CN114095923A

CN114095923A - Slice access authentication method, UPF, application server, PCF and terminal

Info

Publication number: CN114095923A
Application number: CN202010657883.9A
Authority: CN
Inventors: 苗丹; 廖佩贞; 郭漫雪; 万奇
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Priority date: 2020-07-09
Filing date: 2020-07-09
Publication date: 2022-02-25

Abstract

The embodiment of the invention provides a slice access authentication method, a UPF, an application server, a PCF and a terminal, wherein the method comprises the following steps: session establishment is completed between the SMF entity and the SMF entity, and a slice identifier of a first slice sent by the SMF entity is received; the embodiment of the invention transmits the slice identifier of the first slice through the interface between the SMF and the UPF, the UPF forwards the uplink data packet sent by the terminal and the slice identifier of the first slice to the application server, and the application server performs authentication and certification according to the login mobile phone number in the received data packet and the received slice identifier of the first slice, so that on one hand, the login mobile phone number of the application can be authenticated and certified to judge whether to provide service, and on the other hand, the link access network is also authenticated and certified to ensure the rights and interests of the APP application provider who has ordered the slice, and also protect the due rights and interests of the user who has ordered the slice, so that the VIP user can enjoy the slice service by using different terminal equipment.

Description

Slice access authentication method, UPF, application server, PCF and terminal

Technical Field

The invention relates to the technical field of communication, in particular to a slice access authentication method, a UPF (unified power flow), an application server, a PCF (point code function) and a terminal.

Background

A network slice is a logical private network from end to end that provides specific network capabilities, a virtualized "private network" in a 5G network. An example of a network slice is a collection of network functions and required physical/virtual resources, which may specifically include access networks, core networks, transport bearers and applications.

The CSMF (Communication Service Management Function) completes the order and processing of the demand of the user Service Communication Service, and converts the Communication Service demand into a network slice demand for the NSMF.

The NSMF (Network Slice Management Function) is responsible for end-to-end Network Slice full life cycle Management, receives a Network Slice deployment request issued from the CSMF, decomposes an SLA requirement of a Network Slice into an SLA (Service Level Agreement) requirement of a Network sub-Slice, and issues the Network sub-Slice deployment request to the NSSMF.

The NSSMF (Network Slice Subnet Management Function) is responsible for Network Slice Subnet lifecycle Management, receives a Network Slice Subnet deployment request issued by the NSMF, maps the SLA request of the Network Slice Subnet to a QoS (Quality of Service) request of a Network Service, and issues a Network Service deployment request to an NFVO system of an NFV (Network Function Virtualization) domain.

In the prior art, a terminal-side Slice Selection process and mechanism are not defined, and a Network-side terminal authentication manner is S-NSSAI (Single-Network Slice Selection Assistance Information, Single Network Slice Selection Assistance Information) and 5G-GUTI (5G-global Unique Temporary UE Identity, 5G global Unique Temporary UE Identity) reported by a terminal, where the 5G-GUTI is obtained by a SIM (Subscriber Identity Module) card. As shown in fig. 1, taking a game application scenario as an example, the following problems exist in the prior art:

problem 1, the game orders slices, speeding up for VIP member users. For example, user a is a gaming VIP member and user B is not a member. Both user A and user B use the mobile phone number to log in, and user B can still use the slice acceleration service when playing games by using the mobile phone of user A, and the communication link is not in need.

Question 2, the game orders slices, speeding up for VIP member users. For example, user a is a gaming VIP member and user B is not a member. The user A and the user B both use the mobile phone numbers to log in, and the user A cannot use the slice acceleration service by using the mobile phone of the user B because the acceleration communication link of the user B is not communicated.

In summary, the prior art has a vulnerability of a slice access authentication system when in application.

Disclosure of Invention

The embodiment of the invention aims to provide a slice access authentication method, a UPF (unified power flow), an application server, a PCF (point code function) and a terminal, so as to solve the problem of the vulnerability of the conventional slice access authentication system.

In order to solve the above problem, an embodiment of the present invention provides a slice access authentication method, which is applied to a user plane function UPF entity, and includes:

and completing session establishment with a Session Management Function (SMF) entity, and receiving a slice identifier of a first slice sent by the SMF entity.

Wherein the method further comprises:

receiving a first uplink data packet sent by a terminal, wherein the first uplink data packet carries a login mobile phone number of a target application of the terminal;

and forwarding the first uplink data packet and the slice identifier of the first slice to an application server, so that the application server judges whether to provide network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the first slice.

The embodiment of the invention also provides a slice access authentication method, which is applied to an application server and comprises the following steps:

receiving a first uplink data packet and a slice identifier of a first slice forwarded by a User Plane Function (UPF) entity; the first uplink data packet is sent to a UPF entity by a terminal; the slice identifier of the first slice is sent to a UPF entity by a Session Management Function (SMF) entity; the first uplink data packet carries a login mobile phone number of a target application of the terminal;

and judging whether to provide network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the first slice.

Wherein, the judging whether to provide network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the first slice comprises:

if the login mobile phone number does not subscribe the second slice of the target application, refusing to provide network acceleration service for the terminal;

if the login mobile phone number orders a second slice of the target application, judging whether a slice identifier of the ordered second slice of the login mobile phone number is consistent with a slice identifier of the first slice;

and if the slice identifier of the second slice ordered by the login mobile phone number is consistent with the slice identifier of the first slice, providing network acceleration service for the terminal.

Wherein the method further comprises:

and if the slice identifier of the second slice ordered by the login mobile phone number is not consistent with the slice identifier of the first slice, sending a slice redirection request to a Policy Control Function (PCF) entity, wherein the slice redirection request carries the slice identifier of the second slice ordered by the login mobile phone number.

After sending the slice redirection request to the policy control function PCF entity, the method includes:

receiving a second uplink data packet forwarded by the UPF entity and the slice identifier of the second slice; the second uplink data packet is sent to the UPF entity by the terminal; the slice identifier of the second slice is sent to the UPF entity by the SMF entity; the second uplink data packet carries a login mobile phone number of a target application of the terminal;

and determining to provide network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the second slice.

The embodiment of the invention also provides a slice access authentication method, which is applied to a policy control function PCF entity and comprises the following steps:

receiving a slice redirection request sent by an application server, wherein the slice redirection request carries a slice identifier of a second slice ordered by a login mobile phone number of a target application of a terminal;

sending redirection indicating information used for indicating the terminal to redirect to the second slice to the terminal according to the slice redirection request; wherein the redirection indication information carries a slice identifier of the second slice.

Wherein, the sending, to the terminal according to the slice redirection request, redirection indication information for indicating that the terminal is redirected to the second slice includes:

generating a slice selection strategy according to the slice redirection request; the slice selection strategy is used for triggering the terminal to initiate a network registration process;

and sending the slice selection strategy to the terminal, wherein the slice selection strategy comprises the redirection indication information.

The embodiment of the invention also provides a slice access authentication method, which is applied to a terminal and comprises the following steps:

receiving redirection indication information sent by a Policy Control Function (PCF) entity, wherein the redirection indication information is used for indicating the terminal to redirect to the second slice; wherein the redirection indication information carries a slice identifier of the second slice;

and redirecting to the second slice according to the redirection indication information.

And the second slice is a slice ordered by a login mobile phone number of a target application of the terminal.

Wherein, the receiving the redirection indication information sent by the policy control function PCF entity includes:

and receiving a slice selection strategy sent by the PCF entity, wherein the slice selection strategy comprises the redirection indication information.

Wherein, redirecting to the second slice according to the redirection indication information comprises:

generating a redirection strategy according to the slice selection strategy; wherein the redirection policy comprises: the binding relationship between the identification of the target application and the second slice, and/or the binding relationship between the IP address of the application server and the second slice;

initiating a network registration process to attach to an access and mobility management function (AMF) entity according to the redirection strategy; the network registration flow carries the slice identifier of the second slice; to send, by the AMF entity, the slice identity of the second slice to a session management function, SMF, entity.

The embodiment of the invention also provides a slice access authentication device, which is applied to a user plane function UPF entity and comprises the following components:

and the first receiving module is used for completing session establishment with the SMF entity and receiving the slice identifier of the first slice sent by the SMF entity.

The embodiment of the invention also provides a user plane function UPF entity, which comprises a processor and a transceiver, wherein the transceiver receives and transmits data under the control of the processor, and the processor is used for executing the following operations:

Wherein the processor is further configured to:

The embodiment of the invention also provides a slice access authentication device, which is applied to an application server and comprises the following components:

the second receiving module is used for receiving the first uplink data packet and the slice identifier of the first slice forwarded by the user plane function UPF entity; the first uplink data packet is sent to a UPF entity by a terminal; the slice identifier of the first slice is sent to a UPF entity by a Session Management Function (SMF) entity; the first uplink data packet carries a login mobile phone number of a target application of the terminal;

and the judging module is used for judging whether to provide network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the first slice.

An embodiment of the present invention further provides an application server, including a processor and a transceiver, where the transceiver receives and sends data under the control of the processor, and the processor is configured to perform the following operations:

Wherein the processor is further configured to:

The embodiment of the invention also provides a slice access authentication device, which is applied to a policy control function PCF entity and comprises the following steps:

a third receiving module, configured to receive a slice redirection request sent by an application server, where the slice redirection request carries a slice identifier of a second slice ordered by a login mobile phone number of a target application of a terminal;

a first sending module, configured to send, to the terminal according to the slice redirection request, redirection indication information for indicating that the terminal is redirected to the second slice; wherein the redirection indication information carries a slice identifier of the second slice.

The embodiment of the invention also provides a Policy Control Function (PCF) entity, which comprises a processor and a transceiver, wherein the transceiver receives and transmits data under the control of the processor, and the processor is used for executing the following operations:

Wherein the processor is further configured to:

The embodiment of the invention also provides a slice access authentication device, which is applied to a terminal and comprises the following components:

a fourth receiving module, configured to receive redirection indication information sent by a policy control function PCF entity, where the redirection indication information is used to indicate that the terminal is redirected to the second slice; wherein the redirection indication information carries a slice identifier of the second slice;

and the redirection module is used for redirecting to the second slice according to the redirection indication information.

An embodiment of the present invention further provides a terminal, including a processor and a transceiver, where the transceiver receives and transmits data under the control of the processor, and the processor is configured to perform the following operations:

Wherein the processor is further configured to:

The embodiment of the present invention further provides a communication device, which includes a memory, a processor, and a program stored in the memory and capable of running on the processor, and when the processor executes the program, the slice access authentication method as described above is implemented.

Embodiments of the present invention also provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the slice access authentication method as described above.

The technical scheme of the invention at least has the following beneficial effects:

in the slice access authentication method, the UPF, the application server, the PCF and the terminal of the embodiment of the invention, the slice identifier of the first slice is transmitted through the interface between the SMF and the UPF, the UPF forwards the uplink data packet sent by the terminal and the slice identifier of the first slice to the application server, and the application server performs authentication according to the login mobile phone number in the received data packet and the received slice identifier of the first slice.

Drawings

FIG. 1 is a schematic diagram of a prior art application scenario;

fig. 2 shows a network structure of a 5G core network according to an embodiment of the present invention;

fig. 3 is a schematic diagram illustrating one of the steps of a slice access authentication method according to an embodiment of the present invention;

fig. 4 is a second schematic diagram illustrating steps of a slice access authentication method according to an embodiment of the present invention;

fig. 5 is a schematic structural diagram of an application server according to an embodiment of the present invention;

fig. 6 is a schematic flow chart of an application server according to an embodiment of the present invention;

fig. 7 is a third schematic diagram illustrating steps of a slice access authentication method according to an embodiment of the present invention;

fig. 8 is a schematic structural diagram of a PCF entity according to an embodiment of the present invention;

fig. 9 is a fourth schematic diagram illustrating the steps of the slice access authentication method according to the embodiment of the present invention;

fig. 10 is a diagram illustrating a complete interaction example of a slice access authentication method according to an embodiment of the present invention;

fig. 11 is a schematic structural diagram of a slice access authentication apparatus according to an embodiment of the present invention;

fig. 12 is a schematic structural diagram of a communication device according to an embodiment of the present invention;

fig. 13 is a second schematic structural diagram of a slice access authentication apparatus according to an embodiment of the present invention;

fig. 14 is a third schematic structural diagram of a slice access authentication apparatus according to an embodiment of the present invention;

fig. 15 is a fourth schematic structural diagram of a slice access authentication apparatus according to an embodiment of the present invention.

Detailed Description

In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments.

The slice access authentication method provided by the embodiment of the invention is mainly embodied in the stage of network session establishment, a 5GC (5G core network) network structure is shown in figure 2, and a network element and an application system participating in the process of slice selection session establishment mainly comprise a terminal (UE), an AMF (access and mobility management function), an SMF (session management function), a PCF (policy control function), a UPF (user plane function) and an application server.

On the system architecture level, the embodiment of the invention modifies the interface (N4) between SMF and UPF, and the interface (N6) between UPF and application server; an application server is modified, and a network service authentication mechanism is added; the PCF is modified, and a strategy generation and trigger mechanism is newly added; an interface (N15) between PCF and AMF and an interface (N1) between AMF and UE are modified, a network slice redirection interface function is added, and a terminal needs to be matched with a network issuing strategy to update the strategy; the slicing session establishment flow is also modified.

In the slice selection process, when a user-side session is established, the UPF sends a slice identifier of the current session (namely, a slice identifier of a first slice) to the application server, and the application server compares a login mobile phone number in a received data packet with the received slice identifier to make a contract relationship, and judges whether the login mobile phone number orders the slice. If not, rejecting the service, if the subscribed but the subscribed slice is not consistent with the current session slice, requesting to initiate slice redirection by the application server; on one hand, the authentication and verification of the login mobile phone number of the application can be carried out, whether the service is provided or not is judged, on the other hand, the authentication and verification is also carried out on the link access network, the rights and interests of the APP application provider who has ordered the slices are ensured, the network logout behavior is prevented, the due rights and interests of the user who has ordered the slices are also protected, and the VIP user can enjoy the slice service by using different terminal equipment.

As shown in fig. 3, an embodiment of the present invention provides a slice access authentication method, which is applied to a user plane function UPF entity, and includes:

and step 31, completing session establishment with the SMF entity, and receiving the slice identifier of the first slice sent by the SMF entity.

The embodiment of the invention modifies an interface (N4) between the SMF and the UPF, and transmits the slice identifier of the first slice selected by the terminal to the UPF through the N4 interface.

In the embodiment of the invention, a terminal selects a proper slice identifier of a first slice according to information (such as ID, IP address and the like) of a target application, and if the slice identifier of the first slice is an allowable slice identifier, the terminal initiates a PDU (protocol data unit) session creation request to AMF (advanced metering parameter function) carrying a session ID, a slice identifier and 5G-GUTI; and the AMF initiates a control plane slice selection signaling flow to complete the selection of the SMF by the AMF and realize PDU session authentication. The SMF determines which UPF to select based on slice identification, slice instance identification (NSI ID), DNN (data packet network), etc. And completing session establishment between the SMF and the selected UPF, and transmitting the slice identifier of the first slice to the UPF by the SMF in the session establishment process or after the session establishment is completed. For example, the SMF sends a PFCP (packet forwarding control protocol) session establishment request message to the UPF through the N4 interface to establish a new PFCP session context in the UPF, and adds a "current session S-NSSAI" resource in the PFCP session establishment request message to carry the slice identifier of the current session. The UPF can be added with a slice identifier storage module, after the UPF has the slice identifier, the UPF opens the service capability for the application server, and carries the slice identifier of the current session to the application server through the N6 interface.

The first slice is a terminal-selected slice. The slice identity may specifically be S-NSSAI (single network slice selection assistance information).

Optionally, after the session establishment between the SMF and the UPF is completed, the SMF further needs to establish a user plane session through a standard user plane session establishment procedure, thereby completing the network channel establishment. After the network channel is established, as an optional embodiment of the present invention, the method further includes:

The embodiment of the invention also modifies an interface (N6) between the UPF and the application server, and sends the first uplink data packet and the slice identifier of the first slice to the application server through the N6 interface, namely, the network side in the embodiment of the invention provides the slice identifier and the login mobile phone number in an auxiliary manner, and the application server realizes authentication and authentication.

To sum up, the embodiment of the present invention transmits the slice identifier of the first slice through the interface between the SMF and the UPF, the UPF forwards the uplink data packet sent by the terminal and the slice identifier of the first slice to the application server, and the application server performs authentication and authentication according to the login mobile phone number in the received data packet and the received slice identifier of the first slice, so that on one hand, the login mobile phone number of the application can be authenticated and judged whether to provide a service, and on the other hand, the link access network is also authenticated and authenticated, thereby ensuring the rights and interests of the APP application provider who has ordered slices, preventing the behavior of "network surfing" and also protecting the rights and interests of the user who has ordered slices, so that the user can enjoy the slice service using different terminal devices.

As shown in fig. 4, an embodiment of the present invention further provides a slice access authentication method applied to an application server, including:

step 41, receiving a first uplink data packet and a slice identifier of a first slice forwarded by a user plane function UPF entity; the first uplink data packet is sent to a UPF entity by a terminal; the slice identifier of the first slice is sent to a UPF entity by a Session Management Function (SMF) entity; the first uplink data packet carries a login mobile phone number of a target application of the terminal;

and step 42, judging whether to provide network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the first slice.

In the embodiment of the invention, the UPF sends the first uplink data packet and the slice identifier of the first slice sent by the terminal to the application server, and the application server is added with a network service authentication mechanism, so that the application server realizes authentication and authentication.

Since the 5G introduces the slicing technology, different business applications can provide services using networks with different characteristics and performances to form a web-application-user three-level service system, so the subscription relationship between the applications and different networks is a new function that the application system needs to manage in the 5G era, and accordingly, the authentication of the user services also needs to be upgraded, and besides authenticating the identity of the user, whether the networks of the services are matched or not needs to be authenticated. The embodiment of the invention adds a network business cooperative service authentication module on the basis of the original application server account management system (a user account management module, a business management module and a user and business ordering relation management module), wherein the network business cooperative service authentication module comprises a user service authentication management submodule and a business and network ordering relation management submodule.

The service and network ordering relation management submodule is used for: after a user orders a network slice to an operator, it is necessary to specify which services use the slice (for example, after ordering the slice in Tencent, specify which game or games under the flag use the slice), and migrate the card user subscribed by the service to the slice. The module is responsible for storing and managing the order relationship between the service and the network, including the addition, change, deletion and the like of the order relationship.

The user service authentication management submodule comprises: the server is responsible for storing an authentication processing mechanism and executing logic judgment, namely authenticating a user and network service, and judging whether the user subscribes to the application, whether the application subscribes to a sliced network service, and whether the network service currently used by the user is matched with the network slice subscribed by the application.

As an alternative embodiment, step 42 comprises:

For example, the second slice is a VIP slice, and applications subscribed to the VIP slice can enjoy network-accelerated services.

Optionally, the method further comprises:

Further, after sending the slice redirection request to the policy control function PCF entity, the method includes:

In the embodiment of the invention, after an application server sends a slice redirection request to a PCF (point-to-point protocol), the PCF informs the terminal of redirection to a second slice by an AMF (advanced metering function) currently attached to the terminal, and the slice redirection identifier of the second slice is carried; the terminal side updates a slice selection strategy, triggers a network registration process, and judges whether the AMF needs to be reselected (judges whether the AMF needs to be reselected based on whether a second slice contains the current AMF); the terminal initiates a PDU session establishment request to the AMF after reselection or the AMF before reselection, wherein the PDU session establishment request carries the slice identifier of the second slice; and the AMF initiates a control plane slice selection signaling flow to complete the selection of the SMF by the AMF and realize PDU session authentication. The SMF determines which UPF to select based on the slice identity of the second slice, the slice instance identity (NSI ID), the DNN (data packet network), etc. And completing session establishment between the SMF and the selected UPF, and transmitting the slice identifier of the second slice to the UPF by the SMF in the session establishment process or after the session establishment is completed.

the terminal sends a second uplink data packet to the UPF, wherein the second uplink data packet carries a login mobile phone number of a target application of the terminal;

the UPF forwards the second uplink data packet and the slice identifier of the second slice to an application server;

and the application server determines to provide network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the second slice.

As shown in fig. 6, the processing flow of the application server includes:

step 61, the user access request arrives;

step 62, the user and service subscription relation module queries user registration information and service subscription information (for example, network slice acceleration service subscription information);

step 63, the user service authentication management submodule judges whether the user is the application registered user, if so, the step 64 is entered, if not, the service is rejected, and the process is ended;

step 64, the user service authentication management submodule judges whether the application registered user judges whether the user subscribes the network slicing acceleration service;

step 65, the service and network subscription relation management submodule queries the network slice subscription information of the network slice acceleration service (for example, queries a slice identifier S-NSSAI corresponding to the acceleration service);

step 6, the user service authentication management submodule judges whether the currently used network slicing service is matched with the order information, if so, the step 67 is carried out, and if not, the step 68 is carried out;

step 67, returning a response of successful user access authentication;

and 68, requesting network redirection, requesting redirection to the ordered slice, if the user currently uses the default slice of the large network and orders the high-level slice acceleration service, redirecting to the high-level slice, and if the user currently uses the high-level slice network but does not order the high-level slice acceleration service, redirecting to the default slice of the large network.

As shown in fig. 7, an embodiment of the present invention further provides a slice access authentication method, which is applied to a policy control function PCF entity, and includes:

step 71, receiving a slice redirection request sent by an application server, wherein the slice redirection request carries a slice identifier of a second slice ordered by a login mobile phone number of a target application of a terminal; for example, the application server sends a slice redirection request through the N5 interface, carrying the slice id of the second slice.

Step 72, sending redirection indication information for indicating the terminal to redirect to the second slice to the terminal according to the slice redirection request; wherein the redirection indication information carries a slice identifier of the second slice.

The embodiment of the invention modifies PCF and adds a strategy generation and trigger mechanism. As shown in fig. 8, in the embodiment of the present invention, on the basis of the subscription relationship policy management module of the original PCF, an application request redirection policy management module is newly added, which is responsible for receiving a redirection request from an application server to an access terminal network, generating a redirection NSSP policy, and sending the redirection NSSP policy to a terminal through an access AMF of the terminal.

Optionally, step 72 comprises:

As shown in fig. 9, an embodiment of the present invention further provides a slice access authentication method, which is applied to a terminal, and includes:

step 91, receiving redirection instruction information sent by a policy control function PCF entity, where the redirection instruction information is used to instruct the terminal to redirect to the second slice; wherein the redirection indication information carries a slice identifier of the second slice;

and step 92, redirecting to the second slice according to the redirection indication information.

The embodiment of the invention adds a redirection strategy updating module on the basis of the original terminal, and is responsible for receiving the slice redirection instruction from the PCF, generating the redirection NSSP strategy and triggering the network redirection registration process. The redirection NSSP strategy comprises the binding relation between the APP ID/APP IP address of the APP application server and the redirection network slice identification. And when the terminal initiates a PDU session establishment request, searching a corresponding slice identifier in the redirection NSSP and sending the slice identifier to the network side.

Optionally, in the embodiment of the present invention, the second slice is a slice ordered by a login phone number of a target application of the terminal.

As an alternative embodiment, step 91 comprises:

Accordingly, step 92 includes:

As shown in fig. 10, a complete flow of the slice access authentication method provided in the embodiment of the present invention specifically includes:

0. the terminal selects a proper S-NSSAI from the NSSP according to the APP information (APP ID/destination IP address), detects whether the S-NSSAI exists in the allowed NSSAI, and enters the following process if the S-NSSAI exists;

step 1, a terminal initiates a PDU session establishment request carrying a session ID, a slice identifier S-NSSAI and a 5G-GUTI;

step 2, the network side initiates a control plane slice selection signaling flow to complete AMF selection SMF;

step 3, PDU conversation authentication;

step 4, the SMF judges which UPF is selected according to the slice identifier S-NSSAI, the slice example identifier NSI ID, DNN and the like;

step 5, the SMF and the UPF complete session establishment and carry a slice identifier S-NSSAI;

step 6, step 7, step 8, step 9 are the standard user plane conversation and establish the procedure;

step 10, establishing a network channel, and starting to send a data packet;

step 11, the application sends an uplink data packet carrying a login mobile phone number for logging in the application at the APP side;

step 12, UPF forwards the data packet to an application server, and the data packet carries a slice identifier S-NSSAI;

step 13, the application server judges whether the mobile phone number orders the application VIP slice, if yes, step 14a is carried out, and if not, step 14b is carried out;

step 14a, continuously judging whether the slice identifier ordered by the mobile phone number is consistent with the currently uploaded slice identifier, if so, entering step 15a, and if not, entering step 15 b;

step 14b, the application server refuses to provide service for the user, and the terminal side APP prompts the network acceleration service interruption or acceleration service access failure;

step 15a, continuing communication, sending a downlink data packet, and continuing using network acceleration service by a terminal user;

step 15b, notifying the VIP slice identifier ordered by the mobile phone number to the PCF to request slice redirection;

step 16, PCF generates a new slice selection strategy;

step 17, PCF informs UE terminal to redirect to target slice by AMF attached to current terminal, and carries target slice identification S-NSSAI;

step 18, the terminal side updates the slice selection strategy and triggers the network registration process;

step 19, the terminal initiates a network registration process to determine whether the AMF needs to be reselected (because the new slice does not necessarily contain the current AMF network element);

and 20, re-initiating a PDU session establishment flow, namely entering the step 1 and carrying the slice identifier of the target slice.

As shown in fig. 11, an embodiment of the present invention further provides a slice access authentication apparatus, which is applied to a user plane function UPF entity, and includes:

a first receiving module 101, configured to complete session establishment with a session management function SMF entity, and receive a slice identifier of a first slice sent by the SMF entity.

Optionally, as an optional embodiment of the present invention, the apparatus further includes:

an eleventh receiving module, configured to receive a first uplink data packet sent by a terminal, where the first uplink data packet carries a login mobile phone number of a target application of the terminal;

and the first forwarding module is used for forwarding the first uplink data packet and the slice identifier of the first slice to an application server, so that the application server judges whether to provide network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the first slice.

It should be noted that the slice access authentication device provided in the embodiments of the present invention is a device capable of executing the slice access authentication method, and all embodiments of the slice access authentication method are applicable to the device and can achieve the same or similar beneficial effects.

As shown in fig. 12, an embodiment of the present invention further provides a user plane function UPF entity, which includes a processor 200 and a transceiver 210, where the transceiver 210 receives and transmits data under the control of the processor 200, and the processor 200 is configured to perform the following operations:

Optionally, as an optional embodiment of the present invention, the processor 200 is further configured to perform the following operations:

It should be noted that, the UPF entity provided in the embodiments of the present invention is a UPF capable of executing the slice access authentication method, and all embodiments of the slice access authentication method are applicable to the UPF entity and can achieve the same or similar beneficial effects.

As shown in fig. 13, an embodiment of the present invention further provides a slice access authentication apparatus, which is applied to an application server, and includes:

a second receiving module 130, configured to receive a first uplink data packet and a slice identifier of a first slice forwarded by a user plane function UPF entity; the first uplink data packet is sent to a UPF entity by a terminal; the slice identifier of the first slice is sent to a UPF entity by a Session Management Function (SMF) entity; the first uplink data packet carries a login mobile phone number of a target application of the terminal;

the judging module 131 is configured to judge whether to provide a network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the first slice.

Optionally, as an optional embodiment of the present invention, the determining module includes:

the first sub-module is used for refusing to provide network acceleration service for the terminal if the login mobile phone number does not subscribe the second slice of the target application;

the second sub-module is used for judging whether the slice identifier of the second slice ordered by the login mobile phone number is consistent with the slice identifier of the first slice if the login mobile phone number orders the second slice of the target application;

and the third sub-module is used for providing network acceleration service for the terminal if the slice identifier of the second slice ordered by the login mobile phone number is consistent with the slice identifier of the first slice.

and the fourth sub-module is used for sending a slice redirection request to a Policy Control Function (PCF) entity if the slice identifier of the second slice ordered by the login mobile phone number is inconsistent with the slice identifier of the first slice, wherein the slice redirection request carries the slice identifier of the second slice ordered by the login mobile phone number.

Optionally, as an optional embodiment of the present invention, the apparatus comprises:

a twelfth receiving module, configured to receive a second uplink data packet forwarded by the UPF entity and the slice identifier of the second slice; the second uplink data packet is sent to the UPF entity by the terminal; the slice identifier of the second slice is sent to the UPF entity by the SMF entity; the second uplink data packet carries a login mobile phone number of a target application of the terminal;

and the determining module is used for determining to provide network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the second slice.

As shown in fig. 12, an embodiment of the present invention further provides an application server, including a processor 200 and a transceiver 210, where the transceiver 210 receives and transmits data under the control of the processor 200, and the processor 200 is configured to perform the following operations:

Optionally, as an optional embodiment of the present invention, the processor is further configured to perform the following operations:

It should be noted that, the application server provided in the embodiments of the present invention is an application server capable of executing the above-mentioned slice access authentication method, and all embodiments of the above-mentioned slice access authentication method are applicable to the application server, and can achieve the same or similar beneficial effects.

As shown in fig. 14, an embodiment of the present invention further provides a slice access authentication apparatus, which is applied to a policy control function PCF entity, and includes:

a third receiving module 140, configured to receive a slice redirection request sent by an application server, where the slice redirection request carries a slice identifier of a second slice ordered by a login mobile phone number of a target application of a terminal;

a first sending module 141, configured to send, to the terminal according to the slice redirection request, redirection indication information for indicating that the terminal is redirected to the second slice; wherein the redirection indication information carries a slice identifier of the second slice.

Optionally, as an optional embodiment of the present invention, the first sending module includes:

the generating submodule is used for generating a slice selecting strategy according to the slice redirecting request; the slice selection strategy is used for triggering the terminal to initiate a network registration process;

and the sending submodule is used for sending the slice selection strategy to the terminal, and the slice selection strategy comprises the redirection indication information.

As shown in fig. 12, an embodiment of the present invention further provides a policy control function PCF entity, which includes a processor 200 and a transceiver 210, where the transceiver 210 receives and transmits data under the control of the processor 200, and the processor 200 is configured to perform the following operations:

It should be noted that the PCF entity provided in the embodiments of the present invention is a PCF entity capable of executing the above-mentioned slice access authentication method, and all embodiments of the above-mentioned slice access authentication method are applicable to the PCF entity, and can achieve the same or similar beneficial effects.

As shown in fig. 15, an embodiment of the present invention further provides a slice access authentication apparatus, which is applied to a terminal, and includes:

a fourth receiving module 150, configured to receive redirection indication information sent by a policy control function PCF entity, where the redirection indication information is used to indicate that the terminal is redirected to the second slice; wherein the redirection indication information carries a slice identifier of the second slice;

a redirection module 151, configured to redirect to the second slice according to the redirection indication information.

Optionally, as an optional embodiment of the present invention, the second slice is a slice ordered by a login mobile phone number of a target application of the terminal.

Optionally, as an optional embodiment of the present invention, the fourth receiving module includes:

a sixth sub-module, configured to receive a slice selection policy sent by the PCF entity, where the slice selection policy includes the redirection indication information.

Optionally, as an optional embodiment of the present invention, the redirection module includes:

the seventh sub-module is used for generating a redirection strategy according to the slice selection strategy; wherein the redirection policy comprises: the binding relationship between the identification of the target application and the second slice, and/or the binding relationship between the IP address of the application server and the second slice;

the eighth submodule is used for initiating a network registration process to attach to an access and mobility management function (AMF) entity according to the redirection strategy; the network registration flow carries the slice identifier of the second slice; to send, by the AMF entity, the slice identity of the second slice to a session management function, SMF, entity.

As shown in fig. 12, an embodiment of the present invention further provides a terminal, including a processor 200 and a transceiver 210, where the transceiver 210 receives and transmits data under the control of the processor 200, and the processor 200 is configured to perform the following operations:

It should be noted that, the terminal provided in the embodiments of the present invention is a terminal capable of executing the slice access authentication method, and all embodiments of the slice access authentication method are applicable to the terminal and can achieve the same or similar beneficial effects.

An embodiment of the present invention further provides a communication device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements each process in the above-described slice access authentication method embodiment when executing the program, and can achieve the same technical effect, and details are not repeated here to avoid repetition.

The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program implements each process in the above-described slice access authentication method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.

As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block or blocks.

These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims

1. A slice access authentication method is applied to a User Plane Function (UPF) entity, and is characterized by comprising the following steps:

2. The method of claim 1, further comprising:

3. A slice access authentication method is applied to an application server and is characterized by comprising the following steps:

4. The method according to claim 3, wherein the determining whether to provide the network acceleration service for the terminal according to the login mobile phone number and the slice identifier of the first slice comprises:

5. The method of claim 4, further comprising:

6. The method according to claim 5, wherein after sending the slice redirection request to a policy control function, PCF, entity, the method comprises:

7. A slice access authentication method is applied to a Policy Control Function (PCF) entity, and is characterized by comprising the following steps:

8. The method of claim 7, wherein the sending redirection indication information to the terminal for indicating that the terminal is redirected to the second slice according to the slice redirection request comprises:

9. A slice access authentication method is applied to a terminal, and is characterized by comprising the following steps:

receiving redirection indication information sent by a Policy Control Function (PCF) entity, wherein the redirection indication information is used for indicating the terminal to redirect to a second slice; wherein the redirection indication information carries a slice identifier of the second slice;

10. The method of claim 9, wherein the second slice is a slice ordered by a login phone number of a target application of the terminal.

11. The method of claim 10, wherein the receiving the redirection indication information sent by the policy control function PCF entity comprises:

12. The method of claim 11, wherein redirecting to the second slice according to the redirection indication information comprises:

13. A slice access authentication device applied to a User Plane Function (UPF) entity, comprising:

14. A user plane function, UPF, entity comprising a processor and a transceiver, the transceiver receiving and transmitting data under control of the processor, characterized in that the processor is adapted to:

15. The UPF entity of claim 14, wherein the processor is further configured to:

16. A slice access authentication device applied to an application server is characterized by comprising:

17. An application server comprising a processor and a transceiver, the transceiver receiving and transmitting data under control of the processor, characterized in that the processor is adapted to:

18. The application server of claim 17, wherein the processor is further configured to:

19. The application server of claim 18, wherein the processor is further configured to:

20. The application server of claim 19, wherein the processor is further configured to:

21. A slice access authentication device applied to a Policy Control Function (PCF) entity is characterized by comprising:

22. A policy control function, PCF, entity comprising a processor and a transceiver, said transceiver receiving and transmitting data under control of the processor, wherein said processor is configured to:

23. The PCF entity of claim 22, wherein said processor is further configured to:

24. A slice access authentication device applied to a terminal, comprising:

a fourth receiving module, configured to receive redirection indication information sent by a policy control function PCF entity, where the redirection indication information is used to indicate that the terminal is redirected to a second slice; wherein the redirection indication information carries a slice identifier of the second slice;

25. A terminal comprising a processor and a transceiver, the transceiver receiving and transmitting data under control of the processor, characterized in that the processor is adapted to:

26. The terminal of claim 25, wherein the second slice is a slice ordered by a login phone number of a target application of the terminal.

27. The terminal of claim 26, wherein the processor is further configured to:

28. The terminal of claim 27, wherein the processor is further configured to:

29. A communication device comprising a memory, a processor, and a program stored on the memory and executable on the processor; wherein the processor implements the slice access authentication method of claim 1 or 2 when executing the program; or, the processor, when executing the program, implements the slice access authentication method of any of claims 3-6; or, the processor implements the slice access authentication method according to claim 7 or 8 when executing the program; alternatively, the processor implements the slice access authentication method according to any one of claims 9 to 12 when executing the program.

30. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the steps in the slice access authentication method according to claim 1 or 2; or the program when executed by a processor implements the steps in the slice access authentication method according to any of claims 3-6; or the program when executed by a processor implements the steps in the slice access authentication method of claim 7 or 8; or the program, when executed by a processor, implements the steps in the slice access authentication method of any one of claims 9-12.