WO2022028030A1 - Slice authentication method and corresponding apparatus - Google Patents


Info

Publication number: WO2022028030A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
slice
authentication
access management
management network
Application number
PCT/CN2021/093587
Other languages
French (fr)
Chinese (zh)
Inventor
戚彩霞
银宇
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/08 Access security
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W 48/16 Discovering, processing access restriction or access information

Definitions

  • the old access management node may not support the network slice authentication function (i.e., there is no network slice authentication result).
  • the old access management node is an access management node in a fourth-generation (4G) mobile communication network, or an access management node in a fifth-generation (5G) network that does not support the network slice authentication function.
  • 4G fourth generation
  • 5G fifth generation
  • the terminal device can obtain the authentication result only by executing the network slice authentication process, which increases the system signaling overhead and increases the service delay of the terminal device.
  • the first network element is a second slice authentication network element.
  • the third access management network element can obtain the authentication result corresponding to the first slice on the data management network element through the second slice authentication network element, and thus does not need to perform the network slice authentication process for the first slice, which saves system signaling overhead and reduces the service delay of the terminal device.
  • the method further includes: the first slice authentication network element or the second slice authentication network element receives an authentication revocation message from the authentication, authorization and accounting (AAA) server and, according to the authentication revocation message, modifies the authentication result corresponding to the first slice stored in the data management network element to an authentication failure; or, the first slice authentication network element or the second slice authentication network element receives a re-authentication message from the AAA server and, according to the re-authentication message, deletes the authentication result corresponding to the first slice stored in the data management network element.
  • the third access management network element can obtain the authentication result corresponding to the first slice from the first slice authentication network element, so it is not necessary to perform the network slice authentication process for the first slice, which saves system signaling overhead and reduces the service delay of the terminal device.
  • before the terminal device moves from the second access management network element to the third access management network element, the method further includes: after the authentication corresponding to the first slice is completed, the first slice authentication network element saves the authentication result corresponding to the first slice and registers the identifier of the first slice authentication network element with the data management network element.
  • This embodiment provides various implementation manners for the third access management network element to determine that the second access management network element does not support the network slice authentication function, which improves the flexibility of the solution.
  • the data management network element receiving the request message from the third access management network element includes: the data management network element receiving the request message sent by the second slice authentication network element, wherein the request message sent by the second slice authentication network element is the request message sent by the third access management network element to the second slice authentication network element; the data management network element returning a response message to the third access management network element includes: the data management network element sending a response message to the second slice authentication network element, and the response message being forwarded to the third access management network element through the second slice authentication network element.
  • the method further includes: the data management network element receives a first message from the first slice authentication network element or the second slice authentication network element and, according to the first message, modifies the stored authentication result corresponding to the first slice to an authentication failure; or, the data management network element receives a second message from the first slice authentication network element or the second slice authentication network element and, according to the second message, deletes the stored authentication result corresponding to the first slice.
  • the system further includes a first access management network element and a first slice authentication network element; before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from the first access management network element, which supports the network slice authentication function, to the second access management network element; the first access management network element or the first slice authentication network element is used for storing the authentication result corresponding to the first slice in the data management network element.
  • the first slice authentication network element is further configured to: before the terminal device moves from the second access management network element to the third access management network element, and after the authentication corresponding to the first slice is completed, save the authentication result corresponding to the first slice and register the identifier of the first slice authentication network element with the data management network element.
  • before the terminal device moves from the second access management network element to the third access management network element, the terminal device is located within the service scope of the second access management network element; the first slice authentication network element or the second slice authentication network element is further used to: receive an authentication revocation message from the AAA server and, according to the authentication revocation message, modify the authentication result corresponding to the first slice stored in the first slice authentication network element to an authentication failure; or receive a re-authentication message from the AAA server and, according to the re-authentication message, delete the authentication result corresponding to the first slice stored in the first slice authentication network element.
  • a sixth aspect provides a slice authentication device, which can be, for example, a third access management network element or a chip set inside the third access management network element, and the device includes modules for performing the method described in the second aspect or any possible implementation manner of the second aspect.
  • the apparatus may include: a sending unit, configured to: after the terminal device moves from the second access management network element, which does not support the network slice authentication function, to the apparatus, which supports the network slice authentication function, send a first request message to the first network element, wherein the first request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated; and a receiving unit, configured to receive a first response message from the first network element, where the first response message includes the authentication result corresponding to the first slice.
  • a slice authentication device, which can be, for example, a data management network element or a chip set inside the data management network element, and the device includes modules for performing the method described in the third aspect or any possible implementation manner of the third aspect.
  • a slice authentication device, which can be, for example, a first slice authentication network element or a chip arranged inside the first slice authentication network element, and the device includes modules for performing the method described in the fourth aspect or any possible implementation manner of the fourth aspect.
  • a communication apparatus comprising: at least one processor; and a communication interface communicatively connected to the at least one processor, through which the method described in the second aspect or any possible implementation manner of the second aspect, the third aspect or any possible implementation manner of the third aspect, or the fourth aspect or any possible implementation manner of the fourth aspect is executed.
  • a computer-readable storage medium comprising a program or an instruction; when the program or instruction is executed on a computer, the method described in the second aspect or any possible implementation manner of the second aspect, the third aspect or any possible implementation manner of the third aspect, or the fourth aspect or any possible implementation manner of the fourth aspect is performed.
  • a chip is provided; the chip is coupled with a memory and is used for reading and executing program instructions stored in the memory, so that the method described in the second aspect or any possible implementation manner of the second aspect, the third aspect or any possible implementation manner of the third aspect, or the fourth aspect or any possible implementation manner of the fourth aspect is performed.
  • FIG. 5 is a flowchart of a method for withdrawing an authentication result and a method for re-authentication provided by an embodiment of the present application;
  • FIG. 11 is a flowchart of another authentication result withdrawal method and re-authentication method provided by an embodiment of the present application.
  • NSSAA Network Slice-Specific Authentication and Authorization
  • the slice authentication function sends an authentication, authorization, and accounting (AAA) protocol message to the AAA server, where the AAA protocol message includes the user identifier GPSI, the slice identifier S-NSSAI and the EAP message received by the slice authentication function in step S103.
  • AAA authentication, authorization, and accounting
  • the AAA server replies with an AAA protocol message to the slice authentication function, where the AAA protocol message includes the user identifier GPSI, the slice identifier S-NSSAI, and the EAP message sent to the terminal device.
  • the access management node sends a request message to the terminal device, where the request message includes the slice identifier S-NSSAI and the EAP message.
  • after receiving the network slice authentication request message, the terminal device replies to the access management node with a response message, where the response message includes the slice identifier S-NSSAI and an EAP message sent to the AAA server.
  • the AAA server replies with an AAA protocol message to the slice authentication function, where the AAA protocol message includes the user identity GPSI, the slice identity S-NSSAI, the EAP message sent to the terminal device, and the authentication result for the slice (EAP success/failure).
  • the slice authentication function replies with a response message to the access management node, and the response message includes the user identifier GPSI, the slice identifier S-NSSAI, the EAP message and the authentication result (EAP success/failure);
  • the data management network element is used to manage the subscription data of the terminal equipment.
  • the slice authentication network element is used to forward relevant messages between the terminal device and the AAA server for slice authentication/slice re-authentication/revocation of authentication results.
  • these may include mobile telephones (or "cellular" telephones), computers with mobile terminal equipment, portable, pocket-sized, hand-held, computer-embedded mobile devices, and the like.
  • mobile telephones or "cellular" telephones
  • PCS personal communication service
  • SIP session initiation protocol
  • WLL wireless local loop
  • PDA personal digital assistant
  • constrained devices such as devices with lower power consumption, or devices with limited storage capacity, or devices with limited computing power, etc.
  • it includes information sensing devices such as barcodes, radio frequency identification (RFID), sensors, global positioning system (GPS), and laser scanners.
  • RFID radio frequency identification
  • GPS global positioning system
  • the terminal device may also be a wearable device.
  • Wearable devices can also be called wearable smart devices or smart wearable devices, etc. The term covers devices that apply wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes.
  • a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not only a hardware device; it also realizes powerful functions through software support, data interaction, and cloud interaction.
  • an enhanced next-generation base station may also include a centralized unit (CU) and a distributed unit (DU) of a cloud radio access network (Cloud RAN) system, or may also include a relay device, which is not limited in this embodiment of the present application.
  • network element in the embodiments of the present application may also be replaced with other terms, for example, “function” or “node” and the like.
  • access management network element can also be replaced with “access management node”
  • data management network element can also be replaced with “data management function”
  • slice authentication network element can also be replaced with “slice authentication function”, etc.
  • At least one of the following items refers to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b or c can mean: a, or b, or c, or a and b, or b and c, or a and c, or a and b and c.
  • after the terminal device moves from the second access management network element, which does not support the network slice authentication function, to the third access management network element, which supports the network slice authentication function, the third access management network element sends a first request message to the first network element, where the first request message includes identification information of the first slice; the first network element receives the first request message from the third access management network element.
  • Case 3: After the terminal device moves from the second access management network element to the third access management network element, the third access management network element obtains the list of features supported by the second access management network element from the second access management network element, and determines according to the supported feature list that the second access management network element does not support the network slice authentication function.
  • the feature list includes the features supported by the second access management network element; if the feature list does not include the network slice authentication function, the third access management network element determines that the second access management network element does not support the network slice authentication function.
  • the authentication result corresponding to the first slice is stored on the designated network element in the communication system, and the authentication result is authentication success or authentication failure.
  • the authentication result corresponding to the first slice stored by the designated network element is stored in the designated network element before the terminal device moves from the second access management network element to the third access management network element and after the authentication corresponding to the first slice is completed.
  • the terminal device moves from the first access management network element, which supports the network slice authentication function, to the second access management network element, wherein the first access management network element and the third access management network element are the same or different.
  • when the terminal device is located within the service range of the first access management network element, if the communication system performs the network slice authentication process for the first slice, then after the authentication corresponding to the first slice is completed, the authentication result corresponding to the first slice is saved to the designated network element.
  • the method for the communication system to perform the network slice authentication process for the first slice may refer to FIG. 1 , which will not be described in detail here.
  • before the terminal device moves from the second access management network element to the third access management network element, the terminal device first moves from the first access management network element, which supports the network slice authentication function, to a fourth access management network element that does not support the network slice authentication function, and then moves from the fourth access management network element to the second access management network element, which does not support the network slice authentication function, wherein the first access management network element and the third access management network element are the same or different.
  • the first network element is specifically the second slice authentication network element
  • the second network element is specifically the data management network element.
  • when the terminal device moves from the first access management network element, which supports the network slice authentication function, to the second access management network element: while the terminal device is in the service range of the first access management network element, after the authentication corresponding to the first slice is completed, the first access management network element or the first slice authentication network element stores the authentication result corresponding to the first slice in the data management network element.
  • the AAA server can trigger the revocation process or the re-authentication process for the authentication result corresponding to the first slice. Since the second access management network element does not support the slice authentication function, and the slice authentication result is stored in the designated network element, the slice authentication network element can notify the designated network element to perform authentication result withdrawal or re-authentication.
  • the AAA server sends a re-authentication message to the first slice authentication network element or the second slice authentication network element; the first slice authentication network element or the second slice authentication network element deletes the authentication result corresponding to the first slice stored in the data management network element according to the re-authentication message.
  • the specific manner in which the first slice authentication network element or the second slice authentication network element deletes the authentication result corresponding to the first slice stored in the data management network element may be: the first slice authentication network element.
  • a slice authentication network element can also be used in place of the first slice authentication network element or the second slice authentication network element to perform the above re-authentication process.
  • the AAA server can trigger the withdrawal process or the re-authentication process for the authentication result corresponding to the slice. Since the second access management network element does not support the slice authentication function, and the authentication result of the slice is stored in the first slice authentication network element, the slice authentication network element can notify the first slice authentication network element to perform the authentication result withdrawal or re-authentication.
  • the AAA server triggers the withdrawal process for the authentication result corresponding to the first slice:
  • the AAA server triggers the re-authentication process corresponding to the first slice:
  • the AAA server sends a re-authentication message to the first slice authentication network element, and the first slice authentication network element deletes the authentication result corresponding to the first slice stored by itself according to the re-authentication message; or, the AAA server sends a re-authentication message to the second slice authentication network element, the second slice authentication network element sends a fourth message to the first slice authentication network element (including the identifier of the first slice, used to notify the first slice authentication network element to delete the authentication result corresponding to the first slice), and the first slice authentication network element deletes the authentication result corresponding to the first slice stored by itself according to the fourth message.
  • the AAA server can trigger the authentication corresponding to the first slice.
  • the AAA server sends an authentication revocation message (including the identifier of the first slice) to the first slice authentication network element or the second slice authentication network element; after receiving the message, the first slice authentication network element or the second slice authentication network element sends an authentication withdrawal message (including the identifier of the first slice) to the first access management network element; after obtaining the authentication revocation message, the first access management network element sends a fifth message (including the identifier of the first slice, to notify the data management network element to modify the authentication result corresponding to the first slice to an authentication failure) to the data management network element; after receiving the fifth message, the data management network element modifies the authentication result corresponding to the first slice stored by itself to an authentication failure.
  • the AAA server triggers the re-authentication process corresponding to the first slice:
  • the authentication result revocation or re-authentication may also be performed through the slice authentication network element, and the specific method may refer to the above-mentioned case 1, which will not be repeated here.
  • if the authentication result corresponding to the first slice is stored in the subscription data of the terminal device (the subscription data of the terminal device is stored in the data management network element), then the fifth message and the sixth message may specifically be subscription data update request messages.
  • the AAA server triggers the re-authentication process corresponding to the first slice:
  • the authentication result revocation or re-authentication may also be performed by using the slice authentication network element, and the specific method may refer to the above-mentioned case 2, which will not be repeated here.
  • the second slice authentication network element learns that the first access management network element supports the network slice authentication function according to the access management network element registration information obtained from the data management network element.
  • the second slice authentication network element notifies the first access management network element, and the first access management network element modifies the authentication result on the data management network element.
  • a specific slice authentication method provided in this embodiment can be applied to the network architecture shown in FIG. 2, and the method includes:
  • the terminal device accesses the first access management network element; the first access management network element obtains the subscription data of the terminal device from the data management network element and, according to the slice identifier S-NSSAI included in the subscription data and its network slice authentication indication information, if the network slice identified by the S-NSSAI (equivalent to the first slice above) needs to perform network slice authentication, the first access management network element triggers the network slice authentication.
  • the specific process is the same as that in Figure 1.
  • the first access management network element corresponds to the access management node in FIG. 1
  • the first slice authentication network element corresponds to the slice authentication function in FIG. 1.
  • the terminal device sends a registration update request message to the third access management network element.
  • the data management node sends a subscription data response message (a first response message) to the third access management network element, where the subscription data includes the authentication result.
  • after the third access management network element obtains the slice identifier S-NSSAI and the authentication result, it allows or refuses the terminal device to establish a session to the network slice according to the authentication result, and does not repeat the network slice authentication process.
  • the AAA server may also trigger the process of withdrawing the authentication result or re-authentication.
  • a flowchart of a method for withdrawing an authentication result provided in an embodiment of the present application can be applied to the network architecture shown in FIG. 2, or the method is executed when the second access management network element is accessed. The method includes:
  • the withdrawal of the authentication result, i.e., S501a shown in FIG. 5
  • the re-authentication process, i.e., S501b shown in FIG. 5
  • the authentication result revocation is used for a network slice whose authentication result is EAP success, and changes the authentication result to EAP failure; EAP authentication.
  • the AAA server sends a corresponding AAA protocol message to the second slice authentication network element, and the second slice authentication network element may be the same as or different from the first slice authentication network element.
  • the second slice authentication network element performs different processing according to the specific content of the received mobility management network element registration information:
  • the second slice authentication network element executes S504a and S505a.
  • the subscription data update request message is used to notify the data management network element to modify the authentication result; in that case the subscription data update request message carries the authentication result, and the authentication result is EAP failure. If the AAA server triggers the re-authentication process, the subscription data update request message is used to notify the data management network element to delete the authentication result.
  • the subscription data update request message may not contain the authentication result, or may contain an empty authentication result, or may contain the authentication result together with deletion indication information.
  • the second slice authentication network element modifies the authentication result corresponding to the slice identifier S-NSSAI in the subscription data on the data management network element to EAP failure;
  • if the AAA server triggers the re-authentication process, the second slice authentication network element deletes the authentication result corresponding to the slice identifier S-NSSAI in the subscription data on the data management network element.
  • the first access management network element triggers a network slice authentication process for the re-authenticated network slice, and the specific process is the same as the process in FIG. 1 .
  • S508: The data management network element replies with a subscription data update response message to the first access management network element, indicating whether the subscription data update succeeded or failed.
  • S505c: The first access management network element replies with an authentication result withdrawal notification response message.
  • S507a: The data management network element replies with a subscription data update response message to the first access management network element, indicating success or failure of the subscription data update.
  • S507b and S506a can also be performed by the second slice authentication network element, which stores the authentication result obtained after re-authentication in the subscription data of the terminal device, or changes the authentication result corresponding to the slice identifier S-NSSAI to EAP failure.
  • the first access management network element stores the authentication result on the data management network element during the network slice authentication process, so that in the mobility scenarios listed in the first and second cases above the third access management network element can obtain the authentication result from the data management network element; the network slice authentication process therefore does not need to be performed for the network slice, which saves network signaling overhead, and the terminal device does not need to wait until the third access management network element completes the network slice authentication process before a session to the specific network slice can be established, which speeds up service establishment and improves the service experience of the terminal device.
  • the AAA server can also trigger the re-authentication or authentication result withdrawal process, which improves the flexibility of network slice authentication.
  • the differences from the first embodiment include: in the second embodiment, the authentication result is stored in the data management network element by the slice authentication network element, and is also obtained from the data management network element by the slice authentication network element; in the first embodiment, the authentication result is stored in the data management network element by the access management network element, and is also obtained from the data management network element by the access management network element.
  • FIG. 6 is a flowchart of another specific slice authentication method provided by an embodiment of the present application. The method can be applied to the network architecture shown in FIG. 2, and the method includes:
  • a first access management network element triggers a network slice authentication process.
  • when the terminal device accesses the first access management network element, the first access management network element obtains the subscription data of the terminal device from the data management network element. If, according to the slice identifier S-NSSAI included in the subscription data and its network slice authentication indication information, the network slice identified by the S-NSSAI (equivalent to the first slice above) needs to perform network slice authentication, the first access management network element triggers the network slice authentication.
  • the specific process is the same as that in Figure 1.
  • the first access management network element corresponds to the access management network element in FIG. 1
  • the first slice authentication network element corresponds to the slice authentication function in FIG. 1 .
  • after the first slice authentication network element learns the authentication result of the network slice (that is, after performing S1011 shown in FIG. 1), it continues to perform the following steps:
  • the above S601 to S603 describe the process in which the first slice authentication network element stores the authentication result in the data management network element. The following describes the process in which the new access management network element (the third access management network element) obtains the authentication result from the data management network element.
  • the terminal device triggers the registration update process:
  • S604 The terminal device sends a registration update request message to the third access management network element.
  • the second slice authentication network element sends a request message for obtaining the authentication result to the data management network element, where the message includes the identifier of the terminal device and also includes one or more slice identifiers S-NSSAI.
  • the data management network element replies to the second slice authentication network element with a response message for obtaining the authentication result, and the message includes the authentication result.
  • the message may also include the slice identifier S-NSSAI.
  • the authentication result response message may specifically include multiple slice identifiers S-NSSAI, and an authentication result corresponding to each slice.
  • the second slice authentication network element replies to the third access management network element with a response message for obtaining the authentication result (the first response message), and the response message for obtaining the authentication result includes the authentication result.
  • the obtaining authentication result response message also includes the slice identifier S-NSSAI.
  • the AAA server may also trigger the process of withdrawing the authentication result or re-authentication.
  • the following describes the method by which the AAA server triggers the authentication result withdrawal or re-authentication process.
  • the data management network element replies a response message to the second slice authentication network element, where the message includes the mobility management network element registration information, and the mobility management network element registration information includes the access management network element identifier.
  • the access management network element identifier is an NF Instance ID.
  • the second slice authentication network element performs different processing according to the specific content of the received mobility management network element registration information:
  • the second slice authentication network element executes S704a and S705a.
  • the second slice authentication network element sends an authentication result update request message to the data management network element, where the authentication result update request message includes the slice identifier S-NSSAI.
  • the authentication result update request message further includes the authentication result.
  • after the data management network element receives the authentication result update request message: if the AAA server triggered the authentication result withdrawal process, the second slice authentication network element modifies the authentication result corresponding to the slice identifier S-NSSAI in the authentication result data to EAP failure; if the AAA server triggered the re-authentication process, the second slice authentication network element deletes the authentication result corresponding to the slice identifier S-NSSAI in the authentication result data.
  • the authentication result update request message is used to notify the data management network element to modify the authentication result; in that case the authentication result update request message carries the authentication result, and the authentication result is EAP failure. If the AAA server triggers the re-authentication process, the authentication result update request message is used to notify the data management network element to delete the authentication result.
  • the authentication result update request message may not contain the authentication result, or may contain an empty authentication result, or may contain the authentication result together with deletion indication information.
  • the slice identifier S-NSSAI and the authentication result are stored in the authentication result data of the data management network element.
  • Embodiment 1 stores the authentication result in the subscription data corresponding to the slice identifier S-NSSAI, whereas this embodiment stores it in the authentication result data. Therefore, in S704a of this embodiment the second slice authentication network element sends an authentication result update request message to the data management network element, while in S504a of Embodiment 1 the second slice authentication network element sends a subscription data update request message to the data management network element.
  • S705a The data management network element replies with an authentication result update response message to the second slice authentication network element, which is used to indicate whether the authentication result data update succeeds or fails.
  • the second slice authentication network element sends a re-authentication notification message to the first access management network element, where the message includes the user identifier and the slice identifier S-NSSAI.
  • S705b The first access management network element replies with a re-authentication notification response message.
  • the second slice authentication network element sends an authentication result update request message to the data management network element, where the message carries the slice identifier and the authentication result obtained after re-authentication.
  • the data management network element replies with an authentication result update response message to the second slice authentication network element, which is used to indicate whether the authentication result update succeeds or fails.
  • the second slice authentication network element sends an authentication result withdrawal notification message to the first access management network element, where the message includes the user identifier and the slice identifier S-NSSAI;
  • the second slice authentication network element sends an authentication result update request message to the data management network element, where the message includes the slice identifier S-NSSAI and the authentication result.
  • the message is used to modify the authentication result corresponding to the slice identifier S-NSSAI to EAP failure.
  • the data management network element stores the slice identifier S-NSSAI and its authentication result.
  • S707a The data management network element replies with an authentication result update response message to the second slice authentication network element, which is used to indicate whether the authentication result update succeeds or fails.
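  • As an added worked example (not code from the patent, and not an implementation of any operator, Huawei or 3GPP product), the following Python models the data flow of this embodiment: the data management network element keeps authentication result data keyed by user identifier and S-NSSAI, the second slice authentication network element applies an AAA-triggered withdrawal (result overwritten with EAP failure) or re-authentication (result deleted, using any of the three encodings the text allows), and the third access management network element decides from the obtained results whether slice authentication must run. The class and method names, the simplified routing rule in `on_aaa_trigger`, and the treatment of a stored EAP failure as a rejection are assumptions; the text states only that a stored result removes the need to rerun slice authentication. The same update semantics apply to the subscription data update request of Embodiment 1 (S504a); only the storage location differs.

```python
"""Model of Embodiment 2: authentication result data on the data management
network element, the authentication result update request, and the lookup by
a new access management network element. Added illustration only; class,
method and field names are assumptions, not the patent's or 3GPP's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EAP_SUCCESS = "EAP success"
EAP_FAILURE = "EAP failure"


@dataclass
class AuthResultUpdateRequest:
    """Authentication result update request (S704a / S706a / S706b). A deletion
    may be encoded in any of the three ways the text allows: no result, an
    empty result, or a result carried together with a deletion indication."""
    user_id: str
    s_nssai: str
    auth_result: Optional[str] = None
    deletion_indication: bool = False


class DataManagementNE:
    """Data management network element. Authentication result data is keyed by
    (user identifier, S-NSSAI) and kept apart from the subscription data."""

    def __init__(self) -> None:
        self.auth_result_data: Dict[Tuple[str, str], str] = {}

    def store(self, user_id: str, s_nssai: str, result: str) -> None:
        # S601 to S603: the first slice authentication NE stores the result it
        # learned from the AAA server at the end of the slice authentication run
        self.auth_result_data[(user_id, s_nssai)] = result

    def update(self, req: AuthResultUpdateRequest) -> bool:
        """Apply an update request. The returned flag is the success/failure
        reported in the authentication result update response (S705a/S707a)."""
        key = (req.user_id, req.s_nssai)
        if req.deletion_indication or not req.auth_result:
            # re-authentication: drop the stale result so that no later access
            # management NE can reuse it before the slice is re-authenticated
            return self.auth_result_data.pop(key, None) is not None
        # withdrawal (EAP failure) or a fresh result after re-authentication
        self.auth_result_data[key] = req.auth_result
        return True

    def obtain(self, user_id: str, s_nssais: List[str]) -> Dict[str, str]:
        """Obtain-authentication-result response: one entry per requested
        S-NSSAI that has a stored result; slices without one are left out."""
        return {s: self.auth_result_data[(user_id, s)]
                for s in s_nssais if (user_id, s) in self.auth_result_data}


class SliceAuthNE:
    """Second slice authentication network element (may equal the first)."""

    def __init__(self, udm: DataManagementNE) -> None:
        self.udm = udm

    def on_aaa_trigger(self, user_id: str, s_nssai: str, trigger: str,
                       amf_supports_nssaa: Optional[bool]) -> str:
        """Handle an AAA protocol message. amf_supports_nssaa stands in for the
        mobility management registration information: None when no access
        management NE is registered for the terminal, otherwise whether the
        registered NE supports slice authentication (assumed simplification).
        Returns the action taken (assumed names)."""
        if trigger not in ("withdraw", "reauth"):
            raise ValueError("unknown AAA trigger: " + trigger)
        if amf_supports_nssaa:
            # case 1: a serving access management NE can run the procedure,
            # so it receives a re-authentication or withdrawal notification
            return "notify_amf_" + trigger
        # otherwise the stored result is updated directly (S704a / S705a)
        if trigger == "withdraw":
            req = AuthResultUpdateRequest(user_id, s_nssai, EAP_FAILURE)
        else:
            req = AuthResultUpdateRequest(user_id, s_nssai, None,
                                          deletion_indication=True)
        return "store_updated" if self.udm.update(req) else "store_update_failed"

    def obtain_result(self, user_id: str, s_nssais: List[str]) -> Dict[str, str]:
        """Forward the third access management NE's request for one or more
        S-NSSAI to the data management NE and return what it answers."""
        return self.udm.obtain(user_id, s_nssais)


def third_amf_decision(obtained: Dict[str, str], s_nssai: str) -> str:
    """What the third access management NE does for one S-NSSAI after the
    registration update. Treating a stored EAP failure as a rejection is an
    assumption; the text only says a stored result avoids a new run."""
    result = obtained.get(s_nssai)
    if result is None:
        return "run_slice_authentication"
    if result == EAP_SUCCESS:
        return "allowed_without_reauth"
    return "rejected_without_reauth"
```

  • The point worth noticing in `update` is that a re-authentication deletes the entry rather than leaving the old EAP success in place; if the deletion were skipped, a terminal moving to a new access management network element between the AAA trigger and the new authentication run would be admitted on a result the AAA server has already invalidated.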
  • the first slice authentication network element stores the authentication result on the data management network element during the network slice authentication process, so that when the terminal device moves in the first and second scenarios listed above, the third access management network element can obtain the authentication result from the data management network element. The network slice authentication process therefore does not need to be performed again for the network slice, which saves network signaling overhead, and the terminal device does not need to wait for the third access management network element to complete the network slice authentication process before a session to the specific network slice can be established, which speeds up service establishment and improves the service experience of the terminal device.
  • the AAA server can also trigger the re-authentication or authentication result withdrawal process, which improves the flexibility of network slice authentication.
  • in this embodiment the authentication result is stored on the first slice authentication network element: the first slice authentication network element stores the authentication result during the network slice authentication process and also registers the registration information of the first slice authentication network element with the data management network element; the third access management network element requests the authentication result from the second slice authentication network element, and the second slice authentication network element obtains the registration information of the first slice authentication network element from the data management network element and requests the authentication result from the first slice authentication network element according to that registration information.
  • the second slice authentication network element notifies the first slice authentication network element to update the authentication result.
  • a first access management network element triggers a network slice authentication process.
  • when the terminal device accesses the first access management network element, the first access management network element obtains the subscription data of the terminal device from the data management network element. If, according to the slice identifier S-NSSAI included in the subscription data and its network slice authentication indication information, the network slice identified by the S-NSSAI (equivalent to the first slice above) needs to perform network slice authentication, the first access management network element triggers the network slice authentication.
  • the specific process is the same as that in Figure 1.
  • the first access management network element corresponds to the access management node in FIG. 1
  • the first slice authentication network element corresponds to the slice authentication function in FIG. 1 .
  • after the first slice authentication network element learns the authentication result of the network slice (that is, after performing S1011 shown in FIG. 1), it continues to perform the following steps:
  • the first slice authentication network element stores the user identifier, the network slice S-NSSAI and the authentication result.
  • the first slice authentication network element sends a registration request message to the data management network element, which is used to register the information of the first slice authentication network element in the data management network element, where the message includes the user identifier, the network slice S-NSSAI and the first slice authentication network element identifier.
  • the first slice authentication network element identifier may be a network function instance identifier.
  • the data management network element replies with a registration response message to the first slice authentication network element, which is used to indicate whether the registration of the first slice authentication network element information succeeds or fails.
  • the data management network element stores the registration information of the first slice authentication network element.
  • the third access management network element selects the second slice authentication network element, and sends a request message for obtaining the authentication result (the first request message) to the second slice authentication network element, and the message includes the user identifier and the network slice S-NSSAI.
  • the second slice authentication network element does not have an authentication result corresponding to the user identifier and the network slice S-NSSAI locally, and sends a message for obtaining slice authentication registration information to the data management network element, where the message includes the user identifier and the network slice S-NSSAI.
  • the slice authentication network element registration information further includes the network slice S-NSSAI.
  • the data management network element queries the slice authentication network element registration information corresponding to the parameter according to the parameters in the message in step S807, and sends the slice authentication network element registration information to the second slice authentication network element.
  • the second slice authentication network element sends a request message for obtaining the authentication result to the first slice authentication network element according to the identifier of the first slice authentication network element, where the message includes the user identifier and the network slice S-NSSAI.
  • the first slice authentication network element replies with a response message for obtaining the authentication result to the second slice authentication network element, where the authentication result response message includes the authentication result.
  • the authentication result response message further includes the user identifier and the network slice S-NSSAI.
  • the authentication result response message may further include the user identifier and the network slice S-NSSAI.
  • the terminal device can subscribe to multiple slice identifiers S-NSSAI that need to perform network slice authentication, and the second slice authentication network element can make multiple requests to obtain the authentication results, where each request is used to request the authentication results corresponding to one or more slice identifiers S-NSSAI.
  • the access management network element may also go to the data management network element to obtain slice authentication registration information, and then obtain the authentication result of the network slice.
  • S807-S8012 are replaced by the following steps 1) to 4):
  • the third access management network element sends a message of obtaining slice authentication registration information to the data management network element, and the message includes the user identifier and the network slice S-NSSAI.
  • the third access management network element sends a request message for obtaining the authentication result to the first slice authentication network element according to the identifier of the first slice authentication network element, and the message includes the user identifier and the network slice S-NSSAI.
  • the first slice authentication network element replies with a response message for obtaining the authentication result, and the message includes the user identifier, the network slice S-NSSAI and the authentication result.
  • the AAA server may also trigger the process of withdrawing the authentication result or re-authentication.
  • the following describes the method by which the AAA server triggers the authentication result withdrawal or re-authentication process.
  • FIG. 9 is a flowchart of another method for withdrawing an authentication result provided by an embodiment of the present application.
  • the method can be applied to the network architecture shown in FIG. 2, and is executed when the terminal device is accessed via the first access management network element or the second access management network element. The method includes:
  • the AAA server sends an AAA protocol message to the second slice authentication network element, which is used to trigger an authentication result withdrawal or re-authentication process.
  • the second slice authentication network element performs steps S904, S905, S906a and S907a.
  • steps S908a and S909a may also be performed.
  • the second slice authentication network element does not have the authentication result corresponding to the user identifier and the network slice S-NSSAI locally, and sends a message for obtaining slice authentication registration information to the data management network element, where the message includes the user identifier and the network slice S-NSSAI.
  • S905 The data management network element replies with a response message for obtaining slice authentication registration information to the second slice authentication network element, where the message includes the slice authentication network element registration information, and the slice authentication network element registration information includes the network slice S-NSSAI and the identifier of the first slice authentication network element. Specifically, the data management network element queries the slice authentication network element registration information corresponding to the parameters in the S904 message, and sends the slice authentication network element registration information to the second slice authentication network element.
  • S906a The second slice authentication network element sends an update authentication result request message to the first slice authentication network element, where the message includes the user identifier, the slice identifier S-NSSAI and its authentication result.
  • after receiving the message, the first slice authentication network element updates the authentication result. If the AAA server triggers the authentication result withdrawal process, the second slice authentication network element modifies the authentication result corresponding to the slice identifier S-NSSAI in the first slice authentication network element to EAP failure. If the AAA server triggers the re-authentication process, the second slice authentication network element deletes the authentication result corresponding to the slice identifier S-NSSAI in the first slice authentication network element.
  • the first slice authentication network element replies with an update authentication result response message to the second slice authentication network element, which is used to indicate whether the authentication result update succeeds or fails.
  • the first slice authentication network element executes S908a and S909a.
  • the first slice authentication network element sends a deregistration request message to the data management network element, where the message includes the slice identifier S-NSSAI, and may also include the identifier of the first slice authentication network element.
  • if the registration information of the mobility management network element contains the identifier of the access management network element and the clear indication information indicates that the access management network element has not been separated, or the registration information of the mobility management network element does not contain the clear indication information and the supported feature information indicates that the access management network element supports the network slice authentication function (that is, the above case 1), the second slice authentication network element performs steps S904, S905, S906b or S906c and subsequent steps.
  • the second slice authentication network element does not have the authentication result corresponding to the user identifier and the network slice S-NSSAI locally, and sends a message for obtaining slice authentication registration information to the data management network element, where the message includes the user identifier and the network slice S-NSSAI.
  • the data management network element replies with a response message for obtaining slice authentication registration information to the second slice authentication network element, where the message includes the slice authentication network element registration information, and the slice authentication network element registration information includes the network slice S-NSSAI and the identifier of the first slice authentication network element. Specifically, the data management network element queries the slice authentication network element registration information corresponding to the parameters in the S904 message, and sends the slice authentication network element registration information to the second slice authentication network element.
  • AAA server triggers re-authentication:
  • the second slice authentication network element sends a re-authentication notification message to the first access management network element, where the message includes the user identifier and the slice identifier S-NSSAI.
  • the first access management network element triggers a network slice authentication process for the re-authenticated network slice, and the specific process is the same as that in FIG. 1 .
  • the second slice authentication network element sends an authentication result withdrawal notification message to the first access management network element, where the message includes the user identifier and the slice identifier S-NSSAI.
  • S907c The first access management network element replies with an authentication result withdrawal notification response message.
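  • As an added worked example (not code from the patent, and not an implementation of any operator, Huawei or 3GPP product), the following Python models the registration-based variant described above: the first slice authentication network element keeps the authentication result locally and registers its network function instance identifier with the data management network element under the user identifier and S-NSSAI; the second slice authentication network element, or the third access management network element directly (the alternative steps 1) to 4)), looks up that registration and asks the first slice authentication network element for the result; an AAA trigger is routed the same way and either overwrites the result with EAP failure or deletes it and deregisters the slice (S908a). The class and method names, the `directory` used to resolve an identifier to a network element, and the decision to deregister whenever a result is deleted are assumptions.

```python
"""Model of the registration-based variant: the first slice authentication
network element keeps the authentication result itself and registers its
identifier with the data management network element, which others query to
find it. Added illustration only; names are assumptions, not the patent's."""
from typing import Dict, List, Optional, Tuple

EAP_SUCCESS = "EAP success"
EAP_FAILURE = "EAP failure"
Key = Tuple[str, str]  # (user identifier, S-NSSAI)


class DataManagementNE:
    """Holds only slice authentication NE registration information."""

    def __init__(self) -> None:
        self.registrations: Dict[Key, str] = {}

    def register(self, user_id: str, s_nssai: str, nf_instance_id: str) -> bool:
        # registration request: user identifier, S-NSSAI, NF instance identifier
        self.registrations[(user_id, s_nssai)] = nf_instance_id
        return True

    def deregister(self, user_id: str, s_nssai: str) -> bool:
        # S908a: deregistration request for one S-NSSAI
        return self.registrations.pop((user_id, s_nssai), None) is not None

    def lookup(self, user_id: str, s_nssai: str) -> Optional[str]:
        # answer to an obtain-slice-authentication-registration-information request
        return self.registrations.get((user_id, s_nssai))


class FirstSliceAuthNE:
    """Stores the authentication result locally and registers itself."""

    def __init__(self, nf_instance_id: str, udm: DataManagementNE) -> None:
        self.nf_instance_id = nf_instance_id
        self.udm = udm
        self.results: Dict[Key, str] = {}

    def store(self, user_id: str, s_nssai: str, result: str) -> bool:
        self.results[(user_id, s_nssai)] = result
        return self.udm.register(user_id, s_nssai, self.nf_instance_id)

    def obtain_result(self, user_id: str, s_nssais: List[str]) -> Dict[str, str]:
        """Response to an obtain-authentication-result request."""
        return {s: self.results[(user_id, s)]
                for s in s_nssais if (user_id, s) in self.results}

    def update_result(self, user_id: str, s_nssai: str,
                      result: Optional[str]) -> bool:
        """Update authentication result request (S906a): EAP failure for a
        withdrawal; None for a re-authentication, which deletes the entry and
        deregisters the slice so nobody is routed to a result that is gone."""
        key = (user_id, s_nssai)
        if key not in self.results:
            return False
        if result is None:
            del self.results[key]
            self.udm.deregister(user_id, s_nssai)
        else:
            self.results[key] = result
        return True


class SecondSliceAuthNE:
    """Locates the owner of a result through the registration and forwards."""

    def __init__(self, udm: DataManagementNE,
                 directory: Dict[str, FirstSliceAuthNE]) -> None:
        self.udm = udm
        self.directory = directory  # NF instance identifier -> network element
        self.local: Dict[Key, str] = {}  # results this NE produced itself

    def _locate(self, user_id: str, s_nssai: str) -> Optional[FirstSliceAuthNE]:
        nf_id = self.udm.lookup(user_id, s_nssai)
        return self.directory.get(nf_id) if nf_id is not None else None

    def obtain_result(self, user_id: str, s_nssais: List[str]) -> Dict[str, str]:
        found: Dict[str, str] = {}
        for s in s_nssais:
            if (user_id, s) in self.local:
                found[s] = self.local[(user_id, s)]
                continue
            owner = self._locate(user_id, s)
            if owner is not None:
                found.update(owner.obtain_result(user_id, [s]))
        return found

    def on_aaa_trigger(self, user_id: str, s_nssai: str, trigger: str) -> bool:
        """S904 to S907a: find the first NE and have it update its result."""
        owner = self._locate(user_id, s_nssai)
        if owner is None:
            return False
        return owner.update_result(
            user_id, s_nssai, EAP_FAILURE if trigger == "withdraw" else None)


def third_amf_direct_lookup(udm: DataManagementNE,
                            directory: Dict[str, FirstSliceAuthNE],
                            user_id: str, s_nssai: str) -> Optional[str]:
    """Alternative steps 1) to 4): the access management NE queries the
    registration itself and asks the first slice authentication NE directly."""
    nf_id = udm.lookup(user_id, s_nssai)
    if nf_id is None or nf_id not in directory:
        return None
    return directory[nf_id].obtain_result(user_id, [s_nssai]).get(s_nssai)
```

  • The registration is what makes the result reachable by the third access management network element; the deregistration on deletion keeps the registration and the stored result consistent, since a stale registration would point later requesters at a network element that no longer holds anything for that slice and they would have to fall back to running slice authentication anyway.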
  • the first slice authentication network element stores the authentication result in the network slice authentication process and registers the registration information of the first slice authentication network element with the data management network element, so that when the terminal device is in the mobile scenarios listed above, the third access management network element can obtain the authentication result through the second slice authentication network element (that is, it triggers the second slice authentication network element to obtain the registration information of the first slice authentication network element from the data management network element and, after obtaining the authentication result from the first slice authentication network element according to that registration information, to return the authentication result to the third access management network element). It is therefore not necessary to perform the network slice authentication process for the network slice, which saves network signaling overhead, and the terminal device does not need to wait for the third access management network element to complete the network slice authentication process before establishing a session to a specific network slice; service establishment is accelerated, and the service experience of the terminal device can be improved.
  • the AAA server can also trigger the re-authentication or authentication result withdrawal process, which improves the flexibility of network slice authentication.
  • in Embodiment 4, the first slice authentication network element does not need to register the registration information of the first slice authentication network element with the data management network element, and the third access management network element may obtain the authentication result directly from the first slice authentication network element.
  • this embodiment may be applicable to a scenario in which only one slice authentication network element (ie, the above-mentioned first slice authentication network element) is deployed in the current network.
  • a first access management network element triggers a network slice authentication process.
  • after the first slice authentication network element learns the authentication result of the network slice (that is, after performing S1011 shown in FIG. 1), it continues to perform the following steps:
  • the first slice authentication network element stores the user identifier, the network slice S-NSSAI and the authentication result.
  • the above S1001 to S1002 describe the process of the first slice authentication network element storing the authentication result.
  • the following describes the process in which the new access management network element (the third access management network element) obtains the authentication result from the first slice authentication network element.
  • the third access management network element sends a request message (first request message) for obtaining the authentication result to the first slice authentication network element, where the message includes the user identifier and the network slice S-NSSAI.
  • the message may contain one or more network slice identifiers S-NSSAI.
  • the first slice authentication network element replies with a response message for obtaining the authentication result (a first response message), and the message includes the authentication result.
  • the authentication result response message further includes the user identifier and the network slice S-NSSAI.
  • the following describes the method by which the AAA server triggers the authentication result withdrawal or re-authentication process.
  • the AAA server sends an AAA protocol message to the first slice authentication network element, which is used to trigger an authentication result withdrawal or re-authentication process.
  • the AAA server triggers the withdrawal of the authentication result (ie S1101a shown in FIG. 11 ) or the re-authentication process (ie, S1101b shown in FIG. 11 ) due to the modification of configuration information.
  • the authentication result revocation is used for the network slice whose authentication result is EAP success, and the authentication result is changed to EAP failure; EAP authentication.
  • the AAA server sends a corresponding AAA protocol message to the first slice authentication network element.
  • after receiving the AAA protocol message, the first slice authentication network element sends a request message to the data management network element, where the request message is used to query the mobility management network element registration information of the network element serving the terminal device.
  • the data management network element replies with a response message to the first slice authentication network element, where the message includes mobility management network element registration information, and the mobility management network element registration information includes an access management network element identifier.
  • the access management network element identifier is an NF Instance ID.
  • the first slice authentication network element performs different processing according to the specific content of the received mobility management network element registration information:
  • if it is authentication result withdrawal, the first slice authentication network element changes the authentication result to EAP failure; if it is re-authentication, the first slice authentication network element deletes the authentication result.
  • if the registration information of the mobility management network element contains the identifier of the access management network element and the clear indication information indicates that the access management network element has not been separated, or the registration information of the mobility management network element does not contain the clear indication information and the supported feature information indicates that the access management network element supports the network slice authentication function (that is, the above case 1), the first slice authentication network element performs step S1104a or S1104b and subsequent steps.
  • AAA server triggers re-authentication:
  • the first slice authentication network element sends a re-authentication notification message to the first access management network element, where the message includes the user identifier and the slice identifier S-NSSAI.
  • the first access management network element triggers a network slice authentication process for the re-authenticated network slice, and the specific process is the same as the process in FIG. 1 .
  • after obtaining the authentication result sent by the AAA server in the network slice authentication process, the first slice authentication network element updates the locally stored authentication result of the network slice, and changes the authentication result to EAP failure.
  • S1105b The first access management network element replies with an authentication result withdrawal notification response message.
  • S1106b The first slice authentication network element updates the authentication result, and deletes the locally stored authentication result of the network slice.
  • the first slice authentication network element stores the authentication result obtained in the network slice authentication process, so that the third access management network element in the mobility scenarios 1 and 2 listed above can obtain the authentication result for the terminal device directly from the first slice authentication network element.
  • the network slice authentication process therefore does not need to be performed for that network slice, which saves network signaling overhead, and the terminal device does not need to wait for the third access management network element to complete the network slice authentication process before a session to the specific network slice can be established, which speeds up service establishment and improves the service experience of the terminal device.
  • the AAA server can also trigger the re-authentication or authentication result withdrawal process, which improves the flexibility of network slice authentication.
  • the new access management network element obtains the authentication result from the specified network element.
  • in addition to obtaining the authentication result from the old access management network element (for example, by obtaining the user context from the second access management network element, where the user context carries the authentication result), the new access management network element can also obtain the authentication result from the specified network element according to the method provided in the embodiments of the present application.
  • an embodiment of the present application provides a slice authentication device 1200, which may be, for example, a third access management node network element or a chip set inside the third access management node network element. It includes a module for executing the method executed by the network element of the third access management node in the method embodiments shown in FIG. 3 to FIG. 11 .
  • the sending unit 1201 is configured to: after the terminal device moves from the second access management network element that does not support the network slice authentication function to the apparatus, which supports the network slice authentication function, send a first request message to the first network element, where the first request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated;
  • the receiving unit 1202 is configured to receive a first response message from the first network element, where the first response message includes an authentication result corresponding to the first slice.
  • the apparatus further includes a processing unit 1203; after the terminal device moves from the second access management network element to the apparatus and before the apparatus sends the first request message to the first network element, the processing unit 1203 is configured to:
  • the dashed box in FIG. 12 is used to indicate that the processing unit 1203 is optional for the apparatus 1200 .
  • the apparatus 1300 may include:
  • the receiving unit 1301 is configured to: after the terminal device moves from the second access management network element that does not support the network slice authentication function to the third access management network element that supports the network slice authentication function, receive a request message from the third access management network element, where the request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated;
  • the sending unit 1302 is configured to send a response message to the third access management network element, where the response message includes an authentication result corresponding to the first slice.
  • the receiving unit 1301 is configured to: receive a request message sent by a second slice authentication network element, where the request message sent by the second slice authentication network element is the request message sent by the third access management network element to the second slice authentication network element;
  • the terminal device moves from the first access management network element that supports the network slice authentication function to the second access management network element;
  • the receiving unit 1301 is further configured to: receive the authentication result corresponding to the first slice from the first access management network element or the first slice authentication network element;
  • the apparatus further includes a storage unit 1303 for storing the authentication result corresponding to the first slice.
  • before the terminal device moves from the second access management network element to the third access management network element, while the terminal device is located in the service range of the second access management network element:
  • the receiving unit 1301 is further configured to: receive a first message from the first slice authentication network element or the second slice authentication network element; the apparatus further includes a processing unit 1304, configured to, according to the first message, modify the authentication result corresponding to the first slice stored by the apparatus to authentication failure; or,
  • the receiving unit 1301 is further configured to: receive a second message from the first slice authentication network element or the second slice authentication network element; the apparatus further includes a processing unit 1304, configured to, according to the second message, delete the authentication result corresponding to the first slice stored by the apparatus.
  • the dotted box in FIG. 13 is used to indicate that the storage unit 1303 and the processing unit 1304 are optional to the apparatus 1300 .
  • the apparatus 1400 may include:
  • the receiving unit 1401 is configured to: after the terminal device moves from the second access management network element that does not support the network slice authentication function to the third access management network element that supports the network slice authentication function, receive a request message from a network element, where the request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated;
  • before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from the first access management network element that supports the network slice authentication function to the second access management network element, and the apparatus further includes:
  • a storage unit 1403, configured to save the authentication result corresponding to the first slice after the authentication corresponding to the first slice is completed;
  • a processing unit 1404, configured to register the identifier of the apparatus with the data management network element.
  • before the terminal device moves from the second access management network element to the third access management network element, while the terminal device is located in the service range of the second access management network element:
  • the receiving unit 1401 is further configured to: receive an authentication revocation message from the AAA server; the apparatus further includes a processing unit 1404, configured to, according to the authentication revocation message, modify the stored authentication result corresponding to the first slice to authentication failure; or,
  • the receiving unit 1401 is further configured to: receive a re-authentication message from the AAA server; the apparatus further includes a processing unit 1404, configured to, according to the re-authentication message, delete the stored authentication result corresponding to the first slice; or,
  • the receiving unit 1401 is further configured to: receive a third message from the second slice authentication network element; the apparatus further includes a processing unit 1404, configured to, according to the third message, modify the stored authentication result corresponding to the first slice to authentication failure; or,
  • the dotted box in FIG. 14 is used to indicate that the storage unit 1403 and the processing unit 1404 are optional to the apparatus 1400 .
  • an embodiment of the present application further provides a communication apparatus 1500, including:
  • in one case, the memory 1502 is located outside the apparatus 1500.
  • in another case, the apparatus 1500 includes the memory 1502; the memory 1502 is connected to the at least one processor 1501 and stores instructions executable by the at least one processor 1501.
  • Figure 15 shows with dashed lines that memory 1502 is optional to apparatus 1500.
  • the processor mentioned in the embodiments of the present application may be implemented by hardware or software.
  • when implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like.
  • when implemented in software, the processor may be a general-purpose processor that reads software code stored in memory.
  • the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • static RAM (Static RAM, SRAM)
  • dynamic RAM (Dynamic RAM, DRAM)
  • synchronous DRAM (Synchronous DRAM, SDRAM)
  • double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDR SDRAM)
  • enhanced SDRAM (Enhanced SDRAM, ESDRAM)
  • synchronous link dynamic random access memory (Synchlink DRAM, SLDRAM)
  • direct Rambus RAM (Direct Rambus RAM, DR RAM)
  • memory described herein is intended to include, but not be limited to, these and any other suitable types of memory.
  • an embodiment of the present application further provides a computer-readable storage medium, including a program or an instruction.
  • when the program or instruction is run on a computer, the method executed by any one of the network elements in the method embodiments shown in FIG. 3 to FIG. 11 is executed.
  • an embodiment of the present application further provides a chip, which is coupled to a memory and used to read and execute program instructions stored in the memory, so that the method executed by any one of the network elements in the method embodiments shown in FIG. 3 to FIG. 11 is executed.
  • an embodiment of the present application further provides a computer program product, which includes instructions that, when run on a computer, cause the method executed by any one of the network elements in the method embodiments shown in FIG. 3 to FIG. 11 to be executed.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented in software, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that includes an integration of one or more available media.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided in the embodiments of the present application are a slice authentication method and a corresponding apparatus. After a terminal device moves from a service range of a second access management network element that does not support a network slice authentication function to a service range of a third access management network element that supports the network slice authentication function, the third access management network element can send a first request message to a first network element to acquire an authentication result of a first slice that needs to be authenticated, such that the third access management network element does not need to execute a network slice authentication process, and the system signaling overheads can thus be effectively saved. In addition, the terminal device no longer needs to wait for the third access management network element to completely execute the network slice authentication process before establishing a session for a specific network slice, thereby accelerating the process of service establishment, and reducing the service delay of the terminal device.

Description

A slice authentication method and corresponding apparatus
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to the Chinese patent application with application number 202010791231.4, entitled "A slice authentication method and corresponding apparatus", filed with the China Patent Office on August 7, 2020, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technologies, and in particular to a slice authentication method and a corresponding apparatus.
Background
At present, after a terminal device moves from the service range of an old access management node into the service range of a new access management node, the new access management node is allowed to obtain the authentication result of a network slice from the old access management node, so the new access management node can skip performing the network slice authentication process for the terminal device, which effectively reduces signaling overhead. However, the new access management node can obtain the authentication result of the network slice from the old access management node only if the old access management node supports the network slice authentication function, because only an access management node that supports the network slice authentication function holds the authentication result of the network slice.
In practice, however, the old access management node may well not support the network slice authentication function (that is, it holds no network slice authentication result). For example, the old access management node may be an access management node in a fourth-generation (4G) mobile communication network, or an access management node in a fifth-generation (5G) network that does not support the network slice authentication function. In these cases the new access management node cannot obtain the authentication result of the network slice from the old access management node, so when the terminal device moves into the service range of the new access management node, the new access management node must perform the network slice authentication process for the terminal device in order to obtain the authentication result. This increases system signaling overhead and increases the service delay of the terminal device.
Summary of the invention
Embodiments of the present application provide a slice authentication method and a corresponding apparatus, which save system signaling overhead and reduce the service delay of terminal devices.
In a first aspect, a slice authentication method is provided, including: after a terminal device moves from a second access management network element that does not support the network slice authentication function to a third access management network element that supports the network slice authentication function, the third access management network element sends a first request message to a first network element, where the first request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated; and the third access management network element receives a first response message from the first network element, where the first response message includes an authentication result corresponding to the first slice.
In the embodiments of the present application, after the terminal device moves from the service range of the second access management network element, which does not support the network slice authentication function, to the service range of the third access management network element, which supports the network slice authentication function, the third access management network element can obtain the authentication result of the first slice that needs to be authenticated from the first network element, so the network slice authentication process does not need to be performed, which effectively saves system signaling overhead. At the same time, the terminal device no longer needs to wait for the third access management network element to complete the network slice authentication process before a session to the specific network slice can be established, which speeds up service establishment and reduces the service delay of the terminal device.
In a possible implementation, the first network element is a data management network element; before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element, and the method further includes: the first access management network element or a first slice authentication network element stores the authentication result corresponding to the first slice in the data management network element.
In this implementation, the first access management network element or the first slice authentication network element stores the authentication result corresponding to the first slice in the data management network element, so that after the terminal device moves from the service range of the second access management network element, which does not support the network slice authentication function, to the service range of the third access management network element, which supports it, the third access management network element can obtain the authentication result of the first slice that needs to be authenticated from the data management network element, which ensures the reliability of the solution.
In a possible implementation, the first network element is a second slice authentication network element.
In this implementation, after the terminal device moves from the service range of the second access management network element, which does not support the network slice authentication function, to the service range of the third access management network element, which supports it, the third access management network element can obtain the authentication result of the first slice that needs to be authenticated from the second slice authentication network element, so the network slice authentication process does not need to be performed for the first slice, which saves system signaling overhead and reduces the service delay of the terminal device.
In a possible implementation, after the third access management network element sends the first request message to the first network element, the method further includes: the second slice authentication network element sends the identification information of the first slice to a data management network element; the second slice authentication network element receives the authentication result corresponding to the first slice from the data management network element; and the second slice authentication network element sends the authentication result corresponding to the first slice to the third access management network element.
In this implementation, after the terminal device moves from the service range of the second access management network element, which does not support the network slice authentication function, to the service range of the third access management network element, which supports it, the third access management network element can obtain, through the second slice authentication network element, the authentication result corresponding to the first slice held by the data management network element, so the network slice authentication process does not need to be performed for the first slice, which saves system signaling overhead and reduces the service delay of the terminal device.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element, and the method further includes: the first access management network element or a first slice authentication network element stores the authentication result corresponding to the first slice in the data management network element.
In this implementation, the first access management network element or the first slice authentication network element stores the authentication result corresponding to the first slice in the data management network element, so that after the terminal device moves from the service range of the second access management network element, which does not support the network slice authentication function, to the service range of the third access management network element, which supports it, the third access management network element can obtain the authentication result corresponding to the first slice from the data management network element through the second slice authentication network element, which ensures the reliability of the solution.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, while the terminal device is located in the service range of the second access management network element, the method further includes: the first slice authentication network element or the second slice authentication network element receives an authentication revocation message from an authentication, authorization and accounting (AAA) server and, according to the authentication revocation message, modifies the authentication result corresponding to the first slice stored in the data management network element to authentication failure; or the first slice authentication network element or the second slice authentication network element receives a re-authentication message from the AAA server and, according to the re-authentication message, deletes the authentication result corresponding to the first slice stored in the data management network element.
In this implementation, after the data management network element has stored the authentication result of the first slice, the AAA server can still trigger a re-authentication or authentication result revocation process for the first slice, which improves the flexibility of network slice authentication.
一种可能的实施方式中,在所述第三接入管理网元向第一网元发送第一请求消息之后,所述方法还包括:所述第二切片鉴权网元向第一切片鉴权网元发送所述第一切片的标识信息;所述第二切片鉴权网元接收来自所述第一切片鉴权网元的所述第一切片对应的鉴权结果;所述第二切片鉴权网元向所述第三接入管理网元发送所述第一切片对应的鉴权结果。In a possible implementation manner, after the third access management network element sends the first request message to the first network element, the method further includes: the second slice authentication network element sends the first slice to the first network element. The authentication network element sends the identification information of the first slice; the second slice authentication network element receives the authentication result corresponding to the first slice from the first slice authentication network element; The second slice authentication network element sends the authentication result corresponding to the first slice to the third access management network element.
通过该实施方式,终端设备从不支持网络切片鉴权功能的第二接入管理网元的服务范围移动至支持网络切片鉴权功能的第三接入管理网元的服务范围后,第三接入管理网元可以从第一切片鉴权网元获得的第一切片对应的鉴权结果,进而不需要针对第一切片执行网络切片鉴权流程,可以节省系统信令开销,降低终端设备的业务时延。Through this embodiment, after the terminal device moves from the service scope of the second access management network element that does not support the network slice authentication function to the service scope of the third access management network element that supports the network slice authentication function, the third access management network element The access management network element can obtain the authentication result corresponding to the first slice from the first slice authentication network element, so it is not necessary to perform the network slice authentication process for the first slice, which can save system signaling overhead and reduce terminal The service delay of the device.
一种可能的实施方式中,在所述第二切片鉴权网元向第一切片鉴权网元发送第三请求消息之前,所述方法还包括:所述第二切片鉴权网元向数据管理网元发送请求消息;所述第二切片鉴权网元接收来自所述数据管理网元的所述第一切片鉴权网元的标识;所述第二切片鉴权网元向第一切片鉴权网元发送第三请求消息,包括:所述第二切片鉴权网元根据所述第一切片鉴权网元的标识,向所述第一切片鉴权网元发送所述第一切片的标识信息。In a possible implementation manner, before the second slice authentication network element sends the third request message to the first slice authentication network element, the method further includes: the second slice authentication network element to the first slice authentication network element. The data management network element sends a request message; the second slice authentication network element receives the identifier of the first slice authentication network element from the data management network element; the second slice authentication network element reports to the first slice authentication network element Sending a third request message by all slice authentication network elements includes: the second slice authentication network element sends, according to the identifier of the first slice authentication network element, to the first slice authentication network element Identification information of the first slice.
通过该实施方式,第二切片鉴权网元可以从数据管理网元查询到第一切片对应的鉴权结果的保存位置(即第一切片鉴权网元),进而向第一切片鉴权网元发送第一切片的标识信息以从第一切片鉴权网元获取到第一切片对应的鉴权结果,保证了方案的可靠性。Through this implementation, the second slice authentication network element can query the storage location of the authentication result corresponding to the first slice (that is, the first slice authentication network element) from the data management network element, and then send the first slice authentication network element to the first slice. The authentication network element sends the identification information of the first slice to obtain the authentication result corresponding to the first slice from the first slice authentication network element, which ensures the reliability of the solution.
一种可能的实施方式中,在所述终端设备从所述第二接入管理网元移动到所述第三接入管理网元之前,所述方法还包括:在所述第一切片对应的鉴权完成之后,所述第一切片鉴权网元保存所述第一切片对应的鉴权结果,并将所述第一切片鉴权网元的标识注册到所述数据管理网元。In a possible implementation manner, before the terminal device moves from the second access management network element to the third access management network element, the method further includes: corresponding to the first slice After the authentication of the first slice is completed, the first slice authentication network element saves the authentication result corresponding to the first slice, and registers the identity of the first slice authentication network element to the data management network Yuan.
通过该实施方式,第一切片鉴权网元不仅保存第一切片对应的鉴权结果的,而且将第一切片鉴权网元的标识注册到数据管理网元,以便于后续其它网元查询第一切片对应的鉴权结果的保存位置,进一步提高了方案的可靠性。Through this embodiment, the first slice authentication network element not only stores the authentication result corresponding to the first slice, but also registers the identifier of the first slice authentication network element to the data management network element, so as to facilitate subsequent network elements of other networks. The storage location of the authentication result corresponding to the first slice is meta-queried, which further improves the reliability of the solution.
In a possible implementation, the first network element is the first slice authentication network element; before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element, and the method further includes: the first slice authentication network element stores the authentication result corresponding to the first slice.
Through this implementation, the first slice authentication network element stores the authentication result corresponding to the first slice. After the terminal device moves from the service area of the second access management network element, which does not support the network slice authentication function, to the service area of the third access management network element, which supports the network slice authentication function, the third access management network element obtains the authentication result corresponding to the first slice directly from the first slice authentication network element and therefore does not need to perform the network slice authentication procedure for the first slice, which saves system signaling overhead and reduces the service latency of the terminal device.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, while the terminal device is located in the service area of the second access management network element, the method further includes: the first slice authentication network element or the second slice authentication network element receives an authentication revocation message from the AAA server and, according to the authentication revocation message, modifies the authentication result corresponding to the first slice stored in the first slice authentication network element to authentication failure; or the first slice authentication network element or the second slice authentication network element receives a re-authentication message from the AAA server and, according to the re-authentication message, deletes the authentication result corresponding to the first slice stored in the first slice authentication network element.
Through this implementation, after the first slice authentication network element has stored the authentication result of the first slice, the AAA server can still trigger a re-authentication or authentication result revocation procedure for the first slice, which improves the flexibility of network slice authentication.
In a possible implementation, after the terminal device moves from the second access management network element to the third access management network element and before the third access management network element sends the first request message to the first network element, the method further includes: if the second access management network element is a mobility management node (MME) of a 4G network, the third access management network element determines that the second access management network element does not support the network slice authentication function; or the third access management network element obtains the user context of the terminal device from the second access management network element, and if the user context does not contain the authentication result corresponding to the first slice, the third access management network element determines that the second access management network element does not support the network slice authentication function; or the third access management network element obtains the list of features supported by the second access management network element from the second access management network element and determines, according to the supported feature list, that the second access management network element does not support the network slice authentication function.
This implementation provides several ways for the third access management network element to determine that the second access management network element does not support the network slice authentication function, which improves the flexibility of the solution.
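The three determination conditions just listed (old node is a 4G MME; handed-over user context lacks a result for the slice; handed-over feature list does not name the function) are easy to get wrong in the edge cases, for example when a context was never retrieved at all. The following Python is an added, constructed illustration of that decision, not code from the patent or from any vendor's implementation; the class names, the `NSSAA_FEATURE` token and the field layouts are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed token that names the network slice authentication function in a feature list.
NSSAA_FEATURE = "network-slice-authentication"


@dataclass
class UserContext:
    """Constructed stand-in for the user context handed over between access management NEs."""
    ue_id: str
    # slice identifier -> stored authentication result ("success" / "failure")
    slice_auth_results: dict = field(default_factory=dict)


@dataclass
class OldAccessMgmtNE:
    """Constructed description of the second (old) access management network element."""
    name: str
    generation: str                              # "4G" marks an MME, "5G" a slice-aware NE
    user_context: Optional[UserContext] = None   # None: context was not retrieved
    supported_features: Optional[list] = None    # None: feature list was not retrieved


def reason_old_ne_lacks_nssaa(old_ne: OldAccessMgmtNE, slice_id: str) -> Optional[str]:
    """Return which of the three conditions makes the new access management NE treat
    the old one as not supporting network slice authentication, or None if none holds."""
    # Condition 1: the old node is a 4G mobility management node (MME).
    if old_ne.generation == "4G":
        return "old-ne-is-mme"
    # Condition 2: the retrieved user context carries no authentication result for the slice.
    if old_ne.user_context is not None and slice_id not in old_ne.user_context.slice_auth_results:
        return "no-result-in-user-context"
    # Condition 3: the retrieved feature list does not list the function.
    if old_ne.supported_features is not None and NSSAA_FEATURE not in old_ne.supported_features:
        return "feature-not-listed"
    return None


def next_step(old_ne: OldAccessMgmtNE, slice_id: str) -> str:
    """Decide whether the new NE must fetch the stored result from the first network element
    (the first request message of the text) or can reuse the result carried in the context.
    Neither knowing the context nor the feature list is reported as undetermined rather than
    silently treated as support."""
    if reason_old_ne_lacks_nssaa(old_ne, slice_id) is not None:
        return "fetch-stored-result"
    if old_ne.user_context is not None and slice_id in old_ne.user_context.slice_auth_results:
        return "reuse-result-from-context"
    return "undetermined"


if __name__ == "__main__":
    mme = OldAccessMgmtNE("mme-1", "4G")
    print(reason_old_ne_lacks_nssaa(mme, "slice-A"), next_step(mme, "slice-A"))
```

The `undetermined` branch is the defensive choice: absence of evidence about the old node is not treated as evidence that it performed slice authentication.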
In a second aspect, a slice authentication method is provided, including: after a terminal device moves from a second access management network element that does not support the network slice authentication function to a third access management network element that supports the network slice authentication function, the third access management network element sends a first request message to a first network element, where the first request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated; the third access management network element receives a first response message from the first network element, where the first response message includes an authentication result corresponding to the first slice.
In a possible implementation, the first network element is a data management network element, a first slice authentication network element, or a second slice authentication network element.
In a possible implementation, after the terminal device moves from the second access management network element to the third access management network element and before the third access management network element sends the first request message to the first network element, the method further includes: if the second access management network element is an MME of a 4G network, the third access management network element determines that the second access management network element does not support the network slice authentication function; or the third access management network element obtains the user context of the terminal device from the second access management network element, and if the user context does not contain the authentication result corresponding to the first slice, the third access management network element determines that the second access management network element does not support the network slice authentication function; or the third access management network element obtains the list of features supported by the second access management network element from the second access management network element and determines, according to the supported feature list, that the second access management network element does not support the network slice authentication function.
In a third aspect, a slice authentication method is provided, including: after a terminal device moves from a second access management network element that does not support the network slice authentication function to a third access management network element that supports the network slice authentication function, a data management network element receives a request message from the third access management network element, where the request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated; the data management network element returns a response message to the third access management network element, where the response message includes an authentication result corresponding to the first slice.
In a possible implementation, the data management network element receiving the request message from the third access management network element includes: the data management network element receives a request message sent by a second slice authentication network element, where the request message sent by the second slice authentication network element is the one the third access management network element sent to the second slice authentication network element; and the data management network element returning the response message to the third access management network element includes: the data management network element sends the response message to the second slice authentication network element, and the second slice authentication network element forwards the response message to the third access management network element.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element, and the method further includes: the data management network element receives the authentication result corresponding to the first slice from the first access management network element or a first slice authentication network element; the data management network element stores the authentication result corresponding to the first slice.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, while the terminal device is located in the service area of the second access management network element, the method further includes: the data management network element receives a first message from the first slice authentication network element or the second slice authentication network element and, according to the first message, modifies the stored authentication result corresponding to the first slice to authentication failure; or the data management network element receives a second message from the first slice authentication network element or the second slice authentication network element and, according to the second message, deletes the stored authentication result corresponding to the first slice.
In a fourth aspect, a slice authentication method is provided, including: after a terminal device moves from a second access management network element that does not support the network slice authentication function to a third access management network element that supports the network slice authentication function, a first slice authentication network element receives a request message from a second slice authentication network element, where the request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated; the first slice authentication network element returns a response message to the second slice authentication network element, where the response message includes an authentication result corresponding to the first slice.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element, and the method further includes: after the authentication corresponding to the first slice is completed, the first slice authentication network element stores the authentication result corresponding to the first slice and registers the identifier of the first slice authentication network element with a data management network element.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, while the terminal device is located in the service area of the second access management network element, the method further includes: the first slice authentication network element receives an authentication revocation message from the AAA server and, according to the authentication revocation message, modifies the stored authentication result corresponding to the first slice to authentication failure; or the first slice authentication network element receives a re-authentication message from the AAA server and, according to the re-authentication message, deletes the stored authentication result corresponding to the first slice; or the first slice authentication network element receives a third message from the second slice authentication network element and, according to the third message, modifies the stored authentication result corresponding to the first slice to authentication failure; or the first slice authentication network element receives a fourth message from the second slice authentication network element and, according to the fourth message, deletes the stored authentication result corresponding to the first slice.
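The stored-result lifecycle described in the second, third and fourth aspects (store and register after authentication; AAA revocation turns the stored result into a failure; AAA re-authentication deletes it; a later query by the third access management network element via the second slice authentication network element and the data management network element) is summarised in the following constructed Python simulation. It is an added example, not code from the patent, and the class names, identifiers such as `slice-auth-ne-1`, and the three result strings are assumptions; the distinction it preserves is the one the text draws, namely that revocation leaves a negative result behind while re-authentication leaves nothing behind.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]   # (terminal identifier, slice identifier), constructed values


@dataclass
class DataManagementNE:
    """Records which slice authentication NE holds the result for each (UE, slice)."""
    holder: Dict[Key, str] = field(default_factory=dict)

    def register(self, ue_id: str, slice_id: str, ne_id: str) -> None:
        self.holder[(ue_id, slice_id)] = ne_id

    def lookup_holder(self, ue_id: str, slice_id: str) -> Optional[str]:
        return self.holder.get((ue_id, slice_id))


@dataclass
class SliceAuthNE:
    """The first slice authentication NE: stores results and applies AAA updates to them."""
    ne_id: str
    dm: DataManagementNE
    results: Dict[Key, str] = field(default_factory=dict)

    def on_auth_complete(self, ue_id: str, slice_id: str, success: bool) -> None:
        # Store the result and register this NE's identifier with the data management NE.
        self.results[(ue_id, slice_id)] = "success" if success else "failure"
        self.dm.register(ue_id, slice_id, self.ne_id)

    def on_aaa_revocation(self, ue_id: str, slice_id: str) -> None:
        # Revocation overwrites the stored result with "failure" instead of deleting it,
        # so a later query is refused rather than triggering a fresh authentication.
        if (ue_id, slice_id) in self.results:
            self.results[(ue_id, slice_id)] = "failure"

    def on_aaa_reauth(self, ue_id: str, slice_id: str) -> None:
        # Re-authentication deletes the stored result so a later query runs the procedure again.
        self.results.pop((ue_id, slice_id), None)

    def get_result(self, ue_id: str, slice_id: str) -> Optional[str]:
        return self.results.get((ue_id, slice_id))


def fetch_via_second_ne(dm: DataManagementNE, registry: Dict[str, SliceAuthNE],
                        ue_id: str, slice_id: str) -> Optional[str]:
    """Path taken by the second slice authentication NE: ask the data management NE which
    NE holds the result, then query that NE with the slice's identification information."""
    holder_id = dm.lookup_holder(ue_id, slice_id)
    if holder_id is None or holder_id not in registry:
        return None
    return registry[holder_id].get_result(ue_id, slice_id)


def third_ne_decision(result: Optional[str]) -> str:
    """What the third access management NE does with the fetched result."""
    if result == "success":
        return "allow-slice"
    if result == "failure":
        return "reject-slice"
    return "run-slice-authentication"   # nothing stored: authenticate from scratch


def scenario() -> List[str]:
    """Authenticate then query; revoke then query; re-authenticate then query."""
    dm = DataManagementNE()
    first_ne = SliceAuthNE("slice-auth-ne-1", dm)
    registry = {first_ne.ne_id: first_ne}
    ue, slc = "ue-0001", "slice-A"          # constructed identifiers
    decisions = []
    first_ne.on_auth_complete(ue, slc, success=True)
    decisions.append(third_ne_decision(fetch_via_second_ne(dm, registry, ue, slc)))
    first_ne.on_aaa_revocation(ue, slc)
    decisions.append(third_ne_decision(fetch_via_second_ne(dm, registry, ue, slc)))
    first_ne.on_aaa_reauth(ue, slc)
    decisions.append(third_ne_decision(fetch_via_second_ne(dm, registry, ue, slc)))
    return decisions


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` walks the same (UE, slice) pair through the three states; a query for a pair the data management network element has never seen falls through to `run-slice-authentication`, which is also what a stale registration pointing at an unknown NE yields.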
In a fifth aspect, a slice authentication system is provided, including: a terminal device, a second access management network element that does not support the network slice authentication function, a third access management network element that supports the network slice authentication function, and a first network element; where the third access management network element is configured to: after the terminal device moves from the second access management network element to the third access management network element, send a first request message to the first network element, where the first request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated; the first network element is configured to: receive the first request message and send a first response message to the third access management network element, where the first response message includes an authentication result corresponding to the first slice; and the third access management network element is further configured to: receive the first response message from the first network element.
In a possible implementation, the first network element is a data management network element, and the system further includes a first access management network element and a first slice authentication network element; before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from the first access management network element, which supports the network slice authentication function, to the second access management network element; the first access management network element or the first slice authentication network element is configured to: store the authentication result corresponding to the first slice in the data management network element.
In a possible implementation, the first network element is a second slice authentication network element.
In a possible implementation, the second slice authentication network element is configured to: after the third access management network element sends the first request message to the first network element, send the identification information of the first slice to a data management network element; receive the authentication result corresponding to the first slice from the data management network element; and send the authentication result corresponding to the first slice to the third access management network element.
In a possible implementation, the system further includes a first access management network element and a first slice authentication network element; before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from the first access management network element, which supports the network slice authentication function, to the second access management network element; the first access management network element or the first slice authentication network element is configured to: store the authentication result corresponding to the first slice in the data management network element.
In a possible implementation, the system further includes the first slice authentication network element; the second slice authentication network element is configured to: after the third access management network element sends the first request message to the first network element, send the identification information of the first slice to the first slice authentication network element; the first slice authentication network element is configured to: receive the identification information of the first slice from the second slice authentication network element and send the authentication result corresponding to the first slice to the second slice authentication network element; and the second slice authentication network element is further configured to: receive the authentication result corresponding to the first slice from the first slice authentication network element and send the authentication result corresponding to the first slice to the third access management network element.
In a possible implementation, the second slice authentication network element is further configured to: before the second slice authentication network element sends the third request message to the first slice authentication network element, send a request message to the data management network element and receive the identifier of the first slice authentication network element from the data management network element; and when sending the third request message to the first slice authentication network element, the second slice authentication network element is specifically configured to: send the identification information of the first slice to the first slice authentication network element according to the identifier of the first slice authentication network element.
In a possible implementation, the first slice authentication network element is further configured to: before the terminal device moves from the second access management network element to the third access management network element and after the authentication corresponding to the first slice is completed, store the authentication result corresponding to the first slice and register the identifier of the first slice authentication network element with the data management network element.
In a possible implementation, the first network element is a first slice authentication network element; before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element; the first slice authentication network element is further configured to: store the authentication result corresponding to the first slice.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, while the terminal device is located in the service area of the second access management network element, the first slice authentication network element or the second slice authentication network element is further configured to: receive an authentication revocation message from an authentication, authorization and accounting (AAA) server and, according to the authentication revocation message, modify the authentication result corresponding to the first slice stored in the data management network element to authentication failure; or receive a re-authentication message from the AAA server and, according to the re-authentication message, delete the authentication result corresponding to the first slice stored in the data management network element.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, while the terminal device is located in the service area of the second access management network element, the first slice authentication network element or the second slice authentication network element is further configured to: receive an authentication revocation message from the AAA server and, according to the authentication revocation message, modify the authentication result corresponding to the first slice stored in the first slice authentication network element to authentication failure; or receive a re-authentication message from the AAA server and, according to the re-authentication message, delete the authentication result corresponding to the first slice stored in the first slice authentication network element.
In a possible implementation, after the terminal device moves from the second access management network element to the third access management network element and before the third access management network element sends the first request message to the first network element, the third access management network element is further configured to: if the second access management network element is a mobility management node (MME) of a 4G network, determine that the second access management network element does not support the network slice authentication function; or obtain the user context of the terminal device from the second access management network element and, if the user context does not contain the authentication result corresponding to the first slice, determine that the second access management network element does not support the network slice authentication function; or obtain the list of features supported by the second access management network element from the second access management network element and determine, according to the supported feature list, that the second access management network element does not support the network slice authentication function.
In a sixth aspect, a slice authentication apparatus is provided, which may be, for example, a third access management network element or a chip arranged inside the third access management network element, and the apparatus includes modules for performing the method described in the second aspect or any possible implementation of the second aspect.
By way of example, the apparatus may include: a sending unit, configured to: after a terminal device moves from a second access management network element that does not support the network slice authentication function to the apparatus, which supports the network slice authentication function, send a first request message to a first network element, where the first request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated; and a receiving unit, configured to receive a first response message from the first network element, where the first response message includes an authentication result corresponding to the first slice.
In a seventh aspect, a slice authentication apparatus is provided, which may be, for example, a data management network element or a chip arranged inside the data management network element, and the apparatus includes modules for performing the method described in the third aspect or any possible implementation of the third aspect.
By way of example, the apparatus may include: a receiving unit, configured to: after a terminal device moves from a second access management network element that does not support the network slice authentication function to a third access management network element that supports the network slice authentication function, receive a request message from the third access management network element, where the request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated; and a sending unit, configured to send a response message to the third access management network element, where the response message includes an authentication result corresponding to the first slice.
In an eighth aspect, a slice authentication apparatus is provided, which may be, for example, a first slice authentication network element or a chip arranged inside the first slice authentication network element, and the apparatus includes modules for performing the method described in the fourth aspect or any possible implementation of the fourth aspect.
By way of example, the apparatus may include: a receiving unit, configured to: after a terminal device moves from a second access management network element that does not support the network slice authentication function to a third access management network element that supports the network slice authentication function, receive a request message from a second slice authentication network element, where the request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated; and a sending unit, configured to send a response message to the second slice authentication network element, where the response message includes an authentication result corresponding to the first slice.
In a ninth aspect, a communication apparatus is provided, including: at least one processor; and a communication interface communicatively connected to the at least one processor; by executing instructions stored in a memory, the at least one processor causes the apparatus to perform, through the communication interface, the method described in the second aspect or any possible implementation of the second aspect, the third aspect or any possible implementation of the third aspect, or the fourth aspect or any possible implementation of the fourth aspect.
Optionally, the memory is located outside the apparatus.
Optionally, the apparatus includes the memory, the memory is connected to the at least one processor, and the memory stores instructions executable by the at least one processor.
In a tenth aspect, a computer-readable storage medium is provided, including a program or instructions which, when run on a computer, cause the method described in the second aspect or any possible implementation of the second aspect, the third aspect or any possible implementation of the third aspect, or the fourth aspect or any possible implementation of the fourth aspect to be performed.
In an eleventh aspect, a chip is provided, the chip being coupled to a memory and configured to read and execute program instructions stored in the memory, so that the method described in the second aspect or any possible implementation of the second aspect, the third aspect or any possible implementation of the third aspect, or the fourth aspect or any possible implementation of the fourth aspect is performed.
In a twelfth aspect, a computer program product is provided, including instructions which, when run on a computer, cause the method described in the second aspect or any possible implementation of the second aspect, the third aspect or any possible implementation of the third aspect, or the fourth aspect or any possible implementation of the fourth aspect to be performed.
Description of drawings
FIG. 1 is a flowchart of network slice authentication;
FIG. 2 is a network architecture diagram of a communication system to which an embodiment of the present application is applicable;
FIG. 3 is a flowchart of a slice authentication method provided by an embodiment of the present application;
FIG. 4 is a flowchart of a specific slice authentication method provided by this embodiment;
FIG. 5 is a flowchart of an authentication result withdrawal method and a re-authentication method provided by an embodiment of the present application;
FIG. 6 is a flowchart of another specific slice authentication method provided by an embodiment of the present application;
FIG. 7 is a flowchart of another authentication result withdrawal method and re-authentication method provided by an embodiment of the present application;
FIG. 8 is a flowchart of another specific slice authentication method provided by this embodiment;
FIG. 9 is a flowchart of another authentication result withdrawal method and re-authentication method provided by an embodiment of the present application;
FIG. 10 is a flowchart of another specific slice authentication method provided by this embodiment;
FIG. 11 is a flowchart of another authentication result withdrawal method and re-authentication method provided by an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a slice authentication apparatus provided by an embodiment of the present application;
FIG. 13 is a schematic structural diagram of another slice authentication apparatus provided by an embodiment of the present application;
FIG. 14 is a schematic structural diagram of another slice authentication apparatus provided by an embodiment of the present application;
FIG. 15 is a schematic structural diagram of a communication apparatus provided by an embodiment of the present application.
Detailed description
The Network Slice-Specific Authentication and Authorization (NSSAA) function is used to authenticate and authorize the slices to which a terminal device is subscribed.
FIG. 1 is a flowchart of network slice authentication. As shown in FIG. 1, the access management node triggers the network slice authentication procedure for a slice that requires network slice authentication, according to the subscribed slice information in the subscription data of the terminal device:
S101. The access management node sends a network slice authentication request message to the terminal device, where the request message includes the slice identifier: Single Network Slice Selection Assistance Information (S-NSSAI).
S102. After receiving the request message, the terminal device replies with a response message to the access management node, where the response message includes the slice identifier S-NSSAI and an Extensible Authentication Protocol (EAP) message, and the EAP message includes the EAP identity allocated by the terminal device.
S103. The access management node sends a request message to the slice authentication function, where the request message includes the user identifier: Generic Public Subscription Identifier (GPSI), the slice identifier S-NSSAI, and the EAP message received by the access management node in step S102.
S104. The slice authentication function sends an Authentication, Authorization, Accounting (AAA) protocol message to the AAA server, where the AAA protocol message includes the user identifier GPSI, the slice identifier S-NSSAI and the EAP message received by the slice authentication function in step S103.
S105. The AAA server replies with an AAA protocol message to the slice authentication function, where the AAA protocol message includes the user identifier GPSI, the slice identifier S-NSSAI and an EAP message to be sent to the terminal device.
S106. The slice authentication function replies with a response message to the access management node, where the response message includes the user identifier GPSI, the slice identifier S-NSSAI and the EAP message received by the slice authentication function in step S105.
S107. The access management node sends a request message to the terminal device, where the request message includes the slice identifier S-NSSAI and the EAP message.
S108. After receiving the network slice authentication request message, the terminal device replies with a response message to the access management node, where the response message includes the slice identifier S-NSSAI and an EAP message to be sent to the AAA server.
S109. The access management node sends a request message to the slice authentication function, where the request message includes the user identifier GPSI, the slice identifier S-NSSAI and the EAP message received by the access management node in step S108.
S1010. The slice authentication function sends an AAA protocol message to the AAA server, where the AAA protocol message includes the user identifier GPSI, the slice identifier S-NSSAI and the EAP message received by the slice authentication function in step S109.
It should be noted that steps S105 to S1010 constitute one round of EAP message exchange between the AAA server and the terminal device (the EAP authentication process). Through the EAP authentication process the terminal device and the AAA server authenticate each other: for example, the AAA server verifies the legitimate identity of the terminal device, and the terminal device verifies the legitimate identity of the AAA server. In this process the access management node and the slice authentication function only forward EAP messages between the terminal device and the AAA server. If several EAP message exchanges between the AAA server and the terminal device are needed to complete authentication, steps S105 to S1010 may be performed several times, which is not described again here.
S1011. The AAA server replies with an AAA protocol message to the slice authentication function, where the AAA protocol message includes the user identifier GPSI, the slice identifier S-NSSAI, an EAP message to be sent to the terminal device, and the authentication result for this slice (EAP success/failure).
S1012. The slice authentication function replies with a response message to the access management node, where the response message includes the user identifier GPSI, the slice identifier S-NSSAI, the EAP message and the authentication result (EAP success/failure) received by the slice authentication function in step S1011.
S1013. The access management node sends a network slice authentication result notification message to the terminal device, where the notification message includes the slice identifier S-NSSAI and an EAP message, and the EAP message indicates EAP authentication success or failure.
Through the above network slice authentication procedure, the access management node learns that the authentication result of the network slice is EAP success or EAP failure, and performs the corresponding operation according to the authentication result. For example, for a network slice for which EAP succeeded, the access management node allows the terminal device to establish a session to that network slice; for a network slice for which EAP failed, the access management node does not allow the terminal device to establish a session to that network slice.
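As an added illustration (example code, not part of the patent), the following Python model plays through steps S101 to S1013 with the access management node and the slice authentication function acting purely as forwarders. The EAP method is a constructed HMAC challenge/response stand-in, the GPSI, identity and secret values are constructed, and the two-round setting shows the repetition of S105 to S1010 noted above.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

EAP_SUCCESS, EAP_FAILURE = "EAP-Success", "EAP-Failure"
EAP_ROUNDS = 2  # challenge/response rounds, so steps S105-S1010 repeat once


@dataclass
class Msg:
    """One signaling message carrying the fields named in S101-S1013."""
    s_nssai: str
    eap: Optional[str] = None
    gpsi: Optional[str] = None
    result: Optional[str] = None


def toy_mac(secret: bytes, challenge: str) -> str:
    """Constructed stand-in for a real EAP method; only the exchange shape matters."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


class TerminalDevice:
    def __init__(self, eap_identity: str, secret: bytes) -> None:
        self.eap_identity, self.secret = eap_identity, secret
        self.results: dict = {}

    def on_request(self, msg: Msg) -> Msg:
        if msg.eap is None:  # S101 -> S102: reply with the EAP identity
            return Msg(msg.s_nssai, eap=f"Identity:{self.eap_identity}")
        challenge = msg.eap.split(":", 1)[1]  # S107 -> S108: answer the challenge
        return Msg(msg.s_nssai, eap=f"Response:{toy_mac(self.secret, challenge)}")

    def on_notify(self, msg: Msg) -> None:  # S1013: record the notified result
        self.results[msg.s_nssai] = msg.result


class AAAServer:
    def __init__(self, subscribers: dict) -> None:
        self.subscribers = subscribers  # gpsi -> shared secret (constructed)
        self.pending: dict = {}         # (gpsi, s_nssai) -> (round, challenge)

    def on_aaa(self, msg: Msg) -> Msg:
        key = (msg.gpsi, msg.s_nssai)
        kind, payload = msg.eap.split(":", 1)
        if kind == "Identity":  # S104: identity received, start round 1
            rnd = 1
        else:                   # S1010: verify the response to the last challenge
            state = self.pending.pop(key, None)
            secret = self.subscribers.get(msg.gpsi, b"")
            if state is None or not hmac.compare_digest(payload, toy_mac(secret, state[1])):
                return Msg(msg.s_nssai, EAP_FAILURE, msg.gpsi, result=EAP_FAILURE)  # S1011
            if state[0] == EAP_ROUNDS:
                return Msg(msg.s_nssai, EAP_SUCCESS, msg.gpsi, result=EAP_SUCCESS)  # S1011
            rnd = state[0] + 1
        challenge = f"{msg.gpsi}/{msg.s_nssai}/round{rnd}"  # constructed challenge
        self.pending[key] = (rnd, challenge)
        return Msg(msg.s_nssai, f"Challenge:{challenge}", msg.gpsi)  # S105


class SliceAuthFunction:
    """Slice authentication function: forwards only (S104/S106, S1010/S1012)."""
    def __init__(self, aaa: AAAServer) -> None:
        self.aaa = aaa

    def on_request(self, msg: Msg) -> Msg:
        return self.aaa.on_aaa(msg)


class AccessManagementNode:
    def __init__(self, saf: SliceAuthFunction) -> None:
        self.saf = saf
        self.results: dict = {}  # (gpsi, s_nssai) -> EAP-Success / EAP-Failure

    def run_nssaa(self, ue: TerminalDevice, gpsi: str, s_nssai: str) -> Tuple[str, int]:
        """Drive the FIG. 1 procedure; returns (result, challenges answered by the UE)."""
        reply = ue.on_request(Msg(s_nssai))  # S101/S102
        challenges = 0
        while True:
            resp = self.saf.on_request(Msg(s_nssai, reply.eap, gpsi))  # S103 / S109
            if resp.result is not None:  # S1012: final result has arrived
                break
            reply = ue.on_request(Msg(s_nssai, resp.eap))  # S107/S108
            challenges += 1
        self.results[(gpsi, s_nssai)] = resp.result
        ue.on_notify(Msg(s_nssai, resp.eap, result=resp.result))  # S1013
        return resp.result, challenges

    def session_allowed(self, gpsi: str, s_nssai: str) -> bool:
        """Only a slice whose stored result is EAP-Success may carry a session."""
        return self.results.get((gpsi, s_nssai)) == EAP_SUCCESS
```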
It can be seen from the above procedure that network slice authentication involves multiple signaling interactions between the terminal device and the AAA server. A moving terminal device may leave the service area of its old access management node and need to select a new access management node for access. In this case, to save signaling overhead, the new access management node can obtain the authentication result of the network slice from the old access management node, so that the above network slice authentication procedure need not be performed again for the new access management node.
However, the network slice authentication function is available only from the fifth-generation (5G) mobile communication network onwards. When a terminal device moves from a 5G network (a first access management node) to a 4G network (a second access management node) and then back to a 5G network (a third access management node, which may be the same as or different from the first access management node), the second access management node does not support the network slice authentication function and therefore does not obtain the authentication result of the network slice from the first access management node. As a result, the third access management node cannot obtain the authentication result of the network slice from the second access management node, and when the terminal device moves to the third access management node the above network slice authentication procedure must be performed again to obtain the authentication result.
Moreover, in actual deployments only some of the access management nodes in a 5G mobile communication network support the network slice authentication function, while the others do not. When a terminal device in a 5G network moves from a first access management node that supports the network slice authentication function to a second access management node that does not, and then to a third access management node that does, the third access management node likewise cannot obtain the authentication result of the network slice from the second access management node, because the second access management node does not support the network slice authentication function; so when the terminal device moves to the third access management node, the above network slice authentication procedure still needs to be performed again to obtain the authentication result.
In both of the above terminal device mobility scenarios, the third access management node needs to re-execute the network slice authentication procedure to obtain the authentication result corresponding to the network slice, which increases signaling overhead. In addition, because the third access management node must obtain the authentication result before it can know whether the terminal device may establish a session to the network slice, and because the network slice authentication procedure involves multiple signaling interactions between the terminal device and the AAA server and therefore takes a certain amount of time, the services of the terminal device also incur additional delay.
In view of this, embodiments of the present application provide a slice authentication method and a corresponding apparatus. When the terminal device is within the service area of any access management node, if the system has performed the network slice authentication procedure for any network slice and obtained the authentication result of that network slice, the authentication result can be stored at a designated network element (the designated network element may be, for example, a data management function or a slice authentication function; this is not limited in the embodiments of the present application). In this way, when the terminal device moves into the service area of a new access management node, if the old access management node supports the network slice authentication function, the new access management node can obtain the authentication result of the network slice either from the old access management node or from the designated network element; if the old access management node does not support the network slice authentication function, the new access management node can obtain the authentication result of the network slice from the designated network element.
It can be seen that, with the embodiments of the present application, after the terminal device moves from the service area of the old access management node into the service area of the new access management node, the authentication result of the network slice can be obtained without re-executing the network slice authentication procedure, regardless of whether the old access management node supports the network slice authentication function. This saves system signaling overhead and improves the service performance of the terminal device. The specific solution is described in further detail below.
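The following Python model (an added example, not the patent's own code) compares the 5G-to-4G-to-5G mobility scenario described above with and without the designated network element. The node names, GPSI and S-NSSAI values are constructed, the full FIG. 1 procedure is abstracted to the verdict it would return, and the choice to consult the old node's context before the designated network element is one of the two orders the text allows.

```python
from typing import Optional

EAP_SUCCESS, EAP_FAILURE = "EAP-Success", "EAP-Failure"


class DesignatedNetworkElement:
    """Stores slice authentication results keyed by (GPSI, S-NSSAI).
    The text allows this to be the data management function or the slice
    authentication function; which one is irrelevant to the lookup logic."""
    def __init__(self) -> None:
        self.results: dict = {}

    def save(self, gpsi: str, s_nssai: str, result: str) -> None:
        self.results[(gpsi, s_nssai)] = result

    def get(self, gpsi: str, s_nssai: str) -> Optional[str]:
        return self.results.get((gpsi, s_nssai))


class AccessManagementNode:
    def __init__(self, name: str, supports_nssaa: bool,
                 designated: Optional[DesignatedNetworkElement]) -> None:
        self.name, self.supports_nssaa, self.designated = name, supports_nssaa, designated
        self.context: dict = {}   # gpsi -> {s_nssai: result}; the user context
        self.full_runs = 0        # how often the FIG. 1 procedure was executed here

    def run_full_nssaa(self, gpsi: str, s_nssai: str, aaa_verdict: str) -> str:
        """Stand-in for steps S101-S1013: the AAA server's verdict is injected,
        because the multi-round EAP exchange is not what this example shows."""
        self.full_runs += 1
        self.context.setdefault(gpsi, {})[s_nssai] = aaa_verdict
        if self.designated is not None:   # the extra step the embodiment adds
            self.designated.save(gpsi, s_nssai, aaa_verdict)
        return aaa_verdict

    def register(self, gpsi: str, s_nssai: str, old: Optional["AccessManagementNode"],
                 aaa_verdict: str) -> Optional[str]:
        """Terminal device arrives from `old` (None on initial registration)."""
        ctx = self.context.setdefault(gpsi, {})
        if not self.supports_nssaa:
            return None   # a 4G MME or non-NSSAA AMF keeps no slice authentication result
        result = None
        if old is not None and old.supports_nssaa:
            result = old.context.get(gpsi, {}).get(s_nssai)   # from the old node's context
        if result is None and self.designated is not None:
            result = self.designated.get(gpsi, s_nssai)       # from the designated NE
        if result is None:
            result = self.run_full_nssaa(gpsi, s_nssai, aaa_verdict)  # no choice left
        ctx[s_nssai] = result
        return result


def mobility_scenario(use_designated: bool) -> dict:
    """AMF-1 (NSSAA) -> MME (4G, no NSSAA) -> AMF-3 (NSSAA) -> AMF-4 (NSSAA)."""
    dne = DesignatedNetworkElement() if use_designated else None
    amf1 = AccessManagementNode("AMF-1", True, dne)
    mme = AccessManagementNode("MME", False, dne)
    amf3 = AccessManagementNode("AMF-3", True, dne)
    amf4 = AccessManagementNode("AMF-4", True, dne)
    gpsi, slice_a = "gpsi-example-1", "S-NSSAI-A"   # constructed identifiers
    r1 = amf1.register(gpsi, slice_a, None, EAP_SUCCESS)    # first 5G registration
    mme.register(gpsi, slice_a, amf1, EAP_SUCCESS)          # 5G -> 4G, result lost
    r3 = amf3.register(gpsi, slice_a, mme, EAP_SUCCESS)     # 4G -> 5G again
    r4 = amf4.register(gpsi, slice_a, amf3, EAP_SUCCESS)    # NSSAA AMF -> NSSAA AMF
    return {"results": (r1, r3, r4),
            "full_runs": amf1.full_runs + amf3.full_runs + amf4.full_runs}
```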
The technical solutions of the embodiments of the present application may be applied to various communication systems, for example a fifth generation (5G) communication system, a sixth generation (6G) communication system, other future evolved systems, or other wireless communication systems using radio access technologies. As long as a communication system has a network slice authentication requirement, the technical solutions of the embodiments of the present application can be used.
FIG. 2 shows the network architecture of a communication system to which an embodiment of the present application is applicable. The communication system includes a terminal device, an access node, an access management network element, a data management network element, a slice authentication network element and an AAA server, among others; the terminal device accesses the wireless network through the access node at its current location. It should be noted that FIG. 2 shows only one instance of each network element by way of example; in practical applications there may be multiple instances of any network element in the communication system.
The access management network element is used for device registration, security authentication, mobility management, location management and the like of the terminal device.
The data management network element is used to manage the subscription data of the terminal device.
The slice authentication network element is used to forward, between the terminal device and the AAA server, the messages relating to slice authentication, slice re-authentication, withdrawal of authentication results and the like.
The AAA server is used to perform EAP authentication for network slices.
A terminal device, which may also be called a terminal, includes a device that provides voice and/or data connectivity to a user, for example a handheld device with a wireless connection function or a processing device connected to a wireless modem. The terminal device can communicate with a core network via a radio access network (RAN) and exchange voice and/or data with the RAN. The terminal device may include user equipment (UE), a wireless terminal device, a mobile terminal device, a device-to-device (D2D) terminal device, a V2X terminal device, a machine-to-machine/machine-type communications (M2M/MTC) terminal device, an internet of things (IoT) terminal device, a subscriber unit, a subscriber station, a mobile station, a remote station, an access point (AP), a remote terminal, an access terminal, a user terminal, a user agent, a user device, or the like. For example, it may include a mobile telephone (also called a "cellular" telephone), a computer with a mobile terminal device, or a portable, pocket-sized, handheld or computer-embedded mobile apparatus, such as a personal communication service (PCS) telephone, a cordless telephone, a session initiation protocol (SIP) telephone, a wireless local loop (WLL) station or a personal digital assistant (PDA). It also includes constrained devices, for example devices with low power consumption, limited storage capability or limited computing capability, such as information sensing devices including barcodes, radio frequency identification (RFID), sensors, global positioning system (GPS) devices and laser scanners.
By way of example and not limitation, in the embodiments of the present application the terminal device may also be a wearable device. A wearable device, also called a wearable smart device or smart wearable device, is a general term for devices that can be worn and that are developed by applying wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not merely a hardware device; it also provides powerful functions through software support, data interaction and cloud interaction. Broadly, wearable smart devices include full-featured, larger devices that can provide complete or partial functions without relying on a smartphone, such as smart watches or smart glasses, and devices that focus on only one type of application function and need to be used together with other devices such as a smartphone, such as smart bracelets, smart helmets and smart jewelry for monitoring vital signs.
Any of the terminal devices described above, if located on a vehicle (for example placed or installed in the vehicle), may be regarded as a vehicle-mounted terminal device; a vehicle-mounted terminal device is also called, for example, an on-board unit (OBU).
An access node includes, for example, an access network (AN) device or a radio access network (RAN) device. An access network device, for example a base station (for example, an access point), may be a device in the access network that communicates over the air interface with wireless terminal devices through one or more cells. The base station may be used to convert received air-interface frames to and from Internet Protocol (IP) packets, acting as a router between the terminal device and the rest of the access network, which may include an IP network. The network device may also coordinate attribute management of the air interface. For example, the network device may include an evolved NodeB (NodeB, eNB or e-NodeB) in a long term evolution (LTE) or long term evolution-advanced (LTE-A) system; a next generation node B (gNB) or next generation evolved NodeB (ng-eNB) in a fifth generation (5G) new radio (NR) system; an en-gNB (enhanced next generation node B); a centralized unit (CU) and distributed unit (DU) in a cloud radio access network (Cloud RAN) system; or a relay device. This is not limited in the embodiments of the present application.
It should be understood that the network architecture shown in FIG. 2 can be applied to an actual mobile communication network. For example, when applied to a 5G mobile communication network, the access management node may be the Access and Mobility Management Function (AMF) of the 5G network, the data management function may be the Unified Data Management (UDM) function of the 5G network, the slice authentication function may be the Network Slice-Specific Authentication and Authorization Function (NSSAAF) of the 5G network, and the AAA server may be the AAA server (AAA-S) of the 5G network.
To make the objectives, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the embodiments are described in further detail below with reference to the accompanying drawings.
In the embodiments of the present application the terms "network slice" and "slice" refer to the same thing; either term is used in different places, and the two are interchangeable.
Each network element in the embodiments of the present application may be a physical concept, for example a single physical device or node, or at least two network elements may be integrated on the same physical device or node; alternatively, a network element described herein may be a logical concept, for example a software module, or a network function corresponding to the service provided by the network element. A network function may be understood as a virtualized function under a virtualized implementation, or as a network function that provides a service in a service-based network, for example a network function dedicated to allocating PDU session resources for the user plane, or a network function dedicated to performing EAP authentication of network slices. This is not specifically limited in the embodiments of the present application.
The term "network element" in the embodiments of the present application may also be replaced with other terms, for example "function" or "node". For example, "access management network element" may be replaced with "access management node", "data management network element" with "data management function", and "slice authentication network element" with "slice authentication function".
The terms "system" and "network" in the embodiments of the present application may be used interchangeably. "At least one" means one or more, and "a plurality of" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may indicate: A alone, both A and B, or B alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the associated objects. "At least one of the following items" or a similar expression refers to any combination of these items, including any combination of a single item or a plurality of items; for example, at least one of a, b or c may indicate: a, or b, or c, or a and b, or b and c, or a and c, or a and b and c.
Unless stated otherwise, ordinal terms such as "first" and "second" in the embodiments of the present application are used to distinguish a plurality of objects and do not limit the order, timing, priority or importance of those objects. For example, a first priority criterion and a second priority criterion are merely different criteria; the terms do not indicate a difference in the content, priority or importance of the two criteria.
The terms "include" and "have" in the embodiments, claims and drawings of the present application are not exclusive. For example, a process, method, system, product or device that includes a series of steps or modules is not limited to the listed steps or modules and may also include steps or modules that are not listed.
FIG. 3 is a flowchart of a slice authentication method provided by an embodiment of this application; the method may be applied to the communication system shown in FIG. 2. The method includes:
S301. After the terminal device moves from a second access management network element that does not support the network slice authentication function to a third access management network element that supports the network slice authentication function, the third access management network element sends a first request message to the first network element, the first request message including identification information of the first slice; the first network element receives the first request message from the third access management network element.
The first request message is used to request the authentication result corresponding to the first slice, the first slice being a slice that requires authentication.
The third access management network element determines that the second access management network element does not support the network slice authentication function in any of the following three cases:
Case 1. After the terminal device moves from the second access management network element to the third access management network element, the third access management network element learns that the second access management network element is a mobility management entity (MME) of a 4G network, and therefore determines that the second access management network element does not support the network slice authentication function.
Case 2. After the terminal device moves from the second access management network element to the third access management network element, the third access management network element obtains the user context of the terminal device from the second access management network element; if the user context does not contain the authentication result corresponding to the first slice, the third access management network element determines that the second access management network element does not support the network slice authentication function.
Case 3. After the terminal device moves from the second access management network element to the third access management network element, the third access management network element obtains from the second access management network element the list of features that the second access management network element supports, and determines from that list that the second access management network element does not support the network slice authentication function. For example, the feature list contains the features supported by the second access management network element; if the network slice authentication function is not among them, the third access management network element determines that the second access management network element does not support the network slice authentication function.
S302. The first network element returns a first response message to the third access management network element, the first response message including the authentication result corresponding to the first slice; the third access management network element receives the first response message returned by the first network element.
In the embodiments of this application, the authentication result corresponding to the first slice is stored on a designated network element in the communication system; the authentication result is either authentication success or authentication failure. The authentication result stored on the designated network element was saved there before the terminal device moved from the second access management network element to the third access management network element, after the authentication corresponding to the first slice had been completed.
For example, before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element, where the first access management network element and the third access management network element are the same or different. While the terminal device is within the service area of the first access management network element, if the communication system performs the network slice authentication procedure for the first slice, then after the authentication corresponding to the first slice is completed, the authentication result corresponding to the first slice is saved to the designated network element. For the method by which the communication system performs the network slice authentication procedure for the first slice, refer to FIG. 1; it is not described in detail here.
As another example, before the terminal device moves from the second access management network element to the third access management network element, the terminal device first moves from a first access management network element that supports the network slice authentication function to a fourth access management network element that does not support it, and then from the fourth access management network element to the second access management network element, which also does not support it, where the first access management network element and the third access management network element are the same or different. While the terminal device is within the service area of the first access management network element, the communication system performs the network slice authentication procedure for the first slice, and after the authentication corresponding to the first slice is completed, saves the authentication result corresponding to the first slice to the designated network element.
Of course, before the terminal device moves from the second access management network element to the third access management network element, it may pass through further access management network element handovers; no limitation is imposed here. As long as the communication system performed the network slice authentication procedure for the first slice while the terminal device was within the service area of any access management network element before it moved from the second access management network element to the third access management network element, the communication system can save the authentication result corresponding to the first slice to the designated network element. For ease of description, the following embodiments mainly take as an example the process in which the terminal device first moves from a first access management network element that supports the network slice authentication function to a second access management network element that does not, and then from the second access management network element to a third access management network element that supports the network slice authentication function.
In the embodiments of this application, the slice authentication network elements connected to the first access management network element and to the third access management network element may be the same or different, depending on the actual deployment of the network architecture. For example, the first access management network element is connected to a first slice authentication network element, the second access management network element is connected to a second slice authentication network element, and the first slice authentication network element and the second slice authentication network element are different. As another example, the first access management network element is connected to a first slice authentication network element, the second access management network element is connected to a second slice authentication network element, and the first slice authentication network element and the second slice authentication network element are the same (that is, both the first access management network element and the second access management network element are connected to the first slice authentication network element).
In one possible design, the designated network element is the first network element. In other words, the first network element stores the authentication result corresponding to the first slice; after receiving the first request message, the first network element reads the authentication result corresponding to the first slice from its own storage unit, generates the first response message, and returns it to the third access management network element.
For example, the first network element is specifically a data management network element. Before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element; while the terminal device is within the service area of the first access management network element, after the authentication corresponding to the first slice is completed, the first access management network element, or the first slice authentication network element connected to it, stores the authentication result corresponding to the first slice in the data management network element.
Alternatively, for example, the first network element is specifically the first slice authentication network element. Before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element; while the terminal device is within the service area of the first access management network element, after the authentication corresponding to the first slice is completed, the first slice authentication network element connected to the first access management network element stores the authentication result corresponding to the first slice.
In another possible design, the designated network element is a second network element that is different from the first network element. In other words, the first network element does not store the authentication result corresponding to the first slice, but it can obtain that result from the second network element, which does store it. After receiving the first request message, the first network element obtains the authentication result corresponding to the first slice from the second network element, then generates the first response message and returns it to the third access management network element.
For example, the first network element is specifically the second slice authentication network element, and the second network element is specifically the data management network element. Before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from the first access management network element that supports the network slice authentication function to the second access management network element; while the terminal device is within the service area of the first access management network element, after the authentication corresponding to the first slice is completed, the first access management network element or the first slice authentication network element stores the authentication result corresponding to the first slice in the data management network element. After the terminal device moves from the second access management network element to the third access management network element, the third access management network element sends the first request message to the second slice authentication network element; on receiving it, the second slice authentication network element first obtains the authentication result corresponding to the first slice from the data management network element (for example, the second slice authentication network element sends the identification information of the first slice to the data management network element, and the data management network element returns the authentication result corresponding to the first slice to the second slice authentication network element according to that identification information); the second slice authentication network element then sends the authentication result corresponding to the first slice (the first response message) to the third access management network element.
Alternatively, for example, the first network element is specifically the second slice authentication network element, and the second network element is specifically the first slice authentication network element. Before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from the first access management network element that supports the network slice authentication function to the second access management network element; while the terminal device is within the service area of the first access management network element, after the authentication corresponding to the first slice is completed, the first slice authentication network element connected to the first access management network element saves the authentication result corresponding to the first slice and registers the identifier of the first slice authentication network element with the data management network element, so that other network elements can later query where the authentication result corresponding to the first slice is stored. After the terminal device moves from the second access management network element to the third access management network element, the third access management network element sends the first request message to the second slice authentication network element; on receiving it, the second slice authentication network element first sends a request message to the data management network element (containing the identification information of the first slice and used to query the storage location of the authentication result corresponding to the first slice); on receiving that request message, the data management network element returns the identifier of the first slice authentication network element (that is, the storage location of the authentication result corresponding to the first slice) to the second slice authentication network element; from the received identifier, the second slice authentication network element determines that the authentication result corresponding to the first slice is stored in the first slice authentication network element and sends the identification information of the first slice to the first slice authentication network element; the first slice authentication network element returns the authentication result corresponding to the first slice to the second slice authentication network element, and the second slice authentication network element, after receiving it, returns the authentication result corresponding to the first slice to the third access management network element (the first response message).
Of course, the above are merely examples, not limitations, of the storage location of the authentication result and of the specific implementation of the first network element; in practical applications, other implementations of the storage location and of the first network element are not excluded.
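The following is an added model of steps S301 and S302, not code from the patent: the third access management network element applies the three cases to decide that the previous access management network element lacks the network slice authentication function, then sends the first request message to the first network element (a slice authentication network element here), which answers from its own store, from the data management network element, or from the slice authentication network element registered there as the storage location. All class, function, and identifier names are assumptions made for this illustration.

```python
"""Added example, not code from the patent: a model of steps S301 and S302.
All names (amf3_on_mobility, SliceAuthNE, DataManagementNE, ...) are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SUCCESS, FAILURE = "success", "failure"
NSSAA = "network-slice-authentication"          # feature-list entry name (assumed)
Key = Tuple[str, str]                            # (terminal id, slice id)


@dataclass
class UserContext:
    """User context obtained from the previous access management NE (constructed)."""
    prev_ne_type: str                            # "MME" (4G) or "AMF" (5G)
    supported_features: Set[str] = field(default_factory=set)
    slice_auth_results: Dict[str, str] = field(default_factory=dict)


def prev_ne_lacks_slice_auth(ctx: UserContext, slice_id: str) -> Optional[str]:
    """Return which of the page's three cases shows the previous NE lacks the
    function, or None when it is supported and the result travelled in the context."""
    if ctx.prev_ne_type == "MME":                # case 1: previous node is a 4G MME
        return "case1"
    if slice_id not in ctx.slice_auth_results:   # case 2: no result in the user context
        return "case2"
    if NSSAA not in ctx.supported_features:      # case 3: feature list lacks the function
        return "case3"
    return None


class DataManagementNE:
    """Designated store for results, or for the identity of the NE holding them."""
    def __init__(self) -> None:
        self.results: Dict[Key, str] = {}
        self.locations: Dict[Key, "SliceAuthNE"] = {}


class SliceAuthNE:
    """Slice authentication NE; may hold results itself or rely on the data management NE."""
    def __init__(self, name: str, dm: DataManagementNE) -> None:
        self.name, self.dm = name, dm
        self.local: Dict[Key, str] = {}

    def store_result(self, key: Key, result: str, in_data_mgmt: bool) -> None:
        """Save a completed authentication result, either in the data management NE
        or locally with the storage location registered in the data management NE."""
        if in_data_mgmt:
            self.dm.results[key] = result
        else:
            self.local[key] = result
            self.dm.locations[key] = self

    def handle_first_request(self, key: Key) -> Optional[str]:
        """First request message handler: produce the first response message content."""
        if key in self.local:                    # design 1: this NE is the designated NE
            return self.local[key]
        if key in self.dm.results:               # design 2a: fetch from data management NE
            return self.dm.results[key]
        holder = self.dm.locations.get(key)      # design 2b: look up the storage location
        return holder.local.get(key) if holder else None


def amf3_on_mobility(ctx: UserContext, key: Key,
                     first_ne: SliceAuthNE) -> Tuple[Optional[str], Optional[str]]:
    """S301/S302 from the third access management NE's side. Returns (case, result);
    case None means the result came with the context and no request was needed."""
    case = prev_ne_lacks_slice_auth(ctx, key[1])
    if case is None:
        return None, ctx.slice_auth_results[key[1]]
    return case, first_ne.handle_first_request(key)   # None -> no stored result


def scenario(store_in_dm: bool, prev_ne_type: str = "MME") -> Tuple[Optional[str], Optional[str]]:
    """Constructed run: authentication completed while served by the first access
    management NE (via nssaaf1), the UE moves to a non-supporting NE, then to the
    third access management NE, which asks nssaaf2 (the first network element)."""
    dm = DataManagementNE()
    nssaaf1, nssaaf2 = SliceAuthNE("nssaaf1", dm), SliceAuthNE("nssaaf2", dm)
    key = ("ue-1", "slice-A")                    # constructed identifiers
    nssaaf1.store_result(key, SUCCESS, in_data_mgmt=store_in_dm)
    ctx = UserContext(prev_ne_type=prev_ne_type)  # non-supporting NE: no result, no feature
    return amf3_on_mobility(ctx, key, nssaaf2)


if __name__ == "__main__":
    print(scenario(store_in_dm=True))                        # ('case1', 'success')
    print(scenario(store_in_dm=False, prev_ne_type="AMF"))   # ('case2', 'success')
```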
Optionally, after the first access management network element or the first slice authentication network element has stored the authentication result corresponding to the first slice in the designated network element, the AAA server may trigger a revocation procedure or a re-authentication procedure for the authentication result corresponding to the first slice.
The AAA server triggering the revocation procedure or the re-authentication procedure for the authentication result corresponding to the first slice includes, but is not limited to, the following four cases:
Case 1. When the authentication result corresponding to the first slice is stored in the data management network element and the terminal device is within the service area of the second access management network element, the AAA server may trigger a revocation procedure or a re-authentication procedure for the authentication result corresponding to the first slice. Because the second access management network element does not support the slice authentication function and the slice's authentication result is stored in the designated network element, a slice authentication network element can notify the designated network element to perform the authentication result revocation or the re-authentication.
1) The AAA server triggers the revocation procedure for the authentication result corresponding to the first slice:
Specifically, when the authentication result is authentication success, the AAA server may send an authentication revocation message to the first slice authentication network element or the second slice authentication network element; according to the authentication revocation message, the first or second slice authentication network element modifies the authentication result corresponding to the first slice stored in the data management network element to authentication failure. A specific way for the first or second slice authentication network element to do so may be: the first or second slice authentication network element sends a first message to the data management network element (containing the identifier of the first slice and used to notify the data management network element to modify the authentication result corresponding to the first slice to authentication failure), and the data management network element, according to the first message, modifies the authentication result corresponding to the first slice that it stores to authentication failure.
Optionally, the data management network element may specifically modify the authentication result corresponding to the first slice to EAP failure.
Of course, if other slice authentication network elements exist in the system, another slice authentication network element may perform the above authentication result revocation process in place of the first or second slice authentication network element.
2) The AAA server triggers the re-authentication procedure for the first slice:
Specifically, when the authentication result is authentication success or authentication failure, the AAA server sends a re-authentication message to the first slice authentication network element or the second slice authentication network element; according to the re-authentication message, the first or second slice authentication network element deletes the authentication result corresponding to the first slice stored in the data management network element. Further, a specific way for the first or second slice authentication network element to do so may be: the first or second slice authentication network element sends a second message to the data management network element (containing the identifier of the first slice and used to notify the data management network element to delete the authentication result corresponding to the first slice), and the data management network element, according to the second message, deletes the authentication result corresponding to the first slice that it stores.
Of course, if other slice authentication network elements exist in the system, another slice authentication network element may perform the above re-authentication process in place of the first or second slice authentication network element.
After the authentication result corresponding to the first slice stored in the data management network element has been deleted, the third access management network element finds that the data management network element holds no authentication result for the first slice, which triggers the third access management network element to perform the re-authentication procedure for the first slice.
Optionally, if the authentication result corresponding to the first slice is stored specifically in the subscription data of the terminal device (the subscription data of the terminal device being stored on the data management network element), the first message and the second message above may specifically be subscription data update request messages.
Case 2. When the authentication result corresponding to the first slice is stored in the first slice authentication network element and the terminal device is within the service area of the second access management network element, the AAA server may trigger a revocation procedure or a re-authentication procedure for the authentication result corresponding to the first slice. Because the second access management network element does not support the slice authentication function and the slice's authentication result is stored in the first slice authentication network element, a slice authentication network element can notify the first slice authentication network element to perform the authentication result revocation or the re-authentication.
1) The AAA server triggers the revocation procedure for the authentication result corresponding to the first slice:
Specifically, when the authentication result is authentication success, the AAA server sends an authentication revocation message to the first slice authentication network element, and the first slice authentication network element, according to the authentication revocation message, modifies the authentication result corresponding to the first slice that it stores to authentication failure; or, the AAA server sends an authentication revocation message to the second slice authentication network element, the second slice authentication network element, according to the authentication revocation message, sends a third message to the first slice authentication network element (containing the identifier of the first slice and used to notify the first slice authentication network element to modify the authentication result corresponding to the first slice to authentication failure), and the first slice authentication network element, according to the third message, modifies the authentication result corresponding to the first slice that it stores to authentication failure. Optionally, the first slice authentication network element may specifically modify the authentication result corresponding to the first slice to EAP failure.
2) The AAA server triggers the re-authentication procedure corresponding to the first slice:
Specifically, when the authentication result is authentication success or authentication failure, the AAA server sends a re-authentication message to the first slice authentication network element, and the first slice authentication network element, according to the re-authentication message, deletes the authentication result corresponding to the first slice that it stores; or, the AAA server sends a re-authentication message to the second slice authentication network element, the second slice authentication network element, according to the re-authentication message, sends a fourth message to the first slice authentication network element (containing the identifier of the first slice and used to notify the first slice authentication network element to delete the authentication result corresponding to the first slice), and the first slice authentication network element, according to the fourth message, deletes the authentication result corresponding to the first slice that it stores.
Case 3. When the authentication result corresponding to the first slice is stored in the data management network element and the terminal device is within the service area of the first access management network element, the AAA server may trigger a revocation procedure or a re-authentication procedure for the authentication result corresponding to the first slice. Because the first access management network element supports the slice authentication function and the slice's authentication result is stored in both the first access management network element and the designated network element, a slice authentication network element can notify the first access management network element to perform the authentication result revocation or the re-authentication.
1) The AAA server triggers the revocation procedure for the authentication result corresponding to the first slice:
Specifically, when the authentication result is authentication success, the AAA server sends an authentication revocation message (containing the identifier of the first slice) to the first slice authentication network element or the second slice authentication network element; on receiving it, the first or second slice authentication network element sends an authentication revocation message (containing the identifier of the first slice) to the first access management network element; after obtaining the authentication revocation message, the first access management network element sends a fifth message (containing the identifier of the first slice and used to notify the data management network element to modify the authentication result corresponding to the first slice to authentication failure) to the data management network element; on receiving the fifth message, the data management network element modifies the authentication result corresponding to the first slice that it stores to authentication failure.
2) The AAA server triggers the re-authentication procedure corresponding to the first slice:
Specifically, when the authentication result is authentication success or authentication failure, the AAA server sends a re-authentication message (containing the identifier of the first slice) to the first slice authentication network element or the second slice authentication network element; on receiving the re-authentication message, the first or second slice authentication network element sends a re-authentication message (containing the identifier of the first slice) to the first access management network element; after obtaining the re-authentication message, the first access management network element sends a sixth message (containing the identifier of the first slice and used to notify the data management network element to delete the authentication result corresponding to the first slice) to the data management network element; on receiving the sixth message, the data management network element deletes the authentication result corresponding to the first slice that it stores.
当然,在这种情况下,也可以通过切片鉴权网元来执行鉴权结果撤回或重鉴权,具体方式可参考上述情况1,这里不再赘述。Of course, in this case, the authentication result revocation or re-authentication may also be performed through the slice authentication network element, and the specific method may refer to the above-mentioned case 1, which will not be repeated here.
可选的,如果第一切片对应的鉴权结果具体是储存在终端设备的签约数据中(终端设备的签约数据储存数据管理网元),则上述第五消息、第六消息具体可以是签约数据更新请求消息。Optionally, if the authentication result corresponding to the first slice is specifically stored in the subscription data of the terminal device (the subscription data of the terminal device is stored in the data management network element), then the fifth message and the sixth message may specifically be the subscription data. Data update request message.
情况4,当第一切片对应的鉴权结果存储在第一切片鉴权网元的情况下,终端设备处于第一接入管理网元的服务范围时,AAA服务器可以触发针对第一切片对应的鉴权结果的撤回流程或者重鉴权流程。由于第一接入管理网元支持切片鉴权功能,切片的鉴权结果存储在第一接入管理网元,所以可以通过切片鉴权网元通知第一接入管理网元来执行鉴权结果撤回或重鉴权。In case 4, when the authentication result corresponding to the first slice is stored in the authentication network element of the first slice, and the terminal device is in the service range of the first access management network element, the AAA server can trigger the The withdrawal process or the re-authentication process of the authentication result corresponding to the slice. Since the first access management network element supports the slice authentication function, and the authentication result of the slice is stored in the first access management network element, the slice authentication network element can notify the first access management network element to execute the authentication result. Withdraw or re-authenticate.
1)AAA服务器触发针对第一切片对应的鉴权结果的撤回流程:1) The AAA server triggers the withdrawal process for the authentication result corresponding to the first slice:
具体的,当鉴权结果是鉴权成功时,首先AAA服务器向第一切片鉴权网元或第二切片鉴权网元发送鉴权撤回消息;然后第一切片鉴权网元或第二切片鉴权网元向第一接入管理网元发送鉴权撤回消息;第一接入管理网元获得鉴权撤回消息后,发送第七消息(包含第一切片的标识,用于通知第一切片鉴权网元将第一切片对应的鉴权结果修改为鉴权失败)给第一切片鉴权网元;第一切片鉴权网元收到第七消息后,将自身储存的第一切片对应的鉴权结果修改为鉴权失败。Specifically, when the authentication result is that the authentication is successful, first, the AAA server sends an authentication revocation message to the first slice authentication network element or the second slice authentication network element; then the first slice authentication network element or the third slice authentication network element sends an authentication revocation message; The two-slice authentication network element sends an authentication revocation message to the first access management network element; after the first access management network element obtains the authentication revocation message, it sends a seventh message (including the identifier of the first slice to notify the The first slice authentication network element modifies the authentication result corresponding to the first slice as authentication failure) to the first slice authentication network element; after receiving the seventh message, the first slice authentication network element sends the The authentication result corresponding to the first slice stored by itself is modified as authentication failure.
2)AAA服务器触发针对第一切片对应的重鉴权流程:2) The AAA server triggers the re-authentication process corresponding to the first slice:
具体的,当鉴权结果是鉴权成功或鉴权失败时,首先AAA服务器向第一切片鉴权网元或第二切片鉴权网元发送重鉴权消息;然后第一切片鉴权网元或第二切片鉴权网元向第一接入管理网元发送重鉴权消息;第一接入管理网元获得重鉴权消息后,发送第八消息(包含第一切片的标识,用于通知第一切片鉴权网元将第一切片对应的鉴权结果删除)给第一切片鉴权网元;第一切片鉴权网元收到第八消息后,重鉴权自身储存的第一切片对应的鉴权结果。Specifically, when the authentication result is that the authentication succeeds or the authentication fails, the AAA server first sends a re-authentication message to the first slice authentication network element or the second slice authentication network element; then the first slice authentication The network element or the second slice authentication network element sends a re-authentication message to the first access management network element; after the first access management network element obtains the re-authentication message, it sends an eighth message (containing the identifier of the first slice). is used to notify the first slice authentication network element to delete the authentication result corresponding to the first slice) to the first slice authentication network element; after receiving the eighth message, the first slice authentication network element re- The authentication result corresponding to the first slice stored by the authentication itself.
当然,在这种情况下,也可以通过切片鉴权网元来执行鉴权结果撤回或重鉴权,具体方式可参考上述情况2,这里不再赘述。Of course, in this case, the authentication result revocation or re-authentication may also be performed by using the slice authentication network element, and the specific method may refer to the above-mentioned case 2, which will not be repeated here.
通过上述可知,本申请实施例中,当终端设备从不支持网络切片鉴权功能的第二接入管理网元的服务范围移动至支持网络切片鉴权功能的第三接入管理网元的服务范围后,第三接入管理网元可以从指定网元(如第一切片鉴权网元、数据管理网元等)获取需要鉴权 的网络切片(如第一切片)的鉴权结果,无需重新执行网络切片鉴权流程,可以有效节省系统信令开销。同时终端设备也不再需要等待第三接入管理网元执行完网络切片鉴权流程后才能建立到特定网络切片的会话,加速了业务建立的过程,降低了终端设备的业务时延。It can be seen from the above that in this embodiment of the present application, when the terminal device moves from the service scope of the second access management network element that does not support the network slice authentication function to the service scope of the third access management network element that supports the network slice authentication function After the range, the third access management network element can obtain the authentication result of the network slice (such as the first slice) that needs to be authenticated from the specified network element (such as the first slice authentication network element, data management network element, etc.) , there is no need to re-execute the network slice authentication process, which can effectively save the system signaling overhead. At the same time, the terminal device no longer needs to wait for the third access management network element to complete the network slice authentication process before establishing a session to a specific network slice, which speeds up the process of service establishment and reduces the service delay of the terminal device.
应理解,上述各实施方式可以相互结合以实现不同的技术效果。It should be understood that the above embodiments can be combined with each other to achieve different technical effects.
为了便于更清楚地理解本申请实施例所提供的技术方案,下面介绍几个更加具体的实施方案。In order to facilitate a clearer understanding of the technical solutions provided by the embodiments of the present application, several more specific implementations are introduced below.
实施例一Example 1
This embodiment mainly describes the following: the authentication result of the network slice is stored on the data management network element; the first access management network element stores the authentication result on the data management network element during the network slice authentication procedure; and the third access management network element obtains the authentication result from the data management network element. Optionally, in the re-authentication or authentication result revocation procedure triggered by the AAA server, when the terminal device is within the service range of the second access management network element, the second slice authentication network element learns from the access management network element registration information obtained from the data management network element that the second access management network element does not support the network slice authentication function, and directly modifies the authentication result on the data management network element; or, when the terminal device is within the service range of the first access management network element, the second slice authentication network element learns from the access management network element registration information obtained from the data management network element that the first access management network element supports the network slice authentication function, and the second slice authentication network element notifies the first access management network element, which then modifies the authentication result on the data management network element.
As shown in FIG. 4, a specific slice authentication method provided in this embodiment may be applied to the network architecture shown in FIG. 2, and the method includes:
S401: The first access management network element triggers the network slice authentication procedure.
Specifically, the terminal device accesses the first access management network element, and the first access management network element obtains the subscription data of the terminal device from the data management network element. When the first access management network element learns, from the slice identifier S-NSSAI contained in the subscription data and its network slice authentication indication information, that the network slice identified by the S-NSSAI (equivalent to the first slice above) requires network slice authentication, the first access management network element triggers the network slice authentication procedure; the specific procedure is the same as that in FIG. 1. The first access management network element corresponds to the access management node in FIG. 1, and the first slice authentication network element corresponds to the slice authentication function in FIG. 1.
After the first access management network element learns the authentication result of the network slice (that is, after S1012 shown in FIG. 1 has been performed), it continues with the following steps:
S402: The first access management network element sends a request message to the data management network element; the request message contains the slice identifier S-NSSAI and its authentication result (that is, the authentication result corresponding to the network slice identified by the S-NSSAI). After receiving the message, the data management network element updates the subscription data and stores the authentication result in the data corresponding to the slice identifier S-NSSAI in the subscription data. It should be noted that, if the slice identifier S-NSSAI does not exist in the subscription data of the terminal device, the data management network element may leave the subscription data unchanged.
S403: The data management network element replies with a response message to the first access management network element, indicating whether the subscription data update succeeded or failed.
It should be noted that the terminal device may subscribe to multiple slice identifiers S-NSSAI that require network slice authentication (that is, multiple different first slices); the first access management network element may then make multiple requests, each request storing one or more slice identifiers S-NSSAI and the authentication result corresponding to the slice identified by each S-NSSAI.
S401 to S403 above describe the process in which the first access management network element stores the authentication result in the data management network element. The following describes the process in which, after the terminal device moves, the new access management network element (that is, the third access management network element) obtains the authentication result from the data management network element.
Scenario 1: The terminal device moves from the 5G network to the 4G network and is served by the second access management network element of the 4G network; subsequently the terminal device moves back to the 5G network and is served by the third access management network element of the 5G network, where the third access management network element and the first access management network element may be the same or different. In the 4G network, the access management network element may specifically be a mobility management entity (Mobility Management Entity, MME).
Scenario 2: The terminal device moves within the 5G network, from the first access management network element, which supports the network slice authentication function, to the second access management network element, which does not support the network slice authentication function, and later to the third access management network element, which supports the network slice authentication function, where the third access management network element and the first access management network element may be the same or different. In the 5G network, the access management network element may specifically be an access and mobility management function (Access & Mobility Function, AMF).
When the movement of the terminal device follows either of the above scenarios, after the terminal device moves from the first access management network element to the second access management network element, the second access management network element obtains the user context of the terminal device from the first access management network element. Because the second access management network element is a node of the 4G network, or because it does not support the network slice authentication function, the user context sent by the first access management network element does not contain the slice identifier S-NSSAI and its authentication result. Alternatively, the user context sent by the first access management network element contains the slice identifier S-NSSAI and its authentication result, but the second access management network element discards them directly because it does not recognize them. After the first access management network element sends the user context to the second access management network element, it deletes the locally stored user context.
Subsequently, when the terminal device moves from the second access management network element to the third access management network element, the procedure is similar: the third access management network element obtains the user context of the terminal device from the second access management network element. The user context does not contain the slice identifier S-NSSAI or its authentication result.
Continuing with FIG. 4, during the movement of the terminal device from the second access management network element to the third access management network element, the terminal device triggers a registration update procedure:
S404: In the registration procedure, the terminal device sends a registration update request message to the third access management network element.
S405: In the registration procedure, the third access management network element sends a subscription data request message (the first request message) to obtain the subscription data of the terminal device from the data management node.
S406: The data management node sends a subscription data response message (the first response message) to the third access management network element; the subscription data contains the authentication result.
Optionally, the subscription data also contains the slice identifier S-NSSAI.
Optionally, the subscription data may further contain multiple slice identifiers S-NSSAI (that is, multiple first slices) and their authentication results.
After obtaining the slice identifier S-NSSAI and its authentication result, the third access management network element allows or does not allow the terminal device to establish a session to the network slice according to the authentication result, without performing the network slice authentication procedure again.
Alternatively, in the procedure S401 to S403 above, the slice authentication network element may instead store the authentication result of the network slice in the subscription data of the terminal device. The specific difference is that S401 to S403 above are replaced, in order, by the following steps 1) to 3):
1) The terminal device accesses the first access management network element, and the first access management network element obtains the subscription data of the terminal device from the data management network element. When the first access management network element learns, from the slice identifier S-NSSAI contained in the subscription data and its network slice authentication indication information, that the network slice identified by the S-NSSAI (equivalent to the first slice above) requires network slice authentication, the first access management network element triggers the network slice authentication procedure; the specific procedure is the same as that in FIG. 1. The first access management network element corresponds to the access management node in FIG. 1, and the first slice authentication network element corresponds to the slice authentication function in FIG. 1.
After the first slice authentication network element learns the authentication result of the network slice (that is, after S1011 shown in FIG. 1 has been performed), it continues with the following steps:
2) The first slice authentication network element sends a request message to the data management network element; the message contains the slice identifier S-NSSAI and its authentication result. After receiving the message, the data management network element updates the subscription data and stores the authentication result in the data corresponding to the slice identifier S-NSSAI in the subscription data. If the slice identifier S-NSSAI does not exist in the subscription data of the terminal device, the data management network element does not update the subscription data.
3) The data management network element replies with a response message to the first slice authentication network element, indicating whether the subscription data update succeeded or failed.
Likewise, the terminal device may subscribe to multiple slice identifiers S-NSSAI that require network slice authentication; the first slice authentication network element may make multiple requests, each request storing one or more slice identifiers S-NSSAI and their corresponding authentication results.
After the first access management network element or the first slice authentication network element stores the authentication result in the subscription data, the AAA server may also trigger an authentication result revocation or re-authentication procedure.
The following describes how the AAA server triggers the authentication result revocation or re-authentication procedure.
如图5所示,为本申请实施例提供的一种鉴权结果撤回方法的流程图,该方法可以应用于图2所示的网络架构,具体可以在终端设备在第一接入管理网元或者第二接入管理网元接入时执行。方法包括:As shown in FIG. 5 , a flowchart of a method for withdrawing an authentication result provided in an embodiment of the present application can be applied to the network architecture shown in FIG. 2 . Or it is executed when the second access management network element is accessed. Methods include:
S501:AAA服务器向第二切片鉴权网元发送AAA协议消息,用于触发鉴权结果撤回或重鉴权流程。S501: The AAA server sends an AAA protocol message to the second slice authentication network element, which is used to trigger an authentication result withdrawal or re-authentication process.
具体的,AAA服务器上由于配置信息修改等,触发鉴权结果撤回(即图5所示的S501a),或者重鉴权流程(即图5所示的S501b)。其中鉴权结果撤回应用于鉴权结果为EAP成功的网络切片,将鉴权结果改为EAP失败;重鉴权流程用于通知接入管理网元触发网络切片鉴权流程,对网络切片重新进行EAP鉴权。AAA服务器发送对应的AAA协议消息给第二切片鉴权网元,第二切片鉴权网元可以和第一切片鉴权网元相同或者不同。Specifically, due to the modification of configuration information on the AAA server, the withdrawal of the authentication result (ie, S501a shown in FIG. 5 ), or the re-authentication process (ie, S501b shown in FIG. 5 ) is triggered. The authentication result revocation is used for the network slice whose authentication result is EAP success, and the authentication result is changed to EAP failure; EAP authentication. The AAA server sends a corresponding AAA protocol message to the second slice authentication network element, and the second slice authentication network element may be the same as or different from the first slice authentication network element.
S502:第二切片鉴权网元收到消息后,发送请求消息给数据管理网元,该请求消息用于查询服务终端设备的移动管理网元的注册信息;S502: After receiving the message, the second slice authentication network element sends a request message to the data management network element, where the request message is used to query the registration information of the mobility management network element serving the terminal device;
S503:数据管理网元回复响应消息给第二切片鉴权网元,该响应消息中包含移动管理网元注册信息,移动管理网元注册信息中包含接入管理网元标识。例如,接入管理网元标识为网络功能实例标识(Network function Instance Identity,NF Instance ID)。S503: The data management network element replies a response message to the second slice authentication network element, where the response message includes the mobility management network element registration information, and the mobility management network element registration information includes the access management network element identifier. For example, the access management network element identifier is a network function instance identifier (Network function Instance Identity, NF Instance ID).
移动管理网元注册信息的内容包括但不限于以下三种情况(Case):The content of the registration information of the mobility management network element includes but is not limited to the following three cases (Case):
Case1,移动管理网元注册信息中包括接入管理网元标识,针对终端设备当前在第一接入管理网元接入时,接入管理网元标识为第一接入管理网元的标识。Case 1, the mobility management network element registration information includes the access management network element identifier, and when the terminal device is currently accessing the first access management network element, the access management network element identifier is the identifier of the first access management network element.
Case2,移动管理网元注册信息中包括接入管理网元标识,针对终端设备从第一接入管理网元移动到第二接入管理网元时,即上述场景一的场景,第二接入管理网元在4G网络内,则接入管理网元标识为第一接入管理网元的标识;并且移动管理网元注册信息中还包含清除指示,清除指示用于指示第一接入管理网元已经分离。Case 2, the mobility management network element registration information includes the access management network element identifier. When the terminal device moves from the first access management network element to the second access management network element, that is, the scenario of the above scenario 1, the second access management network element If the management network element is in the 4G network, the access management network element identifier is the identifier of the first access management network element; and the registration information of the mobility management network element also includes a clear indication, and the clear indication is used to indicate the first access management network element. Elements have been separated.
Case3,移动管理网元注册信息中包括接入管理网元标识,针对终端设备从第一接入管理网元移动到第二接入管理网元时,上述场景二的场景,第二接入管理网元在5G网络内,则接入管理网元标识为第二接入管理网元的标识,并且移动管理网元注册信息中还包含第二接入管理网元支持的特性,指示第二接入管理网元不支持网络切片鉴权功能。Case 3, the registration information of the mobility management network element includes the access management network element identifier. When the terminal device moves from the first access management network element to the second access management network element, the above scenario of the second access management network element, the second access management network element If the network element is in the 5G network, the access management network element identifier is the identifier of the second access management network element, and the mobility management network element registration information also includes the features supported by the second access management network element, indicating the second access management network element. The inbound management NE does not support the network slice authentication function.
第二切片鉴权网元根据接收到的移动管理网元注册信息的具体内容执行不同的处理:The second slice authentication network element performs different processing according to the specific content of the received mobility management network element registration information:
A、如果移动管理网元注册信息中包含接入管理网元的标识,并且清除指示指示接入管理网元分离,或者支持的特性信息指示接入管理网元不支持网络切片鉴权功能,即上述case2或3,第二切片鉴权网元执行S504a和S505a。A. If the mobile management network element registration information contains the identity of the access management network element, and the clear indication indicates that the access management network element is separated, or the supported feature information indicates that the access management network element does not support the network slice authentication function, that is In the above case 2 or 3, the second slice authentication network element executes S504a and S505a.
S504a: The second slice authentication network element sends a subscription data update request message to the data management network element; the message includes the slice identifier S-NSSAI. Optionally, the message further includes the authentication result.
Specifically, the second slice authentication network element acts according to the AAA protocol message received in step S501. If the AAA server triggered the authentication result revocation procedure, the subscription data update request message is used to notify the data management network element to modify the authentication result: the message carries the authentication result, and the authentication result is EAP failure. If the AAA server triggered the re-authentication procedure, the subscription data update request message is used to notify the data management network element to delete the authentication result: the message may omit the authentication result, carry an empty authentication result, or carry the authentication result together with deletion indication information. Correspondingly, if the AAA server triggered the authentication result revocation procedure, the second slice authentication network element modifies the authentication result corresponding to the slice identifier S-NSSAI in the subscription data on the data management network element to EAP failure; if the AAA server triggered the re-authentication procedure, the second slice authentication network element deletes the authentication result corresponding to the slice identifier S-NSSAI in the subscription data on the data management network element.
S505a: The data management network element replies with a subscription data update response message to the second slice authentication network element, indicating whether the subscription data update succeeded or failed.
B. If the mobility management network element registration information includes the identifier of the access management network element, and the purge indication indicates that the access management network element has not been detached (or the mobility management network element registration information includes no purge indication), and the supported feature information indicates that the access management network element supports the network slice authentication function, that is, Case 1 above, the second slice authentication network element performs step S504b and the subsequent steps, or step S504c and the subsequent steps.
The authentication result revocation procedure and the re-authentication procedure are described separately below.
If the AAA server triggers the re-authentication procedure, the following is performed:
S504b: The second slice authentication network element sends a re-authentication notification message to the first access management network element; the message includes the user identifier and the slice identifier S-NSSAI.
S505b: The first access management network element replies with a re-authentication notification response message.
S506b: The first access management network element triggers the network slice authentication procedure for the network slice to be re-authenticated; the specific procedure is the same as the procedure in FIG. 1.
S507b: The first access management network element sends a subscription data update request message to the data management network element; the subscription data update request message carries the slice identifier and the authentication result obtained after re-authentication.
S508: The data management network element replies with a subscription data update response message to the first access management network element, indicating whether the subscription data update succeeded or failed.
If the AAA server triggers the authentication result revocation procedure, the following is performed:
S504c: The second slice authentication network element sends an authentication result revocation notification message to the first access management network element; the message includes the user identifier and the slice identifier S-NSSAI.
S505c: The first access management network element replies with an authentication result revocation notification response message.
S506a: The first access management network element sends a subscription data update request message to the data management network element; the message includes the slice identifier S-NSSAI and its authentication result. The message is used to modify the authentication result corresponding to the slice identifier S-NSSAI to EAP failure. After receiving the message, the data management network element updates the subscription data and stores the authentication result in the data corresponding to the slice identifier S-NSSAI in the subscription data.
S507a: The data management network element replies with a subscription data update response message to the first access management network element, indicating whether the subscription data update succeeded or failed.
It should be noted that, in the above procedure, S507b and S506a may also be performed by the second slice authentication network element, which then stores the authentication result obtained after re-authentication in the subscription data of the terminal device, or modifies the authentication result corresponding to the slice identifier S-NSSAI to EAP failure.
In Embodiment 1 above, the first access management network element stores the authentication result on the data management network element during the network slice authentication procedure, so that when the terminal device moves as in Scenario 1 and Scenario 2 above, the third access management network element can obtain the authentication result from the data management network element and therefore does not need to perform the network slice authentication procedure for the network slice. This saves network signaling overhead, and the terminal device does not have to wait for the third access management network element to complete the network slice authentication procedure before it can establish a session to the particular network slice, which speeds up service establishment and improves the service experience of the terminal device. In addition, once the data management network element stores the authentication result, the AAA server can still trigger the re-authentication or authentication result revocation procedure, which improves the flexibility of network slice authentication.
Embodiment 2
This embodiment mainly describes the following: the authentication result is stored on the data management network element, and the first slice authentication network element stores it there during the network slice authentication procedure; the third access management network element requests the authentication result from the second slice authentication network element, and the second slice authentication network element requests the authentication result from the data management network element. Optionally, in the re-authentication or authentication result revocation procedure triggered by the AAA server, the second slice authentication network element modifies the authentication result on the data management network element.
The differences from Embodiment 1 include the following: in Embodiment 2, the authentication result is stored on the data management network element by the slice authentication network element and is also obtained from the data management network element by the slice authentication network element, whereas in Embodiment 1 the authentication result is stored on the data management network element by the access management network element and is also obtained from the data management network element by the access management network element.
FIG. 6 is a flowchart of another specific slice authentication method provided by an embodiment of this application. The method can be applied to the network architecture shown in FIG. 2 and includes the following steps:
S601: The first access management network element triggers the network slice authentication procedure.
Specifically, the terminal device accesses the first access management network element, and the first access management network element obtains the subscription data of the terminal device from the data management network element. If the first access management network element learns, from the slice identifier S-NSSAI included in the subscription data and its network slice authentication indication information, that the network slice identified by the S-NSSAI (corresponding to the first slice above) requires network slice authentication, the first access management network element triggers the network slice authentication procedure; the specific procedure is the same as the procedure in FIG. 1. Here the first access management network element corresponds to the access management network element in FIG. 1, and the first slice authentication network element corresponds to the slice authentication function in FIG. 1.
After the first slice authentication network element learns the authentication result of the network slice (that is, after S1011 shown in FIG. 1 has been performed), the following steps are performed:
S602: The first slice authentication network element sends a request message to the data management network element; the message includes the slice identifier S-NSSAI and its authentication result. After receiving the message, the data management network element stores the slice identifier S-NSSAI and its authentication result.
Optionally, the data management network element may check whether the subscription data of the terminal device includes the slice identifier S-NSSAI. If the slice identifier S-NSSAI is not present in the subscription data of the terminal device, the data management network element does not store the slice identifier S-NSSAI and its authentication result.
S603: The data management network element replies with a response message to the first slice authentication network element, indicating whether the update of the authentication result succeeded or failed.
It should be noted that the terminal device may subscribe to multiple slice identifiers S-NSSAI that require network slice authentication. The first slice authentication network element may send multiple requests, each of which stores one or more slice identifiers S-NSSAI and their corresponding authentication results.
S601 to S603 above describe the process in which the first slice authentication network element stores the authentication result on the data management network element. The following describes the process in which, after the terminal device moves, the new access management network element (the third access management network element) obtains the authentication result from the data management network element.
For the scenarios in which the terminal device moves, refer to Scenario 1 and Scenario 2 in Embodiment 1; details are not repeated here.
Still referring to FIG. 6, in the procedure in which the terminal device moves from the second access management network element to the third access management network element, the terminal device triggers the registration update procedure:
S604: The terminal device sends a registration update request message to the third access management network element.
S605: During the registration update procedure, the third access management network element sends an authentication result request message (the first request message) to the second slice authentication network element to obtain the authentication result of the terminal device. The message includes the identifier of the terminal device and one or more slice identifiers S-NSSAI.
S606: The second slice authentication network element sends an obtain-authentication-result request message to the data management network element; the message includes the identifier of the terminal device and one or more slice identifiers S-NSSAI.
S607: The data management network element replies with an obtain-authentication-result response message to the second slice authentication network element; the message includes the authentication result.
Optionally, the message may further include the slice identifier S-NSSAI.
Optionally, the authentication result response message may specifically include multiple slice identifiers S-NSSAI and the authentication result corresponding to each slice.
S608: The second slice authentication network element replies with an obtain-authentication-result response message (the first response message) to the third access management network element; the response message includes the authentication result. Optionally, the response message further includes the slice identifier S-NSSAI.
Specifically, the authentication result response message may include one or more slice identifiers S-NSSAI and their authentication results.
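The store-and-retrieve exchange of S601 to S608 above, written out as an added Python model. This is example code written for this page, not code from the patent or from any 3GPP implementation. The class names (Udm, Nssaaf), the identifiers "supi-example-1" and the S-NSSAI strings are constructed sample data. The model goes slightly beyond the text in one respect that matters for security: on the third access management network element's side, a slice with no stored result is treated as "authentication still required", never as "allowed", so a missing or unsubscribed entry fails closed.

```python
"""Model of Embodiment 2 (S601-S608): the first NSSAAF writes per-(SUPI, S-NSSAI)
results to the UDM; a new AMF obtains them through its NSSAAF instead of re-running EAP.
Example code written for this page; names and identifiers are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

EAP_SUCCESS, EAP_FAILURE = "EAP_SUCCESS", "EAP_FAILURE"


@dataclass
class Udm:
    # SUPI -> subscribed S-NSSAIs flagged as requiring slice authentication (constructed)
    subscriptions: Dict[str, Set[str]]
    # authentication result data, keyed by (SUPI, S-NSSAI)
    auth_results: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def store_auth_results(self, supi: str, results: Dict[str, str]) -> Dict[str, str]:
        """S602/S603: one request may carry several S-NSSAIs; each gets its own outcome.
        Optional check of S602: an S-NSSAI absent from the subscription is not stored."""
        subscribed = self.subscriptions.get(supi, set())
        outcome: Dict[str, str] = {}
        for snssai, result in results.items():
            if snssai not in subscribed:
                outcome[snssai] = "failure"
                continue
            self.auth_results[(supi, snssai)] = result
            outcome[snssai] = "success"
        return outcome

    def get_auth_results(self, supi: str, snssais: List[str]) -> Dict[str, str]:
        """S606/S607: results are returned per S-NSSAI; unknown ones are simply absent."""
        return {s: self.auth_results[(supi, s)] for s in snssais
                if (supi, s) in self.auth_results}


@dataclass
class Nssaaf:
    udm: Udm

    def store(self, supi: str, results: Dict[str, str]) -> Dict[str, str]:
        # first NSSAAF, after S1011 of FIG. 1
        return self.udm.store_auth_results(supi, results)

    def get(self, supi: str, snssais: List[str]) -> Dict[str, str]:
        # second NSSAAF: S605 -> S606/S607 -> S608
        return self.udm.get_auth_results(supi, snssais)


def amf_registration_update(nssaaf: Nssaaf, supi: str,
                            requested: List[str]) -> Tuple[List[str], List[str], List[str]]:
    """Third AMF's side of S604-S608. Only a stored EAP success admits the S-NSSAI;
    a stored failure rejects it; no stored result means slice authentication must
    still be run (fail closed). Returns (allowed, rejected, pending)."""
    stored = nssaaf.get(supi, requested)
    allowed = [s for s in requested if stored.get(s) == EAP_SUCCESS]
    rejected = [s for s in requested if stored.get(s) == EAP_FAILURE]
    pending = [s for s in requested if s not in stored]
    return allowed, rejected, pending


def demo():
    """Constructed scenario: two subscribed slices, one unsubscribed, one never seen."""
    supi = "supi-example-1"                       # hypothetical identifier
    udm = Udm(subscriptions={supi: {"01-000001", "01-000002"}})
    first = Nssaaf(udm)
    stored = first.store(supi, {"01-000001": EAP_SUCCESS,
                                "01-000002": EAP_FAILURE,
                                "02-000009": EAP_SUCCESS})   # not subscribed: dropped
    second = Nssaaf(udm)                          # NSSAAF selected by the third AMF
    decision = amf_registration_update(
        second, supi, ["01-000001", "01-000002", "02-000009", "01-000003"])
    return stored, decision


if __name__ == "__main__":
    print(demo())
```

The UDM's optional subscription check in S602 is what keeps a result from being attached to a slice the UE does not hold; without it a stored EAP success for an arbitrary S-NSSAI could later be read back by a third access management network element as if it had been authenticated.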
After the first slice authentication network element has stored the authentication result in the authentication result data, the AAA server may also trigger the authentication result revocation or re-authentication procedure. The following describes how the AAA server triggers the authentication result revocation or re-authentication procedure.
FIG. 7 is a flowchart of another authentication result revocation method provided by an embodiment of this application. The method can be applied to the network architecture shown in FIG. 2 and may specifically be performed while the terminal device is attached via the first access management network element or the second access management network element. The method includes the following steps:
S701: The AAA server sends an AAA protocol message to the second slice authentication network element to trigger the authentication result revocation or re-authentication procedure.
For the specific implementation of S701, refer to the specific implementation of S501 above; details are not repeated here.
S702: After receiving the message, the second slice authentication network element sends a request message to the data management network element; the request message is used to query the mobility management network element registration information of the terminal device being served.
S703: The data management network element replies with a response message to the second slice authentication network element; the message includes the mobility management network element registration information, which includes the identifier of the access management network element. For example, the identifier of the access management network element is the NF Instance ID.
For the content of the mobility management network element registration information, refer to the three cases (Case 1, Case 2 and Case 3) in Embodiment 1; details are not repeated here.
Further, the second slice authentication network element performs different processing according to the specific content of the received mobility management network element registration information:
A. If the mobility management network element registration information includes the identifier of the access management network element, and the purge indication indicates that the access management network element has been detached, or the supported feature information indicates that the access management network element does not support the network slice authentication function, that is, Case 2 or Case 3 above, the second slice authentication network element performs S704a and S705a.
S704a: The second slice authentication network element sends an authentication result update request message to the data management network element; the authentication result update request message includes the slice identifier S-NSSAI. Optionally, the authentication result update request message further includes the authentication result.
After the data management network element receives the authentication result update request message: if the AAA server triggered the authentication result revocation procedure, the second slice authentication network element modifies the authentication result corresponding to the slice identifier S-NSSAI in the authentication result data to EAP failure; if the AAA server triggered the re-authentication procedure, the second slice authentication network element deletes the authentication result corresponding to the slice identifier S-NSSAI in the subscription data.
Specifically, the second slice authentication network element acts according to the AAA protocol message received in step S701. If the AAA server triggered the authentication result revocation procedure, the authentication result update request message is used to notify the data management network element to modify the authentication result: the message carries the authentication result, and the authentication result is EAP failure. If the AAA server triggered the re-authentication procedure, the authentication result update request message is used to notify the data management network element to delete the authentication result: the message may omit the authentication result, carry an empty authentication result, or carry the authentication result together with deletion indication information.
It should be noted that in this embodiment the slice identifier S-NSSAI and the authentication result are stored in the authentication result data of the data management network element, whereas in Embodiment 1 the authentication result is stored in the data corresponding to the slice identifier S-NSSAI in the subscription data of the data management network element. Therefore, in S704a of this embodiment the second slice authentication network element sends an authentication result update request message to the data management network element, whereas in S504a of Embodiment 1 the second slice authentication network element sends a subscription data update request message to the data management network element.
S705a: The data management network element replies with an authentication result update response message to the second slice authentication network element, indicating whether the update of the authentication result data succeeded or failed.
B. If the mobility management network element registration information includes the identifier of the access management network element, and the purge indication indicates that the access management network element has not been detached (or the mobility management network element registration information includes no purge indication), and the supported feature information indicates that the access management network element supports the network slice authentication function, that is, Case 1 above, the second slice authentication network element performs step S704b and the subsequent steps, or step S704c and the subsequent steps.
The authentication result revocation procedure and the re-authentication procedure are described separately below.
If the AAA server triggers the re-authentication procedure, the following is performed:
S704b: The second slice authentication network element sends a re-authentication notification message to the first access management network element; the message includes the user identifier and the slice identifier S-NSSAI.
S705b: The first access management network element replies with a re-authentication notification response message.
S706b: The first access management network element triggers the network slice authentication procedure for the network slice to be re-authenticated; the specific procedure is the same as the procedure in FIG. 1.
S707b: The second slice authentication network element sends an authentication result update request message to the data management network element; the message carries the slice identifier and the authentication result obtained after re-authentication.
S708: The data management network element replies with an authentication result update response message to the second slice authentication network element, indicating whether the update succeeded or failed.
If the AAA server triggers the authentication result revocation procedure, the following is performed:
S704c: The second slice authentication network element sends an authentication result revocation notification message to the first access management network element; the message includes the user identifier and the slice identifier S-NSSAI.
S705c: The first access management network element replies with an authentication result revocation notification response message.
S706a: The second slice authentication network element sends an authentication result update request message to the data management network element; the message includes the slice identifier S-NSSAI and its authentication result. The message is used to modify the authentication result corresponding to the slice identifier S-NSSAI to EAP failure. After receiving the message, the data management network element stores the slice identifier S-NSSAI and its authentication result.
S707a: The data management network element replies with an authentication result update response message to the second slice authentication network element, indicating whether the update of the authentication result succeeded or failed.
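The AAA-triggered dispatch described in S501 to S508 (Embodiment 1) and again in S701 to S708 (Embodiment 2) follows the same decision: read the serving access management network element's registration from the data management network element, then either update the stored result directly (Case 2 or Case 3) or hand the work to the serving access management network element (Case 1). The following Python model is an added example written for this page, not the patent's or any vendor's code. The field names purge_flag and supports_nssaa, the class names, the trigger strings "revoke" and "reauth", and the identifiers in demo() are all assumptions; the run_nssaa callback stands in for the full FIG. 1 exchange, which this model does not implement.

```python
"""Model of the AAA-triggered revocation / re-authentication dispatch (S501-S508, S701-S708).
Example code written for this page; names, fields and identifiers are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

EAP_SUCCESS, EAP_FAILURE = "EAP_SUCCESS", "EAP_FAILURE"
REVOKE, REAUTH = "revoke", "reauth"      # what the AAA protocol message (S501/S701) asks for


@dataclass
class AmfRegistration:
    """Mobility management registration as returned by the UDM (S702/S703)."""
    amf_id: str                       # NF Instance ID of the serving AMF
    purge_flag: Optional[bool]        # None = no purge indication present
    supports_nssaa: bool              # supported-features: network slice authentication


def registration_case(reg: AmfRegistration) -> int:
    """Case 1: AMF still serving and NSSAA-capable; Case 2: purged; Case 3: not capable."""
    if reg.purge_flag is True:
        return 2
    if not reg.supports_nssaa:
        return 3
    return 1


@dataclass
class Udm:
    registrations: Dict[str, AmfRegistration]
    auth_results: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def get_amf_registration(self, supi: str) -> AmfRegistration:
        return self.registrations[supi]

    def update_auth_result(self, supi: str, snssai: str,
                           result: Optional[str] = None, delete: bool = False) -> bool:
        """S504a/S704a semantics: a result sets the entry; no result, an empty result
        or a delete indication removes it. Returns True if anything was stored/removed."""
        key = (supi, snssai)
        if delete or not result:
            return self.auth_results.pop(key, None) is not None
        self.auth_results[key] = result
        return True


@dataclass
class Amf:
    """Serving AMF; run_nssaa stands in for the FIG. 1 EAP exchange (S506b/S706b)."""
    run_nssaa: Callable[[str, str], str]
    revoked: List[Tuple[str, str]] = field(default_factory=list)

    def on_reauth_notification(self, supi: str, snssai: str) -> str:
        return self.run_nssaa(supi, snssai)          # S504b/S505b then S506b

    def on_revocation_notification(self, supi: str, snssai: str) -> None:
        self.revoked.append((supi, snssai))          # S504c/S505c


@dataclass
class Nssaaf:
    udm: Udm
    amfs: Dict[str, Amf]    # NF Instance ID -> reachable AMF (assumed discovery)

    def handle_aaa_trigger(self, supi: str, snssai: str, trigger: str) -> Optional[str]:
        """Returns the result now stored in the UDM, or None if it was deleted."""
        reg = self.udm.get_amf_registration(supi)
        if registration_case(reg) != 1:
            # Case 2/3: nobody can re-run EAP, so never leave a stale success behind.
            if trigger == REVOKE:
                self.udm.update_auth_result(supi, snssai, EAP_FAILURE)
                return EAP_FAILURE
            self.udm.update_auth_result(supi, snssai, delete=True)
            return None
        amf = self.amfs[reg.amf_id]
        if trigger == REVOKE:
            amf.on_revocation_notification(supi, snssai)
            self.udm.update_auth_result(supi, snssai, EAP_FAILURE)   # S506a/S706a
            return EAP_FAILURE
        new_result = amf.on_reauth_notification(supi, snssai)
        self.udm.update_auth_result(supi, snssai, new_result)        # S507b/S707b
        return new_result


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: one UE, one slice, the three registration cases in turn."""
    supi, snssai = "supi-example-1", "01-000001"     # hypothetical identifiers
    udm = Udm(registrations={}, auth_results={(supi, snssai): EAP_SUCCESS})
    nssaaf = Nssaaf(udm=udm, amfs={"amf-1": Amf(run_nssaa=lambda s, n: EAP_SUCCESS)})
    out: Dict[str, Optional[str]] = {}
    udm.registrations[supi] = AmfRegistration("amf-1", purge_flag=None, supports_nssaa=True)
    out["case1_reauth"] = nssaaf.handle_aaa_trigger(supi, snssai, REAUTH)
    out["case1_revoke"] = nssaaf.handle_aaa_trigger(supi, snssai, REVOKE)
    udm.registrations[supi] = AmfRegistration("amf-1", purge_flag=True, supports_nssaa=True)
    udm.auth_results[(supi, snssai)] = EAP_SUCCESS
    out["case2_reauth"] = nssaaf.handle_aaa_trigger(supi, snssai, REAUTH)
    out["case2_reauth_stored"] = udm.auth_results.get((supi, snssai))
    udm.registrations[supi] = AmfRegistration("amf-1", purge_flag=None, supports_nssaa=False)
    out["case3_revoke"] = nssaaf.handle_aaa_trigger(supi, snssai, REVOKE)
    out["case3_revoke_stored"] = udm.auth_results.get((supi, snssai))
    return out


if __name__ == "__main__":
    print(demo())
```

The point a reviewer would check in an implementation is the Case 2/3 re-authentication branch: when no capable access management network element is serving the terminal device, the only safe action is to delete the stored result so that the next access management network element finds nothing and must run the FIG. 1 procedure; leaving the old EAP success in place would let a revoked or expired authorization be reused after mobility.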
In Embodiment 2 above, the first slice authentication network element stores the authentication result on the data management network element during the network slice authentication procedure, so that when the terminal device moves as in Scenario 1 and Scenario 2 above, the third access management network element can obtain the authentication result from the data management network element and therefore does not need to perform the network slice authentication procedure for the network slice. This saves network signaling overhead, and the terminal device does not have to wait for the third access management network element to complete the network slice authentication procedure before it can establish a session to the particular network slice, which speeds up service establishment and improves the service experience of the terminal device. In addition, once the data management network element stores the authentication result, the AAA server can still trigger the re-authentication or authentication result revocation procedure, which improves the flexibility of network slice authentication.
Embodiment 3
This embodiment mainly describes the following: the authentication result is stored on the first slice authentication network element, which stores it during the network slice authentication procedure and also registers its own registration information (the first slice authentication network element registration information) with the data management network element; the third access management network element requests the authentication result from the second slice authentication network element, and the second slice authentication network element obtains the first slice authentication network element registration information from the data management network element and, according to that registration information, requests the authentication result from the first slice authentication network element. Optionally, in the re-authentication or authentication result revocation procedure triggered by the AAA server, the second slice authentication network element notifies the first slice authentication network element to update the authentication result.
FIG. 8 shows another specific slice authentication method provided by this embodiment. The method can be applied to the network architecture shown in FIG. 2 and includes the following steps:
S801: The first access management network element triggers the network slice authentication procedure.
Specifically, the terminal device accesses the first access management network element, and the first access management network element obtains the subscription data of the terminal device from the data management network element. If the first access management network element learns, from the slice identifier S-NSSAI included in the subscription data and its network slice authentication indication information, that the network slice identified by the S-NSSAI (corresponding to the first slice above) requires network slice authentication, the first access management network element triggers the network slice authentication procedure; the specific procedure is the same as the procedure in FIG. 1. Here the first access management network element corresponds to the access management node in FIG. 1, and the first slice authentication network element corresponds to the slice authentication function in FIG. 1.
After the first slice authentication network element learns the authentication result of the network slice (that is, after S1011 shown in FIG. 1 has been performed), the following steps are performed:
S802: The first slice authentication network element stores the user identifier, the network slice S-NSSAI and the authentication result.
S803: The first slice authentication network element sends a registration request message to the data management network element to register the first slice authentication network element information with the data management network element; the message includes the user identifier, the network slice S-NSSAI and the identifier of the first slice authentication network element. For example, the identifier of the first slice authentication network element may be a network function instance identifier.
S804: The data management network element replies with a registration response message to the first slice authentication network element, indicating whether the registration of the first slice authentication network element information succeeded or failed.
S805: The data management network element stores the first slice authentication network element registration information.
S801 to S805 above describe the process in which the first slice authentication network element stores the authentication result and registers the first slice authentication network element registration information with the data management network element. The following describes the process in which, after the terminal device moves, the new access management network element (the third access management network element) obtains the authentication result from the first slice authentication network element.
终端设备发生移动的场景可以参考实施例一中的场景一和场景二,此处不再赘述。For a scenario in which the terminal device moves, reference may be made to scenario 1 and scenario 2 in Embodiment 1, and details are not repeated here.
Still referring to FIG. 8, when the terminal device moves from the second access management network element to the third access management network element, the terminal device triggers a registration update procedure:
S806: In the registration procedure, the terminal device sends a registration update request message to the third access management network element.
S807: In the registration procedure, the third access management network element selects the second slice authentication network element and sends it an obtain-authentication-result request message (the first request message); the message includes the user identifier and the network slice S-NSSAI.
S808: The second slice authentication network element has no locally stored authentication result corresponding to the user identifier and the network slice S-NSSAI, so it sends an obtain-slice-authentication-registration-information message to the data management network element; the message includes the user identifier and the network slice S-NSSAI.
S809: The data management network element replies to the second slice authentication network element with an obtain-slice-authentication-registration-information response message; the message includes the slice authentication network element registration information, which includes the identifier of the first slice authentication network element.
Optionally, the slice authentication network element registration information further includes the network slice S-NSSAI.
The data management network element queries the slice authentication network element registration information corresponding to the parameters in the message of step S807 and sends that registration information to the second slice authentication network element.
S8010: Based on the identifier of the first slice authentication network element, the second slice authentication network element sends an obtain-authentication-result request message to the first slice authentication network element; the message includes the user identifier and the network slice S-NSSAI.
S8011: The first slice authentication network element replies to the second slice authentication network element with an obtain-authentication-result response message; the response message includes the authentication result.
Optionally, the authentication result response message further includes the user identifier and the network slice S-NSSAI.
S8012: The second slice authentication network element replies to the third access management network element with an obtain-authentication-result response message (the first response message); the response message includes the authentication result.
Optionally, the authentication result response message may further include the user identifier and the network slice S-NSSAI.
It should be noted that the terminal device may subscribe to multiple slice identifiers S-NSSAI that require network slice authentication; the second slice authentication network element may therefore issue the obtain-authentication-result request multiple times, each request covering one or more slice identifiers S-NSSAI and their corresponding authentication results.
It should be understood that, in the above procedure for obtaining slice authentication registration information, the access management network element may instead obtain the slice authentication registration information from the data management network element itself and then obtain the authentication result of the network slice. Specifically, S807 to S8012 are replaced by the following steps 1) to 4):
1) The third access management network element sends an obtain-slice-authentication-registration-information message to the data management network element; the message includes the user identifier and the network slice S-NSSAI.
2) The data management network element replies to the third access management network element with an obtain-slice-authentication-registration-information response message; the message includes the slice authentication network element registration information, which includes the network slice S-NSSAI and the identifier of the first slice authentication network element.
3) Based on the identifier of the first slice authentication network element, the third access management network element sends an obtain-authentication-result request message to the first slice authentication network element; the message includes the user identifier and the network slice S-NSSAI.
4) The first slice authentication network element replies with an obtain-authentication-result response message; the message includes the user identifier, the network slice S-NSSAI and the authentication result.
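The retrieval described in S806 to S8012 and in the alternative steps 1) to 4), as an added in-memory model in Python. This is illustrative code written for this page, not the patent's or Huawei's implementation: the class names, method names, the `directory` that stands in for NF discovery (which the page does not detail), and the sample SUPI and S-NSSAI values are all constructed. It shows a local miss at the second slice authentication network element being resolved through the data management network element's registration information, a request carrying several S-NSSAIs at once, and the case where no holder is registered.

```python
"""Added example (not from the patent): in-memory model of how a new access
management network element obtains a stored slice authentication result
(FIG. 8, S806-S8012 and the alternative steps 1)-4)). Class, method and
sample identifier names are constructed for illustration."""

# Constructed sample identifiers.
SUPI = "imsi-001010123456789"
SLICE_A, SLICE_B, SLICE_C = "01-000001", "01-000002", "01-000003"
NSSAAF1, NSSAAF2 = "nssaaf-1", "nssaaf-2"   # first / second slice authentication NE


class DataManagement:
    """Data management NE: keeps the slice authentication NE registration
    information, keyed by (user identifier, S-NSSAI) as in S801-S805."""
    def __init__(self):
        self._reg = {}

    def register(self, nssaaf_id, supi, s_nssai):
        self._reg[(supi, s_nssai)] = nssaaf_id
        return {"status": "success"}                          # S804

    def get_slice_auth_registration(self, supi, s_nssai):
        nssaaf_id = self._reg.get((supi, s_nssai))
        if nssaaf_id is None:
            return None
        return {"s_nssai": s_nssai, "nssaaf_id": nssaaf_id}  # S809 / step 2)


class SliceAuth:
    """Slice authentication NE. `directory` maps NF ids to instances and stands
    in for NF discovery, which the page does not detail (assumption)."""
    def __init__(self, nf_id, udm, directory):
        self.nf_id, self._udm, self._directory = nf_id, udm, directory
        self._results = {}

    def store_result(self, supi, s_nssai, result):
        """S802-S803: keep the FIG. 1 outcome and register as its holder."""
        self._results[(supi, s_nssai)] = result
        return self._udm.register(self.nf_id, supi, s_nssai)

    def get_auth_result(self, supi, s_nssais):
        """Obtain-authentication-result request (first request message). One
        request may carry several S-NSSAIs. A None entry means no stored result
        was found anywhere, so the AMF has to run the FIG. 1 procedure."""
        out = {}
        for s in s_nssais:
            key = (supi, s)
            if key in self._results:
                out[s] = self._results[key]                   # local hit
                continue
            reg = self._udm.get_slice_auth_registration(supi, s)   # S808/S809
            if reg is None or reg["nssaaf_id"] == self.nf_id:
                out[s] = None     # unknown, or UDM points at us but we have nothing
                continue
            holder = self._directory[reg["nssaaf_id"]]
            out[s] = holder.get_auth_result(supi, [s])["results"][s]  # S8010/S8011
        return {"supi": supi, "results": out}                          # S8012


class AccessManagement:
    """Third access management NE after the terminal device moved to it."""
    def __init__(self, nf_id, udm, directory):
        self.nf_id, self._udm, self._directory = nf_id, udm, directory

    def fetch_via_slice_auth(self, supi, s_nssais, selected=NSSAAF2):
        """S807: delegate to a selected slice authentication NE."""
        return self._directory[selected].get_auth_result(supi, s_nssais)

    def fetch_direct(self, supi, s_nssais):
        """Alternative steps 1)-4): consult the data management NE itself."""
        out = {}
        for s in s_nssais:
            reg = self._udm.get_slice_auth_registration(supi, s)      # steps 1)-2)
            if reg is None:
                out[s] = None
                continue
            holder = self._directory[reg["nssaaf_id"]]
            out[s] = holder.get_auth_result(supi, [s])["results"][s]  # steps 3)-4)
        return {"supi": supi, "results": out}


def build_network():
    udm, directory = DataManagement(), {}
    directory[NSSAAF1] = SliceAuth(NSSAAF1, udm, directory)
    directory[NSSAAF2] = SliceAuth(NSSAAF2, udm, directory)
    amf3 = AccessManagement("amf-3", udm, directory)
    # Outcomes of earlier FIG. 1 runs at the first slice authentication NE (constructed).
    directory[NSSAAF1].store_result(SUPI, SLICE_A, "EAP success")
    directory[NSSAAF1].store_result(SUPI, SLICE_B, "EAP failure")
    return amf3


def demo():
    amf3 = build_network()
    via_nssaaf2 = amf3.fetch_via_slice_auth(SUPI, [SLICE_A, SLICE_B, SLICE_C])
    direct = amf3.fetch_direct(SUPI, [SLICE_A, SLICE_B, SLICE_C])
    return via_nssaaf2, direct
```

Two properties of the model are worth noting. The holder of a result is resolved from the data management network element's registration, keyed on the user identifier and S-NSSAI, never from anything the requesting access management network element asserts about where the result lives. And a slice with no registered holder comes back as `None` rather than as a success, so the new access management network element falls through to the full FIG. 1 procedure instead of admitting the terminal device to the slice on a missing record.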
After the first slice authentication network element has stored the authentication result, the AAA server may also trigger an authentication result withdrawal or re-authentication procedure.
The following describes how the AAA server triggers the authentication result withdrawal or re-authentication procedure.
FIG. 9 is a flowchart of another authentication result withdrawal method provided by an embodiment of this application. The method may be applied to the network architecture shown in FIG. 2 and may specifically be performed while the terminal device is accessing via the first access management network element or the second access management network element. The method includes:
S901: The AAA server sends an AAA protocol message to the second slice authentication network element to trigger an authentication result withdrawal or re-authentication procedure.
For the specific implementation of S901, refer to the specific implementation of S501 above; details are not repeated here.
S902: After receiving the message, the second slice authentication network element sends a request message to the data management network element to query the mobility management network element registration information of the network element serving the terminal device.
S903: The data management network element replies to the second slice authentication network element with a response message that includes the mobility management network element registration information, which includes the access management network element identifier. For example, the access management network element identifier is the NF Instance ID.
For the content of the mobility management network element registration information, refer to the three cases (Case 1, Case 2 and Case 3) in Embodiment 1; details are not repeated here.
Further, the second slice authentication network element performs different processing depending on the specific content of the received mobility management network element registration information:
A. If the mobility management network element registration information includes the identifier of the access management network element and the purge indication indicates that the access management network element has been detached, or the supported-features information indicates that the access management network element does not support the network slice authentication function, that is, Case 2 or Case 3 above, the second slice authentication network element performs steps S904, S905, S906a and S907a. Optionally, steps S908a and S909a may also be performed.
S904: The second slice authentication network element has no locally stored authentication result corresponding to the user identifier and the network slice S-NSSAI, so it sends an obtain-slice-authentication-registration-information message to the data management network element; the message includes the user identifier and the network slice S-NSSAI.
S905: The data management network element replies to the second slice authentication network element with an obtain-slice-authentication-registration-information response message; the message includes the slice authentication network element registration information, which includes the network slice S-NSSAI and the identifier of the first slice authentication network element. Specifically, the data management network element queries the slice authentication network element registration information corresponding to the parameters in the S904 message and sends that registration information to the second slice authentication network element.
S906a: The second slice authentication network element sends an update-authentication-result request message to the first slice authentication network element; the message includes the user identifier, the slice identifier S-NSSAI and its authentication result. After receiving the message, the first slice authentication network element updates the authentication result. If the AAA server triggered the authentication result withdrawal procedure, the second slice authentication network element changes the authentication result corresponding to the slice identifier S-NSSAI in the first slice authentication network element to EAP failure. If the AAA server triggered the re-authentication procedure, the second slice authentication network element deletes the authentication result corresponding to the slice identifier S-NSSAI in the first slice authentication network element.
S907a: The first slice authentication network element replies to the second slice authentication network element with an update-authentication-result response message indicating whether the authentication result update succeeded or failed.
If, in S906a, the AAA server triggered the re-authentication procedure and the authentication result corresponding to the slice identifier S-NSSAI in the first slice authentication network element must be deleted, the first slice authentication network element performs S908a and S909a.
S908a: The first slice authentication network element sends a deregistration request message to the data management network element; the message includes the slice identifier S-NSSAI and may also include the identifier of the first slice authentication network element.
S909a: The data management network element replies to the first slice authentication network element with a deregistration response message indicating whether deregistration of the first slice authentication network element succeeded or failed.
B. If the mobility management network element registration information includes the identifier of the access management network element and the purge indication indicates that the access management network element has not been detached, or the mobility management network element registration information includes no purge indication, and the supported-features information indicates that the access management network element supports the network slice authentication function, that is, Case 1 above, the second slice authentication network element performs steps S904, S905, and S906b or S906c and the subsequent steps.
S904: The second slice authentication network element has no locally stored authentication result corresponding to the user identifier and the network slice S-NSSAI, so it sends an obtain-slice-authentication-registration-information message to the data management network element; the message includes the user identifier and the network slice S-NSSAI.
S905: The data management network element replies to the second slice authentication network element with an obtain-slice-authentication-registration-information response message; the message includes the slice authentication network element registration information, which includes the network slice S-NSSAI and the identifier of the first slice authentication network element. Specifically, the data management network element queries the slice authentication network element registration information corresponding to the parameters in the S904 message and sends that registration information to the second slice authentication network element.
The authentication result withdrawal procedure and the re-authentication procedure triggered by the AAA server are described separately here.
1) The AAA server triggers re-authentication:
S906b: The second slice authentication network element sends a re-authentication notification message to the first access management network element; the message includes the user identifier and the slice identifier S-NSSAI.
S907b: The first access management network element replies with a re-authentication notification response message.
S908b: The first access management network element triggers the network slice authentication procedure for the network slice to be re-authenticated; the specific procedure is the same as that in FIG. 1.
S909b: After the second slice authentication network element obtains the authentication result sent by the AAA server in the network slice authentication procedure, it notifies the first slice authentication network element to update the authentication result of the network slice.
For the specific implementation, refer to S906a and S907a; it is not described in detail here.
2) The AAA server triggers the authentication result withdrawal procedure:
S906c: The second slice authentication network element sends an authentication result withdrawal notification message to the first access management network element; the message includes the user identifier and the slice identifier S-NSSAI.
S907c: The first access management network element replies with an authentication result withdrawal notification response message.
S908c: After receiving the authentication result withdrawal from the AAA server, the second slice authentication network element notifies the first slice authentication network element to update the authentication result of the network slice, changing the authentication result to EAP failure.
For the specific implementation, refer to S906a and S907a; it is not described in detail here.
In Embodiment 3 above, the first slice authentication network element stores the authentication result during the network slice authentication procedure and registers the first slice authentication network element registration information with the data management network element. As a result, in the mobility scenarios listed in Scenario 1 and Scenario 2 above, the third access management network element can obtain the authentication result through the second slice authentication network element (that is, it triggers the second slice authentication network element to obtain the first slice authentication network element registration information from the data management network element, obtain the authentication result from the first slice authentication network element based on that registration information, and return the authentication result to the third access management network element). The network slice authentication procedure therefore does not need to be executed again for the network slice, which saves network signaling overhead; at the same time, the terminal device does not need to wait for the third access management network element to complete the network slice authentication procedure before it can establish a session to a specific network slice, which speeds up service establishment and can improve the service experience of the terminal device. In addition, after the data management network element has stored the authentication result, the AAA server can also trigger a re-authentication or authentication result withdrawal procedure, which improves the flexibility of network slice authentication.
Embodiment 4
This embodiment mainly describes the following: the authentication result is stored on the first slice authentication network element, which stores it during the network slice authentication procedure; the third access management network element requests the authentication result from the first slice authentication network element. Optionally, in the re-authentication or authentication result withdrawal procedure triggered by the AAA server, the AAA server directly notifies the first slice authentication network element to update the authentication result.
The differences between Embodiment 4 and Embodiment 3 include the following: in Embodiment 4, the first slice authentication network element does not need to register the first slice authentication network element registration information with the data management network element, and the third access management network element can obtain the authentication result directly from the first slice authentication network element. For example, this embodiment is applicable to a scenario in which only one slice authentication network element (namely the first slice authentication network element above) is deployed in the current network.
FIG. 10 shows another specific slice authentication method provided by this embodiment. The method may be applied to the network architecture shown in FIG. 2 and includes:
S1001: The first access management network element triggers the network slice authentication procedure.
Specifically, the terminal device accesses via the first access management network element, which obtains the subscription data of the terminal device from the data management network element. Based on the slice identifier S-NSSAI in the subscription data and its network slice authentication indication information, the first access management network element learns that the network slice identified by the S-NSSAI (corresponding to the first slice above) requires network slice authentication, and therefore triggers the network slice authentication procedure; the specific procedure is the same as that in FIG. 1. Here the first access management network element corresponds to the access management node in FIG. 1, and the first slice authentication network element corresponds to the slice authentication function in FIG. 1.
After the first slice authentication network element learns the authentication result of the network slice (that is, after S1011 shown in FIG. 1 has been performed), the following steps continue:
S1002: The first slice authentication network element stores the user identifier, the network slice S-NSSAI and the authentication result.
S1001 to S1002 above describe how the first slice authentication network element stores the authentication result. The following describes how, after the terminal device moves, the new access management network element (the third access management network element) obtains the authentication result from the first slice authentication network element.
For the scenarios in which the terminal device moves, refer to Scenario 1 and Scenario 2 in Embodiment 1; details are not repeated here.
Still referring to FIG. 10, when the terminal device moves from the second access management network element to the third access management network element, the terminal device triggers a registration update procedure:
S1003: In the registration procedure, the terminal device sends a registration update request message to the third access management network element.
S1004: The third access management network element sends an obtain-authentication-result request message (the first request message) to the first slice authentication network element; the message includes the user identifier and the network slice S-NSSAI.
Specifically, the message may include one or more network slice identifiers S-NSSAI.
S1005: The first slice authentication network element replies with an obtain-authentication-result response message (the first response message); the message includes the authentication result.
Optionally, the authentication result response message further includes the user identifier and the network slice S-NSSAI.
After the first slice authentication network element has stored the authentication result, the AAA server may also trigger an authentication result withdrawal or re-authentication procedure.
The following describes how the AAA server triggers the authentication result withdrawal or re-authentication procedure.
FIG. 11 is a flowchart of another authentication result withdrawal method provided by an embodiment of this application. The method may be applied to the network architecture shown in FIG. 2 and may specifically be performed while the terminal device is accessing via the first access management network element or the second access management network element. The method includes:
S1101: The AAA server sends an AAA protocol message to the first slice authentication network element to trigger an authentication result withdrawal or re-authentication procedure.
Specifically, a change such as a configuration modification on the AAA server triggers authentication result withdrawal (S1101a in FIG. 11) or a re-authentication procedure (S1101b in FIG. 11). Authentication result withdrawal applies to a network slice whose authentication result is EAP success and changes the authentication result to EAP failure; the re-authentication procedure is used to notify the access management network element to trigger the network slice authentication procedure and perform EAP authentication for the network slice again. The AAA server sends the corresponding AAA protocol message to the first slice authentication network element.
S1102: After receiving the AAA protocol message, the first slice authentication network element sends a request message to the data management network element to query the mobility management network element registration information of the network element serving the terminal device.
S1103: The data management network element replies to the first slice authentication network element with a response message that includes the mobility management network element registration information, which includes the access management network element identifier. For example, the access management network element identifier is the NF Instance ID.
For the content of the mobility management network element registration information, refer to the three cases (Case 1, Case 2 and Case 3) in Embodiment 1; details are not repeated here.
Further, the first slice authentication network element performs different processing depending on the specific content of the received mobility management network element registration information:
A. If the mobility management network element registration information includes the identifier of the access management network element and the purge indication indicates that the access management network element has been detached, or the supported-features information indicates that the access management network element does not support the network slice authentication function, that is, Case 2 or Case 3 above, S1104c is performed.
S1104c: The first slice authentication network element updates the locally stored authentication result corresponding to the slice identifier S-NSSAI.
Specifically, for authentication result withdrawal the first slice authentication network element changes the authentication result to EAP failure; for re-authentication the first slice authentication network element deletes the authentication result.
B. If the mobility management network element registration information includes the identifier of the access management network element and the purge indication indicates that the access management network element has not been detached, or the mobility management network element registration information includes no purge indication, and the supported-features information indicates that the access management network element supports the network slice authentication function, that is, Case 1 above, the first slice authentication network element performs step S1104a or S1104b and the subsequent steps.
The authentication result withdrawal procedure and the re-authentication procedure triggered by the AAA server are described separately here.
1) The AAA server triggers re-authentication:
S1104a: The first slice authentication network element sends a re-authentication notification message to the first access management network element; the message includes the user identifier and the slice identifier S-NSSAI.
S1105a: The first access management network element replies with a re-authentication notification response message.
S1106a: The first access management network element triggers the network slice authentication procedure for the network slice to be re-authenticated; the specific procedure is the same as that in FIG. 1.
S1107a: After the first slice authentication network element obtains the authentication result sent by the AAA server in the network slice authentication procedure, it updates the locally stored authentication result of the network slice, changing the authentication result to EAP failure.
2) The AAA server triggers the authentication result withdrawal procedure:
S1104b: The first slice authentication network element sends an authentication result withdrawal notification message to the first access management network element; the message includes the user identifier and the slice identifier S-NSSAI.
S1105b: The first access management network element replies with an authentication result withdrawal notification response message.
S1106b: The first slice authentication network element updates the authentication result by deleting the locally stored authentication result of the network slice.
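The branch selection that both FIG. 9 (S902 to S909, Embodiment 3) and FIG. 11 (S1102 to S1106, Embodiment 4) perform on the mobility management network element registration information, as one added Python example serving both passages. It is illustrative code written for this page, not the patent's or Huawei's implementation; the attribute names on the registration record (`purge`, `supports_nssaa`), the message type strings and the sample identifiers are constructed. The `deregister_from_udm` switch models the one difference between the two embodiments (S908a/S909a exist only in Embodiment 3), and the Case 1 branch emits the notification that S906b/S906c and S1104a/S1104b send to the access management network element.

```python
"""Added example (not from the patent): decision logic a slice authentication
network element applies when the AAA server triggers authentication result
withdrawal or re-authentication (FIG. 9 S902-S909 and FIG. 11 S1102-S1106).
Field names, message type strings and sample identifiers are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AmfRegistration:
    """Mobility management NE registration information returned by the data
    management NE (S903 / S1103). Attribute names are assumptions."""
    amf_id: str                       # access management NE identifier, e.g. NF Instance ID
    purge: Optional[bool] = None      # purge indication: True = detached, None = not present
    supports_nssaa: bool = True       # supported-features: network slice authentication


@dataclass
class ResultStore:
    """State of the first slice authentication NE: stored results per
    (user identifier, S-NSSAI) and, for Embodiment 3 only, the entries it has
    registered with the data management NE (S803 / S908a)."""
    results: dict = field(default_factory=dict)
    udm_registered: set = field(default_factory=set)


def select_branch(reg: AmfRegistration) -> str:
    """Branch A (the page's Case 2 or Case 3): the recorded AMF is detached or
    cannot run slice authentication, so no one can re-run EAP and the stored
    result is edited directly. Branch B (Case 1): a capable serving AMF exists
    and is notified. An absent purge indication counts as not detached."""
    if reg.purge is True or not reg.supports_nssaa:
        return "A"
    return "B"


def handle_aaa_trigger(trigger, supi, s_nssai, reg, store, outbox,
                       deregister_from_udm=False):
    """Applies one AAA trigger ('withdraw' or 'reauth') for one (supi, S-NSSAI).
    outbox collects notifications sent to the access management NE.
    deregister_from_udm=True models Embodiment 3 (S908a/S909a); False models
    Embodiment 4, where nothing was registered with the data management NE."""
    if trigger not in ("withdraw", "reauth"):
        raise ValueError(f"unknown AAA trigger: {trigger!r}")
    key = (supi, s_nssai)
    branch = select_branch(reg)
    if branch == "A":
        if trigger == "withdraw":
            # S906a / S1104c: withdrawal turns the stored result into EAP failure.
            store.results[key] = "EAP failure"
            action = "set EAP failure"
        else:
            # S906a / S1104c: re-authentication removes the stored result, so a
            # later lookup forces a fresh FIG. 1 run instead of reusing stale state.
            store.results.pop(key, None)
            action = "deleted result"
            if deregister_from_udm:
                store.udm_registered.discard(key)          # S908a / S909a
                action += ", deregistered from UDM"
        return {"branch": "A", "action": action}
    # Branch B: S906b/S906c (Embodiment 3) or S1104a/S1104b (Embodiment 4).
    kind = "reauth_notification" if trigger == "reauth" else "withdrawal_notification"
    msg = {"type": kind, "to": reg.amf_id, "supi": supi, "s_nssai": s_nssai}
    outbox.append(msg)
    return {"branch": "B", "action": kind}


def demo():
    """Constructed scenarios; returns (store, outbox, decisions)."""
    supi, slice_a, slice_b = "imsi-001010123456789", "01-000001", "01-000002"
    store = ResultStore(results={(supi, slice_a): "EAP success",
                                 (supi, slice_b): "EAP success"},
                        udm_registered={(supi, slice_a), (supi, slice_b)})
    outbox = []
    detached = AmfRegistration(amf_id="amf-2", purge=True, supports_nssaa=True)
    serving = AmfRegistration(amf_id="amf-1", purge=None, supports_nssaa=True)
    legacy = AmfRegistration(amf_id="amf-old", purge=False, supports_nssaa=False)
    decisions = [
        handle_aaa_trigger("withdraw", supi, slice_a, detached, store, outbox, True),
        handle_aaa_trigger("reauth", supi, slice_b, legacy, store, outbox, True),
        handle_aaa_trigger("reauth", supi, slice_a, serving, store, outbox, True),
        handle_aaa_trigger("withdraw", supi, slice_b, serving, store, outbox, False),
    ]
    return store, outbox, decisions
```

The asymmetry between the two triggers is the point to check in any implementation: withdrawal must leave a negative record (EAP failure) so a later lookup denies the slice, whereas re-authentication must leave no record at all, because an AMF that later finds a stored success would skip the FIG. 1 procedure the AAA server asked for. In Embodiment 3 the deletion also has to reach the data management network element (S908a), otherwise a stale registration would keep directing requesters to a holder that no longer has the result.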
In Embodiment 4 above, the first slice authentication network element stores the authentication result during the network slice authentication procedure. As a result, in the mobility scenarios listed in Scenario 1 and Scenario 2 above, the third access management network element can obtain the authentication result directly from the first slice authentication network element. The network slice authentication procedure therefore does not need to be executed again for the network slice, which saves network signaling overhead; at the same time, the terminal device does not need to wait for the third access management network element to complete the network slice authentication procedure before it can establish a session to a specific network slice, which speeds up service establishment and can improve the service experience of the terminal device. In addition, after the data management network element has stored the authentication result, the AAA server can also trigger a re-authentication or authentication result withdrawal procedure, which improves the flexibility of network slice authentication.
需要说明的是,在图3~图11所示的实施例中,介绍是终端设备移动至新的接入管理网元(第三接入管理网元)后,旧的接入管理网元不支持网络切片鉴权功能的场景下,新的接入管理网元从指定网元获取鉴权结果的方案。在实际应用中,如果旧的接入管理网元支持网络切片鉴权功能且保存有鉴权结果(例如,第二接入管理网元支持网络切片鉴权功能),则新的接入管理网元除了可以从旧的接入管理网元获取鉴权结果(例如从第二接入管理网元获取用户上下文,用户上下文中携带鉴权结果)之外,也可以按照本申请实施例提供方法,从指定网元获取鉴权结果。It should be noted that, in the embodiments shown in FIG. 3 to FIG. 11 , it is introduced that after the terminal equipment moves to the new access management network element (third access management network element), the old access management network element does not In the scenario where the network slice authentication function is supported, the new access management network element obtains the authentication result from the specified network element. In practical applications, if the old access management network element supports the network slice authentication function and saves the authentication result (for example, the second access management network element supports the network slice authentication function), the new access management network element In addition to obtaining the authentication result from the old access management network element (for example, obtaining the user context from the second access management network element, the user context carries the authentication result), the method can also be provided according to the embodiment of the present application, Obtain the authentication result from the specified network element.
The methods provided by the embodiments of this application have been described above with reference to FIGS. 3 to 11; the apparatuses provided by the embodiments are described below with reference to FIGS. 12 to 15.
Referring to FIG. 12, based on the same technical concept, an embodiment of this application provides a slice authentication apparatus 1200, which may be, for example, the third access management network element or a chip arranged inside the third access management network element. The apparatus includes modules for performing the method performed by the third access management network element in the method embodiments shown in FIGS. 3 to 11.
By way of example, the apparatus 1200 may include:
a sending unit 1201, configured to send a first request message to a first network element after the terminal device moves from a second access management network element that does not support the network slice authentication function to the apparatus, which supports the network slice authentication function, where the first request message includes identification information of a first slice and the first slice is a slice that requires authentication; and
a receiving unit 1202, configured to receive a first response message from the first network element, where the first response message includes the authentication result corresponding to the first slice.
In a possible implementation, the first network element is a data management network element, a first slice authentication network element, or a second slice authentication network element.
In a possible implementation, the apparatus further includes a processing unit 1203. After the terminal device moves from the second access management network element to the apparatus, and before the apparatus sends the first request message to the first network element, the processing unit 1203 is configured to:
determine that the second access management network element does not support the network slice authentication function if the second access management network element is an MME of a 4G network; or
obtain the user context of the terminal device from the second access management network element and, if the user context does not contain the authentication result corresponding to the first slice, determine that the second access management network element does not support the network slice authentication function; or
obtain from the second access management network element the list of features it supports and determine from that list that the second access management network element does not support the network slice authentication function.
The dashed box in FIG. 12 indicates that the processing unit 1203 is optional for the apparatus 1200.
It should be understood that all the details of the steps in the method embodiments above apply to the functional description of the corresponding functional modules and are not repeated here.
Referring to FIG. 13, based on the same technical concept, an embodiment of this application provides a slice authentication apparatus 1300, which may be, for example, a data management network element or a chip arranged inside the data management network element. The apparatus includes modules for performing the method performed by the data management network element in the method embodiments shown in FIGS. 3 to 11.
By way of example, the apparatus 1300 may include:
a receiving unit 1301, configured to receive a request message from a third access management network element after the terminal device moves from a second access management network element that does not support the network slice authentication function to the third access management network element, which supports the network slice authentication function, where the request message includes identification information of a first slice and the first slice is a slice that requires authentication; and
a sending unit 1302, configured to send a response message to the third access management network element, where the response message includes the authentication result corresponding to the first slice.
In a possible implementation, the receiving unit 1301 is configured to receive a request message sent by a second slice authentication network element, where that request message was sent by the third access management network element to the second slice authentication network element;
and the sending unit 1302 is configured to send the response message to the second slice authentication network element, which forwards the response message to the third access management network element.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element;
the receiving unit 1301 is further configured to receive the authentication result corresponding to the first slice from the first access management network element or from a first slice authentication network element; and
the apparatus further includes a storage unit 1303, configured to store the authentication result corresponding to the first slice.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, while the terminal device is within the service area of the second access management network element:
the receiving unit 1301 is further configured to receive a first message from the first slice authentication network element or the second slice authentication network element, and the apparatus further includes a processing unit 1304 configured to change the authentication result corresponding to the first slice stored by the apparatus to authentication failure according to the first message; or
the receiving unit 1301 is further configured to receive a second message from the first slice authentication network element or the second slice authentication network element, and the apparatus further includes a processing unit 1304 configured to delete the authentication result corresponding to the first slice stored by the apparatus according to the second message.
The dashed boxes in FIG. 13 indicate that the storage unit 1303 and the processing unit 1304 are optional for the apparatus 1300.
It should be understood that all the details of the steps in the method embodiments above apply to the functional description of the corresponding functional modules and are not repeated here.
Referring to FIG. 14, based on the same technical concept, an embodiment of this application provides a slice authentication apparatus 1400, which may be, for example, a first slice authentication network element or a chip arranged inside the first slice authentication network element. The apparatus includes modules for performing the method performed by the first slice authentication network element in the method embodiments shown in FIGS. 3 to 11.
By way of example, the apparatus 1400 may include:
a receiving unit 1401, configured to receive a request message from a second slice authentication network element after the terminal device moves from a second access management network element that does not support the network slice authentication function to a third access management network element that supports the network slice authentication function, where the request message includes identification information of a first slice and the first slice is a slice that requires authentication; and
a sending unit 1402, configured to send a response message to the second slice authentication network element, where the response message includes the authentication result corresponding to the first slice.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element, and the apparatus further includes:
a storage unit 1403, configured to save the authentication result corresponding to the first slice after the authentication for the first slice completes; and
a processing unit 1404, configured to register the identifier of the apparatus with the data management network element.
In a possible implementation, before the terminal device moves from the second access management network element to the third access management network element, while the terminal device is within the service area of the second access management network element:
the receiving unit 1401 is further configured to receive an authentication withdrawal message from the AAA server, and the apparatus further includes a processing unit 1404 configured to change the stored authentication result corresponding to the first slice to authentication failure according to the authentication withdrawal message; or
the receiving unit 1401 is further configured to receive a re-authentication message from the AAA server, and the apparatus further includes a processing unit 1404 configured to delete the stored authentication result corresponding to the first slice according to the re-authentication message; or
the receiving unit 1401 is further configured to receive a third message from the second slice authentication network element, and the apparatus further includes a processing unit 1404 configured to change the stored authentication result corresponding to the first slice to authentication failure according to the third message; or
the receiving unit 1401 is further configured to receive a fourth message from the second slice authentication network element, and the apparatus further includes a processing unit 1404 configured to delete the stored authentication result corresponding to the first slice according to the fourth message.
The dashed boxes in FIG. 14 indicate that the storage unit 1403 and the processing unit 1404 are optional for the apparatus 1400.
It should be understood that all the details of the steps in the method embodiments above apply to the functional description of the corresponding functional modules and are not repeated here.
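The following is an added example, not part of the patent text and not 3GPP or vendor code: a small Python model of the result handling described for apparatuses 1200, 1300 and 1400 above. It covers the three checks by which the new access management network element decides that the old one does not support slice authentication (processing unit 1203), storage of the result at the data management network element together with registration of the slice authentication network element's identifier (units 1303, 1403, 1404), and the AAA-triggered revocation (result changed to failure) and re-authentication (result deleted). Class names, method names, the feature name "slice-authentication" and the sample user and slice identifiers are assumptions made for the illustration.

```python
"""Added example: model of slice authentication result storage, retrieval after mobility,
and AAA-triggered revocation / re-authentication. Names are illustrative assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class AuthResult(Enum):
    SUCCESS = "success"
    FAILURE = "failure"


@dataclass
class AccessManagementNE:
    """Old access management NE: a 5G AMF, or a 4G MME (an MME never supports slice authentication)."""
    name: str
    is_mme: bool = False
    features: frozenset = frozenset()                  # feature list the NE advertises (assumed format)
    user_context: dict = field(default_factory=dict)   # (user id, S-NSSAI) -> AuthResult


class DataManagementNE:
    """Data management NE: stores results and the id of the slice authentication NE that holds them."""

    def __init__(self) -> None:
        self.results = {}            # (user id, S-NSSAI) -> AuthResult
        self.auth_ne_registry = {}   # (user id, S-NSSAI) -> slice authentication NE id

    def store(self, uid: str, snssai: str, result: AuthResult) -> None:
        self.results[(uid, snssai)] = result

    def lookup(self, uid: str, snssai: str) -> Optional[AuthResult]:
        return self.results.get((uid, snssai))

    def register_auth_ne(self, uid: str, snssai: str, auth_ne_id: str) -> None:
        self.auth_ne_registry[(uid, snssai)] = auth_ne_id

    def on_first_message(self, uid: str, snssai: str) -> None:
        """Revocation: a stored result is changed to failure, so it is never mistaken for success."""
        if (uid, snssai) in self.results:
            self.results[(uid, snssai)] = AuthResult.FAILURE

    def on_second_message(self, uid: str, snssai: str) -> None:
        """Re-authentication: the stored result is deleted, so the next query must run the procedure."""
        self.results.pop((uid, snssai), None)


class SliceAuthNE:
    """First slice authentication NE: keeps its own copy and registers itself at the data management NE."""

    def __init__(self, name: str, dm: DataManagementNE) -> None:
        self.name, self.dm, self.results = name, dm, {}

    def authentication_completed(self, uid: str, snssai: str, result: AuthResult) -> None:
        self.results[(uid, snssai)] = result
        self.dm.store(uid, snssai, result)                # embodiment: result also stored at the data management NE
        self.dm.register_auth_ne(uid, snssai, self.name)  # embodiment: holder's identifier registered there

    def lookup(self, uid: str, snssai: str) -> Optional[AuthResult]:
        return self.results.get((uid, snssai))

    def on_aaa_revocation(self, uid: str, snssai: str) -> None:
        if (uid, snssai) in self.results:
            self.results[(uid, snssai)] = AuthResult.FAILURE
        self.dm.on_first_message(uid, snssai)

    def on_aaa_reauthentication(self, uid: str, snssai: str) -> None:
        self.results.pop((uid, snssai), None)
        self.dm.on_second_message(uid, snssai)


def why_old_ne_lacks_slice_auth(old: AccessManagementNE, uid: str, snssai: str) -> Optional[str]:
    """The three checks the new access management NE may apply; None means the old NE supports it."""
    if old.is_mme:
        return "old NE is a 4G MME"
    if (uid, snssai) not in old.user_context:
        return "user context carries no result for the slice"
    if "slice-authentication" not in old.features:     # feature name is an assumption
        return "feature list lacks slice authentication"
    return None


def result_after_move(old: AccessManagementNE, first_ne, uid: str, snssai: str) -> Tuple[Optional[AuthResult], str]:
    """What the new (third) access management NE obtains for the slice, and where it came from.
    first_ne is the designated network element: a DataManagementNE or a SliceAuthNE."""
    reason = why_old_ne_lacks_slice_auth(old, uid, snssai)
    if reason is None:
        return old.user_context[(uid, snssai)], "user context of the old access management NE"
    result = first_ne.lookup(uid, snssai)
    if result is None:
        return None, reason + "; nothing stored, run slice authentication"
    return result, reason + "; obtained from " + type(first_ne).__name__
```

The page distinguishes a revocation (result recorded as failure) from a re-authentication (result deleted), and the model keeps that distinction because the querying network element must act differently on the two: a stored failure denies the slice, while an absent result sends it back through the full authentication procedure. The user-context check is ordered as on the page: a context with no result for the slice is treated as "old NE does not support slice authentication", so the new NE asks the designated network element instead of assuming the slice was never required to be authenticated.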
Based on the same technical concept, referring to FIG. 15, an embodiment of this application further provides a communication apparatus 1500, including:
at least one processor 1501, and a communication interface 1503 communicatively connected to the at least one processor 1501, where the at least one processor 1501 executes instructions stored in a memory 1502 so that the apparatus performs, through the communication interface 1503, the method steps performed by any network element in the method embodiments shown in FIGS. 3 to 11.
Optionally, the memory 1502 is located outside the apparatus 1500.
Optionally, the apparatus 1500 includes the memory 1502, the memory 1502 is connected to the at least one processor 1501, and the memory 1502 stores instructions executable by the at least one processor 1501. The dashed lines in FIG. 15 indicate that the memory 1502 is optional for the apparatus 1500.
The processor 1501 and the memory 1502 may be coupled through an interface circuit or integrated together; this is not limited here.
The embodiments of this application do not limit the specific connection medium between the processor 1501, the memory 1502 and the communication interface 1503. In FIG. 15 they are connected by a bus 1504, drawn as a thick line; the connections between the other components are shown only schematically and are not limiting. The bus may comprise an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in FIG. 15, but this does not mean that there is only one bus or only one type of bus.
It should be understood that the processor mentioned in the embodiments of this application may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor that reads software code stored in a memory.
By way of example, the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor.
It should be understood that the memory mentioned in the embodiments of this application may be volatile memory, non-volatile memory, or both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), used as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM).
Note that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) may be integrated in the processor.
Note that the memory described herein is intended to include, but is not limited to, these and any other suitable types of memory.
Based on the same technical concept, an embodiment of this application further provides a computer-readable storage medium including a program or instructions which, when run on a computer, cause the method performed by any network element in the method embodiments shown in FIGS. 3 to 11 to be performed.
Based on the same technical concept, an embodiment of this application further provides a chip coupled to a memory, the chip being configured to read and execute program instructions stored in the memory so that the method performed by any network element in the method embodiments shown in FIGS. 3 to 11 is performed.
Based on the same technical concept, an embodiment of this application further provides a computer program product including instructions which, when run on a computer, cause the method performed by any network element in the method embodiments shown in FIGS. 3 to 11 to be performed.
Since the apparatus 1200, the apparatus 1300, the apparatus 1400 and the apparatus 1500 provided by the embodiments of this application can perform the methods provided by the corresponding embodiments shown in FIGS. 3 to 11, the technical effects they achieve can be found in the method embodiments above and are not repeated here.
The embodiments of this application are described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data center to another by wired (for example coaxial cable, optical fibre, digital subscriber line (DSL)) or wireless (for example infrared, radio, microwave) means. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a digital versatile disc (DVD)) or a semiconductor medium (for example a solid state disk (SSD)).
Obviously, those skilled in the art can make various changes and modifications to the embodiments of this application without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of this application and their equivalents, this application is intended to cover them as well.

Claims (30)

  1. 一种切片鉴权方法,其特征在于,包括:A method for slice authentication, comprising:
    终端设备从不支持网络切片鉴权功能的第二接入管理网元移动到支持网络切片鉴权功能的第三接入管理网元后,所述第三接入管理网元向第一网元发送第一请求消息,其中所述第一请求消息包括第一切片的标识信息,所述第一切片为需要进行鉴权的切片;After the terminal device moves from the second access management network element that does not support the network slice authentication function to the third access management network element that supports the network slice authentication function, the third access management network element sends a message to the first network element. sending a first request message, wherein the first request message includes identification information of a first slice, and the first slice is a slice that needs to be authenticated;
    所述第三接入管理网元接收来自所述第一网元的第一响应消息,所述第一响应消息包括所述第一切片对应的鉴权结果。The third access management network element receives a first response message from the first network element, where the first response message includes an authentication result corresponding to the first slice.
  2. 如权利要求1所述的方法,其特征在于,所述第一网元为数据管理网元;The method of claim 1, wherein the first network element is a data management network element;
    在所述终端设备从所述第二接入管理网元移动到所述第三接入管理网元之前,所述终端设备从支持网络切片鉴权功能的第一接入管理网元移动到所述第二接入管理网元,所述方法还包括:Before the terminal equipment moves from the second access management network element to the third access management network element, the terminal equipment moves from the first access management network element supporting the network slice authentication function to the third access management network element. The second access management network element, the method further includes:
    所述第一接入管理网元或第一切片鉴权网元将所述第一切片对应的鉴权结果储存到所述数据管理网元。The first access management network element or the first slice authentication network element stores the authentication result corresponding to the first slice in the data management network element.
  3. 如权利要求1所述的方法,其特征在于,所述第一网元为第二切片鉴权网元。The method of claim 1, wherein the first network element is a second slice authentication network element.
  4. 如权利要求3所述的方法,其特征在于,在所述第三接入管理网元向第一网元发送第一请求消息之后,所述方法还包括:The method according to claim 3, wherein after the third access management network element sends the first request message to the first network element, the method further comprises:
    所述第二切片鉴权网元向数据管理网元发送所述第一切片的标识信息;The second slice authentication network element sends the identification information of the first slice to the data management network element;
    所述第二切片鉴权网元接收来自所述数据管理网元的所述第一切片对应的鉴权结果;The second slice authentication network element receives the authentication result corresponding to the first slice from the data management network element;
    所述第二切片鉴权网元向所述第三接入管理网元发送所述第一切片对应的鉴权结果。The second slice authentication network element sends the authentication result corresponding to the first slice to the third access management network element.
  5. The method according to claim 4, wherein before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element, and the method further comprises:
    the first access management network element or a first slice authentication network element storing the authentication result corresponding to the first slice in the data management network element.
  6. The method according to claim 3, wherein after the third access management network element sends the first request message to the first network element, the method further comprises:
    the second slice authentication network element sending the identification information of the first slice to a first slice authentication network element;
    the second slice authentication network element receiving, from the first slice authentication network element, the authentication result corresponding to the first slice;
    the second slice authentication network element sending the authentication result corresponding to the first slice to the third access management network element.
  7. The method according to claim 6, wherein before the second slice authentication network element sends a third request message to the first slice authentication network element, the method further comprises:
    the second slice authentication network element sending a request message to the data management network element;
    the second slice authentication network element receiving, from the data management network element, the identifier of the first slice authentication network element;
    and the second slice authentication network element sending the third request message to the first slice authentication network element comprises:
    the second slice authentication network element sending the identification information of the first slice to the first slice authentication network element according to the identifier of the first slice authentication network element.
  8. The method according to claim 7, wherein before the terminal device moves from the second access management network element to the third access management network element, the method further comprises:
    after the authentication corresponding to the first slice is completed, the first slice authentication network element saving the authentication result corresponding to the first slice and registering the identifier of the first slice authentication network element with the data management network element.
  9. The method according to claim 1, wherein the first network element is a first slice authentication network element;
    before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element, and the method further comprises:
    the first slice authentication network element storing the authentication result corresponding to the first slice.
  10. A slice authentication method, comprising:
    after a terminal device moves from a second access management network element that does not support a network slice authentication function to a third access management network element that supports the network slice authentication function, the third access management network element sending a first request message to a first network element, wherein the first request message comprises identification information of a first slice, and the first slice is a slice that requires authentication;
    the third access management network element receiving a first response message from the first network element, wherein the first response message comprises an authentication result corresponding to the first slice.
  11. The method according to claim 10, wherein the first network element is a data management network element, a first slice authentication network element, or a second slice authentication network element.
  12. A slice authentication method, comprising:
    after a terminal device moves from a second access management network element that does not support a network slice authentication function to a third access management network element that supports the network slice authentication function, a data management network element receiving a request message from the third access management network element, wherein the request message comprises identification information of a first slice, and the first slice is a slice that requires authentication;
    the data management network element returning a response message to the third access management network element, wherein the response message comprises an authentication result corresponding to the first slice.
  13. The method according to claim 12, wherein the data management network element receiving the request message from the third access management network element comprises:
    the data management network element receiving a request message sent by a second slice authentication network element, wherein the request message sent by the second slice authentication network element is the one sent by the third access management network element to the second slice authentication network element;
    and the data management network element returning the response message to the third access management network element comprises:
    the data management network element sending the response message to the second slice authentication network element, the response message being forwarded to the third access management network element through the second slice authentication network element.
  14. The method according to claim 12, wherein before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element, and the method further comprises:
    the data management network element receiving, from the first access management network element or a first slice authentication network element, the authentication result corresponding to the first slice; and the data management network element storing the authentication result corresponding to the first slice.
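The retrieval flow of claims 10 to 14, together with the storage and registration steps of claims 5, 8 and 9 that make it possible, as an added toy model that is not part of the patent: the names UDM, NSSAAF and AMF are assumed stand-ins for the claims' data management, slice authentication and access management network elements, and every identifier is constructed. The model shows why the third access management network element can obtain the existing result from any of the three candidate first network elements without re-running slice authentication.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

Key = tuple  # (UE identifier, slice identifier); both are constructed strings


@dataclass
class UDM:
    """Data management network element: keeps a copy of each authentication
    result (claims 5, 12, 14) and records which NSSAAF produced it (claim 8)."""
    results: dict = field(default_factory=dict)
    nssaaf_of: dict = field(default_factory=dict)

    def store_result(self, key: Key, result: str) -> None:
        self.results[key] = result

    def register_nssaaf(self, key: Key, nssaaf_name: str) -> None:
        self.nssaaf_of[key] = nssaaf_name

    def handle_request(self, key: Key) -> dict:
        # Response message carrying the stored result; None = never authenticated.
        return {"slice": key[1], "result": self.results.get(key)}


@dataclass
class NSSAAF:
    """Slice authentication network element (assumed name, not from the claims)."""
    name: str
    udm: UDM
    peers: dict                      # reachable NSSAAFs by name
    local: dict = field(default_factory=dict)

    def run_authentication(self, key: Key, credentials_ok: bool) -> str:
        """Initial slice authentication while the UE is at the first AMF."""
        result = "ALLOWED" if credentials_ok else "REJECTED"
        self.local[key] = result                  # claim 9: kept locally
        self.udm.store_result(key, result)        # claim 5: copy in the UDM
        self.udm.register_nssaaf(key, self.name)  # claim 8: register own id
        return result

    def handle_request(self, key: Key) -> dict:
        """Serve the third AMF's request (claims 6, 7, 11 and 13)."""
        if key in self.local:                     # we authenticated this slice
            return {"slice": key[1], "result": self.local[key]}
        owner = self.udm.nssaaf_of.get(key)       # claim 7: ask the UDM who did
        if owner in self.peers and owner != self.name:
            return self.peers[owner].handle_request(key)  # claim 6: forward
        return self.udm.handle_request(key)       # claim 13: relay via the UDM


@dataclass
class AMF:
    """Access management network element; supports_nssaa distinguishes the
    second (unsupported) and third (supported) AMFs of claim 10."""
    name: str
    supports_nssaa: bool

    def on_ue_arrival(self, key: Key, first_ne) -> Optional[str]:
        if not self.supports_nssaa:
            return None           # second AMF: result stays where it was stored
        response = first_ne.handle_request(key)   # first request / first response
        return response["result"]


def simulate(first_ne_choice: str, credentials_ok: bool = True) -> Optional[str]:
    """UE path: AMF-1 (NSSAA) -> AMF-2 (no NSSAA) -> AMF-3 (NSSAA, fetches)."""
    udm = UDM()
    peers: dict = {}
    nssaaf1 = NSSAAF("NSSAAF-1", udm, peers)
    nssaaf2 = NSSAAF("NSSAAF-2", udm, peers)
    peers.update({nssaaf1.name: nssaaf1, nssaaf2.name: nssaaf2})
    amf2, amf3 = AMF("AMF-2", False), AMF("AMF-3", True)
    key: Key = ("ue-constructed-001", "snssai-constructed-1")  # constructed ids
    nssaaf1.run_authentication(key, credentials_ok)   # done while at AMF-1
    assert amf2.on_ue_arrival(key, udm) is None        # AMF-2 cannot re-run it
    first_ne = {"udm": udm, "nssaaf1": nssaaf1, "nssaaf2": nssaaf2}[first_ne_choice]
    return amf3.on_ue_arrival(key, first_ne)           # no re-authentication
```

Calling `simulate("udm")`, `simulate("nssaaf1")` or `simulate("nssaaf2")` returns the same stored result, which is the point of claim 11; a slice never authenticated yields `None`, so a real implementation would fall back to running authentication rather than treating the absence of a record as a pass.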
  15. A slice authentication system, comprising: a terminal device, a second access management network element that does not support a network slice authentication function, a third access management network element that supports the network slice authentication function, and a first network element;
    wherein the third access management network element is configured to: after the terminal device moves from the second access management network element to the third access management network element, send a first request message to the first network element, wherein the first request message comprises identification information of a first slice, and the first slice is a slice that requires authentication;
    the first network element is configured to: receive the first request message and send a first response message to the third access management network element, wherein the first response message comprises an authentication result corresponding to the first slice;
    the third access management network element is further configured to: receive the first response message from the first network element.
  16. The system according to claim 15, wherein the first network element is a data management network element, and the system further comprises a first access management network element and a first slice authentication network element; before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from the first access management network element, which supports the network slice authentication function, to the second access management network element;
    the first access management network element or the first slice authentication network element is configured to: store the authentication result corresponding to the first slice in the data management network element.
  17. The system according to claim 15, wherein the first network element is a second slice authentication network element.
  18. The system according to claim 17, wherein the second slice authentication network element is configured to: after the third access management network element sends the first request message to the first network element, send the identification information of the first slice to a data management network element; receive, from the data management network element, the authentication result corresponding to the first slice; and send the authentication result corresponding to the first slice to the third access management network element.
  19. The system according to claim 18, wherein the system further comprises a first access management network element and a first slice authentication network element; before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from the first access management network element, which supports the network slice authentication function, to the second access management network element;
    the first access management network element or the first slice authentication network element is configured to: store the authentication result corresponding to the first slice in the data management network element.
  20. The system according to claim 17, wherein the system further comprises a first slice authentication network element;
    the second slice authentication network element is configured to: after the third access management network element sends the first request message to the first network element, send the identification information of the first slice to the first slice authentication network element;
    the first slice authentication network element is configured to: receive the identification information of the first slice from the second slice authentication network element, and send the authentication result corresponding to the first slice to the second slice authentication network element;
    the second slice authentication network element is further configured to: receive, from the first slice authentication network element, the authentication result corresponding to the first slice, and send the authentication result corresponding to the first slice to the third access management network element.
  21. The system according to claim 20, wherein the second slice authentication network element is further configured to: before sending a third request message to the first slice authentication network element, send a request message to a data management network element, and receive, from the data management network element, the identifier of the first slice authentication network element;
    when sending the third request message to the first slice authentication network element, the second slice authentication network element is specifically configured to: send the identification information of the first slice to the first slice authentication network element according to the identifier of the first slice authentication network element.
  22. The system according to claim 21, wherein the first slice authentication network element is further configured to: before the terminal device moves from the second access management network element to the third access management network element and after the authentication corresponding to the first slice is completed, save the authentication result corresponding to the first slice and register the identifier of the first slice authentication network element with the data management network element.
  23. The system according to claim 15, wherein the first network element is a first slice authentication network element; before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element;
    the first slice authentication network element is further configured to: store the authentication result corresponding to the first slice.
  24. A slice authentication apparatus, comprising:
    a sending unit, configured to: after a terminal device moves from a second access management network element that does not support a network slice authentication function to the apparatus, which supports the network slice authentication function, send a first request message to a first network element, wherein the first request message comprises identification information of a first slice, and the first slice is a slice that requires authentication;
    a receiving unit, configured to receive a first response message from the first network element, wherein the first response message comprises an authentication result corresponding to the first slice.
  25. The apparatus according to claim 24, wherein the first network element is a data management network element, a first slice authentication network element, or a second slice authentication network element.
  26. A slice authentication apparatus, comprising:
    a receiving unit, configured to: after a terminal device moves from a second access management network element that does not support a network slice authentication function to a third access management network element that supports the network slice authentication function, receive a request message from the third access management network element, wherein the request message comprises identification information of a first slice, and the first slice is a slice that requires authentication;
    a sending unit, configured to send a response message to the third access management network element, wherein the response message comprises an authentication result corresponding to the first slice.
  27. The apparatus according to claim 26, wherein the receiving unit is configured to: receive a request message sent by a second slice authentication network element, wherein the request message sent by the second slice authentication network element is the one sent by the third access management network element to the second slice authentication network element;
    the sending unit is configured to: send a response message to the second slice authentication network element, the response message being forwarded to the third access management network element through the second slice authentication network element.
  28. The apparatus according to claim 26, wherein before the terminal device moves from the second access management network element to the third access management network element, the terminal device moves from a first access management network element that supports the network slice authentication function to the second access management network element;
    the receiving unit is further configured to: receive, from the first access management network element or a first slice authentication network element, the authentication result corresponding to the first slice;
    the apparatus further comprises a storage unit, configured to store the authentication result corresponding to the first slice.
  29. A communication apparatus, comprising:
    at least one processor; and a memory and a communication interface communicatively connected to the at least one processor;
    wherein the memory stores instructions executable by the at least one processor, and the at least one processor, by executing the instructions stored in the memory, causes the apparatus to perform, through the communication interface, the method according to any one of claims 10 to 11 or 12 to 14.
  30. A computer-readable storage medium, comprising a program or instructions which, when run on a computer, cause the method according to any one of claims 10 to 11 or 12 to 14 to be performed.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010791231.4A CN114095925A (en) 2020-08-07 2020-08-07 Slice authentication method and corresponding device
CN202010791231.4 2020-08-07

Publications (1)

Publication Number Publication Date
WO2022028030A1 true WO2022028030A1 (en) 2022-02-10

Family

ID=80116978

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/093587 WO2022028030A1 (en) 2020-08-07 2021-05-13 Slice authentication method and corresponding apparatus

Country Status (2)

Country Link
CN (1) CN114095925A (en)
WO (1) WO2022028030A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109413702A (en) * 2017-08-16 2019-03-01 中国移动通信有限公司研究院 A kind of method for switching network, device and core net
CN110876174A (en) * 2018-08-31 2020-03-10 华为技术有限公司 Network slice selection method, equipment and system
CN111182543A (en) * 2018-11-12 2020-05-19 华为技术有限公司 Method and device for switching network
CN111328112A (en) * 2018-12-14 2020-06-23 华为技术有限公司 Method, device and system for isolating security context

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAWEI, HISILICON: "Content in Slicing Clause X.X.2", 3GPP draft S3-194045, 3GPP SA WG3, meeting in Reno, US, 18-22 November 2019, dated 11 November 2019, XP051824361 *

Also Published As

Publication number Publication date
CN114095925A (en) 2022-02-25

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 21853310; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 21853310; country of ref document: EP; kind code of ref document: A1)