
Method and arrangement for configuring a secure domain in a network functions virtualization infrastructure

Patent number
US10897467B2
Publication date
2021-01-19
Applicant
TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)(SE Stockholm)
Inventors
Giuseppe Celozzi; Luca Baldini; Daniele Gaito; Gaetano Patria
IPC classification
H04L29/06; G06F9/455; H04L29/08; G06F21/53; H04L12/24; H04W12/02; G06F9/50; H04W12/00
Technical field
vnf,sd,nfvo,virtual,vim,location,ns,party,be,roles
Region: Stockholm

Abstract

Disclosed are a method, an arrangement and a computer program for configuring a secure domain, SD, in a network functions virtualization infrastructure. The SD comprises virtual objects handling privileged information. NS instance information of a virtual object is obtained based on input from a party associated with the SD. The NS instance information is searched for a level of confidentiality and geographic location information. When the level of confidentiality and the geographic location information have been identified, the virtual object is allocated to the SD according to the geographic location information, based on the level of confidentiality and a specific role of the party. It is an advantage that access to an SD is allowed or granted based on the specific role of the party.

Description

TECHNICAL FIELD

This disclosure relates to a network functions virtualization infrastructure. More particularly, it relates to a method, an apparatus and a computer program for configuring a secure domain in a network functions virtualization infrastructure.

BACKGROUND

Telecom networks contain an increasing variety of proprietary hardware appliances. Each network service, as illustrated in FIG. 1, may require a separate hardware appliance.

Moreover, hardware-based appliances follow hardware lifecycles, which are becoming shorter, thereby reducing the return on investment of deploying new services in an increasingly network-centric world.

Network Functions Virtualization (NFV), a network operator-led industry specification group, aims to work through these technical challenges by evolving standard Internet technology (IT) virtualization technology to consolidate many network equipment types onto industry standard high volume servers, switches and storage.

NFV involves implementing network functions in software capable of running on a range of industry standard server hardware, which can be moved to, or instantiated in, various locations in the network as required, without the need to install new equipment. NFV decouples software implementations of network functions from compute, storage, and networking resources by introducing a virtualization layer. Virtualized network functions (VNFs) have an ability to elastically scale, to perform commissioning, capacity planning and management of devices. This ability becomes more complex and requires specific solutions. It is envisaged that NFV will have a significant impact on the design of future telecommunications support systems.

Claims

The invention claimed is:

1. A method for configuring a secure domain, SD, in a network functions virtualization infrastructure, NFVI, the SD being controlled by a network functions virtualization orchestrator, NFVO, and a virtualized infrastructure manager, VIM where the NFVO and the VIM are connected to a virtualized network function, VNF, manager, the SD comprising virtual objects handling privileged information, said method comprising:
obtaining, from the NFVO or the VNF manager, network service, NS, instance information of a virtual object, based on input from a party associated with the SD;
searching in the NS instance information, for a level of confidentiality and geographic location information; and
when having identified the level of confidentiality and the geographic location information, allocating the virtual object to the SD according to the geographic location information, based on the level of confidentiality and a specific role of the party;
authorizing access to a set of operations on the virtual object, for the party, wherein the operations are based on the specific role of the party, in a hierarchy of party roles;
receiving, from the NFVO or the VNF manager, a selection input for a further virtual object, the selection input comprising a level of confidentiality of the further virtual object and a location attribute of the further virtual object;
when the location attribute of the further virtual object indicates a location within the geographic location information of the NS instance information, allocating the further virtual object to the NS according to the level of confidentiality as comprised in the selection input, based on the specific role of the party; and
when the location attribute of the further virtual object does not indicate a location within the geographic location information of the NS instance information, the method further comprises:
checking whether location attributes of a second virtual object and of a second virtual link for accessing the second virtual object, allocated to an existing VNF, indicate a second location within or outside borders of a jurisdiction indicated in the geographic location information of the NS instance information; and
configuring the SD to allow lawful intercept, LI, by a privileged party in a hierarchy in the roles, when said location attributes of the second virtual object and of the second virtual link for accessing the second virtual object, indicate a second location within said borders of the jurisdiction, based on the role of the privileged party.

2. The method according to claim 1, wherein the hierarchy of party roles comprises a hierarchy of one or more user roles and one or more administrator roles.

3. The method according to claim 1, wherein the set of operations comprises any one of: allocating a virtualized network function, VNF, performing a network or storage request, and updating or querying an allocated resource.

4. The method according to claim 1, wherein separation of duty is applied to the hierarchy of party roles.

5. The method according to claim 1, wherein obtaining NS instance information comprises allocating NS instance information from the NFVO or from the VNF manager.

6. The method according to claim 1, wherein the virtual object comprises any one of: a virtual link, a VNF, a VNF component, a VNF component instance, a virtual machine image, a virtual storage, vTap and vFEP.

7. The method according to claim 1, further comprising:
receiving, from the NFVO or the VNF manager, a resource selection input, comprising a location attribute of a resource; and
when the location attribute of the resource indicates a location within the geographic location information of the NS instance information, allowing the resource to be allocated for a VNF of the NS.

8. The method according to claim 7, wherein the resource comprises storage resource or a virtual link.

9. The method according to claim 1, further comprising:
receiving, from the NFVO or the VNF manager, a selection input indicating scaling down of resources used for the SD; and
erasing data stored on resources, used for the SD, to be removed prior to release of said resources.

10. An apparatus capable of configuring a secure domain, SD, in a network functions virtualisation infrastructure, NFVI, where the SD is controlled by a network function virtualizations orchestrator, NFVO, and a virtualized infrastructure manager, VIM, where the NFVO and the VIM are associated with a virtualized network function, VNF, manager, the SD comprising virtual objects handling privileged information, the apparatus having a processing circuit and a memory circuit, the memory circuit having instructions executable by the processor circuit, wherein said processing circuit when executing the instructions is configured to:
obtain, from the NFVO or the VNF manager, network service, NS, instance information of a virtual object, based on input from a party associated with the SD;
search in the NS instance information, for a level of confidentiality and geographic location information; and
allocate the virtual object to the SD according to the geographic location information, based on the level of confidentiality and a specific role of the party, when having identified the level of confidentiality and the geographic location;
authorize access to a set of operations on the virtual object, for the party, wherein the operations are based on the specific role of the party, in a hierarchy of party roles;
receive, from the NFVO or the VNF manager, a selection input for a further virtual object, the selection input comprising a level of confidentiality of the further virtual object and a location attribute of the further virtual object;
when the location attribute of the further virtual object indicates a location within the geographic location information of the NS instance information, allocate the further virtual object to the NS according to the level of confidentiality as comprised in the selection input, based on the specific role of the party; and
when the location attribute of the further virtual object does not indicate a location within the geographic location information of the NS instance information, wherein the processing circuit when executing the instructions is configured to:
check whether location attributes of a second virtual object and of a second virtual link for accessing the second virtual object, allocated to an existing VNF, indicate a second location within or outside borders of a jurisdiction indicated in the geographic location information of the NS instance information; and
configure the SD to allow lawful intercept, LI, by a privileged party in a hierarchy in the roles, when said location attributes of the second virtual object and of the second virtual link for accessing the second virtual object, indicate a second location within said borders of the jurisdiction, based on the role of the privileged party.

11. The apparatus according to claim 10, for which the hierarchy of party roles comprises a hierarchy of one or more user roles and one or more administrator roles.

12. The apparatus according to claim 10, wherein the set of operations comprises any one of: allocating a VNF, performing a network or storage request, and updating or querying an allocated resource.

13. The apparatus according to claim 10, wherein separation of duty is applied to the hierarchy of party roles.

14. The apparatus according to claim 10, wherein the processing circuit when executing the instructions is configured to allocate NS instance information from the NFVO.

15. The apparatus according to claim 10, wherein the virtual object comprises any one of: a virtual link, a VNF, a VNF component, a VNF component instance, virtual machine image, a virtual storage, vTap and vFEP.

16. The apparatus according to claim 10, wherein the resource comprises storage resource or a virtual link.
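
The allocation and role checks of claims 1 to 3, written as a fail-closed policy function; this is an added example, not code from the patent or its applicant. The role names, numeric clearances, data classes and the deny-on-missing-information behaviour are assumptions, and the lawful-intercept branch of claim 1 is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical role hierarchy: the claims only say that user and administrator
# roles exist. Clearance numbers and operation sets are assumptions.
ROLES = {
    "user":     {"clearance": 1, "ops": {"query_resource"}},
    "sd_admin": {"clearance": 3, "ops": {"query_resource", "update_resource",
                                          "allocate_vnf", "storage_request"}},
}

@dataclass(frozen=True)
class NsInstanceInfo:
    confidentiality: Optional[int]   # None when the NS information omits it
    allowed_regions: frozenset       # geographic location information

@dataclass(frozen=True)
class VirtualObject:
    name: str
    region: str                      # location attribute of the object
    confidentiality: int

def allocate_to_sd(ns, obj, role):
    """Return (allowed, reason); any missing or unknown input denies."""
    if ns.confidentiality is None or not ns.allowed_regions:
        return False, "NS instance info lacks confidentiality or location"
    if role not in ROLES:
        return False, "unknown role"
    if obj.region not in ns.allowed_regions:
        return False, "object location outside NS geographic constraint"
    # The stricter of the NS level and the object's own level applies.
    needed = max(ns.confidentiality, obj.confidentiality)
    if ROLES[role]["clearance"] < needed:
        return False, "role clearance below confidentiality level"
    return True, "allocated"

def authorize(role, operation):
    """Role-based check for an operation on an already allocated object."""
    return operation in ROLES.get(role, {}).get("ops", set())

# Constructed sample data, not taken from the patent.
NS = NsInstanceInfo(confidentiality=2, allowed_regions=frozenset({"SE"}))
VTAP = VirtualObject("vTap-1", region="SE", confidentiality=3)
OFFSHORE = VirtualObject("storage-9", region="US", confidentiality=1)

if __name__ == "__main__":
    for obj, role in [(VTAP, "sd_admin"), (VTAP, "user"), (OFFSHORE, "sd_admin")]:
        print(obj.name, role, allocate_to_sd(NS, obj, role))
```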