WO2022165745A1

WO2022165745A1 - Data configuration method and apparatus, system, and storage medium

Info

Publication number: WO2022165745A1
Application number: PCT/CN2021/075493
Authority: WO
Inventors: 王亚鑫; 李岩
Original assignee: 华为技术有限公司
Priority date: 2021-02-05
Filing date: 2021-02-05
Publication date: 2022-08-11

Abstract

The present application relates to the technical field of communications, and in particular, to a data configuration method and apparatus, a system, and a storage medium. The method is used in a network device. The method comprises: sending first information to a local security gateway, the first information being used for acquiring address information of the local security gateway; and receiving the address information of the local security gateway, the address information of the local security gateway being routing destination address information configured for a first PSA and used for transmitting data from a UE, the first PSA being a PSA after a DNAI in the UE changes. According to embodiments of the present application, in the change process of a DNAI, an information exchange process of a local security gateway and a network device is designed, and related configuration in a ULCL insertion process is implemented, so that the subsequent ULCL insertion process can be completed normally after the local security gateway is introduced, thereby ensuring the reliability of data transmission.

Description

Data configuration method, device, system and storage medium

technical field

The present application relates to the field of communication technologies, and in particular, to a data configuration method, apparatus, system, and storage medium.

Background technique

In the related art, the data network access identifier (Data Network Access Identifier, DNAI) transformation in the multi-access edge computing (Multi-access Edge Computing, MEC) scenario mainly includes the following processes: application function (Application Function, AF) to Influence process of service routing, Uplink classifier (ULCL) insertion process and AF device notification process.

Based on the methods in the related art, in the MEC scenario, the connection and path adjustment of the MEC server are mainly realized by the relevant process of the influence process of the AF device on the service routing. First, the AF device controls the network element (Policy Control Function, PCF) through the policy. The device provides the Session Management Function (SMF) device with DNAI available for related applications (that is, the access network entity where the MEC server is located), and the SMF device moves or detects the corresponding data flow due to the user equipment (User Equipment, UE). Then, trigger the new protocol data unit session anchor (PDU session anchor, PSA)/ULCL insertion process, after selecting the corresponding PSA/ULCL, notify the AF device of the DNAI change, and obtain the PSA/ULCL through the reply information of the AF device Required N6 configuration options and related routing rules, and then configure the new PSA/ULCL.

In the scenario in the related art, after adding an additional security gateway, the devices that establish connections with the MEC server and the updated PSA need to be modified to be security gateways, resulting in the problem that the subsequent inserting ULCL process cannot be completed normally.

SUMMARY OF THE INVENTION

In view of this, a data configuration method, device, system and storage medium are proposed. The embodiments of the present application provide a data configuration method, device, system, and storage medium. By designing the information exchange process between the local security gateway and the network device in the process of DNAI change, the related configuration inserted into the ULCL process is realized, Therefore, after the introduction of the local security gateway, the subsequent inserting ULCL process can be completed normally, which ensures the reliability of data transmission.

In a first aspect, an embodiment of the present application provides a data configuration method for use in a network device, the method comprising:

sending first information to the local security gateway, where the first information is used to obtain address information of the local security gateway;

The address information of the local security gateway is received, where the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the UE, and the first PSA is the PSA after the UE has changed its DNAI.

In this implementation manner, a data configuration method is provided. After the network device sends the first information for obtaining the address information of the local security gateway to the local security gateway, the network device receives the address information of the local security gateway, the address of the local security gateway. The information is configured for the first PSA, that is, the PSA after the UE has undergone DNAI change, and provides the routing destination address information for transmitting data from the UE; that is, in the process of DNAI change, the information of the local security gateway and network equipment is designed. The interaction process realizes the relevant configuration in the insertion ULCL process, so that the subsequent insertion ULCL process can be completed normally after the introduction of the local security gateway, and the reliability of data transmission is ensured.

With reference to the first aspect, in a first possible implementation manner of the first aspect, the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.

In this implementation manner, the first information sent by the network device to the local security gateway includes routing path information of the MEC server, which is used to configure the connection between the local security gateway and the MEC server, so as to realize the connection between the local security gateway and the MEC server. establishment of the pathway.

In combination with the first possible implementation manner of the first aspect, in the second possible implementation manner of the first aspect, the method further includes:

First response information corresponding to the first information fed back by the local security gateway is received, where the first response information is used to indicate that the connection establishment between the local security gateway and the MEC server is completed, and the first response information includes uplink tunnel information of the local security gateway.

In this implementation manner, after the connection between the local security gateway and the MEC server is established, the network device receives the first response information corresponding to the first information fed back by the local security gateway, so that the network device determines the relationship between the local security gateway and the MEC server. The establishment of the connection between the two is completed, and the uplink tunnel information of the local security gateway is obtained from the first response information.

With reference to the first aspect, in a third possible implementation manner of the first aspect, the method further includes:

Send update information to the local security gateway, where the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.

In this implementation manner, the network device sends the update information including the downlink tunnel information of the first PSA to the local security gateway, which is used to configure the downlink tunnel between the local security gateway and the first PSA, thereby realizing the establishment during the ULCL insertion process Pathway of the first PSA to the local security gateway.

With reference to the third possible implementation manner of the first aspect, in the fourth possible implementation manner of the first aspect, the method further includes:

Second response information corresponding to the update information fed back by the local security gateway is received, where the second response information is used to indicate that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.

In this implementation manner, the network device receives the second response information corresponding to the update information fed back by the local security gateway, so that the network device determines that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.

With reference to the first aspect and any one of the possible implementation manners of the first to fourth possible implementation manners of the first aspect, in a fifth possible implementation manner of the first aspect, the network device includes a The gateway establishes a centralized security gateway with communication connections.

In this implementation, the security gateway is divided into a centralized security gateway and a local security gateway, and the message transmission between the two gateways is designed to enhance the function of the centralized security gateway and realize the security in the ULCL insertion process in the MEC scenario. The relevant configuration of the gateway is almost unchanged to the UE.

With reference to the fifth possible implementation manner of the first aspect, in the sixth possible implementation manner of the first aspect, before the centralized security gateway sends the first information to the local security gateway, the method further includes:

Subscribe DNAI change notification events to SMF devices;

The local security gateway is selected upon receiving the first DNAI change notification from the SMF device.

In this implementation, the centralized security gateway subscribes the DNAI change notification event to the SMF device, so as to select the local security gateway when receiving the first DNAI change notification from the SMF device, thus realizing the function of the centralized security gateway as a proxy network element .

With reference to the sixth possible implementation manner of the first aspect, in the seventh possible implementation manner of the first aspect, the first DNAI change notification includes the changed DNAI and the security link SA of the path to be changed, and the method further includes:

According to the changed DNAI and the SA of the path to be changed, query the application of the path to be changed;

According to the queried application, send an AF notification to the corresponding AF device, and the AF notification is used to indicate DNAI changes;

Receive the routing path information of the MEC server fed back by the AF device.

In this implementation manner, the centralized security gateway, as a proxy network element, undertakes the function of interacting with the AF device and performing the connection configuration of the MEC server.

With reference to the sixth possible implementation manner of the first aspect, in the eighth possible implementation manner of the first aspect, the method further includes:

After receiving the first response information corresponding to the first information fed back by the local security gateway, feeding back the fourth response information corresponding to the first DNAI change notification to the SMF device;

Wherein, both the first response information and the fourth response message include uplink tunnel information of the local security gateway, and both the first response information and the fourth response message are used to indicate that the connection establishment between the local security gateway and the MEC server is completed.

In this implementation manner, after receiving the first response information corresponding to the first information fed back by the local security gateway, the centralized security gateway feeds back the fourth response information corresponding to the first DNAI change notification to the SMF device, and cooperates with the SMF device to construct a local The path from the security gateway to the MEC server.

With reference to the sixth possible implementation manner of the first aspect, in the ninth possible implementation manner of the first aspect, before sending the update information to the local security gateway, the method further includes:

A second DNAI change notification from the SMF device is received, where the second DNAI change notification includes downlink tunnel information of the first PSA.

In this implementation manner, after receiving the second DNAI change notification from the SMF device, the centralized security gateway sends update information to the local security gateway to configure the downlink tunnel between the local security gateway and the first PSA.

With reference to the ninth possible implementation manner of the first aspect, in the tenth possible implementation manner of the first aspect, the method further includes:

After receiving the second response information corresponding to the update information fed back by the local security gateway, feeding back the fifth response information corresponding to the second DNAI change notification to the SMF device;

The second response information and the fifth response information are both used to indicate that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.

In this implementation manner, after receiving the second response information corresponding to the update information fed back by the local security gateway, the centralized security gateway feeds back the fifth response information corresponding to the second DNAI change notification to the SMF device, and cooperates with the SMF device to construct local security The pathway between the gateway and the first PSA.

With reference to any one of the sixth to tenth possible implementations of the first aspect, in the eleventh possible implementation of the first aspect, the centralized security gateway establishes an IKE relationship with the UE. SA, the method also includes:

After sending the first sub-SA establishment request to the local security gateway, receive the first sub-SA establishment response fed back by the local security gateway;

After sending the second sub-SA establishment request to the UE, receive the second sub-SA establishment response fed back by the UE;

The context information of the sub-SA sent to the local security gateway, where the context information of the sub-SA is used to configure the sub-SA for transmitting user plane data between the UE and the local security gateway;

The third response information corresponding to the context information of the sub-SA fed back by the local security gateway is received, and the third response message is used to indicate that the establishment of the sub-SA is completed.

In this implementation, the centralized security gateway acts as a proxy for the local security gateway to establish a sub-SA with the UE for user plane data transmission, and sends the context information of the corresponding sub-SA to the local security gateway, so that in the centralized security gateway scenario Next, the establishment of a sub-SA for transmitting user plane data between the UE and the local security gateway is implemented.

With reference to the eleventh possible implementation manner of the first aspect, in the twelfth possible implementation manner of the first aspect,

The first sub-SA establishment request includes the first data characteristic of the data to be encrypted and transmitted and the corresponding first SA;

The first sub-SA establishment response includes the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway;

The second sub-SA establishment request includes the second data characteristic, the second SA, the key generation material of the local security gateway, and the random number of the local security gateway;

The second sub-SA establishment response includes the confirmed third data feature, the corresponding third SA, the key generation material of the UE, and the random number of the UE.

In this implementation, in the process of establishing a sub-SA for user plane data transmission between the centralized security gateway and the UE as a proxy for the local security gateway, the first sub-SA establishment request, the first sub-SA establishment response, the second sub-SA The information exchange of the establishment request and the establishment response of the second sub SA, so that the local security gateway and the UE respectively determine the data flow characteristic information, such as the above-mentioned first data characteristic, second data characteristic, and third data characteristic, so as to realize the information on the local security gateway. The establishment of a sub-SA with the UE.

With reference to the eleventh possible implementation manner of the first aspect, in the thirteenth possible implementation manner of the first aspect, the third response information includes a data packet detection rule and a forwarding action rule corresponding to the data flow feature information, and the Methods also include:

Send third notification information to the SMF device, where the third notification information includes data packet detection rules and forwarding action rules.

In this implementation, due to the use of the transmission mode, the destination IP address of the uplink data packet and the source IP address of the downlink data packet are not the local security gateway, so the centralized security gateway needs to report to the SMF device the sub-SA of the local security gateway. and reconfigure the ULCL to ensure the normal forwarding of the corresponding data packets through the local security gateway.

With reference to the first aspect and any one of the possible implementation manners of the first to fourth possible implementation manners of the first aspect, in the fourteenth possible implementation manner of the first aspect, the network device includes a The security gateway establishes a communication connection with the SMF device.

In this implementation manner, the data configuration method provided by the embodiment of the present application is applied to the distributed security gateway scenario, and the ULCL insertion in the distributed security gateway scenario is realized through the information exchange process between the local security gateway and the SMF device. The relevant configuration of the security gateway in the process.

With reference to the fourteenth possible implementation manner of the first aspect, in the fifteenth possible implementation manner of the first aspect, the method further includes:

The first notification information sent by the local security gateway is received, where the first notification information is used to indicate that the establishment of the Internet Key Exchange (Internet Key Exchange, IKE) between the UE and the local security gateway is completed.

In this implementation, the SMF device receives the first notification information sent by the local security gateway, so that the SMF device determines that the establishment of the IKE SA between the UE and the local security gateway is complete.

With reference to the fifteenth possible implementation manner of the first aspect, in the sixteenth possible implementation manner of the first aspect, the method further includes:

Send a user plane SA establishment request to the local security gateway, where the user plane SA establishment request includes service detection rules;

Receive second notification information fed back by the local security gateway, where the second notification information is used to indicate that the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed, and the second notification information includes data packets corresponding to data flow feature information Detection rules and forwarding action rules.

In this implementation, the SMF device instructs the local security gateway to establish a sub-SA for user plane transmission with the UE by providing service detection rules to the local security gateway, thereby saving the NAS signaling overhead sent to the UE and ensuring local security. Efficiency of gateway and UE establishing sub-SA.

With reference to the fifteenth possible implementation manner of the first aspect, in the seventeenth possible implementation manner of the first aspect, the method further includes:

In this implementation manner, the SMF device receives the second notification information fed back by the local security gateway, so that the SMF device determines that the establishment of the sub-SA between the UE and the local security gateway for user plane data transmission is completed, and determines the corresponding data flow characteristic information. Packet inspection rules and forwarding action rules.

With reference to the fifteenth possible implementation manner of the first aspect, in the eighteenth possible implementation manner of the first aspect, the method further includes:

After inserting the ULCL or branch point (Branch Point, BP), a NAS message is sent to the UE through the AMF device, and the NAS message includes the address of the local security gateway.

In this implementation, the NAS message is enhanced, the SMF device sends the NAS message to the UE through the AMF device, and the NAS message includes the address of the local security gateway, so that the UE and the local security gateway are used for user plane data transmission. The establishment of the sub-SA is initiated by the UE, which saves the signaling interaction between the SMF device and the local security gateway.

With reference to the fifteenth possible implementation manner of the first aspect, in the nineteenth possible implementation manner of the first aspect, the NAS message includes a service detection rule for a service data packet that needs to be transmitted from the local security gateway.

In this implementation, the SMF device can control the local security gateway, and notify the UE of the service detection rules of the service data packets that need to be transmitted from the local security gateway through the NAS message, so that the connection between the UE and the local security gateway is used for the user plane. The establishment of the sub-SA for data transmission is initiated by the UE, which further saves the signaling interaction between the SMF device and the local security gateway.

In a second aspect, the embodiments of the present application provide a data configuration method for use in a local security gateway, the method comprising:

receiving first information, where the first information is used to obtain address information of the local security gateway;

The address information of the local security gateway is sent, where the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the user equipment UE, and the first PSA is the PSA after the UE has a DNAI change.

With reference to the second aspect, in a first possible implementation manner of the second aspect, the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.

With reference to the first possible implementation manner of the second aspect, in the second possible implementation manner of the second aspect, the method further includes:

After the connection between the local security gateway and the MEC server is established, the first response information corresponding to the first information is fed back, and the first response information includes uplink tunnel information of the local security gateway.

With reference to the first possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the method further includes:

Update information is received, where the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.

With reference to the third possible implementation manner of the second aspect, in the fourth possible implementation manner of the second aspect, the method further includes:

After the establishment of the downlink tunnel between the local security gateway and the first PSA is completed, the second response information corresponding to the update information is fed back.

In combination with the second aspect and any one of the first to fourth possible implementations, in a fifth possible implementation of the second aspect, the local security gateway and the centralized security gateway establish communication connection, the method further includes:

After receiving the first sub-SA establishment request sent by the centralized security gateway, feeding back the first sub-SA establishment response to the centralized security gateway;

receiving the context information of the sub-SA sent by the centralized security gateway, where the context information of the sub-SA is used to configure the sub-SA used for transmitting user plane data between the user equipment UE and the local security gateway;

After the establishment of the sub-SA is completed, the third response information corresponding to the context information of the sub-SA is fed back to the centralized security gateway.

With reference to the fifth possible implementation manner of the second aspect, in the sixth possible implementation manner of the second aspect, the first sub-SA establishment request includes the first data feature of the data to be encrypted and transmitted and the corresponding first SA , the first sub-SA establishment response includes the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway.

In combination with the second aspect and any one of the first to fourth possible implementations, in a seventh possible implementation of the second aspect, the local security gateway and the session management function SMF device establish a communication connection, the method further includes:

After the establishment of the IKE SA between the UE and the local security gateway is completed, the first notification information is sent to the SMF device.

With reference to the seventh possible implementation manner of the second aspect, in the eighth possible implementation manner of the second aspect, the method further includes:

Receive a user plane SA establishment request sent by the SMF device, and the user plane SA establishment request includes a service detection rule;

According to the service detection rule, the corresponding data flow feature information is generated, and a sub-SA for user plane data transmission between the UE and the local security gateway is established;

After the establishment of the sub-SA is completed, the second notification information is fed back to the SMF device, where the second notification information includes the data packet detection rule and the forwarding action rule corresponding to the data flow characteristic information.

With reference to the seventh possible implementation manner of the second aspect, in the ninth possible implementation manner of the second aspect, the method further includes:

After the establishment of the sub-SA between the UE and the local security gateway for user plane data transmission is completed, second notification information is fed back to the SMF device, where the second notification information includes data packet detection rules and forwarding action rules corresponding to data flow feature information.

In a third aspect, an embodiment of the present application provides a data configuration method, which is used in a data configuration system, where the data configuration system includes a local security gateway and a network device that establishes a communication connection with the local security gateway, and the method includes:

The network device sends first information to the local security gateway, where the first information is used to obtain address information of the local security gateway;

After receiving the first information, the local security gateway sends the address information of the local security gateway. The address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the UE. The first PSA occurs for the UE. PSA after DNAI changes;

The network device receives the address information of the local security gateway.

In a fourth aspect, embodiments of the present application provide a data configuration apparatus for use in a network device, the apparatus comprising: a processor; a memory for storing instructions executable by the processor; wherein the processor is configured to execute the instructions When implementing the data configuration method provided by the first aspect or any one of the possible implementation manners of the first aspect.

In a fifth aspect, embodiments of the present application provide a data configuration apparatus for use in a local security gateway, the apparatus comprising: a processor; a memory for storing instructions executable by the processor; wherein the processor is configured to execute The data configuration method provided by the second aspect or any one of the possible implementation manners of the second aspect is implemented when the instruction is executed.

In a sixth aspect, an embodiment of the present application provides a data configuration apparatus, the apparatus includes at least one unit, and the at least one unit is configured to implement the first aspect or any one of the possible implementations of the first aspect. Data configuration method.

In a seventh aspect, an embodiment of the present application provides a data configuration apparatus, the apparatus includes at least one unit, and the at least one unit is configured to implement the second aspect or any one of the possible implementations of the second aspect. Data configuration method.

In an eighth aspect, embodiments of the present application provide a computer program product, comprising computer-readable codes, or a non-volatile computer-readable storage medium carrying computer-readable codes, when the computer-readable codes are stored in an electronic device When running, the processor in the electronic device executes the data configuration method provided by the first aspect or any one of the possible implementation manners of the first aspect.

In a ninth aspect, embodiments of the present application provide a computer program product, comprising computer-readable codes, or a non-volatile computer-readable storage medium carrying computer-readable codes, when the computer-readable codes are stored in an electronic device When running, the processor in the electronic device executes the data configuration method provided by the second aspect or any one of the possible implementation manners of the second aspect.

In a tenth aspect, embodiments of the present application provide a non-volatile computer-readable storage medium on which computer program instructions are stored, and when the computer program instructions are executed by a processor, the first aspect or the first aspect is implemented. The data configuration method provided by any possible implementation.

In an eleventh aspect, embodiments of the present application provide a non-volatile computer-readable storage medium, on which computer program instructions are stored, and when the computer program instructions are executed by a processor, the second aspect or the second aspect is implemented The data configuration method provided by any of the possible implementations.

In a twelfth aspect, an embodiment of the present application provides a data configuration system, where the data configuration system includes a local security gateway and a network device that establishes a communication connection with the local security gateway:

The network device includes the data configuration device according to the fourth aspect, the local security gateway includes the data configuration device according to the fifth aspect; or, the network device includes the data configuration device according to the sixth aspect, and the local security gateway includes The data configuration apparatus according to the above seventh aspect.

Description of drawings

FIG. 1 shows a schematic structural diagram of an IPSec protocol system.

Figure 2 shows a schematic diagram of a gateway architecture deploying a security gateway between a UPF device and a DN.

FIG. 3 shows a flowchart of a process of AF influencing service routing in the related art.

FIG. 4 shows a flowchart of a ULCL insertion process in the related art.

FIG. 5 shows a flowchart of an AF device notification process in the related art.

FIG. 6 shows a schematic structural diagram of a data configuration system provided by an exemplary embodiment of the present application.

FIG. 7 shows a flowchart of a data configuration method provided by an exemplary embodiment of the present application.

FIG. 8 shows a schematic structural diagram of a centralized security gateway scenario provided by an exemplary embodiment of the present application.

FIG. 9 shows a schematic structural diagram of a distributed security gateway scenario provided by an exemplary embodiment of the present application.

FIG. 10 shows a flowchart of a data configuration method provided by an exemplary embodiment of the present application.

FIG. 11 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.

FIG. 12 shows a schematic diagram of the principle of a data configuration method provided by another exemplary embodiment of the present application.

FIG. 13 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.

FIG. 14 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.

FIG. 15 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.

FIG. 16 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.

FIG. 17 shows a schematic diagram of the principle of a data configuration method provided by another exemplary embodiment of the present application.

FIG. 18 shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application.

FIG. 19 shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application.

FIG. 20 shows a schematic structural diagram of a network device provided by an exemplary embodiment of the present application.

FIG. 21 shows a schematic structural diagram of a local security gateway provided by an exemplary embodiment of the present application.

Detailed ways

Various exemplary embodiments, features and aspects of the present application will be described in detail below with reference to the accompanying drawings. The same reference numbers in the figures denote elements that have the same or similar functions. While various aspects of the embodiments are shown in the drawings, the drawings are not necessarily drawn to scale unless otherwise indicated.

In this embodiment of the present application, "/" may indicate that the objects associated before and after are an "or" relationship, for example, A/B may indicate A or B; "and/or" may be used to describe that there are three types of associated objects A relationship, for example, A and/or B, can mean that A exists alone, A and B exist at the same time, and B exists alone, where A and B can be singular or plural. In order to facilitate the description of the technical solutions of the embodiments of the present application, in the embodiments of the present application, words such as "first" and "second" may be used to distinguish technical features with the same or similar functions. The words "first", "second" and the like do not limit the quantity and execution order, and the words "first", "second" and the like do not limit the difference. In the embodiments of the present application, words such as "exemplary" or "for example" are used to represent examples, illustrations or illustrations, and any embodiment or design solution described as "exemplary" or "for example" should not be construed are preferred or advantageous over other embodiments or designs. The use of words such as "exemplary" or "such as" is intended to present the relevant concepts in a specific manner to facilitate understanding.

In the embodiments of the present application, for a technical feature, the technical feature is distinguished by "first", "second", "third", "A", "B", "C" and "D", etc. The technical features described in the "first", "second", "third", "A", "B", "C" and "D" described technical features in no order or order of magnitude.

In addition, in order to better illustrate the present application, numerous specific details are given in the following detailed description. It should be understood by those skilled in the art that the present application may be practiced without certain specific details. In some instances, methods, means, components and circuits well known to those skilled in the art have not been described in detail so as not to obscure the subject matter of the present application.

First, some terms involved in the embodiments of the present application are introduced.

1. 5th Generation Mobile Networks (5G) system architecture: including access network and core network.

The access network is used to implement functions related to wireless access. The core network includes but is not limited to the following logical network elements: radio access network (Radio Access Network, (R)AN), access and mobility management function (Access and Mobility Management Function, AMF) equipment, session management function (Session Management Function, SMF) equipment, User Plane Function (UPF) equipment, Policy Control Function (Policy Control Function) equipment, Unified Data Management (Unified Data Management, UDM) equipment.

User Equipment (UE) is a network terminal device, such as a mobile phone, an Internet of Things terminal device, and the like. Base station (Radio Access Network, RAN) equipment provides wireless access equipment for UE, including but not limited to eNodeB, WiFi AP, WiMAX BS, etc. The AMF device is used for mobility management in the mobile network, such as user location update, user registration network, user handover, etc. The SMF device is used for session management in the mobile network, such as session establishment, modification, and release. Specific functions include assigning IP addresses to users and selecting UPF devices that provide packet forwarding functions. The PCF device is responsible for providing policies, such as QoS policies, slice selection policies, and the like, to the AMF device and the SMF device. The UDM device is used to store user data, such as subscription information and authentication/authorization information. The AF device is responsible for providing services to the 3GPP network, such as affecting service routing, interacting with the PCF device for policy control, and the like. The UPF device is used to process user packets, such as forwarding and accounting. A data network (DN, Data Network) is a network used to provide users with data transmission services, such as IP Multi-media Service (IMS), Internet, and so on. The UE accesses the DN by establishing a session (PDU session) between the UE to the RAN to the UPF device to the DN.

2. Internet Protocol Security (IPSec) protocol: realizes security protection at the IP layer and provides protection for the transmission of sensitive data in an insecure network environment. The two communicating parties perform encryption and data source authentication at the IP layer to ensure the confidentiality of data packets, data consistency, data source authentication and anti-replay during network transmission.

The security services provided by IPSec include: (1) Data source authentication: peer-to-peer identity authentication, non-repudiation; (2) Integrity protection: to ensure that data is not tampered with during transmission; (3) Confidentiality: for transmission (4) Replay protection: refuse to receive old or duplicate messages.

Security Association (SA): It is an agreement established by two communication entities through negotiation to create a one-way logical connection for security purposes. All data flows passing through the same SA will receive the same security service, which determines the use of IPSec protocol to protect data packet security, key and key validity time, etc. SA is the foundation that constitutes IPSec. SAs are unidirectional (inbound and outbound) and "protocol dependent", requiring one SA for each security protocol (AH and ESP).

Security Association Database (SAD): A storage structure for storing all state data associated with SA.

Security Parameter Index (SPI): A 32-bit value used to find SA. SPI, IP destination address, and security protocol number are combined to form a triplet, which is used to uniquely identify a specific SA.

Security policy (security policy, SP): Configured by the user, it decides what kind of protection to provide for IP data packets, and in what way to implement the protection. SP attributes include protected data flow (ACL), security proposal (encapsulation mode, security protocol, encryption and authentication algorithm), key configuration method, local/peer IP address of the secure tunnel, IKE peer, etc.

Security policy database (SPD): Usually an ordered structure that uses access control lists to describe data flow characteristics. The interfaces that define the way data flows and security services are implementation-dependent. When an IP packet is received or is about to be sent, the first thing to do is to look up the SPD to decide what to do with it. There are 3 possible processing methods: drop, not use IPSec and use IPSec.

How IPSec works: IPSec provides security services based on policy rules defined by SPD, and these rules are added by administrators or applications. There are three processing methods when data packets pass through IPSec entities: IPSec protection, discarding or bypassing. The judgment basis for the protocol to make processing decisions is called Selectors, which includes the IP of the data packet and the header information of the next layer. Selectors are defined for each policy in SPD.

3. IPSec protocol system: including two security processing protocols and a key exchange protocol.

As shown in FIG. 1 , the IPSec protocol system 10 includes an Authentication Header (Authentication Header, AH) protocol 11 , an Encapsulating Security Payload (Encapsulating Security Payload, ESP) protocol 12 and an IKE protocol 13 . AH protocol 11 is used to provide functions such as data source authentication, data integrity verification, and anti-replay attack; it does not support data encryption. ESP protocol 12 is used to provide functions such as data source authentication, data integrity verification, anti-replay attack, and data encryption. AH protocol 11 and ESP protocol 12 can be used alone or nested. These combinations can be used between two hosts, two security gateways (firewall and router), or between a host and a security gateway. The IKE protocol 13 is used for key management, and defines the methods for performing identity authentication, negotiating encryption algorithms and generating shared session keys between communicating entities. Protocol 13 negotiates the protocol uniform allocation identifier of the SA. The IKE protocol 13 keeps the result of the key negotiation in the SA for later use by the AH protocol 11 and the ESP protocol 12.

IPSec encapsulation modes include transport mode and tunnel mode. Among them, in the transmission mode, no new IP header is generated, and the AH packet or ESP packet header is inserted after the IP header of the original data packet but before all transport layer protocols, usually used between the host and the host ( IPSec scenarios where the data transmission point is equal to the encryption point). In tunnel mode, the AH or ESP header is inserted before the original IP header, and a new IP header is generated and placed before the AH or ESP. It is usually used in the scenario where the private network communicates with the private network through the public network.

4. End-to-end encryption via IPSec gateway

Currently, there is a requirement for encrypted transmission from UE to CN. A solution without changing the current network architecture is to deploy a security gateway between the UPF device and the DN. The gateway architecture is shown in Figure 2. A new security gateway 20 is established between the interface between the UPF device and the DN, and the communication between the UE22 and the security gateway 20 implements E2E encryption at the IP layer, and the encryption key is derived from the negotiated key based on the IPsec protocol between the UE22 and the security gateway 20, The encryption policy is managed by the security gateway 20 and the UE 22 through negotiation.

In the related art, the data network access identifier (Data Network Access Identifier, DNAI) transformation in the MEC scenario is mainly implemented by the following three processes.

In a possible implementation manner, the flowchart of the process of AF's influence on service routing is shown in Figure 3. The AF device notifies the SMF device of the information such as the DNAI supporting the MEC service, the corresponding location area, and service flow through the PCF. .

Step 301, the AF device generates an AF request, where the AF request includes an AF service identifier and an AF notification receiving method (if the AF notification needs to be received). The AF request may also include the AF device identifier, the corresponding DNAI list, the application identifier of the corresponding service, and the traffic filtering information. The traffic filtering information is used to identify the application service flow. The AF request may also include N6 routing information, N6 routing information. The information is used to establish the port information of the N6 connection with the UPF device.

Step 302, the AF device sends the generated AF request to a Network Exposure Function (NEF) device.

Step 303a, the NEF device stores the information in the AF request in a Unified Data Repository (Unified Data Repository, UDR) device.

Step 303b, the NEF device notifies the AF device of the storage/update/deletion of the information.

Step 304, if the PCF device has subscribed to the notification of the AF request, the UDR device will notify the PCF device of the modification of the corresponding AF request.

Step 305, the PCF device decides to modify the current PDU session according to the information requested by the AF, generates a policy and charging control rule (Policy and Charging Control Rule-PCC Rule, PCC rule) according to the AF request, and interacts with the SMF device. This can include subscription events for AF notifications.

Step 306, the SMF device receives the PCC rule sent by the PCF device, and adjusts the current PDU session according to the PCC rule.

In a possible implementation manner, the flowchart of the ULCL insertion process is shown in FIG. 4 . The SMF decides to execute the rules issued by the process of Figure 1 and inserts the ULCL by detecting the corresponding service flow through the change of the area. In this process, the SMF needs to adjust the forwarding rules of PSA1, PSA2, and ULCL respectively to ensure that the corresponding uplink and downlink data packets are transmitted from the correct user plane network element. The ULCL insertion process includes but is not limited to the following steps:

Step 401, the UE establishes a PDU session with PSA1. At this time, the SMF device locally stores the uplink port information used by the session PSA1 to connect with the RAN device, and the RAN device uses the downlink port information to connect to the PSA1.

Step 402, the SMF device selects and configures the PSA2, including configuring the N6 port of the PSA2, and acquiring the uplink port of the PSA2.

Step 403, the SMF device selects and configures the ULCL/Branching Point (Branching Point, BP). The BP is a distribution point for IPv6, and can also be expressed as BP(IPv6). Selecting and configuring ULCL/BP by the SMF device includes: configuring the uplink tunnel from ULCL to PSA1 and PSA2 according to the uplink port information of PSA1 and PSA2, and configuring the downlink tunnel from ULCL to RAN according to the downlink port information of RAN. And obtain the downlink port information that ULCL uses for PSA1 and PSA2 and the uplink port information that ULCL uses for RAN. At the same time, you also need to configure the forwarding rules related to each port.

Step 404, the SMF device updates the downlink data forwarding rule of PSA1. Optionally, the downlink tunnel from PSA1 to ULCL is configured according to the downlink port information of ULCL for PSA1.

Step 405, the SMF device updates the forwarding rule of PSA2. Optionally, the downlink tunnel of PSA2 is configured according to the downlink port information of ULCL for PSA2.

Step 406, the SMF device updates the forwarding rules of the RAN uplink data. Optionally, an uplink tunnel from the RAN to the ULCL is established according to the uplink port information used by the ULCL for the RAN.

Step 407, the SMF device notifies the UE of the new IP prefix list (IP-prefix) of PSA2, which can also be expressed as IPv6 prefix or IP-prefix (IPv6).

Step 408, the SMF device updates the IP prefix list of PSA1, which can also be expressed as IPv6 prefix or IP-prefix (IPv6).

The above steps 407 and 408 update the respective IPv6 addresses for the IPv6 address transmission mechanism. After the BP is inserted, the routing path is changed, and the information of the BP will be added to the IPv6 addresses of PSA1 and PSA2.

In a possible implementation manner, the flowchart of the notification process of the AF device is shown in FIG. 5 . The notification information includes one of an early notification and a late notification. The AF device notification process includes but is not limited to the following steps:

Step 501, the SMF device is triggered by the condition of the AF notification subscribed by the AF device.

It should be noted that, if the AF device subscribes to the early notification through the NEF device, step 502a is performed; if the AF device subscribes to the late notification through the NEF device, step 504a is performed.

Step 502a, if the AF device subscribes to the early notification through the NEF device, the SMF device notifies the NEF device of the target DNAI of the current PDU session.

Step 502b, the NEF device sends a service impact notification to the AF device.

After the NEF device receives the early notification, the NEF device performs message mapping, selects the corresponding AF transaction identifier (transaction ID), etc., and sends the service impact notification to the subscribed AF device. It should be noted that in this case, step 502c is not executed.

Step 502c, the SMF device notifies the AF device of the target DNAI of the current PDU session.

If the AF device subscribes to the early notification of direct notification, the SMF device directly notifies the AF device of the target DNAI of the current PDU session.

Step 502d, the AF device sends reply information to the NEF device.

The AF device responds to the NEF device immediately or after redeploying the application of the target DNAI to the NEF device. The AF device will carry the N6 routing information corresponding to the target DNAI in the reply message.

Step 502e, the NEF device notifies the SMF device of application redeployment information.

After the NEF device receives the reply information from the AF device, the NEF device triggers a matching notification message to notify the SMF device of the redeployment information of the application, where the redeployment information includes the N6 routing information of the target DNAI of the application redeployment.

Step 502f, the AF device sends reply information to the SMF device.

The AF device directly replies to the SMF device immediately or replies to the SMF device after redeploying the application of the target DNAI. The AF device will carry detailed N6 routing information to the target DNAI in the reply message.

Step 503, the SMF device performs DNAI change or addition/modification/removal of the UPF device.

If the AF's subscription to the SMF device includes an AF acknowledgment to be expected indication, the SMF device may wait for the AF device's reply information before step 503, and then proceed to the step after receiving the AF device's reply information. 503.

Step 504a, if the AF device subscribes to the late notification through the NEF device, the SMF device notifies the NEF device of the target DNAI of the current PDU session.

If the subscription of the AF device to the SMF device includes an indication of waiting for the AF reply, the SMF device may have been waiting for the reply information from the AF before this step, and then activate the new user plane transmission path after receiving the reply information from the AF device.

Step 504b, the NEF device sends a service impact notification to the AF device.

After the NEF device receives the late notification, the NEF device performs message mapping, selects the corresponding AF transaction identifier, etc., and sends it to the subscribed AF device through the service impact notification. It should be noted that in this case, step 504c is not executed.

Step 504c, the SMF device notifies the AF device of the target DNAI of the current PDU session.

If the AF device subscribes to the late notification of direct notification, the SMF device directly notifies the AF device of the target DNAI of the current PDU session.

Step 504d, after the AF device receives the notification message from the NEF device or the SMF device, the AF device detects whether it can serve the target DNAI.

If the AF device needs to be replaced, the AF device selects the target AF device for the target DNAI and performs AF device migration.

Step 504e, the AF device sends reply information to the NEF device.

The AF device responds to the NEF device immediately or after redeploying the application of the target DNAI to the NEF device. The AF device will carry the N6 routing information corresponding to the target DNAI in the reply message. If the AF device is changed, the AF device will include an AF device switching instruction in the reply message, including the target AF device identifier and notify the target AF device of the target address.

Step 504f, the NEF device notifies the SMF device of application redeployment information.

Step 504g, the AF device sends reply information to the SMF device.

The AF device directly replies to the SMF device immediately or replies to the SMF device after redeploying the application of the target DNAI. The AF device will carry detailed N6 routing information to the target DNAI in the reply message. If the AF device is changed, the AF device will include an AF device switching instruction in the reply message, including the target AF device identifier and notify the target AF device of the target address.

Based on the methods in related technologies, in the MEC scenario, the connection and path adjustment of the MEC server are mainly realized by the related processes of AF influence on service routing (AF influence traffic routing). Applying the available DNAI (that is, the access network entity where the MEC server is located), the SMF device triggers the new PSA/ULCL insertion process due to UE movement or detection of the corresponding data flow. The device notifies the DNAI change, and obtains the N6 configuration options and related routing rules required by the PSA/ULCL through the reply information of the AF device, and then configures the new PSA/ULCL.

In the scenario in the related art, after adding an additional security gateway, the device that needs to establish a connection with the MEC server and the updated PSA is changed to a security gateway, so that the current process related to the impact of AF on service routing cannot be completed normally. The problem. A reasonable and effective technical solution has not been provided in the related art.

The embodiment of the present application provides a data configuration method. In the DNAI change process, the information exchange process between the local security gateway and the network device is designed, and the relevant configuration inserted into the ULCL process is implemented, so that after the local security gateway is introduced The subsequent inserting ULCL process can be completed normally, which ensures the reliability of data transmission.

Please refer to FIG. 6 , which shows a schematic structural diagram of a data configuration system 60 provided by an exemplary embodiment of the present application. The data configuration system 60 includes a local security gateway 62 , a MEC server 64 and a PSA 66 .

The local security gateway 62 is a security gateway established between the interface of the UPF device and the DN.

The MEC server 64 includes an edge application server (Edge Application Server, EAS).

PSA66 is a UPF device. In the embodiment of the present application, PSA66 includes a first PSA and a second PSA, the first PSA is the updated PSA, that is, "new PSA", and the second PSA is the PSA before updating, that is, "old PSA".

In the embodiment of the present application, the local security gateway 62 is used to receive the first information, and the first information is used to obtain the address information of the local security gateway 62; the local security gateway 62 is also used to send the address information of the local security gateway 62, and the local security gateway 62 The address information of the gateway 62 is the routing destination address information configured for the first PSA and used to transmit data from the UE, and the first PSA is the PSA after the UE has undergone a DNAI change.

The following describes the data configuration method provided by the embodiments of the present application by using several exemplary examples.

Please refer to FIG. 7 , which shows a flowchart of a data configuration method provided by an exemplary embodiment of the present application, and the method is used in the data configuration system shown in FIG. 1 . The method includes the following steps.

Step 701: The network device sends first information to the local security gateway, where the first information is used to obtain address information of the local security gateway.

Optionally, the network device may be a centralized security gateway, or a core network element, such as an SMF device. This embodiment of the present application does not limit this. It should be noted that, for the introduction of the centralized security gateway and the SMF device, reference may be made to the relevant descriptions in the following embodiments, which will not be introduced here.

The network device sends first information to the local security gateway, where the first information is used to instruct the local security gateway to feed back the address information of the local security gateway.

Step 702, after receiving the first information, the local security gateway sends the address information of the local security gateway. The address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the UE. The first PSA PSA after DNAI changes in UE.

The local security gateway receives the first information sent by the network device. After receiving the first information, the address information of the local security gateway is sent to the network device.

The address information of the local security gateway is configured for the first PSA, that is, the PSA after the UE has undergone DNAI changes, the address information is used to transmit data from the UE, and the address information is the routing purpose of the local security gateway corresponding to the data Address information.

After receiving the first information, the local security gateway sends first response information corresponding to the first information to the network device, where the first response information includes address information of the local security gateway.

The address information of the local security gateway is used to identify the local security gateway.

Optionally, the first information includes routing path information of the MEC server, where the routing path information is used to configure the connection between the local security gateway and the MEC server. The local security gateway establishes a connection between the local security gateway and the MEC server according to the first information.

Optionally, after the connection between the local security gateway and the MEC server is established, the local security gateway feeds back first response information corresponding to the first information. That is, the local security gateway sends the first response information to the network device, and the first response information is also called feedback completion information. The first response information is used to indicate the connection establishment situation between the local security gateway and the MEC server.

The first response information includes address information of the local security gateway. Optionally, the first response information further includes uplink tunnel information of the local security gateway. The uplink tunnel information of the local security gateway is information of the uplink tunnel used by the local security gateway to receive uplink data.

Step 703, the network device receives the address information of the local security gateway.

The network device receives the address information of the local security gateway sent by the local security gateway. Wherein, the address information of the local security gateway is the routing destination address information configured for the first PSA and used for transmitting data from the UE, and the first PSA is the PSA after the DNAI changes of the UE.

To sum up, the embodiment of the present application provides a data configuration method. After the network device sends the first information for obtaining the address information of the local security gateway to the local security gateway, it receives the address information of the local security gateway. The address information of the gateway is configured for the first PSA, that is, the PSA after the DNAI changes of the UE, and provides the routing destination address information for transmitting data from the UE; that is, in the process of DNAI change, the local security gateway and network are designed. The information exchange process of the device realizes the relevant configuration in the insertion ULCL process, so that the subsequent insertion ULCL process can be completed normally after the introduction of the local security gateway, and the reliability of data transmission is ensured.

The application scenarios involved in the embodiments of the present application may include two application scenarios, a centralized security gateway scenario and a distributed security gateway scenario. The interaction with the local security gateway is added to the ULCL insertion process, and the ULCL insertion process can interact with the local security gateway. The normal interaction of the security gateway, thereby establishing the SA with the local security gateway for the UE. The two application scenarios are described below.

Please refer to FIG. 8 , which shows a schematic structural diagram of a centralized security gateway scenario provided by an exemplary embodiment of the present application. The centralized security gateway scenario includes IKE gateway 801 , IPSec gateway 802 , UE 803 , gNB 804 , UPF device 805 , application server 806 , AMF device 807 , SMF device 808 , NEF device 809 , AF device 810 , and PCF device 811 .

The IKE gateway 801 is a centralized security gateway, and the centralized security gateway is a centralized deployment gateway. The IPSec gateway 802 is a distributed security gateway, that is, a local security gateway, and the local security gateway is a distributed deployment gateway for user plane data transmission. Supports transport mode in IPSec encapsulation mode.

The IKE gateway 801 is configured to establish a connection with the SMF device 808 by subscribing to the PCF device 811 . The IKE gateway 801 is further configured to directly communicate with the SMF device 808 in the form of notification and response after the connection is established with the SMF device 808 .

The IKE gateway 801 is also used to select, configure and manage the IPSec gateway 802 . Optionally, the IKE gateway 801 is also used to control the distribution of keys and certificates of the IPSec gateway 802 and the establishment of the SA. That is, the sub-SA of the IPSec gateway 802 is established by the IKE gateway 801, and the IKE gateway 801 configures the local security context and N6 forwarding rules.

Optionally, the IKE gateway 801 is configured to configure IP addresses of other network elements when establishing a sub-SA. The target IP address can be additionally carried when the sub-SA is established. The IKE gateway 801 is also used to configure user-face SA for other IP addresses.

The IPSec gateway 802 is used for establishing a user face SA with the UE 803, encrypting data and protecting integrity.

A user plane forwarding channel exists between the UPF device 805 and the IKE gateway 801 , and the UPF device 805 is configured to forward the user plane IPSec signaling of the UE 803 to the IKE gateway 801 through the user plane forwarding channel.

The IPSec gateway 802 and the UPF device 805 are connected through the N6 tunnel, the downlink data packets are encrypted by the IPSec gateway 802 and then sent to the UE 803 , and the uplink data packets are decrypted by the IPSec gateway 802 and then sent to the application server 806 . The application server 806 is an EMC server, ie EAS.

Please refer to FIG. 9 , which shows a schematic structural diagram of a distributed security gateway scenario provided by an exemplary embodiment of the present application. The distributed security gateway scenario includes IPSec gateway 901 , UE 902 , gNB 903 , UPF device 904 , application server 905 , AMF device 906 , SMF device 907 , NEF device 908 , and AF device 909 .

The IPSec gateway 901 is a distributed security gateway, that is, a local security gateway, and the local security gateway is a gateway deployed in a distributed manner for user plane data transmission.

In this distributed security gateway scenario, there is no centralized security gateway. Each (group) of UPF devices has its own independent IPSec gateway 901 . The SMF device can obtain the address of the IPSec gateway 901 and configure the IPSec gateway 901 . That is, each (group) UPF device 904 is jointly deployed with a specific IPSec gateway 901, the UPF device 904 is associated with the IPSec gateway 901, and each IPSec gateway 901 has complete IKE and user plane functions. Every time the UE 902 replaces the UPF device 904 or establishes a connection with the new UPF device 904, it needs to re-establish a new SA (including IKE and user face SA) with the corresponding IPSec gateway 901.

In this distributed security gateway scenario, the IPSec gateway 901 is controlled and configured by the SMF device 907, and supports the tunnel mode and the transmission mode in the IPSec encapsulation mode.

The IPSec gateway 901 and the UPF device 904 are connected through the N6 tunnel, the downlink data packets are encrypted by the IPSec gateway 901 and sent to the UE 902, and the uplink data packets are decrypted by the IPSec gateway 901 and then sent to the application server 905. The UPF device 904 is a PSA, and the application server 905 is an EMC server, ie, EAS.

Please refer to FIG. 10 , which shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application, and the method is used in the centralized security gateway scenario shown in FIG. 8 . The method includes the following steps.

Step 1001: The centralized security gateway sends first information to the local security gateway, where the first information is used to obtain address information of the local security gateway.

The centralized security gateway establishes a communication connection with the local security gateway, and the centralized security gateway sends the first information to the local security gateway.

Optionally, the first information includes routing path information of the MEC server, where the routing path information is used to configure the connection between the local security gateway and the MEC server.

Optionally, the centralized security gateway is an IKE gateway, and the local security gateway is an IPSec gateway.

It should be noted that, for the introduction of the centralized security gateway, the distributed security gateway, the first information, and the routing path information, reference may be made to the relevant descriptions in the foregoing embodiments, and details are not repeated here.

Step 1002, after receiving the first information sent by the centralized security gateway, the local security gateway feeds back the address information of the local security gateway, and the address information of the local security gateway is configured for the first PSA for the routing purpose of transmitting data from the UE Address information.

The first PSA is the PSA after the UE undergoes DNAI changes.

After receiving the first information sent by the centralized security gateway, the local security gateway obtains the address information of the local security gateway, and feeds back the address information of the local security gateway to the centralized security gateway.

Optionally, the first information includes routing path information of the MEC server. After receiving the first information sent by the centralized security gateway, the local security gateway establishes a connection between the local security gateway and the MEC server. After the connection between the local security gateway and the MEC server is established, the local security gateway feeds back first response information corresponding to the first information to the centralized security gateway. The first response information includes uplink tunnel information of the local security gateway.

It should be noted that the connection between the local security gateway and the MEC server can be established before the centralized security gateway sends the first information to the local security gateway, or the first information sent by the centralized security gateway to the local security gateway can be completed. information to configure. This embodiment of the present application does not limit this. For convenience of description below, only the first information includes routing path information of the MEC server as an example for description.

Another point that needs to be explained is that, for the introduction of the first response information and the uplink tunnel information, reference may be made to the relevant descriptions in the foregoing embodiments, and details are not repeated here.

Step 1003, the centralized security gateway receives the address information of the local security gateway.

Correspondingly, the centralized security gateway receives the address information of the local security gateway sent by the local security gateway. Wherein, the address information of the local security gateway is the routing destination address information configured for the first PSA and used for transmitting data from the UE, and the first PSA is the PSA after the DNAI changes of the UE.

To sum up, the embodiments of the present application provide a data configuration method. After the centralized security gateway sends the first information for obtaining the address information of the local security gateway to the local security gateway, it receives the address information of the local security gateway. The address information of the local security gateway is configured for the first PSA, that is, the PSA after the DNAI changes of the UE, and provides the routing destination address information for transmitting data from the UE; that is, in the process of DNAI change, the local security gateway is designed. The information exchange process with the centralized security gateway implements the relevant configuration of the insertion ULCL process, so that the subsequent insertion ULCL process can be completed normally after the introduction of the local security gateway, ensuring the reliability of data transmission.

Please refer to FIG. 11 , which shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application, and the method is used in the centralized security gateway scenario shown in FIG. 8 . The method includes the following steps.

Step 1100, the centralized security gateway establishes an IKE SA with the UE through the IKEv2 protocol.

Optionally, during the session establishment process, the centralized security gateway establishes an IKE SA with the UE through the IKEv2 protocol.

The centralized security gateway establishes a communication connection with the local security gateway. Optionally, the centralized security gateway is an IKE gateway, and the local security gateway is an IPSec gateway.

Step 1101, the AF device subscribes the DNAI change notification event to the SMF device through the centralized security gateway proxy through the PCF device.

The AF device sends an AF request to the centralized security gateway, and the IKE gateway summarizes the AF request, maps each AF request to a corresponding SA according to a preset mapping relationship, and provides the mapped SA to the SMF device.

Step 1102, the SMF device triggers a DNAI change notification event, and selects the updated first PSA.

The SMF device triggers the DNAI change notification event, and selects the local UPF device in the corresponding area as the updated first PSA.

Step 1103, the SMF device sends the first DNAI change notification to the centralized security gateway.

The SMF device sends a first DNAI change notification to the centralized security gateway, where the first DNAI change notification is used to indicate a DNAI change notification event. The first DNAI change notification includes the changed DNAI and the SA of the path to be changed.

Step 1104, the centralized security gateway selects the local security gateway.

The centralized security gateway selects the local security gateway when receiving the first DNAI change notification.

The centralized security gateway receives the DNAI change notification sent by the SMF device, and the DNAI change notification includes the changed DNAI and the corresponding SA. The centralized security gateway queries the application to be changed in the route according to the changed DNAI and the SA of the route to be changed. Optionally, the centralized security gateway maps the provided DNAI and SA to an application identifier, where the application identifier is the identifier of the application whose path is to be changed, and selects the local security gateway according to the DNAI and the application identifier.

Step 1105, the centralized security gateway sends an AF notification to the corresponding AF device according to the queried application.

The centralized security gateway sends an AF notification to the corresponding AF device according to the queried application, and the AF notification is used to indicate DNAI changes.

Optionally, the centralized security gateway determines the corresponding AF transaction identifier according to the queried application identifier, and feeds back the AF notification to the AF device corresponding to the AF transaction identifier.

Step 1106, the AF device feeds back the routing path information of the MEC server to the centralized security gateway.

After receiving the AF notification, the AF device selects the corresponding MEC server for adjustment, and feeds back the routing path information of the MEC server to the centralized security gateway. The adjustment includes service activation, user information transfer, and the like.

Step 1107, the centralized security gateway sends the first information to the local security gateway.

The first information is used to obtain address information of the local security gateway.

Optionally, the centralized security gateway receives the routing path information of the MEC server fed back by the AF device. After receiving the routing path information of the MEC server, the centralized security gateway sends first information to the local security gateway, where the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server .

It should be noted that, for the introduction of the first information and the routing path information, reference may be made to the relevant descriptions in the foregoing embodiments, and details are not repeated here.

Step 1108, the local security gateway feeds back first response information corresponding to the first information to the centralized security gateway.

Wherein, the first response information includes address information of the local security gateway.

After the configuration of the local security gateway is completed, the local security gateway feeds back the first response information corresponding to the first information to the centralized security gateway.

After receiving the first information sent by the centralized security gateway, the local security gateway establishes a connection between the local security gateway and the MEC server. After the connection between the local security gateway and the MEC server is established, that is, after the configuration of the local security gateway is completed, the local security gateway feeds back first response information corresponding to the first information to the centralized security gateway. The first response information further includes uplink tunnel information of the local security gateway.

It should be noted that, for the introduction of the first response information, the address information of the local security gateway, and the uplink tunnel information, reference may be made to the relevant descriptions in the foregoing embodiments, and details are not repeated here.

Step 1109, the centralized security gateway feeds back fourth response information corresponding to the first DNAI change notification to the SMF device.

After receiving the first response information, the centralized security gateway feeds back the fourth response information corresponding to the first DNAI change notification to the SMF device.

After receiving the first response information corresponding to the first information fed back by the local security gateway, the centralized security gateway feeds back fourth response information corresponding to the first DNAI change notification to the SMF device, where the fourth response message includes uplink tunnel information of the local security gateway. Wherein, the first response information and the fourth response message are both used to indicate that the connection establishment between the local security gateway and the MEC server is completed.

Step 1110, the SMF device establishes an N4 session with the selected first PSA.

The SMF device initiates the N4 session establishment process to the selected first PSA, configures the N4 context, and sends the N4 first information to the first PSA. The N4 first information includes the upstream tunnel information of the local security gateway and the upstream tunnel information of the local security gateway. Used to establish an upstream tunnel from the first PSA to the local security gateway. After receiving the N4 first information, the first PSA sends the downlink tunnel information of the first PSA to the SMF device.

Step 1111, the SMF device sends a second DNAI change notification to the centralized security gateway, where the second DNAI change notification includes downlink tunnel information of the first PSA.

That is, the SMF device sends the downlink tunnel information of the first PSA to the centralized security gateway through the second DNAI change notification.

Step 1112, the centralized security gateway sends update information to the local security gateway.

The centralized security gateway sends update information to the local security gateway, the update information is used to instruct the PSA to be updated from the second PSA to the first PSA.

The update information includes the updated downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure the downlink tunnel between the local security gateway and the first PSA. The downlink tunnel information of the first PSA is information of the downlink tunnel used by the first PSA to receive downlink data.

Step 1113, the local security gateway feeds back the second response information corresponding to the update information to the centralized security gateway.

After the establishment of the downlink tunnel between the local security gateway and the first PSA is completed, the local security gateway feeds back second response information corresponding to the update information. The second response information is used to indicate the establishment of the downlink tunnel between the local security gateway and the first PSA.

Optionally, after receiving the update information sent by the centralized security gateway, the local security gateway establishes a downlink tunnel between the local security gateway and the first PSA. After the establishment of the downlink tunnel between the local security gateway and the first PSA is completed, the second response information corresponding to the update information is fed back.

It should be noted that, for the introduction of the second response information, reference may be made to the relevant descriptions in the foregoing embodiments, and details are not repeated here.

Step 1114, the centralized security gateway feeds back fifth response information corresponding to the second DNAI change notification to the SMF device.

The centralized security gateway receives the second response information corresponding to the update information fed back by the local security gateway; and feeds back the fifth response information corresponding to the second DNAI change notification to the SMF device; wherein the second response information and the fifth response information are both used to indicate The establishment of the downlink tunnel between the local security gateway and the first PSA is completed.

The centralized security gateway feeds back the fifth response information to the SMF device, notifying the SMF device that the connection between the first PSA, the local security gateway and the MEC server has been established.

Step 1115, the SMF device selects and configures the ULCL.

The SMF device selects and configures the ULCL, establishes an N4 context for the ULCL, and configures the N3 connection between the ULCL and the RAN, the uplink tunnel from the ULCL to the first PSA, the uplink tunnel from the ULCL to the second PSA, and the forwarding rules for uplink data packets.

Step 1116, the SMF device configures the downlink tunnel from the second PSA to the ULCL through the N4 session modification process.

Step 1117, the SMF device configures the downlink tunnel from the first PSA to the ULCL through the N4 session modification process.

Step 1118, the SMF device sends a third DNAI change notification to the centralized security gateway, where the third DNAI change notification is used to indicate that the ULCL insertion is completed.

Step 1119, the centralized security gateway sends a first sub-SA establishment request to the local security gateway.

The centralized security gateway sends the first sub-SA establishment request to the local security gateway.

Optionally, the first sub-SA establishment request includes a first data feature of the data to be encrypted and transmitted and a corresponding first SA, and the first SA includes an encryption algorithm and a security parameter index (security parameter index, SPI).

For example, the first data feature is TS1, and the first SA is SA1.

Step 1120, the local security gateway feeds back the first sub-SA establishment response to the centralized security gateway.

After receiving the first SA establishment request sent by the centralized security gateway, the local security gateway feeds back a first sub-SA establishment response to the centralized security gateway.

Optionally, the first sub-SA establishment response includes the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway. This random number is used to generate the key.

For example, the second data feature is TS1*, the second SA is SA1*, the key generation material of the local security gateway is Ke1, and the random number of the local security gateway is N1.

Step 1121, the centralized security gateway sends a second sub-SA establishment request to the UE.

The centralized security gateway initiates a procedure for establishing a sub-SA to the UE, so that the UE and the local security gateway establish a sub-SA for user plane data transmission through the transmission mode.

The centralized security gateway sends a second sub-SA establishment request to the UE. Optionally, the second sub-SA establishment request includes the second data feature, the second SA, the key generation material of the local security gateway, and the random number of the local security gateway;

Step 1122, the UE feeds back the second sub-SA establishment response to the centralized security gateway.

The UE feeds back the second sub-SA establishment response to the centralized security gateway. Optionally, the second sub-SA establishment response includes the confirmed third data feature, the corresponding third SA, the key generation material of the UE, and the random number of the UE.

For example, the confirmed third data feature and the corresponding third SA are the TS2 and the corresponding SA2 confirmed by the UE. The key generation material of the UE and the random number of the UE are Ke2 and N2 on the UE side.

It should be noted that the above-mentioned first data feature, second data feature, and third data feature are all bidirectional data flow feature information, that is, it includes not only the filtering rules of data packets sent out, but also the data received inward. The filtering rules for packets may change due to the need for confirmation by the local security gateway and the UE respectively.

Step 1123, the centralized security gateway sends the context information of the sub-SA to the local security gateway.

The context information of the sub-SA sent by the centralized security gateway to the local security gateway, where the context information of the sub-SA is used to configure the sub-SA for transmitting user plane data between the UE and the local security gateway.

Wherein, the context information of the sub-SA includes SPI, bidirectional data flow characteristic information, encryption algorithm, encryption key or encryption material, and random number used to generate the encryption key. Optionally, the context information of the sub-SA further includes a security certificate and authentication information for verifying the user's identity.

Step 1124, the local security gateway feeds back the third response information corresponding to the context information of the sub-SA to the centralized security gateway.

The local security gateway receives the context information of the sub-SA sent by the centralized security gateway; after the establishment of the sub-SA is completed, it feeds back the third response information corresponding to the context information of the sub-SA to the centralized security gateway. The centralized security gateway receives third response information corresponding to the context information of the sub-SA fed back by the local security gateway, and the third response message is used to indicate that the establishment of the sub-SA is completed.

Step 1125, the centralized security gateway sends the third notification information to the SMF device, and the third notification information includes the packet detection rule (Packet Detection Rule, PDR) and the forwarding action rule (Forwarding action rule, FAR) corresponding to the data flow feature information.

Since the UE and the local security gateway are sub-SAs established in the transmission mode, after the sub-SA is established, the centralized security gateway needs to send the third notification information sent from the local security gateway to the SMF device. The third notification information includes Data packet detection rules and forwarding action rules corresponding to data flow feature information.

The data flow characteristic information is the data flow characteristic information of the local security gateway. That is, the data packet detection rules and the forwarding action rules are the data packet detection rules and the forwarding action rules of the local security gateway.

Optionally, the local security gateway sends the data packet detection rules and forwarding action rules corresponding to the data flow feature information to the centralized security gateway, and after the centralized security gateway receives it, it will include the data packet detection rules and forwarding action rules. Notification messages are sent to the SMF device.

Step 1126, the SMF device updates the first information of the ULCL according to the third notification information.

After receiving the third notification information sent by the centralized security gateway, the SMF device updates the first information of the ULCL according to the packet detection rules and forwarding action rules in the third notification information, so that the data protected by the sub-SA of the local security gateway Packets are forwarded through the local security gateway.

In an illustrative example, as shown in Figure 12, the centralized security gateway is the IKE gateway, and the local security gateway is the IPSec gateway 2. The data configuration method applied in the centralized security gateway scenario includes but is not limited to the following steps:

Step 120, the IKE gateway establishes an IKE SA with the UE through the IKEv2 protocol;

Step 121, the AMF/SMF/PCF device executes the above-mentioned ULCL/BP insertion process;

Step 122, the above-mentioned DNAI change process is performed between the IKE gateway and the AMF/SMF/PCF device;

Step 123a, the IKE gateway distributes the key to the IPSec gateway 2;

Step 123b, the IKE gateway initiates the establishment process of the sub-SA to the UE, so that the UE and the IPSec gateway 2 establish the sub-SA for user plane data transmission through the transmission mode;

Step 124, the IKE gateway notifies the application server of 2DNAI changes or routing rules.

To sum up, an embodiment of the present application provides a data configuration method, which is applied in a centralized security gateway scenario. The centralized security gateway, as a proxy network element, undertakes to interact with AF devices and perform MEC Functions for server connection configuration. The centralized IKE gateway is still changing in the DNAI, inserted into the ULCL process, and cooperates with the SMF device to build a path from the ULCL to the first PSA to the local security gateway to the MEC server. After the path is established, the centralized security gateway acts as a proxy for the local security gateway and the UE to establish a sub-SA for user plane data transmission, and sends the corresponding security context and other information to the local security gateway, so that in the centralized security gateway scenario , when the SMF device triggers the DNAI change, the insertion of the ULCL is completed and the transmission mode SA path between the UE and the local security gateway is established.

In this embodiment of the present application, the security gateway is divided into a centralized security gateway and a local security gateway, and the message transmission between the two gateways is designed to enhance the function of the centralized security gateway, and realize the ULCL insertion process of the security gateway in the MEC scenario. The relevant configuration is almost unchanged to the UE.

In addition, due to the use of the transmission mode, the destination IP address of the uplink data packet and the source IP address of the downlink data packet are not the local security gateway, so the centralized security gateway needs to report the data packet detection on the sub-SA of the local security gateway to the SMF device. rules and forwarding action rules, and reconfigure the ULCL to ensure that the corresponding data packets are forwarded normally through the local security gateway.

Please refer to FIG. 13 , which shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application, and the method is used in the distributed security gateway scenario shown in FIG. 9 . The method includes the following steps.

Step 1301, the SMF device sends first information to the local security gateway, where the first information is used to acquire address information of the local security gateway.

A communication connection is established between the SMF device and the local security gateway, and the SMF device sends the first information to the local security gateway.

It should be noted that, for the introduction of the SMF device, the distributed security gateway, the first information, and the routing path information, reference may be made to the relevant descriptions in the foregoing embodiments, and details are not repeated here.

Step 1302, after receiving the first information sent by the SMF device, the local security gateway feeds back address information of the local security gateway, where the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the UE .

The first PSA is the PSA after the UE undergoes DNAI changes.

After receiving the first information sent by the SMF device, the local security gateway acquires address information of the local security gateway, and feeds back the address information of the local security gateway to the SMF device.

Optionally, the first information includes routing path information of the MEC server. After receiving the first information sent by the SMF device, the local security gateway establishes a connection between the local security gateway and the MEC server. After the connection between the local security gateway and the MEC server is established, the local security gateway feeds back first response information corresponding to the first information to the SMF device. The first response information includes uplink tunnel information of the local security gateway.

It should be noted that the connection between the local security gateway and the MEC server can be established before the SMF device sends the first information to the local security gateway, or it can be configured through the first information sent by the SMF device to the local security gateway. . This embodiment of the present application does not limit this. For convenience of description below, only the first information includes routing path information of the MEC server as an example for description.

Step 1303, the SMF device receives the address information of the local security gateway.

Correspondingly, the SMF device receives the address information of the local security gateway sent by the local security gateway. Wherein, the address information of the local security gateway is the routing destination address information configured for the first PSA and used for transmitting data from the UE, and the first PSA is the PSA after the DNAI changes of the UE.

To sum up, the embodiment of the present application provides a data configuration method. After the SMF device sends the first information for obtaining the address information of the local security gateway to the local security gateway, it receives the address information of the local security gateway. The address information of the gateway is configured for the first PSA, that is, the PSA after the DNAI changes of the UE, and provides the routing destination address information for transmitting data from the UE; that is, in the process of DNAI change, the local security gateway and SMF are designed. The information exchange process of the device realizes the relevant configuration in the insertion ULCL process, so that the subsequent insertion ULCL process can be completed normally after the introduction of the local security gateway, and the reliability of data transmission is ensured.

Please refer to FIG. 14 , which shows a flowchart of a data configuration method provided by an exemplary embodiment of the present application. The method is used in the distributed security gateway scenario shown in FIG. 9 , and the SMF device establishes communication with the local security gateway. connect. The method includes the following steps.

Step 1400, the SMF device performs the discovery of the MEC server and the selection process of the first PSA and the ULCL.

Optionally, after the UE moves or detects the corresponding UE service, the SMF device triggers and executes the discovery of the MEC server and the selection process of the first PSA and ULCL. The SMF device selects and configures the ULCL, establishes an N4 context for the ULCL, and configures the N3 connection between the ULCL and the RAN, the uplink tunnel from the ULCL to the first PSA, the uplink tunnel from the ULCL to the second PSA, and the forwarding rules for uplink data packets. For related details, reference can be made to the related descriptions in the foregoing embodiments by analogy, and details are not repeated here.

The SMF device selects the first PSA. Since the PSA is associated with the local security gateway in the distributed security gateway scenario, when the first PSA is selected, the local security gateway corresponding to the first PSA can also be determined.

Step 1401, the SMF device sends an AF notification to the AF device.

The SMF device sends an AF notification to the AF device, and the AF notification is used to indicate DNAI changes. The AF device feeds back the AF notification response after receiving the AF notification.

The SMF device sends an AF notification to the AF device, and obtains the routing path information of the MEC server from the AF device. The MEC server is EAS.

The routing path information of the MEC server includes port information used by the MEC server to establish an N6 connection.

Step 1402, the SMF device sends the first information to the local security gateway.

Optionally, the first information includes routing path information of the MEC server. The routing path information is used to configure the connection between the local security gateway and the MEC server. The SMF device sends the routing path information of the MEC server to the local security gateway through the first information, so as to configure the connection between the local security gateway and the MEC server.

Step 1403, the local security gateway feeds back the first response information corresponding to the first information to the SMF device.

Optionally, after receiving the first information sent by the SMF device, the local security gateway establishes a connection between the local security gateway and the MEC server. After the connection between the local security gateway and the MEC server is established, the local security gateway feeds back first response information corresponding to the first information to the SMF device. The first response information includes uplink tunnel information of the local security gateway.

It should be noted that the relevant details of the process in which the SMF device sends the first information to the local security gateway and the local security gateway feeds back the first response information corresponding to the first information to the SMF device can refer to the relevant descriptions in the above embodiments, here No longer.

Step 1404, the SMF device establishes an N4 session with the first PSA.

The SMF device initiates an N4 session establishment process to the first PSA, that is, the SMF device sends the upstream tunnel information of the local security gateway to the first PSA, and obtains the downlink tunnel information for receiving downlink data from the local security gateway from the first PSA.

Step 1405, the SMF device sends update information to the local security gateway, where the update information includes the updated downlink tunnel information of the first PSA.

The downlink tunnel information is used to configure the downlink tunnel between the local security gateway and the first PSA.

Step 1406, the local security gateway feeds back the second response information corresponding to the update information to the SMF device.

After receiving the update information sent by the SMF device, the local security gateway establishes a downlink tunnel between the local security gateway and the first PSA. After the establishment of the downlink tunnel between the local security gateway and the first PSA is completed, the second response information corresponding to the update information is fed back.

It should be noted that the relevant details of the process in which the SMF device sends the update information to the local security gateway and the local security gateway feeds back the second response information corresponding to the update information to the SMF device can refer to the relevant descriptions in the above embodiments, which are not repeated here. Repeat.

Step 1407, the SMF device selects and configures the ULCL.

Step 1408, the SMF device configures the downlink tunnel from the second PSA to the ULCL through the N4 session modification process.

Step 1409, the SMF device configures the downlink tunnel from the first PSA to the ULCL through the N4 session modification process.

To sum up, the embodiments of the present application provide a data configuration method, which is applied to a distributed security gateway scenario, through the information exchange between the local security gateway and core network elements such as SMF devices and AF devices. The process implements establishing a path from the ULCL to the first PSA to the local security gateway to the MEC server during the ULCL insertion process. The SMF device can control the local security gateway, and configure the context related to its connection establishment, so that in the scenario of the distributed security gateway, the corresponding data path is configured while ULCL insertion is performed.

Please refer to FIG. 15 , which shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application. The method is used in the distributed security gateway scenario shown in FIG. 9 , where the SMF device and the local security gateway establish a communication connection. The method includes the following steps.

Step 1500, the SMF device performs the process of MEC server discovery and ULCL/BP insertion.

It should be noted that, for the process of the discovery of the MEC server and the insertion of the ULCL/BP performed by the SMF device, reference may be made to the relevant descriptions in the foregoing embodiments, and details are not repeated here.

Step 1501, the SMF device sends an N1 message to the AMF device, where the N1 message includes the address of the local security gateway.

The SMF device queries the address of the local security gateway after inserting the ULCL/BP, and encapsulates the address of the local security gateway in an N1 message and sends it to the AMF device.

Step 1502, the AMF device sends a NAS message to the UE, where the NAS message includes the address of the local security gateway.

After receiving the N1 message sent by the SMF device, the AMF device sends the enhanced NAS message to the UE,

The NAS message includes the address of the local security gateway. The NAS message is used to instruct the UE to establish an IKE SA with the local security gateway.

Step 1503, the UE establishes an IKE SA with the local security gateway.

The UE receives an enhanced NAS message sent by the AMF device, where the enhanced NAS message includes the address of the local security gateway. After the UE receives the enhanced NAS message, the UE initiates the IKE SA establishment process with the local security gateway.

Step 1504, the local security gateway sends first notification information to the SMF device, where the first notification information is used to indicate that the establishment of the IKE SA between the UE and the local security gateway is completed.

The SMF device receives the first notification information sent by the local security gateway.

Step 1505, the SMF device sends a user plane SA establishment request to the local security gateway.

The SMF device sends a user plane SA establishment request to the local security gateway, and the user plane SA establishment request includes service detection rules. Optionally, the service detection rule includes a data packet detection rule that needs to be encrypted and decrypted through the local security gateway

The sending form of the service detection rule may be in the form of PDR, or may be in the form of data flow characteristic information. Both PDR and data flow feature information here are bidirectional.

Step 1506, the local security gateway generates corresponding data flow feature information according to the service detection rule, and establishes a sub-SA between the UE and the local security gateway for user plane data transmission.

The local security gateway receives the user plane SA establishment request sent by the SMF device, and the user plane SA establishment request includes service detection rules; according to the service detection rules, the corresponding data flow feature information is generated, and the connection between the UE and the local security gateway is used for user plane data. Transported child SA.

Step 1507, the local security gateway feeds back second notification information to the SMF device, where the second notification information is used to indicate that the establishment of the sub-SA between the UE and the local security gateway for user plane data transmission is completed.

Optionally, the second notification information includes a data packet detection rule and a forwarding action rule corresponding to the data flow feature information.

Step 1508, the SMF device updates the routing and forwarding rules to the ULCL.

The SMF device updates the routing and forwarding rules to the ULCL according to the packet detection rules and forwarding action rules fed back by the local security gateway.

Optionally, in the transmission mode, the SMF device updates the routing and forwarding rules to the ULCL according to the packet detection rules and forwarding action rules fed back by the local security gateway.

To sum up, the embodiments of the present application provide a data configuration method, which is applied to a distributed security gateway scenario, realizes the configuration of SA after inserting ULCL and establishing a relevant data transmission tunnel, and realizes the After the ULCL insertion procedure is completed, the SA between the UE and the local security gateway is established. The SMF device can control the local security gateway, and send to it the data packet detection rules and forwarding action rules that need to be sent from the local security gateway. The embodiment of the present application further enhances the NAS message, and the SMF device can notify the UE through the NAS message, instructing the UE to establish an IKE SA with the local security gateway. In addition, by providing service detection rules to the local security gateway, the SMF device instructs the local security gateway and the UE to establish a sub-SA for user plane transmission, thereby saving the NAS signaling overhead sent to the UE and ensuring the establishment of the local security gateway and the UE. The efficiency of the sub-SA.

Please refer to FIG. 16 , which shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application. The method is used in the distributed security gateway scenario shown in FIG. 9 , where the SMF device and the local security gateway establish a communication connection. The method includes the following steps.

Step 1600, the SMF device performs the process of MEC server discovery and ULCL/BP insertion.

Step 1601, the SMF device sends an N1 message to the AMF device, where the N1 message includes the address of the local security gateway.

Step 1602, the AMF device sends a NAS message to the UE, where the NAS message includes the address of the local security gateway and the service detection rule of the local security gateway.

After receiving the N1 message sent by the SMF device, the AMF device sends the enhanced NAS message to the UE, where the NAS message includes the address of the local security gateway. The NAS message is used to instruct the UE to establish an IKE SA with the security gateway.

The service detection rules of the local security gateway are service detection rules of service data packets that need to be transmitted from the local security gateway. Wherein, the detection rule of the service data packet may be in the form of PDR, or may be in the form of data flow characteristic information.

Step 1603, the UE establishes an IKE SA with the local security gateway.

Step 1604, the UE establishes a sub-SA for user plane data transmission with the local security gateway according to the service detection rule issued by the AMF device.

Step 1605, the local security gateway feeds back notification information to the SMF device, where the notification information is used to indicate that the IKE SA and the sub-SA for user plane data transmission are established.

Wherein, the notification information is used to indicate that the establishment of the IKE SA between the UE and the local security gateway is completed, and the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed.

Optionally, the notification information includes first notification information and second notification information. The first notification information is used to indicate that the establishment of the IKE SA between the UE and the local security gateway is completed. The second notification information is used to indicate that the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed.

Correspondingly, the SMF device receives notification information fed back by the local security gateway.

Step 1606, the SMF device updates the routing and forwarding rules to the ULCL.

To sum up, the embodiments of the present application provide a data configuration method, which is applied in a distributed security gateway scenario, and realizes the configuration of SA after inserting ULCL and establishing a related data transmission tunnel. The device sends a NAS message to the UE, and the NAS message includes the address of the local security gateway and the service detection rules of the local security gateway, so that the establishment of the sub-SA between the UE and the local security gateway for user plane data transmission is initiated by the UE, saving energy The signaling interaction between the SMF device and the local security gateway is implemented.

In an illustrative example, as shown in Figure 17, the local security gateway is IPSec gateway 2, and the data configuration method applied in the distributed security gateway scenario includes but is not limited to the following steps:

Step 171, the AMF/SMF/PCF device executes the ULCL/BP insertion process;

Step 172, the AMF/SMF/PCF device performs session modification (address of IPSec gateway 2);

Step 173, establish IKE SA and IPSec SA between UE and IPSec gateway 2;

Step 174, the IPSec gateway 2 notifies the application server 2 of DNAI changes or routing rules.

Please refer to FIG. 18 , which shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application. The data configuration apparatus can be implemented as a whole or a part of the network device through software, hardware or a combination of the two. The data configuration apparatus may include: a sending unit 1810 and a receiving unit 1820 .

a sending unit 1810, configured to send first information to the local security gateway, where the first information is used to obtain address information of the local security gateway;

The receiving unit 1820 is configured to receive address information of the local security gateway, where the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the user equipment UE, and the first PSA is a DNAI change for the UE Post PSA.

In a possible implementation manner, the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.

In another possible implementation manner, the device further includes:

The receiving unit 1820 is further configured to receive first response information corresponding to the first information fed back by the local security gateway, where the first response information is used to indicate that the connection establishment between the local security gateway and the MEC server is completed, and the first response information includes the local security gateway. Gateway's uplink tunnel information.

In another possible implementation manner, the device further includes:

The sending unit 1810 is further configured to send update information to the local security gateway, where the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.

In another possible implementation manner, the device further includes:

The receiving unit 1820 is further configured to receive second response information corresponding to the update information fed back by the local security gateway, where the second response information is used to indicate that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.

In another possible implementation manner, the network device includes a centralized security gateway that establishes a communication connection with the local security gateway.

In another possible implementation manner, the device further includes:

The sending unit 1810 is further configured to subscribe the DNAI change notification event to the SMF device;

The processing unit is further configured to select the local security gateway when receiving the first DNAI change notification of the SMF device.

In another possible implementation manner, the first DNAI change notification includes the changed DNAI and the safety link SA of the path to be changed, and the apparatus further includes:

The processing unit is further configured to query the application of the path to be changed according to the changed DNAI and the SA of the path to be changed;

The sending unit 1810 is further configured to send an AF notification to the corresponding application function AF device according to the queried application, where the AF notification is used to indicate DNAI changes;

The receiving unit 1820 is further configured to receive the routing path information of the MEC server fed back by the AF device.

In another possible implementation manner, the device further includes:

The sending unit 1810 is further configured to feed back the fourth response information corresponding to the first DNAI change notification to the SMF device after receiving the first response information corresponding to the first information fed back by the local security gateway;

In another possible implementation manner, the device further includes:

The receiving unit 1820 is further configured to receive a second DNAI change notification from the SMF device, where the second DNAI change notification includes downlink tunnel information of the first PSA.

In another possible implementation manner, the device further includes:

The sending unit 1810 is further configured to, after receiving the second response information corresponding to the update information fed back by the local security gateway, feed back the fifth response information corresponding to the second DNAI change notification to the SMF device;

In another possible implementation manner, the centralized security gateway establishes an IKE SA with the UE, and the apparatus further includes:

The receiving unit 1820 is further configured to, after sending the first sub-SA establishment request to the local security gateway, receive the first sub-SA establishment response fed back by the local security gateway;

The receiving unit 1820 is further configured to, after sending the second sub-SA establishment request to the UE, receive the second sub-SA establishment response fed back by the UE; the context information of the sub-SA sent to the local security gateway, the context information of the sub-SA is used for configuration A sub-SA for transmitting user plane data between the UE and the local security gateway;

The receiving unit 1820 is further configured to receive third response information corresponding to the context information of the sub-SA fed back by the local security gateway, where the third response message is used to indicate that the establishment of the sub-SA is completed.

In another possible implementation,

In another possible implementation manner, the third response information includes data packet detection rules and forwarding action rules corresponding to the data flow feature information, and the device further includes:

The sending unit 1810 is further configured to send third notification information to the SMF device, where the third notification information includes data packet detection rules and forwarding action rules.

In another possible implementation manner, the network device includes an SMF device that has established a communication connection with the local security gateway.

In another possible implementation manner, the device further includes:

The receiving unit 1820 is further configured to receive the first notification information sent by the local security gateway, where the first notification information is used to indicate that the establishment of the Internet Key Exchange Protocol IKE SA between the UE and the local security gateway is completed.

In another possible implementation manner, the device further includes:

The sending unit 1810 is further configured to send a user plane SA establishment request to the local security gateway, where the user plane SA establishment request includes a service detection rule;

The receiving unit 1820 is further configured to receive second notification information fed back by the local security gateway, where the second notification information is used to indicate that the establishment of a sub-SA for user plane data transmission between the UE and the local security gateway is completed, and the second notification information includes data Packet detection rules and forwarding action rules corresponding to flow feature information.

In another possible implementation manner, the device further includes:

The sending unit 1810 is further configured to send a NAS message to the UE through the AMF device after inserting the ULCL or BP, where the NAS message includes the address of the local security gateway.

In another possible implementation manner, the NAS message includes service detection rules for service data packets that need to be transmitted from the local security gateway.

It should be noted that when the device provided in the above-mentioned embodiment realizes its functions, only the division of the above-mentioned units is used as an example. The content structure is divided into different units to accomplish all or part of the functions described above.

Regarding the apparatus in the above-mentioned embodiments, the specific manner in which each unit performs operations has been described in detail in the embodiments of the method, and the relevant details can be combined with reference to the above-mentioned method embodiments, which will not be described in detail here.

Please refer to FIG. 19 , which shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application. The data configuration device can be implemented as all or a part of the local security gateway through software, hardware or a combination of the two. The data configuration apparatus may include: a receiving unit 1910 and a sending unit 1920 .

a receiving unit 1910, configured to receive first information, where the first information is used to obtain address information of the local security gateway;

The sending unit 1920 is configured to send the address information of the local security gateway, where the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the UE, and the first PSA is after the UE has a DNAI change. PSA.

In another possible implementation manner, the device further includes:

The sending unit 1920 is further configured to feed back first response information corresponding to the first information after the connection between the local security gateway and the MEC server is established, where the first response information includes uplink tunnel information of the local security gateway.

In another possible implementation manner, the device further includes:

The receiving unit 1910 is further configured to receive update information, where the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.

In another possible implementation manner, the device further includes:

The sending unit 1920 is further configured to feed back second response information corresponding to the update information after the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.

In another possible implementation manner, the local security gateway establishes a communication connection with the centralized security gateway, and the apparatus further includes:

The sending unit 1920 is further configured to, after receiving the first sub-SA establishment request sent by the centralized security gateway, feed back the first sub-SA establishment response to the centralized security gateway;

The receiving unit 1910 is further configured to receive the context information of the sub-SA sent by the centralized security gateway, where the context information of the sub-SA is used to configure the sub-SA for transmitting user plane data between the user equipment UE and the local security gateway;

The sending unit 1920 is further configured to feed back the third response information corresponding to the context information of the sub-SA to the centralized security gateway after the sub-SA is established.

In another possible implementation manner, the first sub-SA establishment request includes the first data characteristic of the data to be encrypted and transmitted and the corresponding first SA, and the first sub-SA establishment response includes the second data characteristic accepted by the local security gateway , the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway.

In another possible implementation manner, the local security gateway establishes a communication connection with the session management function SMF device, and the apparatus further includes:

The sending unit 1920 is further configured to send the first notification information to the SMF device after the establishment of the IKE SA between the UE and the local security gateway is completed.

In another possible implementation manner, the device further includes:

The receiving unit 1910 is further configured to receive a user plane SA establishment request sent by the SMF device, where the user plane SA establishment request includes a service detection rule;

a processing unit, configured to generate corresponding data flow feature information according to the service detection rule, and establish a sub-SA for user plane data transmission between the UE and the local security gateway;

The sending unit 1920 is further configured to feed back second notification information to the SMF device after the establishment of the sub-SA is completed, where the second notification information includes a data packet detection rule and a forwarding action rule corresponding to the data flow feature information.

In another possible implementation, the device further includes:

The sending unit 1920 is further configured to feed back second notification information to the SMF device after the sub-SA for user plane data transmission between the UE and the local security gateway is established, where the second notification information includes data packets corresponding to the data flow feature information Detection rules and forwarding action rules.

Please refer to FIG. 20 , which shows a schematic structural diagram of a network device provided by an exemplary embodiment of the present application, where the network device may be the above-mentioned centralized security gateway or SMF device. The network device includes: a processor 201 , a receiver 202 , a transmitter 203 , a memory 204 and a bus 205 .

The processor 201 includes one or more processing cores, and the processor 201 executes various functional applications and information processing by running software programs and modules.

The receiver 202 and the transmitter 203 may be implemented as a communication component, which may be a communication chip, and the communication chip may include a receiving module, a transmitting module, a modulation and demodulation module, etc., for modulating and/or demodulating information. tune and receive or transmit that information via wireless signals.

The memory 204 is connected to the processor 201 through the bus 205 . The memory 204 stores program instructions and data necessary for the network device.

The processor 201 is configured to execute program instructions and data in the memory 204 to implement the functions of each step performed by the network device in each method embodiment of the present application.

The processor 201 controls the receiver 202 to implement the receiving function on the called network device side in the above steps by running at least one program instruction in the memory 204; the processor 201 controls the transmitter by running at least one program instruction in the memory 204 203 to implement the sending function on the called network device side in each of the above steps.

Additionally, memory 204 may be implemented by any type of volatile or non-volatile storage device or combination thereof, such as static anytime access memory (SRAM), electrically erasable programmable read only memory (EEPROM), erasable Except programmable read only memory (EPROM), programmable read only memory (PROM), read only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.

It will be appreciated that Figure 20 only shows a simplified design of the network device. In other embodiments, the network device may include any number of transmitters, receivers, processors, controllers, memories, communication units, etc., and all network devices that can implement the present application are within the protection scope of the present application .

Please refer to FIG. 21 , which shows a schematic structural diagram of a local security gateway provided by an exemplary embodiment of the present application. The local security gateway includes: a processor 211 , a receiver 212 , a transmitter 213 , a memory 214 and a bus 215 .

The processor 211 includes one or more processing cores, and the processor 211 executes various functional applications and information processing by running software programs and modules.

The receiver 212 and the transmitter 213 may be implemented as a communication component, which may be a communication chip, and the communication chip may include a receiving module, a transmitting module, a modulation and demodulation module, etc., for modulating and/or demodulating information. tune and receive or transmit that information via wireless signals.

The memory 214 is connected to the processor 211 through the bus 215 . The memory 214 stores necessary program instructions and data for the local security gateway.

The processor 211 is configured to execute program instructions and data in the memory 214 to implement the functions of each step performed by the local security gateway in each method embodiment of the present application.

The processor 211 controls the receiver 212 to implement the receiving function on the called local security gateway side in the above steps by running at least one program instruction in the memory 214; the processor 211 controls the transmission by running at least one program instruction in the memory 214. The device 213 is used to implement the sending function on the called local security gateway side in the above steps.

Additionally, memory 214 may be implemented by any type of volatile or non-volatile storage device or combination thereof, such as static anytime access memory (SRAM), electrically erasable programmable read only memory (EEPROM), erasable Except programmable read only memory (EPROM), programmable read only memory (PROM), read only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.

It will be appreciated that Figure 21 only shows a simplified design of the local security gateway. In other embodiments, the local security gateway may include any number of transmitters, receivers, processors, controllers, memories, communication units, etc., and all local security gateways that can implement the present application are within the protection scope of the present application within.

An embodiment of the present application provides a data configuration apparatus, the apparatus includes: a processor; a memory for storing instructions executable by the processor; wherein the processor is configured to implement the above method executed by a network device when the processor is configured to execute the instructions.

An embodiment of the present application provides a data configuration device, the device includes: a processor; a memory for storing instructions executable by the processor; wherein the processor is configured to implement the above method executed by the local security gateway when the processor is configured to execute the instructions .

Embodiments of the present application provide a computer program product, including computer-readable codes, or a non-volatile computer-readable storage medium carrying computer-readable codes, when the computer-readable codes are executed in a processor of an electronic device , the processor in the electronic device executes the above method executed by the network device.

Embodiments of the present application provide a computer program product, including computer-readable codes, or a non-volatile computer-readable storage medium carrying computer-readable codes, when the computer-readable codes are executed in a processor of an electronic device , the processor in the electronic device executes the above method executed by the local security gateway.

An embodiment of the present application provides a data configuration system, where the data configuration system includes a local security gateway and a network device that establishes a communication connection with the local security gateway. The network device includes a data configuration device as shown in FIG. 18 . The security gateway includes the data configuration apparatus shown in FIG. 19 ; or, the network device includes the network device shown in FIG. 20 , and the local security gateway includes the local security gateway shown in FIG. 21 .

Embodiments of the present application provide a non-volatile computer-readable storage medium on which computer program instructions are stored, and when the computer program instructions are executed by a processor, the foregoing method executed by a network device is implemented.

Embodiments of the present application provide a non-volatile computer-readable storage medium on which computer program instructions are stored, and when the computer program instructions are executed by a processor, implement the above method executed by the local security gateway.

A computer-readable storage medium may be a tangible device that can hold and store instructions for use by the instruction execution device. The computer-readable storage medium may be, for example, but not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of computer-readable storage media include: portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read-only memory (Electrically Programmable Read-Only-Memory, EPROM or flash memory), static random access memory (Static Random-Access Memory, SRAM), portable compact disk read-only memory (Compact Disc Read-Only Memory, CD - ROM), Digital Video Disc (DVD), memory sticks, floppy disks, mechanically encoded devices, such as punch cards or raised structures in grooves on which instructions are stored, and any suitable combination of the foregoing .

Computer readable program instructions or code described herein may be downloaded to various computing/processing devices from a computer readable storage medium, or to an external computer or external storage device over a network such as the Internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer-readable program instructions from a network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in each computing/processing device .

The computer program instructions used to perform the operations of the present application may be assembly instructions, Instruction Set Architecture (ISA) instructions, machine instructions, machine-related instructions, microcode, firmware instructions, state setting data, or in one or more source or object code written in any combination of programming languages, including object-oriented programming languages such as Smalltalk, C++, etc., and conventional procedural programming languages such as the "C" language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server implement. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network—including a Local Area Network (LAN) or a Wide Area Network (WAN)—or, may be connected to an external computer (eg, use an internet service provider to connect via the internet). In some embodiments, electronic circuits, such as programmable logic circuits, Field-Programmable Gate Arrays (FPGA), or Programmable Logic Arrays (Programmable Logic Arrays), are personalized by utilizing state information of computer-readable program instructions. Logic Array, PLA), the electronic circuit can execute computer readable program instructions to implement various aspects of the present application.

Aspects of the present application are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

These computer readable program instructions may be provided to the processor of a general purpose computer, special purpose computer or other programmable data processing apparatus to produce a machine that causes the instructions when executed by the processor of the computer or other programmable data processing apparatus , resulting in means for implementing the functions/acts specified in one or more blocks of the flowchart and/or block diagrams. These computer readable program instructions can also be stored in a computer readable storage medium, these instructions cause a computer, programmable data processing apparatus and/or other equipment to operate in a specific manner, so that the computer readable medium on which the instructions are stored includes An article of manufacture comprising instructions for implementing various aspects of the functions/acts specified in one or more blocks of the flowchart and/or block diagrams.

Computer readable program instructions can also be loaded onto a computer, other programmable data processing apparatus, or other equipment to cause a series of operational steps to be performed on the computer, other programmable data processing apparatus, or other equipment to produce a computer-implemented process , thereby causing instructions executing on a computer, other programmable data processing apparatus, or other device to implement the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of apparatuses, systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more functions for implementing the specified logical function(s) executable instructions. In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.

It is also noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented in hardware (eg, circuits or ASICs (Application) that perform the corresponding functions or actions. Specific Integrated Circuit, application-specific integrated circuit)), or can be implemented by a combination of hardware and software, such as firmware.

Although the application is described herein in conjunction with the various embodiments, those skilled in the art will understand and understand from a review of the drawings, the disclosure, and the appended claims in practicing the claimed application. Other variations of the disclosed embodiments are implemented. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that these measures cannot be combined to advantage.

Various embodiments of the present application have been described above, and the foregoing descriptions are exemplary, not exhaustive, and not limiting of the disclosed embodiments. Numerous modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the various embodiments, the practical application or improvement over the technology in the marketplace, or to enable others of ordinary skill in the art to understand the various embodiments disclosed herein.

Claims

A data configuration method, characterized in that it is used in a network device, the method comprising:

sending first information to the local security gateway, where the first information is used to obtain address information of the local security gateway;

receiving address information of the local security gateway, where the address information of the local security gateway is routing destination address information configured for the first protocol data unit session anchor PSA for transmitting data from the user equipment UE, the first The PSA is the PSA after the data network access identifier DNAI of the UE is changed.
The method according to claim 1, wherein the first information comprises routing path information of a multi-access edge computing MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server Connection.
The method according to claim 2, wherein the method further comprises:

Receive first response information corresponding to the first information fed back by the local security gateway, where the first response information is used to indicate that the connection establishment between the local security gateway and the MEC server is completed, and the first response information is used to indicate that the connection establishment between the local security gateway and the MEC server is completed. The response information includes uplink tunnel information of the local security gateway.
The method according to claim 1, wherein the method further comprises:

Send update information to the local security gateway, where the update information includes downlink tunnel information of the first PSA, where the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.
The method according to claim 4, wherein the method further comprises:

Second response information corresponding to the update information fed back by the local security gateway is received, where the second response information is used to indicate that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
The method according to any one of claims 1 to 5, wherein the network device comprises a centralized security gateway that establishes a communication connection with the local security gateway.
The method according to claim 6, wherein before the sending the first information to the local security gateway, the method further comprises:

Subscribe the DNAI change notification event to the session management function SMF device;

The local security gateway is selected when the first DNAI change notification of the SMF device is received.
The method according to claim 7, wherein the first DNAI change notification includes the changed DNAI and the safety link SA of the path to be changed, and the method further comprises:

According to the changed DNAI and the SA of the path to be changed, query the application of the path to be changed;

According to the queried application, send an AF notification to the corresponding application function AF device, where the AF notification is used to indicate the DNAI change;

Receive the routing path information of the MEC server fed back by the AF device.
The method according to claim 7, wherein the method further comprises:

After receiving the first response information corresponding to the first information fed back by the local security gateway, feeding back the fourth response information corresponding to the first DNAI change notification to the SMF device;

Wherein, both the first response information and the fourth response message include uplink tunnel information of the local security gateway, and both the first response information and the fourth response message are used to indicate that the local security gateway communicates with The connection establishment between the MEC servers is completed.
The method according to claim 7, wherein before the sending the update information to the local security gateway, the method further comprises:

A second DNAI change notification from the SMF device is received, where the second DNAI change notification includes downlink tunnel information of the first PSA.
The method of claim 10, wherein the method further comprises:

After receiving the second response information corresponding to the update information fed back by the local security gateway, feeding back fifth response information corresponding to the second DNAI change notification to the SMF device;

Wherein, the second response information and the fifth response information are both used to indicate that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
The method according to any one of claims 7 to 11, wherein the centralized security gateway establishes an IKE SA with the UE, and the method further comprises:

After sending the first sub-SA establishment request to the local security gateway, receiving a first sub-SA establishment response fed back by the local security gateway;

After sending a second sub-SA establishment request to the UE, receive a second sub-SA establishment response fed back by the UE; and send the context information of the sub-SA to the local security gateway, where the context information of the sub-SA is used for configuring a sub-SA between the UE and the local security gateway for transmitting user plane data;

Third response information corresponding to the context information of the sub-SA fed back by the local security gateway is received, where the third response message is used to indicate that the establishment of the sub-SA is completed.
The method of claim 12, wherein:

The first sub-SA establishment request includes the first data characteristic of the data to be encrypted and transmitted and the corresponding first SA;

The first sub-SA establishment response includes the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway;

The second sub-SA establishment request includes the second data feature, the second SA, the key generation material of the local security gateway, and the random number of the local security gateway;

The second sub-SA establishment response includes the confirmed third data feature, the corresponding third SA, the key generation material of the UE, and the random number of the UE.
The method according to claim 12, wherein the third response information includes a data packet detection rule and a forwarding action rule corresponding to the data flow characteristic information, and the method further comprises:

Send third notification information to the SMF device, where the third notification information includes the data packet detection rule and the forwarding action rule.
The method according to any one of claims 1 to 5, wherein the network device comprises an SMF device that has established a communication connection with the local security gateway.
The method of claim 15, wherein the method further comprises:

Receive the first notification information sent by the local security gateway, where the first notification information is used to indicate that the establishment of the Internet Key Exchange Protocol IKE SA between the UE and the local security gateway is completed.
The method of claim 16, wherein the method further comprises:

sending a user plane SA establishment request to the local security gateway, where the user plane SA establishment request includes a service detection rule;

Receive second notification information fed back by the local security gateway, where the second notification information is used to indicate that the establishment of a sub-SA for user plane data transmission between the UE and the local security gateway is complete, and the second notification information The information includes data packet detection rules and forwarding action rules corresponding to the data flow feature information.
The method of claim 16, wherein the method further comprises:

Receive second notification information fed back by the local security gateway, where the second notification information is used to indicate that the establishment of a sub-SA for user plane data transmission between the UE and the local security gateway is complete, and the second notification information The information includes data packet detection rules and forwarding action rules corresponding to the data flow feature information.
The method of claim 16, wherein the method further comprises:

After inserting the uplink classifier ULCL or the branch point BP, a NAS message is sent to the UE through the AMF device, and the NAS message includes the address of the local security gateway.
The method of claim 16, wherein the NAS message includes a service detection rule for a service data packet that needs to be transmitted from the local security gateway.
A data configuration method, characterized in that it is used in a local security gateway, the method comprising:

receiving first information, where the first information is used to obtain address information of the local security gateway;

Sending address information of the local security gateway, where the address information of the local security gateway is routing destination address information configured for a first PSA for transmitting data from a user equipment UE, and the first PSA occurs for the UE PSA after DNAI changes.
The method according to claim 21, wherein the first information comprises routing path information of an MEC server, and the routing path information is used to configure a connection between the local security gateway and the MEC server.
The method of claim 22, wherein the method further comprises:

After the connection between the local security gateway and the MEC server is established, first response information corresponding to the first information is fed back, where the first response information includes uplink tunnel information of the local security gateway.
The method of claim 21, wherein the method further comprises:

Update information is received, the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.
The method of claim 24, wherein the method further comprises:

After the establishment of the downlink tunnel between the local security gateway and the first PSA is completed, the second response information corresponding to the update information is fed back.
The method according to any one of claims 21 to 25, wherein a communication connection is established between the local security gateway and the centralized security gateway, and the method further comprises:

After receiving the first sub-SA establishment request sent by the centralized security gateway, feeding back a first sub-SA establishment response to the centralized security gateway;

receiving the context information of the sub-SA sent by the centralized security gateway, where the context information of the sub-SA is used to configure the sub-SA used for transmitting user plane data between the user equipment UE and the local security gateway;

After the establishment of the sub-SA is completed, the third response information corresponding to the context information of the sub-SA is fed back to the centralized security gateway.
The method according to claim 26, wherein the first sub-SA establishment request includes a first data characteristic of data to be encrypted and transmitted and a corresponding first SA, and the first sub-SA establishment response includes the The second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway.
The method according to any one of claims 21 to 25, wherein the local security gateway establishes a communication connection with a session management function SMF device, and the method further comprises:

After the establishment of the Internet Key Exchange Protocol IKE SA between the UE and the local security gateway is completed, first notification information is sent to the SMF device.
The method of claim 28, wherein the method further comprises:

receiving a user plane SA establishment request sent by the SMF device, where the user plane SA establishment request includes a service detection rule;

generating corresponding data flow feature information according to the service detection rule, and establishing a sub-SA between the UE and the local security gateway for user plane data transmission;

After the establishment of the sub-SA is completed, second notification information is fed back to the SMF device, where the second notification information includes a data packet detection rule and a forwarding action rule corresponding to the data flow characteristic information.
The method of claim 28, wherein the method further comprises:

After the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed, second notification information is fed back to the SMF device, where the second notification information includes data corresponding to data flow feature information Packet inspection rules and forwarding action rules.
A data configuration method, characterized in that it is used in a data configuration system, wherein the data configuration system includes a local security gateway and a network device that establishes a communication connection with the local security gateway, and the method includes:

sending, by the network device, first information to the local security gateway, where the first information is used to acquire address information of the local security gateway;

After receiving the first information, the local security gateway sends address information of the local security gateway, where the address information of the local security gateway is a routing destination address configured for the first PSA for transmitting data from the UE information, the first PSA is the PSA after the UE has undergone DNAI changes;

The network device receives the address information of the local security gateway.
A data configuration apparatus, characterized in that it is used in network equipment, the apparatus comprising:

processor;

memory for storing processor-executable instructions;

Wherein, the processor is configured to implement the method of any one of claims 1-20 when executing the instructions.
A data configuration device, characterized in that it is used in a local security gateway, the device comprising:

processor;

memory for storing processor-executable instructions;

Wherein, the processor is configured to implement the method of any one of claims 21-30 when executing the instructions.
A data configuration system, characterized in that the data configuration system includes a local security gateway and a network device that establishes a communication connection with the local security gateway:

the network device, configured to execute the method of any one of claims 1-20;

The local security gateway is configured to execute the method of any one of claims 21-30.
A non-volatile computer-readable storage medium on which computer program instructions are stored, characterized in that, when the computer program instructions are executed by a processor, the method described in any one of claims 1-20 is implemented.
A non-volatile computer-readable storage medium on which computer program instructions are stored, characterized in that, when the computer program instructions are executed by a processor, the method described in any one of claims 21-30 is implemented.