WO2012171430A1 - Method for obtaining tunnel information, a security gateway(segw) and an evolved home base station/ a home base station - Google Patents

Info

Publication number
WO2012171430A1
Authority
WO
WIPO (PCT)
Prior art keywords
segw
address
tunnel information
message
request
Application number
PCT/CN2012/076020
Inventor
毕以峰
刘国燕
宗在峰
周晓云
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/09: Mapping addresses
    • H04L61/25: Mapping addresses of the same type
    • H04L61/2503: Translation of Internet protocol [IP] addresses
    • H04L61/256: NAT traversal
    • H04L61/2592: Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272: Virtual private networks
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/164: Implementing security features at a particular protocol layer at the network layer
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W92/00: Interfaces specially adapted for wireless communication networks
    • H04W92/04: Interfaces between hierarchically different network devices
    • H04W92/12: Interfaces between hierarchically different network devices between access points and access point controllers

Definitions

  • The present invention relates to the field of communications, and in particular to a tunnel information acquisition method, a security gateway, and an evolved home base station/home base station.
  • EPS: Evolved Packet System
  • 3GPP: 3rd Generation Partnership Project
  • E-UTRAN: Evolved Universal Terrestrial Radio Access Network
  • MME: Mobility Management Entity
  • S-GW: Serving Gateway
  • P-GW: Packet Data Network Gateway
  • HSS: Home Subscriber Server
  • The EPS also includes 3GPP's Authentication, Authorization and Accounting (AAA) server, the Policy and Charging Rules Function (PCRF) and other supporting nodes.
  • FIG. 1 is an architecture diagram of converged HeNB access to the EPS according to the related art.
  • The MME is responsible for control-plane work such as mobility management, processing of non-access stratum signaling, and management of the user mobility management context;
  • The S-GW is an access gateway device connected to the E-UTRAN; it forwards data between the E-UTRAN and the P-GW and is responsible for buffering paging waiting data;
  • The P-GW is the border gateway between the EPS and the Packet Data Network (PDN); it is responsible for PDN access and for forwarding data between the EPS and the PDN.
  • The S-GW and the P-GW can be deployed together or separately; when deployed together they can be called the Evolved Packet Core (EPC) gateway or the integrated services gateway.
  • The PCRF is the policy and charging rules function entity. It is connected to the operator's Internet Protocol (IP) service network through the Rx interface to obtain service information. It is also connected to the gateway devices in the network through the Gx/Gxc interface, and is responsible for initiating the establishment of IP bearers, ensuring the Quality of Service (QoS) of service data, and performing charging control.
  • The EPS supports Home evolved NodeB (HeNB) access, as shown in FIG. 1.
  • The HeNB is a small, low-power base station deployed in indoor locations such as homes, offices, and corporate buildings.
  • The HeNB usually accesses the core network of the EPS through a leased fixed-network line.
  • To secure this access, a security gateway (SeGW) is introduced in the core network to shield it, and data between the HeNB and the SeGW is encapsulated using IP Security (IPSec).
  • Through the IPSec tunnel established with the SeGW, the HeNB can connect directly to the MME and the S-GW of the core network, or it can connect to the MME and the S-GW through the HeNB GW; that is, the HeNB GW is an optional network element.
  • To manage the HeNB, a network element called the Home eNodeB Management System (HeMS) is introduced.
  • In addition, the General Packet Radio Service (GPRS) system, which belongs to third-generation mobile communication, supports Home NodeB (HNB) access. The related art is similar to that for the HeNB.
  • The QoS of the fixed line used by an H(e)NB (the collective name for HeNB and HNB) is usually restricted by the contract between the owner of the H(e)NB and the fixed network operator. Therefore, when a 3GPP UE accesses services of the 3GPP core network through the H(e)NB, the required QoS cannot exceed the QoS of the fixed-line subscription that the fixed network operator can provide. Otherwise, the QoS of the UE's services cannot be guaranteed, especially for Guaranteed Bitrates (GBR) services. Therefore, the 3GPP network and the fixed network need a unified control mechanism to implement user/connection/service admission control, as shown in FIG. 1 (HeNB case).
  • The Policy Control and Charging (PCC) network element PCRF of the 3GPP system is connected to the Broadband Policy Control Function (BPCF) of the fixed network through the S9* interface to implement policy interworking and resource management, so that fixed network resources can be reasonably controlled and managed, and the higher-priority resources accessed through the H(e)NB are guaranteed first.
  • As described above, if the fixed network is required to provide a QoS guarantee for the line of the accessing H(e)NB, the fixed network needs to locate the fixed line on which the H(e)NB currently sits (called the backhaul in the technical specifications, that is, the fixed network backhaul network). In the prior art, the fixed network line is located through the tunnel information of the H(e)NB.
  • This information is sent to the PCRF in the procedure in which a terminal attaches through the H(e)NB or in the PDN connection establishment procedure. Based on the information, the PCRF finds the BPCF that manages the resources of the fixed network line of the H(e)NB and establishes an S9* session with it.
  • When the home base station HeNB (the HNB is similar) accesses the EPC, an IPsec tunnel is established between the HeNB and the SeGW, and the HeNB and the SeGW are the two endpoints of that tunnel.
  • NAT: Network Address Translation
  • If there is no NAT in the fixed network/wireless LAN, as shown in FIG. 2 (that is, there is no residential gateway (RG), or the RG works in bridge mode), the outer IP address of the HeNB, also called the local address, is allocated by the fixed network/wireless LAN access network, specifically by the Broadband Network Gateway/Broadband Remote Access Server (BNG/BRAS).
  • BNG/BRAS: Broadband Network Gateway/Broadband Remote Access Server
  • This address is a valid local/outer IP address and is part of the tunnel information. If there is network address translation in the WLAN network, as shown in FIG. 3, the NAT device allocates a private IP address to the HeNB, and this address, as the local/outer IP address of the terminal, is invalid for locating the fixed network link.
  • However, the BNG/BRAS assigns a public IP address to the RG, and the RG holds a one-to-one mapping between the private local/outer IP address of the HeNB and the public IP address of the RG plus a port number.
  • When a data packet is transmitted between the HeNB and the RG, its outer header carries the private address of the HeNB; after the packet traverses the NAT, its outer header carries the public IP address of the RG plus the corresponding port number.
  • For locating the fixed network link, the private local/outer IP address of the HeNB is invalid, and the public IP address of the RG (optionally with the port number) is the effective information for locating the fixed line.
  • The public IP address of the RG is therefore also called here the valid outer/local IP address/port number of the HeNB, or simply the outer/local IP address/port number of the HeNB. This information is also part of the tunnel information.
  • Besides fixed-network information such as the valid local/outer IP address (and port number) of the HeNB, the tunnel information may include the following: the Fully Qualified Domain Name (FQDN) of the BPCF; the address and/or port number of the SeGW, which is one endpoint of the IPsec tunnel; the identity of the HeNB, such as the International Mobile Station Identity (IMSI); and the Virtual Local Area Network Identity (VLAN ID) of the VLAN where the HeNB is located.
  • FQDN: Fully Qualified Domain Name
  • IMSI: International Mobile Station Identity
  • VLAN ID: Virtual Local Area Network Identity
  • The current problem is how the H(e)NB can obtain information such as its own valid outer or local IP address and port number, that is, part of the tunnel information.
  • When the H(e)NB establishes an IPSec tunnel with the SeGW, if there is no address-translating device, such as an RG, between the H(e)NB and the SeGW, the H(e)NB itself knows its own valid outer or local IP address and port number. But if there is an address-translating device between the H(e)NB and the SeGW, then although the H(e)NB knows its own outer or local IP address and port number, that address and port number are private and invalid (invalid for locating the fixed network link) and cannot be used to locate the fixed network link where the H(e)NB is located.
  • A tunnel information acquisition method is provided, including: establishing an IPSec tunnel between a security gateway SeGW and an evolved home base station/home base station H(e)NB; and sending, by the SeGW, tunnel information to the H(e)NB, where the tunnel information includes a valid local IP address of the H(e)NB.
  • Before the SeGW sends the tunnel information to the H(e)NB, the method further includes: the SeGW receiving, from the H(e)NB, a first message for requesting the tunnel information.
  • The first message carries the initial address of the H(e)NB detected by the H(e)NB and the initial address of the SeGW detected by the H(e)NB.
  • The sending, by the SeGW, of the tunnel information to the H(e)NB comprises: the SeGW sending a second message to the H(e)NB, where the second message carries the valid local IP address of the H(e)NB.
  • The second message further carries the initial address of the SeGW detected by the SeGW.
  • The second message also carries a valid local port number of the H(e)NB.
  • The first message is one of the following: IKE_SA_INIT request/response (Internet Key Exchange Security Association initial request/response), IKE_AUTH request/response (Internet Key Exchange authentication request/response), CREATE_CHILD_SA request/response (create child security association request/response).
  • The second message is one of the following: IKE_SA_INIT request/response, IKE_AUTH request/response, CREATE_CHILD_SA request/response.
  • The second message carries TSi and TSr, where TSi carries the initial address of the initiator H(e)NB detected by the responder SeGW, and TSr carries the initial address of the responder SeGW detected by the responder SeGW.
  • The H(e)NB reports the tunnel information, via the EPC network, to the fixed network side to which it is connected; the fixed network side locates the fixed network link of the H(e)NB according to the tunnel information.
  • A security gateway is provided, including: a first tunnel module, configured to establish an IPSec tunnel between the SeGW and the evolved home base station/home base station H(e)NB; and a tunnel information sending module, configured to send the tunnel information to the H(e)NB, where the tunnel information includes a valid local IP address of the H(e)NB.
  • The SeGW further comprises: a receiving module, configured to receive from the H(e)NB the first message requesting tunnel information.
  • The tunnel information sending module comprises: a sending submodule, configured to send a second message to the H(e)NB, where the second message carries a valid local IP address of the H(e)NB.
  • The second message also carries a valid local port number of the H(e)NB.
  • An evolved home base station/home base station is provided, including: a second tunnel module, configured to establish an IPSec tunnel between the security gateway SeGW and the H(e)NB; and a tunnel information receiving module, configured to receive tunnel information from the SeGW, where the tunnel information includes a valid local IP address of the H(e)NB.
  • The SeGW sends the H(e)NB tunnel information that includes the valid local IP address of the H(e)NB, thereby solving the problem of how the H(e)NB obtains its own valid local IP address in the NAT scenario.
  • FIG. 1 is an architecture diagram of converged HeNB access to the EPS according to the related art.
  • FIG. 2 is a schematic diagram of address allocation in a NAT-free scenario according to the related art.
  • FIG. 3 is a schematic diagram of address allocation in a NAT scenario according to the related art.
  • FIG. 4 is a flowchart of a method for acquiring tunnel information according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for acquiring tunnel information according to Embodiment 1 of the present invention.
  • FIG. 6 is a flowchart of a method for acquiring tunnel information according to Embodiment 2 of the present invention.
  • FIG. 7 is a schematic structural diagram of a SeGW according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of an evolved home base station/home base station according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a method for acquiring tunnel information according to an embodiment of the present invention. As shown in FIG. 4, the method includes the following steps: Step S402: an IPSec tunnel is established between a security gateway SeGW and an evolved home base station/home base station H(e)NB. Step S404: the SeGW sends the tunnel information to the H(e)NB, where the tunnel information includes a valid local IP address of the H(e)NB.
  • The SeGW sends the H(e)NB tunnel information that includes the valid local IP address of the H(e)NB, thereby solving the problem of how the H(e)NB obtains its own valid local IP address in the NAT scenario, so that the fixed network side can locate the fixed network link of the H(e)NB according to the tunnel information and ensure the quality of service on that link.
  • Embodiment 1 describes the procedure in which, in the Quick Mode of IKEv1 (The Internet Key Exchange Protocol version 1), the H(e)NB and the SeGW negotiate each other's addresses when an IPsec tunnel is established between them.
  • In this embodiment, data security between the H(e)NB and the SeGW uses tunnel mode, so the H(e)NB and the SeGW must negotiate each other's address information.
  • Step S502: the H(e)NB sends a first message to the SeGW. The first message may carry NAT-OAi=Iaddr and NAT-OAr=Raddr.
  • NAT-OAi is the initial address (OA, original address) of the initiator (i, initiator) H(e)NB as observed by the initiator H(e)NB; the actual value of the address is Iaddr (Initiator address, that is, the private IP address the RG assigned to the terminal);
  • NAT-OAr is the initial address (original address, OA for short) of the responder (r, responder) SeGW as observed by the initiator H(e)NB; the actual value of the address is Raddr (Responder address), which is the actual address of the SeGW. The first message may be an IKE_SA_INIT request/response, IKE_AUTH request/response or CREATE_CHILD_SA request/response message.
  • The first message may carry an indication that the H(e)NB is requesting its valid local/outer IP address from the SeGW.
  • Alternatively, no change is made to the first message, and the SeGW by default sends the H(e)NB its valid local/outer IP address after receiving the first message.
  • Step S504: the SeGW sends a second message to the H(e)NB. The second message carries both NAT-OAi=NATPub and NAT-OAr=Raddr.
  • Here NAT-OAi is the initial address (OA, original address) of the initiator (i, initiator) H(e)NB as observed by the responder SeGW after NAT traversal.
  • The actual value of that address is NATPub (NAT public address, that is, the RG's public IP address). NAT-OAr is the initial address (Original Address, OA for short) of the responder (r, responder) SeGW as observed by the responder SeGW after NAT traversal; the actual value of the address is Raddr (Responder address), which is the actual address of the SeGW.
  • Through this exchange the H(e)NB obtains its valid local/outer IP address after NAT translation, that is, NATPub in the above process.
  • The port number can also be carried to the H(e)NB by extending the information element NAT-OAi, or by adding a similar information element, so that the H(e)NB obtains its valid local/outer port number.
  • The initial address of the initiator H(e)NB that the SeGW can observe means that, after receiving the first message of step 502, the SeGW takes the source address of the first message as the observed initial address of the initiator H(e)NB.
  • Step S506: through step S504 the H(e)NB has acquired the valid local/outer address of the H(e)NB observed by the SeGW (that is, the IP address of the RG), and the H(e)NB constructs the tunnel information with this local address as one component.
  • Step S508: when a terminal initiates operations such as attach, PDN connection establishment, handover, TAU (Tracking Area Update) or RAU (Routing Area Update) from the H(e)NB, the H(e)NB sends the "tunnel information" to the 3GPP core network element (MME/SGSN).
  • It does so in an interface message between the H(e)NB and the 3GPP core network element (the MME for the HeNB and the SGSN for the HNB); the message is an S1 interface message for the HeNB and an Iu interface message for the HNB.
  • After receiving the tunnel information, the 3GPP core network transmits it along the path MME -> S-GW -> (P-GW ->) PCRF -> fixed network (BPCF), or along the path SGSN -> GGSN -> PCRF -> fixed network (BPCF).
  • The PCRF uses the tunnel information to locate the BPCF of the fixed network, and the relevant fixed-network element (the BPCF or another proxy network element) receives the tunnel information and locates the fixed network line where the H(e)NB is located, together with the resources on that fixed line (such as QoS guarantees).
  • Embodiment 2 describes the procedure in which, under IKEv2 (The Internet Key Exchange Protocol version 2), the H(e)NB and the SeGW negotiate each other's addresses when an IPsec tunnel is established between them; here the addresses are passed in the Traffic Selector (TS).
  • IKEv2: The Internet Key Exchange Protocol version 2
  • TS: Traffic Selector
  • In this embodiment, data security between the H(e)NB and the SeGW uses tunnel mode.
  • Step S602: the H(e)NB sends a first message to the SeGW.
  • The first message carries TSi and TSr.
  • TSi specifies the source address of the service data sent by the initiator of the security association, or the destination address of the service data sent to the initiator of the security association.
  • TSr specifies the source address of the service data sent by the responder of the security association, or the destination address of the service data sent to the responder of the security association.
  • TSi carries the initial address of the initiator (i, initiator) H(e)NB, and the actual value of the address is the private IP address assigned by the RG to the terminal. TSr carries the initial address of the responder (r, responder) SeGW as observed by the initiator H(e)NB, and the actual value of the address is the actual address of the SeGW. The first message may be an IKE_SA_INIT request/response (Internet Key Exchange Security Association initial request/response), IKE_AUTH request/response or CREATE_CHILD_SA request/response message.
  • The first message may carry an indication that the H(e)NB is requesting its valid local/outer IP address from the SeGW; alternatively, no change is made to the first message, and the SeGW by default sends the H(e)NB its valid local/outer IP address after receiving the first message. Step S604: the SeGW sends a second message to the H(e)NB.
  • The second message carries TSi and TSr.
  • TSi carries the initial address of the initiator (i, initiator) H(e)NB as observed by the responder SeGW after NAT traversal, and the actual value of the address is the public IP address of the RG. TSr carries the initial address of the responder (r, responder) SeGW as observed by the responder SeGW after NAT traversal, and the actual value of the address is the actual address of the SeGW.
  • The second message may be an IKE_SA_INIT request/response, IKE_AUTH request/response or CREATE_CHILD_SA request/response message. The second message may also carry only TSi to the H(e)NB.
  • Through this exchange the H(e)NB obtains its valid local/outer IP address after NAT translation.
  • The port number can also be carried to the H(e)NB by extending the information element TSi, or by adding a similar information element, so that the H(e)NB obtains its valid local/outer port number.
  • The initial address of the initiator H(e)NB that the SeGW can observe means that, after receiving the first message of step 602, the SeGW takes the source address of the first message as the observed initial address of the initiator H(e)NB.
  • Step S606: through step S604 the H(e)NB has acquired the valid local/outer address of the H(e)NB observed by the SeGW (that is, the IP address of the RG), and the H(e)NB constructs the tunnel information with this local address as one component.
  • Step S608: when a terminal initiates operations such as attach, PDN connection establishment, handover, TAU (Tracking Area Update) or RAU (Routing Area Update) from the H(e)NB, the H(e)NB sends the "tunnel information" to the 3GPP core network element (MME/SGSN) in an interface message between the H(e)NB and the 3GPP core network element (the MME for the HeNB and the SGSN for the HNB); the message is an S1 interface message for the HeNB and an Iu interface message for the HNB.
  • FIG. 7 is a schematic structural diagram of a SeGW according to an embodiment of the present invention.
  • The SeGW 100 includes: a first tunnel module 102 and a tunnel information sending module 104.
  • The first tunnel module 102 is configured to establish an IPSec tunnel between the SeGW and the evolved home base station/home base station H(e)NB.
  • The tunnel information sending module 104 is configured to send tunnel information to the H(e)NB, where the tunnel information includes a valid local IP address of the H(e)NB.
  • The SeGW sends the H(e)NB tunnel information that includes the valid local IP address of the H(e)NB, thereby solving the problem of how the H(e)NB obtains its own valid local IP address in the NAT scenario, so that the fixed network side can locate the fixed network link of the H(e)NB according to the tunnel information and guarantee the service quality of the H(e)NB in the fixed network.
  • The SeGW further includes a receiving module 106 (not shown), and the receiving module 106 is configured to receive from the H(e)NB the first message requesting tunnel information.
  • FIG. 8 is a schematic structural diagram of an evolved home base station/home base station according to an embodiment of the present invention.
  • The H(e)NB 200 includes: a second tunnel module 202 and a tunnel information receiving module 204.
  • The second tunnel module 202 is configured to establish an IPSec tunnel between the security gateway SeGW and the H(e)NB.
  • The tunnel information receiving module 204 is configured to receive tunnel information from the SeGW, where the tunnel information includes a valid local IP address of the H(e)NB.
  • The SeGW sends the H(e)NB tunnel information that includes the valid local IP address of the H(e)NB, thereby solving the problem of how the H(e)NB obtains a valid local IP address in the NAT scenario, so that the fixed network side can locate the fixed network link of the H(e)NB according to the tunnel information, thereby ensuring the quality of service on the fixed network link.
  • The modules or steps may be implemented by program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from the one herein, or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module.
  • The invention is not limited to any specific combination of hardware and software.
  • The above is only the preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.
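
The Embodiment 1 exchange described above (steps S502 to S506), simulated in memory as an added example; it is not code from the patent. The class names, the `NAT-OAi-port` field (standing in for the port extension the text mentions), the two sanity checks in `build_tunnel_info` and all addresses are assumptions made for illustration.

```python
"""Added example: the Embodiment 1 address exchange, simulated in memory.

NAT-OAi / NAT-OAr and the roles Iaddr, Raddr, NATPub follow the page; the
classes, the "NAT-OAi-port" field and every address below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: what an RG hands out, and invalid for locating the line.
_PRIVATE = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: dict


class ResidentialGateway:
    """RG doing NAT: private (ip, port) maps to public ip + allocated port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._mapping = {}

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._mapping:
            self._mapping[key] = self._next_port
            self._next_port += 1
        # Only the outer source changes; the payload still carries Iaddr.
        return Packet(self.public_ip, self._mapping[key],
                      pkt.dst_ip, pkt.dst_port, pkt.payload)


class SeGW:
    def __init__(self, addr):
        self.addr = addr  # Raddr

    def second_message(self, first):
        # Step S504: the observed initiator address is the source address
        # of the first message as it arrived, i.e. after NAT traversal.
        return {"NAT-OAi": first.src_ip,
                "NAT-OAi-port": first.src_port,  # hypothetical port extension
                "NAT-OAr": self.addr}


class HeNB:
    def __init__(self, local_ip, local_port, segw_addr):
        self.local_ip = local_ip      # Iaddr
        self.local_port = local_port
        self.segw_addr = segw_addr    # Raddr as configured on the H(e)NB

    def first_message(self):
        # Step S502: both addresses as the initiator itself sees them.
        return Packet(self.local_ip, self.local_port, self.segw_addr, 500,
                      {"NAT-OAi": self.local_ip, "NAT-OAr": self.segw_addr})

    def build_tunnel_info(self, second):
        # Step S506, preceded by two checks that are assumptions of this
        # example: the responder address must be the SeGW that was dialled,
        # and the reported address must parse as an IP address.
        if second["NAT-OAr"] != self.segw_addr:
            raise ValueError("responder address does not match the SeGW dialled")
        observed = ipaddress.ip_address(second["NAT-OAi"])
        return {
            "henb_local_ip": str(observed),
            "henb_local_port": second.get("NAT-OAi-port"),
            "segw_addr": self.segw_addr,
            "nat_detected": str(observed) != self.local_ip,
            # A private address cannot locate the fixed network link.
            "locates_fixed_line": not any(observed in n for n in _PRIVATE),
        }


def run_exchange(henb, segw, rg=None):
    """Run S502, optional NAT traversal, S504 and S506; return tunnel info."""
    pkt = henb.first_message()
    if rg is not None:
        pkt = rg.outbound(pkt)
    return henb.build_tunnel_info(segw.second_message(pkt))


if __name__ == "__main__":
    segw = SeGW("198.51.100.1")
    # FIG. 3 case: the H(e)NB sits behind an RG that performs NAT.
    print(run_exchange(HeNB("192.168.1.10", 500, segw.addr), segw,
                       ResidentialGateway("203.0.113.7")))
    # FIG. 2 case: no NAT, the BNG/BRAS-assigned address is already valid.
    print(run_exchange(HeNB("203.0.113.20", 500, segw.addr), segw))
```
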

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for obtaining tunnel information, a security gateway (SeGW) and an evolved home base station/home base station are provided in the invention. The method comprises: a tunnel is established between the SeGW and the evolved home base station/home base station (H(e)NB), and the SeGW sends the tunnel information to the H(e)NB, wherein the tunnel information comprises a local IP address of the H(e)NB. In the invention, because the SeGW sends the H(e)NB tunnel information that comprises the local IP address of the H(e)NB, the problem of how the H(e)NB obtains its own effective local IP address where network address translation (NAT) is present is solved, which enables the fixed network side to locate the fixed link on which the H(e)NB sits according to the tunnel information, so that the service quality on the fixed network link is ensured.

Description

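Tunnel information acquisition method, security gateway, and evolved home base station/home base station

Technical Field

The present invention relates to the field of communications, and in particular to a tunnel information acquisition method, a security gateway, and an evolved home base station/home base station.

Background

The Evolved Packet System (EPS) of the 3rd Generation Partnership Project (3GPP) consists of the Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the Mobility Management Entity (MME), the Serving Gateway (S-GW), the Packet Data Network Gateway (P-GW), the Home Subscriber Server (HSS), the 3GPP Authentication, Authorization and Accounting (AAA) server, the Policy and Charging Rules Function (PCRF) and other supporting nodes.

FIG. 1 is an architecture diagram of converged HeNB access to the EPS according to the related art. As shown inside the EPS box in FIG. 1, the MME is responsible for control-plane work such as mobility management, processing of non-access stratum signaling, and management of the user mobility management context; the S-GW is an access gateway device connected to the E-UTRAN, forwards data between the E-UTRAN and the P-GW, and is responsible for buffering paging waiting data; the P-GW is the border gateway between the EPS and the Packet Data Network (PDN), and is responsible for PDN access and for forwarding data between the EPS and the PDN. The S-GW and the P-GW can be deployed together or separately; when deployed together they can be called the Evolved Packet Core (EPC) gateway or the integrated services gateway. The PCRF is the policy and charging rules function entity. It is connected to the operator's Internet Protocol (IP) service network through the Rx interface to obtain service information; it is also connected to the gateway devices in the network through the Gx/Gxc interface, and is responsible for initiating the establishment of IP bearers, ensuring the Quality of Service (QoS) of service data, and performing charging control.

The EPS supports Home evolved NodeB (HeNB) access, as shown in FIG. 1. The HeNB is a small, low-power base station deployed in indoor locations such as homes, offices and corporate buildings. The HeNB usually accesses the core network of the EPS through a leased fixed-network line. To secure this access, a Security Gateway (SeGW) is introduced in the core network to shield it, and data between the HeNB and the SeGW is encapsulated using IP Security (IPSec). Through the IPSec tunnel established with the SeGW, the HeNB can connect directly to the MME and the S-GW of the core network, or it can connect to the MME and the S-GW through the HeNB GW; that is, the HeNB GW is an optional network element. To manage the HeNB, a network element called the Home eNodeB Management System (HeMS) is introduced. In addition, the GPRS (General Packet Radio Service) system, which belongs to third-generation mobile communication, supports Home NodeB (HNB) access. The related art is similar to that for the HeNB.

The QoS of the fixed line used by an H(e)NB (the collective name for HeNB and HNB) is usually restricted by the contract between the owner of the H(e)NB and the fixed network operator. Therefore, when a 3GPP UE accesses services of the 3GPP core network through the H(e)NB, the required QoS cannot exceed the QoS of the fixed-line subscription that the fixed network operator can provide. Otherwise, the QoS of the UE's services cannot be guaranteed, especially for Guaranteed Bitrates (GBR) services. Therefore, the 3GPP network and the fixed network need a unified control mechanism to implement user/connection/service admission control, as shown in FIG. 1 (HeNB case). The Policy Control and Charging (PCC) network element PCRF of the 3GPP system is connected to the Broadband Policy Control Function (BPCF) of the fixed network through the S9* interface to implement policy interworking and resource management, so that fixed network resources can be reasonably controlled and managed, and the higher-priority resources accessed through the H(e)NB are guaranteed first.

As described above, if the fixed network is required to provide a QoS guarantee for the line of the accessing H(e)NB, the fixed network needs to locate the fixed line on which the H(e)NB currently sits (called the backhaul in the technical specifications, that is, the fixed network backhaul network). In the prior art, the fixed network line is located through the tunnel information of the H(e)NB. This information is sent to the PCRF in the procedure in which a terminal attaches through the H(e)NB or in the PDN connection establishment procedure; based on it, the PCRF finds the BPCF that manages the resources of the fixed network line of the H(e)NB and establishes an S9* session with it.

When the home base station HeNB (the HNB is similar) accesses the EPC, an IPsec tunnel is established between the HeNB and the SeGW, shown as the pipe in FIG. 1, and the HeNB and the SeGW are the two endpoints of that IPsec tunnel.

If there is no Network Address Translation (NAT) in the fixed network/wireless LAN, as shown in FIG. 2 (that is, there is no residential gateway RG (Residential Gateway), or the RG works in bridge mode), the outer IP address of the HeNB, also called the local address, is allocated by the fixed network/wireless LAN access network, specifically by the Broadband Network Gateway/Broadband Remote Access Server (BNG/BRAS). This address is the valid local/outer IP address and is part of the tunnel information.

If there is network address translation in the WLAN network, as shown in FIG. 3, the NAT device allocates a private IP address to the HeNB, and this address, as the local/outer IP address of the terminal, is invalid for locating the fixed network link. However, the BNG/BRAS assigns a public IP address to the RG, and the RG holds a one-to-one mapping between the private local/outer IP address of the HeNB and the public IP address of the RG plus a port number. When a data packet is transmitted between the HeNB and the RG, its outer header carries the private address of the HeNB; after the packet traverses the NAT, its outer header carries the public IP address of the RG plus the corresponding port number. For locating the fixed network link, the private local/outer IP address of the HeNB is invalid, and the public IP address of the RG (optionally with the port number) is the effective information for locating the fixed line. The public IP address of the RG is therefore also called here the valid outer/local IP address/port number of the HeNB, or simply the outer/local IP address/port number of the HeNB; this information is also part of the tunnel information.

Besides fixed-network information such as the valid local/outer IP address (and port number) of the HeNB, the tunnel information may include the following: the Fully Qualified Domain Name (FQDN) of the BPCF; the address and/or port number of the SeGW, which is one endpoint of the IPsec tunnel; the identity of the HeNB, such as the International Mobile Station Identity (IMSI); and the Virtual Local Area Network Identity (VLAN ID) of the VLAN where the HeNB is located.

The current problem is how the H(e)NB can obtain information such as its own valid outer or local IP address and port number, that is, part of the tunnel information. When the H(e)NB establishes an IPSec tunnel with the SeGW, if there is no address-translating device, such as an RG, between the H(e)NB and the SeGW, the H(e)NB itself knows its own valid outer or local IP address and port number. But if there is an address-translating device between the H(e)NB and the SeGW, then although the H(e)NB knows its own outer or local IP address and port number, that address and port number are private and invalid (invalid for locating the fixed network link) and cannot be used to locate the fixed network link where the H(e)NB is located. How the H(e)NB can obtain its own valid outer or local IP address and port number in a scenario where NAT is present is therefore a problem to be solved.

Summary of the Invention

The present invention provides a tunnel information acquisition method, a security gateway, and an evolved home base station/home base station, to at least solve the above problem of how the H(e)NB can obtain its own valid local IP address in a scenario where NAT is present.

According to one aspect of the present invention, a tunnel information acquisition method is provided, including: establishing an IPSec tunnel between a security gateway SeGW and an evolved home base station/home base station H(e)NB; and sending, by the SeGW, tunnel information to the H(e)NB, where the tunnel information includes a valid local IP address of the H(e)NB.

Preferably, before the SeGW sends the tunnel information to the H(e)NB, the method further includes: the SeGW receiving, from the H(e)NB, a first message for requesting the tunnel information.

Preferably, the first message carries the initial address of the H(e)NB detected by the H(e)NB and the initial address of the SeGW detected by the H(e)NB.

Preferably, the sending, by the SeGW, of the tunnel information to the H(e)NB includes: the SeGW sending a second message to the H(e)NB, where the second message carries the valid local IP address of the H(e)NB.

Preferably, the second message further carries the initial address of the SeGW detected by the SeGW.

Preferably, the second message further carries a valid local port number of the H(e)NB.

Preferably, the first message is one of the following: IKE_SA_INIT request/response (Internet Key Exchange Security Association initial request/response), IKE_AUTH request/response (Internet Key Exchange authentication request/response), CREATE_CHILD_SA request/response (create child security association request/response).

Preferably, the second message is one of the following: IKE_SA_INIT request/response, IKE_AUTH request/response, CREATE_CHILD_SA request/response.

Preferably, the second message carries NAT-OAi=NATPub and NAT-OAr=Raddr, where NAT-OAi is the initial address of the initiator H(e)NB detected by the responder SeGW, and NAT-OAr is the initial address of the responder SeGW detected by the responder SeGW.

Preferably, the second message carries TSi and TSr, where TSi carries the initial address of the initiator H(e)NB detected by the responder SeGW, and TSr carries the initial address of the responder SeGW detected by the responder SeGW.

Preferably, the H(e)NB reports the tunnel information, via the EPC network, to the fixed network side to which it is connected; the fixed network side locates the fixed network link of the H(e)NB according to the tunnel information.

According to another aspect of the present invention, a security gateway is provided, including: a first tunnel module, configured to establish an IPSec tunnel between the SeGW and the evolved home base station/home base station H(e)NB; and a tunnel information sending module, configured to send the tunnel information to the H(e)NB, where the tunnel information includes a valid local IP address of the H(e)NB.

Preferably, the SeGW further includes: a receiving module, configured to receive from the H(e)NB the first message requesting tunnel information.

Preferably, the tunnel information sending module includes: a sending submodule, configured to send a second message to the H(e)NB, where the second message carries a valid local IP address of the H(e)NB.

Preferably, the second message further carries a valid local port number of the H(e)NB.

According to yet another aspect of the present invention, an evolved home base station/home base station is provided, including: a second tunnel module, configured to establish an IPSec tunnel between the security gateway SeGW and the H(e)NB; and a tunnel information receiving module, configured to receive tunnel information from the SeGW, where the tunnel information includes a valid local IP address of the H(e)NB.

In the present invention, the SeGW sends the H(e)NB tunnel information that includes the valid local IP address of the H(e)NB, thereby solving the problem of how the H(e)NB obtains its own valid local IP address in the NAT scenario, so that the fixed network side can locate the fixed network link where the H(e)NB is located according to the tunnel information and ensure the quality of service on that fixed network link.

Brief Description of the Drawings

The drawings described here are provided for a further understanding of the present invention and form a part of this application. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:

FIG. 1 is an architecture diagram of converged HeNB access to the EPS according to the related art;
FIG. 2 is a schematic diagram of address allocation in a NAT-free scenario according to the related art;
FIG. 3 is a schematic diagram of address allocation in a NAT scenario according to the related art;
FIG. 4 is a flowchart of a tunnel information acquisition method according to an embodiment of the present invention;
FIG. 5 is a flowchart of a tunnel information acquisition method according to Embodiment 1 of the present invention;
FIG. 6 is a flowchart of a tunnel information acquisition method according to Embodiment 2 of the present invention;
FIG. 7 is a schematic structural diagram of a SeGW according to an embodiment of the present invention; and
FIG. 8 is a schematic structural diagram of an evolved home base station/home base station according to an embodiment of the present invention.

Detailed Description

The present invention is described in detail below with reference to the drawings and in combination with the embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other.

FIG. 4 is a flowchart of a tunnel information acquisition method according to an embodiment of the present invention. As shown in FIG. 4, the method includes the following steps:

Step S402: an IPSec tunnel is established between the security gateway SeGW and the evolved home base station/home base station H(e)NB.

Step S404: the SeGW sends the tunnel information to the H(e)NB, where the tunnel information includes a valid local IP address of the H(e)NB.

In this embodiment, the SeGW sends the H(e)NB tunnel information that includes the valid local IP address of the H(e)NB, thereby solving the problem of how the H(e)NB obtains its own valid local IP address in the NAT scenario, so that the fixed network side can locate the fixed network link of the H(e)NB according to the tunnel information and ensure the quality of service on that fixed network link.

Embodiment 1

This embodiment describes the procedure in which, in the Quick Mode of IKEv1 (The Internet Key Exchange Protocol version 1), the H(e)NB and the SeGW negotiate each other's addresses when an IPsec tunnel is established between them.

In this embodiment, data security between the H(e)NB and the SeGW uses tunnel mode, so the H(e)NB and the SeGW must negotiate each other's address information. As shown in FIG. 5, the procedure includes the following steps:

Step S502: the H(e)NB sends a first message to the SeGW.

The first message may carry NAT-OAi=Iaddr and NAT-OAr=Raddr. NAT-OAi is the initial address (OA, original address) of the initiator (i, initiator) H(e)NB as observed by the initiator H(e)NB; the actual value of the address is Iaddr (Initiator address, that is, the private IP address the RG assigned to the terminal). NAT-OAr is the initial address (original address, OA for short) of the responder (r, responder) SeGW as observed by the initiator H(e)NB; the actual value of the address is Raddr (Responder address), that is, the actual address of the SeGW. The first message may be an IKE_SA_INIT request/response, IKE_AUTH request/response or CREATE_CHILD_SA request/response message.

The first message may carry an indication that the H(e)NB is requesting its valid local/outer IP address from the SeGW.

Alternatively, no change is made to the first message, and the SeGW by default sends the H(e)NB its valid local/outer IP address after receiving the first message.

Step S504: the SeGW sends a second message to the H(e)NB.

The second message carries both NAT-OAi=NATPub and NAT-OAr=Raddr. NAT-OAi is the initial address (OA, original address) of the initiator (i, initiator) H(e)NB as observed by the responder SeGW after NAT traversal; the actual value of the address is NATPub (NAT public address, that is, the RG's public IP address). NAT-OAr is the initial address (Original Address, OA for short) of the responder (r, responder) SeGW as observed by the responder SeGW after NAT traversal; the actual value of the address is Raddr (Responder address), that is, the actual address of the SeGW. The second message may be an IKE_SA_INIT request/response, IKE_AUTH request/response or CREATE_CHILD_SA request/response message.

Alternatively, the second message carries only NAT-OAi=NATPub to the H(e)NB.

Through the above exchange, the H(e)NB obtains its valid local/outer IP address after NAT translation, that is, NATPub in the above procedure.

In addition, the port number can also be carried to the H(e)NB by extending the information element NAT-OAi, or by adding a similar information element, so that the H(e)NB obtains its valid local/outer port number.

The initial address of the initiator H(e)NB that the SeGW can observe means that, after receiving the first message of step 502, the SeGW takes the source address of the first message as the observed initial address of the initiator H(e)NB.

Step S506: through step S504 the H(e)NB has acquired the valid local/outer address of the H(e)NB observed by the SeGW (that is, the IP address of the RG), and the H(e)NB constructs the tunnel information with this local address as one component.

Step S508: when a terminal initiates operations such as attach, PDN connection establishment, handover, TAU (Tracking Area Update) or RAU (Routing Area Update) from the H(e)NB, the H(e)NB sends the "tunnel information" to the 3GPP core network element (MME/SGSN) in an interface message between the H(e)NB and the 3GPP core network element (the MME for the HeNB, the SGSN for the HNB); the message is an S1 interface message for the HeNB and an Iu interface message for the HNB. After receiving the tunnel information, the 3GPP core network, through the MME S-GW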
(P-GW^ ) PCRF 固网 (BPCF) 的路径, 或者通过 SGSN GGSN PCRF 固网 (BPCF)把隧道信息传递。隧道信息到达 PCRF后, PCRF用隧道信息定位固网 BPCF, 而固网相关网元(BPCF或者其他代理网元)收到隧道信息后据此定位 H(e) B所在的 固网线路, 保证该固网线路上的资源 (例如 QoS保障等)。 实施例二 实施例二描述的是在 IKEv2 (The Internet Key Exchange Protocol version 2)的场景 下, H(e) B与 SeGW之间建立 IPsec隧道时, 双方互相协商对方的地址的处理流程, 其中, 地址是通过业务选择器 (Traffic Selector, 简称 TS) 传递的。 本实施例中 H(e) B和 SeGW之间的数据安全是采用的隧道模式, 因此, H(e) B 和 SeGW之间要互相协商对方的地址信息, 如图 6所示, 包括以下步骤: 步骤 S602, H(e) B发送第一消息给 SeGW。 其中, 第一消息中携带 TSi和 TSr。 TSi指定了由安全联盟的发起方发出的业务数 据的源地址, 或者发送到安全联盟的发起方的业务数据的目的地址。 TSr指定了由安 全联盟的响应方发出业务数据的源地址, 或者发送到安全联盟的响应方的业务数据的 目的地址。 TSi携带了 H(e;> B观测到的发起方 (i, initiator) Η(^ Β的初始地址, 其 地址的实际值就是 RG为终端分配的私有 IP地址; 其中 TSr携带了发起方 H(e) B观 测到的回应方 (r, responder) SeGW的初始地址, 其地址的实际值就是 SeGW的实际 地址; 其中该第一消息可以是 IKE_SA_INIT request/response ( Internet Key Exchange—Security Association initial request/response, 因特网密钥交换安全联盟初始 请求 /响应) 或者 IKE_AUTH request/response (因特网密钥交换认证请求 /响应), CREATE CHILD S A request/response (创建子安全联盟请求 /响应) 消息。 其中, 第一消息中携带指示, 该指示用于表明向 SeGW请求该 H(e) B请求有效 的本地 /外层 IP地址; 其中, 第一消息不做任何改动, SeGW 默认会在接收到该第一消息后向 H(e) B 发送其有效的本地 /外层 IP地址。 步骤 S604, SeGW发送第二消息给 Η(^ Β。 其中,第二消息中携带 TSi和 TSr。其中 TSi携带经过 NAT穿越后的,回应方 SeGW 观测到的发起方 (i, initiator) H(e) B的初始地址, 其地址的实际值就是 RG的公有 IP地址;其中 TSr携带经过 NAT穿越后的,回应方 SeGW观测到的回应方(r, responder) SeGW的初始地址, 其地址的实际值就是 SeGW的实际地址。 其中该第二消息可以是 IKE SA INIT request/response或者 IKE AUTH request/response, CREATE CHILD SA request/response消息。 其中, 第二消息可仅仅携带 TSi给 H(e) B。 经过以上操作, H(e) B获取了经过 NAT转换以后的有效本地 /外层 IP地址, RG 的公有地址。 另外, 在本实施例中, 还可以通过扩展信元 TSi, 将端口号也携带给 H(e) B, 或 者在增加一个类似的信元, 来使得 H(e) B获取其有效的本地 /外层端口号。 其中, 上述的 SeGW能够观测到的发起方 H(e) B的初始地址, 是指 SeGW在接 收到步骤 602的第一消息后, 获取第一消息的源地址作为观测到的发起方 H(e) B的 初始地址。 步骤 S606, H(e) B通过步骤 S604获取了 SeGW观测到的 H(e)NB的有效的本地 /外层地址 (即 RG的 IP地址), H(e) B把本地作为一个组成部分构造隧道信息。 步骤 S608, 当终端从 H(e) B并发起附着、 PDN连接建立、切换、 TAU (Tracking Area Update,跟踪区更新)、 RAlKRouting Area Update,路由区更新)等操作时, Η0)ΝΒ 通过 H(e)NB和 3GPP核心网网元 (对 HeNB是 MME, 对 HNB是 SGSN) 之间的接 口消息(对 HeNB是 SI接口消息,对 HNB是 Iu接口消息),把"隧道信息"发送给 3GPP 核心网网元 (MME/SGSN)。 
TECHNICAL FIELD

The present invention relates to the field of communications, and in particular to a tunnel information acquisition method, a security gateway, and an evolved home base station/home base station.

BACKGROUND OF THE INVENTION

The Evolved Packet System (EPS) of the 3rd Generation Partnership Project (3GPP) consists of the Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the Mobility Management Entity (MME), the Serving Gateway (S-GW), the Packet Data Network Gateway (P-GW), the Home Subscriber Server (HSS), the 3GPP Authentication Authorization and Accounting (AAA) server, the Policy and Charging Rules Function (PCRF) and other supporting nodes.

FIG. 1 is an architecture diagram of HeNB access converged with the EPS according to the related art. As shown inside the EPS box in FIG. 1, the MME is responsible for control-plane work such as mobility management, processing of non-access stratum signaling, and management of user mobility management contexts. The S-GW is the access gateway device connected to the E-UTRAN; it forwards data between the E-UTRAN and the P-GW and is responsible for buffering data awaiting paging. The P-GW is the border gateway between the EPS and the Packet Data Network (PDN) and is responsible for PDN access and for forwarding data between the EPS and the PDN. In a network deployment, the S-GW and the P-GW may be combined or deployed separately; when combined, they may be called an Evolved Packet Core (EPC) gateway or an integrated services gateway. The PCRF is the policy and charging rules function entity. It is connected to the operator's IP service network through the Rx interface to obtain service information. It is also connected to the gateway devices in the network through the Gx/Gxc interface, and is responsible for initiating the establishment of IP bearers, guaranteeing the Quality of Service (QoS) of service data, and performing charging control.

The EPS supports access by a Home evolved NodeB (HeNB), as shown in FIG. 1. The HeNB is a small, low-power base station deployed in indoor locations such as homes, offices and corporate buildings. The HeNB usually accesses the EPS core network over a leased fixed network line. To secure this access, a Security Gateway (SeGW) is introduced in the core network for shielding, and data between the HeNB and the SeGW is encapsulated using Internet Protocol Security (IPSec). After establishing an IPSec tunnel with the SeGW, the HeNB may connect directly to the MME and S-GW of the core network, or may connect to the MME and S-GW through an HeNB GW; that is, the HeNB GW is an optional network element.
Meanwhile, in order to manage the HeNB, a network element called the Home eNodeB Management System (HeMS) is introduced.

In addition, the General Packet Radio Service (GPRS) system, which belongs to third-generation mobile communication, supports access by a Home NodeB (HNB). The related technology is similar to that of the HeNB.

The QoS of the fixed network line through which an H(e)NB (the collective name for HeNB and HNB) gains access is usually limited by the subscription between the owner of the H(e)NB and the fixed network operator. Therefore, when a 3GPP UE accesses the 3GPP core network through the H(e)NB to use a service, the required QoS cannot exceed the subscribed QoS of the fixed network line that the fixed network operator can provide. Otherwise, the QoS of the service accessed by the UE cannot be guaranteed, especially for Guaranteed Bitrates (GBR) services. The 3GPP network and the fixed network therefore need a unified control mechanism to implement admission control of users, connections and services, as shown in FIG. 1 (HeNB case). The PCRF, the Policy Control and Charging (PCC) network element of the 3GPP system, is connected through the S9* interface to the Broadband Policy Control Function (BPCF), the policy control function entity of the fixed network, to implement policy interworking and resource management. In this way, fixed network resources can be reasonably controlled and managed, and higher-priority resources accessed through the H(e)NB are guaranteed first.

As described above, if the fixed network is required to provide a QoS guarantee for the line of the accessing H(e)NB, the fixed network needs to locate the fixed network line on which the H(e)NB currently resides (called the backhaul in the technical specifications, that is, the fixed network backhaul network). In the prior art, the fixed network line is located by means of the tunnel information of the H(e)NB. This information is sent to the PCRF through the procedure in which the terminal attaches via the H(e)NB or through the PDN connection establishment procedure.
Based on this information, the PCRF finds the BPCF that manages the resources of the fixed network line of the H(e)NB and establishes an S9* session with it.

When a home base station HeNB (the HNB case is similar) accesses the EPC, an IPsec tunnel is established between the HeNB and the SeGW, shown as the pipe in FIG. 1; the HeNB and the SeGW are the two endpoints of the IPsec tunnel.

If there is no Network Address Translation (NAT) in the fixed network/wireless LAN, as shown in FIG. 2, that is, when there is no Residential Gateway (RG) or the RG operates in bridge mode, the outer IP address of the HeNB, also called its local address, is allocated by the fixed network/wireless LAN access network, specifically by the Broadband Network Gateway/Broadband Remote Access Server (BNG/BRAS). This address is the valid local/outer IP address and forms part of the tunnel information.

If there is network address translation in the WLAN network, as shown in FIG. 3, the NAT device allocates a private IP address to the HeNB. As the local/outer IP address of the terminal, this address is invalid for locating the fixed network link. However, the BNG/BRAS allocates a public IP address to the RG, and the RG holds a one-to-one mapping between the private local/outer IP address of the HeNB and the public IP address of the RG plus a port number. When a data packet is transmitted between the HeNB and the RG, its outer encapsulation carries the private address of the HeNB; after the packet traverses the NAT, its outer encapsulation carries the public IP address of the RG plus the corresponding port number. For locating the fixed network link, the private local/outer IP address of the HeNB is invalid, while the public IP address of the RG (possibly with the port number) is the valid information for locating the fixed network line. The public IP address of the RG is therefore also referred to here as the valid outer/local IP address/port number of the HeNB, or simply the outer/local IP address/port number of the HeNB. This information also forms part of the tunnel information.

In addition to fixed network information such as the valid local/outer IP address (and port number) of the HeNB, the tunnel information may also include the following: the Fully Qualified Domain Name (FQDN) of the BPCF; the address and/or port number of the SeGW, one of the endpoints of the IPsec tunnel; the identity of the HeNB, such as the International Mobile Station Identity (IMSI); and the Virtual Local Area Network Identity (VLAN ID) of the VLAN in which the HeNB is located.

The current problem is how the H(e)NB can obtain information such as its own valid outer or local IP address and port number, which is part of the tunnel information. When the H(e)NB establishes an IPSec tunnel with the SeGW, if there is no address translation device such as an RG between the H(e)NB and the SeGW, the H(e)NB itself knows its valid outer or local IP address and port number. However, if there is an address translation device between the H(e)NB and the SeGW, then although the H(e)NB knows its own outer or local IP address and port number, that address and port number are private and invalid (invalid for locating the fixed network link) and cannot be used to locate the fixed network link on which the H(e)NB resides. How the H(e)NB can obtain its own valid outer or local IP address and port number in a scenario with NAT is therefore a problem to be solved.

SUMMARY OF THE INVENTION

The present invention provides a tunnel information acquisition method, a security gateway, and an evolved home base station/home base station, to at least solve the above problem of how the H(e)NB can obtain its own valid local IP address in a scenario where NAT exists.
According to one aspect of the present invention, a tunnel information acquisition method is provided, including: establishing an IPSec tunnel between a security gateway SeGW and an evolved home base station/home base station H(e)NB; and sending, by the SeGW, tunnel information to the H(e)NB, where the tunnel information includes the valid local IP address of the H(e)NB.

Preferably, before the SeGW sends the tunnel information to the H(e)NB, the method further includes: receiving, by the SeGW, a first message from the H(e)NB for requesting the tunnel information.

Preferably, the first message carries the initial address of the H(e)NB as detected by the H(e)NB and the initial address of the SeGW as detected by the H(e)NB.

Preferably, the sending of the tunnel information to the H(e)NB by the SeGW includes: sending, by the SeGW, a second message to the H(e)NB, where the second message carries the valid local IP address of the H(e)NB.

Preferably, the second message further carries the initial address of the SeGW as detected by the SeGW.

Preferably, the second message also carries the valid local port number of the H(e)NB.

Preferably, the first message is one of the following: IKE_SA_INIT request/response (Internet Key Exchange Security Association initial request/response), IKE_AUTH request/response (Internet Key Exchange authentication request/response), CREATE_CHILD_SA request/response (create child security association request/response).

Preferably, the second message is one of the following: IKE_SA_INIT request/response, IKE_AUTH request/response, CREATE_CHILD_SA request/response.

Preferably, the second message carries NAT-OAi=NATPub and NAT-OAr=Raddr, where NAT-OAi is the initial address of the initiator H(e)NB as detected by the responder SeGW, and NAT-OAr is the initial address of the responder SeGW as detected by the responder SeGW.
Preferably, the second message carries TSi and TSr, where TSi carries the initial address of the initiator H(e)NB as detected by the responder SeGW, and TSr carries the initial address of the responder SeGW as detected by the responder SeGW.

Preferably, the H(e)NB reports the tunnel information via the EPC network to the fixed network side through which it gains access; the fixed network side locates the fixed network link of the H(e)NB according to the tunnel information.

According to another aspect of the present invention, a security gateway is provided, including: a first tunnel module, configured to establish an IPSec tunnel between the SeGW and the evolved home base station/home base station H(e)NB; and a tunnel information sending module, configured to send tunnel information to the H(e)NB, where the tunnel information includes the valid local IP address of the H(e)NB.

Preferably, the SeGW further includes: a receiving module, configured to receive a first message from the H(e)NB for requesting the tunnel information.

Preferably, the tunnel information sending module includes: a sending submodule, configured to send a second message to the H(e)NB, where the second message carries the valid local IP address of the H(e)NB.

Preferably, the second message also carries the valid local port number of the H(e)NB.

According to still another aspect of the present invention, an evolved home base station/home base station is provided, including: a second tunnel module, configured to establish an IPSec tunnel between the security gateway SeGW and the H(e)NB; and a tunnel information receiving module, configured to receive tunnel information from the SeGW, where the tunnel information includes the valid local IP address of the H(e)NB.

In the present invention, the SeGW sends tunnel information including the valid local IP address of the H(e)NB to the H(e)NB. This solves the problem of how the H(e)NB obtains its own valid local IP address in a NAT scenario, so that the fixed network side can locate the fixed network link on which the H(e)NB resides according to the tunnel information and guarantee the quality of service on that link.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings described here are provided for a further understanding of the present invention and form a part of this application. The exemplary embodiments of the present invention and their description are used to explain the present invention and do not constitute an undue limitation on it. In the drawings:

FIG. 1 is an architecture diagram of HeNB access converged with the EPS according to the related art;
FIG. 2 is a schematic diagram of address allocation in a scenario without NAT according to the related art;
FIG. 3 is a schematic diagram of address allocation in a scenario with NAT according to the related art;
FIG. 4 is a flowchart of a tunnel information acquisition method according to an embodiment of the present invention;
FIG. 5 is a flowchart of a tunnel information acquisition method according to Embodiment 1 of the present invention;
FIG. 6 is a flowchart of a tunnel information acquisition method according to Embodiment 2 of the present invention;
FIG. 7 is a schematic structural diagram of a SeGW according to an embodiment of the present invention; and
FIG. 8 is a schematic structural diagram of an evolved home base station/home base station according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, where no conflict arises, the embodiments in this application and the features in the embodiments may be combined with each other.

FIG. 4 is a flowchart of a tunnel information acquisition method according to an embodiment of the present invention. As shown in FIG. 4, the method includes the following steps:

Step S402: An IPSec tunnel is established between the security gateway SeGW and the evolved home base station/home base station H(e)NB.

Step S404: The SeGW sends tunnel information to the H(e)NB, where the tunnel information includes the valid local IP address of the H(e)NB.
In this embodiment, the SeGW sends tunnel information including the valid local IP address of the H(e)NB to the H(e)NB. This solves the problem of how the H(e)NB obtains its own valid local IP address in a NAT scenario, so that the fixed network side can locate the fixed network link of the H(e)NB according to the tunnel information and guarantee the quality of service on that link.

Embodiment 1

This embodiment describes the procedure by which the H(e)NB and the SeGW negotiate each other's addresses when an IPsec tunnel is established between them in the Quick Mode of IKEv1 (The Internet Key Exchange Protocol version 1).

In this embodiment, data security between the H(e)NB and the SeGW uses tunnel mode, so the H(e)NB and the SeGW must negotiate each other's address information. As shown in FIG. 5, the procedure includes the following steps:

Step S502: The H(e)NB sends a first message to the SeGW.

The first message may carry NAT-OAi=Iaddr and NAT-OAr=Raddr. NAT-OAi is the initial address (OA, original address) of the initiator (i, initiator) H(e)NB as observed by the initiator H(e)NB; its actual value is Iaddr (Initiator address, that is, the private IP address allocated to the terminal by the RG). NAT-OAr is the initial address (original address, OA for short) of the responder (r, responder) SeGW as observed by the initiator H(e)NB; its actual value is Raddr (Responder address), that is, the actual address of the SeGW. The first message may be an IKE_SA_INIT request/response, an IKE_AUTH request/response, or a CREATE_CHILD_SA request/response message.

The first message may carry an indication, which indicates that the H(e)NB requests its valid local/outer IP address from the SeGW.

The SeGW may leave the first message unchanged; by default, after receiving the first message the SeGW sends the H(e)NB its valid local/outer IP address.
Step S504: The SeGW sends a second message to the H(e)NB.

The second message carries both NAT-OAi=NATPub and NAT-OAr=Raddr. NAT-OAi is the initial address (OA, original address) of the initiator (i, initiator) H(e)NB as observed by the responder SeGW after NAT traversal; its actual value is NATPub (NAT public address, that is, the public IP address of the RG). NAT-OAr is the initial address (Original Address, OA for short) of the responder (r, responder) SeGW as observed by the responder SeGW after NAT traversal; its actual value is Raddr (Responder address), that is, the actual address of the SeGW. The second message may be an IKE_SA_INIT request/response, an IKE_AUTH request/response, or a CREATE_CHILD_SA request/response message.

The second message may instead carry only NAT-OAi=NATPub to the H(e)NB.

Through the above interaction, the H(e)NB obtains its valid local/outer IP address after NAT translation, that is, NATPub in the above procedure.

In addition, the port number can also be carried to the H(e)NB by extending the information element NAT-OAi, or by adding a similar information element, so that the H(e)NB obtains its valid local/outer port number.

The initial address of the initiator H(e)NB that the SeGW can observe, as mentioned above, means that after receiving the first message of step S502, the SeGW takes the source address of the first message as the observed initial address of the initiator H(e)NB.

Step S506: Having obtained in step S504 the valid local/outer address of the H(e)NB as observed by the SeGW (that is, the IP address of the RG), the H(e)NB constructs the tunnel information with this local address as one component.

Step S508: When the terminal initiates an operation such as attach, PDN connection establishment, handover, TAU (Tracking Area Update) or RAU (Routing Area Update) from the H(e)NB, the H(e)NB sends the "tunnel information" to the 3GPP core network element (MME/SGSN) in an interface message between the H(e)NB and the 3GPP core network element (the MME for an HeNB, the SGSN for an HNB); this is an S1 interface message for an HeNB and an Iu interface message for an HNB. After receiving the tunnel information, the 3GPP core network passes it along the path MME → S-GW → (P-GW →) PCRF → fixed network (BPCF), or along the path SGSN → GGSN → PCRF → fixed network (BPCF). After the tunnel information reaches the PCRF, the PCRF uses it to locate the fixed network BPCF, and the relevant fixed network element (the BPCF or another proxy network element) uses the received tunnel information to locate the fixed network line on which the H(e)NB resides and to guarantee resources on that line (for example, QoS guarantees).

Embodiment 2

Embodiment 2 describes the procedure by which the H(e)NB and the SeGW negotiate each other's addresses when an IPsec tunnel is established between them in an IKEv2 (The Internet Key Exchange Protocol version 2) scenario, where the addresses are conveyed in Traffic Selectors (TS).

In this embodiment, data security between the H(e)NB and the SeGW uses tunnel mode, so the H(e)NB and the SeGW must negotiate each other's address information. As shown in FIG. 6, the procedure includes the following steps:

Step S602: The H(e)NB sends a first message to the SeGW.

The first message carries TSi and TSr. TSi specifies the source address of service data sent by the initiator of the security association, or the destination address of service data sent to the initiator of the security association. TSr specifies the source address of service data sent by the responder of the security association, or the destination address of service data sent to the responder of the security association.
TSi carries the initial address of the initiator (i, initiator) H(e)NB as observed by the H(e)NB; its actual value is the private IP address allocated to the terminal by the RG. TSr carries the initial address of the responder (r, responder) SeGW as observed by the initiator H(e)NB; its actual value is the actual address of the SeGW. The first message may be an IKE_SA_INIT request/response (Internet Key Exchange Security Association initial request/response), an IKE_AUTH request/response (Internet Key Exchange authentication request/response), or a CREATE_CHILD_SA request/response (create child security association request/response) message.

The first message carries an indication, which indicates that the H(e)NB requests its valid local/outer IP address from the SeGW.

Where the first message is left unchanged, the SeGW by default sends the H(e)NB its valid local/outer IP address after receiving the first message.

Step S604: The SeGW sends a second message to the H(e)NB.

The second message carries TSi and TSr. TSi carries the initial address of the initiator (i, initiator) H(e)NB as observed by the responder SeGW after NAT traversal; its actual value is the public IP address of the RG. TSr carries the initial address of the responder (r, responder) SeGW as observed by the responder SeGW after NAT traversal; its actual value is the actual address of the SeGW. The second message may be an IKE_SA_INIT request/response, an IKE_AUTH request/response, or a CREATE_CHILD_SA request/response message.

The second message may carry only TSi to the H(e)NB.

Through the above operations, the H(e)NB obtains its valid local/outer IP address after NAT translation, namely the public address of the RG.

In addition, in this embodiment the port number can also be carried to the H(e)NB by extending the information element TSi, or by adding a similar information element, so that the H(e)NB obtains its valid local/outer port number.
The initial address of the initiator H(e)NB that the SeGW can observe, as mentioned above, means that after receiving the first message of step S602, the SeGW takes the source address of the first message as the observed initial address of the initiator H(e)NB.

Step S606: Having obtained in step S604 the valid local/outer address of the H(e)NB as observed by the SeGW (that is, the IP address of the RG), the H(e)NB constructs the tunnel information with this local address as one component.

Step S608: When the terminal initiates an operation such as attach, PDN connection establishment, handover, TAU (Tracking Area Update) or RAU (Routing Area Update) from the H(e)NB, the H(e)NB sends the "tunnel information" to the 3GPP core network element (MME/SGSN) in an interface message between the H(e)NB and the 3GPP core network element (the MME for an HeNB, the SGSN for an HNB); this is an S1 interface message for an HeNB and an Iu interface message for an HNB. After receiving the tunnel information, the 3GPP core network passes it along the path MME → S-GW → (P-GW →) PCRF → fixed network (BPCF), or along the path SGSN → GGSN → PCRF → fixed network (BPCF). After the tunnel information reaches the PCRF, the PCRF uses it to locate the fixed network BPCF, and the relevant fixed network element (the BPCF or another proxy network element) uses the received tunnel information to locate the fixed network line on which the H(e)NB resides and to guarantee resources on that line (for example, QoS guarantees).

FIG. 7 is a schematic structural diagram of a SeGW according to an embodiment of the present invention. As shown in FIG. 7, the SeGW 100 includes a first tunnel module 102 and a tunnel information sending module 104.

The first tunnel module 102 is configured to establish an IPSec tunnel between the SeGW and the evolved home base station/home base station H(e)NB.
The tunnel information sending module 104 is configured to send tunnel information to the H(e)NB, where the tunnel information includes the valid local IP address of the H(e)NB.

In this embodiment, the SeGW sends tunnel information including the valid local IP address of the H(e)NB to the H(e)NB. This solves the problem of how the H(e)NB obtains its own valid local IP address in a NAT scenario, so that the fixed network side can locate the fixed network link of the H(e)NB according to the tunnel information and guarantee the quality of service of the H(e)NB in the fixed network.

The SeGW further includes a receiving module 106 (not shown in the figure), which is configured to receive a first message from the H(e)NB for requesting the tunnel information.

FIG. 8 is a schematic structural diagram of an evolved home base station/home base station according to an embodiment of the present invention. As shown in FIG. 8, the H(e)NB 200 includes a second tunnel module 202 and a tunnel information receiving module 204.

The second tunnel module 202 is configured to establish an IPSec tunnel between the security gateway SeGW and the H(e)NB. The tunnel information receiving module 204 is configured to receive tunnel information from the SeGW, where the tunnel information includes the valid local IP address of the H(e)NB.

In the above embodiments of the present invention, the SeGW sends tunnel information including the valid local IP address of the H(e)NB to the H(e)NB. This solves the problem of how the H(e)NB obtains its own valid local IP address in a NAT scenario, so that the fixed network side can locate the fixed network link of the H(e)NB according to the tunnel information and guarantee the quality of service on that link.
Obviously, those skilled in the art should understand that the above modules or steps of the present invention can be implemented by a general-purpose computing device, and can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases, the steps shown or described may be performed in an order different from that herein, or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software. The above is only the preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.

Claims

1. A method for acquiring tunnel information, including:
establishing an Internet Protocol Security (IPSec) tunnel between a security gateway (SeGW) and an evolved home base station/home base station (H(e)NB);
sending, by the SeGW, the tunnel information to the H(e)NB, where the tunnel information includes a local IP address of the H(e)NB.

2. The method according to claim 1, wherein before the SeGW sends the tunnel information to the H(e)NB, the method further includes:
receiving, by the SeGW, a first message from the H(e)NB, the first message being set to request the tunnel information.

3. The method according to claim 2, wherein the first message carries the initial address of the H(e)NB detected by the H(e)NB and the initial address of the SeGW detected by the H(e)NB.

4. The method according to claim 1 or 2, wherein the sending, by the SeGW, of the tunnel information to the H(e)NB includes:
sending, by the SeGW, a second message to the H(e)NB, where the second message carries the local IP address of the H(e)NB.

5. The method according to claim 4, wherein the second message further carries the initial address of the SeGW detected by the SeGW.

6. The method according to claim 4, wherein the second message further carries a local port number of the H(e)NB.

7. The method according to claim 2, wherein the first message is one of the following:
Internet Key Exchange security association initial request/response (IKE_SA_INIT request/response), Internet Key Exchange authentication request/response (IKE_AUTH request/response), create child security association request/response (CREATE_CHILD_SA request/response).

8. The method according to claim 4, wherein the second message is one of the following:
Internet Key Exchange security association initial request/response (IKE_SA_INIT request/response), Internet Key Exchange authentication request/response (IKE_AUTH request/response), create child security association request/response (CREATE_CHILD_SA request/response).

9. The method according to claim 8, wherein the second message carries NAT-OAi=NATPub and NAT-OAr=Raddr, where NAT-OAi is the initial address of the initiator H(e)NB detected by the responder SeGW, and NAT-OAr is the initial address of the responder SeGW detected by the responder SeGW.

10. The method according to claim 8, wherein the second message carries TSi and TSr, where TSi carries the initial address of the initiator H(e)NB detected by the responder SeGW, and TSr carries the initial address of the responder SeGW detected by the responder SeGW.

11. The method according to claim 1, wherein
the H(e)NB reports the tunnel information, via the evolved packet core (EPC) network, to the fixed network side that it accesses; and the fixed network side locates the fixed network link of the H(e)NB according to the tunnel information.

12. A security gateway (SeGW), including:
a first tunnel module, configured to establish an Internet Protocol Security (IPSec) tunnel between the SeGW and an evolved home base station/home base station (H(e)NB);
a tunnel information sending module, configured to send the tunnel information to the H(e)NB, where the tunnel information includes a local IP address of the H(e)NB.

13. The SeGW according to claim 12, wherein the SeGW further includes:
a receiving module, configured to receive a first message from the H(e)NB requesting the tunnel information.

14. The SeGW according to claim 12, wherein the tunnel information sending module includes:
a sending submodule, configured to send a second message to the H(e)NB, where the second message carries the local IP address of the H(e)NB.

15. The SeGW according to claim 14, wherein the second message further carries a local port number of the H(e)NB.

16. An evolved home base station/home base station (H(e)NB), including:
a second tunnel module, configured to establish an Internet Protocol Security (IPSec) tunnel between a security gateway (SeGW) and the H(e)NB;
a tunnel information receiving module, configured to receive tunnel information from the SeGW, where the tunnel information includes a local IP address of the H(e)NB.
PCT/CN2012/076020 2011-06-14 2012-05-24 Method for obtaining tunnel information, a security gateway(segw) and an evolved home base station/ a home base station WO2012171430A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110159243.6 2011-06-14
CN2011101592436A CN102833359A (en) 2011-06-14 2011-06-14 Tunnel information acquiring method, SeGW (security gateway), evolution H(e)NB (home node B)/H(e)NB

Publications (1)

Publication Number Publication Date
WO2012171430A1 true WO2012171430A1 (en) 2012-12-20

Family

ID=47336326

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/076020 WO2012171430A1 (en) 2011-06-14 2012-05-24 Method for obtaining tunnel information, a security gateway(segw) and an evolved home base station/ a home base station

Country Status (2)

Country Link
CN (1) CN102833359A (en)
WO (1) WO2012171430A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105516062B (en) * 2014-09-25 2020-07-31 南京中兴软件有限责任公司 Method for realizing L2 TP over IPsec access
CN109428852B (en) * 2017-07-18 2023-09-15 中兴通讯股份有限公司 Communication tunnel endpoint address separation method, terminal, ePDG and storage medium
US20190306116A1 (en) * 2018-03-27 2019-10-03 Microsoft Technology Licensing, Llc Multiplexing security tunnels
CN109152096B (en) * 2018-09-27 2020-09-25 安科讯(福建)科技有限公司 Message transmission method of EPS (evolved packet System) architecture and computer-readable storage medium
WO2020034378A1 (en) * 2018-10-12 2020-02-20 Zte Corporation Location reporting for mobile devices

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101426030A (en) * 2008-12-09 2009-05-06 华为技术有限公司 Method and terminal for acquiring network address
CN101437223A (en) * 2007-11-16 2009-05-20 华为技术有限公司 Access method, system and apparatus for household base station
CN101621433A (en) * 2008-07-02 2010-01-06 上海华为技术有限公司 Method, device and system for configuring access equipment
WO2011053040A2 (en) * 2009-11-02 2011-05-05 Lg Electronics Inc. Nat traversal for local ip access

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729337B (en) * 2008-10-31 2012-08-29 华为技术有限公司 Method, equipment and system for establishing transmission load-bearing and method for transmitting downlink data
CN101754211A (en) * 2008-12-15 2010-06-23 华为技术有限公司 Authentication and negotiation method, system, security gateway and wireless family access point
WO2010096963A1 (en) * 2009-02-27 2010-09-02 华为技术有限公司 Configuration method and apparatus for wireless backhaul ip address
CN102457974B (en) * 2010-11-01 2015-08-12 中兴通讯股份有限公司 A kind of service admission control method and system

Also Published As

Publication number Publication date
CN102833359A (en) 2012-12-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12800646

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12800646

Country of ref document: EP

Kind code of ref document: A1