving a request for updating the configuration file sent by the network function.
Step S304, parsing the received request to determine its update object.
Step S306, the signature of the request is verified according to the updating object.
And step S308, updating the updating object corresponding to the signature passing the verification.
In the above embodiment, the request to update the configuration file carries the update object and a signature, and the NRF applies the update object only after the signature has been verified, which reduces the probability that the configuration file of the NF is maliciously tampered with and the risk of the 5GC network being intruded upon during a configuration file update.
In an exemplary embodiment of the present disclosure, as shown in fig. 4, verifying the signature of the request according to the update object includes:
step S402, if the update object is determined to be the parameter in the configuration file, judging whether the request is the heartbeat maintenance information.
Step S404, if it is determined that the update object is heartbeat maintenance information, the request is not verified.
In the above embodiment, if it is determined that the update target is heartbeat maintenance information, the request is not verified, which avoids verification overhead of a large number of signatures caused by periodically processing heartbeat information, and reduces data verification pressure of a 5GC network.
Step S406, if it is determined that the updated object is not the heartbeat maintenance information or is determined that the updated object is the configuration file, verifying the signature by using the public key of the network function virtualization orchestration management.
Step S408, sending the request of passing the signature verification to the network function through the designated communication channel.
In the above embodiment, if it is determined that the update object is not the heartbeat maintenance information or is the configuration file (all files or part of parameters), the signature is verified by the public key of the network function virtualization orchestration management, which further improves the security and reliability of the 5GC network.
Fig. 5 is a flowchart of a method for updating a configuration file of a network function in an exemplary embodiment of the present disclosure.
Referring to fig. 5, an update method of a configuration file of a network function in an exemplary embodiment of the present disclosure is applied to a network function, and the update method of a configuration file of a network function includes:
step S502, a request for updating the configuration file is sent to the network storage function, so that the network storage function verifies the signature of the request based on the public key of the network function virtualization arrangement management, and updates the configuration file corresponding to the request subjected to signature verification.
In the embodiment, the configuration file is signed through a MANO (network function virtualization orchestration management), and then when the configuration file is updated by the NRF, the signature is verified based on the public key of the MANO, and the configuration file or the parameters in the configuration file corresponding to the verified signature can be updated, so that the safety and the reliability of the 5GC network are improved.
In an exemplary embodiment of the present disclosure, as shown in fig. 6, sending the request for updating the configuration file to the network storage function includes:
step S602, if it is determined that the configuration file is updated, sending the signed configuration file to the network storage function, where the configuration file is configured to be signed by a private key of the network function virtualization orchestration management.
In the above embodiment, if the configuration file is updated, the NF sends the signed configuration file to the NRF for verification by the NRF, and if the configuration file is verified, the configuration file is updated.
Step S604, if it is determined that the parameters in the configuration file are updated, generating patch data corresponding to the updated parameters, and sending the signed patch data to the network storage function, where the patch data is configured to be signed by a private key of the network function virtualization orchestration management.
In the above embodiment, if part of the parameters in the configuration file is updated, the NF sends signed patch data (patch data) to the NRF for verification by the NRF, and if the verification is passed, updates the configuration file.
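The registration flow (steps S202 to S206, with the NRF-side check) and the update flow (steps S302 to S308, S402 to S408 and S602 to S604) carried through end to end, as an added Python example that is not part of the patent and not China Telecom's implementation. It assumes a JSON profile, a JSON-patch-style list for parameter changes, request field names of its own choosing, and that a heartbeat is a patch touching only the /nfStatus path; the RSA routines are textbook RSA over SHA-256 without padding, included only so the example runs on the standard library, and must not be copied into real code.

```python
"""Added example (not the patent's code): MANO signs NF profiles and patch data,
the NRF verifies them with the MANO public key and skips only true heartbeats.
Textbook RSA over SHA-256 (no padding) is used purely so this runs on the
standard library; use RSA-PSS or ECDSA from a vetted library in practice."""
import hashlib
import json
import secrets

def _is_probable_prime(n, rounds=24):     # Miller-Rabin, odd n > 3; demo-grade only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1    # odd, top bit set
        if _is_probable_prime(p):
            return p

def gen_keypair(bits=1024):
    """Return (public=(n, e), private=(n, d)); n must exceed the 256-bit digest."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:             # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(obj):
    """SHA-256 of canonical JSON, so signer and verifier hash identical bytes."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, obj):
    return pow(_digest(obj), private_key[1], private_key[0])

def verify(public_key, obj, signature):
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == _digest(obj)

# Assumption: a heartbeat is a patch whose operations touch only these paths.
# Any other field riding on a heartbeat request must still carry a MANO signature.
HEARTBEAT_PATHS = {"/nfStatus"}

class NRF:
    def __init__(self, mano_public_key):
        self.mano_pub, self.profiles = mano_public_key, {}

    def handle(self, request):
        """Process one NF request (dict); returns (accepted, reason)."""
        nf_id, sig = request["nfInstanceId"], request.get("signature", 0)
        if "profile" in request:                       # registration / whole-file update
            if not verify(self.mano_pub, request["profile"], sig):
                return False, "profile signature invalid"
            self.profiles[nf_id] = dict(request["profile"])
            return True, "profile registered"
        patch = request["patch"]                       # parameter update, JSON-patch style
        if nf_id not in self.profiles:
            return False, "unknown NF instance"
        if patch and all(op["path"] in HEARTBEAT_PATHS for op in patch):
            self._apply(nf_id, patch)                  # heartbeat: accepted unsigned
            return True, "heartbeat applied, signature check skipped"
        if not verify(self.mano_pub, patch, sig):
            return False, "patch signature invalid"
        self._apply(nf_id, patch)
        return True, "signed patch applied"

    def _apply(self, nf_id, patch):
        prof = self.profiles[nf_id]
        for op in patch:                               # top-level paths only, for brevity
            key = op["path"].lstrip("/")
            if op["op"] in ("add", "replace"):
                prof[key] = op["value"]
            elif op["op"] == "remove":
                prof.pop(key, None)

def demo():
    """Constructed sample flow; returns per-request (accepted, reason) and the final profile."""
    mano_pub, mano_priv = gen_keypair()
    nrf = NRF(mano_pub)
    profile = {"nfInstanceId": "amf-01", "nfType": "AMF", "nfStatus": "REGISTERED",
               "ipv4Addresses": ["10.0.0.7"]}
    heartbeat = [{"op": "replace", "path": "/nfStatus", "value": "REGISTERED"}]
    smuggled = heartbeat + [{"op": "replace", "path": "/ipv4Addresses", "value": ["192.0.2.66"]}]
    legit = [{"op": "replace", "path": "/ipv4Addresses", "value": ["10.0.0.8"]}]
    requests = [
        {"nfInstanceId": "amf-01", "profile": profile, "signature": sign(mano_priv, profile)},
        {"nfInstanceId": "amf-01", "patch": heartbeat},
        {"nfInstanceId": "amf-01", "patch": smuggled},      # compromised NF, no MANO signature
        {"nfInstanceId": "amf-01", "patch": legit, "signature": sign(mano_priv, legit)},
    ]
    return [nrf.handle(r) for r in requests], nrf.profiles["amf-01"]
```

In the constructed run, the signed registration and the bare heartbeat are accepted, the unsigned address change that hides behind a heartbeat status update is rejected, and the same change carried as MANO-signed patch data is applied. Two points the patent's description leaves implicit are visible here: the heartbeat exemption is only safe when the NRF decides what counts as a heartbeat from the patch content itself (as HEARTBEAT_PATHS does), otherwise a compromised NF could push arbitrary unsigned parameter changes by labelling them heartbeats; and the signature carries no freshness, so a captured signed profile or patch could be replayed, which in practice calls for a version or nonce inside the signed content that the NRF tracks.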
In one embodiment of the present disclosure, the designated communication channel is TLS or a VPN, but it is not limited to these. Note that the channel authenticates and protects the NF-to-NRF hop, while the MANO signature on the content is what protects against an NF that is itself compromised, the threat described in the background.
Among other things, TLS (Transport Layer Security) is used to provide privacy and data integrity between two communicating applications. The protocol consists of two layers, the TLS Record protocol (TLS Record) and the TLS Handshake protocol (TLS Handshake). The lower layer is the TLS recording protocol, which is located above a reliable transport protocol (e.g., TCP), and is independent of the specific application, so the TLS protocol is generally classified as a transport layer security protocol.
The TLS protocol consists of two protocol groups-the TLS record protocol and the TLS handshake protocol-each group having many different formats of information.
The TLS recording protocol is a layered protocol. The information in each layer may contain fields for length, description, and content. The recording protocol supports information transfer, segmenting data into processable blocks, compressing data, applying MAC, encryption, and transferring results, etc. Decrypts, checks, decompresses, reassembles, etc. the received data, and then delivers them to the higher level client.
The TLS connection status refers to an operating environment of the TLS recording protocol. It specifies a compression algorithm, an encryption algorithm and a MAC algorithm.
The TLS recording layer receives continuous data of an arbitrary size without empty blocks from an upper layer. Key calculation-the recording protocol algorithmically generates the key, IV and MAC keys from the security parameters provided by the handshake protocol. The TLS handshake protocol consists of three sub-protocol groups, allowing both peers to agree on security parameters in the record layer, authenticate themselves, instantiate negotiation security parameters, report error conditions to each other.
In addition, VPN (Virtual Private Network) is a public data Network based service that gives users the perception of a direct connection to a Private lan. VPNs greatly reduce the cost to the user and provide greater security and reliability than conventional approaches. The 'virtual private network' technology is adopted, namely, users do not actually have an independent private network, and the users can form a private telecommunication network belonging to the users without building or renting a private line or equipping a special device.
A virtual private network is a functional network built using a public telecommunication network. Different types of public networks can establish different types of virtual private networks through software control in the networks. For example: a "virtual private telephone network" can be constructed using the public telephone network.
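As an added example (not code from the patent, from China Telecom or from any 5GC product), the secure channel between the MANO and the NRF realised as mutual TLS in Go: the NRF side accepts TLS 1.3 only and requires a client certificate it trusts, the MANO side pins the NRF certificate and checks its name, and a handshake is run over a loopback listener. The names nrf.5gc.example and mano.5gc.example, the self-signed in-memory certificates and the function names are assumptions of this example; a deployed core would use certificates issued by the operator's PKI and the page does not specify how Ka is carried over the channel.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a short-lived in-memory certificate for name that is its own trust anchor (assumed here; a real core uses operator PKI).
func selfSignedCert(name string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, err
}

// MutualTLSConfigs returns the NRF (server) and MANO (client) configurations: TLS 1.3 only, each side authenticated by a certificate the other trusts.
func MutualTLSConfigs(nrfName, manoName string) (*tls.Config, *tls.Config, error) {
	nrfCert, nrfLeaf, err := selfSignedCert(nrfName)
	if err != nil {
		return nil, nil, err
	}
	manoCert, manoLeaf, err := selfSignedCert(manoName)
	if err != nil {
		return nil, nil, err
	}
	trustMANO, trustNRF := x509.NewCertPool(), x509.NewCertPool()
	trustMANO.AddCert(manoLeaf)
	trustNRF.AddCert(nrfLeaf)
	server := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{nrfCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no trusted client certificate, no session
		ClientCAs:    trustMANO,
	}
	client := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{manoCert},
		RootCAs:      trustNRF,
		ServerName:   nrfName, // checked against the NRF certificate's SAN
	}
	return server, client, nil
}

// Handshake runs the NRF side on a loopback listener, connects as the MANO and returns the client's view of the session plus any error from either side.
func Handshake(server, client *tls.Config) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() { // NRF side: a TLS < 1.3 offer or a missing/untrusted client certificate fails here
		raw, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		conn := tls.Server(raw, server)
		err = conn.Handshake()
		conn.Close()
		errc <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	state := conn.ConnectionState()
	conn.Close()
	return state, <-errc
}

func main() {
	server, client, _ := MutualTLSConfigs("nrf.5gc.example", "mano.5gc.example")
	state, err := Handshake(server, client)
	fmt.Printf("TLS %#x to %s, err=%v\n", state.Version, state.ServerName, err)
}
```

A client that offers only TLS 1.2, presents no certificate, or expects a different server name is refused by one side or the other; Handshake returns the NRF's handshake error as well as the client's, so the refusal is visible whichever side detects it.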
The interaction process of the configuration file update scheme for a network function according to the present disclosure is described below with reference to figs. 7 to 9.
In one embodiment of the present disclosure, as shown in fig. 7, the MANO 702 of the 5GC sends its public key Ka to the NRF 706 over a secure channel such as TLS or a VPN.
The configuration file of the NF (service consumer) 704 is controlled by the MANO.
In an embodiment of the present disclosure, as shown in fig. 8, the MANO 802 generates the profile of the NF 804, signs the profile with its own private key Kb, and sends the profile and its signature to the NF 804 over a secure channel such as TLS or a VPN. If the configuration file of the NF 804 is to be replaced in full, the MANO 802 generates a new profile, signs it again with its own private key Kb, and sends the new profile and its signature to the NF 804 over the secure channel.
The NF 804 then sends a PUT request to the NRF 806 requesting replacement of the profile, carrying the profile and its signature.
The NRF 806 verifies the profile and signature sent by the NF 804 with the public key Ka of the MANO 802. On success it proceeds with the standard procedure, that is, it performs the configuration file update as specified in the standard and returns "200 OK" to the NF 804. On failure it returns an error to the NF 804 and leaves the configuration file unchanged.
In an embodiment of the disclosure, as shown in fig. 9, when only some parameters of the configuration file of the NF 904 need updating, the MANO 902 generates PatchData from the list of operations (add, delete, replace and so on) to be applied to the NF profile parameters, signs the PatchData with its own private key Kb, and sends the PatchData and its signature to the NF 904 over a secure channel such as TLS or a VPN.
The NF 904 sends a PATCH request to the NRF 906 to perform the partial update of the configuration file: PATCH ./nf-instance/{nfInstanceID} (PatchData, PatchData signature).
On receiving the PATCH request from the NF 904, the NRF 906 first checks whether the PatchData performs a "replace" operation on the attribute "nfStatus". If it does, the NRF treats the request as heartbeat maintenance information and executes the PatchData commands directly. If not, it verifies the PatchData and signature sent by the NF 904 with the public key Ka of the MANO 902; on success it proceeds with the standard procedure, that is, the partial-parameter update of the configuration file as specified in the standard. If verification fails, it returns an error and does not execute the update commands.
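As an added example (not code from the patent, from China Telecom or from any 5GC implementation), the exchange of figs. 7 to 9 in Go, which also covers the signed full-replacement and signed-patch cases of steps S602 and S604: the MANO signs the serialised profile or PatchData with its private key Kb, the NF forwards the bytes and signature unchanged, and the NRF verifies them under Ka before applying a PUT or a PATCH. Ed25519 as the signature algorithm, the cut-down profile with only nfInstanceId, nfStatus and fqdn, string-only patch values, the handler names and the instance id amf-1 are assumptions of this example; the page names neither a signature scheme nor a profile schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Profile is a cut-down NF profile; a real NFProfile carries many more attributes.
type Profile struct {
	NFInstanceID string `json:"nfInstanceId"`
	NFStatus     string `json:"nfStatus"`
	FQDN         string `json:"fqdn,omitempty"`
}

// PatchOp is one JSON Patch (RFC 6902) operation; PatchData is a list of these.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value,omitempty"` // strings only, to keep the example short
}

// Sign is the MANO side: serialise v (a Profile or []PatchOp) and sign with Kb the exact bytes the NF will forward.
func Sign(kb ed25519.PrivateKey, v interface{}) (body, sig []byte, err error) {
	if body, err = json.Marshal(v); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(kb, body), nil
}

var ErrBadSignature = errors.New("signature verification failed")

// NRF holds the MANO public key Ka and the registered profiles.
type NRF struct {
	ka       ed25519.PublicKey
	Profiles map[string]Profile
}

func NewNRF(ka ed25519.PublicKey) *NRF { return &NRF{ka: ka, Profiles: map[string]Profile{}} }

// HandlePut models PUT on the NF instance resource: the whole profile is replaced only if the signature verifies under Ka.
func (n *NRF) HandlePut(id string, body, sig []byte) error {
	if !ed25519.Verify(n.ka, body, sig) {
		return ErrBadSignature
	}
	var p Profile
	if err := json.Unmarshal(body, &p); err != nil {
		return err
	}
	if p.NFInstanceID != id { // bind the signed profile to the resource being written
		return fmt.Errorf("nfInstanceId %q does not match resource %q", p.NFInstanceID, id)
	}
	n.Profiles[id] = p
	return nil
}

// isHeartbeat is the text's exemption, tightened: every op must be a replace of /nfStatus, otherwise a signature is required.
func isHeartbeat(ops []PatchOp) bool {
	for _, op := range ops {
		if op.Op != "replace" || op.Path != "/nfStatus" {
			return false
		}
	}
	return len(ops) > 0
}

func (n *NRF) HandlePatch(id string, body, sig []byte) error {
	p, ok := n.Profiles[id]
	if !ok {
		return fmt.Errorf("unknown NF instance %q", id)
	}
	var ops []PatchOp
	if err := json.Unmarshal(body, &ops); err != nil {
		return err
	}
	if !isHeartbeat(ops) && !ed25519.Verify(n.ka, body, sig) {
		return ErrBadSignature
	}
	for _, op := range ops { // applied to a copy; stored only if every op succeeds
		switch op.Op + " " + op.Path {
		case "replace /nfStatus":
			p.NFStatus = op.Value
		case "replace /fqdn":
			p.FQDN = op.Value
		default:
			return fmt.Errorf("unsupported operation %s %s", op.Op, op.Path)
		}
	}
	n.Profiles[id] = p
	return nil
}

func main() {
	_, kb, _ := ed25519.GenerateKey(rand.Reader) // Kb; its public half is Ka
	nrf := NewNRF(kb.Public().(ed25519.PublicKey))
	body, sig, _ := Sign(kb, Profile{NFInstanceID: "amf-1", NFStatus: "REGISTERED"})
	fmt.Println("PUT signed profile:", nrf.HandlePut("amf-1", body, sig))
}
```

Two checks go slightly beyond the text. The heartbeat exemption is granted only when every operation in the PatchData is a replace of nfStatus; the text says the NRF checks whether the PatchData performs such a replace, and a check for the presence of that operation alone would also let unsigned operations on other attributes through in the same patch. The PUT handler also requires the nfInstanceId inside the signed profile to match the resource being written, so a validly signed profile for one NF cannot be replayed against another instance's resource.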
Corresponding to the method embodiment, the present disclosure further provides an apparatus for updating a configuration file of a network function, which may be used to execute the method embodiment.
Fig. 10 is a block diagram of an apparatus for updating a configuration file of a network function according to an exemplary embodiment of the present disclosure.
Referring to fig. 10, an apparatus for updating a configuration file of a network function in an exemplary embodiment of the present disclosure is applicable to network function virtualization orchestration management and includes:
A generating module 1002, configured to generate a configuration file of a network function.
A signature module 1004, configured to sign the configuration file with a local private key.
An interaction module 1006, configured to send the signed configuration file to the network function for registration through a specified communication channel, the network storage function determining the validity of the network function initiating the registration by verifying the signature.
Fig. 11 is a block diagram of an apparatus for updating a configuration file of a network function according to an exemplary embodiment of the present disclosure.
Referring to fig. 11, an apparatus 1100 for updating a configuration file of a network function in an exemplary embodiment of the present disclosure is applicable to a network storage function and includes:
A receiving module 1102, configured to receive a request for updating a configuration file sent by the network function.
A parsing module 1104, configured to parse the received request to determine the update object of the request.
A verification module 1106, configured to verify the signature of the request according to the update object.
An updating module 1108, configured to update the update object whose signature passes verification.
Fig. 12 is a block diagram of an apparatus for updating a configuration file of a network function in an exemplary embodiment of the present disclosure.
Referring to fig. 12, an apparatus 1200 for updating a configuration file of a network function in an exemplary embodiment of the present disclosure is applicable to a network function and includes:
A sending module 1202, configured to send a request for updating a configuration file to a network storage function, so that the network storage function verifies the signature of the request with the public key of the network function virtualization orchestration management and updates the corresponding configuration file for the request whose signature passes verification.
Since the functions of the apparatus 1000 for updating a configuration file of a network function, the apparatus 1100 for updating a configuration file of a network function, and the apparatus 1200 for updating a configuration file of a network function have been described in detail in the corresponding method embodiments, the details of the disclosure are not repeated herein.
It should be noted that although several modules or units of the apparatus for performing the actions are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided and embodied by a plurality of modules or units.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit", "module" or "system".
An electronic device 1300 according to this embodiment of the invention is described below with reference to fig. 13. The electronic device 1300 shown in fig. 13 is only an example and should not bring any limitation to the function and the scope of use of the embodiments of the present invention.
As shown in fig. 13, electronic device 1300 takes the form of a general-purpose computing device. The components of electronic device 1300 may include, but are not limited to: the at least one processing unit 1310, the at least one memory unit 1320, and the bus 1330 connecting the various system components including the memory unit 1320 and the processing unit 1310.
The memory unit stores program code that is executable by the processing unit 1310 to cause the processing unit 1310 to perform steps according to various exemplary embodiments of the present invention as described in the "exemplary methods" section above. For example, the processing unit 1310 may perform the methods shown in the embodiments of the present disclosure.
The memory unit 1320 may include readable media in the form of volatile memory units such as a random access memory unit (RAM)13201 and/or a cache memory unit 13202, and may further include a read-only memory unit (ROM) 13203.
Storage 1320 may also include a program/utility 13204 having a set (at least one) of program modules 13205, such program modules 13205 including but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which or some combination thereof may comprise an implementation of a network environment.
Bus 1330 may be any bus representing one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 1300 may also communicate with one or more external devices 1340 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 1300, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 1300 to communicate with one or more other computing devices. Such communication may occur over input/output (I/O) interfaces 1350. Also, the electronic device 1300 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) through the network adapter 1360. As shown, the network adapter 1360 communicates with the other modules of the electronic device 1300 via the bus 1330. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 1300, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, and may also be implemented by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary method" of this description, when said program product is run on said terminal device.
The program product for implementing the above method according to an embodiment of the present invention may employ a portable compact disc read only memory (CD-ROM) and include program codes, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In situations involving remote computing devices, the remote computing devices may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to external computing devices (e.g., through the internet using an internet service provider).
Furthermore, the above-described drawings are only schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily appreciated that the processes illustrated in the above figures are not intended to indicate or limit the temporal order of the processes. In addition, it is also readily understood that these processes may be performed, for example, synchronously or asynchronously in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A method for updating a configuration file of a network function, applicable to network function virtualization orchestration management, comprising:
generating a configuration file of the network function;
signing the configuration file with a local private key; and
sending the signed configuration file to the network function for registration through a specified communication channel, a network storage function determining the validity of the network function initiating the registration by verifying the signature.
2. A method for updating a configuration file of a network function, applicable to a network storage function, comprising:
receiving a request for updating the configuration file sent by the network function;
parsing the received request to determine an update object of the request;
verifying the signature of the request according to the update object; and
updating the update object whose signature passes the verification.
3. The method for updating a configuration file of a network function according to claim 2, wherein verifying the signature of the request according to the update object comprises:
if the update object is determined to be a parameter in the configuration file, judging whether the request is heartbeat maintenance information;
if the request is determined to be heartbeat maintenance information, not verifying the request;
if the request is determined not to be heartbeat maintenance information, or the update object is determined to be the configuration file, verifying the signature with the public key of the network function virtualization orchestration management; and
sending the result of verifying the signature to the network function through a specified communication channel.
4. A method for updating a configuration file of a network function, applicable to the network function, comprising:
sending a request for updating the configuration file to a network storage function, so that the network storage function verifies the signature of the request with the public key of network function virtualization orchestration management and updates the configuration file corresponding to the request whose signature passes verification.
5. The method for updating a configuration file of a network function according to claim 4, wherein sending the request for updating the configuration file to the network storage function comprises:
if it is determined that the configuration file is to be updated, sending the signed configuration file to the network storage function, the configuration file having been signed with the private key of the network function virtualization orchestration management; and
if it is determined that parameters in the configuration file are to be updated, generating patch data corresponding to the updated parameters and sending the signed patch data to the network storage function, the patch data having been signed with the private key of the network function virtualization orchestration management.
6. An apparatus for updating a configuration file of a network function, applicable to network function virtualization orchestration management, comprising:
a generating module configured to generate a configuration file of the network function;
a signature module configured to sign the configuration file with a local private key; and
an interaction module configured to send the signed configuration file to the network function for registration through a specified communication channel, a network storage function determining the validity of the network function initiating the registration by verifying the signature.
7. An apparatus for updating a configuration file of a network function, applicable to a network storage function, comprising:
a receiving module configured to receive a request for updating the configuration file sent by the network function;
a parsing module configured to parse the received request to determine an update object of the request;
a verification module configured to verify the signature of the request according to the update object; and
an updating module configured to update the update object whose signature passes the verification.
8. An apparatus for updating a configuration file of a network function, applicable to the network function, comprising:
a sending module configured to send a request for updating the configuration file to a network storage function, so that the network storage function verifies the signature of the request with the public key of network function virtualization orchestration management and updates the configuration file corresponding to the request whose signature passes verification.
9. An electronic device, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the method of updating the profile of the network function of any of claims 1-6 based on instructions stored in the memory.
10. A computer-readable storage medium on which a program is stored, which when executed by a processor, implements a method of updating a profile of a network function according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210376276.4A 2022-04-11 2022-04-11 Method and device for updating configuration file of network function, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN114760130A 2022-07-15

Family

ID=82329018

Country Status (1)

Country Link
CN (1) CN114760130A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109428874A * 2017-08-31 2019-03-05 华为技术有限公司 Registration method and device based on a service-based architecture
CN109800563A * 2018-12-29 2019-05-24 联想(北京)有限公司 Password setting method and device, computer-readable storage medium and computer system
CN110086652A * 2019-03-25 2019-08-02 北京天地互连信息技术有限公司 Management system and method for service network elements in a 5G core network
US20210168751A1 * 2018-08-13 2021-06-03 Apple Inc. Use of user equipment (UE) identifiers for registration in fifth generation (5G) systems
CN113163391A * 2020-01-22 2021-07-23 华为技术有限公司 Communication method, device and system
CN113329417A * 2020-02-28 2021-08-31 华为技术有限公司 Network configuration method and device
CN113497730A * 2020-04-03 2021-10-12 大唐移动通信设备有限公司 Communication method and device for a proxy and a network device
CN113518345A * 2020-03-27 2021-10-19 诺基亚技术有限公司 Enhanced hop-by-hop security
CN114095987A * 2021-11-22 2022-02-25 中国联合网络通信集团有限公司 Service processing method, device and storage medium
CN114095946A * 2021-11-04 2022-02-25 南方电网数字电网研究院有限公司 5GC service network element management system and management method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination