WO2020147643A1 - Security protection method and apparatus - Google Patents


Info

Publication number
WO2020147643A1
Authority
WO, WIPO (PCT)
Prior art keywords
identifier, network device, sessions, target, access network
Application number
PCT/CN2020/071237
Other languages
French (fr), Chinese (zh)
Inventor
张博
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • H04W36/12 Reselecting a serving backbone network switching or routing node
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Definitions

  • The embodiments of the present application relate to the field of communications, and in particular to a security protection method and device.
  • An end-to-end protection mechanism is adopted between the terminal and the core network to protect the information in a session.
  • The end-to-end protection mechanism does not encrypt the information used to identify the session in the data packet (for example, the session ID or bearer ID), so an attacker can easily obtain this information during air interface transmission and use it to track the session, thereby threatening the security of the session.
  • The industry has proposed the following technical solution: during session establishment, the access network device generates a short-term identifier corresponding to the session and sends it to the terminal. The data packets transmitted between the access network device and the terminal then carry the short-term identifier instead of the information that identifies the session. Even if an attacker obtains the short-term identifier, the attacker does not know the correspondence between the short-term identifier and the session-identifying information, and so cannot track the session; the security of the session is thereby ensured.
  • This application provides a security protection method and device, which are used to ensure the security of the session in a handover scenario.
  • In a first aspect, a security protection method includes: a second access network device receives a handover request, where the handover request is used to instruct the terminal to hand over from the first access network device to the second access network device and includes information about M sessions; the information about each of the M sessions includes the first identifier of the session, and M is a positive integer. The second access network device determines N target sessions from the M sessions, where the N target sessions are a non-zero subset of the M sessions, N is less than or equal to M, and N is a positive integer. The second access network device determines the second identifier of each of the N target sessions. The second access network device sends N pieces of correspondence information to the terminal, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece indicates the correspondence between the first identifier and the second identifier of the corresponding target session.
  • Based on this technical solution, both the terminal and the second access network device can obtain the N pieces of correspondence information.
  • The correspondence information indicates the correspondence between the first identifier and the second identifier of the target session.
  • When the terminal and the second access network device send a message of the target session, the message does not carry the first identifier but carries the second identifier, thereby preventing the target session from being tracked by an attacker and ensuring the security of the target session.
  • In one implementation, the second access network device determining the second identifier of each of the N target sessions includes: the second access network device sends information about the N target sessions to the core network device, and then receives from the core network device the second identifier of each of the N target sessions.
  • In another implementation, the second access network device determining the second identifier of each of the N target sessions includes: the second access network device generates the second identifier of each of the N target sessions according to a preset rule.
  • The first identifier of the session includes at least one of the following parameters: the identifier of the link between the terminal and the user plane function (UPF), the tunnel identifier of the link between the terminal and the UPF, the session identifier, the UPF address, the terminal identifier, the quality of service flow identifier, the bearer identifier, the slice identifier, and the UPF identifier.
  • UPF user plane function
  • The correspondence information includes the first identifier and the second identifier of the target session.
  • In a second aspect, a security protection method includes: a second AMF receives information about M sessions sent by a first AMF, where the information about each of the M sessions includes the first identifier of the session, and M is a positive integer. The second AMF determines N target sessions from the M sessions, where the N target sessions are a non-zero subset of the M sessions, N is less than or equal to M, and N is a positive integer. The second AMF determines the second identifier of each of the N target sessions. The second AMF sends N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece indicates the correspondence between the first identifier and the second identifier of the corresponding target session. The second AMF also sends the N pieces of correspondence information to the terminal.
  • Based on this technical solution, both the terminal and the second access network device can obtain the N pieces of correspondence information.
  • The correspondence information indicates the correspondence between the first identifier and the second identifier of the target session.
  • When the terminal and the second access network device send a message of the target session, the message does not carry the first identifier but carries the second identifier, thereby preventing the target session from being tracked by an attacker and ensuring the security of the target session.
  • In one implementation, the second AMF receiving the information about the M sessions sent by the first AMF includes: the second AMF receives a registration request that includes the identification of the terminal; the second AMF sends a context establishment request to the first AMF, which is used to request the information about the sessions of the terminal; the second AMF then receives the information about the M sessions sent by the first AMF.
  • In one implementation, the second AMF determining the N target sessions from the M sessions includes: the second AMF sends the information about the M sessions to a network device, and then receives the information about the N target sessions sent by the network device.
  • The network device may be the second access network device or a session management function (SMF) network element.
  • In one implementation, the second AMF determining the second identifier of each of the N target sessions includes: the second AMF sends the information about the N target sessions to the network device, and then receives the N pieces of correspondence information sent by the network device.
  • In one implementation, the second AMF sending the N pieces of correspondence information to the terminal includes: the second AMF sends the N pieces of correspondence information to the terminal through the second access network device.
  • In another implementation, the second AMF sending the N pieces of correspondence information to the terminal includes: the second AMF sends the N pieces of correspondence information to the terminal through the first access network device and the first AMF.
  • In a third aspect, a security protection method includes: an AMF receives information about M bearers sent by an MME; the AMF sends the information about the M bearers to an SMF; the AMF receives information about M sessions from the SMF, where the information about the M sessions corresponds one-to-one to the information about the M bearers. The information about each of the M sessions includes the first identifier of the session, and M is a positive integer. The AMF determines N target sessions from the M sessions, where N is less than or equal to M and N is a positive integer. The AMF determines the second identifier of each of the N target sessions. The AMF sends N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece indicates the correspondence between the first identifier and the second identifier of the corresponding target session. The AMF also sends the N pieces of correspondence information to the terminal.
  • Based on this technical solution, in the handover process, both the terminal and the second access network device can obtain the N pieces of correspondence information.
  • The correspondence information indicates the correspondence between the first identifier and the second identifier of the target session.
  • When the terminal and the second access network device send a message of the target session, the message does not carry the first identifier but carries the second identifier, thereby preventing the target session from being tracked by an attacker and ensuring the security of the target session.
  • In one implementation, before the AMF receives the information about the M bearers sent by the MME, the method further includes: the MME receives a handover request, which is used to instruct the terminal to hand over from the first access network device to the second access network device and includes the information about the M bearers.
  • In another implementation, before the AMF receives the information about the M bearers sent by the MME, the method further includes: the AMF receives a registration request that includes the identification of the terminal; the AMF sends a context establishment request to the MME, which is used to request the bearer information of the terminal.
  • In one implementation, the AMF determining the N target sessions from the M sessions includes: the AMF sends the information about the M sessions to a network device, and then receives the information about the N target sessions sent by the network device.
  • The network device may be the second access network device or a session management function (SMF) network element.
  • In one implementation, the AMF determining the second identifier of each of the N target sessions includes: the AMF sends the information about the N target sessions to the network device, and then receives the N pieces of correspondence information sent by the network device.
  • In one implementation, the AMF sending the N pieces of correspondence information to the terminal includes: the AMF sends the N pieces of correspondence information to the terminal through the second access network device.
  • In another implementation, the AMF sending the N pieces of correspondence information to the terminal includes: the AMF sends the N pieces of correspondence information to the terminal through the first access network device and the MME.
  • In a fourth aspect, a security protection method includes: a first access network device determines N target sessions from M sessions of a terminal, where N is less than or equal to M and both M and N are positive integers. The first access network device determines the second identifier of each of the N target sessions. The first access network device sends N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece indicates the correspondence between the first identifier and the second identifier of the corresponding target session. The first access network device also sends the N pieces of correspondence information to the terminal.
  • Based on this technical solution, both the terminal and the second access network device can obtain the N pieces of correspondence information.
  • The correspondence information indicates the correspondence between the first identifier and the second identifier of the target session.
  • When the terminal and the second access network device send a message of the target session, the message does not carry the first identifier but carries the second identifier, thereby preventing the target session from being tracked by an attacker and ensuring the security of the target session.
  • In one implementation, before the first access network device determines the N target sessions from the M sessions of the terminal, the method further includes: the first access network device determines to initiate a handover procedure.
  • In a fifth aspect, a security protection method includes: a first AMF receives a handover request sent by a first access network device, where the handover request is used to instruct the terminal to hand over from the first access network device to the second access network device and includes information about M sessions; the information about each of the M sessions includes the first identifier of the session, and M is a positive integer. The first AMF determines N target sessions from the M sessions, where N is less than or equal to M and both M and N are positive integers. The first AMF determines the second identifier of each of the N target sessions. The first AMF sends N pieces of correspondence information to the second access network device through the second AMF, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece indicates the correspondence between the first identifier and the second identifier of the corresponding target session. The first AMF sends the N pieces of correspondence information to the terminal through the first access network device.
  • Based on this technical solution, both the terminal and the second access network device can obtain the N pieces of correspondence information.
  • The correspondence information indicates the correspondence between the first identifier and the second identifier of the target session.
  • When the terminal and the second access network device send a message of the target session, the message does not carry the first identifier but carries the second identifier, thereby preventing the target session from being tracked by an attacker and ensuring the security of the target session.
  • In a sixth aspect, a communication device includes a receiving module, a processing module, and a sending module. The communication device is configured to execute the method according to any one of the first aspect to the fifth aspect.
  • In a seventh aspect, a communication device includes a processor, configured to couple with a memory, read the instructions in the memory, and implement the method described in any one of the first aspect to the fifth aspect according to the instructions.
  • In an eighth aspect, a computer-readable storage medium stores instructions that, when run on a communication device, enable the communication device to execute the method described in any one of the first aspect to the fifth aspect.
  • In a ninth aspect, a computer program product contains instructions that, when run on a communication device, enable the communication device to execute the method described in any one of the first aspect to the fifth aspect.
  • In a tenth aspect, a chip includes a processing module and a communication interface. The communication interface is used to transmit received code instructions to the processing module, and the processing module is used to run the code instructions so that the communication device executes the method of any one of the first aspect to the fifth aspect.
  • The code instructions can come from a memory inside the chip or from a memory outside the chip.
  • The processing module may be a processor, a microprocessor, or an integrated circuit integrated on the chip.
  • The communication interface may be an input/output circuit or a transceiver pin on the chip.
  • FIG. 1 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of a communication device provided by an embodiment of this application.
  • FIG. 3 is a flowchart of a security protection method provided by an embodiment of the application.
  • FIG. 5 is a flowchart of another security protection method provided by an embodiment of the application.
  • FIG. 6 is a flowchart of another security protection method provided by an embodiment of the application.
  • FIG. 7 is a flowchart of another security protection method provided by an embodiment of the application.
  • FIG. 8 is a flowchart of another security protection method provided by an embodiment of the application.
  • FIG. 9 is a flowchart of another security protection method provided by an embodiment of the application.
  • FIG. 10 is a schematic structural diagram of a communication device provided by an embodiment of this application.
  • 1. The first access network device, the second access network device, the first AMF, and the second AMF
  • The first access network device is the access network device to which the terminal is connected before the handover.
  • The first access network device may also be referred to as the source access network device.
  • The second access network device is the access network device to which the terminal is connected after the handover, or the access network device to which the terminal is connected after it re-registers.
  • The second access network device may also be referred to as the target access network device.
  • The first AMF is the AMF that provides services to the terminal before the handover.
  • The first AMF may also be referred to as the source AMF.
  • The second AMF is the AMF that provides services to the terminal after the handover.
  • The second AMF may also be referred to as the target AMF.
  • The first identifier of the session is one of the following parameters: the identifier of the link between the terminal and the UPF, the tunnel identifier of the link between the terminal and the UPF, the slice identifier, the session identifier, the address of the UPF, the identifier of the UPF, the terminal identifier, the quality of service (QoS) flow identifier, and the bearer identifier.
  • The address of the UPF includes: an internet protocol (IP) address of the UPF, a media access control (MAC) address of the UPF, or an instance identifier of the UPF.
  • IP internet protocol
  • MAC media access control
  • The above-mentioned bearer identifier includes: a radio bearer identifier, an evolved packet system (EPS) bearer identifier, an evolved radio access bearer (E-RAB) identifier, or a future network bearer identifier.
  • EPS evolved packet system
  • E-RAB evolved radio access bearer
  • The second identifier of the session has a corresponding relationship with the first identifier of the session.
  • The second identifier of the session is used to ensure the security of the session. In this embodiment of the application, the second identifier of the session is not required to reflect any information about the session; even if an attacker intercepts the second identifier, the attacker does not know the correspondence between the second identifier and the first identifier of the session, and so cannot track the session through the second identifier.
  • The second identifier of the session can be a value generated using a certain derivation rule, a randomly generated number, or an existing identifier, such as an identifier related to the cell where the terminal is located, the cell terminal identifier, a radio network temporary identity (RNTI), a carrier frequency, or an identifier related to air interface resources.
  • The carrier frequency may be a 5G carrier frequency, a 4G carrier frequency, etc.
  • The 4G carrier frequency can also be called the E-UTRA absolute radio frequency channel number (EARFCN).
  • The radio network temporary identity may be a cell radio network temporary identity (C-RNTI), a temporary C-RNTI, a paging RNTI, a multicast broadcast RNTI, an inactive RNTI, etc., without limitation.
  • The network architecture and business scenarios described in the embodiments of the present application are intended to explain the technical solutions of the embodiments more clearly and do not constitute a limitation on the technical solutions provided by the embodiments.
  • The technical solutions provided by the embodiments of the present application are also applicable to similar technical problems.
  • The technical solutions provided in the embodiments of the present application may be applied to various communication systems, for example, a new radio (NR) communication system using 5th generation (5G) communication technology, a future evolved system, or a system in which multiple communication technologies are converged.
  • The technical solution provided in this application can be applied to a variety of application scenarios, such as machine to machine (M2M), macro and micro communications, enhanced mobile broadband (eMBB), ultra-reliable and low latency communication (uRLLC), and massive machine type communication (mMTC).
  • M2M machine to machine
  • eMBB enhanced mobile broadband
  • uRLLC ultra-reliable and low latency communication
  • mMTC massive machine type communication
  • FIG. 1 is a schematic structural diagram of a communication system provided by an embodiment of this application.
  • The communication system includes: terminals, access network (AN) equipment, and a core network.
  • AN access network
  • The terminal is used to provide users with voice and/or data connectivity services.
  • The terminal may have different names, such as user equipment (UE), access terminal, terminal unit, terminal station, mobile station, remote station, remote terminal, mobile device, wireless communication device, terminal agent, or terminal device.
  • The terminal may be any of various handheld devices with communication functions, vehicle-mounted devices, wearable devices, and computers, which are not limited in this embodiment of the present application.
  • The handheld device may be a smart phone or a virtual reality (VR) device.
  • The vehicle-mounted device may be a vehicle-mounted navigation system.
  • The wearable device may be a smart bracelet.
  • The computer can be a personal digital assistant (PDA) computer, a tablet computer, or a laptop computer.
  • PDA personal digital assistant
  • The access network device can be an access point for wireless or wired communication, such as a base station or a base station controller, an access point or controller for wireless fidelity (wifi), or an access point for fixed network access, etc.
  • The base station may include various types of base stations, such as micro base stations (also called small stations), macro base stations, relay stations, access points, etc., which are not specifically limited in the embodiment of the present application.
  • The base station may be a base transceiver station (BTS) in the global system for mobile communication (GSM), code division multiple access (CDMA), and broadband
  • BTS base transceiver station
  • GSM global system for mobile communication
  • CDMA code division multiple access
  • WCDMA wideband code division multiple access
  • eNB or e-NodeB evolved node B
  • LTE long term evolution
  • NB-IoT narrowband internet of things
  • PLMN public land mobile network
  • The core network provides the interface from the terminal to a data network (DN), provides communication connection, authentication, management, and policy control, and bears the data services of the terminal.
  • The core network includes various core network devices, such as the access and mobility management function (AMF), the UPF, and the SMF.
  • The AMF is used for access control and mobility management when the terminal accesses the network; the AMF communicates with the access network device through the N2 interface.
  • The SMF is used to manage the user's packet data unit (PDU) sessions and QoS flows, and to formulate packet inspection and forwarding rules for the UPF.
  • PDU packet data unit
  • The UPF is used for functions such as routing and forwarding of user data.
  • AMF, SMF, and UPF are only names and do not constitute a limitation on the devices themselves. In the 5G network and other future networks, the AMF, SMF, and UPF may have other names, which are not specifically limited in the embodiment of the present application.
  • The UPF may also be referred to as a UPF network element or a UPF entity; a unified description is provided here, and details are not described below.
  • The core network device may be implemented by one device, jointly implemented by multiple devices, or be a functional module in one device, which is not specifically limited in the embodiment of the present application.
  • The above-mentioned functional modules can be network elements in hardware devices, software functional modules running on dedicated hardware, or virtualized functional modules instantiated on a platform (for example, a cloud platform).
  • The terminal, access network equipment, and core network equipment in FIG. 1 can be implemented by the communication device in FIG. 2.
  • the communication device includes: at least one processor 101, a communication line 102, a memory 103 and at least one communication interface 104.
  • the processor 101 may be a general-purpose central processing unit (central processing unit, CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more used to control the execution of the program program of the present application integrated circuit.
  • CPU central processing unit
  • ASIC application-specific integrated circuit
  • the communication line 102 may include a path to transfer information between the aforementioned components.
  • the communication interface 104 uses any transceiver-like device to communicate with other devices or communication networks, such as Ethernet, RAN, wireless local area networks (WLAN), and so on.
  • Ethernet Ethernet
  • RAN wireless local area networks
  • WLAN wireless local area networks
  • the memory 103 may be a read-only memory (ROM) or other types of static storage devices that can store static information and instructions, random access memory (random access memory, RAM), or other types of information and instructions that can be stored
  • the dynamic storage device can also be electrically erasable programmable read-only memory (electrically erasable programmable-read-only memory (EEPROM), read-only compact disc (compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (Including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or can be used to carry or store desired program code in the form of instructions or data structures and can be used by a computer Any other media accessed, but not limited to this.
  • EEPROM electrically erasable programmable read-only memory
  • CD-ROM compact disc read-only memory
  • optical disc storage including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs
  • the memory can exist independently and is connected to the processor through the communication line 102.
  • the memory can also be integrated with the processor.
  • the memory provided by the embodiments of the present application may generally be non-volatile.
  • the memory 103 is used to store computer execution instructions for executing the solution of the present application, and the processor 101 controls the execution.
  • the processor 101 is configured to execute computer-executable instructions stored in the memory 103, so as to implement the methods provided in the following embodiments of the present application.
  • the computer execution instructions in the embodiments of the present application may also be called application program codes, which are not specifically limited in the embodiments of the present application.
  • the processor 101 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 2.
  • the communication device may include multiple processors, such as the processor 101 and the processor 107 in FIG. 2.
  • processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor.
  • the processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).
  • the communication apparatus may further include an output device 105 and an input device 106.
  • the output device 105 communicates with the processor 101 and can display information in various ways.
  • the output device 105 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, etc.
  • the input device 106 communicates with the processor 101 and can receive user input in a variety of ways.
  • the input device 106 may be a mouse, a keyboard, a touch screen device, or a sensing device.
  • a security protection method provided by an embodiment of the present application is applied in a scenario where a handover occurs between a terminal and an access network device.
  • the handover request can be transmitted through the interface between the two access network devices.
  • the interface between two access network devices can be called an Xn interface, and the handover over it is referred to as Xn handover (or Xn interface handover).
  • the method shown in Figure 3 includes the following steps:
  • the first access network device sends a handover request to the second access network device.
  • the handover request is used to instruct to handover the terminal from the first access network device to the second access network device.
  • the handover request includes information about M sessions, and M is a positive integer.
  • the session information includes the first identifier of the session.
  • the session information further includes at least one of the following parameters: session type, access type, data network name (DNN) and single network slice selection assistance information, S-NSSAI).
  • the handover request may further include at least one of the terminal's identity and the slice identity (ID).
  • the reason why the first access network device initiates the handover process can refer to the description in the prior art, which is not repeated here.
  • the first access network device may initiate a handover procedure.
  • the second access network device determines N target sessions from the M sessions.
  • N target sessions are a non-zero subset of M sessions.
  • N is less than or equal to M, and N is a positive integer.
  • the target session is a session that requires security protection from the terminal to the UPF.
  • the target session is the session for which the second identifier needs to be allocated.
  • Implementation manner 1: the M sessions are all target sessions by default.
  • the protocol defines that all sessions of the terminal are target sessions.
  • the network pre-configures all sessions of the terminal to be target sessions.
  • the core network device may send indication information to notify the second access network device to determine all the M sessions as target sessions.
  • Implementation manner 2: for each of the M sessions, the second access network device determines whether the session is a target session according to at least one parameter included in the session information.
  • the second access network device determines whether the session is a target session according to the session type included in the session information. For example, if the session belongs to the first session type, the second access network device determines that the session is a target session; if the session belongs to the second session type, the second access network device determines that the session is not a target session.
  • the second access network device determines whether the session is a target session according to the S-NSSAI and/or DNN included in the session information.
  • the second access network device is pre-configured with whitelist information, and the whitelist information includes one or more S-NSSAIs. It is understandable that if the S-NSSAI included in the session information is in the whitelist information, the session is a target session; if the S-NSSAI included in the session information is not in the whitelist information, the session is not a target session.
  • Implementation manner 3: for each of the M sessions, the second access network device determines whether the session is a target session according to the first indication information corresponding to the session, where the first indication information is used to indicate whether the session is a target session.
  • the first indication information corresponding to the session may be carried in the information of the session.
  • the first indication information corresponding to the session is obtained by the second access network device from other network devices (for example, the access network device or the core network device).
  • the second access network device may send all or part of the session information to other network devices, so that the other network devices can determine whether the session is a target session; after that, the second access network device receives the first indication information sent by the other network devices. It is understandable that the other network devices can refer to implementation manner 2 above to determine whether the session is a target session.
  • the first indication information may be represented by one or more bits. Taking 1 bit as an example, "0" indicates that the session is a target session, and "1" indicates that the session is not a target session.
  • Implementation manner 4: for each of the M sessions, if the session information carries second indication information, the second access network device determines that the session is a target session; if the session information does not carry the second indication information, the second access network device determines that the session is not a target session.
  • Implementation manner 5: the second access network device determines whether the M sessions are all target sessions according to third indication information, where the third indication information is used to indicate whether the M sessions are all target sessions.
  • the third indication information is carried in the handover request.
  • the third indication information is obtained by the second access network device from other network devices.
  • the second access network device may send information about M sessions to other network devices. After that, the second access network device receives the third indication information sent by other network devices.
  • the third indication information may be represented by one or more bits. Taking 1 bit as an example, "0" indicates that the M sessions are all target sessions, and "1" indicates that the M sessions are not all target sessions.
  • the second access network device may determine N target sessions from the M sessions according to the foregoing implementation manner 1 to implementation manner 4.
  • Implementation manner 6: if the second access network device receives fourth indication information, the second access network device determines that the M sessions are all target sessions; if the second access network device does not receive the fourth indication information, the second access network device determines that the M sessions are not all target sessions.
  • the second access network device may determine N target sessions from the M sessions according to the foregoing implementation manner 1 to implementation manner 4.
  • the fourth indication information may be carried in the handover request or other signaling.
  • the first access network device may use the third indication information or the fourth indication information to let the second access network device learn that the M sessions are all target sessions, which helps to save signaling overhead.
  • the second access network device determines the second identifier of each target session in the N target sessions.
  • the second access network device may generate the second identifier of the target session according to a preset rule.
  • the preset rules are pre-configured or defined in the protocol. For example, if the preset rule is an encryption algorithm, the second access network device encrypts the first identifier of the target session according to the preset encryption algorithm to generate the second identifier of the target session. For another example, if the preset rule is a hash type algorithm, the second access network device performs a hash operation on the first identifier of the target session according to the preset hash type algorithm to generate the second identifier of the target session.
  • the hash type algorithm is a function designed based on a hash algorithm or an extended hash algorithm.
  • the second access network device may obtain the second identifier of the target session from another network device. For example, the second access network device sends fifth indication information to the network device, where the fifth indication information includes information about the target session and is used to enable the network device to generate the second identifier of the target session; after that, the second access network device receives the second identifier of the target session sent by the network device.
  • the second access network device will store the correspondence between the second identifier of the target session and the first identifier of the target session.
  • the message of the target session sent by the second access network device to the terminal carries the second identifier instead of the first identifier, which prevents the session from being tracked by an attacker and ensures the security of the session.
  • the second access network device uses the correspondence between the first identifier and the second identifier of the target session to replace the second identifier included in a message of the target session sent by the terminal with the first identifier, so that the message of the target session can be transmitted normally in the core network.
  • the second access network device sends N pieces of correspondence information to the first access network device.
  • N pieces of correspondence information correspond to N pieces of target sessions one-to-one.
  • the corresponding relationship information is used to indicate the corresponding relationship between the first identifier and the second identifier of the corresponding target session; in other words, the corresponding relationship information is used to indicate the corresponding relationship between the corresponding target session and the second identifier.
  • the correspondence information includes a first identifier of the target session and a second identifier of the target session.
  • the N pieces of correspondence information can be sent separately, or can be encapsulated in one piece of signaling and sent together.
  • the second access network device sends handover request response information to the first access network device, where the handover request response information carries N pieces of correspondence information.
  • the first access network device sends N pieces of correspondence information to the terminal.
  • the first access network device sends handover command information to the terminal.
  • the handover command information is used to request the terminal to hand over the interface between the terminal and the access network device, and the handover command information carries the N pieces of correspondence information.
  • the interface between the terminal and the access network device can be the interface between the terminal and a 4G access network device (such as the Uu interface), the interface between the terminal and a 5G access network device, or the interface between the terminal and a future-network access network device; this is not restricted in this embodiment of the application.
  • the interface between the terminal and the access network equipment can also be called the air interface.
  • after receiving the handover command information, the terminal sends a handover complete message to the second access network device to complete the handover.
  • the terminal will store the corresponding relationship between the second identifier of the target session and the first identifier of the target session.
  • the message of the target session sent by the terminal to the second access network device carries the second identifier instead of the first identifier, which prevents the session from being tracked by an attacker and ensures the security of the session.
  • after the terminal receives a message of the target session, the terminal replaces the second identifier in the message of the target session with the first identifier of the target session according to the correspondence between the first identifier and the second identifier of the target session.
  • steps S102-S103 can be replaced with steps S201-S204.
  • the second access network device sends information about M sessions to the core network device.
  • the core network device may be AMF.
  • the core network device determines N target sessions from the M sessions.
  • the core network device determines the second identifier of each target session in the N target sessions.
  • S204 The core network device sends N pieces of correspondence information to the second access network device.
  • both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the session.
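As an added example (not code from the patent), a Python sketch of the Xn handover flow above: implementation manner 2 selects target sessions by an S-NSSAI whitelist, a hash-type preset rule derives the second identifier from the first, and both the terminal and the second access network device store the correspondence and swap identifiers on air-interface messages. The whitelist, the HMAC key and the sample sessions are constructed assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionInfo:
    """Information about one session as carried in the handover request."""
    first_id: int      # first identifier (the session identifier used in the core network)
    session_type: str  # e.g. "IPv4", "Ethernet"
    s_nssai: str       # single network slice selection assistance information
    dnn: str           # data network name


# Constructed whitelist of S-NSSAI values pre-configured on the second access network device.
WHITELIST_S_NSSAI = frozenset({"01-000001", "02-0000A1"})


def select_target_sessions(sessions, whitelist=WHITELIST_S_NSSAI):
    """Implementation manner 2: a session is a target session when its S-NSSAI is whitelisted."""
    return [s for s in sessions if s.s_nssai in whitelist]


def derive_second_identifier(first_id, key):
    """Hash-type preset rule: keyed hash of the first identifier, truncated to 4 bytes (8 hex chars).

    The key is an assumption of this example (a secret held by whoever generates the
    correspondence). An unkeyed hash over a small identifier space could be enumerated
    by an observer of the air interface, which would defeat the anti-tracking purpose.
    """
    mac = hmac.new(key, str(first_id).encode("ascii"), hashlib.sha256).digest()
    return mac[:4].hex()


def build_correspondence(targets, key):
    """N pieces of correspondence information: first identifier -> second identifier."""
    corr = {s.first_id: derive_second_identifier(s.first_id, key) for s in targets}
    if len(set(corr.values())) != len(corr):
        # Two target sessions would be indistinguishable over the air; a real rule must avoid this.
        raise ValueError("second identifiers collide; choose a different key or rule")
    return corr


class Endpoint:
    """Either the terminal or the second access network device after the handover.

    Both store the correspondence and swap identifiers: outgoing air-interface messages of a
    target session carry the second identifier, and received ones are mapped back to the first
    identifier so they can be handled (or forwarded to the core network) normally.
    """

    def __init__(self, correspondence):
        self.first_to_second = dict(correspondence)
        self.second_to_first = {v: k for k, v in correspondence.items()}

    def send(self, message):
        sid = message["session_id"]
        # Non-target sessions (no correspondence) keep the first identifier.
        return {**message, "session_id": self.first_to_second.get(sid, sid)}

    def receive(self, message):
        sid = message["session_id"]
        return {**message, "session_id": self.second_to_first.get(sid, sid)}


def xn_handover(sessions, key):
    """Steps S101-S105 for the Xn case: select targets, derive identifiers, share the correspondence."""
    targets = select_target_sessions(sessions)
    correspondence = build_correspondence(targets, key)
    terminal = Endpoint(correspondence)    # obtained via the handover command
    second_ran = Endpoint(correspondence)  # stored when the identifiers were generated
    return targets, correspondence, terminal, second_ran


# Constructed input: three sessions, two of them on whitelisted slices.
SAMPLE_SESSIONS = [
    SessionInfo(1, "IPv4", "01-000001", "internet"),
    SessionInfo(2, "IPv4", "03-0000FF", "ims"),
    SessionInfo(3, "Ethernet", "02-0000A1", "factory"),
]
SAMPLE_KEY = b"constructed-per-handover-secret"


if __name__ == "__main__":
    targets, corr, terminal, ran = xn_handover(SAMPLE_SESSIONS, SAMPLE_KEY)
    for msg in ({"session_id": 1, "payload": "a"}, {"session_id": 2, "payload": "b"}):
        over_the_air = terminal.send(msg)
        print(over_the_air, "->", ran.receive(over_the_air))
```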
  • as shown in FIG. 4, another security protection method provided by this embodiment of the present application is applied in a scenario where a handover occurs between a terminal and an access network device.
  • the handover request can be transmitted through the interface (for example, the N2 interface) between the two AMFs.
  • the handover scenario involved in FIG. 3 is referred to as N2 handover (or N2 interface handover) for short.
  • the method shown in Figure 4 includes the following steps:
  • the first access network device sends a handover request to the first AMF, where the handover request includes information about M sessions.
  • the first AMF sends information about M sessions to the second AMF.
  • the first AMF sends context establishment request information to the second AMF, and the context establishment request information includes information about M sessions.
  • the second AMF determines N target sessions from the M sessions.
  • the second AMF determines the second identifier of each target session in the N target sessions.
  • the second AMF sends N pieces of correspondence information to the second access network device.
  • the second AMF sends a handover request to the second access network device, and the handover request carries N correspondence information.
  • after the second access network device receives the handover request sent by the second AMF, the second access network device sends handover request response information to the second AMF.
  • the second AMF sends N pieces of correspondence information to the first AMF.
  • the second AMF sends context establishment response information to the first AMF, and the context establishment response information includes N pieces of correspondence information.
  • step S306 may be executed first, and then step S305 may be executed.
  • steps S305 and S306 can be executed simultaneously.
  • the first AMF sends N pieces of correspondence information to the first access network device.
  • the first AMF sends handover request response information to the first access network device, and the handover request response information carries N correspondence information.
  • S308 The first access network device sends N pieces of correspondence information to the terminal.
  • both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the session.
  • steps S303-S305 can be replaced with steps S401-S405.
  • the second AMF sends information about the M sessions to the SMF.
  • when the handover request sent by the first access network device carries the second indication information, the second AMF sends the second indication information and the information about the M sessions to the SMF.
  • the SMF determines N target sessions from the M sessions.
  • steps S401-S402 can be replaced with: the second AMF determines N target sessions from the M sessions; after that, the second AMF sends information about the N target sessions to the SMF.
  • the SMF determines the second identifier of each target session in the N target sessions.
  • the SMF sends N pieces of correspondence information to the second AMF.
  • the second AMF sends N pieces of correspondence information to the second access network device.
  • steps S303-S305 can be replaced with steps S501-S504.
  • the second AMF sends information about the M sessions to the second access network device.
  • the second AMF sends a handover request to the second access network device, and the handover request carries information of M sessions.
  • the second access network device determines N target sessions from the M sessions.
  • steps S501-S502 can also be replaced with the following implementation: the second AMF determines N target sessions from the M sessions; after that, the second AMF sends information about the N target sessions to the second access network device.
  • the second access network device determines a second identifier corresponding to each of the N target sessions.
  • the second access network device sends N pieces of correspondence information to the second AMF.
  • the second access network device sends handover request response information to the second AMF, and the handover request response information carries N pieces of correspondence information.
  • the N2 handover procedure is triggered by the first access network device.
  • the handover process can also be triggered by the terminal.
  • a security protection method provided in an embodiment of this application is applied to a scenario where a terminal triggers an N2 handover process. The method includes the following steps:
  • the terminal sends a registration request to the second AMF through the second access network device.
  • the registration request is used to access the network.
  • the registration request includes the identification of the terminal.
  • step S601 includes the following steps: S601a and S601b.
  • the terminal sends a registration request to the second access network device.
  • the second access network device sends a registration request to the second AMF.
  • the second AMF sends a context establishment request to the first AMF.
  • the context establishment request is used to request session information of the terminal, so that the second AMF can reuse the existing session information.
  • the second AMF determines the first AMF according to the identification of the terminal included in the registration request.
  • S603 The first AMF sends information about M sessions to the second AMF.
  • the second AMF determines N target sessions from the M sessions.
  • the second AMF determines the second identifier of each target session in the N target sessions.
  • the second AMF sends N pieces of correspondence information to the second access network device.
  • the second access network device sends N pieces of correspondence information to the terminal.
  • both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the session.
  • steps S604-S606 can be replaced with steps S701-S705.
  • for steps S701-S705, reference may be made to the related descriptions of steps S401-S405 in FIG. 4, which will not be repeated here.
  • steps S604-S606 can be replaced with steps S801-S803.
  • for steps S801-S803, reference may be made to the related descriptions of steps S501-S503 in FIG. 4, which will not be repeated here.
  • a security protection method provided by this embodiment of the present application is applied to a communication system switching scenario, for example, a terminal switches from a 4G communication system to a 5G communication system.
  • the method includes the following steps:
  • the first access network device sends a handover request to a mobility management entity (MME).
  • the handover request includes M bearer information.
  • the bearer information includes at least one of: terminal identifier, bearer identifier, S-NSSAI, access type, access network identifier, target network IP address, packet data network (PDN) type, public data network (PDN) type, and DNN.
  • the MME is a key control node in the LTE communication system and is responsible for functions such as access control, mobility management, attachment and detachment.
  • the MME sends M bearer information to the AMF.
  • the AMF sends M bearer information to the SMF.
  • the SMF determines the information of the M sessions according to the information of the M bearers.
  • the M pieces of bearer information correspond one-to-one with the information of the M sessions. That is, each piece of bearer information among the M pieces corresponds to the information of one session among the M sessions.
  • the SMF can map the bearer identifier to the first identifier of the corresponding session according to the preset mapping rule to determine the information of the session.
  • the SMF determines N target sessions from the M sessions.
  • step S1005 can be specifically implemented as: the SMF sends information about the M sessions to the AMF; the AMF determines N target sessions from the M sessions; the AMF sends information about the N target sessions to the SMF, so that the SMF determines the N target sessions from the M sessions.
  • S906 The SMF determines the second identifier of each target session in the N target sessions.
  • the SMF sends N pieces of correspondence information to the AMF.
  • steps S906 and S907 can also be replaced by the following implementation: the SMF sends information about the N target sessions to the AMF; after that, the AMF determines the second identifier of each target session in the N target sessions.
  • the AMF sends N pieces of correspondence information to the second access network device.
  • the AMF sends N correspondence information to the MME.
  • the execution order of steps S908 and S909 is not limited in the embodiment of the present application.
  • step S909 may be executed first, and then step S908 may be executed.
  • steps S908 and S909 can be executed simultaneously.
  • the MME sends N pieces of correspondence information to the first access network device.
  • S911 The first access network device sends the N correspondence information to the terminal.
  • both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the session.
  • steps S905-S908 in FIG. 6 can be replaced with steps S1001-S1004.
  • the SMF sends information about M sessions to the AMF.
  • the AMF determines N target sessions from the M sessions.
  • the AMF determines the second identifier of each target session in the N target sessions.
  • the AMF sends N correspondences to the second access network device.
  • steps S905-S908 in FIG. 6 can be replaced with steps S1101-S1105.
  • the SMF sends information about M sessions to the AMF.
  • the AMF sends information about M sessions to the second access network device.
  • the second access network device determines N target sessions from the M sessions.
  • steps S1102 and S1103 can also be replaced with the following implementation: the AMF determines N target sessions from the M sessions; after that, the AMF sends information about the N target sessions to the second access network device.
  • the second access network device determines the second identifier of each target session in the N target sessions.
  • the second access network device sends N pieces of correspondence information to the AMF.
  • the handover process of the communication system is triggered by the first access network device.
  • the communication system switching process can also be triggered by the terminal.
  • a security protection method provided in this embodiment of the present application is applied to a scenario where a terminal triggers a handover process of a communication system. The method includes the following steps:
  • the terminal sends a registration request to the AMF through the second access network device.
  • the registration request is used to access the network.
  • the registration request includes the identification of the terminal.
  • step S1201 includes the following steps S1201a and S1201b.
  • the terminal sends a registration request to the second access network device.
  • the second access network device sends a registration request to the AMF.
  • the AMF sends a context establishment request to the MME.
  • the AMF determines the MME according to the terminal identifier included in the registration request.
  • the context establishment request is used to request the bearer information of the terminal.
  • the MME sends M bearer information to the AMF.
  • the AMF sends M bearer information to the SMF.
  • the SMF determines the information of the M sessions according to the information of the M bearers.
  • the SMF determines N target sessions from the M sessions.
  • the SMF determines the second identifier of each target session in the N target sessions.
  • the SMF sends N correspondence information to the AMF.
  • the SMF sends N pieces of correspondence information to the second access network device.
  • for steps S1204-S1209, refer to steps S903-S908 in FIG. 6, which will not be repeated here.
  • the second access network device sends N pieces of correspondence information to the terminal.
  • both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the session.
  • steps S1206-S1209 can be replaced with steps S1301-S1304.
  • for steps S1301-S1304, refer to steps S1001-S1004 in FIG. 6, which will not be repeated here.
  • steps S1206-S1209 can be replaced with steps S1401-S1404.
  • for steps S1401-S1404, refer to steps S1101-S1104 in FIG. 6, which will not be repeated here.
  • another security protection method provided by this embodiment of the application includes the following steps S1501-S1505:
  • the first access network device determines to initiate a handover procedure.
  • the first access network device may determine whether to initiate the handover process according to whether the terminal moves out of the area covered by the first access network device. That is, when the terminal moves out of the area covered by the first access network device, the first access network device initiates a handover procedure.
  • the first access network device determines N target sessions from the M sessions of the terminal.
  • the first access network device determines the second identifier of each target session in the N target sessions.
  • the first access network device sends N pieces of correspondence information to the second access network device.
  • the N correspondence information may be carried in the handover request.
  • the first access network device directly sends the N correspondence information to the second access network device.
  • the first access network device sends the N pieces of correspondence information to the first AMF; after that, the first AMF sends the N pieces of correspondence information to the second AMF; then the second AMF sends the N pieces of correspondence information to the second access network device.
  • the first access network device sends N pieces of correspondence information to the terminal.
  • step S1505 may be executed first, and then step S1504 may be executed.
  • step S1504 and step S1505 can be executed simultaneously.
  • both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the target session.
  • the first access network device sends a handover request to the first AMF, where the handover request includes information about M sessions.
  • the first AMF determines N target sessions from the M sessions of the terminal.
  • the first AMF determines the second identifier of each target session in the N target sessions.
  • the first AMF sends N pieces of correspondence information to the second AMF.
  • the second AMF sends N pieces of correspondence information to the second access network device.
  • the first AMF sends N pieces of correspondence information to the first access network device.
  • the first access network device sends N pieces of correspondence information to the terminal.
  • steps S1606-S1607 may be executed first, and then steps S1604-S1605 may be executed; or, steps S1604-S1605 and steps S1606-S1607 may be executed simultaneously.
  • both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the target session.
  • the N pieces of correspondence information sent by the first access network device (or the second access network device) to the terminal can be carried in radio resource control (RRC), a media access control (MAC) control element (CE), or downlink control information (DCI).
  • for the implementation of determining the second identifier of the target session by any device (for example, the first AMF or the second AMF), refer to step S103, which will not be repeated here.
  • after the terminal receives the N pieces of correspondence information, the terminal sends handover completion information to the second access network device and/or the first access network device.
  • after the second access network device receives the handover completion information sent by the terminal, the second access network device sends the N pieces of correspondence information to the AMF, so that the AMF stores the N pieces of correspondence information.
  • the steps executed by the SMF may be executed by other core network equipment, such as UPF.
  • FIGS. 3 to 9 only introduce the steps related to the embodiment of the present application in the handover process, and other steps in the handover process can refer to the prior art, which will not be repeated here.
  • Each step in the above technical solution may be executed by a communication device or a chip in the communication device.
  • each network element, such as an access network device or a core network device, includes hardware structures and/or software modules corresponding to each function in order to realize the aforementioned functions.
  • the present application can be implemented in hardware, or a combination of hardware and computer software. Whether a function is performed by hardware or computer software driven hardware depends on the specific application of the technical solution and design constraints. Professional technicians can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
  • each functional module can be divided corresponding to each function, or two or more functions can be integrated in In a processing module.
  • the above integrated modules can be implemented in the form of hardware or software function modules. It should be noted that the division of the modules in the embodiments of the present application is schematic, and is only a division of logical functions. In actual implementation, there may be another division manner. The following uses an example of dividing each function module corresponding to each function as an example:
FIG. 10 is a schematic structural diagram of a communication device provided by an embodiment of this application. The structure shown in FIG. 10 can be used to implement the various devices in the embodiments of this application, such as the first access network device, the second access network device, the first AMF, the second AMF, and the SMF. The communication device includes a receiving module 201, a processing module 202, and a sending module 203. The receiving module 201 can be used to perform the receiving-related steps in the embodiments of this application, and the receiving module 201 can be a receiver, a receiving circuit, or the like. The sending module 203 can be used to perform the sending-related steps in the embodiments of this application, and the sending module 203 can be a transmitter, a sending circuit, or the like.
When the communication device implements the second access network device:

The receiving module 201 is configured to receive a handover request, where the handover request is used to instruct the terminal to be handed over from the first access network device to the second access network device, the handover request includes information about M sessions, the information about each of the M sessions includes the first identifier of the session, and M is a positive integer. The processing module 202 is configured to determine N target sessions from the M sessions, where the N target sessions are a non-zero subset of the M sessions, N is less than or equal to M, and N is a positive integer. The processing module 202 is further configured to determine the second identifier of each of the N target sessions. The sending module 203 is configured to send N pieces of correspondence information to the terminal, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session.

In a possible design, the processing module 202 is specifically configured to send information about the N target sessions to the core network device through the sending module 203, and to receive, through the receiving module 201, the second identifier of each of the N target sessions sent by the core network device.

In a possible design, the processing module 202 is specifically configured to generate the second identifier of each of the N target sessions according to a preset rule.

In a possible design, the first identifier of the session includes at least one of the following parameters: the identifier of the link between the terminal and the UPF, the tunnel identifier of the link between the terminal and the UPF, the session identifier, the address of the UPF, the terminal identifier, the QoS flow identifier, the bearer identifier, the slice identifier, and the UPF identifier.

In a possible design, the correspondence information includes the first identifier and the second identifier of the target session.
When the communication device implements the second AMF:

The receiving module 201 is configured to receive information about M sessions sent by the first AMF, where the information about each of the M sessions includes the first identifier of the session, and M is a positive integer. The processing module 202 is configured to determine N target sessions from the M sessions, where the N target sessions are a non-zero subset of the M sessions, N is less than or equal to M, and N is a positive integer. The processing module 202 is further configured to determine the second identifier of each of the N target sessions. The sending module 203 is configured to send N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session. The sending module 203 is further configured to send the N pieces of correspondence information to the terminal.

In a possible design, the receiving module 201 is further configured to receive a registration request, where the registration request includes the identifier of the terminal; and the sending module 203 is further configured to send a context establishment request to the first AMF, where the context establishment request is used to request information about the sessions of the terminal.

In a possible design, the processing module 202 is specifically configured to send the information about the M sessions to a network device through the sending module 203, and to receive, through the receiving module 201, the information about the N target sessions sent by the network device. The network device may be the second access network device or the SMF.

In a possible design, the processing module 202 is specifically configured to send the information about the N target sessions to the network device through the sending module 203, and to receive, through the receiving module 201, the N pieces of correspondence information sent by the network device.

In a possible design, the sending module 203 is specifically configured to send the N pieces of correspondence information to the terminal through the second access network device.

In a possible design, the sending module 203 is specifically configured to send the N pieces of correspondence information to the terminal through the first access network device and the first AMF.
When the communication device implements the AMF:

The receiving module 201 is configured to receive information about M bearers sent by the MME. The sending module 203 is configured to send the information about the M bearers to the SMF. The receiving module 201 is further configured to receive information about M sessions from the SMF, where the information about the M sessions corresponds one-to-one to the information about the M bearers, the information about each of the M sessions includes the first identifier of the session, and M is a positive integer. The processing module 202 is configured to determine N target sessions from the M sessions. The processing module 202 is further configured to determine the second identifier of each of the N target sessions. The sending module 203 is further configured to send N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session. The sending module 203 is further configured to send the N pieces of correspondence information to the terminal.

In a possible design, the receiving module 201 is further configured to receive a registration request, where the registration request includes the identifier of the terminal; and the sending module 203 is further configured to send a context establishment request to the MME, where the context establishment request is used to request the bearer information of the terminal.

In a possible design, the processing module 202 is specifically configured to send the information about the M sessions to a network device through the sending module 203, and to receive, through the receiving module 201, the information about the N target sessions sent by the network device.

In a possible design, the processing module 202 is specifically configured to send the information about the N target sessions to the network device through the sending module 203, and to receive, through the receiving module 201, the N pieces of correspondence information sent by the network device.

In a possible design, the sending module 203 is specifically configured to send the N pieces of correspondence information to the terminal through the second access network device.

In a possible design, the sending module 203 is specifically configured to send the N pieces of correspondence information to the terminal through the first access network device and the MME.
When the communication device implements the first access network device:

The processing module 202 is configured to determine N target sessions from the M sessions of the terminal, where N is less than or equal to M, and both M and N are positive integers. The processing module 202 is further configured to determine the second identifier of each of the N target sessions. The sending module 203 is configured to send N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session. The sending module 203 is further configured to send the N pieces of correspondence information to the terminal.

In a possible design, the processing module 202 is further configured to determine to initiate the handover procedure.
When the communication device implements the first AMF:

The receiving module 201 is configured to receive a handover request sent by the first access network device, where the handover request is used to instruct the terminal to be handed over from the first access network device to the second access network device, the handover request includes information about M sessions, the information about each of the M sessions includes the first identifier of the session, and M is a positive integer. The processing module 202 is configured to determine N target sessions from the M sessions, where N is less than or equal to M, and both M and N are positive integers. The processing module 202 is further configured to determine the second identifier of each of the N target sessions. The sending module 203 is configured to send N pieces of correspondence information to the second access network device through the second AMF, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session. The sending module 203 is further configured to send the N pieces of correspondence information to the terminal through the first access network device.
The sending module 203 and the receiving module 201 in FIG. 10 may be implemented by the communication interface 104 in FIG. 2, and the processing module 202 in FIG. 10 may be implemented by the processing in FIG. The embodiments of this application do not impose any limitation on this.

An embodiment of this application further provides a computer-readable storage medium that stores computer instructions; when the computer instructions run on the communication device shown in FIG. 2, the communication device executes the methods shown in FIGS. 3 to 9. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium, a semiconductor medium (for example, a solid state disk (SSD)), or the like.

An embodiment of this application further provides a chip, which includes a processing module and a communication interface. The communication interface is used to transmit received code instructions to the processing module. The code instructions may come from the internal memory of the chip or from a memory or other device external to the chip, and the processing module is used to execute the code instructions to support the communication device in executing the methods shown in FIGS. 3 to 9. The processing module is a processor, microprocessor or integrated circuit integrated on the chip, and the communication interface may be an input/output circuit or a transceiver pin.

An embodiment of this application further provides a computer program product containing computer instructions; when it runs on the communication device shown in FIG. 2, the communication device can execute the methods shown in FIGS. 3 to 9.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application provides a security protection method and apparatus, relating to the technical field of communications and used for ensuring the security of a session in a switching scene. The method comprises: a second access network device receives a switching request, wherein the switching request is used for indicating to switch a terminal from a first access network device to the second access network device, and comprises the information of M sessions, and the information of each session in the information of the M sessions comprises the first identifier of the session; the second access network device determines N target sessions from the M sessions, wherein the N target sessions are the non-zero subset of the M sessions; the second access network device determines the second identifier of each of the N target sessions; the second access network device transmits N pieces of correspondence information to the terminal, wherein the N pieces of correspondence information has one-to-one correspondence to the N target sessions, and each of the N pieces of correspondence information is used for indicating a correspondence between the first identifier and the second identifier of a corresponding target session.

Description

Security protection method and apparatus
This application claims priority to Chinese patent application No. 201910037122.0, entitled "Security protection method and apparatus", filed with the State Intellectual Property Office on January 15, 2019, the entire content of which is incorporated herein by reference.
Technical field
The embodiments of this application relate to the field of communications, and in particular to a security protection method and apparatus.
Background
In a wireless communication system, an end-to-end protection mechanism is used between the terminal and the core network to protect the information in a session. However, the end-to-end protection mechanism does not encrypt the information in a data packet that identifies the session (for example, the session identifier or the bearer identifier), so an attacker can easily obtain this information during air-interface transmission and use it to track the session, which threatens the security of the session.
To solve this technical problem, the industry has proposed the following technical solution: during the session establishment procedure, the access network device generates a short-term identifier corresponding to the session and sends the short-term identifier to the terminal. Data packets transmitted between the access network device and the terminal then carry the short-term identifier instead of the information that identifies the session. In this way, even if an attacker obtains the short-term identifier, the attacker does not know the correspondence between the short-term identifier and the information that identifies the session, and therefore cannot track the session, which ensures the security of the session.
However, for the scenario in which the access network device is switched (handover), the industry has not yet provided a solution for ensuring the security of the session.
Summary of the invention
This application provides a security protection method and apparatus for ensuring the security of a session in a handover scenario.
To achieve the above objective, this application adopts the following technical solutions:
In a first aspect, a security protection method is provided, including: a second access network device receives a handover request, where the handover request is used to instruct the terminal to be handed over from the first access network device to the second access network device, the handover request includes information about M sessions, the information about each of the M sessions includes the first identifier of the session, and M is a positive integer; the second access network device determines N target sessions from the M sessions, where the N target sessions are a non-zero subset of the M sessions, N is less than or equal to M, and N is a positive integer; the second access network device determines the second identifier of each of the N target sessions; and the second access network device sends N pieces of correspondence information to the terminal, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session. Based on the above technical solution, both the terminal and the second access network device obtain the N pieces of correspondence information during the handover procedure. In this way, after the handover is completed, because the correspondence information indicates the correspondence between the first identifier and the second identifier of a target session, when the terminal and the second access network device send packets of the target session, the packets carry the second identifier instead of the first identifier, which prevents the target session from being tracked by an attacker and ensures the security of the target session.
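The first-aspect exchange above, worked through as an added example that is not code from the patent or from its applicant: the target access network device selects N of the M sessions from the handover request, derives a second identifier for each under a preset rule, and hands the N correspondence records to the terminal, after which air-interface packets carry only the second identifier. The class and function names, the HMAC-based preset rule with a device-local secret, the 4-byte identifier size, the "session identifier | QoS flow identifier | UPF address" form of the first identifier and the wire format are all assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FirstIdentifier:
    """A session's first identifier: a subset of the parameters the patent lists."""
    session_id: int
    qos_flow_id: int  # constructed convention: -1 means no user-plane QoS flow
    upf_address: str

    def to_bytes(self) -> bytes:
        return f"{self.session_id}|{self.qos_flow_id}|{self.upf_address}".encode()


@dataclass(frozen=True)
class Correspondence:
    """One of the N pieces of correspondence information sent to the terminal."""
    first: FirstIdentifier
    second: bytes


class TargetAccessNetworkDevice:
    """The second access network device of the first aspect (hypothetical model)."""

    SECOND_ID_LEN = 4  # assumed size of the short-term identifier on the air interface

    def __init__(self, handover_key: Optional[bytes] = None) -> None:
        # Assumed preset rule (not from the patent): the second identifier is a truncated
        # HMAC-SHA256 of the first identifier under a secret that never leaves this device,
        # so an eavesdropper who sees the second identifier cannot recompute the mapping.
        self._key = handover_key or secrets.token_bytes(32)
        self._by_second: Dict[bytes, FirstIdentifier] = {}
        self._by_first: Dict[FirstIdentifier, bytes] = {}

    @staticmethod
    def select_target_sessions(sessions: List[FirstIdentifier]) -> List[FirstIdentifier]:
        # The patent leaves the selection policy open; here every session with a
        # user-plane QoS flow is protected. N must be a non-zero subset of M.
        targets = [s for s in sessions if s.qos_flow_id >= 0]
        if not targets:
            raise ValueError("N target sessions must be a non-zero subset of the M sessions")
        return targets

    def _derive_second_identifier(self, first: FirstIdentifier, salt: int) -> bytes:
        msg = first.to_bytes() + salt.to_bytes(2, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()[: self.SECOND_ID_LEN]

    def handle_handover_request(self, sessions: List[FirstIdentifier]) -> List[Correspondence]:
        """Pick N targets, determine their second identifiers (step S103), build N records."""
        records: List[Correspondence] = []
        for first in self.select_target_sessions(sessions):
            # A truncated MAC can collide, and two targets sharing a second identifier could
            # not be told apart after the handover, so re-derive with a salt until unique.
            for salt in range(16):
                second = self._derive_second_identifier(first, salt)
                if second not in self._by_second:
                    break
            else:
                raise RuntimeError("no unique second identifier found")
            self._by_second[second] = first
            self._by_first[first] = second
            records.append(Correspondence(first, second))
        return records

    def resolve(self, second: bytes) -> FirstIdentifier:
        """Map a received second identifier back to the session's first identifier."""
        return self._by_second[second]


class Terminal:
    """The terminal installs the N records and puts only second identifiers on the air."""

    def __init__(self) -> None:
        self._by_first: Dict[FirstIdentifier, bytes] = {}

    def install(self, records: List[Correspondence]) -> None:
        for rec in records:
            self._by_first[rec.first] = rec.second

    def build_packet(self, first: FirstIdentifier, payload: bytes) -> bytes:
        # Constructed wire format: second identifier || payload. A session that was not
        # selected as a target has no second identifier, so the lookup raises KeyError.
        return self._by_first[first] + payload


def parse_packet(pkt: bytes) -> Tuple[bytes, bytes]:
    n = TargetAccessNetworkDevice.SECOND_ID_LEN
    return pkt[:n], pkt[n:]


def run_handover():
    """Constructed scenario: a handover request carrying M = 3 sessions, N = 2 targets."""
    sessions = [
        FirstIdentifier(1, 5, "10.0.0.1"),
        FirstIdentifier(2, -1, "10.0.0.1"),  # no QoS flow: not a target session
        FirstIdentifier(3, 7, "10.0.0.2"),
    ]
    target_gnb = TargetAccessNetworkDevice(handover_key=b"\x01" * 32)  # fixed key, demo only
    records = target_gnb.handle_handover_request(sessions)
    ue = Terminal()
    ue.install(records)
    pkt = ue.build_packet(sessions[0], b"hello")  # after handover: no first identifier on air
    second, payload = parse_packet(pkt)
    return sessions, records, target_gnb, ue, pkt, target_gnb.resolve(second), payload
```

`run_handover()` returns the packet alongside the resolved session so the two security-relevant checks, that the first identifier never appears in the packet and that the target device still resolves it, can be made on the returned values.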
In a possible design, the second access network device determining the second identifier of each of the N target sessions includes: the second access network device sends information about the N target sessions to the core network device; and the second access network device receives, from the core network device, the second identifier of each of the N target sessions.
In a possible design, the second access network device determining the second identifier of each of the N target sessions includes: the second access network device generates the second identifier of each of the N target sessions according to a preset rule.
In a possible design, the first identifier of the session includes at least one of the following parameters: the identifier of the link between the terminal and the user plane function (UPF) network element, the tunnel identifier of the link between the terminal and the UPF, the session identifier, the address of the UPF, the identifier of the terminal, the quality of service flow identifier, the bearer identifier, the slice identifier, and the identifier of the UPF.
In a possible design, the correspondence information includes the first identifier and the second identifier of the target session.
In a second aspect, a security protection method is provided, including: a second AMF receives information about M sessions sent by a first AMF, where the information about each of the M sessions includes the first identifier of the session, and M is a positive integer; the second AMF determines N target sessions from the M sessions, where the N target sessions are a non-zero subset of the M sessions, N is less than or equal to M, and N is a positive integer; the second AMF determines the second identifier of each of the N target sessions; the second AMF sends N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session; and the second AMF sends the N pieces of correspondence information to the terminal. Based on the above technical solution, both the terminal and the second access network device obtain the N pieces of correspondence information during the handover procedure. In this way, after the handover is completed, because the correspondence information indicates the correspondence between the first identifier and the second identifier of a target session, when the terminal and the second access network device send packets of the target session, the packets carry the second identifier instead of the first identifier, which prevents the target session from being tracked by an attacker and ensures the security of the target session.
In a possible design, the second AMF receiving the information about the M sessions sent by the first AMF includes: the second AMF receives a registration request, where the registration request includes the identifier of the terminal; the second AMF sends a context establishment request to the first AMF, where the context establishment request is used to request information about the sessions of the terminal; and the second AMF receives the information about the M sessions sent by the first AMF.
In a possible design, the second AMF determining the N target sessions from the M sessions includes: the second AMF sends the information about the M sessions to a network device; afterwards, the second AMF receives information about the N target sessions sent by the network device. For example, the network device may be the second access network device or a session management function (SMF) network element.
In a possible design, the second AMF determining the second identifier of each of the N target sessions includes: the second AMF sends the information about the N target sessions to the network device; afterwards, the second AMF receives the N pieces of correspondence information sent by the network device.
In a possible design, the second AMF sending the N pieces of correspondence information to the terminal includes: the second AMF sends the N pieces of correspondence information to the terminal through the second access network device.
In a possible design, the second AMF sending the N pieces of correspondence information to the terminal includes: the second AMF sends the N pieces of correspondence information to the terminal through the first access network device and the first AMF.
In a third aspect, a security protection method is provided, including: an AMF receives information about M bearers sent by an MME; the AMF sends the information about the M bearers to the SMF; the AMF receives information about M sessions from the SMF, where the information about the M sessions corresponds one-to-one to the information about the M bearers, the information about each of the M sessions includes the first identifier of the session, and M is a positive integer; the AMF determines N target sessions from the M sessions, where N is less than or equal to M, and N is a positive integer; the AMF determines the second identifier of each of the N target sessions; the AMF sends N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session; and the AMF sends the N pieces of correspondence information to the terminal. Based on this technical solution, both the terminal and the second access network device obtain the N pieces of correspondence information during the handover procedure. In this way, after the handover is completed, because the correspondence information indicates the correspondence between the first identifier and the second identifier of a target session, when the terminal and the second access network device send packets of the target session, the packets carry the second identifier instead of the first identifier, which prevents the target session from being tracked by an attacker and ensures the security of the target session.
In a possible design, before the AMF receives the information about the M bearers sent by the MME, the method includes: the MME receives a handover request, where the handover request is used to instruct the terminal to be handed over from the first access network device to the second access network device, and the handover request includes the information about the M bearers.
In a possible design, before the AMF receives the information about the M bearers sent by the MME, the method includes: the AMF receives a registration request, where the registration request includes the identifier of the terminal; and the AMF sends a context establishment request to the MME, where the context establishment request is used to request the bearer information of the terminal.
In a possible design, the AMF determining the N target sessions from the M sessions includes: the AMF sends the information about the M sessions to a network device; afterwards, the AMF receives information about the N target sessions sent by the network device. For example, the network device may be the second access network device or a session management function (SMF) network element.
In a possible design, the AMF determining the second identifier of each of the N target sessions includes: the second AMF sends the information about the N target sessions to the network device; afterwards, the AMF receives the N pieces of correspondence information sent by the network device.
In a possible design, the AMF sending the N pieces of correspondence information to the terminal includes: the AMF sends the N pieces of correspondence information to the terminal through the second access network device.
In a possible design, the second AMF sending the N pieces of correspondence information to the terminal includes: the AMF sends the N pieces of correspondence information to the terminal through the first access network device and the MME.
In a fourth aspect, a security protection method is provided, including: a first access network device determines N target sessions from M sessions of the terminal, where N is less than or equal to M, and both M and N are positive integers; the first access network device determines the second identifier of each of the N target sessions; the first access network device sends N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session; and the first access network device sends the N pieces of correspondence information to the terminal. Based on this technical solution, both the terminal and the second access network device obtain the N pieces of correspondence information. In this way, after the handover is completed, because the correspondence information indicates the correspondence between the first identifier and the second identifier of a target session, when the terminal and the second access network device send packets of the target session, the packets carry the second identifier instead of the first identifier, which prevents the target session from being tracked by an attacker and ensures the security of the target session.
In a possible design, before the first access network device determines the N target sessions from the M sessions of the terminal, the method further includes: the first access network device determines to initiate the handover procedure.
In a fifth aspect, a security protection method is provided, including: a first AMF receives a handover request sent by a first access network device, where the handover request is used to instruct the terminal to be handed over from the first access network device to the second access network device, the handover request includes information about M sessions, the information about each of the M sessions includes the first identifier of the session, and M is a positive integer; the first AMF determines N target sessions from the M sessions, where N is less than or equal to M, and both M and N are positive integers; the first AMF determines the second identifier of each of the N target sessions; the first AMF sends N pieces of correspondence information to the second access network device through the second AMF, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session; and the first AMF sends the N pieces of correspondence information to the terminal through the first access network device. Based on this technical solution, both the terminal and the second access network device obtain the N pieces of correspondence information during the handover procedure.
In this way, after the handover is completed, since the correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the target session, when the terminal and the second access network device send the message of the target session, The message of the target session does not carry the first identifier, but carries the second identifier, thereby preventing the target session from being tracked by an attacker and ensuring the security of the target session.
In a sixth aspect, a communication apparatus is provided, including a receiving module, a processing module and a sending module. The communication apparatus is configured to perform the method according to any one of the first aspect or the fifth aspect.
In a seventh aspect, a communication apparatus is provided, including a processor, where the processor is configured to be coupled to a memory, read instructions from the memory and, according to the instructions, implement the method according to any one of the first aspect to the fifth aspect.
In an eighth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores instructions that, when run on a communication apparatus, enable the communication apparatus to perform the method according to any one of the first aspect to the fifth aspect.
In a ninth aspect, a computer program product containing instructions is provided, which, when run on a communication apparatus, enables the communication apparatus to perform the method according to any one of the first aspect to the fifth aspect.
In a tenth aspect, a chip is provided. The chip includes a processing module and a communication interface. The communication interface is configured to transmit received code instructions to the processing module, and the processing module is configured to run the code instructions to support the communication apparatus in performing the method according to any one of the first aspect to the fifth aspect. The code instructions may come from a memory inside the chip or from a memory outside the chip. Optionally, the processing module may be a processor, a microprocessor or an integrated circuit integrated on the chip. The communication interface may be an input/output circuit or a transceiver pin on the chip.
The technical effects of any of the designs of the sixth aspect to the tenth aspect may be found in the beneficial effects of the corresponding methods and designs provided above, and are not repeated here.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic architectural diagram of a communication system according to an embodiment of this application;
FIG. 2 is a schematic structural diagram of a communication apparatus according to an embodiment of this application;
FIG. 3 is a flowchart of a security protection method according to an embodiment of this application;
FIG. 4 is a flowchart of another security protection method according to an embodiment of this application;
FIG. 5 is a flowchart of another security protection method according to an embodiment of this application;
FIG. 6 is a flowchart of another security protection method according to an embodiment of this application;
FIG. 7 is a flowchart of another security protection method according to an embodiment of this application;
FIG. 8 is a flowchart of another security protection method according to an embodiment of this application;
FIG. 9 is a flowchart of another security protection method according to an embodiment of this application;
FIG. 10 is a schematic structural diagram of a communication apparatus according to an embodiment of this application.
DETAILED DESCRIPTION
To facilitate understanding of the technical solutions of this application, some concepts are first briefly introduced below.
1. First access network device, second access network device, first AMF and second AMF
The first access network device is the access network device to which the terminal is connected before the handover. The first access network device may also be referred to as the source access network device.
The second access network device is the access network device to which the terminal is connected after the handover, or the access network device to which the terminal is connected after it re-registers. The second access network device may also be referred to as the target access network device.
The first AMF is the AMF that serves the terminal before the handover. The first AMF may also be referred to as the source AMF.
The second AMF is the AMF that serves the terminal after the handover. The second AMF may also be referred to as the target AMF.
2. First identifier and second identifier of a session
Optionally, the first identifier of a session is one of the following parameters: an identifier of the link between the terminal and the UPF, a tunnel identifier of the link between the terminal and the UPF, a slice identifier, a session identifier, an address of the UPF, an identifier of the UPF, an identifier of the terminal, a quality of service (QoS) flow identifier, or a bearer identifier. The address of the UPF includes an internet protocol (IP) address of the UPF, a media access control (MAC) address of the UPF, or an instance identifier of the UPF. The bearer identifier includes a radio bearer identifier, an evolved packet system (EPS) bearer identifier, an evolved radio access bearer (E-RAB) identifier, or a bearer identifier of a future network.
The second identifier of a session corresponds to the first identifier of the session. The second identifier of the session is used to ensure the security of the session. It should be understood that, in the embodiments of this application, the second identifier of a session is not required to reflect any information about the session: even if an attacker intercepts the second identifier of the session, the attacker does not know the correspondence between the second identifier and the first identifier of the session and therefore cannot track the session by means of the second identifier.
The second identifier of a session may be a value generated using a derivation rule, a randomly generated random number, or an existing identifier, for example an identifier related to the cell in which the terminal is located, a cell terminal identifier, a radio network temporary identity (RNTI), a carrier frequency, or an identifier related to air interface resources. For example, the carrier frequency may be a 5G carrier frequency or a 4G carrier frequency. A 4G carrier frequency may also be called an E-UTRA absolute radio frequency channel number (EARFCN). The radio network temporary identity may be a cell radio network temporary identity (C-RNTI), a temporary C-RNTI, a paging RNTI, a multicast broadcast RNTI, an inactive RNTI, or the like, without limitation.
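The following is an added example, not code from the patent, showing how the two ways of producing a second identifier named above (a derivation rule, or a random number) yield the N pieces of correspondence information, and why a packet labelled with the second identifier cannot be linked back to the session by an observer who lacks that correspondence. The choice of HMAC-SHA256 as the "derivation rule", the 32-bit identifier width, the key, the session identifiers and the packet layout are all assumptions made for the example; the patent specifies none of them.

```python
"""Added example (not the patent's code): allocate a second identifier for
each target session, build the N pieces of correspondence information, and
relabel packets so that they carry only the second identifier after handover.

Assumptions (not from the patent): HMAC-SHA256 over (key, first_id), truncated
to 32 bits, stands in for the unspecified "derivation rule"; a 32-bit random
value stands in for the "random number" option."""
import hashlib
import hmac
import secrets

# Constructed sample: first identifiers of three target sessions, here PDU
# session identifiers (one of the first-identifier options listed above).
TARGET_SESSIONS = [{"first_id": "psi-1"}, {"first_id": "psi-2"}, {"first_id": "psi-5"}]
# Constructed key held only by the node that derives the second identifiers;
# the attacker in the patent's threat model does not hold it.
DERIVATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_second_id(first_id: str, key: bytes) -> str:
    """Derivation-rule option: a keyed one-way function of the first identifier.
    Without the key, the output reveals nothing about first_id."""
    mac = hmac.new(key, first_id.encode(), hashlib.sha256).digest()
    return mac[:4].hex()  # truncate to a 32-bit identifier


def random_second_id() -> str:
    """Random-number option: unrelated to the first identifier by construction."""
    return secrets.token_hex(4)


def build_correspondence(target_sessions, key=None):
    """Return N pieces of correspondence information, one per target session,
    each mapping the session's first identifier to its second identifier.
    With a key the derivation rule is used, otherwise random numbers."""
    corr, used = [], set()
    for s in target_sessions:
        second = derive_second_id(s["first_id"], key) if key else random_second_id()
        while second in used:  # second identifiers must be unique per terminal
            second = random_second_id()
        used.add(second)
        corr.append({"first_id": s["first_id"], "second_id": second})
    return corr


def relabel_packet(packet: dict, corr) -> dict:
    """Sender side after handover: a target session's packet carries the
    second identifier; a non-target session's packet is left unchanged."""
    by_first = {c["first_id"]: c["second_id"] for c in corr}
    out = dict(packet)
    if packet["session"] in by_first:
        out["session"] = by_first[packet["session"]]
    return out


def resolve_packet(packet: dict, corr) -> str:
    """Receiver side (terminal or second access network device): recover the
    first identifier from the second identifier using the correspondence."""
    by_second = {c["second_id"]: c["first_id"] for c in corr}
    return by_second.get(packet["session"], packet["session"])


def observer_view(packets) -> list:
    """What a passive observer without the correspondence can read from the
    wire: only the labels, none of which equals a first identifier."""
    return [p["session"] for p in packets]


if __name__ == "__main__":
    corr = build_correspondence(TARGET_SESSIONS, DERIVATION_KEY)
    sent = [relabel_packet({"session": s["first_id"], "payload": b"data"}, corr)
            for s in TARGET_SESSIONS]
    print("correspondence:", corr)
    print("on the wire:", observer_view(sent))
    print("resolved at receiver:", [resolve_packet(p, corr) for p in sent])
```

The derivation-rule variant is deterministic for a given key, so both the deriving node and any node that receives the correspondence information agree on the mapping; the random variant needs the correspondence information to be delivered explicitly, which is exactly what the N pieces of correspondence information carry in the aspects above.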
In the description of this application, unless otherwise stated, "/" means "or"; for example, A/B may represent A or B. "And/or" in this document merely describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may represent three cases: A exists alone, both A and B exist, and B exists alone. In addition, "at least one" means one or more, and "a plurality of" means two or more. The words "first" and "second" do not limit quantity or execution order, and objects described as "first" and "second" are not necessarily different.
It should be noted that in this application the words "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in this application should not be construed as being preferred over or more advantageous than other embodiments or designs. Rather, the use of the words "exemplary" or "for example" is intended to present the relevant concepts in a concrete manner.
In addition, the network architecture and service scenarios described in the embodiments of this application are intended to explain the technical solutions of the embodiments more clearly and do not limit the technical solutions provided in the embodiments. A person of ordinary skill in the art will know that, as the network architecture evolves and new service scenarios emerge, the technical solutions provided in the embodiments of this application are equally applicable to similar technical problems.
The technical solutions provided in the embodiments of this application may be applied to various communication systems, for example a new radio (NR) communication system using fifth generation (5G) communication technology, a future evolved system, or a system converging multiple communication technologies. The technical solutions provided in this application may be applied to a variety of application scenarios, for example machine to machine (M2M) communication, macro-micro communication, enhanced mobile broadband (eMBB), ultra-reliable and low latency communication (uRLLC), and massive machine type communication (mMTC).
FIG. 1 is a schematic architectural diagram of a communication system according to an embodiment of this application. The communication system includes a terminal, an access network (AN) device and a core network.
The terminal provides voice and/or data connectivity services to a user. The terminal may have different names, for example user equipment (UE), access terminal, terminal unit, terminal station, mobile station, mobile, remote station, remote terminal, mobile device, wireless communication device, terminal agent or terminal apparatus. Optionally, the terminal may be any of various handheld devices, vehicle-mounted devices, wearable devices or computers having a communication function, which is not limited in the embodiments of this application. For example, the handheld device may be a smartphone or a virtual reality (VR) device; the vehicle-mounted device may be a vehicle navigation system; the wearable device may be a smart wristband; and the computer may be a personal digital assistant (PDA) computer, a tablet computer or a laptop computer.
The access network device may be an access point for wireless or wired communication, for example a base station or base station controller, a wireless fidelity (wifi) access point or wifi controller, or a fixed network access point. The base station may include various types of base station, for example a micro base station (also called a small cell), a macro base station, a relay station or an access point, which is not specifically limited in the embodiments of this application. In the embodiments of this application, the base station may be a base transceiver station (BTS) in a global system for mobile communication (GSM) or code division multiple access (CDMA) system, a node B in a wideband code division multiple access (WCDMA) system, an evolved node B (eNB or e-NodeB) in long term evolution (LTE), an eNB in the internet of things (IoT) or narrowband internet of things (NB-IoT), or a base station in a future 5G mobile communication network or a future evolved public land mobile network (PLMN), which is not limited in any way in the embodiments of this application.
As a bearer network, the core network provides an interface from the terminal to a data network (DN), and provides the terminal with communication connectivity, authentication, management, policy control and the bearing of data services. The core network includes various core network devices, for example an access and mobility management function (AMF), a UPF and an SMF.
The AMF is responsible for access control and mobility management when the terminal accesses the network, and the AMF communicates with the access network device through the N2 interface.
The SMF manages the user's packet data unit (PDU) sessions and QoS flows, and formulates packet detection and forwarding rules for the UPF.
The UPF is responsible for functions such as routing and forwarding user data.
AMF, SMF and UPF are merely names and do not limit the devices themselves. It should be understood that in 5G networks and other future networks the AMF, SMF and UPF may have other names, which is not specifically limited in the embodiments of this application. For example, the UPF may also be referred to as a UPF network element or a UPF entity; this is stated here once and not repeated below.
Optionally, a core network device may be implemented by one device, jointly by multiple devices, or as a functional module within one device, which is not specifically limited in the embodiments of this application. It should be understood that such a functional module may be a network element in a hardware device, a software functional module running on dedicated hardware, or a virtualized functional module instantiated on a platform (for example, a cloud platform).
The terminal, the access network device and the core network device in FIG. 1 may be implemented by the communication apparatus in FIG. 2. As shown in FIG. 2, the communication apparatus includes at least one processor 101, a communication line 102, a memory 103 and at least one communication interface 104.
The processor 101 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the program of the solution of this application.
The communication line 102 may include a path for transferring information between the foregoing components.
The communication interface 104 is any transceiver-like apparatus for communicating with other devices or communication networks, for example Ethernet, a RAN or a wireless local area network (WLAN).
The memory 103 may be a read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, a random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory may exist independently and be connected to the processor through the communication line 102, or the memory may be integrated with the processor. The memory provided in the embodiments of this application is generally non-volatile. The memory 103 stores the computer-executable instructions for performing the solution of this application, and the processor 101 controls their execution. The processor 101 executes the computer-executable instructions stored in the memory 103 to implement the methods provided in the following embodiments of this application.
Optionally, the computer-executable instructions in the embodiments of this application may also be called application program code, which is not specifically limited in the embodiments of this application.
In a specific implementation, in an embodiment, the processor 101 may include one or more CPUs, for example CPU0 and CPU1 in FIG. 2.
In a specific implementation, in an embodiment, the communication apparatus may include multiple processors, for example the processor 101 and the processor 107 in FIG. 2. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example, computer program instructions).
In a specific implementation, in an embodiment, the communication apparatus may further include an output device 105 and an input device 106. The output device 105 communicates with the processor 101 and may display information in multiple ways; for example, the output device 105 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device or a projector. The input device 106 communicates with the processor 101 and may receive user input in multiple ways; for example, the input device 106 may be a mouse, a keyboard, a touchscreen device or a sensing device.
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings.
Embodiment 1
As shown in FIG. 3, a security protection method provided in an embodiment of this application is applied in a scenario in which a terminal is handed over between access network devices. The handover request may be transmitted over the interface between the two access network devices, which may be called the Xn interface. For ease of description, the handover scenario of FIG. 3 is referred to below simply as an Xn handover (or Xn interface handover). The method shown in FIG. 3 includes the following steps:
S101. The first access network device sends a handover request to the second access network device.
The handover request indicates that the terminal is to be handed over from the first access network device to the second access network device.
The handover request includes information about M sessions, where M is a positive integer. The information about a session includes the first identifier of the session. Optionally, the information about a session further includes at least one of the following parameters: session type, access type, data network name (DNN) and single network slice selection assistance information (S-NSSAI).
In the embodiments of this application, the handover request may further include at least one of an identifier of the terminal and a slice identifier (ID).
It should be noted that the reason for which the first access network device initiates the handover procedure may be found in the description of the prior art and is not repeated here. For example, when the first access network device detects that the terminal has moved out of the area covered by the first access network device, the first access network device may initiate the handover procedure.
S102. The second access network device determines N target sessions from the M sessions.
The N target sessions are a non-empty subset of the M sessions. N is less than or equal to M, and N is a positive integer.
In the embodiments of this application, a target session is a session that requires security protection between the terminal and the UPF; in other words, a target session is a session to which a second identifier needs to be allocated.
Implementation manner 1: all M sessions are target sessions by default.
Optionally, the protocol defines that all sessions of the terminal are target sessions. Alternatively, the network preconfigures all sessions of the terminal as target sessions. For example, a core network device may send indication information to notify the second access network device to determine all M sessions as target sessions.
Implementation manner 2: for each of the M sessions, the second access network device determines whether the session is a target session according to at least one parameter included in the information about the session.
For example, the second access network device determines whether a session is a target session according to the session type included in the information about the session: if the session belongs to a first session type, the second access network device determines that the session is a target session; if the session belongs to a second session type, the second access network device determines that the session is not a target session.
For another example, the second access network device determines whether a session is a target session according to the S-NSSAI and/or DNN included in the information about the session. For example, the second access network device is preconfigured with whitelist information that includes one or more S-NSSAIs. It should be understood that if the S-NSSAI included in the information about the session is in the whitelist information, the session is a target session, and if the S-NSSAI included in the information about the session is not in the whitelist information, the session is not a target session.
Implementation manner 3: for each of the M sessions, the second access network device determines whether the session is a target session according to first indication information corresponding to the session, where the first indication information indicates whether the session is a target session.
Optionally, the first indication information corresponding to a session may be carried in the information about the session.
Alternatively, the first indication information corresponding to a session is obtained by the second access network device from another network device (for example, an access network device or a core network device). For example, the second access network device may send all or part of the information about the session to the other network device so that the other network device can determine whether the session is a target session; the second access network device then receives the first indication information sent by the other network device. It should be understood that the other network device may determine whether the session is a target session with reference to implementation manner 2 above.
Optionally, the first indication information may be represented by one or more bits. Taking one bit as an example, "0" indicates that the session is a target session and "1" indicates that the session is not a target session.
Implementation manner 4: for each of the M sessions, if the information about the session carries second indication information, the second access network device determines that the session is a target session; if the information about the session does not carry the second indication information, the second access network device determines that the session is not a target session.
Implementation manner 5: the second access network device determines, according to third indication information, whether all M sessions are target sessions, where the third indication information indicates whether all M sessions are target sessions.
Optionally, the third indication information is carried in the handover request.
Alternatively, the third indication information is obtained by the second access network device from another network device. For example, the second access network device may send the information about the M sessions to the other network device, and then receive the third indication information sent by the other network device.
Optionally, the third indication information may be represented by one or more bits. Taking one bit as an example, "0" indicates that all M sessions are target sessions and "1" indicates that not all M sessions are target sessions.
It should be understood that, when not all M sessions are target sessions, the second access network device may determine the N target sessions from the M sessions according to implementation manner 1 to implementation manner 4 above.
Implementation manner 6: if the second access network device receives fourth indication information, the second access network device determines that all M sessions are target sessions; if the second access network device does not receive the fourth indication information, the second access network device determines that not all M sessions are target sessions.
可以理解的是,在M个会话不都是目标会话的情况下,第二接入网设备可以根据上述实现方式一至实现方式四,从M个会话中确定N个目标会话。It can be understood that, in the case where the M sessions are not all target sessions, the second access network device may determine N target sessions from the M sessions according to the foregoing implementation manner 1 to implementation manner 4.
可选的,第四指示信息可以承载于切换请求中,也可以承载于其他信令中。Optionally, the fourth indication information may be carried in the handover request or other signaling.
可以理解的是,采用实现方式五或者实现方式六,第一接入网设备可以通过一个第三指示信息或者第四指示信息,使得第二接入网设备获知M个会话均为目标会话,从而有利于节省信令开销。It is understandable that, by adopting implementation manner 5 or implementation manner 6, the first access network device may use a third indication information or fourth indication information to enable the second access network device to learn that the M sessions are all target sessions, so that Conducive to saving signaling overhead.
以上实现方式一至实现方式六为第二接入网设备确定目标会话的方法示例,不构成具体限定。The foregoing implementation manners 1 to 6 are examples of methods for the second access network device to determine the target session, and do not constitute specific limitations.
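The following is an added example, not code from the patent, showing how a second access network device could combine implementation manners 2 to 6 when selecting the N target sessions from the M sessions in a handover request. The data classes, the field names and the precedence between the manners (a whole-request indication first, then a per-session second indication, then a per-session first indication bit, then the S-NSSAI/DNN whitelist) are assumptions made here; the patent lists the manners as alternatives and fixes no order. Sample session values are constructed.

```python
"""Added example (not from the patent): selecting target sessions from a handover request."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class SessionInfo:
    """Information of one session as carried in the handover request (fields assumed)."""
    first_id: int                           # first identifier of the session
    s_nssai: str                            # slice identifier, constructed sample value
    dnn: str                                # data network name, constructed sample value
    first_indication: Optional[int] = None  # manner 3: one bit, 0 = target, 1 = not target
    second_indication: bool = False         # manner 4: present => target session


@dataclass
class HandoverRequest:
    sessions: List[SessionInfo] = field(default_factory=list)
    third_indication: Optional[int] = None  # manner 5: one bit, 0 = all M are targets
    fourth_indication: bool = False         # manner 6: present => all M are targets


def is_target_session(sess: SessionInfo,
                      whitelist_snssai: FrozenSet[str],
                      whitelist_dnn: FrozenSet[str]) -> bool:
    """Per-session decision (manners 2 to 4), precedence assumed here."""
    if sess.second_indication:              # manner 4: explicit marker present
        return True
    if sess.first_indication is not None:   # manner 3: explicit bit wins over the whitelist
        return sess.first_indication == 0
    # manner 2: pre-configured whitelist on S-NSSAI and/or DNN
    return sess.s_nssai in whitelist_snssai or sess.dnn in whitelist_dnn


def select_target_sessions(req: HandoverRequest,
                           whitelist_snssai: FrozenSet[str],
                           whitelist_dnn: FrozenSet[str] = frozenset()) -> List[SessionInfo]:
    """Return the N target sessions out of the M sessions in the request."""
    # manners 5 and 6: one indication covering all M sessions avoids per-session signaling
    if req.fourth_indication or req.third_indication == 0:
        return list(req.sessions)
    # otherwise (third indication absent or "1"): fall back to manners 2 to 4 per session
    return [s for s in req.sessions
            if is_target_session(s, whitelist_snssai, whitelist_dnn)]


def constructed_request() -> HandoverRequest:
    """Six constructed sessions covering each decision path."""
    return HandoverRequest(sessions=[
        SessionInfo(1, "slice-A", "internet"),                      # whitelist S-NSSAI
        SessionInfo(2, "slice-B", "ims"),                           # whitelist DNN
        SessionInfo(3, "slice-B", "internet", first_indication=0),  # bit says target
        SessionInfo(4, "slice-B", "internet", second_indication=True),
        SessionInfo(5, "slice-A", "internet", first_indication=1),  # bit overrides whitelist
        SessionInfo(6, "slice-B", "internet"),                      # nothing matches
    ])


if __name__ == "__main__":
    req = constructed_request()
    chosen = select_target_sessions(req, frozenset({"slice-A"}), frozenset({"ims"}))
    print("target sessions:", [s.first_id for s in chosen])
```

Because the fallback path only runs when the third indication is absent or "1", a request that says "all M are targets" never consults the whitelist, which is exactly the signaling saving the text describes.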
S103. The second access network device determines a second identifier of each of the N target sessions.
For each target session, the second access network device may generate the second identifier of the target session according to a preset rule. The preset rule is pre-configured or defined in a protocol. For example, when the preset rule is an encryption algorithm, the second access network device encrypts the first identifier of the target session according to the preset encryption algorithm to generate the second identifier of the target session. For another example, when the preset rule is a hash-type algorithm, the second access network device performs a hash operation on the first identifier of the target session according to the preset hash-type algorithm to generate the second identifier of the target session. A hash-type algorithm is a function designed based on a hash algorithm or an extended hash algorithm.
Alternatively, for each target session, the second access network device may obtain the second identifier of the target session from another network device. For example, the second access network device sends fifth indication information to the network device, where the fifth indication information includes the information of the target session and is used to cause the network device to generate the second identifier of the target session; the second access network device then receives the second identifier of the target session sent by the network device.
It can be understood that, for each target session, the second access network device stores the correspondence between the second identifier of the target session and the first identifier of the target session. On the one hand, a packet of the target session sent by the second access network device to the terminal carries the second identifier instead of the first identifier, which prevents the session from being tracked by an attacker and ensures the security of the session. On the other hand, after the second access network device receives a packet of the target session, the second access network device replaces, according to the correspondence between the first identifier and the second identifier of the target session, the second identifier included in the packet with the first identifier of the target session, so that the packet of the target session sent by the terminal can be transmitted normally in the core network.
S104. The second access network device sends N pieces of correspondence information to the first access network device.
The N pieces of correspondence information correspond one-to-one to the N target sessions. A piece of correspondence information is used to indicate the correspondence between the first identifier and the second identifier of the corresponding target session; in other words, the correspondence information is used to indicate the correspondence between the corresponding target session and its second identifier. Optionally, the correspondence information includes the first identifier of the target session and the second identifier of the target session.
It can be understood that the N pieces of correspondence information may be sent separately, or encapsulated in one piece of signaling and sent together.
As an implementation manner, the second access network device sends handover request response information to the first access network device, where the handover request response information carries the N pieces of correspondence information.
S105. The first access network device sends the N pieces of correspondence information to the terminal.
As an implementation manner, the first access network device sends handover command information to the terminal, where the handover command information is used to request the terminal to switch the interface between the terminal and the access network device, and the handover command information carries the N pieces of correspondence information. It should be noted that the interface between the terminal and the access network device may be the interface between the terminal and a 4G access network device (for example, the Uu interface), the interface between the terminal and a 5G access network device, or the interface between the terminal and a future-network access network device; this is not limited in this embodiment of the application. The interface between the terminal and the access network device may also be called an air interface.
Optionally, after receiving the handover command information, the terminal sends a handover complete message to the second access network device to complete the handover.
It should be noted that, for each target session, the terminal stores the correspondence between the second identifier of the target session and the first identifier of the target session. On the one hand, a packet of the target session sent by the terminal to the second access network device carries the second identifier instead of the first identifier, which prevents the session from being tracked by an attacker and ensures the security of the session. On the other hand, after the terminal receives a packet of the target session, the terminal replaces, according to the correspondence between the first identifier and the second identifier of the target session, the second identifier included in the packet with the first identifier of the target session, in order to determine the session to which the packet belongs.
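The following added example, which is not code from the patent, walks through S103 to S105 on the Xn path: the second access network device derives a second identifier for each target session with a hash-type rule, the same N (first identifier, second identifier) pairs are handed to the terminal, and both sides substitute identifiers in the two directions described above. Two details are assumptions made here rather than statements of the patent: the identifier field is treated as 8 bits wide, and the hash is keyed (HMAC-SHA256 with a per-handover secret), because an unkeyed hash over an 8-bit identifier space could be inverted by hashing all 256 candidate values. The example also handles the case the text leaves implicit: a truncated hash can collide with another identifier the terminal still uses over the air, so the derivation retries with a counter until the second identifier is unique. All identifiers and keys are constructed sample values.

```python
"""Added example (not from the patent): second identifiers and air-interface substitution."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ID_BITS = 8  # assumed width of the session identifier field; the patent fixes none


@dataclass(frozen=True)
class Packet:
    session_id: int  # first identifier in the core network, second identifier over the air
    payload: bytes


class SecondAccessNetworkDevice:
    """Target-side access network device: generates second identifiers (S103) and translates."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # per-handover secret, an assumption added here (see lead-in)
        self.second_to_first: Dict[int, int] = {}
        self.first_to_second: Dict[int, int] = {}

    def _candidate(self, first_id: int, attempt: int) -> int:
        # hash-type rule: keyed hash of the first identifier, truncated to the field width
        digest = hmac.new(self._key, bytes([first_id, attempt]), hashlib.sha256).digest()
        return int.from_bytes(digest[:2], "big") % (1 << ID_BITS)

    def assign_second_identifiers(self, target_first_ids: Iterable[int],
                                  reserved_ids: Iterable[int] = ()) -> List[Tuple[int, int]]:
        """Return the N pieces of correspondence information as (first_id, second_id) pairs.

        reserved_ids are identifiers of non-target sessions; they stay unchanged over the
        air, so a second identifier must never equal one of them.
        """
        in_use = set(reserved_ids)
        correspondence = []
        for first_id in target_first_ids:
            attempt = 0
            second_id = self._candidate(first_id, attempt)
            while second_id in in_use:  # truncated hash collided: retry with a counter
                attempt += 1
                second_id = self._candidate(first_id, attempt)
            in_use.add(second_id)
            self.first_to_second[first_id] = second_id
            self.second_to_first[second_id] = first_id
            correspondence.append((first_id, second_id))
        return correspondence

    def to_terminal(self, pkt: Packet) -> Packet:
        """Downlink: carry the second identifier over the air instead of the first."""
        return Packet(self.first_to_second.get(pkt.session_id, pkt.session_id), pkt.payload)

    def to_core(self, pkt: Packet) -> Packet:
        """Uplink: restore the first identifier so the core network can forward the packet."""
        return Packet(self.second_to_first.get(pkt.session_id, pkt.session_id), pkt.payload)


class Terminal:
    """Terminal side: stores the same correspondence received in the handover command (S105)."""

    def __init__(self) -> None:
        self.first_to_second: Dict[int, int] = {}
        self.second_to_first: Dict[int, int] = {}

    def apply_handover_command(self, correspondence: Iterable[Tuple[int, int]]) -> None:
        for first_id, second_id in correspondence:
            self.first_to_second[first_id] = second_id
            self.second_to_first[second_id] = first_id

    def send(self, first_id: int, payload: bytes) -> Packet:
        # non-target sessions have no mapping and keep their first identifier
        return Packet(self.first_to_second.get(first_id, first_id), payload)

    def receive(self, pkt: Packet) -> int:
        """Resolve which session an over-the-air packet belongs to."""
        return self.second_to_first.get(pkt.session_id, pkt.session_id)


def run_xn_handover(key: bytes = b"constructed-handover-key") -> dict:
    """Constructed scenario: M = 3 sessions, sessions 1 and 2 are targets, session 3 is not."""
    gnb = SecondAccessNetworkDevice(key)
    correspondence = gnb.assign_second_identifiers([1, 2], reserved_ids=[3])  # S103
    ue = Terminal()
    ue.apply_handover_command(correspondence)  # S104/S105 deliver the same N pairs
    air_up = ue.send(1, b"uplink")             # second identifier on the air interface
    core_up = gnb.to_core(air_up)              # first identifier toward the core
    air_down = gnb.to_terminal(Packet(2, b"downlink"))
    return {
        "correspondence": correspondence,
        "air_uplink_id": air_up.session_id,
        "core_uplink_id": core_up.session_id,
        "air_downlink_id": air_down.session_id,
        "resolved_downlink": ue.receive(air_down),
        "untouched_session_3": gnb.to_core(ue.send(3, b"x")).session_id,
    }


if __name__ == "__main__":
    print(run_xn_handover())
```

The retry loop is what makes the mapping unambiguous: without it, a second identifier equal to the first identifier of a non-target session would leave the second access network device unable to tell the two apart when an uplink packet arrives.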
Optionally, as shown in FIG. 3, steps S102-S103 above may be replaced with steps S201-S204.
S201. The second access network device sends the information of the M sessions to a core network device.
Optionally, the core network device may be an AMF.
S202. The core network device determines N target sessions from the M sessions.
S203. The core network device determines the second identifier of each of the N target sessions.
S204. The core network device sends N pieces of correspondence information to the second access network device.
Based on the technical solution shown in FIG. 3, in the scenario where the first access network device triggers the Xn handover procedure, both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the session.
Embodiment 2
As shown in FIG. 4, another security protection method provided in an embodiment of the present application is applied in a scenario where a handover occurs between a terminal and an access network device, and the handover request can be transmitted through an interface between two AMFs (for example, the N2 interface). For ease of description below, the handover scenario involved in FIG. 3 is referred to as N2 handover (or N2 interface handover) for short. The method shown in FIG. 4 includes the following steps:
S301. The first access network device sends a handover request to a first AMF, where the handover request includes the information of M sessions.
S302. The first AMF sends the information of the M sessions to a second AMF.
As an implementation manner, the first AMF sends context establishment request information to the second AMF, where the context establishment request information includes the information of the M sessions.
S303. The second AMF determines N target sessions from the M sessions.
S304. The second AMF determines the second identifier of each of the N target sessions.
S305. The second AMF sends N pieces of correspondence information to the second access network device.
As an implementation manner, the second AMF sends a handover request to the second access network device, where the handover request carries the N pieces of correspondence information. Optionally, after receiving the handover request sent by the second AMF, the second access network device sends handover request response information to the second AMF.
S306. The second AMF sends the N pieces of correspondence information to the first AMF.
As an implementation manner, the second AMF sends context establishment response information to the first AMF, where the context establishment response information includes the N pieces of correspondence information.
It should be noted that this embodiment of the application does not limit the execution order of steps S305 and S306. For example, step S306 may be executed first and then step S305; for another example, steps S305 and S306 may be executed simultaneously.
S307. The first AMF sends the N pieces of correspondence information to the first access network device.
As an implementation manner, the first AMF sends handover request response information to the first access network device, where the handover request response information carries the N pieces of correspondence information.
S308. The first access network device sends the N pieces of correspondence information to the terminal.
Based on the technical solution shown in FIG. 4, in the scenario where the first access network device triggers the N2 interface handover procedure, both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the session.
Optionally, as shown in FIG. 4, steps S303-S305 above may be replaced with steps S401-S405.
S401. The second AMF sends the information of the M sessions to an SMF.
As an implementation manner, when the handover request sent by the first access network device carries second indication information, the second AMF sends the second indication information and the information of the M sessions to the SMF.
S402. The SMF determines N target sessions from the M sessions.
Optionally, steps S401-S402 may be replaced with: the second AMF determines N target sessions from the M sessions, and then sends the information of the N target sessions to the SMF.
S403. The SMF determines the second identifier of each of the N target sessions.
S404. The SMF sends N pieces of correspondence information to the second AMF.
S405. The second AMF sends the N pieces of correspondence information to the second access network device.
Alternatively, as shown in FIG. 4, steps S303-S305 above may be replaced with steps S501-S504.
S501. The second AMF sends the information of the M sessions to the second access network device.
As an implementation manner, the second AMF sends a handover request to the second access network device, where the handover request carries the information of the M sessions.
S502. The second access network device determines N target sessions from the M sessions.
Optionally, in this embodiment of the application, steps S501-S502 may also be replaced with the following implementation: the second AMF determines N target sessions from the M sessions, and then sends the information of the N target sessions to the second access network device.
S503. The second access network device determines the second identifier corresponding to each of the N target sessions.
S504. The second access network device sends N pieces of correspondence information to the second AMF.
As an implementation manner, the second access network device sends handover request response information to the second AMF, where the handover request response information carries the N pieces of correspondence information.
Embodiment 3
In FIG. 4, the N2 handover procedure is triggered by the first access network device. In practical application scenarios, the handover procedure may also be triggered by the terminal. Optionally, as shown in FIG. 5, a security protection method provided in an embodiment of the application is applied in a scenario where the terminal triggers the N2 handover procedure. The method includes the following steps:
S601. The terminal sends a registration request to a second AMF through a second access network device.
The registration request is used to access the network and includes an identifier of the terminal.
Optionally, step S601 includes the following steps S601a and S601b.
S601a. The terminal sends the registration request to the second access network device.
S601b. The second access network device sends the registration request to the second AMF.
S602. The second AMF sends a context establishment request to a first AMF.
The context establishment request is used to request the session information of the terminal, so that the second AMF can reuse the existing session information.
In this embodiment of the application, the second AMF determines the first AMF according to the identifier of the terminal included in the registration request.
S603. The first AMF sends the information of M sessions to the second AMF.
S604. The second AMF determines N target sessions from the M sessions.
S605. The second AMF determines the second identifier of each of the N target sessions.
S606. The second AMF sends N pieces of correspondence information to the second access network device.
S607. The second access network device sends the N pieces of correspondence information to the terminal.
Based on the technical solution shown in FIG. 5, in the scenario where the terminal triggers the N2 handover procedure, both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the session.
Optionally, as shown in FIG. 5, steps S604-S606 may be replaced with steps S701-S705. For steps S701-S705, refer to the related description of steps S401-S405 in FIG. 4; details are not repeated here.
Alternatively, as shown in FIG. 5, steps S604-S606 may be replaced with steps S801-S803. For steps S801-S803, refer to the related description of steps S501-S503 in FIG. 4; details are not repeated here.
Embodiment 4
As shown in FIG. 6, a security protection method provided in an embodiment of the present application is applied in a scenario of a handover between communication systems, for example, a terminal handing over from a 4G communication system to a 5G communication system. The method includes the following steps:
S901. The first access network device sends a handover request to a mobility management entity (MME).
The handover request includes the information of M bearers. The information of a bearer includes at least one of: an identifier of the terminal, a bearer identifier, an S-NSSAI, an access type, an access network identifier, a target network IP address, a packet data network (PDN) type, a public data network (PDN) type, and a DNN.
It should be noted that the MME is a key control node in the LTE communication system, responsible for functions such as access control, mobility management, and attach and detach.
S902. The MME sends the information of the M bearers to the AMF.
S903. The AMF sends the information of the M bearers to the SMF.
S904. The SMF determines the information of M sessions according to the information of the M bearers.
The information of the M bearers corresponds one-to-one to the information of the M sessions. That is, the information of one bearer among the M bearers corresponds to the information of one session among the M sessions.
It should be noted that the main difference between the information of a bearer and the information of a session is that the information of a bearer includes a bearer identifier, whereas the information of a session includes the first identifier of the session. Therefore, the SMF can map the bearer identifier to the first identifier of the corresponding session according to a preset mapping rule, so as to determine the information of the session.
S905. The SMF determines N target sessions from the M sessions.
Optionally, step S1005 may be specifically implemented as: the SMF sends the information of the M sessions to the AMF; the AMF determines N target sessions from the M sessions; and the AMF sends the information of the N target sessions to the SMF, so that the SMF determines the N target sessions from the M sessions.
S906. The SMF determines the second identifier of each of the N target sessions.
S907. The SMF sends N pieces of correspondence information to the AMF.
Optionally, in this embodiment of the application, steps S906 and S907 may also be replaced with the following implementation: the SMF sends the information of the N target sessions to the AMF, and then the AMF determines the second identifier of each of the N target sessions.
S908. The AMF sends the N pieces of correspondence information to the second access network device.
S909. The AMF sends the N pieces of correspondence information to the MME.
It should be noted that the execution order of steps S908 and S909 is not limited in this embodiment of the application. For example, step S909 may be executed first and then step S908; for another example, steps S908 and S909 may be executed simultaneously.
S910. The MME sends the N pieces of correspondence information to the first access network device.
S911. The first access network device sends the N pieces of correspondence information to the terminal.
Based on the technical solution shown in FIG. 6, in the scenario where the first access network device triggers the communication system handover, both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the session.
Optionally, steps S905-S908 in FIG. 6 may be replaced with steps S1001-S1004.
S1001. The SMF sends the information of the M sessions to the AMF.
S1002. The AMF determines N target sessions from the M sessions.
S1003. The AMF determines the second identifier of each of the N target sessions.
S1004. The AMF sends N correspondences to the second access network device.
Alternatively, steps S905-S908 in FIG. 6 may be replaced with steps S1101-S1105.
S1101. The SMF sends the information of the M sessions to the AMF.
S1102. The AMF sends the information of the M sessions to the second access network device.
S1103. The second access network device determines N target sessions from the M sessions.
Optionally, in this embodiment of the application, steps S1102 and S1103 may also be replaced with the following implementation: the AMF determines N target sessions from the M sessions, and then sends the information of the N target sessions to the second access network device.
S1104. The second access network device determines the second identifier of each of the N target sessions.
S1105. The second access network device sends N pieces of correspondence information to the AMF.
Embodiment 5
In FIG. 6, the communication system handover procedure is triggered by the first access network device. In practical application scenarios, the communication system handover procedure may also be triggered by the terminal. Optionally, as shown in FIG. 7, a security protection method provided in an embodiment of the present application is applied in a scenario where the terminal triggers the communication system handover procedure. The method includes the following steps:
S1201. The terminal sends a registration request to the AMF through the second access network device.
The registration request is used to access the network and includes an identifier of the terminal.
Optionally, step S1201 includes the following steps S1201a and S1201b.
S1201a. The terminal sends the registration request to the second access network device.
S1201b. The second access network device sends the registration request to the AMF.
S1202. The AMF sends a context establishment request to the MME.
In this embodiment of the application, the AMF determines the MME according to the identifier of the terminal included in the registration request.
The context establishment request is used to request the bearer information of the terminal.
S1203. The MME sends the information of M bearers to the AMF.
S1204. The AMF sends the information of the M bearers to the SMF.
S1205. The SMF determines the information of M sessions according to the information of the M bearers.
S1206. The SMF determines N target sessions from the M sessions.
S1207. The SMF determines the second identifier of each of the N target sessions.
S1208. The SMF sends N pieces of correspondence information to the AMF.
S1209. The SMF sends the N pieces of correspondence information to the second access network device.
For the related description of steps S1204-S1209 above, refer to steps S903-S908 in FIG. 6; details are not repeated here.
S1210. The second access network device sends the N pieces of correspondence information to the terminal.
Based on the technical solution of FIG. 7, in the scenario where the terminal triggers the communication system handover procedure, both the terminal and the second access network device can obtain the N pieces of correspondence information, so that after the handover, for each of the N target sessions, the terminal and the second access network device can ensure the security of the session.
Optionally, steps S1206-S1209 may be replaced with steps S1301-S1304. For the related description of steps S1301-S1304, refer to steps S1001-S1004 in FIG. 6; details are not repeated here.
Alternatively, steps S1206-S1209 may be replaced with steps S1401-S1404. For the related description of steps S1401-S1404, refer to steps S1101-S1104 in FIG. 6; details are not repeated here.
Embodiment 6
As shown in FIG. 8, another security protection method provided by an embodiment of this application includes the following steps S1501-S1505:
S1501. The first access network device determines to initiate a handover procedure.
For example, the first access network device may decide whether to initiate the handover procedure according to whether the terminal has moved out of the area covered by the first access network device. That is, when the terminal moves out of the area covered by the first access network device, the first access network device initiates the handover procedure.
S1502. The first access network device determines N target sessions from the M sessions of the terminal.
S1503. The first access network device determines the second identifier of each of the N target sessions.
S1504. The first access network device sends N pieces of correspondence information to the second access network device.
Optionally, the N pieces of correspondence information may be carried in the handover request.
In the Xn interface handover scenario, the first access network device sends the N pieces of correspondence information directly to the second access network device.
In the N2 interface handover scenario, the first access network device sends the N pieces of correspondence information to the first AMF; the first AMF then sends the N pieces of correspondence information to the second AMF; and the second AMF sends the N pieces of correspondence information to the second access network device.
S1505. The first access network device sends N pieces of correspondence information to the terminal.
It should be noted that the embodiments of this application do not limit the execution order of steps S1504 and S1505. For example, step S1505 may be executed before step S1504. As another example, steps S1504 and S1505 may be executed simultaneously.
Based on the technical solution of FIG. 8, during the handover procedure both the terminal and the second access network device obtain the N pieces of correspondence information, so that after the handover the terminal and the second access network device can ensure the security of each of the N target sessions.
Embodiment 7
As shown in FIG. 9, another security protection method provided by an embodiment of this application, applied to the N2 interface handover scenario, includes the following steps S1601-S1607:
S1601. The first access network device sends a handover request to the first AMF, where the handover request includes information about M sessions.
S1602. The first AMF determines N target sessions from the M sessions of the terminal.
S1603. The first AMF determines the second identifier of each of the N target sessions.
S1604. The first AMF sends N pieces of correspondence information to the second AMF.
S1605. The second AMF sends N pieces of correspondence information to the second access network device.
S1606. The first AMF sends N pieces of correspondence information to the first access network device.
S1607. The first access network device sends N pieces of correspondence information to the terminal.
It should be noted that the embodiments of this application do not limit the execution order of steps S1604-S1605 relative to steps S1606-S1607. For example, steps S1606-S1607 may be executed before steps S1604-S1605; alternatively, steps S1604-S1605 and steps S1606-S1607 may be executed simultaneously.
Based on the technical solution of FIG. 9, during the handover procedure both the terminal and the second access network device obtain the N pieces of correspondence information, so that after the handover the terminal and the second access network device can ensure the security of each of the N target sessions.
It should be noted that in the technical solutions of FIG. 3 to FIG. 9, the N pieces of correspondence information that the first access network device (or the second access network device) sends to the terminal may be carried in radio resource control (RRC) signaling, media access control (MAC) control element (CE) signaling, or downlink control information (DCI).
In the technical solutions shown in FIG. 3 to FIG. 9, for the way in which any device (for example, the first AMF or the second AMF) determines N target sessions from the M sessions, refer to step S102; for the way in which any device determines the second identifier of a target session, refer to step S103. Neither is repeated here.
Optionally, in the technical solutions shown in FIG. 3 to FIG. 9, after receiving the N pieces of correspondence information, the terminal sends handover completion information to the second access network device and/or the first access network device.
Optionally, in the technical solutions shown in FIG. 3 to FIG. 9, after the second access network device receives the handover completion information sent by the terminal, the second access network device sends the N pieces of correspondence information to the AMF, so that the AMF stores the N pieces of correspondence information.
Optionally, in the technical solutions shown in FIG. 3 to FIG. 9, the steps performed by the SMF may be performed by another core network device, for example the UPF.
The technical solutions shown in FIG. 3 to FIG. 9 describe only the procedures related to the target sessions; for non-target sessions, the corresponding handover operations may be performed using solutions in the prior art, which are not described here.
The technical solutions shown in FIG. 3 to FIG. 9 describe only the steps of the handover procedure that relate to the embodiments of this application; for the other steps of the handover procedure, refer to the prior art, which is not described here.
Each step in the technical solutions above may be performed by a communication apparatus or by a chip in the communication apparatus.
The solutions provided by the embodiments of this application have been described above mainly from the perspective of the interaction between network elements. It can be understood that, to implement the functions above, each network element, such as an access network device or a core network device, includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by this application in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of this application.
The embodiments of this application may divide the access network device and the core network device into functional modules according to the method examples above. For example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division into modules in the embodiments of this application is illustrative and is merely a division by logical function; other divisions are possible in actual implementation. The following description takes the case in which each functional module corresponds to one function as an example:
FIG. 10 is a schematic structural diagram of a communication apparatus provided by an embodiment of this application. The structure shown in FIG. 10 may be used to implement each of the devices in the embodiments of this application, such as the first access network device, the second access network device, the first AMF, the second AMF, and the SMF. As shown in FIG. 10, the communication apparatus includes a receiving module 201, a processing module 202, and a sending module 203. The receiving module 201 may be configured to perform the receiving steps in the embodiments of this application, and may be a receiver, a receiving unit, a receiving circuit, or the like. The sending module 203 may be configured to perform the sending steps in the embodiments of this application, and may be a transmitter, a sending unit, a sending circuit, or the like.
When the structure shown in FIG. 10 is used to implement the second access network device in the embodiments above, the receiving module 201 is configured to receive a handover request, where the handover request is used to indicate that the terminal is to be handed over from the first access network device to the second access network device, the handover request includes information about M sessions, the information about each of the M sessions includes the first identifier of that session, and M is a positive integer. The processing module 202 is configured to determine N target sessions from the M sessions, where the N target sessions are a non-empty subset of the M sessions, N is less than or equal to M, and N is a positive integer. The processing module 202 is further configured to determine the second identifier of each of the N target sessions. The sending module 203 is configured to send N pieces of correspondence information to the terminal, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information indicates the correspondence between the first identifier and the second identifier of the corresponding target session.
In one possible design, the processing module 202 is specifically configured to send information about the N target sessions to a core network device through the sending module 203, and to receive, through the receiving module 201, the second identifier of each of the N target sessions sent by the core network device.
In one possible design, the processing module 202 is specifically configured to generate the second identifier of each of the N target sessions according to a preset rule.
In one possible design, the first identifier of a session includes at least one of the following parameters: an identifier of the link between the terminal and the UPF, a tunnel identifier of the link between the terminal and the UPF, a session identifier, an address of the UPF, an identifier of the terminal, a quality of service (QoS) flow identifier, a bearer identifier, a slice identifier, and an identifier of the UPF.
In one possible design, the correspondence information includes the first identifier and the second identifier of the target session.
When the structure shown in FIG. 10 is used to implement the second AMF in the embodiments above, the receiving module 201 is configured to receive information about M sessions sent by the first AMF, where the information about each of the M sessions includes the first identifier of that session, and M is a positive integer. The processing module 202 is configured to determine N target sessions from the M sessions, where the N target sessions are a non-empty subset of the M sessions, N is less than or equal to M, and N is a positive integer. The processing module 202 is further configured to determine the second identifier of each of the N target sessions. The sending module 203 is configured to send N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information indicates the correspondence between the first identifier and the second identifier of the corresponding target session. The sending module 203 is further configured to send the N pieces of correspondence information to the terminal.
In one possible design, the receiving module 201 is further configured to receive a registration request, where the registration request includes the identifier of the terminal. The sending module 203 is further configured to send a context establishment request to the first AMF, where the context establishment request is used to request information about the sessions of the terminal.
In one possible design, the processing module 202 is specifically configured to send information about the M sessions to a network device through the sending module 203, and to receive, through the receiving module 201, information about the N target sessions sent by the network device. For example, the network device may be the second access network device or the SMF.
In one possible design, the processing module 202 is specifically configured to send information about the N target sessions to a network device through the sending module 203, and to receive, through the receiving module 201, the N pieces of correspondence information sent by the network device.
In one possible design, the sending module 203 is specifically configured to send the N pieces of correspondence information to the terminal through the second access network device.
In one possible design, the sending module 203 is specifically configured to send the N pieces of correspondence information to the terminal through the first access network device and the first AMF.
When the structure shown in FIG. 10 is used to implement the AMF shown in FIG. 6 or FIG. 7, the receiving module 201 is configured to receive information about M bearers sent by the MME. The sending module 203 is configured to send the information about the M bearers to the SMF. The receiving module 201 is configured to receive information about M sessions from the SMF, where the information about the M sessions corresponds one-to-one to the information about the M bearers, the information about each of the M sessions includes the first identifier of that session, and M is a positive integer. The processing module 202 is configured to determine N target sessions from the M sessions. The processing module 202 is further configured to determine the second identifier of each of the N target sessions. The sending module 203 is further configured to send N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information indicates the correspondence between the first identifier and the second identifier of the corresponding target session. The sending module 203 is further configured to send the N pieces of correspondence information to the terminal.
In one possible design, the receiving module 201 is further configured to receive a registration request, where the registration request includes the identifier of the terminal; the sending module 203 is further configured to send a context establishment request to the MME, where the context establishment request is used to request information about the bearers of the terminal.
In one possible design, the processing module 202 is specifically configured to send information about the M sessions to a network device through the sending module 203, and to receive, through the receiving module 201, information about the N target sessions sent by the network device.
In one possible design, the processing module 202 is specifically configured to send information about the N target sessions to a network device through the sending module 203, and to receive, through the receiving module 201, the N pieces of correspondence information sent by the network device.
In one possible design, the sending module 203 is specifically configured to send the N pieces of correspondence information to the terminal through the second access network device.
In one possible design, the sending module 203 is specifically configured to send the N pieces of correspondence information to the terminal through the first access network device and the MME.
When the structure shown in FIG. 10 is used to implement the first access network device in the embodiments above, the processing module 202 is configured to determine N target sessions from the M sessions of the terminal, where N is less than or equal to M, and M and N are positive integers. The processing module 202 is further configured to determine the second identifier of each of the N target sessions. The sending module 203 is configured to send N pieces of correspondence information to the second access network device, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information indicates the correspondence between the first identifier and the second identifier of the corresponding target session. The sending module 203 is further configured to send the N pieces of correspondence information to the terminal.
In one possible design, the processing module 202 is further configured to determine to initiate a handover procedure.
When the structure shown in FIG. 10 is used to implement the first AMF in the embodiments above, the receiving module 201 is configured to receive a handover request sent by the first access network device, where the handover request is used to indicate that the terminal is to be handed over from the first access network device to the second access network device, the handover request includes information about M sessions, the information about each of the M sessions includes the first identifier of that session, and M is a positive integer. The processing module 202 is configured to determine N target sessions from the M sessions, where N is less than or equal to M, and M and N are positive integers. The processing module 202 is further configured to determine the second identifier of each of the N target sessions. The sending module 203 is further configured to send N pieces of correspondence information to the second access network device through the second AMF, where the N pieces of correspondence information correspond one-to-one to the N target sessions, and each piece of correspondence information indicates the correspondence between the first identifier and the second identifier of the corresponding target session. The sending module 203 is further configured to send the N pieces of correspondence information to the terminal through the first access network device.
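The following is an added illustration, not code from the patent or from the applicant, of the procedure that Embodiment 6 (Xn and N2 paths from the first access network device), Embodiment 7 (decision at the first AMF), and the module descriptions above all share: a deciding device selects N target sessions out of the terminal's M sessions, assigns each a second identifier, and delivers N pieces of correspondence information to both the terminal and the second access network device, which must then hold the same one-to-one binding. All device and function names are assumptions, as are the target-selection attribute (`needs_protection`) and the second-identifier rule (a random label); the patent defers the real rules to steps S102 and S103 and to a "preset rule".

```python
"""Added illustration (not code from the patent) of the handover-time session
identifier re-mapping. Device names, the target-selection attribute
needs_protection and the second-identifier rule are assumptions; the patent
defers the real rules to steps S102/S103 and to a 'preset rule'."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class FirstIdentifier:
    """A few of the parameters the page lists for a session's first identifier."""
    session_id: int
    qos_flow_id: int
    slice_id: str
    upf_address: str
    tunnel_id: int

@dataclass(frozen=True)
class Session:
    first: FirstIdentifier
    needs_protection: bool  # assumed attribute used to pick the target sessions

@dataclass(frozen=True)
class Correspondence:
    """One piece of correspondence information: first identifier <-> second identifier."""
    first: FirstIdentifier
    second: str

SecondIdRule = Callable[[int, FirstIdentifier], str]

def random_second_id(_index: int, _first: FirstIdentifier) -> str:
    """Assumed preset rule: a fresh, unpredictable label per target session."""
    return secrets.token_hex(4)

def select_target_sessions(sessions: List[Session]) -> List[Session]:
    """Determine the N target sessions: a non-empty subset of the M sessions."""
    targets = [s for s in sessions if s.needs_protection]
    if not targets:
        raise ValueError("N must be a positive integer: no target session found")
    return targets

def build_correspondences(sessions: List[Session],
                          rule: SecondIdRule = random_second_id) -> List[Correspondence]:
    """Determine N targets and a distinct second identifier for each (any deciding device)."""
    infos, seen = [], set()
    for i, s in enumerate(select_target_sessions(sessions)):
        second = rule(i, s.first)
        if second in seen:  # one-to-one correspondence needs distinct second identifiers
            raise ValueError("duplicate second identifier")
        seen.add(second)
        infos.append(Correspondence(s.first, second))
    return infos

class Endpoint:
    """Terminal or second access network device holding the binding after handover."""
    def __init__(self) -> None:
        self.by_second: Dict[str, FirstIdentifier] = {}

    def receive(self, infos: List[Correspondence]) -> None:
        for c in infos:
            self.by_second[c.second] = c.first

    def resolve(self, second: str):
        """Map a second identifier back to the session's first identifier (None if unknown)."""
        return self.by_second.get(second)

def relay(infos: List[Correspondence]) -> List[Correspondence]:
    """An AMF or access network hop forwards the correspondence information unchanged."""
    return list(infos)

def xn_handover(sessions, rule=random_second_id):
    """Embodiment 6, Xn case: the first access network device decides and sends directly."""
    infos = build_correspondences(sessions, rule)
    terminal, target = Endpoint(), Endpoint()
    target.receive(infos)    # S1504: to the second access network device
    terminal.receive(infos)  # S1505: to the terminal (order is not constrained)
    return terminal, target, infos

def n2_handover(sessions, rule=random_second_id):
    """Embodiment 7: the first AMF decides; two hops to the target, two hops to the terminal."""
    infos = build_correspondences(sessions, rule)
    terminal, target = Endpoint(), Endpoint()
    target.receive(relay(relay(infos)))  # S1604 first AMF -> second AMF, S1605 -> second RAN
    terminal.receive(relay(infos))       # S1606 first AMF -> first RAN, S1607 -> terminal
    return terminal, target, infos

def mappings_agree(a: Endpoint, b: Endpoint) -> bool:
    """Both sides must hold the same one-to-one binding before relying on it."""
    return a.by_second == b.by_second and len(a.by_second) == len(set(a.by_second.values()))

def sample_sessions() -> List[Session]:
    """Constructed sample input: M = 3 sessions, two of which become targets (N = 2)."""
    return [
        Session(FirstIdentifier(1, 1, "slice-a", "10.0.0.1", 1001), True),
        Session(FirstIdentifier(2, 5, "slice-b", "10.0.0.2", 1002), False),
        Session(FirstIdentifier(3, 1, "slice-a", "10.0.0.1", 1003), True),
    ]

if __name__ == "__main__":
    t, r, infos = xn_handover(sample_sessions())
    for c in infos:
        print(f"session {c.first.session_id} -> second identifier {c.second}")
    print("terminal and target agree:", mappings_agree(t, r))
```

The point the model makes explicit is that the second identifier is meaningful only through the correspondence information: a receiver that did not get the same N pieces of correspondence information cannot map post-handover traffic back to its session, so `mappings_agree` is the check a target device would want before treating the binding as established, and `build_correspondences` rejects a rule that yields duplicate second identifiers, since that would break the one-to-one correspondence the claims require.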
As an example, with reference to the communication apparatus shown in FIG. 2, the sending module 203 and the receiving module 201 in FIG. 10 may be implemented by the communication interface 104 in FIG. 2, and the processing module 202 in FIG. 10 may be implemented by the processor 101 in FIG. 2; the embodiments of this application impose no limitation on this.
An embodiment of this application further provides a computer-readable storage medium storing computer instructions; when the computer-readable storage medium runs on the communication apparatus shown in FIG. 2, the communication apparatus performs the methods shown in FIG. 3 to FIG. 9. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center in a wired manner (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or a wireless manner (for example, infrared, radio, or microwave). The computer-readable storage medium may be any usable medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium, a semiconductor medium (for example, a solid state disk (SSD)), or the like.
An embodiment of this application further provides a chip, which includes a processing module and a communication interface. The communication interface is configured to transmit received code instructions to the processing module; the code instructions may come from memory inside the chip or from memory or another device outside the chip. The processing module is configured to execute the code instructions to support the communication apparatus in performing the methods shown in FIG. 3 to FIG. 9. The processing module is a processor, microprocessor, or integrated circuit integrated on the chip. The communication interface may be an input/output circuit or a transceiver pin.
An embodiment of this application further provides a computer program product containing computer instructions; when it runs on the communication apparatus shown in FIG. 2, the communication apparatus can perform the methods shown in FIG. 3 to FIG. 9.
The communication apparatus, computer storage medium, chip, and computer program product provided in the embodiments of this application are all used to perform the methods provided above; therefore, for the beneficial effects they can achieve, refer to the beneficial effects of the corresponding methods provided above, which are not repeated here.
Although this application has been described with reference to specific features and embodiments thereof, it is apparent that various modifications and combinations may be made without departing from the spirit and scope of this application. Accordingly, the specification and the accompanying drawings are merely illustrative of this application as defined by the appended claims and are deemed to cover any and all modifications, variations, combinations, or equivalents within the scope of this application. It is apparent that a person skilled in the art can make various modifications and variations to this application without departing from its spirit and scope. This application is intended to cover such modifications and variations provided that they fall within the scope of the claims of this application and their equivalents.

Claims (11)

  1. A security protection method, comprising:
    receiving, by a second access network device, a handover request, wherein the handover request is used to indicate that a terminal is to be handed over from a first access network device to the second access network device, the handover request comprises information about M sessions, the information about each of the M sessions comprises a first identifier of that session, and M is a positive integer;
    determining, by the second access network device, N target sessions from the M sessions, wherein the N target sessions are a non-empty subset of the M sessions, N is less than or equal to M, and N is a positive integer;
    determining, by the second access network device, a second identifier of each of the N target sessions; and
    sending, by the second access network device, N pieces of correspondence information to the terminal, wherein the N pieces of correspondence information correspond one-to-one to the N target sessions, and each of the N pieces of correspondence information is used to indicate a correspondence between the first identifier and the second identifier of the corresponding target session.
  2. The security protection method according to claim 1, wherein the determining, by the second access network device, a second identifier of each of the N target sessions comprises:
    sending, by the second access network device, information about the N target sessions to a core network device; and
    receiving, by the second access network device, the second identifier of each of the N target sessions from the core network device.
  3. The security protection method according to claim 1, wherein the determining, by the second access network device, a second identifier of each of the N target sessions comprises:
    generating, by the second access network device, the second identifier of each of the N target sessions according to a preset rule.
  4. The security protection method according to any one of claims 1 to 3, wherein the first identifier of a session comprises at least one of the following parameters: an identifier of a link between the terminal and a user plane function (UPF) network element, a tunnel identifier of the link between the terminal and the UPF, a session identifier, an address of the UPF, an identifier of the terminal, a quality of service flow identifier, a bearer identifier, a slice identifier, and an identifier of the UPF.
  5. The security protection method according to any one of claims 1 to 4, wherein the correspondence information comprises the first identifier and the second identifier of the target session.
  6. A communication apparatus, comprising:
    a receiving module, configured to receive a handover request, wherein the handover request is used to indicate that a terminal is to be handed over from a first access network device to a second access network device, the handover request comprises information about M sessions, the information about each of the M sessions comprises a first identifier of that session, and M is a positive integer;
    a processing module, configured to determine N target sessions from the M sessions, wherein the N target sessions are a non-empty subset of the M sessions, N is less than or equal to M, and N is a positive integer;
    the processing module being further configured to determine a second identifier of each of the N target sessions; and
    a sending module, configured to send N pieces of correspondence information to the terminal, wherein the N pieces of correspondence information correspond one-to-one to the N target sessions, and each of the N pieces of correspondence information is used to indicate a correspondence between the first identifier and the second identifier of the corresponding target session.
  7. The communication apparatus according to claim 6, wherein the processing module is specifically configured to send information about the N target sessions to a core network device through the sending module, and to receive, through the receiving module, the second identifier of each of the N target sessions sent by the core network device.
  8. The communication apparatus according to claim 6, wherein the processing module is specifically configured to generate the second identifier of each of the N target sessions according to a preset rule.
  9. The communication apparatus according to any one of claims 6 to 8, wherein the first identifier of a session comprises at least one of the following parameters: an identifier of a link between the terminal and a user plane function (UPF) network element, a tunnel identifier of the link between the terminal and the UPF, a session identifier, an address of the UPF, an identifier of the terminal, a quality of service flow identifier, a bearer identifier, a slice identifier, and an identifier of the UPF.
  10. 根据权利要求6至9任一项所述的通信装置,其特征在于,所述对应关系信息包括目标会话的第一标识和第二标识。The communication device according to any one of claims 6 to 9, wherein the correspondence information includes a first identifier and a second identifier of the target session.
  11. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质存储有指令,当所述指令被通信装置运行时,使得通信装置执行权利要求1至5任一项的安全保护方法。A computer-readable storage medium, wherein the computer-readable storage medium stores instructions that, when executed by a communication device, cause the communication device to execute the security protection method of any one of claims 1 to 5.
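The procedure the claims describe, modelled as an added example (not code from the patent): the target access network device picks N of the M sessions carried in the handover request, gives each target session a second identifier by a preset rule, and emits the N correspondence infos; the field names, the slice-based selection rule and the random-value preset rule are assumptions of this example, and the last function lists the invariants a receiver can check.

```python
import secrets
from dataclasses import dataclass

# Added example modelling the claimed procedure, not the patent's own code; field names,
# the session selection rule and the "preset rule" are assumptions.
@dataclass(frozen=True)
class FirstIdentifier:
    """First identifier of a session: a subset of the parameters listed in claim 4."""
    session_id: int
    tunnel_id: int      # tunnel identifier of the terminal-UPF link
    upf_address: str
    slice_id: str

@dataclass(frozen=True)
class Correspondence:
    """One correspondence info sent to the terminal (claim 5): first <-> second identifier."""
    first: FirstIdentifier
    second: bytes

def select_target_sessions(sessions, admitted_slices):
    """Choose the N target sessions from the M sessions (assumed rule: keep the sessions
    whose slice the target device serves). N must be a non-empty subset, so N <= M."""
    targets = tuple(s for s in sessions if s.slice_id in admitted_slices)
    if not targets:
        raise ValueError("no target session: N must be a positive integer")
    return targets

def second_identifier_by_preset_rule(issued):
    """Assumed preset rule (claim 3): a fresh 64-bit random value never issued before,
    so the identifier used after handover cannot be linked to the one used before it."""
    while True:
        candidate = secrets.token_bytes(8)
        if candidate not in issued:
            issued.add(candidate)
            return candidate

def handle_handover(sessions, admitted_slices, issued=None):
    """Target access network device side (claim 6): returns the N correspondence infos."""
    if not sessions:
        raise ValueError("M must be a positive integer")
    issued = set() if issued is None else issued
    targets = select_target_sessions(sessions, admitted_slices)
    return [Correspondence(t, second_identifier_by_preset_rule(issued)) for t in targets]

def check_correspondences(sessions, infos):
    """Receiver-side checks: 0 < N <= M, targets are among the M sessions, one-to-one map."""
    firsts = [c.first for c in infos]
    seconds = [c.second for c in infos]
    return (0 < len(infos) <= len(sessions) and all(f in sessions for f in firsts)
            and len(set(firsts)) == len(firsts) == len(set(seconds)))
```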
PCT/CN2020/071237 2019-01-15 2020-01-09 Security protection method and apparatus WO2020147643A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910037122.0 2019-01-15
CN201910037122.0A CN111436086B (en) 2019-01-15 2019-01-15 Safety protection method and device

Publications (1)

Publication Number Publication Date
WO2020147643A1 true WO2020147643A1 (en) 2020-07-23

Family

ID=71580094

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/071237 WO2020147643A1 (en) 2019-01-15 2020-01-09 Security protection method and apparatus

Country Status (2)

Country Link
CN (1) CN111436086B (en)
WO (1) WO2020147643A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018145670A1 (en) * 2017-02-07 2018-08-16 中兴通讯股份有限公司 Base station handover method, system, and computer storage medium
CN108632917A (en) * 2017-03-21 2018-10-09 电信科学技术研究院 A kind of bearing mapping method, access network entity and SMF
CN108811016A (en) * 2017-05-05 2018-11-13 北京三星通信技术研究有限公司 A method of supporting switching
CN109151924A (en) * 2017-06-16 2019-01-04 华为技术有限公司 Communication means and access network equipment, equipment of the core network

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103795632B (en) * 2012-10-31 2017-02-22 华为技术有限公司 Data message transmission method, related equipment and system
WO2014116757A1 (en) * 2013-01-23 2014-07-31 Wang xiao hua System and method for concurrent call session(s) handover to ip network or cellular cs network
CN108738082B (en) * 2017-04-13 2020-06-16 华为技术有限公司 Session processing method, device and system
CN109392038B (en) * 2017-08-11 2022-09-09 华为技术有限公司 Communication method, source base station, target base station, core network equipment and terminal equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HUAWEI; HISILICON: "Transfer Security Policy in Xn HO", 3GPP DRAFT; S3-180643, 2 March 2018 (2018-03-02), San Diego, US, pages 1 - 2, XP051409070 *
HUAWEI; HISILICON: "TS23.502: Clarification of the PDU Session IDs Sent by the Source AMF to the Target AMF during Handover Procedure", 3GPP DRAFT; S2-178997, 1 December 2017 (2017-12-01), Reno, Nevada, pages 1 - 8, XP051367091 *

Also Published As

Publication number Publication date
CN111436086A (en) 2020-07-21
CN111436086B (en) 2021-02-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20740918; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 20740918; Country of ref document: EP; Kind code of ref document: A1