WO2013078678A1 - Method for determining access mode of user equipment, and system and device thereof - Google Patents

Method for determining access mode of user equipment, and system and device thereof

Info

Publication number
WO2013078678A1
WO2013078678A1 PCT/CN2011/083375 CN2011083375W WO2013078678A1 WO 2013078678 A1 WO2013078678 A1 WO 2013078678A1 CN 2011083375 W CN2011083375 W CN 2011083375W WO 2013078678 A1 WO2013078678 A1 WO 2013078678A1
Authority
WO
WIPO (PCT)
Prior art keywords
user equipment
correspondence
security
information
access network
Prior art date
Application number
PCT/CN2011/083375
Other languages
French (fr)
Chinese (zh)
Inventor
周伟
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2011/083375 priority Critical patent/WO2013078678A1/en
Priority to CN201180003638.5A priority patent/CN103250446B/en
Publication of WO2013078678A1 publication Critical patent/WO2013078678A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery

Definitions

  • the embodiments of the present invention relate to the field of communications technologies, and in particular, to a method, system, and device for determining a user equipment access mode.
  • Background
  • SAE System Architecture Evolution
  • 3GPP 3rd Generation Partnership Project
  • EPS Evolved Packet System
  • UE User Equipment
  • 3GPP organization proposes an Access Network Discovery and Selection Function (ANDSF) entity, which can formulate a set of policy rules based on the combination of wireless access network information and operator policies.
  • the policy rule can select a suitable access mode for the UE.
  • ANDSF Access Network Discovery and Selection Function
  • the ANDSF entity can set a rule that the UE selects the WiFi access mode when performing the File Transfer Protocol (FTP) service between 8:00 am and 8:00 pm, so that the UE accesses through WiFi between 8:00 am and 8:00 pm.
  • FTP File Transfer Protocol
  • the technical solution for offloading the service flow of the UE is that the Policy Charging Rule Function (PCRF) entity interacts with the ANDSF entity to obtain a policy rule and then generates a Policy and Charging Control (PCC) rule according to the policy rule; the Packet Data Network Gateway (PDN-GW) then selects the corresponding bearer according to the PCC rule and the application information of the UE, and offloads the service flow of the UE.
  • PCRF Policy Charging Rule Function
  • PDN-GW Packet Data Network Gateway
  • the embodiment of the invention provides a method and a system for determining a user equipment access mode, and a packet data gateway, which is used to solve the defect that the access mode of the UE cannot be determined based on the application information in the security scenario in the prior art.
  • An embodiment of the present invention provides a method for determining a user equipment access mode, including: the data gateway acquiring the access network discovery and selection function policy information corresponding to the user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode;
  • the data gateway obtains a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and the security information;
  • the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet that is to be sent to the user equipment.
  • the embodiment of the present invention further provides a method for determining a user equipment access mode, including: an access network discovery and selection function entity obtaining the access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between the application information and the access mode;
  • the access network discovery and selection function entity acquires a second correspondence relationship corresponding to the user equipment, where the second correspondence relationship is a correspondence between the application information and the security information;
  • the access network discovery and selection function entity sends the first correspondence and the second correspondence to the data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet that is to be sent to the user equipment.
  • the embodiment of the invention further provides a data gateway, including:
  • a first acquiring module, configured to obtain the access network discovery and selection function policy information corresponding to the user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and access modes;
  • a second acquiring module, configured to acquire a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and the security information;
  • a determining module configured to determine, according to the first correspondence, the second correspondence, and the data packet to be sent to the user equipment, the access mode of the user equipment.
  • the embodiment of the present invention further provides an access network discovery and selection function entity, including: a first acquiring module, configured to acquire access network discovery and selection function policy information corresponding to the user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between the application information and the access mode;
  • a second acquiring module configured to acquire a second correspondence corresponding to the user equipment, where the second corresponding relationship is a correspondence between the application information and the security information;
  • a sending module configured to send the first correspondence and the second correspondence to the data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet that is to be sent to the user equipment.
  • An embodiment of the present invention further provides a system for determining a user equipment access mode, including: a data gateway and an access network discovery and selection function entity;
  • the data gateway is configured to: receive the access network discovery and selection function policy information corresponding to the user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between the application information and the access mode; receive a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and the security information; and determine an access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet that is to be sent to the user equipment;
  • the access network discovery and selection function entity is configured to obtain access network discovery and selection function policy information corresponding to the user equipment; acquire a second correspondence corresponding to the user equipment; and send the access network discovery and selection function policy information And the second correspondence to the data gateway.
  • the method and system for determining the access mode of the user equipment and the data gateway in the embodiments of the present invention can determine the access mode of the UE based on the application information in the security scenario, so that the offloading operation on the service flow of the UE can be implemented.
  • DRAWINGS The drawings used in the embodiments or the description of the prior art are briefly described below. The drawings in the following description show some embodiments of the present invention, and those skilled in the art can obtain other drawings from these drawings without creative effort.
  • FIG. 1 is a signaling diagram of a method for determining a UE's access mode according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for determining a UE access mode according to an embodiment of the present invention
  • FIG. 4 is a flowchart of a method for determining a UE access mode according to another embodiment of the present invention
  • FIG. 5 is a determining UE according to another embodiment of the present invention.
  • FIG. 6 is a signaling diagram of a method for determining a user equipment access manner according to an embodiment of the present invention
  • FIG. 7 is a signaling diagram of a method for determining a user equipment access manner according to another embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a data gateway according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a data gateway according to another embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of an ANDSF entity according to an embodiment of the present disclosure.
  • FIG. 1 is a schematic structural diagram of a system for determining a UE access mode according to an embodiment of the present invention.
  • the technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention.
  • the embodiments are a part of the embodiments of the invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
  • CDMA Code Division Multiple Access
  • TDMA Time Division Multiple Access
  • OFDMA Orthogonal Frequency Division Multiple Access
  • SC-FDMA Single Carrier FDMA
  • a CDMA network can implement wireless technologies such as Universal Terrestrial Radio Access (UTRA) and CDMA2000.
  • UTRA can include WCDMA and other variants of CDMA.
  • CDMA2000 can cover the Interim Standard (IS) 2000 (IS-2000), IS-95 and IS-856 standards.
  • the TDMA network can implement wireless technologies such as Global System for Mobile Communication (GSM).
  • GSM Global System for Mobile Communication
  • An OFDMA network can implement wireless technologies such as Evolved UTRA (E-UTRA), Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, and Flash OFDMA.
  • E-UTRA Evolved UTRA
  • UMB Ultra Mobile Broadband
  • Wi-Fi IEEE 802.11
  • WiMAX IEEE 802.16
  • UTRA and E-UTRA are UMTS and UMTS evolved versions.
  • 3GPP Long Term Evolution (LTE) and LTE Advanced (LTE-A) are new versions of UMTS that use E-UTRA.
  • LTE Long Term Evolution
  • LTE-A LTE Advanced
  • UTRA, E-UTRA, UMTS, LTE, LTE-A and GSM are described in the documentation of the 3GPP
  • a base station may be a station that communicates with a User Equipment (UE) or other communication station, such as a relay station, and the base station may provide communication coverage of a specific physical area.
  • the base station may provide communication coverage for macro cells, pico cells, femto cells, and/or other types of cells.
  • the macro cell may cover a relatively large geographic area, such as a radius of a few kilometers, and allows unrestricted access by UEs that have subscribed to the service.
  • the Pico cell can cover a relatively small geographical area and can allow unrestricted access by UEs that have subscribed to the service.
  • the Femto cell covers a relatively small geographical area, such as a home, and allows restricted access by UEs associated with the femto cell.
  • the base station serving the macro cell may be referred to as a macro base station
  • the base station serving the pico cell may be referred to as a pico base station
  • the base station serving the femto cell may be referred to as a femto base station or a home base station.
  • a base station can support one or more cells.
  • UEs may be distributed throughout the wireless network, and each UE may be static or mobile.
  • a UE may be referred to as a terminal, a mobile station, a subscriber unit, a station, or the like.
  • the UE can be a cellular phone, a personal digital assistant (PDA), a wireless modem, a wireless communication device, a handheld device, a laptop computer, a cordless phone, a Wireless Local Loop (WLL) station, and the like.
  • PDA personal digital assistant
  • WLL Wireless Local Loop
  • the UE can communicate with a macro base station, a pico base station, a femto base station, and the like.
  • the ANDSF entity stores ANDSF policy information.
  • the ANDSF policy information includes a first correspondence corresponding to the UE, where the first correspondence includes a correspondence between the application information and the access mode, for example, "application information A, access mode B".
  • the AAA server is the server used to store the second correspondence.
  • the second correspondence includes the correspondence between the security information and the application information, for example: "Encryption Algorithm C, Application Information A".
  • the data gateway may be a PDN-GW, or may be a Gateway General Packet Radio Service (GPRS) Support Node (GGSN).
  • GPRS General Packet Radio Service
  • GGSN Gateway General Packet Radio Service Support Node
  • the application information may be an application identifier, which is used to distinguish different application categories.
  • the application information can be a content type, such as text or video, to distinguish between different content categories.
  • the application information may also be other information that needs to be obtained by parsing the data message and used to distinguish different data messages. The present invention does not limit the application information.
  • the data gateway is a PDN-GW.
  • FIG. 1 is a signaling diagram of offloading a service flow of a UE according to the prior art.
  • the method for offloading the service flow of the UE as shown in FIG. 1 may specifically include the following:
  • an attach request is initiated, so as to be attached to the core network.
  • the UE performs data transmission through the PDN-GW in the core network;
  • the UE reports application information to an application function (AF) server; for example, the UE can report the running application information to the AF server through a specific signaling message, such as Session Initiation Protocol (SIP) signaling.
  • AF application function
  • SIP Session Initiation Protocol
  • the application information is the same as the application information involved in the communication between the UE and the communication peer server.
  • the AF server generates session information, and sends the session information to the PCRF entity. For example, after receiving the application information sent by the UE, the AF server generates corresponding session information (in essence, the session information also carries information that can identify the application information of the UE), establishes an Rx session with the PCRF entity, and sends the session information to the PCRF entity over the Rx interface.
  • a connection is established between the PCRF entity and the ANDSF entity, and the ANDSF policy information corresponding to the application information of the UE is obtained from the ANDSF entity.
  • the PCRF entity generates a PCC rule according to the acquired ANDSF policy information, and sends a PCC rule to the PDN-GW.
  • the PCRF entity sends a PCC rule to the PDN-GW through the Gx interface.
  • the PCC rule is a PCC rule corresponding to the application information of the UE.
  • the PCC rule includes the correspondence between the application information of the UE and the access mode.
  • the following 105 proxy may be used.
  • the PDN-GW establishes a connection with the ANDSF entity, and the PDN-GW obtains corresponding ANDSF policy information from the ANDSF entity.
  • the PDN-GW can obtain the application information of the UE from the service flow, and then obtain the PCC rule corresponding to the UE according to the ANDSF policy information and the application information of the UE.
  • the method may further include:
  • the PDN-GW performs a corresponding bearer operation according to the PCC rule corresponding to the application information of the UE in the service flow that is sent to the UE, for example, adding, modifying, or deleting the corresponding bearer, thereby offloading the service flow that is received from the communication peer server and sent to the UE.
  • the PDN-GW can determine the access mode of the UE according to the PCC rule, so that the corresponding bearer operation can be performed.
  • FIG. 2 is a flowchart of a method for determining an access mode of a UE according to an embodiment of the present invention.
  • the method for determining the UE access mode in this embodiment is executed by the PDN-GW.
  • the method for determining the UE access mode in this embodiment includes the following:
  • the ANDSF policy information includes a first correspondence corresponding to the UE, where the first correspondence is a correspondence between the application information and the access mode.
  • the second correspondence in the embodiment is the correspondence between the application information and the security information.
  • 202. Determine an access mode of the UE according to the first correspondence, the second correspondence, and the security-protected data packet that is to be sent to the UE.
  • the application scenario of this embodiment is that the UE is in a security scenario.
  • the security scenario indicates that a secure connection is established between the UE and the communication peer server, and the context data transmitted by the UE is protected by encryption, thereby protecting the data transmitted by the UE from external attacks.
  • the method for determining the access mode of the user equipment in this embodiment determines the access mode of the UE by using the correspondence between the application information and the access mode, the correspondence between the application information and the security information, and the security-protected data packet that is to be sent to the UE.
  • the technical solution of the present embodiment can overcome the problem that the access mode of the UE cannot be determined based on the application information in the security scenario in the prior art, so that the service flow of the UE can be offloaded based on the application information in the security scenario.
  • the security information in the foregoing embodiment includes information such as a key certificate, a symmetric key, and a security algorithm.
  • FIG. 3 is a flowchart of a method for determining a UE access mode according to another embodiment of the present invention. As shown in FIG. 3, the method for determining the access mode of the UE in this embodiment is based on the foregoing embodiment shown in FIG. 2, and the technical solution of the present invention is introduced in more detail.
  • the method for determining the UE access mode in this embodiment includes the following:
  • the PDN-GW receives the data packet sent by the communication peer server.
  • the data packet is to be sent to the UE, and the data packet has been subjected to security protection processing.
  • 301. The PDN-GW sends the ANDSF policy request information that carries the UE identifier to the ANDSF entity, so that the ANDSF entity obtains the ANDSF policy information corresponding to the UE.
  • the identifier of the UE may specifically be an IP address of the UE.
  • the ANDSF policy information is the same as in the embodiment shown in FIG. 2, and includes a first correspondence corresponding to the UE, where the first correspondence includes the correspondence between application information and access modes.
  • the ANDSF entity obtains the ANDSF policy information corresponding to the UE, and the ANDSF entity may obtain the ANDSF policy information corresponding to the UE from the preset policy database.
  • the ANDSF policy information may also include a first correspondence corresponding to multiple UEs.
  • the application scenario of this embodiment is also in the security scenario of the UE.
  • the physical meaning of the security scenario is the same as that of the foregoing embodiment.
  • the UE may have interacted with the ANDSF entity with some requirement information for setting policy information, such as a UE identifier, application information of the UE, and a security information indicator, etc., where the UE identifier may be an IP address of the UE.
  • the security information indicator is used to identify that the UE is in a security scenario, and the data packet sent by the communication peer server that communicates with the UE to the UE is security-protected. Therefore, after receiving the ANDSF policy request information, the ANDSF entity may obtain the second correspondence corresponding to the UE from the security server. Or the ANDSF entity may obtain the second correspondence corresponding to the UE from the security server before 300.
  • the second correspondence includes the correspondence between the application information and the security information.
  • the PDN-GW receives the ANDSF policy information sent by the ANDSF entity and the second correspondence corresponding to the UE.
  • the second correspondence in this embodiment is the same as the embodiment shown in FIG. 2, and the second correspondence includes the correspondence between the application information and the security information.
  • the PDN-GW obtains application information of the data packet according to the second correspondence and the data packet that is to be sent to the UE for security protection processing.
  • the security information in the second correspondence is used to parse the security-protected data packet that is to be sent to the UE, and the application information of the data packet is obtained after parsing; it is then determined whether the application information obtained after parsing corresponds to the application information in the second correspondence. If it corresponds, the security information and the application information corresponding to the data packet are determined to be the security information and the application information in the second correspondence. If it does not correspond, the parsing is not successful. If there is another second correspondence corresponding to the UE, the security information in the other second correspondence may continue to be used for parsing.
  • the security information in this embodiment may be a key certificate, a symmetric key, a security algorithm, and the like. For example, when the security information is a key certificate, the key certificate may be verified on the certificate server; after the verification, the key information is obtained, and the data packet is parsed with the key information. When the parsing is successful, the security information is determined to be the security information corresponding to the UE. Or, when the security information is a symmetric key, the symmetric key is used to parse the data packet. When the parsing is successful, the security information is determined to be the security information corresponding to the UE. Or, when the security information is a security algorithm, the security algorithm is used to parse the data packet with the existing key information, and the security information is determined to be the security information corresponding to the UE. Other similar security information can be handled by referring to the above examples.
  • the PDN-GW determines the access mode of the UE according to the obtained application information of the data packet and the first correspondence in the ANDSF policy information corresponding to the UE.
  • the access mode corresponding to the application information of the data packet is obtained from the first corresponding relationship corresponding to the UE according to the determined application information of the data packet, that is, the access mode of the UE.
  • the PDN-GW obtains the application information of the data packet according to the correspondence between the application information and the security information and the security-protected data packet that is to be sent to the UE, and determines the access mode of the UE according to the correspondence between the application information and the access mode.
  • the technical solution of the present embodiment can overcome the problem that the access mode of the UE cannot be determined based on the application information in the security scenario in the prior art, so that the service flow of the UE can be offloaded based on the application information in the security scenario.
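The parse-and-match procedure of this embodiment, sketched as an added example (not code from the patent): each second correspondence's security information is tried against the protected packet, and the first correspondence is consulted only when the recovered application information matches. The packet layout, the toy keystream-plus-HMAC protection, and every name, key and access mode value below are assumptions constructed for illustration; the page defines none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and integrity keys from one shared secret.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Toy SHA-256 counter keystream: a stand-in for a real cipher, NOT a vetted one.
    blocks = (length + 31) // 32
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks)
    )
    return stream[:length]


def protect(key: bytes, app_info: str, payload: bytes) -> bytes:
    """Constructed peer-server side: tag(32) || encrypted(app_info NUL payload)."""
    plain = app_info.encode() + b"\x00" + payload
    stream = _keystream(_subkey(key, b"enc"), len(plain))
    body = bytes(p ^ s for p, s in zip(plain, stream))
    tag = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    return tag + body


def parse(key: bytes, packet: bytes) -> Optional[str]:
    """Gateway side: return the application information, or None if parsing fails."""
    tag, body = packet[:32], packet[32:]
    expected = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong security information, or the packet was altered
    stream = _keystream(_subkey(key, b"enc"), len(body))
    plain = bytes(c ^ s for c, s in zip(body, stream))
    return plain.split(b"\x00", 1)[0].decode(errors="replace")


@dataclass(frozen=True)
class SecondCorrespondence:
    app_info: str  # application information
    key: bytes     # security information (here: a symmetric key)


def determine_access_mode(
    packet: bytes,
    first: Dict[str, str],
    seconds: List[SecondCorrespondence],
) -> Optional[str]:
    """Try each second correspondence; map matched application info to access mode."""
    for entry in seconds:
        app_info = parse(entry.key, packet)
        if app_info is None:
            continue  # parsing failed: try the next second correspondence
        if app_info != entry.app_info:
            continue  # parsed, but does not correspond to this entry
        return first.get(app_info)  # None when no policy exists for the application
    return None  # no correspondence matched: the access mode stays undetermined


# Constructed sample data for one UE.
FIRST = {"application-A": "WiFi", "application-B": "3GPP"}
SECONDS = [
    SecondCorrespondence("application-B", b"constructed-key-B"),
    SecondCorrespondence("application-A", b"constructed-key-A"),
]


def demo() -> Optional[str]:
    packet = protect(b"constructed-key-A", "application-A", b"file chunk")
    return determine_access_mode(packet, FIRST, SECONDS)


if __name__ == "__main__":
    print(demo())
```

A packet that no stored security information can parse, or whose recovered application information does not match the entry that parsed it, yields no access mode rather than a default.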
  • the security server in the foregoing embodiment may be an Authentication Authorization and Accounting (hereinafter referred to as AAA) server, a Home Subscriber Server (HSS), a certificate server or an application server, and the like.
  • AAA Authentication Authorization and Accounting
  • HSS Home Subscriber Server
  • FIG. 4 is a flowchart of a method for determining a UE access mode according to still another embodiment of the present invention. As shown in FIG. 4, the method for determining the access mode of the UE in this embodiment is based on the foregoing embodiment shown in FIG. 2, and the technical solution of the present invention is introduced in more detail.
  • the method for determining the UE access mode in this embodiment includes the following:
  • the PDN-GW sends the ANDSF policy request information that carries the UE identifier to the ANDSF entity, so that the ANDSF entity obtains the ANDSF policy information corresponding to the UE.
  • the ANDSF policy information is the same as in the embodiments shown in FIG. 2 and FIG. 3, and includes a first correspondence corresponding to the UE, where the first correspondence includes a correspondence between the application information and the access mode.
  • the PDN-GW receives the ANDSF policy information sent by the ANDSF entity.
  • the PDN-GW receives the data packet sent by the communication peer server.
  • the data packet is sent to the UE, and the UE is in a security scenario, and the data packet is encrypted and protected.
  • the PDN-GW sends a security information request that carries the UE identifier to the security server, so that the security server obtains the second correspondence corresponding to the UE according to the UE identifier.
  • the second correspondence in this embodiment is the same as the embodiment shown in FIG. 2 and FIG. 3, and the second correspondence includes the correspondence between the application information and the security information.
  • the PDN-GW receives the second correspondence corresponding to the UE sent by the security server.
  • the PDN-GW can send the security information request that carries the UE identifier to the security server through the PCRF entity.
  • the PDN-GW receives the second correspondence corresponding to the UE sent by the security server through the PCRF entity.
  • the PDN-GW obtains application information of the data packet according to the second correspondence and the data packet that is to be sent to the UE for security protection processing.
  • the PDN-GW determines the access mode of the UE according to the application information of the data packet and the first correspondence in the ANDSF policy information corresponding to the UE.
  • the application scenario of the embodiment is still in the security scenario of the UE, and the UE establishes a secure connection with the communication peer server.
  • the physical meaning of the security scenario is the same as that of the related embodiment. For details, refer to the description of the foregoing embodiment; they are not repeated here.
  • the PDN-GW obtains the application information of the data packet according to the correspondence between the application information and the security information and the security-protected data packet that is to be sent to the UE, and determines the access mode of the UE according to the correspondence between the application information and the access mode.
  • the technical solution of the present embodiment can overcome the problem that the access mode of the UE cannot be determined based on the application information in the security scenario in the prior art, so that the service flow of the UE can be offloaded based on the application information in the security scenario.
  • FIG. 5 is a flowchart of a method for determining an access mode of a UE according to another embodiment of the present invention.
  • the execution body of the method for determining the UE access mode in this embodiment may be an ANDSF entity.
  • the method for determining the access mode of the UE in this embodiment may include the following steps: 500: Acquire access network discovery and selection function policy information corresponding to the UE;
  • the access network discovery and selection function policy information includes a first correspondence corresponding to the UE, where the first correspondence is a correspondence between the application information and the access mode;
  • the second correspondence relationship is a correspondence between the application information and the security information.
  • the ANDSF policy information in this embodiment is the same as the foregoing embodiment shown in FIG. 2 to FIG. 4, and includes a first correspondence corresponding to the UE, where the first correspondence includes a correspondence between the application information and the access mode.
  • the data packet in this embodiment may be a security-processed data packet that is sent to the UE, and the data packet is specifically sent by the communication peer server that communicates with the UE to the PDN-GW.
  • the application scenario of the embodiment is still in the security scenario of the UE, and the UE establishes a secure connection with the communication peer server.
  • the physical meaning of the security scenario is the same as that of the related embodiment. For details, refer to the description of the foregoing embodiment; they are not repeated here.
  • the method for determining the access mode of the user equipment in this embodiment is to send the corresponding relationship between the acquired application information and the access mode, and the correspondence between the application information and the security information to the data gateway, so that the data gateway determines the access of the UE.
  • the method overcomes the prior-art problem that the access mode of the UE cannot be determined based on the application information in the security scenario, so that the service flow of the UE is offloaded based on the application information in the security scenario.
  • in 501, obtaining the access network discovery and selection function policy information corresponding to the UE may specifically be: obtaining, from the preset policy database, the ANDSF policy information of the UE corresponding to the UE identifier.
  • before 501, the UE identifier, the application information of the UE, and the security information indicator sent by the UE may be received. The ANDSF entity may then obtain the access network discovery and selection function policy information corresponding to the application information of the UE according to the identifier of the UE and the application information of the UE. According to the security information indicator, the ANDSF entity may further learn that the UE has established a secure connection with the communication peer server and that the data packets transmitted between the UE and the communication peer server are protected by encryption.
  • the identifier of the UE, the application information of the UE, and the security information indicator may be reported by the UE to the ANDSF entity when the UE and the ANDSF entity exchange some requirement information for setting policy information.
  • similar to the method for determining the access mode of the user equipment on the PDN-GW side shown in FIG. 3, in this embodiment, after the ANDSF entity receives the UE identifier, the application information of the UE, and the security information indicator sent by the UE, it learns from the security information indicator that the data packets sent by the communication peer server to the UE are transmitted in the security scenario. In this case, the ANDSF entity may obtain the second correspondence of the UE from the security server before or after the PDN-GW requests the ANDSF policy information from the ANDSF entity. The ANDSF entity may also send the acquired second correspondence to the PDN-GW. For example, refer to the following steps:
  • A2. Receive a second correspondence corresponding to the UE sent by the security server.
  • the foregoing A1 may be:
  • the ANDSF entity sends a security information request carrying the UE identifier to the security server through the PCRF entity.
  • A2 may be: receiving the second correspondence corresponding to the UE that the security server sends through the PCRF entity.
  • the ANDSF entity may also send the acquired second correspondence to the PDN-GW along with the ANDSF policy information.
  • the method for determining the access mode of the user equipment overcomes the prior-art problem that the access mode of the UE cannot be determined based on the application information in the security scenario, so that the service flow of the UE can be offloaded based on the application information in the security scenario.
  • FIG. 6 is a signaling diagram of a method for determining a user equipment access mode according to an embodiment of the present invention. As shown in FIG. 6, the method for determining the access mode of the user equipment in this embodiment may specifically include the following: 600. After the UE is powered on, it is attached to the core network;
  • the UE establishes a secure connection with the communication peer server.
  • the data packet between the subsequent UE and the communication peer server will be transmitted in the security scenario.
  • the physical meaning of the security scenario is the same as that of the foregoing embodiment. For details, refer to the description of the foregoing embodiment, and details are not described herein.
  • the UE and the ANDSF entity exchange policy information, where the UE reports the UE's IP address, application information, and security information indicator to the ANDSF entity.
  • the ANDSF entity sends a security information request that carries the IP address and application information of the UE to the AAA server.
  • the AAA server obtains a second correspondence corresponding to the UE according to the security information request, and sends the second correspondence to the ANDSF entity.
  • the ANDSF entity in 603 sends a security information request carrying the IP address and application information of the UE to the AAA server through the PCRF entity.
  • the AAA server sends the second correspondence to the ANDSF entity by using the PCRF entity.
  • the ANDSF entity obtains the first correspondence in the preset policy database according to the IP address and the application information of the UE.
  • the first correspondence relationship and the second correspondence relationship in this embodiment are the same as the embodiment shown in Figs. 2 to 5 described above.
  • the first correspondence includes the correspondence between the application information and the access mode.
  • the second correspondence includes the correspondence between the application information and the security information.
  • the communication peer server sends, to the PDN-GW, a security-protected data packet to be sent to the UE.
  • 606 may also be performed between 601 and 602.
  • the PDN-GW sends ANDSF policy request information to the ANDSF entity.
  • the ANDSF entity sends the ANDSF policy information and the second correspondence to the PDN-GW.
  • the ANDSF policy information is the same as the embodiment shown in FIG. 2-5.
  • the PDN-GW parses the security-protected data packet sent to the UE according to the security information in the second correspondence, and obtains the application information in the second correspondence that corresponds to the security-protected data packet sent to the UE. The PDN-GW then determines the access mode of the UE according to the first correspondence.
  • Step 609 is the same as 303-304 in the embodiment shown in FIG. 3 above.
  • the method provided by the embodiment of the present invention can determine the access mode of the UE based on the application information in a security scenario, subsequently perform a bearer creation or modification procedure according to the change of the access mode, and offload data packets according to the determined access mode, thereby implementing data offloading in a security scenario.
  • the PDN-GW obtains the application information of the data packet according to the correspondence between the application information and the security information and the security-protected data packet to be sent to the UE, and determines the access mode of the UE according to the correspondence between the application information and the access mode.
  • the technical solution of this embodiment overcomes the prior-art problem that the access mode of the UE cannot be determined based on the application information in the security scenario, so that the service flow of the UE can be offloaded based on the application information in the security scenario.
  • FIG. 7 is a signaling diagram of a method for determining a user equipment access mode according to still another embodiment of the present invention. As shown in FIG. 7, the method for determining the access mode of the user equipment in this embodiment may specifically include the following:
  • after the UE is powered on, it is attached to the core network;
  • the UE establishes a secure connection with the communication peer server.
  • the data packet between the subsequent UE and the communication peer server will be transmitted in the security scenario.
  • the physical meaning of the security scenario is the same as that of the foregoing embodiment. For details, refer to the description of the foregoing embodiment, and details are not described herein.
  • the PDN-GW sends an ANDSF policy request message carrying an IP address of the UE to the ANDSF entity.
  • the ANDSF entity obtains ANDSF policy information in a preset policy database according to the ANDSF policy request information.
  • the ANDSF policy information in this embodiment is the same as the embodiment shown in FIG. 2 to FIG. 6 above, and details are not described herein.
  • the ANDSF entity sends ANDSF policy information to the PDN-GW.
  • the communication peer server sends, to the PDN-GW, a security-protected data packet to be sent to the UE.
  • 706. the PDN-GW sends a security information request that carries the IP address of the UE to the AAA server.
  • the AAA server obtains a second correspondence corresponding to the UE according to the security information request, and sends the second correspondence to the PDN-GW.
  • the PDN-GW sends a security information request carrying the IP address of the UE to the AAA server through the PCRF entity.
  • the AAA server sends the second correspondence to the PDN-GW through the PCRF entity.
  • the PDN-GW parses the security-protected data packet sent to the UE according to the security information in the second correspondence, and obtains the application information in the second correspondence that corresponds to the security-protected data packet sent to the UE. The PDN-GW then determines the access mode of the UE according to the first correspondence.
  • the step 708 is the same as the 303-304 in the embodiment shown in FIG. 3, and the details of the foregoing embodiment may be referred to, and details are not described herein again.
  • the method provided by the embodiment of the present invention may determine the access mode of the UE based on the application information in a security scenario, subsequently perform a bearer creation or modification procedure according to the change of the access mode, and offload data packets according to the determined access mode, thereby implementing data offloading in a security scenario.
  • the PDN-GW obtains the application information of the data packet according to the correspondence between the application information and the security information and the security-protected data packet to be sent to the UE, and determines the access mode of the UE according to the correspondence between the application information and the access mode.
  • the technical solution of this embodiment overcomes the prior-art problem that the access mode of the UE cannot be determined based on the application information in the security scenario, so that the service flow of the UE can be offloaded based on the application information in the security scenario.
  • FIG. 6 and FIG. 7 illustrate the technical solution of the embodiment of the present invention by using the security server as an AAA server.
  • the AAA server in the foregoing embodiment may be replaced by an HSS, a certificate server, an application server, or another server capable of storing the security information and the second correspondence.
  • the correspondences in the foregoing embodiments are one-to-one, that is, one piece of security information corresponds to one piece of application information, and one piece of application information corresponds to one access mode.
  • FIG. 8 is a schematic structural diagram of a data gateway according to an embodiment of the present invention. As shown in FIG. 8, the data gateway of this embodiment includes: a first acquiring module M10, a second acquiring module M11, and a determining module M12.
  • the first acquiring module M10 is configured to obtain the access network discovery and selection function policy information corresponding to the user equipment; the access network discovery and selection function policy information includes the first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between the application information and the access mode. The second acquiring module M11 is configured to obtain a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and the security information. The determining module M12 is connected to the first acquiring module M10 and the second acquiring module M11 respectively, and is configured to determine the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet to be sent to the user equipment.
  • the implementation mechanism for determining the access mode of the UE by using the foregoing module is the same as the implementation of the foregoing related method embodiment.
  • the data gateway of this embodiment can determine the access mode of the UE based on the application information in the security scenario by using the foregoing modules, so that the service flow of the UE can subsequently be offloaded.
  • FIG. 9 is a schematic structural diagram of a data gateway according to another embodiment of the present invention. As shown in FIG. 9, the data gateway of this embodiment may further include the following in the foregoing embodiment of FIG.
  • the first obtaining module M10 may include a first sending unit U101 and a first receiving unit U102.
  • the first sending unit U101 is configured to send an ANDSF policy request information that carries the UE identifier to the ANDSF entity, where the ANDSF entity acquires the UE.
  • the ANDSF policy information includes a first correspondence corresponding to the UE.
  • the first receiving unit U102 is configured to receive ANDSF policy information sent by the ANDSF entity.
  • correspondingly, the determining module M12 is connected to the first receiving unit U102, and is configured to determine the access mode of the UE according to the second correspondence acquired by the second acquiring module M11, the first correspondence corresponding to the UE in the ANDSF policy information received by the first receiving unit U102, and the security-protected data packet to be sent to the UE.
  • the second acquiring module M11 may be configured to receive at least one piece of security information corresponding to the UE and the corresponding at least one second correspondence that are sent by the ANDSF entity; the at least one piece of security information and the corresponding at least one second correspondence are obtained by the ANDSF entity from the security server.
  • the second acquiring module M11 may further include a second sending unit U111 and a second receiving unit U112.
  • the second sending unit U111 is configured to send a security information request that carries the UE identifier to the security server, so that the security server obtains the second correspondence corresponding to the UE according to the UE identifier.
  • the second receiving unit U112 is configured to receive a second correspondence corresponding to the UE sent by the security server.
  • the determining module M12 is further connected to the second receiving unit U112, and is configured to determine the access mode of the UE according to the second correspondence received by the second receiving unit U112, the first correspondence corresponding to the UE in the ANDSF policy information obtained by the first receiving unit U102 of the first acquiring module M10, and the security-protected data packet to be sent to the UE.
  • the second sending unit U111 is specifically configured to send, by using the PCRF entity, a security information request that carries the UE identifier to the security server.
  • the second receiving unit U112 may be specifically configured to receive a second correspondence corresponding to the UE that is sent by the security server by using the PCRF entity.
  • the determining module M12 in the foregoing embodiment may further include: an obtaining unit U121 and a determining unit U122.
  • the obtaining unit U121 is connected to the second receiving unit U112, and the obtaining unit U121 is configured to parse the security-protected data packet sent to the user equipment according to the security information in the second correspondence received by the second receiving unit U112.
  • the determining unit U122 is connected to the obtaining unit U121, the second receiving unit U112, and the first receiving unit U102 respectively, and is configured to determine the access mode of the user equipment according to the application information, in the second correspondence, that corresponds to the security-protected data packet sent to the user equipment, and according to the first correspondence corresponding to the UE in the ANDSF policy information received by the first receiving unit U102.
  • the data gateway of this embodiment may further include a receiving module M13.
  • the receiving module M13 is configured to receive the security-protected data packet sent by the communication peer server.
  • the receiving module M13 is connected to the acquiring unit U121, so that the acquiring unit U121 can obtain the application information of the data packet according to the second correspondence received by the second receiving unit U112 and the security-protected data packet to be sent to the user equipment that is received by the receiving module M13.
  • the data gateway of this embodiment determines the access mode of the UE by using the foregoing modules and units in the same way as described in the foregoing related method embodiments; details are not described herein again.
  • the data gateway of this embodiment can determine the access mode of the UE based on the application information in the security scenario by using the foregoing modules, so that the service flow of the UE can subsequently be offloaded.
  • FIG. 10 is a schematic structural diagram of an access network discovery and selection function entity according to an embodiment of the present invention.
  • the ANDSF entity device of this embodiment includes: a first acquiring module M20, a second acquiring module M21, and a sending module M22.
  • the first acquiring module M20 is configured to obtain the access network discovery and selection function policy information corresponding to the user equipment; the access network discovery and selection function policy information includes the first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between the application information and the access mode. The second acquiring module M21 is configured to obtain a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and the security information.
  • the sending module M22 is connected to the first acquiring module M20 and the second acquiring module M21 respectively, and is configured to send the first correspondence and the second correspondence to the data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet to be sent to the user equipment.
  • the ANDSF entity in this embodiment works with the foregoing modules in the same way as described in the foregoing related method embodiments; details are not described herein again.
  • the ANDSF entity of this embodiment enables the data gateway to determine the access mode of the UE based on the application information in the security scenario by using the foregoing modules, so that the service flow of the UE can subsequently be offloaded.
  • the first obtaining module M20 in the foregoing embodiment may obtain the ANDSF policy information of the UE corresponding to the UE identifier from the preset policy database.
  • the second obtaining module M21 may include an indication receiving unit, a sending unit, and a receiving unit.
  • the indication receiving unit is configured to receive the user equipment identifier and the security information indicator of the user equipment; the sending unit is configured to send, to the security server, a security information request that carries the user equipment identifier, so that the security server obtains the second correspondence corresponding to the user equipment according to the user equipment identifier; the receiving unit is configured to receive the second correspondence corresponding to the user equipment sent by the security server.
  • the ANDSF entity of the foregoing embodiment works with the foregoing modules in the same way as described in the foregoing related method embodiments; details are not described herein again.
  • the ANDSF entity of the foregoing embodiment enables the data gateway to determine the access mode of the UE based on the application information in the security scenario by using the foregoing modules, so that the service flow of the UE can subsequently be offloaded.
  • the security server in the above device embodiment may still be an AAA server, an HSS, a certificate server, an application server, or the like, which is capable of storing security information and a correspondence between the security information and the application information.
  • FIG. 11 is a schematic structural diagram of a system for determining a UE access mode according to an embodiment of the present invention.
  • the system for determining the access mode of the UE in this embodiment may include: a data gateway 30 and an ANDSF entity 40.
  • the data gateway 30 is configured to: receive the access network discovery and selection function policy information corresponding to the user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between the application information and the access mode; receive a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and the security information; and determine the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet to be sent to the user equipment;
  • the ANDSF 40 is configured to obtain access network discovery and selection function policy information corresponding to the user equipment, obtain a second correspondence corresponding to the user equipment, and send the access network discovery and selection function policy information and the second correspondence to Data gateway.
  • the data gateway 30 is specifically configured to: obtain the access network discovery and selection function policy information corresponding to the user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is the correspondence between the application information and the access mode; obtain the second correspondence corresponding to the user equipment, where the second correspondence is the correspondence between the application information and the security information; parse, according to the security information in the second correspondence, the security-protected data packet sent to the user equipment to obtain the application information of that data packet; and determine the access mode of the user equipment according to the application information of the security-protected data packet sent to the user equipment and the first correspondence.
  • the ANDSF 40 is specifically configured to: obtain the access network discovery and selection function policy information corresponding to the user equipment; receive the user equipment identifier and the security information indicator of the user equipment; send a security information request that carries the user equipment identifier to the security server, so that the security server obtains the second correspondence corresponding to the user equipment according to the user equipment identifier; receive the second correspondence corresponding to the user equipment sent by the security server; and send the access network discovery and selection function policy information and the second correspondence to the data gateway.
  • the system for determining the access mode of the UE in this embodiment is implemented by using the foregoing data gateway 30 and the ANDSF entity 40, and the implementation mechanism for determining the access mode of the UE is the same as that of the foregoing related method embodiments; for details, refer to those embodiments, which are not repeated here.
  • the data gateway 30 and the ANDSF entity 40 can determine the access mode of the UE based on the application information in the security scenario, so that the service flow of the UE can subsequently be offloaded.
  • the various illustrative logic blocks, modules and circuits described in the embodiments of the invention may be implemented or operated by general purpose processors, digital signal processors, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic, discrete hardware components, or any combination of the above designed to implement the functions described.
  • the general purpose processor may be a microprocessor, which may alternatively be any conventional processor, controller, microcontroller or state machine.
  • the processor may also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
  • the steps of the method or algorithm described in the embodiments of the present invention may be directly embedded in hardware, a software module executed by a processor, or a combination of the two.
  • the software modules can be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium in the art.
  • the storage medium can be coupled to the processor such that the processor can read information from the storage medium and can write information to the storage medium.
  • the storage medium can also be integrated into the processor.
  • the processor and the storage medium can be placed in an ASIC, and the ASIC can be placed in the user terminal.
  • the processor and the storage medium may also be provided in different components in the user terminal.
  • the above-described functions described in the embodiments of the present invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, these functions may be stored on a computer readable medium, or transmitted, in the form of instructions or code, over a computer readable medium.
  • Computer readable media includes computer storage media and communication media that facilitates the transfer of computer programs from one place to another.
  • the storage medium can be any available media that any general purpose or special computer can access.
  • Such computer readable media can include, but is not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures, or in other forms that can be read by a general purpose or special computer or by a general or special processor.
  • any connection can be appropriately defined as a computer readable medium; for example, if the software is transmitted from a website, server or other remote resource through a coaxial cable, fiber-optic cable, twisted pair, or digital subscriber line (DSL), or wirelessly by means such as infrared, wireless, and microwave, that connection is also included in the definition of a computer readable medium.
  • the disks and discs include compact disks, laser disks, optical disks, DVDs, floppy disks, and Blu-ray disks. Disks typically reproduce data magnetically, while discs typically reproduce data optically with a laser. Combinations of the above may also be included in a computer readable medium.

Abstract

Embodiments of the present invention provide a method for determining an access mode of a user equipment (UE), and a system and device thereof. The method comprises: a data gateway acquiring access network discovery and selection function policy information corresponding to a UE, the access network discovery and selection function policy information comprising a first correspondence corresponding to the UE, and the first correspondence being a correspondence between application information and an access mode; the data gateway acquiring a second correspondence corresponding to the UE, the second correspondence being a correspondence between the application information and safety information; the data gateway determining an access mode of the UE according to the first correspondence, the second correspondence, and a data packet to be sent to the UE and being processed by safety protection. By means of the technical solution of the present invention, the access mode of the UE can be determined based on application information in the safety scenario, thereby splitting service flow of the UE.
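
The gateway-side decision summarized in the abstract, following the FIG. 7 order of requests, as an added Python example that is not part of the patent text. Assumptions: the patent does not define the format of the security information, so a per-application HMAC-SHA256 key stands in for it; the class and function names, the UE address 192.0.2.10, the keys and the FTP/VoIP table entries are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to each packet


def protect(payload: bytes, security_info: bytes) -> bytes:
    """Peer-server side. ASSUMPTION: an HMAC-SHA256 tag stands in for the
    'security protection processing', whose format the page does not define."""
    return payload + hmac.new(security_info, payload, hashlib.sha256).digest()


def invert_second_correspondence(second: Dict[str, bytes]) -> Dict[bytes, str]:
    """Turn application -> security info into security info -> application.
    The correspondence must be one-to-one, so shared security info is rejected."""
    inverted: Dict[bytes, str] = {}
    for app, sec in second.items():
        if sec in inverted:
            raise ValueError(f"security info shared by {inverted[sec]!r} and {app!r}")
        inverted[sec] = app
    return inverted


def identify_application(packet: bytes, by_sec: Dict[bytes, str]) -> Optional[str]:
    """Parse the protected packet with each known security info; the one that
    verifies names the application. Returns None if nothing verifies."""
    if len(packet) <= TAG_LEN:
        return None
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    for sec, app in by_sec.items():
        expected = hmac.new(sec, payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):  # constant-time comparison
            return app
    return None


class AndsfEntity:
    """Holds the preset policy database: UE IP -> first correspondence."""
    def __init__(self, policy_db: Dict[str, Dict[str, str]]):
        self.policy_db = policy_db

    def policy_request(self, ue_ip: str) -> Dict[str, str]:
        return dict(self.policy_db.get(ue_ip, {}))


class SecurityServer:
    """AAA-like store: UE IP -> second correspondence (application -> security info)."""
    def __init__(self, store: Dict[str, Dict[str, bytes]]):
        self.store = store

    def security_info_request(self, ue_ip: str) -> Dict[str, bytes]:
        return dict(self.store.get(ue_ip, {}))


class DataGateway:
    """PDN-GW role: combines both correspondences with the protected packet."""
    def __init__(self, andsf: AndsfEntity, security_server: SecurityServer):
        self.andsf = andsf
        self.security_server = security_server

    def determine_access_mode(self, ue_ip: str, packet: bytes) -> Optional[Tuple[str, Optional[str]]]:
        first = self.andsf.policy_request(ue_ip)                     # ANDSF policy request
        second = self.security_server.security_info_request(ue_ip)  # security information request
        app = identify_application(packet, invert_second_correspondence(second))
        if app is None:
            return None  # packet matches no known security info: no decision
        return app, first.get(app)  # access mode is None if the policy has no entry


# Constructed sample data (not from the patent).
UE_IP = "192.0.2.10"
FTP_KEY = b"constructed-ftp-security-info"
VOIP_KEY = b"constructed-voip-security-info"


def build_demo_gateway() -> DataGateway:
    andsf = AndsfEntity({UE_IP: {"FTP": "WiFi", "VoIP": "3GPP"}})
    aaa = SecurityServer({UE_IP: {"FTP": FTP_KEY, "VoIP": VOIP_KEY}})
    return DataGateway(andsf, aaa)


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.determine_access_mode(UE_IP, protect(b"RETR report.txt", FTP_KEY)))
    print(gw.determine_access_mode(UE_IP, protect(b"hello", b"unknown-security-info")))
```
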

Description

确定用户设备接入方式的方法及系统、 设备 技术领域  Method, system and device for determining user equipment access mode
本发明实施例涉及通信技术领域, 尤其涉及一种确定用户设备接入方 式的方法及系统、 设备。 背景技术  The embodiments of the present invention relate to the field of communications technologies, and in particular, to a method, system, and device for determining a user equipment access mode. Background technique
System Architecture Evolution (SAE) is an evolved network architecture initiated by the 3rd Generation Partnership Project (3GPP). Under the guidance of the SAE evolution plan, a new mobile communication network framework that separates the control plane from the data plane was defined, namely the Evolved Packet System (EPS).

In SAE, after an operator deploys EPSs of multiple access types, a user equipment (UE) in an environment with multiple kinds of wireless access needs to select a suitable wireless access mode according to a certain policy, for example based on signal strength or price. The operator also needs to recommend a suitable wireless access mode to the UE according to the current network state, such as signal strength and network load. The 3GPP organization therefore proposed the Access Network Discovery and Selection Function (ANDSF) entity, which formulates a set of policy rules by combining radio access network information and operator policies; a suitable access mode can be selected for the UE according to these policy rules. For example, the ANDSF entity can specify that a UE running a File Transfer Protocol (FTP) service between 8:00 am and 8:00 pm selects the WiFi access mode, so that the UE can choose WiFi access between 8:00 am and 8:00 pm. In an EPS that introduces the ANDSF entity, the technical solution for offloading the service flow of the UE is as follows: the Policy Charging Rule Function (PCRF) entity interacts with the ANDSF entity to obtain the policy rules and generates Policy and Charging Control (PCC) rules from them; the Packet Data Network Gateway (PDN-GW) then selects the corresponding bearer according to the PCC rules and the application information of the UE, and offloads the service flow of the UE.

In practice, the above technical solution for offloading the service flow of the UE based on application information cannot be applied in a security scenario, so the access mode of the UE cannot be determined and the service flow of the UE cannot be offloaded.

Summary of the invention
The embodiments of the present invention provide a method and a system for determining a user equipment access mode, and a packet data gateway, to overcome the defect in the prior art that the access mode of the UE cannot be determined based on application information in a security scenario.

An embodiment of the present invention provides a method for determining a user equipment access mode, including:

a data gateway acquiring access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode;

the data gateway acquiring a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information;

the data gateway determining the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.

An embodiment of the present invention further provides a method for determining a user equipment access mode, including:

an access network discovery and selection function entity acquiring access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode;

the access network discovery and selection function entity acquiring a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information;

the access network discovery and selection function entity sending the first correspondence and the second correspondence to a data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.
An embodiment of the present invention further provides a data gateway, including:

a first acquiring module, configured to acquire access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode;

a second acquiring module, configured to acquire a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information;

a determining module, configured to determine the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.

An embodiment of the present invention further provides an access network discovery and selection function entity, including:

a first acquiring module, configured to acquire access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode;

a second acquiring module, configured to acquire a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information;

a sending module, configured to send the first correspondence and the second correspondence to a data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.

An embodiment of the present invention further provides a system for determining a user equipment access mode, including a data gateway and an access network discovery and selection function entity.

The data gateway is configured to: receive access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode; receive a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information; and determine the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.

The access network discovery and selection function entity is configured to: acquire the access network discovery and selection function policy information corresponding to the user equipment; acquire the second correspondence corresponding to the user equipment; and send the access network discovery and selection function policy information and the second correspondence to the data gateway.
With the above technical solution, the method and system for determining a user equipment access mode and the data gateway in the embodiments of the present invention can determine the access mode of the UE based on application information in a security scenario, so that the service flow of the UE can be offloaded.

Brief description of the drawings

The drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a signaling diagram of offloading a service flow of a UE according to the prior art;
FIG. 2 is a flowchart of a method for determining a UE access mode according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for determining a UE access mode according to another embodiment of the present invention;
FIG. 4 is a flowchart of a method for determining a UE access mode according to yet another embodiment of the present invention;
FIG. 5 is a flowchart of a method for determining a UE access mode according to still another embodiment of the present invention;
FIG. 6 is a signaling diagram of a method for determining a user equipment access mode according to an embodiment of the present invention;
FIG. 7 is a signaling diagram of a method for determining a user equipment access mode according to yet another embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a data gateway according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a data gateway according to another embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an ANDSF entity according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a system for determining a UE access mode according to an embodiment of the present invention.

Detailed description

To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The technical solutions provided by the embodiments of the present invention can be applied to various wireless communication networks, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency-Division Multiple Access (OFDMA), Single Carrier FDMA (SC-FDMA), and other networks. The terms "network" and "system" are interchangeable. A CDMA network can implement radio technologies such as Universal Terrestrial Radio Access (UTRA) and CDMA2000. UTRA can include CDMA, WCDMA, and other CDMA variants. CDMA2000 can cover the Interim Standard (IS) 2000 (IS-2000), IS-95, and IS-856 standards. A TDMA network can implement radio technologies such as Global System for Mobile Communication (GSM). An OFDMA network can implement radio technologies such as Evolved UTRA (E-UTRA), Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, and Flash OFDMA. UTRA and E-UTRA are UMTS and its evolved version. 3GPP Long Term Evolution (LTE) and LTE Advanced (LTE-A) are new versions of UMTS that use E-UTRA. UTRA, E-UTRA, UMTS, LTE, LTE-A, and GSM are described in documents of the 3GPP standards organization. CDMA2000 and UMB are described in documents of the 3GPP2 standards organization. The techniques described in the embodiments of the present invention can also be applied to the wireless networks and radio technologies listed above.

In the embodiments of the present invention, a base station (BS) may be a station that communicates with a user equipment (UE) or with other communication stations, such as a relay station, and may provide communication coverage for a specific physical area. The base station may provide communication coverage for macro cells, pico cells, femto cells, and/or other types of cells. A macro cell may cover a relatively large geographic area, for example a radius of several kilometers, and allows unrestricted access by UEs with a service subscription. A pico cell may cover a relatively small geographic area and may allow unrestricted access by UEs with a service subscription. A femto cell covers a relatively small geographic area, such as a home, and allows restricted access by UEs associated with the femto cell. A base station serving a macro cell may be called a macro base station, a base station serving a pico cell may be called a pico base station, and a base station serving a femto cell may be called a femto base station or a home base station. A base station can support one or more cells.

In the embodiments of the present invention, UEs may be distributed throughout the wireless network, and each UE may be stationary or mobile. A UE may be called a terminal, a mobile station, a subscriber unit, a station, and so on. A UE may be a cellular phone, a personal digital assistant (PDA), a wireless modem, a wireless communication device, a handheld device, a laptop computer, a cordless phone, a Wireless Local Loop (WLL) station, and so on. A UE can communicate with macro base stations, pico base stations, femto base stations, and the like.
In the embodiments of the present invention, the ANDSF entity stores ANDSF policy information. The ANDSF policy information includes a first correspondence corresponding to the UE, and the first correspondence includes a correspondence between application information and an access mode, for example: "application information A, access mode B".

In the embodiments of the present invention, the AAA server is a server used to store the second correspondence. The second correspondence includes a correspondence between security information and application information, for example: "encryption algorithm C, application information A".

In the embodiments of the present invention, the data gateway may be a PDN-GW or a Gateway General Packet Radio Service (GPRS) Support Node (GGSN); as technology advances, it may also be another network element that performs service flow offloading. A person skilled in the art will understand that the data gateway differs between network scenarios.

By way of example, the application information may be an application identifier used to distinguish different application categories. By way of example, the application information may be a content type, such as text or video, used to distinguish different content categories. By way of example, the application information may also be any other information that has to be obtained by parsing the data packet and that distinguishes different data packets. The present invention does not limit the application information.

To better explain the embodiments of the present invention, the following description uses the scenario in which the data gateway is a PDN-GW.
FIG. 1 is a signaling diagram of offloading a service flow of a UE according to the prior art. The method for offloading the service flow of the UE shown in FIG. 1 may specifically include the following:

100. After power-on, the UE initiates an attach request and attaches to the core network. The UE transmits data through the PDN-GW in the core network.

101. The UE reports application information to an Application Function (AF) server.

For example, the UE can report the information of the running application to the AF server through a specific signaling message, such as Session Initiation Protocol (SIP) signaling. This application information is the same as the application information involved in the communication between the UE and the communication peer server.

102. The AF server generates session information and sends the session information to the PCRF entity.

For example, after receiving the application information sent by the UE, the AF server generates the corresponding session information (in essence, the session information also carries information that can identify the application information of the UE), establishes an Rx session with the PCRF entity, and sends the session information to the PCRF entity over the Rx interface.

103. The PCRF entity establishes a connection with the ANDSF entity and obtains from the ANDSF entity the ANDSF policy information corresponding to the application information of the UE.

104. The PCRF entity generates a PCC rule according to the obtained ANDSF policy information and sends the PCC rule to the PDN-GW.

For example, the PCRF entity sends the PCC rule to the PDN-GW through the Gx interface. This PCC rule is the PCC rule corresponding to the application information of the UE. The PCC rule includes a one-to-one correspondence between the application information of the UE and the access mode.

Optionally, if no PCC architecture is deployed in the network, the following 105 may be used instead of 103 and 104 above:

105. The PDN-GW establishes a connection with the ANDSF entity and obtains the corresponding ANDSF policy information from the ANDSF entity.

When the communication peer server delivers to the PDN-GW a service flow to be sent to the UE, the PDN-GW can obtain the application information of the UE from the service flow, and then obtain the PCC rule corresponding to the UE according to the ANDSF policy information and the application information of the UE.

Further, the method may also include:

106. The PDN-GW performs the corresponding bearer operation. For example, it performs the bearer operation according to the PCC rule corresponding to the application information of the UE in the service flow delivered to the UE; it may add, modify, or delete the corresponding bearer, thereby offloading the service flow that the communication peer server sends to the UE.

For example, the PDN-GW can determine the access mode of the UE according to the PCC rule and can therefore perform the corresponding bearer operation.
The above offloading solution applies to scenarios in which the UE is not under security protection. When the UE is in a security scenario, the communication data between the UE and the communication peer server is effectively protected, so the PDN-GW cannot learn the application information of the UE, cannot determine the access mode of the UE, and therefore cannot offload the service flow of the UE. The following technical solutions of the present invention can be used to determine the access mode of the UE in a security scenario and thus offload the service flow of the UE.

FIG. 2 is a flowchart of a method for determining a UE access mode according to an embodiment of the present invention. By way of example, the method in this embodiment is executed by the PDN-GW. As shown in FIG. 2, the method for determining the UE access mode in this embodiment includes the following:

200. Acquire the ANDSF policy information corresponding to the UE.

In this embodiment, the ANDSF policy information includes a first correspondence corresponding to the UE, and the first correspondence is a correspondence between application information and an access mode.

201. Acquire the second correspondence corresponding to the UE.

The second correspondence in this embodiment is a correspondence between the application information and security information.

202. Determine the access mode of the UE according to the first correspondence, the second correspondence, and the security-protected data packet to be sent to the UE.

The application scenario of this embodiment is that the UE is in a security scenario. The security scenario means that a secure connection has been established between the UE and the communication peer server and that the context data transmitted by the UE is protected by encryption, which protects the data transmitted by the UE from external attacks.

The method for determining the user equipment access mode in this embodiment determines the access mode of the UE from the correspondence between application information and access mode, the correspondence between application information and security information, and the security-protected data packet to be sent to the UE. The technical solution of this embodiment overcomes the problem in the prior art that the access mode of the UE cannot be determined based on application information in a security scenario, so that the service flow of the UE can be offloaded based on application information in a security scenario.

It should be noted that the security information in the above embodiment includes information such as a key certificate, a symmetric key, and a security algorithm.
图 3为本发明另一实施例提供的确定 UE接入方式的方法的流程图。 如图 3所示, 本实施例的确定 UE接入方式的方法在上述图 2所示实施例 的基础上, 更加详细地介绍本发明的技术方案。 本实施例的确定 UE接入 方式的方法, 包括如下:  FIG. 3 is a flowchart of a method for determining a UE access mode according to another embodiment of the present invention. As shown in FIG. 3, the method for determining the access mode of the UE in this embodiment is based on the foregoing embodiment shown in FIG. 2, and the technical solution of the present invention is introduced in more detail. The method for determining the UE access mode in this embodiment includes the following:
300、 PDN-GW接收通信对端服务器发送的数据报文;  300. The PDN-GW receives the data packet sent by the communication peer server.
该数据报文是要发送给 UE的, 且该数据报文经过安全保护处理。 301、 PDN-GW向 ANDSF实体发送携带 UE标识的 ANDSF策略请求 信息, 以供 ANDSF实体获取 UE对应的 ANDSF策略信息;  The data packet is sent to the UE, and the data packet is subjected to security protection processing. 301. The PDN-GW sends the ANDSF policy request information that carries the UE identifier to the ANDSF entity, where the ANDSF entity obtains the ANDSF policy information corresponding to the UE.
其中 UE的标识具体可以为该 UE的 IP地址。 该 ANDSF策略信息同 上述图 2所示实施例相同, 包括 UE对应的第一对应关系, 该第一对应关 系中包括应用信息与接入方式的对应关系。 其中, ANDSF 实体获取 UE 对应的 ANDSF策略信息具体可以为 ANDSF实体从预设置的策略数据库 中获取 UE对应的 ANDSF策略信息。 ANDSF策略信息也可以包含多个 UE对应的第一对应关系。 The identifier of the UE may specifically be an IP address of the UE. The ANDSF policy information is the same as the embodiment shown in FIG. 2, and includes a first correspondence corresponding to the UE, where the first correspondence is closed. The system includes the correspondence between application information and access methods. The ANDSF entity obtains the ANDSF policy information corresponding to the UE, and the ANDSF entity may obtain the ANDSF policy information corresponding to the UE from the preset policy database. The ANDSF policy information may also include a first correspondence corresponding to multiple UEs.
本实施例的应用场景也为 UE处于安全场景下, 该安全场景表明的物 理意义与上述实施例相同, 详细可以参考上述实施例的记载, 在此不在赘 述。  The application scenario of this embodiment is also in the security scenario of the UE. The physical meaning of the security scenario is the same as that of the foregoing embodiment. For details, refer to the description of the foregoing embodiment, which is not described herein.
可选地,在 300之前, UE可以与 ANDSF实体已经交互了一些设置策 略信息的需求信息如 UE标识、 UE的应用信息以及安全信息指示符等等, 这里的 UE标识可以为 UE的 IP地址。 安全信息指示符用于标识该 UE处 于安全场景下, 与该 UE通信的通信对端服务器发送给该 UE的数据报文 是经过安全保护处理的。 因此该 ANDSF实体在收到 ANDSF策略请求信 息之后, 可以从安全服务器中获取该 UE 对应的第二对应关系。 或者 ANDSF实体也可以预先在 300之前从安全服务器中获取该 UE对应的第二 对应关系, 该第二对应关系中包括应用信息与安全信息的对应关系。  Optionally, before 300, the UE may have interacted with the ANDSF entity with some requirement information for setting policy information, such as a UE identifier, application information of the UE, and a security information indicator, etc., where the UE identifier may be an IP address of the UE. The security information indicator is used to identify that the UE is in a security scenario, and the data packet sent by the communication peer server that communicates with the UE to the UE is security-protected. Therefore, after receiving the ANDSF policy request information, the ANDSF entity may obtain the second correspondence corresponding to the UE from the security server. Or the ANDSF entity may obtain the second correspondence corresponding to the UE from the security server before 300. The second correspondence includes the correspondence between the application information and the security information.
302. The PDN-GW receives the ANDSF policy information and the second correspondence corresponding to the UE, both sent by the ANDSF entity;
The second correspondence in this embodiment is the same as in the embodiment shown in FIG. 2; it includes the correspondence between application information and security information.
303. The PDN-GW obtains the application information of the data packet according to the second correspondence and the security-protected data packet to be sent to the UE;
For example, the security information in the second correspondence is used to parse the security-protected data packet to be sent to the UE, which yields the application information of the data packet. It is then determined whether the application information obtained by parsing corresponds to the application information in the second correspondence. If it does, parsing has succeeded, and the security information and application information corresponding to the data packet are determined to be the security information and application information in the second correspondence. If it does not, parsing has not succeeded; if other second correspondences corresponding to the UE exist, parsing may continue with the security information in those other second correspondences.
The security information in this embodiment may specifically be information such as a key certificate, a symmetric key, or a security algorithm. For example, when the security information is a key certificate, the key certificate may be verified on a certificate server to obtain key information, and the key information is used to parse the data packet; when parsing succeeds, the security information is determined to be the security information corresponding to the UE. Alternatively, when the security information is a symmetric key, the symmetric key is used to parse the data packet; when parsing succeeds, the security information is determined to be the security information corresponding to the UE. Alternatively, when the security information is a security algorithm, the security algorithm is used together with its own existing key information to parse the data packet; when parsing succeeds, the security information is determined to be the security information corresponding to the UE. Other similar security information can be handled by reference to the above examples.
304. The PDN-GW determines the access mode of the UE according to the obtained application information of the data packet and the first correspondence in the ANDSF policy request information corresponding to the UE;
For example, according to the application information already determined for the data packet, the access mode corresponding to that application information is obtained from the first correspondence corresponding to the UE; this is the access mode of the UE.
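Steps 303 and 304 for the symmetric-key case, as an added sketch that is not part of the patent text. The packet layout (nonce, ciphertext, HMAC tag), the SHA-256 keystream standing in for a real cipher, and every name, key and access-mode value are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

NONCE_LEN = 8   # assumed layout: nonce || ciphertext || tag
TAG_LEN = 32    # HMAC-SHA256 tag length


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one symmetric key.
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy SHA-256 counter keystream; a stand-in for a real cipher, illustration only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(key: bytes, app_info: str, payload: bytes) -> bytes:
    """Peer-server side: build a security-protected packet (constructed format)."""
    app = app_info.encode()
    plaintext = bytes([len(app)]) + app + payload
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def try_parse(key: bytes, packet: bytes) -> Optional[str]:
    """Gateway side: return the packet's application info, or None if parsing fails."""
    if len(packet) < NONCE_LEN + 1 + TAG_LEN:
        return None
    nonce = packet[:NONCE_LEN]
    ct = packet[NONCE_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or modified packet
    pt = _xor(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))
    app_len = pt[0]
    if app_len > len(pt) - 1:
        return None
    try:
        return pt[1:1 + app_len].decode()
    except UnicodeDecodeError:
        return None


def determine_access_mode(
    packet: bytes,
    second: List[Tuple[str, bytes]],   # second correspondence: (app info, security info)
    first: Dict[str, str],             # first correspondence: app info -> access mode
) -> Optional[str]:
    for app_info, key in second:
        parsed = try_parse(key, packet)
        # Step 303: parsing succeeds only if the recovered application info
        # matches the application info paired with this security info.
        if parsed is not None and parsed == app_info:
            # Step 304: look up the access mode in the first correspondence.
            return first.get(app_info)
    return None  # no second correspondence for this UE parsed the packet


# Constructed sample data for one UE.
KEY_VIDEO = b"\x11" * 32
KEY_VOIP = b"\x22" * 32
SECOND = [("video", KEY_VIDEO), ("voip", KEY_VOIP)]
FIRST = {"video": "WLAN", "voip": "3GPP"}

if __name__ == "__main__":
    pkt = protect(KEY_VOIP, "voip", b"rtp-sample")
    print(determine_access_mode(pkt, SECOND, FIRST))
```

The loop tries each second correspondence in turn, as the text describes; a packet protected with a key the gateway does not hold, or altered in transit, yields no access mode rather than a guess.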
In the method for determining the access mode of a user equipment in this embodiment, the PDN-GW obtains the application information of the data packet according to the correspondence between application information and security information and the security-protected data packet to be sent to the UE, and determines the access mode of the UE according to the correspondence between application information and access mode. The technical solution of this embodiment overcomes the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario, and therefore makes it possible to offload the UE's service flows based on application information in a security scenario.
The security server in the foregoing embodiments may be an Authentication, Authorization and Accounting (AAA) server, a Home Subscriber Server (HSS), a certificate server, an application server, or any other server capable of storing the security information and the second correspondence.
FIG. 4 is a flowchart of a method for determining a UE access mode according to still another embodiment of the present invention. As shown in FIG. 4, the method of this embodiment describes the technical solution of the present invention in more detail on the basis of the embodiment shown in FIG. 2. The method for determining the UE access mode in this embodiment includes the following:
400. The PDN-GW sends ANDSF policy request information carrying the UE identifier to the ANDSF entity, so that the ANDSF entity obtains the ANDSF policy information corresponding to the UE;
The ANDSF policy information is the same as in the embodiments shown in FIG. 2 and FIG. 3 and includes the first correspondence corresponding to the UE, where the first correspondence includes the correspondence between application information and access mode.
401. The PDN-GW receives the ANDSF policy information sent by the ANDSF entity;
402. The PDN-GW receives a data packet sent by the communication peer server;
The data packet is to be sent to the UE. The UE is in a security scenario, and the data packet has undergone encryption protection processing.
403. The PDN-GW sends a security information request carrying the UE identifier to the security server, so that the security server obtains the second correspondence corresponding to the UE according to the UE identifier;
The second correspondence in this embodiment is the same as in the embodiments shown in FIG. 2 and FIG. 3; it includes the correspondence between application information and security information.
404. The PDN-GW receives the second correspondence corresponding to the UE sent by the security server;
When there is no interface between the PDN-GW and the security server, in 403 the PDN-GW may send the security information request carrying the UE identifier to the security server through the PCRF entity. Correspondingly, in 404 the PDN-GW receives the second correspondence corresponding to the UE sent by the security server through the PCRF entity.
405. The PDN-GW obtains the application information of the data packet according to the second correspondence and the security-protected data packet to be sent to the UE;
406. The PDN-GW determines the access mode of the UE according to the application information of the data packet and the first correspondence in the ANDSF policy request information corresponding to the UE.
405-406 are the same as 303-304 in the embodiment shown in FIG. 3; for details, refer to the description of the foregoing embodiment, which is not repeated here.
The application scenario of this embodiment is still one in which the UE is in a security scenario: the UE has established a secure connection with the communication peer server. The physical meaning of the security scenario is the same as in the foregoing related embodiments; for details, refer to the description of the foregoing embodiments, which is not repeated here.
In the method for determining the access mode of a user equipment in this embodiment, the PDN-GW obtains the application information of the data packet according to the correspondence between application information and security information and the security-protected data packet to be sent to the UE, and determines the access mode of the UE according to the correspondence between application information and access mode. The technical solution of this embodiment overcomes the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario, and therefore makes it possible to offload the UE's service flows based on application information in a security scenario.
FIG. 5 is a flowchart of a method for determining a UE access mode according to yet another embodiment of the present invention. The method of this embodiment may be executed by an ANDSF entity. As shown in FIG. 5, the method for determining the UE access mode in this embodiment may specifically include the following:
500. Obtain the access network discovery and selection function policy information corresponding to the UE;
The access network discovery and selection function policy information includes the first correspondence corresponding to the UE, where the first correspondence is the correspondence between application information and access mode;
501. Obtain the second correspondence corresponding to the UE;
The second correspondence is the correspondence between the application information and security information.
502. Send the first correspondence and the second correspondence to the data gateway.
The first correspondence and the second correspondence are sent to the data gateway so that the data gateway determines the access mode of the UE according to the first correspondence, the second correspondence, and the security-protected data packet to be sent to the UE.
The ANDSF policy information in this embodiment is the same as in the embodiments shown in FIG. 2 to FIG. 4 and includes the first correspondence corresponding to the UE, where the first correspondence includes the correspondence between application information and access mode.
The data packet in this embodiment may be a security-protected data packet to be delivered to the UE; specifically, it is sent to the PDN-GW by the communication peer server that communicates with the UE.
The application scenario of this embodiment is still one in which the UE is in a security scenario: the UE has established a secure connection with the communication peer server. The physical meaning of the security scenario is the same as in the foregoing related embodiments; for details, refer to the description of the foregoing embodiments, which is not repeated here.
In the method for determining the access mode of a user equipment in this embodiment, the obtained correspondence between application information and access mode and the correspondence between application information and security information are sent to the data gateway so that the data gateway determines the access mode of the UE. This overcomes the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario, and therefore makes it possible to offload the UE's service flows based on application information in a security scenario.
Optionally, on the basis of the technical solution of the foregoing embodiment, "obtaining the access network discovery and selection function policy information corresponding to the UE" in 501 may specifically be obtaining, from a preset policy database, the ANDSF policy information of the UE corresponding to the UE identifier.
Optionally, on the basis of the technical solution of the foregoing embodiment, the UE identifier, the application information of the UE, and the security information indicator sent by the UE may also be received before 501. The ANDSF entity may obtain, according to the UE identifier and the application information of the UE, the access network discovery and selection function policy information of the UE corresponding to that application information. The ANDSF entity may also learn from the security information indicator that a secure connection has been established between the UE and the communication peer server and that the data packets transmitted between the UE and the communication peer server are protected by encryption. For example, the UE identifier, the application information of the UE, and the security information indicator may be reported by the UE to the ANDSF entity when the UE and the ANDSF entity exchange requirement information for setting policy information.
Further optionally, similar to the method for determining the access mode of a user equipment on the PDN-GW side shown in FIG. 3, in this embodiment, after the ANDSF entity receives the UE identifier, the application information of the UE, and the security information indicator sent by the UE, it can learn from the security information indicator that the data packets sent to the UE by the communication peer server are all sent in a security scenario. The ANDSF entity may then obtain the second correspondence of the UE from the security server, either before or after the PDN-GW requests the ANDSF policy information from the ANDSF entity. The ANDSF entity may also send the obtained second correspondence to the PDN-GW. For example, the following steps may be used:
A1. Send a security information request carrying the UE identifier to the security server, so that the security server obtains the second correspondence corresponding to the UE according to the UE identifier;
A2. Receive the second correspondence corresponding to the UE sent by the security server;
A3. Send the second correspondence to the PDN-GW.
When there is no interface between the ANDSF entity and the security server, A1 may specifically be: the ANDSF entity sends the security information request carrying the UE identifier to the security server through the PCRF entity. Correspondingly, A2 may be: the ANDSF entity receives the second correspondence corresponding to the UE sent by the security server through the PCRF entity.
The ANDSF entity may also send the obtained second correspondence to the PDN-GW together with the ANDSF policy information.
The foregoing method for determining the access mode of a user equipment overcomes the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario, and therefore makes it possible to offload the UE's service flows based on application information in a security scenario.
FIG. 6 is a signaling diagram of a method for determining a user equipment access mode according to an embodiment of the present invention. As shown in FIG. 6, the method for determining the user equipment access mode in this embodiment may specifically include the following:
600. After the UE is powered on, it attaches to the core network;
601. The UE establishes a secure connection with the communication peer server;
In this way, subsequent data packets between the UE and the communication peer server are all transmitted in a security scenario. The physical meaning of the security scenario is the same as in the foregoing related embodiments; for details, refer to the description of the foregoing embodiments, which is not repeated here.
602. The UE and the ANDSF entity exchange policy information, in which the UE reports the UE's IP address, application information, and security information indicator to the ANDSF entity;
603. The ANDSF entity sends a security information request carrying the UE's IP address and application information to the AAA server;
604. The AAA server obtains the second correspondence corresponding to the UE according to the security information request and sends the second correspondence to the ANDSF entity;
It should be noted that when there is no interface between the ANDSF entity and the AAA server, in 603 the ANDSF entity sends the security information request carrying the UE's IP address and application information to the AAA server through the PCRF entity, and in 604 the AAA server sends the second correspondence to the ANDSF entity through the PCRF entity.
605. The ANDSF entity obtains the first correspondence from the preset policy database according to the UE's IP address and application information;
The first correspondence and the second correspondence in this embodiment are the same as in the embodiments shown in FIG. 2 to FIG. 5. The first correspondence includes the correspondence between application information and access mode. The second correspondence includes the correspondence between application information and security information.
606. The communication peer server delivers to the PDN-GW the security-protected data packet to be sent to the UE;
Optionally, 606 may also be located between 601 and 602.
607. The PDN-GW sends ANDSF policy request information to the ANDSF entity;
608. The ANDSF entity sends the ANDSF policy information and the second correspondence to the PDN-GW;
The ANDSF policy information is the same as in the embodiments shown in FIG. 2 to FIG. 5.
609. The PDN-GW parses, according to the security information in the second correspondence, the security-protected data packet sent to the UE, and obtains the security-protected data packet sent to the UE ... corresponding to the application information in the second correspondence; the PDN-GW determines the access mode of the UE according to the first correspondence.
Step 609 is the same as 303-304 in the embodiment shown in FIG. 3; for details, refer to the description of the foregoing embodiment, which is not repeated here.
In summary, the method provided by the embodiments of the present invention can determine the access mode of the UE based on application information in a security scenario. Subsequently, a bearer creation or modification procedure can be performed according to the change in access mode, and data packets are offloaded according to the determined access mode, thereby implementing data offloading in a security scenario.
In the method for determining the access mode of a user equipment in this embodiment, the PDN-GW obtains the application information of the data packet according to the correspondence between application information and security information and the security-protected data packet to be sent to the UE, and determines the access mode of the UE according to the correspondence between application information and access mode. The technical solution of this embodiment overcomes the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario, and therefore makes it possible to offload the UE's service flows based on application information in a security scenario.
FIG. 7 is a signaling diagram of a method for determining a user equipment access mode according to still another embodiment of the present invention. As shown in FIG. 7, the method for determining the user equipment access mode in this embodiment may specifically include the following:
700. After the UE is powered on, it attaches to the core network;
701. The UE establishes a secure connection with the communication peer server;
In this way, subsequent data packets between the UE and the communication peer server are all transmitted in a security scenario. The physical meaning of the security scenario is the same as in the foregoing related embodiments; for details, refer to the description of the foregoing embodiments, which is not repeated here.
702. The PDN-GW sends ANDSF policy request information carrying the UE's IP address to the ANDSF entity;
703. The ANDSF entity obtains the ANDSF policy information from the preset policy database according to the ANDSF policy request information;
The ANDSF policy information in this embodiment is the same as in the embodiments shown in FIG. 2 to FIG. 6 and is not described again here.
704. The ANDSF entity sends the ANDSF policy information to the PDN-GW;
705. The communication peer server delivers to the PDN-GW the security-protected data packet sent to the UE;
706. The PDN-GW sends a security information request carrying the UE's IP address to the AAA server;
707. The AAA server obtains the second correspondence corresponding to the UE according to the security information request and sends the second correspondence to the PDN-GW;
It should be noted that when there is no interface between the PDN-GW and the AAA server, in 706 the PDN-GW sends the security information request carrying the UE's IP address to the AAA server through the PCRF entity, and in 707 the AAA server sends the second correspondence to the PDN-GW through the PCRF entity.
708. The PDN-GW parses, according to the security information in the second correspondence, the security-protected data packet sent to the UE, and obtains the security-protected data packet sent to the UE ... corresponding to the application information in the second correspondence; the PDN-GW determines the access mode of the UE according to the first correspondence.
Step 708 is the same as 303-304 in the embodiment shown in FIG. 3; for details, refer to the description of the foregoing embodiment, which is not repeated here.
In summary, the method provided by the embodiments of the present invention can determine the access mode of the UE based on application information in a security scenario. Subsequently, a bearer creation or modification procedure can be performed according to the change in access mode, and data packets are offloaded according to the determined access mode, thereby implementing data offloading in a security scenario.
In the method for determining the access mode of a user equipment in this embodiment, the PDN-GW obtains the application information of the data packet according to the correspondence between application information and security information and the security-protected data packet to be sent to the UE, and determines the access mode of the UE according to the correspondence between application information and access mode. The technical solution of this embodiment overcomes the problem in the prior art that the access mode of a UE cannot be determined based on application information in a security scenario, and therefore makes it possible to offload the UE's service flows based on application information in a security scenario.
FIG. 6 and FIG. 7 above use an AAA server as the security server to illustrate the technical solutions of the embodiments of the present invention. In practical applications, the AAA server in the foregoing embodiments may be replaced by an HSS, a certificate server, an application server, or any other server capable of storing the security information and the second correspondence.
In the embodiments of the present invention, the correspondence between security information and application information in the second correspondence, and the correspondence between application information and access mode in the first correspondence, are both one-to-one: one piece of security information corresponds to one piece of application information, and one piece of application information corresponds to one access mode.
A person of ordinary skill in the art will understand that all or some of the steps of the foregoing method embodiments may be implemented by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the foregoing method embodiments. The storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.
FIG. 8 is a schematic structural diagram of a data gateway according to an embodiment of the present invention. As shown in FIG. 8, the data gateway of this embodiment includes a first acquiring module M10, a second acquiring module M11, and a determining module M12.
In the data gateway of this embodiment, the first acquiring module M10 is configured to acquire the access network discovery and selection function policy information corresponding to the user equipment. This policy information includes a first correspondence corresponding to the user equipment, the first correspondence being a correspondence between application information and access mode. The second acquiring module M11 is configured to acquire a second correspondence corresponding to the user equipment, the second correspondence being a correspondence between the application information and security information. The determining module M12 is connected to the first acquiring module M10 and to the second acquiring module M11, and is configured to determine the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet to be sent to the user equipment.
The mechanism by which the data gateway of this embodiment determines the access mode of the UE using the foregoing modules is the same as in the related method embodiments above. For details, refer to the description of those method embodiments, which is not repeated here.
By using the foregoing modules, the data gateway of this embodiment can determine the access mode of the UE based on application information in a security scenario, so that the service flows of the UE can subsequently be offloaded.
FIG. 9 is a schematic structural diagram of a data gateway according to another embodiment of the present invention. As shown in FIG. 9, on the basis of the embodiment shown in FIG. 8, the data gateway of this embodiment may further include the following:
In the data gateway of this embodiment, the first acquiring module M10 may include a first sending unit U101 and a first receiving unit U102. The first sending unit U101 is configured to send, to the ANDSF entity, ANDSF policy request information carrying the UE identifier, so that the ANDSF entity acquires the ANDSF policy information corresponding to the UE; the ANDSF policy information includes the first correspondence corresponding to the UE. The first receiving unit U102 is configured to receive the ANDSF policy information sent by the ANDSF entity. In this case, the determining module M12 is connected to the first receiving unit U102 and is configured to determine the access mode of the UE according to the second correspondence acquired by the second acquiring module M11, the first correspondence corresponding to the UE in the ANDSF policy information received by the first receiving unit U102, and the security-protected data packet to be sent to the UE.
Optionally, in the PDN-GW device of this embodiment, the second acquiring module M11 may be specifically configured to receive at least one piece of security information corresponding to the UE, and the corresponding at least one second correspondence, sent by the ANDSF entity. The at least one piece of security information corresponding to the UE and the corresponding at least one second correspondence are acquired by the ANDSF entity from the security server.
Further optionally, in the data gateway of this embodiment, the second acquiring module M11 may further include a second sending unit U111 and a second receiving unit U112. The second sending unit U111 is configured to send, to the security server, a security information request carrying the UE identifier, so that the security server acquires the second correspondence corresponding to the UE according to the UE identifier. The second receiving unit U112 is configured to receive the second correspondence corresponding to the UE sent by the security server. Correspondingly, the determining module M12 may also be connected to the second receiving unit U112, and is configured to determine the access mode of the UE according to the second correspondence received by the second receiving unit U112, the first correspondence corresponding to the UE in the ANDSF policy information acquired by the first acquiring module M10 (specifically, this may be the first receiving unit U102 in the foregoing technical solution, as shown in FIG. 9), and the data packet to be sent to the UE.
Further optionally, the second sending unit U111 may be specifically configured to send the security information request carrying the UE identifier to the security server through the PCRF entity. The second receiving unit U112 may be specifically configured to receive the second correspondence corresponding to the UE that the security server sends through the PCRF entity.
Optionally, the determining module M12 in the foregoing embodiment may further include an acquiring unit U121 and a determining unit U122. The acquiring unit U121 is connected to the second receiving unit U112 and is configured to parse the security-protected data packet sent to the user equipment according to the security information in the second correspondence received by the second receiving unit U112, and thereby obtain the application information of that data packet. The determining unit U122 is connected to the acquiring unit U121, the second receiving unit U112, and the first receiving unit U102. When the application information of the security-protected data packet sent to the user equipment corresponds to the application information in the second correspondence, the determining unit U122 determines the access mode of the user equipment according to the first correspondence corresponding to the UE in the ANDSF policy information received by the first receiving unit U102.
Optionally, the data gateway of this embodiment may further include a receiving module M13, configured to receive the security-protected data packet sent by the communication peer server. Specifically, the receiving module M13 is connected to the acquiring unit U121, so that the acquiring unit U121 can obtain the application information of the data packet according to the second correspondence received by the second receiving unit U112 and the security-protected data packet, received by the receiving module M13, that is to be sent to the user equipment.
It should be noted that FIG. 9 merely shows one optional embodiment of the present invention, formed by combining all of the foregoing optional technical solutions. In practical applications, the foregoing optional technical solutions may also be combined in any combinable manner to form multiple optional embodiments of the present invention, which are not described in detail here.
For how the data gateway of this embodiment determines the access mode of the UE using the foregoing modules and units, refer to the description of the related method embodiments; details are not repeated here.
By using the foregoing modules, the data gateway of this embodiment can determine the access mode of the UE based on application information in a security scenario, so that the service flows of the UE can subsequently be offloaded.
FIG. 10 is a schematic structural diagram of an access network discovery and selection function entity according to an embodiment of the present invention. As shown in FIG. 10, the ANDSF entity device of this embodiment includes a first acquiring module M20, a second acquiring module M21, and a sending module M22.
In the ANDSF entity device of this embodiment, the first acquiring module M20 is configured to acquire the access network discovery and selection function policy information corresponding to the user equipment. This policy information includes a first correspondence corresponding to the user equipment, the first correspondence being a correspondence between application information and access mode. The second acquiring module M21 is configured to acquire a second correspondence corresponding to the user equipment, the second correspondence being a correspondence between the application information and security information. The sending module M22 is connected to the first acquiring module M20 and to the second acquiring module M21, and is configured to send the first correspondence and the second correspondence to the data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet to be sent to the user equipment.
For how the ANDSF entity of this embodiment supports determining the access mode of the UE using the foregoing modules, refer to the description of the method embodiments; details are not repeated here.
By using the foregoing modules, the ANDSF entity of this embodiment makes it easier for the data gateway to determine the access mode of the UE based on application information in a security scenario, so that the service flows of the UE can subsequently be offloaded.
Optionally, the first acquiring module M20 in the foregoing embodiment may specifically acquire, from a preset policy database, the ANDSF policy information of the UE corresponding to the UE identifier.
Optionally, the second acquiring module M21 may include an indication receiving unit, a sending unit, and a receiving unit. The indication receiving unit is configured to receive the user equipment identifier and the security information indicator of the user equipment. The sending unit is configured to send, to the security server, a security information request carrying the user equipment identifier, so that the security server acquires the second correspondence corresponding to the user equipment according to the user equipment identifier. The receiving unit is configured to receive the second correspondence corresponding to the user equipment sent by the security server.
For how the ANDSF entity of the foregoing embodiment supports determining the access mode of the UE using the foregoing modules, refer to the description of the related method embodiments; details are not repeated here.
By using the foregoing modules, the ANDSF entity of the foregoing embodiment makes it easier for the data gateway to determine the access mode of the UE based on application information in a security scenario, so that the service flows of the UE can subsequently be offloaded.
The security server in the foregoing apparatus embodiments may likewise be an AAA server, an HSS, a certificate server, an application server, or any other server capable of storing security information and the correspondence between security information and application information.
FIG. 11 is a schematic structural diagram of a system for determining a UE access mode according to an embodiment of the present invention. As shown in FIG. 11, the system for determining a UE access mode in this embodiment may include a data gateway 30 and an ANDSF entity 40.
The data gateway 30 is configured to: receive the access network discovery and selection function policy information corresponding to the user equipment, where this policy information includes a first correspondence corresponding to the user equipment, the first correspondence being a correspondence between application information and access mode; receive a second correspondence corresponding to the user equipment, the second correspondence being a correspondence between the application information and security information; and determine the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet to be sent to the user equipment.
The ANDSF 40 is configured to: acquire the access network discovery and selection function policy information corresponding to the user equipment; acquire the second correspondence corresponding to the user equipment; and send the access network discovery and selection function policy information and the second correspondence to the data gateway.
Further, the data gateway 30 is specifically configured to: acquire the access network discovery and selection function policy information corresponding to the user equipment, where this policy information includes a first correspondence corresponding to the user equipment, the first correspondence being a correspondence between application information and access mode; acquire a second correspondence corresponding to the user equipment, the second correspondence being a correspondence between the application information and security information; parse the security-protected data packet sent to the user equipment according to the security information in the second correspondence, to obtain the application information of that data packet; and, when the application information of the security-protected data packet sent to the user equipment corresponds to the application information in the second correspondence, determine the access mode of the user equipment according to the first correspondence.
Further, the ANDSF 40 is specifically configured to: acquire the access network discovery and selection function policy information corresponding to the user equipment; receive the user equipment identifier and the security information indicator of the user equipment; send, to the security server, a security information request carrying the user equipment identifier, so that the security server acquires the second correspondence corresponding to the user equipment according to the user equipment identifier; receive the second correspondence corresponding to the user equipment sent by the security server; and send the access network discovery and selection function policy information and the second correspondence to the data gateway.
The mechanism by which the system of this embodiment determines the access mode of the UE using the foregoing data gateway 30 and ANDSF entity 40 is the same as in the related method embodiments above. For details, refer to the description of those method embodiments, which is not repeated here.
By using the foregoing data gateway 30 and ANDSF entity 40, the system for determining a UE access mode in this embodiment can determine the access mode of the UE based on application information in a security scenario, so that the service flows of the UE can subsequently be offloaded.
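The decision made by the acquiring unit U121 and the determining unit U122 (parse the protected packet with the security information, then map its application information to an access mode) is sketched below as an added example; it is not code from the patent. It assumes the security information is a per-application symmetric key and the packet is a JSON body under encrypt-then-MAC; all names, keys, and access-mode values are constructed, and the SHA-256 keystream is a standard-library stand-in for a real cipher, since the text does not specify the protection scheme.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed sample data; none of these values come from the patent.
# First correspondence (ANDSF policy information): application info -> access mode.
FIRST_CORRESPONDENCE = {"video-streaming": "WLAN", "voip": "3GPP"}
# Second correspondence (security server): application info -> security info.
# Assumption: the security information is a per-application symmetric key.
SECOND_CORRESPONDENCE = {
    "video-streaming": b"constructed-key-for-video",
    "voip": b"constructed-key-for-voip",
}

NONCE_LEN, TAG_LEN = 8, 32


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one piece of security info."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stdlib-only stand-in for a real cipher."""
    blocks = []
    for counter in range((length + 31) // 32):
        block_input = enc_key + nonce + counter.to_bytes(4, "big")
        blocks.append(hashlib.sha256(block_input).digest())
    return b"".join(blocks)[:length]


def protect(key: bytes, app_info: str, payload: str) -> bytes:
    """Peer-server role: encrypt-then-MAC a packet carrying its application info."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    plain = json.dumps({"app": app_info, "data": payload}).encode()
    stream = _keystream(enc_key, nonce, len(plain))
    cipher = bytes(p ^ k for p, k in zip(plain, stream))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def parse_application_info(key: bytes, packet: bytes) -> Optional[str]:
    """Acquiring-unit role: return the packet's application info, or None.

    The tag is checked before decryption, so a wrong key or a modified
    packet yields None instead of unauthenticated plaintext.
    """
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce = packet[:NONCE_LEN]
    cipher = packet[NONCE_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(cipher))
    plain = bytes(c ^ k for c, k in zip(cipher, stream))
    try:
        app = json.loads(plain)["app"]
    except (ValueError, KeyError, TypeError):
        return None
    return app if isinstance(app, str) else None


def determine_access_mode(packet: bytes, first: dict, second: dict,
                          default: Optional[str] = None) -> Optional[str]:
    """Determining-unit role: use the first correspondence only when the parsed
    application info matches the entry whose security info parsed the packet."""
    for app_info, security_info in second.items():
        parsed = parse_application_info(security_info, packet)
        if parsed is not None and parsed == app_info:
            return first.get(app_info, default)
    return default  # fail closed: no verified match, no policy-driven choice


if __name__ == "__main__":
    pkt = protect(SECOND_CORRESPONDENCE["voip"], "voip", "constructed payload")
    print(determine_access_mode(pkt, FIRST_CORRESPONDENCE, SECOND_CORRESPONDENCE))
```

A packet that verifies under one application's key but declares a different application falls through to the default, which keeps a holder of one key from steering another application's traffic.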
Those skilled in the art may also understand that the various illustrative logical blocks and steps listed in the embodiments of the present invention may be implemented by electronic hardware, computer software, or a combination of both. To clearly show the interchangeability of hardware and software, the various illustrative components and steps above have been described generally in terms of their functions. Whether such functions are implemented in hardware or in software depends on the particular application and the design requirements of the overall system. Those skilled in the art may use various methods to implement the described functions for each particular application, but such implementation should not be understood as going beyond the protection scope of the embodiments of the present invention.
The various illustrative logical blocks, modules, and circuits described in the embodiments of the present invention may implement or operate the described functions through a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or a design of any combination of the above. The general-purpose processor may be a microprocessor; optionally, it may also be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, for example a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of the methods or algorithms described in the embodiments of the present invention may be embedded directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may be stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium in the art. For example, the storage medium may be connected to the processor so that the processor can read information from the storage medium and write information to it. Optionally, the storage medium may also be integrated into the processor. The processor and the storage medium may be arranged in an ASIC, and the ASIC may be arranged in a user terminal. Optionally, the processor and the storage medium may also be arranged in different components of the user terminal.
In one or more exemplary designs, the functions described in the embodiments of the present invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, these functions may be stored on a computer-readable medium, or transmitted over a computer-readable medium in the form of one or more instructions or code. Computer-readable media include computer storage media and communication media that facilitate the transfer of a computer program from one place to another. A storage medium may be any available medium that a general-purpose or special-purpose computer can access. For example, such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures, or in other forms readable by a general-purpose or special-purpose computer or a general-purpose or special-purpose processor. In addition, any connection may properly be defined as a computer-readable medium: for example, software transmitted from a website, server, or other remote source over a coaxial cable, an optical fiber cable, a twisted pair, a digital subscriber line (DSL), or by wireless means such as infrared, radio, and microwave is also included in the defined computer-readable medium. The disks and discs referred to include compact discs, laser discs, optical discs, DVDs, floppy disks, and Blu-ray discs; disks usually reproduce data magnetically, while discs usually reproduce data optically with lasers. Combinations of the above may also be included in computer-readable media.
The foregoing description in this specification enables anyone skilled in the art to use or implement the content of the present invention. Any modification based on the disclosed content should be considered obvious in the art, and the basic principles described in the present invention may be applied to other variations without departing from the essence and scope of the invention. Therefore, the content disclosed in the present invention is not limited to the described embodiments and designs, but extends to the widest scope consistent with the principles of the present invention and the novel features disclosed.

Claims

1. A method for determining an access mode of a user equipment, characterized by comprising:
a data gateway acquires access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and access mode;
the data gateway acquires a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information;
the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.
2. The method according to claim 1, characterized in that the data gateway acquiring the second correspondence corresponding to the user equipment comprises:
the data gateway receives the second correspondence corresponding to the user equipment sent by the access network discovery and selection function entity, where the second correspondence corresponding to the user equipment is acquired by the access network discovery and selection function entity from a security server.
3. The method according to claim 1, characterized in that the data gateway acquiring the second correspondence corresponding to the user equipment comprises:
the data gateway sends, to a security server, a security information request carrying the user equipment identifier, so that the security server acquires the second correspondence corresponding to the user equipment according to the user equipment identifier;
the data gateway receives the second correspondence corresponding to the user equipment sent by the security server.
4. The method according to claim 3, characterized in that:
the data gateway sending, to the security server, the security information request carrying the user equipment identifier comprises: the data gateway sends the security information request carrying the user equipment identifier to the security server through a policy and charging rules function entity;
the data gateway receiving the second correspondence corresponding to the user equipment sent by the security server comprises: the data gateway receives the second correspondence corresponding to the user equipment that the security server sends through the policy and charging rules function entity.
5. The method according to any one of claims 1 to 4, characterized in that the data gateway determining the access mode of the user equipment according to the first correspondence, the second correspondence, and the security-protected data packet to be sent to the user equipment comprises:
the data gateway parses the security-protected data packet sent to the user equipment according to the security information in the second correspondence, to obtain the application information of the security-protected data packet sent to the user equipment;
if the application information of the security-protected data packet sent to the user equipment corresponds to the application information in the second correspondence, the data gateway determines the access mode of the user equipment according to the first correspondence.
6. A method for determining an access mode of a user equipment, characterized by comprising:
an access network discovery and selection function entity acquires access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and access mode;
the access network discovery and selection function entity acquires a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information;
the access network discovery and selection function entity sends the first correspondence and the second correspondence to a data gateway, so that the data gateway determines the access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.
7. The method according to claim 6, characterized in that the access network discovery and selection function entity acquiring the second correspondence corresponding to the user equipment comprises:
the access network discovery and selection function entity receives the user equipment identifier and the security information indicator of the user equipment;
the access network discovery and selection function entity sends, to a security server, a security information request carrying the user equipment identifier, so that the security server acquires the second correspondence corresponding to the user equipment according to the user equipment identifier;
the access network discovery and selection function entity receives the second correspondence corresponding to the user equipment sent by the security server.
8、 一种数据网关, 其特征在于, 包括:  8. A data gateway, comprising:
第一获取模块, 用于获取用户设备对应的接入网络发现与选择功能策略 信息; 所述接入网络发现与选择功能策略信息中包括所述用户设备对应的第 一对应关系, 所述第一对应关系为应用信息与接入方式的对应关系; 第二获耳 莫块, 用于获取所述用户设备对应的第二对应关系, 所述第二 对应关系为所述应用信息与安全信息的对应关系; a first acquiring module, configured to acquire access network discovery and selection function policy information corresponding to the user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, where the first Correspondence relationship is the correspondence between application information and access mode; And a second corresponding node, configured to acquire a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information;
确定模块, 用于根据所述第一对应关系、 所述第二对应关系以及要发送 给所述用户设备的经安全保护处理的数据报文, 确定所述用户设备的接入方 式。  And a determining module, configured to determine, according to the first correspondence, the second correspondence, and the data packet that is to be sent to the user equipment for security protection processing, determining an access mode of the user equipment.
9. The data gateway according to claim 8, wherein the second acquiring module is specifically configured to receive the second correspondence corresponding to the user equipment sent by the access network discovery and selection function entity; the second correspondence corresponding to the user equipment is acquired by the access network discovery and selection function entity from a security server.
10. The data gateway according to claim 8, wherein the second acquiring module comprises:
a second sending unit, configured to send a security information request carrying the user equipment identifier to a security server, so that the security server acquires the second correspondence corresponding to the user equipment according to the user equipment identifier;
a second receiving unit, configured to receive the second correspondence corresponding to the user equipment sent by the security server.
11. The data gateway according to claim 10, wherein:
the second sending unit is specifically configured to send the security information request carrying the user equipment identifier to the security server through a policy charging rule function entity;
the second receiving unit is specifically configured to receive the second correspondence corresponding to the user equipment sent by the security server through the policy charging rule function entity.
12. The data gateway according to any one of claims 8 to 11, wherein the determining module comprises:
an obtaining unit, configured to parse, according to the security information in the second correspondence, the security-protected data packet sent to the user equipment, to obtain application information of the security-protected data packet sent to the user equipment;
a determining unit, configured to determine the access mode of the user equipment according to the first correspondence when the application information of the security-protected data packet sent to the user equipment corresponds to the application information in the second correspondence.
13. An access network discovery and selection function entity, comprising:
a first acquiring module, configured to acquire access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode;
a second acquiring module, configured to acquire a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information;
a sending module, configured to send the first correspondence and the second correspondence to a data gateway, so that the data gateway determines an access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment.
14. The access network discovery and selection function entity according to claim 13, wherein the second acquiring module comprises:
an indication receiving unit, configured to receive a user equipment identifier and a security information indicator of the user equipment;
a sending unit, configured to send a security information request carrying the user equipment identifier to a security server, so that the security server acquires the second correspondence corresponding to the user equipment according to the user equipment identifier;
a receiving unit, configured to receive the second correspondence corresponding to the user equipment sent by the security server.
15. A system for determining an access mode of a user equipment, comprising: a data gateway and an access network discovery and selection function entity;
the data gateway is configured to: receive access network discovery and selection function policy information corresponding to a user equipment, where the access network discovery and selection function policy information includes a first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode; receive a second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information; and determine an access mode of the user equipment according to the first correspondence, the second correspondence, and a security-protected data packet to be sent to the user equipment;
the access network discovery and selection function entity is configured to: acquire the access network discovery and selection function policy information corresponding to the user equipment; acquire the second correspondence corresponding to the user equipment; and send the access network discovery and selection function policy information and the second correspondence to the data gateway.
16. The system according to claim 15, wherein the data gateway is specifically configured to: acquire the access network discovery and selection function policy information corresponding to the user equipment, where the access network discovery and selection function policy information includes the first correspondence corresponding to the user equipment, and the first correspondence is a correspondence between application information and an access mode; acquire the second correspondence corresponding to the user equipment, where the second correspondence is a correspondence between the application information and security information; parse, according to the security information in the second correspondence, the security-protected data packet sent to the user equipment, to obtain application information of the security-protected data packet sent to the user equipment; and when the application information of the security-protected data packet sent to the user equipment corresponds to the application information in the second correspondence, determine the access mode of the user equipment according to the first correspondence.
17. The system according to claim 15 or 16, wherein the access network discovery and selection function entity is specifically configured to: acquire the access network discovery and selection function policy information corresponding to the user equipment; receive a user equipment identifier and a security information indicator of the user equipment; send a security information request carrying the user equipment identifier to a security server, so that the security server acquires the second correspondence corresponding to the user equipment according to the user equipment identifier; receive the second correspondence corresponding to the user equipment sent by the security server; and send the access network discovery and selection function policy information and the second correspondence to the data gateway.
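
The determination step of claims 12 and 16, as an added Python sketch that is not part of the patent text: the gateway tries each entry of the second correspondence against a protected packet, and consults the first correspondence only when the parsed application information matches the entry whose security information opened the packet. The packet layout, the HMAC-SHA256 keystream and tag (a stand-in for whatever protection a deployment uses), and all application names, access modes and keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

def _subkey(sec_info, label):
    # Separate encryption and integrity keys derived from the security info.
    return hmac.new(sec_info, label, hashlib.sha256).digest()

def _xor(data, key, nonce):
    # Stand-in cipher: XOR with an HMAC-SHA256 counter keystream.
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(sec_info, nonce, body):
    return hmac.new(_subkey(sec_info, b"mac"), nonce + body, hashlib.sha256).digest()[:16]

def protect(sec_info, nonce, app_info, payload):
    """Sender side (assumed layout): nonce(8) | tag(16) | encrypted JSON body."""
    plain = json.dumps({"app": app_info, "data": payload}).encode()
    body = _xor(plain, _subkey(sec_info, b"enc"), nonce)
    return nonce + _tag(sec_info, nonce, body) + body

def parse_with_security_info(sec_info, packet):
    """Obtaining unit: application info of the packet, or None if sec_info does not fit."""
    nonce, tag, body = packet[:8], packet[8:24], packet[24:]
    if not hmac.compare_digest(tag, _tag(sec_info, nonce, body)):
        return None  # wrong security info, truncated or tampered packet
    return json.loads(_xor(body, _subkey(sec_info, b"enc"), nonce))["app"]

def determine_access_mode(first_corr, second_corr, packet):
    """Determining unit: first_corr maps app -> access mode, second_corr maps app -> security info."""
    for app, sec_info in second_corr.items():
        parsed = parse_with_security_info(sec_info, packet)
        # The first correspondence is used only when the parsed application
        # info corresponds to the entry in the second correspondence.
        if parsed is not None and parsed == app:
            return first_corr.get(app)
    return None  # packet stays opaque: no policy decision can be made

# Constructed sample correspondences (not from the patent).
FIRST_CORR = {"voip": "3GPP", "video": "WLAN"}
SECOND_CORR = {"voip": b"constructed-voip-key", "video": b"constructed-video-key"}

if __name__ == "__main__":
    pkt = protect(SECOND_CORR["voip"], b"\x01" * 8, "voip", "sample")
    print(determine_access_mode(FIRST_CORR, SECOND_CORR, pkt))
```

A packet that no entry can open, or whose inner application information disagrees with the entry that opened it, yields no access mode, so the gateway never applies a policy it cannot bind to verified application information.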
PCT/CN2011/083375 2011-12-02 2011-12-02 Method for determining access mode of user equipment, and system and device thereof WO2013078678A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2011/083375 WO2013078678A1 (en) 2011-12-02 2011-12-02 Method for determining access mode of user equipment, and system and device thereof
CN201180003638.5A CN103250446B (en) 2011-12-02 2011-12-02 Determine the method and system of subscriber equipment access way, equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/083375 WO2013078678A1 (en) 2011-12-02 2011-12-02 Method for determining access mode of user equipment, and system and device thereof

Publications (1)

Publication Number Publication Date
WO2013078678A1 (en) 2013-06-06

Family

ID=48534650

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/083375 WO2013078678A1 (en) 2011-12-02 2011-12-02 Method for determining access mode of user equipment, and system and device thereof

Country Status (2)

Country Link
CN (1) CN103250446B (en)
WO (1) WO2013078678A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109756919A (en) * 2017-11-01 2019-05-14 华为技术有限公司 The processing method of dedicated bearing stream, apparatus and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101577909A (en) * 2008-05-05 2009-11-11 大唐移动通信设备有限公司 Method, system and device for acquiring trust type of non-3GPP access system
CN101599904A (en) * 2009-06-26 2009-12-09 中国电信股份有限公司 The method and system that a kind of virtual dial-up safe inserts
CN101730192A (en) * 2009-02-10 2010-06-09 中兴通讯股份有限公司 Method and device for transmitting access network policy information and interaction system
CN101945456A (en) * 2009-07-08 2011-01-12 中兴通讯股份有限公司 Method and system for providing access network protocol selection function by access network discovery and selection function (ANDSF)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223634A (en) * 2010-04-15 2011-10-19 中兴通讯股份有限公司 Method and device for controlling mode of accessing user terminal into Internet

Also Published As

Publication number Publication date
CN103250446A (en) 2013-08-14
CN103250446B (en) 2015-12-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11876564

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11876564

Country of ref document: EP

Kind code of ref document: A1