CN-122027479-A - Configuration and access management method for industrial communication virtual private network
Abstract
The invention discloses a configuration and access management method of an industrial grade communication virtual private network, which comprises the steps of utilizing a configuration and access management functional entity to realize connection parameter configuration and terminal access management of a plurality of network functional entities of an industrial Internet terminal penetrating through a telecommunication public network to an industrial service control main station, configuring APN parameters of an operator communication module and carrying out access management of the communication module such as 4G/5G by a telecommunication operator or a telecommunication proxy configuration functional main station, configuring and carrying out access management of APN combined parameters of a plurality of telecommunication operators of the industrial communication terminal by an industrial virtual private network service provider, and carrying out service port configuration and service access management on operation control parameters of the industrial service terminal and the communication terminal by an industrial virtual private network operation responsible party. The invention can realize the domain division and right division configuration of the industrial Internet terminal and enhance the safety access management, thereby providing technical support for the wide area network of the operators for the deployment of the industrial control service.
Inventors
- XU TAO
- LUO LING
- Shen Linjin
- Sun Haolong
- HU SHUKAI
- Mou Haoran
Assignees
- 重庆景巽信息技术有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260204
Claims (10)
- 1. The configuration and access management method of the industrial grade communication virtual private network is characterized by comprising the steps of utilizing a configuration and access management functional entity to realize connection parameter configuration and terminal access management of a plurality of network functional entities of an industrial Internet terminal penetrating through a telecommunication public network to an industrial service control master station; The configuration and access management functional entity comprises a telecom operator or telecom agent configuration functional master station, an industrial virtual private network service provider and an industrial virtual private network operation responsibility party; The telecom operator or telecom agent configuration function master station configures an underlay APN parameter of an operator communication module and performs access management of the communication module; the multi-telecom operator APN ordered by the industrial virtual private network service provider carries out overlay APN combination parameter configuration and combination rule setting of access management on an industrial communication terminal side; and the industrial virtual private network operation responsible party performs service port configuration and service access management on operation control parameters of the industrial service terminal and the communication terminal according to the combination parameters of the overlay APN and the combination rules of access management provided by the industrial virtual private network service provider.
- 2. The method for configuring and accessing the industrial grade communication virtual private network according to claim 1, wherein the configuration of the industrial grade communication virtual private network is implemented by two-stage pre-configuration, and the method specifically comprises the following steps: the first pre-configuration stage involves APN parameter configuration of one or more operators' communication modules installed by an industrial terminal, the configuration of an underlay APN is completed by a telecom operator or a telecom operator proxy function master station, and the configuration completes a communication configuration flow by a telecom public network according to user identity and the type of the operator's communication module; The second pre-configuration stage involves the configuration of the private network of the communication terminal: the address, bandwidth, available buffer and queue parameters of the industrial terminal are configured according to the identity of the industrial terminal, and the access management capability of the port facing the operator, the address conversion capability between the operator network IP and the industrial virtual private network IP, and the address pool are configured.
- 3. The method for configuring and accessing the industrial grade communication virtual private network according to claim 1, wherein the accessing of the industrial grade communication virtual private network is performed by dynamically binding one or more operator network parameters with the industrial virtual private network parameters, and the method specifically comprises the following steps: The network of the industrial virtual private network binds industrial service parameters and binds one or more carrier-configured underlay APN parameters to construct an overlay APN; the service policy template of the industrial terminal is issued by an industrial communication virtual private network ACS access control management server; QoS stream reorganization and distribution scheduling is completed based on 5QI; pooled resource unified scheduling and dynamic allocation are implemented on a 4G/5G heterogeneous resource pool; and equipment security authentication, firmware version management, bandwidth, queue, cache management and IP address dynamic allocation of the industrial terminal are completed.
- 4. The method for configuring and accessing the industrial-grade communication virtual private network according to claim 1, wherein the step of accessing the industrial Internet terminal comprises an operator network environment preparation phase, a service network environment preparation phase and a field operation phase, and the method specifically comprises the following steps: Step 1, checking the configuration validity of a communication module and a SIM card, and importing basic configuration data of an underlay APN from an operator database according to the types of the SIM card and the communication module, wherein the data comprise the types of the communication module, the SIM or USIM card and flow pool information; Step 2, the ACS access control management server verifies the identity validity of the industrial terminal and the eSIM card of the industrial terminal, then issues an overlay APN policy template to the industrial communication terminal, and completes the industrial virtual private network industrial terminal access, including the flow pool, the service address pool, the virtual private network address pool and the parameter writing of the north-south interfaces of the industrial terminal; Step 3, completing the network access of the operators, the access of the industrial virtual private network and the access of the industrial service network successively: the operator or telecom agent configuration function master station finishes the first access of the operator communication module and then writes the underlay APN correction parameter to the communication module after the second authentication, and the parameter can be read by the overlay APN of the industrial communication terminal; The industrial virtual private network access comprises the steps of firstly reading, by the overlay APN of the industrial communication terminal, the overlay APN parameter combination of the operator communication module connected with the industrial communication terminal to form an overlay APN initial parameter, negotiating with an ACS access control management server to complete whole-network IP address planning configuration, keeping IP planning distribution data synchronized between the DHCP server and the ACS access control management server, then completing industrial Internet terminal nano-tube and full information management, supporting equipment information adding, deleting, template downloading, restarting and upgrading, and finally issuing overlay APN correction parameters by the ACS access control management server; the access of the industrial service network comprises the steps of receiving an industrial service terminal access request, then carrying out cooperative authentication through an ACS access control management server, firstly adopting the Radius protocol to package and forward to an industrial virtual private network AAA server, completing identity authentication and authority authorization based on pre-stored information, carrying out resource bandwidth allocation after authentication passes, constructing a full-link security management and control parameter, and writing a correction parameter of an overlay APN.
- 5. The method for configuring and accessing the industrial-grade communication virtual private network according to claim 1, wherein the method for accessing and managing the industrial Internet terminal is characterized by further comprising: The industrial virtual private network access server is used for configuring a communication terminal of the industrial virtual private network through a telecommunication operator network, the separation of a terminal service data stream and a terminal management control stream is realized at an industrial communication terminal side, the industrial communication terminal is connected with the ACS access control management server, and the industrial communication terminal is connected with an application master station of the industrial virtual private network.
- 6. The method for configuring and accessing the industrial-grade communication virtual private network according to claim 4, wherein the method is characterized in that the industrial Internet terminal is used as an overlay device and an underlay module to realize hierarchical decoupling and service isolation, and specifically comprises the following steps: The north-oriented overlay APN CE interface of the industrial communication terminal is used for configuring service entrance resources, access and service strategies, with different services configured into different overlay APN service domains to realize service isolation; the south-oriented overlay APN PE interface is used for configuring the resource aggregation, access and service strategies of the overlay APN, with different service domains realizing resource sharing and the like; Under the configuration of the industrial communication terminal transmission service, the industrial communication terminal only serves as an overlay PE device and manages a virtual overlay CE agent, and the industrial service terminal serves as an overlay CE device; when the industrial communication terminal is configured as the industrial virtual private network service server, the industrial communication terminal is used as an overlay PE device, a service server and an overlay CE agent for managing virtual machines; And the layer-by-layer mapping between the underlay APN and the overlay APN is realized, and no protocol association exists between the network elements of the underlay and the overlay, so that the layer decoupling is realized.
- 7. The method for configuring and accessing the industrial-grade communication virtual private network according to claim 3, wherein the method for managing and mapping the address of the industrial Internet terminal comprises the following steps: Address management, namely, the public network address of the industrial communication terminal is obtained through the bound operator communication module and is used as a Loopback management address to carry out secondary authentication of the operator module; the private network address of the industrial communication terminal is obtained through an access configuration process of an ACS access control management server of an industrial virtual private network service provider, or is obtained through pre-configuration, and is used as a management address of the industrial virtual private network to carry out primary authentication of the industrial communication terminal; The public network address of the operator module is preconfigured by a telecom operator or a telecom proxy configuration function master station, or is dynamically allocated in the process of accessing the module to the telecom operator or the telecom proxy configuration function master station, and can be used as a terminal address of a module bearing service and can also be bound by an industrial communication terminal as a Loopback management address; the service network private network address is obtained through a service access configuration process of an ACS access control management server of an industrial virtual private network server or is obtained through pre-configuration, and is used as an industrial communication terminal northbound route or addressing service address; The industrial communication terminal adopts a private network management address or a public network Loopback address as an overlay anchor address, used for binding between the overlay anchor address and an operator underlay address, namely binding between a specific overlay APN and a plurality of specific underlay APNs, and supporting switching continuity or load sharing among different underlay APNs; The industrial communication terminal adopts a private network management address or a public network Loopback address as an overlay anchor address, used for binding the overlay anchor address with an industrial virtual private network service domain, namely binding a specific overlay APN service isolation domain with logical positions among a plurality of specific service isolation domains, distinguishing the isolation domains through an overlay APN domain prefix, and supporting routing and addressing of different service domains in a specific isolated overlay channel.
- 8. The method for configuring and accessing the industrial grade communication virtual private network according to claim 2, wherein the industrial terminal access control process conceals the topology information of the functional network elements of the industrial communication virtual private network related in the industrial Internet terminal configuring and accessing management process from operators, the ACS access control management server of the industrial virtual private network redirects the control flow of the configuration and accessing management of the industrial communication terminal, and the data control flow of the configuration and accessing management is redirected to the functional network elements of the service side according to the flow template in the industrial virtual private network accessing server matched with the flow identification.
- 9. The method for configuring and accessing the industrial-grade communication virtual private network according to claim 8, wherein the industrial terminal access controller constructs an enhanced security mechanism, comprising: Transferring a core security link from an operator access side to an industrial virtual private network master station side for execution, wherein the operator is only responsible for the establishment of the underlay APN connectivity of a basic link layer, and the authentication related to the authority of the industrial virtual private network is completed by a master station authentication server of the industrial virtual private network; An end-to-end encryption tunnel is established between an industrial application terminal and an industrial virtual private network service master station, and an IPsec or SSL VPN protocol is adopted to ensure that configuration information of an overlay APN parameter and an authentication key only flows in the industrial virtual private network.
- 10. The method for configuring and accessing the industrial-grade communication virtual private network according to claim 9, wherein in the process of registering the industrial-grade communication terminal, the industrial-grade communication terminal applies for a terminal registration flow template from an ACS access control management server, and the ACS access control management server completes the registration flow of the industrial-grade communication terminal, and the functions of the method comprise the routing forwarding with a device configuration script server, an access authentication authorization server, a data transmission strategy server and a security key center server; In the service access process initiated by the industrial service terminal, the industrial communication terminal accesses the ACS access control management server to finish service access authentication with the service master station side according to the service flow template of the industrial communication terminal, and then finish the data transmission policy configuration of the overlay APN.
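As an added example (not the patent's own code or any deployment), here is a small Python model of the three-party split of claims 1 and 2 and the overlay-to-underlay binding of claim 7: each party may write only its own configuration section, validation checks that every overlay anchor maps onto operator-configured underlay APNs and that service-domain prefixes are unique, and an anchor bound to several underlay APNs selects one by failover (switching continuity) or per-flow load sharing. Role names, field names, addresses and APN names are constructed.

```python
# Added example, not from the patent: toy model of role-separated configuration
# (claims 1, 2) and overlay anchor -> underlay APN binding (claim 7).
# All role names, field names and sample values below are constructed.
from dataclasses import dataclass, field
from zlib import crc32

# Which configuration sections each party may write (constructed role names).
ROLE_SCOPE = {
    "operator_station": {"underlay_apn"},                 # telecom operator / proxy
    "vpn_provider": {"overlay_apn", "domain_prefix", "combination_rule"},
    "operation_party": {"service_ports"},                 # operation responsible party
}

class ScopeViolation(PermissionError):
    """A party tried to write a section outside its assigned scope."""

@dataclass
class TerminalConfig:
    underlay_apn: dict = field(default_factory=dict)      # module id -> APN name
    overlay_apn: dict = field(default_factory=dict)       # anchor addr -> [module ids]
    combination_rule: dict = field(default_factory=dict)  # anchor addr -> failover|share
    domain_prefix: dict = field(default_factory=dict)     # service domain -> prefix
    service_ports: dict = field(default_factory=dict)     # service domain -> [ports]

def apply_change(cfg, role, section, key, value):
    """Right-division check: reject writes outside the role's scope."""
    if section not in ROLE_SCOPE.get(role, set()):
        raise ScopeViolation(f"{role} may not write {section}")
    getattr(cfg, section)[key] = value
    return cfg

def validate(cfg):
    """Domain-division checks; returns a list of problems (empty when clean)."""
    problems = []
    for anchor, modules in cfg.overlay_apn.items():
        missing = [m for m in modules if m not in cfg.underlay_apn]
        if missing:  # overlay must map layer-by-layer onto underlay APNs
            problems.append(f"anchor {anchor}: no underlay APN for {missing}")
        if cfg.combination_rule.get(anchor) not in ("failover", "share"):
            problems.append(f"anchor {anchor}: missing combination rule")
    prefixes = list(cfg.domain_prefix.values())
    if len(set(prefixes)) != len(prefixes):  # isolation domains must be distinct
        problems.append("duplicate overlay APN domain prefixes")
    return problems

def select_underlay(cfg, anchor, healthy_modules, flow_id):
    """Pick the underlay APN carrying a flow from the anchor's bound modules."""
    candidates = [m for m in cfg.overlay_apn[anchor] if m in healthy_modules]
    if not candidates:
        return None
    if cfg.combination_rule[anchor] == "failover":
        return cfg.underlay_apn[candidates[0]]       # first healthy in preference order
    idx = crc32(flow_id.encode()) % len(candidates)  # stable per-flow load sharing
    return cfg.underlay_apn[candidates[idx]]

def build_sample():
    """Constructed configuration written by the three parties in turn."""
    cfg = TerminalConfig()
    apply_change(cfg, "operator_station", "underlay_apn", "mod-a", "carrierA.iot")
    apply_change(cfg, "operator_station", "underlay_apn", "mod-b", "carrierB.iot")
    apply_change(cfg, "vpn_provider", "overlay_apn", "10.200.0.1", ["mod-a", "mod-b"])
    apply_change(cfg, "vpn_provider", "combination_rule", "10.200.0.1", "failover")
    apply_change(cfg, "vpn_provider", "domain_prefix", "scada", "fd00:1::/48")
    apply_change(cfg, "operation_party", "service_ports", "scada", [502, 20000])
    return cfg
```

Running `validate(build_sample())` returns an empty list; an operator-side write to `overlay_apn` raises `ScopeViolation`, and with `mod-a` unhealthy the failover rule returns `carrierB.iot`.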
Description
Configuration and access management method for industrial communication virtual private network
Technical Field
The invention relates to the field of industrial Internet, in particular to a configuration and access management method of an industrial grade communication virtual private network.
Background
With the rapid development of the industrial internet, intelligent manufacturing and new power systems, industrial control systems are gradually evolving from traditional closed private communication networks to open, wide-area communication architectures. The industrial control field is widely provided with PLC (programmable logic controller) controllers, DTUs (digital television units), FTUs (feeder terminal units), various edge switches, industrial routers and other terminal equipment, and these terminals are generally distributed over a wide region, of various types and with markedly different communication demands, so higher requirements are placed on the configuration and access management of an industrial-grade communication virtual private network. In recent years, the construction of virtual private networks using public network resources of telecom operators has become an important development direction of industrial communication. The current mainstream technical solution is a value-added service centered on a telecom operator, that is, the telecom operator provides a dedicated physical or virtual APN/VPN channel for an industrial user, so as to realize isolation between the industrial service data stream and the public service data stream. However, the configuration and access management of the APN/VPN tunnel is mainly handled by the telecom operator, and it is difficult for an industrial user to autonomously carry out the operation management of the virtual private network, so the deployment of the telecom operator network on the industrial Internet is limited.
Therefore, in order to solve the above problems, a new technical solution is needed to divide the configuration and access management of the industrial-level virtual private network among different operation subjects, so as to provide technical support for the deployment of the industrial control service in the wide area network of the operator.
Disclosure of Invention
Therefore, the present invention aims to overcome the defects in the prior art, and provide a configuration and access management method for an industrial-grade communication virtual private network, which can divide the configuration and access management of the industrial-grade virtual private network among different operation subjects, thereby providing technical support for the wide area network of the operators for the deployment of industrial control services. The configuration and access management method of the industrial grade communication virtual private network comprises the steps of utilizing a configuration and access management functional entity to realize connection parameter configuration and terminal access management of a plurality of network functional entities from an industrial Internet terminal to an industrial service control master station through a telecommunication public network; The configuration and access management functional entity comprises a telecom operator or telecom agent configuration functional master station, an industrial virtual private network service provider and an industrial virtual private network operation responsibility party; The telecom operator or telecom agent configuration function master station configures an underlay APN parameter of an operator communication module and performs access management of the communication module; the multi-telecom operator APN ordered by the industrial virtual private network service provider carries out overlay APN combination parameter configuration and combination rule setting of access management on an industrial communication terminal side; and the industrial virtual private network operation responsible party performs service port configuration and service access management on operation control parameters of the industrial service terminal and the communication terminal according to the combination parameters of the overlay APN and the combination rules of access management provided by the industrial virtual private network service provider. Furthermore, the configuration of the industrial communication virtual private network realizes decoupling and isolation of the configuration level through two-stage pre-configuration, and specifically comprises the following steps: the first pre-configuration stage involves APN parameter configuration of one or more operators' communication modules installed by an industrial terminal, the configuration of an underlay APN is completed by a telecom operator or a telecom operator proxy function master station, and the configuration completes a communication configuration flow by a telecom public network according to user identity and the type of the opera