CN-116455641-B - Single-equipment power MEC terminal for preventing network intrusion
Abstract
The invention discloses a single-device power MEC terminal for preventing network intrusion. A first physical network port is connected to the 5G core network control plane SMF equipment, a second physical network port to a 5G base station, a third physical network port to an enterprise intranet switch, and a fourth physical network port to an operator wide area network router. A first virtual network is the transmission channel between an encryption authentication application and the UPF network element; a second virtual network is the transmission channel between the encryption authentication application and a protocol conversion application; a third virtual network is the transmission channel between other power applications, the protocol conversion application and the encryption authentication application; and a fourth virtual network is the transmission channel between the UPF network element and the fourth physical network port and serves as the park management service virtual network segment for connecting non-power services, which improves the adaptability of the terminal to park scenarios. The invention thereby avoids the multi-device networking (general MEC equipment combined with separate encryption authentication equipment and network switch equipment) that the prior art requires in order to address network intrusion.
Inventors
- Xiao Suchao
- SHEN XIANGMING
- WANG NAN
- WANG SHIXIN
- LI TONGYANG
- WANG ZHENYU
- SHENG XIA
- PAN YUTING
Assignees
- 上海电力设计院有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20230421
Claims (8)
- 1. A single-equipment power MEC terminal for preventing network intrusion comprises a server serving as the power MEC terminal equipment, and is characterized in that the server comprises a plurality of physical network ports, each configured with an IP address, a subnet mask and a gateway address, and a plurality of virtual networks created by means of a virtualization technology; the first physical network port is connected with the 5G core network control plane SMF equipment and is used for testing the control plane interface function between the 5G core network control plane SMF equipment and the UPF network element in the server; the second physical network port is connected with the 5G base station and is used for receiving data from the common user terminal and the power terminal; the third physical network port is connected with an enterprise intranet switch; the fourth physical network port is connected with an operator wide area network router; the first virtual network is a transmission channel between a cryptographic authentication application and the UPF network element, and is used for configuring an IP address, a subnet mask and a gateway address for communication in the UPF network element and the cryptographic authentication application; the encryption authentication application and the UPF network element use different IP addresses in the same network segment corresponding to the first virtual network for communication; the second virtual network is a transmission channel between the cryptographic authentication application and a protocol conversion application, and is used for configuring an IP address, a subnet mask and a gateway address for communication at the cryptographic authentication application and the protocol conversion application; the encryption authentication application and the protocol conversion application use different IP addresses in the same network segment corresponding to the second virtual network for communication; the third virtual network is a transmission channel between other power applications and the protocol conversion application and encryption authentication application, and is used for configuring IP addresses, subnet masks and gateway addresses that can be used for communication in the encryption authentication application, the protocol conversion application and the other power applications; the other power applications, the protocol conversion application and the encryption authentication application use different IP addresses in the same network segment corresponding to the third virtual network for communication; and the fourth virtual network is used as a transmission channel between the UPF network element and the fourth physical network port and serves as a park management service virtual network segment connected to non-power services, so that the adaptability of the terminal to park scenarios is improved.
- 2. The network intrusion prevention single device power MEC terminal of claim 1, wherein said virtualization technology is Docker software.
- 3. The network intrusion prevention single device power MEC terminal of claim 1 wherein the first, second, third and fourth physical network ports are each connected to a corresponding 5G core network control plane SMF device, a corresponding 5G base station, a corresponding intranet switch or a corresponding operator wide area network router using a network cable or optical cable.
- 4. The network intrusion prevention single device power MEC terminal of claim 1 wherein the other power applications include a network security monitoring application, a power usage information collection application, and/or a Web application.
- 5. The network intrusion prevention single device power MEC terminal of claim 1 wherein said common user terminal is a smart phone, tablet computer or personal computer; the data sent by the common user terminal comprises voice.
- 6. The network intrusion prevention single device power MEC terminal of claim 1 wherein said power terminal is a gateway device.
- 7. The network intrusion prevention single device power MEC terminal of claim 1, wherein said data sent by said common user terminal is circulated according to the following flow: the data is encapsulated according to the SDAP, PDCP and RLC 5G air interface protocols and MAC, and the physical layer then sends the data stream to the 5G base station; after the 5G base station parses the data, it performs GTPU, UDP, IP and MAC encapsulation according to the N3 interface protocol between the 5G base station and the UPF network element in the server, and sends the data to the UPF network element in the server through the second physical network port; after receiving the data, the UPF network element in the server forwards the data to the fourth virtual network according to the N6 interface protocol requirements and the forwarding rule defined by the SMF; and the fourth virtual network forwards the data to the operator wide area internet through the fourth physical network port according to the network mapping forwarding setting.
- 8. The network intrusion prevention single device power MEC terminal of claim 1, wherein said data sent by said power terminal is circulated according to the following flow: the data is encapsulated according to the SDAP, PDCP and RLC 5G air interface protocols and MAC, and the physical layer then sends the data stream to the 5G base station; after the 5G base station parses the data, it performs GTPU, UDP, IP and MAC encapsulation according to the N3 interface protocol between the 5G base station and the UPF network element in the server, and sends the data to the UPF network element in the server through the second physical network port; after receiving the data, the UPF network element in the server forwards the data to the first virtual network according to the N6 interface protocol requirements and the forwarding rule defined by the SMF; the encryption authentication application forwards the data from the first virtual network to the second virtual network or the third virtual network according to its routing table; the protocol conversion application parses and converts the protocol of the data received on the second virtual network and forwards the data to the third virtual network; and the third virtual network delivers the data to other power applications according to the routing table, or sends the data to the power intranet through the third physical network port and the enterprise intranet switch.
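As an added illustration (not part of the patent), the following Python model encodes the two forwarding flows of claims 7 and 8 and checks the segmentation property they imply: common-user data reaches only the fourth virtual network and the WAN port, while power-terminal data passes the encryption authentication application before it can reach the intranet port. All node names (VNET1..4, PHY2..4, ENC_AUTH, PROTO_CONV) are constructed labels.

```python
"""Added example: model of the UPF/virtual-network forwarding in claims 7 and 8.
Node labels are constructed for illustration; they are not from the patent."""
from dataclasses import dataclass, field

# Forwarding rules the SMF programs into the UPF: source class -> next hop.
UPF_RULES = {
    "common_user": "VNET4",      # park / non-power services segment
    "power_terminal": "VNET1",   # segment shared with the encryption auth app
}

@dataclass
class Packet:
    source: str                        # "common_user" or "power_terminal"
    needs_conversion: bool = False     # protocol must be converted first
    path: list = field(default_factory=list)

def forward(pkt: Packet) -> Packet:
    """Walk the packet through the terminal and record every hop it touches."""
    pkt.path = ["PHY2", "UPF"]                 # N3 ingress from the 5G base station
    nxt = UPF_RULES.get(pkt.source)
    if nxt is None:                            # no SMF rule for this source: drop
        pkt.path.append("DROP")
        return pkt
    pkt.path.append(nxt)
    if nxt == "VNET4":                         # claim 7: straight to the WAN port
        pkt.path.append("PHY4")
        return pkt
    pkt.path.append("ENC_AUTH")                # claim 8: first virtual net ends here
    if pkt.needs_conversion:                   # routing table chooses VNET2 or VNET3
        pkt.path += ["VNET2", "PROTO_CONV"]
    pkt.path += ["VNET3", "PHY3"]              # to the power intranet switch
    return pkt

# Everything a non-power flow must never touch.
POWER_ZONE = {"VNET1", "VNET2", "VNET3", "ENC_AUTH", "PROTO_CONV", "PHY3"}

def isolated(pkt: Packet) -> bool:
    """True if the flow touched no node of the power zone."""
    return not (set(forward(pkt).path) & POWER_ZONE)

def authenticated_before_intranet(pkt: Packet) -> bool:
    """True if the flow either never reaches PHY3 or passes ENC_AUTH first."""
    p = forward(pkt).path
    if "PHY3" not in p:
        return True
    return "ENC_AUTH" in p and p.index("ENC_AUTH") < p.index("PHY3")
```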
Description
Technical Field
The invention relates to the technical field of power MEC terminal manufacturing, and in particular to a single-equipment power MEC terminal capable of preventing network intrusion.
Background
In scenarios where a 5G operator industry private network needs to sink MEC equipment containing UPF network element functions to a user-side park for deployment, the general MEC equipment in the operator network neither has multiple network ports nor establishes a plurality of independent virtual networks; all data is forwarded through a unified network according to a routing table. This private-network networking mode cannot meet the requirements of the national energy authorities for 'safe partition, dedicated network, transverse isolation and longitudinal encryption'. Moreover, the general MEC equipment has no power encryption authentication function, so dedicated encryption authentication equipment and a network switch must be added, and the cooperative operation of multiple devices carries a single-point failure risk and occupies a large space. Therefore, how to implement basic functions such as forwarding of 5G network UPF network element data, encryption authentication and protocol conversion on a single power MEC terminal, while supporting the expansion of power-related application functions, is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
In view of the above drawbacks of the prior art, the present invention provides a single-device power MEC terminal for preventing network intrusion, which aims to avoid the multi-device networking (general MEC equipment combined with encryption authentication equipment and network switch equipment) that the prior art requires in order to address network intrusion.
To achieve the above object, the present invention discloses a single-device power MEC terminal for preventing network intrusion, comprising a server as the power MEC terminal device. The server comprises a plurality of physical network ports, each configured with an IP address, a subnet mask and a gateway address, and a plurality of virtual networks created by means of a virtualization technology; the first physical network port is connected with the 5G core network control plane SMF equipment and is used for testing the control plane interface function between the 5G core network control plane SMF equipment and the UPF network element in the server; the second physical network port is connected with the 5G base station and is used for receiving data from the common user terminal and the power terminal; the third physical network port is connected with an enterprise intranet switch; the fourth physical network port is connected with an operator wide area network router; the first virtual network is a transmission channel between a cryptographic authentication application and the UPF network element, and is used for configuring an IP address, a subnet mask and a gateway address for communication in the UPF network element and the cryptographic authentication application; the encryption authentication application and the UPF network element use different IP addresses in the same network segment corresponding to the first virtual network for communication; the second virtual network is a transmission channel between the cryptographic authentication application and a protocol conversion application, and is used for configuring an IP address, a subnet mask and a gateway address for communication at the cryptographic authentication application and the protocol conversion application; the encryption authentication application and the protocol conversion application use different IP addresses in the same network segment corresponding to the second virtual network for communication; the third virtual network is a transmission channel between other power applications and the protocol conversion application and encryption authentication application, and is used for configuring IP addresses, subnet masks and gateway addresses that can be used for communication in the encryption authentication application, the protocol conversion application and the other power applications; the other power applications, the protocol conversion application and the encryption authentication application use different IP addresses in the same network segment corresponding to the third virtual network for communication; and the fourth virtual network is used as a transmission channel between the UPF network element and the fourth physical network port and serves as a park management service virtual network segment connected to non-power services, so that the adaptability of the terminal to park scenarios is improved. Preferably, the virtualization technology is Docker software. Preferably, the first physical network port, the