CN103250446A - Method for determining access mode of user equipment, and system and device thereof - Google Patents
- Publication number: CN103250446A
- Authority: CN (China)
- Prior art keywords: corresponding relation, user equipment, sent, access network, network discovery
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/08—Access restriction or access information delivery, e.g. discovery data delivery
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Embodiments of the present invention provide a method for determining an access mode of a user equipment (UE), and a system and device thereof. The method comprises: a data gateway acquiring access network discovery and selection function policy information corresponding to a UE, the access network discovery and selection function policy information comprising a first correspondence corresponding to the UE, and the first correspondence being a correspondence between application information and an access mode; the data gateway acquiring a second correspondence corresponding to the UE, the second correspondence being a correspondence between the application information and security information; the data gateway determining an access mode of the UE according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the UE. By means of the technical solution of the present invention, the access mode of the UE can be determined based on application information in a security scenario, thereby splitting the service flow of the UE.
Description
Method, system and device for determining the access mode of a user equipment
Technical field
The embodiments of the present invention relate to the field of communications technology, and in particular to a method, system and device for determining the access mode of a user equipment.
Background
System Architecture Evolution (SAE) is an evolved network architecture initiated by the 3rd Generation Partnership Project (3GPP). Under the SAE evolution plan, a new mobile communication network architecture that separates the control plane from the data plane has been defined, namely the Evolved Packet System (EPS).
In SAE, after an operator deploys an EPS with multiple access types, a user equipment (UE) in an environment with multiple kinds of wireless access needs to select a suitable wireless access mode according to some policy, for example signal strength or price. The operator likewise needs to recommend a suitable wireless access mode to the UE according to the current network state, such as signal strength and network load. The 3GPP organization therefore proposed the Access Network Discovery and Selection Function (ANDSF) entity. The ANDSF entity combines wireless access network information with operator policy to formulate a set of policy rules, and a suitable access mode can be selected for the UE according to those rules. For example, the ANDSF entity can specify that a UE running a File Transfer Protocol (FTP) service between 8 a.m. and 8 p.m. selects the WiFi access mode, so the UE can choose WiFi access between 8 a.m. and 8 p.m. In an EPS into which the ANDSF entity has been introduced, the technical solution for splitting the UE's service flow works as follows: the Policy Charging Rule Function (PCRF) entity interacts with the ANDSF entity to obtain the policy rules and generates Policy and Charging Control (PCC) rules from them; the Packet Data Network Gateway (PDN-GW) then selects the corresponding bearer according to the PCC rules and the UE's application information, and splits the UE's service flow.
In practice, the above technical solution, which splits the UE's service flow based on application information, cannot be applied in a security scenario. As a result the UE's access mode cannot be determined, and the UE's service flow cannot be split.
Summary of the invention
The embodiments of the present invention provide a method, a system and a packet data gateway for determining the access mode of a user equipment, to overcome the defect in the prior art that the UE's access mode cannot be determined based on application information in a security scenario.
An embodiment of the present invention provides a method for determining the access mode of a user equipment, including:
A data gateway obtains the access network discovery and selection function policy information corresponding to the user equipment; the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode;
The data gateway obtains a second correspondence corresponding to the user equipment, the second correspondence being a correspondence between the application information and security information;
The data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence and a security-protected data packet to be sent to the user equipment.
An embodiment of the present invention also provides a method for determining the access mode of a user equipment, including:
An access network discovery and selection function entity obtains the access network discovery and selection function policy information corresponding to the user equipment; the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode;
The access network discovery and selection function entity obtains a second correspondence corresponding to the user equipment, the second correspondence being a correspondence between the application information and security information;
The access network discovery and selection function entity sends the first correspondence and the second correspondence to a data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence and a security-protected data packet to be sent to the user equipment.
An embodiment of the present invention also provides a data gateway, including:
A first acquisition module, configured to obtain the access network discovery and selection function policy information corresponding to a user equipment; the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode;
A second acquisition module, configured to obtain a second correspondence corresponding to the user equipment, the second correspondence being a correspondence between the application information and security information;
A determining module, configured to determine the access mode of the user equipment according to the first correspondence, the second correspondence and a security-protected data packet to be sent to the user equipment.
An embodiment of the present invention also provides an access network discovery and selection function entity, including:
A first acquisition module, configured to obtain the access network discovery and selection function policy information corresponding to a user equipment; the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode;
A second acquisition module, configured to obtain a second correspondence corresponding to the user equipment, the second correspondence being a correspondence between the application information and security information;
A sending module, configured to send the first correspondence and the second correspondence to a data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence and a security-protected data packet to be sent to the user equipment.
An embodiment of the present invention also provides a system for determining the access mode of a user equipment, including a data gateway and an access network discovery and selection function entity;
The data gateway is configured to receive the access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment and the first correspondence is a correspondence between application information and an access mode; to receive a second correspondence corresponding to the user equipment, the second correspondence being a correspondence between the application information and security information; and to determine the access mode of the user equipment according to the first correspondence, the second correspondence and a security-protected data packet to be sent to the user equipment;
The access network discovery and selection function entity is configured to obtain the access network discovery and selection function policy information corresponding to the user equipment; to obtain the second correspondence corresponding to the user equipment; and to send the access network discovery and selection function policy information and the second correspondence to the data gateway.
With the above technical solutions, the method, system and data gateway for determining the access mode of a user equipment in the embodiments of the present invention can determine the UE's access mode based on application information in a security scenario, and so split the UE's service flow.
Brief description of the drawings
The accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. Apparently, the drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a signaling diagram of splitting a UE's service flow as provided by the prior art;
Fig. 2 is a flowchart of a method for determining a UE access mode provided by one embodiment of the present invention;
Fig. 3 is a flowchart of a method for determining a UE access mode provided by another embodiment of the present invention;
Fig. 4 is a flowchart of a method for determining a UE access mode provided by yet another embodiment of the present invention;
Fig. 5 is a flowchart of a method for determining a UE access mode provided by a further embodiment of the present invention;
Fig. 6 is a signaling diagram of a method for determining a user equipment access mode provided by one embodiment of the present invention;
Fig. 7 is a signaling diagram of a method for determining a user equipment access mode provided by yet another embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a data gateway provided by one embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a data gateway provided by another embodiment of the present invention;
Fig. 10 is a schematic structural diagram of an ANDSF entity provided by an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a system for determining a UE access mode provided by one embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some rather than all of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the invention.
The technical solutions provided in the embodiments of the present invention can be applied to various wireless communication networks, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency-Division Multiple Access (OFDMA), Single Carrier FDMA (SC-FDMA) and other networks. The terms "network" and "system" are interchangeable. A CDMA network can implement wireless technologies such as Universal Terrestrial Radio Access (UTRA) and CDMA2000. UTRA can include CDMA, WCDMA and other CDMA variants. CDMA2000 can cover the Interim Standard (IS) 2000 (IS-2000), IS-95 and IS-856 standards. A TDMA network can implement wireless technologies such as the Global System for Mobile Communication (GSM). An OFDMA network can implement wireless technologies such as Evolved UTRA (E-UTRA), Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20 and Flash OFDMA. UTRA and E-UTRA are UMTS and the evolved version of UMTS. 3GPP Long Term Evolution (LTE) and LTE Advanced (LTE-A) are new releases of UMTS that use E-UTRA. UTRA, E-UTRA, UMTS, LTE, LTE-A and GSM are described in documents of the 3GPP standards organization. CDMA2000 and UMB are described in documents of the 3GPP2 standards organization. The techniques described in the embodiments of the present invention can also be applied to the wireless networks and wireless technologies described above.
In the embodiments of the present invention, a base station (BS) can be a station that communicates with a user equipment (UE) or with other communication stations such as relay stations, and a base station can provide communication coverage for a specific physical area. The base station can provide communication coverage for a macro cell, a pico cell, a femto cell and/or other types of cell. A macro cell can cover a relatively large geographic area, for example a radius of several kilometers, and allows unrestricted access by UEs with a service subscription. A pico cell can cover a relatively small geographic area and can allow unrestricted access by UEs with a service subscription. A femto cell covers a relatively small geographic area, such as a home, and allows restricted access by UEs associated with the femto cell. A base station serving a macro cell can be called a macro base station, a base station serving a pico cell can be called a pico base station, and a base station serving a femto cell can be called a femto base station or home base station. A base station can support one or more cells.
In the embodiments of the present invention, UEs can be distributed throughout the wireless network, and each UE can be stationary or mobile. A UE can be called a terminal, a mobile station, a subscriber unit, a station and so on. A UE can be a cellular phone, a personal digital assistant (PDA), a wireless modem, a wireless communication device, a handheld device, a laptop computer, a cordless phone, a Wireless Local Loop (WLL) station and so on. A UE can communicate with macro base stations, pico base stations, femto base stations and so on.
In the embodiments of the present invention, the ANDSF entity stores ANDSF policy information. The ANDSF policy information includes the first correspondence corresponding to the UE, and the first correspondence includes the correspondence between application information and an access mode, for example: "application information A, access mode B".
In the embodiments of the present invention, the AAA server is a server used to store the second correspondence. The second correspondence includes the correspondence between security information and application information, for example: "AES C, application information A".
In the embodiments of the present invention, the data gateway can be a PDN-GW or a Gateway General Packet Radio Service (GPRS) Support Node (GGSN); as technology advances, it may also be another network element used to split service flows. Those skilled in the art should understand that the data gateway differs between network scenarios.
By way of example, the application information can be an application identifier, used to distinguish different application categories. By way of example, the application information can be a content type, such as text or video, used to distinguish different content types. By way of example, the application information can also be other information that has to be obtained by parsing the data packet and that distinguishes different data packets. The present invention does not limit the application information.
To better illustrate the embodiments of the present invention, the following description uses the scenario in which the data gateway is a PDN-GW.
Fig. 1 is a signaling diagram of splitting a UE's service flow as provided by the prior art. As shown in Fig. 1, the method for splitting the UE's service flow can specifically include the following:
100. After starting up, the UE initiates an attach request and thereby attaches to the core network. The UE transmits data through the PDN-GW in the core network;
101. The UE reports application information to an Application Function (AF) server;
For example, the UE can report the application information of the running application to the AF server through a specific signaling message, such as Session Initiation Protocol (SIP) signaling. This application information is the same as the application information involved in the communication between the UE and the correspondent node server.
102. The AF server generates session information and sends the session information to the PCRF entity;
For example, after receiving the application information sent by the UE, the AF server generates the corresponding session information (in essence, the session information also carries information that identifies the UE's application information), sets up an Rx session with the PCRF entity, and sends the session information to the PCRF entity over the Rx interface.
103. A connection is set up between the PCRF entity and the ANDSF entity, and the ANDSF policy information corresponding to the UE's application information is obtained from the ANDSF entity;
104. The PCRF entity generates PCC rules according to the obtained ANDSF policy information and sends the PCC rules to the PDN-GW;
For example, the PCRF entity sends the PCC rules to the PDN-GW over the Gx interface. These PCC rules are the PCC rules corresponding to the UE's application information. A PCC rule includes the correspondence between the UE's application information and access mode.
Alternatively, if no PCC architecture is deployed in the network, steps 103 and 104 above can be replaced by the following step 105:
105. A connection is set up between the PDN-GW and the ANDSF entity, and the PDN-GW obtains the corresponding ANDSF policy information from the ANDSF entity.
When the correspondent node server delivers to the PDN-GW a service flow to be sent to the UE, the PDN-GW can obtain the UE's application information from the service flow and then, according to the ANDSF policy information and the UE's application information, obtain the PCC rule corresponding to the UE.
Further, the method can also include:
106. The PDN-GW performs the corresponding bearer operation, for example according to the PCC rule corresponding to the application information in the service flow delivered to the UE; it can, for example, add, modify or delete the corresponding bearer, and in this way splits the received service flow that the correspondent node server sends to the UE.
For example, the PDN-GW can determine the UE's access mode according to the PCC rule and then perform the corresponding bearer operation.
The above splitting solution applies to scenarios in which the UE is not under security protection. When the UE is in a security scenario, the communication data between the UE and the correspondent node server is effectively protected, so the PDN-GW cannot learn the UE's application information, cannot determine the UE's access mode, and therefore cannot split the UE's service flow. The following technical solutions can be used to determine the UE's access mode in a security scenario and so split the UE's service flow.
Fig. 2 is a flowchart of a method for determining a UE access mode provided by one embodiment of the present invention. By way of example, the method of this embodiment is executed by the PDN-GW. As shown in Fig. 2, the method for determining the UE access mode in this embodiment includes the following:
200. Obtain the ANDSF policy information corresponding to the UE;
In this embodiment the ANDSF policy information includes the first correspondence corresponding to the UE, and the first correspondence is the correspondence between application information and an access mode.
201. Obtain the second correspondence corresponding to the UE;
In this embodiment the second correspondence is the correspondence between the application information and security information.
202. Determine the UE's access mode according to the first correspondence, the second correspondence and the security-protected data packet to be sent to the UE.
The application scenario of this embodiment is a UE in a security scenario. A security scenario means that a secure connection has been established between the UE and the correspondent node server and that the context data transmitted by the UE is protected by encryption, which protects the data transmitted by the UE from external attack.
The method of this embodiment determines the UE's access mode from the correspondence between application information and access mode, the correspondence between application information and security information, and the security-protected data packet to be sent to the UE. This technical solution overcomes the prior-art problem that the UE's access mode cannot be determined based on application information in a security scenario, so the UE's service flow can be split based on application information in a security scenario.
It should be noted that the security information in the above embodiment includes information such as key certificates, symmetric keys and security algorithms.
Fig. 3 is a flowchart of a method for determining a UE access mode provided by another embodiment of the present invention. As shown in Fig. 3, the method of this embodiment describes the technical solution in more detail on the basis of the embodiment shown in Fig. 2. The method for determining the UE access mode in this embodiment includes the following:
300. The PDN-GW receives a data packet sent by the correspondent node server;
The data packet is to be sent to the UE, and the data packet is security-protected.
301. The PDN-GW sends ANDSF policy request information carrying the UE identifier to the ANDSF entity, so that the ANDSF entity obtains the ANDSF policy information corresponding to the UE;
The UE identifier can specifically be the UE's IP address. The ANDSF policy information is the same as in the embodiment shown in Fig. 2: it includes the first correspondence corresponding to the UE, and the first correspondence includes the correspondence between application information and an access mode. The ANDSF entity can obtain the ANDSF policy information corresponding to the UE from a preset policy database. The ANDSF policy information can also include the first correspondences corresponding to multiple UEs.
The application scenario of this embodiment is again a UE in a security scenario. The meaning of the security scenario is the same as in the above embodiment; see that embodiment for details, which are not repeated here.
Optionally, before 300, the UE can exchange with the ANDSF entity some of the information needed for setting the policy information, such as the UE identifier, the UE's application information and a security information indicator; the UE identifier here can be the UE's IP address. The security information indicator identifies that the UE is in a security scenario and that the data packets sent to the UE by the correspondent node server communicating with the UE are security-protected. The ANDSF entity can therefore obtain the second correspondence corresponding to the UE from a security server after receiving the ANDSF policy request information. Alternatively, the ANDSF entity can obtain the second correspondence corresponding to the UE from the security server in advance, before 300. The second correspondence includes the correspondence between application information and security information.
302. The PDN-GW receives the ANDSF policy information and the second correspondence corresponding to the UE, both sent by the ANDSF entity;
The second correspondence in this embodiment is the same as in the embodiment shown in Fig. 2: it includes the correspondence between application information and security information.
303. The PDN-GW obtains the application information of the data packet according to the second correspondence and the security-protected data packet to be sent to the UE;
For example, the security information in the second correspondence is used to parse the security-protected data packet to be sent to the UE, and the application information of the data packet is obtained after parsing. The PDN-GW then judges whether the application information obtained after parsing corresponds to the application information in the second correspondence. If it does, parsing has succeeded, and the security information and application information of the data packet are determined to be the security information and application information in that second correspondence. If it does not, parsing has failed; if other second correspondences exist for the UE, the PDN-GW can continue parsing with the security information in those other second correspondences.
The security information in this embodiment can specifically be information such as a key certificate, a symmetric key or a security algorithm. For example, when the security information is a key certificate, the key certificate can be verified on a certificate server to obtain key information, and the data packet is parsed using that key information; when parsing succeeds, the security information is determined to be the security information corresponding to the UE. When the security information is a symmetric key, the data packet is parsed using that symmetric key; when parsing succeeds, the security information is determined to be the security information corresponding to the UE. When the security information is a security algorithm, the data packet is parsed using that security algorithm together with key information the gateway already holds; when parsing succeeds, the security information is determined to be the security information corresponding to the UE. Other similar security information can be handled in the same way as in the above examples.
304. The PDN-GW determines the UE's access mode according to the obtained application information of the data packet and the first correspondence in the ANDSF policy request information corresponding to the UE;
For example, according to the application information determined for the data packet, the access mode corresponding to that application information is obtained from the first correspondence corresponding to the UE, and this is the UE's access mode.
In the method of this embodiment, the PDN-GW obtains the application information of the data packet according to the correspondence between application information and security information and the security-protected data packet to be sent to the UE, and then determines the UE's access mode according to the correspondence between application information and access mode. This technical solution overcomes the prior-art problem that the UE's access mode cannot be determined based on application information in a security scenario, so the UE's service flow can be split based on application information in a security scenario.
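The lookup in steps 303 and 304, as an added example that is not part of the patent text: the gateway tries the security information of each second correspondence against the protected packet, accepts the first one that parses and whose application information matches, then reads the access mode from the first correspondence. The packet layout, the HMAC-based stand-in for the security algorithm, and all names, keys and table entries are assumptions constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Assumed packet layout (not from the patent): nonce(16) | ciphertext | tag(32),
# where the plaintext is len(app_info)(1) | app_info | payload.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the real security algorithm."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        msg = b"enc" + nonce + counter.to_bytes(4, "big")
        blocks += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(key: bytes, nonce: bytes, app_info: str, payload: bytes) -> bytes:
    """Correspondent-node side: build a security-protected data packet."""
    name = app_info.encode()
    plaintext = bytes([len(name)]) + name + payload
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def parse(key: bytes, packet: bytes) -> str | None:
    """Gateway side: return the application information, or None if the key does not fit."""
    if len(packet) < NONCE_LEN + 1 + TAG_LEN:
        return None
    nonce = packet[:NONCE_LEN]
    ciphertext = packet[NONCE_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong security information, or the packet was modified
    plaintext = _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))
    name_len = plaintext[0]
    if len(plaintext) < 1 + name_len:
        return None
    return plaintext[1:1 + name_len].decode(errors="replace")


@dataclass(frozen=True)
class SecondCorrespondence:
    app_info: str  # application information
    key: bytes     # security information, here a symmetric key


def determine_access_mode(packet, first, second):
    """Steps 303 and 304: return (application information, access mode)."""
    for entry in second:
        app_info = parse(entry.key, packet)
        if app_info is None:
            continue  # parsing failed: try the UE's next second correspondence
        if app_info != entry.app_info:
            continue  # parsed application information does not correspond
        return app_info, first.get(app_info)  # None if no policy for this application
    return None, None


# Constructed sample tables for one UE.
FIRST = {"ftp": "WiFi", "video": "3GPP"}
SECOND = [
    SecondCorrespondence("video", b"k-video-constructed"),
    SecondCorrespondence("ftp", b"k-ftp-constructed"),
    SecondCorrespondence("voip", b"k-voip-constructed"),
]

if __name__ == "__main__":
    pkt = protect(b"k-ftp-constructed", bytes(NONCE_LEN), "ftp", b"RETR file")
    print(determine_access_mode(pkt, FIRST, SECOND))
```

The design only works if the gateway holds the security information for the UE's traffic, so the security server and the interfaces that carry the second correspondence become part of the trust boundary.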
Security server in above-described embodiment can be certification, authorize charging(Authentication Authorization and Accounting;Hereinafter referred to as AAA) server, home subscriber server (Home Subscriber Server;Hereinafter referred to as HSS), certificate server or application server etc. others can store the server of security information and the second corresponding relation.
Fig. 4 is a flowchart of a method for determining the access mode of a UE according to yet another embodiment of the present invention. As shown in Fig. 4, the method of this embodiment describes the technical solution in further detail on the basis of the embodiment shown in Fig. 2. The method for determining the access mode of the UE in this embodiment includes the following steps:
400. The PDN-GW sends ANDSF policy request information carrying the UE identifier to the ANDSF entity, so that the ANDSF entity obtains the ANDSF policy information corresponding to the UE.
The ANDSF policy information is the same as in the embodiments shown in Fig. 2 and Fig. 3: it includes the first correspondence corresponding to the UE, and the first correspondence includes the correspondence between application information and access mode.
401. The PDN-GW receives the ANDSF policy information sent by the ANDSF entity.
402. The PDN-GW receives the data packet sent by the correspondent node server.
The data packet is to be sent to the UE; the UE is in a security scenario, and the data packet has undergone encryption protection processing.
403. The PDN-GW sends a security information request carrying the UE identifier to the security server, so that the security server obtains the second correspondence corresponding to the UE according to the UE identifier.
The second correspondence in this embodiment is the same as in the embodiments shown in Fig. 2 and Fig. 3; the second correspondence includes the correspondence between application information and security information.
404. The PDN-GW receives the second correspondence corresponding to the UE sent by the security server.
When there is no interface between the PDN-GW and the security server, in 403 the PDN-GW may send the security information request carrying the UE identifier to the security server through the PCRF entity. Correspondingly, in 404 the PDN-GW receives, through the PCRF entity, the second correspondence corresponding to the UE sent by the security server.
405. The PDN-GW obtains the application information of the data packet according to the second correspondence and the data packet that is to be sent to the UE and has undergone security protection processing.
406. The PDN-GW determines the access mode of the UE according to the application information of the data packet and the first correspondence in the ANDSF policy information corresponding to the UE.
Steps 405-406 are the same as steps 303-304 in the embodiment shown in Fig. 3; for details, refer to the description of that embodiment, which is not repeated here.
The application scenario of this embodiment is still that the UE is in a security scenario, that is, the UE has established a secure connection with the correspondent node server. The physical meaning of the security scenario is the same as in the related embodiments above; for details, refer to the description of those embodiments, which is not repeated here.
In the method for determining the access mode of a user equipment in this embodiment, the PDN-GW obtains the application information of a data packet that is to be sent to the UE and has undergone security protection processing, according to the correspondence between application information and security information, and then determines the access mode of the UE according to the correspondence between application information and access mode. The technical solution of this embodiment overcomes the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario, so that the service flow of the UE can be split based on application information in a security scenario.
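The gateway-side decision of steps 405-406, as an added example that is not part of the patent text. It assumes the security information is a symmetric key and uses a constructed packet format (nonce, ciphertext, HMAC tag) with a SHAKE-256 keystream standing in for the real protection; the function names, keys and the "WLAN"/"3GPP" labels are illustrative.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 8, 32


def _subkeys(security_info: bytes):
    """Derive separate encryption and MAC keys from one piece of security information."""
    return (hashlib.sha256(b"enc" + security_info).digest(),
            hashlib.sha256(b"mac" + security_info).digest())


def _xor_keystream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for this example only: SHAKE-256 output used as a keystream.
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(security_info: bytes, app_info: str, payload: bytes) -> bytes:
    """Correspondent node server side: nonce || ciphertext || tag (constructed format)."""
    enc_key, mac_key = _subkeys(security_info)
    nonce = os.urandom(NONCE_LEN)
    plaintext = app_info.encode() + b"\x00" + payload
    ciphertext = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def parse_app_info(security_info: bytes, packet: bytes):
    """Gateway side: return the application information carried in the packet,
    or None if the packet does not verify under this security information."""
    if len(packet) < NONCE_LEN + TAG_LEN + 1:
        return None
    enc_key, mac_key = _subkeys(security_info)
    nonce = packet[:NONCE_LEN]
    ciphertext = packet[NONCE_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = _xor_keystream(enc_key, nonce, ciphertext)
    app_info, sep, _payload = plaintext.partition(b"\x00")
    if not sep:
        return None
    try:
        return app_info.decode()
    except UnicodeDecodeError:
        return None


def determine_access_mode(first_corr: dict, second_corr: dict, packet: bytes):
    """Second correspondence -> application information -> access mode.

    Assumption: the gateway tries each entry of the second correspondence in
    turn; the text does not say how the matching entry is selected.
    """
    for app_info, security_info in second_corr.items():
        parsed = parse_app_info(security_info, packet)
        if parsed is None:
            continue  # packet was not protected with this security information
        if parsed != app_info:
            return None  # parsed application information does not match the entry
        return first_corr.get(app_info)  # None when the policy has no entry
    return None


# Constructed sample data for one UE.
FIRST_CORR = {"video": "WLAN", "voip": "3GPP"}           # application info -> access mode
SECOND_CORR = {"video": b"k-video-constructed",           # application info -> security info
               "voip": b"k-voip-constructed"}

if __name__ == "__main__":
    pkt = protect(SECOND_CORR["video"], "video", b"frame-0001")
    print(determine_access_mode(FIRST_CORR, SECOND_CORR, pkt))
```

The mismatch branch matters: a packet that verifies under one entry's security information but carries different application information yields no access mode rather than a guess.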
Fig. 5 is a flowchart of a method for determining the access mode of a UE according to a further embodiment of the present invention.
The method for determining the access mode of the UE in this embodiment may be executed by an ANDSF entity. As shown in Fig. 5, the method of this embodiment may specifically include the following steps:
500. Obtain the access network discovery and selection function policy information corresponding to the UE.
The access network discovery and selection function policy information includes the first correspondence corresponding to the UE, and the first correspondence is the correspondence between application information and access mode.
501. Obtain the second correspondence corresponding to the UE.
The second correspondence is the correspondence between the application information and security information.
502. Send the first correspondence and the second correspondence to the data gateway.
The first correspondence and the second correspondence are sent to the data gateway so that the data gateway determines the access mode of the UE according to the first correspondence, the second correspondence, and the data packet that is to be sent to the UE and has undergone security protection processing.
The ANDSF policy information in this embodiment is the same as in the embodiments shown in Fig. 2 to Fig. 4: it includes the first correspondence corresponding to the UE, and the first correspondence includes the correspondence between application information and access mode.
The data packet in this embodiment may be a security-protected data packet delivered to the UE; specifically, the data packet is sent to the PDN-GW by the correspondent node server that communicates with the UE.
The application scenario of this embodiment is still that the UE is in a security scenario, that is, the UE has established a secure connection with the correspondent node server. The physical meaning of the security scenario is the same as in the related embodiments above; for details, refer to the description of those embodiments, which is not repeated here.
In the method for determining the access mode of a user equipment in this embodiment, the obtained correspondence between application information and access mode and the correspondence between application information and security information are sent to the data gateway, so that the data gateway determines the access mode of the UE. This overcomes the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario, so that the service flow of the UE can be split based on application information in a security scenario.
Optionally, on the basis of the technical solution of the above embodiment, "obtaining the access network discovery and selection function policy information corresponding to the UE" in 501 may specifically be: obtaining, from a preset policy database, the ANDSF policy information of the UE corresponding to the UE identifier.
Optionally, on the basis of the technical solution of the above embodiment, before 501 the method may further include receiving the UE identifier, the application information of the UE and a security information indicator sent by the UE. The ANDSF entity can obtain, according to the UE identifier and the application information of the UE, the access network discovery and selection function policy information of the UE corresponding to that application information. The ANDSF entity can also learn from the security information indicator that a secure connection has been established between the UE and the correspondent node server and that the data packets transmitted between the UE and the correspondent node server are protected by encryption. For example, the UE identifier, the application information of the UE and the security information indicator may be reported by the UE to the ANDSF entity when the UE and the ANDSF entity exchange the requirement information used to set policy information.
Further optionally, similar to the PDN-GW-side method for determining the access mode of a user equipment shown in Fig. 3, in this embodiment, after the ANDSF entity receives the UE identifier, the application information of the UE and the security information indicator sent by the UE, it can learn from the security information indicator that the data packets sent by the correspondent node server to the UE are all sent in a security scenario. In this case, the ANDSF entity may obtain the second correspondence of the UE from the security server before or after the PDN-GW requests the ANDSF policy information from the ANDSF entity. The ANDSF entity may also send the obtained second correspondence to the PDN-GW. For example, refer to the following steps:
A1. Send a security information request carrying the UE identifier to the security server, so that the security server obtains the second correspondence corresponding to the UE according to the UE identifier.
A2. Receive the second correspondence corresponding to the UE sent by the security server.
A3. Send the second correspondence to the PDN-GW.
When there is no interface between the ANDSF entity and the security server, A1 may specifically be: the ANDSF entity sends the security information request carrying the UE identifier to the security server through the PCRF entity. Correspondingly, A2 may be: the ANDSF entity receives, through the PCRF entity, the second correspondence corresponding to the UE sent by the security server.
The ANDSF entity may also send the obtained second correspondence together with the ANDSF policy information to the PDN-GW.
By using the above method for determining the access mode of a user equipment, the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario can be overcome, so that the service flow of the UE can be split based on application information in a security scenario.
Fig. 6 is a signaling diagram of a method for determining the access mode of a user equipment according to an embodiment of the present invention. As shown in Fig. 6, the method of this embodiment may specifically include the following steps:
600. After the UE starts up, it attaches to the core network.
601. The UE establishes a secure connection with the correspondent node server.
In this way, subsequent data packets between the UE and the correspondent node server are all transmitted in a security scenario. The physical meaning of the security scenario is the same as in the related embodiments above; for details, refer to the description of those embodiments, which is not repeated here.
602. The UE and the ANDSF entity exchange policy information, in which the UE reports the IP address of the UE, the application information and the security information indicator to the ANDSF entity.
603. The ANDSF entity sends a security information request carrying the IP address of the UE and the application information to the AAA server.
604. The AAA server obtains the second correspondence corresponding to the UE according to the security information request, and sends the second correspondence to the ANDSF entity.
It should be noted that when there is no interface between the ANDSF entity and the AAA server, in 603 the ANDSF entity sends the security information request carrying the IP address of the UE and the application information to the AAA server through the PCRF entity. In 604 the AAA server sends the second correspondence to the ANDSF entity through the PCRF entity.
605. The ANDSF entity obtains the first correspondence from the preset policy database according to the IP address of the UE and the application information.
The first correspondence and the second correspondence in this embodiment are the same as in the embodiments shown in Fig. 2 to Fig. 5. The first correspondence includes the correspondence between application information and access mode. The second correspondence includes the correspondence between application information and security information.
606. The correspondent node server delivers to the PDN-GW the security-protected data packet that is to be sent to the UE.
Optionally, 606 may also be located between 601 and 602.
607. The PDN-GW sends ANDSF policy request information to the ANDSF entity.
608. The ANDSF entity sends the ANDSF policy information and the second correspondence to the PDN-GW. The ANDSF policy information is the same as in the embodiments shown in Fig. 2 to Fig. 5.
609. The PDN-GW parses, according to the security information in the second correspondence, the data packet that is to be sent to the UE and has undergone security protection processing, and obtains the application information of that data packet, which corresponds to the application information in the second correspondence; the PDN-GW then determines the access mode of the UE according to the first correspondence.
Step 609 is the same as steps 303-304 in the embodiment shown in Fig. 3; for details, refer to the description of that embodiment, which is not repeated here.
In summary, the method provided in this embodiment of the present invention can determine, based on application information, the access mode of a UE in a security scenario. Subsequently, a bearer creation or modification procedure can be performed according to the change of the access mode, and data packets can be transmitted according to the determined access mode, thereby implementing data splitting in a security scenario.
In the method for determining the access mode of a user equipment in this embodiment, the PDN-GW obtains the application information of a data packet that is to be sent to the UE and has undergone security protection processing, according to the correspondence between application information and security information, and then determines the access mode of the UE according to the correspondence between application information and access mode. The technical solution of this embodiment overcomes the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario, so that the service flow of the UE can be split based on application information in a security scenario.
Fig. 7 is a signaling diagram of a method for determining the access mode of a user equipment according to yet another embodiment of the present invention. As shown in Fig. 7, the method of this embodiment may specifically include the following steps:
700. After the UE starts up, it attaches to the core network.
701. The UE establishes a secure connection with the correspondent node server.
In this way, subsequent data packets between the UE and the correspondent node server are all transmitted in a security scenario. The physical meaning of the security scenario is the same as in the related embodiments above; for details, refer to the description of those embodiments, which is not repeated here.
702. The PDN-GW sends ANDSF policy request information carrying the IP address of the UE to the ANDSF entity.
703. The ANDSF entity obtains the ANDSF policy information from the preset policy database according to the ANDSF policy request information.
The ANDSF policy information in this embodiment is the same as in the embodiments shown in Fig. 2 to Fig. 6 and is not described again here.
704. The ANDSF entity sends the ANDSF policy information to the PDN-GW.
705. The correspondent node server delivers to the PDN-GW the security-protected data packet that is to be sent to the UE.
706. The PDN-GW sends a security information request carrying the IP address of the UE to the AAA server.
707. The AAA server obtains the second correspondence corresponding to the UE according to the security information request, and sends the second correspondence to the PDN-GW.
It should be noted that when there is no interface between the PDN-GW and the AAA server, in 706 the PDN-GW sends the security information request carrying the IP address of the UE to the AAA server through the PCRF entity. In 707 the AAA server sends the second correspondence to the PDN-GW through the PCRF entity.
708. The PDN-GW parses, according to the security information in the second correspondence, the data packet that is to be sent to the UE and has undergone security protection processing, and obtains the application information of that data packet, which corresponds to the application information in the second correspondence; the PDN-GW then determines the access mode of the UE according to the first correspondence.
Step 708 is the same as steps 303-304 in the embodiment shown in Fig. 3; for details, refer to the description of that embodiment, which is not repeated here.
In summary, the method provided in this embodiment of the present invention can determine, based on application information, the access mode of a UE in a security scenario. Subsequently, a bearer creation or modification procedure can be performed according to the change of the access mode, and data packets can be transmitted according to the determined access mode, thereby implementing data splitting in a security scenario.
In the method for determining the access mode of a user equipment in this embodiment, the PDN-GW obtains the application information of a data packet that is to be sent to the UE and has undergone security protection processing, according to the correspondence between application information and security information, and then determines the access mode of the UE according to the correspondence between application information and access mode. The technical solution of this embodiment overcomes the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario, so that the service flow of the UE can be split based on application information in a security scenario.
Fig. 6 and Fig. 7 above illustrate the technical solutions of the embodiments of the present invention by taking an AAA server as the security server. In practical applications, the AAA server in the above embodiments may be replaced by an HSS, an authentication server, an application server, or another server capable of storing the security information and the second correspondence.
In the embodiments of the present invention, the correspondence between security information and application information in the second correspondence, and the correspondence between application information and access mode in the first correspondence, are one-to-one correspondences; that is, one piece of security information corresponds to one piece of application information, and one piece of application information corresponds to one access mode.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be implemented by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical discs.
Fig. 8 is a schematic structural diagram of a data gateway according to an embodiment of the present invention. As shown in Fig. 8, the data gateway of this embodiment includes a first acquisition module M10, a second acquisition module M11 and a determining module M12.
In the data gateway of this embodiment, the first acquisition module M10 is configured to obtain the access network discovery and selection function policy information corresponding to the user equipment; the access network discovery and selection function policy information includes the first correspondence corresponding to the user equipment, and the first correspondence is the correspondence between application information and access mode. The second acquisition module M11 is configured to obtain the second correspondence corresponding to the user equipment; the second correspondence is the correspondence between the application information and security information. The determining module M12 is connected to the first acquisition module M10 and the second acquisition module M11 respectively, and is configured to determine the access mode of the user equipment according to the first correspondence, the second correspondence, and the data packet that is to be sent to the user equipment and has undergone security protection processing.
The data gateway of this embodiment uses the above modules to determine the access mode of the UE by the same mechanism as the related method embodiments above; for details, refer to the description of those method embodiments, which is not repeated here.
By using the above modules, the data gateway of this embodiment can determine the access mode of the UE based on application information in a security scenario, so that the service flow of the UE can subsequently be split.
Fig. 9 is a schematic structural diagram of a data gateway according to another embodiment of the present invention. As shown in Fig. 9, on the basis of the embodiment shown in Fig. 8, the data gateway of this embodiment may further specifically include the following:
In the data gateway of this embodiment, the first acquisition module M10 may include a first sending unit U101 and a first receiving unit U102. The first sending unit U101 is configured to send ANDSF policy request information carrying the UE identifier to the ANDSF entity, so that the ANDSF entity obtains the ANDSF policy information corresponding to the UE; the ANDSF policy information includes the first correspondence corresponding to the UE. The first receiving unit U102 is configured to receive the ANDSF policy information sent by the ANDSF entity. In this case, the determining module M12 is connected to the first receiving unit U102 and is configured to determine the access mode of the UE according to the second correspondence obtained by the second acquisition module M11, the first correspondence corresponding to the UE in the ANDSF policy information received by the first receiving unit U102, and the data packet that is to be sent to the UE and has undergone security protection processing.
Optionally, in the PDN-GW device of this embodiment, the second acquisition module M11 may specifically be configured to receive at least one piece of security information corresponding to the UE and the corresponding at least one second correspondence sent by the ANDSF entity; the at least one piece of security information corresponding to the UE and the corresponding at least one second correspondence are obtained by the ANDSF entity from the security server.
Further optionally, in the data gateway of this embodiment, the second acquisition module M11 may also include a second sending unit U111 and a second receiving unit U112. The second sending unit U111 is configured to send a security information request carrying the UE identifier to the security server, so that the security server obtains the second correspondence corresponding to the UE according to the UE identifier. The second receiving unit U112 is configured to receive the second correspondence corresponding to the UE sent by the security server. Correspondingly, the determining module M12 may also be connected to the second receiving unit U112, and is configured to determine the access mode of the UE according to the second correspondence received by the second receiving unit U112, the first correspondence corresponding to the UE in the ANDSF policy information obtained by the first acquisition module M10 (which may specifically be the first receiving unit U102 in the above technical solution, as shown in Fig. 9), and the data packet to be sent to the UE.
Further optionally, the second sending unit U111 may specifically be configured to send the security information request carrying the UE identifier to the security server through the PCRF entity. The second receiving unit U112 may specifically be configured to receive, through the PCRF entity, the second correspondence corresponding to the UE sent by the security server.
Optionally, the determining module M12 in the above embodiment may further include an acquiring unit U121 and a determining unit U122. The acquiring unit U121 is connected to the second receiving unit U112 and is configured to parse, according to the security information in the second correspondence received by the second receiving unit U112, the data packet that is to be sent to the user equipment and has undergone security protection processing, and to obtain the application information of that data packet. The determining unit U122 is connected to the acquiring unit U121, the second receiving unit U112 and the first receiving unit U102 respectively, and is configured to determine the access mode of the user equipment according to the first correspondence corresponding to the UE in the ANDSF policy information received by the first receiving unit U102 when the application information of the security-protected data packet to be sent to the user equipment corresponds to the application information in the second correspondence.
Optionally, the data gateway of this embodiment may also include a receiving module M13. The receiving module M13 is configured to receive the security-protected data packet sent by the correspondent node server. Specifically, the receiving module M13 is connected to the acquiring unit U121, so that the acquiring unit U121 can obtain the application information of the data packet according to the second correspondence received by the second receiving unit U112 and the security-protected data packet, to be sent to the user equipment, that is received by the receiving module M13.
It should be noted that Fig. 9 combines all of the above optional technical solutions into only one optional embodiment of the present invention. In practical applications, the above optional technical solutions may be combined in any combinable manner to form multiple optional embodiments of the present invention, which are not described in detail here.
The data gateway of this embodiment uses the above modules and units to determine the access mode of the UE; for details, refer to the description of the related method embodiments, which is not repeated here.
By using the above modules, the data gateway of this embodiment can determine the access mode of the UE based on application information in a security scenario, so that the service flow of the UE can subsequently be split.
Figure 10 is a schematic structural diagram of an access network discovery and selection function entity according to an embodiment of the present invention. As shown in Figure 10, the ANDSF entity device of this embodiment includes a first acquisition module M20, a second acquisition module M21 and a sending module M22.
In the ANDSF entity device of this embodiment, the first acquisition module M20 is configured to obtain the access network discovery and selection function policy information corresponding to the user equipment; the access network discovery and selection function policy information includes the first correspondence corresponding to the user equipment, and the first correspondence is the correspondence between application information and access mode. The second acquisition module M21 is configured to obtain the second correspondence corresponding to the user equipment; the second correspondence is the correspondence between the application information and security information. The sending module M22 is connected to the first acquisition module M20 and the second acquisition module M21 respectively, and is configured to send the first correspondence and the second correspondence to the data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and the data packet that is to be sent to the user equipment and has undergone security protection processing.
The ANDSF entity of this embodiment uses the above modules to implement the determination of the access mode of the UE; for details, refer to the description of the related method embodiments, which is not repeated here.
By using the above modules, the ANDSF entity of this embodiment makes it possible for the data gateway to determine the access mode of the UE based on application information in a security scenario, so that the service flow of the UE can subsequently be split.
Optionally, the first acquisition module M20 in the above embodiment may specifically obtain, from a preset policy database, the ANDSF policy information of the UE corresponding to the UE identifier.
Optionally, the second acquisition module M21 may include an indication receiving unit, a sending unit and a receiving unit. The indication receiving unit is configured to receive the user equipment identifier and the security information indicator of the user equipment. The sending unit is configured to send a security information request carrying the user equipment identifier to the security server, so that the security server obtains the second correspondence corresponding to the user equipment according to the user equipment identifier. The receiving unit is configured to receive the second correspondence corresponding to the user equipment sent by the security server.
The ANDSF entity of the above embodiment uses the above modules to implement the determination of the access mode of the UE; for details, refer to the description of the related method embodiments, which is not repeated here.
By using the above modules, the ANDSF entity of the above embodiment makes it possible for the data gateway to determine the access mode of the UE based on application information in a security scenario, so that the service flow of the UE can subsequently be split.
The security server in the above apparatus embodiments may likewise be an AAA server, an HSS, an authentication server, an application server, or another server capable of storing the security information and the correspondence between security information and application information.
Figure 11 is a schematic structural diagram of a system for determining the access mode of a UE according to an embodiment of the present invention. As shown in Figure 11, the system of this embodiment may include a data gateway 30 and an ANDSF entity 40.
The data gateway 30 is configured to: receive the access network discovery and selection function policy information corresponding to the user equipment, where the access network discovery and selection function policy information includes the first correspondence corresponding to the user equipment, and the first correspondence is the correspondence between application information and access mode; receive the second correspondence corresponding to the user equipment, where the second correspondence is the correspondence between the application information and security information; and determine the access mode of the user equipment according to the first correspondence, the second correspondence, and the data packet that is to be sent to the user equipment and has undergone security protection processing.
The ANDSF entity 40 is configured to: obtain the access network discovery and selection function policy information corresponding to the user equipment; obtain the second correspondence corresponding to the user equipment; and send the access network discovery and selection function policy information and the second correspondence to the data gateway.
Further, data gateway 30 is specifically for obtaining the corresponding access network discovery of user equipment and selection function policy information;The access network discovery and selection function policy information include corresponding first corresponding relation of the user equipment, and first corresponding relation is the corresponding relation of application message and access way;Corresponding second corresponding relation of the user equipment is obtained, second corresponding relation is the corresponding relation of the application message and security information;Security information in second corresponding relation parses the data message through safe protection treatment that this is sent to the user equipment, obtains the application message of the data message through safe protection treatment for being sent to the user equipment;When this be sent to the application message of the data message through safe protection treatment of the user equipment and the application message in second corresponding relation to it is corresponding when the access way of the user equipment is determined according to first corresponding relation.
Further, the ANDSF 40 is specifically configured to: obtain the access network discovery and selection function policy information corresponding to the user equipment; receive the user equipment identifier and the security information indicator of the user equipment; send a security information request carrying the user equipment identifier to a security server, so that the security server obtains the second correspondence corresponding to the user equipment according to the user equipment identifier; receive the second correspondence corresponding to the user equipment sent by the security server; and send the access network discovery and selection function policy information and the second correspondence to the data gateway.
In the system for determining the UE access mode of this embodiment, the mechanism by which the data gateway 30 and the ANDSF entity 40 determine the access mode of the UE is the same as in the related method embodiments above. For details, refer to the description of those method embodiments, which is not repeated here.
By using the data gateway 30 and the ANDSF entity 40, the system for determining the UE access mode of this embodiment can determine the access mode of the UE based on application information in a security scenario, so that the service flows of the UE can subsequently be split.
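The gateway-side procedure described above (parse the protected packet with the security information, compare the application information, then look up the access mode), together with the ANDSF fetching the second correspondence from the security server, as an added example that is not code from the patent. The protection scheme (encrypt-then-MAC built from HMAC-SHA256), the JSON inner packet with an `app` field, and all class, function and sample names are assumptions; this section does not specify them.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

NONCE_LEN, TAG_LEN = 12, 32


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: constructed stand-in for the real cipher."""
    return b"".join(
        hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((n + 31) // 32)
    )[:n]


def protect(key: bytes, inner: dict) -> bytes:
    """Sender side: encrypt-then-MAC, laid out as nonce | ciphertext | tag."""
    nonce = os.urandom(NONCE_LEN)
    plain = json.dumps(inner).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(key, nonce, len(plain))))
    tag = hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def parse_protected(key: bytes, packet: bytes) -> Optional[dict]:
    """Gateway side: verify the tag first and decrypt only if it matches."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, cipher, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(key, nonce, len(cipher))))
    try:
        inner = json.loads(plain)
    except ValueError:
        return None
    return inner if isinstance(inner, dict) else None


class SecurityServer:
    """Holds the second correspondence per UE: application info -> security info."""
    def __init__(self, table: Dict[str, Dict[str, bytes]]):
        self.table = table

    def security_info_request(self, ue_id: str) -> Dict[str, bytes]:
        return dict(self.table.get(ue_id, {}))


class DataGateway:
    def __init__(self):
        self.first: Dict[str, Dict[str, str]] = {}     # UE -> {application info: access mode}
        self.second: Dict[str, Dict[str, bytes]] = {}  # UE -> {application info: security info}

    def receive(self, ue_id: str, first: Dict[str, str], second: Dict[str, bytes]) -> None:
        self.first[ue_id], self.second[ue_id] = dict(first), dict(second)

    def determine_access_mode(self, ue_id: str, packet: bytes) -> Optional[str]:
        for app_info, key in self.second.get(ue_id, {}).items():
            inner = parse_protected(key, packet)
            if inner is None:
                continue          # this security info does not parse the packet
            if inner.get("app") != app_info:
                return None       # parsed, but the application info does not correspond
            return self.first.get(ue_id, {}).get(app_info)
        return None               # no correspondence applies; caller keeps its default


class ANDSF:
    def __init__(self, policies: Dict[str, Dict[str, str]], security_server: SecurityServer):
        self.policies, self.security_server = policies, security_server

    def provision(self, ue_id: str, security_indicator: bool, gateway: DataGateway) -> None:
        second = self.security_server.security_info_request(ue_id) if security_indicator else {}
        gateway.receive(ue_id, self.policies.get(ue_id, {}), second)


# Constructed sample data: UE id, application names, keys and modes are assumptions.
UE = "ue-001"
KEYS = {"video": b"k" * 32, "voip": b"v" * 32}
POLICY = {UE: {"video": "WLAN", "voip": "3GPP"}}


def build_gateway(security_indicator: bool = True) -> DataGateway:
    gateway = DataGateway()
    ANDSF(POLICY, SecurityServer({UE: KEYS})).provision(UE, security_indicator, gateway)
    return gateway
```

A packet whose tag fails under every provisioned security information entry yields no access mode, so forged application information cannot steer the selection.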
Those skilled in the art will also appreciate that the various illustrative logical blocks and steps listed in the embodiments of the present invention can be implemented by electronic hardware, computer software, or a combination of both. To clearly show the interchangeability of hardware and software, the various illustrative components and steps above are described generally in terms of their functions. Whether such functions are implemented in hardware or in software depends on the specific application and on the design requirements of the overall system. Those skilled in the art can use various methods to implement the described functions for each specific application, but such implementations should not be understood as going beyond the scope of protection of the embodiments of the present invention.
The various illustrative logical blocks, modules and circuits described in the embodiments of the present invention may implement or perform the described functions by means of a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of the above. The general-purpose processor may be a microprocessor; alternatively, it may be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented as a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration.
The steps of the method or algorithm described in the embodiments of the present invention may be embedded directly in hardware, in a software module of a computing device, or in a combination of the two. The software module may be stored in RAM, flash memory, ROM, EPROM, EEPROM, a register, a hard disk, a removable disk, a CD-ROM or any other form of storage medium known in the art. For example, the storage medium may be connected to the processor so that the processor can read information from the storage medium and write information to it. Alternatively, the storage medium may be integrated into the processor. The processor and the storage medium may be arranged in an ASIC, and the ASIC may be arranged in a user terminal. Alternatively, the processor and the storage medium may be arranged in different components of the user terminal.
In one or more exemplary designs, the functions described in the embodiments of the present invention may be implemented in hardware, software, firmware or any combination of the three. If implemented in software, these functions may be stored on a computer-readable medium, or transmitted over a computer-readable medium in the form of one or more instructions or code. Computer-readable media include computer storage media and communication media that facilitate the transfer of a computer program from one place to another. A storage medium may be any available medium that a general-purpose or special-purpose computer can access. For example, such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures, or in other forms readable by a general-purpose or special-purpose computer or a general-purpose or special-purpose processor. In addition, any connection may properly be termed a computer-readable medium. For example, if software is transmitted from a website, server or other remote source over a coaxial cable, fiber-optic cable, twisted pair or digital subscriber line (DSL), or wirelessly by means such as infrared, radio and microwave, these are also included in the definition of computer-readable medium. Disks and discs, as used here, include compact discs, laser discs, optical discs, DVDs, floppy disks and Blu-ray discs; disks generally reproduce data magnetically, while discs generally reproduce data optically with lasers. Combinations of the above may also be included in computer-readable media.
The foregoing description of the present invention enables those skilled in the art to use or implement the content of the present invention. Any modification based on the disclosed content should be considered obvious in the art, and the basic principles described in the present invention may be applied to other variations without departing from the essence and scope of the present invention. Therefore, the content disclosed in the present invention is not limited to the described embodiments and designs, but may be extended to the widest scope consistent with the principles of the present invention and the novel features disclosed.
Claims (17)
1. A method for determining an access mode of a user equipment, characterized by comprising: a data gateway obtaining access network discovery and selection function policy information corresponding to the user equipment, wherein the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode; the data gateway obtaining a second correspondence corresponding to the user equipment, wherein the second correspondence is a correspondence between the application information and security information; and the data gateway determining the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.

2. The method according to claim 1, characterized in that the data gateway obtaining the second correspondence corresponding to the user equipment comprises: the data gateway receiving the second correspondence corresponding to the user equipment sent by an access network discovery and selection function entity, wherein the second correspondence corresponding to the user equipment is obtained by the access network discovery and selection function entity from a security server.

3. The method according to claim 1, characterized in that the data gateway obtaining the second correspondence corresponding to the user equipment comprises: the data gateway sending a security information request carrying the user equipment identifier to a security server, so that the security server obtains the second correspondence corresponding to the user equipment according to the user equipment identifier; and the data gateway receiving the second correspondence corresponding to the user equipment sent by the security server.

4. The method according to claim 3, characterized in that the data gateway sending the security information request carrying the user equipment identifier to the security server comprises: the data gateway sending the security information request carrying the user equipment identifier to the security server via a policy and charging rules function entity; and the data gateway receiving the second correspondence corresponding to the user equipment sent by the security server comprises: the data gateway receiving the second correspondence corresponding to the user equipment sent by the security server via the policy and charging rules function entity.

5. The method according to any one of claims 1 to 4, characterized in that the data gateway determining the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet to be sent to the user equipment comprises: the data gateway parsing, according to the security information in the second correspondence, the security-protected data packet sent to the user equipment, to obtain the application information of the security-protected data packet sent to the user equipment; and, if the application information of the security-protected data packet sent to the user equipment corresponds to the application information in the second correspondence, the data gateway determining the access mode of the user equipment according to the first correspondence.

6. A method for determining an access mode of a user equipment, characterized by comprising: an access network discovery and selection function entity obtaining access network discovery and selection function policy information corresponding to the user equipment, wherein the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode; the access network discovery and selection function entity obtaining a second correspondence corresponding to the user equipment, wherein the second correspondence is a correspondence between the application information and security information; and the access network discovery and selection function entity sending the first correspondence and the second correspondence to a data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.

7. The method according to claim 6, characterized in that the access network discovery and selection function entity obtaining the second correspondence corresponding to the user equipment comprises: the access network discovery and selection function entity receiving the user equipment identifier and a security information indicator of the user equipment; the access network discovery and selection function entity sending a security information request carrying the user equipment identifier to a security server, so that the security server obtains the second correspondence corresponding to the user equipment according to the user equipment identifier; and the access network discovery and selection function entity receiving the second correspondence corresponding to the user equipment sent by the security server.

8. A data gateway, characterized by comprising: a first acquisition module, configured to obtain access network discovery and selection function policy information corresponding to a user equipment, wherein the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode; a second acquisition module, configured to obtain a second correspondence corresponding to the user equipment, wherein the second correspondence is a correspondence between the application information and security information; and a determining module, configured to determine the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.

9. The data gateway according to claim 8, characterized in that the second acquisition module is specifically configured to receive the second correspondence corresponding to the user equipment sent by an access network discovery and selection function entity, wherein the second correspondence corresponding to the user equipment is obtained by the access network discovery and selection function entity from a security server.

10. The data gateway according to claim 8, characterized in that the second acquisition module comprises: a second sending unit, configured to send a security information request carrying the user equipment identifier to a security server, so that the security server obtains the second correspondence corresponding to the user equipment according to the user equipment identifier; and a second receiving unit, configured to receive the second correspondence corresponding to the user equipment sent by the security server.

11. The data gateway according to claim 10, characterized in that: the second sending unit is specifically configured to send the security information request carrying the user equipment identifier to the security server via a policy and charging rules function entity; and the second receiving unit is specifically configured to receive the second correspondence corresponding to the user equipment sent by the security server via the policy and charging rules function entity.

12. The data gateway according to any one of claims 8 to 11, characterized in that the determining module comprises: an acquiring unit, configured to parse, according to the security information in the second correspondence, the security-protected data packet sent to the user equipment, to obtain the application information of the security-protected data packet sent to the user equipment; and a determining unit, configured to determine the access mode of the user equipment according to the first correspondence when the application information of the security-protected data packet sent to the user equipment corresponds to the application information in the second correspondence.

13. An access network discovery and selection function entity, characterized by comprising: a first acquisition module, configured to obtain access network discovery and selection function policy information corresponding to a user equipment, wherein the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode; a second acquisition module, configured to obtain a second correspondence corresponding to the user equipment, wherein the second correspondence is a correspondence between the application information and security information; and a sending module, configured to send the first correspondence and the second correspondence to a data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.

14. The access network discovery and selection function entity according to claim 13, characterized in that the second acquisition module comprises: an indicator receiving unit, configured to receive the user equipment identifier and a security information indicator of the user equipment; a sending unit, configured to send a security information request carrying the user equipment identifier to a security server, so that the security server obtains the second correspondence corresponding to the user equipment according to the user equipment identifier; and a receiving unit, configured to receive the second correspondence corresponding to the user equipment sent by the security server.

15. A system for determining an access mode of a user equipment, characterized by comprising a data gateway and an access network discovery and selection function entity; the data gateway is configured to: receive access network discovery and selection function policy information corresponding to the user equipment, wherein the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode; receive a second correspondence corresponding to the user equipment, wherein the second correspondence is a correspondence between the application information and security information; and determine the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet sent to the user equipment; the access network discovery and selection function entity is configured to: obtain the access network discovery and selection function policy information corresponding to the user equipment; obtain the second correspondence corresponding to the user equipment; and send the access network discovery and selection function policy information and the second correspondence to the data gateway.

16. The system according to claim 15, characterized in that the data gateway is specifically configured to: obtain the access network discovery and selection function policy information corresponding to the user equipment, wherein the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode; obtain a second correspondence corresponding to the user equipment, wherein the second correspondence is a correspondence between the application information and security information; parse, according to the security information in the second correspondence, the security-protected data packet sent to the user equipment, to obtain the application information of the security-protected data packet sent to the user equipment; and, when the application information of the security-protected data packet sent to the user equipment corresponds to the application information in the second correspondence, determine the access mode of the user equipment according to the first correspondence.

17. The system according to claim 15 or 16, characterized in that the access network discovery and selection function entity is specifically configured to: obtain the access network discovery and selection function policy information corresponding to the user equipment; receive the user equipment identifier and a security information indicator of the user equipment; send a security information request carrying the user equipment identifier to a security server, so that the security server obtains the second correspondence corresponding to the user equipment according to the user equipment identifier; receive the second correspondence corresponding to the user equipment sent by the security server; and send the access network discovery and selection function policy information and the second correspondence to the data gateway.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2011/083375 WO2013078678A1 (en) | 2011-12-02 | 2011-12-02 | Method for determining access mode of user equipment, and system and device thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103250446A (en) | 2013-08-14 |
CN103250446B (en) | 2015-12-02 |
Family
ID=48534650
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201180003638.5A Active CN103250446B (en) | 2011-12-02 | 2011-12-02 | Determine the method and system of subscriber equipment access way, equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103250446B (en) |
WO (1) | WO2013078678A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109756919B (en) * | 2017-11-01 | 2021-02-26 | 华为技术有限公司 | Method, device and system for processing proprietary bearer stream |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101599904A (en) * | 2009-06-26 | 2009-12-09 | 中国电信股份有限公司 | The method and system that a kind of virtual dial-up safe inserts |
CN101730192A (en) * | 2009-02-10 | 2010-06-09 | 中兴通讯股份有限公司 | Method and device for transmitting access network policy information and interaction system |
CN101945456A (en) * | 2009-07-08 | 2011-01-12 | 中兴通讯股份有限公司 | Method and system for providing access network protocol selection function by access network discovery and selection function (ANDSF) |
CN102223634A (en) * | 2010-04-15 | 2011-10-19 | 中兴通讯股份有限公司 | Method and device for controlling mode of accessing user terminal into Internet |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101577909B (en) * | 2008-05-05 | 2011-03-23 | 大唐移动通信设备有限公司 | Method, system and device for acquiring trust type of non-3GPP access system |
-
2011
- 2011-12-02 WO PCT/CN2011/083375 patent/WO2013078678A1/en active Application Filing
- 2011-12-02 CN CN201180003638.5A patent/CN103250446B/en active Active
Also Published As
Publication number | Publication date |
---|---|
WO2013078678A1 (en) | 2013-06-06 |
CN103250446B (en) | 2015-12-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10848967B2 (en) | Security anchor function in 5G systems | |
CN101878669B (en) | Switching with the method keeping radio bearer and MIP session continuity as possible of multiple mode mobile units | |
US11849389B2 (en) | Management of security contexts at idle mode mobility between different wireless communication systems | |
CN110831243B (en) | Method, device and system for realizing user plane security policy | |
CN104885519B (en) | Shunting method, user equipment, base station and access point | |
CN109565904A (en) | Technology for the secure connection via access node established between wireless device and local area network | |
CN106465227A (en) | Methods and apparatus to support network-based IP flow mobility via multiple wireless accesses for a wireless device | |
CN101754191A (en) | Method of handling handover security configuration and related communication device | |
CN103002511A (en) | Data distribution triggering method, network side equipment, user equipment and network system | |
CN102905265A (en) | Mobile equipment (ME) attaching method and device | |
CN101730150A (en) | Method for controlling network resources during service flow transfer | |
CN104335641A (en) | Method, device and system for processing data service under roaming scenario | |
CN107172684A (en) | Cut-in method and system, user equipment and network side equipment | |
CN101330740A (en) | Method for selecting gateway in wireless network | |
US8521161B2 (en) | System and method for communications device and network component operation | |
CN104469977A (en) | Mobile communication method, device and system | |
CN105165039A (en) | Mechanism for gateway discovery layer-2 mobility | |
CN102696261A (en) | Method and device for access control of user equipment | |
CN109787799A (en) | A kind of service quality QoS control method and equipment | |
CN104506406B (en) | A kind of authentication equipment | |
CN102369695A (en) | Method, apparatus and system for correlating session | |
CN111405607A (en) | Network switching method, equipment and block chain system | |
CN103686656B (en) | A kind of strategy identified based on wlan network and billing control method and system | |
CN103229525A (en) | Method, device and system for processing closed subscriber group subscription data request | |
CN101483929A (en) | Method and apparatus for obtaining interaction mode with policy making entity by non-3GPP access gateway |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 20210427 Address after: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040 Patentee after: Honor Device Co.,Ltd. Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. |