CN116033429A - Slice routing rule tamper-proof method, network element and medium - Google Patents


Info

Publication number: CN116033429A
Authority: CN (China)
Prior art keywords: slice, random code, application program, network element, terminal
Legal status: Pending
Application number: CN202211605268.9A
Other languages: Chinese (zh)
Inventors: 王鑫, 陈蛟, 赵友军
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN202211605268.9A
Publication of CN116033429A

Abstract

The disclosure provides a slice routing rule tamper-proof method, a network element and a medium. The method comprises the following steps: the network slice selection function network element allocates a first random code to each application program corresponding to each network slice, forming a first random code sequence; and issues the first random code sequence to the user plane function network element and to the terminal respectively, so that after the terminal initiates a slice session establishment request to the core network, the user plane function network element verifies whether the first random code sent by the terminal for a first application program permitted to use the slice is in the first random code sequence sent by the network slice selection function network element, and if not, the slice session is prevented from proceeding. The embodiment of the disclosure can at least effectively improve the security of URSP rules and prevent unauthorized application programs from illegally using slice services.

Description

Slice routing rule tamper-proof method, network element and medium
This application is a divisional application of the invention patent application with application number 202110257234.4, which was filed on 3-9-2021 and is titled "slice routing rule tamper-proof method, terminal, network element and medium".
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a slice routing rule tamper-proof method, a network slice management function network element, a user plane function network element, and a computer readable storage medium.
Background
Network slicing is one of the key technologies of 5G (5th generation mobile networks, fifth generation mobile communication technology); by configuring the network it can increase the flexibility of network resources, so that a user obtains the most suitable network service on demand.
In the 3GPP (3rd Generation Partnership Project) R15 stage, the 5G core network already has a partial policy configuration scheme aimed at users and services. It defines the rules of the UE route selection policy (user equipment route selection policy, URSP), which mainly defines service-level configuration and management policy and provides flexible configuration and management means for functions defined by the 5G core network such as network slicing and service and session continuity. The security of the current URSP rule is not strong: once the URSP rule is tampered with, an unauthorized application program can illegally use the slice service. For example, during 5G slice registration the terminal side reports slice policy information to the network, which includes the application program ID that needs to use the slice service and the corresponding traffic routing policy, and an unauthorized application program may steal the ID of an authorized application program and use the slice service.
Disclosure of Invention
The present disclosure provides a slice routing rule tamper-proof method, a terminal, a network slice management function network element and a computer readable storage medium, so as to at least solve the above-mentioned problems.
According to an aspect of the embodiments of the present disclosure, there is provided a slice routing rule tamper-proof method, applied to a terminal, including:
defining a description identifier for describing the application identifier in the slice routing rule;
establishing a relation mapping table between the description identifiers of the application programs and the application identifiers of the application programs;
after a registration request for a slice session is initiated to the core network, receiving the routing rule and the slice identification rule returned by the core network, where the routing rule carries a first application identifier of a first application program that is permitted to use the slice;
judging whether the first application identifier and the description identifier mapped to it exist in the relation mapping table; and
if the first application identifier and its mapped description identifier exist, matching the first application program corresponding to the first application identifier with the routing rule and the slice identification rule based on the first application identifier and its mapped description identifier.
According to a second aspect of the embodiments of the present disclosure, there is provided another slice routing rule tamper-proof method, applied to a network slice selection function network element, including:
allocating a first random code to each application program corresponding to each network slice, to form a first random code sequence; and
issuing the first random code sequence to a user plane function network element and to a terminal respectively, so that after the terminal initiates a slice session establishment request to the core network, the user plane function network element verifies whether the first random code sent by the terminal for a first application program permitted to use the slice is in the first random code sequence sent by the network slice selection function network element, and if not, the slice session is prevented from proceeding.
According to a third aspect of the embodiments of the present disclosure, there is provided a further slice routing rule tamper-proof method, applied to a user plane function network element, including:
receiving a first random code sequence sent by a network slice selection function network element, where the first random code sequence is formed by the first random codes allocated by the network slice selection function network element to each application program corresponding to each network slice;
after a terminal initiates a slice session establishment request to the core network, receiving the first random code sent by the terminal for a first application program permitted to use the slice;
verifying whether the first random code of the first application program sent by the terminal is in the first random code sequence sent by the network slice selection function network element; and
if it is not in the first random code sequence, stopping the slice session.
According to a fourth aspect of the embodiments of the present disclosure, a terminal is provided, including a memory and a processor, where the memory stores a computer program, and the processor executes the slice routing rule tamper-proof method when it runs the computer program stored in the memory.
According to a fifth aspect of the embodiments of the present disclosure, there is provided a network slice selection function network element, including a memory and a processor, where the memory stores a computer program, and the processor executes the other slice routing rule tamper-proof method when it runs the computer program stored in the memory.
According to a sixth aspect of the embodiments of the present disclosure, there is provided a user plane function network element, including a memory and a processor, where the memory stores a computer program, and the processor executes the further slice routing rule tamper-proof method when it runs the computer program stored in the memory.
According to a seventh aspect of the embodiments of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the slice routing rule tamper-proof method, the other slice routing rule tamper-proof method, or the further slice routing rule tamper-proof method.
The technical scheme provided by the embodiment of the disclosure can comprise the following beneficial effects:
According to the embodiment of the disclosure, a mapping relation table between the description identifier of the application program and the application identifier is established, and the description identifier of the application program in the terminal is used as the identifier of the APP ID in the routing rule, so that the APP-ID plaintext is not used directly in the slice policy URSP. This effectively prevents the APP ID in the terminal-side URSP from being stolen and tampered with when other application programs use the slice service, at least effectively improves the security of the URSP rule, and prevents unauthorized application programs from illegally using the slice service.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the disclosure. The objectives and other advantages of the disclosure will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosed embodiments and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain, without limitation, the disclosed embodiments.
Fig. 1 is a schematic flow chart of a slice routing rule tamper-proof method according to an embodiment of the disclosure;
Fig. 2 is a schematic flow chart of another slice routing rule tamper-proof method according to an embodiment of the present disclosure;
Fig. 3 is a schematic flow chart of another slice routing rule tamper-proof method according to an embodiment of the present disclosure;
Fig. 4 is a schematic flow chart of another slice routing rule tamper-proof method according to an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present disclosure;
Fig. 6 is a schematic structural diagram of a network slice selection function network element according to an embodiment of the present disclosure;
Fig. 7 is a schematic structural diagram of a user plane function network element according to an embodiment of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the following detailed description of the specific embodiments of the present disclosure will be given with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the disclosure, are not intended to limit the disclosure.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order; moreover, embodiments of the present disclosure and features of embodiments may be arbitrarily combined with each other without conflict.
In the following description, suffixes such as "module", "component", or "unit" for representing elements are used only for facilitating the description of the present disclosure, and are not of specific significance per se. Thus, "module," "component," or "unit" may be used in combination.
In order to solve the above problems, the embodiment of the disclosure monitors application programs for this vulnerability from both the terminal side and the network side. Specifically, in this embodiment, the terminal side does not directly use the APP ID plaintext in the URSP slice routing rule, but uses a description identifier of the application program, for example the physical storage location where the application program is located. Since the storage location is unique, the risk of tampering is reduced; at the same time, a distributed storage manner may be adopted in which the storage location information is stored and managed by all application programs, so that the risk of tampering with a single application program's identifier is avoided. Further, the network slice selection function network element (Network Slice Selection Function, NSSF) on the network side issues the identifier to the user plane function network elements (User Plane Function, UPF) in its area, where it is used to distinguish the data packets of each application program; the UPF verifies whether the route of a data packet points to a specific DN (Domain Name) server set, and thereby judges from the destination of the data packet whether a certain slice service is being stolen, further ensuring that the routing rule has not been tampered with and preventing illegal use of the slice service.
Referring to fig. 1, fig. 1 is a flowchart of a slice routing rule tamper-proof method provided in an embodiment of the present disclosure, which is applied to a newly added management unit of a terminal, and the method includes steps S101 to S105.
In step S101, a description identifier for describing the application identifier in the slice routing rule is defined.
In this embodiment a new identifier, the description identifier, is defined to describe the application identifier in the slice routing rule URSP, so that the situation in which the APP-ID plaintext is used directly in the slice policy URSP, and the APP ID in the terminal-side URSP is stolen and tampered with when other application programs use the slice service, can be effectively avoided.
Specifically, the description identifier is defined according to an attribute that all application programs have in common and that nevertheless distinguishes them, so that it can represent the identity of each application program. In this embodiment the description identifier is defined as the physical storage area location information of the application program: because the physical storage locations of application APKs/APPs do not repeat, the location of the application program in the physical ROM storage area of the terminal is used as the identifier of the APP ID in the URSP.
In step S102, a relation mapping table between the description identifiers of the respective application programs and their respective application identifiers is established.
In order to ensure compatibility between the application identifier APP ID of the slice policy URSP, the application program and the network slice, the APP ID of the URSP is uniformly fixed in the PCF/NSSF on the network side; for example, the WeChat APP ID is fixed as 010101, and in the related art the terminal directly uses 010101 as the APP ID. To prevent other application programs from stealing and tampering with the APP ID in the terminal-side URSP when using the slice service, the terminal side establishes a relation mapping table between the APP-ID and the physical storage area location information of the application program, and thereby avoids using the APP-ID plaintext directly in the slice policy URSP. Because the physical storage location of the application APK/APP does not repeat, the location of the application program in the physical ROM storage area of the terminal is used as the identifier of the APP ID in the URSP. For example, if the storage address of WeChat in the ROM area of the terminal is H012F0023, a mapping relation entry is established between H012F0023 and 010101, and each time the URSP is invoked H012F0023 is used instead of 010101 directly.
In step S103, after a registration request of a slice session is initiated to a core network, a routing rule and a slice identifier rule returned by the core network are received, where the routing rule carries a first application identifier of a first application program capable of using the slice.
Specifically, the terminal first initiates a slice registration request to the core network; after receiving the request, the core network returns the appropriate URSP (UE route selection policy) and NSSAI (slice identifier) rules to the terminal, and the terminal obtains the APP ID (assumed to be 000111) from the "traffic descriptor" in the URSP.
In some embodiments, to further improve the security of managing, for example, the storage addresses in the application description table, the mapping relation list may be stored in a distributed manner. Specifically, step S103 includes the following steps:
establishing, in each application program, a relation mapping table between the description identifier of each application program and the application identifier of each application program, to obtain a plurality of relation mapping tables;
and after judging whether the first application identifier and its mapped description identifier exist in the relation mapping table, and before matching the first application program corresponding to the first application identifier with the routing rule and the slice identification rule based on the first application identifier and its mapped description identifier, the method further comprises the following step:
if the first application identifier and its mapped description identifier exist, judging whether the first application identifiers and their mapped description identifiers in the plurality of relation mapping tables are consistent, and if so, executing the step of matching the first application program corresponding to the first application identifier with the routing rule and the slice identification rule based on the first application identifier and its mapped description identifier.
Specifically, each time the terminal newly downloads an application program, the new application program sends its ROM area storage address to all other application programs, and if an application program is uninstalled, the other application programs are notified to clear the physical storage address of the uninstalled application program. Thus each application program records the physical storage addresses of all other application programs, which prevents a malicious program from forging its own APP ID or physical storage address.
In step S104, it is judged whether the first application identifier and its mapped description identifier exist in the relation mapping table; if yes, step S105 is executed, otherwise the flow ends.
The terminal obtains the APP ID 000111 from the 'traffic descriptor' in the slice URSP; the newly added management unit calls the mapping relation list from the application programs of the terminal and judges whether the physical addresses in the mapping relation list correspond to the APP ID, and that no two entries have the same physical address or the same APP ID.
In some embodiments, if the relation mapping table is stored in a distributed manner, after the newly added management unit of the terminal determines that the physical addresses and the APP IDs correspond to each other, N application programs are selected randomly or according to a specific rule, and these N application programs report the mapping relation lists they store to the terminal, so as to judge whether the physical addresses and APP IDs in the N mapping relation lists are consistent.
In step S105, the first application program corresponding to the first application identifier is matched with the routing rule and the slice identifier rule based on the first application identifier and the description identifier mapped thereto.
Specifically, the application program with the fixed physical storage address (assumed to be FF0110a78) in the terminal conforms to the URSP rule issued by the network side and may use the network slice numbered NSSAI, so the application program is verified from the terminal side, and the vulnerability of matching the application program with the URSP/NSSAI only through the APP ID is avoided. It can be understood that the next step of slice registration can only be entered after the first application program corresponding to the first application identifier is matched with the routing rule and the slice identification rule, so that the slice is registered; if the first application program does not match the routing rule and the slice identification rule, the slice cannot be used.
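The terminal-side procedure of steps S101 to S105, including the distributed relation mapping tables and the consistency check across N tables, as an added Python illustration that is not code from the patent; the URSP rule layout, the class names and the third application are constructed assumptions, while the APP IDs and ROM addresses are the sample values used above:

```python
"""Terminal-side URSP matching via a description identifier (steps S101-S105).

Added illustration, not the patent's code. The URSP rule layout, class names
and the third "rogue" application are constructed assumptions; the APP IDs and
ROM addresses are the sample values used in the description.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Application:
    app_id: str        # APP ID fixed by the network-side PCF/NSSF, e.g. "010101"
    rom_address: str   # description identifier: physical ROM storage address
    # Distributed storage: every application keeps a copy of the full table
    mapping_table: dict = field(default_factory=dict)


class TerminalManagementUnit:
    """The newly added management unit of the terminal."""

    def __init__(self):
        self.apps = []

    def install(self, app):
        # A new application announces its ROM address to all other applications,
        # and receives their addresses in return
        self.apps.append(app)
        for other in self.apps:
            other.mapping_table[app.rom_address] = app.app_id
            app.mapping_table[other.rom_address] = other.app_id

    def uninstall(self, rom_address):
        # The other applications are told to clear the removed address
        self.apps = [a for a in self.apps if a.rom_address != rom_address]
        for other in self.apps:
            other.mapping_table.pop(rom_address, None)

    def resolve(self, app_id, n_tables=None, rng=None):
        """Step S104: return the ROM address mapped to app_id, or None.

        N tables are picked at random (all of them when n_tables is None). The
        APP ID must map to exactly one address in each table, and to the same
        address in all of them; a duplicate or conflicting entry is treated as
        evidence of tampering.
        """
        rng = rng or random.Random()
        tables = [a.mapping_table for a in self.apps]
        if n_tables is not None and n_tables < len(tables):
            tables = rng.sample(tables, n_tables)
        agreed = None
        for table in tables:
            hits = [addr for addr, aid in table.items() if aid == app_id]
            if len(hits) != 1:
                return None        # missing, or two addresses claim one APP ID
            if agreed is None:
                agreed = hits[0]
            elif hits[0] != agreed:
                return None        # the tables disagree on the address
        return agreed

    def match_ursp(self, ursp_rule, n_tables=None, rng=None):
        """Step S105: bind the application to the URSP rule and NSSAI, or refuse.

        ursp_rule layout (constructed): {"traffic_descriptor": {"app_id": ...},
        "nssai": ...}. Returns (rom_address, nssai) for the application that may
        proceed to slice registration, or None when the rule cannot be matched.
        """
        app_id = ursp_rule["traffic_descriptor"]["app_id"]
        rom_address = self.resolve(app_id, n_tables, rng)
        if rom_address is None:
            return None
        return rom_address, ursp_rule["nssai"]


def demo():
    """Constructed walkthrough with the sample values from the description."""
    unit = TerminalManagementUnit()
    unit.install(Application("010101", "H012F0023"))   # WeChat in the patent example
    unit.install(Application("000111", "FF0110a78"))   # the application entitled to the slice
    rogue = Application("222222", "AA00BEEF")          # constructed third application
    unit.install(rogue)
    rule = {"traffic_descriptor": {"app_id": "000111"}, "nssai": "NSSAI-1"}
    honest = unit.match_ursp(rule)
    # The rogue edits only its own copy of the table to claim APP ID 000111 as well;
    # the consistency check across tables exposes the duplicate claim
    rogue.mapping_table[rogue.rom_address] = "000111"
    tampered = unit.match_ursp(rule)
    return honest, tampered
```

Sampling fewer than all tables (n_tables) mirrors the N-application report in the description, so a tampered table that is not sampled goes unnoticed in that round.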
In one embodiment, to further improve tamper resistance of the slice routing rule, a random code is allocated to each application program of the network slice by the network slice selection function network element, and consistency of the random code is verified when a slice session is established, so as to ensure validity of the application program, and specifically, the method further includes the following steps:
After the slicing session registration is successful, a slicing session establishment request is initiated to the core network, so that the core network establishes the slicing session based on the slicing session establishment request;
receiving a first random code sequence issued by a network slice selection function network element, wherein the network slice selection function network element distributes a first random code of each application program corresponding to each network slice to form the first random code sequence, and issues the first random code sequence to a user plane function network element and the terminal respectively;
invoking the first random code of the first application program from the first random code sequence; and sending the first random code of the first application program to the user plane function network element, so that the user plane function network element verifies whether the first random code of the first application program sent by the terminal is in the first random code sequence sent by the network slice selection function network element, and if not, the slice session is prevented. Specifically, in the core network NSSF network element, a string of random codes is allocated to each application program corresponding to the network slice with slice identifier NSSAI-1; a string of random codes is allocated to each application program corresponding to NSSAI-2; and so on. That is, under the same PLMN (Public Land Mobile Network), each application program of the slice service has a string of random codes, the same application program may be allocated several random codes (one for each slice it corresponds to), the random codes of the same application program are the same for different users, and the random codes are sent to the terminal and to the user plane function network element respectively.
After the slice session registration succeeds, the terminal initiates a slice-based PDU (Protocol Data Unit) session establishment request to the core network, and the newly added management unit of the terminal invokes the random code allocated to the 000111 application program by the core network NSSF network element in the above procedure.
In one embodiment, to further improve the security of the random code, an update principle for setting the random code is proposed: the NSSF refreshes the random codes according to two factors, geographic location and time. For example, the NSSF of logical slice area one and the NSSF of logical slice area two allocate different random codes to the same application program carried by the same slice, and the refresh period of each slice can differ. The UPFs are managed in logical partitions for the NSSFs of area one, area two, and so on (logical rather than physical partitions, since normal signalling communication is still possible even when an NSSF and a UPF do not belong to the same logical area), so as to ensure that the NSSF and UPF partition rules conform to the following correspondence: one NSSF corresponds to one or more UPFs, and each UPF belongs to only one NSSF.
Therefore, a data bit can be added after the UPF number, representing the NSSF logical slice area to which the UPF belongs. After the NSSF updates the random code allocated to an application program, it sends the random code to the UPFs of its logical area, and the storage unit on the UPF or its matched MEC completes the update of the random code. When the terminal initiates a slice session request to the network, the SMF selects a PDU according to the session type. The SMF (Session Management Function), when sending <namf_communication_n1n2message> to the AMF (Access and Mobility Management Function), simultaneously tells the AMF the selected PDU number, and the AMF forwards these messages to the gNB and the terminal.
In one embodiment, after receiving the first random code sequence issued by the network slice selection function network element, the method further comprises the following steps: judging whether the user plane function network element allocated to the slice session still belongs to the logical slice area managed by the network slice selection function network element, where the network slice selection function network elements of different areas each partition the user plane function network elements into logical slice areas, and the network slice selection function network element of each area allocates second random codes to each application program corresponding to each network slice to form a second random code sequence; if the user plane function network element allocated to the slice session does not belong to the logical slice area managed by the network slice selection function network element, sending a request for acquiring the second random code sequence to the network slice selection function network element, so that the network slice selection function network element interacts with the network slice selection function network element of the new logical slice area, and the network slice selection function network element of the new logical slice area allocates a second random code to each application program corresponding to each network slice to form the second random code sequence and issues it to the user plane function network element and the terminal respectively;
Receiving a second random code sequence issued by a network slice selection function network element in the new logic slice area;
invoking a second random code of the first application from the second random code sequence; the method comprises the steps of,
and transmitting the second random code of the first application program to the user plane function network element so that the user plane function network element verifies whether the second random code of the first application program transmitted by the terminal is in the second random code sequence transmitted by the network slice selection function network element, and if not, stopping the slice session.
The newly added management unit of the terminal monitors whether the logical area of the PDU still belongs to the old NSSF area, that is, judges whether the newly added data bit of the PDU number has changed. If it has, the session PDU carried by the terminal's current slice logically belongs to a new NSSF; the terminal reports this to the AMF and NSSF and requests that a broadcast message be sent to the terminal carrying the random code allocated by the NSSF of the new logical area. If the newly added data bit of the PDU number has not changed, the logical attribution of the session PDU carried by the terminal's current slice has not changed, and the NSSF does not need to send the allocated random code to the terminal again.
Further, if the terminal is already connected to a slice (at most 8 slices are connected at the same time), the above procedure must additionally judge whether the PDU connected by the new slice and the PDU connected by the existing slice belong to the same NSSF logical area; if so, the random code allocated by the NSSF need not be issued again, and if not, the random code allocated by that NSSF must also be issued.
The terminal stores the received random code in the newly added management unit; only the management unit has decryption authority, and other application programs can neither call the random code directly nor decrypt it through the newly added management unit, so that the random code cannot be stolen or tampered with.
In one embodiment, in order to avoid theft of the random code by other applications during transmission, the newly added management unit of the terminal does not directly send the random code to the application. After the PDU session is established successfully, that is, after the terminal receives the configuration of the core network to issue the IP address to the terminal, the new management unit inserts the random code corresponding to the application program on the packet header position or other specific positions of the (uplink) data packet on the uplink data link of the application program with the physical storage address FF0110a78, so as to further strengthen the security of the random code. Specifically, the sending the first random code of the first application program to the user plane function network element includes the following steps:
Inserting a first random code of the first application program into a preset position of an uplink data link data packet of the first application program; the method comprises the steps of,
and transmitting a first random code of the first application program to the user plane function network element based on the uplink data packet of the first application program, so that the user plane function network element acquires the first random code of the first application program from the uplink data packet of the first application program, verifying whether the random code of the first application program transmitted by the network slice selection function network element is consistent with the random code of the first application program transmitted by the terminal based on the first random code, and if not, stopping the slice session.
Furthermore, to reduce signaling overhead and avoid wasting resources, not every uplink data packet needs to carry the random code. To let the UPF quickly locate which data packets do carry it, an identification bit can be added when the random code is inserted: if the identification bit is 1, the uplink data packet carries the random code; if it is 0, it does not.
Specifically, after receiving the session uplink data packet, the UPF performs random code verification on each data packet whose identification bit is 1. If the random codes are inconsistent, the application program may have been stolen, and the UPF prevents the session from continuing: specifically, the UPF initiates an interception flow and prompts the SMF that the session cannot proceed normally. In some embodiments, if the random codes are identical, then: a. the random code is obtained from the packet header or the specific location, together with the DN server address to which the packet points; b. because the random code stored in the UPF and the random code carried by the terminal's uplink data packet match, the UPF compares the DN server address against the set of DN server addresses pointed to by data packets with the same random code in its history record; if that set does not contain the address, the UPF continues to search whether the sets of DN server addresses pointed to by data packets with the same random code in the other UPF nodes of the same NSSF logic area contain it. The way a UPF looks up the other nodes of the same NSSF logic region is as described above.
In short, if the UPF verifies that the DN servers to which data packets with the same random code point belong to the same address set, the session can proceed and the slice service continues to carry the application. If the UPF finds that the DN server pointed to by the packet does not belong to the set pointed to by the other packets with that random code, the UPF initiates an interception flow to prompt the SMF that the session cannot proceed normally.
In the related art, the application ID of the slice service is not secured. Because the signature and APP ID of each application program are disclosed when the application is first installed on the terminal, the related art generally encrypts the application ID and the slice selection policy; but if an illegal application steals the APP ID of a legitimate one, it can encrypt that APP ID according to the agreed encryption flow, or steal the encrypted information directly. After the network side decrypts the encrypted message, it still agrees to the use of the network slice because it cannot tell whether the actual application is the legitimately subscribed one. Merely encrypting the APP ID therefore does not close the vulnerability of the APP ID being tampered with or misappropriated.
The embodiments of the disclosure address these application vulnerabilities from two sides, the terminal side and the network side. First, the terminal side does not use the APP ID plaintext directly as the URSP slice routing rule identifier; it uses the physical storage location of the application instead. That location is unique, which reduces the risk of tampering, and a distributed storage scheme can be adopted in which every application stores and manages the storage-location information, so that the identifier of a single application cannot be tampered with in isolation. Second, the network-side slice management network element issues an identifier to the UPFs in its area for distinguishing the data packets of each application, and the UPF verifies whether the route of each data packet points to a specific DN server set, so that whether a slice service is being stolen is further judged from where the packets are routed.
Referring to fig. 2, fig. 2 is a flowchart of a slice routing rule tamper-proof method applied to a network slice selection function network element according to an embodiment of the present disclosure, where the method includes step S201 and step S202.
In step S201, each application program corresponding to each network slice is allocated its own first random code, forming a first random code sequence; and
in step S202, the first random code sequence is issued to a user plane function network element and a terminal, so that after the terminal initiates a slice session establishment request to the core network, the user plane function network element verifies whether the first random code of the first application program capable of using the slice, as sent by the terminal, is in the first random code sequence sent by the network slice selection function network element, and if not, the slice session is prevented from proceeding.
Specifically, the core network NSSF network element allocates a string of random codes to each application program corresponding to the network slice with slice identifier NSSAI-1, allocates a string of random codes to each application program corresponding to NSSAI-2, and so on. That is, within the same PLMN, each application program using a slice service has a string of random codes, the same application program may be allocated a plurality of random codes, and the random codes of the same application program are identical for different users.
In one embodiment, the method further comprises the steps of:
the network slice selection function network elements of different areas respectively perform logic slice area partition on the user plane function network elements;
the step of issuing the first random code sequence to a user plane function network element comprises the following step:
and the network slice selection function network element of each area transmits the first random code sequence to the user plane function network element of the logic slice area under the management of each area.
For example, the NSSFs of area one, area two, and so on perform logical partition management of the UPFs (a logical rather than physical partition: normal signaling communication is still possible even when an NSSF and a UPF do not belong to the same logical area). The NSSF and UPF partition rules must satisfy the following correspondence: one NSSF may correspond to one or more UPFs, and each UPF may belong to only one NSSF. A data bit can therefore be appended after the UPF number, representing the NSSF logical slice region to which the UPF belongs.
After the NSSF updates the random code allocated to the application program, the NSSF transmits the random code to the UPF of the logic area, and the storage unit or the matched MEC on the UPF completes the updating of the random code.
When the terminal initiates a slice session request to the network, the SMF selects a PDU according to the session type, and tells the AMF the selected PDU number when sending Namf_Communication_N1N2MessageTransfer to the AMF. The AMF then forwards these messages to the gNB and the terminal. The terminal's newly added management unit monitors whether the logical area of the PDU still belongs to the old NSSF area, that is, whether the newly added data bit of the PDU number has changed. If it has changed, the session PDU carried by the terminal's current slice now logically belongs to a new NSSF; the terminal reports this to the AMF and the NSSF and requests that a broadcast message be issued to it, and the random codes allocated by the NSSF of the new logical area are sent to the terminal. If the newly added data bit of the PDU number has not changed, the session PDU carried by the current slice has not moved, and the NSSF need not re-issue the allocated random codes to the terminal.
In one embodiment, the method further comprises the steps of:
and updating the first random code sequence based on the position information of the network element of the first random code sequence and a preset time period.
To further improve the security of the random codes, this embodiment sets an update principle for them: the NSSF refreshes the random codes according to two factors, geographic location and time. For example, the NSSF of the first slice and the NSSF of the second slice allocate different random codes to the same application program carried by the same slice, and the refresh period of each slice can differ.
Referring to fig. 3, fig. 3 is a flow chart of a slice routing rule tamper-proof method applied to a user plane function network element according to an embodiment of the present disclosure, and the method includes steps S301 to S304.
In step S301, a first random code sequence sent by a network slice selection function network element is received, where the first random code sequence is formed by respective first random codes allocated by the network slice selection function network element to each application program corresponding to each network slice;
in step S302, after the terminal initiates a slice session establishment request to the core network, a first random code of a first application program capable of using the slice sent by the terminal is received;
In step S303, it is verified whether the first random code of the first application program capable of using the slice, as sent by the terminal, is in the first random code sequence sent by the network slice selection function network element. If it is not, the first random code received by the user plane function network element from the network slice selection function network element is inconsistent with the one sent by the terminal, and step S304 is executed; if it is in the sequence, the flow ends and the slice session proceeds normally.
In step S304, the progress of the slicing session is prevented.
In one embodiment, receiving the first random code of the first application program capable of using the slice, as sent by the terminal, includes the following steps:
receiving an uplink data packet of the first application program sent by the terminal, wherein the terminal has inserted the first random code of the first application program at a preset position of that uplink data packet; and
acquiring the first random code of the first application program from the uplink data link data packet of the first application program.
In one embodiment, after verifying whether a first random code of a first application capable of using the slice transmitted by the terminal is in the first random code sequence transmitted by the network slice selection function network element, the method further includes:
if the first random code is in the first random code sequence, obtaining the DN server address pointed to by the uplink data packet of the first application program;
acquiring a DN server address set pointed by a data packet in which a random code identical to a first random code of the first application program is located in a history record;
judging whether the DN server address exists in the DN server address set, and if not, stopping the slicing session.
The set of DN server addresses may include a set to which a DN server address pointed by a data packet where a random code is located in the present UPF belongs, and a set to which a DN server address pointed by a data packet where the same random code is located in other UPF nodes in a NSSF logic area belongs.
It should be noted that the above flow of this embodiment is described in detail in the corresponding portions of the other embodiments and is not repeated here.
For further understanding, referring to fig. 4, fig. 4 is a schematic diagram of another slice routing rule tamper-proof method according to an embodiment of the present disclosure, including the following steps:
1. Before the slice bearer session is established, configure the terminal:
S401, in the core network NSSF network element, a string of random codes is allocated to each application program corresponding to the network slice with slice identifier NSSAI-1, a string of random codes is allocated to each application program corresponding to NSSAI-2, and so on. That is, within the same PLMN, each application program using a slice service has a string of random codes, the same application program may be allocated a plurality of random codes, and the random codes of the same application program are identical for different users.
To improve the security of the random codes, an update principle is set for them in step 1: the NSSF refreshes the random codes according to two factors, geographic location and time; for example, the NSSF of the first slice and the NSSF of the second slice allocate different random codes to the same application program carried by the same slice, and the refresh period of each slice can differ.
S402, the NSSFs of the first area and the second area perform logical partition management of the UPFs (a logical rather than physical partition: normal signaling communication is still possible even when an NSSF and a UPF do not belong to the same logical area), ensuring that the NSSF and UPF partition rules satisfy the following correspondence: one NSSF may correspond to one or more UPFs, and each UPF may belong to only one NSSF. A data bit can therefore be appended after the UPF number, representing the NSSF logical slice region to which the UPF belongs.
S403, after the NSSF updates the random code allocated to the application program, the NSSF transmits the random code to the UPF of the logic area, and a storage unit or a matched MEC on the UPF completes the updating of the random code. Meanwhile, S404, NSSF issues a random code to the terminal.
S405, the terminal initiates a slice session request to the network; S406, the SMF selects the UPF according to the session type.
S407, the SMF transmits the UPF selection information to the AMF: when sending Namf_Communication_N1N2MessageTransfer to the AMF, the SMF also tells the AMF the selected UPF number. S408, the AMF then forwards these messages to the gNB and the terminal.
S409, the terminal's newly added management unit monitors the logical area of the UPF the terminal has accessed, that is, it judges whether the newly added data bit of the UPF number has changed. If the data bit has changed, step S410 is executed; if it has not changed, the logical attribution of the session UPF carried by the terminal's current slice is unchanged, and the NSSF need not re-issue the allocated random codes to the terminal.
S410, the session UPF logic carried by the current slice of the terminal is attributed to a new NSSF, and the terminal reports to the AMF and NSSF.
S411, NSSF requests to issue broadcast information for the terminal, and random codes allocated by the NSSF of the new logic area are sent to the terminal.
If the terminal has already connected one slice (8 may be connected at the same time), the above steps also need to determine whether the PDU connected by the new slice and the PDU connected by the existing slice belong to the same NSSF logical slice region; if so, the random codes allocated by the NSSF need not be issued again, and if not, the NSSF is requested to issue them. The random code is encrypted while being issued to the terminal; the terminal stores the received random code in the newly added management unit, only the management unit has decryption authority, and other application programs can neither call the random code directly nor decrypt it through the management unit.
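The logical-region bookkeeping of S402 and S409 to S411 (and the corresponding description of the method of fig. 2) is illustrated by the following Python, an added example written for this page and not code from the patent or from any operator's implementation. It assumes the region bit is a single trailing digit appended to the UPF number, that one NSSF object per region allocates a random code per (NSSAI, application storage address) pair and refreshes them per slice on a timer, and that the terminal's management unit requests a new code set only when the trailing bit of the selected UPF differs from that of its current sessions. UPF numbers, region bits and NSSAI labels are constructed sample values; the application address FF0110a78 is the page's own example; random codes are generated locally.

```python
"""NSSF logical-region bookkeeping, as a constructed example (not the
patent's or any vendor's code).

Each UPF number carries an extra data bit naming the NSSF logical region
it belongs to.  An NSSF allocates one random code per (slice NSSAI,
application) pair for its region and refreshes them per slice on a timer.
The terminal's management unit compares the region bit of the UPF chosen
for a new session with the region of its existing sessions and fetches a
new code set only when the region changes.
"""
import secrets
from typing import Dict, List, Optional, Set, Tuple


def upf_identifier(upf_number: int, region_bit: int) -> str:
    """Append the NSSF logical-region data bit after the UPF number."""
    if region_bit not in (0, 1):
        raise ValueError("region bit must be 0 or 1")
    return f"{upf_number}{region_bit}"


def region_of(upf_id: str) -> int:
    """Read the trailing region bit back out of a UPF identifier."""
    return int(upf_id[-1])


class RegionNssf:
    """One NSSF managing one logical region of UPFs."""

    def __init__(self, region_bit: int, upfs: Set[str]) -> None:
        self.region_bit = region_bit
        self.upfs = set(upfs)
        # (slice NSSAI, application physical storage address) -> random code
        self.codes: Dict[Tuple[str, str], str] = {}

    def allocate(self, nssai: str, app_address: str) -> str:
        """Allocate a fresh random code for one application of one slice."""
        code = secrets.token_hex(8)
        self.codes[(nssai, app_address)] = code
        return code

    def refresh(self, nssai: str) -> None:
        """Timer-driven refresh: every application of the slice gets a new
        code; the new set is then pushed to the region's UPFs and terminals."""
        for key in list(self.codes):
            if key[0] == nssai:
                self.codes[key] = secrets.token_hex(8)


def partition_valid(nssfs: List[RegionNssf]) -> bool:
    """Each UPF belongs to exactly one NSSF, and its trailing region bit
    must match the NSSF that manages it."""
    seen: Set[str] = set()
    for nssf in nssfs:
        for upf in nssf.upfs:
            if upf in seen or region_of(upf) != nssf.region_bit:
                return False
            seen.add(upf)
    return True


class TerminalManagementUnit:
    """The terminal's newly added management unit: holds the random codes
    of the NSSF region its slice sessions currently belong to."""

    def __init__(self) -> None:
        self.current_region: Optional[int] = None
        self.codes: Dict[Tuple[str, str], str] = {}

    def on_session_upf(self, upf_id: str, nssf: RegionNssf) -> bool:
        """Called with the UPF identifier the SMF selected for a new slice
        session.  Returns True when the region changed and a new code set
        was taken from the NSSF of that region (assumption: the caller
        passes the NSSF whose region bit matches the UPF)."""
        new_region = region_of(upf_id)
        if new_region == self.current_region:
            return False  # same logical region: NSSF need not re-issue codes
        if nssf.region_bit != new_region:
            raise ValueError("NSSF does not manage this UPF's region")
        self.current_region = new_region
        # The page issues the codes encrypted; transport is out of scope here.
        self.codes = dict(nssf.codes)
        return True
```

The partition check is the part worth keeping in production: a UPF that appears under two NSSFs, or whose trailing bit disagrees with its NSSF, would let a terminal keep stale codes or fetch the wrong set, and both cases are caught before any session is set up.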
S412, to keep the APP ID in the slice policy URSP compatible with the application program and the network slice, the APP ID of the URSP is uniformly fixed in the PCF/NSSF on the network side; for example, the WeChat APP ID is fixed as 010101, and in the related art the terminal directly uses 010101 as the APP ID. To prevent other application programs from stealing or tampering with the APP ID in the terminal-side URSP when using the slice service, the terminal side additionally establishes a mapping table for the APP ID and avoids using the APP ID plaintext directly in the slice policy URSP. Because the physical storage location of an APK/APP is never duplicated, the position of the application in the terminal's physical ROM storage area is used as the identifier of the APP ID in the URSP: for example, WeChat sits at H012F0023 in the terminal's ROM area, so a mapping entry between H012F0023 and 010101 is established, and each time the URSP is invoked H012F0023 is used instead of 010101 directly.
S413, to further strengthen the management of the security of the application storage addresses, the mapping table can be managed in a distributed way: each time the terminal newly downloads an application, the new application transmits its ROM storage address to all other applications, and if an application is uninstalled, the other applications are notified to clear the physical storage address of the uninstalled application. Thus every application records the physical storage addresses of all other applications, which prevents a malicious program from tampering with its own APP ID or physical storage address.
2. When the slice bearer session is established, verify whether an application program risks falsifying the APP ID to steal a slice service:
S414, after the terminal initiates a slice registration request to the core network, the core network receives the request and the PCF returns the appropriate URSP (UE routing policy) and NSSAI (slice identifier) rules to the terminal.
S415, after the terminal obtains the APP ID (assumed to be 000111) of "traffic descriptor" in the slice URSP, the newly added management unit calls the mapping relation table of the application program of the terminal.
S416, verifying whether physical addresses and APP IDs in N mapping table relation lists in the mapping table are consistent:
a. The newly added management unit of the terminal can randomly select N application programs according to specific rules, and the N application programs report the mapping relation list stored by the N application programs to the newly added management unit.
b. The newly added management unit judges whether the physical addresses in the N mapping relation lists and the APP IDs are consistent, and the situation that the two physical addresses or the APP IDs are identical does not exist.
c. Through the above steps, the management unit can judge that the application program with the fixed physical storage address (FF0110a78) in the terminal conforms to the URSP rule issued by the network and may use the network slice numbered NSSAI. The application program is thus verified from the terminal side, avoiding the vulnerability of matching an application to the URSP/NSSAI by APP ID alone.
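The terminal-side check in S412 to S416 can be demonstrated with the following Python, an added example written for this page and not code from the patent or from any terminal vendor. It assumes the mapping list is a dictionary from physical ROM storage address to APP ID, that N application programs each report a copy of it, and that the management unit refuses to resolve the URSP identifier when the copies disagree or when any address or APP ID appears twice. The addresses H012F0023 and FF0110a78 and the APP IDs 010101 and 000111 are the page's own sample values; A0B1C2D3E and 222333 are constructed here.

```python
"""Terminal-side URSP identifier check (constructed example, not code from
the patent).

Each installed application keeps a copy of the mapping list
{physical ROM storage address -> APP ID} for every application on the
terminal.  Before a slice is used, the management unit pulls N of those
copies and checks that they agree and that no address or APP ID is
duplicated.  Only then does it translate the APP ID found in the URSP
traffic descriptor into the storage address it actually uses.
"""
from collections import Counter
from typing import Dict, List, Optional

MappingList = Dict[str, str]  # physical storage address -> APP ID


def lists_consistent(lists: List[MappingList]) -> bool:
    """All N reported mapping lists must be identical."""
    return len(lists) > 0 and all(m == lists[0] for m in lists[1:])


def no_duplicates(mapping: MappingList) -> bool:
    """No two entries may share an APP ID (addresses are dict keys and so
    are unique by construction)."""
    ids = Counter(mapping.values())
    return all(count == 1 for count in ids.values())


def resolve_ursp_identifier(ursp_app_id: str, lists: List[MappingList]) -> Optional[str]:
    """Return the physical storage address that the URSP traffic descriptor's
    APP ID maps to, or None if the mapping tables fail verification or the
    APP ID is absent.  The address, not the APP ID plaintext, is what the
    terminal then uses as the URSP identifier."""
    if not lists_consistent(lists):
        return None
    mapping = lists[0]
    if not no_duplicates(mapping):
        return None
    for address, app_id in mapping.items():
        if app_id == ursp_app_id:
            return address
    return None


# Constructed sample: three applications each holding the same mapping list.
GOOD_LIST: MappingList = {
    "H012F0023": "010101",   # sample from the page (WeChat)
    "FF0110a78": "000111",   # sample from the page (app authorised for the slice)
    "A0B1C2D3E": "222333",   # constructed for this example
}
REPORTED_BY_N_APPS: List[MappingList] = [dict(GOOD_LIST) for _ in range(3)]

# Constructed tampering scenario: one application rewrote its own copy so
# that a second address claims the slice-authorised APP ID 000111.
TAMPERED_LIST: MappingList = dict(GOOD_LIST)
TAMPERED_LIST["A0B1C2D3E"] = "000111"
REPORTED_WITH_TAMPER: List[MappingList] = [dict(GOOD_LIST), dict(GOOD_LIST), TAMPERED_LIST]
```

With the three untouched copies the resolver returns FF0110a78 for APP ID 000111; with one altered copy the copies no longer agree and the resolver returns None, so the slice is not used. The duplicate check matters on its own too: even if every copy were altered identically, two addresses claiming one APP ID is rejected.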
S417, after the slice registration succeeds, the terminal initiates a slice-based PDU session establishment request to the core network, and the terminal's newly added management unit invokes the random code that the core network NSSF network element allocated to the 000111 application program. To avoid the random code being stolen by other application programs in transit, the management unit does not send the random code to the application program directly. After the PDU session is established successfully, that is, after the core network's configuration issues the IP address to the terminal, the management unit inserts the random code corresponding to the application program at the packet header position or another specific position of the uplink data packets on the uplink data link of the application program with physical storage address FF0110a78. To reduce signaling overhead and avoid wasting resources, not every uplink data packet needs to carry the random code, and to let the UPF quickly locate which data packets carry it in the next step, an identification bit can be added when the random code is inserted: if the identification bit is 1, the uplink data packet carries the random code; if it is 0, it does not.
S418, sending the uplink data packet of the application program to the core network.
S419, after the UPF receives the session uplink data packet, it carries out random code verification on each data packet whose identification bit is 1:
a. obtain the random code from the packet header or the specific position of the data packet, together with the DN server address to which the data packet points;
b. because the random code stored in the UPF and the random code carried by the terminal's uplink data packet match, the UPF compares whether the set of DN server addresses pointed to by data packets with the same random code in its history record contains this DN server address; if not, the UPF continues to search whether the sets of DN server addresses pointed to by data packets with the same random code in the other UPF nodes of the same NSSF logic area contain it. The way a UPF searches the other nodes of the same NSSF logic region is not described here.
If the UPF verifies that the DN servers pointed to by data packets with the same random code belong to the same address set, the session can proceed and the slice service continues to carry the application. If the UPF finds that the DN server pointed to by the packet does not belong to the set pointed to by the other packets with that random code, the UPF initiates an interception flow to prompt the SMF that the session cannot proceed normally.
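The UPF-side verification of S417 to S419 (and of the earlier embodiment that introduces the identification bit and the DN server address set) can be run through the following Python, an added example that is not the patent's code. The packet layout is an assumption made for this example: one identification byte, an 8-byte random code only when that byte is 1, a length-prefixed DN server address, then the payload. Random codes, UPF names and DN addresses are constructed. A further assumption, which the page does not specify, is that the first packet ever seen for a random code seeds that code's DN address set.

```python
"""UPF-side check of uplink packets (constructed example, not the patent's
code).

Assumed packet layout: one identification byte; an 8-byte random code only
when that byte is 1; a one-byte length and the DN server address; payload.
The UPF checks the random code against the sequence issued by its NSSF,
then checks that the DN address is in the set historically reached by
packets carrying that code, in its own records and in those of the other
UPFs of the same NSSF logical region.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

FLAG_NO_CODE = 0   # identification bit 0: packet carries no random code
FLAG_HAS_CODE = 1  # identification bit 1: random code follows the flag
CODE_LEN = 8

# Constructed sample codes: CODE_A was issued by the NSSF, CODE_X was not.
CODE_A = bytes.fromhex("1111111111111111")
CODE_X = bytes.fromhex("9999999999999999")


def build_uplink_packet(random_code: Optional[bytes], dn_address: str, payload: bytes) -> bytes:
    """Terminal side: the management unit prepends the flag and the code."""
    addr = dn_address.encode()
    if random_code is None:
        return struct.pack("!BB", FLAG_NO_CODE, len(addr)) + addr + payload
    if len(random_code) != CODE_LEN:
        raise ValueError("random code must be %d bytes" % CODE_LEN)
    return (struct.pack("!B", FLAG_HAS_CODE) + random_code
            + struct.pack("!B", len(addr)) + addr + payload)


def parse_uplink_packet(packet: bytes) -> Tuple[Optional[bytes], str, bytes]:
    """Return (random code or None, DN server address, payload)."""
    flag = packet[0]
    pos = 1
    code = None
    if flag == FLAG_HAS_CODE:
        code = packet[pos:pos + CODE_LEN]
        pos += CODE_LEN
    elif flag != FLAG_NO_CODE:
        raise ValueError("unknown identification bit %d" % flag)
    addr_len = packet[pos]
    pos += 1
    addr = packet[pos:pos + addr_len].decode()
    pos += addr_len
    return code, addr, packet[pos:]


class Upf:
    def __init__(self, name: str, issued_codes: Set[bytes], region_peers: List["Upf"]) -> None:
        self.name = name
        self.issued = set(issued_codes)           # sequence pushed by the NSSF
        self.peers = region_peers                 # other UPFs in the same NSSF logical region
        self.history: Dict[bytes, Set[str]] = {}  # random code -> DN addresses seen

    def dn_set_for(self, code: bytes) -> Set[str]:
        """Local DN address set for the code, widened with the peers' sets."""
        addresses = set(self.history.get(code, set()))
        for peer in self.peers:
            addresses |= peer.history.get(code, set())
        return addresses

    def inspect(self, packet: bytes) -> str:
        """Return 'forwarded' or an 'intercepted: ...' reason.  An intercept
        is the point at which the UPF would start the interception flow and
        tell the SMF the session cannot proceed."""
        code, addr, _ = parse_uplink_packet(packet)
        if code is None:
            return "forwarded"  # identification bit 0: nothing to verify
        if code not in self.issued:
            return "intercepted: random code not in NSSF-issued sequence"
        known = self.dn_set_for(code)
        if known and addr not in known:
            return "intercepted: DN server not in the address set of this random code"
        # Assumption: the first packet ever seen for a code seeds its set.
        self.history.setdefault(code, set()).add(addr)
        return "forwarded"
```

The two intercept branches correspond to the two failure modes the text describes: a code that the NSSF never issued (a forged or stale insertion), and a valid code whose packet is routed to a DN server no other packet with that code has ever reached (a slice being carried for traffic it was not subscribed for). Packets with the identification bit at 0 pass through untouched, which is exactly why the bit must be set on enough packets for the check to be meaningful.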
Based on the same technical concept, the embodiment of the disclosure correspondingly provides a terminal, as shown in fig. 5, where the terminal 50 includes a memory 51 and a processor 52, the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the slice routing rule tamper-proof method.
Based on the same technical concept, the embodiments of the present disclosure further provide a network slice selection function network element, as shown in fig. 6, where the network slice selection function network element 60 includes a memory 61 and a processor 62, the memory 61 stores a computer program, and when the processor 62 runs the computer program stored in the memory, the processor 62 executes the slice routing rule tamper-proof method applied to the network slice selection function network element.
Based on the same technical concept, the embodiments of the present disclosure further provide a user plane function network element, as shown in fig. 7, where the user plane function network element includes a memory 71 and a processor 72, the memory 71 stores a computer program, and when the processor 72 runs the computer program stored in the memory 71, the processor 72 executes the slice routing rule tamper-proof method applied to the user plane function network element.
Based on the same technical concept, the embodiments of the present disclosure further provide a computer readable storage medium on which a computer program is stored, wherein when the computer program is executed by a processor, the processor executes the slice routing rule tamper-proof method applied to the terminal, the one applied to the network slice selection function network element, or the one applied to the user plane function network element.
In summary, the embodiments of the present disclosure have at least the following beneficial effects: 1) the terminal uses the fixed (unique) physical storage address of the APK/APP as the identifier of the APP ID in the URSP and stores the identifiers in a distributed manner, with every application storing the storage positions of the other applications, which raises the difficulty of tampering with an identifier and prevents a single application from tampering with its own; 2) the UPF area managed by each NSSF is logically partitioned, and the same set of random codes is issued to the terminals entering the logical area and to its UPFs, each random code serving one application program of one slice. The terminal adds the random code to the application's data packets, and the UPF judges where the data packets of the application carried by the current slice are routed; if they point to the set of DN addresses already reached by packets with the same random code in the history record, the application is shown not to be stealing the slice service.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. 
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present disclosure, and not for limiting the same; although the present disclosure has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the corresponding technical solutions from the scope of the technical solutions of the embodiments of the present disclosure.

Claims (9)

1. The slice routing rule tamper-proof method is characterized by being applied to a network slice selection function network element and comprising the following steps of:
allocating to each application program corresponding to each network slice a respective first random code to form a first random code sequence; and
and respectively issuing the first random code sequence to a user plane function network element and a terminal so that after the terminal initiates a slicing session establishment request to a core network, the user plane function network element verifies whether a first random code which is sent by the terminal and can use a first application program of the slicing is in the first random code sequence sent by the network slicing selection function network element, and if not, the slicing session is prevented from being carried out.
2. The method as recited in claim 1, further comprising:
the network slice selection function network elements of different areas respectively perform logic slice area partition on the user plane function network elements;
the step of issuing the first random code sequence to a user plane function network element comprises the following step:
and the network slice selection function network element of each area transmits the first random code sequence to the user plane function network element of the logic slice area under the management of each area.
3. The method as recited in claim 1, further comprising:
and updating the first random code sequence based on the position information of the network element of the first random code sequence and a preset time period.
4. The slice routing rule tamper-proof method is characterized by being applied to a user plane function network element and comprising the following steps:
receiving a first random code sequence sent by a network slice selection function network element, wherein the first random code sequence is formed by respective first random codes distributed by the network slice selection function network element to each application program corresponding to each network slice;
after a terminal initiates a slice session establishment request to a core network, receiving a first random code which is sent by the terminal and can use a first application program of the slice;
Verifying whether a first random code of a first application program capable of using the slice transmitted by the terminal is in the first random code sequence transmitted by the network slice selection function network element;
and if it is not in the first random code sequence, stopping the slice session.
5. The method of claim 4, wherein the receiving the first random code of the first application capable of using the slice transmitted by the terminal comprises:
receiving an uplink data packet of the first application program sent by the terminal, wherein the terminal inserts a first random code of the first application program into a preset position of the uplink data packet of the first application program; and
and acquiring a first random code of the first application program from an uplink data link data packet of the first application program.
6. The method of claim 5, further comprising, after verifying whether a first random code of a first application capable of using the slice transmitted by the terminal is in the first random code sequence transmitted by the network slice selection function network element:
if the first random code is in the first random code sequence, obtaining the DN server address pointed to by the uplink data packet of the first application program;
acquiring, from a history record, the set of DN server addresses pointed to by data packets carrying a random code identical to the first random code of the first application program;
judging whether the DN server address exists in the DN server address set, and if not, stopping the slicing session.
7. A network slice selection function network element comprising a memory and a processor, the memory having stored therein a computer program which, when executed by the processor, performs the slice routing rule tamper-proof method according to any one of claims 1 to 3.
8. A user plane function network element comprising a memory and a processor, the memory having stored therein a computer program which, when executed by the processor, performs the slice routing rule tamper-proof method according to any one of claims 4 to 6.
9. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, performs the slice routing rule tamper-proof method according to any one of claims 1 to 3 or the slice routing rule tamper-proof method according to any one of claims 4 to 6.
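The user-plane checks of claims 4 to 6 can be illustrated with a small simulation. The following is an added example written for this page, not code from the patent or its applicant. It assumes a constructed uplink packet layout (the random code at a fixed preset offset, followed by a length-prefixed DN server address and the payload), a 16-byte random code, and that the first packet seen for a given code seeds the history record from which the DN server address set is built; none of these details are specified in the claims.

```python
"""Simulation of the NSSF/terminal/UPF roles in the slice routing rule
tamper-proof method (added example; packet layout, code length and
history seeding are assumptions, not taken from the patent)."""
import secrets

CODE_LEN = 16    # assumed length of each first random code, in bytes
CODE_OFFSET = 0  # assumed preset position of the code in the uplink packet


class NSSF:
    """Network slice selection function: allocates one random code per
    (slice, application) pair; the resulting mapping is the
    'first random code sequence' issued to the UPF and the terminal."""

    def __init__(self):
        self.sequence = {}  # (slice_id, app_id) -> random code (bytes)

    def allocate(self, slices):
        """slices: {slice_id: [app_id, ...]}. Returns the code sequence."""
        for slice_id, apps in slices.items():
            for app_id in apps:
                self.sequence[(slice_id, app_id)] = secrets.token_bytes(CODE_LEN)
        return dict(self.sequence)


def build_uplink_packet(code, dn_addr, payload):
    """Terminal side (claim 5): insert the application's random code at the
    preset position. Constructed wire format:
    code | 1-byte address length | DN server address | payload."""
    addr = dn_addr.encode("ascii")
    if len(addr) > 255:
        raise ValueError("DN address too long for 1-byte length field")
    return code + bytes([len(addr)]) + addr + payload


class UPF:
    """User plane function: verifies the code (claims 4 and 5) and the
    DN server address against the history record (claim 6)."""

    def __init__(self, sequence):
        # Only the codes themselves matter for membership checks.
        self.valid_codes = set(sequence.values())
        # history: code -> set of DN server addresses previously seen with it
        self.history = {}

    def parse(self, packet):
        """Extract (code, dn_addr) from the assumed packet layout, or None."""
        if len(packet) < CODE_OFFSET + CODE_LEN + 1:
            return None
        code = packet[CODE_OFFSET:CODE_OFFSET + CODE_LEN]
        n = packet[CODE_OFFSET + CODE_LEN]
        start = CODE_OFFSET + CODE_LEN + 1
        if len(packet) < start + n:
            return None
        return code, packet[start:start + n].decode("ascii", errors="replace")

    def check(self, packet):
        """Return (allowed, reason). A False result means the slice session
        is stopped, as the claims require."""
        parsed = self.parse(packet)
        if parsed is None:
            return False, "malformed uplink packet"
        code, dn_addr = parsed
        # Claim 4: the code must be in the sequence issued by the NSSF.
        if code not in self.valid_codes:
            return False, "random code not in first random code sequence"
        # Claim 6: the DN server address must be in the set of addresses
        # historically used with this code. Assumption: the first packet
        # for a code seeds that set, since the claims do not say how the
        # history record is initialised.
        seen = self.history.setdefault(code, set())
        if seen and dn_addr not in seen:
            return False, "DN server address not in history set for this code"
        seen.add(dn_addr)
        return True, "ok"


def demo():
    """Run the three cases a practitioner would want to see: an authorised
    application, an application with a forged or unknown code, and an
    authorised code redirected to a DN address not in its history."""
    nssf = NSSF()
    seq = nssf.allocate({"slice-A": ["app1", "app2"], "slice-B": ["app3"]})
    upf = UPF(seq)
    good_code = seq[("slice-A", "app1")]
    results = [
        upf.check(build_uplink_packet(good_code, "10.0.0.1", b"data")),
        upf.check(build_uplink_packet(bytes(CODE_LEN), "10.0.0.1", b"data")),
        upf.check(build_uplink_packet(good_code, "10.0.0.2", b"data")),
    ]
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "STOP ", reason)
```

The membership test alone only proves that the sender holds some code from the sequence; the history check in claim 6 is what ties a code to the destinations it has legitimately been used with, which is why both checks are kept separate in `UPF.check` and return distinct reasons for logging.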
CN202211605268.9A 2021-03-09 2021-03-09 Slice routing rule tamper-proof method, network element and medium Pending CN116033429A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211605268.9A CN116033429A (en) 2021-03-09 2021-03-09 Slice routing rule tamper-proof method, network element and medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110257234.4A CN113038477B (en) 2021-03-09 2021-03-09 Slice routing rule tamper-proof method, terminal and medium
CN202211605268.9A CN116033429A (en) 2021-03-09 2021-03-09 Slice routing rule tamper-proof method, network element and medium

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202110257234.4A Division CN113038477B (en) 2021-03-09 2021-03-09 Slice routing rule tamper-proof method, terminal and medium

Publications (1)

Publication Number Publication Date
CN116033429A true CN116033429A (en) 2023-04-28

Family

ID=76467472

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202110257234.4A Active CN113038477B (en) 2021-03-09 2021-03-09 Slice routing rule tamper-proof method, terminal and medium
CN202211605268.9A Pending CN116033429A (en) 2021-03-09 2021-03-09 Slice routing rule tamper-proof method, network element and medium

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202110257234.4A Active CN113038477B (en) 2021-03-09 2021-03-09 Slice routing rule tamper-proof method, terminal and medium

Country Status (1)

Country Link
CN (2) CN113038477B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113993129B (en) * 2021-10-27 2023-07-14 中国联合网络通信集团有限公司 PDU session establishment method, terminal and computer readable storage medium

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3840464A1 (en) * 2016-05-12 2021-06-23 Convida Wireless, LLC Connecting to virtualized mobile core networks
WO2019127038A1 (en) * 2017-12-26 2019-07-04 Oppo广东移动通信有限公司 Method for data transmission, terminal device and network device
CN112087815B (en) * 2019-06-13 2023-03-10 华为技术有限公司 Communication method, device and system
CN110430590B (en) * 2019-08-15 2022-04-19 广东工业大学 Network slice matching method and device
CN111314475B (en) * 2020-02-21 2021-05-04 北京紫光展锐通信技术有限公司 Session creation method and related equipment
CN114338406A (en) * 2020-05-13 2022-04-12 北京紫光展锐通信技术有限公司 Route access method, device, electronic equipment and storage medium
CN111641989B (en) * 2020-06-01 2021-04-09 展讯通信(天津)有限公司 Protocol data unit session establishing method and related device
CN111787533B (en) * 2020-06-30 2022-08-26 中国联合网络通信集团有限公司 Encryption method, slice management method, terminal and access and mobility management entity
CN111885590B (en) * 2020-07-29 2022-04-08 中国联合网络通信集团有限公司 Correlation method and system
CN112073979B (en) * 2020-08-13 2022-02-22 展讯通信(天津)有限公司 Channel descriptor transmission method and related device

Also Published As

Publication number Publication date
CN113038477B (en) 2023-01-10
CN113038477A (en) 2021-06-25

Similar Documents

Publication Publication Date Title
CN109511115B (en) Authorization method and network element
CN108848502B (en) Method for protecting SUPI (supl interconnection) by using 5G-AKA (alkyl ketene dimmer)
US9706512B2 (en) Security method and system for supporting re-subscription or additional subscription restriction policy in mobile communications
JP6231054B2 (en) Verification and management of wireless device platforms
US8046583B2 (en) Wireless terminal
CN111246471B (en) Terminal access method and device
CN108683690B (en) Authentication method, user equipment, authentication device, authentication server and storage medium
CN112235798B (en) Method, terminal and newly added network element for redirecting to AMF in idle state
CN110830990B (en) Identity information processing method and device and storage medium
JP2009509463A (en) Method and apparatus for utilizing a mobile node for state transfer
JP2007511122A (en) How to manage application security with security modules
WO2008115984A1 (en) Vehicle segment certificate management using shared certificate schemes
CN111246474B (en) Base station authentication method and device
CN109792443B (en) Blacklist management method of distributed authentication framework based on IBC
WO2019206286A1 (en) Method, apparatus and system for accessing network slice
CN111787533A (en) Encryption method, slice management method, terminal and access and mobility management entity
US20100095003A1 (en) Policy Control Architecture Comprising an Independent Identity Provider
CN112512044A (en) Subscription data updating method, device, node and storage medium
CN113038477B (en) Slice routing rule tamper-proof method, terminal and medium
CN112243224B (en) Edge computing network implementation method and device
EP3518491A1 (en) Registering or authenticating user equipment to a visited public land mobile network
CN112118549B (en) Authentication method, SMF, CHF, computer device, and storage medium
US20200186995A1 (en) Proof-of-presence indicator
CN114978741B (en) Inter-system authentication method and system
CN113347627B (en) Wireless network access method, device and mobile terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination