CN110417708B - Information transmission method and related equipment - Google Patents
- Publication number: CN110417708B (application CN201810391847.5A)
- Authority: CN (China)
- Prior art keywords: user plane, plane data, address, data message, protocol
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/40: Network security protocols (under H04L9/00, Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
- H04L63/162: Implementing security features at a particular protocol layer, at the data link layer (under H04L63/00, Network architectures or network communication protocols for network security)
- H04L63/164: Implementing security features at a particular protocol layer, at the network layer (under H04L63/00)
- H04L63/205: Managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved (under H04L63/00)
Abstract
The embodiments of the application disclose an information transmission method and related equipment that reduce CPU resource consumption and cost while maintaining data security. The method comprises the following steps: a central unit (CU) and a user equipment (UE) perform security negotiation to obtain a negotiation result, which indicates whether the air interface between the CU and the UE is ciphered using the Packet Data Convergence Protocol (PDCP); the CU sends a first message to a distributed unit (DU); when the negotiation result indicates that the air interface uses PDCP ciphering, the first message indicates that the user plane bearer between the CU and the DU is not to be encrypted using the Internet Protocol Security (IPSec) protocol.
Description
Technical Field
The present application relates to the field of wireless communication technologies, and in particular, to an information transmission method and a related device.
Background
When uplink data sent by a user equipment (UE) is transmitted to the core network via a base station (eNodeB, eNB), it undergoes the following encryption/decryption processes, shown in FIG. 1 as a schematic diagram of a possible existing base station encryption scheme: 1. the UE ciphers the uplink data over the air interface, protecting it during wireless transmission; 2. after receiving the uplink data from the UE, the eNB decrypts it and encrypts it again before forwarding it to the core network, protecting it during transmission over the backhaul network. Likewise, downlink data sent from the core network to the UE undergoes two encryption/decryption processes.
In the prior art, a conventional eNB can be decomposed into a central unit (CU) and a plurality of distributed units (DUs), and communication between the CU and the DUs crosses a backhaul network. To secure CU-DU communication, Internet Protocol Security (IPSec) is introduced; accordingly, to protect data transmitted between the CU and the DUs, IPSec encryption/decryption must be performed on that data in transit.
However, in the prior art, IPSec encryption/decryption consumes a large amount of CPU resources, which increases cost.
Disclosure of Invention
The embodiments of the application provide an information transmission method and related equipment that reduce CPU resource consumption and cost while maintaining data security.
A first aspect of the embodiments provides an information transmission method, comprising: a central unit (CU) and a user equipment (UE) perform security negotiation to obtain a negotiation result, which indicates whether the air interface between the CU and the UE is ciphered using the Packet Data Convergence Protocol (PDCP); the CU sends a first message to a distributed unit (DU); when the negotiation result indicates that the air interface uses PDCP ciphering, the first message indicates that the user plane bearer between the CU and the DU is not to be encrypted using the Internet Protocol Security (IPSec) protocol.
In a possible design, in a first implementation manner of the first aspect, the DU has a first interface, over which the DU performs user plane communication with the CU. The first interface is configured with a first encryption address and a first non-encryption address: the first encryption address indicates that a user plane data message is encrypted/decrypted using the IPSec protocol, and the first non-encryption address indicates that it is not. After the CU sends the first message to the DU, the method further includes: the CU receives a first response message from the DU, indicating that the address of the user plane bearer at the DU end is the first non-encryption address.
In a possible design, in a second implementation manner of the first aspect, after the CU receives the first response message from the DU, the method further includes: the CU ciphers a downlink user plane data message using the PDCP protocol; the CU sets the destination address of the downlink user plane data message to the first non-encryption address; the CU determines, according to the first non-encryption address, not to encrypt the downlink user plane data message using the IPSec protocol; and the CU sends the downlink user plane data message to the DU.
In a possible design, in a third implementation manner of the first aspect, when the negotiation result indicates that the air interface is not ciphered using the PDCP protocol, the first message instructs that the user plane bearer is to be encrypted using the IPSec protocol, and the first response message indicates that the address of the user plane bearer at the DU end is the first encryption address.
In a possible design, in a fourth implementation manner of the first aspect, when the negotiation result indicates that the air interface is not ciphered using the PDCP protocol, the method further includes: the CU sets the destination address of the downlink user plane data message to the first encryption address; the CU determines, according to the first encryption address, to encrypt the downlink user plane data message using the IPSec protocol, obtaining an encrypted downlink user plane data message; and the CU sends the encrypted downlink user plane data message to the DU.
In a possible design, in a fifth implementation manner of the first aspect, when the negotiation result indicates that the air interface is ciphered using the PDCP protocol and communication between the CU and the DU passes through a security gateway (SeGW), the method further includes: the CU ciphers a downlink user plane data message using the PDCP protocol; the CU sets the destination address of the downlink user plane data message to the first non-encryption address; and the CU sends the downlink user plane data message to the SeGW.
In a possible design, in a sixth implementation manner of the first aspect, when the negotiation result indicates that the air interface is not ciphered using the PDCP protocol and communication between the CU and the DU passes through a SeGW, the method further includes: the CU sets the destination address of the downlink user plane data message to the first encryption address; and the CU sends the downlink user plane data message to the SeGW.
In a possible design, in a seventh implementation manner of the first aspect, the CU has a second interface, over which the CU performs user plane communication with the DU. The second interface is configured with a second encryption address and a second non-encryption address: the second encryption address indicates that a user plane data message is encrypted/decrypted using the IPSec protocol, and the second non-encryption address indicates that it is not.
In a possible design, in an eighth implementation manner of the first aspect, when the negotiation result indicates that the air interface is not ciphered using the PDCP protocol, the first message carries the second encryption address.
In a possible design, in a ninth implementation manner of the first aspect, when the negotiation result indicates that the air interface is ciphered using the PDCP protocol, the first message carries the second non-encryption address.
In a possible design, in a tenth implementation manner of the first aspect, the method further includes: the CU receives a target user plane data message; when the protocol port number used by the target user plane data message lies in a first interval, the CU determines to encrypt/decrypt the target user plane data message using the IPSec protocol, and when the port number lies in a second interval, the CU determines not to; or, when the protocol used by the target user plane data message is a first protocol, the CU determines to encrypt/decrypt the target user plane data message using the IPSec protocol, and when the protocol is a second protocol, the CU determines not to.
A second aspect of the embodiments provides an information transmission method, comprising: when the air interface between a central unit (CU) and a user equipment (UE) is ciphered using the Packet Data Convergence Protocol (PDCP), a distributed unit (DU) receives a first message from the CU, the first message instructing that the user plane bearer between the CU and the DU is not to be encrypted using the Internet Protocol Security (IPSec) protocol.
In a possible design, in a first implementation manner of the second aspect, the DU has a first interface, over which the DU performs user plane communication with the CU. The first interface is configured with a first encryption address and a first non-encryption address: the first encryption address indicates that a user plane data message is encrypted/decrypted using the IPSec protocol, and the first non-encryption address indicates that it is not. When the air interface is ciphered using the PDCP protocol, the method further includes: the DU sends a first response message to the CU, indicating that the address of the user plane bearer at the DU end is the first non-encryption address.
In a possible design, in a second implementation manner of the second aspect, when the air interface is ciphered using the PDCP protocol, the method further includes: the DU receives an uplink user plane data message from the UE; the DU sets the source address of the uplink user plane data message to the first non-encryption address; the DU determines, according to the first non-encryption address, not to encrypt the uplink user plane data message using the IPSec protocol; and the DU sends the uplink user plane data message to the CU.
In a possible design, in a third implementation manner of the second aspect, when the air interface is not ciphered using the PDCP protocol, the first message instructs that the user plane bearer is to be encrypted using the IPSec protocol, and the first response message indicates that the address of the user plane bearer at the DU end is the first encryption address.
In a possible design, in a fourth implementation manner of the second aspect, when the air interface is not ciphered using the PDCP protocol, the method further includes: the DU receives an uplink user plane data message from the UE; the DU sets the source address of the uplink user plane data message to the first encryption address; the DU determines, according to the first encryption address, to encrypt the uplink user plane data message using the IPSec protocol, obtaining an encrypted uplink user plane data message; and the DU sends the encrypted uplink user plane data message to the CU.
In a possible design, in a fifth implementation manner of the second aspect, when the air interface is ciphered using the PDCP protocol and communication between the DU and the CU passes through a SeGW, the method further includes: the DU receives an uplink user plane data message from the UE; the DU sets the source address of the uplink user plane data message to the first non-encryption address; the DU determines, according to the first non-encryption address, not to encrypt the uplink user plane data message using the IPSec protocol; and the DU sends the uplink user plane data message to the SeGW.
In a possible design, in a sixth implementation manner of the second aspect, when the air interface is not ciphered using the PDCP protocol and communication between the DU and the CU passes through a SeGW, the method further includes: the DU receives an uplink user plane data message from the UE; the DU sets the source address of the uplink user plane data message to the first encryption address; the DU determines, according to the first encryption address, to encrypt the uplink user plane data message using the IPSec protocol, obtaining an encrypted uplink user plane data message; and the DU sends the encrypted uplink user plane data message to the SeGW.
In a possible design, in a seventh implementation manner of the second aspect, the CU has a second interface, over which the CU performs user plane communication with the DU. The second interface is configured with a second encryption address and a second non-encryption address: the second encryption address indicates that a user plane data message is encrypted/decrypted using the IPSec protocol, and the second non-encryption address indicates that it is not.
In a possible design, in an eighth implementation manner of the second aspect, when the air interface is ciphered using the PDCP protocol, the first message carries the second non-encryption address.
In a possible design, in a ninth implementation manner of the second aspect, when the air interface is not ciphered using the PDCP protocol, the first message carries the second encryption address.
In a possible design, in a tenth implementation manner of the second aspect, when the air interface is ciphered using the PDCP protocol, the method further includes: the DU receives an uplink user plane data message from the UE; the DU sets the destination address of the uplink user plane data message to the second non-encryption address; the DU determines, according to the second non-encryption address, not to encrypt the uplink user plane data message using the IPSec protocol; and the DU sends the uplink user plane data message to the CU.
In a possible design, in an eleventh implementation manner of the second aspect, when the air interface is not ciphered using the PDCP protocol, the method further includes: the DU receives an uplink user plane data message from the UE; the DU sets the destination address of the uplink user plane data message to the second encryption address; the DU determines, according to the second encryption address, to encrypt the uplink user plane data message using the IPSec protocol, obtaining an encrypted uplink user plane data message; and the DU sends the encrypted uplink user plane data message to the CU.
In a possible design, in a twelfth implementation manner of the second aspect, when the air interface is ciphered using the PDCP protocol and communication between the DU and the CU passes through a SeGW, the method further includes: the DU receives an uplink user plane data message from the UE; the DU sets the destination address of the uplink user plane data message to the second non-encryption address; the DU determines, according to the second non-encryption address, not to encrypt the uplink user plane data message using the IPSec protocol; and the DU sends the uplink user plane data message to the SeGW.
In a possible design, in a thirteenth implementation manner of the second aspect, when the air interface is not ciphered using the PDCP protocol and communication between the DU and the CU passes through a SeGW, the method further includes: the DU receives an uplink user plane data message from the UE; the DU sets the destination address of the uplink user plane data message to the second encryption address; the DU determines, according to the second encryption address, to encrypt the uplink user plane data message using the IPSec protocol, obtaining an encrypted uplink user plane data message; and the DU sends the encrypted uplink user plane data message to the SeGW.
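Taken together, the first and second aspects describe one exchange: the CU derives the negotiation result, sends the first message (carrying its own second address), the DU answers with the first address it will use, and from then on each side decides IPSec from the address on the packet alone. The Python below is an added example written for this page and is not the patent's own code; the message field names, the addresses and the `Packet` model are constructed, and the security negotiation with the UE is reduced to a boolean stand-in. It shows both sides' messages for both outcomes of the negotiation and checks the invariant that every backhaul packet is ciphered at least once.

```python
"""Added example, not the patent's own code: a simulation of the CU <-> DU
exchange from the first and second aspects.  Message names follow the text;
field names, addresses and the Packet model are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses.  Each user-plane interface carries an encryption
# address (IPSec applied) and a non-encryption address (IPSec not applied).
DU_FIRST_ENCRYPTION = "10.0.1.2"
DU_FIRST_NON_ENCRYPTION = "10.0.1.3"
CU_SECOND_ENCRYPTION = "10.0.2.2"
CU_SECOND_NON_ENCRYPTION = "10.0.2.3"


@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    pdcp_ciphered: bool   # ciphered on the air interface
    ipsec: bool = False   # ciphered on the CU-DU backhaul


class CU:
    def __init__(self) -> None:
        self.air_pdcp: Optional[bool] = None    # negotiation result
        self.du_address: Optional[str] = None   # from the first response message

    def security_negotiation(self, ue_pdcp_ciphering: bool) -> bool:
        """Constructed stand-in for the CU-UE negotiation: the result is
        whether the air interface uses PDCP ciphering."""
        self.air_pdcp = ue_pdcp_ciphering
        return self.air_pdcp

    def first_message(self) -> Dict[str, object]:
        """IPSec on the user plane bearer only when the air interface is not
        PDCP-ciphered; the CU's matching second address is carried along."""
        if self.air_pdcp:
            return {"bearer_ipsec": False, "cu_address": CU_SECOND_NON_ENCRYPTION}
        return {"bearer_ipsec": True, "cu_address": CU_SECOND_ENCRYPTION}

    def first_response(self, resp: Dict[str, str]) -> None:
        self.du_address = resp["du_address"]

    def downlink(self, payload: str) -> Packet:
        assert self.air_pdcp is not None and self.du_address is not None
        src = CU_SECOND_NON_ENCRYPTION if self.air_pdcp else CU_SECOND_ENCRYPTION
        pkt = Packet(src=src, dst=self.du_address, payload=payload,
                     pdcp_ciphered=self.air_pdcp)
        # The CU takes the IPSec decision from the destination address alone.
        pkt.ipsec = pkt.dst == DU_FIRST_ENCRYPTION
        return pkt


class DU:
    def __init__(self) -> None:
        self.cu_address: Optional[str] = None
        self.first_address: Optional[str] = None

    def handle_first_message(self, msg: Dict[str, object]) -> Dict[str, str]:
        """Choose the first address for the bearer and report it back."""
        self.cu_address = str(msg["cu_address"])
        self.first_address = (DU_FIRST_ENCRYPTION if msg["bearer_ipsec"]
                              else DU_FIRST_NON_ENCRYPTION)
        return {"du_address": self.first_address}

    def uplink(self, payload: str, pdcp_ciphered: bool) -> Packet:
        assert self.cu_address is not None and self.first_address is not None
        pkt = Packet(src=self.first_address, dst=self.cu_address,
                     payload=payload, pdcp_ciphered=pdcp_ciphered)
        # The DU takes the IPSec decision from the source address alone.
        pkt.ipsec = pkt.src == DU_FIRST_ENCRYPTION
        return pkt


def protected_on_backhaul(pkt: Packet) -> bool:
    """Invariant to check in review: every backhaul packet is ciphered at least once."""
    return pkt.pdcp_ciphered or pkt.ipsec


def run_exchange(air_pdcp: bool) -> Tuple[Packet, Packet]:
    """Run negotiation, first message, first response, then one packet each way."""
    cu, du = CU(), DU()
    cu.security_negotiation(air_pdcp)
    cu.first_response(du.handle_first_message(cu.first_message()))
    return cu.downlink("dl"), du.uplink("ul", pdcp_ciphered=air_pdcp)


if __name__ == "__main__":
    for air_pdcp in (True, False):
        dl, ul = run_exchange(air_pdcp)
        print(f"PDCP={air_pdcp}: downlink ipsec={dl.ipsec} dst={dl.dst}; "
              f"uplink ipsec={ul.ipsec} src={ul.src} dst={ul.dst}")
```

Because the per-packet decision is keyed only on the address, the address pair on each interface is effectively the security policy; a change to which address the DU reports in the first response message changes whether the backhaul is encrypted, which is why `protected_on_backhaul` is the property to assert in testing and to alert on in operation.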
A third aspect of the embodiments provides a central unit (CU), comprising: a first transceiver unit, configured to perform security negotiation with a user equipment (UE) to obtain a negotiation result, which indicates whether the air interface between the CU and the UE is ciphered using the Packet Data Convergence Protocol (PDCP); and a second transceiver unit, configured to send a first message to a distributed unit (DU); when the negotiation result indicates that the air interface uses PDCP ciphering, the first message indicates that the user plane bearer between the CU and the DU is not to be encrypted using the Internet Protocol Security (IPSec) protocol.
In a possible design, in a first implementation manner of the third aspect, the DU has a first interface, over which the DU performs user plane communication with the CU. The first interface is configured with a first encryption address and a first non-encryption address: the first encryption address indicates that a user plane data message is encrypted/decrypted using the IPSec protocol, and the first non-encryption address indicates that it is not. The second transceiver unit is further configured to receive a first response message from the DU, indicating that the address of the user plane bearer at the DU end is the first non-encryption address.
In a possible design, in a second implementation manner of the third aspect, the CU further includes: a processing unit, configured to cipher a downlink user plane data message using the PDCP protocol and to set the destination address of the downlink user plane data message to the first non-encryption address; and a determining unit, configured to determine, according to the first non-encryption address, that the downlink user plane data message is not encrypted using the IPSec protocol; the second transceiver unit is further configured to send the downlink user plane data message to the DU.
In a possible design, in a third implementation manner of the third aspect, when the negotiation result indicates that the air interface is not ciphered using the PDCP protocol, the first message instructs that the user plane bearer is to be encrypted using the IPSec protocol, and the first response message indicates that the address of the user plane bearer at the DU end is the first encryption address.
In a possible design, in a fourth implementation manner of the third aspect, when the negotiation result indicates that the air interface is ciphered using the PDCP protocol and communication between the CU and the DU passes through a security gateway (SeGW), the CU further includes: the processing unit, further configured to cipher a downlink user plane data message using the PDCP protocol and to set the destination address of the downlink user plane data message to the first non-encryption address; and a third transceiver unit, configured to send the downlink user plane data message to the SeGW.
In a possible design, in a fifth implementation manner of the third aspect, the CU has a second interface, over which the CU performs user plane communication with the DU. The second interface is configured with a second encryption address and a second non-encryption address: the second encryption address indicates that a user plane data message is encrypted/decrypted using the IPSec protocol, and the second non-encryption address indicates that it is not.
A fourth aspect of the embodiments provides a distributed unit (DU), comprising: a first transceiver unit, configured to receive a first message from a central unit (CU) when the air interface between the CU and a user equipment (UE) is ciphered using the Packet Data Convergence Protocol (PDCP), the first message indicating that the user plane bearer between the CU and the DU is not to be encrypted using the Internet Protocol Security (IPSec) protocol.
In a possible design, in a first implementation manner of the fourth aspect, the DU has a first interface, over which the DU performs user plane communication with the CU. The first interface is configured with a first encryption address and a first non-encryption address: the first encryption address indicates that a user plane data message is encrypted/decrypted using the IPSec protocol, and the first non-encryption address indicates that it is not. When the air interface is ciphered using the PDCP protocol, the first transceiver unit is further configured to send a first response message to the CU, indicating that the address of the user plane bearer at the DU end is the first non-encryption address.
In a possible design, in a second implementation manner of the fourth aspect, when the air interface is ciphered using the PDCP protocol, the DU further includes: the second transceiver unit, further configured to receive an uplink user plane data message from the UE; the processing unit, configured to set the source address of the uplink user plane data message to the first non-encryption address; and the determining unit, further configured to determine, according to the first non-encryption address, that the uplink user plane data message is not encrypted using the IPSec protocol; the first transceiver unit is further configured to send the uplink user plane data message to the CU.
In a possible design, in a third implementation manner of the fourth aspect, when the air interface is ciphered using the PDCP protocol and communication between the DU and the CU passes through a SeGW, the DU further includes: the second transceiver unit, further configured to receive an uplink user plane data message from the UE; the processing unit, further configured to set the source address of the uplink user plane data message to the first non-encryption address; and the determining unit, further configured to determine, according to the first non-encryption address, that the uplink user plane data message is not encrypted using the IPSec protocol; the third transceiver unit is further configured to send the uplink user plane data message to the SeGW.
In a possible design, in a fourth implementation manner of the fourth aspect, the CU has a second interface, over which the CU performs user plane communication with the DU. The second interface is configured with a second encryption address and a second non-encryption address: the second encryption address indicates that a user plane data message is encrypted/decrypted using the IPSec protocol, and the second non-encryption address indicates that it is not. When the air interface is ciphered using the PDCP protocol, the DU further includes: the second transceiver unit, further configured to receive an uplink user plane data message from the UE; the processing unit, further configured to set the destination address of the uplink user plane data message to the second non-encryption address; and the determining unit, further configured to determine, according to the second non-encryption address, that the uplink user plane data message is not encrypted using the IPSec protocol; the first transceiver unit is further configured to send the uplink user plane data message to the CU.
A fifth aspect of the application provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of the above aspects.
A sixth aspect of the application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the above aspects.
The technical solution of the embodiments has the following advantages. A central unit (CU) and a user equipment (UE) perform security negotiation to obtain a negotiation result, which indicates whether the air interface between the CU and the UE is ciphered using the PDCP protocol; the CU sends a first message to a distributed unit (DU); when the negotiation result indicates that the air interface uses PDCP ciphering, the first message indicates that the user plane bearer between the CU and the DU is not to be encrypted using the IPSec protocol. Thus, when the negotiation between the CU and the UE results in the air interface using PDCP ciphering, the CU notifies the DU that the user plane bearer between the CU and the DU is not to be encrypted using the IPSec protocol, so that data security is maintained while CPU resource consumption and cost are reduced.
Drawings
FIG. 1 is a schematic diagram of a possible conventional encryption scheme of a base station;
FIG. 2 is a schematic diagram of a possible function provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of a possible data encryption transmission provided by an embodiment of the present application;
FIG. 4a is a flowchart of a possible information transmission method provided by an embodiment of the present application;
FIG. 4b is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 4c is a schematic diagram of a possible interface provided by an embodiment of the present application;
FIG. 4d is a schematic diagram of a possible data packet transmission provided by an embodiment of the present application;
FIG. 5a is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 5b is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 6a is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 6b is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 7a is a schematic diagram of another possible data encryption transmission provided by an embodiment of the present application;
FIG. 7b is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 7c is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 8a is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 8b is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 9a is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 9b is a flowchart of another possible information transmission method provided by an embodiment of the present application;
FIG. 10 is a schematic diagram of an embodiment of a possible central unit provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of an embodiment of a possible distributed unit provided by an embodiment of the present application;
FIG. 12 is a schematic block diagram of a communication device according to an embodiment of the present application;
FIG. 13 is a schematic structural diagram of a communication device according to an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a system according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides an information transmission method and related equipment, which are used for reducing the consumption of CPU resources and accelerating the running speed of a system while ensuring the data security.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments.
As the wireless base station continues to evolve, there is a demand to re-split the eNB function. The function of the eNB node is divided into a CU part and a DU part, and the two parts are deployed separately at remote locations: the DU part is deployed at the position of the original access network, and the CU part is moved upwards to be close to the core network. In addition, fig. 2 is a possible functional diagram provided by the present application. In fig. 2, the air interface of the eNB adopts a layered structure, layered from top to bottom as Radio Resource Control (RRC), PDCP, Radio Link Control (RLC), Media Access Control (MAC) and physical layer (PHY), and the eNB is connected to the Evolved Packet Core (EPC) through an S1 interface for signaling or data transmission. Under the eNB re-split architecture, the RRC and PDCP of the original eNB are deployed on the CU, and the RLC, MAC and PHY are deployed on the DU; the CU and the EPC are connected through the S1 interface, and the CU and the DU are connected through a newly introduced interface Itf-CuDu to transmit signaling or data. It should be noted that the naming of the new interface is not limited in this application.
In the eNB re-split scenario, in the process of delivering user data transmitted by the UE to the CU, the following encryption/decryption processes need to be performed. Fig. 3 is a schematic diagram of a possible data encryption transmission, in which the user data flow goes from the UE through the DU to the CU, where:
air interface encryption is carried out between the UE and the CU to ensure the security of user data in the wireless transmission process; it should be noted that air interface encryption/decryption is handled by PDCP in the 3GPP protocol, so corresponding processing modules are arranged on the UE and the CU to be responsible for PDCP encryption and PDCP decryption;
the IPSec protocol is introduced between the CU and the DU for encryption to ensure the security of user data transmission between the CU and the DU, so corresponding processing modules are arranged on the DU and the CU to be responsible for IPSec encryption and IPSec decryption.
It should be noted that, in many scenarios, UE-to-CU user data has been encrypted by using PDCP, and the user data is transmitted over CU-DU interface, and from the viewpoint of user data security, it is unnecessary to use IPSec encryption again, and IPSec encryption and decryption also consume a lot of CPU resources. In view of this, an embodiment of the present application provides a data encryption method, which is applicable to a plurality of application scenarios, including:
a: when communication between CU and DU does not pass through SeGW:
scene 1: a DU-side specific IP address is configured on the first interface of the DU side to establish a user plane bearer, where the DU-side specific IP address is used to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol, for example, the DU-side specific IP address includes a first encrypted address and a first non-encrypted address, where the first encrypted address is used to instruct encryption/decryption processing on the user plane data packet using the IPSec protocol, the first non-encrypted address is used to instruct encryption/decryption processing on the user plane data packet without using the IPSec protocol, and the first interface is an interface for user plane communication between the DU and the CU; in addition, the IP address on the second interface on the CU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol, where the second interface is an interface for the CU to perform user plane communication with the DU;
scene 2: a first interface of the DU side is configured with a DU side specific IP address to establish a user plane bearer, and a second interface of the CU side is also configured with a CU side specific IP address to establish the user plane bearer, where the CU side specific IP address is used for distinguishing whether the user plane bearer between the CU and the DU is encrypted by using the IPSec protocol; for example, the CU side specific IP address comprises a second encrypted address and a second non-encrypted address, where the second encrypted address is used for indicating that the user plane data message is encrypted/decrypted by using the IPSec protocol, and the second non-encrypted address is used for indicating that the user plane data message is not encrypted/decrypted by using the IPSec protocol;
scene 3: the second interface of the CU side is configured with a CU side specific IP address to establish the user plane bearer, and the IP address on the first interface of the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted by using an IPSec protocol or not.
B: when communication between CU and DU passes through SeGW:
scene 4: a first interface at the DU side is configured with a specific IP address at the DU side to establish a user plane bearer, and the IP address at a second interface at the CU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted by an IPSec protocol or not;
scene 5: a first interface of the DU side is configured with a specific IP address of the DU side to establish a user plane bearer, and a second interface of the CU side is also configured with a specific IP address of the CU side to establish a user plane bearer;
scene 6: the second interface of the CU side is configured with a CU side specific IP address to establish the user plane bearer, and the IP address on the first interface of the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted by using an IPSec protocol or not.
Based on the above-described scenarios, the following description will be made separately with reference to specific embodiments.
Referring to fig. 4a and 4b, an embodiment of a method in scene 1 according to the embodiment of the present application is described, which specifically includes:
401. The CU and the UE carry out security negotiation to obtain a negotiation result.
And the CU and the UE carry out security negotiation and obtain a negotiation result, wherein the negotiation result is used for indicating whether an air interface between the CU and the UE uses PDCP protocol encryption or not, and the air interface is an interface between the UE and the base station.
It should be noted that there are various ways for the CU to perform security negotiation with the UE to obtain a negotiation result, including: the UE sends algorithm set information to the CU, wherein the algorithm set information comprises information of the algorithms supported by the UE; the CU receives the algorithm set information, compares the algorithms in the algorithm set information with the algorithms supported by the CU, and determines an intersection algorithm, wherein the intersection algorithm is the algorithm supported by both the CU and the UE. It is to be understood that the intersection algorithm may include one or more algorithms. When the intersection algorithm includes one algorithm, the CU sends information of the intersection algorithm to the UE; if the intersection algorithm is a ciphering algorithm, the negotiation result is that the air interface between the CU and the UE uses PDCP protocol ciphering, and if the intersection algorithm is an algorithm without encryption, the negotiation result is that the air interface between the CU and the UE does not use PDCP protocol encryption. When the intersection algorithm comprises a plurality of algorithms, the CU can select one encryption algorithm from the plurality of algorithms to send to the UE, in which case the negotiation result is that the air interface uses the PDCP protocol for encryption; or the CU may select any algorithm from the plurality of algorithms to send to the UE, and if the selected algorithm is a ciphering algorithm, the negotiation result is that the air interface uses the PDCP protocol for ciphering, otherwise the negotiation result is that the air interface does not use PDCP protocol encryption. In summary, there are various ways for the CU to perform the security negotiation with the UE to obtain the negotiation result, and the method is not limited herein.
It is understood that the security negotiation between the CU and the UE may produce different results, and the subsequent procedures for each result are different and independent from each other. Therefore, after the CU obtains the negotiation result, if the negotiation result indicates that the air interface between the CU and the UE uses the PDCP protocol for ciphering, steps 402 to 411 in fig. 4a are executed; if the negotiation result indicates that the air interface between the CU and the UE does not use PDCP protocol ciphering, steps 412 to 421 in fig. 4b are executed. The method comprises the following specific steps:
402. the CU sends first indication information to the DU.
When the negotiation result indicates that the air interface uses the PDCP protocol for encryption, the CU sends a first message to the DU through a first control plane interface, the first message carries first indication information, the first indication information is used for indicating that the user plane bearer between the CU and the DU does not use the IPSec protocol for encryption, and the first control plane interface is an interface for the CU and the DU to perform control plane communication. For ease of understanding, a 1-bit encryption indication bit may be set in the first message: when the encryption indication bit is set to 0, it indicates that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol; when the encryption indication bit is set to 1, the user plane bearer between the CU and the DU is encrypted using the IPSec protocol. Optionally, a 2-bit encryption indication field may also be set in the first message: when it is set to 01, it indicates that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol; when it is set to 10, it indicates that the user plane bearer between the CU and the DU is encrypted using the IPSec protocol. The manner in which the CU indicates to the DU whether the user plane bearer uses IPSec protocol encryption is therefore not limited in this application.
The user plane bearer between the CU and the DU may be understood as a GTP-U tunnel established between the CU and the DU for transmitting the user plane data stream.
It should be noted that the first message may be a user plane bearer establishment request message, or may also be other existing messages or new messages, which is not limited in the present application.
In addition, when the first message is a user plane bearer establishment request message, the first message may carry a user plane address of the CU side.
403. The DU sends first response information to the CU.
It should be noted that the first interface on the DU side is configured with a DU-side specific IP address for establishing a user plane bearer with the CU, and the DU-side specific IP address is used to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol. For ease of understanding, please refer to fig. 4c, which is a schematic diagram of a possible DU-side interface provided in an embodiment of the present application, where the first interface is an interface on the DU side for communicating with the CU, and the first interface includes at least two specific user plane IP addresses, that is, a first encrypted address and a first non-encrypted address. The first encrypted address is used in an IPSec communication scenario and indicates that the IPSec protocol is used to encrypt/decrypt the user plane data packet; the first non-encrypted address is used in a non-IPSec communication scenario and indicates that the user plane data packet is not encrypted/decrypted using the IPSec protocol. It should be noted that fig. 4c is only an exemplary illustration, and the first interface, the first encrypted address and the first non-encrypted address can be understood as logical concepts that are not necessarily physically present.
Therefore, after receiving first indication information carried by a first message sent by a CU, the DU determines that IPSec encryption is not required for user plane bearer between the DU and the CU according to the first indication information, and selects a first non-encrypted address as a user plane address of a first interface to establish a GTP-U tunnel, which is the user plane bearer between the CU and the DU, and sends a first response message in response to the first message to the CU, where the first response message carries first response information, and the first response message includes the first non-encrypted address, so as to indicate to the CU that an address of the user plane bearer between the DU and the CU at the DU end is the first non-encrypted address.
The first response message may be a user plane bearer establishment response message, or may be another existing message or a new message, which is not limited in this application. Therefore, when the DU obtains the user plane address of the CU side and the CU obtains the user plane address of the DU side, the establishment of the user plane bearer between the CU and the DU is achieved.
404. The UE sends a first uplink user plane data message to the DU.
it should be noted that, after the bearers between the CU and the DU and the bearers between the UE and the core network are established, the UE transmits the user plane data to the core network through the DU and the CU. Specifically, when the negotiation result between the CU and the UE is that the air interface between the CU and the UE uses the PDCP protocol for ciphering, the UE performs PDCP ciphering on the first uplink user plane data packet, and sends the ciphered first uplink user plane data packet to the DU through the air interface.
405. The DU determines that the first uplink user plane data packet is not encrypted using the IPSec protocol.
406. And the DU sends a first uplink user plane data message to the CU.
To facilitate understanding of the present application, please refer to fig. 4d, which is a schematic diagram of a possible packet transmission, in which a UE sends out a packet, the packet will have the address of the UE as a source address, the address of an internet server to be reached is a destination address, the UE transmits the packet to an eNB, the eNB encapsulates the packet into a GTP packet that can be transmitted in a GTP tunnel, and the source address of the packet is replaced with the address of the eNB, and the destination address is replaced with the address of a Serving Gateway (SGW) to be reached. When the data packet arrives at the SGW, the source address of the data packet is changed to the address of the SGW, the destination address of the data packet is changed to the address of a PDN gateway (P-GW), and the transmitted tunnel is changed from the S1 GTP tunnel to the S5 GTP tunnel. And when the data packet reaches the P-GW, the P-GW unlocks the data packet to obtain the real destination address of the data packet, and then transmits the data packet to a server corresponding to the destination address so as to finish uploading of the data packet from the UE to the Internet.
Therefore, after receiving the first uplink user plane data message sent by the UE after PDCP ciphering, the DU uses the first non-ciphered address as the source address of the first uplink user plane data message to complete the GTP-U tunnel encapsulation. And the DU determines not to use an IPSec protocol to encrypt the first uplink user plane data message according to the first non-encrypted address, and directly sends the first uplink user plane data message to the CU through a first interface at the DU side.
407a, CU determines not to decrypt the first uplink user plane data packet using IPSec protocol.
407b, the CU sends the first uplink user plane data packet to the SGW.
After a CU receives a first uplink user plane data message which is not encrypted by using an IPSec protocol through a second interface at the CU side, the CU carries out GTP-U decapsulation on the first uplink user plane data message to obtain a decapsulated first uplink user plane data message, and then directly carries out subsequent processing, wherein the subsequent processing comprises the following steps: the CU uses a PDCP protocol to perform air interface decryption on the first uplink user plane data message, and encrypts the first uplink user plane data message again before sending the first uplink user plane data message to the SGW, so as to ensure the transmission security of the first uplink user plane data message between the CU and the SGW. Therefore, the CU sends the first uplink user plane data packet after the subsequent processing to the SGW.
408a. The SGW sends the first downlink user plane data message to the CU.
408b, the CU determines not to encrypt the first downstream user plane data packet using the IPSec protocol.
409. And the CU sends a first downlink user plane data message to the DU.
And when the core network needs to send a first downlink user plane data message to the UE through the CU and the DU, the CU receives the first downlink user plane data message from the core network. And if the negotiation result of the CU and the UE is that the air interface between the CU and the UE needs to use the PDCP protocol for encryption, the CU also needs to carry out PDCP encryption processing on the first downlink data.
In addition, the CU uses the first non-encrypted address as the destination address of the first downlink user plane data message to complete the encapsulation of the GTP-U tunnel. And the CU determines not to use an IPSec protocol to encrypt the first downlink user plane data message according to the first non-encrypted address, and directly sends the first downlink user plane data message to the DU through a second interface at the CU side.
410. The DU determines not to decrypt the first downlink user plane data packet using the IPSec protocol.
411. And the DU sends a first downlink user plane data message to the UE.
After the DU receives a first downlink user plane data packet that is not encrypted by using the IPSec protocol through a first interface on the DU side, it can determine not to decrypt the first downlink user plane data packet by using the IPSec protocol according to the format of the first downlink user plane data packet, and then directly perform GTP-U decapsulation on the first downlink user plane data packet to obtain the decapsulated first downlink user plane data packet, and perform subsequent processing, where the subsequent processing includes: and sending the first downlink user plane data message to the UE through an air interface, so that the UE decrypts the first downlink user plane data message by using a PDCP protocol to obtain the decrypted first downlink user plane data message.
It should be noted that, in the present application, the transmission of the first uplink user plane data packet from the UE to the SGW is implemented through steps 404 to 407b, and the transmission of the first downlink user plane data packet from the SGW to the UE is implemented through steps 408a to 411, where there is no sequence of steps between the two processes, that is, steps 404 to 407b may be executed first, or steps 408a to 411 may be executed first, or executed simultaneously, and a specific example is not limited herein.
If the negotiation result indicates that the air interface between the CU and the UE does not use PDCP protocol ciphering, please refer to fig. 4b, which specifically includes:
412. the CU sends second indication information to the DU.
And when the negotiation result indicates that the air interface does not use the PDCP protocol encryption, a first message sent by the CU to the DU through the first control plane interface carries second indication information, and the second indication information is used for indicating that the user plane bearer between the CU and the DU uses the IPSec protocol encryption.
413. The DU sends second response information to the CU.
After receiving second indication information carried by a first message sent by a CU, the DU determines that IPSec encryption is required for user plane bearer between the DU and the CU according to the second indication information, and uses a first encryption address as a user plane address of a first interface to establish the user plane bearer between the CU and the DU, namely a GTP-U tunnel, and sends a first response message carrying second response information to the CU, wherein the second response information comprises the first encryption address so as to indicate the address of the user plane bearer between the DU and the CU at the DU end as the first encryption address to the CU.
414. The UE sends a second uplink user plane data message to the DU.
specifically, when the negotiation result between the CU and the UE is that the air interface between the CU and the UE does not use the PDCP protocol for ciphering, the UE does not perform the PDCP ciphering on the second uplink user plane data packet, but directly sends the second uplink user plane data packet to the DU through the air interface.
415. The DU determines to encrypt the second uplink user plane data packet using the IPSec protocol.
416. And the DU sends a second uplink user plane data message to the CU.
Therefore, after the DU receives the second uplink user plane data packet sent by the UE, the DU uses the first encrypted address as the source address of the second uplink user plane data packet to complete the GTP-U tunnel encapsulation. And the DU determines to encrypt the second uplink user plane data message by using an IPSec protocol according to the first encryption address so as to obtain the second uplink user plane data message after IPSec encryption, so as to finish the IPSec encryption of the second uplink user plane data message. Therefore, the DU directly sends the IPSec-encrypted second uplink user plane data packet to the CU through the first interface on the DU side.
417a, the CU determines to decrypt the second uplink user plane data packet using the IPSec protocol.
417b, the CU sends a second uplink user plane data packet to the SGW.
And after receiving the second uplink user plane data message through the second interface at the CU side, the CU decrypts the second uplink user plane data message by using the IPSec protocol, and then decapsulates the GTP-U tunnel to obtain the decapsulated second uplink user plane data message. Before sending the decapsulated second uplink user plane data packet to the SGW, the CU performs subsequent processing on the second uplink user plane data packet, where the subsequent processing may include: and encrypting the second uplink user plane data message by using an IPSec protocol according to the security configuration between the CU and the SGW so as to ensure the transmission security of the second uplink user plane data message between the CU and the core network.
And then the CU sends the second uplink user plane data message after the subsequent processing to the SGW.
418a, the SGW sends a second downlink user plane data message to the CU.
418b, the CU determines to encrypt the second downlink user plane data packet using the IPSec protocol.
419. And the CU sends a second downlink user plane data message to the DU.
And when the core network needs to send a second downlink user plane data message to the UE through the CU and the DU, the CU receives the second downlink user plane data message from the core network. And the CU determines not to use the PDCP protocol to encrypt the second downlink user plane data message according to the negotiation result.
In addition, the CU uses the first encryption address as the destination address of the second downlink user plane data message to complete the encapsulation of the GTP-U tunnel. And the CU determines that the second downlink user plane data message needs to be encrypted by using an IPSec protocol according to the first encryption address to obtain the IPSec-encrypted second downlink user plane data message. And the second downlink user plane data message encrypted by the IPSec is sent to the DU through a second interface at the CU side.
420. And the DU determines to decrypt the second downlink user plane data message by using the IPSec protocol.
421. And the DU sends a second downlink user plane data message to the UE.
After receiving the second downlink user plane data message through the first interface at the DU side, the DU decrypts the second downlink user plane data message by using the IPSec protocol, and then decapsulates the GTP-U tunnel to obtain the decapsulated second downlink user plane data message. The DU then performs subsequent processing on the decapsulated second downlink user plane data message, wherein the subsequent processing comprises: sending the decapsulated second downlink user plane data message to the UE through the air interface, wherein the UE does not need to decrypt the decapsulated second downlink user plane data message by using the PDCP (packet data convergence protocol).
It should be noted that, in this application, the transmission of the second uplink user plane data packet from the UE to the core network is implemented through steps 414 to 417b, and the transmission of the second downlink user plane data packet from the core network to the UE is implemented through steps 418a to 421, where there is no fixed order between the two processes, that is, steps 414 to 417b may be executed first, steps 418a to 421 may be executed first, or the two processes may be executed simultaneously, and a specific example is not limited herein.
Optionally, in this embodiment of the present application, a first encryption address and a first non-encryption address are configured in the first interface of the DU to distinguish whether the user plane data stream needs IPSec encryption. It can be understood that, in practical applications, there are various ways to distinguish whether IPSec encryption is required for a user plane data stream, including: differentiation based on protocol port number, for example, port numbers 10000 to 29999 are used for the user plane data stream requiring IPSec encryption, and port numbers 30000 to 49999 are used for the user plane data stream not requiring IPSec encryption; or differentiation based on protocol type, for example, the GTPU protocol is used for user plane data streams requiring IPSec encryption, and the UDP protocol is used for user plane data streams not requiring IPSec encryption. Therefore, there are various ways to distinguish whether IPSec encryption is required, and the details are not limited herein.
It should be noted that the embodiments of the present application may be implemented not only in the network architecture of LTE, but also in the network architectures of the 5G radio access network, the Universal Mobile Telecommunications System (UMTS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), and the like.
In the embodiment of the application, whether IPSec encryption/decryption is used for transmission of the user plane data stream in the CU-DU interface can be flexibly determined according to whether the UE air interface carries out PDCP encryption or not, namely when the UE air interface carries out PDCP encryption, the IPSec encryption/decryption is not used for transmission of the user plane data stream in the CU-DU interface; when the UE air interface does not carry out PDCP encryption, the IPSec encryption/decryption is needed to be used for transmitting the user plane data flow in the CU-DU interface, so that the IPSec encryption/decryption is more flexibly carried out while the safety of the user data is ensured, the consumption of CPU resources is reduced, and the running speed of the system is accelerated.
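As an added illustration that is not the patent's own code, the following Python models the scene 1 procedure end to end: the CU/UE algorithm-set negotiation of step 401, the 1-bit encryption indication of step 402, the DU-side address selection of step 403, and the per-packet IPSec decision the DU and CU derive from the bearer address in steps 405 to 410. The algorithm names ("nea0" as the null, no-ciphering algorithm), IP addresses and TEID values are constructed assumptions; the final check asserts the invariant the scheme depends on, namely that user data never crosses the CU-DU bearer without either PDCP or IPSec covering it.

```python
from dataclasses import dataclass

# Constructed identifiers (not from the patent): "nea0" stands for the null
# algorithm (no ciphering); "nea1"/"nea2" stand for real ciphering algorithms.
NULL_CIPHER = "nea0"


def negotiate(ue_algorithms, cu_algorithms):
    """Step 401: the CU intersects the UE's algorithm set with its own.
    If a ciphering algorithm is in the intersection the CU selects it (air
    interface uses PDCP ciphering); only when the null algorithm is the sole
    common choice does the air interface go unciphered.
    Returns (selected_algorithm, air_interface_uses_pdcp_ciphering)."""
    intersection = [a for a in ue_algorithms if a in cu_algorithms]
    if not intersection:
        raise ValueError("no algorithm supported by both the CU and the UE")
    ciphers = [a for a in intersection if a != NULL_CIPHER]
    selected = ciphers[0] if ciphers else NULL_CIPHER
    return selected, selected != NULL_CIPHER


def build_first_message(pdcp_ciphered, cu_user_plane_addr):
    """Step 402: 1-bit encryption indication, 0 = CU-DU bearer NOT IPSec
    encrypted (the air interface already has PDCP), 1 = IPSec encrypted."""
    return {"ipsec_indication": 0 if pdcp_ciphered else 1,
            "cu_user_plane_addr": cu_user_plane_addr}


@dataclass(frozen=True)
class DuFirstInterface:
    """Scene 1: the DU-side first interface carries two DU-side specific
    user plane addresses, one per protection mode (constructed values)."""
    encrypted_addr: str
    non_encrypted_addr: str

    def select_bearer_address(self, first_message):
        """Step 403: the DU answers with the address encoding the indication."""
        if first_message["ipsec_indication"] == 0:
            return self.non_encrypted_addr
        return self.encrypted_addr

    def requires_ipsec(self, addr):
        """Steps 405/410: the bearer address alone decides IPSec handling.
        An address outside the configured pair is rejected instead of being
        silently treated as an unprotected bearer."""
        if addr == self.encrypted_addr:
            return True
        if addr == self.non_encrypted_addr:
            return False
        raise ValueError(f"{addr} is not a configured user plane address")


@dataclass(frozen=True)
class GtpUPacket:
    src: str
    dst: str
    teid: int
    payload: bytes
    pdcp_ciphered: bool     # payload ciphered by PDCP over the air?
    ipsec_protected: bool   # tunnel packet IPSec-protected on the CU-DU link?


def du_uplink(iface, du_addr, cu_addr, teid, payload, pdcp_ciphered):
    """Steps 404-406: GTP-U encapsulation with the bearer address as source;
    the IPSec decision follows from that address."""
    return GtpUPacket(src=du_addr, dst=cu_addr, teid=teid, payload=payload,
                      pdcp_ciphered=pdcp_ciphered,
                      ipsec_protected=iface.requires_ipsec(du_addr))


def cu_downlink(iface, du_addr, cu_addr, teid, payload, pdcp_ciphered):
    """Steps 408b-409: bearer address as destination. The CU applies the same
    address rule it learned from the first response message."""
    return GtpUPacket(src=cu_addr, dst=du_addr, teid=teid, payload=payload,
                      pdcp_ciphered=pdcp_ciphered,
                      ipsec_protected=iface.requires_ipsec(du_addr))


def protected_on_cu_du_link(pkt):
    """Invariant the scheme relies on: at least one layer covers the data."""
    return pkt.pdcp_ciphered or pkt.ipsec_protected


def run_scene1(ue_algorithms, cu_algorithms, iface, cu_addr="192.0.2.1"):
    """Walk one bearer through steps 401-411 and summarise the outcome."""
    algorithm, pdcp = negotiate(ue_algorithms, cu_algorithms)
    first_message = build_first_message(pdcp, cu_addr)
    du_addr = iface.select_bearer_address(first_message)   # first response
    teid = 0x1001                                           # constructed TEID
    ul = du_uplink(iface, du_addr, cu_addr, teid, b"constructed UL PDU", pdcp)
    dl = cu_downlink(iface, du_addr, cu_addr, teid, b"constructed DL PDU", pdcp)
    return {
        "algorithm": algorithm,
        "pdcp_ciphered": pdcp,
        "ipsec_indication": first_message["ipsec_indication"],
        "du_addr": du_addr,
        "uplink_ipsec": ul.ipsec_protected,
        "downlink_ipsec": dl.ipsec_protected,
        "link_protected": protected_on_cu_du_link(ul) and protected_on_cu_du_link(dl),
    }
```

Running `run_scene1(["nea0", "nea2"], ["nea1", "nea2"], du)` yields the PDCP-on/IPSec-off path of fig. 4a, while `run_scene1(["nea0"], ["nea0", "nea2"], du)` yields the PDCP-off/IPSec-on path of fig. 4b; both report `link_protected` as true.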
Referring to fig. 5a and 5b, an embodiment of a method in scene 2 according to the embodiment of the present application specifically includes:
501. The CU and the UE carry out security negotiation to obtain a negotiation result.
It should be noted that, after the CU obtains the negotiation result, if the negotiation result indicates that the air interface between the CU and the UE uses the PDCP protocol for ciphering, steps 502 to 511 in fig. 5a are executed; if the negotiation result indicates that the air interface between the CU and the UE does not use PDCP protocol ciphering, steps 512 to 521 in fig. 5b are executed. The method comprises the following specific steps:
502. the CU sends first indication information to the DU.
503. The DU sends first response information to the CU.
504. And the UE sends a first uplink user plane data message to the DU.
In the embodiment of the present application, steps 501 to 504 are similar to steps 401 to 404 in the embodiment shown in fig. 4a, and detailed description thereof is omitted here.
505. The DU determines that the first uplink user plane data packet is not encrypted using the IPSec protocol.
506. And the DU sends a first uplink user plane data message to the CU.
It should be noted that, in this embodiment of the present application, a CU-side specific IP address is also configured on the second interface on the CU side to establish a user plane bearer, where the CU-side specific IP address is used to distinguish whether the user plane bearer between the CU and the DU is encrypted using an IPSec protocol, and includes a second encrypted address and a second non-encrypted address, where the second encrypted address is used in an IPSec communication scenario and indicates that a packet is encrypted/decrypted using the IPSec protocol; the second non-encrypted address is used in a non-IPSec communication scenario to indicate that the IPSec protocol is not used to encrypt/decrypt packets.
Therefore, after receiving the first uplink user plane data message that the UE sent after PDCP ciphering, the DU uses the second non-encrypted address as the destination address of the first uplink user plane data message to complete the GTP-U tunnel encapsulation. The DU then determines, according to the second non-encrypted address, not to encrypt the first uplink user plane data message using the IPSec protocol, and directly sends the first uplink user plane data message to the CU through the first interface on the DU side.
507a. The CU determines not to decrypt the first uplink user plane data message using the IPSec protocol.
507b. The CU sends the first uplink user plane data message to the SGW.
After the CU receives, through the second interface on the CU side, the first uplink user plane data message that was not encrypted using the IPSec protocol, the CU can determine, according to the format of the first uplink user plane data message, not to decrypt it using the IPSec protocol, and directly performs GTP-U decapsulation on the first uplink user plane data message to obtain the decapsulated first uplink user plane data message. The CU then performs subsequent processing on the decapsulated first uplink user plane data message, where the subsequent processing comprises: the CU uses the PDCP protocol to perform air interface decryption on the first uplink user plane data message, and encrypts the first uplink user plane data message again before sending it to the SGW, so as to ensure the transmission security of the first uplink user plane data message between the CU and the core network. The CU then sends the first uplink user plane data message after the subsequent processing to the SGW.
508a. The SGW sends a first downlink user plane data message to the CU.
508b. The CU determines not to encrypt the first downlink user plane data message using the IPSec protocol.
509. The CU sends the first downlink user plane data message to the DU.
510. The DU determines not to decrypt the first downlink user plane data message using the IPSec protocol.
511. The DU sends the first downlink user plane data message to the UE.
In the embodiment of the present application, steps 508a to 511 are similar to steps 408a to 411 in the embodiment shown in fig. 4a, and detailed description thereof is omitted here.
It should be noted that, in the present application, the transmission of the first uplink data from the UE to the SGW is implemented through steps 504 to 507b, and the transmission of the first downlink data from the SGW to the UE is implemented through steps 508a to 511; there is no required order between the two processes, that is, steps 504 to 507b may be executed first, steps 508a to 511 may be executed first, or the two processes may be executed simultaneously, and the specific order is not limited here.
If the negotiation result indicates that the air interface between the CU and the UE does not use PDCP protocol ciphering, please refer to fig. 5b, which specifically includes:
512. The CU sends second indication information to the DU.
513. The DU sends second response information to the CU.
514. The UE sends a second uplink user plane data message to the DU.
In the embodiment of the present application, steps 512 to 514 are similar to steps 412 to 414 in the embodiment shown in fig. 4b, and detailed description thereof is omitted here.
515. The DU determines to encrypt the second uplink user plane data message using the IPSec protocol.
516. The DU sends the second uplink user plane data message to the CU.
Accordingly, after the DU receives the second uplink user plane data message sent by the UE, the DU uses the second encrypted address as the destination address of the second uplink user plane data message to complete the GTP-U tunnel encapsulation. The DU then determines, according to the second encrypted address, to encrypt the second uplink user plane data message using the IPSec protocol, and sends the encrypted second uplink user plane data message to the CU through the first interface on the DU side.
517a. The CU determines to decrypt the second uplink user plane data message using the IPSec protocol.
517b. The CU sends the second uplink user plane data message to the SGW.
After receiving the second uplink user plane data message through the second interface on the CU side, the CU decrypts the second uplink user plane data message using the IPSec protocol, and then decapsulates the GTP-U tunnel to obtain the decapsulated second uplink user plane data message. The CU then performs subsequent processing on the decapsulated second uplink user plane data message, where the subsequent processing may include: before the second uplink user plane data message is sent to the SGW, encrypting it using the IPSec protocol according to the security configuration between the CU and the SGW, so as to ensure the security of the transmission of the second uplink user plane data message between the CU and the core network. The CU then sends the second uplink user plane data message after the subsequent processing to the SGW.
518a. The SGW sends a second downlink user plane data message to the CU.
518b. The CU determines to encrypt the second downlink user plane data message using the IPSec protocol.
519. The CU sends the second downlink user plane data message to the DU.
520. The DU determines to decrypt the second downlink user plane data message using the IPSec protocol.
521. The DU sends the second downlink user plane data message to the UE.
In the embodiment of the present application, steps 518a to 521 are similar to steps 418 to 421 in the embodiment shown in fig. 4b, and detailed description thereof is omitted here.
It should be noted that, in the present application, the transmission of the second uplink data from the UE to the SGW is implemented through steps 514 to 517b, and the transmission of the second downlink data from the SGW to the UE is implemented through steps 518a to 521; there is no required order between the two processes, that is, steps 514 to 517b may be executed first, steps 518a to 521 may be executed first, or the two processes may be executed simultaneously, and the specific order is not limited here.
In this embodiment of the present application, a second encrypted address and a second non-encrypted address may also be configured on the second interface on the CU side to distinguish whether the user plane data stream requires IPSec encryption, which increases the number of implementation manners of this embodiment of the present application.
Referring to fig. 6a and 6b, in the method embodiment of the present application for scenario 3, a CU-side specific IP address is also configured on the second interface on the CU side to establish a user plane bearer, where the CU-side specific IP address is used to distinguish whether the user plane bearer between the CU and the DU is encrypted using the IPSec protocol, and includes a second encrypted address and a second non-encrypted address: the second encrypted address is used in an IPSec communication scenario and indicates that a message is encrypted/decrypted using the IPSec protocol; the second non-encrypted address is used in a non-IPSec communication scenario and indicates that the IPSec protocol is not used to encrypt/decrypt messages. In addition, in scenario 3, the IP address of the first interface on the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol.
The method specifically comprises the following steps:
601. The CU and the UE carry out security negotiation to obtain a negotiation result.
In the embodiment of the present application, step 601 is similar to step 401 in the embodiment shown in fig. 4a, and details thereof are not repeated here.
After the CU obtains the negotiation result, if the negotiation result indicates that the air interface between the CU and the UE uses the PDCP protocol for ciphering, steps 602 to 611 in fig. 6a are executed; if the negotiation result indicates that the air interface between the CU and the UE does not use PDCP protocol ciphering, steps 612 to 621 in fig. 6b are executed. The specific steps are as follows:
602. The CU sends first indication information to the DU.
When the negotiation result indicates that the air interface uses the PDCP protocol for encryption, the CU sends a first message to the DU through the first control plane interface, where the first message carries first indication information, and the first indication information is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol and that the second non-encrypted address is used as the user plane address of the second interface; that is, the address of the user plane bearer between the CU and the DU at the CU end is the second non-encrypted address.
603. The DU sends first response information to the CU.
After receiving the first indication information carried in the first message sent by the CU, the DU determines, according to the first indication information, that the user plane bearer between the DU and the CU does not need IPSec encryption, and determines that the second non-encrypted address is the user plane address of the second interface on the CU side. Optionally, in response to the first message carrying the first indication information, the DU sends a first response message to the CU, where the first response message includes the first response information, and the first response information includes the user plane bearer address on the DU side.
604. The UE sends a first uplink user plane data message to the DU.
605. The DU determines not to encrypt the first uplink user plane data message using the IPSec protocol.
606. The DU sends the first uplink user plane data message to the CU.
607a. The CU determines not to decrypt the first uplink user plane data message using the IPSec protocol.
607b. The CU sends the first uplink user plane data message to the SGW.
In the embodiment of the present application, steps 604 to 607b are similar to steps 504 to 507b in the embodiment shown in fig. 5a, and detailed description thereof is omitted here.
608a. The SGW sends a first downlink user plane data message to the CU.
608b. The CU determines not to encrypt the first downlink user plane data message using the IPSec protocol.
609. The CU sends the first downlink user plane data message to the DU.
When the SGW needs to send a first downlink user plane data message to the UE through the CU and the DU, the CU receives the first downlink user plane data message from the SGW. If the negotiation result between the CU and the UE is that the air interface between the CU and the UE needs to use the PDCP protocol for encryption, the CU also needs to perform PDCP encryption on the first downlink data.
In addition, the CU uses the second non-encrypted address as the source address of the first downlink user plane data message to complete the GTP-U tunnel encapsulation. The CU then determines, according to the second non-encrypted address, not to encrypt the first downlink user plane data message using the IPSec protocol, and directly sends the first downlink user plane data message to the DU through the second interface on the CU side.
610. The DU determines not to decrypt the first downlink user plane data message using the IPSec protocol.
611. The DU sends the first downlink user plane data message to the UE.
In the embodiment of the present application, steps 610 to 611 are similar to steps 410 to 411 in the embodiment shown in fig. 4a, and detailed description thereof is omitted here.
It should be noted that, in this application, the transmission of the first uplink user plane data packet from the UE to the SGW is implemented through steps 604 to 607b, and the transmission of the first downlink user plane data packet from the core network to the UE is implemented through steps 608a to 611, where there is no sequence of steps between the two processes, that is, steps 604 to 607b may be executed first, steps 608a to 611 may be executed first, or the two processes may be executed simultaneously, and a specific example is not limited herein.
If the negotiation result indicates that the air interface between the CU and the UE does not use PDCP protocol ciphering, please refer to fig. 6b, which specifically includes:
612. The CU sends second indication information to the DU.
When the negotiation result indicates that the air interface does not use the PDCP protocol for encryption, the CU sends a first message to the DU through the first control plane interface, where the first message carries second indication information, and the second indication information is used to indicate that the user plane bearer between the CU and the DU is encrypted using the IPSec protocol and that the second encrypted address is used as the user plane address of the second interface; that is, the address of the user plane bearer between the CU and the DU at the CU end is the second encrypted address.
613. The DU sends second response information to the CU.
After receiving the second indication information carried in the first message sent by the CU, the DU determines, according to the second indication information, that the user plane bearer between the DU and the CU needs IPSec encryption, and determines that the second encrypted address is the user plane address of the second interface on the CU side. Optionally, in response to the first message carrying the second indication information, the DU sends to the CU a first response message carrying second response information, where the second response information includes the user plane bearer address on the DU side.
614. The UE sends a second uplink user plane data message to the DU.
615. The DU determines to encrypt the second uplink user plane data message using the IPSec protocol.
616. The DU sends the second uplink user plane data message to the CU.
617a. The CU determines to decrypt the second uplink user plane data message using the IPSec protocol.
617b. The CU sends the second uplink user plane data message to the SGW.
In this embodiment of the application, steps 614 to 617b are similar to steps 514 to 517b in the embodiment shown in fig. 5b, and are not described herein again.
618a. The SGW sends a second downlink user plane data message to the CU.
618b. The CU determines to encrypt the second downlink user plane data message using the IPSec protocol.
619. The CU sends the second downlink user plane data message to the DU.
When the SGW needs to send a second downlink user plane data message to the UE through the CU and the DU, the CU receives the second downlink user plane data message from the SGW. The CU determines, according to the negotiation result, not to encrypt the second downlink user plane data message using the PDCP protocol.
In addition, the CU uses the second encrypted address as the source address of the second downlink user plane data message to complete the GTP-U tunnel encapsulation. The CU then determines, according to the second encrypted address, that the second downlink user plane data message needs to be encrypted using the IPSec protocol, obtains the IPSec-encrypted second downlink user plane data message, and sends the encrypted second downlink user plane data message to the DU through the second interface on the CU side.
620. The DU determines to decrypt the second downlink user plane data message using the IPSec protocol.
621. The DU sends the second downlink user plane data message to the UE.
In the embodiment of the present application, steps 620 to 621 are similar to steps 520 to 521 in the embodiment shown in fig. 5b, and detailed description thereof is omitted here.
It should be noted that, in this application, the transmission of the second uplink user plane data message from the UE to the SGW is implemented through steps 614 to 617b, and the transmission of the second downlink user plane data message from the SGW to the UE is implemented through steps 618a to 621; there is no required order between the two processes, that is, steps 614 to 617b may be executed first, steps 618a to 621 may be executed first, or the two processes may be executed simultaneously, and the specific order is not limited here.
It should be noted that, when the communication between the CU and the DU passes through a SeGW deployed between the CU and the DU, please refer to fig. 7a, which is another possible schematic diagram of data encryption transmission, including: the user data flow passes from the UE to the CU via the DU and the SeGW in turn, wherein:
air interface encryption is carried out between the UE and the CU to ensure the security of user data during wireless transmission; it should be noted that air interface encryption/decryption is handled by PDCP in the 3GPP protocol, so corresponding processing modules are arranged on the UE and the CU to be responsible for PDCP encryption and PDCP decryption;
the DU and the SeGW encrypt using the IPSec protocol to ensure the security of user data transmission over the backhaul line, and therefore corresponding processing modules are provided on both the DU and the SeGW to be responsible for IPSec encryption and IPSec decryption.
Therefore, when the communication between the CU and the DU passes through the SeGW, please refer to fig. 7b and fig. 7c, which describe an embodiment of the method in scenario 4 according to the present application, specifically including:
701. The CU and the UE carry out security negotiation to obtain a negotiation result.
It should be noted that, in the embodiment of the present application, step 701 is similar to step 401 in the embodiment shown in fig. 4a, and details are not repeated here.
After the CU obtains the negotiation result, if the negotiation result indicates that the air interface between the CU and the UE uses the PDCP protocol for ciphering, steps 702 to 713 in fig. 7b are executed; if the negotiation result indicates that the air interface between the CU and the UE does not use PDCP protocol ciphering, steps 714 to 725 in fig. 7c are executed. The specific steps are as follows:
702. The CU sends first indication information to the DU.
It should be noted that, in this embodiment of the application, the first indication information sent by the CU to the DU in step 702 is similar to the first indication information sent by the CU to the DU in step 402 in the embodiment shown in fig. 4a, and details thereof are not repeated here.
In this embodiment, the CU sends the first indication information to the DU, relayed by the SeGW.
703. The DU sends first response information to the CU.
It should be noted that, in this embodiment of the application, the first response information sent by the DU to the CU in step 703 is similar to the first response information sent by the DU to the CU in step 403 in the embodiment shown in fig. 4a, and details thereof are not repeated here.
In this embodiment, the DU sends the first response message to the CU, relayed by the SeGW.
704. The UE sends a first uplink user plane data message to the DU.
705. The DU determines that the first uplink user plane data packet is not encrypted using the IPSec protocol.
In the embodiment of the present application, steps 704 to 705 are similar to steps 404 to 405 in the embodiment shown in fig. 4a, and detailed description thereof is omitted here.
706. The DU sends the first uplink user plane data message to the SeGW.
After determining, according to the first non-encrypted address, not to encrypt the first uplink user plane data message using the IPSec protocol, the DU directly sends the first uplink user plane data message to the SeGW.
707. The SeGW determines not to decrypt the first uplink user plane data message using the IPSec protocol.
After receiving the first uplink user plane data message, the SeGW determines, according to the message format of the first uplink user plane data message, not to decrypt it using the IPSec protocol.
708a. The SeGW sends the first uplink user plane data message to the CU.
708b. The CU sends the first uplink user plane data message to the SGW.
After determining that the IPSec protocol is not used to decrypt the first uplink user plane data message, the SeGW sends the first uplink user plane data message to the CU, so that the CU can perform GTP-U tunnel decapsulation on the first uplink user plane data message to obtain the decapsulated first uplink user plane data message. The CU then performs subsequent processing on the decapsulated first uplink user plane data message, where the subsequent processing comprises: the CU uses the PDCP protocol to perform air interface decryption on the first uplink user plane data message, and encrypts the first uplink user plane data message again before sending it to the core network, so as to ensure the transmission security of the first uplink user plane data message between the CU and the core network. The CU then sends the first uplink user plane data message after the subsequent processing to the SGW.
709a. The SGW sends a first downlink user plane data message to the CU.
709b. The CU sends the first downlink user plane data message to the SeGW.
When the SGW needs to send a first downlink user plane data message to the UE through the CU, the SeGW and the DU in turn, the CU receives the first downlink user plane data message from the SGW. Since the negotiation result between the CU and the UE is that the air interface between the CU and the UE needs to be encrypted using the PDCP protocol, the CU performs PDCP encryption on the first downlink data based on the negotiation result.
In addition, the CU uses the first non-encrypted address as the destination address of the first downlink user plane data message to complete the GTP-U tunnel encapsulation, and sends the encapsulated first downlink user plane data message to the SeGW.
710. The SeGW determines not to encrypt the first downlink user plane data packet using the IPSec protocol.
711. The SeGW sends a first downlink user plane data packet to the DU.
After receiving the first downlink user plane data message, the SeGW finds that the destination address of the first downlink user plane data message is the first non-encrypted address, determines according to the first non-encrypted address not to encrypt the first downlink user plane data message using the IPSec protocol, and then directly sends the first downlink user plane data message to the DU.
712. The DU determines not to decrypt the first downlink user plane data packet using the IPSec protocol.
713. The DU sends the first downlink user plane data message to the UE.
After receiving the first downlink user plane data message, the DU determines whether to decrypt it using the IPSec protocol and then performs GTP-U tunnel decapsulation, as follows: the DU determines, according to the format of the first downlink user plane data message, that the IPSec protocol is not used to decrypt it, so the GTP-U tunnel is directly decapsulated to obtain the decapsulated first downlink user plane data message. The DU then performs subsequent processing on the decapsulated first downlink user plane data message, where the subsequent processing comprises: sending the first downlink user plane data message to the UE through the air interface, so that the UE decrypts it using the PDCP protocol to obtain the decrypted first downlink user plane data message.
It should be noted that, in the present application, the transmission of the first uplink user plane data packet from the UE to the SGW is implemented through steps 704 to 708b, and the transmission of the first downlink user plane data packet from the SGW to the UE is implemented through steps 709a to 713, where there is no sequence of steps between the two processes, that is, steps 704 to 708b may be executed first, or steps 709a to 713 may be executed first, or executed simultaneously, and a specific example is not limited herein.
If the negotiation result indicates that the air interface between the CU and the UE does not use PDCP protocol ciphering, please refer to fig. 7c, which specifically includes:
714. The CU sends second indication information to the DU.
It should be noted that, in this embodiment of the application, the second indication information sent by the CU to the DU in step 714 is similar to the second indication information sent by the CU to the DU in step 412 in the embodiment shown in fig. 4b, and details thereof are not repeated here.
In this embodiment, the CU sends the second indication information to the DU, relayed by the SeGW.
715. The DU sends second response information to the CU.
It should be noted that, in this embodiment of the application, the second response information sent by the DU to the CU in step 715 is similar to the second response information sent by the DU to the CU in step 413 in the embodiment shown in fig. 4b, and details are not repeated here.
In this embodiment, the DU sends the second response message to the CU, relayed by the SeGW.
716. The UE sends a second uplink user plane data message to the DU.
717. the DU determines to encrypt the second uplink user plane data packet using the IPSec protocol.
In the embodiment of the present application, steps 716 to 717 are similar to steps 414 to 415 in the embodiment shown in fig. 4b, and detailed description thereof is omitted here.
718. The DU sends the second uplink user plane data message to the SeGW.
The DU determines, according to the first encrypted address, to encrypt the second uplink user plane data message using the IPSec protocol, performs IPSec encryption on the second uplink user plane data message to obtain the IPSec-encrypted second uplink user plane data message, and sends the encrypted second uplink user plane data message to the SeGW.
719. The SeGW determines to decrypt the second uplink user plane data message using the IPSec protocol.
After receiving the second uplink user plane data message, the SeGW finds that the source address of the second uplink user plane data message is the first encrypted address, and determines that the IPSec protocol needs to be used to decrypt the second uplink user plane data message.
720a. The SeGW sends the second uplink user plane data message to the CU.
720b. The CU sends the second uplink user plane data message to the SGW.
After determining that the IPSec protocol is used to decrypt the second uplink user plane data packet, the SeGW decrypts the second uplink user plane data packet by using the IPSec protocol to obtain a decrypted second uplink user plane data packet, and further sends the decrypted second uplink user plane data packet to the CU, so that the CU performs GTP-U tunnel decapsulation on the second uplink user plane data packet to obtain a decapsulated second uplink user plane data packet. The CU then performs subsequent processing on the decapsulated second uplink user plane data packet, where the subsequent processing may include: before the decapsulated second uplink user plane data message is sent to the core network, the decapsulated second uplink user plane data message is encrypted again to ensure the security of the transmission of the second uplink user plane data message between the CU and the core network.
721a. The SGW sends a second downlink user plane data message to the CU.
721b. The CU sends the second downlink user plane data message to the SeGW.
When the SGW needs to send a second downlink user plane data message to the UE through the CU, the SeGW and the DU in turn, the CU receives the second downlink user plane data message from the core network. The CU determines, according to the negotiation result, not to encrypt the second downlink user plane data message using the PDCP protocol.
In addition, the CU uses the first encrypted address as the destination address of the second downlink user plane data message to complete the GTP-U tunnel encapsulation, and sends the encapsulated second downlink user plane data message to the SeGW.
722. The SeGW determines to encrypt the second downlink user plane data message using the IPSec protocol.
After receiving the second downlink user plane data message sent by the CU, the SeGW finds that the destination address of the second downlink user plane data message is the first encrypted address, and determines according to the first encrypted address that the IPSec protocol needs to be used to encrypt the second downlink user plane data message.
723. The SeGW sends the second downlink user plane data message to the DU.
After determining that the IPSec protocol is used to encrypt the second downlink user plane data message, the SeGW performs IPSec encryption on the second downlink user plane data message to obtain the encrypted second downlink user plane data message, and then sends the encrypted second downlink user plane data message to the DU.
724. The DU determines to decrypt the second downlink user plane data message using the IPSec protocol.
725. The DU sends the second downlink user plane data message to the UE.
After the DU receives the second downlink user plane data message encrypted using the IPSec protocol, the DU decrypts the second downlink user plane data message using the IPSec protocol, and then decapsulates the GTP-U tunnel to obtain the decapsulated second downlink user plane data message. The DU then performs subsequent processing on the decapsulated second downlink user plane data message, where the subsequent processing comprises: sending the second downlink user plane data message to the UE through the air interface, where the UE does not need to decrypt the second downlink user plane data message using the PDCP protocol.
It should be noted that, in the embodiment shown in fig. 7c, the transmission of the second uplink data from the UE to the SGW is implemented through steps 716 to 720b, and the transmission of the second downlink data from the SGW to the UE is implemented through steps 721a to 725, where there is no sequence of steps between the two processes, that is, steps 716 to 720b may be executed first, or steps 721a to 725 may be executed first, or executed simultaneously, and the specific implementation is not limited herein.
In the embodiment of the application, for a scenario in which the SeGW is deployed between the CU and the DU, whether IPSec encryption/decryption is used for transmission of the user plane data stream on the DU-SeGW interface can be flexibly determined according to whether PDCP encryption is performed on the air interface of the UE, so that the consumption of CPU resources is reduced and cost is reduced.
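The address-based IPSec decision of scenarios 2 to 4 above (the sender chooses IPSec from the bearer address it was told to use, the receiver from the packet format, and the SeGW from the DU-side address), as an added Python model that is not part of the patent or of any product. The addresses, TEIDs, the minimal GTP-U header and the XOR stand-in for ESP are assumptions chosen only so the decision logic on each node can be exercised end to end; the receiver-side check that the packet format agrees with the bearer's address policy is an addition the text does not describe.

```python
from dataclasses import dataclass

# Constructed addresses (assumption, not from the patent). Each side reserves one
# user-plane address for IPSec-protected bearers and one for unprotected bearers.
CU_ENCRYPTED_ADDR = "10.0.2.1"       # "second encrypted address" (CU side)
CU_NON_ENCRYPTED_ADDR = "10.0.2.2"   # "second non-encrypted address" (CU side)
DU_ENCRYPTED_ADDR = "10.0.1.1"       # "first encrypted address" (DU side)
DU_NON_ENCRYPTED_ADDR = "10.0.1.2"   # "first non-encrypted address" (DU side)
DU_PLAIN_ADDR = "10.0.1.5"           # scenario 3: the DU address carries no policy
CU_PLAIN_ADDR = "10.0.2.9"           # scenario 4: the CU address carries no policy
SCENARIO3_POLICY = frozenset({CU_ENCRYPTED_ADDR})  # only the CU address decides
SCENARIO4_POLICY = frozenset({DU_ENCRYPTED_ADDR})  # DU and SeGW key off the DU address

# Stand-in for ESP (assumption): an SPI prefix plus a fixed keystream XOR. It only
# marks and scrambles the frame so the decision logic can be exercised; a real
# deployment uses IPsec ESP with negotiated keys and integrity protection.
_ESP_SPI = b"\x00\x00\x10\x01"
_KEYSTREAM = bytes(range(16))

def _xor(data: bytes) -> bytes:
    return bytes(b ^ _KEYSTREAM[i % 16] for i, b in enumerate(data))

def esp_protect(frame: bytes) -> bytes:
    return _ESP_SPI + _xor(frame)

def esp_unprotect(payload: bytes) -> bytes:
    if payload[:4] != _ESP_SPI:
        raise ValueError("unknown SPI")
    return _xor(payload[4:])

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "ESP" when IPSec-protected, "UDP" for plain GTP-U
    payload: bytes

def choose_cu_user_plane_address(pdcp_ciphered: bool) -> str:
    """Steps 602/612: PDCP ciphering on the air interface means no IPSec on the
    CU-DU bearer, so the CU advertises its second non-encrypted address."""
    return CU_NON_ENCRYPTED_ADDR if pdcp_ciphered else CU_ENCRYPTED_ADDR

def gtpu_encapsulate(pdu: bytes, teid: int) -> bytes:
    """Minimal GTP-U v1 G-PDU header: flags 0x30, type 0xFF, length, TEID."""
    return b"\x30\xff" + len(pdu).to_bytes(2, "big") + teid.to_bytes(4, "big") + pdu

def gtpu_decapsulate(frame: bytes) -> tuple:
    if len(frame) < 8 or frame[0] >> 5 != 1 or frame[1] != 0xFF:
        raise ValueError("not a GTP-U G-PDU")
    length = int.from_bytes(frame[2:4], "big")
    return int.from_bytes(frame[4:8], "big"), frame[8:8 + length]

def send_user_plane(pdu: bytes, teid: int, src: str, dst: str, policy) -> Packet:
    """Sender (DU in 606/616, CU in 609/619): encapsulate in GTP-U, then apply
    IPSec only when an endpoint address of the bearer is marked as protected."""
    frame = gtpu_encapsulate(pdu, teid)
    if src in policy or dst in policy:
        return Packet(src, dst, "ESP", esp_protect(frame))
    return Packet(src, dst, "UDP", frame)

def receive_user_plane(pkt: Packet, policy) -> tuple:
    """Receiver (CU in 607a/617a, DU in 610/620): the packet format decides whether
    IPSec decryption runs. Added check beyond the text: the format must agree with
    the address policy, so a plain packet on a protected bearer is rejected."""
    expect_esp = pkt.src in policy or pkt.dst in policy
    if (pkt.proto == "ESP") != expect_esp:
        raise ValueError("packet format does not match bearer address policy")
    frame = esp_unprotect(pkt.payload) if pkt.proto == "ESP" else pkt.payload
    return gtpu_decapsulate(frame)

def segw_forward(pkt: Packet) -> Packet:
    """Scenario 4 SeGW (steps 707/710/719/722): IPSec covers only the DU-SeGW leg,
    keyed off the DU's first encrypted address; anything else passes unchanged."""
    if pkt.dst == DU_ENCRYPTED_ADDR and pkt.proto == "UDP":
        return Packet(pkt.src, pkt.dst, "ESP", esp_protect(pkt.payload))
    if pkt.src == DU_ENCRYPTED_ADDR and pkt.proto == "ESP":
        return Packet(pkt.src, pkt.dst, "UDP", esp_unprotect(pkt.payload))
    return pkt

def run_scenario3(pdcp_ciphered: bool, pdu: bytes = b"constructed PDCP PDU") -> dict:
    """Uplink DU->CU and downlink CU->DU on the direct CU-DU interface."""
    cu_addr = choose_cu_user_plane_address(pdcp_ciphered)
    up = send_user_plane(pdu, 0x1001, DU_PLAIN_ADDR, cu_addr, SCENARIO3_POLICY)
    down = send_user_plane(pdu, 0x2002, cu_addr, DU_PLAIN_ADDR, SCENARIO3_POLICY)
    return {"uplink": up.proto, "uplink_pdu": receive_user_plane(up, SCENARIO3_POLICY)[1],
            "downlink": down.proto, "downlink_pdu": receive_user_plane(down, SCENARIO3_POLICY)[1]}

def run_scenario4(pdcp_ciphered: bool, pdu: bytes = b"constructed PDCP PDU") -> dict:
    """Same flows through the SeGW: IPSec on the DU-SeGW leg only, plain GTP-U on
    the SeGW-CU leg; the CU applies no IPSec policy of its own (empty policy)."""
    # Steps 709b/721b: the CU targets the DU's first non-encrypted or encrypted address.
    du_addr = DU_NON_ENCRYPTED_ADDR if pdcp_ciphered else DU_ENCRYPTED_ADDR
    up_du = send_user_plane(pdu, 0x1001, du_addr, CU_PLAIN_ADDR, SCENARIO4_POLICY)
    up_cu = segw_forward(up_du)
    down_cu = send_user_plane(pdu, 0x2002, CU_PLAIN_ADDR, du_addr, frozenset())
    down_du = segw_forward(down_cu)
    return {"uplink_du_leg": up_du.proto, "uplink_cu_leg": up_cu.proto,
            "uplink_pdu": receive_user_plane(up_cu, frozenset())[1],
            "downlink_cu_leg": down_cu.proto, "downlink_du_leg": down_du.proto,
            "downlink_pdu": receive_user_plane(down_du, SCENARIO4_POLICY)[1]}
```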
Referring to fig. 8a and 8b, an embodiment of a method in scene 5 according to the embodiment of the present application specifically includes:
801. and the CU and the UE carry out security negotiation to obtain a negotiation result.
After the CU obtains the negotiation result, if the negotiation result indicates that the air interface between the CU and the UE uses PDCP protocol for ciphering, step 802 and 813 in fig. 8a are executed; if the negotiation result indicates that the air interface between the CU and the UE does not use PDCP protocol ciphering, step 814 and step 825 in fig. 8b are executed; the method comprises the following specific steps:
802. the CU sends first indication information to the DU.
803. The DU sends first response information to the CU.
804. And the UE sends a first uplink user plane data message to the DU.
In the embodiment of the present application, steps 801 to 804 are similar to steps 701 to 704 shown in fig. 7b, and detailed description thereof is omitted here.
805. The DU determines that the first uplink user plane data packet is not encrypted using the IPSec protocol.
In the embodiment of the present application, step 805 is similar to step 505 shown in fig. 5a, and details thereof are not repeated herein.
806. The DU sends the first uplink user plane data message to the SeGW.
In the embodiment of the present application, step 806 is similar to step 706 shown in fig. 7b, and details thereof are not repeated here.
807. The SeGW determines not to decrypt the first uplink user plane data packet using the IPSec protocol.
After receiving the first uplink user plane data packet that is not encrypted by using the IPSec protocol, the SeGW may determine not to decrypt the first uplink user plane data packet by using the IPSec protocol according to the format of the first uplink user plane data packet.
808a. The SeGW sends the first uplink user plane data message to the CU.
808b. The CU sends the first uplink user plane data message to the SGW.
809a. The SGW sends a first downlink user plane data message to the CU.
809b. The CU sends the first downlink user plane data message to the SeGW.
810. The SeGW determines not to encrypt the first downlink user plane data packet using the IPSec protocol.
811. The SeGW sends a first downlink user plane data packet to the DU.
812. The DU determines not to decrypt the first downlink user plane data packet using the IPSec protocol.
813. The DU sends the first downlink user plane data message to the UE.
In the embodiment of the present application, steps 808a to 813 are similar to steps 708a to 713 shown in fig. 7b, and are not described again here.
If the negotiation result indicates that the air interface between the CU and the UE does not use PDCP ciphering, refer to fig. 8b, which specifically includes:
814. The CU sends second indication information to the DU.
815. The DU sends second response information to the CU.
816. The UE sends a second uplink user plane data message to the DU.
In the embodiment of the present invention, steps 814 to 816 are similar to steps 714 to 716 shown in fig. 7c, and are not described again here.
817. The DU determines to encrypt the second uplink user plane data packet using the IPSec protocol.
In the embodiment of the present application, step 817 is similar to step 515 shown in fig. 5b, and details thereof are not repeated here.
818. The DU sends the second uplink user plane data message to the SeGW.
In the embodiment of the present application, step 818 is similar to step 718 shown in fig. 7c, and is not described again here.
819. The SeGW determines to decrypt the second uplink user plane data message using the IPSec protocol.
After receiving the second uplink user plane data message, the SeGW learns that the destination address of the message is the second encryption address (it may also make this determination from the format of the message), and therefore decrypts the second uplink user plane data message using the IPSec protocol.
820a. The SeGW sends the second uplink user plane data message to the CU.
820b. The CU sends the second uplink user plane data message to the SGW.
821a. The SGW sends a second downlink user plane data message to the CU.
821b. The CU sends the second downlink user plane data message to the SeGW.
822. The SeGW determines to encrypt the second downlink user plane data message using the IPSec protocol.
823. The SeGW sends the second downlink user plane data message to the DU.
824. The DU determines to decrypt the second downlink user plane data message using the IPSec protocol.
825. The DU sends the second downlink user plane data message to the UE.
In the embodiment of the present application, steps 820a to 825 are similar to steps 720a to 725 shown in fig. 7c, and are not described again here.
In the embodiment of the present application, for a scenario in which the SeGW is deployed between the CU and the DU, a second encryption address and a second non-encryption address may also be configured on the second interface on the CU side to distinguish whether a user plane data stream requires IPSec encryption, which adds a further implementation manner to the embodiment of the present application.
Referring to fig. 9a and 9b, an embodiment of the method in scenario 6 according to the embodiment of the present application specifically includes:
901. The CU and the UE perform security negotiation to obtain a negotiation result.
After the CU obtains the negotiation result, if the negotiation result indicates that the air interface between the CU and the UE uses the PDCP protocol for ciphering, steps 902 to 913 in fig. 9a are executed; if the negotiation result indicates that the air interface between the CU and the UE does not use PDCP ciphering, steps 914 to 925 in fig. 9b are executed. The specific steps are as follows:
902. The CU sends first indication information to the DU.
903. The DU sends first response information to the CU.
904. The UE sends a first uplink user plane data message to the DU.
905. The DU determines that the first uplink user plane data packet is not encrypted using the IPSec protocol.
In the embodiment of the present application, steps 901 to 905 are similar to steps 601 to 605 shown in fig. 6a, and are not described herein again.
906. The DU sends the first uplink user plane data message to the SeGW.
907. The SeGW determines not to decrypt the first uplink user plane data packet using the IPSec protocol.
908a, the SeGW sends a first uplink user plane data message to the CU.
908b, the CU sends a first uplink user plane data message to the SGW.
In the embodiment of the present application, steps 906 to 908b are similar to steps 806 to 808b shown in fig. 8a, and detailed description thereof is omitted here.
909a. The SGW sends a first downlink user plane data message to the CU.
909b. The CU sends the first downlink user plane data message to the SeGW.
When the SGW needs to send a first downlink user plane data message to the UE through the CU and the DU, the CU receives the first downlink user plane data message from the core network. If the negotiation result between the CU and the UE is that the air interface between them uses the PDCP protocol for ciphering, the CU also performs PDCP ciphering on the first downlink data.
In addition, the CU uses the second non-encrypted address as the source address of the first downlink user plane data message to complete the GTP-U tunnel encapsulation, and directly sends the encapsulated first downlink user plane data message to the SeGW.
910. The SeGW determines not to encrypt the first downlink user plane data packet using the IPSec protocol.
In this embodiment of the present application, the manner in which the SeGW determines not to use the IPSec protocol to encrypt the first downlink user plane data packet in step 910 is similar to the manner in which the CU determines not to use the IPSec protocol to encrypt the first downlink user plane data packet in step 608 shown in fig. 6a, and details thereof are not described here again.
911. The SeGW sends a first downlink user plane data packet to the DU.
After determining that the IPSec protocol is not used to encrypt the first downlink user plane data packet, the SeGW directly sends the first downlink user plane data packet to the DU.
912. The DU determines not to decrypt the first downlink user plane data packet using the IPSec protocol.
913. The DU sends the first downlink user plane data message to the UE.
In the embodiment of the present application, steps 912 to 913 are similar to steps 610 to 611 shown in fig. 6a, and detailed description thereof is omitted here.
If the negotiation result indicates that the air interface between the CU and the UE does not use PDCP ciphering, refer to fig. 9b, which specifically includes:
914. The CU sends second indication information to the DU.
915. The DU sends second response information to the CU.
916. The UE sends a second uplink user plane data message to the DU.
917. The DU determines to encrypt the second uplink user plane data packet using the IPSec protocol.
In the embodiment of the present application, steps 914 to 917 are similar to steps 612 to 615 shown in fig. 6b, and are not described herein again.
918. The DU sends the second uplink user plane data message to the SeGW.
919. The SeGW determines to decrypt the second uplink user plane data message using the IPSec protocol.
920a, the SeGW sends a second uplink user plane data message to the CU.
920b, the CU sends a second uplink user plane data message to the SGW.
In the embodiment of the present application, steps 918 to 920b are similar to steps 818 to 820b shown in fig. 8b, and detailed description thereof is omitted here.
921a, the SGW sends the second downlink user plane data packet to the CU.
921b, the CU sends a second downlink user plane data packet to the SeGW.
In this embodiment, step 921a is similar to step 821a shown in fig. 8b, and details thereof are not repeated here.
The way in which the CU sends the second downlink user plane data packet to the SeGW in step 921b is similar to the way in which the CU sends the second downlink user plane data packet to the DU in step 619 shown in fig. 6b, and details are not described here again.
922. The SeGW determines to encrypt the second downlink user plane data message using the IPSec protocol.
In this embodiment of the present application, the manner in which the SeGW determines to encrypt the second downlink user plane data packet using the IPSec protocol in step 922 is similar to the manner in which the CU determines to encrypt the second downlink user plane data packet using the IPSec protocol in step 618 shown in fig. 6b, and details thereof are not repeated here.
923. The SeGW sends a second downlink user plane data message to the DU.
After determining that the IPSec protocol is used to encrypt the second downlink user plane data packet, the SeGW sends the encrypted second downlink user plane data packet to the DU.
924. The DU determines to decrypt the second downlink user plane data message using the IPSec protocol.
925. The DU sends the second downlink user plane data message to the UE.
In the embodiment of the present invention, steps 924 to 925 are similar to steps 824 to 825 shown in fig. 8b, and are not described again here.
In the embodiment of the present application, for a scenario in which a SeGW is deployed between a CU and a DU, a second encryption address and a second non-encryption address may also be configured only on the second interface on the CU side to distinguish whether a user plane data stream requires IPSec encryption, which adds a further implementation manner to the embodiment of the present application.
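As an added illustration (not code from the patent or its applicant), the following Python models the procedure of scenarios 4 to 6 and of the CU and DU units described below: the CU's first message is derived from the PDCP negotiation result, the DU answers with the address its bearer will use, the sender picks the encryption or non-encryption address pair, and the receiver (DU, CU or SeGW) decides whether to apply IPSec from the destination address, cross-checked against the packet format. The sample addresses, the Packet/Interface types and the XOR stand-in for ESP protection are assumptions.

```python
"""Added model of the address-based IPSec decision (scenarios 4 to 6).

Each user-plane interface carries one encryption address and one
non-encryption address; which one a packet uses is fixed by the CU/UE
negotiation result, and the receiver decides from that address alone.
"""
from dataclasses import dataclass
from enum import Enum


class Proto(Enum):
    GTPU = "gtp-u"   # plain GTP-U tunnel packet (no IPSec)
    ESP = "esp"      # IPSec ESP-protected packet


@dataclass
class Packet:
    src: str
    dst: str
    proto: Proto
    payload: bytes


@dataclass(frozen=True)
class Interface:
    """A user-plane interface with one encryption address and one
    non-encryption address (the patent's first/second interface)."""
    enc_addr: str
    plain_addr: str

    def addr_for(self, bearer_ipsec: bool) -> str:
        return self.enc_addr if bearer_ipsec else self.plain_addr

    def ipsec_required(self, addr: str) -> bool:
        if addr == self.enc_addr:
            return True
        if addr == self.plain_addr:
            return False
        raise ValueError(f"{addr} is not configured on this interface")


# Constructed sample addresses; the patent gives no concrete values.
DU_IF = Interface(enc_addr="10.0.1.1", plain_addr="10.0.1.2")  # DU first interface
CU_IF = Interface(enc_addr="10.0.2.1", plain_addr="10.0.2.2")  # CU second interface

_STANDIN_KEY = 0x5A  # placeholder transform standing in for real ESP protection


def ipsec_protect(data: bytes) -> bytes:
    """Stand-in for IPSec protection (XOR with a fixed byte); NOT real ESP."""
    return bytes(b ^ _STANDIN_KEY for b in data)


ipsec_unprotect = ipsec_protect  # XOR with a constant is its own inverse


def cu_first_message(pdcp_ciphered: bool) -> dict:
    """Step 702/714: the CU tells the DU whether the CU-DU user-plane bearer
    needs IPSec; it does not when the air interface is already PDCP-ciphered."""
    return {"bearer_ipsec": not pdcp_ciphered}


def du_first_response(first_message: dict) -> dict:
    """Step 703/715: the DU answers with the address its bearer uses."""
    return {"du_addr": DU_IF.addr_for(first_message["bearer_ipsec"])}


def send_user_plane(src_if: Interface, dst_if: Interface,
                    bearer_ipsec: bool, gtpu: bytes) -> Packet:
    """Sender side (DU uplink, CU/SeGW downlink): choose the address pair from
    the negotiation result and apply IPSec only on the encryption address."""
    src, dst = src_if.addr_for(bearer_ipsec), dst_if.addr_for(bearer_ipsec)
    if bearer_ipsec:
        return Packet(src, dst, Proto.ESP, ipsec_protect(gtpu))
    return Packet(src, dst, Proto.GTPU, gtpu)


def receive_user_plane(rx_if: Interface, pkt: Packet) -> bytes:
    """Receiver side (SeGW step 807/819, DU step 812/824): decide from the
    destination address and refuse packets whose format contradicts it, so a
    plaintext packet cannot ride in on the encryption address."""
    want_ipsec = rx_if.ipsec_required(pkt.dst)
    if want_ipsec != (pkt.proto is Proto.ESP):
        raise ValueError(f"format {pkt.proto.value} does not match address {pkt.dst}")
    return ipsec_unprotect(pkt.payload) if want_ipsec else pkt.payload


def run_uplink(pdcp_ciphered: bool, gtpu: bytes) -> tuple:
    """Steps 701 to 707 / 714 to 719: negotiation result, indication, response,
    then one DU-to-SeGW uplink packet. Returns (DU address, packet, payload
    recovered at the SeGW)."""
    resp = du_first_response(cu_first_message(pdcp_ciphered))
    bearer_ipsec = DU_IF.ipsec_required(resp["du_addr"])
    pkt = send_user_plane(DU_IF, CU_IF, bearer_ipsec, gtpu)
    assert pkt.src == resp["du_addr"]  # source address matches the response
    return resp["du_addr"], pkt, receive_user_plane(CU_IF, pkt)


if __name__ == "__main__":
    sample = b"GTP-U:PDCP-PDU"  # constructed placeholder for a tunnelled user PDU
    for ciphered in (True, False):
        addr, pkt, seen = run_uplink(ciphered, sample)
        print(f"PDCP ciphered={ciphered}: src={addr} "
              f"proto={pkt.proto.value} recovered={seen == sample}")
```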
The information transmission method in the embodiment of the present application is described above. With reference to fig. 10, a central unit in the embodiment of the present application is described below; the central unit may perform the operations of the CU in the method embodiment, and the CU includes:
a first transceiving unit 1001, configured to perform security negotiation with a user equipment UE to obtain a negotiation result, where the negotiation result is used to indicate whether an air interface between the CU and the UE uses a packet data convergence layer PDCP protocol for ciphering;
a second transceiving unit 1002, configured to send a first message to a distributed unit DU;
when the negotiation result indicates that the air interface is ciphered using the PDCP protocol, the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet protocol security (IPSec) protocol.
Optionally, in some possible implementations, the DU has a first interface, and the first interface is an interface for the DU to perform user plane communication with the CU; the first interface configures a first encryption address and a first non-encryption address, wherein the first encryption address is used for indicating that the IPSec protocol is used for carrying out encryption/decryption processing on a user plane data message; the first non-encrypted address is used for indicating that the IPSec protocol is not used for encrypting/decrypting the user plane data message;
the second transceiving unit 1002 is further configured to:
and receiving a first response message sent by the DU, wherein the first response message is used for indicating that the address borne by the user plane at the DU end is the first non-encrypted address.
Optionally, in some possible implementations, the CU further includes:
a processing unit 1003, configured to encrypt a downlink user plane data packet using the PDCP protocol; setting the destination address of the downlink user plane data message as the first non-encrypted address;
a determining unit 1004, configured to determine, according to the first unencrypted address, that the downlink user plane data packet is not encrypted using the IPSec protocol;
the second transceiver unit 1002 is further configured to send the downlink user plane data packet to the DU.
Optionally, in some possible implementations, when the negotiation result indicates that the air interface is not ciphered using the PDCP protocol, the first message is used to indicate that the user plane bearer is encrypted using the IPSec protocol; the first response message is used to indicate that the address used by the user plane bearer at the DU end is the first encrypted address.
Optionally, in some possible implementations, when the negotiation result indicates that the air interface is encrypted using the PDCP protocol and communication between the CU and the DU passes through a security gateway SeGW, the CU further includes:
the processing unit 1003 is further configured to encrypt a downlink user plane data packet using the PDCP protocol; setting the destination address of the downlink user plane data message as the first non-encrypted address;
a third transceiving unit 1005, configured to send the downlink user plane data packet to the SeGW.
Optionally, in some possible implementations, the CU is provided with a second interface, and the second interface is an interface for the CU to perform user plane communication with the DU; the second interface configures a second encryption address and a second non-encryption address, wherein the second encryption address is used for indicating that the IPSec protocol is used for encrypting/decrypting a user plane data message; and the second non-encrypted address is used for indicating that the IPSec protocol is not used for encrypting/decrypting the user plane data message.
Referring to fig. 11, an embodiment of a distributed unit in the embodiment of the present application may perform the operations of the DU in the above method embodiment, where the DU includes:
the first transceiving unit 1101 is configured to receive a first message sent by a central unit CU when an air interface between the CU and a user equipment UE is ciphered using a packet data convergence layer, PDCP, protocol, the first message being indicative of a user plane bearer between the CU and the DU not being ciphered using an internet protocol security, IPSec, protocol.
Optionally, in some possible implementations, the DU has a first interface, and the first interface is an interface for the DU to perform user plane communication with the CU; the first interface configures a first encryption address and a first non-encryption address, wherein the first encryption address is used for indicating that the IPSec protocol is used for carrying out encryption/decryption processing on a user plane data message; the first non-encrypted address is used for indicating that the IPSec protocol is not used for encrypting/decrypting the user plane data message;
when the air interface is ciphered using the PDCP protocol, the first transceiving unit 1101 is further configured to:
and sending a first response message to the CU, wherein the first response message is used for indicating that the address carried by the user plane at the DU end is the first non-encrypted address.
Optionally, in some possible implementations, when the air interface is encrypted using the PDCP protocol, the DU further includes:
the second transceiver unit 1103 is further configured to receive an uplink user plane data packet sent by the UE;
the processing unit 1104 is configured to set a source address of the uplink user plane data packet to the first unencrypted address;
a determining unit 1102, configured to determine, according to the first non-encrypted address, that the uplink user plane data packet is not encrypted using the IPSec protocol;
the first transceiver unit 1101 is further configured to send the uplink user plane data packet to the CU.
Optionally, in some possible implementations, when the air interface is encrypted using the PDCP protocol and communication between the DU and the CU passes through a SeGW, the DU further includes:
the second transceiver unit 1103 is further configured to receive an uplink user plane data packet sent by the UE;
the processing unit 1104 is further configured to set a source address of the uplink user plane data packet to be the first unencrypted address;
the determining unit 1102 is further configured to determine, according to the first non-encrypted address, that the uplink user plane data packet is not encrypted by using the IPSec protocol;
the third transceiving unit 1105 is configured to send the uplink user plane data packet to the SeGW.
Optionally, in some possible implementations, the CU is provided with a second interface, and the second interface is an interface for the CU to perform user plane communication with the DU; the second interface configures a second encryption address and a second non-encryption address, wherein the second encryption address is used for indicating that the IPSec protocol is used for encrypting/decrypting a user plane data message; the second non-encrypted address is used for indicating that the IPSec protocol is not used for encrypting/decrypting the user plane data message;
when the air interface is ciphered using the PDCP protocol, the DU further includes:
the second transceiver unit 1103 is further configured to receive an uplink user plane data packet sent by the UE;
the processing unit 1104 is further configured to set a destination address of the uplink user plane data packet as the second unencrypted address;
the determining unit 1102 is further configured to determine, according to the second non-encrypted address, that the uplink user plane data packet is not encrypted by using the IPSec protocol;
the first transceiver unit 1101 is further configured to send the uplink user plane data packet to the CU.
The CU and the DU in the embodiment of the present application are described in detail in the above fig. 10 to 11 from the perspective of the modular functional entity, and the CU and the DU in the embodiment of the present application are described in detail in the following from the perspective of hardware processing.
Please refer to fig. 12. Fig. 12 shows a possible structural representation of a communication device in the case of an integrated unit. The communication apparatus 1200 includes: a processing unit 1202 and a communication unit 1203. The processing unit 1202 is configured to control and manage the operation of the communication apparatus. The communication apparatus 1200 may further include a storage unit 1201 for storing program codes and data required for the communication apparatus.
In one embodiment, the communication device may be the CU described above. For example, processing unit 1202 is configured to support the CU to perform steps 401, 407a, and 408b of fig. 4a, steps 401, 417a, and 418b of fig. 4b, steps 501, 507a, and 508b of fig. 5a, steps 501, 517a, and 518b of fig. 5b, steps 601, 607a, and 608b of fig. 6a, steps 601, 617a, and 618b of fig. 6b, and/or other processes for the techniques described herein. The communication unit 1203 is configured to support the CU to communicate with other devices, for example, the communication unit 1203 is configured to support the CU to perform steps 402 to 403, step 406, step 407b, step 408a, and step 409 in fig. 4a, steps 412 to 413, step 416, step 417b, step 418a, and step 419 in fig. 4b, steps 502 to 503, step 506, step 507b, step 508a, and step 509 in fig. 5a, steps 512 to 513, step 516, step 517b, step 518a, and step 519 in fig. 5b, steps 602 to 603, step 606, step 607b, step 608a, and step 609 in fig. 6a, steps 612 to 613, step 616, step 617b, step 618a, and step 619 in fig. 6b, steps 702 to 703, steps 708a to 709b in fig. 7b, steps 720a to 721b in fig. 7c, steps 802 to 803, and 809b in fig. 8a, steps 820a to 821b in fig. 8b, steps 902 to 903, steps 908a to 909b in fig. 9a, steps 920a to 921b in fig. 9b, and/or other processes for the techniques described herein.
In another embodiment, the communication device may be the DU described above. For example, the processing unit 1202 is configured to support the DU to perform step 405 in fig. 4a, step 410, step 415 in fig. 4b, step 420, step 505 in fig. 5a, step 510, step 515 in fig. 5b, step 520, step 605 in fig. 6a, step 610, step 615 in fig. 6b, step 620, step 705 in fig. 7b, step 712, step 717 in fig. 7c, step 724, step 805 in fig. 8a, step 812, step 817 in fig. 8b, step 824, step 905 in fig. 9a, step 912, step 917 in fig. 9b, step 924, and/or other processes for the techniques described herein. The communication unit 1203 is configured to support communication of the DU with other devices, for example, the communication unit 1203 is configured to support the DU to perform steps 402 to 404, step 406, step 409, and step 411, steps 412 to 414 in fig. 4b, step 416, step 419, and step 421, steps 502 to 504 in fig. 5a, step 506, step 509, and step 511, steps 512 to 514 in fig. 5b, step 516, step 519, and step 521, steps 602 to 604 in fig. 6a, step 606, step 609, and step 611, steps 612 to 614 in fig. 6b, step 616, step 619, and step 621, steps 702 to 704 in fig. 7b, step 706, step 711, and step 713, steps 714 to 716, step 718, step 723, and step 725, steps 802 to 804 in fig. 8a, step 806, step 811, and steps 814 to 816 in fig. 8b, step 818, step 823, and step 825, steps 902 to 904 in fig. 9a, step 906, step 911, and step 913, steps 914 to 916, step 918, step 923, and step 925 in fig. 9b, and/or other processes for the techniques described herein.
The processing unit 1202 may be a processor or a controller, such as a Central Processing Unit (CPU), a general-purpose processor, a Digital Signal Processor (DSP), an application-specific integrated circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. A processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, or a DSP together with a microprocessor. The communication unit 1203 may be a communication interface, a transceiver circuit, etc., where "communication interface" is a generic term that may include one or more interfaces, such as a transceiver interface. The memory unit 701 may be a memory.
When the processing unit 1202 is a processor, the communication unit 1203 is a communication interface, and the storage unit 1201 is a memory, the communication device 1310 shown in fig. 13 includes: a processor 1312, a communication interface 1313, and a memory 1311. Optionally, the communication device 1310 may also include a bus 1314. The communication interface 1313, the processor 1312, and the memory 1311 may be connected to each other through the bus 1314; the bus 1314 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 1314 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in fig. 13, but this is not intended to represent only one bus or one type of bus.
Similarly, in one embodiment, the communication device 1310 may be used to perform the steps of the CU described above. In another embodiment, the communication device 1310 may be used to perform the steps of the DU described above. These are not described in detail again here.
Embodiments of the present application also provide a system, as shown in fig. 14, which is a schematic structural diagram of one possible system provided by the present application, and the system may include one or more central processing units 1422 and a memory 1432, one or more storage media 1430 (e.g., one or more mass storage devices) storing application programs 1442 or data 1444. Memory 1432 and storage media 1430, among other things, may be transient or persistent storage. The program stored on storage medium 1430 may include one or more modules (not shown), each of which may include a sequence of instructions for operating on the system. Still further, a central processor 1422 may be disposed in communication with storage medium 1430 for executing a series of instruction operations on storage medium 1430 on system 1400. The system 1400 may also include one or more power supplies 1426, one or more wired or wireless network interfaces 1450, one or more input-output interfaces 1458, and/or one or more operating systems 1441, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
The embodiments of the information transmission method described in fig. 4a to 9b above can be implemented based on the system structure shown in fig. 14.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application in essence, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.
Claims (23)
1. An information transmission method, comprising:
a central unit (CU) performing security negotiation with a user equipment (UE) to obtain a negotiation result, wherein the negotiation result indicates whether an air interface between the CU and the UE is ciphered using the Packet Data Convergence Protocol (PDCP);
the CU sending a first message to a distributed unit (DU);
wherein, when the negotiation result indicates that the air interface is ciphered using the PDCP protocol, the first message indicates that the user plane bearer between the CU and the DU is not to be encrypted using the Internet Protocol Security (IPSec) protocol.
2. The method of claim 1, wherein the DU has a first interface, the first interface being an interface for user plane communication between the DU and the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, wherein the first encrypted address indicates that the IPSec protocol is used to encrypt/decrypt user plane data messages, and the first non-encrypted address indicates that the IPSec protocol is not used to encrypt/decrypt user plane data messages;
after the CU sends the first message to the DU, the method further comprises:
the CU receiving a first response message sent by the DU, wherein the first response message indicates that the address of the user plane bearer at the DU end is the first non-encrypted address.
3. The method of claim 2, wherein, after the CU receives the first response message sent by the DU, the method further comprises:
the CU encrypting a downlink user plane data message using the PDCP protocol;
the CU setting the destination address of the downlink user plane data message to the first non-encrypted address;
the CU determining, according to the first non-encrypted address, not to encrypt the downlink user plane data message using the IPSec protocol;
and the CU sending the downlink user plane data message to the DU.
4. The method of claim 2, wherein, when the negotiation result indicates that the air interface is not ciphered using the PDCP protocol, the first message indicates that the user plane bearer is to be encrypted using the IPSec protocol, and the first response message indicates that the address of the user plane bearer at the DU end is the first encrypted address.
5. The method of claim 2, wherein, when the negotiation result indicates that the air interface is ciphered using the PDCP protocol and that communication between the CU and the DU passes through a security gateway (SeGW), the method further comprises:
the CU encrypting a downlink user plane data message using the PDCP protocol;
the CU setting the destination address of the downlink user plane data message to the first non-encrypted address;
and the CU sending the downlink user plane data message to the SeGW.
6. The method according to any one of claims 1 to 5, wherein the CU is provided with a second interface, the second interface being an interface for user plane communication between the CU and the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, wherein the second encrypted address indicates that the IPSec protocol is used to encrypt/decrypt user plane data messages, and the second non-encrypted address indicates that the IPSec protocol is not used to encrypt/decrypt user plane data messages.
7. An information transmission method, comprising:
when an air interface between a central unit (CU) and a user equipment (UE) is ciphered using the Packet Data Convergence Protocol (PDCP), a distributed unit (DU) receiving a first message sent by the CU, wherein the first message indicates that a user plane bearer between the CU and the DU is not to be encrypted using the Internet Protocol Security (IPSec) protocol.
8. The method of claim 7, wherein the DU has a first interface, the first interface being an interface for user plane communication between the DU and the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, wherein the first encrypted address indicates that the IPSec protocol is used to encrypt/decrypt user plane data messages, and the first non-encrypted address indicates that the IPSec protocol is not used to encrypt/decrypt user plane data messages;
when the air interface is ciphered using the PDCP protocol, the method further comprises:
the DU sending a first response message to the CU, wherein the first response message indicates that the address of the user plane bearer at the DU end is the first non-encrypted address.
9. The method of claim 8, wherein, when the air interface is ciphered using the PDCP protocol, the method further comprises:
the DU receiving an uplink user plane data message sent by the UE;
the DU setting the source address of the uplink user plane data message to the first non-encrypted address;
the DU determining, according to the first non-encrypted address, not to encrypt the uplink user plane data message using the IPSec protocol;
and the DU sending the uplink user plane data message to the CU.
10. The method of claim 8, wherein, when the air interface is ciphered using the PDCP protocol and communication between the DU and the CU passes through a security gateway (SeGW), the method further comprises:
the DU receiving an uplink user plane data message sent by the UE;
the DU setting the source address of the uplink user plane data message to the first non-encrypted address;
the DU determining, according to the first non-encrypted address, not to encrypt the uplink user plane data message using the IPSec protocol;
and the DU sending the uplink user plane data message to the SeGW.
11. The method according to any one of claims 7 to 10, wherein the CU is provided with a second interface, the second interface being an interface for user plane communication between the CU and the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, wherein the second encrypted address indicates that the IPSec protocol is used to encrypt/decrypt user plane data messages, and the second non-encrypted address indicates that the IPSec protocol is not used to encrypt/decrypt user plane data messages.
12. The method of claim 11, wherein, when the air interface is ciphered using the PDCP protocol, the method further comprises:
the DU receiving an uplink user plane data message sent by the UE;
the DU setting the destination address of the uplink user plane data message to the second non-encrypted address;
the DU determining, according to the second non-encrypted address, not to encrypt the uplink user plane data message using the IPSec protocol;
and the DU sending the uplink user plane data message to the CU.
13. A central unit (CU), comprising:
a first transceiver unit, configured to perform security negotiation with a user equipment (UE) to obtain a negotiation result, wherein the negotiation result indicates whether an air interface between the CU and the UE is ciphered using the Packet Data Convergence Protocol (PDCP);
a second transceiver unit, configured to send a first message to a distributed unit (DU);
wherein, when the negotiation result indicates that the air interface is ciphered using the PDCP protocol, the first message indicates that the user plane bearer between the CU and the DU is not to be encrypted using the Internet Protocol Security (IPSec) protocol.
14. The CU of claim 13, wherein the DU has a first interface, the first interface being an interface for user plane communication between the DU and the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, wherein the first encrypted address indicates that the IPSec protocol is used to encrypt/decrypt user plane data messages, and the first non-encrypted address indicates that the IPSec protocol is not used to encrypt/decrypt user plane data messages;
the second transceiver unit is further configured to:
receive a first response message sent by the DU, wherein the first response message indicates that the address of the user plane bearer at the DU end is the first non-encrypted address.
15. The CU of claim 14, further comprising:
a processing unit, configured to encrypt a downlink user plane data message using the PDCP protocol and to set the destination address of the downlink user plane data message to the first non-encrypted address;
a determining unit, configured to determine, according to the first non-encrypted address, not to encrypt the downlink user plane data message using the IPSec protocol;
wherein the second transceiver unit is further configured to send the downlink user plane data message to the DU.
16. The CU of claim 14, wherein, when the negotiation result indicates that the air interface is not ciphered using the PDCP protocol, the first message indicates that the user plane bearer is to be encrypted using the IPSec protocol, and the first response message indicates that the address of the user plane bearer at the DU end is the first encrypted address.
17. The CU of claim 14, wherein, when the negotiation result indicates that the air interface is ciphered using the PDCP protocol and that communication between the CU and the DU passes through a security gateway (SeGW), the CU further comprises:
a processing unit, configured to encrypt a downlink user plane data message using the PDCP protocol and to set the destination address of the downlink user plane data message to the first non-encrypted address;
and a third transceiver unit, configured to send the downlink user plane data message to the SeGW.
18. The CU according to any one of claims 13 to 17, wherein the CU is provided with a second interface, the second interface being an interface for user plane communication between the CU and the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, wherein the second encrypted address indicates that the IPSec protocol is used to encrypt/decrypt user plane data messages, and the second non-encrypted address indicates that the IPSec protocol is not used to encrypt/decrypt user plane data messages.
19. A distributed unit (DU), comprising:
a first transceiver unit, configured to receive a first message sent by a central unit (CU) when an air interface between the CU and a user equipment (UE) is ciphered using the Packet Data Convergence Protocol (PDCP), wherein the first message indicates that a user plane bearer between the CU and the DU is not to be encrypted using the Internet Protocol Security (IPSec) protocol.
20. The DU of claim 19, wherein the DU has a first interface, the first interface being an interface for user plane communication between the DU and the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, wherein the first encrypted address indicates that the IPSec protocol is used to encrypt/decrypt user plane data messages, and the first non-encrypted address indicates that the IPSec protocol is not used to encrypt/decrypt user plane data messages;
when the air interface is ciphered using the PDCP protocol, the first transceiver unit is further configured to:
send a first response message to the CU, wherein the first response message indicates that the address of the user plane bearer at the DU end is the first non-encrypted address.
21. The DU of claim 20, wherein, when the air interface is ciphered using the PDCP protocol, the DU further comprises:
a second transceiver unit, configured to receive an uplink user plane data message sent by the UE;
a processing unit, configured to set the source address of the uplink user plane data message to the first non-encrypted address;
a determining unit, configured to determine, according to the first non-encrypted address, not to encrypt the uplink user plane data message using the IPSec protocol;
wherein the first transceiver unit is further configured to send the uplink user plane data message to the CU.
22. The DU of claim 21, wherein, when the air interface is ciphered using the PDCP protocol and communication between the DU and the CU passes through a security gateway (SeGW), the DU further comprises:
the second transceiver unit, further configured to receive an uplink user plane data message sent by the UE;
the processing unit, further configured to set the source address of the uplink user plane data message to the first non-encrypted address;
the determining unit, further configured to determine, according to the first non-encrypted address, not to encrypt the uplink user plane data message using the IPSec protocol;
and a third transceiver unit, configured to send the uplink user plane data message to the SeGW.
23. The DU according to any one of claims 19 to 22, wherein the CU is provided with a second interface, the second interface being an interface for user plane communication between the CU and the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, wherein the second encrypted address indicates that the IPSec protocol is used to encrypt/decrypt user plane data messages, and the second non-encrypted address indicates that the IPSec protocol is not used to encrypt/decrypt user plane data messages;
when the air interface is ciphered using the PDCP protocol, the DU further comprises:
the second transceiver unit, further configured to receive an uplink user plane data message sent by the UE;
the processing unit, configured to set the destination address of the uplink user plane data message to the second non-encrypted address;
the determining unit, further configured to determine, according to the second non-encrypted address, not to encrypt the uplink user plane data message using the IPSec protocol;
wherein the first transceiver unit is further configured to send the uplink user plane data message to the CU.
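The claims above describe one mechanism seen from both ends of the CU-DU user plane: the CU's negotiation result with the UE decides whether the bearer is IPSec-protected (claims 1, 4, 7), the DU answers with the matching address out of its encrypted/non-encrypted pair (claims 2, 8), and each side then decides per message whether to apply IPSec purely from the address it set (claims 3, 9, 12). The Python model below is an added example written for this page, not code from the patent or from any implementation of it; the class names, the message fields `bearer_ipsec` and `du_addr`, and the 10.0.x.x addresses are assumptions. It goes one step beyond the claims, as noted in the code: the CU verifies that the address the DU reports is the one the first message called for, so a DU cannot steer the bearer onto the non-encrypted address while IPSec was requested.

```python
"""Added example: model of the CU/DU address-based IPSec selection in claims 1 to 12.
Not the patent's code. Class names, message fields and addresses are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserPlaneInterface:
    """A CU-DU user plane endpoint with one IPSec-protected address and one clear
    address (the encrypted / non-encrypted address pair of claims 2 and 6)."""
    encrypted_addr: str
    non_encrypted_addr: str

    def ipsec_required(self, addr: str) -> bool:
        """Address-keyed policy lookup: the decision step of claims 3, 9 and 12."""
        if addr == self.encrypted_addr:
            return True
        if addr == self.non_encrypted_addr:
            return False
        raise ValueError(f"{addr} is not configured on this interface")


@dataclass
class UserPlaneMessage:
    src: str
    dst: str
    payload: bytes
    pdcp_ciphered: bool            # air-interface ciphering already applied to the payload
    ipsec_protected: bool = False  # set by the sender from the address policy


class CU:
    def __init__(self, iface: UserPlaneInterface, du_iface: UserPlaneInterface):
        self.iface, self.du_iface = iface, du_iface
        self.air_pdcp_ciphered = False
        self.du_addr = None                      # filled in by the DU's first response

    def negotiate_with_ue(self, ue_pdcp_ciphering: bool) -> bool:
        """Stand-in for the CU-UE security negotiation of claim 1; only its result is modelled."""
        self.air_pdcp_ciphered = ue_pdcp_ciphering
        return self.air_pdcp_ciphered

    def first_message(self) -> dict:
        """Claims 1 and 4: bearer IPSec is off exactly when the air interface is PDCP-ciphered."""
        return {"bearer_ipsec": not self.air_pdcp_ciphered}

    def accept_first_response(self, response: dict) -> str:
        """Claims 2 and 4, plus a check the claims do not state (assumption): the DU must
        report the address the first message called for, so it cannot downgrade on its own."""
        want = (self.du_iface.encrypted_addr if self.first_message()["bearer_ipsec"]
                else self.du_iface.non_encrypted_addr)
        if response["du_addr"] != want:
            raise ValueError(f"DU answered {response['du_addr']}, expected {want}")
        self.du_addr = response["du_addr"]
        return self.du_addr

    def send_downlink(self, payload: bytes) -> UserPlaneMessage:
        """Claim 3: PDCP-cipher, set the DU address as destination, decide IPSec from it."""
        if self.du_addr is None:
            raise RuntimeError("bearer not set up: no first response from the DU")
        src = (self.iface.encrypted_addr if self.first_message()["bearer_ipsec"]
               else self.iface.non_encrypted_addr)
        msg = UserPlaneMessage(src, self.du_addr, payload, pdcp_ciphered=self.air_pdcp_ciphered)
        msg.ipsec_protected = self.du_iface.ipsec_required(msg.dst)
        return msg


class DU:
    def __init__(self, iface: UserPlaneInterface, cu_iface: UserPlaneInterface):
        self.iface, self.cu_iface = iface, cu_iface
        self.bearer_ipsec = True                 # protected until the CU says otherwise
        self.addr = iface.encrypted_addr

    def handle_first_message(self, msg: dict) -> dict:
        """Claims 7 and 8: select the bearer address the CU's instruction calls for, report it."""
        self.bearer_ipsec = msg["bearer_ipsec"]
        self.addr = self.iface.encrypted_addr if self.bearer_ipsec else self.iface.non_encrypted_addr
        return {"du_addr": self.addr}

    def send_uplink(self, payload: bytes) -> UserPlaneMessage:
        """Claims 9 and 12: source is the DU's selected address, destination the matching CU
        address; IPSec is decided from those addresses. The payload arrives from the UE
        already PDCP-ciphered whenever the air interface is ciphered."""
        dst = self.cu_iface.encrypted_addr if self.bearer_ipsec else self.cu_iface.non_encrypted_addr
        msg = UserPlaneMessage(self.addr, dst, payload, pdcp_ciphered=not self.bearer_ipsec)
        msg.ipsec_protected = self.iface.ipsec_required(msg.src) or self.cu_iface.ipsec_required(msg.dst)
        return msg


# Constructed addresses: the "second" pair belongs to the CU, the "first" pair to the DU.
CU_IFACE = UserPlaneInterface("10.0.1.1", "10.0.1.2")
DU_IFACE = UserPlaneInterface("10.0.2.1", "10.0.2.2")


def run_bearer_setup(ue_pdcp_ciphering: bool):
    """One complete CU-DU exchange for a given negotiation result; returns (downlink, uplink)."""
    cu, du = CU(CU_IFACE, DU_IFACE), DU(DU_IFACE, CU_IFACE)
    cu.negotiate_with_ue(ue_pdcp_ciphering)
    cu.accept_first_response(du.handle_first_message(cu.first_message()))
    return cu.send_downlink(b"downlink PDU"), du.send_uplink(b"uplink PDU")


if __name__ == "__main__":
    for pdcp in (True, False):
        dl, ul = run_bearer_setup(pdcp)
        print(f"air PDCP ciphered={pdcp}: DL {dl.src}->{dl.dst} ipsec={dl.ipsec_protected}; "
              f"UL {ul.src}->{ul.dst} ipsec={ul.ipsec_protected}")
```

Running it with `ue_pdcp_ciphering=True` yields a bearer on the two non-encrypted addresses with IPSec off and the payload PDCP-ciphered; with `False` both sides fall back to the encrypted addresses and IPSec on. The model only records whether PDCP ciphering was applied to the payload; it says nothing about what else on the bearer is or is not covered, and, like the claims, it scopes the IPSec decision to the user plane bearer only.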
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810391847.5A CN110417708B (en) | 2018-04-26 | 2018-04-26 | Information transmission method and related equipment |
PCT/CN2019/082017 WO2019205934A1 (en) | 2018-04-26 | 2019-04-10 | Information transmission method and relevant device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810391847.5A CN110417708B (en) | 2018-04-26 | 2018-04-26 | Information transmission method and related equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110417708A CN110417708A (en) | 2019-11-05 |
CN110417708B true CN110417708B (en) | 2021-04-20 |
Family
ID=68293500
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810391847.5A Active CN110417708B (en) | 2018-04-26 | 2018-04-26 | Information transmission method and related equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110417708B (en) |
WO (1) | WO2019205934A1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111757322B (en) * | 2020-06-19 | 2023-11-17 | 兴唐通信科技有限公司 | Cellular mobile communication network protection method and system for base station password service centralization |
CN113438178B (en) * | 2021-06-22 | 2023-04-18 | 北京天融信网络安全技术有限公司 | Message forwarding method and device, computer equipment and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102246552A (en) * | 2009-09-27 | 2011-11-16 | 华为技术有限公司 | Method and apparatus for signaling transmission |
CN106714153A (en) * | 2015-11-13 | 2017-05-24 | 华为技术有限公司 | Key distribution, generation and reception method, and related device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007130637A2 (en) * | 2006-05-05 | 2007-11-15 | Interdigital Technology Corporation | Apparatuses for performing ciphering with pdcp layer sequence number or by pdcp entities |
US10455414B2 (en) * | 2014-10-29 | 2019-10-22 | Qualcomm Incorporated | User-plane security for next generation cellular networks |
EP3437350A1 (en) * | 2016-03-31 | 2019-02-06 | Intel IP Corporation | Maintaining a wifi connection during handover of a user equipment in a lte network |
- 2018-04-26 CN CN201810391847.5A patent/CN110417708B/en active Active
- 2019-04-10 WO PCT/CN2019/082017 patent/WO2019205934A1/en active Application Filing
Non-Patent Citations (1)
Title |
---|
"High Layer Functional Split with Separated Control and User Planes"; Vodafone; 3GPP TSG-RAN WG3 #95bis, R3-171203; 2017-03-24; section 7, figure 7 * |
Also Published As
Publication number | Publication date |
---|---|
CN110417708A (en) | 2019-11-05 |
WO2019205934A1 (en) | 2019-10-31 |
Similar Documents
Publication | Title |
---|---|
JP6928143B2 (en) | Network architecture and security with encrypted client device context |
JP6882255B2 (en) | Network security architecture |
USRE48631E1 (en) | Method and system for selective protection of data exchanged between user equipment and network |
TWI652957B (en) | Base station and communication device that can be switched between two base stations |
EP3078164B1 (en) | Data communication via data packet headers |
CN111835767B (en) | Method of performing device-to-device communication between user equipments |
EP3393188A1 (en) | Method and device for relay transmission, and relay terminal apparatus |
JP6633745B2 (en) | Node for use in a communication network and method for operating it |
US10742476B2 (en) | Data packet processing method and device |
CN107113901A (en) | Data forwarding in dual link is supported |
CN110417708B (en) | Information transmission method and related equipment |
EP3360357B1 (en) | A radio access node and a method of operating the same |
JP4344750B2 (en) | Method and apparatus for in-line encryption and decryption of radio station |
JP2019511154A (en) | Security parameter transmission method and related devices |
EP3873121A1 (en) | Data transmission method, user equipment, and control plane node |
US20240357423A1 (en) | Methods and apparatus for reducing communications delay |
JP4843660B2 (en) | Method and apparatus for encrypting data in the PDCP layer of a wireless communication system |
US9397831B2 (en) | Encrypted communication device and method for performing encrypted communication while reducing traffic in communication system |
CN107529202B (en) | Method, device and network architecture for downlink data transmission |
CN108513324B (en) | Data transmission method and device |
CN109565706B (en) | Data encryption method and device |
EP2984783B1 (en) | Secure radio information transfer over mobile radio bearer |
US20230283592A1 (en) | Data transmission method with selective latency reduction |
CN110769416B (en) | Communication method, device, system and readable storage medium |
CN108391252B (en) | Data packet processing method and device |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |