WO2007056925A1 - A session control method and equipment in ims network - Google Patents


Info

Publication number
WO2007056925A1
Authority
WO
WIPO (PCT)
Prior art keywords
session
user
behalf
information
initiate
Prior art date
Application number
PCT/CN2006/002799
Other languages
French (fr)
Chinese (zh)
Inventor
Yajuan Wu
Fenqin Zhu
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007056925A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management

Definitions

  • the present invention relates to the field of network communication technologies, and in particular to a session control method and apparatus in an IMS network.
  • multimedia services combining multiple media types such as audio, video, pictures and text will gradually be developed; combined with presence, group management, short message, WEB (web) browsing, location information, PUSH (push service), file sharing and other data services, they can meet the diverse needs of users.
  • IMS: IP Multimedia Subsystem
  • CSCF: Call Session Control Function
  • MGCF: Media Gateway Control Function
  • MRF: Multimedia Resource Function
  • HSS: Home Subscriber Server
  • S-CSCF: Serving CSCF
  • P-CSCF: Proxy CSCF
  • I-CSCF: Interrogating CSCF
  • the S-CSCF is the service switching center of the IMS, performs session control, maintains session state, is responsible for managing user information, and generates charging information.
  • the P-CSCF is an access point for the terminal user to access the IMS, completes user registration, and is responsible for QoS.
  • the I-CSCF is responsible for interworking between IMS domains, managing the allocation of S-CSCFs, hiding network topology and configuration, and generating billing data.
  • the MGCF controls the gateway to implement interworking between the IMS network and other networks.
  • the MRF provides media resources such as audio and video, codec and multimedia conference bridge.
  • the HSS is a user database that stores subscription data and configuration information of IMS users.
  • the IMS network can also be applied to other packet networks outside the 3GPP defined packet domain network.
  • each user who has subscribed to an IMS service is assigned one or more private user identifiers (IMPI) by the home network operator, for use in the registration, authorization, management and accounting processes.
  • the IMPI uses the NAI (Network Access Identifier) format.
  • each IMS user also has one or more public user identifiers IMPU, which are used to identify themselves and find each other when communicating with other users.
  • Private user IDs are generally not publicly available, and public user IDs are publicly available and used during conversations using various types of services.
  • PSI: Public Service Identity
  • the difference between the public service identifier and the public user identifier is that the public user identifier identifies a user and is used to find the other party when using various services, whereas the public service identifier identifies a service; services generally reside in an application server (AS), such as a local service.
  • a PSI can also be used to identify a group. For example, in a chat room service a public service identifier such as sip:chatlist_X@example.com can represent a chat group. Each user can establish a session with this PSI and send and receive messages with the other participants in the chat session through the AS where the PSI is located.
  • the format of the PSI can be a SIP URI or a TEL URL.
  • the AS in the IMS network can initiate a call on behalf of a user represented by a public user identifier or a service represented by a public service identifier.
  • in such a request message, the initiator field is filled with the identity of the user on whose behalf the AS acts.
  • when the AS initiates a session on behalf of an IMPU (IP Multimedia Public User Identity) or a PSI, the AS needs to obtain the address of the S-CSCF. If the AS initiates a session request on behalf of a user but cannot obtain the address of the S-CSCF serving that IMPU, the AS cannot initiate the session request on behalf of the user. If the AS initiates a session request using a PSI and the PSI has no assigned S-CSCF address, the AS uses a mechanism such as DNS to route the SIP message and sends the session initiation request directly to the called network. If the AS obtains the address of the S-CSCF serving the IMPU or PSI, the AS sends the session initiation request to that S-CSCF.
  • the AS allow list is used to check whether the AS that sends a query request is allowed to perform the query. The check is performed at AS granularity: only an AS that passes the allow-list check has its subsequent messages processed.
  • when an AS initiates a service request on behalf of a user, an AS that is in the AS allow list and has obtained user information in some way can, according to that information, initiate calls on behalf of other users in the IMS network, even though the AS may only be entitled to initiate call requests on the IMS network on its own behalf, such as an advertisement push service. Other users or application servers in the network will then receive call requests that the AS initiated in the name of that user, which creates hidden dangers for network security and damages the legitimate interests of users.
  • the object of the present invention is to provide a session control method and device in an IMS network which, by detecting the authority of an AS to initiate a session on behalf of a user, can detect the security risks existing in the network and ensure that the legitimate interests of users are not compromised.
  • the method for controlling a session in an IMS network includes: setting, in the IMS network, authority information indicating on behalf of which users an AS may initiate a session; and, in the process of the AS initiating a session on behalf of a user, the IMS network function entity obtaining the authority information, determining according to it the authority of the AS to initiate the session on behalf of the user, and controlling the session process initiated by the AS on behalf of the user according to the determined authority.
  • the method includes: the IMS network function entity determining, according to the obtained authority information, whether the AS that initiates the session on behalf of the user has the right to do so. If the AS has the right, the IMS network function entity allows the AS to initiate the session on behalf of the user; if the AS does not have the right, the IMS network function entity prohibits the AS from initiating the session on behalf of the user.
  • the IMS network function entity is: HSS or S-CSCF.
  • the authority information of the AS to initiate a session on behalf of the user is set in the HSS.
  • the method includes:
  • the AS sends a query request for user data to the HSS;
  • the HSS checks and controls the session process initiated by the AS on behalf of the user according to the information carried in the query request and the information stored in the AS allow list.
  • the query request of the user data includes: a query request for address information of the S-CSCF corresponding to the user; and the step of checking and controlling the HSS includes:
  • the HSS obtains the corresponding entry in the AS allowed list according to the user data index information carried in the query request;
  • the HSS determines whether the query is successful according to the AS identifier information, the user identifier, and the entry information carried in the query request.
  • if the query succeeds, the S-CSCF address information is carried in the successful response message transmitted to the AS;
  • if the query fails, a query-failure response message is transmitted to the AS.
  • the predetermined field in the User Profile of the HSS is set to the authority information of the AS to initiate a session on behalf of the user.
  • the predetermined field is AS information, and the method includes:
  • the S-CSCF determines, according to the SIP session establishment request message sent by the AS, that the session to be established is an AS originating session, and determines whether the AS profile downloaded from the HSS includes the AS information.
  • if the AS information is included, it is determined that the AS has the right to initiate a session on behalf of the user, and subsequent processing of the SIP session establishment request message is allowed;
  • if the AS information is not included, it is determined that the AS does not have the right to initiate a session on behalf of the user, and subsequent processing of the SIP session establishment request message is refused.
  • the method includes:
  • the S-CSCF, upon determining according to the SIP session establishment request message sent by the AS that the session to be established is an AS originating session, matches the information carried in the SIP session establishment request message against the filtering rules in the User Profile downloaded from the HSS, and determines whether the AS identification information that allows an AS to initiate a session on behalf of the user matches the AS that sent the SIP session establishment request message;
  • the step of determining that the session to be established is an AS originating session specifically includes:
  • the session to be established is determined to be an AS originating session according to the contents of the orig field, the record route header field, and the p-asserted-identity in the SIP session establishment request message.
  • the present invention also provides a session control apparatus in an IMS network, including: an obtaining authority information module, which, in the process of the AS initiating a session on behalf of the user, obtains the authority information of the AS to initiate a session on behalf of the user and transmits it to the determining authority module; a determining authority module, which determines, according to the received authority information and the information carried in the request message transmitted by the AS, whether the AS is allowed to initiate a session on behalf of the user, and transmits the permitted or prohibited result to the session control module;
  • the session control module performs corresponding control processing on the process in which the AS initiates a session on behalf of the user according to the information that is allowed or prohibited.
  • the device is: S-CSCF or HSS.
  • the present invention enables the IMS network function entity to detect, according to the authority information, whether the AS has the authority to initiate a session on behalf of the user, so that the session initiated by the AS on behalf of the user can be effectively controlled, avoiding the phenomenon of an AS arbitrarily initiating calls on the IMS network on behalf of other users and eliminating the security risks existing in the network.
  • the authority information of the AS to initiate a session on behalf of the user can be set in the HSS, and the manner of setting is flexible: for example, user identification information that allows and/or prohibits the AS from initiating a session on behalf of the user can be set in the AS allow list or in the User Profile, or the original field content in the User Profile can be reused.
  • the present invention provides multiple implementation processes for detecting the authority of an AS to initiate a session on behalf of a user, which enables it to meet various detection requirements in an actual network: for example, the authority can be detected in the process of the AS querying the user data it is allowed to read, or when the AS sends a SIP session establishment request. The technical solution provided by the invention thus achieves the purpose of improving network security and user satisfaction.
  • FIG. 1 is a schematic diagram of a session control device of the present invention.
  • if the IMS network can check whether the AS is eligible to initiate a session on behalf of the user, it can effectively prevent the AS from initiating calls on the IMS network in the name of that user, thus avoiding the security risks in the network and effectively guaranteeing the legitimate interests of users.
  • the main technical content of the present invention is: setting the privilege information of the AS on behalf of the user to initiate the session in the IMS network, and the IMS network function entity acquires the privilege information, and the AS is based on the privilege information. Controls the session process initiated on behalf of the user.
  • the IMS network of the present invention is provided with the privilege information that the AS initiates the session on behalf of the user, and the privilege information can be set in the HSS, such as in the AS allow list or in the User Profile.
  • the authority information may be newly added information.
  • when the authority information is set in the AS allow list of the HSS, the AS allow list is extended with a new field.
  • the content of the field is the authority information of the AS to initiate a session on behalf of the user, such as user identification information that allows the AS to initiate a session on behalf of the user, user identification information that prohibits the AS from doing so, or both.
  • the user identification information set by the above may be: IMPU or MSISDN (Mobile Subscriber ISDN Number) information.
  • the privilege information can also utilize the original information content, such as when the privilege information is set in the User Profile, using the original AS information, and the like.
  • the present invention can fully utilize the process in which the AS queries the HSS for the user data that is allowed to be read by the AS to implement the session control of the present invention.
  • the basic implementation principle is :
  • when the AS needs to initiate a session establishment request on behalf of a user, it sends a query request to the HSS to obtain user data. The HSS receives the query request, obtains the index information of the user data from it, determines the corresponding entry in the AS allow list according to the index information, judges according to the user data the AS is allowed to read and the authority information of the AS to initiate a session on behalf of the user whether the AS is allowed to initiate a session on behalf of this user, and returns a corresponding response message to the AS according to the judgment result.
  • the session control process of the present invention is described in detail below, taking the query of the S-CSCF address information of the calling user as an example.
  • the AS allow list is extended with user identification information that allows the AS to initiate a session on behalf of a user, such as IMPU or MSISDN information.
  • suppose the AS needs to initiate a session on behalf of the user IMPUa.
  • since the S-CSCF allocated to a user changes dynamically according to the registration status of the user, the AS first needs to send a query request to the HSS to obtain the address of the S-CSCF currently serving the user.
  • the user here is a user identified by an IMPU.
  • the AS sends a query request message to the HSS through the Sh interface.
  • the query request message carries the public user identifier IMPUa of the user, indicating that the user data the AS needs to query is the S-CSCF address currently serving IMPUa.
  • after receiving the query request from the AS on the Sh interface, the HSS determines the corresponding entry in the AS allow list according to the index of the user data to be queried carried in the query request message, and then, according to the AS identifier and the IMPUa carried in the query request message, determines whether the AS is allowed to read the S-CSCF address information of the user IMPUa and whether the user identification information in that entry, which indicates the users on whose behalf the AS may initiate sessions, includes IMPUa. If the AS is allowed to read the S-CSCF address information and the user identification information in the entry includes IMPUa, the S-CSCF address information of IMPUa is returned to the AS in a successful response message; otherwise, a query-failure response message is returned to the AS.
  • the AS obtains the S-CSCF address from the successful response message and initiates the session establishment request on behalf of IMPUa.
  • the session establishment request message received by the S-CSCF is therefore one sent by an AS that has passed the detection of its authority to initiate a session on behalf of the user, that is, a secure session establishment request message.
  • the method can be conveniently applied to the newly implemented IMS system.
  • in the process above, the present invention performs the detection of the AS's authority to initiate a session on behalf of the user within the existing check of the AS's query request, which improves service processing efficiency.
  • alternatively, the present invention can add an additional processing step after the existing query-request check to check whether the AS has the right to initiate a session on behalf of the user, so that the authority check introduced by the present invention does not affect the existing process of checking the AS's query request.
  • the specific process with such an additional step, for the AS initiating a session on behalf of a user, is as follows.
  • the AS sends a query request message to the HSS through the sh interface.
  • the query request message carries the public user identifier MSISDNb of the user, indicating that the user data that the AS needs to query is the S-CSCF address currently serving the MSISDNb.
  • after receiving the query request message from the AS on the Sh interface, the HSS determines the corresponding entry in the AS allow list according to the index of the user data to be queried carried in the query request message, and then, according to the AS identifier and the MSISDNb carried in the query message, determines whether the AS is allowed to read the S-CSCF address of the user MSISDNb.
  • after the foregoing process ends and it has been determined that the AS is allowed to read the S-CSCF address information, the HSS performs the check of the AS's authority to initiate a session on behalf of the user.
  • the specific process is as follows: the HSS retrieves the corresponding entry in the AS allow list according to the user data index information in the query request message; then, according to the AS identifier and the MSISDNb in the query request message and the user identification information in the corresponding entry indicating on whose behalf the AS may initiate sessions, it determines whether the AS is allowed to initiate a session on behalf of this user.
  • if it is allowed, the HSS returns the S-CSCF address information of the user MSISDNb to the AS in a successful response message, and the AS initiates a session establishment request on behalf of MSISDNb according to the obtained S-CSCF address.
  • the session establishment request message received by the S-CSCF is thus a message sent by an AS that has passed the detection of its authority to initiate a session on behalf of the user, that is, a secure session establishment request message.
  • if it is not allowed, the HSS returns a query-failure response message to the AS, and the AS cannot obtain the S-CSCF address corresponding to MSISDNb; it therefore cannot initiate the session establishment request on behalf of MSISDNb, which prevents the S-CSCF from receiving an insecure request message.
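The HSS-side check described above, as an added example that is not part of the patent: a small model of the extended AS allow list in which the on-behalf-of check is placed after the existing read-permission check, so a query for a user the AS may not represent fails without revealing the S-CSCF address. Entry contents, AS names, identities and the data index name are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AllowListEntry:
    """One entry of the HSS AS allow list, extended as the patent proposes.

    readable_data: the existing content, the user-data items this AS may read
    over the Sh interface. on_behalf_of: the added field, the IMPUs/MSISDNs
    on whose behalf this AS may initiate sessions.
    """
    readable_data: set
    on_behalf_of: set = field(default_factory=set)


@dataclass
class ShQuery:
    """Minimal model of the Sh query an AS sends before originating a call."""
    as_id: str       # identifier of the querying AS
    user_id: str     # IMPU or MSISDN of the user to be represented
    data_index: str  # index of the requested user data


@dataclass
class ShResponse:
    success: bool
    scscf_address: Optional[str] = None
    reason: str = ""


class HSS:
    def __init__(self, allow_list, serving_scscf):
        # allow_list: AS id -> AllowListEntry
        # serving_scscf: user id -> address of the S-CSCF currently serving
        # that user (changes with the user's registration state)
        self.allow_list = allow_list
        self.serving_scscf = serving_scscf

    def handle_sh_query(self, q: ShQuery) -> ShResponse:
        entry = self.allow_list.get(q.as_id)
        if entry is None:
            return ShResponse(False, reason="AS not in allow list")
        # Existing check: is this AS allowed to read the requested data item?
        if q.data_index not in entry.readable_data:
            return ShResponse(False, reason="AS may not read this data")
        # Added check (this patent): may this AS act on behalf of this user?
        # Running it after the existing check leaves that check unchanged.
        if q.user_id not in entry.on_behalf_of:
            return ShResponse(False, reason="AS may not originate on behalf of user")
        addr = self.serving_scscf.get(q.user_id)
        if addr is None:
            return ShResponse(False, reason="no S-CSCF currently serving user")
        return ShResponse(True, scscf_address=addr)


# Constructed data: an advertisement-push AS that may read S-CSCF names but is
# only permitted to originate on behalf of IMPUa, plus the S-CSCFs serving users.
ALLOW_LIST = {
    "ad-push-as": AllowListEntry(
        readable_data={"S-CSCF-Name"},
        on_behalf_of={"sip:impua@example.com"},
    ),
}
SERVING_SCSCF = {
    "sip:impua@example.com": "sip:scscf1.example.com",
    "tel:+15550001111": "sip:scscf2.example.com",   # stands in for MSISDNb
}
hss = HSS(ALLOW_LIST, SERVING_SCSCF)


def query_for(as_id, user_id):
    """Ask the HSS for the S-CSCF currently serving user_id on behalf of as_id."""
    return hss.handle_sh_query(ShQuery(as_id, user_id, "S-CSCF-Name"))


if __name__ == "__main__":
    print(query_for("ad-push-as", "sip:impua@example.com"))   # success, address returned
    print(query_for("ad-push-as", "tel:+15550001111"))        # failure, no address
```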
  • the AS can query the address information of the S-CSCF from the HSS through the SH interface, or obtain the address of the S-CSCF through static configuration, and directly send the session establishment request message to the specified S- CSCF.
  • with static configuration, it is not possible to use the AS allow list to implement the eligibility check for the AS to initiate a session on behalf of the user.
  • configuring the address of the S-CSCF on the AS means that the IMS operator has a certain trust relationship with the AS.
  • on this basis, the invention proposes another method to avoid the phenomenon that the AS initiates a session establishment request on behalf of a PSI or IMPU that it is not entitled to represent:
  • the authority information of the AS on behalf of the user to initiate the session can be set in the User Profile.
  • after the AS sends a SIP session establishment request message to the S-CSCF, the S-CSCF treats it as a normal SIP session establishment request message and checks it according to the User Profile information downloaded from the HSS, for example by performing iFC (filter rule) matching.
  • the matching process is the same as the existing iFC matching process: each trigger rule is matched against the information fields of the received SIP message, and a successful match corresponds to an AS.
  • the difference is that when the S-CSCF determines that the call is an AS originated call, a check of the AS's authority to initiate the session on behalf of the user is added to the above matching process.
  • Example 1: the authority information of the AS to initiate a session on behalf of the user is a predetermined field already present in the User Profile, such as the AS information.
  • for a call initiated by the AS on behalf of an IMPU/PSI, the S-CSCF checks the User Profile it downloaded from the HSS for that user.
  • if the AS that sent the session establishment request message appears in the user's iFC list, that is, the user's session information, such as registration information, can be routed to that AS, the AS may initiate a session on behalf of the user; if the AS that sent the session establishment request message does not appear in the user's iFC list, that is, the user's session information cannot be routed to that AS, the AS may not initiate a session on behalf of the user.
  • this method is more suitable for IMS networks whose S-CSCF and HSS are already deployed, and it has no effect on the existing IMS network architecture or on the message transmission between S-CSCF and HSS.
  • Example 2: the authority information of the AS to initiate a session on behalf of the user is newly added field content in the User Profile.
  • the content of the field indicates the authorization list of ASs allowed to initiate a session on behalf of the user, such as the identification information of ASs that are allowed and/or prohibited from initiating sessions on behalf of the user.
  • the newly added field content in the User Profile is examined to detect whether the AS is in the authorization list. If the AS is in the authorization list, the AS can initiate a session on behalf of the user and the S-CSCF allows the session establishment request sent by the AS; if the AS is not in the authorization list, the AS cannot initiate a session on behalf of the user and the S-CSCF rejects the session establishment request sent by the AS.
  • Example 2 is applicable to the case where the S-CSCF and HSS are newly applied to the IMS network.
  • the S-CSCF determines that the AS-initiated session is an originating call of the AS on behalf of an IMPU/PSI as follows: the orig (originating) field in the session establishment request message identifies the call as an originating call, the AS origination is identified by the Record-Route header field, and the P-Asserted-Identity header field (P denotes a private header field) identifies the IMPU/PSI on whose behalf the AS originated the call.
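The S-CSCF-side decision described in Examples 1 and 2 above, as an added example that is not part of the patent: the request is classified as AS-originated from the orig marker, the Record-Route header and P-Asserted-Identity, and the named AS is then checked against either the AS information in the user's iFCs (Example 1) or the added authorization list (Example 2). The INVITE, header layout, hostnames, identities and profile field names are constructed for the example.

```python
import re

# Constructed sample INVITE from an AS (as1.example.com) to the S-CSCF on behalf
# of the user sip:alice@example.com. Header usage follows the patent text: the
# orig marker flags an originating request, Record-Route names the AS, and
# P-Asserted-Identity names the IMPU/PSI the AS claims to represent.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP as1.example.com;branch=z9hG4bK776asdhds\r\n"
    "Route: <sip:scscf1.example.com;lr;orig>\r\n"
    "Record-Route: <sip:as1.example.com;lr>\r\n"
    "P-Asserted-Identity: <sip:alice@example.com>\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed User Profiles as the S-CSCF would hold them after download from
# the HSS. "ifc_as_hosts" is the AS information already present in the user's
# iFCs (Example 1); "authorized_as_hosts" is the newly added field (Example 2).
USER_PROFILES = {
    "sip:alice@example.com": {
        "ifc_as_hosts": {"as1.example.com", "presence.example.com"},
        "authorized_as_hosts": {"as2.example.com"},
    },
}

_ORIG_PARAM = re.compile(r";orig(?=[;>]|$)")
_URI_HOST = re.compile(r"<sips?:(?:[^@>]*@)?([^;>]+)")
_URI = re.compile(r"<([^>]+)>")


def parse_headers(raw):
    """Map lower-cased header name -> list of values (start line skipped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify_as_originated(headers):
    """Return (as_host, represented_identity) for an AS-originated originating
    request, or None if the request does not carry all three indicators."""
    if not any(_ORIG_PARAM.search(r) for r in headers.get("route", [])):
        return None
    rr = headers.get("record-route", [])
    pai = headers.get("p-asserted-identity", [])
    if not rr or not pai:
        return None
    host = _URI_HOST.search(rr[0])
    ident = _URI.search(pai[0])
    if not host or not ident:
        return None
    return host.group(1).lower(), ident.group(1).lower()


def check_on_behalf_authority(raw_invite, profiles, mode="ifc"):
    """S-CSCF decision: ('allow' | 'reject', reason).

    mode='ifc'  -> Example 1: the AS must appear in the user's iFC AS list.
    mode='list' -> Example 2: the AS must appear in the added authorization list.
    A request that is not AS-originated goes through normal processing.
    """
    headers = parse_headers(raw_invite)
    info = classify_as_originated(headers)
    if info is None:
        return "allow", "not an AS-originated request; normal processing"
    as_host, identity = info
    profile = profiles.get(identity)
    if profile is None:
        return "reject", f"no User Profile for {identity}"
    key = "ifc_as_hosts" if mode == "ifc" else "authorized_as_hosts"
    if as_host in profile[key]:
        return "allow", f"{as_host} may originate on behalf of {identity}"
    return "reject", f"{as_host} is not permitted to originate on behalf of {identity}"


if __name__ == "__main__":
    for mode in ("ifc", "list"):
        print(mode, check_on_behalf_authority(SAMPLE_INVITE, USER_PROFILES, mode))
```

With the constructed data the same INVITE is allowed under Example 1 (as1 is in alice's iFCs) and rejected under Example 2 (only as2 is in the added list), which shows that the two placements of the authority information are independent policies.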
  • because the download of the iFC distinguishes the user's registration status, the following applies when the iFC is configured. If the AS's initiation of a session establishment request on behalf of the user needs to distinguish the user's current registration status, the iFC used to check the AS's authority to act on behalf of the user is configured only in the part of the user profile for the corresponding registration status, such as only in the REGISTERED section or only in the UNREGISTERED section.
  • if the AS's initiation of a session establishment request on behalf of the user does not need to distinguish the current registration status, that is, it applies regardless of the user's registration status, then, since the user profile in the HSS distinguishes user data by registration status, the configuration of this iFC is added to the user profile of each registration status, or it is configured in a part of the User Profile that is not related to the registration status.
  • the invention enhances the checking of the AS in the existing IMS network by adding detection of the AS initiating sessions on behalf of users, so that the IMS network checks not only the AS itself but also the user on whose behalf the AS initiates a call. This avoids the phenomenon of an application server in the AS allow list initiating a call in place of a user when it does not have the right to do so, eliminates the security risks in the IMS network and protects the legitimate interests of users.
  • the session control apparatus in the IMS network provided by the present invention is shown in FIG. 1.
  • the device in FIG. 1 mainly includes: an acquisition permission information module, a determination permission module, and a session control module.
  • the obtaining permission information module is mainly used to obtain the permission information of the AS on behalf of the user to initiate the session, and transmit the permission information to the determining permission module.
  • when the session control device is an HSS, the authority information of the AS to initiate a session on behalf of the user may be set in the obtaining permission information module itself, and may be stored in the form of an AS allow list, as described in the foregoing method.
  • the obtaining permission information module may then obtain the authority information of the corresponding AS according to the query request sent by the AS for the user data it is allowed to read, and transmit the authority information to the determining permission module.
  • when the session control device is an S-CSCF, the authority information of the AS to initiate a session on behalf of the user may be set in the HSS, so that the obtaining permission information module needs to obtain it from the HSS, as described in the above method.
  • the determining permission module is mainly used to determine, according to the received authority information and the information carried in the request message transmitted by the AS, whether the AS is allowed to initiate a session on behalf of the user, and to transmit the permitted or prohibited result to the session control module.
  • when the request message transmitted by the AS is a query request for user data that it is allowed to read, the determination performed by the determining permission module may be carried out simultaneously with the HSS's existing processing of the query request, or after that processing, as specifically described in the method.
  • when the request message transmitted by the AS is a session establishment request message, the determining permission module, after determining that the session to be established is a session initiated by the AS on behalf of the user, determines according to the received authority information and the information carried in the request message whether the AS is allowed to initiate a session on behalf of the user.
  • the session control module is mainly used to perform the corresponding control processing on the process in which the AS initiates a session on behalf of the user, according to the permitted or prohibited result.
  • the session control module can control the process of the AS initiating a session on behalf of the user by refusing or providing the address information of the S-CSCF to the AS, as specifically described in the above method.
  • the session control module can also control the process of the AS initiating a session on behalf of the user by rejecting or accepting the session establishment request message sent by the AS, as specifically described in the above method.

Abstract

A session control method and apparatus in an IMS network. Rights information specifying on whose behalf an AS (application server) may initiate sessions is configured in the IMS network. While the AS initiates a session on behalf of a user, an IMS network functional entity obtains the rights information and controls the session process initiated by the AS on behalf of the user according to that information. Because an IMS network functional entity checks whether the AS has the right to initiate the session on behalf of the user, the session process initiated by the AS on behalf of the user can be effectively controlled, and the AS is prevented from initiating sessions on behalf of other users without authorization, removing a security risk that exists in the network. The rights information can be configured in a flexible manner, and several implementations of the rights check are provided, so that the invention meets the different checking needs of a real network and achieves the goal of improving network security and user satisfaction.

Description

Session control method and apparatus in an IMS network
Technical field
The present invention relates to the field of network communication technology, and in particular to a session control method and apparatus in an IMS network.
Background of the invention
With the development of broadband networks, mobile communication will no longer be limited to traditional voice communication. Multimedia services that combine several media types such as audio, video, pictures and text will gradually be deployed, and in combination with data services such as presence, group management, short messaging, WEB (web page) browsing, location information, PUSH (push services) and file sharing they can satisfy a wide range of user needs.
The IP Multimedia Subsystem domain, abbreviated IMS (IP Multimedia Subsystem), is overlaid on the packet domain network and consists of functional entities such as the CSCF (Call Session Control Function), MGCF (Media Gateway Control Function), MRF (Multimedia Resource Function) and HSS (Home Subscriber Server). The CSCF is further divided into three functional entities: the S-CSCF (Serving CSCF), the P-CSCF (Proxy CSCF) and the I-CSCF (Interrogating CSCF). The S-CSCF is the service switching center of the IMS: it performs session control, maintains session state, manages user information and generates charging information. The P-CSCF is the access point through which terminal users enter the IMS; it completes user registration and is responsible for QoS control and security management. The I-CSCF is responsible for interworking between IMS domains, manages the allocation of S-CSCFs, hides the network topology and configuration from the outside, and generates charging data. The MGCF controls gateways to achieve interworking between the IMS network and other networks. The MRF provides media resources such as audio playback and recording, codecs and multimedia conference bridges. The HSS is the user database, storing the subscription data and configuration information of IMS users.
Because the structure of the IMS network is independent of the underlying bearer network, the IMS network can also be applied to packet networks other than the packet domain network defined by 3GPP.
Each user who has subscribed to IMS services is assigned one or more private user identities (IMPI) by the home network operator, used during registration, authorization, management and charging; the IMPI uses the NAI (Network Access Identifier) format. Each IMS user also has one or more public user identities (IMPU), used to identify oneself and to find the other party when communicating with other users. The private user identity is generally not disclosed, whereas the public user identity is public and is used during the sessions of the various services.
As service capabilities such as PRESENCE, MESSAGING, CONFERENCING and group services are componentized, standardized and applied in the IMS network, a new kind of identity, the PSI (Public Service Identity), has been introduced.
The difference between a public service identity and a public user identity is that a public user identity is used by a user to identify himself and to find the other party when using the various services, whereas a public service identity identifies a service. Such services generally reside on an application server (AS), for example a Local Service. A public service identity can also identify a group: in a chat room service, for instance, a public service identity such as sip:chatlist_X@example.com can represent a chat group; each user can establish a session with this PSI and exchange messages with the other participants of the chat session through the AS hosting the PSI.
The format of a PSI can be a SIP URI or a TEL URL.
Currently, an AS in the IMS network can initiate a call on behalf of a user represented by a public user identity or a service represented by a public service identity. When the AS initiates session establishment on behalf of the user, the field of the request message that indicates the originating party is filled with the user's own identity.
When an AS initiates a session on behalf of an IMPU (IP Multimedia PUblic identity) or a PSI, it first needs to obtain the address of an S-CSCF. If the AS initiates a session request on behalf of a user using an IMPU but cannot obtain the address of an S-CSCF serving that IMPU, the AS cannot initiate the session request on behalf of the user. If the AS initiates a session request using a PSI and no S-CSCF address has been assigned to that PSI, the AS completes the routing of the SIP message by mechanisms such as DNS and sends the session initiation request directly to the called network. If the AS obtains the address of the S-CSCF serving the IMPU or PSI, it sends the session initiation request to that S-CSCF.
Because service requests initiated by an AS, and the subsequent service traffic, must be prevented from being fraudulent or insecure, the necessary security and authentication procedures must be applied to the AS. In the IMS network, the security and authentication procedure for an AS is implemented through the AS permission list.
The AS permission list is used to check whether the AS sending a query request is entitled to make the query. This check is performed at the granularity of the AS: only an AS that passes the list check may proceed with subsequent message processing.
However, in the case where an AS initiates a service request on behalf of a user, if an AS that is in the AS permission list obtains user information by some means, that AS can, based on the user information it obtained, initiate calls in the IMS network on behalf of other users without authorization, even though this AS may only be entitled to initiate call requests in the IMS network on its own behalf (an advertisement push service, for example). Other users or application servers in the network will then receive call requests initiated in the name of the user whose information the AS obtained, which creates a security risk in the network and harms the legitimate interests of users.
Summary of the invention
The object of the present invention is to provide a session control method and apparatus in an IMS network that, by checking the right of an AS to initiate a session on behalf of a user, eliminates a security risk existing in the network and ensures that the legitimate interests of users are not harmed.
To achieve this object, the session control method in an IMS network provided by the present invention includes: rights information specifying on whose behalf an AS may initiate sessions is configured in the IMS network, and the method specifically includes: during the process in which the AS initiates a session on behalf of a user, an IMS network functional entity obtains the rights information and determines, according to the obtained rights information, the rights of the AS that initiates the session on behalf of the user; the IMS network functional entity controls the session process initiated by the AS on behalf of the user according to the determined rights.
The method includes: the IMS network functional entity determines, according to the obtained rights information, whether the AS initiating the session on behalf of the user has the right to initiate a session on behalf of the user; if the AS has that right, the IMS network functional entity allows the AS to initiate the session on behalf of the user, and if the AS does not have that right, the IMS network functional entity prohibits the AS from initiating the session on behalf of the user.
The IMS network functional entity is the HSS or the S-CSCF.
The rights information specifying on whose behalf the AS may initiate sessions is configured in the HSS.
User identity information allowing and/or prohibiting the AS from initiating sessions on behalf of the user is added to the AS permission list of the HSS; the method includes:
the AS sends a query request for user data to the HSS;
the HSS checks and controls the session process initiated by the AS on behalf of the user according to the information carried in the query request and the information stored in the AS permission list.
The query request for user data includes a query request for the address information of the S-CSCF corresponding to the user, and the checking and controlling step performed by the HSS includes:
the HSS retrieves the corresponding entry in the AS permission list according to the user data index information carried in the query request;
the HSS determines whether the query succeeds according to the AS identity information carried in the query request, the user identity, and the entry information;
if it is determined that querying the S-CSCF address information is allowed and that the AS is allowed to initiate a session on behalf of the user, the S-CSCF address information is carried in a query-success response message and transmitted to the AS;
if it is determined that querying the S-CSCF address information is not allowed, or no S-CSCF address information is found, or the AS is not allowed to initiate a session on behalf of the user, the S-CSCF address information is carried in a query-failure response message and transmitted to the AS.
A predetermined field of the User Profile in the HSS is set as the rights information specifying on whose behalf the AS may initiate sessions. The predetermined field is AS information, and the method includes:
when the S-CSCF determines, according to the SIP session establishment request message transmitted by the AS, that the session to be established is an AS-originated session, it determines whether the User Profile downloaded from the HSS contains the AS information;
if the AS information is contained, the S-CSCF determines that the AS has the right to initiate a session on behalf of the user and allows subsequent processing of the SIP session establishment request message;
if the AS information is not contained, the S-CSCF determines that the AS does not have the right to initiate a session on behalf of the user and refuses subsequent processing of the SIP session establishment request message.
AS identity information allowing the AS to initiate a session on behalf of the user is configured in the User Profile of the HSS.
The AS identity information allowing the AS to initiate a session on behalf of the user is configured in the User Profile of the registered state; or
in the User Profile of the unregistered state; or
in both the User Profile of the registered state and the User Profile of the unregistered state; or
in a User Profile that is independent of registration state. The method includes:
when the S-CSCF determines, according to the SIP session establishment request message transmitted by the AS, that the session to be established is an AS-originated session, it matches the information carried in the received SIP session establishment request message against the filter criteria information in the User Profile downloaded from the HSS, and determines whether the AS identity information allowing the AS to initiate a session on behalf of the user matches the AS that sent the SIP session establishment request message;
if the match succeeds, the S-CSCF determines that the AS initiating the session on behalf of the user has the right to do so and allows subsequent processing of the SIP session establishment request message;
if the match fails, the S-CSCF determines that the AS initiating the session on behalf of the user does not have the right to do so and refuses subsequent processing of the SIP session establishment request message.
The step of determining that the session to be established is an AS-originated session specifically includes:
determining, according to the contents of the orig field, the Record-Route header field and the P-Asserted-Identity header field of the SIP session establishment request message, that the session to be established is an AS-originated session.
The present invention further provides a session control apparatus in an IMS network, including:
a rights information obtaining module, which, during the process in which the AS initiates a session on behalf of a user, obtains the rights information specifying on whose behalf the AS may initiate sessions and transmits it to the permission determining module;
a permission determining module, which determines, according to the rights information it receives and the information carried in the request message transmitted by the AS, whether the AS is allowed to initiate a session on behalf of the user, and transmits the permitted or prohibited result to the session control module;
a session control module, which performs the corresponding control processing on the process in which the AS initiates a session on behalf of the user according to the permitted or prohibited result it receives.
The apparatus is the S-CSCF or the HSS.
As can be seen from the description of the above technical solution, by configuring rights information specifying on whose behalf an AS may initiate sessions, the present invention enables an IMS network functional entity to check, according to that rights information, whether the AS has the right to initiate a session on behalf of the user. The session process initiated by the AS on behalf of the user can therefore be controlled effectively, the AS is prevented from initiating calls in the IMS network on behalf of other users without authorization, and a security risk existing in the network is removed. The rights information of the present invention can be configured in the HSS in a flexible manner, for example by configuring in the AS permission list or in the User Profile user identity information allowing and/or prohibiting the AS from initiating sessions on behalf of the user, or by reusing existing field contents of the User Profile. The present invention provides several implementations of the rights check, so that it can meet the various checking needs of a real network: for example, the check can be performed during the query for the user data the AS is allowed to read, or when the AS sends a SIP session establishment request message to the S-CSCF. The technical solution provided by the present invention thereby achieves the goals of improving network security and improving user satisfaction.
Brief description of the drawings
Figure 1 is a schematic diagram of the session control apparatus of the present invention.
Mode for carrying out the invention
If, while an AS initiates a session on behalf of a user, a check is made of whether the AS is entitled to initiate a session on behalf of that user, the AS can be effectively prevented from initiating calls in the IMS network on behalf of other users without authorization. This removes a security risk existing in the network and effectively protects the legitimate interests of users.
Therefore, the main technical content of the present invention is: rights information specifying on whose behalf an AS may initiate sessions is configured in the IMS network; during the process in which the AS initiates a session on behalf of a user, an IMS network functional entity obtains the rights information and controls the session process initiated by the AS on behalf of the user according to that rights information.
The technical solutions provided by the embodiments of the present invention are described further below.
In the IMS network of the present invention, rights information specifying on whose behalf an AS may initiate sessions is configured. This rights information can be configured in the HSS, for example in the AS permission list or in the User Profile (user description information). The rights information can be information newly added specifically for this purpose: when it is configured in the AS permission list of the HSS, the AS permission list is extended with new field contents, and these new field contents are the rights information, for example user identity information of users on whose behalf the AS is allowed to initiate sessions, or user identity information of users on whose behalf the AS is prohibited from initiating sessions, or both. The user identity information configured in this way can be IMPU or MSISDN (Mobile Subscriber ISDN Number) information. The rights information can also reuse existing information content, for example the existing AS information when the rights information is configured in the User Profile.
When the rights information is configured in the AS permission list, the present invention can make full use of the process in which the AS queries the HSS for the user data it is allowed to read in order to implement the session control of the present invention. The basic principle is as follows:
When the AS needs to initiate a session establishment request on behalf of a user, it sends a query request to the HSS to obtain user data. The HSS receives the query request, obtains the index information of the user data from it, determines the corresponding entry in the AS permission list according to that index information, determines according to the user data the AS is allowed to read and the rights information in that entry whether the AS is allowed to initiate a session on behalf of the user, and returns the corresponding response message to the AS according to the result.
The session control process of the present invention is described in detail below according to the above principle, taking as an example an AS querying the S-CSCF address information of the calling-side user.
Assume that user identity information of users on whose behalf the AS is allowed to initiate sessions, such as IMPU or MSISDN information, has been added to the AS permission list, and that the AS needs to initiate a session on behalf of the user IMPUa.
Because the S-CSCF assigned to a user changes dynamically with the user's registration status, the AS first needs to send a query request to the HSS to obtain the address of the S-CSCF currently serving the user. The user here is a user with an IMPU.
The AS sends a query request message to the HSS over the Sh interface. The query request message carries the user's public user identity IMPUa, indicating that the user data the AS needs to query is the address of the S-CSCF currently serving IMPUa.
After receiving the query request from the AS over the Sh interface, the HSS determines the corresponding entry in the AS permission list according to the index of the requested user data carried in the query request message. It then uses the AS identity and IMPUa carried in the query request message to determine whether this AS is allowed to read the S-CSCF address information of user IMPUa, and whether the user identity information in that entry of users on whose behalf the AS is allowed to initiate sessions contains IMPUa. If reading the S-CSCF address information is allowed and the allowed user identity information in the entry contains IMPUa, the S-CSCF address information of user IMPUa is returned to the AS in a query-success response message. If reading the S-CSCF address information is not allowed, or no S-CSCF address information is found, or the allowed user identity information in the entry does not contain IMPUa, a query-failure response message is returned to the AS.
When the AS obtains the S-CSCF address from the query-success response message and initiates a session establishment request on behalf of IMPUa, the session establishment request message received by the S-CSCF has been sent by an AS that passed the check of its right to initiate a session on behalf of the user, and is therefore a safe session establishment request message. When the AS receives a query-failure response message, it cannot obtain the S-CSCF address corresponding to IMPUa and therefore cannot initiate a session establishment request on behalf of IMPUa, so the S-CSCF is prevented from receiving this insecure session establishment request message.
该方法可方便的适用于新实现的 IMS系统, 由于本发明在 AS的查询请求检测过程 中实现了 AS代表用户发起会话的权限检测, 提高了业务处理效率。  The method can be conveniently applied to the newly implemented IMS system. The present invention implements the authority detection of the AS on behalf of the user to initiate a session in the query request detection process of the AS, thereby improving the service processing efficiency.
考虑到目前已有的 MS系统已经比较稳定,为了尽量减少使本发明实施例的技术方 案对现有应用造成的影响, 本发明还可以在查询 S-CSCF过程之外增加额外的处理过程 来检查 AS是否有权限代表用户发起会话, 这样, 本发明引入的对 AS代表用户发起会 话的权限检查处理过程不会影响已有的对 AS的査询请求检测的处理过程。  In view of the fact that the existing MS system has been relatively stable, in order to minimize the impact of the technical solution of the embodiment of the present invention on the existing application, the present invention can also add an additional processing procedure to check the S-CSCF process. Whether the AS has the right to initiate a session on behalf of the user, so that the process of checking the authority of the AS on behalf of the user to initiate the session introduced by the present invention does not affect the existing process of detecting the query request to the AS.
在查询 S-CSCF过程之外, 增加额外的处理过程实现 AS代表用户发起会话的权限 检测的具体过程为- In addition to querying the S-CSCF process, an additional process is added to implement the specific process of the AS to initiate a session on behalf of the user.
AS通过 sh接口向 HSS发送查询请求消息, 该査询请求消息中携带了用户的公共 用户标识 MSISDNb,表示 AS需要查询的用户数据是当前为该 MSISDNb服务的 S-CSCF 地址。 The AS sends a query request message to the HSS through the sh interface. The query request message carries the public user identifier MSISDNb of the user, indicating that the user data that the AS needs to query is the S-CSCF address currently serving the MSISDNb.
HSS在 Sh接口上收到来自 AS的查询请求消息之后, 根据查询请求消息中携带的 需要查询的用户数据的索引确定 AS允许列表中的相应表项, 然后, 根据査询消息中携 带的 AS标识、 MSISDNb来判断该 AS是否被允许读取用户 MSISDNb的 S-CSCF地址 息。  After receiving the query request message from the AS on the Sh interface, the HSS determines the corresponding entry in the AS allow list according to the index of the user data to be queried carried in the query request message, and then, according to the AS identifier carried in the query message. The MSISDNb determines whether the AS is allowed to read the S-CSCF address of the user MSISDNb.
After the above process ends, and once it has been determined that the AS is allowed to read the S-CSCF address information, the check of the AS's permission to initiate a session on behalf of the user is performed. The specific process is as follows: the HSS retrieves the corresponding entry in the AS allow list according to the user data index information carried in the query request message, and then determines, according to the AS identifier and MSISDNb carried in the query request message and the user identification information in the corresponding list entry that permits the AS to initiate sessions on behalf of users, whether this AS is allowed to initiate a session on behalf of the user. If it is allowed, the HSS returns the S-CSCF address information of user MSISDNb to the AS in a query-success response message, and the AS initiates a session establishment request on behalf of MSISDNb using the obtained S-CSCF address. In this case the session establishment request message received by the S-CSCF was sent by an AS that has passed the check of its permission to initiate a session on behalf of the user, so it is a secure session establishment request message. If it is not allowed, the HSS returns a query-failure response message to the AS; the AS cannot obtain the S-CSCF address corresponding to MSISDNb and therefore cannot initiate a session establishment request on behalf of MSISDNb, so the S-CSCF is prevented from receiving this insecure request message.
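As an added illustration (not code from the patent), the following Python model walks through the two-stage HSS check just described: the existing read-permission check on the AS allow list, then the new on-behalf-of check, with the S-CSCF address returned only when both pass. The entry layout, the names (AllowListEntry, ShQuery, handle_sh_query) and all sample identities are constructed assumptions, not 3GPP-defined structures.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Sh data reference for the user's serving S-CSCF name; the allow list is
# keyed on the data item being requested, as the description above states.
DATA_REF_SCSCF_NAME = "SCSCFName"


@dataclass
class AllowListEntry:
    """One AS allow-list entry (constructed layout, not an HSS schema)."""
    as_ids_may_read: Set[str]                       # stage 1: who may read it
    on_behalf_of: Dict[str, Set[str]] = field(default_factory=dict)
    denied_on_behalf_of: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class ShQuery:
    as_id: str      # AS identity carried in the Sh request
    msisdn: str     # MSISDNb, the user the AS wants to act for
    data_ref: str   # index of the user data being requested


@dataclass
class ShAnswer:
    success: bool
    scscf_address: Optional[str] = None
    reason: str = ""


# Constructed sample data.
AS_ALLOW_LIST = {
    DATA_REF_SCSCF_NAME: AllowListEntry(
        as_ids_may_read={"as1.ims.example", "as2.ims.example"},
        on_behalf_of={"as1.ims.example": {"+8613800000001", "+8613800000002",
                                          "+8613800000004"}},
        denied_on_behalf_of={"as1.ims.example": {"+8613800000002"}},
    )
}
SCSCF_OF_USER = {
    "+8613800000001": "sip:scscf1.ims.example",
    "+8613800000002": "sip:scscf1.ims.example",
    "+8613800000003": "sip:scscf2.ims.example",
}


def may_read(entry: AllowListEntry, q: ShQuery) -> bool:
    """Stage 1: the pre-existing check that the AS may read this data item."""
    return q.as_id in entry.as_ids_may_read


def may_act_on_behalf(entry: AllowListEntry, q: ShQuery) -> bool:
    """Stage 2 (the check the patent adds): the AS may act for MSISDNb.
    A deny entry wins over an allow entry; no entry at all means deny."""
    if q.msisdn in entry.denied_on_behalf_of.get(q.as_id, set()):
        return False
    return q.msisdn in entry.on_behalf_of.get(q.as_id, set())


def handle_sh_query(q: ShQuery, allow_list=AS_ALLOW_LIST,
                    scscf_map=SCSCF_OF_USER) -> ShAnswer:
    """Answer one Sh query in the order the description gives: read
    permission first, then the on-behalf-of permission, then the lookup."""
    entry = allow_list.get(q.data_ref)
    if entry is None or not may_read(entry, q):
        return ShAnswer(False, reason="AS may not read this user data")
    if not may_act_on_behalf(entry, q):
        # Failure answers never carry the address, so an AS that is not
        # authorised for this user learns nothing it could route a request to.
        return ShAnswer(False, reason="AS may not act on behalf of this user")
    address = scscf_map.get(q.msisdn)
    if address is None:
        return ShAnswer(False, reason="no S-CSCF address stored for user")
    return ShAnswer(True, scscf_address=address)
```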
When an AS initiates a session request on behalf of a PSI, it can obtain the S-CSCF address information by querying the HSS over the Sh interface, or it can learn the S-CSCF address through static configuration and send the session establishment request message directly to the designated S-CSCF. In the static configuration case, the AS allow list cannot be used to implement the eligibility check for an AS initiating a session on behalf of a user.
Configuring the S-CSCF address on the AS means that the IMS operator has a certain trust relationship with that AS, but a possible security hole still exists. Therefore, for the case in which the S-CSCF address is configured on the AS, the present invention proposes another method to avoid the situation that may arise under this configuration, in which an AS initiates a session request, and establishes a session, on behalf of a PSI or IMPU that it is not authorized to represent.
In this method, the permission information for the AS to initiate a session on behalf of the user can be set in the User Profile.
After the AS sends a SIP session establishment request message to the S-CSCF, the S-CSCF treats it as an ordinary SIP session establishment request message and checks it according to the User Profile information it downloaded from the HSS, for example by performing the iFC (filter criteria) matching process. This matching process is the same as the existing iFC matching process in that each trigger rule is matched against the individual information fields of the received SIP message, and a successful match maps to an AS; the difference is that when the S-CSCF determines that the call is an AS-originated call, a check of the AS's permission to initiate a session on behalf of the user must be added to the matching process.
The following two specific examples describe the process of checking the AS's permission to initiate a session on behalf of a user according to embodiments of the present invention.
Example 1. The permission information for the AS to initiate a session on behalf of the user is set to predetermined field information that already exists in the User Profile, such as the AS information.
For an AS-originated call placed on behalf of an IMPU/PSI, during the iFC matching process that the S-CSCF performs according to the User Profile information downloaded from the HSS: if the AS that initiated the session establishment request message has appeared in the user's iFC list, that is, the user's session information such as registration information can be routed to the AS that initiated the session establishment request message, this indicates that the AS may initiate a session on behalf of the user; if the AS that initiated the session establishment request message has not appeared in the user's iFC list, that is, the user's session information such as registration information cannot be routed to that AS, this indicates that the AS may not initiate a session on behalf of the user. This method is well suited to IMS networks in which the S-CSCF and HSS are already deployed, and it has no impact on the existing IMS network architecture or on the message transmission between the S-CSCF and HSS.
Example 2. The permission information for the AS to initiate a session on behalf of the user is set to the content of a field newly introduced in the User Profile. The content of this field represents the authorization list of ASs permitted to initiate sessions on behalf of the user, for example by adding to the User Profile the AS identification information of ASs that are allowed / forbidden to initiate sessions on behalf of the user.
For an AS-originated call on behalf of an IMPU/PSI, the content of the newly added field in the User Profile must be checked to determine whether the AS is in the authorization list. If the AS is in the authorization list, the AS may initiate a session on behalf of the user and the S-CSCF admits the session establishment request sent by the AS; if the AS is not in the authorization list, the AS may not initiate a session on behalf of the user and the S-CSCF rejects the session establishment request sent by the AS.
Example 2 is better suited to the case in which the S-CSCF and HSS are newly deployed in the IMS network.
In Examples 1 and 2 above, the S-CSCF determines that a session initiated by an AS is an AS-originated call on behalf of an IMPU/PSI as follows: the orig (originating side) field in the session establishment request message identifies the call as an originating call, the record route header field identifies which AS originated the call, and the p-asserted-identity header field (p standing for private header) identifies on behalf of which IMPU/PSI the AS originated the call.
In the session control process above that uses the iFC (filter criteria) matching mechanism, it must be considered that in the R6 version the download of iFCs distinguishes the user's registration state. Therefore, when configuring the iFC: if the AS needs to distinguish the user's current registration state when initiating a session establishment request on behalf of the user, then the iFC used to check the legitimacy of the AS initiating a session on behalf of the user is configured only in the user profile for the corresponding registration state, for example only in the REGISTERED part, only in the UNREGISTERED part, or in the part of the User Profile that is independent of registration state. If the AS does not need to distinguish the user's current registration state when initiating a session establishment request on behalf of the user, that is, the request is independent of the user's current registration state, and the user profile in the HSS separates user data by registration state, then this iFC configuration can be added to the user profiles for each of the registration states.
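As an added illustration (not code from the patent) of the S-CSCF-side checks in Examples 1 and 2, the following Python model detects an AS-originated request from the orig, Record-Route and P-Asserted-Identity headers, then consults the user profile either through the iFC-derived AS list (Example 1) or through an explicit allow/deny field (Example 2), honouring the registration-state split discussed above. The INVITE, the profile layout and the names (parse_headers, is_as_originated, authorize_invite) are constructed assumptions, not 3GPP-defined structures.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample INVITE as an AS with a statically configured S-CSCF
# address might send it: 'orig' on the top Route marks originating handling,
# Record-Route names the AS, P-Asserted-Identity names the represented user.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+8613800000009@ims.example SIP/2.0",
    "Route: <sip:scscf1.ims.example;lr;orig>",
    "Record-Route: <sip:as1.ims.example;lr>",
    "P-Asserted-Identity: <sip:+8613800000001@ims.example>",
    "From: <sip:+8613800000001@ims.example>;tag=abc",
    "To: <sip:+8613800000009@ims.example>",
    "", ""])

_URI = re.compile(r"<sip:([^;>]+)([^>]*)>")


def parse_headers(msg: str) -> Dict[str, List[str]]:
    """Header name (lower-cased) -> values, in arrival order."""
    headers: Dict[str, List[str]] = {}
    for line in msg.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def is_as_originated(headers: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """The three tests the description names: 'orig' on the top Route, the
    AS host from the top Record-Route, the IMPU/PSI from P-Asserted-Identity.
    Returns (as_host, identity), or None if this is not an AS-originated call."""
    route = _URI.search(headers.get("route", [""])[0])
    if not route or "orig" not in route.group(2).split(";"):
        return None
    rr = _URI.search(headers.get("record-route", [""])[0])
    pai = _URI.search(headers.get("p-asserted-identity", [""])[0])
    if not rr or not pai:
        return None
    return rr.group(1), "sip:" + pai.group(1)


@dataclass
class UserProfile:
    """Constructed profile layout: data is split into REGISTERED, UNREGISTERED
    and state-independent ("ANY") parts, as in the R6 discussion above."""
    registration_state: str
    ifc_as_hosts: Dict[str, Set[str]] = field(default_factory=dict)  # Example 1
    allowed_as: Dict[str, Set[str]] = field(default_factory=dict)    # Example 2
    denied_as: Dict[str, Set[str]] = field(default_factory=dict)     # Example 2


def as_permitted(profile: UserProfile, as_host: str, mode: str) -> bool:
    parts = ("ANY", profile.registration_state)   # parts that apply right now
    if mode == "ifc":    # Example 1: the AS is reachable through the user's iFCs
        return any(as_host in profile.ifc_as_hosts.get(p, set()) for p in parts)
    if mode == "list":   # Example 2: explicit allow/deny field, deny wins
        if any(as_host in profile.denied_as.get(p, set()) for p in parts):
            return False
        return any(as_host in profile.allowed_as.get(p, set()) for p in parts)
    raise ValueError(f"unknown mode {mode!r}")


def authorize_invite(msg: str, profiles: Dict[str, UserProfile],
                     mode: str = "ifc") -> Tuple[bool, str]:
    """True: continue ordinary iFC processing. False: the S-CSCF rejects."""
    origin = is_as_originated(parse_headers(msg))
    if origin is None:
        return True, "not AS-originated; ordinary processing"
    as_host, identity = origin
    profile = profiles.get(identity)
    if profile is None:
        return False, f"403: no profile for {identity}"
    if as_permitted(profile, as_host, mode):
        return True, f"{as_host} may act for {identity}"
    return False, f"403: {as_host} may not act for {identity}"


# Constructed sample profiles.
PROFILES = {
    "sip:+8613800000001@ims.example": UserProfile(
        "REGISTERED",
        ifc_as_hosts={"REGISTERED": {"as1.ims.example"}},
        allowed_as={"ANY": {"as1.ims.example"}},
        denied_as={"REGISTERED": {"as2.ims.example"}}),
    "sip:+8613800000002@ims.example": UserProfile(
        "UNREGISTERED",
        ifc_as_hosts={"REGISTERED": {"as1.ims.example"}},
        allowed_as={"UNREGISTERED": {"as2.ims.example"}}),
}
```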
The present invention enhances the AS checking process of the existing IMS network by adding, within the IMS network, a check of the AS's permission to initiate a session on behalf of a user, so that the IMS network's check of an AS covers not only the AS itself but also the user on whose behalf the AS initiates the call. This prevents an application server that is in the AS allow list from initiating a call on behalf of a user it is not authorized to represent, removes this security risk from the IMS network, and protects the legitimate interests of users.
The session control apparatus in the IMS network provided by the present invention is shown in Figure 1.
The apparatus in Figure 1 mainly includes: a permission information acquisition module, a permission determination module and a session control module. The permission information acquisition module is mainly used to obtain, during the process in which the AS initiates a session on behalf of a user, the permission information for the AS to initiate a session on behalf of the user, and to transmit it to the permission determination module.
When the session control apparatus is the HSS, the permission information for the AS to initiate a session on behalf of the user can be set in the permission information acquisition module and can be stored in the form of an AS allow list, as described in the method above. The permission information acquisition module can obtain the corresponding permission information for the AS to initiate a session on behalf of the user according to the query request sent by the AS for the user data it is allowed to read, and transmit it to the permission determination module.
When the session control apparatus is the S-CSCF, the permission information for the AS to initiate a session on behalf of the user can be set in the HSS, in which case the permission information acquisition module needs to obtain the permission information for the AS to initiate a session on behalf of the user from the HSS, as described in the method above.
The permission determination module is mainly used to determine, according to the permission information it receives and the information carried in the request message transmitted by the AS, whether the AS is allowed to initiate a session on behalf of the user, and to transmit the allow or deny decision to the session control module.
When the session control apparatus is the HSS, the request message transmitted by the AS is a query request message for user data it is allowed to read; the determination performed by the permission determination module can be carried out at the same time as the HSS processes the S-CSCF query request, or after that query request has been processed, as described in the method.
When the session control apparatus is the S-CSCF, the request message transmitted by the AS is a session establishment request message; when the permission determination module determines that the session to be established is an AS-originated session on behalf of a user, it determines, according to the permission information it receives and the information carried in the request message transmitted by the AS, whether the AS is allowed to initiate a session on behalf of the user. The specific implementation is as described in the method above.
The session control module is mainly used to apply the corresponding control to the process in which the AS initiates a session on behalf of the user, according to the allow or deny decision it receives.
When the session control apparatus is the HSS, the session control module can control the process in which the AS initiates a session on behalf of the user by refusing to provide, or by providing, the S-CSCF address information to the AS, as described in the method above.
When the session control apparatus is the S-CSCF, the session control module can control the process in which the AS initiates a session on behalf of the user by rejecting, or by admitting, the session establishment request message sent by the AS, as described in the method above.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will appreciate that many variations and modifications can be made without departing from the spirit of the invention, and the claims of the present application are intended to cover such variations and modifications.

Claims

1. A session control method in an IMS network, comprising: an AS (application server) initiating a session on behalf of a user, characterized in that permission information for the AS to initiate a session on behalf of the user is configured in the IMS network, and the method specifically comprises: during the process in which the AS initiates a session on behalf of the user, an IMS network functional entity obtaining the permission information and determining, according to the obtained permission information, the permission of the AS initiating the session on behalf of the user; and the IMS network functional entity controlling the session process initiated by the AS on behalf of the user according to the determined permission.
2. The method according to claim 1, characterized in that the method comprises: the IMS network functional entity judging, according to the obtained permission information, whether the AS initiating the session on behalf of the user has the permission to initiate a session on behalf of the user; if the AS has the permission to initiate a session on behalf of the user, the IMS network functional entity allowing the AS to initiate the session on behalf of the user; and if the AS does not have the permission to initiate a session on behalf of the user, the IMS network functional entity prohibiting the AS from initiating the session on behalf of the user.
3. The method according to claim 1, characterized in that the IMS network functional entity is an HSS or an S-CSCF.
4. The method according to claim 1, characterized in that the permission information for the AS to initiate a session on behalf of the user is configured in the HSS.
5. The method according to claim 4, characterized in that user identification information allowing and/or forbidding the AS to initiate a session on behalf of the user is added to the AS allow list of the HSS; and the method comprises:
the AS sending a query request for user data to the HSS;
the HSS checking and controlling the session process initiated by the AS on behalf of the user according to the information carried in the query request and the information stored in the AS allow list.
6. The method according to claim 5, characterized in that the query request for user data comprises a query request for the address information of the S-CSCF corresponding to the user, and the step of the HSS checking and controlling comprises:
the HSS obtaining the corresponding entry in the AS allow list according to the user data index information carried in the query request;
the HSS judging whether the query succeeds according to the AS identification information carried in the query request, said user identification information and said entry information;
if it is determined that querying the S-CSCF address information is allowed and the AS is allowed to initiate a session on behalf of the user, transmitting the S-CSCF address information to the AS, carried in a query-success response message;
if it is determined that querying the S-CSCF address information is not allowed, or the S-CSCF address information cannot be found, or the AS is not allowed to initiate a session on behalf of the user, transmitting the S-CSCF address information to the AS, carried in a query-failure response message.
7. The method according to claim 1, characterized in that a predetermined field in the User Profile of the HSS is set as the permission information for the AS to initiate a session on behalf of the user.
8. The method according to claim 7, characterized in that the predetermined field is the AS information, and the method comprises: when the S-CSCF determines, according to the SIP session establishment request message transmitted by the AS, that the session to be established is an AS-originated session, judging whether the User Profile downloaded from the HSS contains said AS information;
if said AS information is contained, determining that the AS has the permission to initiate a session on behalf of the user, and allowing subsequent processing of said SIP session establishment request message;
if said AS information is not contained, determining that the AS does not have the permission to initiate a session on behalf of the user, and refusing subsequent processing of said SIP session establishment request message.
9. The method according to claim 1, characterized in that AS identification information allowing the AS to initiate a session on behalf of the user is set in the User Profile of the HSS.
10. The method according to claim 9, characterized in that:
the AS identification information allowing the AS to initiate a session on behalf of the user is set in the User Profile for the registered state; or
the AS identification information allowing the AS to initiate a session on behalf of the user is set in the User Profile for the unregistered state; or
the AS identification information allowing the AS to initiate a session on behalf of the user is set in both the User Profile for the registered state and the User Profile for the unregistered state; or
the AS identification information allowing the AS to initiate a session on behalf of the user is set in the User Profile that is independent of registration state.
11. The method according to claim 9, characterized in that the method comprises:
when the S-CSCF determines, according to the SIP session establishment request message transmitted by the AS, that the session to be established is an AS-originated session, matching the information carried in the received SIP session establishment request message against the filter criteria information in the User Profile downloaded from the HSS, and judging whether the AS identification information allowing the AS to initiate a session on behalf of the user matches the AS that sent the SIP session establishment request message;
if the match succeeds, determining that the AS initiating the session on behalf of the user has the permission to initiate a session on behalf of the user, and allowing subsequent processing of said SIP session establishment request message;
if the match fails, determining that the AS initiating the session on behalf of the user does not have the permission to initiate a session on behalf of the user, and refusing subsequent processing of said SIP session establishment request message.
12. The method according to claim 8 or 11, characterized in that the step of determining that the session to be established is an AS-originated session specifically comprises:
determining that the session to be established is an AS-originated session according to the content of the orig field, the record route header field and the p-asserted-identity in the SIP session establishment request message.
13. A session control apparatus in an IMS network, characterized in that the apparatus comprises:
a permission information acquisition module, for obtaining, during the process in which an AS initiates a session on behalf of a user, the permission information for the AS to initiate a session on behalf of the user, and transmitting it to a permission determination module;
a permission determination module, for determining, according to the permission information it receives and the information carried in the request message transmitted by the AS, whether the AS is allowed to initiate a session on behalf of the user, and transmitting the allow or deny decision to a session control module; and a session control module, for applying the corresponding control to the process in which the AS initiates a session on behalf of the user, according to the allow or deny decision it receives.
14. The apparatus according to claim 13, characterized in that the apparatus is an S-CSCF or an HSS.
PCT/CN2006/002799 2005-11-15 2006-10-20 A session control method and equipment in ims network WO2007056925A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200510123209.8 2005-11-15
CN 200510123209 CN1968262B (en) 2005-11-15 2005-11-15 Session control method and apparatus in IMS network

Publications (1)

Publication Number Publication Date
WO2007056925A1 true WO2007056925A1 (en) 2007-05-24
