CN115529143A - Communication method, communication device, related equipment and storage medium - Google Patents


Info

Publication number
CN115529143A
Authority
CN
China
Prior art keywords
security policy
security
policy
configuration
computing platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110703263.9A
Other languages
Chinese (zh)
Inventor
游正朋
种璟
唐小勇
朱磊
罗柯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Chengdu ICT Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Chengdu ICT Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Chengdu ICT Co Ltd
Priority to CN202110703263.9A
Priority to PCT/CN2022/099572 (published as WO2022267995A1)
Publication of CN115529143A
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/20 Network architectures or network communication protocols for managing network security; network security policies in general
        • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/08 Configuration management of networks or network elements
                • H04L 41/0893 Assignment of logical groups to network elements
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/50 Network services
                • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/40 Network security protocols
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
        • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/08 Access security

Abstract

The application discloses a communication method, a communication device, a first device, a second device and a storage medium. The method includes the following steps: the first device determines a management request, the management request being used to request configuration of a security policy for application services on an edge computing platform; and the first device determines the security policy according to the management request, the security policy being used to provide security management functions for the application services on the edge computing platform.

Description

Communication method, communication device, related equipment and storage medium
Technical Field
The present application relates to the field of communications, and in particular, to a communication method, apparatus, related device, and storage medium.
Background
The fifth generation mobile communication technology (5G), as a new generation of communication technology, has many advantages such as large bandwidth, low latency, high reliability, massive connectivity and ubiquitous networking, and thereby drives the rapid development and iteration of vertical industries, for example the rise of smart healthcare, smart education and smart agriculture.
Mobile Edge Computing (MEC) is one of the key technologies of 5G evolution. It is a general-purpose Information Technology (IT) platform with wireless network information Application Programming Interface (API) capabilities and computing, storage and analysis functions. With MEC, applications that were traditionally external to the network can be brought into the mobile network, closer to the user, and offered as localized services, improving user experience and realizing more of the value of the edge network.
By combining 5G and MEC, technology combinations such as quality of service (QoS), end-to-end network slicing, network capability exposure and edge cloud can be brought to the demand scenarios of different industries, providing customized solutions.
In the related art, schemes that combine 5G and MEC technology carry security risks.
Disclosure of Invention
In order to solve the related technical problems, embodiments of the present application provide a communication method, a communication device, related equipment and a storage medium.
The technical solution of the embodiments of the present application is implemented as follows:
An embodiment of the present application provides a communication method, applied to a first device, including the following steps:
determining a management request; the management request is used for requesting to configure a security policy of an application service on the edge computing platform;
determining a security policy according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.
In the foregoing solution, determining the management request includes:
detecting a first operation on the first device;
determining a first management request based on the first operation; the first management request includes a first security policy.
In the foregoing solution, determining the management request includes:
receiving a second management request from a second device; the second management request includes a second security policy.
In the foregoing solution, the second management request further includes a priority of the second security policy, and the security policy stored by the first device corresponds to an initial priority;
the method further includes:
determining whether to update the security policy stored on the first device according to the priority of the second security policy and the initial priority of the security policy stored on the first device.
In the foregoing solution, determining the management request includes:
receiving a third management request from the edge computing platform; the third management request includes a third security policy.
In the foregoing solution, the third management request further includes a priority of the third security policy, and the security policy stored by the first device corresponds to an initial priority;
the method further includes:
determining whether to update the security policy stored on the first device according to the priority of the third security policy and the initial priority of the security policy stored on the first device.
In the foregoing solution, the method further includes:
sending the update result to the second device; the update result at least indicates whether the security policy on the first device was updated.
In the foregoing solution, the method further includes:
sending the update result to the edge computing platform; the update result at least indicates whether the security policy was updated.
In the foregoing solution, the security policy includes a security level for each of at least one application service;
the update result includes a configuration response of the security policy for each application service; the types of configuration response include:
all consent, partial consent, rejection, and exception information.
In the foregoing solution, the security policy includes at least one of:
a first security level; the first security level indicates that configuration information is rejected for all application services on the edge computing platform;
a second security level; the second security level indicates that configuration information is allowed for a portion of the application services on the edge computing platform;
a third security level; the third security level indicates that configuration information is allowed for all application services on the edge computing platform.
In the foregoing solution, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different application services;
a second configuration policy; the second configuration policy concerns the routing rules of different application services;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) of different application services;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different application services.
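The first-device procedure summarized above (accept a management request from a local operation, a second device or the edge computing platform; compare the request's priority with the initial priority of the stored policy; apply per-service security levels; return an update result carrying one configuration response per application service) can be modelled compactly. The following Python is an added example written for this page, not code from the patent or its applicants. Its data model, the rule that a request updates the stored policy only when its priority is strictly higher than the stored priority, and the per-service operator ceiling (standing in for the first, local management request) are assumptions; the patent specifies neither the comparison rule nor how a partial consent is computed.

```python
# Added example; not code from the patent. The data model, the "strictly higher
# priority wins" rule and the operator-set ceiling are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Set


class Level(Enum):
    REJECT_ALL = 1      # first security level: no configuration accepted
    ALLOW_PARTIAL = 2   # second security level: some configuration accepted
    ALLOW_ALL = 3       # third security level: all configuration accepted


class Kind(Enum):
    PERMISSIONS = "permissions"  # first configuration policy: operating permissions
    ROUTING = "routing"          # second configuration policy: routing rules
    DNS = "dns"                  # third configuration policy: DNS
    LIFECYCLE = "lifecycle"      # fourth configuration policy: lifecycle


ALL_KINDS: FrozenSet[Kind] = frozenset(Kind)


class Response(Enum):
    ALL_CONSENT = "all consent"
    PARTIAL_CONSENT = "partial consent"
    REJECTION = "rejection"
    EXCEPTION = "exception information"


@dataclass(frozen=True)
class Entry:
    """Security level of one application service; `kinds` lists what level 2 admits."""
    level: Level
    kinds: FrozenSet[Kind] = frozenset()

    def granted(self) -> FrozenSet[Kind]:
        if self.level is Level.ALLOW_ALL:
            return ALL_KINDS
        if self.level is Level.ALLOW_PARTIAL:
            return self.kinds
        return frozenset()


def entry_for(kinds: FrozenSet[Kind]) -> Entry:
    """Lowest security level that grants exactly `kinds`."""
    if kinds == ALL_KINDS:
        return Entry(Level.ALLOW_ALL)
    return Entry(Level.ALLOW_PARTIAL, kinds) if kinds else Entry(Level.REJECT_ALL)


@dataclass
class ManagementRequest:
    priority: int
    entries: Dict[str, Entry]        # application service -> requested entry


@dataclass
class UpdateResult:
    updated: bool                    # whether the stored policy changed
    responses: Dict[str, Response]   # configuration response per service


class FirstDevice:
    def __init__(self, services: Set[str], ceiling: Dict[str, Entry], initial_priority: int = 0):
        self.services = set(services)
        self.ceiling = dict(ceiling)       # assumed: upper bound set by the local operator
        self.priority = initial_priority   # "initial priority" of the stored policy
        # Default deny: every known service starts at the first security level.
        self.policy: Dict[str, Entry] = {s: Entry(Level.REJECT_ALL) for s in services}

    def handle(self, req: ManagementRequest) -> UpdateResult:
        """Decide whether to update the stored policy and build the update result."""
        if req.priority <= self.priority:
            # A request that does not outrank the stored policy changes nothing.
            return UpdateResult(False, {s: Response.REJECTION for s in req.entries})
        responses: Dict[str, Response] = {}
        new_policy = dict(self.policy)
        for svc, entry in req.entries.items():
            malformed = entry.level is Level.ALLOW_PARTIAL and not entry.kinds
            if svc not in self.services or malformed:
                responses[svc] = Response.EXCEPTION
                continue
            wanted = entry.granted()
            allowed = wanted & self.ceiling.get(svc, Entry(Level.REJECT_ALL)).granted()
            if wanted and not allowed:
                responses[svc] = Response.REJECTION   # nothing of the request can be granted
                continue
            new_policy[svc] = entry_for(allowed)      # tightening (REJECT_ALL) always passes
            responses[svc] = Response.ALL_CONSENT if allowed == wanted else Response.PARTIAL_CONSENT
        if not any(r in (Response.ALL_CONSENT, Response.PARTIAL_CONSENT) for r in responses.values()):
            return UpdateResult(False, responses)
        self.policy, self.priority = new_policy, req.priority
        return UpdateResult(True, responses)

    def permits(self, service: str, kind: Kind) -> bool:
        """The security management function: may `kind` be configured for `service`?"""
        return kind in self.policy.get(service, Entry(Level.REJECT_ALL)).granted()


if __name__ == "__main__":
    dev = FirstDevice({"video", "iot"}, {"video": Entry(Level.ALLOW_ALL),
                                         "iot": Entry(Level.ALLOW_PARTIAL, frozenset({Kind.ROUTING, Kind.DNS}))})
    # Constructed sample request, as if sent by the edge computing platform.
    result = dev.handle(ManagementRequest(5, {"video": Entry(Level.ALLOW_ALL), "iot": Entry(Level.ALLOW_ALL),
                                              "billing": Entry(Level.ALLOW_ALL)}))  # unknown service
    for svc, resp in result.responses.items():
        print(f"{svc}: {resp.value}")
    print("lifecycle on iot permitted:", dev.permits("iot", Kind.LIFECYCLE))
```

The design point is that the first device remains the decision point: the second device and the edge computing platform can only request a policy, a request that does not outrank the stored one is refused outright, and `permits()` is what the first device consults before it lets configuration of a given kind (permissions, routing, DNS, lifecycle) reach an application service.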
An embodiment of the present application provides a communication method, applied to a second device, including the following steps:
sending a second management request to the first device; the second management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to provide security management functions for the application services on the edge computing platform.
In the foregoing solution, the method further includes:
receiving an update result from the first device; the update result at least indicates whether the security policy on the first device was updated.
In the foregoing solution, the second management request further includes a priority of the second security policy, and the security policy stored by the first device corresponds to an initial priority;
the priority of the second security policy and the initial priority of the security policy stored by the first device are used by the first device to determine whether to update the security policy.
In the foregoing solution, the security policy includes a security level for each of at least one application service;
the update result includes a configuration response of the security policy for each application service; the types of configuration response include:
all consent, partial consent, rejection, and exception information.
In the foregoing solution, the security policy includes at least one of:
a first security level; the first security level indicates that configuration information is rejected for all application services on the edge computing platform;
a second security level; the second security level indicates that configuration information is allowed for a portion of the application services on the edge computing platform;
a third security level; the third security level indicates that configuration information is allowed for all application services on the edge computing platform.
In the foregoing solution, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different application services;
a second configuration policy; the second configuration policy concerns the routing rules of different application services;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) of different application services;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different application services.
An embodiment of the present application provides a communication method, applied to an edge computing platform, including the following steps:
sending a third management request to the first device; the third management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to provide security management functions for the application services on the edge computing platform.
In the foregoing solution, the third management request further includes a priority of the third security policy, and the security policy stored by the first device corresponds to an initial priority;
the priority of the third security policy and the initial priority of the security policy stored by the first device are used by the first device to determine whether to update the security policy.
In the foregoing solution, the method further includes:
receiving an update result from the first device; the update result at least indicates whether the security policy on the first device was updated.
In the foregoing solution, the security policy includes a security level for each of at least one application service;
the update result includes a configuration response of the security policy for each application service; the types of configuration response include:
all consent, partial consent, rejection, and exception information.
In the foregoing solution, the security policy includes at least one of:
a first security level; the first security level indicates that configuration information is rejected for all application services on the edge computing platform;
a second security level; the second security level indicates that configuration information is allowed for a portion of the application services on the edge computing platform;
a third security level; the third security level indicates that configuration information is allowed for all application services on the edge computing platform.
In the foregoing solution, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different application services;
a second configuration policy; the second configuration policy concerns the routing rules of different application services;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) of different application services;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different application services.
An embodiment of the present application provides a communication device, arranged on a first device, including:
a first processing unit for determining a management request, the management request being used to request configuration of a security policy for application services on the edge computing platform;
and for determining the security policy according to the management request, the security policy being used to provide security management functions for the application services on the edge computing platform.
In the foregoing solution, the first processing unit is configured to detect a first operation on the first device,
and to determine a first management request based on the first operation; the first management request includes a first security policy.
In the foregoing solution, the device further includes a first communication unit for receiving a second management request from a second device; the second management request includes a second security policy.
In the foregoing solution, the second management request further includes a priority of the second security policy, and the security policy stored by the first device corresponds to an initial priority;
the first processing unit is configured to determine whether to update the security policy stored on the first device according to the priority of the second security policy and the initial priority of the security policy stored on the first device.
In the foregoing solution, the first communication unit is configured to receive a third management request from the edge computing platform; the third management request includes a third security policy.
In the foregoing solution, the third management request further includes a priority of the third security policy, and the security policy stored by the first device corresponds to an initial priority;
the first processing unit is configured to determine whether to update the security policy stored on the first device according to the priority of the third security policy and the initial priority of the security policy stored on the first device.
In the foregoing solution, the first communication unit is further configured to send the update result to the second device; the update result at least indicates whether the security policy on the first device was updated.
In the foregoing solution, the first communication unit is further configured to send the update result to the edge computing platform; the update result at least indicates whether the security policy was updated.
In the foregoing solution, the security policy includes a security level for each of at least one application service;
the update result includes a configuration response of the security policy for each application service; the types of configuration response include:
all consent, partial consent, rejection, and exception information.
In the foregoing solution, the security policy includes at least one of:
a first security level; the first security level indicates that configuration information is rejected for all application services on the edge computing platform;
a second security level; the second security level indicates that configuration information is allowed for a portion of the application services on the edge computing platform;
a third security level; the third security level indicates that configuration information is allowed for all application services on the edge computing platform.
In the foregoing solution, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different application services;
a second configuration policy; the second configuration policy concerns the routing rules of different application services;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) of different application services;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different application services.
An embodiment of the present application provides a communication device, arranged on a second device, including:
a second communication unit configured to send a second management request to the first device; the second management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to provide security management functions for the application services on the edge computing platform.
In the foregoing solution, the second communication unit is further configured to receive an update result from the first device; the update result at least indicates whether the security policy on the first device was updated.
In the foregoing solution, the second management request further includes a priority of the second security policy, and the security policy stored by the first device corresponds to an initial priority;
the priority of the second security policy and the initial priority of the security policy stored by the first device are used by the first device to determine whether to update the security policy.
In the foregoing solution, the security policy includes a security level for each of at least one application service;
the update result includes a configuration response of the security policy for each application service; the types of configuration response include:
all consent, partial consent, rejection, and exception information.
In the foregoing solution, the security policy includes at least one of:
a first security level; the first security level indicates that configuration information is rejected for all application services on the edge computing platform;
a second security level; the second security level indicates that configuration information is allowed for a portion of the application services on the edge computing platform;
a third security level; the third security level indicates that configuration information is allowed for all application services on the edge computing platform.
In the foregoing solution, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different application services;
a second configuration policy; the second configuration policy concerns the routing rules of different application services;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) of different application services;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different application services.
An embodiment of the present application provides a communication device, arranged on an edge computing platform, including:
a third communication unit configured to send a third management request to the first device; the third management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to provide security management functions for the application services on the edge computing platform.
In the foregoing solution, the third management request further includes a priority of the third security policy, and the security policy stored by the first device corresponds to an initial priority;
the priority of the third security policy and the initial priority of the security policy stored by the first device are used by the first device to determine whether to update the security policy.
In the foregoing solution, the third communication unit is further configured to receive an update result from the first device; the update result at least indicates whether the security policy on the first device was updated.
In the foregoing solution, the security policy includes a security level for each of at least one application service;
the update result includes a configuration response of the security policy for each application service; the types of configuration response include:
all consent, partial consent, rejection, and exception information.
In the foregoing solution, the security policy includes at least one of:
a first security level; the first security level indicates that configuration information is rejected for all application services on the edge computing platform;
a second security level; the second security level indicates that configuration information is allowed for a portion of the application services on the edge computing platform;
a third security level; the third security level indicates that configuration information is allowed for all application services on the edge computing platform.
In the foregoing solution, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different application services;
a second configuration policy; the second configuration policy concerns the routing rules of different application services;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) of different application services;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different application services.
An embodiment of the present application provides a first device, including a first processor and a first communication interface, wherein
the first processor is used to determine a management request, the management request being used to request configuration of a security policy for application services on the edge computing platform;
and to determine the security policy according to the management request, the security policy being used to provide security management functions for the application services on the edge computing platform.
An embodiment of the present application provides a second device, including a second processor and a second communication interface, wherein
the second communication interface is used to send a second management request to the first device; the second management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to provide security management functions for the application services on the edge computing platform.
An embodiment of the present application provides an edge computing platform, including a third processor and a third communication interface, wherein
the third communication interface is used to send a third management request to the first device; the third management request is used to request configuration of a security policy for application services on the edge computing platform; the security policy is used to provide security management functions for the application services on the edge computing platform.
An embodiment of the present application provides a network device, including a processor and a memory for storing a computer program that can run on the processor,
wherein the processor is configured to execute the steps of any of the methods on the first device side described above when running the computer program; or
the processor is configured to execute the steps of any of the methods on the second device side described above when running the computer program; or
the processor is configured to execute the steps of any of the methods on the edge computing platform side described above when running the computer program.
An embodiment of the present application provides a storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of any of the methods on the first device side described above; or
when executed by a processor, the computer program implements the steps of any of the methods on the second device side described above; or
when executed by a processor, the computer program implements the steps of any of the methods on the edge computing platform side described above.
The embodiments of the present application provide a communication method, a communication device, a first device, a second device and a storage medium, wherein the method includes the following steps: the first device determines a management request, the management request being used to request configuration of a security policy for application services on the edge computing platform; and the first device determines the security policy according to the management request, the security policy being used to provide security management functions for the application services on the edge computing platform. With the solution of the embodiments, the security policy is configured on the first device, so that the first device can provide security management functions for the application services on the edge computing platform on the basis of that policy; the first device's ability to control the configuration data of the edge computing platform securely is therefore improved.
Drawings
Fig. 1 is a schematic diagram of the system structure of an MEC in the related art;
Fig. 2 is a schematic diagram of the host level and system level of an MEC in the related art;
Fig. 3 is a schematic structural diagram of a 5G industry cloud-network convergence system in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a communication system according to an embodiment of the present application;
Fig. 5 is a flowchart of a communication method according to an embodiment of the present application;
Fig. 6 is a flowchart of another communication method according to an embodiment of the present application;
Fig. 7 is a flowchart of a further communication method according to an embodiment of the present application;
Fig. 8 is a flowchart of a communication method according to an embodiment of the present application;
Fig. 9 is a schematic flowchart of another communication method according to an embodiment of the present application;
Fig. 10 is a diagram illustrating an authorization method according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a communication device according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of another communication device according to an embodiment of the present application;
Fig. 13 is a schematic structural diagram of a further communication device according to an embodiment of the present application;
Fig. 14 is a schematic structural diagram of a first device according to an embodiment of the present application;
Fig. 15 is a schematic structural diagram of a second device according to an embodiment of the present application;
Fig. 16 is a schematic structural diagram of a third device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples.
In the related art, MEC, as a multi-access edge computing platform standard dominated by European Telecommunications Standardization Institute (ETSI), evolves from an initial mobile edge computing platform to a Virtual Network Function (VNF) -based multi-access edge computing platform, and provides more efficient service operation services by virtualizing and serving MEC applications, platforms and resources to meet the differentiated requirements of different services on processing capabilities, and the ETSI standard organization defines an MEC system framework shown in fig. 1.
MEC system mainly includes: MEC system layer (MEC system-level), MEC host layer (MEC host level), network layer (Networks). Wherein the content of the first and second substances,
the MEC system layer is responsible for the allocation, recovery and coordination of the whole MEC resource so as to meet the requirements of different services on computing and transmission resources. The MEC system level management supports MEC system level management functions and host level management functions. The MEC system level management functions include a user application lifecycle management agent, an operation support system, and an MEC orchestrator, and the MEC host level management functions may include an MEC platform manager and a virtualization infrastructure manager. MEC services provided for terminals and third party customers (e.g., business enterprises) are managed through a MEC management layer.
The MEC host layer is used to provide necessary computing, storage and transmission functions for MEC applications, MEC platforms, and the like.
The network layer provides different network options (such as 3GPP wireless networks, non-3GPP wireless networks and wired networks) for the applications of the upper layer, and dynamically adjusts the routing strategy according to signaling from the upper layer so as to meet the transmission requirements of different services on the network.
As shown in fig. 2, the MEC host includes the MEC platform (MEP) and the virtual infrastructure (computing, storage, network). The virtual infrastructure contains a data plane that executes routing rules received from the MEC platform and forwards traffic between applications (also referred to as MEC applications or MEP applications), services (also referred to as MEC services or MEP services), DNS services/proxies, 3GPP networks, other access networks, local networks and external networks. The MEP enables applications to provide and invoke services, and the MEP itself may also provide services. Specifically, an application runs on a virtual machine or a container and can provide rich and diverse services to the outside (such as location, wireless network information and traffic management); an application can also use services provided by other applications, for example, the location and traffic management services provided by application A may be used by application B and application C. A service may be provided by the MEP or by a certain application; when a service is provided by an application, it may be registered in the service list of the MEP.
The MEC platform (MEP) supports functions including:
1) Providing an environment in which MEC applications can discover, notify, use and provide MEC services, including (optionally) MEC services provided by other platforms;
2) Receiving routing rules from the MEC platform management, applications or services, and controlling data plane traffic;
3) Receiving DNS records from the MEC platform management, and configuring the DNS proxy/server;
4) Hosting MEC services;
5) Providing access to persistent storage and time-of-day information.
an MEC orchestrator (MEO, MEC orchestrator), also called MEC application orchestrator (MEAO, MEC application orchestrator), is the core of MEC system layer management, and the supported functions include:
1) Maintaining an overall view of the MEC system (i.e., overall deployment); such as hosting deployment of MECs, available resource allocation of MECs, invocation of available MEC services, system topology, etc.;
2) Managing the onboarding of MEC application packages, comprising: checking the integrity and authenticity of the application package; confirming the application rules and requirements, judging whether they need to be adjusted and, if so, adjusting them to be consistent with the operator's policies; storing an onboarding record of the application package and preparing the virtualization infrastructure manager to handle the application;
3) Selecting an appropriate MEC host for initialization of the application based on constraints (such as latency, available resources, available services, etc.);
4) Triggering the starting and ending of the application;
5) Triggering on-demand migration of the application.
MEC platform management (MEPM), the supported functions include:
1) Managing the life cycle of the application, such as: notify events of the MEAO related application;
2) Providing the element management function of the MEP, which comprises Virtual Network Function (VNF) element management and Network Service (NS) element management; the NS information element comprises a Physical Network Function (PNF) information element, a virtual link information element and a VNF Forwarding Graph information element;
3) Managing the rules and requirements of MEC applications, such as: service authorizations, routing rules, Domain Name System (DNS) configuration and conflict handling;
4) Receiving error reports and performance measurement data for virtual resources from the Virtualization Infrastructure Manager (VIM). The main functions of the VIM include: allocating, managing and releasing the virtualized resources of the virtualization infrastructure, receiving and storing software images, and collecting and reporting performance and fault information of the virtualized resources.
As can be seen from the functional description of the various modules of the MEC, the rules (including routing rules, DNS configuration, traffic rules, etc.) applied by the MEC are managed by the MEPM, received by the MEP, and finally executed on the user plane of the MEC host.
In practical applications, the terminal access technologies used in vertical industries are diverse. Besides 5G, third-party networks also include non-5G networks (such as 4G, WiFi, Bluetooth, ZigBee, NB-IoT, SPN, infrared networks, private networks, wired networks, etc.), and the data of these terminals may be transmitted to the MEP through different networks. In order to guarantee the network and data security of the MEP and to realize ubiquitous network access and control functions, an industry GateWay (iww) is introduced into the system architecture of 5G industry cloud-network convergence; the 5G industry cloud-network convergence architecture is shown in fig. 3.
The MEC platform management (MEPM) is generally deployed on the industry gateway, and data on the MEP can be accessed directly from an external network, that is, a third-party network, through the industry gateway. The existing ETSI specification does not adequately protect data security and cannot meet the growing management requirements for data security and privacy protection.
In some typical application scenarios where medical, educational, financial, etc. data is sensitive, some applications and available resources (hardware resources, network resources, etc.) provided on the MEP cannot be managed and configured by the remote (external) MEPM, and the management configuration information (or management configuration data) sent by the MEPM to the MEP must be subject to strict security control, in view of protecting user privacy and business confidentiality. Based on this, in the embodiment of the present application, it is proposed to introduce a local MEPM (L-MEPM) on the existing system architecture for performing local management configuration on the application provided by the MEP, as shown in fig. 4, wherein,
the L-MEPM receives first information from the MEPM and provides a security management function for an application on the edge computing platform based on the first information and the security policy; the first information is used for configuring aiming at the application on the edge computing platform;
the MEPM may receive second information from the MEAO, send said first information to the first device according to said second information; the second information is used for arranging the application on the edge computing platform.
The edge computing platform may be referred to as a MEP. Orchestrating the applications on the edge computing platform may be understood as orchestrating the applications and/or the available resources of each application.
The system architecture shown in fig. 4 needs to provide an effective method for managing security policies to ensure the security protection of the management configuration data on the MEP side.
Based on this, in various embodiments of the present application, the first device determines a management request; the management request is used for requesting to configure a security policy of an application service on the edge computing platform; determining a security policy according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.
An embodiment of the present application provides a communication method, which is applied to a first device, and as shown in fig. 5, the method includes:
step 501, determining a management request; the management request is used for requesting to configure a security policy of an application service on the edge computing platform;
step 502, determining a security policy according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.
In practical application, a first device is arranged on the side of the edge computing platform, and the first device can communicate with a second device.
In practical applications, the first device may be a locally-set MEPM, which may be understood as a local MEPM set by a user, and may perform local management and configuration on an application provided by the MEP. The first device may be deployed locally, either alone or integrated into the MEP. The name of the first device is not limited in the embodiment of the present application as long as the function of the first device can be realized.
In practical application, the second device may be an MEPM, and the name of the second device is not limited in this embodiment of the application as long as the function of the second device can be realized.
In practice, the edge computing platform may be referred to as an MEP.
In actual application, the security policy may be configured directly by a local administrator through a human-machine interaction interface provided by the first device, i.e., the local MEPM.
Based on this, in an embodiment, the determining the management request includes:
determining a first operation for a first device;
determining a first management request based on the first operation; the first management request includes: a first security policy.
Here, the local administrator performs a first operation through the man-machine interaction interface of the local MEPM, the first device determines the first operation for the first device, and determines a management request based on the first operation, namely the first management request; based on the first management request, a corresponding security policy may be determined, denoted as the first security policy.
In practice, the security policy may be configured remotely by a remote administrator directly through the man-machine interface provided by the second device, i.e., the MEPM.
Based on this, in an embodiment, the determining the management request includes:
receiving a second management request from a second device; the second management request includes: a second security policy.
Here, the remote administrator performs a second operation through the man-machine interaction interface of the MEPM, the second device determines a second operation for the second device, and determines a management request, namely the second management request, based on the second operation; the second device sends a second management request to the first device; the first device receives the second management request, and may determine a second security policy based on the second management request.
In actual application, in order to improve the security of the security policy configuration, each security policy is given a priority, and whether a security policy can be configured or updated based on the corresponding management request is determined based on that priority.
Based on this, in an embodiment, the second management request further includes: a priority of the second security policy; the security policy stored by the first device corresponds to an initial priority;
correspondingly, the method further comprises the following steps:
and determining whether to update the security policy stored in the first device according to the priority of the second security policy and the initial priority corresponding to the security policy stored in the first device.
In actual application, the security policy may be configured through a request reported by the edge computing platform.
Based on this, in an embodiment, the determining the management request includes:
receiving a third management request from the edge computing platform; the third management request includes a third security policy.
In actual application, in order to improve the security of the security policy configuration, each security policy is given a priority, and whether a security policy can be configured or updated based on the corresponding management request is determined based on that priority.
Based on this, in an embodiment, the third management request further includes: a priority of the third security policy; the security policy stored by the first device corresponds to an initial priority;
the method further comprises the following steps:
and determining whether to update the security policy stored in the first device according to the priority of the third security policy and the initial priority corresponding to the security policy stored in the first device.
For example, the first security policy may also correspond to a priority, and the priorities of the first, second and third security policies may be set by different operators, namely a local administrator on the first device side, a remote administrator on the second device side and an operator on the third device side respectively; when the first device receives two or three of the first, second and third management requests at the same time, the security policy with the highest priority is determined by comparing the priorities, and the security policy stored in the first device is updated according to that security policy.
The priorities of the first, second and third security policies may also be determined based on their corresponding devices. For example, if the priority of the first device is set to 1, the priority of the second device to 2 and the priority of the edge computing platform to 3, then correspondingly the priority of the first security policy is 1, the priority of the second security policy is 2 and the priority of the third security policy is 3; when the first device receives two or three of the first, second and third management requests at the same time, the security policy with the highest priority is determined by comparing the priorities, and the security policy stored in the first device is updated according to that security policy.
In practical application there may be a scenario where the priorities set by different operators are the same, for example, the priorities that the local administrator on the first device side, the remote administrator on the second device side and the operator on the third device side set for the first, second and third security policies respectively are all equal. In view of this, the two schemes above (priorities set by the operator and priorities determined by the corresponding device) can be combined, that is, two priorities are set for each security policy: one set by the operator (local administrator, remote administrator, etc.) and the other set according to the device (first device, second device, third device). When the first device receives two or three of the first, second and third management requests at the same time and the comparison shows that the operator-set priorities are equal, the device-based priorities are compared further and taken as the deciding criterion. For example: the two priorities of the first security policy are 2 (set by the local administrator) and 1 (determined by the first device), and the two priorities of the second security policy are 2 (set by the remote administrator) and 2 (determined by the second device); the operator-set priorities are both 2, so the device-based priorities are compared further, the first security policy is found to have the higher priority, and the security policy stored in the first device is updated according to the first security policy.
On the second device side there may be multiple remote administrators, and different permissions may be assigned to each of them; likewise, on the first device side there may be multiple local administrators, and different rights may be assigned to each of them. That is, different permissions (corresponding to different priorities) may be assigned by jointly considering each local administrator on the first device side, each remote administrator on the second device side and the edge computing platform. The device-based priority assignment above is merely an example and not a limitation; in practical application it is configured according to actual requirements.
The above are only a few priority setting and specific application examples, and the priority may be set based on the requirement in practical application, which is not limited.
In actual application, the first device may notify the second device of the update result of the security policy.
Based on this, in an embodiment, the method further comprises:
sending the update result to the second device; the update result at least characterizes whether to update a security policy on the first device.
In practice, the first device may notify the edge computing platform of the update result of the security policy, particularly in the case of updating the security policy based on the third management request.
Based on this, in an embodiment, the method further comprises:
sending an update result to the edge computing platform; the update result at least characterizes whether to update the security policy.
In one embodiment, the security policy includes: a security level for each of the at least one application service;
the updating result comprises a configuration response of the security policy for each application service; the types of the configuration response include:
all consent, partial consent, rejection, exception information.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a rejection of configuration information for all application services on the edge computing platform;
a second security level; the second security level characterizes configuration information that is allowed for a portion of application services on the edge computing platform;
a third security level; the third security level characterizes configuration information that is allowed for all application services on the edge computing platform.
In an embodiment, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different application services;
a second configuration policy; the second configuration policy is directed to routing rules of different application services;
a third configuration policy; the third configuration policy is for a Domain Name System (DNS) of a different application service;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application service.
An embodiment of the present application provides a communication method, which is applied to a second device, and as shown in fig. 6, the method includes:
step 601, sending a second management request to the first device; the second management request is used for requesting to configure the security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
In actual application, the first device may notify the second device of the update result of the security policy.
Based on this, in an embodiment, the method further comprises:
receiving an update result from the first device; the update result at least characterizes whether to update a security policy on the first device.
In practical application, in order to improve the security of the security policy configuration, each security policy is given a priority, and the first device determines based on that priority whether a security policy can be configured or updated based on the corresponding management request.
Based on this, in an embodiment, the second management request further includes: a priority of the second security policy; the security policy stored by the first device corresponds to an initial priority;
the priority of the second security policy and the initial priority corresponding to the security policy stored by the first device are used for determining whether to update the security policy by the first device.
In one embodiment, the security policy includes: a security level for each of the at least one application service;
the updating result comprises a configuration response of the security policy for each application service; the types of the configuration response include:
all consent, partial consent, rejection, exception information.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a rejection of configuration information for all application services on the edge computing platform;
a second security level; the second security level characterizes configuration information that is allowed for a portion of application services on the edge computing platform;
a third security level; the third security level characterizes configuration information that is allowed for all application services on the edge computing platform.
In an embodiment, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different application services;
a second configuration policy; the second configuration policy is directed to routing rules of different application services;
a third configuration policy; the third configuration policy is for domain name systems of different application services;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application service.
An embodiment of the present application provides a communication method, which is applied to an edge computing platform, and as shown in fig. 7, the method includes:
step 701, sending a third management request to the first device; the third management request is used for requesting to configure the security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
In practical application, in order to improve the security of the security policy configuration, each security policy is given a priority, and the first device determines based on that priority whether a security policy can be configured or updated based on the corresponding management request.
Based on this, in an embodiment, the third management request further includes: a priority of the third security policy; the security policy stored by the first device corresponds to an initial priority;
the priority of the third security policy and the initial priority corresponding to the security policy stored by the first device are used for determining whether to update the security policy by the first device.
In practice, the first device may notify the edge computing platform of the update result of the security policy, particularly in the case of updating the security policy based on the third management request.
Based on this, in an embodiment, the method further comprises:
receiving an update result from the first device; the update result at least characterizes whether to update a security policy on the first device.
In one embodiment, the security policy includes: a security level for each of the at least one application service;
the updating result comprises a configuration response of the security policy for each application service; the types of the configuration response include:
all consent, partial consent, rejection, exception information.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a rejection of configuration information for all application services on the edge computing platform;
a second security level; the second security level characterizes configuration information that is allowed for a portion of application services on the edge computing platform;
a third security level; the third security level characterizes configuration information that is allowed for all application services on the edge computing platform.
In an embodiment, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different application services;
a second configuration policy; the second configuration policy is directed to routing rules of different application services;
a third configuration policy; the third configuration policy is for a Domain Name System (DNS) of a different application service;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application service.
The present application will be described in further detail with reference to the following application examples.
In the embodiment of the present application, the first device is referred to as a Local MEPM (L-MEPM); the second device is an MEPM; the edge computing platform is referred to as a MEP.
Three ways of managing security policies on the L-MEPM are proposed:
1) The local administrator directly performs the configuration operation on the L-MEPM; this corresponds to configuration via the first management request described above;
2) The remote administrator performs the configuration through a remote management request from the MEPM; this corresponds to configuration via the second management request described above;
3) The configuration is performed through a local request reported by the MEP; this corresponds to configuration via the third management request described above.
Considering that the L-MEPM holds a default security policy for each application on the MEP, and that conflicts or security issues may arise if several of these methods operate simultaneously, it is proposed to perform the configuration according to the priority of the security policy.
For mode 2), the L-MEPM correspondingly holds a list of authorized remote operators; the remote operators may be stored in an array or a similar structure.
The examples are as follows:
[example rendered as an image in the original; contents not available]
an example is provided for the setting (or updating) of security policies.
The JSON string is used to store the security policies of all applications, for example:
[example JSON rendered as an image in the original; contents not available]
Here, in order to apply the same operation uniformly to a plurality of applications, an application group is proposed for managing a list of applications with the same security level.
In the embodiment of the present application, a communication method is provided in which the configuration is performed through a remote management request (corresponding to the second management request) sent by the MEPM, and as shown in fig. 8, the method includes:
step 801, the MEPM sends a remote management request to the L-MEPM;
specifically, a remote administrator initiates a configuration request of a security policy on an operation and maintenance management device, and initiates a remote management request to the L-MEPM through the MEPM, wherein the remote management request is used for requesting to configure or update the security policy.
An example is given for the content of the request information, including but not limited to the content of table 1.
[table rendered as an image in the original; contents not available]
TABLE 1
Here, an example is given for the task request type, as shown in table 2.
[table rendered as an image in the original; contents not available]
TABLE 2
Here, an example is given for the unique ID in the system, as shown in table 3.
[table rendered as an image in the original; contents not available]
TABLE 3
Here, an example is provided for security policy priorities. Specifically,
Method 1: a number (Int or Long) is used to represent the priority of the security policy; the smaller the number, the higher the priority, the highest priority is 0, and the order from high to low is 0/1/2/3/4.
For example, a JSON string is used to represent the priorities of the security policies of the applications on the MEP:
[example JSON rendered as an image in the original; contents not available]
Method 2: a hash table is used, where the key is the application name and the value is the priority of the security policy.
1) When the priority parameter of the security policy in the request is less than or equal to the priority stored by the L-MEPM, updating the security policy; for example: the priority of the remote management request is 1 and the existing priority parameter is 3, the security policy is updated.
2) When the priority parameter of the security policy in the request is greater than the priority stored by the L-MEPM, the security policy is not updated; for example: if the priority of the remote management request is 1 and the existing priority parameter is 0, the security policy is not updated.
Here, an example is given for the security policy information, which may be included as shown in table 4 for each application on the MEP.
[table rendered as an image in the original; contents not available]
TABLE 4
Here, an example is given for the configuration information, as shown in table 5 below:
[table rendered as two images in the original; contents not available]
TABLE 5
Specifically, when the security level of an application on the MEP is set or updated to "strict", management configuration operations on the management configuration data of all applications on the MEP are prohibited, and the L-MEPM actively cuts off the management configuration operations of the MEPM.
When the security level of an application on the MEP is set or updated to "normal", only the allowed applications can be administratively configured by the MEPM, with the allowed applications distinguished by application.
When the security level of an application on the MEP is set or updated to "relaxed", all management configuration data operations for the application are allowed.
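The priority rule (update only when the requested priority number is less than or equal to the stored one) and the three security levels above, as an added example in Python that is not part of the patent or any MEC implementation. It assumes the hash-table representation keyed by application name, a boolean flag marking which "normal" applications the MEPM may configure, and reply field names of its own choosing rather than the fields of tables 6 and 7.

```python
from __future__ import annotations
from dataclasses import dataclass

# Security levels named in the description: strict / normal / relaxed.
STRICT, NORMAL, RELAXED = "strict", "normal", "relaxed"
# The four kinds of configuration policy the MEPM may send for an application.
CONFIG_KINDS = {"operation_authority", "routing_rules", "dns", "lifecycle"}
# Configuration response types carried in the update result.
ALL_CONSENT, PARTIAL_CONSENT, REJECTION, EXCEPTION = (
    "all consent", "partial consent", "rejection", "exception information")


@dataclass
class AppPolicy:
    level: str                   # STRICT / NORMAL / RELAXED
    priority: int                # smaller number = higher priority; 0 is highest
    mepm_allowed: bool = False   # NORMAL only: may the remote MEPM configure this app?


class LocalMEPM:
    """Security policy store of the L-MEPM: a hash table keyed by application
    name (method 2 in the text), one AppPolicy per value. Field names of the
    reply dicts are this example's own assumption, not the patent's tables."""

    def __init__(self, defaults: dict[str, AppPolicy]):
        # Every application on the MEP starts from its default policy.
        self.policies = dict(defaults)

    def handle_management_request(self, app: str, level: str, priority: int,
                                  mepm_allowed: bool = False) -> dict:
        """Apply the priority rule: update only when the request's priority
        number is less than or equal to the stored one. Returns the reply."""
        if level not in (STRICT, NORMAL, RELAXED):
            return {"app": app, "updated": False, "type": EXCEPTION,
                    "detail": f"unknown security level {level!r}"}
        current = self.policies.get(app)
        if current is None:
            return {"app": app, "updated": False, "type": EXCEPTION,
                    "detail": "no default security policy for this application"}
        if priority > current.priority:
            return {"app": app, "updated": False, "type": REJECTION,
                    "detail": f"request priority {priority} is lower than "
                              f"stored priority {current.priority}"}
        old_level = current.level
        self.policies[app] = AppPolicy(level, priority, mepm_allowed)
        reply = {"app": app, "updated": True, "type": ALL_CONSENT,
                 "detail": "security policy updated"}
        # Tightening to strict suspends the MEPM's management authority for
        # the application; the L-MEPM reports that (step 903 in the text).
        if level == STRICT and old_level != STRICT:
            reply["authority_suspended"] = True
        return reply

    def check_configuration(self, config: dict[str, set[str]]
                            ) -> tuple[str, dict[str, set[str]]]:
        """Evaluate management configuration data from the MEPM, given as
        app name -> requested configuration kinds, against the stored levels.
        Returns the configuration response type and the accepted subset."""
        # Per the description, one strict application prohibits MEPM
        # configuration of all applications on the MEP.
        if any(p.level == STRICT for p in self.policies.values()):
            return REJECTION, {}
        accepted: dict[str, set[str]] = {}
        for app, kinds in config.items():
            policy = self.policies.get(app)
            if policy is None or not kinds <= CONFIG_KINDS:
                return EXCEPTION, {}
            if policy.level == RELAXED or (policy.level == NORMAL
                                           and policy.mepm_allowed):
                accepted[app] = set(kinds)
        if not accepted:
            return REJECTION, {}
        if len(accepted) == len(config):
            return ALL_CONSENT, accepted
        return PARTIAL_CONSENT, accepted


if __name__ == "__main__":
    # Constructed sample: three applications with default policies.
    lm = LocalMEPM({"app_a": AppPolicy(NORMAL, 3, mepm_allowed=True),
                    "app_b": AppPolicy(RELAXED, 3),
                    "app_c": AppPolicy(NORMAL, 0)})
    # Request priority 1 against stored 3: updated (first example in the text).
    print(lm.handle_management_request("app_a", NORMAL, 1, mepm_allowed=True))
    # Request priority 1 against stored 0: not updated (second example).
    print(lm.handle_management_request("app_c", RELAXED, 1))
    print(lm.check_configuration({"app_a": {"dns"}, "app_b": {"routing_rules"},
                                  "app_c": {"lifecycle"}}))
    print(lm.handle_management_request("app_b", STRICT, 0))
    print(lm.check_configuration({"app_a": {"dns"}}))
```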
Step 802, L-MEPM responds to remote management request.
Specifically, after receiving a remote management request for a security policy, the L-MEPM evaluates the security policy according to the security policy priority carried in the remote management request;
the L-MEPM then replies with a message to the MEPM indicating whether it was able to update the security policy on the L-MEPM for the application on the MEP.
An example is given for a reply message, including but not limited to the contents of table 6.
[table rendered as an image in the original; contents not available]
TABLE 6
Here, an example is given for the reply type and reply specification that the L-MEPM sends to the MEPM, as shown in table 7.
[table rendered as an image in the original; contents not available]
TABLE 7
When the security policy of an application on the MEP changes, the updated security policy can also be actively reported to the L-MEPM, and the priority of that security policy may be higher than that of the security policy existing on the L-MEPM.
In this application embodiment, a communication method is further provided, where the configuration is performed through a local request (equivalent to the third management request) reported by the MEP, and as shown in fig. 9, the method includes:
step 901, the MEP sends a local request to the L-MEPM;
specifically, when the security policy of an application on the MEP changes, the MEP sends the changed security policy information to the L-MEPM; the contents may be as shown in table 8 below:
TABLE 8
Step 902, the L-MEPM responds to the local request.
Specifically, after receiving a management request for a security policy, the L-MEPM judges the security policy and updates it when it detects that the "security policy priority" parameter in the request message is less than or equal to the existing "security policy priority" parameter. The L-MEPM replies to the MEP with a message, which may include the information shown in table 9 below:
TABLE 9
An example is provided for a reply message and reply specification sent by the L-MEPM to the MEP, as shown in table 10.
TABLE 10
The method may further comprise:
step 903, the L-MEPM reports the suspension of the security management authority to the MEPM;
after the security policy is updated, the security level of some applications may have changed, for example from "normal" to "strict". The update result may then be sent to the MEPM, as shown in table 11, to inform it that the security management authority for the application is suspended, i.e. that the MEPM need not send configuration information to the L-MEPM, since the MEPM will no longer be able to perform management configuration on that application on the MEP.
TABLE 11
Step 904, the L-MEPM replies to the MEPM with a response to the suspension report;
that is, the L-MEPM tells the MEPM that the report has been received and understood, and that the MEPM will not be able to perform management configuration for this application on the MEP.
Here, an example of the response reply is given as shown in table 12.
TABLE 12
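As an added example that is not part of the patent text, the following Python model puts together the priority rule of steps 802 and 902, the three security levels described for step 801 and the configuration-response types listed for the update result. The class and function names, the priority encoding (a smaller number is the higher priority, as the 1-versus-0 example above implies) and the sample application names are assumptions made here for illustration.

```python
"""Model of the L-MEPM's policy arbitration (added example, not from the patent).

Assumptions: class/function names, the priority encoding (smaller value = higher
priority, so a request is applied only when its priority value is <= the stored
one) and the sample application names are all constructed for illustration.
"""
from dataclasses import dataclass, field

STRICT, NORMAL, RELAXED = "strict", "normal", "relaxed"
LEVELS = {STRICT, NORMAL, RELAXED}

# Configuration-response types the text lists for the update result.
ALL_CONSENT = "all consent"
PARTIAL_CONSENT = "partial consent"
REJECTION = "rejection"
EXCEPTION = "exception information"


@dataclass
class StoredPolicy:
    level: str
    priority: int  # priority of the policy the L-MEPM currently holds


@dataclass
class LocalMepm:
    """Holds one security policy (level + priority) per application on the MEP."""
    policies: dict = field(default_factory=dict)
    # Applications the MEPM may configure while their level is "normal".
    normal_allow: set = field(default_factory=set)

    def handle_policy_request(self, app, level, priority):
        """Priority rule of steps 802 (remote request) and 902 (local request).

        Returns (updated, suspended). `suspended` is True when the level changed
        to "strict", the condition under which step 903 reports the suspension
        of the MEPM's security management authority for the application.
        """
        if level not in LEVELS:
            return False, False  # malformed request: keep the stored policy
        current = self.policies.get(app)
        # Update only if the request priority <= stored priority
        # (the text's example: request 1 vs. stored 0 -> not updated).
        if current is not None and priority > current.priority:
            return False, False
        was_strict = current is not None and current.level == STRICT
        self.policies[app] = StoredPolicy(level, priority)
        return True, (level == STRICT and not was_strict)

    def evaluate_config(self, requests):
        """Check MEPM configuration items against the applications' levels.

        requests: list of (app, configuration_policy_kind) pairs.
        Returns (response_type, {app: "allowed" | "denied"}).
        """
        if not requests:
            return EXCEPTION, {}
        # "strict" on any application rejects configuration of all
        # applications on the MEP (first security level).
        mep_locked = any(p.level == STRICT for p in self.policies.values())
        results = {}
        for app, _kind in requests:
            pol = self.policies.get(app)
            if pol is None or mep_locked:
                results[app] = "denied"
            elif pol.level == NORMAL:  # second level: only permitted apps
                results[app] = "allowed" if app in self.normal_allow else "denied"
            else:  # RELAXED, third level: everything allowed
                results[app] = "allowed"
        allowed = sum(1 for v in results.values() if v == "allowed")
        if allowed == len(results):
            return ALL_CONSENT, results
        if allowed == 0:
            return REJECTION, results
        return PARTIAL_CONSENT, results


def demo():
    """Constructed walk-through of figs. 8 and 9 with sample applications."""
    lm = LocalMepm(normal_allow={"app-a"})
    lm.handle_policy_request("app-a", NORMAL, 0)   # initial local policies
    lm.handle_policy_request("app-b", RELAXED, 0)
    # Remote request from the MEPM carrying priority 1 (> stored 0): not applied.
    remote_applied, _ = lm.handle_policy_request("app-b", RELAXED, 1)
    # Local request from the MEP with priority 0 moves app-b to "strict", so
    # the suspension report of step 903 would be sent to the MEPM.
    _, suspended = lm.handle_policy_request("app-b", STRICT, 0)
    response, per_app = lm.evaluate_config([("app-a", "routing"), ("app-b", "dns")])
    return remote_applied, suspended, response, per_app


if __name__ == "__main__":
    print(demo())
```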
In order to implement the method on the first device side in the embodiment of the present application, an embodiment of the present application further provides a communication apparatus, which is disposed on the first device, and as shown in fig. 11, the apparatus includes:
a first processing unit 1102 for determining a management request; the management request is used for requesting to configure a security policy of an application service on the edge computing platform;
determining a security policy according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.
In an embodiment, the first processing unit 1102 is configured to determine a first operation for a first device;
determining a first management request based on the first operation; the first management request includes: a first security policy.
In one embodiment, the apparatus further comprises: a first communication unit 1101 for receiving a second management request from a second device; the second management request includes: a second security policy.
Wherein the second management request further comprises: a priority of the second security policy; the security policy stored by the first device corresponds to an initial priority;
the first processing unit 1102 is configured to determine whether to update the security policy stored in the first device according to the priority of the second security policy and the initial priority corresponding to the security policy stored in the first device.
In an embodiment, the first communication unit 1101 is configured to receive a third management request from an edge computing platform; the third management request includes a third security policy.
Wherein the third management request further comprises: a priority of the third security policy; the security policy stored by the first device corresponds to an initial priority;
the first processing unit 1102 is configured to determine whether to update the security policy stored in the first device according to the priority of the third security policy and the initial priority corresponding to the security policy stored in the first device.
In an embodiment, the first communication unit 1101 is further configured to send the update result to a second device; the update result at least characterizes whether to update a security policy on the first device.
In an embodiment, the first communication unit 1101 is further configured to send an update result to the edge computing platform; the update result at least characterizes whether to update the security policy.
In one embodiment, the security policy includes: a security level for each of the at least one application service;
the updating result comprises a configuration response of the security policy for each application service; the types of the configuration response include:
all consent, partial consent, rejection, exception information.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a rejection of configuration information for all application services on the edge computing platform;
a second security level; the second security level characterizes configuration information that is allowed for a portion of application services on the edge computing platform;
a third security level; the third security level characterizes configuration information that is allowed for all application services on the edge computing platform.
In one embodiment, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different application services;
a second configuration policy; the second configuration policy is directed to routing rules of different application services;
a third configuration policy; the third configuration policy is for domain name systems of different application services;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application service.
In practical applications, the first communication unit 1101 and the first processing unit 1102 may be implemented by a processor in a communication device in combination with a communication interface.
In order to implement the method on the second device side in the embodiment of the present application, an embodiment of the present application further provides a communication apparatus, which is disposed on the second device, and as shown in fig. 12, the apparatus includes:
a second communication unit 1201 for transmitting a second management request to the first device; the second management request is used for requesting to configure the security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
In an embodiment, the second communication unit 1201 is further configured to receive an update result from the first device; the update result at least characterizes whether to update a security policy on the first device.
The second management request further includes: a priority of the second security policy; the security policy stored by the first device corresponds to an initial priority;
the priority of the second security policy and the initial priority corresponding to the security policy stored by the first device are used for determining whether to update the security policy by the first device.
In one embodiment, the security policy includes: a security level for each of the at least one application service;
the updating result comprises a configuration response of the security policy for each application service; the types of the configuration response include:
all consent, partial consent, rejection, exception information.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a rejection of configuration information for all application services on the edge computing platform;
a second security level; the second security level characterizes configuration information that is allowed for a portion of application services on the edge computing platform;
a third security level; the third security level characterizes configuration information that is allowed for all application services on the edge computing platform.
In one embodiment, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different application services;
a second configuration policy; the second configuration policy is directed to routing rules of different application services;
a third configuration policy; the third configuration policy is for domain name systems of different application services;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application service.
In practical applications, the second communication unit 1201 can be implemented by a communication interface in a communication device.
It should be noted that: in the communication device provided in the above embodiment, only the division of each program module is exemplified when performing communication, and in practical applications, the above processing distribution may be completed by different program modules according to needs, that is, the internal structure of the device may be divided into different program modules to complete all or part of the above-described processing. In addition, the communication apparatus and the communication method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
In order to implement the method on the third device side in the embodiment of the present application, an embodiment of the present application further provides a communication apparatus, which is disposed on the third device, and as shown in fig. 13, the apparatus includes:
a third communication unit 1301, configured to send a third management request to the first apparatus; the third management request is used for requesting to configure a security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
In an embodiment, the third management request further includes: a priority of the third security policy; the security policy stored by the first device corresponds to an initial priority;
the priority of the third security policy and the initial priority corresponding to the security policy stored by the first device are used for determining whether to update the security policy by the first device.
In an embodiment, the third communication unit 1301 is further configured to receive an update result from the first apparatus; the update result at least characterizes whether to update a security policy on the first device.
In one embodiment, the security policy includes: a security level for each of the at least one application service;
the updating result comprises a configuration response of the security policy for each application service; the types of the configuration response include:
all consent, partial consent, rejection, exception information.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a rejection of configuration information for all application services on the edge computing platform;
a second security level; the second security level characterizes configuration information that is allowed for a portion of application services on the edge computing platform;
a third security level; the third security level characterizes configuration information that is allowed for all application services on the edge computing platform.
In one embodiment, the configuration information includes at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different application services;
a second configuration policy; the second configuration policy is directed to routing rules of different application services;
a third configuration policy; the third configuration policy is for domain name systems of different application services;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application service.
In practical applications, the third communication unit 1301 can be implemented by a communication interface in a communication device.
It should be noted that: in the communication device provided in the above embodiment, only the division of each program module is described as an example when performing communication, and in practical applications, the processing allocation may be completed by different program modules as needed, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the communication apparatus and the communication method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
Based on the hardware implementation of the program module, and in order to implement the method on the first device side in the embodiment of the present application, an embodiment of the present application further provides a first device, as shown in fig. 14, where the first device 1400 includes:
a first communication interface 1401 capable of performing information interaction with a second device;
the first processor 1402 is connected to the first communication interface 1401 to implement information interaction with the second device, and is configured to execute the method provided by one or more technical solutions of the first device side when running a computer program; the computer program is stored in the first memory 1403.
In particular, the first communication interface 1401 is configured to determine a management request; the management request is used for requesting to configure a security policy of an application service on the edge computing platform;
the first processor 1402, configured to determine a security policy according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.
Wherein, in an embodiment, the first communication interface 1401 is configured to: determining a first operation for a first device;
determining a first management request based on the first operation; the first management request includes: a first security policy.
In one embodiment, the first communication interface 1401 is configured to:
receiving a second management request from a second device; the second management request includes: a second security policy.
In an embodiment, the first processor 1402 is configured to determine whether to update the security policy stored in the first device according to a priority of the second security policy and an initial priority corresponding to the security policy stored in the first device.
In one embodiment, the first communication interface 1401 is configured to: receiving a third management request from the edge computing platform; the third management request includes a third security policy.
In an embodiment, the first processor 1402 is configured to determine whether to update the security policy stored in the first device according to a priority of the third security policy and an initial priority corresponding to the security policy stored in the first device.
In one embodiment, the first communication interface 1401 is further configured to: sending the update result to the second device; the update result at least characterizes whether to update a security policy on the first device.
In one embodiment, the first communication interface 1401 is further configured to: sending an update result to the edge computing platform; the update result at least characterizes whether to update the security policy.
It should be noted that: the specific processing of the first processor 1402 and the first communication interface 1401 may be understood with reference to the methods described above.
Of course, in practice, the various components of the first device 1400 are coupled together by a bus system 1404. It is understood that bus system 1404 is used to enable connective communication between these components. The bus system 1404 includes a power bus, a control bus, and a status signal bus in addition to a data bus. The various buses are designated as bus system 1404 in fig. 14 for the sake of clarity of illustration.
The first memory 1403 in the embodiment of the present application is used to store various types of data to support the operation of the first device 1400. Examples of such data include: any computer program for operating on the first device 1400.
The method disclosed in the embodiments of the present application may be applied to the first processor 1402, or implemented by the first processor 1402. The first processor 1402 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be implemented by integrated logic circuits of hardware or by instructions in the form of software in the first processor 1402. The first processor 1402 may be a general purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc. The first processor 1402 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the first memory 1403, and the first processor 1402 reads the information in the first memory 1403 and, in combination with its hardware, performs the steps of the foregoing method.
In an exemplary embodiment, the first device 1400 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, Micro Controller Units (MCUs), microprocessors, or other electronic components for performing the aforementioned methods.
Based on the hardware implementation of the program module, and in order to implement the method on the second device side in the embodiment of the present application, an embodiment of the present application further provides a second device, as shown in fig. 15, where the second device 1500 includes:
the second communication interface 1501 can perform information interaction with the first device and the third device;
the second processor 1502 is connected to the second communication interface 1501 to implement information interaction with the first device and the third device, and is configured to execute the method provided by one or more technical solutions of the second device side when running a computer program; the computer program is stored in the second memory 1503.
Specifically, the second communication interface 1501 is configured to send a second management request to the first device; the second management request is used for requesting to configure the security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
In an embodiment, the second communication interface 1501 is further configured to:
receiving an update result from the first device; the update result at least characterizes whether to update a security policy on the first device.
It should be noted that: the specific processing of the second communication interface 1501 and the second processor 1502 can be understood with reference to the methods described above.
Of course, in practice, the various components in the second device 1500 are coupled together by a bus system 1504. It is understood that the bus system 1504 is used to enable connected communication between these components. The bus system 1504 includes, in addition to the data bus, a power bus, a control bus, and a status signal bus. For clarity of illustration, however, the various buses are designated as bus system 1504 in fig. 15.
The second memory 1503 in the embodiment of the present application is used for storing various types of data to support the operation of the second device 1500. Examples of such data include: any computer program for operating on the second device 1500.
The method disclosed in the above embodiments of the present application may be applied to the second processor 1502, or implemented by the second processor 1502. The second processor 1502 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method can be implemented by an integrated logic circuit of hardware or instructions in the form of software in the second processor 1502. The second processor 1502 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The second processor 1502 may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the second memory 1503, and the second processor 1502 reads the information in the second memory 1503 to complete the steps of the foregoing methods in combination with hardware thereof.
In an exemplary embodiment, the second device 1500 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, microprocessors, or other electronic components for performing the aforementioned methods.
Based on the hardware implementation of the program module, and in order to implement the method on the third device side in the embodiment of the present application, an embodiment of the present application further provides a third device, as shown in fig. 16, where the third device 1600 includes:
the third communication interface 1601 is capable of performing information interaction with the first device and the third device;
the third processor 1602 is connected to the third communication interface 1601 to implement information interaction with the first device and the third device, and is configured to execute the method provided by one or more technical solutions of the third device side when running a computer program; the computer program is stored in the third memory 1603.
Specifically, the third communication interface 1601 is configured to send a third management request to the first device; the third management request is used for requesting to configure a security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
In an embodiment, the third communication interface 1601 is further configured to:
receiving an update result from the first device; the update result at least characterizes whether to update a security policy on the first device.
It should be noted that: the specific processing procedures of the third communication interface 1601 and the third processor 1602 can be understood with reference to the above-described methods.
Of course, in practice, various components within the third device 1600 are coupled together by the bus system 1604. It is understood that the bus system 1604 is used to enable connective communication between these components. The bus system 1604 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as the bus system 1604 in fig. 16.
The third memory 1603 in the embodiment of the application is used for storing various types of data to support the operation of the third device 1600. Examples of such data include: any computer program for operating on third device 1600.
The method disclosed in the embodiments of the present application may be applied to the third processor 1602, or implemented by the third processor 1602. The third processor 1602 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method can be implemented by integrated logic circuits of hardware or instructions in the form of software in the third processor 1602. The third processor 1602 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The third processor 1602 may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium located in the third memory 1603, and the third processor 1602 reads the information in the third memory 1603 and completes the steps of the foregoing method in combination with the hardware thereof.
In an exemplary embodiment, third device 1600 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, microprocessors, or other electronic components for performing the aforementioned methods.
It is to be understood that the memories (the first memory 1403, the second memory 1503, and the third memory 1603) in the embodiments of the present application may be volatile memories or nonvolatile memories, or may include both volatile and nonvolatile memories. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be a magnetic disk memory or a magnetic tape memory. The volatile memory may be a Random Access Memory (RAM), which serves as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
It should be noted that: "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict.
The above description is only a preferred embodiment of the present application, and is not intended to limit the scope of the present application.

Claims (31)

1. A communication method applied to a first device comprises the following steps:
determining a management request; the management request is used for requesting the configuration of a security policy of an application service on the edge computing platform;
determining a security policy according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.
2. The method of claim 1, wherein determining the management request comprises:
determining a first operation for a first device;
determining a first management request based on the first operation; the first management request includes: a first security policy.
3. The method of claim 1, wherein determining the management request comprises:
receiving a second management request from a second device; the second management request includes: a second security policy.
4. The method of claim 3, wherein the second management request further comprises: a priority of the second security policy; the security policy stored by the first device corresponds to an initial priority;
the method further comprises the following step:
determining whether to update the security policy stored in the first device according to the priority of the second security policy and the initial priority corresponding to the security policy stored in the first device.
5. The method of claim 1, wherein determining the management request comprises:
receiving a third management request from the edge computing platform; the third management request includes a third security policy.
6. The method of claim 5, wherein the third management request further comprises: a priority of the third security policy; the security policy stored by the first device corresponds to an initial priority;
the method further comprises the following step:
determining whether to update the security policy stored in the first device according to the priority of the third security policy and the initial priority corresponding to the security policy stored in the first device.
7. The method of any of claims 1 to 6, further comprising:
sending the update result to the second device; the update result at least characterizes whether to update a security policy on the first device.
8. The method of claim 4, further comprising:
sending an update result to the edge computing platform; the update result at least characterizes whether to update the security policy.
9. The method according to any one of claims 1 to 7, wherein the security policy comprises: a security level for each of the at least one application service;
the updating result comprises a configuration response of the security policy for each application service; the types of the configuration response include:
all consent, partial consent, rejection, exception information.
10. The method of claim 9, wherein the security policy comprises at least one of:
a first security level; the first security level characterizes a rejection of configuration information for all application services on the edge computing platform;
a second security level; the second security level characterizes configuration information that is allowed for a portion of application services on the edge computing platform;
a third security level; the third security level characterizes configuration information that is allowed for all application services on the edge computing platform.
11. The method of claim 10, wherein the configuration information comprises at least one of:
a first configuration policy; the first configuration policy is directed to the operation permissions of different application services;
a second configuration policy; the second configuration policy is directed to the routing rules of different application services;
a third configuration policy; the third configuration policy is directed to the domain name system (DNS) configuration of different application services;
a fourth configuration policy; the fourth configuration policy is directed to the lifecycle of different application services.
12. A communication method applied to a second device comprises the following steps:
sending a second management request to the first device; the second management request is used for requesting to configure the security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
13. The method of claim 12, further comprising:
receiving an update result from the first device; the update result at least characterizes whether to update a security policy on the first device.
14. The method of claim 12, wherein the second management request further comprises: a priority of the second security policy; the security policy stored by the first device corresponds to an initial priority;
the priority of the second security policy and the initial priority corresponding to the security policy stored by the first device are used for determining whether to update the security policy by the first device.
15. The method according to any of claims 12 to 14, wherein the security policy comprises: a security level for each of the at least one application service;
the updating result comprises a configuration response of the security policy for each application service; the types of the configuration response include:
all consent, partial consent, rejection, exception information.
16. The method of claim 12, wherein the security policy comprises at least one of:
a first security level; the first security level characterizes a rejection of configuration information for all application services on the edge computing platform;
a second security level; the second security level characterizes configuration information that is allowed for a portion of application services on the edge computing platform;
a third security level; the third security level characterizes configuration information that is allowed for all application services on the edge computing platform.
17. The method of claim 16, wherein the configuration information comprises at least one of:
a first configuration policy; the first configuration policy is directed to the operation permissions of different application services;
a second configuration policy; the second configuration policy is directed to the routing rules of different application services;
a third configuration policy; the third configuration policy is directed to the domain name system (DNS) configuration of different application services;
a fourth configuration policy; the fourth configuration policy is directed to the lifecycle of different application services.
18. A communication method applied to an edge computing platform comprises the following steps:
sending a third management request to the first device; the third management request is used for requesting to configure the security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
19. The method of claim 18, wherein the third management request further comprises: a priority of the third security policy; the security policy stored by the first device corresponds to an initial priority;
the priority of the third security policy and the initial priority corresponding to the security policy stored by the first device are used for determining whether to update the security policy by the first device.
20. The method of claim 19, further comprising:
receiving an update result from the first device; the update result at least characterizes whether to update a security policy on the first device.
21. The method of claim 20, wherein the security policy comprises: a security level for each of the at least one application service;
the updating result comprises a configuration response of the security policy for each application service; the types of the configuration response include:
all consent, partial consent, rejection, exception information.
22. The method according to any of claims 18 to 21, wherein the security policy comprises at least one of:
a first security level; the first security level characterizes a rejection of configuration information for all application services on the edge computing platform;
a second security level; the second security level characterizes configuration information that is allowed for a portion of application services on the edge computing platform;
a third security level; the third security level characterizes configuration information that is allowed for all application services on the edge computing platform.
23. The method of claim 22, wherein the configuration information comprises at least one of:
a first configuration policy; the first configuration policy is directed to the operation permissions of different application services;
a second configuration policy; the second configuration policy is directed to the routing rules of different application services;
a third configuration policy; the third configuration policy is directed to the domain name system (DNS) configuration of different application services;
a fourth configuration policy; the fourth configuration policy is directed to the lifecycle of different application services.
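The arbitration that claims 3 to 23 describe in words (a first device holds a stored security policy with an initial priority, receives a management request carrying a new policy and its priority from a second device or from the edge computing platform, decides whether to replace the stored policy, and returns an update result with one configuration response per application service) is shown below as an added Python model. It is an illustration written for this page, not the applicant's code, and nothing in it appears in the patent. The message field names, the rule that a request with a priority lower than the stored policy's is ignored while an equal or higher one is applied, the mapping of each security level to a response type, and the treatment of an unknown configuration kind as "exception information" are all assumptions; the claims name the concepts but fix none of these details.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet

# Assumed vocabulary for the four configuration policies of claims 11/17/23.
CONFIG_KINDS = frozenset({"operation_authority", "routing_rules", "dns", "lifecycle"})


class SecurityLevel(Enum):
    REJECT_ALL = 1      # first level: refuse configuration information for the service
    ALLOW_PARTIAL = 2   # second level: allow only an explicit subset of config kinds
    ALLOW_ALL = 3       # third level: allow every kind of configuration information


class Response(Enum):
    ALL_CONSENT = "all consent"
    PARTIAL_CONSENT = "partial consent"
    REJECTION = "rejection"
    EXCEPTION = "exception information"


@dataclass(frozen=True)
class ServicePolicy:
    level: SecurityLevel
    allowed: FrozenSet[str] = frozenset()   # consulted only for ALLOW_PARTIAL


@dataclass
class SecurityPolicy:
    priority: int
    services: Dict[str, ServicePolicy]      # application service name -> per-service level


@dataclass
class ManagementRequest:
    sender: str                             # "second_device" or "edge_platform" (assumed tags)
    policy: SecurityPolicy


@dataclass
class UpdateResult:
    recipient: str                          # the update result goes back to the requester (claims 7, 8)
    updated: bool                           # whether the stored policy changed
    responses: Dict[str, Response]          # one configuration response per application service (claim 9)


def classify(sp: ServicePolicy) -> Response:
    """Map a per-service level to its configuration response; unknown kinds are an exception."""
    if sp.level is SecurityLevel.REJECT_ALL:
        return Response.REJECTION
    if sp.level is SecurityLevel.ALLOW_ALL:
        return Response.ALL_CONSENT
    if not sp.allowed or not sp.allowed <= CONFIG_KINDS:
        return Response.EXCEPTION
    return Response.PARTIAL_CONSENT


class FirstDevice:
    def __init__(self, initial: SecurityPolicy):
        self.stored = initial               # stored policy with its initial priority (claims 4, 6)

    def handle(self, req: ManagementRequest) -> UpdateResult:
        responses = {name: classify(sp) for name, sp in req.policy.services.items()}
        if req.policy.priority < self.stored.priority:
            # Assumed rule: a lower-priority request never overrides the stored policy.
            return UpdateResult(req.sender, False, {n: Response.REJECTION for n in responses})
        accepted = {n: sp for n, sp in req.policy.services.items()
                    if responses[n] is not Response.EXCEPTION}
        if accepted:
            merged = {**self.stored.services, **accepted}
            self.stored = SecurityPolicy(req.policy.priority, merged)
        return UpdateResult(req.sender, bool(accepted), responses)

    def permits(self, service: str, kind: str) -> bool:
        """The security management function: may configuration `kind` be applied to `service`?"""
        sp = self.stored.services.get(service)
        if sp is None or kind not in CONFIG_KINDS:
            return False                    # unknown service or kind: deny by default
        if sp.level is SecurityLevel.ALLOW_ALL:
            return True
        if sp.level is SecurityLevel.ALLOW_PARTIAL:
            return kind in sp.allowed
        return False


def demo() -> dict:
    """Constructed exchange: a high-priority policy from the second device, then a lower-priority one from the platform."""
    dev = FirstDevice(SecurityPolicy(priority=0, services={}))
    r1 = dev.handle(ManagementRequest("second_device", SecurityPolicy(5, {
        "video-analytics": ServicePolicy(SecurityLevel.ALLOW_ALL),
        "telemetry": ServicePolicy(SecurityLevel.ALLOW_PARTIAL, frozenset({"dns"})),
        "legacy": ServicePolicy(SecurityLevel.ALLOW_PARTIAL, frozenset({"firmware"})),  # unknown kind
    })))
    r2 = dev.handle(ManagementRequest("edge_platform", SecurityPolicy(1, {
        "video-analytics": ServicePolicy(SecurityLevel.REJECT_ALL),
    })))
    return {"r1": r1, "r2": r2, "dev": dev}
```

In the constructed run, the second device's priority-5 request is applied except for the service whose configuration kind is unknown, which is reported back as exception information; the edge platform's later priority-1 attempt to lock down the video-analytics service is reported as rejected and leaves the stored policy untouched, so a routing-rule push to that service is still permitted while a routing-rule push to the partially allowed telemetry service is not.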
24. A communications apparatus, disposed on a first device, comprising:
a first processing unit for determining a management request; the management request is used for requesting the configuration of a security policy of an application service on the edge computing platform;
determining a security policy according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.
25. A communication apparatus, provided on a second device, comprising:
the second communication unit is used for sending a second management request to the first equipment; the second management request is used for requesting to configure a security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
26. A communications apparatus, disposed on an edge computing platform, comprising:
a third communication unit, configured to send a third management request to the first device; the third management request is used for requesting to configure a security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
27. A first device, comprising: a first processor and a first communication interface; wherein
the first processor is used for determining a management request; the management request is used for requesting to configure a security policy of an application service on the edge computing platform;
determining a security policy according to the management request; the security policy is used to provide security management functions for application services on the edge computing platform.
28. A second device, comprising: a second processor and a second communication interface; wherein
the second communication interface is used for sending a second management request to the first equipment; the second management request is used for requesting to configure a security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
29. An edge computing platform, comprising: a third processor and a third communication interface; wherein
the third communication interface is used for sending a third management request to the first equipment; the third management request is used for requesting to configure a security policy of the application service on the edge computing platform; the security policy is used to provide security management functions for application services on the edge computing platform.
30. A network device, comprising: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to perform the steps of the method of any one of claims 1 to 11 when the computer program is run; or
the processor is configured to perform the steps of the method of any one of claims 12 to 17 when the computer program is run; or
the processor is configured to perform the steps of the method of any one of claims 18 to 23 when the computer program is run.
31. A storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 11; or
the computer program, when executed by a processor, implements the steps of the method of any one of claims 12 to 17; or
the computer program, when executed by a processor, implements the steps of the method of any one of claims 18 to 23.
CN202110703263.9A 2021-06-24 2021-06-24 Communication method, communication device, related equipment and storage medium Pending CN115529143A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110703263.9A CN115529143A (en) 2021-06-24 2021-06-24 Communication method, communication device, related equipment and storage medium
PCT/CN2022/099572 WO2022267995A1 (en) 2021-06-24 2022-06-17 Communication method and apparatus, related device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110703263.9A CN115529143A (en) 2021-06-24 2021-06-24 Communication method, communication device, related equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115529143A true CN115529143A (en) 2022-12-27

Family

ID=84545130

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110703263.9A Pending CN115529143A (en) 2021-06-24 2021-06-24 Communication method, communication device, related equipment and storage medium

Country Status (2)

Country Link
CN (1) CN115529143A (en)
WO (1) WO2022267995A1 (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110138627B (en) * 2019-07-11 2019-09-20 电子科技大学 A kind of edge side terminal security access strategy selection method based on security risk quantization
US11349870B2 (en) * 2019-08-16 2022-05-31 Verizon Patent And Licensing Inc. Methods and devices for virtualizing device security using a multi-access server that is separate from a device
CN112788593A (en) * 2019-11-04 2021-05-11 阿里巴巴集团控股有限公司 Security policy updating method, device and system
CN112968885B (en) * 2021-02-02 2023-03-24 中国信息通信研究院 Edge computing platform safety protection method and device

Also Published As

Publication number Publication date
WO2022267995A1 (en) 2022-12-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination