CN115913964A - Network slice determining method, system, network device and storage medium - Google Patents


Publication number
CN115913964A
Authority
CN
China
Prior art keywords
slice
app
network
target
identifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211367324.XA
Other languages
Chinese (zh)
Inventor
李金慧
王锦华
黄铖斌
张越
王骞然
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Corp Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The present disclosure relates to a network slice determining method, a system, a network device and a storage medium, and relates to the technical field of communications. The method comprises: when a target application APP initiates an access request, user equipment (UE) determines, from a preset NSSP policy and based on the application APP ID and the corresponding security identifier carried in the access request, the slice identifier S-NSSAI of the target network slice that the target application APP should access, wherein the security identifier is generated by a Policy Control Function (PCF) network element according to a slice subscription request of an application server, and the preset NSSP policy represents the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI; and the UE forwards the access traffic of the target application APP to the target User Plane Function (UPF) network element indicated by the slice identifier S-NSSAI. In this way, adding the security identifier strengthens the NSSP policy in the URSP rule, ensures that a subscribed APP can access its corresponding slice, prevents non-subscribed APPs from accessing that slice, and achieves APP-level secure slice transmission and detection.

Description

Network slice determining method, system, network device and storage medium
Technical Field
The disclosed embodiments relate to the field of communications technologies, and in particular, to a method, a system, a network device, and a storage medium for determining a network slice.
Background
The Network Slice Selection Policy (NSSP) in the UE Route Selection Policy (URSP) of a terminal specifies that an application identifier (APP ID) is used to map to the network slice (NS) to be accessed; that is, the network slice that an APP in the terminal accesses is selected according to the correspondence between the APP ID in the NSSP policy and the single network slice selection assistance information (S-NSSAI). However, since the APP ID is not a security identifier and is filled in by an APP or a service on the terminal, the APP ID may be spoofed. For example, if the UE downloads a second application (possibly a malicious APP) from a different app store and its APP ID is the same as that of a first application, the UE will transmit the second application's traffic over the slice corresponding to the first application according to the NSSP policy in the URSP rule in the terminal. This may undermine the operator network's ability to provide a differentiated service mechanism for subscribed and non-subscribed APPs through network slicing.
In other words, because the APP ID is not a secure identifier and is filled in by an APP or a service on the terminal, problems such as APP ID spoofing exist: a malicious application can tamper with the APP ID information, which results in traffic from non-subscribed APPs being transmitted in the slice.
It is noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure, and therefore may include information that does not constitute prior art already known to a person of ordinary skill in the art.
Disclosure of Invention
To overcome the problems in the related art, the present disclosure provides a network slice determining method, system, network device, and storage medium.
According to an aspect of the present disclosure, there is provided a network slice determining method, the method including:
when a target application APP initiates an access request, the user equipment (UE) determines, from a preset NSSP policy and based on the application APP ID and the corresponding security identifier carried in the access request, the slice identifier S-NSSAI of the target network slice that the target application APP should access; the security identifier is generated by a policy control function PCF network element according to a slice subscription request of an application server, and the preset NSSP policy represents the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI;
and the user equipment UE forwards the access traffic of the target application APP to the target user plane function UPF network element indicated by the slice identifier S-NSSAI.
Optionally, the method further includes:
in response to a network slice subscription request of an application server for the target application APP, the PCF network element determines, based on network slice subscription related information, the slice identifier S-NSSAI of the target network slice that the target application APP should access and the security identifier corresponding to the application APP ID;
and the PCF network element returns the application APP ID and the corresponding security identifier to the application server.
Optionally, the method further includes:
the PCF network element establishes the preset NSSP policy based on the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI.
Optionally, the method further includes:
the PCF network element sends the preset NSSP policy to the user equipment UE.
Optionally, the method further includes:
the user equipment UE detects, according to the preset NSSP policy issued by the PCF network element, whether the security identifier carried in the access request or access traffic of the target application APP is valid information;
if the security identifier is valid information, the user equipment UE performs the operation of determining, from the preset NSSP policy and based on the application APP ID and the corresponding security identifier, the target slice S-NSSAI that the access traffic of the target application APP should access;
and if the security identifier is not valid information, or there is no security identifier, the user equipment UE refuses to let the traffic of the target application APP access the target slice S-NSSAI.
According to an aspect of the present disclosure, there is provided a network slice determination system, the system comprising:
user equipment (UE), configured to: when a target application APP initiates an access request, determine, from a preset NSSP policy and based on the application APP ID and the corresponding security identifier carried in the access request, the slice identifier S-NSSAI of the target network slice that the target application APP should access, wherein the security identifier is generated by a policy control function PCF network element according to a slice subscription request of an application server, and the preset NSSP policy represents the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI; and forward the access traffic of the target application APP to the target user plane function UPF network element indicated by the slice identifier S-NSSAI.
Optionally, the system further includes:
the PCF network element, which, in response to a network slice subscription request of an application server for the target application APP, performs a network slice instantiation operation and determines, based on network slice subscription related information, the slice identifier S-NSSAI of the target network slice that the target application APP should access and the security identifier corresponding to the application APP ID; and returns the application APP ID and the corresponding security identifier to the application server.
Optionally, the system further includes:
the PCF network element establishes the preset NSSP policy based on the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI.
Optionally, the system further includes:
the PCF network element issues the preset NSSP policy to the user equipment UE.
Optionally, the system further includes:
the user equipment UE detects, according to the preset NSSP policy issued by the PCF network element, whether the security identifier carried in the access request or access traffic of the target application APP is valid information; if the security identifier is valid information, the UE performs the operation of determining, from the preset NSSP policy and based on the application APP ID and the corresponding security identifier, the target slice S-NSSAI that the access traffic of the target application APP should access; and if the security identifier is not valid information, or there is no security identifier, the user equipment UE refuses to let the traffic of the target application APP access the target slice S-NSSAI.
According to an aspect of the present disclosure, there is provided a network device including:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform any of the network slice determination methods described above via execution of the executable instructions.
According to an aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the network slice determination method of any one of the above.
In summary, in the network slice determining method provided in the embodiment of the present invention, when a target application APP initiates an access request, the user equipment UE determines, from a preset NSSP policy and based on the APP ID and the corresponding security identifier carried in the access request, the slice identifier S-NSSAI of the target network slice that the target APP should access, where the security identifier is generated by a policy control function PCF network element according to a slice subscription request of an application server and the preset NSSP policy represents the correspondence among the APP ID, the security identifier and the slice identifier S-NSSAI; the user equipment UE then forwards the access traffic of the target APP to the target user plane function UPF network element indicated by the slice identifier S-NSSAI. In this way, by adding the security identifier, on the one hand the NSSP policy in the URSP rule is strengthened: a subscribed APP is guaranteed access to its corresponding slice and non-subscribed APPs are prevented from accessing that slice, which achieves APP-level secure slice transmission and detection and also prevents the problem that, because of APP ID spoofing, the operator cannot provide differentiated security service guarantees for different application APPs through subscribed network slices. On the other hand, the session request does not need to be transmitted to the core network UPF, which improves the efficiency of network slice detection.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 schematically illustrates an architecture diagram of a wireless communication system provided by an embodiment of the present disclosure;
Fig. 2 schematically illustrates a flowchart of steps of a network slice determination method provided by an embodiment of the present disclosure;
Fig. 3 schematically illustrates a flowchart of steps of assigning a slice identifier according to an embodiment of the present disclosure;
Fig. 4 schematically illustrates a network slice determination process provided by an embodiment of the present disclosure;
Fig. 5 schematically illustrates a network slice determination provided by an embodiment of the present disclosure;
Fig. 6 schematically illustrates a structural diagram of a network device provided in an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In order to facilitate understanding of the technical solutions of the embodiments of the present application, a brief description of the related art of the present application is first given as follows:
Network slice (NS), which may also be referred to as a slice network or simply a slice, refers to different logical networks customized on a physical or virtual network infrastructure according to the service requirements of different tenants. A network slice may be a complete end-to-end network including user equipment (UE), an access network, a transmission network, a core network and a service server; or it may include only a core network, assisted by the UE, access network, transmission network and service server. It can provide a complete communication service and has a certain network capability. A network slice may be a communication resource that ensures that a bearer service or a service can meet a service level agreement requirement, or may be considered a combination of the network functions and communication resources required to complete one or more communication services. A network slice may be identified by single network slice selection assistance information (S-NSSAI). The S-NSSAI is composed of a slice/service type (SST) and a slice differentiator (SD). SST and SD may be defined by a standard or customized by an operator; SD is optional information that supplements SST to distinguish multiple network slices of the same SST, and may be used, for example, to characterize the affiliation of a network slice. The types and functions of NSSAI as defined in the 23.501 standard are shown in Table 1 below.
TABLE 1
[Table 1 appears as an image in the original publication and is not reproduced in this text.]
In addition, after the introduction of slice authentication and authorization, there is also a type of NSSAI to be allowed, which may be referred to as pending NSSAI or as NSSAI requiring authentication and authorization. After the pending NSSAI has been authenticated and authorized, it may be included in the allowed NSSAI; that is, the UE may be allowed to access it.
Protocol Data Unit (PDU) session: an association between the UE and a data network that provides a PDU connectivity service. Within a communication system, such as a 5G network or a 5G communication system, a PDU session may contain one or more quality of service (QoS) flows. A QoS flow refers to a data transmission channel of a UE in the communication system (e.g., in a 5G network or a 5G communication system) that meets a specific QoS requirement, and may be identified by a QoS Flow Identity (QFI). On the UE and network side, a PDU session may contain the following attribute information: a Data Network Name (DNN), address information (such as an Internet Protocol (IP) address, a Media Access Control (MAC) address, etc.), S-NSSAI, a Service and Session Continuity (SSC) mode, etc. A PDU session is typically identified by a PDU session identity, which may be assigned by the UE.
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Fig. 1 is a schematic diagram of a communication system architecture according to an embodiment of the present application. As shown in fig. 1, the communication system includes: UE, radio access network (RAN/AN) and core network. Further, the communication system may further include a Data Network (DN), where the DN may refer to a service network providing data transmission service for the user, such as an IP Multimedia Service (IMS), an internet (internet), and the like.
The UE may be a Terminal Equipment (TE), a handheld terminal, a notebook, a subscriber unit (subscriber unit), a cellular phone (cellular phone), a smart phone (smart phone), a wireless data card, a Personal Digital Assistant (PDA) computer, a tablet computer, a vehicle terminal, a wearable device, a wireless modem (modem), a handheld device (hand-held), a laptop computer (laptop computer), a cordless phone (cordless phone), a Wireless Local Loop (WLL) station, a Machine Type Communication (MTC) terminal, or other devices that can access a network. The UE and the access network equipment adopt a certain air interface technology to communicate with each other.
In addition, the access network is used to implement wireless access-related functions, and may include a third generation partnership project (3GPP) access network and a non-3GPP access network. The access network device may refer to a device providing access service for the UE, and includes a RAN device and an AN device. The RAN device is mainly a wireless network device in a 3GPP network, and the AN may be an access network device defined by non-3GPP. The RAN device is mainly responsible for functions such as radio resource management, quality of service (QoS) management, and data compression and encryption on the air interface side. The RAN equipment may include various forms of base stations, such as macro base stations, micro base stations (also referred to as small stations), relay stations, access points, etc. In systems using different radio access technologies, the names of devices with base station functions may vary: in the fifth generation (5G) system, they are referred to as RAN or gNB (5G NodeB); in an LTE system, as an evolved Node B (eNB or eNodeB); in third generation (3G) systems, as Node Bs, etc. The AN device allows interworking between the UE and the 3GPP core network using non-3GPP technologies, such as wireless fidelity (Wi-Fi), Worldwide Interoperability for Microwave Access (WiMAX), Code Division Multiple Access (CDMA) networks, and the like.
Furthermore, the core network may include the following logical network elements: a Session Management Function (SMF) network element, an Access and Mobility Management Function (AMF) network element, an Authentication Server Function (AUSF) network element, a User Plane Function (UPF) network element, an Application Function (AF) network element, a Unified Data Management (UDM) network element, a Policy Control Function (PCF) network element, a Network Repository Function (NRF) network element, a Network Exposure Function (NEF) network element, and a Network Slice Selection Function (NSSF) network element, among others. The functions of the different core network elements are described below.
SMF network element: a core network control plane network element, which is mainly responsible for session management in the mobile network, such as session establishment, modification and release; the specific functions include allocating an IP address to a user, selecting a UPF providing a message forwarding function, and the like.
AMF network element: the core network control plane network element is mainly responsible for mobility management in a mobile network, such as user location update, user registration network, user handover, and the like.
AUSF network element: the core network control plane network element is a control plane network element provided by an operator, and is used for performing authentication, for example, for performing authentication of a subscriber of the 3GPP network.
UPF network element: the core network user plane network element is used for forwarding and receiving user data in the UE, receiving the user data from the DN and transmitting the user data to the UE through the access network equipment; the UPF network element may also receive user data from the UE via the access network device and forward the user data to the DN.
AF network element: mainly supports interaction with the 3GPP core network to provide services, such as influencing data routing decisions, policy control functions, or providing some third-party services to the network side.
UDM network element: a core network control plane network element used for storing user subscription data, generating authentication credentials, processing user identifiers (for example, storing and managing a user permanent identity), access authorization control, subscription data management, and the like.
PCF network element: a core network control plane network element that mainly supports providing a unified policy framework to control network behavior, provides policy rules for control plane network functions, and is responsible for acquiring user subscription information related to policy decisions.
NRF network element: a core network control plane network element used for supporting the service discovery function and for maintaining information about the available network function network elements and the services they support.
NEF network element: a core network control plane network element mainly responsible for exposing mobile network capabilities externally.
NSSF network element: the core network control plane network element is mainly used for a slicing service of 5G, for example, is responsible for selecting a target Network Slice Instance (NSI). Optionally, the NSSF network element may also be replaced with a Network Slice Specific Authentication and Authorization Function (NSSAAF) network element.
Optionally, in order to implement the functions related to authentication and authorization for the slice, a network slice-specific authentication and authorization function (NSSAAF) network element may be introduced.
In the communication system shown in Fig. 1, the UE may communicate with the AMF network element through an N1 interface, the (R)AN device may communicate with the AMF network element through an N2 interface, the (R)AN device may communicate with the UPF network element through an N3 interface, and the UPF network element may communicate with the DN through an N4 interface. In addition, the network elements in the core network may communicate through service-based interfaces, which may include, for example: the Nnssf interface, the Nnef interface, the Nnrf interface, the Npcf interface, the Nudm interface, the Naf interface, the Nausf interface, the Namf interface, the Nnsm interface and the like. It is to be understood that in the communication system shown in Fig. 1, the functions and interfaces of the network elements are only exemplary, and not all the functions of the network elements are necessary when the network elements are applied to the embodiments of the present application.
Further, in the present application, the communication system may further include an Authentication, Authorization and Accounting (AAA) server, which may also be referred to as AAA-S. The AAA-S may communicate with the AMF network element through an intermediate network element that supports communication between the AAA-S and the AMF network element, where the intermediate network element may be an AUSF network element, a NEF network element, an NSSAAF network element, or another network element used for authentication and authorization procedures. Optionally, the communication system may further include an authentication, authorization and accounting proxy (AAA-P). When the AAA-S communicates with the AMF network element, the AAA-S may first communicate with the AAA-P, and the AAA-P sends the communication information of the AAA-S to the AMF network element through an intermediate network element such as an AUSF network element, a NEF network element or an NSSAAF network element; similarly, the AMF network element sends communication information to the AAA-P through an intermediate network element such as an AUSF network element, a NEF network element or an NSSAAF network element, and the AAA-P sends the communication information to the AAA-S.
Fig. 2 schematically illustrates a flowchart of steps of a network slice determining method provided by an embodiment of the present disclosure, and as shown in fig. 2, the method may include:
Step S101: when a target application APP initiates an access request, the user equipment (UE) determines, from a preset NSSP policy and based on the application APP ID and the corresponding security identifier carried in the access request, the slice identifier S-NSSAI of the target network slice that the target application APP should access; the security identifier is generated by a policy control function PCF network element according to a slice subscription request of an application server, and the preset NSSP policy represents the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI.
In the embodiment of the disclosure, when an application service vendor develops an application, a unique application APP ID is set for each application. So that the application can use the network normally, the application service vendor may further send a network slice subscription application for the application to a policy control function PCF network element; accordingly, the PCF network element may return the information of the slice to be accessed and the security identifier allocated to the application. The user equipment UE then downloads or updates the target application APP from an application server, and the target application APP carries the application APP ID and the corresponding security identifier. The security identifier may be allocated and determined for the target APP by the PCF network element. It may be generated according to the time source of the slice application for the APP ID, may be generated according to a Message Authentication Code (MAC), or may be a random number set according to other conditions, which is not limited in this disclosure.
In the embodiment of the present disclosure, when the target APP initiates an access request, that is, a networking request, the user equipment UE may determine, from a preset NSSP policy and according to the APP ID and the corresponding security identifier, the target slice identifier S-NSSAI that the target APP should access. The preset NSSP policy may be used to represent the correspondence among the APP ID, the security identifier and the slice identifier S-NSSAI; that is, the slice identifier that the application APP should access may be determined by looking up the APP ID and the security identifier.
Step S102: the user equipment UE forwards the access traffic of the target application APP to the target user plane function UPF network element indicated by the slice identifier S-NSSAI.
In the embodiment of the present disclosure, the target UPF network element indicated by the slice identifier S-NSSAI may be determined first, and then the user equipment UE directly forwards the access request traffic of the target application APP to the target UPF network element, so that the target application APP accesses the target slice and establishes a communication connection with the target UPF network element.
In summary, in the network slice determining method provided in the embodiment of the present invention, when a target application APP initiates an access request, the user equipment UE determines, from a preset NSSP policy and based on the APP ID and the corresponding security identifier carried in the access request, the slice identifier S-NSSAI of the target network slice that the target APP should access, where the security identifier is generated by a policy control function PCF network element according to a slice subscription request of an application server and the preset NSSP policy represents the correspondence among the APP ID, the security identifier and the slice identifier S-NSSAI; the user equipment UE then forwards the access traffic of the target APP to the target user plane function UPF network element indicated by the slice identifier S-NSSAI. In this way, by adding the security identifier, on the one hand the NSSP policy in the URSP rule is strengthened: a subscribed APP is guaranteed access to its corresponding slice and non-subscribed APPs are prevented from accessing that slice, which achieves APP-level secure slice transmission and detection and also prevents the problem that, because of APP ID spoofing, the operator cannot provide differentiated security service guarantees for different application APPs through subscribed network slices. On the other hand, the session request does not need to be transmitted to the core network UPF, which improves the efficiency of network slice detection.
Optionally, in the slice determining method according to the embodiment of the present disclosure, as shown in fig. 3, the method may further include:
Step S201, in response to a network slice subscription request of the application server for the target application APP, the PCF network element performs a network slice instantiation operation and determines, based on network slice subscription related information, the slice identifier S-NSSAI of the target network slice to which the target application APP should be accessed and the security identifier corresponding to the application APP ID.
In the embodiment of the present disclosure, the PCF network element of the operator 5G core network may receive a network slice subscription request for a target application APP sent by an application server. In response to the network slice subscription request, the PCF network element performs an instantiation operation on a network slice to determine the network slice to which the target application APP should be accessed, and, based on the slice subscription request carrying the application APP ID of the target application APP and the slice identifier S-NSSAI of the network slice to which the target application APP should be accessed, the PCF network element generates a security identifier corresponding to the application APP ID of the target application APP.
Step S202, the PCF network element returns the application APP ID and the corresponding security identifier to the application server.
In the embodiment of the present disclosure, the PCF network element may return the security identifier corresponding to the application APP ID to the application server, so that the application server configures the security identifier into the target application APP and associates it with the application APP ID, thereby preventing other APPs from counterfeiting the application APP ID.
Optionally, the method for determining a network slice in the embodiment of the present disclosure may further include:
and the PCF network element establishes the preset NSSP policy based on the correspondence among the application APP ID, the security identifier and the target slice identifier S-NSSAI.
In the embodiment of the present disclosure, the PCF network element may establish a corresponding relationship association table according to the APP ID of each APP, the corresponding security identifier, and the allocated slice identifier S-NSSAI that should be accessed to the network slice, so as to generate the preset NSSP policy. For example, the preset NSSP policy may indicate the following content in table 1, where the APP id1 corresponding to the target application APP1 is identified as 1, the allocated network slice identifier is S-NSSAI1, the APP id2 corresponding to the target application APP2 is identified as 2, and the allocated network slice identifier is S-NSSAI2.
TABLE 1 (table image not reproduced)
Optionally, the method for determining a network slice in the embodiment of the present disclosure may further include:
and the PCF issues the preset NSSP policy to the user equipment UE.
In the embodiment of the present disclosure, the PCF network element may return the application ID of the target application APP and the corresponding security identifier to the application server, and the PCF network element issues the established preset NSSP policy to the UE. When a target application APP initiates an access request, UE determines a target slice identifier S-NSSAI to which the target application APP should be accessed from a preset NSSP strategy based on an application APP ID and a corresponding security identifier.
Optionally, the method for determining a network slice in the embodiment of the present disclosure may further include:
the user equipment UE detects, according to the preset NSSP policy issued by the PCF network element, whether the security identifier carried in the access request or access traffic of the target application APP is valid information; if the security identifier is valid information, the user equipment UE executes the operation of determining, from the preset NSSP policy, the target slice S-NSSAI to which the access traffic of the target application APP should be accessed, based on the application APP ID and the corresponding security identifier; and if the security identifier is not valid information or there is no security identifier, the user equipment UE refuses to let the access traffic of the target application APP access the target network.
In the embodiment of the present disclosure, the user equipment UE may detect whether the security identifier carried in the access request or access traffic of the target application APP is valid information. The security identifier is valid information when it is not null and both the security identifier and its associated application APP ID are consistent with those recorded in the preset NSSP policy; in that case the user equipment UE may execute the operation of determining, from the preset NSSP policy, the target slice identifier S-NSSAI to which the target application APP should be accessed, based on the application APP ID and the corresponding security identifier. The security identifier is not valid information when it is null, or when it is inconsistent with the information recorded in the preset NSSP policy, or when the application APP ID associated with it is inconsistent with the information recorded in the preset NSSP policy; if any one of these situations occurs, the user equipment UE may reject the access request initiated by the target application APP. It should be noted that, in an implementation manner, if the security identifier is not valid information or there is no security identifier, after the user equipment UE refuses to let the access traffic of the target application APP access the target network slice, the access traffic of the target application APP may be transferred to a default network slice, where the default network slice may be a preset public network slice.
For example, fig. 4 schematically illustrates a network slice determining process provided by the embodiment of the present disclosure. As shown in fig. 4:
S301, the application server develops an APP service and configures an application APP ID for the target application APP;
S302, the application server applies to the PCF network element of the operator to open a slice service for the application APP ID, for example, to open an acceleration slice;
S303, when the PCF network element instantiates a network slice and allocates a slice identifier S-NSSAI for the application APP ID, it can also allocate a security identifier for the target application APP;
S304, the PCF network element can generate or update the preset NSSP policy according to the correspondence among the APP ID, the APP security identifier and the S-NSSAI;
S305, the PCF network element returns the application APP ID and the corresponding security identifier to the application service provider (AF);
S306, the PCF network element issues the preset NSSP policy to the UE;
S307, when downloading or updating the target application APP, the UE can obtain the application APP ID and the corresponding security identifier of the target application APP;
S308, when the target application APP initiates a service request to the UE, the request can carry the APP ID and the security identifier;
S309, in the process of session establishment, the UE determines, according to the preset NSSP policy, the network slice identifier S-NSSAI to which the target application APP is to be accessed, and establishes a connection between the target application APP and the slice identified by the slice identifier S-NSSAI;
S310, the UE forwards the traffic of the application APP ID to the UPF network element corresponding to the S-NSSAI.
For example, fig. 5 schematically illustrates network slice determination provided by the embodiment of the present disclosure. As shown in fig. 5, the application server 1 develops an application APP1 and configures an application APP ID for it; the application server 1 applies to the PCF network element in the operator 5G core network 42 to open a slice service for the application APP ID; the PCF allocates a security identifier and a corresponding slice identifier S-NSSAI to APP1, and generates or updates the preset NSSP policy according to the correspondence among the APP ID, the APP security identifier and the S-NSSAI; the PCF issues the preset NSSP policy to the terminal 43; and, in the session establishment process of APP1, the network slice identifier S-NSSAI to which APP1 should be accessed is determined according to the preset NSSP policy, and the traffic of APP1 is forwarded to the UPF1 corresponding to that network slice identifier S-NSSAI.
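The flow S303 to S310 and the UE-side validity check described above, as an added Python example that is not part of the patent. The class and function names, the default-slice label and the use of a random token as the security identifier are assumptions; the page does not say how the PCF generates the identifier.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_SNSSAI = "S-NSSAI-default"  # assumed label for the preset public slice


@dataclass(frozen=True)
class NsspEntry:
    """One row of the preset NSSP policy: APP ID, security identifier, slice."""
    app_id: str
    security_id: str
    s_nssai: str


@dataclass
class Pcf:
    """PCF side: allocate (S303), build policy (S304), return (S305), issue (S306)."""
    entries: Dict[str, NsspEntry] = field(default_factory=dict)

    def subscribe(self, app_id: str, s_nssai: str) -> Tuple[str, str]:
        # Assumption: a 128-bit random token stands in for the security
        # identifier; the page leaves the generation method open.
        security_id = secrets.token_hex(16)
        self.entries[app_id] = NsspEntry(app_id, security_id, s_nssai)
        return app_id, security_id  # handed back to the application server

    def issue_policy(self) -> Dict[str, NsspEntry]:
        return dict(self.entries)  # copy of the policy issued to the UE


@dataclass(frozen=True)
class Decision:
    allowed: bool            # True only when the subscribed slice is granted
    s_nssai: Optional[str]   # slice the traffic is steered to, None if dropped
    reason: str


class Ue:
    """UE side: validity check, then slice selection (S308 to S310)."""

    def __init__(self, policy: Dict[str, NsspEntry], fallback_to_default: bool = True):
        self._policy = policy
        self._fallback = fallback_to_default

    def select_slice(self, app_id: str, security_id: Optional[str]) -> Decision:
        # Case 1: identifier missing or null.
        if not security_id:
            return self._reject("security identifier missing")
        # Case 2: APP ID is not recorded in the policy at all.
        entry = self._policy.get(app_id)
        if entry is None:
            return self._reject("APP ID not in NSSP policy")
        # Case 3: identifier does not belong to this APP ID. Constant-time
        # comparison avoids leaking how many leading characters matched.
        if not hmac.compare_digest(entry.security_id.encode(), security_id.encode()):
            return self._reject("security identifier does not match APP ID")
        return Decision(True, entry.s_nssai, "ok")

    def _reject(self, reason: str) -> Decision:
        # Optional behaviour from the page: move rejected traffic to the default slice.
        return Decision(False, DEFAULT_SNSSAI if self._fallback else None, reason)


if __name__ == "__main__":
    pcf = Pcf()
    _, sid1 = pcf.subscribe("APP1", "S-NSSAI1")   # constructed sample subscriptions
    _, sid2 = pcf.subscribe("APP2", "S-NSSAI2")
    ue = Ue(pcf.issue_policy())
    # Constructed requests: genuine APP1, APP1's ID with APP2's identifier,
    # APP1's ID with no identifier, and an unsubscribed APP reusing sid1.
    for app_id, sid in [("APP1", sid1), ("APP1", sid2), ("APP1", None), ("APP3", sid1)]:
        print(app_id, ue.select_slice(app_id, sid))
```

Because the identifier in this flow is a value configured into the APP, the check binds traffic to whoever holds that value; keeping the identifier out of logs and rotating it on APP update are deployment choices the page leaves open.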
The network slice determining system provided by the embodiment of the present disclosure may include:
user equipment UE, which, when a target application APP initiates an access request, determines, from a preset NSSP policy, the slice identifier S-NSSAI of the target network slice to which the target application APP should be accessed, based on the application APP ID and the corresponding security identifier carried in the access request; the security identifier is generated by a policy control function PCF network element according to a slice subscription request of an application server, and the preset NSSP policy is used to represent the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI; and which forwards the access traffic of the target application APP to the target user plane function UPF network element indicated by the slice identifier S-NSSAI.
In summary, with the network slice determining system provided in the embodiment of the present invention, when a target application APP initiates an access request, the user equipment UE determines, from a preset NSSP policy, the slice identifier S-NSSAI of the target network slice to which the target application APP should be accessed, based on the application APP ID and the corresponding security identifier carried in the access request, where the security identifier is generated by a policy control function PCF network element according to a slice subscription request of an application server, and the preset NSSP policy is used to represent the correspondence among the application APP ID, the security identifier, and the slice identifier S-NSSAI; the user equipment UE then forwards the access traffic of the target application APP to the target user plane function UPF network element indicated by the slice identifier S-NSSAI. In this way, by adding the security identifier, on the one hand, the NSSP policy in the URSP rule is enhanced: a subscribed APP is guaranteed access to its corresponding slice and a non-subscribed APP is prevented from accessing that slice, which achieves APP-level secure slice transmission and detection, and also prevents the problem that, because an APP ID is fraudulently used, differentiated security service guarantees cannot be provided for different application APPs through the operator's subscribed network slices; on the other hand, the session request does not need to be transmitted to the core network UPF, which improves the efficiency of network slice detection.
The system further comprises:
the PCF network element, which, in response to a slice subscription request of an application server for the target application APP, performs a network slice instantiation operation and determines, based on network slice subscription related information, the slice identifier S-NSSAI of the target network slice to which the target application APP should be accessed and the security identifier corresponding to the application APP ID; and which returns the application APP ID and the corresponding security identifier to the application server.
Optionally, the system further includes:
and the PCF network element establishes the preset NSSP policy based on the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI.
Optionally, the system further includes:
and the PCF network element issues the preset NSSP policy to the user equipment UE.
Optionally, the system further includes:
the user equipment UE detects, according to the preset NSSP policy issued by the PCF network element, whether the security identifier carried in the access request or access traffic of the target application APP is valid information; if the security identifier is valid information, the user equipment UE executes the operation of determining, from the preset NSSP policy, the target slice S-NSSAI to which the access traffic of the target application APP should be accessed, based on the application APP ID and the corresponding security identifier; and if the security identifier is not valid information or there is no security identifier, the user equipment UE refuses to let the access traffic of the target application APP access the target slice S-NSSAI, and the access traffic of the target application APP can be switched to a default network slice.
The specific details of each network element or device in the network slice determining system have been described in detail in the corresponding network slice determining method, and therefore are not described herein again.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functionality of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that these steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken into multiple step executions, etc.
It should be noted that, the division of the modules in the embodiments of the present application is schematic, and is only a logical function division, and in actual implementation, there may be another division manner, and in addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or may exist alone physically, or two or more units are integrated in one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Based on the same concept as the network slice determining method, as shown in fig. 6, an embodiment of the present application further provides a schematic structural diagram of a network device 600. The apparatus 600 may be used to implement the methods described in the above method embodiments, and reference may be made to the description in the above method embodiments.
The device 600 includes one or more processors 601. The processor 601 may be a general purpose processor, a special purpose processor, or the like. For example, a baseband processor, or a central processor. The baseband processor may be used to process communication protocols and communication data, and the central processor may be used to control a network device (e.g., a base station, a terminal, or a chip), execute a software program, and process data of the software program. The network device may include a transceiving unit to enable input (reception) and output (transmission) of signals. For example, the transceiver unit may be a transceiver, a radio frequency chip, or the like.
The device 600 comprises one or more of the processors 601, and the one or more processors 601 may implement the methods of the illustrated embodiments described above. Optionally, the processor 601 may also implement other functions besides implementing the methods of the above-described illustrated embodiments.
Alternatively, in one design, the processor 601 may execute instructions to cause the apparatus 600 to perform the methods described in the above method embodiments. The instructions may be stored in whole or in part in the processor, such as instructions 603, or may be stored in whole or in part in a memory 602 coupled to the processor, such as instructions 604, or may collectively cause apparatus 600 to perform the methods described in the above method embodiments, through instructions 603 and 604.
In yet another possible design, the network device 600 may also include circuitry that may implement the functionality of the foregoing method embodiments.
In yet another possible design, the apparatus 600 may include one or more memories 602 having instructions 604 stored thereon, which are executable on the processor to cause the apparatus 600 to perform the methods described in the above method embodiments. Optionally, the memory may further store data therein. Instructions and/or data may also be stored in the optional processor. For example, the one or more memories 602 may store the corresponding relations described in the above embodiments, or the related parameters or tables referred to in the above embodiments, and the like. The processor and the memory may be provided separately or may be integrated together.
In yet another possible design, the device 600 may also include a transceiver 605 and an antenna 606. The processor 601 may be referred to as a processing unit and controls a device (terminal or base station). The transceiver 605 may be referred to as a transceiver, a transceiving circuit, a transceiving unit, or the like, and is used for performing transceiving functions of the apparatus through the antenna 606.
It should be noted that the processor in the embodiments of the present application may be an integrated circuit chip having signal processing capability. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The processor may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an erasable programmable memory, or a register. The storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with hardware of the processor.
It will be appreciated that the memory in the embodiments of the present application can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of example, but not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
An embodiment of the present application further provides a computer-readable medium, on which a computer program is stored, where the computer program, when executed by a computer, implements the network slice determining method described in any of the above method embodiments.
The embodiment of the present application further provides a computer program product, and when executed by a computer, the computer program product implements the network slice determining method according to any of the above method embodiments.
In the above embodiments, all or part of the implementation may be realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a Digital Video Disc (DVD)), or a semiconductor medium (e.g., a Solid State Drive (SSD)), among others.
The embodiment of the application also provides a processing device, which comprises a processor and an interface; the processor is configured to execute the network slice determining method according to any of the above method embodiments.
It should be understood that the processing device may be a chip, the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, which may be integrated in the processor, located external to the processor, or stand-alone.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that, to illustrate clearly the interchangeability of hardware and software, the components and steps of the examples have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiments of the present application.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented in hardware, firmware, or a combination thereof. When implemented in software, the functions described above may be stored on, or transmitted as one or more instructions or code on, a computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example and not limitation, computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Furthermore, any connection is properly termed a computer-readable medium. For example, if software is transmitted from a website, a server, or other remote source using a coaxial cable, a fiber optic cable, a twisted pair, a Digital Subscriber Line (DSL), or a wireless technology such as infrared, radio, and microwave, then the coaxial cable, the fiber optic cable, the twisted pair, the DSL, or the wireless technology such as infrared, radio, and microwave is included in the definition of the medium. Disk and disc, as used herein, include Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
In short, the above description is only a preferred embodiment of the present disclosure, and is not intended to limit the scope of the present disclosure. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A method for network slice determination, the method comprising:
when a target application APP initiates an access request, user equipment UE determines, from a preset NSSP policy, a slice identifier S-NSSAI of a target network slice to which the target application APP should be accessed, based on an application APP ID and a corresponding security identifier carried in the access request; the security identifier is generated by a policy control function PCF network element according to a slice subscription request of an application server, and the preset NSSP policy is used for representing the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI;
and the user equipment UE forwards the access traffic of the target application APP to a target user plane function UPF network element indicated by the slice identifier S-NSSAI.
2. The method of claim 1, further comprising:
in response to a network slice subscription request of an application server for the target application APP, the PCF network element determines, based on network slice subscription related information, the slice identifier S-NSSAI of the target network slice to which the target application APP should be accessed and the security identifier corresponding to the application APP ID;
and the PCF network element returns the application APP ID and the corresponding security identifier to the application server.
3. The method of claim 2, further comprising:
and the PCF network element establishes the preset NSSP policy based on the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI.
4. The method of claim 3, further comprising:
and the PCF network element transmits the preset NSSP policy to the user equipment UE.
5. The method of claim 1, further comprising:
the user equipment UE detects, according to the preset NSSP policy issued by the PCF network element, whether the security identifier carried in the access request or access traffic of the target application APP is valid information;
if the security identifier is the valid information, the user equipment UE determines, from the preset NSSP policy, the slice identifier S-NSSAI of the target network slice to which the target application APP should be accessed, based on the application APP ID and the corresponding security identifier carried in the access request;
and if the security identifier is not the valid information or there is no security identifier, the user equipment UE refuses to let the access traffic of the target application APP access the target network slice.
6. A network slice determination system, the system comprising:
the method comprises the steps that User Equipment (UE) determines a slice identifier S-NSSAI of a target network slice to which a target Application (APP) is to be accessed from a preset NSSP strategy based on an APP ID and a corresponding security identifier carried in an access request when the target APP initiates the access request; the security identifier is generated by a policy control function PCF network element according to a slice subscription request of an application server, and the preset NSSP policy is used for representing the corresponding relation among the application APP ID, the security identifier and a slice identifier S-NSSAI; and forwarding the access flow of the target application APP to a target user plane function UPF network element indicated by the slice identifier S-NSSAI.
7. The system of claim 6, further comprising:
the PCF network element, which, in response to a network slice subscription request of an application server for the target application APP, performs a network slice instantiation operation and determines, based on network slice subscription related information, the slice identifier S-NSSAI of the target network slice that the target application APP should access and the security identifier corresponding to the application APP ID; and which returns the application APP ID and the corresponding security identifier to the application server.
8. The system of claim 7, further comprising:
and the PCF network element establishes the preset NSSP policy based on the correspondence among the application APP ID, the security identifier and the slice identifier S-NSSAI.
9. A network device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the network slice determination method of any of claims 1-5 via execution of the executable instructions.
10. A computer-readable storage medium having a computer program stored thereon, the computer-readable storage medium comprising: computer software instructions;
the computer software instructions, when executed in a network device, cause the network device to implement the network slice determination method of any of claims 1-5.
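The UE-side check of claim 5 and the forwarding step of claim 6, as an added illustration that is not part of the patent text. The rule layout, the byte-string form of the security identifier, the APP IDs, S-NSSAI values and UPF names are all constructed assumptions; the patent does not specify them.

```python
import hmac
from typing import NamedTuple, Optional


class NsspRule(NamedTuple):
    app_id: str          # application APP ID
    security_id: bytes   # opaque value issued by the PCF (format assumed)
    s_nssai: str         # slice identifier, written here as "SST-SD"


# Constructed sample policy, as the PCF might deliver it to the UE.
NSSP_POLICY = [
    NsspRule("com.example.video", b"sec-id-video-7f3a", "1-0000A1"),
    NsspRule("com.example.game", b"sec-id-game-c21e", "1-0000B2"),
]
# Constructed mapping from slice identifier to the UPF serving that slice.
UPF_BY_SLICE = {"1-0000A1": "upf-video", "1-0000B2": "upf-game"}


def select_slice(policy, app_id: str,
                 security_id: Optional[bytes]) -> Optional[str]:
    """Return the S-NSSAI for a subscribed APP, or None to reject.

    The identifier must match the rule for *this* APP ID: an identifier
    that is valid for another application is treated as invalid.
    """
    if not security_id:          # no security identifier carried
        return None
    selected = None
    for rule in policy:
        # Constant-time comparison avoids leaking how many bytes matched.
        id_ok = hmac.compare_digest(rule.security_id, security_id)
        if id_ok and rule.app_id == app_id:
            selected = rule.s_nssai
    return selected


def route(app_id: str, security_id: Optional[bytes] = None):
    """Decide what the UE does with the APP's access flow."""
    s_nssai = select_slice(NSSP_POLICY, app_id, security_id)
    if s_nssai is None:
        return ("reject", None)
    return ("forward", UPF_BY_SLICE[s_nssai])


if __name__ == "__main__":
    print(route("com.example.video", b"sec-id-video-7f3a"))
    print(route("com.example.video", b"sec-id-game-c21e"))
    print(route("com.example.video"))
```

The second call shows why the lookup is keyed on the pair rather than on the identifier alone: a value that is valid for one subscribed APP does not admit a different APP ID to any slice.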
CN202211367324.XA 2022-11-02 2022-11-02 Network slice determining method, system, network device and storage medium Pending CN115913964A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211367324.XA CN115913964A (en) 2022-11-02 2022-11-02 Network slice determining method, system, network device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211367324.XA CN115913964A (en) 2022-11-02 2022-11-02 Network slice determining method, system, network device and storage medium

Publications (1)

Publication Number Publication Date
CN115913964A true CN115913964A (en) 2023-04-04

Family

ID=86491809

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211367324.XA Pending CN115913964A (en) 2022-11-02 2022-11-02 Network slice determining method, system, network device and storage medium

Country Status (1)

Country Link
CN (1) CN115913964A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination