Securing communications in a network function virtualization (NFV) core network
First Claim
1. A method of electronic communication via a network function virtualization (NFV) implementation of a core network, comprising:
receiving a first domain name lookup request that comprises an abstract service name having a format that does not include a domain name suffix referencing a top-level domain;
in response to receiving the first domain name lookup request, looking up an internet protocol (IP) address of a server associated with the abstract service name;
creating a mapping between a one-time-use domain name and the IP address, where the one-time-use domain name is created dynamically;
transmitting a reply to the first domain name lookup request comprising the one-time-use domain name, wherein the one-time-use domain name is dependent on and generated according to the abstract service name such that the one-time-use domain name comprises at least a portion of the abstract service name, and wherein the one-time-use domain name is configured to prevent inclusion of the domain name in the first domain name lookup request to access a service identified by the abstract service name;
receiving a hypertext transfer protocol (HTTP) content request from a user equipment (UE), wherein the HTTP content request is a trusted HTTP content request received from a trusted browser application executing in a trusted security zone of the UE and comprises the one-time-use domain name, and wherein the trusted security zone of the UE provides hardware assisted security on the UE;
in response to receiving the HTTP content request, looking up the IP address based on the one-time-use domain name and destroying the mapping between the one-time-use domain name and the IP address;
determining, by a trusted orchestrator service that executes in a trusted security zone of a first physical host, that insufficient NFV trusted processing capacity is available to perform the trusted HTTP content request;
dynamically increasing the NFV trusted processing capacity by the trusted orchestrator service;
performing the HTTP content request using the increased NFV trusted processing capacity; and
returning an HTTP content response to the UE, wherein the HTTP content response contains content responsive to the HTTP content request, and wherein the HTTP content response does not comprise an identification of a source of the content.
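The claim above describes a small protocol: a first lookup turns an abstract service name (no TLD suffix) into a dynamically minted one-time-use domain name, the UE then sends its HTTP request to that name, the core resolves it and destroys the mapping in the same step, a trusted orchestrator scales trusted capacity if it is short, and the reply is stripped of anything identifying the content source. The following Python model, added here as an illustration and not code from the patent or its assignee, walks through those steps end to end. Everything concrete in it is assumed: the service directory and origin server table are constructed sample data, the "nfv.internal" suffix and the abstract-name-plus-128-bit-nonce construction are one way to satisfy "comprises at least a portion of the abstract service name", and the header deny list is this example's choice of what counts as identifying a source (the claim does not enumerate headers). The two properties worth checking are that a one-time name resolves exactly once (a replay fails) and that the scrubbed reply carries neither source headers nor the origin IP.

```python
import secrets
import threading

# Constructed sample data (not from the patent): abstract service name -> origin server IP.
SERVICE_DIRECTORY = {"payment": "10.20.0.5", "video": "10.20.0.9"}

# Constructed stand-in for the origin servers, keyed by IP: (response headers, body).
ORIGIN_SERVERS = {
    "10.20.0.5": ({"Server": "nginx/1.24", "X-Backend": "pay-03.core.example",
                   "Content-Type": "text/plain"}, b"balance=42"),
    "10.20.0.9": ({"Server": "Apache", "Via": "1.1 10.20.0.9",
                   "Content-Type": "video/mp4"}, b"\x00\x00\x00\x18ftyp"),
}

# Response headers treated here as identifying the content source; dropped before the reply
# reaches the UE. The patent does not enumerate headers, so this list is an assumption.
SOURCE_REVEALING_HEADERS = {"server", "via", "x-backend", "x-powered-by", "x-served-by"}


class OneTimeNameResolver:
    """Models the claimed name service: abstract name in, single-use domain name out."""

    def __init__(self, directory, suffix="nfv.internal"):
        self._directory = directory          # abstract service name -> IP
        self._suffix = suffix                # assumed internal suffix for minted names
        self._mappings = {}                  # one-time name -> IP, destroyed on first use
        self._lock = threading.Lock()

    @staticmethod
    def is_abstract_name(name):
        # An abstract service name carries no domain suffix at all: reject anything with a dot.
        return bool(name) and "." not in name and all(c.isalnum() or c == "-" for c in name)

    def lookup_abstract(self, abstract_name):
        """First lookup: map the abstract name to a freshly minted one-time-use domain name."""
        if not self.is_abstract_name(abstract_name):
            raise ValueError("not an abstract service name: %r" % (abstract_name,))
        ip = self._directory.get(abstract_name)
        if ip is None:
            raise KeyError("unknown service: %r" % (abstract_name,))
        # The minted name keeps the abstract name as its prefix (as the claim requires) and
        # adds 128 bits of randomness so it cannot be guessed or reused.
        one_time_name = "%s-%s.%s" % (abstract_name, secrets.token_hex(16), self._suffix)
        with self._lock:
            self._mappings[one_time_name] = ip
        return one_time_name

    def resolve_one_time(self, one_time_name):
        """Second lookup: return the IP and destroy the mapping in one atomic step."""
        with self._lock:
            ip = self._mappings.pop(one_time_name, None)
        if ip is None:
            raise KeyError("unknown or already-consumed one-time name")
        return ip


class TrustedOrchestrator:
    """Toy capacity manager standing in for the claimed trusted orchestrator service."""

    def __init__(self, capacity, step=2):
        self.capacity = capacity     # trusted processing slots currently provisioned
        self.in_use = 0
        self.step = step             # slots added per scale-up
        self.scale_events = 0

    def acquire(self):
        # Scale up only when no trusted slot is free, then take one.
        if self.in_use >= self.capacity:
            self.capacity += self.step
            self.scale_events += 1
        self.in_use += 1

    def release(self):
        self.in_use -= 1


def scrub_response(headers, body, origin_ip):
    """Drop headers that identify the content source, including any that leak the origin IP."""
    kept = {}
    for name, value in headers.items():
        if name.lower() in SOURCE_REVEALING_HEADERS or origin_ip in value:
            continue
        kept[name] = value
    return kept, body


def serve_content_request(resolver, orchestrator, one_time_name):
    """Handle a UE's HTTP content request addressed to a one-time-use domain name."""
    origin_ip = resolver.resolve_one_time(one_time_name)  # also destroys the mapping
    orchestrator.acquire()                                # scales up if capacity is short
    try:
        headers, body = ORIGIN_SERVERS[origin_ip]         # stands in for the real fetch
        return scrub_response(headers, body, origin_ip)
    finally:
        orchestrator.release()
```

The lookup-and-destroy is done under one lock so two concurrent requests carrying the same leaked name cannot both be served; a real deployment would also want a TTL on unconsumed mappings, which the claim does not mention and this model omits.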
6 Assignments
0 Petitions
Abstract
A method of electronic communication via a network function virtualization (NFV) implementation of a core network. The method comprises receiving a hypertext transfer protocol (HTTP) content request from a user equipment (UE), wherein the HTTP content request comprises an identification of a content source, and determining by an orchestrator service that insufficient NFV processing capacity is available to perform the HTTP content request, where the orchestrator service is an application that executes on a first physical host. The method further comprises dynamically increasing the NFV processing capacity by the orchestrator service, performing the HTTP content request using the increased NFV processing capacity, and returning an HTTP content response to the UE, wherein the HTTP content response does not comprise identification of the content source.
251 Citations
5 Claims
Claim 1 is reproduced above under First Claim; claims 2 to 5 depend from it.
Specification