CN115884177A - Communication method, device and system

Publication number
CN115884177A
Authority
CN
China
Prior art keywords
service
indication information
network slice
request
authentication
Legal status
Pending
Application number
CN202111130972.9A
Other languages
Chinese (zh)
Inventor
李文正
朱强华
吴问付
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202111130972.9A
Priority to PCT/CN2022/103065 (WO2023045472A1)
Publication of CN115884177A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Abstract

The application discloses a communication method, a communication device and a communication system for improving the security of data transmission. The method comprises the following steps: a first communication device in a mobile communication system sends a first request to a second communication device to request authentication of whether a terminal device can implement a first service; after receiving the authentication result from the second communication device, the first communication device determines, according to the authentication result, whether to provide the first service for the terminal device. With this scheme, the first communication device obtains an authentication result indicating whether the terminal device can implement the requested service, and according to that result the mobile communication system in which the first communication device is located provides the terminal device with the services for which authentication succeeded and withholds the services for which authentication failed, so that the security of data transmission is improved.

Description

Communication method, device and system
Technical Field
The present application relates to the field of communications technologies, and in particular, to a communication method, apparatus, and system.
Background
In the field of communications, a mobile communication system can provide transmission channels for various services to terminal devices. For example, the mobile communication system may provide a channel for service data transmission for a call service, a video service, a web service, and the like of a terminal device. To improve the security of data transmission, the mobile communication system authenticates the terminal device before providing it with a channel for data transmission.
Currently, a mobile communication system may authenticate a terminal device according to the subscription information of the terminal device, where the subscription information is related to the identity information of the terminal device.
However, this approach cannot accommodate the many complex situations that arise, which in turn affects the security of data transmission.
Disclosure of Invention
The application provides a communication method, a communication device and a communication system for improving the security of data transmission.
In a first aspect, an embodiment of the present application provides a communication method. The method may be applied in a communication system as shown in fig. 1-4 below. The method comprises the following steps: a first communication device in a mobile communication system may send a first request to a second communication device to request authentication of whether a terminal device can implement a first service, where the first request includes first service indication information indicating the first service requested by the terminal device. After receiving a first response from the second communication device, the first communication device may determine, according to an authentication result in the first response, whether to provide the first service for the terminal device, where the first response may include the authentication result obtained by the second communication device authenticating whether the terminal device is capable of implementing the first service.
By this method, the first communication device obtains an authentication result indicating whether the terminal device can implement the requested service, and according to that result the mobile communication system in which the first communication device is located can provide the terminal device with the services for which authentication succeeded and withhold the services for which authentication failed, so that the security of data transmission can be improved.
In one possible design, the first communication device may send the first request to the second communication device after receiving a second request from a third communication device. The second request includes the first service indication information, and the second request is a registration request or a first session establishment request.
Through this design, in a registration procedure or a session establishment procedure, the first communication device can obtain an authentication result of whether the terminal device can implement the requested service, and according to that result the mobile communication system in which the first communication device is located can provide the terminal device with the successfully authenticated services and withhold the services for which authentication failed, so that the security of data transmission can be improved.
In one possible design, the first service includes at least one service, and the authentication result includes: the terminal device can implement a second service among the first services. When the second request is the registration request, the first communication device is an access and mobility management function (AMF), the second communication device is an authentication server function (AUSF) and/or a network slice specific authentication and authorization function (NSSAAF), and the third communication device is the terminal device or an access network (AN) device accessed by the terminal device. After receiving the first response from the second communication device, the first communication device may accept or reject a session establishment request in, but not limited to, the following modes:
Mode 1:
The first communication device may send a first message to a unified data management (UDM), where the first message includes second service indication information for indicating the second service.
After receiving a second session establishment request from the terminal device or the AN device accessed by the terminal device, the first communication device sends a third request to a session management function (SMF). The second session establishment request may include third service indication information for indicating a third service that the terminal device requests to execute; the third request may include the third service indication information, and the third request requests the SMF to accept or reject the second session establishment request according to the second service indication information acquired from the UDM and the third service indication information.
In this way, in the registration procedure the UDM obtains and stores the second service indication information of the second service that the terminal device can implement (i.e., the service indication information of the successfully authenticated services), and in the subsequent session establishment procedure the SMF accepts or rejects the session establishment request according to the registration-time authentication result (including the second service indication information) obtained from the UDM, so that the mobile communication system provides the terminal device with the successfully authenticated services and withholds the services for which authentication failed, further improving the security of data transmission.
Mode 2:
The first communication device may store second service indication information for indicating the second service. After receiving a second session establishment request from the terminal device or the AN device accessed by the terminal device, the first communication device accepts or rejects the second session establishment request according to the locally stored second service indication information. The second session establishment request includes third service indication information for indicating a third service that the terminal device requests to execute.
Optionally, when the second service that the terminal device can implement includes the third service, the first communication device may accept the second session establishment request; otherwise, the first communication device may reject the second session establishment request.
In this way, in the registration procedure the first communication device stores the service indication information of the second service among the first services that the terminal device can implement (i.e., the service indication information of the successfully authenticated services), and in the subsequent session establishment procedure the first communication device accepts or rejects the session establishment request according to the registration-time authentication result (including the second service indication information) stored locally, so that the mobile communication system provides the terminal device with the successfully authenticated services and withholds the services for which authentication failed, further improving the security of data transmission.
In a possible design, when the second request is the registration request, the first communication device may be an AMF, the second communication device may be an NSSAAF, and the third communication device may be the terminal device or the AN device accessed by the terminal device. The second request may further include first network slice indication information for indicating a first network slice that the terminal device requests to access; the first request may further include the first network slice indication information; and the authentication result may be obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
Through this design, in the registration procedure, the first communication device can obtain an authentication result of whether the terminal device can implement the requested service on the network slice it requested, and according to that result the mobile communication system in which the first communication device is located can provide the terminal device with the successfully authenticated services and withhold the services for which authentication failed, so that the security of data transmission can be improved.
In one possible design, the first service may include at least one service, the first network slice may include at least one network slice, and the authentication result may include: the terminal device can implement a fourth service among the first services on a second network slice among the first network slices. After receiving the first response from the second communication device, the first communication device may accept or reject a session establishment request in, but not limited to, the following methods:
Method 1:
The first communication device sends a second message to the UDM, where the second message includes second network slice indication information and fourth service indication information; the second network slice indication information indicates the second network slice, and the fourth service indication information indicates the fourth service that the terminal device can implement on the second network slice.
After receiving a third session establishment request from the terminal device or the AN device accessed by the terminal device, the first communication device sends a fourth request to the SMF. The third session establishment request includes third network slice indication information and fifth service indication information, where the third network slice indication information indicates a third network slice and the fifth service indication information indicates a fifth service that the terminal device requests to execute on the third network slice. The fourth request includes the third network slice indication information and the fifth service indication information, and requests the SMF to accept or reject the third session establishment request according to the second network slice indication information and fourth service indication information acquired from the UDM and the third network slice indication information and fifth service indication information.
Through this method, in the registration procedure the UDM can acquire the fourth service indication information (i.e., the service indication information of the successfully authenticated service) and the second network slice indication information (i.e., the network slice indication information of the successfully authenticated network slice), and in the subsequent session establishment procedure the SMF can accept or reject the session establishment request according to the registration-time authentication result (including the second network slice indication information and the fourth service indication information) acquired from the UDM, so that the mobile communication system provides the terminal device with the successfully authenticated services and withholds the services for which authentication failed, further improving the security of data transmission.
Method 2:
The first communication device stores second network slice indication information and fourth service indication information, where the second network slice indication information indicates the second network slice and the fourth service indication information indicates the fourth service that the terminal device can implement on the second network slice.
After receiving a third session establishment request from the terminal device or the AN device accessed by the terminal device, the first communication device may accept or reject the third session establishment request according to the locally stored second network slice indication information and fourth service indication information. The third session establishment request includes third network slice indication information and fifth service indication information, where the third network slice indication information indicates a third network slice and the fifth service indication information indicates a fifth service that the terminal device requests to execute on the third network slice.
Optionally, when the second network slice includes the third network slice and the fourth service includes the fifth service, the first communication device may accept the third session establishment request; otherwise, the first communication device may reject the third session establishment request.
Through this method, in the registration procedure the first communication device can store the fourth service indication information (i.e., the service indication information of the successfully authenticated service) and the second network slice indication information (i.e., the network slice indication information of the successfully authenticated network slice), and in the subsequent session establishment procedure the first communication device can accept or reject the session establishment request according to the registration-time authentication result (including the second network slice indication information and the fourth service indication information) stored locally, so that the mobile communication system provides the terminal device with the successfully authenticated services and withholds the services for which authentication failed, further improving the security of data transmission.
In one possible design, the second request may further include at least one of: first indication information for indicating whether the terminal device needs to be authenticated for the first service, and second indication information for indicating the communication device that performs the authentication processing.
In one possible design, when the first communication device is an AMF or an SMF, before sending the first request to the second communication device, the first communication device may determine the second communication device according to the first service indication information, where the second communication device is at least one of an AUSF, an NSSAAF, a UDM, or an AAA server outside the mobile communication system.
In one possible design, when the first communication device is an AMF or an SMF, after receiving the first response from the second communication device, the first communication device may send a third message to the terminal device according to the authentication result, where the third message includes at least one of:
sixth service indication information for indicating a service that the terminal device can implement;
seventh service indication information for indicating a service that the terminal device cannot implement;
fourth network slice indication information for indicating a network slice that the terminal device can access, and eighth service indication information for indicating a service that the terminal device can implement on that network slice;
fifth network slice indication information for indicating a network slice that the terminal device can access, and ninth service indication information for indicating a service that the terminal device cannot implement on that network slice;
sixth network slice indication information for indicating a network slice that the terminal device cannot access, and tenth service indication information for indicating a service requested by the terminal device on that network slice.
With this design, the first communication device can notify the terminal device of the authentication result.
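As an added example (not code from the patent or from any 3GPP implementation), the following Python models the local-storage variant described above (Mode 2 and Method 2) together with the third message of the preceding list: a second communication device authenticates the requested slice/service pairs, the AMF stores the result and later admits or rejects a session establishment request against it, and the notification to the terminal device is built from the same result. The service database, the class and function names, and all slice, service and UE identifiers are constructed assumptions.

```python
"""Registration-time service authentication followed by a session-establishment
admission check, as a model of the flows described above.

Constructed example for illustration: the class and function names, the
service database, and the slice/service/UE identifiers are all assumptions,
not taken from the patent or from any 3GPP implementation.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the knowledge of the second communication device
# (AUSF/NSSAAF, or the AAA server behind it): for each terminal device, the
# network slices it may access and the services it may implement on each.
SERVICE_AUTH_DB = {
    "ue-1": {
        "slice-A": {"voice", "video"},
        "slice-B": {"web"},
    },
}


@dataclass(frozen=True)
class AuthResult:
    """Authentication result carried in the first response."""
    # network slices the terminal device can access (second network slice)
    accessible: frozenset
    # per accessible slice, services it can implement there (fourth service)
    allowed: dict


def authenticate(ue_id: str, requested: dict) -> AuthResult:
    """Second communication device: authenticate the first request.

    `requested` maps each requested network slice (first network slice
    indication information) to the set of services requested on it (first
    service indication information). Only what the database authorises is
    granted; an unknown UE or an unknown slice is granted nothing.
    """
    known = SERVICE_AUTH_DB.get(ue_id, {})
    accessible = frozenset(s for s in requested if s in known)
    allowed = {s: frozenset(requested[s]) & frozenset(known[s]) for s in accessible}
    return AuthResult(accessible=accessible, allowed=allowed)


def build_notification(requested: dict, result: AuthResult) -> dict:
    """Third message to the terminal device, split the way the text lists it:
    accessible slices with the services allowed and denied on each, and
    slices the device cannot access together with the services it asked for."""
    accessible, not_accessible = {}, {}
    for slice_id, services in requested.items():
        if slice_id in result.accessible:
            granted = result.allowed[slice_id]
            accessible[slice_id] = {
                "allowed": sorted(granted),                 # eighth service indication
                "denied": sorted(set(services) - granted),  # ninth service indication
            }
        else:
            not_accessible[slice_id] = sorted(services)     # tenth service indication
    return {"accessible_slices": accessible, "not_accessible_slices": not_accessible}


@dataclass
class Amf:
    """First communication device in Mode 2 / Method 2: it keeps the
    authentication result locally and decides session requests itself.
    In Mode 1 the same result would be written to the UDM and the same check
    made by the SMF; only the storage location differs."""
    stored: dict = field(default_factory=dict)  # ue id -> AuthResult

    def register(self, ue_id: str, requested: dict) -> dict:
        """Registration procedure: authenticate, store, notify the device."""
        result = authenticate(ue_id, requested)
        self.stored[ue_id] = result
        return build_notification(requested, result)

    def session_establishment(self, ue_id: str, slice_id: str, service: str) -> bool:
        """Accept only if the requested slice was authenticated for this device
        and the requested service is among those authenticated on that slice
        (second network slice includes the third, fourth service includes the
        fifth). A device with no registration-time result is rejected."""
        result = self.stored.get(ue_id)
        if result is None:
            return False
        return slice_id in result.accessible and service in result.allowed[slice_id]


if __name__ == "__main__":
    amf = Amf()
    # constructed registration request: three slices, one of them not authorised
    request = {"slice-A": {"voice", "video", "web"}, "slice-B": {"web"}, "slice-C": {"iot"}}
    print(amf.register("ue-1", request))
    for slice_id, service in [("slice-A", "voice"), ("slice-A", "web"), ("slice-C", "iot")]:
        verdict = "accept" if amf.session_establishment("ue-1", slice_id, service) else "reject"
        print(slice_id, service, verdict)
```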
In one possible design, when the first communication device is the AMF, the first communication device may send a fourth message to the terminal device after receiving the first response from the second communication device. The fourth message may trigger the terminal device to authenticate, according to locally stored authentication information, whether it can implement the first service in the mobile communication system, where the authentication information includes service authentication information.
Through this design, the terminal device can authenticate, according to the locally stored service authentication information, whether it can implement the requested service in the mobile communication system, so that the terminal device uses the successfully authenticated services and does not use the services for which authentication failed, thereby improving the security of data transmission.
In one possible design, the first service indication information may include at least one of: an identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
In a second aspect, an embodiment of the present application provides a communication method. The method may be applied in a communication system as shown in fig. 1-4 below. The method comprises the following steps: after receiving a first request from a first communication device in a mobile communication system, a second communication device authenticates whether a terminal device can implement a first service requested by the terminal device. The first request may include first service indication information indicating the first service, and the first request requests authentication of whether the terminal device is capable of implementing the first service. The second communication device sends a first response to the first communication device, where the first response may include a first authentication result obtained by the second communication device authenticating whether the terminal device is capable of implementing the first service, and the first authentication result may be used by the first communication device to determine whether to provide the first service for the terminal device.
By this method, the second communication device can authenticate whether the terminal device can implement the requested service and send the authentication result to the first communication device, so that the mobile communication system in which the first communication device is located can provide the terminal device with the successfully authenticated services and withhold the services for which authentication failed, thereby improving the security of data transmission.
In one possible design, the second communication device may authenticate as follows: after sending a fifth request to a fourth communication device, the second communication device receives a fifth response from the fourth communication device, and authenticates whether the terminal device can implement the first service according to a second authentication result in the fifth response, so as to obtain the first authentication result. The fifth request requests the fourth communication device to authenticate whether the terminal device can implement the first service, and the fifth response may include the second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service.
Through this design, the second communication device and the fourth communication device can jointly authenticate whether the terminal device can implement the service; after the first communication device obtains the authentication result, the mobile communication system in which the first communication device is located can provide the terminal device with the successfully authenticated services and withhold the services for which authentication failed, so that the security of data transmission can be improved.
In one possible design, the first request may further include first network slice indication information, which may indicate a first network slice that the terminal device requests to access. In this case, the second communication device may authenticate whether the terminal device can implement the first service on the first network slice, and the first authentication result may be obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
Through this design, in the registration procedure, the second communication device can authenticate whether the terminal device can implement the requested service on the network slice it requested, and send the authentication result to the first communication device, so that the mobile communication system in which the first communication device is located can provide the terminal device with the successfully authenticated services and withhold the services for which authentication failed, thereby improving the security of data transmission.
In one possible design, the second communication device may authenticate as follows: after sending a sixth request to the fourth communication device, the second communication device receives a sixth response from the fourth communication device, and authenticates whether the terminal device can implement the first service according to a second authentication result in the sixth response, so as to obtain the first authentication result. The sixth request may request the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice, and the sixth response may include the second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service on the first network slice.
Through this design, the second communication device and the fourth communication device can jointly authenticate whether the terminal device can implement the service on the requested network slice; after the first communication device obtains the authentication result, the mobile communication system in which the first communication device is located can provide the terminal device with the successfully authenticated services and withhold the services for which authentication failed, so that the security of data transmission can be improved.
In one possible design, the second communication device may be an AUSF and the fourth communication device may be a UDM; or the second communication device may be an NSSAAF and the fourth communication device may be an AAA server outside the mobile communication system.
In a possible design, the second communication device may authenticate, according to locally stored authentication information, whether the terminal device can implement the first service in the mobile communication system, where the authentication information includes service authentication information.
Through this design, the second communication device can authenticate, according to the locally stored service authentication information, whether the terminal device can implement the requested service in the mobile communication system. In this way, after the first communication device obtains the authentication result, the mobile communication system in which the first communication device is located can provide the terminal device with the successfully authenticated services and withhold the services for which authentication failed, so that the security of data transmission can be improved.
In one possible design, the first service indication information may include at least one of: an identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
In a third aspect, an embodiment of the present application provides a communication apparatus, including means for performing each step in any one of the above aspects.
In a fourth aspect, an embodiment of the present application provides a communication device, including at least one processing element and at least one storage element, where the at least one storage element is configured to store programs and data, and the at least one processing element is configured to read and execute the programs and data stored by the storage element, so that the method provided in any one of the above aspects of the present application is implemented.
In a fifth aspect, an embodiment of the present application provides a communication system, including: a first communication device for performing the method provided by the first aspect, and a second communication device for performing the method provided by the second aspect.
In a sixth aspect, the present application further provides a computer program, which when run on a computer, causes the computer to perform the method provided in any one of the above aspects.
In a seventh aspect, this application embodiment further provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a computer, the computer is caused to execute the method provided in any one of the above aspects.
In an eighth aspect, an embodiment of the present application further provides a chip, where the chip is configured to read a computer program stored in a memory, and execute the method provided in any of the foregoing aspects.
In a ninth aspect, an embodiment of the present application further provides a chip system, where the chip system includes a processor and is used to support a computer device in implementing the method provided in any one of the above aspects. In one possible design, the chip system further includes a memory for storing the programs and data necessary for the computer device. The chip system may consist of a chip, or may include a chip and other discrete devices.
For the technical effects achieved by any one of the third to ninth aspects, reference may be made to any one of the possible designs of the first or second aspect; repeated details are not described again.
Drawings
Fig. 1 is an architecture diagram of a communication system according to an embodiment of the present application;
fig. 2 is an architecture diagram of another communication system provided in an embodiment of the present application;
fig. 3 is an architecture diagram of another communication system provided in an embodiment of the present application;
fig. 4 is an architecture diagram of another communication system according to an embodiment of the present application;
fig. 5 is a flowchart of a first communication method according to an embodiment of the present application;
fig. 6 is a schematic view of an application scenario according to an embodiment of the present application;
fig. 7 is a schematic view of another application scenario according to an embodiment of the present application;
fig. 8 is a flowchart of a second communication method according to an embodiment of the present application;
fig. 9 is a flowchart of an authentication method in a second communication method according to an embodiment of the present application;
fig. 10 is a flowchart of another authentication method in the second communication method according to an embodiment of the present application;
fig. 11 is a flowchart of another authentication method in the second communication method according to the embodiment of the present application;
fig. 12 is a flowchart of the third and sixth communication methods provided in the embodiments of the present application;
fig. 13 is a flowchart of the fourth, fifth, and seventh communication methods provided in an embodiment of the present application;
fig. 14 is a flowchart of an authentication method of a fifth communication method according to an embodiment of the present application;
fig. 15 is a flowchart of an authentication method of a sixth communication method according to an embodiment of the present application;
fig. 16 is a flowchart of another authentication method of a sixth communication method according to an embodiment of the present application;
fig. 17 is a block diagram of a communication apparatus according to an embodiment of the present application;
fig. 18 is a block diagram of a communication device according to an embodiment of the present application.
Detailed Description
The application provides a communication method, a communication device and a communication system, which are used for improving the safety of data transmission. The method, the device and the system are based on the same technical conception, and because the principles of solving the problems are similar, the implementation of the device, the system and the method can be mutually referred, and repeated parts are not repeated.
Through the scheme provided by the embodiment of the application, the first communication equipment in the mobile communication system can send the first request to the second communication equipment to request whether the terminal equipment can realize the first service or not; after receiving the authentication result from the second communication device, the first communication device may determine whether to provide the first service for the terminal device according to the authentication result. By the scheme, the first communication equipment can obtain an authentication result of whether the terminal equipment can realize the requested service authentication, and according to the authentication result, the mobile communication system where the first communication equipment is located can provide the service which is successfully authenticated for the terminal equipment and does not provide the service which is failed in authentication for the terminal equipment, so that the safety of data transmission can be improved.
Hereinafter, some terms in the embodiments of the present application are explained to facilitate understanding by those skilled in the art.
1) Communication equipment generally refers to equipment having a communication function. Illustratively, the communication device may be, but is not limited to, a terminal device, an access network (AN) device, an access point, a core network (CN) device, and the like.
2) A terminal device is a device that provides voice and/or data connectivity to a user. The terminal device may provide a portal through which the user interacts with the network; for example, it may display a service window to the user and accept operation input from the user. A next-generation terminal device may use New Radio (NR) technology to establish a connection with an AN device and thereby exchange control signaling and service data with the mobile communication system. The terminal device may also be referred to as a user equipment (UE), a mobile station (MS), a mobile terminal (MT), and so on.
For example, the terminal device may be a handheld device, an in-vehicle device, or the like having a wireless connection function. Currently, some examples of terminal devices are: a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a mobile internet device (MID), a wearable device, a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, and the like.
3) The AN device is a device for accessing the terminal device to the wireless network in the mobile communication system. The AN device may provide services for authorized users in a specific area, and may provide quality of service (QoS) transmission tunnels for terminal devices used by the users according to the user level, the service requirements, and the like. The AN device, as a node in a radio access network, may also be referred to as a base station, a Radio Access Network (RAN) node (or device), and AN Access Point (AP).
Currently, some examples of AN apparatus are: a new generation Node B (gNB), a Transmission Reception Point (TRP), an evolved Node B (eNB), a Radio Network Controller (RNC), a Node B (NB), a Base Station Controller (BSC), a Base Transceiver Station (BTS), a home base station (e.g., a home evolved Node B or home Node B, HNB), or a Base Band Unit (BBU), etc.
In addition, in one network structure, the AN device may include a centralized unit (CU) node and a distributed unit (DU) node. This structure splits the protocol layers of the AN device: the functions of some protocol layers are placed centrally in the CU, the functions of the remaining (or all) protocol layers are distributed in the DU, and the DU is controlled centrally by the CU.
4) The CN device is a network element included in a CN part in a mobile communication system. The CN device can access the terminal device to different data networks, and perform services such as charging, mobility management, session management, user plane forwarding, subscription data maintenance, policy management, and security authentication.
When the terminal equipment requests to attach, the CN can perform security authentication on the terminal equipment; when the terminal equipment requests for service, the CN can allocate resources to the terminal equipment; when the terminal equipment moves, the CN can update resources for the terminal equipment; when the terminal equipment is in an idle state, the CN can provide a quick recovery mechanism for the terminal equipment; when the terminal equipment is detached, the CN can release resources for the terminal equipment; when the terminal equipment needs to transmit the service data packet, the CN can provide a data route for the terminal equipment.
In mobile communication systems of different standards, names of CN devices having the same function may differ. However, the embodiments of the present application do not limit specific names of CN devices having each function.
For example, in the 4th generation (4G) mobile communication system (i.e., Long Term Evolution (LTE)), the network element responsible for access control, security control, signaling coordination and other functions is the mobility management entity (MME); the network element serving as the local mobility management anchor is the serving gateway (S-GW); the network element responsible for Internet Protocol (IP) address allocation and serving as the anchor for handover towards an external data network is the packet data network (PDN) gateway (P-GW); the network element storing user-related data and subscription data is the home subscriber server (HSS); and the network element responsible for policy and charging functions is the policy and charging rules function (PCRF) network element.
As another example, in the 5th generation (5G) mobile communication system, the core network may be divided, according to logical function, into a control plane (CP) and a user plane (UP). A CN device in the control plane may be referred to as a control plane network element, and a CN device in the user plane as a user plane network element. Specifically, in the user plane, the network element that serves as the interface to the data network and is responsible for functions such as user plane data forwarding is the user plane function (UPF) network element. In the control plane, the network element responsible for access control and mobility management is the access and mobility management function (AMF) network element; the network element responsible for session management and enforcement of control policy is the session management function (SMF) network element; the network element responsible for managing subscription data, user access authorization and similar functions is the unified data management (UDM) network element; the network element responsible for charging and policy control is the policy control function (PCF) network element; and the application function (AF) network element conveys the application side's requirements to the network side.
5) A data network (DN) is a network located outside the mobile communication system. Various services may be deployed in the DN, which provides data and/or voice services to terminal devices; in that case the client is typically located at the terminal device and the server at the DN. The DN may be a private network such as a local area network; an external network not controlled by the operator, such as the Internet; or an operator-deployed proprietary network, such as an IP multimedia subsystem (IMS) network providing IMS services. This is not limited in the present application.
6) The session is a connection between a terminal device, an access network device, a user plane network element and a DN, which is established by a session management network element in a mobile communication system for the terminal device, and is used for transmitting user plane data between the terminal device and the DN, such as a Protocol Data Unit (PDU) session.
A terminal device may establish one or more PDU sessions with a mobile communication system (e.g., a 5G communication system), in each of which one or more quality of service (QoS) flows may be established.
Each QoS flow is used to transport data for the same QoS requirement (reliability or latency) in one service. The QoS flow may be identified by a QoS Flow Identifier (QFI).
There is a correspondence between the data flow in the DN and the QoS flow in the mobile communication system. For example, when a service packet in a data flow in the DN is transmitted to the mobile communication system, the mobile communication system maps the service packet to a corresponding QoS flow transmission. Correspondingly, when the service data packet in the QoS flow in the mobile communication system is transmitted to the DN, the service data packet is mapped to the corresponding data flow for transmission.
7) In the embodiments of the present application, "authentication" may be replaced with an equivalent term such as "authorization".
8) In the embodiments of the present application, "implementing" a service includes "using" the service, and "executing" a service includes "transmitting" the service.
9) In the embodiment of the application, if the authentication result indicates that the terminal device can implement the service or the terminal device can implement the service on the network slice, the service may be referred to as a service with successful authentication; if the authentication result indicates that the terminal device is not capable of implementing the service or the terminal device is not capable of implementing the service on the network slice, the service may be referred to as a service that failed authentication.
If the authentication result indicates that the terminal device can access the network slice, the network slice can be called a slice with successful authentication; if the authentication result indicates that the terminal device is unable to access the network slice, the network slice may be referred to as a network slice that failed authentication.
The "authentication success" may be replaced with "authentication passed" or "usable", and the "authentication failure" may be replaced with "authentication failed".
10) A "successfully authenticated service" may also be referred to as a "successfully registered service"; a "service that failed authentication" may also be referred to as a "service that failed registration" or an "unsubscribed service"; a "successfully authenticated network slice" may also be referred to as a "successfully registered network slice"; and a "network slice that failed authentication" may also be referred to as a "network slice that failed registration" or an "unregistered network slice".
11) In the embodiments of the present application, service indication information is information that indicates a service and may include, but is not limited to, at least one of the following: an identifier of the service, indication information of the type of the service, and indication information of the provider of the service.
For example, the identifier of the service may be a service identifier list (service ID list), the indication information of the type of the service may be a service category identifier list (service category ID list), and the indication information of the provider of the service may be a service provider identifier list (service provider ID list).
12) In the embodiments of the present application, network slice indication information is information that indicates a network slice and may include at least one of the following: requested network slice selection assistance information (Requested NSSAI), or single network slice selection assistance information (S-NSSAI).
In addition, when the network slice indication information indicates a plurality of network slices, it may be a list of network slice identifiers, for example an S-NSSAI list.
13) In the embodiments of the present application, when one message includes both service indication information and network slice indication information, the service indicated by the service indication information may be the service related to, or corresponding to, the network slice indicated by the network slice indication information.
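The following is an added illustration of items 11) to 13), not code from the patent: a parser that normalises one message carrying both service indication information and network slice indication information, enforcing that at least one service field is present, accepting the three slice encodings (Requested NSSAI, a single S-NSSAI, or an S-NSSAI list), and relating the indicated services to every indicated slice. The field names and the sample message are assumed for illustration; the patent fixes no encoding.

```python
# Added example, not from the patent. Field names and the sample message are
# assumed for illustration; the patent fixes no encoding.

SERVICE_FIELDS = ("service_id_list", "service_category_id_list",
                  "service_provider_id_list")
SLICE_FIELDS = ("requested_nssai", "s_nssai", "s_nssai_list")


def parse_indication_info(msg):
    """Normalise the service indication information and the network slice
    indication information carried in one message (items 11 to 13).

    Returns {"services": {field: [ids]}, "slices": [S-NSSAI, ...],
             "services_per_slice": {S-NSSAI: {field: [ids]}}}.
    The per-slice map encodes item 13): the services carried in the same
    message as the slice indication are the services related to those slices.
    """
    services = {}
    for name in SERVICE_FIELDS:
        if name in msg:
            value = msg[name]
            ids = value if isinstance(value, list) else [value]
            services[name] = [str(i) for i in ids]
    if not services:
        # item 11): at least one of ID, type or provider must be present
        raise ValueError("service indication information must carry at least "
                         "one of: service ID, service type, service provider")

    slices = []
    for name in SLICE_FIELDS:
        if name not in msg:
            continue
        value = msg[name]
        # s_nssai carries a single slice; the other two fields carry a list
        items = value if isinstance(value, list) else [value]
        for s in items:
            s = str(s)
            if s not in slices:          # keep order, drop duplicates
                slices.append(s)

    return {
        "services": services,
        "slices": slices,
        "services_per_slice": {s: services for s in slices},
    }
```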
In the embodiments of the present application, unless otherwise specified, a noun denotes "one or more" of the item, that is, the singular or the plural. "At least one" means one or more, and "a plurality" means two or more. "And/or" describes an association between objects and covers three cases; for example, "A and/or B" may mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects it joins; for example, "A/B" means A or B. "At least one of the following" and similar expressions refer to any combination of the listed items, including any combination of single items or plural items.
In addition, it is to be understood that the terms first, second, etc. in the description of the present application are used for distinguishing between similar elements and not necessarily for describing a sequential or chronological order.
A communication system to which the embodiments of the present application are applied will be described below with reference to the accompanying drawings.
Fig. 1 illustrates an architecture of a possible communication system to which the communication method provided in the embodiment of the present application is applied. As shown in fig. 1, the communication system includes: terminal equipment (UE is illustrated in the figure), a mobile communication system, and a DN. Wherein the mobile communication system may comprise two parts, AN and CN.
The UE and the mobile communication system are the main components of the communication system. Logically, the UE and the mobile communication system can be divided into a control plane and a user plane. The control plane may be responsible for management of the mobile communication system and the user plane may be responsible for transmission of traffic data.
As shown in fig. 1, an interface NG2 exists between the AN control plane and the CN control plane; an interface NG3 exists between the AN user plane and the CN user plane; and an interface NG6 exists between the CN user plane and the DN. The components of the communication system interact through these interfaces.
The main components of the communication system are explained below.
The terminal device is an entity capable of receiving and transmitting wireless signals at the user side, and needs to access the DN through the mobile communication system. Optionally, the terminal device may be used as a relay device of other data collectors or other terminal devices, so that these devices can perform service communication with the DN through the mobile communication system.
The mobile communication system may access at least one DN, which may also be accessed by at least one mobile communication system.
The network device deployed in the AN is AN device, and may specifically be responsible for functions such as wireless access, air interface side radio resource management, quality of service (QoS) management, data compression and encryption, and user plane data forwarding.
The network elements deployed in the CN may be collectively referred to as CN devices. The following takes the CN in the 5G mobile communication system as an example, and with reference to fig. 2, the functions of the main network elements in the CN will be specifically described. As can be seen from the above description, the network elements in the CN of the 5G mobile communication system can be divided into two types, i.e., a control plane network element and a user plane network element.
The user plane network element includes the user plane function (UPF), which is mainly responsible for packet forwarding, QoS control, accounting statistics and the like, and forwards service data packets according to routing rules received from the SMF. For example, the UPF may send a service data packet in the uplink direction to the DN or to another UPF, and may forward a service data packet in the downlink direction to another UPF or to the AN device.
The control plane network elements are mainly responsible for service flow interaction and for issuing packet forwarding policies, QoS control policies and the like to the user plane. The control plane of the CN adopts a service-based architecture, in which the control plane network elements interact with each other by invoking services: a control plane network element exposes a service that other control plane network elements can call.
The control plane network element mainly comprises: AMF, SMF, PCF, AF, network Exposure Function (NEF), UDM, authentication server function (AUSF), network Slice Selection Function (NSSF), network function repository function (NRF).
The AMF is mainly responsible for access management and mobility management of the UE, for example state maintenance of the UE, reachability management of the UE, forwarding of non-access stratum (NAS) messages other than mobility management (MM) messages, forwarding of session management (SM) N2 messages, and the like.
The SMF is mainly responsible for session management of the UE, for example, managing establishment and deletion of a PDU session, maintaining a PDU session context, allocating resources for a session of the UE, releasing resources, and the like.
The PCF is primarily responsible for policy control, for example generating and/or managing user, session and QoS flow handling policies.
The AF is mainly responsible for providing various service services, and can interact with a core network through the NEF, and interact with a policy management framework to perform policy management, and the like.
The NEF is mainly responsible for providing a framework, authentication and interface related to network capability opening, passing information between the network functions of the mobile communication system and other network functions.
The AUSF is mainly responsible for performing security authentication of the UE.
The NSSF is primarily responsible for selecting a network slice for the UE.
The NRF is mainly responsible for providing the storage function and the selection function of the network function entity information for other network elements.
UDM is mainly responsible for user subscription context management.
Fig. 2 also shows the interfaces between network elements in the communication system, which are explained below. N1 is the interface between the UE and the core network control plane; the UE and the AMF interact through N1. N2 is the interface between the access network device and the core network control plane; the access network device and the AMF interact through N2. N3 is the interface between the access network device and the UPF, used for transmitting user data. N4 is the interface between the SMF and the UPF, used for policy configuration of the UPF and the like. N6 is the interface between the UPF and the DN. Interfaces between the control plane network elements of the CN may be implemented as the corresponding service-based interfaces shown in fig. 2.
The communication systems shown in fig. 1 and 2 do not limit the communication systems to which the embodiments of the present application can be applied. Therefore, the communication method provided by the embodiment of the present application may also be applicable to communication systems of various systems, for example: long Term Evolution (LTE) communication systems, 5G communication systems, the sixth generation (6G) communication systems, and future communication systems. In addition, it should be further noted that, in the embodiments of the present application, names of network elements in a communication system are also not limited, for example, in communication systems of different standards, each network element may have other names; for another example, when multiple network elements are merged in the same physical device, the physical device may have other names.
Fig. 3 and fig. 4 respectively show network architectures of another possible communication system to which the communication method provided in the embodiment of the present application is applicable. As shown in fig. 3 and 4, a Visited Public Land Mobile Network (VPLMN) and a Home Public Land Mobile Network (HPLMN) of a terminal device are included in a communication system, and the VPLMN and the HPLMN coexist and interwork.
The VPLMN may be a visited PLMN or a visited non-public network (NPN); indicating the network accessed by the terminal device in the current area. The HPLMN may be a home PLMN or a home NPN indicating a home network of the user.
The VPLMN interworks with the HPLMN through a visited security edge protection proxy (vSEPP) on the VPLMN side and a home security edge protection proxy (hSEPP) on the HPLMN side. The vSEPP and the hSEPP establish a connection over the N32 interface, apply the agreed protection policy, and process each control plane message of the cross-network signaling.
In the HPLMN, the network slice-specific authentication and authorization function (NSSAAF) may perform authentication and authorization specific to the selected network slice.
The scheme provided by the application is explained in the following with reference to the attached drawings. The embodiment of the present application provides a communication method, which can be applied to the communication systems shown in fig. 1 to 4. The flow of the method will be described in detail with reference to the flow chart shown in fig. 5.
S501: a first communication device in a mobile communication system sends a first request to a second communication device. Accordingly, the second communication device receives the first request from the first communication device.
In this embodiment of the present application, the first communication device may be any one of: AMF and SMF. The second communication device may comprise at least one of: AUSF, NSSAAF, a Network Function (NF) inside the mobile communication system (hereinafter, UDM is described as an example), and an independent server outside the mobile communication system (AAA server is described as an example). The AAA server may be an authentication authorization accounting server (AAA-S).
The first request may include first service indication information, and the first service indication information may indicate a first service requested by a terminal device. The first request may request authentication of whether the terminal device is capable of implementing the first service.
Optionally, the first request may further include: the first network slice indication information. Wherein the first network slice indication information may indicate a first network slice to which the terminal device requests access. The first request may request authentication of whether the terminal device is capable of implementing the first service on the first network slice.
The first request may reuse an existing message (for example, an authentication request), or may be a dedicated message for requesting the second communication device to authenticate whether the terminal device is capable of implementing the first service.
Optionally, before sending the first request to the second communication device, the first communication device may determine the second communication device according to the first service indication information.
For example, if the first communication device determines that the UDM can authenticate all of the first services, the first communication device may determine that the second communication device includes at least one of: UDM, AUSF.
For another example, if the first communication device determines that an AAA server can authenticate all of the first traffic, the first communication device may determine that the second communication device includes at least one of: NSSAAF, AAA server.
For another example, if the first communication device determines that AAA server 1 may authenticate a part of the first service (e.g., service a with service id IDa) and AAA server 2 may authenticate another part of the first service (e.g., service b with service id IDb), the first communication device may determine that the second communication device includes at least one of the following: NSSAAF, the AAA server 1, and the AAA server 2.
For another example, if the first communication device determines that the UDM may authenticate a part of the first service (e.g., service 1 with service ID 1) and the AAA server may authenticate another part of the first service (e.g., service 2 with service ID 2), the first communication device may determine that the second communication device includes at least one of: UDM, AUSF, NSSAAF, AAA Server.
In some implementations, the first communication device may send the first request to the second communication device after receiving a second request from a third communication device. In this case, the second request may trigger the first communication device to send the first request to the second communication device. Wherein the second request may include the first traffic indication information.
The second request may reuse an existing message (for example, a registration request or a session establishment request, hereinafter referred to as the first session establishment request for ease of distinction), or may be a dedicated message for triggering the first communication device to request authentication of whether the terminal device is capable of implementing the first service.
When the second request is the registration request, the first communication device may be an AMF, the second communication device may be an AUSF and/or an NSSAAF, and the third communication device may be the terminal device or the AN device accessed by the terminal device.
Optionally, when the second request is the registration request, the second request may further include the first network slice indication information. In this case the first request may also include the first network slice indication information; the first communication device may be an AMF, the second communication device may be an NSSAAF, and the third communication device may be the terminal device or the AN device accessed by the terminal device.
When the second request is the first session establishment request, the first communication device may be an SMF, the second communication device may be the AAA server, and the third communication device may be an AMF.
Optionally, the second request may further include, but is not limited to, at least one of the following: first indication information and second indication information. The first indication information indicates whether the terminal device needs to be authenticated for implementing the first service, and the second indication information indicates the communication device that performs the authentication process (i.e., the second communication device, for example an AAA server external to the mobile communication system).
The first indication information may be a predetermined field; for example, when the value of the predetermined field is a first value, it indicates that the terminal device needs to be authenticated for implementing the first service. The second indication information may include, but is not limited to, at least one of: an ID of the communication device that performs the authentication process, and address information of that communication device.
After receiving the second request, the first communication device may determine whether the terminal device needs to be authenticated for implementing the first service according to the first indication information, determine a communication device (i.e., a second communication device) that performs authentication processing according to the second indication information, and then send the first request to the second communication device that performs authentication processing to request the second communication device to authenticate whether the terminal device is capable of implementing the first service.
S502: the second communication device authenticates whether the terminal device can implement the first service, and obtains an authentication result (for convenience of distinction, this is hereinafter referred to as a first authentication result).
Wherein the first authentication result may include, but is not limited to, at least one of: the service indication information of the service which can be realized by the terminal equipment, and the service indication information of the service which cannot be realized by the terminal equipment.
Optionally, when the first request includes the first service indication information and the first network slice indication information, the second communication device may authenticate whether the terminal device can implement the first service on the first network slice, so as to obtain the first authentication result.
In this case the first authentication result may include, but is not limited to, at least one of the following: network slice indication information indicating a network slice the terminal device can access together with service indication information indicating the services the terminal device can implement on that network slice; network slice indication information indicating a network slice the terminal device can access together with service indication information indicating the services the terminal device cannot implement on that network slice; and network slice indication information indicating a network slice the terminal device cannot access together with service indication information indicating the services the terminal device requested on that network slice.
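The following is an added, end-to-end model of S501 and S502; it is example code, not code from the patent. It shows the first communication device partitioning the first service indication information by the device able to authenticate each service (the four cases listed under S501), deriving the first request from the first and second indication information of a second request, collecting a per-authenticator result in the three-part shape just described, and then providing only the services that were authenticated as usable. The authenticator table, the authorization data, the field names and the value of the predetermined field are assumed for illustration.

```python
# Added example, not from the patent. The authenticator table, the
# authorization data, the field names and the value of the predetermined
# field are all assumed for illustration.

# Constructed: which device can authenticate which service ID. "UDM" is the NF
# inside the mobile communication system; "AAA-1" and "AAA-2" are independent
# AAA servers outside it.
AUTHENTICATOR_FOR_SERVICE = {"IDa": "AAA-1", "IDb": "AAA-2",
                             "ID1": "UDM", "ID2": "AAA-1"}

# The UDM is reached through the AUSF and an external AAA server through the
# NSSAAF, so choosing an authenticator also adds the intermediary NF.
INTERMEDIARY = {"UDM": "AUSF"}          # every other authenticator -> NSSAAF

AUTH_REQUIRED = 1   # assumed "first value" of the predetermined field

# Constructed authorization data per authenticator: slice -> services the UE
# may implement on it. A slice missing from the table cannot be accessed.
AUTHORIZATION_DATA = {
    "UDM":   {"slice-A": {"ID1"}},
    "AAA-1": {"slice-A": {"IDa"}, "slice-B": {"IDa", "ID2"}},
    "AAA-2": {"slice-B": {"IDb"}},
}


def select_second_devices(service_ids):
    """Partition the first service indication information by authenticator.
    Returns ({authenticator: [service IDs]}, set of second communication
    devices, service IDs that no known device can authenticate)."""
    routing, unroutable = {}, []
    for sid in service_ids:
        auth = AUTHENTICATOR_FOR_SERVICE.get(sid)
        if auth is None:
            unroutable.append(sid)
        else:
            routing.setdefault(auth, []).append(sid)
    devices = set()
    for auth in routing:
        devices.update({auth, INTERMEDIARY.get(auth, "NSSAAF")})
    return routing, devices, unroutable


def first_request_from_second_request(second_request):
    """Build the first request from a second request, or return None when the
    first indication information says no service authentication is needed."""
    if second_request.get("auth_required") != AUTH_REQUIRED:
        return None
    first_request = {"service_ids": list(second_request["service_ids"])}
    if "s_nssai_list" in second_request:      # first network slice indication
        first_request["s_nssai_list"] = list(second_request["s_nssai_list"])
    if "auth_server" in second_request:       # second indication information
        first_request["second_device"] = second_request["auth_server"]
    return first_request


def authenticate(authenticator, service_ids, slice_ids):
    """S502 at one second communication device. The result has the three parts
    of the description: services allowed on an accessible slice, services
    rejected on an accessible slice, and the requested services on a slice the
    terminal device cannot access."""
    table = AUTHORIZATION_DATA[authenticator]
    allowed, rejected, no_slice = {}, {}, {}
    for slc in slice_ids:
        if slc not in table:
            no_slice[slc] = sorted(service_ids)
            continue
        ok = [s for s in service_ids if s in table[slc]]
        bad = [s for s in service_ids if s not in table[slc]]
        if ok:
            allowed[slc] = ok
        if bad:
            rejected[slc] = bad
    return {"allowed": allowed, "rejected": rejected, "no_slice": no_slice}


def services_to_provide(service_ids, slice_ids):
    """The first communication device's decision: fan the first request out per
    authenticator, merge the partial results and return {slice: [services]}.
    Anything not positively authenticated, including a service that no device
    could authenticate, is withheld."""
    routing, _devices, _unroutable = select_second_devices(service_ids)
    provide = {}
    for auth, sids in routing.items():
        for slc, ok in authenticate(auth, sids, slice_ids)["allowed"].items():
            provide.setdefault(slc, set()).update(ok)
    return {slc: sorted(v) for slc, v in provide.items()}
```

The merge in services_to_provide is deliberately a union of the "allowed" parts only: a service rejected by the device responsible for it, requested on a slice that device reports as inaccessible, or routed to no device at all never reaches the terminal device, which is the default-deny behaviour the abstract describes.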
The following describes an implementation of the authentication process.
In some implementation manners, the second communication device may authenticate whether the terminal device can implement the first service, so as to obtain the first authentication result.
Optionally, the second communication device may be a UDM or an AAA server outside the mobile communication system.
In other implementation manners, the second communication device may authenticate whether the terminal device can implement the first service according to a second authentication result obtained from a fourth communication device. This will be explained below.
Manner 1 comprises the following steps:
a1: The second communication device sends a fifth request to the fourth communication device. The fifth request may include the first service indication information, and may request the fourth communication device to authenticate whether the terminal device can implement the first service.
The fifth request may be to multiplex an existing message (for example, an authentication request), or may be a dedicated message for requesting the fourth communication device to authenticate whether the terminal device can implement the first service.
a2: The second communication device receives a fifth response from the fourth communication device. The fifth response may include a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service.
The fifth response may be an existing message (e.g., an authentication response) or a dedicated message for transmitting the second authentication result.
Optionally, the second authentication result may include a first Authentication Vector (AV) used by the fourth communication device to authenticate whether the terminal device can implement the first service.
a3: the second communication device may authenticate whether the terminal device can implement the first service according to the second authentication result, so as to obtain the first authentication result.
Optionally, the second communication device may execute a subsequent authentication procedure according to the first AV to obtain the first authentication result. The subsequent authentication procedure may refer to TS33.501.
Manner 2 comprises the following steps:
b1: The second communication device sends a sixth request to the fourth communication device. The sixth request may include the first service indication information and the first network slice indication information, and may request the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice.
The sixth request may be to multiplex an existing message (for example, an authentication request), or may be a dedicated message for requesting a fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice.
b2: The second communication device receives a sixth response from the fourth communication device. The sixth response may include a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service on the first network slice.
The sixth response may be an existing message (e.g., an authentication response) or a dedicated message for transmitting the second authentication result.
Optionally, the second authentication result may include a second AV used by the fourth communication device to authenticate whether the terminal device can implement the first service on the first network slice.
b3: the second communication device may authenticate whether the terminal device can implement the first service according to the second authentication result, so as to obtain the first authentication result.
Optionally, the second communication device executes a subsequent authentication procedure according to the second AV to obtain the first authentication result. The subsequent authentication procedure may refer to TS33.501.
Optionally, in the first and second manners, the second communication device may be an AUSF, and the fourth communication device may be a UDM; or the second communication device may be NSSAAF, and the fourth communication device may be an AAA server outside the mobile communication system.
In this embodiment of the present application, the second communication device and/or the fourth communication device may authenticate whether the terminal device can implement the first service in the mobile communication system according to locally stored first authentication information, where the first authentication information may include service authentication information. The first authentication information may include, but is not limited to, at least one of: service indication information of a service that the terminal device can implement, and service indication information of a service that the terminal device cannot implement.
Optionally, the first authentication information may be included in subscription information of the terminal device.
S503: the first communication device receives a first response from the second communication device. Correspondingly, the second communication device sends the first response to the first communication device.
Wherein the first response includes the first authentication result obtained in S502.
Optionally, the first response may multiplex an existing message (e.g., an authentication response), or may be a dedicated message for sending the second authentication result.
S504: According to the first authentication result, the first communication device determines whether to provide the first service for the terminal device.
In this embodiment, when the second request is the registration request or the first session establishment request, the first communication device may accept or reject the second request according to the first authentication result.
For example, if it is determined that the second service in the first service requested by the terminal device is a service that can be implemented by the terminal device according to the first authentication result (i.e., the second service in the first service is authenticated), the first communication device may accept the second request; otherwise, the first communication device may deny the second request. The second service may be part or all of the first service.
For another example, when the second request is a registration request, if it is determined, according to the first authentication result, that a second network slice in a first network slice requested by the terminal device is a network slice that can be accessed by the terminal device (i.e., the second network slice in the first network slice is authenticated), and a fourth service in the first service requested by the terminal device is a service that can be implemented by the terminal device on the second network slice (i.e., the fourth service in the first service is authenticated), the first communication device accepts the second request; otherwise, the first communication device rejects the second request. The second network slice may be a part or all of the first network slice, and the fourth service may be a part or all of the first service.
When the first communication device accepts the second request, the first communication device may provide the first service for the terminal device, so that a subsequent registration procedure or a session establishment procedure may be performed.
When the first communication device rejects the second request, the first communication device may not provide the first service for the terminal device. In this case, the first communication device may send a failure indication to the terminal device, where the failure indication may include service indication information of a service that fails to be authenticated.
Optionally, the first communication device may further send a reject reason to the terminal device. Wherein the reject reason may include, but is not limited to, at least one of: service authentication failure, service registration failure, network slice authentication failure, and network slice registration failure.
The first communication device may send the failure indication and the rejection reason through an existing message (for example, a message sent by the AMF to the terminal device in the registration procedure or the session establishment procedure), or may send the failure indication and the rejection reason through a dedicated message.
The failure indication and the reject reason may be included in one message or may be included in a plurality of messages.
When the first service is a plurality of services and the second communication device is a plurality of communication devices (e.g., the second communication device is a plurality of AUSFs and/or NSSAAFs), the first communication device may accept or reject the second request by, but not limited to, the following implementation manners.
The first implementation manner is as follows: the first communication device accepts or rejects the second request according to the received authentication results after receiving all the authentication results from the plurality of communication devices.
The second implementation manner is as follows: the first communication device accepts or rejects the second request according to the authentication results from the plurality of communication devices that are received within a predetermined time.
The first communication device may determine the predetermined time through a first timer. For example, the first timer may be started when the first communication device sends the first request to the plurality of communication devices. The first communication device may receive one or more authentication results between the start of the first timer and its expiry. After the first timer expires, the first communication device may accept or reject the second request according to the authentication results received so far.
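The following is an added example, not code from the patent, showing how a first communication device (for instance an AMF) could combine the first authentication results it receives from several second communication devices and then accept or reject the registration request as in S504, including the failure indication and reject reason described for the rejecting case. The data structure `AuthResult`, the functions `collect_results` and `decide_registration`, and the choice to treat a requested service for which no result arrived before the first timer expired as not authenticated are all assumptions made for the illustration; the page itself does not prescribe them. Service names and arrival times are constructed sample values.

```python
"""Combining authentication results from several second communication
devices and deciding a registration request (added example; the names and
the handling of unanswered services are assumptions, not the patent's)."""
from dataclasses import dataclass, field


@dataclass
class AuthResult:
    """One first authentication result: services the terminal device can
    implement (allowed) and services it cannot implement (denied)."""
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)


def collect_results(arrivals, deadline=None):
    """arrivals: list of (arrival_time, AuthResult).
    First manner (deadline=None): wait for every result.
    Second manner: keep only results that arrived before the first timer
    expired, i.e. arrival_time <= deadline."""
    if deadline is None:
        return [result for _, result in arrivals]
    return [result for t, result in arrivals if t <= deadline]


def decide_registration(requested, results):
    """Accept the second request if at least one requested service (the
    'second service', part or all of the first service) is authenticated.
    Otherwise reject and report the services that failed authentication.
    A requested service with no result at all is treated as failed
    (assumption: fail closed when the timer expires without an answer)."""
    requested = set(requested)
    allowed = set().union(*(r.allowed for r in results)) & requested
    denied = set().union(*(r.denied for r in results)) & requested
    unanswered = requested - allowed - denied
    failed = sorted(denied | unanswered)
    if allowed:
        return {"accept": True,
                "allowed_services": sorted(allowed),
                "failed_services": failed}
    return {"accept": False,
            "allowed_services": [],
            "failed_services": failed,
            "reject_reason": "service authentication failure"}


if __name__ == "__main__":
    # Constructed sample: two AUSF/NSSAAF answers, the second one arriving
    # after the first timer (3 time units) has already expired.
    arrivals = [(1, AuthResult(allowed={"svc-a"})),
                (5, AuthResult(denied={"svc-b"}))]
    requested = {"svc-a", "svc-b", "svc-c"}
    print(decide_registration(requested, collect_results(arrivals, deadline=3)))
    print(decide_registration(requested, collect_results(arrivals)))
```

With the timer, only the first answer counts and the request is still accepted for `svc-a`, while `svc-b` and `svc-c` are reported in the failure indication; waiting for all answers gives the same decision but with `svc-b` now explicitly denied rather than merely unanswered.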
In this embodiment, when the second request is a registration request, the first communication device may determine whether to accept the second session establishment request from the terminal device or AN device accessed by the terminal device according to a registration procedure. This will be specifically explained below.
In some embodiments, if the first service includes at least one service and the first authentication result indicates that the terminal device is capable of implementing a second service of the first services (i.e., the second service of the first services is authenticated), it may be determined whether to accept a second session establishment request from the terminal device or AN device accessed by the terminal device by, but not limited to, the following manner.
Mode 1:
c1: the first communication device may send a first message to the UDM after receiving the first response from the second communication device. Accordingly, the UDM receives the first message from the first communication device.
In this mode 1, the first communication device may be an AMF.
Wherein the first message may include: second service indication information for indicating the second service.
Optionally, the first message may be an existing message (e.g., a message in the registration procedure such as Nudm_UECM_Registration) or may be a dedicated message for sending the second service indication information.
Wherein, after receiving the second service indication information, the UDM may store the second service indication information. For example, the UDM may locally store the second service indication information, or may store the second service indication information in a Unified Data Repository (UDR).
c2: The first communication device receives a second session establishment request from the terminal device or an AN device accessed by the terminal device. Correspondingly, the terminal device or the AN device accessed by the terminal device sends the second session establishment request to the first communication device.
The second session establishment request may include third service indication information, where the third service indication information may indicate a third service that the terminal device requests to execute.
c3: The first communication device sends a third request to the SMF according to the second session establishment request. Accordingly, the SMF receives the third request from the first communication device.
The third request may include the third service indication information, and the third request may request the SMF to accept or reject the second session establishment request according to the second service indication information and the third service indication information acquired from the UDM.
The third request may be an existing message (for example, an SM context setup request, Nsmf_PDUSession_CreateSMContext Request) or may be a dedicated message.
Optionally, after receiving the third request, the SMF may reuse an existing flow to obtain the second service indication information from the UDM, or may obtain the second service indication information from the UDM through a dedicated flow. For example, the SMF may initiate registration to the UDM, and acquire the session management subscription information of the terminal device and the service indication information of the service for which the terminal device is successfully registered from the UDM by acquiring the subscription information flow. Wherein the service indication information of the service which is successfully registered comprises the second service indication information.
When the SMF determines that at least one of the third services indicated by the third service indication information is included in the second service indicated by the obtained second service indication information (that is, the SMF determines that the terminal device can implement at least one of the third services), the SMF may accept the second session establishment request; when the SMF determines that the second service indicated by the obtained second service indication information does not include any service in the third services indicated by the third service indication information (that is, the SMF determines that the terminal device cannot implement any service in the third services), the SMF may reject the second session establishment request.
Upon accepting the second session establishment request, the SMF may perform a subsequent session establishment procedure.
In this mode 1, in the registration process, the UDM may obtain and store second service indication information (i.e., service indication information of a service that is successfully authenticated) of a second service that can be implemented by the terminal device, and in a subsequent session establishment process, the SMF may accept or reject the session establishment request according to an authentication result (including the second service indication information) obtained from the UDM in the registration process, so that the mobile communication system may provide a service that is successfully authenticated for the terminal device, but does not provide a service that is failed in authentication, thereby improving security of data transmission.
Mode 2:
d1: after receiving the first response from the second communication device, the first communication device saves second service indication information indicating the second service.
Optionally, the first communication device may store the second network slice indication information and the fourth service indication information in a registration procedure.
d2: The terminal device or an AN device accessed by the terminal device sends the second session establishment request to the first communication device. Correspondingly, the first communication device receives the second session establishment request from the terminal device or the AN device accessed by the terminal device.
The second session establishment request may include third service indication information, where the third service indication information may indicate a third service that the terminal device requests to execute.
d3: when the first communication device determines that the second service indicated by the saved second service indication information includes at least one of the third services indicated by the third service indication information (that is, the first communication device determines that the terminal device can implement at least one of the third services or at least one of the third services is authenticated), the first communication device may accept the second session establishment request; when the first communication device determines that any one of the third services indicated by the third service indication information is not included in the second service indicated by the saved second service indication information (that is, the first communication device determines that the terminal device cannot implement any one of the third services or that the third service does not include an authenticated service), the first communication device may reject the second session establishment request.
The first communication device may perform a subsequent session establishment procedure when accepting the second session establishment request.
In this mode 2, in the registration process, the first communication device may store service indication information of the second service in the first service that the terminal device can implement (i.e., service indication information of a service that is successfully authenticated), and in a subsequent session establishment process, the first communication device may accept or reject the session establishment request according to the authentication result (including the second service indication information) stored locally in the registration process, so that the mobile communication system may provide the service that is successfully authenticated for the terminal device, but does not provide the service that failed authentication, and thus may improve the security of data transmission.
In further embodiments, when the second request is a registration request, if the first service includes at least one service, the first network slice includes at least one network slice, and the authentication result indicates that the terminal device is capable of implementing a fourth service in the first service on a second network slice in the first network slice, then it may be determined whether to accept the second session establishment request from the terminal device or AN apparatus accessed by the terminal device by, but not limited to, the following manners.
Manner 1 comprises the following steps:
e1: After receiving the first response from the second communication device, the first communication device may send a second message to the UDM. Accordingly, the UDM receives the second message from the first communication device.
In this manner 1, the first communication device may be an AMF.
The second message may include second network slice indication information and fourth service indication information. The second network slice indication information may indicate the second network slice, and the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice.
Alternatively, the second message may be an existing message (for example, a message in the registration procedure such as Nudm_UECM_Registration), or may be a dedicated message for transmitting the second network slice indication information and the fourth service indication information.
When the second message is a message in the registration procedure, the second network slice may be a network slice for which the terminal device successfully registers, and the fourth service may be a service for which the terminal device successfully registers on the second network slice; that is, the second network slice indication information may indicate the network slice for which the terminal device successfully registers, and the fourth service indication information may indicate the service for which the terminal device successfully registers on the second network slice. The second network slice indication information and the fourth service indication information may be referred to as allowed NSSAI information.
After receiving the second network slice indication information and the fourth service indication information, the UDM may save them. For example, the UDM may store the second network slice indication information and the fourth service indication information locally, or may store them in the UDR.
e2: the first communication device may receive a third session establishment request from the terminal device or AN device accessed by the terminal device. Correspondingly, the terminal device or AN device accessed by the terminal device sends the third session establishment request to the first communication device.
The third session establishment request may include third network slice indication information and fifth service indication information, where the third network slice indication information may indicate a third network slice, and the fifth service indication information may indicate a fifth service that the terminal device requests to execute on the third network slice.
e3: the first communication device may send a fourth request to the SMF in accordance with the third session establishment request. Accordingly, the SMF receives the fourth request from the first communication device.
The fourth request may include the third network slice indication information and the fifth service indication information, and the fourth request may request the SMF to accept or reject the second session establishment request according to the second network slice indication information and the fourth service indication information, and the third network slice indication information and the fifth service indication information acquired from the UDM.
The fourth request may be an existing message (for example, an SM context setup request, Nsmf_PDUSession_CreateSMContext Request) or may be a dedicated message.
Optionally, after receiving the fourth request, the SMF may reuse an existing flow to obtain the second network slice indication information and the fourth service indication information from the UDM, or may obtain the second network slice indication information and the fourth service indication information from the UDM through a dedicated flow. For example, the SMF may initiate registration to the UDM, and acquire, through acquiring a subscription information flow, session management subscription information of the terminal device and indication information of a service that the terminal device has successfully registered (for example, including second network slice indication information and fourth service indication information) from the UDM.
When the SMF determines that the second network slice indicated by the obtained second network slice indication information includes at least one of the third network slices indicated by the third network slice indication information (that is, at least one of the third network slices is authenticated), and the SMF determines that at least one of the fifth services indicated by the fifth service indication information is included in the fourth services indicated by the obtained fourth service indication information (that is, at least one of the fifth services is authenticated), that is, when the SMF determines that the terminal device can implement at least one of the fifth services on at least one of the third network slices, the SMF may accept the third session establishment request; when the SMF determines that the second network slice indicated by the obtained second network slice indication information does not include any one of the third network slices indicated by the third network slice indication information (that is, the third network slice does not include an authenticated network slice), and/or the SMF determines that the fourth service indicated by the obtained fourth service indication information does not include any one of the fifth services indicated by the fifth service indication information (that is, the fifth service does not include an authenticated service), that is, when the SMF determines that the terminal device cannot implement any one of the fifth services on any one of the third network slices, the SMF may reject the third session establishment request.
Upon accepting the third session establishment request, the SMF may perform a subsequent session establishment procedure.
In this manner 1, in the registration process, the UDM may obtain the fourth service indication information (i.e., service indication information of a service that is successfully authenticated) and the second network slice indication information (i.e., network slice indication information of a network slice that is successfully authenticated), and in the subsequent session establishment process, the SMF may accept or reject the session establishment request according to the authentication result (including the second network slice indication information and the fourth service indication information) obtained from the UDM in the registration process, so that the mobile communication system may provide the service that is successfully authenticated for the terminal device, but does not provide the service that failed authentication, and thus may improve the security of data transmission.
Manner 2 comprises the following steps:
f1: The first communication device may save second network slice indication information and fourth service indication information after receiving the first response from the second communication device.
The second network slice indication information may indicate the second network slice, and the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice.
Optionally, the first communication device may store the second network slice indication information and the fourth service indication information in a registration procedure.
f2: the first communication device may receive a third session establishment request from the terminal device or AN device accessed by the terminal device. Correspondingly, the terminal device or AN device accessed by the terminal device sends the third session establishment request to the first communication device.
The third session establishment request may include third network slice indication information and fifth service indication information, where the third network slice indication information may indicate a third network slice, and the fifth service indication information may indicate a fifth service that the terminal device requests to execute on the third network slice.
f3: When the first communication device determines that the second network slice indicated by the saved second network slice indication information contains at least one of the third network slices indicated by the third network slice indication information (i.e., at least one of the third network slices is authenticated), and the first communication device determines that the fourth service indicated by the saved fourth service indication information contains at least one of the fifth services indicated by the fifth service indication information (i.e., at least one of the fifth services is authenticated), that is, when the first communication device determines that the terminal device can implement at least one of the fifth services on at least one of the third network slices, the first communication device may accept the third session establishment request; when the first communication device determines that the second network slice indicated by the saved second network slice indication information does not include any one of the third network slices indicated by the third network slice indication information (i.e., the third network slice does not include an authenticated network slice), and/or the first communication device determines that the fourth service indicated by the saved fourth service indication information does not include any one of the fifth services indicated by the fifth service indication information (i.e., the fifth service does not include an authenticated service), that is, when the first communication device determines that the terminal device cannot implement any one of the fifth services on any one of the third network slices, the first communication device may reject the third session establishment request.
The first communication device may perform a subsequent session establishment procedure when accepting the third session establishment request.
In this manner 2, in the registration process, the first communication device may store the fourth service indication information (i.e., service indication information of a service that is successfully authenticated) and the second network slice indication information (i.e., network slice indication information of a network slice that is successfully authenticated), and in the subsequent session establishment process, the first communication device may accept or reject the session establishment request according to the authentication result (including the second network slice indication information and the fourth service indication information) stored locally in the registration process, so that the mobile communication system may provide the service that is successfully authenticated for the terminal device, but does not provide the service that failed authentication, and thus may improve the security of data transmission.
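The admission check applied at session establishment is the same in all four variants above: modes 1 and 2 compare the requested third services with the stored second services (steps c3 and d3), and manners 1 and 2 compare the requested third network slices and fifth services with the stored second network slices and fourth services (steps e3 and f3); the only difference is whether the SMF fetches the stored information from the UDM or the first communication device consults its own copy. The block below is an added example, not code from the patent, of that check together with the step that records the authentication result at registration (c1/d1 and e1/f1). The store layout is an assumption: a mapping from network slice identifier to the set of services authenticated on that slice, with the key `None` holding services authenticated without any network slice. The example also follows the "that is" reading of e3/f3, requiring the service to be authenticated on the same slice on which it is requested, rather than checking slices and services as two independent sets; that pairing is the editor's reading, stated here as an assumption. Slice and service identifiers are constructed sample values.

```python
"""Recording the authentication result at registration and checking a
session establishment request against it (added example; store layout,
function names and the per-slice pairing are assumptions, not the
patent's own definitions)."""


def record_registration_result(store, allowed_pairs):
    """c1/d1 and e1/f1: remember what was authenticated at registration.
    allowed_pairs: iterable of (network_slice, service); network_slice is
    None for a service authenticated without a network slice.
    Returns the updated store (a dict: slice -> set of services)."""
    for network_slice, service in allowed_pairs:
        store.setdefault(network_slice, set()).add(service)
    return store


def session_admission(store, requested_services, requested_slices=None):
    """c3/d3 (requested_slices is None): accept if at least one requested
    service is among the stored services.
    e3/f3: accept if at least one requested service is stored as
    authenticated on at least one requested network slice.
    Returns (accept, granted) with granted = set of (slice, service) pairs
    that passed; an empty set means the request is rejected."""
    requested_services = set(requested_services)
    granted = set()
    if requested_slices is None:
        for service in store.get(None, set()) & requested_services:
            granted.add((None, service))
    else:
        for network_slice in requested_slices:
            on_slice = store.get(network_slice, set()) & requested_services
            for service in on_slice:
                granted.add((network_slice, service))
    return bool(granted), granted


if __name__ == "__main__":
    # Constructed sample authentication result received at registration.
    store = record_registration_result({}, [
        (None, "svc-a"), (None, "svc-b"),       # services without a slice
        ("slice-1", "svc-a"), ("slice-2", "svc-c"),
    ])
    # Mode 1/2 style request: one of the requested services is authenticated.
    print(session_admission(store, {"svc-a", "svc-x"}))
    # Manner 1/2 style request: svc-c is authenticated, but not on slice-1.
    print(session_admission(store, {"svc-c"}, {"slice-1"}))
    # Both slices requested: each grants one of the requested services.
    print(session_admission(store, {"svc-a", "svc-c"}, {"slice-1", "slice-2"}))
```

The third sample call shows why the per-slice pairing matters: `svc-c` is authenticated and `slice-1` is an allowed slice, yet a request for `svc-c` on `slice-1` is rejected because that combination was never authenticated.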
Optionally, after receiving the first response from the second communication device, the first communication device may send a third message to the terminal device according to the first authentication result.
Wherein the third message may include, but is not limited to, at least one of:
sixth service indication information for indicating a service that can be implemented by the terminal device;
seventh service indication information for indicating a service that the terminal device cannot implement;
fourth network slice indicating information for indicating a network slice accessible to the terminal device, and eighth service indicating information for indicating a service that the terminal device can implement on the network slice;
fifth network slice indication information for indicating a network slice that the terminal device can access, and ninth service indication information for indicating a service that the terminal device cannot implement on the network slice;
sixth network slice indication information for indicating a network slice that the terminal device cannot access, and tenth service indication information for indicating a service requested by the terminal device on the network slice.
In this embodiment, when the first communication device is the AMF, the first communication device may further send a fourth message to the terminal device after receiving the first response from the second communication device. After receiving the fourth message, the terminal device may authenticate whether it can implement the first service in the mobile communication system according to locally stored second authentication information, where the second authentication information may include service authentication information. The second authentication information may include, but is not limited to, at least one of: indication information of services that the terminal device can implement, and indication information of services that the terminal device cannot implement.
Optionally, the second authentication information may be included in subscription information of the terminal device. For example, the second authentication information is preconfigured in the subscription information of the terminal device. For another example, the terminal device obtains subscription information of the terminal device including the second authentication information through a configuration update procedure.
With the method shown in fig. 5, a first communication device in a mobile communication system may send a first request to a second communication device, requesting whether the terminal device can implement a first service; after receiving the authentication result from the second communication device, the first communication device may determine whether to provide the first service for the terminal device according to the authentication result. With this scheme, the first communication device can obtain an authentication result indicating whether the terminal device can implement the requested service, and according to that result the mobile communication system in which the first communication device is located can provide the services whose authentication succeeded for the terminal device and not provide the services whose authentication failed, so that the security of data transmission can be improved.
Fig. 6 is a schematic diagram illustrating an example of applying the communication method shown in fig. 5 to a mobile communication system provided by the present application. The application of the method shown in fig. 5 in the application scenario shown in fig. 6 is described below with reference to the drawings.
As shown in fig. 6, the mobile communication system may be a stand-alone NPN (SNPN), and the mobile communication system may interact with an external AAA-S through an authentication authorization accounting proxy (AAA-P), and the AAA-S may include: AAA-S1 of Service Provider (SP) 1, AAA-S2 of SP2, and AAA-S3 of SP 3.
In this example, the AAA-S of each SP may store the subscription information of the terminal device and authenticate, according to the stored subscription information, whether the terminal device can implement a service. Specifically, the mobile communication system may receive a registration request or a session establishment request from a terminal device, where the registration request or the session establishment request may include service indication information of one or more services. The mobile communication system may determine, according to the service indication information, the communication device that authenticates whether the terminal device is capable of implementing the one or more services. For example, the mobile communication system may determine, according to the service indication information and the identity information of the terminal device, whether AAA-S1 can authenticate the terminal device for implementing service 1, whether AAA-S2 can authenticate the terminal device for implementing service 2, and whether AAA-S3 can authenticate the terminal device for implementing service 3. Then, the mobile communication system may request AAA-S1 to authenticate whether the terminal device can implement service 1, request AAA-S2 to authenticate whether the terminal device can implement service 2, and request AAA-S3 to authenticate whether the terminal device can implement service 3. AAA-S1, AAA-S2 and AAA-S3 can each authenticate whether the terminal device can implement the service according to the locally stored subscription information of the terminal device.
By this example, in the registration procedure or the session establishment procedure, the mobile communication system may request the external AAA-S to authenticate whether the terminal device can implement the service, and obtain an authentication result. Thus, the mobile communication system can provide the service of successful authentication for the terminal equipment according to the authentication result, and does not provide the service of failed authentication for the terminal equipment, thereby improving the security of data transmission.
Fig. 7 is a schematic diagram illustrating another example of applying the communication method shown in fig. 5 to a mobile communication system provided by the present application. The application of the method shown in fig. 5 in the application scenario shown in fig. 7 is described below with reference to the drawings.
As shown in fig. 7, the mobile communication system may be an NPN, which may be owned by an operator, and a plurality of SPs may provide services to a terminal device through the NPN. The AAA-S in the figure may be an AAA server in the DN, i.e., DN-AAA. In this example, the UDM and the AAA-S of the plurality of SPs may maintain subscription information for the terminal device.
In some implementations, the mobile communication system may receive a registration request or a session establishment request from a terminal device, which may include service indication information for one or more services. The mobile communication system may determine, according to the service indication information, a communication device that authenticates whether the terminal device is capable of implementing the one or more services. For example, the mobile communication system may determine, according to the service indication information of the one or more services and the identity information of the terminal device, whether the AAA-S can authenticate that the terminal device can implement service 1, and determine whether the UDM can authenticate that the terminal device can implement service 2. Then, the mobile communication system may request AAA-S to authenticate whether the terminal device can implement service 1, and request UDM to authenticate whether the terminal device can implement service 2. The AAA-S and the UDM can authenticate whether the terminal equipment can realize the service or not according to the locally stored subscription information of the terminal equipment.
In other implementations, the mobile communication system may receive a session establishment request from a terminal device, and the registration request or the session establishment request may include service indication information of one or more services. The mobile communication system may request the AAA-S to authenticate whether the terminal device is capable of implementing one or more services.
By this example, in the registration flow or the session establishment flow, the mobile communication system may obtain an authentication result of whether the terminal device can implement the requested service, and provide the service of successful authentication for the terminal device and not provide the service of failed authentication for the terminal device according to the authentication result, thereby improving the security of data transmission.
The embodiment of the application provides a communication method. The method may be applied to the communication systems shown in fig. 1-4, see fig. 8. The method can authenticate, during the registration procedure of the terminal device, whether the terminal device can implement a service, so that the mobile communication system can provide the services whose authentication succeeded for the terminal device and not provide the services whose authentication failed, thereby improving the security of service transmission. In the figure, the first AMF is the AMF to be accessed by the terminal device, and the second AMF is the AMF previously accessed by the terminal device. In this example, the first AMF corresponds to the first communication device in the method shown in fig. 5, the AUSF and/or NSSAAF corresponds to the second communication device in the method shown in fig. 5, the UE and/or AN device corresponds to the third communication device in the method shown in fig. 5, and the UDM and/or AAA-S corresponds to the fourth communication device in the method shown in fig. 5. For convenience of description, the following description takes a terminal device as a UE as an example.
S801: the UE sends a registration request to the AN device to initiate a registration procedure. Correspondingly, the AN equipment receives a registration request from the UE.
Optionally, the registration request may include service indication information indicating the first service. The first service may be a service requested by the UE.
In some implementations, the registration request may further include: identity information of the UE. The identity information may include, but is not limited to, at least one of: a subscription permanent identifier (SUPI), a subscription hidden identifier (SUCI).
S802: The AN device selects the first AMF according to the service indication information in the registration request.
S803: The AN device sends the registration request to the first AMF. Accordingly, the first AMF receives the registration request from the AN device.
The AN device may send the registration request to the first AMF in an N2 message. The N2 message may reuse an existing message, for example an Uplink NAS Transport message or an Initial UE Message, or may be another message dedicated to carrying the registration request; this is not limited in this application.
S804: The first AMF initiates a UE context transfer procedure and an identity authentication procedure.
For the specific contents of the UE context transfer procedure and the identity authentication procedure, reference may be made to steps 4-7 of chapter 4.2.2.2 of TS23.502.
S805: The first AMF selects a suitable AUSF/NSSAAF for the UE according to the UE identity information and the service indication information in the registration request.
The selected AUSF/NSSAAF may be referred to as an authentication network element.
The first AMF may select one or more authentication network elements in, but not limited to, the following ways:
Mode 1:
the first AMF may select one or more authentication network elements according to the service indication information.
For example, when the first service is a service that can be authenticated by the mobile communication system in which the first AMF is located (for example, an authentication server of the first service is a UDM), the first AMF may select the AUSF as an authentication network element.
For another example, when the first service is a service authenticated by a communication device outside the mobile communication system in which the first AMF is located (for example, an authentication server of the first service is a third-party AAA server (for example, AAA-S) outside the mobile communication system), the first AMF may select NSSAAF as an authentication network element.
For another example, when the first service includes both a service that can be authenticated by the mobile communication system in which the first AMF is located and a service that can be authenticated by a communication device outside the mobile communication system, the first AMF may select AUSF and NSSAAF as the authentication network element. For example, the service indication information in the registration request may include: service ID1 and service ID2. If the authentication server of the service 1 indicated by the service ID1 is the UDM and the authentication server of the service 2 indicated by the service ID2 is the AAA-S, the first AMF may select the AUSF and the NSSAAF as the authentication network elements.
Mode 2:
The first AMF may select one or more authentication network elements according to the identity information of the UE (e.g., SUPI and/or SUCI) and the service indication information.
For example, when the UE belongs to a UE that can be authenticated by a mobile communication system where the first AMF is located, and the first service is a service that can be authenticated by the mobile communication system, the first AMF may select an AUSF as an authentication network element.
For another example, when the UE belongs to a UE that can be authenticated by a communication device outside the mobile communication system where the first AMF is located, and when the first service is a service authenticated by the communication device outside the mobile communication system, the first AMF may select NSSAAF as an authentication network element.
For another example, when the first service includes both a service that can be authenticated by a mobile communication system in which the first AMF is located and a service that can be authenticated by a communication device outside the mobile communication system, and the UE can be authenticated by the mobile communication system and the communication device outside the mobile communication system, the first AMF may select AUSF and NSSAAF as the authentication network element.
S806: The first AMF initiates an authentication procedure for determining whether the UE can implement the first service.
The first AMF may initiate the authentication procedure for the UE by sending an authentication request to the authentication network element. Correspondingly, the authentication network element receives the authentication request from the first AMF. The authentication request may include the service indication information of the service that the UE requested and that requires authentication by that authentication network element.
For example, when the first AMF determines that the authentication network element is an AUSF, the first AMF may send an authentication request to the AUSF, where the authentication request includes the first service indication information.
For another example, when the first AMF determines that the authentication network element is an NSSAAF, the first AMF may send an authentication request to the NSSAAF, where the authentication request includes the first service indication information.
For another example, when the AMF determines that the authentication network element is an AUSF and an NSSAAF, the first AMF may send an authentication request including a service ID1 to the AUSF, and send an authentication request including a service ID2 to the NSSAAF. The authentication server of the service indicated by the service ID1 is a UDM, and the authentication server of the service indicated by the service ID2 is an AAA server outside the mobile communication system where the first AMF is located.
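The selection in S805 (Modes 1 and 2) and the per-element dispatch in S806, as an added Python model that is not the patent's own code. The service-to-authentication-server table, the per-UE authentication scope used by Mode 2, the SUPI and service ID values, and the field names are all constructed assumptions.

```python
"""Added example (not the patent's own code): AMF-side selection of the
authentication network element(s) for each requested service (S805,
Modes 1 and 2) and the per-element authentication requests of S806.
Assumptions, all constructed for this example: the service-to-authentication-
server table, the per-UE authentication scope used by Mode 2, the SUPI and
service ID values, and the dataclass field names."""
from dataclasses import dataclass
from typing import Dict, List, Set

AUSF = "AUSF"      # path to an authentication server inside the system (UDM)
NSSAAF = "NSSAAF"  # path to a third-party AAA server outside the system (AAA-S)

# Constructed: which server holds the authentication information of each service.
SERVICE_AUTH_SERVER: Dict[str, str] = {
    "service-ID1": "UDM",
    "service-ID2": "AAA-S",
    "service-ID3": "AAA-S",
}

# Constructed Mode 2 knowledge: which servers are able to authenticate a given UE.
UE_AUTH_SCOPE: Dict[str, Set[str]] = {
    "supi-A": {"UDM", "AAA-S"},  # UE known both inside and outside the system
    "supi-B": {"AAA-S"},         # UE known only to the external AAA server
}


@dataclass
class RegistrationRequest:
    supi: str                # identity information of the UE
    service_ids: List[str]   # service indication information (the first service(s))


@dataclass
class AuthenticationRequest:
    network_element: str     # AUSF or NSSAAF
    service_ids: List[str]   # only the services that element must authenticate
    supi: str


def select_authentication_network_elements(req: RegistrationRequest,
                                           use_identity: bool = False) -> Dict[str, List[str]]:
    """Mode 1 (use_identity=False): route on the service indication alone.
    Mode 2 (use_identity=True): additionally drop services whose server
    cannot authenticate this UE. Returns {network_element: [service_ids]}."""
    routing: Dict[str, List[str]] = {}
    for sid in req.service_ids:
        server = SERVICE_AUTH_SERVER.get(sid)
        if server is None:
            continue  # unknown service: no authenticator can be selected for it
        if use_identity and server not in UE_AUTH_SCOPE.get(req.supi, set()):
            continue  # Mode 2: that server cannot authenticate this UE
        element = AUSF if server == "UDM" else NSSAAF
        routing.setdefault(element, []).append(sid)
    return routing


def build_authentication_requests(req: RegistrationRequest,
                                  use_identity: bool = False) -> List[AuthenticationRequest]:
    """S806: one authentication request per selected element, each carrying
    only the service IDs that element is responsible for (e.g. service ID1
    to the AUSF, service ID2 to the NSSAAF)."""
    routing = select_authentication_network_elements(req, use_identity)
    return [AuthenticationRequest(element, sids, req.supi)
            for element, sids in sorted(routing.items())]


if __name__ == "__main__":
    demo = RegistrationRequest("supi-A", ["service-ID1", "service-ID2", "service-ID3"])
    for ar in build_authentication_requests(demo):
        print(ar)
```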
S807: The first AMF performs the subsequent registration procedure according to the authentication result.
The first AMF may determine to accept or reject the registration request according to the authentication result. For the specific procedure, reference may be made to S504, which is not described here again. Then, the first AMF may perform the subsequent registration procedure according to the determination result.
Optionally, for the subsequent registration procedure, reference may be made to steps 10-25 of chapter 4.2.2.2 of TS23.502.
By the method, in the registration process, the AMF can obtain an authentication result for authenticating whether the UE can realize the requested service. Therefore, the mobile communication system where the AMF is located can provide a service of successful authentication for the UE according to the authentication result, and does not provide a service of failed authentication for the UE, thereby improving the security of data transmission.
Next, with reference to fig. 9 and fig. 10, a procedure of the authentication, initiated by the first AMF, for determining whether the UE can implement the first service is described.
Mode 1: the first AMF may initiate the authentication procedure by sending an authentication request to the AUSF. In this embodiment 1, the authentication server may be a UDM. This flow will be specifically described below with reference to fig. 9.
S901: the UE sends a registration request to the first AMF. Accordingly, the first AMF receives the registration request from the UE.
Wherein the registration request may include service indication information of the first service.
For specific contents of S901, reference may be made to S801-S802, which are not described herein again.
S902: the first AMF sends a first authentication request to the AUSF. Accordingly, the AUSF may receive the first authentication request from the first AMF.
Wherein the first authentication request may include service indication information of the first service.
Optionally, the first authentication request may further include at least one of the following: identity information of the UE (SUCI or SUPI), and the serving network (SN) name.
S903: the AUSF may send a second authentication request to the UDM. Accordingly, the UDM may receive the second authentication request from the AUSF.
Wherein the second authentication request may include service indication information of the first service.
Optionally, the second authentication request may further include at least one of the following: identity information of the UE (SUCI or SUPI), and the SN name.
In some implementations, the AUSF may send the second authentication request to one or more authentication servers according to the service indication information in the first authentication request.
S904: The UDM authenticates whether the UE can implement the first service.
The UDM may authenticate whether the UE can implement the first service according to the identity information of the UE and the service indication information of the first service in the authentication request.
Optionally, the UDM may store authentication information for authenticating a service, and the UDM may authenticate whether the UE can implement the first service according to the authentication information.
For specific contents of S904, reference may be made to S502, which is not described herein again.
S905: the UDM sends a first authentication response to the AUSF. Accordingly, the AUSF receives the first authentication response from the UDM.
Wherein the first authentication response may include service indication information of the first service.
The first authentication response includes a first authentication result obtained by the UDM authenticating whether the UE can implement the first service.
In some implementations, the UDM may send a first authentication response to the AUSF according to the UE identity information and/or the service indication information in the second authentication request.
S906: The AUSF triggers the subsequent procedure of authenticating whether the UE can implement the first service.
Optionally, for the subsequent procedure of authenticating whether the UE can implement the first service, reference may be made to chapter 6.1.3 of TS33.501.
In this embodiment of the present application, the UDM may also be replaced with an Authentication credential Repository and Processing Function (ARPF).
By the method, the AMF can initiate a service-based authentication process to an authentication server in the mobile communication system according to the service indication information in the registration request. Therefore, the mobile communication system where the AMF is located can provide a service of successful authentication for the UE according to the authentication result, and does not provide a service of failed authentication, thereby improving the security of service transmission.
Mode 2: The first AMF may initiate the authentication procedure by sending an authentication request to the NSSAAF. In Mode 2, the authentication server is an AAA-S outside the mobile communication system in which the first AMF is located. This flow is described in detail below with reference to fig. 10.
S1001: the UE sends a registration request to the first AMF. Accordingly, the first AMF receives the registration request from the UE.
Wherein the registration request may include service indication information of the first service.
For details of S1001, reference may be made to S801-S802, which are not described herein again.
S1002: the first AMF sends a third authentication request to the NSSAAF. Accordingly, the NSSAAF receives the third authentication request from the first AMF.
Wherein the third authentication request may include service indication information of the first service.
Optionally, the third authentication request may further include at least one of the following: identity information of the UE (SUCI or SUPI), and the SN name.
S1003: the NSSAAF sends a fourth authentication request to the AAA-P. Accordingly, the AAA-P receives the fourth authentication request from the NSSAAF.
Wherein the fourth authentication request may include service indication information of the first service.
Optionally, the fourth authentication request may further include at least one of the following: identity information of the UE (SUCI or SUPI), and the SN name.
In some implementations, the NSSAAF may send the fourth authentication request to one or more authentication servers with the service indication information in the third authentication request.
S1004: the AAA-P sends the fourth authentication request to the AAA-S. Accordingly, the AAA-S receives the fourth authentication request from the AAA-P.
S1005: The AAA-S authenticates whether the UE can use the first service.
The AAA-S may authenticate whether the UE can use the first service according to the identity information of the UE and the service indication information of the first service in the fourth authentication request.
Optionally, the AAA-S may store authentication information for authenticating a service, and the AAA-S may authenticate whether the UE can implement the first service according to the authentication information.
Optionally, the specific content of S1005 may refer to S502, which is not described herein again.
S1006: the AAA-S sends a second authentication response to the AAA-P. Accordingly, the AAA-P receives the second authentication response from the AAA-S.
Wherein the second authentication response may include the service indication information.
Optionally, the second authentication response includes a first authentication result obtained by the AAA-S authenticating whether the UE can implement the first service.
In some implementations, the AAA-S may send the second authentication response to the AAA-P according to the identity information and/or the service indication information of the UE in the fourth authentication request.
Optionally, the second authentication response may further include identity information of the UE (SUCI or SUPI).
S1007: the AAA-P sends the second authentication response to the NSSAAF. Accordingly, the NSSAAF receives the second authentication response from the AAA-P.
S1008: the NSSAAF sends a third authentication response to the AMF. Accordingly, the AMF receives the third authentication response from the NSSAAF.
The third authentication response includes an authentication result, obtained by the NSSAAF according to the first authentication result, of whether the UE can implement the first service.
Optionally, the third authentication response may include the service indication information.
In some implementations, the third authentication response may further include identity information of the UE (SUCI or SUPI).
After receiving the second authentication response, the NSSAAF may trigger a subsequent authentication procedure, which may refer to TS33.501.
In this embodiment of the present application, the NSSAAF may also interact with the AAA-S without going through the AAA-P. For example, S1003 and S1004 may be replaced with: the NSSAAF sends the fourth authentication request to the AAA-S; and S1006 and S1007 may be replaced with: the AAA-S sends the second authentication response to the NSSAAF.
By this method, the AMF can initiate a service-based authentication procedure towards an authentication server outside the mobile communication system according to the service indication information in the registration request. Thus, the mobile communication system can provide the services whose authentication succeeded for the UE according to the authentication result, and not provide the services whose authentication failed, thereby improving the security of service transmission.
It can be understood that, in this embodiment of the present application, the first AMF may initiate authentication requests for one or more services to the AUSF/NSSAAF according to the service indication information in the registration request, as shown in fig. 11.
S1101: the UE sends a registration request to the AMF. Accordingly, the AMF receives a registration request from the UE.
For details of S1101, reference may be made to S801-S802, which are not described herein again.
Wherein the registration request may include: service ID1 and service ID2. The service ID1 is the ID of the service 1, and the service ID2 is the ID of the service 2.
S1102: the AMF sends a first authentication request to the AUSF.
Wherein the first authentication request comprises: service ID1.
Optionally, the AMF may send the first authentication request to the AUSF after determining that the UDM is the entity that authenticates whether the UE can implement service 1.
The first authentication request may request the AUSF to authenticate whether the UE can implement the service 1 through the method shown in fig. 9. In this case, in the method shown in fig. 9, the first service is the service 1.
S1103: the AMF sends a third authentication request to the NSSAAF. Accordingly, the NSSAAF receives a third authentication request from the AMF.
Wherein the third authentication request comprises: service ID2.
Optionally, the AMF may send the third authentication request to the NSSAAF after determining that the AAA-S is the entity that authenticates whether the UE can implement service 2.
The third authentication request may request the NSSAAF to authenticate whether the UE can implement the service 2 in the manner shown in fig. 10. In this case, in the method shown in fig. 10, the first service is the service 2.
By the method, the AMF can initiate a service-based authentication process to the authentication server corresponding to the plurality of services according to the service indication information of the plurality of services in the registration request. Therefore, the mobile communication system where the AMF is located can provide a service of successful authentication for the UE according to the authentication result, and does not provide a service of failed authentication, thereby improving the security of service transmission.
The embodiment of the application provides a communication method. The method may be applied to the communication systems shown in fig. 1-4, see fig. 12. The method can authenticate, during the registration procedure of the terminal device, whether the terminal device can implement a service, so that the mobile communication system can provide the services whose authentication succeeded for the terminal device and not provide the services whose authentication failed, thereby improving the security of service transmission. In the figure, the first AMF is the AMF to be accessed by the terminal device, and the second AMF is the AMF previously accessed by the terminal device. In this example, the first AMF corresponds to the first communication device in the method shown in fig. 5, the AUSF and/or NSSAAF corresponds to the second communication device in the method shown in fig. 5, the UE and/or AN device corresponds to the third communication device in the method shown in fig. 5, and the UDM and/or AAA-S corresponds to the fourth communication device in the method shown in fig. 5. For convenience of description, the following description takes the terminal device as the UE as an example.
S1201-S1203 may be the same as S801-S803, and are not described in detail here.
S1204: The first AMF initiates a UE context transfer procedure and an authentication procedure.
For the specific content of S1204, reference may be made to S804-S806 and to steps 10-13 of chapter 4.2.2.2 of TS23.502.
S1205a: The first AMF initiates a registration procedure (Nudm_UECM_Registration).
Optionally, the first AMF may initiate the registration request to the UDM according to at least one of: the authentication result of whether the UE can implement the first service, and the service indication information corresponding to the authentication result. The service indication information corresponding to the authentication result may be the service indication information included in the first response in S503.
When the service indication information carried in the registration request sent by the UE indicates multiple services (that is, the first service is multiple services), the first AMF may initiate a registration procedure to the UDM by, but not limited to, at least one of the following manners:
Mode 1:
After receiving the authentication results of all of the plurality of services, the first AMF may select the services whose authentication succeeded, and initiate the registration procedure to the UDM according to those services.
Mode 2:
After receiving the authentication results of some or all of the plurality of services within a predetermined time, the first AMF may select, among the results received, the services whose authentication succeeded, and initiate the registration procedure to the UDM according to those services.
Optionally, the first AMF may determine the predetermined time by means of a second timer. For example, the second timer may be started when the first AMF sends the authentication request to the authentication network element. The first AMF may receive the authentication results of some or all of the plurality of services during the period from when the second timer is started until it expires. After the second timer expires, the first AMF may select, among the results received, the services whose authentication succeeded, and initiate the registration procedure to the UDM according to those services.
Mode 3:
the first AMF may initiate a registration procedure to the UDM after receiving an authentication result of successful authentication for at least one of the plurality of services.
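The three trigger rules of S1205a for a UE that requested several services, as an added Python model that is not the patent's own code. The authentication results, their arrival times, the second-timer value and the assumption that Mode 2 does not register when no service succeeded are all constructed for this example.

```python
"""Added example (not the patent's own code): the three ways the first AMF
may decide when to start Nudm_UECM_Registration for a UE whose registration
request named several services (S1205a, Modes 1 to 3). The authentication
results, their arrival times and the second-timer value are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AuthResult:
    arrival_time: float   # seconds after the AMF sent its authentication requests
    service_id: str
    success: bool


def registration_trigger(requested: List[str], results: List[AuthResult], mode: int,
                         second_timer: Optional[float] = None
                         ) -> Optional[Tuple[float, List[str]]]:
    """Return (time at which the AMF initiates registration to the UDM,
    services reported to the UDM as successfully authenticated), or None
    when the chosen mode does not trigger on the given results.

    Mode 1: wait for a result for every requested service.
    Mode 2: wait until the second timer, started when the authentication
            requests were sent, expires; use whatever results arrived by then.
    Mode 3: trigger as soon as one requested service succeeds.
    Results for services the UE did not request are ignored in every mode."""
    ordered = sorted(results, key=lambda r: r.arrival_time)

    if mode == 1:
        pending = set(requested)
        successful: List[str] = []
        for r in ordered:
            if r.service_id not in pending:
                continue  # not requested, or a duplicate result for a service
            pending.discard(r.service_id)
            if r.success:
                successful.append(r.service_id)
            if not pending:
                return r.arrival_time, successful
        return None  # some service has not answered yet: Mode 1 keeps waiting

    if mode == 2:
        if second_timer is None:
            raise ValueError("Mode 2 needs the second timer value")
        successful = [r.service_id for r in ordered
                      if r.arrival_time <= second_timer and r.success
                      and r.service_id in requested]
        # Assumption (not stated in the patent): with no successful service
        # received before expiry there is nothing to register.
        return (second_timer, successful) if successful else None

    if mode == 3:
        for r in ordered:
            if r.success and r.service_id in requested:
                return r.arrival_time, [r.service_id]
        return None

    raise ValueError(f"unknown mode {mode}")


if __name__ == "__main__":
    # Constructed result stream: service 2 fails quickly, services 1 and 3 succeed later.
    stream = [AuthResult(0.4, "service-ID2", False),
              AuthResult(1.1, "service-ID1", True),
              AuthResult(2.7, "service-ID3", True)]
    wanted = ["service-ID1", "service-ID2", "service-ID3"]
    for m in (1, 2, 3):
        print(m, registration_trigger(wanted, stream, m, second_timer=2.0))
```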
When the first AMF initiates a registration procedure to the UDM, the first AMF may send service indication information of a service for which the UE is successfully authenticated to the UDM. Then, the UDM may store, in the UDM or the UDR, the service indication information of the service for which the authentication of the UE is successful and the identity information of the first AMF associated therewith.
S1205b: The first AMF initiates a subscription information acquisition procedure (Nudm_SDM_Get).
Through the subscription information acquisition procedure, the first AMF may acquire the subscription information of the service of the UE from the UDM.
The subscription information may include, but is not limited to, at least one of: information of the networks that the UE can access, and service indication information of the services that the UE can implement in the networks it can access.
Optionally, the first AMF may further obtain SMF selection information. The SMF selection information may indicate a correspondence between services and SMFs. In a session establishment procedure, the AMF may select a suitable SMF for the terminal device according to the SMF selection information and the service requested by the terminal device.
S1205c: The first AMF initiates a subscription procedure to the UDM.
S1205c is an optional step.
S1206: the mobile communication system performs a subsequent registration procedure.
Wherein, the specific content of the subsequent registration process can refer to the TS23.502, chapter 4.2.2.2, step 15-20.
S1207: the first AMF transmits a registration accept message (registration accept) to the UE. Accordingly, the UE receives the registration accept message from the first AMF.
The registration accept message may include indication information of the authentication result of each of the first services requested by the UE, that is, whether each requested service was authenticated successfully or not.
Optionally, the authentication result may also indicate the reason why authentication of each service succeeded or failed.
In addition, the registration accept message may also include the subscription information of the services requested by the UE. After receiving the registration accept message, the UE may update its locally stored subscription information.
Through the above procedures, the UE can successfully register in the mobile communication system.
In some implementations, after the UE has registered successfully, the set of services for which the UE's authentication succeeded or failed may change. In this case the mobile communication system may update that set. The update flow is described below with reference to fig. 12.
S1208: the first AMF determines to initiate a UE configuration update procedure.
The first AMF may determine that a UE configuration update procedure needs to be initiated after receiving authentication update information from the authentication server. The authentication update information indicates an update to the authentication result of a service of the UE, for example a service whose authentication had succeeded becoming a service whose authentication fails, or a service whose authentication had failed becoming a service whose authentication succeeds.
The authentication update information may include service indication information of a service whose authentication result changes.
For example, for a first target service for which the authentication of the UE fails, if the user corresponding to the UE subscribes to the first target service, the authentication server may update the first target service to a service for which the authentication succeeds.
S1209: the first AMF sends a UE configuration update command (UE configuration update command) to the UE, and accordingly, the UE receives the UE configuration update command from the first AMF.
The UE configuration update command may include the authentication update information.
S1210: The mobile communication system performs the subsequent UE configuration update procedure to update the set of services for which the UE's authentication succeeded or failed.
By this method, during the registration procedure the first AMF obtains an authentication result stating whether the UE may use each requested service. The mobile communication system in which the first AMF is located can then provide the UE with the services whose authentication succeeded and withhold the services whose authentication failed, which improves the security of data transmission.
The embodiment of the application provides a communication method. The method may be applied to the communication systems shown in fig. 1-4; see fig. 13. The method may be implemented on the basis of the method shown in fig. 8 or fig. 12, in which, during the registration procedure, the authentication server authenticates whether the UE may use a service. Based on that registration-time authentication result, the mobile communication system provides the UE with sessions for the services whose authentication succeeded and does not provide sessions for the services whose authentication failed, thereby improving the security of service transmission. The AMF in fig. 13 may be the first AMF in fig. 8 or fig. 12. In this example, the AMF corresponds to the first communication device in the method shown in fig. 5. For convenience of description, the following takes the terminal device being a UE as an example.
S1301: the UE sends a PDU session establishment request (PDU session establishment request) to the AMF. Accordingly, the AMF receives the PDU session establishment request from the UE.
The UE may send the PDU session establishment request to the AMF after successfully registering with the mobile communication system, in order to initiate a PDU session establishment procedure. The procedure may be triggered by the UE or by the mobile communication system. The PDU session establishment request may be a NAS message.
Optionally, the session establishment request may include service indication information of a third service that the UE requests to transmit. The third service may be one or more services.
In some possible implementations, the PDU session establishment request may omit at least one of the following: Data Network Name (DNN), S-NSSAI, and Session and Service Continuity (SSC) mode. The mobile communication system may configure such information according to the registered service information.
S1302: The AMF selects a suitable SMF for the UE according to the received PDU session establishment request.
The AMF may select the SMF based on the service indication information of the third service in the PDU session establishment request.
Optionally, the AMF may also select the SMF according to at least one of: the AMF's local configuration information, the UE subscription information obtained during registration, and the UE's SMF selection information.
For example, the local configuration information or the subscription information may include SMF information corresponding to the UE, and the AMF selects a suitable SMF according to that SMF information or according to the UE's SMF selection information.
Optionally, the AMF may obtain the UE's SMF selection information in, but not limited to, the following ways.
Mode 1: the AMF may acquire SMF selection information of the UE through a subscription information acquisition procedure.
Mode 2: the AMF may obtain SMF selection information of the UE in the PDU session setup request.
S1303: the AMF sends an SM context establishment request (Nsmf _ PDU session _ create SM context request) to the selected SMF. Accordingly, the SMF receives the establish SM context request from the AMF.
Wherein the request for establishing the SM context may include the third traffic indication information. The specific content of the third service indication information may refer to the method shown in fig. 5.
Optionally, the SM context setup request may include the PDU session setup request.
S1304: and the SMF acquires the subscription information (subscription data) of the UE from the UDM in the subscription information acquisition process.
The subscription information of the UE may indicate a service in which the registration of the UE is successful. For example, the subscription information of the UE may include service indication information of services that the UE can implement in the mobile communication system.
Optionally, the SMF may determine to accept or reject the PDU session establishment request according to, but not limited to, at least one of: and the service indication information of the third service and the service which is indicated by the subscription information and is successfully registered by the UE. When the third service is the service of successful registration of the UE, the SMF receives the PDU session establishment request and continues a subsequent PDU session establishment flow; otherwise, the SMF rejects the PDU session establishment request.
When rejecting the PDU session establishment request, the SMF may send a PDU session establishment failure reason to the AMF. The failure reasons may include: the service is not registered and the service is not authenticated.
S1305: the SMF sends an SM context setup response (Nsmf _ PDU session _ Create SM context response) to the AMF. Accordingly, the AMF receives an establish SM context response from the SMF. S1306: the mobile communication system performs a PDU session authentication/authorization (PDU session authorization) procedure.
S1307a: the SMF selects a PCF for the UE.
S1307b: the SMF initiates an SM policy association establishment/modification (SM policy association establishment/modification) procedure to the selected PCF to obtain Policy and Charging Control (PCC) rules and other information from the PCF entity.
S1307a and S1307b are optional steps.
S1308: The SMF selects a suitable UPF for the UE according to the UE's location information and subscription information, the SM policy association, and other information.
S1309: When the PCC rules acquired by the SMF in S1307b are dynamic PCC rules, the SMF initiates an SM policy association modification procedure with the PCF to acquire updated PCC rules from the PCF.
If the PCC rules acquired in S1307b are not dynamic PCC rules, the SMF need not perform S1309; S1309 is therefore an optional step.
S1310a: the SMF sends an N4 session establishment/modification request (N4 session establishment/modification request) to the UPF.
S1310b: the UPF sends an N4 session establishment/modification response (N4 session establishment/modification response) to the SMF.
S1311: the mobile communication system performs a subsequent PDU session establishment procedure.
The details of the subsequent PDU session setup procedure can refer to TS23.502, chapter 4.3.2.3.
By this method, during session establishment the mobile communication system establishes a PDU session for the UE that is limited according to the service indication information in the session establishment request and the services which, as determined during registration, the UE registered successfully in the current network. That is, the mobile communication system establishes sessions for services whose registration succeeded and not for services whose registration failed, so only the former are provided to the UE, which improves the security of service transmission.
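The AMF/SMF decision path of the session establishment procedure above (S1302 to S1305) as an added example; this is not the patent's or 3GPP's code. It assumes a subscription record, an SMF selection table, a subscriber identity and cause strings that are all constructed here; the only causes the text names are "service not registered" and "service not authenticated":

```python
"""Constructed example (added here; not the patent's or 3GPP's code) of the
decision path in the session establishment procedure above: the AMF picks
an SMF from SMF selection information (service -> SMF), and the SMF
compares the services named in the request (the "third service") with the
services the UE registered successfully before accepting or rejecting the
PDU session with a cause. The subscription data, the SMF table, the
subscriber identity and the cause strings are assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed subscription data for one UE, as S1304 would return it.
SUBSCRIPTION = {
    "supi": "imsi-001010000000001",
    # services the registration procedure authenticated successfully
    "registered_services": {"video", "iot"},
    # services in the subscription, including ones whose authentication failed
    "subscribed_services": {"video", "iot", "voice"},
}

# Constructed SMF selection information: service -> SMF instance.
SMF_SELECTION = {"video": "smf-media", "voice": "smf-media", "iot": "smf-iot"}


@dataclass
class PduSessionRequest:
    supi: str
    services: Set[str]                 # third service(s) for this session
    dnn: Optional[str] = None          # may be omitted; the network fills it in
    s_nssai: Optional[str] = None
    ssc_mode: Optional[int] = None


@dataclass
class Decision:
    accepted: bool
    smf: Optional[str] = None
    cause: Optional[str] = None
    rejected_services: Set[str] = field(default_factory=set)


def select_smf(req, selection_info, local_default="smf-default"):
    """S1302: choose the SMF the requested services map to; fall back to a
    locally configured default when they map to none or to several."""
    candidates = {selection_info.get(s) for s in req.services}
    candidates.discard(None)
    return candidates.pop() if len(candidates) == 1 else local_default


def smf_decide(req, subscription):
    """S1304: accept only if every requested service was registered
    successfully. 'service not authenticated' is used when the service is
    subscribed but its authentication failed, 'service not registered' when
    the subscription does not know the service at all."""
    if req.supi != subscription["supi"]:
        return Decision(False, cause="unknown subscriber")
    missing = req.services - subscription["registered_services"]
    if not missing:
        return Decision(True)
    if missing <= subscription["subscribed_services"]:
        cause = "service not authenticated"
    else:
        cause = "service not registered"
    return Decision(False, cause=cause, rejected_services=missing)


def establish_session(req, selection_info=SMF_SELECTION, subscription=SUBSCRIPTION):
    """S1302 to S1305 collapsed: the AMF selects the SMF, the SMF accepts or rejects."""
    decision = smf_decide(req, subscription)
    decision.smf = select_smf(req, selection_info)
    return decision


if __name__ == "__main__":
    supi = SUBSCRIPTION["supi"]
    for services in ({"video"}, {"voice"}, {"gaming"}, {"video", "iot"}):
        print(sorted(services), establish_session(PduSessionRequest(supi, services)))
```

The check is deliberately an all-or-nothing one over the requested services: a session that mixes an authenticated service with an unauthenticated one is rejected rather than silently narrowed, because the text gives the SMF no way to accept a session for only part of the third service.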
In some implementations, the method shown in fig. 13 may also be implemented on the basis of a conventional registration procedure, that is, a registration procedure in which no authentication server authenticates whether the UE may use a service. In that case the SMF corresponds to the first communication device in the method shown in fig. 5, the AAA-S corresponds to the second communication device, and the AMF corresponds to the third communication device. This implementation is described below.
S1304 may be replaced with: the SMF acquires the UE's subscription information (subscription data) from the UDM through a subscription information acquisition procedure; this subscription information need not indicate the services for which registration succeeded. In S1306, the SMF may initiate an authentication procedure with an authentication server (for example an AAA-S outside the mobile communication system) according to the service indication information in the session establishment request, requesting the authentication server to authenticate whether the UE may use the service it requested.
Optionally, in S1301 and S1303 the PDU session establishment request may further include at least one of: first indication information, which indicates whether the UE needs service authentication, and second indication information, which indicates the authentication server that performs the authentication. In S1306 the SMF may determine whether the UE needs to be authenticated for the service, and which authentication server to use, according to at least one of: the first indication information, the second indication information, the service indication information, and the SMF's local configuration information. The SMF then initiates the authentication procedure with that authentication server to authenticate whether the UE may use the requested service.
The manner of determining whether the UE needs service authentication and which authentication server to use may include, but is not limited to, at least one of:
Mode 1: The SMF determines whether the UE needs service authentication according to the first indication information, and then determines the address of the authentication server according to the second indication information.
Mode 2: The SMF determines whether the UE needs service authentication according to its local configuration information, determines according to the first indication information the set of authentication servers it can interact with, and then selects one of them according to the second indication information as the authentication server for authenticating whether the UE may use the service.
Mode 3: The SMF determines whether the UE needs service authentication according to the first indication information, determines according to the first indication information the set of authentication servers it can interact with, and then selects one of them according to its local configuration information as the authentication server for authenticating whether the UE may use the service.
The SMF-initiated authentication procedure is described below with reference to fig. 14.
S1401: and the SMF initiates an N4 session establishment (N4 session establishment) flow to the UPF.
S1402: the SMF sends a fifth authentication request to the AAA-S in the DN. Accordingly, the AAA-S in the DN receives the fifth authentication request from the SMF.
The fifth authentication request may include service indication information of a service requested by the UE, and the fifth authentication request may request to authenticate whether the UE can implement the service requested by the UE.
S1403a: the AAA-S sends a fifth authentication response to the SMF. Accordingly, the SMF receives the fifth authentication response from the AAA-S.
The fifth authentication response may include service indication information of the service requested by the UE.
S1403b: the SMF initiates an N1N2message transfer (Namf _ communication _ N1N2 MessageTransfer) procedure to the AMF.
Optionally, the SMF may send, to the AMF, service indication information of a service requested by the UE through the N1N2message transfer procedure.
S1403c: the AMF sends a first NAS SM transport (NAS SM transport) message to the UE. Accordingly, the UE receives the first NAS SM transfer message from the AMF.
Wherein the first NAS SM transfer message may be an authentication message.
The first NAS SM transfer message may include service indication information of a service requested by the UE.
S1403d: the UE sends a second NAS SM transfer message to the AMF. Accordingly, the AMF receives the second NAS SM transfer message from the UE.
Wherein the second NAS SM transfer message may be an authentication message.
The second NAS SM transfer message may include service indication information of the service requested by the UE.
Optionally, the second NAS SM transport message may further include the UE's authentication result on whether the UE can use the requested service.
S1403e: the AMF initiates an SM context (Nsmf _ PDU session _ update SMcontext) updating flow to the SMF.
The message in the update SM context flow may be an N1 SM message (N1 SM message).
The message in the update SM context procedure may include service indication information of the service requested by the UE.
Optionally, the AMF may send, to the SMF, an authentication result of whether the UE can implement the requested service to the UE in the SM context update procedure.
S1403f: the SMF sends a sixth authentication request to the AAA-S. Accordingly, the AAA-S receives the sixth authentication request from the SMF.
The sixth authentication request may include service indication information of a service requested by the UE.
S1404: the AAA-S sends a sixth authentication response to the SMF. Accordingly, the SMF receives the sixth authentication response from the AAA-S.
The sixth authentication response may include service indication information of the service requested by the UE, and includes a first authentication result of whether the UE can use the requested service (that is, the AAA-S's authentication result on whether the UE can use the requested service).
S1405: The mobile communication system continues the subsequent PDU session establishment procedure according to the first authentication result.
If the first authentication result contains a requested service that the UE is allowed to use, the PDU session establishment request is accepted; otherwise it is rejected.
S1406: the SMF sends the allocated IP address to the AAA-S.
This step is optional.
Through the methods shown in fig. 13 and fig. 14, during the session establishment procedure the SMF may request the AAA-S to authenticate whether the UE can use the requested service and obtain the authentication result. According to that result, the mobile communication system in which the SMF is located provides the UE with the services whose authentication succeeded and withholds the services whose authentication failed, which improves the security of data transmission.
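The SMF-initiated DN authentication of fig. 14, together with the server-selection decision of Modes 1-3 above, as an added example; this is not the patent's or 3GPP's code. The page does not fix the credential type used between UE and AAA-S, so the challenge-response here is an HMAC over (challenge, service) with a pre-shared key; the keys, GPSI values, server names, service names and the simplified selection rule are assumptions:

```python
"""Constructed example (added here; not the patent's or 3GPP's code) of the
SMF-initiated DN authentication above. It covers two things: the SMF
working out whether service authentication is needed and which AAA-S to
use from the first/second indication information and its local
configuration (a simplification of Modes 1-3), and the two-round exchange
of fig. 14, where the fifth request/response carries a challenge that the
AMF relays to the UE in NAS SM transport and the sixth request/response
carries the UE's answer back and returns the per-service result. The
HMAC challenge-response, keys, GPSI values, server and service names are
all assumptions."""
import hashlib
import hmac
import os


def mac(key, challenge, service):
    return hmac.new(key, challenge + service.encode(), hashlib.sha256).digest()


class AaaServer:
    """AAA-S in the data network: holds UE keys and the services each UE may use."""

    def __init__(self, name, ue_keys, allowed):
        self.name, self.ue_keys, self.allowed = name, ue_keys, allowed
        self.pending = {}           # gpsi -> outstanding challenge

    def fifth_response(self, gpsi, services):           # S1402 -> S1403a
        challenge = os.urandom(16)
        self.pending[gpsi] = challenge
        return {"gpsi": gpsi, "services": list(services), "challenge": challenge}

    def sixth_response(self, gpsi, services, answers):  # S1403f -> S1404
        challenge = self.pending.pop(gpsi, None)
        key = self.ue_keys.get(gpsi)
        results = {}
        for s in services:
            ok = (challenge is not None and key is not None
                  and s in self.allowed.get(gpsi, ())
                  and hmac.compare_digest(mac(key, challenge, s), answers.get(s, b"")))
            results[s] = ok
        return {"gpsi": gpsi, "results": results}   # the "first authentication result"


class Ue:
    def __init__(self, gpsi, key):
        self.gpsi, self.key = gpsi, key

    def nas_sm_answer(self, nas_in):                    # S1403c -> S1403d
        return {s: mac(self.key, nas_in["challenge"], s) for s in nas_in["services"]}


def decide_authentication(first_ind, second_ind, services, local_cfg, servers):
    """Return (needed, server_name). first_ind: whether the UE needs
    service authentication (None = not present, use local configuration);
    second_ind: the AAA-S the UE names (None = not present, use local
    configuration). A server name the SMF does not know is not trusted."""
    needed = first_ind if first_ind is not None else any(
        local_cfg["auth_required"].get(s, True) for s in services)
    if not needed:
        return False, None
    if second_ind in servers:
        return True, second_ind
    return True, local_cfg["default_server"]


def smf_session_authentication(req, ue, servers, local_cfg):
    """Run fig. 14 for one PDU session establishment request and return the
    SMF's decision: accepted if at least one requested service is allowed
    (S1405), plus the granted services."""
    needed, name = decide_authentication(
        req.get("first_ind"), req.get("second_ind"), req["services"], local_cfg, servers)
    if not needed:
        return {"accepted": True, "granted": list(req["services"]), "server": None}
    aaa = servers[name]
    r5 = aaa.fifth_response(req["gpsi"], req["services"])
    nas_out = {"services": r5["services"], "challenge": r5["challenge"]}   # via AMF, S1403b/c
    answers = ue.nas_sm_answer(nas_out)                                     # S1403d/e
    r6 = aaa.sixth_response(req["gpsi"], req["services"], answers)
    granted = [s for s in req["services"] if r6["results"][s]]
    return {"accepted": bool(granted), "granted": granted, "server": name}


# Constructed deployment: two AAA servers, one UE with a key known to both.
UE_KEY = b"ue-preshared-key-constructed"
SERVERS = {
    "aaa-media": AaaServer("aaa-media", {"gpsi-1": UE_KEY}, {"gpsi-1": {"video"}}),
    "aaa-iot": AaaServer("aaa-iot", {"gpsi-1": UE_KEY}, {"gpsi-1": {"iot"}}),
}
LOCAL_CFG = {"auth_required": {"video": True, "iot": True, "voice": True},
             "default_server": "aaa-media"}
UE = Ue("gpsi-1", UE_KEY)

if __name__ == "__main__":
    req = {"gpsi": "gpsi-1", "services": ["video", "voice"],
           "first_ind": True, "second_ind": "aaa-media"}
    print(smf_session_authentication(req, UE, SERVERS, LOCAL_CFG))
```

Two points worth noticing: the second indication information names a server but the SMF only honours names in its own configured set, so a UE cannot steer authentication to a server of its choosing; and the AAA-S ties every answer to a fresh challenge it issued, so a captured answer from an earlier session does not grant a service again.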
The embodiment of the application provides a communication method. The method may be applied to the communication systems shown in fig. 1-4; see fig. 15, fig. 16 and fig. 12. The method authenticates, as part of network slice authentication, whether the terminal device can use a service on the network slice, so that the mobile communication system provides the terminal device with the services whose authentication succeeded and not with the services whose authentication failed, thereby improving the security of service transmission. In this example, the first AMF or AMF corresponds to the first communication device in the method shown in fig. 5, the NSSAAF corresponds to the second communication device, the UE and/or AN device corresponds to the third communication device, and the AAA-S corresponds to the fourth communication device. For convenience of description, the following takes the terminal device being a UE as an example.
Fig. 15 shows a brief flow of network slice authentication.
S1501: the UE sends a registration request to the AMF. Accordingly, the AMF receives the registration request from the UE.
The registration request may include first network slice indication information and first service indication information. The first network slice indication information indicates the first network slice(s) requested by the UE, and the first service indication information indicates the first service associated with each of the first network slices.
S1502: the AMF sends a seventh authentication request to the NSSAAF. Accordingly, the NSSAAF receives the seventh authentication request from the AMF.
The seventh authentication request may include the first network slice indication information and the first service indication information, and requests authentication of whether the UE can use the first service on the first network slice.
S1503: the NSSAAF sends an eighth authentication request to the AAA-P. Accordingly, the AAA-P receives the eighth authentication request from the NSSAAF.
The eighth authentication request may include the first network slice indication information and the first service indication information.
S1504: the AAA-P sends the eighth authentication request to an AAA-S. Correspondingly, the AAA-S receives the eighth authentication request from the AAA-P.
The eighth authentication request may request the AAA-S to authenticate whether the UE is capable of implementing the first service on the first network slice.
In some implementations, the NSSAAF may interact directly with the AAA-S. In this case, S1503 and S1504 may be replaced with: the NSSAAF sends an eighth authentication request to the AAA-S.
Fig. 16 shows a detailed flow of network slice authentication. The flow follows TS 23.502, chapter 4.2.9.2; in the embodiment of this application, service indication information is added to each message of that flow. The flow is described below with reference to the drawing.
S1601: the AMF triggers a slice-specific authentication and authorization (slice-specific authentication and authorization) procedure.
Optionally, the AMF may trigger the network slice authentication procedure according to the UE's registration request, or based on other events; for example, the AMF may trigger it when the AAA-S triggers a UE re-authentication and re-authorization procedure for an S-NSSAI.
When the AMF triggers the network slice authentication procedure according to the UE's registration request, the registration request may include network slice indication information of the first network slice requested by the UE and service indication information of the service associated with each network slice.
S1602: The AMF sends a first NAS Mobility Management (MM) transport (NAS MM Transport) message to the UE. Accordingly, the UE receives the first NAS MM transport message from the AMF.
The first NAS MM transport message may include at least one of: an Extensible Authentication Protocol (EAP) identity request (EAP ID Request) for the S-NSSAI, and the S-NSSAI.
S1603: the UE sends a second NAS MM transmission message to the AMF. Accordingly, the AMF receives a second NAS MM transmission message from the UE.
The second NAS MM transport message may include at least one of: an EAP identity response (EAP ID Response) for the S-NSSAI, and the S-NSSAI.
S1604: The AMF sends a ninth authentication request (Nnssaaf_NSSAA_Authenticate Request) to the NSSAAF. Accordingly, the NSSAAF receives the ninth authentication request from the AMF.
The ninth authentication request may include at least one of: the EAP ID response, the S-NSSAI, the Generic Public Subscription Identifier (GPSI), and the service indication information associated with the S-NSSAI.
S1605: The NSSAAF sends a first AAA protocol message (AAA Protocol Message) to the AAA-P. Accordingly, the AAA-P receives the first AAA protocol message from the NSSAAF.
The first AAA protocol message may include at least one of: the EAP ID response, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1606: The AAA-P sends a second AAA protocol message to the AAA-S. Accordingly, the AAA-S receives the second AAA protocol message from the AAA-P.
The second AAA protocol message may include at least one of: the EAP ID response, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1607: The AAA-S sends a third AAA protocol message to the AAA-P. Accordingly, the AAA-P receives the third AAA protocol message from the AAA-S.
The third AAA protocol message may include at least one of: an EAP message (EAP Message), the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1608: The AAA-P sends a fourth AAA protocol message to the NSSAAF. Accordingly, the NSSAAF receives the fourth AAA protocol message from the AAA-P.
The fourth AAA protocol message may include at least one of: the EAP message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1609: The NSSAAF sends a ninth authentication response (Nnssaaf_NSSAA_Authenticate Response) to the AMF. Accordingly, the AMF receives the ninth authentication response from the NSSAAF.
The ninth authentication response may include at least one of: the EAP message, the S-NSSAI, the GPSI, and the service indication information associated with the S-NSSAI.
S1610: the AMF sends a third NAS MM transmission message to the UE. Accordingly, the UE receives the third NAS MM transport message from the AMF.
Wherein the third NAS MM transport message may comprise at least one of: EAP message, S-NSSAI, service indication information associated with the S-NSSAI.
S1611: the UE sends a fourth NAS MM transport message to the AMF. Accordingly, the AMF receives the fourth NAS MM transport message from the UE.
Wherein the fourth NAS MM transport message may comprise at least one of: EAP message, S-NSSAI, service indication information associated with the S-NSSAI.
S1612: the AMF sends a tenth authentication Request (Nnssaaf _ NSSAA _ authentication Request) to the NSSAAF. Accordingly, the NSSAAF receives the tenth authentication request from the AMF.
Wherein the tenth authentication request may include at least one of: the EAP message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
S1613: the NSSAAF sends a fifth AAA protocol message to the AAA-P. Accordingly, the AAA-P receives the fifth AAA protocol message from the NSSAAF.
Wherein the fifth AAA protocol message may comprise at least one of: the EAP message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
Optionally, the fifth AAA protocol message may further include an address of the AAA-S.
S1614: the AAA-P may send a sixth AAA protocol message to the AAA-S according to the address of the AAA-S, so that the AAA-S authenticates whether the UE can implement the requested service on the requesting network slice. Correspondingly, the AAA-S receives a sixth AAA protocol message from the AAA-P.
Wherein the sixth AAA protocol message may comprise at least one of: the EAP message, S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
Optionally, reference may be made to S502 for specific content of the AAA-S authenticating whether the UE can implement the requested service on the request network slice, which is not described herein again.
S1615: the AAA-S sends a seventh AAA protocol message to the AAA-P. Correspondingly, the AAA-P receives the seventh AAA protocol message from the AAA-S.
Wherein the seventh AAA protocol message may comprise at least one of: EAP Success/Failure message (EAP-Success/Failure message), S-NSSAI, GPSI, and service indication information associated with the S-NSSAI.
S1616: the AAA-P sends an eighth AAA protocol message to the NSSAAF. Accordingly, the NSSAAF receives the eighth AAA protocol message from the AAA-P.
Wherein the eighth AAA protocol message may comprise at least one of: an EAP success/failure message, an S-NSSAI, a GPSI, a service indication information associated with the S-NSSAI.
S1617: the NSSAAF sends a tenth authentication Response (NSSAAF _ NSSAA _ authentication Response) to the AMF. Accordingly, the AMF receives the tenth authentication response from the NSSAAF.
Wherein the tenth authentication response may include at least one of: an EAP success/failure message, an S-NSSAI, a GPSI, a service indication information associated with the S-NSSAI.
S1618: the AMF sends a fifth NAS MM transmission message to the UE. Accordingly, the UE receives the fifth NAS MM transport message from the AMF.
Wherein the fifth NAS MM transport message may include: an EAP success/failure message, an S-NSSAI, service indication information associated with the S-NSSAI.
Optionally, the AMF may store the authentication result for each S-NSSAI associated network slice.
S1619a: the AMF initiates a UE configuration update procedure.
S1619b: and the AMF initiates an unsubscribe process.
In some implementations, the NSSAAF may interact directly with the AAA-S. In this case, the NSSAAF may send the first AAA protocol message and the fifth AAA protocol message directly to an AAA-S, and the AAA-S may send the third AAA protocol message and the seventh AAA protocol message directly to the NSSAAF.
Through the methods shown in fig. 15 and fig. 16, during the network slice authentication procedure the AMF obtains an authentication result on whether the UE can use the requested service on the network slice it requested. According to that result, the mobile communication system in which the AMF is located provides the UE with the services whose authentication succeeded and withholds the services whose authentication failed, which improves the security of data transmission.
In some implementations, the flows shown in fig. 15 and 16 may be used in the method shown in fig. 12, in which case some variations of the method shown in fig. 12 may occur. Only the variations will be described below.
In S1201, the registration request may include: the first network slice indication information and the first service indication information.
In S1203, after receiving the registration request, the first AMF may trigger the network slice authentication procedure of S1601, and the subsequent steps of fig. 16 are performed.
In S1205a, the first AMF may send a registration request to the UDM according to at least one of: the result of authenticating whether the UE can use the first service on the first network slice, and the service indication information associated with that authentication result.
Optionally, the registration request may include at least one of the following authentication information: indication information of the network slices for which the UE's authentication succeeded (for example, a list of those network slices), indication information of the services successfully authenticated on each such network slice, indication information of all services of each such network slice, and the authentication result of all services of each such network slice. The UDM may then store the received information, together with the identity information of the first AMF associated with it, in the UDM or the UDR.
It is to be understood that the first AMF may also send the registration information to other communication devices having a storage function, or store the registration information locally in the AMF.
In S1205b, the subscription information the first AMF obtains from the UDM may indicate at least one of: the network slices for which the UE's authentication succeeded, and the successfully authenticated services associated with those network slices.
In S1207, the registration accept message may indicate the network slices the UE can use in the mobile communication system and the UE's services associated with those network slices.
Optionally, after receiving the registration accept message, the UE may locally store indication information of a network slice that the UE may use and information of a service associated with the network slice.
In some implementations, after the UE is successfully registered, the network slice in which the UE is successfully or unsuccessfully authenticated may be changed, and the authentication result of the service associated with the network slice may also be changed. In this case, the mobile communication system may update the authentication result of the network slice of the UE or the authentication result of the service. The update flow will be described below with reference to fig. 12.
In S1208, the authentication update information may be used to indicate at least one of the following changes: a successfully authenticated network slice of the UE becomes a network slice whose authentication fails; a network slice of the UE whose authentication failed becomes a successfully authenticated network slice; a newly added network slice of the UE becomes a successfully authenticated network slice; a newly added network slice of the UE becomes a network slice whose authentication fails; a successfully authenticated service associated with a network slice becomes a service whose authentication fails; a service associated with a network slice whose authentication failed becomes a successfully authenticated service; a newly added service associated with a network slice becomes a successfully authenticated service; or a newly added service associated with a network slice becomes a service whose authentication fails.
The authentication update information may include at least one of: network slice indication information of the network slice whose authentication result changed, and service indication information of the service whose authentication result changed.
In S1210, the mobile communication system executes a subsequent UE configuration update procedure to update at least one of: the network slices of the UE that are successfully authenticated and/or that fail authentication, the services associated with a successfully authenticated network slice that are successfully authenticated and/or that fail authentication, and the services associated with a network slice that fails authentication.
By the method, in the registration process, the AMF can obtain the authentication result of whether the UE can realize the requested service on the network slice requested by the UE, and according to the authentication result, the mobile communication system where the AMF is located can provide the service which is successfully authenticated for the UE and does not provide the service which is failed in authentication for the UE, thereby improving the safety of data transmission.
In some implementations, the method shown in fig. 13 can also be implemented on the basis that the flow shown in fig. 16 is used for the method shown in fig. 12. In this case, there are some variations to the method shown in fig. 13, and only the variations will be described below.
In S1301, the PDU session setup request may include: network slice indication information of the network slice requested by the UE, and service indication information of a service associated with each network slice.
In S1302, the AMF may select an SMF based on the network slice indication information and the service indication information in the PDU session setup request and on the subscription information of the UE.
The subscription information may include: network slice indication information of the network slices that the UE has successfully registered in the current network, and service indication information of the successfully registered services associated with those successfully registered network slices.
When the network slice requested by the UE is a network slice that the UE has successfully registered in the current network, and the service requested by the UE in association with that successfully registered network slice is a service that the UE has successfully registered in the current network, the AMF can accept the PDU session establishment request and select an SMF to perform the subsequent PDU session establishment flow; otherwise, the AMF can reject the PDU session establishment request.
When the AMF rejects the PDU session setup request, the AMF may feed back a reject cause. The reject cause may comprise at least one of: service unregistered, service unauthenticated, network slice unregistered, network slice unauthenticated, and so on.
In other implementations, the method shown in fig. 13 can also be implemented on the basis that the flow shown in fig. 16 is used for the method shown in fig. 12. In this case, there are some variations to the method shown in fig. 13, and only the variations will be described below.
In S1301, the PDU session setup request may include: network slice indication information of the network slice requested by the UE, and service indication information of a service associated with each network slice.
In S1303, the PDU session establishment request sent by the AMF to the SMF may include: network slice indication information of the network slice requested by the UE, and service indication information of a service associated with each network slice.
In S1304, the subscription information of the UE acquired by the SMF may indicate a network slice in which the registration of the UE is successful and a service associated with the network slice in which the registration is successful. For example, the subscription information of the UE may include: the network slice indication information of the network slice of the UE which is successfully registered, and the service indication information of the service which is successfully registered and is associated with the network slice which is successfully registered.
Optionally, the SMF may determine whether to accept or reject the PDU session establishment request according to, but not limited to, at least one of: the network slice indication information of the requested network slice, the service indication information of the service associated with the requested network slice, and the subscription information. When the network slice requested by the UE is a network slice that the UE has successfully registered, and the service requested by the UE in association with that successfully registered network slice is a service that the UE has successfully registered, the SMF accepts the PDU session establishment request and continues the subsequent PDU session establishment flow; otherwise, the SMF rejects the PDU session establishment request.
When rejecting the PDU session setup request, the SMF may send a failure cause for the PDU session setup to the AMF. The failure cause may include: service unregistered, service unauthenticated, network slice unregistered, and network slice unauthenticated.
By this method, in the session establishment procedure, the mobile communication system can reuse the authentication result of the registration procedure to restrict the PDU sessions established for the UE. That is to say, the mobile communication system establishes a session for a successfully registered service associated with a network slice that the UE successfully authenticated, and does not establish a session for a service whose authentication failed, so that successfully authenticated services are provided to the UE, services whose authentication failed are not provided to the UE, and the security of service transmission is further improved.
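The following is an added example and not code from the patent or from any Huawei implementation. It models, in Python, the per-UE authentication state that an AMF could keep after the registration procedure of fig. 12, the application of authentication update information (S1208, returning what the UE configuration update of S1210 has to carry), and the PDU session admission check of S1302 (or S1304 when the SMF performs it), including the four reject causes the text lists. The data layout, the slice and service names, and the mapping of "unregistered" (never present in the stored results) versus "unauthenticated" (present with a failed result) are assumptions; the patent does not define them. The point a practitioner should take from it is that the admission decision is only as good as the stored result, so revocations delivered in S1208 must overwrite the state before the next session request is evaluated.

```python
from dataclasses import dataclass, field
from enum import Enum


class RejectCause(Enum):
    """Reject causes the AMF or SMF may return (S1302 / S1304)."""
    SERVICE_UNREGISTERED = "service unregistered"
    SERVICE_UNAUTHENTICATED = "service unauthenticated"
    SLICE_UNREGISTERED = "network slice unregistered"
    SLICE_UNAUTHENTICATED = "network slice unauthenticated"


@dataclass
class UeAuthState:
    """Per-UE authentication results held after registration (assumed layout).

    slices:   slice id -> True if authentication succeeded, False if it failed
    services: (slice id, service id) -> True / False, likewise
    An entry absent from the mapping was never requested or registered.
    """
    slices: dict = field(default_factory=dict)
    services: dict = field(default_factory=dict)


def apply_auth_update(state: UeAuthState, updates: list) -> list:
    """Apply authentication update information (S1208).

    Each update is ("slice", slice_id, ok) or ("service", slice_id, service_id, ok).
    A new entry is added and an existing entry is overwritten, which covers all
    eight transitions listed in the text (success->failure, failure->success,
    new slice or service succeeded or failed). Returns the entries whose result
    actually changed, i.e. what the UE configuration update (S1210) must carry.
    """
    changed = []
    for upd in updates:
        if upd[0] == "slice":
            _, slice_id, ok = upd
            if state.slices.get(slice_id) != ok:
                state.slices[slice_id] = ok
                changed.append(("slice", slice_id, ok))
        elif upd[0] == "service":
            _, slice_id, service_id, ok = upd
            key = (slice_id, service_id)
            if state.services.get(key) != ok:
                state.services[key] = ok
                changed.append(("service", slice_id, service_id, ok))
        else:
            raise ValueError(f"unknown update kind: {upd[0]!r}")
    return changed


def allowed_view(state: UeAuthState) -> dict:
    """What the registration accept (S1207) would carry: usable slices and,
    per slice, the services successfully authenticated on it."""
    return {
        s: sorted(svc for (sl, svc), ok in state.services.items() if sl == s and ok)
        for s, ok in state.slices.items() if ok
    }


def check_pdu_session(state: UeAuthState, slice_id: str, service_id: str):
    """PDU session admission: accept only if the requested slice and the
    requested service on that slice were both successfully authenticated.
    Slice checks run first, so a failed slice masks its services."""
    if slice_id not in state.slices:
        return False, RejectCause.SLICE_UNREGISTERED
    if not state.slices[slice_id]:
        return False, RejectCause.SLICE_UNAUTHENTICATED
    key = (slice_id, service_id)
    if key not in state.services:
        return False, RejectCause.SERVICE_UNREGISTERED
    if not state.services[key]:
        return False, RejectCause.SERVICE_UNAUTHENTICATED
    return True, None


def demo():
    """Constructed walk-through: registration results, session requests, then
    an S1208 update that revokes slice-A. All values are sample data."""
    state = UeAuthState()
    apply_auth_update(state, [
        ("slice", "slice-A", True),
        ("service", "slice-A", "svc-video", True),
        ("service", "slice-A", "svc-iot", False),
        ("slice", "slice-B", False),
    ])
    before = {
        "video": check_pdu_session(state, "slice-A", "svc-video"),
        "iot": check_pdu_session(state, "slice-A", "svc-iot"),
        "voice": check_pdu_session(state, "slice-B", "svc-voice"),
        "unknown": check_pdu_session(state, "slice-C", "svc-video"),
    }
    # S1208: slice-A's authentication is revoked; slice-B is unchanged
    changed = apply_auth_update(state, [("slice", "slice-A", False),
                                        ("slice", "slice-B", False)])
    after = check_pdu_session(state, "slice-A", "svc-video")
    return before, changed, after


if __name__ == "__main__":
    print(demo())
```

Note that `apply_auth_update` reports only entries that really changed; an update that repeats an existing result (slice-B above) produces no configuration update entry, which keeps S1210 traffic to the minimum the text describes.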
Based on the same technical concept, the present application also provides a communication apparatus having a structure as shown in fig. 17, including a communication unit 1701 and a processing unit 1702. The communication apparatus 1700 may be applied to AMF, SMF, AUSF, NSSAAF, UDM in the communication systems shown in fig. 1 to 4, or AAA-S outside the mobile communication system, and may implement the communication methods provided in the embodiments and examples of the present application. The functions of the various units in the apparatus 1700 are described below.
The communication unit 1701 is used for receiving and transmitting data.
When the communication apparatus 1700 is applied to an AMF, an SMF, an AUSF, an NSSAAF, a UDM, or an AAA-S outside the mobile communication system, the communication unit 1701 may be implemented by a physical interface, a communication module, a communication interface, or an input/output interface. The communication apparatus 1700 may be connected to a network cable or other cable through the communication unit and thereby establish a physical connection with other devices.
In one embodiment, the communication apparatus 1700 is applied to a first communication device in the embodiment of the present application (e.g., the first communication device in fig. 5, the first AMF in fig. 8-10 and 12, the AMF in fig. 13, or the SMF). Wherein the second communication device comprises at least one of: AUSF, NSSAAF, UDM, or AAA-S outside of the mobile communication system. The specific function of the processing unit 1702 in this embodiment will be described below.
The processing unit 1702 is specifically configured to: send a first request to the second communication device through the communication unit 1701, where the first request may include first service indication information, the first service indication information may indicate a first service requested by a terminal device, and the first request may request authentication of whether the terminal device is capable of implementing the first service; receive a first response from the second communication device through the communication unit 1701, where the first response may include an authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service; and determine, according to the authentication result, whether to provide the first service for the terminal device.
Optionally, the processing unit 1702 is specifically configured to: receive a second request from a third communication device through the communication unit 1701 before sending the first request to the second communication device; wherein the second request may include the first service indication information, and the second request may be a registration request or a first session establishment request.
Optionally, the first service includes at least one service, and the authentication result includes: a second service, among the first services, that the terminal device can implement; when the second request is the registration request, the first communication device is an access and mobility management function (AMF), the second communication device is an authentication server function (AUSF) and/or a network slice specific authentication and authorization function (NSSAAF), and the third communication device is the terminal device or an access network (AN) device accessed by the terminal device; the processing unit 1702 is specifically configured to:
after receiving the first response from the second communication device, a first message is sent to a unified data management UDM through the communication unit 1701, wherein the first message may include: second service indication information for indicating the second service;
receiving, by the communication unit 1701, a second session establishment request from the terminal device or AN device to which the terminal device accesses; the second session establishment request comprises third service indication information, and the third service indication information is used for indicating a third service requested to be executed by the terminal equipment;
a third request is sent to the SMF through the communication unit 1701 according to the second session establishment request, where the third request may include the third service indication information, and the third request may request the SMF to accept or reject the second session establishment request according to the second service indication information and the third service indication information acquired from the UDM.
Optionally, the first service includes at least one service, and the authentication result includes: a second service, among the first services, that the terminal device can implement; when the second request is the registration request, the first communication device is an AMF, the second communication device is an AUSF and/or an NSSAAF, and the third communication device is the terminal device or the AN device accessed by the terminal device; the processing unit 1702 is specifically configured to:
after receiving the first response from the second communication device, saving second service indication information for indicating the second service;
receiving, by the communication unit 1701, a second session establishment request from the terminal device or AN device to which the terminal device is accessed; the second session establishment request may include third service indication information, where the third service indication information may indicate a third service requested to be executed by the terminal device;
and when the second service that the terminal device can implement comprises the third service, accept the second session establishment request, and otherwise reject the second session establishment request.
Optionally, when the second request is the registration request, the first communication device is an AMF, the second communication device is an NSSAAF, the third communication device is the terminal device or the AN device accessed by the terminal device, and the second request further includes first network slice indication information, where the first network slice indication information is used for indicating a first network slice that the terminal device requests to access; the first request further comprises the first network slice indication information; and the authentication result is obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
Optionally, the first service includes at least one service, the first network slice includes at least one network slice, and the authentication result includes: a fourth service, among the first services, that the terminal device can implement on a second network slice among the first network slices; the processing unit 1702 is specifically configured to:
after receiving the first response from the second communication device, sending a second message to the UDM through the communication unit 1701; wherein the second message may include: second network slice indication information and fourth service indication information, where the second network slice indication information may indicate the second network slice, and the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice;
receiving, by the communication unit 1701, a third session establishment request from the terminal device or the AN device to which the terminal device accesses; the third session establishment request may include third network slice indication information and fifth service indication information, where the third network slice indication information may indicate a third network slice, and the fifth service indication information may indicate a fifth service that the terminal device requests to execute on the third network slice;
sending a fourth request to the SMF through the communication unit 1701 according to the third session establishment request, where the fourth request may include the third network slice indication information and the fifth service indication information, and the fourth request may request the SMF to accept or reject the second session establishment request according to the second network slice indication information and the fourth service indication information acquired from the UDM, and the third network slice indication information and the fifth service indication information.
Optionally, the first service includes at least one service, the first network slice includes at least one network slice, and the authentication result includes: a fourth service, among the first services, that the terminal device can implement on a second network slice among the first network slices; the processing unit 1702 is specifically configured to:
after receiving a first response from the second communication device, saving second network slice indication information and fourth service indication information, wherein the second network slice indication information may indicate the second network slice, and the fourth service indication information may indicate the fourth service that the terminal device can implement on the second network slice;
receiving, by the communication unit 1701, a third session establishment request from the terminal device or the AN device to which the terminal device accesses; the third session establishment request comprises third network slice indication information and fifth service indication information, wherein the third network slice indication information is used for indicating a third network slice, and the fifth service indication information is used for indicating a fifth service that the terminal device requests to execute on the third network slice;
and when the second network slice comprises the third network slice and the fourth service comprises the fifth service, accepting the third session establishment request, and otherwise rejecting the third session establishment request.
Optionally, the second request further includes at least one of: first indication information, used for indicating whether authentication of the terminal device for the first service is required, and second indication information, used for indicating the communication device that executes the authentication processing.
Optionally, the processing unit 1702 is specifically configured to: when the first communication device is an AMF or an SMF, before sending the first request to the second communication device, determine the second communication device according to the first service indication information; wherein the second communication device is at least one of an AUSF, an NSSAAF, a UDM, or an AAA server outside the mobile communication system.
Optionally, the processing unit 1702 is specifically configured to: when the first communication device is AMF or SMF, after receiving the first response from the second communication device, sending a third message to the terminal device through the communication unit 1701 according to the authentication result; wherein the third message comprises at least one of:
sixth service indication information for indicating a service that can be implemented by the terminal device;
seventh service indication information for indicating a service that the terminal device cannot implement;
fourth network slice indicating information for indicating a network slice which can be accessed by the terminal device, and eighth service indicating information for indicating a service which can be realized by the terminal device on the network slice;
fifth network slice indication information for indicating a network slice that the terminal device can access, and ninth service indication information for indicating a service that the terminal device cannot implement on the network slice;
sixth network slice indication information for indicating a network slice that the terminal device cannot access, and tenth service indication information for indicating a service requested by the terminal device on the network slice.
Optionally, the processing unit 1702 is specifically configured to: when the first communication device is the AMF, after receiving the first response from the second communication device, send a fourth message to the terminal device through the communication unit 1701; the fourth message is used for triggering the terminal device to authenticate, according to locally stored authentication information, whether the terminal device can implement the first service in the mobile communication system, wherein the authentication information comprises service authentication information.
Optionally, the first service indication information includes at least one of the following: the identification of the first service, the indication information of the type of the first service, and the indication information of the provider of the first service.
In one embodiment, the communication apparatus 1700 is applied to the second communication device in the embodiments of the present application (for example, the second communication device in fig. 5, the AUSF and/or UDM in fig. 8, the AUSF and/or UDM/ARPF in fig. 9, the NSSAAF and/or AAA-S in fig. 10, the AUSF and/or UDM in fig. 12, the AAA-S in the DN in fig. 13, and the NSSAAF and/or AAA-S in fig. 16), and the first communication device may include at least one of the following: an AMF and an SMF. The specific function of the processing unit 1702 in this embodiment will be described below.
The processing unit 1702 is configured to:
receive, by the communication unit 1701, a first request from a first communication device in the mobile communication system; the first request comprises first service indication information, the first service indication information is used for indicating a first service requested by a terminal device, and the first request is used for requesting authentication of whether the terminal device can implement the first service;
authenticate whether the terminal device can implement the first service;
send a first response to the first communication device through the communication unit 1701; the first response includes a first authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service, and the first authentication result is used by the first communication device to determine whether to provide the first service for the terminal device.
Optionally, the processing unit 1702 is specifically configured to:
transmitting a fifth request to the fourth communication device through the communication unit 1701; wherein the fifth request comprises: the fifth request is used for requesting the fourth communication device to authenticate whether the terminal device can implement the first service or not;
receiving a fifth response from the fourth communication device through the communication unit 1701; the fifth response comprises a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service;
and according to the second authentication result, authenticating whether the terminal device can implement the first service, to obtain the first authentication result.
Optionally, the processing unit 1702 is specifically configured to:
when the first request further comprises first network slice indication information, authenticate whether the terminal device can implement the first service on the first network slice, wherein the first network slice indication information is used for indicating a first network slice that the terminal device requests to access; the first authentication result is obtained by the second communication device authenticating whether the terminal device can implement the first service on the first network slice.
Optionally, the processing unit 1702 is specifically configured to:
transmitting a sixth request to the fourth communication device through the communication unit 1701; wherein the sixth request comprises: the sixth request is used for requesting the fourth communication device to authenticate whether the terminal device can realize the first service on the first network slice;
receiving a sixth response from the fourth communication device through the communication unit 1701; the sixth response comprises a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service on the first network slice;
and according to the second authentication result, authenticating whether the terminal device can implement the first service, to obtain the first authentication result.
Optionally, the second communication device is an authentication server function (AUSF), and the fourth communication device is a UDM; or, the second communication device is a network slice specific authentication and authorization function (NSSAAF), and the fourth communication device is an authentication, authorization and accounting (AAA) server outside the mobile communication system.
Optionally, the processing unit 1702 is specifically configured to: authenticate, according to locally stored authentication information, whether the terminal device can implement the first service in the mobile communication system, wherein the authentication information comprises service authentication information.
Optionally, the first service indication information includes at least one of: an identifier of the first service, indication information of the type of the first service, and indication information of the provider of the first service.
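The exchange described for the second communication device above, as an added example that is not part of the patent or of any vendor implementation: the second communication device (for example an AUSF or NSSAAF) receives the first request carrying service and network slice indication information, forwards it as the fifth (or sixth) request to a fourth communication device (for example a UDM or an AAA-S) that holds the locally stored authentication information, and turns the second authentication result in the fifth (or sixth) response into the first authentication result carried in the first response. The first communication device then derives from that result which services it provides and which it refuses. Message field names, the UE identifier and the authorization data are constructed for the example; the patent names the messages but not their encoding.

```python
# Constructed authentication information held locally by the fourth
# communication device: UE id -> slice id -> services the UE is authorized for.
AUTH_INFO = {
    "ue-001": {"slice-A": {"svc-video", "svc-iot"}, "slice-B": {"svc-voice"}},
}


def fourth_device_authenticate(fifth_request: dict) -> dict:
    """Fourth communication device (UDM / AAA-S): answer the fifth or sixth
    request with the second authentication result, per slice and per service.
    A slice the UE is not authorized for at all is reported as None."""
    known = AUTH_INFO.get(fifth_request["ue_id"], {})
    second_result = {}
    for slice_id, services in fifth_request["services_by_slice"].items():
        allowed = known.get(slice_id)
        if allowed is None:
            second_result[slice_id] = None
        else:
            second_result[slice_id] = {s: s in allowed for s in services}
    return {"ue_id": fifth_request["ue_id"], "second_result": second_result}


def second_device_handle(first_request: dict,
                         fourth_device=fourth_device_authenticate) -> dict:
    """Second communication device (AUSF / NSSAAF): send the fifth request,
    receive the fifth response, and build the first authentication result
    for the first response. The fourth device is injected so the same code
    works with a UDM, an AAA-S or a local check."""
    fifth_request = {"ue_id": first_request["ue_id"],
                     "services_by_slice": first_request["services_by_slice"]}
    fifth_response = fourth_device(fifth_request)
    first_result = {}
    for slice_id, requested in first_request["services_by_slice"].items():
        per_service = fifth_response["second_result"].get(slice_id)
        if per_service is None:
            # slice not authenticated: every requested service on it fails
            first_result[slice_id] = {"slice_authenticated": False,
                                      "services_ok": [],
                                      "services_failed": sorted(requested)}
        else:
            first_result[slice_id] = {
                "slice_authenticated": True,
                "services_ok": sorted(s for s in requested if per_service.get(s)),
                "services_failed": sorted(s for s in requested
                                          if not per_service.get(s)),
            }
    return {"ue_id": first_request["ue_id"], "first_result": first_result}


def first_device_decide(first_response: dict) -> dict:
    """First communication device (AMF / SMF): from the first response decide
    which services to provide and which to refuse, the split the text's
    third message reports to the terminal device."""
    provide, refuse = {}, {}
    for slice_id, r in first_response["first_result"].items():
        if r["services_ok"]:
            provide[slice_id] = r["services_ok"]
        if r["services_failed"]:
            refuse[slice_id] = r["services_failed"]
    return {"provide": provide, "refuse": refuse}


def demo() -> dict:
    """Constructed first request: two known slices and one unknown slice."""
    first_request = {
        "ue_id": "ue-001",
        "services_by_slice": {"slice-A": ["svc-video", "svc-pay"],
                              "slice-B": ["svc-voice"],
                              "slice-Z": ["svc-video"]},
    }
    return first_device_decide(second_device_handle(first_request))


if __name__ == "__main__":
    print(demo())
```

The refusal list is derived only from what the fourth device positively authorized; anything it did not answer for is treated as failed, so an incomplete or missing response from the authenticating device can never widen what the first device provides.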
It should be noted that, in the above embodiments of the present application, the division of the module is schematic, and is only a logical function division, and in actual implementation, there may be another division manner, and in addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or may exist alone physically, or two or more units are integrated in one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
Based on the same technical concept, the present application further provides a communication device, which may be applied to AMF, SMF, AUSF, NSSAAF, UDM in the communication system shown in fig. 1 to 4, or AAA-S outside the mobile communication system, and may implement the communication method provided in the embodiments and examples of the present application, and has the function of the communication apparatus shown in fig. 17. Referring to fig. 18, the communication device 1800 includes: a communication module 1801, a processor 1802, and a memory 1803. The communication module 1801, the processor 1802, and the memory 1803 are connected to each other.
Optionally, the communication module 1801, the processor 1802, and the memory 1803 are connected to each other through a bus 1804. The bus 1804 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 18, but this does not mean only one bus or one type of bus.
The communication module 1801 is configured to receive and send data, so as to implement communication interaction with other devices. For example, when the communication device 1800 is applied to AMF, SMF, AUSF, NSSAAF, UDM, or AAA-S outside the mobile communication system (in a scenario where the AN device interacts with a network element in a core network), the communication module 1801 may be implemented by a physical interface, a communication module, a communication interface, or AN input/output interface.
In one implementation, the communication device 1800 is applied to a first communication device in the embodiments of the present application (e.g., the first communication device of fig. 5, the first AMF of fig. 8-10, 12, the AMF of fig. 13, or the SMF). Wherein the second communication device comprises at least one of: AUSF, NSSAAF, UDM, or AAA-S outside of said mobile communication system. The processor 1802 is specifically configured to:
sending a first request to the second communication device; the first request may include first service indication information, where the first service indication information may indicate a first service requested by a terminal device, and the first request may request to authenticate whether the terminal device is capable of implementing the first service; receiving a first response from the second communication device; the first response may include an authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service; and determining whether to provide the first service for the terminal equipment or not according to the authentication result.
In one embodiment, the communication device 1800 is applied to the second communication device in the embodiments of the present application (e.g., the second communication device of fig. 5, the AUSF and/or UDM of fig. 8, the AUSF and/or UDM/ARPF of fig. 9, the NSSAAF and/or AAA-S of fig. 10, the AUSF and/or UDM of fig. 12, the AAA-S of the DN of fig. 13, the NSSAAF and/or AAA-S of fig. 16), and the first communication device may include at least one of the following: an AMF and an SMF. The processor 1802 is specifically configured to:
receive a first request from a first communication device in the mobile communication system; the first request comprises first service indication information, the first service indication information is used for indicating a first service requested by a terminal device, and the first request is used for requesting authentication of whether the terminal device can implement the first service;
authenticate whether the terminal device can implement the first service;
send a first response to the first communication device; the first response includes a first authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service, and the first authentication result is used by the first communication device to determine whether to provide the first service for the terminal device.
For specific functions of the processor 1802, reference may be made to the descriptions in the communication method provided in the embodiments and examples of the present application and the description of the specific functions of the communication apparatus 1700 in the embodiments of the present application shown in fig. 17, which are not described herein again.
The memory 1803 is used for storing program instructions, data, and the like. In particular, the program instructions may include program code comprising computer operational instructions. The memory 1803 may include a Random Access Memory (RAM) and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory. The processor 1802 executes the program instructions stored in the memory 1803, and uses the data stored in the memory 1803 to implement the above functions, thereby implementing the communication method provided in the embodiment of the present application.
It will be appreciated that the memory 1803 in FIG. 18 can be either volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory can be a random access memory (RAM), which acts as an external cache memory. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
Based on the above embodiments, the present application further provides a computer program, which, when running on a computer, causes the computer to execute the communication method provided by the above embodiments.
Based on the above embodiments, the present application also provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a computer, the computer program causes the computer to execute the communication method provided by the above embodiments.
Storage media may be any available media that can be accessed by a computer. By way of example, and not limitation: computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
Based on the above embodiments, the embodiments of the present application further provide a chip, where the chip is used to read a computer program stored in a memory, and implement the communication method provided by the above embodiments.
Based on the foregoing embodiments, an embodiment of the present application provides a chip system, where the chip system includes a processor and is used to support a computer device in implementing functions related to service equipment, forwarding equipment, or site equipment in the foregoing embodiments. In one possible design, the chip system further includes a memory for storing programs and data necessary for the computer device. The chip system may consist of a chip, or may include a chip and other discrete devices.
To sum up, the embodiments of the present application provide a communication method, apparatus, and system. In the method, a first communication device in a mobile communication system may request authentication of whether a first service can be implemented by a terminal device by sending a first request to a second communication device; after receiving the authentication result from the second communication device, the first communication device may determine, according to the authentication result, whether to provide the first service for the terminal device. By this scheme, the first communication device obtains an authentication result indicating whether the terminal device can implement the requested service, and according to that result the mobile communication system in which the first communication device is located provides the terminal device with the services that were successfully authenticated and withholds the services that failed authentication, so that the security of data transmission can be improved.
In the embodiments of the present application, unless otherwise specified or conflicting with respect to logic, the terms and/or descriptions in different embodiments have consistency and may be mutually cited, and technical features in different embodiments may be combined to form a new embodiment according to their inherent logic relationship.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (24)

1. A communication method applied to a first communication device in a mobile communication system, the method comprising:
sending a first request to a second communication device; the first request comprises first service indication information, the first service indication information is used for indicating a first service requested by a terminal device, and the first request is used for requesting authentication of whether the terminal device can implement the first service;
receiving a first response from the second communication device; the first response comprises an authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service;
and determining, according to the authentication result, whether to provide the first service for the terminal device.
2. The method of claim 1, wherein prior to sending the first request to the second communication device, the method further comprises:
receiving a second request from a third communication device; wherein the second request includes the first service indication information; the second request is a registration request or a first session establishment request.
3. The method of claim 2, wherein the first service comprises at least one service, and wherein the authentication result comprises: the terminal device can implement a second service in the first service; when the second request is the registration request, the first communication device is an access and mobility management function (AMF), the second communication device is an authentication server function (AUSF) and/or a network slice-specific authentication and authorization function (NSSAAF), and the third communication device is the terminal device or an access network (AN) device accessed by the terminal device; after receiving the first response from the second communication device, the method further comprises:
sending a first message to a unified data management, UDM, wherein the first message comprises: second service indication information for indicating the second service;
receiving a second session establishment request from the terminal equipment or AN equipment accessed by the terminal equipment; the second session establishment request comprises third service indication information, and the third service indication information is used for indicating a third service requested to be executed by the terminal equipment;
and sending a third request to the SMF according to the second session establishment request, wherein the third request includes the third service indication information, and the third request is used for requesting the SMF to accept or reject the second session establishment request according to the second service indication information and the third service indication information acquired from the UDM.
4. The method of claim 2, wherein the first service comprises at least one service, and wherein the authentication result comprises: the terminal device can implement a second service in the first service; when the second request is the registration request, the first communication device is an AMF, the second communication device is an AUSF and/or an NSSAAF, and the third communication device is the terminal device or an AN device accessed by the terminal device; after receiving the first response from the second communication device, the method further comprises:
second service indication information used for indicating the second service is saved;
receiving a second session establishment request from the terminal equipment or AN equipment accessed by the terminal equipment; the second session establishment request comprises third service indication information, and the third service indication information is used for indicating a third service requested to be executed by the terminal equipment;
and when the second service which can be realized by the terminal equipment comprises the third service, accepting the second session establishment request, otherwise, rejecting the second session establishment request.
5. The method of claim 2, wherein when the second request is the registration request, the first communication device is an AMF, the second communication device is an NSSAAF, the third communication device is the terminal device or an AN device accessed by the terminal device, and the second request further comprises: first network slice indication information; the first network slice indication information is used for indicating a first network slice which the terminal device requests to access;
the first request further comprises: the first network slice indication information;
the authentication result is obtained by the second communication device authenticating whether the terminal device can realize the first service on the first network slice.
6. The method of claim 5, wherein the first service comprises at least one service, wherein the first network slice comprises at least one network slice, and wherein the authentication result comprises: the terminal device can implement a fourth service in the first services on a second network slice in the first network slice; after receiving the first response from the second communication device, the method further comprises:
sending a second message to the UDM; wherein the second message comprises: second network slice indication information and fourth service indication information, wherein the second network slice indication information is used for indicating the second network slice, and the fourth service indication information is used for indicating the fourth service that the terminal device can implement on the second network slice;
receiving a third session establishment request from the terminal equipment or AN equipment accessed by the terminal equipment; the third session establishment request includes third network slice indication information and fifth service indication information, where the third network slice indication information is used to indicate a third network slice, and the fifth service indication information is used to indicate that the terminal device requests a fifth service executed on the third network slice;
and sending a fourth request to the SMF according to the third session establishment request, wherein the fourth request includes the third network slice indication information and the fifth service indication information, and the fourth request is used for requesting the SMF to accept or reject the second session establishment request according to the second network slice indication information and the fourth service indication information, and the third network slice indication information and the fifth service indication information, which are obtained from the UDM.
7. The method of claim 5, wherein the first service comprises at least one service, wherein the first network slice comprises at least one network slice, and wherein the authentication result comprises: the terminal device can implement a fourth service in the first services on a second network slice in the first network slice; after receiving the first response from the second communication device, the method further comprises:
saving second network slice indication information and fourth service indication information, wherein the second network slice indication information is used for indicating the second network slice, and the fourth service indication information is used for indicating the fourth service which can be realized by the terminal equipment on the second network slice;
receiving a third session establishment request from the terminal equipment or AN equipment accessed by the terminal equipment; the third session establishment request comprises third network slice indication information and fifth service indication information, wherein the third network slice indication information is used for indicating a third network slice, and the fifth service indication information is used for indicating the terminal equipment to request a fifth service executed on the third network slice;
and when the second network slice comprises the third network slice and the fourth service comprises the fifth service, accepting the third session establishment request, otherwise, rejecting the third session establishment request.
8. The method of any of claims 2 to 7, wherein the second request further comprises at least one of:
the first indication information and the second indication information,
the first indication information is used for indicating whether the terminal device needs to be authenticated by the first service, and the second indication information is used for indicating a communication device executing authentication processing.
9. The method of any of claims 1 to 8, wherein when the first communication device is an AMF or an SMF, before sending the first request to the second communication device, the method further comprises:
determining the second communication device according to the first service indication information; wherein the second communication device is at least one of an AUSF, an NSSAAF, a UDM, or an AAA server outside the mobile communication system.
10. The method of any of claims 1 to 9, wherein after receiving the first response from the second communication device when the first communication device is an AMF or an SMF, the method further comprises:
sending a third message to the terminal equipment according to the authentication result; wherein the third message comprises at least one of:
sixth service indication information for indicating a service that can be implemented by the terminal device;
seventh service indication information for indicating a service that the terminal device cannot implement;
fourth network slice indicating information for indicating a network slice accessible to the terminal device, and eighth service indicating information for indicating a service that the terminal device can implement on the network slice;
fifth network slice indication information for indicating a network slice that the terminal device can access, and ninth service indication information for indicating a service that the terminal device cannot implement on the network slice;
sixth network slice indication information for indicating a network slice that the terminal device cannot access, and tenth service indication information for indicating a service requested by the terminal device on the network slice.
11. The method of any of claims 1 to 10, wherein after receiving the first response from the second communication device when the first communication device is the AMF, the method further comprises:
sending a fourth message to the terminal device; the fourth message is used for triggering the terminal device to authenticate whether the terminal device can realize the first service in the mobile communication system according to authentication information stored locally, wherein the authentication information comprises service authentication information.
12. The method according to any of claims 1 to 11, wherein the first service indication information comprises at least one of:
the identification of the first service, the indication information of the type of the first service, and the indication information of the provider of the first service.
13. A communication method, applied to a second communication device, the method comprising:
receiving a first request from a first communication device in a mobile communication system; the first request comprises first service indication information, the first service indication information is used for indicating a first service requested by a terminal device, and the first request is used for requesting authentication of whether the terminal device can implement the first service;
authenticating whether the terminal device can implement the first service;
sending a first response to the first communication device; the first response includes a first authentication result obtained by the second communication device authenticating whether the terminal device can implement the first service, and the first authentication result is used by the first communication device to determine whether to provide the first service for the terminal device.
14. The method of claim 13, wherein the authenticating whether the terminal device is capable of implementing the first service comprises:
sending a fifth request to the fourth communication device; wherein the fifth request comprises: the fifth request is used for requesting the fourth communication device to authenticate whether the terminal device can implement the first service or not;
receiving a fifth response from the fourth communication device; the fifth response comprises a second authentication result obtained by the fourth communication device authenticating whether the terminal device can implement the first service;
and authenticating, according to the second authentication result, whether the terminal device can implement the first service, to obtain the first authentication result.
15. The method of claim 13,
the first request further comprises: first network slice indication information, wherein the first network slice indication information is used for indicating a first network slice which the terminal device requests to access;
authenticating whether the terminal device can implement the first service comprises: authenticating whether the terminal device can implement the first service on the first network slice;
the first authentication result is obtained by the second communication device authenticating whether the terminal device can realize the first service on the first network slice.
16. The method of claim 15, wherein the authenticating whether the terminal device is capable of implementing the first service comprises:
sending a sixth request to the fourth communication device; wherein the sixth request comprises: the sixth request is used for requesting the fourth communication device to authenticate whether the terminal device can realize the first service on the first network slice;
receiving a sixth response from the fourth communication device; the sixth response comprises a second authentication result obtained by the fourth communication device authenticating whether the terminal device can realize the first service on the first network slice;
and according to the second authentication result, authenticating whether the terminal equipment can realize the first service to obtain the first authentication result.
17. The method according to claim 14 or 16,
the second communication device is an authentication server function (AUSF), and the fourth communication device is a unified data management (UDM); or
the second communication device is a network slice-specific authentication and authorization function (NSSAAF), and the fourth communication device is an authentication, authorization and accounting (AAA) server outside the mobile communication system.
18. The method according to any one of claims 13 to 17, wherein the authenticating whether the terminal device can implement the first service further comprises:
and authenticating, according to locally stored authentication information, whether the terminal device can implement the first service in the mobile communication system, wherein the authentication information comprises service authentication information.
19. The method according to any of claims 13 to 18, wherein the first service indication information comprises at least one of:
the identification of the first service, the indication information of the type of the first service, and the indication information of the provider of the first service.
20. A communication apparatus applied to a first communication device, comprising:
a communication unit for receiving and transmitting data;
a processing unit for performing the method of any one of claims 1-12 by means of the communication unit.
21. A communication apparatus, applied to a second communication device, comprising:
a communication unit for receiving and transmitting data;
a processing unit for performing the method of any one of claims 13-19 by means of the communication unit.
22. A communication system, comprising:
a first communications device for implementing the method of any one of claims 1-12;
a second communication device for implementing the method of any one of claims 13-19.
23. A computer-readable storage medium, in which a computer program is stored which, when run on a computer, causes the computer to carry out the method of any one of claims 1-19.
24. A chip, wherein the chip is coupled to a memory, and wherein the chip reads a computer program stored in the memory and performs the method of any one of claims 1-19.
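As an added illustration (constructed here, not code from the patent), the following Python model plays out the exchange of claims 1, 4, 7 and 13: the AMF sends the first request carrying service and network slice indication information, the NSSAAF/AUSF role answers with which (slice, service) pairs authenticated successfully, and the AMF stores that result and later accepts or rejects session establishment requests against it, rejecting by default anything that was never authenticated. The subscription table, identifiers and class names are assumptions; the UDM/SMF variant of claims 3 and 6 differs only in where the stored result lives.

```python
"""Constructed model of the service-authentication exchange in the claims.

Not the patent's own code. An AMF (first communication device) asks an
NSSAAF/AUSF (second communication device) whether a UE may implement the
requested services on the requested network slices, keeps the first
response, and enforces it on later session establishment requests.
"""
from dataclasses import dataclass

Pair = tuple[str, str]  # (network slice id, service id), both constructed


@dataclass(frozen=True)
class FirstRequest:
    """First request: service indication + network slice indication."""
    ue_id: str
    requested: frozenset[Pair]


@dataclass(frozen=True)
class FirstResponse:
    """First response: which requested pairs authenticated, which failed.
    'allowed' maps to the fourth network slice / eighth service indication
    of claim 10, 'rejected' to the fifth slice / ninth service indication."""
    ue_id: str
    allowed: frozenset[Pair]
    rejected: frozenset[Pair]


@dataclass(frozen=True)
class SessionEstablishmentRequest:
    """Third session establishment request of claim 7."""
    ue_id: str
    slice_id: str
    service_id: str


class AuthServer:
    """Second communication device (NSSAAF/AUSF role), backed by a constructed
    entitlement table: ue_id -> set of (slice, service) the UE may use."""

    def __init__(self, entitlements: dict[str, set[Pair]]):
        self._entitlements = entitlements

    def authenticate(self, req: FirstRequest) -> FirstResponse:
        entitled = self._entitlements.get(req.ue_id, set())
        allowed = frozenset(p for p in req.requested if p in entitled)
        return FirstResponse(req.ue_id, allowed, req.requested - allowed)


class AMF:
    """First communication device. Stores the authentication result itself
    (the 'saving' variant of claims 4 and 7) and enforces it on sessions."""

    def __init__(self, auth: AuthServer):
        self._auth = auth
        self._granted: dict[str, frozenset[Pair]] = {}

    def register(self, ue_id: str, requested: set[Pair]) -> FirstResponse:
        """Registration path: send the first request, keep the first response."""
        resp = self._auth.authenticate(FirstRequest(ue_id, frozenset(requested)))
        self._granted[ue_id] = resp.allowed
        return resp

    def establish_session(self, req: SessionEstablishmentRequest) -> bool:
        """Accept only when the (slice, service) pair was authenticated at
        registration. Unknown UEs and unauthenticated pairs are rejected,
        so a service that failed authentication is never provided."""
        granted = self._granted.get(req.ue_id, frozenset())
        return (req.slice_id, req.service_id) in granted


def demo() -> dict[str, bool]:
    """Run the exchange on constructed data and return each session verdict."""
    # Constructed subscription: ue-1 may use video on slice-A and iot on
    # slice-B. It asks for iot on slice-A too, which must be refused.
    server = AuthServer({"ue-1": {("slice-A", "video"), ("slice-B", "iot")}})
    amf = AMF(server)
    amf.register("ue-1", {("slice-A", "video"), ("slice-A", "iot"),
                          ("slice-B", "iot")})
    ask = SessionEstablishmentRequest
    return {
        "video_on_A": amf.establish_session(ask("ue-1", "slice-A", "video")),
        "iot_on_A": amf.establish_session(ask("ue-1", "slice-A", "iot")),
        "iot_on_B": amf.establish_session(ask("ue-1", "slice-B", "iot")),
        "unregistered_ue": amf.establish_session(ask("ue-2", "slice-A", "video")),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```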

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111130972.9A CN115884177A (en) 2021-09-26 2021-09-26 Communication method, device and system
PCT/CN2022/103065 WO2023045472A1 (en) 2021-09-26 2022-06-30 Communication method, apparatus and system


Publications (1)

Publication Number Publication Date
CN115884177A true CN115884177A (en) 2023-03-31


Legal Events

Date Code Title Description
PB01 Publication