CN115175194A - Method and apparatus for secure communication - Google Patents

Method and apparatus for secure communication

Publication number: CN115175194A
Application number: CN202110295551.5A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Prior art keywords: security group, group, security, communication, network element
Other languages: Chinese (zh)
Inventors: 韩文勇, 谢春生, 刁文波, 赵军
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202110295551.5A and PCT/CN2022/081583 (WO2022194262A1)
Publication of CN115175194A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/009: Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W12/60: Context-dependent security
    • H04W12/69: Identity-dependent
    • H04W12/76: Group identity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application provides a method and an apparatus for secure communication. The method may include the following steps: a first network element receives information about service data sent by a first communication device to a second communication device, where the first communication device and the second communication device belong to the same VN group; the first network element obtains a communication policy between a first security group and a second security group, where the first security group is the security group corresponding to the first communication device and the second security group is the security group corresponding to the second communication device; and the first network element formulates a forwarding rule for the service data according to the communication policy between the first security group and the second security group. The VN group includes a plurality of security groups, among them the first security group and the second security group. By defining a plurality of security groups, configuring a communication policy between each pair of them, and having the communication devices in a network (for example, the devices in a virtual network group) join their respective security groups, access control of the communication devices at group granularity can be achieved.

Description

Method and apparatus for secure communication
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for secure communication.
Background
A local area network (LAN) is a computer communication network that interconnects computers, peripheral devices, databases, and so on within a limited geographical area (for example, a school, a factory, or an institution).
In current LAN technologies such as fifth generation (5G) LAN, virtual LAN interworking between communication devices in a mobile network may be implemented through a virtual network (VN) group. With respect to the security of device interworking, however, the interworking permissions of the devices within a VN group are not further defined, and a secure access control mechanism is lacking.
Disclosure of Invention
This application provides a method and an apparatus for secure communication, which enable secure access control among the devices in a virtual network group.
In a first aspect, a method for secure communication is provided. The method may be performed by a network device, or by a chip or circuit for the network device; this application is not limited in this respect. For ease of description, the following description takes the first network element as an example.
The method may include the following steps: the first network element receives information about service data sent by a first communication device to a second communication device; the first network element obtains a communication policy between a first security group and a second security group, where the first security group is the security group corresponding to the first communication device and the second security group is the security group corresponding to the second communication device; and the first network element formulates a forwarding rule for the service data according to the communication policy between the first security group and the second security group. The first communication device and the second communication device are devices in the same virtual network (VN) group, the VN group includes a plurality of security groups, and the plurality of security groups includes the first security group and the second security group.
The method may be performed by a core network element (that is, the first network element), for example a session management function (SMF) network element or a user plane function (UPF) network element, or by a chip or circuit for the core network element.
Based on the above solution, a plurality of security groups are defined, communication policies (or access policies) are configured between the security groups, and the communication devices in a network (for example, the devices in a virtual network group) join their corresponding security groups, so that access control of the communication devices at group granularity can be achieved. Specifically, after receiving service data from a terminal device, the first network element may determine the communication policy between the security group to which the source address of the service data (that is, the address of the first communication device) belongs and the security group to which its destination address (that is, the address of the second communication device) belongs, and formulate a forwarding rule for the service data according to that policy. This not only improves the security of communication between devices but also simplifies management.
With reference to the first aspect, in certain implementations of the first aspect, the communication policy between the first security group and the second security group is one of the following: communication is allowed between the first security group and the second security group, or communication is prohibited between the first security group and the second security group.
Based on this solution, the communication policy between security groups consists of two modes, communication allowed and communication prohibited, which is sufficient to achieve secure access and is simple to implement.
With reference to the first aspect, in some implementations of the first aspect, the first network element is a session management function network element.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: when the communication policy between the first security group and the second security group is communication allowed, the forwarding rule indicates the forwarding path of the service data; or, when the communication policy between the first security group and the second security group is communication prohibited, the forwarding rule indicates that the service data is to be discarded.
With reference to the first aspect, in some implementations of the first aspect, receiving, by the first network element, the information about the service data sent by the first communication device to the second communication device includes: the first network element receives a forwarding-rule-unknown message from a second network element, where the forwarding-rule-unknown message carries the source address information and the destination address information of the service data, the source address corresponds to the first security group, and the destination address corresponds to the second security group. Formulating, by the first network element, the forwarding rule for the service data according to the communication policy between the first security group and the second security group then includes: the first network element formulates the forwarding rule for the service data according to the communication policy between the first security group corresponding to the source address and the second security group corresponding to the destination address, and the first network element sends the forwarding rule to the second network element.
Based on this solution, after receiving the forwarding-rule-unknown message sent by the second network element, the first network element determines the security groups corresponding to the source address and the destination address from the information about the service data carried in that message (such as the source address and the destination address), formulates the forwarding rule for the service data according to the communication policy between those two security groups, and sends the forwarding rule to the second network element, so that the second network element can process the service data according to the forwarding rule.
With reference to the first aspect, in some implementations of the first aspect, before the first network element receives the forwarding-rule-unknown message from the second network element, the method further includes: the first network element sends first indication information to the second network element, where the first indication information instructs the second network element to report forwarding-rule-unknown events.
Illustratively, "forwarding rule unknown" means that no forwarding rule can be matched for the source address and destination address of the service data.
Based on this solution, the first network element may configure forwarding-rule-unknown reporting on the second network element. After receiving service data for which no forwarding rule matches, the second network element can then report the unknown forwarding rule for that service data to the first network element, and the first network element can formulate the forwarding rule for the service data.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the first network element sends second indication information to the second network element, where the second indication information indicates that the forwarding rule is to be deleted.
Based on this solution, the security group state can be updated in a timely manner, which improves resource utilization and ensures data transmission performance.
With reference to the first aspect, in some implementations of the first aspect, sending, by the first network element, the second indication information to the second network element includes: the first network element sends the second indication information to the second network element when it determines that the session of the first communication device has been released or that an address related to the forwarding rule has aged.
Illustratively, the first network element may also send the second indication information to the second network element periodically.
With reference to the first aspect, in some implementations of the first aspect, the second network element is a user plane function network element.
With reference to the first aspect, in some implementations of the first aspect, the first network element is a user plane function network element.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the first network element receives information about the plurality of security groups from the second network element, where the information about the plurality of security groups includes information about the communication policy between any two security groups of the plurality of security groups.
Based on this solution, the first network element may obtain the relevant information about the plurality of security groups in advance.
With reference to the first aspect, in some implementations of the first aspect, receiving, by the first network element, the information about the service data sent by the first communication device to the second communication device includes: the first network element receives the service data sent by the first communication device to the second communication device. Obtaining, by the first network element, the communication policy between the first security group and the second security group then includes: when the first network element determines that the first communication device belongs to the communication devices corresponding to the first security group in the VN group and that the second communication device belongs to the communication devices corresponding to the second security group in the VN group, the first network element obtains the communication policy between the first security group and the second security group from the information about the security groups.
With reference to the first aspect, in some implementations of the first aspect, when the communication policy between the first security group and the second security group is communication allowed, the forwarding rule indicates the forwarding path of the service data, and the first network element forwards the service data along the forwarding path indicated by the forwarding rule; or, when the communication policy between the first security group and the second security group is communication prohibited, the forwarding rule indicates that the service data is to be discarded, and the first network element discards the service data according to the forwarding rule.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the first network element sends third indication information to the second network element, where the third indication information indicates that an address related to the forwarding rule has aged.
Based on this solution, after an address has aged, the first network element may indicate the address aging to the second network element, so that the first network element may delete the forwarding rule corresponding to that address and save storage space.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the first network element receives fourth indication information from the second network element, where the fourth indication information indicates that the forwarding rule is to be deleted.
With reference to the first aspect, in some implementations of the first aspect, the second network element is a session management function network element.
With reference to the first aspect, in certain implementations of the first aspect, each security group includes one or more of the following items of information: the data network corresponding to the security group, the external identifier of the VN group to which the security group belongs, the identifier of the security group, the name of the security group, the communication devices corresponding to the security group, and the communication policy between the security group and another security group among the plurality of security groups in the VN group.
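The reactive flow of the first aspect (forwarding-rule-unknown report from the UPF, policy lookup at the SMF, rule installation, deletion on session release or address aging), as an added example that is not part of the patent. The SMF and UPF classes, the VNGroup model, the sample addresses and the path names are all hypothetical, and a pair of security groups with no configured policy is assumed to be prohibited.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Set, Tuple


class Policy(Enum):
    ALLOW = "allow"        # communication allowed between two security groups
    PROHIBIT = "prohibit"  # communication prohibited between two security groups


@dataclass
class VNGroup:
    """Hypothetical model of a VN group: its security groups, the device
    addresses belonging to each group, and the pairwise communication policy."""
    external_id: str
    members: Dict[str, Set[str]]            # security group id -> device addresses
    policies: Dict[FrozenSet[str], Policy]  # {sg_a, sg_b} -> policy between them

    def group_of(self, address: str) -> Optional[str]:
        return next((sg for sg, addrs in self.members.items() if address in addrs), None)

    def policy_between(self, sg_a: str, sg_b: str) -> Policy:
        # assumption: a pair with no configured policy (including a group with
        # itself) is treated as prohibited, i.e. the policy fails closed
        return self.policies.get(frozenset((sg_a, sg_b)), Policy.PROHIBIT)


@dataclass
class ForwardingRule:
    src: str
    dst: str
    action: str                 # "forward" or "discard"
    path: Optional[str] = None  # forwarding path, only set for "forward"


class SMF:
    """First network element: formulates forwarding rules from the group policy."""

    def __init__(self, vn: VNGroup, paths: Dict[str, str]):
        self.vn = vn
        self.paths = paths   # assumption: destination address -> forwarding path
        self.upf = None      # the second network element, attached by UPF()

    def on_forwarding_rule_unknown(self, src: str, dst: str) -> ForwardingRule:
        sg_src, sg_dst = self.vn.group_of(src), self.vn.group_of(dst)
        # an address outside every security group of the VN group is never forwarded
        if sg_src and sg_dst and self.vn.policy_between(sg_src, sg_dst) is Policy.ALLOW:
            return ForwardingRule(src, dst, "forward", self.paths.get(dst, "default"))
        return ForwardingRule(src, dst, "discard")

    def on_session_release(self, address: str) -> int:
        """Second indication: have the UPF delete every rule that refers to a
        released (or aged) address. Returns the number of rules deleted."""
        return self.upf.delete_rules_for(address)


class UPF:
    """Second network element: matches service data against installed rules and,
    once reporting is enabled, reports unmatched flows to the SMF."""

    def __init__(self, smf: SMF):
        self.smf = smf
        smf.upf = self
        self.rules: Dict[Tuple[str, str], ForwardingRule] = {}
        self.report_unknown = False

    def on_first_indication(self) -> None:
        self.report_unknown = True   # SMF enabled forwarding-rule-unknown reporting

    def handle_service_data(self, src: str, dst: str) -> str:
        rule = self.rules.get((src, dst))
        if rule is None:
            if not self.report_unknown:
                return "discard"     # no rule and no way to obtain one: fail closed
            rule = self.smf.on_forwarding_rule_unknown(src, dst)
            self.rules[(src, dst)] = rule   # the SMF installs the formulated rule
        return rule.action

    def delete_rules_for(self, address: str) -> int:
        stale = [key for key in self.rules if address in key]
        for key in stale:
            del self.rules[key]
        return len(stale)


def make_sample_pair() -> Tuple[SMF, UPF]:
    """Constructed sample: one VN group with three security groups, where only
    sensors <-> controllers is allowed."""
    vn = VNGroup(
        external_id="vn-factory-1",
        members={"sensors": {"10.0.1.1", "10.0.1.2"},
                 "controllers": {"10.0.2.1"},
                 "guests": {"10.0.3.1"}},
        policies={frozenset(("sensors", "controllers")): Policy.ALLOW,
                  frozenset(("sensors", "guests")): Policy.PROHIBIT},
    )
    smf = SMF(vn, paths={"10.0.2.1": "N6-controllers", "10.0.1.1": "N3-sensors"})
    return smf, UPF(smf)
```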
In a second aspect, a method for secure communication is provided. The method may be performed by a network device, or by a chip or circuit for the network device; this application is not limited in this respect. For ease of description, the following description takes the third network element as an example.
The method may include the following steps: the third network element receives a first request message from a fourth network element, where the first request message requests the creation of security groups for a virtual network (VN) group; and the third network element creates a plurality of security groups for the VN group based on the first request message. The VN group includes the plurality of security groups, each security group corresponds to one or more communication devices, the plurality of security groups includes a first security group, and a communication policy is provided between the first security group and another security group of the plurality of security groups, where the communication policy controls communication between the communication devices corresponding to the first security group and the communication devices corresponding to the other security group.
For example, a VN group may include multiple security groups.
Illustratively, the third network element may be a network exposure function (NEF) network element, and the fourth network element may be an application function (AF) network element.
Based on this solution, a plurality of security groups are defined within a virtual network (VN) group, communication policies are configured between the security groups, and the communication devices in the network (for example, the devices in the VN group) join their respective security groups, thereby enabling access control of the communication devices at group granularity. The security of communication between devices can therefore be improved, and management is simplified.
With reference to the second aspect, in some implementations of the second aspect, the communication policy is either communication allowed or communication prohibited.
Based on this solution, the communication policy between security groups consists of two modes, communication allowed and communication prohibited, which is sufficient to achieve secure access and is simple to implement.
With reference to the second aspect, in some implementations of the second aspect, the first request message includes one or more of the following items of information: the external identifier of the VN group to which the security groups to be created belong, the data network corresponding to the security groups to be created, the identifiers of the security groups to be created, the names of the security groups to be created, and the communication policies between the security groups to be created.
With reference to the second aspect, in some implementations of the second aspect, the first request message includes the communication policies between the security groups to be created, and the method further includes: the third network element sets a communication policy for the security groups to be created according to the communication policies carried in the first request message, where each communication policy is communication allowed or communication prohibited.
With reference to the second aspect, in certain implementations of the second aspect, the method further includes: the third network element receives a second request message from the fourth network element, where the second request message requests that one or more communication devices be added to the first security group.
With reference to the second aspect, in some implementations of the second aspect, the second request message includes one or more of the following items of information: the data network corresponding to the first security group, the external identifier of the VN group to which the first security group belongs, the identifier of the first security group, the name of the first security group, and information about the one or more communication devices to be added.
With reference to the second aspect, in certain implementations of the second aspect, each security group includes one or more of the following items of information: the data network corresponding to the security group, the external identifier of the VN group to which the security group belongs, the identifier of the security group, the name of the security group, the communication devices corresponding to the security group, and the communication policy between the security group and another security group among the plurality of security groups of the VN group.
With reference to the second aspect, in some implementations of the second aspect, the third network element is a network exposure function (capability exposure function) network element, and the fourth network element is an application function network element.
In a third aspect, a method for secure communication is provided. The method may be performed by a network device, or by a chip or circuit for the network device; this application is not limited in this respect. For ease of description, the following description takes the first network element as an example.
The method may include the following steps: the first network element receives a session establishment request from a first communication device, where the session establishment request includes an identifier of a virtual network (VN) group, and the security group corresponding to the first communication device is a first security group; the first network element formulates a forwarding rule for the first communication device according to the communication policies between the first security group and the other security groups; and the first network element sends the forwarding rule to a second network element. The VN group includes a plurality of security groups, each security group corresponds to one or more communication devices, the plurality of security groups includes the first security group, and a communication policy is provided between the first security group and another security group of the plurality of security groups, where the communication policy controls communication between the communication devices corresponding to the first security group and the communication devices corresponding to the other security group.
The above method may be performed by a core network element (that is, the first network element), such as an SMF network element, or by a chip or circuit for the core network element.
Illustratively, the first network element is an SMF network element, and the second network element is a UPF network element.
Illustratively, the first network element determines that the first communication device belongs to the communication devices corresponding to the first security group.
For the communication policy, reference may be made to the description of the first aspect or the second aspect.
Based on this solution, a plurality of security groups are defined, communication policies are configured between them, and the communication devices in the network join their corresponding security groups, so that access control of the communication devices at group granularity can be achieved. In addition, after receiving the session establishment request of a communication device, the core network element (for example, an SMF network element) may formulate a forwarding rule for that communication device based on the communication policy between the security group in which the device is located and another security group, and send the forwarding rule to the second network element, so that the second network element can forward data based on the forwarding rule.
With reference to the third aspect, in certain implementations of the third aspect, the method further includes: the first network element requests VN group session subscription information from a sixth network element; and the first network element receives the VN group session subscription information from the sixth network element, where the VN group session subscription information includes information about the plurality of security groups, and the information about the plurality of security groups includes information about the communication policy between any two security groups of the plurality of security groups.
Illustratively, the sixth network element is a core network element, such as a unified data management (UDM) network element or a unified data repository (UDR) network element.
With reference to the third aspect, in some implementations of the third aspect, the first network element sends second indication information to the second network element, where the second indication information indicates that the forwarding rule formulated for the first communication device is to be deleted.
With reference to the third aspect, in some implementations of the third aspect, sending, by the first network element, the second indication information to the second network element includes: the first network element sends the second indication information to the second network element when it determines that the session of the first communication device has been released or that an address related to the forwarding rule has aged.
Illustratively, the first network element may also send the second indication information to the second network element periodically.
With reference to the third aspect, in certain implementations of the third aspect, the method further includes: the first network element receives an address aging message from the second network element and, according to the address aging message, removes the association relationships related to that address.
Illustratively, the address is disassociated from the terminal device session, and the address is disassociated from the UPF.
Illustratively, the address is disassociated from the data network name and from the group session.
In a fourth aspect, a method for secure communication is provided. The method may be performed by a network device, or by a chip or circuit for the network device; this application is not limited in this respect. For ease of description, the following description takes the second network element as an example.
The method may include the following steps: the second network element receives, from a first network element, a forwarding rule corresponding to a first communication device, where the security group corresponding to the first communication device is a first security group and the forwarding rule corresponding to the first communication device is formulated according to the communication policies between the first security group and the other security groups; the second network element receives service data from the first communication device; and the second network element processes the service data according to the forwarding rule corresponding to the first communication device.
The above method may be performed by a core network element (that is, the second network element), such as a UPF network element, or by a chip or circuit for the core network element.
Illustratively, the second network element is a UPF network element, and the first network element is an SMF network element.
For the communication policy, reference may be made to the description of the first aspect or the second aspect.
Based on this solution, a plurality of security groups are defined, communication policies are configured between them, and the communication devices in the network join their corresponding security groups, so that access control of the communication devices at group granularity can be achieved. In addition, the security group policy is enforced by a core network element (such as a UPF network element), which performs the interworking control of the communication devices' packets, so that the security of communication between devices can be improved.
With reference to the fourth aspect, in some implementations of the fourth aspect, the plurality of security groups includes a second security group, and the service data is data sent by the first communication device to a communication device corresponding to the second security group. Processing, by the second network element, the service data according to the forwarding rule corresponding to the first communication device includes: when the communication policy between the first security group and the second security group is communication allowed, the forwarding rule indicates the forwarding path of the service data, and the second network element forwards the service data along the forwarding path indicated by the forwarding rule; or, when the communication policy between the first security group and the second security group is communication prohibited, the forwarding rule indicates that the service data is to be discarded, and the second network element discards the service data according to the forwarding rule.
With reference to the fourth aspect, in certain implementations of the fourth aspect, the method further includes: the second network element receives second indication information from the first network element, where the second indication information indicates that the forwarding rule formulated for the first communication device is to be deleted.
With reference to the fourth aspect, in certain implementations of the fourth aspect, the method further includes: determining that the address corresponding to the first communication device has aged; and deleting all forwarding rules corresponding to the aged address, or deleting the security group information corresponding to the aged address.
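The proactive flow of the third and fourth aspects, as an added example that is not part of the patent: at session establishment the SMF derives one rule per other security group for the requesting device and sends the set to the UPF, which enforces it on service data and, when the device's address ages, deletes the rules and notifies the SMF. The assumption that each security group owns one address prefix, the class and path names, and the sample addresses are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityGroup:
    """Assumption: each security group owns one address prefix, so the UPF can
    classify a destination without keeping per-flow state."""
    sg_id: str
    prefix: ipaddress.IPv4Network


@dataclass(frozen=True)
class DeviceRule:
    src: str                           # address of the device the rule was made for
    dst_prefix: ipaddress.IPv4Network  # prefix of the destination security group
    action: str                        # "forward" or "discard"
    path: Optional[str] = None         # forwarding path, only set for "forward"


class SMF:
    """First network element: derives a device's rule set at session establishment."""

    def __init__(self, vn_group_id: str, groups: List[SecurityGroup],
                 allowed_pairs: Iterable[Tuple[str, str]], paths: Dict[str, str]):
        self.vn_group_id = vn_group_id
        self.groups = groups
        self.allowed = {frozenset(p) for p in allowed_pairs}  # all other pairs prohibited
        self.paths = paths                      # assumption: security group id -> path
        self.session_of: Dict[str, str] = {}    # address -> security group association

    def group_of(self, address: str) -> Optional[SecurityGroup]:
        ip = ipaddress.ip_address(address)
        return next((g for g in self.groups if ip in g.prefix), None)

    def on_session_establishment(self, address: str, vn_group_id: str) -> List[DeviceRule]:
        """Formulate this device's rules against every other security group.
        Returns the rule set to send to the UPF, empty if the device is not in
        any security group of the requested VN group."""
        own = self.group_of(address) if vn_group_id == self.vn_group_id else None
        if own is None:
            return []
        self.session_of[address] = own.sg_id
        rules = []
        for other in self.groups:
            if other is own:   # assumption: intra-group traffic is outside this policy
                continue
            if frozenset((own.sg_id, other.sg_id)) in self.allowed:
                rules.append(DeviceRule(address, other.prefix, "forward", self.paths[other.sg_id]))
            else:
                rules.append(DeviceRule(address, other.prefix, "discard"))
        return rules

    def on_address_aging(self, address: str) -> bool:
        """Address aging message from the UPF: drop the address's association."""
        return self.session_of.pop(address, None) is not None


class UPF:
    """Second network element: enforces the installed rules on service data."""

    def __init__(self, smf: SMF):
        self.smf = smf
        self.rules: List[DeviceRule] = []

    def install(self, rules: List[DeviceRule]) -> None:
        self.rules.extend(rules)

    def handle_service_data(self, src: str, dst: str) -> str:
        ip = ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.src == src and ip in rule.dst_prefix:
                return rule.action
        return "discard"   # no rule for this device and destination: fail closed

    def on_address_aged(self, address: str) -> int:
        """Delete every rule made for the aged address and notify the SMF.
        Returns the number of rules deleted."""
        kept = [r for r in self.rules if r.src != address]
        deleted = len(self.rules) - len(kept)
        self.rules = kept
        self.smf.on_address_aging(address)
        return deleted


def make_sample_pair() -> Tuple[SMF, UPF]:
    """Constructed sample: three security groups, only sensors <-> controllers allowed."""
    groups = [SecurityGroup("sensors", ipaddress.ip_network("10.0.1.0/24")),
              SecurityGroup("controllers", ipaddress.ip_network("10.0.2.0/24")),
              SecurityGroup("guests", ipaddress.ip_network("10.0.3.0/24"))]
    smf = SMF("vn-factory-1", groups, allowed_pairs=[("sensors", "controllers")],
              paths={"sensors": "N3-sensors", "controllers": "N6-controllers",
                     "guests": "N6-guests"})
    return smf, UPF(smf)
```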
In a fifth aspect, a communication device is provided, which is configured to perform the methods provided in the first to fourth aspects. In particular, the apparatus may comprise means and/or modules, such as a processing unit and/or a communication unit, for performing the methods provided by the first to fourth aspects.
In one implementation, the apparatus is a network device. When the apparatus is a network device, the communication unit may be a transceiver, or an input/output interface; the processing unit may be a processor.
In another implementation, the apparatus is a chip, a system of chips, or a circuit for use in a network device. When the apparatus is a chip, a chip system or a circuit used in a communication device, the communication unit may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin or a related circuit on the chip, the chip system or the circuit, and the like; the processing unit may be a processor, a processing circuit, a logic circuit, or the like.
Alternatively, the transceiver may be a transceiver circuit. Alternatively, the input/output interface may be an input/output circuit.
In a sixth aspect, a communication apparatus is provided, the apparatus comprising: a memory for storing a program; a processor for executing the memory-stored program, the processor being configured to perform the method provided in the first to fourth aspects when the memory-stored program is executed.
In one implementation, the apparatus is a terminal device or a network device.
In another implementation, the apparatus is a chip, a system of chips, or a circuit used in a terminal device or a network device.
In a seventh aspect, the present application provides a processor configured to perform the methods provided in the above aspects. In performing these methods, the steps of sending the above information and of acquiring/receiving the above information may be understood as the processor outputting the information and the processor receiving the input information, respectively. When outputting information, the processor outputs it to a transceiver, which transmits it; the information may still need further processing after it leaves the processor and before it reaches the transceiver. Similarly, when the processor receives input information, the transceiver acquires/receives the information and inputs it to the processor; after the transceiver receives the information, it may need to be processed before being input to the processor.
Based on the above principle, for example, the aforementioned method for acquiring the communication policy between the first security group and the second security group may be understood as the processor receiving the input information.
Unless specifically stated otherwise, or unless contradicted by their actual role or inherent logic in the related description, operations of the processor such as transmitting, sending and acquiring/receiving may be understood more generally as output and receiving/input operations of the processor, rather than as transmitting, sending and receiving performed directly by the radio frequency circuitry and antenna.
In implementation, the processor may be a processor dedicated to performing these methods, or may be a processor, such as a general-purpose processor, that performs the methods by executing computer instructions stored in a memory. The memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated on the same chip as the processor or disposed on a different chip; the embodiments of the present application do not limit the type of the memory or the manner in which the memory and the processor are arranged.
In an eighth aspect, a computer-readable storage medium is provided, which stores program code for execution by a device, the program code comprising instructions for performing the method provided by the first to fourth aspects above.
In a ninth aspect, there is provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method provided in the first to fourth aspects above.
In a tenth aspect, a chip is provided, where the chip includes a processor and a communication interface, and the processor reads instructions stored in a memory through the communication interface to perform the method provided in the first to fourth aspects.
Optionally, as an implementation manner, the chip may further include a memory, where the memory stores instructions, and the processor is configured to execute the instructions stored on the memory, and when the instructions are executed, the processor is configured to execute the method provided in the first aspect to the fourth aspect.
In an eleventh aspect, a communication system is provided, which includes the network devices described above, such as the first network element and the second network element (such as SMF and UPF); as another example, a third network element and a fourth network element (e.g., NEF and AF).
Drawings
Fig. 1 shows a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application.
Fig. 2 shows a schematic diagram of a PDU connection suitable for use in embodiments of the present application.
Fig. 3 shows a schematic diagram of packet forwarding suitable for use in embodiments of the present application.
Fig. 4 and 5 are schematic diagrams illustrating a user plane architecture of data interaction of a terminal device in a 5G LAN group, which is suitable for an embodiment of the present application.
Fig. 6 and 7 show schematic diagrams of 5G LAN scenario UPF forwarding suitable for embodiments of the present application.
Fig. 8 shows a schematic diagram of an AF configuration management 5G VN group.
Fig. 9 shows a schematic interaction diagram of a method 900 for secure communication according to an embodiment of the present application.
Fig. 10 shows a schematic interaction diagram of a method 1000 for secure communication according to an embodiment of the present application.
Fig. 11 shows a schematic flow diagram of secure communications suitable for use with embodiments of the present application.
Fig. 12 shows another schematic flow diagram of secure communication suitable for use with embodiments of the present application.
Fig. 13 (1) and (2) show a schematic flow chart of security group policy enforcement suitable for use in an embodiment of the present application.
Fig. 14 (1) and (2) show another schematic flow chart of security group policy enforcement suitable for use in an embodiment of the present application.
FIG. 15 shows a schematic flow chart of security group policy enforcement suitable for use in another embodiment of the present application.
FIG. 16 shows another schematic flow chart of security group policy enforcement suitable for use in another embodiment of the present application.
Fig. 17 shows a schematic flow diagram of security group updates suitable for use in embodiments of the present application.
Fig. 18 shows another schematic flow diagram of security group updates suitable for use with embodiments of the present application.
Fig. 19 is a schematic block diagram of an apparatus for secure communication provided in accordance with an embodiment of the present application.
Fig. 20 is another schematic block diagram of an apparatus for secure communication provided in accordance with an embodiment of the present application.
Fig. 21 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
The technical solutions provided in the present application may be applied to various communication systems, for example, a fifth generation (5G) mobile communication system or a new radio (NR) access technology. The 5G mobile communication system may include a non-standalone (NSA) network and/or a standalone (SA) network. The technical solutions provided in the present application may also be applied to future communication systems, such as a sixth generation mobile communication system. The technical solutions of the embodiments of the present application may further be applied to machine type communication (MTC), long term evolution for machines (LTE-M), a device-to-device (D2D) network, a machine-to-machine (M2M) network, an internet of things (IoT) network, or other networks. The IoT network may include, for example, an internet of vehicles. The communication modes in the internet of vehicles are collectively referred to as vehicle-to-everything (V2X, where X may represent anything); for example, V2X may include vehicle-to-vehicle (V2V) communication, vehicle-to-infrastructure (V2I) communication, vehicle-to-pedestrian (V2P) communication, vehicle-to-network (V2N) communication, and the like.
For the understanding of the embodiments of the present application, a network architecture suitable for the embodiments of the present application is first described in detail with reference to fig. 1.
Fig. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application. As shown in Fig. 1, the network architecture is, for example, the 5G network architecture defined by the 3rd Generation Partnership Project (3GPP). The network architecture may include, for example but not limited to, the following: user equipment (UE), access network (AN), access and mobility management function (AMF) network element, session management function (SMF) network element, user plane function (UPF) network element, policy control function (PCF) network element, unified data management (UDM) network element, unified data repository (UDR), application function (AF), network exposure function (NEF), data network (DN), and so on.
The network elements shown in fig. 1 are briefly described below.
1. A terminal device: may be referred to as user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station (MS), a mobile terminal (MT), a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user apparatus. The terminal device may be a device that provides voice/data connectivity to a user, for example, a handheld device or a vehicle-mounted device with a wireless connection function. Currently, some examples of terminals are: a mobile phone, a tablet computer (pad), a computer with a wireless transceiving function (for example, a laptop or a palmtop), a mobile internet device (MID), a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with a wireless communication function, a computing device or other processing device connected to a wireless modem, a terminal device in a 5G network, a terminal device in a future evolved public land mobile network (PLMN), or the like.
Furthermore, the terminal device may also be a terminal device in an IoT system. The IoT is an important component of future information technology development, and the main technical characteristic of the IoT is to connect objects with a network through a communication technology, so that an intelligent network with man-machine interconnection and object-object interconnection is realized. The IoT technology can achieve massive connection, deep coverage, and power saving of the terminal through, for example, narrowband (NB) technology.
In addition, the terminal device may also include sensors such as a smart printer, a train detector, or a gas station sensor. Its main functions include collecting data (for some terminal devices), receiving control information and downlink data from the network device, and transmitting electromagnetic waves to send uplink data to the network device.
It should be understood that the terminal device may be any device that can access the network. The terminal equipment and the access network equipment can communicate with each other by adopting a certain air interface technology.
Alternatively, the terminal device may also act as a base station. For example, the terminal device may act as a scheduling entity that provides sidelink signals between terminal devices in V2X, D2D, or the like. For example, a cellular phone and a car communicate with each other using sidelink signals, and a cellular phone communicates with a smart home device without relaying the communication signal through a base station.
2. Access network (AN): the access network may provide network access functions for authorized users in a specific area, and includes radio access network (RAN) devices and AN devices. RAN devices are mainly 3GPP wireless network devices, and AN devices may be access network devices defined outside 3GPP (non-3GPP).
The access network may use different access technologies. There are currently two types of radio access technologies: 3GPP access technologies (for example, the radio access technologies used in 3G, 4G or 5G systems) and non-3GPP access technologies. A 3GPP access technology is an access technology conforming to 3GPP standard specifications; for example, the access network device in a 5G system is called a next generation base station (gNB) or RAN. A non-3GPP access technology is an access technology that does not conform to 3GPP standard specifications, for example, the air interface technology represented by an access point (AP) in wireless fidelity (WiFi), worldwide interoperability for microwave access (WiMAX), a code division multiple access (CDMA) network, and the like. AN devices may allow interworking between terminal devices and the 3GPP core network using non-3GPP technology.
An access network that implements its access network functions based on wireless communication technology may be referred to as a RAN. The radio access network is responsible for functions such as radio resource management, quality of service (QoS) management, and data compression and encryption on the air interface side. The radio access network provides access services for the terminal device and forwards control signaling and user data between the terminal and the core network.
The radio access network may include, for example but not limited to: a macro base station, a micro base station (also called a small cell), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved NodeB or home Node B, HNB), a baseband unit (BBU), an AP, a radio relay node, a radio backhaul node, a transmission point (TP) or transmission reception point (TRP) in a WiFi system, and the like; it may also be a gNB or transmission point (TRP or TP) in a 5G (for example, NR) system, one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, a network node constituting a gNB or transmission point, such as a baseband unit (BBU) or a distributed unit (DU), or a base station in a next generation communication system. The embodiments of the present application do not limit the specific technology and the specific device form used by the radio access network device.
The access network may serve the cell. A terminal device may communicate with a cell via transmission resources (e.g., frequency domain resources, or alternatively, spectrum resources) allocated by an access network device.
3. AMF network element: mainly responsible for mobility management, access authentication/authorization and other functions for the UE. It may also be responsible for transferring user policies between the UE and the PCF.
4. SMF network element: mainly responsible for protocol data unit (PDU) session management for the UE, executing the control policies issued by the PCF, selecting the UPF, allocating a UE IP address when the PDU type is internet protocol (IP), and the like.
5. UPF network element: as the interface to the data network, the UPF performs functions such as user plane data forwarding, session/flow level charging statistics, bandwidth limitation, and the like.
6. PCF network element: mainly responsible for policy control functions at the session and service flow level, such as charging, QoS bandwidth guarantee, mobility management and UE policy decisions.
7. AF network element: mainly conveys requirements of the application side to the network side, such as QoS requirements or user state event subscriptions. The AF network element may be a third-party functional entity, or an application service deployed by the operator, such as the IP multimedia subsystem (IMS) voice call service. When the application function entity of a third-party application interacts with the core network, it may also go through authorization processing by the NEF: for example, the third-party application function sends a request message to the NEF, the NEF determines whether the AF is allowed to send the request message, and forwards the request message to the corresponding PCF or UDM if the AF passes the check.
8. UDM network element: mainly responsible for managing subscription data, user access authorization and other functions.
9. UDR network element: mainly responsible for the access functions for data such as subscription data, policy data and application data.
10. Data network (DN): a service network that provides data services for users, for example the Internet, a third-party service network, or an IMS network. A data network may be identified by a data network name (DNN).
It is to be understood that the various network elements or functions shown in fig. 1, such as AMF, SMF, UPF, PCF, UDM, etc., may be understood as network elements for implementing different functions, e.g. may be combined into network slices as needed. These network elements may be independent devices, or may be integrated in the same device to implement different functions, or may be network elements in a hardware device, or may be software functions running on dedicated hardware, or virtualization functions instantiated on a platform (e.g., a cloud platform), and the present application is not limited to the specific form of the above network element.
It is also to be understood that the above-described nomenclature is defined merely to distinguish between different functions, and is not intended to limit the application in any way. This application does not exclude the possibility of using other nomenclature in 5G networks and other networks in the future. For example, in a 6G network, some or all of the above network elements may follow the terminology in 5G, and may also adopt other names.
By way of example, the interface functions are described below.
N1: the signaling interface between the AMF and the UE is irrelevant to access, and can be used for exchanging signaling messages between the core network and the UE, such as UE registration and network access, UE establishment of PDU session, UE policy configuration on the network side and the like.
N2: the interface between the AMF and the RAN may be used to transfer radio bearer control information from the core network to the RAN, etc.
N3 (R) AN interface between the AN and the UPF, which can be used to transfer UE traffic data between the RAN and the UPF.
N4: the interface between the SMF and the UPF can be used for transmitting information between the control plane and the user plane, including controlling the issuing of forwarding rules, qoS control rules, traffic statistics rules, etc. for the user plane and the reporting of information for the user plane.
N5: the interface between AF and PCF can be used for sending application service request and reporting network event.
N6: and the interface between the UPF and the DN can be used for transmitting UE service data between the UPF and the DN.
N7: the interface between PCF and SMF can be used to send down PDU conversation granularity and service data flow granularity control strategy.
N8: the interface between AMF and UDM can be used for AMF to obtain the subscription data and authentication data related to access and mobility management from UDM, and AMF to register the current mobility management related information of UE to UDM.
N9: the interface between the UPFs, such as the interface between a visited-policy control function (V-PCF) and a home-policy control function (H-PCF), or the interface between the UPF connected to the DN and the UPF connected to the RAN, is used to transfer user plane data between the UPFs.
N10: the interface between the SMF and the UDM may be used for the SMF to acquire the subscription data related to session management from the UDM, and for the SMF to register the current session related information of the UE with the UDM.
N11: the interface between the SMF and the AMF may be used to transfer PDU session tunnel information between the RAN and the UPF, transfer control messages sent to the UE, transfer radio resource control information sent to the RAN, and the like.
N15: the interface between PCF and AMF can be used to send down UE strategy and access control relative strategy.
N35: and an interface between the UDM and the UDR can be used for the UDM to acquire user subscription data information from the UDR.
N36: the interface between PCF and UDR can be used for PCF to obtain the subscription data related to policy and the information related to application data from UDR.
The relationships between the other interfaces and the network elements are shown in fig. 1, and for brevity, a detailed description thereof is omitted.
It should be understood that the name of the interface between each network element in fig. 1 is only an example, and the name of the interface in the specific implementation may be other names, which is not specifically limited in this application. In addition, the name of the transmitted message (or signaling) between the network elements is only an example, and the function of the message itself is not limited in any way.
It should also be understood that the network architecture applied to the embodiments of the present application is only an exemplary one, and the network architecture to which the embodiments of the present application are applied is not limited thereto, and any network architecture capable of implementing the functions of the network elements described above is applied to the embodiments of the present application.
To facilitate understanding of the embodiments of the present application, first, a brief description will be given of terms referred to in the present application.
1. PDU connection and session management.
A network (for example, a 5G network) provides data exchange services between the UE and the DN, which may be referred to as PDU connectivity services. The UE obtains a PDU connectivity service by initiating a PDU session establishment request to the mobile network, and the network side provides the PDU connectivity service by maintaining PDU sessions for the UE.
As an exemplary illustration, Fig. 2 shows a schematic diagram of a PDU connection suitable for use in embodiments of the present application. As shown in Fig. 2, the network involved in the PDU connection may include, for example, the following network elements: network slice specific authentication and authorization function (NSSAAF), network slice selection function (NSSF), authentication server function (AUSF), UDM, AMF, SMF, PCF, AF, UE, (R)AN, UPF and DN. For their specific descriptions, reference may be made to the standards or to the description of Fig. 1, which is not repeated here.
As shown in Fig. 2, the data plane path represents the service data exchange path between the UE and the DN, that is, the data traffic path of the UE in the mobile network. To exchange data with the DN, the UE needs to use the PDU connectivity service provided by the mobile network to establish a DNN-based PDU session, which is a signaling plane procedure. Obtaining a PDU connection generally involves two procedures, UE registration to the network and PDU session establishment; both belong to the signaling plane interaction between the UE and the mobile network, that is, the signaling plane path shown in Fig. 2.
As an exemplary description, taking the terminal device being a UE as an example, the general registration procedure of a terminal device is briefly introduced. The UE sends a registration request to the AMF through the (R)AN, and the AMF obtains subscription data from the UDM according to the UE identity. Through a series of authentication and authorization operations, the network side finally confirms that the UE is allowed to access the network. The AMF responds to the UE registration request and issues related policy information to the UE, and the UE completes network registration and camps on the network. The AMF on the network side maintains the registration information of the UE and performs mobility management for the UE. It should be understood that the foregoing is only an exemplary illustration, and the embodiments of the present application do not limit the specific procedure by which the UE registers with the network.
After completing registration and access, the UE can initiate a PDU session establishment request to obtain the PDU connectivity service of the network. As an exemplary illustration, taking the terminal device being a UE as an example, the general PDU session establishment procedure is briefly introduced. The UE sends a PDU session establishment request to the AMF through the RAN. Based on the request, the AMF selects an SMF to provide session services for the UE, stores the correspondence between the SMF and the PDU session, and sends the PDU session establishment request to the SMF. The SMF selects a corresponding UPF for the UE to establish the user plane transmission path and allocates an IP address to the UE. It should be understood that the foregoing is only an exemplary illustration, and the embodiments of the present application do not limit the specific procedure by which the UE obtains the PDU connectivity service of the network.
In PDU session management for the UE, the SMF interacts with the UPF through the N4 interface and controls the UPF to create, modify and delete the corresponding N4 session of the UE (also called a packet forwarding control protocol (PFCP) session), thereby controlling how the UPF processes data packets. The SMF issues various packet processing rules into the N4 session of the UE in the UPF to control the processing of packets by the UPF. After receiving an external data packet, the UPF matches the packet according to the matching rules issued by the SMF (for example, packet detection rules (PDRs)) and forwards it according to the forwarding rules (for example, forwarding action rules (FARs)). The matching and forwarding rules are described in detail below.
For ease of understanding, the PDR and FAR will be briefly described below.
The SMF may issue PDRs to the UPF in the PDU session management process. The UPF performs the corresponding packet matching according to the PDRs issued by the SMF and thereby obtains the corresponding FAR to complete packet forwarding. A PDR may include a packet detection information (PDI) parameter, which contains one or more match fields used to match the data packets received by the UPF, identify the packet, and associate the packet with an N4 session. The PDI information provided by the SMF to the UPF mainly includes the packet ingress (that is, the source interface) and a series of parameters for matching the ingress packet, which may include, but are not limited to, the tunnel endpoint (for example, the local fully qualified tunnel endpoint identifier (F-TEID)), the network instance, the UE IP address, service data flow (SDF) filters or an application ID, and the like.
After receiving a data packet, the UPF matches each field of the packet header against the parameter items defined by the PDI in the PDRs, finds the N4 session to which the packet belongs and, within that N4 session, the PDR with the highest precedence among those matching the packet, thereby completing packet matching. The matched PDR contains a corresponding FAR indication, and the UPF completes forwarding of the packet according to the FAR.
A FAR instructs the UPF how to process a data packet mainly through the following information: the apply action parameter and the forwarding, buffering and duplicating parameters. The apply action parameter indicates whether the UPF is to forward, duplicate or drop the packet, whether to buffer a downlink packet with or without notifying the control plane (such as the SMF), or whether the UPF allows the UE to join an IP multicast group. When the apply action instructs the UPF to forward, buffer or duplicate a packet, the UPF uses the corresponding forwarding, buffering or duplicating parameters.
2. User plane management, matching and forwarding rules.
The SMF may issue various packet processing rules to the UPF through the N4 interface to control the processing of packets by the UPF. The PDR is used to match the packet, and the FAR indicates how the packet is to be forwarded. For the UPF packet processing flow, reference may be made to the protocol definition (for example, 3GPP TS 29.244). When an external data packet enters the UPF, the UPF matches the N4 session information (N4 session/PFCP session) according to the PDR matching conditions, then matches the PDR with the highest precedence within that N4 session, and completes forwarding of the packet according to the corresponding FAR.
By way of illustration, fig. 3 shows a schematic diagram of packet forwarding suitable for use in embodiments of the present application.
As shown in fig. 3, the uplink data and the downlink data enter the UPF interface, and the UPF completes the packet forwarding process according to the rule matching, which is specifically as follows.
(1) Uplink traffic: the uplink packet of the UE reaches the N3 interface through the RAN; the UPF finds the N4 session of the source UE by matching the source interface of the packet and the tunnel identifier (for example, the F-TEID), performs PDR matching according to the service data flow (SDF) filter, and the corresponding FAR indicates how the packet is to be forwarded. Fig. 3 shows the UE uplink packet being forwarded to the DN side through the N6 interface.
(2) Downlink traffic: the downlink packet from the DN enters the UPF through the N6 interface; the UPF matches the N4 session and PDR of the destination UE by the source interface of the packet, the network instance and the destination IP address, and the corresponding FAR indicates how the packet is to be forwarded. Fig. 3 shows the DN downlink packet being forwarded to the UE through the N3 interface.
It should be understood that the above description is only an exemplary illustration, and the embodiments of the present application are not limited to the specific forwarding flow of the data packet.
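The PDR/FAR pipeline described in this section, as an added Python model that is not part of the patent text or of any UPF implementation: each PDR carries PDI match fields (source interface, F-TEID, network instance, UE IP address and a simplified SDF filter), the matching PDR with the highest precedence selects a FAR, and the FAR's apply action decides between forwarding to a destination interface and dropping. The N4 session, rules, addresses and TEID are constructed sample data; the SDF filter is reduced to a (protocol, remote IP, remote port) tuple rather than the flow description string used in 3GPP TS 29.244, and dropping a packet that matches no PDR is this example's choice.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ACCESS, CORE = "access", "core"   # interface values for the N3 side and the N6 side


@dataclass(frozen=True)
class Packet:
    """Constructed packet as seen by the UPF after GTP-U decapsulation."""
    source_interface: str          # ACCESS (arrived on N3) or CORE (arrived on N6)
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    teid: Optional[int] = None     # GTP-U TEID, present only for N3 traffic
    network_instance: Optional[str] = None


@dataclass(frozen=True)
class PDI:
    """Packet detection information: every field that is set must match."""
    source_interface: str
    teid: Optional[int] = None                    # local F-TEID on the access side
    ue_ip: Optional[str] = None                   # source on uplink, destination on downlink
    network_instance: Optional[str] = None
    sdf: Optional[tuple[str, str, int]] = None    # simplified filter: (proto, remote ip, remote port)

    def matches(self, pkt: Packet) -> bool:
        if pkt.source_interface != self.source_interface:
            return False
        if self.teid is not None and pkt.teid != self.teid:
            return False
        if self.network_instance is not None and pkt.network_instance != self.network_instance:
            return False
        uplink = pkt.source_interface == ACCESS
        if self.ue_ip is not None and (pkt.src_ip if uplink else pkt.dst_ip) != self.ue_ip:
            return False
        if self.sdf is not None:
            proto, remote_ip, remote_port = self.sdf
            remote = (pkt.dst_ip, pkt.dst_port) if uplink else (pkt.src_ip, pkt.src_port)
            if pkt.proto != proto or remote != (remote_ip, remote_port):
                return False
        return True


@dataclass(frozen=True)
class FAR:
    far_id: int
    apply_action: str                         # "FORW" or "DROP"
    destination_interface: Optional[str] = None


@dataclass(frozen=True)
class PDR:
    pdr_id: int
    precedence: int                           # lower value = higher precedence (TS 29.244)
    pdi: PDI
    far_id: int


@dataclass
class N4Session:
    seid: int
    pdrs: list[PDR]
    fars: dict[int, FAR] = field(default_factory=dict)


class UPF:
    def __init__(self) -> None:
        self.sessions: list[N4Session] = []

    def add_session(self, session: N4Session) -> None:
        self.sessions.append(session)

    def lookup(self, pkt: Packet) -> Optional[tuple[N4Session, PDR]]:
        """Find the matching PDR with the highest precedence across all sessions."""
        best = None
        for session in self.sessions:
            for pdr in session.pdrs:
                if pdr.pdi.matches(pkt) and (best is None or pdr.precedence < best[1].precedence):
                    best = (session, pdr)
        return best

    def handle(self, pkt: Packet) -> dict:
        """Match the packet, then apply the FAR the matched PDR points to.
        A packet matching no PDR belongs to no session and is dropped."""
        hit = self.lookup(pkt)
        if hit is None:
            return {"seid": None, "pdr": None, "action": "DROP", "out": None}
        session, pdr = hit
        far = session.fars[pdr.far_id]
        out = far.destination_interface if far.apply_action == "FORW" else None
        return {"seid": session.seid, "pdr": pdr.pdr_id, "action": far.apply_action, "out": out}


def build_upf() -> UPF:
    """Constructed sample N4 session for one UE (10.45.0.7, uplink F-TEID 0x100)."""
    ue_ip, teid = "10.45.0.7", 0x100
    session = N4Session(
        seid=1001,
        pdrs=[
            # uplink: match the UE's GTP-U tunnel on N3, forward toward the DN
            PDR(1, 100, PDI(ACCESS, teid=teid, ue_ip=ue_ip), far_id=1),
            # downlink: match the destination UE IP on N6, forward toward the RAN
            PDR(2, 100, PDI(CORE, ue_ip=ue_ip, network_instance="internet"), far_id=2),
            # higher-precedence downlink PDR for one blocked flow (tcp/23 from 203.0.113.9)
            PDR(3, 10, PDI(CORE, ue_ip=ue_ip, sdf=("tcp", "203.0.113.9", 23)), far_id=3),
        ],
        fars={1: FAR(1, "FORW", CORE), 2: FAR(2, "FORW", ACCESS), 3: FAR(3, "DROP")},
    )
    upf = UPF()
    upf.add_session(session)
    return upf
```

The third PDR illustrates why precedence matters: the blocked flow also matches the general downlink PDR, and only the lower precedence value makes the DROP FAR win. A deny between two endpoints can therefore be realized on the UPF as a more specific, higher-precedence PDR pointing at a DROP FAR, which is one way a prohibiting policy could be expressed in N4 rules; the patent's own mapping is described in its later figures.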
3. 5G local area network (5G LAN) data plane architecture.
By way of example and not limitation, the technical solutions provided in the present application may be applied to communication in a 5G LAN. A Local Area Network (LAN) is a computer communication network that connects computers, external devices, databases, etc. to each other within a local geographical area (e.g., within a school, factory, or institution). It can be connected to remote LANs, databases or processing centres through a data communication network or a dedicated data circuit to form a wide-area information processing system.
With the emergence of new enterprise office models and smart home models, wired local area networks (LANs) and wireless local area networks (WLANs) have shown their shortcomings in terms of deployment complexity, flexibility, mobility, coverage, etc., which has prompted LAN technology to evolve to meet the demands that future applications place on LANs. Using the wide coverage of the mobile network itself to provide LAN service directly can be called 5G LAN. A 5G LAN can be used across the wider coverage of the mobile network, i.e., LAN-based data exchange and communication can be achieved by joining the same 5G LAN regardless of whether the terminal devices are in the same region or not. By utilizing the wide-coverage mobile network, the establishment of a 5G LAN service and its scaling and migration adjustments can be completed automatically by the mobile network without manual intervention. In addition, 5G LANs may be customized as needed, with different 5G LANs securely isolated from each other.
The mobile network constructs a virtual mobile private network for the terminal devices through the 5G LAN service. A terminal device can solve the problem of data exchange between itself and the DN by establishing a traditional PDU connection. The 5G LAN adds a group concept on top of the conventional PDU connection, denoted the 5G LAN group. Terminal devices belonging to the same 5G LAN group can exchange data with the DN corresponding to the 5G LAN group, and can also exchange data directly with other terminal devices in the 5G LAN group through the UPF, while terminal devices in different 5G LAN groups are isolated from each other. Virtual private network communication is thus realized through a 5G LAN. The mobile network can simultaneously support a plurality of 5G LAN groups: terminal devices in the same 5G LAN group can communicate with each other, and terminal devices in different 5G LAN groups are isolated from each other.
As an exemplary illustration, fig. 4 and 5 show schematic diagrams of a user plane architecture of data interaction of a terminal device in a 5G LAN group, which is suitable for an embodiment of the present application.
As shown in fig. 4, fig. 4 is a user plane architecture in which a plurality of UEs in the same 5G LAN group are registered on the same PDU Session Anchor (PSA) UPF. Generally, depending on the DN accessed by the UE and on network policy, the network selects a UPF that accesses the DN as the anchor, denoted PSA. Taking UE1 and UE2 belonging to the same 5G LAN group as an example, in the architecture shown in fig. 4 the PSA UPF completes the data exchange with the DN for UE1 and UE2 and, since UE1 and UE2 belong to the same 5G LAN group, can also act as the local switch of the 5G LAN group and complete the data exchange between UE1 and UE2.
As shown in fig. 5, fig. 5 shows a user plane architecture in which a plurality of UEs in the same 5G LAN group are registered on a plurality of PSA UPFs. Taking UE1 and UE2 belonging to the same 5G LAN group as an example, in the architecture shown in fig. 5 an N19 interface is added between the PSA UPFs, and when UE1 and UE2 exchange data, the PSA UPFs serving UE1 and UE2 respectively may complete the data transmission through the N19 channel.
It should be understood that fig. 4 and 5 are only two examples, and are not limited thereto.
4. 5G LAN data plane matching and forwarding rules.
Under the 5G LAN scene, a network side can adopt a twice matching and forwarding model in the UPF. As an exemplary illustration, fig. 6 and 7 show schematic diagrams of 5G LAN scenario UPF forwarding suitable for embodiments of the present application.
Fig. 6 illustrates a 5G LAN scenario UPF forwarding model, which, as shown in fig. 6, may include the following features.
(1) A 5G virtual network (5G VN) Internal interface (5G VN Internal) is added inside the UPF, a group-level N4 session (group N4 session) is added on top of the PDU session, and an N19 interface is added between UPFs.
(2) Depending on the destination address of a user service data packet received by the UPF, the packet may be switched locally within the UPF to a destination UE on the same UPF, sent to DN side equipment through the N6 interface, or sent to another UPF through the N19 interface.
Fig. 7 shows a 5G LAN scenario UPF forwarding process; as shown in fig. 7, the intra-group data packet matching and forwarding process of the 5G LAN is as follows. In the 5G LAN service, a group of terminal devices that use private communication is referred to as a 5G VN group.
In a possible scenario, multiple UEs belong to the same 5G VN group, and the multiple UEs are all under the same PSA UPF.
In this scenario, the UPF completes the data exchange between UEs in the group by local switching. The specific process is as follows: the UPF receives a data packet sent from a source UE to a destination UE through the N3 interface, and obtains the source UE N4 session after a first PDR matching (matching is completed based on the general packet radio service (GPRS) tunnelling protocol for the user plane (GTP-U) packet header). The corresponding FAR instructs the packet to be forwarded to 5G VN Internal, where it enters a second PDR matching (matching is completed based on the destination IP of the packet) to obtain the destination UE N4 session, and the corresponding FAR instructs the packet to be forwarded to the destination UE through the N3 port. As shown in fig. 7, assuming that the source UE is UE1 and the destination UE is UE2, the UPF receives a data packet sent from UE1 to UE2 through the N3 interface and obtains the UE1 N4 session after the first PDR matching. The corresponding FAR instructs the packet to be forwarded to 5G VN Internal for the second PDR matching, which obtains the UE2 N4 session, and the corresponding FAR instructs the packet to be forwarded to UE2 through the N3 port.
Yet another possible scenario is that two communicating UEs within the same 5G VN group are not under the same PSA UPF.
In this scenario, data exchange may be accomplished through the N19 interface. The specific process is as follows: the SMF creates a corresponding group-level N4 session for the 5G LAN group on each involved PSA UPF to enable N9 forwarding and N6 forwarding capabilities. After the packet has been forwarded to 5G VN Internal of the UPF by the first matching, it may finally be matched to the group-level N4 session through PDR rule matching (based on the destination IP or, under certain conditions, a match-all default rule), and the corresponding FAR indicates that the packet is sent to DN side equipment through N6 or to the UPF where the destination UE is located through N19. As shown in fig. 7, assuming that the source UE is UE1 and the destination UE is UE4, the SMF creates a corresponding group-level N4 session for the 5G LAN group on each involved PSA UPF to enable N9 forwarding and N6 forwarding capabilities. After the packet has been forwarded to 5G VN Internal of the UPF by the first matching, it may finally be matched to the group-level N4 session (N4 session for group) through PDR rule matching, and the corresponding FAR indicates that the packet is sent to the UPF where UE4 is located through N19.
The above description is exemplary and not limiting with respect to two scenarios.
In a scenario where the 5G network has multiple 5G VN groups, for a 5G VN Internal packet the network instance attribute field of the matching and forwarding rules in the N4 session is assigned a unique identifier of the 5G VN group (e.g., the internal group identifier (internal group ID)) to indicate that the packet belongs to the specified 5G VN group. For example, for a FAR whose destination interface is set to 5G VN Internal, its network instance is correspondingly set to the specified 5G VN group. As another example, for a PDR whose source interface is set to the 5G VN group, its network instance is correspondingly set to the specified 5G VN group.
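The two-pass matching model described above (first PDR match on the GTP-U tunnel, FAR to 5G VN Internal, second PDR match on destination IP with the network instance carrying the group identifier, and a group-level default rule for N19 or N6 egress) can be exercised end to end in a small simulation. The following is an added example for this page, not code from the patent or from any 3GPP implementation; the PDR and FAR field names, the TEID values, the UE addresses and the internal group ID are all constructed for the illustration.

```python
"""Simulation of the twice-matching UPF forwarding model for a 5G VN group.
Added example: PDR/FAR fields, TEIDs, addresses and group ID are constructed."""
from dataclasses import dataclass, field
from typing import Optional

N3, N6, N19, VN_INTERNAL = "N3", "N6", "N19", "5G VN Internal"


@dataclass(frozen=True)
class Packet:
    src_interface: str
    teid: Optional[int]              # GTP-U tunnel ID, present only on N3 ingress
    network_instance: Optional[str]  # internal group ID after the first pass
    dst_ip: str


@dataclass
class PDR:
    """Packet detection rule: what it matches and which FAR applies."""
    precedence: int
    src_interface: str
    far_id: str
    teid: Optional[int] = None        # first pass matches on the GTP-U header
    network_instance: Optional[str] = None
    dst_ip: Optional[str] = None      # second pass matches on destination IP
    match_all: bool = False           # group-level default rule

    def matches(self, pkt: Packet) -> bool:
        if pkt.src_interface != self.src_interface:
            return False
        if self.network_instance is not None and pkt.network_instance != self.network_instance:
            return False
        if self.match_all:
            return True
        if self.teid is not None and pkt.teid != self.teid:
            return False
        return self.dst_ip is None or pkt.dst_ip == self.dst_ip


@dataclass
class FAR:
    """Forwarding action rule: where a matched packet goes next."""
    dst_interface: str
    network_instance: Optional[str] = None
    remote_upf: Optional[str] = None  # set when dst_interface is N19


@dataclass
class UPF:
    pdrs: list = field(default_factory=list)
    fars: dict = field(default_factory=dict)

    def lookup(self, pkt: Packet) -> Optional[FAR]:
        # Lowest precedence value wins, as in PFCP rule selection.
        for pdr in sorted(self.pdrs, key=lambda p: p.precedence):
            if pdr.matches(pkt):
                return self.fars[pdr.far_id]
        return None

    def forward(self, pkt: Packet) -> str:
        """Match until the packet leaves the UPF; a FAR to 5G VN Internal re-enters matching."""
        for _ in range(3):  # two passes expected; the bound guards against rule loops
            far = self.lookup(pkt)
            if far is None:
                return "drop: no matching PDR"
            if far.dst_interface == VN_INTERNAL:
                # GTP-U header is consumed; the group ID becomes the network instance.
                pkt = Packet(VN_INTERNAL, None, far.network_instance, pkt.dst_ip)
                continue
            if far.dst_interface == N19:
                return f"N19 -> {far.remote_upf}"
            return far.dst_interface
        return "drop: forwarding loop"


def build_example_upf() -> UPF:
    group = "internal-group-1"   # constructed internal group ID
    upf = UPF()
    # First pass: per-UE N4 session PDRs keyed on the GTP-U TEID (UE1, UE2 are local).
    upf.pdrs += [PDR(10, N3, "to_internal", teid=0x1001), PDR(10, N3, "to_internal", teid=0x1002)]
    upf.fars["to_internal"] = FAR(VN_INTERNAL, network_instance=group)
    # Second pass: destination-IP PDRs from 5G VN Internal back to the local UEs.
    upf.pdrs += [PDR(20, VN_INTERNAL, "to_ue1", network_instance=group, dst_ip="10.0.0.1"),
                 PDR(20, VN_INTERNAL, "to_ue2", network_instance=group, dst_ip="10.0.0.2")]
    upf.fars["to_ue1"] = FAR(N3)
    upf.fars["to_ue2"] = FAR(N3)
    # Group-level N4 session: UE4 is behind another PSA UPF (N19); everything else goes to the DN (N6).
    upf.pdrs.append(PDR(30, VN_INTERNAL, "to_upf2", network_instance=group, dst_ip="10.0.0.4"))
    upf.fars["to_upf2"] = FAR(N19, remote_upf="PSA-UPF-2")
    upf.pdrs.append(PDR(100, VN_INTERNAL, "to_dn", network_instance=group, match_all=True))
    upf.fars["to_dn"] = FAR(N6)
    return upf


def route(upf: UPF, teid: int, dst_ip: str) -> str:
    """Uplink packet arriving on N3 from the tunnel `teid`, destined to `dst_ip`."""
    return upf.forward(Packet(N3, teid, None, dst_ip))


if __name__ == "__main__":
    upf = build_example_upf()
    print(route(upf, 0x1001, "10.0.0.2"))   # UE1 -> UE2: local switch, egress N3
    print(route(upf, 0x1001, "10.0.0.4"))   # UE1 -> UE4: N19 to the other PSA UPF
    print(route(upf, 0x1001, "8.8.8.8"))    # UE1 -> DN: group default rule, egress N6
    print(route(upf, 0x1999, "10.0.0.2"))   # unknown tunnel: no PDR, dropped
```

The last case matters for the access-control discussion later on the page: a packet from a tunnel with no N4 session never reaches the second pass, so the group-level rules only ever see traffic from admitted sessions, and the network instance check in the second pass keeps packets from one VN group from matching the rules of another.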
5. 5G VN group management.
The 5G system supports management of 5G VN groups through Operation, Administration and Maintenance (OAM), and also supports management of 5G VN groups through interaction between the AF and the NEF. Management of a 5G VN group mainly includes creation, modification and deletion of the 5G VN group. A 5G VN group may include, but is not limited to, one or more of the following: the 5G VN group identifier, the 5G VN group membership, and the 5G VN group data.
(1) 5G VN group identifier. The identifier of a 5G VN group comprises an external group identifier (external group ID) and an internal group ID. The external group ID can be defined by the AF side and uniquely identifies a 5G VN group. The internal group ID can be defined by the UDM network element on the mobile network side and uniquely identifies a 5G VN group within the network. The mapping from the external group ID to the internal group ID can be realized by the UDM automatically generating the internal group ID when the AF creates the 5G VN group, and recording the mapping between the internal group ID and the external group ID.
(2) 5G VN group membership. The list of UE members belonging to the same 5G VN group. Each member is uniquely identified by its Generic Public Subscription Identifier (GPSI).
(3) 5G VN group data. The 5G VN group data contains several attribute fields that define parameters of various aspects of a 5G VN group, such as: PDU session type, data network information (e.g., DNN), slice information (e.g., single network slice selection assistance information (S-NSSAI)), application descriptor, etc. In addition, the 5G VN group data may also include information related to secondary authentication/authorization, such as whether an authentication, authorization and accounting (AAA) server (e.g. denoted DN-AAA) is enabled to perform IP address allocation.
In order to support dynamic management of the 5G VN group, the capability openness network element NEF opens a series of interfaces (e.g., create, modify, delete, etc.) for completing management of the 5G VN group, the 5G VN group members and the 5G VN group data.
6. Capability openness (network capability exposure).
In order to realize cooperative processing between the application function entity and the operator network, the operator network exposes part of its network capability to the application function entity through the NEF, so as to support more flexible control of users by the application function entity. The capabilities currently supported for exposure include: the AF is allowed to subscribe, through the NEF, to network-side event information such as user location, terminal reachability events, connection state, roaming state and the number of terminals in an area, and to send messages such as parameter provisioning requests, application routing requests and service authorization requests, which are configured on the network side through the NEF via the UDM, the UDR or the PCF. In combination with the 5G LAN group management scenario, the process by which the AF performs 5G VN group management through network capability exposure is briefly introduced here.
As an exemplary illustration, fig. 8 shows a schematic diagram of an AF configuration management 5G VN group.
As shown in fig. 8, the process for the 5G VN group management scenario is as follows.
(1) The AF calls an interface exposed by the NEF to manage the 5G VN group.
Illustratively, the AF calls Nnef_ParameterProvision_Create/Update/Delete exposed by the NEF to manage the 5G VN group. The Nnef interface is a service interface provided by the NEF to the outside.
For example, the AF may send an Nnef parameter provision create (Nnef_ParameterProvision_Create) message to the NEF to create a 5G VN group. For a request to create a 5G VN group, the AF may carry an external group ID that uniquely identifies one 5G VN group.
As another example, the AF may send an Nnef parameter provision update (Nnef_ParameterProvision_Update) message to the NEF to update or modify the 5G VN group. For an update 5G VN group request, the information carried by the AF may include the external group ID and the 5G VN group data (i.e. the 5G VN configuration parameters, as shown in table 1), or alternatively the 5G VN group member management parameters (as shown in table 2).
As another example, the AF may send an Nnef parameter provision delete (Nnef_ParameterProvision_Delete) message to the NEF to ask the NEF to delete the 5G VN group.
TABLE 1. 5G VN group data information provided by the AF to the NEF
[Table 1 contents: provided as an image in the original document]
TABLE 2. 5G VN group member management parameters
[Table 2 contents: provided as an image in the original document]
It should be understood that tables 1 and 2 are only exemplary illustrations for ease of understanding and are not intended to be limiting. For example, the 5G VN group data information and the 5G VN group member management parameters may refer to the definitions in the standard, or when the 5G VN group data information or the 5G VN group member management parameters are adjusted in the future, the adjusted 5G VN group data information and 5G VN group member management parameters are also applicable to the embodiment of the present application.
(2) The NEF requests the UDM to create, update, store, or delete the corresponding subscription data according to the request of the AF.
After the NEF receives an authorized AF request, the NEF requests the UDM to create, update, store or delete the corresponding subscription data through the Nudm_ParameterProvision_Create/Update/Delete interface provided by the UDM. The Nudm interface is a service interface provided by the UDM to the outside.
For unauthorized AF requests, the NEF may directly return a response to the AF at step (6) and inform of the reason for the failure.
(3) The UDM initiates a data query.
The UDM can initiate a data query through the Nudr_DM_Query interface provided by the UDR to complete the relevant verification and authorization of the AF's corresponding update request.
(4) And the UDM processes according to the request.
For example, for a create 5G VN group request, the UDM assigns an internal group ID to the request, uniquely identifying the 5G VN group inside the mobile network. The UDM may also send the internal group ID to the UDR through the Nudr_DM_Create interface provided by the UDR.
For another example, for an update 5G VN group request, such as a change of the members of the 5G VN group or a change of the data of the 5G VN group, the UDM may call an interface provided by the UDR to complete the corresponding change of information according to the AF request.
When the corresponding subscription data is changed, the UDM notifies the corresponding network element.
(5) The UDM sends a response to the NEF.
That is, the UDM responds to the Nudm_ParameterProvision_Create/Update/Delete request sent by the NEF; if an error occurred in the procedure, the error cause is returned.
(6) The NEF sends a response to the AF.
That is, the NEF responds to the Nnef_ParameterProvision_Create/Update/Delete request sent by the AF; if an error occurred in the procedure, the error cause is returned.
It should be understood that the above description is only an exemplary illustration, and the embodiments of the present application are not limited with respect to management of 5G VN groups.
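Steps (1) to (6) above form a single request chain: AF to NEF, NEF authorization, NEF to UDM, UDM query of the UDR, internal group ID assignment, and the responses back with an error cause on failure. The following is an added example that walks that chain in code; it is not code from the patent or from any NEF/UDM/UDR implementation. The service operation names follow the Nnef_ParameterProvision, Nudm_ParameterProvision and Nudr_DM_Query/Create names on the page, while the AF identities, the NEF authorization table, the rule that only the creating AF may update a group, the internal group ID format and the error cause strings are all assumptions constructed for the illustration.

```python
"""AF -> NEF -> UDM -> UDR 5G VN group management chain (steps (1)-(6)).
Added example: AF names, authorization table, owner rule, ID format and
cause strings are constructed; service operation names follow the page."""
import itertools
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:
    ok: bool
    cause: Optional[str] = None             # returned to the requester on failure
    internal_group_id: Optional[str] = None


@dataclass
class UDR:
    """Unified data repository holding VN group subscription data."""
    groups: dict = field(default_factory=dict)   # internal group ID -> record

    def dm_query(self, external_group_id: str) -> Optional[str]:
        """Nudr_DM_Query: resolve an external group ID to its internal group ID."""
        for internal_id, rec in self.groups.items():
            if rec["external_group_id"] == external_group_id:
                return internal_id
        return None

    def dm_create(self, internal_id: str, record: dict) -> None:
        """Nudr_DM_Create: store a new group record."""
        self.groups[internal_id] = record


@dataclass
class UDM:
    udr: UDR
    _seq: itertools.count = field(default_factory=lambda: itertools.count(1))

    def parameter_provision_create(self, af_id: str, external_group_id: str,
                                   group_data: dict) -> Response:
        # Step (3): query the UDR to verify the request (external ID must be new).
        if self.udr.dm_query(external_group_id) is not None:
            return Response(False, "EXTERNAL_GROUP_ID_ALREADY_EXISTS")
        # Step (4): the UDM assigns the internal group ID and records the mapping.
        internal_id = f"intgrp-{next(self._seq):04d}"     # constructed ID format
        self.udr.dm_create(internal_id, {"external_group_id": external_group_id,
                                         "owner_af": af_id,
                                         "group_data": dict(group_data),
                                         "members": []})       # members are GPSIs
        return Response(True, internal_group_id=internal_id)

    def parameter_provision_update(self, af_id: str, external_group_id: str,
                                   members_add: list) -> Response:
        internal_id = self.udr.dm_query(external_group_id)
        if internal_id is None:
            return Response(False, "GROUP_NOT_FOUND")
        rec = self.udr.groups[internal_id]
        if rec["owner_af"] != af_id:   # assumption: only the creating AF may modify the group
            return Response(False, "NOT_GROUP_OWNER")
        for gpsi in members_add:
            if gpsi not in rec["members"]:
                rec["members"].append(gpsi)
        return Response(True, internal_group_id=internal_id)


@dataclass
class NEF:
    udm: UDM
    authorized_afs: set = field(default_factory=set)   # constructed authorization table

    def nnef_parameter_provision_create(self, af_id, external_group_id, group_data) -> Response:
        # Step (2): an unauthorized AF is answered directly with the failure cause (step (6)).
        if af_id not in self.authorized_afs:
            return Response(False, "AF_NOT_AUTHORIZED")
        return self.udm.parameter_provision_create(af_id, external_group_id, group_data)

    def nnef_parameter_provision_update(self, af_id, external_group_id, members_add) -> Response:
        if af_id not in self.authorized_afs:
            return Response(False, "AF_NOT_AUTHORIZED")
        return self.udm.parameter_provision_update(af_id, external_group_id, members_add)


def build_example_network() -> NEF:
    return NEF(UDM(UDR()), authorized_afs={"af-factory", "af-other"})


if __name__ == "__main__":
    nef = build_example_network()
    print(nef.nnef_parameter_provision_create("af-factory", "ext-plant-A", {"dnn": "plant.example"}))
    print(nef.nnef_parameter_provision_update("af-factory", "ext-plant-A", ["gpsi-111"]))
    print(nef.nnef_parameter_provision_create("af-rogue", "ext-plant-B", {}))      # not authorized
    print(nef.nnef_parameter_provision_update("af-other", "ext-plant-A", ["gpsi-222"]))  # not owner
```

Two checks are worth noting from a defender's view: the NEF rejects before anything reaches the UDM, so an unauthorized AF cannot even probe whether an external group ID exists, and the UDR query in the UDM prevents a second AF from colliding with or silently overwriting an existing group.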
While the terms referred to in the present application have been described above for the sake of clarity, it should be understood that the embodiments of the present application are not limited by the specific meanings of the respective terms. For example, reference may be made to the prior art.
As mentioned earlier, in current 5G LAN technology, virtual local area network interworking of communication devices within a mobile network can be achieved through a 5G VN group. In terms of device interworking security, only a white list of device Media Access Control (MAC) addresses that a customer premises equipment (CPE) or a UE is allowed to access is defined, for the Ethernet scenario. No further definition is made of the interworking rights of devices within a 5G VN group, and a secure access control mechanism is lacking.
In view of the above, the present application provides a method, i.e., a security group-based network access control method, such as security group-based network access control in a 5G LAN network. Specifically, for example, by defining a plurality of security groups and configuring communication policies (or access policies) between the security groups respectively, communication devices in a network (such as communication devices in a 5G VN group) join the corresponding security groups respectively, so that access control of the communication devices in group granularity can be achieved.
Various embodiments provided herein will be described in detail below with reference to the accompanying drawings.
Fig. 9 is a schematic interaction diagram of a method 900 for secure communication according to an embodiment of the present application. Method 900 may include the following steps.
910: Receive information of the service data sent by the first communication device to the second communication device.
920: Acquire a communication policy between a first security group and a second security group, where the first security group is the security group corresponding to the first communication device and the second security group is the security group corresponding to the second communication device.
930: Formulate a forwarding rule for the service data according to the communication policy between the first security group and the second security group.
The first communication device and the second communication device are devices in the same VN group, the VN group comprises a plurality of security groups, and the plurality of security groups comprise a first security group and a second security group.
In an embodiment of the present application, a plurality of security groups are created for a VN group, and a communication policy is provided between any two security groups, where the communication policy is used to control secure communication between communication devices corresponding to the two security groups.
The first security group is a security group corresponding to the first communication device, and it can also be understood that the first security group is a security group corresponding to the source address, or the first security group is a security group to which the source address belongs. The second security group is a security group corresponding to the second communication device, and may also be understood as a security group corresponding to the destination address, or the second security group is a security group to which the destination address belongs. The address may be, for example, a MAC address or an IP address, etc., which is not limited in this respect.
In the embodiment of the present application, a communication policy between a security group corresponding to a first communication device and a security group corresponding to a second communication device is determined, or a communication policy between a security group to which a source address of traffic data belongs and a security group to which a destination address of the traffic data belongs is determined, and a forwarding rule of the traffic data is formulated according to the communication policy, so that not only the security of communication between devices can be improved, but also management can be facilitated.
In the embodiments of the present application, a communication policy, that is, a policy indicating communication, is mentioned multiple times. In the present embodiment, the communication policy may represent a policy for communication between two security groups, or may also represent a policy for communication between devices or addresses belonging to two security groups.
In one possible design, the communication policy may include, for example: allowing communication (or allowing access) and prohibiting communication (or prohibiting access). When the communication policy between two security groups is to allow communication (or allow access), the two security groups can communicate with each other or transmit data to each other; when the communication policy between two security groups is to prohibit communication (or prohibit access), data transmission between the two security groups is prohibited.
It should be understood that allowing communication (or allowing access) and prohibiting communication (or prohibiting access) are merely two simple communication policies and are not intended to be limiting. Any policy defined for the communication between two security groups falls within the scope of the embodiments of the present application.
It should also be understood that the communication policy, for example, may also be referred to as a security group policy, or may be referred to as an access right, or may be referred to as a transmission policy, etc., and the naming thereof does not limit the scope of the embodiments of the present application.
Forwarding rules are referred to and formulated many times in the embodiments of the present application, and their meaning should be understood by those skilled in the art. A forwarding rule may indicate the forwarding path for the data or packet, or, in some cases, may indicate that the data or packet is to be discarded.
Taking the first security group and the second security group as an example, assume that the communication device corresponding to the first security group transmits the traffic data to the communication device corresponding to the second security group. As an example, in a case where the communication policy between the first security group and the second security group is to allow communication, the forwarding rule formulated for the traffic data may be used to indicate a forwarding path of the traffic data; in the case where the communication policy between the first security group and the second security group is to prohibit communication, the forwarding rule formulated for the traffic data may be used to instruct to discard the traffic data.
Taking the method 900 executed by the first network element as an example, two possible solutions applicable to the embodiment of the present application are described below in combination with different forms of the first network element.
In scheme 1, the first network element is an SMF, that is, the SMF executes a security group policy.
Based on scheme 1, the SMF acquires the communication policy between the first security group and the second security group, and formulates the forwarding rule for the service data according to the communication policy between the first security group and the second security group.
Optionally, under this scheme, the SMF sends the forwarding rule of the service data to the second network element (e.g., UPF). And after receiving the forwarding rule of the service data, the second network element (such as a UPF) processes the service data according to the forwarding rule of the service data.
For ease of understanding, the enabling and disabling of communications are used as examples.
For example, in a case where the communication policy between the first security group and the second security group is to allow communication, the SMF-formulated forwarding rule of the traffic data is used to indicate a forwarding path of the traffic data or to indicate forwarding of the traffic data. And after receiving the forwarding rule of the service data, the UPF sends the service data to the second communication equipment according to the forwarding rule.
As yet another example, in a case where the communication policy between the first security group and the second security group is to prohibit communication, the forwarding rule of the traffic data formulated by the SMF is used to instruct to discard the traffic data. And after receiving the forwarding rule of the service data, the UPF discards or ignores the service data according to the forwarding rule.
Alternatively, the SMF may interact with the UDM or DN-AAA to obtain communication policies between the first security group and the second security group.
Optionally, in this scheme, the SMF may further send an indication message to a second network element (e.g., UPF), and the indication message is denoted as indication message #1 for distinguishing, where the indication message #1 is used to indicate that the forwarding rule unknown message is reported. Thus, after receiving the packet with unknown forwarding rule, the second network element (e.g., UPF) may send a message with unknown forwarding rule to the SMF, so that the SMF may make the forwarding rule for the packet.
Scheme 1 is described in detail below with reference to the embodiments shown in fig. 13 to 14.
In the scheme 2, the first network element is a UPF, that is, the UPF executes the security group policy.
Based on scheme 2, the UPF acquires the communication policy between the first security group and the second security group, and determines the forwarding rule of the service data according to the communication policy between the first security group and the second security group.
Optionally, in this solution, the UPF determines a forwarding rule of the service data according to a communication policy between the first security group and the second security group, and processes the service data according to the forwarding rule of the service data.
For ease of understanding, allowing and prohibiting communication are again taken as examples.
As an example, the UPF sends the traffic data to the second communication device in case the communication policy between the first security group and the second security group is to allow communication.
As yet another example, the UPF discards or ignores the traffic data in the event that the communication policy between the first security group and the second security group is to disallow communication.
Optionally, the UPF may locally read the communication policy between the first security group and the second security group, or the UPF may obtain the communication policy between the first security group and the second security group from the SMF.
Scheme 2 is described in detail below in conjunction with the embodiments shown in fig. 15-16.
Two possible solutions are briefly introduced above and are described in detail below in connection with fig. 13-16.
Optionally, the first network element may determine whether the first security group and the second security group exist.
In a possible scenario, the first network element determines that the first security group and the second security group exist. In this case, the first network element may formulate a forwarding rule of the traffic data according to a communication policy between the first security group and the second security group.
In yet another possible scenario, the first network element determines that the first security group and/or the second security group do not exist. In this case, the first network element may formulate a forwarding rule of the service data according to a source address and/or a destination address of the service data. For example, if the network segment to which the destination address of the service data belongs is on the DN side and there is no second security group, the UPF forwards the service data to the destination address of the service data when there is the first security group, or the SMF sends a forwarding rule of the service data to the UPF, where the forwarding rule of the service data is used to instruct to forward the service data; or, in the absence of the first security group, the UPF discards the traffic data, or the SMF sends a forwarding rule of the traffic data to the UPF, where the forwarding rule of the traffic data is used to indicate that the traffic data is discarded. In particular, reference is made below to the different cases in the embodiments shown in fig. 15 to 16.
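Steps 920 and 930, the allow/prohibit policy design, and the two cases just described for a missing security group can be put together as one policy decision function. The following is an added example and is not code from the patent: the VN group's security groups, their members, the policy matrix and the default of prohibiting unspecified pairs are constructed here, and for simplicity it treats any destination address without a security group as the DN-side case described above (the real network-segment check is not modelled). The default numbering "security group 1, security group 2, ..." follows the later description of default group creation.

```python
"""Security-group access control for one VN group (method 900, steps 920-930).
Added example: groups, members, policy matrix and the deny-by-default choice
are constructed; a destination with no group is treated as DN-side."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ALLOW, DENY = "allow", "prohibit"


@dataclass
class ForwardingRule:
    action: str        # "forward" or "discard"
    src: str
    dst: str
    reason: str


@dataclass
class VNGroupSecurityPolicy:
    """Security groups of one VN group and the communication policy for each
    ordered pair (source group, destination group)."""
    groups: Dict[str, set] = field(default_factory=dict)      # group -> member addresses
    policy: Dict[Tuple[str, str], str] = field(default_factory=dict)
    default_policy: str = DENY   # assumption: a pair with no explicit policy is prohibited

    def create_default_groups(self, p: int) -> None:
        # P security groups numbered sequentially, as on the page.
        for i in range(1, p + 1):
            self.groups.setdefault(f"security group {i}", set())

    def join(self, group: str, address: str) -> None:
        self.groups[group].add(address)

    def set_policy(self, src_group: str, dst_group: str, value: str, bidirectional: bool = True) -> None:
        self.policy[(src_group, dst_group)] = value
        if bidirectional:
            self.policy[(dst_group, src_group)] = value

    def group_of(self, address: str) -> Optional[str]:
        """The security group to which an address belongs, or None."""
        for name, members in self.groups.items():
            if address in members:
                return name
        return None

    def communication_policy(self, src_group: str, dst_group: str) -> str:
        return self.policy.get((src_group, dst_group), self.default_policy)

    def formulate_rule(self, src: str, dst: str) -> ForwardingRule:
        """Step 920: find both groups and their policy; step 930: formulate the rule."""
        first, second = self.group_of(src), self.group_of(dst)
        if first is None:
            # No first security group: the source is not an admitted member, so discard.
            return ForwardingRule("discard", src, dst, "source address has no security group")
        if second is None:
            # Destination outside the groups (DN side): forward, since the source is admitted.
            return ForwardingRule("forward", src, dst, "destination on DN side, no second security group")
        verdict = self.communication_policy(first, second)
        action = "forward" if verdict == ALLOW else "discard"
        return ForwardingRule(action, src, dst, f"{first} -> {second}: {verdict}")


def build_example_policy() -> VNGroupSecurityPolicy:
    vn = VNGroupSecurityPolicy()
    vn.create_default_groups(3)
    # Constructed membership: group 1 controllers, group 2 sensors, group 3 maintenance.
    vn.join("security group 1", "10.0.0.1")
    vn.join("security group 1", "10.0.0.2")
    vn.join("security group 2", "10.0.0.3")
    vn.join("security group 3", "10.0.0.4")
    vn.set_policy("security group 1", "security group 1", ALLOW)
    vn.set_policy("security group 1", "security group 2", ALLOW)
    # Maintenance may reach the controllers, but controllers may not initiate towards maintenance.
    vn.set_policy("security group 3", "security group 1", ALLOW, bidirectional=False)
    return vn


if __name__ == "__main__":
    vn = build_example_policy()
    for src, dst in [("10.0.0.1", "10.0.0.2"), ("10.0.0.3", "10.0.0.4"), ("10.0.0.4", "10.0.0.1"),
                     ("10.0.0.1", "10.0.0.4"), ("10.0.0.1", "203.0.113.9"), ("10.0.0.99", "10.0.0.1")]:
        print(vn.formulate_rule(src, dst))
```

Whether the SMF computes the rule and pushes it to the UPF (scheme 1) or the UPF evaluates it locally (scheme 2), the decision logic is the same; only where `formulate_rule` runs and how its result is delivered differ. Keeping the policy keyed on ordered pairs is what makes one-directional rules such as the maintenance example expressible.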
Optionally, in the embodiment of the present application, it is further provided that the security group can be updated in time, so that not only the resource utilization rate can be improved, but also the data transmission performance can be ensured.
The condition for triggering the update of the security group may be set according to an actual communication situation, which is not limited in this respect.
One possible trigger condition is session release of the terminal device.
For example, the session release of the terminal device may trigger the SMF to send an indication to the UPF, where the indication is to delete all forwarding rules corresponding to the terminal device. For another example, the session release of the terminal device may trigger the SMF to send an indication to the UPF, indicating to delete the security group information corresponding to the terminal device.
Yet another possible trigger condition is aging of an address learned by the UPF.
For example, the address learned by the UPF is aged, which may trigger the UPF to delete all forwarding rules corresponding to the address. As another example, aging of an address learned by the UPF may trigger the UPF to delete security group information to which the address belongs.
Yet another possible trigger condition is active deletion by the SMF.
For example, the SMF may periodically send an indication to the UPF indicating to delete all forwarding rules for a given address, or indicating to delete security group information to which a given address belongs.
The above-mentioned several possible trigger conditions are merely exemplary and are not limited thereto.
The several possible trigger conditions described above are described in detail below in connection with the embodiments shown in fig. 17-18.
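The three trigger conditions above (session release, aging of a learned address, and active deletion by the SMF) all end in the same clean-up on the UPF: the security group information for the affected address is removed and every forwarding rule that references it is deleted. The following is an added example modelling that clean-up on a simulated UPF state table; it is not code from the patent. The session identifiers, the aging timeout, the address records and the table layout are constructed for the illustration.

```python
"""Security-group and forwarding-rule clean-up on a simulated UPF for the three
trigger conditions above.  Added example: session IDs, timeout, addresses and
table layout are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LearnedAddress:
    address: str
    session_id: str         # N4 session of the terminal device that owns the address
    security_group: str     # security group information for the address
    last_seen: float        # time the address was last seen in traffic


@dataclass
class UPFState:
    aging_timeout: float = 300.0                       # seconds; constructed value
    learned: Dict[str, LearnedAddress] = field(default_factory=dict)
    rules: Dict[Tuple[str, str], str] = field(default_factory=dict)   # (src, dst) -> action

    def learn(self, address: str, session_id: str, security_group: str, now: float) -> None:
        self.learned[address] = LearnedAddress(address, session_id, security_group, now)

    def install_rule(self, src: str, dst: str, action: str) -> None:
        self.rules[(src, dst)] = action

    def refresh(self, address: str, now: float) -> None:
        """Traffic seen for the address resets its aging timer."""
        if address in self.learned:
            self.learned[address].last_seen = now

    def _purge_address(self, address: str) -> int:
        """Delete the address's security group information and every forwarding
        rule referencing it; return the number of rules deleted."""
        self.learned.pop(address, None)
        stale = [key for key in self.rules if address in key]
        for key in stale:
            del self.rules[key]
        return len(stale)

    def on_session_release(self, session_id: str) -> int:
        # Trigger 1: the SMF indicates deletion of everything for the released session.
        addresses = [a for a, e in self.learned.items() if e.session_id == session_id]
        return sum(self._purge_address(a) for a in addresses)

    def age_out(self, now: float) -> List[str]:
        # Trigger 2: addresses not seen within the timeout are aged and purged.
        expired = [a for a, e in self.learned.items() if now - e.last_seen > self.aging_timeout]
        for a in expired:
            self._purge_address(a)
        return expired

    def on_smf_delete(self, address: str) -> int:
        # Trigger 3: the SMF actively indicates deletion for a given address.
        return self._purge_address(address)


def build_example_state() -> UPFState:
    """Constructed state: three learned addresses in two sessions with three rules."""
    s = UPFState(aging_timeout=60.0)
    s.learn("10.0.0.1", "sess-1", "security group 1", now=0.0)
    s.learn("10.0.0.2", "sess-2", "security group 1", now=0.0)
    s.learn("10.0.0.3", "sess-3", "security group 2", now=0.0)
    s.install_rule("10.0.0.1", "10.0.0.2", "forward")
    s.install_rule("10.0.0.2", "10.0.0.1", "forward")
    s.install_rule("10.0.0.1", "10.0.0.3", "discard")
    return s


if __name__ == "__main__":
    s = build_example_state()
    s.refresh("10.0.0.3", now=100.0)                 # 10.0.0.3 stays fresh
    print("released sess-2, rules removed:", s.on_session_release("sess-2"))
    print("aged out at t=100:", s.age_out(now=100.0))  # 10.0.0.1 idle since t=0
    print("rules left:", s.rules)
    print("SMF delete 10.0.0.3, rules removed:", s.on_smf_delete("10.0.0.3"))
```

Purging rules by address rather than by session is deliberate: a rule created for a flow towards a released or aged peer would otherwise stay installed and keep matching, which is exactly the stale state the update mechanism is meant to remove.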
Fig. 10 is a schematic interaction diagram of a method 1000 for secure communication according to an embodiment of the present application. The method 1000 may include the following steps.
1010: The third network element receives a first request message from the fourth network element, the first request message requesting creation of a security group for the VN group.
1020: The third network element creates a plurality of security groups for the VN group according to the first request message.
The VN group comprises a plurality of security groups, each security group corresponds to one or more communication devices, the plurality of security groups comprises a first security group, and communication policies are arranged between the first security group and other security groups in the plurality of security groups, and the communication policies are used for controlling communication between the communication device corresponding to the first security group and the communication devices corresponding to the other security groups. Take the second security group of the plurality of security groups as an example. The first security group and the second security group have a communication policy therebetween, the communication policy for controlling secure communications between communication devices corresponding to the first security group and communication devices corresponding to the second security group.
According to the embodiment of the application, a plurality of security groups are defined in the VN group, and communication policies between the security groups are configured respectively, so that communication devices in the network (such as communication devices in the VN group) join the corresponding security groups respectively, thereby realizing that the communication devices perform access control at group granularity. Therefore, the safety of communication between the devices can be improved, and management can be facilitated.
As an example, the third network element may be, for example, a NEF, and the fourth network element may be, for example, an AF. Exemplarily, the third network element may further send a request to the fifth network element to request an update of the VN group subscription data. For example, the fifth network element is UDM/UDR, and the third network element sends a request to the UDM/UDR to request updating of the VN group subscription data.
It should be understood that, regarding the specific form of the third network element and the fourth network element, the embodiments of the present application are not limited.
The first request message is for requesting creation of a security group. Information related to the security group to be created may be included in the first request message. By way of example and not limitation, the first request message may include one or more of the following items of information: an external identifier of the VN group to which the security group to be created belongs, a data network corresponding to the security group to be created, an identifier of the security group to be created, a name of the security group to be created, and a communication policy between the security groups to be created.
Example 1, the first request message includes: the external identifier of the VN group to which the security group to be created belongs.
In this example, the third network element may determine, according to the external identifier of the VN group to which the security group to be created belongs, that a security group needs to be created for that VN group, or the VN group to which the created security group belongs.
In this example, there is no limitation on how to obtain the specific information of the security group.
For example, the number of security groups, the names of security groups, etc., may be determined according to default rules. For instance, P security groups (P is an integer greater than 1) are created in a VN group by default and numbered sequentially, such as security group 1, security group 2, security group 3, etc.
As another example, the communication policy between security groups may be a default. By way of example and not limitation, whether communication is allowed between different security groups may be agreed in advance, or a default may apply, such as disallowing communication between different security groups.
As another example, the first request message may include specific information for the security group to be created. Such as the data network corresponding to the security group to be created, the identification of the security group to be created, the name of the security group to be created, and the communication policy between the security groups to be created.
Example 2, the first request message includes: the data network corresponding to the security group to be created.
In this example, the third network element may determine, according to the data network corresponding to the security group to be created, the data network to which the security group to be created belongs.
In this example, with respect to acquiring specific information of a security group, reference may be made to the description in example 1.
In this example, the VN group information may be looked up via the data network, or may be agreed in advance, for example by pre-agreeing to create security groups for a particular VN group or groups. Alternatively, the first request message may also carry the VN group information.
In this example, specific information on security groups, such as the number of security groups, names of security groups, and the like, can be referred to the description in example 1.
Example 3, the first request message includes: identification or name of the security group to be created.
In this example, the third network element may determine which security groups to create according to the identity or name of the security group to be created.
In this example, reference may be made to the description in example 1 regarding obtaining other information for security groups, such as communication policies between security groups.
In this example, with respect to the information of the VN group, the description in example 2 may be referred to.
Example 4, the first request message includes: communication policies between security groups to be created.
In this example, the third network element may determine which security groups to create and the communication policy between the security groups according to the communication policy between the security groups to be created.
In this example, with respect to the information of the VN group, the description in example 2 may be referred to.
It should be understood that the foregoing examples are merely illustrative, and are not limited thereto, and any way that the third network element may obtain the information related to the security group to be created is applicable to the embodiments of the present application.
Optionally, the third network element may further receive a second request message from the fourth network element, the second request message requesting to add one or more communication devices for the security group.
It is to be appreciated that the second request message is for requesting addition of a device member to the security group. Information related to the security group to which the device is to be added may be included in the second request message. By way of example and not limitation, the second request message includes one or more of the following items of information: a data network corresponding to the security group to which the device is to be added, an external identifier of the VN group to which that security group belongs, an identifier of that security group, a name of that security group, and information of the communication device to be added.
Example 1, the second request message includes: the external identifier of the VN group to which the security group of the device to be added belongs.
In this example, the third network element may determine, according to the external identifier of the VN group to which the security group of the device to be added belongs, that a device member (i.e., a communication device) needs to be added to a security group in that VN group, or the VN group to which the security group receiving the device member belongs.
In this example, specific information on how to acquire the communication device to be added is not limited.
For example, the number of communication devices to be added, etc., may be determined according to a default rule. For instance, L communication devices are added to each security group by default (L being an integer greater than or equal to 1).
As another example, the second request message may include information about the communication device to be added.
Example 2, the second request message includes: the identity or name of the security group of the device to be added.
In this example, the third network element may determine to which security groups the communication device is to be added, based on the identifier or name of the security group of the device to be added.
In this example, with respect to acquiring specific information of a communication device to be added, reference may be made to the description in example 1.
Example 3, the second request message includes: information of the communication device to be added.
In this example, the third network element may determine which communication devices to add, according to the communication devices to be added.
In this example, there is no limitation as to which security groups to add communication devices.
For example, a communication device may be added to certain security groups by default. By default, the communication device in the second request message is added to the security group with the smallest security group identifier. Alternatively, by default the same number of communication devices may be added to multiple security groups in sequence, in the order of their security group identifiers, and so on.
As another example, the second request message may include information about the communication device to be added.
It should be understood that the foregoing examples are merely illustrative, and are not limited thereto, and any manner that can enable the third network element to acquire the information related to the communication device to be added is applicable to the embodiments of the present application.
Specific flows applicable to the method 1000 will be described in detail below with reference to fig. 11 and 12.
For ease of understanding, in the following the communication policy is referred to as a security group policy, and the security group policy includes permitting access and prohibiting access; for example, possible specific flows are described in conjunction with fig. 11 to 18. It is to be understood that a VN group hereinafter may be a VN group used in 5G, and that each VN group hereinafter may be replaced with a 5G VN group.
First, a possible flow of a method 1000 applicable to the embodiment of the present application is described with reference to fig. 11 to 12.
Fig. 11 is a schematic flow diagram of secure communication suitable for use with embodiments of the present application.
As shown in FIG. 11, the method 1100 is illustrated primarily by the interaction between the AF, the NEF, and the UDM or UDR. In the method 1100, the third network element may be, for example, a NEF, and the fourth network element may be, for example, an AF. By way of example, and not limitation, the method 1100 illustrated in FIG. 11 may be used in the process of creating a security group. The method 1100 shown in fig. 11 may include the following steps.
1110, the AF requests the creation of a security group from the NEF.
The AF can call a NEF interface and configure a VN group security group on the network side through the capability exposure interface provided by the NEF. For example, the AF may provide security group information to the mobile operator network through the NEF in order to create a VN group security group.
For example, the AF may provide one or more of the following information to the NEF in order to create a security group: DNN, external group ID, security group list, security group policy list. Table 3 lists various pieces of information by way of example.
TABLE 3 safety group information AF provides to NEF
[Table 3 is an image in the source and is not reproduced here; its fields are those listed above: DNN, external group ID, security group list, security group policy list.]
Each entry in the security group list may include parameters as shown in table 4, that is, the security group list may include, but is not limited to: a security group identification (a security group unique identification within a VN group) and/or a security group name.
Each entry of the security group policy list may include parameters as shown in table 5, that is, the security group policy list may include, but is not limited to: the security group identifiers, and/or the access right between the security groups (indicating whether the two security groups may access each other).
It should be understood that the first security group and the second security group in table 5 are only names for distinguishing different security groups, and the names do not limit the scope of the embodiments of the present application. It should also be understood that two security groups are exemplified in table 5, and the embodiments of the present application are not limited to the number of security groups. It should also be understood that table 5 indicates security groups with security group identifications, which is not limiting and could be, for example, indicating security groups by security group names.
TABLE 4 Security group list
Security group list      Description
security group ID        Security group identification
security group name      Security group name
TABLE 5 Security group policy list
Security group policy list   Description
first security group ID      First security group identification
second security group ID     Second security group identification
permission                   Access right: allow or prohibit access
1120, NEF requests the UDM/UDR to add security group information.
After receiving the security group information from the AF, the NEF may send a request to the UDM/UDR, and store the security group information in the VN group subscription data. After the UDM/UDR receives the security group information, the VN group subscription data can be modified, and the security group information is added to the VN group.
Based on the above scheme, the AF may configure the security groups of the VN group on the network side through the capability exposure interface provided by the NEF.
Fig. 12 is another schematic flow diagram of secure communications suitable for use with embodiments of the present application.
As shown in FIG. 12, the method 1200 is illustrated primarily with respect to interactions between AF, NEF, UDM, or UDR. In the method 1200, the third network element may be, for example, a NEF, and the fourth network element may be, for example, an AF. By way of example and not limitation, the method 1200 shown in FIG. 12 may be used in the flow of a security group adding a device member. The method 1200 shown in fig. 12 may include the following steps.
1210, the AF requests from the NEF to add a device member to the security group.
The AF may call the NEF interface to add device members to the specified security group. For example, the AF provides security group member information to the mobile operator network through the NEF to add device members to a specified security group.
Illustratively, the AF may provide one or more of the following information to the NEF in order to add a device member: DNN, external group ID, security group ID, device member list. Table 6 exemplarily lists various pieces of information.
TABLE 6 Security group member information AF provides to NEF
[Table 6 is an image in the source and is not reproduced here; its fields are those listed above: DNN, external group ID, security group ID, device member list.]
Each entry of the device member list may include parameters as shown in table 7, that is, the device member list may include, but is not limited to, one or more of the following items: GPSI, MAC address (MAC address), IP address (IP address). Generally, one of the MAC address and the IP address may be selected.
TABLE 7 Device member list
Device member list   Description
GPSI                 Indicates the terminal device to which the device member belongs
MAC address          Indicates the MAC address of the device member
IP address           Indicates the IP address of the device member
It should be understood that table 7 is only an exemplary illustration, and is not limited thereto, and any modification belonging to table 7 falls within the scope of the embodiments of the present application. For example, any manner of indicating the terminal device to which the device member belongs is applicable to the embodiments of the present application.
1220, the NEF requests the UDM/UDR to add the security group member list.
After receiving the security group member information from the AF, the NEF may send a request to the UDM/UDR to configure and store the security group device member information in the VN group subscription data. After the UDM/UDR receives the security group member information, it can modify the VN group subscription data and add the member list.
In the following, a MAC address is taken as an example to list a specific application.
TABLE 8 example Security group applications
[Table 8 is an image in the source and is not reproduced here; its content is summarized in the following paragraph.]
As shown in the example of table 8, security groups, security group policies, and security group member information are defined by security group management and member management. MAC1, MAC4 belong to security group 1, MAC2 to security group 2, MAC3 to security group 3; communication is allowed between the security group 1 and the security group 2, communication is prohibited between the security group 1 and the security group 3, communication is allowed between the security group 2 and the security group 3, and communication is allowed by default for members within the same security group. Communication is allowed when MAC1 sends a communication message to MAC2, communication is prohibited when MAC1 sends a message to MAC3, and communication is allowed when MAC1 sends a message to MAC 4.
Based on this scheme, security group member management defines the security group to which the MAC/IP address of a communication device under the VN group belongs. The security group membership information of the communication device may be stored on the DN-AAA, or may be configured on the network side by the AF invoking the NEF. When the security group membership information of the communication device is stored on the DN-AAA, management of security group members can be maintained by the DN side; when the communication device initiates communication, the network side interacts with the DN-AAA to acquire the security group to which the device belongs, and thereby completes communication permission control for the device.
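The following is an added example, not code from the patent, that models the control-plane data described for method 1000 (first and second request messages), the NEF flows 1100 and 1200 (Tables 3 to 7), and the policy lookup illustrated by Table 8. The class and field names (`Nef`, `UdmUdr`, `VnGroupSubscription`, `communication_allowed`, the `"allow"`/`"deny"` permission values) are assumptions made for the example and are not the names of any real 3GPP API; the DNN, external group ID and MAC values are constructed. The example treats a policy between two groups as symmetric and denies communication between groups with no configured policy, which is one possible default the text allows rather than a requirement of it.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Request payloads modelled on Tables 3 to 7 (field names are assumptions,
# not the names used by any real NEF API).

@dataclass
class SecurityGroupPolicy:                 # one entry of Table 5
    first_group_id: str
    second_group_id: str
    permission: str                        # "allow" or "deny" (constructed values)

@dataclass
class CreateSecurityGroupRequest:          # Table 3 (the "first request message")
    dnn: str
    external_group_id: str
    security_groups: List[Tuple[str, str]]  # (security group ID, security group name), Table 4
    policies: List[SecurityGroupPolicy]     # Table 5

@dataclass
class AddMemberRequest:                    # Table 6 (the "second request message")
    dnn: str
    external_group_id: str
    security_group_id: str
    members: List[Dict[str, str]]          # entries keyed "GPSI" / "MAC address" / "IP address", Table 7

@dataclass
class VnGroupSubscription:
    """VN group subscription record as held by UDM/UDR after steps 1120 and 1220."""
    dnn: str
    external_group_id: str
    groups: Dict[str, str] = field(default_factory=dict)          # group id -> name
    policy: Dict[FrozenSet[str], bool] = field(default_factory=dict)
    member_group: Dict[str, str] = field(default_factory=dict)    # GPSI/MAC/IP -> group id

class UdmUdr:
    def __init__(self):
        self.subscriptions: Dict[Tuple[str, str], VnGroupSubscription] = {}

    def get(self, dnn: str, ext_id: str) -> VnGroupSubscription:
        return self.subscriptions.setdefault((dnn, ext_id), VnGroupSubscription(dnn, ext_id))

class Nef:
    """NEF capability-exposure functions called by the AF (steps 1110 and 1210)."""
    def __init__(self, udm: UdmUdr):
        self.udm = udm

    def create_security_groups(self, req: CreateSecurityGroupRequest) -> VnGroupSubscription:
        sub = self.udm.get(req.dnn, req.external_group_id)
        for gid, name in req.security_groups:
            sub.groups[gid] = name
        for p in req.policies:
            if p.first_group_id not in sub.groups or p.second_group_id not in sub.groups:
                raise ValueError(f"policy references an unknown security group: {p}")
            # Access rights are treated as symmetric, so the key is the unordered pair.
            sub.policy[frozenset((p.first_group_id, p.second_group_id))] = (p.permission == "allow")
        return sub

    def add_members(self, req: AddMemberRequest) -> VnGroupSubscription:
        sub = self.udm.get(req.dnn, req.external_group_id)
        if req.security_group_id not in sub.groups:
            raise ValueError(f"security group {req.security_group_id} has not been created")
        for entry in req.members:
            # Table 7: a member may be identified by GPSI, MAC address or IP address.
            for key in ("MAC address", "IP address", "GPSI"):
                if key in entry:
                    sub.member_group[entry[key]] = req.security_group_id
        return sub

def communication_allowed(sub: VnGroupSubscription, src: str, dst: str) -> Optional[bool]:
    """Evaluate the security group policy for two members.
    Returns None when either endpoint has no security group, i.e. the policy cannot be checked."""
    g1, g2 = sub.member_group.get(src), sub.member_group.get(dst)
    if g1 is None or g2 is None:
        return None
    if g1 == g2:
        return True                        # members of the same security group may communicate by default
    return sub.policy.get(frozenset((g1, g2)), False)   # no configured policy: deny (assumed default)

def build_table8_example() -> VnGroupSubscription:
    """Constructed data reproducing the Table 8 example via the NEF flows."""
    nef = Nef(UdmUdr())
    sub = nef.create_security_groups(CreateSecurityGroupRequest(
        dnn="dnn.example", external_group_id="vn-group-1",
        security_groups=[("1", "security group 1"), ("2", "security group 2"), ("3", "security group 3")],
        policies=[SecurityGroupPolicy("1", "2", "allow"),
                  SecurityGroupPolicy("1", "3", "deny"),
                  SecurityGroupPolicy("2", "3", "allow")]))
    for gid, macs in {"1": ["MAC1", "MAC4"], "2": ["MAC2"], "3": ["MAC3"]}.items():
        nef.add_members(AddMemberRequest("dnn.example", "vn-group-1", gid,
                                         [{"MAC address": m} for m in macs]))
    return sub
```

With the Table 8 data loaded, `communication_allowed(sub, "MAC1", "MAC2")` is True, `("MAC1", "MAC3")` is False and `("MAC1", "MAC4")` is True, matching the paragraph above; a member that was never added returns None, which is the "no security group information" case the SMF flows below have to handle.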
Next, a possible flow of a method 900 applicable to the embodiment of the present application is described with reference to fig. 13 to 16.
FIG. 13 is a schematic flow chart diagram of security group policy enforcement suitable for use in one embodiment of the present application.
As shown in FIG. 13, method 1300 is illustrated primarily by the interaction between a device, CPE/UE, RAN, AMF, SMF, UDM, DN-AAA, UPF, DN. In the method 1300, the first network element is, for example, an SMF, and the second network element is, for example, a UPF. As an example and not by way of limitation, the method 1300 shown in fig. 13 may be used in a scenario where the PDU session type is IP, and the SMF executes the security group policy of the VN group, that is, the SMF formulates a forwarding rule based on the security group policy, and completes a flow of communication device packet interworking control. The method 1300 shown in fig. 13 may include the following steps.
1310, the SMF creates a VN group session.
The embodiment of the present application is not limited with respect to the condition for triggering the SMF to create the VN group session. For example, for a 5G LAN scenario, after completing the configuration on the 5G LAN network side, the network entry of the 5G LAN terminal (e.g., CPE/UE) triggers the SMF to create a 5G VN group session. By way of example and not limitation, the manner in which the 5G VN group session is created is as in steps 1311 to 1313.
1311, the SMF requests 5G VN group session subscription information from the UDM.
1312, the UDM returns 5G VN group session subscription information to the SMF.
The 5G VN group session subscription information may include security group information configured for the 5G VN group. The configured security group information may include, for example: configured security groups (e.g., security group identification/name, etc.), and security group policies.
1313, 5G VN group session creation is completed.
The SMF completes the 5G VN group session creation and saves the corresponding security group information, such as the security group list (e.g. security group identification/name, etc.) and security group policy information, in the 5G VN group session.
It should be understood that the above description is only an exemplary illustration, and the embodiments of the present application are not limited with respect to the specific manner of creating a VN group session. For example, reference may be made to existing approaches, or any future approach that may enable creation of a VN group session may be applicable to embodiments of the present application.
1320, a UE session under the VN is created.
As previously described, a UE under the VN may establish one or more PDU sessions, and the UE may access the DN through the PDU sessions established between the UE and the DN. For example, the UE may exchange traffic data packets with the DN through a PDU session established between the UE and the DN through the UPF.
It should be understood that steps 1310 and 1320 are not strictly sequential. For example, step 1310 and step 1320 may be performed concurrently.
Illustratively, the UE initiates a PDU session establishment request, and the SMF selects a UPF for the session, that is, the SMF selects a UPF providing a message forwarding function for the UE.
When the UPF has not established the VN group session, the SMF may first establish the VN group session for the UPF, and when the VN group session creation is completed, the SMF may continue to create the PDU session for the UE. Or when the UPF has established a VN group session, the SMF creates a PDU session for the UE. It is to be appreciated that the SMF may create one VN group session for each UPF.
It should be understood that the above is only an exemplary illustration, and regarding the way of creating the VN group session and the way of creating the UE session, reference may be made to the existing flow, or any way that creation of the VN group session and creation of the UE session may be implemented in the future may be applied to the embodiments of the present application.
1330, the UPF receives the service data message and performs rule matching on the source address and the destination address.
For example, the service data packet received by the UPF may be an uplink data packet sent by the CPE/UE or the device, or may also be a downlink data packet sent by the network on the DN side, which is not limited herein. The UPF receives the service data packet, and can determine how to process the service data packet by performing rule matching on the source address and the destination address of the service data packet.
The UPF performs rule matching on the source address and the destination address of the service data packet, and if the matching fails, performs step 1330a in fig. 13 (1); if the matching is successful, step 1330b in fig. 13 (2) is executed, that is, the service data packet is forwarded or discarded according to the matching forwarding rule.
Step 1330b: matching succeeds. When the UPF matches the service data packet against the VN group session, the source address and the destination address of the packet are matched against the rules; if the matching succeeds, the service data packet can be forwarded or discarded according to the matched forwarding rule. For example, reference may be made to the explanation of the foregoing terms, and details are not described herein.
Step 1330a is described in detail below with reference to FIG. 13 (1).
Step 1330a: case of failure of matching. As shown in fig. 13 (1), in the case that the UPF receives the service data packet and fails to perform rule matching on the source address and the destination address of the service data packet, the method 1300 may include a step 1330a1 and a step 1330a2.
1330a1, UPF reports message forwarding rule unknown messages to SMF.
The message forwarding rule unknown message may include, but is not limited to, one or more of the following information: DNN, VN group, source IP address, destination IP address and security group to which the source IP address belongs. Wherein the DNN indicates the DNN to which the message belongs. The VN group indicates the VN group to which the message belongs. The source IP address represents a source address of the traffic data packet. The destination IP address represents a destination address of the service data packet. Optionally, if the operation policy configures the security group information to which the source IP address belongs in the DN side downlink tunnel packet, the unknown forwarding rule message of the packet carries information of the security group to which the source IP address belongs.
The SMF determines a message forwarding rule, namely the forwarding rule of the service data message, according to the received information, and issues the forwarding rule of the service data message to the UPF.
1330a2, SMF sends message forwarding rules to UPF.
That is, the SMF issues the forwarding rule of the service data packet to the UPF, and the UPF processes the service data packet according to the forwarding rule. For example, the packet forwarding rule includes forwarding the service data packet, and the UPF forwards the service data packet to the destination address according to the packet forwarding rule. For another example, if the packet forwarding rule includes discarding the service data packet, the UPF discards or ignores the service data packet according to the packet forwarding rule.
Step 1330a1 and step 1330a2 are described in detail below with respect to different scenarios.
In case 1, in step 1330a1, the forwarding-rule-unknown message reported by the UPF includes a destination IP address, and the destination IP address is a DN side IP address.
In this case 1, the SMF interacts with the UDM or DN-AAA to obtain the security group information to which the source IP address belongs. Optionally, the SMF may also obtain security group information to which the destination IP address belongs.
Alternatively, the SMF may determine whether there is security group information to which the source IP address belongs and security group information to which the destination IP address belongs, and determine whether to execute the security group policy, that is, whether to formulate the forwarding rule according to the security group policy, according to whether there is security group information to which the source IP address belongs and security group information to which the destination IP address belongs.
For example, if the SMF obtains the security group to which the source IP address belongs and the security group information to which the destination IP address belongs, the SMF performs security group policy checking. For another example, if the SMF obtains the security group information to which the destination IP address belongs and does not obtain the security group to which the source IP address belongs, the SMF lacks the security group information to which the source IP address belongs and does not perform security group policy check on the source IP address and the destination IP address. For another example, if the SMF obtains the security group information to which the source IP address belongs and does not obtain the security group to which the destination IP address belongs, the SMF lacks the security group information to which the destination IP address belongs and does not perform security group policy check on the source IP address and the destination IP address.
In a possible implementation manner, the security group information is maintained by a mobile operator network, and the SMF may obtain the security group information to which the source IP address belongs from the UDM, that is, if there is a security group to which the source IP address belongs, the SMF interacts with the UDM to obtain the security group information to which the source IP address belongs. For the message with the destination IP address as the DN side address, the UDM does not have the security group information of the destination IP address. Thus, in this manner, the SMF does not execute security group policies.
In yet another possible implementation, the security group information is maintained by the DN-AAA, and the SMF may obtain the security group information to which the source IP address belongs from the DN-AAA, that is, if there is a security group to which the source IP address belongs, the SMF interacts with the DN-AAA to obtain the security group information to which the source IP address belongs. Whether the SMF obtains the security group information to which the destination IP address belongs through the DN-AAA may be determined by operator policy.
The above two implementations are merely exemplary and are not limited thereto. The present application is applicable to the SMF as long as the SMF can acquire the security group information to which the source IP address belongs or the security group information to which the destination IP address belongs.
In this case 1, step 1330a2 is described in conjunction with two scenarios.
Scenario 1: the SMF performs a security group policy check on the source IP address and the destination IP address.
If the SMF executes security group policy check on the source IP address and the destination IP address (for example, the SMF executes security group policy check on the source IP address and the destination IP address according to an operator policy), the SMF executes the security group policy according to the obtained security group information to which the source IP address belongs and the security group information to which the destination IP address belongs, issues a message forwarding rule to the UPF, and allows or prohibits the message from being sent.
Optionally, if the packet is allowed to be sent out, the tunnel packet may carry security group information to which the source IP address belongs. By carrying the security group information to which the source IP address belongs, the DN network can apply the security policy. For example, whether to carry the security group information to which the source IP address belongs may be determined by an operation policy.
The following examples are given with reference to table 7. For example, assuming that the security group to which the source IP address belongs is security group 1 and the security group to which the destination IP address belongs is security group 2, the SMF may issue a packet forwarding rule to the UPF allowing the service data packet to be sent out from the UPF N6 port. For another example, assuming that the security group to which the source IP address belongs is security group 1 and the security group to which the destination IP address belongs is security group 3, the SMF may issue a packet forwarding rule to the UPF prohibiting the service data packet from being sent out from the UPF N6 port.
Scenario 2: the SMF does not perform a security group policy check on the source IP address and the destination IP address.
If the SMF does not perform security group policy check on the source IP address and the destination IP address (e.g., the SMF does not perform security group policy check on the source IP address and the destination IP address according to the operator policy), then, in one possible implementation, the SMF may also issue a message forwarding rule to the UPF according to whether the source IP address is a legitimate address, and allow or prohibit the message from being sent.
For example, the SMF may determine whether the source IP address is a legitimate address based on whether security group information for the source IP address exists.
For example, when the SMF obtains the security group information of the source IP address, the SMF may determine that the source IP address is a legitimate address. At this time, the SMF may issue a message forwarding rule to the UPF, and allow the message to be sent, for example, allow the message to be sent from the UPF N6 port.
As another example, when the SMF does not query the security group information for the source IP address, the SMF may determine that the source IP address is not a legitimate address. At this time, the SMF may issue a message forwarding rule to the UPF, and prohibit the message from being issued, for example, prohibit the message from being issued from the UPF N6 port.
Optionally, if the packet is allowed to be sent out, the tunnel packet may carry security group information to which the source IP address belongs. The DN network can apply the security policy by carrying the security group information of the source IP address. Whether to carry security group information to which the source IP address belongs may be determined by an operation policy, for example.
It should be understood that, in the scenario 2, the SMF determining whether the source IP address is a legal address is only one possible implementation manner, and is not limited thereto. For example, if the SMF does not perform security group policy checking on the source IP address and the destination IP address, it may also issue a message forwarding rule to the UPF to prohibit message forwarding.
It should be further understood that, in case 1, the unknown message forwarding rule reported by the UPF includes a destination IP address as an example, which does not limit that the unknown message forwarding rule only includes the destination IP address, and the unknown message forwarding rule may also include other information, which is not limited thereto.
In case 2, in step 1330a1, the unknown message of the message forwarding rule reported by the UPF includes a source IP address, and the source IP address is a DN side IP address.
In this case 2, the SMF interacts with the UDM or DN-AAA to obtain security group information to which the destination IP address belongs. Optionally, the SMF may also obtain security group information to which the source IP address belongs.
Alternatively, the SMF may determine whether security group information to which the source IP address belongs and security group information to which the destination IP address belongs exist, and determine whether to execute the security group policy according to whether the security group information to which the source IP address belongs and the security group information to which the destination IP address belongs exist. For example, if the SMF obtains the security group to which the source IP address belongs and the security group information to which the destination IP address belongs, the SMF performs security group policy checking. For another example, if the SMF obtains the security group information to which the destination IP address belongs and does not obtain the security group to which the source IP address belongs, the SMF lacks the security group information to which the source IP address belongs and does not perform security group policy check on the source IP address and the destination IP address. For another example, if the SMF obtains the security group information to which the source IP address belongs and does not obtain the security group to which the destination IP address belongs, the SMF lacks the security group information to which the destination IP address belongs and does not perform security group policy check on the source IP address and the destination IP address.
In a possible implementation manner, the security group information is maintained by the mobile operator network, and the SMF may obtain the security group information to which the destination IP address belongs from the UDM; that is, if there is a security group to which the destination IP address belongs, the SMF interacts with the UDM to obtain it. For a message whose source IP address is a DN side address, the UDM has no security group information to which the source IP address belongs; if operator policy configures the DN side downlink message to carry the security group information to which the source IP address belongs, the message forwarding rule unknown message reported by the UPF may carry that security group information.
In yet another possible implementation, the security group information is maintained by the DN-AAA, and the SMF may obtain the security group information to which the destination IP address belongs from the DN-AAA; that is, if there is a security group to which the destination IP address belongs, the SMF interacts with the DN-AAA to obtain it. If operator policy configures the SMF to acquire the security group information to which the source IP address belongs through the DN-AAA, the SMF can acquire it from the DN-AAA. Alternatively, if the message forwarding rule unknown message reported by the UPF carries the security group information to which the source IP address belongs (for example, because operator policy configures the DN side downlink message to carry it), the SMF may obtain the security group information to which the source IP address belongs from that message.
The above two implementations are merely exemplary and are not limited thereto. As long as the SMF can acquire the security group information to which the source IP address belongs or the security group information to which the destination IP address belongs, the embodiments of the present application are applicable.
In this case 2, step 1330a2 is described in conjunction with two scenarios.
Scenario 1, the SMF performs a security group policy check on the source IP address and the destination IP address.
If the SMF executes security group policy check on the source IP address and the destination IP address (for example, the SMF executes security group policy check on the source IP address and the destination IP address according to an operator policy), the SMF executes the security group policy according to the obtained security group information to which the source IP address belongs and the security group information to which the destination IP address belongs, issues a message forwarding rule to the UPF, and allows or prohibits message transmission.
The following examples refer to Table 7. For example, assuming that the security group to which the source IP address belongs is security group 2 and the security group to which the destination IP address belongs is security group 3, the SMF may issue a packet forwarding rule to the UPF, allowing the service data packet to be sent from the UPF N6 port. For another example, assuming that the security group to which the source IP address belongs is security group 1 and the security group to which the destination IP address belongs is security group 2, the SMF may issue a packet forwarding rule to the UPF, prohibiting the service data packet from being sent from the UPF N6 port.
Scenario 2, the SMF does not perform a security group policy check on the source IP address and the destination IP address.
If the SMF does not perform security group policy check on the source IP address and the destination IP address (e.g., the SMF does not perform security group policy check on the source IP address and the destination IP address according to the operator policy), then, in one possible implementation, the SMF may also issue a message forwarding rule to the UPF according to whether the destination IP address is a legal address, and allow or prohibit the message from being sent.
For example, the SMF may determine whether the destination IP address is a legitimate address based on whether security group information for the destination IP address exists.
For example, when the SMF acquires the security group information of the destination IP address, the SMF may determine that the destination IP address is a valid address. At this time, the SMF may issue a message forwarding rule to the UPF, and allow the message to be sent, for example, allow the message to be sent from the UPF N6 port.
For another example, when the SMF cannot query any security group information for the destination IP address, the SMF may determine that the destination IP address is not a legitimate address. At this time, the SMF may issue a message forwarding rule to the UPF and prohibit the message from being sent, for example, prohibit the message from being sent from the UPF N6 port.
It should be understood that, in the scenario 2, the SMF determining whether the destination IP address is a legal address is only one possible implementation manner, and is not limited thereto. For example, if the SMF does not perform security group policy checking on the source IP address and the destination IP address, it may also issue a message forwarding rule to the UPF to prohibit message forwarding.
It should be further understood that, in case 2, the unknown message of the message forwarding rule reported by the UPF includes the source IP address as an example, which does not limit that the unknown message of the message forwarding rule only includes the source IP address, and the unknown message of the message forwarding rule may also include other information, which is not limited thereto.
In case 3, in step 1330a1, the unknown message of the message forwarding rule reported by the UPF includes a source IP address and a destination IP address, and both the source IP address and the destination IP address are network side device addresses.
In this case 3, the SMF interacts with the UDM or DN-AAA, and acquires the security group information to which the source IP address belongs and the security group information to which the destination IP address belongs.
Alternatively, the SMF may determine whether security group information to which the source IP address belongs and security group information to which the destination IP address belongs exist, and determine the packet forwarding rule according to whether the security group information to which the source IP address belongs and the security group information to which the destination IP address belongs exist.
In a possible implementation manner, the security group member information is maintained by a mobile operator network, and the SMF and the UDM interactively obtain the security group information to which the source IP address belongs and the security group information to which the destination IP address belongs.
In another possible implementation manner, the security group member information is maintained by DN-AAA, and the SMF interacts with the DN-AAA to obtain the security group information to which the source IP address belongs and the security group information to which the destination IP address belongs.
The above two implementations are merely exemplary and are not limited thereto. The embodiments of the present application are applicable as long as the SMF can acquire the security group information to which the source IP address belongs and the security group information to which the destination IP address belongs.
In this case 3, step 1330a2 is described in conjunction with two scenarios.
Scenario 1, the source IP address has no associated security group information.
If the source IP address does not have associated security group information, then a possible implementation is that the SMF issues a message forwarding rule to the UPF, and discards a message with the source IP address as a source address or a destination address.
Scenario 2, the destination IP address has no associated security group information.
If the destination IP address does not have associated security group information, then a possible implementation is that the SMF issues a message forwarding rule to the UPF and discards the message using the destination IP address as a source address or a destination address.
It should be understood that, in case 3, the unknown message forwarding rule reported by the UPF includes a source IP address and a destination IP address as an example, which does not limit that the unknown message forwarding rule only includes the source IP address and the destination IP address, and the unknown message forwarding rule may also include other information, which is not limited thereto.
It is also to be understood that the above description is intended to be illustrative, and not restrictive. As long as a scheme that the SMF can execute the security group policy of the embodiment of the present application can be implemented, the method and the apparatus are all applicable to the embodiment of the present application. It should also be understood that in actual communication, the adjustment can be flexibly performed according to different communication environments or scenes.
It should also be understood that in the scenario illustrated in fig. 13, the source address may be in the form of an IP address, and the terms source address and source IP address are sometimes used interchangeably; both refer to the same thing, namely the sending address of the message. Likewise, the destination address may be in the form of an IP address, and the terms destination address and destination IP address are sometimes used interchangeably; both refer to the destination address of the message.
One possible flow for the SMF to perform security group policy is illustratively described above in connection with steps 1310-1330 shown in fig. 13, such as the scenario where the PDU session type is IP. It should be understood that the above steps are only exemplary, and are not strictly limited thereto. In addition, the sequence numbers of the above processes do not mean the execution sequence, and the execution sequence of each process should be determined by the function and the inherent logic of each process, and should not limit the implementation process of the embodiment of the present application.
Based on the above scheme, for the scenario that the PDU session type is IP, the SMF executes the VN group security group policy, that is, the SMF formulates the forwarding rule according to the security group policy, and completes the message intercommunication control of the communication device, thereby improving the security of the communication between the devices.
FIG. 14 is another schematic flow chart diagram of security group policy enforcement suitable for use with an embodiment of the present application.
As shown in FIG. 14, the method 1400 is illustrated, by way of example, through the interaction among a device, CPE/UE, RAN, AMF, SMF, UDM, DN-AAA, UPF and DN. In the method 1400, the first network element is, for example, an SMF, and the second network element is, for example, a UPF. As an example and not by way of limitation, the method 1400 shown in fig. 14 may be used in a scenario where the PDU session type is Ethernet, and the VN group security group policy is executed by the SMF, that is, the SMF formulates forwarding rules based on the security group policy and completes the flow of message interworking control for the communication device. The method 1400 shown in fig. 14 may include the following steps.
1410, the SMF creates a VN group session.
For step 1410, reference may be made to the description of step 1310 above, for example, and will not be described here.
1420, a UE session under the VN is created.
For step 1420, reference may be made to the description of step 1320 above, for example, and will not be described here.
The UPF may receive messages from different interfaces and the type of message received may be different. The following description will be made in conjunction with different cases.
In case a, the UPF N3 interface receives an uplink packet, and the source MAC address of the uplink packet is unknown.
That is, the UPF receives an uplink packet from the UE through the N3 interface, and a source MAC address of the uplink packet is unknown. In this case, method 1400 may also include steps 1431 and 1432.
1431, the UPF reports the MAC address learning message to the SMF.
For example, the MAC address learning message may include one or more of the following parameters: DNN, VN group, UE SUPI, source MAC address, N3 interface. The DNN indicates the DNN to which the MAC address belongs. The VN group indicates the VN group to which the MAC address belongs. The UE SUPI indicates the CPE/UE to which the MAC address belongs. The N3 interface indicates the interface from which the MAC address was learned.
After receiving the N3 interface MAC address learning message reported by the UPF, the SMF may associate the MAC address with the corresponding UE session and the corresponding UPF.
1432, the SMF associates the MAC address with the corresponding UE session and the corresponding UPF.
If the MAC address reported by the UPF is learned in the MAC address learning list of the SMF and is inconsistent with the UPF report information currently received, it indicates that the device corresponding to the MAC address may be changed (e.g., moved to another UPF, or moved to another CPE/UE, etc.). In this case, the SMF may be triggered to actively age the forwarding rule for the MAC address in the UPF and refresh the learning of the MAC address in the SMF.
In case B, the UPF N6 interface receives the downlink packet, and the source MAC address of the downlink packet is unknown.
In this case, method 1400 may also include steps 1441 and 1442.
1441, the UPF reports the MAC address learning message to the SMF.
For example, the MAC address learning message may include one or more of the following parameters: DNN, VN group, source MAC address, N6 interface. The DNN indicates the DNN to which the MAC address belongs. The VN group indicates the VN group to which the MAC address belongs. The N6 interface indicates the interface from which the MAC address was learned.
After receiving the N6 interface MAC address learning message reported by the UPF, the SMF may associate the MAC address with the corresponding DNN and VN group session.
1442, the SMF associates the MAC address with the corresponding DNN and VN group session.
If the MAC address reported by the UPF is learned in the MAC address learning list of the SMF and is inconsistent with the UPF report information currently received, it indicates that the device corresponding to the MAC address may have changed (for example, move from the network side to the DN network side). In this case, the SMF may be triggered to actively age the forwarding rule for the MAC address in the UPF and refresh the learning of the MAC address in the SMF.
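As an added illustration of steps 1431 to 1442 (this is example code written for this page, not code from the patent or from Huawei), the following Python models the SMF's MAC address learning table: each UPF report is associated with its DNN, VN group, source interface, reporting UPF and, for N3 reports, the UE SUPI. A report that is inconsistent with what the SMF already learned for that MAC is treated as a possible device move (another UPF, another CPE/UE, or network side to DN side), which triggers aging of the old forwarding rule in the UPF and a refresh of the SMF's learning. The report fields, the UPF identifier and the return labels are constructed assumptions; the page does not specify message encodings.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon-separated form, so 'AA-BB-..' and 'aa:bb:..' match."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 or int(p, 16) > 0xFF for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(parts)


@dataclass(frozen=True)
class MacLearningReport:
    """Constructed model of the MAC address learning message the UPF reports to the SMF."""
    dnn: str
    vn_group: str
    mac: str
    interface: str                 # "N3" (uplink from a CPE/UE) or "N6" (downlink from the DN)
    upf_id: str                    # identifier of the reporting UPF (assumed, not on the page)
    ue_supi: Optional[str] = None  # present only for N3 reports


@dataclass(frozen=True)
class MacBinding:
    """What the SMF associates a learned MAC address with."""
    dnn: str
    vn_group: str
    interface: str
    upf_id: str
    ue_supi: Optional[str]


class SmfMacLearningTable:
    """Constructed SMF-side MAC learning list. `aged` records the (upf_id, mac)
    forwarding rules the SMF would instruct the UPF to age out."""

    def __init__(self) -> None:
        self._table: Dict[str, MacBinding] = {}
        self.aged: List[Tuple[str, str]] = []

    def learn(self, report: MacLearningReport) -> str:
        """Process one report; returns 'new', 'unchanged' or 'moved'."""
        if report.interface not in ("N3", "N6"):
            raise ValueError(f"unknown source interface {report.interface!r}")
        if report.interface == "N3" and report.ue_supi is None:
            # an N3 report must identify the CPE/UE the MAC belongs to
            raise ValueError("N3 MAC learning report lacks UE SUPI")
        mac = normalize_mac(report.mac)
        binding = MacBinding(report.dnn, report.vn_group, report.interface,
                             report.upf_id, report.ue_supi)
        old = self._table.get(mac)
        if old is None:
            self._table[mac] = binding
            return "new"
        if old == binding:
            return "unchanged"
        # Inconsistent with the stored association: the device may have moved, so
        # age the old forwarding rule in the UPF that held it and refresh learning.
        self.aged.append((old.upf_id, mac))
        self._table[mac] = binding
        return "moved"

    def lookup(self, mac: str) -> Optional[MacBinding]:
        return self._table.get(normalize_mac(mac))


if __name__ == "__main__":
    table = SmfMacLearningTable()
    # constructed reports: the same MAC first seen behind UPF A, then behind UPF B
    print(table.learn(MacLearningReport("dnn1", "vn1", "02:00:00:00:00:01", "N3", "upf-a", "supi-1")))
    print(table.learn(MacLearningReport("dnn1", "vn1", "02:00:00:00:00:01", "N3", "upf-b", "supi-1")))
    print(table.aged)
```

The "moved" outcome is the point of interest for a defender: the same MAC reappearing from a different UPF, CPE/UE or interface is exactly the event that must invalidate the stale forwarding rule, otherwise traffic keeps being forwarded on the basis of an association that no longer holds.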
In case C, the UPF receives a service data message and performs rule matching on the source address and the destination address.
For example, the service data packet received by the UPF may be an uplink data packet sent by the CPE/UE or the device, or may also be a downlink data packet sent by the network on the DN side, which is not limited herein. The UPF receives the service data packet, and can determine how to process the service data packet by performing rule matching on the source address and the destination address of the service data packet.
The UPF performs rule matching on the source address and the destination address of the service data message, and if the matching fails, performs step 1450a in fig. 14 (1); if the matching is successful, step 1450b in fig. 14 (2) is executed, that is, the service data packet is forwarded or discarded according to the matched forwarding rule.
Step 1450b: matching succeeds. When the UPF performs VN group session matching, it performs rule matching on the source address and the destination address of the service data message; if the matching succeeds, it forwards or discards the service data message according to the matched forwarding rule. For the specific matching and forwarding, reference may be made, for example, to the explanation of the foregoing terms, which is not repeated here.
Step 1450a is described in detail below with reference to FIG. 14 (1).
Step 1450a: case of failure of matching. As shown in fig. 14 (1), in the case that the UPF receives the service data packet and fails to perform rule matching on the source address and the destination address of the service data packet, the method 1400 may include a step 1450a1 and a step 1450a2.
1450a1, UPF reports message forwarding rule unknown information to SMF.
The message forwarding rule unknown message may include, for example, but is not limited to, one or more of the following information: DNN, VN group, source MAC address, destination MAC address, and the security group information to which the source MAC address belongs. The DNN indicates the DNN to which the message belongs. The VN group indicates the VN group to which the message belongs. The source MAC address represents the source address of the service data message. The destination MAC address represents the destination address of the service data message.
The SMF determines a message forwarding rule, that is, a forwarding rule of the service data packet, according to the received information, and issues the forwarding rule of the service data packet to the UPF.
1450a2, SMF sends message forwarding rules to UPF.
That is, the SMF issues the forwarding rule of the service data packet to the UPF, and the UPF processes the service data packet according to the forwarding rule. For example, the packet forwarding rule includes forwarding the service data packet, and the UPF forwards the service data packet to the destination address according to the packet forwarding rule. As another example, if the packet forwarding rule includes discarding the service data packet, the UPF discards or ignores the service data packet according to the packet forwarding rule.
Step 1450a1 and step 1450a2 are described in detail below with respect to different scenarios.
In case 1, in step 1450a1, the unknown message of the message forwarding rule reported by the UPF includes a destination MAC address, and the destination MAC address is a multicast or broadcast address.
Alternatively, the SMF may obtain security group information to which the source MAC address belongs.
In a possible implementation manner, the source MAC address is a network side address of a mobile operator, and the SMF interacts with the UDM or DN-AAA to obtain security group information to which the source MAC address belongs. For example, if security group membership information is maintained by the mobile operator network, the SMF interacts with the UDM to obtain security group information to which the source MAC address belongs. As another example, if security group membership information is maintained by the DN-AAA, the SMF interacts with the DN-AAA to obtain security group information to which the source MAC address belongs.
In yet another possible implementation, the source MAC address is a DN side address and the security group information is maintained by the mobile operator network, so the UDM lacks the security group information to which the source MAC address belongs. In this case, if the operator configures the tunnel packet of the DN side downlink packet to carry the security group information to which the source MAC address belongs, the message forwarding rule unknown message reported by the UPF may carry that security group information and the SMF checks the validity of the source MAC address; otherwise the SMF does not check the validity of the source MAC address.
In another possible case, the source MAC address is a DN side address and the security group information is maintained by the DN-AAA; the SMF interacts with the DN-AAA to obtain the security group information to which the source MAC address belongs and determines the validity of the MAC address.
It should be understood that the above-described implementations are exemplary only, and are not limiting.
In this case 1, the SMF may check the validity of the source MAC address according to step 1450a1, and issue a packet forwarding rule to the UPF according to the multicast and broadcast forwarding policy configured by the operator, so as to allow or prohibit the packet from being sent.
It should be understood that, in case 1, the unknown message of the message forwarding rule reported by the UPF includes the destination MAC address as an example, which does not limit that the unknown message of the message forwarding rule only includes the destination MAC address, and the unknown message of the message forwarding rule may also include other information, which is not limited thereto.
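As an added example for case 1 (example code written for this page, not code from the patent or from Huawei), the following Python classifies the destination MAC address as unicast, multicast or broadcast from the I/G bit of its first octet, and then applies the two inputs the text names for this case: whether the source MAC address passes the validity check (it has security group information) and the operator's configured multicast and broadcast forwarding policy. The `OperatorL2Policy` flags and the `source_checkable` switch (modelling whether the SMF has source security group information to check at all, as in the implementations above) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


def classify_destination_mac(mac: str) -> str:
    """Return 'broadcast', 'multicast' or 'unicast'.
    The least significant bit of the first octet is the I/G (group) bit; the
    all-ones address is the broadcast address."""
    octets = [int(part, 16) for part in mac.lower().replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    if all(o == 0xFF for o in octets):
        return "broadcast"
    return "multicast" if octets[0] & 0x01 else "unicast"


@dataclass(frozen=True)
class OperatorL2Policy:
    """Constructed operator configuration for group-addressed frames."""
    forward_multicast: bool
    forward_broadcast: bool


def decide_group_addressed_rule(dst_mac: str,
                                src_group: Optional[str],
                                policy: OperatorL2Policy,
                                source_checkable: bool = True) -> str:
    """Forwarding rule the SMF issues for a case-1 packet: 'forward' or 'discard'.
    src_group is the security group the SMF obtained for the source MAC address,
    or None when it found no security group information."""
    kind = classify_destination_mac(dst_mac)
    if kind == "unicast":
        raise ValueError("destination is unicast; case 1 covers multicast/broadcast only")
    if source_checkable and src_group is None:
        # the SMF can check validity and the source MAC has no security group: invalid
        return "discard"
    allowed = policy.forward_broadcast if kind == "broadcast" else policy.forward_multicast
    return "forward" if allowed else "discard"


if __name__ == "__main__":
    policy = OperatorL2Policy(forward_multicast=False, forward_broadcast=True)
    # constructed inputs: an ARP-style broadcast and an IPv4 multicast frame
    print(decide_group_addressed_rule("ff:ff:ff:ff:ff:ff", "sg1", policy))
    print(decide_group_addressed_rule("01:00:5e:00:00:01", "sg1", policy))
```

Keeping the address classification separate from the policy decision means the policy input is exactly what the operator configures (forward multicast, forward broadcast) and cannot be confused by unusual address notation; the classifier rejects anything that is not six octets.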
In case 2, in step 1450a1, the unknown message of the message forwarding rule reported by the UPF includes a destination MAC address, and the destination MAC address is a DN side address.
In this case 2, the SMF interacts with the UDM or DN-AAA and obtains the security group information to which the source MAC address belongs. Optionally, the SMF may also obtain security group information to which the destination MAC address belongs.
Alternatively, the SMF may determine whether security group information to which the source MAC address belongs and security group information to which the destination MAC address belongs exist, and determine whether to execute a security group policy, that is, whether to formulate a forwarding rule according to the security group policy, according to whether the security group information to which the source MAC address belongs and the security group information to which the destination MAC address belongs exist. For example, if the SMF obtains security group information to which the source MAC address belongs and security group information to which the destination MAC address belongs, the SMF performs security group policy checking. For another example, if the SMF obtains the security group information to which the destination MAC address belongs, and does not obtain the security group to which the source MAC address belongs, the SMF lacks the security group information to which the source MAC address belongs, and does not perform security group policy check on the source MAC address and the destination MAC address. For another example, if the SMF obtains the security group information to which the source MAC address belongs and does not obtain the security group to which the destination MAC address belongs, the SMF lacks the security group information to which the destination MAC address belongs and does not perform security group policy check on the source MAC address and the destination MAC address.
In a possible implementation manner, the security group information is maintained by a mobile operator network, and the SMF may obtain the security group information to which the source MAC address belongs from the UDM, that is, if there is a security group to which the source MAC address belongs, the SMF interacts with the UDM to obtain the security group information to which the source MAC address belongs. For the message with the destination MAC address as the DN side address, the UDM does not have the security group information of the destination MAC address. Thus, in this manner, the SMF does not execute security group policies.
In yet another possible implementation, the security group information is maintained by the DN-AAA, and the SMF may obtain the security group information to which the source MAC address belongs from the DN-AAA, that is, if there is a security group to which the source MAC address belongs, the SMF interacts with the DN-AAA to obtain the security group information to which the source MAC address belongs. Whether the SMF obtains the security group information to which the destination MAC address belongs through the DN-AAA may be determined by operator policy.
The above two implementations are merely exemplary and are not limited thereto. As long as the SMF can acquire the security group information to which the source MAC address belongs or the security group information to which the destination MAC address belongs, the present embodiment is applicable.
In this case 2, step 1450a2 is illustrated in connection with two scenarios.
Scenario 1, the SMF performs a security group policy check on the source MAC address and the destination MAC address.
If the SMF performs security group policy check on the source MAC address and the destination MAC address (for example, the SMF performs security group policy check on the source MAC address and the destination MAC address according to the operator policy), the SMF performs security group policy according to the obtained security group information to which the source MAC address belongs and the security group information to which the destination MAC address belongs, and issues a packet forwarding rule to the UPF to allow or prohibit packet transmission.
Optionally, if the packet is allowed to be sent out, the tunnel packet may carry the security group information to which the source MAC address belongs. By carrying the security group information of the source MAC address, the DN network can apply its own security policy. Whether to carry the security group information to which the source MAC address belongs may be determined, for example, by operator policy.
The following examples refer to Table 7. For example, assuming that the source MAC address is MAC1, the security group to which MAC1 belongs is security group 1, the destination MAC address is MAC2, and the security group to which MAC2 belongs is security group 2, the SMF may issue a packet forwarding rule to the UPF, allowing the service data packet to be sent from the UPF N6 port. For another example, if the source MAC address is MAC1, the security group to which MAC1 belongs is security group 1, the destination MAC address is MAC3, and the security group to which MAC3 belongs is security group 3, the SMF may issue a packet forwarding rule to the UPF, prohibiting the service data packet from being sent from the UPF N6 port.
Scenario 2, the SMF does not perform a security group policy check on the source MAC address and the destination MAC address.
If the SMF does not perform security group policy checking on the source MAC address and the destination MAC address (e.g., the SMF does not perform security group policy checking on the source MAC address and the destination MAC address according to the operator policy), then, in one possible implementation, the SMF may also issue a message forwarding rule to the UPF according to whether the source MAC address is a valid address, and allow or prohibit the message from being sent.
For example, the SMF may determine whether the source MAC address is a legitimate address based on whether security group information for the source MAC address exists.
For example, when the SMF obtains the security group information of the source MAC address, the SMF may determine that the source MAC address is a valid address. At this time, the SMF may issue a message forwarding rule to the UPF, and allow the message to be sent, for example, allow the message to be sent from the UPF N6 port.
As another example, when the SMF does not query the security group information for the source MAC address, the SMF may determine that the source MAC address is not a legitimate address. At this time, the SMF may issue a message forwarding rule to the UPF to prohibit the message from being sent, for example, prohibit the message from being sent from the UPF N6 port.
Optionally, if the packet is allowed to be sent out, the tunnel packet may carry the security group information to which the source MAC address belongs. By carrying the security group information of the source MAC address, the DN network can apply its own security policy. Whether to carry the security group information to which the source MAC address belongs may be determined, for example, by operator policy.
It should be understood that, in the scenario 2 described above, the SMF determining whether the source MAC address is a legal address is only one possible implementation manner, and is not limited thereto. For example, if the SMF does not perform security group policy checking on the source MAC address and the destination MAC address, it may also issue a packet forwarding rule to the UPF to prohibit the packet from being issued.
It should be further understood that, in case 2, the unknown message of the message forwarding rule reported by the UPF includes the destination MAC address as an example, which does not limit that the unknown message of the message forwarding rule only includes the destination MAC address, and the unknown message of the message forwarding rule may also include other information, which is not limited thereto.
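The forwarding-rule decision is the same for the IP cases of fig. 13 (cases 1 to 3 of step 1330a2 above) and for the MAC cases of fig. 14 (cases 1 to 3 of step 1450a2), differing only in the address type, so one added example covers both. It is example code written for this page, not code from the patent or from Huawei, and it works on the security group labels the SMF has obtained rather than on addresses. Assumptions: the allow matrix stands in for Table 7, which is not reproduced on this page (the constructed matrix follows the fig. 14 worked example, group 1 to group 2 allowed and group 1 to group 3 prohibited); the operator policy flags are constructed; and for case 3 with both groups known the page only specifies the missing-information scenarios, so applying the same matrix there is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Action(Enum):
    FORWARD = "forward"   # allow the packet to be sent, e.g. from the UPF N6 port
    DISCARD = "discard"   # prohibit the packet from being sent


class Case(Enum):
    DEST_ON_DN_SIDE = 1    # case 1 of the text: the destination address is a DN side address
    SRC_ON_DN_SIDE = 2     # case 2: the source address is a DN side address
    BOTH_NETWORK_SIDE = 3  # case 3: both addresses are network side device addresses


# Constructed stand-in for Table 7: the (source group, destination group) pairs
# that the operator's security group policy allows to communicate.
AllowMatrix = FrozenSet[Tuple[str, str]]


@dataclass(frozen=True)
class ForwardingRule:
    """The rule the SMF issues to the UPF for one (source, destination) pair."""
    action: Action
    # whether the tunnel packet carries the source's security group information so
    # the DN network can apply its own policy (only meaningful when forwarding)
    carry_src_group: bool = False


def security_group_check(src_group: str, dst_group: str, allow: AllowMatrix) -> Action:
    """Scenario 1: both groups are known and the operator policy says to check them."""
    return Action.FORWARD if (src_group, dst_group) in allow else Action.DISCARD


def legitimacy_check(group: Optional[str]) -> Action:
    """Scenario 2: no policy check; an address is legitimate iff it has security group info."""
    return Action.FORWARD if group is not None else Action.DISCARD


def decide_forwarding_rule(case: Case,
                           src_group: Optional[str],
                           dst_group: Optional[str],
                           allow: AllowMatrix,
                           operator_checks_policy: bool = True,
                           operator_carries_src_group: bool = False) -> ForwardingRule:
    """src_group / dst_group: the security groups the SMF obtained (from the UDM,
    the DN-AAA or the UPF's report), or None when no security group info exists."""
    if case is Case.BOTH_NETWORK_SIDE:
        # case 3: a packet whose source or destination has no security group
        # information is discarded; with both known, apply the matrix (assumption)
        if src_group is None or dst_group is None:
            return ForwardingRule(Action.DISCARD)
        return ForwardingRule(security_group_check(src_group, dst_group, allow))

    both_known = src_group is not None and dst_group is not None
    if operator_checks_policy and both_known:
        action = security_group_check(src_group, dst_group, allow)
    else:
        # the SMF lacks group info for one side, or operator policy skips the
        # check: fall back to a legitimacy check on the network-side address
        # (the source in case 1, the destination in case 2)
        network_side = src_group if case is Case.DEST_ON_DN_SIDE else dst_group
        action = legitimacy_check(network_side)

    carry = (action is Action.FORWARD
             and operator_carries_src_group
             and src_group is not None)
    return ForwardingRule(action, carry)


# Constructed policy following the fig. 14 worked example.
ALLOW: AllowMatrix = frozenset({("sg1", "sg2"), ("sg2", "sg1")})


if __name__ == "__main__":
    print(decide_forwarding_rule(Case.DEST_ON_DN_SIDE, "sg1", "sg2", ALLOW))
    print(decide_forwarding_rule(Case.DEST_ON_DN_SIDE, "sg1", "sg3", ALLOW))
    print(decide_forwarding_rule(Case.SRC_ON_DN_SIDE, None, "sg2", ALLOW))
```

The branch worth noticing from a security standpoint is the fallback: when either group is unknown, the decision degrades to "does the network-side address have any security group at all", so an operator that relies on the fine-grained matrix should make sure both sides of every expected flow actually have security group information provisioned in the UDM or DN-AAA.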
In step 1450a1, the unknown message of the message forwarding rule reported by the UPF includes a source MAC address, and the source MAC address is a DN side address.
In this case 3, the SMF interacts with the UDM or DN-AAA and obtains the security group information to which the destination MAC address belongs. Optionally, the SMF may also obtain security group information to which the source MAC address belongs.
Optionally, the SMF may determine whether security group information to which the source MAC address belongs and security group information to which the destination MAC address belongs exist, and decide on that basis whether to execute the security group policy. For example, if the SMF obtains both the security group information to which the source MAC address belongs and the security group information to which the destination MAC address belongs, the SMF performs the security group policy check. If the SMF obtains the security group information to which the destination MAC address belongs but not that of the source MAC address, or obtains the security group information to which the source MAC address belongs but not that of the destination MAC address, it lacks one side of the information and does not perform a security group policy check on the source MAC address and the destination MAC address.
In a possible implementation, the security group information is maintained by the mobile operator network, and the SMF obtains the security group information to which the destination MAC address belongs from the UDM; that is, if there is a security group to which the destination MAC address belongs, the SMF obtains that information by interacting with the UDM. For a packet whose source MAC address is a DN-side address, the UDM has no security group information for the source MAC address; if operator policy configures DN-side downlink packets to carry the security group information to which the source MAC address belongs, the forwarding-rule-unknown message reported by the UPF may carry that security group information.
In yet another possible implementation, the security group information is maintained by the DN-AAA, and the SMF obtains the security group information to which the destination MAC address belongs from the DN-AAA; that is, if there is a security group to which the destination MAC address belongs, the SMF obtains that information by interacting with the DN-AAA. If operator policy configures the SMF to obtain the security group information of the source MAC address through the DN-AAA, the SMF may obtain it from the DN-AAA. Alternatively, if the forwarding-rule-unknown message reported by the UPF carries the security group information to which the source MAC address belongs (for example because operator policy configures DN-side downlink packets to carry it), the SMF may obtain the security group information to which the source MAC address belongs from the forwarding-rule-unknown message.
The above two implementations are merely exemplary and are not limited thereto. As long as the SMF can acquire the security group information to which the source MAC address belongs or the security group information to which the destination MAC address belongs, the present embodiment is applicable.
In this case 3, step 1450a2 is illustrated in connection with two scenarios.
Scenario 1: the SMF performs a security group policy check on the source MAC address and the destination MAC address.
If the SMF performs a security group policy check on the source MAC address and the destination MAC address (for example, because operator policy requires it), the SMF applies the security group policy to the obtained security group information to which the source MAC address belongs and the security group information to which the destination MAC address belongs, issues a packet forwarding rule to the UPF, and thereby allows or prohibits forwarding of the packet.
The following examples refer to Table 7. For example, assuming that the source MAC address is MAC2, the security group to which MAC2 belongs is security group 2, the destination MAC address is MAC3, and the security group to which MAC3 belongs is security group 3, the SMF may issue a packet forwarding rule to the UPF that allows the service data packet to be sent from the UPF N6 port. For another example, if the source MAC address is MAC1, the security group to which MAC1 belongs is security group 1, the destination MAC address is MAC2, and the security group to which MAC2 belongs is security group 2, the SMF may issue a packet forwarding rule to the UPF that prohibits the service data packet from being sent from the UPF N6 port.
Scenario 2: the SMF does not perform a security group policy check on the source MAC address and the destination MAC address.
If the SMF does not perform a security group policy check on the source MAC address and the destination MAC address (for example, because operator policy does not require it), then, in one possible implementation, the SMF may instead issue a packet forwarding rule to the UPF according to whether the destination MAC address is a legal address, and allow or prohibit the packet from being sent.
For example, the SMF may determine whether the destination MAC address is a legitimate address based on whether security group information for the destination MAC address exists.
For example, when the SMF obtains security group information of the destination MAC address, the SMF may determine that the destination MAC address is a valid address. At this time, the SMF may issue a message forwarding rule to the UPF, and allow the message to be sent, for example, allow the message to be sent from the UPF N6 port.
For another example, when the SMF cannot find security group information for the destination MAC address, the SMF may determine that the destination MAC address is not a legitimate address. In that case, the SMF may issue a packet forwarding rule to the UPF that prohibits the packet from being sent, for example from the UPF N6 port.
It should be understood that, in scenario 2, having the SMF determine whether the destination MAC address is a legal address is only one possible implementation and is not limiting. For example, if the SMF does not perform a security group policy check on the source MAC address and the destination MAC address, it may instead issue a packet forwarding rule to the UPF that prohibits the packet from being forwarded.
It should be further understood that case 3 takes as an example a forwarding-rule-unknown message reported by the UPF that includes the source MAC address; this does not limit the message to including only the source MAC address, and the forwarding-rule-unknown message may also include other information.
Case 4: in step 1450a1, the forwarding-rule-unknown message reported by the UPF includes a source MAC address and a destination MAC address, where the destination MAC address is a unicast address and both the source MAC address and the destination MAC address are network-side device addresses.
In this case 4, the SMF interacts with the UDM or DN-AAA, and acquires security group information to which the source MAC address belongs and security group information to which the destination MAC address belongs.
Optionally, the SMF may determine whether security group information to which the source MAC address belongs and security group information to which the destination MAC address belongs exist, and determine the packet forwarding rule according to whether they exist.
In a possible implementation manner, the security group member information is maintained by a mobile operator network, and the SMF interacts with the UDM to obtain the security group information to which the source MAC address belongs and the security group information to which the destination MAC address belongs.
In another possible implementation manner, the security group member information is maintained by DN-AAA, and the SMF interacts with the DN-AAA to obtain the security group information to which the source MAC address belongs and the security group information to which the destination MAC address belongs.
The above two implementations are merely exemplary and are not limiting. The embodiment of the present application is applicable as long as the SMF can obtain the security group information to which the source MAC address belongs and the security group information to which the destination MAC address belongs.
In this case 4, step 1450a2 is illustrated in connection with two scenarios.
Scenario 1, the source MAC address has no associated security group information.
If the source MAC address does not have associated security group information, then a possible implementation is that the SMF issues a message forwarding rule to the UPF, discarding the message with the source MAC address as the source address or the destination address.
Scenario 2, the destination MAC address has no associated security group information.
If the destination MAC address does not have associated security group information, a possible implementation is that the SMF issues a message forwarding rule to the UPF, and discards a message with the destination MAC address as a source address or a destination address.
It should be understood that case 4 takes as an example a forwarding-rule-unknown message reported by the UPF that includes a source MAC address and a destination MAC address; this does not limit the message to including only the source MAC address and the destination MAC address, and the forwarding-rule-unknown message may also include other information, which is not limited herein.
It should also be understood that the above description is illustrative only and is not limiting. The embodiments of the present application are all applicable as long as a scheme that the SMF can execute the security group policy of the embodiments of the present application can be implemented. It should also be understood that in actual communication, the adjustment can be flexibly performed according to different communication environments or scenes.
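The decision logic of cases 2 to 4 above, written out as an added example that is not part of the patent: the SMF resolves the security group of each MAC address in the forwarding-rule-unknown report (from the UDM or DN-AAA record, or from the security group carried in a DN-side downlink tunnel packet), applies the security group policy when both groups are known and operator policy asks for it, otherwise falls back to the legal-address check, and returns the forwarding rule to issue to the UPF. The class and field names, the membership table, the allowed-pair table and the operator policy flags are assumptions made for this example; Table 7 of the patent is not reproduced.

```python
"""Added example, not the patent's own code: one way an SMF could derive the
packet forwarding rule it issues to the UPF after a forwarding-rule-unknown
report (cases 2 to 4 of method 1400, Ethernet PDU session). The class and
field names, the membership table and the allowed-pair table are assumptions
made for this example; Table 7 of the patent is not reproduced here."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


class Side(Enum):
    NETWORK = "network-side device"   # a device behind the 5G VN group
    DN = "DN side"                    # an address in the data network behind N6


@dataclass(frozen=True)
class UnknownReport:
    """Fields of the forwarding-rule-unknown message reported by the UPF
    (constructed; the patent allows the message to carry other fields too)."""
    src_mac: str
    dst_mac: str
    src_side: Side
    dst_side: Side
    src_group_in_tunnel: Optional[str] = None  # SG carried in a DN-side downlink tunnel


@dataclass(frozen=True)
class ForwardingRule:
    action: str                      # "forward" or "discard"
    carry_group: Optional[str]       # SG info to put in the N6 tunnel packet, if any


class SmfSecurityGroupPolicy:
    def __init__(self, members: Dict[str, str], allowed: FrozenSet[Tuple[str, str]],
                 check_policy: bool = True, tag_n6: bool = True) -> None:
        self.members = members            # MAC -> security group, as learned from UDM / DN-AAA
        self.allowed = allowed            # (source SG, destination SG) pairs the policy permits
        self.check_policy = check_policy  # operator policy: run the SG policy check (scenario 1)
        self.tag_n6 = tag_n6              # operator policy: carry the source SG on N6

    def group_of(self, mac: str, tunnel_hint: Optional[str] = None) -> Optional[str]:
        """UDM / DN-AAA record first; for a DN-side source the SG carried in the
        downlink tunnel packet is accepted instead (case 3)."""
        return self.members.get(mac, tunnel_hint)

    def decide(self, r: UnknownReport) -> ForwardingRule:
        src_sg = self.group_of(r.src_mac, r.src_group_in_tunnel)
        dst_sg = self.group_of(r.dst_mac)

        # Case 4: both addresses are network-side devices. A device with no
        # security group is discarded (scenarios 1 and 2 of case 4).
        if r.src_side is Side.NETWORK and r.dst_side is Side.NETWORK:
            if src_sg is None or dst_sg is None:
                return ForwardingRule("discard", None)
            ok = (src_sg, dst_sg) in self.allowed
            return ForwardingRule("forward" if ok else "discard", None)

        # Cases 2 and 3: one side is the DN. With both groups known and the
        # operator policy asking for it, the SG policy decides (scenario 1);
        # otherwise the network-side address is only checked for being a
        # "legal" address, i.e. one that has a security group (scenario 2).
        if self.check_policy and src_sg is not None and dst_sg is not None:
            ok = (src_sg, dst_sg) in self.allowed
        else:
            network_side_sg = src_sg if r.dst_side is Side.DN else dst_sg
            ok = network_side_sg is not None
        action = "forward" if ok else "discard"
        carry = src_sg if (ok and r.dst_side is Side.DN and self.tag_n6) else None
        return ForwardingRule(action, carry)


# Constructed sample data: three devices behind the VN group and a policy that
# permits A <-> B and C -> A only (not the patent's Table 7).
MEMBERS = {"MAC-A": "SG-A", "MAC-B": "SG-B", "MAC-C": "SG-C"}
ALLOWED = frozenset({("SG-A", "SG-B"), ("SG-B", "SG-A"), ("SG-C", "SG-A")})


if __name__ == "__main__":
    smf = SmfSecurityGroupPolicy(MEMBERS, ALLOWED)
    for report in (
        UnknownReport("MAC-A", "MAC-B", Side.NETWORK, Side.NETWORK),      # case 4, permitted
        UnknownReport("MAC-A", "MAC-X", Side.NETWORK, Side.NETWORK),      # case 4, unknown device
        UnknownReport("MAC-A", "MAC-DN", Side.NETWORK, Side.DN),          # case 2, legal source
        UnknownReport("MAC-DN", "MAC-B", Side.DN, Side.NETWORK, "SG-C"),  # case 3, SG-C -> SG-B denied
    ):
        print(report.src_mac, "->", report.dst_mac, smf.decide(report))
```

A device whose MAC address has no security group is never forwarded in the network-side case, which is the default-deny behaviour the text gives for case 4. The only path on which an address without a record is forwarded is the legal-address check of scenario 2, and there it is the other, network-side end of the packet that must have a group; a DN-side peer that carries no group information therefore cannot be checked against the policy and is only admitted when the operator policy accepts that.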
It should also be understood that in the scenario illustrated in fig. 14, the source address may be in the form of a MAC address, and the terms source address and source MAC address are sometimes used interchangeably; both refer to the sending address, that is, the source address, of the packet. Likewise, the destination address may be in the form of a MAC address, and the terms destination address and destination MAC address are sometimes used interchangeably; both refer to the destination address of the packet.
One possible flow for SMF to perform security group policy is illustratively described above in connection with steps 1410-1450 shown in fig. 14, such as the scenario where the PDU session type is Ethernet. It should be understood that the above steps are only exemplary, and are not strictly limited thereto. In addition, the sequence numbers of the above processes do not mean the execution sequence, and the execution sequence of each process should be determined by the function and the inherent logic of each process, and should not limit the implementation process of the embodiment of the present application. For example, steps 1431 and 1432, described above, may exist simultaneously with step 1450, or may exist separately.
Based on the above scheme, for the scenario in which the PDU session type is Ethernet, the SMF executes the VN group security group policy; that is, the SMF formulates forwarding rules according to the security group policy and thereby controls packet interworking between communication devices, improving the security of communication between the devices.
FIG. 15 is a schematic flow chart diagram of security group policy enforcement suitable for use in another embodiment of the present application.
As shown in FIG. 15, the method 1500 is illustrated primarily with the interaction between a device, CPE/UE, RAN, AMF, SMF, UDM, DN-AAA, UPF, DN being taken as an example. In the method 1500, the first network element is, for example, a UPF and the second network element is, for example, an SMF. By way of example and not limitation, the method 1500 shown in fig. 15 may be used in a scenario where the PDU session type is IP, and the VN group security group policy is executed by the UPF, that is, the UPF determines the forwarding rule based on the security group policy, and completes the flow of the communication device message interworking control. The method 1500 shown in fig. 15 may include the following steps.
1510, the SMF creates a VN group session.
The embodiment of the present application is not limited with respect to the condition for triggering the SMF to create the VN group session. For example, for a 5G LAN scenario, after completing the configuration on the 5G LAN network side, the network entry of the 5G LAN terminal (e.g., CPE/UE) triggers the SMF to create a 5G VN group session. By way of example and not limitation, the way a 5G VN group session is created is as in steps 1511 to 1513.
1511, the SMF requests 5G VN group session subscription information from the UDM.
1512, the UDM returns 5G VN group session subscription information to the SMF.
The 5G VN group session subscription information may include security group information configured for the 5G VN group. The configured security group information may include, for example: configured security groups (e.g., security group identification/name, etc.), and security group policies.
1513, 5G VN group session creation is completed.
The SMF completes 5G VN group session creation and saves the corresponding security group information (such as the security group identification/name) and security group policy in the 5G VN group session.
In addition, the SMF may issue 5G VN security group information, such as security group (e.g. security group identification/name, etc.) and security group policies, to the UPF.
It should be understood that the above description is only an exemplary illustration, and the embodiments of the present application are not limited with respect to the specific manner of creating a VN group session. For example, reference may be made to existing approaches, or any future approach that may enable creation of a VN group session may be applicable to embodiments of the present application.
1520, create a UE session under the VN.
For a UE session whose PDU session type is IP, the SMF interacts with the UDM or DN-AAA to obtain the security group information corresponding to the IP address of the UE. For example, if the security group information is maintained by the mobile operator network, the SMF may interact with the UDM to obtain the security group information to which the UE IP address belongs. As another example, if the security group information is maintained by the DN-AAA, the SMF may interact with the DN-AAA to obtain it.
During creation of the UE session under the VN, the SMF may issue information about the security group to which the UE belongs to all UPFs under the VN group. This information may include, but is not limited to, one or more of the following: UE SUPI; UE IP address, the IP address allocated to the UE; security group, the security group to which the UE belongs; UPF ID, identifying the UPF through which the UE is currently accessed; UPF N19 IP address, the N19 interface address of that UPF.
After the session of the UE under the VN is established, the UE can exchange service data messages with the DN through the PDU session established between the UE and the DN and through the UPF.
After receiving the service data message, the UPF may process the service data message according to a forwarding rule. The following description will be made in conjunction with different cases.
Case 1: the source address and the destination address of the service data packet received by the UPF are both network-side device addresses.
In this case 1, the method 1500 may further include a step 1531.
1531, the UPF processes the service data packet according to the security group policy between the security group to which the source address belongs and the security group to which the destination address belongs.
In a possible implementation manner, the UPF may obtain the security group information to which the source address belongs according to the source address, obtain the security group information to which the destination address belongs according to the destination address, and process the service data packet according to the security group policy between the security group to which the source address belongs and the security group to which the destination address belongs.
The following examples refer to Table 7. For example, assuming that the security group to which the source address belongs is security group 1 and the security group to which the destination address belongs is security group 2, the UPF forwards the service data packet according to the security group policy between security group 1 and security group 2, that is, forwards the service data packet to the destination address. For another example, assuming that the security group to which the source address belongs is security group 1 and the security group to which the destination address belongs is security group 3, the UPF discards or ignores the service data packet according to the security group policy between security group 1 and security group 3, that is, does not forward the service data packet to the destination address.
For example, in the case that any one of the security group information to which the source address belongs and the security group information to which the destination address belongs is not queried, the UPF may directly discard the traffic data packet. It is to be understood that no limitation is thereby intended. For example, when the security group information to which the source address belongs is not queried and the security group information to which the destination address belongs is not queried, different processing modes may be available according to actual situations.
Case 2: the network segment to which the destination address of the service data packet received by the UPF belongs is on the DN side.
In this case 2, the method 1500 may further include a step 1532.
1532, the UPF forwards the packet to the DN network over the N6 interface.
The UPF may look up the security group information to which the source address belongs based on the source address. The tunnel packet sent by the UPF to the DN side over the N6 interface may carry that security group information, so that the DN network can apply its security policy. Whether the tunnel packet carries the security group information to which the source address belongs may, for example, be determined by operator policy, which is not limited.
Case 3: the network segment to which the source address of the service data packet received by the UPF belongs is on the DN side.
In this case 3, the method 1500 may further include step 1533.
1533, the UPF processes the service data packet according to the security group policy between the security group to which the source address belongs and the security group to which the destination address belongs, or according to operator policy.
In a possible implementation, the UPF processes the service data packet according to the security group policy between the two security groups. If the downlink tunnel packet carries the security group information corresponding to the source address, the UPF may look up the security group information to which the destination address belongs based on the destination address, and process the service data packet (discard or forward it) according to the security group policy between the security group to which the source address belongs and the security group to which the destination address belongs.
Alternatively, the UPF processes the service data packet according to operator policy. If the operator policy is not to apply security group policy control to downlink packets, the UPF may forward the packet directly.
It is to be understood that the above description is intended to be illustrative, and not restrictive. The present application is applicable to all schemes as long as a scheme that UPF can execute the security group policy of the present application embodiment can be implemented. It should also be understood that in actual communication, the adjustment can be flexibly performed according to different communication environments or scenes.
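Steps 1520 to 1533 as an added example that is not part of the patent: the membership entries the SMF pushes at session creation (SUPI, UE IP address, security group, UPF ID, UPF N19 address) are installed in the UPF, and each service data packet is classified into case 1, 2 or 3 by whether its source or destination falls in the DN-side segment, then handled as steps 1531 to 1533 describe. The DN prefix, the UE addresses, the allowed-pair table, the operator policy flags and the use of the N19 address to reach a UE that is accessed through another UPF are assumptions made for this example.

```python
"""Added example, not the patent's own code: a UPF applying the VN group
security group policy to IP PDU sessions as in method 1500. The member table
carries the fields the SMF pushes at step 1520 (SUPI, UE IP address, security
group, UPF ID, UPF N19 address); the DN prefix, the allowed-pair table, the
UE addresses and the use of the N19 address to reach a UE on another UPF are
assumptions made for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Member:
    supi: str
    ip: str
    group: str
    upf_id: str     # UPF the UE is currently accessed through
    n19_addr: str   # that UPF's N19 interface address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_group_tag: Optional[str] = None   # SG info carried in a downlink tunnel packet


class UpfVnGroupEnforcer:
    def __init__(self, upf_id: str, dn_prefix: str, allowed: FrozenSet[Tuple[str, str]],
                 tag_n6: bool = True, check_downlink: bool = True) -> None:
        self.upf_id = upf_id
        self.dn_net = ipaddress.ip_network(dn_prefix)   # segment behind N6
        self.allowed = allowed                           # permitted (src SG, dst SG) pairs
        self.tag_n6 = tag_n6                   # operator policy: carry SG on the N6 tunnel
        self.check_downlink = check_downlink   # operator policy: SG control on downlink
        self.members: Dict[str, Member] = {}

    def install(self, m: Member) -> None:
        """Step 1520: the SMF issues the UE's membership to every UPF in the VN group."""
        self.members[m.ip] = m

    def group_of(self, ip: str) -> Optional[str]:
        m = self.members.get(ip)
        return m.group if m else None

    def on_dn_side(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.dn_net

    def handle(self, p: Packet) -> str:
        """Return the action taken on a service data packet."""
        # Case 2 (step 1532): destination segment is on the DN side -> out over N6,
        # with the source's security group in the tunnel packet if policy says so.
        if self.on_dn_side(p.dst):
            src_sg = self.group_of(p.src)
            if src_sg is not None and self.tag_n6:
                return f"forward-n6:{src_sg}"
            return "forward-n6"

        # Case 3 (step 1533): source segment is on the DN side (downlink).
        if self.on_dn_side(p.src):
            if not self.check_downlink:
                return "forward"                 # operator policy: no SG control on downlink
            dst_sg = self.group_of(p.dst)
            if p.src_group_tag is None or dst_sg is None:
                return "discard"                 # nothing to check the policy against
            return "forward" if (p.src_group_tag, dst_sg) in self.allowed else "discard"

        # Case 1 (step 1531): both addresses are network-side devices.
        src_sg, dst_sg = self.group_of(p.src), self.group_of(p.dst)
        if src_sg is None or dst_sg is None:
            return "discard"                     # either address has no security group
        if (src_sg, dst_sg) not in self.allowed:
            return "discard"
        dst = self.members[p.dst]
        if dst.upf_id == self.upf_id:
            return "forward"                     # destination is on this UPF
        return f"forward-n19:{dst.n19_addr}"     # assumption: hand over N19 to the UE's UPF


# Constructed sample data (not from the patent).
DN_PREFIX = "198.51.100.0/24"
ALLOWED = frozenset({("SG-A", "SG-B"), ("SG-B", "SG-A"), ("SG-B", "SG-C"), ("SG-C", "SG-A")})
MEMBERS = (
    Member("imsi-001", "10.0.1.10", "SG-A", "upf-1", "192.0.2.1"),
    Member("imsi-002", "10.0.1.20", "SG-B", "upf-1", "192.0.2.1"),
    Member("imsi-003", "10.0.1.30", "SG-C", "upf-2", "192.0.2.2"),
)


def build_upf(upf_id: str = "upf-1", **policy) -> UpfVnGroupEnforcer:
    upf = UpfVnGroupEnforcer(upf_id, DN_PREFIX, ALLOWED, **policy)
    for m in MEMBERS:
        upf.install(m)
    return upf


if __name__ == "__main__":
    upf = build_upf()
    for pkt in (Packet("10.0.1.10", "10.0.1.20"), Packet("10.0.1.10", "10.0.1.30"),
                Packet("10.0.1.20", "10.0.1.30"), Packet("10.0.1.10", "198.51.100.5"),
                Packet("198.51.100.5", "10.0.1.10", "SG-C"), Packet("198.51.100.5", "10.0.1.10")):
        print(pkt.src, "->", pkt.dst, upf.handle(pkt))
```

In case 2 the example forwards even when the source has no security group, as step 1532 describes; the group is only attached when it is known and the operator policy asks for it. An operator who wants the default-deny of case 1 to apply to N6 traffic as well would discard there instead. On the downlink, a packet that carries no group information is discarded when downlink control is enabled, because there is nothing to evaluate the policy against.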
It should also be understood that in the scenario illustrated in fig. 15, the source address may be in the form of an IP address, and the terms source address and source IP address are sometimes used interchangeably; both refer to the sending address, that is, the source address, of the packet. Likewise, the destination address may be in the form of an IP address, and the terms destination address and destination IP address are sometimes used interchangeably; both refer to the destination address of the packet.
One possible flow for UPF to enforce security group policies is described above in connection with steps 1510-1533 shown in fig. 15, such as the scenario where the PDU session type is IP. It should be understood that the above steps are only exemplary, and are not strictly limited thereto. In addition, the sequence numbers of the above processes do not mean the execution sequence, and the execution sequence of each process should be determined by the function and the inherent logic of each process, and should not limit the implementation process of the embodiment of the present application.
Based on the above scheme, for the scenario in which the PDU session type is IP, the UPF executes the VN group security group policy; that is, the UPF determines the forwarding rule according to the security group policy and controls packet interworking between communication devices, improving the security of communication between the devices. In addition, because the UPF executes the security group policy itself, the signaling overhead of the UPF querying the SMF for forwarding rules is avoided and data transmission performance is improved.
FIG. 16 is another schematic flow chart diagram of security group policy enforcement suitable for use in another embodiment of the present application.
As shown in FIG. 16, method 1600 is illustrated primarily with the example of interactions between devices, CPE/UE, RAN, AMF, SMF, UDM, DN-AAA, UPF and DN. In method 1600, the first network element is, for example, a UPF, and the second network element is, for example, an SMF. By way of example and not limitation, the method 1600 shown in fig. 16 may be used in a scenario where the PDU session type is Ethernet and the UPF executes the VN group security group policy, that is, the UPF determines the forwarding rule based on the security group policy and completes packet interworking control for the communication devices. The method 1600 shown in fig. 16 may include the following steps.
1610, the SMF creates a 5G VN group session.
For step 1610, reference may be made to the description of step 1510 above, for example, and no further description is provided here.
1620, a UE session under the VN is created.
For step 1620, reference may be made to the description of step 1520 above, for example, and it is not described here.
The UPF may receive messages from different interfaces and the type of message received may be different. The following description will be made in conjunction with different cases.
Case 1: the UPF N3 interface receives an uplink packet whose source MAC address is unknown.
In this case 1, for a VN group whose PDU session type is Ethernet, the UPF receives an uplink packet from the UE on the N3 interface, and the source MAC address of the uplink packet is unknown. In this case, method 1600 may further include steps 1631 to 1633.
1631, the UPF reports a MAC-address-unknown message to the SMF.
For example, the MAC address unknown message may include one or more of the following parameters: DNN, VN group, UE SUPI, source MAC address. The DNN indicates a DNN to which the MAC address belongs. And the VN group represents a VN group to which the MAC address belongs. UE SUPI, indicates the CPE/UE to which the MAC address belongs.
1632, the SMF obtains the security group information to which the MAC address belongs.
After receiving the MAC-address-unknown message reported by the UPF for the N3 interface, the SMF obtains the security group information to which the MAC address belongs.
For example, if the security group information is maintained by the mobile operator network, the SMF interacts with the UDM to obtain the security group information to which the MAC address belongs. For another example, if the security group information is maintained by the DN-AAA, the SMF interacts with the DN-AAA to obtain the security group information to which the MAC address belongs.
After the SMF queries the security group information to which the MAC address belongs, the SMF can issue the security group information to which the MAC address belongs to the UPF.
1633, SMF sends the security group information of MAC address to UPF.
For example, the SMF may send the queried information about the security group to which the MAC address belongs to all UPFs under the VN group. The information may include, but is not limited to, one or more of the following: DNN, the DNN to which the MAC address belongs; VN group, the VN group to which the MAC address belongs; MAC address; security group ID, the security group to which the MAC address belongs; UPF ID, identifying the UPF through which the MAC address is currently accessed; N19 address, the N19 interface address of that UPF.
Case 2: the destination address of the packet received by the UPF is a broadcast address or a multicast address.
In this case 2, if the packet is an uplink packet, method 1600 may further include step 1641.
1641, the UPF processes the message according to the security group information to which the source address belongs.
If the message is an uplink message, the UPF acquires the security group information of the source MAC address, and decides to forward or discard the message according to the strategy configured by the operator. If the UPF fails to obtain the security group information to which the source MAC address belongs, the UPF may discard the message, for example.
In case 2, if the packet is a downlink packet, the method 1600 may further include step 1642.
1642, the UPF processes the message according to the security group information or the operator strategy to which the source address belongs.
If the message is a downlink message, if the operator configures the security group information to which the source MAC address belongs in the downlink tunnel message, the UPF checks the validity of the security group information, and decides to forward or discard the message according to the policy configured by the operator. Otherwise, the UPF does not check the validity of the MAC address of the downlink message source, and decides to forward or discard the message according to the strategy configured by the operator.
Case 3: the source address and the destination address of the packet received by the UPF are both network-side device addresses.
In this case 3, the method 1600 may further include a step 1651.
1651, UPF processes messages according to security group policies between the security group to which the source address belongs and the security group to which the destination address belongs.
The UPF may search for the security group to which the source address belongs and the security group to which the destination address belongs, and process the packet, such as forward or discard the packet, according to the security group policy between the security group to which the source address belongs and the security group to which the destination address belongs.
Case 4: the UPF receives a downlink packet whose destination address is a unicast address and is unknown.
In this case 4, the method 1600 may further include step 1661.
1661, UPF discards the message.
Case 5: the UPF receives an uplink packet whose destination address is a unicast address and is unknown.
In this case 5, method 1600 may also include step 1671.
1671, UPF sends the message to DN.
Illustratively, the packet is sent to the DN network through an N6 interface, and the tunnel packet may carry security group information to which the source address belongs, so that the DN network applies the security policy. Whether the tunnel message carries the security group information to which the source address belongs may be determined by, for example, an operation policy, and is not limited thereto.
Case 6: the source address of the packet received by the UPF is a DN-side address.
In this case 6, method 1600 may also include step 1681.
1681, the UPF processes the packet (forwards or discards it) according to the security group policy between the security group to which the source address belongs and the security group to which the destination address belongs, or according to operator policy.
For example, if the downstream tunnel packet carries security group information corresponding to the source MAC address (e.g., the downstream tunnel packet carries security group information corresponding to the source address according to the operator policy), the UPF may search the security group information corresponding to the destination MAC address, and process the packet according to the security group policy between the security group to which the source MAC address belongs and the security group to which the destination MAC address belongs, e.g., decide to forward or discard the packet.
Or, if the operator policy is that the downlink message is not subjected to security group policy control, the message may also be directly forwarded.
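As an added illustration that is not part of this patent, the following Python model implements the UPF-side decision described in cases 4 to 6 above, together with the general lookup of the source and destination security groups. The MAC addresses, security group names, the policy matrix and the "uplink"/"downlink" packet representation are constructed sample values. Two choices the text leaves to operator policy are modelled as constructor flags (whether N6 tunnel packets carry the source security group, and whether downlink traffic is subject to security group control), and discarding a DN-side packet that carries no security group information is an assumption of this example.

```python
"""UPF-side enforcement of security group policy on Ethernet-type PDU session
traffic, modelled on cases 4 to 6 of method 1600. Added example, not the
patent's code; all addresses, group names and policies are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ALLOW, DENY = "allow", "deny"   # the patent's access-permission / access-prohibition policies


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    direction: str                    # "uplink" (arrived on N3) or "downlink" (arrived on N6)
    src_group: Optional[str] = None   # security group info carried in the N6 tunnel packet, if any


def is_unicast(mac: str) -> bool:
    # the I/G bit (least significant bit of the first octet) is 0 for a unicast address
    return int(mac.split(":")[0], 16) & 1 == 0


class UPF:
    def __init__(self, policy: Dict[Tuple[str, str], str],
                 carry_sg_to_dn: bool = True, control_downlink: bool = True):
        self.policy = policy                      # {(group_a, group_b): ALLOW or DENY}
        self.mac_to_group: Dict[str, str] = {}    # MAC addresses learned on N3 -> security group
        self.carry_sg_to_dn = carry_sg_to_dn      # operator policy: tag N6 tunnel packets with source SG
        self.control_downlink = control_downlink  # operator policy: apply SG policy to downlink

    def learn(self, mac: str, group: str) -> None:
        self.mac_to_group[mac] = group

    def policy_between(self, a: str, b: str) -> str:
        # a pair is stored once; look it up in either order and default to deny (assumption)
        return self.policy.get((a, b), self.policy.get((b, a), DENY))

    def _apply(self, src_group: str, dst_group: str) -> Tuple[str, Optional[str]]:
        ok = self.policy_between(src_group, dst_group) == ALLOW
        return ("forward" if ok else "discard"), None

    def handle(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Decide (action, security group info to put in the N6 tunnel) for one unicast packet."""
        if not is_unicast(pkt.dst_mac):
            raise ValueError("broadcast/multicast destinations are not modelled here")
        src_group = self.mac_to_group.get(pkt.src_mac)
        dst_group = self.mac_to_group.get(pkt.dst_mac)

        if pkt.direction == "downlink":
            if not self.control_downlink:
                return "forward", None         # operator policy: no SG control on downlink
            if dst_group is None:
                return "discard", None         # case 4: unknown unicast destination
            if src_group is None:              # case 6: DN-side source address
                src_group = pkt.src_group      # use the SG info carried in the tunnel packet
                if src_group is None:
                    return "discard", None     # assumption: no SG info for the source, drop
            return self._apply(src_group, dst_group)

        if src_group is None:
            return "discard", None             # assumption: uplink source must already be learned
        if dst_group is None:
            # case 5: unknown unicast destination on uplink, hand over to the DN via N6,
            # tagging the tunnel packet with the source SG when operator policy says so
            return "to_dn", (src_group if self.carry_sg_to_dn else None)
        return self._apply(src_group, dst_group)


def demo() -> dict:
    """Constructed scenario; returns the decision taken for each sample packet."""
    upf = UPF({("SG1", "SG1"): ALLOW, ("SG1", "SG2"): ALLOW, ("SG1", "SG3"): DENY})
    upf.learn("02:00:00:00:00:01", "SG1")
    upf.learn("02:00:00:00:00:02", "SG2")
    upf.learn("02:00:00:00:00:03", "SG3")
    dn_host, unknown = "02:00:00:00:00:aa", "02:00:00:00:00:99"
    return {
        "ul_allowed": upf.handle(Packet("02:00:00:00:00:01", "02:00:00:00:00:02", "uplink")),
        "ul_denied": upf.handle(Packet("02:00:00:00:00:01", "02:00:00:00:00:03", "uplink")),
        "ul_unknown_dst": upf.handle(Packet("02:00:00:00:00:01", unknown, "uplink")),
        "dl_unknown_dst": upf.handle(Packet(dn_host, unknown, "downlink")),
        "dl_dn_src_allowed": upf.handle(Packet(dn_host, "02:00:00:00:00:02", "downlink", "SG1")),
        "dl_dn_src_denied": upf.handle(Packet(dn_host, "02:00:00:00:00:03", "downlink", "SG1")),
        "dl_dn_src_untagged": upf.handle(Packet(dn_host, "02:00:00:00:00:02", "downlink")),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The returned tuple separates the forwarding decision from the security group information that would be placed in the N6 tunnel header, which is only populated for case 5 and only when the operator policy enables it.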
It is to be understood that the above description is intended to be illustrative, and not restrictive. Any scheme by which the UPF can execute the security group policy is applicable to the embodiments of the present application, as long as the scheme can be implemented. It should also be understood that, in actual communication, the flow can be flexibly adjusted according to different communication environments or scenarios.
It should also be understood that, in the scenario illustrated in fig. 16, the source address may be in the form of a MAC address; the terms source address and source MAC address are sometimes used interchangeably and refer to the same thing, namely the source address of the packet. Likewise, in the scenario shown in fig. 16, the destination address may be in the form of a MAC address; the terms destination address and destination MAC address are sometimes used interchangeably and both refer to the destination address of the packet.
One possible flow in which the UPF executes the security group policy is described above in connection with steps 1610-1681 shown in fig. 16, for example for the scenario where the PDU session type is Ethernet. It should be understood that the above steps are only exemplary and are not strictly limited thereto. In addition, the sequence numbers of the above processes do not imply an execution order; the execution order of each process should be determined by its function and inherent logic, and should not limit the implementation of the embodiments of the present application.
Based on the above scheme, for the scenario in which the PDU session type is IP, the security group policy of the VN group is executed by the UPF; that is, the UPF determines the forwarding rule according to the security group policy and controls packet interworking between the communication devices, thereby improving the security of communication between devices. In addition, because the UPF executes the security group policy, the signaling overhead of the UPF querying the SMF for the forwarding rule is saved, and the data transmission performance is improved.
A possible flow of security group policy enforcement applicable to embodiments of the present application is described above in conjunction with fig. 13-16. An exemplary flow for security group updates for embodiments of the present application is described below in conjunction with fig. 17 and 18.
FIG. 17 is a schematic flow diagram of security group updates suitable for use with embodiments of the present application.
As shown in fig. 17, the method 1700 is mainly illustrated by the interaction between the device, CPE/UE, RAN, AMF, SMF, UDM, UPF. By way of example and not limitation, the method 1700 shown in fig. 17 may be used for a flow of forwarding rule aging corresponding to UPF security group policies.
The flow of aging UPF forwarding rules is described below in conjunction with possible conditions that trigger deletion of forwarding rules (e.g., forwarding rules corresponding to security group policies).
Condition 1: the CPE/UE session is released, which triggers deletion of all forwarding rules corresponding to the CPE/UE.
Based on this condition 1, the method 1700 may include steps 1711-1713.
1711, the CPE/UE requests the SMF to release the CPE/UE session.
1712, the SMF sends a forwarding rule deletion indication to the UPF, instructing the UPF to delete the forwarding rules corresponding to the CPE/UE.
For example, the SMF may issue a forwarding rule deletion indication to all UPFs in the VN group, instructing the UPFs to delete all forwarding rules corresponding to all MAC/IP addresses of the CPE/UE. For example, the forwarding rule deletion indication issued by the SMF to the UPF may be used to instruct the UPF to delete the security groups corresponding to all MAC/IP addresses of the CPE/UE. After receiving the indication, the UPF may delete all forwarding rules corresponding to all MAC/IP addresses of the CPE/UE.
1713, the CPE/UE session release is completed.
It should be understood that the above is only an exemplary illustration, and the embodiments of the present application are not limited to the specific manner of releasing the CPE/UE session. For example, reference may be made to the existing manner, or any manner that may be implemented to release a CPE/UE session in the future may be applied to the embodiments of the present application.
Condition 2: a MAC address learned by the UPF is aged, which triggers deletion of all forwarding rules corresponding to that MAC address.
For the scenario in which the PDU session type is Ethernet, MAC address aging may be triggered by expiry of the aging time of a MAC address learned by the UPF. Based on this condition 2, the method 1700 may include steps 1721-1723.
1721, expiry of the MAC address aging time triggers the UPF to age the learned MAC address.
The embodiments of the present application do not strictly limit the aging time of a MAC address. For example, the aging time of a MAC address may be configured by the operator. For another example, the aging times corresponding to different MAC addresses may be the same or different, and this is not limited.
1722, the UPF deletes all forwarding rules corresponding to the aged MAC address.
1723, the UPF reports a MAC address aging message to the SMF.
The content of the MAC address aging message is described below in combination with two cases.
Case 1: the aged MAC address originates from the N3 interface of the UPF.
In this case, the MAC address aging message reported by the UPF to the SMF may include one or more of the following information: DNN, VN group, aged MAC address, N3 interface. The DNN indicates the DNN to which the aged MAC address belongs. The VN group indicates the VN group to which the aged MAC address belongs. The N3 interface indicates that the MAC address originates from the N3 interface.
In this case 1, the method 1700 may further include step 17231.
17231, the SMF releases the association between the MAC address and the CPE/UE session and the association between the MAC address and the UPF.
After receiving the MAC address aging message reported by the UPF, the SMF may use the MAC address to index the CPE/UE session associated with it, and may release the association between the MAC address and the CPE/UE session and between the MAC address and the UPF.
Case 2: the aged MAC address originates from the N6 interface of the UPF.
In this case, the MAC address aging message reported by the UPF to the SMF may include one or more of the following information: DNN, VN group, aged MAC address, N6 interface. The DNN indicates the DNN to which the aged MAC address belongs. The VN group indicates the VN group to which the aged MAC address belongs. The N6 interface indicates that the MAC address originates from the N6 interface.
In this case 2, the method 1700 may further include step 17232.
17232, the SMF releases the association between the MAC address and the DNN and group session.
After receiving the MAC address aging message reported by the UPF, the SMF may use the MAC address to index the VN group session associated with it, and release the association between the MAC address and the DNN and group session.
Condition 3: the SMF proactively deletes forwarding rules.
The triggering condition for the SMF to delete forwarding rules is not limited. For example, the SMF may periodically and proactively delete forwarding rules.
Based on this condition 3, the method 1700 may include step 1731.
1731, the SMF sends a MAC/IP address forwarding rule deletion indication to the UPF, instructing the UPF to delete all forwarding rules of the specified MAC/IP address.
For example, the SMF may issue a specified MAC/IP address forwarding rule deletion indication to all UPFs in the VN group, instructing the UPFs to delete all forwarding rules of the specified MAC/IP address. For example, the indication may carry the MAC/IP identification of the MAC/IP address whose forwarding rules are to be deleted.
It is to be understood that the above description is intended to be illustrative, and not restrictive.
By way of example and not limitation, the above-described method 1700 may be used in a scenario where the SMF enforces security group policies. For example, the method 1700 may be used in conjunction with the method 1300 (or the method 1400): the SMF may enforce security group policies according to the scheme described in the method 1300 (or the method 1400), and the SMF or the UPF may delete aged forwarding rules (for example, the forwarding rules that the SMF formulates on the basis of the security group policies) in a timely manner according to the scheme described in the method 1700.
It should be understood that the above steps are only exemplary, and are not strictly limited thereto. In addition, the sequence numbers of the above processes do not mean the execution sequence, and the execution sequence of each process should be determined by the function and the inherent logic of each process, and should not limit the implementation process of the embodiment of the present application.
Based on the scheme, after forwarding rules are aged (for example, forwarding rules corresponding to security group policies are aged), the aged forwarding rules can be deleted in time. This not only saves storage space and improves resource utilization, but also allows the forwarding rules (for example, the security group policies) to be updated in time, improving communication performance.
FIG. 18 is another schematic flow diagram of security group updates suitable for use with embodiments of the present application.
As shown in fig. 18, the method 1800 is illustrated primarily by the interactions between the device, CPE/UE, RAN, AMF, SMF, UDM and UPF. By way of example and not limitation, the method 1800 shown in fig. 18 may be used for the flow in which the UPF ages the security group to which a device belongs.
The flow in which the UPF ages the security group to which a device belongs is described below in connection with possible conditions that trigger deletion of the security group.
Condition 1: the CPE/UE session is released, which triggers deletion of the security group information corresponding to the CPE/UE.
Based on this condition 1, method 1800 may include steps 1811-1813.
1811, the CPE/UE requests the SMF to release the CPE/UE session.
1812, the SMF sends a security group information deletion indication to the UPF, instructing the UPF to delete the security group information corresponding to the CPE/UE.
For example, the SMF may issue a security group information deletion indication to all UPFs in the VN group, instructing the UPFs to delete the security group information corresponding to all MAC/IP addresses of the CPE/UE.
1813, the CPE/UE session release is completed.
It should be understood that the foregoing is only an exemplary illustration, and the embodiments of the present application are not limited in terms of the specific manner of releasing the CPE/UE session. For example, reference may be made to the existing manner, or any manner that may implement CPE/UE session release in the future may be applied to the embodiments of the present application.
Condition 2: a MAC address learned by the UPF is aged, which triggers deletion of the security group information to which that MAC address belongs.
For the scenario in which the PDU session type is Ethernet, MAC address aging may be triggered by expiry of the aging time of a MAC address learned by the UPF. Based on this condition 2, the method 1800 may include steps 1821-1824.
1821, expiry of the MAC address aging time triggers the UPF to age the learned MAC address.
In one possible implementation, the UPF may age the learned MAC address, for example, by deleting information associated with the MAC address, such as deleting a forwarding rule corresponding to the MAC address.
The embodiment of the present application is not strictly limited with respect to the aging time of the MAC address. For example, the aging time of the MAC address may be configured by the operator. For another example, the aging times corresponding to different MAC addresses may be the same or different, and this is not limited.
1822, the UPF reports a MAC address aging message to the SMF.
The MAC address aging message reported by the UPF to the SMF may include one or more of the following information: DNN, VN group, aged MAC address, UE SUPI. The DNN indicates the DNN to which the aged MAC address belongs. The VN group indicates the VN group to which the aged MAC address belongs. The UE SUPI indicates the UE session to which the aged MAC address belongs.
1823, the SMF issues to the UPF information indicating deletion of the security group information of the MAC address.
After receiving the indication, the UPF may delete the security group information to which the MAC address belongs according to the indication.
For example, after receiving the MAC address aging message reported by the UPF, the SMF may issue, to all UPFs in the VN group, information indicating deletion of the security group information to which the MAC address belongs, where the information instructs the UPFs to delete the security group information to which the specified MAC address belongs.
It is to be understood that the above description is intended to be illustrative, and not restrictive.
By way of example and not limitation, the above-described method 1800 may be used in scenarios where the UPF enforces security group policies. For example, the method 1800 may be used in conjunction with the method 1500 (or the method 1600): the UPF may enforce security group policies according to the scheme described in the method 1500 (or the method 1600), and the SMF or the UPF may age security group information in a timely manner according to the scheme described in the method 1800.
It should be understood that the above steps are only exemplary, and are not strictly limited thereto. In addition, the sequence numbers of the above processes do not mean the execution sequence, and the execution sequence of each process should be determined by the function and the inherent logic of each process, and should not limit the implementation process of the embodiment of the present application.
Based on the scheme, after the security group information is aged (such as the security group information corresponding to the MAC address or the IP address is aged), the aged security group information can be deleted in time, so that the storage space can be saved, the resource utilization rate can be improved, the security group information can be updated in time, and the communication performance can be improved.
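The following Python model is an added illustration, not code from the patent, of the aging flows of both the method 1700 (forwarding rules, fig. 17) and the method 1800 (security group information, fig. 18): the UPF keeps learned MAC addresses with an aging timer and an N3/N6 origin, ages them on expiry, deletes their forwarding rules and reports the aging message (DNN, VN group, MAC address, interface, SUPI) to the SMF; the SMF releases the associations of steps 17231/17232, instructs every UPF in the VN group to delete the security group information (step 1823), and also drives the session-release (condition 1) and proactive-deletion (condition 3) triggers. The SUPIs, DNN, VN group identifier, MAC addresses, rule identifiers and the aging time of 300 seconds are constructed sample values; treating the last-seen time as the start of the aging timer is an assumption of this example.

```python
"""Aging of forwarding rules (method 1700) and security group information
(method 1800) on a UPF, with the SMF side of the exchange. Added example, not
the patent's code; all identifiers and timing values are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# MAC address aging message (steps 1723 / 1822); interface is "N3" or "N6"
AgingReport = namedtuple("AgingReport", "dnn vn_group mac interface supi")


@dataclass
class MacEntry:
    interface: str          # "N3" (learned from the access side) or "N6" (learned from the DN)
    supi: Optional[str]     # CPE/UE session the address belongs to; None for N6 addresses
    last_seen: float        # assumption: the aging timer restarts at the last traffic seen


class UPF:
    def __init__(self, dnn: str, vn_group: str, aging_time: float):
        self.dnn, self.vn_group, self.aging_time = dnn, vn_group, aging_time
        self.learned: Dict[str, MacEntry] = {}   # learned MAC addresses and their aging state
        self.rules: Dict[str, Set[str]] = {}     # MAC -> ids of the forwarding rules for it
        self.groups: Dict[str, str] = {}         # MAC -> security group information

    def learn(self, mac, group, interface, now, supi=None, rules=()):
        self.learned[mac] = MacEntry(interface, supi, now)
        self.groups[mac], self.rules[mac] = group, set(rules)

    def refresh(self, mac, now):                 # traffic seen: restart the aging timer
        if mac in self.learned:
            self.learned[mac].last_seen = now

    def delete_rules(self, mac):                 # steps 1712 / 1722 / 1731
        self.rules.pop(mac, None)

    def delete_group_info(self, mac):            # steps 1812 / 1823
        self.groups.pop(mac, None)

    def macs_of_session(self, supi) -> List[str]:
        return [m for m, e in self.learned.items() if e.supi == supi]

    def tick(self, now) -> List[AgingReport]:
        """Age expired MACs (1721), delete their rules (1722), report them (1723 / 1822)."""
        reports = []
        for mac, e in list(self.learned.items()):
            if now - e.last_seen >= self.aging_time:
                del self.learned[mac]
                self.delete_rules(mac)
                reports.append(AgingReport(self.dnn, self.vn_group, mac, e.interface, e.supi))
        return reports


class SMF:
    def __init__(self, upfs: List[UPF]):
        self.upfs = upfs                           # all UPFs of the VN group
        self.mac_to_session: Dict[str, str] = {}   # N3-side MAC -> CPE/UE session (SUPI)
        self.mac_to_upf: Dict[str, UPF] = {}       # N3-side MAC -> UPF that learned it
        self.group_session_macs: Set[str] = set()  # N6-side MACs tied to the DNN / group session

    def on_mac_learned(self, mac, upf, interface, supi=None):
        if interface == "N3":
            self.mac_to_session[mac], self.mac_to_upf[mac] = supi, upf
        else:
            self.group_session_macs.add(mac)

    def release_session(self, supi):               # condition 1: 1711-1713 / 1811-1813
        for mac in [m for m, s in self.mac_to_session.items() if s == supi]:
            del self.mac_to_session[mac]
            self.mac_to_upf.pop(mac, None)
        for upf in self.upfs:                      # 1712 / 1812 go to every UPF in the group
            for mac in upf.macs_of_session(supi):
                upf.delete_rules(mac)
                upf.delete_group_info(mac)
                del upf.learned[mac]

    def on_aging_report(self, rep: AgingReport):   # condition 2
        if rep.interface == "N3":                  # 17231: MAC <-> CPE/UE session, MAC <-> UPF
            self.mac_to_session.pop(rep.mac, None)
            self.mac_to_upf.pop(rep.mac, None)
        else:                                      # 17232: MAC <-> DNN and group session
            self.group_session_macs.discard(rep.mac)
        for upf in self.upfs:                      # 1823: delete SG info for the MAC group-wide
            upf.delete_group_info(rep.mac)

    def delete_forwarding_rules(self, mac):        # condition 3: 1731 to every UPF in the group
        for upf in self.upfs:
            upf.delete_rules(mac)


def demo() -> dict:
    """Constructed scenario exercising all three trigger conditions; returns the end state."""
    upf = UPF("dnn.example", "vn-group-1", aging_time=300)
    smf = SMF([upf])
    upf.learn("02:00:00:00:00:01", "SG1", "N3", now=0, supi="imsi-001", rules={"pdr-1", "far-1"})
    upf.learn("02:00:00:00:00:02", "SG2", "N3", now=0, supi="imsi-002", rules={"pdr-2"})
    upf.learn("02:00:00:00:00:03", "SG3", "N3", now=0, supi="imsi-003", rules={"pdr-3"})
    upf.learn("02:00:00:00:00:aa", "SG-DN", "N6", now=0, rules={"pdr-aa"})
    for mac, e in upf.learned.items():
        smf.on_mac_learned(mac, upf, e.interface, e.supi)
    smf.release_session("imsi-002")                   # condition 1
    upf.refresh("02:00:00:00:00:01", now=200)         # 01 and 03 stay active, aa goes quiet
    upf.refresh("02:00:00:00:00:03", now=200)
    reports = upf.tick(now=310)                       # condition 2: only aa has aged
    for rep in reports:
        smf.on_aging_report(rep)
    smf.delete_forwarding_rules("02:00:00:00:00:01")  # condition 3
    return {"rules": upf.rules, "groups": upf.groups, "learned": sorted(upf.learned),
            "reports": [(r.mac, r.interface, r.supi) for r in reports],
            "sessions": smf.mac_to_session, "dn_macs": smf.group_session_macs}


if __name__ == "__main__":
    print(demo())
```

Note that condition 3 only removes forwarding rules: in the end state the security group information of the proactively cleared address remains, while the aged N6-side address has lost both its rules and its group information.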
It should be understood that some embodiments refer to particular message names, for example a forwarding-rule-unknown message, and these names do not limit the scope of protection of the embodiments of the present application.
It should also be understood that, in some of the above embodiments, the example is mainly given by taking the communication policy including the access permission and the access prohibition as an example, and it should be understood that other forms of communication policies are applicable to the embodiments of the present application.
It should also be appreciated that in some embodiments described above, reference is made multiple times to enforcing security group policies, which means determining forwarding rules based on communication policies between security groups, or otherwise considering security group policies in formulating forwarding rules.
It should also be understood that, in some embodiments described above, the security group is mainly defined for the 5G VN group as an example, and it should be understood that other VN groups, such as the VN group under the 6G architecture, may also use the security group-based secure communication provided by the present application.
It should be further understood that, in some embodiments described above, the SMF or the UPF formulating the forwarding rule according to the communication policy between the security groups after receiving the service data is mainly used as an example, but this is not limiting; any scheme that executes forwarding rules through the communication policy between security groups is applicable to the embodiments of the present application.
In a possible implementation, after obtaining the information of the security groups, the SMF may formulate forwarding rules for the UE, that is, rules for how to forward (or discard) data between the UE and other group members, or between the UE and UEs corresponding to other security groups. For example, after acquiring the information of the security groups, the SMF generates forwarding rules (such as a PDR and a FAR) according to the communication policies between the security group where the UE is located and the other security groups, and sends the formulated forwarding rules (such as the PDR and the FAR) to the UPF, so that the UPF can forward data according to these forwarding rules. A specific example is briefly given below, taking the UE, SMF and UPF as an example.
The SMF receives a session establishment request from UE1, including the identity of the VN group. Assume that UE1 is a device in the first security group in the VN group. The SMF formulates forwarding rules for the UE1 according to communication strategies between the first security group and other security groups in the VN group, and sends the forwarding rules formulated for the UE1 to the UPF.
As one possible scenario, the communication policy between the first security group and the second security group is to allow communication. In this case, the forwarding rule is used to indicate a forwarding path of the first data. The first data is data interacted between the UE1 and the UE2, wherein the UE1 belongs to a first security group, and the UE2 is any one VN group member belonging to a second security group.
Yet another possible scenario is where the communication policy between the first security group and the second security group is to prohibit communications. In this case, the forwarding rule is used to indicate that the first data is discarded. The first data is data interacted between the UE1 and the UE2, wherein the UE1 belongs to a first security group, the UE2 belongs to any member of a second security group, and the UE2 and the UE1 both belong to the same VN group.
After receiving the data sent by the UE1, the UPF may perform data forwarding according to a forwarding rule corresponding to the UE 1.
As one possible scenario, the communication policy between the first security group and the second security group is to allow communication. In this case, the UPF may forward the data according to the forwarding path indicated by the forwarding rule.
Yet another possible scenario is where the communication policy between the first security group and the second security group is to disallow communication. In this case, the UPF may discard or ignore data sent by UE1 to UE2 according to the forwarding rule.
It should be appreciated that the above is merely exemplary, and in particular, reference may be made to the above description as to how the SMF formulates forwarding rules based on communication policies between security groups, and so on.
It will also be appreciated that the above-described scheme may be used alone, or in combination with any of the schemes shown in fig. 9 to fig. 18.
As an example, the above-mentioned solution is used in combination with the solution shown in fig. 13. The SMF may formulate a forwarding rule for the UE and send the forwarding rule to the UPF. After receiving the data sent by the UE, the UPF may perform rule matching based on the source address and the destination address of the data packet, and if the matching fails, may execute the scheme of step 1330a in method 1300; in case the matching is successful, the scheme of step 1330b in method 1300, i.e. processing the data based on the forwarding rules, may be performed.
As another example, the above-described scheme is used in combination with the scheme shown in fig. 15 as an example. The SMF may formulate a forwarding rule for the UE and send the forwarding rule to the UPF. After receiving the data sent by the UE, the UPF may perform rule matching based on the source address and the destination address of the data packet, and when the matching fails, determine how to process the data based on the communication policy between the security groups corresponding to the source address and the destination address of the data based on the scheme of the method 1500.
As a further example, the above-described scheme is used in combination with the scheme shown in fig. 17 or fig. 18. The SMF may formulate a forwarding rule for the UE and send the forwarding rule to the UPF. After receiving the data sent by the UE, the UPF may perform rule matching based on the source address and the destination address of the data packet, and the security groups may also be updated in time based on the scheme shown in the method 1700 or the method 1800.
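The UE1/UE2 example above and its combination with the method 1300 (rule matching on the UPF with a forwarding-rule-unknown fallback) are illustrated by the following Python model, which is an added example and not code from the patent. The SMF formulates, at session establishment, one rule per direction between the UE and every other member of the VN group from the communication policy between their security groups, and the UPF matches incoming flows on (source, destination); when no rule matches (step 1330a) the UPF asks the SMF, installs the returned rule and then processes the data by it (step 1330b). The addresses, group names, policy matrix and the simplified PDR/FAR fields are constructed for illustration and are not 3GPP-exact; dropping a flow whose endpoint is outside the VN group is an assumption of this example.

```python
"""SMF-formulated forwarding rules (PDR/FAR) from security group policy, and
UPF rule matching with a forwarding-rule-unknown fallback. Added example, not
the patent's code; addresses, groups and rule fields are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class PDR:                 # packet detection rule: the flow a rule matches
    src: str
    dst: str


@dataclass(frozen=True)
class FAR:                 # forwarding action rule: forward along a path, or drop
    action: str            # "forward" or "drop"
    path: Optional[str] = None


class SMF:
    def __init__(self, members: Dict[str, str], policy: Dict[Tuple[str, str], str]):
        self.members = members   # UE address -> security group (all in the same VN group)
        self.policy = policy     # unordered pair of security groups -> ALLOW / DENY

    def policy_between(self, a: str, b: str) -> str:
        # assumption: a pair without a configured policy is treated as prohibited
        return self.policy.get((a, b), self.policy.get((b, a), DENY))

    def far_for(self, src: str, dst: str) -> Optional[FAR]:
        """FAR for one flow, or None if either endpoint is not a VN group member."""
        if src not in self.members or dst not in self.members:
            return None
        if self.policy_between(self.members[src], self.members[dst]) == ALLOW:
            return FAR("forward", path=f"to:{dst}")   # constructed path label
        return FAR("drop")

    def rules_for_ue(self, ue: str) -> List[Tuple[PDR, FAR]]:
        """Rules formulated at session establishment for data between the UE and every other member."""
        rules = []
        for peer in self.members:
            if peer != ue:
                rules.append((PDR(ue, peer), self.far_for(ue, peer)))
                rules.append((PDR(peer, ue), self.far_for(peer, ue)))
        return rules


class UPF:
    def __init__(self, smf: SMF):
        self.smf = smf
        self.rules: Dict[PDR, FAR] = {}
        self.unknown_reports = 0     # forwarding-rule-unknown messages sent to the SMF

    def install(self, rules: List[Tuple[PDR, FAR]]) -> None:
        self.rules.update(dict(rules))

    def process(self, src: str, dst: str) -> str:
        far = self.rules.get(PDR(src, dst))
        if far is None:
            # no match (step 1330a): report source/destination to the SMF, which
            # formulates the rule from the security group policy and returns it
            self.unknown_reports += 1
            far = self.smf.far_for(src, dst)
            if far is None:
                return "drop"        # assumption: endpoints outside the VN group are dropped
            self.rules[PDR(src, dst)] = far
        return far.action            # match (step 1330b): process the data by the rule


def demo() -> dict:
    """Constructed scenario: UE1 in SG1, UE2 in SG2, UE3 in SG3 of one VN group."""
    smf = SMF({"10.0.0.1": "SG1", "10.0.0.2": "SG2", "10.0.0.3": "SG3"},
              {("SG1", "SG2"): ALLOW, ("SG1", "SG3"): DENY, ("SG2", "SG3"): ALLOW})
    upf = UPF(smf)
    upf.install(smf.rules_for_ue("10.0.0.1"))             # UE1 session establishment
    out = {
        "ue1_to_ue2": upf.process("10.0.0.1", "10.0.0.2"),        # allowed, rule pre-installed
        "ue1_to_ue3": upf.process("10.0.0.1", "10.0.0.3"),        # prohibited, rule pre-installed
        "ue2_to_ue3": upf.process("10.0.0.2", "10.0.0.3"),        # no rule yet: ask SMF, forward
        "ue2_to_ue3_again": upf.process("10.0.0.2", "10.0.0.3"),  # served from the installed rule
        "ue1_to_outsider": upf.process("10.0.0.1", "192.0.2.9"),
    }
    out["rules_for_ue1"] = len(smf.rules_for_ue("10.0.0.1"))
    out["unknown_reports"] = upf.unknown_reports
    return out


if __name__ == "__main__":
    print(demo())
```

Because the rule is installed after the first forwarding-rule-unknown exchange, the second UE2-to-UE3 flow is served locally, which is the signalling saving the text attributes to formulating rules once and caching them on the UPF.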
The various embodiments described herein may be implemented as stand-alone solutions or combined in accordance with inherent logic and are intended to fall within the scope of the present application.
It is to be understood that, in the foregoing method embodiments, the method and operations implemented by the terminal device may also be implemented by a component (e.g., a chip or a circuit) usable in the terminal device, and the method and operations implemented by a network device (e.g., a core network element) may also be implemented by a component (e.g., a chip or a circuit) usable in the network device.
The method provided by the embodiments of the present application is described in detail above with reference to fig. 9 to fig. 18. Hereinafter, the apparatus for secure communication according to the embodiments of the present application is described in detail with reference to fig. 19 to fig. 21. It should be understood that the description of the apparatus embodiments corresponds to the description of the method embodiments; therefore, for brevity, details are not repeated here, and details not described may be found in the above method embodiments.
Fig. 19 is a schematic block diagram of a device for secure communication provided by an embodiment of the present application. The apparatus 1900 includes a transceiving unit 1910 and a processing unit 1920. The transceiving unit 1910 can implement corresponding communication functions, and the processing unit 1920 is configured to perform data processing. The transceiving unit 1910 may also be referred to as a communication interface or a communication unit.
Optionally, the apparatus 1900 may further include a storage unit, which may be used to store instructions and/or data, and the processing unit 1920 may read the instructions and/or data in the storage unit, so as to enable the apparatus to implement the foregoing method embodiments.
The apparatus 1900 may be configured to perform the actions performed by the network device in the foregoing method embodiments. In this case, the apparatus 1900 may be a network device or a component that can be configured in the network device; the transceiving unit 1910 is configured to perform the transceiving-related operations on the network device side in the foregoing method embodiments, and the processing unit 1920 is configured to perform the processing-related operations on the network device side in the foregoing method embodiments.
In a possible implementation manner, the transceiver unit 1910 is configured to receive information of service data sent by a first communications device to a second communications device; the transceiving unit 1910 is further configured to obtain a communication policy between a first security group and a second security group, where the first security group is a security group corresponding to the first communication device, and the second security group is a security group corresponding to the second communication device; the processing unit 1920 is configured to formulate a forwarding rule for the service data according to a communication policy between the first security group and the second security group; the first communication device and the second communication device are devices in the same virtual network VN group, the VN group comprises a plurality of security groups, and the plurality of security groups comprise a first security group and a second security group.
An example is that the communication policy between the first security group and the second security group is to allow communication or the communication policy between the first security group and the second security group is to disallow communication.
In yet another example, the first network element is a session management function network element.
As yet another example, in a case where the communication policy between the first security group and the second security group is to allow communication, the forwarding rule is used to indicate a forwarding path of the service data; or, in a case where the communication policy between the first security group and the second security group is to prohibit communication, the forwarding rule is used to indicate that the service data is to be discarded.
For another example, the transceiving unit 1910 is specifically configured to receive a forwarding-rule-unknown message from a second network element, where the forwarding-rule-unknown message includes source address information and destination address information of the service data, the source address corresponds to the first security group, and the destination address corresponds to the second security group; the processing unit 1920 is specifically configured to formulate a forwarding rule for the service data according to the communication policy between the first security group corresponding to the source address and the second security group corresponding to the destination address; and the transceiving unit 1910 is further configured to send the forwarding rule to the second network element.
For another example, the transceiving unit 1910 is further configured to send first indication information to the second network element, where the first indication information is used to instruct the second network element to report that a forwarding rule is unknown.
For another example, the transceiving unit 1910 is further configured to send second indication information to the second network element, where the second indication information is used to indicate deletion of the forwarding rule.
For another example, the transceiving unit 1910 is specifically configured to send the second indication information to the second network element when it is determined that the session of the first communication device is released or that an address related to the forwarding rule is aged.
In yet another example, the second network element is a user plane function network element.
In yet another example, the first network element is a user plane function network element.
For another example, the transceiving unit 1910 is further configured to: receiving information from a plurality of security groups of a second network element, the information of the plurality of security groups comprising: information of communication policies between any two of the plurality of security groups.
For another example, the transceiving unit 1910 is specifically configured to: receiving service data sent to second communication equipment by first communication equipment; when it is determined that the first communication device belongs to a communication device corresponding to a first security group in the VN group and the second communication device belongs to a communication device corresponding to a second security group in the VN group, a communication policy between the first security group and the second security group is acquired from information of the plurality of security groups.
For another example, in a case that the communication policy between the first security group and the second security group is to allow communication, the forwarding rule is used to indicate a forwarding path of the traffic data, and the transceiving unit 1910 is further configured to: forwarding the service data according to the forwarding path of the service data indicated by the forwarding rule; or, in a case that the communication policy between the first security group and the second security group is to prohibit communication, the forwarding rule is used to instruct to discard the traffic data, and the processing unit 1920 is configured to discard the traffic data according to the forwarding rule.
For another example, the transceiving unit 1910 is further configured to send third indication information to the second network element, where the third indication information is used to indicate that an address related to the forwarding rule is aged.
For another example, the transceiving unit 1910 is further configured to: and receiving fourth indication information from the second network element, wherein the fourth indication information is used for indicating deletion of the forwarding rule.
In yet another example, the second network element is a session management function network element.
For yet another example, each security group includes one or more of the following information: the data network corresponding to the security group, the external identifier of the VN group to which the security group belongs, the identifier of the security group, the name of the security group, the communication device corresponding to the security group, and the communication policy between the security group and another security group in the plurality of security groups in the VN group.
The apparatus 1900 may implement the steps or the flow corresponding to the steps executed by the network device (e.g., the core network element SMF or UPF) in the method embodiment according to the embodiment of the present application, and the apparatus 1900 may include a unit for executing the method executed by the network device (e.g., the core network element SMF or UPF) in fig. 9, fig. 13 to fig. 18. Also, the units and other operations and/or functions in the apparatus 1900 are respectively for implementing corresponding flows of the method embodiments of the network device (such as the core network element SMF or UPF) in fig. 9, fig. 13 to fig. 18.
It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
In yet another possible implementation, the transceiving unit 1910 is configured to receive a first request message from a fourth network element, where the first request message is used to request creation of security groups for a virtual network VN group; the processing unit 1920 is configured to create a plurality of security groups for the VN group based on the first request message; the VN group includes the plurality of security groups, each security group corresponds to one or more communication devices, the plurality of security groups includes a first security group, and a communication policy is set between the first security group and each other security group of the plurality of security groups, the communication policy being used to control communication between the communication device corresponding to the first security group and the communication devices corresponding to the other security groups.
In one example, the communication policy between the first security group and the second security group is to allow communication, or the communication policy between the first security group and the second security group is to prohibit communication.
For yet another example, the first request message includes one or more of the following information: the external identifier of the VN group to which the security group to be created belongs, the data network corresponding to the security group to be created, the identifier of the security group to be created, the name of the security group to be created, and the communication policy between the security groups to be created.
For another example, the first request message includes a communication policy between security groups to be created, and the processing unit 1920 is specifically configured to set the communication policy for the security group to be created according to the communication policy between security groups to be created, where the communication policy is to allow communication or prohibit communication.
For yet another example, the transceiving unit 1910 is further configured to receive a second request message from a fourth network element, the second request message requesting to add one or more communication devices for the first security group.
For yet another example, the second request message includes one or more of the following information: the data network corresponding to the first security group, the external identifier of the VN group to which the first security group belongs, the identifier of the first security group, the name of the first security group, and the information of one or more communication devices to be added.
For yet another example, each security group includes one or more of the following: the data network corresponding to the security group, the external identifier of the VN group to which the security group belongs, the identifier of the security group, the name of the security group, the communication device corresponding to the security group, and the communication policy between the security group and another security group of the plurality of security groups of the VN group.
In another example, the apparatus 1900 is a capability openness function network element, and the fourth network element is an application function network element.
The apparatus 1900 may implement the steps or the flow corresponding to the steps executed by the network device (e.g., the third network element) in the method embodiment according to the embodiment of the present application, and the apparatus 1900 may include units for executing the methods executed by the network device (e.g., the third network element) in fig. 10, fig. 11, and fig. 12. Also, the units and other operations and/or functions in the apparatus 1900 are respectively for implementing corresponding flows of the method embodiments of the network device in fig. 10, fig. 11, and fig. 12.
It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments and are not described here again for brevity.
The processing unit 1920 in the above embodiments may be implemented by at least one processor or processor-related circuits. The transceiving unit 1910 may be implemented by a transceiver or transceiver-related circuitry. The storage unit may be implemented by at least one memory.
As shown in fig. 20, an embodiment of the present application further provides an apparatus 2000 for secure communication. The apparatus 2000 comprises a processor 2010, the processor 2010 is coupled to a memory 2020, the memory 2020 is adapted to store computer programs or instructions and/or data, and the processor 2010 is adapted to execute the computer programs or instructions and/or data stored in the memory 2020 such that the method in the above method embodiments is performed.
Optionally, the apparatus 2000 includes one or more processors 2010.
Optionally, as shown in fig. 20, the apparatus 2000 may further include a memory 2020.
Optionally, the apparatus 2000 may include one or more memories 2020.
Alternatively, the memory 2020 may be integrated with the processor 2010 or provided separately.
Optionally, as shown in fig. 20, the apparatus 2000 may further include a transceiver 2030, and the transceiver 2030 is used for receiving and/or transmitting signals. For example, processor 2010 is configured to control transceiver 2030 to receive and/or transmit signals.
In one approach, the apparatus 2000 is configured to implement the operations performed by the network device in the foregoing method embodiments.
For example, the processor 2010 is configured to implement processing-related operations performed by the SMF in the above method embodiments, and the transceiver 2030 is configured to implement transceiving-related operations performed by the SMF in the above method embodiments.
As another example, processor 2010 is configured to implement the processing-related operations performed by the UPF in the above method embodiments, and transceiver 2030 is configured to implement the transceiving-related operations performed by the UPF in the above method embodiments.
As another example, processor 2010 is configured to implement the processing-related operations performed by the AF in the above method embodiments, and transceiver 2030 is configured to implement the transceiving-related operations performed by the AF in the above method embodiments.
As another example, processor 2010 is configured to implement the processing-related operations performed by the NEF in the above method embodiments, and transceiver 2030 is configured to implement the transceiving-related operations performed by the NEF in the above method embodiments.
The embodiment of the present application further provides a communication apparatus 2100, where the communication apparatus 2100 may be a network device or a chip. The communications apparatus 2100 may be used to perform the operations performed by the network device in the method embodiments described above.
When the communication apparatus 2100 is a network device, a simplified schematic diagram of the network device is shown in fig. 21. The network device includes a part 2110 and a part 2120. Part 2110 is mainly used for transceiving radio frequency signals and converting between radio frequency signals and baseband signals; part 2120 is mainly used for baseband processing, control of the network device, and the like. Part 2110 may generally be referred to as a transceiver unit, a transceiver, transceiving circuitry, or the like. Part 2120 is typically the control center of the network device and may generally be referred to as a processing unit, for controlling the network device to perform the processing operations in the above-described method embodiments.
The transceiver unit of part 2110, which may also be referred to as a transceiver, includes an antenna and a radio frequency circuit, where the radio frequency circuit is mainly used for radio frequency processing. Alternatively, the device implementing the receiving function in part 2110 may be regarded as a receiving unit, and the device implementing the transmitting function may be regarded as a transmitting unit, that is, part 2110 includes a receiving unit and a transmitting unit. The receiving unit may also be referred to as a receiver, a receiving circuit, or the like, and the transmitting unit may be referred to as a transmitter, a transmitting circuit, or the like.
Part 2120 may include one or more boards, each of which may include one or more processors and one or more memories. The processor is used to read and execute programs in the memory to implement baseband processing functions and control of the base station. If there are multiple boards, they can be interconnected to enhance processing capability. As an optional implementation, multiple boards may also share one or more processors, or multiple boards may share one or more memories, or multiple boards may simultaneously share one or more processors.
It should be understood that fig. 21 is merely an example and not a limitation, and the network device including the transceiving unit and the processing unit described above may not depend on the structure shown in fig. 21.
When the apparatus 2100 is a chip, the chip includes a transceiver unit and a processing unit. The transceiver unit may be an input/output circuit or a communication interface; the processing unit is a processor, a microprocessor, or an integrated circuit integrated on the chip. Of course, the apparatus 2100 may also be a chip system or a processing system, so that the device on which the apparatus 2100 is installed can implement the methods and functions of the embodiments of the present application. For example, the processing unit 2120 may be a chip system or a processing circuit in a processing system that controls the device on which the chip system or processing system is installed, and may further be coupled to the storage unit to call instructions in the storage unit so that the device can implement the methods and functions of the embodiments of the present application; the transceiver unit 2110 may be an input/output circuit in the chip system or processing system that outputs information processed by the chip system, or inputs data or signaling information to be processed into the chip system for processing.
Embodiments of the present application also provide a computer-readable storage medium on which computer instructions for implementing the method performed by the network device in the foregoing method embodiments are stored.
For example, the computer program, when executed by a computer, causes the computer to implement the method performed by the network device in the above-described method embodiments.
Embodiments of the present application further provide a computer program product including instructions, which when executed by a computer, cause the computer to implement the method performed by the network device in the foregoing method embodiments.
An embodiment of the present application further provides a communication system, where the communication system includes the network device in the foregoing embodiment, the first network element and the second network element, or the third network element and the fourth network element.
Illustratively, the communication system includes the SMF and UPF, or AF and NEF, in the above embodiments.
For the explanation and beneficial effects of the related content in any one of the above-mentioned apparatuses, reference may be made to the corresponding method embodiments provided above, and details are not repeated here.
It should be understood that the processor referred to in the embodiments of the present application may be a central processing unit (CPU), and may also be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
It should also be understood that the memories referred to in the embodiments of the present application may be volatile memories and/or non-volatile memories. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM). For example, RAM can be used as an external cache memory. By way of example and not limitation, RAM may include the following forms: static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link DRAM (SLDRAM), and direct bus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, the memory (memory module) may be integrated into the processor.
It should also be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
Those of ordinary skill in the art will appreciate that the various illustrative elements and steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not implemented. Furthermore, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to implement the scheme provided by the application.
In addition, functional units in the embodiments of the present application may be integrated into one unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. For example, the computer may be a personal computer, a server, or a network appliance. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that includes one or more available media. For example, the available medium may include, but is not limited to, various media capable of storing program code, such as a USB flash drive, a removable disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (27)

1. A method of secure communication, comprising:
a first network element receives information of service data sent to a second communication device by a first communication device;
the first network element obtains a communication policy between a first security group and a second security group, wherein the first security group is a security group corresponding to the first communication device, and the second security group is a security group corresponding to the second communication device;
the first network element formulates a forwarding rule for the service data according to the communication policy between the first security group and the second security group;
wherein the first communication device and the second communication device are devices in the same virtual network (VN) group, the VN group comprises a plurality of security groups, and the plurality of security groups comprise the first security group and the second security group.
2. The method of claim 1,
the communication policy between the first security group and the second security group is to allow communication, or,
the communication policy between the first security group and the second security group is to disallow communication.
3. The method according to claim 1 or 2, wherein the first network element is a session management function network element.
4. The method of claim 3,
the forwarding rule is used for indicating a forwarding path of the service data when the communication policy between the first security group and the second security group is communication permission; or,
the forwarding rule is used for indicating that the service data is to be discarded when the communication policy between the first security group and the second security group is communication prohibition.
5. The method according to claim 3 or 4, wherein the receiving, by the first network element, the information of the service data sent by the first communication device to the second communication device comprises:
the first network element receives a forwarding rule unknown message from a second network element, wherein the forwarding rule unknown message comprises source address information and destination address information of the service data, the source address corresponds to the first security group, and the destination address corresponds to the second security group;
the making, by the first network element, a forwarding rule for the service data according to the communication policy between the first security group and the second security group includes:
the first network element formulates a forwarding rule for the service data according to the communication policy between the first security group corresponding to the source address and the second security group corresponding to the destination address; and
the first network element sends the forwarding rule to the second network element.
6. The method of claim 5, wherein before the first network element receives the forwarding-rule-unknown message from the second network element, the method further comprises:
the first network element sends first indication information to the second network element, wherein the first indication information is used for instructing the second network element to report that a forwarding rule is unknown.
7. The method of claim 5 or 6, further comprising:
the first network element sends second indication information to the second network element, wherein the second indication information is used for indicating that the forwarding rule is to be deleted.
8. The method of claim 7, wherein the sending, by the first network element, the second indication information to the second network element comprises:
the first network element sends the second indication information to the second network element when it determines that the session of the first communication device is released or that the address associated with the forwarding rule has aged.
9. The method according to any of claims 5 to 8, wherein the second network element is a user plane function network element.
10. The method according to claim 1 or 2, wherein the first network element is a user plane function network element.
11. The method of claim 10, further comprising:
the first network element receives information of the plurality of security groups from a second network element, wherein the information of the plurality of security groups comprises: information of communication policies between any two security groups of the plurality of security groups.
12. The method of claim 11,
the receiving, by the first network element, information of service data sent by the first communication device to the second communication device includes:
the first network element receives the service data sent to the second communication device by the first communication device;
the first network element obtaining a communication policy between a first security group and a second security group includes:
when the first network element determines that the first communication device belongs to the communication devices corresponding to the first security group in the VN group and that the second communication device belongs to the communication devices corresponding to the second security group in the VN group, the first network element obtains the communication policy between the first security group and the second security group from the information of the plurality of security groups.
13. The method of claim 12,
when the communication policy between the first security group and the second security group is communication permission, the forwarding rule is used for indicating a forwarding path of the service data, and the first network element forwards the service data according to the forwarding path indicated by the forwarding rule; or,
when the communication policy between the first security group and the second security group is communication prohibition, the forwarding rule is used for indicating that the service data is to be discarded, and the first network element discards the service data according to the forwarding rule.
14. The method according to claim 12 or 13, further comprising:
the first network element sends third indication information to a second network element, wherein the third indication information is used for indicating that the address associated with the forwarding rule has aged.
15. The method of claim 14, further comprising:
the first network element receives fourth indication information from the second network element, wherein the fourth indication information is used for indicating that the forwarding rule is to be deleted.
16. The method according to claim 14 or 15, wherein the second network element is a session management function network element.
17. The method of any of claims 1-16, wherein each security group includes one or more of the following:
a data network corresponding to the security group, an external identification of the VN group to which the security group belongs, an identification of the security group, a name of the security group, a communication device corresponding to the security group, a communication policy between the security group and other security groups of the plurality of security groups in the VN group.
18. A method of secure communication, comprising:
a third network element receives a first request message from a fourth network element, wherein the first request message is used for requesting to create a security group for a Virtual Network (VN) group;
the third network element creating a plurality of security groups for the VN group based on the first request message;
wherein the VN group includes a plurality of security groups, each security group corresponds to one or more communication devices, the plurality of security groups includes a first security group, a communication policy is set between the first security group and the other security groups in the plurality of security groups, and the communication policy is used for controlling communication between the communication devices corresponding to the first security group and the communication devices corresponding to the other security groups.
19. The method of claim 18, wherein the first request message includes one or more of the following information:
an external identifier of the VN group to which the security group to be created belongs, a data network corresponding to the security group to be created, an identifier of the security group to be created, a name of the security group to be created, and a communication policy between the security groups to be created.
20. The method of claim 19, wherein the first request message includes a communication policy between the security groups to be created, and wherein the method further comprises:
the third network element sets a communication policy for the security groups to be created according to the communication policy between the security groups to be created, wherein the communication policy is communication permission or communication prohibition.
21. The method of any one of claims 18 to 20, further comprising:
the third network element receives a second request message from the fourth network element, the second request message requesting that one or more communication devices be added for the first security group.
22. The method of claim 21, wherein the second request message includes one or more of the following information:
a data network corresponding to the first security group, an external identifier of the VN group to which the first security group belongs, an identifier of the first security group, a name of the first security group, and information of the one or more communication devices to be added.
23. The method of any of claims 18-22, wherein each security group includes one or more of the following:
a data network corresponding to the security group, an external identity of the VN group to which the security group belongs, an identity of the security group, a name of the security group, a communication device corresponding to the security group, a communication policy between the security group and other security groups of a plurality of security groups of the VN group.
24. The method according to any one of claims 18 to 23,
the third network element is a capability open function network element, and the fourth network element is an application function network element.
25. An apparatus for secure communication, characterized in that it comprises means for implementing the method according to any one of claims 1 to 24.
26. An apparatus for secure communications, comprising:
a processor to execute computer instructions stored in the memory to cause the apparatus to perform: the method of any one of claims 1 to 24.
27. A computer-readable storage medium, on which a computer program is stored which, when executed by a computer, causes the method of any one of claims 1 to 24 to be carried out.
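As an added illustration of the claims above (not code from the patent or from the applicant), the following Python model ties together the NEF-side security group creation of claims 18-22 and the SMF/UPF forwarding-rule handling of claims 1-9. Group identifiers, names, the data network, addresses and path labels are constructed sample values; treating policies as symmetric and defaulting an unconfigured pair to "deny" are assumptions not stated by the patent.

```python
"""Added example (not code from the patent): models NEF-side security group creation
(claims 18-22) and the SMF/UPF policy lookup, forwarding-rule derivation and deletion
(claims 1-9). Names, message shapes, defaults and addresses are assumed or constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

@dataclass
class SecurityGroup:
    group_id: str       # identifier of the security group
    name: str           # name of the security group
    dnn: str            # data network the group corresponds to
    devices: Set[str] = field(default_factory=set)  # addresses of member devices

@dataclass
class VNGroup:
    external_id: str    # external identifier of the VN group
    groups: Dict[str, SecurityGroup] = field(default_factory=dict)
    # Policies keyed by unordered pair (symmetric): an assumption, not stated by the patent.
    policies: Dict[FrozenSet[str], str] = field(default_factory=dict)

    def policy_between(self, a: str, b: str) -> str:
        # Fail closed: a pair with no configured policy is treated as "deny" (assumption).
        return self.policies.get(frozenset((a, b)), "deny")

    def group_of(self, address: str) -> Optional[str]:
        return next((gid for gid, g in self.groups.items() if address in g.devices), None)

def nef_create_security_groups(vn_external_id: str, first_request: dict) -> VNGroup:
    """Claims 18-20: create the VN group's security groups from the AF's first request."""
    vn = VNGroup(vn_external_id)
    for gid, name in first_request["groups"]:
        vn.groups[gid] = SecurityGroup(gid, name, first_request["dnn"])
    for a, b, verdict in first_request["policies"]:
        if a not in vn.groups or b not in vn.groups or verdict not in ("allow", "deny"):
            raise ValueError(f"bad policy entry: {(a, b, verdict)!r}")
        vn.policies[frozenset((a, b))] = verdict
    return vn

def nef_add_devices(vn: VNGroup, group_id: str, addresses: Set[str]) -> None:
    """Claims 21-22: the second request message adds devices to one security group."""
    vn.groups[group_id].devices.update(addresses)

@dataclass(frozen=True)
class ForwardingRule:
    action: str                 # "forward" (policy allows) or "drop" (policy prohibits)
    path: Optional[str] = None  # forwarding path of the service data, for "forward" only

def make_forwarding_rule(vn: VNGroup, src: str, dst: str, path: Optional[str]) -> ForwardingRule:
    """Claims 1 and 4: derive the rule for one flow from the policy between the two groups."""
    sg, dg = vn.group_of(src), vn.group_of(dst)
    if sg is None or dg is None:        # endpoint in no security group: drop (assumption)
        return ForwardingRule("drop")
    if vn.policy_between(sg, dg) == "allow":
        return ForwardingRule("forward", path)
    return ForwardingRule("drop")

class SMF:      # first network element of claims 3-8; `paths` is a constructed dst -> path map
    def __init__(self, vn: VNGroup, paths: Dict[str, str]) -> None:
        self.vn, self.paths, self.installed = vn, paths, {}

    def on_forwarding_rule_unknown(self, src: str, dst: str) -> ForwardingRule:
        # Claim 5: answer the UPF's forwarding-rule-unknown message with a rule.
        rule = make_forwarding_rule(self.vn, src, dst, self.paths.get(dst))
        self.installed[(src, dst)] = rule
        return rule

    def release_session(self, address: str, upf: "UPF") -> int:
        # Claims 7-8: the device's session is released, so withdraw its rules from the UPF.
        keys = [k for k in self.installed if address in k]
        self.installed = {k: r for k, r in self.installed.items() if k not in keys}
        upf.delete_rules(keys)
        return len(keys)

class UPF:      # second network element of claim 5: reports unknown flows, caches the reply
    def __init__(self, smf: SMF) -> None:
        self.smf, self.rules = smf, {}

    def handle(self, src: str, dst: str) -> str:
        rule = self.rules.get((src, dst))
        if rule is None:                # no rule yet: send forwarding-rule-unknown to the SMF
            rule = self.rules[(src, dst)] = self.smf.on_forwarding_rule_unknown(src, dst)
        return rule.action

    def delete_rules(self, keys) -> None:
        for k in keys:                  # second indication information (claim 7)
            self.rules.pop(k, None)

def demo():
    req = {"dnn": "plant.dnn",
           "groups": [("sg-cam", "cameras"), ("sg-nvr", "recorders"), ("sg-hmi", "operator-hmi")],
           "policies": [("sg-cam", "sg-nvr", "allow"), ("sg-cam", "sg-hmi", "deny")]}
    vn = nef_create_security_groups("vn-plant-1", req)
    for gid, addr in (("sg-cam", "10.0.1.10"), ("sg-nvr", "10.0.2.20"), ("sg-hmi", "10.0.3.30")):
        nef_add_devices(vn, gid, {addr})
    upf = UPF(SMF(vn, {"10.0.2.20": "n6-nvr", "10.0.3.30": "n6-hmi"}))
    verdicts = (upf.handle("10.0.1.10", "10.0.2.20"),   # allow    -> "forward"
                upf.handle("10.0.1.10", "10.0.3.30"),   # deny     -> "drop"
                upf.handle("10.0.1.10", "10.0.9.99"))   # no group -> "drop"
    deleted = upf.smf.release_session("10.0.1.10", upf)  # withdraws all three rules
    return verdicts, deleted, len(upf.rules)
```

`demo()` walks one camera's flows through the UPF: the first packet of each flow triggers the forwarding-rule-unknown exchange with the SMF, and releasing the camera's session withdraws every rule keyed on its address from both elements.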

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110295551.5A CN115175194A (en) 2021-03-19 2021-03-19 Method and apparatus for secure communication
PCT/CN2022/081583 WO2022194262A1 (en) 2021-03-19 2022-03-18 Security communication method and apparatus

Publications (1)

Publication Number Publication Date
CN115175194A true CN115175194A (en) 2022-10-11

Family

ID=83321896

Country Status (2)

Country Link
CN (1) CN115175194A (en)
WO (1) WO2022194262A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115550288A (en) * 2022-11-29 2022-12-30 广东省新一代通信与网络创新研究院 Method and system for forwarding Ethernet data stream

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160234234A1 (en) * 2015-02-05 2016-08-11 Cisco Technology, Inc. Orchestrating the Use of Network Resources in Software Defined Networking Applications
US10171507B2 (en) * 2016-05-19 2019-01-01 Cisco Technology, Inc. Microsegmentation in heterogeneous software defined networking environments
CN107995144B (en) * 2016-10-26 2020-11-06 北京金山云网络技术有限公司 Access control method and device based on security group
CN109587065B (en) * 2017-09-28 2021-02-23 北京金山云网络技术有限公司 Method, device, switch, equipment and storage medium for forwarding message
CN111010340B (en) * 2019-12-19 2022-04-29 华云数据有限公司 Data message forwarding control method and device and computing device

Also Published As

Publication number Publication date
WO2022194262A1 (en) 2022-09-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination