CN113676995A - Terminal call processing method and device, terminal equipment and network equipment - Google Patents

Publication number
CN113676995A
Authority
CN
China
Prior art keywords
secure channel
context
information
network function
network
Legal status
Pending
Application number
CN202010408799.3A
Other languages
Chinese (zh)
Inventor
谢振华
柯小婉
Current Assignee
Vivo Mobile Communication Co Ltd
Original Assignee
Vivo Mobile Communication Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W68/00 User notification, e.g. alerting and paging, for incoming communication, change of service or the like
    • H04W68/02 Arrangements for increasing efficiency of notification or paging channel
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/10 Connection setup
    • H04W76/19 Connection re-establishment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/30 Connection release
    • H04W76/32 Release of transport tunnels

Abstract

The application discloses a terminating call processing method and device, terminal equipment and network equipment, and belongs to the field of communication. The terminating call processing method comprises the following steps: when a first secure channel with a first network function is released, reserving the context of the first secure channel; in the case of receiving a first object from a first network sent via the first network function, processing the first object according to the context of the first secure channel; wherein the first object comprises a message or data. According to the embodiments of the application, network terminating calls can be achieved while communication efficiency is improved.

Description

Terminal call processing method and device, terminal equipment and network equipment
Technical Field
The present application relates to the field of communications, and in particular, to a method and an apparatus for processing a terminating call, a terminal device, and a network device.
Background
At present, when a User Equipment (UE, which may also be referred to as a terminal device or a user terminal device) needs to access a service of a Public Land Mobile Network (PLMN) after accessing a Standalone Non-Public Network (SNPN), a User Plane Function (UPF) of the SNPN needs to be connected with a Non-3GPP Interworking Function (N3IWF) of the PLMN, as shown in fig. 1, so as to access the PLMN; and vice versa.
However, in the process of implementing the present application, the inventors found that at least the following problems exist in the prior art: when the UE accesses the SNPN network, the PLMN network cannot terminate the UE, and vice versa.
Disclosure of Invention
An object of the embodiments of the present application is to provide a terminating processing method and apparatus, a terminal device, and a network device, so as to solve a problem that when a UE accesses one of two networks, the other of the two networks cannot terminate the UE, thereby reducing system communication efficiency.
In a first aspect, an embodiment of the present application provides a terminating processing method, which is applied to a user terminal device, and the method includes:
when a first secure channel between the first network function and the second network function is released, reserving the context of the first secure channel; in the case of receiving a first object from a first network sent via the first network function, processing the first object according to the context of the first secure channel; wherein the first object comprises a message or data.
In a second aspect, an embodiment of the present application provides a terminating processing apparatus, where the terminating processing apparatus is in a user terminal device, and includes:
the storage module is used for reserving the context of a first secure channel between the storage module and a first network function when the first secure channel is released; a first processing module, configured to, in a case that a first object sent via the first network function is received, process the first object according to a context of the first secure channel; wherein the first object comprises a message or data.
In a third aspect, an embodiment of the present application provides a terminal device, including: a memory, a processor and a program or instructions stored on the memory and executable on the processor, which when executed by the processor, implement the steps of the method according to the first aspect.
In a fourth aspect, embodiments of the present application provide a readable storage medium, on which a program or instructions are stored, which when executed by a processor implement the steps of the method according to the first aspect.
In a fifth aspect, an embodiment of the present application provides a terminating processing method, where the method includes:
when a first secure channel between a first network function and user terminal equipment is released, reserving the context of the first secure channel, or sending the context of the first secure channel to a second network function; and under the condition that a third object from a first network is received, processing the third object according to the context of a second secure channel corresponding to the third object, wherein the third object comprises information or data, and the context of the second secure channel is the context of the first secure channel or the context of one secure channel received from the second network function.
In a sixth aspect, an embodiment of the present application provides a terminating processing apparatus, where the terminating processing apparatus is in a first network device, and includes:
a first processing module, configured to, when a first secure channel between a first network function and a user terminal device is released, reserve a context of the first secure channel, or send the context of the first secure channel to a second network function; a second processing module, configured to, when a third object from a first network is received, process the third object according to a context of a second secure channel corresponding to the third object, where the third object includes a message or data, and the context of the second secure channel is the context of the first secure channel or the context of one secure channel received from the second network function.
In a seventh aspect, an embodiment of the present application provides a network device, including: a memory, a processor and a program or instructions stored on the memory and executable on the processor, which when executed by the processor, implement the steps of the method according to the fifth aspect.
In an eighth aspect, the present application provides a readable storage medium, on which a program or instructions are stored, and when executed by a processor, the program or instructions implement the steps of the method according to the fifth aspect.
In a ninth aspect, an embodiment of the present application provides a terminating processing method, where the method includes:
sending a second message to a user terminal device, wherein the second message carries second indication information, and the second indication information is used for indicating the user terminal device to reserve the context of a first security channel between the user terminal device and a first network function after the first security channel is released; or sending release auxiliary information to the first network function, where the release auxiliary information is used to indicate that the context of the first secure channel between the first network function and the user terminal device is reserved, or the release auxiliary information is used to indicate that the context of the first secure channel between the first network function and the user terminal device is sent to the second network function.
In a tenth aspect, an embodiment of the present application provides a terminating processing apparatus, where the terminating processing apparatus is in a second network device, and includes: a sending module; wherein the sending module is configured to: sending a second message to a user terminal device, wherein the second message carries second indication information, and the second indication information is used for indicating the user terminal device to reserve the context of a first security channel between the user terminal device and a first network function after the first security channel is released; or sending release auxiliary information to the first network function, where the release auxiliary information is used to indicate that the context of the first secure channel between the first network function and the user terminal device is reserved, or the release auxiliary information is used to indicate that the context of the first secure channel between the first network function and the user terminal device is sent to the second network function.
In an eleventh aspect, an embodiment of the present application provides a network device, including: a memory, a processor and a program or instructions stored on the memory and executable on the processor, which when executed by the processor, implement the steps of the method according to the ninth aspect.
In a twelfth aspect, the present application provides a readable storage medium, on which a program or instructions are stored, and when the program or instructions are executed by a processor, the program or instructions implement the steps of the method according to the fifth aspect.
In the embodiment of the application, the user terminal equipment can support to reserve the context of the first secure channel when the first secure channel between the user terminal equipment and the first network function is released; further, after the first secure channel is released, and the first object (i.e. the terminating message or the terminating data) sent by the first network function is received, the processing of the first object can still be completed according to the context of the first secure channel. Therefore, by reserving the context of the first secure channel released between the user terminal device and the first network function and continuing to adopt the reserved context of the first secure channel to accurately process the subsequent object sent by the first network function after the first secure channel is released, not only can the network terminating call be ensured to be realized, but also the communication efficiency of the system can be improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic diagram of a system for accessing SNPN to a PLMN by a UE in the present application;
fig. 2 is a schematic flow chart of a terminating call processing method in an embodiment of the present application;
fig. 3 is a schematic diagram of a terminating process of accessing SNPN to a PLMN by a UE in an embodiment of the present application;
fig. 4 is a schematic diagram of a terminating process of a second UE accessing an SNPN access PLMN according to an embodiment of the present application;
fig. 5 is a schematic diagram of a terminating process of a third UE accessing an SNPN visited PLMN in the embodiment of the present application;
fig. 6 is a schematic flow chart of a second call termination processing method according to an embodiment of the present application;
fig. 7 is a schematic flowchart of a third terminating processing method in the embodiment of the present application;
fig. 8 is a schematic structural diagram of a terminating processing apparatus in an embodiment of the present application;
fig. 9 is a schematic structural diagram of a second call termination processing apparatus according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a third call processing apparatus according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of a terminal device in an embodiment of the present application;
fig. 12 is a schematic structural diagram of a network device in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms first, second and the like in the description and in the claims of the present application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application are capable of operation in sequences other than those illustrated or described herein. In addition, "and/or" in the specification and claims means at least one of connected objects, a character "/" generally means that a preceding and succeeding related objects are in an "or" relationship.
The technical solution of the application can be applied to various communication systems, such as: Global System for Mobile Communications (GSM), Code Division Multiple Access (CDMA) systems, Wideband Code Division Multiple Access (WCDMA), General Packet Radio Service (GPRS), Long Term Evolution (LTE)/LTE-Advanced (LTE-A), NR, and the like.
A User Equipment (UE), which may also be referred to as a mobile terminal, mobile user equipment, user terminal device, etc., may communicate with one or more core networks via a Radio Access Network (RAN). The UE may be a terminal device such as a mobile phone (or "cellular" phone) or a computer with a terminal device, for example a portable, pocket, hand-held, computer-included or vehicle-mounted mobile device, which exchanges voice and/or data with the RAN.
The network device, which may also be referred to as a Base Station, may be a Base Transceiver Station (BTS) in GSM or CDMA, a Base Station (NodeB) in WCDMA, an evolved Node B (eNB or e-NodeB) in LTE, and a 5G Base Station (gNB).
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Referring to fig. 2, an embodiment of the present application provides a terminating processing method, which may optionally be executed by a user terminal device. Specifically, the method may comprise the following process steps:
step 101: when a first secure channel with a first network function is released, the context of the first secure channel is preserved.
Optionally, the release of the first secure channel between the user terminal device and the first network function may be an active release or a passive release; the release may be carried out through message interaction or may simply result from signal loss; and so on. This is not particularly limited herein.
Optionally, the context of the first secure channel includes: at least one of first security information and first Internet Protocol (IP) information.
Further optionally, in a case that the context of the first secure channel includes the first security information, the first security information includes at least one of: an encryption key, an integrity protection key, a security calculation parameter, an encryption activation indication, an integrity protection activation indication and a security algorithm. In this way, security during the transmission of messages or data can be ensured by means of the security information.
Optionally, in the call termination processing method according to the embodiment of the present application, in a case that the context of the first secure channel includes the first secure information, the step 103 may be executed as follows:
performing at least one of decryption and integrity checking on the first object based on the first security information.
It is understood that at least one of accurate decryption and integrity checking of the first object can be achieved through the first security information, which ensures the security and integrity of the message or data received by the user terminal device. It can be seen that the first object is the result of at least encryption and/or integrity protection processing performed, before being sent via the first network function, on an object that needs to be sent to the user terminal device.
Further optionally, when the context of the first secure tunnel includes the first IP information, the first IP information includes: a first IP address or a first IP port number. The first IP address or the first IP port number may be understood as a target IP address or a target IP port number corresponding to the receiving end of the first object sent by the first network function, or may also be understood as an opposite IP address or an opposite IP port number of the sending end sending the first object.
Optionally, in the terminating processing method in this embodiment of the present application, when the context of the first secure tunnel includes the first IP information, before the step 103, the terminating processing method may further execute the following steps:
determining that the source IP information corresponding to the first object matches the first IP information.
It will be appreciated that in order to achieve a correct parsing or understanding of a first object received from a first network function, the first object needs to be processed using the context of the first secure channel matching the first object. Then, in particular, the adaptation between the first object and the context of the corresponding secure channel may be implemented with the source IP information corresponding to the first object and the first IP information contained in the context of the currently reserved first secure channel.
As can be seen from the above, in the embodiment of the present application, the user terminal device may support to reserve the context of the first secure channel when the first secure channel between the user terminal device and the first network function is released; further, after the first secure channel is released, and the first object (i.e. the terminating message or the terminating data) sent by the first network function is received, the processing of the first object can still be completed according to the context of the first secure channel. Therefore, by reserving the context of the first secure channel released between the user terminal device and the first network function and continuing to adopt the reserved context of the first secure channel to accurately process the subsequent object sent by the first network function after the first secure channel is released, not only can the network terminating call be ensured to be realized, but also the communication efficiency of the system can be improved.
Optionally, in an example of the terminal call processing method according to the embodiment of the present application, before the first secure tunnel between the user terminal device and the first network function is released, the user terminal device may send a first message to the first network, for example, send a Registration Request (Registration Request) message, to notify that it supports actively reserving a context of the first secure tunnel after the first secure tunnel is released, so as to implement a network terminal call. That is, before the secure channel is released, the method may further include:
sending a first message to the first network through the first secure channel; wherein the first message carries first indication information, and the first indication information is used for indicating that the user terminal device supports reserving the context of the first secure channel after the first secure channel is released.
The first network function corresponds to a first network.
In some examples, as shown in step 2 in fig. 3, 4 and 5, the registration request message (i.e., the first message) may reach the AMF (i.e., the second network function) of the PLMN through the base station and the UPF in the SNPN and the N3IWF of the PLMN, and the first indication information may be carried in the message to indicate that the UE supports reserving the context of the secure channel used to interact with the N3IWF.
Optionally, in another example of the terminating call processing method according to the embodiment of the present application, before the first secure channel between the user terminal device and the first network function is released, the user terminal device may receive a second message sent by the first network, for example a Registration Accept message, and learn from the indication it carries that it needs to reserve the context of the first secure channel after the first secure channel is released, so as to implement the network terminating call. That is, before the secure channel is released, the method may further include:
receiving a second message from the first network through the first secure channel; wherein the second message carries second indication information, and the second indication information is used for indicating that the user terminal device reserves the context of the first secure channel after the secure channel is released.
In some of the above examples, as shown in steps 4 and 5 in fig. 3 to 5, the AMF of the PLMN network further sends a registration accept message to the UE through the N3IWF of the PLMN network, where the registration accept message may carry second indication information for indicating that the UE is to reserve the context of the secure channel used to interact with the N3IWF. The N3IWF of the PLMN network then forwards the registration accept message to the UE through the UPF and the base station of the SNPN network.
Further optionally, the second indication information includes one or more IP addresses, and the context of the first secure channel includes one or more IP addresses in the second indication information. Therefore, the user terminal equipment can reserve the context of the secure channel required by the network terminating call according to the second indication information.
Optionally, in the call termination processing method according to the embodiment of the application, the first secure channel with the first network function may be established in a second network after the user terminal device accesses the second network. Then, the step of receiving the first object transmitted via the first network function may be specifically performed as follows:
establishing or activating a Protocol Data Unit (PDU) session connection with the second network in case of receiving a third message from the second network; receiving the first object sent via the first network function over the PDU session connection. That is, the reception of the first object transmitted by the first network function may be achieved via the established PDU session with the second network; wherein the third message may comprise a paging message or the like.
In some examples, as shown in fig. 3, fig. 4 and fig. 5, the user terminal device UE accesses the SNPN network (i.e. the second network), and then, in the SNPN network, establishes a secure channel with the N3IWF (the first network function) of the PLMN (i.e. the first network); the roles of the two networks may also be interchanged. As shown in step 1 in each figure, the UE may establish a PDU session in the SNPN network, and may establish a secure channel with the N3IWF of the PLMN through the UPF corresponding to the PDU session, where the secure channel may be an IPsec channel.
Further, as shown in step 19 in fig. 3 and 5 and step 15 in fig. 4, after the UE establishes the user plane resources of the session in the SNPN network, the UPF of the SNPN network forwards the received data from the N3IWF of the PLMN network to the UE.
Optionally, in the call termination processing method according to the embodiment of the present application, the following may be further included:
receiving a fourth message from the first network forwarded via the first network function, activating a PDU session connection with the first network.
It will be appreciated that to ensure successful transmission of the first object which needs to be sent to the user terminal via the first network function, a PDU session connection between the user terminal and the first network may be activated in response to a trigger of the first network function.
In some of the above examples, as shown in step 6 in fig. 3 to 5, when the UE releases the secure channel with the N3IWF of the PLMN at a certain time, the UE may also release the session user plane resources used to carry the interaction with the PLMN. In that case, the PDU session connection with the PLMN network is activated upon reception of the above fourth message.
Further, in some examples above, the following in fig. 3 to 5 may also be included:
The UPF of the SNPN network receives data targeting the IP address of the UE and sends a data arrival notification to the SMF of the SNPN network. The SMF of the SNPN network requests the AMF to send a terminating message, for example by invoking the Namf_Communication_N1N2MessageTransfer operation, carrying an N1 message. The AMF of the SNPN network pages the UE. The UE initiates a procedure for entering the connected state in the SNPN network, such as a Service Request procedure or a Registration Request procedure. See steps 15-18 in figs. 3 and 5 and steps 11-14 in fig. 4.
Optionally, in the call termination processing method according to the embodiment of the present application, one of the following contents may be further included:
(1) activating the first secure channel.
(2) Updating the first secure channel.
Optionally, after the duration of the first secure channel reaches or exceeds a preset effective duration, the first secure channel is updated.
(3) A new secure channel is established.
Optionally, after the duration of the first secure channel reaches or exceeds a preset effective duration, the new secure channel is established. In some of the examples described above, after step 19 as in fig. 3 and 5, the UE may update the secure tunnel, such as initiating a new secure tunnel establishment procedure and releasing the old secure tunnel. And as after step 15 in fig. 4, the UE may interact with the N3IWF of the PLMN to update the secure tunnel.
It should be noted that the preset time period is a settable parameter, and may be, for example, periodically valid or permanently valid.
Further optionally, in the call termination processing method according to the embodiment of the present application, the following may be further included:
sending a second object to the first network through the activated first secure channel, the updated first secure channel or the new secure channel, wherein the second object comprises a message or data.
In some of the above examples, as shown in step 20 in fig. 3 and 5, and step 15 in fig. 4, the UE receives data and processes the data using the context of the reserved secure channel, for example by performing operations such as a security check and decryption; the UE learns that a terminating message from the PLMN network is encapsulated in the data, and then initiates a procedure for entering the connected state, such as a Service Request procedure or a Registration Request procedure, towards the AMF of the PLMN network through the base station and the UPF of the SNPN network and the N3IWF of the PLMN network. The terminating message may be an N1 message, and the N1 message may be carried in an invocation of the Namf_Communication_N1N2MessageTransfer operation.
Referring to fig. 6, an embodiment of the present application provides a terminating processing method, which may include the following steps:
step 201: when the first secure channel between the first network function and the user terminal equipment is released, the context of the first secure channel is reserved, or the context of the first secure channel is sent to the second network function.
In some examples, as shown in fig. 3, 4 and 5, the first network is a PLMN, the first network function is an N3IWF in the PLMN, and the second network function is an AMF in the PLMN. Specifically, as shown in steps 8-10 in FIGS. 3 and 4, the N3IWF of the PLMN network reserves the user context for this secure channel. The N3IWF of the PLMN network informs the AMF to release the user plane resources for the user with the UPF of the PLMN. The AMF of the PLMN network triggers the SMF to perform the resource release procedure.
Specifically, as shown in steps 8-10 in fig. 5, the N3IWF of the PLMN network notifies the AMF to release the user plane resources for the user with the UPF of the PLMN, and the N3IWF also sends the user context of the secure channel to the AMF. The AMF of the PLMN network triggers the SMF to perform the resource release procedure. The AMF of the PLMN network retains the received user context.
Step 203: and under the condition that a third object from a first network is received, processing the third object according to the context of a second secure channel corresponding to the third object, wherein the third object comprises information or data, and the context of the second secure channel is the context of the first secure channel or the context of one secure channel received from the second network function.
In this embodiment, when the first secure channel between the first network function and any user terminal device is released, the context of the first secure channel may be supported to be reserved, or the context of the first secure channel may be sent to the second network function for reservation. Further, after the established secure channel is released, and when a third object (i.e., a terminating message or terminating data) from the first network and needing to be sent to any user terminal device is received, the third object may be processed into an object that needs to be sent finally according to a context of a second secure channel corresponding to the third object that is already reserved, where the second secure channel is the secure channel established between the user terminal device corresponding to the third object and the first network function, and the context of the second secure channel may be a context of a first secure channel that is reserved by itself, or one of contexts of multiple secure channels that are reserved for the second network function. Therefore, the third object is accurately processed by keeping the context of the released secure channel between the first network function and the user terminal equipment and continuously adopting the context of the reserved secure channel matched with the third object after the secure channel is released, so that not only can the network terminating call be ensured to be realized, but also the communication efficiency of the system can be improved.
Optionally, in step 203, the third object is processed according to a context of a second secure channel corresponding to the third object, so as to obtain the first object sent to the user terminal device, and specifically, the first object may be sent through the first network function. For the first object, reference may be made to relevant contents in the embodiment of the terminating call processing method shown in fig. 2, which is not described herein again.
Optionally, in the terminating processing method according to the embodiment of the present application, the context of the second secure channel includes at least one of second security information and second Internet Protocol (IP) information.
Further optionally, in a case that the context of the second secure channel includes the second security information, the second security information includes at least one of: an encryption key, an integrity protection key, a security calculation parameter, an encryption activation indication, an integrity protection activation indication, and a security algorithm. In this way, the security information ensures security while messages or data are transmitted.
Further optionally, in a case that the context of the second secure channel includes the second security information, step 203 may be performed as at least one of the following operations:
(1) Encrypting the third object according to the second security information.
(2) Integrity-protecting the third object according to the second security information.
It is to be understood that at least one of encryption and integrity protection of the third object may be implemented by means of the second security information, to ensure the security and integrity of the message or data that needs to be sent.
Optionally, the first object may be obtained after the third object is processed and/or integrity-protected according to the context of the second secure channel corresponding to the third object.
In some of the above examples, as shown in steps 11 to 14 in figs. 3 and 5, the UPF of the PLMN network receives the downlink message data of the user and notifies the SMF of the data arrival. The SMF of the PLMN network requests the AMF to send a terminating message, for example by invoking the Namf_Communication_N1N2MessageTransfer operation, carrying an N1 message. The AMF of the PLMN network forwards the terminating message to the N3IWF, e.g. by sending the N1 message. The AMF also sends the secure channel user context of the user to the N3IWF. The N3IWF of the PLMN network encapsulates the terminating message according to the secure channel context of the user, for example by applying encryption and integrity protection and then setting the destination address to the IP address of the UE in the user context, and then forwards the encapsulated terminating message. As shown in steps 9 and 10 in fig. 4, the UPF of the PLMN network receives the downlink message data of the user and forwards it to the N3IWF. The N3IWF of the PLMN network encapsulates the downlink message data according to the retained secure channel context of the user, for example by applying encryption and integrity protection and then setting the destination address to the IP address of the UE in the user context, and then forwards the encapsulated downlink message data.
Further optionally, when the context of the second secure channel includes the second IP information, the second IP information includes: a second IP address or a second IP port number. The second IP address or the second IP port number may be understood as the target IP address or target IP port number of the receiving end corresponding to the third object, or equivalently as the peer IP address or peer IP port number seen from the end that sends the third object.
Further optionally, in a case that the context of the second secure channel includes the second IP information, step 203 may be executed as follows:
determining the second IP information as the target address of the processed third object. In this way, the processed third object can be accurately sent to the receiving end corresponding to the target address, such as a user terminal device.
Optionally, in the call termination processing method according to the embodiment of the present application, before the step 203, the method may further include the following steps:
determining the context of the second secure channel according to the target identifier corresponding to the third object; wherein the target identifier comprises a user identifier in the message or a target address of the data. In this way, based on the correspondence between the target identifier of the third object and the context of a secure channel, the matching secure channel context for processing the third object can be determined quickly and accurately.
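The lookup, protection and addressing of step 203, together with the terminal-side source-address and integrity checks, as an added Python example that is not part of the patent text. It covers integrity protection only; HMAC-SHA256, the counter used as the security calculation parameter, and all field names, addresses and keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

TAG_LEN = 32  # HMAC-SHA256 output size (the algorithm is an assumption, not named on the page)


@dataclass
class RetainedContext:
    """Secure-channel context kept after the channel is released."""
    integrity_key: bytes   # integrity protection key from the security information
    peer_ip: str           # IP information: address of the other end
    peer_port: int
    retained_at: float     # time at which the channel was released
    valid_for: float       # preset effective duration, in seconds
    counter: int = 0       # assumption: monotonic counter as security calculation parameter

    def expired(self, now: float) -> bool:
        return now - self.retained_at >= self.valid_for


class ContextStore:
    """Network-side store mapping a target identifier (user ID) to its context."""

    def __init__(self) -> None:
        self._by_user: dict[str, RetainedContext] = {}

    def retain(self, user_id: str, ctx: RetainedContext) -> None:
        self._by_user[user_id] = ctx

    def lookup(self, user_id: str, now: float) -> RetainedContext:
        ctx = self._by_user.get(user_id)
        if ctx is None:
            raise LookupError(f"no retained context for {user_id}")
        if ctx.expired(now):
            del self._by_user[user_id]  # stale keys must not be reused
            raise LookupError(f"retained context for {user_id} has expired")
        return ctx


def _tag(key: bytes, counter: int, payload: bytes) -> bytes:
    # The tag covers the counter as well as the payload.
    return hmac.new(key, struct.pack("!Q", counter) + payload, hashlib.sha256).digest()


def wrap_downlink(store: ContextStore, user_id: str, payload: bytes, now: float):
    """Network side: pick the context by target identifier, protect, address."""
    ctx = store.lookup(user_id, now)
    ctx.counter += 1
    packet = struct.pack("!Q", ctx.counter) + payload
    packet += _tag(ctx.integrity_key, ctx.counter, payload)
    return ctx.peer_ip, ctx.peer_port, packet  # destination taken from the context


def verify_downlink(ctx: RetainedContext, src_ip: str, packet: bytes, now: float) -> bytes:
    """Terminal side: match the source address, then check integrity and freshness."""
    if ctx.expired(now):
        raise ValueError("retained context expired")
    if src_ip != ctx.peer_ip:
        raise ValueError("source IP does not match retained IP information")
    if len(packet) < 8 + TAG_LEN:
        raise ValueError("packet too short")
    (counter,) = struct.unpack("!Q", packet[:8])
    payload, tag = packet[8:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(ctx.integrity_key, counter, payload)):
        raise ValueError("integrity check failed")
    if counter <= ctx.counter:
        raise ValueError("replayed or stale counter")
    ctx.counter = counter
    return payload


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed key
    store = ContextStore()
    store.retain("user-1", RetainedContext(key, "198.51.100.7", 4500, 0.0, 3600.0))
    ue = RetainedContext(key, "203.0.113.10", 4500, 0.0, 3600.0)
    dst_ip, dst_port, pkt = wrap_downlink(store, "user-1", b"N1 message", now=10.0)
    print(dst_ip, dst_port, verify_downlink(ue, "203.0.113.10", pkt, now=11.0))
```

Because the keys outlive the channel, the expiry check and the freshness counter are what bound how long a captured packet or a leaked context stays useful.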
Optionally, in the call termination processing method according to the embodiment of the present application, before the step 201, the method may further include the following steps:
receiving release auxiliary information from the second network function, where the release auxiliary information is used to indicate either retaining the context of the first secure channel or sending the context of the first secure channel to the second network function.
In some examples, as shown in fig. 3, 4 and 5, the first network is a PLMN, the first network function is an N3IWF in the PLMN, and the second network function is an AMF in the PLMN. Specifically, as shown in step 4, the AMF of the PLMN network sends release assistance information to the N3IWF of the PLMN, which is used to instruct the N3IWF to reserve the user context after releasing the security tunnel with the UE.
Optionally, in the call termination processing method according to the embodiment of the present application, one of the following contents may be further included:
(1) Activating the first secure channel.
(2) Updating the first secure channel.
Optionally, after the duration of the first secure channel reaches or exceeds a preset effective duration, the first secure channel is updated.
(3) Establishing a new secure channel.
Optionally, after the duration of the first secure channel reaches or exceeds a preset effective duration, the new secure channel is established. In some of the examples described above, after step 19 as in fig. 3 and 5, the N3IWF may update the secure channel, such as initiating a new secure channel establishment procedure and releasing the old secure channel. And as after step 15 in fig. 4, the N3IWF of the PLMN may interact with the UE to update the secure tunnel.
It should be noted that the preset time period is a settable parameter, and may be, for example, periodically valid or permanently valid.
Referring to fig. 7, an embodiment of the present application provides a terminating processing method, which may include the following steps:
step 301: sending a second message to a user terminal device, wherein the second message carries second indication information, and the second indication information is used for indicating the user terminal device to reserve the context of a first security channel between the user terminal device and a first network function after the first security channel is released; or sending release auxiliary information to the first network function, where the release auxiliary information is used to indicate that the context of the first secure channel between the first network function and the user terminal device is reserved, or the release auxiliary information is used to indicate that the context of the first secure channel between the first network function and the user terminal device is sent to the second network function.
In this embodiment of the present application, by sending the indication information to the terminal device that establishes the first secure channel with the first network function, the user terminal device may support to reserve the context of the first secure channel when the first secure channel is released, so that the user terminal device may still process the message or the data according to the context of the first secure channel after subsequently receiving the message or the data sent by the first network function. Or, by sending the release auxiliary information to the first network function that establishes the first secure channel with the user terminal device, the first network function may support to reserve the context of the first secure channel or to send the context of the first secure channel to the second network function for reservation when the first secure channel is released, so that the first network function may still perform corresponding processing on the message or data according to the context of the secure channel that is reserved by itself and corresponds to the message or data or according to the context of the secure channel that is reserved from the second network function and corresponds to the message or data when the first network function needs to send the message or data to the user terminal device in the subsequent period. Therefore, not only can the network terminating call be realized, but also the system communication efficiency can be improved.
In some examples, as shown in fig. 3, 4 and 5, the first network is a PLMN, the first network function is an N3IWF in the PLMN, and the second network function is an AMF in the PLMN. Specifically, as shown in step 4, the AMF of the PLMN network sends a registration accept message, such as a Registration Accept message, to the UE through the N3IWF of the PLMN network. The message may carry second indication information for indicating that the UE retains the user context for interacting with the N3IWF. The AMF of the PLMN network sends release assistance information to the N3IWF of the PLMN, which is used for indicating that the N3IWF retains the user context after releasing the secure channel with the UE. Further, the N3IWF of the PLMN network forwards the registration accept message to the UE through the UPF of the SNPN network and the base station, as shown in step 5.
Optionally, in the terminating processing method according to the embodiment of the application, the second indication information includes one or more Internet Protocol (IP) addresses.
Optionally, in an example of the terminating call processing method according to the embodiment of the present application, before the step 301, the method may further include:
determining to send the second message or the release assistance information based on at least one of subscription information of the user, information of the PDU session established by the user terminal device, and capability of the first network function.
In some examples, as shown in step 3 of fig. 3 to 5, the AMF of the PLMN network may query the subscription information of the user of the UE, and determine whether the user needs to retain the user context interacting with the N3IWF by subscription.
Optionally, in another example of the terminating call processing method according to the embodiment of the present application, before the step 301, the method may further include:
receiving first indication information sent by the user terminal equipment, wherein the first indication information is used for indicating that the user terminal equipment supports the reservation of the context of the first secure channel after the secure channel is released; determining to send the second message or the release assistance information based on the first indication information.
Further optionally, in the call termination processing method according to the embodiment of the present application, in a case that the release assistance information is sent to the first network function, and the release assistance information is used to indicate that a context of a first secure channel between the second network function and the user terminal device is sent to the second network function, the method further includes one of the following operations:
(1) Retaining the context of the first secure channel.
(2) Sending the context of the second secure channel to the first network function.
Referring to fig. 8, an embodiment of the present application provides a terminating processing apparatus 400, where the terminating processing apparatus 400 is in a user terminal device, and the apparatus 400 includes: a storage module 401 and a first processing module 403.
The storage module 401 is configured to, when a first secure channel between the first network function and the storage module is released, reserve a context of the first secure channel; the first processing module 403 is configured to, in a case that a first object sent by the first network function is received, process the first object according to a context of the first secure channel; wherein the first object comprises a message or data.
Optionally, in the terminating processing apparatus 400 according to the embodiment of the present application, the context of the first secure channel includes at least one of first security information and first Internet Protocol (IP) information.
Optionally, the terminating processing apparatus 400 according to the embodiment of the present application may further include: a first determination module.
The first determining module is configured to, in a case that the context of the first secure channel includes the first IP information and the first object forwarded by the first network function is received, determine that source IP information corresponding to the first object matches the first IP information before the first object is processed according to the context of the first secure channel.
Optionally, in the terminating processing apparatus 400 according to this embodiment of the application, the first processing module 403, when the context of the first secure channel includes the first security information, may specifically be configured to:
perform at least one of decryption and integrity checking on the first object based on the first security information.
Optionally, in the terminating processing apparatus 400 according to the embodiment of the present application, in a case that the context of the first secure channel includes the first security information, the first security information includes at least one of: an encryption key, an integrity protection key, a security calculation parameter, an encryption activation indication, an integrity protection activation indication, and a security algorithm; in a case where the context of the first secure channel includes the first IP information, the first IP information includes: a first IP address or a first IP port number.
Optionally, the terminating processing apparatus 400 according to the embodiment of the present application may further include: a first sending module.
The first sending module is configured to send a first message to the first network through the first secure channel before the secure channel is released; wherein the first message carries first indication information, and the first indication information is used for indicating that the user terminal device supports retaining the context of the first secure channel after the first secure channel is released.
Optionally, the terminating processing apparatus 400 according to the embodiment of the present application may further include: a first receiving module.
The first receiving module is configured to receive a second message from the first network through the first secure channel before the secure channel is released; wherein the second message carries second indication information, and the second indication information is used for indicating that the user terminal device reserves the context of the first secure channel after the secure channel is released.
Optionally, in the terminating processing apparatus 400 according to the embodiment of the present application, the second indication information includes one or more IP addresses, and the context of the first secure channel includes one or more IP addresses in the second indication information.
Optionally, the terminating processing apparatus 400 according to the embodiment of the present application may further include: a second receiving module.
Wherein, in the case that the first secure channel is established in the second network by the user terminal device, the first processing module 403 may be further configured to: establishing or activating a protocol data unit, PDU, session connection with the second network upon receiving a third message from the second network; the second receiving module is configured to receive the first object sent by the first network function through the PDU session connection.
Optionally, in the terminating processing apparatus 400 according to the embodiment of the application, the second receiving module may be further configured to:
receiving a fourth message from the first network forwarded via the first network function, activating a PDU session connection with the first network.
Optionally, the terminating processing apparatus 400 according to the embodiment of the present application may further include: a second processing module.
Wherein the second processing module is configured to perform one of the following operations: activating the first secure channel; updating the first secure channel; a new secure channel is established.
Optionally, in the terminating processing apparatus 400 according to the embodiment of the present application, the first sending module may be further configured to: and sending a second object to the first network through the activated first secure channel, the updated first secure channel or the new secure channel, wherein the second object comprises a message or data.
Optionally, in the call termination processing apparatus 400 according to the embodiment of the application, the second processing module may be specifically configured to:
and after the duration of the first secure channel reaches or exceeds a preset effective duration, updating the first secure channel or establishing the new secure channel.
It can be understood that the terminating processing apparatus 400 provided in this embodiment of the present application can implement each process of any one of the terminating processing methods shown in fig. 2 to fig. 5, and the related descriptions about the terminating processing method are all applicable to the terminating processing apparatus 400, and are not described herein again.
In the embodiment of the application, the user terminal equipment can support to reserve the context of the first secure channel when the first secure channel between the user terminal equipment and the first network function is released; further, after the first secure channel is released, and the first object (i.e. the terminating message or the terminating data) sent by the first network function is received, the processing of the first object can still be completed according to the context of the first secure channel. Therefore, by reserving the context of the first secure channel released between the user terminal device and the first network function and continuing to adopt the reserved context of the first secure channel to accurately process the subsequent object sent by the first network function after the first secure channel is released, not only can the network terminating call be ensured to be realized, but also the communication efficiency of the system can be improved.
Referring to fig. 9, an embodiment of the present application provides a terminating processing apparatus 500, where the terminating processing apparatus 500 is in a first network device, where the first network device includes a first network function, and the apparatus 500 includes: a first processing module 501 and a second processing module 503.
The first processing module 501 is configured to, when a first secure channel between a first network function and a user terminal device is released, reserve a context of the first secure channel, or send the context of the first secure channel to a second network function; the second processing module 503 is configured to, when a third object from a first network is received, process the third object according to a context of a second secure channel corresponding to the third object, where the third object includes a message or data, and the context of the second secure channel is a context of the first secure channel or a context of one secure channel received from a second network function.
Optionally, the terminating processing apparatus 500 according to the embodiment of the present application may further include: a determining module.
The determining module is configured to determine, according to a target identifier corresponding to the third object, a context of a second secure channel before the third object is processed according to the context of the second secure channel corresponding to the third object; wherein the target identification comprises a user identification in the message or a target address of the data.
Optionally, in the terminating processing apparatus 500 according to the embodiment of the present application, the context of the second secure channel includes at least one of second security information and second Internet Protocol (IP) information.
Optionally, in the terminating processing apparatus 500 according to the embodiment of the application, the second processing module 503 may be specifically configured to, when the context of the second secure channel includes the second security information, perform at least one of the following operations:
encrypting the third object according to the second security information; integrity-protecting the third object according to the second security information.
Optionally, in the terminating processing apparatus 500 according to the embodiment of the application, the second processing module 503 determines, when the context of the second secure channel includes the second IP information, the second IP information as the target address of the processed third object.
Optionally, in the terminating processing apparatus 500 according to the embodiment of the present application, in a case that the context of the second secure channel includes the second security information, the second security information includes at least one of the following: an encryption key, an integrity protection key, a security calculation parameter, an encryption activation indication, an integrity protection activation indication, and a security algorithm; in a case where the context of the second secure channel includes the second IP information, the second IP information includes: a second IP address or a second IP port number.
Optionally, the terminating processing apparatus 500 according to the embodiment of the present application may further include: a receiving module.
The receiving module is configured to receive release assistance information from a second network function before the context of the first secure channel is reserved or sent to the second network function when the first secure channel between the receiving module and the user terminal device is released, where the release assistance information is used to indicate that the context of the first secure channel is reserved or sent to the second network function.
Optionally, the terminating processing apparatus 500 according to the embodiment of the present application may further include: a third processing module.
Wherein the third processing module is configured to perform one of the following operations: activating the first secure channel; updating the first secure channel; a new secure channel is established.
Optionally, in the terminating processing apparatus 500 according to the embodiment of the present application, the third processing module may be specifically configured to:
and after the duration of the first secure channel reaches or exceeds a preset effective duration, updating the first secure channel or establishing the new secure channel.
It can be understood that the terminating processing apparatus 500 provided in this embodiment of the present application can implement each process of any one of the terminating processing methods shown in fig. 3 to fig. 6, and the related descriptions about the terminating processing method are all applicable to the terminating processing apparatus 500, and are not described herein again.
In this embodiment, when the first secure channel between the first network function and any user terminal device is released, the first network function may retain the context of the first secure channel, or may send that context to the second network function for retention. After the established secure channel has been released, when a third object (i.e., a terminating message or terminating data) arrives from the first network and needs to be sent to a user terminal device, the third object may be processed into the object that is finally sent, according to the retained context of the second secure channel corresponding to the third object. Here the second secure channel is the secure channel established between the first network function and the user terminal device corresponding to the third object, and its context may be the context of the first secure channel retained by the first network function itself, or one of the contexts of multiple secure channels retained by the second network function. By retaining the context of the released secure channel and continuing to use the retained context that matches the third object, the third object is processed accurately, which both enables network-terminated calls and improves the communication efficiency of the system.
Referring to fig. 10, an embodiment of the present application provides a terminating processing apparatus 600, where the terminating processing apparatus 600 is in a second network device, where the second network device includes a second network function, and the apparatus 600 includes: a sending module 601.
Wherein the sending module 601 is configured to: sending a second message to a user terminal device, wherein the second message carries second indication information, and the second indication information is used for indicating the user terminal device to reserve the context of a first security channel between the user terminal device and a first network function after the first security channel is released; or sending release auxiliary information to the first network function, where the release auxiliary information is used to indicate that the context of the first secure channel between the first network function and the user terminal device is reserved, or the release auxiliary information is used to indicate that the context of the first secure channel between the first network function and the user terminal device is sent to the second network function.
Optionally, in the terminating processing apparatus 600 according to the embodiment of the present application, the second indication information includes one or more Internet Protocol (IP) addresses.
Optionally, the terminating processing apparatus 600 according to the embodiment of the present application may further include: a first determination module.
The first determination module is configured to determine to send the second message or the release assistance information based on at least one of subscription information of the user, information of a PDU session established by the user terminal device, and a capability of the first network function, before the second message is sent to the user terminal device or the release assistance information is sent to the first network function.
Optionally, the terminating processing apparatus 600 according to the embodiment of the present application may further include: a receiving module and a second determining module.
The receiving module is configured to receive first indication information sent by the user terminal device before the sending of the second message to the user terminal device or the sending of the release assistance information to the first network function, where the first indication information is used to indicate that the user terminal device supports retaining a context of the first secure channel after the release of the secure channel; the second determining module is configured to determine to send the second message or the release assistance information based on the first indication information.
Optionally, the terminating processing apparatus 600 according to the embodiment of the present application may further include: a processing module.
Wherein the processing module is configured to, when the release assistance information is sent to the first network function and the release assistance information is used to indicate that a context of a first secure channel between the second network function and a user terminal device is sent to the second network function, perform at least one of the following operations: reserving a context of the first secure channel; the context of the second secure channel is sent to the first network function.
It can be understood that the terminating processing apparatus 600 provided in this embodiment of the present application can implement each process of any one of the terminating processing methods shown in fig. 3 to fig. 5 and fig. 7, and the related explanations about the terminating processing method are all applicable to the terminating processing apparatus 600, and are not described herein again.
In this embodiment of the present application, by sending the indication information to the terminal device that establishes the first secure channel with the first network function, the user terminal device may support to reserve the context of the first secure channel when the first secure channel is released, so that the user terminal device may still process the message or the data according to the context of the first secure channel after subsequently receiving the message or the data sent by the first network function. Or, by sending the release auxiliary information to the first network function that establishes the first secure channel with the user terminal device, the first network function may support to reserve the context of the first secure channel or to send the context of the first secure channel to the second network function for reservation when the first secure channel is released, so that the first network function may still perform corresponding processing on the message or data according to the context of the secure channel that is reserved by itself and corresponds to the message or data or according to the context of the secure channel that is reserved from the second network function and corresponds to the message or data when the first network function needs to send the message or data to the user terminal device in the subsequent period. Therefore, not only can the network terminating call be realized, but also the system communication efficiency can be improved.
Fig. 11 is a block diagram of a terminal device according to another embodiment of the present application. The terminal device 700 shown in fig. 11 includes: at least one processor 701, a memory 702, at least one network interface 704, and a user interface 703. The various components in the terminal device 700 are coupled together by a bus system 705. It is understood that the bus system 705 is used to enable communications among the components. The bus system 705 includes a power bus, a control bus, and a status signal bus in addition to a data bus. But for clarity of illustration the various busses are labeled in figure 11 as the bus system 705.
The user interface 703 may include, among other things, a display, a keyboard, or a pointing device (e.g., a mouse, trackball, touch pad, or touch screen).
It will be appreciated that the memory 702 in this embodiment of the present application can be either volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. The volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The memory 702 of the systems and methods described in the embodiments herein is intended to comprise, without being limited to, these and any other suitable types of memory.
In some embodiments, memory 702 stores the following elements, executable modules or data structures, or a subset thereof, or an expanded set thereof: an operating system 7021 and application programs 7022.
The operating system 7021 includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, for implementing various basic services and processing hardware-based tasks. The application 7022 includes various applications, such as a Media Player (Media Player), a Browser (Browser), and the like, for implementing various application services. A program for implementing the methods according to embodiments of the present application may be included in application 7022.
In this embodiment of the present application, the terminal device 700 further includes: a program or instructions stored on the memory 702 and executable on the processor 701, which when executed by the processor 701, performs the steps of:
when a first secure channel between the user terminal device and a first network function is released, reserving the context of the first secure channel; in the case of receiving a first object sent via the first network function, processing the first object according to the context of the first secure channel; wherein the first object comprises a message or data.
In the embodiment of the application, the user terminal equipment can support to reserve the context of the first secure channel when the first secure channel between the user terminal equipment and the first network function is released; further, after the first secure channel is released, and the first object (i.e. the terminating message or the terminating data) sent by the first network function is received, the processing of the first object can still be completed according to the context of the first secure channel. Therefore, by reserving the context of the first secure channel released between the user terminal device and the first network function and continuing to adopt the reserved context of the first secure channel to accurately process the subsequent object sent by the first network function after the first secure channel is released, not only can the network terminating call be ensured to be realized, but also the communication efficiency of the system can be improved.
The method disclosed in the embodiments of the present application may be applied to the processor 701, or implemented by the processor 701. The processor 701 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor 701 or by instructions in the form of software. The processor 701 may be a general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may reside in RAM, flash memory, ROM, PROM, EPROM, registers, or other computer-readable storage media known in the art. The computer-readable storage medium is located in the memory 702, and the processor 701 reads the information in the memory 702 and performs the steps of the above method in combination with its hardware. In particular, the computer-readable storage medium has stored thereon a computer program which, when executed by the processor 701, implements the steps of the above-described embodiments of the terminating call processing method.
It is to be understood that the embodiments described in connection with the embodiments disclosed herein may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof. For a hardware implementation, the Processing units may be implemented within one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, micro-controllers, microprocessors, other electronic units configured to perform the functions described herein, or a combination thereof.
For a software implementation, the techniques described in this application may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions described in this application. The software codes may be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to the processor.
The terminal device 700 can implement each process implemented by the terminal device in the foregoing embodiments, and details are not described here to avoid repetition.
Preferably, an embodiment of the present application further provides a terminal device, which includes a processor, a memory, and a program or an instruction stored in the memory and capable of running on the processor, where the program or the instruction is executed by the processor to implement each process of any one of the terminal call processing methods shown in fig. 2 to 5, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
An embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or the instruction is executed by a processor, the program or the instruction implements each process of any one of the terminating call processing methods shown in fig. 2 to fig. 5, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The processor is the processor in the terminal device 700 described in the above embodiment. The readable storage medium includes a computer readable storage medium, such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and so on.
Referring to fig. 12, fig. 12 is a structural diagram of a network device applied in the embodiment of the present application, which can implement details of any one of the terminal call processing methods shown in fig. 3 to fig. 7, and achieve the same effect. As shown in fig. 12, the network device 800 includes: a processor 801, a transceiver 802, a memory 803, a user interface 804, and a bus interface 805, wherein:
in this embodiment, the network device 800 further includes: programs or instructions stored on the memory 803 and executable on the processor 801.
Optionally, when the program or the instructions are executed by the processor 801, the following steps may be implemented:
when a first secure channel between a first network function and user terminal equipment is released, reserving the context of the first secure channel, or sending the context of the first secure channel to a second network function; and under the condition that a third object from a first network is received, processing the third object according to the context of a second secure channel corresponding to the third object, wherein the third object comprises information or data, and the context of the second secure channel is the context of the first secure channel or the context of one secure channel received from the second network function.
In this embodiment, when the first secure channel between the first network function and any user terminal device is released, the context of the first secure channel may be supported to be reserved, or the context of the first secure channel may be sent to the second network function for reservation. Further, after the established secure channel is released, and when a third object (i.e., a terminating message or terminating data) from the first network and needing to be sent to any user terminal device is received, the third object may be processed into an object that needs to be sent finally according to a context of a second secure channel corresponding to the third object that is already reserved, where the second secure channel is the secure channel established between the user terminal device corresponding to the third object and the first network function, and the context of the second secure channel may be a context of a first secure channel that is reserved by itself, or one of contexts of multiple secure channels that are reserved for the second network function. Therefore, the third object is accurately processed by keeping the context of the released secure channel between the first network function and the user terminal equipment and continuously adopting the context of the reserved secure channel matched with the third object after the secure channel is released, so that not only can the network terminating call be ensured to be realized, but also the communication efficiency of the system can be improved.
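The two sides described above (the terminal keeping the context and checking an incoming object, and the network function looking up a kept context and protecting an outgoing object) can be sketched as follows. This is an added example, not code from the application: HMAC-SHA256 as the integrity algorithm, a sequence counter standing in for the "security calculation parameter", the class and function names, and the documentation-range IP addresses are all assumptions, and only the integrity half of "decrypting and integrity check" is shown.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TAG_LEN = 16  # truncated HMAC-SHA256 tag; algorithm and length are assumptions


class ContextError(Exception):
    """Raised when an object cannot be processed with a retained context."""


@dataclass
class ChannelContext:
    """Context kept after release: security information plus IP information."""
    integrity_key: bytes
    peer_ip: str
    peer_port: int
    established_at: float
    lifetime_s: float   # the "preset effective duration"
    tx_seq: int = 0     # assumption: models the "security calculation parameter"
    rx_seq: int = 0

    def expired(self, now: float) -> bool:
        return now - self.established_at >= self.lifetime_s


def compute_tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity tag over sequence number and payload."""
    msg = struct.pack(">Q", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class NetworkFunction:
    """Network side: contexts of released channels, keyed by target identifier."""

    def __init__(self) -> None:
        self.retained: Dict[str, ChannelContext] = {}

    def release_channel(self, user_id: str, ctx: ChannelContext) -> None:
        self.retained[user_id] = ctx  # keep the context instead of deleting it

    def protect(self, user_id: str, payload: bytes,
                now: float) -> Tuple[Tuple[str, int], bytes]:
        ctx = self.retained.get(user_id)
        if ctx is None:
            raise ContextError("no retained context for target")
        if ctx.expired(now):
            del self.retained[user_id]  # stale keys must not be reused
            raise ContextError("context expired")
        ctx.tx_seq += 1
        tag = compute_tag(ctx.integrity_key, ctx.tx_seq, payload)
        packet = struct.pack(">Q", ctx.tx_seq) + payload + tag
        # The retained IP information becomes the destination address.
        return (ctx.peer_ip, ctx.peer_port), packet


class Terminal:
    """Terminal side: one retained context for the released channel."""

    def __init__(self) -> None:
        self.ctx: Optional[ChannelContext] = None

    def release_channel(self, ctx: ChannelContext) -> None:
        self.ctx = ctx

    def receive(self, src_ip: str, packet: bytes, now: float) -> bytes:
        ctx = self.ctx
        if ctx is None:
            raise ContextError("no retained context")
        if ctx.expired(now):
            self.ctx = None
            raise ContextError("context expired")
        if src_ip != ctx.peer_ip:
            raise ContextError("source IP does not match retained IP information")
        if len(packet) < 8 + TAG_LEN:
            raise ContextError("packet too short")
        seq = struct.unpack(">Q", packet[:8])[0]
        payload, tag = packet[8:-TAG_LEN], packet[-TAG_LEN:]
        expected = compute_tag(ctx.integrity_key, seq, payload)
        if not hmac.compare_digest(tag, expected):
            raise ContextError("integrity check failed")
        if seq <= ctx.rx_seq:
            raise ContextError("replayed sequence number")
        ctx.rx_seq = seq
        return payload


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key
    nf, ue = NetworkFunction(), Terminal()
    nf.release_channel("user-1", ChannelContext(key, "198.51.100.7", 4500, 0.0, 3600.0))
    ue.release_channel(ChannelContext(key, "192.0.2.10", 4500, 0.0, 3600.0))
    dst, pkt = nf.protect("user-1", b"incoming call", now=10.0)
    print(dst, ue.receive("192.0.2.10", pkt, now=11.0))
```

Because the keys outlive the channel, the receive path rejects a wrong source address, a failed integrity check, a replayed counter and an expired context before returning the payload.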
Optionally, when the program or the instructions are executed by the processor 801, the following steps may be further implemented:
sending a second message to a user terminal device, wherein the second message carries second indication information, and the second indication information is used for indicating the user terminal device to reserve the context of a first secure channel between the user terminal device and a first network function after the first secure channel is released; or sending release auxiliary information to the first network function, where the release auxiliary information is used to indicate that the context of the first secure channel between the first network function and the user terminal device is reserved, or the release auxiliary information is used to indicate that the context of the first secure channel between the first network function and the user terminal device is sent to the second network function.
In this embodiment of the present application, by sending the indication information to the terminal device that establishes the first secure channel with the first network function, the user terminal device may support to reserve the context of the first secure channel when the first secure channel is released, so that the user terminal device may still process the message or the data according to the context of the first secure channel after subsequently receiving the message or the data sent by the first network function. Or, by sending the release auxiliary information to the first network function that establishes the first secure channel with the user terminal device, the first network function may support to reserve the context of the first secure channel or to send the context of the first secure channel to the second network function for reservation when the first secure channel is released, so that the first network function may still perform corresponding processing on the message or data according to the context of the secure channel that is reserved by itself and corresponds to the message or data or according to the context of the secure channel that is reserved from the second network function and corresponds to the message or data when the first network function needs to send the message or data to the user terminal device in the subsequent period. Therefore, not only can the network terminating call be realized, but also the system communication efficiency can be improved.
In FIG. 12, the bus architecture may include any number of interconnected buses and bridges, with one or more processors, represented by the processor 801, and various circuits, represented by the memory 803, linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. Bus interface 805 provides an interface. The transceiver 802 may be a number of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium. The user interface 804 may also be an interface capable of interfacing with a desired device for different user devices, including but not limited to a keypad, display, speaker, microphone, joystick, etc.
The processor 801 is responsible for managing the bus architecture and general processing, and the memory 803 may store data used by the processor 801 in performing operations.
Preferably, an embodiment of the present application further provides a network device, which includes a processor, a memory, and a program or an instruction stored in the memory and capable of running on the processor, where the program or the instruction is executed by the processor to implement each process of any one of the terminal call processing methods shown in fig. 3 to 7, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
An embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or the instruction is executed by a processor, the program or the instruction implements each process of any one of the terminating call processing methods shown in fig. 3 to fig. 7, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The processor is the processor in the network device 800 described in the above embodiment. The readable storage medium includes a computer readable storage medium, such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and so on.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Further, it should be noted that the scope of the methods and apparatus of the embodiments of the present application is not limited to performing the functions in the order illustrated or discussed, but may include performing the functions in a substantially simultaneous manner or in a reverse order based on the functions involved, e.g., the methods described may be performed in an order different than that described, and various steps may be added, omitted, or combined. In addition, features described with reference to certain examples may be combined in other examples.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
While the present embodiments have been described with reference to the accompanying drawings, it is to be understood that the invention is not limited to the precise embodiments described above, which are meant to be illustrative and not restrictive, and that various changes may be made therein by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (39)

1. A terminal call processing method is applied to user terminal equipment, and is characterized in that the method comprises the following steps:
when a first secure channel between the user terminal device and a first network function is released, reserving the context of the first secure channel;
in the case of receiving a first object sent via the first network function, processing the first object according to the context of the first secure channel; wherein the first object comprises a message or data.
2. The method of claim 1, wherein the context of the first secure channel comprises: at least one of first security information and first Internet Protocol (IP) information.
3. The method of claim 2, wherein in the case that the context of the first secure channel includes the first IP information, the method further comprises, before processing the first object according to the context of the first secure channel in the case that the first object forwarded via the first network function is received:
and determining that the source IP information corresponding to the first object is matched with the first IP information.
4. The method of claim 2, wherein, in the case that the context of the first secure channel includes the first security information, the processing the first object according to the context of the first secure channel comprises:
performing at least one of decryption and an integrity check on the first object based on the first security information.
5. The method of claim 2, wherein in the case that the context of the first secure channel includes the first security information, the first security information includes at least one of: an encryption key, an integrity protection key, a security calculation parameter, an encryption activation indication, an integrity protection activation indication and a security algorithm;
in a case where the context of the first secure channel includes the first IP information, the first IP information includes: a first IP address or a first IP port number.
6. The method of claim 1, wherein before the secure channel is released, the method further comprises:
sending a first message to the first network through the first secure channel;
wherein the first message carries first indication information, and the first indication information is used for indicating that the user terminal device supports reserving the context of the first secure channel after the first secure channel is released.
7. The method of claim 1, wherein before the secure channel is released, the method further comprises:
receiving a second message from the first network through the first secure channel;
wherein the second message carries second indication information, and the second indication information is used for indicating that the user terminal device reserves the context of the first secure channel after the secure channel is released.
8. The method of claim 7, wherein the second indication information comprises one or more IP addresses, and wherein the one or more IP addresses in the second indication information are included in the context of the first secure channel.
9. The method according to claim 1, wherein in case that the first secure channel is established by the user terminal device in a second network, the method further comprises:
establishing or activating a protocol data unit, PDU, session connection with the second network upon receiving a third message from the second network;
receiving the first object sent via the first network function over the PDU session connection.
10. The method of claim 1, further comprising:
receiving a fourth message from the first network forwarded via the first network function, activating a PDU session connection with the first network.
11. The method of claim 1, further comprising one of:
activating the first secure channel;
updating the first secure channel;
a new secure channel is established.
12. The method of claim 11, further comprising:
and sending a second object to the first network through the activated first secure channel, the updated first secure channel or the new secure channel, wherein the second object comprises a message or data.
13. The method of claim 11, wherein the updating the first secure channel or the establishing a new secure channel comprises:
and after the duration of the first secure channel reaches or exceeds a preset effective duration, updating the first secure channel or establishing the new secure channel.
14. A method of terminating, the method comprising:
when a first secure channel between a first network function and user terminal equipment is released, reserving the context of the first secure channel, or sending the context of the first secure channel to a second network function;
and under the condition that a third object from a first network is received, processing the third object according to the context of a second secure channel corresponding to the third object, wherein the third object comprises information or data, and the context of the second secure channel is the context of the first secure channel or the context of one secure channel received from the second network function.
15. The method of claim 14, wherein before the processing the third object according to the context of the second secure channel corresponding to the third object, the method further comprises:
determining the context of the second secure channel according to the target identifier corresponding to the third object; wherein the target identification comprises a user identification in the message or a target address of the data.
16. The method of claim 14, wherein the context of the second secure channel comprises: at least one of second security information and second Internet Protocol (IP) information.
17. The method according to claim 16, wherein, in a case that the context of the second secure channel includes the second security information, the processing the third object according to the context of the second secure channel corresponding to the third object includes at least one of:
encrypting the third object according to the second security information;
and integrity protecting the third object according to the second security information.
18. The method according to claim 16, wherein, when the context of the second secure channel includes the second IP information, the processing the third object according to the context of the second secure channel corresponding to the third object includes:
and determining the second IP information as the target address of the processed third object.
19. The method of claim 16, wherein in the case that the context of the second secure channel includes the second security information, the second security information includes at least one of: an encryption key, an integrity protection key, a security calculation parameter, an encryption activation indication, an integrity protection activation indication and a security algorithm;
in a case where the context of the second secure channel includes the second IP information, the second IP information includes: a second IP address or a second IP port number.
20. The method according to claim 14, wherein before the step of retaining the context of the first secure channel when the first secure channel with the user terminal device is released or sending the context of the first secure channel to the second network function, the method further comprises:
receiving release assistance information from the second network function, the release assistance information indicating to reserve the context of the first secure channel or to send the context of the first secure channel to the second network function.
21. The method of claim 14, further comprising one of:
activating the first secure channel;
updating the first secure channel;
a new secure channel is established.
22. The method of claim 21, wherein the updating the first secure channel or the establishing a new secure channel comprises:
and after the duration of the first secure channel reaches or exceeds a preset effective duration, updating the first secure channel or establishing the new secure channel.
23. A method of terminating, the method comprising:
sending a second message to a user terminal device, wherein the second message carries second indication information, and the second indication information is used for indicating the user terminal device to reserve the context of a first secure channel between the user terminal device and a first network function after the first secure channel is released; or,
and sending release auxiliary information to the first network function, wherein the release auxiliary information is used for indicating to reserve the context of the first secure channel between the first network function and the user terminal equipment, or the release auxiliary information is used for indicating to send the context of the first secure channel between the first network function and the user terminal equipment to the second network function.
24. The method of claim 23, wherein the second indication information comprises one or more Internet Protocol (IP) addresses.
25. The method according to claim 23, wherein before said sending the second message to the user terminal device or said sending the release assistance information to the first network function, the method further comprises:
determining to send the second message or the release assistance information based on at least one of subscription information of the user, information of the PDU session established by the user terminal device, and capability of the first network function.
26. The method according to claim 23, wherein before said sending the second message to the user terminal device or said sending the release assistance information to the first network function, the method further comprises:
receiving first indication information sent by the user terminal equipment, wherein the first indication information is used for indicating that the user terminal equipment supports the reservation of the context of the first secure channel after the secure channel is released;
determining to send the second message or the release assistance information based on the first indication information.
27. The method according to claim 23, wherein in case that the release assistance information is sent to the first network function and indicates that the context of the first secure channel between the second network function and the user terminal device is sent to the second network function, the method further comprises one of:
reserving a context of the first secure channel;
the context of the second secure channel is sent to the first network function.
28. An end call processing apparatus, wherein the end call processing apparatus is in a user terminal device, the apparatus comprising:
the storage module is used for reserving the context of a first secure channel between the storage module and a first network function when the first secure channel is released;
a first processing module, configured to, in a case that a first object sent via the first network function is received, process the first object according to a context of the first secure channel; wherein the first object comprises a message or data.
29. The apparatus of claim 28, further comprising:
a first sending module, configured to send a first message to the first network through the first secure channel before the secure channel is released;
wherein the first message carries first indication information, and the first indication information is used for indicating that the user terminal device supports reserving the context of the first secure channel after the first secure channel is released.
30. The apparatus of claim 28, further comprising:
a first receiving module, configured to receive a second message from the first network through the first secure channel before the secure channel is released; wherein the second message carries second indication information, and the second indication information is used for indicating that the user terminal device reserves the context of the first secure channel after the secure channel is released.
31. An end call processing apparatus, in a first network device, comprising:
a first processing module, configured to, when a first secure channel between a first network function and a user terminal device is released, reserve a context of the first secure channel, or send the context of the first secure channel to a second network function;
a second processing module, configured to, when a third object from a first network is received, process the third object according to a context of a second secure channel corresponding to the third object, where the third object includes a message or data, and the context of the second secure channel is the context of the first secure channel or the context of one secure channel received from the second network function.
32. The apparatus of claim 31, further comprising:
a determining module, configured to determine, according to a target identifier corresponding to the third object, a context of a second secure channel before the third object is processed according to the context of the second secure channel corresponding to the third object; wherein the target identification comprises a user identification in the message or a target address of the data.
33. The apparatus of claim 31, further comprising:
a receiving module, configured to receive release assistance information from the second network function before the context of the first secure channel is reserved, or sent to the second network function, when the first secure channel with the user terminal device is released, where the release assistance information is used to indicate to reserve the context of the first secure channel or to send the context of the first secure channel to the second network function.
34. An end call processing apparatus, in a second network device, the apparatus comprising: a sending module;
wherein the sending module is configured to: send a second message to a user terminal device, wherein the second message carries second indication information, and the second indication information is used for indicating the user terminal device to reserve the context of a first secure channel between the user terminal device and a first network function after the first secure channel is released; or,
and sending release auxiliary information to the first network function, wherein the release auxiliary information is used for indicating to reserve the context of the first secure channel between the first network function and the user terminal equipment, or the release auxiliary information is used for indicating to send the context of the first secure channel between the first network function and the user terminal equipment to the second network function.
35. The apparatus of claim 34, further comprising:
a first determining module, configured to determine to send the second message or the release assistance information based on at least one of subscription information of the user, information of a PDU session established by the user terminal device, and a capability of the first network function before the sending of the second message to the user terminal device or the sending of the release assistance information to the first network function.
36. The apparatus of claim 34, further comprising:
a receiving module, configured to receive first indication information sent by a user terminal device before the sending of the second message to the user terminal device or the sending of the release assistance information to the first network function, where the first indication information is used to indicate that the user terminal device supports retaining a context of the first secure channel after the release of the secure channel;
a second determining module, configured to determine to send the second message or the release assistance information based on the first indication information.
37. A terminal device, comprising: a memory, a processor and a program or instructions stored on the memory and executable on the processor, which when executed by the processor implements the steps of the method of any one of claims 1 to 13.
38. A network device, comprising: a memory, a processor and a program or instructions stored on the memory and executable on the processor, which when executed by the processor implements the steps of the method of any one of claims 14 to 22; or which when executed by the processor implements the steps of the method of any of claims 23 to 27.
39. A readable storage medium, characterized in that a program or instructions are stored thereon, which program or instructions, when executed by a processor, carry out the steps of the method according to any one of claims 1 to 13, or which program or instructions, when executed by a processor, carry out the steps of the method according to any one of claims 14 to 22, or which program or instructions, when executed by a processor, carry out the steps of the method according to any one of claims 23 to 27.
CN202010408799.3A 2020-05-14 2020-05-14 Terminal call processing method and device, terminal equipment and network equipment Pending CN113676995A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010408799.3A CN113676995A (en) 2020-05-14 2020-05-14 Terminal call processing method and device, terminal equipment and network equipment

Publications (1)

Publication Number Publication Date
CN113676995A true CN113676995A (en) 2021-11-19

Family

ID=78537338

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010408799.3A Pending CN113676995A (en) 2020-05-14 2020-05-14 Terminal call processing method and device, terminal equipment and network equipment

Country Status (1)

Country Link
CN (1) CN113676995A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107666691A (en) * 2016-07-28 2018-02-06 电信科学技术研究院 A kind of mobile station (MS) state transition method and device
CN108616950A (en) * 2016-12-28 2018-10-02 电信科学技术研究院 Motion management method, equipment of the core network between Radio Access Network and base station
KR20180109714A (en) * 2017-03-27 2018-10-08 한국전자통신연구원 User equipment context release method in non-3gpp access and network network entity perorming the same
CN108632815A (en) * 2017-03-24 2018-10-09 华为技术有限公司 Communication means and equipment
CN110583094A (en) * 2017-09-05 2019-12-17 Oppo广东移动通信有限公司 Method and network device for transmitting data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination