WO2012130068A1

WO2012130068A1 - Data packet transmission method and related apparatus

Info

Publication number: WO2012130068A1
Application number: PCT/CN2012/072705
Authority: WO
Inventors: 张爱琴; 朱文若; 刘海; 靳维生
Original assignee: 华为技术有限公司
Priority date: 2011-03-30
Filing date: 2012-03-21
Publication date: 2012-10-04
Also published as: CN102724713B; CN102724713A

Abstract

Disclosed are a data packet transmission method and a related apparatus; the method comprises: obtaining the priority level value of an uplink data packet that needs to be transmitted; searching for a corresponding relationship between the set priority level value and a tunnel identifier according to the priority level value, each priority level value corresponding to at least one tunnel identifier; if a corresponding tunnel identifier is found, then transmitting the uplink data packet to a security gateway via a secure tunnel corresponding to the found tunnel identifier. The present invention can reduce the number of data packets determined by the security gateway to be re-transmitted data packets, thereby reducing the probability of packet loss.

Description

The present invention claims the priority of the Chinese application filed on March 30, 2011, the application number is 201110078843.X, and the invention name is "data packet transmission method and related device", the entire contents of which are The citations are incorporated herein by reference. Technical field

The present invention relates to the field of wireless communication technologies, and in particular, to a data packet transmission method and related devices.

Background technique

The Home NodeB (H(e)NB) is a type of base station that is deployed as a dedicated resource in a home, group, company, or school. The home base station is connected through an Internet Protocol (IP) broadband network communication network.

In the prior art, when the base station is powered on, an Internet Protocol Security (IPsec) tunnel (referred to as a secure tunnel) is established between the security gateway and the security gateway (SeGW). Traffic under the home base station is transmitted through the secure tunnel. The transmitting end, for example, the home base station, after receiving the data packet to be transmitted, assigns the serial number to the data packet in order, and then transmits it to the receiving end (for example, the security gateway) through the established IPsec tunnel. The data packet sent by the sender is forwarded through a Broadband Remote Access Server (BRAS) or a Broadband Network Gateway (BNG) in the broadband network. The broadband network gateway or the broadband access server performs different priority processing according to the Differentiated Services Code Point (DSCP) of the outer IP packet in the data packet, and the differentiated service point code indicates the priority value.

In the prior art, when the data packet is transmitted, the transmitting end transmits the data packet through at least one secure tunnel, and the DSCP has a higher priority and the data packet with a larger sequence number is preferentially processed, and the DSCP has a lower priority and a smaller serial number. The data packets are delayed by BRAS or BNG. When these data packets arrive at the receiving end, the receiving end needs to perform anti-replay processing. The receiving end determines whether the sequence number of the received data packet is smaller than the maximum sequence number of the previously received data packet, and if so, treats the data packet with the smaller sequence number as the replayed data packet, and directly discards the data. Packet, which causes packet loss with a packet with a smaller sequence number. Summary of the invention

The present invention provides a data packet transmission method and related equipment, which can transmit data packets of different DSCP priorities through multiple secure tunnels.

To solve the above technical problem, the embodiment of the present invention is implemented by the following technical solutions: According to an aspect of the present invention, a data packet transmission method is provided, including:

Obtain a priority value of an upstream packet that needs to be transmitted;

And determining, according to the priority value, a correspondence between the set priority value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

If the corresponding tunnel identifier is found, the uplink data packet is transmitted to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

According to an aspect of the present invention, a data packet transmission method is provided, including:

Obtain a priority value of a downlink packet that needs to be transmitted;

If the corresponding tunnel identifier is found, the downlink data packet is transmitted to the base station by using the secure tunnel corresponding to the found tunnel identifier.

According to an aspect of the present invention, a base station is provided, including:

a first priority acquiring unit, configured to obtain a priority value of an uplink data packet to be transmitted; a first correspondence relationship searching unit, configured to search for a priority value set according to a priority value obtained by the first priority acquiring unit Corresponding relationship between the tunnel identifier and each of the tunnel identifiers, each priority value corresponding to at least one tunnel identifier;

The uplink data sending unit is configured to: when the first correspondence search unit finds the corresponding tunnel identifier, transmit the uplink data packet to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

According to an aspect of the present invention, a security gateway is provided, including:

a second priority acquiring unit, configured to obtain a priority value of the downlink data packet to be transmitted; a second correspondence relationship searching unit, configured to search for the priority value set according to the priority value obtained by the second priority acquiring unit Corresponding relationship between the tunnel identifier and each of the tunnel identifiers, each priority value corresponding to at least one tunnel identifier;

a downlink data sending unit, configured to search for a corresponding tunnel in the second correspondence search unit When the track is identified, the downlink data packet is transmitted to the base station by using the secure tunnel corresponding to the found tunnel identifier.

In the data packet transmission method provided by the embodiment of the present invention, the base station acquires the tunnel identifier of the corresponding security tunnel according to the priority value of the uplink data packet, and the base station may use the uplink data packet because each priority value corresponds to at least one tunnel identifier. Transmission through multiple secure tunnels, so that after receiving the data packet, the security gateway separately performs anti-replay processing on the data packets received by each secure tunnel, thereby reducing the number of packets that are determined by the security gateway to be played back. , in turn, can reduce the probability of packet loss.

DRAWINGS

In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the prior art and the embodiments will be briefly described below. Obviously, the drawings in the following description are only some of the present invention. For the embodiments, those skilled in the art can obtain other drawings according to the drawings without any creative work.

1 is a flowchart of a data packet transmission method according to Embodiment 1 of the present invention;

2 is a flowchart of a data packet transmission method according to Embodiment 2 of the present invention;

3 is a flowchart of a data packet transmission method according to Embodiment 3 of the present invention;

4 is a flowchart of a data packet transmission method according to Embodiment 4 of the present invention;

5 is a flowchart of a method for establishing a correspondence between a base station establishing a priority value and a tunnel identifier of at least one security tunnel in a data packet transmission method according to an embodiment of the present disclosure;

6 is a flowchart of a data packet transmission method according to Embodiment 5 of the present invention;

7 is a flowchart of a data packet transmission method according to Embodiment 6 of the present invention;

8 is a flowchart of a data packet transmission method according to Embodiment 7 of the present invention;

9 is a flowchart of a data packet transmission method according to Embodiment 8 of the present invention;

10 is a flowchart of a data packet transmission method according to Embodiment 9 of the present invention;

11 is a flowchart of a data packet transmission method according to Embodiment 10 of the present invention;

12 is a flowchart of a data packet transmission method according to Embodiment 11 of the present invention;

13 is an application scenario diagram of a data packet transmission method according to an embodiment of the present invention;

14 is a schematic structural diagram of a base station according to Embodiment 12 of the present invention;

15 is a schematic structural diagram of a base station according to Embodiment 13 of the present invention;

16 is a schematic structural diagram of a base station according to Embodiment 14 of the present invention; 17 is a schematic structural diagram of a base station according to Embodiment 15 of the present invention;

18 is a schematic structural diagram of a base station according to Embodiment 16 of the present invention;

19 is a schematic structural diagram of a security gateway according to Embodiment 17 of the present invention;

20 is a schematic structural diagram of a security gateway according to Embodiment 18 of the present invention;

21 is a schematic structural diagram of a security gateway according to Embodiment 19 of the present invention;

22 is a schematic structural diagram of a security gateway according to Embodiment 20 of the present invention;

FIG. 23 is a schematic structural diagram of a security gateway according to Embodiment 21 of the present invention.

detailed description

The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.

The invention provides a data packet transmission method, a base station and a security gateway. In order to better understand the technical solutions of the present invention, the embodiments provided by the present invention will be described in detail below with reference to the accompanying drawings.

Referring to FIG. 1, FIG. 1 is a flowchart of a data packet transmission method according to Embodiment 1 of the present invention.

The data packet transmission method provided in Embodiment 1 of the present invention includes.

101. Obtain a priority value of an uplink data packet that needs to be transmitted.

In the embodiment of the present invention, the base station may receive an uplink data packet sent by the user equipment. The priority value can be carried in the upstream packet.

In the embodiment of the present invention, the priority value may be a differentiated service point code (DSCP) of the data packet, or may be a QoS Class Identifier (QCI) of the radio bearer. After receiving the data packet, the base station can use the DSCP value of the inner IP packet of the data packet as the priority value of the data packet.

102. Search for a correspondence between the set priority value and the tunnel identifier according to the priority value, where each priority value corresponds to at least one tunnel identifier.

Specifically, the base station searches for the correspondence between the set priority value and the tunnel identifier according to the obtained priority value. The different tunnel identifiers in the corresponding relationship respectively correspond to different priority values, and each priority value corresponds to at least one tunnel identifier, and the corresponding relationship may be established in advance when establishing a secure tunnel, or may receive a bearer setup request at the base station. When the message or bearer setup complete message or the initial context setup request message or the initial context setup complete message or the base station receives the uplink data packet Standing. In all embodiments of the present invention, the secure tunnel may also be referred to as a Child Security Association (Child SA).

103. If the corresponding tunnel identifier is found, the uplink data packet is transmitted to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

Specifically, the base station transmits the uplink data packet by using a secure tunnel corresponding to the found tunnel identifier. When the base station transmits the uplink data packet through the secure tunnel, the tunnel identifier is marked in the encapsulation process of the uplink data packet header.

Further, in the embodiment of the present invention, the base station can obtain the priority value of the inner layer IP packet in the uplink data packet to be transmitted, and use the priority value as the priority value of the uplink data packet. The priority value of the inner IP packet is in the original IP Header field of the packet. Referring to FIG. 2, FIG. 2 is a flowchart of a data packet transmission method according to Embodiment 2 of the present invention.

The data packet transmission method provided by the second embodiment of the present invention includes:

201. Send a key exchange request message carrying a priority value to the security gateway when the base station is powered on, and receive the returned key exchange response message to establish at least one secure tunnel with the security gateway.

The established secure tunnel includes an uplink secure tunnel and a downlink secure tunnel, and each uplink or downlink secure tunnel has a tunnel identifier. The key exchange request message may carry one or more priority values to mark the priority value attribute of the secure tunnel. Through the interaction of multiple key exchange requests and key exchange response messages, multiple two-way secure tunnels are established between the base station and the security gateway.

202. Establish a correspondence between a priority value and a tunnel identifier of at least one security tunnel. Specifically, the base station establishes a correspondence between the priority value and the tunnel identifier of the at least one security tunnel. The tunnel identifier includes an uplink tunnel identifier and a downlink tunnel identifier.

Referring to Table 1, Table 1 is the correspondence between the tunnel identifier and the priority value of the security tunnel established in the embodiment of the present invention. This correspondence is synchronized between the base station and the security gateway, or The uplink security tunnel and the downlink security tunnel of a security tunnel have the same priority value (including a combination of multiple priority values).

Table 1

The priority value of the uplink data packet or the downlink data packet includes 9 levels, which are 1 to 9 levels respectively. In the embodiment of the present invention, multiple security tunnels are respectively established for different priority values. The correspondence between the priority value and the tunnel identifier is as shown above. For example, 1A indicates the uplink tunnel identifier of the first security tunnel, and 1B indicates the downlink tunnel identifier of the first security tunnel.

Further, as another implementation method of the foregoing steps 201 and 202,

201. Send a key exchange request message to the security gateway when the base station is powered on, receive the returned key exchange response message, and establish at least one secure tunnel with the security gateway.

Specifically, the base station and the security gateway establish multiple security tunnels by using multiple key exchange requests and key exchange response messages.

202. The base station establishes a correspondence between a priority value and a tunnel identifier of at least one secure tunnel.

Specifically, the corresponding relationship between the tunnel identifier and the priority value of the secure tunnel established by the local base station and the security gateway respectively is maintained on both sides of the base station and the security gateway, and synchronization is not required. That is to say, in the same security tunnel (including the uplink security tunnel and the downlink security, the two correspondences are independently set and maintained on both sides of the base station and the security gateway, as shown in Table 2 and Table 3, for example: 1A indicates the first security tunnel. The uplink tunnel identifier, 1B represents the downlink tunnel identifier of the first security tunnel.

2A 2

3A 3

4A 4, 5, 6

5A 7, 8, 9

Table 2

The correspondence between the uplink tunnel identifier and the priority value established on the station side of Table 2.

table 3

Table 3 is the correspondence between the downlink tunnel identifier and the priority value established by the security gateway. The data packet transmission method provided by the second embodiment of the present invention may further include:

203. Obtain a priority value of an uplink data packet that needs to be transmitted.

204. Search for a correspondence between the priority value and the tunnel identifier according to the priority value, where each priority value corresponds to at least one tunnel identifier.

205. If the corresponding tunnel identifier is found, the uplink data packet is transmitted to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

The execution process of the steps 203-205 in the embodiment of the present invention is the same as the execution process of the steps 101-103 in the foregoing embodiment, and the description is not repeated here.

Further, the data transmission method provided in the second embodiment of the present invention may further include:

206. If the corresponding tunnel identifier is not found, send a key exchange request message to the security gateway. Specifically, the base station sends a key exchange request message to the security gateway to establish a new secure tunnel if the corresponding tunnel identifier is not found.

207. Receive a key exchange response message returned by the security gateway to establish a new security tunnel with the security gateway, and establish a correspondence between the tunnel identifier and the priority value of the new security tunnel. Correspondence between the tunnel ID and the priority value of the new security tunnel. Among them, the established correspondence The relationship includes the correspondence between the uplink tunnel identifier of the security tunnel and the priority value and/or the correspondence between the downlink tunnel identifier and the priority value.

208. Transmit uplink data packets to the security gateway by using a new secure tunnel.

Specifically, the base station transmits the uplink data packet to the security gateway by using the newly established security tunnel.

In the data packet transmission method provided by the second embodiment of the present invention, the secure tunnel corresponding to the priority value of the data packet is established or independently established between the base station and the security gateway. The base station acquires the tunnel identifier of the corresponding security tunnel according to the priority value of the uplink data packet, and each priority value corresponds to the tunnel for transmission, and then the security gateway receives the data packet for each security tunnel after receiving the data packet. The packet is separately subjected to anti-replay processing, thereby reducing the number of packets that are considered to be playback packets by the security gateway, thereby reducing the probability of packet loss.

If the base station does not find the corresponding tunnel identifier, the base station establishes a new security tunnel and establishes a correspondence between the tunnel identifier and the priority value of the new security tunnel, so that the uplink data packet with the same priority value can be subsequently received. The tunnel identifier is obtained according to the corresponding relationship, and the uplink data packet is transmitted through the corresponding secure tunnel of the tunnel identifier.

In addition, the embodiment of the present invention transmits multiple security tunnels with different priority value data packets, and different priority values may correspond to different services. Therefore, the embodiments of the present invention may transmit different services through multiple tunnels. . Referring to FIG. 3, FIG. 3 is a flowchart of an improved data packet transmission method according to Embodiment 3 of the present invention. The data packet transmission method provided in Embodiment 3 of the present invention includes:

301: Send at least two key exchange request messages to the security gateway when the base station is powered on, and receive the returned key exchange response message to establish at least two security tunnels with the security gateway.

In the embodiment of the present invention, the base station may send at least two key exchange request messages to the security gateway when the power is turned on. The sending at least two key agreement exchange requests may be used to establish at least two secure tunnels. Each of the newly established security tunnels includes an uplink security tunnel and a downlink security tunnel. The uplink tunnel identifier and the downlink tunnel identifier of the security tunnel correspond to each other.

In addition, the base station may also establish a secure tunnel between the base station and the security gateway when the bearer of the user equipment is established. For example, the base station receives the radio bearer setup request or the base station receives the radio bearer. A key exchange request message is sent to the security gateway when the establishment or initial context establishment request or the initial context establishment is completed, the returned key exchange response message is received, and the security gateway establishes a secure tunnel.

302. Obtain a priority value of an uplink data packet that needs to be transmitted.

303. Search, according to the priority value, a correspondence between the set priority value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier.

304. If the corresponding tunnel identifier is found, the uplink data packet is transmitted to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

The execution process of the steps 302-304 in the embodiment of the present invention is the same as the execution process of the steps 101-103 in the foregoing embodiment, and the description is not repeated here.

Further, the data transmission method provided in Embodiment 3 of the present invention may further include:

305. If the corresponding tunnel identifier is not found, determine that there is a secure tunnel that is not used. The base station determines the currently existing unused security tunnel if the corresponding tunnel identifier is not found according to the set correspondence. In the present invention, the so-called unused secure tunnel is a secure tunnel for transmitting data packets, i.e., the uplink or downlink secure tunnel is not assigned a packet priority attribute.

306. The uplink data packet is transmitted to the security gateway by using the unused security tunnel, and the correspondence between the tunnel identifier and the priority value of the unused security tunnel is established.

In the embodiment of the present invention, step 301 establishes a security tunnel that is not used. In the embodiment of the present invention, when the step 305 is performed, the unused security tunnel may be determined. In addition, the base station also establishes a correspondence between the tunnel identifier of the determined unused security tunnel and the priority value, so as to subsequently search for the corresponding tunnel identifier according to the correspondence.

Further, the data packet transmission method provided by the embodiment of the present invention further includes:

307. If the corresponding tunnel identifier is not found, and it is determined that there is no unused security tunnel, send a key exchange request message to the security gateway, and receive a key exchange response message returned by the security gateway to establish a new with the security gateway. The secure tunnel transmits the uplink data packet to the security gateway through the new secure tunnel, and establishes a correspondence between the tunnel identifier and the priority value of the new secure tunnel.

Wherein, when the base station does not find the corresponding tunnel identifier and determines that there is no unused security tunnel, for example, the initially established unused security tunnel is used to transmit data of other priority values, the base station The security gateway sends a key exchange request message, receives a key exchange response message returned by the security gateway, and establishes a new secure tunnel with the security gateway. Established in a new secure tunnel After the completion, the uplink packet is transmitted to the security gateway through the new secure tunnel, and the correspondence between the tunnel identifier and the priority value of the new secure tunnel is established.

After receiving the uplink data packet transmitted by the base station through the secure tunnel, the security gateway may obtain the priority value of the uplink data packet, and establish a correspondence between the priority value and the tunnel identifier of the security tunnel that receives the data packet. And then forward the upstream packet.

In the embodiment of the present invention, the step of establishing a correspondence between the tunnel identifier and the priority value of the new security tunnel, or establishing the correspondence between the tunnel identifier and the priority value of the unused security tunnel may be adopted. The key exchange message carries the packet priority to implement. For example, the steps 201 and 202 in the foregoing Embodiment 2 are shown; or the method in which the base station and the security gateway are independently set locally, as shown in steps 201 and 202 in Embodiment 2, of course, the two methods are The priority value of the uplink packet is obtained.

In the embodiment of the present invention, by not finding the corresponding tunnel identifier, it is determined that there is an unused security tunnel, the data packet is transmitted through the unused secure tunnel, and the priority value and the unused security tunnel are established. Correspondence between the tunnel identifiers, so that the base station and the security gateway do not need to establish a correspondence between the priority value and the tunnel identifier of the newly established security tunnel after establishing the security tunnel, but wait until the data packet is transmitted. And determining the correspondence between the priority value and the tunnel identifier of the unused security tunnel when there is an unused security tunnel. At the same time, after receiving the uplink data packet through the secure tunnel, the security gateway obtains the priority value of the uplink data packet, and establishes a correspondence between the tunnel identifier of the security tunnel that receives the data packet and the priority value. Referring to FIG. 4, FIG. 4 is a flowchart of a data packet transmission method according to Embodiment 4 of the present invention.

The data packet transmission method provided in Embodiment 4 of the present invention includes:

401. Receive a radio bearer setup request or an initial context setup request that carries a priority value. Specifically, in the process of establishing a user equipment bearer, the base station may receive a radio bearer setup request or an initial context setup request sent by the mobility management entity, where the user priority, the service priority, and the service quality level identifier are carried (Quantity of Service Class) Identifier, QCI).

402. Send a notification message carrying a priority value to the security gateway.

Specifically, the base station sends a notification (Notify) message to the security gateway, where the priority is carried. 403. Receive a key exchange request message that carries a priority value sent by the security gateway, and return a key exchange response message to the security gateway to establish at least one secure tunnel with the security gateway.

Specifically, after receiving the notification message, the security gateway sends a key exchange request message carrying a priority value to the base station, and the base station returns a key exchange response message to the security gateway, and the security gateway establishes at least one security tunnel, including the uplink. Secure tunnel and downlink security tunnel.

In the embodiment of the present invention, the base station triggers the security gateway to establish a secure tunnel. The embodiment of the present invention may also directly start the process of establishing a secure tunnel by the base station. For example, after the base station obtains the priority value corresponding to the QoS level identifier, the base station sends a key exchange request message to the security gateway. Optionally, the key exchange request message may carry a priority value, as shown in step 201 above. Or the key exchange request message does not carry a priority value, as shown in step 201 above. The base station receives the returned key exchange response message and establishes at least one secure tunnel with the security gateway.

404. Establish a correspondence between a priority value and a tunnel identifier of at least one security tunnel. The corresponding relationship may be implemented by, for example, step 202 as shown in Table 1, or the corresponding relationship is as shown in Table 2 or 3, and is implemented by step 202.

405. Obtain a priority value of an uplink data packet that needs to be transmitted.

406. Search for a correspondence between the set priority value and the tunnel identifier according to the priority value, where each priority value corresponds to at least one tunnel identifier.

407. If the corresponding tunnel identifier is found, the uplink data packet is transmitted to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

The execution process of the steps 405-407 is similar to the execution process of the steps 101-103 in the foregoing embodiment. For details, refer to the description of the foregoing embodiment, which is not repeated here.

Further, in the embodiment of the present invention, after receiving the radio bearer setup request or the initial context setup request carrying the priority value, the tunnel identifier corresponding to the priority value may be searched, and if the corresponding tunnel identifier is not found, the security gateway is sent to the security gateway. The key exchange request message receives the returned key exchange response message to establish at least one secure tunnel with the security gateway. After the base station establishes at least one security tunnel with the security gateway, the base station establishes a correspondence between the priority value and the tunnel identifier of the at least one security tunnel. If the corresponding tunnel identifier is found, the uplink data packet is transmitted through the secure tunnel corresponding to the found tunnel identifier.

Further, the embodiment of the present invention receives the radio bearer setup request or the initial context setup request that carries the priority value, and searches for the tunnel identifier corresponding to the priority value, if no corresponding The tunnel identifier determines that there is an unused secure tunnel, and transmits an uplink packet to the security gateway through the unused secure tunnel. After the base station determines that there is an unused security tunnel, it establishes

Referring to FIG. 5, FIG. 5 is a flowchart of a method for establishing a correspondence between a base station establishing a priority value and a tunnel identifier of at least one security tunnel in a data packet transmission method according to an embodiment of the present invention.

Further, in the data packet transmission method provided by the fourth embodiment of the present invention, the radio bearer setup request or the initial context setup request carries information such as user priority or service priority or whether the core network has the capability of interworking with the fixed network, and the priority is The value may specifically be a differentiated service point code, and the process of the base station performing the correspondence between the establishment of the priority value and the tunnel identifier of the at least one security tunnel may include:

501. Fill the user priority or service priority or the core network with the information of the fixed network interworking capability into the field of the differentiated service point code, and use the padded differentiated service point code as the priority value.

In the embodiment of the present invention, the priority value is a differentiated service point code, and the differentiated service point code includes a differentiated service point code value and other idle fields, and the differentiated service point code value may occupy 4 bits. The base station may fill the user priority or the service priority or the core network with the information of the fixed network interworking capability into the field of the differentiated service point code, and use the padded differentiated service point code as the priority value. The user priority may be, for example, a level of gold, silver, or copper. The service priority may be, for example, a voice service or a non-voice service.

502. Establish a correspondence between the padded differentiated service point code and the tunnel identifier.

Specifically, the base station establishes a correspondence between the padded differentiated service point code and the tunnel identifier. Further, after the data packet transmission method provided in the fourth embodiment of the present invention establishes the correspondence between the priority value and the tunnel identifier, the correspondence between the tunnel identifier and the priority value of the uplink data packet is established through S1. Sending to the mobility management entity, so that the mobility management entity sends the correspondence to the packet data network gateway, and the packet data network gateway sends the correspondence to the Policy and Charging Rule Function (PCRF) device. The PCRF device sends the corresponding relationship and the aggregated Quality of Service (QoS) requirements to the Broadband Policy Control Framework (BPCF) device, so that the BPCF device in the fixed network can secure each tunnel according to QoS. Perform QoS control. In the embodiment of the present invention, the base station sends the priority value, and the correspondence between the priority value and the tunnel identifier to the mobility management entity, so that the fixed network device, for example, the BRAS device, can combine the priority of the user in the priority value. The level or service priority schedules the data packet, for example, when the network is congested, the data packet of the user with high priority is preferentially guaranteed. In addition, the BPCF device in the fixed network controls the QoS of each security tunnel according to the QoS, and can implement QoS control of the entire network of the user equipment. Referring to FIG. 6, FIG. 6 is a flowchart of a data packet transmission method according to Embodiment 5 of the present invention.

The data packet transmission method provided in Embodiment 5 of the present invention includes:

601. Receive a downlink data packet sent by the security gateway through the secure tunnel.

In the embodiment of the present invention, a secure tunnel may be established in advance between the base station and the security gateway when the base station is powered on. The base station can receive the downlink data packet sent by the security gateway through the secure tunnel.

602. Obtain a priority value of an inner layer IP packet in the downlink data packet and a priority value of the outer layer IP packet. Specifically, the base station acquires a priority value of an inner layer IP packet in the downlink data packet and a priority value of the outer layer IP packet.

In the embodiment of the present invention, the priority value of the outer IP packet may change during the transmission of the downlink data packet, and the priority value of the inner IP packet remains unchanged.

603. Establish a correspondence between a tunnel identifier of the security tunnel and a priority value of the inner layer IP packet, and a correspondence between the tunnel identifier of the security tunnel and the priority value of the outer IP packet.

After completing the foregoing correspondence, the base station may forward the downlink data packet, and then obtain an uplink data packet that needs to be forwarded.

604. Obtain a priority value of an uplink data packet that needs to be transmitted.

605. Search for a correspondence between the set priority value and the tunnel identifier according to the priority value, where each priority value corresponds to at least one tunnel identifier.

The execution process of the steps 604-605 in the embodiment of the present invention is similar to the steps 101-102 in the foregoing embodiment, and the description is not repeated here.

In the embodiment of the present invention, the step of the base station transmitting the uplink data packet to the security gateway by using the tunnel tunnel corresponding to the discovered tunnel identifier (the foregoing step 103) may specifically include: 606. According to the correspondence between the tunnel identifier and the priority value of the inner IP packet, and the correspondence between the tunnel identifier and the priority value of the outer IP packet, and the priority of the inner IP packet of the uplink data packet. The value finds the priority value of the outer IP packet of the uplink packet and the corresponding tunnel identifier.

Specifically, the base station first searches for the correspondence between the tunnel identifier and the priority value of the inner layer IP packet according to the priority value of the inner IP packet of the uplink data packet, obtains the tunnel identifier, and searches for the security according to the previously found tunnel identifier. The correspondence between the tunnel identifier of the tunnel and the priority value of the outer IP packet obtains the priority value of the outer IP packet.

607. Use a priority value of an outer IP packet of the uplink data packet as a priority value of the uplink data packet. In the embodiment of the present invention, the base station uses the priority value of the outer IP packet of the uplink data packet as the priority value of the uplink data packet. Specifically, the base station may update the priority value of the outer IP packet of the uplink data packet to the found priority value.

608. The uplink data packet is transmitted to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

In the embodiment of the present invention, since the data packet priority of the outer IP packet determines the processing priority of the data packet in the fixed network, the base station uses the priority value of the outer IP packet of the found uplink data packet as the uplink data. The priority value of the packet can ensure that the downlink data packet of the same service has the same priority as the uplink data packet in the transmission of the fixed network device (for example, BRAS), so that the fixed network device performs the downlink symmetry of the same service. Referring to FIG. 7, FIG. 7 is a flowchart of a data packet transmission method according to Embodiment 6 of the present invention.

The data packet transmission method provided by the embodiment of the present invention includes:

701. Receive a downlink data packet sent by the security gateway through the secure tunnel.

702. Obtain a priority value of the downlink data packet, and establish a correspondence between the tunnel identifier and the priority value of the security tunnel.

Specifically, the base station may obtain the downlink data packet received by the first time through a certain security tunnel, obtain the priority value of the downlink data packet, and establish a correspondence between the priority value and the tunnel identifier of the security tunnel.

703. Forward the downlink data packet. Specifically, the base station may forward the downlink data packet to the user equipment.

704. Obtain a priority value of an uplink data packet that needs to be transmitted.

705. Search for a correspondence between the set priority value and the tunnel identifier according to the priority value, where each priority value corresponds to at least one tunnel identifier.

706. If the corresponding tunnel identifier is found, the uplink data packet is transmitted to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

The execution process of the steps 704-706 is similar to the execution process of the steps 101-103 in the foregoing embodiment. For details, refer to the description of the foregoing embodiment, which is not repeated here. The data packet transmission method provided by the embodiment of the present invention is described above from the base station side. The data packet transmission method provided by the embodiment of the present invention is described below from the security gateway side.

Referring to FIG. 8, FIG. 8 is a flowchart of a data packet transmission method according to Embodiment 7 of the present invention.

801. Obtain a priority value of a downlink data packet that needs to be transmitted.

In the embodiment of the present invention, the security gateway may receive downlink data packets sent by the core network (for example, a packet data network gateway, a base station gateway, etc.). The downstream packet carries a priority value.

The security gateway may use the priority value of the Internet Protocol IP packet of the downlink data packet as the priority value of the downlink data packet.

802. Search for a correspondence between the set priority value and the tunnel identifier according to the priority value, where each priority value corresponds to at least one tunnel identifier.

Specifically, the security gateway searches for the correspondence between the set priority value and the tunnel identifier according to the obtained priority value. The different tunnel identifiers in the corresponding relationship respectively correspond to different priority values, and each priority value corresponds to at least one tunnel identifier, which may be established in advance when establishing a secure tunnel, or when there is a downlink data transmission requirement. Specifies the correspondence between an unused security tunnel ID and a priority value.

803. If the corresponding tunnel identifier is found, the downlink data packet is transmitted to the base station by using the secure tunnel corresponding to the found tunnel identifier.

When the security gateway transmits the downlink data packet through the secure tunnel, the tunnel identifier is identified in the header encapsulation of the downlink data packet. In the data packet transmission method provided by the embodiment of the present invention, the security gateway acquires the tunnel identifier of the corresponding security tunnel according to the priority value of the downlink data packet. Since each priority value corresponds to at least one tunnel identifier, the security gateway may The downlink data packets with different packet priorities are transmitted through multiple secure tunnels, so that after receiving the data packets, the base station separately performs anti-replay processing on the data packets received by each secure tunnel, thereby reducing the considered by the receiving end. It is the number of replayed packets, which in turn reduces the probability of packet loss. Referring to FIG. 9, FIG. 9 is a flowchart of a data packet transmission method according to Embodiment 8 of the present invention.

901. Receive an uplink data packet sent by a base station through a secure tunnel.

Specifically, the base station and the security gateway may pre-establish at least one secure tunnel when the base station is powered on, and the security gateway first receives the uplink data packet sent by the base station through the secure tunnel.

902. Obtain a priority value of the uplink data packet, and establish a relationship between the tunnel identifier of the security tunnel and the priority value.

The uplink data packet carries a priority value. In the embodiment of the present invention, the priority value may be a DSCP value. The security gateway establishes a correspondence between the tunnel identifier of the security tunnel and the priority value.

Specifically, the correspondence between the tunnel identifier and the priority value of the security tunnel that establishes the security tunnel is as shown in Table 1. The correspondence between the uplink tunnel identifier and the priority value of the security tunnel is established by the security gateway.

In addition, the relationship established by the security gateway is shown in Table 1, and can also be shown in Table 3. The method and logic it creates are similar to steps 201 and 202; methods similar to 20 Γ, 202 can also be used. The only difference is that in this embodiment, the key exchange request is initiated by the security gateway instead of the base station, and the key response message is sent by the base station.

903. Forward the uplink data packet.

Specifically, the security gateway forwards the data packet to the base station gateway or the packet data network gateway. There is no order between the security gateway forwarding the uplink data packet and establishing the foregoing correspondence relationship. After the security gateway forwards the upper and lower data packets, it can receive the downlink data packet of the user equipment, and the security device begins to perform step 904. 904. Obtain a priority value of a downlink data packet that needs to be transmitted.

905. Search for a correspondence between the set priority value and the tunnel identifier according to the priority value, where each priority value corresponds to at least one tunnel identifier.

906. If the corresponding tunnel identifier is found, the downlink data packet is transmitted to the base station by using the secure tunnel corresponding to the found tunnel identifier.

The execution process of the steps 904-906 is similar to the execution process of the steps 801-803 in the above embodiment 8, and the description is not repeated here.

An embodiment in which the security gateway pre-establishes the correspondence between the identity and the priority value of the secure tunnel is given above, and further embodiments are given below. Referring to FIG. 10, FIG. 10 is a flowchart of a data packet transmission method according to Embodiment 9 of the present invention. The data packet transmission method provided by the embodiment of the present invention includes:

1001. Receive a key exchange request message that carries a priority value sent by the base station, and return a key exchange response message to establish at least one secure tunnel with the base station.

Specifically, the security gateway receives the key exchange request message that carries the priority value sent by the base station, returns a key exchange response message, and establishes at least one secure tunnel with the base station.

1002. Establish a correspondence between a priority value and a tunnel identifier of at least one secure tunnel. Specifically, after the security tunnel is established, the security gateway establishes a correspondence between the priority value and the tunnel identifier of at least one security tunnel.

1003. Obtain a priority value of a downlink data packet that needs to be transmitted.

1004. Search, according to the priority value, a correspondence between the set priority value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier.

1005. If the corresponding tunnel identifier is found, the downlink data packet is transmitted to the base station by using the secure tunnel corresponding to the found tunnel identifier.

The execution process of the steps 1003-1005 is similar to the execution process of the steps 801-803 in the foregoing embodiment 8. The description is not repeated here. Further, the data packet transmission method provided by the embodiment of the present invention may further include:

1006. If the corresponding tunnel identifier is not found, send a key exchange request message to the base station. Specifically, the security gateway sends a key exchange request message to the security gateway to establish a new secure tunnel if the corresponding tunnel identifier is not found.

1007. Receive a key exchange response message returned by the base station, to establish a new security tunnel with the base station, and establish a correspondence between the tunnel identifier and the priority value of the new security tunnel.

The established security tunnel includes an uplink security tunnel and a downlink security tunnel. The security gateway establishes the correspondence between the tunnel ID and the priority value of the new security tunnel. The corresponding relationship between the uplink tunnel identifier and the priority value of the security tunnel and the correspondence between the downlink tunnel identifier and the priority value are included.

1008. Transmit downlink data packets to the base station by using a new secure tunnel.

Specifically, the security gateway transmits the downlink data packet to the base station by using the newly established security tunnel. In the data packet transmission method provided by the embodiment of the present invention, a secure tunnel corresponding to the priority value of the data packet is established between the base station and the security gateway. The security gateway obtains the tunnel identifier of the corresponding security tunnel according to the priority value of the downlink data packet. Since each priority value corresponds to at least one tunnel identifier, the security gateway can transmit the downlink data packet through multiple secure tunnels, thereby enabling the base station to After receiving the data packet, the data packet received by each secure tunnel is separately subjected to anti-replay processing, thereby reducing the number of playback data packets, thereby reducing the probability of packet loss.

The security gateway establishes a new security tunnel and establishes a correspondence between the tunnel identifier and the priority value of the new security tunnel, so that subsequent downlink data with the same priority value is received. After the packet is obtained, the tunnel identifier is obtained according to the corresponding relationship, and the downlink data packet is transmitted through the corresponding secure tunnel of the tunnel identifier. For the transmission, the different priority values may correspond to different services. Therefore, the embodiments of the present invention may transmit different services through multiple tunnels. Referring to FIG. 11, FIG. 11 is a flowchart of a data packet transmission method according to Embodiment 10 of the present invention. The data packet transmission method provided by the embodiment of the present invention includes:

1101. Receive a notification message sent by the base station, where the notification message carries a priority value. Specifically, the security gateway may receive a notification message sent by the base station during the bearer process of establishing the user equipment, where the notification message is used to trigger the security gateway to establish a secure tunnel.

1102. Send a key exchange request message carrying a priority value to the base station, receive the returned key exchange response message, and establish at least one secure tunnel with the base station.

Specifically, a secure tunnel is established between the security gateway and the base station. At least one secure tunnel is established between the security gateway and the base station.

1103. Establish a correspondence between a priority value and a tunnel identifier of at least one security tunnel. After the security tunnel is established, the security gateway establishes a correspondence between the priority value and the tunnel identifier of at least one security tunnel.

1104. Obtain a priority value of a downlink data packet that needs to be transmitted.

1105. Search for a correspondence between the set priority value and the tunnel identifier according to the priority value, where each priority value corresponds to at least one tunnel identifier.

1106. If the corresponding tunnel identifier is found, the downlink data packet is transmitted to the base station by using the secure tunnel corresponding to the found tunnel identifier.

The execution process of the steps 1104-1106 is similar to the execution process of the steps 801-803 in the foregoing embodiment 8. The description is not repeated here.

Further, the data packet transmission method provided by the embodiment of the present invention may further include:

1107. If the corresponding tunnel identifier is not found, it is determined that there is a secure tunnel that is not used. Specifically, the security gateway determines that there is an unused security tunnel when the corresponding tunnel identifier is not found according to the set correspondence. In the present invention, the so-called unused secure tunnel is a secure tunnel that has never been used to transmit data packets, i.e., this upstream or downstream secure tunnel is not given a packet priority attribute.

1108. Transmit a downlink data packet to the base station by using the unused security tunnel, and establish a correspondence between the tunnel identifier of the unused security tunnel and the priority value.

In the embodiment of the present invention, when the base station is powered on, the security gateway establishes one or more secure tunnels that are not used, and then send the downlink data packet to the base station. In addition, the security gateway also establishes a correspondence between the tunnel identifier of the unused security tunnel and the priority value, so as to find the corresponding tunnel identifier according to the correspondence.

Further, the data packet transmission method provided by the embodiment of the present invention may further include: 1109. If the corresponding tunnel identifier is not found, and it is determined that there is no unused security tunnel, send a key exchange request message to the base station, and receive a key exchange response message returned by the base station to establish a new secure tunnel with the base station. The downlink data packet is transmitted to the base station through the new secure tunnel, and the correspondence between the tunnel identifier and the priority value of the new secure tunnel is established.

If the security gateway does not find the unused tunnel, for example, the initially established unused tunnel is used to transmit data of other priority values, the security gateway sends a key exchange request message to the base station. Receiving a key exchange response message returned by the base station to establish a new secure tunnel with the base station. After the new security tunnel is established, the downlink packet is transmitted to the base station through the new secure tunnel, and the correspondence between the tunnel identifier and the priority value of the new security tunnel is established.

In the embodiment of the present invention, by not finding the corresponding tunnel identifier, it is determined that there is an unused security tunnel, the data packet is transmitted through the unused secure tunnel, and the priority value and the unused security tunnel are established. Correspondence between the tunnel identifiers, so that the base station and the security gateway do not need to establish a correspondence between the priority value and the tunnel identifier of the newly established security tunnel after establishing the security tunnel, but wait until the data packet is transmitted. And determining the correspondence between the priority value and the tunnel identifier of the unused security tunnel when there is an unused security tunnel.

At the same time, after receiving the downlink data packet transmitted by the security gateway through the secure tunnel, the base station can obtain the priority value of the downlink data packet, and establish a correspondence between the priority value and the tunnel identifier of the security tunnel that receives the data packet. And then forward the downstream packet.

In the data packet transmission method provided by the embodiment of the present invention, after the tunnel identifier is found, the security gateway may send the correspondence between the found tunnel identifier and the priority value to the broadband policy control architecture device, so as to facilitate the broadband policy. The control architecture device sends the correspondence to the BPCF device. Referring to FIG. 12, FIG. 12 is a flowchart of a data packet transmission method according to Embodiment 11 of the present invention. The data packet transmission method provided by the embodiment of the present invention includes:

1201. Receive an uplink data packet sent by a base station through a secure tunnel.

In the embodiment of the present invention, a secure tunnel may be established in advance between the base station and the security gateway when the base station is powered on. The security gateway can receive uplink data packets sent by the base station through the secure tunnel. Specifically, the base station acquires a priority value of an inner layer IP packet in the uplink data packet and a priority value of the outer layer IP packet. In the embodiment of the present invention, the priority value of the outer IP packet may change during the transmission of the uplink data packet, and the priority value of the inner IP packet remains unchanged.

1203. The correspondence between the tunnel identifier of the security tunnel and the priority value of the inner IP packet, and the correspondence between the tunnel identifier of the secure tunnel and the priority value of the outer IP packet.

After completing the foregoing correspondence, the base station may forward the downlink data packet and obtain a downlink data packet that needs to be forwarded.

1204. Obtain a priority value of a downlink data packet that needs to be transmitted.

1205. Search, according to the priority value, a correspondence between the set priority value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier.

The execution process of the steps 1204-1205 in the embodiment of the present invention is similar to the steps 801-802 in the foregoing embodiment, and the description is not repeated here.

In the embodiment of the present invention, the step of the security gateway transmitting the downlink data packet to the security gateway by the security tunnel corresponding to the discovered tunnel identifier (the foregoing step 803) may specifically include:

1206. Corresponding relationship between the tunnel identifier and the priority value of the inner IP packet, and the correspondence between the tunnel identifier of the security tunnel and the priority value of the outer IP packet, and the inner IP packet of the downlink data packet. The priority value finds the priority value of the outer IP packet of the downlink packet and the corresponding tunnel identifier.

Specifically, the security gateway first searches for the correspondence between the tunnel identifier and the priority value of the inner layer IP packet according to the priority value of the inner IP packet of the downlink data packet, obtains the tunnel identifier, and further searches according to the previously found tunnel identifier. The correspondence between the tunnel identifier of the security tunnel and the priority value of the outer IP packet obtains the priority value of the outer IP packet of the downlink data packet.

1207. The priority value of the outer IP packet of the downlink data packet is used as the priority value of the uplink data packet. In the embodiment of the present invention, the base station uses the priority value of the outer IP packet of the downlink data packet as the priority value of the downlink data packet. Specifically, the base station may update the priority value of the outer IP packet of the downlink data packet to the found priority value.

1208. The downlink data packet is transmitted to the base station by using the secure tunnel corresponding to the found tunnel identifier. In the embodiment of the present invention, since the data packet priority of the outer IP packet determines the processing priority of the data in the fixed network, the security gateway uses the priority value of the outer IP packet of the found downlink data packet as the downlink data. The priority value of the packet can guarantee that the downlink data packet for the same service is in the fixed network device. The transmission (e.g., BRAS) has the same priority as the upstream packet, so that the fixed network device performs the symmetry of the downlink transmission on the same service. For a more detailed understanding of the embodiments of the present invention, a specific application scenario of the data packet transmission method provided by the embodiment of the present invention is given below.

Referring to FIG. 13, FIG. 13 is an application scenario diagram of a data packet transmission method according to an embodiment of the present invention. The data packet transmission method provided by the embodiment of the present invention includes:

510. The base station receives an initial context setup request that carries the QCI and the user priority or service priority.

In the embodiment of the present invention, the base station receives an initial context establishment request for establishing an initial context in the process of establishing a bearer of the user equipment. The initial context establishment request carries the QCI and the user priority or the service priority. The user priority is taken as an example in the embodiment of the present invention.

In addition, in the embodiment of the present invention, when the base station is powered on, an unused security tunnel is established with the security gateway, and the tunnel identifiers of the security tunnel are 1A and 1B. 1A is the uplink tunnel identifier of the security tunnel, and 1B is the downlink tunnel identifier of the security tunnel.

In the embodiment of the present invention, the tunnel identifier may be specifically a Security Parameter Index (SPI) of the security tunnel.

511. The base station acquires a priority value.

The base station obtains the differentiated service point code corresponding to the QCI according to the mapping policy between the network (the fixed network and the core network), and then fills the user priority or the service priority into the reserved field of the converted differentiated service point code, and The populated differentiated service point code is used as the priority value.

In the embodiment of the present invention, the information to be filled is illustrated by taking the user priority as an example. The differentiated service point code corresponding to the QCI is 1, and the user priority is the gold medal, and the flag is 1, and the differentiated service point code obtained by the base station is obtained. Specifically, it can be:

0 1 2 3 4 5 6 7

+ + + + + + + + +

1 0 1 0 0 0 1 I CU I

+ + + + + + + + +

Among them, 0-1 digits identify user priority, 01 identifies gold medal users, 10 identifies 4 plaque users, and 11 identifies bronze users. The 2-5 digits identify the differentiated service point code value, and the 0001 identifier differentiates the service point code to 1.

It should be noted that the CU field in the priority value can also fill the service priority. For example, a 1 flag is an interworking guarantee, and a 0 flag is not an interworking guarantee. S12. The base station sends a notification message carrying a priority value to the security gateway.

513. The security gateway sends a key exchange request message carrying a priority value to the base station.

514. The base station sends a key exchange response message to the security gateway to establish a secure tunnel.

After the base station sends a key exchange response message to the security gateway, the establishment of the secure tunnel between the base station and the security gateway is completed, and the tunnel identifier of the established security tunnel is 2A and 2B. 2A is the identifier of the uplink security tunnel, and 2B is the identifier of the downlink security tunnel.

515. The base station establishes a correspondence between the tunnel identifier and the priority value.

In the embodiment of the present invention, the correspondence between the tunnel identifier and the priority value in the base station may be as shown in Table 4.

Table 4

The above table also contains an unused security tunnel. The tunnel ID of the security tunnel is 1A/1B.

S16. The base station sends the foregoing correspondence to the mobility management entity.

Specifically, the base station sends the foregoing correspondence to the mobility management entity by using an S1 setup message. The mobility management entity sends the S1 setup message to a Packed Data Network Gateway (PDNGW). The PDN GW is sent to the PCRF through the Gx interface. The PCRF sends the tunnel identification and the QoS requirements of the aggregation to the BPCF through the S9* interface. The BPCF transmits the tunnel identifier and the aggregation to the BRAS in the fixed network. The BRAS receives the correspondence between the tunnel identifier and the bearer QCI and the aggregation. After the QoS requirement, the data packet in the security tunnel is directly processed according to the tunnel identifier, and whether the DSCP value of the outer IP packet of the IP data packet received by the BRAS changes, the BRAS does not affect the processing of the IP data packet. The BRAS can control the QoS of each secure tunneled packet according to the aggregated QoS requirements.

In the embodiment of the present invention, the update of the security tunnel between the H(e)NB and the SeGW includes the creation, deletion, and update of the security tunnel (for example, the update of the tunnel information due to the end of the Ipsec lifetime), causing the foregoing relationship to occur. Update, the updated correspondence is sent to the mobility management entity through the S1 setup message. 517. The base station receives an uplink data packet of the user equipment.

Specifically, the base station receives an uplink IP data packet sent by the user equipment.

518. The base station acquires a priority value of the uplink data packet.

In the embodiment of the present invention, the priority value of the inner layer IP packet of the uplink data packet and the priority value of the outer layer IP packet are the same. The base station can obtain the priority value of the inner IP packet of the uplink data packet, and can also obtain the priority value of the outer IP packet of the uplink data packet.

In the embodiment of the present invention, the priority value of the uplink data packet is specifically 0001.

519. The base station queries, according to the obtained priority value, a correspondence relationship between the set priority value and the tunnel identifier.

Specifically, the base station queries the upper ten relationship according to the priority value obtained in step S18, and obtains the corresponding tunnel identifier. In the embodiment of the present invention, the base station searches for a corresponding tunnel identifier according to 0001, which is specifically 2A/2B.

520. The base station sends the uplink data packet to the security gateway by using an uplink secure tunnel corresponding to the 2A. Specifically, the base station sends the uplink data packet to the security gateway by using the uplink secure tunnel corresponding to the 2A, and the security gateway receives the uplink data packet sent by the base station by using the secure tunnel corresponding to the 2A.

In the embodiment of the present invention, since the priority value includes the user priority, devices in the fixed network, such as the BRAS, preferentially process the data packets of the gold medal user when encountering congestion.

521. The security gateway obtains a priority value of the uplink data packet, and establishes a correspondence between a tunnel identifier of the security tunnel that receives the uplink data packet and a priority value of the uplink data packet.

Specifically, after receiving the uplink data packet sent by a certain security tunnel for the first time, the security gateway obtains the priority value 0001 of the uplink data packet and the tunnel identifier 2A of the security tunnel, and then establishes the uplink and downlink tunnel identifiers 2A, 2B and priority of the security tunnel. The correspondence between the level values. In addition, when the security tunnel between the base station and the security gateway is updated, the correspondence between the priority value and the tunnel identifier to be updated should be inherited to the new secure tunnel.

In the embodiment of the present invention, the correspondence between the tunnel identifier and the priority value in the security gateway may be as shown in Table 5.

table 5

S22. The security gateway forwards the uplink data packet.

The security gateway may forward the uplink data packet to a core network (for example, a base station gateway, a packet data network gateway).

S23. The security gateway sends the foregoing correspondence to the PCRF.

Specifically, the corresponding relationship saved on the security gateway SeGW is sent/synchronized to the PCRF through the S16 interface. The PCRF converts the above relationship into a correspondence between the QCI value and the tunnel identifier and saves it. The PCRF stores the correspondence between the priority value and the QCI value negotiated between the mobile operator and the fixed network operator.

In addition, in the process of the bearer establishment initiated by the user equipment, the PCRF aggregates the QoS requirements (QCI, ARP, bandwidth, etc.) of the bearer to become the QoS requirement of the granularity of the home base station. After converting the correspondence sent by the SeGW, the PCRF sends the correspondence between the tunnel identifier and the carried QCI and the aggregated QoS request to the BPCF through the S9* interface, and the BPCF sends the correspondence and the QoS requirement to the BRAS. After receiving the correspondence between the tunnel identifier and the carried QCI and the aggregated QoS requirements, the BRAS directly processes the data packet in the security tunnel according to the tunnel identifier, regardless of the outer IP packet of the IP data packet received by the BRAS. Whether the DSCP value changes will not affect the BRAS's processing of IP packets. The BRAS can control the QoS of each secure tunneled packet according to the aggregated QoS requirements.

In the embodiment of the present invention, the update of the security tunnel between the H(e)NB and the SeGW includes the creation, deletion, and update of the security tunnel (for example, the update of the tunnel information due to the end of the Ipsec lifetime), causing the foregoing relationship to occur. After the update, the security gateway sends the updated correspondence to the PCRF to facilitate the QoS guarantee of the fixed network.

524. The security gateway receives the downlink data packet, and obtains a priority value of the downlink data packet.

Specifically, the security gateway can receive the downlink data packet of the user equipment, and obtain the priority value of the downlink data packet. In the embodiment of the present invention, the priority value of the downlink data packet of the user equipment is equal to the priority value of the uplink data packet, and all are 0001.

525. The security gateway searches for the corresponding relationship according to the obtained priority value of the downlink data packet, and obtains a corresponding tunnel identifier.

Specifically, the security gateway finds that the corresponding tunnel identifier is 2B according to 0001.

526. The security gateway sends the downlink data packet to the base station by using a secure tunnel corresponding to the 2B. After receiving the downlink data packet sent by the security gateway, the base station forwards the downlink data packet to the user equipment.

In the data packet transmission method provided by the embodiment of the present invention, the priority value in the correspondence relationship received by the BRAS further includes a user priority or a service priority, which may enable the BRAS to distinguish different levels of users or different levels according to different tunnel identifiers. The IP packets corresponding to the service perform different processing on the security packets in different security tunnels. For example, when network congestion occurs, the data packets of the gold card users are preferentially forwarded or the packets with Interworking guarantee are preferentially forwarded.

The data packet transmission method provided by the embodiment of the present invention is described in detail above. Embodiments of the present invention also provide a base station and a security gateway corresponding to the above methods. Referring to FIG. 14, FIG. 14 is a schematic structural diagram of a base station according to Embodiment 12 of the present invention.

The base station provided by the embodiment of the present invention includes:

The first priority obtaining unit 11 is configured to obtain a priority value of the uplink data packet that needs to be transmitted. The first correspondence relationship searching unit 12 is configured to search for the priority of the priority value according to the priority value obtained by the first priority acquiring unit 11. a correspondence between the value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

The uplink data sending unit 13 is configured to: when the first correspondence search unit 12 finds the corresponding tunnel identifier, transmit the uplink data packet to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

The base station provided by the embodiment of the present invention can be used in the foregoing first embodiment of the method. For details, refer to the description of the first embodiment, which is not repeated here.

The base station provided by the embodiment of the present invention obtains the tunnel identifier of the corresponding security tunnel according to the priority value of the uplink data packet. Since each priority value corresponds to at least one tunnel identifier, the base station may perform the uplink data packet through multiple secure tunnels. The transmission, after receiving the data packet, separately performs anti-replay processing on the data packets received by each security tunnel, thereby reducing the number of playback data packets, thereby reducing the probability of packet loss.

Further, the base station provided by the embodiment of the present invention may further include:

The second tunnel establishing unit 14 is configured to send at least two key exchanges to the security gateway at the time of power-on before the first priority acquiring unit 11 obtains the priority value of the uplink data packet to be transmitted. The request message receives the returned key exchange response message to establish at least two secure tunnels with the security gateway.

For other structures and functions of the base station, reference may be made to the above method embodiments.

Referring to FIG. 15, FIG. 15 is a schematic structural diagram of a base station according to Embodiment 13 of the present invention.

The base station provided by the embodiment of the present invention includes:

The first tunnel establishing unit 21 is configured to send a key exchange request message carrying the priority value to the security gateway at the time of power-on before the first priority acquiring unit 23 obtains the priority value of the uplink data packet to be transmitted. Receiving a returned key exchange response message to establish at least one secure tunnel with the security gateway; or

Receiving a radio bearer setup request or an initial context setup request that carries the quality of service level identifier, obtaining a priority value corresponding to the quality of service level identifier, and transmitting, to the security gateway, a notification that carries the priority value or the quality of service level identifier Receiving, by the security gateway, a key exchange request message carrying the priority value, and returning a key exchange response message to the security gateway to establish at least one secure tunnel with the security gateway; or

Receiving a radio bearer setup request or an initial context setup request that carries a quality of service level identifier, obtaining a priority value corresponding to the quality of service level identifier, and sending a key exchange carrying the priority value or the quality of service level identifier to the security gateway. Receiving a message, receiving a returned key exchange response message, to establish at least one secure tunnel with the security gateway;

The first correspondence establishing unit 22 is configured to establish a correspondence between the priority value obtained by the first priority acquiring unit 23 and the tunnel identifier of the at least one security tunnel established by the first tunnel establishing unit;

The first priority obtaining unit 23 is configured to obtain a priority value of the uplink data packet to be transmitted, and the first correspondence relationship searching unit 24 is configured to search for the priority of the setting according to the priority value acquired by the first priority acquiring unit 23 a correspondence between the value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

The uplink data sending unit 25 is configured to: when the corresponding tunnel identifier is found, transmit the uplink data packet to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

The base station provided by the embodiment of the present invention may be in the foregoing method embodiment 4 of the corresponding method. For details, refer to the description of the foregoing embodiment. Referring to FIG. 16, FIG. 16 is a schematic structural diagram of a base station according to Embodiment 14 of the present invention.

The base station provided by the embodiment of the present invention includes:

The first priority obtaining unit 31 is configured to obtain a priority value of the uplink data packet to be transmitted; the first correspondence relationship searching unit 32 is configured to search for the priority of the priority value according to the priority value obtained by the first priority acquiring unit 31. a correspondence between the value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

The uplink data sending unit 33 is configured to: when the corresponding tunnel identifier is found, transmit the uplink data packet to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

The third tunnel establishing unit 34 is configured to send a key exchange request message to the security gateway after receiving the corresponding tunnel identifier, and receive a key exchange response message returned by the security gateway to establish a new with the security gateway. Safe tunnel

The uplink data sending unit 33 is further configured to transmit the uplink data packet to the security gateway by using a new secure tunnel established by the third tunnel establishing unit 34;

The second correspondence relationship establishing unit 35 is configured to establish a new tunnel identifier and the first priority established by the third tunnel establishing unit 34. The base station provided by the embodiment of the present invention may be in the foregoing corresponding method embodiment 2. Description of the embodiments. Referring to FIG. 17, FIG. 17 is a schematic structural diagram of a base station according to Embodiment 15 of the present invention.

The base station provided by the embodiment of the present invention includes:

The first priority obtaining unit 41 is configured to obtain a priority value of the uplink data packet to be transmitted; the first correspondence relationship searching unit 42 is configured to search for the priority of the setting according to the priority value acquired by the first priority acquiring unit 41. a correspondence between the value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

The uplink data sending unit 43 is configured to: when the corresponding tunnel identifier is found, transmit the uplink data packet to the security gateway by using the secure tunnel corresponding to the discovered tunnel identifier.

The tunnel judging unit 44 is configured to determine that there is a secure tunnel that is not used when the corresponding tunnel identifier is not found; The uplink data sending unit 43 is further configured to: when the tunnel determining unit 44 determines that there is a secure tunnel that is not used, transmit the uplink data packet to the security gateway by using the unused secure tunnel; the third correspondence relationship establishing unit 45 And a correspondence between the tunnel identifier of the unused security tunnel determined by the tunnel judging unit 44 and the priority value obtained by the first priority acquiring unit 41.

The tunnel judging unit 44 is configured to determine that there is no unused security tunnel when the corresponding tunnel identifier is not found;

The fourth tunnel establishing unit 46 is configured to: when the tunnel determining unit 44 determines that there is no unused secure tunnel, send a key exchange request message to the security gateway, and receive a key exchange response message returned by the security gateway, Establishing a new secure tunnel with the security gateway, and transmitting the uplink data packet to the security gateway by using the new secure tunnel;

The third correspondence establishing unit 45 is further configured to establish a correspondence between the tunnel identifier of the new security tunnel established by the fourth tunnel establishing unit 46 and the priority value acquired by the first priority acquiring unit 41.

The base station provided by the embodiment of the present invention may be in the foregoing third embodiment of the method. For details, refer to the description of the foregoing embodiment. Referring to FIG. 18, FIG. 18 is a schematic structural diagram of a base station according to Embodiment 16 of the present invention.

The base station provided by the embodiment of the present invention includes:

The first priority obtaining unit 51 is configured to obtain a priority value of the uplink data packet to be transmitted; the first correspondence relationship searching unit 52 is configured to search for the priority of the setting according to the priority value acquired by the first priority acquiring unit 51. a correspondence between the value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

The uplink data sending unit 53 is configured to: when the corresponding tunnel identifier is found, transmit the uplink data packet to the security gateway by using the secure tunnel corresponding to the discovered tunnel identifier.

The first receiving unit 54 is configured to receive, after the first priority acquiring unit 51 obtains the priority value of the uplink data packet to be transmitted, the downlink data packet sent by the security gateway through the secure tunnel;

The first priority obtaining unit 51 is further configured to acquire a priority value of the downlink data packet received by the first receiving unit 54; The fourth correspondence establishing unit 55 is configured to establish a correspondence between the priority value acquired by the first priority acquiring unit 51 and the tunnel identifier of the security tunnel;

The first forwarding unit 56 is configured to forward the downlink data packet received by the first receiving unit 54.

The base station provided by the embodiment of the present invention may be in the foregoing corresponding method embodiment 6. For details, refer to the description of the foregoing embodiment. The base station provided by the embodiment of the present invention is described in detail above. The embodiment of the present invention further provides a corresponding security gateway embodiment.

Referring to FIG. 19, FIG. 19 is a schematic structural diagram of a security gateway according to Embodiment 17 of the present invention. The security gateway provided by the embodiment of the present invention includes:

The second priority obtaining unit 61 is configured to obtain a priority value of the downlink data packet to be transmitted, and the second correspondence relationship searching unit 62 is configured to search for the priority of the priority value according to the priority value obtained by the second priority acquiring unit 61. a correspondence between the value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

The downlink data sending unit 63 is configured to: when the second correspondence search unit 62 finds the corresponding tunnel identifier, transmit the downlink data packet to the base station by using the secure tunnel corresponding to the found tunnel identifier.

Further, the security gateway provided by the embodiment of the present invention may further include:

The fifth tunnel establishing unit 64 is configured to receive a key exchange request message carrying a priority value sent by the base station, and return a key before the second priority acquiring unit 61 obtains the priority value of the downlink data packet to be transmitted. Exchanging a response message to establish at least one secure tunnel with the base station;

The fifth correspondence establishing unit 65 is configured to establish a correspondence between the priority value acquired by the second priority acquiring unit 61 and the tunnel identifier of the at least one security tunnel established by the fifth tunnel establishing unit 64.

The security gateway provided by the embodiment of the present invention may be used in the foregoing corresponding method embodiment 7. For details, refer to the description of the method embodiment.

In the embodiment of the present invention, the security gateway obtains the tunnel identifier of the corresponding security tunnel according to the priority value of the downlink data packet. Since each priority value corresponds to at least one tunnel identifier, the security gateway may pass the downlink data packet through multiple security tunnels. Transmitting, so that the base station receives the data After the packet, the data packets received by each secure tunnel are separately subjected to anti-replay processing, thereby reducing the number of playback packets, thereby reducing the probability of packet loss.

Further, for the correspondence between the security tunnel and the priority value described in all the foregoing embodiments, when the lifetime of the security association corresponding to the security tunnel reaches the maximum and the security association update occurs, the foregoing security tunnel and data The correspondence of packet priorities should be inherited to the new security tunnel, which is the new security association. For example, the priority of the packet corresponding to SPI=1A is 2. When the security association corresponding to SPI=1A occurs due to the refresh of the lifetime update, the new security association identifier is also updated to be SPI=1C, which corresponds to SPI=1C. The priority value should also be equal to 2. This process does not require negotiation, does not require signaling interaction, and is a natural attribute inheritance process on the relevant node. Referring to FIG. 20, FIG. 20 is a schematic structural diagram of a security gateway according to Embodiment 18 of the present invention. The security gateway provided by the embodiment of the present invention includes:

The second priority obtaining unit 71 is configured to obtain a priority value of the downlink data packet to be transmitted, and the second correspondence relationship searching unit 72 is configured to search for the priority of the setting according to the priority value acquired by the second priority acquiring unit 71. a correspondence between the value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

The downlink data sending unit 73 is configured to: when the corresponding tunnel identifier is found, transmit the downlink data packet to the base station by using the secure tunnel corresponding to the found tunnel identifier.

The first notification message receiving unit 74 is configured to receive, after the second priority acquiring unit 71 obtains the priority value of the downlink data packet to be transmitted, the notification message sent by the base station gateway, where the notification message carries the priority value. ;

The sixth tunnel establishing unit 75 is configured to send a key exchange request message carrying the priority value received by the first notification message receiving unit 74 to the base station, and receive the returned key exchange response message to establish at least one with the base station. Safety tunnel

The sixth correspondence establishing unit 76 is configured to establish a correspondence between the priority value acquired by the second priority acquiring unit 71 and the tunnel identifier of the at least one security tunnel established by the sixth tunnel establishing unit 75.

The security gateway provided by the embodiment of the present invention may be used in the foregoing corresponding method embodiment 10. For details, refer to the description of the foregoing method embodiment, which is not repeated here. Referring to FIG. 21, FIG. 21 is a schematic structural diagram of a security gateway according to Embodiment 19 of the present invention. The security gateway provided by the embodiment of the present invention includes:

The second priority obtaining unit 81 is configured to obtain a priority value of the downlink data packet to be transmitted, and the second correspondence relationship searching unit 82 is configured to search for the priority of the setting according to the priority value acquired by the second priority acquiring unit 81. a correspondence between the value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

The downlink data sending unit 83 is configured to: when the corresponding tunnel identifier is found, transmit the downlink data packet to the base station by using the secure tunnel corresponding to the found tunnel identifier.

The second notification message receiving unit 84 is configured to: before the second priority acquiring unit 81 obtains the priority value of the downlink data packet to be transmitted, receive a notification message sent by the base station gateway, where the notification message carries a quality of service level Identification

The seventh tunnel establishing unit 85 is configured to send, to the base station, a key exchange request message carrying the quality of service level identifier received by the second notification message receiving unit 84, and receive the returned key exchange response message to establish at least one security with the base station. Tunnel

The seventh correspondence establishing unit 86 is configured to obtain a priority value corresponding to the QoS level identifier, and establish a correspondence between the priority value and a tunnel identifier of at least one security tunnel established by the seventh tunnel establishing unit 85.

The security gateway provided by the embodiment of the present invention may be used in the foregoing corresponding method embodiment 10. For details, refer to the description of the foregoing method embodiment, which is not repeated here. Referring to FIG. 22, FIG. 22 is a schematic structural diagram of a security gateway according to Embodiment 20 of the present invention. The security gateway provided by the embodiment of the present invention includes:

The second priority obtaining unit 91 is configured to obtain a priority value of the downlink data packet to be transmitted, and the second correspondence relationship searching unit 92 is configured to search for the priority of the setting according to the priority value acquired by the second priority acquiring unit 91. a correspondence between the value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

The downlink data sending unit 93 is configured to: when the corresponding tunnel identifier is found, transmit the downlink data packet to the base station by using the secure tunnel corresponding to the found tunnel identifier.

Further, the security gateway provided by the embodiment of the present invention may further include: The eighth tunnel establishing unit 94 is configured to: when the second correspondence search unit 92 does not find the corresponding tunnel identifier, send a key exchange request message to the base station, and receive a key exchange response message returned by the base station, to Establish a new secure tunnel;

The downlink data sending unit 93 is further configured to transmit the downlink data packet to the base station by using a new secure tunnel established by the eighth tunnel establishing unit 94;

The eighth correspondence establishing unit 95 is configured to establish a correspondence between the tunnel identifier of the new security tunnel established by the eighth tunnel establishing unit 94 and the priority value acquired by the second priority acquiring unit 91.

The security gateway provided by the embodiment of the present invention may be used in the foregoing corresponding method embodiment 10. For details, refer to the description of the foregoing method embodiment, which is not repeated here. Referring to FIG. 23, FIG. 23 is a schematic structural diagram of a security gateway according to Embodiment 21 of the present invention. The security gateway provided by the embodiment of the present invention includes:

The second priority acquiring unit 110 is configured to obtain a priority value of the downlink data packet to be transmitted, and the second correspondence relationship searching unit 120 is configured to search for the priority of the setting according to the priority value acquired by the second priority acquiring unit 110. a correspondence between the value and the tunnel identifier, where each priority value corresponds to at least one tunnel identifier;

The downlink data sending unit 130 is configured to: when the corresponding tunnel identifier is found, transmit the downlink data packet to the base station by using the secure tunnel corresponding to the found tunnel identifier.

The second receiving unit 140 is configured to receive an uplink data packet sent by the base station through the secure tunnel before the second priority acquiring unit 110 obtains the priority value of the downlink data packet to be transmitted.

The second priority acquiring unit 110 is further configured to acquire a priority value of the uplink data packet received by the second receiving unit 140.

The ninth correspondence establishing unit 150 is configured to establish a correspondence between the priority value obtained by the second priority acquiring unit 110 and the tunnel identifier of the security tunnel;

The second forwarding unit 160 is configured to forward the uplink data packet.

The security gateway provided by the embodiment of the present invention may be used in the foregoing corresponding method embodiment XI. For details, refer to the description of the foregoing method embodiment, which is not repeated here.

It should be noted that the information exchange, the execution process, and the like between the units in the foregoing base station and the security gateway are based on the same concept as the method embodiment of the present invention, and the specific content can be referred to the present invention. The description in the method embodiment is not described here.

A person skilled in the art can understand that all or part of the processes in the above embodiments are implemented by a computer program to instruct related hardware, and the program can be stored in a computer readable storage medium. The flow of an embodiment of the methods as described above may be included. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

The data packet transmission method and the related device provided by the embodiment of the present invention are described in detail above. For those skilled in the art, according to the idea of the embodiment of the present invention, there are changes in the specific implementation manner and application scope. The contents of this specification are not to be construed as limiting the invention.

Claims

Claim

A data packet transmission method, comprising:

Obtain a priority value of an upstream packet that needs to be transmitted;

2. The method according to claim 1, wherein before the obtaining the priority value of the uplink data packet to be transmitted, the method further comprises:

Sending, by the base station, a key exchange request message carrying the priority value to the security gateway, and receiving the returned key exchange response message, to establish at least one secure tunnel with the security gateway, and establishing a data packet priority value. Corresponding relationship with the tunnel identifier of the at least one secure tunnel; or

Receiving a radio bearer setup request or an initial context setup request carrying a priority value, sending a notification message carrying the priority value to the security gateway, and receiving a key exchange request message that is sent by the security gateway and carrying the priority value, Returning a key exchange response message to the security gateway to establish at least one secure tunnel with the security gateway, and establishing a correspondence between a data packet priority value and a tunnel identifier of the at least one secure tunnel; or

Receiving a radio bearer setup request or an initial context setup request carrying a priority value, sending a key exchange request message carrying the priority value to the security gateway, and receiving a returned key exchange response message to establish at least the security gateway with the security gateway A secure tunnel and establishing a relationship between the packet priority value and the tunnel identifier of the at least one secure tunnel.

The method according to claim 1, wherein before the obtaining the priority value of the uplink data packet to be transmitted, the method further includes:

Receiving a radio bearer setup request or an initial context setup request carrying a priority value, and searching for a tunnel identifier corresponding to the priority value. If the corresponding tunnel identifier is not found, sending a key exchange request message to the security gateway, and receiving the returned The key exchange response message is configured to establish at least one security tunnel with the security gateway, and establish a correspondence between the priority value and a tunnel identifier of the at least one security tunnel; or Receiving a radio bearer setup request or an initial context setup request carrying a priority value, and searching for a tunnel identifier corresponding to the priority value. If the corresponding tunnel identifier is not found, determining that there is an unused tunnel is not used. The used secure tunnel transmits the number of uplinks to the security gateway

The base station sends at least two key exchange request messages to the security gateway when the base station is powered on, and receives the returned key exchange response message to establish at least two security tunnels with the security gateway.

5. The method according to claim 1, further comprising:

And if the corresponding tunnel identifier is not found, sending a key exchange request message to the security gateway; receiving a key exchange response message returned by the security gateway, to establish a new security tunnel with the security gateway, and establishing a Determining a correspondence between a tunnel identifier of the new security tunnel and the priority value;

Transmitting the uplink data packet to the security gateway by using the new secure tunnel.

6. The method according to claim 1, further comprising:

If the corresponding tunnel identifier is not found, determining that there is an unused security tunnel; transmitting the uplink data packet to the security gateway by using the unused secure tunnel, and establishing the unused security tunnel Correspondence between the tunnel identifier and the priority value.

7. The method according to claim 6, further comprising:

If the corresponding tunnel identifier is not found, and it is determined that there is no unused security tunnel, send a key exchange request message to the security gateway, and receive a key exchange response message returned by the security gateway, The security gateway establishes a new security tunnel, and transmits the uplink data packet to the security gateway by using the new security tunnel, and establishes a correspondence between the tunnel identifier of the new security tunnel and the priority value.

The method according to claim 2, wherein the radio bearer setup request or the initial context setup request carries information about a user priority or a service priority or whether the core network has a fixed network interworking capability, The priority value is a differentiated service point code;

The correspondence between the establishment of the priority value and the tunnel identifier of the at least one security tunnel includes: Filling in the field of the user priority or the service priority or the core network with the fixed network interworking capability into the field of the differentiated service point code;

Establish a correspondence between the padded differentiated service point code and the tunnel identifier.

The method according to claim 8, wherein the method further comprises: transmitting a correspondence between the tunnel identifier and a priority value to a mobility management entity, to facilitate the mobility management entity. The correspondence between the tunnel identifier and the priority value is sent to the BPCF device.

The method according to claim 1, wherein before obtaining the priority value of the uplink data packet to be transmitted, the method further includes:

Receiving a downlink data packet sent by the security gateway through the secure tunnel;

Obtaining a priority value of the inner layer IP packet in the downlink data packet and a priority value of the outer layer IP packet; establishing a correspondence between the tunnel identifier of the security tunnel and a priority value of the inner layer IP packet, and establishing Corresponding relationship between the tunnel identifier of the security tunnel and the priority value of the outer IP packet; the transmitting, by the secure tunnel corresponding to the discovered tunnel identifier, the uplink data packet to the security gateway, including:

Corresponding relationship between the tunnel identifier and the priority value of the inner layer IP packet, and a correspondence between the tunnel identifier and the priority value of the outer layer IP packet, and an inner layer IP of the uplink data packet The priority value of the packet finds the priority value of the outer IP packet of the uplink data packet and the corresponding tunnel identifier;

Setting a priority value of an outer IP packet of the uplink data packet as a priority value of the uplink data packet;

And transmitting the uplink data packet to the security gateway by using the secure tunnel corresponding to the found tunnel identifier.

The method according to claim 1, wherein before the obtaining the priority value of the uplink data packet to be transmitted, the method further includes

Obtaining a priority value of the downlink data packet, and establishing a correspondence between the tunnel identifier of the security tunnel and the priority value;

Forwarding the downlink data packet.

12. A method according to any one of claims 1 to 11, characterized in that: The priority value is a differentiated service point code of the data packet or a quality of service level identifier of the radio bearer.

13. A data packet transmission method, comprising:

Obtain a priority value of a downlink packet that needs to be transmitted;

The method according to claim 13, wherein before the obtaining the priority value of the downlink data packet to be transmitted, the method further includes:

Receiving, by the base station, a key exchange request message carrying the priority value, and returning a key exchange response message, to establish at least one secure tunnel with the base station;

A correspondence between the priority value and a tunnel identifier of at least one secure tunnel is established.

Receiving a notification message sent by the base station gateway, where the notification message carries a priority value; sending a key exchange request message carrying the priority value to the base station, and receiving the returned key exchange response message, to establish at least the base station with the base station a safe tunnel;

16. The method according to claim 13, further comprising:

And if the corresponding tunnel identifier is not found, sending a key exchange request message to the base station; receiving a key exchange response message returned by the base station, to establish a new security tunnel with the base station, and establishing the new security Corresponding relationship between the uplink and downlink tunnel identifier of the tunnel and the priority value;

Transmitting the downlink data packet to the base station by using the new secure tunnel.

17. The method according to claim 13, further comprising:

If the corresponding tunnel identifier is not found, it is determined that there is an unused security tunnel; the downlink data packet is transmitted to the base station by using the unused secure tunnel, and the tunnel of the unused secure tunnel is established. A correspondence between the identifier and the priority value.

The method according to claim 17, further comprising: If the corresponding tunnel identifier is not found, determining that there is no unused security tunnel, sending a key exchange request message to the base station, and receiving a key exchange response message returned by the base station, to establish a new The security tunnel transmits the downlink data packet to the base station by using the new secure tunnel, and establishes a correspondence between the tunnel identifier of the new security tunnel and the priority value.

The method according to claim 13, further comprising:

And transmitting the found tunnel identifier and the corresponding relationship to the broadband policy control architecture device.

Receiving an uplink data packet sent by the base station through the secure tunnel;

Obtaining a priority value of the inner layer IP packet in the uplink data packet and a priority value of the outer layer IP packet; establishing a correspondence between the tunnel identifier of the security tunnel and a priority value of the inner layer IP packet, and establishing Corresponding relationship between the tunnel identifier of the security tunnel and the priority value of the outer IP packet; the transmitting, by the secure tunnel corresponding to the discovered tunnel identifier, the downlink data packet to the base station, including:

Corresponding relationship between the tunnel identifier and the priority value of the inner layer IP packet, and the correspondence between the tunnel identifier of the security tunnel and the priority value of the outer IP packet, and the downlink data packet The priority value of the inner layer IP packet finds the priority value of the outer IP packet of the downlink data packet and the corresponding tunnel identifier;

Setting a priority value of an outer IP packet of the downlink data packet as a priority value of the downlink data packet;

And transmitting the downlink data packet to the base station by using the secure tunnel corresponding to the found tunnel identifier.

The method according to claim 13, wherein before the obtaining the priority value of the downlink data packet to be transmitted, the method further includes

Obtaining a priority value of the uplink data packet, and establishing a correspondence between the priority value and a tunnel identifier of the security tunnel;

Forwarding the upstream packet.

22. A method according to any of claims 13-21, characterized in that: The priority value is a differentiated service point code of the data packet or a quality of service level identifier of the radio bearer.

A base station, comprising:

The base station according to claim 23, further comprising:

a first tunnel establishing unit, configured to send, after the first priority acquiring unit obtains a priority value of the uplink data packet to be transmitted, a key exchange request message carrying the priority value to the security gateway at power-on Receiving a returned key exchange response message to establish at least one secure tunnel with the security gateway; or

Receiving a radio bearer setup request or an initial context setup request carrying a priority value, sending a notification message carrying the priority value to the security gateway, and receiving a key exchange request message that is sent by the security gateway and carrying the priority value, Returning a key exchange response message to the security gateway to establish at least one secure tunnel with the security gateway; or

Receiving a radio bearer setup request or an initial context setup request carrying a priority value, sending a key exchange request message carrying the priority value to the security gateway, and receiving a returned key exchange response message to establish at least the security gateway with the security gateway a safe tunnel;

And a first correspondence establishing unit, configured to establish a correspondence between a priority value obtained by the first priority acquiring unit and a tunnel identifier of at least one security tunnel established by the first tunnel establishing unit.

The base station according to claim 23, further comprising:

a second tunnel establishing unit, configured to send at least two key exchange request messages to the security gateway at the time of power-on, before the first priority acquiring unit obtains the priority value of the uplink data packet to be transmitted, and receive the returned The key exchange response message is to establish at least two secure tunnels with the security gateway.

The base station according to claim 23, further comprising:

a third tunnel establishing unit, configured to send a key exchange request message to the security gateway after receiving the corresponding tunnel identifier, and receive a key exchange response message returned by the security gateway, to establish with the security gateway New safe tunnel;

The uplink data sending unit is further configured to transmit the uplink data packet to the security gateway by using a new secure tunnel established by the third tunnel establishing unit;

And a second correspondence establishing unit, configured to establish a correspondence between a tunnel identifier of the new security tunnel established by the third tunnel establishing unit and a priority value obtained by the first priority acquiring unit.

The base station according to claim 23, further comprising:

a tunnel judging unit, configured to determine that there is an unused security tunnel when the corresponding tunnel identifier is not found;

The uplink data sending unit is further configured to: when the tunnel determining unit determines that there is an unused secure tunnel, transmit the uplink data packet to the security gateway by using the unused secure tunnel;

And a third correspondence establishing unit, configured to establish a correspondence between a tunnel identifier of the unused security tunnel determined by the tunnel determining unit and a priority value obtained by the first priority acquiring unit.

The base station according to claim 27, further comprising:

The tunnel judging unit is configured to: when the corresponding tunnel identifier is not found, determine that there is no unused security tunnel; when the tunnel is full, send a key exchange request message to the security gateway, and receive the secret returned by the security gateway. Key exchange response message, to establish a new security tunnel with the security gateway, and transmit the uplink data packet to the security gateway by using the new secure tunnel;

The third correspondence establishing unit is further configured to establish a correspondence between the tunnel identifier of the new security tunnel and the priority value.

29. The base station according to claim 23, further comprising

a first receiving unit, configured to receive, after the first priority acquiring unit obtains a priority value of an uplink data packet to be transmitted, a downlink data packet that is sent by the security gateway through the secure tunnel; The first priority acquiring unit is further configured to acquire a priority value of the downlink data packet received by the first receiving unit;

a fourth correspondence establishing unit, configured to establish a correspondence between a priority value obtained by the first priority acquiring unit and a tunnel identifier of the security tunnel;

The first forwarding unit is configured to forward the downlink data packet received by the first receiving unit.

30. A security gateway, comprising:

And a downlink data sending unit, configured to: when the second corresponding relationship searching unit finds the corresponding tunnel identifier, transmit the downlink data packet to the base station by using the secure tunnel corresponding to the found tunnel identifier.

31. The security gateway of claim 30, wherein:

a fifth tunnel establishing unit, configured to receive, after the second priority acquiring unit obtains a priority value of the downlink data packet to be transmitted, a key exchange request message that is sent by the base station and carries the priority value, and returns a key Exchanging a response message to establish at least one security tunnel with the base station; a fifth correspondence establishing unit, configured to establish a priority value obtained by the second priority acquiring unit and at least one established by the fifth tunnel establishing unit Correspondence between tunnel identifiers of security tunnels.

The security gateway according to claim 30, further comprising: a first notification message receiving unit, configured to: before the second priority acquiring unit obtains a priority value of a downlink data packet to be transmitted, Receiving a notification message sent by the base station gateway, where the notification message carries a priority value;

a sixth tunnel establishing unit, configured to send, to the base station, a key exchange request message that carries the priority value received by the first notification message receiving unit, and receive the returned key exchange response message to establish at least one with the base station Safety tunnel

The sixth correspondence establishing unit is configured to establish a correspondence between the priority value obtained by the second priority acquiring unit and the tunnel identifier of the at least one security tunnel established by the sixth tunnel establishing unit.

The security gateway according to claim 30, further comprising: a second notification message receiving unit, configured to: before the second priority acquiring unit obtains a priority value of the downlink data packet to be transmitted, Receiving a notification message sent by the base station gateway, where the notification message carries a priority value;

a seventh tunnel establishing unit, configured to send, to the base station, a key exchange request message carrying a priority value received by the second notification message receiving unit, and receive a returned key exchange response message to establish at least one security with the base station Tunnel

And a seventh correspondence establishing unit, configured to establish a correspondence between the priority value and a tunnel identifier of at least one security tunnel established by the seventh tunnel establishing unit.

The security gateway according to claim 30, further comprising: an eighth tunnel establishing unit, configured to send, to the base station, when the second correspondence search unit does not find the corresponding tunnel identifier a key exchange request message, receiving a key exchange response message returned by the base station, to establish a new security tunnel with the base station;

The downlink data sending unit is further configured to transmit the downlink data packet to the base station by using a new secure tunnel established by the eighth tunnel establishing unit;

The eighth correspondence establishing unit is configured to establish a correspondence between a tunnel identifier of the new security tunnel established by the eighth tunnel establishing unit and a priority value acquired by the second priority acquiring unit.

The security gateway according to claim 30, further comprising: a second receiving unit, configured to: before the second priority acquiring unit obtains a priority value of the downlink data packet to be transmitted, the receiving base station passes the security The uplink data packet sent by the tunnel;

The second priority acquiring unit is further configured to acquire a priority value of the uplink data packet received by the second receiving unit;

a ninth correspondence establishing unit, configured to establish a correspondence between a priority value obtained by the second priority acquiring unit and a tunnel identifier of the security tunnel;

The second forwarding unit is configured to forward the uplink data packet.