WO2013037273A1 - User equipment capability processing method and system - Google Patents

User equipment capability processing method and system

Info

Publication number
WO2013037273A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
key exchange
packet data
authentication
evolved packet
Prior art date
Application number
PCT/CN2012/081004
Other languages
French (fr)
Chinese (zh)
Inventor
周星月
朱春晖
Original Assignee
ZTE Corporation (中兴通讯股份有限公司)
Priority date
Filing date
Publication date
Application filed by ZTE Corporation (中兴通讯股份有限公司)
Publication of WO2013037273A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/22 Processing or transfer of terminal data, e.g. status or physical capabilities

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method and system for processing user equipment capabilities.
  • the Evolved Packet System (EPS) in the 3rd Generation Partnership Project (3GPP) is composed of the Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the Mobility Management Entity (MME), the Serving Gateway (S-GW), the Packet Data Network Gateway (P-GW or PDN GW), the Home Subscriber Server (HSS), the Policy and Charging Rules Function (PCRF) entity and other supporting nodes.
  • E-UTRAN Evolved Universal Terrestrial Radio Access Network
  • MME Mobility Management Entity
  • S-GW Serving Gateway
  • P-GW Packet Data Network Gateway
  • HSS Home Subscriber Server
  • PCRF Policy and Charging Rules Function
  • the EPS system supports interworking with non-3GPP systems.
  • the interworking with non-3GPP systems is implemented through the S2a/S2b/S2c interfaces, and the anchor point between the 3GPP and non-3GPP systems is the P-GW.
  • non-3GPP systems are classified into trusted non-3GPP IP access and untrusted non-3GPP IP access.
  • trusted non-3GPP IP access can connect directly to the P-GW through the S2a interface; untrusted non-3GPP IP access must connect to the PDN GW through an Evolved Packet Data Gateway (ePDG), and the interface between the ePDG and the PDN GW is S2b.
  • ePDG Evolved Packet Data Gateway
  • the S2c interface provides user-plane-related control and mobility support between the UE and the P-GW.
  • the mobility management protocol supported on S2c is Mobile IPv6 Support for Dual Stack Hosts and Routers (DSMIPv6).
  • the MME is responsible for control-plane work such as mobility management, non-access stratum signalling processing and management of the user mobility management context; the S-GW is the access gateway device connected to the E-UTRAN, forwards data between the E-UTRAN and the P-GW, and buffers data awaiting paging; the P-GW is the border gateway between the EPS and the Packet Data Network (PDN), responsible for PDN access and for forwarding data between the EPS and the PDN; the PCRF is the policy and charging rules function entity, which connects through the Rx interface to the operator's Internet Protocol (IP) service network to obtain service information, connects through the Gx/Gxa/Gxc interfaces to the gateway devices in the network, and is responsible for initiating IP bearer establishment, guaranteeing the quality of service (QoS) of service data, and performing charging control.
  • QoS Quality of Service
  • a UE connecting to the EPS system through an untrusted access system must first select a suitable ePDG.
  • in the current technology the UE selects an ePDG located close to the access system in which the UE is located.
  • the 3GPP AAA server may select the ePDG for the UE based on the UE's IP address or on information about the access network system.
  • this selection is performed while the UE and the ePDG create an IKEv2 security association and establish an IPsec tunnel for authentication and authorization.
  • the UE and the ePDG are required to support the IKEv2 redirect mechanism defined by the IETF (Redirect Mechanism for IKEv2, RFC 5685).
  • this mechanism can redirect the IKEv2 server during IKE_SA_INIT, during IKE_AUTH, or after the IKEv2 session has been established.
  • in the 3GPP scenario it can be regarded as the ePDG initiating the redirection of the UE to another ePDG.
  • the current problem is that the 3GPP AAA server does not know whether the UE has the IKEv2 redirect capability (this capability is not mandatory for the UE). If the 3GPP AAA server finds an ePDG closer to the UE, it notifies the current ePDG; if the current ePDG then sends a redirect to a UE that does not support IKEv2 redirection, the UE cannot interpret the message content and may even treat it as an error; if instead the current ePDG ignores the redirection indication from the 3GPP AAA server, the authentication and authorization procedure cannot be completed either. This problem causes the authentication and authorization procedure for establishing the whole IKEv2 tunnel to fail.
  • the technical problem to be solved by the present invention is to provide a method and system for making an evolved packet data gateway redirection decision, so as to solve the authentication and authorization procedure error caused by the AAA server selecting a new ePDG for a terminal whose capability information indicates that it lacks the Internet Key Exchange protocol redirection function.
  • the present invention provides a method for processing user equipment capabilities, wherein, during creation of an Internet Key Exchange protocol tunnel between a terminal and an evolved packet data gateway, the evolved packet data gateway notifies the authentication, authorization and accounting server (the AAA server) of capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function.
  • the AAA server determines, according to the capability information, whether to reselect an evolved packet data gateway for the terminal.
  • the above method may also have the following features:
  • determining, by the AAA server according to the capability information, whether to reselect the evolved packet data gateway for the terminal includes:
  • when the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, the AAA server selects the evolved packet data gateway closest to the terminal for the terminal and performs the authentication process, and the identifier of the selected evolved packet data gateway is notified to the terminal through the authentication process;
  • when the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, the AAA server directly performs the authentication process.
  • the above method may also have the following features:
  • the terminal notifies the evolved packet data gateway of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function during the Internet Key Exchange security association initialization procedure with the evolved packet data gateway.
  • the above method may also have the following features:
  • the manner in which the evolved packet data gateway notifies the AAA server of whether the terminal has the Internet Key Exchange protocol redirection function is one of the following:
  • when the extensible authentication protocol response message sent to the AAA server carries a redirection capability identifier, the terminal has the Internet Key Exchange protocol redirection function; when the redirection capability identifier is not carried, the terminal does not have the Internet Key Exchange protocol redirection function;
  • the extensible authentication protocol response message sent to the AAA server always carries a redirection capability identifier, and different values of the identifier indicate whether the terminal has or does not have the Internet Key Exchange protocol redirection function.
  • the present invention further provides a system for processing a user equipment capability, including a terminal, an evolved packet data gateway, and an authentication, authorization and accounting server (the AAA server), where the evolved packet data gateway includes an Internet Key Exchange redirection function module.
  • the Internet Key Exchange redirection function module is configured to notify the authentication function module of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function.
  • the AAA server includes an authentication function module.
  • the authentication function module is configured to determine, according to the capability information, whether to reselect an evolved packet data gateway for the terminal.
  • the above system may also have the following characteristics:
  • the authentication function module is further configured to: when the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, select the evolved packet data gateway closest to the terminal for the terminal and perform the authentication process, notifying the terminal of the identifier of the selected evolved packet data gateway through the authentication process; and when the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, directly perform the authentication process.
  • the above system may also have the following characteristics:
  • the terminal is configured to notify the evolved packet data gateway of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function during the Internet Key Exchange security association initialization procedure with the evolved packet data gateway.
  • the present invention further provides an evolved packet data gateway including an Internet Key Exchange redirection function module, where the module is configured to notify the authentication, authorization and accounting server of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function.
  • the present invention further provides an authentication, authorization and accounting server that includes an authentication function module; the module is configured to determine, according to the capability information learned from the evolved packet data gateway on whether the terminal has the Internet Key Exchange protocol redirection function, whether to reselect the evolved packet data gateway for the terminal; when the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, the module selects the evolved packet data gateway closest to the terminal for the terminal and performs the authentication process, notifying the terminal of the identifier of the selected evolved packet data gateway through the authentication process; when the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, the module directly performs the authentication process.
  • because the capability information on whether the terminal has the Internet Key Exchange protocol redirection function is notified to the 3GPP AAA server, and the 3GPP AAA server determines according to it whether to reselect the evolved packet data gateway for the terminal, the 3GPP AAA server selects a new ePDG only for terminals that have this capability, which solves the authentication and authorization procedure error caused by the AAA server selecting a new ePDG for a terminal whose capability information indicates that it lacks the Internet Key Exchange protocol redirection function.
  • FIG. 1 is a schematic diagram of the interworking architecture between an EPS system and a non-3GPP system in the related art.
  • FIG. 2 is a schematic diagram of the method for processing user equipment capabilities.
  • FIG. 3 is a flowchart of the method for processing user equipment capabilities in a specific embodiment.
  • FIG. 4 is a detailed flowchart for a WLAN used as the access system in the first embodiment.
  • FIG. 5 is a flowchart of the method for processing user equipment capabilities in the second embodiment.
  • FIG. 6 is a detailed flowchart for a WLAN used as the access system in the second embodiment.
  • the system for processing the user equipment capability includes a terminal, an ePDG, and an authentication, authorization and accounting server (the AAA server), where the ePDG includes an Internet Key Exchange redirection function module.
  • the Internet Key Exchange redirection function module is configured to notify the authentication function module of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function after receiving the Internet Key Exchange authentication request sent by the terminal.
  • the AAA server includes an authentication function module.
  • the authentication function module is configured to determine, according to the capability information, whether to reselect the ePDG for the terminal. Specifically, when the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, the authentication function module selects the ePDG closest to the terminal for the terminal and performs the authentication process, notifying the terminal of the identifier of the selected ePDG through the authentication process; when the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, the authentication process is directly executed.
  • the terminal is configured to notify the ePDG of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function during the Internet Key Exchange security association initialization procedure with the ePDG.
  • an evolved packet data gateway including an Internet Key Exchange redirection function module, wherein:
  • the Internet Key Exchange redirection function module is configured to notify the authentication, authorization and accounting server of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function.
  • an authentication, authorization and accounting server, where the server includes an authentication function module;
  • the authentication function module is configured to determine, according to the capability information obtained from the evolved packet data gateway on whether the terminal has the Internet Key Exchange protocol redirection function, whether to reselect the evolved packet data gateway for the terminal; wherein:
  • when the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, the module selects the evolved packet data gateway closest to the terminal for the terminal and performs the authentication process, notifying the terminal of the identifier of the selected evolved packet data gateway through the authentication process;
  • when the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, the module directly performs the authentication process.
  • the method applied to the foregoing system includes: during the Internet Key Exchange protocol tunnel procedure between a terminal and an ePDG, the ePDG that receives the Internet Key Exchange authentication request sent by the terminal notifies the AAA server of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function.
  • the AAA server determines, according to the capability information, whether to reselect the ePDG for the terminal. Specifically, determining by the AAA server according to the capability information whether to reselect the ePDG for the terminal means:
  • when the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, the AAA server selects the ePDG closest to the terminal for the terminal and performs the authentication process, and the identifier of the selected ePDG is notified to the terminal through the authentication process;
  • when the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, the AAA server directly performs the authentication process.
  • the terminal notifies the ePDG of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function during the Internet Key Exchange security association initialization procedure with the ePDG.
  • the manner in which the ePDG notifies the AAA server of whether the terminal has the Internet Key Exchange protocol redirection function is one of the following:
  • when the extensible authentication protocol response message sent to the AAA server carries a redirection capability identifier, the terminal has the Internet Key Exchange protocol redirection function; when the redirection capability identifier is not carried, the terminal does not have the Internet Key Exchange protocol redirection function;
  • the extensible authentication protocol response message sent to the AAA server always carries a redirection capability identifier, and different values of the identifier indicate whether the terminal has or does not have the Internet Key Exchange protocol redirection function.
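The AAA-side decision described in the method above, as an added example that is not part of the patent: the two signalling modes for the capability (identifier present or absent, or an identifier whose value is 1 or 0) are modelled on an abstract EAP-Response attribute dictionary, since the patent does not define a concrete attribute encoding; the attribute name `ikev2_redirect_capable`, the ePDG identities, their coordinates and the distance metric are all constructed stand-ins for operator topology and not anything from 3GPP or the patent. A pre-patent decision rule that redirects without consulting the capability is included so the failure case from the background (a redirect sent to a UE that cannot parse it) is visible in the output.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Epdg:
    identity: str                   # IPv4/IPv6 address or FQDN, as the patent allows
    location: Tuple[float, float]   # constructed coordinates standing in for network location


# Constructed ePDG pool; "epdg-a" is the gateway the UE first contacted.
EPDGS: List[Epdg] = [
    Epdg("epdg-a.example.net", (0.0, 0.0)),
    Epdg("epdg-b.example.net", (10.0, 10.0)),
]
CURRENT_EPDG = EPDGS[0]

# Hypothetical attribute name carried in the abstract EAP-Response to the AAA server.
CAP_ATTR = "ikev2_redirect_capable"


def ue_supports_redirect(eap_response: dict, mode: str) -> bool:
    """Decode the capability from the EAP-Response using one of the patent's two modes.

    'presence': the identifier being present means the UE supports IKEv2 redirect.
    'value':    the identifier is always present; 1 means supported, 0 means not.
    """
    if mode == "presence":
        return CAP_ATTR in eap_response
    if mode == "value":
        return eap_response.get(CAP_ATTR) == 1
    raise ValueError(f"unknown signalling mode {mode!r}")


def nearest_epdg(ue_location: Tuple[float, float], epdgs: List[Epdg]) -> Epdg:
    """Pick the ePDG closest to the UE's reported location (Euclidean on constructed coordinates)."""
    return min(epdgs, key=lambda e: math.dist(ue_location, e.location))


def legacy_decide(ue_location, current: Epdg, epdgs) -> Tuple[str, Optional[str]]:
    """Pre-patent behaviour: redirect whenever a closer ePDG exists, UE capability unknown."""
    best = nearest_epdg(ue_location, epdgs)
    if best.identity != current.identity:
        return ("redirect", best.identity)
    return ("authenticate", None)


def aaa_decide(eap_response: dict, mode: str, ue_location, current: Epdg, epdgs):
    """Patent behaviour: only a UE that announced redirect support is given a new ePDG."""
    if not ue_supports_redirect(eap_response, mode):
        return ("authenticate", None)
    return legacy_decide(ue_location, current, epdgs)


def simulate(ue_supports: bool, mode: str, ue_location=(9.0, 9.0)) -> dict:
    """Run both decision rules for one UE and flag the case where the legacy rule breaks it."""
    if mode == "presence":
        msg = {CAP_ATTR: True} if ue_supports else {}
    else:
        msg = {CAP_ATTR: 1 if ue_supports else 0}
    legacy = legacy_decide(ue_location, CURRENT_EPDG, EPDGS)
    patented = aaa_decide(msg, mode, ue_location, CURRENT_EPDG, EPDGS)
    # A redirect delivered to a UE without the capability is the error case in the background.
    legacy_breaks = legacy[0] == "redirect" and not ue_supports
    return {"legacy": legacy, "patent": patented, "legacy_breaks_ue": legacy_breaks}


if __name__ == "__main__":
    for supports in (True, False):
        for mode in ("presence", "value"):
            print(f"supports={supports} mode={mode}: {simulate(supports, mode)}")
```

Running the block prints the four combinations; only the unsupported UE under the legacy rule ends up with `legacy_breaks_ue` set, which is exactly the situation the capability signalling is meant to prevent.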
  • in the first embodiment the UE is connected to the EPS system through an untrusted non-3GPP access system.
  • during creation of the Internet Key Exchange protocol (IKEv2) tunnel between the UE and the ePDG, the ePDG notifies the 3GPP AAA server of the capability information indicating that the UE has the IKEv2 redirect capability, and the 3GPP AAA server reselects the ePDG for the UE accordingly.
  • IKEv2 Internet Key Exchange Protocol version 2
  • Step 301 The UE is connected to the non-3GPP access system and optionally performs the authentication and authorization of the non-3GPP access.
  • the 3GPP AAA server may send the operator's related policy information and subscription information to the access network.
  • Step 302 The UE and the ePDG exchange the first pair of messages, IKE_SA_INIT, to negotiate encryption algorithms, exchange random numbers (nonces), and so on; in this process the UE notifies the ePDG of its IKEv2 redirect capability by means of the REDIRECT_SUPPORTED notification (defined in RFC 5685).
  • Step 303 The UE exchanges identity authentication information with the AAA server through the ePDG.
  • IKE_AUTH Internet Key Exchange Authentication
  • EAP Extensible Authentication Protocol
  • Step 304 The UE sends an Internet Key Exchange Authentication (IKE_AUTH) request message containing an EAP message to the ePDG in response to the authentication challenge received during the identity authentication interaction; the UE may further include the identifier information of the access network in the message as location information.
  • Step 305 The ePDG sends an EAP-Response message (carrying the AKA challenge information) to the 3GPP AAA server and carries in the message the identifier indicating that the UE has the IKEv2 redirect capability, or sets the flag used to indicate the UE capability information to 1.
  • Steps 306-307 After receiving the response message, the 3GPP AAA server learns that the UE has the IKEv2 redirect capability, selects a neighbouring ePDG identifier according to the current location information of the UE (the identifier may be an IPv4 or IPv6 address of the ePDG, or an FQDN), includes it in the authentication response message and sends it to the ePDG.
  • Step 308 The ePDG sends an Internet Key Exchange Authentication (IKE_AUTH) response message to the UE through IKEv2; the IKE_AUTH response message includes the redirect indication information and the new ePDG identity information received from the 3GPP AAA server, which may be the IPv4 or IPv6 address of the ePDG, or an FQDN.
  • Step 309 The UE initiates IKEv2 authentication to the new ePDG according to the redirect indication information to establish an IPsec tunnel.
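The IKEv2 notifications exchanged in steps 302 and 308 above (and their counterparts in steps 403 and 409, 502 and 603 below), as an added example that is not part of the patent: the Notify payload layout follows RFC 7296, and the REDIRECT_SUPPORTED and REDIRECT message types together with the GW Ident Type values (1 = IPv4, 2 = IPv6, 3 = FQDN) follow RFC 5685. The ePDG identities are constructed samples, the function names are the example's own, and the IKE message framing, the cryptographic exchange and the EAP exchange between the ePDG and the AAA server are deliberately left out so the block shows only how the capability and the redirect are encoded and checked on each side.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

# Notify Message Type values registered by RFC 5685 (status types).
REDIRECT_SUPPORTED = 16406
REDIRECT = 16407
REDIRECTED_FROM = 16408

# GW Ident Type values from RFC 5685.
GW_IPV4 = 1
GW_IPV6 = 2
GW_FQDN = 3


def encode_gw_identity(identity: str) -> bytes:
    """GW Ident Type + GW Ident Len + New Responder GW Identity for an IP address or FQDN."""
    try:
        addr = ipaddress.ip_address(identity)
    except ValueError:
        raw = identity.encode("ascii")
        if not raw or len(raw) > 255:
            raise ValueError("FQDN must be 1..255 bytes")
        return bytes([GW_FQDN, len(raw)]) + raw
    raw = addr.packed
    return bytes([GW_IPV4 if addr.version == 4 else GW_IPV6, len(raw)]) + raw


def build_notify(msg_type: int, data: bytes = b"", next_payload: int = 0) -> bytes:
    """Build one IKEv2 Notify payload (RFC 7296 s.3.10) for a status notification with no SPI."""
    body = struct.pack("!BBH", 0, 0, msg_type) + data      # Protocol ID 0, SPI Size 0, type
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))
    return header + body


def parse_notify(payload: bytes) -> Tuple[int, bytes]:
    """Parse one Notify payload; return (Notify Message Type, Notification Data)."""
    if len(payload) < 8:
        raise ValueError("Notify payload too short")
    _next, flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload) or flags & 0x7F:
        raise ValueError("bad Notify payload header")
    _proto, spi_size, msg_type = struct.unpack("!BBH", payload[4:8])
    return msg_type, payload[8 + spi_size:]


def parse_redirect(data: bytes) -> str:
    """Decode the New Responder GW Identity from REDIRECT notification data.

    Trailing bytes after the identity are tolerated: in an IKE_SA_INIT response RFC 5685
    appends Nonce Data there, while in IKE_AUTH (the patent's step 308) there is none.
    """
    if len(data) < 2:
        raise ValueError("REDIRECT data too short")
    ident_type, ident_len = data[0], data[1]
    ident = data[2:2 + ident_len]
    if len(ident) != ident_len:
        raise ValueError("GW Ident Len exceeds available data")
    if ident_type == GW_IPV4 and ident_len == 4:
        return str(ipaddress.IPv4Address(ident))
    if ident_type == GW_IPV6 and ident_len == 16:
        return str(ipaddress.IPv6Address(ident))
    if ident_type == GW_FQDN:
        return ident.decode("ascii")
    raise ValueError(f"unsupported GW Ident Type {ident_type} with length {ident_len}")


def ue_ike_sa_init_notifies(supports_redirect: bool) -> List[bytes]:
    """Notify payloads the UE adds to IKE_SA_INIT: step 302 sends one, step 502 sends none."""
    return [build_notify(REDIRECT_SUPPORTED)] if supports_redirect else []


def epdg_learns_capability(notifies: List[bytes]) -> bool:
    """ePDG side of step 302: a REDIRECT_SUPPORTED notification means the UE can be redirected."""
    return any(parse_notify(n)[0] == REDIRECT_SUPPORTED for n in notifies)


def epdg_ike_auth_redirect(new_epdg_identity: str) -> bytes:
    """Step 308: REDIRECT notification carrying the ePDG identity chosen by the AAA server."""
    return build_notify(REDIRECT, encode_gw_identity(new_epdg_identity))


def ue_handle_ike_auth(notifies: List[bytes]) -> Optional[str]:
    """Step 309: return the new ePDG identity to contact, or None if no REDIRECT was received."""
    for n in notifies:
        msg_type, data = parse_notify(n)
        if msg_type == REDIRECT:
            return parse_redirect(data)
    return None


if __name__ == "__main__":
    # Constructed run-through of the first embodiment with an FQDN ePDG identity.
    capable = epdg_learns_capability(ue_ike_sa_init_notifies(True))
    print("ePDG learned redirect capability:", capable)
    redirect = epdg_ike_auth_redirect("epdg2.example.net") if capable else None
    print("UE will reconnect to:", ue_handle_ike_auth([redirect] if redirect else []))
```

The ePDG only builds the REDIRECT notification when it has actually seen REDIRECT_SUPPORTED in IKE_SA_INIT, which is the check the patent moves one hop further back, to the AAA server, by forwarding the capability in the EAP-Response.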
  • the WLAN system includes an Access Point (AP) such as a WiFi access point, an Access Control Point (AC), a Residential Gateway (RG), and a Broadband Remote Access Server (BRAS) or Broadband Network Gateway (BNG).
  • AP Access Point
  • AC Access Control Point
  • RG Residential Gateway
  • BRAS Broadband Remote Access Server
  • BNG Broadband Network Gateway
  • Step 401 The user equipment establishes a wireless connection to the WLAN access system and a layer-3 connection, and the BRAS/BNG allocates an IP address to the user equipment.
  • Step 402 The UE performs authentication for non-3GPP access through the WLAN access system.
  • the 3GPP AAA server may send the operator's relevant policy information and subscription information to the BRAS/BNG, and the 3GPP AAA server may also obtain the location information of the WLAN access system from the BNG/BRAS.
  • Step 403 The UE and the ePDG exchange the first pair of messages, IKE_SA_INIT, to negotiate encryption algorithms, exchange random numbers (nonces), and so on; in this process the UE notifies the ePDG of its IKEv2 redirect capability by means of REDIRECT_SUPPORTED (defined in RFC 5685).
  • Step 404 The UE exchanges identity authentication information with the AAA server through the ePDG.
  • Step 405 The UE sends an Internet Key Exchange Authentication (IKE_AUTH) request message containing an EAP message to the ePDG in response to the authentication challenge received during the identity authentication interaction.
  • Step 406 The ePDG sends an EAP-Response message (carrying the AKA challenge information) to the 3GPP AAA server and carries the identifier indicating that the UE has the IKEv2 redirect capability, or sets the flag used to indicate the UE capability information to 1.
  • IKE_AUTH Internet Key Exchange Authentication
  • Steps 407-408 After receiving the foregoing response message, the 3GPP AAA server learns that the UE has the IKEv2 redirect capability, selects a neighbouring ePDG identifier according to the current location information of the UE (which may be an IPv4 or IPv6 address of the ePDG, or an FQDN), and sends this information to the ePDG in the authentication reply message.
  • Step 409 The ePDG sends an Internet Key Exchange Authentication (IKE_AUTH) response message to the UE through IKEv2, where the IKE_AUTH response message includes the redirect indication information and the new ePDG identity information received from the 3GPP AAA server.
  • Step 410 The UE initiates IKEv2 authentication to the new ePDG to establish an IPsec tunnel.
  • in the second embodiment the UE connects to the EPS system through an untrusted non-3GPP access system; during creation of the Internet Key Exchange protocol (IKEv2) tunnel between the UE and the ePDG, the ePDG notifies the 3GPP AAA server of the capability information indicating that the UE does not have the IKEv2 redirect capability, and the 3GPP AAA server therefore does not reselect the ePDG for the UE.
  • IKEv2 Internet Key Exchange Protocol version 2
  • Step 501 The UE is connected to the non-3GPP access system and optionally performs the authentication and authorization of the non-3GPP access.
  • the 3GPP AAA server may send the operator's related policy information and subscription information to the access network.
  • Step 502 The UE and the ePDG exchange the first pair of messages, IKE_SA_INIT, to negotiate encryption algorithms, exchange random numbers (nonces), and so on; in this process the UE does not send the REDIRECT_SUPPORTED notification (defined in RFC 5685), indicating that it does not support the IKEv2 redirect capability.
  • Step 503 The UE exchanges identity authentication information with the AAA server through the ePDG.
  • Step 504 The UE sends an Internet Key Exchange Authentication (IKE_AUTH) request message containing an Extensible Authentication Protocol (EAP) message to the ePDG in response to the authentication challenge received during the identity authentication interaction; the UE may also include the identification information of the access network as location information.
  • Step 505 The ePDG sends an EAP-Response message (carrying the AKA challenge information) to the 3GPP AAA server, and does not carry the IKEv2 redirect capability identifier of the UE, or sets the flag used to indicate the UE capability information to 0.
  • Steps 506-507 After receiving the foregoing response message, the 3GPP AAA server learns that the UE does not have the IKEv2 redirect capability and continues the subsequent authentication and authorization;
  • Step 508 The ePDG sends an Internet Key Exchange Authentication (IKE_AUTH) response message to the UE through IKEv2.
  • IKE_AUTH Internet Key Exchange Authentication
  • Step 509 The UE and the ePDG complete the subsequent IKEv2 authentication process to establish an IPsec tunnel.
  • the WLAN system is taken as a specific case of an untrusted non-3GPP access system, and the foregoing execution process is described in detail.
  • the specific process includes:
  • Step 601 The user equipment establishes a wireless connection to the WLAN access system and a layer-3 connection, and the BRAS/BNG allocates an IP address to the user equipment.
  • Step 602 The UE performs authentication for non-3GPP access through the WLAN access system.
  • the 3GPP AAA server may send the operator's relevant policy information and subscription information to the BRAS/BNG, and the 3GPP AAA server may also obtain the location information of the WLAN access system from the BNG/BRAS.
  • Step 603 The UE and the ePDG exchange the first pair of messages, IKE_SA_INIT, to negotiate encryption algorithms, exchange random numbers (nonces), and the like; in this process the UE, as in step 502, does not indicate an IKEv2 redirect capability to the ePDG by means of REDIRECT_SUPPORTED (defined in RFC 5685).
  • Step 604 The UE sends an Internet Key Exchange Authentication (IKE_AUTH) request message containing an EAP message to the ePDG in response to the authentication challenge received during the identity authentication interaction.
  • Step 605 The ePDG sends an EAP-Response message (carrying the AKA challenge information) to the 3GPP AAA server, where the message does not carry the IKEv2 redirect capability identifier of the UE, or the flag used to indicate the UE capability information is set to 0;
  • Steps 606-607 After receiving the foregoing response message, the 3GPP AAA server learns that the UE does not have the IKEv2 redirect capability and continues the subsequent authentication and authorization process.
  • Step 608 The ePDG sends an Internet Key Exchange Authentication (IKE_AUTH) response message to the UE through IKEv2.
  • Step 609 The UE and the ePDG complete the subsequent IKEv2 authentication process to establish an IPsec tunnel.
  • the capability that the ePDG notifies to the 3GPP AAA server is not limited to the IKEv2 redirect capability of the UE; it may also be other gateway-related capability information of the UE.
  • the 3GPP AAA server determines whether to perform the corresponding operation according to the capability of the UE.
  • because the capability information on whether the terminal has the Internet Key Exchange protocol redirection function is notified to the 3GPP AAA server, and the 3GPP AAA server determines according to it whether to reselect the evolved packet data gateway for the terminal, the 3GPP AAA server selects a new ePDG only for terminals that have this capability, which solves the authentication and authorization procedure error caused by the AAA server selecting a new ePDG for a terminal whose capability information indicates that it lacks the Internet Key Exchange protocol redirection function.

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A user equipment capability processing method comprises: during the establishment of an Internet key exchange protocol tunnel between a terminal and an evolved packet data gateway, the evolved packet data gateway provides an authentication authorization accounting (AAA) server with capability information stating whether the terminal has the Internet key exchange protocol redirection function.

Description

一种对用户设备能力进行处理的方法和系统  Method and system for processing user equipment capabilities
技术领域 Technical field
本发明涉及通信技术领域, 尤其涉及一种对用户设备能力进行处理的方 法和系统。  The present invention relates to the field of communications technologies, and in particular, to a method and system for processing user equipment capabilities.
背景技术 Background technique
第三代合作伙伴计划 ( 3rd Generation Partnership Project, 简称为 3GPP ) 中演进的分组系统( Evolved Packet System , 简称为 EPS ) 由演进的通用移 动通信系统陆地无线接入网 (Evolved Universal Terrestrial Radio Access Network, 简称为 E-UTRAN ) 、 移动管理单元( Mobility Management Entity, 简称为 MME ) 、 服务网关( Serving Gateway, 简称为 S-GW ) 、 分组数据网 络网关 ( Packet Data Network Gateway, 简称为 P-GW或者 PDN GW)、 归属 用户服务器(Home Subscriber Server, 简称为 HSS ) 、 策略和计费规则功能 ( Policy and Charging Rules Function , 简称为 PCRF ) 实体及其他支撑节点组 成。  The Evolved Packet System (EPS) in the 3rd Generation Partnership Project (3GPP) is evolved by the Evolved Universal Terrestrial Radio Access Network (Evolved Universal Terrestrial Radio Access Network). Referred to as E-UTRAN, Mobility Management Entity (MME), Serving Gateway (S-GW), Packet Data Network Gateway (P-GW or PDN) GW), Home Subscriber Server (HSS), Policy and Charging Rules Function (PCRF) entity and other supporting nodes.
如图 1所示, EPS系统支持与非 3GPP系统的互通, 其中, 与非 3GPP系 统的互通通过 S2a/S2b/S2c接口实现, 3GPP与非 3GPP系统间的锚点为 P-GW。 非 3GPP系统被分为可信任非 3GPP IP接入和不可信任非 3GPP IP接入。 可 信任非 3GPP IP接入可直接通过 S2a接口与 P-GW连接;不可信任非 3GPP IP 接入需经过演进分组数据网关( Evolved Packet Data Gateway, 简称为 ePDG ) 与 PDN GW相连, ePDG与 PDN GW间的接口为 S2b , S2c提供了 UE与 P-GW 之间的用户面相关的控制和移动性支持, 其支持的移动性管理协议为支持双 栈的移动 IPv6 ( Mobile IPv6 Support for Dual Stack Hosts and Routers, 简称为 DSMIPv6 )。  As shown in Figure 1, the EPS system supports interworking with non-3GPP systems. The interworking with non-3GPP systems is implemented through the S2a/S2b/S2c interface, and the anchor point between the 3GPP and non-3GPP systems is the P-GW. Non-3GPP systems are classified into trusted non-3GPP IP access and untrusted non-3GPP IP access. The trusted non-3GPP IP access can be directly connected to the P-GW through the S2a interface; the untrusted non-3GPP IP access needs to be connected to the PDN GW through an Evolved Packet Data Gateway (ePDG), ePDG and PDN GW. The interface between S2b and S2c provides user plane-related control and mobility support between the UE and the P-GW. The supported mobility management protocol is Mobile IPv6 Support for Dual Stack Hosts and Routers, referred to as DSMIPv6).
图 1中, MME移动管理单元负责移动性管理、非接入层信令的处理和用 户移动管理上下文的管理等控制面的相关工作; S-GW是与 E-UTRAN相连的 接入网关设备, 在 E-UTRAN和 P-GW之间转发数据, 并且负责对寻呼等待 数据进行緩存; P-GW则是 EPS与分组数据网络( Packet Data Network, 简称 为 PDN )的边界网关,负责 PDN的接入及在 EPS与 PDN间转发数据等功能; PCRF是策略和计费规则功能实体, 它通过接收接口 Rx和运营商网络协议 ( Internet Protocol , 简称为 IP )业务网络相连, 获取业务信息, 此外, 它通 过 Gx/Gxa/Gxc接口与网络中的网关设备相连, 负责发起 IP承载的建立, 保 证业务数据的服务质量( Quality of Service, 简称为 QoS ) , 并进行计费控制。 In FIG. 1, the MME mobility management unit is responsible for control planes such as mobility management, non-access stratum signaling processing, and user mobility management context management; and the S-GW is an access gateway device connected to the E-UTRAN. Forwarding data between E-UTRAN and P-GW, and responsible for buffering paging waiting data; P-GW is EPS and packet data network (Packet Data Network, referred to as A border gateway for PDN), responsible for PDN access and forwarding data between EPS and PDN; PCRF is a policy and charging rule function entity that receives the interface Rx and the carrier network protocol (Internet Protocol, referred to as IP) The service network is connected to obtain the service information. In addition, it is connected to the gateway device in the network through the Gx/Gxa/Gxc interface, and is responsible for initiating the establishment of the IP bearer and ensuring the quality of service (QoS) of the service data. And charge control.
When a UE connects to the EPS through an untrusted access system it must first select a suitable ePDG. In the current technology, an ePDG located close to the access system the UE is attached to may be selected for the UE by the 3GPP AAA server, based on the UE's IP address or on information about the access network. This selection takes place during the procedure in which the UE and the ePDG create an IKEv2 security association and establish an IPsec tunnel for authentication and authorization, and it requires both the UE and the ePDG to support the IKEv2 redirect mechanism defined by the IETF (RFC 5685, Redirect Mechanism for the IKEv2 Protocol). This mechanism allows redirection of the IKEv2 server during IKE_SA_INIT, during IKE_AUTH, or after the IKEv2 session has been established; in the 3GPP scenario it can be regarded as the ePDG redirecting the UE to another ePDG. The existing problem is that the 3GPP AAA server does not know whether the UE has the IKEv2 redirect capability (this capability is not mandatory for a UE). If the 3GPP AAA server finds an ePDG closer to the UE it notifies the current ePDG; if the current ePDG then sends a redirect to a UE that does not support IKEv2 redirection, the UE cannot recognize the message content and may even treat it as an error. If instead the current ePDG ignores the redirect indication from the 3GPP AAA server, the authentication and authorization procedure cannot be completed either. Either way the whole IKEv2 tunnel establishment and authentication/authorization procedure fails.
Summary of the Invention
The technical problem to be solved by the present invention is to provide a method and system for making an Evolved Packet Data Gateway redirection decision, which solves the problem that the authentication and authorization procedure fails when the AAA server selects a new ePDG for a terminal whose capability information shows that it does not have the Internet Key Exchange protocol redirection function.
In order to solve the above technical problem, the present invention provides a method for processing user equipment capability, wherein, during creation of an Internet Key Exchange protocol tunnel between a terminal and an Evolved Packet Data Gateway, the Evolved Packet Data Gateway notifies the Authentication, Authorization and Accounting server (AAA server) of capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function.
Preferably, the above method may further have the following feature: the AAA server decides, according to the capability information, whether to reselect an Evolved Packet Data Gateway for the terminal.
Preferably, the above method may further have the following feature:
the AAA server deciding, according to the capability information, whether to reselect an Evolved Packet Data Gateway for the terminal comprises:
when the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, the AAA server selects for the terminal the Evolved Packet Data Gateway nearest to the terminal and executes the authentication procedure, and notifies the terminal of the identifier of the selected Evolved Packet Data Gateway through the authentication procedure;
when the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, the AAA server directly executes the authentication procedure.
Preferably, the above method may further have the following feature:
the terminal notifies the Evolved Packet Data Gateway of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function during the Internet Key Exchange security association initialization procedure (IKE_SA_INIT) with the Evolved Packet Data Gateway.
Preferably, the above method may further have the following feature:
the manner in which the Evolved Packet Data Gateway notifies the AAA server of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function is one of the following:
carrying a redirection capability identifier in the Extensible Authentication Protocol response message sent to the AAA server indicates that the terminal has the Internet Key Exchange protocol redirection function, and not carrying the redirection capability identifier indicates that the terminal does not have the Internet Key Exchange protocol redirection function;
carrying a redirection capability identifier in the Extensible Authentication Protocol response message sent to the AAA server, where different values of this redirection capability identifier indicate that the terminal has or does not have the Internet Key Exchange protocol redirection function.
In order to solve the above technical problem, the present invention further provides a system for processing user equipment capability, comprising a terminal, an Evolved Packet Data Gateway and an Authentication, Authorization and Accounting server (AAA server), wherein the Evolved Packet Data Gateway comprises an Internet Key Exchange redirection function module and the AAA server comprises an authentication function module;
the Internet Key Exchange redirection function module is configured to notify the authentication function module of capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function; and
the authentication function module is configured to decide, according to the capability information, whether to reselect an Evolved Packet Data Gateway for the terminal.
Preferably, the above system may further have the following feature:
the authentication function module is further configured to: when it determines that the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, select for the terminal the Evolved Packet Data Gateway nearest to the terminal and execute the authentication procedure, notifying the terminal of the identifier of the selected Evolved Packet Data Gateway through the authentication procedure; and when it determines that the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, directly execute the authentication procedure.
Preferably, the above system may further have the following feature:
the terminal is configured to notify the Evolved Packet Data Gateway of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function during the Internet Key Exchange security association initialization procedure with the Evolved Packet Data Gateway.
In order to solve the above technical problem, the present invention further provides an Evolved Packet Data Gateway comprising an Internet Key Exchange redirection function module, wherein the Internet Key Exchange redirection function module is configured to notify the Authentication, Authorization and Accounting server of capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function.
In order to solve the above technical problem, the present invention further provides an Authentication, Authorization and Accounting server, wherein the Authentication, Authorization and Accounting server comprises an authentication function module; the authentication function module is configured to: decide, according to the capability information learned from the Evolved Packet Data Gateway indicating whether the terminal has the Internet Key Exchange protocol redirection function, whether to reselect an Evolved Packet Data Gateway for the terminal; when it determines that the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, select for the terminal the Evolved Packet Data Gateway nearest to the terminal and execute the authentication procedure, notifying the terminal of the identifier of the selected Evolved Packet Data Gateway through the authentication procedure; and when it determines that the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, directly execute the authentication procedure.
In this solution, the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function is notified to the 3GPP AAA server, and the 3GPP AAA server decides according to this capability information whether to reselect an Evolved Packet Data Gateway for the terminal. That is, the 3GPP AAA server selects a new ePDG only for terminals that have this capability, which solves the problem that the authentication and authorization procedure fails when the AAA server selects a new ePDG for a terminal whose capability information shows that it does not have the Internet Key Exchange protocol redirection function.
Brief Description of the Drawings
FIG. 1 is an architecture diagram of EPS interworking with non-3GPP systems in the related art; FIG. 2 is a schematic diagram of the method for processing user equipment capability;
FIG. 3 is a flowchart of the method for processing user equipment capability in Embodiment One; FIG. 4 is a detailed flowchart of Embodiment One with a WLAN as the access system;
FIG. 5 is a flowchart of the method for processing user equipment capability in Embodiment Two; FIG. 6 is a detailed flowchart of Embodiment Two with a WLAN as the access system.
Preferred Embodiments of the Invention
The system for processing user equipment capability comprises a terminal, an ePDG and an Authentication, Authorization and Accounting server (AAA server), wherein the ePDG comprises an Internet Key Exchange redirection function module.
The Internet Key Exchange redirection function module is configured to notify the authentication function module of capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function, after receiving the Internet Key Exchange authentication request sent by the terminal.
The AAA server comprises an authentication function module. The authentication function module is configured to decide, according to the capability information, whether to reselect an ePDG for the terminal. Specifically, when the authentication function module determines that the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, it selects for the terminal the ePDG nearest to the terminal and executes the authentication procedure, notifying the terminal of the identifier of the selected ePDG through the authentication procedure; when it determines that the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, it directly executes the authentication procedure.
The terminal is configured to notify the ePDG of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function during the Internet Key Exchange security association initialization procedure with the ePDG.
An Evolved Packet Data Gateway comprises an Internet Key Exchange redirection function module, wherein the Internet Key Exchange redirection function module is configured to notify the Authentication, Authorization and Accounting server of capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function.
An Authentication, Authorization and Accounting server comprises an authentication function module; the authentication function module is configured to: decide, according to the capability information learned from the Evolved Packet Data Gateway indicating whether the terminal has the Internet Key Exchange protocol redirection function, whether to reselect an Evolved Packet Data Gateway for the terminal; when it determines that the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, select for the terminal the Evolved Packet Data Gateway nearest to the terminal and execute the authentication procedure, notifying the terminal of the identifier of the selected Evolved Packet Data Gateway through the authentication procedure; and when it determines that the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, directly execute the authentication procedure.
As shown in FIG. 2, the method applied to the above system comprises: during creation of the Internet Key Exchange protocol tunnel between the terminal and the ePDG, the ePDG that receives the Internet Key Exchange authentication request sent by the terminal notifies the AAA server of capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function.
The AAA server decides, according to the capability information, whether to reselect an ePDG for the terminal. Specifically, the AAA server deciding according to the capability information whether to reselect an ePDG for the terminal means:
when the capability information indicates that the terminal has the Internet Key Exchange protocol redirection function, the AAA server selects for the terminal the ePDG nearest to the terminal and executes the authentication procedure, notifying the terminal of the identifier of the selected ePDG through the authentication procedure;
when the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirection function, the AAA server directly executes the authentication procedure.
The terminal notifies the ePDG of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function during the Internet Key Exchange security association initialization procedure with the ePDG.
The manner in which the ePDG notifies the AAA server of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirection function is one of the following:
(1) carrying a redirection capability identifier in the Extensible Authentication Protocol response message sent to the AAA server indicates that the terminal has the Internet Key Exchange protocol redirection function, and not carrying the redirection capability identifier indicates that the terminal does not have the Internet Key Exchange protocol redirection function;
(2) carrying a redirection capability identifier in the Extensible Authentication Protocol response message sent to the AAA server, where different values of this redirection capability identifier indicate that the terminal has or does not have the Internet Key Exchange protocol redirection function.
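The two notification modes above and the AAA server's selection rule, written out as an added Python example; this is not code from the patent or from any ZTE product. The attribute name UE-IKEv2-Redirect-Capability, the ePDG inventory, the access-network identifiers and the "nearest" rule (an ePDG is nearest when its list of served access networks contains the UE's) are assumptions made for the example; the EAP-Response itself is treated as opaque bytes, and the capability rides alongside it as an attribute of the ePDG-to-AAA message.

```python
"""Added example (not from the patent): capability signalling from the ePDG to
the 3GPP AAA server in the two modes the description allows, and the AAA
server's ePDG reselection decision.  Attribute name, ePDG pool and the
nearest-gateway rule are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical attribute carried with the EAP-Response towards the AAA server.
REDIRECT_CAP_ATTR = "UE-IKEv2-Redirect-Capability"


@dataclass
class AAARequest:
    eap_response: bytes            # EAP-Response/AKA-Challenge, opaque here
    ue_location: str               # access-network identifier supplied by the UE
    attrs: dict = field(default_factory=dict)


def encode_capability_presence(req: AAARequest, ue_supports_redirect: bool) -> AAARequest:
    """Mode (1): the attribute is present only when the UE sent REDIRECT_SUPPORTED."""
    if ue_supports_redirect:
        req.attrs[REDIRECT_CAP_ATTR] = b""
    return req


def encode_capability_value(req: AAARequest, ue_supports_redirect: bool) -> AAARequest:
    """Mode (2): the attribute is always present; its value (1 or 0) carries the capability."""
    req.attrs[REDIRECT_CAP_ATTR] = b"\x01" if ue_supports_redirect else b"\x00"
    return req


def ue_has_redirect_capability(req: AAARequest) -> bool:
    """AAA side: one rule decodes both modes.  An absent attribute means
    'incapable', so an older ePDG that never sets it can never cause a redirect."""
    value = req.attrs.get(REDIRECT_CAP_ATTR)
    return value is not None and value != b"\x00"


@dataclass(frozen=True)
class EPDG:
    ident: str        # IPv4/IPv6 address or FQDN, as the description allows
    serves: tuple     # access-network identifiers this ePDG is close to


# Constructed ePDG inventory for the example.
EPDG_POOL = (
    EPDG("epdg-north.example.net", ("wlan-north-1", "wlan-north-2")),
    EPDG("203.0.113.10", ("wlan-south-1",)),
)


@dataclass
class AAADecision:
    continue_auth: bool
    redirect_to: Optional[str]   # ePDG identifier placed in the authentication answer


def nearest_epdg(ue_location: str) -> Optional[EPDG]:
    for gw in EPDG_POOL:
        if ue_location in gw.serves:
            return gw
    return None


def aaa_decide(req: AAARequest, current_epdg: str) -> AAADecision:
    """Authentication function module: reselect only for a UE that can follow a redirect."""
    if not ue_has_redirect_capability(req):
        # Embodiment Two: no reselection, the authentication simply continues.
        return AAADecision(continue_auth=True, redirect_to=None)
    best = nearest_epdg(req.ue_location)
    if best is None or best.ident == current_epdg:
        # Unknown location, or the UE is already on the nearest gateway.
        return AAADecision(continue_auth=True, redirect_to=None)
    # Embodiment One: the answer carries the nearer ePDG's identifier.
    return AAADecision(continue_auth=True, redirect_to=best.ident)
```

The decoding rule is deliberately conservative: if the ePDG and the AAA server disagree on which of the two modes is in use, the only way that can fail is towards "no redirect", which is the outcome that always completes authentication.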
Embodiment One
As shown in FIG. 3, in this embodiment the UE connects to the EPS through an untrusted non-3GPP access system. During creation of the Internet Key Exchange protocol (IKEv2) tunnel between the UE and the ePDG, the ePDG notifies the 3GPP AAA server of capability information indicating that the UE has the IKEv2 redirection capability, and the 3GPP AAA server reselects an ePDG for the UE accordingly. The detailed procedure is as follows:
Step 301: The UE connects to the non-3GPP access system and optionally performs authentication and authorization for non-3GPP access; during this process the 3GPP AAA server may send the operator's relevant policy information and subscription information to the access network;
Step 302: The UE and the ePDG exchange the first pair of messages, IKE_SA_INIT, to negotiate cryptographic algorithms, exchange nonces and so on; in this exchange the UE notifies the ePDG that it supports IKEv2 redirection by including a REDIRECT_SUPPORTED notification (defined in RFC 5685);
Step 303: The UE exchanges identity authentication information with the AAA server through the ePDG; Step 304: The UE sends an Internet Key Exchange authentication (IKE_AUTH) request message containing an Extensible Authentication Protocol (EAP) message to the ePDG in response to the authentication challenge received during the identity authentication exchange; the UE may also include the identifier of the access network it is attached to in this message as location information;
Step 305: The ePDG sends the EAP-Response message (carrying the AKA challenge information) to the 3GPP AAA server, and carries in this message an identifier indicating that the UE has the IKEv2 redirection capability, or sets the flag bit used to represent the UE capability information to 1;
Steps 306-307: After receiving the above response message, the 3GPP AAA server learns that the UE has the IKEv2 redirection capability, selects a nearby ePDG according to the current location information of the UE, and includes the identifier of that ePDG (which may be the IPv4 or IPv6 address of the ePDG, or its FQDN) in the authentication answer message sent to the ePDG;
Step 308: The ePDG sends an Internet Key Exchange authentication (IKE_AUTH) response message to the UE via IKEv2; the IKE_AUTH response message carries the redirection indication and the new ePDG identity received from the 3GPP AAA server, which may be the IPv4 or IPv6 address of the ePDG or its FQDN;
Step 309: According to the redirection indication, the UE initiates IKEv2 authentication towards the new ePDG to establish the IPsec tunnel.
As shown in FIG. 4, the above procedure is described in detail taking a WLAN system as a specific case of an untrusted non-3GPP access system. The WLAN system comprises main network elements such as an Access Point (AP), for example a WiFi access point, an Access Controller (AC), a Residential Gateway (RG), and a Broadband Remote Access Server (BRAS) / Broadband Network Gateway (BNG). The detailed procedure comprises:
Step 401: The user equipment establishes a wireless connection to the WLAN access system and establishes a layer-3 connection; the BRAS/BNG allocates an IP address to the user equipment.
Step 402: The UE performs authentication and authorization for non-3GPP access through the WLAN access system; here the 3GPP AAA server may send the operator's relevant policy information and subscription information to the BRAS/BNG, and in this procedure the 3GPP AAA server may also obtain the location information of the WLAN access system from the BNG/BRAS.
Step 403: The UE and the ePDG exchange the first pair of messages, IKE_SA_INIT, to negotiate cryptographic algorithms, exchange nonces and so on; in this exchange the UE notifies the ePDG that it supports IKEv2 redirection by including a REDIRECT_SUPPORTED notification (defined in RFC 5685).
Step 404: The UE exchanges identity authentication information with the AAA server through the ePDG. Step 405: The UE sends an Internet Key Exchange authentication (IKE_AUTH) request message containing an EAP message to the ePDG in response to the authentication challenge received during the identity authentication exchange. Step 406: The ePDG sends the EAP-Response message (carrying the AKA challenge information) to the 3GPP AAA server, and carries in this message an identifier indicating that the UE has the IKEv2 redirection capability, or sets the flag bit used to represent the UE capability information to 1.
Steps 407-408: After receiving the above response message, the 3GPP AAA server learns that the UE has the IKEv2 redirection capability, selects a nearby ePDG according to the current location information of the UE, and includes the identifier of that ePDG (which may be the IPv4 or IPv6 address of the ePDG, or its FQDN) in the authentication answer message sent to the ePDG.
Step 409: The ePDG sends an Internet Key Exchange authentication (IKE_AUTH) response message to the UE via IKEv2; the IKE_AUTH response message carries the redirection indication and the new ePDG identity received from the 3GPP AAA server.
Step 410: The UE initiates IKEv2 authentication towards the new ePDG to establish the IPsec tunnel.
Embodiment Two
As shown in FIG. 5, in this embodiment the UE connects to the EPS through an untrusted non-3GPP access system. During creation of the Internet Key Exchange protocol (IKEv2) tunnel between the UE and the ePDG, the ePDG notifies the 3GPP AAA server of capability information indicating that the UE does not have the IKEv2 redirection capability, and the 3GPP AAA server does not reselect an ePDG for the UE. The detailed procedure is as follows:
Step 501: The UE connects to the non-3GPP access system and optionally performs authentication and authorization for non-3GPP access; during this process the 3GPP AAA server may send the operator's relevant policy information and subscription information to the access network;
Step 502: The UE and the ePDG exchange the first pair of messages, IKE_SA_INIT, to negotiate cryptographic algorithms, exchange nonces and so on; in this exchange the UE indicates to the ePDG, through the REDIRECT_SUPPORTED mechanism of RFC 5685, that it does not support IKEv2 redirection, that is, it sends no REDIRECT_SUPPORTED notification;
Step 503: The UE exchanges identity authentication information with the AAA server through the ePDG; Step 504: The UE sends an Internet Key Exchange authentication (IKE_AUTH) request message containing an Extensible Authentication Protocol (EAP) message to the ePDG in response to the authentication challenge received during the identity authentication exchange; the UE may also include the identifier of the access network it is attached to in this message as location information; Step 505: The ePDG sends the EAP-Response message (carrying the AKA challenge information) to the 3GPP AAA server, and either does not carry the UE's IKEv2 redirection capability identifier in this message or sets the flag bit used to represent the UE capability information to 0;
Steps 506-507: After receiving the above response message, the 3GPP AAA server learns that the UE does not have the IKEv2 redirection capability and continues with the subsequent authentication and authorization;
Step 508: The ePDG sends an Internet Key Exchange authentication (IKE_AUTH) response message to the UE via IKEv2.
Step 509: The UE and the ePDG complete the subsequent IKEv2 authentication procedure and establish the IPsec tunnel.
As shown in FIG. 6, the above procedure is described in detail taking a WLAN system as a specific case of an untrusted non-3GPP access system. The detailed procedure comprises:
Step 601: The user equipment establishes a wireless connection to the WLAN access system and establishes a layer-3 connection; the BRAS/BNG allocates an IP address to the user equipment.
Step 602: The UE performs authentication and authorization for non-3GPP access through the WLAN access system; here the 3GPP AAA server may send the operator's relevant policy information and subscription information to the BRAS/BNG, and in this procedure the 3GPP AAA server may also obtain the location information of the WLAN access system from the BNG/BRAS.
Step 603: The UE and the ePDG exchange the first pair of messages, IKE_SA_INIT, to negotiate cryptographic algorithms, exchange nonces and so on; in this exchange the UE indicates to the ePDG, through the REDIRECT_SUPPORTED mechanism of RFC 5685, that it does not support IKEv2 redirection, that is, it sends no REDIRECT_SUPPORTED notification.
Step 604: The UE sends an Internet Key Exchange authentication (IKE_AUTH) request message containing an EAP message to the ePDG in response to the authentication challenge received during the identity authentication exchange.
Step 605: The ePDG sends the EAP-Response message (carrying the AKA challenge information) to the 3GPP AAA server, and either does not carry the UE's IKEv2 redirection capability identifier in this message or sets the flag bit used to represent the UE capability information to 0;
Steps 606-607: After receiving the above response message, the 3GPP AAA server learns that the UE does not have the IKEv2 redirection capability and continues with the subsequent authentication and authorization procedure.
Step 608: The ePDG sends an Internet Key Exchange authentication (IKE_AUTH) response message to the UE via IKEv2. Step 609: The UE and the ePDG complete the subsequent IKEv2 authentication procedure and establish the IPsec tunnel. In this solution, the UE capability that the ePDG notifies to the 3GPP AAA server is not limited to the UE's IKEv2 redirection capability; it may also be, for example, whether the UE has gateway capability, and the 3GPP AAA server decides according to the UE's capability whether to perform the corresponding operation.
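Embodiments One and Two as seen on the IKEv2 side, as an added Python example that is not code from the patent or from any ePDG or UE product. It encodes the REDIRECT notification data the way RFC 5685 lays it out (gateway identity type, one-octet identity length, the identity itself; the nonce field is absent because in the patent the REDIRECT travels in the IKE_AUTH response rather than in the IKE_SA_INIT response) and adds the check a practitioner wants at the ePDG: a REDIRECT is emitted only if the UE sent REDIRECT_SUPPORTED in IKE_SA_INIT, whatever the AAA answer contains, since a UE that never announced support cannot be expected to act on one. The IkeMessage container, the AAA stand-in and the gateway names are assumptions; the IKEv2 header, encryption and the EAP-AKA exchange are omitted.

```python
"""Added example (not from the patent): the IKEv2 half of Embodiments One and
Two.  RFC 5685 REDIRECT data encoding/decoding, plus the ePDG-side rule that a
REDIRECT goes only to a UE that announced REDIRECT_SUPPORTED.  Message
containers, the AAA stand-in and gateway names are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

# RFC 5685, section 9: notify message types.
REDIRECT_SUPPORTED = 16406
REDIRECT = 16407
REDIRECTED_FROM = 16408
# RFC 5685, section 6: gateway identity types.
GW_IDENT_IPV4, GW_IDENT_IPV6, GW_IDENT_FQDN = 1, 2, 3


def encode_redirect_data(new_gw: str) -> bytes:
    """Notification data of a REDIRECT carried in IKE_AUTH: type, length, identity."""
    try:
        addr = ipaddress.ip_address(new_gw)
        ident = addr.packed
        ident_type = GW_IDENT_IPV4 if addr.version == 4 else GW_IDENT_IPV6
    except ValueError:
        ident = new_gw.encode("idna")        # FQDN, as the description also allows
        ident_type = GW_IDENT_FQDN
    if len(ident) > 255:
        raise ValueError("gateway identity does not fit a one-octet length")
    return bytes([ident_type, len(ident)]) + ident


def decode_redirect_data(data: bytes) -> str:
    """UE side: parse REDIRECT data, rejecting truncated or mis-sized identities."""
    if len(data) < 2:
        raise ValueError("REDIRECT data too short")
    ident_type, ident_len = data[0], data[1]
    ident = data[2:2 + ident_len]
    if len(ident) != ident_len:
        raise ValueError("truncated gateway identity")
    if ident_type == GW_IDENT_IPV4 and ident_len == 4:
        return str(ipaddress.IPv4Address(ident))
    if ident_type == GW_IDENT_IPV6 and ident_len == 16:
        return str(ipaddress.IPv6Address(ident))
    if ident_type == GW_IDENT_FQDN:
        return ident.decode("idna")
    raise ValueError(f"bad gateway identity type/length {ident_type}/{ident_len}")


@dataclass
class IkeMessage:
    exchange: str                                   # "IKE_SA_INIT" or "IKE_AUTH"
    notifies: dict = field(default_factory=dict)    # notify type -> notification data


@dataclass
class EPDGState:
    ident: str
    ue_supports_redirect: bool = False      # learned in IKE_SA_INIT (steps 302 / 502)
    refused_unsafe_redirect: bool = False   # set if the AAA answer had to be overridden


def epdg_handle_sa_init(state: EPDGState, req: IkeMessage) -> IkeMessage:
    """Record whether the initiator announced REDIRECT_SUPPORTED."""
    state.ue_supports_redirect = REDIRECT_SUPPORTED in req.notifies
    return IkeMessage("IKE_SA_INIT")


def aaa_answer(reported_capability: bool, nearer_epdg: Optional[str]) -> Optional[str]:
    """Stand-in for steps 306-307 / 506-507: a new ePDG identifier comes back
    only when the ePDG reported the UE as redirect-capable."""
    return nearer_epdg if reported_capability else None


def epdg_handle_auth(state: EPDGState, nearer_epdg: Optional[str],
                     aaa: Callable[[bool, Optional[str]], Optional[str]] = aaa_answer) -> IkeMessage:
    """Steps 305-308 / 505-508 from the ePDG's point of view."""
    target = aaa(state.ue_supports_redirect, nearer_epdg)
    resp = IkeMessage("IKE_AUTH")
    if target is not None:
        if not state.ue_supports_redirect:
            # RFC 5685 forbids REDIRECT to a peer that did not signal support; with
            # the capability relayed correctly the AAA never asks for this, but a
            # misconfigured server must not be allowed to break the UE's session.
            state.refused_unsafe_redirect = True
        else:
            resp.notifies[REDIRECT] = encode_redirect_data(target)
    return resp


def ue_run(supports_redirect: bool, current_epdg: str, nearer_epdg: Optional[str]) -> str:
    """Drive one UE through both exchanges; returns the ePDG it ends up on."""
    state = EPDGState(current_epdg)
    init = IkeMessage("IKE_SA_INIT")
    if supports_redirect:
        init.notifies[REDIRECT_SUPPORTED] = b""   # presence is the signal; no data
    epdg_handle_sa_init(state, init)
    auth_resp = epdg_handle_auth(state, nearer_epdg)
    if REDIRECT in auth_resp.notifies:
        return decode_redirect_data(auth_resp.notifies[REDIRECT])   # step 309 / 410
    return current_epdg                                             # step 509 / 609
```

ue_run(True, "203.0.113.10", "epdg-north.example.net") ends on the northern gateway (Embodiment One); the same call with supports_redirect=False stays on 203.0.113.10 (Embodiment Two). The refused_unsafe_redirect flag is what an operator would alarm on: it means the AAA server asked for a redirect the ePDG knew the UE could not follow.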
It should be noted that, where there is no conflict, the embodiments of this application and the features in the embodiments may be combined with one another arbitrarily. Of course, the present invention may also have various other embodiments; corresponding changes and variations that do not depart from the spirit and substance of the present invention shall all fall within the scope of protection of the claims appended to the present invention.

A person of ordinary skill in the art will understand that all or some of the steps of the above method may be implemented by a program instructing the relevant hardware, and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any specific combination of hardware and software.

Industrial Applicability

In this solution, capability information indicating whether the terminal has the Internet Key Exchange protocol redirect function is notified to the 3GPP AAA server, and the 3GPP AAA server decides according to this capability information whether to reselect an evolved packet data gateway for the terminal; that is, the 3GPP AAA server selects a new ePDG only for terminals that have this capability. This avoids the authentication and authorization procedure failing because the AAA server selected a new ePDG for a terminal that lacks the Internet Key Exchange protocol redirect function.

Claims

1. A method for processing user equipment capability, wherein:
in the process of creating an Internet Key Exchange protocol tunnel between a terminal and an evolved packet data gateway, the evolved packet data gateway notifies an authentication, authorization and accounting server (AAA server) of capability information indicating whether the terminal has an Internet Key Exchange protocol redirect function.

2. The method according to claim 1, wherein:
the AAA server decides, according to the capability information, whether to reselect an evolved packet data gateway for the terminal.

3. The method according to claim 2, wherein the AAA server deciding, according to the capability information, whether to reselect an evolved packet data gateway for the terminal comprises:
when the capability information indicates that the terminal has the Internet Key Exchange protocol redirect function, the AAA server selects for the terminal the evolved packet data gateway closest to the terminal and performs the authentication procedure, and notifies the terminal of the identifier of the selected evolved packet data gateway through the authentication procedure;
when the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirect function, the AAA server directly performs the authentication procedure.

4. The method according to claim 1, 2 or 3, wherein:
the terminal notifies the evolved packet data gateway of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirect function during the Internet Key Exchange security association initialization (IKE_SA_INIT) procedure with the evolved packet data gateway.

5. The method according to claim 1, 2 or 3, wherein:
the manner in which the evolved packet data gateway notifies the AAA server of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirect function is one of the following:
the extensible authentication protocol response message sent to the AAA server carries a redirect capability identifier to indicate that the terminal has the Internet Key Exchange protocol redirect function, and omits the redirect capability identifier to indicate that the terminal does not have the Internet Key Exchange protocol redirect function;
the extensible authentication protocol response message sent to the AAA server carries a redirect capability identifier, and different values of this redirect capability identifier indicate that the terminal has or does not have the Internet Key Exchange protocol redirect function.

6. A system for processing user equipment capability, comprising a terminal, an evolved packet data gateway and an authentication, authorization and accounting server (AAA server), wherein the evolved packet data gateway comprises an Internet Key Exchange redirect function module;
the Internet Key Exchange redirect function module is configured to notify the AAA server of capability information indicating whether the terminal has an Internet Key Exchange protocol redirect function.

7. The system according to claim 6, wherein:
the AAA server comprises an authentication function module;
the authentication function module is configured to decide, according to the capability information, whether to reselect an evolved packet data gateway for the terminal; wherein, when it determines that the capability information indicates that the terminal has the Internet Key Exchange protocol redirect function, it selects for the terminal the evolved packet data gateway closest to the terminal and performs the authentication procedure, and notifies the terminal of the identifier of the selected evolved packet data gateway through the authentication procedure; when it determines that the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirect function, it directly performs the authentication procedure.

8. The system according to claim 6, wherein:
the terminal is configured to notify the evolved packet data gateway of the capability information indicating whether the terminal has the Internet Key Exchange protocol redirect function during the Internet Key Exchange security association initialization (IKE_SA_INIT) procedure with the evolved packet data gateway.

9. An evolved packet data gateway, comprising an Internet Key Exchange redirect function module, wherein:
the Internet Key Exchange redirect function module is configured to notify an authentication, authorization and accounting server of capability information indicating whether the terminal has an Internet Key Exchange protocol redirect function.

10. An authentication, authorization and accounting server, wherein the authentication, authorization and accounting server comprises an authentication function module;
the authentication function module is configured to decide, according to capability information learned from an evolved packet data gateway indicating whether a terminal has an Internet Key Exchange protocol redirect function, whether to reselect an evolved packet data gateway for the terminal; wherein, when it determines that the capability information indicates that the terminal has the Internet Key Exchange protocol redirect function, it selects for the terminal the evolved packet data gateway closest to the terminal and performs the authentication procedure, and notifies the terminal of the identifier of the selected evolved packet data gateway through the authentication procedure; when it determines that the capability information indicates that the terminal does not have the Internet Key Exchange protocol redirect function, it directly performs the authentication procedure.
PCT/CN2012/081004 2011-09-13 2012-09-05 User equipment capability processing method and system WO2013037273A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110269720.4A CN103002429B (en) 2011-09-13 2011-09-13 Method and system for processing UE (user equipment) capability
CN201110269720.4 2011-09-13

Publications (1)

Publication Number Publication Date
WO2013037273A1 true WO2013037273A1 (en) 2013-03-21

Family

ID=47882606

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/081004 WO2013037273A1 (en) 2011-09-13 2012-09-05 User equipment capability processing method and system

Country Status (2)

Country Link
CN (1) CN103002429B (en)
WO (1) WO2013037273A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682895A (en) * 2016-08-01 2018-02-09 大唐移动通信设备有限公司 A kind of reorientation method and device
CN109428852A (en) * 2017-07-18 2019-03-05 中兴通讯股份有限公司 Communication tunnel end-point addresses separation method, terminal, ePDG and storage medium
US10237795B2 (en) 2015-10-11 2019-03-19 Qualcomm Incorporated Evolved packet data gateway (EPDG) reselection

Families Citing this family (1)

Publication number Priority date Publication date Assignee Title
EP3054738B1 (en) 2013-11-01 2020-01-01 Huawei Technologies Co., Ltd. Apparatus and method for establishing connection with packet data network

Citations (6)

Publication number Priority date Publication date Assignee Title
CN101282287A (en) * 2007-04-02 2008-10-08 华为技术有限公司 Method and apparatus for negotiation mobility management protocol
CN101351019A (en) * 2007-07-20 2009-01-21 华为技术有限公司 Access gateway, terminal as well as method and system for establishing data connection
CN101483922A (en) * 2008-01-09 2009-07-15 华为技术有限公司 Method for access control, access gateway and authentication server
CN101998442A (en) * 2009-08-10 2011-03-30 北京三星通信技术研究有限公司 Remote access method and system
CN102045811A (en) * 2009-10-12 2011-05-04 中兴通讯股份有限公司 Access network information acquisition method, access network finding and selecting functional unit and terminal
CN102056154A (en) * 2009-10-30 2011-05-11 华为技术有限公司 IKE (Internet Key Exchange) authentication method and system, IKE response equipment and IKE initiating equipment

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
CN101064938A (en) * 2006-04-28 2007-10-31 华为技术有限公司 Method for applying MIP when the mobile terminal switched between 3GPP and non-3GPP access system
US8249551B2 (en) * 2008-06-05 2012-08-21 Bridgewater Systems Corp. Long-term evolution (LTE) policy control and charging rules function (PCRF) selection

Also Published As

Publication number Publication date
CN103002429A (en) 2013-03-27
CN103002429B (en) 2017-04-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12831324

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12831324

Country of ref document: EP

Kind code of ref document: A1