This application relates to the field of communication technologies, and in particular, to a method for obtaining a manufacturer usage description (MUD) file, a device, and a system.
With continuous improvement of digitization and intelligence, more terminal devices emerge in a network scenario, for example, terminal devices such as printers, cameras, smart LED lights, and conference room projection devices in an internet of things (IoT) scenario. To constrain such terminal devices, their manufacturers generate MUD files that describe the device type, network access permission, and the like of the terminal devices, and the network devices to which the terminal devices connect when accessing a network can impose corresponding constraints on the terminal devices by applying the MUD files.
According to the Internet Engineering Task Force (IETF) Request For Comments (RFC) 8520 “Manufacturer Usage Description Specification”, the manufacturer of the terminal device stores the generated MUD file in a MUD file server of the manufacturer, and stores, in the terminal device, only a uniform resource locator (URL) (which is referred to as a MUD URL below) corresponding to the MUD file. When the terminal device needs to access the network, the terminal device sends the MUD URL to the network device connected to the terminal device. The terminal device sends the MUD URL to a MUD control management device via the network device. The MUD control management device obtains the corresponding MUD file from the MUD file server based on the MUD URL, and maps content of the MUD file to a network policy for constraining network behavior of the terminal device.
It can be seen that, due to a limitation of the current RFC 8520 protocol, the MUD control management device can obtain, based on a MUD URL in the terminal device, a MUD file from only the MUD file server corresponding to the manufacturer of the terminal device, and cannot obtain a MUD file from a plurality of MUD file servers. On this basis, a mechanism for obtaining a MUD file is urgently required for the MUD control management device to obtain the MUD file from the plurality of MUD file servers.
On this basis, embodiments of this application provide a method for obtaining a manufacturer usage description MUD file, a device, and a system, to obtain a MUD file from a plurality of MUD file servers, so as to accurately constrain a terminal device based on the obtained MUD file.
According to a first aspect, an embodiment of this application provides a method for obtaining a MUD file. The method is implemented by a MUD control management device. For example, the method may include: receiving a MUD URL request message sent by a terminal device; and obtaining at least one MUD file from a plurality of MUD file servers based on a target obtaining policy corresponding to the terminal device. It can be learned that in embodiments of this application, because the MUD control management device has target obtaining policies corresponding to terminal devices, the MUD control management device can obtain the MUD file from the plurality of MUD file servers based on the target obtaining policy corresponding to the terminal device. Therefore, a MUD file of the terminal device is obtained from the plurality of MUD file servers in a scenario in which a plurality of MUD files are distributed on the plurality of MUD file servers, so that network behavior of the terminal device is more accurately constrained.
In an example, the MUD control management device may store a first mapping relationship between the target obtaining policy and a MUD URL that is provided by a manufacturer of the terminal device for the terminal device. In this case, embodiments of this application may further include: The MUD control management device obtains, from the MUD URL request message, the MUD URL provided by the manufacturer of the terminal device for the terminal device, and determines that the MUD URL matches the first mapping relationship, to further obtain the target obtaining policy based on the first mapping relationship.
In another example, the MUD control management device may also store a second mapping relationship between device information of the terminal device and the target obtaining policy. In this case, embodiments of this application may further include: The MUD control management device obtains the device information of the terminal device from the MUD URL request message, and determines that the device information matches the second mapping relationship, to further obtain the target obtaining policy based on the second mapping relationship. The device information of the terminal device may include, for example, one or more of the following: a device identifier of the terminal device; a device type of the terminal device; a network segment to which the terminal device belongs; an internet protocol (IP) address of the terminal device; a media access control (MAC) address of the terminal device; or information about the manufacturer of the terminal device.
In some possible implementations, there is only one obtaining policy in the MUD control management device. In this case, when receiving a MUD URL request message sent by any terminal device, the MUD control management device uses the unique obtaining policy as the target obtaining policy, and obtains the at least one MUD file from the plurality of MUD file servers based on the target obtaining policy.
In some other possible implementations, there are a plurality of obtaining policies in the MUD control management device. In this case, embodiments of this application may further include: The MUD control management device determines the target obtaining policy from a plurality of preconfigured obtaining policies. The plurality of obtaining policies may be specifically locally configured and stored in the MUD control management device, or may be obtained by the MUD control management device from another device.
The obtaining policy (including the target obtaining policy) indicates a rule for obtaining a MUD file from the plurality of MUD file servers. In a case, in an example, the target obtaining policy may include: redirecting, based on the MUD URL provided by the manufacturer of the terminal device for the terminal device, a first MUD file server corresponding to the MUD URL to at least one target MUD file server, and obtaining the MUD file in the at least one target MUD file server, where the plurality of MUD file servers include the first MUD file server, and the at least one target MUD file server includes a second MUD file server. Alternatively, in another case, in an example, the target obtaining policy may include: globally updating an obtained MUD file to the MUD file most recently read from a MUD file server under a sequential reading principle. Alternatively, in still another case, in an example, the target obtaining policy may include: reading and storing a plurality of MUD files in the plurality of MUD file servers in sequence. Alternatively, in yet another case, in an example, the target obtaining policy may include: pre-designating at least one target MUD file server from the plurality of MUD file servers, and obtaining the MUD file in the at least one target MUD file server.
In an example, that the MUD control management device obtains at least one MUD file from a plurality of MUD file servers based on a target obtaining policy corresponding to the terminal device may specifically include: first determining the at least one target MUD file server from the plurality of MUD file servers based on the target obtaining policy; and then obtaining the at least one MUD file from the at least one target MUD file server. It should be noted that the target MUD file server is one of the plurality of MUD file servers. The at least one target MUD file server may be all of the plurality of MUD file servers, or the at least one target MUD file server may be a part of the plurality of MUD file servers.
In addition, in an example, the target obtaining policy may alternatively include: redirecting, based on the MUD URL provided by the manufacturer of the terminal device for the terminal device, the first MUD file server corresponding to the MUD URL to at least one target MUD URL, and obtaining the at least one MUD file from the plurality of MUD file servers based on the at least one target MUD URL. A quantity of the at least one target MUD URL is less than or equal to a quantity of all MUD file servers included in the plurality of MUD file servers. That the MUD control management device obtains at least one MUD file from a plurality of MUD file servers based on a target obtaining policy corresponding to the terminal device may specifically include: determining, based on the target obtaining policy, the at least one target MUD URL from a plurality of MUD URLs corresponding to the plurality of MUD file servers; and obtaining the at least one MUD file from the at least one target MUD URL. It should be noted that the target MUD URL is a MUD URL that is of the plurality of MUD URLs in the plurality of MUD file servers and that corresponds to the stored MUD file of the terminal device. The at least one target MUD URL may be all of the plurality of MUD URLs, or the at least one target MUD URL may be a part of the plurality of MUD URLs.
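As an added example (not code from the application or from any project), the following Python model shows how a MUD control management device could select the target obtaining policy through the first mapping relationship (by MUD URL), the second mapping relationship (by device information) or a single default policy, and then obtain MUD files under the redirect-to-target-MUD-URLs, pre-designated-server and sequential (latest-read) rules described above. The host names, MUD file contents, policy field names and the in-memory MUD file servers are constructed assumptions.

```python
# Added example: a minimal model of the MUD control management device with
# in-memory MUD file servers. Policy kinds, hosts and file contents are constructed.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed MUD file servers, keyed by host: {MUD URL: MUD file}. A real MUD
# manager fetches these over HTTPS (RFC 8520); in memory here to run offline.
MUD_FILE_SERVERS = {
    "mfr.example": {          # first MUD file server (the manufacturer's)
        "https://mfr.example/mud/cam.json": {
            "device-type": "camera", "bandwidth": 20,
            "access": ["https", "ntp", "rtsp"]},
    },
    "integrator.example": {   # intermediate vendor
        "https://integrator.example/mud/cam.json": {"bandwidth": 10},
    },
    "infosec.example": {      # client-side security hardening
        "https://infosec.example/mud/cam.json": {"access": ["https", "ntp"]},
    },
}


@dataclass
class ObtainingPolicy:
    """Rule for obtaining MUD files from the plurality of MUD file servers."""
    kind: str                                    # "redirect" | "designated" | "sequential"
    targets: list = field(default_factory=list)  # target MUD URLs (redirect) / hosts (designated)
    keep_latest_only: bool = False               # sequential: globally update to the latest read


@dataclass
class MudControlManager:
    servers: dict
    url_policies: dict = field(default_factory=dict)   # first mapping: MUD URL -> policy
    info_policies: dict = field(default_factory=dict)  # second mapping: (field, value) -> policy
    default_policy: Optional[ObtainingPolicy] = None   # the only policy, when just one exists

    def select_policy(self, mud_url, device_info):
        """Determine the target obtaining policy for this terminal device."""
        if mud_url in self.url_policies:
            return self.url_policies[mud_url]
        for (key, value), policy in self.info_policies.items():
            if device_info.get(key) == value:
                return policy
        if self.default_policy is None:
            raise LookupError("no obtaining policy matches this terminal device")
        return self.default_policy

    def _read(self, url):
        """Read one MUD URL; hosts outside the configured server set are never contacted."""
        host = urlparse(url).hostname
        mud_file = self.servers.get(host, {}).get(url)
        return None if mud_file is None else (url, mud_file)

    def obtain(self, mud_url, device_info):
        """Return [(MUD URL, MUD file), ...] obtained under the target policy."""
        policy = self.select_policy(mud_url, device_info)
        path = urlparse(mud_url).path
        if policy.kind == "redirect":        # first server redirected to explicit target MUD URLs
            urls = list(policy.targets)
        elif policy.kind == "designated":    # pre-designated target servers, same document path
            urls = [f"https://{host}{path}" for host in policy.targets]
        elif policy.kind == "sequential":    # read every configured server in order
            urls = [f"https://{host}{path}" for host in self.servers]
        else:
            raise ValueError(f"unknown obtaining policy kind: {policy.kind}")
        obtained = [r for r in map(self._read, urls) if r is not None]
        if policy.keep_latest_only:
            return obtained[-1:]             # only the latest read MUD file survives
        return obtained


# Constructed configuration of the MUD control management device.
MANAGER = MudControlManager(
    servers=MUD_FILE_SERVERS,
    url_policies={
        "https://mfr.example/mud/cam.json": ObtainingPolicy(
            "redirect", ["https://mfr.example/mud/cam.json",
                         "https://infosec.example/mud/cam.json"]),
    },
    info_policies={
        ("manufacturer", "Acme"): ObtainingPolicy(
            "designated", ["integrator.example", "infosec.example"]),
    },
    default_policy=ObtainingPolicy("sequential", keep_latest_only=True),
)


def handle_mud_url_request(mud_url, device_info, manager=MANAGER):
    """Handle a MUD URL request message: returns the obtained MUD files."""
    return manager.obtain(mud_url, device_info)
```

A request whose MUD URL matches the first mapping is served by the redirect policy; one that only matches device information falls through to the second mapping, and anything else uses the single default policy.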
In some specific implementations, after the MUD control management device obtains the at least one MUD file according to the method provided in embodiments of this application, embodiments of this application may further include: The MUD control management device processes the at least one MUD file to obtain a target MUD file, where the target MUD file is for constraining network behavior of the terminal device. In one case, when the at least one MUD file includes only one MUD file, the MUD control management device may directly use the unique obtained MUD file as the target MUD file, and constrain the network behavior of the terminal device based on the target MUD file. In another case, when the at least one MUD file includes at least two MUD files, the MUD control management device needs to process the at least two MUD files to obtain the target MUD file, and constrains the network behavior of the terminal device based on the target MUD file.
In an example, a process of processing the at least one MUD file to obtain the target MUD file may include, for example, a process of determining a device description entry included in the target MUD file. In one case, all device description entries included in the obtained MUD file may be used as device description entries in the target MUD file. Assuming that the at least one MUD file includes a first MUD file and a second MUD file, the first MUD file includes a first device description entry of the terminal device, the second MUD file includes a second device description entry of the terminal device, and the first device description entry is different from the second device description entry, the target MUD file includes the first device description entry and the second device description entry. In another case, a device description entry included in all the obtained MUD files may alternatively be used as a device description entry in the target MUD file. Assuming that the at least one MUD file includes a first MUD file and a second MUD file, the first MUD file includes a first device description entry and a second device description entry that are of the terminal device, the second MUD file includes the second device description entry of the terminal device, and the first device description entry is different from the second device description entry, the target MUD file includes the second device description entry.
In addition, when a plurality of MUD files of the obtained at least one MUD file include a same device description entry, but MUD information of the same device description entry is different, a process of processing the at least one MUD file to obtain the target MUD file may include, for example, a process of determining MUD information of the device description entry in the target MUD file. In an example, embodiments of this application may further include: obtaining, based on a target MUD file processing policy corresponding to the terminal device, MUD information that is for describing the first device description entry and that is in the target MUD file. The first device description entry is the same device description entry included in the plurality of MUD files of the obtained at least one MUD file.
The target MUD file processing policy indicates a rule of processing the obtained at least one MUD file to obtain the target MUD file. In one case, in an example, the target MUD file processing policy may include: when the plurality of MUD files are obtained in sequence, using MUD information that is for describing the first device description entry and that is in the latest obtained MUD file as the MUD information that is for describing the first device description entry and that is in the target MUD file. Alternatively, in another case, in an example, the target MUD file processing policy may include: when there is MUD information for describing the first device description entry in the plurality of MUD files, using MUD information that is for describing the first device description entry and that is in a specified MUD file (for example, a MUD file provided by the manufacturer of the terminal device) as the MUD information that is for describing the first device description entry and that is in the target MUD file. Alternatively, in still another case, in an example, the target MUD file processing policy may include: when there is MUD information for describing the first device description entry in the plurality of MUD files, processing the MUD information of the first device description entry by using a specified operation, and using an operation result as the MUD information that is of the first device description entry and that is in the target MUD file. Alternatively, in yet another case, in an example, the target MUD file processing policy may include: when the plurality of MUD files include first MUD information and second MUD information that are for describing the first device description entry, obtaining the first MUD information and the second MUD information, and associating, in the target MUD file, the first MUD information with a first service and the second MUD information with a second service.
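As an added example (not code from the application or from any project), the following Python function builds the target MUD file from several obtained MUD files: it selects device description entries by union or intersection as described earlier, and resolves differing MUD information for the same entry under the latest-obtained, specified-file, specified-operation and per-service rules above. The MUD files, the most-restrictive operations and the service labels are constructed assumptions, and MUD files are simplified to entry-to-information dicts rather than RFC 8520 YANG/JSON documents.

```python
# Added example: processing several obtained MUD files into one target MUD
# file. MUD files are modelled as {device description entry: MUD information}.
import json
from dataclasses import dataclass, field

# Constructed MUD files obtained in sequence: manufacturer first, then an
# intermediate vendor, then the client-side security hardening.
F_MFR = {"device-type": "camera", "bandwidth": 20, "access": ["https", "ntp", "rtsp"]}
F_INTEGRATOR = {"bandwidth": 10, "priority": 3}
F_INFOSEC = {"access": ["https", "ntp"], "bandwidth": 10}
OBTAINED = [F_MFR, F_INTEGRATOR, F_INFOSEC]

# Assumed "specified operations" for conflicting MUD information: each picks
# the most restrictive value, so a later file can only tighten a constraint.
STRICTEST = {
    "bandwidth": min,
    "access": lambda lists: sorted(set.intersection(*map(set, lists))),
}


@dataclass
class ProcessingPolicy:
    """Rule for processing the obtained MUD files into the target MUD file."""
    entry_mode: str = "union"       # "union": every entry; "intersection": entries in all files
    conflict: str = "latest"        # "latest" | "specified" | "operation" | "per_service"
    specified_index: int = 0        # index of the specified MUD file (0 = manufacturer)
    operations: dict = field(default_factory=dict)  # entry -> fn(values) for "operation"
    services: list = field(default_factory=list)    # file index -> service for "per_service"


def select_entries(mud_files, mode):
    """Device description entries of the target MUD file, in first-seen order."""
    ordered = []
    for mud_file in mud_files:
        for entry in mud_file:
            if entry not in ordered:
                ordered.append(entry)
    if mode == "union":
        return ordered
    if mode == "intersection":
        return [e for e in ordered if all(e in f for f in mud_files)]
    raise ValueError(f"unknown entry mode: {mode}")


def resolve(entry, values, policy):
    """Pick the MUD information for one entry whose values differ between files."""
    if policy.conflict == "latest":
        return values[-1][1]
    if policy.conflict == "specified":
        # Assumed fallback: if the specified file lacks the entry, take the latest.
        return dict(values).get(policy.specified_index, values[-1][1])
    if policy.conflict == "operation":
        return policy.operations[entry]([v for _, v in values])
    if policy.conflict == "per_service":
        return {policy.services[i]: v for i, v in values}
    raise ValueError(f"unknown conflict policy: {policy.conflict}")


def build_target_mud_file(mud_files, policy):
    """Process the obtained MUD file(s) into the target MUD file."""
    if len(mud_files) == 1:
        return dict(mud_files[0])           # a single obtained file is used directly
    target = {}
    for entry in select_entries(mud_files, policy.entry_mode):
        values = [(i, f[entry]) for i, f in enumerate(mud_files) if entry in f]
        distinct = {json.dumps(v, sort_keys=True) for _, v in values}
        if len(distinct) == 1:
            target[entry] = values[0][1]    # same MUD information everywhere: no conflict
        else:
            target[entry] = resolve(entry, values, policy)
    return target
```

With the constructed files, the default policy (union, latest wins) yields a bandwidth of 10 and the hardened access list, while the specified-file policy keeps the manufacturer's values for every conflicting entry.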
It can be learned that according to the method provided in embodiments of this application, in a scenario in which a plurality of MUD files are distributed on different MUD file servers, when the terminal device accesses a network, the MUD control management device may obtain the at least one MUD file from the plurality of MUD file servers based on the target obtaining policy corresponding to the terminal device, so as to obtain the MUD file from the plurality of MUD file servers. In addition, to more accurately constrain the terminal device based on the obtained at least one MUD file, and avoid a constraint conflict, on the network behavior of the terminal device, caused by different MUD information of the same device description entry in the plurality of obtained MUD files, the MUD control management device can further process the obtained at least one MUD file to determine the target MUD file, so as to accurately constrain the network behavior of the terminal device based on the processed target MUD file.
According to a second aspect, an embodiment of this application further provides a MUD control management device. The MUD control management device includes a transceiver unit and a processing unit. The transceiver unit is configured to perform receiving and sending operations in the method provided in the first aspect. The processing unit is configured to perform an operation other than the receiving and sending operations in the method provided in the first aspect. For example, when the MUD control management device performs the method provided in the first aspect, the transceiver unit may be configured to receive a MUD URL request message sent by a terminal device, and the processing unit may be configured to obtain at least one MUD file from a plurality of MUD file servers based on a target obtaining policy corresponding to the terminal device.
According to a third aspect, an embodiment of this application further provides a MUD control management device. The MUD control management device includes a communication interface and a processor. The communication interface is configured to perform receiving and sending operations in the method provided in the first aspect. The processor is configured to perform operations other than the receiving and sending operations in the method provided in any one of the first aspect or the possible implementations of the first aspect.
According to a fourth aspect, an embodiment of this application further provides a MUD control management device. The MUD control management device includes a memory and a processor. The memory includes computer-readable instructions. The processor communicating with the memory is configured to execute the computer-readable instructions, so that the MUD control management device is configured to perform the method provided in any one of the first aspect or the possible implementations of the first aspect.
According to a fifth aspect, an embodiment of this application further provides a communication system. The communication system includes a MUD control management device, a terminal device, and a plurality of MUD file servers. The MUD control management device may be specifically the MUD control management device provided in the second aspect, the third aspect, or the fourth aspect.
According to a sixth aspect, an embodiment of this application further provides a communication system. The communication system includes a MUD control management device, a terminal device, and a plurality of MUD file servers. The plurality of MUD file servers include a first MUD file server, and the first MUD file server is configured to store a first MUD file. The plurality of MUD file servers include a second MUD file server, and the second MUD file server is configured to store a second MUD file. In addition, the plurality of MUD file servers may further include another MUD file server. For example, the plurality of MUD file servers may further include a third MUD file server, and the third MUD file server is configured to store a third MUD file.
In the communication system provided in the fifth aspect or the sixth aspect, the following related operations may be further specifically performed.
The terminal device in the communication system is configured to send a MUD uniform resource locator URL request message to the MUD control management device; and the MUD control management device is configured to obtain at least one MUD file from the plurality of MUD file servers based on a target obtaining policy corresponding to the terminal device. For example, the at least one MUD file may include at least one of the following MUD files: the first MUD file, the second MUD file, and the third MUD file.
In some possible implementations, the MUD control management device stores a first mapping relationship between the target obtaining policy and a MUD URL that is provided by a manufacturer of the terminal device for the terminal device. In this case, the MUD control management device in the communication system is further configured to obtain the target obtaining policy based on the first mapping relationship.
In some other possible implementations, the MUD control management device stores a second mapping relationship between device information of the terminal device and the target obtaining policy. In this case, the MUD control management device in the communication system is further configured to obtain the target obtaining policy based on the second mapping relationship. The device information of the terminal device includes one or more of the following: a device identifier of the terminal device; a device type of the terminal device; a network segment to which the terminal device belongs; an internet protocol IP address of the terminal device; a media access control MAC address of the terminal device; or information about the manufacturer of the terminal device.
In still some possible implementations, the MUD control management device in the communication system is further configured to determine the target obtaining policy from a plurality of preconfigured obtaining policies. The plurality of obtaining policies may be locally configured and stored in the MUD control management device, or may be obtained by the MUD control management device from another device and stored.
In still some possible implementations, that the MUD control management device in the communication system is configured to obtain at least one MUD file from the plurality of MUD file servers based on a target obtaining policy corresponding to the terminal device may specifically include: determining at least one target MUD file server from the plurality of MUD file servers based on the target obtaining policy; and obtaining the at least one MUD file from the at least one target MUD file server.
The target obtaining policy includes: redirecting, based on the MUD URL provided by the manufacturer of the terminal device for the terminal device, the first MUD file server corresponding to the MUD URL to the at least one target MUD file server, and obtaining the MUD file in the at least one target MUD file server, where the plurality of MUD file servers include the first MUD file server, and the at least one target MUD file server includes the second MUD file server; globally updating an obtained MUD file to the MUD file most recently read from a MUD file server under a sequential reading principle; reading and storing a plurality of MUD files in the plurality of MUD file servers in sequence; or pre-designating the at least one target MUD file server from the plurality of MUD file servers, and obtaining the MUD file in the at least one target MUD file server.
It should be noted that the at least one target MUD file server may be all of the plurality of MUD file servers, or the at least one target MUD file server may be a part of the plurality of MUD file servers.
In some possible implementations, the MUD control management device in the communication system is further configured to process the at least one MUD file to obtain a target MUD file, where the target MUD file is for constraining network behavior of the terminal device.
In an example, the at least one MUD file includes the first MUD file and the second MUD file, the first MUD file includes a first device description entry of the terminal device, the second MUD file includes a second device description entry of the terminal device, the first device description entry is different from the second device description entry, and the target MUD file includes the first device description entry and the second device description entry.
In a possible implementation, the MUD control management device in the communication system is further configured to obtain, based on a target MUD file processing policy corresponding to the terminal device, MUD information that is for describing the first device description entry and that is in the target MUD file. The target MUD file processing policy includes: when the plurality of MUD files are obtained in sequence, using MUD information that is for describing the first device description entry and that is in the latest obtained MUD file as the MUD information that is for describing the first device description entry and that is in the target MUD file; when there is MUD information for describing the first device description entry in all the plurality of MUD files, using MUD information that is for describing the first device description entry and that is in a MUD file provided by the manufacturer of the terminal device as the MUD information that is for describing the first device description entry and that is in the target MUD file; or when the plurality of MUD files include first MUD information and second MUD information that are for describing the first device description entry, obtaining the first MUD information and the second MUD information, and associating, in the target MUD file, the first MUD information with a first service and the second MUD information with a second service.
It should be noted that for related descriptions and achieved effects of specific implementations of the communication system provided in the fifth aspect and the sixth aspect, refer to related descriptions of the method provided in any one of the first aspect or the possible implementations of the first aspect.
According to a seventh aspect, an embodiment of this application further provides a computer-readable storage medium. The computer-readable storage medium stores instructions. When the instructions are run on a computer, the computer is enabled to perform the method provided in any one of the first aspect or the possible implementations of the first aspect.
According to an eighth aspect, an embodiment of this application further provides a computer program product, including a computer program or computer-readable instructions. When the computer program or the computer-readable instructions are run on a computer, the computer is enabled to perform the method provided in any one of the first aspect or the possible implementations of the first aspect.
The following describes technical solutions of embodiments in this application with reference to accompanying drawings. A network architecture and a service scenario described in embodiments of this application are intended to describe the technical solutions in embodiments of this application more clearly, and do not constitute a limitation on the technical solutions provided in embodiments of this application. A person of ordinary skill in the art may know that: With the evolution of the network architecture and the emergence of new service scenarios, the technical solutions provided in embodiments of this application are also applicable to similar technical problems.
Ordinal numbers such as “1”, “2”, “3”, “first”, “second”, and “third” in this application are used to distinguish between a plurality of objects, but are not used to limit a sequence of the plurality of objects.
“A and/or B” mentioned in this application should be understood as including the following cases: Only A is included, only B is included, or both A and B are included.
For related content of the MUD file in this application, refer to related descriptions of the Internet Engineering Task Force (IETF) Request For Comments (RFC) 8520 “Manufacturer Usage Description Specification”. The foregoing standard is incorporated in this application by reference in its entirety.
To constrain various terminal devices that are on a network, a manufacturer usually generates corresponding MUD files for the terminal devices before delivery. Network behavior of the terminal device is constrained based on MUD information corresponding to a device description entry included in the MUD file. The device description entry is specifically for describing the network behavior related to the terminal device. The device description entry may include, for example, a device type, network access permission, defined bandwidth, and a network priority of the terminal device. The MUD information corresponding to the device description entry is a specific description of the device description entry. For example, MUD information of a device description entry of the defined bandwidth may be a value of the bandwidth. For another example, MUD information of a device description entry of the network access permission may be network access permission assigned to the terminal device.
In embodiments of this application, the terminal device may be any device that needs to access a network through a network device, and may be, for example, a personal computer, a printer, a camera, a smart LED lamp, or a conference room projection device.
RFC 8520 defines a set of protocol frameworks based on the MUD file. According to RFC 8520, to save storage space on the terminal device, the manufacturer of the terminal device generally stores the generated MUD file in a MUD file server corresponding to the manufacturer, and stores, in the terminal device, only a MUD URL corresponding to the MUD file. When the terminal device accesses the network, the terminal device may send the MUD URL to the network device connected to the terminal device. The network device sends the MUD URL to a MUD control management device. The MUD control management device obtains the corresponding MUD file from the MUD file server of the manufacturer based on the MUD URL, and maps content of the MUD file to a network policy for constraining the network behavior of the terminal device.
It should be noted that, in embodiments of this application, the MUD control management device is an absolutely trusted and secure device by default. In the terminology of RFC 8520, the MUD control management device may be a MUD manager (which may also be referred to as a MUD controller).
The scenario shown in
In an example, the manufacturer may directly store the MUD URL in each terminal device. In this case, the terminal device 11 is used as an example, and a process of obtaining the MUD file may include, for example, the following steps. S11: When the terminal device 11 accesses the network, the terminal device 11 sends a message to the network device 20, where the message carries a MUD URL x, and the message may be, for example, a link layer discovery protocol (LLDP) request message or a dynamic host configuration protocol (DHCP) request message. S12: The network device 20 obtains the MUD URL x, and directly or indirectly sends the MUD URL x to the MUD control management device 30. S13: The MUD control management device 30 accesses the MUD file server 40 based on the MUD URL x, and obtains a MUD file 1 corresponding to the MUD URL x. S14: The MUD control management device 30 obtains a network policy 1 based on the MUD file 1, and applies the network policy 1 to the network device 20. S15: The network device 20 to which the network policy 1 is applied constrains network behavior of the terminal device 11. The network behavior may include, for example, one or more of network access permission, defined bandwidth, or a network priority of the terminal device 11.
It can be learned from the example that, currently, due to a limitation of the RFC 8520 protocol, a MUD control management device can obtain, based on an obtained MUD URL, a MUD file from only a MUD file server corresponding to a manufacturer of a terminal device, and further constrain network behavior of the terminal device based on the MUD file generated by the manufacturer.
However, in a process from producing the terminal device by the manufacturer to using the terminal device by a user, many production (or deployment) phases may need to impose a specific limitation on the network behavior of the terminal device, and generate corresponding MUD files. For example, after the terminal device is produced by the manufacturer, the terminal device may be commercially deployed on a client side after a plurality of intermediate production procedures of a plurality of intermediate vendors are performed on the terminal device. In this case, the intermediate vendors or the intermediate production procedures may provide corresponding MUD files for the terminal device as required. For another example, after the terminal device is commercially deployed on a client side, security hardening by an information security department, operation and maintenance enhancement by an information technology (IT) maintenance department, or the like may be performed on the terminal device. In this case, during security hardening or operation and maintenance enhancement, a corresponding MUD file may be provided for the terminal device as required. In this way, the network architecture shown in
On this basis, an embodiment of this application provides a communication system. The communication system may include a terminal device, a plurality of MUD file servers, and a MUD control management device. The MUD control management device can communicate with the terminal device, or the MUD control management device may separately communicate with the plurality of MUD file servers. Each of the plurality of MUD file servers is configured to store a MUD file provided for the terminal device in one or more production (or deployment) phases. For example, the communication system includes n MUD file servers, and each MUD file server includes one MUD file of the terminal device.
It can be learned that in the foregoing communication system provided in embodiments of this application, a plurality of MUD files of one terminal device are distributed on a plurality of MUD file servers, and these MUD files are network behavior constraints imposed on the terminal device in each production (or deployment) phase. In this way, by using a network framework in which the plurality of MUD files are distributed on the plurality of MUD file servers in the communication system, it is possible that all production (or deployment) phases of the terminal device generate a plurality of different MUD files for the terminal device.
For ease of understanding a scenario similar to that shown in
In the communication system provided in embodiments of this application, to accurately constrain network behavior of a terminal device, a device description entry and MUD information of the device description entry in each MUD file of the terminal device need to be comprehensively considered. However, in a current RFC 8520 protocol, a MUD control management device obtains, by default based on an obtained MUD URL, a MUD file from a MUD file server corresponding to a manufacturer of a terminal device, and a mechanism of obtaining a MUD file from a plurality of MUD file servers is not supported. Consequently, when a plurality of MUD files are distributed on a plurality of MUD file servers, the MUD file cannot be obtained from the plurality of MUD file servers for the terminal device, and network behavior of the terminal device cannot be accurately constrained.
On this basis, in embodiments of this application, a method for obtaining a manufacturer usage description MUD file is provided. In the method, in a scenario in which a plurality of MUD files are distributed on a plurality of MUD file servers, a MUD file can be obtained from the plurality of MUD file servers. During specific implementation, in the communication system 200 shown in
It should be noted that the target obtaining policy in the MUD control management device indicates a rule for obtaining the at least one MUD file from the plurality of MUD file servers. In one case, the target obtaining policy may be configured and stored by a user on the MUD control management device. In another case, the target obtaining policy may alternatively be obtained by the MUD control management device from another device and stored. In the MUD control management device, one terminal device corresponds to only one target obtaining policy. However, one target obtaining policy may correspond to at least one terminal device. In other words, target obtaining policies corresponding to different terminal devices may be the same or different.
The MUD control management device may store a first mapping relationship between the target obtaining policy and a MUD URL provided by a manufacturer of the terminal device for the terminal device, so that after obtaining the MUD URL of the terminal device, the MUD control management device determines, from the first mapping relationship, the target obtaining policy matching the MUD URL, so as to obtain the at least one MUD file from the plurality of MUD file servers based on the target obtaining policy. Alternatively, the MUD control management device may store a second mapping relationship between the target obtaining policy and device information of the terminal device, so that after obtaining the device information of the terminal device, the MUD control management device determines, from the second mapping relationship, the target obtaining policy matching the device information of the terminal device, to obtain the at least one MUD file from the plurality of MUD file servers based on the target obtaining policy. The device information may be a unique identifier of the terminal device, for example, a device identifier, an IP address, or a MAC address of the terminal device, or the device information may be a batch identifier of the terminal device, for example, a device type of the terminal device, a network segment to which the terminal device belongs, or information about the manufacturer of the terminal device. For example, the device information is the device type of the terminal device. Each device type corresponds to only one target obtaining policy, and one target obtaining policy may correspond to at least one device type. In this way, terminal devices of a same device type definitely correspond to a same target obtaining policy, and terminal devices of different device types may correspond to a same target obtaining policy or may correspond to different target obtaining policies.
The communication system 200 shown in
In specific implementation, a process of obtaining a MUD file may include the following steps. S21: When the terminal device 11 accesses a network, the terminal device 11 sends a MUD URL request message to the MUD control management device 30, where the MUD URL request message carries a MUD URL x. S22: The MUD control management device 30 parses the MUD URL request message to obtain a device type A of the terminal device 11. S23: The MUD control management device 30 determines, from the three prestored mapping relationships, that the device type A of the terminal device 11 corresponds to the mapping relationship 1, and uses the obtaining policy 1 in the mapping relationship 1 as a target obtaining policy. S24: The MUD control management device 30 determines, based on the obtaining policy 1, that corresponding MUD files need to be respectively obtained from the MUD file server 40, the MUD file server 50, and the MUD file server 60. S25: The MUD control management device 30 obtains the MUD file 1 from the MUD file server 40. S26: The MUD control management device 30 obtains the MUD file 2 from the MUD file server 50. S27: The MUD control management device 30 obtains the MUD file 3 from the MUD file server 60. S28: The MUD control management device 30 determines a corresponding network policy 2 based on the MUD file 1, the MUD file 2, and the MUD file 3, and applies the network policy 2 to the network device 20, so that the network device 20 constrains network behavior of the terminal device 11. S25, S26, and S27 may be performed sequentially or simultaneously. A specific execution sequence is not limited.
In this way, an obtaining policy is configured in the MUD control management device 30, so that in the scenario in which the plurality of MUD files are distributed on the plurality of MUD file servers, the MUD file can be obtained from the plurality of MUD file servers, thereby implementing an accurate constraint on the network behavior of the terminal device.
In another example, if the three mapping relationships pre-stored on the MUD control management device 30 are updated depending on an actual requirement, an updated mapping relationship 1 is specifically: device type A-obtaining policy 4 “Redirect, based on the MUD URL x provided by the manufacturer of the terminal device for the terminal device, the MUD file server 40 corresponding to the MUD URL x to the MUD file server 50 and the MUD file server 60”. In specific implementation, in addition to the foregoing S21 and S22, a process of obtaining a MUD file further includes the following steps. S23′: The MUD control management device 30 determines, from the three prestored mapping relationships, that the device type A of the terminal device 11 corresponds to the mapping relationship 1, and uses the obtaining policy 4 in the mapping relationship 1 as a target obtaining policy. S24′: The MUD control management device 30 determines, based on the obtaining policy 4 in the mapping relationship 1, that corresponding MUD files need to be obtained from the MUD file server 50 and the MUD file server 60. S26: The MUD control management device 30 obtains the MUD file 2 from the MUD file server 50. S27: The MUD control management device 30 obtains the MUD file 3 from the MUD file server 60. S28′: The MUD control management device 30 determines a corresponding network policy 3 based on the MUD file 2 and the MUD file 3, and applies the network policy 3 to the network device 20, so that the network device 20 constrains network behavior of the terminal device 11. S26 and S27 may be performed sequentially or simultaneously. A specific execution sequence is not limited.
In this way, different obtaining policies are flexibly defined in the MUD control management device 30 based on actual requirements, so that it is possible to obtain different MUD files in different phases based on different requirements, and network behavior of the terminal device can be flexibly constrained.
It should be noted that, for specific implementation details and effects, refer to related descriptions in the following method 100 shown in
It may be understood that, the scenario is merely a scenario example provided in embodiments of this application, but embodiments of this application are not limited to the scenario.
With reference to
S101: The terminal device 11 sends a MUD URL request message 1 to a MUD control management device 30.
S102: The MUD control management device 30 receives the MUD URL request message 1 sent by the terminal device 11.
When the terminal device 11 needs to access a network, the terminal device 11 may perform S101 to send the MUD URL request message 1 to the MUD control management device 30. The MUD URL request message 1 is used to request the MUD control management device 30 to obtain a MUD file of the terminal device 11, so as to subsequently constrain network behavior of the terminal device 11 based on the MUD file. The MUD URL request message 1 carries a MUD URL x provided for the terminal device 11 by a manufacturer of the terminal device 11.
In an example, the MUD URL request message 1 may be an 802.1X request message. In this case, S101 may specifically include: The terminal device 11 sends the 802.1X request message to the MUD control management device 30, where the 802.1X request message carries the MUD URL x provided for the terminal device 11 by the manufacturer of the terminal device 11.
In another example, the MUD URL request message 1 may alternatively be a DHCP request message or an LLDP request message. In this case, S101 may specifically include: The terminal device 11 sends the DHCP request message or the LLDP request message to the MUD control management device 30, where the DHCP request message or the LLDP request message carries the MUD URL x provided for the terminal device 11 by the manufacturer of the terminal device 11. For example, the DHCP request message or the LLDP request message may carry, in an extended option field or a type-length-value (TLV) field, the MUD URL x provided for the terminal device 11 by the manufacturer of the terminal device 11.
The terminal device 11 is equipped with the MUD URL x by the manufacturer before delivery, and is used to obtain, from a MUD file server 40 corresponding to the manufacturer, a MUD file 1 generated by the manufacturer for the terminal device 11. The MUD file 1, the MUD file server 40, and the MUD URL x are in one-to-one correspondence. The MUD URL x may include information such as the manufacturer of the terminal device 11, a device type of the terminal device 11, a firmware version number of the terminal device 11, and a system version number of the terminal device 11. For example, the MUD URL x is https://www.huawei.com/mud/router/firmware_version_1234/os_version_4321.json. It can be learned based on the MUD URL x that the manufacturer of the terminal device 11 is Huawei, the device type is router, the firmware version number of the terminal device 11 is 1234, and the system version number of the terminal device is 4321.
After receiving the MUD URL request message 1 sent by the terminal device 11, the MUD control management device 30 may obtain the MUD URL x from the MUD URL request message 1. In addition, the MUD control management device 30 may further obtain device information X of the terminal device 11 from the MUD URL request message 1. In one case, the MUD control management device 30 may obtain the device information X of the terminal device 11 by parsing the MUD URL x, for example, obtain a device type X of the terminal device 11 by parsing the MUD URL x, and use the device type X as the device information X of the terminal device 11. In another case, the MUD control management device 30 may obtain the device information X of the terminal device 11 based on content other than the MUD URL x in the MUD URL request message 1, for example, obtain, based on a source Internet Protocol (IP) address carried in the MUD URL request message 1, a network segment X to which the terminal device 11 belongs, and use the network segment X as the device information X of the terminal device 11.
The device information X of the terminal device 11 specifically refers to one or more pieces of attribute information of the terminal device 11. For example, the device information X of the terminal device 11 includes but is not limited to at least one of the following information: a device identifier X of the terminal device 11, the device type X of the terminal device 11, information about the manufacturer X of the terminal device 11, the network segment X to which the terminal device 11 belongs, an IP address of the terminal device 11, or a MAC address of the terminal device 11.
S103: The MUD control management device 30 obtains at least one MUD file from a plurality of MUD file servers based on a target obtaining policy X corresponding to the terminal device 11.
Between S102 and S103, this embodiment of this application may further include a process in which the MUD control management device 30 determines the target obtaining policy X corresponding to the terminal device 11. For example, S104 may be included between S102 and S103.
S104: The MUD control management device 30 determines, from at least one preconfigured obtaining policy, the target obtaining policy X corresponding to the terminal device 11.
The at least one obtaining policy is preconfigured and stored in the MUD control management device 30 depending on an actual requirement. The obtaining policy indicates a rule for obtaining a MUD file from the plurality of MUD file servers.
If only one obtaining policy is configured and stored in the MUD control management device 30, the MUD control management device 30 may directly use the obtaining policy as the target obtaining policy X, and perform S103.
If a plurality of obtaining policies are configured and stored in the MUD control management device 30, a plurality of mapping relationships including the obtaining policies may be stored in the MUD control management device 30. During specific implementation, S104 may specifically include: The MUD control management device 30 determines, from at least one locally stored mapping relationship, one mapping relationship corresponding to the terminal device 11, and denotes an obtaining policy in the determined mapping relationship as the target obtaining policy X.
In an example, the plurality of mapping relationships may be specifically first mapping relationships between an obtaining policy and a MUD URL of the terminal device, and the plurality of first mapping relationships include a first mapping relationship X1 between the target obtaining policy X and the MUD URL x of the terminal device 11. For example, the MUD control management device 30 stores m (where m is greater than or equal to 1) first mapping relationships: MUD URL x-obtaining policy 1, MUD URL 2-obtaining policy 2, . . . , and MUD URL m-obtaining policy m. The obtaining policy 1 to the obtaining policy m may be a same obtaining policy or may be different. MUD URLs in the MUD URL x to the MUD URL m are different. In addition, the m first mapping relationships include the first mapping relationship X1: MUD URL x-target obtaining policy X. In this example, S104 may specifically include: The MUD control management device 30 may search at least one first mapping relationship for the first mapping relationship X1 in which a MUD URL is the MUD URL x, and denote an obtaining policy X in the first mapping relationship X1 as the target obtaining policy X.
In another example, the plurality of mapping relationships may be specifically second mapping relationships between an obtaining policy and device information of the terminal device, and the plurality of second mapping relationships include a second mapping relationship X1 between the target obtaining policy X and the device information X of the terminal device 11. For example, the MUD control management device 30 stores m second mapping relationships: device information 1-obtaining policy 1, device information 2-obtaining policy 2, . . . , and device information m-obtaining policy m. The obtaining policy 1 to the obtaining policy m may be a same obtaining policy or may be different. Content in the device information 1 to the device information m is different. In addition, the m second mapping relationships include the second mapping relationship X1: device information X-target obtaining policy X. In this example, S104 may specifically include: The MUD control management device 30 may search at least one second mapping relationship for the second mapping relationship X1 in which device information is the device information X, and denote an obtaining policy X in the second mapping relationship X1 as the target obtaining policy X.
The target obtaining policy X is one of obtaining policies preconfigured by the MUD control management device. The following describes several possible target obtaining policies X by using some examples.
In a first example, the target obtaining policy X may be specifically: redirecting, based on a MUD URL provided by a manufacturer of a terminal device for the terminal device, a first MUD file server corresponding to the MUD URL to at least one target MUD file server in the plurality of MUD file servers, and obtaining the MUD file in the at least one target MUD file server. The first MUD file server belongs to the plurality of MUD file servers, the at least one target MUD file server to which redirection is performed includes a second MUD file server, and the second MUD file server and the first MUD file server are different servers. The network device 200 is used as an example. The target obtaining policy X corresponds to the terminal device 11. When the MUD file server 40 is redirected to the MUD file server 40 and the MUD file server 50, the target obtaining policy X may specifically indicate: redirecting the MUD file server 40 corresponding to the MUD URL x to the MUD file server 40 and the MUD file server 50 based on the MUD URL x of the terminal device 11, and obtaining the MUD file 1 from the MUD file server 40 and the MUD file 2 from the MUD file server 50. Alternatively, when the MUD file server 40 is redirected to the MUD file server 40, the MUD file server 50, and the MUD file server 60, the target obtaining policy X may alternatively specifically indicate: redirecting the MUD file server 40 corresponding to the MUD URL x to the MUD file server 40, the MUD file server 50, and the MUD file server 60 based on the MUD URL x of the terminal device 11, and obtaining the MUD file 1 from the MUD file server 40, the MUD file 2 from the MUD file server 50, and the MUD file 3 from the MUD file server 60. 
Alternatively, when the MUD file server 40 is redirected to the MUD file server 60, the target obtaining policy X may alternatively specifically indicate: redirecting the MUD file server 40 corresponding to the MUD URL x to the MUD file server 60 based on the MUD URL x of the terminal device 11, and obtaining the MUD file 3 from the MUD file server 60.
In a second example, the target obtaining policy X may alternatively be specifically: pre-designating at least one target MUD file server from the plurality of MUD file servers, and obtaining the MUD file in the at least one target MUD file server. The network device 200 is used as an example. When the specified target MUD file server includes the MUD file server 40 and the MUD file server 50, the target obtaining policy X may specifically indicate: obtaining the MUD file 1 from the MUD file server 40 and the MUD file 2 from the MUD file server 50. Alternatively, when the specified target MUD file server includes the MUD file server 40, the MUD file server 50, and the MUD file server 60, the target obtaining policy X may alternatively specifically indicate: obtaining the MUD file 1 from the MUD file server 40, the MUD file 2 from the MUD file server 50, and the MUD file 3 from the MUD file server 60. Alternatively, when the specified target MUD file server includes the MUD file server 60, the target obtaining policy X may alternatively specifically indicate: obtaining the MUD file 3 from the MUD file server 60.
In a third example, the target obtaining policy X may alternatively be specifically: following a sequential reading principle, globally replacing the obtained MUD file with the MUD file most recently read from a MUD file server. The network device 200 is still used as an example. The target obtaining policy X corresponding to the terminal device 11 may specifically indicate: In a principle of sequentially reading all MUD file servers in a first-to-last production (or deployment) sequence, the MUD control management device 30 first reads the MUD file 1 from the MUD file server 40; then reads the MUD file 2 from the MUD file server 50, and globally updates the MUD file 1 to the MUD file 2; and then reads the MUD file 3 from the MUD file server 60, and globally updates the MUD file 2 to the MUD file 3. Alternatively, the target obtaining policy X corresponding to the terminal device 11 may specifically indicate: In a principle of sequentially reading other MUD file servers than the MUD file server 40 in a last-to-first production (or deployment) sequence, the MUD control management device 30 first reads the MUD file 3 from the MUD file server 60; and then reads the MUD file 2 from the MUD file server 50, and globally updates the MUD file 3 to the MUD file 2. It should be noted that, in the third example, the target MUD file server includes all or a part of a plurality of MUD file servers read in the sequential reading principle that are specified in the target obtaining policy X.
In a fourth example, the target obtaining policy X may alternatively be specifically: reading and storing a plurality of MUD files in the plurality of MUD file servers in sequence. The network device 200 is still used as an example. The target obtaining policy X corresponding to the terminal device 11 may specifically indicate: respectively reading the MUD file 1, the MUD file 2, and the MUD file 3 from the MUD file server 40, the MUD file server 50, and the MUD file server 60 that correspond to the terminal device 11. It should be noted that in the fourth example, the target MUD file server includes a MUD file server in the plurality of MUD file servers of the terminal device.
It should be noted that, in embodiments of this application, the plurality of MUD file servers are all MUD servers corresponding to the terminal device 11, and each of the plurality of MUD file servers stores a MUD file generated for the terminal device 11 in one or more production (or deployment) phases. For example, in the communication system 200 shown in
S104 is performed to obtain the target obtaining policy X corresponding to the terminal device 11. This provides a basis for performing S103.
In an example, that the MUD control management device 30 obtains at least one MUD file from a plurality of MUD file servers based on a target obtaining policy X corresponding to the terminal device 11 in S103 may include: The MUD control management device 30 first determines the at least one target MUD file server from the plurality of MUD file servers based on the target obtaining policy X corresponding to the terminal device 11, and obtains the at least one MUD file from the at least one target MUD file server.
In an example, the target obtaining policy X is redirecting, based on the MUD URL provided by the manufacturer of the terminal device for the terminal device, the first MUD file server corresponding to the MUD URL to the at least one target MUD file server in the plurality of MUD file servers, and obtaining the MUD file in the at least one target MUD file server. The first MUD file server belongs to the plurality of MUD file servers, and the at least one target MUD file server to which redirection is performed generally cannot include only the first MUD file server. It may be determined that the at least one target MUD file server includes the second MUD file server, and the second MUD file server and the first MUD file server are different servers. The network device 200 is used as an example. Assuming that the target obtaining policy X is redirecting the MUD file server 40 to the MUD file server 40 and the MUD file server 50, S103 may specifically include: The MUD control management device 30 determines, from the MUD file server 40, the MUD file server 50, and the MUD file server 60, that the at least one target MUD file server includes the MUD file server 40 and the MUD file server 50, so as to obtain the MUD file 1 from the MUD file server 40 and the MUD file 2 from the MUD file server 50. The network device 200 is still used as an example. Assuming that the target obtaining policy X is redirecting the MUD file server 40 to the MUD file server 40, the MUD file server 50, and the MUD file server 60, S103 may specifically include: The MUD control management device 30 determines, from the MUD file server 40, the MUD file server 50, and the MUD file server 60, that the at least one target MUD file server includes the MUD file server 40, the MUD file server 50, and the MUD file server 60, so as to obtain the MUD file 1 from the MUD file server 40, the MUD file 2 from the MUD file server 50, and the MUD file 3 from the MUD file server 60.
In another example, the target obtaining policy X is pre-designating the at least one target MUD file server from the plurality of MUD file servers, and obtaining the MUD file in the at least one target MUD file server. The network device 200 is used as an example. Assuming that the at least one target MUD file server specified in the target obtaining policy X is the MUD file server 40, S103 may specifically include: The MUD control management device 30 determines, from the MUD file server 40, the MUD file server 50, and the MUD file server 60, that the at least one target MUD file server is the MUD file server 40, so as to obtain the MUD file 1 from the MUD file server 40. The network device 200 is still used as an example. Assuming that the at least one target MUD file server specified in the target obtaining policy X is the MUD file server 40, the MUD file server 50, and the MUD file server 60, S103 may specifically include: The MUD control management device 30 determines, from the MUD file server 40, the MUD file server 50, and the MUD file server 60, that the at least one target MUD file server is the MUD file server 40, the MUD file server 50, and the MUD file server 60, so as to obtain the MUD file 1 from the MUD file server 40, the MUD file 2 from the MUD file server 50, and the MUD file 3 from the MUD file server 60.
In still another example, the target obtaining policy X is, following the sequential reading principle, globally replacing the obtained MUD file with the MUD file most recently read from the MUD file server. The network device 200 is used as an example. Assuming that the sequential reading principle in the target obtaining policy X is the principle of sequentially reading all the MUD file servers in the first-to-last production (or deployment) sequence, S103 may specifically include: The MUD control management device 30 first reads the MUD file 1 from the MUD file server 40; then reads the MUD file 2 from the MUD file server 50, and globally updates the MUD file 1 to the MUD file 2; and then reads the MUD file 3 from the MUD file server 60, and globally updates the MUD file 2 to the MUD file 3. The network device 200 is still used as an example. Assuming that the sequential reading principle in the target obtaining policy X is the principle of sequentially reading other MUD file servers than the MUD file server 40 in the last-to-first production (or deployment) sequence, S103 may specifically include: The MUD control management device 30 first reads the MUD file 3 from the MUD file server 60; and then reads the MUD file 2 from the MUD file server 50, and globally updates the MUD file 3 to the MUD file 2. It should be noted that, in the example, the target MUD file server includes all or a part of the plurality of MUD file servers read in the sequential reading principle that are specified in the target obtaining policy X.
In still another example, the target obtaining policy X is reading and storing the plurality of MUD files in the plurality of MUD file servers in sequence. The network device 200 is still used as an example. S103 may specifically include: The MUD control management device 30 reads the MUD file 1 from the MUD file server 40, the MUD file 2 from the MUD file server 50, and the MUD file 3 from the MUD file server 60. It should be noted that in the example, the at least one target MUD file server includes all of the plurality of MUD file servers of the terminal device.
It should be noted that the target MUD file server in the target obtaining policy X is determined depending on an actual requirement. In an example, the target MUD file server may be determined based on trust in a production (or deployment) phase. For example, if a manufacturer is trusted, the MUD file server 40 corresponding to the manufacturer is specified as the target MUD file server. For another example, if a user is trusted, the MUD file server 60 corresponding to the user is specified as the target MUD file server. In another example, the target MUD file server may alternatively be determined based on a service requirement. In still another example, the target MUD file server may alternatively be determined based on a subsequent processing feature of a MUD file.
In some other possible implementations, if the target obtaining policy X may alternatively indicate a location at which the MUD file corresponding to the terminal device 11 is stored in each target MUD file server, that is, the target obtaining policy X indicates at least one target MUD URL, S103 may specifically include: The MUD control management device 30 first determines the at least one target MUD URL based on the target obtaining policy X, and then obtains the at least one MUD file based on the at least one target MUD URL. A quantity of the at least one target MUD URL is less than or equal to a quantity of all the MUD file servers included in the plurality of MUD file servers.
A plurality of MUD URLs of all MUD files generated by the terminal device 11 in all production (or deployment) phases are known in the MUD control management device 30. A location of the MUD file 1 of the terminal device 11 in the MUD file server 40 is the MUD URL x, a location of the MUD file 2 in the MUD file server 50 is a MUD URL y, and a location of the MUD file 3 in the MUD file server 60 is a MUD URL z. The MUD control management device 30 can determine the at least one target MUD URL from the plurality of MUD URLs based on the target obtaining policy X. A target MUD URL is one of the plurality of MUD URLs. For example, a target MUD URL corresponding to the terminal device 11 may be the MUD URL x, the MUD URL y, or the MUD URL z. The at least one target MUD URL includes all or a part of the plurality of MUD URLs. For example, the at least one target MUD URL corresponding to the terminal device 11 may include the MUD URL x, the MUD URL y, and the MUD URL z. Alternatively, the target MUD URL corresponding to the terminal device 11 may be the MUD URL x.
In an example, the target obtaining policy X may alternatively be: redirecting the MUD file server 40 corresponding to the MUD URL x stored in the terminal device 11 to the at least one target MUD URL. For example, when the target obtaining policy X is redirecting the MUD file server 40 corresponding to the MUD URL x to the MUD URL x, the MUD URL y, and the MUD URL z, the at least one target MUD URL includes the MUD URL x, the MUD URL y, and the MUD URL z. For another example, when the target obtaining policy X is redirecting the MUD file server 40 corresponding to the MUD URL x to the MUD URL z, the at least one target MUD URL includes only the MUD URL z. In this embodiment, S103 may specifically include: The MUD control management device 30 determines, based on the target obtaining policy X, the at least one target MUD URL to which the MUD file server 40 corresponding to the MUD URL x is redirected, and obtains the at least one MUD file based on the at least one target MUD URL.
It should be noted that the target MUD URL in the target obtaining policy X may be determined depending on an actual requirement. For example, the target MUD URL may be determined based on trust in a production (or deployment) phase. For another example, the target MUD URL may alternatively be determined based on a service requirement. For still another example, the target MUD URL may alternatively be determined based on a subsequent processing feature of a MUD file.
In this way, S103 may be: The MUD control management device 30 obtains the MUD file corresponding to the terminal device 11 from each of the at least one target MUD file server, or S103 may be: The MUD control management device 30 obtains, based on each of the at least one target MUD URL, a corresponding MUD file at a location of the target MUD URL on a MUD file server corresponding to the target MUD URL.
After obtaining the at least one MUD file from the plurality of MUD file servers, the MUD control management device 30 may comprehensively consider the at least one MUD file, determine a network policy corresponding to the terminal device 11, and apply the network policy to the network device 20, so that the network device 20 constrains network behavior of the terminal device 11 based on the network policy. For details of a method for processing the obtained at least one MUD file, refer to the following method 200 shown in
It can be learned that according to the method 100 provided in this embodiment of this application, in a scenario in which a plurality of MUD files are distributed on different MUD file servers, when a terminal device accesses a network, a MUD control management device obtains at least one MUD file from a plurality of MUD file servers based on a target obtaining policy that corresponds to the terminal device and that is in the MUD control management device, so that the MUD file is obtained from the plurality of MUD file servers in the method 100. Therefore, network behavior of the terminal device can be more accurately constrained based on the MUD file obtained from the plurality of MUD file servers.
It should be noted that, in the method 100 provided in this embodiment of this application, the target obtaining policy that corresponds to the terminal device and that is in the MUD control management device may be further flexibly adjusted based on a requirement change. Different target obtaining policies are flexibly defined in the MUD control management device based on actual requirements, so that a MUD file obtaining mechanism provided in the method 100 is more flexible in the scenario in which the plurality of MUD files are distributed on the plurality of MUD file servers, and it is also possible to obtain different MUD files in different phases based on different requirements. For example, the terminal device can obtain a MUD file during service requirement change, function change, device maintenance, or the like, so as to flexibly and accurately constrain network behavior of the terminal device.
After the at least one MUD file of the terminal device 11 is obtained in S103, if the at least one MUD file is one MUD file, for example, only the MUD file 1 is obtained, the MUD control management device 30 may convert the MUD file 1 into a network policy 1, and apply the network policy 1 to the network device 20, so that the network device 20 constrains network behavior of the terminal device 11 based on the network policy 1. If the at least one MUD file is at least two MUD files, to avoid a conflict between MUD information of a same device description entry and better constrain network behavior of the terminal device 11, the MUD control management device 30 needs to process the at least two MUD files to obtain a processed target MUD file, convert the target MUD file into a network policy 2, and apply the network policy 2 to the network device 20, so that the network device 20 constrains network behavior of the terminal device 11 based on the network policy 2.
An embodiment of this application further provides another method 200 for obtaining a MUD file. Refer to
S105: The MUD control management device 30 processes the at least one MUD file to obtain a target MUD file.
In an example, S105 may include, for example, the following steps.
S1051: The MUD control management device 30 determines, from at least one preconfigured MUD file processing policy, a target MUD file processing policy X corresponding to the terminal device 11.
S1052: The MUD control management device 30 processes the at least one MUD file based on the target MUD file processing policy X to obtain the target MUD file.
At least one MUD file processing policy may be preconfigured and stored in the MUD control management device 30 depending on an actual requirement. The MUD file processing policy indicates a rule of processing the obtained at least one MUD file to obtain the target MUD file.
If only one MUD file processing policy is configured and stored in the MUD control management device 30, the MUD control management device 30 may directly use the MUD file processing policy as the target MUD file processing policy X, and perform subsequent steps.
If a plurality of MUD file processing policies are configured and stored in the MUD control management device 30, a plurality of mapping relationships including the MUD file processing policies may be stored in the MUD control management device 30. During specific implementation, S1051 may specifically include: The MUD control management device 30 determines one mapping relationship corresponding to the terminal device 11 from at least one locally stored mapping relationship, and records a MUD file processing policy in the determined mapping relationship as the target MUD file processing policy X. In an example, the plurality of mapping relationships may be specifically mapping relationships between a MUD file processing policy and a MUD URL of a terminal device, and the plurality of mapping relationships include a mapping relationship X2 between the target MUD file processing policy X and a MUD URL x of the terminal device 11. In another example, the plurality of mapping relationships may be specifically mapping relationships between a MUD file processing policy and device information of a terminal device, and the plurality of mapping relationships include a mapping relationship X2 between the target MUD file processing policy X and device information X of the terminal device 11.
In a possible implementation, the target MUD file processing policy X may indicate that a MUD file, generated in a specific production (or deployment) phase, of at least two MUD files is used as the target MUD file. For example, assuming that the MUD file obtained in S103 includes a MUD file 1, a MUD file 2, and a MUD file 3, the target MUD file processing policy X may indicate that the MUD file 1 generated by a unique trusted manufacturer is the target MUD file, or the processing policy may alternatively indicate that the latest generated MUD file 3 is the target MUD file.
In another possible implementation, the target MUD file processing policy X may also indicate a method for generating the target MUD file based on device description entries in at least two MUD files. The target MUD file processing policy X may not only include Manner 1 that indicates an operation for determining a device description entry in the target MUD file, but also include Manner 2 that indicates an operation for determining MUD information of the device description entry in the target MUD file. Manner 1 and Manner 2 may be set depending on an actual requirement.
Manner 1 may specifically indicate: obtaining a union set or an intersection set of device description entries included in each of the obtained MUD files, to obtain the device description entry in the target MUD file. For example, the at least one MUD file includes a MUD file 1 and a MUD file 2, the MUD file 1 includes a device description entry 1 and a device description entry 2, and the MUD file 2 includes the device description entry 2 and a device description entry 3. In one case, based on an indication of the target MUD file processing policy X of obtaining a union set, the target MUD file may include the device description entry 1, the device description entry 2, and the device description entry 3. In another case, based on an indication of the target MUD file processing policy X of obtaining an intersection set, the target MUD file may include only the device description entry 2.
Manner 2 may specifically indicate: determining MUD information of each device description entry in the target MUD file based on MUD information of device description entries in the obtained MUD files.
In an example, Manner 2 may indicate that MUD information of a same device description entry in the target MUD file is subject to MUD information of the device description entry in a specific MUD file. For example, the at least one MUD file includes a MUD file 1 and a MUD file 2, the MUD file 1 includes a device description entry 2 whose MUD information is Q1, and the MUD file 2 includes a device description entry 2 whose MUD information is Q2. In one case, if the target MUD file processing policy X indicates that the MUD information of the same device description entry in the target MUD file is subject to MUD information in a MUD file provided by a manufacturer of the terminal device 11 (that is, the MUD information in the MUD file 1), based on the indication of the target MUD file processing policy X, MUD information of a device description entry 2 in the target MUD file is Q1. In another case, if the target MUD file processing policy X indicates that the MUD information of the same device description entry in the target MUD file is subject to the MUD information in the MUD file 2, based on the indication of the target MUD file processing policy X, MUD information of a device description entry 2 in the target MUD file is Q2.
In another example, Manner 2 may alternatively indicate that MUD information of a same device description entry in the target MUD file is a result obtained by performing a first operation on MUD information of the device description entry in the at least two MUD files. For example, the at least one MUD file includes a MUD file 1 and a MUD file 2, the MUD file 1 includes a device description entry 2 whose MUD information is Q1, and the MUD file 2 includes a device description entry 2 whose MUD information is Q2. In this case, based on an indication of the target MUD file processing policy X, MUD information of a device description entry 2 in the target MUD file is Q=f(Q1, Q2), where f( ) may be specifically any first operation performed on MUD information of a same device description entry in different MUD files, for example, f(Q1, Q2)=min(Q1, Q2) or f(Q1, Q2)=(Q1+Q2)/2.
In still another example, Manner 2 may alternatively indicate that a same device description entry retains a plurality of pieces of MUD information, and the plurality of pieces of MUD information are separately associated with a different service. For example, the at least one MUD file includes a MUD file 1 and a MUD file 2, the MUD file 1 includes a device description entry 2 whose MUD information is Q1, and the MUD file 2 includes a device description entry 2 whose MUD information is Q2. In this case, based on an indication of the target MUD file processing policy X, the MUD information Q1 of the device description entry 2 in the target MUD file is associated with a service 1, and the MUD information Q2 of the device description entry 2 is associated with a service 2. In this way, when the terminal device 11 executes different services, network behavior of the terminal device 11 may be constrained based on MUD information of device description entries corresponding to the services.
The MUD control management device 30 performs S1051 to obtain the target MUD file processing policy X. This provides a basis for S1052.
For S1052, the MUD control management device 30 determines the target MUD file based on the target MUD file processing policy X, where the target MUD file includes at least one device description entry and MUD information corresponding to the at least one device description entry. Each device description entry in the target MUD file and MUD information of the device description entry are used to constrain network behavior of the terminal device 11.
In an example, if the target MUD file processing policy X indicates that the MUD file, generated in the specific production (or deployment) phase, of the at least two MUD files is used as the target MUD file, S1052 is specifically that the MUD control management device 30 obtains, from the obtained at least one MUD file based on the target MUD file processing policy X, the MUD file indicated by the target MUD file processing policy X, and uses the MUD file as the target MUD file. For example, assuming that the MUD file obtained in S103 includes a MUD file 1, a MUD file 2, and a MUD file 3, the target MUD file processing policy X indicates that the MUD file 1 generated by the unique trusted manufacturer is the target MUD file. In this case, S1052 is specifically that the MUD control management device 30 determines the MUD file 1 from the MUD file 1, the MUD file 2, and the MUD file 3 as the target MUD file.
In another example, the target MUD file processing policy X indicates that the target MUD file is generated based on the device description entries in the at least two MUD files.
Assuming that the target MUD file processing policy X indicates that the device description entry in the target MUD file is a union set of device description entries included in the MUD files, S1052 may include: The MUD control management device obtains a device description entry from each obtained MUD file, and uses the union set of the device description entries of the MUD files as the device description entry included in the target MUD file. For example, the at least one MUD file includes a MUD file 1 and a MUD file 2, the MUD file 1 includes a device description entry 1 and a device description entry 2, and the MUD file 2 includes the device description entry 2 and a device description entry 3. In this case, the target MUD file generated in S1052 may include the device description entry 1, the device description entry 2, and the device description entry 3.
Assuming that the target MUD file processing policy X indicates that the device description entry in the target MUD file is an intersection set of device description entries included in the MUD files, S1052 may include: The MUD control management device 30 obtains a device description entry from each obtained MUD file, and uses the intersection set of the device description entries of the MUD files as the device description entry included in the target MUD file. For example, the at least one MUD file includes a MUD file 1 and a MUD file 2, the MUD file 1 includes a device description entry 1 and a device description entry 2, and the MUD file 2 includes the device description entry 2 and a device description entry 3. In this case, the target MUD file generated in S1052 may include the device description entry 2.
After the device description entry of the target MUD file is determined, the MUD information of each device description entry may be further determined in any one of the following manners.
If a device description entry of the target MUD file appears in only one obtained MUD file, or if a device description entry of the target MUD file appears in different obtained MUD files and MUD information of the device description entry in the different MUD files is the same, S1052 may include: The MUD control management device 30 determines the MUD information of the device description entry in the obtained MUD file or files as MUD information of the device description entry in the target MUD file.
If a device description entry of the target MUD file appears in different obtained MUD files and MUD information of the device description entry in the different MUD files is different, S1052 may include: The MUD control management device 30 processes, based on the target MUD file processing policy X, the MUD information of the device description entry in the different MUD files to obtain MUD information of the device description entry in the target MUD file.
In one case, the target MUD file processing policy X indicates that the MUD information of the same device description entry in the target MUD file is subject to the MUD information of the device description entry in the specific MUD file. In this case, in S1052, the MUD control management device 30 determines, based on the target MUD file processing policy X, the MUD information of the device description entry in the specific MUD file as the MUD information of the device description entry in the target MUD file. For example, the at least one MUD file includes the MUD file 1 and the MUD file 2, the MUD file 1 includes the device description entry 2 whose MUD information is Q1, the MUD file 2 includes the device description entry 2 whose MUD information is Q2, and the target MUD file processing policy X indicates that the MUD information of the same device description entry in the target MUD file is subject to the MUD information in the MUD file provided by the manufacturer of the terminal device 11 (that is, the MUD information in the MUD file 1). In this case, the MUD information of the device description entry 2 in the target MUD file generated in S1052 is Q1. For another example, if the target MUD file processing policy X indicates that the MUD information of the same device description entry in the target MUD file is subject to the MUD information in the MUD file 2, the MUD information of the device description entry 2 in the target MUD file generated in S1052 is Q2.
In another case, the target MUD file processing policy X indicates that the MUD information of the same device description entry in the target MUD file is the result obtained by performing the first operation on the MUD information of the device description entry in the at least two MUD files. In this case, in S1052, the MUD control management device 30 obtains different MUD information of the same device description entry from the at least two MUD files based on the target MUD file processing policy X, and performs the first operation on the different MUD information, where the operation result is denoted as the MUD information of the device description entry in the target MUD file. For example, the at least one MUD file includes the MUD file 1 and the MUD file 2, the MUD file 1 includes the device description entry 2 whose MUD information is Q1, and the MUD file 2 includes the device description entry 2 whose MUD information is Q2. In this case, the MUD information of the device description entry 2 in the target MUD file generated in S1052 is Q=f(Q1, Q2), where f( ) is the first operation in the target MUD file processing policy X, for example, f(Q1, Q2)=min(Q1, Q2) or f(Q1, Q2)=(Q1+Q2)/2.
In still another case, the target MUD file processing policy X indicates that the same device description entry retains the plurality of pieces of MUD information, and the plurality of pieces of MUD information are separately associated with a different service. For example, the at least one MUD file includes the MUD file 1 and the MUD file 2, the MUD file 1 includes the device description entry 2 whose MUD information is Q1, and the MUD file 2 includes the device description entry 2 whose MUD information is Q2. In this case, in the target MUD file generated by the MUD control management device 30 based on the target MUD file processing policy X in S1052, the MUD information Q1 of the device description entry 2 is associated with the service 1, and the MUD information Q2 of the device description entry 2 is associated with the service 2.
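The following is an added example, not code from this application, that models the obtaining step S103 (redirecting the MUD URL x stored in the terminal device to a set of target MUD URLs) together with the processing step S1052 (Manner 1 union/intersection of device description entries, and the three Manner 2 ways of resolving conflicting MUD information). Device description entries are modelled as named keys with numeric MUD information so that min() and averaging are meaningful, and the MUD URLs, entry names, sources and values are constructed; a real MUD file carries ACL entries per RFC 8520.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed simplification: a device description entry is a named key and its
# MUD information is a number (for example a limit), so that a "first operation"
# such as min() or averaging is meaningful.
MudInfo = float


@dataclass(frozen=True)
class MudFile:
    source: str                  # who generated it, e.g. "manufacturer" or "user"
    entries: Dict[str, MudInfo]  # device description entry -> MUD information


@dataclass
class ProcessingPolicy:
    """Target MUD file processing policy X: Manner 1 plus Manner 2."""
    entry_mode: str   # Manner 1: "union" or "intersection"
    info_mode: str    # Manner 2: "subject_to", "operation" or "per_service"
    subject_to: Optional[str] = None                                # source that wins
    operation: Optional[Callable[[List[MudInfo]], MudInfo]] = None  # f(Q1, Q2, ...)
    services: Optional[Dict[str, str]] = None                       # source -> service


# Constructed stand-ins for the MUD file servers, keyed by MUD URL (hypothetical URLs).
MUD_URL_X = "https://mfr.example/mud/camera.json"   # the MUD URL stored in the device
MUD_URL_Y = "https://ops.example/mud/camera.json"
SERVERS: Dict[str, MudFile] = {
    MUD_URL_X: MudFile("manufacturer", {"entry-1": 10, "entry-2": 100}),
    MUD_URL_Y: MudFile("user", {"entry-2": 60, "entry-3": 30}),
}
# Target obtaining policy X: redirect the server behind MUD URL x to these target MUD URLs.
OBTAINING_POLICY: Dict[str, List[str]] = {MUD_URL_X: [MUD_URL_X, MUD_URL_Y]}


def obtain_mud_files(mud_url: str, policy: Dict[str, List[str]],
                     servers: Dict[str, MudFile]) -> List[MudFile]:
    """S103: resolve the target MUD URLs for the device's MUD URL and fetch each.

    Without a redirect entry the device's own MUD URL is the only target, i.e.
    plain RFC 8520 behaviour. An unknown target URL raises KeyError on purpose.
    """
    targets = policy.get(mud_url, [mud_url])
    return [servers[url] for url in targets]


def select_entries(files: List[MudFile], mode: str) -> List[str]:
    """Manner 1: union or intersection of the device description entries."""
    sets = [set(f.entries) for f in files]
    if mode == "union":
        chosen = set().union(*sets)
    elif mode == "intersection":
        chosen = set.intersection(*sets)
    else:
        raise ValueError(f"unknown entry mode {mode!r}")
    return sorted(chosen)


def resolve_info(entry: str, files: List[MudFile], policy: ProcessingPolicy):
    """Manner 2: MUD information of one entry in the target MUD file."""
    holders = [f for f in files if entry in f.entries]
    values = [f.entries[entry] for f in holders]
    # Entry present in one file only, or identical everywhere: nothing to resolve.
    if all(v == values[0] for v in values):
        return values[0]
    if policy.info_mode == "subject_to":
        for f in holders:
            if f.source == policy.subject_to:
                return f.entries[entry]
        raise ValueError(f"{entry}: conflict, but no value from {policy.subject_to!r}")
    if policy.info_mode == "operation":
        return policy.operation(values)
    if policy.info_mode == "per_service":
        # Keep every value, each tied to the service it applies to.
        return {policy.services[f.source]: f.entries[entry] for f in holders}
    raise ValueError(f"unknown info mode {policy.info_mode!r}")


def build_target_mud(files: List[MudFile], policy: ProcessingPolicy) -> Dict[str, object]:
    """S1052: the target MUD file; a single obtained file is used unchanged."""
    if len(files) == 1:
        return dict(files[0].entries)
    return {e: resolve_info(e, files, policy)
            for e in select_entries(files, policy.entry_mode)}


if __name__ == "__main__":
    obtained = obtain_mud_files(MUD_URL_X, OBTAINING_POLICY, SERVERS)
    print(build_target_mud(obtained, ProcessingPolicy("union", "operation", operation=min)))
    print(build_target_mud(obtained, ProcessingPolicy("intersection", "subject_to",
                                                      subject_to="manufacturer")))
```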
S106: The MUD control management device 30 converts the target MUD file into a network policy 2.
S107: The MUD control management device 30 sends the network policy 2 to a network device 20.
S108: The network device 20 constrains network behavior of the terminal device 11 based on the network policy 2.
Implementations of S106 to S108 are consistent with a manner stipulated in the RFC 8520 protocol. For specific implementations and related descriptions, refer to related descriptions in the RFC 8520. Details are not described herein.
It should be noted that, in the MUD control management device 30, in one case, there may be specifically two sets of mapping relationships: a first set is at least one mapping relationship between an obtaining policy and device information of a terminal device (or between an obtaining policy and a MUD URL provided by a manufacturer for a terminal device), and a second set is at least one mapping relationship between a MUD file processing policy and device information of a terminal device (or between a MUD file processing policy and a MUD URL provided by a manufacturer for a terminal device). In this case, the first set of mapping relationships is used in S104, and the second set of mapping relationships is used in S1051. Alternatively, in another case, there may be one set of mapping relationships, which is specifically at least one mapping relationship between an obtaining policy, a MUD file processing policy, and device information of a terminal device (or between an obtaining policy, a MUD file processing policy, and a MUD URL provided by a manufacturer for a terminal device). In this case, a correspondence between an obtaining policy and device information of a terminal device (or between an obtaining policy and a MUD URL provided by a manufacturer for a terminal device) in the mapping relationship is used in S104, and a correspondence between a MUD file processing policy and device information of a terminal device (or between a MUD file processing policy and a MUD URL provided by a manufacturer for a terminal device) in the mapping relationship is used in S1051.
It can be learned that according to the method 200 provided in this embodiment of this application, in a scenario in which a plurality of MUD files are distributed on different MUD file servers, when the terminal device 11 accesses a network, the MUD control management device 30 obtains the at least one MUD file from the plurality of MUD file servers based on the target obtaining policy X corresponding to the terminal device 11, so that the MUD file is obtained from the plurality of MUD file servers in the method 200. In addition, to more accurately constrain the terminal device 11 based on the obtained at least one MUD file, and avoid a constraint conflict, on network behavior of the terminal device 11, caused by different MUD information of a same device description entry in a plurality of obtained MUD files, the MUD control management device 30 can further process the obtained at least one MUD file to determine the target MUD file, so that network behavior of the terminal device 11 can be accurately constrained based on the processed target MUD file in the method 200.
It should be noted that, in the method 200 provided in this embodiment of this application, the target MUD file processing policy in the MUD control management device may also be flexibly adjusted based on a requirement change. Different target MUD file processing policies are flexibly defined in the MUD control management device based on actual requirements, so that in the scenario in which the plurality of MUD files are distributed on the plurality of MUD file servers provided in the method 200, an obtained MUD file is flexibly processed based on different requirements, to flexibly and accurately constrain the network behavior of the terminal device based on the target MUD file obtained through processing.
S301: Receive a MUD URL request message sent by a terminal device.
S302: Obtain at least one MUD file from a plurality of MUD file servers based on a target obtaining policy corresponding to the terminal device.
The MUD control management device in the method 300 may be specifically the MUD control management device 30 in the foregoing embodiments. For specific operations performed by the MUD control management device, refer to the operations performed by the MUD control management device 30 in the method 100. Specifically, for related descriptions of S301 and S302, refer to S102 and S103 in the method 100. The terminal device may refer to the terminal device 11, the MUD URL request message may be the MUD URL request message 1 in the method 100, the target obtaining policy may refer to the target obtaining policy X, the plurality of MUD file servers include the MUD file server 40, the MUD file server 50, and the MUD file server 60, and the at least one MUD file may include at least one of the MUD file 1, the MUD file 2, or the MUD file 3.
In an example, the MUD control management device may store a first mapping relationship between the target obtaining policy and a MUD URL that is provided by a manufacturer of the terminal device for the terminal device. In this case, the method 300 may further include: The MUD control management device obtains, from the MUD URL request message, the MUD URL provided by the manufacturer of the terminal device for the terminal device, and determines that the MUD URL matches the first mapping relationship, to further obtain the target obtaining policy based on the first mapping relationship.
In another example, the MUD control management device may also store a second mapping relationship between device information of the terminal device and the target obtaining policy. In this case, the method 300 may further include: The MUD control management device obtains the device information of the terminal device from the MUD URL request message, and determines that the device information matches the second mapping relationship, to further obtain the target obtaining policy based on the second mapping relationship. The device information of the terminal device may include, for example, one or more of the following: a device identifier of the terminal device; a device type of the terminal device; a network segment to which the terminal device belongs; an Internet Protocol (IP) address of the terminal device; a media access control (MAC) address of the terminal device; or information about the manufacturer of the terminal device.
In some possible implementations, there is only one obtaining policy in the MUD control management device. In this case, when receiving a MUD URL request message sent by any terminal device, the MUD control management device uses the unique obtaining policy as the target obtaining policy, and obtains the at least one MUD file from the plurality of MUD file servers based on the target obtaining policy.
In some other possible implementations, there are a plurality of obtaining policies in the MUD control management device. In this case, the method 300 may further include: The MUD control management device determines the target obtaining policy from a plurality of preconfigured obtaining policies. The plurality of obtaining policies may be specifically locally configured and stored in the MUD control management device, or may be obtained by the MUD control management device from another device.
The obtaining policy (including the target obtaining policy) indicates a rule for obtaining a MUD file from the plurality of MUD file servers. In one case, in an example, the target obtaining policy may include: redirecting, based on the MUD URL provided by the manufacturer of the terminal device for the terminal device, a first MUD file server corresponding to the MUD URL to at least one target MUD file server, and obtaining the MUD file in the at least one target MUD file server, where the plurality of MUD file servers include the first MUD file server, and the at least one target MUD file server includes a second MUD file server. Alternatively, in another case, in an example, the target obtaining policy may include: reading the MUD file servers in sequence and globally replacing the obtained MUD file with the MUD file most recently read from a MUD file server. Alternatively, in still another case, in an example, the target obtaining policy may include: reading and storing a plurality of MUD files in the plurality of MUD file servers in sequence. Alternatively, in yet another case, in an example, the target obtaining policy may include: pre-designating at least one target MUD file server from the plurality of MUD file servers, and obtaining the MUD file in the at least one target MUD file server.
In an example, the obtaining at least one MUD file from a plurality of MUD file servers based on a target obtaining policy corresponding to the terminal device in S302 may specifically include: determining the at least one target MUD file server from the plurality of MUD file servers based on the target obtaining policy; and obtaining the at least one MUD file from the at least one target MUD file server. It should be noted that the target MUD file server is one of the plurality of MUD file servers. The at least one target MUD file server may be all of the plurality of MUD file servers, or the at least one target MUD file server may be a part of the plurality of MUD file servers.
In an example, the target obtaining policy may alternatively include: redirecting, based on the MUD URL provided by the manufacturer of the terminal device for the terminal device, the first MUD file server corresponding to the MUD URL to at least one target MUD URL, and obtaining the at least one MUD file from the plurality of MUD file servers based on the at least one target MUD URL. A quantity of the at least one target MUD URL is less than or equal to a quantity of all MUD file servers included in the plurality of MUD file servers. The obtaining at least one MUD file from a plurality of MUD file servers based on a target obtaining policy corresponding to the terminal device in S302 may specifically include: determining, based on the target obtaining policy, the at least one target MUD URL from a plurality of MUD URLs corresponding to the plurality of MUD file servers; and obtaining the at least one MUD file from the at least one target MUD URL. It should be noted that the target MUD URL is one of the plurality of MUD URLs on the plurality of MUD file servers at which a MUD file of the terminal device is stored. The at least one target MUD URL may be all of the plurality of MUD URLs, or the at least one target MUD URL may be a part of the plurality of MUD URLs.
In some specific implementations, after the MUD control management device performs S302 to obtain the at least one MUD file, the method 300 may further include: The MUD control management device processes the at least one MUD file to obtain a target MUD file, where the target MUD file is for constraining network behavior of the terminal device. In one case, when the at least one MUD file includes only one MUD file, the MUD control management device may directly use the unique obtained MUD file as the target MUD file, and constrain the network behavior of the terminal device based on the target MUD file. In another case, when the at least one MUD file includes at least two MUD files, the MUD control management device needs to process the at least two MUD files to obtain the target MUD file, and constrains the network behavior of the terminal device based on the target MUD file.
It should be noted that for related descriptions and achieved effects of this implementation, refer to related descriptions of S105 in the method 200 shown in
In an example, processing the at least one MUD file to obtain the target MUD file may include determining which device description entries the target MUD file includes. In one case, the union of the device description entries of the obtained MUD files is used: every device description entry included in any obtained MUD file becomes a device description entry of the target MUD file. Assuming that the at least one MUD file includes a first MUD file and a second MUD file, the first MUD file includes a first device description entry of the terminal device, the second MUD file includes a second device description entry of the terminal device, and the first device description entry is different from the second device description entry, the target MUD file includes both the first device description entry and the second device description entry. In another case, the intersection is used instead: only a device description entry included in every obtained MUD file becomes a device description entry of the target MUD file. Assuming that the at least one MUD file includes a first MUD file and a second MUD file, the first MUD file includes a first device description entry and a second device description entry of the terminal device, the second MUD file includes only the second device description entry of the terminal device, and the first device description entry is different from the second device description entry, the target MUD file includes only the second device description entry.
In addition, when a plurality of the obtained MUD files include a same device description entry but describe it with different MUD information, processing the at least one MUD file to obtain the target MUD file may further include determining the MUD information of that device description entry in the target MUD file. In an example, the method 300 may further include: obtaining, based on a target MUD file processing policy corresponding to the terminal device, the MUD information that describes the first device description entry in the target MUD file, where the first device description entry is a device description entry included in a plurality of the obtained MUD files.
The target MUD file processing policy indicates the rule by which the obtained at least one MUD file is processed to obtain the target MUD file. In one case, in an example, the target MUD file processing policy may include: when the plurality of MUD files are obtained in sequence, using the MUD information describing the first device description entry in the most recently obtained MUD file as the MUD information describing the first device description entry in the target MUD file. Because this rule makes the result depend on the reading order, the order in which the MUD file servers are read is itself part of the policy. Alternatively, in another case, in an example, the target MUD file processing policy may include: when each of the plurality of MUD files contains MUD information describing the first device description entry, using the MUD information describing the first device description entry in a specified MUD file (for example, the MUD file provided by the manufacturer of the terminal device) as the MUD information describing the first device description entry in the target MUD file. Alternatively, in still another case, in an example, the target MUD file processing policy may include: when the plurality of MUD files contain MUD information describing the first device description entry, processing that MUD information by a specified operation, and using the operation result as the MUD information describing the first device description entry in the target MUD file. Alternatively, in yet another case, in an example, the target MUD file processing policy may include: when the plurality of MUD files include first MUD information and second MUD information that both describe the first device description entry, obtaining both the first MUD information and the second MUD information, and associating, in the target MUD file, the first MUD information with a first service and the second MUD information with a second service.
It can be learned that according to the method 300 provided in this embodiment of this application, in a scenario in which a plurality of MUD files are distributed on different MUD file servers, when the terminal device accesses a network, the MUD control management device obtains the at least one MUD file from the plurality of MUD file servers based on the target obtaining policy corresponding to the terminal device, so that the MUD file can be obtained from the plurality of MUD file servers in the method 300. In addition, to more accurately constrain the terminal device based on the obtained at least one MUD file, and avoid a constraint conflict, on network behavior of the terminal device, caused by different MUD information of a same device description entry in the plurality of obtained MUD files, the MUD control management device can further process the obtained at least one MUD file to determine the target MUD file, so that the network behavior of the terminal device can be accurately constrained based on the processed target MUD file in the method 300.
It should be noted that, according to the method 300 in this embodiment of this application, for a specific implementation and an achieved effect, refer to related descriptions in embodiments shown in
In addition, this application further provides a MUD control management device 600 as shown in
In addition, an embodiment of this application further provides a manufacturer usage description MUD control management device 700 as shown in
In addition, an embodiment of this application further provides a manufacturer usage description MUD control management device 800 as shown in
It may be understood that, in the foregoing embodiment, the processor may be a central processing unit (CPU), a network processor (NP), or a combination of the CPU and the NP. Alternatively, the processor may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. The processor may be one processor, or may include a plurality of processors. The memory may include a volatile memory, for example, a random access memory (RAM); the memory may further include a non-volatile memory, for example, a read-only memory (ROM), a flash memory, a hard disk drive (HDD), or a solid-state drive (SSD). The memory may further include a combination of the foregoing memories. The memory may be one memory, or may include a plurality of memories. In a specific implementation, the memory stores computer-readable instructions, and the computer-readable instructions include a plurality of software modules, for example, a sending module, a processing module, and a receiving module. After executing each software module, the processor may perform a corresponding operation based on an indication of each software module. In this embodiment, an operation performed by a software module is actually an operation performed by the processor based on an indication of the software module. After executing the computer-readable instructions in the memory, the processor may perform, based on indications of the computer-readable instructions, all operations that may be performed by a MUD file obtaining device.
It may be understood that, in the foregoing embodiment, the communication interface 701 of the MUD control management device 700 may be specifically used as the transceiver unit 601 in the MUD control management device 600, to implement data communication between the MUD control management device and another device (for example, a terminal device).
In addition, an embodiment of this application further provides a communication system 900 as shown in
In addition, an embodiment of this application further provides a communication system 1000 as shown in
In an example, the plurality of MUD file servers 1003 further include a third MUD file server 10033, and the third MUD file server 10033 is configured to store a third MUD file.
In the communication system 1000, the terminal device 1002 is configured to send a MUD uniform resource locator URL request message to the MUD control management device 1001, and the MUD control management device 1001 is configured to obtain at least one MUD file from the plurality of MUD file servers 1003 based on a target obtaining policy corresponding to the terminal device 1002. For example, the at least one MUD file may include at least one of the following MUD files: the first MUD file, the second MUD file, and the third MUD file.
In some possible implementations, the MUD control management device 1001 stores a first mapping relationship between the target obtaining policy and a MUD URL that is provided by a manufacturer of the terminal device for the terminal device 1002. In this case, the MUD control management device 1001 is further configured to obtain the target obtaining policy based on the first mapping relationship.
In some other possible implementations, the MUD control management device 1001 stores a second mapping relationship between device information of the terminal device 1002 and the target obtaining policy. In this case, the MUD control management device 1001 is further configured to obtain the target obtaining policy based on the second mapping relationship. The device information of the terminal device 1002 includes one or more of the following: a device identifier of the terminal device; a device type of the terminal device; a network segment to which the terminal device belongs; an internet protocol IP address of the terminal device; a media access control MAC address of the terminal device; or information about the manufacturer of the terminal device.
In still some possible implementations, the MUD control management device 1001 is further configured to determine the target obtaining policy from a plurality of preconfigured obtaining policies. The plurality of obtaining policies may be locally configured and stored in the MUD control management device 1001, or may be obtained by the MUD control management device 1001 from another device and stored.
In still some possible implementations, that the MUD control management device 1001 is configured to obtain at least one MUD file from the plurality of MUD file servers 1003 based on a target obtaining policy corresponding to the terminal device 1002 may specifically include: The MUD control management device 1001 determines at least one target MUD file server from the plurality of MUD file servers based on the target obtaining policy. The MUD control management device 1001 obtains the at least one MUD file from the at least one target MUD file server.
The target obtaining policy includes one of the following: redirecting, based on the MUD URL provided by the manufacturer of the terminal device 1002 for the terminal device 1002, from the first MUD file server 10031 corresponding to the MUD URL to the at least one target MUD file server, and obtaining the MUD file in the at least one target MUD file server, where the plurality of MUD file servers include the first MUD file server 10031, and the at least one target MUD file server includes the second MUD file server 10032; reading the plurality of MUD file servers 1003 in sequence and replacing the previously obtained MUD file with the MUD file most recently read, so that the latest read MUD file applies globally; reading and storing the plurality of MUD files in the plurality of MUD file servers 1003 in sequence; or pre-designating the at least one target MUD file server from the plurality of MUD file servers 1003, and obtaining the MUD file in the at least one target MUD file server.
It should be noted that the at least one target MUD file server may be all of the plurality of MUD file servers 1003, or the at least one target MUD file server may be a part of the plurality of MUD file servers 1003.
In some possible implementations, the MUD control management device 1001 is further configured to process the at least one MUD file to obtain a target MUD file, where the target MUD file is for constraining network behavior of the terminal device 1002.
In an example, the at least one MUD file includes a first MUD file and a second MUD file, the first MUD file includes a first device description entry of the terminal device, the second MUD file includes a second device description entry of the terminal device, the first device description entry is different from the second device description entry, and the target MUD file includes the first device description entry and the second device description entry.
In a possible implementation, the MUD control management device 1001 is further configured to obtain, based on a target MUD file processing policy corresponding to the terminal device 1002, the MUD information that describes the first device description entry in the target MUD file. The target MUD file processing policy includes one of the following: when the plurality of MUD files are obtained in sequence, using the MUD information describing the first device description entry in the most recently obtained MUD file as the MUD information describing the first device description entry in the target MUD file; when each of the plurality of MUD files contains MUD information describing the first device description entry, using the MUD information describing the first device description entry in the MUD file provided by the manufacturer of the terminal device 1002 as the MUD information describing the first device description entry in the target MUD file; or when the plurality of MUD files include first MUD information and second MUD information that both describe the first device description entry, obtaining both the first MUD information and the second MUD information, and associating, in the target MUD file, the first MUD information with a first service and the second MUD information with a second service.
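The obtaining policy and the processing policy described for the method 300 (determining target MUD URLs, taking the union or intersection of device description entries, and settling a conflicting entry by the latest file, the manufacturer's file, a specified operation, or a per-service association) and again for the communication system 1000 above can be demonstrated in one place. The following Python block is an added example written for this page; it is not code from the patent application or its applicant. The MUD URLs, device information, server contents and the simplified MUD file layout are all constructed assumptions, and the HTTPS fetch is replaced by an offline dictionary lookup.

```python
"""Added example (not the patent's code): a MUD controller that resolves an
obtaining policy, reads MUD files from several servers in policy order, and
merges them into one target MUD file under a processing policy. Every URL,
device and MUD file is a constructed fixture; the fetch is offline."""
import json

# Constructed MUD servers. A MUD file is simplified to
#   {"mud-url": ..., "entries": {<device description entry>: <MUD information>}}
# with an entry being an ACL name and its information the ACE list (RFC 8520
# nests these under ietf-access-control-list:acls; trimmed here).
MANUFACTURER_URL = "https://mud.vendor.example/cam-v1.json"
ENTERPRISE_URL = "https://mud.enterprise.example/cam-v1.json"
SITE_URL = "https://mud.site.example/cam-v1.json"
MUD_SERVERS = {
    MANUFACTURER_URL: {"mud-url": MANUFACTURER_URL, "entries": {
        "from-cam": [{"dst": "cloud.vendor.example", "port": 443}],
        "to-cam": [{"src": "cloud.vendor.example", "port": 443}]}},
    ENTERPRISE_URL: {"mud-url": ENTERPRISE_URL, "entries": {
        "from-cam": [{"dst": "ntp.corp.example", "port": 123}],
        "from-cam-syslog": [{"dst": "syslog.corp.example", "port": 514}]}},
    SITE_URL: {"mud-url": SITE_URL, "entries": {
        "from-cam": [{"dst": "nvr.site.example", "port": 554}]}},
}

# A policy is (mode, target URLs). Modes: "redirect" (manufacturer URL ->
# target URLs), "all_in_sequence" (read every server in order),
# "pre_designated" (fixed target set). Both mappings are constructed.
POLICY_BY_MUD_URL = {  # first mapping: manufacturer MUD URL -> policy
    MANUFACTURER_URL: ("redirect", (MANUFACTURER_URL, ENTERPRISE_URL))}
POLICY_BY_DEVICE_INFO = {  # second mapping: device information -> policy
    ("manufacturer", "vendor.example"): ("all_in_sequence", ())}
DEFAULT_POLICY = ("pre_designated", (MANUFACTURER_URL,))

def resolve_policy(mud_url, device_info):
    """First mapping, then the device-information mapping, then the default."""
    if mud_url in POLICY_BY_MUD_URL:
        return POLICY_BY_MUD_URL[mud_url]
    for (field, value), policy in POLICY_BY_DEVICE_INFO.items():
        if device_info.get(field) == value:
            return policy
    return DEFAULT_POLICY

def target_urls(policy):
    """Ordered MUD URLs to read, after the checks a controller should make:
    a non-empty set of distinct, known, HTTPS URLs no larger than the servers."""
    mode, targets = policy
    urls = tuple(MUD_SERVERS) if mode == "all_in_sequence" else targets
    if not urls or len(urls) > len(MUD_SERVERS) or len(set(urls)) != len(urls):
        raise ValueError("target set must be a non-empty subset of the servers")
    for url in urls:
        if not url.startswith("https://") or url not in MUD_SERVERS:
            raise ValueError(f"unknown or non-HTTPS MUD URL: {url}")
    return list(urls)

def fetch_in_sequence(urls):
    """Offline stand-in for an HTTPS GET of each MUD URL, in policy order."""
    return [MUD_SERVERS[url] for url in urls]

def merge_mud_files(files, entry_rule="union", conflict_rule="latest"):
    """Build the target MUD file from files listed in fetch order.
    entry_rule: "union" keeps entries found in any file, "intersection" only
    those present in every file. conflict_rule settles an entry whose
    information differs between files: "latest" (most recently read wins),
    "manufacturer" (the manufacturer's file wins), "intersect" (a specified
    operation: keep only ACEs every file agrees on), "per_service" (keep
    every variant, keyed by its source URL as the service)."""
    names = [set(f["entries"]) for f in files]
    keep = set.union(*names) if entry_rule == "union" else set.intersection(*names)
    target = {"mud-url": MANUFACTURER_URL, "entries": {}}
    for name in sorted(keep):
        variants = [(f["mud-url"], f["entries"][name]) for f in files
                    if name in f["entries"]]
        if len({json.dumps(v, sort_keys=True) for _, v in variants}) == 1:
            target["entries"][name] = variants[0][1]  # no conflict
        elif conflict_rule == "latest":
            target["entries"][name] = variants[-1][1]
        elif conflict_rule == "manufacturer":
            chosen = [v for u, v in variants if u == MANUFACTURER_URL]
            if not chosen:
                raise ValueError(f"no manufacturer information for {name}")
            target["entries"][name] = chosen[0]
        elif conflict_rule == "intersect":
            target["entries"][name] = [ace for ace in variants[0][1]
                                       if all(ace in v for _, v in variants[1:])]
        elif conflict_rule == "per_service":
            target["entries"][name] = dict(variants)
        else:
            raise ValueError(f"unknown conflict rule: {conflict_rule}")
    return target

def build_target_mud(mud_url, device_info, entry_rule="union", conflict_rule="latest"):
    """Policy -> target URLs -> files read in sequence -> target MUD file."""
    files = fetch_in_sequence(target_urls(resolve_policy(mud_url, device_info)))
    return merge_mud_files(files, entry_rule, conflict_rule)

if __name__ == "__main__":
    cam = {"manufacturer": "vendor.example", "mac": "00:11:22:33:44:55"}
    print(json.dumps(build_target_mud(MANUFACTURER_URL, cam), indent=1))
```

Two design points are worth noting. The "latest" rule makes the target MUD file depend on the order in which the servers are read, so that order has to be fixed by the policy rather than left to network timing; the example reads the target list in the order the policy states it. The checks in `target_urls` (HTTPS only, which RFC 8520 already requires of MUD URLs, and only servers the controller already knows) are the minimum a controller should apply before a redirected target URL is allowed to contribute network policy for a device.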
It can be learned that in the communication system 1000 provided in this embodiment of this application, in a scenario in which a plurality of MUD files are distributed on a plurality of MUD file servers 1003, when the terminal device 1002 accesses a network, the MUD control management device 1001 can obtain the at least one MUD file from the plurality of MUD file servers 1003 based on the target obtaining policy corresponding to the terminal device 1002, so as to obtain the MUD file from the plurality of MUD file servers 1003. In addition, to more accurately constrain the terminal device 1002 based on the obtained at least one MUD file, and avoid a constraint conflict, on network behavior of the terminal device, caused by different MUD information of a same device description entry in a plurality of obtained MUD files, the MUD control management device 1001 can further process the obtained at least one MUD file to determine the target MUD file, so as to accurately constrain the network behavior of the terminal device 1002 based on the processed target MUD file.
It should be noted that functions implemented by the MUD control management device 1001, the terminal device 1002, and the plurality of MUD file servers 1003 in the communication system 1000 in this embodiment of this application may respectively correspond to the MUD control management device 901, the terminal device 902, and the plurality of MUD file servers 903 in the communication system 900 shown in
In addition, an embodiment of this application further provides a computer-readable storage medium. The computer-readable storage medium stores instructions. When the instructions are run on a computer, the computer is enabled to perform the method for obtaining a MUD file in the embodiment shown in the method 100, the method 200, or the method 300.
In addition, an embodiment of this application further provides a computer program product, including a computer program or computer-readable instructions. When the computer program or the computer-readable instructions are run on a computer, the computer is enabled to perform the method for obtaining a MUD file in the embodiment shown in the method 100, the method 200, or the method 300.
From the foregoing descriptions of the implementations, a person skilled in the art may clearly understand that some or all steps of the methods in embodiments may be implemented by software in addition to a universal hardware platform. Based on such an understanding, the technical solutions of this application may be implemented in a form of a software product. The computer software product may be stored in a storage medium, for example, a read-only memory (ROM)/RAM, a magnetic disk, or a compact disc, and includes several instructions for instructing a computer device (which may be a personal computer, a server, or a network communication device such as a router) to perform the methods described in embodiments or some parts of embodiments of this application.
Embodiments in this specification are all described in a progressive manner. For same or similar parts in embodiments, refer to each other. Each embodiment focuses on a difference from other embodiments. Especially, device and system embodiments are basically similar to method embodiments, and therefore are described briefly. For related parts, refer to partial descriptions in the method embodiments. The described device and system embodiments are merely examples. The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one position, or may be distributed on a plurality of network units. Some or all the modules may be selected based on actual requirements to achieve the objectives of the solutions of embodiments. A person of ordinary skill in the art may understand and implement embodiments of the present invention without creative efforts.
The foregoing descriptions are merely preferred implementations of this application, but are not intended to limit the protection scope of this application. It should be noted that a person of ordinary skill in the art may make some improvements and polishing without departing from this application and the improvements and polishing shall fall within the protection scope of this application.
Number | Date | Country | Kind |
---|---|---|---|
202010340085.3 | Apr 2020 | CN | national |
This application is a continuation of International Application No. PCT/CN2021/085863, filed on Apr. 8, 2021, which claims priority to Chinese Patent Application No. 202010340085.3, filed on Apr. 26, 2020. The disclosures of the aforementioned applications are hereby incorporated by reference in their entireties.
Number | Date | Country | |
---|---|---|---|
Parent | PCT/CN2021/085863 | Apr 2021 | US |
Child | 17973286 | US |