CN116156492A - Method, device and communication system for establishing secure tunnel - Google Patents


Info

Publication number: CN116156492A
Authority: CN (China)
Prior art keywords: network function, secure tunnel, function, message, control plane
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN202111383244.9A
Other languages: Chinese (zh)
Inventors: 龙思锐, 尤正刚
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202111383244.9A
Priority to PCT/CN2022/132764 (WO2023088404A1)
Publication of CN116156492A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03: Protecting confidentiality, e.g. by encryption
    • H04W 76/00: Connection management
    • H04W 76/10: Connection setup
    • H04W 76/11: Allocation or use of connection identifiers
    • H04W 76/12: Setup of transport tunnels

Abstract

The application relates to a method, a device and a communication system for establishing a secure tunnel. In the method, a network function generates the configuration of the secure tunnel from a secure tunnel template and the interface address of the peer network function; for example, the first network function and the second network function can each automatically generate the configuration of the secure tunnel and automatically establish the secure tunnel. Compared with manual configuration of the secure tunnel, the method reduces the workload of manual configuration and maintenance, reduces the error rate of configuration and maintenance, and improves the accuracy of data transmission.

Description

Method, device and communication system for establishing secure tunnel
Technical Field
The present disclosure relates to the field of wireless communications technologies, and in particular, to a method and apparatus for establishing a secure tunnel, and a communication system.
Background
The edge area where the user plane function (UPF) is deployed may be an unsafe area. When a user accesses a service through the UPF, the interface signaling of the UPF may carry key information such as offloading and charging data as well as the user's communication content, so the interfaces of the UPF need to be protected by a secure tunnel.
A secure tunnel encrypts and decrypts data messages using a security algorithm and related parameters stored at the source end and the destination end of the data stream. Secure tunnels are a subject of considerable investigation.
Disclosure of Invention
The application provides a method, a device and a communication system for establishing a secure tunnel, which are used for improving the security of data message transmission.
In a first aspect, a method for establishing a secure tunnel is provided, including the following steps: the first network function generates a first configuration of the secure tunnel according to the secure tunnel template and the interface address of the second network function; the first network function then establishes a secure tunnel with the second network function according to the first configuration of the secure tunnel, i.e. a secure tunnel is established between the first network function and the second network function.
The second network function performs an operation corresponding to the first network function, and establishes a secure tunnel with the first network function. Specifically, the second network function generates a second configuration of the secure tunnel according to the secure tunnel template and the interface address of the first network function, and the second network function establishes a secure tunnel with the first network function, i.e. establishes a secure tunnel between the first network function and the second network function, according to the second configuration of the secure tunnel.
In actual deployment, a secure tunnel between the UPF and other network functions needs to be configured manually; the workload of configuration and maintenance is excessive, the error rate is high, and the accuracy of data transmission is affected. In the method provided by the application, the network equipment can automatically generate the configuration of the secure tunnel and automatically establish the secure tunnel according to the secure tunnel template and the interface address of the peer network function. Compared with manual configuration of the secure tunnel, this reduces the workload of manual configuration and maintenance, reduces the error rate of configuration and maintenance, improves the accuracy of data transmission, shortens the waiting time for manual configuration and improves configuration efficiency.
One or more secure tunnel templates are configured in the first network function and the second network function. Alternatively, the secure tunnel templates configured in the first network function and the second network function may be preset, or may be configured by other network functions through signaling. If a plurality of security tunnel templates are configured in the first network function and the second network function, the first network function and the second network function can select one security tunnel template from the plurality of security tunnel templates, and the security tunnel templates selected by the first network function and the second network function are the same. The first network function and the second network function specifically select which secure tunnel template may be determined by negotiation of the first network function and the second network function, for example, after the first network function determines which secure tunnel template is selected, index information of the secure tunnel template is sent to the second network function.
When the first network function and the second network function establish the secure tunnel, the first network function or the second network function may receive a user uplink data packet, where the uplink data packet is used to trigger the first network function and the second network function to establish the secure tunnel, that is, after the first network function or the second network function receives the uplink data packet, a secure tunnel between the first network function and the second network function is jointly established through message interaction.
The first network function and the second network function communicate based on the secure tunnel, and the secure tunnel is used for carrying out security protection on the data message between the first network function and the second network function.
In one possible scenario, the first network function and/or the second network function need to establish a secure tunnel and have the capability to establish a secure tunnel. For example, whether a secure tunnel needs to be established may be determined according to a deployment location of a network function, where the first network function and/or the second network function are deployed in an unsafe area (e.g., in an edge area such as a county), and it is determined that the secure tunnel needs to be established. Taking the first network function as an example, it may be that the user accesses the first network function when creating a new session, or it may be that the user moves from the coverage area of the previously accessed network function into the coverage area of the first network function during the moving process, and then it is required to determine whether to establish a secure tunnel according to whether the first network function is deployed in an unsafe area.
In the method, the network function can automatically generate configuration of the secure tunnel according to the secure tunnel template and the interface address of the opposite network function, and automatically establish the secure tunnel, and the secure tunnel can carry out security protection on the data messages transmitted between the network functions, so that the security of the data message transmission can be improved. And the configuration of the security tunnel is automatically generated and the security tunnel is automatically established between the network functions, compared with manual configuration of the security tunnel, the workload of manual configuration and maintenance can be reduced, the error rate of configuration and maintenance can be reduced, the configuration efficiency is improved, and the accuracy of data transmission is improved.
In one possible implementation, the first network function and the second network function are user plane functions, i.e. a secure tunnel may be automatically established between the two user plane functions.
For example, the interface address may be an N9 interface address or an S5 interface address, for example, in a fifth generation mobile communication (5 th-generation, 5G) network, the interface address between two user plane functions may be an N9 interface address, and in a fourth generation mobile communication (4 th-generation, 4G) network, the interface address between two user plane functions may be an S5 interface address.
In one possible implementation, the first network function is a user plane function, the second network function is a control plane function, or the first network function is a control plane function, and the second network function is a user plane function, that is, a secure tunnel may be automatically established between the user plane function and the control plane function.
For example, the interface address may be an N4 interface address or a Sxa interface address or a Sxb interface address, for example, in a 5G network, the interface address between the user plane function and the control plane function may be an N4 interface address, and in a 4G network, the interface address between the user plane function and the control plane function may be a Sxa interface address or a Sxb interface address.
In one possible implementation, before generating the configuration of the secure tunnel, a negotiation may be made between the first network function and the second network function as to whether the secure tunnel needs to be established.
For example, before the first network function generates the first configuration of the secure tunnel according to the secure tunnel template and the interface address of the second network function, the first network function may further send, to the second network function, indication information for indicating that the first network function has the capability to establish the secure tunnel and/or that the secure tunnel needs to be established, or indication information for indicating that the secure tunnel is established between the first network function and the second network function. For convenience of description, the indication information sent by the first network function to the second network function is referred to herein as a first message, where the first message is used to indicate that the first network function has a capability of establishing a secure tunnel, and/or that a secure tunnel needs to be established, or the first message is used to indicate that a secure tunnel is established between the first network function and the second network function. Alternatively, the first message may be a request message for establishing a secure tunnel, and when the second network function receives the request message for establishing a secure tunnel, the second network function may determine that the first network function has the capability to establish the secure tunnel, and/or needs to establish the secure tunnel.
The second network function transmits, to the first network function, indication information for indicating that the second network function has a capability of establishing a secure tunnel, or transmits indication information for indicating that establishment of the secure tunnel is confirmed. The first network function performs the associated step of generating a first configuration of the secure tunnel in response to the indication information. For convenience of description, the indication information sent by the second network function to the first network function is referred to herein as a second message, where the second message is used to indicate that the second network function has a capability of establishing a secure tunnel, or the second message is used to indicate that establishment of the secure tunnel is confirmed.
The first network function may determine to establish a secure tunnel with the second network function based on a capability negotiation result (e.g., a second message) with the second network function.
Optionally, in the process of negotiating whether the secure tunnel needs to be established, the first network function and the second network function may also negotiate a secure tunnel template to be used, for example, the first message carries index information such as a name of the secure tunnel template, and the second message may also be used to confirm the secure tunnel template using the name.
In this implementation, the first network function and the second network function may negotiate whether the secure tunnel needs to be established by exchanging whether they have the capability of establishing the secure tunnel, thereby implementing automatic establishment of the secure tunnel.
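The negotiation and template-driven configuration described above, as an added example that is not code from the patent or from Huawei: two network functions exchange the first message (capability, need, template index) and the second message (confirmation), then each derives its own tunnel configuration from the shared template and the peer's interface address. The template fields, class names and addresses are assumptions made for illustration; a real deployment would map the template onto its IPsec/IKE implementation.

```python
"""Added example (not from the patent): two network functions negotiate a
secure tunnel template and derive mirror-image tunnel configurations from
the template plus the peer's interface address. Template fields, names and
addresses are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed secure tunnel templates; the fields are illustrative only.
TEMPLATES = {
    "upf-n9-default": {"protocol": "IPsec-ESP", "cipher": "AES-256-GCM",
                       "key_exchange": "IKEv2", "sa_lifetime_s": 3600},
    "upf-n4-strict": {"protocol": "IPsec-ESP", "cipher": "AES-256-GCM",
                      "key_exchange": "IKEv2", "sa_lifetime_s": 900},
}


@dataclass
class TunnelConfig:
    template: str
    local_address: str
    remote_address: str
    params: dict


@dataclass
class NetworkFunction:
    name: str
    interface_address: str
    can_build_tunnel: bool
    templates: dict
    unsafe_area: bool = False          # deployment location decides the need
    config: Optional[TunnelConfig] = None
    tunnel_peer: Optional[str] = None

    def needs_tunnel(self) -> bool:
        return self.unsafe_area

    def first_message(self, template_name: str) -> dict:
        """First message: own capability, need, and the template index to use."""
        return {"capable": self.can_build_tunnel, "needs_tunnel": self.needs_tunnel(),
                "template": template_name, "interface_address": self.interface_address}

    def second_message(self, first_msg: dict) -> dict:
        """Second message: confirm only if this end is capable and knows the template."""
        confirmed = (self.can_build_tunnel and first_msg["capable"]
                     and first_msg["template"] in self.templates)
        return {"capable": self.can_build_tunnel, "confirmed": confirmed,
                "template": first_msg["template"],
                "interface_address": self.interface_address}

    def generate_config(self, template_name: str, peer_address: str) -> TunnelConfig:
        """Derive this end's configuration from the template and the peer address."""
        params = dict(self.templates[template_name])
        self.config = TunnelConfig(template_name, self.interface_address,
                                   peer_address, params)
        return self.config


def establish_tunnel(first: NetworkFunction, second: NetworkFunction,
                     template_name: str):
    """Run the negotiation; return (first_cfg, second_cfg), or None if the
    peer refuses (no capability or unknown template) so no tunnel is built."""
    if template_name not in first.templates:
        return None
    msg1 = first.first_message(template_name)
    msg2 = second.second_message(msg1)
    if not msg2["confirmed"]:
        return None
    cfg1 = first.generate_config(template_name, msg2["interface_address"])
    cfg2 = second.generate_config(template_name, msg1["interface_address"])
    first.tunnel_peer, second.tunnel_peer = second.name, first.name
    return cfg1, cfg2


def configs_consistent(cfg1: TunnelConfig, cfg2: TunnelConfig) -> bool:
    """Both ends must share template and parameters with mirrored addresses."""
    return (cfg1.template == cfg2.template and cfg1.params == cfg2.params
            and cfg1.local_address == cfg2.remote_address
            and cfg1.remote_address == cfg2.local_address)


if __name__ == "__main__":
    a = NetworkFunction("UPF-A", "10.0.1.10", True, dict(TEMPLATES), unsafe_area=True)
    b = NetworkFunction("UPF-B", "10.0.2.20", True, dict(TEMPLATES))
    print(establish_tunnel(a, b, "upf-n9-default"))
```

The consistency check is the point to watch operationally: because each end builds its configuration independently, the template index carried in the first message and echoed in the second is what keeps the two halves in agreement, and a peer that lacks the template or the capability must answer with a negative confirmation rather than a half-built tunnel.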
In one possible implementation, the first network function and the second network function may receive signaling indications of other network functions prior to generating the configuration of the secure tunnel.
For example, before the first network function generates the first configuration of the secure tunnel according to the secure tunnel template and the interface address of the second network function, the first control plane function may send to the first network function indication information for indicating that the secure tunnel is established between the first network function and the second network function. When the first network function receives the indication information, the first network function may determine that a secure tunnel needs to be established between the first network function and the second network function. For convenience of description, the indication information sent by the first control plane function to the first network function is referred to herein as a third message, where the third message is used to indicate that a secure tunnel is established between the first network function and the second network function.
Accordingly, the first network function may send, to the second network function, indication information for indicating that a secure tunnel is established between the first network function and the second network function.
Or the first control plane function may provide the second network function with indication information for indicating that a secure tunnel is established between the first network function and the second network function. In one possible example, the first control plane function directly sends, to the second network function, indication information for indicating that a secure tunnel is established between the first network function and the second network function; for convenience of description, the indication information sent by the first control plane function to the second network function is referred to herein as a seventh message, where the seventh message is used to indicate that a secure tunnel is established between the first network function and the second network function. In another possible example, the first control plane function sends, to the second control plane function, indication information for indicating that a secure tunnel is established between the first network function and the second network function, and the second control plane function in turn sends such indication information to the second network function; for convenience of description, the indication information sent by the first control plane function to the second control plane function is referred to as a sixth message, where the sixth message is used to indicate that a secure tunnel is established between the first network function and the second network function. That is, the manner in which the second network function learns whether a secure tunnel needs to be established is not limited.
Wherein establishing a secure tunnel between the first network function and the second network function (as needed) includes the first network function requiring establishment of a secure tunnel (e.g., when the first network function is deployed in an unsafe area) and/or the second network function requiring establishment of a secure tunnel (e.g., when the second network function is deployed in an unsafe area).
Optionally, the first control plane function may also indicate to the first network function and the second network function a secure tunnel template used in the process of establishing the secure tunnel.
For the first control plane function, the first control plane function may determine that a secure tunnel needs to be established between the first network function and the second network function by:
Mode one: the first network function sends, to the first control plane function, indication information for indicating that the first network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel, and for convenience of description, the indication information sent by the first network function to the first control plane function is referred to as a fourth message, where the fourth message is used to indicate that the first network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel. The second network function sends, to the first control plane function, indication information for indicating that the second network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel, and for convenience of description, the indication information sent by the second network function to the first control plane function is referred to herein as a fifth message, where the fifth message is used to indicate that the second network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel.
The first network function and the second network function may each report their capability information and their location to the first control plane function during the coupling establishment process with it, so that the first control plane function can decide whether a secure tunnel needs to be established between the first network function and the second network function.
The fifth message may come from the second network function, which may then communicate directly with the first control plane function. Or the fifth message may come from the second control plane function, at which time the second network function may communicate with the first control plane function through the second control plane function, for example, the second network function sends, to the second control plane function, indication information for indicating that the second network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel, and the second control plane function sends, to the first control plane function, indication information for indicating that the second network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel. The second control plane function may be a relay control plane function.
Mode two: the first control plane function stores information that the first network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel, and the first control plane function stores information that the second network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel.
In one possible implementation, the first network function may obtain the interface address of the second network function from the first control plane function, or the first network function may obtain the interface address of the second network function from the second network function. For example, the first control plane function sends the interface address of the second network function to the first network function. Optionally, the interface address of the second network function is included in the third message.
Accordingly, the second network function may obtain the interface address of the first network function from the first control plane function, or the second network function may obtain the interface address of the first network function from the first network function.
In one possible implementation, after the first network function establishes the secure tunnel with the second network function according to the first configuration of the secure tunnel, when there is no session on the path corresponding to the secure tunnel, the first network function may delete the first configuration of the secure tunnel and/or delete the secure tunnel. Correspondingly, the second network function may also delete the second configuration of the secure tunnel and/or delete the secure tunnel. For example, when there is no session on the path corresponding to the secure tunnel, the first control plane function may send, to the first network function, indication information for indicating to delete the first configuration of the secure tunnel and/or to delete the secure tunnel, and the first network function may delete the first configuration of the secure tunnel and delete the secure tunnel according to the indication information; the first control plane function may further send, to the second network function, indication information for indicating to delete the second configuration of the secure tunnel and/or to delete the secure tunnel, and the second network function may delete the second configuration of the secure tunnel and/or to delete the secure tunnel according to the indication information. Or the first network function may indicate to the second network function to delete the second configuration of the secure tunnel and/or to delete the secure tunnel.
In the case that the second control plane function exists, the first control plane function may send, to the second control plane function, indication information for indicating that the second network function deletes the second configuration of the secure tunnel and/or deletes the secure tunnel, and the second control plane function sends, to the second network function, the indication information indicating that the second network function deletes the second configuration of the secure tunnel and/or deletes the secure tunnel. In this case, it is understood that the second network function, under indirect direction of the first control plane function, deletes the second configuration of the secure tunnel and/or deletes the secure tunnel.
The path corresponding to the secure tunnel may include one or more sessions.
In some scenarios, the location changes during the movement of the user, and the coverage area of the first network function is moved out, where the first network function cannot provide services for the user, and if there are no other sessions on the interface path, the first network function may delete the first configuration of the secure tunnel and delete the secure tunnel.
In a second aspect, a method for establishing a secure tunnel is provided, including the following steps: the first control plane function determines that a secure tunnel needs to be established between the first network function and the second network function, and the first control plane function sends indication information for indicating the establishment of the secure tunnel between the first network function and the second network function to the first network function.
Optionally, the first control plane function may further provide, to the second network function, indication information for indicating that a secure tunnel is established between the first network function and the second network function, or the first network function may send, to the second network function, indication information for indicating that a secure tunnel is established between the first network function and the second network function.
The first control plane function can determine that the secure tunnel is to be established and send, to the first network function, indication information for indicating the establishment of the secure tunnel between the first network function and the second network function, thereby triggering the establishment of the secure tunnel between the first network function and the second network function and avoiding the problem that the secure tunnel cannot be established timely and accurately when it can only be triggered manually.
In one possible implementation, the first control plane function may also send an interface address of the second network function to the first network function, e.g. the third message comprises the interface address of the second network function.
The first control plane function provides the interface address of the second network function to the first network function, so that the first network function can automatically generate the configuration of the secure tunnel and establish the secure tunnel according to the interface address of the peer network function. Compared with manual configuration of the secure tunnel, this reduces the workload of manual configuration and maintenance, reduces the error rate of configuration and maintenance, and improves the accuracy of data transmission.
The first control plane function may also send an interface address of the first network function to the second network function. Specifically, the first control plane function directly sends the interface address of the first network function to the second network function or the first control plane function sends the interface address of the first network function to the second network function through the second control plane function.
The first control plane function provides the interface address of the first network function to the second network function, so that the second network function can also automatically generate the configuration of the secure tunnel and establish the secure tunnel according to the interface address of the peer network function. Compared with manual configuration of the secure tunnel, this reduces the workload of manual configuration and maintenance, reduces the error rate of configuration and maintenance, and improves the accuracy of data transmission.
In one possible implementation, the first control plane function determining that a secure tunnel needs to be established between the first network function and the second network function includes:
the first control plane function obtains a fourth message, the fourth message being used for indicating that the first network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel, and the first control plane function obtains a fifth message, the fifth message being used for indicating that the second network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel.
Or the first control plane function stores information that the first network function has the capability of establishing the secure tunnel and/or needs to establish the secure tunnel, and the first control plane function stores information that the second network function has the capability of establishing the secure tunnel and/or needs to establish the secure tunnel.
Different ways in which the first control plane function determines that a secure tunnel needs to be established between the first network function and the second network function are provided in this implementation.
In one possible implementation, the fifth message is from the second network function, or the fifth message is from the second control plane function.
In one possible implementation, the first control plane function provides, to the second network function, indication information for indicating that a secure tunnel is established between the first network function and the second network function, including:
the first control plane function may also send a sixth message to the second control plane function, the sixth message being for indicating that a secure tunnel is established between the first network function and the second network function. The second control plane function may instruct the second network function to establish a secure tunnel between the first network function and the second network function based on the sixth message.
Or the first control plane function may further send a seventh message to the second network function, where the seventh message is used to instruct the first network function to establish a secure tunnel with the second network function. If the first network function is deployed in an unsafe area, establishing a secure tunnel between the first network function and the second network function includes the first network function needing to establish the secure tunnel.
In this implementation, the first control plane function may indicate to the second network function, directly or indirectly, that a secure tunnel is established between the first network function and the second network function.
In one possible implementation, when there is no session on the path corresponding to the secure tunnel, the first control plane function may further indicate to the first network function to delete the first configuration of the secure tunnel and/or delete the secure tunnel.
The first control plane function may also indicate (optionally via the second control plane function) to the second network function to delete the second configuration of the secure tunnel and/or to delete the secure tunnel.
In a third aspect, a communication system is provided that includes a first network function and a second network function.
The first network function can be used for generating a first configuration of the secure tunnel according to the secure tunnel template and the interface address of the second network function, establishing the secure tunnel between the first network function and the second network function according to the first configuration of the secure tunnel, and communicating based on the secure tunnel, wherein the secure tunnel is used for carrying out security protection on the data message between the first network function and the second network function.
The second network function can be used for generating a second configuration of the secure tunnel according to the secure tunnel template and the interface address of the first network function, establishing the secure tunnel between the first network function and the second network function according to the second configuration of the secure tunnel, and communicating based on the secure tunnel.
In one possible implementation, the first network function and the second network function are user plane functions. For example, the interface address is an N9 interface address or an S5 interface address.
Alternatively, the first network function is a user plane function and the second network function is a control plane function, or the first network function is a control plane function and the second network function is a user plane function. For example, the interface address is an N4 interface address, an Sxa interface address or an Sxb interface address.
In one possible implementation, the first network function may be further configured to send a first message to the second network function, where the first message is used to indicate that the first network function has a capability to establish a secure tunnel, and/or needs to establish the secure tunnel; and receiving a second message from the second network function, the second message indicating that the second network function has the capability to establish a secure tunnel.
The second network function may also be configured to receive the first message and to send the second message to the first network function.
Optionally, the second network function may determine to establish a secure tunnel with the first network function based on the first message.
In one possible implementation, the communication system may further include a first control plane function;
The first control plane function may determine that a secure tunnel needs to be established between the first network function and the second network function, and send, to the first network function, indication information for indicating that the secure tunnel is established between the first network function and the second network function.
The first network function may be further configured to receive indication information for indicating establishment of a secure tunnel between the first network function and the second network function.
In one possible implementation, the first control plane function may be further configured to send a seventh message to the second network function, where the seventh message is configured to instruct the first network function to establish a secure tunnel with the second network function;
the second network function is further configured to receive a seventh message.
In one possible implementation, the communication system may further include a second control plane function;
the first control plane function may be further configured to send a sixth message to the second control plane function, where the sixth message is used to instruct the first network function to establish a secure tunnel with the second network function;
and the second control plane function is configured to receive the sixth message and to indicate to the second network function that a secure tunnel is established between the first network function and the second network function.
In one possible implementation, the first network function may be further configured to send a fourth message to the first control plane function, where the fourth message is used to indicate that the first network function has a capability to establish a secure tunnel and/or needs to establish the secure tunnel;
The first control plane function may also be configured to receive the fourth message.
In one possible implementation, the second network function may be further configured to send a fifth message to the first control plane function, where the fifth message is used to indicate that the second network function has a capability to establish a secure tunnel, and/or that the secure tunnel needs to be established.
The first control plane function may also be configured to receive a fifth message.
It will be appreciated that the time sequence in which the first network function sends the fourth message and the second network function sends the fifth message is not limited.
In one possible implementation, the second network function may also indicate to the second control plane function that the second network function has the capability to establish a secure tunnel and/or that a secure tunnel needs to be established.
And the second control plane function is further used for sending a fifth message to the first control plane function according to the indication of the second network function.
In one possible implementation, the first control plane function may also be used to send the interface address of the second network function to the first network function.
The first network function may also be configured to obtain an interface address of the second network function.
In one possible implementation, the first control plane function may be further configured to send an interface address of the first network function to the second network function;
The second network function may also be configured to obtain an interface address of the first network function.
In one possible implementation, the first control plane function is further configured to send, to the first network function, indication information for indicating to delete the first configuration of the secure tunnel and/or to delete the secure tunnel when there is no session on the path corresponding to the secure tunnel;
the first network function may be further configured to delete the first configuration of the secure tunnel and/or delete the secure tunnel according to the indication information.
In one possible implementation, the first control plane function is further configured to send, to the second network function, indication information for indicating to delete the second configuration of the secure tunnel and/or to delete the secure tunnel when there is no session on the path corresponding to the secure tunnel;
the second network function may be further configured to delete the second configuration of the secure tunnel and/or delete the secure tunnel according to the indication information.
Alternatively, the first control plane function may send, to the second control plane function, indication information for indicating to delete the second configuration of the secure tunnel and/or to delete the secure tunnel, and then the second control plane function sends, to the second network function, indication information for indicating to delete the second configuration of the secure tunnel and/or to delete the secure tunnel.
In a fourth aspect, a communication device is provided, which may be a network function or a control plane function, or a chip provided as a network function or a control plane function. The communication device may implement the method provided by the design of either of the first or second aspects.
The communication device comprises corresponding modules, units or means for implementing the above method, where the modules, units or means may be implemented by hardware, by software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions described above.
In a fifth aspect, a communication device is provided, including a transceiver unit. Optionally, the communication device further comprises a processing unit. The communication device may implement the method provided by the design of either the first or the second aspect.
In a sixth aspect, a communication device is provided that includes a processor. The processor may be adapted to perform the method provided by the design of any one of the first or second aspects above. Optionally, the apparatus further comprises a memory, the processor being coupled to the memory, the memory storing a computer program or instructions, the processor being executable to cause the apparatus to perform the method provided by the design of any one of the first or second aspects.
In a seventh aspect, a communication device is provided that includes an interface circuit and a logic circuit coupled to the interface circuit. The interface circuit may be a code/data read/write interface circuit for receiving computer-executable instructions (stored in memory, possibly read directly from memory, or possibly via other means) and transmitting them to the logic circuit to cause the logic circuit to execute the computer-executable instructions to perform the methods provided by the designs of either the first or second aspects described above.
In some possible designs, the communication device may be a chip or a system-on-chip.
In an eighth aspect, a communications apparatus is provided that includes a processor and a memory. The processor is configured to read instructions stored in the memory and to receive signals via the receiver and to transmit signals via the transmitter to perform the method provided by the design of any one of the first or second aspects.
In the alternative, the processor may be one or more, and the memory may be one or more. Alternatively, the memory may be integrated with the processor or the memory may be separate from the processor.
In a specific implementation process, the memory may be a non-transient (non-transitory) memory, for example, a Read Only Memory (ROM), which may be integrated on the same chip as the processor, or may be separately disposed on different chips, where the type of the memory and the manner of disposing the memory and the processor are not limited in this application.
The communication device may be a chip, and the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor, implemented by reading software code stored in a memory, which may be integrated in the processor, or may reside outside the processor, and exist separately.
In a ninth aspect, there is provided a processor comprising: input circuit, output circuit and processing circuit. The processing circuitry is configured to receive signals via the input circuitry and to transmit signals via the output circuitry such that the processor performs the method provided by the design of any one of the first or second aspects described above.
In a specific implementation process, the processor may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, various logic circuits, and the like. The input signal received by the input circuit may be received and input by, for example and without limitation, a receiver; the output signal from the output circuit may be output to and transmitted by, for example and without limitation, a transmitter; and the input circuit and the output circuit may be the same circuit, which functions as the input circuit and the output circuit, respectively, at different times. The specific implementation of the processor and the various circuits is not limited in this application.
In a tenth aspect, there is provided a communication apparatus comprising: logic circuitry and an input-output interface for communicating with a module external to the communication device; the logic circuitry is to run a computer program or instructions to perform the methods provided by any of the designs of any of the above aspects. The communication device may be a network function or a control plane function in the above first aspect or the second aspect, or a device including the above network function or control plane function, such as a chip.
Alternatively, the input/output interface may be a code/data read/write interface circuit, or a communication interface, for receiving a computer program or instructions (stored in a memory, possibly read directly from the memory, or possibly via other means) and transmitting them to the logic circuitry, so that the logic circuitry runs the computer program or instructions to perform the method of any of the above aspects.
Alternatively, the communication device may be a chip.
In an eleventh aspect, there is provided a computer program product comprising: a computer program (which may also be referred to as code, or instructions) which, when executed, causes a computer to perform the method provided by the design of any one of the first or second aspects described above.
In a twelfth aspect, there is provided a computer readable medium storing a computer program (which may also be referred to as code, or instructions) which, when run on a computer, causes the computer to carry out the method provided by the design of any one of the first or second aspects described above.
In a thirteenth aspect, a chip system is provided, the chip system comprising a processor and an interface for supporting a communication device to implement the functionality provided by the design of any one of the above first or second aspects. In one possible design, the chip system further includes a memory for holding the necessary information and data of the aforementioned communication device. The chip system can be composed of chips, and can also comprise chips and other discrete devices.
In a fourteenth aspect, a chip arrangement is provided, the chip arrangement comprising an input interface and/or an output interface. The input interface may implement the receiving function provided by the design of any one of the first aspect or the second aspect, and the output interface may implement the transmitting function provided by the design of any one of the first aspect or the second aspect.
A fifteenth aspect provides a functional entity for implementing the method provided by the design of any one of the first or second aspects.
A sixteenth aspect provides a communication system comprising the first network function and the second network function of the first or second aspect.
Optionally, the communication system may further comprise a first control plane function. The communication system may also include a second control plane function.
The technical effects of any one of the designs of the second aspect to the sixteenth aspect may be referred to the technical effects of the first aspect, and will not be described herein.
Drawings
FIG. 1 is a schematic diagram of a communication system;
FIG. 2 is a schematic diagram of a communication system;
FIG. 3 is a schematic diagram of a communication system;
FIG. 4 is a schematic diagram of a communication system architecture;
FIG. 5 is a schematic diagram of a secure tunnel establishment procedure according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a secure tunnel establishment procedure according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a secure tunnel template according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a secure tunnel establishment procedure according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a secure tunnel establishment procedure according to an embodiment of the present application;
FIG. 10 is a schematic diagram of a secure tunnel establishment procedure according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a secure tunnel establishment procedure according to an embodiment of the present application;
FIG. 12 is a schematic diagram of a secure tunnel establishment procedure according to an embodiment of the present application;
FIG. 13 is a schematic diagram of a secure tunnel establishment procedure according to an embodiment of the present application;
FIG. 14 is a schematic architecture diagram of a communication system according to an embodiment of the present application;
FIG. 15 is a schematic structural diagram of a communication device according to an embodiment of the present application;
FIG. 16 is a schematic structural diagram of a communication device according to an embodiment of the present application;
FIG. 17 is a schematic structural diagram of a communication device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the accompanying drawings.
The present application will present various aspects, embodiments, or features about a system that may include multiple devices, components, modules, etc. It is to be understood and appreciated that the various systems may include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules etc. discussed in connection with the figures. Furthermore, combinations of these schemes may also be used.
In addition, in the embodiments of the present application, the term "exemplary" is used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the use of the term "exemplary" is intended to present concepts in a concrete fashion.
The network architecture and the service scenario described in the embodiments of the present application are for more clearly describing the technical solution of the embodiments of the present application, and do not constitute a limitation on the technical solution provided in the embodiments of the present application, and those skilled in the art can know that, with the evolution of the network architecture and the appearance of the new service scenario, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
The following is a description of some of the terms of the embodiments of the present application to facilitate understanding by those skilled in the art.
1) A network device refers to a device that may provide a wireless access function for a user equipment (user equipment, UE). The network device may support at least one wireless communication technology, such as long term evolution (long term evolution, LTE), New Radio (new radio, NR), etc.
The network device may include a core network device. By way of example, network devices include, but are not limited to: the user plane function (user plane function, UPF) and the session management function (session management function, SMF) in 5G networks; and the serving gateway (serving gateway, SGW) control plane function (SGW-C), the public data network (public data network, PDN) gateway (PGW) control plane function (PGW-C), the SGW user plane function (SGW-U), the PGW user plane function (PGW-U), etc. in 4G networks. For example, the network functions referred to in the embodiments of the present application may be core network devices.
The network device may also include an access network device. By way of example, network devices include, but are not limited to: next generation base stations or next generation NodeBs (gNBs) in a 5G network, evolved NodeBs (eNBs), etc. The network device may also be a centralized unit (CU) and/or a distributed unit (DU), or the network device may be a relay station, an access point, an in-vehicle device, a terminal, a wearable device, a network device in future mobile communication, or a network device in a future evolved PLMN, etc.
2) A secure tunnel is used for providing security protection for the data streams of both communicating parties. The secure tunnel may be an internet protocol security (internet protocol security, IPsec) tunnel, and the communicating parties may be referred to as IPsec peers. A security association (security association, SA) is a convention established by negotiation between IPsec peers; the contents of the convention may include the security protocol type, the encapsulation mode of the IP packet, the authentication algorithm, the encryption algorithm, the key for protecting the IP packet, the lifetime of the key, and the like. That is, the secure tunnel enables both parties to perform data encryption and data integrity protection at the IP layer, ensuring the privacy, integrity and authenticity of the end-to-end communication data and preventing replay attacks.
In an embodiment of the present application, establishing (where necessary) a secure tunnel between the first network function and the second network function includes: the first network function needs to establish a secure tunnel and/or the second network function needs to establish a secure tunnel. Establishing a secure tunnel may also be referred to as securing. For example, when the first network function is deployed in an unsafe area, it is considered that the first network function needs to establish a secure tunnel, or the first network function needs to be secured, or a data packet of the first network function needs to be secured.
In the present application, "and/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone. The character "/" generally indicates that the objects before and after it are in an "or" relationship.
Reference herein to at least one means one or more, and a plurality means two or more.
In addition, it should be understood that in the description of this application, the words "first," "second," and the like are used merely for distinguishing between the descriptions and not for indicating or implying any relative importance or order.
The technical scheme of the embodiments of the application can be applied to various communication systems, for example a 4G system, an LTE frequency division duplex (frequency division duplex, FDD) system, an LTE time division duplex (time division duplex, TDD) system, a 5G communication system or NR, and future communication systems such as 6G, etc. In the embodiments of the present application, "system" and "network" may be used interchangeably.
Fig. 1 is a 3GPP defined 5G network architecture, which may include a user equipment UE, a network equipment part, and a Data Network (DN) part.
The network device portion includes the (radio) access network ((R)AN), the UPF, the access and mobility management function (access and mobility management function, AMF), the session management function (session management function, SMF), the policy control function (policy control function, PCF), unified data management (unified data management, UDM), the network slice selection function (network slice selection function, NSSF), the authentication server function (authentication server function, AUSF), the network slice-specific authentication and authorization function (network slice-specific authentication and authorization function, NSSAAF), the application function (application function, AF), and the like. Each of the network devices in fig. 1 may be deployed as one or more instances.
The N4 interface is an interface for connecting the SMF and the UPF, the SMF interacts with the UPF through the N4 interface to complete the creation, modification, release and the like of the user plane session, and the user (namely the UE) can surf the internet through the UPF.
The N9 interface is a user plane interface between the intermediate (I-)UPF and the UPF, used for transferring uplink and downlink user data flows between UPFs. When the anchor UPF can cover the user's location, the anchor UPF is connected directly to the (R)AN through the N3 interface; when the anchor UPF cannot cover the user's location, an I-UPF is inserted between the anchor UPF and the (R)AN: the I-UPF is connected to the (R)AN through the N3 interface and to the anchor UPF through the N9 interface. In another possible scenario, when a user's traffic needs to be split locally, the uplink classifier (uplink classifier, ULCL) UPF interfaces with the UPF of the auxiliary anchor and the UPF of the primary anchor, respectively, through N9 interfaces.
In fig. 1, N2, N5, N6, N7, N8, N10, N11, N12, N13, N15, N22, N58, and N59 are interface serial numbers. For example, the meaning of the interface sequence number and the network device such as AMF, PCF, UDM, NSSF, AUSF, NSSAAF, AF may be referred to the meaning defined in the 3GPP standard protocol.
Fig. 2 is a 3GPP-defined 4G network architecture in which the network device part includes SGW-C, PGW-C, traffic detection function (traffic detection function, TDF) -C, SGW-U, PGW-U, TDF-U, etc.
The Sxa/Sxb interface is an interface for connecting the SGW-C/PGW-C and the SGW-U/PGW-U, the SGW-C/PGW-C interacts with the SGW-U/PGW-U through the Sxa/Sxb interface to complete the creation, modification and release of the user plane session, and realize the user surfing through the SGW-U/PGW-U.
The S5 interface is a user plane interface between the SGW-U and the PGW-U, used for transmitting uplink and downlink user data streams between UPFs.
The meaning of the sequence numbers of the interfaces in fig. 2, and the network devices such as TDF-C, TDF-U can be seen from the meaning defined in the 3GPP standard protocol.
It should be noted that the interface names between the network functions in fig. 1 and fig. 2 are also merely an example, and in a specific implementation, the interface names of the system architecture may also be other names, which is not limited in this application.
The description takes the 5G network architecture as an example, that is, the user plane function is a UPF. As shown in fig. 3, the UPF has deployment scenarios such as provincial trunk, city, and county edge. In the provincial trunk deployment scenario, UPFs are deployed centrally in a provincial center, which can meet the requirement of 5G users accessing private line services. In the city deployment scenario, the UPF is deployed in the city, which can meet requirements such as media plane service processing and forwarding and service continuity for 5G users. In the county edge deployment scenario, the UPF is deployed at the edge and is mainly applied to campus scenarios; when a user roams across cities or provinces and needs to access a campus service of the home location, the user reaches the campus service by accessing the home UPF from the I-UPF of the visited city.
When the UPF is deployed in an edge area, the edge area may be an unsafe area, so the N4 interface and the N9 interface of the UPF need to be protected through a secure tunnel (such as an IPsec tunnel). One possible deployment is shown in fig. 4. In deployment scenario 1, user UE1 accesses a campus service, resident UPFs (i.e., UPFs serving a local campus) are deployed in batches, and a large number of UPFs need to be connected to an SMF in the 5G core network (5th generation core, 5GC); security protection is required because the N4 interface signalling contains key information such as traffic offloading and charging, as well as user-sensitive data. In deployment scenario 2, user UE2 accesses a campus service across cities; the UPFs of the two cities are connected through an N9 interface, and the user communication content on the N9 interface needs to be protected.
IPsec encrypts and decrypts data according to the convention (i.e., the SA described above) stored at the source and destination of the data stream. In actual deployment, if the N4 and N9 interfaces need to be protected, IPsec tunnels have to be configured manually. For example, if the N4 interface needs to be protected and there are 10 SMFs and 500 resident UPFs in a province, 10 (SMFs) × 500 + 500 (UPFs) × 10 = 10000 configurations are needed. For another example, if the N9 interface needs to be protected and there are 50 provincial UPFs and 500 resident UPFs in the province, 50 (provincial UPFs) × 500 + 500 (resident UPFs) × 50 = 50000 configurations are needed. When IPsec tunnels are configured manually, the configuration and maintenance workload is excessive, the error rate is high, and the accuracy of data transmission is affected.
Based on this, the embodiments of the application provide a method for establishing a secure tunnel, which can be applied to the communication system shown in fig. 1 or fig. 2. According to the method, a network function generates the configuration of the secure tunnel according to the secure tunnel template and the interface address of the peer network function, establishes the secure tunnel with the peer network function, and communicates over the established secure tunnel. The secure tunnel protects the data messages transmitted between the network functions, so the security of data message transmission is improved. Because the network function generates the configuration of the secure tunnel and establishes the secure tunnel automatically, the workload of manual configuration and maintenance is reduced, the error rate is reduced, configuration efficiency is improved, and the accuracy of data transmission is improved.
Fig. 5 is a schematic diagram of a possible method for establishing a secure tunnel according to an embodiment of the present application, including the following steps:
S501: the first network function generates a first configuration of the secure tunnel based on the secure tunnel template and the interface address of the second network function.
Correspondingly, the second network function generates a second configuration of the secure tunnel according to the secure tunnel template and the interface address of the first network function.
The secure tunnel templates used by the first network function and the second network function are the same: either the first network function and the second network function store the same selection strategy for secure tunnel templates, or they negotiate the secure tunnel template to be used; for example, the first network function sends index information of the selected secure tunnel template to the second network function, or the second network function sends index information of the selected secure tunnel template to the first network function. The secure tunnel template is described later.
In the embodiment of the application, the first network function and the second network function have the capability of establishing the secure tunnel, and the configuration of the secure tunnel can be automatically generated. The configuration of the security tunnel is configuration information related to the security tunnel, and is used for configuring security policies and objects of security protection used when the security tunnel performs security protection. Wherein the security policy used when the security tunnel performs security protection can be represented by a security tunnel template. The object of the security protection is a data packet, and the data packet may be sent to the opposite end network function through an interface address of the opposite end network function, for example, a first configuration of a security tunnel generated by the first network function may include an interface address of the second network function, and a second configuration of the security tunnel generated by the second network function may include the interface address of the first network function.
In one possible scenario, the first network function and the second network function are user plane functions.
For example, the interface address may be an N9 interface address or an S5 interface address, that is, the security tunnel secures the N9 path or the S5 path between the user plane functions.
In another possible scenario, the first network function is a user plane function, the second network function is a control plane function, or the first network function is a control plane function, and the second network function is a user plane function.
For example, the interface address may be an N4 interface address or a Sxa interface address or a Sxb interface address, i.e. the security tunnel secures the N4 path or the Sxa path or the Sxb path between the user plane function and the control plane function.
By way of example, the interface address of the first network function and the interface address of the second network function may be internet protocol (IP) addresses.
The first network function may obtain an interface address of the second network function. Accordingly, the second network function may obtain the interface address of the first network function. For example, the first control plane function may send the interface address of the second network function to the first network function and send the interface address of the first network function to the second network function. As another example, the second network function may send an interface address of the second network function to the first network function, and the first network function may send an interface address of the first network function to the second network function.
Alternatively, the first network function and the second network function may determine, before S501, that a secure tunnel needs to be established. Generally, whether the data messages of a network function need security protection, that is, whether the network function needs to be protected through a secure tunnel, may be determined according to the deployment location of the network function. For example, if the first network function is deployed at a county border, it is considered to be deployed in an insecure area and needs to establish a secure tunnel for security protection.
In one example, the first network function and the second network function may negotiate a secure tunnel establishment, with the understanding that negotiating a secure tunnel establishment includes negotiating a need to establish a secure tunnel and/or negotiating a capability to establish a secure tunnel.
For example, before the step S501, the first network function sends a first message to the second network function, where the first message is used to indicate that the first network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel, or the first message is used to request or indicate that a secure tunnel needs to be established between the first network function and the second network function; the first network function receives a second message from the second network function, the second message indicating that the second network function has the capability to establish a secure tunnel, or the second message indicating that the secure tunnel is confirmed to be established, so that the first network function can determine that the secure tunnel with the second network function is to be established based on the second message. For the second network function, after receiving the first message, the second network function may determine that the first network function has a capability of establishing a secure tunnel, and/or needs to establish a secure tunnel, that is, may determine to establish a secure tunnel with the first network function.
Alternatively, the first message may be a request message to establish a secure tunnel. In the case that one of the first network function and the second network function is a control plane function and the other is a user plane function, the first message and the second message used to negotiate whether a secure tunnel needs to be established may be multiplexed onto the existing coupling establishment message, implemented by adding a private information element to the coupling establishment message.
In the process of negotiating whether the secure tunnel needs to be established, the first network function and the second network function can also negotiate the used secure tunnel template, for example, the first message carries index information such as the name of the secure tunnel template, and the second message can also be used for confirming the secure tunnel template using the name.
It should be noted that, the "message" (e.g., the first message, the second message, etc.) in the embodiments of the present application may be defined in the standard, or may be private, i.e., non-standard, and is not limited herein.
In this example, one possible negotiation procedure is shown in fig. 6. Wherein the first network function is UPF, the second network function is I-UPF, and the negotiation decision of the UPF and the I-UPF can be performed through the data plane to decide whether to generate IPsec tunnel configuration (namely the configuration of the security tunnel), the process comprises the following steps:
S601: The UPF is configured with whether it needs to be secured through an IPsec tunnel (i.e., the secure tunnel described above).
S602: the UPF determines that negotiations with the I-UPF are required.
In this S602, the UPF receives a session establishment request or a session update request from the SMF; if a session is newly established with the I-UPF, or the I-UPF changes, and the session is the first session on the N9 interface path, the UPF determines that negotiation with the I-UPF is required.
S603: The UPF constructs a general packet radio service (GPRS) tunneling protocol user plane (GTPU) data packet (corresponding to the first message above) and carries, through a GTPU private extension header, a request for establishing an IPsec tunnel on the N9 interface path to which the current session belongs.
The payload of the GTPU data message is empty.
The I-UPF receives the GTPU data message.
S604: If the I-UPF has the capability of generating the IPsec tunnel, it constructs a GTPU data message (corresponding to the second message) and informs the UPF, through a GTPU private extension header, that the I-UPF has the capability of generating the IPsec tunnel.
The payload of the GTPU data message is empty.
The UPF receives the GTPU data message and can determine that the negotiation result supports the establishment of the IPsec tunnel.
S605: the I-UPF acquires the N9 interface address of the UPF, generates IPsec tunnel configuration and generates an IPsec tunnel.
For example, the I-UPF may obtain the N9 interface address of the UPF from the GTPU data packet, or from a session message sent by the SMF over the N4 interface.
S606: the UPF acquires the N9 interface address of the I-UPF, generates IPsec tunnel configuration and generates an IPsec tunnel.
S607: UPF and I-UPF delete IPsec tunnel configuration and IPsec tunnel.
This S607 is an optional step. If the user session is deleted, or the user moves and the I-UPF changes as a result, then when the I-UPF/UPF receives a session deletion request or a session update request sent by the SMF, the I-UPF/UPF determines whether other user sessions still exist on the N9 interface path with the opposite end; if not, the I-UPF/UPF may delete the IPsec tunnel configuration and the IPsec tunnel it generated.
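The GTPU exchange of S603 and S604, as an added example that is not part of the patent and not Huawei's code: it builds the empty-payload G-PDU that carries the request and the capability reply in an extension header, and parses it on the receiving side. The GTP-U header layout follows the public GTP-U format; the extension header type value and the two opcodes are constructed placeholders, since the page specifies only that a private extension header is used.

```python
import struct

# Constructed placeholders: the page says only that a "GTPU private extension header" carries the
# negotiation; this type value and these opcodes are NOT 3GPP-assigned numbers.
IPSEC_NEGOTIATION_EXT_TYPE = 0xD0
OP_REQUEST_IPSEC = 0x01   # S603: UPF asks the I-UPF to set up IPsec on this N9 path (first message)
OP_CAPABLE_IPSEC = 0x02   # S604: I-UPF answers that it can generate the tunnel (second message)

NO_MORE_EXT = 0x00        # GTP-U "no more extension headers"
GTPU_G_PDU = 0xFF         # GTP-U message type G-PDU
GTPU_FLAGS = 0x30 | 0x04  # version 1, PT=1 (GTP), E=1 (extension header present)


def build_negotiation_gpdu(teid: int, opcode: int) -> bytes:
    """Build a G-PDU whose payload is empty and whose only content is the negotiation
    extension header."""
    if opcode not in (OP_REQUEST_IPSEC, OP_CAPABLE_IPSEC):
        raise ValueError("unknown negotiation opcode")
    # Extension header: length (in 4-octet units) + content + next-type; padded to 4 octets.
    ext = bytes([1, opcode, 0x00, NO_MORE_EXT])
    # Optional fields that follow the 8-octet mandatory header when E is set:
    # sequence number (2), N-PDU number (1), next extension header type (1).
    optional = struct.pack("!HBB", 0, 0, IPSEC_NEGOTIATION_EXT_TYPE)
    body = optional + ext                              # no user payload follows
    header = struct.pack("!BBHI", GTPU_FLAGS, GTPU_G_PDU, len(body), teid)
    return header + body


def parse_negotiation_gpdu(pkt: bytes):
    """Return (teid, opcode) for a well-formed, empty-payload negotiation G-PDU, else None.
    Anything with a user payload, an unknown opcode or a bad length is not a negotiation message."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != GTPU_G_PDU:
        return None
    if len(pkt) != 8 + length or not flags & 0x07:      # length mismatch / no optional fields
        return None
    next_type = pkt[11]
    pos, opcode = 12, None
    while next_type != NO_MORE_EXT:                       # walk the extension header chain
        if pos >= len(pkt):
            return None
        ext_len = pkt[pos] * 4
        if ext_len == 0 or pos + ext_len > len(pkt):
            return None
        if next_type == IPSEC_NEGOTIATION_EXT_TYPE:
            opcode = pkt[pos + 1]
        next_type = pkt[pos + ext_len - 1]
        pos += ext_len
    if pos != len(pkt) or opcode not in (OP_REQUEST_IPSEC, OP_CAPABLE_IPSEC):
        return None
    return teid, opcode


def iupf_handle(pkt: bytes, iupf_can_generate_ipsec: bool):
    """I-UPF side of S604: answer a request only if it can generate an IPsec tunnel."""
    parsed = parse_negotiation_gpdu(pkt)
    if parsed is None or parsed[1] != OP_REQUEST_IPSEC or not iupf_can_generate_ipsec:
        return None
    return build_negotiation_gpdu(parsed[0], OP_CAPABLE_IPSEC)


def upf_negotiate(teid: int, iupf_can_generate_ipsec: bool) -> bool:
    """UPF side of S603/S605: True iff the negotiation result supports establishing the tunnel."""
    reply = iupf_handle(build_negotiation_gpdu(teid, OP_REQUEST_IPSEC), iupf_can_generate_ipsec)
    if reply is None:
        return False
    parsed = parse_negotiation_gpdu(reply)
    return parsed == (teid, OP_CAPABLE_IPSEC)
```

The parser rejects any G-PDU that carries user data after the extension header, so a normal user-plane packet is never mistaken for a negotiation message; only an empty-payload packet with the expected opcode changes the UPF's decision.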
In another example, the control plane function informs the first network function and/or the second network function that a secure tunnel needs to be established.
For example, before the step S501, the first control plane function determines that a secure tunnel needs to be established between the first network function and the second network function, sends a third message to the first network function, and the first network function receives the third message, where the third message is used to instruct the first network function to establish the secure tunnel with the second network function. Correspondingly, the first control plane function indicates to the second network function that a secure tunnel is established between the first network function and the second network function. The third message may also include an interface address of the second network function. The third message may be a session setup message or a session update message. For another example, the first control plane function may send a third message to the first network function, the first network function may indicate to the second network function that a secure tunnel is established between the first network function and the second network function, or the first control plane function may indicate to the second network function that a secure tunnel is established between the first network function and the second network function, the second network function may indicate to the first network function that a secure tunnel is established between the first network function and the second network function.
In a scenario that the first network function and the second network function are user plane functions, the first control plane function may negotiate in an interface coupling process to determine whether a secure tunnel needs to be established, and in the negotiation process, the first network function and the second network function may report a message to the first control plane function to indicate whether the secure tunnel needs to be established and/or whether the first control plane function has the capability of establishing the secure tunnel. For example, the first network function may report a fourth message to the first control plane function, where the fourth message is used to indicate that the first network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel, the second network function may report a fifth message to the first control plane function, where the fifth message is used to indicate that the second network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel, so that the first control plane function may determine, according to the fourth message and the fifth message, that a secure tunnel needs to be established between the first network function and the second network function. The timing and sequencing of the sending of the fourth message by the first network function and the sending of the fifth message by the second network function are not limited herein.
The fifth message may come from the second network function or from a second control plane function. The second control plane function may be an I-SMF; specifically, the second network function may report to the second control plane function whether it needs to establish a secure tunnel and/or has the capability of establishing one, and the second control plane function sends the fifth message to the first control plane function according to the information reported by the second network function. When the second control plane function exists, the first control plane function sends a sixth message to the second control plane function, the sixth message indicating that a secure tunnel is to be established between the first network function and the second network function, and the second control plane function indicates to the second network function that the secure tunnel is to be established between the first network function and the second network function. When there is no second control plane function, the first control plane function sends a seventh message to the second network function, the seventh message instructing the second network function to establish a secure tunnel with the first network function.
Alternatively, the first control plane function is configured with information on whether a network function needs to establish a secure tunnel and whether it has the capability of establishing one; typically the network function is one governed by the first control plane function. For example, the first control plane function stores information that the first network function has the capability to establish a secure tunnel and/or needs to establish one, and information that the second network function has the capability to establish a secure tunnel and/or needs to establish one. If the second network function is governed by the second control plane function, the second control plane function holds the information that the second network function needs to establish a secure tunnel and/or has the capability to establish one, and may send that information to the first control plane function.
Optionally, the control plane may further indicate index information of a secure tunnel template used in the process of establishing the secure tunnel to the first network function and the second network function.
The first network function and the second network function select the same secure tunnel template, the secure tunnel template comprising one or more of the following security policies: algorithms for security protection, internet key exchange (IKE) security proposals, IKE peers, IPsec security proposals, IPsec security policies, etc.
In this S501, the first network function may configure a parameter of the second network function, that is, the interface address of the second network function, in the secure tunnel template to generate the first configuration of the secure tunnel; correspondingly, the second network function may configure the interface address of the first network function in the secure tunnel template to generate the second configuration of the secure tunnel. Referring to fig. 7, the process by which the first network function generates the configuration of the secure tunnel is described as an example; the process at the second network function is similar and is not repeated. In step 701, the first network function may define the data flow to be protected, for example, by setting the "rule permit ip" entry of the security access control list (ACL) A in the security policy to the interface address of the second network function. In step 702, the first network function may configure IKE security proposals; for example, IKE proposal B includes: encryption-algorithm, authentication-method, authentication-algorithm, Diffie-Hellman key exchange (dh) group, integrity-algorithm, and SA duration. In step 703, the first network function may configure an IKE peer; for example, IKE peer D includes IKE proposal B (referencing IKE proposal B configured in step 702), "undo version 1", and the authentication parameters that correspond to the selected authentication-method. In step 704, the first network function may configure IPsec security proposals; for example, IPsec security proposal C includes the transform, the encapsulating security payload (ESP) encryption-algorithm, the ESP authentication-algorithm, the authentication header (AH) encryption-algorithm, and the encapsulation-mode. In step 705, the first network function may configure IKE-mode IPsec security policies; for example, IPsec policy F includes security ACL A (referencing security ACL A configured in step 701), IKE-peer D (referencing IKE peer D configured in step 703), proposal C (referencing IPsec proposal C configured in step 704), perfect forward secrecy (PFS), and rate limiting (speed-limit). In step 706, the first network function applies the IPsec security policy group IPsec policy F on an interface. If a security policy is optional, the corresponding step is also optional; for example, the IKE peer is optional, so step 703 is an optional step. It will be appreciated that the order of steps 701 to 706 is not limited, as long as the finally generated configuration of the secure tunnel is not affected.
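Steps 701 to 706 carried out in code, as an added example that is not the patent's or any vendor's implementation: a template object holds the security policies, and the only per-peer inputs are the local interface to bind and the opposite end's interface address, so the first and second network functions produce their configurations from one shared template. The template contents, field names, key reference and addresses are all constructed; reading "undo version 1" as "IKEv1 disabled, IKEv2 only" is an assumption.

```python
import ipaddress
from dataclasses import dataclass, asdict, replace
from typing import Optional


@dataclass(frozen=True)
class IkeProposal:                    # step 702
    name: str
    encryption_algorithm: str
    authentication_method: str        # e.g. "pre-share" or "rsa-signature"
    authentication_algorithm: str
    dh_group: str
    integrity_algorithm: str
    sa_duration_seconds: int


@dataclass(frozen=True)
class IpsecProposal:                  # step 704
    name: str
    transform: str                    # "esp" or "ah"
    esp_encryption_algorithm: str
    esp_authentication_algorithm: str
    encapsulation_mode: str           # "transport" (IPsec header after the original IP header) or "tunnel"


@dataclass(frozen=True)
class SecureTunnelTemplate:
    index: str                        # index information the peers exchange to agree on a template
    acl_name: str                     # step 701
    ike_proposal: IkeProposal
    ike_peer_name: Optional[str]      # None: IKE peer not used, so step 703 is skipped
    psk_ref: Optional[str]            # reference to a key slot; the template never carries key material
    ipsec_proposal: IpsecProposal
    policy_name: str                  # step 705
    pfs: Optional[str]
    speed_limit_kbps: Optional[int]


# Constructed sample template; every value here is illustrative.
TEMPLATE_N9 = SecureTunnelTemplate(
    index="n9-template-1", acl_name="acl A",
    ike_proposal=IkeProposal("proposal B", "aes-256", "pre-share", "sha2-256",
                             "group19", "sha2-256", 86400),
    ike_peer_name="IKE peer D", psk_ref="keyslot:n9",
    ipsec_proposal=IpsecProposal("proposal C", "esp", "aes-256", "sha2-256", "transport"),
    policy_name="IPsec policy F", pfs="group19", speed_limit_kbps=None,
)


def generate_tunnel_config(template: SecureTunnelTemplate, local_interface: str,
                           peer_address: str) -> dict:
    """Instantiate `template` for one peer. The only per-peer inputs are the local interface
    (step 706) and the opposite end's interface address (steps 701 and 703)."""
    peer = str(ipaddress.ip_address(peer_address))   # reject malformed input before it reaches a policy
    cfg = {
        "template_index": template.index,
        "peer_address": peer,
        # step 701: the protected flow is traffic addressed to the peer's interface address
        "acl": {"name": template.acl_name, "rules": [f"rule permit ip destination {peer}"]},
        "ike_proposal": asdict(template.ike_proposal),                      # step 702
        "ipsec_proposal": asdict(template.ipsec_proposal),                  # step 704
    }
    if template.ike_peer_name is not None:                                  # step 703 (optional)
        peer_cfg = {"name": template.ike_peer_name, "ike_proposal": template.ike_proposal.name,
                    "ike_version": "v2",            # assumed reading of "undo version 1": IKEv1 disabled
                    "remote_address": peer}
        if template.ike_proposal.authentication_method == "pre-share":
            if template.psk_ref is None:
                raise ValueError("pre-share selected but template has no key reference")
            peer_cfg["pre_shared_key_ref"] = template.psk_ref
        cfg["ike_peer"] = peer_cfg
    policy = {"name": template.policy_name, "acl": template.acl_name,
              "proposal": template.ipsec_proposal.name}                     # step 705
    if "ike_peer" in cfg:
        policy["ike_peer"] = template.ike_peer_name
    if template.pfs:
        policy["pfs"] = template.pfs
    if template.speed_limit_kbps:
        policy["speed_limit_kbps"] = template.speed_limit_kbps
    cfg["ipsec_policy"] = policy
    cfg["apply"] = {"interface": local_interface, "policy": template.policy_name}   # step 706
    return cfg


def try_generate(template, local_interface, peer_address) -> Optional[dict]:
    """Same as generate_tunnel_config but returns None instead of raising on bad input."""
    try:
        return generate_tunnel_config(template, local_interface, peer_address)
    except ValueError:
        return None


def template_without_ike_peer(template: SecureTunnelTemplate) -> SecureTunnelTemplate:
    """Variant showing that an optional policy drops its step (step 703 skipped)."""
    return replace(template, ike_peer_name=None)


def peer_dependent_fields(cfg_a: dict, cfg_b: dict) -> set:
    """Top-level keys on which two instantiations of one template differ: only the peer-bound ones."""
    return {k for k in cfg_a if cfg_a[k] != cfg_b.get(k)}
```

Generating the configuration for the UPF (peer address of the I-UPF) and for the I-UPF (peer address of the UPF) from the same template yields two configurations that differ only in the ACL rule, the IKE peer's remote address, the recorded peer address and the bound interface; every algorithm and lifetime comes from the shared template, which is what lets the two ends authenticate under the same policy.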
S502: the first network function establishes a secure tunnel with the second network function according to a first configuration of the secure tunnel, and communicates based on the secure tunnel.
Correspondingly, the second network function establishes a secure tunnel with the first network function according to the second configuration of the secure tunnel, and communicates based on the secure tunnel.
The first network function and the second network function together establish a secure tunnel, and the secure tunnel is used for carrying out security protection on the data message between the first network function and the second network function.
In a possible manner, the first network function receives an uplink data packet, where the uplink data packet is used to trigger the establishment of a secure tunnel between the first network function and the second network function, and the first network function may implement the establishment of the secure tunnel between the first network function and the second network function through the message interaction with the second network function. That is, the process of the first network function establishing a secure tunnel with the second network function and the process of the second network function establishing a secure tunnel with the first network function together constitute the process of establishing a secure tunnel between the first network function and the second network function.
The first network function and the second network function may include the following two phases when establishing a secure tunnel therebetween: stage 1) the two communication parties establish a channel (such as IKE SA) which is authenticated and secured, and stage 2) the two communication parties negotiate a specific security association (such as IPsec SA) for the security tunnel.
Alternatively, the secure tunnel may be established in other ways. For example, because the first network function and the second network function selected the same secure tunnel template, they may be considered to have selected the same security policy, and in that case the mutual authentication between the first network function and the second network function is regarded as passed.
When communication is performed based on the secure tunnel, taking an IPsec tunnel as the secure tunnel, the data stream source end encapsulates the data packet by inserting the IPsec header after the original data packet header, without changing the original IP header (including the destination IP address, that is, the IP address of the data stream destination end). For example, the format of a data message not carried over the IPsec tunnel is "original IP header + data (protected part)", and the format of a data message carried over the IPsec tunnel is "original IP header + IPsec header + data"; data in this format can be protected by one or more security policies. It can be understood that when the first network function sends a data packet to the second network function, the first network function is the data stream source end and the second network function is the data stream destination end, and vice versa: when the second network function sends a data packet to the first network function, the second network function is the source end and the first network function is the destination end.
Optionally, after the secure tunnel is established, if the user moves beyond the coverage area of a network function (such as the original network function), the original network function can no longer serve the user; if no other user remains between the original network function and the first network function, that is, no session exists on the path corresponding to the secure tunnel, the first control plane function may instruct the first network function and the second network function to delete the configuration of the secure tunnel and/or delete the secure tunnel. For example, the first control plane function may send a ninth message to the first network function, the ninth message being a session deletion message, a session update message or a coupling deletion message. In response to the ninth message, the first network function may delete the first configuration of the secure tunnel and/or delete the secure tunnel. Optionally, the first network function may further instruct the second network function to delete the second configuration of the secure tunnel and/or delete the secure tunnel, or the first control plane function may instruct the second network function to do so.
According to the method for establishing a secure tunnel described above, a network function generates the configuration of the secure tunnel from the secure tunnel template and the interface address of the opposite-end network function, establishes the secure tunnel with the opposite-end network function, and communicates over it. The secure tunnel protects the data messages transmitted between the network functions, so the security of data message transmission is improved. Because the network function generates the configuration and establishes the tunnel automatically, the workload of manual configuration and maintenance is reduced, the error rate is reduced, configuration efficiency is improved, and the accuracy of data transmission is improved.
The above-described secure tunnel establishment method will be described below in terms of several specific communication flows.
Example one: a secure tunnel is established for the N9 interface path during session establishment, and the communication flow has no I-SMF participation. The first network function is the UPF, the second network function is the I-UPF, and the first control plane function is the SMF; see fig. 8, comprising the following steps:
S801: The SMF obtains information on whether the UPF and the I-UPF need to establish an IPsec tunnel and whether they have the capability to establish one.
Whether security protection through an IPsec tunnel is required may be decided according to the deployment location of the UPF. For example, a UPF deployed at the edge (such as the edge UPF in fig. 3 or fig. 4) belongs to an insecure area and needs to be secured through an IPsec tunnel when establishing an N9 path with other UPFs (such as the I-UPF). The UPF capability indicates whether the UPF supports automatically generating IPsec tunnel configurations.
The SMF may obtain the above information in two ways:
Mode one: negotiating during coupling establishment over the N4 interface. The UPF reports the information, namely whether it needs to be protected by an IPsec tunnel and whether it has the capability of establishing an IPsec tunnel, by carrying a private information element in the coupling establishment/update message (corresponding to the fourth message) of the N4 interface. The coupling establishment/update message may be a packet forwarding control protocol (PFCP) coupling setup response (PFCP Association Setup Response), a PFCP coupling update request (PFCP Association Update Request) or a PFCP coupling update response (PFCP Association Update Response).
Mode two: the SMF is configured with the above information. For example, the SMF is configured with information about whether each UPF needs to be protected by an IPsec tunnel, and whether each UPF has capability information for establishing the IPsec tunnel.
In the first and second modes, information whether the UPF needs to be protected through the IPsec tunnel may be indicated by the location information of the UPF.
S802: the AMF sends a session establishment request to the SMF, which receives the session establishment request.
For example, when the user roams across cities or accesses a campus service in the offloading mode of the uplink classifier (ULCL), a session establishment request is sent to the AMF. After receiving the session establishment request, the AMF sends it to the SMF.
S803: the SMF selects the edge UPF as an anchor UPF according to the service accessed by the user.
In offloading, an edge UPF (hereinafter referred to as UPF) serves as an auxiliary anchor UPF.
When the edge UPF cannot cover the user location, the SMF may select the UPF of the city where the user is located as the I-UPF according to the user location. In the offloading scenario, the UPF of the user's location is referred to as the ULCL UPF.
S804: the SMF determines that the UPF needs to establish an IPsec tunnel.
In this S804, the SMF determines, according to the information acquired in S801, whether the UPF needs to establish an IPsec tunnel, and thereby whether an IPsec tunnel needs to be established between the UPF and the I-UPF.
For example, the process of the SMF determining whether the UPF needs to establish the IPsec tunnel may be shown in fig. 9, including the following steps:
S901: The SMF determines whether the currently created session is the first session on the N9 path between the UPF and the peer I-UPF. If so, S902 is performed; if not, S905 is performed.
There may be multiple sessions on the N9 path between the UPF and the I-UPF, and if the currently created session corresponding to the session establishment request is the first session on the N9 path between the UPF and the peer I-UPF, the SMF may decide whether the IPsec tunnel needs to be established on the N9 path of the session according to the information acquired in S801.
S902: The SMF determines whether the UPF needs to be secured through an IPsec tunnel. If so, S903 is performed; if not, S905 is performed.
S903: the SMF determines whether the I-UPF has the capability to establish an IPsec tunnel. If so, S904 is performed; if not, S905 is performed.
S904: the SMF determines that the N9 path for this session requires the establishment of an IPsec tunnel.
I.e., the SMF determines that an IPsec tunnel needs to be established between the UPF and the I-UPF.
S905: the SMF determines that the N9 path for this session does not require establishment of an IPsec tunnel.
I.e., the SMF determines that an IPsec tunnel does not need to be established between the UPF and the I-UPF.
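The SMF decision of S901 to S905, together with the symmetric deletion check of S607 (no session left on the N9 path), as an added example that is not the patent's code: a small tracker keeps the sessions per (UPF, I-UPF) path so that the first session arriving and the last session leaving are both detected, and the decision function applies the three checks in the order of fig. 9. Names, session identifiers and capability values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class UpfInfo:
    """What the SMF knows about one user plane function after S801 (reported over N4 or configured)."""
    name: str
    needs_ipsec: bool     # derived from deployment location: an edge UPF sits in an insecure area
    can_ipsec: bool       # supports automatically generating an IPsec tunnel configuration


class N9PathTracker:
    """Sessions per N9 path, keyed by (UPF, I-UPF). Lets the SMF recognise the first session on a
    path (S901) and, symmetrically, the last one leaving it (S607 / ninth message)."""

    def __init__(self) -> None:
        self._sessions: Dict[Tuple[str, str], Set[str]] = {}

    def add_session(self, upf: str, iupf: str, session_id: str) -> bool:
        """Record the session; True iff it is the first session on this path."""
        path = self._sessions.setdefault((upf, iupf), set())
        first = not path
        path.add(session_id)
        return first

    def remove_session(self, upf: str, iupf: str, session_id: str) -> bool:
        """Forget the session; True iff no session remains on the path, so the tunnel
        configuration and the tunnel may be deleted."""
        path = self._sessions.get((upf, iupf), set())
        path.discard(session_id)
        return not path

    def session_count(self, upf: str, iupf: str) -> int:
        return len(self._sessions.get((upf, iupf), ()))


def smf_decide_ipsec(tracker: N9PathTracker, upf: UpfInfo, iupf: UpfInfo, session_id: str) -> str:
    """S901 to S905 in order. Returns "establish" (S904) or the reason for S905."""
    if not tracker.add_session(upf.name, iupf.name, session_id):
        return "not_first_session"   # S901: the path's tunnel decision was already taken
    if not upf.needs_ipsec:
        return "upf_not_needed"       # S902: UPF is not in an insecure area
    if not iupf.can_ipsec:
        return "iupf_incapable"       # S903: peer cannot generate the configuration
    return "establish"                # S904


def smf_on_session_deleted(tracker: N9PathTracker, upf: UpfInfo, iupf: UpfInfo,
                           session_id: str) -> bool:
    """True iff the SMF should tell both ends to delete the tunnel configuration and the tunnel."""
    return tracker.remove_session(upf.name, iupf.name, session_id)
```

The session is recorded before the location and capability checks, so a later session on the same path is reported as "not_first_session" regardless of the outcome of the first decision; the tracker is what prevents a tunnel from being torn down while a second user session still rides on the same N9 path.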
S805: IPsec tunnel templates are configured on UPF and I-UPF.
Configuration parameters required for establishing the IPsec tunnel may be templated, and then IPsec tunnel templates are configured on the UPF and the I-UPF in advance, for example, as shown in fig. 7.
S806: Configure the N9 interfaces of the UPF and the I-UPF, and bind the IPsec security policies.
It is understood that the order of execution of steps S801 to S806 is not limited.
S807: the SMF indicates that UPF and I-UPF need to generate IPsec tunnel configuration.
In this S807, the SMF may indicate that the UPF and the I-UPF need to generate an IPsec tunnel configuration by indicating that an IPsec tunnel needs to be established between the UPF and the I-UPF.
The SMF may indicate, in a private information element of the session establishment/update message (corresponding to the third message or the seventh message described above), that the UPF and the I-UPF need to generate an IPsec tunnel configuration. For example, the SMF carries the private information element in the forwarding action rule (FAR) information element of the PFCP session establishment request (PFCP Session Establishment Request) or the PFCP session modification request (PFCP Session Modification Request) of the N4 interface.
Correspondingly, the UPF (or a service processing module of the UPF) may receive the session establishment/update message and determine, according to the indication of the private information element in the FAR information element, that an IPsec tunnel configuration with the I-UPF needs to be generated, that is, that an IPsec tunnel with the I-UPF needs to be established.
Optionally, the UPF knows whether or not it needs to secure through the IPsec tunnel. If the SMF does not indicate that the UPF and the I-UPF need to generate an IPsec tunnel configuration, the UPF may determine that the I-UPF does not have the capability to establish an IPsec tunnel, the UPF may report an alarm message based on the N9 path, or return a session establishment failure message.
S808: when the IPsec tunnel is required to be established, the UPF acquires the N9 interface address of the I-UPF, and the I-UPF acquires the N9 interface address of the UPF.
The UPF (e.g., a service processing module) may obtain the N9 interface address of the I-UPF from the session establishment request, and the I-UPF may obtain the N9 interface address of the UPF from the session establishment request.
S809: The UPF and the I-UPF select an IPsec tunnel template according to service requirements and generate the IPsec tunnel configuration.
For example, the IPsec tunnel module of the UPF and the IPsec tunnel module of the I-UPF generate the IPsec tunnel configuration. The IPsec tunnel templates selected by the UPF and the I-UPF are the same.
The IPsec tunnel configuration includes the index of the selected IPsec tunnel template and the N9 interface address of the peer UPF. The IPsec tunnel configuration generated by the UPF includes the N9 interface address of the I-UPF, and the IPsec tunnel configuration generated by the I-UPF includes the N9 interface address of the UPF.
S810: UPF and I-UPF acquire policy identification of IPsec tunnel.
For example, the IPsec tunnel module of the UPF notifies the service processing module of the UPF, carries the policy identifier of the IPsec tunnel, and the IPsec tunnel module of the I-UPF notifies the service processing module of the I-UPF, carries the policy identifier of the IPsec tunnel.
S811: and the I-UPF receives the uplink message of the user and establishes an IPsec tunnel with the UPF according to the configuration of the IPsec tunnel.
The user's uplink message can trigger the I-UPF to initiate the IPsec tunnel establishment flow to the UPF, and because the IPsec tunnel configuration between the I-UPF and the UPF is already generated, the I-UPF and the UPF can successfully establish the IPsec tunnel according to the IPsec tunnel configuration.
Example two: a secure tunnel is established for the N9 interface path during the session establishment procedure, and the communication flow involves an I-SMF. The first network function is the UPF, the second network function is the I-UPF, the first control plane function is the SMF, and the second control plane function is the I-SMF. Referring to FIG. 10, the flow includes the following steps:
S1001: the AMF selects the SMF and the I-SMF according to the service accessed by the user.
For example, the user roams across provinces to access a campus service. During session establishment the AMF selects an anchor SMF (hereinafter referred to as the SMF) according to the service accessed by the user. If the AMF finds that the anchor SMF cannot cover the user's location, the AMF selects an I-SMF according to the user's location.
S1002: the SMF selects an edge UPF as the anchor UPF according to the service accessed by the user, and the I-SMF selects the I-UPF according to the location of the user.
The I-SMF may learn from the information acquired in S901 whether the I-UPF has the capability of establishing an IPsec tunnel. The I-SMF may also tell the SMF whether the I-UPF has this capability, for example through a private extension IE in the PDU session establishment request message (Nsmf_PDUSession_Create Request) sent over the N16a interface on the session establishment request path.
S1003: the SMF acquires information on whether the UPF needs to establish an IPsec tunnel and whether the UPF has the capability of establishing an IPsec tunnel, and the I-SMF acquires information on whether the I-UPF has the capability of establishing an IPsec tunnel.
This step is similar to S801 and is not described again here.
S1004: the SMF determines that the UPF needs to establish an IPsec tunnel.
The SMF may determine, according to the information obtained in S1001 and the information about the I-UPF notified by the I-SMF, whether an IPsec tunnel needs to be established for the N9 interface path to which the session being created belongs; the similarities with S804 above are not repeated.
S1005: the SMF indicates to the UPF that it needs to generate an IPsec tunnel configuration.
For example, when the session is established, the SMF notifies the UPF through a private IE carried in the FAR IE of the PFCP Session Establishment Request (corresponding to the third message described above) sent over the N4 interface.
The SMF may also send, optionally via the I-SMF, an indication to the I-UPF that the I-UPF needs to generate an IPsec tunnel configuration.
Optionally, the UPF knows whether its own traffic must be protected by an IPsec tunnel. If the UPF requires such protection but the SMF does not indicate that the UPF and the I-UPF need to generate an IPsec tunnel configuration, the UPF may conclude that the I-UPF lacks the capability to establish an IPsec tunnel; the UPF may then raise an alarm for the N9 path, or return a session establishment failure message.
S1006: the SMF informs the I-SMF that the UPF needs to establish an IPsec tunnel for security protection.
For example, the SMF may notify the I-SMF through a private IE in the PDU session establishment response message (Nsmf_PDUSession_Create Response, corresponding to the sixth message described above) that the UPF needs to establish an IPsec tunnel for security protection.
S1007: the I-SMF determines that the I-UPF needs to generate an IPsec tunnel configuration.
The I-SMF may decide, according to the information acquired in S1001 and the notification received in S1006, that an IPsec tunnel needs to be established for the N9 interface path to which the session being created belongs.
S1008: the I-SMF informs the I-UPF that an IPsec tunnel needs to be established for security protection.
For example, when the session is established via the I-UPF, the I-SMF carries a private IE in the FAR IE of the PFCP Session Modification Request sent over the N4 interface, indicating that the I-UPF needs to generate an IPsec tunnel configuration with the UPF.
Steps S1009 to S1012 correspond to S808 to S811.
Example three: a secure tunnel is established for the N9 interface path while the user moves, and the communication flow involves no I-SMF. The first network function is the UPF, the second network function is the I-UPF, and the first control plane function is the SMF. Referring to FIG. 11, the flow includes the following steps:
S1101: the SMF reselects the I-UPF based on the user's location after the move.
During the move, the user's location may leave the coverage of the original I-UPF, so the SMF reselects the I-UPF according to the user's new location.
Steps S1102 to S1112 correspond to S801 to S811 above.
Note that the I-UPF in S1102 to S1112 is the I-UPF reselected in S1101. For example, the SMF decides again, according to the capability of the reselected I-UPF, whether the N9 interface path of the current user session needs an IPsec tunnel. For another example, if it determines that an IPsec tunnel needs to be established, the SMF indicates this to the reselected I-UPF when establishing the session on it, and indicates to the UPF that the IPsec tunnel needs to be established when updating the session.
Optionally, if the UPF determines that no other user session remains between the UPF and the I-UPF that served the user before the move, the IPsec tunnel configuration and the IPsec tunnel of the N9 interface path between the UPF and that I-UPF can be deleted.
Example four: a secure tunnel is established for the N9 interface path while the user moves, and the communication flow involves an I-SMF. The first network function is the UPF, the second network function is the I-UPF, the first control plane function is the SMF, and the second control plane function is the I-SMF. Referring to FIG. 12, the flow includes the following steps:
S1201: the AMF reselects the SMF and/or the I-SMF according to the service accessed by the user.
S1201 is an optional step. During the move the user's location may leave the coverage of the original SMF and the original I-SMF, in which case the AMF reselects the SMF and the I-SMF according to the user's new location.
S1202: the I-SMF reselects the I-UPF based on the location of the user.
Whether the I-SMF has been reselected or remains unchanged, the user's move may leave the coverage of the original I-UPF, and the I-SMF may reselect the I-UPF according to the user's new location.
Since the anchor UPF does not change during the user's move, the SMF does not need to reselect the anchor UPF in S1202.
Steps S1203 to S1212 correspond to S1003 to S1012.
Note that if the SMF, the I-SMF or the I-UPF has been reselected, the SMF, I-SMF or I-UPF referred to in S1202 to S1212 is the reselected one.
Optionally, if the UPF determines that no other user session remains between the UPF and the I-UPF that served the user before the move, the IPsec tunnel configuration and the IPsec tunnel of the N9 interface path between the UPF and that I-UPF can be deleted.
Example five: a secure tunnel is established for the S5 interface path while the user moves. The first network function is the SGW-U, the second network function is the PGW-U, the first control plane function is the SGW-C, and the second control plane function is the PGW-C.
When the user accesses from the 4G network, the SGW-C can acquire information on whether the SGW-U needs to establish an IPsec tunnel and whether it has the capability to establish one, and the PGW-C can acquire the same information for the PGW-U. A private IE in the Create Session Request/Create Session Response messages exchanged between the SGW-C and the PGW-C over the S5 interface conveys whether the SGW-U needs to establish an IPsec tunnel and whether it has the capability to establish one.
For example, the user's location changes during the move and leaves the coverage of the original SGW-U, so the SGW-C reselects the SGW-U.
For another example, the user initially accesses from the 5G network, moves into 4G coverage and hands over to 4G access; a private IE in the Create Session Request/Create Session Response messages exchanged between the SGW-C and the PGW-C/SMF over the S5 interface then conveys whether the SGW-U needs to establish an IPsec tunnel and whether it has the capability to establish one.
Optionally, if the PGW-U/UPF determines that no other user session remains between the PGW-U and the SGW-U that served the user before the move, the IPsec tunnel configuration and the IPsec tunnel of the S5 interface path between the PGW-U and that SGW-U can be deleted.
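The deletion rule shared by Examples three, four and five (the tunnel and its configuration for a path are removed only when no other session still uses that path) is easy to get wrong when two users share one N9 or S5 path and only one of them moves. The following is an added example, not code from the patent: a small per-path registry on a user plane function that reference-counts sessions per peer address, brings a tunnel up on the first session and tears it down on the last. The class and method names, the event log, and the path key (interface, local address, peer address) are assumptions made for the example.

```python
"""Per-path IPsec tunnel lifecycle on a user plane function, keyed by (interface, local, peer).

Added example, not code from the patent. It models the rule in Examples three to five: when a
user moves and the peer user plane function is reselected, the old path's tunnel and
configuration are deleted only if no other session still uses that path. Names are assumptions.
"""
from collections import defaultdict


class PathTunnelRegistry:
    def __init__(self, local_addr, interface="N9"):
        self.local = local_addr
        self.interface = interface
        self.session_peer = {}          # session id -> peer address currently serving it
        self.refcount = defaultdict(int)  # peer address -> number of sessions on that path
        self.tunnels = {}               # peer address -> tunnel configuration while the tunnel is up
        self.events = []                # (event, (interface, local, peer)), for inspection

    def _path(self, peer):
        return (self.interface, self.local, peer)

    def _acquire(self, peer, template_index):
        """Bring the path's tunnel up for the first session that needs it; later sessions reuse it."""
        if self.refcount[peer] == 0:
            self.tunnels[peer] = {"template": template_index, "local": self.local, "remote": peer}
            self.events.append(("tunnel_up", self._path(peer)))
        self.refcount[peer] += 1

    def _release(self, peer):
        """Tear the path's tunnel down only when the last session on it is gone."""
        self.refcount[peer] -= 1
        if self.refcount[peer] == 0:
            del self.tunnels[peer]
            del self.refcount[peer]
            self.events.append(("tunnel_down", self._path(peer)))

    def session_established(self, session_id, peer, template_index):
        if session_id in self.session_peer:
            raise ValueError(f"session {session_id} already exists")
        self.session_peer[session_id] = peer
        self._acquire(peer, template_index)

    def session_moved(self, session_id, new_peer, template_index):
        """User moved and the peer was reselected: take the new path before releasing the old one."""
        old_peer = self.session_peer[session_id]
        if old_peer == new_peer:
            return
        self._acquire(new_peer, template_index)
        self._release(old_peer)
        self.session_peer[session_id] = new_peer

    def session_released(self, session_id):
        self._release(self.session_peer.pop(session_id))

    def active_paths(self):
        """Peer addresses that currently have a tunnel up, sorted for stable comparison."""
        return sorted(self.tunnels)

    def sessions_on_path(self, peer):
        return self.refcount.get(peer, 0)
```

Acquiring the new path before releasing the old one matters when a move lands on a path that is already up: the tunnel is reused rather than torn down and rebuilt, and the counter never dips to zero for a path that still carries traffic.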
Example six: a secure tunnel is established for the N4 interface path, where the first network function is the UPF and the second network function is the SMF. Referring to FIG. 13, the flow includes the following steps:
S1301: IPsec tunnel templates are configured on the UPF and the SMF.
S1302: the N4 interfaces of the UPF and the SMF are configured and bound to IPsec security policies.
S1303: the SMF informs the UPF whether the SMF has the capability to establish an IPsec tunnel.
For example, the SMF informs the UPF through a private IE when it sends an association setup message or an association update message. The association setup or update message may be a PFCP Association Setup Request, PFCP Association Update Request, PFCP Association Setup Response or PFCP Association Update Response.
S1304: the UPF informs the SMF whether the UPF needs to establish an IPsec tunnel and whether the UPF has the capability to establish one.
For example, the UPF informs the SMF through a private IE when it sends an association setup message or an association update message.
S1305: the SMF and the UPF each determine that an IPsec tunnel needs to be established.
For example, when the UPF needs to establish an IPsec tunnel and the SMF has the capability to establish one, it is determined that the IPsec tunnel needs to be established.
S1306: the SMF acquires the N4 interface address of the UPF, and the UPF acquires the N4 interface address of the SMF.
For example, the SMF may obtain the N4 interface address of the UPF through local configuration or through the NRF service discovery procedure, and the UPF acquires the N4 interface address of the SMF during the association setup procedure.
The UPF can also learn from the private IE that the SMF has the capability to establish an IPsec tunnel, determine that the IPsec tunnel needs to be established, and carry the information that the UPF needs to establish an IPsec tunnel in a private IE of the association response message.
S1307: the UPF and the SMF select an IPsec tunnel template according to the service requirements and generate the IPsec tunnel configuration.
S1308: the SMF sends a session establishment message, which triggers the SMF to initiate the IPsec tunnel establishment procedure toward the UPF.
Since the IPsec tunnel configuration between the SMF and the UPF has been generated, the SMF and the UPF can successfully establish the IPsec tunnel according to the IPsec tunnel configuration.
The session between the SMF and the UPF is secured through the IPsec tunnel.
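The private IE that Example one (S807 to S809) and Example six (S1303 to S1306) rely on is a vendor-specific PFCP information element: in PFCP, an IE type with bit 15 set is followed by a 16-bit Enterprise ID before its data, which is what lets a control plane function carry "needs a tunnel", "can build a tunnel" and "generate a configuration" without touching the standard IEs. The following is an added example, not code from the patent or from 3GPP, that encodes and parses such an IE, applies the S1305 decision to a peer's association message, and handles a Create FAR on the UPF side, including the failure case in which protection is required but no indication arrives. The IE type 0x8001, the enterprise ID 0xDEAD, the flag bits and the payload layout (flags, template index, peer address) are placeholders chosen for the example; the TLV framing, the IE types Create FAR (3), Apply Action (44) and FAR ID (108), and cause value 64 follow 3GPP TS 29.244.

```python
"""PFCP IEs for the IPsec tunnel negotiation of the examples above (added example, not patent code).

The vendor-specific IE layout (type 0x8001, flags, template index, peer address) and the
enterprise ID 0xDEAD are placeholders. TLV framing, Create FAR (3), Apply Action (44),
FAR ID (108) and cause 64 follow 3GPP TS 29.244.
"""
import ipaddress
import struct

IE_CREATE_FAR, IE_APPLY_ACTION, IE_FAR_ID = 3, 44, 108
CAUSE_REQUEST_REJECTED = 64      # "Request rejected (reason not specified)"
ENTERPRISE_ID = 0xDEAD           # placeholder, not a registered enterprise number
IE_IPSEC_TUNNEL = 0x8001         # placeholder; bit 15 set marks a vendor-specific IE
FLAG_REQUIRES, FLAG_CAPABLE, FLAG_GENERATE = 0x01, 0x02, 0x04   # needs / can build / generate config


def encode_ie(ie_type, data, enterprise_id=None):
    """One PFCP IE: Type(2) Length(2) [Enterprise ID(2)] data; Length counts everything after it."""
    if enterprise_id is not None:
        if not ie_type & 0x8000:
            raise ValueError("vendor-specific IE types must have bit 15 set")
        data = struct.pack("!H", enterprise_id) + data
    elif ie_type & 0x8000:
        raise ValueError("vendor-specific IE needs an Enterprise ID")
    return struct.pack("!HH", ie_type, len(data)) + data

def decode_ies(buf):
    """Parse consecutive IEs into (type, enterprise_id, data), rejecting truncated input."""
    ies, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated IE header")
        ie_type, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if len(buf) - pos < length:
            raise ValueError("IE length exceeds buffer")
        body, pos = buf[pos:pos + length], pos + length
        enterprise_id = None
        if ie_type & 0x8000:
            if length < 2:
                raise ValueError("vendor-specific IE shorter than its Enterprise ID")
            enterprise_id, body = struct.unpack("!H", body[:2])[0], body[2:]
        ies.append((ie_type, enterprise_id, body))
    return ies

def encode_tunnel_ie(flags, template_index=0, peer_addr=None):
    """Vendor IE payload: flags(1) | template index(1) | optional peer address (4 or 16 octets)."""
    data = struct.pack("!BB", flags, template_index)
    if peer_addr is not None:
        data += ipaddress.ip_address(peer_addr).packed
    return encode_ie(IE_IPSEC_TUNNEL, data, ENTERPRISE_ID)

def find_tunnel_ie(ies):
    """Return (flags, template_index, peer) from the first matching vendor IE, or None."""
    for ie_type, enterprise_id, body in ies:
        if ie_type != IE_IPSEC_TUNNEL or enterprise_id != ENTERPRISE_ID:
            continue
        if len(body) < 2 or len(body) - 2 not in (0, 4, 16):
            raise ValueError("malformed IPsec tunnel IE")
        peer = str(ipaddress.ip_address(body[2:])) if len(body) > 2 else None
        return body[0], body[1], peer
    return None

def association_decision(local_requires, peer_ies):
    """S1305 rule applied to the peer's association message: tunnel, plain, or alarm."""
    hint = find_tunnel_ie(peer_ies)
    peer_capable = hint is not None and bool(hint[0] & FLAG_CAPABLE)
    if not local_requires:
        return "plain"
    return "tunnel" if peer_capable else "alarm"   # required but the peer cannot: raise an alarm

def build_create_far(far_id, indication_ie=None):
    """Create FAR grouped IE: FAR ID, Apply Action = FORW, plus the vendor IE when given."""
    body = encode_ie(IE_FAR_ID, struct.pack("!I", far_id))
    body += encode_ie(IE_APPLY_ACTION, b"\x02")
    if indication_ie is not None:
        body += indication_ie
    return encode_ie(IE_CREATE_FAR, body)

def configs_are_mirrored(a, b):
    """S809: both ends pick the same template and each names the other as remote."""
    return a["template"] == b["template"] and a["local"] == b["remote"] and a["remote"] == b["local"]

def upf_handle_create_far(create_far, local_addr, upf_requires):
    """UPF side of S807 to S809: act on the indication (or its absence) inside a Create FAR."""
    ies = decode_ies(create_far)
    if len(ies) != 1 or ies[0][0] != IE_CREATE_FAR:
        raise ValueError("expected exactly one Create FAR IE")
    hint = find_tunnel_ie(decode_ies(ies[0][2]))
    if hint is None or not hint[0] & FLAG_GENERATE:
        if upf_requires:     # protection required but not indicated: the peer cannot do IPsec
            return {"action": "reject", "cause": CAUSE_REQUEST_REJECTED}
        return {"action": "forward_plain"}
    _, template_index, peer = hint
    if peer is None:
        raise ValueError("tunnel indication carries no peer address")
    return {"action": "generate",
            "config": {"template": template_index, "local": local_addr, "remote": peer}}
```

The parser checks every length against the remaining buffer before slicing, so a truncated or oversized IE is rejected rather than read past its end; a UPF that terminates N4 and N9 from peers it does not fully trust should treat the private IE with the same suspicion as any other untrusted TLV.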
Based on the same technical concept as the above-described method for establishing a secure tunnel, an embodiment of the present application also provides a communication system. As shown in FIG. 14, the communication system 1400 includes a first network function 1401 and a second network function 1402, which may implement the methods described in the method embodiments above.
For example, the first network function 1401 may be configured to generate a first configuration of a secure tunnel according to a secure tunnel template and an interface address of the second network function 1402, establish a secure tunnel between the first network function 1401 and the second network function 1402 according to the first configuration of the secure tunnel, and communicate based on the secure tunnel, where the secure tunnel is configured to secure data packets between the first network function 1401 and the second network function 1402.
The second network function 1402 may be configured to generate a second configuration of the secure tunnel according to the secure tunnel template and the interface address of the first network function 1401, establish the secure tunnel between the first network function 1401 and the second network function 1402 according to the second configuration of the secure tunnel, and communicate based on the secure tunnel.
In one implementation, the first network function 1401 and the second network function 1402 are user plane functions.
For example, the interface address is an N9 interface address or an S5 interface address.
In one implementation, the first network function 1401 is a user plane function, the second network function 1402 is a control plane function, or the first network function 1401 is a control plane function, and the second network function 1402 is a user plane function.
For example, the interface address is an N4 interface address or Sxa interface address or Sxb interface address.
In one implementation, the first network function 1401 may be further configured to send a first message to the second network function 1402, where the first message is used to indicate that the first network function 1401 has a capability to establish a secure tunnel and/or needs to establish a secure tunnel; and receiving a second message from the second network function 1402, the second message indicating that the second network function 1402 has the capability to establish a secure tunnel.
The second network function 1402 may also be configured to receive the first message and send the second message to the first network function 1401.
Alternatively, the second network function 1402 may determine to establish a secure tunnel with the first network function 1401 based on the first message, and the first network function 1401 determines to establish a secure tunnel with the second network function 1402 based on the second message.
In one implementation, the communication system may also include a first control plane function 1403;
the first control plane function 1403 may determine that a secure tunnel needs to be established between the first network function 1401 and the second network function 1402, and send a third message to the first network function 1401, where the third message is used to instruct the first network function 1401 to establish the secure tunnel with the second network function 1402.
The first network function 1401 may also be configured to receive the third message.
In one implementation, the first control plane function 1403 may be further configured to send a seventh message to the second network function 1402, where the seventh message is used to indicate that a secure tunnel needs to be established between the first network function 1401 and the second network function 1402;
the second network function 1402 is further configured to receive the seventh message.
In one implementation, the communication system may further include a second control plane function 1404;
the first control plane function 1403 may be further configured to send a sixth message to the second control plane function 1404, where the sixth message is used to indicate that a secure tunnel needs to be established between the first network function 1401 and the second network function 1402;
the second control plane function 1404 is configured to receive the sixth message and indicate to the second network function 1402 that a secure tunnel needs to be established between the first network function 1401 and the second network function 1402.
In one implementation, the first network function 1401 may be further configured to send a fourth message to the first control plane function 1403, where the fourth message is used to indicate that the first network function 1401 has a capability to establish a secure tunnel and/or needs to establish a secure tunnel;
The second network function 1402 may be further configured to send a fifth message to the first control plane function 1403, where the fifth message is used to indicate that the second network function 1402 has the capability to establish a secure tunnel and/or needs to establish a secure tunnel.
The first control plane function 1403 may also be configured to receive the fourth message and the fifth message.
In one implementation, the second network function 1402 may also indicate to the second control plane function 1404 that the second network function 1402 has the capability to establish a secure tunnel and/or that a secure tunnel needs to be established.
The second control plane function 1404 is further configured to send a fifth message to the first control plane function 1403 according to the indication of the second network function.
In one implementation, the first control plane function 1403 may also be configured to send the interface address of the second network function 1402 to the first network function 1401 and send the interface address of the first network function 1401 to the second network function 1402;
the first network function 1401 may be further configured to receive an interface address of the second network function 1402;
the second network function 1402 may also be used to receive an interface address of the first network function 1401.
In one implementation, when no session remains on the path corresponding to the secure tunnel, the first control plane function 1403 is further configured to send to the first network function 1401 indication information instructing it to delete the first configuration of the secure tunnel and/or delete the secure tunnel, and to send to the second network function 1402 indication information instructing it to delete the second configuration of the secure tunnel and/or delete the secure tunnel;
the first network function 1401 may be further configured to delete the first configuration of the secure tunnel and/or delete the secure tunnel according to that indication information;
the second network function 1402 may be further configured to delete the second configuration of the secure tunnel and/or delete the secure tunnel according to that indication information.
Based on the same technical concept as the above-described method for establishing a secure tunnel, the present embodiment also provides a communication apparatus. As shown in FIG. 15, the communication apparatus 1500 includes a processing unit 1501 and a transceiver unit 1502, and may be used to implement the methods described in the method embodiments above. The apparatus 1500 may be applied to or located in a network function or a control plane function. Optionally, the functions of the transceiver unit 1502 may be performed by a communication interface.
In one possible embodiment, the apparatus 1500 is applied to a network function.
For example, the processing unit 1501 is configured to generate a first configuration of the secure tunnel according to the secure tunnel template and the interface address of the second network function; and establishing a secure tunnel with the second network function according to the first configuration of the secure tunnel, wherein the secure tunnel is used for performing security protection on the data message between the device 1500 and the second network function.
The transceiver unit 1502 is configured to perform communication based on a secure tunnel.
In one implementation, the apparatus 1500 and the second network function are both user plane functions; alternatively, the apparatus 1500 is a user plane function and the second network function is a control plane function, or the apparatus 1500 is a control plane function and the second network function is a user plane function.
In one implementation, the transceiver unit 1502 is further configured to send a first message to the second network function, where the first message is used to indicate that the apparatus 1500 has a capability to establish a secure tunnel and/or needs to establish a secure tunnel; and receiving a second message from the second network function, the second message indicating that the second network function has the capability to establish a secure tunnel.
The processing unit 1501 is further configured to determine to establish a secure tunnel with the second network function based on the second message.
In one implementation, the transceiver unit 1502 is further configured to receive a third message from the first control plane function, where the third message is used to instruct the apparatus 1500 to establish a secure tunnel with the second network function.
In one implementation, the transceiver unit 1502 is further configured to send a fourth message to the first control plane function, where the fourth message is used to indicate that the apparatus 1500 has a capability to establish a secure tunnel and/or needs to establish a secure tunnel.
In one implementation, the transceiver unit 1502 is further configured to obtain an interface address of the second network function.
In one implementation, the processing unit 1501 is further configured to delete the first configuration of the secure tunnel and/or delete the secure tunnel when there is no session on the path corresponding to the secure tunnel.
In another possible embodiment, the apparatus 1500 is applied to a control plane function.
For example, the processing unit 1501 is configured to determine that a secure tunnel needs to be established between the first network function and the second network function;
the transceiver unit 1502 is configured to send a third message to the first network function, where the third message is used to instruct the first network function to establish a secure tunnel with the second network function.
In one implementation, the transceiver unit 1502 is further configured to send the interface address of the second network function to the first network function.
In one implementation, the transceiver unit 1502 is further configured to obtain a fourth message, where the fourth message is used to indicate that the first network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel, and obtain a fifth message, where the fifth message is used to indicate that the second network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel.
In one implementation, the communication device 1500 stores information that the first network function has the capability to establish a secure tunnel and/or needs to establish a secure tunnel, and stores information that the second network function has the capability to establish a secure tunnel and/or needs to establish a secure tunnel.
In one implementation, the fifth message is from the second network function, or the fifth message is from the second control plane function.
In one implementation, the transceiver unit 1502 is further configured to provide, to the second network function, indication information for indicating that a secure tunnel is established between the first network function and the second network function.
In one implementation, the transceiver unit 1502 is further configured to indicate to the first network function to delete the first configuration of the secure tunnel and/or delete the secure tunnel when there is no session on the path corresponding to the secure tunnel.
It should be noted that, in the embodiments of the present application, the division of the modules is merely schematic, and there may be another division manner in actual implementation, and in addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units. For example, the transceiver unit may comprise a receiving unit and/or a transmitting unit.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the integrated unit may be stored as a computer software product in a storage medium, comprising instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (processor) to perform all or part of the steps of the methods of the various embodiments of this application.
As shown in fig. 16, the embodiment of the application further provides a schematic structural diagram of the communication device 1600. Apparatus 1600 may be used to implement the methods described in the method embodiments described above, see the description of the method embodiments described above.
The apparatus 1600 includes one or more processors 1601. The processor 1601 may be a general-purpose processor or a special-purpose processor, for example a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data, and the central processing unit may be used to control a communication device (e.g., a base station, a terminal, or a chip), execute a software program, and process the data of the software program. The communication device may include a transceiver unit for the input (reception) and output (transmission) of signals; the transceiver unit may be, for example, a transceiver or a radio frequency chip.
The one or more processors 1601 may implement the methods described in the embodiments above; optionally, the processor 1601 may also implement other functions.
In one design, the processor 1601 may execute instructions to cause the apparatus 1600 to perform the methods described in the method embodiments above. The instructions may be stored in whole or in part within the processor 1601: for example, instructions 1603 may be stored within the processor 1601 and instructions 1604 in a memory 1602 coupled to the processor 1601, and the processor 1601 may execute instructions 1603 and 1604 together to cause the apparatus 1600 to perform those methods. Instructions 1603 and 1604 are also referred to as computer programs.
In yet another possible design, communication device 1600 may further include circuitry that may perform the functions of the previously described method embodiments.
In yet another possible design, the apparatus 1600 may include one or more memories 1602 storing instructions 1604 that are executable on the processor 1601 to cause the apparatus 1600 to perform the methods described in the method embodiments above. Optionally, the memory 1602 may also store data, and the processor 1601 may also store instructions and/or data. For example, the one or more memories 1602 may store the correspondence described in the above embodiments, or the related parameters or tables involved in the above embodiments. The processor and the memory may be provided separately or may be integrated.
In yet another possible design, the apparatus 1600 may further include a transceiver 1605 and an antenna 1606. The processor 1601 may be referred to as a processing unit and controls the apparatus (terminal or base station). The transceiver 1605 may be referred to as a transceiver, a transceiving circuit, a transceiving unit, or the like, and implements the transceiving function of the apparatus through the antenna 1606.
The processor may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), one or more integrated circuits for controlling the execution of programs according to the present application, a general-purpose processor, a digital signal processor (DSP), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in connection with the embodiments of the present application may be embodied directly in hardware, in a decoding processor, or in a combination of hardware and software modules within a decoding processor, with the software modules located in a storage medium in the memory.
The memory may be volatile memory, non-volatile memory, or both. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM). The memory of the systems and methods described herein is intended to include, without being limited to, these and any other suitable types of memory. The memory may be stand-alone and coupled to the processor via a communication line, or may be integrated with the processor.
The present application also provides a computer readable medium having stored thereon a computer program which, when executed by a computer, implements the secure tunnel establishment method of any of the method embodiments described above.
The embodiment of the application also provides a computer program product, which comprises a computer program, and the computer program realizes the method for establishing the secure tunnel according to any one of the method embodiments when being executed by a computer.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions in accordance with embodiments of the present application are produced in whole or in part. The computer may be the communication device described above. Computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. The computer readable storage medium may be the storage medium described above or the memory described above.
In one possible design, when the communication device is a chip, such as a chip in a network device or a chip in a terminal device, the determining unit or processor 1601 may be one or more logic circuits, and the transmitting unit, receiving unit or transceiver 1605 may be an input-output interface, also referred to as a communication interface, an interface circuit, or simply an interface. Alternatively, the transceiver 1605 may comprise a transmitting unit and a receiving unit, where the transmitting unit may be an output interface and the receiving unit may be an input interface, and the two may be integrated into one unit, for example an input/output interface. As shown in fig. 17, the communication apparatus includes a logic circuit 1701 and an interface circuit 1702. That is, the determining unit or processor 1601 described above may be implemented by the logic circuit 1701, and the transmitting unit, receiving unit or transceiver 1605 may be implemented by the interface circuit 1702. The logic circuit 1701 may be a chip, a processing circuit, an integrated circuit, a system on chip (SoC), or the like, and the interface circuit 1702 may be a communication interface, an input-output interface, or the like. In the embodiments of the present application, the logic circuit and the interface circuit may also be coupled to each other; the embodiments are not limited to a specific manner of connecting them.
In some embodiments of the present application, the logic circuit 1701 and the interface circuit 1702 may be used to perform the functions or operations performed by the network functions or control plane functions described above. The interface circuit 1702 may be used to receive signals from communication devices other than the communication device 1700 and pass them to the logic circuit 1701, or to transmit signals from the logic circuit 1701 to communication devices other than the communication device 1700. The logic circuit 1701 may be configured to implement any of the method embodiments described above by executing code instructions.
For example, the interface circuit 1702 is used to communicate over the established secure tunnel. For the functions or operations performed by the communication device, refer to the foregoing method embodiments; they are not repeated here.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division into units is merely a logical functional division, and other divisions are possible in an actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling, or communication connection shown or discussed between components may be an indirect coupling or communication connection via some interfaces, devices, or units, and may be electrical, mechanical, or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purposes of the embodiments of the present application.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented in hardware, software, firmware, or a combination thereof. When implemented in software, the functions described above may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer.
In summary, the foregoing is merely an example of the technical solution of the present application, and is not intended to limit the protection scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the principles of the present application should be included in the protection scope of the present application.

Claims (30)

1. A method for establishing a secure tunnel, comprising:
the first network function generates a first configuration of the secure tunnel according to the secure tunnel template and the interface address of the second network function;
the first network function establishes a secure tunnel with the second network function according to the first configuration of the secure tunnel, and communicates based on the secure tunnel, wherein the secure tunnel is used for carrying out security protection on data messages between the first network function and the second network function.
2. The method of claim 1, wherein the first network function and the second network function are both user plane functions; or
the first network function is a user plane function and the second network function is a control plane function; or the first network function is a control plane function and the second network function is a user plane function.
3. The method of claim 1 or 2, wherein, before the first network function generates the first configuration of the secure tunnel according to the secure tunnel template and the interface address of the second network function, the method further comprises:
the first network function sends a first message to the second network function, where the first message is used to indicate that the first network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel;
the first network function receives a second message from the second network function, where the second message is used to indicate that the second network function has the capability of establishing a secure tunnel.
4. A method according to any of claims 1-3, wherein before the first network function generates the first configuration of the secure tunnel based on the secure tunnel template and the interface address of the second network function, the method further comprises:
the first network function receives a third message from the first control plane function, the third message being used to instruct a secure tunnel to be established between the first network function and the second network function.
5. The method of claim 4, wherein prior to the first network function receiving the third message from the first control plane function, the method further comprises:
the first network function sends a fourth message to the first control plane function, where the fourth message is used to indicate that the first network function has a capability of establishing a secure tunnel and/or needs to establish a secure tunnel.
6. The method of any of claims 1-5, wherein, before the first network function generates the first configuration of the secure tunnel according to the secure tunnel template and the interface address of the second network function, the method further comprises:
the first network function obtains the interface address of the second network function.
7. The method according to any of claims 1-6, wherein after the first network function establishes a secure tunnel with the second network function according to the first configuration of the secure tunnel, the method further comprises:
when the path corresponding to the secure tunnel has no session, the first network function deletes the first configuration of the secure tunnel and/or deletes the secure tunnel.
8. A method for establishing a secure tunnel, comprising:
the first control plane function determines that a secure tunnel needs to be established between the first network function and the second network function;
the first control plane function sends indication information for indicating that a secure tunnel is established between the first network function and the second network function to the first network function.
9. The method of claim 8, wherein the method further comprises:
the first control plane function sends an interface address of the second network function to the first network function.
10. The method of claim 8 or 9, wherein the first control plane function determining that a secure tunnel needs to be established between the first network function and the second network function comprises:
the first control plane function obtains a fourth message, where the fourth message is used to indicate that the first network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel, and the first control plane function obtains a fifth message, where the fifth message is used to indicate that the second network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel; or
the first control plane function stores information indicating that the first network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel, and stores information indicating that the second network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel.
11. The method of claim 10, wherein the fifth message is from the second network function or the fifth message is from a second control plane function.
12. The method of any one of claims 8-11, wherein the method further comprises:
the first control plane function provides the second network function with indication information for indicating that a secure tunnel is established between the first network function and the second network function.
13. The method of any one of claims 8-12, wherein the method further comprises:
when the path corresponding to the secure tunnel has no session, the first control plane function instructs the first network function to delete the first configuration of the secure tunnel and/or delete the secure tunnel.
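Read together, claims 1-13 describe one procedure: the control plane function collects or stores each network function's capability information, decides that a tunnel is needed between two of them, hands each side an establishment indication together with the other side's interface address, each side instantiates the shared secure tunnel template into its own configuration, and the configuration and tunnel are released once the path carries no session. The following Python model walks through that procedure end to end, including the two failure branches a practitioner would check (a peer that lacks the capability, and a path that still has sessions). It is an added example, not code from the patent or from the applicant. The names UPF-1/UPF-2/UPF-3/SMF, the addresses, the template fields (IPsec-style IKE and ESP proposals; the claims say only "secure tunnel"), the two-boolean capability message, and the rule that a tunnel is needed when both peers are capable and at least one requires it are all assumptions made for illustration.

```python
"""Model of template-driven secure tunnel establishment (claims 1-13).
Added example, not the patent's own code. Assumptions: IPsec-style template
fields, a two-boolean capability message, and a tunnel that "comes up" when
both peers hold mirror-image configurations built from the same template."""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class TunnelTemplate:
    # Operator-wide parameters shared by every tunnel (assumed field names);
    # a per-peer configuration adds only the two endpoint addresses.
    ike_proposal: str = "aes256gcm16-prfsha384-ecp384"
    esp_proposal: str = "aes256gcm16"
    auth_method: str = "x509"


@dataclass(frozen=True)
class TunnelConfig:
    local_addr: str
    remote_addr: str
    template: TunnelTemplate


def instantiate(template: TunnelTemplate, local_addr: str, remote_addr: str) -> TunnelConfig:
    """Claim 1: the configuration is the template plus the peer's interface address."""
    return TunnelConfig(local_addr, remote_addr, template)


class NetworkFunction:
    def __init__(self, name: str, iface_addr: str, template: TunnelTemplate,
                 capable: bool = True, required: bool = True) -> None:
        self.name, self.iface_addr, self.template = name, iface_addr, template
        self.capable, self.required = capable, required
        self.configs: Dict[str, TunnelConfig] = {}  # peer -> this side's configuration
        self.tunnels: Set[str] = set()               # peers with an established tunnel
        self.sessions: Dict[str, int] = {}           # active sessions per tunnel path

    def capability_message(self) -> dict:
        # Claims 3, 5 and 10: "has the capability and/or needs to establish" a tunnel.
        return {"nf": self.name, "capable": self.capable, "required": self.required}

    def on_establish_indication(self, peer_name: str, peer_addr: str) -> TunnelConfig:
        # Claims 4, 6 and 9: the indication is accompanied by the peer's address.
        self.configs[peer_name] = instantiate(self.template, self.iface_addr, peer_addr)
        return self.configs[peer_name]

    def establish(self, peer: "NetworkFunction") -> bool:
        # Claim 14: both sides build their own configuration; the tunnel comes up
        # only if the two were derived from the same template and mirror each other.
        mine, theirs = self.configs.get(peer.name), peer.configs.get(self.name)
        if mine is None or theirs is None or mine.template != theirs.template:
            return False
        if (mine.local_addr, mine.remote_addr) != (theirs.remote_addr, theirs.local_addr):
            return False
        self.tunnels.add(peer.name)
        peer.tunnels.add(self.name)
        return True

    def delete_if_idle(self, peer_name: str) -> bool:
        # Claim 7: drop configuration and tunnel once the path carries no session.
        if self.sessions.get(peer_name, 0):
            return False
        self.configs.pop(peer_name, None)
        self.tunnels.discard(peer_name)
        return True


class ControlPlaneFunction:
    def __init__(self) -> None:
        self.capabilities: Dict[str, dict] = {}  # claim 10, stored-information branch

    def register(self, message: dict) -> None:
        self.capabilities[message["nf"]] = message

    def needs_tunnel(self, a: str, b: str) -> bool:
        # Claim 8 (assumed rule): both capable, and at least one requires a tunnel.
        ca, cb = self.capabilities.get(a), self.capabilities.get(b)
        return bool(ca and cb and ca["capable"] and cb["capable"]
                    and (ca["required"] or cb["required"]))

    def orchestrate(self, nf_a: NetworkFunction, nf_b: NetworkFunction) -> bool:
        # Claims 8, 9 and 12: indicate to both sides, each with the other's address.
        if not self.needs_tunnel(nf_a.name, nf_b.name):
            return False
        nf_a.on_establish_indication(nf_b.name, nf_b.iface_addr)
        nf_b.on_establish_indication(nf_a.name, nf_a.iface_addr)
        return nf_a.establish(nf_b)

    def release_if_idle(self, nf_a: NetworkFunction, nf_b: NetworkFunction) -> bool:
        # Claims 13 and 23: tear down both sides only when the path has no session.
        if nf_a.sessions.get(nf_b.name, 0) or nf_b.sessions.get(nf_a.name, 0):
            return False
        return nf_a.delete_if_idle(nf_b.name) and nf_b.delete_if_idle(nf_a.name)


def demo() -> dict:
    # Two capable UPFs, one incapable UPF, one SMF; constructed RFC 5737 addresses.
    tmpl, smf = TunnelTemplate(), ControlPlaneFunction()
    upf1 = NetworkFunction("UPF-1", "192.0.2.10", tmpl)
    upf2 = NetworkFunction("UPF-2", "198.51.100.20", tmpl)
    upf3 = NetworkFunction("UPF-3", "203.0.113.30", tmpl, capable=False)
    for nf in (upf1, upf2, upf3):
        smf.register(nf.capability_message())
    out = {"up_1_2": smf.orchestrate(upf1, upf2), "up_1_3": smf.orchestrate(upf1, upf3)}
    out["mirrored"] = upf1.configs["UPF-2"].remote_addr == upf2.iface_addr
    upf1.sessions["UPF-2"] = upf2.sessions["UPF-1"] = 1
    out["released_busy"] = smf.release_if_idle(upf1, upf2)
    upf1.sessions["UPF-2"] = upf2.sessions["UPF-1"] = 0
    out["released_idle"] = smf.release_if_idle(upf1, upf2)
    out["tunnels_left"] = len(upf1.tunnels | upf2.tunnels)
    return out
```

Two points of the design stand out when it is written down this way. First, the template is what keeps the per-peer configuration from weakening the protection: only the two addresses vary, and the comparison of `mine.template` against `theirs.template` models the requirement that both ends were instantiated from the same template. Second, the capability messages of claims 3, 5 and 10 necessarily travel before any tunnel exists, so the model treats the control plane's stored capability information as authoritative; in a deployment, the path that carries those messages needs its own integrity protection, otherwise a peer reporting itself as not capable would simply keep the data path unprotected.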
14. A communication system, the communication system comprising a first network function and a second network function;
the first network function is configured to generate a first configuration of a secure tunnel according to a secure tunnel template and an interface address of a second network function, establish the secure tunnel between the first network function and the second network function according to the first configuration of the secure tunnel, and communicate based on the secure tunnel, where the secure tunnel is configured to secure a data packet between the first network function and the second network function;
the second network function is configured to generate a second configuration of the secure tunnel according to the secure tunnel template and an interface address of the first network function, establish the secure tunnel between the first network function and the second network function according to the second configuration of the secure tunnel, and perform communication based on the secure tunnel.
15. The communication system of claim 14, wherein the first network function and the second network function are both user plane functions; or
the first network function is a user plane function and the second network function is a control plane function; or the first network function is a control plane function and the second network function is a user plane function.
16. The communication system according to claim 14 or 15, wherein the first network function is further configured to send a first message to the second network function, the first message being configured to indicate that the first network function has a capability to establish a secure tunnel and/or that a secure tunnel needs to be established; receiving a second message from the second network function, wherein the second message is used for indicating that the second network function has the capability of establishing a secure tunnel;
the second network function is further configured to receive the first message and send a second message.
17. The communication system according to any of claims 14-16, wherein the communication system further comprises a first control plane function;
the first control plane function is configured to determine that a secure tunnel needs to be established between the first network function and the second network function, and send, to the first network function, indication information for indicating that the secure tunnel is established between the first network function and the second network function;
the first network function is further configured to receive the indication information for indicating that a secure tunnel is established between the first network function and the second network function.
18. The communication system of claim 17, wherein the communication system further comprises a second control plane function;
the first control plane function is further configured to send a sixth message to the second control plane function, where the sixth message is used to instruct the first network function to establish a secure tunnel with the second network function;
the second control plane function is configured to receive the sixth message, and instruct the second network function to establish a secure tunnel between the first network function and the second network function.
19. The communication system of claim 17, wherein the first control plane function is further configured to send a seventh message to the second network function, the seventh message being configured to instruct establishment of a secure tunnel between the first network function and the second network function;
the second network function is further configured to receive the seventh message.
20. The communication system according to claim 18, wherein the first network function is further configured to send a fourth message to the first control plane function, where the fourth message is used to indicate that the first network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel;
the second network function is further configured to send a fifth message to the first control plane function, where the fifth message is used to indicate that the second network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel;
the first control plane function is configured to receive the fourth message and the fifth message.
21. The communication system according to claim 20, wherein the second network function is configured to indicate to the second control plane function that the second network function has the capability of establishing a secure tunnel and/or needs to establish a secure tunnel;
the second control plane function is configured to send the fifth message to the first control plane function according to the indication of the second network function.
22. The communication system according to any of claims 17-21, wherein the first control plane function is further configured to send the interface address of the second network function to the first network function, and to send the interface address of the first network function to the second network function;
the first network function is further configured to receive an interface address of the second network function;
the second network function is further configured to receive an interface address of the first network function.
23. The communication system according to any of claims 17-22, wherein the first control plane function is further configured to send, to the first network function, indication information for indicating to delete a first configuration of the secure tunnel and/or to delete the secure tunnel, and send, to the second network function, indication information for indicating to delete a second configuration of the secure tunnel and/or to delete the secure tunnel, when there is no session on a path corresponding to the secure tunnel;
the first network function is further configured to delete the first configuration of the secure tunnel and/or delete the secure tunnel according to the indication information for indicating to delete the first configuration of the secure tunnel and/or delete the secure tunnel;
the second network function is further configured to delete the second configuration of the secure tunnel and/or delete the secure tunnel according to the indication information for indicating to delete the second configuration of the secure tunnel and/or delete the secure tunnel.
24. A communication device, comprising:
a processing unit, configured to generate a first configuration of a secure tunnel according to a secure tunnel template and an interface address of a second network function, and to establish the secure tunnel with the second network function according to the first configuration of the secure tunnel, where the secure tunnel is used to secure data packets between the first network function and the second network function; and
a transceiver unit, configured to communicate based on the secure tunnel.
25. A communication device, comprising:
a processing unit, configured to determine that a secure tunnel needs to be established between a first network function and a second network function; and
a transceiver unit, configured to send, to the first network function, indication information for indicating that a secure tunnel is to be established between the first network function and the second network function.
26. A communication device comprising functionality and/or means for performing the method according to any of claims 1-13.
27. A communications apparatus comprising a processor and a memory, the processor coupled to the memory;
the memory stores a computer program or instructions;
the processor for executing a computer program or instructions in the memory to cause the apparatus to perform the method of any of claims 1-13.
28. A communication device comprising logic circuitry and interface circuitry, the interface circuitry to receive signals from or transmit signals to other communication devices than the communication device, the logic circuitry to implement the method of any of claims 1-13 by executing code instructions.
29. A computer-readable storage medium comprising a computer program or instructions which, when run on a computer, cause the method of any one of claims 1-13 to be performed.
30. A computer program product comprising a computer program or instructions which, when run on a computer, cause the method of any of claims 1-13 to be performed.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111383244.9A CN116156492A (en) 2021-11-22 2021-11-22 Method, device and communication system for establishing secure tunnel
PCT/CN2022/132764 WO2023088404A1 (en) 2021-11-22 2022-11-18 Secure tunnel establishment method and device and communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111383244.9A CN116156492A (en) 2021-11-22 2021-11-22 Method, device and communication system for establishing secure tunnel

Publications (1)

Publication Number Publication Date
CN116156492A (en) 2023-05-23

Family

ID=86337628

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111383244.9A Pending CN116156492A (en) 2021-11-22 2021-11-22 Method, device and communication system for establishing secure tunnel

Country Status (2)

Country Link
CN (1) CN116156492A (en)
WO (1) WO2023088404A1 (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019027742A1 (en) * 2017-08-04 2019-02-07 Intel IP Corporation Data forwarding tunnel establishment between two user plane functions in fifth generation
CN110798437B (en) * 2018-08-03 2023-02-21 中兴通讯股份有限公司 Data protection method and device and computer storage medium
US20210219137A1 (en) * 2018-09-24 2021-07-15 Nokia Technologies Oy Security management between edge proxy and internetwork exchange node in a communication system
CN112019578B (en) * 2019-05-29 2021-10-15 华为技术有限公司 Method, device and system for establishing user plane connection
CN111988323B (en) * 2020-08-24 2022-09-23 北京天融信网络安全技术有限公司 IPSec tunnel establishment method, IPSec tunnel establishment device, network system and electronic equipment

Also Published As

Publication number Publication date
WO2023088404A1 (en) 2023-05-25

Legal Events

Date Code Title Description
PB01 Publication