CN113873522B - Wide area mobile communication safety private network construction method capable of supporting international roaming - Google Patents


Info

Publication number
CN113873522B
Authority
CN
China
Prior art keywords
network
core network
security
self
built
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111066310.XA
Other languages
Chinese (zh)
Other versions
CN113873522A (en)
Inventor
王俊
田永春
曾浩洋
金鸣
严大媛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CETC 30 Research Institute
Priority to CN202111066310.XA
Publication of CN113873522A
Application granted
Publication of CN113873522B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/086 Access security using security domains
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 16/00 Network planning, e.g. coverage or traffic planning tools; Network deployment, e.g. resource partitioning or cell structures
    • H04W 16/18 Network planning tools

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a wide area mobile communication security private network construction method capable of supporting international roaming. The method divides an operator public network into an access network and a core network, and defines the existing core networks of operators at home and abroad as the core network visited domain of the security private network; a self-built core network is built by the industry alone or jointly by the industry and operators, and the self-built core network operates in a non-roaming scenario or a roaming scenario according to where mobile users access the network. In the non-roaming scenario, all mobile users are local and access locally through the base station where the self-built core network is located, and the self-built core network is defined as the complete core network of the security private network. In the roaming scenario, the mobile user is not local, all access is performed through the operator's existing base stations, and the self-built core network is defined as the core network home domain of the security private network. The invention solves the problem that a private network constructed in the traditional way cannot provide security and wide area coverage at the same time, and meets the industry's requirements for lower investment cost, higher acceptance by operators, and the like.

Description

Wide area mobile communication safety private network construction method capable of supporting international roaming
Technical Field
The invention relates to the technical field of mobile communication systems, in particular to a wide area mobile communication safety private network construction method capable of supporting international roaming.
Background
The security of mobile communication systems is mainly based on the native security capability of 3GPP. The main object protected by the native security capability of 5G is the air interface, including the protection of air interface signalling and of air interface traffic, but the parameters used by the related security mechanisms are mainly derived from the core network.
There are three conventional ways to construct a secure private network based on a mobile communication system:
the first is that industry users build independent base stations and core networks;
the second is that industry users build independent core networks by themselves, multiplexing base stations of the public network of operators;
and thirdly, multiplexing the base station and the core network of the public network of the operator by the industry user.
In either way, there are individual advantages and disadvantages to self-building private networks. The following is a specific analysis of the three traditional private network construction modes.
In the first mode, the user self-builds an independent base station and core network according to its own security and coverage requirements, and both the base station and the core network can be customized and improved. The enhanced security capability of a third party can be embedded in the base station and the core network through customization, so that high security is realized, while the network scale is limited and the cost is low. Specifically, the base station can block access by most users through customized frequency points, and at the same time an effect higher than the 3GPP security capability can be achieved through a customized air interface algorithm; the core network can realize autonomous management of user subscription information and security enhancement of access authentication through customization, achieving an effect higher than the security capability of 3GPP. The disadvantage is that the whole network is small in scale and weak in coverage, and cannot solve the wide area coverage problem. If coverage is to be increased, industry users must invest huge capital in the large-area construction of the bearer network and base stations.
In the second mode, the user builds an independent core network and multiplexes the public network base stations of the operators, realizing local or wide area coverage through a non-roaming architecture; at the implementation level this depends on the cooperation of domestic operators in configuring the access network. The advantages are that the core network can be customized, so that higher security is realized; the network scale depends on the base stations that are accessible, so domestic full coverage can be realized at most; and only the core network is built, so the cost is moderate. Specifically, the base stations are those of the home operator's public network, so the frequency points are standard and the security of the air interface is exactly equal to the security capability of 3GPP; the core network can realize autonomous management of user subscription information and security enhancement of access authentication through customization, achieving an effect higher than the security capability of 3GPP. The disadvantage, however, is that the cooperation of operators outside the country in configuring the access network cannot be obtained, so the network can at most cover the home country, and the international roaming problem cannot be solved.
In the third mode, the user multiplexes both the base stations and the core network of the operator's public network, and superimposes user plane security enhancement measures at the periphery according to security requirements. The advantages are that the degree of standardization is highest, global coverage can be realized by relying on the international roaming of operators, and the cost is low because public network resources are used directly. The disadvantage is lower security: because both the base station and the core network are those of the operator public network, the overall security is exactly equivalent to the security capability of 3GPP. Specifically, user subscription information is managed by the operator together with that of ordinary public users; only the security of the user plane can be enhanced, the security of the control plane is exactly equivalent to the security capability of 3GPP, and since access authentication adopts a foreign algorithm, AES, the risk of a back door exists; the user identity can easily be obtained by an attacker on the air interface and in the core network, so the user can easily be tracked and located, and the security requirements of key industries cannot be met.
In order to solve these problems, the invention provides a wide area mobile communication security private network construction method capable of supporting international roaming. It constructs a wide area mobile communication private network in the form of 'commercial mobile communication network + third-party security enhancement facility + self-built core network home domain', uses the non-roaming architecture and roaming architecture of the mobile communication system specified in the 3GPP standard to define the concept of a 'self-built core network home domain', and forms a control plane + user plane dual security enhancement 'capability root' by embedding the security enhancement capability of a third party in the self-built core network home domain. The security enhancement capability is thereby extended transparently to the core network visited domain, the access network, the base station and so on, so that it reaches the terminal directly while remaining completely transparent to foreign operators in particular. This ensures the sustainability, flexibility and expandability of the wide area mobile communication security private network, keeps up with information technology trends and the ICT convergence trend, and solves the problems that the traditional security private network cannot provide security and wide area coverage at the same time, while keeping construction, operation and maintenance investment small and deployment feasibility high, so that the method can be applied to a wide range of current and future applications.
Disclosure of Invention
In order to solve these problems, the invention provides a wide area mobile communication security private network construction method capable of supporting international roaming. It constructs a wide area mobile communication private network in the form of 'commercial mobile communication network + third-party security enhancement facility + self-built core network home domain', refers to the non-roaming architecture and roaming architecture of the mobile communication system specified in the 3GPP standard to define the concept of a 'self-built core network home domain', and forms a control plane + user plane dual security enhancement 'capability root' by embedding the security enhancement capability of a third party in the self-built core network home domain. The security enhancement capability is thereby extended transparently to the core network visited domain, the access network, the base station and so on, so that it reaches the terminal directly while remaining completely transparent to foreign operators in particular. This ensures the sustainability, flexibility and expandability of the wide area mobile communication security private network, keeps up with information technology trends, and solves the problems that the traditional security private network cannot provide security and wide area coverage at the same time, while keeping construction, operation and maintenance investment small, so that the method can meet the requirements of wide application in various fields and of new infrastructure industries in the future.
The technical scheme adopted by the invention is as follows:
a wide area mobile communication safety private network construction method capable of supporting international roaming includes:
the public network of the operators is divided into an access network and a core network, and the existing core networks of the operators at home and abroad are defined as core network visit domains of the security private network;
the method comprises the steps that a self-built core network is built by industry self-building or industry and operators in a combined mode, and the self-built core network is divided into a non-roaming scene and a roaming scene according to different places where mobile users access positions;
in the non-roaming scene, the mobile users are all local and are all accessed locally through the base station where the self-built core network is located, and the self-built core network is defined as a complete core network of a safety private network; in this scenario, no core network visit domain exists, and the self-built core network and the local access network where the self-built core network is located form a complete mobile communication security private network, namely a security private network with local properties;
under the roaming scene, the mobile user is not in the local area and is accessed through the base station existing in the operator, and the self-built core network is defined as the core network home domain of the safety private network; under the scene, the self-built core network, the core network of the public network of the operator and the access network form a complete mobile communication safety private network, namely a safety private network with wide area property.
Furthermore, no matter the non-roaming scene or the roaming scene, only a third party security function unit or a third party security function library is required to be deployed in the self-built core network, and the embedding of the third party security enhancement capability is realized through the customized core network element; the customized core network element calls a third-party security function through an external call mode and/or an internal call mode, the external call mode comprises calling the third-party security function unit deployed outside through a service interface, and the internal call mode comprises calling the third-party security function library integrated inside the customized core network element through a local interface.
Further, for the 4G network architecture, all functional units of an access network and all functional units of the core network visit domain are set as standard network elements, and public network infrastructure of operators is multiplexed; the core network home domain is set as the self-built core network, only slight customization is carried out on network elements HSS and PGW of the core network home domain, namely, a third party security function is called through an external calling mode and/or an internal calling mode, the customized HSS calls a control plane security enhancement function, and the customized PGW calls a user plane security enhancement function, so that the capability embedding of the control plane security and the user plane security enhancement function is realized; and customizing the user terminal at the user terminal to realize the embedding of the security enhanced USIM card and the security module.
Further, all the functional units of the access network comprise 2G base station GERAN, 3G base station UTRAN and 4G base station E-UTRAN, and all the functional units of the core network visit domain comprise 4G core network MME, 4G core network SGW and 3G core network element SGSN.
Furthermore, the network element HSS of the home domain of the core network invokes the control plane security enhancement function of the third party security function unit through a server Z1 interface, and the network element PGW invokes the user plane security enhancement function of the third party security function unit through a server Z2 interface.
Further, the security enhanced USIM card at the user side cooperates with a network element HSS of the home domain of the core network and the third party security function unit to realize autonomous management of user subscription information, autonomous generation and management of a root key, security enhancement of access authentication and tracking prevention and positioning prevention of user identity; the security module at the user side cooperates with the network element PGW of the core network home domain and the third party security function unit to realize the end-to-end encryption protection of the service data.
Further, for the 5G network architecture, all functional units of an access network and all functional units of the core network visit domain are set as standard network elements, and public network infrastructure of operators is multiplexed; the core network home domain is set as the self-built core network, only the network elements UDM and h-UPF of the core network home domain are slightly customized, namely, a third party security function is called through an external calling mode and/or an internal calling mode, a control plane security enhancement function is called through the customized UDM, a user plane security enhancement function is called through the customized h-PCF, and therefore the capability embedding of the control plane security and the user plane security enhancement function is achieved; and customizing the user terminal at the user side to realize the embedding of the security enhanced USIM card and the security module.
Further, all functional units of the access network comprise a 4G base station E-UTRAN, a 5G NSA base station NR-RAN and a 5G SA base station NR-RAN, all functional units of the core network visit domain comprise a 4G core network MME and SGW, a 5G core network element AMF and v-SMF and v-UPF and v-PCF, and network elements of the core network home domain comprise h-PCF, h-SMF, h-UPF, AUSF and UDM.
Furthermore, the network element UDM of the home domain of the core network invokes the control plane security enhancement function of the third party security function unit through a server Z1 interface, and the network element h-UPF invokes the user plane security enhancement function of the third party security function unit through a server Z2 interface. The user terminal uses the control plane security enhancement function provided by the security enhanced USIM card 501 through the 7816 protocol, and invokes the user plane security enhancement function of the security module 502 through the Z_ue interface.
Furthermore, the security enhanced USIM card at the user side is matched with a network element UDM of the home domain of the core network and the third party security function unit to realize the autonomous management of user subscription information, the autonomous generation and management of a root key, the security enhancement of access authentication and the tracking prevention and positioning prevention of the user identity; the security module at the user side cooperates with the network element h-UPF of the core network home domain and the third party security function unit to realize the end-to-end encryption protection of the service data.
The invention has the beneficial effects that:
the invention provides a wide area mobile communication security private network construction method capable of supporting international roaming, which creates a method for constructing a wide area security private network with control plane and user plane dual security enhancement capability on the basis of a mobile communication system. It allows the security enhancement capability of a third party to be embedded in the mobile communication system at lower cost, forming a brand new control plane and user plane dual security enhancement capability, and solves the problem that a traditional security private network built on an operator's public infrastructure can only provide user plane security enhancement and cannot meet the security requirements of vertical industries; it meets the high security requirements of industry, and the embedding of the third party security capability does not change the procedures and protocols of the 3GPP standard. The wide area coverage of the public infrastructure of mobile operators can be fully utilized, and the operators' public infrastructure interworks with the core network home domain only through the standard roaming mechanism and interfaces, so the problem that a private network constructed in the traditional way cannot provide security and wide area coverage at the same time is solved, and the industry's requirements for small investment cost, high acceptance by operators and good implementability are met.
The invention has strong universality and good compatibility, and is suitable for vertical industries with security requirements and flexible business application modes, such as manufacturing, education and transport; for key industries with higher security requirements, such as electric power, finance and healthcare; and for special industries with special security and confidentiality requirements, such as party and government organs and the military.
Drawings
Fig. 1 is a conceptual diagram of a secure private network for a non-roaming scenario in accordance with embodiment 1 of the present invention.
Fig. 2 is a conceptual diagram of a roaming scenario security private network according to embodiment 1 of the present invention.
Fig. 3 is a schematic diagram of a 4G-based wide area security private network according to embodiment 2 of the present invention.
Fig. 4 is a schematic diagram of a wide area security private network constructed based on 5G according to embodiment 3 of the present invention.
Reference numerals: 100-access network, 200-complete core network, 201-standard control plane network element, 202-dedicated control plane network element and security function, 210-core network visited domain, 220-core network home domain, 221-control plane security enhancement, 222-user plane security enhancement, 300-user application domain, 301-dedicated application, 400-wide area private network, 501-security enhancement USIM card, 502-security module, 600-security isolation, 700-MEC splitting, 800-edge local application, 900-mobile operator public network, NPN-non-public network, PLMN-public land mobile network, DN-data network.
Detailed Description
Specific embodiments of the present invention will now be described in order to provide a clearer understanding of the technical features, objects and effects of the present invention. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the invention, i.e., the embodiments described are merely some, but not all, of the embodiments of the invention. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to be within the scope of the present invention.
Example 1
Aiming at the problem that the traditional mobile communication safety private network construction method can not simultaneously meet two requirements of wide area coverage and safety capability enhancement, namely: the safety private network constructed based on the public network of the operator can have wide area coverage capability, but can only provide user plane safety enhancement, and has the problem that the safety risk of the control plane is not recognized by the vertical industry with safety requirements; the security private network constructed based on the self-built infrastructure can have the control plane and user plane security enhancement capability, but the core network element needs to be modified, so that the deployment and implementation in the public network of an operator are difficult, and the wide area coverage characteristic cannot be achieved.
The embodiment provides a wide area mobile communication security private network construction method capable of supporting international roaming, which divides an operator public network into an access network 100 and a core network, and defines the existing core networks of operators at home and abroad as a core network visit domain 210 of the security private network; the self-built core network is built by industry self-building or industry and operators jointly, and is divided into a non-roaming scene and a roaming scene according to different places where mobile users access positions, wherein:
as shown in fig. 1, in a non-roaming scenario, mobile users are all local and all access locally through a base station where a self-built core network is located, and the self-built core network is defined as a complete core network 200 of a secure private network; in this scenario, there is no core network visited domain 210, and the self-built core network and the local access network 100 where it is located form a complete mobile communication security private network, i.e. a security private network with local properties;
as shown in fig. 2, in the roaming scenario, the mobile subscriber is not local, and all access is performed through the base station existing in the operator, and the self-built core network is defined as the core network home domain 220 of the security private network; in this scenario, the self-built core network, the core network of the operator public network, and the access network 100 together form a complete mobile communication security private network, i.e. a security private network with wide area property.
Whether in the non-roaming scenario or the roaming scenario, only a third party security function unit or a third party security function library needs to be deployed in the self-built core network. The embedding of the third party security enhancement capability is realized through the customized core network element, forming a control plane and user plane dual security enhancement capability root; the security enhancement capability is extended transparently to the core network visited domain 210, the access network 100, the base station and so on, and finally reaches the user terminal, so that the security enhancement capability covers the whole wide area down to its end points. In particular, in the roaming scenario the security enhancement in the home domain is completely transparent to visited-domain operators, foreign operators in particular. Preferably, the customized core network element invokes the third party security function in an external invocation mode and/or an internal invocation mode: the external invocation mode invokes a third party security function unit deployed outside through a service interface, and the internal invocation mode invokes a third party security function library integrated inside the customized core network element through a local interface.
The construction method of the wide area mobile communication security private network of this embodiment keeps the existing architecture of the mobile operators' public infrastructure, establishes the core network home domain 220 either by the industry independently or jointly with the operator, and forms core network elements with security enhancement capability by slightly customizing individual core network elements, opening some interfaces and embedding the security enhancement capability of a third party. These elements replace the existing standard core network elements in situ and, together with the other standard network elements of the core network home domain, form the core network home domain 220 with security enhancement capability, which serves as the 'capability root' of the dual security enhancement of the control plane and the user plane. The security enhancement capability of this root is then extended to the core network visited domain 210 and the access network 100 through the roaming mechanism and interfaces of standard 3GPP, finally forming a wide area mobile communication security private network. The method solves the problem that a security private network traditionally built on the operator's public network has insufficient control plane security and is not accepted by vertical industries with security requirements; it solves the problem that a security private network traditionally built on self-built infrastructure requires huge investment and cannot provide wide area coverage; and it keeps the visited domain and access network 100 of operators, foreign operators in particular, unaware of the enhancement, so that global coverage can be realized in the extreme case.
Example 2
This example is based on example 1:
the embodiment takes 4G as an example to provide a wide area mobile communication security private network construction method capable of supporting international roaming. As shown in fig. 3, the functional units of the wide area security private network constructed based on 4G include a terminal, a 2G base station GERAN, a 3G base station UTRAN, a 4G base station E-UTRAN of the access network 100, a 4G core network MME, SGW and 3G core network element SGSN of the core network visited domain 210, a network element PCRF, HSS, PGW of the core network home domain 220, and a data network.
All functional units of the access network 100 and all functional units of the core network visited domain 210 are set as standard network elements and directly multiplex the public network infrastructure of the operator, without any modification or customization. The core network home domain 220 is set as a self-built core network, and only slight customization is performed on the network elements HSS and PGW of the core network home domain 220: the third party security function is invoked in an external invocation mode and/or an internal invocation mode, the customized HSS invokes the control plane security enhancement function, and the customized PGW invokes the user plane security enhancement function, thereby implementing capability embedding of the control plane security and user plane security enhancement functions. Customizing the user terminal on the user side realizes the embedding of the security enhanced USIM card 501 and the security module 502. Preferably, the network element HSS of the core network home domain 220 invokes the control plane security enhancement function of the third party security function unit through the server Z1 interface, the network element PGW invokes the user plane security enhancement function of the third party security function unit through the server Z2 interface, and the user terminal uses the control plane security enhancement function provided by the security enhanced USIM card 501 through the 7816 protocol and invokes the user plane security enhancement function of the security module 502 through the Z_ue interface.
Under the standard condition, the access authentication is completed by the common USIM card and the network side HSS, but in the embodiment, the security enhanced USIM card 501 at the user side cooperates with the network element HSS of the core network home domain 220 and the third party security function unit to realize self-management of user subscription information, autonomous generation and management of a root key, security enhancement of access authentication and tracking prevention and positioning prevention of user identity. Preferably, in the case of the control plane security enhancement 221, the user side directly customizes the USIM card to form the security enhanced USIM card 501, wherein the root key, the third party authentication algorithm and the user identity anti-tracking and anti-positioning function are all directly added to the security enhanced USIM card 501. In order to reduce the algorithm coupling, the network side is to implement the root key, the third party authentication algorithm and the user identity tracking and positioning preventing function in the third party security function, while the HSS is only an open interface, and the security enhancing capability is realized by calling the third party security function, and the network side is to actually customize the HSS and the third party security enhancing function to replace the standard HSS together.
In addition, the security module 502 at the user side cooperates with the network element PGW of the core network home domain 220 and the third party security function unit to realize end-to-end encryption protection of the service data. Preferably, in the presence of the user plane security enhancement 222, the user side deploys the security module 502 directly, providing the traffic encryption functionality. In order to reduce the algorithm coupling, the network side is to implement the service encryption function in the third party security function, and the PGW is only an open interface, and the security enhancement capability is implemented by calling the third party security function, so that the network side actually customizes the pgw+the third party security enhancement function to replace the standard PGW together.
Example 3
This example is based on example 1:
This embodiment takes 5G as an example to provide a method for constructing a wide area mobile communication security private network capable of supporting international roaming. As shown in fig. 4, the functional units of the wide area security private network constructed on 5G comprise: a terminal; the 4G base station (E-UTRAN), 5G NSA base station (NR-RAN) and 5G SA base station (NR-RAN) of the access network 100; the 4G core network elements MME and SGW and the 5G core network elements AMF, v-SMF, v-UPF and v-PCF of the core network visited domain 210; the network elements h-PCF, h-SMF, h-UPF, AUSF and UDM of the core network home domain 220; and a data network. It should be noted that, for compatibility with 4G access, the network element UDM of the core network home domain 220 is combined with the 4G HSS, the h-PCF with the 4G PCRF, the h-SMF with the 4G PGW-C (control plane part) and the h-UPF with the 4G PGW-U (user plane part).
All functional units of the access network 100 and all functional units of the core network visited domain 210 are standard network elements that directly reuse the operator's public network infrastructure, with no modification or customization at all. The core network home domain 220 is a self-built core network in which only the network elements UDM and h-UPF are slightly customized: they call the third party security function through an external call mode and/or an internal call mode, the customized UDM calling the control plane security enhancement function and the customized h-UPF calling the user plane security enhancement function, so that the control plane and user plane security enhancement capabilities are embedded. On the user side, the user terminal is customized so as to embed the security enhanced USIM card 501 and the security module 502. Preferably, the network element UDM of the core network home domain 220 calls the control plane security enhancement function of the third party security function unit through the server-side Z1 interface, the network element h-UPF calls the user plane security enhancement function of the third party security function unit through the server-side Z2 interface, and the user terminal uses the control plane security enhancement function provided by the security enhanced USIM card 501 through the ISO/IEC 7816 protocol and calls the user plane security enhancement function of the security module 502 through the Z_ue interface.
In the standard case, access authentication is completed between an ordinary USIM card and the network-side UDM. In this embodiment, instead, the security enhanced USIM card 501 on the user side cooperates with the network element UDM of the core network home domain 220 and the third party security function unit to achieve autonomous management of user subscription information, autonomous generation and management of the root key, security enhancement of access authentication, and anti-tracking and anti-positioning of the user identity. For the control plane security enhancement 221, the user side customizes the USIM card directly to form the security enhanced USIM card 501, into which the root key, the third party authentication algorithm and the user identity anti-tracking and anti-positioning function are all added directly. To reduce algorithm coupling on the network side, the root key, the third party authentication algorithm and the user identity anti-tracking and anti-positioning function are implemented in the third party security function, while the UDM is only an open interface that obtains the security enhancement capability by calling the third party security function; in effect, the customized UDM together with the third party security enhancement function replaces the standard UDM on the network side.
In addition, the security module 502 on the user side cooperates with the network element h-UPF of the core network home domain 220 and the third party security function unit to achieve end-to-end encryption protection of the service data. For the user plane security enhancement 222, the user side deploys the security module 502 directly to provide the service encryption function. To reduce algorithm coupling on the network side, the service encryption function is implemented in the third party security function, while the h-UPF is only an open interface that obtains the security enhancement capability by calling the third party security function; in effect, the customized h-UPF together with the third party security enhancement function replaces the standard UPF on the network side.
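The delegation pattern shared by embodiments 2 and 3, as an added Python example that is not part of the patent and not the applicant's code. It models a customized HSS that is only an open interface to a third party security function reached over the Z1 service interface (external call mode), the same function library used directly by the home-side user-plane element (internal call mode), a security enhanced USIM holding the root key and the third party authentication algorithm, and an unmodified visited-domain MME that receives only an authentication vector. Names follow the 4G embodiment; UDM, AMF and h-UPF take the same roles in 5G. The HMAC-SHA256 derivations, the JSON request format on Z1, the binding of AUTN to the serving-network identity, the counter-mode traffic cipher, the IMSI value and the serving-network name are all assumptions of this example, not algorithms or formats the patent specifies.

```python
"""Added illustration of embodiments 2 and 3 (not the patent's own code).
Names follow the 4G case; UDM/AMF/h-UPF take the same roles in 5G.
All algorithms and message formats are assumptions for a stdlib-only demo."""
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict

def kdf(key: bytes, *labels: bytes) -> bytes:
    """Derivation/MAC primitive standing in for the third-party algorithm (assumed)."""
    return hmac.new(key, b"|".join(labels), hashlib.sha256).digest()

def keystream(key: bytes, seq: bytes, n: int) -> bytes:
    return b"".join(kdf(key, b"KS", seq, i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC user-plane packet seq(8)|ciphertext|tag(16); illustrative cipher only."""
    seq_b = seq.to_bytes(8, "big")
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(key, seq_b, len(plaintext))))
    return seq_b + ct + kdf(key, b"TAG", seq_b, ct)[:16]

def unseal(key: bytes, packet: bytes) -> bytes:
    seq_b, ct, tag = packet[:8], packet[8:-16], packet[-16:]
    if not hmac.compare_digest(kdf(key, b"TAG", seq_b, ct)[:16], tag):
        raise ValueError("user-plane integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, keystream(key, seq_b, len(ct))))

class ThirdPartySecurityLibrary:
    """Third-party security function (internal call mode via local interface).
    Root keys are generated and held here only; HSS, PGW and the visited domain never see them."""
    def __init__(self) -> None:
        self._root_keys: Dict[str, bytes] = {}
        self._up_keys: Dict[str, bytes] = {}
    def provision(self, imsi: str) -> bytes:
        self._root_keys[imsi] = secrets.token_bytes(32)
        return self._root_keys[imsi]  # personalised once into the USIM
    def auth_vector(self, imsi: str, sn_id: str) -> dict:
        k, rand, sn = self._root_keys[imsi], secrets.token_bytes(16), sn_id.encode()
        self._up_keys[imsi] = kdf(k, b"UP", rand)  # user-plane key stays home-side
        return {"rand": rand.hex(), "autn": kdf(k, b"AUTN", rand, sn)[:8].hex(),
                "xres": kdf(k, b"RES", rand)[:8].hex(), "k_asme": kdf(k, b"ASME", rand, sn).hex()}
    def up_unseal(self, imsi: str, packet: bytes) -> bytes:
        return unseal(self._up_keys[imsi], packet)

def z1_service(lib: ThirdPartySecurityLibrary) -> Callable[[bytes], bytes]:
    """External call mode: the same library behind a service interface (JSON format assumed)."""
    def handle(request: bytes) -> bytes:
        req = json.loads(request)
        return json.dumps(lib.auth_vector(req["imsi"], req["sn_id"])).encode()
    return handle

class CustomizedHSS:
    """Open interface only: forwards the visited MME's request to the Z1 service."""
    def __init__(self, z1_send: Callable[[bytes], bytes]) -> None:
        self._z1_send = z1_send
    def auth_vector(self, imsi: str, sn_id: str) -> dict:
        return json.loads(self._z1_send(json.dumps({"imsi": imsi, "sn_id": sn_id}).encode()))

class SecurityEnhancedUSIM:
    """Terminal side: holds the root key and runs the same third-party algorithm."""
    def __init__(self, imsi: str, k: bytes) -> None:
        self.imsi, self._k, self.up_key = imsi, k, b""
    def respond(self, rand: bytes, autn: bytes, sn_id: str) -> bytes:
        if not hmac.compare_digest(kdf(self._k, b"AUTN", rand, sn_id.encode())[:8], autn):
            raise PermissionError("network authentication failed")  # wrong or replayed serving network
        self.up_key = kdf(self._k, b"UP", rand)  # handed to security module 502
        return kdf(self._k, b"RES", rand)[:8]

class StandardMME:
    """Unmodified visited-domain element: relays RAND/AUTN, checks RES, keeps only K_ASME."""
    def __init__(self, sn_id: str, hss: CustomizedHSS) -> None:
        self.sn_id, self._hss = sn_id, hss
    def attach(self, usim: SecurityEnhancedUSIM) -> bytes:
        av = self._hss.auth_vector(usim.imsi, self.sn_id)
        res = usim.respond(bytes.fromhex(av["rand"]), bytes.fromhex(av["autn"]), self.sn_id)
        if not hmac.compare_digest(res, bytes.fromhex(av["xres"])):
            raise PermissionError("RES mismatch")
        return bytes.fromhex(av["k_asme"])

def roaming_session(sn_id: str = "foreign-plmn") -> dict:
    """Constructed walkthrough: attach through a foreign MME, then push one protected
    user-plane packet along the visited SGW path to the home-side user-plane function."""
    lib = ThirdPartySecurityLibrary()
    usim = SecurityEnhancedUSIM("460990000000001", lib.provision("460990000000001"))  # constructed IMSI
    k_asme = StandardMME(sn_id, CustomizedHSS(z1_service(lib))).attach(usim)
    packet = seal(usim.up_key, 1, b"industry traffic")  # produced by security module 502
    try:
        lib.up_unseal(usim.imsi, packet[:-1] + bytes([packet[-1] ^ 1]))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"k_asme_len": len(k_asme), "on_wire": packet[8:-16],
            "plain": lib.up_unseal(usim.imsi, packet), "tamper_rejected": tamper_rejected}
```

The point to take from running roaming_session() is what the standard elements never see: the MME obtains K_ASME and a RES/XRES comparison but no root key, and the SGW/PGW path carries only the ciphertext between the security module 502 and the home-side user-plane function. The check in SecurityEnhancedUSIM.respond rejects a vector issued for one serving network when presented by another, and up_unseal rejects a modified packet; both are the kind of enhancement the embodiments place in the USIM and the third party security function rather than in the operator's network elements.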
As can be seen from the above embodiments, building the wide area mobile private network as "commercial mobile communication network + third party security enhancement facility + self-built core network home domain 220" addresses three problems: a secure private network built conventionally on an operator's public network has insufficient control plane security and is not accepted by vertical industries with security requirements; a secure private network built conventionally on self-built infrastructure requires huge investment and cannot provide wide area coverage; and the private network is made insensitive to the operator's access network 100, in particular a foreign operator's, so that global coverage can be achieved even in extreme cases.
The foregoing is merely a preferred embodiment of the invention. It is to be understood that the invention is not limited to the form disclosed herein and is not to be construed as excluding other embodiments; it is capable of use in various other combinations, modifications and environments, and of modification within the scope of the inventive concept, as described above or as otherwise known in the art. Modifications and variations that do not depart from the spirit and scope of the invention are intended to fall within the scope of the appended claims.

Claims (9)

1. A wide area mobile communication security private network construction method capable of supporting international roaming, comprising:
the operator's public network is divided into an access network and a core network, and the existing core networks of operators at home and abroad are defined as core network visited domains of the security private network;
a self-built core network is built by the industry itself or jointly by the industry and an operator, and is divided into a non-roaming scenario and a roaming scenario according to where the mobile user accesses;
in the non-roaming scenario, all mobile users are local and access locally through the base stations at the location of the self-built core network, and the self-built core network is defined as the complete core network of the security private network; in this scenario no core network visited domain exists, and the self-built core network together with the local access network where it is located forms a complete mobile communication security private network, namely a security private network of local nature;
in the roaming scenario, the mobile user is not local and accesses through an operator's existing base stations, and the self-built core network is defined as the core network home domain of the security private network; in this scenario, the self-built core network together with the operator's public core network and access network forms a complete mobile communication security private network, namely a security private network of wide area nature;
in both the non-roaming scenario and the roaming scenario, only a third party security function unit or a third party security function library needs to be deployed in the self-built core network, and the third party security enhancement capability is embedded through customized core network elements; a customized core network element calls the third party security function through an external call mode and/or an internal call mode, the external call mode comprising calling the externally deployed third party security function unit through a service interface, and the internal call mode comprising calling the third party security function library integrated inside the customized core network element through a local interface.
2. The method for constructing a secure private network for wide area mobile communication supporting international roaming according to claim 1, wherein all functional units of an access network and all functional units of a visited domain of the core network are set as standard network elements for a 4G network architecture, and an operator public network infrastructure is multiplexed; the core network home domain is set as the self-built core network, and only slight customization is carried out on network elements HSS and PGW of the core network home domain, namely, a third party security function is called through an external calling mode and/or an internal calling mode, the customized HSS calls a control plane security enhancement function, and the customized PGW calls a user plane security enhancement function, so that the capability embedding of the control plane security and the user plane security enhancement function is realized; and customizing the user terminal at the user terminal to realize the embedding of the security enhanced USIM card and the security module.
3. The method according to claim 2, wherein the functional units of the access network comprise the 2G GERAN, 3G UTRAN and 4G E-UTRAN, and the functional units of the core network visited domain comprise the MME, SGW and SGSN.
4. The method according to claim 2, wherein the network element HSS of the home domain of the core network invokes the control plane security enhancement function of the third party security function unit through a server Z1 interface, and the network element PGW invokes the user plane security enhancement function of the third party security function unit through a server Z2 interface.
5. The method for constructing a wide area mobile communication security private network capable of supporting international roaming according to any one of claims 2 to 4, wherein the security enhanced USIM card on the user side cooperates with the network element HSS of the core network home domain and the third party security function unit to achieve autonomous management of the user's subscription information, autonomous generation and management of the root key, security enhancement of access authentication, and anti-tracking and anti-positioning of the user identity; and the security module on the user side cooperates with the network element PGW of the core network home domain and the third party security function unit to achieve end-to-end encryption protection of the service data.
6. The method for constructing a wide area mobile communication security private network capable of supporting international roaming according to claim 1, wherein, for a 5G network architecture, all functional units of the access network and all functional units of the core network visited domain are set as standard network elements that reuse the operator's public network infrastructure; the core network home domain is set as the self-built core network, and only the network elements UDM and h-UPF of the core network home domain are slightly customized, namely they call a third party security function through an external call mode and/or an internal call mode, the customized UDM calling a control plane security enhancement function and the customized h-UPF calling a user plane security enhancement function, so that the control plane and user plane security enhancement capabilities are embedded; and the user terminal is customized on the user side to embed the security enhanced USIM card and the security module.
7. The method according to claim 6, wherein all functional units of the access network include 4G base station E-UTRAN, 5G NSA base station NR-RAN, 5G SA base station NR-RAN, all functional units of the core network visited domain include 4G core network MME and SGW, 5G core network elements AMF and v-SMF and v-UPF and v-PCF, and network elements of the core network home domain include h-PCF, h-SMF, h-UPF, AUSF and UDM.
8. The method according to claim 6, wherein the network element UDM of the home domain of the core network invokes the control plane security enhancement function of the third party security function unit through a server Z1 interface, and the network element h-UPF invokes the user plane security enhancement function of the third party security function unit through a server Z2 interface.
9. The method for constructing a secure private network for wide area mobile communication capable of supporting international roaming according to any one of claims 6 to 8, wherein the security enhanced USIM card at the user side cooperates with a network element UDM of the home domain of the core network and the third party security function unit to achieve autonomous management of subscription information of the user, autonomous generation and management of a root key, security enhancement of access authentication, and tracking prevention and positioning prevention of user identity; the security module at the user side cooperates with the network element h-UPF of the core network home domain and the third party security function unit to realize the end-to-end encryption protection of the service data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111066310.XA CN113873522B (en) 2021-09-13 2021-09-13 Wide area mobile communication safety private network construction method capable of supporting international roaming

Publications (2)

Publication Number Publication Date
CN113873522A CN113873522A (en) 2021-12-31
CN113873522B true CN113873522B (en) 2023-07-21

Family

ID=78995360

Country Status (1)

Country Link
CN (1) CN113873522B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115776657B (en) * 2022-11-14 2024-04-30 中国联合网络通信集团有限公司 Management system suitable for 5G public and private network cross-domain roaming
CN116017404A (en) * 2022-12-30 2023-04-25 中国联合网络通信集团有限公司 Network element driving method and device for private park network, electronic equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905565A (en) * 2014-04-21 2014-07-02 国家电网公司 Wireless broadband electric power private network
US9113332B2 (en) * 2009-03-31 2015-08-18 France Telecom Method and device for managing authentication of a user
CN109743726A (en) * 2018-12-05 2019-05-10 江苏鑫软图无线技术股份有限公司 The method of static terminal is shared under a kind of LTE system roaming scence
CN104618895B (en) * 2014-12-29 2019-07-05 京信通信系统(中国)有限公司 Safe communication system based on micro-base station
CN111131258A (en) * 2019-12-26 2020-05-08 中移(成都)信息通信科技有限公司 Safe private network architecture system based on 5G network slice
CN111405557A (en) * 2020-03-19 2020-07-10 中国电子科技集团公司第三十研究所 Method and system for enabling 5G network to flexibly support multiple main authentication algorithms
WO2020194210A1 (en) * 2019-03-25 2020-10-01 Telefonaktiebolaget Lm Ericsson (Publ) Resource allocation in mu-mimo ofdma wireless systems based on data rate of users set
CN112738791A (en) * 2020-12-28 2021-04-30 恒安嘉新(北京)科技股份公司 User information correlation backfill method, device, equipment and medium based on 5G core network

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Zhao Wen, Luo Min, Tian Yongchun, Kang Lingzhou. Research on 5G security technology. Communications Technology (通信技术), No. 08, full text. *
Zhao Wen, Tian Yongchun, Zeng Haoyang. Analysis of the 5G security architecture. Telecommunication Engineering (电讯技术), No. 08, full text. *
Zhang Chuanfu. 5G network security technology and development. Intelligent Building (智能建筑), full text. *
Ran Liu et al. Application of 5G network slicing technology in smart grid. 《Self-built core network》, full text. *
3GPP TSG CN WG1, NP-010487, "CN1#19 Meeting Report". 3GPP TSG_CN, 2001, TSGN_13, full text. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant