Network system and method implemented in a network component to provide an interest to a mobile device
Patent abstract:
METHOD AND APPARATUS FOR A CONTROL PLANE TO MANAGE DOMAIN-BASED SECURITY AND MOBILITY IN AN INFORMATION-CENTRIC NETWORK. A network system comprising a virtual group controller in an information-centric network configured to enable mobility and security for a plurality of groups of information-centric network users, a plurality of user groups coupled to the virtual group controller and associated with the users, a plurality of agents each associated with one of the user groups, and a trusted service profile database coupled to the virtual group controller, where the virtual group controller is configured to interact with the agents to enable mobility for the user groups using a server-less, domain-based naming scheme.
Publication number: BR112013019922B1
Application number: R112013019922-9
Filing date: 2012-02-06
Publication date: 2022-01-25
Inventors: Guoqiang Wang; Xinwen Zhang; Ravi Ravindran
Applicant: Huawei Technologies, Co., Ltd
Patent description:
CROSS REFERENCE TO RELATED APPLICATIONS
The present patent application claims the benefit of U.S. Provisional Patent Application No. 61/439,769, filed February 4, 2011 by Guo-Qiang Wang et al. and entitled "Method and Apparatus for a Control Plane for Managing Domain-Based Security, Mobility, and Social Groups in a Content-Oriented Network", and claims the benefit of U.S. Patent Application Serial No. 13/352835, filed January 18, 2012 by Guo-Qiang Wang et al. and entitled "Method and Apparatus for a Control Plane for Managing Domain-Based Security and Mobility in an Information-Centric Network", both of which are hereby incorporated by reference as if reproduced in their entirety.
FIELD OF THE INVENTION
The present invention relates to communication networks and, more particularly, to a method and apparatus for a control plane to manage domain-based security and mobility in an information-centric network.
BACKGROUND
An Information-Centric Network (ICN) is a type of network architecture in which the focus is on locating and providing information to users rather than on connecting the end hosts that exchange data. One type of ICN is a content-oriented network (CON). In a CON, also known as a Content-Centric Network (CCN), a content router is responsible for routing user requests and content to the appropriate recipients. In a CON, a unique, domain-wide name is assigned to each entity that is part of the content delivery framework. Entities may include data content, such as video clips or web pages, and/or infrastructure elements, such as routers, switches, or servers. The content router uses name prefixes, which can be full content names or suitable prefixes of content names, instead of network addresses to route content packets within the content network.
SUMMARY
In one embodiment, the disclosure includes a network system comprising a virtual group controller in an information-centric network configured to enable mobility and security for a plurality of user groups of the information-centric network, a plurality of user groups coupled to the virtual group controller and associated with users, a plurality of agents each associated with one of the user groups, and a trusted service profile database coupled to the virtual group controller, where the virtual group controller is configured to interact with the agents to enable mobility for the user groups using a server-less, domain-based naming scheme. In another embodiment, the disclosure includes a network component operating on a control plane, comprising a receiver configured to receive a request via an information-centric network, wherein the request is associated with a user device in a group of users, a virtual group controller configured to operate in the control plane to determine a domain for the user device based on a domain name obtained from the request and to route the request correctly by mapping a name to the user device in the request using trusted service profile information, and a transmitter configured to forward the request for the domain to the user device. In a third aspect, the disclosure includes a method implemented in a network component for providing an interest to a mobile device, comprising receiving, at a virtual group controller operating on a control plane in an information-centric network, a request for the mobile device from a group proxy, where the group proxy receives the request from a peer device; mapping, with the virtual group controller, the request to an access point for the mobile device using a trusted service profile of the mobile device; and sending, with the virtual group controller, the request to the access point of the mobile device.
These and other features will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings and claims.
BRIEF DESCRIPTION OF THE DRAWINGS
For a more complete understanding of the present disclosure, reference is now made to the following brief description, taken in connection with the accompanying drawings and detailed description, in which like reference numerals represent like parts.
Figure 1 is a schematic diagram of an embodiment of a CON including a domain-based secure mobile virtual group control (SMVG) system.
Figure 2 is a schematic diagram of an embodiment of a name mapping scheme.
Figure 3 is a schematic diagram of an embodiment of an intergateway mobility operation.
Figure 4 is a schematic diagram of an embodiment of a name-to-security-key mapping scheme.
Figure 5 is a schematic diagram of an embodiment of a mobile social group push model.
Figure 6 is a schematic diagram of an embodiment of a multi-domain controller and agent interaction.
Figure 7 is a schematic diagram of an embodiment of a multi-domain service assurance framework.
Figure 8 is a flowchart of an embodiment of a device registration method.
Figure 9 is a flowchart of an embodiment of an interdomain interest routing method.
Figure 10 is a schematic diagram of an embodiment of a network unit.
Figure 11 is a schematic diagram of an embodiment of a general-purpose computer system.
DETAILED DESCRIPTION
It should be understood at the outset that, although an illustrative implementation of one or more embodiments is provided below, the systems and/or methods described may be implemented using any number of techniques, whether currently known or developed in the future.
The disclosure should in no way be limited to the illustrative implementations, drawings, and techniques illustrated below, including the exemplary designs and implementations illustrated and described herein, but may be modified within the scope of the appended claims along with their full scope of equivalents. In a CON, content delivery or dissemination, including publishing, requesting, and management (modification, deletion), and other functions may be based on content name rather than location. A CON may also provide caching of real-time data, for example when data is fetched by users, and/or of persistent data by users or third-party content providers 140, such as companies or social networks. One aspect of a CON that differs from traditional Internet Protocol (IP) networking is that content accessibility can be determined by the content name rather than, for example, the address of the device hosting the content. Unlike a traditional IP network, which may be address based, in a CON system the functional building blocks of enabled services can be implemented on top of a name-based foundation. These functional building blocks, or network service (entity) control functions, may include functions for security, mobility, social grouping, multicast, real-time processing, and other functions. In IP networks, content can be stored on and fetched from a hosting system (e.g., a Google server), while in a CON, content can be replicated to and retrieved from many content routers. Replicating content across multiple content routers can have fundamental impacts when network service control functions shift from a centralized portal to distributed, local portals. Disclosed herein are a system and methods for implementing an SMVG control system. The SMVG system can support various service support items, including security, mobility, and social grouping, to manage trusted service profiles for CON users and user groups.
Since a domain-based CON can be configured or built in a distributed fashion, the SMVG implementation can be name based and server-less in nature. A domain-based naming structure can be used in the SMVG system to identify each named object. The domain-based naming framework can serve as a control plane platform that allows the CON to pick and mix the named objects for users/user groups to provide trusted service flows with privacy, security, mobility, and social interaction capability. An SMVG controller can serve as a control plane entity that uses and manages trusted service profiles in a dynamic, distributed manner. The controller can implement intradomain and interdomain operations, as described below. Figure 1 illustrates an embodiment of a CON 100 that can implement an SMVG control system, where content can be routed based on name prefixes and delivered to users or customers on request. The CON 100 is an example of an ICN. However, the methods, systems, and apparatus described here can be applied to types of ICN other than a CON. The CON 100 may comprise a plurality of user groups 120, which may be SMVGs or secure virtual groups (SVGs). The SMVG control system may comprise an SMVG controller 110 coupled to a Trusted Service Profile (TSP) database 112, for example in a home domain, and the user groups 120. The user groups 120 may be located in the CON 100, for example in the home domain or in a plurality of domains, or they may be located in a plurality of visiting access domains in one or a plurality of visiting access networks. For example, domains can include IP domains, Multi-Protocol Label Switching (MPLS) domains, Ethernet domains, or combinations thereof. Each user group 120 can be associated with an SMVG agent 122 coupled to the SMVG controller 110, and with a local access profile database 124 and CON proxy nodes 126 coupled to the SMVG agent 122 and to one or more access devices or access points (APs) 128 configured to communicate with a plurality of user devices 130 in each user group 120. In one embodiment, the APs 128 may comprise base stations configured to communicate wirelessly (via wireless links) with user devices 130, such as mobile smart phones or other mobile devices. The components of the CON 100 can be arranged as illustrated in Figure 1. The SMVG controller 110 and the SMVG agent 122 can be functions implemented using hardware, software, or both. The CON proxy 126 can correspond to an edge content router in the CON 100. The CON 100 may comprise a plurality of content routers 114, including the CON proxy nodes 126 in the user groups 120. The CON 100 may also comprise a plurality of internal nodes, such as routers, bridges, and/or switches (not shown). The content routers 114 and internal nodes may be coupled to each other over network links, for example fixed connections. Some of the content routers 114, for example the CON proxy nodes 126, may also be coupled to a plurality of client nodes, including the user devices 130 and/or client sites, directly or through the APs 128 and optionally a plurality of access networks (not shown). The content routers 114 and internal nodes can be any nodes, devices, or components that support the transport of traffic in the CON 100 and between the CON 100 and external components, such as the user devices 130. The content routers 114 can be edge nodes, such as the CON proxy nodes 126, that forward content traffic from internal nodes and/or other content routers 114 to client nodes, including the user devices 130 and/or client sites, for example based on a customer request or demand. The content routers can also receive content requests from client nodes. For example, the content routers 114 can be routers or bridges, such as backbone edge bridges (BEBs), provider edge bridges (PEBs), or label edge routers (LERs), that forward content based on content name prefixes.
The content routers 114 and internal nodes may comprise, or may be coupled to, a plurality of content servers that store or cache content, which may be provided to clients or subscribers, for example on demand. In addition, the content routers 114 may comprise content stores configured to cache at least some of the content forwarded in the CON 100. Client nodes can be nodes, devices, or components configured to deliver content to a user or client and to receive requests for content from the user or client. For example, client nodes, including the user devices 130, can be fixed or mobile user-oriented devices, such as desktop computers, laptop computers, personal digital assistants (PDAs), or cell phones. Alternatively, client nodes can be connectivity devices at customer premises, such as modems and set-top boxes. The client nodes may also comprise customer equipment (not shown) configured to receive content from the content routers across access networks and to distribute the content to a plurality of clients. For example, client nodes may include an application server and associated virtual machines; data center storage devices; optical network units (ONUs); and/or very-high-bit-rate digital subscriber line (VDSL) transceiver units at residential locations (VTU-Rs). Access networks can be any networks that provide access to content in the CON 100, such as virtual private networks (VPNs). Client sites can be any office sites or environments configured to receive content from the content routers and to send the content to corresponding client nodes over access networks. Client sites can also receive content requests from client nodes and send the content requests to the content routers.
The SMVG control system can be a domain-based control plane platform configured to allow the CON 100 to select and match the named objects for specific users/user groups to provide trusted service flows with privacy, security, mobility, and social interaction capability. Specifically, the SMVG controller 110 can be a control plane entity located in a home domain and configured to use and manage trusted service profiles in a dynamic, distributed manner across the CON 100, as described later. The SMVG controller 110 may be located at, or correspond to, a node or a network component, such as a router (e.g., a content router 114), an internal node, or a server. In terms of the relationship between a service subscriber and a provider, trust can include security, quality of service, and associated service accountability, for example based on a set of rules to be applied as expected. In the CON 100, the subscriber and service provider can correspond to a subscriber and a content publisher, respectively, as users of user devices 130. The SMVG controller 110 can be configured to create, maintain, validate, apply, and track/measure the trusted service relationship between users/user groups, applications, mobility, security, and user/network devices, for example within a specified time (e.g., time of day (TOD), duration, or time to live (TTL)). This trust relationship can be described and enforced by a profile. The SMVG control system can support multiple users/user groups, for example in a mobile environment of the CON 100. In a single-domain case, the SMVG controller 110 can reside in a home domain and collaborate with multiple user groups 120. Alternatively, the user groups 120 may be distributed across one or more visiting access domains in the CON 100 or across a plurality of external access networks coupled to the CON 100. The SMVG agent 122 may be located at, or correspond to, a node or a network component, such as a router (e.g., a content router 114), an internal node, or a server.
The SMVG controller 110 can collaborate with the SMVG agent 122 within the context of a virtual group to ensure security and mobility functions. The TSP database 112 can be configured to manage the user groups 120. Each user group 120 can be identified by an identifier (ID), which can be unique if global mobility is desired, a list of members, and metadata related to security functions (e.g., key distribution, integrity, confidentiality) and social interaction. In addition, the TSP database 112 may link with external third-party entities, such as social networks or VPNs, to allow application/context user group interaction, which may be enabled over a service provider (SP) network for personalized treatment with regard to network resources. The information contained in the TSP database 112 may include a plurality of associations or entries (e.g., in a TSP table) that associate user IDs, device IDs, group IDs, network anchor points, security privileges, or combinations thereof. A domain, for example the home domain in the CON 100, can be a set of objects that are constructed and constrained by some relationships, such as administrative relationships, ownership relationships, social relationships, geographic relationships, topological relationships, other defined relationships, or combinations thereof. Each domain can have a name that represents the "realm" of the objects within the domain. Each object in a domain can also have a name that uses the domain name as a prefix. A domain can be constructed recursively (that is, a domain can contain subdomains), and thus each object in the domain can be assigned a hierarchical name. For example, the name www.hollywood.com/movie/new_release/The_Company_Men can be used, where the movie "The_Company_Men" is owned by Hollywood, and "Hollywood" is the home domain of the named movie.
The SMVG agents 122 can collaborate with the CON proxy nodes 126, which may be located in visiting access networks, for example to manage mobility, security key distribution, and social membership. Operations can be based on the names of the objects involved in content dissemination. Named objects can include users, user devices, access points, social groups, the SMVG controller and agents, other objects, or combinations thereof. In this context, user device names need not be "globally accessible", i.e., they may be local names. However, the home-domain SMVG controller name and the visiting AP name (e.g., of wireless base stations (BS) or 4th Generation (4G) gateways) may be "globally accessible". A globally accessible name can also be referred to as a "well-known" name from a content routing perspective. The local access profile database 124 may be configured to store registration information for the user devices 130. The SMVG control system can also provide service assurance within a domain. Interaction between a third party whose groups are being manipulated and the CON SP may be kept within the bounds of not violating users' rights and privileges. In one scenario, the SP may interact with third parties to map the SP's subscribers to known social networks and thereby use subscriber behavior statistics, which can be obtained from the social networks, to promote the SP's services, such as an advertising service. In another scenario, the SP may map subscribers or users to one or more instances of virtual private groups (VPGs) on the network's content routers, for example to provide guaranteed performance with respect to content dissemination over the SP's domain. In one embodiment, the CON 100 may also comprise a plurality of content routers 114 positioned between the SMVG controller 110 and the SMVG agents 122. Each of these content routers 114 may be configured to forward or allow communication between the SMVG controller 110 and the corresponding SMVG agent 122 in a corresponding user group 120.
Each content router 114 and a corresponding CON proxy node 126 may be associated with a corresponding VPG instance. Thus, the user devices 130 communicating with the CON proxy node 126 can be mapped to the same VPG instance by the SP. In the CON 100, the SMVG controller 110 and the SMVG agents 122 can communicate with the CON proxy nodes 126 to support security, mobility, and social networking under a plurality of scenarios. The following scenarios describe how service profiles can be created, maintained, and used for these supported services. In this context, the SMVG controller 110 and the SMVG agents 122 can be control plane entities, and the CON proxy nodes 126 can be content data transport plane entities. This SMVG control system can provide an integrated, collaborative service control plane that is based on a server-less architecture and is separate from the content data transport plane. The SMVG control system in the CON 100 can implement a domain-based naming scheme, where each established domain can represent a set of objects. The set of objects can be constrained by some relationships, as described above. Each established domain can represent a realm that has a domain name. Within this realm, all objects can be named starting from the domain name, which is used as the prefix of the object names. The domain name can be well known, i.e., it can be globally routable in the CON 100. In the CON infrastructure, each element or object can be a named object, and each object can belong to a domain. Specifically, each mobile device 130, user, user group 120, AP 128, SMVG controller 110, and SMVG agent 122 can be named with a selected domain name as a prefix and can each belong to a selected domain. The plurality, or all, of the domain names may be globally routable in the CON 100. Each AP 128 may also be assumed to be globally routable.
For example, a Long Term Evolution (LTE) base station in Santa Clara, California, which may be owned and operated by AT&T, may be named top/att.us/CA/SantaClaraBS-1, where "top" represents a virtual name that can stand for an abstract organization or a technology, like the name "www". The SMVG control system may also apply an ID and registration management procedure, for example after a user device 130 attaches to an AP 128 of the CON 100. While the AP 128 performs user/device authentication, the AP 128 can learn (or derive) the home domain from the mobile device name prefix. This applies both to the case where the mobile device 130 belongs to the domain of the AP 128 and to the case where the mobile device 130 and the AP 128 belong to different domains. In the latter case, the operator of the mobile device (e.g., a telco) may need to verify that the operator's service license agreement (SLA) policies allow it to accept or authorize the mobile device 130 in a visiting access domain. After finishing the registration of the mobile device 130 in a local access profile 124, the local SMVG agent 122 can send profile registration messages to the home SMVG controller 110. The destination name for the registration message can be determined by a domain name abstracted from the user device 130 name (or together with the user name). The registration message can include the mobile device name (e.g., user-domain/user-name/My.IPhone) and the AP name (e.g., top/att.us/CA/SantaClaraBS-1). These two names can be stored in the TSP database 112 in the home domain and can be used to establish a binding relationship between the user device 130 and the AP 128. This binding relationship can be dynamically updated, for example when the mobile device changes its attachment (e.g., handover, roaming, off-hook, etc.).
Registration can occur multiple times, for example if a user has multiple devices, which may include mobile and/or fixed devices, and/or due to policy updates between the AP 128 and the remote device 130. A user can also switch between devices in real time. The registration can create corresponding entries in the TSP database 112 or table in the home domain. The TSP database 112 or table may have additional fields for management and service enablement purposes. For example, the TSP table may comprise a caller name field to indicate which type of calls should go to which devices (e.g., personal mobility). The TSP table can also include a social group ID that indicates the user's group. The TSP table may also comprise a key locator that indicates which cryptographic materials have been assigned to the mobile device 130. The TSP table may also include various policies for ID management, access control, service security, quality of service (QoS), and/or site management (mgmt). The TSP database 112 or file may contain both statically registered fields (e.g., when the user account was created in the home domain or in a third-party domain, such as a social group and a personal profile) and dynamically registered fields (e.g., when the mobile device 130 attaches to a visiting access network). The SMVG control system can also support user mobility in the CON 100. In one embodiment, the SMVG control system can implement three types of mobility control: handover, nomadic, and global roaming. Typically, handover between two base stations or APs 128 (e.g., under the control of the same gateway, such as a Worldwide Interoperability for Microwave Access (WiMAX) or LTE gateway) can be handled by layer-two (L2) wireless access. The CON 100 at the named-object level may require support for nomadic movement of the mobile device 130 and for global roaming. Using the domain-based naming scheme described above, each object name can have a domain name prefix, and the domain name can be globally accessible in the CON 100.
Thus, deriving the home domain name from the domain name of a user device 130 need not be difficult. The SMVG controller 110 and SMVG agent 122 in the CON 100 can also support name-based mobility. When a mobile device 130 attaches to a home access network, the local SMVG agent 122 can be triggered to send a registration message to the home-domain SMVG controller 110. The mobile device's home domain name can be derived from the mobile device name (or may be acquired from data pre-configured in the user device 130). The registration message may include both the names of the user device 130 and the AP 128. The SMVG controller 110 may record the binding data between the user device 130 and the AP 128 in a TSP profile. When a corresponding peer wants to send requests or interests to the mobile device 130 (e.g., make a phone call), the local SMVG agent 122 coupled with the AP 128 can first obtain the home domain name from the called party's name and send messages to the home SMVG controller 110 to resolve the called party's current location. Then, the CON proxy 126 at the calling site can send interests to the called party's site at the far end by concatenating the site name (e.g., the calling party's AP name) as a prefix with the called party's name. Since the names of both APs 128 of the two parties can be globally routable, communication between the calling party and the called party can be efficiently established via the globally routable resolved name. In this case, the calling party and called party names need not be globally routable. In some cases, it may be difficult to fulfill calling/called party reachability across the global network (even if names are globally routable) due to routing protocol update scalability and dynamic calling/called party mobility. Figure 2 illustrates an embodiment of a name mapping scheme 200 that can be used in a CON, for example similar to the CON 100, for example as part of the SMVG control system described above.
The name mapping scheme 200 can be used to map between home names 210 (in a home name hierarchy) and foreign names 220 (in a foreign name hierarchy). Home names 210 can be assigned from a home domain in the CON, and foreign names 220 can be assigned from a visiting access domain. Home names 210 and foreign names 220 can be globally routable within the CON, but in different domains. For example, home names 210 may be used or routed within the home domain and may be mapped to foreign names 220 in the corresponding visiting access domain. Foreign names 220 can be used and forwarded in the corresponding visiting access domains. For example, home names 210 can be used for two user devices (mobile devices) registered to a user: top/Huawei/Abel/Abel.IPhone and top/Huawei/Abel/Abel.iPad. A user device can also have multiple foreign names (for example, one per Radio Access Network (RAN)). Foreign names 220 may be used for the two user devices in two corresponding visiting access domains or networks that may have different access technologies. A user device can obtain a foreign name when visiting an access domain or network. For example, foreign names 220 can be used for two different RANs: top/ATT.US/LTE/SF-GW/Huawei/Abel/Abel.IPhone for LTE access and top/ATT.US/WiFi/LA-GW/Huawei/Abel/Abel.iPad for WiFi access. The user device can register its foreign name in the home domain. The home name can be mapped to the foreign name in the home domain, for example when receiving or sending requests (interests) or responses comprising object names. The home SMVG controller can manage the mapping between the home domain and the foreign domain. The mapping scheme 200 can be used with an ID-based Public Key Infrastructure (PKI) and implement per-domain policy control in the mapping between the home name and the foreign name.
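The registration and name mapping steps described above (a device name carries its home-domain prefix, the visiting agent admits the device subject to SLA policy and registers the device/AP binding with the home controller, and a calling-side agent resolves a called party to a globally routable foreign name) are modelled below in Python. This is an added example, not code from the patent or from Huawei. It assumes that the home domain is the first name component after the virtual root "top", that a foreign name is formed by prefixing the visiting gateway's name onto the home name with the root stripped (matching the page's top/ATT.US/LTE/SF-GW/Huawei/Abel/Abel.IPhone example), and that SLA policy is a simple allow-list of partner domains; all class and function names are hypothetical.

```python
"""Domain-based naming with home/foreign name mapping and TSP registration.

Added example (not the patent's or Huawei's code). Assumptions: the home
domain is the first component after the virtual root "top"; a foreign name is
the visiting gateway's name prefixed onto the home name with the root removed;
SLA policy is modelled as an allow-list of partner domains.
"""
from dataclasses import dataclass
from typing import Dict, List

VIRTUAL_ROOT = "top"  # abstract top-level component used in the page's examples


def name_parts(name: str) -> List[str]:
    """Split a hierarchical name into its non-empty components."""
    parts = [p for p in name.split("/") if p]
    if not parts:
        raise ValueError("empty object name")
    return parts


def home_domain(name: str) -> str:
    """Derive the (globally routable) home domain from any object name."""
    parts = name_parts(name)
    if parts[0] == VIRTUAL_ROOT:
        parts = parts[1:]
    if not parts:
        raise ValueError("name %r carries no domain component" % name)
    return parts[0]


def foreign_name(gateway_name: str, home_name: str) -> str:
    """Build a visiting-domain name: gateway prefix + home name without the root."""
    parts = name_parts(home_name)
    if parts[0] == VIRTUAL_ROOT:
        parts = parts[1:]
    return "/".join(name_parts(gateway_name) + parts)


@dataclass
class TspEntry:
    """One row of the home controller's trusted service profile table."""
    device_name: str
    ap_name: str
    foreign_name: str


class SmvgController:
    """Home-domain control plane entity holding the TSP table."""

    def __init__(self, domain: str):
        self.domain = domain
        self.tsp: Dict[str, TspEntry] = {}

    def register(self, device_name: str, ap_name: str) -> TspEntry:
        """Bind a device to its current AP; rejects devices homed elsewhere."""
        if home_domain(device_name) != self.domain:
            raise ValueError("%s is not homed in %s" % (device_name, self.domain))
        entry = TspEntry(device_name, ap_name, foreign_name(ap_name, device_name))
        self.tsp[device_name] = entry  # re-registration replaces the old binding
        return entry

    def resolve(self, device_name: str) -> str:
        """Return the globally routable name a peer should use for this device."""
        entry = self.tsp.get(device_name)
        if entry is None:
            raise LookupError("no binding for %s" % device_name)
        return entry.foreign_name


class SmvgAgent:
    """Agent at a visiting AP: admits devices per SLA, registers them at home."""

    def __init__(self, ap_name: str, controllers: Dict[str, SmvgController],
                 partner_domains=()):
        self.ap_name = ap_name
        self.domain = home_domain(ap_name)
        self.controllers = controllers               # reachable home controllers
        self.partner_domains = set(partner_domains)  # SLA allow-list (assumption)
        self.local_profiles: Dict[str, str] = {}     # local access profile database

    def attach(self, device_name: str) -> str:
        """Admission check, then registration of the device/AP binding at home."""
        dom = home_domain(device_name)
        if dom != self.domain and dom not in self.partner_domains:
            raise PermissionError("no SLA admits %s devices at %s" % (dom, self.ap_name))
        controller = self.controllers.get(dom)
        if controller is None:
            raise LookupError("home controller for %s unreachable" % dom)
        entry = controller.register(device_name, self.ap_name)
        self.local_profiles[device_name] = entry.foreign_name
        return entry.foreign_name


def resolve_callee(called_name: str, controllers: Dict[str, SmvgController]) -> str:
    """Calling-side step: locate the home controller by prefix, then resolve."""
    return controllers[home_domain(called_name)].resolve(called_name)
```

Re-attaching the same device at a second gateway simply overwrites its TSP row, which is the dynamic update of the binding that the text describes; a device whose home domain has no SLA with the visiting operator is rejected before any registration message is sent.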
Figure 3 illustrates an embodiment of an intergateway mobility operation 300 that can be used in a CON, for example similar to the CON 100, for example as part of the SMVG control system described above. The intergateway mobility operation 300 can be implemented to handle proper forwarding of data to a mobile device when the mobile device moves between different APs in the CON, for example to maintain continuity of service. The CON may comprise, or may be coupled to, a serving AP 310 coupled to a first CON proxy or serving proxy 312, a target AP 320 coupled to a second CON proxy or target proxy 322, and a corresponding peer AP 330 coupled to a third CON proxy or peer proxy 332. The serving AP 310 may be attached to a first mobile device 314, which may move (during a handover) from the serving AP 310 to the target AP 320. The corresponding peer 330 may be attached to a second mobile device 316, which may be in communication (e.g., in a call) with the first mobile device 314. The serving proxy 312, the target proxy 322, and the peer proxy 332 may be CON-enabled gateways (or base stations) configured to couple or link user or mobile devices with the APs in the CON and to allow communication between the CON and the devices. The intergateway mobility operation 300 can correspond to a make-before-break scenario for intergateway mobility management. Before the first mobile device 314 moves from the serving proxy 312 at the serving AP 310 to the target proxy 322 at the target AP 320, the first mobile device 314 can start the attachment process with the target proxy 322 / target AP 320. The first mobile device 314 may then inform the serving proxy 312 that the target proxy 322 is the target proxy for the handover. The serving proxy 312 can then notify the peer proxy 332 at the corresponding peer 330 of the name of the target proxy 322.
Thus, the peer proxy 332 can use the name of the target proxy 322 as a prefix and concatenate this prefix with the name of the first mobile device 314 for data anchoring. The serving proxy 312 may also use the target proxy 322 name to replace the name prefix in received data. Data received, for example from the second mobile device 316, may target the first mobile device 314 using an old prefix (for example, the name of the serving proxy 312). The target proxy 322 name can be used as the new prefix. Data can be sent from the peer proxy 332 to the serving proxy 312 via a first path (labeled "path before handover"). As such, the serving proxy 312 can route incoming data to the target proxy 322. During the handover, the peer proxy 332 can bicast data to both the serving proxy 312 and the target proxy 322. If the peer proxy 332 only anchors unicast traffic to the serving proxy 312, then after the handover the peer proxy 332 can switch the data to the target AP 320 using the new prefix, and the serving proxy 312 can forward or move the remaining data (received at the serving proxy 312) to the target AP 320 via a transient path. When all data has been switched or forwarded after the handover, the peer proxy 332 can send the data to the target proxy 322 via a second path (labeled "path after handover"). In one embodiment, when a mobile device or other object changes its location within the same wireless access domain, an intradomain handover can be handled by the wireless access network. When the gateway is enabled with a content-oriented network architecture (CONA), a CONA proxy can perform data anchoring functions for all or multiple base stations or APs within that domain. In both intra-gateway and inter-gateway handover scenarios, the CONA proxy may be able to perform data anchoring functions using the entity name. When the handover is successful, the local SMVG agent at the target AP can register the new binding information with the home-domain SMVG controller, as described above.
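The make-before-break handover just described, with the peer proxy switching its anchoring prefix and the serving proxy re-prefixing in-flight data onto the transient path, is worked through in Python below as an added example; it is not code from the patent or from Huawei. It assumes data for a device is named <anchoring proxy name>/<device name>, models both the bicast variant and the unicast-anchored variant, and uses a constructed target gateway name top/ATT.US/LTE/SJ-GW; the class and function names are hypothetical.

```python
"""Make-before-break intergateway handover with name-prefix rewriting.

Added example (not the patent's or Huawei's code). Assumptions: data for a
device is addressed as <anchoring proxy name>/<device name>; the peer proxy
either bicasts during handover or anchors unicast traffic at the serving proxy,
which then forwards in-flight data to the target over a transient path.
"""
from typing import List, Optional, Tuple


def rewrite_prefix(full_name: str, old_prefix: str, new_prefix: str) -> str:
    """Replace the anchoring-proxy prefix of a data name, keeping the device part."""
    old = old_prefix.rstrip("/") + "/"
    if not full_name.startswith(old):
        raise ValueError("%s is not under prefix %s" % (full_name, old_prefix))
    return new_prefix.rstrip("/") + "/" + full_name[len(old):]


class ServingProxy:
    """Proxy at the serving AP; once the device leaves, re-prefixes and forwards."""

    def __init__(self, name: str):
        self.name = name
        self.target: Optional[str] = None
        self.delivered: List[str] = []   # names delivered locally to the device
        self.transient: List[str] = []   # names forwarded over the transient path

    def set_target(self, target_name: str) -> None:
        """Device reported the target proxy it is attaching to."""
        self.target = target_name

    def receive(self, full_name: str) -> str:
        if self.target is None:
            self.delivered.append(full_name)
            return full_name
        forwarded = rewrite_prefix(full_name, self.name, self.target)
        self.transient.append(forwarded)
        return forwarded


class PeerProxy:
    """Proxy at the corresponding peer, anchoring data for the far-end device."""

    def __init__(self, serving: str, bicast: bool = True):
        self.serving = serving
        self.target: Optional[str] = None
        self.handover_done = False
        self.bicast = bicast

    def notify_target(self, target_name: str) -> None:
        """Serving proxy tells us where the device is going (make-before-break)."""
        self.target = target_name

    def complete_handover(self) -> None:
        self.handover_done = True

    def destinations(self, device_name: str) -> List[Tuple[str, str]]:
        """(proxy, data name) pairs one data unit is sent to, by handover phase."""
        if self.target is None:                       # path before handover
            return [(self.serving, self.serving + "/" + device_name)]
        if self.handover_done:                        # path after handover
            return [(self.target, self.target + "/" + device_name)]
        dests = [(self.serving, self.serving + "/" + device_name)]
        if self.bicast:                               # during handover
            dests.append((self.target, self.target + "/" + device_name))
        return dests


def run_handover(bicast: bool) -> dict:
    """Drive one handover of a constructed device name and report each path."""
    device = "Huawei/Abel/Abel.IPhone"
    serving = ServingProxy("top/ATT.US/LTE/SF-GW")
    target = "top/ATT.US/LTE/SJ-GW"        # constructed target gateway name
    peer = PeerProxy(serving.name, bicast=bicast)

    before = peer.destinations(device)
    serving.receive(before[0][1])           # delivered locally: device still here

    peer.notify_target(target)             # device attached to target; serving told peer
    serving.set_target(target)
    during = peer.destinations(device)
    via_serving = [serving.receive(n) for p, n in during if p == serving.name]

    peer.complete_handover()
    after = peer.destinations(device)
    return {"before": before, "during": during, "transient": via_serving,
            "after": after, "delivered": serving.delivered}
```

In the unicast-anchored variant the peer keeps sending to the serving prefix during the handover, so every in-flight unit crosses the transient path with the target's prefix substituted; in the bicast variant the target already receives a copy directly, and the serving proxy's re-prefixed copy is the duplicate the target must be prepared to discard.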
The SMVG control system can also support user security in the CON (e.g., CON 100) by enabling various security services for mobile devices with the CON-enabled SMVG controller and proxy nodes. For authenticity and data integrity, each data item in the CON can be signed with a private key of the publisher, for example with user-, device- or application-specific keys, and can be verified by the receiver using the publisher's public key. Distribution of these keys can lead to implementation complexity. To simplify implementation, the SMVG control system can allow flexible data authenticity verification by leveraging domain-based named data. Specifically, the AP can handle data publishing and signing operations for mobile devices, for example, as an authenticator. The AP can provide certificate verification and data signature verification functions on behalf of devices. For example, based on a trust relationship established between the home SMVG controller in a home domain and the SMVG agent at a visiting AP in a visiting access domain, the SMVG agent can verify all mobile publisher certificates belonging to that home domain. In this case, when a peer (AP) queries the location of a mobile device, the home SMVG controller can send the mobile device's certificates to the SMVG agent attached to the peer. The SMVG agent can operate as a representative of the corresponding peer to verify the certificates and then forward the mobile publisher's public key to the corresponding peer. This can save the cost of retrieving and verifying content publishers' public key certificates from the CON. In addition, for data publishing, the AP can generate digital signatures on behalf of mobile devices to ensure data transport integrity. For example, when delivering mobile publisher certificates from the home SMVG controller to the visiting SMVG agent, the named object can be secured using credentials established between the SMVG controller and the SMVG agent. 
The protected name can also be applicable to inter-AP communications, for example, based on a pre-established trust relationship between two APs (both intradomain and interdomain). This can be useful because signing large amounts of data is typically a costly operation for power-constrained devices. For privacy and confidentiality, the home SMVG controller can be leveraged as a key server and key distributor. Specifically, when a mobile device registers with its social group ID at a CON proxy through an AP, a new session key can be generated by the SMVG controller based on the domain name or group ID. To enable secure group communications between mobile devices, the key can be shared among all devices within the same group, so that each device can use the group key to build logical secure communication channels to other peers (devices) in the group. Data published by a device can then be accessible only to devices in the same group. As such, the SMVG controller can become the key issuer, key distributor, and group membership manager, based on the device registration process and social value or context. In addition, the device's home SMVG controller can be the proxy for secure communications between other peers (devices) spanning multiple domains. This can enable a delegation model for trust relationship management for interdomain communication. When devices in different domains are brought together to form a secure group, the corresponding home SMVG controllers of the devices can negotiate a unique session key for all peers and distribute the key to the individual devices, e.g., using the public/private key pairs of the devices registered with their home SMVG controllers. This can save computing, and thus energy, for each mobile device for key agreement. Figure 4 illustrates one embodiment of a name-to-security-key mapping scheme 400 that can be used in a CON, for example, similar to the CON 100, for example, as part of the SMVG control system described above. 
The name-to-security-key mapping scheme 400 can be used to map between home names 410 (in a home name hierarchy) and corresponding keys 420 (in a key hierarchy). Home names 410 can be assigned by a home domain in the CON, and keys 420 can be generated by the home SMVG controller using the home names 410. Home names 410 can be mapped to corresponding keys 420, which can then be distributed to the corresponding devices, for example, through the APs in the visiting access domains. In the name-to-security-key mapping scheme 400, the home names 410 can be used as device IDs to generate the corresponding keys 420. Device IDs or names 410 can be used to obtain public keys, for example, using identity-based cryptography (IBC). Keys 420 can be used to secure publishing/recording of data/contents between devices. A hierarchical IBC (HIBC) can be used to derive keys 420 based on names 410, where the top domain can be an intermediate key issuer (or authority). Mapped keys 420 can be a combination of a domain key issuer (authority), a user key issuer (authority), and a generated device key. The domain key issuer and user key issuer can be obtained from the names 410. For example, the home names 410 can be used for two user devices (mobile devices) registered to a user: top/Huawei/Abel/Abel.IPhone and top/Huawei/Abel/Abel.iPad. As such, two keys 420 can be used for the two user devices: Huawei/Abel/key1-for-IPhone and Huawei/Abel/key1-for-iPad. The SMVG control system can also support social workgroups that use the CON, e.g., CON 100. The SMVG control system can be configured to support social group functions for fixed/mobile users. A user can register their social group (or social group locator) information in the TSP profile. For example, the TSP profile may include entries to store a user's social group ID, VPN ID, social activity status, presence, and/or other group-related information. The TSP can also store the "social event type" the user is interested in. 
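The following is an added example, not code from the patent or the applicant, illustrating the name-to-key mapping of Figure 4 and the group session key and AP-side signing discussed just before it. The patent derives keys with hierarchical identity-based cryptography (HIBC); this sketch stands in for HIBC with an HMAC key ladder in which each level's key is HMAC(parent key, own name component), so the holder of a level's key (the domain key issuer, the user key issuer) can derive every key beneath it but not its siblings or parents. The master secret, the "hikers" group ID and the photo payload are constructed sample values; the two device names are the ones given in the text above.

```python
"""Name-to-key mapping over a name hierarchy (the idea behind Figure 4).

Added example, not code from the patent. HIBC is replaced here by an HMAC
key ladder: child key = HMAC-SHA256(parent key, name component). The master
secret, names and group ID below are constructed sample values.
"""
import hashlib
import hmac


def derive_key(parent_key: bytes, component: str) -> bytes:
    """One rung of the ladder: child key = HMAC-SHA256(parent key, name component)."""
    return hmac.new(parent_key, component.encode(), hashlib.sha256).digest()


def key_for_name(master: bytes, name: str) -> bytes:
    """Walk 'top/Huawei/Abel/Abel.iPad' from the top domain and return the leaf key.

    'top' holds `master`; 'Huawei' acts as the domain key issuer, 'Abel' as the
    user key issuer, and the last component names the device.
    """
    parts = name.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "top":
        raise ValueError(f"name must be rooted at top/: {name!r}")
    key = master
    for part in parts[1:]:
        key = derive_key(key, part)
    return key


def group_session_key(master: bytes, domain: str, group_id: str) -> bytes:
    """Session key the home controller issues to every member of a social group."""
    return derive_key(derive_key(master, domain), "group:" + group_id)


def sign_named_data(key: bytes, name: str, payload: bytes) -> bytes:
    """Integrity tag binding name and payload, as an AP would produce on a device's behalf."""
    return hmac.new(key, name.encode() + b"\x00" + payload, hashlib.sha256).digest()


def verify_named_data(key: bytes, name: str, payload: bytes, tag: bytes) -> bool:
    """Constant-time check of a tag produced by sign_named_data."""
    return hmac.compare_digest(sign_named_data(key, name, payload), tag)


def key_mapping_demo() -> dict:
    master = hashlib.sha256(b"constructed master secret of the home SMVG controller").digest()
    iphone = key_for_name(master, "top/Huawei/Abel/Abel.IPhone")
    ipad = key_for_name(master, "top/Huawei/Abel/Abel.iPad")
    # Abel's user-level key issuer can derive both device keys without the master.
    abel = key_for_name(master, "top/Huawei/Abel")
    name = "top/Huawei/Abel/Abel.iPad/photo/1"
    payload = b"constructed photo bytes"
    tag = sign_named_data(ipad, name, payload)
    return {
        "distinct_device_keys": iphone != ipad,
        "delegated_equals_top_down": derive_key(abel, "Abel.IPhone") == iphone,
        "verifies_with_own_key": verify_named_data(ipad, name, payload, tag),
        "rejects_other_device_key": not verify_named_data(iphone, name, payload, tag),
        "group_key_len": len(group_session_key(master, "Huawei", "hikers")),
    }


if __name__ == "__main__":
    print(key_mapping_demo())
```

The ladder gives the delegation property the text relies on: the user key issuer for Abel can hand a key to each of Abel's devices without contacting the top domain, while a device key can verify only data tagged under its own name. Unlike HIBC, a symmetric ladder does not give peers a public verification key, so in this stand-in the verifier must hold the same key the signer used.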
Figure 5 illustrates one embodiment of a mobile social group push model 500 that can be implemented in a CON, for example, similar to the CON 100. The mobile social group push model 500 can be controlled by the SMVG control system in the CON to push events to a plurality of members of a social group. In this scenario, when an event publisher, such as a mobile device 514, places an event in the CON (through a proxy 512), a local SMVG agent 513 (in a visiting access domain 510) can send a "push" interest to a home domain SMVG controller 511 (in a home domain 502). The SMVG controller 511 can be part of a VPN domain manager in the home domain 502. By matching the social group name (and/or the event type of interest), the SMVG controller 511 can relay "push" interests to a plurality of registered mobile devices 514, for example, in one or more visiting access domains 510. The SMVG controller 511 may communicate with the SMVG agents 513 in the visiting access domains 510 to relay the push interests. Push interests can be similar to "paging" messages, which can be received by the corresponding APs in the domains. In turn, the mobile devices 514 in the domains can be paged. The paged mobile devices 514 can then send interests to the publisher (a mobile device 514) to retrieve the event. In this scenario, the SMVG controller 511 and the SMVG agents 513 transmit control messages but not event data. Event data may actually be transmitted between CON proxy nodes 512 in different visiting access domains 510 (e.g., in the data plane). While event data is replicated across some content routers, event data can be shared by social members in a group if their interests follow the same path. Another advantage of this approach is energy savings. For all mobile members or devices 514 in the same social group, members do not have to be "always on" and can periodically "pull" the event (or social status updates) from the other members. Members can be paged when some event occurs. 
The "paging" group can benefit mobile devices 514 because of their reduced or limited power budget. Content-name-level "paging" can also be combined with wireless L2 paging functions to achieve greater power savings when the mobile device 514 is in a sleep state. In a TSP table, a social group entry can serve as a locator for a third-party social domain, which can enable interdomain service profile exchange. For example, an AT&T domain can acquire "which user likes/dislikes" information from a Facebook domain. When an AT&T AP pushes events to the mobile device, the AP may use user profile information acquired from the third party to insert some advertisement for the user's mobile devices. For example, when a user is walking through a Wal-Mart store, a CON proxy can push a Wal-Mart coupon to the user's iPhone. The CON proxy can also push a nearby Chinese restaurant menu to the iPhone if the CON proxy knows the user likes Chinese food. This example shows how the SMVG control system can integrate location and social group information to support new services. The SMVG control system can also implement interdomain policy management in the CON. This interdomain policy management can be associated with interdomain policy profile exchange and enforcement when mobile users move between domains. Figure 6 illustrates an embodiment of a multi-domain controller and agent interaction 600 in a CON, for example, similar to the CON 100, which may be part of the SMVG control system. Specifically, multiple CON-coupled domains can collaborate to enable members of globally distributed virtual groups to interact with each other. Normally, social networks can be considered an over-the-top (OTT) phenomenon, that is, one where social interactions can be opaque or invisible to the SP. 
Making the provider part of this interaction can allow the provider to create new services that can be customized to the needs of each virtual group, which can lead to better quality of experience (QoE) support in a global context. The domains may comprise a home domain 602 of the CON and a plurality of visiting access domains 610, which may be located in a plurality of external access networks coupled to the CON. Members of virtual groups may include objects or mobile devices 614 attached to the external access networks and/or the CON. The home domain 602 may comprise a home SMVG controller 611 and a TSP database 609. Each external access network or visiting access domain 610 may include a visiting SMVG controller 615, a local SMVG agent 613, an access profile database 616 and a local CON proxy 612. The CON proxy 612 can be coupled to the mobile device 614 via an AP (not shown). The CON may also comprise one or more user groups (not shown) coupled to the home domain 602 and each comprising an SMVG agent, an access profile database, and a CON proxy that can be coupled to a user's mobile device. The SMVG agents and the home SMVG controller 611 in the home domain 602 can interact within the home domain (intradomain interactions) as described above. The local SMVG agents 613 may similarly interact with the visiting SMVG controllers 615 in their corresponding visiting access domains 610, as described above. In addition, the home SMVG controller 611 in the home domain 602 may interact with the visiting SMVG controllers 615 in their corresponding visiting access domains 610 to enable interdomain interactions, such as for implementation and/or support of interdomain policy management, interdomain reachability, mobile registration, and service guarantee, as described below. The SMVG control system in the CON can support interdomain reachability. 
Specifically, to enable interaction between the various domains, for example, in a way similar to the handling of IP networks, the CON SP can peer at the boundary points (APs) of the different domains. Control plane interaction over interdomain routing protocols, or a mutually agreed exchange point, can be used at an AP in one domain to exchange name prefixes (for content objects, network elements, and other entities) with other domains. This can allow each domain to build the reachability needed to properly resolve IDs (names) of SMVG controllers, and allow CON proxy nodes to properly resolve border gateway points (APs). The SMVG control system in the CON can also support mobile registration. Each mobile user device can be initially registered with its home SMVG controller through its home CON proxy and home SMVG agent. Once the mobile device crosses into another domain and the associated visiting CON proxy in the new domain discovers this mobile device, the CON proxy can first check with a local interdomain peering database to determine whether the mobile device can be admitted. The CON proxy can verify this by using a user ID (name) that the mobile device uses to advertise itself when the mobile device is within the attachment range of the CON proxy. For example, for an AT&T network user with ~/att in their name, it could be verified that the user is allowed to join the Verizon network by checking with the network's local peering database, which could indicate the policy and the agreement in effect for users arriving from the AT&T network. If the mobile device is allowed to enter the Verizon network, the visiting CON proxy can first update its SMVG agent, which can interact with the local home SMVG controller (on the Verizon network) to register the mobile user. Then the visiting SMVG agent can trigger a control plane update to the home SMVG agent of the mobile device in transit. 
Thus, any mobile device can set up a session with the roaming mobile device by first contacting its own SMVG controller to determine whether the roaming mobile device is in its current domain. If the request for the roaming device cannot be resolved, then the SMVG controller can forward the request to the roaming mobile device's home SMVG controller, which may be able to resolve the user to the current domain. In the case where a mobile device is in a live session, and the mobile device moves into a visiting access domain (assuming the mobile user is allowed to enter the visiting access domain), the make-before-break scheme described above can be applied to allow session continuity even after an interdomain handover. This interaction can also be used even in situations where the corresponding device does not belong to the home domain or the visiting access domain. The SMVG system can also allow social group interaction across multiple domains, to enable group interaction between members distributed across multiple domains. In order to enable interaction between users in different domains, TSPs in different domains can collaborate to instantiate supported group profiles within their own domains. This instantiation may normally require operator intervention to fill in the appropriate policies that allow TSPs from different domains to interact with each other. The exchange of control plane information can allow each TSP to build group profile information. From a practical perspective, it may not be necessary for a TSP to support all groups. Group profile information can also be dynamically modified, either through operator intervention or a third-party/application-level trigger mechanism. With the group profile information instantiated, the group profile information can be applied to mobile users (mobile devices) either in their home domains or in an external domain. 
For transiting users, group policy rules can be applied as follows: whenever a mobile user device with matching group affiliations enters a visiting domain, for example during the registration process with the visiting SMVG controller, the user can send the user's group credentials (in addition to their name ID). The SMVG controller can compare the groups in the submitted user group information with the groups that are supported in its own domain. Of the groups that are submitted, the SMVG controller may recognize a subset. Once the set of supported groups within the visiting domain is identified, the visiting SMVG controller is able to notify the home SMVG controller (of the mobile device) of the new visiting CON proxy that the mobile device is attached to, and of the interaction groups that the visiting SMVG controller can support. This can allow the home SMVG controller to forward a group membership request to set up new sessions, or enable "push" actions to be flooded to members of the same group even if they are in different domains. The SMVG control system can also provide a service guarantee, to respect any agreements in place to provide a service guarantee, for example when users in a group transition between domains. The SMVG control system can enable the CON to deliver content with guarantees regarding the QoS, reliability, availability and security of the content exchanged between domains. The model of ensuring fine-grained QoS and efficient content distribution can also be extended across peering points (APs). Figure 7 illustrates one embodiment of a multi-domain service guarantee structure 700 in a CON, for example, similar to the CON 100, which may use VPGs. VPG instances in the CON can be instantiated at peering points. This can allow any interdomain content dissemination to occur within the context of the group profiles defined on the content routers. 
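The admission check against the local interdomain peering database and the group-policy matching for transiting users, described in the two passages above, are shown together below as an added example; it is not code from the patent or the applicant. It assumes the "~/att/..." naming shown earlier (home domain as the first component after "~/"), a peering database that records per home domain whether a roaming agreement is in effect, and a simple notification record sent to the home controller; the domain names, group names and proxy name are constructed sample values.

```python
"""Admitting a roaming device and matching its groups in a visited domain.

Added example, not code from the patent. The visited domain's controller checks
its local peering database by the home domain in the user's name prefix,
intersects the submitted group credentials with the groups it supports, and
records a notice for the home controller. Peering-DB layout, notice fields and
all names are assumptions / constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def home_domain(user_name: str) -> str:
    """'~/att/alice/phone' or '/att/alice/phone' -> 'att'."""
    parts = user_name.lstrip("~").strip("/").split("/")
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"no home-domain prefix in {user_name!r}")
    return parts[0]


@dataclass
class VisitingController:
    """SMVG controller of a visited access domain (e.g. the Verizon network)."""
    domain: str
    supported_groups: set[str]
    peering_db: dict[str, bool]                     # home domain -> roaming agreement in effect?
    admitted: dict[str, str] = field(default_factory=dict)          # user -> visiting CON proxy
    outbox: list[tuple[str, dict]] = field(default_factory=list)    # (home controller, notice)

    def can_admit(self, user_name: str) -> bool:
        home = home_domain(user_name)
        # Own subscribers always enter; others only if the peering DB records an agreement.
        return home == self.domain or self.peering_db.get(home, False)

    def register_transit(self, user_name: str, group_credentials: set[str],
                         visiting_proxy: str) -> dict:
        """Admit the device, keep the supported subset of its groups, notify its home controller."""
        if not self.can_admit(user_name):
            raise PermissionError(f"{user_name} not admitted to {self.domain}")
        self.admitted[user_name] = visiting_proxy
        supported = sorted(group_credentials & self.supported_groups)
        notice = {"user": user_name, "visiting_proxy": visiting_proxy,
                  "domain": self.domain, "groups": supported}
        home = home_domain(user_name)
        if home != self.domain:                      # interdomain case only
            self.outbox.append((f"smvg-controller@{home}", notice))
        return notice


def admission_demo() -> dict:
    verizon = VisitingController(
        domain="verizon",
        supported_groups={"hikers", "chess"},
        peering_db={"att": True, "sprint": False},   # constructed peering policy
    )
    notice = verizon.register_transit("~/att/alice/phone", {"hikers", "foodies"},
                                      "/verizon/proxy-7")
    try:
        verizon.register_transit("~/sprint/bob/phone", {"chess"}, "/verizon/proxy-7")
        sprint_admitted = True
    except PermissionError:
        sprint_admitted = False
    return {"notice": notice,
            "sprint_admitted": sprint_admitted,
            "unknown_admitted": verizon.can_admit("~/tmobile/eve/phone"),
            "notifications": len(verizon.outbox)}


if __name__ == "__main__":
    print(admission_demo())
```

A home domain absent from the peering database is treated as having no agreement, so the default is to refuse; the notice carries only the intersected groups, which is what the home controller needs to decide which membership requests or "push" floods can reach the device in its new domain.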
The CON may be coupled to a plurality of domains, including a first domain 702 (Domain-1) and a second domain 704 (Domain-2). The first domain 702 may comprise a home domain SMVG controller 710, a TSP database 712, and a plurality of user groups 720. Each user group 720 may comprise an SMVG agent 722, a CON proxy 726, a local access profile database 724, and a plurality of access points 728 that can attach to mobile devices 740. At least one content router 714 in the first domain 702 can be coupled to another content router 714 in the second domain 704. The second domain 704 may comprise an external (or visiting) domain SMVG controller 711, another corresponding TSP database 712, and a plurality of corresponding user groups 720. Each corresponding user group 720 may comprise an external (or visiting) SMVG agent 723, a CON proxy 726, a local access profile database 724, and a plurality of access points 728 that can attach to mobile devices 740. The components of the first domain and the second domain can be configured substantially similar to the corresponding components of the CON 100, and may be arranged as shown in Figure 7. The external SMVG agents 723 may also be coupled to a peering database (DB) 713, which may be an interdomain peering database used to determine whether a mobile device can be admitted to the second domain 704. The peering DB 713 can include information about the mobile device 740, for example, similar to the information available in the first domain 702. The home domain SMVG controller 710, the external domain SMVG controller 711, the SMVG agents 722, the external SMVG agents 723, and the corresponding CON proxy nodes 726 in both domains can communicate with each other to enable interdomain interactions as described above. Figure 8 illustrates one embodiment of a device registration method 800, which can be implemented by the SMVG control system, for example, in the CON 100. 
The method can start at block 810, where a mobile device can be registered in a local access profile. The mobile device can attach via an AP to a CON home domain or a visiting access domain (e.g., in an external access or visiting network attached to the CON). The AP can authenticate the mobile device/device user and obtain the home domain from the mobile device's name prefix. The local SMVG agent can then enroll the mobile device in a local access profile. At block 820, a profile registration message for the mobile device can be sent to a home domain SMVG controller. The home domain SMVG controller can be identified based on the home domain derived for the mobile device. The home domain SMVG controller can be located in the same domain that the mobile device is attached to, for example in the case of an intradomain registration scenario, or in a separate domain, for example in the case of an interdomain registration scenario. At block 830, a TSP entry corresponding to the registration message can be created for the mobile device. The TSP entry may comprise registration information for the mobile device indicated in the registration message and/or obtained from the name forwarded in the message. The TSP entry can be inserted into a TSP database or table in the home domain that is coupled to the SMVG controller. The TSP entry may include connection information between the mobile device and the AP attached to the mobile device. The TSP entry may comprise the name of the access point attached to the mobile device, which indicates the location of the mobile device and is globally routable in the CON. The method 800 can then terminate. Figure 9 illustrates one embodiment of an interdomain interest forwarding method 900, which may be implemented by the SMVG control system, for example, in the CON 100. The method may start at block 910, where an interest for a mobile device may be received from a peer device. 
The interest can be a voice call request sent to the mobile device (called party) by the peer device (caller). An SMVG agent in the peer device's local domain can receive the interest. At block 920, the home domain of the mobile device can be derived. The SMVG agent can derive the home domain name of the mobile device from the name of the mobile device in the received interest. At block 930, the interest can be sent to the mobile device's home domain SMVG controller. The SMVG agent can send the interest to the mobile device's derived home domain SMVG controller, which can be located in a separate domain from the peer device. The interest can first be sent to a local home domain SMVG controller corresponding to the local SMVG agent and peer device before being forwarded to the mobile device's home domain SMVG controller. For example, when the peer device is on a separate network from the mobile device, each network can have its own home domain SMVG controller. At block 940, the name can be mapped to correctly forward the interest to the mobile device. The mobile device's home domain SMVG controller (or the peer device's home domain SMVG controller) can map the name in the interest before sending the interest to the mobile device, for example, using the TSP database. The name can be mapped to indicate the proper AP attached to the called mobile device in the proper destination or target domain. At block 950, the interest can be sent with the mapped name to the mobile device. The interest can be forwarded by the home domain SMVG controller, the SMVG agent, and then the CON proxy of the domain where the mobile device is attached, based on the mapped name information. The method 900 can then terminate. Figure 10 illustrates one embodiment of a network unit 1000, which may be any device that transports and processes data over a network. For example, the network unit 1000 can be located in the content router or any node in the CON 100, or in any node in the schemes described above. 
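The device registration method 800, the interdomain interest forwarding method 900 and the group "push" paging of the mobile social group push model 500 all operate on the trusted service profile (TSP) table, so they are shown together in the added example below; it is not code from the patent or the applicant. It assumes device names laid out as "/<home domain>/<user>/<device>", so the home domain is the name's first component; AP names such as "/verizon/ap7" are treated as globally routable, and a name is mapped by prefixing the interest with the attached AP's name. The TSP fields, the longest-prefix rule for matching an interest to a registered device, the controller registry and all domain, user and group names are assumptions and constructed sample values.

```python
"""Device registration (method 800), interdomain interest forwarding (method 900)
and group "push" paging over a trusted service profile (TSP) table.

Added example, not code from the patent. Names are "/<home domain>/<user>/<device>";
AP names are treated as globally routable; TSP fields and all sample names are
assumptions / constructed values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def home_domain(name: str) -> str:
    """'/att/alice/phone' -> 'att' (block 920: derive the home domain from the name)."""
    parts = name.strip("/").split("/")
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"no home-domain prefix in {name!r}")
    return parts[0]


@dataclass
class TspEntry:
    device: str                 # mobile device name
    ap: str                     # globally routable name of the AP the device is attached to
    domain: str                 # access domain that AP belongs to
    group: str | None = None    # social group ID the user registered, if any


@dataclass
class SmvgController:
    domain: str
    tsp: dict[str, TspEntry] = field(default_factory=dict)

    def register(self, entry: TspEntry) -> None:
        """Block 830: create or refresh the TSP entry from a registration message."""
        self.tsp[entry.device] = entry

    def resolve(self, interest: str) -> TspEntry:
        """Longest registered device name that is a prefix of the interest name."""
        hits = [e for d, e in self.tsp.items() if interest == d or interest.startswith(d + "/")]
        if not hits:
            raise LookupError(f"{interest} matches no device registered in {self.domain}")
        return max(hits, key=lambda e: len(e.device))

    def map_name(self, interest: str) -> tuple[str, TspEntry]:
        """Block 940: prefix the interest with the attached AP's name."""
        entry = self.resolve(interest)
        return entry.ap + interest, entry

    def members_to_page(self, group: str, publisher: str) -> list[tuple[str, str]]:
        """Push model: (AP, device) pairs of registered group members other than the publisher."""
        return [(e.ap, e.device) for e in self.tsp.values()
                if e.group == group and e.device != publisher]


@dataclass
class SmvgAgent:
    domain: str
    ap: str
    controllers: dict[str, SmvgController]     # reachability to each domain's controller
    local_profiles: dict[str, str] = field(default_factory=dict)   # device -> home domain

    def attach(self, device: str, group: str | None = None) -> TspEntry:
        """Method 800: enrol locally (810), then register with the home controller (820/830)."""
        home = home_domain(device)
        self.local_profiles[device] = home
        entry = TspEntry(device, self.ap, self.domain, group)
        self.controllers[home].register(entry)      # intra- or interdomain, depending on `home`
        return entry

    def forward_interest(self, interest: str) -> tuple[str, str]:
        """Method 900: derive the callee's home domain (920), hand the interest to its
        controller (930) and return (attached AP, mapped name) for delivery (940/950)."""
        controller = self.controllers[home_domain(interest)]
        mapped, entry = controller.map_name(interest)
        return entry.ap, mapped

    def push(self, publisher: str, group: str) -> list[tuple[str, str]]:
        """Send a 'push' interest to the publisher's home controller; get back who to page."""
        return self.controllers[home_domain(publisher)].members_to_page(group, publisher)


def registration_demo() -> dict:
    controllers = {d: SmvgController(d) for d in ("att", "verizon")}
    att_agent = SmvgAgent("att", "/att/ap3", controllers)
    vz_agent = SmvgAgent("verizon", "/verizon/ap7", controllers)

    att_agent.attach("/att/bob/phone", group="hikers")       # intradomain registration
    vz_agent.attach("/att/alice/phone", group="hikers")      # Alice has roamed into Verizon
    vz_agent.attach("/verizon/carol/tablet")                 # Verizon's own subscriber

    # Bob (caller) sends a call interest for Alice (called party) via his local agent.
    call = att_agent.forward_interest("/att/alice/phone/voice-call/1")
    return {"call": call,
            "paged": att_agent.push("/att/bob/phone", "hikers"),
            "att_tsp": sorted(controllers["att"].tsp),
            "verizon_tsp": sorted(controllers["verizon"].tsp)}


if __name__ == "__main__":
    print(registration_demo())
```

Alice's entry lives in the att controller's TSP even though she is attached in the Verizon domain, which is why Bob's agent only needs her name prefix to find the controller that can map the interest to "/verizon/ap7/...". The push lookup returns only members registered with the publisher's home controller; members whose home is another domain would be reached through the interdomain group notification described above.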
The content router can also be configured to implement or support the CON systems and methods described above. The network unit 1000 may comprise one or more ingress ports or units 1010 coupled to a receiver (RX) 1012 for receiving signals and data/frames from other network components. The network unit 1000 may comprise a content-aware unit 1020 for determining which network components to send content to. The content-aware unit 1020 may be implemented using hardware, software, or both. The network unit 1000 may also comprise one or more egress ports or units 1030 coupled to a transmitter (TX) 1032 for transmitting signals and data/frames to the other network components. The receiver 1012, the content-aware unit 1020, and the transmitter 1032 may also be configured to implement at least some of the described schemes and methods, which may be based on hardware, software, or both. The components of the network unit 1000 can be arranged as shown in Figure 10. The content-aware unit 1020 may also comprise a programmable content forwarding plane block 1028 and one or more storage blocks 1022 that may be coupled to the programmable content forwarding plane block 1028. The programmable content forwarding plane block 1028 can be configured to implement content forwarding and processing functions, such as at an application or L3 layer, where content can be forwarded based on content name or prefix and possibly other content-related information that maps the content to network traffic. Such mapping information may be maintained in a content table in the content-aware unit 1020 or the network unit 1000. The programmable content forwarding plane block 1028 may interpret user requests for content and, accordingly, fetch content, e.g., based on metadata and/or content name, from the network or other content routers and may store the content, e.g., temporarily, in the storage blocks 1022. 
The programmable content forwarding plane block 1028 may then forward the cached content to the user. The programmable content forwarding plane block 1028 can be implemented using software, hardware, or both and can operate above the IP or L2 layer. The storage blocks 1022 may comprise a cache 1024 for temporarily storing content when the content is requested by a subscriber. In addition, the storage blocks 1022 may comprise long-term storage 1026 for storing content relatively longer, such as content submitted by a publisher. For example, the cache 1024 and the long-term storage 1026 may include dynamic random access memory (DRAM), solid state drives (SSDs), hard disks, or combinations thereof. The network elements described above can be implemented in any general purpose network component, such as a computer or network component with sufficient processing power, memory resources, and network throughput capability to handle the necessary workload placed upon it. Figure 11 illustrates a typical general purpose network component 1100 suitable for implementing one or more embodiments of the components described herein. The network component 1100 includes a processor 1102 (which may be referred to as a central processing unit or CPU) that is in communication with memory devices including secondary storage 1104, read-only memory (ROM) 1106, random access memory (RAM) 1108, input/output (I/O) devices 1110, and network connectivity devices 1112. The processor 1102 may be implemented as one or more CPU chips, or may be part of one or more application specific integrated circuits (ASICs). The secondary storage 1104 is typically comprised of one or more disk drives or tape drives and is used for non-volatile storage of data and as an overflow data storage device if the RAM 1108 is not large enough to hold all working data. The secondary storage 1104 may be used to store programs that are loaded into the RAM 1108 when such programs are selected for execution. 
The ROM 1106 is used to store instructions and perhaps data that are read during program execution. The ROM 1106 is a non-volatile memory device, which typically has a small memory capacity relative to the larger memory capacity of the secondary storage 1104. The RAM 1108 is used to store volatile data and perhaps to store instructions. Access to both the ROM 1106 and the RAM 1108 is typically faster than to the secondary storage 1104. At least one embodiment is disclosed, and variations, combinations and/or modifications of the embodiment(s) and/or features of the embodiment(s) made by a person of ordinary skill in the art are within the scope of the disclosure. Alternative embodiments that result from combining, integrating and/or omitting features of the embodiment(s) are also within the scope of the disclosure. Where numerical ranges or limitations are expressly stated, such express ranges or limitations should be understood to include iterative ranges or limitations of like magnitude falling within the expressly stated ranges or limitations (e.g., from about 1 to about 9 includes 2, 3, 4, etc.; greater than 0.10 includes 0.11, 0.12, 0.13, etc.). For example, whenever a numerical range with a lower limit, Rl, and an upper limit, Ru, is disclosed, any number falling within the range is specifically disclosed. In particular, the following numbers within the range are specifically disclosed: R = Rl + k * (Ru - Rl), where k is a variable ranging from 1 percent to 90 percent with a 1 percent increment, i.e., k is 1 percent, 2 percent, 3 percent, 4 percent, 7 percent, ... 70 percent, 71 percent, 72 percent, ... 97 percent, 96 percent, 97 percent, 98 percent, 99 percent, or 90 percent. Moreover, any numerical range defined by two R numbers as defined above is also specifically disclosed. Use of the term "optionally" with respect to any element of a claim means that the element is required, or alternatively, the element is not required, both alternatives being within the scope of the claim. 
Use of broader terms such as comprises, includes, and having should be understood to provide support for narrower terms such as consisting of, consisting essentially of, and comprised substantially of. Accordingly, the scope of protection is not limited by the description set out above but is defined by the claims that follow, that scope including all equivalents of the subject matter of the claims. Each and every claim is incorporated as further disclosure into the specification, and the claims are embodiment(s) of the present disclosure. The discussion of a reference in the disclosure is not an admission that it is prior art, especially any reference that has a publication date after the priority date of this application. The disclosure of all patents, patent applications, and publications cited in the specification is incorporated herein by reference, to the extent that they provide exemplary, procedural, or other details supplementary to the disclosure. While several embodiments have been provided in the present disclosure, it should be understood that the disclosed systems and methods may be embodied in many other specific forms without departing from the spirit or scope of the present disclosure. The present examples are to be considered as illustrative and not restrictive, and the intention is not to be limited to the details given herein. For example, the various elements or components may be combined or integrated in another system, or certain features may be omitted or not implemented. In addition, techniques, systems, subsystems, and methods described and illustrated in the various embodiments as discrete or separate may be combined or integrated with other systems, modules, techniques, or methods without departing from the scope of the present disclosure. 
Other items shown or discussed as coupled or directly coupled or communicating with each other may be indirectly coupled or communicating through some interface, device, or intermediate component, whether electrically, mechanically, or otherwise. Other examples of changes, substitutions, and alterations are ascertainable by one skilled in the art and could be made without departing from the spirit and scope disclosed herein.
Claims (11) [0001] 1. Network system characterized in that it comprises: a Secure Mobile Virtual Group (SMVG) controller in a Content Oriented Network (CON); a plurality of user groups coupled to the SMVG controller and associated with users; a plurality of SMVG agents that are each associated with one of the user groups; and a trusted service profile database coupled with the SMVG controller, wherein the trust relationship between a subscriber and service provider is described and enforced by the trusted service profile; a plurality of CON proxy nodes that are associated with one of the user groups and coupled with one of the SMVG agents; one or more access points (APs) that are configured to communicate with a plurality of user devices in each user group and coupled with COM proxy nodes; where the SMVG controller is configured to interact with SMVG agents to support name-based mobility, where a name of each user device has a domain name prefix, and a home domain name is derived from the name of each device of user; where a local SMVG agent is configured to derive a home domain name from a mobile device name and be triggered to send a registration message to a home domain SMVG controller when a mobile device attaches to a visiting access network. [0002] 2. Network system, according to claim 1, characterized in that it further comprises a plurality of local access profile databases that are associated with one of the user groups and coupled to one of the SMVG agents. [0003] 3. Network system, according to claim 1, characterized in that it further comprises: a plurality of content routers coupled to the SMVG controller and user groups and configured to route and cache content data. [0004] 4. 
Network system, according to claim 1, characterized in that the SMVG controller and one or more user groups are located in the same domain, and in which the SMVG controller, the SMVG agents and the CON proxy nodes enable intradomain security, mobility, and social group services for user groups. [0005] 5. Network system, according to claim 1, characterized in that the SMVG controller and one or more user groups are located in different domains, and in which the SMVG controller, the SMVG agents and the CON proxy nodes enable cross-domain security, mobility, and social group services for user groups. [0006] 6. Network system according to claim 5, characterized in that user groups that are located in different domains than the SMVG controller are also associated with a plurality of corresponding local domain controllers that are located in the domains different than the SMVG controller. [0007] 7. Network system, according to claim 5, characterized in that the SMVG controller is coupled to a pairing database that is used to obtain information about user groups in different domains. [0008] 8. Network system according to claim 5, characterized in that user groups that are located in different domains than the SMVG controller are also located on separate networks than the home domain controller. [0009] 9. A network system according to claim 1, characterized in that the SMVG controller, SMVG agents, and CON proxy nodes are configured to provide an integrated, collaborative service control plane that is separate from a content data transport plan. [0010] 10. 
Method implemented in a network component to provide an interest to a mobile device, characterized in that it comprises: receiving, by a Secure Mobile Virtual Group (SMVG) controller from the home domain of the mobile device, the interest to the device from an SMVG agent in a local domain of a peer device, where the interest is sent to the SMVG agent from the peer device, and a home domain name of the mobile device is derived by the SMVG agent from the peer device. a name of the mobile device in the interest received; mapping, by the home domain SMVG controller, the name of the mobile device to the received interest to indicate an access point attached to the mobile device using a trusted service profile before sending the interest to the mobile device, where the trust relationship between a subscriber and service provider is described and enforced by the trusted service profile; and send, by the home domain SMVG controller, the interest to the access point attached to the mobile device. [0011] 11. Method implemented, according to claim 10, characterized in that it further comprises: registering the mobile device that attaches to a network domain in a local access profile of the network domain; send a profile registration message to the mobile device to the SMVG controller associated with the network domain; and create an entry for the trusted service profile corresponding to the registration message for the mobile device.
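As an added example, not part of the patent or of any Huawei implementation, the following Python simulates the control plane of claims 1, 10 and 11: a visiting agent derives the home domain from the device name and registers the attachment with the home controller, and a peer's agent forwards an interest that the home controller maps to the attached access point only when a trusted service profile entry exists. The hierarchical name layout, the class names and the in-memory lookup of controllers by domain are assumptions of this example.

```python
# Added example, not from the patent: a toy model of the SMVG control plane in
# claims 1, 10 and 11. Device names are assumed hierarchical, e.g.
# "/home.example/group-a/alice-phone", with the home domain as first component.
from dataclasses import dataclass, field
from typing import Optional

def home_domain(name: str) -> str:
    """Derive the home domain name from a device name's domain prefix."""
    parts = name.strip("/").split("/")
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"malformed device name: {name!r}")
    return parts[0]

@dataclass
class SMVGController:
    """Home-domain controller holding the trusted service profile database."""
    domain: str
    trusted_subscribers: set = field(default_factory=set)  # devices with a trust relationship
    profiles: dict = field(default_factory=dict)  # device name -> (visiting domain, attached AP)

    def register(self, device: str, visiting_domain: str, ap: str) -> bool:
        """Claim 11: create a profile entry, but only for a trusted subscriber of this domain."""
        if home_domain(device) != self.domain or device not in self.trusted_subscribers:
            return False  # the trust relationship is enforced, not merely described
        self.profiles[device] = (visiting_domain, ap)
        return True

    def forward_interest(self, device: str) -> Optional[str]:
        """Claim 10: map the interest's device name to the attached AP; None means drop."""
        entry = self.profiles.get(device)
        return None if entry is None else entry[1]

@dataclass
class SMVGAgent:
    """Local agent: keeps the local access profile and reaches home controllers by domain."""
    local_domain: str
    controllers: dict  # home domain name -> SMVGController (an assumed lookup)
    local_access_profile: dict = field(default_factory=dict)

    def on_attach(self, device: str, ap: str) -> bool:
        """Claim 1: on attach, derive the home domain and send the registration message."""
        self.local_access_profile[device] = ap
        ctrl = self.controllers.get(home_domain(device))
        return ctrl is not None and ctrl.register(device, self.local_domain, ap)

    def on_interest(self, target: str) -> Optional[str]:
        """Claim 10, agent side: derive the home domain from the interest name and forward."""
        ctrl = self.controllers.get(home_domain(target))
        return None if ctrl is None else ctrl.forward_interest(target)
```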
Family patents:

Publication number | Publication date
CN103477689B | 2017-10-17
BR112013019922A2 | 2016-12-13
US20120204224A1 | 2012-08-09
EP2649850A4 | 2014-05-14
RU2557087C2 | 2015-07-20
RU2013140162A | 2015-03-10
EP2649850B1 | 2016-05-18
WO2012103818A1 | 2012-08-09
US10271253B2 | 2019-04-23
CN103477689A | 2013-12-25
US20150007287A1 | 2015-01-01
US8881236B2 | 2014-11-04
US9253215B2 | 2016-02-02
EP2649850A1 | 2013-10-16
US20160119837A1 | 2016-04-28
Legal status:

Date | Code | Event
2018-12-18 | B06F | Objections, documents and/or translations needed after an examination request [chapter 6.6 patent gazette]
2020-04-14 | B06U | Preliminary requirement: requests with searches performed by other patent offices: procedure suspended [chapter 6.21 patent gazette]
2021-12-14 | B09A | Decision: intention to grant [chapter 9.1 patent gazette]
2022-01-25 | B16A | Patent or certificate of addition of invention granted [chapter 16.1 patent gazette]. Free format text: VALIDITY PERIOD: 20 (TWENTY) YEARS COUNTED FROM 06/02/2012, SUBJECT TO THE LEGAL CONDITIONS.
Priority:

Application number | Publication number | Priority date | Filing date | Patent title
US61/439,769 (US201161439769P) | - | 2011-02-04 | 2011-02-04 | -
US13/352,835 | US8881236B2 | 2011-02-04 | 2012-01-18 | Method and apparatus for a control plane to manage domain-based security and mobility in an information centric network
PCT/CN2012/070889 | WO2012103818A1 | 2011-02-04 | 2012-02-06 | Method and apparatus for a control plane to manage domain-based security and mobility in an information centric network