CN115529144A - Communication system, method, apparatus, first device, second device, and storage medium - Google Patents


Info

Publication number
CN115529144A
Authority
CN
China
Prior art keywords
information
application
configuration
computing platform
edge computing
Legal status
Pending
Application number
CN202110703440.3A
Other languages
Chinese (zh)
Inventor
唐小勇
尚宇翔
韩延涛
游正朋
朱磊
罗柯
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Chengdu ICT Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Chengdu ICT Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Chengdu ICT Co Ltd
Priority to CN202110703440.3A
Priority to PCT/CN2022/099569 (WO2022267994A1)
Publication of CN115529144A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a communication system, a communication method, a communication apparatus, a first device, a second device and a storage medium. The system includes a first device, a second device and a third device. The first device is configured to receive first information from the second device and to provide a security management function for an application on an edge computing platform based on the first information and a security policy; the first information is used to configure the application on the edge computing platform. The second device is configured to send the first information to the first device based on second information from the third device; the second information is used to orchestrate the application on the edge computing platform.

Description

Communication system, method, apparatus, first device, second device, and storage medium
Technical Field
The present application relates to the field of communications, and in particular, to a communication system, method, apparatus, first device, second device, and storage medium.
Background
The fifth generation mobile communication technology (5G), as a new generation of communication technology, has many advantages such as large bandwidth, low latency, high reliability, high connection density and ubiquitous network coverage, and so promotes the rapid development and turnover of vertical industries, for example the rise of smart healthcare, smart education and smart agriculture.
Mobile Edge Computing (MEC) is one of the key technologies of 5G evolution. It is a general Information Technology (IT) platform that exposes wireless network information through Application Programming Interfaces (APIs) and provides computing, storage and analysis functions. By means of MEC, applications that were traditionally external can be pulled into the mobile device, which is closer to the user, to provide localized services; this improves the user experience and draws more value out of the edge network.
By combining 5G and MEC, technical combinations such as quality of service (QoS), end-to-end network slicing, network capability exposure and edge cloud can be introduced into different industry demand scenarios, so that customized solutions can be provided.
In the related art, schemes that combine 5G and MEC technology carry a security risk.
Disclosure of Invention
In order to solve the above technical problem, embodiments of the present application provide a communication method, an apparatus, related devices and a storage medium.
The technical solution of the embodiments of the present application is realized as follows:
an embodiment of the present application provides a communication system, including a first device, a second device and a third device; wherein
the first device is configured to receive first information from the second device and to provide a security management function for an application on an edge computing platform based on the first information and a security policy; the first information is used to configure the application on the edge computing platform;
the second device is configured to send the first information to the first device based on second information from the third device; the second information is used to orchestrate the application on the edge computing platform.
In the above solution, the security policy includes at least one of:
a first security level; the first security level characterizes that configuration is denied for all applications on the edge computing platform;
a second security level; the second security level characterizes that configuration is allowed for a portion of the applications on the edge computing platform;
a third security level; the third security level characterizes that configuration is allowed for all applications on the edge computing platform.
In the above solution, the first device is further configured to send third information to the second device; the third information indicates whether the first information was configured successfully;
the second device is further configured to send fourth information to the third device based on the third information; the fourth information indicates whether the second information was configured successfully.
In the above solution, the first information includes configuration information of at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different applications;
a second configuration policy; the second configuration policy concerns the routing rules of different applications;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) settings of different applications;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different applications.
In the above solution, the second information includes at least one of:
management information of the application;
lifecycle management information of the application;
lifecycle change information of the application.
In the above solution, the third device is further configured to receive first access authentication information from the first device and to send first authentication response information to the first device; the first authentication response information includes at least an identity of the first device.
In the above solution, the third device is further configured to receive second access authentication information from the second device and to send second authentication response information to the second device; the second authentication response information includes at least an identity of the second device;
the third device is further configured to send the identity of the first device to the second device.
In the above solution, the number of first devices is one or more.
An embodiment of the present application provides a communication method applied to a first device; the method includes:
receiving first information from a second device; the first information is used to configure an application on an edge computing platform;
providing a security management function for the application on the edge computing platform based on the first information and a security policy.
In the above solution, the security policy includes at least one of:
a first security level; the first security level characterizes that configuration is denied for all applications on the edge computing platform;
a second security level; the second security level characterizes that configuration is allowed for a portion of the applications on the edge computing platform;
a third security level; the third security level characterizes that configuration is allowed for all applications on the edge computing platform.
In the above solution, the method further includes:
sending third information to the second device; the third information indicates whether the first information was configured successfully.
In the above solution, the first information includes configuration information of at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different applications;
a second configuration policy; the second configuration policy concerns the routing rules of different applications;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) settings of different applications;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different applications.
In the above solution, the method further includes:
sending first access authentication information to a third device;
receiving first authentication response information from the third device; the first authentication response information includes at least an identity of the first device.
An embodiment of the present application provides a communication method applied to a second device; the method includes:
receiving second information from a third device; the second information is used to orchestrate an application on an edge computing platform;
sending first information to a first device based on the second information; the first information instructs the first device to configure the application on the edge computing platform based on the first information and a security policy.
In the above solution, the first information includes configuration information of at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different applications;
a second configuration policy; the second configuration policy concerns the routing rules of different applications;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) settings of different applications;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different applications.
In the above solution, the second information includes at least one of:
management information of the application;
lifecycle management information of the application;
lifecycle change information of the application.
In the above solution, the security policy includes at least one of:
a first security level; the first security level characterizes that configuration is denied for all applications on the edge computing platform;
a second security level; the second security level characterizes that configuration is allowed for a portion of the applications on the edge computing platform;
a third security level; the third security level characterizes that configuration is allowed for all applications on the edge computing platform.
In the above solution, the method further includes:
receiving third information from the first device; the third information indicates whether the first information was configured successfully;
sending fourth information to the third device based on the third information; the fourth information indicates whether the second information was configured successfully.
In the above solution, the method further includes:
sending second access authentication information to the third device; receiving second authentication response information from the third device; the second authentication response information includes at least an identity of the second device;
the method further includes: receiving the identity of the first device.
An embodiment of the present application provides a communication apparatus arranged on a first device; the apparatus includes:
a first communication unit configured to receive first information from a second device; the first information is used to configure an application on an edge computing platform;
a first processing unit configured to provide a security management function for the application on the edge computing platform based on the first information and a security policy.
In the above solution, the security policy includes at least one of:
a first security level; the first security level characterizes that configuration is denied for all applications on the edge computing platform;
a second security level; the second security level characterizes that configuration is allowed for a portion of the applications on the edge computing platform;
a third security level; the third security level characterizes that configuration is allowed for all applications on the edge computing platform.
In the above solution, the first communication unit is further configured to send third information to the second device; the third information indicates whether the first information was configured successfully.
In the above solution, the first information includes configuration information of at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different applications;
a second configuration policy; the second configuration policy concerns the routing rules of different applications;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) settings of different applications;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different applications.
In the above solution, the first communication unit is further configured to send first access authentication information to a third device and to receive first authentication response information from the third device; the first authentication response information includes at least an identity of the first device.
An embodiment of the present application provides a first device, including a first processor and a first communication interface; wherein
the first communication interface is configured to receive first information from a second device; the first information is used to configure an application on an edge computing platform;
the first processor is configured to provide a security management function for the application on the edge computing platform based on the first information and a security policy.
An embodiment of the present application provides a communication apparatus arranged on a second device; the apparatus includes:
a second communication unit configured to receive second information from a third device; the second information is used to orchestrate an application on an edge computing platform;
a second processing unit configured to send first information to a first device based on the second information; the first information instructs the first device to configure the application on the edge computing platform based on the first information and a security policy.
In the above solution, the first information includes configuration information of at least one of:
a first configuration policy; the first configuration policy concerns the operation permissions of different applications;
a second configuration policy; the second configuration policy concerns the routing rules of different applications;
a third configuration policy; the third configuration policy concerns the Domain Name System (DNS) settings of different applications;
a fourth configuration policy; the fourth configuration policy concerns the lifecycle of different applications.
In the above solution, the second information includes at least one of:
management information of the application;
lifecycle management information of the application;
lifecycle change information of the application.
In the above solution, the security policy includes at least one of:
a first security level; the first security level characterizes that configuration is denied for all applications on the edge computing platform;
a second security level; the second security level characterizes that configuration is allowed for a portion of the applications on the edge computing platform;
a third security level; the third security level characterizes that configuration is allowed for all applications on the edge computing platform.
In the above solution, the second communication unit is further configured to receive third information from the first device; the third information indicates whether the first information was configured successfully;
and to send fourth information to the third device based on the third information; the fourth information indicates whether the second information was configured successfully.
In the above solution, the second communication unit is further configured to send second access authentication information to the third device and to receive second authentication response information from the third device; the second authentication response information includes at least an identity of the second device;
and to receive the identity of the first device.
An embodiment of the present application provides a second device, including a second processor and a second communication interface; wherein
the second communication interface is configured to receive second information from a third device; the second information is used to orchestrate an application on an edge computing platform;
the second processor is configured to send first information to a first device based on the second information; the first information instructs the first device to configure the application on the edge computing platform based on the first information and a security policy.
An embodiment of the present application provides a network device, including a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to execute the steps of any of the above first-device-side methods when running the computer program; or
the processor is configured to execute the steps of any of the above second-device-side methods when running the computer program.
An embodiment of the present application provides a storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of any of the above first-device-side methods; or
when executed by a processor, the computer program implements the steps of any of the above second-device-side methods.
In the communication system, method, apparatus, first device, second device and storage medium provided by the embodiments of the present application, the system includes a first device, a second device and a third device. The first device is configured to receive first information from the second device and to provide a security management function for an application on an edge computing platform based on the first information and a security policy; the first information is used to configure the application on the edge computing platform. The second device is configured to send the first information to the first device based on second information from the third device; the second information is used to orchestrate the application on the edge computing platform. In the solution of the embodiments of the present application, the first device provides the security management function for the application on the edge computing platform based on the security policy, so the first device can decide, according to the security policy, whether to carry out the configuration requested by the first information; therefore, the security management and control capability of the first device over the configuration of applications on the edge computing platform can be improved.
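A compact model of the control flow claimed above (third device orchestrates, second device forwards first information, first device gates it by security level and reports third and fourth information), written here as an added example; it is not code from the patent, and the class names, the per-application allowlist used to represent the second security level and the sample orchestration are assumptions.

```python
"""Model of the claimed flow: a third device orchestrates an application, a second
device turns that into first information, and a first device gates the configuration
by its security policy and reports the outcome (third and fourth information).
Added example, not code from the patent; class names and the allowlist are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class SecurityLevel(Enum):
    DENY_ALL = 1       # first security level: configuration refused for all applications
    ALLOW_PARTIAL = 2  # second security level: configuration allowed for a subset
    ALLOW_ALL = 3      # third security level: configuration allowed for all applications


# The four configuration policy kinds the first information may carry.
POLICY_TYPES = ("permission", "routing", "dns", "lifecycle")


@dataclass
class ConfigItem:
    """One element of the first information: one policy for one application."""
    app_id: str
    policy_type: str
    payload: dict


@dataclass
class SecurityPolicy:
    level: SecurityLevel
    # Consulted only at ALLOW_PARTIAL (assumed representation of "a portion of
    # applications"): app_id -> policy types a remote manager may configure.
    allowed: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class ConfigResult:
    """One entry of the third information: whether an item was configured, and why."""
    app_id: str
    policy_type: str
    applied: bool
    reason: str


class FirstDevice:
    """Local security manager in front of the edge platform's configuration store."""

    def __init__(self, policy: SecurityPolicy) -> None:
        self.policy = policy
        self.applied: Dict[Tuple[str, str], dict] = {}

    def _authorized(self, item: ConfigItem) -> Tuple[bool, str]:
        if item.policy_type not in POLICY_TYPES:
            return False, "unknown policy type"
        level = self.policy.level
        if level is SecurityLevel.DENY_ALL:
            return False, "level 1: configuration denied for all applications"
        if level is SecurityLevel.ALLOW_ALL:
            return True, "level 3: configuration allowed for all applications"
        if item.policy_type in self.policy.allowed.get(item.app_id, set()):
            return True, "level 2: application and policy type are permitted"
        return False, "level 2: application or policy type not in permitted subset"

    def handle_first_information(self, items: List[ConfigItem]) -> List[ConfigResult]:
        """Apply what the policy permits, refuse the rest, return the third information."""
        results = []
        for item in items:
            ok, reason = self._authorized(item)
            if ok:  # only authorized items reach the platform's configuration
                self.applied[(item.app_id, item.policy_type)] = item.payload
            results.append(ConfigResult(item.app_id, item.policy_type, ok, reason))
        return results


class SecondDevice:
    """Platform manager: derives first information from the orchestration input and
    condenses the first device's third information into fourth information."""

    def __init__(self, first_device: FirstDevice) -> None:
        self.first_device = first_device

    def handle_second_information(self, orchestration: List[dict]) -> dict:
        items = [ConfigItem(entry["app"], ptype, payload)
                 for entry in orchestration
                 for ptype, payload in entry["config"].items()]
        third = self.first_device.handle_first_information(items)
        return {"success": all(r.applied for r in third), "results": third}


# Constructed sample second information (orchestration input), not from the patent.
SAMPLE_ORCHESTRATION = [
    {"app": "vision-inspection",
     "config": {"routing": {"dst": "10.10.0.0/24", "via": "n6"},
                "dns": {"name": "api.vision.local", "addr": "10.10.0.5"}}},
    {"app": "patient-records",
     "config": {"lifecycle": {"action": "restart"}}},
]


def run(level: SecurityLevel, allowed: Optional[Dict[str, Set[str]]] = None) -> dict:
    """Drive the three-device flow once under the given security policy."""
    first = FirstDevice(SecurityPolicy(level, allowed or {}))
    fourth = SecondDevice(first).handle_second_information(SAMPLE_ORCHESTRATION)
    fourth["applied_keys"] = sorted(first.applied)  # what actually reached the platform
    return fourth
```

Under the second security level only the allowlisted application and policy types are configured; the lifecycle change for the other application is refused and the fourth information reports the orchestration as not fully successful.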
Drawings
Fig. 1 is a schematic system configuration diagram of an MEC in the related art;
Fig. 2 is a schematic diagram of the host layer and system layer of an MEC in the related art;
Fig. 3 is a schematic structural diagram of a 5G industry cloud-network convergence system in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a communication system according to an embodiment of the present application;
Fig. 5 is a flowchart illustrating a communication method according to an embodiment of the present application;
Fig. 6 is a flowchart illustrating another communication method according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a communication system according to an embodiment of the present application;
Fig. 8 is a flowchart illustrating a communication method according to an embodiment of the present application;
Fig. 9 is a flowchart illustrating registration authentication according to an embodiment of the present application;
Fig. 10 is a schematic diagram of the relationship between an MEPM and an L-MEPM according to an embodiment of the present application;
Fig. 11 is a diagram illustrating an authorization method according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application;
Fig. 13 is a schematic structural diagram of another communication apparatus according to an embodiment of the present application;
Fig. 14 is a schematic structural diagram of a first device according to an embodiment of the present application;
Fig. 15 is a schematic structural diagram of a second device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples.
In the related art, MEC, as a multi-access edge computing platform standard led by the European Telecommunications Standards Institute (ETSI), has evolved from an initial mobile edge computing platform into a multi-access edge computing platform based on Virtual Network Functions (VNFs). It provides more efficient service operation by virtualizing MEC applications, platforms and resources and offering them as services, in order to meet the differing processing requirements of different services. The ETSI standards organization defines the MEC system framework shown in fig. 1.
The MEC system mainly includes three layers: the MEC system level, the MEC host level and the network layer (Networks).
The MEC system level is responsible for allocating, reclaiming and coordinating all MEC resources so as to meet the computing and transmission resource requirements of different services. MEC system-level management supports both system-level and host-level management functions. The system-level management functions include a user application lifecycle management proxy, an operations support system and the MEC orchestrator; the host-level management functions include the MEC platform manager and the virtualization infrastructure manager. MEC services provided to terminals and third-party customers (for example, enterprises) are managed through the MEC management layer.
The MEC host level provides the computing, storage and transmission functions needed by MEC applications, the MEC platform and so on.
The network layer provides different network options (such as 3GPP wireless networks, non-3GPP wireless networks and wired networks) to the applications in the upper layer, and dynamically adjusts the routing policy according to signaling from the upper layer so as to meet the transmission requirements that different services place on the network.
As shown in fig. 2, the MEC host includes the MEC platform and the virtualization infrastructure (computing, storage, network). The virtualization infrastructure contains a data plane that executes the routing rules received from the MEC platform and forwards traffic between applications (also called MEC applications or MEP applications), services (also called MEC services or MEP services), DNS servers/proxies, 3GPP networks, other access networks, local networks and external networks. The MEP enables applications to provide and invoke services, and the MEP itself may also provide services. Specifically, an application runs in a virtual machine or a container and can offer rich and diverse services to the outside (such as location, wireless network information and traffic management), and an application may also use services provided by other applications; for example, the location and traffic management services provided by application A may be used by application B and application C. A service may be provided by the MEP or by a particular application, and when a service is provided by an application it may be registered in the service list of the MEP.
The MEC platform (MEP) supports the following functions:
1) Providing an environment in which MEC applications can discover, advertise, consume and offer MEC services, including (optionally) MEC services provided by other platforms;
2) Receiving routing rules from the MEC platform manager, applications or services, and controlling data-plane traffic accordingly;
3) Receiving DNS records from the MEC platform manager, and configuring the DNS proxy/server;
4) Hosting MEC services;
5) Providing access to persistent storage and time-of-day information.
The MEC orchestrator (MEO), also called the MEC application orchestrator (MEAO), is the core of MEC system-level management and supports the following functions:
1) Maintaining an overall view of the MEC system (that is, the overall deployment), such as the deployed MEC hosts, the available MEC resources, the available MEC services and the system topology;
2) Managing the on-boarding of MEC application packages, including: checking the integrity and authenticity of the application package; validating the application's rules and requirements, judging whether they need adjustment and, if so, adjusting them to conform to operator policy; keeping a record of the on-boarded application package; and preparing the virtualization infrastructure manager to handle the application;
3) Selecting an appropriate MEC host for application instantiation based on constraints (such as latency, available resources and available services);
4) Triggering application instantiation and termination;
5) Triggering on-demand application relocation.
The MEC platform manager (MEPM) supports the following functions:
1) Managing the lifecycle of applications, for example notifying the MEAO of application-related events;
2) Providing the element management function of the MEP, which includes Virtual Network Function (VNF) element management and Network Service (NS) element management; an NS information element includes a Physical Network Function (PNF) information element, a virtual link information element and a VNF Forwarding Graph information element;
3) Managing the rules and requirements of MEC applications, such as service authorizations, routing rules, Domain Name System (DNS) configuration and conflict handling;
4) Receiving fault reports and performance measurement data for virtual resources from the Virtualized Infrastructure Manager (VIM). The main functions of the VIM include allocating, managing and releasing the virtualized resources of the virtualization infrastructure, receiving and storing software images, and collecting and reporting performance and fault information of the virtualized resources.
As can be seen from the functional description of the various MEC modules, the rules applied to MEC applications (routing rules, DNS configuration, traffic rules, etc.) are managed by the MEPM, received by the MEP, and finally enforced on the user plane of the MEC host.
In practical applications, the terminal access technologies used in industry verticals are diverse, and the third-party network includes, in addition to 5G, non-5G networks (such as 4G, WiFi, Bluetooth, Zigbee, NB-IoT, SPN, infrared networks, private networks, wired networks, etc.); data from these terminals may reach the MEP through different networks. In order to guarantee the network and data security of the MEP and to realize ubiquitous network access and control functions, an industry gateway (iww) is introduced into the system architecture of 5G industry cloud-network convergence; this architecture is shown in fig. 3.
The MEC platform manager (MEPM) is generally placed on the industry gateway, so data on the MEP can be accessed directly from an external network, namely the third-party network, through the industry gateway. The existing ETSI protocol does not protect data security adequately and cannot meet the growing management requirements for data security and privacy protection.
In typical application scenarios where data is sensitive, such as medical, educational and financial ones, some applications and available resources (hardware resources, network resources, etc.) provided on the MEP cannot be managed and configured by the remote (external) MEPM, and the management configuration information (or management configuration data) sent by the MEPM to the MEP must be subject to strict security control, in order to protect user privacy and business confidentiality. In the related art, the MEPM lacks the necessary security protection and authorization management mechanisms for management configuration information on the MEP, and there is no clear definition of a security management control mechanism for the MEPM.
Based on this, in various embodiments of the present application, a first device is configured to receive first information from a second device and to provide a security management function for an application on an edge computing platform based on the first information and a security policy; the first information is used for configuring the application on the edge computing platform; the second device is used for sending the first information to the first device based on second information from a third device; the second information is used for orchestrating the application on the edge computing platform. In this way, the ability of the first device to manage and control the configuration of applications on the edge computing platform can be improved.
An embodiment of the present application provides a communication system, as shown in fig. 4, which includes a first device, a second device and a third device; wherein:
the first device is used for receiving first information from the second device and providing a security management function for an application on an edge computing platform based on the first information and a security policy; the first information is used for configuring the application on the edge computing platform;
the second device is used for sending the first information to the first device based on second information from the third device; the second information is used for orchestrating the application on the edge computing platform.
In practice, the second device is arranged between the first device and the third device.
In practical application, the first device may be a locally-configured MEPM, which may be understood as a local MEPM set by a user, and may perform local management configuration on an application provided by the MEP. The first device may be deployed locally, either alone or integrated into the MEP. The name of the first device is not limited in the embodiment of the present application as long as the function of the first device can be realized.
In practical application, the second device may be an MEPM, and the name of the second device is not limited in this embodiment of the application as long as the function of the second device can be realized.
In practical applications, the third device may be an MEO or an MEAO, and the name of the third device is not limited in this application as long as the function of the third device can be implemented.
In practice, the edge computing platform may be referred to as MEP.
Orchestrating the application on the edge computing platform can be understood as orchestrating the application and/or the resources available to each application.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a denial of configuration for all applications on the edge computing platform;
a second security level; the second security level characterizes a configuration allowed for a portion of applications on the edge computing platform;
a third security level; the third security level characterizes allowing configuration for all applications on the edge computing platform.
The first device stores a security policy; the security policy is used for setting security levels, and whether configuration of some or all applications on the edge computing platform is allowed in the first device is controlled through the different security levels.
In practice, the second device may be informed whether the configuration is successful, i.e. whether the orchestration is completed.
Based on this, in an embodiment, the first device is further configured to send third information to the second device; the third information is used for indicating whether the configuration according to the first information succeeded or not;
the second device is further configured to send fourth information to the third device based on the third information; the fourth information is used for indicating whether the configuration according to the second information succeeded or not.
In an embodiment, the first information includes configuration information of at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different applications;
a second configuration policy; the second configuration policy is directed to routing rules of different applications;
a third configuration policy; the third configuration policy is for a Domain Name System (DNS) of a different application;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application.
In one embodiment, the second information includes at least one of:
management information of the application;
lifecycle management information for the application;
lifecycle change information for an application.
Here, the management information of the application may include: management of application packages, such as: load application packages, enable application packages, disable application packages, and the like.
The lifecycle management information of the application may include: instantiating an application package, operating (using) an application instance, terminating an application instance.
The lifecycle change information of the application may include: the application is not instantiated, the application has started running, and the application has stopped running.
In practical application, the third device may perform identity authentication on the first device, and may perform communication after the authentication is passed.
Based on this, in an embodiment, the third device is further configured to receive first access authentication information from the first device, and send first authentication response information to the first device; the first authentication response information includes at least: an identity of the first device.
In practical application, the third device may perform identity authentication on the second device, and may perform communication after the authentication is passed.
Based on this, in an embodiment, the third device is further configured to receive second access authentication information from the second device, and send second authentication response information to the second device; the second authentication response information includes at least: an identity of the second device;
the third device is further configured to send the identity of the first device to the second device.
In one embodiment, the number of the first devices is one or more.
Correspondingly, an embodiment of the present application further provides a communication method applied to a first device, and as shown in fig. 5, the method includes:
step 501, receiving first information from a second device; the first information is used for configuring the application on the edge computing platform;
step 502, providing a security management function for an application on the edge computing platform based on the first information and the security policy.
In practical application, the first device may be a locally-configured MEPM, which may be understood as a local MEPM set by a user, and may perform local management configuration on an application provided by the MEP. The first device may be deployed locally alone or integrated into the MEP. The name of the first device is not limited in the embodiment of the present application as long as the function of the first device can be realized.
In practical applications, the second device may be an MEPM, and the name of the second device is not limited in the embodiment of the present application as long as the function of the second device can be implemented.
In practice, the edge computing platform may be referred to as MEP.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a denial of configuration for all applications on the edge computing platform;
a second security level; the second security level characterizes a configuration allowed for a portion of applications on the edge computing platform;
a third security level; the third security level characterizes a configuration allowed for all applications on the edge computing platform.
The first device stores a security policy; the security policy is used for setting security levels, and whether configuration of some or all applications on the edge computing platform is allowed in the first device is controlled through the different security levels.
In an embodiment, the first device may request the second device to authenticate itself, and after the authentication is passed, communication may be performed.
Based on this, in an embodiment, the method further comprises:
sending third information to the second device; the third information is used for indicating whether the configuration according to the first information succeeded.
In an embodiment, the first information includes configuration information of at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different applications;
a second configuration policy; the second configuration policy is directed to routing rules of different applications;
a third configuration policy; the third configuration policy is for a domain name system of a different application;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application.
In actual application, the first device may request the third device to perform identity authentication on itself, and communication may be performed after the authentication is passed.
Based on this, in an embodiment, the method further comprises:
sending first access authentication information to a third device;
receiving first authentication response information from the third device; the first authentication response information includes at least: an identity of the first device.
Correspondingly, in an embodiment of the present application, there is further provided a communication method applied to a second device, as shown in fig. 6, the method includes:
step 601, receiving second information from a third device; the second information is used for orchestrating the application on the edge computing platform;
step 602, sending first information to a first device based on the second information; the first information is used to instruct the first device to configure the application on the edge computing platform based on the first information and a security policy.
In practical application, the first device may be a locally-configured MEPM, which may be understood as a local MEPM set by a user, and may perform local management configuration on an application provided by the MEP. The first device may be deployed locally, either alone or integrated into the MEP. The name of the first device is not limited in the embodiment of the present application as long as the function of the first device can be realized.
In practical applications, the second device may be an MEPM, and the name of the second device is not limited in the embodiment of the present application as long as the function of the second device can be implemented.
In practical applications, the third device may be an MEO or a MEAO, and the name of the third device is not limited in this application embodiment as long as the function of the third device can be realized.
In practice, the edge computing platform may be referred to as MEP.
In practice, orchestrating the application on the edge computing platform may be understood as orchestrating the application and/or the resources available to each application.
In an embodiment, the first information includes configuration information of at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different applications;
a second configuration policy; the second configuration policy is directed to routing rules of different applications;
a third configuration policy; the third configuration policy is for a domain name system of a different application;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application.
In one embodiment, the second information includes at least one of:
management information of the application;
lifecycle management information for the application;
lifecycle change information for an application.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a denial of configuration for all applications on the edge computing platform;
a second security level; the second security level characterizes a configuration allowed for a portion of applications on the edge computing platform;
a third security level; the third security level characterizes allowing configuration for all applications on the edge computing platform.
The first device stores a security policy; the security policy is used for setting security levels, and whether configuration of some or all applications on the edge computing platform is allowed in the first device is controlled through the different security levels.
In practical application, the second device can perform identity authentication on the first device, and communication can be performed after the authentication is passed.
Based on this, in an embodiment, the method further comprises:
receiving third information from the first device; the third information is used for indicating whether the configuration according to the first information succeeded or not;
sending fourth information to the third device based on the third information; the fourth information is used for indicating whether the configuration according to the second information succeeded or not.
In actual application, the second device may request the third device to perform identity authentication on itself, and communication may be performed after the authentication is passed.
Based on this, in an embodiment, the method further comprises:
sending second access authentication information to the third device; receiving second authentication response information from the third device; the second authentication response information includes at least: an identity of the second device;
the method further comprises: receiving the identity of the first device.
The present application will be described in further detail with reference to the following application examples.
In the embodiment of the application, the first device is called the Local MEPM (L-MEPM); the second device is the MEPM; the third device is called the MEAO or MEO; the edge computing platform is referred to as the MEP.
In the embodiment of the present application, an L-MEPM deployed on the MEP side is introduced, and is mainly responsible for signaling interaction with the MEPM and/or the MEAO, and for security supervision of MEP local management configuration data, as shown in fig. 7.
Wherein, the support functions of the L-MEPM comprise:
1) Receiving management configuration requests from the MEPM and handling each request, for the applications on the MEP, according to the security policy and the like;
2) Storing the security policy and managing the management configuration data from the MEPM (i.e., the first information from the second device) based on that security policy. The security policy may include levels such as strict, general and loose. For example: at the strict level, the management configuration data from the MEPM cannot configure any application on the MEP; at the general level, the L-MEPM determines, based on the security policy, whether the management configuration data from the MEPM may configure a given application on the MEP; at the loose level, the L-MEPM is only responsible for forwarding the management configuration data of the MEPM (the management configuration data is determined based on the management configuration request from the MEPM) to the MEP for configuration of the different applications.
Of course, in practical applications the levels may be further subdivided; this is not limited here.
In the embodiment of the application, as shown in fig. 8, the MEAO performs orchestration management through the MEPM, the L-MEPM is configured with a local security policy, and data security management and control are performed on the control plane (specifically, on the management configuration data of the applications provided by the MEP), so that control-plane data cannot configure the applications of the MEP arbitrarily. The communication method comprises the following steps:
step 801, the MEAO (an example of the third device) issues second information to the MEPM (an example of the second device);
the second information includes: the MEPM identification and orchestration information;
the second information is used for orchestrating the application on the edge computing platform.
An example of the second information is given in table 1, which includes but is not limited to the following contents:
TABLE 1 (the table is an image in the original and is not reproduced here)
Step 802, after receiving the second information, the MEPM sends first information to the L-MEPM (an example of the first device);
the first information includes: the L-MEPM identity identification and management configuration information;
the first information is used for configuring the application on the edge computing platform.
An example of the first information is given in table 2:
Parameter name | Type | Description
L-MEPM identity | As shown in table 5 | Unique identification of the L-MEPM
Management configuration information | As shown in table 8 | Management configuration information
TABLE 2
Step 803, after receiving the first information, the L-MEPM checks its local security policy, performs the corresponding operation based on the first information and the security policy, and replies with third information;
the local security policy of the L-MEPM comprises the following levels:
at the "strict" level (equivalent to the first security level described above), the L-MEPM rejects all management configuration information for the MEP;
at the "general" level (equivalent to the second security level described above), the L-MEPM allows part of the management configuration information for the MEP;
at the "loose" level (equivalent to the third security level described above), the L-MEPM allows all management configuration information for the MEP.
Each application on the L-MEPM has a unique identifier; the security policy is keyed by each application's identifier and records whether configuration of that application meets the requirement or not.
After checking the local security policy: if the security policy is fully met, the L-MEPM configures the application on the MEP and, once the configuration is complete, replies to the MEPM that the configuration succeeded;
if the security policy is partially met, the L-MEPM performs the permitted part of the configuration of the application information on the MEP and, once that configuration is complete, replies to the MEPM that the configuration succeeded;
if the local security policy is not met, the L-MEPM directly replies to the MEPM that the configuration failed.
That is, the third information includes: the MEPM identification and management configuration result information, as shown in table 3.
TABLE 3 (the table is an image in the original and is not reproduced here)
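The check of step 803, as an added example that is not part of the patent: an L-MEPM evaluates the management configuration information in the first information against its local security level and per-application marks, commits only the permitted part, and builds the result carried in the third information. The message field names, the class and function names, and the sample first information are assumptions made for this example; the patent's tables 2, 3 and 8 are images and their exact fields are not reproduced.

```python
from enum import Enum


class SecurityLevel(Enum):
    """The three security levels of the local policy (first/second/third level)."""
    STRICT = 1    # "strict": reject all management configuration information for the MEP
    GENERAL = 2   # "general": allow configuration only where the application is marked
    LOOSE = 3     # "loose": forward all management configuration information to the MEP


# The four kinds of configuration policy the first information may carry.
POLICY_KINDS = ("operation_permission", "routing_rules", "dns", "lifecycle")


class LocalMEPM:
    """L-MEPM: checks the MEPM's management configuration against a local policy."""

    def __init__(self, identity, level, marks=None):
        self.identity = identity
        self.level = level
        # Per-application mark (assumed shape): application identifier -> set of
        # policy kinds the remote MEPM may configure when the level is GENERAL.
        self.marks = marks or {}
        # Configuration actually pushed to the MEP (simulated in memory here).
        self.mep_state = {}

    def _permits(self, app_id, kind):
        if kind not in POLICY_KINDS:
            return False                      # an unknown policy kind is never applied
        if self.level is SecurityLevel.STRICT:
            return False
        if self.level is SecurityLevel.LOOSE:
            return True
        return kind in self.marks.get(app_id, set())

    def handle_first_information(self, first_info):
        """Step 803: apply the permitted part of the first information, build the third.

        first_info (assumed shape): {"l_mepm_id": str, "mepm_id": str,
                                     "config": {app_id: {policy_kind: value}}}
        Returns the third information: MEPM identification plus the configuration result.
        """
        reply = {"mepm_id": first_info.get("mepm_id"), "applied": {}, "rejected": {}}
        if first_info.get("l_mepm_id") != self.identity:
            reply["result"] = "failure"       # not addressed to this L-MEPM: configure nothing
            return reply
        for app_id, policies in first_info.get("config", {}).items():
            for kind, value in policies.items():
                bucket = "applied" if self._permits(app_id, kind) else "rejected"
                reply[bucket].setdefault(app_id, {})[kind] = value
        # Commit only the permitted configuration to the MEP.
        for app_id, policies in reply["applied"].items():
            self.mep_state.setdefault(app_id, {}).update(policies)
        # Following the three cases of step 803: a full or partial configuration is
        # reported as success; nothing permitted is reported as failure.
        reply["result"] = "success" if reply["applied"] else "failure"
        return reply


# Constructed sample first information (not from the patent): two applications.
SAMPLE_FIRST_INFO = {
    "l_mepm_id": "l-mepm-01",
    "mepm_id": "mepm-01",
    "config": {
        "app-a": {"routing_rules": ["10.0.0.0/8 via uplink"], "dns": {"svc.local": "10.0.0.5"}},
        "app-b": {"operation_permission": "read-only", "lifecycle": "terminate"},
    },
}


def run_levels():
    """Evaluate the same first information under all three levels; returns the replies."""
    general_marks = {"app-a": {"routing_rules", "dns"}}   # app-b carries no mark at all
    results = {}
    for level in SecurityLevel:
        l_mepm = LocalMEPM("l-mepm-01", level, general_marks)
        results[level.name] = l_mepm.handle_first_information(SAMPLE_FIRST_INFO)
    return results


if __name__ == "__main__":
    for name, reply in run_levels().items():
        print(name, reply["result"], "applied:", sorted(reply["applied"]),
              "rejected:", sorted(reply["rejected"]))
```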
Step 804, after receiving the third information from the L-MEPM, the MEPM replies with fourth information to the MEAO;
the fourth information is used for indicating the result of the orchestration based on the second information.
The fourth information may include: the MEAO identity and management configuration result information, as shown in table 4.
Parameter name | Type | Description
MEAO identification | As shown in table 5 | Unique identification of the MEAO
Management configuration result information | As shown in table 10 | Success or failure
TABLE 4
In embodiments of the present invention, unique identifiers may be used, as in the example of table 5;
TABLE 5 (the table is an image in the original and is not reproduced here)
In the embodiments of the present invention, the MEPM types may be distinguished by numeric or character string identifiers, as in the embodiment of table 6;
Data type | Description
Number | 1 represents an ordinary MEPM; 2 represents an L-MEPM
Character string | "1" represents an ordinary MEPM; "2" represents an L-MEPM
TABLE 6
The orchestration information issued by the MEAO in the embodiments of the present invention, as shown in table 7, is designed according to the provisions of the ETSI MEC010-2 standard protocol, for each application package:
TABLE 7 (the table is an image in the original and is not reproduced here)
An application example of the management configuration information issued by the MEPM to the L-MEPM is given in table 8;
TABLE 8 (the table is an image in the original and is not reproduced here)
An application example of the reply information of the L-MEPM to the MEPM, that is, the third information, is given in table 9;
TABLE 9 (the table is an image in the original and is not reproduced here)
An application example of the reply information of the MEPM to the MEAO, that is, the fourth information, is given in table 10;
TABLE 10 (the table is an image in the original and is not reproduced here)
In practical application, in order to obtain the MEPM identity and the L-MEPM identity, the method further comprises identity registration; as shown in fig. 9, it includes:
step 901, the MEPM (an example of the second device) and the L-MEPM (an example of the first device) each send a registration request to the MEAO (an example of the third device);
the registration request, i.e. the identity authentication information, is used to request the MEAO to register an identity; after receiving the registration request, the MEAO stores the corresponding identity identifications of the MEPM and the L-MEPM. The registered identity information may contain the contents of table 11:
TABLE 11 (the table is an image in the original and is not reproduced here)
Step 902, after receiving the registration request, the MEAO registers the identity and replies; the reply includes the contents of table 12:
TABLE 12 (the table is an image in the original and is not reproduced here)
After receiving the MEPM registration request, the MEAO performs a reply operation; an application example of the reply operation is given in table 13. If the type identifier is not in one of the formats of table 6, the identity is illegal.
TABLE 13 (the table is an image in the original and is not reproduced here)
Step 903, the MEAO sends the registered L-MEPM information to the MEPM; an application example is given in table 14;
TABLE 14 (the table is an image in the original and is not reproduced here)
Step 904, after the MEPM parses the identity information and IP addresses of the L-MEPMs, an association between the MEPM and a plurality of L-MEPMs is formed, as shown in fig. 10.
The MEPM then replies to the MEAO. An application example of the content of the reply information is given in table 15;
TABLE 15 (the table is an image in the original and is not reproduced here)
An application example of the reply type and its description is given in table 16;
Reply type | Description of reply
0 | Success
1 | Illegal identity
TABLE 16
An application example of the IP address is given in table 17;
TABLE 17 (the table is an image in the original and is not reproduced here)
An example of the L-MEPM identity information and IP address information is given as follows:
Mode 1: implemented as a hash table, where the key identifies the L-MEPM identity and the value identifies the IP address of the L-MEPM.
Mode 2: implemented as a JSON string:
{
"880e8400-e29b-41d4-a716-446655440000":"156.123.52.41",
"990e8400-e29b-41d4-a716-446655440000":"156.123.52.42",
"770e8400-e29b-41d4-a716-446655440000":"156.123.52.43",
"660e8400-e29b-41d4-a716-446655440000":"156.123.52.44"
}
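The registration exchange of steps 901 to 904, as an added example that is not part of the patent: an MEAO registry validates the type identifier against the two formats of table 6, answers with the reply types of table 16, and hands the MEPM the registered L-MEPM identities and IP addresses as a JSON string (mode 2), which the MEPM parses back into a hash table (mode 1). The request field names, the use of a UUID as the unique identifier (table 5 is an image in the original), the class and function names, and the sample requests are assumptions made for this example.

```python
import ipaddress
import json
import uuid

# Reply types of table 16.
REPLY_SUCCESS = 0
REPLY_ILLEGAL_IDENTITY = 1
# MEPM types of table 6, accepted either as a number or as a character string.
ORDINARY_MEPM = 1
L_MEPM = 2


def parse_mepm_type(value):
    """Return 1 or 2 for a type field in one of the table-6 formats, else None."""
    if isinstance(value, bool):          # bool is an int subclass in Python; reject it
        return None
    if isinstance(value, int):
        return value if value in (ORDINARY_MEPM, L_MEPM) else None
    if isinstance(value, str) and value in ("1", "2"):
        return int(value)
    return None                          # e.g. " 2", "3", 2.0 or a missing field


class MEAORegistry:
    """MEAO side of the registration exchange (steps 901 to 903)."""

    def __init__(self):
        self.records = {}                # identity -> {"type": 1|2, "ip": str}

    def register(self, request):
        """Steps 901/902: handle one registration request and build the reply.

        request (assumed shape): {"type": 1|2|"1"|"2", "ip": "<address>"}
        """
        mepm_type = parse_mepm_type(request.get("type"))
        if mepm_type is None:
            return {"reply_type": REPLY_ILLEGAL_IDENTITY, "identity": None}
        try:
            ip = str(ipaddress.ip_address(request.get("ip", "")))
        except ValueError:
            return {"reply_type": REPLY_ILLEGAL_IDENTITY, "identity": None}
        identity = str(uuid.uuid4())     # unique identifier (UUID format is an assumption)
        self.records[identity] = {"type": mepm_type, "ip": ip}
        return {"reply_type": REPLY_SUCCESS, "identity": identity}

    def l_mepm_association(self):
        """Step 903: the registered L-MEPM information sent to the MEPM as a JSON
        string (mode 2): L-MEPM identity -> IP address; ordinary MEPMs are excluded."""
        return json.dumps({ident: rec["ip"] for ident, rec in self.records.items()
                           if rec["type"] == L_MEPM})


def parse_association(payload):
    """Step 904 on the MEPM: parse the JSON string back into a hash table (mode 1),
    dropping any entry whose key is not a valid identity or whose value is not an IP."""
    table = {}
    for ident, ip in json.loads(payload).items():
        try:
            uuid.UUID(ident)
            table[ident] = str(ipaddress.ip_address(ip))
        except ValueError:
            continue
    return table


def demo():
    """Constructed run: two L-MEPMs, one ordinary MEPM and one malformed request."""
    meao = MEAORegistry()
    replies = [meao.register({"type": "2", "ip": "156.123.52.41"}),
               meao.register({"type": 2, "ip": "156.123.52.42"}),
               meao.register({"type": 1, "ip": "156.123.52.1"}),
               meao.register({"type": "3", "ip": "156.123.52.43"})]
    payload = meao.l_mepm_association()
    return replies, payload, parse_association(payload)


if __name__ == "__main__":
    replies, payload, table = demo()
    print([r["reply_type"] for r in replies])
    print(payload)
    print(table)
```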
In order to implement the method on the first device side in the embodiment of the present application, an embodiment of the present application further provides a communication apparatus, which is disposed on the first device, and as shown in fig. 12, the apparatus includes:
a first communication unit 1201 for receiving first information from a second device; the first information is used for configuring the application on the edge computing platform;
a first processing unit 1202, configured to provide a security management function for an application on an edge computing platform based on the first information and a security policy.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a denial of configuration for all applications on the edge computing platform;
a second security level; the second security level characterizes a configuration allowed for a portion of applications on the edge computing platform;
a third security level; the third security level characterizes a configuration allowed for all applications on the edge computing platform.
In an embodiment, the first communication unit 1201 is further configured to send third information to the second device; the third information is used for indicating whether the configuration according to the first information succeeded.
In an embodiment, the first information includes configuration information of at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different applications;
a second configuration policy; the second configuration policy is for routing rules of different applications;
a third configuration policy; the third configuration policy is for a domain name system of a different application;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application.
In an embodiment, the first communication unit 1201 is further configured to send first access authentication information to a third device;
receiving first authentication response information from the third device; the first authentication response information includes at least: an identity of the first device.
In practical applications, the first communication unit 1201 and the first processing unit 1202 may be implemented by a processor in a communication device in combination with a communication interface.
In order to implement the method on the second device side in the embodiment of the present application, an embodiment of the present application further provides a communication apparatus, which is disposed on the second device, and as shown in fig. 13, the apparatus includes:
a second communication unit 1301, configured to receive second information from a third device; the second information is used for orchestrating the application on the edge computing platform;
a second processing unit 1302, configured to send first information to the first device based on the second information; the first information is used for instructing the first device to configure the application on the edge computing platform based on the first information and a security policy.
In an embodiment, the first information includes configuration information of at least one of:
a first configuration policy; the first configuration policy concerns the operating permissions of different applications;
a second configuration policy; the second configuration policy is for routing rules of different applications;
a third configuration policy; the third configuration policy is for a domain name system of a different application;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application.
In one embodiment, the second information includes at least one of:
management information of the application;
lifecycle management information for the application;
lifecycle change information for an application.
In one embodiment, the security policy includes at least one of:
a first security level; the first security level characterizes a denial of configuration for all applications on the edge computing platform;
a second security level; the second security level characterizes a configuration allowed for a portion of applications on the edge computing platform;
a third security level; the third security level characterizes allowing configuration for all applications on the edge computing platform.
In an embodiment, the second communication unit 1301 is further configured to receive third information from the first device; the third information is used for indicating whether the configuration according to the first information succeeded or not;
and to send fourth information to the third device based on the third information; the fourth information is used for indicating whether the configuration according to the second information succeeded or not.
In an embodiment, the second communication unit 1301 is further configured to send second access authentication information to the third device and to receive second authentication response information from the third device; the second authentication response information includes at least: an identity of the second device;
the second communication unit 1301 is further configured to receive an identity of the first device.
In actual application, the second communication unit 1301 and the second processing unit 1302 may be implemented by a processor in a communication device in combination with a communication interface.
It should be noted that: in the communication device provided in the above embodiment, only the division of each program module is described as an example when performing communication, and in practical applications, the processing allocation may be completed by different program modules as needed, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the communication apparatus and the communication method provided in the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments, and are not described herein again.
Based on the hardware implementation of the program module, and in order to implement the method on the first device side in the embodiment of the present application, an embodiment of the present application further provides a first device, as shown in fig. 14, where the first device 1400 includes:
a first communication interface 1401 capable of information interaction with a second device;
a first processor 1402 connected to the first communication interface 1401 to implement information interaction with the second device, and configured, when running a computer program, to execute the method provided by one or more of the technical solutions on the first device side; the computer program is stored in a first memory 1403.
In particular, the first communication interface 1401 is for receiving first information from a second device; the first information is used for configuring the application on the edge computing platform;
the first processor 1402 is configured to provide security management functionality for an application on an edge computing platform based on the first information and a security policy.
Wherein, in an embodiment, the first communication interface 1401 is further configured to:
sending third information to the second device; the third information is used for explaining whether the first information is successfully configured.
In one embodiment, the first communication interface 1401 is further configured to:
sending first access authentication information to a third device;
receiving first authentication response information from the third device; the first authentication response information includes at least: an identity of the first device.
It should be noted that: the specific processing of the first processor 1402 and the first communication interface 1401 may be understood with reference to the methods described above.
Of course, in practice, the various components of the first device 1400 are coupled together by a bus system 1404. It is understood that the bus system 1404 is used to enable communication among these components. The bus system 1404 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, the various buses are designated as bus system 1404 in fig. 14.
The first memory 1403 in the embodiment of the present application is used to store various types of data to support the operation of the first device 1400. Examples of such data include: any computer program for operating on the first device 1400.
The method disclosed in the embodiments of the present application may be applied to the first processor 1402, or implemented by the first processor 1402. The first processor 1402 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be implemented by integrated logic circuits of hardware or by instructions in the form of software in the first processor 1402. The first processor 1402 may be a general purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc. The first processor 1402 may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the first memory 1403, and the first processor 1402 reads the information in the first memory 1403 and, in combination with its hardware, performs the steps of the foregoing method.
In an exemplary embodiment, the first device 1400 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, Micro Controller Units (MCUs), microprocessors, or other electronic components for performing the aforementioned methods.
Based on the hardware implementation of the program module, and in order to implement the method on the second device side in the embodiment of the present application, an embodiment of the present application further provides a second device, as shown in fig. 15, where the second device 1500 includes:
the second communication interface 1501 can perform information interaction with the first device and the third device;
the second processor 1502 is connected to the second communication interface 1501 to implement information interaction with the first device and the third device, and is configured to execute the method provided by one or more technical solutions on the second device side when running a computer program; the computer program is stored in the second memory 1503.
In particular, the second communication interface 1501 is configured to receive second information from a third device; the second information is used for arranging the application on the edge computing platform;
the second processor 1502 is configured to send first information to the first device based on the second information; the first information is used for instructing the first device to perform configuration for the application on the edge computing platform based on the first device and a security policy.
In an embodiment, the second communication interface 1501 is further configured to:
receiving third information from the first device; the third information is used for explaining whether the first information is successfully configured or not;
sending fourth information to a third device based on the third information; the fourth information is used for explaining whether the second information is configured successfully or not.
In an embodiment, the second communication interface 1501 is further configured to send second access authentication information to a third device and to receive second authentication response information from the third device; the second authentication response information includes at least: an identity of the first device;
and to receive the identity of the first device.
It should be noted that: the specific processing procedures of the second communication interface 1501 and the second processor 1502 can be understood with reference to the methods described above.
Of course, in practice, the various components in the second device 1500 are coupled together by a bus system 1504. It is understood that the bus system 1504 is used to enable communication among these components. The bus system 1504 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, the various buses are designated as bus system 1504 in fig. 15.
The second memory 1503 in the embodiment of the present application is used to store various types of data to support the operation of the second device 1500. Examples of such data include: any computer program for operating on the second device 1500.
The method disclosed in the above embodiments of the present application may be applied to the second processor 1502, or implemented by the second processor 1502. The second processor 1502 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method can be implemented by an integrated logic circuit of hardware or by instructions in the form of software in the second processor 1502. The second processor 1502 described above may be a general purpose processor, a DSP, or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like. The second processor 1502 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium located in the second memory 1503, and the second processor 1502 reads the information in the second memory 1503 and, in combination with its hardware, completes the steps of the foregoing method.
In an exemplary embodiment, the second device 1500 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, microprocessors, or other electronic components for performing the aforementioned methods.
It is to be understood that the memories (the first memory 1403 and the second memory 1503) in the embodiments of the present application may be volatile memories or nonvolatile memories, and may include both volatile and nonvolatile memories. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
It should be noted that: "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict.
The above description is only a preferred embodiment of the present application, and is not intended to limit the scope of the present application.

Claims (25)

1. A communication system, comprising: a first device, a second device, a third device; wherein,
the first device is used for receiving first information from the second device and providing a security management function for an application on an edge computing platform based on the first information and a security policy; the first information is used for performing configuration for the application on the edge computing platform;
the second device is used for sending the first information to the first device based on second information from a third device; the second information is used for arranging the application on the edge computing platform.
2. The system of claim 1, wherein the security policy comprises at least one of:
a first security level; the first security level characterizes a denial of configuration for all applications on the edge computing platform;
a second security level; the second security level characterizes a configuration allowed for a portion of applications on the edge computing platform;
a third security level; the third security level characterizes allowing configuration for all applications on the edge computing platform.
3. The system of claim 1, wherein the first device is further configured to send third information to the second device; the third information is used for explaining whether the first information is successfully configured or not;
the second device is further configured to send fourth information to a third device based on the third information; the fourth information is used for explaining whether the second information is configured successfully or not.
4. The system of claim 1, wherein the first information comprises configuration information of at least one of:
a first configuration policy; the first configuration policy is for the operation permissions of different applications;
a second configuration policy; the second configuration policy is for routing rules of different applications;
a third configuration policy; the third configuration policy is for the domain name system (DNS) of different applications;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application.
5. The system of claim 4, wherein the second information comprises at least one of:
management information of the application;
lifecycle management information for the application;
lifecycle change information for an application.
6. The system of claim 1, wherein the third device is further configured to receive first access authentication information from the first device, and send first authentication response information to the first device; the first authentication response information includes at least: an identity of the first device.
7. The system of claim 1, wherein the third device is further configured to receive second access authentication information from the second device, and send second authentication response information to the second device; the second authentication response information includes at least: an identity of the second device;
the third device is further configured to send the identity of the first device to the second device.
8. The system of any one of claims 1 to 7, wherein the number of first devices is one or more.
9. A method of communication, applied to a first device, the method comprising:
receiving first information from a second device; the first information is used for performing configuration for the application on the edge computing platform;
providing security management functionality for an application on an edge computing platform based on the first information and a security policy.
10. The method of claim 9, wherein the security policy comprises at least one of:
a first security level; the first security level characterizes a denial of configuration for all applications on the edge computing platform;
a second security level; the second security level characterizes a configuration allowed for a portion of applications on the edge computing platform;
a third security level; the third security level characterizes allowing configuration for all applications on the edge computing platform.
11. The method of claim 9, further comprising:
sending third information to the second device; the third information is used for explaining whether the first information is successfully configured.
12. The method of claim 9, wherein the first information comprises configuration information of at least one of:
a first configuration policy; the first configuration policy is for the operation permissions of different applications;
a second configuration policy; the second configuration policy is for routing rules of different applications;
a third configuration policy; the third configuration policy is for the domain name system (DNS) of different applications;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application.
13. The method of claim 9, further comprising:
sending first access authentication information to a third device;
receiving first authentication response information from the third device; the first authentication response information includes at least: an identity of the first device.
14. A method of communication, applied to a second device, the method comprising:
receiving second information from a third device; the second information is used for arranging the application on the edge computing platform;
sending first information to the first device based on the second information; the first information is used for instructing the first device to perform configuration for the application on the edge computing platform based on the first device and a security policy.
15. The method of claim 14, wherein the first information comprises configuration information of at least one of:
a first configuration policy; the first configuration policy is for the operation permissions of different applications;
a second configuration policy; the second configuration policy is for routing rules of different applications;
a third configuration policy; the third configuration policy is for the domain name system (DNS) of different applications;
a fourth configuration policy; the fourth configuration policy is for a lifecycle of a different application.
16. The method of claim 14, wherein the second information comprises at least one of:
management information of the application;
lifecycle management information for the application;
lifecycle change information for an application.
17. The method of claim 14, wherein the security policy comprises at least one of:
a first security level; the first security level characterizes a denial of configuration for all applications on the edge computing platform;
a second security level; the second security level characterizes a configuration allowed for a portion of applications on the edge computing platform;
a third security level; the third security level characterizes allowing configuration for all applications on the edge computing platform.
18. The method of claim 14, further comprising:
receiving third information from the first device; the third information is used for explaining whether the first information is successfully configured or not;
sending fourth information to a third device based on the third information; the fourth information is used for explaining whether the second information is configured successfully or not.
19. The method of claim 14, further comprising:
sending second access authentication information to a third device; receiving second authentication response information from the third device; the second authentication response information includes at least: an identity of the first device;
the method further comprises: receiving the identity of the first device.
20. A communications apparatus, disposed on a first device, comprising:
a first communication unit for receiving first information from a second device; the first information is used for performing configuration for the application on the edge computing platform;
a first processing unit to provide a security management function for an application on an edge computing platform based on the first information and a security policy.
21. A first device, comprising: a first processor and a first communication interface; wherein,
the first communication interface is used for receiving first information from a second device; the first information is used for performing configuration for the application on the edge computing platform;
the first processor is configured to provide a security management function for an application on an edge computing platform based on the first information and a security policy.
22. A communication apparatus, provided on a second device, comprising:
a second communication unit for receiving second information from a third device; the second information is used for arranging the application on the edge computing platform;
a second processing unit, configured to send first information to the first device based on the second information; the first information is used for instructing the first device to perform configuration for the application on the edge computing platform based on the first device and a security policy.
23. A second apparatus, comprising: a second processor and a second communication interface; wherein,
the second communication interface is used for receiving second information from a third device; the second information is used for arranging the application on the edge computing platform;
the second processor is used for sending first information to the first device based on the second information; the first information is used for instructing the first device to perform configuration for the application on the edge computing platform based on the first device and a security policy.
24. A network device, comprising: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to perform the steps of the method of any one of claims 9 to 13 when executing the computer program; or,
the processor is adapted to perform the steps of the method of any one of claims 14 to 19 when running the computer program.
25. A storage medium having a computer program stored thereon, the computer program, when being executed by a processor, performing the steps of the method according to any one of claims 9 to 13; or,
the computer program when executed by a processor implements the steps of the method of any one of claims 14 to 19.
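The message flow of claims 1 to 5 and 14 to 18, modelled as an added example so that the security-level gating can be exercised end to end; this is not code from the patent or its applicant. The second device turns "second information" (application management or lifecycle information from the third device) into per-application "first information" carrying the four configuration policy kinds of claim 4, the first device applies it only as far as the security policy of claim 2 allows, and the result travels back as "third information" and then "fourth information" (claim 3). All names (SecurityLevel, ConfigPolicy, FirstDevice, SecondDevice, the permitted_apps set, the dictionary layout of the second information) and the sample application identifiers, DNS and routing values are assumptions made here; the patent defines these items only abstractly, and the third device's authentication exchange of claims 6 and 7 is not modelled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class SecurityLevel(Enum):
    """The three security levels of claim 2 (member names are assumed here)."""
    DENY_ALL = 1     # configuration refused for every application on the platform
    ALLOW_SOME = 2   # configuration allowed only for a designated subset of applications
    ALLOW_ALL = 3    # configuration allowed for every application


class ConfigPolicy(Enum):
    """The four configuration policy kinds of claim 4 (values are assumed labels)."""
    OPERATION_PERMISSION = "operation_permission"
    ROUTING_RULES = "routing_rules"
    DNS = "dns"
    LIFECYCLE = "lifecycle"


@dataclass
class FirstInformation:
    """Per-application configuration sent by the second device to the first device."""
    app_id: str
    policies: Dict[ConfigPolicy, object]


@dataclass
class ThirdInformation:
    """Reply of the first device: whether the first information was configured successfully."""
    app_id: str
    success: bool
    reason: str = ""


class FirstDevice:
    """Edge-platform side: applies configuration only as the security policy permits."""

    def __init__(self, level: SecurityLevel, permitted_apps: Optional[Set[str]] = None):
        self.level = level
        self.permitted_apps = permitted_apps or set()   # only consulted at ALLOW_SOME
        self.applied: Dict[str, Dict[ConfigPolicy, object]] = {}

    def _allowed(self, app_id: str) -> bool:
        if self.level is SecurityLevel.DENY_ALL:
            return False
        if self.level is SecurityLevel.ALLOW_SOME:
            return app_id in self.permitted_apps
        return True

    def receive_first_information(self, info: FirstInformation) -> ThirdInformation:
        if not self._allowed(info.app_id):
            # Nothing is applied; the refusal is reported rather than silently dropped.
            return ThirdInformation(info.app_id, False,
                                    f"security level {self.level.name} refuses configuration")
        self.applied.setdefault(info.app_id, {}).update(info.policies)
        return ThirdInformation(info.app_id, True)


class SecondDevice:
    """Management side: maps second information to first information and relays the result."""

    # assumed mapping from keys of the second information to configuration policy kinds
    KEY_TO_POLICY = {
        "permissions": ConfigPolicy.OPERATION_PERMISSION,
        "routes": ConfigPolicy.ROUTING_RULES,
        "dns": ConfigPolicy.DNS,
        "lifecycle": ConfigPolicy.LIFECYCLE,
    }

    def __init__(self, first_device: FirstDevice):
        self.first_device = first_device

    def receive_second_information(self, second_info: dict) -> dict:
        app_id = second_info["app_id"]
        policies = {policy: second_info[key]
                    for key, policy in self.KEY_TO_POLICY.items() if key in second_info}
        third = self.first_device.receive_first_information(FirstInformation(app_id, policies))
        # fourth information: whether the second information was configured successfully
        return {"app_id": app_id, "configured": third.success, "reason": third.reason}


def run_scenario(level: SecurityLevel, permitted_apps: Optional[Set[str]] = None) -> List[dict]:
    """Constructed sample: two orchestration requests against a first device at the given level."""
    first = FirstDevice(level, permitted_apps)
    second = SecondDevice(first)
    requests = [  # constructed sample second information, not values from the patent
        {"app_id": "app-A", "lifecycle": "instantiate", "dns": {"app-a.edge.example": "10.0.0.5"}},
        {"app_id": "app-B", "routes": [{"dst": "10.0.1.0/24", "via": "app-B"}], "permissions": ["net"]},
    ]
    return [second.receive_second_information(r) for r in requests]


if __name__ == "__main__":
    for level in SecurityLevel:
        print(level.name, run_scenario(level, {"app-A"}))
```

At the second security level only the designated application is configured and the other request is refused with an explicit reason, which is the fourth information the third device would receive; the first device never applies a partial configuration for a refused application.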

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110703440.3A CN115529144A (en) 2021-06-24 2021-06-24 Communication system, method, apparatus, first device, second device, and storage medium
PCT/CN2022/099569 WO2022267994A1 (en) 2021-06-24 2022-06-17 Communication system and method, apparatus, first device, second device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110703440.3A CN115529144A (en) 2021-06-24 2021-06-24 Communication system, method, apparatus, first device, second device, and storage medium

Publications (1)

Publication Number Publication Date
CN115529144A true CN115529144A (en) 2022-12-27

Family

ID=84545132

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110703440.3A Pending CN115529144A (en) 2021-06-24 2021-06-24 Communication system, method, apparatus, first device, second device, and storage medium

Country Status (2)

Country Link
CN (1) CN115529144A (en)
WO (1) WO2022267994A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110944330A (en) * 2018-09-21 2020-03-31 华为技术有限公司 MEC platform deployment method and device
CN111935270A (en) * 2020-08-04 2020-11-13 腾讯科技(深圳)有限公司 Communication method, device, medium and electronic equipment based on edge computing platform
WO2020259980A1 (en) * 2019-06-26 2020-12-30 Orange Methods and devices for securing a multiple-access peripheral network
CN112422685A (en) * 2020-11-19 2021-02-26 中国联合网络通信集团有限公司 5G data processing system and method based on mobile edge computing MEC
CN112822675A (en) * 2021-01-11 2021-05-18 北京交通大学 MEC environment-oriented OAuth 2.0-based single sign-on mechanism

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018089417A1 (en) * 2016-11-09 2018-05-17 Interdigital Patent Holdings, Inc. Systems and methods to create slices at a cell edge to provide computing services
EP3744063A1 (en) * 2018-01-26 2020-12-02 IDAC Holdings, Inc. Application mobility based on enhanced mptcp
WO2020185794A1 (en) * 2019-03-11 2020-09-17 Intel Corporation Multi-slice support for mec-enabled 5g deployments
CN111722906A (en) * 2019-03-22 2020-09-29 华为技术有限公司 Method and device for deploying virtual machine and container

Also Published As

Publication number Publication date
WO2022267994A1 (en) 2022-12-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination