CN115529144B - Communication system, method, apparatus, first device, second device, and storage medium - Google Patents
- Publication number: CN115529144B (application number CN202110703440.3A)
- Authority: CN (China)
- Prior art keywords: information, edge computing, computing platform, application, configuration
- Legal status: Active
Classifications
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
Technical Field
The present application relates to the field of communications, and in particular to a communication system, method, apparatus, first device, second device and storage medium.
Background Art
As a new generation of communication technology, fifth-generation mobile communication technology (5G) offers large bandwidth, low latency, high reliability, high connection density and ubiquitous networking, and thereby drives the rapid development and renewal of vertical industries, for example the rise of smart healthcare, smart education and smart agriculture.
Mobile edge computing (MEC), one of the key technologies of 5G evolution, is a general-purpose information technology (IT) platform that offers wireless network information application programming interface (API) interaction capabilities together with computing, storage and analysis functions. Relying on MEC, traditional external applications can be pulled inside the mobile network, closer to the user, to provide localized services, thereby improving user experience and extracting more value from the edge network.
Combining 5G with MEC makes it possible to introduce different technology combinations for the demand scenarios of different industries, such as quality of service (QoS), end-to-end network slicing, network capability exposure and edge cloud, so as to provide customized solutions.
In the related art, schemes that combine 5G with MEC present security risks.
Summary of the Invention
To solve the problems in the related art, the embodiments of the present application provide a communication method, apparatus, related devices and storage medium.
The technical solution of the embodiments of the present application is implemented as follows.
An embodiment of the present application provides a communication system comprising a first device, a second device and a third device, wherein:
the first device is configured to receive first information from the second device and to provide a security management function for applications on an edge computing platform based on the first information and a security policy; the first information is used to configure the applications on the edge computing platform;
the second device is configured to send the first information to the first device based on second information from the third device; the second information is used to orchestrate the applications on the edge computing platform.
In the above solution, the security policy comprises at least one of the following:
a first security level, which represents rejecting configuration of all applications on the edge computing platform;
a second security level, which represents allowing configuration of some of the applications on the edge computing platform;
a third security level, which represents allowing configuration of all applications on the edge computing platform.
In the above solution, the first device is further configured to send third information to the second device; the third information indicates whether the first information was configured successfully;
the second device is further configured to send fourth information to the third device based on the third information; the fourth information indicates whether the second information was configured successfully.
In the above solution, the first information comprises at least one of the following items of configuration information:
a first configuration policy, concerning the operation permissions of different applications;
a second configuration policy, concerning the routing rules of different applications;
a third configuration policy, concerning the Domain Name System (DNS) of different applications;
a fourth configuration policy, concerning the life cycle of different applications.
In the above solution, the second information comprises at least one of the following:
management information of an application;
life cycle management information of an application;
life cycle change information of an application.
In the above solution, the third device is further configured to receive first access authentication information from the first device and to send first authentication response information to the first device; the first authentication response information comprises at least the identity identifier of the first device.
In the above solution, the third device is further configured to receive second access authentication information from the second device and to send second authentication response information to the second device; the second authentication response information comprises at least the identity identifier of the second device;
the third device is further configured to send the identity identifier of the first device to the second device.
In the above solution, the number of first devices is one or more.
An embodiment of the present application provides a communication method applied to a first device, the method comprising:
receiving first information from a second device; the first information is used to configure applications on an edge computing platform;
providing a security management function for the applications on the edge computing platform based on the first information and a security policy.
In the above solution, the security policy comprises at least one of the following:
a first security level, which represents rejecting configuration of all applications on the edge computing platform;
a second security level, which represents allowing configuration of some of the applications on the edge computing platform;
a third security level, which represents allowing configuration of all applications on the edge computing platform.
In the above solution, the method further comprises:
sending third information to the second device; the third information indicates whether the first information was configured successfully.
In the above solution, the first information comprises at least one of the following items of configuration information:
a first configuration policy, concerning the operation permissions of different applications;
a second configuration policy, concerning the routing rules of different applications;
a third configuration policy, concerning the Domain Name System (DNS) of different applications;
a fourth configuration policy, concerning the life cycle of different applications.
In the above solution, the method further comprises:
sending first access authentication information to a third device;
receiving first authentication response information from the third device; the first authentication response information comprises at least the identity identifier of the first device.
An embodiment of the present application provides a communication method applied to a second device, the method comprising:
receiving second information from a third device; the second information is used to orchestrate applications on an edge computing platform;
sending first information to a first device based on the second information; the first information instructs the first device to configure the applications on the edge computing platform based on the first information and a security policy.
In the above solution, the first information comprises at least one of the following items of configuration information:
a first configuration policy, concerning the operation permissions of different applications;
a second configuration policy, concerning the routing rules of different applications;
a third configuration policy, concerning the Domain Name System (DNS) of different applications;
a fourth configuration policy, concerning the life cycle of different applications.
In the above solution, the second information comprises at least one of the following:
management information of an application;
life cycle management information of an application;
life cycle change information of an application.
In the above solution, the security policy comprises at least one of the following:
a first security level, which represents rejecting configuration of all applications on the edge computing platform;
a second security level, which represents allowing configuration of some of the applications on the edge computing platform;
a third security level, which represents allowing configuration of all applications on the edge computing platform.
In the above solution, the method further comprises:
receiving third information from the first device; the third information indicates whether the first information was configured successfully;
sending fourth information to the third device based on the third information; the fourth information indicates whether the second information was configured successfully.
In the above solution, the method further comprises:
sending second access authentication information to the third device; receiving second authentication response information from the third device; the second authentication response information comprises at least the identity identifier of the second device;
the method further comprises: receiving the identity identifier of the first device.
An embodiment of the present application provides a communication apparatus arranged on a first device, comprising:
a first communication unit, configured to receive first information from a second device; the first information is used to configure applications on an edge computing platform;
a first processing unit, configured to provide a security management function for the applications on the edge computing platform based on the first information and a security policy.
In the above solution, the security policy comprises at least one of the following:
a first security level, which represents rejecting configuration of all applications on the edge computing platform;
a second security level, which represents allowing configuration of some of the applications on the edge computing platform;
a third security level, which represents allowing configuration of all applications on the edge computing platform.
In the above solution, the first communication unit is further configured to send third information to the second device; the third information indicates whether the first information was configured successfully.
In the above solution, the first information comprises at least one of the following items of configuration information:
a first configuration policy, concerning the operation permissions of different applications;
a second configuration policy, concerning the routing rules of different applications;
a third configuration policy, concerning the Domain Name System (DNS) of different applications;
a fourth configuration policy, concerning the life cycle of different applications.
In the above solution, the first communication unit is further configured to send first access authentication information to a third device;
and to receive first authentication response information from the third device; the first authentication response information comprises at least the identity identifier of the first device.
An embodiment of the present application provides a first device comprising a first processor and a first communication interface, wherein:
the first communication interface is configured to receive first information from a second device; the first information is used to configure applications on an edge computing platform;
the first processor is configured to provide a security management function for the applications on the edge computing platform based on the first information and a security policy.
An embodiment of the present application provides a communication apparatus arranged on a second device, comprising:
a second communication unit, configured to receive second information from a third device; the second information is used to orchestrate applications on an edge computing platform;
a second processing unit, configured to send first information to a first device based on the second information; the first information instructs the first device to configure the applications on the edge computing platform based on the first information and a security policy.
In the above solution, the first information comprises at least one of the following items of configuration information:
a first configuration policy, concerning the operation permissions of different applications;
a second configuration policy, concerning the routing rules of different applications;
a third configuration policy, concerning the Domain Name System (DNS) of different applications;
a fourth configuration policy, concerning the life cycle of different applications.
In the above solution, the second information comprises at least one of the following:
management information of an application;
life cycle management information of an application;
life cycle change information of an application.
In the above solution, the security policy comprises at least one of the following:
a first security level, which represents rejecting configuration of all applications on the edge computing platform;
a second security level, which represents allowing configuration of some of the applications on the edge computing platform;
a third security level, which represents allowing configuration of all applications on the edge computing platform.
In the above solution, the second communication unit is further configured to receive third information from the first device; the third information indicates whether the first information was configured successfully;
and to send fourth information to the third device based on the third information; the fourth information indicates whether the second information was configured successfully.
In the above solution, the second communication unit is further configured to send second access authentication information to the third device and to receive second authentication response information from the third device; the second authentication response information comprises at least the identity identifier of the second device;
and to receive the identity identifier of the first device.
An embodiment of the present application provides a second device comprising a second processor and a second communication interface, wherein:
the second communication interface is configured to receive second information from a third device; the second information is used to orchestrate applications on an edge computing platform;
the second processor is configured to send first information to a first device based on the second information; the first information instructs the first device to configure the applications on the edge computing platform based on the first information and a security policy.
An embodiment of the present application provides a network device comprising a processor and a memory storing a computer program executable on the processor,
wherein the processor, when running the computer program, executes the steps of any one of the methods on the first device side described above; or
the processor, when running the computer program, executes the steps of any one of the methods on the second device side described above.
An embodiment of the present application provides a storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of any one of the methods on the first device side described above; or
the computer program, when executed by a processor, implements the steps of any one of the methods on the second device side described above.
In the communication system, method, apparatus, first device, second device and storage medium provided by the embodiments of the present application, the system comprises a first device, a second device and a third device. The first device is configured to receive first information from the second device and to provide a security management function for applications on an edge computing platform based on the first information and a security policy; the first information is used to configure the applications on the edge computing platform. The second device is configured to send the first information to the first device based on second information from the third device; the second information is used to orchestrate the applications on the edge computing platform. In the scheme of the embodiments, the first device provides the security management function for the applications on the edge computing platform based on the security policy, so that the first device can decide, according to the security policy, whether to carry out the orchestration requested by the first information; in this way, the ability of the first device to control the security of configuring applications on the edge computing platform is improved.
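As an added illustration, not code from the patent, the following Python models the security management function of the first device described in this summary: the first information arrives as per-application configuration requests of the four kinds listed, the level of the security policy decides which of them may be applied, the outcome is reported back as third information, and the second device rolls it up into the fourth information for the third device. The class names, the allow-list that realises "some applications" at the second level, and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List


class SecurityLevel(Enum):
    """The three security levels the summary names for the first device."""
    DENY_ALL = 1       # first level: reject configuration of every application
    ALLOW_PARTIAL = 2  # second level: allow configuration of some applications
    ALLOW_ALL = 3      # third level: allow configuration of every application


# The four kinds of configuration policy the first information may carry.
CONFIG_KINDS = frozenset({"permissions", "routing", "dns", "lifecycle"})


@dataclass(frozen=True)
class ConfigRequest:
    """One item of first information: configure one application in one respect."""
    app_id: str
    kind: str
    payload: str


@dataclass
class SecurityPolicy:
    level: SecurityLevel
    # Assumption: "some applications" at the second level is realised as an
    # allow-list held by the first device; the patent does not say how it is chosen.
    allowed_apps: FrozenSet[str] = frozenset()

    def permits(self, app_id: str) -> bool:
        if self.level is SecurityLevel.DENY_ALL:
            return False
        if self.level is SecurityLevel.ALLOW_ALL:
            return True
        return app_id in self.allowed_apps


@dataclass
class FirstDevice:
    """Platform-side manager that applies first information under its security policy."""
    policy: SecurityPolicy
    applied: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def handle_first_information(self, requests: List[ConfigRequest]) -> Dict[str, bool]:
        """Apply each permitted request and return the third information: one
        success flag per request, keyed "app_id/kind". Requests of an unknown
        kind or for an application outside the policy are refused, not applied."""
        third_information: Dict[str, bool] = {}
        for req in requests:
            ok = req.kind in CONFIG_KINDS and self.policy.permits(req.app_id)
            if ok:
                self.applied.setdefault(req.app_id, {})[req.kind] = req.payload
            third_information[f"{req.app_id}/{req.kind}"] = ok
        return third_information


def second_device_round_trip(first: FirstDevice, requests: List[ConfigRequest]) -> bool:
    """The second device forwards the first information and turns the third
    information it gets back into the fourth information for the third device:
    True only if every requested configuration was applied."""
    third = first.handle_first_information(requests)
    return all(third.values())


def demo() -> dict:
    """Constructed sample orchestration run against each of the three levels."""
    requests = [
        ConfigRequest("app-A", "routing", "forward 10.0.0.0/24 via local-breakout"),
        ConfigRequest("app-B", "dns", "resolve api.example.internal -> 10.0.0.5"),
        ConfigRequest("app-A", "firmware", "flash"),  # not one of the four kinds
    ]
    partial = FirstDevice(SecurityPolicy(SecurityLevel.ALLOW_PARTIAL, frozenset({"app-A"})))
    deny = FirstDevice(SecurityPolicy(SecurityLevel.DENY_ALL))
    allow = FirstDevice(SecurityPolicy(SecurityLevel.ALLOW_ALL))
    return {
        "partial_third": partial.handle_first_information(requests),
        "partial_applied": partial.applied,
        "deny_fourth": second_device_round_trip(deny, requests),
        "deny_applied": deny.applied,
        "allow_third": allow.handle_first_information(requests),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```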
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the system structure of MEC in the related art;
FIG. 2 is a schematic diagram of the structure of the host level and system level of MEC in the related art;
FIG. 3 is a schematic diagram of the system structure of 5G industry cloud-network convergence according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the structure of a communication system according to an embodiment of the present application;
FIG. 5 is a schematic flow chart of a communication method according to an embodiment of the present application;
FIG. 6 is a schematic flow chart of another communication method according to an embodiment of the present application;
FIG. 7 is a schematic diagram of the structure of a communication system according to an application embodiment of the present application;
FIG. 8 is a schematic flow chart of a communication method according to an application embodiment of the present application;
FIG. 9 is a schematic flow chart of registration and authentication according to an application embodiment of the present application;
FIG. 10 is a schematic diagram of the relationship between a MEPM and an L-MEPM according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a permission authorization method according to an embodiment of the present application;
FIG. 12 is a schematic diagram of the structure of a communication apparatus according to an embodiment of the present application;
FIG. 13 is a schematic diagram of the structure of another communication apparatus according to an embodiment of the present application;
FIG. 14 is a schematic diagram of the structure of a first device according to an embodiment of the present application;
FIG. 15 is a schematic diagram of the structure of a second device according to an embodiment of the present application.
Detailed Description
The present application is described in further detail below with reference to the accompanying drawings and embodiments.
In the related art, MEC is the multi-access edge computing platform standard led by the European Telecommunications Standards Institute (ETSI). It has evolved from the original mobile edge computing platform into a multi-access edge computing platform based on virtualised network functions (VNF, Virtual Network Feature), which provides more efficient service operation by virtualising MEC applications, platforms and resources and offering them as services, so as to meet the differing processing-capability needs of different services. The ETSI standards body defines the MEC system framework shown in FIG. 1.
The MEC system mainly comprises the MEC system level, the MEC host level and the networks layer.
The MEC system level is responsible for allocating, reclaiming and coordinating the resources of the whole MEC system so as to meet the computing and transmission resource needs of different services. MEC system-level management supports both system-level and host-level management functions. The system-level management functions comprise the user application life cycle management proxy, the operations support system and the MEC orchestrator; the host-level management functions may comprise the MEC platform manager and the virtualisation infrastructure manager. The MEC services provided to terminals and third-party customers (such as commercial enterprises) are managed through the MEC management layer.
The MEC host level provides the computing, storage and transmission functions needed by MEC applications, the MEC platform and so on.
The network layer provides different network options for upper-layer applications (such as 3GPP wireless networks, non-3GPP wireless networks and wired networks) and dynamically adjusts routing policies according to upper-layer signaling, so as to meet the transmission requirements of different services on the network.
As shown in FIG. 2, a MEC host comprises a MEC platform (MEP) and a virtualisation infrastructure (computing, storage and network). The virtualisation infrastructure contains a data plane that executes the routing rules received from the MEC platform and forwards traffic between applications (also called MEC applications or MEP applications), services (also called MEC services or MEP services), the DNS service/proxy, 3GPP networks, other access networks, local networks and external networks. The MEP enables the applications to provide and invoke the services, and the MEP itself may also provide services. Specifically, the applications run on virtual machines or containers and may offer a rich variety of services externally (for example location, wireless network information and traffic management); an application may also consume services provided by other applications, for example the location and traffic management services provided by application A may be used by applications B and C. A service may be provided by the MEP or by an application; when a service is provided by an application, the service may be registered in the MEP's service list.
MEC平台(MEP,MEC platform),支持的功能包括:MEC platform (MEP) supports the following functions:
1)、提供MEC应用能够发现、通知、使用和提供MEC服务的环境,包括其他平台提供的MEC服务(可选)。1) Provide an environment in which MEC applications can discover, notify, use and provide MEC services, including MEC services provided by other platforms (optional).
2)、从MEC平台管理、应用或服务接收路由规则,控制数据面流量。2) Receive routing rules from MEC platform management, applications or services to control data plane traffic.
3)、从MEC平台管理接收DNS记录,配置DNS代理/服务器;3) Manage and receive DNS records from the MEC platform and configure DNS proxy/server;
4)、托管MEC服务4) Managed MEC services
5)、提供到永久性存储和当日时间信息的接入;5) Provide access to permanent storage and time of day information;
MEC编排器(MEO,MEC orchestrator)又称MEC应用编排器(MEAO,MEC applicationorchestrator),是MEC系统层管理的核心,支持的功能包括:MEC orchestrator (MEO), also known as MEC application orchestrator (MEAO), is the core of MEC system layer management and supports the following functions:
1)维护MEC系统的整体视图(即整体部署);比如MEC的主机部署、MEC的可用资源分配、可用的MEC服务的调用、系统拓扑等;1) Maintain the overall view of the MEC system (i.e., overall deployment); such as MEC host deployment, MEC available resource allocation, available MEC service calls, system topology, etc.;
2)管理MEC应用包的上线,包括:检查应用包的完整性和真实性;确认应用规则和需求,并判断是否需要调整应用规则和需求,若需要调整,则调整应用规则和需求以与运营商的策略相符;保存应用包的上线记录,以及为处理该应用准备虚拟基础设施管理器;2) Manage the launch of MEC application packages, including: checking the integrity and authenticity of the application packages; confirming the application rules and requirements, and determining whether the application rules and requirements need to be adjusted. If so, adjust the application rules and requirements to comply with the operator's policies; save the launch records of the application packages, and prepare the virtual infrastructure manager for processing the application;
3)基于约束(比如时延、可用资源、可用服务等)为应用的初始化选择合适的MEC主机;3) Selecting a suitable MEC host for application initialization based on constraints (e.g. latency, available resources, available services, etc.);
4)触发应用的启动和结束;4) Trigger the start and end of the application;
5)触发应用的按需迁移。5) Trigger on-demand migration of applications.
MEC平台管理(MEPM,MEC platform manager),支持的功能包括:MEC platform manager (MEPM) supports the following functions:
1)、管理应用的生命周期,如:通知MEAO相关应用的事件;1) Manage the application life cycle, such as notifying MEAO of events related to the application;
2)、提供MEP的元素管理功能,包括虚拟网络功能(VNF,Virtualised NetworkFunction)元素管理和网络服务(NS,Network Service)元素管理,其中NS信息元素包括物理网络功能(PNF,Physical Network Function)信息元素、虚拟链路信息元素、VNF转发图(VNF Forwarding Graph)信息元素;2) Provide MEP element management functions, including virtualized network function (VNF) element management and network service (NS) element management, where NS information elements include physical network function (PNF) information elements, virtual link information elements, and VNF forwarding graph (VNF Forwarding Graph) information elements;
3)、管理MEC应用的规则和需求,比如:服务授权、路由规则、域名系统(DNS)配置和冲突处理;3) Manage the rules and requirements of MEC applications, such as service authorization, routing rules, domain name system (DNS) configuration, and conflict handling;
4)、从虚拟基础设施管理(VIM,Virtualisation Infrastructure Manager)接收虚拟资源的错误报告和性能测量数据。VIM主要功能包括:分配、管理、释放虚拟化基础设施的虚拟化资源,接收和存储软件镜像,收集、上报虚拟化资源的性能和故障信息。4) Receive error reports and performance measurement data of virtual resources from the Virtualization Infrastructure Manager (VIM). The main functions of VIM include: allocating, managing, and releasing virtualized resources of the virtualized infrastructure, receiving and storing software images, and collecting and reporting performance and fault information of virtualized resources.
从MEC各模块的功能描述可以看出,MEC应用的规则(包括路由规则、DNS配置、业务规则等)由MEPM管理、MEP接收,并最终在MEC主机的用户面执行。From the functional description of each MEC module, it can be seen that the rules of MEC applications (including routing rules, DNS configuration, business rules, etc.) are managed by MEPM, received by MEP, and finally executed on the user plane of the MEC host.
实际应用中,垂直行业的终端接入技术类型繁多,第三方网络除5G外,还有非5G网络(比如4G、WiFi、Bluetooth、Zigbee、NB-IoT、SPN、红外网络、专线网络、Wireline等),这些终端的数据可能会通过不同的网络传输到MEP。为保障MEP的网络与数据安全,实现泛在网络接入与控制功能,在一种5G行业云网融合的系统架构中引入了行业网关(iGW,industryGateWay),该5G行业云网融合架构如图3所示。In actual applications, there are many types of terminal access technologies in vertical industries. In addition to 5G, third-party networks also include non-5G networks (such as 4G, WiFi, Bluetooth, Zigbee, NB-IoT, SPN, infrared network, dedicated line network, Wireline, etc.). The data of these terminals may be transmitted to MEP through different networks. In order to ensure the network and data security of MEP and realize ubiquitous network access and control functions, an industry gateway (iGW, industryGateWay) is introduced in a 5G industry cloud network integration system architecture. The 5G industry cloud network integration architecture is shown in Figure 3.
MEC平台管理(MEPM)一般设置在行业网关上面,MEP上的数据可以通过行业网关直接接入到外部网络、即第三方网络,现有的ETSI协议对数据安全的保护并不到位,无法适应越来越多的数据安全和隐私保护的管理要求。MEC platform management (MEPM) is generally set up on the industry gateway. The data on the MEP can be directly accessed to the external network, that is, the third-party network, through the industry gateway. The existing ETSI protocol does not provide adequate protection for data security and cannot adapt to the increasing management requirements for data security and privacy protection.
在一些医疗、教育、金融等数据敏感的典型应用场景,出于对保护用户隐私和商业机密的考虑,MEP上提供的一些应用和可用资源(硬件资源、网络资源等)是不能被远端(外部)的MEPM进行管理和配置的,MEPM向MEP发送的管理配置信息(或管理配置数据)必须受到严格的安全控制。相关技术中,MEPM对MEP上的管理配置信息缺乏必要的安全保护和授权管理机制,MEPM针对MEP的安全管理控制机制没有明确定义。In some typical data-sensitive application scenarios such as medical care, education, and finance, some applications and available resources (hardware resources, network resources, etc.) provided by MEP cannot be managed and configured by remote (external) MEPM for the sake of protecting user privacy and commercial secrets. The management configuration information (or management configuration data) sent by MEPM to MEP must be subject to strict security control. In related technologies, MEPM lacks the necessary security protection and authorization management mechanism for the management configuration information on MEP, and the security management control mechanism of MEPM for MEP is not clearly defined.
基于此,在本申请的各种实施例中,第一设备,用于接收来自第二设备的第一信息,基于所述第一信息和安全策略为边缘计算平台上的应用提供安全管理功能;所述第一信息,用于针对所述边缘计算平台上的应用进行配置;所述第二设备,用于基于来自第三设备的第二信息向第一设备发送所述第一信息;所述第二信息,用于编排边缘计算平台上的应用。如此,能够提高对第一设备中针对边缘计算平台的应用进行配置的管控能力。Based on this, in various embodiments of the present application, the first device is used to receive the first information from the second device, and provide security management functions for the application on the edge computing platform based on the first information and security policies; the first information is used to configure the application on the edge computing platform; the second device is used to send the first information to the first device based on the second information from the third device; the second information is used to orchestrate the application on the edge computing platform. In this way, the management and control capabilities of configuring the application on the edge computing platform in the first device can be improved.
An embodiment of the present application provides a communication system. As shown in Figure 4, the system includes a first device, a second device and a third device, wherein:
the first device is configured to receive first information from the second device and, based on the first information and a security policy, provide a security management function for the applications on the edge computing platform; the first information is used to configure the applications on the edge computing platform;
the second device is configured to send the first information to the first device based on second information from the third device; the second information is used to orchestrate the applications on the edge computing platform.
In practice, the second device is located between the first device and the third device.
In practice, the first device may be a locally deployed MEPM: the using party sets up a local MEPM that can locally manage and configure the applications provided by the MEP. The first device can be deployed locally on its own or integrated into the MEP. The embodiments of the present application do not limit the name of the first device, as long as its functions can be realized.
In practice, the second device may be an MEPM. The embodiments of the present application do not limit the name of the second device, as long as its functions can be realized.
In practice, the third device may be an MEO or MEAO. The embodiments of the present application do not limit the name of the third device, as long as its functions can be realized.
In practice, the edge computing platform may be called the MEP.
Orchestrating the applications on the edge computing platform can be understood as orchestrating the application program and/or the available resources of each application.
In one embodiment, the security policy includes at least one of the following:
a first security level, which indicates that configuration of all applications on the edge computing platform is rejected;
a second security level, which indicates that configuration of some applications on the edge computing platform is allowed;
a third security level, which indicates that configuration of all applications on the edge computing platform is allowed.
The first device stores the security policy, which sets the security level; the different security levels govern whether the first device allows configuration of some of the applications on the edge computing platform.
In practice, the second device can be informed whether the configuration succeeded, that is, whether orchestration is complete.
On this basis, in one embodiment, the first device is further configured to send third information to the second device; the third information indicates whether the first information was configured successfully;
the second device is further configured to send fourth information to the third device based on the third information; the fourth information indicates whether the second information was configured successfully.
In one embodiment, the first information includes at least one of the following items of configuration information:
a first configuration policy, for the operation permissions of different applications;
a second configuration policy, for the routing rules of different applications;
a third configuration policy, for the domain name system (DNS) of different applications;
a fourth configuration policy, for the lifecycle of different applications.
In one embodiment, the second information includes at least one of the following:
application management information;
application lifecycle management information;
application lifecycle change information.
Here, the application management information may include application package management, such as on-boarding an application package, enabling an application package and disabling an application package.
The application lifecycle management information may include instantiating an application package, operating (using) an application instance and terminating an application instance.
The application lifecycle change notification may include: the application is not instantiated, the application has started and is running, and the application has stopped running.
In practice, the third device can authenticate the identity of the first device, and communication proceeds once authentication has passed.
On this basis, in one embodiment, the third device is further configured to receive first access authentication information from the first device and send first authentication response information to the first device; the first authentication response information at least includes the identity identifier of the first device.
In practice, the third device can authenticate the identity of the second device, and communication proceeds once authentication has passed.
On this basis, in one embodiment, the third device is further configured to receive second access authentication information from the second device and send second authentication response information to the second device; the second authentication response information at least includes the identity identifier of the second device;
the third device is further configured to send the identity identifier of the first device to the second device.
In one embodiment, there may be one or more first devices.
Correspondingly, an embodiment of the present application further provides a communication method applied to the first device. As shown in Figure 5, the method includes:
Step 501: receiving first information from the second device; the first information is used to configure the applications on the edge computing platform;
Step 502: providing a security management function for the applications on the edge computing platform based on the first information and the security policy.
In practice, the first device may be a locally deployed MEPM: the using party sets up a local MEPM that can locally manage and configure the applications provided by the MEP. The first device can be deployed locally on its own or integrated into the MEP. The embodiments of the present application do not limit the name of the first device, as long as its functions can be realized.
In practice, the second device may be an MEPM. The embodiments of the present application do not limit the name of the second device, as long as its functions can be realized.
In practice, the edge computing platform may be called the MEP.
In one embodiment, the security policy includes at least one of the following:
a first security level, which indicates that configuration of all applications on the edge computing platform is rejected;
a second security level, which indicates that configuration of some applications on the edge computing platform is allowed;
a third security level, which indicates that configuration of all applications on the edge computing platform is allowed.
The first device stores the security policy, which sets the security level; the different security levels govern whether the first device allows configuration of some of the applications on the edge computing platform.
In one embodiment, the first device may request the second device to authenticate its identity, and communication proceeds once authentication has passed.
On this basis, in one embodiment, the method further includes:
sending third information to the second device; the third information indicates whether the first information was configured successfully.
In one embodiment, the first information includes at least one of the following items of configuration information:
a first configuration policy, for the operation permissions of different applications;
a second configuration policy, for the routing rules of different applications;
a third configuration policy, for the domain name system of different applications;
a fourth configuration policy, for the lifecycle of different applications.
In practice, the first device may request the third device to authenticate its identity, and communication proceeds once authentication has passed.
On this basis, in one embodiment, the method further includes:
sending first access authentication information to the third device;
receiving first authentication response information from the third device; the first authentication response information at least includes the identity identifier of the first device.
Correspondingly, an embodiment of the present application further provides a communication method applied to the second device. As shown in Figure 6, the method includes:
Step 601: receiving second information from the third device; the second information is used to orchestrate the applications on the edge computing platform;
Step 602: sending first information to the first device based on the second information; the first information instructs the first device to configure the applications on the edge computing platform based on the first information and the security policy.
In practice, the first device may be a locally deployed MEPM: the using party sets up a local MEPM that can locally manage and configure the applications provided by the MEP. The first device can be deployed locally on its own or integrated into the MEP. The embodiments of the present application do not limit the name of the first device, as long as its functions can be realized.
In practice, the second device may be an MEPM. The embodiments of the present application do not limit the name of the second device, as long as its functions can be realized.
In practice, the third device may be an MEO or MEAO. The embodiments of the present application do not limit the name of the third device, as long as its functions can be realized.
In practice, the edge computing platform may be called the MEP.
In practice, orchestrating the applications on the edge computing platform can be understood as orchestrating the application program and/or the available resources of each application.
In one embodiment, the first information includes at least one of the following items of configuration information:
a first configuration policy, for the operation permissions of different applications;
a second configuration policy, for the routing rules of different applications;
a third configuration policy, for the domain name system of different applications;
a fourth configuration policy, for the lifecycle of different applications.
In one embodiment, the second information includes at least one of the following:
application management information;
application lifecycle management information;
application lifecycle change information.
In one embodiment, the security policy includes at least one of the following:
a first security level, which indicates that configuration of all applications on the edge computing platform is rejected;
a second security level, which indicates that configuration of some applications on the edge computing platform is allowed;
a third security level, which indicates that configuration of all applications on the edge computing platform is allowed.
The first device stores the security policy, which sets the security level; the different security levels govern whether the first device allows configuration of some of the applications on the edge computing platform.
In practice, the second device can authenticate the identity of the first device, and communication proceeds once authentication has passed.
On this basis, in one embodiment, the method further includes:
receiving third information from the first device; the third information indicates whether the first information was configured successfully;
sending fourth information to the third device based on the third information; the fourth information indicates whether the second information was configured successfully.
In practice, the second device may request the third device to authenticate its identity, and communication proceeds once authentication has passed.
On this basis, in one embodiment, the method further includes:
sending second access authentication information to the third device; receiving second authentication response information from the third device; the second authentication response information at least includes the identity identifier of the second device;
the method further includes: receiving the identity identifier of the first device.
The present application is further described in detail below in conjunction with an application example.
In this application example, the first device is called the local MEPM (L-MEPM); the second device is the MEPM; the third device is called the MEAO or MEO; and the edge computing platform is called the MEP.
In this application example, an L-MEPM deployed on the MEP side is introduced. It is mainly responsible for signaling interaction with the MEPM and/or MEAO and for the security supervision of the MEP's local management configuration data, as shown in Figure 7.
The L-MEPM supports the following functions:
1) Managing the management configuration requests of the MEPM and responding to them according to the security policy for the applications on the MEP;
2) Storing a security policy and managing the management configuration data from the MEPM (i.e. the first information from the second device described above) according to it. The security policy may have three levels: strict, general and relaxed. For example, at the strict level, management configuration data from the MEPM cannot configure the applications on the MEP; at the general level, the L-MEPM decides according to the security policy whether management configuration data from the MEPM may configure the applications on the MEP; at the relaxed level, the L-MEPM only forwards the MEPM's management configuration data (determined from the MEPM's management configuration request) to the MEP to configure the different applications.
Of course, in practice the levels can be subdivided further; this is not limited here.
In this application example, as shown in Figure 8, the MEAO performs orchestration management through the MEPM, and the L-MEPM is locally configured with a security policy that enforces data security control on the control plane (specifically, on the management configuration data for the applications provided by the MEP), so that control-plane data cannot configure the MEP's applications arbitrarily. The communication method includes:
Step 801: the MEAO (an example of the third device) sends second information to the MEPM (an example of the second device);
the second information includes the MEPM identity identifier and orchestration information;
the second information is used to orchestrate the applications on the edge computing platform.
An example of the second information is given below; the second information includes, but is not limited to, the content of Table 1:
Table 1
Step 802: after receiving the second information, the MEPM sends first information to the L-MEPM (an example of the first device);
the first information includes the L-MEPM identity identifier and management configuration information;
the first information is used to configure the applications on the edge computing platform.
An example of the first information is shown in Table 2;
Table 2
Step 803: after receiving the first information, the L-MEPM checks its local security policy, performs the corresponding operation based on the first information and the security policy, and replies with third information;
the L-MEPM's local security policy includes:
at the "strict" level (corresponding to the first security level above), the L-MEPM rejects all management configuration information for the MEP;
at the "general" level (corresponding to the second security level above), the L-MEPM allows part of the management configuration information for the MEP;
at the "relaxed" level (corresponding to the third security level above), the L-MEPM allows all management configuration information for the MEP.
Each application in the L-MEPM has a unique identifier; the security policy marks each application by its identifier, and the mark records whether configuration of that application meets the requirements.
The L-MEPM checks the local security policy: if the first information complies with the security policy, it configures the applications on the MEP and, once configuration is complete, replies to the MEPM that configuration succeeded;
if the first information complies with the security policy only in part, it configures the application information on the MEP in part and, once configuration is complete, replies to the MEPM that configuration succeeded;
if the first information does not comply with the local security policy, it replies to the MEPM directly that configuration failed.
That is, the third information includes the MEPM identity identifier and management configuration result information, as shown in Table 3.
Table 3
Step 804: After receiving the third information from the L-MEPM, the MEPM replies to the MEAO with the fourth information.
The fourth information describes the result of orchestration based on the second information.
The fourth information may include the MEAO identity identifier and the management configuration result information, as shown in Table 4.
Table 4
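The decision the L-MEPM makes in step 803 and the reply it hands back for step 804 can be made concrete. The following Python is an added example written for this page, not code from the patent or from any MEC implementation: the message field names (mepm_id, apps, app_id, config), the result strings, the MEP application store and the sample first information are assumptions of the example, since Tables 3 and 8 are not reproduced on the page. It applies the three security levels, keeps the per-application marks default-deny, validates the first information before anything touches the MEP, and reports which applications were and were not configured, so the MEPM can distinguish a full success from the partial case that the page also reports as a success.

```python
"""L-MEPM policy check for step 803 and the third information it returns.

Added example, not the patent's own code. Message field names, result strings
and the sample message are assumptions of this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class SecurityLevel(Enum):
    STRICT = "strict"    # first security level: reject all management configuration for the MEP
    GENERAL = "general"  # second security level: allow configuration of part of the applications
    RELAXED = "relaxed"  # third security level: allow all management configuration


# Configuration categories the first information may carry (first to fourth configuration policies).
CONFIG_KINDS = {"permissions", "routing", "dns", "lifecycle"}


@dataclass
class LocalSecurityPolicy:
    level: SecurityLevel
    # Per-application marks keyed by the application's unique identifier on the L-MEPM:
    # True means the application meets the policy and may be configured by the MEPM.
    app_marks: Dict[str, bool] = field(default_factory=dict)

    def permits(self, app_id: str) -> bool:
        if self.level is SecurityLevel.STRICT:
            return False
        if self.level is SecurityLevel.RELAXED:
            return True
        # "general": only applications explicitly marked as meeting the policy. An
        # unmarked identifier is denied, so an unknown app or a typo fails closed.
        return self.app_marks.get(app_id, False)


def _validate(msg: dict) -> List[Tuple[str, dict]]:
    """Check the shape of the first information before any configuration is applied."""
    if not isinstance(msg.get("mepm_id"), str) or not isinstance(msg.get("apps"), list):
        raise ValueError("first information must carry mepm_id and an apps list")
    entries = []
    for item in msg["apps"]:
        app_id, config = item.get("app_id"), item.get("config")
        if not isinstance(app_id, str) or not isinstance(config, dict):
            raise ValueError("each app entry needs an app_id string and a config object")
        unknown = set(config) - CONFIG_KINDS
        if unknown:
            raise ValueError(f"unknown configuration kind(s) {sorted(unknown)} for {app_id}")
        entries.append((app_id, config))
    return entries


def handle_first_information(policy: LocalSecurityPolicy, msg: dict,
                             mep_apps: Dict[str, dict]) -> dict:
    """Step 803 on the L-MEPM. mep_apps stands in for the MEP's application store.

    Returns the third information: the MEPM identity plus the management
    configuration result, with the lists of configured and rejected applications.
    """
    try:
        entries = _validate(msg)
    except ValueError as exc:
        # A malformed message is answered as a failure; nothing on the MEP was touched.
        return {"mepm_id": msg.get("mepm_id"), "result": "failure",
                "reason": str(exc), "configured": [], "rejected": []}

    allowed = [(app_id, cfg) for app_id, cfg in entries if policy.permits(app_id)]
    rejected = [app_id for app_id, _ in entries if not policy.permits(app_id)]
    if not allowed:
        # Nothing complies with the local security policy: reply failure directly.
        return {"mepm_id": msg["mepm_id"], "result": "failure",
                "configured": [], "rejected": rejected}

    for app_id, cfg in allowed:          # configure only the compliant part
        mep_apps.setdefault(app_id, {}).update(cfg)

    return {"mepm_id": msg["mepm_id"],
            "result": "success" if not rejected else "partial",
            "configured": [app_id for app_id, _ in allowed],
            "rejected": rejected}


# Constructed sample first information (not taken from the patent's tables).
SAMPLE_FIRST_INFORMATION = {
    "mepm_id": "550e8400-e29b-41d4-a716-446655440000",
    "apps": [
        {"app_id": "app-video", "config": {"routing": [{"dst": "10.0.0.0/24", "via": "mp1"}]}},
        {"app_id": "app-iot", "config": {"lifecycle": "instantiate", "dns": {"name": "iot.local"}}},
    ],
}


def demo(level: SecurityLevel) -> Tuple[dict, Dict[str, dict]]:
    """Run the sample message against a policy that marks only app-video as compliant."""
    policy = LocalSecurityPolicy(level, app_marks={"app-video": True, "app-iot": False})
    mep_apps: Dict[str, dict] = {}
    third = handle_first_information(policy, SAMPLE_FIRST_INFORMATION, mep_apps)
    return third, mep_apps


if __name__ == "__main__":
    for level in SecurityLevel:
        print(level.value, demo(level)[0]["result"])
```

At the "general" level the sample yields a partial result with app-video configured and app-iot rejected; at "strict" nothing is written to the MEP and the reply is a failure; a message carrying a configuration kind outside the four policies is refused before the policy is even consulted.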
In the embodiments of the present invention a unique ID may be used to identify an entity, as in the embodiment of Table 5;
Table 5
In the embodiments of the present invention the MEPM type may be distinguished by a numeric or string identifier, as in the embodiment of Table 6;
Table 6
The orchestration information issued by the MEAO in the embodiments, shown in Table 7, is designed according to the provisions of the ETSI MEC 010-2 standard and is given per application package:
Table 7
An application example of the management configuration information sent by the MEPM to the L-MEPM is given in Table 8;
Table 8
An application example of the reply from the L-MEPM to the MEPM, i.e. the third information, is given in Table 9;
Table 9
An application example of the reply from the MEPM to the MEAO, i.e. the fourth information, is given in Table 10;
Table 10
In practice, in order to obtain the MEPM identity identifier and the L-MEPM identity identifier, the method further includes identity registration; as shown in FIG. 9, this includes:
Step 901: The MEPM (an example of the second device) and the L-MEPM (an example of the first device) each send a registration request to the MEAO (an example of the third device);
The registration request is the identity authentication information and asks the MEAO to register an identity. After receiving the registration request and performing the registration, the MEAO stores the corresponding identity identifiers of the MEPM and the L-MEPM. The registered identity information may include the contents shown in Table 11:
Table 11
Step 902: After receiving the registration request, the MEAO performs the registration and replies with the information shown in Table 12:
Table 12
After receiving the MEPM registration request, the MEAO performs a reply operation; an application example of the reply is given in Table 13. An identity identifier that does not follow the format of Table 6 is treated as illegal.
Table 13
Step 903: The MEAO sends the registered L-MEPM information to the MEPM; an application example is given in Table 14;
Table 14
Step 904: After parsing the identity information and IP addresses of the L-MEPMs, the MEPM forms the association between itself and multiple L-MEPMs, as shown in FIG. 10.
The MEPM then replies to the MEAO. An application example of the reply content is given in Table 15;
Table 15
An application example of the reply type and reply description is given in Table 16;
Table 16
An application example of the IP address is given in Table 17;
Table 17
An example of the L-MEPM identity information and IP address information is as follows:
Method 1: implement it as a hash table, where the key is the L-MEPM identity identifier and the value is the IP address of that L-MEPM.
Method 2: implement it as a JSON string:
{
  "880e8400-e29b-41d4-a716-446655440000": "156.123.52.41",
  "990e8400-e29b-41d4-a716-446655440000": "156.123.52.42",
  "770e8400-e29b-41d4-a716-446655440000": "156.123.52.43",
  "660e8400-e29b-41d4-a716-446655440000": "156.123.52.44"
}
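The registration exchange of steps 901 to 904, ending in the association of method 1 and its JSON form of method 2, as an added Python example written for this page (not the patent's code or that of any MEC implementation). The request and reply field names, the node-type strings standing in for Table 6, the UUID format the MEAO enforces on identity identifiers (the page only says an identifier not in the Table 6 format is illegal, and Table 6 is not reproduced), and the registrant names and addresses are assumptions of the example; the four L-MEPM addresses are the ones in the JSON above. The MEPM validates every identity and address it receives in step 904 rather than trusting the list as delivered, and the MEAO refuses malformed addresses, unknown node types and duplicate registrations.

```python
"""Identity registration between MEAO, MEPM and L-MEPM (steps 901 to 904).

Added example, not the patent's code. Field names, the UUID identity format and
the sample registrants are assumptions of this example.
"""
import ipaddress
import json
import uuid
from typing import Dict, List, Tuple

NODE_TYPES = ("MEPM", "L-MEPM")   # stands in for the MEPM type identifiers of Table 6


def is_valid_identity(value: object) -> bool:
    """Identity format check (assumed: version-4 UUID string). Anything else is illegal."""
    if not isinstance(value, str):
        return False
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False


class MEAO:
    """Orchestrator-side registry for steps 902 and 903."""

    def __init__(self) -> None:
        self._registry: Dict[str, dict] = {}   # identity -> {type, ip, name}

    def register(self, request: dict) -> dict:
        """Step 902: validate the registration request, assign an identity, store it, reply."""
        node_type = request.get("type")
        if node_type not in NODE_TYPES:
            return {"status": "rejected", "reason": "unknown node type"}
        try:
            ip = str(ipaddress.ip_address(request.get("ip", "")))
        except ValueError:
            return {"status": "rejected", "reason": "malformed IP address"}
        if any(r["ip"] == ip and r["type"] == node_type for r in self._registry.values()):
            return {"status": "rejected", "reason": "address already registered for this type"}
        identity = str(uuid.uuid4())          # the MEAO assigns the unique identity
        self._registry[identity] = {"type": node_type, "ip": ip, "name": request.get("name", "")}
        return {"status": "registered", "identity": identity, "type": node_type}

    def registered_lmepms(self) -> dict:
        """Step 903: the registered L-MEPM information the MEAO sends to the MEPM."""
        return {"lmepms": [{"identity": ident, "ip": rec["ip"]}
                           for ident, rec in self._registry.items() if rec["type"] == "L-MEPM"]}


class MEPM:
    """Manager side: builds the MEPM to L-MEPM association of step 904."""

    def __init__(self, identity: str) -> None:
        self.identity = identity
        self.lmepm_by_id: Dict[str, str] = {}   # method 1: hash table, identity -> IP address

    def associate(self, info: dict) -> dict:
        """Step 904: parse identities and addresses, keep only well-formed entries, reply."""
        accepted: List[str] = []
        rejected: List[str] = []
        for entry in info.get("lmepms", []):
            ident, ip = entry.get("identity"), entry.get("ip")
            try:
                ip = str(ipaddress.ip_address(ip))
            except (ValueError, TypeError):
                rejected.append(str(ident))
                continue
            if not is_valid_identity(ident):
                rejected.append(str(ident))
                continue
            self.lmepm_by_id[ident] = ip
            accepted.append(ident)
        result = "failure" if not accepted else ("success" if not rejected else "partial")
        return {"mepm_id": self.identity, "result": result,
                "associated": accepted, "rejected": rejected}

    def to_json(self) -> str:
        """Method 2: the same association as a JSON string."""
        return json.dumps(self.lmepm_by_id, indent=2)


def run_registration() -> Tuple[MEAO, MEPM, dict]:
    """Constructed walk-through: one MEPM and four L-MEPMs register, then steps 903/904 run."""
    meao = MEAO()
    mepm_reply = meao.register({"type": "MEPM", "ip": "156.123.52.1", "name": "mepm-central"})
    mepm = MEPM(mepm_reply["identity"])
    for n in range(41, 45):                     # addresses taken from the JSON example above
        meao.register({"type": "L-MEPM", "ip": f"156.123.52.{n}", "name": f"lmepm-{n}"})
    reply = mepm.associate(meao.registered_lmepms())   # step 903, then step 904
    return meao, mepm, reply


if __name__ == "__main__":
    _, mepm, reply = run_registration()
    print(reply["result"], mepm.to_json())
```

Because the MEAO mints the identifiers, the identity values differ on every run; what stays fixed is the shape the MEPM accepts, which is why the check in associate is on format and address validity rather than on specific values.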
To implement the method on the first-device side of the embodiments of the present application, the embodiments further provide a communication apparatus arranged on the first device; as shown in FIG. 12, the apparatus includes:
a first communication unit 1201, configured to receive first information from the second device, the first information being used to configure applications on the edge computing platform;
a first processing unit 1202, configured to provide a security management function for applications on the edge computing platform based on the first information and a security policy.
In one embodiment, the security policy includes at least one of the following:
a first security level, which represents rejecting configuration of all applications on the edge computing platform;
a second security level, which represents allowing configuration of part of the applications on the edge computing platform;
a third security level, which represents allowing configuration of all applications on the edge computing platform.
In one embodiment, the first communication unit 1201 is further configured to send third information to the second device; the third information indicates whether the first information was configured successfully.
In one embodiment, the first information includes at least one of the following configuration information:
a first configuration policy, concerning the operation permissions of different applications;
a second configuration policy, concerning the routing rules of different applications;
a third configuration policy, concerning the domain name system of different applications;
a fourth configuration policy, concerning the life cycle of different applications.
In one embodiment, the first communication unit 1201 is further configured to send first access authentication information to the third device, and to
receive first authentication response information from the third device; the first authentication response information includes at least the identity identifier of the first device.
In practice, the first communication unit 1201 and the first processing unit 1202 may be implemented by a processor in the communication apparatus together with a communication interface.
To implement the method on the second-device side of the embodiments of the present application, the embodiments further provide a communication apparatus arranged on the second device; as shown in FIG. 13, the apparatus includes:
a second communication unit 1301, configured to receive second information from the third device, the second information being used to orchestrate applications on the edge computing platform;
a second processing unit 1302, configured to send first information to the first device based on the second information; the first information instructs the first device to configure applications on the edge computing platform based on the first information and a security policy.
In one embodiment, the first information includes at least one of the following configuration information:
a first configuration policy, concerning the operation permissions of different applications;
a second configuration policy, concerning the routing rules of different applications;
a third configuration policy, concerning the domain name system of different applications;
a fourth configuration policy, concerning the life cycle of different applications.
In one embodiment, the second information includes at least one of the following:
management information of the application;
life cycle management information of the application;
life cycle change information of the application.
In one embodiment, the security policy includes at least one of the following:
a first security level, which represents rejecting configuration of all applications on the edge computing platform;
a second security level, which represents allowing configuration of part of the applications on the edge computing platform;
a third security level, which represents allowing configuration of all applications on the edge computing platform.
In one embodiment, the second communication unit 1301 is further configured to receive third information from the first device; the third information indicates whether the first information was configured successfully; and to
send fourth information to the third device based on the third information; the fourth information indicates whether the second information was configured successfully.
In one embodiment, the second communication unit 1301 is further configured to send second access authentication information to the third device and to receive second authentication response information from the third device; the second authentication response information includes at least the identity identifier of the first device;
the second communication unit 1301 is further configured to receive the identity identifier of the first device.
In practice, the second communication unit 1301 and the second processing unit 1302 may be implemented by a processor in the communication apparatus together with a communication interface.
It should be noted that when the communication apparatus provided in the above embodiments communicates, the division into the program modules above is only an example; in practice the processing may be allocated to different program modules as required, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the communication apparatus and the communication method embodiments above belong to the same concept; for the specific implementation process refer to the method embodiments, which are not repeated here.
Based on the hardware implementation of the program modules above, and to implement the method on the first-device side of the embodiments of the present application, the embodiments further provide a first device; as shown in FIG. 14, the first device 1400 includes:
a first communication interface 1401, capable of exchanging information with the second device;
a first processor 1402, connected to the first communication interface 1401 so as to exchange information with the second device and configured, when running a computer program, to execute the method provided by one or more of the technical solutions on the first-device side; the computer program is stored in a first memory 1403.
Specifically, the first communication interface 1401 is configured to receive first information from the second device; the first information is used to configure applications on the edge computing platform;
the first processor 1402 is configured to provide a security management function for applications on the edge computing platform based on the first information and a security policy.
In one embodiment, the first communication interface 1401 is further configured to:
send third information to the second device; the third information indicates whether the first information was configured successfully.
In one embodiment, the first communication interface 1401 is further configured to:
send first access authentication information to the third device;
receive first authentication response information from the third device; the first authentication response information includes at least the identity identifier of the first device.
It should be noted that the specific processing of the first processor 1402 and the first communication interface 1401 can be understood with reference to the method above.
In practice, the components of the first device 1400 are coupled together by a bus system 1404. The bus system 1404 provides the connections and communication between these components. Besides a data bus, the bus system 1404 also includes a power bus, a control bus and a status signal bus; for clarity, all of these are labelled as the bus system 1404 in FIG. 14.
The first memory 1403 in the embodiments of the present application is used to store various types of data to support the operation of the first device 1400. Examples of such data include any computer program used to operate on the first device 1400.
The method disclosed in the embodiments above may be applied in, or implemented by, the first processor 1402. The first processor 1402 may be an integrated circuit chip with signal processing capability. In implementation, each step of the method above may be completed by integrated logic circuits in hardware within the first processor 1402 or by instructions in the form of software. The first processor 1402 may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The first processor 1402 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments may be embodied directly as execution by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium located in the first memory 1403; the first processor 1402 reads the information in the first memory 1403 and completes the steps of the method together with its hardware.
In an exemplary embodiment, the first device 1400 may be implemented by one or more application-specific integrated circuits (ASIC), DSPs, programmable logic devices (PLD), complex programmable logic devices (CPLD), field-programmable gate arrays (FPGA), general-purpose processors, controllers, microcontroller units (MCU), microprocessors, or other electronic components, to execute the method described above.
Based on the hardware implementation of the program modules above, and to implement the method on the second-device side of the embodiments of the present application, the embodiments further provide a second device; as shown in FIG. 15, the second device 1500 includes:
a second communication interface 1501, capable of exchanging information with the first device and the third device;
a second processor 1502, connected to the second communication interface 1501 so as to exchange information with the first device and the third device and configured, when running a computer program, to execute the method provided by one or more of the technical solutions on the second-device side; the computer program is stored in a second memory 1503.
Specifically, the second communication interface 1501 is configured to receive second information from the third device; the second information is used to orchestrate applications on the edge computing platform;
the second processor 1502 is configured to send first information to the first device based on the second information; the first information instructs the first device to configure applications on the edge computing platform based on the first information and a security policy.
In one embodiment, the second communication interface 1501 is further configured to:
receive third information from the first device; the third information indicates whether the first information was configured successfully;
send fourth information to the third device based on the third information; the fourth information indicates whether the second information was configured successfully.
In one embodiment, the second communication interface 1501 is further configured to send second access authentication information to the third device and to receive second authentication response information from the third device; the second authentication response information includes at least the identity identifier of the first device;
and to receive the identity identifier of the first device.
It should be noted that the specific processing of the second communication interface 1501 and the second processor 1502 can be understood with reference to the method above.
In practice, the components of the second device 1500 are coupled together by a bus system 1504. The bus system 1504 provides the connections and communication between these components. Besides a data bus, the bus system 1504 also includes a power bus, a control bus and a status signal bus; for clarity, all of these are labelled as the bus system 1504 in FIG. 15.
The second memory 1503 in the embodiments of the present application is used to store various types of data to support the operation of the second device 1500. Examples of such data include any computer program used to operate on the second device 1500.
The method disclosed in the embodiments above may be applied in, or implemented by, the second processor 1502. The second processor 1502 may be an integrated circuit chip with signal processing capability. In implementation, each step of the method above may be completed by integrated logic circuits in hardware within the second processor 1502 or by instructions in the form of software. The second processor 1502 may be a general-purpose processor, a DSP, another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The second processor 1502 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments may be embodied directly as execution by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium located in the second memory 1503; the second processor 1502 reads the information in the second memory 1503 and completes the steps of the method together with its hardware.
In an exemplary embodiment, the second device 1500 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, microprocessors, or other electronic components, to execute the method described above.
It will be understood that the memories of the embodiments (the first memory 1403 and the second memory 1503) may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), ferromagnetic random access memory (FRAM), flash memory, magnetic surface memory, an optical disc, or compact disc read-only memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM) and direct Rambus random access memory (DRRAM). The memory described in the embodiments of the present application is intended to include, without being limited to, these and any other suitable types of memory.
It should be noted that "first", "second" and the like are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
In addition, the technical solutions described in the embodiments of the present application may be combined arbitrarily where they do not conflict.
The above is only a preferred embodiment of the present application and is not intended to limit its scope of protection.
Claims (25)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110703440.3A CN115529144B (en) | 2021-06-24 | 2021-06-24 | Communication system, method, apparatus, first device, second device, and storage medium |
PCT/CN2022/099569 WO2022267994A1 (en) | 2021-06-24 | 2022-06-17 | Communication system and method, apparatus, first device, second device, and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115529144A CN115529144A (en) | 2022-12-27 |
CN115529144B true CN115529144B (en) | 2024-06-18 |
Family
ID=84545132
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110703440.3A Active CN115529144B (en) | 2021-06-24 | 2021-06-24 | Communication system, method, apparatus, first device, second device, and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN115529144B (en) |
WO (1) | WO2022267994A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110944330A (en) * | 2018-09-21 | 2020-03-31 | 华为技术有限公司 | MEC platform deployment method and device |
CN111935270A (en) * | 2020-08-04 | 2020-11-13 | 腾讯科技(深圳)有限公司 | Communication method, device, medium and electronic equipment based on edge computing platform |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018089417A1 (en) * | 2016-11-09 | 2018-05-17 | Interdigital Patent Holdings, Inc. | Systems and methods to create slices at a cell edge to provide computing services |
WO2019147970A1 (en) * | 2018-01-26 | 2019-08-01 | Idac Holdings, Inc. | Application mobility based on enhanced mptcp |
WO2020185794A1 (en) * | 2019-03-11 | 2020-09-17 | Intel Corporation | Multi-slice support for mec-enabled 5g deployments |
CN111722906A (en) * | 2019-03-22 | 2020-09-29 | 华为技术有限公司 | A method and apparatus for deploying virtual machines and containers |
FR3096535A1 (en) * | 2019-06-26 | 2020-11-27 | Orange | Methods and devices for securing a multiple access edge network |
CN112422685B (en) * | 2020-11-19 | 2022-02-01 | 中国联合网络通信集团有限公司 | 5G data processing system and method based on mobile edge computing MEC |
CN112822675B (en) * | 2021-01-11 | 2021-11-23 | 北京交通大学 | MEC environment-oriented OAuth 2.0-based single sign-on mechanism |
Application Events
- 2021-06-24: CN202110703440.3A filed in CN (CN115529144B, status: Active)
- 2022-06-17: PCT/CN2022/099569 filed under the PCT (WO2022267994A1, status: Application Filing)
Also Published As
Publication number | Publication date |
---|---|
WO2022267994A1 (en) | 2022-12-29 |
CN115529144A (en) | 2022-12-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |