CN115941214A - Method, device and storage medium for policy message processing - Google Patents
Publication number: CN115941214A (application CN202110896711.1A)
Authority: CN (China)
Prior art keywords: policy, policy message, PDE, message, verification
Legal status: Pending
Classification: Data Exchanges In Wide-Area Networks
Description
Technical field
The present invention relates to the technical field of data security, and in particular to a policy message processing method, device and storage medium.
Background
A digital twin is a real-time mirror of a physical entity in the digital world, and is becoming a new focus of global information technology development and of the digital transformation of industry. In future networks, digital twin technology will be widely applied in fields such as intelligent manufacturing, smart cities and scientific research, moving society as a whole towards a "digital twin" world in which the virtual and the real are combined.
A DTN (Digital Twin Network) is a network system consisting of physical network entities and their virtual twins, where the two can be mapped to each other interactively in real time. In such a system, network management functions and applications can use the virtual network twin built with digital twin technology to analyse, diagnose, simulate and control the physical network efficiently on the basis of data and models. The network twin helps the physical network achieve low-cost trial and error, intelligent decision-making, efficient innovation and predictive maintenance. Using the digital twin network as a key enabling platform for future mobile communication networks can help those networks reach the goal of distributed autonomy. At the same time, through capability exposure and twin copying, the digital twin network can on demand help users perceive the network state clearly, mine valuable network information efficiently, and explore innovative network applications through a friendlier immersive interactive interface.
The digital twin network has been taken up as a work item in the ITU (International Telecommunication Union) and its framework design is essentially complete, but the framework has a shortcoming: it does not comprehensively consider, from a security perspective, the security issues that arise during policy delivery.
Summary of the invention
The present invention provides a policy message processing method, device and storage medium, used to solve the problem that the digital twin network framework does not comprehensively consider, from a security perspective, the security issues that arise during policy delivery.
The invention provides the following technical solutions:
A policy message processing method, comprising:
the CE receives a policy message sent by the PDE;
the CE verifies the policy message;
after the verification passes, the CE sends the policy message to the DE deployed at the boundary of the physical network.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
In an implementation, before the CE verifies the policy message, the method further comprises:
decrypting the policy message using a first key negotiated between the CE and the PDE.
In an implementation, part of the information in the policy message that is sent to the DE after verification passes has been encrypted by the PDE using a second key negotiated between the DE and the PDE.
In an implementation, TLS is used to transmit policy messages between the CE and the DE.
In an implementation, verifying the policy message comprises one or a combination of the following verifications:
source verification, target verification, and post-policy verification, which includes policy integrity verification and stability verification.
In an implementation, stability verification comprises one or a combination of the following:
dynamic baseline comparison, taking historical data as input, with manual secondary confirmation required when the policy's adjustment exceeds a preset threshold;
comparing the policy intent for the target object against the functions of the real network element device, to prevent the policy intent from being applied to the wrong network element device;
routing loop filtering of the policy, to prevent routing loops from being created.
In an implementation, verifying the policy message comprises:
after receiving the policy message, verifying the integrity of the policy message;
after the verification passes, extracting the policy content from the policy message;
hashing the extracted policy content and comparing the result with the stored original hash value;
when the hash values match, the policy message verification succeeds.
A policy message processing method, comprising:
the DE receives a policy message sent by the CE;
the DE extracts the instructions from the policy message and sends them to the network element devices.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
In an implementation, after receiving the policy message sent by the CE, the method further comprises:
decrypting part of the information in the policy message using a second key negotiated between the DE and the PDE.
A policy message processing method, comprising:
the PDE generates a policy message;
the PDE sends the policy message to the CE.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
In an implementation, before sending the policy message to the CE, the method further comprises:
encrypting the policy message using a first key negotiated between the CE and the PDE;
encrypting part of the information in the policy message using a second key negotiated between the DE and the PDE.
In an implementation, after generating the policy message, the method further comprises:
hashing the policy message and storing the hash value.
A CE, comprising:
a processor, configured to read a program in a memory and perform the following process:
receiving a policy message sent by the PDE;
verifying the policy message;
after the verification passes, sending the policy message to the DE deployed at the boundary of the physical network;
and a transceiver, configured to receive and send data under the control of the processor.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
In an implementation, before verifying the policy message, the process further comprises:
decrypting the policy message using a first key negotiated between the CE and the PDE.
In an implementation, part of the information in the policy message that is sent to the DE after verification passes has been encrypted by the PDE using a second key negotiated between the DE and the PDE.
In an implementation, TLS is used to transmit policy messages to the DE.
In an implementation, verifying the policy message comprises one or a combination of the following verifications:
source verification, target verification, and post-policy verification, which includes policy integrity verification and stability verification.
In an implementation, stability verification comprises one or a combination of the following:
dynamic baseline comparison, taking historical data as input, with manual secondary confirmation required when the policy's adjustment exceeds a preset threshold;
comparing the policy intent for the target object against the functions of the real network element device, to prevent the policy intent from being applied to the wrong network element device;
routing loop filtering of the policy, to prevent routing loops from being created.
In an implementation, verifying the policy message comprises:
after receiving the policy message, verifying the integrity of the policy message;
after the verification passes, extracting the policy content from the policy message;
hashing the extracted policy content and comparing the result with the stored original hash value;
when the hash values match, the policy message verification succeeds.
A CE, comprising:
a CE receiving module, configured to receive a policy message sent by the PDE;
a CE verification module, configured to verify the policy message;
a CE sending module, configured to send the policy message to the DE deployed at the boundary of the physical network after the verification passes.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
In an implementation, the CE further comprises:
a CE decryption module, configured to decrypt the policy message using a first key negotiated between the CE and the PDE before the CE verifies the policy message.
In an implementation, the CE sending module is further configured such that part of the information in the policy message sent to the DE after verification passes is information that the PDE encrypted using a second key negotiated between the DE and the PDE.
In an implementation, the CE sending module is further configured to use TLS to transmit the policy message to the DE.
In an implementation, the CE verification module is further configured to verify the policy message using one or a combination of the following verifications:
source verification, target verification, and post-policy verification, which includes policy integrity verification and stability verification.
In an implementation, the stability verification performed by the CE verification module comprises one or a combination of the following:
dynamic baseline comparison, taking historical data as input, with manual secondary confirmation required when the policy's adjustment exceeds a preset threshold;
comparing the policy intent for the target object against the functions of the real network element device, to prevent the policy intent from being applied to the wrong network element device;
routing loop filtering of the policy, to prevent routing loops from being created.
In an implementation, the CE verification module is further configured to verify the policy message by:
after receiving the policy message, verifying the integrity of the policy message;
after the verification passes, extracting the policy content from the policy message;
hashing the extracted policy content and comparing the result with the stored original hash value;
when the hash values match, the policy message verification succeeds.
A DE, comprising:
a processor, configured to read a program in a memory and perform the following process:
receiving a policy message sent by the CE;
extracting the instructions from the policy message and sending them to the network element devices;
and a transceiver, configured to receive and send data under the control of the processor.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
In an implementation, after receiving the policy message sent by the CE, the process further comprises:
decrypting part of the information in the policy message using a second key negotiated between the DE and the PDE.
A DE, comprising:
a DE receiving module, configured to receive a policy message sent by the CE;
a DE sending module, configured to extract the instructions from the policy message and send them to the network element devices.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
In an implementation, the DE further comprises:
a DE decryption module, configured to decrypt part of the information in the policy message using a second key negotiated between the DE and the PDE after the policy message sent by the CE has been received.
A PDE, comprising:
a processor, configured to read a program in a memory and perform the following process:
generating a policy message;
sending the policy message to the CE;
and a transceiver, configured to receive and send data under the control of the processor.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
In an implementation, before sending the policy message to the CE, the process further comprises:
encrypting the policy message using a first key negotiated between the CE and the PDE;
encrypting part of the information in the policy message using a second key negotiated between the DE and the PDE.
In an implementation, after generating the policy message, the process further comprises:
hashing the policy message and storing the hash value.
A PDE, comprising:
a PDE generation module, configured to generate a policy message;
a PDE sending module, configured to send the policy message to the CE.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
In an implementation, the PDE further comprises:
a PDE encryption module, configured, before the policy message is sent to the CE, to encrypt the policy message using a first key negotiated between the CE and the PDE, and to encrypt part of the information in the policy message using a second key negotiated between the DE and the PDE.
In an implementation, the PDE generation module is further configured to hash the policy message after generating it and to store the hash value.
A computer-readable storage medium, characterised in that the computer-readable storage medium stores a computer program for executing the policy message processing method described above.
The beneficial effects of the present invention are as follows:
In the technical solution provided by the embodiments of the present invention, the security problem of policy delivery is solved by introducing a DTPF containing a CE and a DE. When a policy is delivered to the CE, the CE can verify the integrity and reliability of the policy and the authenticity of the policy source; if the verification passes, the policy can be correctly delivered to each network element device in the physical world, thereby ensuring the security of the delivered policy. This also solves the security problem that policies generated by the digital twin network act directly on the physical network layer.
Description of the drawings
The drawings described here are provided for a further understanding of the present invention and form part of it; the illustrative embodiments of the present invention and their descriptions serve to explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a schematic diagram of the digital twin network architecture in an embodiment of the present invention;
Fig. 2 is a schematic flow diagram of the implementation of the policy message processing method on the PDE side in an embodiment of the present invention;
Fig. 3 is a schematic flow diagram of the implementation of the policy message processing method on the CE side in an embodiment of the present invention;
Fig. 4 is a schematic flow diagram of the implementation of the policy message processing method on the DE side in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the DTPF and its operating environment in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the DTPF structure in an embodiment of the present invention;
Fig. 7 is a schematic diagram of the interaction flow among the PDE, CE and DE in an embodiment of the present invention;
Fig. 8 is a schematic diagram of the post-policy verification flow in an embodiment of the present invention;
Fig. 9 is a schematic diagram of the CE structure in an embodiment of the present invention;
Fig. 10 is a schematic diagram of the DE structure in an embodiment of the present invention;
Fig. 11 is a schematic diagram of the PDE structure in an embodiment of the present invention.
Detailed description
In the course of the invention, the inventors noted the following:
The framework has not been considered comprehensively from a security perspective. Because policies generated by the digital twin network act directly on the physical network layer, which is fundamentally different from traditional network control and configuration, solving the security issues in the policy delivery process is critical, and this will also be the last line of security defence for the digital twin network's automated configuration and optimisation of the physical network.
The problem with the existing technology is therefore that the existing standards and procedures do not address security.
The technical problem to be solved by the technical solution provided by the embodiments of the present invention concerns designing a security model for the policy delivery interface so as to secure that interface.
Based on the above security problems and requirements, the technical solution provided by the embodiments of the present invention offers a scheme for protecting the security of the digital twin network's policy delivery interface. A twin security centre module is introduced to solve the security problem of policy delivery: when a policy is delivered to the twin security centre, the centre can verify the integrity and reliability of the policy and the authenticity of the policy source, and if the verification passes, the policy can be correctly delivered to each network element device in the physical world. Because physical networks have different security levels, the twin security centre can apply differentiated security configurations, thereby improving the efficiency of policy delivery.
Specific embodiments of the present invention are described below with reference to the drawings.
In the description, the implementations on the PDE side and on the CE and DE sides are described separately, and an example of their coordinated implementation is then given to aid understanding of how the scheme given in the embodiments is implemented. This manner of description does not mean that they must be implemented together, or must be implemented separately; in fact, when the PDE is implemented separately from the CE and DE, each solves the problems on its own side, and when they are used in combination a better technical effect is obtained.
First, the environment and background of the scheme's implementation are explained.
Fig. 1 is a schematic diagram of the digital twin network architecture. As shown in the figure, the digital twin network architecture mainly comprises a network application layer, a twin network layer and a physical network layer, with a data collection interface and a control delivery interface between the twin network layer and the physical network layer.
The digital twin network is digitised, networked and intelligent, and its application environment is more open, interconnected and shared; as its fields of application keep expanding, network security issues will gradually come to the fore. Digital twin networks and applications mainly face the following security risks and challenges:
1. Data security risk: during operation a digital twin network must generate and store massive amounts of device data, user data, interaction data and management data, and ensuring the security of the transmission and storage of this data poses a great challenge to the network;
2. Sensor device risk: sensor devices are the smart cells of the digital twin network and the basic link for collecting network configuration information, network operating state and user service data. These sensor devices are numerous, widely distributed and centrally managed; if security vulnerabilities in their software, hardware or data interfaces are maliciously exploited, the impact on the physical network will be enormous.
3. The twin network threatens the physical world: physical networks that were originally relatively closed, such as the radio systems of mobile communication networks, may gain multiple exposed interfaces. Since virtual systems such as the digital twin network may contain various unknown security vulnerabilities and are susceptible to external attack, the system may be thrown into disorder and issue wrong instructions to the real physical network.
4. Network application security risk: network applications submit requirements to the twin network, and services are deployed in the twin network through modelled instances; after full verification, the twin network layer delivers control updates to the physical network. Improper configuration of network permissions may lead to unauthorised access, in which an attacker submits wrong requirements, causing the twin network to generate a wrong configuration that then affects the physical network.
Among these, the security of the control delivery interface is especially important; to a certain extent it can be regarded as the last line of defence of the physical network. The control information transmitted over the control delivery interface is key configuration information of the network and needs to be known to the smallest possible set of parties, so its security faces two problems:
1. how to secure the interface channel;
2. how to keep the exposure of the message to a minimum during transmission.
On this basis, the technical solution provided by the embodiments of the present invention introduces a DTPF (Digital Twin Protection Function) to solve the above two problems.
Fig. 2 is a schematic flow diagram of the implementation of the policy message processing method on the PDE side. As shown in the figure, it may comprise:
Step 201: the PDE generates a policy message;
Step 202: the PDE sends the policy message to the CE.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
Fig. 3 is a schematic flow diagram of the implementation of the policy message processing method on the CE side. As shown in the figure, it may comprise:
Step 301: the CE receives the policy message sent by the PDE;
Step 302: the CE verifies the policy message;
Step 303: after the verification passes, the CE sends the policy message to the DE deployed at the boundary of the physical network.
Here the CE is the entity that, after the policy message sent by the PDE has passed verification, sends the policy message to the DE deployed at the boundary of the physical network, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
Fig. 4 is a schematic flow diagram of the implementation of the policy message processing method on the DE side. As shown in the figure, it may comprise:
Step 401: the DE receives the policy message sent by the CE;
Step 402: the DE extracts the instructions from the policy message and sends them to the network element devices.
Here the CE is the entity that sends the policy message to the DE deployed at the boundary of the physical network after the policy message sent by the PDE has passed verification, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices.
In an implementation, the CE is the entity that sends the policy message to the DE deployed at the boundary of the physical network after the policy message sent by the PDE has passed verification, and the DE is the entity that extracts the instructions from the policy message and sends them to the network element devices. In 5G and beyond these entities may well be virtualised network elements, but even a virtualised network element must run on a physical entity, so "entity" here can be understood as any entity capable of performing the DE or CE function.
Fig. 5 is a schematic diagram of the DTPF and its operating environment. As shown in the figure, the technical solution provided by the embodiments of the present invention solves the security problem of policy delivery by introducing the DTPF. The DTPF is divided into two functional entities, the CE (Central Entity) and the DE (Distributed Entity). The CE is deployed centrally and can partially decrypt and verify policies; in addition, because physical networks have different security levels, the CE can provide differentiated services to different network objects at fine granularity. The DE is deployed at the boundary of each physical network, can fully decrypt policies, and extracts the instructions from a policy and sends them directly to the network element devices.
The security functions of the CE include, but are not limited to, verifying the authenticity of the source, performing a secondary comparison and check of the delivered policy, and verifying that the policy intent matches the functions of the network element entity.
The implementation of encryption and decryption of policy messages is described below.
In implementation, on the PDE (Policy Distribution Entity) side, before sending the policy message to the CE, the method further includes:
encrypting the policy message with the first key negotiated between the CE and the PDE;
encrypting part of the information in the policy message with the second key negotiated between the DE and the PDE.
Correspondingly, on the CE side, before the CE verifies the policy message, the method further includes:
decrypting the policy message with the first key negotiated between the CE and the PDE.
In implementation, the part of the policy message's information that is sent to the DE after verification passes is encrypted by the PDE with the second key negotiated between the DE and the PDE.
Correspondingly, on the DE side, after receiving the policy message sent by the CE, the method further includes:
decrypting part of the information in the policy message with the second key negotiated between the DE and the PDE.
Objects A, B and C in Figure 5 represent heterogeneous networks, which have different security levels.
Multi-layer encryption is used between the control distribution center (PDE), the CE and the DE: one layer of encryption between the PDE and the CE, and a second layer between the PDE and the DE. For example, the PDE first encrypts part of the information with the DE's key, and then encrypts the entire payload with the CE's key. The DTPF mechanism differs from conventional TLS (Transport Layer Security) in that TLS involves only two ends, whereas the DTPF involves three entities; the secure channel of the DTPF may be implemented by, but is not limited to, TLS. That is, in implementation, TLS is used to transmit policy messages between the CE and the DE.
In implementation, verifying the policy message includes one or a combination of the following checks:
source verification, target verification, and post-policy verification, which includes policy integrity and stability verification.
In a specific implementation, stability verification includes one or a combination of the following checks:
dynamic baseline comparison, taking historical data as input; when the magnitude of the policy adjustment exceeds a preset value, a manual secondary confirmation is performed;
comparing the policy intent for the target object against the function of the real NE device, to prevent the policy intent from being wrongly applied to other NE devices;
routing-loop filtering of the policy, to prevent routing loops.
Specifically, after the DTPF receives the delivered policy, it first decrypts the message with the CE's key and then performs three kinds of verification on the decrypted content:
Source verification: including but not limited to sending a message back in the reverse direction, that is, adding a pair of interaction messages to verify the authenticity of the source.
Target verification: including but not limited to the CE caching the addresses of all NE physical devices, extracting the target address and comparing it with the addresses of the controlled NEs in order to verify the target address.
Post-policy verification: comprising two major checks, verifying the integrity of the policy and verifying the stability of the policy. Policy stability may cover the following aspects:
dynamic baseline comparison, taking historical data as input; if the adjustment of the new policy exceeds 5%, a manual secondary confirmation is required;
comparing the policy intent for the target object against the function of the real NE device, to prevent the policy intent from being wrongly applied to other NE devices;
routing-loop filtering of the policy, to prevent routing loops.
Once the above checks have basically passed, the message, which still carries a portion of ciphertext, is sent to the DE. The DE, acting as the border security gateway, decrypts the remaining ciphertext with its own key, extracts the final control commands from the decrypted content, and delivers them to the designated NE physical devices.
Figure 6 is a schematic diagram of the DTPF structure. As shown, the DTPF comprises two major functional modules. Logically, the DTPF is a single functional whole that mainly realizes the control and sending functions; in actual deployment the CE and the DE can be separated. The CE has certain computing-resource requirements and can be deployed according to the positions of the network nodes and the load of the devices, while the DE is deployed on the principle of being closest to the physical NE devices.
The CE mainly implements one or a combination of the following functions: message reception, decryption, policy verification, identity verification, key update and message sending.
The DE mainly implements one or a combination of the following functions: message reception, identity verification, key update, decryption, command extraction and message sending.
Figure 7 is a schematic diagram of the interaction flow between the PDE, the CE and the DE. As shown, the interaction flow can be as follows:
the PDE and the CE perform mutual authentication and then key negotiation;
the PDE and the DE perform mutual authentication and then key negotiation;
the PDE delivers the policy;
the CE performs partial decryption and policy verification;
after verification passes, the policy is forwarded to the DE;
the DE performs full decryption and then extracts the policy;
the DE delivers the extracted configuration.
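The two-layer encryption and the PDE, CE, DE flow just described, as an added example that is not the patent's own code: the PDE seals the instructions for the DE, then seals the whole payload for the CE; the CE opens only the outer layer, checks the target against its cached NE address table, and forwards the still-encrypted inner blob; the DE opens the inner layer. The HMAC-SHA256 encrypt-then-MAC construction is a standard-library stand-in for a real AEAD cipher, and the keys, message layout and NE addresses are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (constructed stand-in for a block cipher)."""
    blocks = []
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(key, nonce + len(blocks).to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def _subkeys(key):
    """Derive separate encryption and MAC keys from one negotiated key."""
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Check the tag before decrypting; tampering or a wrong key raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class PDE:
    """Policy Distribution Entity: applies both encryption layers."""
    def __init__(self, k_ce, k_de):
        self.k_ce, self.k_de = k_ce, k_de  # keys negotiated with the CE and the DE

    def build(self, target, intent, instructions):
        # Second layer: the instructions, readable only by the DE.
        inner = seal(self.k_de, json.dumps(instructions).encode())
        # First layer: the whole payload (metadata the CE verifies + inner blob), for the CE.
        envelope = {"target": target, "intent": intent, "inner": inner.hex()}
        return seal(self.k_ce, json.dumps(envelope).encode())

class CE:
    """Central Entity: removes the first layer, verifies, forwards the second layer."""
    def __init__(self, k_ce, ne_addresses):
        self.k_ce, self.ne_addresses = k_ce, set(ne_addresses)  # cached NE address table

    def process(self, msg):
        envelope = json.loads(unseal(self.k_ce, msg))
        if envelope["target"] not in self.ne_addresses:  # target verification
            raise ValueError("unknown target " + envelope["target"])
        # The inner blob is still ciphertext under k_de: the CE never sees the instructions.
        return envelope["target"], bytes.fromhex(envelope["inner"])

class DE:
    """Distributed Entity: removes the second layer and extracts the commands."""
    def __init__(self, k_de):
        self.k_de = k_de

    def extract(self, inner):
        return json.loads(unseal(self.k_de, inner))

# Constructed sample keys and NE address cache (in practice the outputs of the two
# mutual-authentication and key-negotiation steps).
K_CE = hashlib.sha256(b"constructed PDE-CE key").digest()
K_DE = hashlib.sha256(b"constructed PDE-DE key").digest()
NE_TABLE = {"ne-a-01", "ne-b-07"}
SAMPLE_INSTRUCTIONS = {"qos_class": "gold", "max_rate_mbps": 200}

def run_flow(target="ne-a-01"):
    """PDE -> CE -> DE; returns what the DE extracts for delivery to the NE."""
    msg = PDE(K_CE, K_DE).build(target, "update_qos", SAMPLE_INSTRUCTIONS)
    _target, inner = CE(K_CE, NE_TABLE).process(msg)
    return DE(K_DE).extract(inner)

def _rejected(action):
    try:
        action()
    except ValueError:
        return True
    return False

def unknown_target_rejected():
    return _rejected(lambda: run_flow("ne-z-99"))

def ce_cannot_read_instructions():
    # The first-layer key does not open the second layer.
    msg = PDE(K_CE, K_DE).build("ne-a-01", "update_qos", SAMPLE_INSTRUCTIONS)
    _target, inner = CE(K_CE, NE_TABLE).process(msg)
    return _rejected(lambda: unseal(K_CE, inner))

def tampered_message_rejected():
    msg = bytearray(PDE(K_CE, K_DE).build("ne-a-01", "update_qos", SAMPLE_INSTRUCTIONS))
    msg[NONCE_LEN + 3] ^= 0x01  # flip one ciphertext bit in transit
    return _rejected(lambda: CE(K_CE, NE_TABLE).process(bytes(msg)))
```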
The implementation of the post-policy verification flow is described below.
In implementation, on the PDE side, after generating the policy message, the method further includes:
hashing the policy message and storing the hash value.
Correspondingly, on the DE side, verifying the policy message includes:
after receiving the policy message, verifying the integrity of the policy message;
after that verification passes, extracting the policy content from the policy message;
hashing the extracted policy content and comparing the result with the stored original hash value;
once the hash values match, the policy message verification succeeds.
Figure 8 is a schematic diagram of the post-policy verification flow. As shown, it mainly includes:
the policy distribution center (PDE) generates a policy, first hashes the policy and stores the value, and then sends the policy message;
after the twin security center (CE) receives the policy message, it first verifies the integrity of the message; if this passes, the message was not tampered with in transit. It then extracts the policy content from the message, hashes it and compares the result with the stored original hash value, to ensure that the policy was not tampered with by an attack at the source.
When all checks pass, policy verification is complete and successful.
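The post-policy verification flow of Figure 8 together with the stability checks listed earlier, as an added example that is not the patent's own code: the PDE records a hash at generation time; the CE first checks transport integrity (an HMAC over the message, assumed here), then re-hashes the extracted policy against the stored hash, and then runs the intent-versus-NE-function, routing-loop and 5% dynamic-baseline checks. The CE's access to the stored hash, the NE capability table, the history and the policy layout are constructed assumptions; the patent does not say how the CE obtains the stored hash.

```python
import hashlib
import hmac
import json

THRESHOLD = 0.05  # adjustment beyond 5% of the dynamic baseline needs manual confirmation

# Constructed sample environment: what each NE can do, recent history per parameter,
# and the key protecting PDE->CE transport integrity (assumed; the patent leaves it open).
NE_CAPABILITIES = {"ne-a-01": {"update_qos", "add_route"}, "ne-b-07": {"add_route"}}
HISTORY = {("ne-a-01", "max_rate_mbps"): [190, 195, 200, 198]}
TRANSPORT_KEY = hashlib.sha256(b"constructed PDE-CE integrity key").digest()

def canonical(policy):
    """Deterministic encoding so the PDE and the CE hash exactly the same bytes."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()

class PDE:
    def __init__(self):
        self.hash_store = {}  # policy id -> SHA-256 recorded at generation time

    def generate(self, policy):
        self.hash_store[policy["id"]] = hashlib.sha256(canonical(policy)).hexdigest()
        return policy

    def send(self, policy):
        body = canonical(policy)
        return {"body": body.decode(), "mac": hmac.new(TRANSPORT_KEY, body, hashlib.sha256).hexdigest()}

def has_routing_loop(routes):
    """Route-loop filter: DFS for a directed cycle among the hops the policy installs."""
    graph = {}
    for src, dst in routes:
        graph.setdefault(src, []).append(dst)
    state = {}  # node -> 1 while on the DFS stack, 2 once fully explored

    def visit(node):
        state[node] = 1
        for nxt in graph.get(node, []):
            if state.get(nxt) == 1 or (nxt not in state and visit(nxt)):
                return True
        state[node] = 2
        return False

    return any(n not in state and visit(n) for n in list(graph))

def verify_policy(message, stored_hashes):
    """CE-side post-policy verification: integrity, source hash, then stability checks."""
    body = message["body"].encode()
    expected = hmac.new(TRANSPORT_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(message["mac"], expected):
        return {"result": "reject", "reason": "integrity: modified in transit"}
    policy = json.loads(body)
    # Re-hash the extracted content and compare with the hash the PDE stored at generation.
    if hashlib.sha256(canonical(policy)).hexdigest() != stored_hashes.get(policy["id"]):
        return {"result": "reject", "reason": "source hash mismatch: altered before sending"}
    target = policy["target"]
    if policy["intent"] not in NE_CAPABILITIES.get(target, set()):
        return {"result": "reject", "reason": "intent not supported by " + target}
    if has_routing_loop(policy.get("routes", [])):
        return {"result": "reject", "reason": "policy would create a routing loop"}
    for name, value in policy.get("params", {}).items():
        history = HISTORY.get((target, name))
        if history:
            baseline = sum(history) / len(history)
            change = abs(value - baseline) / baseline
            if change > THRESHOLD:
                return {"result": "manual_confirm", "reason": f"{name} deviates {change:.1%} from baseline"}
    return {"result": "accept", "reason": "all checks passed"}

def _policy(rate, routes, target):
    # Constructed policy layout: id, target NE, intent, parameters and installed hops.
    return {"id": "pol-001", "target": target, "intent": "update_qos",
            "params": {"max_rate_mbps": rate},
            "routes": routes or [["ne-a-01", "ne-b-07"], ["ne-b-07", "ne-c-03"]]}

def run_case(rate=205, routes=None, target="ne-a-01", tamper_transit=False, tamper_source=False):
    """Generate, optionally tamper, send and verify one policy; returns the CE's decision."""
    pde = PDE()
    policy = pde.generate(_policy(rate, routes, target))
    if tamper_source:  # altered at the source after the hash was recorded
        policy["params"]["max_rate_mbps"] = rate + 1
    message = pde.send(policy)
    if tamper_transit:  # altered on the wire, so the MAC no longer matches
        message["body"] = message["body"].replace(str(rate), str(rate + 1), 1)
    return verify_policy(message, pde.hash_store)["result"]
```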
Based on the same inventive concept, embodiments of the present invention also provide a CE, a DE, a PDE and a computer-readable storage medium. Since the principle by which these devices solve the problem is similar to that of the policy message processing method, their implementation can refer to the implementation of the method, and repeated details are omitted.
The technical solution provided by the embodiments of the present invention can be implemented as follows.
Figure 9 is a schematic diagram of the CE structure. As shown, the CE includes:
a processor 900, configured to read the program in a memory 920 and perform the following process:
receiving a policy message sent by the PDE, where the CE is the entity that sends the policy message to the DE deployed at the boundary of the physical network after the policy message sent by the PDE passes verification, and the DE is the entity that extracts the instructions from the policy message and sends them to the NE physical devices;
verifying the policy message;
after verification passes, sending the policy message to the DE deployed at the boundary of the physical network;
and a transceiver 910, configured to receive and send data under the control of the processor 900.
In implementation, before verifying the policy message, the process further includes:
decrypting the policy message with the first key negotiated between the CE and the PDE.
In implementation, the part of the policy message's information that is sent to the DE after verification passes is encrypted by the PDE with the second key negotiated between the DE and the PDE.
In implementation, TLS is used to transmit policy messages to the DE.
In implementation, verifying the policy message includes one or a combination of the following checks:
source verification, target verification, and post-policy verification, which includes policy integrity and stability verification.
In implementation, stability verification includes one or a combination of the following checks:
dynamic baseline comparison, taking historical data as input; when the magnitude of the policy adjustment exceeds a preset value, a manual secondary confirmation is performed;
comparing the policy intent for the target object against the function of the real NE device, to prevent the policy intent from being wrongly applied to other NE devices;
routing-loop filtering of the policy, to prevent routing loops.
In implementation, verifying the policy message includes:
after receiving the policy message, verifying the integrity of the policy message;
after that verification passes, extracting the policy content from the policy message;
hashing the extracted policy content and comparing the result with the stored original hash value;
once the hash values match, the policy message verification succeeds.
In Figure 9, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 900 and memory represented by the memory 920. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and therefore not described further here. The bus interface provides an interface. The transceiver 910 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatus over a transmission medium. The processor 900 is responsible for managing the bus architecture and general processing, and the memory 920 may store data used by the processor 900 when performing operations.
An embodiment of the present invention also provides a CE, including:
a CE receiving module, configured to receive the policy message sent by the PDE, where the CE is the entity that sends the policy message to the DE deployed at the boundary of the physical network after the policy message sent by the PDE passes verification, and the DE is the entity that extracts the instructions from the policy message and sends them to the NE physical devices;
a CE verification module, configured to verify the policy message;
and a CE sending module, configured to send the policy message to the DE deployed at the boundary of the physical network after verification passes.
In implementation, the CE further includes:
a CE decryption module, configured to decrypt the policy message with the first key negotiated between the CE and the PDE before the CE verifies the policy message.
In implementation, the CE sending module is further configured such that the part of the policy message's information sent to the DE after verification passes is encrypted by the PDE with the second key negotiated between the DE and the PDE.
In implementation, the CE sending module is further configured to use TLS to transmit policy messages to the DE.
In implementation, the CE verification module is further configured to verify the policy message using one or a combination of the following checks:
source verification, target verification, and post-policy verification, which includes policy integrity and stability verification.
In implementation, the stability verification performed by the CE verification module includes one or a combination of the following checks:
dynamic baseline comparison, taking historical data as input; when the magnitude of the policy adjustment exceeds a preset value, a manual secondary confirmation is performed;
comparing the policy intent for the target object against the function of the real NE device, to prevent the policy intent from being wrongly applied to other NE devices;
routing-loop filtering of the policy, to prevent routing loops.
In implementation, the CE verification module is further configured to verify the policy message by:
after receiving the policy message, verifying the integrity of the policy message;
after that verification passes, extracting the policy content from the policy message;
hashing the extracted policy content and comparing the result with the stored original hash value;
once the hash values match, the policy message verification succeeds.
For convenience of description, the parts of the above device are divided by function into various modules or units and described separately. Of course, when implementing the present invention, the functions of the modules or units may be realized in one or more pieces of software or hardware.
Figure 10 is a schematic diagram of the DE structure. As shown, the DE includes:
a processor 1000, configured to read the program in a memory 1020 and perform the following process:
receiving a policy message sent by the CE, where the CE is the entity that sends the policy message to the DE deployed at the boundary of the physical network after the policy message sent by the PDE passes verification, and the DE is the entity that extracts the instructions from the policy message and sends them to the NE physical devices;
extracting the instructions from the policy message and sending them to the NE physical devices;
and a transceiver 1010, configured to receive and send data under the control of the processor 1000.
In implementation, after receiving the policy message sent by the CE, the process further includes:
decrypting part of the information in the policy message with the second key negotiated between the DE and the PDE.
In Figure 10, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 1000 and memory represented by the memory 1020. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and therefore not described further here. The bus interface provides an interface. The transceiver 1010 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatus over a transmission medium. The processor 1000 is responsible for managing the bus architecture and general processing, and the memory 1020 may store data used by the processor 1000 when performing operations.
An embodiment of the present invention also provides a DE, including:
a DE receiving module, configured to receive the policy message sent by the CE, where the CE is the entity that sends the policy message to the DE deployed at the boundary of the physical network after the policy message sent by the PDE passes verification, and the DE is the entity that extracts the instructions from the policy message and sends them to the NE physical devices;
and a DE sending module, configured to extract the instructions from the policy message and send them to the NE physical devices.
In implementation, the DE further includes:
a DE decryption module, configured to decrypt part of the information in the policy message with the second key negotiated between the DE and the PDE after the policy message sent by the CE is received.
For convenience of description, the parts of the above device are divided by function into various modules or units and described separately. Of course, when implementing the present invention, the functions of the modules or units may be realized in one or more pieces of software or hardware.
Figure 11 is a schematic diagram of the PDE structure. As shown, the PDE includes:
a processor 1100, configured to read the program in a memory 1120 and perform the following process:
generating a policy message;
sending the policy message to the CE, where the CE is the entity that sends the policy message to the DE deployed at the boundary of the physical network after the policy message sent by the PDE passes verification, and the DE is the entity that extracts the instructions from the policy message and sends them to the NE physical devices;
and a transceiver 1110, configured to receive and send data under the control of the processor 1100.
In implementation, before sending the policy message to the CE, the process further includes:
encrypting the policy message with the first key negotiated between the CE and the PDE;
encrypting part of the information in the policy message with the second key negotiated between the DE and the PDE.
In implementation, after generating the policy message, the process further includes:
hashing the policy message and storing the hash value.
In Figure 11, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 1100 and memory represented by the memory 1120. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and therefore not described further here. The bus interface provides an interface. The transceiver 1110 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatus over a transmission medium. The processor 1100 is responsible for managing the bus architecture and general processing, and the memory 1120 may store data used by the processor 1100 when performing operations.
An embodiment of the present invention also provides a PDE, including:
a PDE generation module, configured to generate a policy message;
and a PDE sending module, configured to send the policy message to the CE.
Here, the CE is the entity that sends the policy message to the DE deployed at the boundary of the physical network after the policy message sent by the PDE passes verification, and the DE is the entity that extracts the instructions from the policy message and sends them to the NE physical devices.
In implementation, the PDE further includes:
a PDE encryption module, configured, before the policy message is sent to the CE, to encrypt the policy message with the first key negotiated between the CE and the PDE, and to encrypt part of the information in the policy message with the second key negotiated between the DE and the PDE.
In implementation, the PDE generation module is further configured to hash the policy message after generating it and to store the hash value.
For convenience of description, the parts of the above device are divided by function into various modules or units and described separately. Of course, when implementing the present invention, the functions of the modules or units may be realized in one or more pieces of software or hardware.
An embodiment of the present invention also provides a computer-readable storage medium, which stores a computer program for executing the above policy message processing method.
For details, refer to the implementation of the policy message processing method on the CE, DE and PDE sides.
In summary, in the technical solution provided by the embodiments of the present invention, a twin security center function module comprising two functional modules, the CE and the DE, is added at the policy delivery interface between the digital twin network layer and the physical network layer. A policy delivered by the PDE is handed down to the DE only after the CE has verified it, which improves security.
Further, multi-layer encryption is used between the PDE, the CE and the DE;
further, the DTPF mainly provides functions such as source verification, post-policy verification and destination verification;
further, a post-policy verification flow is provided, including policy stability verification and policy integrity verification;
further, a security model for digital twin network policy delivery is provided.
In the solution, the DTPF is introduced to solve the security problem of policy delivery. When a policy is delivered to the CE, the CE can verify the integrity and reliability of the policy and the authenticity of the policy source; if verification passes, the policy can be correctly delivered to the NE devices in the physical world, thereby ensuring the security of the delivered policy. Because physical networks have different security levels, the twin security center can apply differentiated security configurations, improving the efficiency of policy delivery.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that realize the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.
Claims (19)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110896711.1A CN115941214A (en) | 2021-08-05 | 2021-08-05 | Method, device and storage medium for policy message processing |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115941214A true CN115941214A (en) | 2023-04-07 |
Family
ID=86654565
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115941214A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2025036112A1 (en) * | 2023-08-16 | 2025-02-20 | 中国移动通信有限公司研究院 | Data security protection selection method and apparatus, and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050080914A1 (en) * | 2003-10-14 | 2005-04-14 | Grand Central Communications, Inc., A Delaware Corporation | Policy management in an interoperability network |
CN110278111A (en) * | 2019-05-29 | 2019-09-24 | 西安电子科技大学 | A general architecture for intent-driven networking and its translation method for intent-driven networking |
EP3709195A1 (en) * | 2019-03-11 | 2020-09-16 | ABB Schweiz AG | System and method for interoperable communication of between entities with different structures |
CN111835638A (en) * | 2019-04-23 | 2020-10-27 | 华为技术有限公司 | Method, device and system for issuing policy rules |
Chen et al. | Convoy_DTN: A security interaction engine design for digital twin network | |
CN115941214A (en) | Method, device and storage medium for policy message processing | |
CN109951286A (en) | Encryption authentication system and method for medical block chain communication system | |
CN118316712A (en) | A method for configuring industrial equipment based on dual-chain architecture |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||