CN110519750B - Message processing method, device and system - Google Patents

Publication number: CN110519750B
Authority: CN (China)
Prior art keywords: service, network element, identifier, message, terminal
Legal status: Active
Application number: CN201810491118.7A
Other languages: Chinese (zh)
Other versions: CN110519750A (en
Inventor: 周润泽, 聂胜贤, 陈中平
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201810491118.7A
Publication of CN110519750A
Application granted
Publication of CN110519750B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W28/00 Network traffic management; Network resource management
    • H04W28/02 Traffic management, e.g. flow control or congestion control
    • H04W28/06 Optimizing the usage of the radio link, e.g. header compression, information sizing, discarding information
    • H04W72/00 Local resource management
    • H04W72/50 Allocation or scheduling criteria for wireless resources
    • H04W72/53 Allocation or scheduling criteria for wireless resources based on regulatory allocation policies
    • H04W8/00 Network data management
    • H04W8/22 Processing or transfer of terminal data, e.g. status or physical capabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of this application provide a message processing method, device and system that reduce the impact on an AS (application server) when a 5GC (5G core network) device obtains a service identifier that does not belong to a given terminal. The method comprises the following steps: a user plane network element acquires a first corresponding relation among an identifier of a first terminal, one or more service identifiers corresponding to a first service and one or more message processing strategies; the user plane network element receives a first encrypted message from the first terminal, wherein the first encrypted message carries a first service identifier and the identifier of the first terminal, and the first service identifier is any one of the one or more service identifiers; the user plane network element determines a first message processing strategy corresponding to the identifier of the first terminal and the first service identifier according to the first service identifier, the identifier of the first terminal and the first corresponding relation; and the user plane network element processes the first encrypted message according to the first message processing strategy.

Description

Message processing method, device and system
Technical Field
The present application relates to the field of communications, and in particular, to a method, device, and system for processing a packet.
Background
Currently, users pay more and more attention to protecting their own communication content when accessing networks. For example, in a network transaction, or in a scenario in which a user name and a password are required to log in to an application, the communication content between a terminal and an Application Server (AS) is encrypted. A message sent in encrypted form between the terminal and the AS is referred to as an encrypted message.
Generally, only the terminal and the AS can decrypt the encrypted message. The intermediate device for message transmission does not need to analyze or verify the encrypted message, and only needs to route and forward it. However, in some scenarios, the intermediate device needs to parse the encrypted message. For example, in a mobile communication operator network, transmission resources such as bandwidth or air interface resources are limited, so the intermediate device needs to analyze an encrypted message to identify the service it belongs to, and then transmit the message using a transmission resource guarantee mechanism appropriate to that service. For example, messages of a video service need low delay and high bandwidth, while messages of a web browsing service do not need such a guarantee. If the intermediate device cannot identify the service corresponding to the encrypted message, it can only apply default transmission processing. In that case, for example, high bandwidth is not guaranteed for the video service, so video playback is likely to stall and user experience is poor.
As shown in fig. 1, in the current fifth generation (5th generation, 5G) network, the intermediate device for message transmission, that is, a 5G core network (5GC) device, identifies the service corresponding to an encrypted message by the following method:
Step S101: the AS sends the service identifier to the first terminal, and the first terminal receives the service identifier from the AS.
Step S102: so that the 5GC device can determine the service corresponding to the encrypted message, the terminal adds the service identifier to the header of the encrypted message; that is, the service identifier itself is not encrypted.
Step S103: the terminal sends the encrypted message to the 5GC device.
Step S104: the 5GC device inspects the encrypted message sent by the first terminal, determines the service corresponding to the encrypted message according to the service identifier in the header, and can then determine which message processing strategy to apply to the encrypted message. For example, the 5GC device can determine, according to the service identifier abc in the header of the encrypted message, that the corresponding service is 'ordinary user or advanced user service of the video under the application A'.
However, the above scheme has the following problem:
When the AS allocates more than one service identifier to one of its services, a terminal that obtains, by illegitimate means, a service identifier that does not belong to it can add that service identifier to the header of its own encrypted message and send the message to the 5GC device. The service that the 5GC device determines from the service identifier in the header is then not the service corresponding to that terminal, and the processing strategy that the 5GC device determines from the service identifier is not the processing strategy intended for that terminal, which can adversely affect the AS. For example, for the video service in application A, service identifier abc is allocated to paid users and service identifier def is allocated to ordinary users. The processing strategy corresponding to service identifier abc is: the transmission bandwidth is guaranteed to be 10mb/s, and the charging mode is post-payment. The processing strategy corresponding to service identifier def is: the transmission bandwidth is guaranteed to be 5mb/s, and the charging mode is prepayment. If the terminal of an ordinary user acquires the service identifier of a paid user, adds it to the header of an encrypted message and sends the message to the 5GC device, the ordinary user enjoys the high-bandwidth, post-payment strategy, which is obviously not what the AS intends.
Therefore, how to reduce the impact on the AS when the 5GC device obtains a service identifier that does not belong to a given terminal is a problem to be solved at present.
Disclosure of Invention
The embodiments of this application provide a message processing method, device and system that reduce the impact on an AS (application server) when a 5GC (5G core network) device obtains a service identifier that does not belong to a given terminal.
In order to achieve the above purpose, the embodiment of the present application adopts the following technical solutions:
In a first aspect, a method for processing a packet is provided, where the method includes: a user plane network element acquires a first corresponding relation among an identifier of a first terminal, one or more service identifiers corresponding to a first service and one or more message processing strategies, wherein the one or more message processing strategies correspond to the one or more service identifiers respectively; the user plane network element receives a first encrypted message from the first terminal, wherein the first encrypted message carries a first service identifier and the identifier of the first terminal, and the first service identifier is any one of the one or more service identifiers; the user plane network element determines a first message processing strategy corresponding to the identifier of the first terminal and the first service identifier according to the first service identifier, the identifier of the first terminal and the first corresponding relation; and the user plane network element processes the first encrypted message according to the first message processing strategy. Based on this scheme, the first corresponding relation among the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing strategies can be configured on the user plane network element, where the one or more service identifiers correspond to the one or more message processing strategies respectively. Therefore, after the user plane network element receives any one of the one or more service identifiers from the first terminal, it can determine the corresponding message processing strategy according to the first corresponding relation and process the received encrypted message with that strategy, which reduces the impact on the AS when the 5GC device obtains a service identifier that does not belong to a given terminal.
In one possible design, the one or more service identities corresponding to the first service include one or more of service identities available to the first terminal or service identities unavailable to the first terminal.
In a possible design, the obtaining, by a user plane network element, a first correspondence between an identifier of a first terminal, one or more service identifiers corresponding to a first service, and one or more packet processing policies includes: a user plane network element receives a second message from a control plane network element, wherein the second message carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of the one or more message processing strategies, and the identifiers of the one or more message processing strategies correspond to the one or more service identifiers respectively; the user plane functional network element determines the one or more message processing strategies according to the identifiers of the one or more message processing strategies and the second corresponding relations between the identifiers of the one or more message processing strategies and the one or more message processing strategies; the user plane network element establishes a first corresponding relation among the identifier of the first terminal, one or more service identifiers corresponding to the first service, and the one or more message processing strategies. That is, based on the scheme, the identifier of the first terminal, one or more service identifiers corresponding to the first service, and the first corresponding relationship of one or more message processing policies may be configured on the user plane network element.
In a possible design, the message processing method provided in the embodiment of the present application may further include: and the user plane network element receives a third message from the control plane network element, wherein the third message carries the identifier of the one or more message processing strategies and the second corresponding relation of the one or more message processing strategies. Based on the scheme, the identifier of one or more message processing strategies and the second corresponding relation of one or more message processing strategies can be configured on the user plane network element, and then, the identifier of the message processing strategy can be directly sent subsequently when the one or more message processing strategies corresponding to the first terminal are configured, the corresponding message processing strategy can be determined according to the identifier of the message processing strategy and the second corresponding relation, the message processing strategy does not need to be sent again, the consumption of signaling is reduced, and therefore signaling resources can be saved.
In a possible design, the obtaining, by a user plane network element, a first correspondence between an identifier of a first terminal, one or more service identifiers corresponding to a first service, and one or more packet processing policies includes: and the user plane network element receives a second message from the control plane network element, wherein the second message carries the identifier of the first terminal, one or more service identifiers corresponding to the first service and the first corresponding relation of the one or more message processing strategies. That is, based on the scheme, the identifier of the first terminal, one or more service identifiers corresponding to the first service, and the first corresponding relationship of one or more message processing policies may be configured on the user plane network element.
In a possible design, the first service identifier in the embodiment of the present application may be a service identifier that is not available to the first terminal. Furthermore, before the user plane network element receives the first encrypted message from the first terminal, the message processing method provided in the embodiment of the present application may further include: the user plane network element sends first indication information to the control plane network element, wherein the first indication information indicates that the user plane network element has identified that the first terminal uses the first service identifier. After detecting that the first terminal uses the unavailable service identifier, the user plane network element can report this to the control plane network element in time, and the control plane network element can report it to the application function network element in time, so that the application function network element can promptly notify the first terminal to stop using the service identifier. This further reduces the impact on the AS when the 5GC device obtains a service identifier that does not belong to a given terminal.
In a possible design, before the user plane network element sends the first indication information to the control plane network element, the message processing method provided in this embodiment of the present application may further include: and the user plane network element receives a fourth message from the control plane network element, wherein the fourth message carries the first service identifier and is used for requesting the user plane network element to report when detecting that the first terminal uses the first service identifier. That is to say, in the embodiment of the present application, the control plane network element may subscribe in advance a behavior that the user plane network element reports when detecting the unavailable service identifier of the first terminal, and then the user plane network element may report the unavailable service identifier of the first terminal to the control plane network element in time after detecting the unavailable service identifier of the first terminal.
In a second aspect, a method for processing a packet is provided, where the method includes: an application function network element acquires an identifier of a first terminal, one or more service identifiers corresponding to a first service and identifiers of one or more message processing strategies, wherein the identifiers of the one or more message processing strategies correspond to the one or more service identifiers respectively; the application function network element sends a first message to a control plane network element, where the first message carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of the one or more message processing policies, where the identifiers of the one or more message processing policies are used to determine the one or more message processing policies, and the one or more message processing policies are used to process an encrypted message received from the first terminal. Based on the scheme, the identifier of the first terminal, one or more service identifiers corresponding to the first service, and the first corresponding relationship of one or more message processing strategies can be configured on the user plane network element. Therefore, after the user plane network element receives any one of the one or more service identifiers from the first terminal, the corresponding message processing strategy can be determined according to the first corresponding relationship, and the received encrypted message is processed by adopting the determined message processing strategy, so that the influence of the 5GC equipment on the AS due to the fact that the service identifier which does not belong to a certain terminal is obtained can be reduced.
In one possible design, the acquiring, by an application function network element, an identifier of a first terminal, one or more service identifiers corresponding to a first service, and identifiers of one or more message processing policies includes: after determining that a first terminal initiates a session of a first service to the application network element, the application functional network element determines one or more service identifiers corresponding to the first service according to information of the first service; the application function network element determines a second service identifier according to the identifier of the first terminal and the information of the first service, wherein the second service identifier is a service identifier available to the first terminal in one or more service identifiers corresponding to the first service; the application function network element determines an identifier of a second message processing strategy corresponding to the second service identifier according to the second service identifier; and the application function network element determines the identifier of the message processing strategy corresponding to the other service identifier except the second service identifier in the one or more service identifiers.
In one possible design, the determining, by the application function network element, an identifier of a packet processing policy corresponding to a service identifier other than the second service identifier in the one or more service identifiers includes: and the application function network element determines the identifier of the message processing strategy corresponding to the other service identifiers except the first service identifier in the one or more service identifiers as the identifier of the default message processing strategy. Illustratively, the default message handling policy may be, for example, to drop a message.
In one possible design, the determining, by the application function network element, an identifier of a packet processing policy corresponding to a service identifier other than the second service identifier in the one or more service identifiers includes: and the application function network element determines that the identifier of the message processing strategy corresponding to the other service identifier except the first service identifier in the one or more service identifiers is the identifier without the second message processing strategy.
In a possible design, the message processing method provided in the embodiment of the present application may further include: and the application function network element sends a fifth message to the control plane network element, wherein the fifth message carries the identifier of the one or more message processing strategies and the second corresponding relation of the one or more message processing strategies. Based on the scheme, the identifier of one or more message processing strategies and the second corresponding relation of one or more message processing strategies can be configured on the user plane network element, and then, the identifier of the message processing strategy can be directly sent subsequently when the one or more message processing strategies corresponding to the first terminal are configured, the corresponding message processing strategy can be determined according to the identifier of the message processing strategy and the second corresponding relation, the message processing strategy does not need to be sent again, the consumption of signaling is reduced, and therefore signaling resources can be saved.
In a third aspect, a method for processing a packet is provided, where the method includes: an application function network element acquires an identifier of a first terminal, one or more service identifiers corresponding to a first service, and a first corresponding relationship of one or more message processing strategies, wherein the one or more message processing strategies correspond to the one or more service identifiers respectively; the application function network element sends a first message to a control plane network element, where the first message carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and a first correspondence relationship between the one or more message processing policies, where the one or more message processing policies are used to process an encrypted message received from the first terminal. For technical effects of the third aspect, reference may be made to the second aspect, which is not described herein again.
In a possible design, the obtaining, by an application function network element, a first correspondence between an identifier of a first terminal, one or more service identifiers corresponding to a first service, and one or more packet processing policies includes: after determining that a first terminal initiates a session of a first service to the application network element, the application functional network element determines one or more service identifiers corresponding to the first service according to information of the first service; the application function network element determines a second service identifier according to the identifier of the first terminal and the information of the first service, wherein the second service identifier is a service identifier available to the first terminal in one or more service identifiers corresponding to the first service; the application function network element determines a second message processing strategy corresponding to the second service identifier according to the second service identifier; the application function network element determines the message processing strategy corresponding to other service identifiers except the second service identifier in the one or more service identifiers; the application function network element establishes a first corresponding relation among the identifier of the first terminal, one or more service identifiers corresponding to the first service and one or more message processing strategies.
In a possible design, the determining, by the application function network element, a packet processing policy corresponding to a service identifier other than the second service identifier in the one or more service identifiers includes: and the application function network element determines the message processing strategy corresponding to the other service identification except the second service identification in the one or more service identifications as a default message processing strategy. Illustratively, the default message handling policy may be, for example, to drop a message.
In a possible design, the determining, by the application function network element, a packet processing policy corresponding to a service identifier other than the second service identifier in the one or more service identifiers includes: and the application function network element determines the message processing strategy corresponding to the other service identifiers except the second service identifier in the one or more service identifiers as a second message processing strategy.
With reference to the second aspect or the third aspect, in a possible design, the first service identifier in the embodiment of the present application may be a service identifier that is not available to the first terminal. Furthermore, the message processing method provided in the embodiment of the present application may further include: the application function network element receives second indication information from the control plane network element, wherein the second indication information indicates that the control plane network element has identified that the first terminal is using the first service identifier; and the application function network element sends a sixth message to the first terminal, wherein the sixth message instructs the first terminal to stop using the first service identifier. After detecting that the first terminal uses the unavailable service identifier, the user plane network element can report this to the control plane network element in time, and the control plane network element can report it to the application function network element in time, so that the application function network element can promptly notify the first terminal to stop using the service identifier. This further reduces the impact on the AS when the 5GC device obtains a service identifier that does not belong to a given terminal.
In a possible design, before the application function network element receives the second indication information from the control plane network element, the message processing method provided in this embodiment of the present application may further include: the application function network element sends a seventh message to the control plane network element, wherein the seventh message carries the first service identifier and requests the control plane network element to report when it detects that the first terminal uses the first service identifier. That is to say, in the embodiment of the present application, the application function network element may subscribe in advance to a report from the control plane network element for the case where the first terminal is detected using the unavailable service identifier, and the control plane network element can then report to the application function network element in time after detecting that the first terminal uses the unavailable service identifier.
With reference to the first aspect, the second aspect, or the third aspect, in a possible design, the first service identifier in this embodiment may be a service identifier that is not available to the first terminal.
In this case, for example, the first packet processing policy may be the same as the second packet processing policy; the second message processing policy is a message processing policy corresponding to a second service identifier, and the second service identifier is a service identifier available to the first terminal. That is, in this embodiment of the application, when the first service identifier is a service identifier that is not available to the first terminal, the message processing policy corresponding to the first service identifier may be a message processing policy corresponding to a service identifier that is available to the first terminal. For example, the user of the first terminal is a normal user of the first service, and if the first service identifier is a service identifier corresponding to a high-level user of the first service, the first packet processing policy corresponding to the first service identifier should be a packet processing policy corresponding to the normal user of the first service, that is, degradation processing is enforced.
Optionally, in this case, for example, the first packet processing policy may be to discard the encrypted packet.
With reference to the first aspect, the second aspect, or the third aspect, in a possible design, the first service identifier in this embodiment may be a service identifier available to the first terminal.
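The per-terminal lookup described in the first to third aspects, shown as an added Python example (not code from the patent) using the background's application A identifiers abc and def. The class names, policy identifiers (`P-paid`, `P-ordinary`, `P-drop`), terminal identifiers, the default for unconfigured pairs, and keying the report subscription by terminal as well as service identifier are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    bandwidth: str          # guaranteed bandwidth, units as written on the page
    charging: str
    drop: bool = False      # True models the "discard the encrypted message" option


@dataclass(frozen=True)
class Packet:
    terminal_id: str        # cleartext header field
    service_id: str         # cleartext header field
    payload: bytes          # encrypted end to end; never inspected here


# Assumption: a (terminal, service id) pair with no configured entry gets
# plain default forwarding, as the background describes for unidentified services.
DEFAULT = Policy(bandwidth="best effort", charging="default")


@dataclass
class UserPlane:
    policies: dict = field(default_factory=dict)    # second correspondence: policy id -> policy
    first_corr: dict = field(default_factory=dict)  # first correspondence: (terminal, service id) -> policy
    watched: set = field(default_factory=set)       # pairs the control plane asked to hear about
    reports: list = field(default_factory=list)     # first indication information sent upstream

    def on_third_message(self, table):
        """Control plane installs the policy-id -> policy table."""
        self.policies.update(table)

    def on_second_message(self, terminal_id, service_to_policy_id):
        """Control plane binds one terminal's service ids to policy ids.

        Every id is resolved before anything is stored, so an unknown
        policy id raises KeyError and leaves the table unchanged.
        """
        resolved = {(terminal_id, sid): self.policies[pid]
                    for sid, pid in service_to_policy_id.items()}
        self.first_corr.update(resolved)

    def on_fourth_message(self, terminal_id, service_id):
        """Control plane subscribes to use of an unavailable service id."""
        self.watched.add((terminal_id, service_id))

    def process(self, pkt):
        """Pick the policy from (terminal id, service id), never from the service id alone."""
        key = (pkt.terminal_id, pkt.service_id)
        if key in self.watched:
            self.reports.append(key)
        policy = self.first_corr.get(key, DEFAULT)
        return ("drop" if policy.drop else "forward", policy)


def build_user_plane(unavailable_policy_id):
    """Constructed scenario: ue-paid is a paid user, ue-ordinary an ordinary user."""
    upf = UserPlane()
    upf.on_third_message({
        "P-paid": Policy("10mb/s", "post-payment"),
        "P-ordinary": Policy("5mb/s", "prepayment"),
        "P-drop": Policy("none", "none", drop=True),
    })
    upf.on_second_message("ue-paid", {"abc": "P-paid"})
    # abc is unavailable to ue-ordinary: bind it to the degraded or the drop policy.
    upf.on_second_message("ue-ordinary",
                          {"def": "P-ordinary", "abc": unavailable_policy_id})
    upf.on_fourth_message("ue-ordinary", "abc")
    return upf


if __name__ == "__main__":
    upf = build_user_plane("P-ordinary")
    for ue in ("ue-paid", "ue-ordinary"):
        print(ue, upf.process(Packet(ue, "abc", b"\x17\x03\x03")))
    print("reported:", upf.reports)
```

With `P-ordinary` bound to the unavailable identifier, the ordinary terminal presenting abc is forwarded at its own 5mb/s prepayment strategy; with `P-drop` the message is discarded. In both cases the use is recorded for reporting to the control plane.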
In a fourth aspect, a method for processing a packet is provided, where the method includes: an application function network element acquires an identifier of a first terminal and a first service identifier, where the first service identifier is a service identifier available to the first terminal among a plurality of service identifiers corresponding to a first service; the application function network element sends a first message to the first terminal, where the first message carries a first correspondence between the first service identifier and a first key, and the first key is used for encrypting the first service identifier; and the application function network element sends a second message to the control plane network element, where the second message carries a second correspondence between the identifier of the first terminal, a second key, and the first service identifier, and the second key is used for decrypting the first service identifier.
It should be noted that the first key and the second key in this embodiment of the application are a pair of keys having a corresponding relationship; that is, after the first terminal encrypts the first service identifier using the first key, the control plane network element may decrypt the encrypted first service identifier using the second key to obtain the first service identifier. This description applies throughout this specification and is not repeated below.
Based on this scheme, the service identifier in the header of the encrypted message is encrypted with the first key, and the user plane network element can obtain the second key, which corresponds to the first key and is used for decrypting the service identifier. If the user plane network element receives a service identifier that was not encrypted with the first key, decryption fails and the service identifier cannot be obtained, so the received encrypted message cannot be processed with a corresponding message processing policy. This reduces the impact on the AS caused by the 5GC equipment obtaining a service identifier that does not belong to a given terminal.
In a fifth aspect, a method for processing a packet is provided, where the method includes: a user plane network element receives a third message from a control plane network element, where the third message carries a second correspondence between an identifier of a first terminal, a second key, and a first service identifier, the first service identifier is a service identifier available to the first terminal among a plurality of service identifiers corresponding to a first service, and the second key is used for decrypting the first service identifier; the user plane network element receives a first encrypted message from the first terminal, where the header of the first encrypted message carries the first service identifier encrypted with a first key; the user plane network element decrypts the encrypted first service identifier with the second key to obtain the first service identifier; and the user plane network element determines a first message processing policy corresponding to the first service identifier and processes the first encrypted message according to the first message processing policy. For the technical effects of the fifth aspect, refer to the fourth aspect; details are not described herein again.
A sixth aspect provides a message processing method, including: a first terminal receives a first message from an application function network element, where the first message carries a first correspondence between a first service identifier and a first key, the first service identifier is a service identifier available to the first terminal among a plurality of service identifiers corresponding to a first service, and the first key is used for encrypting the first service identifier; the first terminal uses the first key to encrypt the first service identifier carried in the header of a first encrypted message to be sent; and the first terminal sends the first encrypted message to the user plane network element. For the technical effects of the sixth aspect, refer to the fourth aspect; details are not described herein again.
With reference to the fourth aspect, the fifth aspect, or the sixth aspect, in a possible design, the first key in the embodiment of the present application may be a private key, and the second key may be a public key.
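The key-bound header field of the fourth to sixth aspects, as an added sketch that is not code from the patent: it assumes the first and second keys are one shared secret and substitutes an HMAC-SHA256 encrypt-then-MAC construction from the Python standard library for the unspecified cipher (the private/public design would swap in an asymmetric primitive). All names, identifiers and policy labels are constructed, and the UPF is assumed to know the sending terminal from its session.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 16
NO_POLICY = "no-policy"  # hypothetical marker: the UPF found no policy to apply


def _subkey(key, label):
    """Derive independent encryption and MAC keys from the provisioned key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, a stdlib stand-in for the page's cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal_service_id(first_key, service_id):
    """Terminal: encrypt the service identifier that goes into the header."""
    nonce = os.urandom(NONCE_LEN)
    plain = service_id.encode()
    stream = _keystream(_subkey(first_key, b"enc"), nonce, len(plain))
    cipher = bytes(p ^ s for p, s in zip(plain, stream))
    tag = hmac.new(_subkey(first_key, b"mac"), nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag[:TAG_LEN]


def open_service_id(second_key, blob):
    """UPF: return the service identifier, or None when decryption fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, cipher, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    good = hmac.new(_subkey(second_key, b"mac"), nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good[:TAG_LEN]):
        return None
    stream = _keystream(_subkey(second_key, b"enc"), nonce, len(cipher))
    return bytes(c ^ s for c, s in zip(cipher, stream)).decode()


def as_provision(terminal_id, service_id):
    """AS: build the first message (to the terminal) and second message (to the SMF)."""
    key = os.urandom(32)  # assumption: first key and second key are one shared secret
    first = {"service_id": service_id, "first_key": key}
    second = {"terminal_id": terminal_id, "second_key": key, "service_id": service_id}
    return first, second


class Upf:
    def __init__(self, policies):
        self.policies = policies  # service identifier -> policy
        self.bindings = {}        # terminal identifier -> (second key, service identifier)

    def install(self, third_message):
        """Store the second correspondence relayed by the control plane."""
        self.bindings[third_message["terminal_id"]] = (
            third_message["second_key"], third_message["service_id"])

    def process(self, terminal_id, header_blob):
        """Decrypt the header field and pick the policy, or report NO_POLICY."""
        binding = self.bindings.get(terminal_id)
        if binding is None:
            return NO_POLICY
        second_key, provisioned_sid = binding
        sid = open_service_id(second_key, header_blob)
        if sid is None or sid != provisioned_sid:
            return NO_POLICY
        return self.policies.get(sid, NO_POLICY)


def run_scenario():
    """Constructed scenario: two terminals, one service with two identifiers."""
    upf = Upf({"SID-NORMAL": "normal-qos", "SID-PREMIUM": "premium-qos"})
    first_a, second_a = as_provision("ue-a", "SID-PREMIUM")
    first_b, second_b = as_provision("ue-b", "SID-NORMAL")
    upf.install(second_a)  # the SMF relays the same fields as the third message
    upf.install(second_b)
    header_a = seal_service_id(first_a["first_key"], first_a["service_id"])
    header_b = seal_service_id(first_b["first_key"], first_b["service_id"])
    return {
        "ue-a, own header": upf.process("ue-a", header_a),
        "ue-b, own header": upf.process("ue-b", header_b),
        "ue-b, identifier sealed under ue-a's key": upf.process("ue-b", header_a),
        "ue-b, identifier not encrypted": upf.process("ue-b", b"SID-PREMIUM"),
    }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case}: {result}")
```

Only a header field sealed under the key provisioned for that terminal yields a policy; every other input leaves the UPF without a service identifier to match.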
In a seventh aspect, there is provided a user plane network element having a function of implementing the method of any one of the first aspect or the fifth aspect. The function can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the functions described above.
In an eighth aspect, there is provided a user plane network element, comprising: a processor and a memory; the memory is configured to store computer-executable instructions, and when the user plane network element runs, the processor executes the computer-executable instructions stored in the memory, so as to enable the user plane network element to perform the message processing method according to any one of the first aspect or the fifth aspect.
In a ninth aspect, there is provided a user plane network element, comprising: a processor; the processor is configured to couple with the memory, and after reading an instruction in the memory, execute the message processing method according to any one of the first aspect or the fifth aspect.
A tenth aspect provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to perform the message processing method of any one of the first or fifth aspects.
In an eleventh aspect, there is provided a computer program product containing instructions which, when run on a computer, enable the computer to perform the message processing method of any of the first or fifth aspects.
In a twelfth aspect, an apparatus (for example, the apparatus may be a system on a chip) is provided, where the apparatus includes a processor, configured to support a user plane network element to implement the functions referred to in the first aspect, for example, to obtain a first correspondence between an identifier of a first terminal, one or more service identifiers corresponding to a first service, and one or more message processing policies. In one possible design, the apparatus further includes a memory for storing program instructions and data necessary for the user plane network element. When the device is a chip system, the device may be composed of a chip, or may include a chip and other discrete devices.
For technical effects brought by any one of the design manners in the seventh aspect to the twelfth aspect, reference may be made to technical effects brought by different design manners in the first aspect or the fifth aspect, and details are not described here.
In a thirteenth aspect, there is provided an application function network element having a function of implementing the method of any one of the second aspect, the third aspect or the fourth aspect. The function can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the functions described above.
In a fourteenth aspect, there is provided an application function network element, including: a processor and a memory; the memory is configured to store computer-executable instructions, and when the application function network element runs, the processor executes the computer-executable instructions stored in the memory, so as to enable the application function network element to execute the message processing method according to any one of the second aspect, the third aspect, or the fourth aspect.
In a fifteenth aspect, an application function network element is provided, including: a processor; the processor is configured to couple with the memory, and after reading the instruction in the memory, execute the message processing method according to any one of the second aspect, the third aspect, or the fourth aspect.
In a sixteenth aspect, there is provided a computer-readable storage medium having instructions stored therein, which when run on a computer, enable the computer to perform the message processing method of any of the second or third or fourth aspects.
A seventeenth aspect provides a computer program product comprising instructions which, when run on a computer, enable the computer to perform the message processing method of any of the second or third or fourth aspects.
In an eighteenth aspect, an apparatus (for example, the apparatus may be a system on a chip) is provided, where the apparatus includes a processor, configured to support an application function network element to implement the functions related to any of the second aspect, the third aspect, or the fourth aspect, for example, to obtain an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of one or more message processing policies. In one possible design, the apparatus further includes a memory for storing program instructions and data necessary for the application function network element. When the device is a chip system, the device may be composed of a chip, or may include a chip and other discrete devices.
For technical effects brought by any one of the design manners in the thirteenth aspect to the eighteenth aspect, reference may be made to technical effects brought by different design manners in the second aspect, the third aspect, or the fourth aspect, and details are not repeated here.
A nineteenth aspect provides a first terminal having a function of implementing the method of any one of the above sixth aspects. The function can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the functions described above.
In a twentieth aspect, there is provided a first terminal comprising: a processor and a memory; the memory is configured to store computer execution instructions, and when the first terminal runs, the processor executes the computer execution instructions stored in the memory, so that the first terminal executes the message processing method according to any one of the above sixth aspects.
In a twenty-first aspect, there is provided a first terminal comprising: a processor; the processor is configured to be coupled to the memory, and after reading the instruction in the memory, execute the message processing method according to any one of the above sixth aspects according to the instruction.
In a twenty-second aspect, there is provided a computer-readable storage medium having stored therein instructions, which, when run on a computer, enable the computer to execute the message processing method of any one of the above-mentioned sixth aspects.
A twenty-third aspect provides a computer program product containing instructions which, when run on a computer, enable the computer to perform the message processing method of any of the sixth aspects above.
A twenty-fourth aspect provides an apparatus (which may be a system-on-chip, for example), which includes a processor configured to enable a first terminal to implement the functions referred to in the above-mentioned sixth aspect, such as encrypting, by using a first key, a first service identifier carried in a header of a first encrypted message to be sent. In one possible design, the apparatus further includes a memory for storing necessary program instructions and data for the first terminal. When the device is a chip system, the device may be composed of a chip, or may include a chip and other discrete devices.
The technical effects brought by any one of the design manners in the nineteenth aspect to the twenty-fourth aspect can be seen in the technical effects brought by different design manners in the sixth aspect, and are not described herein again.
A twenty-fifth aspect provides a message processing system, where the message processing system includes a user plane network element, and the user plane network element is configured to execute the steps executed by the user plane network element in the first aspect or the fifth aspect or in the scheme provided in this embodiment.
In a possible design, the message processing system may further include an application function network element, where the application function network element is configured to perform the steps performed by the application function network element in the second aspect, the third aspect, or the fourth aspect, or in the scheme provided in this embodiment of the present application.
In a possible design, the message processing system may further include other devices, such as a control plane network element or a first terminal, for interacting with the user plane network element and/or the application function network element in the solution provided in the embodiment of the present application.
These and other aspects of the present application will be more readily apparent from the following description of the embodiments.
Drawings
Fig. 1 illustrates a conventional message processing method;
Fig. 2 is a schematic structural diagram of a message processing system according to an embodiment of the present application;
Fig. 3 is a schematic architecture diagram of a 5G network according to an embodiment of the present application;
Fig. 4 is a schematic hardware structure diagram of a communication device according to an embodiment of the present application;
Fig. 5 is a first schematic flowchart of a message processing method according to an embodiment of the present application;
Fig. 6 is a second schematic flowchart of a message processing method according to an embodiment of the present application;
Fig. 7 is a third schematic flowchart of a message processing method according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a user plane network element according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an application function network element according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a first terminal according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. In the description of the present application, "/" means "or"; for example, A/B may indicate A or B. "And/or" herein merely describes an association between associated objects and means that three relationships are possible; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. Also, in the description of the present application, "a plurality" means two or more unless otherwise specified. In addition, to facilitate clear description of the technical solutions of the embodiments of the present application, terms such as "first" and "second" are used in the embodiments of the present application to distinguish the same items or similar items having substantially the same functions and actions. Those skilled in the art will appreciate that the terms "first," "second," etc. do not denote any order or quantity, nor do the terms "first," "second," etc. denote any order or importance.
In addition, the network architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not constitute a limitation to the technical solution provided in the embodiment of the present application, and it can be known by a person skilled in the art that the technical solution provided in the embodiment of the present application is also applicable to similar technical problems along with the evolution of the network architecture and the appearance of a new service scenario.
As shown in fig. 2, a message processing system 20 according to an embodiment of the present invention is provided. The message processing system 20 comprises a user plane network element 201 and an application function network element 202. Optionally, as shown in fig. 2, the message processing system 20 may further include a control plane network element 203.
Optionally, based on the message processing system 20, in a possible implementation manner:
the application function network element 202 is configured to obtain an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of one or more message processing policies, where the one or more message processing policies correspond to the one or more service identifiers, respectively.
The application function network element 202 is further configured to send a first message to the control plane network element 203, where the first message carries the identifier of the first terminal, the one or more service identifiers, and the identifiers of the one or more message processing policies.
The control plane network element 203 is configured to receive the first message from the application function network element 202 and send a second message to the user plane network element 201, where the second message carries the identifier of the first terminal, the one or more service identifiers, and the identifiers of the one or more message processing policies.
The user plane network element 201 is configured to receive the second message from the control plane network element 203, determine the one or more message processing policies according to the identifiers of the one or more message processing policies and a second corresponding relationship between those identifiers and the one or more message processing policies, and then establish a first corresponding relationship between the identifier of the first terminal, the one or more service identifiers, and the one or more message processing policies.
The user plane network element 201 is further configured to receive a first encrypted message from the first terminal, where the first encrypted message carries an identifier of the first terminal and a first service identifier.
The user plane network element 201 is further configured to, after determining a first packet processing policy corresponding to the identifier of the first terminal and the first service identifier according to the first service identifier, the identifier of the first terminal, and the first corresponding relationship, process the first encrypted packet according to the first packet processing policy.
Optionally, based on the message processing system 20, in another possible implementation manner:
the application function network element 202 is configured to obtain a first correspondence relationship between an identifier of the first terminal, one or more service identifiers corresponding to the first service, and one or more message processing policies, where the one or more message processing policies correspond to the one or more service identifiers, respectively.
The application function network element 202 is further configured to send a first message to the control plane network element 203, where the first message carries the first corresponding relationship.
The control plane network element 203 is configured to receive the first message from the application function network element 202 and send a second message to the user plane network element 201, where the second message carries the first corresponding relationship.
The user plane network element 201 is configured to receive the second message from the control plane network element 203.
The user plane network element 201 is further configured to receive a first encrypted message from the first terminal, where the first encrypted message carries an identifier of the first terminal and a first service identifier.
The user plane network element 201 is further configured to, after determining a first packet processing policy corresponding to the identifier of the first terminal and the first service identifier according to the first service identifier, the identifier of the first terminal, and the first corresponding relationship, process the first encrypted packet according to the first packet processing policy.
Optionally, the first service identifier in this embodiment of the application may be a service identifier available to the first terminal, or the first service identifier may be a service identifier unavailable to the first terminal, which is not specifically limited in this embodiment of the application.
Optionally, in this embodiment of the application, when the first service identifier is a service identifier not available to the first terminal, the first packet processing policy may be the same as a second packet processing policy, where the second packet processing policy is the packet processing policy corresponding to a second service identifier, and the second service identifier is a service identifier available to the first terminal. That is, in this embodiment of the application, when the first service identifier is not available to the first terminal, the packet processing policy corresponding to the first service identifier may be the packet processing policy corresponding to a service identifier that is available to the first terminal. For example, if the user of the first terminal is a normal user of the first service and the first service identifier corresponds to a high-level user of the first service, the first packet processing policy corresponding to the first service identifier should be the packet processing policy corresponding to a normal user of the first service; that is, degradation processing is enforced.
Optionally, in this embodiment of the application, when the first service identifier is a service identifier available to the first terminal, the first packet processing policy in this embodiment of the application may be to discard a packet, which is not specifically limited in this embodiment of the application.
Optionally, the application function network element 202 and the control plane network element 203 in this embodiment may communicate directly, or communicate through forwarding of other devices, which is not specifically limited in this embodiment.
Optionally, the user plane network element 201 and the control plane network element 203 in this embodiment may communicate directly, or communicate through forwarding of other devices, which is not specifically limited in this embodiment of the present application.
Based on the message processing system provided in the embodiment of the present application, the first corresponding relationship between the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies can be configured on the user plane network element, where the one or more service identifiers correspond to the one or more message processing policies, respectively. Therefore, after the user plane network element receives any one of the one or more service identifiers from the first terminal, it can determine the corresponding message processing policy according to the first corresponding relationship and process the received encrypted message with that policy, which reduces the impact on the AS caused by the 5GC equipment obtaining a service identifier that does not belong to a given terminal.
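The provisioning chain and per-packet lookup of the first implementation manner (AS to control plane to user plane, then policy selection from the cleartext header), as an added Python sketch that is not code from the patent. Identifiers, policy values, function names and the drop-on-no-entry behaviour are assumptions; it shows that an identifier unavailable to a terminal resolves to the degraded or drop policy.

```python
from dataclasses import dataclass

# Constructed sample data: identifiers of one service and their nominal policy ids.
SERVICE_POLICY_IDS = {"SID-NORMAL": "POL-1", "SID-PREMIUM": "POL-2"}

# Second corresponding relationship, held by the UPF: policy identifier -> policy.
POLICIES = {
    "POL-1": ("forward", 10),     # normal user, 10 Mbit/s (constructed value)
    "POL-2": ("forward", 100),    # high-level user, 100 Mbit/s (constructed value)
    "POL-DROP": ("drop", 0),
}


@dataclass(frozen=True)
class Provisioning:
    """Body of the first message (AS -> SMF) and second message (SMF -> UPF)."""
    terminal_id: str
    entries: tuple  # ((service_id, policy_id), ...)


def as_build_first_message(terminal_id, available, fallback_sid, unavailable="degrade"):
    """AS: emit an entry for every identifier of the service.

    Identifiers the terminal may use keep their own policy. Identifiers it may
    not use get the policy of `fallback_sid` (degrade) or the drop policy.
    """
    if fallback_sid not in available:
        raise ValueError("fallback must be an identifier available to the terminal")
    entries = []
    for sid, policy_id in SERVICE_POLICY_IDS.items():
        if sid not in available:
            if unavailable == "degrade":
                policy_id = SERVICE_POLICY_IDS[fallback_sid]
            else:
                policy_id = "POL-DROP"
        entries.append((sid, policy_id))
    return Provisioning(terminal_id, tuple(entries))


def smf_relay(first_message):
    """SMF: forward the same fields to the UPF as the second message."""
    return Provisioning(first_message.terminal_id, first_message.entries)


class Upf:
    def __init__(self):
        self.first_correspondence = {}  # (terminal_id, service_id) -> policy

    def install(self, second_message):
        """Resolve policy identifiers and build the first corresponding relationship."""
        for sid, policy_id in second_message.entries:
            key = (second_message.terminal_id, sid)
            self.first_correspondence[key] = POLICIES[policy_id]

    def process(self, packet):
        """Pick the policy from the cleartext header; the payload stays opaque."""
        key = (packet["terminal_id"], packet["service_id"])
        # Assumption: no matching entry means drop; the page does not define this case.
        return self.first_correspondence.get(key, POLICIES["POL-DROP"])


def run_scenario(unavailable="degrade"):
    """Constructed packets: a normal user, the same user claiming the
    high-level identifier, and a genuine high-level user."""
    upf = Upf()
    upf.install(smf_relay(as_build_first_message(
        "ue-normal", {"SID-NORMAL"}, "SID-NORMAL", unavailable)))
    upf.install(smf_relay(as_build_first_message(
        "ue-premium", {"SID-NORMAL", "SID-PREMIUM"}, "SID-NORMAL")))
    packets = [
        {"terminal_id": "ue-normal", "service_id": "SID-NORMAL", "payload": b"\x17\x03\x03"},
        {"terminal_id": "ue-normal", "service_id": "SID-PREMIUM", "payload": b"\x17\x03\x03"},
        {"terminal_id": "ue-premium", "service_id": "SID-PREMIUM", "payload": b"\x17\x03\x03"},
    ]
    return [upf.process(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario("degrade"))
    print(run_scenario("drop"))
```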
Optionally, the message processing system 20 shown in fig. 2 may be applied to a Software Defined Network (SDN) network, a current fourth generation (4G) network, a current 5G network, and other future networks, which is not specifically limited in this embodiment of the present application.
For example, assuming that the message processing system 20 shown in fig. 2 is applied to the current 5G network, as shown in fig. 3, a network element or an entity corresponding to the user plane network element 201 may be a User Plane Function (UPF) network element in the 5G network; the network element or entity corresponding to the control plane network element 203 may be a Session Management Function (SMF) network element or a Policy Control Function (PCF) network element in a 5G network; the network element or entity corresponding to the application function network element 202 may be an AS in a 5G network.
In addition, as shown in fig. 3, the 5G network may further include an access and mobility management function (AMF) network element, an authentication server function (AUSF) network element, or a Unified Data Management (UDM) network element, and specifically, reference may be made to an existing 5G network architecture, which is not specifically limited in this embodiment of the present invention.
As shown in fig. 3, in the embodiment of the present application, a terminal accesses a 5G core network through an access device, and the terminal communicates with an AMF network element through a next generation network (N) 1 interface (abbreviated as N1); the access device communicates with the AMF network element through an N2 interface (N2 for short); the access device communicates with the UPF network element through an N3 interface (N3 for short); the AMF network element communicates with the SMF network element through an N11 interface (N11 for short); the AMF network element communicates with the UDM network element through an N8 interface (N8 for short); the AMF network element communicates with the AUSF network element through an N12 interface (N12 for short); the AMF network element communicates with the PCF network element through an N15 interface (N15 for short); the SMF network element communicates with the PCF network element through an N7 interface (N7 for short); the SMF network element communicates with the UPF network element through an N4 interface (N4 for short); the PCF network element communicates with the AS through an N5 interface (N5 for short).
It should be noted that the interface name between each network element in fig. 3 is only an example, and the interface name may be other names in a specific implementation, which is not specifically limited in this embodiment of the present application.
It should be noted that the terminal, the access device, the AMF network element, the SMF network element, the UDM network element, the AUSF network element, the PCF network element, the UPF network element, or the AS in fig. 3 is only a name, and the name does not limit the device itself. In the 5G network and other future networks, a network element or an entity corresponding to a terminal, an access device, an AMF network element, an SMF network element, a UDM network element, an AUSF network element, a PCF network element, a UPF network element, or an AS may also be another name, which is not specifically limited in this embodiment of the present application.
Optionally, the terminal referred to in the embodiments of the present application may include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices, or other processing devices connected to a wireless modem; it may also include a subscriber unit, a cellular phone, a smart phone, a wireless data card, a personal digital assistant (PDA) computer, a tablet computer, a wireless modem, a handheld device, a laptop computer, a cordless phone or a wireless local loop (WLL) station, a machine type communication (MTC) terminal, a user equipment (UE), a mobile station (MS), a terminal device, a relay user equipment, and the like. The relay user equipment may be, for example, a 5G home gateway (RG). For convenience of description, the above-mentioned devices are collectively referred to as a terminal in this application.
Optionally, the access device referred to in this embodiment of the present application refers to a device that accesses a core network, and may be, for example, a base station, a broadband network service gateway (BNG), a convergence switch, a non-3rd generation partnership project (3GPP) access device, and the like. The base stations may include various forms of base stations, such as macro base stations, micro base stations (also referred to as small stations), relay stations, access points, etc.
Optionally, in this embodiment of the present application, the user plane network element, the application function network element, or the control plane network element in fig. 2 may be implemented by one device, may also be implemented by multiple devices together, or may be one functional module in one device, which is not specifically limited in this embodiment of the present application. It is understood that the above functions may be either network elements in a hardware device, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (e.g., a cloud platform).
For example, in the embodiment of the present application, the user plane network element, the application function network element, or the control plane network element in fig. 2 may be implemented by the communication device in fig. 4. Fig. 4 is a schematic diagram illustrating a hardware structure of a communication device according to an embodiment of the present application. The communication device 400 includes at least one processor 401, a communication line 402, a memory 403 and at least one communication interface 404.
The processor 401 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of programs in accordance with the present invention.
The communication line 402 may include a path for communicating information between the aforementioned components.
The communication interface 404 may be any device, such as a transceiver, for communicating with other devices or communication networks, such as an ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), etc.
The memory 403 may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may be separate and coupled to the processor via a communication line 402. The memory may also be integral to the processor.
The memory 403 is used for storing computer-executable instructions for carrying out the present invention, and their execution is controlled by the processor 401. The processor 401 is configured to execute the computer-executable instructions stored in the memory 403, so as to implement the message processing method provided in the following embodiments of the present application.
Optionally, the computer-executable instructions in the embodiments of the present application may also be referred to as application program codes, which are not specifically limited in the embodiments of the present application.
In a particular implementation, as an embodiment, the processor 401 may include one or more CPUs, such as CPU0 and CPU1 in fig. 4.
In a particular implementation, as an embodiment, the communication device 400 may include multiple processors, such as the processor 401 and the processor 408 in fig. 4. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In a particular implementation, as an embodiment, the communication device 400 may also include an output device 405 and an input device 406. The output device 405 is in communication with the processor 401 and may display information in a variety of ways. For example, the output device 405 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like. The input device 406 is in communication with the processor 401 and may receive user input in a variety of ways. For example, the input device 406 may be a mouse, a keyboard, a touch screen device, or a sensing device, among others.
The communication device 400 described above may be a general purpose device or a special purpose device. In a specific implementation, the communication device 400 may be a desktop, a laptop, a web server, a Personal Digital Assistant (PDA), a mobile phone, a tablet, a wireless terminal device, an embedded device, or a device with a similar structure as in fig. 4. The embodiment of the present application does not limit the type of the communication apparatus 400.
The following describes the message processing method provided in the embodiment of the present application in detail with reference to fig. 2 to 4.
It should be noted that, in the following embodiments of the present application, names of messages between network elements or names of parameters in messages are only an example, and other names may also be used in a specific implementation, which is not specifically limited in this embodiment of the present application.
First, take as an example the case where the message processing system shown in fig. 2 is applied to the 5G network shown in fig. 3, where the user plane network element is specifically a UPF network element in the 5G network, the control plane network element is specifically an SMF network element in the 5G network, and the application function network element is specifically an AS in the 5G network. As shown in fig. 5, a message processing method provided in an embodiment of the present application includes the following steps:
Optionally, the message processing method provided in the embodiment of the present application includes the following steps S501 to S503:
S501, the AS sends a request message 1 to the SMF network element, so that the SMF network element receives the request message 1 from the AS. The request message 1 carries a second correspondence between one or more message processing policies and the identifiers of the one or more message processing policies.
It should be noted that, the identifier of the message processing policy in the embodiment of the present application is used to identify the message processing policy, and may be an identifier in any form. The message processing policy in the embodiment of the present application refers to information used for processing the received encrypted message, such as what the guaranteed transmission bandwidth of the encrypted message is, what the charging mode is, and the like, and is described in a unified manner herein and will not be described in detail below.
The AS in the embodiment of the present application may include one or more applications, one application may include one or more services, one service may correspond to one or more service identifiers, and one service identifier may correspond to one packet processing policy. Therefore, the one or more message processing policies in the embodiment of the present application may include, for example, one or more message processing policies respectively corresponding to one or more service identifiers under the AS.
For example, the AS may include an application 1, the application 1 may include a video service and a music service, and the video service in the application 1 may include a service identifier 1 and a service identifier 2, where the service identifier 1 is used to represent a general user service corresponding to a video in the application 1, and the service identifier 2 is used to represent a high-level user service corresponding to a video in the application 1. The message processing policy 1 corresponding to the service identifier 1 may be: ensuring the transmission bandwidth to be 5mb/s, and the charging mode is prepayment; the message processing policy 2 corresponding to the service identifier 2 may be: the transmission bandwidth is guaranteed to be 10mb/s, and the charging mode is postpaid. Therefore, in this embodiment of the present application, the one or more message processing policies may include, for example, the message processing policy 1 corresponding to the service identifier 1 and the message processing policy 2 corresponding to the service identifier 2.
Optionally, in this embodiment of the present application, the message processing policies corresponding to different service identifiers may be the same or different, and this is not specifically limited in this embodiment of the present application. The different service identifiers may be service identifiers of different services under the same application, or service identifiers under different applications, which is not specifically limited in this embodiment of the present application.
Illustratively, the message processing policy corresponding to the service identifier 1 of the service 1 under the application 1 may be the same as or different from the message processing policy corresponding to the service identifier 4 of the service 2 under the application 1; or, the message processing policy corresponding to the service identifier 1 of the service 1 in the application 1 may be the same as or different from the message processing policy corresponding to the service identifier 4 of the service 1 in the application 2, which is not specifically limited in this embodiment of the present application.
In addition, the one or more message processing policies in this embodiment may further include a default message processing policy, so that the default message processing policy can later be mapped to the service identifiers that are unavailable to the first terminal. Then, after receiving from the first terminal an encrypted message carrying a service identifier that is unavailable to the first terminal, the UPF network element may process the encrypted message according to the default message processing policy, which is not specifically limited in this embodiment of the present application. Illustratively, the default message processing policy may be, for example, to drop the message.
Based on this, the request message 1 may carry the correspondence between one or more message processing policies and the identifiers of the one or more message processing policies, as shown in table one:
Table one
Identifier of message processing policy | Message processing policy
Identifier 1 of message processing policy | Message processing policy 1
Identifier 2 of message processing policy | Message processing policy 2
Identifier 3 of message processing policy | Message processing policy 3
Identifier 4 of message processing policy | Message processing policy 4 (default message processing policy)
…… | ……
S502, the SMF network element sends a request message 2 to the UPF network element, so that the UPF network element receives the request message 2 from the SMF network element. The request message 2 carries one or more message processing policies and a second correspondence of the identifiers of the one or more message processing policies.
For the related description of the second correspondence, refer to step S501; it is not repeated here.
It should be noted that, in this embodiment of the present application, if a plurality of message processing policies and identifiers of corresponding message processing policies need to be configured, the plurality of message processing policies and identifiers of corresponding message processing policies may be configured once through steps S501 and S502, or configured for multiple times through repeatedly executing steps S501 and S502, for example, one message processing policy and an identifier of a corresponding message processing policy are configured once, which is not specifically limited in this embodiment of the present application.
It should be noted that, in this embodiment of the present application, if there are multiple message processing policies, the second corresponding relationship of the multiple message processing policies and the identifiers of the multiple message processing policies may be sent to the UPF network element through step S501 and step S502 at a time; the step S501 and the step S502 may be repeatedly executed to send the second corresponding relationship of the identifiers of the multiple message processing policies and the multiple message processing policies to the UPF network element. For example, step S501 and step S502 are executed once, and the correspondence 1 between the packet processing policy 1 and the identifier 1 of the packet processing policy may be sent to the UPF network element; step S501 and step S502 are executed again, and the corresponding relationship 2 between the message processing policy 2 and the identifier 2 of the message processing policy may be sent to the UPF network element, and the like, which is not specifically limited in this embodiment of the present application.
S503, the UPF network element stores the second corresponding relation between the identifier of the one or more message processing strategies and the one or more message processing strategies.
For example, after the UPF network element receives the request message 2 from the SMF network element, the corresponding relationship shown in table one may be stored according to the request message 2, and the relevant description may refer to step S501, which is not described herein again.
In the message processing method provided in the embodiment of the present application, the steps S501 to S503 are optional steps, which are described in a unified manner and are not described in detail below.
The message processing method provided in the embodiment of the present application may further include the following steps S504 to S507 (it can be understood that one or more terminals exist in the network, and the following description is given by taking the first terminal as an example):
S504, the AS determines one or more message processing strategies corresponding to the identifier of the first terminal and one or more service identifiers corresponding to the first service, wherein the one or more message processing strategies correspond to the one or more service identifiers respectively.
Optionally, in this embodiment of the application, after the first terminal initiates a session of a first service of the AS, the AS may determine one or more packet processing policies corresponding to the identifier of the first terminal and one or more service identifiers corresponding to the first service. For example, after the first terminal initiates a session of a first service to the AS, the AS may know the identity of the first terminal and information of the first service, which may be, for example, a name of the first service, such AS a video service of application 1. Furthermore, the AS may obtain, according to the identifier of the first terminal and the information of the first service, a service identifier available to the first terminal under the first service and a message processing policy corresponding to the service identifier available to the first terminal, in combination with subscription data of the first terminal (for example, the user of the first terminal is a common user of the video service under application 1). If the service identifier available to the first terminal is service identifier 1, service identifier 1 is used to characterize the general user service corresponding to the video in application 1. The message processing policy corresponding to the service identifier 1 is a message processing policy 1, and the message processing policy 1 may be, for example, a transmission bandwidth guaranteed to be "5 mb/s", and the charging mode is prepaid.
However, since the first service may correspond to a plurality of service identifiers, for the first service, the AS may further store the correspondence between other service identifiers except for the service identifier 1 and the packet processing policies respectively corresponding to the other service identifiers, for example, for the first service, the AS may store the correspondence between one or more service identifiers shown in the table two and one or more packet processing policies respectively corresponding to the one or more service identifiers:
Table two
Service identifier | Message processing policy
Service identifier 1 | Message processing policy 1
Service identifier 2 | Message processing policy 2
Service identifier 3 | Message processing policy 3
…… | ……
If the service identifier 2 is used to represent a high-level user service corresponding to a video under the application 1, the packet processing policy 2 corresponding to the service identifier 2 may be: ensuring the transmission bandwidth to be 10mb/s, and the charging mode is post-payment; the service identifier 3 is used for representing a star-level user service corresponding to the video under the application 1, and the message processing policy 3 corresponding to the service identifier 3 may be: the transmission bandwidth is ensured to be 20mb/s, and the charging mode is postpaid.
Therefore, after the AS acquires the service identifier available to the first terminal under the first service and the message processing policy corresponding to the available service identifier, the AS may further acquire a service identifier unavailable to the first terminal under the first service, and determine a message processing policy corresponding to the service identifier unavailable to the first terminal.
Optionally, in order to reduce the impact on the AS caused by the 5GC device obtaining a service identifier that does not belong to a certain terminal, the AS may determine that the message processing policy corresponding to a service identifier that is unavailable to the first terminal is either the message processing policy corresponding to the service identifier that is available to the first terminal or the default message processing policy, which is not specifically limited in this embodiment of the present application.
For example, it is assumed that, for the first service, the AS may store the correspondence between one or more service identifiers and one or more packet processing policies respectively corresponding to the one or more service identifiers. And, assume that the service identifier 1 is a service identifier available to the first terminal, and the service identifiers 2 and 3 are service identifiers unavailable to the first terminal. Then, one or more message processing policies corresponding to the identifier of the first terminal and the one or more service identifiers corresponding to the first service, which are determined by the AS, may be AS shown in table three or table four:
Table three [table image not reproduced]
Table four [table image not reproduced]
S505, the AS sends a request message 3 to the SMF network element, so that the SMF network element receives the request message 3 from the AS. The request message 3 carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of one or more message processing policies, and is configured to configure one or more message processing policies corresponding to the first terminal, where the identifiers of the one or more message processing policies correspond to the one or more service identifiers, respectively.
For example, assuming that the correspondence between one or more packet processing policies and the identifiers of the corresponding one or more packet processing policies is shown in table one, and one or more packet processing policies determined by the AS and corresponding to the identifier of the first terminal and the one or more service identifiers corresponding to the first service are shown in table three, the request message 3 may include the correspondence between the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the identifiers of the one or more packet processing policies, AS shown in table five:
Table five [table image not reproduced]
Or, for example, assuming that the correspondence between one or more packet processing policies and the identifiers of the corresponding one or more packet processing policies is shown in table one, and the one or more packet processing policies determined by the AS and corresponding to the identifier of the first terminal and the one or more service identifiers corresponding to the first service are shown in table four, the request message 3 may include the correspondence between the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the identifiers of the one or more packet processing policies, AS shown in table six:
Table six [table image not reproduced]
S506, the SMF network element sends a request message 4 to the UPF network element, so that the UPF network element receives the request message 4 from the SMF network element. The request message 4 carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of one or more message processing policies, and is configured to configure one or more message processing policies corresponding to the first terminal, where the one or more message processing policies correspond to the one or more service identifiers, respectively.
For the description of the one or more service identifiers corresponding to the first service and the message processing policy corresponding to the one or more service identifiers, reference may be made to step S505, which is not described herein again.
It should be noted that, in this embodiment of the application, if the first service includes multiple service identifiers, the identifier of the first terminal, multiple service identifiers corresponding to the first service, and identifiers of multiple message processing policies may be sent to the UPF network element once through step S505 and step S506; the identifier of the first terminal, the identifiers of the services corresponding to the first service, and the identifiers of the message processing policies may also be sent to the UPF network element by repeatedly executing steps S505 and S506. For example, step S505 and step S506 are executed once, and the identifier of the first terminal, the service identifier 1 corresponding to the first service, and the identifier 1 corresponding to the message processing policy may be sent to the UPF network element; step S505 and step S506 are executed again, and the identifier of the first terminal, the service identifier 2 corresponding to the first service, and the identifier 2 corresponding to the message processing policy may be sent to the UPF network element, and so on, which is not specifically limited in this embodiment of the application.
S507, the UPF network element establishes a first corresponding relation among the identifier of the first terminal, one or more service identifiers corresponding to the first service and one or more message processing strategies.
Optionally, in this embodiment of the application, after the UPF network element receives the request message 4 from the SMF network element, it may determine the one or more message processing policies respectively corresponding to the identifiers of the one or more message processing policies, according to the identifiers carried in the request message 4 and the correspondence between the identifiers of the one or more message processing policies and the one or more message processing policies stored in step S503. The UPF network element may then establish the first correspondence among the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies.
For example, assume that the correspondence between one or more message processing policies and the identifiers of the corresponding one or more message processing policies is as shown in table one, and that the correspondence among the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the identifiers of the one or more message processing policies is as shown in table five. The first correspondence among the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies may then be as shown in table three above, which is not described herein again.
Or, for example, assume that the correspondence between one or more message processing policies and the identifiers of the corresponding one or more message processing policies is as shown in table one, and that the correspondence among the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the identifiers of the one or more message processing policies is as shown in table six. The first correspondence among the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies may then be as shown in table four above, which is not described herein again.
The steps S501 to S507 exemplarily provide a configuration flow of one or more message processing policies corresponding to the first terminal. Optionally, the message processing method provided in this embodiment of the present application may further include the following steps S508 to S509:
S508, the AS sends indication information 1 to the SMF network element, so that the SMF network element receives the indication information 1 from the AS, where the indication information 1 is used to instruct the SMF network element to report when it is detected that the first terminal uses the service identifier A.
Optionally, in this embodiment of the application, the service identifier A is a service identifier that is not available to the first terminal. For example, the service identifier A may be the service identifier 2 or the service identifier 3 in the above example, which is not specifically limited in this embodiment of the application.
S509, the SMF network element sends indication information 2 to the UPF network element, so that the UPF network element receives the indication information 2 from the SMF network element, where the indication information 2 is used to instruct the UPF network element to report when it detects that the first terminal uses the service identifier A.
In the message processing method provided in the embodiment of the present application, the steps S508 to S509 are optional steps, which are described in a unified manner and are not described in detail below.
Further, in this embodiment of the present application, after one or more packet processing policies corresponding to the first terminal are configured, the packet processing method provided in this embodiment of the present application may further include the following steps S510 to S513:
S510, the first terminal adds the first service identifier to a header of the first encrypted message, that is, the first service identifier is not encrypted.
The first service identifier may be a service identifier available to the first terminal in the one or more service identifiers corresponding to the first service, or may be a service identifier unavailable to the first terminal in the one or more service identifiers corresponding to the first service, which is not specifically limited in this embodiment of the present application.
For example, the service identifier added to the header of the first encrypted message may be the service identifier 1, the service identifier 2, the service identifier 3, or the like in the above table two, which is not specifically limited in this embodiment of the application.
S511, the first terminal sends the first encrypted message to the UPF network element, so that the UPF network element receives the first encrypted message from the first terminal.
The first encrypted message carries a first service identifier and an identifier of the first terminal.
S512, the UPF network element determines, according to the first service identifier, the identifier of the first terminal, and the first corresponding relationship established in step S507, a first packet processing policy corresponding to the identifier of the first terminal and the first service identifier.
For example, assuming that the available service identifier of the first terminal is service identifier 1, according to table seven, whether the first service identifier in the header of the first encrypted message is service identifier 1, service identifier 2, or service identifier 3, the determined first message processing policy is message processing policy 1.
Or, for example, assuming that the available service identifier of the first terminal is service identifier 1, according to table eight, if the first service identifier of the header of the first encrypted message is service identifier 1, the determined first message processing policy is message processing policy 1; if the first service identifier of the header of the first encrypted message is the service identifier 2 or the service identifier 3, the determined first message processing policy is the message processing policy 4.
S513, the UPF network element processes the received first encrypted message by adopting the determined first message processing strategy.
For example, assume that the determined first packet processing policy is: the transmission bandwidth is ensured to be 5mb/s, and the charging mode is prepayment. The UPF network element transmits the first encrypted message by using the guaranteed transmission bandwidth of 5mb/s, and the charging mode is pre-paid.
Or, for example, it is assumed that the determined first packet processing policy is: the transmission bandwidth is guaranteed to be 10mb/s, and the charging mode is postpaid. The UPF network element transmits the first encrypted message by using the guaranteed transmission bandwidth of 10mb/s, and the charging mode is postpaid.
Or, for example, it is assumed that the determined first packet processing policy is: and discarding the message. The UPF network element discards the encrypted message.
Optionally, if the message processing method provided in this embodiment of the present application includes steps S508 to S509, and the first service identifier in steps S510 to S513 is the service identifier A in step S508, the message processing method provided in this embodiment of the present application further includes the following steps:
S514, the UPF network element sends indication information 3 to the SMF network element, so that the SMF network element receives the indication information 3 from the UPF network element.
The indication information 3 is used to indicate that the UPF network element has identified that the first terminal is using the service identifier A.
S515, the SMF network element sends indication information 4 to the AS, so that the AS receives the indication information 4 from the SMF network element.
The indication information 4 is used to indicate that the SMF network element has identified that the first terminal is using the service identifier A.
S516, the AS sends a notification message to the first terminal, so that the first terminal receives the notification message from the AS.
The notification message is used for notifying the first terminal to stop using the service identifier A.
S517, the first terminal stops using the first service identifier, namely the service identifier A, according to the notification message.
For example, assuming that the first service is a video service under application 1, a prompt such as "You are using a wrong service identifier; please stop using it immediately, otherwise the service will be terminated" may be displayed on the video service interface of application 1, so that the user of the first terminal knows that the service identifier A being used is a service identifier that is unavailable to the first terminal, and may stop using it.
In the message processing method provided in the embodiment of the present application, the steps S514 to S517 are optional steps, which are described in a unified manner herein and are not described in detail below.
On the one hand, the first correspondence among the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies can be configured on the UPF network element, where the one or more message processing policies correspond to the one or more service identifiers respectively. Therefore, after the UPF network element receives any one of the one or more service identifiers from the first terminal, it can determine the corresponding message processing policy according to the first correspondence and then process the received encrypted message with the determined policy, which reduces the impact on the AS caused by the 5GC device obtaining a service identifier that does not belong to a certain terminal. On the other hand, after detecting a service identifier that is unavailable to the first terminal, the UPF network element can report it to the AS in time, so that the AS can promptly notify the first terminal to stop using that service identifier, which further reduces the impact on the AS caused by the 5GC device obtaining a service identifier that does not belong to a certain terminal.
The actions of the UPF network element or AS in steps S501 to S517 may be executed by the processor 401 in the communication device 400 shown in fig. 4 calling the application code stored in the memory 403, which is not limited in this embodiment.
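The UPF-side tables and lookup of steps S503, S507, S509 and S512 to S514, as an added Python example that is not part of the patent text. The class name `Upf`, the identifiers `policy-id-N`, `service-id-N` and `terminal-1`, rejecting a request that names an unknown policy identifier, and dropping messages for unconfigured (terminal, service identifier) pairs are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    bandwidth: Optional[str] = None   # guaranteed transmission bandwidth, units as on the page
    charging: Optional[str] = None    # charging mode
    drop: bool = False                # True for a "drop the message" policy


@dataclass(frozen=True)
class EncryptedMessage:
    terminal_id: str   # identifier of the sending terminal
    service_id: str    # cleartext header field chosen by the terminal (S510)
    payload: bytes     # ciphertext, never inspected by the UPF


class Upf:
    def __init__(self):
        self.policy_by_id = {}   # second correspondence: policy identifier -> Policy (S503)
        self.first_corr = {}     # first correspondence: (terminal, service id) -> Policy (S507)
        self.watched = set()     # (terminal, service identifier A) pairs to report (S509)
        self.reports = []        # indication information 3 queued for the SMF (S514)

    def store_policies(self, policies):
        """S502/S503: store the policy identifier -> policy mapping."""
        self.policy_by_id.update(policies)

    def configure_terminal(self, terminal_id, service_to_policy_id):
        """S506/S507: resolve policy identifiers and build the first correspondence."""
        resolved = {}
        for service_id, policy_id in service_to_policy_id.items():
            if policy_id not in self.policy_by_id:
                # Assumption: reject the whole request instead of installing a partial table.
                raise KeyError(f"unknown policy identifier {policy_id!r}")
            resolved[(terminal_id, service_id)] = self.policy_by_id[policy_id]
        self.first_corr.update(resolved)

    def watch(self, terminal_id, service_id):
        """S509: report when this terminal uses this service identifier."""
        self.watched.add((terminal_id, service_id))

    def handle(self, msg):
        """S512-S514: choose the policy from the cleartext header, report if watched."""
        key = (msg.terminal_id, msg.service_id)
        if key in self.watched:
            self.reports.append(key)
        policy = self.first_corr.get(key)
        if policy is None:
            # Assumption (the page does not cover unconfigured pairs): fail closed.
            return ("drop", None)
        return ("drop" if policy.drop else "forward", policy)


# Constructed sample data following the page's examples (table one and step S504).
POLICIES = {
    "policy-id-1": Policy("message processing policy 1", "5mb/s", "prepaid"),
    "policy-id-2": Policy("message processing policy 2", "10mb/s", "postpaid"),
    "policy-id-3": Policy("message processing policy 3", "20mb/s", "postpaid"),
    "policy-id-4": Policy("message processing policy 4 (default)", drop=True),
}
TERMINAL = "terminal-1"   # hypothetical identifier; only service-id-1 is available to it
SERVICE_IDS = ("service-id-1", "service-id-2", "service-id-3")

# Unavailable identifiers get the same policy as the available one ...
SAME_AS_AVAILABLE = {sid: "policy-id-1" for sid in SERVICE_IDS}
# ... or they get the default policy.
DEFAULT_FOR_UNAVAILABLE = {
    "service-id-1": "policy-id-1",
    "service-id-2": "policy-id-4",
    "service-id-3": "policy-id-4",
}


def run(mapping):
    """Configure a UPF, send one message per service identifier, return verdicts and reports."""
    upf = Upf()
    upf.store_policies(POLICIES)
    upf.configure_terminal(TERMINAL, mapping)
    upf.watch(TERMINAL, "service-id-2")   # service identifier A
    verdicts = {}
    for sid in SERVICE_IDS:
        action, policy = upf.handle(EncryptedMessage(TERMINAL, sid, b"\x00"))
        verdicts[sid] = (action, policy.name if policy else None)
    return verdicts, upf.reports


if __name__ == "__main__":
    for mapping in (SAME_AS_AVAILABLE, DEFAULT_FOR_UNAVAILABLE):
        print(run(mapping))
```

In both mappings a terminal that writes service identifier 2 or 3 into the header never receives policy 2 or 3, because the lookup key includes the terminal identifier and the table was built from the terminal's subscription.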
Optionally, take as an example the case where the message processing system shown in fig. 2 is applied to the 5G network shown in fig. 3, where the user plane network element is specifically a UPF network element in the 5G network, the control plane network element is specifically an SMF network element in the 5G network, and the application function network element is specifically an AS in the 5G network. As shown in fig. 6, another message processing method provided in the embodiment of the present application includes the following steps:
S601, same as step S504; for the related description, refer to the embodiment shown in fig. 5, which is not repeated herein.
S602, the AS sends a request message 1 to the SMF network element, so that the SMF network element receives the request message 1 from the AS. The request message 1 carries a first correspondence between an identifier of the first terminal, one or more service identifiers corresponding to the first service, and one or more message processing policies, and is configured to configure one or more message processing policies corresponding to the first terminal, where the one or more message processing policies correspond to the one or more service identifiers, respectively.
For example, the request message 1 may carry the corresponding relationship shown in the table three or table four, which is not described herein again.
S603, the SMF network element sends the request message 2 to the UPF network element, so that the UPF network element receives the request message 2 from the SMF network element. The request message 2 carries a first correspondence between an identifier of the first terminal, one or more service identifiers corresponding to the first service, and one or more message processing policies, and is configured to configure one or more message processing policies corresponding to the first terminal, where the one or more message processing policies correspond to the one or more service identifiers, respectively.
For example, the request message 2 may carry the corresponding relationship shown in the table three or table four, which is not described herein again.
It should be noted that, in this embodiment of the application, if the first service includes multiple service identifiers, the identifier of the first terminal, multiple service identifiers corresponding to the first service, and a first correspondence relationship between multiple message processing policies may be sent to the UPF network element through step S602 and step S603 at a time; or the step S602 and the step S603 may be repeatedly executed to send the identifier of the first terminal, the plurality of service identifiers corresponding to the first service, and the first correspondence relationship of the plurality of message processing policies to the UPF network element in multiple times. For example, step S602 and step S603 are executed once, and the identifier of the first terminal, the service identifier 1 corresponding to the first service, and the corresponding relationship 1 of the packet processing policy 1 corresponding to the service identifier 1 may be sent to the UPF network element; step S602 and step S603 are executed again, and the identifier of the first terminal, the service identifier 2 corresponding to the first service, and the corresponding relationship 2 of the packet processing policy 2 corresponding to the service identifier 2 may be sent to the UPF network element, and so on, which is not specifically limited in this embodiment of the application.
S604, the UPF network element stores the identifier of the first terminal, one or more service identifiers corresponding to the first service, and a first corresponding relationship of one or more message processing policies.
For example, after the UPF network element receives the request message 2 from the SMF network element, the correspondence relationship shown in table three or table four may be stored according to the request message 2.
In the message processing method provided in this embodiment of the present application, the step S604 is an optional step, which is described in a unified manner and is not described in detail below.
The steps S601 to S604 exemplarily provide a configuration flow of one or more message processing policies corresponding to the first terminal. Optionally, the message processing method provided in the embodiment of the present application may further include the following steps S605 to S606:
S605-S606 are the same as steps S508-S509; for the related description, refer to the embodiment shown in fig. 5, which is not repeated here.
Further, in this embodiment of the present application, after one or more message processing policies corresponding to the first terminal are configured, the message processing method provided in this embodiment of the present application may further include the following steps S607 to S610:
S607-S610 are the same as steps S510-S513; for the related description, refer to the embodiment shown in fig. 5, which is not repeated here.
Optionally, if the message processing method provided in the embodiment of the present application includes the above steps S605 to S606, and the first service identifier in the steps S607 to S610 is the service identifier a in the step S605, the message processing method provided in the embodiment of the present application further includes the following steps:
S611 to S614 are the same as steps S514 to S517; for the related description, refer to the embodiment shown in fig. 5, which is not repeated here.
The technical effects of the embodiment shown in fig. 6 can refer to the embodiment shown in fig. 5, and are not described herein again.
In addition, because the identifiers of the one or more message processing policies carried in the request message 3 in step S505 and the request message 4 in step S506 occupy far fewer bytes than the one or more message processing policies carried in the request message 1 in step S602 and the request message 2 in step S603, the embodiment shown in fig. 5 can reduce signaling consumption compared with the embodiment shown in fig. 6, thereby saving signaling resources.
The actions of the UPF network element or AS in steps S601 to S614 may be executed by the processor 401 in the communication device 400 shown in fig. 4 calling the application program code stored in the memory 403, which is not limited in this embodiment.
Optionally, taking as an example that the message processing system shown in fig. 2 is applied to the 5G network shown in fig. 3, where the user plane network element is specifically a UPF network element in the 5G network, the control plane network element is specifically an SMF network element in the 5G network, and the application function network element is specifically an AS in the 5G network, as shown in fig. 7, another message processing method provided in the embodiment of the present application includes the following steps:
S701, the first terminal initiates a session of a first service of the AS.
The specific implementation of step S701 may refer to an existing implementation manner, which is not described herein again.
S702, the AS sends a request message 1 to the first terminal, so that the first terminal receives the request message 1 from the AS.
Wherein, the request message 1 carries a first corresponding relationship between a first key and a first service identifier. The first service identifier is a service identifier available to the first terminal in one or more service identifiers corresponding to the first service, and the first key is used to encrypt the first service identifier.
S703, the first terminal stores the first corresponding relationship between the first service identifier and the first key.
Optionally, in this embodiment of the application, the same key may be used to encrypt one or more available service identifiers respectively corresponding to one or more services of the first terminal, which is not specifically limited in this embodiment of the application.
In the message processing method provided in the embodiment of the present application, the step S703 is an optional step, and is described in a unified manner here, and will not be described again below.
S704, the AS sends a request message 2 to the SMF network element, so that the SMF network element receives the request message 2 from the AS.
The request message 2 carries an identifier of the first terminal, a first service identifier, and a second correspondence relationship of a second key, where the first service identifier is a service identifier available to the first terminal in one or more service identifiers corresponding to the first service, and the second key is used to decrypt the first service identifier.
Optionally, the first key in this embodiment of the present application may be a private key, and the second key may be a public key, which is not specifically limited in this embodiment of the present application.
It should be noted that the first key and the second key in this embodiment of the application are a pair of keys having a corresponding relationship, that is, after the first terminal encrypts the first service identifier using the first key, the UPF network element may decrypt the encrypted first service identifier using the second key, so as to obtain the first service identifier, which is described in a unified manner and is not described in detail below.
It should be noted that, in the embodiment of the present application, there is no inevitable execution sequence between step S702 and step S704, and step S702 may be executed first, and then step S704 is executed; step S704 may be executed first, and then step S702 may be executed; steps S702 and S704 may also be executed simultaneously, which is not specifically limited in this embodiment of the application.
S705, the SMF network element sends a request message 3 to the UPF network element, so that the UPF network element receives the request message 3 from the SMF network element. The request message 3 carries a second correspondence relationship between an identifier of the first terminal, the first service identifier, and the second key, where the first service identifier is a service identifier available to the first terminal in one or more service identifiers corresponding to the first service, and the second key is used to decrypt the first service identifier.
S706, the UPF network element establishes a second corresponding relation of the identifier of the first terminal, the first service identifier and the second key.
In the message processing method provided in the embodiment of the present application, the step S706 is an optional step, and is described in a unified manner here, and will not be described again below.
Further, in this embodiment of the present application, after the configuration of the first key that can be used to encrypt the first service identifier and the second key that can be used to decrypt the first service identifier is completed, the message processing method provided in this embodiment of the present application may further include the following steps:
S707, the first terminal adds the first service identifier encrypted by the first key to the header of the first encrypted message.
S708, the first terminal sends the first encrypted message to the UPF network element, so that the UPF network element receives the first encrypted message from the first terminal.
S709, the UPF network element decrypts the encrypted first service identifier by adopting the second key to obtain the first service identifier.
Optionally, if the service identifier obtained after decryption with the second key differs from the first service identifier, this indicates that the header of the first encrypted message carries a first service identifier that was not encrypted with the first key, and the UPF network element may discard the encrypted message.
S710, the UPF network element determines a first message processing strategy corresponding to the first service identifier.
S711, the UPF network element processes the received first encrypted message by adopting the determined first message processing strategy.
For the specific implementation of steps S710 and S711, reference may be made to an existing implementation manner, which is not described herein again.
Optionally, the above examples in this embodiment of the application are all described by taking an example that the service identifier may include an application identifier, for example, a first service identifier of a service 1 in an application 1 may be characterized as an application 1, a service 1.1; the second service identity of service 1 under application 1 can be characterized as application 1, service 1.2. Of course, the service identifier in the embodiment of the present application may not include information of the application, and at this time, optionally, the service identifier and the application identifier in the embodiment of the present application should be bound together. The description is unified here and will not be repeated below.
Based on the message processing method provided in this embodiment of the application, the service identifier in the header of the encrypted message is encrypted with the first key, and the UPF network element can obtain the second key that corresponds to the first key and is used to decrypt the service identifier. If the service identifier received by the UPF network element was not encrypted with the first key, decryption does not yield the service identifier, and the received encrypted message cannot be processed with the corresponding message processing policy. This reduces the influence on the AS caused by the 5GC device acquiring a service identifier that does not belong to a certain terminal.
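The following added example (not part of the patent text) walks through steps S702 to S711 for the optional case where the first key is a private key and the second key is a public key. It uses unpadded toy RSA over a small constructed modulus purely to show the key relationship and the UPF's decrypt, compare, discard logic; the terminal identifiers, the service identifier string and the policy name are constructed assumptions.

```python
import hmac

# Constructed toy key pair built from two well-known Mersenne primes. Unpadded
# RSA with a modulus this small is NOT secure; it only shows the key relationship.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
FIRST_KEY = (D, N)    # given to the terminal in request message 1 (S702)
SECOND_KEY = (E, N)   # given to the UPF via the SMF in request messages 2 and 3


def encrypt_identifier(service_id, first_key):
    """S707: the terminal encrypts the service identifier for the header."""
    exponent, modulus = first_key
    m = int.from_bytes(service_id.encode(), "big")
    if not 0 < m < modulus:
        raise ValueError("service identifier does not fit the toy modulus")
    return pow(m, exponent, modulus)


def decrypt_identifier(header_value, second_key):
    """S709: the UPF decrypts the header field with the second key."""
    exponent, modulus = second_key
    m = pow(header_value % modulus, exponent, modulus)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


class Upf:
    def __init__(self, policies):
        # service identifier -> message processing policy (hypothetical names)
        self.policies = policies
        # terminal identifier -> [(service identifier, second key)]
        self.second_correspondence = {}

    def configure(self, terminal_id, service_id, second_key):
        """S705/S706: store the second correspondence from request message 3."""
        entries = self.second_correspondence.setdefault(terminal_id, [])
        entries.append((service_id, second_key))

    def handle(self, terminal_id, header_value):
        """S709 to S711: return the policy to apply, or 'discard'."""
        for service_id, second_key in self.second_correspondence.get(terminal_id, []):
            recovered = decrypt_identifier(header_value, second_key)
            # A mismatch means the header value was not produced with the
            # first key that corresponds to this terminal's second key.
            if hmac.compare_digest(recovered, service_id.encode()):
                return self.policies.get(service_id, "discard")
        return "discard"


def demo():
    upf = Upf({"app1/svc1.1": "forward-high-priority"})
    upf.configure("ue-001", "app1/svc1.1", SECOND_KEY)
    encrypted = encrypt_identifier("app1/svc1.1", FIRST_KEY)
    unencrypted = int.from_bytes(b"app1/svc1.1", "big")
    return {
        "encrypted_by_first_key": upf.handle("ue-001", encrypted),
        "sent_unencrypted": upf.handle("ue-001", unencrypted),
        "terminal_without_binding": upf.handle("ue-002", encrypted),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

A deployment would use a standard signature or authenticated-encryption scheme from a vetted library in place of the toy arithmetic; the lookup and discard logic stays the same.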
The actions of the UPF network element or AS in steps S701 to S711 may be executed by the processor 401 in the communication device 400 shown in fig. 4 calling the application program code stored in the memory 403, which is not limited in this embodiment.
Optionally, the examples in fig. 5 to fig. 7 are all described by taking an identifier that may include an application in the service identifier as an example, for example, the service identifier 1 of the service 1 under the application 1 may be characterized as application 1, service 1.1; the service identity 2 of service 1 under application 1 can be characterized as application 1, service 1.2. Of course, the service identifier in the embodiment of the present application may not include information of the application, and at this time, optionally, the service identifier and the identifier of the application in the embodiment of the present application should be bound together. For example, in tables two to eight in the embodiment shown in fig. 5, the correspondence between the service identifier and the application identifier needs to be added; or, for example, in the embodiment shown in fig. 7, the request message 1 in step S702, the request message 2 in step S704, and the request message 3 in step S705 also carry the identifier of the first application. Correspondingly, in step S703, a corresponding relationship between the identifier of the first application, the first service identifier, and the first key needs to be established; similarly, in step S706, a corresponding relationship between the identifier of the first terminal, the identifier of the first application, the first service identifier, and the second key needs to be established, which is described in a unified manner herein and is not described in detail below.
The above-mentioned scheme provided by the embodiment of the present application is introduced mainly from the perspective of interaction between network elements. It is to be understood that the above-mentioned user plane network element or application function network element, in order to implement the above-mentioned functions, includes a corresponding hardware structure and/or software module for performing each function. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, according to the above method example, the user plane network element or the application function network element may be divided into the functional modules, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
For example, in the case of dividing each functional module in an integrated manner, fig. 8 shows a schematic structural diagram of a user plane network element 80. The user plane network element 80 includes: a transceiver module 801 and a processing module 802.
Based on the user plane network element 80 shown in fig. 8, in a possible implementation:
the processing module 802 is configured to obtain a first correspondence between an identifier of the first terminal, one or more service identifiers corresponding to the first service, and one or more message processing policies, where the one or more message processing policies correspond to the one or more service identifiers, respectively. A transceiver module 801, configured to receive a first encrypted packet from a first terminal, where the first encrypted packet carries a first service identifier and an identifier of the first terminal, and the first service identifier is any one of one or more service identifiers; the processing module 802 is further configured to determine a first packet processing policy corresponding to the identifier of the first terminal and the first service identifier according to the first service identifier, the identifier of the first terminal, and the first corresponding relationship, and process the first encrypted packet according to the first packet processing policy.
Optionally, that the processing module 802 is configured to obtain the first correspondence between the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies includes: receiving a second message from the control plane network element, where the second message carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of one or more message processing policies, and the identifiers of the one or more message processing policies correspond to the one or more service identifiers respectively; determining the one or more message processing policies according to the identifiers of the one or more message processing policies and the second corresponding relation between the identifiers of the one or more message processing policies and the one or more message processing policies; and establishing the first corresponding relation among the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies.
Optionally, the transceiver module 801 is further configured to receive a third message from the control plane network element, where the third message carries the identifier of the one or more packet processing policies and the second corresponding relationship of the one or more packet processing policies.
Or, optionally, that the processing module 802 is configured to obtain the first correspondence between the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies includes: receiving a second message from the control plane network element, where the second message carries the first corresponding relation among the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies.
Optionally, the first service identifier is a service identifier that is unavailable for the first terminal; correspondingly, the transceiver module 801 is further configured to send first indication information to the control plane network element, where the first indication information indicates that the user plane network element has identified that the first terminal is using the first service identifier.
Optionally, the transceiver module 801 is further configured to receive a fourth message from the control plane network element, where the fourth message carries the first service identifier, and is used to request the user plane network element to report when detecting that the first terminal uses the first service identifier.
Alternatively, based on the user plane network element 80 shown in fig. 8, in another possible implementation:
a transceiver module 801, configured to receive a third message from a control plane network element, where the third message carries an identifier of a first terminal, a second key, and a second correspondence relationship of a first service identifier, where the first service identifier is a service identifier available to the first terminal in a plurality of service identifiers corresponding to a first service, and the second key is used to decrypt the first service identifier; the transceiver module 801 is further configured to receive a first encrypted message from the first terminal, where a header of the first encrypted message carries a first service identifier encrypted with a first key; the processing module 802 is configured to decrypt the encrypted first service identifier with the second key to obtain the first service identifier; the processing module 802 is further configured to determine a first packet processing policy corresponding to the first service identifier, and process the first encrypted packet according to the first packet processing policy.
All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
In the present embodiment, the user plane network element 80 is presented in a form of dividing each functional module in an integrated manner. A "module" herein may refer to a particular ASIC, a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other device that provides the described functionality. In a simple embodiment, those skilled in the art will appreciate that the user plane network element 80 may take the form shown in fig. 4.
For example, the processor 401 in fig. 4 may cause the user plane network element 80 to execute the message processing method in the above-described method embodiment by calling the computer-executable instructions stored in the memory 403.
In particular, the functions/implementation procedures of the transceiver module 801 and the processing module 802 in fig. 8 may be implemented by the processor 401 in fig. 4 calling the computer-executable instructions stored in the memory 403. Alternatively, the functions/implementation procedures of the transceiver module 801 in fig. 8 may be implemented by the communication interface 404 in fig. 4; the functions/implementation of processing module 802 in fig. 8 may be implemented by processor 401 in fig. 4 calling computer-executable instructions stored in memory 403.
Since the user plane network element 80 provided in this embodiment can execute the above-mentioned message processing method, the technical effect obtained by the user plane network element can refer to the above-mentioned method embodiment, and is not described herein again.
Optionally, an apparatus (for example, the apparatus may be a chip system) is further provided in this embodiment of the present application, where the apparatus includes a processor, configured to support the user plane network element 80 to implement the above message processing method, for example, to obtain an identifier of the first terminal, one or more service identifiers corresponding to the first service, and a first corresponding relationship of one or more message processing policies. In one possible design, the apparatus further includes a memory. The memory is used for storing program instructions and data necessary for the user plane network element 80. Of course, the memory may not be in the device. In addition, when the apparatus is a chip system, the apparatus may be composed of a chip, or may include a chip and other discrete devices, which is not specifically limited in this embodiment of the present application.
Or, for example, in a case that the functional modules are divided in an integrated manner, fig. 9 shows a schematic structural diagram of an application functional network element 90. The application function network element 90 includes: a transceiver module 901 and a processing module 902.
Based on the application function network element 90 shown in fig. 9, in a possible implementation manner:
the processing module 902 is configured to obtain an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of one or more message processing policies, where the identifiers of the one or more message processing policies correspond to the one or more service identifiers, respectively. A transceiver module 901, configured to send a first message to a control plane network element, where the first message carries an identifier of a first terminal, one or more service identifiers corresponding to the first service, and identifiers of one or more message processing policies, where the identifier of the one or more message processing policies is used to determine the one or more message processing policies, and the one or more message processing policies are used to process an encrypted message received from the first terminal.
Optionally, the processing module 902 is configured to obtain an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of one or more message processing policies, and includes: after determining that the first terminal initiates a session of a first service to the application network element, determining one or more service identifiers corresponding to the first service according to information of the first service; determining a second service identifier according to the identifier of the first terminal and the information of the first service, wherein the second service identifier is a service identifier available to the first terminal in one or more service identifiers corresponding to the first service; determining an identifier of a second message processing strategy corresponding to the second service identifier according to the second service identifier; and determining the identifiers of the message processing strategies corresponding to other service identifiers except the second service identifier in the one or more service identifiers.
Optionally, that the processing module 902 is configured to determine the identifier of the message processing policy corresponding to the other service identifiers, except the second service identifier, in the one or more service identifiers includes: determining that the identifier of the message processing policy corresponding to the other service identifiers, except the second service identifier, in the one or more service identifiers is the identifier of the default message processing policy. For example, the default message processing policy may be to drop the message.
Or, optionally, that the processing module 902 is configured to determine the identifier of the message processing policy corresponding to the other service identifiers, except the second service identifier, in the one or more service identifiers includes: determining that the identifier of the message processing policy corresponding to the other service identifiers, except the second service identifier, in the one or more service identifiers is the identifier of the second message processing policy.
Optionally, the transceiver module 901 is further configured to send a fifth message to the control plane network element, where the fifth message carries the identifier of the one or more packet processing policies and the second correspondence of the one or more packet processing policies.
Or, based on the application function network element 90 shown in fig. 9, in another possible implementation manner:
the processing module 902 is configured to obtain a first correspondence between an identifier of the first terminal, one or more service identifiers corresponding to the first service, and one or more message processing policies, where the one or more message processing policies correspond to the one or more service identifiers, respectively. A transceiver module 901, configured to send a first message to a control plane network element, where the first message carries an identifier of a first terminal, one or more service identifiers corresponding to a first service, and a first correspondence relationship of one or more message processing policies, where the one or more message processing policies are used to process an encrypted message received from the first terminal.
Optionally, the processing module 902 is configured to obtain a first correspondence between an identifier of the first terminal, one or more service identifiers corresponding to the first service, and one or more message processing policies, and includes: after determining that the first terminal initiates a session of a first service to the application network element, determining one or more service identifiers corresponding to the first service according to information of the first service; determining a second service identifier according to the identifier of the first terminal and the information of the first service, wherein the second service identifier is a service identifier available to the first terminal in one or more service identifiers corresponding to the first service; determining a second message processing strategy corresponding to the second service identifier according to the second service identifier; determining message processing strategies corresponding to other service identifications except the second service identification in the one or more service identifications; and establishing a first corresponding relation among the identifier of the first terminal, one or more service identifiers corresponding to the first service and one or more message processing strategies.
Optionally, that the processing module 902 is configured to determine the message processing policy corresponding to the other service identifiers, except the second service identifier, in the one or more service identifiers includes: determining that the message processing policy corresponding to the other service identifiers, except the second service identifier, in the one or more service identifiers is a default message processing policy. For example, the default message processing policy may be to drop the message.
Or, optionally, that the processing module 902 is configured to determine the message processing policy corresponding to the other service identifiers, except the second service identifier, in the one or more service identifiers includes: determining that the message processing policy corresponding to the other service identifiers, except the second service identifier, in the one or more service identifiers is the second message processing policy.
Optionally, the first service identifier is a service identifier that is not available to the first terminal. Correspondingly, the transceiver module 901 is further configured to receive second indication information from the control plane network element, where the second indication information indicates that the control plane network element has recognized that the first terminal is using the first service identifier. The transceiver module 901 is further configured to send a sixth message to the first terminal, where the sixth message is used to instruct the first terminal to stop using the first service identifier.
Optionally, the transceiver module 901 is further configured to send a seventh message to the control plane network element, where the seventh message is used to request the control plane network element to report when it is detected that the first terminal uses the first service identifier.
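The correspondence-building and lookup steps described above can be modelled as follows; this is an added example, not code from the patent. The terminal identifier, service identifiers and policy names are constructed, the service identifier is treated as already readable by the user plane, and dropping a message whose (terminal, service identifier) pair is absent from the table is an assumption.

```python
"""Added illustration: first correspondence and user plane lookup (constructed data)."""
from typing import Dict, Iterable, List, Set, Tuple

DROP = "drop"  # the page's example of a default message processing policy

Key = Tuple[str, str]  # (terminal identifier, service identifier)


def build_first_correspondence(terminal_id: str,
                               service_ids: Iterable[str],
                               available_id: str,
                               available_policy: str,
                               mirror: bool = False) -> Dict[Key, str]:
    """Map every service identifier of the service to a policy for one terminal.

    The available ("second") identifier gets its own ("second") policy.
    Every other identifier gets the default policy (drop) or, when
    mirror=True, the same policy as the available identifier.
    """
    service_ids = list(service_ids)
    if available_id not in service_ids:
        raise ValueError("available identifier must belong to the service")
    table: Dict[Key, str] = {}
    for sid in service_ids:
        if sid == available_id or mirror:
            table[(terminal_id, sid)] = available_policy
        else:
            table[(terminal_id, sid)] = DROP
    return table


class UserPlane:
    """Holds the first correspondence and applies it to incoming messages."""

    def __init__(self, table: Dict[Key, str]) -> None:
        self.table = dict(table)
        self.watched: Set[Key] = set()      # pairs the control plane asked about
        self.indications: List[Key] = []    # first indication information sent

    def request_report(self, terminal_id: str, service_id: str) -> None:
        """Fourth message: report when this terminal uses this identifier."""
        self.watched.add((terminal_id, service_id))

    def process(self, terminal_id: str, service_id: str) -> str:
        """Return the policy for a message and record an indication if watched."""
        key = (terminal_id, service_id)
        # Assumption (not stated on the page): unknown pairs fail closed.
        policy = self.table.get(key, DROP)
        if key in self.watched:
            self.indications.append(key)
        return policy


if __name__ == "__main__":
    # Constructed sample: one service with three identifiers, "sid-B" is
    # the one available to terminal "ue-1".
    tbl = build_first_correspondence("ue-1", ["sid-A", "sid-B", "sid-C"],
                                     "sid-B", "forward-priority")
    up = UserPlane(tbl)
    up.request_report("ue-1", "sid-A")
    for sid in ("sid-B", "sid-A", "sid-C"):
        print(sid, "->", up.process("ue-1", sid))
    print("indications:", up.indications)
```

With `mirror=True` a message carrying an unavailable identifier is handled like one carrying the available identifier, while the indication for a watched pair is still recorded.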
Or, based on the application function network element 90 shown in fig. 9, in another possible implementation manner:
the processing module 902 is configured to obtain an identifier of a first terminal and a first service identifier, where the first service identifier is a service identifier available to the first terminal among a plurality of service identifiers corresponding to a first service. The transceiver module 901 is configured to send a first message to the first terminal, where the first message carries a first correspondence between the first service identifier and a first key, and the first key is used to encrypt the first service identifier; the transceiver module 901 is further configured to send a second message to the control plane network element, where the second message carries a second correspondence among the identifier of the first terminal, a second key, and the first service identifier, and the second key is used to decrypt the first service identifier.
For all relevant content of the steps in the foregoing method embodiments, refer to the functional descriptions of the corresponding functional modules; details are not described herein again.
In the present embodiment, the application function network element 90 is presented with its functional modules divided in an integrated manner. A "module" herein may refer to a particular ASIC, a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other device that provides the described functionality. In a simple embodiment, the application function network element 90 may take the form shown in fig. 4, as will be appreciated by those skilled in the art.
For example, the processor 401 in fig. 4 may cause the application function network element 90 to execute the message processing method in the foregoing method embodiment by invoking the computer-executable instructions stored in the memory 403.
In particular, the functions/implementation procedures of the transceiver module 901 and the processing module 902 in fig. 9 can be implemented by the processor 401 in fig. 4 invoking the computer-executable instructions stored in the memory 403. Alternatively, the function/implementation process of the transceiver module 901 in fig. 9 can be implemented by the communication interface 404 in fig. 4; the functions/implementation of processing module 902 in fig. 9 may be implemented by processor 401 in fig. 4 invoking computer-executable instructions stored in memory 403.
Since the application function network element 90 provided in this embodiment can execute the above-mentioned message processing method, for the technical effects that it can obtain, refer to the above-mentioned method embodiment; details are not described herein again.
Optionally, an apparatus (for example, the apparatus may be a chip system) is further provided in this embodiment of the present application, where the apparatus includes a processor and is configured to support the application function network element 90 in implementing the above-mentioned message processing method, for example, obtaining an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of one or more message processing policies. In one possible design, the apparatus further includes a memory. The memory is used for storing program instructions and data necessary for the application function network element 90. Of course, the memory may not be in the apparatus. In addition, when the apparatus is a chip system, the apparatus may be composed of a chip, or may include a chip and other discrete devices, which is not specifically limited in this embodiment of the present application.
Alternatively, for example, in the case where the functional modules are divided in an integrated manner, fig. 10 shows a schematic configuration diagram of the first terminal 100. The first terminal 100 includes: a transceiver module 1001 and a processing module 1002. The transceiver module 1001 is configured to receive a first message from an application function network element, where the first message carries a first correspondence between a first service identifier and a first key, the first service identifier is a service identifier available to the first terminal among a plurality of service identifiers corresponding to a first service, and the first key is used to encrypt the first service identifier; the processing module 1002 is configured to encrypt, by using the first key, the first service identifier carried in a header of a first encrypted message to be sent. The transceiver module 1001 is further configured to send the first encrypted message to a user plane network element.
For all relevant content of the steps in the foregoing method embodiments, refer to the functional descriptions of the corresponding functional modules; details are not described herein again.
In the present embodiment, the first terminal 100 is presented with its functional modules divided in an integrated manner. A "module" herein may refer to a particular ASIC, a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other device that provides the described functionality. In a simple embodiment, those skilled in the art will appreciate that the first terminal 100 may take the form shown in fig. 4.
For example, the processor 401 in fig. 4 may cause the first terminal 100 to execute the message processing method in the foregoing method embodiment by invoking the computer-executable instructions stored in the memory 403.
Specifically, the functions/implementation procedures of the transceiver module 1001 and the processing module 1002 in fig. 10 may be implemented by the processor 401 in fig. 4 invoking the computer-executable instructions stored in the memory 403. Alternatively, the function/implementation process of the transceiver module 1001 in fig. 10 may be implemented by the communication interface 404 in fig. 4; the functions/implementation of processing module 1002 in fig. 10 may be implemented by processor 401 in fig. 4 invoking computer-executable instructions stored in memory 403.
Since the first terminal 100 provided in this embodiment can execute the above-mentioned message processing method, for the technical effects that it can obtain, refer to the above-mentioned method embodiment; details are not described herein again.
Optionally, an apparatus (for example, the apparatus may be a system on a chip) is further provided in this embodiment of the present application, where the apparatus includes a processor and is configured to support the first terminal 100 in implementing the message processing method, for example, encrypting, by using a first key, a first service identifier carried in a header of a first encrypted message to be sent. In one possible design, the apparatus further includes a memory. The memory is used for storing necessary program instructions and data of the first terminal 100. Of course, the memory may not be in the apparatus. In addition, when the apparatus is a chip system, the apparatus may be composed of a chip, or may include a chip and other discrete devices, which is not specifically limited in this embodiment of the present application.
The above embodiments may be implemented wholly or partially by software, hardware, firmware, or any combination thereof. When implemented using a software program, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions described in accordance with the embodiments of the present application are all or partially generated upon loading and execution of the computer program instructions on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center in a wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) manner. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that integrates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
While the present application has been described in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a review of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the word "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Although the present application has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the application. Accordingly, the specification and figures are merely exemplary of the present application as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the present application. It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (30)

1. A message processing method is characterized by comprising the following steps:
a user plane network element acquires a first corresponding relation among an identifier of a first terminal, one or more service identifiers corresponding to a first service and one or more message processing strategies, wherein the one or more message processing strategies correspond to the one or more service identifiers respectively;
the user plane network element receives a first encrypted message from the first terminal, where the first encrypted message carries a first service identifier and an identifier of the first terminal, and the first service identifier is any one of the one or more service identifiers;
the user plane network element determines a first message processing strategy corresponding to the identifier of the first terminal and the first service identifier according to the first service identifier, the identifier of the first terminal and the first corresponding relation;
and the user plane network element processes the first encrypted message according to the first message processing strategy.
2. The method of claim 1, wherein the first service identifier is a service identifier that is not available to the first terminal.
3. The method of claim 2, wherein the first message handling policy is the same as the second message handling policy; the second message processing strategy is a message processing strategy corresponding to a second service identifier, and the second service identifier is a service identifier available to the first terminal;
or, the first message processing policy is to discard the encrypted message.
4. The method of claim 1, wherein the first service identifier is a service identifier available to the first terminal.
5. The method according to any one of claims 1 to 4, wherein the obtaining, by the user plane network element, the first correspondence between the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies comprises:
the user plane network element receives a second message from a control plane network element, where the second message carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of the one or more packet processing policies, where the identifiers of the one or more packet processing policies correspond to the one or more service identifiers, respectively;
the user plane functional network element determines the one or more message processing strategies according to the identifiers of the one or more message processing strategies, and the second corresponding relations between the identifiers of the one or more message processing strategies and the one or more message processing strategies;
and the user plane network element establishes a first corresponding relation among the identifier of the first terminal, one or more service identifiers corresponding to the first service and the one or more message processing strategies.
6. The method according to any one of claims 1-4, further comprising:
and the user plane network element receives a third message from the control plane network element, wherein the third message carries the identifier of the one or more message processing strategies and the second corresponding relation of the one or more message processing strategies.
7. The method according to any one of claims 1 to 4, wherein the obtaining, by the user plane network element, the first correspondence between the identifier of the first terminal, the one or more service identifiers corresponding to the first service, and the one or more message processing policies comprises:
and the user plane network element receives a second message from a control plane network element, wherein the second message carries the identifier of the first terminal, one or more service identifiers corresponding to the first service, and a first corresponding relation of the one or more message processing strategies.
8. A method according to claim 2 or 3, wherein before the user plane network element receives the first encrypted message from the first terminal, the method further comprises:
and the user plane network element sends first indication information to a control plane network element, wherein the first indication information is used for indicating that the user plane network element recognizes that the first terminal is using the first service identifier.
9. The method of claim 8, wherein before the user plane network element sends the first indication information to the control plane network element, the method further comprises:
and the user plane network element receives a fourth message from the control plane network element, wherein the fourth message carries the first service identifier and is used for requesting the user plane network element to report when it detects that the first terminal uses the first service identifier.
10. A message processing method is characterized by comprising the following steps:
an application function network element acquires an identifier of a first terminal, one or more service identifiers corresponding to a first service and identifiers of one or more message processing strategies, wherein the identifiers of the one or more message processing strategies correspond to the one or more service identifiers respectively;
the application function network element sends a first message to a control plane network element, where the first message carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of the one or more packet processing policies, where the identifiers of the one or more packet processing policies are used to determine the one or more packet processing policies, and the one or more packet processing policies are used to process a received first encrypted packet from the first terminal; the first encrypted message includes a first service identifier, and the first service identifier is any one of the one or more service identifiers.
11. The method of claim 10, further comprising:
and the application function network element sends a fifth message to the control plane network element, wherein the fifth message carries the identifier of the one or more message processing strategies and the second corresponding relation of the one or more message processing strategies.
12. A message processing method is characterized by comprising the following steps:
an application function network element acquires an identifier of a first terminal, one or more service identifiers corresponding to a first service, and a first corresponding relationship of one or more message processing strategies, wherein the one or more message processing strategies correspond to the one or more service identifiers respectively;
the application function network element sends a first message to a control plane network element, where the first message carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and a first correspondence relationship between the one or more message processing policies, where the one or more message processing policies are used to process a received first encrypted message from the first terminal; the first encrypted message includes a first service identifier, and the first service identifier is any one of the one or more service identifiers.
13. A method according to any of claims 10-12, characterized in that said first service identity is a service identity not available to said first terminal.
14. The method of claim 13, wherein the first message handling policy is the same as the second message handling policy; the second message processing strategy is a message processing strategy corresponding to a second service identifier, and the second service identifier is a service identifier available to the first terminal;
or, the first message processing policy is to discard the encrypted message.
15. A method according to any of claims 10-12, characterized in that said first service identity is a service identity available to said first terminal.
16. The method of claim 14, further comprising:
the application function network element receives second indication information from the control plane network element, where the second indication information is used to indicate that the control plane network element recognizes that the first terminal is using the first service identifier;
and the application function network element sends a sixth message to the first terminal, wherein the sixth message is used for indicating the first terminal to stop using the first service identifier.
17. The method of claim 16, wherein before the application function network element receives the second indication information from the control plane network element, the method further comprises:
and the application function network element sends a seventh message to the control plane network element, where the seventh message carries the first service identifier and is used to request the control plane network element to report when detecting that the first terminal uses the first service identifier.
18. A user plane network element, wherein the user plane network element comprises: the device comprises a processing module and a transmitting-receiving module;
the processing module is configured to obtain a first correspondence between an identifier of a first terminal, one or more service identifiers corresponding to a first service, and one or more packet processing policies, where the one or more packet processing policies correspond to the one or more service identifiers, respectively;
the transceiver module is configured to receive a first encrypted packet from the first terminal, where the first encrypted packet carries a first service identifier and an identifier of the first terminal, and the first service identifier is any one of the one or more service identifiers;
the processing module is further configured to determine a first packet processing policy corresponding to the identifier of the first terminal and the first service identifier according to the first service identifier, the identifier of the first terminal, and the first correspondence, and process the first encrypted packet according to the first packet processing policy.
19. The user plane network element of claim 18, wherein the processing module is configured to obtain a first correspondence between an identifier of the first terminal, one or more service identifiers corresponding to the first service, and one or more message processing policies, and includes:
receiving a second message from a control plane network element, where the second message carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of the one or more packet processing policies, where the identifiers of the one or more packet processing policies correspond to the one or more service identifiers, respectively; determining the one or more message processing strategies according to the identifiers of the one or more message processing strategies and the second corresponding relations between the identifiers of the one or more message processing strategies and the one or more message processing strategies; and establishing a first corresponding relation among the identifier of the first terminal, one or more service identifiers corresponding to the first service and one or more message processing strategies.
20. The user plane network element of claim 19,
the transceiver module is further configured to receive a third message from the control plane network element, where the third message carries the identifier of the one or more packet processing policies and the second correspondence of the one or more packet processing policies.
21. The user plane network element of claim 18, wherein the processing module is configured to obtain a first correspondence between an identifier of the first terminal, one or more service identifiers corresponding to the first service, and one or more message processing policies, and includes:
receiving a second message from a control plane network element, where the second message carries the identifier of the first terminal, one or more service identifiers corresponding to the first service, and the first correspondence of the one or more message processing policies.
22. The user plane network element of any of claims 18 to 21, wherein the first service identity is a service identity that is not available to the first terminal;
the transceiver module is further configured to send first indication information to a control plane network element, where the first indication information is used to indicate that the user plane network element recognizes that the first terminal is using the first service identifier.
23. The user plane network element of claim 22,
the transceiver module is further configured to receive a fourth message from the control plane network element, where the fourth message carries the first service identifier and is used to request the user plane network element to report when it detects that the first terminal uses the first service identifier.
24. An application function network element, wherein the application function network element comprises: the device comprises a processing module and a transmitting-receiving module;
the processing module is configured to acquire an identifier of a first terminal, one or more service identifiers corresponding to a first service, and identifiers of one or more message processing policies, where the identifiers of the one or more message processing policies correspond to the one or more service identifiers, respectively;
the transceiver module is configured to send a first message to a control plane network element, where the first message carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and identifiers of the one or more packet processing policies, where the identifiers of the one or more packet processing policies are used to determine the one or more packet processing policies, and the one or more packet processing policies are used to process a received first encrypted packet from the first terminal; the first encrypted message includes a first service identifier, and the first service identifier is any one of the one or more service identifiers.
25. The application function network element of claim 24,
the transceiver module is further configured to send a fifth message to the control plane network element, where the fifth message carries the identifier of the one or more packet processing policies and the second correspondence of the one or more packet processing policies.
26. An application function network element, wherein the application function network element comprises: the device comprises a processing module and a transmitting-receiving module;
the processing module is configured to obtain a first correspondence between an identifier of a first terminal, one or more service identifiers corresponding to a first service, and one or more packet processing policies, where the one or more packet processing policies correspond to the one or more service identifiers, respectively;
the transceiver module is configured to send a first message to a control plane network element, where the first message carries an identifier of the first terminal, one or more service identifiers corresponding to the first service, and a first correspondence relationship between the one or more packet processing policies, where the one or more packet processing policies are used to process a received first encrypted packet from the first terminal; the first encrypted message includes a first service identifier, and the first service identifier is any one of the one or more service identifiers.
27. The network element of any of claims 24-26, wherein the first service identity is a service identity that is not available to the first terminal;
the transceiver module is further configured to receive second indication information from the control plane network element, where the second indication information is used to indicate that the control plane network element recognizes that the first terminal is using the first service identifier;
the transceiver module is further configured to send a sixth message to the first terminal, where the sixth message is used to instruct the first terminal to stop using the first service identifier.
28. The application function network element of claim 27,
the transceiver module is further configured to send a seventh message to the control plane network element, where the seventh message carries the first service identifier, and is used to request the control plane network element to report when it detects that the first terminal uses the first service identifier.
29. A message processing system is characterized in that the message processing system comprises a user plane network element and an application function network element;
the application function network element is configured to acquire an identifier of a first terminal, one or more service identifiers corresponding to a first service, and identifiers of one or more message processing policies, where the identifiers of the one or more message processing policies correspond to the one or more service identifiers, respectively;
the application function network element is further configured to send a first message to a control plane network element, where the first message carries an identifier of the first terminal, the one or more service identifiers, and identifiers of the one or more packet processing policies;
the user plane network element is configured to receive a second message from the control plane network element, and determine the one or more packet processing policies according to the identifiers of the one or more packet processing policies and the second correspondence between the identifiers of the one or more packet processing policies and the one or more packet processing policies;
the user plane network element is further configured to establish a first corresponding relationship between the identifier of the first terminal, the one or more service identifiers, and the one or more packet processing policies;
the user plane network element is further configured to receive a first encrypted packet from the first terminal, where the first encrypted packet carries a first service identifier and an identifier of the first terminal, and the first service identifier is any one of the one or more service identifiers;
the user plane network element is further configured to determine a first packet processing policy corresponding to the identifier of the first terminal and the first service identifier according to the first service identifier, the identifier of the first terminal, and the first correspondence, and process the first encrypted packet according to the first packet processing policy.
30. A message processing system is characterized in that the message processing system comprises a user plane network element and an application function network element;
the application function network element is configured to obtain a first correspondence between an identifier of a first terminal, one or more service identifiers corresponding to a first service, and one or more packet processing policies, where the one or more packet processing policies correspond to the one or more service identifiers, respectively;
the application function network element is further configured to send a first message to a control plane network element, where the first message carries the first corresponding relationship;
the user plane network element is configured to receive a second message from the control plane network element;
the user plane network element is further configured to receive a first encrypted packet from the first terminal, where the first encrypted packet carries a first service identifier and an identifier of the first terminal, and the first service identifier is any one of the one or more service identifiers;
the user plane network element is further configured to determine a first packet processing policy corresponding to the identifier of the first terminal and the first service identifier according to the first service identifier, the identifier of the first terminal, and the first correspondence, and process the first encrypted packet according to the first packet processing policy.
CN201810491118.7A 2018-05-21 2018-05-21 Message processing method, device and system Active CN110519750B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810491118.7A CN110519750B (en) 2018-05-21 2018-05-21 Message processing method, device and system

Publications (2)

Publication Number Publication Date
CN110519750A (en) 2019-11-29
CN110519750B (en) 2021-04-20

Family

ID=68622345

Country Status (1)

Country Link
CN (1) CN110519750B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113038467B (en) * 2019-12-06 2022-12-02 华为技术有限公司 Event information reporting method and communication device
CN113949645A (en) * 2020-07-15 2022-01-18 华为技术有限公司 Service processing method, device, equipment and system
CN114828136A (en) * 2021-01-29 2022-07-29 华为技术有限公司 Method, device, system and storage medium for sending flow
US20240146702A1 (en) * 2021-03-01 2024-05-02 Telefonaktiebolaget Lm Ericsson (Publ) Traffic management with asymmetric traffic encryption in 5g networks
CN115942362A (en) * 2021-08-13 2023-04-07 华为技术有限公司 Service sensing method, communication device and communication system

Citations (4)

Publication number Priority date Publication date Assignee Title
CN103888927A (en) * 2012-12-21 2014-06-25 中国移动通信集团上海有限公司 Bandwidth cost determination method, device, server and system
CN105682014A (en) * 2012-04-09 2016-06-15 华为技术有限公司 Communication method and system, access network equipment and application server
CN105682069A (en) * 2014-12-05 2016-06-15 中国移动通信集团公司 Method, device and system for configuring network resources
US9913132B1 (en) * 2016-09-14 2018-03-06 Sprint Communications Company L.P. System and method of mobile phone customization based on universal manifest

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
JP6007458B2 (en) * 2012-06-30 2016-10-12 Huawei Technologies Co., Ltd. Packet receiving method, deep packet inspection apparatus and system
CN103702366B (en) * 2013-12-25 2018-03-13 上海寰创通信科技股份有限公司 A kind of system and method for handling message information

Also Published As

Publication number Publication date
CN110519750A (en) 2019-11-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant