CN101227494B - Method for establishing Internet safety protocol safe alliance when accessing multi grouping data network - Google Patents
Method for establishing Internet safety protocol safe alliance when accessing multi grouping data network Download PDFInfo
- Publication number
- CN101227494B CN101227494B CN2008100015641A CN200810001564A CN101227494B CN 101227494 B CN101227494 B CN 101227494B CN 2008100015641 A CN2008100015641 A CN 2008100015641A CN 200810001564 A CN200810001564 A CN 200810001564A CN 101227494 B CN101227494 B CN 101227494B
- Authority
- CN
- China
- Prior art keywords
- pdn
- message
- ipsec
- load
- gateway
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Abstract
The invention discloses an IPSec SA establishment process when a plurality of PDN are switched in, which is suitable to the conditions that UE has switched in at least one PDN, and builds up an IKE SA with a data gateway, or at least an IPSec SA under the IKE SA. The process comprises sending the request message to the data gateway under the IKE SA which is established when the UE decides to switch in anther PDN, wherein the request message at least comprises the identity mark ID and the request of dynamic distribution IP address of the PDN which is needed to be switched in, choosing the PDN or the gateway which is connected with the PDN by the data gateway according to the ID of the PDN which is carried in the request message, distributing the IP address or prefix for the UE by the data gateway or the gateway which is connected with the PDN or the PDN, returning replay message to the UE by the data gateway, and carrying the IP address or the prefix which are distributed for the UE in the replay message.
Description
Technical field
The present invention relates to wireless communication field, the method for building up of IPSec (internet safety protocol) SA (Security Association, Security Association) when relating in particular to the many PDN of a kind of access (Packet Data Network).
Background technology
Internet safety protocol (IPSec), by IETF (Internet Engineering Task Force, the internet engineering task group) one of definition be enclosed within the agreement that network layer provides Internet Protocol (IP) fail safe, formed by a series of RFC (internet draft) document.Wherein RFC2401 defines the basic structure of IPSec; The checking head (AH) of RFC2402 definition IPSec; The ESP (ESP) of RFC2406 definition IPSec; The Internet Key Exchange version 2 (IKEv2) of RFC4306 definition IPSec.
3GPP (3rd Generation Partnership Project, third generation partner program) the grouping system EPS of evolution (Evolved Packet System) is the evolution of UMTS (Universal Mobile Telecommunications System) system, support and the interconnection and interflow of non-3 GPP system, wherein exist the application of a large amount of IKEv2/IPSec.P-GW, claim again PDN GW (Packet Data Network Gateway, grouped data network gateway) be the borde gateway of EPS and PDN (Packet Data Network, packet data network) network, be responsible for the access of PDN and the function such as forwarding data between EPS and PDN.The AAA of HSS (HomeSubscriber Server, home subscriber server) and 3GPP (Authentication, Authorization and Accounting, authentication and authorization charging) server is responsible for the authentication and authorization of access user.UE (User Equipment, subscriber equipment) can access 3GPP system (non-roaming framework as shown in Figure 1) by trusted non-3GPP IP Access Network and trustless non-3GPP IP Access Network.When UE accesses by trustless non-3 GPP system, must pass through ePDG (Evolved PacketData Gateway, the packet data gateway of evolution) could access, must set up the IKEv2/IPSec tunnel and just can guarantee the fail safe that accesses between ePDG and trustless non-3 GPP access network, ePDG can think a security gateway.Wu
*Interface is used for supporting the associative operation in IPsec tunnel between UE and ePDG.S2a interface between S2b interface between ePDG and P-GW, trusted non-3 GPP access network pass and P-GW is all supported the PMIPv6 mobility management protocol.And UE also can adopt the DSMIPv6 agreement by S2c interface access 3GPP.DSMIPv6 adopts the IKEv2/IPSec agreement that its signaling message is protected.
The many PDN accesses of EPS system's support simultaneously, namely UE can be linked into a plurality of PDN simultaneously by a plurality of P-GW or a P-GW.Fig. 2 is that UE adopts the scene graph of the many PDN of PMIPv6 agreement access by trustless non-3GPP IP Access Network, wherein the different different PDN of P-GW access.UE obtains by P-GW1 the IP operation 1 that operator provides, and obtains by P-GW2 the IP operation 2 that operator provides simultaneously.Fig. 3 is that UE adopts the scene graph of PMIPv6 or the many PDN of DSMIPv6 agreement access by trustless non-3GPP IP Access Network, the different PDN of one of them P-GW access.UE has obtained by P-GW IP operation 1 and IP operation 2 that operator provides simultaneously.
Fig. 4 is that UE accesses and adopt the initial attachment flow of PMIPv6 agreement by trustless non-3GPP between ePDG and P-GW.By this flow process, UE can be established to according to the CAMEL-Subscription-Information of oneself connection of a PDN.In conjunction with this flow process, also can understand IKEv2 and set up IPSec SA mechanism.Its step is described below:
Step 204, UE sends the IKE_AUTH request message to ePDG, IDi (Identification-Initiator in message, initiator's identity) carry user ID (identify label) in load, CP (Configuration, configuration) carry the dynamic IP address allocation request in load, carry the IPSec SA parameter that to consult in SAi (SecurityAssociation-Initiator, initiator's Security Association) load.Do not carry simultaneously AUTH (Authentication, authentication) load in message, expression UE wishes to initiate EAP (Extensible Authentication Protocol, Extensible Authentication Protocol) authentication.
Step 206, ePDG and HSS/AAA initiate EAP-AKA (ExtensibleAuthentication Protocol Method for 3rd Generation Authentication and KeyAgreement alternately, third generation authentication and cipher key change Extensible Authentication Protocol) authentication, HSS/AAA returns to the selection information of P-GW to ePDG simultaneously, information comprises P-GW address and APN (Access PointName, Access Point Name) or indication and the APN of no permission access visited place P-GW.
Step 208, ePDG sends the IKE_AUTH response message to UE, and in message, EAP load is carried EAP-request/AKA-challenge, and IDr (Identification-Initiator, answer party identity) carries the ID of ePDG, carries out the EAP authentication.
Step 210, the parameters for authentication of UE supervising network side and response authentication challenge, and bring ePDG by the EAP load in the IKE_AUTH request message with challenge response.
Step 212, ePDG and HSS/AAA carry out alternately the challenge response of UE being tested, and after authentication success, its access are authorized, and return to EAP authentication success message.
Step 214, ePDG sends the IKE_AUTH response message to UE, carries authentication success message in EAP load.
Step 216, the UE master session key MSK that authentication generates according to EAP generates parameters for authentication, and brings ePDG with it by the AUTH load in the IKE_AUTH request message, so that article one IKE_SA_INIT message of oneself sending out is carried out authentication.
Step 218, ePDG sends agent binding update according to the IP address of the selection information acquisition P-GW of P-GW to this P-GW, carries UE ID and APN in message.
Step 220, P-GW upgrades its IP address to HSS/AAA.
Step 222, P-GW sends agent binding to ePDG and confirms, carries IP address or the prefix of distributing into UE in message.
Step 224, the parameters for authentication that ePDG sends UE authenticate the parameters for authentication of calculating simultaneously oneself and in order to UE, the IKE_SA_INIT message that oneself sends are authenticated.EPDG sends the IKE_AUTH response message to UE, in message, AUTH load is carried the ePDG parameters for authentication, CP load is carried the IP address distributed into UE or prefix and SAr (Security Association-Responder, answer party Security Association) load and is carried the negotiation of IPSec SA and reply.
Step 226 is set up ipsec security alliance between UE and ePDG.Set up the PMIPv6 tunnel between ePDG and P-GW.
By above-mentioned flow process, an IKE SA (internet cryptographic key exchanging safety alliance) and an IPSec SA under this IKE SA have been set up between UE and ePDG.With the PMIPv6 building tunnel connection between UE and P-GW by ipsec tunnel.
Can see simultaneously, the Binding Update flow process in the PMIPv6 tunnel of ePDG and P-GW is by setting up UE to the trigger flow of the IKEv2/IPSec SA of ePDG, and the 4 pairs of IKEv2 message of process need of setting up of whole IKEv2/IPSec SA are completed.Wherein the 1st pair of message is used for setting up IKE SA, and rear 3 pairs of message are used for carrying out the EAP authentication and setting up IPSec SA at IKE SA.
Under the scene of many PDN, the APN of first PDN of UE access is that ePDG obtains from HSS/AAA, and UE will access in addition the APN of PDN and needs bring network side by UE.In prior art, can bring network side by the IDr load in the 3rd message (being article one message of IKE_AUTH---above-mentioned steps 204) of IKEv2.Although the IKEv2 agreement can be set up a plurality of IPSec SA by CREATE_CHILD_SA (establishment _ child _ Security Association) exchange under an IKE SA, CREATE_CHILD_SA does not carry ID load, thereby can't bring network side with APN.This means the Establishing process that again to initiate an IKEv2/IPSec SA, provide APN to trigger simultaneously the Establishing process in PMIPv6 tunnel to network side.This will certainly increase complexity, namely needs at least 4 pairs of IKEv2 message alternately between UE and ePDG, will have a plurality of IKE SA simultaneously between them.
Summary of the invention
The method for building up of internet safety protocol safe alliance when the technical problem to be solved in the present invention is to provide a kind of accessing multi grouping data network, be applied to the communications field, when making UE pass through many PDN of the long-range access of data gateway, only need to set up an IKE SA between UE and data gateway and just can be established to the connection of a plurality of PDN.
In order to address the above problem, the method for building up of internet safety protocol safe alliance when the invention provides a kind of accessing multi grouping data network, be applicable to terminal UE and be linked at least one grouped data network PDN, and and data gateway between set up an internet cryptographic key exchanging safety IKE SA of alliance and in the situation that at least one the internet safety protocol safe alliance IPSec SA under the IKE SA that this terminal UE has been set up comprise:
When A, UE determine the other PDN of access, send under the IKE SA that has set up set up IPSecSA request message to data gateway, carry at least identify label ID, and the request of dynamic IP address allocation of the PDN that will access in described request message;
The gateway that B, data gateway select this PDN or are connected with this PDN according to the ID of the PDN that carries in described request message, and be UE distributing IP address or prefix by data gateway or PDN or the gateway that is connected with this PDN;
C, data gateway return to response message to UE, carry IP address or the prefix of distributing into UE in described response message.
Further, in steps A, the request message of the described IPSec of foundation SA is the CREAT_CHILD_SA request message; This message is carried the ID that will access PDN by answer party identity IDr load; Carry the dynamic IP address allocation request by configuration CP load;
In step B, data gateway is selected corresponding PDN or the gateway that is connected with this PDN according to the ID of the PDN in described IDr load;
In step C, described response message is the CREAT_CHILD_SA response message; This message is carried IP address or the prefix of distributing into UE by CP load.
Further, in steps A, also carry the identify label ID of UE in described request message and be used for the parameter that IPSec SA consults;
In step C, also carry the negotiation of IPSec SA in described response message and reply parameter;
Also comprise after step C:
Set up a new IPSec SA between D, UE and data gateway, UE accesses the described PDN that will access.
Further, in steps A, the request message of the described IPSec of foundation SA is the CREAT_CHILD_SA request message; This message is carried the ID that will access PDN by answer party identity IDr load; Carry the dynamic IP address allocation request by configuration CP load; Carry the parameter of consulting for IPSec SA by initiator's Security Association load;
In step B, data gateway is selected corresponding PDN or the gateway that is connected with this PDN according to the ID of the PDN in described IDr load;
In step C, described response message is the CREAT_CHILD_SA response message; This message is carried IP address or the prefix of distributing into UE by CP load; Carry the negotiation of IPSec SA by answer party Security Association load and reply parameter.
Further, the ID of described PDN is Access Point Name corresponding to this PDN.
Further, described data gateway is packet data gateway or the grouped data network gateway of evolution.
Further, in steps A, carry the ID of UE in described request message by initiator's identity IDi load.
Further, the ID of described UE is network access Identifier.
Further, in step B, described data gateway is not initiated the Extensible Authentication Protocol authentication after receiving described request message.
Use the method for the invention, when making UE access many PDN by data gateway, only need to set up an IKE SA between UE and data gateway and just can be established to the connection of a plurality of PDN.Carried out mutual authentication and authorization when first PDN is connected setting up between UE and data gateway, therefore can not carry out the EAP authentication when the PDN that sets up subsequently connects, its security performance accesses guarantee.Method of the present invention has been saved the foundation of a plurality of IKE SA and has been used for the signaling of authentication, has reduced expense and the access delay of interface-free resources.
Description of drawings
Fig. 1 is the system architecture schematic diagram of EPS in prior art;
Fig. 2 is that in prior art, UE adopts the scene schematic diagram of the many PDN of PMIPv6 agreement access by trustless non-3GPP IP Access Network, wherein the different different PDN of P-GW access;
Fig. 3 is that in prior art, UE adopts the scene schematic diagram of PMIPv6 or the many PDN of DSMIPv6 agreement access by trustless non-3GPP IP Access Network, the different PDN of one of them P-GW access;
Fig. 4 is that in prior art, UE accesses and adopt the initial attachment flow schematic diagram of PMIPv6 agreement between ePDG and P-GW by trustless non-3GPP;
The concrete implementing procedure figure of the method for building up of IPSec SA when Fig. 5 is many PDN of access of the present invention;
Fig. 6 is the flow chart of the embodiment of the present invention one;
Fig. 7 is the flow chart of the embodiment of the present invention two.
Embodiment
Below in conjunction with drawings and Examples, technical scheme of the present invention is described in detail.
Thought of the present invention is: in the situation that UE has set up the connection of a PDN, when UE determines to initiate the request of other PDN access, send the CREAT_CHILD_SA request message under the IKE SA that has set up, the IDi load of carrying in this message is used for the identify label of UE, CP load is used for the dynamic IP address allocation request, and negotiation and IDr load that SAi load is used for IPSec SA are used for showing the sign that will access PDN.The gateway that data gateway is selected PDN or is connected with this PDN according to the PDN in IDr load sign, and be the UE long-range access IP of distribution address by data gateway or the gateway that is connected with this PDN or PDN.Data gateway sends the CREAT_CHILD_SA response message to UE, and the SAr load of carrying in message is used for the negotiation of IPSec SA and replys IP address or the prefix that is used for the UE distribution with CP load.。
The method for building up of IPSec SA when the invention provides a kind of many PDN of access, be applicable to UE and be linked at least one PDN, and and data gateway between set up an IKE SA and in the situation that at least one the IPSec SA under this IKESA as shown in Figure 5, comprise the following steps:
A, when UE determines the other PDN of access, send under the IKE SA that has set up set up IPSecSA request message to data gateway, carry at least ID, and the request of dynamic IP address allocation of the PDN that will access in this message; Also carry ID, and the IPSec SA parameter of consulting of UE.
The request message of the described IPSec of foundation SA is the CREAT_CHILD_SA request message; Carry the ID of UE in described request message by IDi load; Carry the ID that will access PDN by IDr load; Carry the dynamic IP address allocation request by CP load.
Also carry the parameter of consulting for IPSec SA by SAi load in described message.
The ID of described UE can but be not limited to NAI (Network Access Identity, network access Identifier).The ID of described PDN can but be not limited to APN corresponding to this PDN.
Described data gateway can but be not limited to ePDG or P-GW.
The gateway that the ID of the PDN that carries in B, the request message of data gateway according to the described IPSec of foundation SA selects this PDN or is connected with this PDN, and be that UE distributes long-range access IP address or prefix by data gateway or the gateway that is connected with this PDN or PDN.
Data gateway select this PDN or with gateway that this PDN is connected after, can same prior art to the realization that distributes access IP address or prefix.
When the request message of the described IPSec of foundation SA was the CREAT_CHILD_SA request message, data gateway was selected corresponding PDN or the gateway that is connected with this PDN according to the ID of the PDN in described IDr load.
Because request message sends under IKE SA, this UE is through authentication, so data gateway is received and do not initiated the EAP authentication after described request message.
C, data gateway return to response message to UE, carry long-range access IP address or the prefix of distributing into UE in this message; Also carry the negotiation of IPSec SA and reply parameter.
Described response message is the CREAT_CHILD_SA response message; Carry IP address or the prefix of distributing into UE by CP load in described response message; Parameter is replied in the negotiation of also carrying IPSec SA by SAr load.
Set up a new IPSec SA between D, UE and data gateway, UE accesses the described PDN that will access.
The below further is illustrated with two application examples of the present invention.
Application example one, description be as shown in Figure 2 scene, in UE was in the coverage of trustless non-3GPPIP Access Network, the 3GPP core net was EPS, and the flow process when adopting many PDN of PMIPv6 access, the wherein different different PDN of P-GW access.The flow chart of application example one as shown in Figure 6, each step is described below:
302, UE by initially adhering to, is connected to P-GW1, and is linked into PDN1 by P-GW1.
304, set up an IKE SA and IPSec SA by IKEv2 between UE and ePDG.Set up a PMIPv6 tunnel between ePDG and P-GW1.
306, UE determines to be linked into another one PDN, i.e. PDN2.
308, UE sends the CREAT_CHILD_SA request message to ePDG under the IKE SA that has set up, in message, IDi load is carried UE sign NAI (Network Access Identity, network access Identifier), IDr load is carried the APN2 corresponding to PDN2 that will access and is used for ePDG selection P-GW, and CP load carries the dynamic IP address allocation request and SAi load is carried the parameter that IPSec SA consults.
310, because request message sends under IKE SA, this UE is through authentication, so ePDG determines not initiate the EAP authentication.EPDG has selected to provide the P-GW2 that is linked into PDN2 according to APN2, and sends agent binding update messages to P-GW2.Carry NAI in message, APN2 and IP Address requests.
312, P-GW2 and HSS/AAA are mutual, authorize, and set up banding cache entry Bingding Cache Entry according to NAI and APN2;
314, P-GW2 upgrades the IP address of P-GW2 to HSS/AAA.
316, P-GW2 returns to the agent binding update acknowledge message to ePDG, carries the IP address of distributing to UE in message;
318, ePDG sends the CREAT_CHILD_SA response message to UE, and in message, CP load is carried the IP address of distributing to UE, parameter is replied in the negotiation that SAr load is carried IPSec SA.
320, between UE and ePDG except already present IKEv2 SA and IPSec SA, newly set up again IPSec SA; Set up a new PMIPv6 tunnel between ePDG and P-GW2, UE accesses PDN2.
Application example two, what describe is as shown in Figure 3 scene, and in UE was in the coverage of trustless non-3 GPP access network, the 3GPP core net was EPS, adopt the flow process of the many PDN of DSMIPv6 access, and UE is by two different PDN's of a P-GW access.The flow chart of application example two as shown in Figure 7, each step is described below:
402, UE by initially adhering to, is connected to P-GW, and is linked into PDN1 by P-GW;
404, set up an IKE SA and IPSec SA by IKEv2 between UE and P-GW.UE binds Care-of Address CoA and home address HoA1 by the DISMIPv6 binding message, sets up the DSMIPv6 tunnel;
406, UE determines to be linked into another one PDN, and namely PDN2, also chosen the P-GW that access PDN2 can be provided with APN2, namely with access PDN1 be same P-GW.
408, UE sends the CREAT_CHILD_SA request message under the IKE SA that has set up, in message, IDi load is carried UE sign NAI (Network Access Identity, network access Identifier), IDr load is carried the APN2 corresponding to PDN that will access, CP load carries the dynamic IP address allocation request and SAi load is carried the parameter that IPSec SA consults, TSi (Traffic Selector-Initiator, initiator's service selector) carry arbitrary address in load, TSr (Traffic Selector-Responder, the answer party service selector) load is carried the IP address of P-GW,
410, because request message sends under IKE SA, this UE is through authentication, so P-GW does not initiate the EAP authentication; P-GW and HSS/AAA are mutual, authorize.
412, P-GW selects PDN2 according to APN2, for it distributes home address HoA2.Return to the CREAT_CHILD_SA response message to UE, in message, CP load is carried the negotiation that the HoA2 that distributes to UE and SAr load carries IPSec SA and is replied parameter, carries HoA2 in TSi load, and TSr load is carried the IP address of P-GW;
414, UE and P-GW are mutual, and Care-of Address CoA and home address HoA2 are bound;
416, between UE and P-GW except already present IKEv2/IPSec SA and DSMIPv6 tunnel, newly set up again IPSec SA and DSMIPv6 tunnel, UE accesses PDN2.
Certainly; the present invention also can have other various embodiments; in the situation that do not deviate from spirit of the present invention and essence thereof; those of ordinary skill in the art work as can make according to the present invention various corresponding changes and distortion, but these corresponding changes and distortion all should belong to the protection range of the appended claim of the present invention.
Claims (9)
1. the method for building up of internet safety protocol safe alliance during an accessing multi grouping data network, be applicable to terminal UE and be linked at least one grouped data network PDN, and and data gateway between set up an internet cryptographic key exchanging safety IKE SA of alliance and in the situation that at least one the internet safety protocol safe alliance IPSec SA under described IKE SA, it is characterized in that, comprising:
When A, UE determine the other PDN of access, send under the IKE SA that has set up set up IPSecSA request message to data gateway, carry at least identify label ID, and the request of dynamic IP address allocation of the PDN that will access in described request message;
The gateway that B, data gateway select this PDN or are connected with this PDN according to the ID of the PDN that carries in described request message, and be UE distributing IP address or prefix by data gateway or PDN or the gateway that is connected with this PDN;
C, data gateway return to response message to UE, carry IP address or the prefix of distributing into UE in described response message.
2. method for building up as claimed in claim 1 is characterized in that:
In steps A, the request message of the described IPSec of foundation SA is the CREAT_CHILD_SA request message; This message is carried the ID that will access PDN by the answer party identification load; Carry the dynamic IP address allocation request by configuration load;
In step B, data gateway is selected corresponding PDN or the gateway that is connected with this PDN according to the ID of the PDN in described answer party identification load;
In step C, described response message is the CREAT_CHILD_SA response message; This message is carried IP address or the prefix of distributing into UE by described configuration load.
3. method for building up as claimed in claim 1 is characterized in that:
In steps A, also carry the identify label ID of UE in described request message and be used for the parameter that IPSec SA consults;
In step C, also carry the negotiation of IPSec SA in described response message and reply parameter;
Also comprise after step C:
Set up a new IPSec SA between D, UE and data gateway, UE accesses the described PDN that will access.
4. method for building up as claimed in claim 3 is characterized in that:
In steps A, the request message of the described IPSec of foundation SA is the CREAT_CHILD_SA request message; This message is carried the ID that will access PDN by the answer party identification load; Carry the dynamic IP address allocation request by configuration load; Carry the parameter of consulting for IPSec SA by initiator's Security Association load;
In step B, data gateway is selected corresponding PDN or the gateway that is connected with this PDN according to the ID of the PDN in described answer party identification load;
In step C, described response message is the CREAT_CHILD_SA response message; This message is carried IP address or the prefix of distributing into UE by described configuration load; Carry the negotiation of IPSec SA by answer party Security Association load and reply parameter.
5. according to any one of claims 1 to 4 method for building up is characterized in that:
The ID of described PDN is Access Point Name corresponding to this PDN.
6. according to any one of claims 1 to 4 method for building up is characterized in that:
Described data gateway is packet data gateway or the grouped data network gateway of evolution.
7. method for building up as claimed in claim 4 is characterized in that:
In steps A, carry the ID of UE in described request message by initiator's identification load.
8. as claim 3,4 or 7 described method for building up, it is characterized in that:
The ID of described UE is network access Identifier.
9. method for building up as claimed in claim 1 is characterized in that:
In step B, described data gateway is not initiated the Extensible Authentication Protocol authentication after receiving described request message.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008100015641A CN101227494B (en) | 2008-01-09 | 2008-01-09 | Method for establishing Internet safety protocol safe alliance when accessing multi grouping data network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008100015641A CN101227494B (en) | 2008-01-09 | 2008-01-09 | Method for establishing Internet safety protocol safe alliance when accessing multi grouping data network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101227494A CN101227494A (en) | 2008-07-23 |
| CN101227494B true CN101227494B (en) | 2013-06-12 |
Family
ID=39859242
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2008100015641A Active CN101227494B (en) | 2008-01-09 | 2008-01-09 | Method for establishing Internet safety protocol safe alliance when accessing multi grouping data network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101227494B (en) |
Families Citing this family (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101626374B (en) | 2008-07-11 | 2013-08-28 | 成都市华为赛门铁克科技有限公司 | Method, system and equipment for negotiating security association (SA) in internet protocol version 6 (IPv6) network |
| CN101635914A (en) * | 2008-07-23 | 2010-01-27 | 华为技术有限公司 | Method and device for selecting packet data network (PDN) |
| CN101656956B (en) * | 2008-08-22 | 2012-05-23 | 华为技术有限公司 | Method, system and gateway for accessing 3GPP network |
| JP5607631B2 (en) * | 2008-09-15 | 2014-10-15 | サムスン エレクトロニクス カンパニー リミテッド | Method and system for generating a mobile internet protocol version 4 link |
| CN101426030B (en) * | 2008-12-09 | 2012-06-27 | 华为技术有限公司 | Method and terminal for acquiring network address |
| CN101841798B (en) * | 2009-03-20 | 2014-01-01 | 中兴通讯股份有限公司 | Correlation method and device of charging identifier |
| EP2413621B1 (en) * | 2009-03-27 | 2017-10-11 | Sharp Kabushiki Kaisha | Mobile communication between a mobile terminal device and at least one information terminal device over a packet data network connection (pdn) based on an access point name (apn), an evolved packet system (eps) bearer id and an address block which are received from an external gateway device |
| CN101730071B (en) * | 2009-05-19 | 2012-09-05 | 中兴通讯股份有限公司 | Realization method and system of multi-packet data network connection |
| CN101730142B (en) * | 2009-06-30 | 2012-09-05 | 中兴通讯股份有限公司 | Establishment method of multi-packet data network connection and device |
| CN102238241B (en) * | 2010-04-26 | 2015-09-16 | 中兴通讯股份有限公司 | A kind of application method of elongated prefix, device and system |
| WO2011157186A2 (en) * | 2011-06-03 | 2011-12-22 | 华为技术有限公司 | Method for building packet data network connection, accessing gateway, user equipment and system |
| CN102546154B (en) * | 2011-12-19 | 2015-09-16 | 上海顶竹通讯技术有限公司 | The changing method of terminal in mobile communications network |
| CN107682900B (en) * | 2012-09-29 | 2020-11-17 | 华为终端有限公司 | Data flow control method and related equipment and communication system |
| CN107666668B (en) * | 2016-07-27 | 2021-02-12 | 中兴通讯股份有限公司 | Method, device and system for establishing multiple PDN (packet data network) connections |
| WO2018096449A1 (en) * | 2016-11-23 | 2018-05-31 | Telefonaktiebolaget Lm Ericsson (Publ) | User identity privacy protection in public wireless local access network, wlan, access |
| EP3641226B1 (en) * | 2017-08-31 | 2023-10-04 | Huawei Technologies Co., Ltd. | Address allocation method and related device |
| WO2022178888A1 (en) * | 2021-02-27 | 2022-09-01 | 华为技术有限公司 | Communication method and apparatus |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1259886A1 (en) * | 2000-03-03 | 2002-11-27 | Nexland, Inc. | Network address translation gateway for local area networks using local ip addresses and non-translatable port addresses |
| CN1406005A (en) * | 2001-09-17 | 2003-03-26 | 华为技术有限公司 | Safety-alliance (SA) generation method for safety communication between nodes of network area |
| CN1893391A (en) * | 2005-07-05 | 2007-01-10 | 华为技术有限公司 | Method for supplying network layer to safety pass through network address conversion |
-
2008
- 2008-01-09 CN CN2008100015641A patent/CN101227494B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1259886A1 (en) * | 2000-03-03 | 2002-11-27 | Nexland, Inc. | Network address translation gateway for local area networks using local ip addresses and non-translatable port addresses |
| CN1406005A (en) * | 2001-09-17 | 2003-03-26 | 华为技术有限公司 | Safety-alliance (SA) generation method for safety communication between nodes of network area |
| CN1893391A (en) * | 2005-07-05 | 2007-01-10 | 华为技术有限公司 | Method for supplying network layer to safety pass through network address conversion |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101227494A (en) | 2008-07-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101227494B (en) | Method for establishing Internet safety protocol safe alliance when accessing multi grouping data network | |
| CN101159563B (en) | Method and system for selecting strategy charging control server | |
| CN101150782B (en) | A selection method for policy billing control server | |
| KR100762644B1 (en) | WLAN-UMTS Interworking System and Authentication Method Therefor | |
| CN101150418B (en) | A selection method for policy billing control server | |
| CN101083839B (en) | Cipher key processing method for switching among different mobile access systems | |
| CA2755142C (en) | Method for user terminal authentication and authentication server and user terminal thereof | |
| CN102917354B (en) | A kind of cut-in method, system and intelligent movable access point | |
| US20060294363A1 (en) | System and method for tunnel management over a 3G-WLAN interworking system | |
| CN101374334A (en) | Method and system for transferring packet data network identification information | |
| CN102695236B (en) | A kind of data routing method and system | |
| CN111726228B (en) | Configuring liveness check using internet key exchange messages | |
| CN105393630A (en) | Method for establishing network connection, gateway and terminal | |
| CN101102600A (en) | Secret key processing method for switching between different mobile access systems | |
| KR20080086127A (en) | A method and apparatus of security and authentication for mobile telecommunication system | |
| CN102223634A (en) | Method and device for controlling mode of accessing user terminal into Internet | |
| CN101335675A (en) | Policy control method | |
| Fang et al. | Security requirement and standards for 4G and 5G wireless systems | |
| CN107683615B (en) | Method, apparatus and storage medium for protecting WLCP message exchange between TWAG and UE | |
| CN101984724B (en) | Method and system for building tunnel in converged network | |
| CN103702327A (en) | Method, system and equipment for selecting VPLMN (Visited Public Land Mobile Network) by UE (User Equipment) | |
| CN106304056A (en) | The inspection method of a kind of device identification and system, equipment | |
| CN101605373B (en) | Method and system for controlling UE to access to APN | |
| JP6861285B2 (en) | Methods and devices for parameter exchange during emergency access | |
| CN103002429A (en) | Method and system for processing UE (user equipment) capability |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |