WO2020220937A1 - Security policy management method and device - Google Patents

Security policy management method and device

Info

Publication number
WO2020220937A1
Authority
WO
WIPO (PCT)
Prior art keywords
container
container service
vnf
group identifier
service
Application number
PCT/CN2020/083361
Other languages
French (fr)
Chinese (zh)
Inventor
李飞
夏海涛
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2020220937A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Definitions

  • This application relates to the field of communication technology, and in particular to a security policy management method and device.
  • Network function virtualization (NFV) is a technology that builds a communication network system on general-purpose hardware and network virtualization. It carries the software processing functions of the communication network, enables virtualized and flexible deployment and flexible scaling of the communication network, and reduces the high equipment cost of a communication network system.
  • NFV security controller: in the NFV network architecture, the NFV security controller (NFV SC) is responsible for the generation, management and distribution of security policies.
  • VNF: virtualized network function
  • VNFM: VNF manager
  • The NFV SC formulates a matching security policy based on the deployment of the VNF.
  • When a VNF update or container service update occurs, the VNFM needs to report the deployment status of the VNF to the NFV SC, so that the NFV SC perceives the container service update in real time and decides on and issues the security policy.
  • Container service updates are a normal occurrence: container services may be frequently updated and republished and dynamically scaled according to load, and container service instances may also migrate from one server to another because of resource scheduling. Reporting the deployment status of the VNF on every VNF update or container service update causes the NFV SC to repeatedly decide on and issue security policies, which increases the management difficulty of the NFV SC and affects the efficiency of network deployment.
  • the embodiments of the present application provide a security policy management method and device, which are used to reduce the management difficulty of the NFV SC and improve the efficiency of network deployment.
  • In a first aspect, an embodiment of the present application provides a security policy management method that can be applied to a VNFM. The method includes: the VNFM receives a container service update message sent by a container manager; the container service update message includes a first group identifier, the first group identifier is the group identifier of the updated first container service, the first group identifier is determined according to the type of the VNF and the security capability of the first container service, and the container service update message is sent after the container manager determines that a container service update needs to be performed on the VNF.
  • If a first group identifier set includes the first group identifier, the VNFM determines that the security policy applied by the VNF does not need to be changed, and sends first instruction information to the container manager. The first instruction information is used to instruct the container manager to perform the container service update, and the first group identifier set is the set of group identifiers of the at least one container service called by the VNF before the container service update.
  • In this design, when the first group identifier set includes the first group identifier, the VNFM determines that the security policy applied in the VNF does not need to be changed, and can directly make the container service update decision and instruct the container manager to update the container service, without reporting the deployment status of the VNF after the container service update. This effectively reduces the management complexity of the NFV SC and improves network deployment efficiency.
  • If the first group identifier set does not include the first group identifier, the VNFM determines that the security policy applied by the VNF needs to be changed, and sends a security policy request message to the NFV SC. The security policy request message includes the first group identifier. The VNFM then receives a first security policy sent by the NFV SC according to the first group identifier; the first security policy is the security policy applied by the VNF after the container service update.
  • In this design, when the first group identifier set does not include the first group identifier, the VNFM determines that the security policy applied in the VNF needs to be changed, and sends a security policy request message to the NFV SC to request a new security policy, thereby ensuring the security of the VNF.
  • After receiving the first security policy, the VNFM may also send second instruction information to the container manager, where the second instruction information is used to instruct the container manager to perform the container service update.
  • In this design, when the VNFM needs to request a new security policy from the NFV SC, it instructs the container manager to update the container service only after receiving the first security policy, thereby completing the network deployment.
  • Before receiving the container service update message from the container manager, the VNFM may also instantiate the VNF. If instantiating the VNF requires calling a container service, the VNFM sends a service invocation request message to the container manager; the service invocation request message includes the identifier of the VNF and the identifier of at least one container service that the VNF requests to invoke.
  • In this design, the VNFM determines when instantiating the VNF that a container service provided by the container manager needs to be invoked, and sends a service invocation request message to the container manager to complete the network deployment.
  • The container manager can also use the service invocation information in the service invocation request message to determine, in subsequent steps, the group identifier of each container service that the VNF can call. In this way, the VNFM can use the group identifier of the updated container service to determine whether the security policy applied by the VNF needs to be changed, which avoids requesting a security policy from the NFV SC on every container service update and effectively improves the efficiency of network deployment.
  • In a second aspect, the embodiments of the present application provide another security policy management method that can be applied to a container manager. The method includes: if the container manager determines that a container service update needs to be performed on the VNF, it sends a container service update message to the VNFM; the container service update message includes a first group identifier, the first group identifier is the group identifier of the updated first container service, and the first group identifier is determined according to the type of the VNF and the security capability of the first container service.
  • The container manager receives first instruction information sent by the VNFM and performs the container service update on the VNF. The first instruction information is sent by the VNFM after it determines that a first group identifier set includes the first group identifier, and the first group identifier set is the set of group identifiers of the at least one container service called by the VNF before the container service update.
  • In this design, when the container manager determines that a container service update needs to be performed on the VNF, it carries the group identifier of the updated first container service in the container service update message sent to the VNFM. The VNFM can then, when the first group identifier set includes the first group identifier, directly decide to update the container service without requesting a security policy from the NFV SC, thereby effectively reducing the management complexity of the NFV SC and improving the efficiency of network deployment.
  • The container manager may also receive second instruction information sent by the VNFM and perform the container service update on the VNF. The second instruction information is sent after the VNFM receives the first security policy from the NFV SC, and the first security policy is the security policy applied by the VNF after the container service update.
  • In this design, the VNFM sends the second instruction information for the container service update to the container manager only after receiving the new security policy, which ensures the security of the VNF while completing the network deployment.
  • The container manager can send the identifier and security capability of each container service in the container service set corresponding to the VNF to the NFV SC. The container service set is the set of container services that can be invoked by the VNF, and it includes the at least one container service invoked by the VNF before the container service update and the first container service. The container manager then receives from the NFV SC the group identifier of each container service in the container service set; the group identifier of each container service is determined by the NFV SC according to the type of the VNF and the security capability of the container service.
  • In this design, the container manager negotiates security capabilities with the NFV SC and, based on the type of the VNF and the security capability of each container service that the VNF can call, determines the group identifier of each such container service. The VNFM can then manage the security policy applied in the VNF according to the group identifier of the updated container service, which avoids requesting a security policy from the NFV SC on every container service update, reduces the management complexity of the NFV SC and improves the efficiency of network deployment.
  • Before the container manager sends the identifier and security capability of each container service in the container service set corresponding to the VNF to the NFV SC, it may also receive a service invocation request message sent by the VNFM. The service invocation request message includes the identifier of the VNF and the identifier of at least one container service invoked by the VNF, and is sent after the VNFM determines that the VNF being instantiated needs to invoke a container service.
  • In this design, the container manager determines, from the received service invocation request message, the VNF that needs to invoke container services and the at least one container service that the VNF currently requests to invoke.
  • The container manager may also determine, according to the type of the VNF, at least one container service that can be invoked by the VNF, so that the container manager and the NFV SC can negotiate security capabilities and determine the group identifier of each container service.
  • In a third aspect, the embodiments of this application provide yet another security policy management method that can be applied to an NFV SC. The method includes: the NFV SC receives from the container manager the identifier and security capability of each container service in the container service set corresponding to the VNF. The container service set is the set of container services that can be invoked by the VNF, and it includes the at least one container service invoked by the VNF before the container service update and the first container service. The NFV SC determines the group identifier of each container service according to the type of the VNF and the security capability of each container service in the container service set, and sends the group identifier of each container service in the container service set to the container manager.
  • In this design, the NFV SC negotiates security capabilities with the container manager and, based on the type of the VNF and the security capability of each container service that the VNF can call, determines the group identifier of each such container service. The VNFM can then manage the security policy applied in the VNF according to the group identifier of the updated container service, which avoids the VNFM requesting a security policy from the NFV SC on every container service update and thereby reduces the management complexity of the NFV SC.
  • The NFV SC may receive a security policy request message sent by the VNFM. The security policy request message includes the first group identifier, and the first group identifier is the group identifier of the updated first container service. The security policy request message is sent after the VNFM determines that the first group identifier set does not include the first group identifier, where the first group identifier set is the set of group identifiers of the at least one container service called by the VNF before the container service update. The NFV SC then determines, according to the first group identifier, the first security policy applied by the VNF after the container service update, and sends the first security policy to the VNFM.
  • In this design, the VNFM sends a security policy request message to the NFV SC only when the first group identifier set does not include the first group identifier, so the NFV SC decides on a new security policy only in that case. This effectively ensures the security of the VNF and improves the efficiency of network deployment.
  • An embodiment of the present application provides a security policy management device. The device may have the function of implementing the VNFM in the first aspect or any possible design of the first aspect, the function of implementing the container manager in the second aspect or any possible design of the second aspect, or the function of implementing the NFV SC in the third aspect or any possible design of the third aspect.
  • the above-mentioned functions may be realized by hardware, or may be realized by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • In one possible design, the structure of the device includes a processing module and a transceiver module. The processing module is configured to support the device in performing the corresponding function in the first aspect or any design of the first aspect, in the second aspect or any design of the second aspect, or in the third aspect or any design of the third aspect.
  • The transceiver module is used to support communication between the device and other communication equipment. For example, when the device is a VNFM, the transceiver module communicates with the container manager and receives container service update messages sent by the container manager, and also communicates with the NFV SC network element and receives the security policy sent by the NFV SC.
  • the device may also include a storage module, which is coupled with the processing module, which stores program instructions and data necessary for the device.
  • The processing module may be a processor, the transceiver module may be a transceiver, and the storage module may be a memory. The memory may be integrated with the processor or provided separately from the processor, which is not limited in this application.
  • In another possible design, the structure of the device includes a processor and a memory. The processor is coupled to the memory and can execute computer program instructions stored in the memory, so that the device performs the method in the first aspect or any possible design of the first aspect, or the corresponding method in the second or third aspect.
  • the communication device further includes a communication interface, and the processor is coupled with the communication interface.
  • the communication interface can be a transceiver or an input/output interface, or an input/output interface of a chip.
  • An embodiment of the present application further provides a chip system, including a processor coupled with a memory, the memory being used to store a program or instructions. When the program or instructions are executed by the processor, the chip system implements the method in any possible design of the first aspect, the second aspect or the third aspect.
  • There may be one or more processors in the chip system. The processor can be implemented by hardware or by software: it may be a logic circuit, an integrated circuit or the like, or a general-purpose processor that operates by reading software code stored in the memory.
  • The memory may be integrated with the processor or provided separately from the processor, which is not limited in this application. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated with the processor on the same chip or set on a different chip; the arrangement of the processor is not specifically limited.
  • The chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
  • An embodiment of the present application provides a computer-readable storage medium that stores computer-readable instructions. When a computer reads and executes the computer-readable instructions, the computer is caused to perform the method in any possible design of the first aspect, the second aspect or the third aspect.
  • The embodiments of the present application provide a computer program product. When a computer reads and executes the computer program product, the computer performs the method in any possible design of the first aspect, the second aspect or the third aspect.
  • The embodiments of the present application provide a security policy management system, which includes the VNFM, the container manager and the NFV SC described in the foregoing method embodiments.
  • FIG. 1 is a schematic diagram of a network architecture of an NFV system to which an embodiment of this application applies;
  • FIG. 2 is a schematic flowchart of a security policy management method provided by an embodiment of the application.
  • FIG. 3 is a schematic diagram of another process of a security policy management method provided by an embodiment of the application.
  • FIG. 4 is a schematic diagram of another flow of a security policy management method provided by an embodiment of the application.
  • FIG. 5 is a schematic structural diagram of a security policy management device provided by an embodiment of the application.
  • FIG. 6 is a schematic diagram of another structure of a security policy management apparatus provided by an embodiment of the application.
  • FIG. 1 is a schematic diagram of a network architecture of an NFV system to which an embodiment of this application is applicable.
  • The NFV system includes: an operation support system/business support system (OSS/BSS), an element management system (EMS), virtualized network functions (VNFs), container services, a network function virtualization infrastructure (NFVI), an NFV orchestrator (NFVO), a VNF manager (VNFM), a container manager, a virtualized infrastructure manager (VIM) and an NFV security controller (NFV SC).
  • NFVO, VNFM and VIM are components of NFV management and orchestration (NFV-MANO).
  • OSS/BSS is mainly for telecom service operators, providing comprehensive network management and business operation functions, including network management (such as fault monitoring, network information collection, etc.), billing management, and customer service management.
  • EMS can be used to manage one or more VNFs and implement fault management, configuration management, accounting management, performance management and security management (FCAPS) functions for the VNF.
  • FCAPS: fault management, configuration management, accounting management, performance management, security management
  • A VNF corresponds to a physical network function (PNF) in a traditional non-virtualized network, for example a virtualized evolved packet core (EPC) node. Virtualized EPC nodes include the mobility management entity (MME), the serving gateway (SGW), the packet data network gateway (PGW), and so on.
  • VNFI: virtualized network function instance
  • NFVI may include a hardware resource layer composed of computing hardware, storage hardware, and network hardware, a virtualization layer, and a virtual resource layer composed of virtual computing (such as virtual machines), virtual storage, and virtual networks.
  • the virtualization layer in NFVI is used to abstract the hardware resources of the hardware resource layer, decouple the VNF and the physical layer to which the hardware resources belong, and provide virtual resources to the VNF.
  • the virtual resource layer can include virtual computing, virtual storage, and virtual networking. Virtual computing and virtual storage can be provided to the VNF in the form of a virtual machine (VM) or other virtual containers, for example, one or more virtual machines form a VNF.
  • the virtualization layer forms a virtual network by abstracting network hardware.
  • the virtual network is used to implement communication between multiple virtual machines or between multiple other types of virtual containers carrying VNFs.
  • A virtual network can be created with technologies such as virtual LAN (VLAN), virtual private LAN service (VPLS), virtual extensible LAN (VXLAN) or network virtualization using generic routing encapsulation (NVGRE).
  • Container service, also called container service instance, provides high-performance, scalable container application management services for each NFVI; these management services can be packaged into portable containers (Docker).
  • NFVO is used to manage the life cycle of VNFs, orchestrate and manage resources to realize NFV services according to the service requests of the OSS/BSS, and monitor VNFs, NFVI resources and operating status information in real time.
  • VNFM is used to manage one or more VNFs and perform management functions such as initialization, update, query and/or termination of VNF instances and scaling out/in of VNFs. It supports receiving the elastic scaling policy issued by the NFVO to realize elastic scaling of the VNF.
  • VIM is mainly responsible for the management, monitoring and fault reporting of infrastructure-layer hardware resources and virtualized resources, and provides virtualized resource pools for upper-layer applications; for example, it can be used to control and manage the VNFI corresponding to a VNF.
  • Container manager is used to manage the container service instances in the NFV system and update container services.
  • NFV SC is responsible for the generation, management and issuance of security policies, and has three new interfaces with MANO, which are respectively responsible for security management at the network service (NS) layer, the VNF layer and the infrastructure layer.
  • NS: network service
  • FIG. 2 is a schematic flowchart of a security policy management method provided by an embodiment of this application.
  • the method includes the following steps S201 to S204:
  • Step S201: if the container manager determines that a container service update needs to be performed on the VNF, it sends a container service update message to the VNFM. The container service update message includes a first group identifier, and the first group identifier is the group identifier of the updated first container service.
  • Here the VNF may refer to a VNF instance, obtained by the VNFM instantiating the VNF.
  • Step S202: the VNFM receives the container service update message sent by the container manager.
  • Step S203: if the first group identifier is included in the first group identifier set, the VNFM determines that the security policy applied by the VNF does not need to be changed, and may send first indication information to the container manager. The first indication information is used to instruct the container manager to perform the container service update, and the first group identifier set is the set composed of the group identifiers of the at least one container service called by the VNF before the container service update.
  • each container service has a corresponding group identifier
  • the group identifier of a container service is determined according to the VNF that invokes the container service and the security capability of the container service.
  • the group identifiers of different container services can be the same or different.
  • That the VNFM determines that the security policy applied by the VNF does not need to be changed means that the security capabilities required by the VNF may not change after the container service update, so the second security policy previously issued by the NFV SC can continue to apply. The VNFM therefore does not need to report the deployment status of the VNF after the container service update (for example, which container services the VNF invokes) to the NFV SC or request the NFV SC to make a new security policy decision; it can directly make the decision and instruct the container manager to update the container service, which reduces the management complexity of the NFV SC and improves network deployment efficiency.
  • The set formed by the group identifiers of the at least one container service called by the VNF before the container service update is the first group identifier set, and the set formed by the group identifiers of the at least one container service called by the VNF after the container service update is the second group identifier set. If the first group identifier set is the same as the second group identifier set, the security capabilities required by the VNF before and after the container service update are considered unchanged, the second security policy previously issued by the NFV SC can still be applied, and the VNFM can directly decide to update the container service without reporting the deployment of the VNF after the container service update.
  • Step S204: the container manager receives the first instruction information sent by the VNFM and performs the container service update on the VNF.
  • The container service update performed by the container manager may include adding a container service, replacing a container service, changing the location of a container service, scaling a container service out/in, and other possible types; this application does not specifically restrict it.
  • In the method of FIG. 3, the container manager determines that a container service update needs to be performed on the VNF and sends a container service update message to the VNFM; the container service update message includes the first group identifier.
  • Step S303 to step S304: if the first group identifier is not included in the first group identifier set, the VNFM determines that the security policy applied in the VNF needs to be changed, and therefore sends a security policy request message to the NFV SC. The security policy request message includes the foregoing first group identifier.
  • The security policy request message may include the identifier of the VNF, the identifier of the at least one container service called by the VNF after the container service update, and the first group identifier; or it may include the identifier of the VNF, the identifier of the at least one container service called by the VNF after the container service update, and the group identifier of each container service called by the VNF after the container service update.
  • in steps S305 and S306, after the NFV SC receives the security policy request message, it can determine, according to the first group identifier, the first security policy to be applied by the VNF after the container service update, and send the first security policy to the VNFM.
  • for example, the NFV SC may send a security policy response message to the VNFM that includes the identifier of the VNF, the identifier of at least one container service called by the VNF after the container service update, the group identifier of each container service called by the VNF after the container service update, and the first security policy applied by the VNF after the container service update.
  • if the first group identifier set is different from the second group identifier set, the second security policy issued by the NFV SC is considered no longer applicable after the container service update.
  • in that case the VNFM needs to report the deployment of the VNF after the container service update to the NFV SC and request the NFV SC to issue a new security policy.
  • the definitions of the first group identification set and the second group identification set are as described above, and will not be repeated here.
  • for example, the VNF invokes three container services A, B and C provided by the container manager. At some moment the container manager determines that the container service of the VNF needs to be updated, and after the update the VNF additionally invokes container service D.
  • if the group identifier of container service D is the same as the group identifier of any of container services A, B and C, the security policy applied by the VNF need not change; if the group identifier of container service D differs from the group identifiers of A, B and C, the security policy applied by the VNF needs to be changed, and the VNFM must apply to the NFV SC for a new security policy. Equivalently, the group identifiers of A, B and C constitute the first group identifier set, the group identifiers of A, B, C and D constitute the second group identifier set, and the two sets are compared to determine whether the security policy applied by the VNF needs to change; the principle is the same.
  • the VNFM may send second instruction information to the container manager, and the container manager updates the container service under the instruction of the second instruction information.
  • the second indication information may include the first security policy reissued by the NFV SC; alternatively, the NFV SC may send the first security policy to the container manager at the same time as it sends it to the VNFM. This is not limited.
  • the VNFM may also instantiate the VNF according to the method shown in FIG. 4. As shown in FIG. 4, in step S401 the VNFM instantiates the VNF. If instantiating the VNF requires invoking a container service, in step S402 the VNFM may send a service invocation request message to the container manager.
  • the service invocation request message includes the identifier of the VNF and the identifier of at least one container service that the VNF requests to invoke.
  • the VNFM may also send a security policy request message to the NFV SC.
  • the security policy request message includes the identifier of the VNF and the identifier of at least one container service that the VNF requests to invoke. The VNFM may send the service invocation request message and the security policy request message at the same time or separately; this application does not limit this.
  • the container manager may negotiate security capabilities with the NFV SC to determine the group identifier of each container service that the VNF can invoke. Specifically, in step S404 the container manager sends the security capability of each container service in the container service set corresponding to the VNF to the NFV SC.
  • the set of container services corresponding to the VNF refers to the set of container services that the VNF can call.
  • the container service set includes at least one container service. For example, it may include the at least one container service requested by the VNF in the service invocation request message, and may also include the first container service updated in a container service update message, as well as other container services. The security capability of each container service reflects the security features that the container service provides.
  • for example, when the container manager sends the security capability of each container service in the container service set corresponding to the VNF to the NFV SC, it sends a security capability negotiation message that includes the identifier of the VNF, the identifier of at least one container service that the VNF can invoke, and the security capability corresponding to each container service that the VNF can invoke.
  • the NFV SC can group the at least one container service that the VNF can call according to the type of the VNF and the security capability of each container service in the container service set, determine the group identifier of each container service, and send the determined group identifier of each container service to the container manager in step S406.
  • in this way the NFV SC can label and group a large number of container services that the VNF can invoke in one pass and determine the group identifier of each of them.
  • subsequently, the security policy applied in the VNF can be managed effectively according to the group identifier of an updated container service, which also improves network deployment efficiency.
  • the NFV SC sends the determined group identification of each container service to the container manager.
  • the NFV SC sends a security capability response message to the container manager, and the security capability response message includes the VNF
  • a group may include one container service, or one or more container services, which is not limited in this application.
  • the group identifier of a container service can be understood as the identifier of the group in which the container service is located, which is different from the identifier of the container service.
  • container services with the same security capabilities can be grouped into a group with the same group identifier, or it can be understood that any two container services with the same group identifier have the same security attributes.
  • the NFV SC may also determine the security policy matching the VNF according to the type of the VNF, the at least one container service that the VNF requests to call, and the security capability or group identifier of each such container service, and in step S408 send the determined security policy to the VNFM. To distinguish it from the first security policy reissued after the VNF updates its container service, the security policy issued by the NFV SC in step S408 is referred to as the second security policy. Together with the second security policy, the NFV SC may also send the VNFM the group identifier of each container service that the VNF can call.
  • the VNFM can perform network deployment on the VNF to obtain an instantiated VNF instance.
  • the NFV SC may send a security policy response message to the VNFM.
  • the security policy response message includes the identifier of the VNF, the identifier of at least one container service called by the VNF, the group identifier of each container service called by the VNF, and the second security policy applied after the VNF is instantiated.
  • the type of VNF refers to which network function the VNF performs as a virtual network element, and the type of VNF may reflect the security features required by the VNF or the security level of the VNF.
  • the type of the VNF may be, for example, a user plane function (UPF) or a session management function (SMF).
  • the security level of a UPF and an SMF may be the same, because both are mainly concerned with data forwarding and require similar security features, such as secure boot.
  • the type of the VNF may also be unified data management (UDM). A UDM mainly stores the user's subscription data, has a high security level, and requires security features such as hardware encryption.
  • the type of the VNF may also be an access and mobility management function (AMF). An AMF is mainly used for user mobility management and requires security features such as high reliability.
  • for different types of VNF, the security policy decided by the NFV SC may therefore also differ.
  • the security policy applied in the VNF corresponds to the security features required by the VNF.
  • the security policy may include whether the VNF requires hardware encryption, whether it requires secure startup, and so on.
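The grouping negotiation (steps S404 to S406), the policy issued at instantiation (step S408) and the update decision (steps S202 to S203 and S303 to S306), including the A, B, C, D example above, modelled as an added Python example. This is illustrative code written for this page, not the applicant's implementation: the three roles exchange messages as in-process method calls, and the data model, the `grp-N` labels and the VNF-type requirement table are assumptions. The scenario input is constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed: required features per VNF type, following the page (UPF/SMF: secure
# start; UDM: hardware encryption; AMF: high reliability). Not patent text.
VNF_TYPE_REQUIREMENTS: Dict[str, FrozenSet[str]] = {
    "UPF": frozenset({"secure_boot"}), "SMF": frozenset({"secure_boot"}),
    "UDM": frozenset({"hw_encryption"}), "AMF": frozenset({"high_reliability"}),
}
Catalogue = Dict[str, FrozenSet[str]]  # service_id -> security capability set (assumed shape)

@dataclass(frozen=True)
class SecurityPolicy:
    required_features: FrozenSet[str]
    group_ids: FrozenSet[str]  # group identifiers the policy was decided for

class NfvSc:
    def __init__(self) -> None:
        self._groups: Dict[Tuple[str, FrozenSet[str]], str] = {}
        self._labels: Dict[str, Dict[str, str]] = {}  # vnf_id -> service_id -> group id
        self.policy_requests = 0

    def negotiate(self, vnf_id: str, vnf_type: str, catalogue: Catalogue) -> Dict[str, str]:
        # S404-S406: same (VNF type, security capability) -> same group identifier, whole set in one pass.
        labels = {}
        for service_id, caps in catalogue.items():
            labels[service_id] = self._groups.setdefault((vnf_type, caps), f"grp-{len(self._groups) + 1}")
        self._labels[vnf_id] = labels
        return labels

    def security_policy_request(self, vnf_id: str, vnf_type: str, service_ids: List[str]) -> SecurityPolicy:
        # S408 (second policy) and S305-S306 (first policy after an update), decided from the
        # VNF type and the group identifiers the SC itself assigned to the invoked services.
        self.policy_requests += 1
        return SecurityPolicy(VNF_TYPE_REQUIREMENTS[vnf_type],
                              frozenset(self._labels[vnf_id][s] for s in service_ids))

class ContainerManager:
    def __init__(self, sc: NfvSc, catalogue: Catalogue) -> None:
        self.sc, self.catalogue = sc, catalogue
        self.labels: Dict[str, Dict[str, str]] = {}
        self.deployed: Dict[str, List[str]] = {}

    def service_invocation_request(self, vnf_id: str, vnf_type: str, service_ids: List[str]) -> None:
        # S402 received; negotiate for every service the VNF can invoke, so later updates carry a label.
        self.labels[vnf_id] = self.sc.negotiate(vnf_id, vnf_type, self.catalogue)
        self.deployed[vnf_id] = list(service_ids)

    def container_service_update(self, vnfm: "Vnfm", vnf_id: str, service_id: str) -> str:
        # Container service update message carrying the first group identifier of the updated service.
        return vnfm.on_container_service_update(vnf_id, service_id, self.labels[vnf_id][service_id])

    def apply_update(self, vnf_id: str, service_id: str) -> None:
        self.deployed[vnf_id].append(service_id)  # S204: performed on the VNFM's indication

class Vnfm:
    def __init__(self, sc: NfvSc, cm: ContainerManager) -> None:
        self.sc, self.cm = sc, cm
        self.vnf_type: Dict[str, str] = {}
        self.services: Dict[str, List[str]] = {}
        self.group_set: Dict[str, set] = {}  # first group identifier set, per VNF
        self.policy: Dict[str, SecurityPolicy] = {}

    def instantiate(self, vnf_id: str, vnf_type: str, service_ids: List[str]) -> SecurityPolicy:
        self.cm.service_invocation_request(vnf_id, vnf_type, service_ids)  # S402
        policy = self.sc.security_policy_request(vnf_id, vnf_type, service_ids)  # S408
        self.vnf_type[vnf_id], self.services[vnf_id] = vnf_type, list(service_ids)
        # The reference set is taken from the SC's response, not from the container manager.
        self.group_set[vnf_id], self.policy[vnf_id] = set(policy.group_ids), policy
        return policy

    def on_container_service_update(self, vnf_id: str, service_id: str, first_group_id: str) -> str:
        self.services[vnf_id].append(service_id)
        if first_group_id in self.group_set[vnf_id]:
            # S202-S203: same security attributes as a service already in use; no round trip to the SC.
            self.cm.apply_update(vnf_id, service_id)
            return "first_indication"
        # S303-S306: new group, so request the first security policy, then instruct the update.
        policy = self.sc.security_policy_request(vnf_id, self.vnf_type[vnf_id], self.services[vnf_id])
        self.group_set[vnf_id], self.policy[vnf_id] = set(policy.group_ids), policy
        self.cm.apply_update(vnf_id, service_id)
        return "second_indication"

def run_scenario() -> Dict[str, object]:
    """Constructed input: a UDM VNF invoking A, B, C; then D (same group as C), then E (new group)."""
    hw_sb = frozenset({"hw_encryption", "secure_boot"})
    catalogue: Catalogue = {"A": hw_sb, "B": hw_sb, "C": frozenset({"hw_encryption"}),
                            "D": frozenset({"hw_encryption"}), "E": frozenset({"secure_boot"})}
    cm = ContainerManager(NfvSc(), catalogue)
    vnfm = Vnfm(cm.sc, cm)
    vnfm.instantiate("udm-1", "UDM", ["A", "B", "C"])
    d_result = cm.container_service_update(vnfm, "udm-1", "D")
    requests_after_d = cm.sc.policy_requests
    e_result = cm.container_service_update(vnfm, "udm-1", "E")
    return {"d": d_result, "e": e_result, "requests_after_d": requests_after_d,
            "requests_after_e": cm.sc.policy_requests, "group_set": sorted(vnfm.group_set["udm-1"]),
            "deployed": cm.deployed["udm-1"]}
```

Running `run_scenario()` shows the two paths side by side: adding D costs no request to the NFV SC because its group identifier is already in the first group identifier set, while adding E triggers one request and enlarges the set. Note that the VNFM builds its reference set from the NFV SC's policy response rather than from the container manager's update message, so the decision does not rest on a label the container manager merely asserts.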
  • FIG. 5 is a schematic structural diagram of a security policy management device provided by an embodiment of the present application.
  • the device includes a transceiver module 510 and a processing module 520.
  • the device can be used as a VNFM to implement the functions related to the VNFM in any of the above method embodiments, and the device can also be used as a container manager to implement the functions related to the container manager in any of the above method embodiments.
  • It can be used as an NFV SC, which is used to implement the functions of NFV SC in any of the foregoing method embodiments.
  • when the device is used as a VNFM, the transceiver module 510 is configured to receive the container service update message sent by the container manager, and the processing module 520 is configured to determine, when the first group identifier set includes the first group identifier, that the security policy applied by the VNF does not need to change, and to send the first indication information to the container manager through the transceiver module 510.
  • when the device is used as a container manager, the transceiver module 510 is configured to send a container service update message to the VNFM when it is determined that the container service of the VNF needs to be updated, and the processing module 520 is configured to determine whether the container service of the VNF needs to be updated and to perform the container service update of the VNF.
  • when the device is used as an NFV SC, the transceiver module 510 is configured to receive the identifier and security capability of each container service in the container service set corresponding to the VNF sent by the container manager, and to send the group identifier of each container service in the container service set to the container manager; the processing module 520 is configured to determine the group identifier of each container service according to the type of the VNF and the security capability of each container service in the container service set.
  • processing module 520 involved in the apparatus provided in the embodiments of the present application may be implemented by a processor or processor-related circuit components
  • transceiver module 510 may be implemented by a transceiver or transceiver-related circuit components.
  • the security policy management apparatus 500 provided in the embodiment of the application may correspond to the execution of the VNFM in the security policy management methods S201 to S204 provided in the embodiment of the application, or the security policy management provided in the embodiment of the application.
  • FIG. 6 is a schematic diagram of another structure of the security policy management apparatus provided in an embodiment of the application.
  • the device 600 includes a processor 610, a memory 620, and a communication interface 630.
  • the apparatus 600 further includes an input device 640, an output device 650, and a bus 660.
  • the processor 610, the memory 620, the communication interface 630, the input device 640, and the output device 650 are connected to each other through a bus 660.
  • the memory 620 stores instructions or programs, and the processor 610 is configured to execute the instructions or programs stored in the memory 620.
  • the processor 610 is used to perform the operations performed by the processing module 520 in the foregoing method embodiment, and the communication interface 630 is used to perform the operations performed by the transceiver module 510 in the foregoing embodiment.
  • the device 600 provided in this embodiment may correspond to the VNFM, the container manager or the NFV SC that executes the security policy management methods S201 to S204 provided in this embodiment, and the operations and/or functions of each module in the device 600 are used to implement the corresponding procedures of the methods shown in FIG. 2, FIG. 3 or FIG. 4, respectively. For brevity, details are not repeated here.
  • An embodiment of the present application also provides a chip system, including: a processor, the processor is coupled with a memory, the memory is used to store a program or instruction, when the program or instruction is executed by the processor, the The chip system implements the method in any of the foregoing method embodiments.
  • processors in the chip system there may be one or more processors in the chip system.
  • the processor can be implemented by hardware or software.
  • the processor may be a logic circuit, an integrated circuit, or the like.
  • the processor may be a general-purpose processor, which is implemented by reading software codes stored in the memory.
  • the memory may be integrated with the processor, or may be provided separately from the processor, which is not limited in this application.
  • the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or provided on a different chip.
  • the setting method of the processor is not specifically limited.
  • the chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
  • each step in the foregoing method embodiments may be completed by an integrated logic circuit of hardware in a processor or instructions in the form of software.
  • the method steps disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
  • the embodiment of the present application also provides a computer-readable storage medium, which stores computer-readable instructions, and when the computer reads and executes the computer-readable instructions, the computer is caused to execute any of the foregoing method embodiments Method in.
  • the embodiment of the present application provides a computer program product.
  • the computer reads and executes the computer program product, the computer is caused to execute the method in any of the foregoing method embodiments.
  • the embodiment of the present application provides a security policy management system, which includes the VNFM, the container manager, and the NFV SC described in the foregoing method embodiments.
  • the processor mentioned in the embodiments of this application may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the memory mentioned in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), and electronic Erase programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • the volatile memory may be random access memory (RAM), used as an external cache. Many forms of RAM may be used, for example static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
  • the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component
  • the memory (storage module)
  • the sequence numbers of the above processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and does not constitute any limitation on the implementation of the embodiments of this application.
  • the disclosed system, device, and method may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium.
  • the technical solution of this application essentially or the part that contributes to the existing technology or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Abstract

A security policy management method and device. The method comprises: a VNFM receives a container service update message sent by a container manager after the container manager determines that a VNF needs a container service update, the container service update message comprising a first group identifier of an updated first container service; if a first group identifier set comprises the first group identifier, the VNFM determines that the security policy applied by the VNF does not need to be changed, and sends first indication information to the container manager instructing it to perform the container service update, the first group identifier set being the set of group identifiers of at least one container service called by the VNF before the container service update. Therefore, when the first group identifier is comprised in the first group identifier set, the VNFM does not need to request the NFV SC to issue a security policy for each container service update, which effectively reduces the management complexity of the NFV SC and improves network deployment efficiency.

Description

Security policy management method and device
Cross-reference to related applications
This application claims priority to Chinese patent application No. 201910363266.5, filed with the Chinese Patent Office on April 30, 2019 and entitled "A security policy management method and device", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of communication technology, and in particular to a security policy management method and device.
Background
Network function virtualization (NFV) is a technology that builds a communication network system using general-purpose hardware and network virtualization. It can carry the software processing functions of a communication network, enabling virtualization, flexible deployment and flexible scaling of the network, and reducing the cost of expensive communication network equipment.
In the NFV architecture, the NFV security controller (NFV SC) is responsible for generating, managing and issuing security policies. When a virtual network function (VNF) is instantiated, the VNF manager (VNFM) reports the deployment of the VNF to the NFV SC; the NFV SC formulates a matching security policy based on that deployment and issues it to the VNFM or the container manager for network deployment. In the prior art, when a VNF update or container service update occurs, the VNFM must report the deployment of the VNF to the NFV SC so that the NFV SC dynamically perceives the container service update in real time and decides on and issues a security policy. However, container service updates are routine: container services may be frequently updated and re-released, dynamically scaled according to load, and container service instances may be migrated from one server to another by resource scheduling. Reporting the deployment of the VNF on every VNF update or container service update causes the NFV SC to repeatedly decide on and issue security policies, which increases the management difficulty of the NFV SC and affects network deployment efficiency.
Summary of the invention
The embodiments of this application provide a security policy management method and device, which are used to reduce the management difficulty of the NFV SC and improve network deployment efficiency.
In a first aspect, an embodiment of this application provides a security policy management method that can be applied to a VNFM. The method includes: the VNFM receives a container service update message sent by a container manager, the container service update message including a first group identifier, which is the group identifier of the updated first container service and is determined according to the type of the VNF and the security capability of the first container service; the container service update message is sent after the container manager determines that the container service of the VNF needs to be updated. If the first group identifier set includes the first group identifier, the VNFM determines that the security policy applied by the VNF does not need to change and sends first indication information to the container manager, instructing it to perform the container service update. The first group identifier set is the set of group identifiers of at least one container service called by the VNF before the container service update.
With this technical solution, when the group identifier of the updated first container service is included in the first group identifier set, the VNFM determines that the security policy applied in the VNF does not need to change; the VNFM can decide on the container service update directly and instruct the container manager to perform it, without reporting the deployment of the VNF after the container service update. This effectively reduces the management complexity of the NFV SC and improves network deployment efficiency.
In a possible design, if the first group identifier is not included in the first group identifier set, the VNFM determines that the security policy applied by the VNF needs to change and sends a security policy request message, including the first group identifier, to the NFV SC; the VNFM then receives the first security policy, which the NFV SC sends according to the first group identifier and which is the security policy applied by the VNF after the container service update.
With this technical solution, when the group identifier of the updated first container service is not included in the first group identifier set, the VNFM can determine that the security policy applied in the VNF needs to change and send a security policy request message to the NFV SC to request a new security policy, thereby ensuring the security of the VNF.
In a possible design, after receiving the first security policy, the VNFM may also send second indication information to the container manager, instructing it to perform the container service update.
With this technical solution, when the VNFM needs to apply to the NFV SC for a new security policy, it can instruct the container manager to perform the container service update after receiving the first security policy, thereby completing the network deployment.
In a possible design, before receiving the container service update message from the container manager, the VNFM may also instantiate the VNF; if instantiating the VNF requires invoking a container service, the VNFM may send a service invocation request message to the container manager, the message including the identifier of the VNF and the identifier of at least one container service that the VNF requests to invoke.
With this technical solution, when instantiating the VNF, the VNFM can determine that a container service provided by the container manager needs to be invoked and send a service invocation request message to the container manager to complete the network deployment. In subsequent steps the container manager can also use the information about the VNF's service invocation carried in that message to determine the group identifier of each container service that the VNF can invoke. The VNFM can then use the group identifier of an updated container service to determine whether the security policy applied by the VNF needs to change, which avoids having to request a security policy from the NFV SC for every container service update and effectively improves network deployment efficiency.
In a second aspect, an embodiment of this application provides another security policy management method that can be applied to a container manager. The method includes: if the container manager determines that the container service of the VNF needs to be updated, it sends a container service update message to the VNFM, the message including a first group identifier, which is the group identifier of the updated first container service and is determined according to the type of the VNF and the security capability of the first container service; the container manager receives first indication information sent by the VNFM and updates the container service of the VNF, the first indication information being sent by the VNFM after it determines that the first group identifier set includes the first group identifier, where the first group identifier set is the set of group identifiers of at least one container service called by the VNF before the container service update.
With this technical solution, when the container manager determines that the container service of the VNF needs to be updated, it can carry the group identifier of the updated first container service in the container service update message sent to the VNFM. When the first group identifier is included in the first group identifier set, the VNFM can then decide directly to perform the container service update without requesting a security policy from the NFV SC, which effectively reduces the management complexity of the NFV SC and improves network deployment efficiency.
In a possible design, the container manager may also receive second indication information sent by the VNFM and update the container service of the VNF accordingly; the second indication information is sent after the VNFM receives the first security policy from the NFV SC, the first security policy being the security policy applied by the VNF after the container service update.
With this technical solution, when the VNFM decides that the VNF needs to apply a new security policy, the VNFM can send the second indication information instructing the container service update to the container manager after receiving the new security policy, thereby ensuring the security of the VNF and completing the network deployment.
In a possible design, before the container manager determines whether the container service called by the VNF needs to be updated, it may send to the NFV SC the identifier and security capability of each container service in the container service set corresponding to the VNF; this set is the set of container services that the VNF can invoke and includes at least one container service called by the VNF before the container service update as well as the first container service. The container manager then receives from the NFV SC the group identifier of each container service in the set, each group identifier being determined by the NFV SC according to the type of the VNF and the security capability of the container service.
采用本申请实施例提供的技术方案,容器管理器可与NFV SC进行安全能力协商,根据该VNF的类型和该VNF能够调用的每个容器服务的安全能力,确定出该VNF能够调用的每个容器服务的分组标识,以便VNFM根据更新的容器服务的分组标识对VNF中应用的安全策略进行有效管理,避免每次容器服务更新都需要向NFV SC请求安全策略的问题,从而降低NFV SC的管理复杂度,提高网络部署效率。Using the technical solution provided by the embodiments of this application, the container manager can negotiate security capabilities with the NFV SC, and determine each container service that the VNF can call based on the type of the VNF and the security capabilities of each container service that the VNF can call. The group identification of the container service, so that the VNFM can effectively manage the security policy applied in the VNF according to the updated group identification of the container service, avoiding the problem of requesting the security policy from the NFV SC for each container service update, thereby reducing the management of the NFV SC Complexity improves the efficiency of network deployment.
在一种可能的设计中,容器管理器向NFV SC发送VNF对应的容器服务集合中每个容器服务的标识和安全能力之前,容器管理器还可接收VNFM发送的服务调用请求消息,该服务调用请求消息中包括VNF的标识和VNF调用的至少一个容器服务的标识,服务调用请求消息是VNFM确定实例化VNF需要调用容器服务后发送的。In a possible design, before the container manager sends the identity and security capabilities of each container service in the container service set corresponding to the VNF to the NFV SC, the container manager can also receive the service invocation request message sent by the VNFM, and the service invocation The request message includes the identifier of the VNF and the identifier of at least one container service invoked by the VNF, and the service invocation request message is sent after the VNFM determines that the instantiated VNF needs to invoke the container service.
采用本申请实施例提供的技术方案,容器管理器可根据接收到的服务调用请求消息确定需要调用容器服务的VNF,以及该VNF当前请求调用的至少一个容器服务。可选地,容器管理器还可根据该VNF的类型,确定出该VNF能够调用的至少一个容器服务,以便于容器管理器与NFV SC进行安全能力协商,确定容器服务的分组标识。Using the technical solution provided by the embodiment of the present application, the container manager can determine the VNF that needs to invoke the container service according to the received service invocation request message, and at least one container service that the VNF currently requests to invoke. Optionally, the container manager may also determine at least one container service that can be invoked by the VNF according to the type of the VNF, so that the container manager and the NFV SC can negotiate security capabilities and determine the group identifier of the container service.
第三方面,本申请实施例提供又一种安全策略管理方法,该方法可应用于NFV SC,该方法包括:NFV SC接收容器管理器发送的VNF对应的容器服务集合中每个容器服务的标识和安全能力,该容器服务集合为VNF能够调用的容器服务的集合,该容器服务集合中包括VNF在容器服务更新前调用的至少一个容器服务和第一容器服务;NFV SC根据VNF的类型和容器服务集合中每个容器服务的安全能力,确定每个容器服务的分组标识,并将容器服务集合中每个容器服务的分组标识发送至容器管理器。In the third aspect, the embodiments of this application provide yet another security policy management method, which can be applied to NFV SC, and the method includes: the NFV SC receives the identifier of each container service in the set of container services corresponding to the VNF from the container manager And security capabilities. The container service set is a set of container services that can be invoked by the VNF. The container service set includes at least one container service and the first container service invoked by the VNF before the container service is updated; the NFVSC is based on the type and container of the VNF The security capability of each container service in the service set determines the group identifier of each container service, and sends the group identifier of each container service in the container service set to the container manager.
采用本申请实施例提供的技术方案,NFV SC可与容器管理器进行安全能力协商,根据该VNF的类型和该VNF能够调用的每个容器服务的安全能力,确定出该VNF能够调用的每个容器服务的分组标识,以便VNFM根据更新的容器服务的分组标识对VNF中应用的安全策略进行有效管理,避免每次容器服务更新VNFM都需要向NFV SC请求安全策略的问题,从而有效降低NFV SC的管理复杂度,提高网络部署效率。Using the technical solutions provided by the embodiments of this application, the NFV SC can negotiate security capabilities with the container manager, and determine each container service that the VNF can call based on the type of the VNF and the security capabilities of each container service that the VNF can call. The group identification of the container service, so that the VNFM can effectively manage the security policy applied in the VNF according to the updated group identification of the container service, avoiding the problem of requesting the security policy from the NFV SC every time the container service updates the VNFM, thereby effectively reducing the NFV SC The complexity of management and improve the efficiency of network deployment.
在一种可能的设计中,NFV SC可接收VNFM发送的安全策略请求消息,该安全策略请求消息中包括第一分组标识,该第一分组标识为更新的第一容器服务的分组标识,该安全策略请求消息是VNFM确定第一分组标识集合中不包括第一分组标识后发送的,第一分组标识集合为VNF在容器服务更新前调用的至少一个容器服务的分组标识构成的集合;之后,NFV SC根据第一分组标识,确定该VNF在容器服务更新后应用的第一安全策略,并将第一安全策略发送至VNFM。In a possible design, the NFV SC may receive a security policy request message sent by the VNFM. The security policy request message includes the first group identifier, and the first group identifier is the updated group identifier of the first container service. The policy request message is sent after the VNFM determines that the first group identifier set does not include the first group identifier. The first group identifier set is a set of group identifiers of at least one container service called by the VNF before the container service is updated; after that, the NFV The SC determines the first security policy applied by the VNF after the container service is updated according to the first group identifier, and sends the first security policy to the VNFM.
采用本申请实施例提供的技术方案,NFV SC可仅在第一分组标识不包括在第一分组标识集合的情况下,向NFV SC发送安全策略请求消息,以使NFV SC决策新的安全策略的,从而有效确保VNF的安全性,并提高网络部署效率。Using the technical solution provided by the embodiments of this application, the NFV SC can only send a security policy request message to the NFV SC when the first group identifier is not included in the first group identifier set, so that the NFV SC can decide on the new security policy. , So as to effectively ensure the security of VNF and improve the efficiency of network deployment.
In a fourth aspect, the embodiments of this application provide a security policy management apparatus. The apparatus may have the function of implementing the VNFM in the first aspect or any possible design of the first aspect, or the function of implementing the container manager in the second aspect or any possible design of the second aspect, or the function of implementing the NFV SC in the third aspect or any possible design of the third aspect. These functions may be implemented by hardware, or by hardware executing corresponding software, where the hardware or software includes one or more modules corresponding to the functions above.
In a possible design, the structure of the apparatus includes a processing module and a transceiver module. The processing module is configured to support the apparatus in performing the corresponding function in the first aspect or any design of the first aspect, in the second aspect or any design of the second aspect, or in the third aspect or any design of the third aspect. The transceiver module is configured to support communication between the apparatus and other communication devices; for example, when the apparatus is a VNFM, the transceiver module can communicate with the container manager to receive the container service update message sent by the container manager, and can also communicate with the NFV SC network element to receive the security policy sent by the NFV SC. The apparatus may further include a storage module coupled to the processing module, which stores the program instructions and data necessary for the apparatus. As an example, the processing module may be a processor, the communication module may be a transceiver, and the storage module may be a memory; the memory may be integrated with the processor or provided separately from it, which is not limited in this application.
In another possible design, the structure of the apparatus includes a processor and a memory, the processor being coupled to the memory and usable to execute computer program instructions stored in the memory so that the apparatus performs the method in the first aspect or any possible design of the first aspect, the method in the second aspect or any possible design of the second aspect, or the method in the third aspect or any possible design of the third aspect. Optionally, the communication apparatus further includes a communication interface coupled to the processor. The communication interface may be a transceiver, an input/output interface, or the input/output interface of a chip.
In a fourth aspect, the embodiments of this application further provide a chip system, including a processor coupled to a memory, the memory being used to store a program or instructions which, when executed by the processor, cause the chip system to implement the method in any possible design of the first aspect, the method in any possible design of the second aspect, or the method in any possible design of the third aspect.
Optionally, the chip system may contain one or more processors. The processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor that works by reading software code stored in the memory.
Optionally, the chip system may also contain one or more memories. The memory may be integrated with the processor or provided separately from it, which is not limited in this application. As an example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated with the processor on the same chip or placed on a different chip; this application does not specifically limit the type of memory or the way the memory and processor are arranged.
As an example, the chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
In a fifth aspect, the embodiments of this application provide a computer-readable storage medium storing computer-readable instructions which, when read and executed by a computer, cause the computer to perform the method in any possible design of the first aspect, the method in any possible design of the second aspect, or the method in any possible design of the third aspect.
In a sixth aspect, the embodiments of this application provide a computer program product which, when read and executed by a computer, causes the computer to perform the method in any possible design of the first aspect, the method in any possible design of the second aspect, or the method in any possible design of the third aspect.
In a seventh aspect, the embodiments of this application provide a security policy management system that includes the VNFM, the container manager, and the NFV SC described in the method embodiments above.
Description of the drawings
FIG. 1 is a schematic diagram of the network architecture of an NFV system to which the embodiments of this application apply;
FIG. 2 is a schematic flowchart of a security policy management method provided by an embodiment of this application;
FIG. 3 is another schematic flowchart of a security policy management method provided by an embodiment of this application;
FIG. 4 is yet another schematic flowchart of a security policy management method provided by an embodiment of this application;
FIG. 5 is a schematic structural diagram of a security policy management apparatus provided by an embodiment of this application;
FIG. 6 is another schematic structural diagram of a security policy management apparatus provided by an embodiment of this application.
Detailed description
To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the embodiments are described in further detail below with reference to the accompanying drawings.
It should be understood that, unless stated otherwise, ordinal terms such as "first" and "second" in the embodiments of this application are used to distinguish between multiple objects and do not limit their order, timing, priority, or importance. "And/or" describes an association between related objects and indicates that three relationships are possible; for example, "A and/or B" may mean A alone, both A and B, or B alone. Unless otherwise specified, the character "/" generally indicates an "or" relationship between the objects before and after it. "Multiple" means two or more, and in the embodiments of this application "multiple" may be understood as "at least two". "At least one" may be understood as one or more, for example one, two, or more.
Refer to FIG. 1, which is a schematic diagram of the network architecture of an NFV system to which the embodiments of this application apply. The NFV system includes: an operation support system/business support system (OSS/BSS), an element management system (EMS), a virtualized network function (VNF), container services, a network function virtualization infrastructure (NFVI), an NFV orchestrator (NFVO), a virtualized network function manager (VNFM), a container manager, a virtualized infrastructure manager (VIM), and an NFV security controller (NFV SC). The NFVO, VNFM, and VIM are components of NFV management and orchestration (NFV MANO).
The OSS/BSS is mainly aimed at telecom service operators and provides comprehensive network management and business operation functions, including network management (such as fault monitoring and network information collection), billing management, and customer service management.
The EMS may be used to manage one or more VNFs, implementing fault management, configuration management, accounting management, performance management, and security management (FCAPS) functions for the VNFs.
A VNF corresponds to a physical network function (PNF) in a traditional non-virtualized network, for example a virtualized evolved packet core (EPC) node. Virtualized EPC nodes include the mobility management entity (MME), serving gateway (SGW), packet data network gateway (PGW), and so on.
After the VNFM instantiates a VNF, a virtualized network function instance (VNFI) corresponding to the VNF is obtained; the VNFI can be deployed on a virtual machine and, as a softwarized network element, performs the functions of that network element.
The NFVI may include a hardware resource layer composed of computing, storage, and network hardware; a virtualization layer; and a virtual resource layer composed of virtual computing (for example virtual machines), virtual storage, and virtual networks. The virtualization layer in the NFVI abstracts the hardware resources of the hardware resource layer, decouples the VNF from the physical layer to which the hardware resources belong, and provides virtual resources to the VNF. The virtual resource layer may include virtual computing, virtual storage, and virtual networks. Virtual computing and virtual storage may be provided to the VNF in the form of virtual machines (VMs) or other virtual containers; for example, one or more virtual machines make up a VNF. The virtualization layer forms a virtual network by abstracting the network hardware. The virtual network implements communication between multiple virtual machines, or between multiple other types of virtual containers that carry VNFs. A virtual network may be created using technologies such as virtual LAN (VLAN), virtual private LAN service (VPLS), virtual extensible local area network (VXLAN), or network virtualization using generic routing encapsulation (NVGRE).
A container service, also called a container service instance, provides high-performance, scalable container application management services for each NFVI; these management services can be packaged into portable containers (docker).
NFVO: manages the life cycle of VNFs and orchestrates and manages resources to realize NFV services according to service requests from the OSS/BSS, and monitors VNFs, NFVI resources, and running state information in real time.
VNFM: manages one or more VNFs and performs management functions such as initialization, update, query, and/or termination of VNF instances, as well as scaling VNFs out and in. It supports receiving the scaling policy issued by the NFVO in order to realize elastic scaling of VNFs.
VIM: mainly responsible for the management, monitoring, and fault reporting of the hardware resources and virtualized resources of the infrastructure layer, and provides a pool of virtualized resources to upper-layer applications; for example, it can be used to control and manage the VNFI corresponding to a VNF.
Container manager: manages the container service instances in the NFV system and performs container service updates.
NFV SC: responsible for generating, managing, and issuing security policies. It has three new interfaces with the MANO, responsible respectively for security management at the network service (NS) layer, the VNF layer, and the infrastructure (I) layer.
请参考图2,为本申请实施例提供的一种安全策略管理方法的流程示意图。该方法包括如下的步骤S201至步骤S204:Please refer to FIG. 2, which is a schematic flowchart of a security policy management method provided by an embodiment of this application. The method includes the following steps S201 to S204:
步骤S201、容器管理器若确定需要对VNF进行容器服务更新,向VNFM发送容器服务更新消息,该容器服务更新消息中包括第一分组标识,该第一分组标识为更新的第一容器服务的分组标识。Step S201: If the container manager determines that it is necessary to update the container service of the VNF, it sends a container service update message to the VNFM. The container service update message includes a first group identifier, and the first group identifier is the updated group of the first container service. Logo.
所述VNF可以是指VNF实例,VNF实例可由VNFM对VNF进行实例化得到。The VNF may refer to a VNF instance, and the VNF instance may be obtained by instantiating the VNF by the VNFM.
步骤S202、VNFM接收容器管理器发送的容器服务更新消息。Step S202: The VNFM receives the container service update message sent by the container manager.
步骤S203、若第一分组标识集合中包括第一分组标识,VNFM确定不需要改变VNF应用的安全策略,可向容器管理器发送第一指示信息,该第一指示信息用于指示容器管理器进行容器服务更新,该第一分组标识集合为由该VNF在容器服务更新前调用的至少一个容器服务的分组标识构成的集合。Step S203: If the first group identifier is included in the first group identifier set, the VNFM determines that there is no need to change the security policy applied by the VNF, and may send first indication information to the container manager. The first indication information is used to instruct the container manager to perform The container service is updated, and the first group identifier set is a set composed of the group identifiers of at least one container service called by the VNF before the container service is updated.
本申请实施例中,每个容器服务都具有一个对应的分组标识,一个容器服务的分组标识是根据调用该容器服务的VNF,以及该容器服务的安全能力确定的。不同的容器服务的分组标识可以相同,也可以不相同。In the embodiment of the present application, each container service has a corresponding group identifier, and the group identifier of a container service is determined according to the VNF that invokes the container service and the security capability of the container service. The group identifiers of different container services can be the same or different.
这里,VNFM确定不需要改变VNF应用的安全策略是指,容器服务更新后,VNF所需要的安全能力可能没有改变,NFV SC之前下发的第二安全策略仍可继续适用,VNFM无需将VNF在容器服务更新后的部署情况(例如,该VNF调用了哪些容器服务)上报给NFV SC,请求NFV SC进行新的安全策略决策。VNFM可以直接决策,并指示容器管理器进行容器服务更新,从而降低NFV SC的管理复杂度,提升网络部署效率。Here, the VNFM determines that the security policy applied by the VNF does not need to be changed means that after the container service is updated, the security capabilities required by the VNF may not change. The second security policy issued before the NFV SC can still continue to apply, and the VNFM does not need to place the VNF in The updated deployment status of the container service (for example, which container services are invoked by the VNF) is reported to the NFV SC, and the NFV SC is requested to make new security policy decisions. VNFM can directly make decisions and instruct the container manager to update container services, thereby reducing the management complexity of NFV SC and improving network deployment efficiency.
也可以理解为,在容器服务更新前,VNF调用的至少一个容器服务的分组标识构成的集合为第一分组标识集合,容器服务更新后,VNF调用的至少一个容器服务的分组标识构成的集合为第二分组标识集合。若第一分组标识集合与第二分组标识集合相同,可认为VNF在容器服务更新前后需要的安全能力没有改变,NFV SC之前下发的第二安全策略仍可继续适用,VNFM无需上报容器服务更新后VNF的部署情况,可以直接决策进行容器服务更新。It can also be understood that before the container service is updated, the set formed by the group identifiers of at least one container service called by the VNF is the first group identifier set, and after the container service is updated, the set formed by the group identifiers of at least one container service called by the VNF is The second group identification set. If the first group identification set is the same as the second group identification set, it can be considered that the security capabilities required by the VNF before and after the container service update have not changed. The second security policy issued before the NFV SC can still be applied, and the VNFM does not need to report the container service update After the deployment of VNF, you can directly decide to update the container service.
步骤S204、容器管理器接收VNFM发送的第一指示信息,对该VNF进行容器服务更新。Step S204: The container manager receives the first instruction information sent by the VNFM, and updates the container service of the VNF.
本申请实施例中,容器管理器进行容器服务更新可包括容器服务的新增、容器服务的替换、容器服务的位置变化、容器服务的扩容/缩容等多种可能的类型,本申请在此不做具体限定。In the embodiment of this application, the container service update performed by the container manager may include the addition of container service, the replacement of container service, the location change of container service, the expansion/reduction of container service, and other possible types. This application is here. No specific restrictions.
具体的,如图3所示,在步骤S301至步骤S302中,容器管理器可根据接收到的第一指示信息,确定需要对VNF进行容器服务更新,进而向VNFM发送容器服务更新消息,该容器服务更新消息包括第一分组标识。Specifically, as shown in FIG. 3, in step S301 to step S302, the container manager may determine that the VNF needs to be updated for the container service according to the received first instruction information, and then send a container service update message to the VNFM. The service update message includes the first group identifier.
在步骤S303至步骤S304中,若第一分组标识集合中不包括该第一分组标识,VNFM确定需要改变该VNF中应用的安全策略,于是,可向NFV SC发送安全策略请求消息,该安全策略请求消息中包括上述第一分组标识。在一种可能的设计中,该安全策略请求消息中可包括该VNF的标识、容器服务更新后该VNF调用的至少一个容器服务的标识、第一分组标识或者容器服务更新后该VNF调用的每个容器服务的分组标识。In step S303 to step S304, if the first group identifier is not included in the first group identifier set, the VNFM determines that the security policy applied in the VNF needs to be changed, so it can send a security policy request message to the NFV SC. The security policy The request message includes the foregoing first group identifier. In a possible design, the security policy request message may include the identity of the VNF, the identity of at least one container service called by the VNF after the container service is updated, the first group identity, or each VNF called after the container service is updated. The group identifier of a container service.
在步骤S305和步骤S306中,NFV SC接收到安全策略请求消息后,可根据第一分组标识,确定该VNF在进行容器服务更新后应用的第一安全策略,并将该第一安全策略发送至VNFM。在一种可能的设计中,NFV SC可向VNFM发送安全策略响应消息,该安全策略响应消息中可包括该VNF的标识、容器服务更新后该VNF调用的至少一个容器服务的标识、容器服务更新后该VNF调用的每个容器服务的分组标识,以及容器服务更新后,该VNF应用的第一安全策略。In step S305 and step S306, after the NFV SC receives the security policy request message, it can determine the first security policy applied by the VNF after the container service update according to the first group identifier, and send the first security policy to VNFM. In a possible design, the NFV SC may send a security policy response message to the VNFM, and the security policy response message may include the identifier of the VNF, the identifier of at least one container service called by the VNF after the container service is updated, and the container service update The group identifier of each container service called by the VNF, and the first security policy applied by the VNF after the container service is updated.
This can be understood as follows: if the first group identifier set differs from the second group identifier set, the second security policy previously issued by the NFV SC is considered no longer applicable after the container service update, so the VNFM needs to send the post-update deployment of the VNF to the NFV SC and request a new security policy. The first and second group identifier sets are defined above and are not repeated here.
For example, before the container service update the VNF invokes three container services A, B and C provided by the container manager. At some point the container manager determines that a container service update is required for the VNF, and after the update the VNF additionally invokes container service D. If the group identifier of D is the same as the group identifier of any of A, B and C, the security policy applied by the VNF need not change; if the group identifier of D differs from the group identifiers of all of A, B and C, the security policy applied by the VNF needs to change, and the VNFM must request a new security policy from the NFV SC. Equivalently, the group identifiers of A, B and C form the first group identifier set and the group identifiers of A, B, C and D form the second group identifier set; comparing the two sets decides whether the security policy applied by the VNF needs to change. The principle is the same.
In step S307, after receiving the first security policy, the VNFM may send second indication information to the container manager, and the container manager performs the container service update as directed by the second indication information. In one possible design, the second indication information may carry the first security policy reissued by the NFV SC; alternatively, the NFV SC may send the first security policy to the container manager at the same time as it sends it to the VNFM. This is not specifically limited.
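The VNFM-side decision described in steps S201 to S204 and S301 to S307 above, written out as an added example (this is not code from the patent; the data classes, the policy table, the service and group identifiers and the stand-in for the NFV SC exchange are all assumptions made for illustration). The VNFM compares the updated service's group identifier against the set of group identifiers it recorded for the services the VNF already invokes; only a group identifier outside that set triggers a security policy request. The record is updated afterwards so that the next comparison is made against the post-update set:

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class ContainerService:
    service_id: str
    group_id: str      # group identifier assigned by the NFV SC (steps S405/S406)


@dataclass
class VnfRecord:
    """What the VNFM keeps per VNF: the container services it currently
    invokes and the security policy the NFV SC issued for that deployment."""
    vnf_id: str
    vnf_type: str
    services: Dict[str, ContainerService]
    policy: str


def group_id_set(services: Dict[str, ContainerService]) -> Set[str]:
    """Set of group identifiers of the given services. Taken before an update
    this is the 'first group identifier set' of the text."""
    return {s.group_id for s in services.values()}


def policy_change_needed(vnf: VnfRecord, updated: ContainerService) -> bool:
    """Step S202: a new policy is needed only if the updated service's group
    identifier is not already covered by the pre-update set."""
    return updated.group_id not in group_id_set(vnf.services)


def handle_container_service_update(
    vnf: VnfRecord,
    updated: ContainerService,
    request_policy: Callable[[str, str], str],
) -> Tuple[str, str]:
    """VNFM handling of one container service update message.

    Returns (outcome, policy_now_applied). 'request_policy' stands in for the
    security policy request/response exchange with the NFV SC (S303 to S306).
    """
    if updated.group_id in group_id_set(vnf.services):
        outcome = "no_change"        # S203: first indication information, policy kept
    else:
        vnf.policy = request_policy(vnf.vnf_id, updated.group_id)  # S303 to S306
        outcome = "policy_changed"   # S307: second indication information carries it
    # Record the update so the next comparison uses the post-update set.
    vnf.services[updated.service_id] = updated
    return outcome, vnf.policy


# --- constructed sample data (assumptions, not from the page) ---------------
# Hypothetical NFV SC policy table keyed by group identifier.
POLICY_BY_GROUP = {
    "G1": "policy-forwarding-secure-boot",
    "G2": "policy-storage-hw-encryption",
    "G3": "policy-high-availability",
}


def fake_nfv_sc_request_policy(vnf_id: str, group_id: str) -> str:
    """Stand-in for the NFV SC: return the policy matching the new group."""
    return POLICY_BY_GROUP[group_id]


def make_sample_vnf() -> VnfRecord:
    """A VNF invoking services A, B and C before the update, as in the text."""
    services = {
        "A": ContainerService("A", "G1"),
        "B": ContainerService("B", "G1"),
        "C": ContainerService("C", "G2"),
    }
    return VnfRecord("vnf-1", "UPF", services, POLICY_BY_GROUP["G1"])


if __name__ == "__main__":
    vnf = make_sample_vnf()
    # D shares group G2 with C: no policy change.
    print(handle_container_service_update(vnf, ContainerService("D", "G2"), fake_nfv_sc_request_policy))
    # E introduces group G3: the VNFM fetches a new policy from the NFV SC.
    print(handle_container_service_update(vnf, ContainerService("E", "G3"), fake_nfv_sc_request_policy))
```

Note that the group identifiers the VNFM compares against are the ones it received from the NFV SC in the security policy response at instantiation (step S408), so the comparison is only as good as that recorded set; a VNFM that forgets to record the post-update services would compare every later update against a stale set.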
Before step S201 is performed, the VNFM may also instantiate the VNF by the method shown in FIG. 4. As shown in FIG. 4, in step S401 the VNFM instantiates the VNF. If instantiating the VNF requires invoking a container service, in step S402 the VNFM may send a service invocation request message to the container manager; the service invocation request message includes the identifier of the VNF and the identifier of at least one container service that the VNF requests to invoke.
In step S403, the VNFM may also send a security policy request message to the NFV SC; the security policy request message includes the identifier of the VNF and the identifier of at least one container service that the VNF requests to invoke. It should be understood that the VNFM may send the service invocation request message and the security policy request message at the same time or at different times; this application does not limit this.
Then, after receiving the service invocation request message, the container manager may negotiate security capabilities with the NFV SC to determine the group label of each container service that the VNF can invoke. Specifically, in step S404 the container manager sends to the NFV SC the security capability of each container service in the container service set corresponding to the VNF. The container service set corresponding to the VNF is the set of container services that the VNF can invoke; it includes at least one container service, for example the at least one container service that the VNF requests to invoke in the service invocation request message, and it may also include the first container service updated in the container service update message, or other container services. The security capability of each container service reflects the security features that the container service provides. In one possible design, the container manager sends the security capability of each container service in the set to the NFV SC by sending a security capability negotiation message, which includes the identifier of the VNF, the identifier of at least one container service that the VNF can invoke, and the security capability corresponding to each container service that the VNF can invoke.
Subsequently, in step S405, the NFV SC may group the at least one container service that the VNF can invoke according to the type of the VNF and the security capability of each container service in the container service set, determine the group identifier of each container service, and in step S406 send the determined group identifier of each container service to the container manager.
It can be seen that, through security capability negotiation, the NFV SC can label and group in one pass a large number of container services that the VNF can invoke, and determine the group identifier of each. In this way, when a container service needs to be updated, the VNFM can manage the security policy applied in the VNF effectively according to the group identifier of the updated container service, which also improves network deployment efficiency.
In one possible design, the NFV SC sends the determined group identifier of each container service to the container manager by sending a security capability response message, which includes the identifier of the VNF, the identifier of at least one container service that the VNF can invoke, and the group identifier of each container service that the VNF can invoke.
It should be noted that a group may contain one container service or more than one; this application does not limit this. The group identifier of a container service is the identifier of the group to which the container service belongs, which is distinct from the identifier of the container service itself. Generally, container services with the same security capability may be placed in one group and share a group identifier; equivalently, any two container services with the same group identifier have the same security attributes.
In step S407, the NFV SC may further determine the security policy matching the VNF according to the type of the VNF, the at least one container service that the VNF requests to invoke, and the security capability or group identifier of each such container service, and in step S408 send the determined security policy to the VNFM. To distinguish it from the first security policy reissued after the VNF's container service update, the security policy issued by the NFV SC in step S408 is referred to here as the second security policy. When sending the second security policy to the VNFM, the NFV SC may also send the VNFM the group identifier of each container service that the VNF can invoke. After receiving the second security policy from the NFV SC, the VNFM can deploy the VNF in the network and obtain an instantiated VNF instance. In one possible design, the NFV SC may send a security policy response message to the VNFM, which includes the identifier of the VNF, the identifier of at least one container service invoked by the VNF, the group identifier of each container service invoked by the VNF, and the second security policy applied by the VNF after instantiation.
In the embodiments of this application, the type of a VNF refers to the network function the VNF performs as a virtual network element; the VNF type reflects the security features the VNF requires or the security level of the VNF. For example, the VNF type may be user plane function (UPF) or session management function (SMF). UPF and SMF may have the same security level, since both are mainly concerned with data forwarding and require similar security features, such as secure boot. The VNF type may also be unified data management (UDM); UDM mainly stores subscriber subscription data, has a higher security level, and requires security features such as hardware encryption. The VNF type may also be access and mobility management function (AMF); AMF mainly handles user mobility management and requires security features such as high reliability. The security policy decided by the NFV SC may therefore differ with the VNF type. In general, the security policy applied in the VNF corresponds to the security features the VNF requires; for example, the security policy may specify whether the VNF requires hardware encryption, whether it requires secure boot, and so on.
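The NFV SC side of the negotiation in steps S404 to S408 (grouping container services by security capability, then deriving a policy from the VNF type), as an added example that is not code from the patent. The table mapping VNF types to required features only restates the page's UPF/SMF/UDM/AMF examples and is an assumption; the group identifier format, the capability names and the sample services are likewise constructed for illustration. The check that reports which requested services lack a feature the policy requires is an addition a practitioner would want and is not described on the page:

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed mapping from VNF type to the security features the text says each
# type requires (assumption; the page gives only these examples).
REQUIRED_FEATURES_BY_VNF_TYPE: Dict[str, Set[str]] = {
    "UPF": {"secure_boot"},
    "SMF": {"secure_boot"},
    "UDM": {"secure_boot", "hardware_encryption"},
    "AMF": {"high_reliability"},
}


def assign_group_ids(vnf_type: str, capabilities: Dict[str, Set[str]]) -> Dict[str, str]:
    """Step S405: group the container services the VNF can invoke.

    'capabilities' maps a container service identifier to the set of security
    capability names the container manager reported for it (S404). Services
    with identical capability sets land in the same group and share a group
    identifier; the '<vnf_type>-G<n>' format is a hypothetical choice.
    """
    group_of_caps: Dict[FrozenSet[str], str] = {}
    group_of_service: Dict[str, str] = {}
    for service_id in sorted(capabilities):          # deterministic numbering
        key = frozenset(capabilities[service_id])
        if key not in group_of_caps:
            group_of_caps[key] = f"{vnf_type}-G{len(group_of_caps) + 1}"
        group_of_service[service_id] = group_of_caps[key]
    return group_of_service


def decide_policy(vnf_type: str, capabilities: Dict[str, Set[str]]) -> Tuple[Dict[str, bool], List[str]]:
    """Step S407: derive the VNF's security policy from its type and report
    which requested services cannot provide a required feature.

    Returns (policy, non_compliant_services). The policy is a set of
    'require_<feature>' flags, matching the page's description of a policy
    that states whether hardware encryption, secure boot, etc. are required.
    """
    required = REQUIRED_FEATURES_BY_VNF_TYPE[vnf_type]
    policy = {f"require_{feature}": True for feature in sorted(required)}
    non_compliant = [
        service_id
        for service_id in sorted(capabilities)
        if not required <= capabilities[service_id]   # added check, not on the page
    ]
    return policy, non_compliant


def negotiate(vnf_type: str, capabilities: Dict[str, Set[str]]) -> dict:
    """One security capability negotiation: group identifiers for the container
    manager (S406) plus the policy and group identifiers for the VNFM (S408)."""
    groups = assign_group_ids(vnf_type, capabilities)
    policy, non_compliant = decide_policy(vnf_type, capabilities)
    return {"group_ids": groups, "policy": policy, "non_compliant": non_compliant}


# Constructed sample: three container services a UDM could invoke (assumption).
SAMPLE_UDM_CAPABILITIES: Dict[str, Set[str]] = {
    "A": {"secure_boot", "hardware_encryption"},
    "B": {"hardware_encryption", "secure_boot"},
    "C": {"secure_boot"},
}

if __name__ == "__main__":
    # A and B share one group; C, lacking hardware encryption, lands in another
    # and is flagged because the UDM policy requires hardware encryption.
    print(negotiate("UDM", SAMPLE_UDM_CAPABILITIES))
```

Because grouping keys on the full capability set rather than on service identity, two services with the same capabilities always receive the same group identifier, which is exactly the property the VNFM's set comparison relies on: adding a service whose capabilities already appear among the VNF's services never changes the group identifier set.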
An embodiment of this application further provides a security policy management apparatus. FIG. 5 is a schematic structural diagram of a security policy management apparatus provided by an embodiment of this application. The apparatus includes a transceiver module 510 and a processing module 520. The apparatus may act as a VNFM to implement the VNFM functions in any of the above method embodiments, as a container manager to implement the container manager functions in any of the above method embodiments, or as an NFV SC to implement the NFV SC functions in any of the above method embodiments.
When the security policy management apparatus acts as the VNFM and performs the method embodiment shown in FIG. 2, the transceiver module 510 is configured to receive the container service update message sent by the container manager; the processing module 520 is configured to determine, if the first group identifier set includes the first group identifier, that the security policy applied by the VNF need not be changed, and to send the first indication information to the container manager through the transceiver module 510.
When the security policy management apparatus acts as the container manager and performs the method embodiment shown in FIG. 2, the transceiver module 510 is configured to send the container service update message to the VNFM when it is determined that a container service update is required for the VNF, and to receive the first indication information sent by the VNFM; the processing module 520 is configured to determine whether a container service update is required for the VNF and to perform the container service update on the VNF.
When the security policy management apparatus acts as the NFV SC and performs the method embodiment shown in FIG. 4, the transceiver module 510 is configured to receive the identifier and security capability of each container service in the container service set corresponding to the VNF, as sent by the container manager, and to send the group identifier of each container service in the container service set to the container manager; the processing module 520 is configured to determine the group identifier of each container service according to the type of the VNF and the security capability of each container service in the container service set.
It should be understood that the processing module 520 in the apparatus provided in the embodiments of this application may be implemented by a processor or processor-related circuit components, and the transceiver module 510 may be implemented by a transceiver or transceiver-related circuit components.
It should be noted that the security policy management apparatus 500 provided in the embodiments of this application may correspond to the VNFM, the container manager or the NFV SC that performs the security policy management method S201 to S204 provided in the embodiments of this application; the operations and/or functions of the modules in the apparatus implement the corresponding procedures of the method shown in FIG. 2 and, for brevity, are not repeated here.
FIG. 6 is a schematic diagram of another structure of the security policy management apparatus provided in an embodiment of this application. The apparatus 600 includes a processor 610, a memory 620 and a communication interface 630. Optionally, the apparatus 600 further includes an input device 640, an output device 650 and a bus 660. The processor 610, memory 620, communication interface 630, input device 640 and output device 650 are connected to one another through the bus 660. The memory 620 stores instructions or a program, and the processor 610 is configured to execute the instructions or program stored in the memory 620. When the instructions or program stored in the memory 620 are executed, the processor 610 performs the operations performed by the processing module 520 in the above method embodiments, and the communication interface 630 performs the operations performed by the transceiver module 510 in the above embodiments.
It should be noted that the apparatus 600 provided in the embodiments of this application may correspond to the VNFM, container manager or NFV SC that performs the security policy management method S201 to S204 provided in the embodiments of this application; the operations and/or functions of the modules in the apparatus 600 implement the corresponding procedures of the methods shown in FIG. 2, FIG. 3 or FIG. 4 and, for brevity, are not repeated here.
An embodiment of this application further provides a chip system, including a processor coupled to a memory. The memory stores a program or instructions, and when the program or instructions are executed by the processor, the chip system implements the method in any of the above method embodiments.
Optionally, the chip system may have one or more processors. A processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit or the like. When implemented in software, the processor may be a general-purpose processor that executes software code stored in the memory.
Optionally, the chip system may have one or more memories. A memory may be integrated with the processor or provided separately from the processor; this application does not limit this. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated with the processor on the same chip or placed on a separate chip. This application does not specifically limit the type of memory or the way the memory and the processor are arranged.
For example, the chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
It should be understood that the steps in the above method embodiments may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The method steps disclosed in the embodiments of this application may be performed directly by a hardware processor or by a combination of hardware and software modules in the processor.
An embodiment of this application further provides a computer-readable storage medium storing computer-readable instructions; when a computer reads and executes the computer-readable instructions, the computer performs the method in any of the above method embodiments.
An embodiment of this application provides a computer program product; when a computer reads and executes the computer program product, the computer performs the method in any of the above method embodiments.
An embodiment of this application provides a security policy management system, which includes the VNFM, the container manager and the NFV SC described in the above method embodiments.
It should be understood that the processor mentioned in the embodiments of this application may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor.
It should also be understood that the memory mentioned in the embodiments of this application may be volatile memory or non-volatile memory, or may include both. Non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically EPROM (EEPROM) or flash memory. Volatile memory may be random access memory (RAM), used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) is integrated in the processor.
It should be noted that the memory described herein is intended to include, without limitation, these and any other suitable types of memory.
It should be understood that in the various embodiments of this application, the sequence numbers of the above processes do not imply an order of execution; the order of execution of the processes should be determined by their functions and internal logic and does not constitute any limitation on the implementation of the embodiments of this application.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, and such implementation should not be considered beyond the scope of this application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may be found in the corresponding processes in the above method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part contributing to the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of this application. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
The above are merely specific implementations of this application, but the scope of protection of this application is not limited to them. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the scope of protection of this application. Therefore, the scope of protection of this application shall be that of the claims.

Claims (18)

  1. A security policy management method, characterized in that the method includes:
    a virtual network function manager (VNFM) receiving a container service update message sent by a container manager, the container service update message including a first group identifier, the first group identifier being the group identifier of an updated first container service, the first group identifier being determined according to the type of a virtual network function (VNF) and the security capability of the first container service, and the container service update message being sent after the container manager determines that a container service update is required for the VNF;
    if a first group identifier set includes the first group identifier, the VNFM determining that the security policy applied by the VNF need not be changed and sending first indication information to the container manager, the first indication information being used to instruct the container manager to perform the container service update, and the first group identifier set being the set of group identifiers of at least one container service invoked by the VNF before the container service update.
  2. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method of claim 1, wherein the method further comprises:
    若所述第一分组标识集合中不包括所述第一分组标识,所述VNFM确定需要改变所述VNF应用的安全策略,并向网络功能虚拟化安全控制器NFV SC发送安全策略请求消息,所述安全策略请求消息包括所述第一分组标识;If the first group identifier set does not include the first group identifier, the VNFM determines that the security policy applied by the VNF needs to be changed, and sends a security policy request message to the network function virtualization security controller NFV SC, so The security policy request message includes the first group identifier;
    所述VNFM接收所述NFV SC根据所述第一分组标识发送的第一安全策略,所述第一安全策略为所述VNF在容器服务更新后应用的安全策略。The VNFM receives a first security policy sent by the NFV SC according to the first group identifier, where the first security policy is a security policy applied by the VNF after the container service is updated.
  3. 根据权利要求1或2所述的方法,其特征在于,所述VNFM接收容器管理器发送的容器服务更新消息之前,所述方法还包括:The method according to claim 1 or 2, wherein before the VNFM receives the container service update message sent by the container manager, the method further comprises:
    所述VNFM对所述VNF进行实例化;The VNFM instantiates the VNF;
    若实例化所述VNF需要调用容器服务,所述VNFM向所述容器管理器发送服务调用请求消息,所述服务调用请求消息中包括所述VNF的标识和所述VNF请求调用的至少一个容器服务的标识。If the container service needs to be invoked to instantiate the VNF, the VNFM sends a service invocation request message to the container manager. The service invocation request message includes the VNF identifier and at least one container service requested by the VNF to invoke Logo.
  4. A security policy management method, characterized in that the method comprises:
    if a container manager determines that a container service update needs to be performed on a virtual network function (VNF), the container manager sending a container service update message to a virtual network function manager (VNFM), the container service update message comprising a first group identifier, the first group identifier being the group identifier of an updated first container service, and the first group identifier being determined according to the type of the VNF and the security capability of the first container service;
    the container manager receiving first indication information sent by the VNFM and performing the container service update on the VNF, the first indication information being sent after the VNFM determines that a first group identifier set comprises the first group identifier, wherein the first group identifier set is the set formed by the group identifiers of at least one container service invoked by the VNF before the container service update.
  5. The method according to claim 4, characterized in that, before the container manager determines whether the container service invoked by the VNF needs to be updated, the method further comprises:
    the container manager sending, to a network functions virtualization security controller (NFV SC), the identifier and the security capability of each container service in a container service set corresponding to the VNF, the container service set being the set of container services that the VNF is able to invoke, and the container service set comprising the at least one container service invoked by the VNF before the container service update and the first container service;
    the container manager receiving the group identifier of each container service in the container service set sent by the NFV SC, the group identifier of each container service being determined by the NFV SC according to the type of the VNF and the security capability of the container service.
  6. The method according to claim 4 or 5, characterized in that, before the container manager sends to the NFV SC the identifier and the security capability of each container service in the container service set corresponding to the VNF, the method further comprises:
    the container manager receiving a service invocation request message sent by the VNFM, the service invocation request message comprising the identifier of the VNF and the identifier of at least one container service invoked by the VNF, the service invocation request message being sent after the VNFM determines that instantiating the VNF requires invoking a container service.
  7. A security policy management method, characterized in that the method comprises:
    a network functions virtualization security controller (NFV SC) receiving, from a container manager, the identifier and the security capability of each container service in a container service set corresponding to a virtual network function (VNF), the container service set being the set of container services that the VNF is able to invoke, and the container service set comprising the at least one container service invoked by the VNF before a container service update and the first container service;
    the NFV SC determining the group identifier of each container service according to the type of the VNF and the security capability of each container service in the container service set, and sending the group identifier of each container service in the container service set to the container manager.
  8. The method according to claim 7, characterized in that the method further comprises:
    the NFV SC receiving a security policy request message sent by a virtual network function manager (VNFM), the security policy request message comprising a first group identifier, the first group identifier being the group identifier of the updated first container service, the security policy request message being sent after the VNFM determines that a first group identifier set does not comprise the first group identifier, wherein the first group identifier set is the set formed by the group identifiers of at least one container service invoked by the VNF before the container service update;
    the NFV SC determining, according to the first group identifier, a first security policy applied by the VNF after the container service update, and sending the first security policy to the VNFM.
  9. A security policy management apparatus, characterized in that the apparatus comprises:
    a transceiver module, configured to receive a container service update message sent by a container manager, the container service update message comprising a first group identifier, the first group identifier being the group identifier of an updated first container service, the first group identifier being determined according to the type of a virtual network function (VNF) and the security capability of the first container service, and the container service update message being sent after the container manager determines that a container service update needs to be performed on the VNF;
    a processing module, configured to: if a first group identifier set comprises the first group identifier, determine that the security policy applied by the VNF does not need to be changed, and send first indication information to the container manager through the transceiver module, the first indication information being used to instruct the container manager to perform the container service update, wherein the first group identifier set is the set formed by the group identifiers of at least one container service invoked by the VNF before the container service update.
  10. The apparatus according to claim 9, characterized in that the processing module is further configured to:
    if the first group identifier set does not comprise the first group identifier, determine that the security policy applied by the VNF needs to be changed, and send a security policy request message to a network functions virtualization security controller (NFV SC) through the transceiver module, the security policy request message comprising the first group identifier;
    and the transceiver module is further configured to receive a first security policy sent by the NFV SC according to the first group identifier, the first security policy being the security policy applied by the VNF after the container service update.
  11. The apparatus according to claim 9 or 10, characterized in that, before the transceiver module receives the container service update message sent by the container manager, the processing module is further configured to:
    instantiate the VNF;
    if instantiating the VNF requires invoking a container service, send a service invocation request message to the container manager through the transceiver module, the service invocation request message comprising the identifier of the VNF and the identifier of at least one container service that the VNF requests to invoke.
  12. A security policy management apparatus, characterized in that the apparatus comprises:
    a processing module, configured to: if it is determined that a container service update needs to be performed on a virtual network function (VNF), send a container service update message to a virtual network function manager (VNFM) through a transceiver module, the container service update message comprising a first group identifier, the first group identifier being the group identifier of an updated first container service, and the first group identifier being determined according to the type of the VNF and the security capability of the first container service;
    the transceiver module being further configured to receive first indication information sent by the VNFM;
    the processing module being further configured to perform the container service update on the VNF after the transceiver module receives the first indication information, the first indication information being sent after the VNFM determines that a first group identifier set comprises the first group identifier, wherein the first group identifier set is the set formed by the group identifiers of at least one container service invoked by the VNF before the container service update.
  13. The apparatus according to claim 12, characterized in that, before the processing module determines whether a container service update needs to be performed on the VNF, the transceiver module is further configured to:
    send, to a network functions virtualization security controller (NFV SC), the identifier and the security capability of each container service in a container service set corresponding to the VNF, the container service set being the set of container services that the VNF is able to invoke, and the container service set comprising the at least one container service invoked by the VNF before the container service update and the first container service;
    receive the group identifier of each container service in the container service set sent by the NFV SC, the group identifier of each container service being determined by the NFV SC according to the type of the VNF and the security capability of the container service.
  14. The apparatus according to claim 12 or 13, characterized in that, before the transceiver module sends to the NFV SC the identifier and the security capability of each container service in the container service set corresponding to the VNF, the transceiver module is further configured to:
    receive a service invocation request message sent by the VNFM, the service invocation request message comprising the identifier of the VNF and the identifier of at least one container service invoked by the VNF, the service invocation request message being sent after the VNFM determines that instantiating the VNF requires invoking a container service.
  15. A security policy management apparatus, characterized in that the apparatus comprises:
    a transceiver module, configured to receive, from a container manager, the identifier and the security capability of each container service in a container service set corresponding to a virtual network function (VNF), the container service set being the set of container services that the VNF is able to invoke, and the container service set comprising the at least one container service invoked by the VNF before a container service update and the first container service;
    a processing module, configured to determine the group identifier of each container service according to the type of the VNF and the security capability of each container service in the container service set, and to send the group identifier of each container service in the container service set to the container manager.
  16. The apparatus according to claim 15, characterized in that the transceiver module is further configured to:
    receive a security policy request message sent by a virtual network function manager (VNFM), the security policy request message comprising a first group identifier, the first group identifier being the group identifier of the updated first container service, the security policy request message being sent after the VNFM determines that a first group identifier set does not comprise the first group identifier, wherein the first group identifier set is the set formed by the group identifiers of at least one container service invoked by the VNF before the container service update;
    and the processing module is further configured to:
    determine, according to the first group identifier, a first security policy applied by the VNF after the container service update, and send the first security policy to the VNFM through the transceiver module.
  17. A security policy management apparatus, characterized in that the apparatus comprises at least one processor, the at least one processor being coupled to at least one memory:
    the at least one processor being configured to execute a computer program or instructions stored in the at least one memory, so as to cause the apparatus to perform the method according to any one of claims 1 to 8.
  18. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program or instructions which, when read and executed by a computer, cause the computer to perform the method according to any one of claims 1 to 8.
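The message flow of claims 1 to 8, simulated in a single process as an added example that is not code from the patent or from the applicant: the NFV SC assigns group identifiers and holds a policy table, the container manager registers each VNF's container service set and builds the container service update message, and the VNFM performs the set-membership test that decides whether a security policy request is needed. The group-identifier formula (`vnf_type/security_capability`), the policy table, the message field names, the service and policy labels, and the container manager handing the invoked services' group identifiers back to the VNFM at instantiation are all assumptions; the claims specify only that the identifier is determined from the VNF type and the service's security capability, and do not say how the VNFM learns the first group identifier set.

```python
"""Added example (not the patent's code): one-process simulation of claims 1-8.
Message names, the group-identifier formula and the policy table are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ContainerService:
    service_id: str
    security_capability: str  # constructed label such as "strong-isolation"


class NfvSecurityController:
    """NFV SC of claims 7 and 8."""

    def __init__(self, policy_table):
        # {group identifier: security policy}; constructed for this example.
        self._policy_table = dict(policy_table)

    @staticmethod
    def group_identifier(vnf_type, security_capability):
        # Assumed formula: claim 7 only says the identifier is determined from
        # the VNF type and the service's security capability.
        return f"{vnf_type}/{security_capability}"

    def assign_group_identifiers(self, vnf_type, service_set):
        """Claim 7: one group identifier per service in the VNF's service set."""
        return {s.service_id: self.group_identifier(vnf_type, s.security_capability)
                for s in service_set}

    def security_policy_for(self, group_identifier):
        """Claim 8: the post-update policy is selected by group identifier alone."""
        if group_identifier not in self._policy_table:
            raise LookupError(f"no security policy for group {group_identifier}")
        return self._policy_table[group_identifier]


class ContainerManager:
    """Container manager of claims 4 to 6."""

    def __init__(self, nfv_sc):
        self._nfv_sc = nfv_sc
        self._groups = {}  # vnf_id -> {service_id: group identifier}

    def on_service_invocation_request(self, vnf_id, vnf_type, service_set, invoked_ids):
        """Claim 6 (request received), then claim 5 (set registered with the NFV SC).
        Returning the invoked services' group identifiers to the VNFM is assumed."""
        self._groups[vnf_id] = self._nfv_sc.assign_group_identifiers(vnf_type, service_set)
        return {self._groups[vnf_id][sid] for sid in invoked_ids}

    def container_service_update_message(self, vnf_id, new_service_id):
        """Claim 4: the update message carries the new service's group identifier."""
        return {"vnf_id": vnf_id, "service_id": new_service_id,
                "group_identifier": self._groups[vnf_id][new_service_id]}


class Vnfm:
    """VNFM of claims 1 to 3."""

    def __init__(self, nfv_sc):
        self._nfv_sc = nfv_sc
        self._group_sets = {}  # vnf_id -> first group identifier set
        self._policies = {}    # vnf_id -> currently applied security policy

    def instantiate(self, vnf_id, vnf_type, service_set, invoked_ids, policy, cm):
        """Claim 3: instantiation needing container services sends the invocation request."""
        self._group_sets[vnf_id] = cm.on_service_invocation_request(
            vnf_id, vnf_type, service_set, invoked_ids)
        self._policies[vnf_id] = policy

    def on_container_service_update(self, msg):
        """Claims 1 and 2: membership of the group identifier in the first group
        identifier set decides whether the NFV SC must be asked for a new policy."""
        vnf_id, gid = msg["vnf_id"], msg["group_identifier"]
        if gid in self._group_sets[vnf_id]:
            # Claim 1: same group, policy unchanged, container manager told to proceed.
            return {"policy_changed": False, "policy": self._policies[vnf_id],
                    "indication_to_cm": "perform-container-service-update"}
        # Claim 2: unknown group, so fetch the policy for it from the NFV SC.
        new_policy = self._nfv_sc.security_policy_for(gid)
        self._policies[vnf_id] = new_policy
        # Assumed: the new service now counts as invoked before the next update.
        self._group_sets[vnf_id].add(gid)
        # Claim 2 ends at receiving the policy; the claims do not say what the
        # VNFM then sends to the container manager, hence None here.
        return {"policy_changed": True, "policy": new_policy, "indication_to_cm": None}


def run_scenario():
    """Constructed scenario: a firewall-type VNF invokes two strong-isolation services;
    update 1 adds another strong-isolation service, update 2 a weak-isolation one."""
    nfv_sc = NfvSecurityController({"fw/strong-isolation": "policy-fw-strict",
                                    "fw/weak-isolation": "policy-fw-strict-with-audit"})
    cm, vnfm = ContainerManager(nfv_sc), Vnfm(nfv_sc)
    service_set = [ContainerService("svc-a", "strong-isolation"),
                   ContainerService("svc-b", "strong-isolation"),
                   ContainerService("svc-c", "strong-isolation"),
                   ContainerService("svc-d", "weak-isolation")]
    vnfm.instantiate("vnf-1", "fw", service_set, ["svc-a", "svc-b"], "policy-fw-strict", cm)
    first = vnfm.on_container_service_update(cm.container_service_update_message("vnf-1", "svc-c"))
    second = vnfm.on_container_service_update(cm.container_service_update_message("vnf-1", "svc-d"))
    return first, second
```

The check in `on_container_service_update` is the whole mechanism of claims 1 and 2: the VNFM never inspects the new container service's capabilities itself, it only compares the group identifier assigned by the NFV SC against the identifiers already in use for that VNF. An update that stays inside an existing group therefore proceeds without a round trip to the NFV SC, while a service whose capability places it in a new group forces a policy re-fetch. The practical caveat is that the decision is only as trustworthy as the group identifier carried in the container service update message, which in the claims is supplied by the container manager; a container manager that reports a stale or wrong identifier would let a capability change through under the old policy.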
PCT/CN2020/083361 2019-04-30 2020-04-03 Security policy management method and device WO2020220937A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910363266.5A CN111857941B (en) 2019-04-30 2019-04-30 Security policy management method and device
CN201910363266.5 2019-04-30

Publications (1)

Publication Number Publication Date
WO2020220937A1 true WO2020220937A1 (en) 2020-11-05

Family

ID=72966736

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/083361 WO2020220937A1 (en) 2019-04-30 2020-04-03 Security policy management method and device

Country Status (2)

Country Link
CN (1) CN111857941B (en)
WO (1) WO2020220937A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112860720A (en) * 2021-03-09 2021-05-28 中国电子***技术有限公司 Storage capacity updating method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1777122A (en) * 2005-12-15 2006-05-24 杭州华为三康技术有限公司 Method for sending safety strategy
CN106464540A (en) * 2014-06-26 2017-02-22 华为技术有限公司 System and method for virtual network function policy management
US20180131723A1 (en) * 2016-11-10 2018-05-10 International Business Machines Corporation Security Policy Inclusion with Container Deployment
CN108370368A (en) * 2016-09-20 2018-08-03 华为技术有限公司 Security strategy dispositions method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7350077B2 (en) * 2002-11-26 2008-03-25 Cisco Technology, Inc. 802.11 using a compressed reassociation exchange to facilitate fast handoff
CN103248521B (en) * 2013-04-28 2016-09-28 华为技术有限公司 Method, device and the communication system of a kind of business game rule configuration

Also Published As

Publication number Publication date
CN111857941A (en) 2020-10-30
CN111857941B (en) 2021-09-03

Similar Documents

Publication Publication Date Title
US11032214B2 (en) Method, apparatus, and system for managing network slice instance
EP3800926B1 (en) Alarm method and device
US20190123963A1 (en) Method and apparatus for managing resources of network slice
JP6834033B2 (en) Network slice management methods, units, and systems
US11063831B2 (en) Network slice management method and apparatus
US11502919B2 (en) Network service management method, related apparatus, and system
WO2018058579A1 (en) Method for managing network slice and management unit
EP3373518B1 (en) Service configuration method and device for network service
WO2019236454A1 (en) Native blockchain platform for improving workload mobility in telecommunication networks
US10848366B2 (en) Network function management method, management unit, and system
CN109428764B (en) Virtual network function instantiation method
US11088924B2 (en) Network management method, device, and system
WO2019174000A1 (en) Method and apparatus for service management
CN111949364A (en) Deployment method of containerized VNF and related equipment
WO2017185251A1 (en) Vnfm determining method and network function virtualization orchestrator
CN109417501A (en) The method of combination and equipment of Internet resources
WO2018153355A1 (en) Control information transmission method, server, and system
WO2020220937A1 (en) Security policy management method and device
WO2021147358A1 (en) Network interface establishing method, apparatus, and system
WO2018127068A1 (en) Network management method and apparatus
WO2024027398A1 (en) Communication method and apparatus
WO2023197815A1 (en) Message receiving and sending method and device
EP4149062A1 (en) Deployment method and apparatus for virtualized network service
WO2024046298A1 (en) Method and apparatus for creating virtual network
CN117528459A (en) QoS service providing method and system and 5G-RG

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20798221; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 20798221; Country of ref document: EP; Kind code of ref document: A1