CN114339753A - Communication data processing method, system, electronic device and readable storage medium - Google Patents


Info

Publication number: CN114339753A
Authority: CN (China)
Prior art keywords: terminal; core network; target core; wifi; hotspot
Legal status: Pending
Application number: CN202111664360.8A
Other languages: Chinese (zh)
Inventors: 邵震, 王姣姣, 沈骁, 钮颖彬
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The present disclosure provides a communication data processing method, system, electronic device, and computer-readable storage medium. The hotspot of the first terminal is a near-domain service trusted hotspot, and the communication data processing method performed by the first terminal after the near-domain service trusted hotspot has been opened comprises the following steps: responding to a connection request of a second terminal for the near-domain service trusted hotspot of the first terminal, and establishing a first wifi wireless connection between the first terminal and the second terminal; the first terminal acquires a first identifier of the second terminal through the first wifi wireless connection; the first terminal forwards the first identifier to a target core network through a user plane channel so that the target core network can carry out subscription authentication on the second terminal; and after the second terminal passes the subscription authentication, the first terminal and the target core network establish a first IPSec tunnel so that the second terminal can interact with the target core network through the first wifi wireless connection and the first IPSec tunnel.

Description

Communication data processing method, system, electronic device and readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method and a system for processing communication data, an electronic device, and a computer-readable storage medium.
Background
3GPP defines a Proximity Services (ProSe) scheme that provides communication services between terminals over short distances. Under the control of the mobile core network, Device-to-Device (D2D) communication between terminals may be performed, and terminal-to-network (UE-to-Network) communication may also be performed. In a UE-to-Network Relay scenario, if terminal A is in an area without mobile network signal, terminal B is in an area with mobile network signal, and the distance between A and B is short, A can communicate with the network by relaying through B.
In the current ProSe scheme, all terminals first need to complete a service authorization procedure under mobile network coverage; only after this provisioning is complete can subsequent data communication services between terminals take place. That is, in a UE-to-Network Relay scenario, the remote device (Remote UE) needs to hold valid ProSe service authorization information in advance in order to communicate with the mobile network through the relay terminal (Relay UE). If the Remote UE is powered on, or its cell is updated, in an environment without mobile network signal, the ProSe service authorization procedure cannot be completed, and the UE-to-Network Relay scenario cannot be used.
Disclosure of Invention
The present disclosure is directed to a communication data processing method, system, electronic device and computer-readable storage medium that provide a secure and trusted relay channel for a second terminal (the second terminal may be outside mobile network signal coverage during registration, that is, it may not have obtained authorization for the near-domain service in advance when it needs to use that service), so that the second terminal can access the mobile core network and complete its ProSe service authorization.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
The embodiment of the present disclosure provides a communication data processing method, where the hotspot of a first terminal is a near-domain service trusted hotspot and the near-domain service trusted hotspot of the first terminal has been opened, the communication data processing method including: responding to a connection request of a second terminal for the near-domain service trusted hotspot of the first terminal, and establishing a first wifi wireless connection between the first terminal and the second terminal; the first terminal acquires a first identifier of the second terminal through the first wifi wireless connection; the first terminal forwards the first identifier to a target core network through a user plane channel so that the target core network can carry out subscription authentication on the second terminal; and after the second terminal passes the subscription authentication, the first terminal and the target core network establish a first IPSec tunnel so that the second terminal can interact with the target core network through the first wifi wireless connection and the first IPSec tunnel.
In some embodiments, prior to responding to a connection request by a second terminal for a near-domain service trusted hotspot of the first terminal, the method comprises: the first terminal sends an authorization request aiming at the near domain service to the target core network through a user plane channel; the first terminal receives an authorization confirmation message returned by the target core network for the authorization request; and the first terminal configures the wifi hotspot of the first terminal as the near-domain service trusted hotspot according to the authorization confirmation message, and opens the near-domain service trusted hotspot of the first terminal.
In some embodiments, the first identifier is the MAC address of the second terminal, and the forwarding by the first terminal of the first identifier to the target core network through the user plane channel, so that the target core network performs subscription authentication on the second terminal, includes: the first terminal acquires the MAC address of the second terminal through the first wifi wireless connection; and the first terminal forwards the MAC address of the second terminal to the target core network through the user plane channel, so that the target core network determines from that MAC address that the second terminal has subscribed to the near-domain service, whereby the second terminal passes the subscription authentication.
In some embodiments, the performing, by the second terminal, information interaction with the target core network through the first wifi wireless connection and the first IPSec tunnel includes: the first terminal informs the second terminal to initiate trusted wifi authentication through the first wifi wireless connection; the first terminal receives a first authorization authentication request sent by the second terminal through the first wifi wireless connection; the first terminal forwards the first authorization authentication request to the target core network through the first IPSec tunnel, so that the target core network can perform trusted wifi access authentication on the second terminal, and the second terminal can perform information interaction with the target core network through the first wifi wireless connection and the first IPSec tunnel after the trusted authentication is passed.
In some embodiments, the method further comprises: if the second terminal fails the subscription authentication, the first terminal disconnects the first wifi wireless connection, places the second terminal on a blacklist, and prevents the second terminal from connecting to the near-domain service trusted hotspot of the first terminal again.
In some embodiments, the target core network comprises a trusted wifi convergence gateway, and the establishing of the first IPSec tunnel between the first terminal and the target core network after the second terminal passes the subscription authentication includes: after the second terminal passes the subscription authentication, the first terminal acquires the IP address of the trusted wifi convergence gateway, and establishes the first IPSec tunnel with the trusted wifi convergence gateway based on that IP address.
In some embodiments, the hotspot of the second terminal is a near-domain service trusted hotspot, and the near-domain service trusted hotspot of the second terminal has been opened, the method further comprising: responding to a connection request of a third terminal for a near-domain service trusted hotspot of the second terminal, and establishing a second wifi wireless connection between the second terminal and the third terminal; the second terminal acquires a second identifier of the third terminal through the second wifi wireless connection; the second terminal forwards the second identifier to the target core network through the first wifi wireless connection and the first IPSec tunnel, so that the target core network performs subscription authentication on the third terminal; and after the third terminal passes the subscription authentication, the second terminal and the target core network establish a second IPSec tunnel so that the third terminal can perform information interaction with the target core network through the second wifi wireless connection and the second IPSec tunnel.
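To make the relay flow of the embodiments above concrete, the following Python simulation is added as an illustration; it is not code from the patent or from China Telecom. It models a toy target core network holding a subscription table and a trusted-wifi gateway address, and terminals that act as relays: a connection request produces a wifi link, the peer's MAC address is forwarded to the core over the relay's own uplink, a peer that passes gets an IPSec tunnel and a path to the core (which is what lets it open its own trusted hotspot in the multi-hop case), and a peer that fails is disconnected and blacklisted so that repeat attempts are refused. The class names, the reuse of one tunnel per relay terminal for later peers, and all MAC and IP values are assumptions and constructed samples.

```python
"""Toy model of the near-domain-service trusted-hotspot relay flow.
Constructed illustration; not the patent's or China Telecom's code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class CoreNetwork:
    """Target core network: a subscription table keyed by MAC address and the
    address of the trusted wifi convergence gateway. All values are constructed."""
    subscribed_macs: Set[str]
    gateway_ip: str = "192.0.2.10"          # documentation-range placeholder
    tunnels: Dict[str, tuple] = field(default_factory=dict)

    def subscription_auth(self, identifier: str) -> bool:
        # Decide from the forwarded identifier whether the peer has subscribed.
        return identifier.lower() in self.subscribed_macs

    def establish_ipsec(self, relay_name: str, via: str) -> str:
        # Record which relay owns the tunnel and the path it was built over,
        # so the multi-hop case is visible in the result.
        tunnel_id = f"ipsec{len(self.tunnels) + 1}"
        self.tunnels[tunnel_id] = (relay_name, via, self.gateway_ip)
        return tunnel_id


@dataclass
class Terminal:
    name: str
    mac: str
    uplink: Optional[str] = None   # how the terminal reaches the core; None = no path yet
    hotspot_open: bool = False
    tunnel: Optional[str] = None
    blacklist: Set[str] = field(default_factory=set)
    connected: Dict[str, "Terminal"] = field(default_factory=dict)

    def open_trusted_hotspot(self, core: CoreNetwork) -> bool:
        # The authorization request/confirmation travels over the existing uplink;
        # the toy core always confirms, so the only failure is having no uplink.
        if self.uplink is None:
            return False
        self.hotspot_open = True
        return True

    def handle_connection_request(self, peer: "Terminal", core: CoreNetwork) -> str:
        if not self.hotspot_open:
            return "refused: hotspot not open"
        if peer.mac.lower() in self.blacklist:
            return "refused: blacklisted"
        self.connected[peer.name] = peer            # wifi connection established
        identifier = peer.mac                       # learned over that connection
        if not core.subscription_auth(identifier):  # forwarded over this terminal's uplink
            del self.connected[peer.name]           # disconnect ...
            self.blacklist.add(identifier.lower())  # ... and refuse future attempts
            return "refused: subscription authentication failed"
        if self.tunnel is None:                     # assumption: one tunnel per relay, reused
            self.tunnel = core.establish_ipsec(self.name, self.uplink)
        # The peer now reaches the core over the wifi link plus this tunnel, which
        # is what allows it to serve as the next relay hop.
        peer.uplink = f"wifi({peer.name}->{self.name})+{self.tunnel}"
        return "accepted"


if __name__ == "__main__":
    core = CoreNetwork(subscribed_macs={"02:00:00:00:00:b2", "02:00:00:00:00:c3"})
    a = Terminal("A", "02:00:00:00:00:a1", uplink="user-plane")   # under cellular coverage
    b, c = Terminal("B", "02:00:00:00:00:B2"), Terminal("C", "02:00:00:00:00:c3")
    a.open_trusted_hotspot(core)
    print(a.handle_connection_request(b, core), b.uplink)
    b.open_trusted_hotspot(core)
    print(b.handle_connection_request(c, core), core.tunnels)
```

The MAC-address check only answers whether the core holds a subscription record for that identifier; the embodiments rely on the later trusted-wifi authentication carried through the tunnel for authenticating the second terminal itself, and the blacklist here is kept per relay terminal, as in the text.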
An embodiment of the present disclosure provides a communication data processing system, including: the first terminal is used for sending an authorization request aiming at the near domain service to a target core network; receiving an authorization confirmation message returned by the target core network aiming at the authorization request; configuring the wifi hotspot of the first terminal into a near-domain service trusted hotspot according to the authorization confirmation message, and opening the near-domain service trusted hotspot of the first terminal; responding to a connection request of a second terminal aiming at a near-domain service trusted hotspot of the first terminal, and establishing a first wifi wireless connection with the second terminal; acquiring a first identifier of the second terminal through the first wifi wireless connection; forwarding the first identifier to a target core network through a user plane channel so that the target core network can perform subscription authentication on the second terminal; after the subscription authentication is passed, the first terminal and the target core network establish a first IPSec tunnel, so that the second terminal and the target core network perform information interaction through the first wifi wireless connection and the first IPSec tunnel.
An embodiment of the present disclosure provides an electronic device, including: one or more processors; a storage device, configured to store one or more programs, which when executed by the one or more processors, cause the one or more processors to implement any of the communication data processing methods described above.
The disclosed embodiments provide a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements a communication data processing method as described in any one of the above.
Embodiments of the present disclosure provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device executes the communication data processing method.
The communication data processing method, system, electronic device, and computer-readable storage medium provided by the embodiments of the present disclosure provide a secure and trusted relay channel for a second terminal (the second terminal may not have obtained authorization information before using the near-domain service), so that the second terminal can access the mobile core network and complete its ProSe service authorization.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 is a diagram of a ProSe networking reference architecture (taking 4G networking as an example) shown according to the related art.
Fig. 2 is a diagram showing a protocol stack of a PC3 interface control plane according to the related art.
Fig. 3 is a diagram showing a relay communication architecture of a terminal to a network (taking 4G networking as an example) according to the related art.
Fig. 4 is a user plane protocol stack diagram illustrating a relay communication of a terminal to a network according to the related art.
Fig. 5 is a flowchart illustrating a UE requesting service authorization according to the related art.
Fig. 6 is a diagram of a trusted wifi access networking reference architecture (taking 4G networking as an example) shown according to the related art.
Fig. 7 is a basic flowchart of trusted wifi access shown according to the related art (taking 4G networking as an example).
Fig. 8 is a flow chart illustrating a method of communication data processing according to an example embodiment.
Fig. 9 is a diagram illustrating a communication data processing architecture in accordance with an exemplary embodiment.
Fig. 10 is a flow chart illustrating a method of communication data processing according to an example embodiment.
Fig. 11 is an overall business process diagram according to an exemplary embodiment.
Fig. 12 is a flow chart illustrating a method of communication data processing according to an example embodiment.
Fig. 13 is a diagram illustrating a communication data processing architecture in accordance with an exemplary embodiment.
Fig. 14 is a schematic structural diagram of an electronic device suitable for implementing embodiments of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
The described features, structures, or characteristics of the disclosure may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, systems, steps, and the like. In other instances, well-known methods, systems, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
The drawings are merely schematic illustrations of the present disclosure, in which the same reference numerals denote the same or similar parts, and thus, a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and steps, nor do they necessarily have to be performed in the order described. For example, some steps may be decomposed, and some steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
In this specification, the terms "a", "an", "the", "said" and "at least one" are used to indicate the presence of one or more elements/components/etc.; the terms "comprising," "including," and "having" are intended to be inclusive and mean that there may be additional elements/components/etc. other than the listed elements/components/etc.; the terms "first," "second," and "third," etc. are used merely as labels, and are not limiting on the number of their objects.
In order that the above objects, features and advantages of the present invention can be more clearly understood, the present invention will be described in further detail below with reference to the accompanying drawings and specific embodiments, it being understood that the embodiments and features of the embodiments of the present application can be combined with each other without conflict.
The related art will be explained below with reference to fig. 1 to 7.
Fig. 1 is a diagram of a ProSe networking reference architecture (taking 4G networking as an example) shown according to the related art.
The Chinese-English correspondence of the terms used in Fig. 1 is as follows:
3GPP: 3rd Generation Partnership Project;
ProSe application: near-domain service application;
E-UTRAN: Evolved UMTS Terrestrial Radio Access Network;
MME: Mobility Management Entity;
SGW: Serving Gateway;
PGW: PDN Gateway, where PDN is the Public Data Network;
HSS: Home Subscriber Server;
SLP: session initiation protocol;
ProSe Function: near-domain service function;
ProSe Application Server: near-domain service application server;
EPC: Evolved Packet Core, the 4G core network;
5GC: 5G Core, the 5G core network;
ProSe Application Codes: near-domain service application codes;
ProSe Restricted Code: code restricting near-domain services;
PLMN: Public Land Mobile Network.
As shown in Fig. 1, the ProSe Function is a network element newly introduced into the core network by ProSe; it hosts the logical functions for the network-related operations that ProSe requires. The PC3 interface is the reference point between the UE (user terminal) and the ProSe Function. PC3 relies on the EPC (4G core network) user plane for transport (i.e., it runs "over IP"). PC3 is used to authorize ProSe direct discovery and EPC-level ProSe discovery requests, and to allocate the ProSe Application Codes/ProSe Restricted Codes corresponding to the ProSe Application identity used for ProSe direct discovery. PC3 is also used to define, per PLMN and ProSe Function, the authorization policies for ProSe direct discovery (for public safety and non-public safety) and ProSe direct communication (for public safety only) between UEs. The 5G networking scenario is similar to the one described above.
Fig. 2 is a diagram showing a protocol stack of a PC3 interface control plane according to the related art. The ProSe control signaling is carried on the user plane (i.e., "over IP").
The Chinese-English correspondence of the terms used in Fig. 2 is as follows:
PC3 Control: PC3 control signaling;
PDCP: Packet Data Convergence Protocol;
RLC: Radio Link Control protocol;
MAC: Media Access Control address;
L1: the physical layer;
L2: the data link layer;
Relay: relaying;
GTP: GPRS Tunneling Protocol, of which GTP-U is one variant;
UDP: User Datagram Protocol;
eNodeB: the radio base station in an LTE network;
ProSe Fcn: ProSe Function, the near-domain service function.
Fig. 3 is a diagram illustrating a UE-to-Network Relay communication architecture (taking 4G networking as an example) according to the related art.
The Chinese-English correspondence of the terms used in Fig. 3 is as follows:
PC5: the direct communication interface between terminals;
Uu: the cellular network communication interface between a terminal and a base station;
E-UTRAN: Evolved UMTS Terrestrial Radio Access Network, i.e., the mobile communication radio network in LTE;
eMBMS: evolved Multimedia Broadcast Multicast Service.
In Fig. 3, the Remote UE can be located inside or outside the coverage area of the E-UTRAN (the 4G radio network), and the ProSe UE-to-Network Relay must relay unicast traffic between the network and the Remote UE, providing a general function for relaying any IP data. The ProSe UE-to-Network Relay supports unicast data relay through the One-to-One Direct Communication procedure, supports relaying of eMBMS traffic, and supports the One-to-many Direct Communication procedure. The 5G ProSe networking scenario is similar to the one described above. A Relay UE needs to support the following functions:
- ProSe Direct Discovery of the ProSe UE-to-Network Relay (direct discovery of the relay terminal in near-domain services);
- one-to-one ProSe direct communication;
- serving as the default route for Remote UEs and forwarding IP packets;
- relaying eMBMS data using one-to-many ProSe direct communication;
- priority handling of downlink unicast and eMBMS traffic;
- if IPv6 (Internet Protocol version 6) is used, assigning an IPv6 prefix to Remote UEs;
- if IPv4 (Internet Protocol version 4) is used, assigning an IPv4 address to Remote UEs;
- the UE-to-Network Relay UE, the PCRF (Policy and Charging Rules Function) and the PDN GW supporting the PDN (Public Data Network) connection should support the extended TFT format so that traffic can be authorized separately for each Remote UE;
- a dedicated PDN connection must exist to support the UE-to-Network Relay connection;
- for the UE-to-Network Relay connection, the UE-to-Network Relay UE, the PCRF and the PDN GW must configure one dedicated APN;
- policy control and charging functions need to be supported to enable resource utilization for Remote UEs.
Fig. 4 is a user plane protocol stack diagram illustrating UE-to-Network Relay communication according to the related art.
The Chinese-English correspondence of the terms used in Fig. 4 is as follows:
Application: application;
IP-Relay: IP relay;
Relay: relaying.
As shown in fig. 4, the Relay UE establishes a dedicated PDN connection for the Remote UE as a Relay channel, and terminates with the PDN GW.
Fig. 5 is a flowchart illustrating a UE requesting service authorization according to the related art.
The Chinese-English correspondence of the terms used in Fig. 5 is as follows:
HPLMN: Home PLMN, the PLMN to which the subscriber belongs;
VPLMN: Visited PLMN;
Local PLMN: the local PLMN at the user's current position.
As shown in Fig. 5, the UE acquires the authorization information for ProSe Direct Discovery or ProSe Direct Communication from the ProSe Function. Both the Relay UE and the Remote UE need to acquire the authorization information before executing the subsequent procedures.
1. The UE establishes a connection with the PDN GW and, after obtaining a user IP address from the PDN GW, sends an authorization request to the home ProSe Function. The UE resolves the IP address of the home ProSe Function through DNS from its Fully Qualified Domain Name (FQDN) and then communicates with that address. The FQDN of the home ProSe Function may be statically configured in the UE or derived from the home PLMN ID; the IP address of the home ProSe Function may also be configured directly in the UE. The authorization message includes the PLMN in which the subscriber currently resides and the subscriber identity IMSI (International Mobile Subscriber Identity).
2. If the home ProSe Function does not hold the user's subscription information, it requests the subscription information from the home subscriber server (HSS), carrying the user identifier IMSI in the request; after obtaining the subscription information from the HSS, the home ProSe Function stores it in its local database.
3. Based on the acquired PLMN list, the home ProSe Function acquires the authorization information and the authorization validity time from the local/visited ProSe Function; the local/visited ProSe Function returns an authorization response that includes the validity time of the authorization.
4. Based on the user's subscription information and local configuration, the home ProSe Function returns the user's ProSe authorization information, which comprises: the list of PLMNs in which the ProSe service is fully authorized, the list of local PLMNs at the user's current position, and the authorization validity time for each PLMN. After receiving the authorization information, the UE starts a timer for each PLMN; when a timer expires, the UE must send a new authorization request to the home ProSe Function.
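The four steps above, carried out by a toy UE and home ProSe Function in Python; this is an added illustration, not code from the patent or from any 3GPP implementation. It shows the FQDN-based lookup (with an assumed FQDN pattern and a dictionary standing in for DNS), the HSS query that happens only on a cache miss, the per-PLMN validity returned in the response, and the UE re-requesting authorization when any of its per-PLMN timers expires. All IMSI, PLMN and address values are constructed samples using the 001/01 test PLMN.

```python
"""Toy model of the ProSe service-authorization flow (constructed illustration;
not the patent's or any 3GPP implementation's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def prose_function_fqdn(mcc: str, mnc: str) -> str:
    # Assumed derivation of the home ProSe Function FQDN from the home PLMN ID;
    # the real naming rule is defined by 3GPP, this pattern is illustrative only.
    return f"prose.mnc{mnc.zfill(3)}.mcc{mcc}.example"


@dataclass
class HomeProSeFunction:
    """Home ProSe Function. `hss` maps IMSI -> PLMNs in which the subscriber may
    use ProSe (constructed subscription data); `validity` is the per-PLMN
    authorization lifetime in seconds, standing in for what the local/visited
    ProSe Function returns in step 3."""
    hss: Dict[str, List[str]]
    validity: Dict[str, int]
    cache: Dict[str, List[str]] = field(default_factory=dict)
    hss_queries: int = 0

    def authorize(self, request: dict, now: float) -> dict:
        imsi = request["imsi"]
        if imsi not in self.cache:                # step 2: ask the HSS only once, then cache
            self.hss_queries += 1
            self.cache[imsi] = self.hss.get(imsi, [])
        allowed = self.cache[imsi]
        # step 4: fully authorized PLMNs, local PLMNs at the current position,
        # and one expiry time per PLMN
        return {
            "allowed_plmns": allowed,
            "local_plmns": [p for p in request["current_plmns"] if p in allowed],
            "expiry": {p: now + self.validity.get(p, 3600) for p in allowed},
        }


@dataclass
class UE:
    imsi: str
    home_plmn: Tuple[str, str]         # (MCC, MNC)
    dns: Dict[str, str]                # FQDN -> IP, a dictionary standing in for DNS
    expiry: Dict[str, float] = field(default_factory=dict)
    requests_sent: int = 0

    def request_authorization(self, pf: HomeProSeFunction,
                              current_plmns: List[str], now: float) -> dict:
        server_ip = self.dns[prose_function_fqdn(*self.home_plmn)]   # step 1: resolve the FQDN
        self.requests_sent += 1
        response = pf.authorize({"server": server_ip, "imsi": self.imsi,
                                 "current_plmns": current_plmns}, now)
        self.expiry = dict(response["expiry"])    # start one timer per PLMN
        return response

    def is_authorized(self, plmn: str, now: float) -> bool:
        return plmn in self.expiry and now < self.expiry[plmn]

    def tick(self, pf: HomeProSeFunction, current_plmns: List[str], now: float) -> List[str]:
        # Timer check: when any per-PLMN timer has run out, request authorization again.
        expired = [p for p, t in self.expiry.items() if now >= t]
        if expired:
            self.request_authorization(pf, current_plmns, now)
        return expired


if __name__ == "__main__":
    pf = HomeProSeFunction(hss={"001010000000001": ["00101", "00102"]},
                           validity={"00101": 3600, "00102": 600})
    ue = UE("001010000000001", ("001", "01"), dns={"prose.mnc001.mcc001.example": "192.0.2.5"})
    print(ue.request_authorization(pf, ["00102"], now=0.0))
    print("expired at t=700:", ue.tick(pf, ["00102"], now=700.0), "requests:", ue.requests_sent)
```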
Meanwhile, 3GPP defines a scheme for attaching wifi (wireless local area network) access to the mobile core network. A wifi convergence gateway is introduced into the mobile core network (in 4G the TWAG, Trusted WLAN Access Gateway, network element; in 5G the TNGF, Trusted Non-3GPP Gateway Function) to connect with a wifi network configured as trusted, so that the wifi users under that network are brought into the mobile network for unified management, and the 4G/5G capabilities such as user authentication, service management and charging management can be fully reused for wifi access.
Fig. 6 is a diagram of a trusted wifi access networking reference architecture (taking 4G networking as an example) shown according to the related art.
The Chinese-English correspondence of the terms used in Fig. 6 is as follows:
HSS: Home Subscriber Server;
S-GW: Serving Gateway;
Operator's IP services: the operator's IP services (e.g., IMS, PSS, ETC);
IMS: IP Multimedia Subsystem;
PSS: synchronization signal;
ETC: Electronic Toll Collection system;
AAA server: Authentication, Authorization and Accounting server;
Trusted WLAN Access Network: the trusted WLAN access network.
As shown in Fig. 6, wifi user access controlled by the mobile core network is implemented by introducing the TWAG network element. The trusted wifi network requires the wifi AP (Access Point) device to dedicate a separate SSID (Service Set Identifier) to EAP-AKA/AKA' authentication (the authentication and authorization used for security management), to support acting as an 802.1x (port-based network access control protocol) authentication point, and to allow the 802.1x authentication proxy address to be configured as the IP address of the TWAG. The 5G networking scenario is similar to the one described above.
Fig. 7 is a basic flowchart of trusted wifi access shown according to the related art (taking 4G networking as an example).
The Chinese-English correspondence of the terms used in Fig. 7 is as follows:
Radius: Remote Authentication Dial-In User Service;
AC: Access Controller;
Diameter: a protocol that serves as the base protocol for various types of applications.
Referring to fig. 7, the basic flow of the above-mentioned trusted wifi access may include the following steps.
1. The UE associates with the AP (wireless access point) and initiates authentication.
2. The TWAG receives the Radius Access-Request message sent by the AP/AC and extracts key information such as the User-Name, the NAS IP address, the MAC (Media Access Control) address of the UE and the SSID from the message.
3. The TWAG converts the Radius Access-Request message into a Diameter Access-Request message and sends it to the 3GPP AAA.
4. The TWAG receives the Diameter Access-Challenge message replied by the 3GPP AAA.
5. The TWAG converts the Diameter Access-Challenge message into a Radius Access-Challenge message and sends it to the AP/AC.
6. The AP/AC sends an EAP-Request (Extensible Authentication Protocol Request) message to the UE.
7. The AP/AC receives the EAP-Response sent by the UE.
8. The AP/AC sends a Radius Access-Request message to the TWAG, carrying the EAP-Response of step 7.
9. The TWAG converts the Radius Access-Request message into a Diameter Access-Request message and sends it to the 3GPP AAA.
10. Steps 4-9 are repeated as many times as the EAP-AKA/AKA' authentication procedure requires.
11. The TWAG receives the Diameter Access-Accept message replied by the 3GPP AAA and extracts key information such as the IMSI (International Mobile Subscriber Identity), the ISDN (Integrated Services Digital Network) number, the authorized IP address, the QoS (Quality of Service) and the Session-Timeout/Idle-Timeout from the message.
12. The TWAG initiates the establishment of a GTP tunnel to the PGW (PDN Gateway).
13. The TWAG converts the Diameter Access-Accept message into a Radius Access-Accept message and sends it to the AP/AC.
14. The AP/AC sends an EAP-Success message to the UE.
15. The UE initiates a DHCP (Dynamic Host Configuration Protocol) flow to request an IP address; a BRAS (Broadband Remote Access Server) acts as DHCP Relay and passes the DHCP message to the TWAG, and the TWAG acts as DHCP Server, responds to the DHCP message and delivers the IP address to the user.
16. The TWAG receives the Radius Accounting-Request (Start) message sent by the AP/AC and extracts key information such as the Acct-Session-Id (accounting session ID) from the message.
17. The TWAG sends a Radius Accounting-Request (Start) message to the 3GPP AAA.
18. The TWAG receives the Radius Accounting-Response (Start) message sent by the 3GPP AAA.
19. The TWAG, acting as AAA proxy, sends a Radius Accounting-Response (Start) message to the AP/AC.
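As an added illustration of the proxy role the TWAG plays in steps 2 to 19 (example code written for this page, not code from the patent or from any 3GPP implementation), the following Python model converts each RADIUS message from the AP/AC into the corresponding Diameter message for the 3GPP AAA and the answer back again, keeps per-UE session state keyed by the UE MAC address, and records the subscriber information extracted from the Access-Accept. Messages are plain dictionaries using the attribute names from the text; the RADIUS attribute Calling-Station-Id is assumed to carry the UE MAC address, the EAP-AKA exchange is reduced to an opaque round counter, the 3GPP AAA and the PGW are stand-ins, the DHCP step 15 is not modelled, and every address and identifier is a constructed sample value.

```python
"""Simplified model of the TWAG as RADIUS/Diameter AAA proxy in the trusted
wifi access flow of fig. 7 (steps 2 to 19). Added example, not patent code.
Assumptions: dictionary messages, Calling-Station-Id carries the UE MAC,
EAP-AKA reduced to a round counter, AAA and PGW are stand-ins."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Per-session information the text says the TWAG extracts (steps 2, 11 and 16).
REQUEST_KEYS = ("User-Name", "NAS-IP-Address", "Calling-Station-Id", "SSID")
ACCEPT_KEYS = ("IMSI", "MSISDN", "Framed-IP-Address", "QoS", "Session-Timeout", "Idle-Timeout")

# Constructed sample subscriber record (MCC 001 is the test network code).
SAMPLE_SUBSCRIBER = {"IMSI": "001010123456789", "MSISDN": "0000000001",
                     "Framed-IP-Address": "10.45.0.7", "QoS": "QCI9",
                     "Session-Timeout": "86400", "Idle-Timeout": "600"}


@dataclass
class Session:
    ue_info: Dict[str, str] = field(default_factory=dict)      # step 2
    subscriber: Dict[str, str] = field(default_factory=dict)   # step 11
    gtp_tunnel: Optional[str] = None                           # step 12: PGW address
    acct_session_id: Optional[str] = None                      # step 16


class StubAAA:
    """Stand-in 3GPP AAA: answers `rounds` challenges, then Access-Accept."""

    def __init__(self, rounds: int, subscriber: Dict[str, str]):
        self.rounds, self.subscriber, self.requests = rounds, subscriber, 0

    def handle(self, diameter: dict) -> dict:
        if diameter["code"] != "Diameter Access-Request":
            raise ValueError("unexpected Diameter command")
        self.requests += 1
        if self.requests <= self.rounds:
            return {"code": "Diameter Access-Challenge",
                    "EAP-Message": f"EAP-Request/AKA round {self.requests}"}
        return {"code": "Diameter Access-Accept", "EAP-Message": "EAP-Success", **self.subscriber}


class TWAG:
    def __init__(self, aaa: StubAAA, pgw_address: str):
        self.aaa, self.pgw_address = aaa, pgw_address
        self.sessions: Dict[str, Session] = {}   # keyed by UE MAC address

    def handle_access_request(self, radius: dict) -> dict:
        """Steps 2-5, 8-9 and 11-13: RADIUS -> Diameter towards the AAA and the
        answer back to RADIUS for the AP/AC. Returns the RADIUS reply."""
        sess = self.sessions.setdefault(radius["Calling-Station-Id"], Session())
        if not sess.ue_info:                      # first request of this UE: extract key info
            sess.ue_info = {k: radius[k] for k in REQUEST_KEYS}
        diameter = {"code": "Diameter Access-Request",
                    **{k: v for k, v in radius.items() if k != "code"}}
        answer = self.aaa.handle(diameter)
        if answer["code"] == "Diameter Access-Challenge":
            return {"code": "Access-Challenge", "EAP-Message": answer["EAP-Message"]}
        sess.subscriber = {k: answer[k] for k in ACCEPT_KEYS}
        sess.gtp_tunnel = self.pgw_address        # step 12, before the Accept is relayed
        return {"code": "Access-Accept", "EAP-Message": "EAP-Success",
                "Framed-IP-Address": sess.subscriber["Framed-IP-Address"]}

    def handle_accounting_start(self, radius: dict) -> dict:
        """Steps 16-19: record Acct-Session-Id and proxy the Accounting exchange.
        A MAC address that never completed authentication has no session (KeyError)."""
        sess = self.sessions[radius["Calling-Station-Id"]]
        sess.acct_session_id = radius["Acct-Session-Id"]
        return {"code": "Accounting-Response", "Acct-Session-Id": radius["Acct-Session-Id"]}


def run_trusted_wifi_access(twag: TWAG, mac: str) -> Session:
    """Drive one UE through steps 2-19 as seen by the TWAG; returns its session."""
    request = {"code": "Access-Request", "User-Name": "ue@example.invalid",   # constructed
               "NAS-IP-Address": "10.0.0.5", "Calling-Station-Id": mac, "SSID": "prose-trusted"}
    reply = twag.handle_access_request(request)
    while reply["code"] == "Access-Challenge":
        # Steps 6-8: the AP/AC relays the EAP-Request to the UE and carries its EAP-Response back.
        request = {**request, "EAP-Message": "EAP-Response to " + reply["EAP-Message"]}
        reply = twag.handle_access_request(request)
    twag.handle_accounting_start({"code": "Accounting-Request", "Acct-Status-Type": "Start",
                                  "Calling-Station-Id": mac, "Acct-Session-Id": "acct-0001"})
    return twag.sessions[mac]


if __name__ == "__main__":
    twag = TWAG(StubAAA(rounds=2, subscriber=SAMPLE_SUBSCRIBER), pgw_address="192.0.2.20")
    print(run_trusted_wifi_access(twag, "aa:bb:cc:00:00:01"))
```

The model makes one thing visible that the step list leaves implicit: the session state (subscriber identity, authorized IP address, accounting session) lives on the TWAG, while the AP/AC only relays EAP. An Accounting-Request for a MAC address that never completed authentication therefore has no session to attach to and is rejected.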
In the ProSe scheme provided in the related art, every terminal must complete a service authorization procedure in advance, and only after that provisioning is complete can it carry out subsequent data communication services with other terminals. That is, in the UE-to-Network Relay scenario, the Remote UE needs to hold valid ProSe service authorization information in advance before it can communicate with the mobile network through the Relay UE. If the Remote UE is powered on, or its cell is updated, in an environment without mobile network signal, the ProSe service authorization procedure cannot be completed, so the UE-to-Network Relay scenario cannot be used (problem one). This also means that a Remote UE in an area without mobile network coverage can only relay ProSe over one hop (problem two). Meanwhile, the existing Relay UE simply forwards the Remote UE's authorization request over an ordinary WiFi (wireless fidelity) hotspot, which poses a potential security risk to the user's data (problem three).
In view of the above problems, the present disclosure provides the following communication data processing method.
Fig. 8 is a flow chart illustrating a method of communication data processing according to an example embodiment.
In some embodiments, the first terminal may be a terminal device that has signed up for near-domain services, the hotspot of the first terminal may be a trusted hotspot of the near-domain services (i.e., a hotspot authorized to be trusted by the near-domain services), and the near-domain services trusted hotspot of the first terminal has been opened. Through the trusted hotspot, the first terminal may assume a relay function in the near-domain service.
The first terminal may be any device capable of performing mobile communication connection, for example, a mobile phone, a computer, a notebook, a wearable device, and the like, which is not limited in this disclosure.
Referring to fig. 8, a communication data processing method provided by an embodiment of the present disclosure may include the following steps.
Step S802, in response to a connection request of the second terminal for the near-domain service trusted hotspot of the first terminal, the first terminal establishes a first wifi wireless connection with the second terminal.
In some embodiments, after the trusted hotspot of a first terminal (e.g., the terminal-to-network one-hop relay device in the network shown in fig. 9) is opened, devices around the first terminal (e.g., a second terminal, such as the remote device in fig. 9) may each connect to the first terminal through the trusted hotspot and establish a wifi wireless connection with it. The second terminal may or may not be within the coverage of a mobile network, which is not limited by the present disclosure.
The second terminal may be any device capable of performing mobile communication connection, for example, a mobile phone, a computer, a notebook, a wearable device, and the like, which is not limited in this disclosure.
Step S804, the first terminal obtains a first identifier of the second terminal through the first wifi wireless connection.
The first identifier may be identification information that uniquely identifies the second terminal, for example, the MAC address or the IP address of the second terminal, which is not limited in this disclosure.
Step S806, the first terminal forwards the first identifier to the target core network through the user plane channel, so that the target core network performs subscription authentication on the second terminal.
In some embodiments, the first terminal may be within a coverage of a mobile network, and then, after responding to a connection request of the second terminal for the near-domain service trusted hotspot, the first terminal may forward the first identifier of the second terminal to a target core network (e.g., EPC or 5GC shown in fig. 9) through a mobile network user plane (as shown in fig. 9, through a network interface Uu) so that the target core network performs subscription authentication on the second terminal.
In some embodiments, the target core network may include a trusted wifi convergence gateway (which may be a TWAG gateway in 4G and a TNGF gateway in 5G). After the target core network receives the first identifier forwarded by the first terminal, the trusted wifi convergence gateway determines whether the second terminal has signed a near domain service according to the first identifier, and if the second terminal has signed the near domain service, the trusted wifi convergence gateway can determine that the second terminal passes the subscription authentication.
Step S808, after the second terminal passes the subscription authentication, the first terminal and the target core network establish a first IPSec tunnel, so that the second terminal performs information interaction with the target core network through the first wifi wireless connection and the first IPSec tunnel.
In some embodiments, if the second terminal does not pass the subscription authentication, the first terminal disconnects the first wifi wireless connection and places the second terminal on a blacklist, so that the second terminal cannot connect to the near-domain service trusted hotspot of the first terminal again.
In some embodiments, if the second terminal passes the subscription authentication, the first terminal may establish a first IPSec tunnel with the target core network.
In some embodiments, the target core network includes a trusted wifi convergence gateway. Then, the establishing, by the first terminal, of the first IPSec tunnel with the target core network may include: after the second terminal passes the subscription authentication, the first terminal acquires the IP address of the trusted wifi convergence gateway; and establishing the first IPSec tunnel with the trusted wifi convergence gateway based on that IP address.
In some embodiments, the IP address of the trusted wifi convergence gateway may be issued to the first terminal and stored there when the first terminal subscribes, or may be issued to the first terminal by the target core network after the second terminal passes subscription authentication, which is not limited by the disclosure.
In some embodiments, the information interaction between the second terminal and the target core network through the first wifi wireless connection and the first IPSec tunnel may include access authentication of trusted wifi, and may also include transmission interaction of common data, which is not limited in this disclosure.
If the second terminal performs trusted wifi access authentication with the target core network through the first wifi wireless connection and the first IPSec tunnel, the method may specifically include: the first terminal notifies the second terminal, through the first wifi wireless connection, to initiate trusted wifi authentication; the first terminal receives a first authorization authentication request sent by the second terminal through the first wifi wireless connection; and the first terminal forwards the first authorization authentication request to the target core network through the first IPSec tunnel, so that the target core network performs trusted wifi access authentication (i.e. near-domain service authorization) on the second terminal, after which the second terminal performs information interaction with the target core network through the first wifi wireless connection and the first IPSec tunnel (for the specific procedure, refer to the embodiment shown in fig. 7).
In some embodiments, the first IPSec tunnel may be released when no remote terminal is using the first terminal as a relay any more.
Under the control of the mobile core network, and in combination with the trusted wifi access architecture, the wifi hotspot of a first terminal that has mobile network signal is turned into a trusted wifi network, providing a safe and credible relay channel for a second terminal (which may have no mobile network signal coverage), so that the second terminal can access the mobile core network and complete the authorization of its ProSe service.
Fig. 10 is a flow chart illustrating a method of communication data processing according to an example embodiment.
Referring to fig. 10, a communication data processing method provided by an embodiment of the present disclosure may include the following steps.
Step S1002, the first terminal sends an authorization request for the near domain service to the target core network through the user plane channel.
In some embodiments, the first terminal may send an authorization request for the near domain service to the target core network through the user plane tunnel under the coverage of the mobile network, so as to be authorized to become a relay device in the near domain service.
Step S1004, the first terminal receives an authorization confirmation message returned by the target core network for the authorization request.
Step S1006, the first terminal configures the wifi hotspot of the first terminal as a near domain service trusted hotspot according to the authorization confirmation message, and opens the near domain service trusted hotspot of the first terminal.
In some embodiments, after receiving the authorization confirmation message, the first terminal may configure its wifi hotspot as a trusted hotspot of the near domain service, and open its hotspot for peripheral devices to search and connect to become a relay device in the near domain service.
Step S1008, in response to a connection request of the second terminal for the near-domain service trusted hotspot of the first terminal, the first terminal establishes a first wifi wireless connection with the second terminal.
Step S1010, the first terminal obtains a first identifier of the second terminal through the first wifi wireless connection.
Step S1012, the first terminal forwards the first identifier to the target core network through the user plane channel, so that the target core network performs subscription authentication on the second terminal.
Step S1014, after the second terminal passes the subscription authentication, the first terminal establishes a first IPSec tunnel with the target core network, so that the second terminal performs information interaction with the target core network through the first wifi wireless connection and the first IPSec tunnel.
In the technical solution provided in this embodiment, the first terminal may request authorization for the near-domain service from the target core network in advance, while in an area with network coverage, and thereby become a relay device for the near-domain service, so as to provide relay service for other devices (which may be in an area without network coverage). According to the technical scheme of this embodiment, the second terminal does not need to obtain authorization in advance when requesting the near-domain service; after connecting to the hotspot of the near-domain service relay device, it can initiate near-domain service authorization to the core network through that relay device. In this way, even if the second terminal initiates registration without network coverage, it can still communicate with the target core network through the first terminal.
Under the control of the mobile core network, and in combination with the 3GPP trusted wifi access architecture, the wifi hotspot of a terminal that has mobile network signal (and can therefore access the ProSe Function) is turned into a trusted wifi network, providing a safe and trusted relay channel for terminals without mobile network signal, so that such a terminal can access the mobile core network and complete ProSe service authorization. This solves the problem that a terminal cannot perform ProSe service authorization without mobile network signal, expands the scenario in which the UE-to-Network Relay supports only one hop into one that supports multiple hops, and removes the user information security problem of forwarding through an ordinary wifi hotspot. The terminal or the core network of the present disclosure is extended with the following functions and modules:
The wifi hotspot on the UE supports the 802.11i function, and a wifi network control module for the near-domain service is added (to ensure the security of near-domain communication). The near-domain service wifi network control module is responsible for enabling the wifi hotspot function after the UE, acting as Relay UE, has completed ProSe service authorization; configuring the wifi hotspot as a trusted wifi hotspot using the specified SSID (the name of the wireless signal broadcast by the access point); configuring it as an 802.1x (port-based network access control protocol) authentication point; acquiring the IP address of the TWAG/TNGF issued by the near-domain service UE wifi management module; and configuring that IP address as the address of the 802.1x authentication agent. When it receives wifi wireless association information from a Remote UE, the Relay UE queries the ProSe Function with the Remote UE's MAC address, forwarded over the user plane, to confirm whether the Remote UE may enter the ProSe service authorization flow; after receiving the confirmation, it initiates establishment of an IPSec tunnel with the TWAG/TNGF and informs the Remote UE that trusted wifi authentication can be initiated.
As shown in fig. 9, a near-domain service UE wifi management module is added to the near-domain service function network element (ProSe Function) of the target core network. It is responsible for trusted wifi hotspot control of the UE, and it queries and confirms, by way of a white list, whether the Remote UE may enter the ProSe service authorization process.
As shown in fig. 9, a wifi network control module is added to the UE, which is responsible for opening and configuring the trusted wifi hotspot, initiating establishment of the IPSec tunnel with the trusted wifi convergence gateway (such as a TWAG in a 4G network or a TNGF in a 5G network), and initiating the availability query for a Remote UE that has performed wifi wireless association with it; the wifi hotspot additionally supports 802.11i.
- The trusted wifi convergence gateway (the TWAG network element of the 4G EPC or the TNGF of the 5GC) is given the added function of terminating the IPSec tunnel established with it by the Relay UE, and of forwarding the control plane signaling carried in that tunnel (such as the EAP authentication initiated by the Remote UE) and the user plane messages (such as ProSe service authorization interaction and service data flows) to the EPC/5GC. The trusted wifi authentication access procedure defined in the 3GPP standard is then followed by the ProSe service authorization procedure, which completes ProSe service authorization, and finally data services can be used normally through the SGi interface of the UPF.
FIG. 11 illustrates an overall business process diagram in accordance with an exemplary embodiment.
Referring to fig. 11 in conjunction with the block diagram of fig. 9, the service flow diagram may include the following steps.
S101: the near domain service UE wifi management module of the ProSe Function configures a white list of an IP address of a trusted wifi convergence gateway (such as TWAG/TNGF) in the same core network (4G core network EPC/5G core network 5GC) and a MAC address of the UE wifi module capable of using the ProSe service.
S102: the UE completes ProSe service authorization in a mobile network signal area, and has the capability of becoming a Relay UE (Relay terminal).
S103: after receiving the ProSe service authorization confirmation message, the wifi network control module in the UE starts its wifi hotspot function, configures the wifi hotspot as trusted wifi, uses the SSID uniformly specified for the near-domain service wifi network (i.e., all trusted wifi hotspots use this SSID), configures itself as an 802.1x authentication point, obtains the IP address of the TWAG/TNGF issued by the ProSe Function, and configures that IP address as the address of the 802.1x authentication agent.
S104: a UE in an area without mobile network signal (i.e., the Remote UE) starts its wifi function, searches for the SSID of the near-domain service wifi network, and performs wifi wireless association with the Relay UE.
S105: the Relay UE acquires the MAC address of the Remote UE's wifi module through the wifi wireless association process, and forwards it over a 4G/5G user plane channel to the near-domain service UE wifi management module of the ProSe Function.
S106: the ProSe Function performs a white list matching query and confirmation.
S107: if the matching fails, the ProSe Function reports this to the Relay UE; the Relay UE interrupts the wifi wireless association with the Remote UE, places the Remote UE on its blacklist, and no longer queries the ProSe Function when that Remote UE associates again.
S108: if the matching passes, the ProSe Function reports this to the Relay UE and issues the IP address of the TWAG/TNGF.
S109: after receiving the matching-passed message, the Relay UE establishes an IPSec tunnel with the TWAG/TNGF based on the acquired IP address and informs the Remote UE that it may initiate trusted wifi authentication.
S110: the Remote UE uses the Relay UE-TWAG/TNGF-EPC/5GC channel; the TWAG/TNGF terminates the IPSec tunnel established by the Relay UE and forwards the control plane signaling carried in the tunnel, such as the EAP (Extensible Authentication Protocol) authentication and/or NAS signaling initiated by the Remote UE, to the EPC/5GC, thereby completing trusted wifi access authentication and gaining the capability of accessing the ProSe Function through the SGi interface (the trusted wifi access authentication procedure is shown in fig. 11).
S111: the Remote UE uses the Relay UE-TWAG/TNGF-EPC/5GC-ProSe Function channel; the TWAG/TNGF terminates the IPSec tunnel established by the Relay UE and forwards the user plane messages carried in the tunnel, such as the ProSe service authorization interaction initiated by the Remote UE, to the EPC/5GC, thereby completing ProSe service authorization (the ProSe service authorization process is shown in fig. 7).
S112: the Remote UE uses the UE-to-Network Relay communication procedure through the Relay UE-TWAG/TNGF-EPC/5GC channel, and finally uses data services normally through the SGi interface of the UPF.
The above embodiment has the following technical effects:
1. Compared with the scheme that uses the wifi hotspot of the Relay UE as a simple forwarding channel, the method and system implement a trusted wifi access scheme at the terminal's wifi hotspot and so provide a safe and reliable relay channel.
2. By adding a simple functional module to individual network elements of the standardized trusted wifi access and ProSe networking schemes, the two are combined organically, so that the ProSe authorization flow and communication mechanism can be reused in full, with no changes required to the related network elements and protocols.
Fig. 12 is a flow chart illustrating a method of communication data processing according to an example embodiment.
Referring to fig. 12, a communication data processing method provided by an embodiment of the present disclosure may include the following steps.
In some embodiments, the second terminal may be a terminal device that has signed up for near-domain services, the hotspot of the second terminal may be a trusted hotspot of the near-domain services (i.e., a hotspot authorized to be trusted by the near-domain services), and the near-domain services trusted hotspot of the second terminal has been opened. Through the trusted hotspot, the second terminal may assume a relay function in the near domain service (the second terminal may be, for example, a terminal-to-network two-hop relay device in fig. 13).
Step S1202, responding to a connection request of the third terminal for the near-domain service trusted hotspot of the second terminal, and establishing a second wifi wireless connection between the second terminal and the third terminal.
In some embodiments, after the trusted hotspot of the second terminal is opened, devices around the second terminal (e.g., a third terminal, such as the remote device in fig. 13) may connect to the second terminal through the trusted hotspot and establish a wifi wireless connection with it. The second terminal may or may not be within the coverage of a mobile network, which is not limited by the present disclosure.
The second terminal may be any device capable of performing mobile communication connection, for example, a mobile phone, a computer, a notebook, a wearable device, and the like, which is not limited in this disclosure.
Step S1204, the second terminal obtains a second identifier of the third terminal through a second wifi wireless connection.
The second identifier may be identification information for uniquely identifying the third terminal, for example, a MAC address, an IP address, and the like of the third terminal, which is not limited in this disclosure.
Step S1206, the second terminal forwards the second identifier to the target core network through the first wifi wireless connection and the first IPSec tunnel, so that the target core network performs subscription authentication on the third terminal.
In some embodiments, the target core network may include a trusted wifi convergence gateway (which may be a TWAG gateway in 4G and a TNGF gateway in 5G). After the target core network receives the second identifier forwarded by the second terminal, the trusted wifi convergence gateway determines from the second identifier whether the third terminal has subscribed to the near-domain service, and if so, the trusted wifi convergence gateway can determine that the third terminal passes the subscription authentication.
Step S1208, after the third terminal passes the subscription authentication, the second terminal establishes a second IPSec tunnel with the target core network, so that the third terminal performs information interaction with the target core network through the second wifi wireless connection and the second IPSec tunnel.
In some embodiments, if the third terminal does not pass the subscription authentication, the second terminal disconnects the second wifi wireless connection; and bringing the third terminal into the blacklists of the second terminal and the first terminal, thereby avoiding the third terminal from being connected with the near-domain service trusted hotspot of the second terminal and the first terminal again.
In some embodiments, the second terminal may establish a second IPSec tunnel with the target core network if the third terminal subscription authentication passes.
In some embodiments, the target core network includes a trusted wifi convergence gateway. Then, the establishing, by the second terminal, of the second IPSec tunnel with the target core network may include: after the third terminal passes the subscription authentication, the second terminal acquires the IP address of the trusted wifi convergence gateway; and establishing the second IPSec tunnel with the trusted wifi convergence gateway based on that IP address.
In some embodiments, the IP address of the trusted wifi convergence gateway may be issued to the second terminal and stored there when the second terminal subscribes, or may be issued to the second terminal by the target core network after the third terminal passes subscription authentication, which is not limited by the present disclosure.
In some embodiments, the information interaction between the third terminal and the target core network through the second wifi wireless connection and the second IPSec tunnel may include access authentication of trusted wifi, and may also include transmission interaction of common data, which is not limited in this disclosure.
If the third terminal performs trusted wifi access authentication with the target core network through the second wifi wireless connection and the second IPSec tunnel, the method may specifically include: the second terminal notifies the third terminal, through the second wifi wireless connection, to initiate trusted wifi authentication; the second terminal receives a second authorization authentication request sent by the third terminal through the second wifi wireless connection; and the second terminal forwards the second authorization authentication request to the target core network through the second IPSec tunnel, so that the target core network performs trusted wifi access authentication (i.e. near-domain service authorization) on the third terminal, after which the third terminal performs information interaction with the target core network through the second wifi wireless connection and the second IPSec tunnel (for the specific procedure, refer to the embodiment shown in fig. 7).
In this embodiment, under the 3GPP ProSe UE-to-Network Relay architecture, wifi technology is used to realize multi-hop cascaded terminal access in a region without mobile network signal, whereas the existing standard allows only one hop; the coverage range of the near field communication network is thereby expanded.
Therefore, the technical scheme provided by the embodiment solves the problem that the terminal cannot perform ProSe service authorization under the condition of no mobile Network signal, and simultaneously expands the scenario that the UE-to-Network Relay only supports one hop into the scenario that can support multiple hops, and solves the problem of user information safety existing in the forwarding of a common wifi hotspot.
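The following Python model, added here as an illustration and not taken from the patent, puts together the relay-side behaviour described for fig. 8 (steps S802 to S808), fig. 10 (steps S1002 to S1014), the service flow of fig. 11 (S101 to S112) and the multi-hop case of fig. 12/13 (steps S1202 to S1208): the ProSe Function holds the MAC white list and the TWAG/TNGF address; an authorized relay configures its hotspot (specified SSID, 802.1x authentication point, authentication agent set to the gateway address, 802.11i); when a remote terminal associates, the relay queries the core network, blacklists the terminal on failure both on itself and on every upstream relay, establishes the IPSec tunnel on success, and releases the tunnel when the last remote terminal leaves. A two-hop relay reaches the core network only through its parent's wifi connection and IPSec tunnel. The class and method names, the SSID, the addresses and the shape of the reply messages are assumptions; the IPSec tunnel and the wifi association are represented by state only.

```python
"""Model of the relay-side access control in the fig. 8/10/11 (one hop) and
fig. 12/13 (multi-hop) embodiments. Added example, not patent code; all
names, addresses, the SSID and the reply shapes are assumptions."""
from typing import Dict, Optional, Set

TRUSTED_SSID = "prose-trusted"   # assumed value; the text only says one uniformly specified SSID


class ProSeFunction:
    """Core-network side: the near-domain service UE wifi management module.
    Holds the white list of terminal MAC addresses allowed into ProSe service
    authorization and the trusted wifi convergence gateway (TWAG/TNGF) IP (S101)."""

    def __init__(self, gateway_ip: str, whitelist):
        self.gateway_ip = gateway_ip
        self.whitelist: Set[str] = {m.lower() for m in whitelist}
        self.queries = 0   # S105/S106 queries; shows blacklisted MACs are not re-queried

    def check(self, mac: str) -> dict:
        """S106-S108: white list match; on pass the gateway IP is issued."""
        self.queries += 1
        if mac.lower() in self.whitelist:
            return {"result": "pass", "gateway_ip": self.gateway_ip}
        return {"result": "fail"}


class RelayUE:
    """A terminal whose hotspot becomes a near-domain service trusted hotspot.
    parent is None for a one-hop relay with its own mobile-network coverage (fig. 9);
    a two-hop relay (fig. 13) reaches the core network through its parent's wifi
    connection and IPSec tunnel instead."""

    def __init__(self, name: str, prose: ProSeFunction, parent: Optional["RelayUE"] = None):
        self.name, self.prose, self.parent = name, prose, parent
        self.hotspot: Optional[dict] = None       # trusted hotspot configuration once authorized
        self.blacklist: Set[str] = set()
        self.remotes: Dict[str, str] = {}         # MAC of a connected remote terminal -> state
        self.ipsec_tunnel: Optional[str] = None   # gateway IP the tunnel is established with

    def _send_to_core(self, request: str, mac: str) -> dict:
        """One hop: user-plane channel (Uu). Multi-hop: the parent's wifi connection
        plus IPSec tunnel (S1206), which therefore must already exist."""
        if self.parent is not None and self.parent.ipsec_tunnel is None:
            raise RuntimeError(f"{self.parent.name} has no IPSec tunnel; "
                               f"{self.name} cannot reach the core network")
        if request == "authorize":   # S1002/S102; the relay is assumed to be subscribed
            return {"result": "pass", "gateway_ip": self.prose.gateway_ip}
        return self.prose.check(mac)

    def authorize(self) -> dict:
        """S1002-S1006 / S102-S103: become a relay and configure the trusted hotspot."""
        reply = self._send_to_core("authorize", "")
        self.hotspot = {"ssid": TRUSTED_SSID, "authentication": "802.1x",
                        "auth_agent": reply["gateway_ip"],   # TWAG/TNGF address
                        "80211i": True}
        return self.hotspot

    def on_association(self, mac: str) -> str:
        """S802-S808 / S104-S109 / S1202-S1208 for one associating remote terminal."""
        mac = mac.lower()
        if self.hotspot is None:
            return "rejected: hotspot is not a trusted hotspot yet"
        if mac in self.blacklist:
            return "rejected: blacklisted (no query to ProSe Function)"
        reply = self._send_to_core("check", mac)
        if reply["result"] != "pass":
            self._blacklist_up_chain(mac)   # disconnect, blacklist here and on every upstream relay
            return "disconnected: subscription authentication failed"
        if self.ipsec_tunnel is None:
            self.ipsec_tunnel = reply["gateway_ip"]   # establish IPSec tunnel with TWAG/TNGF
        self.remotes[mac] = "trusted wifi authentication pending"
        return "connected: remote told to start trusted wifi authentication"

    def _blacklist_up_chain(self, mac: str) -> None:
        node: Optional[RelayUE] = self
        while node is not None:
            node.remotes.pop(mac, None)
            node.blacklist.add(mac)
            node = node.parent

    def on_disassociation(self, mac: str) -> None:
        """Release the IPSec tunnel once no remote terminal uses this relay any more."""
        self.remotes.pop(mac.lower(), None)
        if not self.remotes:
            self.ipsec_tunnel = None


if __name__ == "__main__":
    core = ProSeFunction("192.0.2.10", ["aa:bb:cc:00:00:01"])     # constructed values
    relay = RelayUE("relay1", core)
    relay.authorize()
    print(relay.on_association("aa:bb:cc:00:00:01"), relay.on_association("aa:bb:cc:00:00:99"))
```

Two behaviours worth checking in a real implementation are made visible here: a blacklisted MAC address causes no further query to the ProSe Function (the query counter shows it), and the white list match only gates entry into the authorization flow, since the remote terminal is still authenticated afterwards by the trusted wifi EAP procedure carried in the tunnel (S110).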
An embodiment of the present disclosure further provides a communication data processing system, where the communication data processing system may include:
the first terminal is used for sending an authorization request aiming at the near domain service to a target core network; receiving an authorization confirmation message returned by the target core network for the authorization request; configuring the wifi hotspot of the first terminal into a near-domain service trusted hotspot according to the authorization confirmation message, and opening the near-domain service trusted hotspot of the first terminal; responding to a connection request of a second terminal for a near-domain service trusted hotspot of a first terminal, and establishing a first wifi wireless connection with the second terminal; acquiring a first identifier of a second terminal through a first wifi wireless connection; the first identifier is forwarded to a target core network through a user plane channel so that the target core network can conveniently carry out subscription authentication on the second terminal; after the subscription authentication is passed, the first terminal and the target core network establish a first IPSec tunnel, so that the second terminal can perform information interaction with the target core network through the first wifi wireless connection and the first IPSec tunnel.
The second terminal is used for sending an authorization request aiming at the near domain service to the target core network; receiving an authorization confirmation message returned by the target core network for the authorization request; configuring the wifi hotspot of the second terminal into a near-domain service trusted hotspot according to the authorization confirmation message, and opening the near-domain service trusted hotspot of the second terminal; responding to a connection request of a third terminal for a near-domain service trusted hotspot of a second terminal, and establishing a second wifi wireless connection with the third terminal; acquiring a second identifier of a third terminal through a second wifi wireless connection; forwarding the second identifier to the target core network through the first wifi wireless connection and the first IPSec tunnel so that the target core network performs subscription authentication on the third terminal; and after the subscription authentication is passed, the second terminal and the target core network establish a second IPSec tunnel so that the third terminal can perform information interaction with the target core network through the second wifi wireless connection and the second IPSec tunnel.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Furthermore, the above-described figures are merely schematic illustrations of processes included in methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
FIG. 14 shows a schematic structural diagram of an electronic device suitable for use in implementing embodiments of the present disclosure. It should be noted that the electronic device 1400 shown in fig. 14 is only an example, and should not bring any limitation to the functions and the scope of the embodiments of the present disclosure.
As shown in fig. 14, the electronic device 1400 includes a Central Processing Unit (CPU)1401 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)1402 or a program loaded from a storage portion 1408 into a Random Access Memory (RAM) 1403. In the RAM 1403, various programs and data necessary for the operation of the electronic device 1400 are also stored. The CPU 1401, ROM 1402, and RAM 1403 are connected to each other via a bus 1404. An input/output (I/O) interface 1405 is also connected to bus 1404.
The following components are connected to the I/O interface 1405: an input portion 1406 including a keyboard, a mouse, and the like; an output portion 1407 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), a speaker, and the like; a storage portion 1408 including a hard disk and the like; and a communication portion 1409 including a network interface card such as a LAN card, a modem, or the like. The communication portion 1409 performs communication processing via a network such as the internet. A drive 1410 is also connected to the I/O interface 1405 as necessary. A removable medium 1411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1410 as necessary, so that a computer program read from it can be installed into the storage portion 1408 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 1409 and/or installed from the removable medium 1411. The above-described functions defined in the system of the present application are executed when the computer program is executed by a Central Processing Unit (CPU) 1401.
It should be noted that the computer readable storage medium shown in the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable signal medium, by contrast, may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
As another aspect, the present application also provides a computer-readable storage medium, which may be contained in the apparatus described in the above embodiments, or may be separate and not incorporated into the device. The computer readable storage medium carries one or more programs which, when executed by a device, cause the device to perform functions including: responding to a connection request of a second terminal for a near-domain service trusted hotspot of the first terminal, and establishing a first wifi wireless connection between the first terminal and the second terminal; the first terminal acquiring a first identifier of the second terminal through the first wifi wireless connection; the first terminal forwarding the first identifier to a target core network through a user plane channel so that the target core network can carry out subscription authentication on the second terminal; and after the second terminal passes the subscription authentication, the first terminal and the target core network establishing a first IPSec tunnel so that the second terminal can perform information interaction with the target core network through the first wifi wireless connection and the first IPSec tunnel.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations of the embodiments described above.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution of the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) and includes several instructions for enabling a computing device (which may be a personal computer, a server, a mobile terminal, a smart device, etc.) to execute the method according to the embodiments of the present disclosure, such as the steps shown in one or more of fig. 8, fig. 10, fig. 11, or fig. 12.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the disclosure is not limited to the details of construction, the arrangements of the drawings, or the manner of implementation that have been set forth herein, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (10)

1. A communication data processing method, characterized in that a hotspot of a first terminal is a near-domain service trusted hotspot and the near-domain service trusted hotspot of the first terminal has been opened, the method comprising the following steps:
responding to a connection request of a second terminal for a near domain service trusted hotspot of the first terminal, and establishing a first wifi wireless connection between the first terminal and the second terminal;
the first terminal acquires a first identifier of the second terminal through the first wifi wireless connection;
the first terminal forwards the first identifier to a target core network through a user plane channel so that the target core network can carry out subscription authentication on the second terminal;
and after the second terminal passes the subscription authentication, the first terminal and the target core network establish a first IPSec tunnel so that the second terminal can perform information interaction with the target core network through the first wifi wireless connection and the first IPSec tunnel.
2. The method according to claim 1, wherein, before responding to the connection request of the second terminal for the near-domain service trusted hotspot of the first terminal, the method further comprises:
the first terminal sends an authorization request aiming at the near domain service to the target core network through a user plane channel;
the first terminal receives an authorization confirmation message returned by the target core network for the authorization request;
and the first terminal configures the wifi hotspot of the first terminal as the near-domain service trusted hotspot according to the authorization confirmation message, and opens the near-domain service trusted hotspot of the first terminal.
3. The method of claim 1, wherein the first identifier is a MAC address of the second terminal, and the forwarding, by the first terminal, of the first identifier to the target core network through the user plane channel so that the target core network performs subscription authentication on the second terminal comprises:
the first terminal forwarding the MAC address of the second terminal to the target core network through the user plane channel, so that the target core network determines, based on the MAC address of the second terminal, that the second terminal has subscribed to the near-domain service, whereby the second terminal passes the subscription authentication.
4. The method of claim 1, wherein the second terminal performing information interaction with the target core network through the first wifi wireless connection and the first IPSec tunnel comprises:
the first terminal informs the second terminal to initiate trusted wifi authentication through the first wifi wireless connection;
the first terminal receives a first authorization authentication request sent by the second terminal through the first wifi wireless connection;
the first terminal forwards the first authorization authentication request to the target core network through the first IPSec tunnel, so that the target core network can perform trusted wifi access authentication on the second terminal, and the second terminal can perform information interaction with the target core network through the first wifi wireless connection and the first IPSec tunnel after the trusted authentication is passed.
5. The method of claim 1, further comprising:
when the second terminal fails the subscription authentication, the first terminal disconnecting the first wifi wireless connection; and
adding the second terminal to a blacklist so as to prevent the second terminal from connecting again to the near-domain service trusted hotspot of the first terminal.
6. The method of claim 1, wherein the target core network comprises a trusted wifi convergence gateway, and the establishing, by the first terminal, of the first IPSec tunnel with the target core network after the second terminal passes the subscription authentication comprises:
after the second terminal passes the subscription authentication, the first terminal acquiring an IP address of the trusted wifi convergence gateway; and
establishing the first IPSec tunnel with the trusted wifi convergence gateway based on the IP address of the trusted wifi convergence gateway.
7. The method of claim 1, wherein the hotspot of the second terminal is a near-domain service trusted hotspot, and wherein the near-domain service trusted hotspot of the second terminal has been opened, the method further comprising:
responding to a connection request of a third terminal for a near-domain service trusted hotspot of the second terminal, and establishing a second wifi wireless connection between the second terminal and the third terminal;
the second terminal acquires a second identifier of the third terminal through the second wifi wireless connection;
the second terminal forwards the second identifier to the target core network through the first wifi wireless connection and the first IPSec tunnel, so that the target core network performs subscription authentication on the third terminal;
and after the third terminal passes the subscription authentication, the second terminal and the target core network establish a second IPSec tunnel so that the third terminal can perform information interaction with the target core network through the second wifi wireless connection and the second IPSec tunnel.
8. A communication data processing system, characterized in that the communication data processing system comprises:
a first terminal, configured to send an authorization request for the near-domain service to a target core network; receive an authorization confirmation message returned by the target core network for the authorization request; configure a wifi hotspot of the first terminal as a near-domain service trusted hotspot according to the authorization confirmation message, and open the near-domain service trusted hotspot of the first terminal; respond to a connection request of a second terminal for the near-domain service trusted hotspot of the first terminal by establishing a first wifi wireless connection with the second terminal; acquire a first identifier of the second terminal through the first wifi wireless connection; forward the first identifier to the target core network through a user plane channel so that the target core network can perform subscription authentication on the second terminal; and, after the second terminal passes the subscription authentication, establish a first IPSec tunnel with the target core network so that the second terminal and the target core network perform information interaction through the first wifi wireless connection and the first IPSec tunnel.
9. An electronic device, comprising:
a memory; and
a processor, the electronic device being adapted to perform the communication data processing method according to any one of claims 1 to 7 based on instructions stored in the memory.
10. A computer-readable storage medium on which a program is stored, which when executed by a processor implements the communication data processing method according to any one of claims 1 to 7.
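Claims 1 to 7 together describe one procedure: a relay terminal is authorized to open a trusted hotspot (claim 2), reads the MAC address of a connecting terminal and has the core network check its subscription over the user plane channel (claims 1 and 3), builds an IPSec tunnel to the trusted wifi convergence gateway and forwards the trusted wifi authentication through it (claims 4 and 6), disconnects and blacklists a terminal that fails the subscription check (claim 5), and may itself hang off another relay, in which case its uplink is the first relay's wifi link and tunnel (claim 7). The Python simulation below is an added example and is not code from the patent or from China Telecom. The `CoreNetwork` and `Terminal` classes, the message names, the gateway address 192.0.2.10 and the sample MAC addresses are all constructed for illustration, and the IKE/IPSec exchange is reduced to a tunnel identifier. The example also makes the core refuse subscription checks from a terminal that has not been authorized as a hotspot; the claims do not spell this out, but without such a rule any device with user-plane access could enumerate subscribed MACs.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import re

# Six colon-separated hex octets; MACs are lower-cased before they are compared.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

@dataclass
class CoreNetwork:
    """Target core network: subscription records plus the trusted wifi convergence gateway."""
    subscribed_macs: Set[str]                               # constructed subscription records (claim 3)
    gateway_ip: str = "192.0.2.10"                          # assumed gateway address, TEST-NET-1 (claim 6)
    authorized: Set[str] = field(default_factory=set)       # terminals allowed to open a trusted hotspot (claim 2)
    tunnels: Dict[str, str] = field(default_factory=dict)   # terminal name -> tunnel id (stand-in for IPSec SAs)

    def handle(self, origin: str, msg: dict) -> dict:
        """Process one message from terminal `origin`, whether it arrived directly or via a relay."""
        kind = msg["type"]
        if kind == "hotspot_auth_request":                  # claim 2
            self.authorized.add(origin)
            return {"status": "ok"}
        if kind == "subscription_auth":                     # claims 1 and 3
            if origin not in self.authorized:               # assumption: only authorized hotspots may ask
                return {"status": "fail", "reason": "relay not authorized"}
            mac = msg["mac"].lower()
            ok = MAC_RE.fullmatch(mac) is not None and mac in self.subscribed_macs
            return {"status": "ok" if ok else "fail", "gateway_ip": self.gateway_ip}
        if kind == "ipsec_setup":                           # claim 6; the IKE exchange itself is abstracted away
            tunnel_id = f"tun-{len(self.tunnels) + 1}"
            self.tunnels[origin] = tunnel_id
            return {"status": "ok", "tunnel": tunnel_id}
        if kind == "trusted_wifi_auth":                     # claim 4: only honoured inside an established tunnel
            ok = msg.get("via_tunnel") in self.tunnels.values()
            return {"status": "ok" if ok else "fail"}
        return {"status": "fail", "reason": "unknown message"}

@dataclass
class Terminal:
    name: str
    mac: str
    core: CoreNetwork
    uplink: Optional["Terminal"] = None                     # relay hotspot this terminal is attached to (claim 7)
    hotspot_open: bool = False
    tunnel: Optional[str] = None
    blacklist: Set[str] = field(default_factory=set)        # MACs refused after a failed subscription check (claim 5)

    def send(self, msg: dict, origin: Optional[str] = None) -> dict:
        """Reach the core directly over the user plane channel, or through the uplink relay's tunnel."""
        origin = origin or self.name
        if self.uplink is None:
            return self.core.handle(origin, msg)
        if self.uplink.tunnel is None:
            return {"status": "fail", "reason": "uplink has no tunnel"}
        return self.uplink.send({**msg, "via_tunnel": self.uplink.tunnel}, origin)

    def open_hotspot(self) -> bool:
        """Claim 2: become a near-domain service trusted hotspot only after the core confirms."""
        resp = self.send({"type": "hotspot_auth_request", "service": "near-domain"})
        self.hotspot_open = resp["status"] == "ok"
        return self.hotspot_open

    def accept(self, client: "Terminal") -> str:
        """Claims 1, 4, 5 and 6: handle a connection request from `client` to this hotspot."""
        mac = client.mac.lower()
        if not self.hotspot_open or mac in self.blacklist:
            return "rejected"                                # blacklisted MACs cost no core round trip
        # wifi association happens here; the relay reads the client's MAC (the first identifier)
        resp = self.send({"type": "subscription_auth", "mac": mac})
        if resp["status"] != "ok":
            self.blacklist.add(mac)                          # claim 5: drop the wifi link and blacklist the MAC
            return "disconnected"
        if self.tunnel is None:                              # claim 6: learn the gateway address, build the tunnel
            self.tunnel = self.send({"type": "ipsec_setup", "peer": resp["gateway_ip"]})["tunnel"]
        client.uplink = self
        # claim 4: the client initiates trusted wifi authentication; the relay forwards it through the tunnel
        auth = client.send({"type": "trusted_wifi_auth", "mac": mac})
        if auth["status"] != "ok":
            client.uplink = None
            return "auth_failed"
        return "connected"

def run_scenario() -> dict:
    """Constructed walk-through: A is the first terminal, B the second, C the third, X is not subscribed."""
    core = CoreNetwork(subscribed_macs={"02:00:00:00:00:0b", "02:00:00:00:00:0c"})
    a = Terminal("A", "02:00:00:00:00:0a", core)
    b = Terminal("B", "02:00:00:00:00:0B", core)            # upper-case hex exercises the normalisation
    c = Terminal("C", "02:00:00:00:00:0c", core)
    x = Terminal("X", "02:00:00:00:00:0e", core)
    r = {"a_open": a.open_hotspot()}
    r["b"] = a.accept(b)            # claims 1, 3, 4, 6: subscribed, tunnel tun-1 built, authenticated
    r["x"] = a.accept(x)            # claim 5: not subscribed -> disconnected and blacklisted
    r["x_again"] = a.accept(x)      # rejected locally without asking the core again
    r["b_open"] = b.open_hotspot()  # claim 7: B is authorized through A's wifi link and tunnel
    r["c"] = b.accept(c)            # claim 7: C is checked via tun-1, then B builds its own tun-2
    r["tunnels"] = dict(core.tunnels)
    r["blacklist"] = sorted(a.blacklist)
    return r
```

Calling `run_scenario()` returns the outcome of each step; the interesting ones are that X is turned away a second time before any message reaches the core, and that C's subscription check travels inside A's tunnel while C's traffic afterwards uses B's own tunnel. Two caveats a practitioner should keep in mind. The MAC address used as the first identifier is trivially spoofed and modern handsets randomize it per SSID, so the subscription check and the blacklist of claim 5 keep out a careless device rather than an adversary; the real access control has to come from the trusted wifi authentication of claim 4, which is why the example only accepts that exchange through an established tunnel. And since the relay terminal sees every client's MAC and forwards every client's authentication request, the core should treat the relay as untrusted in that role, which is what the authorization step of claim 2 and the per-relay check in the example are for.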
CN202111664360.8A 2021-12-31 2021-12-31 Communication data processing method, system, electronic device and readable storage medium Pending CN114339753A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111664360.8A CN114339753A (en) 2021-12-31 2021-12-31 Communication data processing method, system, electronic device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111664360.8A CN114339753A (en) 2021-12-31 2021-12-31 Communication data processing method, system, electronic device and readable storage medium

Publications (1)

Publication Number Publication Date
CN114339753A true CN114339753A (en) 2022-04-12

Family

ID=81021022

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111664360.8A Pending CN114339753A (en) 2021-12-31 2021-12-31 Communication data processing method, system, electronic device and readable storage medium

Country Status (1)

Country Link
CN (1) CN114339753A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114928830A (en) * 2022-05-09 2022-08-19 中国电信股份有限公司 Near-field communication method, device, equipment and medium
CN114928830B (en) * 2022-05-09 2024-04-30 中国电信股份有限公司 Near-field communication method, device, equipment and medium
CN115150217A (en) * 2022-06-30 2022-10-04 青岛海信移动通信技术股份有限公司 Network distribution method, device and equipment for intelligent household equipment

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618891A (en) * 2013-11-04 2015-05-13 华为终端有限公司 Communication method, terminal and core network entity
WO2019023825A1 (en) * 2017-07-30 2019-02-07 华为技术有限公司 Method and device for protecting privacy
US20190110238A1 (en) * 2017-10-05 2019-04-11 Blackberry Limited Authenticating user equipments through relay user equipments
CN111182542A (en) * 2018-11-09 2020-05-19 中国电信股份有限公司 Method, system, base station and readable storage medium for establishing proximity service
WO2021045859A1 (en) * 2019-09-06 2021-03-11 Convida Wireless, Llc Path selection or path switching and charging for proximity service communication
US20210136570A1 (en) * 2019-11-05 2021-05-06 Qualcomm Incorporated Proximity service authorization and provisioning
WO2021136211A1 (en) * 2019-12-31 2021-07-08 华为技术有限公司 Method and device for determining authorization result
WO2021138511A1 (en) * 2020-01-03 2021-07-08 Qualcomm Incorporated Methods and apparatuses for supporting connectivity of remote user equipments with relay access via an interworking function
WO2021219102A1 (en) * 2020-04-30 2021-11-04 维沃移动通信有限公司 Device interaction method and core network device
WO2021222769A1 (en) * 2020-05-01 2021-11-04 Qualcomm Incorporated Relay sidelink communications for secure link establishment
US20210345104A1 (en) * 2020-05-01 2021-11-04 Qualcomm Incorporated Relay sidelink communications for secure link establishment

Similar Documents

Publication Publication Date Title
US8769626B2 (en) Web authentication support for proxy mobile IP
EP2658301B1 (en) Non-mobile authentication for mobile network gateway connectivity
US9549317B2 (en) Methods and apparatuses to provide secure communication between an untrusted wireless access network and a trusted controlled network
EP3029997B1 (en) Network handover method and system
US8665819B2 (en) System and method for providing mobility between heterogenous networks in a communication environment
US9167430B2 (en) Access method and system, and mobile intelligent access point
RU2503147C2 (en) Handover method and handover apparatus
US10244381B2 (en) Supporting multiple concurrent service contexts with a single connectivity context
US10419994B2 (en) Non-access stratum based access method and terminal supporting the same
WO2013054121A1 (en) Access point
US10091160B2 (en) Wireless access gateway
US20170244705A1 (en) Method of using converged core network service, universal control entity, and converged core network system
JP2019533960A (en) Dual card / dual active communication method, terminal, network, system
CN106470465B (en) WIFI voice service initiating method, LTE communication equipment, terminal and communication system
WO2016155012A1 (en) Access method in wireless communication network, related device and system
CN114339753A (en) Communication data processing method, system, electronic device and readable storage medium
KR102362078B1 (en) Server and primary terminal for controlling a dedicated network connection of secondary terminal connecting to the dedicated network using the primary terminal
WO2018058680A1 (en) Local service authorization method and related device
US20190223013A1 (en) Method for establishing public data network connection and related device
WO2010133107A1 (en) Method and system for home node b gateway forwarding messages to home node b
WO2012130133A1 (en) Access point and terminal access method
KR20110031097A (en) Method and apparatus for supporting local breakout service in wireless communication system
US10595254B2 (en) Non-access stratum based access method and terminal supporting the same
WO2017129101A1 (en) Routing control method, apparatus and system
WO2022067540A1 (en) Relay device selection method and apparatus, and device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination