WO2024001524A1 - Communication method and apparatus - Google Patents

Communication method and apparatus

Info

Publication number
WO2024001524A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
security
target
session
terminal device
Prior art date
Application number
PCT/CN2023/092717
Other languages
French (fr)
Chinese (zh)
Inventor
王亚鑫
李岩
吴义壮
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/40 Network security protocols
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement

Definitions

  • the present application relates to the field of communication technology, and in particular to a communication method and apparatus.
  • the Internet Protocol Security (IPSec) protocol provides security protection at the Internet Protocol (IP) layer of a communication system and thereby protects the transmission of sensitive data over an insecure network.
  • IP Internet Protocol
  • the communicating parties can perform security operations such as encryption and data-origin authentication at the IP layer to ensure the confidentiality, integrity, data-origin authentication and anti-replay protection of data packets during network transmission.
  • the IPSec protocol is a protocol suite that includes two security processing protocols and one key exchange protocol.
  • the security processing protocols include: authentication header (AH) protocol and encapsulating security payload (ESP) protocol;
  • the key exchange protocol is the Internet key exchange (IKE) protocol.
  • SA Security association
  • each security processing protocol (i.e. the AH protocol and the ESP protocol) needs a corresponding SA (referred to below as the AH SA and the ESP SA) in order to operate; the IKE protocol likewise requires a corresponding SA (referred to as the IKE SA).
  • the AH SA and the ESP SA are both unidirectional logical connections. That is, when both communicating parties use the same security processing protocol to send data to each other, they need to establish an SA of that protocol for each data transmission direction.
  • a security gateway is deployed between the user plane function (UPF) network element and the data network (DN). End-to-end data security protection at the IP layer can be achieved through the IPSec protocol between the terminal device and the security gateway.
  • UPF user plane function
  • DN data network
  • an IPSec negotiation process needs to be carried out between the terminal device and the security gateway through user plane operations in order to create and maintain the IPSec SAs and thereby implement the IPSec security mechanism.
  • such user plane operations may create new security risks, such as leakage of the security parameters used to create the IPSec SAs.
  • the target SA is an Internet key exchange (IKE) SA.
  • the first message is a first session establishment request message; and the fourth message is a first session establishment response message.
  • the first message also includes first indication information, and the first indication information is used to instruct the terminal device to request data encryption.
  • the session management function network element may also assign the target security gateway to the terminal device in order to establish the IKE SA.
  • the session management function network element can allocate the target security gateway to the terminal device through the following steps:
  • allocate a user plane function network element to the terminal device, and select the target security gateway from at least one security gateway associated with that user plane function network element.
  • the session management function network element may select the target security gateway based on the load, physical location and other information of the at least one security gateway.
  • the target security gateway assigned to the terminal device is associated with the user plane function network element of the terminal device, which ensures that the data packets subsequently transmitted between the target security gateway and the terminal device through the IPSec child SA can reuse the session of the terminal device in the mobile communication system.
  • the second message also includes an identifier of the user plane functional network element.
  • the session management function network element or the user plane function network element can also assign an IP address to the terminal device.
  • the second message may also include the IP address of the terminal device.
  • the first forwarding rule configuration information is used to instruct the user plane function network element to map the data packets transmitted between the terminal device and the target security gateway through the IKE SA to the first quality of service flow in the session of the terminal device.
  • the first quality of service flow may be the default quality of service flow in the session of the terminal device.
  • the session of the terminal device in the mobile communication system can thus be reused to carry the data packets transmitted through the IKE SA between the terminal device and the target security gateway.
  • the first security parameter includes at least one of the following: the security parameter index (SPI) of the terminal device, the key material of the terminal device, the IKE SA encryption algorithm supported by the terminal device, or the first random number used to generate the IKE SA key;
  • the target SA is a security processing protocol SA.
  • the core network control plane network element can establish the security processing protocol SA in the process of creating QoS flows through the session modification process.
  • the session management function network element may also send a fifth message to the access and mobility management function network element.
  • the fifth message is used to request the first security parameter, and the first message is a response message to the fifth message.
  • the session management function network element can request the first security parameter from the access and mobility management function network element.
  • the session management function network element can trigger sending the fifth message to the access and mobility management function network element through the following steps:
  • the session management function network element can decide to establish the second quality of service flow after receiving a policy modification notification message, a subscription modification notification message or a session modification request message, and thereby trigger the request for the first security parameter from the access and mobility management function network element.
  • the session management function network element can also create the second quality of service flow based on the information of the second quality of service flow, and send the second forwarding rule configuration information to the user plane function network element; the second forwarding rule configuration information is used to instruct the user plane function network element to forward the data packets received from the terminal device through the second quality of service flow to the target security gateway.
  • the user plane function network element can map the data packets transmitted by the terminal device through the second quality of service flow to the security processing protocol SA, so that it can transmit those data packets to the target security gateway, thereby binding the security processing protocol SA to the second quality of service flow.
  • the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identity of the first processing entity in the terminal device, the authentication information of the terminal device, the first security processing protocol SA encryption algorithm supported by the terminal device, the first data flow selection rule, or a third random number used to generate the first security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identification of the second processing entity in the target security gateway, the authentication information of the target security gateway, the first security processing protocol SA encryption algorithm supported by the target security gateway, the second data flow selection rule, or the fourth random number used to generate the first security processing protocol SA key.
  • the first message also includes a session identifier of the session of the terminal device; and the fourth message includes the session identifier.
  • embodiments of the present application provide a communication method, which can be applied to access and mobility management functional network elements.
  • the method may include the following steps:
  • control plane network elements in the mobile communication system can complete the transfer of security parameters through interaction and implement IPSec negotiation.
  • the target SA is an Internet key exchange (IKE) SA.
  • the first message is a first session establishment request message and the fourth message is a first session establishment response message; before sending the first message to the session management function network element, the access and mobility management function network element may also receive a second session establishment request message from the terminal device, and after receiving the fourth message from the session management function network element it may also send a second session establishment response message to the terminal device.
  • core network control plane network elements can establish IKE SA through the session establishment process.
  • the access and mobility management function network element can obtain the first security parameter in the following manner:
  • Method 1: the second session establishment request message contains the first security parameter;
  • Method 2: the second session establishment request message contains the first parameter part of the first security parameter; before sending the first message to the session management function network element, the access and mobility management function network element also obtains the second parameter part of the first security parameter from the unified data management network element or the authentication server function network element according to the identification of the terminal device, where the first parameter part and the second parameter part together constitute the first security parameter;
  • Method 3: before sending the first message to the session management function network element, the access and mobility management function network element may also determine the first security parameter itself.
  • the second session establishment response message contains part or all of the first security parameter, and/or the second session establishment response message contains part or all of the second security parameter.
  • the first message contains first indication information
  • the second session establishment request message contains the first indication information
  • the first indication information is used to indicate that the terminal device requests data encryption.
  • the fourth message contains the Internet Protocol IP address of the target security gateway.
  • the first security parameter includes at least one of the following: the security parameter index (SPI) of the terminal device, the key material of the terminal device, the IKE SA encryption algorithm supported by the terminal device, or the first random number used to generate the IKE SA key;
  • the second security parameter includes at least one of the following: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithm supported by the target security gateway, or the second random number used to generate the IKE SA key.
  • the target SA is a security processing protocol SA.
  • the first message is a first session modification request message and the fourth message is a first session modification response message; before sending the first message to the session management function network element, the access and mobility management function network element may also receive a second session modification request message from the terminal device, and after receiving the fourth message from the session management function network element it may also send a second session modification response message to the terminal device; the first session modification request message and the second session modification request message include information about the second quality of service flow that the terminal device requests to establish.
  • the core network control plane network element can establish the security processing protocol SA in the process of creating a quality of service flow through the session modification process.
  • the access and mobility management function network element can obtain the first security parameter in the following manner:
  • Method 1: the second session modification request message contains the first security parameter;
  • Method 2: the second session modification request message contains the first parameter part of the first security parameter; before sending the first message to the session management function network element, the access and mobility management function network element also obtains the second parameter part from the saved first security parameter, where the first parameter part and the second parameter part together constitute the first security parameter;
  • Method 3: before sending the first message to the session management function network element, the access and mobility management function network element may also obtain the saved first security parameter.
  • the access and mobility management function network element may also receive a fifth message from the session management function network element, where the fifth message is used to request the first security parameter;
  • the first message is a response message to the fifth message;
  • the fourth message is a first session modification response message; after receiving the fourth message from the session management function network element, the access and mobility management function network element may also send a second session modification response message to the terminal device.
  • the second session modification response message contains part or all of the first security parameter, and/or the second session modification response message contains part or all of the second security parameter.
  • the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identification of the first processing entity in the terminal device, the authentication information of the terminal device, the security processing protocol SA encryption algorithm supported by the terminal device, the first data flow selection rule, or a third random number used to generate the security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identification of the second processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, the second data flow selection rule, or the fourth random number used to generate the security processing protocol SA key.
  • the first message also includes a session identifier of the session of the terminal device; and the fourth message includes the session identifier.
  • the access and mobility management function network element may also generate an SA key based on the first security parameter and the second security parameter, and send the SA key to the terminal device.
  • the terminal device can use the SA key to securely protect the data packets transmitted through the target SA.
  • embodiments of the present application also provide a communication method, which can be applied to the target security gateway.
  • the method may include the following steps:
  • the second message is used to request the establishment of the target security association (SA); the target security gateway sends a third message to the session management function network element, where the third message contains the second security parameter of the target security gateway, the second security parameter is used to establish the target SA, and the third message is a response message to the second message.
  • the core network control plane element of the mobile communication system can transfer the security parameters of the UE and the security parameters of the target security gateway through interaction with the target security gateway, thereby completing the IPSec negotiation. Since the IPSec negotiation is completed through the core network control plane, and the core network has high security, this method avoids the risk of security parameter leakage that comes with transmitting security parameters over the user plane, ensures the security of the IPSec negotiation process, and in turn ensures the security of the user data or signaling subsequently transmitted through the established SA.
  • the target SA is an Internet key exchange (IKE) SA.
  • the target security gateway may also allocate itself an Internet Protocol (IP) address for the target SA;
  • the third message also includes the IP address of the target security gateway;
  • the second message also includes the IP address of the terminal device.
  • the first security parameter includes at least one of the following: the security parameter index (SPI) of the terminal device, the key material of the terminal device, the IKE SA encryption algorithm supported by the terminal device, or the first random number used to generate the IKE SA key;
  • the second security parameter includes at least one of the following: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithm supported by the target security gateway, or the second random number used to generate the IKE SA key.
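The IKE SA establishment described in the session management, access and mobility management, and target security gateway passages above, as a constructed Python simulation that is not part of the patent: the UE's first security parameter travels UE -> AMF -> SMF -> security gateway and the gateway's second security parameter travels back, all on the control plane, the SMF picks the gateway from those associated with the UE's UPF, and the UPF only sees traffic once the forwarding rule maps IKE SA packets to the default QoS flow. The key derivation function, the IP addresses, gateway names and the load metric are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecurityParams:
    """Per-endpoint security parameter set listed on the page: SPI, key
    material, supported IKE SA algorithms and the random number for the key."""
    spi: int
    key_material: bytes
    ike_algorithms: tuple
    nonce: bytes


@dataclass
class SecurityGateway:
    name: str
    upf: str                     # UPF this gateway is associated with
    load: int                    # constructed load metric used by the SMF
    ip: str = ""
    params: SecurityParams = None

    def handle_second_message(self, msg):
        """Gateway side: allocate its own IP for the SA and answer with the
        third message carrying the second security parameter."""
        self.ip = "198.51.100.1"  # placeholder (TEST-NET-2), not from the page
        self.params = SecurityParams(spi=secrets.randbits(32),
                                     key_material=secrets.token_bytes(32),
                                     ike_algorithms=("AES-256-GCM",),
                                     nonce=secrets.token_bytes(16))
        return {"gw_params": self.params, "gw_ip": self.ip, "ue_ip": msg["ue_ip"]}


@dataclass
class UserPlane:
    """The UPF. Everything crossing the user plane is logged so a check can
    confirm that no security parameter travelled over it during negotiation."""
    forwarding_rules: dict = field(default_factory=dict)
    forwarded: list = field(default_factory=list)

    def forward(self, src_ip, dst_ip, payload):
        flow = (self.forwarding_rules.get((src_ip, dst_ip))
                or self.forwarding_rules.get((dst_ip, src_ip)))
        self.forwarded.append((src_ip, dst_ip, flow, payload))
        return flow


def select_gateway(gateways, upf):
    """SMF step: the target gateway must be associated with the UE's UPF; among
    those, take the least loaded one (the page also mentions location)."""
    candidates = [g for g in gateways if g.upf == upf]
    if not candidates:
        raise LookupError(f"no security gateway associated with {upf}")
    return min(candidates, key=lambda g: g.load)


def derive_sa_key(ue, gw):
    """Stand-in KDF (assumption): the page only says the SA key is generated
    from both parameter sets. HMAC-SHA256 over both SPIs and both random
    numbers, keyed with the concatenated key material, is used to illustrate."""
    ikm = ue.key_material + gw.key_material
    info = ue.spi.to_bytes(4, "big") + gw.spi.to_bytes(4, "big") + ue.nonce + gw.nonce
    return hmac.new(ikm, info, hashlib.sha256).digest()


def negotiate_ike_sa(ue_params, ue_ip, gateways, ue_upf, user_plane,
                     session_id="pdu-session-1"):
    """Control-plane session establishment flow; message names follow the page."""
    # Second session establishment request (UE -> AMF), Method 1: the request
    # carries the whole first security parameter and the encryption indication.
    nas_request = {"ue_params": ue_params, "request_encryption": True}
    # First message (AMF -> SMF): first security parameter, first indication
    # information and the session identifier.
    first_message = {"session_id": session_id, **nas_request}
    # SMF allocates the UPF and selects the target gateway associated with it.
    gateway = select_gateway(gateways, ue_upf)
    # Second message (SMF -> gateway): first security parameter plus UE IP.
    second_message = {"ue_params": first_message["ue_params"], "ue_ip": ue_ip}
    third_message = gateway.handle_second_message(second_message)
    # First forwarding rule configuration (SMF -> UPF): IKE SA packets between
    # the UE and the gateway are mapped to the default QoS flow of the session.
    user_plane.forwarding_rules[(ue_ip, gateway.ip)] = f"{session_id}/default-qos-flow"
    # Fourth message (SMF -> AMF): second security parameter, gateway IP, session id.
    fourth_message = {"session_id": session_id, **third_message}
    # Second session establishment response (AMF -> UE) carries the second
    # security parameter; the AMF may instead derive the key and send it.
    nas_response = {"gw_params": fourth_message["gw_params"], "gw_ip": fourth_message["gw_ip"]}
    ue_key = derive_sa_key(ue_params, nas_response["gw_params"])
    gw_key = derive_sa_key(second_message["ue_params"], gateway.params)
    return {"gateway": gateway, "ue_key": ue_key, "gw_key": gw_key,
            "user_plane_packets_during_negotiation": len(user_plane.forwarded)}


def demo():
    """Constructed topology: two gateways behind upf-1, one behind upf-2."""
    gateways = [SecurityGateway("secgw-a", upf="upf-1", load=40),
                SecurityGateway("secgw-b", upf="upf-1", load=10),
                SecurityGateway("secgw-c", upf="upf-2", load=1)]
    ue = SecurityParams(spi=0x1001, key_material=b"\x11" * 32,
                        ike_algorithms=("AES-256-GCM",), nonce=b"\x22" * 16)
    up = UserPlane()
    result = negotiate_ike_sa(ue, "203.0.113.7", gateways, "upf-1", up)
    # Only now does user-plane traffic appear, already mapped to the QoS flow.
    flow = up.forward("203.0.113.7", result["gateway"].ip, b"<IKE SA packet>")
    return result, flow
```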
  • the target SA is a security processing protocol SA.
  • the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identification of the first processing entity in the terminal device, the authentication information of the terminal device, the security processing protocol SA encryption algorithm supported by the terminal device, the first data flow selection rule, or a third random number used to generate the security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identification of the second processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, the second data flow selection rule, or the fourth random number used to generate the security processing protocol SA key.
  • the target security gateway can use the SA key to securely protect data packets transmitted through the target SA.
  • embodiments of the present application provide a communication method, which can be applied to session management function network elements.
  • the method may include the following steps:
  • the core network control plane element of the mobile communication system can transfer the security parameters of the UE and the security parameters of the target security gateway through interaction with the target security gateway, thereby completing the IPSec negotiation. Since the IPSec negotiation is completed through the core network control plane, and the core network has high security, this method avoids the risk of security parameter leakage that comes with transmitting security parameters over the user plane, ensures the security of the IPSec negotiation process, and in turn ensures the security of the user data or signaling subsequently transmitted through the established SA.
  • the session management function network element can trigger sending the first message to the target security gateway through the following steps:
  • the session management function network element may decide to establish the first quality of service flow after receiving the policy modification notification message, subscription modification notification message or session modification request message, thereby triggering a request for the first security parameter from the target security gateway.
  • the third message is a first session modification command message and also contains information about the first quality of service flow; the fourth message is a first session modification confirmation message and also includes information about the first quality of service flow.
  • the session management function network element can also create the first quality of service flow based on the information of the first quality of service flow, and send the first forwarding rule configuration information to the user plane function network element;
  • the first forwarding rule configuration information is used to instruct the user plane functional network element to map data packets transmitted by the target security gateway through the security processing protocol SA to the first quality of service flow.
  • the mobile communication system can couple the security processing protocol SA with the quality of service flow in the session, ensuring that the data flow in the security processing protocol SA is transmitted through the corresponding quality of service flow and thereby meets the QoS requirements of the service.
  • the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identity of the first processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, the first data flow selection rule, or the first random number used to generate the security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identification of the second processing entity in the terminal device, the authentication information of the terminal device, the security processing protocol SA encryption algorithm supported by the terminal device, the second data flow selection rule, or the second random number used to generate the security processing protocol SA key.
  • the first message contains a third security parameter of the target security gateway; the first security parameter is determined based on the third security parameter.
  • embodiments of the present application also provide a communication method, which can be applied to access and mobility management functional network elements.
  • the method may include the following steps:
  • the third message contains a first security parameter of the target security gateway, the first security parameter is used to establish a security processing protocol security association (SA) between the terminal device and the target security gateway, and the third message is used to request the establishment of the security processing protocol SA; the access and mobility management function network element sends a fourth message to the session management function network element, where the fourth message contains the second security parameter of the terminal device, the second security parameter is used to establish the security processing protocol SA, and the fourth message is a response message to the third message.
  • control plane network elements in the mobile communication system can complete the transfer of security parameters through interaction and implement IPSec negotiation.
  • the third message is a first session modification command message, and the third message also contains information about the first quality of service stream that needs to be established in the session of the terminal device;
  • the fourth message is a first session modification confirmation message, and the fourth message also includes information about the first quality of service flow.
  • the core network control plane network element can establish the security processing protocol SA in the process of creating a quality of service flow through the session modification process.
  • the access and mobility management function network element may also send a session modification request message to the session management function network element, where the session modification request message includes information indicating that the terminal device requests to establish the first quality of service flow in the session of the terminal device.
  • the access and mobility management function network element may also send a second session modification command message to the terminal device, where the second session modification command message includes the information of the first quality of service flow, and receive a second session modification confirmation message from the terminal device, where the second session modification confirmation message includes the information of the first quality of service flow.
  • the second session modification command message also includes part or all of the first security parameter, and/or the second session modification confirmation message also includes part or all of the second security parameter.
  • the second session modification command message also includes a fourth security parameter of the terminal device; the second security parameter is determined based on the fourth security parameter.
  • the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identity of the first processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, the first data flow selection rule, or the first random number used to generate the security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identification of the second processing entity in the terminal device, the authentication information of the terminal device, the security processing protocol SA encryption algorithm supported by the terminal device, the second data flow selection rule, or the second random number used to generate the security processing protocol SA key.
  • the access and mobility management function network element can also generate a security processing protocol SA key according to the first security parameter and the second security parameter, and send the security processing protocol SA key to the terminal device.
  • the terminal device can use the secure processing protocol SA key to securely protect the data packets transmitted through the secure processing protocol SA.
  • embodiments of the present application provide a communication method, which can be applied to the target security gateway.
  • the method may include the following steps:
  • Receive a first message, and send a second message to the session management function network element; wherein the second message contains the first security parameter of the target security gateway, the first security parameter is used to establish the security processing protocol SA, and the second message is the response message to the first message.
  • Receive a fifth message from the session management function network element; wherein the fifth message contains the second security parameter of the terminal device, the second security parameter is used to establish the security processing protocol SA, and the fifth message is used to request the establishment of the security processing protocol SA.
  • the core network control plane network element of the mobile communication system can transfer the security parameters of the UE and the security parameters of the target security gateway through interaction with the target security gateway, thereby completing the IPSec negotiation. Since the IPSec negotiation process is completed through the core network control plane, and the core network has high security, this method can avoid the risk of security parameter leakage that user plane transmission of security parameters would bring, ensure the security of the IPSec negotiation process, and thus ensure the security of the subsequent transmission of user data or signaling through the established SA.
  • the first message contains the third security parameter of the target security gateway; before sending the second message to the session management function network element, the target security gateway may also determine the first security parameter according to the third security parameter.
  • the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identity of the first processing entity in the target security gateway, the authentication information of the target security gateway, the first security processing protocol SA encryption algorithm supported by the target security gateway, the first data flow selection rule, or the first random number used to generate the first security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identification of the second processing entity in the terminal device, the authentication information of the terminal device, the first security processing protocol SA encryption algorithm supported by the terminal device, the second data flow selection rule, or the second random number used to generate the first security processing protocol SA key.
  • after receiving the fifth message from the session management function network element, the target security gateway can also generate a security processing protocol SA key based on the first security parameter and the second security parameter.
  • the target security gateway can use the security processing protocol SA key to securely protect the data packets transmitted through the security processing protocol SA.
  • embodiments of the present application provide a communication method, which can be applied to session management function network elements.
  • the method may include the following steps:
  • Receive a first message, wherein the first message contains information about a first quality of service flow that needs to be established in the session of the terminal device; create the first quality of service flow according to the information of the first quality of service flow; obtain the security parameters of the security processing protocol SA established between the terminal device and the target security gateway; and send first forwarding rule configuration information to the user plane function network element, wherein the first forwarding rule configuration information is used to instruct the user plane function network element to forward the data packets from the terminal device received through the first quality of service flow to the target security gateway, and/or to map the data packets transmitted by the target security gateway through the security processing protocol SA to the first quality of service flow.
  • the core network control plane network element can bind the security processing protocol SA to the quality of service flow in the session of the terminal device. In this way, the terminal device and the target security gateway can subsequently transmit the service data packets of the terminal device through the security processing protocol SA in the first QoS flow of the user plane.
  • the session management function network element may receive the first message in the following manner:
  • Method 1: Receive a policy modification notification message from the policy control function network element, wherein the policy modification notification message includes the information of the first quality of service flow that the policy control function network element requests to establish in the session of the terminal device;
  • Method 2: Receive a subscription modification notification message from the unified data management network element, wherein the subscription modification notification message contains the information of the first quality of service flow that the unified data management network element requests to establish in the session of the terminal device;
  • Method 3: Receive a session modification request message from the access and mobility management function network element, wherein the session modification request message includes the information of the first quality of service flow that the terminal device requests to establish in the session of the terminal device.
  • the session management function network element may, but is not limited to, obtain the security parameters of the security processing protocol SA established between the terminal device and the target security gateway in the following manner:
  • Method 1: Obtain the security parameters from the first message.
  • an embodiment of the present application provides a communication device, including a unit for performing each of the steps in the above first to seventh aspects.
  • embodiments of the present application provide a communication device, including at least one processing element and at least one storage element, wherein the at least one storage element is used to store programs and data, and the at least one processing element is used to execute the methods provided in the above first to seventh aspects of the present application.
  • embodiments of the present application also provide a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program.
  • When the computer program is executed by a computer, it causes the computer to execute the method provided in any of the above aspects.
  • embodiments of the present application also provide a chip, which is used to read the computer program stored in the memory and execute the method provided in any of the above aspects.
  • the chip may include a processor and a memory, and the processor is configured to read the computer program stored in the memory to implement the method provided in the above embodiments.
  • embodiments of the present application further provide a chip system.
  • the chip system includes a processor and is used to support a computer device to implement the method provided in any of the above aspects.
  • the chip system also includes a memory, and the memory is used to save necessary programs and data of the computer device.
  • the chip system can be composed of chips or include chips and other discrete devices.
  • Figure 1 is a schematic architectural diagram of a communication system provided by an embodiment of the present application.
  • FIG. 2 is a schematic architectural diagram of another communication system provided by an embodiment of the present application.
  • Figure 3 is a schematic diagram of the current establishment process of IKE SA and IPSec sub-SA.
  • Figure 4 is a schematic diagram of the protocol stack in the communication system supporting the IPSec protocol provided by an embodiment of the present application.
  • Figure 5 is a schematic diagram of an encapsulation mode of data packets under the IPSec protocol provided by an embodiment of the present application.
  • Figure 6 is a flow chart of a communication method provided by an embodiment of the present application.
  • Figure 8 is a flow chart of a communication method provided by an embodiment of the present application.
  • Figure 9 is a flow chart of a communication method provided by an embodiment of the present application.
  • Figure 10 is a flow chart of a communication method provided by an embodiment of the present application.
  • Figure 11 is a flow chart of a communication method provided by an embodiment of the present application.
  • Figure 13 is a flow chart of a communication method provided by an embodiment of the present application.
  • Figure 14 is a structural diagram of a communication device provided by an embodiment of the present application.
  • Figure 15 is a structural diagram of a communication device provided by an embodiment of the present application.
  • This application provides a communication method and device for implementing security protection through the IPSec protocol in a mobile communication system, so as to ensure the security of the IPSec negotiation process in various scenarios. The method and the device are based on the same technical concept; since the principles by which the method and the device solve the problem are similar, the implementations of the device and the method can refer to each other, and repeated points are not described again.
  • Base station is a device in a communication system that connects terminal equipment to a wireless network.
  • the base station can also be called a network device, a radio access network (RAN) node (or device), an access network (AN) node (or device), also known as access point (AP).
  • some examples of base stations are: new generation Node B (gNB), transmission reception point (TRP), evolved Node B (eNB), radio network controller (RNC), Node B (NB), access point (AP), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved NodeB or home Node B, HNB), base band unit (BBU), enterprise LTE discrete spectrum aggregation (eLTE-DSA) base station, etc.
  • the base station may include a centralized unit (CU) node and a distributed unit (DU) node.
  • This structure splits the protocol layers of the base station: some of the protocol layer functions are centrally controlled by the CU, the remaining part or all of the protocol layer functions are distributed in the DU, and the CU centrally controls the DU.
  • Terminal equipment is a device that provides voice and/or data connectivity to users and can access the base station through the Uu interface.
  • Terminal equipment can also be called user equipment (UE), mobile station (MS), mobile terminal (MT), etc.
  • the terminal equipment is referred to as UE for description.
  • the terminal device can be a handheld device with wireless connection function, various vehicle-mounted devices, roadside units, etc.
  • some examples of terminal devices are: mobile phones, tablets, laptops, PDAs, mobile Internet devices (MID), smart point of sale terminals (POS), and wearable devices.
  • the session of the terminal device is the connection between the terminal device, the base station, the user plane function (UPF) and the data network (DN) established by the mobile communication system for a single terminal device, and is used to transfer user plane data between the terminal device and the DN.
  • the session involved in this application may be a protocol data unit (PDU) session.
  • the session of the terminal device includes the wireless bearer between the terminal device and the base station, the transmission tunnel between the base station and the UPF, and the transmission tunnel between the UPF and the DN.
  • the session of the terminal device is a dedicated communication connection for the terminal device.
  • a terminal device can establish one or more sessions with the mobile communication system, and one or more quality of service (QoS) flows can be established in any session.
  • QoS flow corresponds to one or more services and is used to transmit service data of services with the same QoS requirements.
  • at least one QoS flow in a session corresponds to a radio bearer (RB), and the service data of the at least one QoS flow is transmitted through the RB.
  • the data packets (service flows) transmitted through the session between the terminal device and the DN need to be mapped to the QoS flow for transmission.
  • QoS flows in a session can be identified by a QoS flow identifier (QFI). It should be noted that one or more QFIs can be set for the same QoS flow. For example, a certain QoS flow in the uplink direction can be identified by a first QFI, and the same QoS flow in the downlink direction can be identified by a second QFI.
  • the session of the terminal device may include a default QoS flow, and the default QoS flow may be created when the session is created.
  • the default QoS flow in the session of the terminal device can transmit the data packet of the session when the session does not establish a corresponding QoS flow for a specific service, or the data packet can be transmitted when the QoS flow corresponding to a certain data packet cannot be determined.
  • policy and charging control rules, also known as PCC rules, contain charging-related information and the charging key of the terminal device, and are necessary elements for creating QoS flows. It should be noted that a PCC rule can be allocated with the QoS flow in the session as the granularity, or with the session as the granularity (for example, the default PCC rule allocated for the session).
  • the processing entity in the device is an instance used to implement a certain function in the device.
  • the processing entity can be, but is not limited to: a processing module, a software instance, a processing chip, an operating system, an application (APP), a client, etc. within the device.
  • "a plurality" in this application means two or more, and "at least one" means one or more.
  • the communication method provided by the embodiment of the present application is suitable for a communication system.
  • the architecture of the communication system is shown in Figures 1 and 2. Among them, Figure 1 shows the system architecture based on the reference point, and Figure 2 shows the system architecture based on the service interface.
  • the communication system includes three parts: terminal equipment, mobile communication system and DN.
  • Terminal equipment, referred to as UE for short, is an entity on the user side that can receive and transmit wireless signals. It needs to access the DN through the mobile communication system to implement the UE's services.
  • the UE may be various devices that provide voice and/or data connectivity for users, which is not limited in this application.
  • the DN is also known as a packet data network (PDN).
  • Servers that implement multiple services can be deployed on the DN and can provide data and/or voice services to UEs.
  • the mobile communication system can access at least one DN, and the same DN can also be accessed by at least one mobile communication system.
  • the DN may be the Internet (Internet), IP Multi-media Service (IMS) network, certain application-specific data networks, Ethernet, IP local network, etc., which is not limited in this application.
  • the mobile communication system is deployed and maintained by operators to provide access services and end-to-end connection services for UEs. It can also be called a mobile communication network.
  • the UE can access the DN through the mobile communication system to implement specific services.
  • the mobile communication system may include two parts: a (radio) access network ((R)AN) and a core network (core network, CN).
  • the mobile communication system can establish a session of the UE (for example, a PDU session) between the UE and the DN, so that communication between the two can be achieved.
  • (R)AN is mainly responsible for the wireless access function of UE, and the functions of (R)AN can be realized through the base station.
  • a base station is an entity on the network side that can receive and transmit wireless signals. It is responsible for providing wireless access-related services to UEs within its coverage area, implementing physical layer functions, resource scheduling and wireless resource management, QoS management, wireless access control, user plane data forwarding, and mobility management functions.
  • the base station and UE implement air interface transmission through the Uu interface.
  • the CN is responsible for connecting the UE to different data networks according to the call request or service request sent by the UE through the access network, as well as services such as charging, mobility management, and session management.
  • CN can be divided into control plane (CP) and user plane (UP).
  • the network elements in the CN responsible for control plane functions can be collectively called control plane network elements, and the network elements responsible for user plane functions can be collectively called user plane network elements.
  • the functions of the main network elements in the core network are introduced in detail below.
  • the user plane network element, that is, the user plane function (UPF) network element, referred to as UPF, is mainly responsible for forwarding and receiving the user plane data of the UE.
  • the user plane network element can receive user plane data from the DN and transmit it to the UE through the base station; the user plane network element can also receive user plane data from the UE through the base station and forward it to the DN.
  • the transmission resources and scheduling functions in the user plane network element that provide services for the UE are managed and controlled by the control plane network element.
  • Control plane network elements include: access and mobility management function (AMF) network element, session management function (SMF) network element, policy control function (PCF) network element, authentication server function (AUSF) network element, network exposure function (NEF) network element, unified data repository (UDR) network element, unified data management (UDM) network element, charging function (CHF) network element and application function (AF) network element, etc.
  • the AMF network element, which can be referred to as AMF for short, is mainly responsible for mobility management, access authentication/authorization, and signaling processing in the mobile communication system, such as access control, UE location update, UE registration and de-registration, attach and detach, and SMF selection.
  • AMF is also responsible for transmitting user policies between UE and PCF.
  • the SMF network element which can be referred to as SMF for short, is mainly responsible for session management in the mobile communication system, such as session establishment, modification, release, etc.
  • the functions of SMF include: UPF selection, UPF redirection, Internet protocol (IP) address allocation, bearer establishment, modification and release, and QoS control.
  • the PCF network element which can be referred to as PCF for short, is mainly responsible for supporting the provision of a unified policy framework to control network behavior, providing policy rules to other control plane network elements, and is responsible for obtaining policy-related user subscription information.
  • the AUSF network element, which can be referred to as AUSF for short, is mainly responsible for providing authentication functions and supporting the authentication of third generation partnership project (3GPP) access and non-3GPP access.
  • the NEF network element, which can be referred to as NEF for short, mainly supports the secure interaction between the mobile communication system and third-party applications, and can securely expose network capabilities and events to third parties to enhance or improve application service quality.
  • Mobile communication systems can also securely obtain relevant data from third parties through NEF network elements to enhance the network's intelligent decision-making.
  • the UDR network element which can be referred to as UDR for short, is mainly responsible for storing UE's subscription data, policy data, application data and other types of data.
  • the UDM network element which can be referred to as UDM for short, is mainly responsible for storing and managing UE's subscription data, user access authorization, generating authentication credentials, user identification processing (such as storing and managing user permanent identity identification, etc.) and other functions.
  • the CHF network element, which can be referred to as CHF for short, is mainly responsible for providing traffic quotas to the SMF, authorizing the validity time of traffic quotas, processing billing information, and generating charging function call detail records (CHF-CDR).
  • the AF network element, which can be referred to as AF, mainly transmits the requirements of the application side to the network side and supports interaction with other network elements in the core network to provide services, such as affecting data routing decisions, policy control functions, or providing some third-party services to the network side.
  • the AF network element can be a third-party functional entity or an application service deployed by the operator.
  • the network slice selection function (NSSF) network element, which can be referred to as NSSF for short, is mainly responsible for the selection of network slices.
  • the communication system provided by this application is also configured with a security gateway after the UPF, as shown in Figures 1 and 2.
  • the security gateway supports dynamic control of UE's access to the DN, and has user plane and control plane functions. For example, on the control plane, the security gateway can perform relevant configurations through the control plane interface of the SMF, and can also assign itself an IP address to transmit the user plane data of the UE. On the user plane, the security gateway maintains a user plane connection with UPF to provide IPSec protection for data. It should be noted that the security gateway and UPF can be deployed coupled together or deployed independently.
  • the security gateway can be used as a functional module in the UPF, as an independent network element in the CN, or as a device deployed outside the CN. This application does not limit this.
  • the security gateway may also be called a data access security function (DASF) network element.
  • the above network elements in the CN can be network elements implemented on dedicated hardware, software instances running on dedicated hardware, or virtualized function instances on a virtualization platform (such as a cloud platform).
  • the embodiments of the present application do not limit the distribution form of each network element in the communication system.
  • each of the above network elements can be deployed in different physical devices, or multiple network elements can be integrated into the same physical device.
  • Figure 1 also shows the interactive relationships and corresponding interfaces between various network functional entities in the mobile communication system.
  • Figure 2 also shows the service-oriented interface adopted between some network functional entities in the mobile communication system. It should be noted that in the communication system provided by this application, the security gateway can share the N4 interface with the UPF to communicate with the SMF, as shown in the N4' interface in Figure 1 or Figure 2.
  • the mobile communication system shown in Figure 1 or Figure 2 does not constitute a limitation of the mobile communication systems to which the embodiments of the present application are applicable. Therefore, the communication method provided by the embodiments of the present application can also be applied to communication systems of various standards, such as the long term evolution (LTE) communication system, the fifth generation (5G) communication system, the sixth generation (6G) communication system, and future communication systems.
  • Figure 1 or Figure 2 does not limit the communication scenarios of the mobile communication system.
  • this application can also be applied to various roaming scenarios.
  • each network element may have other names; for example, when multiple network elements are integrated into the same physical device, the physical device can also have other names.
  • the Uu interface between the UE and the base station includes a control plane protocol stack and a user plane protocol stack.
  • the user plane protocol stack includes at least the following protocol layers: physical (PHY) layer, medium access control (MAC) layer, radio link control (RLC) layer, packet data convergence protocol (PDCP) layer, and service data adaptation protocol (SDAP) layer;
  • the control plane protocol stack contains at least the following protocol layers: PHY layer, MAC layer, RLC layer, PDCP layer, and radio resource control (RRC) layer.
  • the IPSec protocol can achieve security protection at the IP layer of the communication system and provide security protection for the transmission of sensitive data in an unsafe network environment.
  • the IPSec protocol can provide the following security services:
  • Data source authentication: authentication of the identity of the communication peer.
  • Integrity protection: ensuring that data is not tampered with during transmission.
  • Replay protection: refusing to receive old or repeatedly sent data packets, to prevent replay attacks.
  • the IPSec protocol system includes two security processing protocols and a key exchange protocol.
  • the security processing protocols include: AH protocol and ESP protocol. It should be noted that the AH protocol and the ESP protocol can be used individually or nested.
  • the key exchange protocol in the IPSec protocol is the IKE protocol.
  • the AH protocol can provide functions such as data source authentication, data integrity verification, and anti-replay attacks. It does not support data encryption.
  • the ESP protocol can provide functions such as data source authentication, data integrity verification, anti-replay function, and data encryption.
  • the IPSec protocol needs to be implemented by establishing an SA between the communicating parties.
  • SA is the basis of the IPSec protocol.
  • SA is an agreement established by two communication entities through negotiation. It is a logical connection created for the purpose of transmission security. All data flows passing through the same SA will receive the same level of security protection, which can determine the specific IPSec protocol, key, and key validity time for security protection.
  • each security processing protocol (i.e., the AH protocol and the ESP protocol) has a corresponding SA (the AH SA and the ESP SA), and the IKE protocol also has a corresponding SA (the IKE SA).
  • the AH protocol and the ESP protocol need to use the key negotiation results of the IKE protocol, and the establishment of the AH SA and the ESP SA requires the transmission of signaling through the IKE SA. Therefore, the AH SA and the ESP SA can be collectively called the security processing protocol SA, or IPSec sub-SA.
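The following Python is an added example, not code from the patent or from any IPSec implementation. It models the receiving side of an established security processing protocol SA: the SA record fixes the protocol, key and validity time described above, the replay-protection service from the list of security services is enforced on inbound ESP packets with the sliding window of RFC 4303, and, as in the session management function's forwarding rules described earlier, the SA carries the QFI of the QoS flow it is bound to so accepted packets can be mapped back to that flow. The SA record, the packet bytes and the QFI value are constructed; only the 8-byte ESP header layout and the window logic follow the RFC.

```python
"""Inbound ESP processing against an SA: SPI lookup, anti-replay window, QFI binding.

Added example; not code from the patent or any implementation. The SA record,
the packets and the QoS-flow binding are constructed sample values. The ESP
header layout and the sliding-window check follow RFC 4303; decryption and
integrity verification with the SA key are left out.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

WINDOW = 64  # replay window width in packets (RFC 4303 requires at least 32)


@dataclass
class SecurityAssociation:
    """What a negotiated SA fixes for the receiver, plus the QoS flow it is bound to."""
    spi: int            # Security Parameter Index identifying this SA
    protocol: str       # security processing protocol ("ESP" or "AH")
    key: bytes          # SA key (constructed here; derived during negotiation in practice)
    lifetime_s: int     # key validity time agreed for this SA
    qfi: int            # QoS flow the SMF bound this SA to (constructed value)
    highest_seq: int = 0    # highest sequence number accepted so far
    window: int = 0         # bit i set => packet (highest_seq - i) was already accepted


def parse_esp_header(packet: bytes) -> tuple[int, int]:
    """Return (SPI, sequence number) from the fixed 8-byte ESP header."""
    if len(packet) < 8:
        raise ValueError("packet shorter than the ESP header")
    return struct.unpack("!II", packet[:8])


def check_replay(sa: SecurityAssociation, seq: int) -> str:
    """Sliding-window replay check (RFC 4303 section 3.4.3).

    Returns "accept", "replay" (already seen) or "stale" (left of the window).
    The window is advanced immediately for brevity; a real implementation
    advances it only after the packet's integrity check has succeeded.
    """
    if seq == 0:
        return "stale"  # sequence number 0 is never transmitted
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.window = 1 if shift >= WINDOW else ((sa.window << shift) | 1) & ((1 << WINDOW) - 1)
        sa.highest_seq = seq
        return "accept"
    back = sa.highest_seq - seq
    if back >= WINDOW:
        return "stale"
    if sa.window & (1 << back):
        return "replay"
    sa.window |= 1 << back
    return "accept"


def process_inbound(sad: dict[int, SecurityAssociation], packet: bytes) -> tuple[str, int | None]:
    """Classify an inbound packet and return the QFI it maps to when accepted."""
    spi, seq = parse_esp_header(packet)
    sa = sad.get(spi)
    if sa is None:
        return "no-sa", None       # no SA for this SPI: drop, nothing to map
    verdict = check_replay(sa, seq)
    if verdict != "accept":
        return verdict, None       # replayed or stale packet: drop
    return "accept", sa.qfi        # decrypt with sa.key here, then map the payload to sa.qfi


def build_esp(spi: int, seq: int, payload: bytes = b"") -> bytes:
    """Build a packet with an ESP header in front of a constructed (unencrypted) payload."""
    return struct.pack("!II", spi, seq) + payload


def make_sad() -> dict[int, SecurityAssociation]:
    """Constructed security association database with one ESP SA bound to QFI 5."""
    sa = SecurityAssociation(spi=0x1234ABCD, protocol="ESP", key=bytes(16), lifetime_s=3600, qfi=5)
    return {sa.spi: sa}


def run_sequence(sad: dict[int, SecurityAssociation], spi: int, seqs) -> list[tuple[str, int | None]]:
    """Feed a series of sequence numbers through one SA and collect the verdicts."""
    return [process_inbound(sad, build_esp(spi, s)) for s in seqs]


if __name__ == "__main__":
    sad = make_sad()
    seqs = (1, 2, 2, 70, 5, 7)  # in order, a duplicate, a jump past the window, a stale one
    for seq, result in zip(seqs, run_sequence(sad, 0x1234ABCD, seqs)):
        print(seq, result)
    print(process_inbound(sad, build_esp(0xDEAD0000, 1)))  # unknown SPI
```

Sequence number 70 arriving after 2 slides the window so that 5 is then rejected as stale while 7 is still inside the 64-packet window; a duplicate 2 is a replay. The verdicts are what a UPF or security gateway would need to decide before any decryption work is spent.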
  • S301-S302 is the IKE SA establishment process. In this process, it is assumed that communication device a is the initiator for establishing IKE SA, and communication device b is the responder for establishing IKE SA.
  • Communication device a sends an IKE SA establishment request to communication device b.
  • the IKE SA establishment request includes various security parameters used by communication device a to establish the IKE SA.
  • the IKE SA establishment request may include the IKE header (IKE header, denoted as HDR) 1, the IKE SA encryption algorithm supported by communication device a (denoted as SA1_a), the key material of communication device a (for example, including the Diffie-Hellman value of communication device a; denoted as KE_a), and the random number used to generate the IKE SA key (denoted as N1_a).
  • HDR1 can include the security parameter index (SPI) of communication device a (used to identify communication device a in the IPSec protocol, denoted as SPI_a), the IKE protocol version number, the encapsulation mode (transport mode or tunnel mode), the message ID and other information.
  • Communication device b sends an IKE SA establishment response to communication device a according to the IKE SA establishment request.
  • the IKE SA establishment response includes various security parameters used by communication device b to establish the IKE SA.
  • the IKE SA establishment response may include HDR2, the IKE SA encryption algorithm supported by communication device b (denoted as SA1_b), the key material of communication device b (denoted as KE_b), and the random number used to generate the IKE SA key (denoted as N1_b).
  • the IKE SA establishment response also includes an authentication request of communication device b (which can be recorded as CERTREQ).
  • HDR2 can refer to HDR1 in S301; the similarities can be referred to each other and are not described in detail here.
  • HDR2 not only contains the SPI of communication device b (denoted as SPI_b), but also contains SPI_a.
  • the communicating parties can obtain various security parameters used by the other party to establish IKE SA.
  • the communicating parties can establish the IKE SA based on their own security parameters used to establish the IKE SA and the security parameters used by the other party to establish the IKE SA, so that the relevant signaling for establishing the IPSec sub-SA can be transmitted later through this IKE SA.
  • both communicating parties have obtained the other party's key material KE and the random numbers used to generate the IKE SA key (i.e. KE_a, KE_b, N1_a, N1_b). Therefore, communication device a and communication device b can generate the same key seed (SKEYSEED), so that the IKE SA key can be generated later.
  • S303-S304 is the IPSec sub-SA establishment process. In this process, continue to assume that communication device a is the initiator of IPSec sub-SA, and communication device b is the responder of IPSec sub-SA.
  • the IPSec sub-SA establishment request may include HDR3, as well as content encrypted and authenticated through the IKE SA (recorded as SK).
  • the SK contains the identification of the processing entity used to implement the IPSec sub-SA in communication device a (denoted as ID_a), the authentication information of communication device a (denoted as AUTH_a), the IPSec sub-SA encryption algorithm supported by communication device a (denoted as SA2_a), and the first data flow selection rule determined by communication device a (including the data flow selection rule on the communication device a side (denoted as TS1_a) and the data flow selection rule on the communication device b side (denoted as TS1_b)).
  • the content included in HDR3 can refer to HDR2, including SPI_b and SPI_a, which will not be described here.
  • the IPSec sub-SA establishment request may also include the identification (denoted as ID_b) of the processing entity in communication device b that communication device a designates to implement the IPSec sub-SA, the certificate of communication device a (denoted as CERT_a) sent in response to the certificate request received in the IKE SA establishment response of S302, and the certificate request of communication device a.
  • ID_a and AUTH_a are used for authentication verification and integrity protection.
  • TS1_a and TS1_b are packet filtering rules applied to the encryption of the sub-SA.
  • TS1_a is used to specify the data packets (usually an IP address or IP address segment) sent from communication device a to communication device b that need to be encrypted, or the data packets sent from communication device b to communication device a that need to be decrypted.
  • TS1_b is used to specify the data packets (usually an IP address or IP address segment) sent from communication device a to communication device b that need to be encrypted (if the destination address of a data packet sent from communication device a is within the range of TS1_b, this sub-SA needs to be used for encryption), or the data packets (usually an IP address or IP address segment) sent from communication device b to communication device a that need to be decrypted (if the source address of a data packet sent from communication device b is within the range of TS1_b, this sub-SA needs to be used for decryption).
  • Communication device b sends an IPSec sub-SA establishment response to communication device a according to the IPSec sub-SA establishment request.
  • the IPSec sub-SA establishment response includes the security parameters used by communication device b to establish the IPSec sub-SA.
  • the IPSec sub-SA establishment response may include HDR4, as well as content encrypted and authenticated through the IKE SA (denoted as SK).
  • the SK contains the identification of the processing entity used to implement the IPSec sub-SA in communication device b (denoted as ID_b), the authentication information of communication device b (denoted as AUTH_b), the IPSec sub-SA encryption algorithm supported by communication device b (denoted as SA2_b), and the second data flow selection rule determined by communication device b (including the data flow selection rule on the side of communication device a (denoted as TS2_a) and the data flow selection rule on the side of communication device b (denoted as TS2_b)).
  • communication device b can determine the contents of the IPSec sub-SA establishment response based on the content of the IPSec sub-SA establishment request and its local configuration, including at least one of the following: ID_b, SA2_b, TS2_a, TS2_b, etc.
  • the IPSec sub-SA establishment response may also include the certificate of communication device b (denoted as CERT_b).
  • ID_b and AUTH_b are used for authentication verification and integrity protection.
  • TS2_a and TS2_b are the packet filtering rules applied to the encryption of the sub-SA after communication device b has passed the authentication.
  • TS2_a specifies the data packets sent from communication device a to communication device b that need to be decrypted (usually an IP address or IP address segment; if the source address of a data packet sent from communication device a is within the TS2_a range, this sub-SA needs to be used for decryption), or the data packets (usually an IP address or IP address segment) sent from communication device b to communication device a that need to be encrypted.
  • TS2_b specifies the data packets sent from communication device a to communication device b that need to be decrypted (usually an IP address or IP address segment; if the destination address of a data packet sent from communication device a is within the TS2_b range, this sub-SA needs to be used for decryption), or the data packets sent from communication device b to communication device a that need to be encrypted (usually an IP address or IP address segment; if the source address of a data packet sent from communication device b is within the TS2_b range, this sub-SA needs to be used for encryption).
  • the second data flow selection rule may be determined by communication device b based on the first data flow selection rule. For example, communication device b determines TS2_a based on TS1_a, and determines TS2_b based on TS1_b.
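The TS1/TS2 handling described above, as an added example (not code from the patent): it decides whether a packet seen at communication device a or b is covered by the sub-SA and must be encrypted or decrypted, and derives TS2 from TS1 on the responder side. The encrypt/decrypt decision follows the description above; narrowing TS2 to the intersection of TS1 with b's local policy, and the address ranges used, are assumptions of this example.

```python
"""Traffic selector (TS) handling for an IPsec sub-SA between communication
device a and communication device b. Added example, not code from the patent:
the encrypt/decrypt decision follows the TS1/TS2 description; deriving TS2 from
TS1 by intersecting with the responder's local policy is an assumption of this
example (the patent only says b determines TS2_a from TS1_a and TS2_b from TS1_b)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class TrafficSelectors:
    ts_a: IPv4Network  # addresses on communication device a's side (TS*_a)
    ts_b: IPv4Network  # addresses on communication device b's side (TS*_b)


def sa_action(ts: TrafficSelectors, side: str, src: str, dst: str) -> Optional[str]:
    """Return 'encrypt', 'decrypt' or None for a packet handled at `side` ('a' or 'b').

    a -> b packets (src in ts_a, dst in ts_b) are encrypted by a and decrypted by b;
    b -> a packets (src in ts_b, dst in ts_a) are encrypted by b and decrypted by a.
    Anything outside both selectors is not covered by this sub-SA.
    """
    if side not in ("a", "b"):
        raise ValueError("side must be 'a' or 'b'")
    s, d = ip_address(src), ip_address(dst)
    a_to_b = s in ts.ts_a and d in ts.ts_b
    b_to_a = s in ts.ts_b and d in ts.ts_a
    if a_to_b:
        return "encrypt" if side == "a" else "decrypt"
    if b_to_a:
        return "decrypt" if side == "a" else "encrypt"
    return None


def narrow(proposed: IPv4Network, local: IPv4Network) -> Optional[IPv4Network]:
    """Intersection of the initiator's proposed range with the responder's policy.

    Two CIDR blocks either nest or are disjoint, so the intersection is the
    smaller block or nothing.
    """
    if proposed.subnet_of(local):
        return proposed
    if local.subnet_of(proposed):
        return local
    return None


def responder_selectors(ts1: TrafficSelectors, local_a: IPv4Network,
                        local_b: IPv4Network) -> Optional[TrafficSelectors]:
    """Communication device b derives TS2 from TS1: TS2_a from TS1_a, TS2_b from TS1_b.

    Returns None when either side has no overlap, i.e. no acceptable sub-SA.
    """
    ts2_a = narrow(ts1.ts_a, local_a)
    ts2_b = narrow(ts1.ts_b, local_b)
    if ts2_a is None or ts2_b is None:
        return None
    return TrafficSelectors(ts2_a, ts2_b)


def demo() -> dict:
    """Constructed sample: a proposes TS1, b narrows its own side to a /24."""
    ts1 = TrafficSelectors(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"))
    ts2 = responder_selectors(ts1, ip_network("10.1.0.0/16"), ip_network("10.2.3.0/24"))
    return {
        "ts2": ts2,
        "a_sends_in_scope": sa_action(ts2, "a", "10.1.0.5", "10.2.3.9"),      # encrypt
        "a_sends_narrowed_out": sa_action(ts2, "a", "10.1.0.5", "10.2.9.9"),  # None
        "a_receives": sa_action(ts2, "a", "10.2.3.9", "10.1.0.5"),            # decrypt
        "b_receives": sa_action(ts2, "b", "10.1.0.5", "10.2.3.9"),            # decrypt
        # a's side proposal does not overlap b's policy at all: no sub-SA
        "disjoint": responder_selectors(ts1, ip_network("10.9.0.0/16"), ip_network("10.2.0.0/16")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```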
  • the communicating parties can obtain various security parameters used by the other party to establish IPSec sub-SA.
  • the communicating parties can establish the IPSec sub-SA based on the security parameters they themselves use to establish the IPSec sub-SA and the security parameters used by the other party to establish the IPSec sub-SA.
  • the communicating parties can obtain the random number used by the other party to generate the IPSec sub-SA key; therefore, the communicating parties can use the key material KE of both parties and the random numbers used to generate the IPSec sub-SA key (i.e. KE_a, KE_b, N2_a, N2_b) to generate the key of the IPSec sub-SA, in order to encrypt and protect the data packets transmitted through the IPSec sub-SA.
  • the IPSec sub-SA is a one-way connection.
  • communication device b can also serve as the initiator to perform the IPSec sub-SA establishment process. That is, the initiator of the IPSec sub-SA can be the initiator of the IKE SA or the responder of the IKE SA.
  • the protocol stack for data packet encryption through the IPSec protocol in the mobile communication system is shown in Figure 4.
  • the security layer that supports the IPSec protocol on the UE side is located above the SDAP layer and below the PDU layer; on the UPF side, the security layer is located above the general packet radio service (GPRS) tunnelling protocol user plane (GTP-U) layer and below the PDU layer.
  • the encapsulation modes of data packets under the IPSec protocol include transport mode and tunnel mode.
  • in transport mode, the UE does not generate a new IP header, but inserts the IPSec header after the IP header of the original IP data packet and before all transport layer protocol headers, as shown in a in Figure 5.
  • in tunnel mode, the UE inserts the IPSec header before the IP header of the original IP data packet, and generates a new IP header placed before the IPSec header, as shown in b in Figure 5.
  • the SDAP layer of the UE uses the IP five-tuple of the IP data packet (i.e. source IP address, destination IP address, source port, destination port and transport layer protocol) to map the IP data packet to a QoS flow.
  • if the SDAP layer cannot see the five-tuple of the IP data packet to be transmitted, it cannot determine which QoS flow the IP data packet should be mapped to, and the IP data packet may end up being transmitted only through the default QoS flow.
  • the GTP-U layer on the UPF side has the same problem: IP data packets cannot be mapped to the corresponding QoS flow and can only be transmitted through the default QoS flow.
  • in transport mode, the UE's security layer retains only the IP header of the original IP data packet, and the subsequent transport layer protocol header is security protected (hidden).
  • the UE's SDAP layer therefore cannot learn the transport layer protocol, source port and destination port, and cannot perform QoS flow mapping for this IP data packet.
  • in tunnel mode, the IP header of the original IP data packet and the subsequent transport layer protocol header are both security protected (hidden), so the UE's SDAP layer cannot obtain the five-tuple of the original IP data packet and cannot perform QoS flow mapping for this IP data packet.
  • the mobile communication system can then only transmit all of the UE's service data indiscriminately. As a result, the transmission of some of the UE's service data may not meet the QoS requirements of the service, affecting the user's service experience.
  • embodiments of the present application provide a communication method. This method can be applied to the communication system shown in Figure 1 or Figure 2, and is described below with reference to the flow chart shown in Figure 6.
  • AMF sends the first message to SMF.
  • the SMF receives the first message from the AMF.
  • the first message includes the first security parameter of the UE, and the first security parameter is used to establish an SA between the UE and the security gateway.
  • the AMF and the SMF are network elements in the core network that provide services for the UE.
  • the SMF sends a second message to the target security gateway.
  • the target security gateway receives the second message from the SMF.
  • the second message includes the first security parameter, and the second message is used to request the establishment of a target SA between the UE and the target security gateway.
  • the target security gateway is assigned by the SMF to the UE.
  • the target security gateway sends a third message to the SMF.
  • the SMF receives the third message from the target security gateway.
  • the third message contains the second security parameter of the target security gateway, the second security parameter is used to establish the target SA, and the third message is a response message to the second message.
  • the second message may be an SA request message
  • the third message may be an SA response message
  • the SMF sends a fourth message to the AMF.
  • the AMF receives the fourth message from the SMF.
  • the fourth message includes the second security parameter.
  • the AMF may configure the UE according to the first security parameter and the second security parameter, so as to establish the target SA between the UE and the target security gateway.
  • the AMF may send some or all of the first security parameters and/or some or all of the second security parameters to the UE.
  • the AMF may also generate an SA key based on the first security parameter and the second security parameter; and then send the SA key to the UE. In this way, the UE can use the SA key to securely protect data packets transmitted through the target SA.
  • the target security gateway may also configure itself according to its second security parameter and the first security parameter received through S602 to establish the target SA.
  • the target security gateway may also generate an SA key based on the first security parameter and the second security parameter. In this way, the target security gateway can use the SA key to securely protect data packets transmitted through the target SA. Since the AMF and the target security gateway use the same security parameters to generate SA keys, the SA keys generated by both are the same, which can ensure that the data packets transmitted through the target SA can successfully achieve security protection.
  • the core network control plane network element of the mobile communication system can transfer the security parameters of the UE and the security parameters of the target security gateway through interaction with the target security gateway, thereby completing the IPSec negotiation. Since the IPSec negotiation process is completed through the core network control plane, and the core network has high security, this method can avoid the risk of security parameter leakage caused by transmitting security parameters over the user plane, ensure the security of the IPSec negotiation process, and in turn ensure the security of the subsequent transmission of user data or signaling through the established SA.
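The S601-S604 exchange, and the derivation of one common SA key at the AMF and at the target security gateway (the same idea as the shared SKEYSEED described for the IKE SA above), as an added example that is not the patent's or any implementation's code. Assumed: a toy Diffie-Hellman group stands in for the key material KE, the IKEv2 SKEYSEED/prf+ shape of RFC 7296 is used for the derivation, and the AMF holds the UE's private key material so it can derive the key on the UE's behalf.

```python
"""Simulation of the control-plane IKE SA negotiation of Figure 6 (S601-S604).
Added example, not the patent's or any vendor's code. Assumptions: a toy
Diffie-Hellman group for the key material KE, an IKEv2-shaped derivation
SKEYSEED = prf(N_ue || N_gw, g^xy) followed by one prf+ block (RFC 7296), and an
AMF that holds the UE's private key material (the patent lets sensitive UE key
material live in subscription data instead of crossing the air interface)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

P = 2**127 - 1  # toy Mersenne prime: illustration only, NOT a secure DH group
G = 2


@dataclass(frozen=True)
class SecurityParams:
    """The 'first' (UE) or 'second' (target security gateway) security parameter."""
    spi: bytes              # security parameter index
    ke: int                 # key material: DH public value g^x mod P
    nonce: bytes            # random number used to generate the IKE SA key
    algs: Tuple[str, ...]   # supported IKE SA encryption algorithms, in preference order


class KeyHolder:
    """Holds one side's DH private value and publishes its SecurityParams."""

    def __init__(self, algs: Tuple[str, ...]):
        self._x = secrets.randbelow(P - 2) + 1
        self.params = SecurityParams(
            spi=secrets.token_bytes(4),
            ke=pow(G, self._x, P),
            nonce=secrets.token_bytes(16),
            algs=algs,
        )

    def shared_secret(self, peer_ke: int) -> bytes:
        return pow(peer_ke, self._x, P).to_bytes(16, "big")


def derive_sa_key(shared: bytes, ue: SecurityParams, gw: SecurityParams) -> bytes:
    """IKEv2-shaped derivation: SKEYSEED = prf(Ni|Nr, g^ir); T1 = prf(SKEYSEED, Ni|Nr|SPIi|SPIr|0x01)."""
    skeyseed = hmac.new(ue.nonce + gw.nonce, shared, hashlib.sha256).digest()
    return hmac.new(skeyseed, ue.nonce + gw.nonce + ue.spi + gw.spi + b"\x01", hashlib.sha256).digest()


def choose_alg(ue_algs: Tuple[str, ...], gw_algs: Tuple[str, ...]) -> str:
    """The gateway picks the first UE-preferred algorithm it also supports."""
    for alg in ue_algs:
        if alg in gw_algs:
            return alg
    raise ValueError("no common IKE SA encryption algorithm")


def negotiate(ue: KeyHolder, gw: KeyHolder) -> Tuple[bytes, bytes, str]:
    """Run S601-S604 and return (key derived at the AMF, key derived at the gateway, algorithm)."""
    # S601: AMF -> SMF. The first message carries the UE's first security parameter.
    first = {"first_security_parameter": ue.params, "indication": "E2E encryption requested"}
    # S602: SMF -> target security gateway. SA request relaying the first security parameter.
    second = {"sa_request": first["first_security_parameter"]}
    # S603: gateway -> SMF. SA response carrying the gateway's second security parameter.
    alg = choose_alg(second["sa_request"].algs, gw.params.algs)
    third = {"second_security_parameter": gw.params, "selected_alg": alg}
    # S604: SMF -> AMF. The fourth message relays the second security parameter.
    fourth = dict(third)
    # The AMF derives the SA key for the UE (it holds the UE's private key material: assumption).
    gw_params = fourth["second_security_parameter"]
    amf_key = derive_sa_key(ue.shared_secret(gw_params.ke), ue.params, gw_params)
    # The gateway derives from its own parameter and the first security parameter received in S602.
    ue_params = second["sa_request"]
    gw_key = derive_sa_key(gw.shared_secret(ue_params.ke), ue_params, gw.params)
    return amf_key, gw_key, fourth["selected_alg"]


if __name__ == "__main__":
    ue = KeyHolder(("AES-GCM-256", "AES-CBC-128"))
    gw = KeyHolder(("AES-CBC-128", "AES-GCM-256"))
    k_amf, k_gw, chosen = negotiate(ue, gw)
    print("algorithm:", chosen, "| keys match:", k_amf == k_gw)
```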
  • Implementation Mode 1: Establish an IKE SA. That is, the target SA in the embodiment shown in Figure 6 is the IKE SA.
  • the core network control plane network element can establish the IKE SA through the session establishment process.
  • the first message may be a first session establishment request message sent by the AMF to the SMF; the fourth message may be a response message to the first message, namely a first session establishment response message sent by the SMF to the AMF.
  • the AMF may also receive a second session establishment request message from the UE; after the AMF receives the fourth message, the AMF may also send a second session establishment response message to the UE.
  • the AMF may obtain the first security parameter through, but is not limited to, the following methods:
  • Method 1: the second session establishment request message includes the first security parameter.
  • the AMF may obtain the first security parameter from the second session establishment request message, and send the first security parameter to the SMF through S601.
  • Method 2: the second session establishment request message includes the first parameter part of the first security parameter.
  • the AMF may also obtain the second parameter part of the first security parameter from the UDM or AUSF based on the identity of the UE (such as the UE's subscription permanent identifier (SUPI)); wherein the first parameter part and the second parameter part constitute the first security parameter.
  • the second parameter part of the first security parameter may be included in the subscription data of the UE. Therefore, the AMF may obtain the subscription data of the UE from the UDM or the AUSF, and obtain the second parameter part from the subscription data of the UE.
  • the mobile communication system can set the sensitive data in the first security parameter of the UE (such as the key material of the UE, etc.) in the subscription data of the UE. This can prevent the UE from transmitting these sensitive data through the air interface, causing the risk of leakage of these sensitive data.
  • Method 3: the second session establishment request message does not contain the first security parameter. Before sending the first message to the SMF through S601, the AMF may also determine the first security parameter.
  • the AMF may locally save or maintain the first security parameter of the UE. In this way, the AMF can directly obtain the locally saved first security parameter.
  • the AMF can locally save or maintain the first parameter part of the first security parameter, and then obtain the second parameter part of the first security parameter from the UDM or AUSF as in Method 2; please refer to the description in Method 2 for the specific process.
  • the AMF may directly obtain the first security parameter from the UDM or AUSF.
  • the AMF does not need to obtain the first security parameter from the UE, and the UE does not need to transmit the first security parameter through the air interface. This avoids the risk of the first security parameter being leaked when transmitted by the UE through the air interface.
  • the second session establishment response sent by the AMF to the UE may include: part or all of the first security parameter, and/or part or all of the second security parameter.
  • the AMF may also notify the UE of part or all of the first security parameters and part or all of the second security parameters through other messages, which is not limited in this application.
  • the first message includes first indication information.
  • the second session establishment request also includes the first indication information.
  • the first indication information is used to indicate that the UE requests data encryption.
  • the first indication information may be an E2E encryption request initiated by the UE.
  • the AMF determines that it is necessary to initiate an IPSec negotiation process for the UE according to the first indication information.
  • before executing S602, the SMF further allocates the target security gateway to the UE. It can be seen from the communication system shown in Figure 1 or Figure 2 that each UPF can be associated (connected or coupled) with at least one security gateway. Based on this, the SMF may allocate the target security gateway to the UE through the following steps:
  • the SMF allocates UPF to the UE
  • the SMF selects the target security gateway from at least one security gateway associated with the UPF.
  • the SMF may select the target security gateway based on the load, physical location and other information of the at least one security gateway; or the SMF may randomly select a security gateway among the at least one security gateway as the target security gateway, which is not limited in this application.
  • the SMF and/or the UPF may allocate an IP address to the UE.
  • the second message sent by the SMF to the target security gateway may also include the identification of the UPF or the IP address of the UE.
  • the target security gateway can also obtain the identity of the UPF through other methods, such as determining it from the UPF associated with the target security gateway, so that the UPF can be identified.
  • the target security gateway may also allocate an IP address to itself for the target SA, so that subsequent communication and interaction between the UE and the target security gateway can be based on the IP address of the UE and the IP address of the target security gateway.
  • the third message may also include the IP address of the target security gateway, and the fourth message may also include the IP address of the target security gateway.
  • after the core network establishes the session of the UE, it can also configure forwarding rules on the UPF to map the data packets transmitted between the UE and the target security gateway through the IKE SA to a certain QoS flow of the session, as shown in S605a in Figure 6.
  • the SMF may send the first forwarding rule configuration information to the UPF.
  • the SMF may send the first forwarding rule configuration information to the UPF according to the first security parameter, the second security parameter, and the first QFI indicating the first QoS flow.
  • the first forwarding rule configuration information is used to instruct the UPF to map data packets transmitted between the UE and the target security gateway through the IKE SA to the first QoS flow corresponding to the first QFI, so as to achieve coupling/binding between the IKE SA and the first QoS flow.
  • the first forwarding rule configuration information is used to instruct the UPF to generate a first forwarding rule.
  • the first forwarding rule is used to map data packets transmitted between the UE and the target security gateway through the IKE SA to the first QoS flow corresponding to the first QFI.
  • the first QoS flow may be a default QoS flow in the session of the UE.
  • since the first QoS flow (such as the default QoS flow) can transmit the IKE SA encrypted data packets, in this embodiment of the present application the first QoS flow can also be called the IKE QoS flow.
  • the UE and the target security gateway can subsequently transmit the signaling involved in establishing the security processing protocol SA through the IKE SA.
  • the UPF can map this signaling between the IKE SA and the first QoS flow in both directions, so as to implement IPSec negotiation of the security processing protocol through the IKE SA on the user plane of the communication system. For example, the UPF can map a data packet received from the UE through the first QoS flow to the IKE SA, thereby transmitting the data packet to the target security gateway; the UPF can also map a data packet from the target security gateway to the first QoS flow, thereby transmitting the data packet to the UE.
  • the first security parameter includes at least one of the following: the SPI of the UE, the key material of the UE, the IKE SA encryption algorithm supported by the UE, or the first random number used to generate the IKE SA key.
  • the second security parameter includes at least one of the following: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithm supported by the target security gateway, or the second random number used to generate the IKE SA key.
  • the first forwarding rule configuration information may include the SPI of the UE, the SPI of the target security gateway, and the first QFI.
  • the first forwarding rule configuration information may also include the port of the target security gateway. In this way, when the UPF receives a data packet from the target security gateway that includes the SPI of the UE and the SPI of the target security gateway, the data packet can be directly mapped to the first QoS flow for transmission. When the UPF receives a data packet from the UE through the first QoS flow, the data packet may be transmitted to the target security gateway through a port of the target security gateway.
  • Implementation Mode 2: Establish a security processing protocol SA. That is, the target SA in the embodiment shown in Figure 6 is the security processing protocol SA.
  • the core network control plane network element can establish the security processing protocol SA in the process of creating the QoS flow through the session modification process.
  • the session modification process may be initiated by the UE, or may be triggered by the SMF according to the policy modification notification message sent by the PCF or the subscription modification notification message sent by the UDM.
  • the security processing protocol SA may be the security processing protocol SA in the uplink direction from the UE to the target security gateway, that is, the uplink IPSec sub-SA.
  • the first message may be a first session modification request message sent by the AMF to the SMF; the fourth message may be a response message to the first message, namely the first session modification response message sent by the SMF to the AMF.
  • the first message may also include information about the second QoS flow requested by the UE to be established.
  • the information of the second QoS flow may, but is not limited to, include QoS requirements (QoS parameters), the identifier of the second QoS flow - the second QFI, the filter detection rules of the second QoS flow, etc.
  • the AMF may also receive a second session modification request message from the UE; after the AMF receives the fourth message, the AMF may also send a second session modification response message to the UE.
  • the second session modification request message also includes information about the second QoS flow that the UE requests to establish in the session of the UE.
  • the AMF may obtain the first security parameter through, but is not limited to, the following methods:
  • Method 1: the second session modification request message includes the first security parameter.
  • the AMF may obtain the first security parameter from the second session modification request message, and send the first security parameter to the SMF through S601.
  • Method 2: the second session modification request includes the first parameter part of the first security parameter.
  • the AMF may also obtain the second parameter part of the locally saved first security parameter; wherein the first parameter part and the second parameter part constitute the first security parameter.
  • Method 3: the second session modification request does not include the first security parameter. Before sending the first message to the SMF through S601, the AMF may also obtain the saved first security parameter.
  • when the SMF decides to establish the second QoS flow in the session of the UE, it sends a fifth message to the AMF.
  • the fifth message is used to request the first security parameter.
  • the AMF may send the first message to the SMF. Therefore, in this design, the first message is the response message of the fifth message.
  • the SMF may, but is not limited to, decide to establish the second QoS flow in the following manner:
  • Method 1 The SMF receives a policy modification notification message from the PCF, where the policy modification notification message contains information about the second QoS flow requested by the PCF to be established in the session of the UE.
  • Method 2 The SMF receives a subscription modification notification message from UDM, where the subscription modification notification message contains information about the second QoS flow that the UDM requests to establish in the session of the UE.
  • Method 3: The SMF receives a first session modification request message from the AMF, wherein the first session modification request message contains information about the second QoS flow requested by the UE to be established in the session of the UE.
  • the AMF may also receive a second session modification request message from the UE.
  • the second session modification request message also includes information about the second QoS flow.
  • the fourth message may be a first session modification response message.
  • the AMF may also send a second session modification response message to the UE.
  • the process by which the AMF obtains the first security parameter after receiving the fifth message may refer to the description in the previous design, and will not be described again here.
  • the second session modification response message sent by the AMF to the UE in the above design may include: some or all of the first security parameter; and/or some or all of the second security parameter.
  • the AMF may also notify the UE of part or all of the first security parameters and part or all of the second security parameters through other messages, which is not limited in this application.
  • the SMF may also configure forwarding rules on the UPF serving the UE, so that the UPF maps the data packets transmitted by the UE through the second QoS flow to the security processing protocol SA and can transmit the data packets to the target security gateway, that is, to achieve binding of the security processing protocol SA and the second QoS flow.
  • the SMF sends the second forwarding rule configuration information to the UPF serving the UE.
  • the second forwarding rule configuration information is used to indicate that data packets from the UE received by the UPF through the second QoS flow are mapped to the security processing protocol SA, that is, the data packets are forwarded to the target security gateway.
  • the second forwarding rule configuration information is used to instruct the UPF to generate a second forwarding rule.
  • the second forwarding rule is used by the UPF to forward data packets from the UE received through the second QoS flow to the target security gateway.
  • the UE can subsequently transmit its uplink data packets to the target security gateway through the security processing protocol SA.
  • the first security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the first processing entity of the UE that uses the security processing protocol SA, the authentication information of the UE, the security processing protocol SA encryption algorithm supported by the UE, the first data flow selection rule, or the third random number used to generate the security processing protocol SA key.
  • the second security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the second processing entity in the target security gateway that uses the security processing protocol SA, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, the second data flow selection rule, or the fourth random number used to generate the security processing protocol SA key.
  • the first processing entity is a processing entity used by the UE to implement the security processing protocol SA.
  • the second processing entity is a processing entity used in the target security gateway to implement the security processing protocol SA.
  • the first data flow selection rule includes: the first data flow selection rule on the UE side, and the first data flow selection rule on the target security gateway side; correspondingly, the second data flow selection rule also includes: the The second data flow selection rule on the UE side, and the second data flow selection rule on the target security gateway side.
  • the second data flow selection rule may be determined by the target security gateway based on the first data flow selection rule. For example, the target security gateway determines the second data flow selection rule on the UE side based on the first data flow selection rule on the UE side, and determines the second data flow selection rule on the target security gateway side based on the first data flow selection rule on the target security gateway side.
  • in tunnel mode, the uplink data packet transmission process is as follows:
  • after the UE generates the original IP data packet containing the service data, it can security protect the original IP data packet based on the first security parameter and the second security parameter, add an IPSec header before the security-protected IP data packet, and generate a new IP header placed before the IPSec header, as shown in b in Figure 5.
  • the new IP header contains the source IP address (the IP address of the UE) and the destination IP address (the IP address of the target security gateway).
  • the IPSec header can contain the SPI and security processing protocol information of the target security gateway.
  • the UE can maintain a mapping relationship between the security processing protocol SA and the second QoS flow (or second QFI). The mapping relationship can be implemented as: identifying the security processing protocol SA through the SPI of the target security gateway, the IP address of the target security gateway and the security processing protocol information, and then determining the second QoS flow corresponding to the security processing protocol SA (that is, the mapping relationship can include the SPI of the target security gateway, the IP address of the target security gateway, the security processing protocol information and the second QFI). Based on the mapping relationship, the UE can map data packets transmitted through the security processing protocol SA to the second QoS flow.
  • after the UE performs security processing on the original IP data packet, it can map the security-processed IP data packet to the second QoS flow indicated by the second QFI for transmission, based on the information in the IPSec header of the security-processed IP data packet (the SPI of the target security gateway and the security processing protocol information), the destination IP address in the new IP header (the IP address of the target security gateway), and the mapping relationship.
  • after the UPF receives the security-processed IP data packet through the second QoS flow, it can transmit the security-processed IP data packet to the target security gateway according to the destination IP address in the new IP header of the security-processed IP data packet (the IP address of the target security gateway), the SPI of the target security gateway in the IPSec header, and the security processing protocol information (such as ESP, AH, etc.).
  • IP address IP address of the target security gateway
  • IPSec header SPI of the target security gateway security processing protocol information (such as ESP, AH, etc.)
  • after receiving the security-processed IP data packet, the target security gateway can perform security verification on the security-processed IP data packet, recover the original IP data packet, and continue to transmit the original IP data packet to the next node based on the destination IP address in the original IP header of the original IP data packet and the set routing rules.
  • UPF can transmit the securely processed IP packet to the target security gateway based on the new IP header in the received securely processed IP packet. Therefore, in the tunnel mode, the SMF does not need to perform S605b, that is, there is no need to send the second forwarding rule configuration information to the UPF.
  • the uplink data packet transmission process is as follows:
  • after the UE generates the original IP data packet containing the service data, it performs security protection on the IP payload in the original IP data packet, and inserts the IPSec header generated based on the first security parameter and the second security parameter between the security-protected IP payload and the original IP header, as shown in a in Figure 5.
  • the original IP header contains the source IP address (the IP address of the UE) and the destination IP address (the IP address of the service node (non-target security gateway)).
  • the IPSec header can contain the SPI and security processing protocol information of the target security gateway.
  • the UE can maintain the mapping relationship between the security processing protocol SA and the second QoS flow, where the implementation form of the mapping relationship can be: identifying the security processing protocol SA through the SPI and security processing protocol information of the target security gateway, and then determining the second QoS flow corresponding to the security processing protocol SA (that is, the mapping relationship can include the SPI of the target security gateway, the security processing protocol information, the second QFI and other information). Based on the mapping relationship, the UE can map data packets transmitted through the security processing protocol SA to the second QoS flow.
  • after the UE performs security processing on the original IP data packet, it can map the security-processed IP data packet to the second QoS flow indicated by the second QFI for transmission, based on the information in the IPSec header of the security-processed IP data packet (the SPI and security processing protocol information of the target security gateway) and the mapping relationship.
  • the SMF can configure forwarding rules for the UPF, that is, perform S605b.
  • the SMF can establish an association between the first security parameter, the second security parameter and the second QFI; after the core network creates the second QoS flow, the SMF executes S605b to send the second forwarding rule configuration information to the UPF.
  • the second forwarding rule configuration information may include the IP addresses of the second QFI and the target security gateway.
  • the UPF can establish a forwarding rule (second QFI, IP address of the target security gateway) based on the second forwarding rule configuration information. In this way, when the UPF receives the security-processed IP data packet from the UE through the second QoS flow indicated by the second QFI, it can forward the security-processed IP data packet to the target security gateway according to the forwarding rule.
  • after receiving the security-processed IP data packet, the target security gateway can perform security verification on the security-processed IP data packet and recover the original IP data packet; and based on the destination IP address in the original IP header of the original IP data packet and the set routing rules, continue to transmit the original IP data packet to the next node.
  • the process of establishing a UE session and the process of establishing a QoS flow in the UE session can refer to the existing process, and will not be described again here.
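The tunnel-mode and transport-mode uplink handling described above, as an added Python example that is not part of the patent: the class names, the HMAC stand-in for ESP/AH processing, and all addresses, SPIs, QFIs and keys are constructed for illustration.

```python
"""
Constructed walk-through of one uplink packet in the tunnel-mode and transport-mode
cases above: the UE protects the packet and maps it to the second QoS flow via its
(SPI, protocol[, gateway IP]) -> QFI relationship, the UPF forwards it to the target
security gateway, and the gateway verifies it and recovers the original packet.
ESP/AH processing is stood in for by an HMAC over the payload; addresses, SPIs,
QFIs and the SA key are made-up sample values.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IpHeader:
    src: str
    dst: str

@dataclass(frozen=True)
class IpsecHeader:
    spi: int
    proto: str  # "ESP" or "AH"

@dataclass(frozen=True)
class Packet:
    outer: IpHeader               # new IP header (tunnel) or the original header (transport)
    ipsec: Optional[IpsecHeader]  # None for an unprotected / recovered original packet
    inner: Optional[IpHeader]     # original IP header, carried inside only in tunnel mode
    body: bytes                   # IP payload, followed by a 32-byte ICV while protected

def ue_protect(orig, sa_key, spi, proto, tunnel, gw_ip):
    """Security processing at the UE: add the IPsec header and, in tunnel mode, a new IP header."""
    body = orig.body + hmac.new(sa_key, orig.body, hashlib.sha256).digest()
    hdr = IpsecHeader(spi, proto)
    if tunnel:
        return Packet(IpHeader(orig.outer.src, gw_ip), hdr, orig.outer, body)
    return Packet(orig.outer, hdr, None, body)  # IPsec header between original IP header and payload

class UeQosMapper:
    """Mapping relationship kept by the UE: SA identity -> second QFI."""
    def __init__(self):
        self._map = {}
    def add(self, spi, proto, qfi, gw_ip=None):
        self._map[(spi, proto, gw_ip)] = qfi  # gw_ip is part of the key only in tunnel mode
    def qfi_for(self, pkt):
        if pkt.ipsec is None:
            return None
        gw_ip = pkt.outer.dst if pkt.inner is not None else None
        return self._map.get((pkt.ipsec.spi, pkt.ipsec.proto, gw_ip))

class Upf:
    """Forwards packets received on the second QoS flow towards the target security gateway."""
    def __init__(self):
        self._rules = {}  # second QFI -> gateway IP (second forwarding rule configuration)
    def configure_forwarding_rule(self, qfi, gw_ip):
        self._rules[qfi] = gw_ip
    def next_hop(self, qfi, pkt):
        if pkt.inner is not None:
            return pkt.outer.dst     # tunnel mode: the new IP header already names the gateway
        return self._rules.get(qfi)  # transport mode: only the SMF-configured rule knows it

class SecurityGateway:
    def __init__(self, ip, sa_keys):
        self.ip = ip
        self._keys = sa_keys  # (SPI, proto) -> SA key
    def recover(self, pkt):
        """Security verification: check the ICV and return the original packet, or None."""
        key = self._keys.get((pkt.ipsec.spi, pkt.ipsec.proto)) if pkt.ipsec else None
        if key is None or len(pkt.body) < 32:
            return None
        payload, icv = pkt.body[:-32], pkt.body[-32:]
        if not hmac.compare_digest(icv, hmac.new(key, payload, hashlib.sha256).digest()):
            return None
        return Packet(pkt.inner if pkt.inner is not None else pkt.outer, None, None, payload)

def uplink(orig, sa_key, spi, proto, tunnel, mapper, upf, gw):
    """One uplink packet end to end; returns (QFI, UPF next hop, recovered original destination)."""
    pkt = ue_protect(orig, sa_key, spi, proto, tunnel, gw.ip)
    qfi = mapper.qfi_for(pkt)
    if qfi is None:
        return None, None, None  # no SA mapping: the packet is not put on the second QoS flow
    hop = upf.next_hop(qfi, pkt)
    if hop != gw.ip:
        return qfi, hop, None    # UPF cannot reach the gateway (transport mode without S605b)
    rec = gw.recover(pkt)
    return qfi, hop, rec.outer.dst if rec else None

def demo(tunnel, configure_upf=True):
    """Runs the uplink path with sample values; the UPF rule matters only in transport mode."""
    ue_ip, gw_ip, service_ip, spi, qfi, key = "10.0.0.2", "192.0.2.10", "198.51.100.7", 0x1001, 5, b"k" * 32
    mapper, upf, gw = UeQosMapper(), Upf(), SecurityGateway(gw_ip, {(spi, "ESP"): key})
    mapper.add(spi, "ESP", qfi, gw_ip if tunnel else None)
    if configure_upf:
        upf.configure_forwarding_rule(qfi, gw_ip)
    orig = Packet(IpHeader(ue_ip, service_ip), None, None, b"service data")
    return uplink(orig, key, spi, "ESP", tunnel, mapper, upf, gw)
```

`demo(False, configure_upf=False)` shows the transport-mode failure the text implies: without the S605b rule the UPF has no gateway address to forward to, whereas tunnel mode still works because the new IP header names it.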
  • the embodiment of the present application provides a communication method.
  • the core network control plane network element of the mobile communication system can realize the transfer of the security parameters of the UE and the security parameters of the target security gateway through interaction with the target security gateway, thereby completing the IPSec negotiation. Since the IPSec negotiation process is completed through the core network control plane, and the core network has high security, this method can avoid the risk of security parameter leakage caused by user plane transmission of security parameters, ensure the security of the IPSec negotiation process, and thereby ensure the security of the subsequent transmission of user data or signaling through the established SA.
  • Embodiment A As shown in Figure 7, the core network control plane network element establishes an IKE SA between the UE and the target security gateway (hereinafter referred to as the target gateway (GW)) through the session establishment process.
  • the UE initiates the session establishment process and sends a session establishment request message to the AMF.
  • the session establishment request message may include: a session identifier of the session that the UE requests to establish (hereinafter referred to as session identifier for short).
  • the session establishment request message may also include an E2E encryption request, which is used to instruct the UE to request encryption of data transmitted between the UE and the security gateway.
  • the E2E encryption request in this embodiment is equivalent to the first indication information in the embodiment shown in FIG. 6 .
  • the session establishment request message may also carry some of the first security parameters of the UE used to establish the IKE SA (for example, data that is not sensitive and carries no risk of leakage).
  • the session establishment request may also carry at least one of the following: SPI_UE used to identify the UE in the IPSec SA, the first random value N1_UE used to generate the IKE SA key, and the IKE SA encryption algorithm SA1_UE supported by the UE.
  • after receiving the session establishment request message from the UE, the AMF (which may be triggered by the E2E encryption request) sends a KE query request message carrying the SUPI of the UE to the UDM/AUSF to query the UE's key material KE_UE in the UE's subscription data.
  • the AMF can obtain this information from the relevant information of the UE maintained locally, or obtain it from the UDM/AUSF in the same way as KE_UE. The specific process will not be described again in this embodiment.
  • UDM/AUSF sends a KE query response message to AMF.
  • the KE query response message contains KE_UE.
  • since KE_UE, the key material used to generate keys, is relatively sensitive, if it were maintained on the UE side the UE would need to transmit it to the core network over the air interface during the session establishment process; this would carry a risk of leakage and reduce the security of the IPSec negotiation process. Therefore, in this embodiment, KE_UE is maintained in the core network as part of the UE's subscription data, which avoids leakage of this information and ensures the security of the IPSec negotiation process.
  • the session establishment request message includes: session identification, and the first security parameter of the UE (SPI_UE, KE_UE, N1_UE, SA1_UE).
  • the session establishment request message may also include an E2E encryption request.
  • the E2E encryption request is used to instruct the UE to request encryption of data transmitted between the UE and the security gateway, that is, to instruct the SMF to initiate an IPSec negotiation process and establish an IKE SA.
  • the SMF allocates UPF to the UE and performs N4 configuration with the UPF to complete the user plane configuration of the session.
  • the SMF or UPF may also allocate an IP address to the UE for the session of the UE.
  • the SMF selects the target GW among at least one security gateway associated with the UPF.
  • the SMF may select the target GW based on the load, physical location and other information of the at least one security gateway.
  • SMF sends an IKE SA establishment request message to the target GW.
  • the IKE SA establishment request message contains the IP address of the UE and the first security parameter of the UE (SPI_UE, KE_UE, N1_UE, SA1_UE).
  • the IKE SA establishment request message may also include a session identifier, a UPF ID and other information, where the session identifier is used by the target GW to bind the first security parameter in the IKE SA establishment request message to the session of the UE, and the UPF ID is used by the target GW to identify the UPF.
  • the target GW sends an IKE SA establishment response message to the SMF.
  • the IKE SA establishment response message contains the IP address of the target GW and the second security parameter of the target GW used to establish the IKE SA (that is, the SPI_GW used to identify the target GW in the IPSec SA, the key material KE_GW of the target GW, the second random value N1_GW used to generate the IKE SA key, and the IKE SA encryption algorithm SA1_GW supported by the target GW).
  • the IP address of the target GW is assigned by the target GW to itself for the IKE SA.
  • the SMF configures forwarding rules to the UPF so that the UPF maps the data packets transmitted through the IKE SA in the session (which can be referred to as IKE data packets for short) to the first QoS flow of the session, realizing the coupling of the IKE SA and the first QoS flow.
  • the first QoS flow may be the default QoS flow in the session.
  • the SMF may send configuration information to the UPF, and the configuration information may include SPI_UE, SPI_GW, the first QFI identifying the first QoS flow, and the IKE port port_GW of the target GW.
  • in the downlink direction, the UPF can generate corresponding forwarding rules based on the configuration information, and map the data packets containing SPI_UE and SPI_GW received from the target security gateway to the first QoS flow for transmission to the UE.
  • in the uplink direction, when the UPF receives a data packet from the UE through the first QoS flow, it can transmit the data packet to the target security gateway through the IKE port port_GW.
  • SMF sends a session establishment response message to AMF.
  • the session establishment response message includes the session identifier and the second security parameter (SPI_GW, KE_GW, N1_GW, SA1_GW) information of the target GW.
  • the session establishment response message may also include the IP address of the target GW.
  • the AMF sends a session establishment response message to the UE.
  • the session establishment response message contains the session identifier.
  • the session establishment response may also include: the second security parameter (SPI_GW, KE_GW, N1_GW, SA1_GW), the IP address of the target GW, or the first security parameter (SPI_UE, KE_UE, N1_UE, SA1_UE).
  • the AMF can generate an IKE SA key based on KE_UE, N1_UE, KE_GW, and N1_GW, and configure the IKE SA key to the UE, so that the UE can perform security protection on the data packets transmitted through the IKE SA based on the IKE SA key.
  • the target GW can also generate an IKE SA key based on KE_UE, N1_UE, KE_GW, and N1_GW, so that the data packets transmitted through the IKE SA can be subsequently protected based on the IKE SA key.
  • the uplink data packets and downlink data packets passing through the IKE SA can be securely protected between the UE and the target GW according to the IKE SA key. Based on this, when the UE or the target GW needs to establish an IPSec sub-SA, the UE and the target GW can transmit the relevant signaling packets to establish the IPSec sub-SA on the user plane based on the IKE SA.
  • for the specific process, refer to the descriptions of S303-S304 in Figure 3, which will not be repeated here.
  • this embodiment can respectively support the scenarios in which the IKE SA is fully authorized to the AMF, the IKE SA is proxied by the AMF and synchronized to the UE, and the AMF only proxies the key generation for the UE.
  • Example 1 The session establishment request message in S701 does not contain the first security parameter, and the session establishment response message in S711 does not carry the first security parameter and the second security parameter.
  • This scenario can be regarded as the IKE SA being fully authorized to the AMF; no security parameters are stored on the UE side.
  • Example 2 The session establishment request message in S701 does not contain the first security parameter, and the session establishment response message in S711 contains the second security parameter and the first security parameter.
  • This scenario can be regarded as the IKE SA is proxied by AMF and synchronized to UE.
  • Example 3 The session establishment request message in S701 contains the first security parameter, and the session establishment response message in S711 does not need to carry the first security parameter, but carries the second security parameter.
  • This scenario can be regarded as the AMF only performing the key material query and key generation.
  • the core network control plane network element can realize the transfer of the first security parameter of the UE and the second security parameter of the target GW, thereby completing the IPSec negotiation and configuring, for the session, the IKE SA between the UE and the target GW.
  • the method provided by this embodiment can couple the IKE SA establishment process into the session establishment process, which not only reduces the signaling overhead of the mobile communication system, but also establishes the IKE SA through the core network control plane, avoiding the risk of security parameter leakage caused by user plane transmission of security parameters and ensuring the security of the IPSec negotiation process.
  • Embodiment B Referring to Figure 8, after the UE establishes an IKE SA with the target GW (for example, establishing an IKE SA through the method provided in Embodiment A), the UE initiates the uplink IPSec sub-SA establishment process.
  • the core network control plane establishes the uplink IPSec sub-SA through the session modification process.
  • the uplink IPSec sub-SA is the IPSec sub-SA from the UE to the target GW.
  • the UE initiates a session modification process, sends a session modification request message to the AMF, and requests the establishment of a second QoS flow in the UE's session.
  • the session modification request message includes the session identifier of the UE's session (hereinafter referred to as the session identifier), and the information of the second QoS flow requested by the UE to be established.
  • the session modification request message may also include SPI_UE and SPI_GW; it may also include the identification ID1_UE of the first processing entity in the UE that implements the IPSec sub-SA, the authentication information AUTH_UE of the UE, the encryption algorithm SA2_UE of the IPSec sub-SA supported by the UE, the third random number N2_UE used to generate the IPSec sub-SA key, the first data flow selection rule TS1_UE on the UE side, and the first data flow selection rule TS1_GW on the target GW side.
  • SPI_UE, SPI_GW, ID1_UE, Auth_UE, SA2_UE, N2_UE, TS1_UE, TS1_GW can be collectively referred to as the third security parameter of the UE used to establish IPSec sub-SA. That is, the session modification request message may contain part or all of the information in the third security parameter.
  • the information of the second QoS flow may, but is not limited to, include QoS requirements (QoS parameters), the identifier of the second QoS flow - the second QFI, the filter detection rules of the second QoS flow, etc.
  • S802 AMF sends a session modification request message to SMF.
  • the session modification request message includes: session identification, information about the second QoS flow, and third security parameters (SPI_UE, SPI_GW, ID1_UE, AUTH_UE, SA2_UE, N2_UE, TS1_UE, TS1_GW).
  • when the session modification request message contains only part of the third security parameters, the AMF may also obtain another part of the third security parameters from the locally maintained UE-related information before executing S802.
  • the SMF decides to establish a second QoS flow in the UE's session based on the received session modification request message.
  • the SMF obtains the PCC rules of the second QoS flow from the PCF based on the information of the second QoS flow.
  • the SMF can create the second QoS flow according to the PCC rule.
  • the specific process please refer to the existing QoS flow establishment process, which will not be described again here.
  • the SMF sends an IPSec sub-SA establishment request message to the target GW.
  • the IPSec sub-SA establishment request message contains the third security parameters (SPI_UE, SPI_GW, ID1_UE, AUTH_UE, SA2_UE, N2_UE, TS1_UE, TS1_GW).
  • the target GW sends an IPSec sub-SA establishment response message to the SMF.
  • the IPSec sub-SA establishment response message contains the fourth security parameter of the target GW used to establish the IPSec sub-SA.
  • the fourth security parameter includes SPI_UE, SPI_GW, the identification ID1_GW of the second processing entity that implements the IPSec sub-SA in the target GW, the authentication information AUTH_GW of the target GW, the encryption algorithm SA2_GW of the IPSec sub-SA supported by the target GW, the fourth random number N2_GW used to generate the IPSec sub-SA key, the second data flow selection rule TS2_UE on the UE side, and the second data flow selection rule TS2_GW on the target GW side.
  • TS2_UE may be determined by the target GW based on TS1_UE, and TS2_GW may be determined by the target GW based on TS1_GW.
  • SMF configures forwarding rules to UPF so that UPF maps data packets transmitted through the IPSec sub-SA in the session to the second QoS flow of the session.
  • when tunnel mode is adopted between the UE and the target GW, the UPF can transmit the received security-processed uplink IP data packet to the target GW according to the destination IP address (the IP address of the target GW) in the new IP header of the IP data packet. Therefore, the SMF does not need to perform S806.
  • when transport mode is adopted between the UE and the target GW, the SMF can send to the UPF forwarding rule configuration information containing the second QFI of the second QoS flow and the IP address of the target GW. Through this step, the UPF can forward the data packets from the UE received through the second QoS flow to the target GW, thereby realizing the binding of the uplink IPSec sub-SA and the second QoS flow.
  • SMF sends a session modification response message to AMF.
  • the session modification response message may include the fourth security parameter (SPI_UE, SPI_GW, ID1_GW, AUTH_GW, SA2_GW, N2_GW, TS2_UE, TS2_GW).
  • the session modification response message may also include the session identifier and the second QFI.
  • the AMF sends a session modification response message to the UE.
  • the session modification response message includes the session identifier, the second QFI, and may also include SPI_UE and SPI_GW.
  • the session modification response message may also include part or all of the fourth security parameters, such as at least one of ID1_GW, AUTH_GW, SA2_GW, N2_GW, TS2_UE, and TS2_GW.
  • the session modification response message may also include part or all of the third security parameters, such as at least one of ID1_UE, AUTH_UE, SA2_UE, and N2_UE.
  • the AMF can generate an IPSec sub-SA key based on KE_UE, N2_UE, KE_GW, and N2_GW, and configure the IPSec sub-SA key to the UE, so that the UE can protect the data packets transmitted through the IPSec sub-SA according to the IPSec sub-SA key.
  • the target GW can also generate an IPSec sub-SA key based on KE_UE, N2_UE, KE_GW, and N2_GW, so that subsequent data packets transmitted through the IPSec sub-SA can be securely protected based on the IPSec sub-SA key.
  • the uplink data packet passing through the IPSec sub-SA can be securely protected between the UE and the target GW according to the IPSec sub-SA key.
  • this embodiment can be divided into scenarios where the AMF acts as an agent for the UE to maintain the IPSec sub-SA, and the UE decides on its own to establish the IPSec sub-SA.
  • Example 1 when the session modification request message in S801 does not contain the third security parameter, this scenario can be regarded as a scenario in which the AMF acts as an agent for the maintenance of the IPSec sub-SA for the UE.
  • Example 2 When the session modification request message in S801 contains the third security parameter, this scenario can be regarded as the UE deciding on its own to establish the IPSec sub-SA.
  • the core network control plane network element can realize the transmission of the third security parameter of the UE and the fourth security parameter of the target GW, thereby completing the IPSec negotiation.
  • the method provided by this embodiment can couple the uplink IPSec sub-SA establishment process into the session modification process, and bind the uplink IPSec sub-SA with the second QoS flow established by the session modification process, so that the UPF can map the data packets received through the second QoS flow to the uplink IPSec sub-SA, thereby forwarding the data packets to the target GW.
  • since this method couples the uplink IPSec sub-SA establishment process into the session modification process, it not only reduces the signaling overhead of mobile communications, but also establishes the uplink IPSec sub-SA through the core network control plane, avoiding the risk of security parameter leakage caused by user plane transmission of security parameters and ensuring the security of the IPSec negotiation process.
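The control-plane negotiation of Embodiment A (IKE SA during session establishment) and Embodiment B (uplink IPSec sub-SA during session modification), as an added Python simulation that is not part of the patent: the HKDF-style `derive_sa_key`, the class names and all sample SUPI, SPI, nonce and key-material values are assumptions, since the embodiments above state only which inputs the IKE SA and sub-SA keys are generated from, not the derivation function.

```python
"""
Constructed simulation of the control-plane IPSec negotiation of Embodiment A (IKE SA
during session establishment) and Embodiment B (uplink IPSec sub-SA during session
modification).  KE_UE is held as subscription data at the UDM, so the air-interface
messages (UE <-> AMF) never carry it, and the AMF and the target GW derive the same
keys from (KE_UE, N_UE, KE_GW, N_GW).  The KDF is an HKDF-style construction chosen
for illustration; SUPI, SPIs, nonces and key material are made-up sample values.
"""
import hashlib
import hmac
import os

def derive_sa_key(ke_ue, n_ue, ke_gw, n_gw, label):
    """Illustrative derivation: extract with both nonces as salt, expand with a label."""
    prk = hmac.new(n_ue + n_gw, ke_ue + ke_gw, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()

class Udm:
    """Keeps KE_UE in the UE's subscription data (KE query request/response)."""
    def __init__(self, subscriptions):
        self._subs = subscriptions  # SUPI -> KE_UE
    def ke_query(self, supi):
        return self._subs[supi]

class TargetGw:
    """Target security gateway reached by the SMF; derives the same keys as the AMF."""
    def __init__(self, ip):
        self.ip, self.ke_gw, self.spi_gw = ip, os.urandom(32), 0x2002
        self.ke_ue, self.keys = None, {}
    def ike_sa_establish(self, first):  # S706/S707: first security parameter in, second out
        n1_gw = os.urandom(16)
        self.ke_ue = first["KE_UE"]
        self.keys["ike"] = derive_sa_key(first["KE_UE"], first["N1_UE"], self.ke_gw, n1_gw, b"IKE")
        return {"gw_ip": self.ip, "SPI_GW": self.spi_gw, "KE_GW": self.ke_gw,
                "N1_GW": n1_gw, "SA1_GW": "aes-gcm"}
    def child_sa_establish(self, third):  # S804/S805: third security parameter in, fourth out
        n2_gw = os.urandom(16)
        self.keys["child"] = derive_sa_key(self.ke_ue, third["N2_UE"], self.ke_gw, n2_gw, b"CHILD")
        return {"SPI_UE": third["SPI_UE"], "SPI_GW": self.spi_gw, "ID1_GW": "gw-ipsec-1",
                "AUTH_GW": "gw-auth", "SA2_GW": "aes-gcm", "N2_GW": n2_gw,
                "TS2_UE": third["TS1_UE"], "TS2_GW": third["TS1_GW"]}

class Smf:
    """Selects the target GW for the session and relays the security parameters."""
    def __init__(self, gateways):
        self._gws, self._assoc = gateways, {}
    def session_establish(self, req):
        gw = min(self._gws, key=lambda g: len(g.keys))  # stand-in for load-based selection
        self._assoc[req["session"]] = gw
        return gw.ike_sa_establish(req["first"])
    def session_modify(self, req):
        return self._assoc[req["session"]].child_sa_establish(req["third"])

class Amf:
    """Fetches KE_UE from the UDM, drives the SMF, derives the keys and configures the UE."""
    def __init__(self, udm, smf):
        self._udm, self._smf, self._ctx = udm, smf, {}
    def session_establish(self, supi, air_req):  # S701: request arrives over the air interface
        ke_ue = self._udm.ke_query(supi)  # S702/S703: KE_UE comes from the core, not the UE
        first = {"SPI_UE": air_req["SPI_UE"], "KE_UE": ke_ue,
                 "N1_UE": air_req["N1_UE"], "SA1_UE": air_req["SA1_UE"]}
        second = self._smf.session_establish({"session": air_req["session"], "first": first})
        self._ctx[supi] = {"KE_UE": ke_ue, "KE_GW": second["KE_GW"]}
        key = derive_sa_key(ke_ue, first["N1_UE"], second["KE_GW"], second["N1_GW"], b"IKE")
        # S711: the IKE SA key is configured to the UE; KE_UE and KE_GW stay in the core
        return {"session": air_req["session"], "SPI_GW": second["SPI_GW"],
                "gw_ip": second["gw_ip"], "ike_key": key}
    def session_modify(self, supi, air_req):  # S801: session modification request
        ctx = self._ctx[supi]
        fourth = self._smf.session_modify({"session": air_req["session"], "third": air_req["third"]})
        key = derive_sa_key(ctx["KE_UE"], air_req["third"]["N2_UE"], ctx["KE_GW"], fourth["N2_GW"], b"CHILD")
        return {"session": air_req["session"], "qfi": air_req["qfi"], "child_key": key}

def run_negotiation():
    """Drives both embodiments once; returns the derived keys and every air-interface message."""
    supi, ke_ue = "imsi-001010000000001", os.urandom(32)
    gw = TargetGw("192.0.2.10")
    amf = Amf(Udm({supi: ke_ue}), Smf([gw]))
    air = [{"session": 1, "e2e": True, "SPI_UE": 0x1001, "N1_UE": os.urandom(16), "SA1_UE": "aes-gcm"}]
    air.append(amf.session_establish(supi, air[0]))
    third = {"SPI_UE": 0x1001, "SPI_GW": air[1]["SPI_GW"], "ID1_UE": "ue-ipsec-1", "AUTH_UE": "ue-auth",
             "SA2_UE": "aes-gcm", "N2_UE": os.urandom(16), "TS1_UE": "10.0.0.2/32", "TS1_GW": "0.0.0.0/0"}
    air.append({"session": 1, "qfi": 5, "third": third})
    air.append(amf.session_modify(supi, air[2]))
    return {"ue_ike_key": air[1]["ike_key"], "gw_ike_key": gw.keys["ike"],
            "ue_child_key": air[3]["child_key"], "gw_child_key": gw.keys["child"],
            "air_messages": air, "secrets": [ke_ue, gw.ke_gw]}

def _values(obj):
    """Yields every leaf value of a nested message dict."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _values(v)
    else:
        yield obj

def key_material_on_air(result):
    """True if KE_UE or KE_GW appears in any air-interface message (it must not)."""
    return any(v in result["secrets"] for m in result["air_messages"] for v in _values(m))
```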
  • Embodiment C Referring to Figure 9, after the UE establishes an IKE SA with the target GW (for example, establishing an IKE SA through the method provided in Embodiment A), the SMF can initiate an uplink IPSec sub-SA establishment process.
  • the core network control plane establishes the uplink IPSec sub-SA through the session modification process.
  • the uplink IPSec sub-SA is the IPSec sub-SA from the UE to the target GW.
  • the SMF may decide to establish the second QoS flow through, but is not limited to, the following three methods, each method corresponding to a step in S900a-S900c.
  • the UE initiates a session modification process, sends a session modification request message to the SMF through the AMF, and requests the establishment of a second QoS flow in the UE's session.
  • the session modification request message includes the session identifier of the UE's session (hereinafter referred to as the session identifier), and the information of the second QoS flow requested by the UE to be established.
  • the policy modification notification message includes information about the second QoS flow that the PCF requests to establish in the session of the UE.
  • the UDM sends a subscription modification notification message to the SMF.
  • the subscription modification notification message includes information about the second QoS flow established in the session of the UE as requested by the UDM.
  • after receiving the session modification request message, the policy modification notification message, or the subscription modification notification message, the SMF decides to establish a second QoS flow in the UE's session. The SMF sends an IPSec sub-SA establishment request message to the AMF, where the IPSec sub-SA establishment request message contains the session identifier and the information of the second QoS flow. Optionally, the IPSec sub-SA establishment request message may also contain SPI_UE and SPI_GW.
  • the AMF can forward the received IPSec sub-SA establishment request message to the UE.
  • the UE sends an IPSec sub-SA establishment response message to the AMF.
  • the IPSec sub-SA establishment response message contains the session identifier and the information of the second QoS flow.
  • the IPSec sub-SA establishment response message may contain some or all of the third security parameters.
  • the IPSec sub-SA establishment response message contains SPI_UE, SPI_GW, ID1_UE, AUTH_UE, SA2_UE, N2_UE, TS1_UE, and TS1_GW.
  • S904 AMF sends an IPSec sub-SA establishment response message to SMF.
  • the IPSec sub-SA establishment response message contains the session identifier, the information of the second QoS flow, and the third security parameters.
  • when the AMF receives only some of the third security parameters in the IPSec sub-SA establishment response message received through S903, the AMF can also obtain another part of the third security parameters from the locally maintained UE-related information before executing S904.
  • S905-S910 are the same as S803-S808 in Embodiment B.
  • the specific processes can be referred to each other and will not be described again here.
  • the core network control plane network element can realize the transmission of the third security parameter of the UE and the fourth security parameter of the target GW, thereby completing the IPSec negotiation.
  • the method provided by this embodiment can couple the uplink IPSec sub-SA establishment process into the session modification process, and bind the uplink IPSec sub-SA with the second QoS flow established by the session modification process, so that the UPF can map the data packets received through the second QoS flow to the uplink IPSec sub-SA, thereby forwarding the data packets to the target GW.
  • since this method couples the uplink IPSec sub-SA establishment process into the session modification process, it not only reduces the signaling overhead of mobile communications, but also establishes the uplink IPSec sub-SA through the core network control plane, avoiding the risk of security parameter leakage caused by user plane transmission of security parameters and ensuring the security of the IPSec negotiation process.
  • embodiments of the present application provide another communication method. This method can be applied to the communication system as shown in Figure 1 or Figure 2. This method will be described below with reference to the flow chart shown in Figure 10 .
  • this embodiment is used to establish the security processing protocol SA through the interaction of core network control plane network elements. Therefore, an IKE SA has been established between the UE and the target security gateway.
  • the establishment process of the IKE SA can refer to the user plane IPSec negotiation process in the existing technology, or the IKE SA can be established through the IPSec negotiation process provided by the embodiment shown in Figure 6 or Figure 7, which will not be described again here.
  • SMF has learned that an IKE SA has been established between the UE and the target security gateway.
  • (Figure 10: the network elements involved are the SMF, the AMF, the UPF and the target security gateway)
  • SMF sends the first message to the target security gateway.
  • the target security gateway receives the first message from the SMF.
  • the first message is used to request the establishment of a security processing protocol SA between the UE and the target security gateway.
  • the target security gateway sends a second message to the SMF.
  • the SMF receives the second message from the target security gateway.
  • the second message contains the first security parameter of the target security gateway, the first security parameter is used to establish the security processing protocol SA, and the second message is a response message to the first message.
  • the SMF sends the third message to the AMF.
  • the AMF receives the third message from the SMF.
  • the third message contains the first security parameter, and the third message is used to request the establishment of the security processing protocol SA.
  • the AMF sends a fourth message to the SMF.
  • the SMF receives the fourth message from the AMF.
  • the fourth message contains the second security parameter of the UE, the second security parameter is used to establish the security processing protocol SA, and the fourth message is a response message to the third message.
  • the SMF sends a fifth message to the target security gateway.
  • the target security gateway receives the fifth message from the SMF.
  • the fifth message includes the second security parameter.
  • the fifth message is used to request the establishment of the secure processing protocol SA.
  • the AMF may configure the UE according to the first security parameter and the second security parameter to establish the security processing protocol SA between the UE and the target security gateway.
  • the AMF may send some or all of the first security parameters and/or some or all of the second security parameters to the UE.
  • the AMF may also generate a security processing protocol SA key based on the first security parameter and the second security parameter, and then send the security processing protocol SA key to the UE. In this way, the UE can use the security processing protocol SA key to securely protect the data packets transmitted through the security processing protocol SA.
  • the target security gateway may also configure itself according to its first security parameter and the second security parameter received through S1005 to establish the security processing protocol SA.
  • the target security gateway may also generate a security processing protocol SA key based on the first security parameter and the second security parameter. In this way, the target security gateway can use the security processing protocol SA key to securely protect the data packets transmitted through the security processing protocol SA. Since the AMF and the target security gateway use the same security parameters to generate the security processing protocol SA key, the security processing protocol SA keys generated by them are the same.
  • the core network control plane network element of the mobile communication system can realize the transfer of the security parameters of the UE and the security parameters of the target security gateway through interaction with the target security gateway, thereby completing the IPSec negotiation. Since the IPSec negotiation process is completed through the core network control plane, and the core network has high security, this method can avoid the risk of security parameter leakage caused by user plane transmission of security parameters, ensure the security of the IPSec negotiation process, and thereby ensure the security of the subsequent transmission of user data or signaling through the established SA.
  • the core network control plane network element in the embodiment of the present application can perform the above IPSec negotiation process through the session modification process.
  • the SMF may, but is not limited to, decide to establish the first QoS flow in the session of the UE in the following manner, thereby triggering execution of S1001:
  • Method 1: The SMF receives a policy modification notification message from the PCF, where the policy modification notification message contains information about the first QoS flow that the PCF requests to establish in the session of the UE.
  • Method 2: The SMF receives a subscription modification notification message from the UDM, where the subscription modification notification message contains information about the first QoS flow that the UDM requests to establish in the session of the UE.
  • Method 3: The SMF receives a session modification request message from the AMF, where the session modification request message contains information about the first QoS flow that the UE requests to establish in the session of the UE.
  • the third message may be a first session modification command message, and the third message also includes information about the first QoS flow.
  • the fourth message may be a first session modification confirmation message, and the fourth message may further include information about the first QoS flow.
  • the AMF may also send a second session modification command message to the UE, and then receive a second session modification confirmation message from the UE.
  • the second session modification command message and the second session modification confirmation message include the information of the first QoS flow.
  • the second session modification command message may include part or all of the first security parameters; the second session modification confirmation message may also include part or all of the second security parameters.
  • the AMF may obtain another part of the second security parameters from the locally saved relevant information of the UE.
  • the first message may include the third security parameter of the target security gateway determined by the SMF (for example, the data flow selection rules determined by the SMF for the target security gateway for the security management protocol SA).
  • the target security gateway can determine the first security parameter based on the third security parameter.
  • the second session modification command message may also include the fourth security parameter of the UE determined by the AMF (for example, the data flow selection rules determined by the AMF for the UE for the security management protocol SA).
  • the UE can determine the second security parameter according to the fourth security parameter and feed it back to the AMF through the second session modification confirmation message.
  • the first security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the first processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, the first data flow selection rule, or the first random number used to generate the security processing protocol SA key.
  • the second security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the second processing entity in the UE, the authentication information of the UE, the security processing protocol SA encryption algorithm supported by the UE, the second data flow selection rule, or the second random number used to generate the security processing protocol SA key.
  • the SMF may also configure forwarding rules to the UPF serving the UE so that the data packets transmitted between the UE and the target security gateway through the security processing protocol SA are mapped to the first QoS flow, as shown in S1006 in Figure 10; that is, the security processing protocol SA is bound to the first QoS flow.
  • the SMF sends the first forwarding rule configuration information to the UPF serving the UE.
  • the first forwarding rule configuration information is used to instruct the UPF to map data packets transmitted by the target security gateway through the security processing protocol SA to the first QoS flow.
  • the first forwarding rule configuration information is used to instruct the UPF to generate a first forwarding rule.
  • the first forwarding rule is used to map data packets transmitted by the target security gateway to the UE through the security processing protocol SA to the first QoS flow.
  • the target security gateway of the UE can subsequently transmit the downlink data packet of the UE through the security processing protocol SA.
  • the UPF may map these data packets to the first QoS flow in the session of the UE for transmission to the UE.
  • the mobile communication system can couple the security processing protocol SA with the QoS flow in the session, ensuring that the data flow in the security processing protocol SA can be transmitted through the corresponding QoS flow, thereby ensuring the QoS requirements of the business.
  • in tunnel mode, the downlink data packet transmission process is as follows:
  • after receiving the original IP data packet containing service data, the target security gateway protects the whole original IP data packet based on the first security parameter and the second security parameter, adds an IPSec header in front of the protected IP data packet, and places a newly generated IP header in front of the IPSec header, as shown in (b) in Figure 5.
  • the new IP header contains the source IP address (the IP address of the target security gateway) and the destination IP address (the IP address of the UE).
  • the IPSec header may contain the UE's SPI and security processing protocol information.
  • the target security gateway can send the securely processed IP data packet to UPF based on the destination IP address in the new IP header and the set routing rules.
  • the SMF may send the first forwarding rule configuration information to the UPF through S1006 (which may include, for example, the UE's SPI, the UE's IP address, the security processing protocol information, and the first QFI).
  • the UPF can generate a forwarding rule (such as the UE's SPI, security processing protocol information, the UE's IP address, and the first QFI) based on the first forwarding rule configuration information.
  • this forwarding rule implements the mapping between the security processing protocol SA and the QoS flow: the UPF identifies the security processing protocol SA from the UE's SPI, the security processing protocol information and the UE's IP address, and then determines the first QoS flow corresponding to that SA. Therefore, when the UPF receives the securely processed IP data packet from the target security gateway, it uses the information in the IPSec header (the UE's SPI and the security processing protocol information), the destination IP address in the new IP header (the IP address of the UE) and the forwarding rule to map the securely processed IP data packet to the first QoS flow indicated by the first QFI for transmission.
  • after receiving the securely processed IP data packet, the UE can perform security verification on it and recover the original IP data packet.
  • in transport mode, the downlink data packet transmission process is as follows:
  • after receiving the original IP data packet containing service data, the target security gateway protects the IP payload of the original IP data packet, and inserts the IPSec header generated based on the first security parameter and the second security parameter between the protected IP payload and the original IP header, as shown in (a) in Figure 5.
  • the original IP header contains the source IP address (the IP address of the service node, not that of the target security gateway) and the destination IP address (the IP address of the UE).
  • the IPSec header may contain the UE's SPI and security processing protocol information.
  • the target security gateway can send the securely processed IP data packet to UPF based on the destination IP address in the original IP header and the set routing rules.
  • the SMF can send the first forwarding rule configuration information to the UPF through S1006 (which can include, for example, the UE's SPI, the security processing protocol information, the UE's IP address, and the first QFI); in this way, the UPF can generate a forwarding rule based on the first forwarding rule configuration information.
  • the UPF can map data packets whose IPSec header contains the UE's SPI and the security processing protocol information, and whose IP header carries the UE's IP address as destination address, to the first QoS flow indicated by the first QFI, thereby implementing the mapping between the security processing protocol SA and the first QoS flow.
  • when the UPF receives the securely processed IP data packet from the target security gateway, it uses the information in the IPSec header (the UE's SPI and the security processing protocol information), the destination IP address in the original IP header (the IP address of the UE) and the forwarding rule to map the securely processed IP data packet to the first QoS flow indicated by the first QFI for transmission.
  • after receiving the securely processed IP data packet, the UE can perform security verification on it and recover the original IP data packet.
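The UPF-side classification described for the two packet layouts above, as an added example (not code from the patent): it builds a tunnel-mode and a transport-mode downlink packet, extracts the fields the first forwarding rule keys on (destination IP, IP protocol, SPI) and maps the packet to a QFI, plus the uplink direction of the rule. Assumptions not stated on the page: the "security processing protocol" is ESP (IP protocol 50), IPv4 without options, and the protected part is an opaque byte string since encryption itself is out of scope here. All addresses, SPIs and QFIs are constructed sample values.

```python
"""Added example: UPF forwarding rules that bind an IPsec SA to a QoS flow.

Assumed: ESP (IP protocol 50) as the security processing protocol, IPv4
without options, opaque protected payload.  Not code from the patent.
"""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

ESP_PROTO = 50  # IP protocol number of ESP (RFC 4303); assumption, the page names no protocol


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options; checksum left zero (not needed for classification)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: SPI followed by sequence number (RFC 4303 section 2)."""
    return struct.pack("!II", spi, seq)


def tunnel_mode_downlink(gw_ip: str, ue_ip: str, spi: int, original_packet: bytes) -> bytes:
    """Figure 5 (b): the GW protects the whole original packet, prepends ESP and a new IP header."""
    esp = esp_header(spi, 1) + original_packet
    return ipv4_header(gw_ip, ue_ip, ESP_PROTO, len(esp)) + esp


def transport_mode_downlink(server_ip: str, ue_ip: str, spi: int, original_payload: bytes) -> bytes:
    """Figure 5 (a): the GW keeps the original IP header and inserts ESP before the protected payload."""
    esp = esp_header(spi, 1) + original_payload
    return ipv4_header(server_ip, ue_ip, ESP_PROTO, len(esp)) + esp


def classify(packet: bytes) -> Tuple[str, int, Optional[int]]:
    """Return (destination IP, protocol, SPI or None) read from the outermost IP header.

    In both modes the header the UPF routes on carries the UE address as
    destination and is immediately followed by the ESP header, so the UPF
    needs no knowledge of the mode and never touches the protected part.
    """
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    if packet[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if proto != ESP_PROTO:
        return dst, proto, None
    if len(packet) < ihl + 8:
        raise ValueError("truncated ESP header")
    spi = struct.unpack_from("!I", packet, ihl)[0]
    return dst, proto, spi


class UpfForwardingRules:
    """Forwarding rules generated from the SMF's first forwarding rule configuration information."""

    def __init__(self) -> None:
        self._downlink: Dict[Tuple[str, int, Optional[int]], int] = {}  # (UE IP, proto, UE SPI) -> QFI
        self._uplink: Dict[int, str] = {}                               # QFI -> target GW IP

    def install_downlink(self, ue_ip: str, proto: int, ue_spi: int, qfi: int) -> None:
        self._downlink[(ue_ip, proto, ue_spi)] = qfi

    def install_uplink(self, qfi: int, gw_ip: str) -> None:
        self._uplink[qfi] = gw_ip

    def downlink_qfi(self, packet: bytes) -> Optional[int]:
        """QFI for a packet arriving from the GW, or None when no SA is bound to a QoS flow."""
        return self._downlink.get(classify(packet))

    def uplink_next_hop(self, qfi: int, packet: bytes) -> str:
        """Uplink packet received on a QFI: hand it to the GW when a rule exists, else route on
        its destination.  In tunnel mode the outer destination already is the GW, so no uplink
        rule is needed; in transport mode the destination is the server, so the (QFI -> GW IP)
        rule is what steers the packet through the SA."""
        dst, _, _ = classify(packet)
        return self._uplink.get(qfi, dst)


if __name__ == "__main__":
    UE_IP, GW_IP, SERVER_IP, UE_SPI, QFI = "10.45.0.2", "192.0.2.10", "203.0.113.7", 0xA001, 5
    rules = UpfForwardingRules()
    rules.install_downlink(UE_IP, ESP_PROTO, UE_SPI, QFI)
    inner = ipv4_header(SERVER_IP, UE_IP, 17, 4) + b"data"   # constructed original packet
    print(rules.downlink_qfi(tunnel_mode_downlink(GW_IP, UE_IP, UE_SPI, inner)))
    print(rules.downlink_qfi(transport_mode_downlink(SERVER_IP, UE_IP, UE_SPI, b"data")))
    print(rules.downlink_qfi(tunnel_mode_downlink(GW_IP, UE_IP, 0xBEEF, inner)))  # unbound SPI
```

The UPF matches only plaintext header fields (destination address, protocol, SPI) and does not verify the ESP packet; as the text says, the security verification that rejects a bad packet happens at the UE after the mapping, so a packet carrying an unknown SPI simply falls outside the bound QoS flow.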
  • the message exchanged in this embodiment of the present application may also carry the session identifier of the UE's session.
  • the process of establishing the QoS flow in the session of the UE can refer to the existing process, and will not be described again here.
  • in summary, this embodiment provides a communication method in which the core network control plane network element transfers the security parameters of the UE and of the target security gateway through interaction with the target security gateway, completing the IPSec negotiation over the core network control plane rather than the user plane and thereby avoiding the risk of security parameter leakage, securing the negotiation and the subsequent transmission of user data or signaling through the established SA.
  • Embodiment D: Referring to Figure 11, after the UE has established an IKE SA with the target GW (for example, through the method provided in Embodiment A), the SMF can initiate a downlink IPSec sub-SA establishment process.
  • the core network control plane establishes the downlink IPSec sub-SA through the session modification process.
  • the downlink IPSec sub-SA is the IPSec sub-SA from the target GW to the UE.
  • the establishment process of the uplink IPSec sub-SA from the UE to the target GW may refer to the description in the embodiment shown in Figure 6, Figure 8 or Figure 9 above, and will not be described again here.
  • the SMF may decide to establish the first QoS flow through, but is not limited to, the following three methods, each method corresponding to a step in S1100a-S1100c.
  • the UE initiates the session modification process, sends a session modification request message to the SMF through the AMF, and requests to establish the first QoS flow in the UE's session.
  • the session modification request message includes the session identifier of the UE's session (hereinafter referred to as the session identifier), and the information of the first QoS flow requested by the UE to be established.
  • when the PCF modifies the policy, it sends a policy modification notification message to the SMF; the message includes information about the first QoS flow that the PCF requests to establish in the session of the UE.
  • when the subscription information of the UE changes, the UDM sends a subscription modification notification message to the SMF.
  • the subscription modification notification message includes the information of the first QoS flow established in the session of the UE as requested by the UDM.
  • after receiving the session modification request message, the policy modification notification message, or the subscription modification notification message, the SMF decides to establish the first QoS flow in the UE's session.
  • the SMF obtains the PCC rule of the first QoS flow from the PCF based on the information of the first QoS flow.
  • SMF can create the first QoS flow according to the PCC rule.
  • for the specific process, refer to the existing QoS flow establishment process, which is not described again here.
  • S1102: The SMF initiates configuration of the downlink IPSec sub-SA for the first QoS flow by sending an IPSec sub-SA establishment request message to the target GW. The IPSec sub-SA establishment request message contains SPI_UE and SPI_GW, which identify the downlink IPSec sub-SA.
  • the SMF may also determine some security parameters of the target GW for the downlink IPSec sub-SA.
  • the IPSec sub-SA establishment request message may include the data flow selection rule TS1'_UE on the UE side determined by the SMF, and the data flow selection rule TS1'_GW on the target GW side.
  • the target GW can determine the first security parameter of the target GW for establishing the IPSec sub-SA based on the security parameters of the target GW included in the IPSec sub-SA establishment request message.
  • the target GW sends an IPSec sub-SA establishment response message to the SMF.
  • the IPSec sub-SA establishment response message contains the first security parameters determined by the target GW, including SPI_UE, SPI_GW, the identification ID1_GW of the processing entity that implements the IPSec sub-SA in the target GW, the authentication information AUTH_GW of the target GW, the encryption algorithm SA_GW of the IPSec sub-SA supported by the target GW, the first random number N_GW used to generate the IPSec sub-SA key, the first data flow selection rule TS1_UE on the UE side, and the first data flow selection rule TS1_GW on the target GW side.
  • TS1_UE may be determined by the target GW based on TS1′_UE, and TS1_GW may be determined by the target GW based on TS1′_GW.
  • SMF sends a session modification command message to AMF.
  • the session modification command message includes a session identifier, used to identify the first QFI of the first QoS flow, and the first security parameters of the target GW (SPI_UE, SPI_GW, ID1_GW, AUTH_GW, SA_GW, N_GW, TS1_UE, TS1_GW).
  • the AMF sends a session modification command message to the UE.
  • the session modification command message includes the session identifier, the first QFI, and some or all of the first security parameters (for example, ID1_GW, AUTH_GW, SA_GW, N_GW, TS1_UE, TS1_GW).
  • the session modification command message may also include SPI_UE and SPI_GW.
  • the session modification command message may also include some security parameters of the UE determined by the AMF for the downlink IPSec sub-SA.
  • the session modification command message may include at least one of the following: the identification ID_UE of the processing entity that implements the IPSec sub-SA in the UE, the authentication information AUTH_UE of the UE, the encryption algorithm SA_UE of the IPSec sub-SA supported by the UE, and the second random number N_UE used to generate the IPSec sub-SA key. In this way, the UE can determine the second security parameters used to establish the IPSec sub-SA based on the security parameters of the UE included in the session modification command message.
  • the UE sends a session modification confirmation message to the AMF.
  • the session modification confirmation message may include the session identifier, the first QFI.
  • the session modification confirmation message may also include part or all of the second security parameters.
  • the session modification confirmation message may include SPI_UE, SPI_GW; and/or include at least one of the following: the second data flow selection rule TS2_UE on the UE side, the second data flow selection rule TS2_GW of the target GW, ID_UE, AUTH_UE, SA_UE, N_UE.
  • AMF sends a session modification confirmation message to SMF.
  • the session modification confirmation message includes the session identifier, the first QFI, and the second security parameters of the UE (SPI_UE, SPI_GW, ID_UE, AUTH_UE, SA_UE, N_UE, TS2_UE, TS2_GW).
  • the SMF sends an IPSec sub-SA establishment request message to the target GW.
  • the IPSec sub-SA establishment request message contains the second security parameters of the UE (SPI_UE, SPI_GW, ID_UE, AUTH_UE, SA_UE, N_UE, TS2_UE, TS2_GW).
  • the target GW can also send an IPSec sub-SA establishment response message to the SMF.
  • the SMF configures forwarding rules to the UPF so that the UPF maps the data packets transmitted by the target GW through the IPSec sub-SA to the first QoS flow of the session and transmits them to the UE.
  • the forwarding rule configuration information that the SMF sends to the UPF may include SPI_UE, the IP address of the UE, the security processing protocol information, and the first QFI indicating the first QoS flow.
  • UPF can generate corresponding forwarding rules based on the configuration information.
  • a data packet received from the target GW whose IPSec header contains SPI_UE and the security processing protocol information, and whose IP header carries the IP address of the UE as destination address, is mapped to the first QoS flow and transmitted to the UE.
  • the AMF can generate an IPSec sub-SA key based on KE_UE, N_UE, KE_GW, and N_GW, and configure the IPSec sub-SA key to the UE, so that the UE can protect the data packets transmitted through the IPSec sub-SA based on the IPSec sub-SA key.
  • the target GW can also generate an IPSec sub-SA key based on KE_UE, N_UE, KE_GW, and N_GW, so that the data packets transmitted through the IPSec sub-SA can subsequently be securely protected based on the IPSec sub-SA key.
  • KE_UE and KE_GW are obtained during the process of establishing IKE SA between the UE and the target GW.
  • the UE and the target GW can perform security protection on downlink data packets passing through the downlink IPSec sub-SA based on the IPSec sub-SA key.
  • this embodiment can also be divided into scenarios in which the AMF establishes an IPSec sub-SA on behalf of the UE, and in which the UE processes the IPSec sub-SA by itself.
  • this scenario can be regarded as the AMF establishing the IPSec sub-SA on behalf of the UE.
  • this scenario may be regarded as a scenario in which the UE handles the IPSec sub-SA by itself.
  • the core network control plane network element can transfer the second security parameters of the UE and the first security parameters of the target GW, thereby completing the IPSec negotiation.
  • the method provided by this embodiment couples the downlink IPSec sub-SA establishment process to the session modification process and binds the downlink IPSec sub-SA to the first QoS flow established in that process, so that all data packets transmitted by the target GW through the downlink IPSec sub-SA can be mapped to the first QoS flow and then transmitted to the UE.
  • because this method couples the downlink IPSec sub-SA establishment process into the session modification process, it not only reduces the signaling overhead of mobile communications, but also establishes the downlink IPSec sub-SA through the core network control plane, avoiding the risk of security parameter leakage caused by transmitting security parameters on the user plane and ensuring the security of the IPSec negotiation process.
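The key generation that Embodiment C attributes to the AMF and the target security gateway (same parameters in, same security processing protocol SA key out) and that this embodiment describes as deriving the IPSec sub-SA key from KE_UE, N_UE, KE_GW and N_GW, as an added example that is not code from the patent. The page does not name the key derivation, so this example assumes: Diffie-Hellman over the 2048-bit MODP group (RFC 3526 group 14; the prime is transcribed below, verify it against the RFC before reuse), IKEv2's prf+ (RFC 7296 section 2.13) with HMAC-SHA-256 keyed by the DH shared secret and seeded with N_UE | N_GW, and the IKEv2 KEYMAT split into separate initiator-to-responder and responder-to-initiator keys with the UE as initiator. Private values and nonces are constructed constants so the run is repeatable.

```python
"""Added example: both ends deriving the same IPsec sub-SA keys from KE_UE, KE_GW, N_UE, N_GW.

Assumed KDF: IKEv2 prf+ with HMAC-SHA-256 keyed by the DH shared secret;
assumed group: RFC 3526 group 14 (transcribed, verify before reuse).
Not code from the patent.
"""
import hashlib
import hmac
from typing import Dict, Tuple

MODP_2048_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
MODP_2048_G = 2


def ke_value(private: int) -> int:
    """Public key-exchange value g^x mod p (what the page calls KE_UE / KE_GW)."""
    return pow(MODP_2048_G, private, MODP_2048_P)


def dh_shared_secret(private: int, peer_ke: int) -> bytes:
    """g^ir as a fixed-length byte string; rejects the degenerate values 0, 1 and p-1."""
    if not 1 < peer_ke < MODP_2048_P - 1:
        raise ValueError("peer KE value outside the group")
    return pow(peer_ke, private, MODP_2048_P).to_bytes(256, "big")


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n); output T1 | T2 | ..."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out += prev
        n += 1
    return out[:length]


def sub_sa_keys(private: int, peer_ke: int, n_ue: bytes, n_gw: bytes,
                enc_len: int = 32, int_len: int = 32) -> Dict[str, bytes]:
    """KEYMAT = prf+(g^ir, N_UE | N_GW), split in IKEv2 order SK_ei, SK_ai, SK_er, SK_ar.

    With the UE as initiator the 'i' keys protect the uplink sub-SA (UE -> GW)
    and the 'r' keys the downlink sub-SA (GW -> UE): each unidirectional sub-SA
    gets its own encryption and integrity key.
    """
    keymat = prf_plus(dh_shared_secret(private, peer_ke), n_ue + n_gw, 2 * (enc_len + int_len))
    names = ("uplink_enc", "uplink_int", "downlink_enc", "downlink_int")
    sizes = (enc_len, int_len, enc_len, int_len)
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = keymat[pos:pos + size]
        pos += size
    return keys


def derive_both_sides(ue_priv: int, gw_priv: int, n_ue: bytes, n_gw: bytes
                      ) -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """AMF/UE side and target GW side each derive from their own private value and the peer's KE."""
    ke_ue, ke_gw = ke_value(ue_priv), ke_value(gw_priv)
    return sub_sa_keys(ue_priv, ke_gw, n_ue, n_gw), sub_sa_keys(gw_priv, ke_ue, n_ue, n_gw)


# Constructed, deterministic inputs (a real implementation draws these from a CSPRNG).
UE_PRIV = int.from_bytes(hashlib.sha256(b"constructed UE private value").digest(), "big")
GW_PRIV = int.from_bytes(hashlib.sha256(b"constructed GW private value").digest(), "big")
N_UE = hashlib.sha256(b"constructed N_UE").digest()
N_GW = hashlib.sha256(b"constructed N_GW").digest()

if __name__ == "__main__":
    ue_side, gw_side = derive_both_sides(UE_PRIV, GW_PRIV, N_UE, N_GW)
    for name in ue_side:
        print(name, ue_side[name].hex(), "match" if ue_side[name] == gw_side[name] else "MISMATCH")
```

Two points follow directly from the text above: the two sides agree only because every input (both KE values and both nonces) reached both of them unchanged, which is what the control-plane transfer is for; and in the scenario where the AMF derives the key and configures it to the UE, the sub-SA key exists at the AMF as well as at the two SA endpoints, so the page's security argument rests on the core network control plane being trusted.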
  • embodiments of the present application also provide a communication method. This method can be applied to the communication system shown in Figure 1 or Figure 2, and is described below with reference to the flow chart shown in Figure 12.
  • the method provided in this embodiment is executed when the IKE SA and the security management protocol SA have been established between the UE and the target security gateway.
  • the process of establishing an IKE SA may refer to the process in the prior art, or the description in the embodiment shown in Figure 6 or Figure 7.
  • the UE and the target GW can transmit related signaling packets to establish the security management protocol SA based on the established IKE SA.
  • for the specific process, refer to the description of S303-S304 in Figure 3, which is not repeated here.
  • the SMF and the UPF are both network elements that provide services for the UE, which is not repeated below.
  • S1201: The SMF receives the first message.
  • the first message contains information about the first QoS flow that needs to be established in the session of the UE.
  • the information of the first QoS flow may include, but is not limited to, the QoS requirements (QoS parameters), the identification of the first QoS flow (the first QFI), the packet filter detection rules of the first QoS flow, etc.
  • the SMF may, but is not limited to, perform S1201 in the following manner:
  • Method 1: The SMF receives a policy modification notification message (that is, the first message) from the PCF, where the policy modification notification message contains the information of the first QoS flow that the PCF requests to establish in the session of the UE.
  • Method 2: The SMF receives a subscription modification notification message (that is, the first message) from the UDM, where the subscription modification notification message contains the information of the first QoS flow that the UDM requests to establish in the session of the UE.
  • Method 3: The SMF receives a session modification request message (that is, the first message) from the AMF, where the session modification request message contains the information of the first QoS flow that the UE requests to establish in the session of the UE.
  • the SMF creates the first QoS flow according to the information of the first QoS flow.
  • the SMF obtains the PCC rule of the first QoS flow from the PCF based on the information of the first QoS flow.
  • the SMF can create the first QoS flow according to the PCC rule.
  • for the specific process, refer to the existing QoS flow establishment process, which is not described again here.
  • the SMF obtains the security parameters of the security processing protocol SA established between the UE and the target security gateway.
  • the SMF may obtain the security parameters through, but is not limited to, the following methods:
  • Method 1: The SMF obtains the security parameters from the first message.
  • for example, the session modification request message may carry the security parameters.
  • Method 2: The SMF obtains the security parameters from at least one of the following: the UE, the AMF, and the target security gateway.
  • for example, the SMF may send a request message to the UE, the AMF or the target security gateway to request the security parameters, and then receive the security parameters from the UE, the AMF or the target security gateway.
  • the security parameters may include, but are not limited to, at least one of the following: SPI_UE, SPI_GW, the identification ID_UE of the processing entity in the UE that implements the security processing protocol SA, the identification of the processing entity in the target security gateway that implements the security processing protocol SA, the data flow selection rule TS_UE on the UE side, and the data flow selection rule TS_GW on the target GW side.
  • the content included in the security parameters may refer to the description in the above embodiments, and will not be described again here.
  • the SMF sends the first forwarding rule configuration information to the UPF.
  • the first forwarding rule configuration information is used to instruct the UPF to forward data packets from the UE received through the first QoS flow to the target security gateway, and/or to map data packets transmitted by the target security gateway through the security processing protocol SA to the first QoS flow.
  • the first forwarding rule configuration information is used to instruct the UPF to generate a first forwarding rule.
  • the first forwarding rule is used by the UPF to forward data packets from the UE received through the first QoS flow to the target security gateway, and/or to map data packets transmitted by the target security gateway through the security processing protocol SA to the first QoS flow.
  • the UE and the target security gateway can subsequently transmit the service data packet of the UE in the first QoS flow of the user plane through the security processing protocol SA.
  • when the security processing protocol SA established between the UE and the target security gateway is the uplink IPSec sub-SA, the description of the first forwarding rule configuration information may refer to the embodiment shown in Figure 6.
  • when the security processing protocol SA established between the UE and the target security gateway is the downlink IPSec sub-SA, the description of the first forwarding rule configuration information may refer to S1006 in the embodiment shown in Figure 10 or S1110 in the embodiment shown in Figure 11, which is not described again here.
  • the mobile communication system can couple the security processing protocol SA with the QoS flow in the session, ensuring that the data flow in the security processing protocol SA can be transmitted through the corresponding QoS flow, thereby ensuring the QoS requirements of the business.
  • Embodiment E: This embodiment is executed after the UE and the target GW have established an IKE SA (for example, through the method provided in Embodiment A). Therefore, in this embodiment, the UE and the target GW can perform the IPSec negotiation on the user plane through the established IKE SA, transmitting the security parameters used to establish the IPSec sub-SA.
  • the UE and the target GW can transmit the security parameters for establishing the uplink IPSec sub-SA through S1301a-S1301b:
  • S1301a: The UE sends the first security parameter of the UE to the target GW through the IKE SA; the first security parameter is used to establish the uplink IPSec sub-SA.
  • S1301b: The target GW sends the second security parameter of the target GW to the UE through the IKE SA.
  • the second security parameter is used to establish the uplink IPSec sub-SA.
  • the UE and the target GW can also transmit the security parameters to establish the downlink IPSec sub-SA through S1302a-S1302b to establish the downlink IPSec sub-SA:
  • S1302a: The target GW sends the third security parameter of the target GW to the UE through the IKE SA.
  • the third security parameter is used to establish the downlink IPSec sub-SA.
  • S1302b: The UE sends the fourth security parameter of the UE to the target GW through the IKE SA; the fourth security parameter is used to establish the downlink IPSec sub-SA.
  • after the UE has established an IPSec sub-SA (uplink IPSec sub-SA or downlink IPSec sub-SA) with the target GW, the UE can initiate a session modification request message to the SMF through the AMF.
  • the session modification request message includes the session identifier of the UE's session, the information of the first QoS flow requested by the UE, and the security parameters of the IPSec sub-SA.
  • the security parameters may include, but are not limited to, at least one of the following: SPI_UE, SPI_GW, the identification ID_UE of the processing entity that implements the IPSec sub-SA in the UE, the identification of the processing entity that implements the IPSec sub-SA in the target GW, and the data flow selection rule TS_UE on the UE side.
  • S1304: The SMF obtains the PCC rule of the first QoS flow from the PCF based on the information of the first QoS flow in the session modification request message. In this way, the SMF can create the first QoS flow according to the PCC rule.
  • for the specific process, refer to the existing QoS flow establishment process, which is not described again here.
  • the SMF configures forwarding rules to the UPF so that the UPF maps the data packets transmitted through the IPSec sub-SA in the UE's session to the first QoS flow of the session.
  • the UPF can generate corresponding forwarding rules based on the configuration information, so that the UPF maps data packets from the UE received through the first QoS flow to the uplink IPSec sub-SA for forwarding to the target GW, and/or maps data packets transmitted by the target GW through the downlink IPSec sub-SA onto the first QoS flow for forwarding to the UE.
  • the SMF sends a session modification response message to the UE through the AMF.
  • the core network control plane network element can bind the IPSec sub-SA to the established first QoS flow, so that the UE and the target security gateway can transmit the service data packets of the UE in the first QoS flow of the user plane through the IPSec sub-SA.
  • because an IPSec sub-SA is unidirectional, an uplink IPSec sub-SA and a downlink IPSec sub-SA can be established for the same QoS flow in the UE's session. Furthermore, for the IPSec sub-SAs in different directions of the QoS flow, the SMF can configure corresponding forwarding rules to the UPF so that the packets transmitted through the IPSec sub-SAs in different directions can be mapped to the QoS flow.
  • in tunnel mode, the SMF does not configure a forwarding rule to the UPF for the uplink IPSec sub-SA of the QoS flow, but it needs to configure a forwarding rule to the UPF for the downlink IPSec sub-SA of the QoS flow.
  • the configuration information of this forwarding rule may include the UE's SPI, the UE's IP address, the security processing protocol information, and the QFI of the QoS flow.
  • in transport mode, the SMF configures a first forwarding rule to the UPF for the uplink IPSec sub-SA of the QoS flow, whose configuration information includes the QFI of the QoS flow and the IP address of the target security gateway; the SMF also needs to configure a second forwarding rule to the UPF for the downlink IPSec sub-SA of the QoS flow.
  • the configuration information of the second forwarding rule can include the UE's SPI, the UE's IP address, the security processing protocol information, and the QFI of the QoS flow (the same as the forwarding rule that the SMF configures to the UPF for the downlink IPSec sub-SA of the QoS flow in the tunnel mode scenario above).
  • The embodiments provided in Figures 6 to 13 above can be implemented individually or in combination with each other; this application is not limited in this respect. It should be noted that in the communication system, for the same QoS flow, the QFI that identifies the QoS flow in the uplink direction and the QFI that identifies the QoS flow in the downlink direction may be the same or different. Therefore, when an uplink IPSec sub-SA and a downlink IPSec sub-SA are established for the same QoS flow, the QFIs identifying the QoS flow in the two directions may be the same or different.
  • The communication system may use the method of the embodiment shown in Figure 8 or Figure 9 to establish an uplink IPSec sub-SA for the uplink direction of the QoS flow, and use the method of the embodiment shown in Figure 11 to establish a downlink IPSec sub-SA for the QoS flow.
  • In that case, for the uplink IPSec sub-SA and the downlink IPSec sub-SA, the QFI that identifies the QoS flow in the uplink direction and the QFI that identifies the QoS flow in the downlink direction may be the same or different.
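The forwarding rules above can be modelled as two UPF lookup tables: an uplink table keyed by QFI that names the target security gateway (the transport-mode first rule), and a downlink table keyed by (UE IP address, security processing protocol, UE SPI) that yields the QFI (the second rule). The following is an added example, not code from the patent; it assumes the security processing protocol is ESP (IP protocol 50, whose SPI is the first four bytes of the ESP header), that packets with no matching rule fall back to a default QoS flow, and it uses constructed addresses, SPIs and QFIs.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP_PROTOCOL = 50   # assumption: the "security processing protocol" is ESP (IP protocol 50)
DEFAULT_QFI = 1     # assumption: QFI of the default QoS flow of the UE's session


@dataclass(frozen=True)
class UplinkRule:
    """First forwarding rule (transport-mode case): uplink packets received on
    this QoS flow are forwarded to the target security gateway."""
    qfi: int
    gateway_ip: str


@dataclass(frozen=True)
class DownlinkRule:
    """Second forwarding rule: downlink packets addressed to the UE that carry
    the given security protocol and the UE's SPI are mapped to this QFI."""
    ue_ip: str
    protocol: int
    ue_spi: int
    qfi: int


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_esp_packet(src_ip: str, dst_ip: str, spi: int, payload: bytes = b"") -> bytes:
    """Construct an IPv4 packet carrying an ESP header (SPI, sequence number)
    followed by an opaque payload; the IPv4 checksum is left zero."""
    total_length = 20 + 8 + len(payload)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64,
                       ESP_PROTOCOL, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    esp = struct.pack("!II", spi, 1)
    return ipv4 + esp + payload


def parse_ipv4(packet: bytes) -> Optional[Tuple[str, str, int, Optional[int]]]:
    """Return (src_ip, dst_ip, protocol, spi); spi is None unless the packet is ESP.
    Returns None for anything that is not a well-formed IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    protocol = packet[9]
    src, dst = _ip_str(packet[12:16]), _ip_str(packet[16:20])
    spi = None
    if protocol == ESP_PROTOCOL and len(packet) >= ihl + 8:
        spi = struct.unpack("!I", packet[ihl:ihl + 4])[0]
    return src, dst, protocol, spi


class Upf:
    """UPF forwarding state as configured by the SMF."""

    def __init__(self) -> None:
        self._uplink: Dict[int, str] = {}                      # QFI -> gateway IP
        self._downlink: Dict[Tuple[str, int, int], int] = {}   # (UE IP, protocol, SPI) -> QFI

    def configure_uplink(self, rule: UplinkRule) -> None:
        self._uplink[rule.qfi] = rule.gateway_ip

    def configure_downlink(self, rule: DownlinkRule) -> None:
        self._downlink[(rule.ue_ip, rule.protocol, rule.ue_spi)] = rule.qfi

    def uplink_next_hop(self, qfi: int) -> Optional[str]:
        """Gateway to which uplink packets received on this QoS flow are sent;
        None means the SMF configured no uplink rule for the flow."""
        return self._uplink.get(qfi)

    def map_downlink(self, packet: bytes) -> int:
        """QFI for a downlink packet towards the UE. Non-ESP packets and ESP
        packets whose (UE IP, SPI) has no rule go to the default QoS flow."""
        parsed = parse_ipv4(packet)
        if parsed is None or parsed[3] is None:
            return DEFAULT_QFI
        _, dst, protocol, spi = parsed
        return self._downlink.get((dst, protocol, spi), DEFAULT_QFI)


def demo() -> Upf:
    """Constructed scenario: UE 10.0.0.2, gateway 192.0.2.10, UE SPI 0x1000,
    uplink QFI 5 and downlink QFI 6 (the QFIs per direction may differ)."""
    upf = Upf()
    upf.configure_uplink(UplinkRule(qfi=5, gateway_ip="192.0.2.10"))
    upf.configure_downlink(DownlinkRule("10.0.0.2", ESP_PROTOCOL, 0x1000, qfi=6))
    return upf
```

The downlink match is deliberately on the full (UE IP, protocol, SPI) triple: an SPI is only unique per destination, so the same SPI value addressed to a different UE must not be mapped to this UE's QoS flow.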
  • Each step involved in the above embodiments can be executed by the corresponding device, or by a component such as a chip, processor, or chip system in the device; the embodiments of the present application do not limit this.
  • each of the above embodiments is only explained by taking execution by the corresponding device as an example.
  • each message such as the first message, the second message, the third message, etc. may be one or more messages, and this application is not limited thereto.
  • Each security parameter in each of the above embodiments is the same as the security parameter in traditional IPSec negotiation. Therefore, for the role or function of each security parameter in this application, one can refer to the corresponding traditional security parameter, which will not be described in detail in this application.
  • each device involved in the above embodiments includes a corresponding hardware structure and/or software module to perform each function.
  • Those skilled in the art should easily realize that the units and method steps of each example described in conjunction with the embodiments disclosed in this application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software driving the hardware depends on the specific application scenarios and design constraints of the technical solution.
  • steps in the embodiments of the present application are only illustrative, and are used to better understand the embodiments. They do not constitute a substantial limitation on the implementation of the solution of the present application.
  • The "steps" can also be understood as "features".
  • This does not constitute any restriction on the execution order of the solution of this application. Any change in the sequence of steps, or any merging or splitting of steps, made on this basis that does not affect the implementation of the overall solution still forms a new technical solution;
  • such a technical solution is also within the scope disclosed in this application.
  • All "steps" appearing in this application are subject to this convention, which is explained uniformly here and will not be repeated where they appear again.
  • this application also provides a communication device, which is applied in the communication system as shown in Figure 1 or Figure 2.
  • the communication device is used to implement the communication method provided in the above embodiments.
  • the communication device 1400 includes a communication unit 1401 and a processing unit 1402 .
  • the communication unit 1401 is used to receive and send data.
  • the communication unit 1401 may include a communication interface, so that the communication device 1400 can use the communication interface to communicate with other network devices in the communication system.
  • the communication device 1400 can be applied to the SMF in the embodiment shown in Figures 6-9.
  • the processing unit 1402 is configured to perform the following steps through the communication unit 1401:
  • the first message contains the first security parameter of the UE, and the first security parameter is used to establish a security association SA between the UE and the security gateway;
  • the third message contains a second security parameter of the target security gateway, the second security parameter is used to establish the target SA, and the third message is a response message to the second message;
  • the target SA is an Internet Key Exchange (IKE) SA.
  • the first message is a first session establishment request message; the fourth message is a first session establishment response message.
  • the first message also includes first indication information, and the first indication information is used to instruct the UE to request data encryption.
  • the processing unit 1402 is also configured to allocate the target security gateway to the UE before sending the second message to the target security gateway through the communication unit 1401.
  • the processing unit 1402 is specifically configured to:
  • the target security gateway is selected from at least one security gateway associated with the UPF.
  • the second message also includes the identifier of the UPF.
  • the second message also includes the Internet Protocol IP address of the UE;
  • the third message also includes the IP address of the target security gateway;
  • the fourth message contains the IP address of the target security gateway.
  • processing unit 1402 is also used to:
  • the first forwarding rule configuration information is used to instruct the UPF to map data packets transmitted through the IKE SA between the UE and the target security gateway to the first quality of service in the session of the UE.
  • the first quality of service flow may be a default quality of service flow in the session of the UE.
  • the first security parameter includes at least one of the following: the security parameter index (SPI) of the UE, the key material of the UE, the IKE SA encryption algorithm supported by the UE, or the first random number used to generate the IKE SA key;
  • the second security parameter includes at least one of the following: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithm supported by the target security gateway, or the second random number used to generate the IKE SA key.
  • the target SA is a secure processing protocol SA.
  • the first message is a first session modification request message; the fourth message is a first session modification response message; the first message also includes information about the second quality of service flow that the UE requests to establish.
  • processing unit 1402 is also used to:
  • the first message is a response message to the fifth message.
  • processing unit 1402 is also configured to: before sending the fifth message to the AMF through the communication unit 1401, perform the following steps through the communication unit 1401:
  • a first session modification request message is received from the AMF, wherein the first session modification request message contains information about the second quality of service stream requested by the UE to be established in the session of the UE.
  • processing unit 1402 is also used to:
  • the second forwarding rule configuration information is used to instruct the UPF to forward data packets from the UE received through the second QoS flow to the target security gateway.
  • the first security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the first processing entity in the UE, the authentication information of the UE, the first security processing protocol SA encryption algorithm supported by the UE, the first data flow selection rule, or the third random number used to generate the first security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the second processing entity in the target security gateway, the authentication information of the target security gateway, the first security processing protocol SA encryption algorithm supported by the target security gateway, the second data flow selection rule, or the fourth random number used to generate the first security processing protocol SA key.
  • the first message also includes a session identifier of the session of the UE; the fourth message includes the session identifier.
  • the communication device 1400 can be applied to the AMF in the embodiment shown in Figures 6-9.
  • the processing unit 1402 is configured to perform the following steps through the communication unit 1401:
  • send a first message to the SMF, wherein the first message contains the first security parameter of the UE, and the first security parameter is used to establish a security association SA between the UE and the security gateway;
  • the target SA is an Internet Key Exchange (IKE) SA.
  • the first message is a first session establishment request message; the fourth message is a first session establishment response message;
  • the processing unit 1402 is also used to:
  • a second session establishment response message is sent to the UE through the communication unit 1401.
  • the second session establishment request message contains the first security parameter
  • the second session establishment request contains the first parameter part of the first security parameter; the processing unit 1402 is also configured to: before sending the first message to the SMF through the communication unit 1401, obtain the second parameter part of the first security parameter from the unified data management network element or the authentication service function network element according to the identifier of the UE; wherein the first parameter part and the second parameter part constitute the first security parameter; or
  • the processing unit 1402 is also configured to determine the first security parameter before sending the first message to the SMF through the communication unit 1401.
  • the second session establishment response message includes part or all of the first security parameter; and/or the second session establishment response message includes part or all of the second security parameter.
  • the first message includes first indication information
  • the second session establishment request message includes the first indication information
  • the first indication information is used to instruct the UE to request data encryption.
  • the fourth message includes the Internet Protocol IP address of the target security gateway.
  • the first security parameter includes at least one of the following: the security parameter index (SPI) of the UE, the key material of the UE, the IKE SA encryption algorithm supported by the UE, or the first random number used to generate the IKE SA key;
  • the second security parameter includes at least one of the following: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithm supported by the target security gateway, or the second random number used to generate the IKE SA key.
  • the target SA is a secure processing protocol SA.
  • the first message is a first session modification request message; the fourth message is a first session modification response message;
  • the processing unit 1402 is also used to:
  • the first session modification request message and the second session modification request include information about the second quality of service stream requested by the UE to be established.
  • the second session modification request message contains the first security parameter
  • the second session modification request contains the first parameter part of the first security parameter; the processing unit 1402 is also configured to: before sending the first message to the SMF through the communication unit 1401, obtain the saved second parameter part of the first security parameter; wherein the first parameter part and the second parameter part constitute the first security parameter; or
  • the processing unit 1402 is also configured to obtain the saved first security parameter before sending the first message to the SMF through the communication unit 1401.
  • processing unit 1402 is also used to:
  • the first message is a response message to the fifth message
  • the fourth message is the first session modification response message
  • the processing unit 1402 is also used to:
  • a second session modification response message is sent to the UE through the communication unit 1401.
  • the second session modification response message contains part or all of the first security parameters; and/or,
  • the second session modification response message contains part or all of the second security parameters.
  • the first security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the first processing entity in the UE, the authentication information of the UE, the security processing protocol SA encryption algorithm supported by the UE, the first data flow selection rule, or the third random number used to generate the security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the second processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, the second data flow selection rule, or the fourth random number used to generate the security processing protocol SA key.
  • the first message also includes a session identifier of the session of the UE; the fourth message includes the session identifier.
  • processing unit 1402 is also used to:
  • the SA key is sent to the UE through the communication unit 1401.
  • the communication device 1400 can be applied to the target security gateway in the embodiment shown in Figures 6-9.
  • the processing unit 1402 is configured to perform the following steps through the communication unit 1401:
  • the second message contains the first security parameter of the UE, the first security parameter is used to establish a target security association SA between the UE and the target security gateway, and the second message is used to request the establishment of the target SA;
  • the target SA is an Internet Key Exchange (IKE) SA.
  • processing unit 1402 is also configured to: before sending the third message to the SMF through the communication unit 1401, allocate an Internet Protocol IP address to the target security gateway for the target SA;
  • the third message also includes the IP address of the target security gateway
  • the second message also includes the IP address of the UE.
  • the first security parameter includes at least one of the following: the security parameter index (SPI) of the UE, the key material of the UE, the IKE SA encryption algorithm supported by the UE, or the first random number used to generate the IKE SA key;
  • the second security parameter includes at least one of the following: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithm supported by the target security gateway, or the second random number used to generate the IKE SA key.
  • the target SA is a secure processing protocol SA.
  • the first security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the first processing entity in the UE, the authentication information of the UE, the security processing protocol SA encryption algorithm supported by the UE, the first data flow selection rule, or the third random number used to generate the security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the second processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, the second data flow selection rule, or the fourth random number used to generate the security processing protocol SA key.
  • processing unit 1402 is also used to:
  • an SA key is generated according to the first security parameter and the second security parameter.
  • the communication device 1400 may be applied to the SMF in the embodiment shown in Figure 10 or 11.
  • the processing unit 1402 is configured to perform the following steps through the communication unit 1401:
  • the second message from the target security gateway contains a first security parameter of the target security gateway, the first security parameter is used to establish the security processing protocol SA, and the second message is a response message to the first message;
  • the fourth message contains a second security parameter of the UE, the second security parameter is used to establish the security processing protocol SA, and the fourth message is a response message to the third message;
  • processing unit 1402 is also used to:
  • the subscription modification notification message contains information about the first quality of service flow requested by the unified data management network element to be established in the session of the UE;
  • the session modification request message contains information about the first quality of service stream that the UE requests to establish in the session of the UE.
  • the third message is a first session modification command message, and the third message also includes information about the first quality of service flow;
  • the fourth message is a first session modification confirmation message, and the fourth message also includes information about the first quality of service flow.
  • processing unit 1402 is also used to:
  • the first forwarding rule configuration information is used to instruct the UPF to map data packets transmitted by the target security gateway through the security processing protocol SA to the first quality of service flow.
  • the first security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the first processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, the first data flow selection rule, or the first random number used to generate the security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the second processing entity in the UE, the authentication information of the UE, the security processing protocol SA encryption algorithm supported by the UE, the second data flow selection rule, or the second random number used to generate the security processing protocol SA key.
  • the first message contains a third security parameter of the target security gateway; the first security parameter is determined based on the third security parameter.
  • the communication device 1400 may be applied to the AMF in the embodiment shown in Figure 10 or 11.
  • the processing unit 1402 is configured to perform the following steps through the communication unit 1401:
  • the third message contains a first security parameter of the target security gateway, and the first security parameter is used to establish a security processing protocol security association (SA) between the UE and the target security gateway;
  • the third message is used to request the establishment of the security processing protocol SA;
  • the fourth message contains a second security parameter of the UE, the second security parameter is used to establish the security processing protocol SA, and the fourth message is a response message to the third message.
  • the third message is a first session modification command message, and the third message also contains information about the first quality of service flow that needs to be established in the UE's session;
  • the fourth message is a first session modification confirmation message, and the fourth message also includes information about the first quality of service flow.
  • processing unit 1402 is also used to:
  • a session modification request message is sent to the SMF through the communication unit 1401, wherein the session modification request message includes information about the first quality of service flow that the UE requests to establish in the session.
  • processing unit 1402 is also used to:
  • the second session modification command message includes information about the first quality of service flow;
  • a second session modification confirmation message is received from the UE through the communication unit 1401, and the second session modification confirmation message contains the information of the first quality of service stream.
  • the second session modification command message also contains part or all of the first security parameters
  • the second session modification confirmation message also includes part or all of the second security parameter.
  • the second session modification command message also includes a fourth security parameter of the UE; the second security parameter is determined based on the fourth security parameter.
  • the first security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the first processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, the first data flow selection rule, or the first random number used to generate the security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the second processing entity in the UE, the authentication information of the UE, the security processing protocol SA encryption algorithm supported by the UE, the second data flow selection rule, or the second random number used to generate the security processing protocol SA key.
  • processing unit 1402 is also used to:
  • the secure processing protocol SA key is sent to the UE through the communication unit 1401.
  • the communication device 1400 can be applied to the target security gateway in the embodiment shown in Figure 10 or 11.
  • the processing unit 1402 is configured to perform the following steps through the communication unit 1401:
  • the second message contains the first security parameters of the target security gateway, the first security parameters are used to establish the security processing protocol SA, and the second message is a response message to the first message;
  • the fifth message contains a second security parameter of the UE, the second security parameter is used to establish the security processing protocol SA, and the fifth message is used to request the establishment of the security processing protocol SA.
  • the first message contains the third security parameter of the target security gateway; the processing unit 1402 is also used to:
  • the first security parameter is determined based on the third security parameter.
  • the first security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the first processing entity in the target security gateway, the authentication information of the target security gateway, the first security processing protocol SA encryption algorithm supported by the target security gateway, the first data flow selection rule, or the first random number used to generate the first security processing protocol SA key;
  • the second security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identity of the second processing entity in the UE, the authentication information of the UE, the first security processing protocol SA encryption algorithm supported by the UE, the second data flow selection rule, or the second random number used to generate the first security processing protocol SA key.
  • processing unit 1402 is also used to:
  • a secure processing protocol SA key is generated according to the first security parameter and the second security parameter.
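Both the IKE SA case in the Figure 6 to 9 device description (the target security gateway generates the SA key from the first and second security parameters) and the security processing protocol SA case here rest on the same exchange: each side contributes an SPI, key material, its supported encryption algorithms and a random number, the core network control plane (AMF/SMF) relays only those values, and each side derives the SA key locally. The following is an added example of that exchange, not the patent's or any product's code; it assumes the key material is a Diffie-Hellman public value in RFC 3526 group 14, HMAC-SHA256 as the pseudo-random function, and a one-block simplification of the RFC 7296 section 2.14 derivation (SKEYSEED = prf(Ni | Nr, g^ir), then one prf+ block over Ni | Nr | SPIi | SPIr). The algorithm names and the SMF relay function are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Dict, Optional, Sequence, Tuple

# RFC 3526 group 14: 2048-bit MODP modulus, generator 2 (assumed DH group).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n: int, bases: Sequence[int] = (2, 3, 5, 7, 11, 13)) -> bool:
    """Miller-Rabin with fixed bases, used to sanity-check the group modulus."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class SecurityParams:
    """The security parameters the page lists for the IKE SA case: SPI, key material
    (DH public value), supported encryption algorithms, random number for key generation."""
    spi: bytes
    key_material: int
    algorithms: Tuple[str, ...]
    nonce: bytes


def derive_sa_key(shared_secret: int, ue: SecurityParams, gw: SecurityParams) -> bytes:
    """SKEYSEED = prf(Ni | Nr, g^ir); SA key = first prf+ block over Ni | Nr | SPIi | SPIr."""
    g_ir = shared_secret.to_bytes(256, "big")
    skeyseed = hmac.new(ue.nonce + gw.nonce, g_ir, hashlib.sha256).digest()
    return hmac.new(skeyseed, ue.nonce + gw.nonce + ue.spi + gw.spi + b"\x01", hashlib.sha256).digest()


class Peer:
    """UE or target security gateway. The DH private value never leaves the peer."""

    def __init__(self, supported: Sequence[str]) -> None:
        self._private = secrets.randbelow(P - 2) + 1
        self.supported = tuple(supported)
        self.params = SecurityParams(secrets.token_bytes(8), pow(G, self._private, P),
                                     self.supported, secrets.token_bytes(32))
        self.sa_key: Optional[bytes] = None

    def shared_secret(self, peer_key_material: int) -> int:
        if not 1 < peer_key_material < P - 1:      # reject degenerate public values
            raise ValueError("invalid peer key material")
        return pow(peer_key_material, self._private, P)


class UE(Peer):
    def finish(self, third_message: SecurityParams) -> bytes:
        """The fourth message delivered the gateway's parameters: derive the SA key."""
        self.sa_key = derive_sa_key(self.shared_secret(third_message.key_material),
                                    self.params, third_message)
        return self.sa_key


class Gateway(Peer):
    def handle_second_message(self, ue_params: SecurityParams) -> SecurityParams:
        """Select the first UE-proposed algorithm we support, derive the SA key,
        and return our own parameters for the third message."""
        chosen = next((a for a in ue_params.algorithms if a in self.supported), None)
        if chosen is None:
            raise ValueError("no common SA encryption algorithm")
        self.params = replace(self.params, algorithms=(chosen,))
        self.sa_key = derive_sa_key(self.shared_secret(ue_params.key_material),
                                    ue_params, self.params)
        return self.params


def smf_relay(first_message: SecurityParams, gateway: Gateway) -> Dict[str, SecurityParams]:
    """SMF role (constructed): forward the UE's parameters in the second message and
    return the gateway's parameters from the third message. Only public values pass."""
    return {"second_message": first_message,
            "third_message": gateway.handle_second_message(first_message)}


def control_plane_negotiation(ue_algs: Sequence[str], gw_algs: Sequence[str]) -> dict:
    """Run the whole exchange; return both derived keys and the relayed messages."""
    ue, gw = UE(ue_algs), Gateway(gw_algs)
    relayed = smf_relay(ue.params, gw)
    ue.finish(relayed["third_message"])
    return {"ue_key": ue.sa_key, "gw_key": gw.sa_key,
            "chosen": relayed["third_message"].algorithms[0], "relayed": relayed}
```

The point the page makes about leakage is visible in the data the relay carries: the SMF sees SPIs, nonces, algorithm lists and DH public values, none of which yields the SA key without one side's private value, so the control plane transports the negotiation without ever holding the key.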
  • the communication device 1400 may be applied to the SMF in the embodiment shown in Figure 12 or 13.
  • the processing unit 1402 is configured to perform the following steps through the communication unit 1401:
  • the first message contains information about a first quality of service flow that needs to be established in the session of the UE;
  • send first forwarding rule configuration information to the UPF, wherein the first forwarding rule configuration information is used to instruct the UPF to forward data packets from the UE received through the first quality of service flow to the target security gateway, and/or to instruct the UPF to map data packets transmitted by the target security gateway through the security processing protocol SA to the first quality of service flow.
  • when receiving the first message through the communication unit 1401, the processing unit 1402 is specifically configured to:
  • the session modification request message contains information about the first quality of service stream that the UE requests to establish in the session of the UE.
  • when acquiring the security parameters of the security processing protocol SA established between the UE and the target security gateway, the processing unit 1402 is specifically configured to:
  • the security parameters are obtained from at least one of the following: the UE, the AMF, and the target security gateway.
  • each functional unit in each embodiment of the present application can be integrated in one processing unit, or can exist physically alone, or two or more units can be integrated in one unit.
  • the above integrated units can be implemented in the form of hardware or software functional units.
  • Integrated units may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as independent products.
  • the technical solution of the present application, in essence or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which can be a personal computer, a server, or a network device, etc.) or a processor to execute all or part of the steps of the methods of the various embodiments of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.
  • embodiments of the present application also provide a communication device, which is applied in the communication system as shown in Figure 1 or Figure 2.
  • the communication device is used to implement the communication method provided in the above embodiment and has the functions of the communication device 1400 provided in the above embodiment.
  • the communication device 1500 includes: a communication interface 1501 and a processor 1502 .
  • the communication device 1500 also includes a memory 1503.
  • the communication interface 1501, the processor 1502 and the memory 1503 are connected to each other.
  • the communication interface 1501, the processor 1502 and the memory 1503 are connected to each other through a bus 1504.
  • the bus 1504 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
  • the bus can be divided into address bus, data bus, control bus, etc. For ease of presentation, only one thick line is used in Figure 15, but it does not mean that there is only one bus or one type of bus.
  • the communication interface 1501 is used to receive and send data and implement communication with other devices in the communication system.
  • the processor 1502 may refer to the descriptions in the above embodiments, and will not be described again here.
  • the processor 1502 can be a central processing unit (CPU), a network processor (network processor, NP) or a combination of CPU and NP, etc.
  • the processor 1502 may further include hardware chips.
  • the above-mentioned hardware chip can be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD can be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (GAL) or any combination thereof.
  • the memory 1503 is used to store program instructions, etc.
  • program instructions may include program code including computer operating instructions.
  • the memory 1503 may include random access memory (RAM), and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
  • the processor 1502 executes the program instructions stored in the memory 1503 to implement the above functions, thereby implementing the method provided by the above embodiments.
  • embodiments of the present application also provide a computer program, which when the computer program is run on a computer, causes the computer to execute the method provided in the above embodiments.
  • embodiments of the present application also provide a computer-readable storage medium.
  • a computer program is stored in the computer-readable storage medium; when the computer program is run on a computer, it causes the computer to execute the method provided in the above embodiments.
  • the storage medium may be any available medium that can be accessed by the computer. By way of example and not limitation, computer-readable media may include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
  • embodiments of the present application also provide a chip, which is used to read the computer program stored in the memory and implement the method provided in the above embodiments.
  • the chip may include a processor and a memory, and the processor is configured to read the computer program stored in the memory to implement the method provided in the above embodiments.
  • the chip system includes a processor and is used to support the computer device to implement the functions involved in the terminal device in the above embodiments.
  • the chip system further includes a memory, and the memory is used to store necessary programs and data of the computer device.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the embodiments of the present application provide a communication method and device.
  • the core network control plane network element of the mobile communication system can, by interacting with the target security gateway, transfer the security parameters of the UE and of the target security gateway and thereby complete the IPSec negotiation. Because the IPSec negotiation is completed through the core network control plane, which has a high level of security, this method avoids the risk of security parameter leakage that arises from transmitting security parameters over the user plane, ensures the security of the IPSec negotiation process, and in turn ensures the security of user data or signaling subsequently transmitted through the established SA.
  • embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment that combines software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus, causing a series of operating steps to be performed on the computer or other programmable apparatus to produce computer-implemented processing, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.


Abstract

The present application provides a communication method and apparatus. In the method, a control plane network element of a core network of a mobile communication system can interact with a target security gateway to achieve transmission of security parameters of a UE and security parameters of the target security gateway, so that IPSec negotiation is completed. Because an IPSec negotiation process is completed by means of a control plane of a core network and the security of the core network is high, the method can avoid the risk of security parameter leakage caused by transmission of security parameters by a user plane, ensure the security of the IPSec negotiation process, and thus ensure the security of subsequently transmitting user data or signaling by means of established SA.

Description

A communication method and apparatus
Cross-reference to related applications
This application claims priority to the Chinese patent application filed with the China Patent Office on June 29, 2022, with application number 202210756613.2 and title "A communication method and apparatus", the entire content of which is incorporated into this application by reference.
Technical field
The present application relates to the field of communication technology, and in particular to a communication method and apparatus.
Background
The Internet Protocol Security (IPSec) protocol provides security protection at the Internet Protocol (IP) layer of a communication system, protecting sensitive data transmitted over an insecure network. Through IPSec, the two communicating parties can perform security operations such as encryption and data-origin authentication at the IP layer to ensure the confidentiality, integrity, data-origin authentication and anti-replay protection of packets during network transmission.
IPSec is a protocol suite comprising two security processing protocols and one key exchange protocol. The security processing protocols are the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol; the key exchange protocol is the Internet Key Exchange (IKE) protocol.
The security association (SA) is the foundation of IPSec. An SA is an agreement negotiated between two communicating entities, a logical connection created for the purpose of secure transmission. All traffic passing through the same SA receives the same level of security protection; the SA determines the specific IPSec protocol used for protection, the keys, the key lifetime, and so on. In the IPSec protocol suite, each security processing protocol (AH and ESP) requires a corresponding SA (hereinafter AH SA and ESP SA) to be created, and the IKE protocol likewise requires a corresponding SA (IKE SA). Note that except for the IKE SA, which is a bidirectional logical connection, AH SAs and ESP SAs are unidirectional. That is, when both parties use the same security processing protocol to send data to each other, they must establish a separate SA of that protocol for each data transmission direction.
In a mobile communication system, to secure the transmission of a terminal device's user plane data, a security gateway is deployed between the user plane function (UPF) network element and the data network (DN). End-to-end data security protection at the IP layer can then be achieved between the terminal device and the security gateway through the IPSec protocol.
At present, the terminal device and the security gateway perform the IPSec negotiation process through user plane operations in order to create and maintain IPSec SAs and thereby realize the IPSec security mechanism. However, user plane operations may introduce new security risks, such as leakage of the security parameters used to create the IPSec SAs.
Summary of the invention
The present application provides a communication method and apparatus for ensuring the security of the IPSec negotiation process in a scenario where a mobile communication system implements security protection through the IPSec protocol.
In a first aspect, an embodiment of the present application provides a communication method, which can be applied to a session management function network element. The method includes the following steps:
receiving a first message from an access and mobility management function network element, where the first message contains a first security parameter of a terminal device, and the first security parameter is used to establish a security association (SA) between the terminal device and a security gateway; sending a second message to a target security gateway, where the second message contains the first security parameter and is used to request establishment of a target SA between the terminal device and the target security gateway; receiving a third message from the target security gateway, where the third message contains a second security parameter of the target security gateway, the second security parameter is used to establish the target SA, and the third message is a response to the second message; and sending a fourth message to the access and mobility management function network element, where the fourth message contains the second security parameter.
Through this method, a core network control plane network element of the mobile communication system can, by interacting with the target security gateway, transfer the security parameters of the UE and of the target security gateway and thereby complete the IPSec negotiation. Because the IPSec negotiation is completed through the core network control plane, which has a high level of security, the method avoids the risk of security parameter leakage that arises from transmitting security parameters over the user plane, ensures the security of the IPSec negotiation process, and in turn ensures the security of user data or signaling subsequently transmitted through the established SA.
In a possible design, the target SA is an Internet key exchange (IKE) SA.
In a possible design, the first message is a first session establishment request message, and the fourth message is a first session establishment response message.
Through this design, the core network control plane network element can establish the IKE SA during the session establishment procedure.
In a possible design, the first message further contains first indication information, which indicates that the terminal device requests data encryption.
Through this design, the session management function network element can perform the IPSec negotiation process for the terminal device according to the first indication information.
In a possible design, before sending the second message to the target security gateway, the session management function network element may further allocate the target security gateway to the terminal device so that the IKE SA can be established.
In a possible design, the session management function network element can allocate the target security gateway to the terminal device through the following steps:
allocating a user plane function network element to the terminal device, and selecting the target security gateway from at least one security gateway associated with the user plane function network element. For example, the session management function network element may select the target security gateway based on information such as the load and physical location of the at least one security gateway.
Through this design, the target security gateway allocated to the terminal device is guaranteed to be associated with the terminal device's user plane function network element, which in turn guarantees that packets subsequently transmitted between the target security gateway and the terminal device through the IPSec child SA can reuse the terminal device's session for transport within the mobile communication system.
In a possible design, the second message further contains an identifier of the user plane function network element.
In a possible design, the session management function network element or the user plane function network element may further assign an IP address to the terminal device; on this basis, the second message may further contain the IP address of the terminal device, the third message may further contain the IP address of the target security gateway, and the fourth message may contain the IP address of the target security gateway.
In a possible design, after receiving the third message from the security gateway, the session management function network element may further send first forwarding rule configuration information to the user plane function network element;
where the first forwarding rule configuration information instructs the user plane function network element to map the packets transmitted between the terminal device and the target security gateway through the IKE SA onto a first quality of service flow in the terminal device's session. Optionally, the first quality of service flow may be the default quality of service flow of the terminal device's session.
Through this design, the terminal device's session can be reused within the mobile communication system to carry the packets transmitted between the terminal device and the target security gateway through the IKE SA.
In a possible design, the first security parameter contains at least one of the following: a security parameter index (SPI) of the terminal device, key material of the terminal device, an IKE SA encryption algorithm supported by the terminal device, or a first random number used to generate an IKE SA key;
and the second security parameter contains at least one of the following: an SPI of the target security gateway, key material of the target security gateway, an IKE SA encryption algorithm supported by the target security gateway, or a second random number used to generate the IKE SA key.
In a possible design, the target SA is a security processing protocol SA.
In a possible design, the first message is a first session modification request message, the fourth message is a first session modification response message, and the first message further contains information about a second quality of service flow that the terminal device requests to establish.
Through this design, the core network control plane network element can establish the security processing protocol SA while creating a QoS flow during the session modification procedure.
In a possible design, before receiving the first message from the access and mobility management function network element, the session management function network element may further send a fifth message to the access and mobility management function network element, the fifth message being used to request the first security parameter;
and the first message is a response to the fifth message.
Through this design, the session management function network element can request the first security parameter from the access and mobility management function network element.
In a possible design, the session management function network element can be triggered to send the fifth message to the access and mobility management function network element by any of the following:
receiving a policy modification notification message from a policy control function network element, where the policy modification notification message contains information about a second quality of service flow that the policy control function network element requests to establish in the terminal device's session; or
receiving a subscription modification notification message from a unified data management network element, where the subscription modification notification message contains information about a second quality of service flow that the unified data management network element requests to establish in the terminal device's session; or
receiving a first session modification request message from the access and mobility management function network element, where the first session modification request message contains information about a second quality of service flow that the terminal device requests to establish in its session.
Through this design, after receiving a policy modification notification message, a subscription modification notification message or a session modification request message, the session management function network element can decide to establish the second quality of service flow, which triggers the request for the first security parameter from the access and mobility management function network element.
In a possible design, after receiving the third message from the target security gateway, the session management function network element may further create the second quality of service flow according to the information about the second quality of service flow, and send second forwarding rule configuration information to the user plane function network element, where the second forwarding rule configuration information instructs the user plane function network element to forward the packets received from the terminal device through the second QoS flow to the target security gateway.
Through this design, the user plane function network element can map the packets transmitted by the terminal device through the second QoS flow onto the security processing protocol SA, so that it can transmit those packets to the target security gateway; that is, the security processing protocol SA is bound to the second quality of service flow.
In a possible design, the first security parameter contains at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, an identifier of a first processing entity in the terminal device, authentication information of the terminal device, a first security processing protocol SA encryption algorithm supported by the terminal device, a first data flow selection rule, or a third random number used to generate a first security processing protocol SA key;
and the second security parameter contains at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, an identifier of a second processing entity in the target security gateway, authentication information of the target security gateway, a first security processing protocol SA encryption algorithm supported by the target security gateway, a second data flow selection rule, or a fourth random number used to generate the first security processing protocol SA key.
In a possible design, the first message further contains a session identifier of the terminal device's session, and the fourth message contains the session identifier.
In a second aspect, an embodiment of the present application provides a communication method, which can be applied to an access and mobility management function network element. The method may include the following steps:
sending a first message to a session management function network element, where the first message contains a first security parameter of a terminal device, and the first security parameter is used to establish a security association (SA) between the terminal device and a security gateway; and
receiving a fourth message from the session management function network element, where the fourth message contains a second security parameter of a target security gateway, and the second security parameter is used to establish a target SA between the terminal device and the target security gateway.
Through this method, the control plane network elements of the mobile communication system can transfer the security parameters through their interaction and thereby realize the IPSec negotiation.
In a possible design, the target SA is an Internet key exchange (IKE) SA.
In a possible design, the first message is a first session establishment request message and the fourth message is a first session establishment response message; before sending the first message to the session management function network element, the access and mobility management function network element may further receive a second session establishment request message from the terminal device; and after receiving the fourth message from the session management function network element, the access and mobility management function network element may further send a second session establishment response message to the terminal device.
Through this design, the core network control plane network element can establish the IKE SA during the session establishment procedure.
In a possible design, the access and mobility management function network element can obtain the first security parameter in any of the following ways:
Way 1: the second session establishment request message contains the first security parameter;
Way 2: the second session establishment request contains a first parameter part of the first security parameter; before sending the first message to the session management function network element, the access and mobility management function network element may further obtain a second parameter part of the first security parameter from a unified data management network element or an authentication server function network element according to the identifier of the terminal device, where the first parameter part and the second parameter part together make up the first security parameter;
Way 3: before sending the first message to the session management function network element, the access and mobility management function network element may further determine the first security parameter itself.
In a possible design, the second session establishment response message contains part or all of the first security parameter, and/or the second session establishment response message contains part or all of the second security parameter.
In a possible design, the first message contains first indication information and the second session establishment request message contains the first indication information, the first indication information indicating that the terminal device requests data encryption.
In a possible design, the fourth message contains the Internet Protocol (IP) address of the target security gateway.
In a possible design, the first security parameter contains at least one of the following: a security parameter index (SPI) of the terminal device, key material of the terminal device, an IKE SA encryption algorithm supported by the terminal device, or a first random number used to generate an IKE SA key;
and the second security parameter contains at least one of the following: an SPI of the target security gateway, key material of the target security gateway, an IKE SA encryption algorithm supported by the target security gateway, or a second random number used to generate the IKE SA key.
In a possible design, the target SA is a security processing protocol SA.
In a possible design, the first message is a first session modification request message and the fourth message is a first session modification response message; before sending the first message to the session management function network element, the access and mobility management function network element may further receive a second session modification request message from the terminal device; after receiving the fourth message from the session management function network element, the access and mobility management function network element may further send a second session modification response message to the terminal device; and the first session modification request message and the second session modification request contain information about a second quality of service flow that the terminal device requests to establish.
Through this design, the core network control plane network element can establish the security processing protocol SA while creating a quality of service flow during the session modification procedure.
In a possible design, the access and mobility management function network element can obtain the first security parameter in any of the following ways:
Way 1: the second session modification request message contains the first security parameter;
Way 2: the second session modification request contains a first parameter part of the first security parameter; before sending the first message to the session management function network element, the access and mobility management function network element may further retrieve a stored second parameter part of the first security parameter, where the first parameter part and the second parameter part together make up the first security parameter;
Way 3: before sending the first message to the session management function network element, the access and mobility management function network element may further retrieve the stored first security parameter.
In a possible design, the access and mobility management function network element may further receive a fifth message from the session management function network element, the fifth message being used to request the first security parameter; the first message is a response to the fifth message; the fourth message is a first session modification response message; and after receiving the fourth message from the session management function network element, the access and mobility management function network element may further send a second session modification response message to the terminal device.
Through this design, the access and mobility management function network element can send the first security parameter to the session management function network element when the latter requests it.
In a possible design, the second session modification response message contains part or all of the first security parameter, and/or the second session modification response message contains part or all of the second security parameter.
在一种可能的设计中,所述第一安全参数包含以下至少一项:所述终端设备的SPI, 所述目标安全网关的SPI,所述终端设备中的第一处理实体的标识,所述终端设备的鉴权信息,所述终端设备支持的安全处理协议SA加密算法,第一数据流选择规则,或者用于生成安全处理协议SA密钥的第三随机数;In a possible design, the first security parameter includes at least one of the following: SPI of the terminal device, The SPI of the target security gateway, the identification of the first processing entity in the terminal device, the authentication information of the terminal device, the security processing protocol SA encryption algorithm supported by the terminal device, and the first data flow selection rule, or a third random number used to generate the secure processing protocol SA key;
所述第二安全参数包含以下至少一项:所述终端设备的SPI,所述目标安全网关的SPI,所述目标安全网关中第二处理实体的标识,所述目标安全网关的鉴权信息,所述目标安全网关支持的安全处理协议SA加密算法,第二数据流选择规则,或者用于生成安全处理协议SA密钥的第四随机数。The second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identification of the second processing entity in the target security gateway, the authentication information of the target security gateway, The security processing protocol SA encryption algorithm supported by the target security gateway, the second data flow selection rule, or the fourth random number used to generate the security processing protocol SA key.
在一种可能的设计中,所述第一消息中还包含所述终端设备的会话的会话标识;所述第四消息中包含所述会话标识。In a possible design, the first message also includes a session identifier of the session of the terminal device; and the fourth message includes the session identifier.
在一种可能的设计中,在接收来自所述会话管理功能网元的第四消息之后,所述接入和移动性管理功能网元还可以根据所述第一安全参数、所述第二安全参数,生成SA密钥;并向所述终端设备发送所述SA密钥。In a possible design, after receiving the fourth message from the session management function network element, the access and mobility management function network element may also use the first security parameter, the second security parameter parameters, generate an SA key; and send the SA key to the terminal device.
通过该设计,所述终端设备可以使用所述SA密钥对通过所述目标SA传输的数据包进行安全保护。Through this design, the terminal device can use the SA key to securely protect the data packets transmitted through the target SA.
In a third aspect, an embodiment of this application further provides a communication method, which can be applied to a target security gateway. The method may include the following steps:
receiving a second message from a session management function network element, where the second message contains a first security parameter of a terminal device, the first security parameter is used to establish a target security association SA between the terminal device and the target security gateway, and the second message is used to request establishment of the target SA; and sending a third message to the session management function network element, where the third message contains a second security parameter of the target security gateway, the second security parameter is used to establish the target SA, and the third message is a response message to the second message.
With this method, the core network control plane network elements of the mobile communication system can, by interacting with the target security gateway, deliver the security parameters of the UE and of the target security gateway and thereby complete the IPSec negotiation. Because the IPSec negotiation is carried out over the core network control plane, and the core network offers relatively high security, the method avoids the risk of security parameters being leaked when they are transmitted over the user plane, protects the IPSec negotiation process, and in turn protects the user data or signalling subsequently transmitted over the established SA.
In a possible design, the target SA is an Internet key exchange IKE SA.
In a possible design, before sending the third message to the session management function network element, the target security gateway may further allocate an Internet protocol IP address to the target security gateway for the target SA; the third message further contains the IP address of the target security gateway; and the second message further contains the IP address of the terminal device.
In a possible design, the first security parameter includes at least one of the following: the security parameter index SPI of the terminal device, the key material of the terminal device, the IKE SA encryption algorithms supported by the terminal device, or a first random number used to generate the IKE SA key;
the second security parameter includes at least one of the following: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithms supported by the target security gateway, or a second random number used to generate the IKE SA key.
In a possible design, the target SA is a security processing protocol SA.
In a possible design, the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a first processing entity in the terminal device, the authentication information of the terminal device, the security processing protocol SA encryption algorithms supported by the terminal device, a first data flow selection rule, or a third random number used to generate the security processing protocol SA key;
the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a second processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithms supported by the target security gateway, a second data flow selection rule, or a fourth random number used to generate the security processing protocol SA key.
In a possible design, after receiving the second message from the session management function network element, the target security gateway may further generate an SA key based on the first security parameter and the second security parameter.
With this design, the target security gateway can use the SA key to protect the data packets transmitted through the target SA.
In a fourth aspect, an embodiment of this application provides a communication method, which can be applied to a session management function network element. The method may include the following steps:
sending a first message to a target security gateway, where the first message is used to request establishment of a security processing protocol security association SA between a terminal device and the target security gateway; receiving a second message from the target security gateway, where the second message contains a first security parameter of the target security gateway, the first security parameter is used to establish the security processing protocol SA, and the second message is a response message to the first message; sending a third message to an access and mobility management function network element, where the third message contains the first security parameter and is used to request establishment of the security processing protocol SA; receiving a fourth message sent by the access and mobility management function network element, where the fourth message contains a second security parameter of the terminal device, the second security parameter is used to establish the security processing protocol SA, and the fourth message is a response message to the third message; and sending a fifth message to the target security gateway, where the fifth message contains the second security parameter of the terminal device and is used to request establishment of the security processing protocol SA.
With this method, the core network control plane network elements of the mobile communication system can, by interacting with the target security gateway, deliver the security parameters of the UE and of the target security gateway and thereby complete the IPSec negotiation. Because the IPSec negotiation is carried out over the core network control plane, and the core network offers relatively high security, the method avoids the risk of security parameters being leaked when they are transmitted over the user plane, protects the IPSec negotiation process, and in turn protects the user data or signalling subsequently transmitted over the established SA.
In a possible design, the session management function network element may be triggered to send the first message to the target security gateway by the following steps:
receiving a policy modification notification message from a policy control function network element, where the policy modification notification message contains information about a first quality of service flow that the policy control function network element requests to establish in the session of the terminal device; or
receiving a subscription modification notification message from a unified data management network element, where the subscription modification notification message contains information about a first quality of service flow that the unified data management network element requests to establish in the session of the terminal device; or
receiving a session modification request message from the access and mobility management function network element, where the session modification request message contains information about a first quality of service flow that the terminal device requests to establish in its session.
After receiving the policy modification notification message, the subscription modification notification message or the session modification request message, the session management function network element may decide to establish the first quality of service flow, which in turn triggers the request to the target security gateway for the first security parameter.
In a possible design, the third message is a first session modification command message and further contains the information about the first quality of service flow; the fourth message is a first session modification confirmation message and further contains the information about the first quality of service flow.
In a possible design, the session management function network element may further create the first quality of service flow based on the information about the first quality of service flow, and send first forwarding rule configuration information to a user plane function network element;
where the first forwarding rule configuration information is used to instruct the user plane function network element to map the data packets transmitted by the target security gateway through the security processing protocol SA onto the first quality of service flow.
With this design, the mobile communication system couples the security processing protocol SA with the quality of service flow in the session, ensuring that the data flow in the security processing protocol SA is carried over the corresponding quality of service flow and thus that the QoS requirements of the service are met.
In a possible design, the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a first processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithms supported by the target security gateway, a first data flow selection rule, or a first random number used to generate the security processing protocol SA key;
the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a second processing entity in the terminal device, the authentication information of the terminal device, the security processing protocol SA encryption algorithms supported by the terminal device, a second data flow selection rule, or a second random number used to generate the security processing protocol SA key.
In a possible design, the first message contains a third security parameter of the target security gateway, and the first security parameter is determined based on the third security parameter.
In a fifth aspect, an embodiment of this application further provides a communication method, which can be applied to an access and mobility management function network element. The method may include the following steps:
receiving a third message from a session management function network element, where the third message contains a first security parameter of a target security gateway, the first security parameter is used to establish a security processing protocol security association SA between a terminal device and the target security gateway, and the third message is used to request establishment of the security processing protocol SA; and sending a fourth message to the session management function network element, where the fourth message contains a second security parameter of the terminal device, the second security parameter is used to establish the security processing protocol SA, and the fourth message is a response message to the third message.
With this method, the control plane network elements of the mobile communication system can deliver the security parameters through their interaction and complete the IPSec negotiation.
In a possible design, the third message is a first session modification command message and further contains information about a first quality of service flow that needs to be established in the session of the terminal device; the fourth message is a first session modification confirmation message and further contains the information about the first quality of service flow.
With this design, the core network control plane network elements can establish the security processing protocol SA through the session modification procedure, while the quality of service flow is being created.
In a possible design, before receiving the third message from the session management function network element, the access and mobility management function network element may further send a session modification request message to the session management function network element, where the session modification request message contains information about the first quality of service flow that the terminal device requests to establish in its session.
In a possible design, before sending the fourth message to the session management function network element, the access and mobility management function network element may further send a second session modification command message to the terminal device, where the second session modification command contains the information about the first quality of service flow; and receive a second session modification confirmation message from the terminal device, where the second session modification confirmation message contains the information about the first quality of service flow.
In a possible design, the second session modification command message further contains part or all of the first security parameter; and/or the second session modification confirmation message further contains part or all of the second security parameter.
In a possible design, the second session modification command message further contains a fourth security parameter of the terminal device, and the second security parameter is determined based on the fourth security parameter.
In a possible design, the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a first processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithms supported by the target security gateway, a first data flow selection rule, or a first random number used to generate the security processing protocol SA key;
the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a second processing entity in the terminal device, the authentication information of the terminal device, the security processing protocol SA encryption algorithms supported by the terminal device, a second data flow selection rule, or a second random number used to generate the security processing protocol SA key.
In a possible design, the access and mobility management function network element may further generate a security processing protocol SA key based on the first security parameter and the second security parameter, and send the security processing protocol SA key to the terminal device.
With this design, the terminal device can use the security processing protocol SA key to protect the data packets transmitted through the security processing protocol SA.
In a sixth aspect, an embodiment of this application provides a communication method, which can be applied to a target security gateway. The method may include the following steps:
receiving a first message from a session management function network element, where the first message is used to request establishment of a security processing protocol SA between a terminal device and the target security gateway; sending a second message to the session management function network element, where the second message contains a first security parameter of the target security gateway, the first security parameter is used to establish the security processing protocol SA, and the second message is a response message to the first message; and receiving a fifth message from the session management function network element, where the fifth message contains a second security parameter of the terminal device, the second security parameter is used to establish the security processing protocol SA, and the fifth message is used to request establishment of the security processing protocol SA.
With this method, the core network control plane network elements of the mobile communication system can, by interacting with the target security gateway, deliver the security parameters of the UE and of the target security gateway and thereby complete the IPSec negotiation. Because the IPSec negotiation is carried out over the core network control plane, and the core network offers relatively high security, the method avoids the risk of security parameters being leaked when they are transmitted over the user plane, protects the IPSec negotiation process, and in turn protects the user data or signalling subsequently transmitted over the established SA.
In a possible design, the first message contains a third security parameter of the target security gateway; before sending the second message to the session management function network element, the target security gateway may further determine the first security parameter based on the third security parameter.
In a possible design, the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a first processing entity in the target security gateway, the authentication information of the target security gateway, the first security processing protocol SA encryption algorithms supported by the target security gateway, a first data flow selection rule, or a first random number used to generate the first security processing protocol SA key;
the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a second processing entity in the terminal device, the authentication information of the terminal device, the first security processing protocol SA encryption algorithms supported by the terminal device, a second data flow selection rule, or a second random number used to generate the first security processing protocol SA key.
In a possible design, after receiving the fifth message from the session management function network element, the target security gateway may further generate a security processing protocol SA key based on the first security parameter and the second security parameter.
With this design, the target security gateway can use the security processing protocol SA key to protect the data packets transmitted through the security processing protocol SA.
In a seventh aspect, an embodiment of this application provides a communication method, which can be applied to a session management function network element. The method may include the following steps:
receiving a first message, where the first message contains information about a first quality of service flow that needs to be established in a session of a terminal device; creating the first quality of service flow based on the information about the first quality of service flow; obtaining the security parameters of a security processing protocol SA established between the terminal device and a target security gateway; and sending first forwarding rule configuration information to a user plane function network element, where the first forwarding rule configuration information is used to instruct the user plane function network element to forward the data packets received from the terminal device through the first quality of service flow to the target security gateway, and/or to map the data packets transmitted by the target security gateway through the security processing protocol SA onto the first quality of service flow.
With this method, after the security processing protocol SA has been established between the terminal device and the target security gateway, the core network control plane network element can bind the security processing protocol SA to the quality of service flow in the session of the terminal device. The terminal device and the target security gateway can then transmit the terminal device's service data packets through the security processing protocol SA within the first QoS flow on the user plane.
In a possible design, the session management function network element may receive the first message in any of the following manners:
Manner 1: receiving a policy modification notification message from a policy control function network element, where the policy modification notification message contains information about the first quality of service flow that the policy control function network element requests to establish in the session of the terminal device;
Manner 2: receiving a subscription modification notification message from a unified data management network element, where the subscription modification notification message contains information about the first quality of service flow that the unified data management network element requests to establish in the session of the terminal device;
Manner 3: receiving a session modification request message from an access and mobility management function network element, where the session modification request message contains information about the first quality of service flow that the terminal device requests to establish in its session.
In a possible design, the session management function network element may obtain the security parameters of the security processing protocol SA established between the terminal device and the target security gateway in, but not limited to, the following manners:
Manner 1: obtaining the security parameters from the first message;
Manner 2: obtaining the security parameters from at least one of the following: the terminal device, the access and mobility management function network element, or the target security gateway.
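The control-plane exchange of the fourth to seventh aspects, as an added Python model that is not part of the patent and not code from the applicant: the five messages between the session management function (SMF), the target security gateway and the access and mobility management function (AMF), the selection of a common SA encryption algorithm, the generation of the SA key from both parameter sets at each end, and the forwarding rule the SMF installs at the user plane function (UPF) to map the gateway's SA packets onto the QoS flow. The key derivation (HMAC-SHA256 over both random numbers, both SPIs and the chosen algorithm), the message field names, the class names and all parameter values are assumptions made for the illustration; the page states only that the SA key is generated from the first and second security parameters and does not specify a derivation.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SecurityParams:
    """One endpoint's SA parameters, following the items the page lists."""
    spi: int                     # security parameter index
    entity_id: str               # identifier of the processing entity
    auth_info: bytes             # authentication information
    algorithms: Tuple[str, ...]  # supported SA encryption algorithms, preference order
    flow_selector: str           # data flow selection rule
    nonce: bytes                 # random number contributed to key generation


def select_algorithm(ue_algs: Tuple[str, ...], seg_algs: Tuple[str, ...]) -> Optional[str]:
    """First algorithm in the UE's preference list that the gateway also supports."""
    for alg in ue_algs:
        if alg in seg_algs:
            return alg
    return None


def derive_sa_key(ue: SecurityParams, seg: SecurityParams, algorithm: str) -> bytes:
    """ASSUMED key derivation: the page only states that the SA key is generated from
    the first and second security parameters. Both endpoints run this over the same
    inputs (both nonces, both SPIs, the chosen algorithm), so they obtain the same key."""
    ikm = ue.nonce + seg.nonce
    info = b"|".join([ue.spi.to_bytes(4, "big"), seg.spi.to_bytes(4, "big"), algorithm.encode()])
    return hmac.new(ikm, info, hashlib.sha256).digest()


class SecurityGateway:
    """Target security gateway (sixth aspect): answers message 1, consumes message 5."""
    def __init__(self, params: SecurityParams):
        self.params = params
        self.sa_key: Optional[bytes] = None

    def on_msg1(self, msg1: dict) -> dict:
        # Message 1 requests SA establishment; message 2 returns the gateway's parameters.
        if msg1["type"] != "msg1_establish_sa":
            raise ValueError("unexpected message")
        return {"type": "msg2_response", "session_id": msg1["session_id"], "seg_params": self.params}

    def on_msg5(self, msg5: dict) -> str:
        # Message 5 carries the UE parameters; only now can the gateway derive the SA key.
        alg = select_algorithm(msg5["ue_params"].algorithms, self.params.algorithms)
        if alg is None:
            raise ValueError("no common SA encryption algorithm")
        self.sa_key = derive_sa_key(msg5["ue_params"], self.params, alg)
        return alg


class Amf:
    """AMF (fifth aspect) together with the UE it serves: the second session modification
    command/confirm exchange with the UE is collapsed into the stored UE parameters."""
    def __init__(self, ue_params: SecurityParams):
        self.ue_params = ue_params
        self.sa_key: Optional[bytes] = None

    def on_msg3(self, msg3: dict) -> dict:
        # Message 3 (first session modification command) carries the gateway parameters and
        # the QoS flow; message 4 (first session modification confirm) returns the UE parameters.
        seg = msg3["seg_params"]
        alg = select_algorithm(self.ue_params.algorithms, seg.algorithms)
        if alg is None:
            raise ValueError("no common SA encryption algorithm")
        self.sa_key = derive_sa_key(self.ue_params, seg, alg)  # would be sent on to the UE
        return {"type": "msg4_confirm", "session_id": msg3["session_id"],
                "qfi": msg3["qfi"], "ue_params": self.ue_params}


class Smf:
    """SMF (fourth and seventh aspects): drives the exchange and programs the UPF."""
    def __init__(self):
        self.upf_rules: Dict[int, int] = {}  # forwarding rules: gateway SPI -> QoS flow id

    def establish_sa(self, seg: SecurityGateway, amf: Amf, session_id: int, qfi: int) -> str:
        msg2 = seg.on_msg1({"type": "msg1_establish_sa", "session_id": session_id})
        msg4 = amf.on_msg3({"type": "msg3_session_mod_cmd", "session_id": session_id,
                            "qfi": qfi, "seg_params": msg2["seg_params"]})
        alg = seg.on_msg5({"type": "msg5_establish_sa", "session_id": session_id,
                           "ue_params": msg4["ue_params"]})
        # Bind the SA to the QoS flow: packets the gateway sends under this SPI map to qfi.
        self.upf_rules[msg2["seg_params"].spi] = qfi
        return alg


def upf_map_packet(rules: Dict[int, int], spi: int) -> Optional[int]:
    """UPF side: map an inbound SA packet, identified by its SPI, to a QoS flow; None if unmapped."""
    return rules.get(spi)


def run_exchange(ue_algs=("AES-GCM-256", "AES-CBC-128"), seg_algs=("AES-CBC-128", "AES-GCM-256")):
    """Run the full exchange with constructed parameters; returns (algorithm, keys_match, rules)."""
    ue = SecurityParams(0x1001, "ue-entity-1", b"ue-auth", ue_algs, "dst 10.0.0.0/24", b"\x11" * 32)
    seg = SecurityParams(0x2002, "seg-entity-1", b"seg-auth", seg_algs, "src 10.0.0.0/24", b"\x22" * 32)
    gw, amf, smf = SecurityGateway(seg), Amf(ue), Smf()
    alg = smf.establish_sa(gw, amf, session_id=7, qfi=5)
    return alg, gw.sa_key == amf.sa_key, smf.upf_rules


if __name__ == "__main__":
    print(run_exchange())
```

Two design points follow the text rather than convenience: the gateway derives its key only when message 5 arrives (it has nothing to derive from after message 2), while the AMF can derive as soon as message 3 delivers the gateway parameters, because it already holds the UE's; and a packet whose SPI has no installed rule is left unmapped rather than dropped onto a default flow, so a missing or stale forwarding rule shows up as an explicit `None` instead of silently degrading the QoS binding.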
In an eighth aspect, an embodiment of this application provides a communication apparatus, including units for performing each of the steps in the first to seventh aspects above.
In a ninth aspect, an embodiment of this application provides a communication device, including at least one processing element and at least one storage element, where the at least one storage element is used to store programs and data, and the at least one processing element is used to execute the methods provided in the first to seventh aspects of this application.
In a tenth aspect, an embodiment of this application further provides a computer program which, when run on a computer, causes the computer to execute the method provided in any of the above aspects.
In an eleventh aspect, an embodiment of this application further provides a computer-readable storage medium storing a computer program which, when executed by a computer, causes the computer to execute the method provided in any of the above aspects.
In a twelfth aspect, an embodiment of this application further provides a chip, which is used to read a computer program stored in a memory and execute the method provided in any of the above aspects. Optionally, the chip may include a processor and a memory, where the processor is used to read the computer program stored in the memory and implement the methods provided in the above embodiments.
In a thirteenth aspect, an embodiment of this application further provides a chip system, which includes a processor and is used to support a computer apparatus in implementing the method provided in any of the above aspects. In a possible design, the chip system further includes a memory, which is used to hold the programs and data the computer apparatus needs. The chip system may consist of chips, or may include chips together with other discrete components.
Description of drawings
Figure 1 is a schematic architectural diagram of a communication system provided by an embodiment of the present application;
Figure 2 is a schematic architectural diagram of another communication system provided by an embodiment of the present application;
Figure 3 is a schematic diagram of the current procedure for establishing an IKE SA and an IP sub-SA;
Figure 4 is a schematic diagram of the protocol stack in a communication system supporting the IPSec protocol, provided by an embodiment of the present application;
Figure 5 is a schematic diagram of an encapsulation mode for data packets under the IPSec protocol, provided by an embodiment of the present application;
Figure 6 is a flow chart of a communication method provided by an embodiment of the present application;
Figure 7 is a flow chart of a communication method provided by an embodiment of the present application;
Figure 8 is a flow chart of a communication method provided by an embodiment of the present application;
Figure 9 is a flow chart of a communication method provided by an embodiment of the present application;
Figure 10 is a flow chart of a communication method provided by an embodiment of the present application;
Figure 11 is a flow chart of a communication method provided by an embodiment of the present application;
Figure 12 is a flow chart of a communication method provided by an embodiment of the present application;
Figure 13 is a flow chart of a communication method provided by an embodiment of the present application;
Figure 14 is a structural diagram of a communication apparatus provided by an embodiment of the present application;
Figure 15 is a structural diagram of a communication device provided by an embodiment of the present application.
Detailed description of the embodiments
This application provides a communication method and apparatus for ensuring the security of the IPSec negotiation procedure in scenarios where a mobile communication system implements security protection through the IPSec protocol. The method and the apparatus are based on the same technical concept; since the principles by which they solve the problem are similar, the implementations of the apparatus and of the method may be referred to each other, and repeated details are not described again.
Some terms used in this application are explained below to facilitate understanding by those skilled in the art.
1) Base station: a device in a communication system that connects terminal devices to the wireless network. As a node in the radio access network, a base station may also be called a network device, a radio access network (RAN) node (or device), an access network (AN) node (or device), or an access point (AP).
At present, some examples of base stations are: next-generation Node B (gNB), transmission reception point (TRP), evolved Node B (eNB), radio network controller (RNC), Node B (NB), access point (AP), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved NodeB or home Node B, HNB), baseband unit (BBU), Enterprise LTE Discrete Spectrum Aggregation (eLTE-DSA) base station, and so on.
In addition, in one network architecture, a base station may include a centralized unit (CU) node and a distributed unit (DU) node. This architecture splits the protocol layers of the base station: the functions of some protocol layers are placed in the CU for centralized control, while the functions of the remaining (or all) protocol layers are distributed in the DU, with the CU centrally controlling the DU.
2) Terminal device: a device that provides voice and/or data connectivity to users and can access a base station through the Uu interface. A terminal device may also be called user equipment (UE), a mobile station (MS), a mobile terminal (MT), and so on. In the following embodiments, the terminal device is referred to simply as UE.
For example, the terminal device may be a handheld device with a wireless connection function, any of various vehicle-mounted devices, a roadside unit, etc. At present, some examples of terminal devices are: mobile phones, tablet computers, laptop computers, handheld computers, mobile internet devices (MID), smart point-of-sale (POS) terminals, wearable devices, virtual reality (VR) devices, augmented reality (AR) devices, wireless terminals in industrial control, wireless terminals in self-driving, wireless terminals in remote medical surgery, wireless terminals in the smart grid, wireless terminals in transportation safety, wireless terminals in the smart city, wireless terminals in the smart home, various smart meters (smart water meters, smart electricity meters, smart gas meters), vehicle-mounted electronic control units (ECU), vehicle-mounted computers, vehicle-mounted cruise systems, telematics boxes (T-BOX), and so on.
3) Session of a terminal device: a connection established by the mobile communication system for a single terminal device between that terminal device, the base station, the user plane function (UPF) and the data network (DN), used to transmit user plane data between the terminal device and the DN. For example, the session involved in this application may be a protocol data unit (PDU) session.
A session of a terminal device comprises the radio bearer between the terminal device and the base station, the transmission tunnel between the base station and the UPF, and the transmission tunnel between the UPF and the DN. In short, a session of a terminal device is a dedicated communication connection for that terminal device.
It should be noted that a terminal device may establish one or more sessions with the mobile communication system, and one or more quality of service (QoS) flows may be established in any session. Each QoS flow corresponds to one or more services and is used to transmit the service data of services having the same QoS requirements. Between the terminal device and the base station, at least one QoS flow in a session corresponds to one radio bearer (RB), and the service data of that at least one QoS flow is transmitted through that RB. In the mobile communication system, every data packet (service flow) transmitted between the terminal device and the DN through a session needs to be mapped to a QoS flow for transmission.
A QoS flow in a session may be identified by a QoS flow identifier (QFI). It should be noted that one or more QFIs may be set for the same QoS flow. For example, a certain QoS flow may be identified by a first QFI in the uplink direction and by a second QFI in the downlink direction.
It should be noted that a session of a terminal device may include a default QoS flow, which may be created when the session is created. The default QoS flow of a session may carry the session's data packets when no QoS flow has been established in that session for a specific service, or may carry a data packet when the QoS flow corresponding to that packet cannot be determined.
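Mapping a session's packets to QoS flows as described above, as an added example that is not part of the patent text: each flow carries a per-direction QFI and is bound to one RB, and a packet that matches no service filter (or whose flow cannot be determined) falls back to the default QoS flow. The filters, QFI values and bearer names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example: filters, QFI values and bearer names are illustrative only.


@dataclass(frozen=True)
class PacketFilter:
    protocol: Optional[str] = None   # None matches any value
    dst_port: Optional[int] = None

    def matches(self, pkt: Dict[str, object]) -> bool:
        return ((self.protocol is None or pkt.get("protocol") == self.protocol)
                and (self.dst_port is None or pkt.get("dst_port") == self.dst_port))


@dataclass
class QosFlow:
    service: str
    qfi_ul: int               # the same flow may carry a different QFI per direction
    qfi_dl: int
    radio_bearer: str         # RB carrying this flow between UE and base station
    filters: Tuple[PacketFilter, ...] = ()   # empty for the default flow


class PduSession:
    def __init__(self, flows: List[QosFlow], default_flow: QosFlow):
        self.flows = flows
        self.default_flow = default_flow

    @staticmethod
    def _qfi(flow: QosFlow, direction: str) -> int:
        if direction == "UL":
            return flow.qfi_ul
        if direction == "DL":
            return flow.qfi_dl
        raise ValueError(f"unknown direction {direction!r}")

    def classify(self, pkt: Dict[str, object], direction: str) -> Tuple[int, str]:
        """Map a packet to (QFI, RB). Packets matching no service filter, or whose
        flow cannot be determined from the packet, go to the default QoS flow."""
        for flow in self.flows:
            if any(f.matches(pkt) for f in flow.filters):
                return self._qfi(flow, direction), flow.radio_bearer
        return self._qfi(self.default_flow, direction), self.default_flow.radio_bearer


def build_example_session() -> PduSession:
    """One PDU session with a voice flow, a video flow and the default flow (constructed)."""
    voice = QosFlow("voice", qfi_ul=1, qfi_dl=2, radio_bearer="DRB1",
                    filters=(PacketFilter("udp", 5060), PacketFilter("udp", 5004)))
    video = QosFlow("video", qfi_ul=3, qfi_dl=3, radio_bearer="DRB2",
                    filters=(PacketFilter("tcp", 8443),))
    default = QosFlow("default", qfi_ul=9, qfi_dl=9, radio_bearer="DRB0")
    return PduSession([voice, video], default)


if __name__ == "__main__":
    session = build_example_session()
    print(session.classify({"protocol": "udp", "dst_port": 5060}, "UL"))  # voice, uplink QFI
    print(session.classify({"protocol": "tcp", "dst_port": 80}, "DL"))    # no match: default flow
```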
4) Policy and charging control (PCC) rule, also written as PCC rule: contains charging-related information and the charging key of the terminal device, and is a necessary element for creating a QoS flow. It should be noted that a PCC rule may be allocated at the granularity of a QoS flow within a session, or at the granularity of a session (for example, a default PCC rule allocated for the session).
5) Processing entity within a device (for example a terminal device or a security gateway): an instance within the device used to implement a certain function. For example, a processing entity may be, but is not limited to, a processing module, a software instance, a processing chip, an operating system, an application (APP), or a client within the device.
6) "And/or" describes an association relationship between associated objects and indicates that three relationships may exist. For example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates an "or" relationship between the associated objects.
It should be noted that "a plurality of" in this application means two or more. "At least one" means one or more.
In addition, it should be understood that in the description of this application, terms such as "first" and "second" are used only to distinguish between the objects described, and are not to be understood as indicating or implying relative importance or order.
The embodiments of the present application are described in detail below with reference to the accompanying drawings.
The communication method provided by the embodiments of the present application applies to a communication system whose architecture is shown in Figures 1 and 2. Figure 1 shows the reference-point-based system architecture, and Figure 2 shows the service-based-interface system architecture.
Referring to Figures 1 and 2, the communication system includes three parts: the terminal device, the mobile communication system and the DN. The functions and entities of each part are described in detail below with reference to the drawings.
The terminal device, referred to as UE for short, is an entity on the user side capable of receiving and transmitting wireless signals; it needs to access the DN through the mobile communication system in order to carry out the UE's services. The UE may be any of various devices that provide voice and/or data connectivity to users, which is not limited in this application.
The DN, which may also be called a packet data network (PDN), is a network located outside the mobile communication system. Servers implementing various services may be deployed on the DN and may provide data and/or voice services to UEs. A mobile communication system may access at least one DN, and the same DN may be accessed by at least one mobile communication system. For example, the DN may be the Internet, an IP Multimedia Service (IMS) network, a data network dedicated to certain applications, an Ethernet network, an IP local network, etc., which is not limited in this application.
The mobile communication system, deployed and maintained by an operator, provides access services and end-to-end connection services for UEs, and may also be called a mobile communication network. A UE may access the DN through the mobile communication system to carry out specific services. The mobile communication system may in turn include two parts: a (radio) access network ((R)AN) and a core network (CN). When a UE requests access to the DN, the mobile communication system may establish a session of the UE (for example, a PDU session) between the UE and the DN so that the two can communicate.
The (R)AN is mainly responsible for the wireless access function of the UE, and the functions of the (R)AN may specifically be implemented by base stations. A base station is an entity on the network side capable of receiving and transmitting wireless signals; it is responsible for providing wireless-access-related services to UEs within its coverage area, and implements physical layer functions, resource scheduling and radio resource management, QoS management, radio access control, user plane data forwarding and mobility management functions. The base station and the UE implement air interface transmission through the Uu interface.
The CN is responsible for connecting the UE to different data networks according to the call request or service request sent by the UE through the access network, and for services such as charging, mobility management and session management. By specific logical function, the CN can be divided into a control plane (CP) and a user plane (UP). The network elements in the CN responsible for control plane functions may then be collectively called control plane network elements, and those responsible for user plane functions may be collectively called user plane network elements. The functions of the main network elements in the core network are described below.
The user plane network element, i.e. the user plane function (UPF) network element, referred to as UPF for short, is mainly responsible for forwarding and receiving the user plane data of the UE. The user plane network element may receive user plane data from the DN and transmit it to the UE through the base station; it may also receive user plane data from the UE through the base station and forward it to the DN. The transmission resources and scheduling functions in the user plane network element that serve the UE are managed and controlled by the control plane network elements.
The control plane network elements include: the access and mobility management function (AMF) network element, the session management function (SMF) network element, the policy control function (PCF) network element, the authentication server function (AUSF) network element, the network exposure function (NEF) network element, the unified data repository (UDR) network element, the unified data management (UDM) network element, the charging function (CHF) network element, the application function (AF) network element, and so on. Each control plane network element is briefly described below.
The AMF network element, referred to as AMF for short, is mainly responsible for mobility management, access authentication/authorization and signalling processing in the mobile communication system, for example access control, UE location update, UE registration and deregistration, attach and detach, and SMF selection. In addition, the AMF is responsible for conveying user policies between the UE and the PCF.
The SMF network element, referred to as SMF for short, is mainly responsible for session management in the mobile communication system, such as session establishment, modification and release. Specifically, the functions of the SMF include UPF selection, UPF redirection, Internet protocol (IP) address allocation, bearer establishment, modification and release, and QoS control.
The PCF network element, referred to as PCF for short, is mainly responsible for providing a unified policy framework to control network behaviour and for providing policy rules to other control plane network elements; it is also responsible for obtaining the subscription information related to policies.
The AUSF network element, referred to as AUSF for short, is mainly responsible for providing authentication functions and supports authentication for 3rd Generation Partnership Project (3GPP) access and non-3GPP access.
The NEF network element, referred to as NEF for short, mainly supports secure interaction between the mobile communication system and third-party applications, and can securely expose network capabilities and events to third parties in order to enhance or improve application service quality. The mobile communication system can also securely obtain relevant data from third parties through the NEF network element to enhance the network's intelligent decision-making.
The UDR network element, referred to as UDR for short, is mainly responsible for storing the UE's subscription data, policy data, application data and other types of data.
The UDM network element, referred to as UDM for short, is mainly responsible for storing and managing the UE's subscription data, user access authorization, generating authentication credentials, user identity handling (such as storing and managing the user's permanent identity), and other functions.
The CHF network element, referred to as CHF for short, is mainly responsible for providing traffic quotas to the SMF, authorizing the validity time of the traffic quotas, processing charging information, and generating charging function call detail records (CHF-CDR), among other functions.
The AF network element, referred to as AF for short, mainly conveys the requirements of the application side to the network side and supports interaction with other network elements in the core network in order to provide services, for example influencing data routing decisions or the policy control function, or providing certain third-party services to the network side. The AF network element may be a third-party functional entity or an application service deployed by the operator.
The NSSF network element, referred to as NSSF for short, is mainly responsible for network slice selection.
Unlike a conventional communication system, the communication system provided by this application additionally configures a security gateway behind the UPF, as shown in Figures 1 and 2. The security gateway supports dynamic control of the UE's access to the DN and has both user plane and control plane functions. For example, on the control plane, the security gateway may perform relevant configuration through the control plane interface of the SMF, and may also allocate an IP address to itself for transmitting the UE's user plane data. On the user plane, the security gateway maintains a user plane connection with the UPF and provides IPSec protection for data. It should be noted that the security gateway and the UPF may be deployed coupled together or independently. For example, the security gateway may be a functional module within the UPF, an independent network element within the CN, or a device deployed outside the CN; this application does not limit this. Optionally, the security gateway may also be called a data access security function (DASF) network element.
It should be understood that each of the above network elements in the CN may be a network element implemented on dedicated hardware, a software instance running on dedicated hardware, or an instance of a virtualized function on a virtualization platform (for example a cloud platform). In addition, the embodiments of the present application do not limit the distribution form of the network elements in the communication system. Optionally, the above network elements may be deployed in different physical devices, or multiple network elements may be integrated into the same physical device.
In addition, Figure 1 also shows the interaction relationships and corresponding interfaces between the network function entities in the mobile communication system. Figure 2 also shows the service-based interfaces used between some of the network function entities in the mobile communication system. It should be noted that in the communication system provided by this application, the security gateway may share the N4 interface with the UPF in order to communicate with the SMF, as shown by the N4′ interface in Figure 1 or Figure 2.
It should be noted that the mobile communication system shown in Figure 1 or Figure 2 does not constitute a limitation on the mobile communication systems to which the embodiments of the present application apply. The communication method provided by the embodiments of the present application may therefore also apply to communication systems of various standards, for example: long term evolution (LTE) communication systems, fifth generation (5G) communication systems, sixth generation (6G) communication systems and future communication systems. Furthermore, Figure 1 and Figure 2 do not limit the communication scenarios of the mobile communication system: in addition to the non-roaming scenarios shown in Figures 1 and 2, this application may also apply to various roaming scenarios.
Finally, it should also be noted that the embodiments of the present application do not limit the names of the network elements in the mobile communication system. For example, in mobile communication systems of different standards, the network elements may have other names; likewise, when multiple network elements are integrated into the same physical device, that physical device may also have another name.
In the mobile communication system described in Figure 1 or Figure 2 above, the Uu interface between the UE and the base station includes a control plane protocol stack and a user plane protocol stack. The user plane protocol stack contains at least the following protocol layers: the physical (PHY) layer, the medium access control (MAC) layer, the radio link control (RLC) layer, the packet data convergence protocol (PDCP) layer and the service data adaptation protocol (SDAP) layer. The control plane protocol stack contains at least the following protocol layers: the PHY layer, the MAC layer, the RLC layer, the PDCP layer and the radio resource control (RRC) layer.
The IPSec protocol is first briefly introduced below:
The IPSec protocol implements security protection at the IP layer of a communication system, providing protection for the transmission of sensitive data over an untrusted network environment. The IPSec protocol can provide the following security services:
Data origin authentication: authenticating the identity of the communication peer.
Integrity protection: ensuring that data is not tampered with in transit.
Confidentiality: encrypting the user's sensitive data in transit.
Replay protection: rejecting old or duplicated data packets to defend against replay attacks.
The IPSec protocol suite contains two security processing protocols and one key exchange protocol. The security processing protocols are the AH protocol and the ESP protocol; it should be noted that AH and ESP may be used individually or nested. The key exchange protocol in IPSec is the IKE protocol.
The AH protocol provides data origin authentication, data integrity verification, anti-replay and similar functions, but does not support data encryption.
The ESP protocol provides data origin authentication, data integrity verification, anti-replay, and data encryption functions.
The IKE protocol defines the method by which the two communicating parties authenticate each other, negotiate encryption algorithms and generate shared session keys. The IKE protocol may store the result of the key negotiation in an SA for use by the AH protocol and the ESP protocol.
It should be noted that the IPSec protocol is implemented by establishing an SA between the communicating parties. The SA is the foundation of the IPSec protocol. An SA is an agreement established through negotiation between two communicating entities: a logical connection created for the purpose of secure transmission. All data flows passing through the same SA receive the same level of security protection; the SA determines the specific IPSec protocol used for protection, the keys, the validity time of the keys, and so on.
In the IPSec protocol suite, each security processing protocol (i.e. the AH protocol and the ESP protocol) requires a corresponding SA (referred to below as AH SA and ESP SA, respectively) in order to be implemented; the IKE protocol also requires a corresponding SA (referred to as IKE SA). It should be noted that, except for the IKE SA, which is a bidirectional logical connection, AH SAs and ESP SAs are unidirectional logical connections. That is, when both communicating parties may use the same security processing protocol to send data to each other, each party needs to establish an SA of that security processing protocol separately for each data transmission direction.
From the above description of the IPSec protocol suite it can be seen that the AH protocol and the ESP protocol need to use the key negotiation result of the IKE protocol, and that establishing an AH SA or ESP SA requires signalling to be transmitted through the IKE SA. Therefore, AH SAs and ESP SAs may be collectively called security processing protocol SAs, and may also be called IPSec sub-SAs.
下面以通信双方为通信设备a和通信设备b为例,参阅图3对目前IKE SA和IP子SA的建立流程(即IPSec协商过程)进行简单说明。应注意,在图3中的各个消息中,消息后的小括号()表示其中的内容为消息中包含的信息,中括号[]表示其中的内容为可选项,大括号{}表示其中的内容是通过IKE SA加密保护的。The following takes the communication parties as communication device a and communication device b as an example. Refer to Figure 3 for a brief explanation of the current establishment process of IKE SA and IP sub-SA (i.e., IPSec negotiation process). It should be noted that in each message in Figure 3, the parentheses () after the message indicate that the content is the information contained in the message, the square brackets [] indicate that the content is optional, and the curly brackets {} indicate that the content It is protected by IKE SA encryption.
S301-S302 constitute the IKE SA establishment procedure. In this procedure, communication device a is assumed to be the initiator of the IKE SA, and communication device b is then the responder.
S301: Communication device a sends an IKE SA establishment request to communication device b. The request carries the security parameters that communication device a uses to establish the IKE SA.
As shown in Figure 3, the IKE SA establishment request may include an IKE header (denoted HDR1), the IKE SA encryption algorithms supported by communication device a (denoted SA1_a), the key material of communication device a (for example, its Diffie-Hellman value, denoted KE_a), and the nonce that communication device a uses to generate the IKE SA key (denoted N1_a).
HDR1 may contain the security parameter index (SPI) of communication device a (used to identify communication device a within the IPSec protocol, denoted SPI_a), the IKE protocol version number, the encapsulation mode (transport mode or tunnel mode), the message identifier (Message ID), and other information.
S302: In response to the IKE SA establishment request, communication device b sends an IKE SA establishment response to communication device a. The response carries the security parameters that communication device b uses to establish the IKE SA.
As shown in Figure 3, the IKE SA establishment response may include HDR2, the IKE SA encryption algorithms supported by communication device b (denoted SA1_b), the key material of communication device b (denoted KE_b), and the nonce that communication device b uses to generate the IKE SA key (denoted N1_b). Optionally, the IKE SA establishment response also includes an identity verification request from communication device b (denoted CERTREQ).
It should be noted that the content of HDR2 corresponds to that of HDR1 in S301; the common parts are not repeated here. Unlike HDR1, HDR2 contains not only the SPI of communication device b (denoted SPI_b) but also SPI_a.
Through S301-S302, each party obtains the security parameters that the other party uses to establish the IKE SA. Each party can then establish the IKE SA from its own security parameters together with the peer's, so that the signaling for establishing IPSec sub-SAs can subsequently be carried over that IKE SA. In addition, at this point both parties hold the peer's key material KE and the nonces used to generate the IKE SA key (that is, KE_a, KE_b, N1_a, N1_b), so communication device a and communication device b can derive the same key seed (SKEYSEED), from which the IKE SA key is subsequently generated.
S303-S304 constitute the IPSec sub-SA establishment procedure. In this procedure, communication device a is again assumed to be the initiator of the IPSec sub-SA and communication device b the responder.
S303: Communication device a sends an IPSec sub-SA establishment request to communication device b. The request carries the security parameters that communication device a uses to establish the IPSec sub-SA.
As shown in Figure 3, the IPSec sub-SA establishment request may include HDR3 together with content encrypted and authenticated by the IKE SA (denoted SK). The SK contains the identifier of the processing entity in communication device a that implements the IPSec sub-SA (denoted ID_a), the authentication information of communication device a (denoted AUTH_a), the IPSec sub-SA encryption algorithms supported by communication device a (denoted SA2_a), and a first data flow selection rule determined by communication device a (comprising the data flow selection rule on the communication device a side, denoted TS1_a, and the data flow selection rule on the communication device b side, denoted TS1_b). The content of HDR3 corresponds to that of HDR2 and includes SPI_b and SPI_a; it is not repeated here.
Optionally, as shown in Figure 3, the IPSec sub-SA establishment request may also include the identifier of the processing entity that communication device a designates in communication device b to implement the IPSec sub-SA (denoted ID_b), the certificate of communication device a (denoted CERT_a) sent in response to the identity verification request carried in the IKE SA establishment response received in S302, and an identity verification request from communication device a.
ID_a and AUTH_a are used for authentication and integrity protection; TS1_a and TS1_b are the packet filtering rules applied to encryption under this sub-SA. TS1_a specifies the packets sent from communication device a to communication device b that must be encrypted (usually as an IP address or IP address range: if the source address of a packet sent by communication device a falls within TS1_a, the packet must be encrypted with this sub-SA), or the packets sent from communication device b to communication device a that must be decrypted (usually an IP address or IP address range: if the destination address of a packet sent by communication device b falls within TS1_a, the packet must be decrypted with this sub-SA). TS1_b specifies the packets sent from communication device a to communication device b that must be encrypted (usually an IP address or IP address range: if the destination address of a packet sent by communication device a falls within TS1_b, the packet must be encrypted with this sub-SA), or the packets sent from communication device b to communication device a that must be decrypted (usually an IP address or IP address range: if the source address of a packet sent by communication device b falls within TS1_b, the packet must be decrypted with this sub-SA).
S304: In response to the IPSec sub-SA establishment request, communication device b sends an IPSec sub-SA establishment response to communication device a. The response carries the security parameters that communication device b uses to establish the IPSec sub-SA.
As shown in Figure 3, the IPSec sub-SA establishment response may include HDR4 together with content encrypted and authenticated by the IKE SA (denoted SK). The SK contains the identifier of the processing entity in communication device b that implements the IPSec sub-SA (denoted ID_b), the authentication information of communication device b (denoted AUTH_b), the IPSec sub-SA encryption algorithms supported by communication device b (denoted SA2_b), and a second data flow selection rule determined by communication device b (comprising the data flow selection rule on the communication device a side, denoted TS2_a, and the data flow selection rule on the communication device b side, denoted TS2_b).
It should be noted that communication device b may determine the contents of the IPSec sub-SA response, including at least one of ID_b, SA2_b, TS2_a and TS2_b, from the contents of the IPSec sub-SA establishment request together with its local configuration.
Optionally, as shown in Figure 3, in response to the identity verification request carried in the IPSec sub-SA establishment request received in S303, the IPSec sub-SA establishment response may also include the certificate of communication device b (denoted CERT_b).
ID_b and AUTH_b are used for authentication and integrity protection; TS2_a and TS2_b are the packet filtering rules, accepted by communication device b, that apply to encryption under this sub-SA. TS2_a specifies the packets sent from communication device a to communication device b that must be decrypted (usually an IP address or IP address range: if the source address of a packet sent by communication device a falls within TS2_a, the packet must be decrypted with this sub-SA), or the packets sent from communication device b to communication device a that must be encrypted (usually an IP address or IP address range: if the destination address of a packet sent by communication device b falls within TS2_a, the packet must be encrypted with this sub-SA). TS2_b specifies the packets sent from communication device a to communication device b that must be decrypted (usually an IP address or IP address range: if the destination address of a packet sent by communication device a falls within TS2_b, the packet must be decrypted with this sub-SA), or the packets sent from communication device b to communication device a that must be encrypted (usually an IP address or IP address range: if the source address of a packet sent by communication device b falls within TS2_b, the packet must be encrypted with this sub-SA).
The second data flow selection rule may be determined by communication device b on the basis of the first data flow selection rule. For example, communication device b determines TS2_a from TS1_a, and TS2_b from TS1_b.
Through S303-S304, each party obtains the security parameters that the other party uses to establish the IPSec sub-SA. Each party can then establish the IPSec sub-SA from its own security parameters together with the peer's, so that data packets can subsequently be transmitted through that IPSec sub-SA.
In addition, since each party obtains through S303-S304 the nonce that the other party uses to generate the IPSec sub-SA, both parties can generate the key of the IPSec sub-SA from the key material KE of both sides and the nonces used to generate the IPSec sub-SA (that is, KE_a, KE_b, N2_a, N2_b), and use it to encrypt and protect the packets transmitted through that IPSec sub-SA.
It should be noted that S303 and S304 may be performed multiple times, each time protected by the same IKE SA, in order to establish multiple sets of IPSec sub-SAs for data transmission. Because an IPSec sub-SA is a unidirectional connection, communication device b may also act as initiator of the IPSec sub-SA establishment procedure; that is, the initiator of an IPSec sub-SA may be either the initiator or the responder of the IKE SA.
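The negotiation of Figure 3 (S301-S304), as an added example that is not code from the patent: initiator a and responder b exchange SPIs, Diffie-Hellman values and nonces, derive the same SKEYSEED, carry the sub-SA request inside an SK{...} envelope, narrow TS1 into TS2 from local configuration, derive the sub-SA key, and then apply the TS-based packet filter. It assumes a toy Diffie-Hellman group, HMAC-SHA256 as the prf, constructed algorithm names and address ranges, and an integrity-tag stand-in for the SK encryption.

```python
"""Added example (not code from the patent): a runnable simulation of the IKE SA and
IPSec sub-SA negotiation of Figure 3 (S301-S304).  The toy DH group, nonces, algorithm
names and the SK{...} stand-in are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

P = 2**127 - 1   # toy Diffie-Hellman modulus (a Mersenne prime); NOT a real IKE group
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function used for SKEYSEED and sub-SA keys (HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()

@dataclass
class Device:
    """One party: SPI, DH private value, nonces N1 (IKE SA) / N2 (sub-SA), algorithms, TS config."""
    name: str
    ciphers: tuple
    own_ts: str            # address range on this device's side
    peer_ts: str           # address range this device accepts on the peer's side
    spi: bytes = field(default_factory=lambda: secrets.token_bytes(8))
    dh_priv: int = field(default_factory=lambda: secrets.randbelow(P - 2) + 1)
    n1: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    n2: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    skeyseed: bytes = b""
    child_key: bytes = b""

    @property
    def ke(self) -> int:   # KE_x: the DH public value carried in S301/S302
        return pow(G, self.dh_priv, P)

    def set_skeyseed(self, peer_ke: int, n_i: bytes, n_r: bytes) -> None:
        # SKEYSEED = prf(N1_a | N1_b, g^ab): both sides reach the same seed
        shared = pow(peer_ke, self.dh_priv, P).to_bytes(16, "big")
        self.skeyseed = prf(n_i + n_r, shared)

def sk_protect(skeyseed: bytes, payload: dict) -> dict:
    """Stand-in for the SK{...} envelope: an integrity tag under the IKE SA seed.
    A real IKE SA also encrypts the payload; that is omitted here."""
    return {"payload": payload, "tag": prf(skeyseed, repr(sorted(payload.items())).encode())}

def sk_open(skeyseed: bytes, sk: dict) -> dict:
    """Verifies the tag before trusting anything inside SK{...}."""
    expected = prf(skeyseed, repr(sorted(sk["payload"].items())).encode())
    if not hmac.compare_digest(expected, sk["tag"]):
        raise ValueError("SK check failed: message not protected by our IKE SA")
    return sk["payload"]

def narrow(requested: str, local: str) -> str:
    """TS2 derived from TS1 and local configuration: keep the more specific range."""
    req_net, loc_net = ipaddress.ip_network(requested), ipaddress.ip_network(local)
    if req_net.subnet_of(loc_net):
        return str(req_net)
    if loc_net.subnet_of(req_net):
        return str(loc_net)
    raise ValueError(f"requested {requested} does not overlap local {local}")

def negotiate(a: Device, b: Device) -> dict:
    """Runs S301-S304 with a as initiator and b as responder; returns the agreed sub-SA."""
    # S301: HDR1(SPI_a), SA1_a, KE_a, N1_a
    req = {"HDR": {"SPI_a": a.spi}, "SA1": a.ciphers, "KE": a.ke, "N1": a.n1}
    # S302: HDR2 carries SPI_a and SPI_b; b picks an algorithm it shares with a
    common = [c for c in req["SA1"] if c in b.ciphers]
    if not common:
        raise ValueError("no common IKE SA algorithm")
    rsp = {"HDR": {"SPI_a": req["HDR"]["SPI_a"], "SPI_b": b.spi},
           "SA1": common[0], "KE": b.ke, "N1": b.n1}
    b.set_skeyseed(req["KE"], req["N1"], b.n1)
    a.set_skeyseed(rsp["KE"], a.n1, rsp["N1"])
    # S303: HDR3(SPI_a, SPI_b), SK{ID_a, AUTH_a, SA2_a, TS1_a, TS1_b, N2_a}
    sk3 = sk_protect(a.skeyseed, {"ID_a": a.name, "AUTH_a": prf(a.skeyseed, a.name.encode()),
                                  "SA2_a": a.ciphers, "TS1_a": a.own_ts, "TS1_b": a.peer_ts,
                                  "N2_a": a.n2})
    # S304: b opens SK, derives TS2 from TS1 and its local config, answers with SK{...}
    p3 = sk_open(b.skeyseed, sk3)
    sk4 = sk_protect(b.skeyseed, {"ID_b": b.name, "AUTH_b": prf(b.skeyseed, b.name.encode()),
                                  "SA2_b": rsp["SA1"], "TS2_a": narrow(p3["TS1_a"], b.peer_ts),
                                  "TS2_b": narrow(p3["TS1_b"], b.own_ts), "N2_b": b.n2})
    p4 = sk_open(a.skeyseed, sk4)
    # sub-SA key from the shared DH secret (via SKEYSEED) and both N2 nonces
    b.child_key = prf(b.skeyseed, p3["N2_a"] + b.n2)
    a.child_key = prf(a.skeyseed, a.n2 + p4["N2_b"])
    return {"SPI_a": a.spi, "SPI_b": b.spi, "alg": p4["SA2_b"],
            "TS2_a": p4["TS2_a"], "TS2_b": p4["TS2_b"]}

def needs_sub_sa(sa: dict, src: str, dst: str, sender: str) -> bool:
    """Packet filter: a->b packets are encrypted when src is in TS_a and dst in TS_b;
    b->a packets are decrypted when dst is in TS_a and src in TS_b."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ts_a, ts_b = ipaddress.ip_network(sa["TS2_a"]), ipaddress.ip_network(sa["TS2_b"])
    if sender == "a":
        return s in ts_a and d in ts_b
    return d in ts_a and s in ts_b
```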
To secure the transmission of user data in a mobile communication system, there is currently a scheme for protecting data between the UE and the CN: on top of the existing mobile communication system architecture, a security gateway is deployed between the UPF and the DN so as to provide end-to-end (E2E) data protection at the IP layer through the IPSec protocol. Key negotiation, encryption policy management and so on between the UE and the security gateway are carried out on the basis of the IPSec protocol. However, the UE and the security gateway must create and maintain the IPSec SA through user-plane operations, and because the security parameters used to create the IPSec SA are transmitted and configured on the user plane, there is a risk that these security parameters are leaked. This introduces a new security risk and ultimately fails to guarantee the security of the user's data.
Figure 4 shows the protocol stack used for packet encryption through the IPSec protocol in a mobile communication system. On the UE side, the security layer that supports the IPSec protocol sits above the SDAP layer and below the PDU layer; on the UPF side, the security layer sits above the general packet radio service (GPRS) tunnelling protocol user plane (GTP-U) layer and below the PDU layer.
In addition, on the basis of the protocol stack shown in Figure 4, the encapsulation modes for packets under the IPSec protocol include transport mode and tunnel mode. Taking IP packet encapsulation on the UE side as an example: in transport mode, the UE does not generate a new IP header but inserts the IPSec header after the IP header of the original IP packet and before any transport-layer protocol header, as shown in part a of Figure 5; in tunnel mode, the UE inserts the IPSec header before the IP header of the original IP packet and additionally generates a new IP header placed before the IPSec header, as shown in part b of Figure 5. The IPSec header contains the SPI of the destination device and the security processing protocol (for example, ESP or AH) negotiated between the two IPSec parties. Optionally, the IPSec header may also contain the SPI of the source device.
In a communication system, when the SDAP layer of the UE maps IP packets to QoS flows, it uses the IP five-tuple of the packet (source IP address, destination IP address, source port, destination port and transport-layer protocol). When the communication system protects IP packets with the IPSec protocol, however, the SDAP layer cannot see the five-tuple of the IP packet to be transmitted and therefore cannot determine which QoS flow the packet should be mapped to; in the end the packet can only be transmitted over the default QoS flow. The GTP-U layer on the UPF side has the same problem: it cannot map IP packets to the corresponding QoS flow and can only transmit them over the default QoS flow.
For example, as shown in part a of Figure 5, in transport mode the UE's security layer retains only the IP header of the original IP packet, while the subsequent transport-layer protocol header is protected (hidden); the UE's SDAP layer can learn neither the transport-layer protocol nor the source and destination ports, and therefore cannot perform QoS flow mapping for the packet.
As another example, as shown in part b of Figure 5, in tunnel mode both the IP header of the original IP packet and the subsequent transport-layer protocol header are protected (hidden); the UE's SDAP layer cannot obtain the five-tuple of the original IP packet and cannot perform QoS flow mapping for it.
Clearly, when the IPSec protocol is used to protect the UE's service data, the mobile communication system can only transmit all of the UE's service data without differentiation, so the transmission of some of the UE's service data may fail to meet the QoS requirements of that service, degrading the user's service experience.
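The QoS-mapping problem of Figure 5, as an added example that is not code from the patent: a constructed IP/TCP packet is ESP-encapsulated in transport mode (part a) and tunnel mode (part b), and a parser limited to what the SDAP or GTP-U layer can see shows that only the unprotected packet matches a port-based QoS rule, while both protected forms fall back to the default flow. Addresses, ports, the toy keystream cipher (in place of ESP's real cipher) and the single QoS rule are constructed.

```python
"""Added example (not from the patent): shows why the SDAP/GTP-U layer loses the IP
five-tuple needed for QoS-flow mapping once a packet is ESP-protected in transport
mode (Figure 5a) or tunnel mode (Figure 5b).  Addresses, ports, the toy cipher and the
QoS rule are constructed."""
import hashlib
import ipaddress
import struct

ESP = 50   # IP protocol number of ESP
TCP = 6


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at 0; enough for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header: ports, seq, ack, data offset, SYN flag, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher so the protected part is opaque bytes (NOT real ESP crypto)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ k for x, k in zip(data, stream))


def esp_encapsulate(mode: str, inner: bytes, spi: int, key: bytes,
                    tunnel_src: str = "", tunnel_dst: str = "") -> bytes:
    """Transport mode: original IP header, ESP header (SPI, sequence number), then the
    encrypted transport header and data.  Tunnel mode: new IP header, ESP header, then
    the whole original packet encrypted."""
    esp_hdr = struct.pack("!II", spi, 1)
    if mode == "transport":
        src = str(ipaddress.ip_address(inner[12:16]))
        dst = str(ipaddress.ip_address(inner[16:20]))
        body = esp_hdr + toy_encrypt(key, inner[20:])
        return ipv4_header(src, dst, ESP, len(body)) + body   # header now announces ESP
    if mode == "tunnel":
        body = esp_hdr + toy_encrypt(key, inner)
        return ipv4_header(tunnel_src, tunnel_dst, ESP, len(body)) + body
    raise ValueError(f"unknown encapsulation mode {mode!r}")


def sdap_five_tuple(packet: bytes) -> dict:
    """What the SDAP (UE side) or GTP-U (UPF side) layer can read without the sub-SA key."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    if proto == ESP:
        # everything after the ESP header is ciphertext: real protocol and ports are hidden
        return {"src": src, "dst": dst, "proto": None, "sport": None, "dport": None}
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def qos_flow_for(five_tuple: dict, rules: list, default_qfi: int = 9) -> int:
    """Maps a five-tuple to a QFI.  A rule matches only when every field it names is
    visible and equal; with hidden fields the packet falls back to the default flow."""
    for rule, qfi in rules:
        if all(five_tuple.get(k) is not None and five_tuple[k] == v for k, v in rule.items()):
            return qfi
    return default_qfi


def demo() -> dict:
    """QFI chosen for the same packet unprotected, in transport mode and in tunnel mode."""
    rules = [({"dst": "203.0.113.10", "proto": TCP, "dport": 5060}, 1)]   # constructed rule
    plain = ipv4_header("10.1.2.3", "203.0.113.10", TCP, 20) + tcp_header(40000, 5060)
    key = b"constructed-sub-sa-key"
    transport = esp_encapsulate("transport", plain, 0x1001, key)
    tunnel = esp_encapsulate("tunnel", plain, 0x1001, key, "10.1.2.3", "198.51.100.1")
    return {name: qos_flow_for(sdap_five_tuple(pkt), rules)
            for name, pkt in (("plain", plain), ("transport", transport), ("tunnel", tunnel))}
```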
To ensure the security of the IPSec negotiation process in a scenario where the mobile communication system protects the user's service data through the IPSec protocol, embodiments of this application provide a communication method. The method may be applied in the communication system shown in Figure 1 or Figure 2, and is described below with reference to the flowchart shown in Figure 6.
S601: The AMF sends a first message to the SMF, and the SMF receives the first message from the AMF. The first message contains a first security parameter of the UE, which is used to establish an SA between the UE and a security gateway.
It should be noted that the AMF and the SMF are the network elements in the core network that serve the UE.
Optionally, the first security parameter may be used to establish an IKE SA between the UE and the security gateway, or a security processing protocol SA (that is, an IPSec sub-SA) between the UE and the security gateway; this application does not limit this.
S602: The SMF sends a second message to a target security gateway, and the target security gateway receives the second message from the SMF. The second message contains the first security parameter and requests the establishment of a target SA between the UE and the target security gateway. The target security gateway is allocated to the UE by the SMF.
S603: The target security gateway sends a third message to the SMF, and the SMF receives the third message from the target security gateway. The third message contains a second security parameter of the target security gateway, which is used to establish the target SA; the third message is the response to the second message.
Optionally, the second message may be an SA request message, and the third message an SA response message.
S604: The SMF sends a fourth message to the AMF, and the AMF receives the fourth message from the SMF. The fourth message contains the second security parameter.
As shown in Figure 6, after receiving the second security parameter, the AMF may configure the UE according to the first security parameter and the second security parameter so as to establish the target SA between the UE and the target security gateway. Optionally, the AMF may send some or all of the first security parameter and/or some or all of the second security parameter to the UE. Optionally, the AMF may also generate an SA key from the first security parameter and the second security parameter and then send that SA key to the UE, so that the UE can use the SA key to protect the packets transmitted through the target SA.
The target security gateway may likewise configure itself according to its own second security parameter and the first security parameter received in S602 so as to establish the target SA. Optionally, the target security gateway may also generate an SA key from the first security parameter and the second security parameter and use it to protect the packets transmitted through the target SA. Because the AMF and the target security gateway generate the SA key from the same security parameters, the keys they generate are identical, which ensures that the packets transmitted through the target SA can be protected successfully.
Through the above steps, the control-plane network elements of the mobile communication system's core network, by interacting with the target security gateway, convey the UE's security parameters and the target security gateway's security parameters and thereby complete the IPSec negotiation. Because the IPSec negotiation is completed through the core-network control plane, whose security is high, the method avoids the risk of security parameters being leaked through user-plane transmission, ensures the security of the IPSec negotiation process, and thus secures the user data or signaling subsequently transmitted through the established SA.
From the above description of the IPSec protocol and of the IPSec negotiation process shown in Figure 3, implementing the IPSec security mechanism between the UE and the target security gateway requires first establishing an IKE SA and then establishing a security processing protocol SA. For establishing these two kinds of SA, embodiments of this application therefore provide the following two implementations.
Implementation 1: establishing the IKE SA. That is, the target SA in the embodiment shown in Figure 6 is an IKE SA.
In this embodiment of the application, the core-network control-plane network elements may establish the IKE SA through a session establishment procedure. Optionally, the first message may be a first session establishment request message sent by the AMF to the SMF, and the fourth message may be the response to the first message, namely a first session establishment response message sent by the SMF to the AMF.
Optionally, before the AMF sends the first message to the SMF, the AMF may receive a second session establishment request message from the UE; after the AMF receives the fourth message from the SMF, the AMF may send a second session establishment response message to the UE.
Optionally, the AMF may obtain the first security parameter in, but not limited to, the following ways:
Method 1: The second session establishment request message contains the first security parameter. The AMF obtains the first security parameter from the second session establishment request message and sends it to the SMF in S601.
Method 2: The second session establishment request message contains a first parameter part of the first security parameter. Before sending the first message to the SMF in S601, the AMF may further obtain a second parameter part of the first security parameter from the UDM or AUSF according to the identifier of the UE (for example, the UE's subscription permanent identifier (SUPI)); the first parameter part and the second parameter part together make up the first security parameter.
Optionally, the second parameter part of the first security parameter may be included in the UE's subscription data. The AMF may therefore obtain the UE's subscription data from the UDM or the AUSF and take the second parameter part from that subscription data.
With Method 2, the mobile communication system can place the sensitive data within the UE's first security parameter (for example, the UE's key material) in the UE's subscription data. This avoids the UE transmitting that sensitive data over the air interface, where it would be at risk of leakage.
Method 3: The second session establishment request message does not contain the first security parameter. Before sending the first message to the SMF in S601, the AMF may determine the first security parameter itself.
For example, the AMF may store or maintain the UE's first security parameter locally, so that the AMF can obtain the locally stored first security parameter directly.
As another example, the AMF may store or maintain locally the first parameter part of the first security parameter and obtain the second parameter part from the UDM or AUSF as in Method 2; see the description of Method 2 for the specific procedure.
As a further example, the AMF may obtain the first security parameter directly from the UDM or AUSF.
With Method 3, the AMF does not need to obtain the first security parameter from the UE, and the UE does not need to transmit the first security parameter over the air interface. This avoids the UE transmitting the first security parameter over the air interface, where it would be at risk of leakage.
In one possible design, the second session establishment response sent by the AMF to the UE may contain some or all of the first security parameter and/or some or all of the second security parameter; this application does not limit this. Optionally, the AMF may also notify the UE of some or all of the first security parameter and some or all of the second security parameter through other messages; this application does not limit this either.
In one possible design, the first message contains first indication information. Optionally, the second session establishment request also contains the first indication information. The first indication information indicates that the UE requests data encryption; for example, it may be an E2E encryption request initiated by the UE. From the first indication information, the AMF can determine that an IPSec negotiation process needs to be initiated for the UE.
在一种可能的设计中,所述SMF在执行S602之前,还包括:为所述UE分配所述目标安全网关。通过图1或图2所示的通信***可知,每个UPF可以关联(连接或耦合)至少一个安全网关。基于此,所述SMF可以通过以下步骤为所述UE分配所述目标安全网关:In a possible design, before executing S602, the SMF further includes: allocating the target security gateway to the UE. It can be known from the communication system shown in Figure 1 or Figure 2 that each UPF can be associated (connected or coupled) with at least one security gateway. Based on this, the SMF may allocate the target security gateway to the UE through the following steps:
a1:所述SMF为所述UE分配UPF;a1: The SMF allocates UPF to the UE;
a2:所述SMF在与所述UPF相关联的至少一个安全网关中选择所述目标安全网关。示例性的,所述SMF可以根据所述至少一个安全网关的负载、物理位置等信息选择所述目标安全网关;或者所述SMF可以在所述至少一个安全网关中随机选择一个安全网关作为所述目标安全网关,本申请对此不作限定。a2: The SMF selects the target security gateway from at least one security gateway associated with the UPF. Exemplarily, the SMF may select the target security gateway based on the load, physical location and other information of the at least one security gateway; or the SMF may randomly select a security gateway among the at least one security gateway as the The target security gateway is not limited in this application.
可选的,当所述SMF为所述UE分配UPF后,所述SMF和/或所述UPF可以为所述UE分配IP地址。基于此,所述SMF向所述目标安全网关发送的第二消息中还可以包含所述UPF的标识或所述UE的IP地址。可选的,所述目标安全网关还可以通过其他方式获取所述UPF的标识,例如通过与所述目标安全网关相关联的UPF确定所述UPF的标识,以便可以识别所述UPF。Optionally, after the SMF allocates a UPF to the UE, the SMF and/or the UPF may allocate an IP address to the UE. Based on this, the second message sent by the SMF to the target security gateway may also include the identification of the UPF or the IP address of the UE. Optionally, the target security gateway can also obtain the identity of the UPF through other methods, such as determining the identity of the UPF through the UPF associated with the target security gateway, so that the UPF can be identified.
所述目标安全网关在接收到所述第二消息之后,还可以针对所述目标SA,为自身分配IP地址,以便后续所述UE与所述目标安全网关,可以基于所述UE的IP地址、所述目标安全网关的IP地址进行通信交互。可选的,所述第三消息中还可以包含所述目标安全网关的IP地址,所述第四消息中也可以包含所述目标安全网关的IP地址。After receiving the second message, the target security gateway may also allocate an IP address to itself for the target SA, so that the subsequent communication between the UE and the target security gateway can be based on the IP address of the UE, The IP address of the target security gateway is used for communication and interaction. Optionally, the third message may also include the IP address of the target security gateway, and the fourth message may also include the IP address of the target security gateway.
在一种可能的设计中,当核心网建立所述UE的会话后,还可以向UPF配置转发规则,以便将所述UE和所述目标安全网关之间通过所述IKE SA传输的数据包映射到所述会话的某个QoS流上,如图6中的S605a所示。In a possible design, after the core network establishes the session of the UE, it can also configure forwarding rules to the UPF to map the data packets transmitted between the UE and the target security gateway through the IKE SA. to a certain QoS flow of the session, as shown in S605a in Figure 6.
S605a:在S603之后,所述SMF可以向所述UPF发送第一转发规则配置信息。可选的,所述SMF可以根据所述第一安全参数、所述第二安全参数,以及指示第一QoS流的第一QFI,向所述UPF发送第一转发规则配置信息。S605a: After S603, the SMF may send the first forwarding rule configuration information to the UPF. Optionally, the SMF may send the first forwarding rule configuration information to the UPF according to the first security parameter, the second security parameter, and the first QFI indicating the first QoS flow.
其中,所述第一转发规则配置信息用于指示所述UPF将所述UE和所述目标安全网关之间通过所述IKE SA传输的数据包映射到所述第一QFI对应的第一QoS流上,实现IKE SA与所述第一QoS流的耦合/绑定。Wherein, the first forwarding rule configuration information is used to instruct the UPF to map data packets transmitted between the UE and the target security gateway through the IKE SA to the first QoS flow corresponding to the first QFI. on the IKE SA to achieve coupling/binding with the first QoS flow.
换而言之,该第一转发规则配置信息用于指示所述UPF生成第一转发规则。所述第一转发规则用于将所述UE和所述目标安全网关之间通过所述IKE SA传输的数据包映射到所述第一QFI对应的第一QoS流上。可选的,所述第一QoS流可以为所述UE的会话中默认的QoS流。可选的,由于所述第一QoS流(例如默认的QoS流)可以传输所述IKE SA加密的数据包,因此,在本申请实施例中,所述第一QoS流还可以称为IKE QoS流。In other words, the first forwarding rule configuration information is used to instruct the UPF to generate a first forwarding rule. The first forwarding rule is used to map data packets transmitted between the UE and the target security gateway through the IKE SA to the first QoS flow corresponding to the first QFI. Optionally, the first QoS flow may be a default QoS flow in the session of the UE. Optionally, since the first QoS flow (such as the default QoS flow) can transmit the IKE SA encrypted data packet, in this embodiment of the present application, the first QoS flow can also be called IKE QoS. flow.
这样,后续所述UE和所述目标安全网关可以通过所述IKE SA传输建立安全处理协议SA涉及的信令。所述UPF可以将这些信令在IKE SA与第一QoS流之间相互映射,以便在通信***的用户面通过IKE SA实现安全处理协议的IPSec协商。例如,UPF可以将通过第一QoS流接收来自UE的数据包映射到IKE SA,从而将该数据包传输给目标安全网关;UPF还可以将来自该目标安全网关的数据包映射到第一QoS流上,从而将该数据包传输给UE。 In this way, the UE and the target security gateway can subsequently transmit the signaling involved in establishing the security processing protocol SA through the IKE SA. The UPF can map these signalings to each other between the IKE SA and the first QoS flow, so as to implement IPSec negotiation of the security processing protocol through the IKE SA on the user plane of the communication system. For example, the UPF can map a data packet received from the UE through the first QoS flow to an IKE SA, thereby transmitting the data packet to the target security gateway; the UPF can also map the data packet from the target security gateway to the first QoS flow. on, thereby transmitting the data packet to the UE.
在一种可能的设计中,所述第一安全参数包含以下至少一项:所述UE的SPI,所述UE的密钥材料,所述UE支持的IKE SA加密算法,或者用于生成IKE SA密钥的第一随机数。所述第二安全参数包含以下至少一项:所述目标安全网关的SPI,所述目标安全网关的密钥材料,所述目标安全网关支持的IKE SA加密算法,或者用于生成IKE SA密钥的第二随机数。In a possible design, the first security parameter includes at least one of the following: SPI of the UE, key material of the UE, IKE SA encryption algorithm supported by the UE, or used to generate IKE SA The first random number of the key. The second security parameter includes at least one of the following: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithm supported by the target security gateway, or used to generate an IKE SA key the second random number.
可选的,所述第一转发规则配置信息中可以包含所述UE的SPI,所述目标安全网关的SPI,以及所述第一QFI。可选的,所述第一转发规则配置信息中还可以包含所述目标安全网关的端口。这样,当所述UPF接收到来自目标安全网关的、包含所述UE的SPI和所述目标安全网关的SPI的数据包时,可以将该数据包直接映射到该第一QoS流上传输。当所述UPF通过所述第一QoS流接收到来自UE的数据包时,可以将该数据包通过目标安全网关的端口传输至目标安全网关。Optionally, the first forwarding rule configuration information may include the SPI of the UE, the SPI of the target security gateway, and the first QFI. Optionally, the first forwarding rule configuration information may also include the port of the target security gateway. In this way, when the UPF receives a data packet from the target security gateway that includes the SPI of the UE and the SPI of the target security gateway, the data packet can be directly mapped to the first QoS flow for transmission. When the UPF receives a data packet from the UE through the first QoS flow, the data packet may be transmitted to the target security gateway through a port of the target security gateway.
Implementation 2: establishing the security processing protocol SA. That is, the target SA in the embodiment shown in Figure 6 is the security processing protocol SA.
In the embodiments of this application, the core network control plane network element can establish the security processing protocol SA while creating a QoS flow in a session modification procedure. Optionally, the session modification procedure may be initiated by the UE, or triggered by the SMF according to a policy modification notification message sent by the PCF or a subscription modification notification message sent by the UDM. The security processing protocol SA may be the security processing protocol SA in the uplink direction from the UE to the target security gateway, that is, the uplink IPSec child SA.
In a possible design, the first message may be a first session modification request message sent by the AMF to the SMF, and the fourth message may be the response to the first message, namely a first session modification response message sent by the SMF to the AMF. Optionally, the first message may also include information about a second QoS flow that the UE requests to establish. The information about the second QoS flow may include, but is not limited to, the QoS requirements (QoS parameters), the identifier of the second QoS flow (the second QFI), the filter detection rules of the second QoS flow, and so on.
Optionally, before the AMF sends the first message to the SMF, the AMF may also receive a second session modification request message from the UE; after the AMF receives the fourth message from the SMF, the AMF may also send a second session modification response message to the UE. The second session modification request message also includes information about the second QoS flow that the UE requests to establish in the UE's session.
Optionally, the AMF may obtain the first security parameter in, but not limited to, the following ways:
Method 1: the second session modification request message includes the first security parameter. The AMF may obtain the first security parameter from the second session modification request message and send it to the SMF in S601.
Method 2: the second session modification request includes the first parameter part of the first security parameter. Before sending the first message to the SMF in S601, the AMF may also obtain the locally stored second parameter part of the first security parameter; the first parameter part and the second parameter part together form the first security parameter.
Method 3: the second session modification request does not include the first security parameter. Before sending the first message to the SMF in S601, the AMF may also obtain the stored first security parameter.
In a possible design, after the SMF decides to establish the second QoS flow in the UE's session, it may send a fifth message to the AMF. The fifth message requests the first security parameter; after receiving the fifth message, the AMF may send the first message to the SMF. Therefore, in this design, the first message is the response to the fifth message.
Optionally, before the SMF sends the fifth message to the AMF, the SMF may decide to establish the second QoS flow in, but not limited to, the following ways:
Method 1: the SMF receives a policy modification notification message from the PCF, where the policy modification notification message includes information about the second QoS flow that the PCF requests to establish in the UE's session.
Method 2: the SMF receives a subscription modification notification message from the UDM, where the subscription modification notification message includes information about the second QoS flow that the UDM requests to establish in the UE's session.
Method 3: the SMF receives a first session modification request message from the AMF, where the first session modification request message includes information about the second QoS flow that the UE requests to establish in the UE's session. In method 3, before the AMF sends the first session modification request message to the SMF, the AMF may also receive a second session modification request message from the UE, where the second session modification request message also includes the information about the second QoS flow.
In this design, the fourth message may be a first session modification response message. After the AMF receives the fourth message from the SMF, the AMF may also send a second session modification response message to the UE.
In addition, for the process by which the AMF obtains the first security parameter after receiving the fifth message, refer to the description in the previous design; it is not repeated here.
In a possible design, the second session modification response message sent by the AMF to the UE in the above designs may include part or all of the first security parameter and/or part or all of the second security parameter; this application does not limit this. Optionally, the AMF may also notify the UE of part or all of the first security parameter and part or all of the second security parameter through other messages, which this application does not limit.
In a possible design, after the SMF creates the second QoS flow according to the information about the second QoS flow, as shown in S605b in Figure 6, the SMF may also configure a forwarding rule on the UPF serving the UE, so that the UPF maps data packets transmitted by the UE over the second QoS flow onto the security processing protocol SA and can thus transmit them to the target security gateway, that is, binding the security processing protocol SA to the second QoS flow.
S605b: the SMF sends second forwarding rule configuration information to the UPF serving the UE.
The second forwarding rule configuration information instructs the UPF to map data packets received from the UE over the second QoS flow onto the security processing protocol SA, that is, to forward them to the target security gateway. In other words, the second forwarding rule configuration information instructs the UPF to generate a second forwarding rule, which the UPF uses to forward data packets received from the UE over the second QoS flow to the target security gateway.
In this way, the UE and the target security gateway can subsequently transmit the UE's uplink data packets through the security processing protocol SA.
Through this step, the mobile communication system can couple the security processing protocol SA with a QoS flow in the session, ensuring that the data flow of the security processing protocol SA is transmitted over the corresponding QoS flow and thus that the QoS requirements of the service are met.
It should also be noted that the messages exchanged in the embodiments of this application may also carry the session identifier of the UE's session.
In a possible design, the first security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identifier of a first processing entity in the UE that uses the security processing protocol SA, the authentication information of the UE, the security processing protocol SA encryption algorithms supported by the UE, a first data flow selection rule, or a third random number used to generate the security processing protocol SA key. The second security parameter includes at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identifier of a second processing entity in the target security gateway that uses the security processing protocol SA, the authentication information of the target security gateway, the security processing protocol SA encryption algorithms supported by the target security gateway, a second data flow selection rule, or a fourth random number used to generate the security processing protocol SA key.
The first processing entity is the processing entity in the UE that implements the security processing protocol SA, and the second processing entity is the processing entity in the target security gateway that implements the security processing protocol SA.
In addition, the first data flow selection rule includes a UE-side first data flow selection rule and a target-security-gateway-side first data flow selection rule; correspondingly, the second data flow selection rule also includes a UE-side second data flow selection rule and a target-security-gateway-side second data flow selection rule. The second data flow selection rule may be determined by the target security gateway based on the first data flow selection rule. For example, the target security gateway determines the UE-side second data flow selection rule from the UE-side first data flow selection rule, and determines the gateway-side second data flow selection rule from the gateway-side first data flow selection rule.
For example, in a scenario where tunnel mode is used to transmit data packets between the UE and the target security gateway, the uplink data packet transmission process is as follows:
After the UE generates an original IP data packet containing service data, it can, based on the first security parameter and the second security parameter, add an IPSec header in front of the security-protected IP data packet and then generate a new IP header placed in front of the IPSec header, as shown in b in Figure 5. The new IP header contains the source IP address (the UE's IP address) and the destination IP address (the target security gateway's IP address). The IPSec header may contain the SPI of the target security gateway and the security processing protocol information.
Once the core network has created the second QoS flow and the AMF has configured the UE after S604, the UE can maintain a mapping between the security processing protocol SA and the second QoS flow (or second QFI). This mapping may be implemented by identifying the security processing protocol SA through the SPI of the target security gateway, the IP address of the target security gateway and the security processing protocol information, and thereby determining the second QoS flow corresponding to that SA (that is, the mapping may contain the SPI of the target security gateway, the IP address of the target security gateway, the security processing protocol information, the second QFI and so on). Based on this mapping, the UE can map data packets transmitted through the security processing protocol SA onto the second QoS flow. Therefore, after the UE has applied security processing to the original IP data packet, it can use the information in the IPSec header of the security-processed packet (the SPI of the target security gateway and the security processing protocol information), the destination IP address in the new IP header (the IP address of the target security gateway) and the mapping to map the security-processed IP data packet onto the second QoS flow indicated by the second QFI for transmission.
After the UPF receives the security-processed IP data packet over the second QoS flow, it can transmit the packet to the target security gateway according to the destination IP address in the new IP header (the IP address of the target security gateway), the SPI of the target security gateway in the IPSec header, and the security processing protocol information (such as ESP or AH).
After receiving the security-processed IP data packet, the target security gateway can verify it, recover the original IP data packet, and continue to transmit the original IP data packet to the next node based on the destination IP address in the original IP header and the configured routing rules.
From the above description of the packet transmission process in tunnel mode, it can be seen that the UPF can transmit the security-processed IP data packet to the target security gateway based on the new IP header of the received packet. Therefore, in tunnel mode the SMF does not need to perform S605b, that is, it does not need to send the second forwarding rule configuration information to the UPF.
For another example, in a scenario where transport mode is used to transmit data packets between the UE and the target security gateway, the uplink data packet transmission process is as follows:
After the UE generates an original IP data packet containing service data, it applies security protection to the IP payload of the original packet and inserts the IPSec header generated from the first security parameter and the second security parameter between the security-protected IP payload and the original IP header, as shown in a in Figure 5. The original IP header contains the source IP address (the UE's IP address) and the destination IP address (the IP address of the service node, which is not the target security gateway). The IPSec header may contain the SPI of the target security gateway and the security processing protocol information.
Similarly to the UE in tunnel mode above, once the core network has created the second QoS flow and the AMF has configured the UE after S604, the UE can maintain a mapping between the security processing protocol SA and the second QoS flow. This mapping may be implemented by identifying the security processing protocol SA through the SPI of the target security gateway and the security processing protocol information, and thereby determining the second QoS flow corresponding to that SA (that is, the mapping may contain the SPI of the target security gateway, the security processing protocol information, the second QFI and so on). Based on this mapping, the UE can map data packets transmitted through the security processing protocol SA onto the second QoS flow. Therefore, after the UE has applied security processing to the original IP data packet, it can use the information in the IPSec header of the security-processed packet (the SPI of the target security gateway and the security processing protocol information) and the mapping to map the security-processed IP data packet onto the second QoS flow indicated by the second QFI for transmission.
Since the IP header of the security-processed IP data packet is the original IP header, the UPF cannot transmit the packet to the target security gateway based on that header. To allow the UPF to transmit the security-processed IP data packets from the UE to the target security gateway, the SMF can configure a forwarding rule on the UPF, that is, perform S605b. Optionally, after the SMF has completed the IPSec negotiation by passing the security parameters in S601-S604, it can establish an association between the first security parameter, the second security parameter and the second QFI; after the core network creates the second QoS flow, the SMF performs S605b and sends the second forwarding rule configuration information to the UPF. Optionally, the second forwarding rule configuration information may include the second QFI and the IP address of the target security gateway.
Based on the second forwarding rule configuration information, the UPF can establish a forwarding rule (second QFI, IP address of the target security gateway). In this way, when the UPF receives a security-processed IP data packet from the UE over the second QoS flow indicated by the second QFI, it can forward that packet to the target security gateway according to the rule.
After receiving the security-processed IP data packet, the target security gateway can verify it and recover the original IP data packet, and then continue to transmit the original IP data packet to the next node based on the destination IP address in the original IP header and the configured routing rules.
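The two UPF forwarding rules described above (the first rule of S605a binding the IKE SA to the first QoS flow, and the second rule of S605b binding the second QoS flow to the target security gateway in transport mode, with no rule needed in tunnel mode) can be modelled as a small rule engine. The following is an added example, not code from the patent; the IKE/ESP header layouts follow RFC 7296 and RFC 4303, and all addresses, SPIs, QFIs and ports are constructed sample values.

```python
"""Toy model of the UPF forwarding decisions in the S605a/S605b designs.
Added example; not part of the patent. Sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import struct

PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT = 500          # assumption: IKE signalling on UDP/500 (no NAT-T in this toy)


@dataclass(frozen=True)
class IkeRule:          # first forwarding rule (S605a): SPI pair + first QFI + gateway port
    spi_ue: int
    spi_gw: int
    qfi: int
    gw_ip: str
    gw_port: int


@dataclass(frozen=True)
class EspRule:          # second forwarding rule (S605b): second QFI -> gateway IP
    qfi: int
    gw_ip: str


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    payload: bytes                  # UDP payload (IKE) or ESP header + ciphertext
    udp_dport: int = 0
    qfi: Optional[int] = None       # QoS flow the packet arrived on (uplink), else None


def parse_ike_spis(payload: bytes) -> Tuple[int, int]:
    """IKEv2 header (RFC 7296) starts with an 8-byte initiator SPI and an 8-byte responder SPI."""
    if len(payload) < 16:
        raise ValueError("truncated IKE header")
    spi_i, spi_r = struct.unpack("!QQ", payload[:16])
    return spi_i, spi_r


def parse_esp_spi(payload: bytes) -> int:
    """ESP header (RFC 4303) starts with a 4-byte SPI followed by a 4-byte sequence number."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!I", payload[:4])[0]


def upf_forward(pkt: Packet, ike_rules: List[IkeRule], esp_rules: List[EspRule]) -> tuple:
    """Return ("to_ue", qfi) for a downlink packet mapped onto a QoS flow,
    ("to_gw", ip, port) for an uplink packet sent toward the gateway, or ("drop", reason)."""
    if pkt.qfi is None:
        # Downlink from the gateway: IKE signalling carrying the (SPI_UE, SPI_GW) pair is
        # mapped onto the first QoS flow, as the first forwarding rule prescribes.
        if pkt.proto == PROTO_UDP and pkt.udp_dport == IKE_PORT:
            spi_i, spi_r = parse_ike_spis(pkt.payload)
            for r in ike_rules:
                if (spi_i, spi_r) in ((r.spi_ue, r.spi_gw), (r.spi_gw, r.spi_ue)):
                    return ("to_ue", r.qfi)
        return ("drop", "no IKE rule for downlink packet")
    # Uplink from the UE on QoS flow pkt.qfi
    if pkt.proto == PROTO_UDP and pkt.udp_dport == IKE_PORT:
        for r in ike_rules:
            if r.qfi == pkt.qfi:            # IKE QoS flow -> gateway port
                return ("to_gw", r.gw_ip, r.gw_port)
        return ("drop", "IKE packet on a QoS flow without an IKE rule")
    if pkt.proto == PROTO_ESP:
        parse_esp_spi(pkt.payload)          # reject malformed ESP before forwarding
        for r in esp_rules:
            if r.qfi == pkt.qfi:            # transport mode: IP header names the service node
                return ("to_gw", r.gw_ip, None)
        # Tunnel mode: the new outer IP header already names the gateway, so no S605b rule
        return ("to_gw", pkt.dst_ip, None)
    return ("drop", "unsupported protocol")


def demo() -> Dict[str, tuple]:
    """Constructed scenario: one IKE rule on QFI 1, one ESP rule on QFI 5, four packets."""
    ike = [IkeRule(spi_ue=0x1111, spi_gw=0x2222, qfi=1, gw_ip="10.0.0.1", gw_port=500)]
    esp = [EspRule(qfi=5, gw_ip="10.0.0.1")]
    ike_hdr = struct.pack("!QQ", 0x1111, 0x2222) + b"\x00" * 12      # 28-byte IKEv2 header
    esp_hdr = struct.pack("!II", 0x3333, 1) + b"\xaa" * 16            # SPI_GW, seq, ciphertext
    down_ike = Packet("10.0.0.1", "192.0.2.10", PROTO_UDP, ike_hdr, udp_dport=IKE_PORT)
    up_ike = Packet("192.0.2.10", "10.0.0.1", PROTO_UDP, ike_hdr, udp_dport=IKE_PORT, qfi=1)
    up_transport = Packet("192.0.2.10", "198.51.100.7", PROTO_ESP, esp_hdr, qfi=5)
    up_tunnel = Packet("192.0.2.10", "10.0.0.1", PROTO_ESP, esp_hdr, qfi=6)
    return {
        "down_ike": upf_forward(down_ike, ike, esp),
        "up_ike": upf_forward(up_ike, ike, esp),
        "up_transport": upf_forward(up_transport, ike, esp),
        "up_tunnel": upf_forward(up_tunnel, ike, esp),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} -> {decision}")
```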
应注意,在本申请实施例中,建立UE的会话的流程,以及建立UE的会话中的QoS流的流程,均可以参考现有的流程,此处不再赘述。It should be noted that in this embodiment of the present application, the process of establishing a UE session and the process of establishing a QoS flow in the UE session can refer to the existing process, and will not be described again here.
综上所述,本申请实施例提供了一种通信方法。在该方法中,移动通信***的核心网 控制面网元可以通过与目标安全网关的交互,实现UE的安全参数和目标安全网关的安全参数的传递,从而完成IPSec协商。由于IPSec协商过程是通过核心网控制面完成的,且核心网的安全性较高,因此,该方法可以避免用户面传输安全参数导致安全参数泄露的风险,保证IPSec协商过程的安全性,进而保证后续通过建立的SA传输用户数据或信令的安全性。To sum up, the embodiment of the present application provides a communication method. In this method, the core network of the mobile communication system The control plane network element can realize the transfer of the security parameters of the UE and the security parameters of the target security gateway through interaction with the target security gateway, thereby completing IPSec negotiation. Since the IPSec negotiation process is completed through the core network control plane, and the core network has high security, this method can avoid the risk of security parameter leakage caused by the user plane transmission of security parameters, ensure the security of the IPSec negotiation process, and then ensure The security of subsequent transmission of user data or signaling through the established SA.
Based on the method provided by the embodiment shown in Figure 6, embodiments of this application further provide the following exemplary embodiments, which are described below with reference to Figures 7 to 9.
Embodiment A: As shown in Figure 7, the core network control plane network element establishes an IKE SA between the UE and the target security gateway (hereinafter referred to as the target gateway (GW)) through the session establishment procedure.
S701: The UE initiates the session establishment procedure and sends a session establishment request message to the AMF. The session establishment request message may include the session identifier of the session that the UE requests to establish (hereinafter referred to as the session identifier).
Optionally, the session establishment request message may also include an E2E encryption request, which indicates that the UE requests encryption of the data transmitted between the UE and the security gateway. The E2E encryption request in this embodiment corresponds to the first indication information in the embodiment shown in Figure 6.
Optionally, the session establishment request message may also carry some of the first security parameters of the UE used to establish the IKE SA (for example, non-sensitive parameters whose disclosure poses no risk). For example, as shown in Figure 7, the session establishment request may also carry at least one of the following: the SPI_UE used to identify the UE in the IPSec SA, the first random value N1_UE used to generate the IKE SA key, and the IKE SA encryption algorithm SA1_UE supported by the UE.
S702: After receiving the session establishment request message from the UE, the AMF (possibly triggered by the E2E encryption request) sends a KE query request message carrying the SUPI of the UE to the UDM/AUSF, in order to look up the key material KE_UE of the UE in the UE's subscription data.
It should be noted that when the session establishment message sent by the UE does not contain at least one of SPI_UE, N1_UE and SA1_UE, the AMF may obtain the missing information from the UE's information maintained locally, or obtain it from the UDM/AUSF in the same way as KE_UE; the specific procedure is not described again in this embodiment.
S703: The UDM/AUSF sends a KE query response message to the AMF. The KE query response message contains KE_UE.
Since KE_UE is key information used to generate the key and is therefore sensitive, if it were maintained on the UE side the UE would have to transmit it to the core network over the air interface during session establishment; this would carry a risk of disclosure and reduce the security of the IPSec negotiation procedure. Therefore, in this embodiment, KE_UE is maintained in the core network as subscription data of the UE, which avoids disclosure of this information and ensures the security of the IPSec negotiation procedure.
S704: The AMF sends a session establishment request message to the SMF. The session establishment request message contains the session identifier and the first security parameters of the UE (SPI_UE, KE_UE, N1_UE, SA1_UE). Optionally, the session establishment request message may also contain the E2E encryption request. The E2E encryption request indicates that the UE requests encryption of the data transmitted between the UE and the security gateway, that is, it instructs the SMF to initiate the IPSec negotiation procedure and establish the IKE SA.
S705: The SMF allocates a UPF for the UE and performs N4 configuration with the UPF to complete the user plane configuration of the session. In addition, during this process the SMF or the UPF may also allocate an IP address to the UE for the UE's session.
S706: The SMF selects the target GW from at least one security gateway associated with the UPF. Optionally, the SMF may select the target GW based on information such as the load and physical location of the at least one security gateway.
S707: The SMF sends an IKE SA establishment request message to the target GW. The IKE SA establishment request message contains the IP address of the UE and the first security parameters of the UE (SPI_UE, KE_UE, N1_UE, SA1_UE). Optionally, the IKE SA establishment request message may also contain the session identifier, the UPF ID and other information, where the session identifier is used by the target GW to bind the first security parameters in the IKE SA establishment request message to the UE's session, and the UPF ID is used by the target GW to identify the UPF.
S708: The target GW sends an IKE SA establishment response message to the SMF. The IKE SA establishment response message contains the IP address of the target GW and the second security parameters of the target GW used to establish the IKE SA (namely the SPI_GW used to identify the target GW in the IPSec SA, the key material KE_GW of the target GW, the second random value N1_GW used to generate the IKE SA key, and the IKE SA encryption algorithm SA1_GW supported by the target GW).
The IP address of the target GW is one that the target GW allocates to itself for this IKE SA.
S709: The SMF configures forwarding rules on the UPF so that the UPF maps the data packets transmitted over the IKE SA in this session (referred to as IKE data packets for short) onto the first QoS flow of the session, coupling the IKE SA to the first QoS flow. The first QoS flow may be the default QoS flow of the session. As shown in S709 in Figure 7, the SMF may send configuration information to the UPF, and the configuration information may include SPI_UE, SPI_GW, the first QFI identifying the first QoS flow, and the IKE port of the target GW, IKE port_GW. In this way, in the downlink direction the UPF can generate the corresponding forwarding rule from the configuration information and map data packets received from the target security gateway that contain SPI_UE and SPI_GW onto the first QoS flow for transmission to the UE. In the uplink direction, when the UPF receives a data packet from the UE over the first QoS flow, it can forward the data packet to the target security gateway via IKE port_GW.
S710: The SMF sends a session establishment response message to the AMF. The session establishment response message contains the session identifier and the second security parameters of the target GW (SPI_GW, KE_GW, N1_GW, SA1_GW). Optionally, the session establishment response message may also contain the IP address of the target GW.
S711: The AMF sends a session establishment response message to the UE. The session establishment response message contains the session identifier. Optionally, the session establishment response may also contain the second security parameters (SPI_GW, KE_GW, N1_GW, SA1_GW), the IP address of the target GW, or the first security parameters (SPI_UE, KE_UE, N1_UE, SA1_UE).
Optionally, after S710 the AMF may generate the IKE SA key from KE_UE, N1_UE, KE_GW and N1_GW and configure the IKE SA key on the UE, so that the UE can use the IKE SA key to protect the data packets transmitted over the IKE SA. After S707, the target GW may likewise generate the IKE SA key from KE_UE, N1_UE, KE_GW and N1_GW, so that it can subsequently use the IKE SA key to protect the data packets transmitted over the IKE SA.
As shown in Figure 7, the UE and the target GW can use the IKE SA key to protect the uplink and downlink data packets passing over this IKE SA. On this basis, when the UE or the target GW needs to establish an IPSec child SA, the UE and the target GW can transmit the signalling packets for establishing the IPSec child SA on the user plane based on the IKE SA; for the specific procedure, refer to the description of S303-S304 in Figure 3, which is not repeated here.
It should also be noted that, depending on the content of the session establishment request message in S701 and of the session establishment response message in S711, this embodiment can support the scenarios in which the IKE SA is fully proxied by the AMF, in which the IKE SA is proxied by the AMF and synchronised to the UE, and in which the AMF only proxies key generation for the UE.
Example 1: The session establishment request message in S701 does not contain the first security parameters, and the session establishment response message in S711 carries neither the first nor the second security parameters. This scenario can be regarded as the IKE SA being fully proxied by the AMF; no security parameters are stored on the UE side.
Example 2: The session establishment request message in S701 does not contain the first security parameters, and the session establishment response message in S711 contains the second and the first security parameters. This scenario can be regarded as the IKE SA being proxied by the AMF and synchronised to the UE.
Example 3: The session establishment request message in S701 contains the first security parameters, and the session establishment response message in S711 need not carry the first security parameters but carries the second security parameters. This scenario can be regarded as the AMF only performing the key material lookup and key generation.
For the procedure by which the communication system establishes a session, refer to the conventional session establishment procedure, which is not described again here.
In Embodiment A, through the session establishment procedure, the core network control plane network element can transfer the first security parameters of the UE and the second security parameters of the target GW, thereby completing the IPSec negotiation and configuring the IKE SA between the UE and the target GW for the session. The method provided by this embodiment couples the IKE SA establishment procedure into the session establishment procedure, which not only reduces the signalling overhead of the mobile communication system but also establishes the IKE SA through the core network control plane, avoiding the risk of security parameter disclosure caused by transmitting security parameters on the user plane and ensuring the security of the IPSec negotiation procedure.
Embodiment B: Referring to Figure 8, after the UE has established an IKE SA with the target GW (for example, by the method provided in Embodiment A), the UE initiates the uplink IPSec child SA establishment procedure. The core network control plane establishes the uplink IPSec child SA through the session modification procedure. The uplink IPSec child SA is the IPSec child SA from the UE to the target GW.
S801: The UE initiates the session modification procedure and sends a session modification request message to the AMF, requesting the establishment of a second QoS flow in the UE's session. The session modification request message contains the session identifier of the UE's session (hereinafter referred to as the session identifier) and the information of the second QoS flow that the UE requests to establish.
Optionally, the session modification request message may also contain SPI_UE and SPI_GW; it may further contain the identifier ID1_UE of the first processing entity in the UE that implements the IPSec child SA, the authentication information AUTH_UE of the UE, the IPSec child SA encryption algorithm SA2_UE supported by the UE, the third random number N2_UE used to generate the IPSec child SA key, the first traffic selection rule TS1_UE on the UE side, and the first traffic selection rule TS1_GW on the target GW side.
In this embodiment, SPI_UE, SPI_GW, ID1_UE, AUTH_UE, SA2_UE, N2_UE, TS1_UE and TS1_GW can be collectively referred to as the third security parameters of the UE used to establish the IPSec child SA. That is, the session modification request message may contain some or all of the third security parameters.
The information of the second QoS flow may include, but is not limited to, the QoS requirements (QoS parameters), the identifier of the second QoS flow (the second QFI), the packet filter detection rules of the second QoS flow, and so on.
S802: The AMF sends a session modification request message to the SMF. The session modification request message contains the session identifier, the information of the second QoS flow, and the third security parameters (SPI_UE, SPI_GW, ID1_UE, AUTH_UE, SA2_UE, N2_UE, TS1_UE, TS1_GW).
Optionally, when the session modification request message in S801 does not contain the third security parameters, or contains only some of them, the AMF may, before performing S802, obtain the third security parameters, or the remaining part of them, from the UE's information maintained locally.
S803: Based on the received session modification request message, the SMF decides to establish the second QoS flow in the UE's session, and obtains the PCC rule for the second QoS flow from the PCF based on the information of the second QoS flow.
The SMF can then create the second QoS flow according to the PCC rule; for the specific procedure, refer to the existing QoS flow establishment procedure, which is not described again here.
S804: The SMF sends an IPSec child SA establishment request message to the target GW. The IPSec child SA establishment request message contains the third security parameters (SPI_UE, SPI_GW, ID1_UE, AUTH_UE, SA2_UE, N2_UE, TS1_UE, TS1_GW).
S805: The target GW sends an IPSec child SA establishment response message to the SMF. The IPSec child SA establishment response message contains the fourth security parameters of the target GW used to establish the IPSec child SA. The fourth security parameters contain SPI_UE, SPI_GW, the identifier ID1_GW of the second processing entity in the target GW that implements the IPSec child SA, the authentication information AUTH_GW of the target GW, the IPSec child SA encryption algorithm SA2_GW supported by the target GW, the fourth random number N2_GW used to generate the IPSec child SA key, the second traffic selection rule TS2_UE on the UE side, and the second traffic selection rule TS2_GW on the target GW side.
Optionally, TS2_UE may be determined by the target GW based on TS1_UE, and TS2_GW may be determined by the target GW based on TS1_GW.
S806: Optionally, the SMF configures forwarding rules on the UPF so that the UPF maps the data packets transmitted over this IPSec child SA in the session onto the second QoS flow of the session.
In one implementation, from the description of the uplink packet transmission procedure in tunnel mode in the embodiment shown in Figure 6, it can be seen that when tunnel mode is used between the UE and the target GW, the UPF can forward a received security-processed IP packet to the target GW based on the destination IP address in its new IP header (the IP address of the target GW); therefore, the SMF does not need to perform S806.
In another implementation, from the description of the uplink packet transmission procedure in transport mode in the embodiment shown in Figure 6, it can be seen that when transport mode is used between the UE and the target GW, the SMF can send forwarding rule configuration information to the UPF that contains the second QFI indicating the second QoS flow and the IP address of the target GW. In this way, the UPF can forward the data packets from the second QoS flow to the target GW. Through this step, the UPF can forward the data packets received from the UE over the second QoS flow to the target GW, binding the uplink IPSec child SA to the second QoS flow.
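How a UPF would apply the forwarding rules of S709 (IKE packets coupled to the first QoS flow) and S806 (second QoS flow bound to the target GW in transport mode) can be seen in the following model. It is an illustration added for this page, not code from the patent or from any 3GPP implementation; it goes slightly beyond the text by running one classifier in both the tunnel-mode case (S806 skipped) and the transport-mode case (S806 performed), so the reason S806 is only needed in transport mode is visible. The packet layout, rule format, IP addresses, SPIs, QFIs and the IKE port number are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass
class Packet:
    """Fields of a user-plane packet the UPF classifier looks at (assumed layout)."""
    src_ip: str
    dst_ip: str
    spi_i: Optional[int] = None    # initiator SPI in the IKE header (SPI_UE)
    spi_r: Optional[int] = None    # responder SPI in the IKE header (SPI_GW)
    qfi: Optional[int] = None      # QoS flow an uplink packet arrived on
    esp: bool = False              # True for child SA (ESP) packets, False for IKE packets


@dataclass
class UpfConfig:
    """Configuration the SMF pushes to the UPF in S709, plus S806 when performed."""
    spi_ue: int
    spi_gw: int
    first_qfi: int                     # QoS flow coupled to the IKE SA
    ike_port_gw: int                   # IKE port_GW of the target GW
    gw_ip: str                         # IP address the target GW allocated for this IKE SA
    second_qfi: Optional[int] = None   # set only when S806 is performed (transport mode)


class Upf:
    """Minimal model of the UPF forwarding decisions for one PDU session."""

    def __init__(self, cfg: UpfConfig) -> None:
        self.cfg = cfg

    def downlink_qfi(self, pkt: Packet) -> Optional[int]:
        """S709 downlink rule: an IKE packet from the target GW carrying the SPI pair
        (SPI_UE, SPI_GW) is mapped onto the first QoS flow. None when the rule does not apply."""
        c = self.cfg
        if pkt.src_ip == c.gw_ip and not pkt.esp and pkt.spi_i == c.spi_ue and pkt.spi_r == c.spi_gw:
            return c.first_qfi
        return None

    def uplink_next_hop(self, pkt: Packet) -> Optional[Tuple[str, Optional[int]]]:
        """Uplink decision as (next hop IP, destination port):
        - first QoS flow (S709): IKE packets go to the GW's IKE port;
        - second QoS flow with S806 configured (transport mode): ESP packets go to the GW
          even though their own destination address is the remote peer;
        - tunnel mode: no rule needed, the outer IP header already names the GW.
        None means no rule matched and the UPF has nowhere to send the packet."""
        c = self.cfg
        if pkt.qfi == c.first_qfi:
            return (c.gw_ip, c.ike_port_gw)
        if c.second_qfi is not None and pkt.qfi == c.second_qfi:
            return (c.gw_ip, None)
        if pkt.esp and pkt.dst_ip == c.gw_ip:
            return (pkt.dst_ip, None)
        return None


# Constructed sample configuration and addresses (not values from the patent).
TUNNEL_CFG = UpfConfig(spi_ue=0x1111, spi_gw=0x2222, first_qfi=1,
                       ike_port_gw=500, gw_ip="198.51.100.10")
TRANSPORT_CFG = replace(TUNNEL_CFG, second_qfi=2)   # S806 performed for QFI 2
UE_IP, PEER_IP = "10.0.0.5", "203.0.113.7"


def demo() -> dict:
    """Run the classifier over constructed packets; returns each decision by name."""
    tunnel, transport = Upf(TUNNEL_CFG), Upf(TRANSPORT_CFG)
    ike_dl = Packet(src_ip=TUNNEL_CFG.gw_ip, dst_ip=UE_IP, spi_i=0x1111, spi_r=0x2222)
    wrong_spi = replace(ike_dl, spi_i=0x9999)                                  # not this session's SPI pair
    ike_ul = Packet(src_ip=UE_IP, dst_ip=TUNNEL_CFG.gw_ip, qfi=1)
    esp_tunnel = Packet(src_ip=UE_IP, dst_ip=TUNNEL_CFG.gw_ip, qfi=2, esp=True)  # outer header -> GW
    esp_transport = Packet(src_ip=UE_IP, dst_ip=PEER_IP, qfi=2, esp=True)        # header -> peer
    return {
        "ike_downlink_qfi": tunnel.downlink_qfi(ike_dl),
        "wrong_spi_downlink_qfi": tunnel.downlink_qfi(wrong_spi),
        "ike_uplink": tunnel.uplink_next_hop(ike_ul),
        "esp_tunnel_mode": tunnel.uplink_next_hop(esp_tunnel),
        "esp_transport_with_s806": transport.uplink_next_hop(esp_transport),
        "esp_transport_without_s806": tunnel.uplink_next_hop(esp_transport),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} -> {decision}")
```

The last two entries make the point of the two implementations above: with the tunnel-mode packet the UPF can route on the outer destination address alone, whereas the transport-mode packet is addressed to the remote peer and reaches the target GW only because the S806 rule for the second QFI overrides the next hop.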
S807: The SMF sends a session modification response message to the AMF. The session modification response message may contain the fourth security parameters (SPI_UE, SPI_GW, ID1_GW, AUTH_GW, SA2_GW, N2_GW, TS2_UE, TS2_GW). Optionally, the session modification response message may also contain the session identifier and the second QFI.
S808: The AMF sends a session modification response message to the UE. The session modification response message contains the session identifier and the second QFI, and may also contain SPI_UE and SPI_GW. Optionally, the session modification response message may also contain some or all of the fourth security parameters, for example at least one of ID1_GW, AUTH_GW, SA2_GW, N2_GW, TS2_UE and TS2_GW. Optionally, the session modification response message may also contain some or all of the third security parameters, for example at least one of ID1_UE, AUTH_UE, SA2_UE and N2_UE.
Optionally, after S807 the AMF may generate the IPSec child SA key from KE_UE, N2_UE, KE_GW and N2_GW and configure the IPSec child SA key on the UE, so that the UE can use the IPSec child SA key to protect the data packets transmitted over the IPSec child SA. After S804, the target GW may likewise generate the IPSec child SA key from KE_UE, N2_UE, KE_GW and N2_GW, so that it can subsequently use the IPSec child SA key to protect the data packets transmitted over the IPSec child SA.
As shown in Figure 8, the UE and the target GW can use the IPSec child SA key to protect the uplink data packets passing over this IPSec child SA.
It should also be noted that, depending on whether the session modification request message in S801 contains the third security parameters, this embodiment can be divided into the scenario in which the AMF maintains the IPSec child SA on behalf of the UE and the scenario in which the UE itself decides on the establishment of the IPSec child SA.
Example 1: When the session modification request message in S801 does not contain the third security parameters, this scenario can be regarded as the AMF maintaining the IPSec child SA on behalf of the UE.
Example 2: When the session modification request message in S801 contains the third security parameters, this scenario can be regarded as the UE itself deciding on the establishment of the IPSec child SA.
In Embodiment B, through the session modification procedure, the core network control plane network element can transfer the third security parameters of the UE and the fourth security parameters of the target GW, thereby completing the IPSec negotiation. The method provided by this embodiment couples the uplink IPSec child SA establishment procedure into the session modification procedure and binds the uplink IPSec child SA to the second QoS flow established by the session modification procedure, so that the UPF can map the data packets transmitted over the second QoS flow onto the uplink IPSec child SA and forward them to the target GW. Because this method couples the uplink IPSec child SA establishment procedure into the session modification procedure, it not only reduces the signalling overhead of mobile communication but also establishes the uplink IPSec child SA through the core network control plane, avoiding the risk of security parameter disclosure caused by transmitting security parameters on the user plane and ensuring the security of the IPSec negotiation procedure.
Embodiment C: Referring to Figure 9, after the UE has established an IKE SA with the target GW (for example, by the method provided in Embodiment A), the SMF may initiate the uplink IPSec child SA establishment procedure. The core network control plane establishes the uplink IPSec child SA through the session modification procedure. The uplink IPSec child SA is the IPSec child SA from the UE to the target GW.
It should be noted that for the information of the second QoS flow, the third security parameters and the fourth security parameters involved in this embodiment, refer to the description in Embodiment B; they are not described further here.
The SMF may decide to establish the second QoS flow in, but not limited to, the following three ways, each corresponding to one of steps S900a-S900c.
S900a: The UE initiates the session modification procedure and sends a session modification request message to the SMF via the AMF, requesting the establishment of a second QoS flow in the UE's session. The session modification request message contains the session identifier of the UE's session (hereinafter referred to as the session identifier) and the information of the second QoS flow that the UE requests to establish.
S900b: When the policy information of the UE changes, the PCF sends a policy modification notification message to the SMF. The policy modification notification message contains the information of the second QoS flow that the PCF requests to establish in the UE's session.
S900c: When the subscription information of the UE changes, the UDM sends a subscription modification notification message to the SMF. The subscription modification notification message contains the information of the second QoS flow that the UDM requests to establish in the UE's session.
S901: After receiving the session modification request message, the policy modification notification message or the subscription modification notification message, the SMF decides to establish the second QoS flow in the UE's session. The SMF sends an IPSec child SA establishment request message to the AMF. The IPSec child SA establishment request message contains the session identifier and the information of the second QoS flow. Optionally, the IPSec child SA establishment request message may also contain SPI_UE and SPI_GW.
S902: Optionally, the AMF may forward the received IPSec child SA establishment request message to the UE.
S903: Optionally, the UE sends an IPSec child SA establishment response message to the AMF. The IPSec child SA establishment response message contains the session identifier and the information of the second QoS flow. Optionally, the IPSec child SA establishment response message may contain some or all of the third security parameters. For example, as shown in S903, the IPSec child SA establishment response message contains SPI_UE, SPI_GW, ID1_UE, AUTH_UE, SA2_UE, N2_UE, TS1_UE and TS1_GW.
S904: The AMF sends an IPSec child SA establishment response message to the SMF. The IPSec child SA establishment response message contains the session identifier, the information of the second QoS flow, and the third security parameters.
Optionally, when the AMF receives only some of the third security parameters in the IPSec child SA establishment response message of S903, the AMF may, before performing S904, obtain the remaining third security parameters from the UE's information maintained locally.
S905-S910 are the same as S803-S808 in Embodiment B; the specific procedures may be cross-referenced and are not described again here.
In Embodiment C, through the session modification procedure, the core network control plane network element can transfer the third security parameters of the UE and the fourth security parameters of the target GW, thereby completing the IPSec negotiation. The method provided by this embodiment couples the uplink IPSec child SA establishment procedure into the session modification procedure and binds the uplink IPSec child SA to the second QoS flow established by the session modification procedure, so that the UPF can map the data packets transmitted over the second QoS flow onto the uplink IPSec child SA and forward them to the target GW. Because this method couples the uplink IPSec child SA establishment procedure into the session modification procedure, it not only reduces the signalling overhead of mobile communication but also establishes the uplink IPSec child SA through the core network control plane, avoiding the risk of security parameter disclosure caused by transmitting security parameters on the user plane and ensuring the security of the IPSec negotiation procedure.
In order to ensure the security of the IPSec negotiation procedure in a scenario where the mobile communication system protects the user's service data with the IPSec protocol, embodiments of this application provide another communication method. This method can be applied to the communication system shown in Figure 1 or Figure 2. The method is described below with reference to the flowchart shown in Figure 10.
It should be noted that this embodiment establishes the security processing protocol SA through interaction among core network control plane network elements. Accordingly, an IKE SA has already been established between the UE and the target security gateway; the IKE SA may have been established by the user plane IPSec negotiation procedure of the prior art, or by the IPSec negotiation procedure provided in the embodiment shown in Figure 6 or Figure 7, which is not described again here. In short, the SMF already knows that an IKE SA has been established between the UE and the target security gateway.
In this embodiment, the SMF, the AMF, the target security gateway and the UPF are all network elements serving the UE; this is not repeated below.
S1001: The SMF sends a first message to the target security gateway, and the target security gateway receives the first message from the SMF. The first message requests the establishment of a security processing protocol SA between the UE and the target security gateway.
S1002: The target security gateway sends a second message to the SMF, and the SMF receives the second message from the target security gateway. The second message contains the first security parameters of the target security gateway, which are used to establish the security processing protocol SA; the second message is the response to the first message.
S1003: The SMF sends a third message to the AMF, and the AMF receives the third message from the SMF. The third message contains the first security parameters and requests the establishment of the security processing protocol SA.
S1004: The AMF sends a fourth message to the SMF, and the SMF receives the fourth message from the AMF. The fourth message contains the second security parameters of the UE, which are used to establish the security processing protocol SA; the fourth message is the response to the third message.
S1005: The SMF sends a fifth message to the target security gateway, and the target security gateway receives the fifth message from the SMF. The fifth message contains the second security parameters and requests the establishment of the security processing protocol SA.
Optionally, as shown in Figure 10, after receiving the second security parameters in S1004, the AMF may configure the UE according to the first and second security parameters to establish the security processing protocol SA between the UE and the target security gateway. Optionally, the AMF may send some or all of the first security parameters and/or some or all of the second security parameters to the UE. Optionally, the AMF may also generate a security processing protocol SA key from the first and second security parameters and then send the security processing protocol SA key to the UE. In this way, the UE can use the SA key to protect the data packets transmitted over the security processing protocol SA.
The target security gateway may also configure itself according to its own first security parameters and the second security parameters received in S1005, to establish the security processing protocol SA. Optionally, the target security gateway may also generate the security processing protocol SA key from the first and second security parameters. In this way, the target security gateway can use the security processing protocol SA key to protect the data packets transmitted over the security processing protocol SA. Because the AMF and the target security gateway generate the security processing protocol SA key from the same security parameters, the keys they generate are identical.
通过以上步骤,移动通信***的核心网控制面网元可以通过与目标安全网关的交互,实现UE的安全参数和目标安全网关的安全参数的传递,从而完成IPSec协商。由于IPSec协商过程是通过核心网控制面完成的,且核心网的安全性较高,因此,该方法可以避免用户面传输安全参数导致安全参数泄露的风险,保证IPSec协商过程的安全性,进而保证后续通过建立的SA传输用户数据或信令的安全性。Through the above steps, the core network control plane network element of the mobile communication system can realize the transfer of the security parameters of the UE and the security parameters of the target security gateway through interaction with the target security gateway, thereby completing IPSec negotiation. Since the IPSec negotiation process is completed through the core network control plane, and the core network has high security, this method can avoid the risk of security parameter leakage caused by the user plane transmission of security parameters, ensure the security of the IPSec negotiation process, and then ensure The security of subsequent transmission of user data or signaling through the established SA.
In one implementation, the control plane network elements in the embodiments of this application may carry out the above IPSec negotiation process through a session modification procedure.
In one possible design, the SMF may decide, in any of the following ways (without limitation), to establish a first QoS flow in the session of the UE and thereby trigger execution of S1001:
Way 1: The SMF receives a policy modification notification message from the PCF, where the policy modification notification message contains information about the first QoS flow that the PCF requests to establish in the session of the UE.
Way 2: The SMF receives a subscription modification notification message from the UDM, where the subscription modification notification message contains information about the first QoS flow that the UDM requests to establish in the session of the UE.
Way 3: The SMF receives a session modification request message from the AMF, where the session modification request message contains information about the first QoS flow that the UE requests to establish in the session of the UE.
In one possible design, the third message may be a first session modification command message, and the third message further contains the information about the first QoS flow. The fourth message may be a first session modification confirmation message, and the fourth message may further contain the information about the first QoS flow.
Optionally, after receiving the third message in S1003 and before sending the fourth message to the SMF in S1004, the AMF may further send a second session modification command message to the UE and receive a second session modification confirmation message from the UE. The second session modification command message and the second session modification confirmation message contain the information about the first QoS flow.
The second session modification command message may contain some or all of the first security parameter, and the second session modification confirmation message further contains some or all of the second security parameter. When the second session modification confirmation message contains only some of the second security parameter, the AMF may obtain the remaining part of the second security parameter from the locally stored information about the UE.
In one possible design, the first message may contain a third security parameter of the target security gateway determined by the SMF (for example, the data flow selection rule that the SMF determines for the target security gateway for this security management protocol SA). In this way, after receiving the first message, the target security gateway can determine the first security parameter based on the third security parameter.
In one possible design, the second session modification command message may further contain a fourth security parameter of the UE determined by the AMF (for example, the data flow selection rule that the AMF determines for the UE for this security management protocol SA). In this way, after receiving the second session modification command message, the UE can determine the second security parameter according to the fourth security parameter and feed it back to the AMF through the second session modification confirmation message.
In one possible design, the first security parameter contains at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identifier of a first processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithms supported by the target security gateway, a first data flow selection rule, or a first random number used to generate the security processing protocol SA key. The second security parameter contains at least one of the following: the SPI of the UE, the SPI of the target security gateway, the identifier of a second processing entity in the UE, the authentication information of the UE, the security processing protocol SA encryption algorithms supported by the UE, a second data flow selection rule, or a second random number used to generate the security processing protocol SA key.
In one possible design, after the SMF creates the first QoS flow according to the information about the first QoS flow, it may further configure a forwarding rule on the UPF serving the UE, so that the data packets transmitted between the UE and the target security gateway through the security processing protocol SA are mapped to the first QoS flow, as shown in S1006 in Figure 10; that is, the security processing protocol SA is bound to the first QoS flow.
S1006: The SMF sends first forwarding rule configuration information to the UPF serving the UE.
The first forwarding rule configuration information instructs the UPF to map the data packets transmitted by the target security gateway through the security processing protocol SA to the first QoS flow. In other words, the first forwarding rule configuration information instructs the UPF to generate a first forwarding rule, which maps the data packets that the target security gateway transmits to the UE through the security processing protocol SA to the first QoS flow.
In this way, the target security gateway can subsequently transmit downlink data packets of the UE through the security processing protocol SA, and the UPF can map these data packets to the first QoS flow in the session of the UE for transmission to the UE.
Through this step, the mobile communication system couples the security processing protocol SA with a QoS flow in the session, ensuring that the data flow in the security processing protocol SA is transmitted through the corresponding QoS flow and that the QoS requirements of the service are thereby met.
For example, in a scenario where tunnel mode is used to transmit data packets between the UE and the target security gateway, the downlink data packet transmission process is as follows:
After receiving an original IP data packet containing service data, the target security gateway may, based on the first security parameter and the second security parameter, add an IPSec header in front of the security-protected IP data packet, and then generate a new IP header placed in front of the IPSec header, as shown in (b) of Figure 5. The new IP header contains the source IP address (the IP address of the target security gateway) and the destination IP address (the IP address of the UE). The IPSec header may contain the SPI of the UE and the security processing protocol information.
The target security gateway may send the security-processed IP data packet to the UPF according to the destination IP address in the new IP header and the configured routing rules.
When the core network creates the second QoS flow, the SMF may send the first forwarding rule configuration information to the UPF through S1006 (which may contain, for example, the SPI of the UE, the IP address of the UE, the security processing protocol information, and the first QFI). In this way, the UPF can generate a forwarding rule (for example, the SPI of the UE, the security processing protocol information, the IP address of the UE, and the first QFI) based on the first forwarding rule configuration information. This forwarding rule implements the mapping between the security processing protocol SA and the first QoS flow: the UPF can identify the security processing protocol SA from the SPI of the UE, the security processing protocol SA and the IP address of the UE, and then determine the first QoS flow corresponding to that security processing protocol SA. Therefore, when the UPF receives the security-processed IP data packet from the target security gateway, it can map the security-processed IP data packet to the first QoS flow indicated by the first QFI for transmission, according to the information in the IPsec header of the security-processed IP data packet (the SPI of the UE and the security processing protocol information), the destination IP address in the new IP header (the IP address of the UE), and the forwarding rule.
After receiving the security-processed IP data packet, the UE can perform security verification on it and recover the original IP data packet.
As another example, in a scenario where transport mode is used to transmit data packets between the UE and the target security gateway, the downlink data packet transmission process is as follows:
After receiving an original IP data packet containing service data, the target security gateway protects the IP payload of the original IP data packet and inserts an IPSec header, generated based on the first security parameter and the second security parameter, between the protected IP payload and the original IP header, as shown in (a) of Figure 5. The original IP header contains the source IP address (the IP address of the service node, which is not the target security gateway) and the destination IP address (the IP address of the UE). The IPSec header may contain the SPI of the UE and the security processing protocol information.
The target security gateway may send the security-processed IP data packet to the UPF according to the destination IP address in the original IP header and the configured routing rules.
When the core network creates the second QoS flow, the SMF may send the first forwarding rule configuration information to the UPF through S1006 (which may contain, for example, the SPI of the UE, the security processing protocol information, the IP address of the UE, and the first QFI). In this way, the UPF can generate a forwarding rule based on the first forwarding rule configuration information; based on that forwarding rule, the UPF maps data packets whose IPSec header contains the SPI of the UE and the security processing protocol information, and whose IP header carries the IP address of the UE as destination address, to the first QoS flow indicated by the first QFI, thereby implementing the mapping between the security processing protocol SA and the first QoS flow. Therefore, when the UPF receives the security-processed IP data packet from the target security gateway, it can map it to the first QoS flow indicated by the first QFI for transmission, according to the information in the IPsec header of the security-processed IP data packet (the SPI of the UE and the security processing protocol SA), the destination IP address in the new IP header (the IP address of the UE), and the forwarding rule.
After receiving the security-processed IP data packet, the UE can perform security verification on it and recover the original IP data packet.
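The following is an added example, not code from the patent or its applicant, that models the UPF forwarding rule described for both the tunnel-mode and the transport-mode case above. It assumes that the "security processing protocol information" in the rule corresponds to the IP protocol number of the IPsec header (ESP 50 or AH 51), an assumption not stated on the page, and that the rule key is the triple the text names: the SPI of the UE, that protocol, and the destination IP address of the UE. All packets, addresses, SPIs and the QFI values are constructed for the example. The point it makes visible is that the UPF never needs to know whether the gateway used tunnel or transport mode: in both cases the packet it receives is an IP header whose destination is the UE followed by an IPsec header carrying the SPI, so one rule classifies both, while packets with an unknown SPI, another destination, or no IPsec header fall through to no QFI.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50  # IP protocol numbers of the two IPsec security processing protocols (assumed mapping)
AH = 51
UDP = 17


@dataclass(frozen=True)
class ForwardingRule:
    """One rule generated by the UPF from the SMF's forwarding rule configuration information."""
    spi_ue: int      # SPI of the UE, carried in the IPsec header of downlink packets
    protocol: int    # security processing protocol information, modelled here as ESP or AH
    ue_ip: str       # destination IP address of the UE
    qfi: int         # first QFI, the QoS flow the SA is bound to


class UpfForwarder:
    def __init__(self) -> None:
        self._rules: Dict[Tuple[int, int, str], int] = {}

    def configure(self, rule: ForwardingRule) -> None:
        # The three fields the text names identify the SA; the QFI is what they map to.
        self._rules[(rule.spi_ue, rule.protocol, rule.ue_ip)] = rule.qfi

    def classify(self, packet: bytes) -> Optional[int]:
        """Return the QFI for a downlink packet, or None when no configured SA matches."""
        if len(packet) < 20 or packet[0] >> 4 != 4:
            return None
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl:
            return None
        protocol = packet[9]
        dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
        if protocol == ESP:
            spi_off = ihl          # ESP header: SPI(4) | sequence(4) | payload
        elif protocol == AH:
            spi_off = ihl + 4      # AH header: next(1) | len(1) | reserved(2) | SPI(4) | sequence(4)
        else:
            return None            # not an IPsec-protected packet: not subject to these rules
        if len(packet) < spi_off + 4:
            return None
        spi = struct.unpack("!I", packet[spi_off:spi_off + 4])[0]
        return self._rules.get((spi, protocol, dst_ip))


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left zero; enough for classification)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def esp_header(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq)


def ah_header(spi: int, seq: int, next_header: int, icv: bytes) -> bytes:
    # payload length field counts 32-bit words minus 2 (RFC 4302 layout)
    return struct.pack("!BBHII", next_header, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv


def demo() -> Dict[str, Optional[int]]:
    """Tunnel-mode and transport-mode downlink packets hit the same rule; others do not."""
    upf = UpfForwarder()
    upf.configure(ForwardingRule(spi_ue=0x1000A001, protocol=ESP, ue_ip="10.45.0.2", qfi=5))
    upf.configure(ForwardingRule(spi_ue=0x1000A002, protocol=AH, ue_ip="10.45.0.2", qfi=6))
    protected = b"\x00" * 32   # stands in for the encrypted / integrity-protected payload
    gw_ip, service_ip, ue_ip = "192.0.2.10", "198.51.100.7", "10.45.0.2"
    # tunnel mode: new outer IP header (GW -> UE) in front of the IPsec header
    tunnel = build_ipv4(gw_ip, ue_ip, ESP, esp_header(0x1000A001, 1) + protected)
    # transport mode: original IP header (service node -> UE) kept, IPsec header inserted after it
    transport = build_ipv4(service_ip, ue_ip, ESP, esp_header(0x1000A001, 2) + protected)
    ah_pkt = build_ipv4(service_ip, ue_ip, AH, ah_header(0x1000A002, 1, UDP, b"\x00" * 12) + protected)
    unknown_spi = build_ipv4(gw_ip, ue_ip, ESP, esp_header(0x1000A0FF, 1) + protected)
    other_ue = build_ipv4(gw_ip, "10.45.0.3", ESP, esp_header(0x1000A001, 3) + protected)
    plain_udp = build_ipv4(service_ip, ue_ip, UDP, b"\x00" * 8)
    return {"tunnel": upf.classify(tunnel), "transport": upf.classify(transport),
            "ah": upf.classify(ah_pkt), "unknown_spi": upf.classify(unknown_spi),
            "other_ue": upf.classify(other_ue), "plain_udp": upf.classify(plain_udp),
            "runt": upf.classify(b"\x45\x00")}
```

Because the rule is keyed on the SPI and the UE address rather than on the encrypted inner packet, the UPF needs no SA key and no visibility into the payload; a packet from the gateway that does not carry a configured SPI simply does not enter the first QoS flow.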
It should also be noted that the messages exchanged in the embodiments of this application may further carry the session identifier of the session of the UE.
It should be noted that in the embodiments of this application, the procedure for establishing a QoS flow in the session of the UE may follow the existing procedure, which is not repeated here.
To sum up, the embodiments of this application provide a communication method. In this method, the core network control plane network elements of the mobile communication system can, by interacting with the target security gateway, deliver the security parameters of the UE and the security parameters of the target security gateway, thereby completing IPSec negotiation. Because the IPSec negotiation is completed through the core network control plane, whose security is relatively high, this method avoids the risk of security parameter leakage that arises when security parameters are transmitted over the user plane, ensures the security of the IPSec negotiation process, and in turn ensures the security of the user data or signaling subsequently transmitted through the established SA.
Based on the method provided by the embodiment shown in Figure 10, the embodiments of this application further provide an exemplary embodiment, described below with reference to Figure 11.
Embodiment D: Referring to Figure 11, after the UE establishes an IKE SA with the target GW (for example, through the method provided in Embodiment A), the SMF may initiate a downlink IPSec child SA establishment procedure. The core network control plane establishes the downlink IPSec child SA through a session modification procedure. The downlink IPSec child SA is the IPSec child SA from the target GW to the UE.
It should also be noted that the procedure for establishing the uplink IPSec child SA from the UE to the target GW may follow the description in the embodiments shown in Figure 6, Figure 8 or Figure 9 above, which is not repeated here.
The SMF may decide to establish the first QoS flow in any of the following three ways (without limitation), each corresponding to one of steps S1100a to S1100c.
S1100a: The UE initiates a session modification procedure and sends a session modification request message to the SMF through the AMF, requesting establishment of the first QoS flow in the session of the UE. The session modification request message contains the session identifier of the session of the UE (hereinafter simply the session identifier) and the information about the first QoS flow that the UE requests to establish.
S1100b: When the policy information of the UE changes, the PCF sends a policy modification notification message to the SMF. The policy modification notification message contains information about the first QoS flow that the PCF requests to establish in the session of the UE.
S1100c: When the subscription information of the UE changes, the UDM sends a subscription modification notification message to the SMF. The subscription modification notification message contains information about the first QoS flow that the UDM requests to establish in the session of the UE.
S1101: After receiving the session modification request message, the policy modification notification message or the subscription modification notification message, the SMF decides to establish the first QoS flow in the session of the UE. According to the information about the first QoS flow, the SMF obtains the PCC rule for the first QoS flow from the PCF.
In this way, the SMF can create the first QoS flow according to the PCC rule; the specific process may follow the existing QoS flow establishment procedure and is not repeated here.
S1102: The SMF initiates the procedure for configuring the downlink IPSec child SA for the first QoS flow. The SMF sends an IPSec child SA establishment request message to the target GW. The IPSec child SA establishment request message contains SPI_UE and SPI_GW, which identify the downlink IPSec child SA.
Optionally, the IPSec child SA establishment request message may further contain some security parameters of the target GW that the SMF determines for the downlink IPSec child SA. As shown in Figure 11, the IPSec child SA establishment request message may contain the UE-side data flow selection rule TS1′_UE and the target-GW-side data flow selection rule TS1′_GW determined by the SMF. In this way, the target GW can determine, based on the security parameters of the target GW contained in the IPSec child SA establishment request message, the first security parameter of the target GW used to establish the IPSec child SA.
S1103: The target GW sends an IPSec child SA establishment response message to the SMF. The IPSec child SA establishment response message contains the first security parameter determined by the target GW, including SPI_UE, SPI_GW, the identifier ID1_GW of the processing entity in the target GW that implements the IPSec child SA, the authentication information AUTH_GW of the target GW, the IPSec child SA encryption algorithms SA_GW supported by the target GW, the first random number N_GW used to generate the IPSec child SA, the UE-side first data flow selection rule TS1_UE, and the target-GW-side first data flow selection rule TS1_GW.
Optionally, TS1_UE may be determined by the target GW from TS1′_UE, and TS1_GW may be determined by the target GW from TS1′_GW.
S1104: The SMF sends a session modification command message to the AMF. The session modification command message contains the session identifier, the first QFI identifying the first QoS flow, and the first security parameter of the target GW (SPI_UE, SPI_GW, ID1_GW, AUTH_GW, SA_GW, N_GW, TS1_UE, TS1_GW).
S1105: The AMF sends a session modification command message to the UE. The session modification command message contains the session identifier, the first QFI, and some or all of the first security parameter (for example ID1_GW, AUTH_GW, SA_GW, N_GW, TS1_UE, TS1_GW).
Optionally, the session modification command message may further contain SPI_UE and SPI_GW.
Optionally, the session modification command message may further contain some security parameters of the UE that the AMF determines for the downlink IPSec child SA. As shown in Figure 11, the session modification command message may contain at least one of the following: the identifier ID_UE of the first processing entity in the UE that implements the IPSec child SA, the authentication information AUTH_UE of the UE, the IPSec child SA encryption algorithms SA_UE supported by the UE, and the second random number N_UE used to generate the IPSec child SA. In this way, the UE can determine, based on the security parameters of the UE contained in the session modification command message, the second security parameter used to establish the IPSec child SA.
S1106: The UE sends a session modification confirmation message to the AMF. The session modification confirmation message may contain the session identifier and the first QFI. Optionally, the session modification confirmation message may further contain some or all of the second security parameter. For example, it may contain SPI_UE and SPI_GW, and/or at least one of the following: the UE-side second data flow selection rule TS2_UE, the target-GW-side second data flow selection rule TS2_GW, ID_UE, AUTH_UE, SA_UE, N_UE.
S1107: The AMF sends a session modification confirmation message to the SMF. The session modification confirmation message contains the session identifier, the first QFI, and the second security parameter of the UE (SPI_UE, SPI_GW, ID_UE, AUTH_UE, SA_UE, N_UE, TS2_UE, TS2_GW).
S1108: The SMF sends an IPSec child SA establishment request message to the target GW. The IPSec child SA establishment request message contains the second security parameter of the UE (SPI_UE, SPI_GW, ID_UE, AUTH_UE, SA_UE, N_UE, TS2_UE, TS2_GW).
S1109: Optionally, the target GW may further send an IPSec child SA establishment response message to the SMF.
S1110: The SMF configures a forwarding rule on the UPF so that the UPF maps the data packets transmitted by the target GW through the IPSec child SA to the first QoS flow of the session for transmission to the UE.
From the description in the embodiment shown in Figure 10 of downlink data packet transmission in tunnel mode and transport mode, it can be seen that, whether tunnel mode or transport mode is used between the UE and the target GW, the SMF needs to send forwarding rule configuration information to the UPF; this configuration information may contain SPI_UE, the IP address of the UE, the security processing protocol information, and the first QFI indicating the first QoS flow. In this way, the UPF can generate the corresponding forwarding rule from the configuration information, and map the data packets received from the target GW whose IPSec header contains SPI_UE and the security processing protocol information, and whose IP header carries the IP address of the UE as destination address, to the first QoS flow for transmission to the UE.
Optionally, after S1107 the AMF may generate an IPSec child SA key from KE_UE, N_UE, KE_GW and N_GW, and configure the IPSec child SA key on the UE, so that the UE can protect the data packets transmitted through the IPSec child SA with that key. After S1108, the target GW may likewise generate the IPSec child SA key from KE_UE, N_UE, KE_GW and N_GW, so that it can subsequently protect the data packets transmitted through the IPSec child SA with that key. KE_UE and KE_GW are obtained during the establishment of the IKE SA between the UE and the target GW.
As shown in Figure 11, the UE and the target GW can protect the downlink data packets passing through the downlink IPSec child SA with the IPSec child SA key.
It should also be noted that, depending on whether S1105 and S1106 carry security parameters, this embodiment can be further divided into a scenario in which the AMF establishes the IPSec child SA on behalf of the UE and a scenario in which the UE handles the IPSec child SA itself.
For example, when the session modification command message in S1105 does not contain the security parameters configured by the AMF for the UE, and S1106 also does not contain the second security parameter of the UE, the scenario can be regarded as one in which the AMF establishes the IPSec child SA on behalf of the UE.
As another example, when the session modification command message in S1105 contains the security parameters configured by the AMF for the UE, and S1106 contains the second security parameter of the UE, the scenario can be regarded as one in which the UE handles the IPSec child SA itself.
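The following is an added example, not code from the patent or its applicant, that walks the S1105 to S1108 exchange of Embodiment D for both scenarios just described (AMF establishing the child SA on behalf of the UE, and the UE handling it itself) and then performs the child SA key generation of the preceding optional paragraph on the AMF side and on the target GW side. The parameter names (SPI_UE, SPI_GW, ID1_GW, AUTH_GW, SA_GW, N_GW, TS1_UE, TS1_GW, ID_UE, AUTH_UE, SA_UE, N_UE, TS2_UE, TS2_GW, KE_UE, KE_GW) are the page's; all values, the session identifier and the QFI are constructed. The key derivation is an assumed HMAC-SHA256 construction, not the page's or any standard's: the page only states that both sides compute the key from KE_UE, N_UE, KE_GW and N_GW, and that is the property the example checks. The AMF's fallback of completing missing parts of the second security parameter from locally stored UE information follows the page's description of the second session modification confirmation message.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class FirstSecurityParameter:   # of the target GW, returned in S1103
    spi_ue: int
    spi_gw: int
    id1_gw: str
    auth_gw: bytes
    sa_gw: str
    n_gw: bytes
    ts1_ue: str
    ts1_gw: str


@dataclass(frozen=True)
class SecondSecurityParameter:  # of the UE, carried in S1107 / S1108
    spi_ue: int
    spi_gw: int
    id_ue: str
    auth_ue: bytes
    sa_ue: str
    n_ue: bytes
    ts2_ue: str
    ts2_gw: str


GW_SUBSET = ("id1_gw", "auth_gw", "sa_gw", "n_gw", "ts1_ue", "ts1_gw")  # example subset sent in S1105
AMF_DETERMINED = ("id_ue", "auth_ue", "sa_ue", "n_ue")                  # UE parameters the AMF may choose


def derive_child_sa_key(ke_ue: bytes, n_ue: bytes, ke_gw: bytes, n_gw: bytes) -> bytes:
    """Assumed derivation (not the page's): HMAC-SHA256 extract over the IKE SA material KE_UE, KE_GW
    and the two nonces, then a single expand step. Both sides feed the same four inputs."""
    prk = hmac.new(ke_ue + ke_gw, n_ue + n_gw, hashlib.sha256).digest()
    return hmac.new(prk, b"ipsec child sa key\x01", hashlib.sha256).digest()


def s1105_command(session_id: str, qfi: int, first: FirstSecurityParameter,
                  amf_ue_info: Dict, ue_self_handles: bool) -> Dict:
    """AMF -> UE session modification command: session id, first QFI, a subset of the first security
    parameter, and the AMF-determined UE parameters only in the UE-self scenario."""
    msg = {"session_id": session_id, "qfi": qfi}
    msg.update({k: getattr(first, k) for k in GW_SUBSET})
    if ue_self_handles:
        msg.update({k: amf_ue_info[k] for k in AMF_DETERMINED})
    return msg


def s1106_confirm(command: Dict, ue_ts2: Tuple[str, str], ue_self_handles: bool) -> Dict:
    """UE -> AMF session modification confirmation. In the AMF-proxy scenario the UE returns no
    security parameter; in the UE-self scenario it returns the second security parameter it chose."""
    msg = {"session_id": command["session_id"], "qfi": command["qfi"]}
    if ue_self_handles:
        # The UE adopts the AMF-offered ID_UE / AUTH_UE / SA_UE / N_UE and adds its own selectors.
        msg.update({k: command[k] for k in AMF_DETERMINED})
        msg.update({"ts2_ue": ue_ts2[0], "ts2_gw": ue_ts2[1]})
    return msg


def s1107_second_parameter(confirm: Dict, amf_ue_info: Dict,
                           first: FirstSecurityParameter) -> SecondSecurityParameter:
    """AMF assembles the full second security parameter for S1107: whatever S1106 carried, with any
    missing part taken from the locally stored UE information."""
    merged = {**amf_ue_info, **{k: v for k, v in confirm.items() if k not in ("session_id", "qfi")}}
    return SecondSecurityParameter(first.spi_ue, first.spi_gw, merged["id_ue"], merged["auth_ue"],
                                   merged["sa_ue"], merged["n_ue"], merged["ts2_ue"], merged["ts2_gw"])


def run_embodiment_d(ue_self_handles: bool) -> Dict:
    """Runs S1105-S1108 for one scenario and returns what each side ended up with."""
    ke_ue, ke_gw = b"\x11" * 32, b"\x22" * 32          # constructed stand-ins for the IKE SA material
    first = FirstSecurityParameter(0x1000A001, 0x2000B001, "gw-ipsec-1", b"auth-gw", "AES-GCM-256",
                                   b"\x33" * 16, "10.45.0.2/32", "0.0.0.0/0")
    amf_ue_info = {"id_ue": "ue-ipsec-1", "auth_ue": b"auth-ue", "sa_ue": "AES-GCM-256",
                   "n_ue": b"\x44" * 16, "ts2_ue": "10.45.0.2/32", "ts2_gw": "0.0.0.0/0"}
    cmd = s1105_command("pdu-session-7", 5, first, amf_ue_info, ue_self_handles)                # S1105
    confirm = s1106_confirm(cmd, (amf_ue_info["ts2_ue"], amf_ue_info["ts2_gw"]), ue_self_handles)  # S1106
    second = s1107_second_parameter(confirm, amf_ue_info, first)                                # S1107
    amf_key = derive_child_sa_key(ke_ue, second.n_ue, ke_gw, first.n_gw)        # AMF, after S1107
    gw_key = derive_child_sa_key(ke_ue, second.n_ue, ke_gw, first.n_gw)         # target GW, after S1108
    return {"s1105_carries_ue_params": all(k in cmd for k in AMF_DETERMINED),
            "s1106_carries_second_param": "n_ue" in confirm,
            "second": second, "amf_key": amf_key, "gw_key": gw_key}
```

In both scenarios the second security parameter that reaches the target GW in S1108 is complete, and the two derived keys agree, because the only inputs the derivation consumes (KE_UE, KE_GW, N_UE, N_GW) are exactly those the control plane has delivered to both ends; what differs between the scenarios is only whether the UE or the AMF is the party that fixes ID_UE, AUTH_UE, SA_UE and N_UE.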
在实施例D中,通过会话修改流程,核心网控制面网元可以实现UE的第一安全参数和目标GW的第二安全参数的传递,从而完成IPSec协商。该实施例提供的方法可以将下行IPSec子SA建立流程耦合到会话修改流程中,并将该下行IPSec子SA与会话修改过程建立的第一QoS流绑定,以使目标GW通过该下行IPSec子SA传输的数据包均可以映射到该第一QoS流上从而传输至UE。由于该方法可以在会话修改流程中耦合下行IPSec子SA的建立流程,不仅可以降低移动通信的信令开销,还可以通过核心网控制面建立下行IPSec子SA,避免用户面传输安全参数导致安全参数泄露的风险,保证IPSec协商过程的安全性。In Embodiment D, through the session modification process, the core network control plane network element can realize the transfer of the first security parameter of the UE and the second security parameter of the target GW, thereby completing the IPSec negotiation. The method provided by this embodiment can couple the downlink IPSec sub-SA establishment process to the session modification process, and bind the downlink IPSec sub-SA to the first QoS flow established in the session modification process, so that the target GW can pass the downlink IPSec sub-SA. All data packets transmitted by the SA can be mapped to the first QoS stream and then transmitted to the UE. Since this method can couple the downlink IPSec sub-SA establishment process in the session modification process, it can not only reduce the signaling overhead of mobile communications, but also establish the downlink IPSec sub-SA through the core network control plane to avoid user plane transmission of security parameters causing security parameters. Risk of leakage to ensure the security of the IPSec negotiation process.
In a scenario where the UE's service data is protected with IPSec, embodiments of this application further provide a communication method that guarantees the QoS requirements of that service data. The method applies to the communication system shown in Figure 1 or Figure 2 and is described below with reference to the flow chart in Figure 12.
Note that the method of this embodiment is executed once an IKE SA and a security management protocol SA have been established between the UE and the target security gateway. Optionally, the IKE SA may be established by the prior-art procedure or as described in the embodiment of Figure 6 or Figure 7. Optionally, when the UE or the target security gateway needs to establish the security management protocol SA, the UE and the target GW may exchange the signalling packets for establishing it over the already established IKE SA; for the specific procedure, refer to S303-S304 in Figure 3, which is not repeated here.
It should also be noted that in this embodiment the SMF and the UPF are both network elements serving the UE; this is not elaborated further below.
S1201: The SMF receives a first message. The first message contains information about a first QoS flow that needs to be established in the UE's session.
Optionally, the information about the first QoS flow may include, but is not limited to, the QoS requirements (QoS parameters), the identifier of the first QoS flow (the first QFI), and the packet filter detection rules of the first QoS flow.
Optionally, the SMF may perform S1201 in, but not limited to, the following ways:
Way 1: The SMF receives a policy modification notification message (the first message) from the PCF; the notification contains the information about the first QoS flow that the PCF requests to establish in the UE's session.
Way 2: The SMF receives a subscription modification notification message (the first message) from the UDM; the notification contains the information about the first QoS flow that the UDM requests to establish in the UE's session.
Way 3: The SMF receives a session modification request message (the first message) from the AMF; the request contains the information about the first QoS flow that the UE requests to establish in the UE's session.
S1202: The SMF creates the first QoS flow according to the information about the first QoS flow.
Optionally, the SMF obtains the PCC rule of the first QoS flow from the PCF based on that information and creates the first QoS flow according to the PCC rule; the specific procedure follows the existing QoS flow establishment procedure and is not repeated here.
S1203: The SMF obtains the security parameters of the security processing protocol SA established between the UE and the target security gateway.
Optionally, the SMF may obtain the security parameters in, but not limited to, the following ways:
Way 1: The SMF takes the security parameters from the first message. For example, when the first message is a session modification request message sent by the UE to the SMF via the AMF, that message may carry the security parameters.
Way 2: The SMF obtains the security parameters from at least one of the UE, the AMF and the target security gateway. For example, the SMF sends a request message to the UE, the AMF or the target security gateway to request the security parameters, and then receives the security parameters from the UE, the AMF or the target security gateway.
Optionally, the security parameters may include, but are not limited to, at least one of: SPI_UE; SPI_GW; ID_UE, the identifier of the processing entity in the UE that implements the security processing protocol SA; the identifier of the processing entity in the target security gateway that implements that SA; TS_UE, the data flow selection rule (traffic selector) on the UE side; and TS_GW, the data flow selection rule on the target GW side. For the content of the security parameters, refer to the description in the embodiments above; it is not repeated here.
S1204: The SMF sends first forwarding rule configuration information to the UPF.
The first forwarding rule configuration information instructs the UPF to forward packets received from the UE over the first QoS flow to the target security gateway, and/or to map packets sent by the target security gateway over the security processing protocol SA onto the first QoS flow. In other words, the first forwarding rule configuration information instructs the UPF to generate a first forwarding rule, which the UPF uses to forward packets received from the UE over the first QoS flow to the target security gateway and/or to map the packets exchanged with the target security gateway over the security processing protocol SA onto the first QoS flow.
In this way, the UE and the target security gateway can subsequently carry the UE's service data packets over the security processing protocol SA within the first QoS flow of the user plane.
Optionally, in the embodiments of this application, when the security management protocol SA established between the UE and the target security gateway is an uplink IPSec child SA, the first forwarding rule configuration information is as described in S605b of the embodiment of Figure 6 or S806 of the embodiment of Figure 8; when it is a downlink IPSec child SA, the first forwarding rule configuration information is as described in S1006 of the embodiment of Figure 10 or S1110 of the embodiment of Figure 11. It is not repeated here.
With this method, the mobile communication system couples the security processing protocol SA with a QoS flow in the session, ensuring that the data flow carried over the security processing protocol SA is transmitted on the corresponding QoS flow and thereby meeting the QoS requirements of the service.
Based on the method of the embodiment shown in Figure 12, the embodiments of this application further provide an exemplary embodiment, described below with reference to Figure 13.
Embodiment E: This embodiment is executed after the UE and the target GW have established an IKE SA (for example, by the method of Embodiment A). The UE and the target GW can therefore carry out the IPSec negotiation over the user plane through the established IKE SA, exchanging the security parameters used to establish the IPSec child SA.
Optionally, the UE and the target GW may exchange the security parameters for an uplink IPSec child SA through S1301a-S1301b, to establish the uplink IPSec child SA:
S1301a: The UE sends its first security parameter to the target GW over the user plane through the IKE SA; the first security parameter is used to establish the uplink IPSec child SA.
S1301b: The target GW sends its second security parameter to the UE over the user plane through the IKE SA; the second security parameter is used to establish the uplink IPSec child SA.
Optionally, the UE and the target GW may also exchange the security parameters for a downlink IPSec child SA through S1302a-S1302b, to establish the downlink IPSec child SA:
S1302a: The target GW sends its third security parameter to the UE over the user plane through the IKE SA; the third security parameter is used to establish the downlink IPSec child SA.
S1302b: The UE sends its fourth security parameter to the target GW over the user plane through the IKE SA; the fourth security parameter is used to establish the downlink IPSec child SA.
S1303: After the UE and the target GW have established an IPSec child SA (uplink or downlink), the UE may send a session modification request message to the SMF via the AMF. The message contains the session identifier of the UE's session, the information about the first QoS flow that the UE requests to establish, and the security parameters of that IPSec child SA.
For example, the security parameters may include, but are not limited to, at least one of: SPI_UE; SPI_GW; ID_UE, the identifier of the processing entity in the UE that implements the IPSec child SA; the identifier of the processing entity in the target GW that implements the IPSec child SA; TS_UE, the data flow selection rule on the UE side; and TS_GW, the data flow selection rule on the target GW side.
S1304: The SMF obtains the PCC rule of the first QoS flow from the PCF based on the first QoS flow information in the session modification request message and creates the first QoS flow according to that rule; the specific procedure follows the existing QoS flow establishment procedure and is not repeated here.
S1305: The SMF configures a forwarding rule on the UPF so that the UPF maps the packets carried over this IPSec child SA in the UE's session onto the first QoS flow of that session.
The forwarding rule configuration information that the SMF sends to the UPF in S1305 is as described in S1204 of the embodiment of Figure 12 and is not repeated here.
The UPF then generates the corresponding forwarding rule from this configuration information, so that it can map packets received from the UE over the first QoS flow onto the uplink IPSec child SA for forwarding to the target GW, and/or map packets received from the target GW over the downlink IPSec child SA onto the first QoS flow for forwarding to the UE.
S1306: The SMF sends a session modification response message to the UE via the AMF.
With Embodiment E, once the UE and the target GW have negotiated the IPSec child SA, the core network control plane network element binds that child SA to the established first QoS flow, so that the UE and the target security gateway can carry the UE's service data packets over the IPSec child SA within the first QoS flow of the user plane.
As the embodiments above show, because an IPSec child SA is unidirectional, both an uplink IPSec child SA and a downlink IPSec child SA can be established for the same QoS flow in the UE's session. For the IPSec child SAs of the two directions within that QoS flow, the SMF can configure corresponding forwarding rules on the UPF so that the packets carried by the child SAs of both directions are mapped onto the QoS flow. In addition, from the descriptions above of packet transmission in tunnel mode and transport mode, the following can be concluded:
In the tunnel mode scenario, the SMF does not configure a forwarding rule on the UPF for the uplink IPSec child SA of the QoS flow, but it does need to configure one for the downlink IPSec child SA of the QoS flow; the configuration information of that rule may contain the UE's SPI, the UE's IP address, the security processing protocol information, and the QFI of the QoS flow.
In the transport mode scenario, the SMF needs to configure a first forwarding rule on the UPF for the uplink IPSec child SA of the QoS flow, whose configuration information contains the QFI of the QoS flow and the IP address of the target security gateway; the SMF also needs to configure a second forwarding rule for the downlink IPSec child SA of the QoS flow, whose configuration information may contain the UE's SPI, the UE's IP address, the security processing protocol information, and the QFI of the QoS flow (the same as the rule the SMF configures on the UPF for the downlink IPSec child SA in the tunnel mode scenario).
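The two rule sets just described, and the UPF-side matching that S1204 and S1305 rely on, as an added example; this is not code from the patent or from the applicant. It assumes the "security processing protocol information" is the IP protocol number of ESP (50), that the downlink rule matches the SPI the UE allocated for the GW-to-UE child SA (the SPI of a unidirectional SA is chosen by its receiver), and that the UPF identifies the downlink SA by the cleartext (destination address, protocol, SPI) triple. Addresses, SPI, QFI and the ESP packets are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ESP_PROTOCOL = 50   # assumed "security processing protocol information": IP protocol number of ESP


@dataclass(frozen=True)
class DownlinkRule:
    """Rule for the downlink child SA (GW -> UE); configured in both tunnel and transport mode.
    The SPI carried by a downlink ESP packet is the one the UE allocated (its SPI)."""
    ue_ip: str
    protocol: int
    spi: int
    qfi: int


@dataclass(frozen=True)
class UplinkRule:
    """Rule for the uplink child SA (UE -> GW); the text configures it in transport mode only."""
    qfi: int
    gw_ip: str


def build_forwarding_rules(mode: str, ue_ip: str, gw_ip: str, spi_ue: int, qfi: int) -> dict:
    """What the SMF hands to the UPF for one QoS flow, following the two scenarios above."""
    if mode not in ("tunnel", "transport"):
        raise ValueError("mode must be 'tunnel' or 'transport'")
    rules = {"downlink": DownlinkRule(ue_ip, ESP_PROTOCOL, spi_ue, qfi)}
    if mode == "transport":
        rules["uplink"] = UplinkRule(qfi, gw_ip)
    return rules


def parse_ipv4(packet: bytes) -> dict:
    """Minimal IPv4 (+ ESP) header parse: protocol, addresses and, for ESP, the SPI."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    info = {
        "protocol": packet[9],
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "spi": None,
    }
    if info["protocol"] == ESP_PROTOCOL and len(packet) >= ihl + 8:
        info["spi"], _seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return info


def classify_downlink(rule: DownlinkRule, packet: bytes) -> Optional[int]:
    """UPF, N6 side: QFI to place a packet from the GW on, or None if it is not this SA."""
    p = parse_ipv4(packet)
    if p["protocol"] == rule.protocol and p["dst"] == rule.ue_ip and p["spi"] == rule.spi:
        return rule.qfi
    return None


def route_uplink(rule: Optional[UplinkRule], qfi: int, packet: bytes) -> str:
    """UPF, N3 side: next hop for a packet received from the UE on the given QFI.
    Without an uplink rule (tunnel mode) the outer destination address is used as is."""
    if rule is not None and qfi == rule.qfi:
        return rule.gw_ip
    return parse_ipv4(packet)["dst"]


def make_esp_packet(src: str, dst: str, spi: int, seq: int = 1,
                    payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed IPv4/ESP packet for testing (header checksum left zero, dummy payload)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64,
                         ESP_PROTOCOL, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + struct.pack("!II", spi, seq) + payload


# Constructed identifiers (not from the patent).
UE_IP, GW_IP, SPI_UE, QFI = "10.0.0.7", "192.0.2.10", 0x1A2B3C4D, 5

if __name__ == "__main__":
    rules = build_forwarding_rules("transport", UE_IP, GW_IP, SPI_UE, QFI)
    downlink = make_esp_packet(GW_IP, UE_IP, SPI_UE)
    print("downlink packet -> QFI", classify_downlink(rules["downlink"], downlink))
    uplink = make_esp_packet(UE_IP, GW_IP, 0x99999999)
    print("uplink packet on QFI", QFI, "-> next hop", route_uplink(rules.get("uplink"), QFI, uplink))
```

The downlink match uses only header fields that ESP leaves in the clear, so the UPF binds traffic to a QoS flow without being able to verify the packet; integrity and replay protection remain the job of the SA endpoints (the UE and the GW), and a packet with a wrong SPI or destination simply falls through to the session's ordinary handling.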
It should be noted that the embodiments of Figures 6 to 13 may be implemented individually or in combination with one another; this application does not limit this. Note also that in the communication system, for the same QoS flow, the QFI that identifies the flow in the uplink direction and the QFI that identifies it in the downlink direction may be the same or different. Therefore, when an uplink IPSec child SA and a downlink IPSec child SA are established for the same QoS flow, the QFIs identifying that flow in the two directions may be the same or different.
For example, when the communication system establishes the uplink IPSec child SA for the uplink direction of a QoS flow by the method of the embodiment of Figure 8 or Figure 9, and establishes the downlink IPSec child SA for the downlink direction of that flow by the method of the embodiment of Figure 11, the QFI identifying the flow in the uplink direction and the QFI identifying it in the downlink direction may be the same or different.
It should be noted that each step in the embodiments above may be executed by the corresponding device, or by a component within that device such as a chip, a processor or a chip system; the embodiments of this application do not limit this, and the description uses execution by the corresponding device only as an example. In addition, in the embodiments above, each of the first message, the second message, the third message and so on may be one or more messages; this application does not limit this either.
Furthermore, the security parameters in the embodiments above are the same as the security parameters of conventional IPSec negotiation, so the role or function of each security parameter in this application can be understood from the corresponding conventional security parameter and is not detailed here.
It should be noted that, in the embodiments above, steps may be added, only some of the steps may be selected, or the order of the illustrated steps may be adjusted; this application does not limit this. Adding steps, executing only part of the illustrated steps, adjusting the order of steps, or combining them in a specific implementation all fall within the scope of protection of this application.
To implement the functions of the embodiments above, each device involved includes the hardware structures and/or software modules corresponding to the functions it performs. Those skilled in the art will readily appreciate that the units and method steps of the examples described with the embodiments disclosed in this application can be implemented in hardware or in a combination of hardware and computer software. Whether a given function is executed by hardware or by computer software driving hardware depends on the specific application scenario and design constraints of the technical solution.
The network architectures and application scenarios described in the embodiments of this application serve to illustrate the technical solutions of the embodiments more clearly and do not limit them; those of ordinary skill in the art will recognize that, as network architectures evolve and new services emerge, the technical solutions provided by the embodiments apply equally to similar technical problems.
Note that a "step" in the embodiments of this application is only illustrative, a presentation device adopted for easier understanding of the embodiments; it does not substantively limit the execution of the solution, and a "step" may also be understood as a "feature". Nor does a step constrain the execution order of the solution: any reordering, merging or splitting of steps made on this basis that does not affect the implementation of the overall solution yields a technical solution that is also within the scope disclosed in this application. This convention applies to every "step" in this application; it is stated once here and is not repeated where the term appears again.
Based on the same technical concept, this application also provides a communication apparatus, which is applied in the communication system shown in Figure 1 or Figure 2 and is used to implement the communication methods of the embodiments above. As shown in Figure 14, the communication apparatus 1400 includes a communication unit 1401 and a processing unit 1402.
The communication unit 1401 is used to receive and send data. Optionally, the communication unit 1401 may include a communication interface, through which the communication apparatus 1400 communicates with other network devices in the communication system.
In one implementation, the communication apparatus 1400 may be applied to the SMF of the embodiments shown in Figures 6 to 9. The processing unit 1402 is configured to perform the following steps through the communication unit 1401:
receive a first message from the AMF, where the first message contains a first security parameter of the UE, used to establish a security association (SA) between the UE and a security gateway;
send a second message to a target security gateway, where the second message contains the first security parameter and requests establishment of a target SA between the UE and the target security gateway;
receive a third message from the target security gateway, where the third message is the response to the second message and contains a second security parameter of the target security gateway, used to establish the target SA;
send a fourth message to the AMF, where the fourth message contains the second security parameter.
Optionally, the target SA is an Internet Key Exchange (IKE) SA.
Optionally, the first message is a first session establishment request message and the fourth message is a first session establishment response message.
Optionally, the first message further contains first indication information, which indicates that the UE requests data encryption.
Optionally, the processing unit 1402 is further configured to allocate the target security gateway to the UE before sending the second message to the target security gateway through the communication unit 1401.
Optionally, when allocating the target security gateway to the UE, the processing unit 1402 is specifically configured to:
allocate a UPF to the UE; and
select the target security gateway from at least one security gateway associated with that UPF.
Optionally, the second message further contains the identifier of the UPF.
Optionally, the second message further contains the Internet Protocol (IP) address of the UE, and the third message further contains the IP address of the target security gateway;
the fourth message contains the IP address of the target security gateway.
Optionally, the processing unit 1402 is further configured to:
after receiving the third message from the security gateway through the communication unit 1401, send first forwarding rule configuration information to the UPF through the communication unit 1401;
where the first forwarding rule configuration information instructs the UPF to map the packets exchanged between the UE and the target security gateway over the IKE SA onto a first quality of service flow in the UE's session. Optionally, the first quality of service flow may be the default quality of service flow of the UE's session.
Optionally, the first security parameter contains at least one of: the security parameter index (SPI) of the UE, the key material of the UE, the IKE SA encryption algorithms supported by the UE, or a first random number used to generate the IKE SA key;
the second security parameter contains at least one of: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithms supported by the target security gateway, or a second random number used to generate the IKE SA key.
Optionally, the target SA is a security processing protocol SA.
Optionally, the first message is a first session modification request message, the fourth message is a first session modification response message, and the first message further contains information about a second quality of service flow that the UE requests to establish.
Optionally, the processing unit 1402 is further configured to:
before receiving the first message from the AMF through the communication unit 1401, send a fifth message to the AMF through the communication unit 1401, the fifth message requesting the first security parameter;
the first message is the response to the fifth message.
Optionally, before sending the fifth message to the AMF through the communication unit 1401, the processing unit 1402 may perform the following steps through the communication unit 1401:
receive a policy modification notification message from the PCF, which contains information about the second quality of service flow that the PCF requests to establish in the UE's session; or
receive a subscription modification notification message from the UDM, which contains information about the second quality of service flow that the UDM requests to establish in the UE's session; or
receive a first session modification request message from the AMF, which contains information about the second quality of service flow that the UE requests to establish in the UE's session.
Optionally, the processing unit 1402 is further configured to:
after receiving the third message from the target security gateway through the communication unit 1401, create the second quality of service flow according to the information about the second quality of service flow; and
send second forwarding rule configuration information to the UPF through the communication unit 1401;
where the second forwarding rule configuration information instructs the UPF to forward packets received from the UE over the second QoS flow to the target security gateway.
Optionally, the first security parameter contains at least one of: the SPI of the UE, the SPI of the target security gateway, the identifier of a first processing entity in the UE, the authentication information of the UE, the first security processing protocol SA encryption algorithms supported by the UE, a first data flow selection rule, or a third random number used to generate the first security processing protocol SA key;
the second security parameter contains at least one of: the SPI of the UE, the SPI of the target security gateway, the identifier of a second processing entity in the target security gateway, the authentication information of the target security gateway, the first security processing protocol SA encryption algorithms supported by the target security gateway, a second data flow selection rule, or a fourth random number used to generate the first security processing protocol SA key.
Optionally, the first message further contains the session identifier of the UE's session, and the fourth message contains that session identifier.
In one implementation, the communication apparatus 1400 may be applied to the AMF in the embodiments shown in Figures 6 to 9. The processing unit 1402 is configured to perform the following steps through the communication unit 1401:
send a first message to the SMF, where the first message includes a first security parameter of the UE, and the first security parameter is used to establish a security association SA between the UE and a security gateway; and
receive a fourth message from the SMF, where the fourth message includes a second security parameter of a target security gateway, and the second security parameter is used to establish a target SA between the UE and the target security gateway.
Optionally, the target SA is an Internet key exchange IKE SA.
Optionally, the first message is a first session establishment request message, and the fourth message is a first session establishment response message;
the processing unit 1402 is further configured to:
before sending the first message to the SMF through the communication unit 1401, receive a second session establishment request message from the UE through the communication unit 1401; and
after receiving the fourth message from the SMF through the communication unit 1401, send a second session establishment response message to the UE through the communication unit 1401.
Optionally, the second session establishment request message includes the first security parameter; or
the second session establishment request includes a first parameter part of the first security parameter, and the processing unit 1402 is further configured to: before sending the first message to the SMF through the communication unit 1401, obtain a second parameter part of the first security parameter from the unified data management network element or the authentication server function network element according to the identifier of the UE, where the first parameter part and the second parameter part together form the first security parameter; or
the processing unit 1402 is further configured to: before sending the first message to the SMF through the communication unit 1401, determine the first security parameter.
Optionally, the second session establishment response message includes part or all of the first security parameter; and/or the second session establishment response message includes part or all of the second security parameter.
Optionally, the first message includes first indication information, and the second session establishment request message includes the first indication information, where the first indication information is used to indicate that the UE requests data encryption.
Optionally, the fourth message includes the Internet protocol IP address of the target security gateway.
Optionally, the first security parameter includes at least one of: a security parameter index SPI of the UE, key material of the UE, an IKE SA encryption algorithm supported by the UE, or a first random number used to generate an IKE SA key;
the second security parameter includes at least one of: the SPI of the target security gateway, key material of the target security gateway, an IKE SA encryption algorithm supported by the target security gateway, or a second random number used to generate the IKE SA key.
Optionally, the target SA is a security processing protocol SA.
Optionally, the first message is a first session modification request message, and the fourth message is a first session modification response message;
the processing unit 1402 is further configured to:
before sending the first message to the SMF through the communication unit 1401, receive a second session modification request message from the UE through the communication unit 1401; and
after receiving the fourth message from the SMF through the communication unit 1401, send a second session modification response message to the UE through the communication unit 1401;
where the first session modification request message and the second session modification request include information on a second quality of service flow that the UE requests to establish.
Optionally, the second session modification request message includes the first security parameter; or
the second session modification request includes a first parameter part of the first security parameter, and the processing unit 1402 is further configured to: before sending the first message to the SMF through the communication unit 1401, obtain a stored second parameter part of the first security parameter, where the first parameter part and the second parameter part together form the first security parameter; or
the processing unit 1402 is further configured to: before sending the first message to the SMF through the communication unit 1401, obtain the stored first security parameter.
Optionally, the processing unit 1402 is further configured to:
receive a fifth message from the SMF through the communication unit 1401, where the fifth message is used to request the first security parameter;
the first message is a response message to the fifth message;
the fourth message is a first session modification response message;
the processing unit 1402 is further configured to:
after receiving the fourth message from the SMF through the communication unit 1401, send a second session modification response message to the UE through the communication unit 1401.
Optionally, the second session modification response message includes part or all of the first security parameter; and/or
the second session modification response message includes part or all of the second security parameter.
Optionally, the first security parameter includes at least one of: the SPI of the UE, the SPI of the target security gateway, an identifier of a first processing entity in the UE, authentication information of the UE, a security processing protocol SA encryption algorithm supported by the UE, a first data flow selection rule, or a third random number used to generate a security processing protocol SA key;
the second security parameter includes at least one of: the SPI of the UE, the SPI of the target security gateway, an identifier of a second processing entity in the target security gateway, authentication information of the target security gateway, a security processing protocol SA encryption algorithm supported by the target security gateway, a second data flow selection rule, or a fourth random number used to generate the security processing protocol SA key.
Optionally, the first message further includes a session identifier of the session of the UE, and the fourth message includes the session identifier.
Optionally, the processing unit 1402 is further configured to:
after receiving the fourth message from the SMF through the communication unit 1401, generate an SA key according to the first security parameter and the second security parameter; and
send the SA key to the UE through the communication unit 1401.
In one implementation, the communication apparatus 1400 may be applied to the target security gateway in the embodiments shown in Figures 6 to 9. The processing unit 1402 is configured to perform the following steps through the communication unit 1401:
receive a second message from the SMF, where the second message includes a first security parameter of the UE, the first security parameter is used to establish a target security association SA between the UE and the target security gateway, and the second message is used to request establishment of the target SA; and
send a third message to the SMF, where the third message includes a second security parameter of the target security gateway, the second security parameter is used to establish the target SA, and the third message is a response message to the second message.
Optionally, the target SA is an Internet key exchange IKE SA.
Optionally, the processing unit 1402 is further configured to: before sending the third message to the SMF through the communication unit 1401, allocate an Internet protocol IP address to the target security gateway for the target SA;
the third message further includes the IP address of the target security gateway;
the second message further includes the IP address of the UE.
Optionally, the first security parameter includes at least one of: a security parameter index SPI of the UE, key material of the UE, an IKE SA encryption algorithm supported by the UE, or a first random number used to generate an IKE SA key;
the second security parameter includes at least one of: the SPI of the target security gateway, key material of the target security gateway, an IKE SA encryption algorithm supported by the target security gateway, or a second random number used to generate the IKE SA key.
Optionally, the target SA is a security processing protocol SA.
Optionally, the first security parameter includes at least one of: the SPI of the UE, the SPI of the target security gateway, an identifier of a first processing entity in the UE, authentication information of the UE, a security processing protocol SA encryption algorithm supported by the UE, a first data flow selection rule, or a third random number used to generate a security processing protocol SA key;
the second security parameter includes at least one of: the SPI of the UE, the SPI of the target security gateway, an identifier of a second processing entity in the target security gateway, authentication information of the target security gateway, a security processing protocol SA encryption algorithm supported by the target security gateway, a second data flow selection rule, or a fourth random number used to generate the security processing protocol SA key.
Optionally, the processing unit 1402 is further configured to:
after receiving the second message from the SMF through the communication unit 1401, generate an SA key according to the first security parameter and the second security parameter.
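The message flow of the Figures 6 to 9 embodiment, with the AMF, SMF and target security gateway roles described above, modelled end to end as an added example. This is illustrative code written for this page, not code from the patent or its applicant. It assumes things the text leaves open: message bodies are plain dictionaries; the "key material" is a pre-shared secret held by the AMF and the gateway; the SA key is derived with HKDF-SHA256 over that secret, the first and second random numbers and both SPIs; and the gateway picks the first encryption algorithm common to both supported-algorithm lists, rejecting the request when there is none.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_sa_key(shared_secret: bytes, first: dict, second: dict) -> bytes:
    """SA key from the first (UE) and second (gateway) security parameters.
    The concrete derivation is an assumption of this example; the patent text only
    states that the key is generated from both parameters."""
    salt = first["nonce"] + second["nonce"]                 # first and second random numbers
    info = b"sa-key|" + first["spi"] + second["spi"] + second["alg"].encode()
    return hkdf_sha256(shared_secret, salt, info)


class TargetSecurityGateway:
    def __init__(self, shared_secret: bytes, supported_algs: list, ip: str):
        self.secret, self.supported_algs, self.ip = shared_secret, supported_algs, ip
        self.sa_key = None

    def handle_second_message(self, msg: dict) -> dict:
        """Second message (from SMF) in, third message (to SMF) out."""
        first = msg["first_security_parameter"]
        common = [a for a in first["supported_algs"] if a in self.supported_algs]
        if not common:
            raise ValueError("no IKE SA encryption algorithm common to UE and gateway")
        second = {"spi": secrets.token_bytes(4), "nonce": secrets.token_bytes(32), "alg": common[0]}
        self.sa_key = derive_sa_key(self.secret, first, second)   # gateway side of the key
        return {"type": "third_message", "session_id": msg["session_id"],
                "second_security_parameter": second, "gateway_ip": self.ip}


class SMF:
    def __init__(self, gateway: TargetSecurityGateway):
        self.gateway = gateway

    def handle_first_message(self, msg: dict) -> dict:
        """First message (from AMF) in, second message to gateway, fourth message (to AMF) out."""
        second_msg = {"type": "second_message", "session_id": msg["session_id"],
                      "first_security_parameter": msg["first_security_parameter"],
                      "ue_ip": msg["ue_ip"]}
        third = self.gateway.handle_second_message(second_msg)
        return {"type": "fourth_message", "session_id": third["session_id"],
                "second_security_parameter": third["second_security_parameter"],
                "gateway_ip": third["gateway_ip"]}


class AMF:
    def __init__(self, smf: SMF, shared_secret: bytes):
        self.smf, self.secret = smf, shared_secret

    def handle_session_establishment_request(self, req: dict) -> dict:
        """Second session establishment request (from UE) in, second session establishment response out."""
        resp = {"type": "second_session_establishment_response", "session_id": req["session_id"]}
        if not req.get("request_data_encryption"):   # first indication information absent: no SA set up
            return resp
        first = {"spi": secrets.token_bytes(4), "nonce": secrets.token_bytes(32),
                 "supported_algs": req["supported_algs"]}
        fourth = self.smf.handle_first_message({"type": "first_message", "session_id": req["session_id"],
                                                "ue_ip": req["ue_ip"], "first_security_parameter": first})
        resp["sa_key"] = derive_sa_key(self.secret, first, fourth["second_security_parameter"])
        resp["second_security_parameter"] = fourth["second_security_parameter"]
        resp["gateway_ip"] = fourth["gateway_ip"]
        return resp


def run_flow(ue_algs: list, gw_algs: list, request_encryption: bool = True,
             shared_secret: bytes = b"constructed-shared-secret"):
    """Drive one session establishment; returns (response to UE, gateway) for inspection."""
    gw = TargetSecurityGateway(shared_secret, gw_algs, "192.0.2.10")   # constructed address
    amf = AMF(SMF(gw), shared_secret)
    req = {"session_id": 7, "ue_ip": "10.0.0.5", "supported_algs": ue_algs,
           "request_data_encryption": request_encryption}
    return amf.handle_session_establishment_request(req), gw
```

Both ends end up with the same SA key without the key itself ever crossing the SMF: only the SPIs, random numbers and chosen algorithm travel in the second, third and fourth messages. Binding the chosen algorithm into the derivation means a mismatch in what each side believes was negotiated yields different keys rather than a silently weaker SA.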
In one implementation, the communication apparatus 1400 may be applied to the SMF in the embodiment shown in Figure 10 or Figure 11. The processing unit 1402 is configured to perform the following steps through the communication unit 1401:
send a first message to a target security gateway, where the first message is used to request establishment of a security processing protocol security association SA between a UE and the target security gateway;
receive a second message from the target security gateway, where the second message includes a first security parameter of the target security gateway, the first security parameter is used to establish the security processing protocol SA, and the second message is a response message to the first message;
send a third message to the AMF, where the third message includes the first security parameter, and the third message is used to request establishment of the security processing protocol SA;
receive a fourth message from the AMF, where the fourth message includes a second security parameter of the UE, the second security parameter is used to establish the security processing protocol SA, and the fourth message is a response message to the third message; and
send a fifth message to the target security gateway, where the fifth message includes the second security parameter of the UE, and the fifth message is used to request establishment of the security processing protocol SA.
Optionally, the processing unit 1402 is further configured to:
before sending the first message to the target security gateway through the communication unit 1401, further perform the following steps through the communication unit 1401:
receive a policy modification notification message from the policy control function network element, where the policy modification notification message includes information on a first quality of service flow that the policy control function network element requests to establish in the session of the UE; or
receive a subscription modification notification message from the unified data management network element, where the subscription modification notification message includes information on the first quality of service flow that the unified data management network element requests to establish in the session of the UE; or
receive a session modification request message from the AMF, where the session modification request message includes information on the first quality of service flow that the UE requests to establish in the session of the UE.
Optionally, the third message is a first session modification command message, and the third message further includes the information on the first quality of service flow;
the fourth message is a first session modification confirmation message, and the fourth message further includes the information on the first quality of service flow.
Optionally, the processing unit 1402 is further configured to:
create the first quality of service flow according to the information on the first quality of service flow; and
send first forwarding rule configuration information to the UPF through the communication unit 1401;
where the first forwarding rule configuration information is used to instruct the UPF to map data packets transmitted by the target security gateway through the security processing protocol SA onto the first quality of service flow.
Optionally, the first security parameter includes at least one of: the SPI of the UE, the SPI of the target security gateway, an identifier of a first processing entity in the target security gateway, authentication information of the target security gateway, a security processing protocol SA encryption algorithm supported by the target security gateway, a first data flow selection rule, or a first random number used to generate a security processing protocol SA key;
the second security parameter includes at least one of: the SPI of the UE, the SPI of the target security gateway, an identifier of a second processing entity in the UE, authentication information of the UE, a security processing protocol SA encryption algorithm supported by the UE, a second data flow selection rule, or a second random number used to generate the security processing protocol SA key.
Optionally, the first message includes a third security parameter of the target security gateway, and the first security parameter is determined based on the third security parameter.
In one implementation, the communication apparatus 1400 may be applied to the AMF in the embodiment shown in Figure 10 or Figure 11. The processing unit 1402 is configured to perform the following steps through the communication unit 1401:
receive a third message from the SMF, where the third message includes a first security parameter of a target security gateway, the first security parameter is used to establish a security processing protocol security association SA between a UE and the target security gateway, and the third message is used to request establishment of the security processing protocol SA; and
send a fourth message to the SMF, where the fourth message includes a second security parameter of the UE, the second security parameter is used to establish the security processing protocol SA, and the fourth message is a response message to the third message.
Optionally, the third message is a first session modification command message, and the third message further includes information on a first quality of service flow that needs to be established in the session of the UE;
the fourth message is a first session modification confirmation message, and the fourth message further includes the information on the first quality of service flow.
Optionally, the processing unit 1402 is further configured to:
before receiving the third message from the SMF through the communication unit 1401, send a session modification request message to the SMF through the communication unit 1401, where the session modification request message includes the information on the first quality of service flow that the UE requests to establish in the session of the UE.
Optionally, the processing unit 1402 is further configured to:
before sending the fourth message to the SMF through the communication unit 1401, send a second session modification command message to the UE through the communication unit 1401, where the second session modification command includes the information on the first quality of service flow; and
receive a second session modification confirmation message from the UE through the communication unit 1401, where the second session modification confirmation message includes the information on the first quality of service flow.
Optionally, the second session modification command message further includes part or all of the first security parameter;
the second session modification confirmation message further includes part or all of the second security parameter.
Optionally, the second session modification command message further includes a fourth security parameter of the UE, and the second security parameter is determined based on the fourth security parameter.
Optionally, the first security parameter includes at least one of: the SPI of the UE, the SPI of the target security gateway, an identifier of a first processing entity in the target security gateway, authentication information of the target security gateway, a security processing protocol SA encryption algorithm supported by the target security gateway, a first data flow selection rule, or a first random number used to generate a security processing protocol SA key;
the second security parameter includes at least one of: the SPI of the UE, the SPI of the target security gateway, an identifier of a second processing entity in the UE, authentication information of the UE, a security processing protocol SA encryption algorithm supported by the UE, a second data flow selection rule, or a second random number used to generate the security processing protocol SA key.
Optionally, the processing unit 1402 is further configured to:
generate a security processing protocol SA key according to the first security parameter and the second security parameter; and
send the security processing protocol SA key to the UE through the communication unit 1401.
In one implementation, the communication apparatus 1400 may be applied to the target security gateway in the embodiment shown in Figure 10 or Figure 11. The processing unit 1402 is configured to perform the following steps through the communication unit 1401:
receive a first message from the SMF, where the first message is used to request establishment of a security processing protocol SA between a UE and the target security gateway;
send a second message to the SMF, where the second message includes a first security parameter of the target security gateway, the first security parameter is used to establish the security processing protocol SA, and the second message is a response message to the first message; and
receive a fifth message from the SMF, where the fifth message includes a second security parameter of the UE, the second security parameter is used to establish the security processing protocol SA, and the fifth message is used to request establishment of the security processing protocol SA.
Optionally, the first message includes a third security parameter of the target security gateway, and the processing unit 1402 is further configured to:
before sending the second message to the SMF through the communication unit 1401, determine the first security parameter according to the third security parameter.
Optionally, the first security parameter includes at least one of: the SPI of the UE, the SPI of the target security gateway, an identifier of a first processing entity in the target security gateway, authentication information of the target security gateway, a first security processing protocol SA encryption algorithm supported by the target security gateway, a first data flow selection rule, or a first random number used to generate a first security processing protocol SA key;
the second security parameter includes at least one of: the SPI of the UE, the SPI of the target security gateway, an identifier of a second processing entity in the UE, authentication information of the UE, a first security processing protocol SA encryption algorithm supported by the UE, a second data flow selection rule, or a second random number used to generate the first security processing protocol SA key.
Optionally, the processing unit 1402 is further configured to:
after receiving the fifth message from the SMF through the communication unit 1401, generate a security processing protocol SA key according to the first security parameter and the second security parameter.
In one implementation, the communication apparatus 1400 may be applied to the SMF in the embodiment shown in Figure 12 or Figure 13. The processing unit 1402 is configured to perform the following steps through the communication unit 1401:
receive a first message, where the first message includes information on a first quality of service flow that needs to be established in a session of a UE;
create the first quality of service flow according to the information on the first quality of service flow;
obtain a security parameter of a security processing protocol SA established between the UE and a target security gateway; and
send first forwarding rule configuration information to the UPF, where the first forwarding rule configuration information is used to instruct the UPF to forward data packets from the UE that are received through the first quality of service flow to the target security gateway, and/or to instruct the UPF to map data packets transmitted by the target security gateway through the security processing protocol SA onto the first quality of service flow.
Optionally, when receiving the first message through the communication unit 1401, the processing unit 1402 is specifically configured to:
receive a policy modification notification message from a policy control function network element, where the policy modification notification message includes information on the first quality of service flow that the policy control function network element requests to establish in the session of the UE; or
receive a subscription modification notification message from a unified data management network element, where the subscription modification notification message includes information on the first quality of service flow that the unified data management network element requests to establish in the session of the UE; or
receive a session modification request message from the AMF, where the session modification request message includes information on the first quality of service flow that the UE requests to establish in the session of the UE.
Optionally, when obtaining the security parameter of the security processing protocol SA established between the UE and the target security gateway, the processing unit 1402 is specifically configured to:
obtain the security parameter from the first message; or
obtain the security parameter from at least one of: the UE, the AMF, or the target security gateway.
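The two forwarding rules the SMF configures on the UPF in the Figure 12 or 13 embodiment (uplink: packets received on the first QoS flow go to the target security gateway; downlink: SA-protected packets from the gateway are mapped onto that QoS flow), as an added example that is not code from the patent or its applicant. It assumes a simplified packet model and that the downlink match key is the gateway's source address together with the SPI of the SA in the gateway-to-UE direction; the rule builder refuses to configure the UPF when the obtained SA security parameter lacks those fields.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    qfi: Optional[int] = None   # QoS flow the packet arrived on (uplink from the UE)
    spi: Optional[int] = None   # SPI carried by an SA-protected packet (downlink from the gateway)


@dataclass(frozen=True)
class ForwardingRuleConfig:
    """'First forwarding rule configuration information' as modelled in this example."""
    ue_ip: str
    qfi: int
    gateway_ip: str
    downlink_spi: int   # SPI of the SA in the gateway-to-UE direction (assumption of this example)


def build_forwarding_rule(qos_flow_info: dict, sa_params: dict) -> ForwardingRuleConfig:
    """SMF side: combine the created QoS flow with the obtained SA security parameter.
    Without a complete SA parameter the UPF must not be configured, otherwise
    unprotected traffic could be mapped onto the flow."""
    for key in ("gateway_ip", "downlink_spi"):
        if key not in sa_params:
            raise ValueError("SA security parameter incomplete: missing %s" % key)
    return ForwardingRuleConfig(ue_ip=qos_flow_info["ue_ip"], qfi=qos_flow_info["qfi"],
                                gateway_ip=sa_params["gateway_ip"],
                                downlink_spi=sa_params["downlink_spi"])


class UPF:
    """Minimal user-plane function holding the two rule tables."""

    def __init__(self):
        self.uplink = {}    # (ue_ip, qfi) -> gateway_ip
        self.downlink = {}  # (gateway_ip, spi) -> qfi

    def configure(self, rule: ForwardingRuleConfig) -> None:
        self.uplink[(rule.ue_ip, rule.qfi)] = rule.gateway_ip
        self.downlink[(rule.gateway_ip, rule.downlink_spi)] = rule.qfi

    def handle_uplink(self, pkt: Packet) -> Tuple[str, object]:
        """Packets from the UE received on a configured QoS flow are forwarded to the gateway."""
        gateway = self.uplink.get((pkt.src_ip, pkt.qfi))
        if gateway is None:
            return ("drop", "no forwarding rule for this UE and QoS flow")
        return ("forward", gateway)

    def handle_downlink(self, pkt: Packet) -> Tuple[str, object]:
        """SA-protected packets from the gateway are mapped onto the QoS flow; anything
        with an unknown source or SPI is dropped rather than mapped onto a flow."""
        qfi = self.downlink.get((pkt.src_ip, pkt.spi))
        if qfi is None:
            return ("drop", "unknown source or SPI for SA-protected packet")
        return ("map", qfi)


def demo() -> Tuple[UPF, ForwardingRuleConfig]:
    # Constructed sample values; none come from the patent text.
    qos_flow_info = {"ue_ip": "10.0.0.5", "qfi": 5}
    sa_params = {"gateway_ip": "192.0.2.10", "downlink_spi": 0x1234ABCD}
    upf = UPF()
    rule = build_forwarding_rule(qos_flow_info, sa_params)
    upf.configure(rule)
    return upf, rule
```

Keying the downlink table on the (gateway address, SPI) pair means a packet whose SPI was never negotiated for that gateway is dropped instead of being placed on the UE's QoS flow; a count of such drops is a useful signal for operations, since legitimate traffic should never produce them once the SA is up.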
It should be understood that the specific process by which each unit performs the corresponding steps above has been described in detail in the method embodiments above and, for brevity, is not repeated here.
It should be noted that the division into modules in the embodiments of this application is schematic and is merely a division by logical function; in an actual implementation there may be other ways of dividing them. In addition, the functional units in the embodiments of this application may be integrated in one processing unit, may each exist physically on their own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and is sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to perform all or some of the steps of the methods in the embodiments of this application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
Based on the above embodiments, an embodiment of this application further provides a communication device, which is applied in the communication system shown in Figure 1 or Figure 2. The communication device is configured to implement the communication method provided in the above embodiments and has the functions of the communication apparatus 1400 provided in the above embodiments. Referring to Figure 15, the communication device 1500 includes a communication interface 1501 and a processor 1502. Optionally, the communication device 1500 further includes a memory 1503. The communication interface 1501, the processor 1502 and the memory 1503 are connected to each other.
Optionally, the communication interface 1501, the processor 1502 and the memory 1503 are connected to each other through a bus 1504. The bus 1504 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is drawn in Figure 15, but this does not mean that there is only one bus or only one type of bus.
The communication interface 1501 is configured to receive and send data, implementing communication with other devices in the communication system.
For the functions of the processor 1502, refer to the descriptions in the above embodiments, which are not repeated here. The processor 1502 may be a central processing unit (CPU), a network processor (NP), a combination of a CPU and an NP, or the like. The processor 1502 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. The processor 1502 may implement the above functions in hardware, or, of course, in hardware executing the corresponding software.
The memory 1503 is configured to store program instructions and the like. Specifically, the program instructions may include program code, and the program code includes computer operation instructions. The memory 1503 may include a random access memory (RAM) and may also include a non-volatile memory, for example at least one disk memory. The processor 1502 executes the program instructions stored in the memory 1503 to implement the above functions, thereby implementing the methods provided in the above embodiments.
Based on the above embodiments, an embodiment of this application further provides a computer program which, when run on a computer, causes the computer to perform the methods provided in the above embodiments.
Based on the above embodiments, an embodiment of this application further provides a computer-readable storage medium. A computer program is stored in the computer-readable storage medium and, when the computer program is run on a computer, it causes the computer to perform the methods provided in the above embodiments.
The storage medium may be any available medium that a computer can access. By way of example and not limitation, a computer-readable medium may include a RAM, a ROM, an EEPROM, a CD-ROM or other optical disc storage, a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
Based on the above embodiments, an embodiment of this application further provides a chip, which is configured to read a computer program stored in a memory and implement the methods provided in the above embodiments. Optionally, the chip may include a processor and a memory, and the processor is configured to read the computer program stored in the memory to implement the methods provided in the above embodiments.
Based on the above embodiments, an embodiment of this application provides a chip system. The chip system includes a processor and is configured to support a computer apparatus in implementing the functions of the terminal device in the above embodiments. In one possible design, the chip system further includes a memory, and the memory is configured to store the programs and data necessary for the computer apparatus. The chip system may consist of chips, or may include chips and other discrete components.
In summary, the embodiments of this application provide a communication method and apparatus. In the method, a core network control plane network element of the mobile communication system interacts with the target security gateway to pass the security parameters of the UE and the security parameters of the target security gateway between the two ends, thereby completing the IPsec negotiation. Because the IPsec negotiation is completed through the core network control plane, and the core network offers a high level of security, the method avoids the risk of security parameter leakage that would arise from transmitting the security parameters over the user plane, ensures the security of the IPsec negotiation, and thereby ensures the security of the user data or signalling subsequently transmitted through the established SA.
Those skilled in the art will understand that the embodiments of this application may be provided as a method, a system, or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) that contain computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to this application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to this application without departing from the spirit and scope of this application. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalents, this application is also intended to include them.

Claims (30)

  1. A communication method, applied to a session management function network element, characterized in that it includes:
    receiving a first message from an access and mobility management function network element, where the first message contains a first security parameter of a terminal device, and the first security parameter is used to establish a security association (SA) between the terminal device and a security gateway;
    sending a second message to a target security gateway, where the second message contains the first security parameter, and the second message is used to request establishment of a target SA between the terminal device and the target security gateway;
    receiving a third message from the target security gateway, where the third message contains a second security parameter of the target security gateway, the second security parameter is used to establish the target SA, and the third message is a response message to the second message; and
    sending a fourth message to the access and mobility management function network element, where the fourth message contains the second security parameter.
  2. The method according to claim 1, characterized in that the target SA is an Internet key exchange (IKE) SA.
  3. The method according to claim 2, characterized in that the first message is a first session establishment request message, and the fourth message is a first session establishment response message.
  4. The method according to claim 2 or 3, characterized in that the first message further contains first indication information, and the first indication information is used to indicate that the terminal device requests data encryption.
  5. The method according to any one of claims 2 to 4, characterized in that, before sending the second message to the target security gateway, the method further includes:
    allocating the target security gateway to the terminal device.
  6. The method according to any one of claims 2 to 5, characterized in that the second message further contains the Internet Protocol (IP) address of the terminal device; the third message further contains the IP address of the target security gateway; and
    the fourth message contains the IP address of the target security gateway.
  7. The method according to any one of claims 2 to 6, characterized in that, after receiving the third message from the security gateway, the method further includes:
    sending first forwarding rule configuration information to a user plane function network element;
    where the first forwarding rule configuration information is used to instruct the user plane function network element to map the data packets transmitted between the terminal device and the target security gateway through the IKE SA onto a first quality of service flow in the session of the terminal device.
  8. The method according to any one of claims 2 to 7, characterized in that the first security parameter includes at least one of the following: the security parameter index (SPI) of the terminal device, the key material of the terminal device, the IKE SA encryption algorithm supported by the terminal device, or a first random number used to generate the IKE SA key; and
    the second security parameter includes at least one of the following: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithm supported by the target security gateway, or a second random number used to generate the IKE SA key.
  9. The method according to claim 1, characterized in that the target SA is a security processing protocol SA.
  10. The method according to claim 9, characterized in that the first message is a first session modification request message; the fourth message is a first session modification response message; and the first message further contains information about a second quality of service flow that the terminal device requests to establish.
  11. The method according to claim 9, characterized in that, before receiving the first message from the access and mobility management function network element, the method further includes:
    sending a fifth message to the access and mobility management function network element, where the fifth message is used to request the first security parameter;
    where the first message is a response message to the fifth message.
  12. The method according to claim 11, characterized in that, before sending the fifth message to the access and mobility management function network element, the method further includes:
    receiving a policy modification notification message from a policy control function network element, where the policy modification notification message contains information about a second quality of service flow that the policy control function network element requests to establish in the session of the terminal device; or
    receiving a subscription modification notification message from a unified data management network element, where the subscription modification notification message contains information about a second quality of service flow that the unified data management network element requests to establish in the session of the terminal device; or
    receiving a first session modification request message from the access and mobility management function network element, where the first session modification request message contains information about a second quality of service flow that the terminal device requests to establish in the session of the terminal device.
  13. The method according to claim 10 or 12, characterized in that, after receiving the third message from the target security gateway, the method further includes:
    creating the second quality of service flow according to the information about the second quality of service flow; and
    sending second forwarding rule configuration information to a user plane function network element;
    where the second forwarding rule configuration information is used to instruct the user plane function network element to forward the data packets from the terminal device that are received through the second quality of service flow to the target security gateway.
  14. The method according to any one of claims 9 to 13, characterized in that the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a first processing entity in the terminal device, the authentication information of the terminal device, the first security processing protocol SA encryption algorithm supported by the terminal device, a first data flow selection rule, or a third random number used to generate the first security processing protocol SA key; and
    the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a second processing entity in the target security gateway, the authentication information of the target security gateway, the first security processing protocol SA encryption algorithm supported by the target security gateway, a second data flow selection rule, or a fourth random number used to generate the first security processing protocol SA key.
  15. A communication method, applied to an access and mobility management function network element, characterized in that it includes:
    sending a first message to a session management function network element, where the first message contains a first security parameter of a terminal device, and the first security parameter is used to establish a security association (SA) between the terminal device and a security gateway; and
    receiving a fourth message from the session management function network element, where the fourth message contains a second security parameter of a target security gateway, and the second security parameter is used to establish a target SA between the terminal device and the target security gateway.
  16. The method according to claim 15, characterized in that the target SA is an Internet key exchange (IKE) SA.
  17. The method according to claim 16, characterized in that the first message is a first session establishment request message, and the fourth message is a first session establishment response message;
    before sending the first message to the session management function network element, the method further includes:
    receiving a second session establishment request message from the terminal device; and
    after receiving the fourth message from the session management function network element, the method further includes:
    sending a second session establishment response message to the terminal device.
  18. The method according to claim 17, characterized in that the second session establishment request message contains the first security parameter; or
    the second session establishment request contains a first parameter part of the first security parameter, and, before sending the first message to the session management function network element, the method further includes: obtaining, according to the identifier of the terminal device, a second parameter part of the first security parameter from a unified data management network element or an authentication server function network element, where the first parameter part and the second parameter part together form the first security parameter; or
    before sending the first message to the session management function network element, the method further includes: determining the first security parameter.
  19. The method according to claim 17 or 18, characterized in that the second session establishment response message contains some or all of the first security parameter; and/or
    the second session establishment response message contains some or all of the second security parameter.
  20. The method according to any one of claims 17 to 19, characterized in that the first message contains first indication information, and the second session establishment request message contains the first indication information, where the first indication information is used to indicate that the terminal device requests data encryption.
  21. The method according to any one of claims 16 to 20, characterized in that the fourth message contains the Internet Protocol (IP) address of the target security gateway.
  22. The method according to any one of claims 16 to 21, characterized in that the first security parameter includes at least one of the following: the security parameter index (SPI) of the terminal device, the key material of the terminal device, the IKE SA encryption algorithm supported by the terminal device, or a first random number used to generate the IKE SA key; and
    the second security parameter includes at least one of the following: the SPI of the target security gateway, the key material of the target security gateway, the IKE SA encryption algorithm supported by the target security gateway, or a second random number used to generate the IKE SA key.
  23. The method according to claim 15, characterized in that the target SA is a security processing protocol SA.
  24. The method according to claim 23, characterized in that the first message is a first session modification request message, and the fourth message is a first session modification response message;
    before sending the first message to the session management function network element, the method further includes:
    receiving a second session modification request message from the terminal device; and
    after receiving the fourth message from the session management function network element, the method further includes:
    sending a second session modification response message to the terminal device;
    where the first session modification request message and the second session modification request contain information about a second quality of service flow that the terminal device requests to establish.
  25. The method according to claim 24, characterized in that the second session modification request message contains the first security parameter; or
    the second session modification request contains a first parameter part of the first security parameter, and, before sending the first message to the session management function network element, the method further includes: obtaining a saved second parameter part of the first security parameter, where the first parameter part and the second parameter part together form the first security parameter; or
    before sending the first message to the session management function network element, the method further includes: obtaining the saved first security parameter.
  26. The method according to claim 23, characterized in that the method further includes:
    receiving a fifth message from the session management function network element, where the fifth message is used to request the first security parameter;
    where the first message is a response message to the fifth message;
    the fourth message is a first session modification response message; and
    after receiving the fourth message from the session management function network element, the method further includes:
    sending a second session modification response message to the terminal device.
  27. The method according to any one of claims 24 to 26, characterized in that the second session modification response message contains some or all of the first security parameter; and/or
    the second session modification response message contains some or all of the second security parameter.
  28. The method according to any one of claims 23 to 27, characterized in that the first security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a first processing entity in the terminal device, the authentication information of the terminal device, the security processing protocol SA encryption algorithm supported by the terminal device, a first data flow selection rule, or a third random number used to generate the security processing protocol SA key; and
    the second security parameter includes at least one of the following: the SPI of the terminal device, the SPI of the target security gateway, the identifier of a second processing entity in the target security gateway, the authentication information of the target security gateway, the security processing protocol SA encryption algorithm supported by the target security gateway, a second data flow selection rule, or a fourth random number used to generate the security processing protocol SA key.
  29. A communication apparatus, characterized in that it includes:
    a communication unit, configured to receive and send data; and
    a processing unit, configured to perform, through the communication unit, the method according to any one of claims 1 to 28.
  30. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium and, when the computer program is run on a computer, it causes the computer to perform the method according to any one of claims 1 to 28.
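The following Python model walks through the control-plane relay of claims 1, 7 and 8 (with the AMF-to-terminal leg of claims 17 and 19 folded into the driver): the terminal's IKE SA parameters reach the target security gateway only through the SMF, the gateway's parameters travel back the same way, and the SMF then pushes the claim 7 forwarding rule to the UPF. It is an added example written for this page, not code from the patent or its assignee. Everything below the claim language is an assumption: the message field names, the constructed IP addresses, and the key derivation, which is a plain HMAC over both sides' SPIs, nonces and key material standing in for whatever derivation a real IKE deployment uses. The point it demonstrates is that both ends arrive at the same SA key without any security parameter crossing the user plane, and that a missing common algorithm is reported as a failure rather than producing a half-built SA.

```python
"""Control-plane IKE SA parameter relay (claims 1, 7, 8, 17, 19) as a model.
Added example, not the patent's own code; field names and the key derivation
are assumptions, and all addresses are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeSaParams:
    """One endpoint's half of the claim 8 security parameter."""
    spi: bytes            # security parameter index
    key_material: bytes   # key material (constructed random bytes here)
    algorithms: tuple     # IKE SA encryption algorithms this endpoint supports
    nonce: bytes          # random number used to generate the IKE SA key


def new_params(algorithms):
    return IkeSaParams(secrets.token_bytes(4), secrets.token_bytes(32),
                       tuple(algorithms), secrets.token_bytes(16))


def derive_ike_key(ue, gw, algorithm):
    """Assumed derivation: HMAC-SHA256 keyed with both key materials over both
    SPIs, both nonces and the chosen algorithm. Both ends hold all of these
    inputs only after the four-message exchange has completed."""
    return hmac.new(ue.key_material + gw.key_material,
                    ue.spi + gw.spi + ue.nonce + gw.nonce + algorithm.encode(),
                    hashlib.sha256).digest()


class TargetSecurityGateway:
    def __init__(self, ip):
        self.ip = ip
        self.sas = {}   # (ue_ip, ue_spi) -> IKE SA key

    def on_second_message(self, msg):
        """Second message carries the UE's parameters; the reply is the third
        message with the gateway's parameters and, per claim 6, its address."""
        ue = msg["first_security_parameter"]
        mine = new_params(["AES-GCM-16"])
        common = [a for a in ue.algorithms if a in mine.algorithms]
        if not common:
            return {"error": "no common IKE SA encryption algorithm"}
        self.sas[(msg["ue_ip"], ue.spi)] = derive_ike_key(ue, mine, common[0])
        return {"second_security_parameter": mine, "gateway_ip": self.ip,
                "algorithm": common[0]}


class UserPlaneFunction:
    def __init__(self):
        self.rules = []   # claim 7 forwarding rules, never security parameters

    def configure(self, rule):
        self.rules.append(rule)

    def qos_flow_for(self, src, dst):
        for r in self.rules:
            if {src, dst} == {r["ue_ip"], r["gateway_ip"]}:
                return r["qos_flow_id"]
        return None


class SessionManagementFunction:
    def __init__(self, gateway, upf):
        self.gateway, self.upf = gateway, upf

    def on_first_message(self, msg):
        """Claim 1 relay: first message (from AMF) -> second (to gateway) ->
        third (from gateway) -> fourth (back to AMF)."""
        third = self.gateway.on_second_message(
            {"first_security_parameter": msg["first_security_parameter"],
             "ue_ip": msg["ue_ip"]})
        if "error" in third:
            return {"cause": third["error"]}
        # claim 7: map the UE<->gateway IKE traffic onto QoS flow 1 (assumed id)
        self.upf.configure({"ue_ip": msg["ue_ip"],
                            "gateway_ip": third["gateway_ip"], "qos_flow_id": 1})
        return {"second_security_parameter": third["second_security_parameter"],
                "gateway_ip": third["gateway_ip"], "algorithm": third["algorithm"]}


def establish_session(ue_ip="10.0.0.7", ue_algorithms=("AES-GCM-16", "AES-CBC-256")):
    """Run the exchange and report whether both ends hold the same SA key."""
    gateway = TargetSecurityGateway("192.0.2.10")   # constructed address
    upf = UserPlaneFunction()
    smf = SessionManagementFunction(gateway, upf)
    ue_params = new_params(ue_algorithms)
    # UE -> AMF second session establishment request (claim 17), AMF -> SMF first message
    fourth = smf.on_first_message({"ue_ip": ue_ip, "first_security_parameter": ue_params})
    if "cause" in fourth:
        return {"ok": False, "cause": fourth["cause"]}
    # AMF -> UE second session establishment response (claim 19) carrying the gateway's half
    ue_key = derive_ike_key(ue_params, fourth["second_security_parameter"], fourth["algorithm"])
    gw_key = gateway.sas[(ue_ip, ue_params.spi)]
    return {"ok": True, "keys_match": ue_key == gw_key,
            "qos_flow": upf.qos_flow_for(ue_ip, fourth["gateway_ip"])}


if __name__ == "__main__":
    print(establish_session())
    print(establish_session(ue_algorithms=("3DES",)))
```

Running the module prints a successful exchange (matching keys, IKE traffic mapped to QoS flow 1) followed by the rejected case, where the UE offers no algorithm the gateway supports and the SMF returns a cause instead of a fourth message.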
PCT/CN2023/092717 2022-06-29 2023-05-08 Communication method and apparatus WO2024001524A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210756613.2 2022-06-29
CN202210756613.2A CN117376900A (en) 2022-06-29 2022-06-29 Communication method and device

Publications (1)

Publication Number Publication Date
WO2024001524A1 true WO2024001524A1 (en) 2024-01-04

Family

ID=89383190

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/092717 WO2024001524A1 (en) 2022-06-29 2023-05-08 Communication method and apparatus

Country Status (2)

Country Link
CN (1) CN117376900A (en)
WO (1) WO2024001524A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108347416A (en) * 2017-01-24 2018-07-31 Huawei Technologies Co., Ltd. A kind of safeguard protection machinery of consultation and network element
CN110891269A (en) * 2018-09-10 2020-03-17 Huawei Technologies Co., Ltd. Data protection method, equipment and system
US20200329511A1 (en) * 2017-12-29 2020-10-15 Huawei Technologies Co., Ltd. Session establishment method and system, and device
CN113873453A (en) * 2020-06-29 2021-12-31 Huawei Technologies Co., Ltd. Communication method, device and system

Also Published As

Publication number Publication date
CN117376900A (en) 2024-01-09


Legal Events

Date Code Title Description
121 Ep: The EPO has been informed by WIPO that EP was designated in this application
    Ref document number: 23829710
    Country of ref document: EP
    Kind code of ref document: A1