CN110999256A - Communication method, terminal equipment and core network equipment - Google Patents


Info

Publication number: CN110999256A
Authority: CN (China)
Prior art keywords: core network, terminal device, information, network device, sent
Legal status: Granted
Application number: CN201980003697.9A
Other languages: Chinese (zh)
Other versions: CN110999256B (en)
Inventor: 许阳
Current Assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Original Assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Events: application filed by Guangdong Oppo Mobile Telecommunications Corp Ltd; publication of CN110999256A; application granted; publication of CN110999256B; legal status active

Classifications

    • H04L69/24: Negotiation of communication capabilities (under H04L69/00, Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass; H04L, Transmission of digital information, e.g. telegraphic communication; H04, Electric communication technique; H, Electricity)
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/04 and H04L63/00, Network architectures or network communication protocols for network security; H04L; H04; H)
    • H04L67/141: Setup of application sessions (under H04L67/14, Session management; H04L67/00, Network arrangements or protocols for supporting network services or applications; H04L; H04; H)

Abstract

The communication method comprises the following steps: a terminal device sends first information to a core network device, where the first information indicates one or more encrypted traffic detection methods supported by the terminal device; the terminal device receives second information from the core network device, where the second information indicates the encrypted traffic detection method to be used in communication with the terminal device, as determined by the core network device based on the first information; and the terminal device performs processing according to the encrypted traffic detection method to be used.

Description

Communication method, terminal equipment and core network equipment
Cross Reference to Related Applications
The present application is based on and claims priority of the United States provisional patent application entitled "negotiation mechanism for traffic detection method between UE and network", filed on 23 May 2018, serial No. 62/675,274, which is incorporated herein by reference in its entirety.
Technical Field
The embodiments of the present application relate generally to the field of communications, and in particular, to a communication method, a terminal device, and a core network device.
Background
In network communications, HTTP (hypertext transfer protocol) over TLS (transport layer security) is becoming the trend, which means that more and more HTTP traffic will be encrypted. Currently, in operator networks, the SNI (server name indication) is typically used to identify which service encrypted traffic belongs to, and the IP tuple of that traffic is then associated with a filter installed in the network for further traffic detection.
However, the SNI is plaintext that any attacker can forge, and future versions of the TLS protocol are expected to encrypt the SNI altogether. Thus, the SNI can no longer be relied on to identify the traffic of a service.
In order to solve the above problems, various encrypted traffic detection methods have been proposed, each with its own advantages and disadvantages. A user equipment or a core network device may support one or more of these methods, so a mismatch between the encrypted traffic detection method used by the user equipment and the one used by the core network device can occur.
Disclosure of Invention
Embodiments of the present application provide a communication method and apparatus that enable negotiation between a terminal device and a core network device regarding the use of an encrypted traffic detection method, thereby avoiding mismatch of use.
In a first aspect, there is provided a communication method comprising:
a terminal device sends, to a core network device, first information indicating one or more encrypted traffic detection methods supported by the terminal device;
the terminal device receives, from the core network device, second information indicating an encrypted traffic detection method to be used in communication with the terminal device, which is determined by the core network device based on the first information; and
the terminal device performs processing according to the encrypted traffic detection method to be used.
It can be seen that, in the first aspect of the embodiments of the present application, by sending information about methods supported by the terminal device to the core network device, the core network device determining a method to be used based on the information, and notifying the terminal device of the determined method to be used, negotiation for use of an encrypted traffic detection method between the terminal device and the core network device can be achieved, and thus mismatching of use of the methods can be avoided.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the sending, by a terminal device, first information indicating one or more encrypted traffic detection methods supported by the terminal device to a core network device includes:
the terminal device includes the first information in an uplink signaling message to be sent to the core network device;
and the terminal device sends the uplink signaling message comprising the first information to the core network device.
In an embodiment of the present application, the terminal device including the first information in an uplink signaling message to be sent to the core network device includes:
the terminal device includes the first information in an uplink signaling message to be sent to the core network device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
In another embodiment of the application, in case the terminal device includes the first information in an uplink signaling message to be sent to the core network device during a registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
In another embodiment of the application, in case the terminal device includes the first information in an uplink signaling message to be sent to the core network device during an attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
In another embodiment of the application, in case the terminal device includes the first information in an uplink signaling message to be sent to the core network device during the PDU session setup procedure, the uplink signaling message is a PDU session setup request of the PDU session setup procedure to be sent from the terminal device to the core network device.
In another embodiment of the application, in case the terminal device includes the first information in an uplink signaling message to be sent to the core network device during the PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
With reference to the first aspect or any one of the foregoing possible implementations, in a second possible implementation of the first aspect, the receiving, by the terminal device, second information indicating an encrypted traffic detection method to be used in communication with the terminal device from the core network device includes:
the terminal device receives a downlink signaling message including the second information from the core network device.
In an embodiment of the present application, the receiving, by the terminal device, the downlink signaling message including the second information from the core network device includes:
the terminal device receives a downlink signaling message including the second information from the core network device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
In another embodiment of the application, in case the terminal device receives a downlink signaling message comprising the second information from the core network device during a registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
In another embodiment of the application, in case the terminal device receives a downlink signaling message comprising the second information from the core network device during an attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
In another embodiment of the application, in case the terminal device receives a downlink signaling message comprising the second information from the core network device during the PDU session setup procedure, the downlink signaling message is a PDU session setup response of the PDU session setup procedure to be sent from the core network device to the terminal device.
In another embodiment of the application, in case the terminal device receives a downlink signaling message comprising the second information from the core network device during the PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
With reference to the first aspect or any one of the foregoing possible implementations, in a third possible implementation of the first aspect, the first information indicates at least one of:
whether the terminal device supports a user-equipment-assisted encrypted traffic detection method;
the type of the user-equipment-assisted encrypted traffic detection method supported by the terminal device;
the subtype of the user-equipment-assisted encrypted traffic detection method supported by the terminal device.
With reference to the first aspect or any one of the foregoing possible implementations, in a fourth possible implementation of the first aspect, the first information indicates a priority of one or more methods determined by the terminal device.
With reference to the first aspect or any one of the foregoing possible implementations, in a fifth possible implementation of the first aspect, the core network device selects an encrypted traffic detection method to be used from one or more methods indicated by the first information.
In a second aspect, there is provided a communication method comprising:
a core network device receives, from a terminal device, first information indicating one or more encrypted traffic detection methods supported by the terminal device;
the core network device determines an encrypted traffic detection method to be used in communication with the terminal device based on the first information;
the core network device transmits second information indicating an encrypted traffic detection method to be used to the terminal device.
It can be seen that, in the second aspect of the embodiments of the present application, by sending information about methods supported by the terminal device to the core network device, the core network device determining a method to be used based on the information, and notifying the terminal device of the determined method to be used, negotiation for use of an encrypted traffic detection method between the terminal device and the core network device can be implemented, and thus mismatching of use of the methods can be avoided.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the receiving, by a core network device, first information indicating one or more encrypted traffic detection methods supported by a terminal device from the terminal device includes:
the core network device receives, from the terminal device, an uplink signaling message comprising the first information.
With reference to the second aspect or any one of the foregoing possible implementation manners, in a second possible implementation manner of the second aspect, the receiving, by the core network device, the uplink signaling message including the first information sent from the terminal device includes:
the core network device receives an uplink signaling message including first information transmitted from the terminal device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
With reference to the second aspect or any one of the foregoing possible implementations, in a third possible implementation of the second aspect, in a case that the core network device receives an uplink signaling message including the first information, which is sent from the terminal device, during a registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
With reference to the second aspect or any one of the foregoing possible implementations, in a fourth possible implementation of the second aspect, in a case that the core network device receives an uplink signaling message including the first information, which is sent from the terminal device, during an attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
With reference to the second aspect or any one of the foregoing possible implementations, in a fifth possible implementation of the second aspect, in a case that the core network device receives an uplink signaling message including the first information, which is sent from the terminal device, during the PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
With reference to the second aspect or any one of the foregoing possible implementations, in a sixth possible implementation of the second aspect, in a case where the core network device receives an uplink signaling message including the first information sent from the terminal device during the PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
With reference to the second aspect or any one of the foregoing possible implementations, in a seventh possible implementation of the second aspect, the sending, by the core network device, second information indicating an encrypted traffic detection method to be used to the terminal device, includes:
the core network device includes the second information in a downlink signaling message to be sent to the terminal device;
and the core network device sends the downlink signaling message comprising the second information to the terminal device.
With reference to the second aspect or any one of the foregoing possible implementation manners, in an eighth possible implementation manner of the second aspect, the including, by the core network device, the second information in the downlink signaling message to be sent to the terminal device includes:
the core network device includes the second information in a downlink signaling message to be sent to the terminal device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
With reference to the second aspect or any one of the foregoing possible implementations, in a ninth possible implementation of the second aspect, in a case that the core network device includes the second information in a downlink signaling message to be sent to the terminal device during a registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
With reference to the second aspect or any one of the foregoing possible implementations, in a tenth possible implementation of the second aspect, in a case that the core network device includes the second information in a downlink signaling message to be sent to the terminal device during an attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
With reference to the second aspect or any one of the foregoing possible implementations, in an eleventh possible implementation of the second aspect, in a case that the core network device includes the second information in a downlink signaling message to be sent to the terminal device during the PDU session setup procedure, the downlink signaling message is a PDU session setup response of the PDU session setup procedure to be sent from the core network device to the terminal device.
With reference to the second aspect or any one of the foregoing possible implementations, in a twelfth possible implementation of the second aspect, in a case that the core network device includes the second information in a downlink signaling message to be sent to the terminal device during the PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
With reference to the second aspect or any one of the above possible implementations, in a thirteenth possible implementation of the second aspect, the first information indicates at least one of:
whether the terminal device supports a user-equipment-assisted encrypted traffic detection method;
the type of the user-equipment-assisted encrypted traffic detection method supported by the terminal device;
the subtype of the user-equipment-assisted encrypted traffic detection method supported by the terminal device.
With reference to the second aspect or any one of the foregoing possible implementations, in a fourteenth possible implementation of the second aspect, the first information indicates a priority of one or more encrypted traffic detection methods determined by the terminal device.
With reference to the second aspect or any one of the foregoing possible implementations, in a fifteenth possible implementation of the second aspect, the determining, by the core network device, an encrypted traffic detection method to be used in communication with the terminal device based on the first information includes:
the core network device compares the one or more methods indicated in the first information with the one or more methods supported by the core network device;
the core network device selects, from the one or more methods indicated in the first information, at least one method that matches a method supported by the core network device as the encrypted traffic detection method to be used.
With reference to the second aspect or any one of the foregoing possible implementations, in a sixteenth possible implementation of the second aspect, the method further includes:
the core network device performs processing according to an encrypted traffic detection method to be used.
In a third aspect, there is provided a communication method comprising:
the core network device transmitting, to the terminal device, first information indicating one or more encrypted traffic detection methods determined by the core network device as candidate methods for an encrypted traffic detection method to be used in communication with the terminal device;
the core network device receives, from the terminal device, second information indicating an encrypted traffic detection method to be used in communication with the terminal device, which is determined by the terminal device based on the first information;
the core network device performs processing according to the encrypted traffic detection method to be used.
It can be seen that in the third aspect of the embodiments of the present application, by transmitting information on a candidate method for an encrypted traffic detection method to be used to a terminal device, the terminal device determining a method to be used based on the information, and notifying a core network device of the determined method to be used, negotiation for use of the encrypted traffic detection method between the terminal device and the core network device can be achieved, whereby mismatching of use of the method can be avoided.
With reference to the third aspect, in a first possible implementation manner of the third aspect, the sending, by a core network device, first information indicating one or more encrypted traffic detection methods to a terminal device includes:
the core network device includes the first information in a downlink signaling message to be sent to the terminal device;
and the core network device sends the downlink signaling message comprising the first information to the terminal device.
With reference to the third aspect or any one of the foregoing possible implementations, in a second possible implementation manner of the third aspect, the including, by the core network device, the first information in the downlink signaling message to be sent to the terminal device includes:
the core network device includes the first information in a user equipment configuration update request to be sent to the terminal device during a user equipment configuration update procedure,
wherein the core network device receiving, from the terminal device, second information indicating an encrypted traffic detection method to be used in communication with the terminal device includes:
the core network device receives a confirmation message for the user equipment configuration update request from the terminal device, the confirmation message including the second information.
With reference to the third aspect or any one of the foregoing possible implementations, in a third possible implementation of the third aspect, the first information indicates a priority of one or more encrypted traffic detection methods determined by the core network device.
With reference to the third aspect or any one of the foregoing possible implementations, in a fourth possible implementation of the third aspect, the terminal device selects an encrypted traffic detection method to be used from among the one or more encrypted traffic detection methods indicated by the first information.
In a fourth aspect, there is provided a communication method comprising:
the terminal device receiving, from the core network device, first information indicating one or more encrypted traffic detection methods determined by the core network device as candidate methods for the encrypted traffic detection method to be used in communication with the terminal device;
the terminal device determines an encrypted traffic detection method to be used in communication with the terminal device based on the first information;
the terminal device transmits second information indicating an encrypted traffic detection method to be used to the core network device.
It can be seen that in the fourth aspect of the embodiments of the present application, by transmitting information on a candidate method for an encrypted traffic detection method to be used to a terminal device, the terminal device determining a method to be used based on the information, and notifying the core network device of the determined method to be used, negotiation for use of the encrypted traffic detection method between the terminal device and the core network device can be achieved, whereby mismatching of use of the method can be avoided.
With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the receiving, by a terminal device, first information indicating one or more encrypted traffic detection methods from a core network device includes:
the terminal device receives, from the core network device, a downlink signaling message comprising the first information.
With reference to the fourth aspect, in a second possible implementation manner of the fourth aspect, the receiving, by the terminal device, the first information indicating one or more encrypted traffic detection methods from the core network device includes:
the terminal device receives a user equipment configuration update request including first information sent from the core network device during a user equipment configuration update procedure.
With reference to the fourth aspect, in a third possible implementation manner of the fourth aspect, the determining, by the terminal device, an encrypted traffic detection method to be used in communication with the terminal device based on the first information includes:
the terminal device compares the one or more encrypted traffic detection methods indicated in the first information with the one or more encrypted traffic detection methods supported by the terminal device;
the terminal device selects, from the one or more encrypted traffic detection methods indicated in the first information, at least one method that matches a method supported by the terminal device as the encrypted traffic detection method to be used.
With reference to the fourth aspect, in a fourth possible implementation manner of the fourth aspect, the sending, by the terminal device, second information indicating the encrypted traffic detection method to be used to the core network device includes:
the terminal device includes the second information in an uplink signaling message to be sent to the core network device;
and the terminal device sends the uplink signaling message comprising the second information to the core network device.
With reference to the fourth aspect, in a fifth possible implementation manner of the fourth aspect, the step of including, by the terminal device, the second information in the uplink signaling message to be sent to the core network device includes:
the terminal device includes the second information in a confirmation message for the user equipment configuration update request during the user equipment configuration update procedure.
With reference to the fourth aspect, in a sixth possible implementation manner of the fourth aspect, the first information indicates a priority of one or more encrypted traffic detection methods indicated in the first information.
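The two negotiation directions on this page share one selection step: the first and second aspects have the terminal device offer its supported methods (optionally with a priority) and the core network device pick a match, while the third and fourth aspects have the core network device offer candidates in a user equipment configuration update request and the terminal device pick a match. The Python model below is an added example, not code from the patent or from the assignee, and it serves both directions with a single selection routine. The byte layout of the information elements, the numeric method identifiers, the rule that the selecting side honours the offering side's priority order, and the check that a reply names only a method that was actually offered are all assumptions made for illustration; the patent does not specify them.

```python
"""Added example (not from the patent): negotiation of an encrypted traffic
detection method between a terminal device (UE) and a core network device (CN),
modelled for both directions described on the page.

Everything below the docstring that is not stated in the patent is an
assumption: the element byte layout, the method identifiers, honouring the
offerer's priority, and rejecting a reply that names an unoffered method.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# A method is identified by a (type, subtype) pair; values are constructed placeholders.
Method = Tuple[int, int]


@dataclass(frozen=True)
class OfferedMethod:
    type: int      # e.g. 1 = UE-assisted method family (constructed value)
    subtype: int   # variant within the family (constructed value)
    priority: int  # 0 = most preferred, as assigned by the offering side

    @property
    def method(self) -> Method:
        return (self.type, self.subtype)


def encode_offer(ue_assisted_supported: bool, offered: List[OfferedMethod]) -> bytes:
    """Serialise the 'first information': support flag, count, then one
    (type, subtype, priority) triple per method. Layout is an assumption."""
    if len(offered) > 255:
        raise ValueError("too many methods for a one-byte count")
    out = bytearray([1 if ue_assisted_supported else 0, len(offered)])
    for m in offered:
        for field in (m.type, m.subtype, m.priority):
            if not 0 <= field <= 255:
                raise ValueError("field out of range")
        out += bytes([m.type, m.subtype, m.priority])
    return bytes(out)


def decode_offer(data: bytes) -> Tuple[bool, List[OfferedMethod]]:
    """Parse the element produced by encode_offer, rejecting malformed input."""
    if len(data) < 2:
        raise ValueError("element too short")
    flag, count = data[0], data[1]
    if flag not in (0, 1):
        raise ValueError("bad support flag")
    if len(data) != 2 + 3 * count:
        raise ValueError("length does not match method count")
    offered = [OfferedMethod(data[i], data[i + 1], data[i + 2])
               for i in range(2, len(data), 3)]
    return bool(flag), offered


def select_method(offered: List[OfferedMethod], supported: Set[Method]) -> Optional[Method]:
    """Compare the offered methods with the selector's own supported set and
    return the best-priority match. None means the sets do not intersect; the
    patent does not say what happens then, so this example surfaces it."""
    for m in sorted(offered, key=lambda x: x.priority):
        if m.method in supported:
            return m.method
    return None


def encode_selection(method: Method) -> bytes:
    """Serialise the 'second information' as a (type, subtype) pair."""
    return bytes(method)


def decode_selection(data: bytes) -> Method:
    if len(data) != 2:
        raise ValueError("selection element must be two bytes")
    return (data[0], data[1])


def is_valid_selection(offered: List[OfferedMethod], selected: Method) -> bool:
    """The offering side should only accept a reply naming a method it offered;
    otherwise a corrupted or tampered reply could force a method that side
    never advertised. Assumed validation step."""
    return selected in {m.method for m in offered}


def negotiate(offerer_methods: List[OfferedMethod], ue_assisted_flag: bool,
              selector_supported: Set[Method]) -> Optional[Method]:
    """One complete exchange: offer -> selection -> verification by the offerer."""
    first_info = encode_offer(ue_assisted_flag, offerer_methods)
    _flag, offered = decode_offer(first_info)             # selector side parses
    chosen = select_method(offered, selector_supported)
    if chosen is None:
        return None
    second_info = encode_selection(chosen)
    selected = decode_selection(second_info)              # offerer side parses
    if not is_valid_selection(offerer_methods, selected):
        raise ValueError(f"peer selected a method that was not offered: {selected}")
    return selected


# Constructed sample data. UE prefers (1,2), then (1,1), then (2,0); CN supports (1,1) and (2,0).
UE_OFFER = [OfferedMethod(1, 2, 0), OfferedMethod(1, 1, 1), OfferedMethod(2, 0, 2)]
CN_SUPPORTED: Set[Method] = {(1, 1), (2, 0)}
# First/second aspects: UE offers in a registration/attach/PDU session request; CN selects.
UE_INITIATED = negotiate(UE_OFFER, True, CN_SUPPORTED)    # -> (1, 1)

# Third/fourth aspects: CN offers candidates in a UE configuration update request; UE selects.
CN_OFFER = [OfferedMethod(2, 0, 0), OfferedMethod(1, 1, 1)]
UE_SUPPORTED: Set[Method] = {(1, 2), (1, 1)}
CN_INITIATED = negotiate(CN_OFFER, False, UE_SUPPORTED)   # -> (1, 1)

if __name__ == "__main__":
    print("UE-initiated negotiation chose", UE_INITIATED)
    print("CN-initiated negotiation chose", CN_INITIATED)
```

Two points matter to an implementer of either side. First, `select_method` returning `None` makes the mismatch the patent is trying to avoid visible at negotiation time rather than after traffic starts flowing. Second, `is_valid_selection` is the offering side's own check that the method it is told to use was among the ones it advertised; the patent describes the comparison on the selecting side only, so this receive-side check is an addition of the example.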
In a fifth aspect, there is provided a terminal device comprising means for performing the method of the first aspect or a possible implementation thereof or the fourth aspect or a possible implementation thereof.
In a sixth aspect, there is provided a core network device comprising means for performing the second aspect or a possible implementation thereof or the method of the third aspect or a possible implementation thereof.
In a seventh aspect, a terminal device is provided, comprising a processor and a transceiver, wherein the processor is configured to perform the method of the first aspect or its possible implementation based on the transceiver or to perform the method of the fourth aspect or its possible implementation based on the transceiver.
In an eighth aspect, there is provided a core network device comprising a processor and a transceiver, wherein the processor is configured to perform the method of the second aspect or a possible implementation thereof based on the transceiver, or to perform the method of the third aspect or a possible implementation thereof based on the transceiver.
In a ninth aspect, there is provided a computer readable medium for storing program code, wherein the program code comprises instructions for performing the method of any one of the first, second, third or fourth aspects or possible implementations thereof.
In a tenth aspect, there is provided a system on chip comprising a processor and a memory, wherein the processor is configured to execute code in the memory and, when executing the code, to implement the method in any of the first, second, third or fourth aspects or possible implementations thereof.
Additional features, advantages, and embodiments of the application may be set forth or made apparent from consideration of the following detailed description, drawings, and claims. Furthermore, it is to be understood that both the foregoing general description and the following detailed description are exemplary and are intended to provide further explanation without limiting the scope of the claimed application. However, the detailed description and specific examples are intended to be only exemplary embodiments of the application.
Drawings
The drawings for describing the embodiments or the prior art will be briefly introduced to more clearly illustrate the technical method of the embodiments of the present application. It is obvious that the drawings in the following description are for some embodiments of the application only, and that a person skilled in the art may derive other drawings on the basis of these drawings without inventive effort.
Fig. 1 is a schematic diagram of a communication system according to an embodiment of the present application.
Fig. 2 is a schematic flow chart diagram of a communication method 200 according to an embodiment of the present application.
Fig. 3 is a schematic diagram of a registration/attach procedure according to an embodiment of the application.
Fig. 4 is a schematic diagram of a PDU session setup/modification procedure according to an embodiment of the present application.
Fig. 5 is a schematic diagram of a communication method 500 according to an embodiment of the present application.
Fig. 6 is a schematic block diagram of a terminal device 600 according to an embodiment of the present application.
Fig. 7 is a schematic block diagram of a core network device 700 according to an embodiment of the present application.
Fig. 8 is a schematic block diagram of a terminal device 800 according to another embodiment of the present application.
Fig. 9 is a schematic block diagram of a core network device 900 according to another embodiment of the present application.
Fig. 10 is a schematic block diagram of a terminal device 1000 according to an embodiment of the present application.
Fig. 11 is a schematic block diagram of a core network device 1100 according to an embodiment of the present application.
Fig. 12 is a schematic block diagram of a system-on-chip 1200 according to an embodiment of the present application.
Detailed Description
The technical method of the embodiments of the present application will be described below with reference to the drawings of the embodiments of the present application.
The embodiments of the present application may be applied to various communication systems, such as a Global System for Mobile communication (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) system, a General Packet Radio Service (GPRS) system, a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a Universal Mobile Telecommunications System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a 5G system, a future evolved Public Land Mobile Network (PLMN), and the like.
Fig. 1 shows a wireless communication system 100 applied in an embodiment of the present application. The wireless communication system 100 may include one or more terminal devices 120, a core network 130, and one or more core network devices 110 located in the core network 130. Three terminal devices 120 are shown in fig. 1 as examples of terminal devices used in the embodiment of the present application, and two core network devices 110 are shown in fig. 1 as examples of core network devices used in the embodiment of the present application. Each of the one or more terminal devices 120 is capable of accessing the core network 130, e.g., through an access network, and communicating with one or more core network devices 110.
As an example, the core network device 100 may be a communication device in a core network of a wireless communication system as described above, which enables or supports certain functions of the core network. For example, the core network device 100 may be a functional entity of the core network in a 5G system, such as an AMF (access and mobility management function) or a PCF (policy control function).
Terminal device 120 may be mobile or stationary. By way of example, terminal device 120 can be an access terminal, UE (user equipment), subscriber unit, subscriber station, mobile wireless station, mobile station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user equipment. An access terminal may be a cellular telephone, a cordless telephone, a SIP (session initiation protocol) phone, a WLL (wireless local loop) station, a PDA (personal digital assistant), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle mounted device, a wearable device, a terminal device in a future 5G network or a terminal device in a future evolved Public Land Mobile Network (PLMN) network, etc. Alternatively, the 5G system or network may also be referred to as an NR (New Radio) system or network.
It should be understood that the wireless communication system 100 may also include other network entities such as network controllers, mobility management entities, and the like. The embodiments of the present application do not have any limitation in this regard.
It should be understood that the terms "system" and "network" are interchangeable herein. The term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist. For example, "A and/or B" may indicate three cases: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects.
In this application, the terms "send" and "transmit" refer to a direct transmission from one party to another, or an indirect transmission between the two, such as forwarding through a third party. Similarly, the term "receive" in this application means to receive directly from a party or indirectly from a party, e.g. via forwarding by a third party.
As described above, various encrypted traffic detection methods have been proposed, which can be classified into the following three types.
Type I: method for UE (user equipment) assisted control plane
When certain application data is present, the UE will report the application ID of the network (e.g., core network) and corresponding filter information to detect the next traffic. Coordination is required between the third party and the UE. To achieve this, some new functions are introduced, such as ETRF (encrypted traffic reporting), ETDF (encrypted traffic detection function), and ETD (encrypted traffic detection).
Type II: method for user plane based on UE assistance
When certain application data appears, the UE will add a token/AppKey in the first user plane packet (user plane packet). Tokens may be added in certain parts, for example, by adding in a TCP header using a new TCP Option, by adding in a TLS header using a new TLS extension type, by adding in a new IPv6 extension header, or in an extension header between the PDCP and IP layers. To implement application ID transmission and token derivation (tokenization), ETDF (encrypted traffic detection function) and third party functions embedded in the UE are introduced. The third party function will provide the network and the UE with a list of application IDs to detect and material related to the token. The UE may derive the token based on token-related material and add it to the user bread for detection by the network.
In the third category: network-based method
The third party will inform the network of the application ID and the corresponding characteristics of the encrypted traffic including IP tuples, SNI, etc., and the network will then install the filter accordingly to perform the encrypted traffic detection.
From an architectural point of view, each of these approaches has its advantages and disadvantages, as shown below.
For type I: method for controlling surface based on UE assistance
The advantages are that:
this approach has no impact on the user plane. The impact is only focused on NAS (non access stratum) signaling and/or rule distribution. For UE implementations, extensions with NAS messages are easy to implement. For the implementation of the network side, since only the enhancement of the control plane NF (network function) is required, the implementation is easy. It is also only applicable to deploy several control plane entities (e.g., SMFs) for ETD functions. In this case, the supported SMFs may be selected using the UE to report specific S-NSSAI (single network slice selection assistance information) and/or DNN (data network name). For coordination with other WGs (workgroup), there is no need for any other WG or SDO (standards organization) to extend the current protocol, and thus the impact can be limited to SA2 (service and system side, workgroup # 2). It does not require an ott (over The top) server to support Rx triggering.
The disadvantages are as follows:
when encrypted traffic occurs, the first few packets may be lost before the filter is properly installed. Furthermore, it requires additional signaling.
For type II: method based on UE assisted user plane.
The advantages are that:
it does not lose any encrypted packets. It does not require an OTT server to support Rx triggering.
The disadvantages are as follows:
for UE implementations, the user bread needs to be extended, but this is difficult for product design. For the implementation on the network side, it needs to deploy features (features) on all UPFs (user plane functions), otherwise the routing path will be restricted. This is a relatively large challenge for UPF, as it must detect tokens that are only added in the first packet or first few packets. Furthermore, it requires the UPF to count the first detected packets into a temporary capacity before installing the filter and then associate the temporary capacity into the capacity of the application ID. For coordination with other WGs, CT4 (core network technology 4) and/or RAN2 (radio access network 2) may be required to extend existing user plane protocols. If free space (free space) defined in other SDOs (e.g., IETF (Internet Engineering Task Force)) is reused, it should be ensured that the free space is not used for other purposes and is large enough.
For type III: method based on network side
The advantages are that:
it does not affect the UE and does not reuse existing functions in large quantities.
The disadvantages are as follows:
for network side implementation, each OTT server needs to be connected to the PCF (policy control function) of the MNO (mobile network operator). This approach is very inflexible and expensive for network side implementation, resulting in a very long TTM (time to market). It is very difficult for roaming situations, e.g. in LBO (local breakout) situations, it is difficult to support outbound roaming. As traffic increases, the amount of network signaling required for interface capacity may expand over and over.
As analyzed above, each method has its own advantages and disadvantages, and one set of these methods can be supported by either the UE or the network. Therefore, in the embodiments of the present invention, it is proposed to introduce a negotiation for a ciphered traffic detection method to avoid mismatch between the UE and the network.
Fig. 2 is a schematic flow chart of a communication method 200 for negotiation between a terminal device and a core network device according to an embodiment of the present application. The terminal device and the core network device may be those described above with reference to fig. 1. As shown in fig. 2, from the perspective of the terminal device, the method 200 includes the following.
S210, the terminal device sends first information to the core network device, where the first information indicates one or more encrypted traffic detection methods supported by the terminal device.
In an embodiment of the present application, the terminal device may send an uplink signaling message including the first information to the core network device. For example, the terminal device includes the first information in an uplink signaling message to be transmitted to the core network device, and then transmits the uplink signaling message to the core network device. Specifically, the terminal device determines an encrypted traffic detection method supported by the terminal device itself, and generates first information. In an example, a terminal device generates first information indicating all methods it supports. In another example, a terminal device generates first information indicating one or more methods supported by the terminal device.
In one embodiment of the present application, the first information indicates at least one of:
(1) whether the terminal device supports a user-equipment-assisted encrypted traffic detection method;
(2) the type of user-equipment-assisted encrypted traffic detection method supported by the terminal device;
(3) the subtype of user-equipment-assisted encrypted traffic detection method supported by the terminal device.
First, item (1) is determined, i.e., whether the terminal device supports any of the type I and type II methods described above. If the terminal device supports either of the type I and type II methods, item (2) is determined in order to determine the type of method supported by the terminal device, e.g., type I, type II, or both. Then, the subtype of the supported method is determined (item (3)). For example, a subtype of the supported method may be any of the following: a control plane based type with detection rules provided by the OTT layer, a control plane based type with detection rules provided by the core network, or a user plane based type in which tokens are added to a specific layer for traffic detection. It can be seen that items (1) to (3) go from the highest level to the lowest. In one embodiment of the application, if the terminal device supports all methods at a specific level, it does not need to report information about the lower level in the first information. For example, if the terminal device supports all control plane based methods but no other types, it reports in the first information only that the terminal device supports the control plane based method (level 2).
In one embodiment of the application, the first information further indicates a priority of one or more methods supported by the terminal device. The priority may be determined by the terminal device and represents a preference order in which the terminal device uses the respective methods.
The uplink signaling message may be any signaling message from the terminal device to the core network device, which may be a network functional entity in a network such as the core network 130 shown in fig. 1. In some embodiments of the application, the terminal device includes the first information in an uplink signaling message to be sent to the core network device (e.g. in the first uplink signaling message, as a NAS message) during at least one of the following procedures: a registration procedure of the terminal device; an attach procedure of the terminal device; a PDU session establishment procedure; or a PDU session modification procedure.
For example, during a registration or attach procedure of a terminal device, the terminal device first sends a registration or attach request to a core network device. In this case, the terminal device may include the first information in the registration or attach request and transmit the registration or attach request including the first information to the core network device. Similarly, during a PDU session setup or modification procedure, the terminal device may include the first information in a PDU session setup or modification request and send the PDU session setup or modification request including the first information to the core network device.
S230, the terminal device receives second information from the core network device, the second information indicating an encrypted traffic detection method to be used in communication with the terminal device.
The core network device may determine an encrypted traffic detection method to be used based on the first information (S220). For example, the core network device selects an encrypted traffic detection method to be used from one or more methods indicated in the first information. In one example, the method to be used is a method. In another example, the method to be used is two or more methods, such as a prioritized list of methods. Details of determining a method to be used will be described later in the communication method from the perspective of the core network device.
In one embodiment of the application, the terminal device receives second information from the core network device, the second information being included in a downlink signaling message sent from the core network device to the terminal device. The downlink signaling message may be any signaling message sent from the core network device to the terminal device, in particular a downlink signaling message sent as a response to the uplink message comprising the first information. For example, the terminal device receives a downlink signaling message including the second information from the core network device during at least one of the following procedures: a registration procedure of the terminal device; an attach procedure of the terminal device; a PDU session establishment procedure; or a PDU session modification procedure.
Figs. 3 and 4 show examples of the communication method during the four procedures described above. Fig. 3 shows a terminal device registration or attach procedure and fig. 4 shows a PDU session establishment or modification procedure initiated by the terminal device. It should be noted that each of figs. 3 and 4 only shows those steps of the procedure that relate to an embodiment of the negotiation between a terminal device and a core network device according to the present application, rather than a complete registration/attach procedure or a complete PDU session establishment/modification procedure.
As shown in fig. 3, the first information is included in the registration or attach request and is transmitted from the terminal device to the core network device (S310). The registration may refer to an initial registration of the terminal device or a registration due to a location update. As known from e.g. 3GPP (third generation partnership project), when a terminal device registers or attaches to the core network with a registration or attach request, a registration or attach response is sent from the core network side to the terminal device. In some embodiments of the present application, the terminal device receives the second information by receiving a registration or attach response including the second information sent from the core network device (S320). In this way, a negotiation regarding the use of the encrypted traffic detection method is achieved during the registration/attachment procedure between the terminal device and the core network side.
Similarly, as shown in fig. 4, the first information is included in the PDU session setup or modification request and is transmitted from the terminal device to the core network device (S410). Similarly, during the PDU session setup/modification procedure, a PDU session setup/modification response to the PDU session setup/modification request is sent from the core network side to the terminal device. In some embodiments of the present application, the terminal device receives the second information by receiving a PDU session setup/modification response including the second information, which is transmitted from the core network device (S420). In this way, a negotiation regarding the use of the ciphered traffic detection method is achieved during the PDU session setup/modification procedure between the terminal device and the core network side.
S240, the terminal device performs processing according to the encrypted traffic detection method to be used.
Returning to fig. 2, the terminal device, after receiving second information indicating an encrypted traffic detection method to be used in communication between the terminal device and the core network side, performs processing according to the method determined to be used. For example, if the method to be used is a control plane-based method, the terminal device reports an application ID and corresponding filter information to the network side. For another example, if the method to be used is a user plane-based method, the terminal device adds the token/AppKey to the first user plane packet sent to the core network side. Accordingly, the core network side performs encrypted traffic detection according to the method to be used.
As described above, the second information may indicate more than one method to be used. In particular, the second information may also indicate a priority of the methods to be used, which may be determined by the core network device and represents a preference of the core network device. In this case, after receiving the second information, the terminal device may select one of the methods indicated in the second information as the final method to be used, and perform processing according to the final method to be used, as described above. In one example, the terminal device may select any of the indicated methods as the final method to be used. In another example, the terminal device may select the final method based on the priority of the methods indicated in the second information and/or the priority of the methods supported by the terminal device. For example, the terminal device may select the method with the highest priority.
In one embodiment of the application, if the terminal device does not support any UE-assisted encrypted traffic detection method, this is indicated in the first information, or no information about the methods supported by the terminal device is reported. For example, during the procedures described above, if the core network device receives first information indicating that the terminal device does not support any UE-assisted method, or receives no information about the methods supported by the terminal device, the core network device determines that the terminal device does not support any UE-assisted method, and may detect encrypted traffic using a network-side based method (type III). Similarly, if the terminal device does not receive second information from the core network device indicating a method to be used, or receives second information indicating that a network-side based method is determined to be used, the terminal device will not apply any UE-assisted encrypted traffic detection method to its communication with the core network.
The above description is from the perspective of the terminal device. An embodiment of the communication method according to the present application will be described below from the perspective of the core network side with reference to fig. 2. In this case, the communication method includes the following steps.
S210, the core network device receives, from the terminal device, first information indicating one or more encrypted traffic detection methods supported by the terminal device.
This receiving step of the core network device corresponds to the sending step of the terminal device at S210, as described above from the perspective of the terminal device. As described above, the first information may be included in an uplink signaling message sent from the terminal device to the core network device. For example, the core network device receives a first uplink signaling message including the first information from the terminal device during at least one of the following procedures: a registration procedure of the terminal device; an attach procedure of the terminal device; a PDU (protocol data unit) session establishment procedure; or a PDU session modification procedure. More specifically, the core network device receives a registration/attach request including the first information from the terminal device during a registration/attach procedure, or receives a PDU session setup/modification request including the first information from the terminal device during a PDU session setup/modification procedure.
At S220, the core network device determines an encrypted traffic detection method to be used in communication with the terminal device based on the first information.
In one embodiment of the present application, after receiving and acquiring the first information, the core network device compares the one or more methods indicated in the first information with the one or more methods supported by the core network device, and selects, from the methods indicated in the first information, a method that matches one of the methods supported by the core network device as the encrypted traffic detection method to be used. In an example, information about the methods supported by the core network device is stored in, for example, a UDM (unified data management) entity, and may be the same or different for different terminal devices. In this case, upon receiving the first information, the core network device compares the methods indicated in the corresponding information stored in the UDM with those indicated in the first information, and determines the methods supported by both the terminal device and the core network device. If there is only one matching method, the core network device determines that method as the method to be used. If there is more than one matching method, the core network device selects one of them. For example, the core network device may select one of the matching methods based on the priorities of the matching methods, e.g., the matching method with the highest priority. The priority may refer to the priority of a method supported by the terminal device, which may be indicated in the first information as described above. Alternatively, the priority may refer to the priority of the methods supported by the core network device. For example, the information about the methods supported by the core network device may indicate priorities for those methods, which may be determined by the core network device and represent the preference of the core network device for using the respective methods.
Alternatively, the core network device may select a method to be used from the matched methods based on the respective two priorities of the terminal device and the core network device.
Alternatively, the core network device selects more than one method to use and returns them to the terminal device in the second information. In particular, the second information indicates the priority of the methods to be used. As described above, the terminal can select one of these methods as the final method to be used.
In one embodiment of the application, the core network device does not determine any method as the method to be used if the comparison result indicates that none of the methods indicated in the first information match those supported by the core network device.
At S230, the core network device transmits second information indicating the encrypted traffic detection method to be used to the terminal device.
This transmitting step of the core network device corresponds to the receiving step of the terminal device at S230 described above from the perspective of the terminal device. The core network device may include the second information in a downlink signaling message to be transmitted to the terminal device and transmit the downlink signaling message to the terminal device.
As mentioned in the description from the point of view of the terminal device, the downlink signaling message may be any of the signaling messages sent from the core network device to the terminal device, in particular the downlink signaling message sent as a response to the uplink message comprising the first information. For example, the core network device sends a downlink signaling message including the second information during at least one of the following procedures: a registration procedure of the terminal device; an attach procedure of the terminal device; a PDU session establishment procedure; or a PDU session modification procedure. Referring to figs. 3 and 4, as an example, the core network device may include the second information in the registration/attach response during the registration/attach procedure, or in the PDU session setup/modification response during the PDU session setup/modification procedure.
In addition, the core network device may perform processing according to the method to be used (S240). As described above, for example, the core network side performs encrypted traffic detection according to the method to be used.
For other relevant details of the method described from the perspective of the core network device, please refer to the description from the perspective of the terminal device, and for brevity, the details are not repeated herein.
It should be noted that the term "core network device" may refer to one or more communication devices in the core network, and each step performed by the core network device may be performed by one or more of the one or more communication devices corresponding to the core network device, either alone or in combination. For example, in a 5G network, the core network device referred to in this application may correspond to one or more network functional entities. As an example, the core network device may refer to an AMF entity, in which case the AMF entity may perform each of the steps S210-S230 to implement the embodiments of the communication method described above. As another example, the core network device may refer to both the AMF entity and the PCF entity, in which case the PCF entity may determine the method to be used at S220 and send the second information to the AMF entity, which then forwards the second information to the terminal device, e.g. by including the second information in a downlink signaling message and sending the downlink signaling message to the terminal device.
As can be seen from the above description, by transmitting information on methods supported by the terminal device to the core network device, the core network device determining a method to be used based on the information, and notifying the terminal device of the determined method to be used, negotiation for use of the encrypted traffic detection method between the terminal device and the core network device can be achieved, whereby mismatching of method use can be avoided.
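The following is an added worked model of the negotiation just described (the hierarchical first information of items (1) to (3) and priorities, the core network's matching and priority-based selection at S220, and the terminal's choice of a final method at S240); it is not code from the patent, and the method identifiers, the level encoding and the sample capability sets are constructed for illustration.

```python
"""Added worked model of the method-200 negotiation (S210-S240): the terminal
reports supported UE-assisted methods (support flag / type / subtype, with
optional priorities), the core network intersects them with its own set,
ranks the matches and returns the method(s) to use, and the terminal picks
a final one. Method ids, the level encoding and the sample capability sets
are constructed for illustration, not the patent's encoding or 3GPP syntax."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed labels for the three method types in the description.
TYPE_CP = "control_plane"    # Type I: UE-assisted, control-plane based
TYPE_UP = "user_plane"       # Type II: UE-assisted, user-plane based
TYPE_NET = "network_based"   # Type III: no UE assistance

# Subtypes named in the description, as constructed labels.
SUBTYPES: Dict[str, Set[str]] = {
    TYPE_CP: {"cp_ott_rules", "cp_cn_rules"},  # rules from OTT layer / core network
    TYPE_UP: {"up_tcp_option", "up_tls_ext", "up_ipv6_ext_hdr", "up_pdcp_ip_ext"},
}


@dataclass
class FirstInformation:
    """UE -> core network capability report.
    ue_assisted: item (1). types: items (2)/(3), type -> subtypes, where an
    empty subtype set means 'all subtypes of this type' (lower level not
    reported). priorities: method ids, most preferred first (optional)."""
    ue_assisted: bool
    types: Dict[str, Set[str]] = field(default_factory=dict)
    priorities: List[str] = field(default_factory=list)


def expand(types: Dict[str, Set[str]]) -> Set[str]:
    """Expand the hierarchical report into concrete 'type/subtype' ids."""
    methods: Set[str] = set()
    for t, subs in types.items():
        for s in (subs or SUBTYPES.get(t, set())):
            methods.add(f"{t}/{s}")
    return methods


def rank(method: str, priorities: List[str]) -> int:
    """Position in a preference list; methods not listed sort last."""
    return priorities.index(method) if method in priorities else len(priorities)


def select_methods(first_info: Optional[FirstInformation],
                   cn_supported: Set[str], cn_priorities: List[str],
                   return_all: bool = False) -> List[str]:
    """Core network step S220: build the second information.
    Matches are ordered by the core network's priority first and the
    terminal's reported priority second; one method is returned, or all
    matches in order when return_all is set. An empty list means no
    UE-assisted method matched (missing/negative first information or no
    overlap), so the network-side method (Type III) is used instead."""
    if first_info is None or not first_info.ue_assisted:
        return []
    matched = expand(first_info.types) & cn_supported
    if not matched:
        return []
    ordered = sorted(matched, key=lambda m: (rank(m, cn_priorities),
                                             rank(m, first_info.priorities), m))
    return ordered if return_all else ordered[:1]


def terminal_final_method(second_info: List[str], ue_priorities: List[str],
                          prefer_own: bool = False) -> str:
    """Terminal step S240: choose the final method from the second information.
    Default: the highest-priority method as ranked by the core network;
    prefer_own: the terminal's own preference decides among the offered
    methods. No offered method: the terminal applies no UE-assisted method."""
    if not second_info:
        return TYPE_NET
    if prefer_own:
        return min(second_info, key=lambda m: (rank(m, ue_priorities),
                                               second_info.index(m)))
    return second_info[0]


if __name__ == "__main__":
    # Constructed sample: the UE supports every control-plane subtype and only
    # the TLS-extension user-plane subtype, and prefers the latter.
    ue = FirstInformation(True, {TYPE_CP: set(), TYPE_UP: {"up_tls_ext"}},
                          ["user_plane/up_tls_ext", "control_plane/cp_cn_rules"])
    # Constructed core network capability set (e.g. as stored in UDM).
    cn_supported = {"control_plane/cp_cn_rules", "control_plane/cp_ott_rules",
                    "user_plane/up_tcp_option"}
    cn_priorities = ["control_plane/cp_ott_rules", "control_plane/cp_cn_rules"]
    second = select_methods(ue, cn_supported, cn_priorities, return_all=True)
    print("second information:", second)
    print("final (network ranking):", terminal_final_method(second, ue.priorities))
    print("final (UE preference):", terminal_final_method(second, ue.priorities, True))
    no_match = select_methods(FirstInformation(True, {TYPE_UP: {"up_tls_ext"}}),
                              cn_supported, cn_priorities)
    print("no overlap -> fallback:", terminal_final_method(no_match, ue.priorities))
```

In the sample the UE's preferred user-plane subtype is not supported by the core network, so the two control-plane subtypes match and the core network's own ranking decides unless the terminal is allowed to apply its own preference.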
Fig. 5 is a schematic flow chart diagram of a communication method 500 for negotiation between a terminal device and a core network device according to another embodiment of the present application. The terminal device and the core network device may be those described above.
The communication method 500 will be described below from the perspective of the core network device.
At S510, the core network device transmits, to the terminal device, first information indicating one or more encrypted traffic detection methods determined by the core network device as candidate methods for the encrypted traffic detection method to be used in communication with the terminal device.
In an embodiment of the present application, the core network device may send a downlink signaling message including the first information to the terminal device. For example, the core network device includes the first information in a downlink signaling message to be transmitted to the terminal device, and then transmits the downlink signaling message to the terminal device. Specifically, the core network device determines the encrypted traffic detection methods supported by the core network device itself, and generates the first information. In an example, information about the methods supported by the core network device is stored in, for example, a UDM (unified data management) entity, and may be the same or different for different terminal devices. In one example, the core network device generates first information indicating all the methods it supports. That is, all the methods supported by the core network device are determined as candidates for the encrypted traffic detection method to be used in communication with the terminal device. In another example, the core network device generates first information indicating one or more of the methods it supports. That is, the core network device determines one or some of the supported methods as candidate methods for the encrypted traffic detection method to be used in communication with the terminal device.
In one embodiment of the present application, the first information indicates at least one of:
(1) whether the core network device supports a user-equipment-assisted encrypted traffic detection method;
(2) a type of user-equipment-assisted encrypted traffic detection method supported by the core network device;
(3) a subtype of user-equipment-assisted encrypted traffic detection method supported by the core network device.
First, item (1) is determined, i.e., whether the core network device supports any of the type I and type II methods described above. If the core network device supports either of the type I and type II methods, item (2) is determined in order to establish the type of method supported by the core network device, e.g., type I or type II or both. Then the subtype of the supported method is determined (item (3)). For example, a subtype of the supported method may be any of the following: a control plane based type with OTT layer provided detection rules, a control plane based type with core network provided detection rules, or a user plane based type in which tokens can be added at a specific layer for traffic detection. It can be seen that items (1) to (3) proceed from the highest level to the lowest, i.e., from coarse to fine. In one embodiment of the present application, if the core network device supports all methods at a specific level, the core network device does not need to report information about the lower level in the first information. For example, if the core network device supports all control plane based methods but no other types, it reports in the first information only that the core network device supports the control plane based method (level 2).
In one embodiment of the application, the first information further indicates a priority of one or more methods supported by the core network device. The priority may be determined by the core network device and represents an order of preference of the core network device to use the respective method.
The downlink signaling message may be any signaling message from the core network device to the terminal device. For example, the core network device includes the first information in a UCU (UE configuration update) request to be transmitted to the terminal device during a UCU procedure.
At S530, the core network device receives second information from the terminal device, the second information indicating an encrypted traffic detection method to be used in communication with the terminal device, which is determined by the terminal device based on the first information.
The terminal device may determine an encrypted traffic detection method to be used based on the first information (S520). For example, the terminal device selects a method of encrypted traffic detection to be used from the candidate methods indicated in the first information. In one example, the method to be used is a single method. In another example, the method to be used is two or more methods, such as a list of methods ordered by priority. Details of determining the method to be used will be described later in the communication method from the perspective of the terminal device.
In one embodiment of the present application, the core network device receives second information from the terminal device, where the second information is included in an uplink signaling message sent from the terminal device to the core network device. The uplink signaling message may be any signaling message sent from the terminal device to the core network device, in particular an uplink signaling message sent as a response to the downlink message including the first information. As described above, the core network device may include the first information in a UCU (UE configuration update) request and transmit it to the terminal device during the UCU procedure. In this case, the core network device receives an acknowledgement message for the UCU request from the terminal device during the UCU procedure, the acknowledgement message including the second information. In this way, by passing the first and second information between the core network device and the terminal device, a negotiation on the use of the encrypted traffic detection method can be achieved during the UCU procedure.
At S540, the core network device performs processing according to the encrypted traffic detection method to be used.
After receiving second information indicating an encrypted traffic detection method to be used in communication between the terminal device and the core network side, the core network device performs processing according to the method determined to be used. For example, the core network device performs encrypted traffic detection according to the method to be used. Accordingly, the terminal device also performs processing according to the method to be used. For example, if the method to be used is a control plane based method, the terminal device reports the application ID and the corresponding filter information to the network side. For another example, if the method to be used is a user plane based method, the terminal device adds the token/AppKey to the first user plane packet sent to the core network side.
As described above, the second information may indicate more than one method to be used. For example, the method to be used indicated in the second information is a prioritized list of one or more methods to be used. The priority of these methods may be determined by the terminal device and represents the terminal device's preference. In this case, after receiving the second information, the core network device may select one of the methods indicated in the second information as the final method to be used, and perform processing according to the final method to be used, as described above. In one example, the core network device may select the final method to be used at its own discretion. In another example, the core network device may select the final method based on the priority of the methods indicated in the second information and/or the priority of the methods supported by the core network device. For example, the core network device may select the method with the highest priority.
In one embodiment of the application, if the core network device does not support any UE-assisted encrypted traffic detection method, this is indicated in the first information, or no information about the methods supported by the core network device is reported. For example, in the UCU procedure, if the terminal device receives first information indicating that the core network device does not support any UE-assisted method, or receives no information on the methods supported by the core network device, the terminal device determines that the core network device does not support any UE-assisted method, and encrypted traffic may be detected using a network-side based method (type III). Similarly, if the core network device does not receive second information from the terminal device indicating the method to be used, the core network device will not apply any UE-assisted encrypted traffic detection method to the communication with the terminal device.
The above description is from the perspective of a core network device. An embodiment of a communication method according to the present application will be described below from the perspective of the terminal device side with reference to fig. 5. In this case, the communication method includes the following steps.
At S510, the terminal device receives, from the core network device, first information indicating one or more encrypted traffic detection methods determined by the core network device as candidate methods for the encrypted traffic detection method to be used in communication with the terminal device.
This receiving step of the terminal device corresponds to the transmitting step of the core network device at S510 as described above from the perspective of the core network device. As described above, the first information may be included in a downlink signaling message sent from the core network device to the terminal device. For example, the terminal device receives a UCU request including the first information during a UCU procedure.
At S520, the terminal device determines an encrypted traffic detection method to be used in communication with the terminal device based on the first information.
In one embodiment of the application, after the terminal device receives and acquires the first information, the one or more methods indicated in the first information are compared with the one or more methods supported by the terminal device, and one method matching one of the methods supported by the terminal device is selected from the methods indicated in the first information as the encrypted traffic detection method to be used. In one embodiment of the application, after the terminal device receives and acquires the first information, the methods supported by the terminal device are compared with those indicated in the first information, and the methods supported by both the terminal device and the core network device are determined. If only one method matches, the terminal device determines that method as the method to be used. If more than one method matches, the terminal device selects one of the matching methods. For example, the terminal device may select one of the matching methods based on the priorities of the matching methods, e.g., the matching method with the highest priority. The priority may refer to the priority of a method supported by the core network device, which may be indicated in the first information, as described above. Alternatively, the priority may refer to the priority of the methods supported by the terminal device. For example, the information about the methods supported by the terminal device may indicate priorities of those methods, which may be determined by the terminal device and indicate the terminal device's preference for using the respective methods. Alternatively, the terminal device may select a method to be used from the matching methods based on both priorities, that of the terminal device and that of the core network device.
Alternatively, the terminal device selects more than one method to use and returns them to the core network device in the second information. In particular, the second information indicates the priority of the methods to be used. As described above, the core network device may select one of these methods as the final method to be used.
In one embodiment of the application, the terminal device does not determine any method as the method to be used if the comparison result indicates that none of the methods indicated in the first information match those supported by the terminal device.
At S530, the terminal device transmits second information indicating the encrypted traffic detection method to be used to the core network device.
This transmitting step of the terminal device corresponds to the receiving step of the core network device at S530 as described above from the perspective of the core network device. The terminal device may include the second information in an uplink signaling message to be transmitted to the core network device and transmit the uplink signaling message to the core network device.
As mentioned in the description from the perspective of the core network device, the uplink signaling message may be any of the signaling messages sent from the terminal device to the core network device, in particular the uplink signaling message as a response to the downlink message comprising the first information. As mentioned, the core network device may include the first information in the UCU request during the UCU procedure. Accordingly, the terminal device includes the second information in an acknowledgement message for the UCU request and transmits the acknowledgement message to the core network device during the UCU procedure.
Additionally, at S540, the terminal device may perform processing according to the method to be used. For example, as described above, if the method to be used is a control plane based method, the terminal device reports the application ID and the corresponding filter information to the network side, or if the method to be used is a user plane based method, the terminal device adds the token/AppKey to the first user plane packet sent to the core network side.
For other relevant details of the method described from the perspective of the terminal device, please refer to the description from the perspective of the core network device, and for brevity, the details are not repeated herein.
It should be noted that the term "core network device" may refer to one or more communication devices in the core network, and each step performed by the core network device may be performed by one or more of the communication devices corresponding to the core network device, either alone or in combination. For example, in a 5G network, the core network device referred to in this application may correspond to one or more network function entities. As an example, the core network device may refer to an AMF entity, in which case the AMF entity may perform each of S510 and S530 to implement the embodiments of the communication method described above. As another example, the core network device may refer to both the AMF entity and the PCF entity, in which case the PCF entity may determine the candidate methods for the method to be used and send the first information to the AMF entity, which then forwards the first information to the terminal device, e.g. by including the first information in a downlink signaling message and sending the downlink signaling message to the terminal device.
As can be seen from the above description, by transmitting information on a candidate method for an encrypted traffic detection method to be used to a terminal device, the terminal device determining a method to be used based on the information, and notifying the core network device of the determined method to be used, negotiation for use of the encrypted traffic detection method between the terminal device and the core network device can be achieved, whereby mismatching of method use can be avoided.
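The negotiation described above from both perspectives (the hierarchical first information of items (1) to (3), the terminal-side matching and priority selection at S520, the second information carried in the UCU acknowledgement, and the core-side choice of a final method at S540) is modelled below as an added example. It is not code from the patent or from the applicant; the method identifiers, the message field names and the rule for expanding a type reported without subtypes into all of its subtypes are assumptions chosen for the example.

```python
"""Model of the method-500 negotiation between a terminal device (UE) and
a core network device.  Added example; identifiers and field names are
assumptions, not the patent's own definitions."""
from dataclasses import dataclass, field

# Hypothetical method catalogue built from the subtypes the description
# lists: two control plane (type I) subtypes and one user plane (type II).
TYPES = {
    "control_plane": ["cp_ott_rules", "cp_cn_rules"],   # type I subtypes
    "user_plane": ["up_token"],                         # type II subtype
}
NETWORK_SIDE_FALLBACK = "network_side_type_iii"  # type III, no UE assistance


def expand_first_information(first_info):
    """Turn hierarchical first information (items (1)-(3)) into the concrete
    candidate subtypes.  A type listed without subtypes means the core
    network supports every subtype of that type, so the lower level was
    not reported (assumed interpretation of the level rule)."""
    if not first_info.get("ue_assisted", False):
        return []
    candidates = list(first_info.get("subtypes", []))
    for t in first_info.get("types", []):
        for sub in TYPES[t]:
            if sub not in candidates:
                candidates.append(sub)
    return candidates


def terminal_select(first_info, ue_supported):
    """Terminal side (S520): intersect the candidates with the UE's own
    supported methods (ordered by UE preference) and return the second
    information as a priority-ordered list.  None means nothing matched,
    so no method is determined and no second information is sent."""
    candidates = expand_first_information(first_info)
    matches = [m for m in candidates if m in ue_supported]
    if not matches:
        return None
    core_rank = {m: i for i, m in enumerate(first_info.get("priority", []))}
    # Core network priority decides first; UE preference breaks ties
    matches.sort(key=lambda m: (core_rank.get(m, len(core_rank)),
                                ue_supported.index(m)))
    return matches


def core_select_final(second_info, core_priority):
    """Core side (S540): pick the final method from the UE's prioritised
    list, preferring the core network's own ordering when it has one."""
    for m in core_priority:
        if m in second_info:
            return m
    return second_info[0]


@dataclass
class NegotiationResult:
    ucu_request: dict
    ucu_ack: dict
    final_method: str
    transcript: list = field(default_factory=list)


def negotiate(first_info, ue_supported):
    """Run the UCU-based exchange: first information in the UCU request,
    second information in the UCU acknowledgement."""
    ucu_request = {"msg": "UCU_REQUEST", "first_information": first_info}
    second_info = terminal_select(first_info, ue_supported)
    ucu_ack = {"msg": "UCU_ACK"}
    if second_info is None:
        # No second information: the core applies no UE-assisted method and
        # detection falls back to the network-side (type III) approach.
        final = NETWORK_SIDE_FALLBACK
    else:
        ucu_ack["second_information"] = second_info
        final = core_select_final(second_info, first_info.get("priority", []))
    return NegotiationResult(ucu_request, ucu_ack, final,
                             [("CN->UE", ucu_request), ("UE->CN", ucu_ack)])


if __name__ == "__main__":
    # Constructed sample: the core supports all control plane methods (no
    # subtypes reported for that type) plus the user plane token, and
    # prefers the token; the UE prefers OTT-provided rules.
    core = {"ue_assisted": True, "types": ["control_plane"],
            "subtypes": ["up_token"], "priority": ["up_token", "cp_cn_rules"]}
    for side, msg in negotiate(core, ["cp_ott_rules", "up_token"]).transcript:
        print(side, msg)
```

In the sample the UE's matches are the token and the OTT-rules subtype; because the core stated a priority, the token is listed first in the second information and the core confirms it as the final method. With no core priority the UE's own ordering decides, and when nothing matches the acknowledgement carries no second information at all, which is the mismatch case the negotiation is meant to surface rather than silently run different methods on the two sides.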
Fig. 6 is a schematic block diagram of a terminal device 600 according to an embodiment of the present application. As shown in fig. 6, the terminal device 600 includes:
a sending unit 610 configured to send first information indicating one or more encrypted traffic detection methods supported by the terminal device to the core network device;
a receiving unit 620 configured to receive, from the core network device, second information indicating an encrypted traffic detection method to be used in communication with the terminal device, which is determined by the core network device based on the first information;
a processing unit 630 configured to cause the terminal device to perform the encrypted traffic detection method to be used.
In an example, the sending unit 610 is configured to:
including the first information in an uplink signaling message to be sent to the core network device;
and sending an uplink signaling message including the first information to the core network equipment.
In an example, the sending unit 610 is configured to:
include the first information in an uplink signaling message to be sent to the core network device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
In one example, in a case where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during a registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
In one example, in case the terminal device includes the first information in an uplink signaling message to be sent to the core network device during an attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
In one example, where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during a PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
In one example, where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during a PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
In an example, the receiving unit 620 is configured to:
receiving a downlink signaling message including the second information from the core network device.
In one example, the receiving unit 620 is configured to:
receive a downlink signaling message including the second information from the core network device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
In one example, in case a downlink signaling message comprising the second information is received from the core network device during the registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
In one example, in case a downlink signaling message comprising the second information is received from the core network device during the attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
In one example, in case a downlink signaling message including the second information is received from the core network device during a PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure to be sent from the core network device to the terminal device.
In one example, in case a downlink signaling message including the second information is received from the core network device during a PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
It should be understood that the terminal device 600 may correspond to the terminal device in the embodiment of the method 200, and may implement the corresponding function of the terminal device, and for brevity, will not be described herein again.
Fig. 7 is a schematic block diagram of a core network device 700 according to an embodiment of the present application. As shown in fig. 7, the core network device 700 includes:
a receiving unit 710 configured to receive, from a terminal device, first information indicating one or more encrypted traffic detection methods supported by the terminal device;
a processing unit 720 configured to determine an encrypted traffic detection method to be used in communication with the terminal device based on the first information;
a transmitting unit 730 configured to transmit second information indicating an encrypted traffic detection method to be used to the terminal device.
In an example, the receiving unit 710 is configured to:
receive an uplink signaling message including the first information sent from the terminal device.
In an example, the receiving unit 710 is configured to:
receive an uplink signaling message including the first information sent from the terminal device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
In one example, in a case where an uplink signaling message including the first information transmitted from the terminal device is received during a registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be transmitted from the terminal device to the core network device.
In one example, in a case where the core network device receives an uplink signaling message including the first information sent from the terminal device during an attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
In one example, in the case where an uplink signaling message including the first information sent from the terminal device is received during a PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
In one example, where an uplink signaling message including the first information sent from the terminal device is received during a PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
In an example, the transmitting unit 730 is configured to:
include the second information in a downlink signaling message to be sent to the terminal device;
send the downlink signaling message including the second information to the terminal device.
In an example, the transmitting unit 730 is configured to:
include the second information in a downlink signaling message to be sent to the terminal device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
In one example, in the case where the second information is included in a downlink signaling message to be sent to the terminal device during a registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
In one example, in case the second information is included in a downlink signaling message to be sent from the core network device to the terminal device during an attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
In one example, where the second information is included in a downlink signaling message to be sent to the terminal device during a PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure to be sent from the core network device to the terminal device.
In one example, where the second information is included in a downlink signaling message to be sent to the terminal device during a PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
In an example, the processing unit 720 is configured to:
match the one or more methods indicated in the first information against the one or more methods supported by the core network device;
select, from the one or more methods indicated in the first information, at least one method matching one of the one or more methods supported by the core network device as the encrypted traffic detection method to be used.
In an example, the processing unit 720 is further configured to:
cause the core network device to perform the encrypted traffic detection method to be used.
It should be understood that the core network device 700 may correspond to the core network device in the embodiment of the method 200 and may implement the corresponding functions of the core network device, and for brevity, will not be described again here.
Fig. 8 is a schematic block diagram of a terminal device 800 according to another embodiment of the present application. As shown in fig. 8, the terminal apparatus 800 includes:
a receiving unit 810 configured to receive, from a core network device, first information indicating one or more encrypted traffic detection methods determined by the core network device as candidate methods for an encrypted traffic detection method to be used in communication with a terminal device;
a processing unit 820 configured to determine an encrypted traffic detection method to be used in communication with the terminal device based on the first information;
a transmitting unit 830 configured to transmit second information indicating an encrypted traffic detection method to be used to the core network device.
In an example, the receiving unit 810 is configured to:
receive a downlink signaling message including the first information sent from the core network device.
In an example, the receiving unit 810 is configured to:
receive a UE configuration update request including the first information sent from the core network device during a UE configuration update procedure.
In one example, the processing unit 820 is configured to:
match the one or more encrypted traffic detection methods indicated in the first information against the one or more encrypted traffic detection methods supported by the terminal device;
select, from the one or more encrypted traffic detection methods indicated in the first information, at least one method matching one of the one or more encrypted traffic detection methods supported by the terminal device as the encrypted traffic detection method to be used.
In an example, the transmitting unit 830 is configured to:
include the second information in an uplink signaling message to be sent to the core network device;
send the uplink signaling message to the core network device.
In an example, the transmitting unit 830 is configured to:
include the second information in an acknowledgement message for the UE configuration update request during the UE configuration update procedure.
It should be understood that the terminal device 800 may correspond to the terminal device in the embodiment of the method 500, and may implement the corresponding functions of the terminal device, and for brevity, will not be described herein again.
Fig. 9 is a schematic block diagram of a core network device 900 according to another embodiment of the present application. As shown in fig. 9, the core network device 900 includes:
a transmitting unit 910 configured to transmit first information indicating one or more encrypted traffic detection methods determined by a core network device as candidate methods of encrypted traffic detection methods to be used in communication with a terminal device, to the terminal device;
a receiving unit 920 configured to receive, from the terminal device, second information indicating an encrypted traffic detection method to be used in communication with the terminal device, which is determined by the terminal device based on the first information;
a processing unit 930 configured to cause the core network device to perform the encrypted traffic detection method to be used.
In an example, the transmitting unit 910 is configured to:
include the first information in a downlink signaling message to be sent to the terminal device;
send the downlink signaling message including the first information to the terminal device.
In an example, the transmitting unit 910 is configured to:
include the first information in a UE configuration update request to be sent to the terminal device during a UE configuration update procedure,
wherein the receiving unit 920 is configured to:
receive an acknowledgement message for the UE configuration update request from the terminal device, the acknowledgement message including the second information.
It should be understood that the core network device 900 may correspond to the core network device in the embodiment of the method 500 and may implement the corresponding functions of the core network device, and for brevity, will not be described again here.
Fig. 10 is a schematic block diagram of a terminal device 1000 according to an embodiment of the present application. As shown in fig. 10, the terminal device 1000 comprises a transceiver 1010 and a processor 1020, wherein the processor 1020 is configured to perform any of the embodiments of the communication method 200 or any of the embodiments of the communication method 500 based on the transceiver 1010.
It should be understood that the terminal device 1000 may correspond to the terminal device in the embodiments of the method 200 or 500, and may implement the corresponding functions of the terminal device, and for brevity, the description is not repeated here.
Fig. 11 is a schematic block diagram of a core network device 1100 according to an embodiment of the present application. As shown in fig. 11, the core network device 1100 includes a transceiver 1110 and a processor 1120, wherein the processor 1120 is configured to perform any of the embodiments of the communication method 200 or any of the embodiments of the communication method 500 based on the transceiver 1110.
It should be understood that the core network device 1100 may correspond to the core network device in the embodiments of the methods 200 or 500 and may implement the corresponding functions of the core network device, and for brevity, will not be described again here.
Fig. 12 is a schematic block diagram of a system on chip (SoC) according to an embodiment of the present application. The SoC 1200 includes a processor 1210 and a memory 1220, wherein the processor 1210 and the memory 1220 are connected via a bus 1230 and the processor 1210 is configured to execute code in the memory 1220. In an example, the SoC 1200 may further include an input interface 1240 and an output interface 1250, as shown in fig. 12.
In one example, when executing the code, processor 1210 implements any of the embodiments of the communication method 200 or 500 in the method embodiment implemented by the terminal device, which are not described herein again for the sake of brevity.
In one example, when executing the code, the processor 1210 implements any of the embodiments of the communication method 200 or 500 in the method embodiment implemented by the core network device, and for brevity, will not be described again here.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present disclosure, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
If the functional units are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the part of the technical solutions of the present application that contributes in essence to the prior art, or a part of those solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods according to the embodiments of the present application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The foregoing description is of specific embodiments of the present application and is not intended to limit the scope of the present application. Any equivalent modifications or substitutions that may occur to those skilled in the art and which are within the scope of the disclosed technology will fall within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope defined by the claims.

Claims (101)

1. A method of communication, comprising:
a terminal device sends, to a core network device, first information indicating one or more encrypted traffic detection methods supported by the terminal device;
the terminal device receives, from the core network device, second information indicating an encrypted traffic detection method to be used in communication with the terminal device, which is determined by the core network device based on the first information; and
the terminal device performs processing according to the encrypted traffic detection method to be used.
2. The method of claim 1, wherein the terminal device sending first information to the core network device indicating one or more encrypted traffic detection methods supported by the terminal device comprises:
the terminal device includes the first information in an uplink signaling message to be sent to the core network device; and
the terminal device sends the uplink signaling message including the first information to the core network device.
3. The method of claim 2, wherein the terminal device including the first information in an uplink signaling message to be sent to the core network device comprises:
the terminal device includes the first information in an uplink signaling message to be sent to the core network device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
4. The method of claim 2 or 3, wherein, in a case where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during a registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
5. The method of claim 2 or 3, wherein, in a case where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during an attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
6. The method of claim 2 or 3, wherein, in a case where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during a PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
7. The method of claim 2 or 3, wherein, in a case where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during a PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
8. The method of claim 1, wherein the terminal device receiving second information from a core network device indicating an encrypted traffic detection method to be used in communication with the terminal device comprises:
the terminal device receives a downlink signaling message including the second information from the core network device.
9. The method of claim 8, wherein the terminal device receiving a downlink signaling message including the second information from a core network device comprises:
the terminal device receives a downlink signaling message including the second information from the core network device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
10. The method of claim 8 or 9, wherein, in a case where the terminal device receives a downlink signaling message including the second information from the core network device during a registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
11. The method of claim 8 or 9, wherein, in a case where the terminal device receives a downlink signaling message including the second information from the core network device during an attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
12. The method of claim 8 or 9, wherein, in a case where the terminal device receives a downlink signaling message including the second information from the core network device during a PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure to be sent from the core network device to the terminal device.
13. The method of claim 8 or 9, wherein, in a case where the terminal device receives a downlink signaling message including the second information from the core network device during a PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
14. The method of any of claims 1 to 13, wherein the first information indicates at least one of:
whether the terminal device supports a user-equipment-assisted encrypted traffic detection method;
a type of the user-equipment-assisted encrypted traffic detection method supported by the terminal device;
a subtype of the user-equipment-assisted encrypted traffic detection method supported by the terminal device.
15. The method of any of claims 1-13, wherein the first information indicates a priority of the one or more methods determined by a terminal device.
16. The method according to any of claims 1 to 13, wherein the core network device selects the encrypted traffic detection method to be used from the one or more methods indicated by the first information.
17. The method according to any one of claims 1 to 13, wherein the encrypted traffic detection method to be used indicated in the second information includes a plurality of encrypted traffic detection methods.
18. The method according to any one of claims 1 to 13, wherein in a case where the encrypted traffic detection method to be used indicated in the second information includes a plurality of encrypted traffic detection methods, the terminal device performing processing according to the encrypted traffic detection method to be used includes:
the terminal device selects one of the plurality of methods as an encrypted traffic detection method to be finally used, based on the priorities of the plurality of methods.
19. A method of communication, comprising:
a core network device receives, from a terminal device, first information indicating one or more encrypted traffic detection methods supported by the terminal device;
the core network device determines an encrypted traffic detection method to be used in communication with the terminal device based on the first information;
the core network device transmits second information indicating an encrypted traffic detection method to be used to the terminal device.
20. The method of claim 19, wherein the core network device receiving, from the terminal device, first information indicating one or more encrypted traffic detection methods supported by the terminal device comprises:
the core network device receives an uplink signaling message that is sent from the terminal device and includes the first information.
21. The method of claim 20, wherein the core network device receiving the uplink signaling message including the first information sent from the terminal device comprises:
the core network device receives an uplink signaling message including the first information sent from the terminal device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
22. The method of claim 20 or 21, wherein, in a case where the core network device receives the uplink signaling message including the first information sent from the terminal device during a registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
23. The method of claim 20 or 21, wherein, in a case where the core network device receives the uplink signaling message including the first information sent from the terminal device during an attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
24. The method of claim 20 or 21, wherein, in a case where the core network device receives the uplink signaling message including the first information sent from the terminal device during a PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
25. The method of claim 20 or 21, wherein, in a case where the core network device receives the uplink signaling message including the first information sent from the terminal device during a PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
26. The method of claim 19, wherein the core network device sending second information indicating the encrypted traffic detection method to be used to the terminal device comprises:
the core network device includes the second information in a downlink signaling message to be sent to the terminal device; and
the core network device sends the downlink signaling message including the second information to the terminal device.
27. The method of claim 26, wherein the core network device including the second information in a downlink signaling message to be sent to the terminal device comprises:
the core network device includes the second information in a downlink signaling message to be sent to the terminal device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
28. The method of claim 26 or 27, wherein, in a case where the core network device includes the second information in a downlink signaling message to be sent to the terminal device during a registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
29. The method of claim 26 or 27, wherein, in a case where the core network device includes the second information in a downlink signaling message to be sent to the terminal device during an attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
30. The method of claim 26 or 27, wherein, in a case where the core network device includes the second information in a downlink signaling message to be sent to the terminal device during a PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure to be sent from the core network device to the terminal device.
31. The method of claim 26 or 27, wherein, in a case where the core network device includes the second information in a downlink signaling message to be sent to the terminal device during a PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
32. The method of any of claims 19 to 31, wherein the first information indicates at least one of:
whether the terminal device supports a user-equipment-assisted encrypted traffic detection method;
a type of the user-equipment-assisted encrypted traffic detection method supported by the terminal device;
a subtype of the user-equipment-assisted encrypted traffic detection method supported by the terminal device.
33. The method of any of claims 19 to 31, wherein the first information indicates a priority of the one or more encrypted traffic detection methods determined by a terminal device.
34. The method of any of claims 19 to 31, wherein the core network device determining, based on the first information, the encrypted traffic detection method to be used in communication with the terminal device comprises:
the core network device compares the one or more methods indicated in the first information with one or more methods supported by the core network device;
the core network device selects at least one method matching one of the one or more methods supported by the core network device from the one or more methods indicated in the first information as the encrypted traffic detection method to be used.
35. The method of any of claims 19 to 31, further comprising:
the core network device performs processing according to an encrypted traffic detection method to be used.
36. A method of communication, comprising:
the core network device transmitting, to the terminal device, first information indicating one or more encrypted traffic detection methods determined by the core network device as candidate methods for an encrypted traffic detection method to be used in communication with the terminal device;
the core network device receives, from the terminal device, second information indicating an encrypted traffic detection method to be used in communication with the terminal device, which is determined by the terminal device based on the first information; and
the core network device performs processing according to the encrypted traffic detection method to be used.
37. The method of claim 36, wherein the core network device sending first information indicating one or more encrypted traffic detection methods to the terminal device comprises:
the core network equipment includes the first information in a downlink signaling message to be sent to the terminal equipment;
and the core network equipment sends a downlink signaling message comprising the first information to the terminal equipment.
38. The method of claim 37, wherein the core network device including the first information in a downlink signaling message to be sent to the terminal device comprises:
the core network device includes the first information in a user equipment configuration update request to be sent to the terminal device during a user equipment configuration update procedure;
wherein the core network device receiving, from the terminal device, second information indicating an encrypted traffic detection method to be used in communication with the terminal device includes:
the core network device receives a confirmation message for the user equipment configuration update request from the terminal device, wherein the confirmation message comprises the second information.
39. The method of any of claims 36 to 38, wherein the first information indicates at least one of:
whether the core network device supports a user-equipment-assisted encrypted traffic detection method;
a type of the user-equipment-assisted encrypted traffic detection method supported by the core network device;
a subtype of the user-equipment-assisted encrypted traffic detection method supported by the core network device.
40. The method of any of claims 36 to 38, wherein the first information indicates a priority of the one or more encrypted traffic detection methods determined by a core network device.
41. The method according to any one of claims 36 to 38, wherein the terminal device selects an encrypted traffic detection method to be used from the one or more encrypted traffic detection methods indicated in the first information.
42. The method according to any one of claims 36 to 38, wherein the encrypted traffic detection method to be used indicated in the second information comprises a plurality of encrypted traffic detection methods.
43. The method according to any one of claims 36 to 38, wherein in a case where the encrypted traffic detection method to be used indicated in the second information includes a plurality of encrypted traffic detection methods, the core network device performing processing according to the encrypted traffic detection method to be used includes:
the core network device selects one method from the plurality of methods as an encrypted traffic detection method to be finally used based on the priorities of the plurality of methods.
44. A method of communication, comprising:
the terminal device receiving, from the core network device, first information indicating one or more encrypted traffic detection methods determined by the core network device as candidate methods for the encrypted traffic detection method to be used in communication with the terminal device;
the terminal device determines an encrypted traffic detection method to be used in communication with the terminal device based on the first information;
the terminal device transmits second information indicating an encrypted traffic detection method to be used to the core network device.
45. The method of claim 44, wherein the terminal device receiving first information indicating one or more encrypted traffic detection methods from a core network device comprises:
the terminal device receives a downlink signaling message that is sent from the core network device and includes the first information.
46. The method of claim 44 or 45, wherein the terminal device receiving first information indicating one or more encrypted traffic detection methods from a core network device comprises:
the terminal device receives a user equipment configuration update request including first information sent from the core network device during a user equipment configuration update procedure.
47. The method of claim 44, wherein the terminal device determining, based on the first information, an encrypted traffic detection method to be used in communication with the terminal device, comprises:
the terminal equipment compares the one or more encrypted traffic detection methods indicated in the first information with one or more encrypted traffic detection methods supported by the terminal equipment;
the terminal device selects, as the encrypted traffic detection method to be used, at least one method that matches one of the one or more encrypted traffic detection methods supported by the terminal device, from the one or more encrypted traffic detection methods indicated in the first information.
48. The method of claim 44, wherein the terminal device sending, to the core network device, second information indicating the encrypted traffic detection method to be used comprises:
the terminal device includes the second information in an uplink signaling message to be sent to the core network device; and
the terminal device sends the uplink signaling message including the second information to the core network device.
49. The method of claim 48, wherein the terminal device including the second information in an uplink signaling message to be sent to a core network device comprises:
the terminal device includes the second information in a confirmation message for the user equipment configuration update request during the user equipment configuration update procedure.
50. The method of any of claims 44-49, wherein the first information indicates at least one of:
whether the core network device supports a user-equipment-assisted encrypted traffic detection method;
a type of the user-equipment-assisted encrypted traffic detection method supported by the core network device;
a subtype of the user-equipment-assisted encrypted traffic detection method supported by the core network device.
51. The method of claim 44, wherein the first information indicates a priority of the one or more encrypted traffic detection methods indicated in the first information.
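The two negotiations claimed above (terminal-initiated in claims 1 to 35, where the terminal offers its supported methods in a request and the core network selects; network-initiated in claims 36 to 51, where the core network offers candidates in a UE Configuration Update request and the terminal selects), as an added worked example that is not part of the patent or of any 3GPP specification. The claims define only what the first and second information indicate (support flag, type, subtype, priority) and which messages carry them, not an encoding, so the message field names, the "type/subtype" identifiers and the rule that the chooser applies its own priority list when several methods come back (claims 18 and 43) are assumptions of this example. The claims also leave undefined what happens when no method matches; the example returns no method in that case.

```python
"""Capability negotiation for a UE-assisted encrypted traffic detection method.

Added illustration of the exchange in the claims. Field names, the method
identifiers and the priority rule are assumptions; the claims define only
which information is carried and in which signaling message.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Capability:
    """One side's view: support flag and "type/subtype" identifiers ordered
    highest priority first (the priority of claims 15, 33, 40 and 51)."""
    ue_assisted: bool
    methods: list = field(default_factory=list)

    def types(self) -> list:
        return sorted({m.split("/")[0] for m in self.methods})


def build_first_info(cap: Capability) -> dict:
    """First information (claims 14, 32, 39, 50): support flag, types and
    subtypes; the order of the subtype list carries the sender's priority."""
    return {
        "ue_assisted_supported": cap.ue_assisted,
        "types": cap.types(),
        "subtypes": list(cap.methods),
    }


def select_matching(first_info: dict, own: Capability) -> list:
    """Claims 34 and 47: compare the offered methods with the receiver's own
    and keep every match, preserving the offerer's priority order."""
    if not first_info["ue_assisted_supported"] or not own.ue_assisted:
        return []
    return [m for m in first_info["subtypes"] if m in own.methods]


def pick_final(second_info: list, priority: list) -> Optional[str]:
    """Claims 18 and 43: when several methods come back, take the one ranked
    highest in the chooser's own priority list (assumption). None when the
    second information is empty; the claims do not define that case."""
    for m in priority:
        if m in second_info:
            return m
    return None


# Hypothetical message names per procedure (claims 3 to 7 and 9 to 13).
_MESSAGES = {
    "registration": ("Registration Request", "Registration Response"),
    "attach": ("Attach Request", "Attach Response"),
    "pdu_session_establishment": ("PDU Session Establishment Request",
                                  "PDU Session Establishment Response"),
    "pdu_session_modification": ("PDU Session Modification Request",
                                 "PDU Session Modification Response"),
}


def terminal_initiated(ue: Capability, cn: Capability,
                       procedure: str = "registration") -> dict:
    """Claims 1 to 35: UE sends first information uplink, core network
    answers with second information, UE applies it."""
    up_msg, down_msg = _MESSAGES[procedure]
    first = build_first_info(ue)
    second = select_matching(first, cn)        # done by the core network
    chosen = pick_final(second, ue.methods)    # done by the terminal
    return {"uplink": (up_msg, first), "downlink": (down_msg, second),
            "method": chosen}


def network_initiated(cn: Capability, ue: Capability) -> dict:
    """Claims 36 to 51: core network offers candidates in a UE Configuration
    Update request, UE answers in the confirmation, core network applies."""
    first = build_first_info(cn)
    second = select_matching(first, ue)        # done by the terminal
    chosen = pick_final(second, cn.methods)    # done by the core network
    return {"downlink": ("UE Configuration Update Request", first),
            "uplink": ("UE Configuration Update Confirmation", second),
            "method": chosen}


if __name__ == "__main__":
    # Constructed capabilities with hypothetical "type/subtype" identifiers.
    ue = Capability(True, ["A/1", "A/2", "B/1"])
    cn = Capability(True, ["B/1", "A/2"])
    print(terminal_initiated(ue, cn))
    print(network_initiated(cn, ue))
    print(terminal_initiated(ue, Capability(True, ["C/1"])))  # no common method
```

Note that the two directions resolve differently on the same capabilities: the terminal-initiated flow ends on the terminal's top-ranked common method, the network-initiated flow on the core network's, which is exactly the asymmetry the claims build in by letting the chooser apply the priorities.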
52. A terminal device, comprising:
a transmitting unit configured to transmit first information indicating one or more encrypted traffic detection methods supported by a terminal device to a core network device;
a receiving unit configured to receive second information from the core network device, the second information indicating an encrypted traffic detection method to be used in communication with the terminal device, which is determined by the core network device based on the first information;
a processing unit configured to cause the terminal device to perform processing according to the encrypted traffic detection method to be used.
53. The terminal device of claim 52, wherein the transmitting unit is configured to:
including the first information in an uplink signaling message to be sent to the core network device;
and sending an uplink signaling message including the first information to the core network equipment.
54. The terminal device of claim 52 or 53, wherein the transmitting unit is configured to:
include the first information in an uplink signaling message to be sent to the core network device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
55. The terminal device of claim 54, wherein, in a case where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during a registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
56. The terminal device of claim 54, wherein, in a case where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during an attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
57. The terminal device of claim 54, wherein, in a case where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during a PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
58. The terminal device of claim 54, wherein, in a case where the terminal device includes the first information in an uplink signaling message to be sent to the core network device during a PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
59. The terminal device of claim 52, wherein the receiving unit is configured to:
receiving a downlink signaling message including the second information from the core network device.
60. The terminal device of claim 52 or 59, wherein the receiving unit is configured to:
receive a downlink signaling message including the second information from the core network device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
61. The terminal device of claim 60, wherein, in case of receiving a downlink signaling message comprising the second information from the core network device during the registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure sent from the core network device to the terminal device.
62. The terminal device of claim 60, wherein, in case of receiving a downlink signaling message comprising the second information from the core network device during the attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure sent from the core network device to the terminal device.
63. The terminal device of claim 60, wherein in case of receiving a downlink signaling message including the second information from the core network device during the PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure sent from the core network device to the terminal device.
64. The terminal device of claim 60, wherein in the event that a downlink signaling message including the second information is received from the core network device during the PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure sent from the core network device to the terminal device.
65. The terminal device of any one of claims 52-64, wherein the first information indicates at least one of:
whether the terminal device supports a user-equipment-assisted encrypted traffic detection method;
a type of the user-equipment-assisted encrypted traffic detection method supported by the terminal device;
a subtype of the user-equipment-assisted encrypted traffic detection method supported by the terminal device.
66. The terminal device of any of claims 52-64, wherein the first information indicates a priority of the one or more methods determined by the terminal device.
67. The terminal device of any of claims 52 to 64, wherein the core network device selects the encrypted traffic detection method to be used from the one or more methods indicated by the first information.
68. A core network device, comprising:
a receiving unit configured to receive, from a terminal device, first information indicating one or more encrypted traffic detection methods supported by the terminal device;
a processing unit configured to determine an encrypted traffic detection method to be used in communication with the terminal device based on the first information;
a transmission unit configured to transmit second information indicating an encrypted traffic detection method to be used to the terminal device.
69. The core network device of claim 68, wherein the receiving unit is configured to:
receive an uplink signaling message that is sent from the terminal device and includes the first information.
70. The core network device of claim 68 or 69, wherein the receiving unit is configured to:
receive an uplink signaling message including the first information sent from the terminal device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
71. The core network device of claim 70, wherein in case of receiving an uplink signaling message including the first information sent from the terminal device during a registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure sent from the terminal device to the core network device.
72. The core network device of claim 70, wherein in case the core network device receives an uplink signaling message including the first information sent from the terminal device during an attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure sent from the terminal device to the core network device.
73. The core network device of claim 70, wherein, in a case where the uplink signaling message including the first information sent from the terminal device is received during a PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
74. The core network device of claim 70, wherein, in a case where the uplink signaling message including the first information sent from the terminal device is received during a PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
75. The core network device of claim 68, wherein the transmitting unit is configured to:
include the second information in a downlink signaling message to be sent to the terminal device;
send the downlink signaling message including the second information to the terminal device.
76. The core network device of claim 68 or 75, wherein the transmitting unit is configured to:
include the second information in a downlink signaling message to be sent to the terminal device during at least one of the following procedures:
a registration procedure of the terminal device;
an attach procedure of the terminal device;
a PDU session establishment procedure;
a PDU session modification procedure.
77. The core network device of claim 76, wherein, in case the second information is included in a downlink signaling message to be sent to the terminal device during the registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure sent from the core network device to the terminal device.
78. The core network device of claim 76, wherein, in case the second information is included in a downlink signaling message to be sent to the terminal device during the attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure sent from the core network device to the terminal device.
79. The core network device of claim 76, wherein, in case the second information is included in a downlink signaling message to be sent to the terminal device during the PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure sent from the core network device to the terminal device.
80. The core network device of claim 76, wherein, in case the second information is included in a downlink signaling message to be sent to the terminal device during the PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure sent from the core network device to the terminal device.
81. The core network device of any one of claims 68 to 80, wherein the first information indicates at least one of:
whether the terminal device supports a user-equipment-assisted encrypted traffic detection method;
a type of user-equipment-assisted encrypted traffic detection method supported by the terminal device;
a subtype of user-equipment-assisted encrypted traffic detection method supported by the terminal device.
82. The core network device of any one of claims 68 to 80, wherein the first information indicates a priority of the one or more encrypted traffic detection methods, the priority being determined by the terminal device.
83. The core network device of any one of claims 68 to 80, wherein the processing unit is configured to:
match the one or more methods indicated in the first information against the one or more methods supported by the core network device;
select, from the one or more methods indicated in the first information, at least one method that matches one of the one or more methods supported by the core network device as the encrypted traffic detection method to be used.
84. The core network device of any one of claims 68 to 80, wherein the processing unit is further configured to:
cause the core network device to perform the encrypted traffic detection method to be used.
85. A core network device, comprising:
a transmitting unit configured to transmit, to a terminal device, first information indicating one or more encrypted traffic detection methods determined by the core network device as candidate methods for the encrypted traffic detection method to be used in communication with the terminal device;
a receiving unit configured to receive second information from the terminal device, the second information indicating the encrypted traffic detection method to be used in communication with the terminal device, as determined by the terminal device based on the first information;
a processing unit configured to cause the core network device to perform the encrypted traffic detection method to be used.
86. The core network device of claim 85, wherein the transmitting unit is configured to:
include the first information in a downlink signaling message to be sent to the terminal device;
send the downlink signaling message including the first information to the terminal device.
87. The core network device of claim 85 or 86, wherein the transmitting unit is configured to:
include the first information in a user equipment configuration update request to be sent to the terminal device during a user equipment configuration update procedure;
and wherein the receiving unit is configured to:
receive, from the terminal device, a confirmation message for the user equipment configuration update request, the confirmation message including the second information.
88. The core network device of any one of claims 85 to 87, wherein the first information indicates a priority of the one or more encrypted traffic detection methods, the priority being determined by the core network device.
89. The core network device of any one of claims 85 to 87, wherein the terminal device selects the encrypted traffic detection method to be used from the one or more encrypted traffic detection methods indicated in the first information.
90. A terminal device, comprising:
a receiving unit configured to receive, from a core network device, first information indicating one or more encrypted traffic detection methods determined by the core network device as candidate methods for the encrypted traffic detection method to be used in communication between the terminal device and the core network device;
a processing unit configured to determine, based on the first information, the encrypted traffic detection method to be used in communication between the terminal device and the core network device;
a transmitting unit configured to transmit, to the core network device, second information indicating the encrypted traffic detection method to be used.
91. The terminal device of claim 90, wherein the receiving unit is configured to:
receive a downlink signaling message including the first information from the core network device.
92. The terminal device of claim 90 or 91, wherein the receiving unit is configured to:
receive, during a user equipment configuration update procedure, a user equipment configuration update request including the first information from the core network device.
93. The terminal device of claim 90, wherein the processing unit is configured to:
match the one or more encrypted traffic detection methods indicated in the first information against the one or more encrypted traffic detection methods supported by the terminal device;
select, from the one or more encrypted traffic detection methods indicated in the first information, at least one method that matches one of the one or more encrypted traffic detection methods supported by the terminal device as the encrypted traffic detection method to be used.
94. The terminal device of claim 90, wherein the transmitting unit is configured to:
include the second information in an uplink signaling message to be sent to the core network device;
send the uplink signaling message including the second information to the core network device.
95. The terminal device of claim 90 or 94, wherein the transmitting unit is configured to:
include the second information in a confirmation message for the user equipment configuration update request during the user equipment configuration update procedure.
96. The terminal device of any one of claims 90 to 95, wherein the first information further indicates a priority of the one or more encrypted traffic detection methods.
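The two directions of the negotiation, the terminal-initiated one of claims 68 to 84 (capability list in a request, answer in the matching response of the same procedure) and the network-initiated one of claims 85 to 96 (candidate list in a user equipment configuration update request, answer in its confirmation), can be exercised end to end with the following Python model. It is an added example and not code from the patent or its applicant; the message names, field names, function names and the detection-method names in the demo are placeholders chosen here, and the priority rule (the first entry of the offerer's list is preferred) is one reading of claims 82, 88 and 96.

```python
"""Capability negotiation for a UE-assisted encrypted traffic detection (ETD) method.

Model of the exchange the claims describe.  Names of messages, fields,
functions and detection methods are placeholders chosen for this example,
not identifiers taken from the patent or from 3GPP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class EtdMethod:
    """One UE-assisted ETD method: a type and an optional subtype (claim 81)."""
    kind: str
    subtype: Optional[str] = None


# Uplink carrier / downlink carrier of the capability IE per procedure
# (claims 70 to 80).  Message names follow the wording of the claims.
CARRIER: Dict[str, Tuple[str, str]] = {
    "registration": ("REGISTRATION_REQUEST", "REGISTRATION_RESPONSE"),
    "attach": ("ATTACH_REQUEST", "ATTACH_RESPONSE"),
    "pdu_session_establishment": ("PDU_SESSION_ESTABLISHMENT_REQUEST",
                                  "PDU_SESSION_ESTABLISHMENT_RESPONSE"),
    "pdu_session_modification": ("PDU_SESSION_MODIFICATION_REQUEST",
                                 "PDU_SESSION_MODIFICATION_RESPONSE"),
}
UCU_REQUEST = "UE_CONFIGURATION_UPDATE_REQUEST"   # claim 87 / 92
UCU_ACK = "UE_CONFIGURATION_UPDATE_CONFIRMATION"  # claim 87 / 95


def select_method(offered: Sequence[EtdMethod],
                  local: Sequence[EtdMethod]) -> Optional[EtdMethod]:
    """Claims 83 and 93: intersect the offered list with the local list.

    `offered` is ordered by the offerer's priority (claims 82 / 88 / 96), so
    the first hit wins.  None means no method could be agreed; an empty
    offered list means "UE-assisted ETD not supported" (claim 81).
    """
    local_set = set(local)
    for method in offered:
        if method in local_set:
            return method
    return None


def ue_build_uplink(procedure: str, ue_supported: Sequence[EtdMethod]) -> dict:
    """UE puts the first information into the request of the chosen procedure."""
    request, _ = CARRIER[procedure]
    return {"msg": request, "first_information": list(ue_supported)}


def cn_handle_uplink(procedure: str, msg: dict,
                     cn_supported: Sequence[EtdMethod]) -> dict:
    """Core network side of claims 68 to 84: select and answer in the response
    of the same procedure.  The IE is only honoured in the message the claims
    bind it to, so it cannot be slipped in through some other message."""
    request, response = CARRIER[procedure]
    if msg.get("msg") != request:
        raise ValueError(f"{msg.get('msg')!r} is not the {procedure} request")
    chosen = select_method(msg.get("first_information", []), cn_supported)
    return {"msg": response, "second_information": chosen}


def cn_build_config_update(candidates: Sequence[EtdMethod]) -> dict:
    """Claim 87: network-initiated direction, candidates in a UCU request."""
    return {"msg": UCU_REQUEST, "first_information": list(candidates)}


def ue_handle_config_update(msg: dict, ue_supported: Sequence[EtdMethod]) -> dict:
    """Claims 90 to 95: the UE picks from the network's candidates and confirms."""
    if msg.get("msg") != UCU_REQUEST:
        raise ValueError(f"{msg.get('msg')!r} is not a UE configuration update request")
    chosen = select_method(msg.get("first_information", []), ue_supported)
    return {"msg": UCU_ACK, "second_information": chosen}


def cn_accept_ack(offered: Sequence[EtdMethod], ack: dict) -> Optional[EtdMethod]:
    """Check before the network enables anything (claim 85): the UE's answer
    must be one of the methods the network itself offered.  A buggy or hostile
    UE therefore cannot steer the network into a mode it never proposed."""
    if ack.get("msg") != UCU_ACK:
        raise ValueError(f"{ack.get('msg')!r} is not a UE configuration update confirmation")
    chosen = ack.get("second_information")
    if chosen is not None and chosen not in set(offered):
        raise ValueError(f"UE selected {chosen}, which was not offered")
    return chosen


def negotiate_network_initiated(candidates: Sequence[EtdMethod],
                                ue_supported: Sequence[EtdMethod]) -> Optional[EtdMethod]:
    """Full round trip of claims 85 to 96, returning the agreed method."""
    offer = cn_build_config_update(candidates)
    ack = ue_handle_config_update(offer, ue_supported)
    return cn_accept_ack(offer["first_information"], ack)


if __name__ == "__main__":
    # Constructed capability lists; the method names are invented for the demo.
    ue: List[EtdMethod] = [EtdMethod("app-id-report", "v2"),
                           EtdMethod("app-id-report", "v1"),
                           EtdMethod("flow-descriptor")]
    cn: List[EtdMethod] = [EtdMethod("flow-descriptor"), EtdMethod("app-id-report", "v1")]
    req = ue_build_uplink("pdu_session_establishment", ue)
    print(cn_handle_uplink("pdu_session_establishment", req, cn))
    print(negotiate_network_initiated(cn, ue))
```

Two checks are worth keeping in any real implementation of this exchange: the capability IE is only honoured in the message the claims bind it to (`cn_handle_uplink` rejects anything else), and the network only enables a method it actually offered (`cn_accept_ack`), so the peer cannot answer with a method outside the candidate list. The claims say nothing about integrity protection of the signaling messages that carry these lists; that is a property of the NAS security context, not something this negotiation provides on its own.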
97. A terminal device comprising a transceiver and a processor, wherein the processor is configured to perform, by means of the transceiver, the communication method of any one of claims 1-16 or the communication method of any one of claims 39-45.
98. A core network device comprising a transceiver and a processor, wherein the processor is configured to perform, by means of the transceiver, the communication method of any one of claims 17-33 or the communication method of any one of claims 34-38.
99. A system on a chip comprising a processor and a memory, wherein the processor is configured to execute code in the memory and to implement the communication method of any one of claims 1 to 18, or the communication method of any one of claims 19 to 35, or the communication method of any one of claims 36 to 43, or the communication method of any one of claims 44 to 51.
100. A system on a chip comprising a processor and a memory, wherein the processor is configured to execute code in the memory and to implement the communication method of any one of claims 1 to 18, or the communication method of any one of claims 19 to 35, or the communication method of any one of claims 36 to 43, or the communication method of any one of claims 44 to 51.
101. A computer readable medium for storing program code, wherein the program code comprises instructions for performing the communication method according to any one of claims 1 to 18, or the communication method according to any one of claims 19 to 35, or the communication method according to any one of claims 36-43, or the communication method according to any one of claims 44-51.
CN201980003697.9A 2018-05-23 2019-05-21 Communication method, terminal equipment and core network equipment Active CN110999256B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201862675274P 2018-05-23 2018-05-23
US62/675,274 2018-05-23
PCT/CN2019/087839 WO2019223697A1 (en) 2018-05-23 2019-05-21 Communication method, terminal device and core network device

Publications (2)

Publication Number Publication Date
CN110999256A true CN110999256A (en) 2020-04-10
CN110999256B CN110999256B (en) 2021-12-03

Family

ID=68617116

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980003697.9A Active CN110999256B (en) 2018-05-23 2019-05-21 Communication method, terminal equipment and core network equipment

Country Status (2)

Country Link
CN (1) CN110999256B (en)
WO (1) WO2019223697A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116016284A (en) * 2022-12-09 2023-04-25 中国联合网络通信集团有限公司 Data analysis method, device, electronic equipment and storage medium

Citations (11)

Publication number Priority date Publication date Assignee Title
US20050188219A1 (en) * 2003-12-26 2005-08-25 Orange France Method and a system for communication between a terminal and at least one communication equipment
US20060064749A1 (en) * 2004-09-17 2006-03-23 Aaron Jeffrey A Detection of encrypted packet streams using feedback probing
CN104506488A (en) * 2014-11-25 2015-04-08 深圳市金印达科技有限公司 Multi-user encryption system capable of automatically identifying communication protocol and communication method thereof
CN104660589A (en) * 2015-01-20 2015-05-27 中兴通讯股份有限公司 Method and system for controlling encryption of information and analyzing information as well as terminal
CN105165045A (en) * 2013-06-07 2015-12-16 英特尔公司 Device-to-device discovery information encryption
CN105406993A (en) * 2015-10-28 2016-03-16 中国人民解放军信息工程大学 Encrypted stream recognition method and device
US20170013000A1 (en) * 2014-02-28 2017-01-12 British Telecommunications Public Limited Company Profiling for malicious encrypted network traffic identification
US20170237777A1 (en) * 2016-02-15 2017-08-17 Netscout Systems Texas, Llc System and method to estimate quality of experience for consumption of encrypted media network traffic
US20170244705A1 (en) * 2016-02-18 2017-08-24 Electronics And Telecommunications Research Institute Method of using converged core network service, universal control entity, and converged core network system
CN107360159A (en) * 2017-07-11 2017-11-17 中国科学院信息工程研究所 A kind of method and device for identifying abnormal encryption flow
CN107547564A (en) * 2017-09-28 2018-01-05 新华三信息安全技术有限公司 A kind of method and device of Message processing

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
WO2015128612A1 (en) * 2014-02-28 2015-09-03 British Telecommunications Public Limited Company Malicious encrypted traffic inhibitor
CN105721242B (en) * 2016-01-26 2018-10-12 国家信息技术安全研究中心 A kind of encryption method for recognizing flux based on comentropy
US11444850B2 (en) * 2016-05-02 2022-09-13 Huawei Technologies Co., Ltd. Method and apparatus for communication network quality of service capability exposure

Also Published As

Publication number Publication date
WO2019223697A1 (en) 2019-11-28
CN110999256B (en) 2021-12-03

Similar Documents

Publication Publication Date Title
AU2017436351B2 (en) Data transmission method, terminal device, and network device
CN113286291A (en) Connection processing method and device in multi-access scene
US20210168151A1 (en) Method for implementing user plane security policy, apparatus, and system
CN110366112B (en) Positioning method and related equipment
US11388661B2 (en) Network slice configuration update
EP3076710A1 (en) Offload method, user equipment, base station and access point
CN110622544A (en) ANR configuration method, terminal equipment, base station and core network equipment
CN109429366B (en) PDU session processing method and device
CN110463340A (en) Paging method and paging equipment
CN114342549A (en) Method and apparatus for connecting network
CN111491394B (en) Method and device for user plane security protection
CN110710187B (en) Method and apparatus for flow detection and computer readable storage medium
CN111641946B (en) Method for processing data, network device and computer storage medium
CN110999256B (en) Communication method, terminal equipment and core network equipment
CN108702303B (en) Method and equipment for carrying out security configuration on radio bearer
EP3499834B1 (en) Key negotiation method and apparatus
US20150026775A1 (en) Access mode selection based on user equipment selected access network identity
US20200036715A1 (en) Mobile terminal, network node server, method and computer program
CN111034316B (en) Method for transmitting data, terminal device and session management function SMF device
JP6732794B2 (en) Method for establishing a connection of a mobile terminal to a mobile wireless communication network and a communication network device
WO2024065857A1 (en) Method and apparatus for providing a security mechanism for a steering of roaming procedure
WO2019028795A1 (en) Method and device for determining service path
CN106664195B (en) Data processing method, device and system
WO2023017036A1 (en) Methods and systems for steering of roaming
CN106465350B (en) Method and apparatus for assisting a UE in reducing interference

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant