CN113194518B - Redirection allocation method, device and system - Google Patents

Publication number
CN113194518B
Authority
CN
China
Prior art keywords
amf
interface
terminal
redirection
current
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110515971.XA
Other languages
Chinese (zh)
Other versions
CN113194518A (en
Inventor
王鑫
肖吉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN202110515971.XA
Publication of CN113194518A
Application granted
Publication of CN113194518B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08: Configuration management of networks or network elements
    • H04L41/0893: Assignment of logical groups to network elements
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W24/00: Supervisory, monitoring or testing arrangements
    • H04W24/02: Arrangements for optimising operational condition
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W48/00: Access restriction; Network selection; Access point selection
    • H04W48/08: Access restriction or access information delivery, e.g. discovery data delivery
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W48/00: Access restriction; Network selection; Access point selection
    • H04W48/16: Discovering, processing access restriction or access information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a redirection allocation method, device and system. The method comprises the following steps: in response to a redirection request from the access and mobility management function network element (AMF) to which a terminal is currently connected, acquiring identification information of the current AMF and identification information of a target AMF from the redirection request; redirecting the terminal from the current AMF to an interface AMF in the first AMF set, and jumping the terminal from the interface AMF in the first AMF set to an interface AMF in the second AMF set; and redirecting the terminal from the interface AMF in the second AMF set to the target AMF to obtain a redirection path from the terminal to the target AMF. The method can solve the problem that AMF redirection of terminal equipment fails due to the security isolation of network slice services.

Description

Redirection allocation method, device and system
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, and a system for redirection allocation.
Background
In the communication network system, an Access and Mobility Management Function (AMF) element may be responsible for Mobility Management and Access Management of a terminal core network.
Network slices must be security-isolated from one another, and different slice services have different degrees of security isolation. When a terminal device needs to connect to two network slices with different isolation at the same time, or wants to switch from one network slice to another, AMF redirection may therefore fail; that is, the terminal cannot quickly jump from the AMF corresponding to the current slice to the target AMF corresponding to the new slice.
Disclosure of Invention
Therefore, the invention provides a redirection allocation method, a redirection allocation device and a redirection allocation system, which are used for solving the problem that in the prior art, the AMF redirection of terminal equipment fails due to the security isolation of network slicing services.
In order to achieve the above object, a first aspect of the present invention provides a redirection allocation method applied to a network slice management network element, where the method includes: in response to a redirection request from the access and mobility management function network element (AMF) to which a terminal is currently connected, acquiring identification information of the current AMF and identification information of a target AMF from the redirection request;
the current AMF belongs to a preset first AMF set, the target AMF belongs to a preset second AMF set, and the first AMF set and the second AMF set are used for serving different types of network slices with the security isolation degree larger than a preset threshold value;
redirecting the terminal from the current AMF to an interface AMF in the first AMF set, and jumping the terminal from the interface AMF in the first AMF set to an interface AMF in the second AMF set;
the interface AMF in the first AMF set is used for being connected with other AMFs in the first AMF set, and the interface AMF in the second AMF set is used for being connected with other AMFs in the second AMF set;
and redirecting the terminal from the interface AMF in the second AMF set to the target AMF to obtain a redirection path from the terminal to the target AMF.
A second aspect of the present invention provides a redirection allocation apparatus, including: an information acquisition module, used for acquiring, in response to a redirection request from the access and mobility management function network element (AMF) to which the terminal is currently connected, the identification information of the current AMF and the identification information of the target AMF from the redirection request;
the current AMF belongs to a preset first AMF set, the target AMF belongs to a preset second AMF set, and the first AMF set and the second AMF set are used for serving different types of network slices with the security isolation degree larger than a preset threshold value;
the redirection processing module is used for redirecting the terminal from the current AMF to an interface AMF in the first AMF set and jumping the terminal from the interface AMF in the first AMF set to an interface AMF in the second AMF set;
the interface AMF in the first AMF set is used for being connected with other AMFs in the first AMF set, and the interface AMF in the second AMF set is used for being connected with other AMFs in the second AMF set;
and the redirection processing module is further used for redirecting the terminal from the interface AMF in the second AMF set to the target AMF to obtain a redirection path from the terminal to the target AMF.
A third aspect of the present invention provides a network system, including: a network slice management network element and at least two access and mobility management function network element (AMF) sets; wherein
each AMF set comprises an interface AMF, the interface AMF is connected with the other AMFs in the AMF set, and the interface AMFs of the AMF sets are connected in a ring; and wherein
the network slice management network element is used for managing different types of network slices and the at least two AMF sets, the different AMF sets being used for serving the different types of network slices, and for performing the method of any of claims 1 to 7 according to a received redirection request of the access and mobility management function network element (AMF) to which the terminal is currently connected.
A fourth aspect of the present invention provides a redirection allocation processing system, including: one or more processors; a memory having one or more programs stored thereon, which when executed by the one or more processors, cause the one or more processors to implement any one of the methods in the embodiments of the present invention.
The invention has the following advantages: according to the redirection allocation method, device and system in the embodiments of the invention, when the terminal connects to multiple network slices whose security isolation degree is larger than the preset threshold, or switches between slice services, the terminal can first be redirected to the interface AMF in the AMF set where the current AMF is located, then jump to the interface AMF in the AMF set where the target AMF is located, and then be redirected to the target AMF through that interface AMF. In this way the security isolation of the slice AMF sets is preserved while redirection between high-isolation AMF sets remains possible, which solves the prior-art problem that AMF redirection of terminal equipment fails because of the security isolation of network slice services.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
FIG. 1 illustrates a flow diagram of AMF redirection of an embodiment;
FIG. 2 is a flow diagram illustrating a redirection assignment method according to an embodiment of the present invention;
FIG. 3 shows a schematic connection structure diagram of the interface AMF of the exemplary embodiment of the present invention;
FIG. 4 shows a schematic diagram of the failure of redirection between existing high-isolation slices and between high-isolation AMF sets;
FIG. 5 is a diagram illustrating an AMF redirection path and a security context transfer flow in an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a redirection allocation apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a network system according to an embodiment of the present invention;
FIG. 8 is a block diagram illustrating an exemplary hardware architecture of a computing device capable of implementing the redirection allocation method and apparatus in accordance with embodiments of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
In the embodiment of the invention, because the serving AMF sets are different and the security isolation of the two slices is high, AMF redirection may fail; that is, the terminal cannot quickly jump from the AMF corresponding to the current slice to the target AMF corresponding to the new slice. If, on the other hand, all AMF sets are completely opened to one another without differentiating and isolating the AMFs, the security isolation of the slices is affected.
For better understanding of the present invention, the following describes a redirection allocation method, apparatus and system according to embodiments of the present invention in detail with reference to the accompanying drawings, and it should be noted that these embodiments are not intended to limit the scope of the present disclosure.
The communication network system in the embodiment of the present invention may be a 5th Generation wireless systems (5G) mobile communication system or a communication network system supporting 5G mobile communication.
Fig. 1 shows a flow diagram of AMF redirection of an embodiment. As shown in fig. 1, the redirection flow of the AMF may include the following steps.
S01, the terminal initiates an attach request (Requested-NSSAI).
Here, the Single Network Slice Selection Assistance Information (S-NSSAI) is used for uniquely identifying one network slice.
In this step, the terminal does not carry slice information. If the terminal supports carrying slice information, S02-S05 are skipped: the Radio Access Network (RAN) directly selects a private-network AMF according to the S-NSSAI-DDD reported by the terminal, the private-network AMF queries the Unified Data Management function network element (UDM), the subscription is obtained and authentication is performed, and the attachment then succeeds.
S02, the RAN selects a default AMF (Default AMF).
In this step, the RAN may also directly select the default AMF.
S03, the Default AMF obtains the terminal subscription NSSAI (Subscribed-NSSAI) by querying the UDM.
S04, the Default AMF cannot serve the terminal, so it carries the terminal's Subscribed-NSSAI to query a Network Slice Selection Function (NSSF), and the NSSF returns the target AMF information that can serve the terminal.
In this step, the information may include the S-NSSAI values that the UE can use in the current registration domain (Allowed NSSAI) and the target AMF (Target AMF).
S05, the Default AMF redirects the attach request of the terminal to the target AMF, i.e. reroutes to the target AMF (target AMF).
S06, the target AMF obtains the user subscription and policy information by querying the policy control function network element (PCF).
In this step, the user subscription and Policy information may be a Network Slice Selection Policy (NSSP).
S07, the target AMF issues an attachment success message, and the terminal completes attachment.
In fig. 1, the NSSF issues the ALLOW-NSSAI and TARGET AMF to the current AMF, informing the current AMF of all the information of the redirected target AMF; the current AMF is then disconnected and the terminal is redirected to the target AMF.
In an embodiment of the present invention, a slice with high isolation is a network slice whose security isolation is greater than a predetermined threshold. When a terminal wants to connect to two network slices (hereinafter referred to as slices for short) at the same time, or wants to switch from one slice to another, the serving AMF sets are different and highly isolated and the security isolation of the two slices is high, so AMF redirection may fail; that is, the terminal cannot quickly jump from the AMF corresponding to the current slice to the target AMF corresponding to the new slice. If, on the other hand, all AMF sets are completely opened to one another without differentiating and isolating the AMFs, the security isolation of the slices is affected.
In an actual application scenario, the AMF sets are usually classified according to 5G slice service types, and different AMF sets serve different slices. Due to the different security isolation of the slicing services, when a terminal wants to access two slicing services with high isolation simultaneously, the problem that AMF redirection cannot be quickly realized may occur.
Fig. 2 is a flowchart illustrating a redirection assignment method according to an embodiment of the present invention. As shown in fig. 2, the redirection allocation method in the embodiment of the present invention may be applied to a network slice management network element NSSF, and may include the following steps:
S210, in response to a redirection request from the access and mobility management function network element (AMF) to which the terminal is currently connected, obtaining the identification information of the current AMF and the identification information of the target AMF from the redirection request.
The current AMF belongs to a preset first AMF set, the target AMF belongs to a preset second AMF set, and the first AMF set and the second AMF set are used for serving different types of network slices with security isolation degrees larger than a preset threshold value.
S220, redirecting the terminal from the current AMF to an interface AMF in the first AMF set, and jumping the terminal from the interface AMF in the first AMF set to an interface AMF in the second AMF set.
The interface AMF in the first AMF set is used for connecting with other AMFs in the first AMF set, and the interface AMF in the second AMF set is used for connecting with other AMFs in the second AMF set.
S230, the terminal is redirected to the target AMF from the interface AMF in the second AMF set, and a redirection path from the terminal to the target AMF is obtained.
According to the redirection allocation method provided by the embodiment of the invention, an interface AMF is set for each AMF set. When the terminal performs multi-slice connection or slice service switching, the terminal can be redirected to the interface AMF in the AMF set where the current AMF is located, marked as AMF1, then jump from AMF1 to the interface AMF in the AMF set where the target AMF is located, marked as AMF2, and then be redirected from AMF2 to the target AMF. In this way the slice AMF sets remain securely isolated while redirection between high-isolation AMF sets is still possible.
For better understanding of the present invention, the redirection allocation method according to the embodiment of the present invention is described in detail below with reference to fig. 3. Fig. 3 shows a schematic connection structure diagram of the interface AMF according to an exemplary embodiment of the present invention. Fig. 3 includes the terminal 310, the radio access network 320, and the NSSF 330, and the NSSF 330 includes a newly added management module 331 and a newly added key derivation module 332.
It should be understood that the network slice management element in the embodiment of the present invention may be a network slice selection function element NSSF. The redirection allocation method of the embodiment of the invention is executed through an NSSF or a newly added management module in the NSSF. Taking the newly added management module in NSSF as an example, in the following description of the embodiment, the module may be referred to as a newly added management module 331 for short.
In some embodiments, the first AMF set and the second AMF set in step S210 are any two of a plurality of preset AMF sets; before responding to the redirection request of the AMF to which the terminal is currently connected in step S210, the method further includes the following steps.
S11, taking the network slices with a security isolation degree larger than the preset threshold as high-isolation network slices, and classifying the AMFs serving the high-isolation network slices according to a preset classification rule to obtain a plurality of AMF sets of different classifications.
In this step, the isolated AMFs may be classified into sets, for example according to the service capabilities of the AMF. Exemplarily, in fig. 3, the AMF set (first set) whose service capability needs to guarantee a network latency of 10 ms and a reliability of 99.5% may include AMF11, AMF12 and AMF17; the AMF set (second set) whose service capability needs to guarantee a network delay of 50 ms and a reliability of 80% may include, for example, AMF2, AMF8 and AMF10; the AMF set (third set) whose service capability guarantees a network bandwidth of 5M and a rate of 1G may include, for example, AMF1, AMF9, and the like.
S12, establishing a corresponding relationship between each AMF set in the plurality of AMF sets and the identification information of one set of network slices in the preset plurality of sets of different types of network slices, so as to serve the set of different types of network slices through each AMF set.
In this step, the information of the differently classified AMF sets may be stored in the network slice management network element NSSF of the embodiment of the present invention and mapped to the network slice identification information (NSSAI-ID); for example, an Internet-of-Vehicles slice with NSSAI-ID 1 corresponds to the first AMF set, a video slice with NSSAI-ID 2 corresponds to the second AMF set, and an industrial scene slice with NSSAI-ID 3 corresponds to the third AMF set.
S13, selecting one interface AMF from each AMF set, wherein the selected interface AMF is used for being connected with the other AMFs in the AMF set.
In this step, one AMF is selected from each of the differently classified AMF sets as an interface to connect with the other AMFs. For example, AMF11 is selected from the first set, AMF8 from the second set, and AMF1 from the third set. The AMF selected as the interface in each AMF set may be referred to as an interface AMF, and the load balancing of the interface AMF must satisfy a predetermined condition.
For example, the load of these interface AMFs needs to be kept below a preset load balancing threshold, and no terminal is given priority access to these AMFs. In the embodiment of the invention, in the process of redirection between high-isolation AMF sets, when the terminal performs multi-slice connection or slice service switching, the terminal can be redirected to the interface AMF1, then jump from the interface AMF1 to the interface AMF2 of the target AMF set, and after the security context between the terminal and the network has been successfully transferred, the connection with the interface AMF is disconnected.
S14, connecting the selected interface AMFs, so that the AMF sets establish a connection relationship through the selected interface AMFs.
In this step, as shown in fig. 3, the interface AMFs may be connected in a ring, so as to ensure that every AMF set can form a connection through the interface AMFs, thereby achieving cross-interconnection.
In some embodiments, before responding, in step S210, to the redirection request of the access and mobility management function network element (AMF) to which the terminal is currently connected, the method further includes the following steps.
S21, responding to a slice service request of the terminal, acquiring slice information of the request connection reported by the terminal, and receiving the identification information of the current AMF reported by the terminal after the terminal successfully connects the current AMF corresponding to the current slice.
S22, responding to another slice service request of the terminal, sending to the current AMF the identification information of the target AMF corresponding to the other network slice that the terminal requests to connect to; if the target AMF is in the same AMF set as the current AMF, the current AMF reroutes and the terminal is redirected directly to the target AMF.
S23, receiving a redirection request, where the redirection request is a request sent by the current AMF to the NSSF when it is determined that the target AMF and the current AMF are not in the same AMF set, so as to request redirection to a target AMF corresponding to another network slice.
In the embodiment of the present invention, when a terminal initiates a slice service request, it needs to report the current slice number to a network slice management network element (or a newly added management module in the network slice management network element), and after the terminal successfully accesses the current AMF, it also needs to report the ID of the current AMF to the network slice management network element (or a newly added management module in the network slice management network element).
In this embodiment, after the terminal has connected to a slice, if a second slice service request is initiated, the current AMF acquires the user slice information from the NSSF.
The process flow of acquiring the user information may include, for example: the NSSF sends a slice selection response message (NSSF_NSSelection_Get) to the AMF, and issues the ALLOW-NSSAI and TARGET AMF corresponding to the second slice to the current AMF, informing the current AMF of all redirected target AMFs.
The current AMF judges whether the Target AMF of the second slice is in the same set as the currently connected AMF. If it is in the same AMF set, the AMF reconnection can be carried out directly; for example, the current AMF17 is switched directly to AMF12 through rerouting. If it is not in the same AMF set, the AMF to which the terminal is currently connected cannot jump or be redirected directly to another AMF set, so the current AMF reports to the network slice management network element (or the newly added management module in the network slice management network element) that redirection to another AMF set with high security isolation is required, and the network slice management network element (or the newly added management module in it) executes steps S220 to S230 to perform the redirection allocation processing of the embodiment of the present invention.
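The set classification of S11-S14 and the same-set versus cross-set decision above can be sketched as follows. This is an added example, not code from the patent: the names `AmfSet`, `plan_redirection`, `classify_hop` and `validate_path` are hypothetical, the set contents are the fig. 3 example values, and any two interface AMFs are assumed to be directly connected (true for a ring of three sets).

```python
"""Redirection path planning across isolated AMF sets (illustrative sketch)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AmfSet:
    name: str
    nssai_id: int        # slice served by this set (S12)
    members: frozenset   # AMF IDs classified into this set (S11)
    interface: str       # interface AMF chosen for the set (S13)


# Example values from the fig. 3 description on the page.
AMF_SETS = (
    AmfSet("first", 1, frozenset({"AMF11", "AMF12", "AMF17"}), "AMF11"),
    AmfSet("second", 2, frozenset({"AMF2", "AMF8", "AMF10"}), "AMF8"),
    AmfSet("third", 3, frozenset({"AMF1", "AMF9"}), "AMF1"),
)


def build_index(sets):
    """Map every AMF ID to its set, rejecting inconsistent configuration."""
    index = {}
    for amf_set in sets:
        if amf_set.interface not in amf_set.members:
            raise ValueError(f"interface {amf_set.interface} not in {amf_set.name} set")
        for amf in amf_set.members:
            if amf in index:
                raise ValueError(f"{amf} is assigned to two sets")
            index[amf] = amf_set
    return index


_SET_OF = build_index(AMF_SETS)


def set_of(amf_id):
    try:
        return _SET_OF[amf_id]
    except KeyError:
        raise ValueError(f"unknown AMF: {amf_id}") from None


def classify_hop(src, dst):
    """Classify one hop against the isolation rule.

    Hops inside a set are allowed; a hop between sets is allowed only from
    one interface AMF to another (assumption: interface AMFs are mutually
    reachable over the ring). Anything else would bypass the isolation.
    """
    src_set, dst_set = set_of(src), set_of(dst)
    if src_set is dst_set:
        return "intra-set"
    if src == src_set.interface and dst == dst_set.interface:
        return "interface-to-interface"
    return "forbidden"


def plan_redirection(current, target):
    """Return the ordered list of AMFs the terminal is redirected through."""
    cur_set, tgt_set = set_of(current), set_of(target)
    if cur_set is tgt_set:
        hops = [current, target]            # same set: direct reroute
    else:
        hops = [current, cur_set.interface, tgt_set.interface, target]
    path = []
    for amf in hops:                        # collapse a hop onto itself,
        if not path or path[-1] != amf:     # e.g. current AMF is the interface
            path.append(amf)
    return path


def validate_path(path):
    """True if no hop in the path crosses sets outside the interface AMFs."""
    return all(classify_hop(a, b) != "forbidden" for a, b in zip(path, path[1:]))


if __name__ == "__main__":
    for cur, tgt in [("AMF17", "AMF12"), ("AMF17", "AMF9")]:
        path = plan_redirection(cur, tgt)
        print(cur, "->", tgt, ":", " -> ".join(path), "| valid:", validate_path(path))
    print("direct AMF17 -> AMF9 valid:", validate_path(["AMF17", "AMF9"]))
```
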
In some embodiments, redirecting the terminal from the current AMF to the interface AMF in the first AMF set in step S220 may specifically include the following steps.
S31, sending a first redirection instruction to the current AMF, where the first redirection instruction includes: the identification information of the interface AMF in the first AMF set and the corresponding AMF routing address.
The first redirection instruction is used for controlling the current AMF to redirect the terminal to the interface AMF in the first AMF set according to the identification information of the interface AMF in the first AMF set and the corresponding AMF routing address.
The first redirection instruction is further configured to control the current AMF to send a first security context message to the interface AMF in the first AMF set in a process of redirecting the terminal to the interface AMF in the first AMF set, where the first security context message includes a first key derivation instruction, and a temporary key in the first key derivation instruction is derived by the current AMF.
S32, receiving a first successful connection confirmation message of the interface AMF in the first AMF set, and determining that the terminal has successfully jumped to the interface AMF in the first AMF set, where the first successful connection confirmation message is a connection confirmation message generated after the interface AMF in the first AMF set derives the NAS key, and establishes a new security context, from the temporary key in the first key derivation instruction.
For example, first, a network slice management network element (or a newly added management module in the network slice management network element) may send an AMF redirection instruction to a current AMF connected to a current slice 1, where the instruction may include an ID number of an interface AMF corresponding to a current AMF set and an AMF routing address.
Referring to fig. 3, in this process the current AMF may transfer the security context to the interface AMF of the current set (first set) according to the communication protocol flow; that is, the current AMF sends a Namf_Communication_N1MessageNotify service operation message to the target AMF, where the message includes the Subscription Permanent Identifier (SUPI) of the user, the Mobility Management (MM) context, SMF information, and a key derivation indication (keyAmfHDerivationInd). The key derivation indication carries the temporary key Kamf (e.g., Kamf1) generated by the AMF, and Kamf1 is derived by the current AMF17. In this step, since the target AMF of the redirection is the interface AMF11, and AMF11 is in the same set as the current AMF, the network slice management network element does not issue the temporary key Kamf1; Kamf1 is derived directly by the current AMF.
As an example, as shown in fig. 3, the first slice where the terminal is currently located is connected to AMF17, and the ALLOW-NSSAI issued by the NSSF for the second slice requires a connection to AMF9.
Because the AMF17 cannot directly transfer the whole set of security context to the AMF9 due to consideration of security isolation, the network slice management network element (or a newly added management module in the network slice management network element) sends a redirection instruction, instructing the AMF17 to redirect to the AMF11 first.
The security context (Namf_Communication_N1MessageNotify message) may be passed directly from AMF17 to AMF11 during this redirection process.
Through the above steps S31-S32, the network slice management network element may redirect the terminal from the currently connected AMF to the interface AMF of the current AMF set.
In some embodiments, the jumping the terminal from the interface AMF in the first AMF set to the interface AMF in the second AMF set in step S220 may specifically include the following steps.
S41, in response to the first successful connection confirmation message of the interface AMF in the first AMF set, sending a second redirection instruction to the interface AMF in the first AMF set, where the second redirection instruction includes: the identification information of the interface AMF in the second AMF set and the corresponding AMF routing address.
Illustratively, referring to fig. 3, after the terminal is redirected to AMF11, AMF11 derives the K_NASint and K_NASenc keys from Kamf1 (derived by the current AMF17) and establishes a new NAS security context. After establishing the new NAS security context, AMF11 sends a confirmation message of successful connection to the network slice management network element (or the newly added management module in the network slice management network element).
After receiving the confirmation message, the network slice management network element (or the newly added management module in the network slice management network element) continues by dispatching a redirection instruction to AMF11; the instruction includes the ID number of the interface AMF corresponding to the target AMF set (third set) and the AMF routing address.
S42, generating a new temporary key as the first temporary key, sending the first temporary key to the interface AMF in the first AMF set, and generating a new temporary key as the second temporary key, sending the second temporary key to the interface AMF in the second AMF set.
And the second redirection instruction is used for controlling the interface AMF in the first AMF set and jumping the terminal to the interface AMF in the second AMF set according to the identification information of the interface AMF in the second AMF set and the corresponding AMF routing address.
And the second redirection instruction is further configured to control the interface AMF in the first AMF set, and send a second security context message to the interface AMF in the second AMF set in the process of jumping the terminal to the interface AMF in the second AMF set, where the second security context message includes a second key derivation instruction, and a temporary key in the second key derivation instruction is updated to the first temporary key by the interface AMF in the first AMF set.
The first temporary key and the second temporary key are used for merging in the interface AMF in the second AMF set and deriving a third temporary key corresponding to merged data.
In this step, if the network slice management network element determines that the current AMF is not in the same set as the target AMF, the newly added key derivation module 332 may generate a new temporary key (denoted as the first temporary key Kamf-A, dispatched by the network slice management network element) and send it to AMF11, and generate another new temporary key (denoted as the second temporary key Kamf-B, dispatched by the network slice management network element) and send it to AMF1.
For the sake of security isolation, the key derivation module in the newly added management module dispatches a pair of temporary, continuously updated keys instead of sending the Kamf of the existing AMF directly to the interface AMF of another AMF set. Because these keys are sent only to the two designated interface AMFs, the security and reliability of the security context transfer between the ring-connected interface AMFs are increased.
In this embodiment, after the relocation to AMF11, the current AMF11 transfers the security context to the interface AMF1 of the target set (third set). That is, the current AMF11 sends a Namf_Communication_N1MessageNotify message to the target AMF and, in this message, replaces the Kamf derived by AMF11 with the Kamf-A dispatched by the management module, so that the message contains the user's SUPI (permanent identifier), the MM (mobility management) context, SMF information, and keyAmfHDerivationInd (including the Kamf-A dispatched by the newly added management module). The terminal is thereby redirected from the currently connected interface AMF11 of the first set to the interface AMF1 of the target AMF set (third set).
And S43, receiving a second successful connection confirmation message of the interface AMF in the second AMF set, and determining that the terminal has successfully jumped to the interface AMF in the second AMF set, wherein the second successful connection confirmation message is a connection confirmation message generated after the interface AMF in the second AMF set deduces a second NAS key according to the third temporary key and establishes a new security context.
Through the above steps S41-S43, the terminal is enabled to jump from the interface AMF in the first AMF set to the interface AMF in the second AMF set.
In some embodiments, redirecting the terminal from the interface AMF in the second AMF set to the target AMF in step S230 may include the following steps.
S51, in response to the second successful connection confirmation message of the interface AMF in the second AMF set, sending a third redirection instruction to the interface AMF in the second AMF set, where the third redirection instruction includes: identification information of a target AMF in the second set of AMFs and a corresponding AMF routing address.
And the third redirection instruction is used for controlling the interface AMF in the second AMF set to redirect the terminal to the target AMF according to the identification information of the target AMF and the corresponding AMF routing address.
The third redirection instruction is further configured to control the interface AMF in the second AMF set to send a third security context message to the target AMF in a process of redirecting the terminal to the target AMF, where the third security context message includes a third key derivation instruction, and a temporary key in the third key derivation instruction is derived by the interface AMF in the second AMF set.
As an example, after receiving the N1MessageNotify message sent by AMF11, AMF1 combines the first temporary key Kamf-A (dispatched by the NSSF or by the newly added management module in the NSSF) and the second temporary key Kamf-B (dispatched by the NSSF or by the newly added management module in the NSSF) according to a certain algorithm to derive Kamf-C (denoted as the third temporary key), then derives the KNASint and KNASenc keys from Kamf-C and establishes a new NAS security context. The current AMF becomes AMF1, and AMF1 then sends a successful connection confirmation message to the newly added management module.
And S52, receiving a third successful connection confirmation message of the target AMF to determine that the terminal has successfully jumped to the target AMF, where the third successful connection confirmation message is a connection confirmation message generated after the target AMF derives the third NAS key from the temporary key in the third key derivation instruction, and establishes a new security context.
Illustratively, referring to fig. 3, in this step, after the network slice management network element (or the newly added management module in the network slice management network element) receives the confirmation message from the AMF1, the redirected instruction is continuously dispatched to the AMF1, and the redirected instruction may include the ID number of the target AMF (e.g., AMF9) and the AMF routing address.
Because the current AMF and the target AMF are in the same set, the network slice management network element (or a newly added management module in the network slice management network element) does not add data bits to dispatch a temporary key to the AMF. Therefore, the current AMF (AMF1) transfers the complete security context directly to the target AMF9. That is, AMF1 sends a Namf_Communication_N1MessageNotify message to AMF9, which contains the user's permanent identifier SUPI, the mobility management (MM) context, SMF information, and keyAmfHDerivationInd (including the Kamf dispatched by the current AMF1), and redirects the terminal from the currently connected interface AMF1 to the final target AMF9.
After the terminal completes the redirection to AMF9, AMF9 derives the KNASint and KNASenc keys from the Kamf dispatched by AMF1 and establishes a new NAS security context. The current AMF becomes AMF9, and AMF9 then sends a successful connection confirmation message to the network slice management network element (or to a newly added management module in the network slice management network element). When the network slice management network element (or the newly added management module in the network slice management network element) determines that AMF9 is the final target AMF of slice 2, the terminal redirection is complete, and the network slice management network element (or the newly added management module in the network slice management network element) fixes the termination point allocated by this redirection as AMF9. The terminal no longer needs to redirect to other AMFs.
Through the steps S51-S52, the terminal is redirected from the interface AMF in the second AMF set to the target AMF, and a redirection path for the terminal to be redirected to the target AMF is obtained.
In some embodiments, the load balancing value of the interface AMF in the first AMF set and the load balancing value of the interface AMF in the second AMF set are both less than or equal to a predetermined balanced load threshold; and if the load balance value of the interface AMF of any one of the first AMF set and the second AMF set is greater than a preset balanced load threshold value, obtaining the AMF with the load balance exceeding the standard in the first AMF set and the second AMF set.
In this embodiment, the redirection allocation method according to the embodiment of the present invention may further include: s61, selecting one AMF with the load balance value less than or equal to the preset balance load threshold value from the AMF set to which the AMF with the excessive load balance belongs as an auxiliary interface AMF, and using the auxiliary interface AMF as a new interface AMF in the AMF set to which the AMF with the excessive load balance belongs.
In this embodiment, a terminal cannot be redirected to an AMF whose load balancing value exceeds the standard. The load balancing value of an interface AMF is therefore required not to exceed the preset threshold, which keeps the interface AMF unobstructed and the number of users it carries within limits. For this reason, the number of AMFs in each set may be greater than or equal to 1: for example, when the load balancing value of the primary interface AMF exceeds the preset load balancing threshold, another AMF in the set is selected as the auxiliary interface AMF to meet the redirection requirements of AMFs in other sets, and the redirection allocation method of the embodiment of the present invention is performed.
According to the redirection allocation method provided by the embodiment of the invention, by setting the interface AMF for each AMF set, when the terminal performs multi-slice connection or slice service switching, the terminal can redirect to the interface AMF in the AMF set where the current AMF is located, which is marked as AMF1, then jump to the interface in the AMF set where the target AMF is located by AMF1, which is marked as AMF2, and then redirect to the target AMF by AMF 2. The scheme can realize the safety isolation of the slice AMF sets and can also realize the redirection among the high-isolation AMF sets.
In addition, in the process of transferring the security context between the interface AMFs of the two AMF sets, the network slice management network element (or a newly added management module in the network slice management network element) dispatches a pair of Kamf keys to the interface AMF of the current AMF set and the interface AMF of the target AMF set, instead of having the current AMF derive the key itself. This ensures that the NAS context and the user identity are not transmitted directly between the two different sets, while also preserving the service integrity of AMF redirection.
The following describes processing flow diagrams of different processing methods of a redirection path and a security context transfer flow in the redirection allocation method according to the embodiment of the present invention, with reference to fig. 4 and 5.
FIG. 4 shows a schematic diagram of the failure of redirection between existing high-isolation slices and between high-isolation AMF sets; fig. 5 shows a redirection path and a security context transfer flow diagram of the AMF in the embodiment of the present invention.
As shown in fig. 4, in the prior art, due to the requirement of security isolation between network slices, when a terminal device needs to connect two network slices AMF17 and AMF9 simultaneously, or wants to switch from one network slice AMF17 to another network slice AMF9, due to the difference of security isolation of network slice traffic, when the terminal desires to access two slice traffic with different isolation simultaneously, failure of AMF redirection may be caused, that is, it is impossible to quickly jump from the AMF corresponding to the current slice to the target AMF corresponding to the new slice.
As shown in fig. 5, according to the redirection allocation method of the embodiment of the present invention, the security context transmission process may specifically include the following steps.
S501, when the current AMF is the AMF17, the network slice management network element (or a newly added management module in the network slice management network element) controls the current AMF17 to send a full set of security context (a first security context message) to the interface AMF11 in the first AMF set in a process of redirecting the terminal to the interface AMF11 in the first AMF set, where the first security context message includes a first key derivation instruction, and a temporary key in the first key derivation instruction is derived from the current AMF 17.
In this step, the interface AMF11 in the first AMF set derives the first non-access stratum (NAS) key from the temporary key in the first key derivation instruction, establishes a new security context, and then generates and sends a connection confirmation message to the network slice management network element.
In this step, the network slice management network element (or a newly added management module in the network slice management network element) receives the first successful connection confirmation message of the interface AMF11 in the first AMF set, and determines that the terminal has successfully jumped to the interface AMF11 in the first AMF set, where the current AMF is AMF 11.
S502, the network slice management network element (or a newly added management module in the network slice management network element) determines that the current AMF11 is not in the same set as the target AMF9. It therefore generates a new temporary key as the first temporary key and sends it to the interface AMF11 in the first AMF set, and generates a new temporary key as the second temporary key and sends it to the interface AMF1 in the second AMF set.
In this step, the terminal identifier may be a Globally Unique Temporary terminal identifier (Globally Unique Temporary UE Identity, GUTI).
The current AMF11 passes the security context to the interface AMF1 and replaces the Kamf derived by the current AMF11 with the first temporary key, so that the terminal is redirected from the currently connected interface AMF11 of the first set to the interface AMF1 of the target AMF set (third set).
In this step, AMF1 receives the security context message sent by AMF11 and combines the first temporary key and the second temporary key according to a certain algorithm to derive a third temporary key, then derives the KNASint and KNASenc keys from the third temporary key and establishes a new NAS security context. The current AMF becomes AMF1, and AMF1 then sends a successful connection confirmation message to the network slice management network element (or to a newly added management module in the network slice management network element).
S503, AMF9 derives the KNASint and KNASenc keys from the Kamf dispatched by AMF1 and establishes a new NAS security context. The current AMF becomes AMF9, and AMF9 then sends a successful connection confirmation message to the newly added management module.
Through the steps S501-S503, redirection from the high-isolation slice AMF17 to the AMF9 is completed, so that the slice AMF set can be safely isolated, and redirection between the high-isolation AMF sets can be realized.
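The S501-S503 key handling and the auxiliary interface AMF rule of S61, modeled as an added Python example (not code from the patent). HMAC-SHA256 stands in for the unspecified merge algorithm and for the NAS key derivations, and SliceManager, the set names and AMF3 are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def kdf(key: bytes, label: bytes) -> bytes:
    # Stand-in KDF (assumption): the page only says "a certain algorithm".
    return hmac.new(key, label, hashlib.sha256).digest()


@dataclass
class Amf:
    name: str
    amf_set: str
    load: float = 0.0                 # load balancing value, 0..1 (constructed)
    kamf: bytes = b""
    dispatched: bytes = b""           # Kamf-B pushed by the management element
    received: list = field(default_factory=list)  # Kamf values seen in contexts
    k_nas_int: bytes = b""
    k_nas_enc: bytes = b""

    def accept_context(self, kamf_in_msg: bytes) -> bool:
        """Handle a security context message and return the connection ack."""
        self.received.append(kamf_in_msg)
        if self.dispatched:
            # Cross-set hop: merge Kamf-A (in message) with Kamf-B into Kamf-C.
            self.kamf = kdf(kamf_in_msg + self.dispatched, b"Kamf-C")
            self.dispatched = b""
        else:
            self.kamf = kamf_in_msg   # same-set hop: use the sender-derived Kamf
        self.k_nas_int = kdf(self.kamf, b"NAS-int")
        self.k_nas_enc = kdf(self.kamf, b"NAS-enc")
        return True


class SliceManager:
    """Hypothetical model of the network slice management network element."""

    def __init__(self, amfs, interfaces, load_threshold=0.8):
        self.amfs = {a.name: a for a in amfs}
        self.interfaces = interfaces          # AMF set -> primary interface AMF
        self.load_threshold = load_threshold
        self.last_pair = None                 # (Kamf-A, Kamf-B) of the last jump

    def interface_of(self, amf_set: str) -> Amf:
        """Primary interface AMF, or an auxiliary one when it is overloaded (S61)."""
        primary = self.amfs[self.interfaces[amf_set]]
        if primary.load <= self.load_threshold:
            return primary
        for amf in self.amfs.values():
            if amf.amf_set == amf_set and amf.load <= self.load_threshold:
                return amf
        raise RuntimeError(f"no AMF below the load threshold in {amf_set}")

    @staticmethod
    def _same_set_hop(src: Amf, dst: Amf) -> None:
        # Both AMFs share a set, so the sender derives the Kamf itself.
        if not dst.accept_context(kdf(src.kamf, b"Kamf-same-set")):
            raise RuntimeError(f"{dst.name} did not confirm the connection")

    def redirect(self, current: str, target: str) -> list:
        cur, tgt = self.amfs[current], self.amfs[target]
        path = [cur.name]
        if cur.amf_set != tgt.amf_set:
            if_src = self.interface_of(cur.amf_set)
            if_dst = self.interface_of(tgt.amf_set)
            if if_src is not cur:             # S31-S32: current AMF -> own interface
                self._same_set_hop(cur, if_src)
                path.append(if_src.name)
            # S41-S43: Kamf-A goes to the source interface AMF, which sends it in
            # place of its own Kamf; Kamf-B goes to the destination interface AMF.
            kamf_a, kamf_b = os.urandom(32), os.urandom(32)
            self.last_pair = (kamf_a, kamf_b)
            if_dst.dispatched = kamf_b
            if not if_dst.accept_context(kamf_a):
                raise RuntimeError(f"{if_dst.name} did not confirm the connection")
            path.append(if_dst.name)
            cur = if_dst
        if cur is not tgt:                    # S51-S52, or a plain same-set redirect
            self._same_set_hop(cur, tgt)
            path.append(tgt.name)
        return path


def build_demo() -> SliceManager:
    # Constructed topology: AMF17/AMF11/AMF1/AMF9 follow the fig. 3 walk-through,
    # AMF3 is a hypothetical spare AMF added to exercise the auxiliary interface.
    amfs = [Amf("AMF17", "set1", kamf=os.urandom(32)), Amf("AMF11", "set1"),
            Amf("AMF1", "set3"), Amf("AMF3", "set3"), Amf("AMF9", "set3")]
    return SliceManager(amfs, {"set1": "AMF11", "set3": "AMF1"})


def first_set_keys_leaked(mgr: SliceManager, src_set: str, dst_set: str) -> bool:
    """True if any Kamf held in src_set was carried in a message into dst_set."""
    held = {a.kamf for a in mgr.amfs.values() if a.amf_set == src_set and a.kamf}
    seen = {k for a in mgr.amfs.values() if a.amf_set == dst_set for k in a.received}
    return bool(held & seen)


if __name__ == "__main__":
    mgr = build_demo()
    print(" -> ".join(mgr.redirect("AMF17", "AMF9")))
    print("first-set Kamf leaked:", first_set_keys_leaked(mgr, "set1", "set3"))
```

The leak check is the property the scheme is meant to provide: no Kamf held inside the first set appears in any security context message received inside the target set.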
The following describes a redirection allocation device according to an embodiment of the present invention in detail with reference to the accompanying drawings.
Fig. 6 is a schematic structural diagram of a redirection allocation apparatus according to an embodiment of the present invention. As shown in fig. 6, the redirection allocation apparatus may include the following modules.
The information obtaining module 610 is configured to, in response to a redirection request of an access and mobility management function network element AMF currently connected to the terminal, obtain, from the redirection request, identification information of the current AMF and identification information of the target AMF.
The current AMF belongs to a preset first AMF set, the target AMF belongs to a preset second AMF set, and the first AMF set and the second AMF set are used for serving different types of network slices with security isolation degrees larger than a preset threshold value.
And a redirection processing module 620, configured to redirect the terminal from the current AMF to an interface AMF in the first AMF set, and jump the terminal from the interface AMF in the first AMF set to an interface AMF in the second AMF set.
The interface AMF in the first AMF set is used for being connected with other AMFs in the first AMF set, and the interface AMF in the second AMF set is used for being connected with other AMFs in the second AMF set;
the redirection processing module 620 is further configured to redirect the terminal from the interface AMF in the second AMF set to the target AMF, so as to obtain a redirection path where the terminal is redirected to the target AMF.
In some embodiments, the first and second sets of AMFs are any two of a plurality of sets of AMFs; the redirection allocation device further comprises: the AMF classification module is used for taking the network slice with the safety isolation degree larger than a preset threshold value as a high-isolation network slice before responding to the redirection request of the AMF currently connected with the terminal, and classifying the AMF serving the high-isolation network slice according to a preset classification rule to obtain a plurality of AMF sets of different classifications; the corresponding relation establishing module is used for establishing a corresponding relation between each AMF set in the multiple AMF sets and the identification information of one group of network slices in the preset multiple groups of network slices of different types so as to serve the group of network slices of different types through each AMF set; the interface AMF selecting module is used for selecting one interface AMF from each AMF set respectively, and the selected interface AMF is used for being connected with other AMFs in the AMF set to which the interface AMF belongs; and the interface AMF connection establishing module is used for connecting the selected interfaces AMF so that each AMF set establishes a connection relationship through the selected interfaces AMF.
In some embodiments, the redirection allocation device further comprises: a slice service request module, configured to, before responding to the redirection request of the access and mobility management function network element AMF currently connected to the terminal, respond to a slice service request of the terminal by acquiring the slice information of the requested connection reported by the terminal, and to receive the identification information of the current AMF reported by the terminal after the terminal has successfully connected to the current AMF corresponding to the current slice; and, in response to another slice service request of the terminal, to send to the current AMF the identification information of the target AMF corresponding to the other network slice to which the terminal requests connection; the identification information of the target AMF is used by the current AMF to judge whether the target AMF is in the same AMF set as the current AMF, and if so, the current AMF performs rerouting and redirects the terminal directly to the target AMF; and a redirection request receiving module, configured to receive the redirection request, where the redirection request is a request sent by the current AMF to the network element when the target AMF and the current AMF are not in the same AMF set, requesting redirection to the target AMF corresponding to the other network slice.
In some embodiments, redirection processing module 620 includes the following elements.
A first redirection instruction sending unit, configured to send a first redirection instruction to the current AMF, where the first redirection instruction includes the identification information of the interface AMF in the first AMF set and the corresponding AMF routing address.
The first redirection instruction is used for controlling the current AMF to redirect the terminal to the interface AMF in the first AMF set according to the identification information of the interface AMF in the first AMF set and the corresponding AMF routing address.
The first redirection instruction is further configured to control the current AMF to send a first security context message to the interface AMF in the first AMF set in the process of redirecting the terminal to the interface AMF in the first AMF set, where the first security context message includes a first key derivation instruction, and a temporary key in the first key derivation instruction is derived by the current AMF.
A first acknowledgement message receiving unit, configured to receive a first successful connection acknowledgement message of the interface AMF in the first AMF set, and determine that the terminal has successfully hopped to the interface AMF in the first AMF set, where the first successful connection acknowledgement message is a connection acknowledgement message generated after the interface AMF in the first AMF set derives a first non-access stratum (NAS) key from the temporary key in the first key derivation instruction and establishes a new security context.
In some embodiments, redirection processing module 620 includes the following elements.
A second redirection instruction sending unit, configured to send a second redirection instruction to the interface AMF in the first AMF set in response to a first successful connection acknowledgement message of the interface AMF in the first AMF set, where the second redirection instruction includes the identification information of the interface AMF in the second AMF set and the corresponding AMF routing address.
And the temporary key generation unit is used for generating a new temporary key as a first temporary key and sending the first temporary key to the interface AMF in the first AMF set, and generating a new temporary key as a second temporary key and sending the second temporary key to the interface AMF in the second AMF set.
And the second redirection instruction is used for controlling the interface AMF in the first AMF set and jumping the terminal to the interface AMF in the second AMF set according to the identification information of the interface AMF in the second AMF set and the corresponding AMF routing address.
The second redirection instruction is further configured to control an interface AMF in the first AMF set, and send a second security context message to the interface AMF in the second AMF set in the process of jumping the terminal to the interface AMF in the second AMF set, where the second security context message includes a second key derivation instruction, and a temporary key in the second key derivation instruction is updated to the first temporary key by the interface AMF in the first AMF set; the first temporary key and the second temporary key are used for merging in the interface AMF in the second AMF set and deriving a third temporary key corresponding to merged data.
And a second confirmation message receiving unit, configured to receive a second successful connection confirmation message of the interface AMF in the second AMF set, and determine that the terminal has successfully hopped to the interface AMF in the second AMF set, where the second successful connection confirmation message is a connection confirmation message generated after the interface AMF in the second AMF set derives a second NAS key according to the third temporary key and establishes a new security context.
In some embodiments, redirection processing module 620 includes the following elements.
A third redirection instruction sending unit, configured to send, in response to a second successful connection confirmation message of the interface AMF in the second AMF set, a third redirection instruction to the interface AMF in the second AMF set, where the third redirection instruction includes: identification information of a target AMF in the second set of AMFs and a corresponding AMF routing address.
And the third redirection instruction is used for controlling the interface AMF in the second AMF set to redirect the terminal to the target AMF according to the identification information of the target AMF and the corresponding AMF routing address.
The third redirection instruction is further configured to control the interface AMF in the second AMF set to send a third security context message to the target AMF in a process of redirecting the terminal to the target AMF, where the third security context message includes a third key derivation instruction, and a temporary key in the third key derivation instruction is derived by the interface AMF in the second AMF set.
And a third acknowledgement message receiving unit, configured to receive a third successful connection acknowledgement message of the target AMF to determine that the terminal has successfully jumped to the target AMF, where the third successful connection acknowledgement message is a connection acknowledgement message generated by the target AMF after deriving a third NAS key from a temporary key in the third key derivation instruction and establishing a new security context.
In some embodiments, the load balancing value of the interface AMF in the first AMF set and the load balancing value of the interface AMF in the second AMF set are both less than or equal to a predetermined balanced load threshold; and if the load balance value of the interface AMF of any one of the first AMF set and the second AMF set is greater than a preset balanced load threshold value, obtaining the AMF with the load balance exceeding the standard in the first AMF set and the second AMF set.
The redirection allocation device further comprises: and the interface AMF selection module is also used for selecting one AMF with the load balance value smaller than or equal to a preset balance load threshold value from the AMF set to which the AMF with the excessive load balance belongs as an auxiliary interface AMF, and the selected AMF is used as a new interface AMF in the AMF set to which the AMF with the excessive load balance belongs.
According to the redirection allocation device of the embodiment of the invention, by setting the interface AMF for each AMF set, when the terminal performs multi-slice connection or slice service switching, the terminal can redirect to the interface AMF in the AMF set where the current AMF is located, which is marked as AMF1, then jump to the interface in the AMF set where the target AMF is located by AMF1, which is marked as AMF2, and then redirect to the target AMF by AMF 2. The scheme can realize the safety isolation of the slice AMF sets and can also realize the redirection among the high-isolation AMF sets.
In addition, in the process of transferring the security context between the interface AMFs of the two AMF sets, the network slice management network element (or a newly added management module in the network slice management network element) dispatches a pair of Kamf keys to the interface AMF of the current AMF set and the interface AMF of the target AMF set, instead of having the current AMF derive the key itself. This ensures that the NAS context and the user identity are not transmitted directly between the two different sets, while also preserving the service integrity of AMF redirection.
Fig. 7 is a schematic structural diagram of a network system according to an embodiment of the present invention. As shown in fig. 7, the network system may include: a network slice management network element 710 and at least two access and mobility management function network element AMF sets, for example: AMF set 721, AMF set 722, and AMF set 723. In fig. 7, each AMF set includes an interface AMF, the interface AMF is connected to other AMFs in the AMF set, and the interfaces AMFs in each AMF set are connected in a ring.
By way of example, the AMF set 721 includes an interface AMF721-01, other AMFs such as: AMF721-02 and AMF 721-03; the AMF set 722 includes an interface AMF722-01, and other AMFs include, for example: AMF 721-02; the AMF set 723 includes an interface AMF723-01, and other AMFs such as: AMF723-02 and AMF 723-03; and, the interface AMF722-01 and the interface AMF723-01 are annularly connected.
It should be understood that the number of AMF sets and the number of AMFs included in the AMF sets are merely illustrative, and in an actual application scenario, the number may be flexibly adjusted according to the actual application requirement.
With continued reference to fig. 7, the network slice management network element 710 is configured to manage different types of network slices and at least two AMF sets, where different AMF sets may be used to serve different types of network slices, and is configured to perform any redirection allocation method according to a received redirection request of an access and mobility management function network element AMF to which the terminal is currently connected.
It is to be understood that the invention is not limited to the particular arrangements and instrumentality described in the above embodiments and shown in the drawings. For convenience and brevity of description, detailed description of a known method is omitted here, and for the specific working processes of the system, the module and the unit described above, reference may be made to corresponding processes in the foregoing method embodiments, which are not described herein again.
FIG. 8 is a block diagram illustrating an exemplary hardware architecture of a computing device capable of implementing the redirection allocation method and apparatus in accordance with embodiments of the present invention.
As shown in fig. 8, computing device 800 includes an input device 801, an input interface 802, a central processor 803, a memory 804, an output interface 805, and an output device 806. The input interface 802, the central processing unit 803, the memory 804, and the output interface 805 are connected to each other via a bus 810, and the input device 801 and the output device 806 are connected to the bus 810 via the input interface 802 and the output interface 805, respectively, and further connected to other components of the computing device 800.
Specifically, the input device 801 receives input information from the outside, and transmits the input information to the central processor 803 through the input interface 802; the central processor 803 processes input information based on computer-executable instructions stored in the memory 804 to generate output information, temporarily or permanently stores the output information in the memory 804, and then transmits the output information to the output device 806 via the output interface 805; output device 806 outputs output information external to computing device 800 for use by a user.
In one embodiment, computing device 800 shown in FIG. 8 may be implemented as a redirection allocation processing system that may include: a memory configured to store a program; a processor configured to execute the program stored in the memory to perform the redirection allocation processing method described in the above embodiments.
According to an embodiment of the invention, the process described above with reference to the flow chart may be implemented as a computer software program. For example, embodiments of the invention include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network, and/or installed from a removable storage medium.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions which, when run on a computer, cause the computer to perform the methods described in the various embodiments above. The procedures or functions according to the embodiments of the invention are brought about in whole or in part when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk), among others.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. A redirection allocation method is applied to a network slice management network element, and the method comprises the following steps:
responding to a redirection request of an access and mobility management function network element AMF currently connected with a terminal, and acquiring identification information of the current AMF and identification information of a target AMF from the redirection request;
the current AMF belongs to a preset first AMF set, the target AMF belongs to a preset second AMF set, and the first AMF set and the second AMF set are used for serving different types of network slices with security isolation degrees larger than a preset threshold value;
redirecting the terminal from the current AMF to an interface AMF in the first AMF set, and jumping the terminal from the interface AMF in the first AMF set to an interface AMF in the second AMF set;
wherein the interface AMF in the first AMF set is used for connecting with other AMFs in the first AMF set, and the interface AMF in the second AMF set is used for connecting with other AMFs in the second AMF set;
and redirecting the terminal from the interface AMF in the second AMF set to the target AMF to obtain a redirection path of the terminal redirected to the target AMF.
2. The method of claim 1, wherein the first AMF set and the second AMF set are any two of a plurality of AMF sets; before responding to the redirection request of the AMF to which the terminal is currently connected, the method further comprises the following steps:
taking the network slices with the safety isolation degree larger than a preset threshold value as high-isolation network slices, and classifying the AMF serving the high-isolation network slices according to a preset classification rule to obtain a plurality of AMF sets with different classifications;
establishing a corresponding relation between each AMF set in the plurality of AMF sets and identification information of one group of preset network slices in a plurality of groups of different types of network slices so as to serve the group of different types of network slices through each AMF set;
respectively selecting an interface AMF from each AMF set, wherein the selected interface AMF is used for being connected with other AMFs in the AMF set;
and connecting the selected interfaces AMF, so that each AMF set establishes a connection relationship through the selected interfaces AMF.
3. The method according to claim 1, characterized in that before responding to the request for redirection of the access and mobility management function network element AMF to which the terminal is currently connected, the method further comprises:
responding to a slice service request of the terminal, acquiring information, reported by the terminal, on the slice to which it requests connection, and receiving identification information of a current AMF reported by the terminal after the terminal is successfully connected with the current AMF corresponding to the current slice;
responding to another slice service request of the terminal, and sending, to the current AMF, the identification information of a target AMF corresponding to another network slice to which the terminal requests to connect; the identification information of the target AMF is used by the current AMF to judge whether the target AMF is in the same AMF set as the current AMF, and if it is in the same AMF set, the current AMF, after rerouting, directly redirects the terminal to the target AMF;
and receiving the redirection request, wherein the redirection request is a request sent by the current AMF to the local network element for requesting redirection to a target AMF corresponding to another network slice under the condition that the current AMF is judged not to be in the same AMF set as the target AMF.
4. The method according to claim 1, wherein said redirecting the terminal from the current AMF to an interface AMF in the first set of AMFs comprises:
sending a first redirection instruction to the current AMF, wherein the first redirection instruction comprises: identification information of an interface AMF in the first AMF set and a corresponding AMF routing address; wherein
the first redirection instruction is used for controlling the current AMF to redirect the terminal to the interface AMF in the first AMF set according to the identification information of the interface AMF in the first AMF set and the corresponding AMF routing address;
the first redirection instruction is further configured to control the current AMF to send a first security context message to an interface AMF in the first AMF set in a process of redirecting the terminal to the interface AMF in the first AMF set, where the first security context message includes a first key derivation instruction, and a temporary key in the first key derivation instruction is derived by the current AMF;
and receiving a first successful connection confirmation message of the interface AMF in the first AMF set, and determining that the terminal successfully jumps to the interface AMF in the first AMF set, wherein the first successful connection confirmation message is a connection confirmation message generated after the interface AMF in the first AMF set derives a first non-access stratum (NAS) key from a temporary key in the first key derivation instruction and establishes a new security context.
5. The method according to claim 1, wherein said jumping the terminal from the interface AMF in the first AMF set to the interface AMF in the second AMF set comprises:
responding to a first successful connection confirmation message of an interface AMF in the first AMF set, and sending a second redirection instruction to the interface AMF in the first AMF set, wherein the second redirection instruction comprises: identification information of an interface AMF in the second AMF set and a corresponding AMF routing address;
generating a new temporary key as a first temporary key, sending the first temporary key to an interface AMF in the first AMF set, and generating a new temporary key as a second temporary key, sending the second temporary key to an interface AMF in the second AMF set;
the second redirection instruction is used for controlling an interface AMF in the first AMF set, and according to the identification information of the interface AMF in the second AMF set and a corresponding AMF routing address, the terminal is switched to the interface AMF in the second AMF set;
the second redirection instruction is further configured to control an interface AMF in the first AMF set, and send a second security context message to the interface AMF in the second AMF set in a process of jumping the terminal to the interface AMF in the second AMF set, where the second security context message includes a second key derivation instruction, and a temporary key in the second key derivation instruction is updated to the first temporary key by the interface AMF in the first AMF set;
the first temporary key and the second temporary key are used for merging and deriving a third temporary key corresponding to merged data in an interface AMF in the second AMF set;
and receiving a second successful connection confirmation message of the interface AMF in the second AMF set, and determining that the terminal has successfully jumped to the interface AMF in the second AMF set, wherein the second successful connection confirmation message is a connection confirmation message generated after the interface AMF in the second AMF set deduces a second NAS key according to the third temporary key and establishes a new security context.
6. The method according to claim 1, wherein said redirecting the terminal from the interface AMF in the second AMF set to the target AMF comprises:
in response to a second successful connection acknowledgement message of an interface AMF in the second AMF set, sending a third redirection instruction to the interface AMF in the second AMF set, where the third redirection instruction includes: identification information of a target AMF in the second AMF set and a corresponding AMF routing address;
the third redirection instruction is used for controlling an interface AMF in the second AMF set to redirect the terminal to the target AMF according to the identification information of the target AMF and the corresponding AMF routing address;
the third redirection instruction is further configured to control an interface AMF in a second AMF set to send a third security context message to the target AMF in a process of redirecting the terminal to the target AMF, where the third security context message includes a third key derivation instruction, and a temporary key in the third key derivation instruction is derived by the interface AMF in the second AMF set;
and receiving a third successful connection confirmation message of the target AMF to determine that the terminal has successfully jumped to the target AMF, wherein the third successful connection confirmation message is a connection confirmation message generated by the target AMF after deriving a third NAS key and establishing a new security context from a temporary key in the third key derivation instruction.
7. The method of claim 1,
the load balance value of the interface AMF in the first AMF set and the load balance value of the interface AMF in the second AMF set are both smaller than or equal to a preset balance load threshold value;
if the load balancing value of the interface AMF of any one of the first AMF set and the second AMF set is greater than the predetermined balanced load threshold, obtaining an AMF with a load balancing exceeding the standard in the first AMF set and the second AMF set, and the method further comprises:
and selecting one AMF with the load balancing value smaller than or equal to a preset balancing load threshold value from the AMF set to which the AMF with the excessive load balancing value belongs as an auxiliary interface AMF, and using the selected AMF as a new interface AMF in the AMF set to which the AMF with the excessive load balancing value belongs.
8. A redirect allocation apparatus, comprising:
the information acquisition module is used for responding to a redirection request of an access and mobility management function network element AMF currently connected with a terminal, and acquiring the identification information of the current AMF and the identification information of a target AMF from the redirection request;
the current AMF belongs to a preset first AMF set, the target AMF belongs to a preset second AMF set, and the first AMF set and the second AMF set are used for serving different types of network slices with security isolation degrees larger than a preset threshold value;
a redirection processing module, configured to redirect the terminal from a current AMF to an interface AMF in the first AMF set, and jump the terminal from the interface AMF in the first AMF set to an interface AMF in the second AMF set;
wherein the interface AMF in the first AMF set is used for connecting with other AMFs in the first AMF set, and the interface AMF in the second AMF set is used for connecting with other AMFs in the second AMF set;
the redirection processing module is further configured to redirect the terminal from the interface AMF in the second AMF set to the target AMF, so as to obtain a redirection path where the terminal is redirected to the target AMF.
9. A network system, characterized by comprising a network slice management network element and at least two access and mobility management function network element AMF sets; wherein
each AMF set comprises an interface AMF, the interface AMF is connected with other AMFs in the AMF set, and the interface AMFs of the AMF sets are connected in a ring shape; and wherein
the network slice management network element, configured to manage different types of network slices and the at least two AMF sets, where different AMF sets are configured to serve different types of network slices, and configured to perform the method according to a received redirection request of an access and mobility management function network element AMF to which a terminal is currently connected.
10. A redirection allocation processing system, comprising:
one or more processors;
memory having one or more programs stored thereon that, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-7.
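The path selection of claims 1, 3 and 7 and the per-hop key handling of claims 4 to 6 can be sketched as follows. This is an added illustration, not code from the patent: the HMAC-SHA256 key derivation function and its labels, the AMF identifiers, the load values, the 0.8 threshold, the lowest-load choice of replacement interface AMF, and the inputs to the hop-1 and hop-3 temporary keys are all assumptions, since the claims do not specify them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def kdf(key: bytes, label: str) -> bytes:
    """Stand-in KDF (HMAC-SHA256); assumption, the claims name no algorithm."""
    return hmac.new(key, label.encode(), hashlib.sha256).digest()


@dataclass
class AmfSet:
    name: str
    members: dict     # AMF id -> load balance value (constructed sample data)
    interface: str    # id of the set's interface AMF

    def pick_interface(self, threshold: float) -> str:
        """Claim 7: swap out an interface AMF whose load exceeds the threshold."""
        if self.members[self.interface] > threshold:
            ok = {a: v for a, v in self.members.items() if v <= threshold}
            if not ok:
                raise RuntimeError(f"no AMF in {self.name} is under the threshold")
            self.interface = min(ok, key=ok.get)  # assumption: lowest load wins
        return self.interface


def plan_redirect(current, target, first, second, threshold=0.8):
    """Return the redirection path as a list of AMF ids."""
    if current not in first.members:
        raise ValueError("current AMF is not in the first AMF set")
    if target in first.members:       # claim 3: same set, direct redirect
        return [current, target]
    if target not in second.members:
        raise ValueError("target AMF is not in the second AMF set")
    # claim 1: current -> interface AMF (set 1) -> interface AMF (set 2) -> target
    return [current, first.pick_interface(threshold),
            second.pick_interface(threshold), target]


def derive_hop_keys(k_current: bytes, rng=secrets.token_bytes) -> dict:
    """Temporary and NAS keys along the three hops of the path."""
    # Claim 4: the current AMF derives the temporary key for interface AMF 1.
    nas1 = kdf(kdf(k_current, "temp"), "nas")
    # Claim 5: the management element generates two fresh temporary keys;
    # interface AMF 2 merges them into a third temporary key.
    t_first, t_second = rng(32), rng(32)
    t_third = kdf(t_first + t_second, "merge")
    nas2 = kdf(t_third, "nas")
    # Claim 6: interface AMF 2 derives the temporary key given to the target.
    nas3 = kdf(kdf(t_third, "temp"), "nas")
    return {"nas1": nas1, "nas2": nas2, "nas3": nas3}


def demo():
    """Constructed example: set-A's interface AMF is overloaded and replaced."""
    a = AmfSet("set-A", {"amf-a1": 0.5, "amf-a2": 0.95, "amf-a3": 0.4}, "amf-a2")
    b = AmfSet("set-B", {"amf-b1": 0.2, "amf-b2": 0.6}, "amf-b1")
    return plan_redirect("amf-a1", "amf-b2", a, b)
```

In this model the keys used after the set boundary (`nas2`, `nas3`) depend only on the two fresh temporary keys, so key material held by AMFs of the first set before the jump does not determine the security context established in the second set.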
CN202110515971.XA 2021-05-12 2021-05-12 Redirection allocation method, device and system Active CN113194518B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110515971.XA CN113194518B (en) 2021-05-12 2021-05-12 Redirection allocation method, device and system

Publications (2)

Publication Number Publication Date
CN113194518A CN113194518A (en) 2021-07-30
CN113194518B true CN113194518B (en) 2022-04-26

Family

ID=76981586

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110515971.XA Active CN113194518B (en) 2021-05-12 2021-05-12 Redirection allocation method, device and system

Country Status (1)

Country Link
CN (1) CN113194518B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113950141B (en) * 2021-11-30 2023-05-26 新华三技术有限公司 Terminal User Equipment (UE) registration method, device and equipment
CN115484584B (en) * 2022-09-15 2023-06-06 广州爱浦路网络技术有限公司 Terminal positioning method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109429295A (en) * 2017-08-31 2019-03-05 中兴通讯股份有限公司 A kind of method, AMF, system and storage medium selecting AMF
WO2019064542A1 (en) * 2017-09-29 2019-04-04 富士通株式会社 Communication system, base station device, terminal device, and communication method
CN112235798A (en) * 2020-10-13 2021-01-15 中国联合网络通信集团有限公司 Method, terminal and newly added network element for redirecting to AMF in idle state
CN112512100A (en) * 2020-12-10 2021-03-16 中国联合网络通信集团有限公司 Slice priority-based AMF redirection method and newly-added management network element

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"AMF redirection in case of slice isolation"; Nokia et al.; 《SA WG2 Meeting #135 S2-1909570》; 20191018; full text *

Also Published As

Publication number Publication date
CN113194518A (en) 2021-07-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant