Method and device for physically isolating services of wireless private network (CN110881014B)

Info

Publication number: CN110881014B
Application number: CN201811029482.8A
Authority: CN (China)
Legal status: Active (granted)
Other languages: Chinese (zh)
Other versions: CN110881014A
Inventors: 张晓静, 张宝山, 王永彬
Current assignee: Potevio Information Technology Co Ltd
Original assignee: Potevio Information Technology Co Ltd
Prior art keywords: private network, gateway, target, target terminal, service

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L 67/14 Session management
                        • H04L 67/141 Setup of application sessions
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                • H04W 76/00 Connection management
                    • H04W 76/10 Connection setup

Abstract

The embodiment of the invention discloses a method and a device for physically isolating services of a wireless private network. The subscription data specifies the gateway device that a terminal uses when it processes a private network service and establishes a communication connection with the private network server. Based on this, after receiving the request information for establishing the communication connection of the private network service sent by the target terminal, the corresponding subscription data can be found directly according to the identifier of the target terminal, and the communication connection between the target terminal and the private network server is established through the gateway specified in the subscription data. Because the gateways through which different services establish their private network connections are physically isolated, establishing the connection through the subscription data physically isolates the communication processes of the different services in the private network and ensures the security of data transmission.

Description

Method and device for physically isolating services of wireless private network
Technical Field
The present invention relates to the technical field of private network communication, and in particular, to a method and an apparatus for physically isolating services of a wireless private network.
Background
The TD-LTE electric power wireless private network is a wireless communication system based on TD-LTE technology that serves smart grid distribution automation, power utilization information acquisition, precise load control and the like. Because the electric power system underpins every sector of the national economy, the transmission security of its communication network is held to a higher standard. According to the security protection management regulation of the power system, the general principle of security protection for power monitoring systems is 'security partitioning, dedicated networks, horizontal isolation and vertical authentication'; wireless access for the distribution automation service passes through a physical isolation device certified by the national grid's security testing body; and the precise load control system is built as an independent network dedicated to the private network. The precise load control service mainly addresses rapid frequency drop in the initial stage of a grid fault, power flow exceeding limits on main channels, excessive power on inter-provincial tie lines, insufficient spinning reserve and similar problems, and its latency requirements are strict: the telemetry acquisition period is 80 ms and the delay of the remote control channel must be less than 50 ms. It is therefore necessary to reduce system access delay and transmission delay while ensuring service isolation and transmission security.
However, in the public network, if the UE request message does not carry an APN, the MME needs a separate NAS or S6a message to obtain the UE's APN information. Moreover, although the UE connects to a PDN through the PGW, the core network side does not separate the UE's PDN connections by service, so several services may be carried over one SGi interface, or the same service over several SGi interfaces, and the power system's requirement to isolate wireless private network services cannot be met. Even with a static PGW configuration, where the MME obtains the PGW IP or PGW FQDN from the subscription database, the service types a PGW may serve are not distinguished. The private communication system's requirement for physical isolation of services therefore cannot be met.
In implementing the embodiment of the invention, the inventor found that the existing network cannot isolate specific private network services and cannot ensure the security of data transmission.
Disclosure of Invention
The technical problem to be solved by the invention is that the existing network cannot isolate specific private network services and cannot ensure the security of data transmission.
In view of the above technical problems, an embodiment of the present invention provides a method for physically isolating services of a wireless private network, including:
after receiving request information for establishing a session of a private network service, which is sent by a target terminal, acquiring identification information of the target terminal;
acquiring subscription data corresponding to the identification information according to the identification information, acquiring a gateway identification corresponding to the session established by the target terminal according to the subscription data, and determining a target gateway corresponding to the gateway identification;
establishing communication connection between the target terminal and a private network server corresponding to the target gateway;
different types of private network services correspond to different private network servers, and the different private network servers are in communication connection with the terminal through different gateways.
The embodiment provides a device for physically isolating services of a wireless private network, which includes:
the first acquisition module is used for acquiring the identification information of a target terminal after receiving request information for establishing a session of a private network service sent by the target terminal;
a second obtaining module, configured to obtain, according to the identifier information, subscription data corresponding to the identifier information, obtain, according to the subscription data, a gateway identifier corresponding to the session established by the target terminal, and determine a target gateway corresponding to the gateway identifier;
the establishing module is used for establishing communication connection between the target terminal and a private network server corresponding to the target gateway;
different types of private network services correspond to different private network servers, and the different private network servers are in communication connection with the terminal through different gateways.
The embodiment provides an electronic device, including:
at least one processor, at least one memory, a communication interface, and a bus; wherein
the processor, the memory and the communication interface communicate with one another through the bus;
the communication interface is used for information transmission between the electronic device and the communication equipment of a base station or of other servers;
the memory stores program instructions executable by the processor, which, when called by the processor, perform the method described above.
The present embodiments provide a non-transitory computer-readable storage medium, wherein the non-transitory computer-readable storage medium stores computer instructions that cause the computer to perform the method described above.
The embodiment of the invention provides a method and a device for physically isolating services of a wireless private network. The subscription data specifies the gateway device that a terminal uses when it processes a private network service and establishes a communication connection with the private network server. Based on this, after receiving the request information for establishing the communication connection of the private network service sent by the target terminal, the corresponding subscription data can be found directly according to the identifier of the target terminal, and the communication connection between the target terminal and the private network server is established through the gateway specified in the subscription data. Because the gateways through which different services establish their private network connections are physically isolated, establishing the connection through the subscription data physically isolates the communication processes of the different services in the private network and ensures the security of data transmission.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a network architecture used for comparison with the network architecture corresponding to the method provided in the present application, according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a method for physically isolating services of a wireless private network according to another embodiment of the present invention;
fig. 3 is a schematic network architecture diagram corresponding to the method for physically isolating services of a wireless private network provided in the present application according to another embodiment of the present invention;
fig. 4 is a schematic diagram of a data transmission process of a method for physically isolating services of a wireless private network according to another embodiment of the present invention;
fig. 5 is a block diagram of an apparatus for physically isolating services of a wireless private network according to another embodiment of the present invention;
fig. 6 is a schematic physical structure diagram of an electronic device according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 shows a network architecture for comparison with the network architecture corresponding to the method provided in the present application. Referring to fig. 1, the wireless private network communication system is composed of User Equipment (UE), a base station (Evolved Node B, eNB) and an Evolved Packet Core (EPC). The core network includes four kinds of logical entity: the Mobility Management Entity (MME), the Serving Gateway (SGW), the PDN Gateway (PGW) and the Home Subscriber Server (HSS). The whole communication system connects to the PDN network through the SGi interface of the PGW. As shown in fig. 1, terminal data is transmitted to the PDN network via the eNodeB, the SGW and the PGW. The SGW and the PGW may be combined on one physical board, and data services are carried between the terminal and the PDN network over S1-U and SGi.
As shown in fig. 1, to establish a data link between a UE and the PDN network, a PDN bearer between the UE and a PGW must first be established, and the MME selects which PGW establishes the PDN bearer for the UE. In the 3GPP standard LTE procedure, the UE subscription database configures a default PGW identifier for the UE (PDN-GW-Identity, i.e. a PGW IP or a fully qualified domain name, FQDN) or an Access Point Name (APN). The UE carries the APN to the MME during access, and the MME resolves the APN FQDN through the DNS server to obtain the routing information of the PGW. If the UE request message does not carry an APN, the MME can query the UE for the APN through an ESM Information Request, and the UE informs the MME of its APN configuration through the ESM Information Response; alternatively, the MME may obtain the APN or PGW identifier (PGW IP or PGW FQDN) corresponding to the UE from the UE subscription database through the Update Location Request/Ack procedure of the S6a interface, and then resolve the APN FQDN or PGW FQDN through the DNS server to obtain the PGW's routing information.
Under the network architecture shown in fig. 1, the MME selects a PGW and establishes the PDN connection between the UE and that PGW according to a PGW FQDN or an APN FQDN, and supports a number of different service requests from the UE. When the UE does not carry APN information in the access request, the MME needs the ESM Information Request/Response flow to obtain the APN corresponding to the service the UE requests.
In the public network, therefore, because terminal service types are complex and the PDN network is huge, dynamic selection of the PGW using the APN carried by the terminal better meets users' requirements for different services. In a private network, however, each terminal supports a fixed service type, different terminals correspond to different service requirements, and a corresponding service server on the PDN side responds to the terminal's service request. An independent, physically isolated network therefore better meets users' requirements for the security of sensitive data.
To solve the above technical problem, fig. 2 is a flowchart illustrating a method for physically isolating services of a wireless private network according to this embodiment. Referring to fig. 2, the method includes:
201: after receiving request information for establishing a session of a private network service, which is sent by a target terminal, acquiring identification information of the target terminal;
202: acquiring subscription data corresponding to the identification information according to the identification information, acquiring a gateway identification corresponding to the session established by the target terminal according to the subscription data, and determining a target gateway corresponding to the gateway identification;
203: establishing communication connection between the target terminal and a private network server corresponding to the target gateway;
different types of private network services correspond to different private network servers, and the different private network servers are in communication connection with the terminal through different gateways.
The method provided by this embodiment is executed by a server or an ATCA board, which in the network architecture usually serves as the Mobility Management Entity (MME). The subscription data (PGW Identity) is typically stored in the Home Subscriber Server (HSS). The identification information of the target terminal may be the IMSI of the terminal, and the gateway identification may be the IP address of the gateway.
Fig. 3 is a schematic diagram of the network architecture corresponding to the method for physically isolating services of a wireless private network provided in this embodiment. Referring to fig. 3, different service servers process different private network services (service server 1, service server 2 and service server 3 each process a different private network service), terminals are classified according to the private network service they process (for example, class 1, class 2 and class 3 terminals process different private network services), and each private network service corresponds to a gateway (SGW/PGW) that connects the terminals of that service with its private network server.
In the embodiment corresponding to the method for physically isolating the services of the private wireless network provided by the invention, the mentioned "UE" refers to a dedicated service terminal; the mentioned "eNB" refers to a base station supporting a private network protocol flow, and the function is the same as that of a standard LTE base station; the mentioned "MME" refers to an MME supporting functions of private network access control, mobility management, resource management and the like; reference to "SGW" and "PGW" refers to SGW and PGW supporting private network session management, routing, and data forwarding; reference to "HSS" refers to an HSS that supports managing terminal subscription data.
For example, in the method provided in this embodiment, after receiving request information sent by a certain target terminal for processing a private network service, the MME acquires an IMSI of the target terminal. Because the HSS stores the subscription data in advance, the MME can obtain the subscription data corresponding to the IMSI from the HSS, thereby obtaining a gateway identifier for establishing a gateway (SGW/PGW) corresponding to the private network service. And establishing communication connection between the target terminal and a private network server for processing the private network service through the gateway corresponding to the gateway identifier.
The embodiment provides a method for physically isolating services of a wireless private network, wherein subscription data is configured in advance for a terminal used for the private network. The subscription data specifies the gateway device corresponding to the terminal when the terminal processes the private network service and establishes communication connection with the private network server. Based on this, after receiving the request information for establishing the communication connection of the private network service sent by the target terminal, the corresponding subscription data can be found directly according to the identifier of the target terminal, and the communication connection between the target terminal and the private network server is established according to the gateway specified in the subscription data. According to the method, when the communication connection of the private network is established through the subscription data, the gateways of different service types for establishing the communication connection of the private network are physically isolated, so that the communication connection with the private network is established, the physical isolation of different service communication processes in the private network communication is realized, and the safety of data transmission is ensured.
Further, on the basis of the foregoing embodiment, acquiring the subscription data corresponding to the identifier information, acquiring from it the gateway identifier corresponding to the session established by the target terminal, and determining the target gateway corresponding to the gateway identifier includes:
sending the identification information to the Home Subscriber Server; after receiving the subscription data corresponding to the identification information from the Home Subscriber Server, judging whether the gateway corresponding to the gateway identification in the subscription data belongs to a pre-configured gateway; if so, determining the target gateway corresponding to the gateway identification, and otherwise not establishing a communication connection between the target terminal and the private network server corresponding to the target gateway.
Before establishing the communication connection, the MME looks up the IP of the corresponding gateway according to the ID in the subscription data and establishes the session through that IP. The subscription data of the target terminal is obtained from the HSS, and the ID identifies the gateway (SGW/PGW) that establishes the private network service for the target terminal.
In this embodiment, after receiving the subscription data sent by the HSS, the MME must first determine whether the ID in the subscription data is one for which a corresponding IP is stored in advance; if so, it determines the IP of the target gateway from that ID, and otherwise it does not establish a communication connection between the target terminal and the private network server corresponding to the target gateway.
The embodiment provides a method for physically isolating services of a private wireless network in which, before a communication connection is established through the target gateway, the MME checks whether the ID in the subscription data is one of its configured IDs, so that sessions the MME cannot establish are rejected promptly.
As shown in fig. 3, the network architecture corresponding to the method provided by the present application is improved as follows compared with the network architecture in fig. 1:
(1) A flag is added to the subscription database (e.g., the HSS): the PGW Identity, which specifies the fixed PGW with which the UE must establish its PDN connection, so that all data of the terminal is transmitted to the service master station through the SGi interface of that PGW.
(2) The PGW must be configured with the master station information corresponding to the terminal's service. During data transmission it accepts data only from the configured master station; data from a non-configured master station is discarded by the PGW.
(3) The PGW information corresponding to the terminal subscription data is configured in the MME; during the attach procedure a session is established with the specific PGW, and the PDN connection between the terminal and that PGW is established.
(4) At the start of networking, the PGW and master station corresponding to each UE are designed according to the UE's service type, and this data is configured in the subscription database in the format of (1).
As shown in fig. 3, the access method of each device in the network architecture includes:
(1) The network is designed according to the types of terminal service. Taking three types of terminal service as an example, different PGWs and service master stations are allocated to the three types of terminal, ensuring that terminals of different types have different PGWs and master stations, while terminals of the same type may be configured with the same or different PGWs and master stations depending on the size of the network.
(2) When the terminal initiates an attach request to the MME, the MME obtains the PGW Identity of the UE from the subscription database according to the UE's IMSI.
(3) The MME judges whether the PGW Identity is in its configuration data; if so, the IP of the PGW is found in the configuration and the session establishment procedure is completed.
(4) When the bearer modification is completed, the UE is successfully attached.
In summary, in the method for physically isolating services of the private wireless network provided in this embodiment, the PGW Identity item (the PGW Identity is the logical configuration ID of the PGW in the MME) is added to the subscription database, and the entire network design is fixed at the beginning of the network design, so no DNS resolution is needed and the difficulty and capital cost of network configuration are reduced. A terminal of a given service is only allowed to access its fixed PGW and service master station. The MME is configured with the information of the PGWs with which it needs to establish sessions, including PGW Identity and PGW IP. The PGW is configured with the information of its corresponding service master station and directly discards data received from any non-configured master station, so data theft by a forged master station is prevented.
On the basis of a simplified MME processing flow and fewer air-interface messages, this network architecture achieves complete physical isolation of the SGi interface and sends the data of different service terminals to the corresponding service master stations through different PGWs. Each service is transmitted independently and is refused access to the PGW and master station of any other service, which reduces the risk of leakage; high-security services receive key protection while low-security services use general security encryption, and the network security configuration required in networking is noticeably reduced.
Further, on the basis of the foregoing embodiments, the acquiring a target gateway corresponding to the gateway identifier, and establishing a communication connection between the target terminal and a private network server corresponding to the target gateway includes:
judging whether the target gateway is a preconfigured gateway or not according to the gateway identifier, if so, acquiring the target gateway corresponding to the gateway identifier, establishing communication connection between the target terminal and a private network server corresponding to the target gateway, and sending first prompt information for establishing the session to the target terminal;
and if the target gateway is not a preconfigured gateway, not establishing the communication connection between the target terminal and a private network server corresponding to the target gateway, and sending second prompt information for failing to establish the session to the target terminal.
The first prompt message and the second prompt message are messages sent to the target terminal. After the MME obtains the gateway identifier from the HSS, it judges whether the gateway corresponding to that identifier is the gateway of a pre-configured private network service; if so, the communication connection is established directly, and otherwise the request to establish the communication connection is rejected, which ensures the security of the connections that are established.
The embodiment provides a method for physically isolating services of a wireless private network in which, by checking whether the gateway identifier is pre-configured, the security risk of establishing a communication connection through a gateway that does not correspond to the private network service is avoided.
Further, on the basis of the foregoing embodiments, after receiving request information for establishing a session of a private network service sent by a target terminal, acquiring service information of the private network service includes:
after receiving request information for establishing a session of a private network service, sent by a target terminal, performing security check on the target terminal, if the security check is passed, acquiring service information of the private network service, otherwise, sending third prompt information that the security check is not passed.
Further, on the basis of the above embodiments, the subscription data is stored in the user home server.
The embodiment provides a method for physically isolating services of a wireless private network in which the security check is the authentication and security procedure performed on the target terminal, so that a terminal not intended for processing private network services is prevented from establishing a communication connection with the private network server, and the security of the communication process is ensured from the terminal side.
Specifically, fig. 4 is a schematic diagram of a data transmission process of the method for physically isolating services of a wireless private network provided in this embodiment, referring to fig. 4, where the process includes:
(1) the UE sends an Attach Request carrying its IMSI;
(2) after receiving the Attach Request, the MME first completes the authentication and security procedure with the UE;
(3) after the authentication and security procedure succeed, the MME uses the IMSI as the index to request the UE subscription data from the HSS;
(4) the HSS returns the UE subscription data (including the PGW Identity) found in its database to the MME in an Update Location Answer;
(5) having obtained the PGW Identity of the UE from the HSS, the MME looks up the IP address of that PGW in its own configuration; if no configuration entry exists for that PGW, the MME rejects the attach of the UE;
(6) after obtaining the PGW IP address from its own configuration, the MME initiates a session establishment procedure towards the PGW;
(7) the PGW allocates a UE IP address for the UE and completes session establishment;
(8) the MME sends the UE IP address to the UE in an Attach Accept message;
(9) the UE is now successfully attached through the PGW, and a data transmission channel from the UE to the service master station is established.
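The attach gating of steps (1) to (9), written out as an added Python example; this is not code from the patent or from Potevio. The IMSIs, keys, PGW identities and addresses are constructed, and the authentication step is a simple HMAC challenge-response standing in for the EPS authentication procedure, which is not reproduced here. The point it shows is the ordering: the UE is authenticated before the HSS is consulted, and a subscriber whose PGW Identity is not in the MME's own configuration is rejected even though authentication succeeded.

```python
"""Simulated MME attach gating for a physically isolated private network.
Added example; node names, IMSIs, keys and addresses are constructed."""
import hashlib
import hmac
import os


class AttachReject(Exception):
    """Raised when the MME rejects the Attach Request."""


# Constructed HSS subscription data: IMSI -> shared key K and subscribed PGW Identity.
# The PGW Identity is what ties a subscriber to the gateway of one service.
HSS_DB = {
    "460011234567890": {"k": bytes.fromhex("00112233445566778899aabbccddeeff"), "pgw_id": "pgw-video"},
    "460011234567891": {"k": bytes.fromhex("ffeeddccbbaa99887766554433221100"), "pgw_id": "pgw-meter"},
    # Subscribed to a gateway this MME does not serve: the attach must be rejected.
    "460011234567892": {"k": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"), "pgw_id": "pgw-other"},
}

# MME local configuration (step 5): PGW Identity -> PGW IP. Only these gateways may be used.
MME_PGW_CONFIG = {
    "pgw-video": "10.10.1.1",
    "pgw-meter": "10.10.2.1",
}


class PGW:
    """Minimal PGW: allocates UE IP addresses from its own pool (step 7)."""

    def __init__(self, ip, pool):
        self.ip = ip
        self.pool = list(pool)
        self.sessions = {}

    def create_session(self, imsi):
        ue_ip = self.pool.pop(0)
        self.sessions[imsi] = ue_ip
        return ue_ip


def build_pgws():
    """One PGW per configured service, each with a distinct UE address range."""
    return {
        "10.10.1.1": PGW("10.10.1.1", [f"192.168.1.{n}" for n in range(2, 10)]),
        "10.10.2.1": PGW("10.10.2.1", [f"192.168.2.{n}" for n in range(2, 10)]),
    }


def hss_auth_vector(imsi):
    """Stand-in for the authentication vector (step 2): RAND and expected response XRES."""
    rand = os.urandom(16)
    xres = hmac.new(HSS_DB[imsi]["k"], rand, hashlib.sha256).digest()[:8]
    return rand, xres


def ue_response(ue_key, rand):
    """UE side of the challenge-response, computed with the key held by the USIM."""
    return hmac.new(ue_key, rand, hashlib.sha256).digest()[:8]


def hss_update_location(imsi):
    """Step (4): Update Location Answer carrying the subscribed PGW Identity."""
    return HSS_DB[imsi]["pgw_id"]


def mme_attach(imsi, ue_key, pgws):
    """Process an Attach Request; return (pgw_ip, ue_ip) or raise AttachReject.

    The UE is authenticated before any subscription data is consulted, and the
    subscribed PGW must appear in the MME's own configuration.
    """
    if imsi not in HSS_DB:
        raise AttachReject("unknown IMSI")
    rand, xres = hss_auth_vector(imsi)                      # step (2)
    if not hmac.compare_digest(ue_response(ue_key, rand), xres):
        raise AttachReject("authentication failed")         # security check not passed
    pgw_id = hss_update_location(imsi)                      # steps (3)-(4)
    pgw_ip = MME_PGW_CONFIG.get(pgw_id)                     # step (5)
    if pgw_ip is None:
        raise AttachReject(f"PGW {pgw_id!r} is not configured on this MME")
    ue_ip = pgws[pgw_ip].create_session(imsi)               # steps (6)-(7)
    return pgw_ip, ue_ip                                    # step (8): carried in Attach Accept


def attach_outcome(imsi, ue_key, pgws):
    """Attach result as data: ('accept', pgw_ip, ue_ip) or ('reject', reason)."""
    try:
        pgw_ip, ue_ip = mme_attach(imsi, ue_key, pgws)
        return "accept", pgw_ip, ue_ip
    except AttachReject as e:
        return "reject", str(e)


if __name__ == "__main__":
    pgws = build_pgws()
    print(attach_outcome("460011234567890", HSS_DB["460011234567890"]["k"], pgws))
    print(attach_outcome("460011234567891", b"wrong key", pgws))
    print(attach_outcome("460011234567892", HSS_DB["460011234567892"]["k"], pgws))
```

The third subscriber illustrates the isolation property: the HSS record is valid and authentication succeeds, but because this MME has no configuration entry for `pgw-other`, no session is created on any gateway it serves.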
Further, on the basis of the foregoing embodiments, after establishing a communication connection between the target terminal and a private network server corresponding to the target gateway, the method further includes:
the target terminal sends first service data to a base station, the base station sends the first service data to the target gateway according to the established communication connection, and the target gateway sends the first service data to a private network server corresponding to the target gateway.
After the communication connection between the target terminal and the private network server is established, the target terminal and the private network server can carry out service communication, and the service data is transmitted through the gateway of the private network.
The embodiment provides a method for physically isolating services of a wireless private network, which realizes a data transmission process through a base station and a gateway of the private network in the service data transmission process.
Further, on the basis of the foregoing embodiments, after establishing a communication connection between the target terminal and a private network server corresponding to the target gateway, the method further includes:
after receiving second service data to be sent to the target terminal, the target gateway acquires a source IP address corresponding to the second service data, and judges whether the source IP address belongs to an address corresponding to a private network server pre-configured in the target gateway;
if the source IP address belongs to an address corresponding to a private network server which is configured in the target gateway in advance, the second service data is sent to a base station, and the base station sends the second service data to the target terminal;
if the source IP address does not belong to an address corresponding to a private network server pre-configured in the target gateway, the second service data is discarded.
When the target gateway sends service data to the target terminal, it has to identify the source of that data; if the data does not come from the private network server, it is discarded promptly, avoiding the information leakage that could follow from delivering it to the target terminal.
Further, on the basis of the foregoing embodiments, after establishing a communication connection between the target terminal and a private network server corresponding to the target gateway, the method further includes:
after receiving service data, the target gateway judges whether the service corresponding to the service data is a pre-configured service; if so, the service data is sent to the target terminal or to the private network server, otherwise it is discarded.
The gateway is configured with the master station information of the services it handles. After receiving service data, the gateway judges from the service data whether the corresponding service belongs to the pre-configured services; if so, the service data is forwarded, otherwise it is discarded, which prevents data from being stolen by a counterfeit master station. For example, the PGW is pre-configured with the master station information of the services it processes, and when received service data does not belong to a configured service it is discarded, so that data transmitted through the gateway cannot be stolen.
In the downlink service data transmission process, the gateway of the private network identifies the source of the transmitted data, so that data not sent by the private network server is not delivered to the target terminal.
Specifically, as shown in fig. 3, the communication process after the communication connection is established may be described as follows (in this embodiment, for example, the type 1 UE is a terminal handling a video service, the type 2 UE is a terminal querying electricity meters, and the type 3 UE is a terminal handling a call service; this embodiment is not limited to these):
(1) the type 1 UE is already attached to its SGW/PGW, and a user plane channel between the type 1 UE and that SGW/PGW is established;
(2) the type 2 UE is already attached to its SGW/PGW, and a user plane channel between the type 2 UE and that SGW/PGW is established;
(3) the type 3 UE is already attached to its SGW/PGW, and a user plane channel between the type 3 UE and that SGW/PGW is established;
(4) when the type 1 UE needs to send uplink service data to service server 1, the UE sends the service data to the eNodeB over the air interface;
(5) the eNodeB looks up the bearer information of the UE and sends the UE service data to the corresponding SGW/PGW through the S1-U interface of the base station;
(6) after receiving the UE service data, the PGW sends the data to service server 1 through the SGi interface;
(7) when the service server needs to send downlink data to the UE, the data addressed to the type 1 UE is routed by network configuration to the PGW corresponding to the type 1 UE;
(8) after receiving the downlink service data, the PGW judges whether the source IP address of the packet is in its own master station list; if not, the packet is discarded directly;
(9) after analysing the packet and determining that it was sent by a configured master station, the PGW forwards it to the base station through the S1-U interface of the SGW;
(10) after receiving the packet, the base station sends it to the UE over the air interface;
(11) when the type 2 and type 3 UEs send service data, the forwarding is the same as in steps (4) to (10), and the data of the different services are completely physically isolated between the SGi interface of the PGW and the service master station.
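The gateway-side filtering described above for the target gateway (source-address check on downlink data, pre-configured-service check in both directions) and restated in steps (4) to (10) for the video PGW, as an added Python example; this is not code from the patent or from Potevio. Master station prefixes, the UE address pool and the service definition are constructed, and representing a "pre-configured service" as a (server address, server port) pair is an assumption of this example. It also adds one check the text does not spell out: an uplink packet whose source address was not allocated by this PGW is dropped, so a terminal cannot spoof another subscriber or the master station.

```python
"""PGW user-plane filtering for one private network service.
Added example; addresses, ports and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "uplink" arrives on S1-U from the UE; "downlink" arrives on SGi


class PrivateNetPGW:
    """Forwarding decision of the gateway dedicated to one service.

    master_stations: addresses or prefixes of the service's private network servers.
    services: (server address, server port) pairs the gateway is configured to carry;
    modelling a service as an address/port pair is an assumption of this example.
    """

    def __init__(self, name, ue_pool, master_stations, services):
        self.name = name
        self.ue_pool = ipaddress.ip_network(ue_pool)
        self.master_stations = [ipaddress.ip_network(m) for m in master_stations]
        self.services = set(services)
        self.log = []

    def _from_master_station(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.master_stations)

    def _decide(self, pkt):
        if pkt.direction == "downlink":
            # Step (8): anything not sourced by a configured master station is dropped.
            if not self._from_master_station(pkt.src):
                return "drop", "source is not a configured master station"
            if ipaddress.ip_address(pkt.dst) not in self.ue_pool:
                return "drop", "destination is not a UE of this gateway"
            if (pkt.src, pkt.sport) not in self.services:
                return "drop", "service not configured on this gateway"
            return "s1u", "forward to eNodeB"            # step (9)
        if pkt.direction == "uplink":
            # Added check: a packet on S1-U must carry a UE address this PGW allocated.
            if ipaddress.ip_address(pkt.src) not in self.ue_pool:
                return "drop", "uplink source is not a UE of this gateway"
            if not self._from_master_station(pkt.dst):
                return "drop", "destination is not a configured master station"
            if (pkt.dst, pkt.dport) not in self.services:
                return "drop", "service not configured on this gateway"
            return "sgi", "forward to master station"     # step (6)
        return "drop", "unknown direction"

    def handle(self, pkt):
        """Return (action, reason) and record it; action is 's1u', 'sgi' or 'drop'."""
        action, reason = self._decide(pkt)
        self.log.append((action, reason, pkt))
        return action, reason


def build_video_pgw():
    """Gateway for the type 1 (video) UEs, with its own master station and UE pool."""
    return PrivateNetPGW(
        name="pgw-video",
        ue_pool="192.168.1.0/24",
        master_stations=["172.16.10.0/24"],
        services={("172.16.10.5", 554)},   # constructed: one video service endpoint
    )


def demo():
    """Run constructed packets through the video gateway; returns the action per packet."""
    pgw = build_video_pgw()
    samples = [
        Packet("192.168.1.2", 40001, "172.16.10.5", 554, "uplink"),     # legitimate request
        Packet("172.16.10.5", 554, "192.168.1.2", 40001, "downlink"),   # legitimate reply
        Packet("172.16.20.7", 554, "192.168.1.2", 40001, "downlink"),   # server of another service
        Packet("172.16.10.5", 8080, "192.168.1.2", 40001, "downlink"),  # right server, unconfigured service
        Packet("192.168.2.9", 40002, "172.16.10.5", 554, "uplink"),     # spoofed UE address from another pool
        Packet("192.168.1.2", 40003, "203.0.113.10", 443, "uplink"),    # UE trying to leave the private network
    ]
    return [pgw.handle(p)[0] for p in samples]


if __name__ == "__main__":
    print(demo())
```

Only the first two packets are forwarded; the other four are dropped at the PGW, which is where the text places the isolation boundary between the SGi interface and the service master station.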
As shown in fig. 5, an embodiment of the present invention provides an apparatus for physically isolating services of a wireless private network, including a first obtaining module 501, a second obtaining module 502, and an establishing module 503, wherein,
a first obtaining module 501, configured to obtain identification information of a target terminal after receiving request information for establishing a session of a private network service, which is sent by the target terminal;
a second obtaining module 502, configured to obtain, according to the identifier information, subscription data corresponding to the identifier information, obtain, according to the subscription data, a gateway identifier corresponding to the session established by the target terminal, and determine a target gateway corresponding to the gateway identifier;
an establishing module 503, configured to establish a communication connection between the target terminal and a private network server corresponding to the target gateway;
different types of private network services correspond to different private network servers, and the different private network servers are in communication connection with the terminal through different gateways.
The apparatus for physically isolating a service of a wireless private network provided in this embodiment is suitable for the method for physically isolating a service of a wireless private network in the foregoing embodiment, and is not described herein again.
The embodiment of the invention provides a device for physically isolating the service of a wireless private network, which is used for pre-configuring subscription data for a terminal of the private network. The subscription data specifies the gateway device corresponding to the terminal when the terminal processes the private network service and establishes communication connection with the private network server. Based on this, after receiving the request information for establishing the communication connection of the private network service sent by the target terminal, the corresponding subscription data can be found directly according to the identifier of the target terminal, and the communication connection between the target terminal and the private network server is established according to the gateway specified in the subscription data. When the private network communication connection is established through the subscription data, the device physically isolates the gateways of different services for establishing the private network communication connection, and further establishes the communication connection with the private network, so that the physical isolation of different services in the private network communication process is realized, and the safety of data transmission is ensured.
Fig. 6 is a block diagram showing the structure of the electronic apparatus provided in the present embodiment.
Referring to fig. 6, the electronic device includes: a processor (processor)601, a memory (memory)602, a communication Interface (Communications Interface)603, and a bus 604;
wherein
the processor 601, the memory 602 and the communication interface 603 complete mutual communication through the bus 604;
the communication interface 603 is used for information transmission between the electronic device and a communication device of a base station or a communication device of another server;
the processor 601 is configured to call program instructions in the memory 602 to perform the methods provided by the above method embodiments, for example, including: after receiving request information for establishing a session of a private network service, which is sent by a target terminal, acquiring identification information of the target terminal; acquiring subscription data corresponding to the identification information according to the identification information, acquiring a gateway identifier corresponding to the session established by the target terminal according to the subscription data, and determining a target gateway corresponding to the gateway identifier; establishing a communication connection between the target terminal and a private network server corresponding to the target gateway; different types of private network services correspond to different private network servers, and the different private network servers are in communication connection with the terminal through different gateways.
In a fourth aspect, the present embodiment provides a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the method provided by the above method embodiments, for example, including: after receiving request information for establishing a session of a private network service, which is sent by a target terminal, acquiring identification information of the target terminal; acquiring subscription data corresponding to the identification information according to the identification information, acquiring a gateway identifier corresponding to the session established by the target terminal according to the subscription data, and determining a target gateway corresponding to the gateway identifier; establishing a communication connection between the target terminal and a private network server corresponding to the target gateway; different types of private network services correspond to different private network servers, and the different private network servers are in communication connection with the terminal through different gateways.
The present embodiments disclose a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above method embodiments, for example, including: after receiving request information for establishing a session of a private network service, which is sent by a target terminal, acquiring identification information of the target terminal; acquiring subscription data corresponding to the identification information according to the identification information, acquiring a gateway identifier corresponding to the session established by the target terminal according to the subscription data, and determining a target gateway corresponding to the gateway identifier; establishing a communication connection between the target terminal and a private network server corresponding to the target gateway; different types of private network services correspond to different private network servers, and the different private network servers are in communication connection with the terminal through different gateways.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
The above-described embodiments of the electronic device and the like are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may also be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the embodiments of the present invention, and are not limited thereto; although embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A method for physically isolating services of a private wireless network, comprising:
after receiving request information for establishing a session of a private network service, which is sent by a target terminal, acquiring identification information of the target terminal;
acquiring subscription data corresponding to the identification information according to the identification information, acquiring a gateway identifier corresponding to the session established by the target terminal according to the subscription data, and determining a target gateway corresponding to the gateway identifier;
establishing communication connection between the target terminal and a private network server corresponding to the target gateway;
different types of private network services correspond to different private network servers, and the different private network servers are in communication connection with the terminal through different gateways.
2. The method of claim 1, wherein the obtaining subscription data corresponding to the identification information according to the identification information, obtaining a gateway identifier corresponding to the session established by the target terminal according to the subscription data, and determining a target gateway corresponding to the gateway identifier comprises:
and sending the identification information to a user home server, judging whether a gateway corresponding to the gateway identification in the subscription data belongs to a pre-configured gateway or not after receiving the subscription data which is sent by the user home server and corresponds to the identification information, if so, determining a target gateway corresponding to the gateway identification, and otherwise, not establishing communication connection between the target terminal and a private network server corresponding to the target gateway.
3. The method of claim 1, wherein the establishing a communication connection between the target terminal and a private network server corresponding to the target gateway comprises:
judging whether the target gateway is a preconfigured gateway or not according to the gateway identifier, if so, acquiring the target gateway corresponding to the gateway identifier, establishing communication connection between the target terminal and a private network server corresponding to the target gateway, and sending first prompt information for establishing the session to the target terminal;
and if the target gateway is not a preconfigured gateway, not establishing the communication connection between the target terminal and a private network server corresponding to the target gateway, and sending second prompt information for failing to establish the session to the target terminal.
4. The method according to claim 2, wherein the obtaining the service information of the private network service after receiving the request information for establishing the session of the private network service sent by the target terminal comprises:
after receiving request information for establishing a session of a private network service, sent by a target terminal, performing security check on the target terminal, if the security check is passed, acquiring service information of the private network service, otherwise, sending third prompt information that the security check is not passed.
5. The method of claim 1, further comprising, after establishing the communication connection between the target terminal and the private network server corresponding to the target gateway:
the target terminal sends first service data to a base station, the base station sends the first service data to the target gateway according to the established communication connection, and the target gateway sends the first service data to a private network server corresponding to the target gateway.
6. The method of claim 1, further comprising, after establishing the communication connection between the target terminal and the private network server corresponding to the target gateway:
after receiving second service data to be sent to the target terminal, the target gateway acquires a source IP address corresponding to the second service data, and judges whether the source IP address belongs to an address corresponding to a private network server pre-configured in the target gateway;
if the source IP address belongs to an address corresponding to a private network server which is configured in the target gateway in advance, the second service data is sent to a base station, and the base station sends the second service data to the target terminal;
and if the source IP address does not belong to the address corresponding to the private network server which is configured in the target gateway in advance, discarding the second service data.
7. An apparatus for physically isolating services of a private wireless network, comprising:
the first acquisition module is used for acquiring the identification information of a target terminal after receiving request information for establishing a session of a private network service sent by the target terminal;
the second acquisition module is used for acquiring pre-stored subscription data of the target terminal according to the identification information; the subscription data prescribes a gateway identifier corresponding to the session established by the target terminal;
the establishing module is used for acquiring a target gateway corresponding to the gateway identifier and establishing communication connection between the target terminal and a private network server corresponding to the target gateway;
different types of private network services correspond to different private network servers, and the different private network servers are in communication connection with the terminal through different gateways.
8. An electronic device, comprising:
at least one processor, at least one memory, a communication interface, and a bus; wherein
the processor, the memory and the communication interface complete mutual communication through the bus;
the communication interface is used for information transmission between the electronic equipment and communication equipment of a base station or communication equipment of other servers;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1 to 6.
9. A non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the method of any one of claims 1 to 6.
CN201811029482.8A 2018-09-05 2018-09-05 Method and device for physically isolating services of wireless private network Active CN110881014B (en)
Publications (2)

Publication Number Publication Date
CN110881014A CN110881014A (en) 2020-03-13
CN110881014B true CN110881014B (en) 2021-09-28
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant