WO2018053856A1 - Message forwarding method and apparatus, and access gateway - Google Patents


Info

Publication number
WO2018053856A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
message
core network
eap
network element
Prior art date
Application number
PCT/CN2016/100173
Other languages
French (fr)
Chinese (zh)
Inventor
陈璟
李欢
李�赫
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2016/100173
Publication of WO2018053856A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, and an access gateway for message forwarding.
  • the entire wireless communication network architecture is divided into two parts, an access network and a core network; according to the way in which the user accesses the core network, access is divided into the 3GPP (3rd Generation Partnership Project) access mode and non-3GPP access modes.
  • the 3GPP access mode generally refers to the user accessing the core network by using a technology specified by 3GPP, for example through a base station.
  • the non-3GPP access mode generally refers to the user accessing the core network by using a technology not specified by 3GPP, for example through Wifi.
  • the existing 4G network is taken as an example: the UE accesses the core network through the eNodeB (base station), which is 3GPP access, or through a WLAN-AP (Wireless Local Area Networks Access Point), which is non-3GPP access.
  • WLAN-AP Wireless Local Area Networks Access Point
  • in the prior art, non-3GPP access is divided, according to the entity that deploys it, into trusted non-3GPP access and non-trusted non-3GPP access. For example, when the user connects to the core network through a non-3GPP access mode deployed by a communication carrier (such as China Mobile or China Unicom), the core network considers the current access trusted, that is, the current access mode is trusted non-3GPP access; when the user connects through a non-3GPP access mode deployed by a non-carrier business (such as a Starbucks business scenario), the core network considers the current access not trusted, that is, the current access mode is non-trusted non-3GPP access.
  • the core network element first initiates authentication between the user side device and the core network element, as follows: the core network element sends an authentication request message to the user side device, where the authentication request message includes an authentication parameter, and the user side device authenticates the core network element according to the authentication parameter in the authentication request message.
  • when the core network element sends the authentication request message to the user side device, it first sends the authentication request message to the access gateway, and the access gateway then forwards the authentication request message to the user side device.
  • the core network element and the user side device generally adopt the EAP authentication method when performing authentication; in the 5G network there is now also a requirement to authenticate by using non-EAP authentication methods. The existing method by which the access gateway forwards the authentication request message applies only to the EAP authentication method, and for non-EAP authentication methods there is no good solution for how the access gateway should forward the message.
  • the embodiment of the invention provides a method, a device and an access gateway for message forwarding.
  • the method, the device and the access gateway of the present invention can forward the user authentication request message sent by the core network element to the user side device.
  • the first aspect provides a method for message forwarding, where the method includes: an access gateway receives a user authentication request message sent by a core network element; and when the access gateway determines that the authentication method selected by the core network element is a non-EAP (non-Extensible Authentication Protocol) authentication method, the access gateway forwards the user authentication request message by using a non-EAP payload in an IKEV2 (Internet Key Exchange Protocol version 2) message, where the IKEV2 message includes at least a non-EAP payload.
  • the non-EAP payload is used to carry parameters other than those of the EAP authentication method.
  • in this way, the user authentication request message sent by the core network element can be forwarded to the user side device.
  • the access gateway forwarding the user authentication request message by using the non-EAP payload in the IKEV2 message includes: the access gateway sends an IKEV2 message to the user side device, where the non-EAP payload of the IKEV2 message carries the user authentication request message.
  • a second aspect provides a method for message forwarding, where the method includes: an access gateway receives a user authentication request message sent by a core network element; and when the access gateway determines that the authentication method selected by the core network element is the EAP (Extensible Authentication Protocol) authentication method, the access gateway forwards the user authentication request message by using at least the EAP payload of an IKEV2 message, where the IKEV2 message includes at least the EAP payload.
  • the EAP payload is used to carry parameters related to the EAP authentication method.
  • in this way, the user authentication request message sent by the core network element can also be forwarded to the user side device.
  • when the user authentication request message includes only an authentication parameter related to the authentication method, the access gateway forwarding the user authentication request message by using at least the EAP payload in the IKEV2 message includes: the access gateway sends an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the authentication parameter in the user authentication request message.
  • when the user authentication request message includes an authentication parameter related to the authentication method and an additional parameter that is not related to the authentication method, the IKEV2 message further includes a non-EAP payload, and the access gateway forwarding the user authentication request message by using the EAP payload in the IKEV2 message includes: the access gateway sends an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the authentication parameter in the user authentication request message and the non-EAP payload of the IKEV2 message carries the additional parameter in the user authentication request message.
  • alternatively, the access gateway forwarding the user authentication request message by using the EAP payload in the IKEV2 message includes: the access gateway sends an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the entire user authentication request message.
  • a third aspect provides a method for selecting an authentication method, including: a core network element receives an attach request sent by an access gateway, where the attach request does not carry indication information (indication information being information that may indicate the method by which the user side device accesses the core network); and the core network element determines, according to an authentication vector set, the authentication method used when the core network element and the user side device mutually authenticate each other.
  • in this way, the authentication method used when the core network element and the user side device mutually authenticate each other can be determined.
  • the authentication vector set includes at least an indication bit, and the core network element determining the authentication method according to the authentication vector set includes: the core network element obtains the indication bit of the authentication vector set; when the indication bit of the authentication vector set is first data, the core network element determines that the method used when the core network element and the user side device mutually authenticate is an EAP method; and when the indication bit of the authentication vector set is second data, the core network element determines that the method used is a non-EAP method.
  • a fourth aspect provides a method for selecting an authentication method, including: a core network element receives an attach request sent by an access gateway, where the attach request carries indication information that may indicate the method by which the user side device accesses the core network; and the core network element determines, according to the access method corresponding to the indication information in the attach request, the authentication method used when the core network element and the user side device mutually authenticate each other.
  • the core network element determining the authentication method according to the access method corresponding to the indication information in the attach request includes: when the access mode corresponding to the indication information in the attach request is the 3GPP (3rd Generation Partnership Project) access mode, the core network element determines that the non-EAP authentication method is adopted when the core network element and the user side device authenticate each other; when the access mode corresponding to the indication information in the attach request is the non-3GPP access mode, the core network element determines that the EAP authentication method is adopted when the core network element and the user side device authenticate each other.
  • the fifth aspect provides an apparatus for message forwarding, where the apparatus includes: a first receiving unit, configured to receive a user authentication request message sent by a core network element; and a first forwarding unit, configured to forward the user authentication request message by using a non-EAP payload in an IKEV2 (Internet Key Exchange Protocol version 2) message when it determines that the authentication method selected by the core network element is a non-EAP (non-Extensible Authentication Protocol) authentication method, where the IKEV2 message includes at least a non-EAP payload and the non-EAP payload is used to carry parameters other than those of the EAP authentication method.
  • in this way, the user authentication request message sent by the core network element can be forwarded to the user side device.
  • the first forwarding unit is specifically configured to: send an IKEV2 message to the user side device, where the non-EAP payload of the IKEV2 message carries the user authentication request message.
  • the sixth aspect provides an apparatus for message forwarding, where the apparatus includes: a second receiving unit, configured to receive a user authentication request message sent by a core network element; and a second forwarding unit, configured to forward the user authentication request message by using at least the EAP payload of an IKEV2 message when it determines that the authentication method selected by the core network element is the EAP (Extensible Authentication Protocol) authentication method, where the IKEV2 message includes at least an EAP payload and the EAP payload is used to carry parameters related to the EAP authentication method.
  • in this way, the user authentication request message sent by the core network element can also be forwarded to the user side device.
  • when the user authentication request message includes only an authentication parameter related to the authentication method, the second forwarding unit is specifically configured to: send an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the authentication parameter in the user authentication request message.
  • when the user authentication request message includes an authentication parameter related to the authentication method and an additional parameter that is not related to the authentication method, the second forwarding unit is specifically configured to: send an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the authentication parameter in the user authentication request message and the non-EAP payload of the IKEV2 message carries the additional parameter in the user authentication request message.
  • alternatively, the second forwarding unit is specifically configured to: send an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the entire user authentication request message.
  • the seventh aspect provides a device for selecting an authentication method, including: a third receiving unit, configured to receive an attach request sent by an access gateway, where the attach request does not carry indication information (indication information being information that may indicate the method by which the user side device accesses the core network); and a first determining unit, configured to determine, according to an authentication vector set, the authentication method used when the core network element and the user side device mutually authenticate each other.
  • the authentication vector set includes at least an indication bit, and the first determining unit is specifically configured to: obtain the indication bit of the authentication vector set; when the indication bit of the authentication vector set is the first data, determine that the method used when the core network element and the user side device mutually authenticate is an EAP method; and when the indication bit of the authentication vector set is the second data, determine that the method used when the core network element and the user side device mutually authenticate is a non-EAP method.
  • the eighth aspect provides a device for selecting an authentication method, including: a fourth receiving unit, configured to receive an attach request sent by an access gateway, where the attach request carries indication information that may indicate the method by which the user side device accesses the core network; and a second determining unit, configured to determine, according to the access method corresponding to the indication information in the attach request, the authentication method used by the core network element and the user side device.
  • in this way, the authentication method used when the core network element and the user side device mutually authenticate each other can also be determined.
  • the second determining unit is specifically configured to: when the access mode corresponding to the indication information in the attach request is the 3GPP (3rd Generation Partnership Project) access mode, determine that the core network element and the user side device use a non-EAP authentication method when mutually authenticating; and when the access mode corresponding to the indication information in the attach request is a non-3GPP access mode, determine that the EAP authentication method is adopted when the core network element and the user side device mutually authenticate.
  • the ninth aspect provides an access gateway, including: a transceiver, configured to receive a user authentication request message sent by a core network element and to forward the encapsulated IKEV2 (Internet Key Exchange Protocol version 2) message to the user side device; and at least one processor, configured to encapsulate the user authentication request message into a non-EAP payload of the IKEV2 message when it determines that the authentication method selected by the core network is a non-EAP (non-Extensible Authentication Protocol) authentication method, or to encapsulate the user authentication request message into an EAP payload of the IKEV2 message when it determines that the authentication method selected by the core network is an EAP authentication method.
  • with the access gateway of the present invention, the user authentication request message sent by the core network element can be forwarded to the user side device.
  • the tenth aspect provides a core network element, including: a transceiver, configured to receive an attach request sent by the access gateway; and at least one processor, configured to determine, according to an authentication vector set, the authentication method used when the core network element and the user side device mutually authenticate when the attach request does not carry indication information, or to determine that authentication method according to the access method corresponding to the indication information in the attach request when the attach request carries indication information; the indication information may indicate the manner in which the user side device accesses the core network.
  • FIG. 1 is a schematic structural diagram of an existing 4G network according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of an access gateway forwarding an authentication request message.
  • FIG. 3 is a schematic structural diagram of a 5G network according to an embodiment of the present disclosure.
  • FIG. 4 is a schematic flowchart of a terminal accessing a core network by using a non-trusted non-3GPP method according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic flowchart of a terminal accessing a core network by using a non-trusted non-3GPP method according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic flowchart of a terminal accessing a core network by using a non-trusted non-3GPP mode according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic flowchart of a terminal accessing a core network by using a non-trusted non-3GPP method according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic flowchart of a terminal accessing a core network by using a non-trusted non-3GPP method according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic diagram of a message forwarding apparatus according to an embodiment of the present invention.
  • FIG. 10 is another schematic diagram of a message forwarding apparatus according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic diagram of a device for selecting an authentication method according to an embodiment of the present invention.
  • FIG. 12 is another schematic diagram of an apparatus for selecting an authentication method according to an embodiment of the present invention.
  • FIG. 13 is a schematic structural diagram of an access gateway according to an embodiment of the present disclosure.
  • FIG. 14 is a schematic structural diagram of a core network element according to an embodiment of the present invention.
  • the present invention provides a flow of non-trusted non-3GPP access to the core network in a 5G network, which is described in detail in Embodiment 1 below.
  • the entire 5G network includes the following devices:
  • UE: a device used by the user to access the network.
  • NR (NextGen Radio): an upgraded version of the eNodeB (Evolved NodeB) in a 4G network.
  • Non-3GPP RAT (Non-3GPP Radio Access Technology): the UE may access the core network by using WIFI (WIreless-Fidelity) or CDMA (Code Division Multiple Access).
  • SSF/MM: the SSF (slice select function) mainly selects a suitable MM (mobility management entity) for the UE.
  • CP-AU: authentication function point.
  • HSS (Home Subscriber Server): stores the subscription information of users.
  • N3CNGW (Non-3GPP Core Network Gateway): the UE and the N3CNGW establish a secure tunnel, which protects the messages delivered through it from being seen or tampered with by the Non-3GPP RAT.
  • CN-UP: user plane network element, used to provide communication between the UE and the Internet.
  • the UE is the user side device; the NR and the Non-3GPP RAT belong to the access side devices; the SSF/MM, the CP-AU, and the HSS belong to the core network side devices; which side the N3CNGW belongs to has not yet been specified in the current 5G network. The SSF/MM, the CP-AU, and the HSS are referred to as core network elements.
  • the present invention provides a process for a UE to access the core network through a non-trusted non-3GPP mode in a 5G network (that is, the method of accessing the core network by using the Non-3GPP RAT in FIG. 3), as shown in the figures, as follows:
  • Step S40: the UE and the N3CNGW establish a secure tunnel by using IKEV2 (Internet Key Exchange Protocol Version 2) messages.
  • Step S41: the UE sends an attach request to the N3CNGW. The UE may specifically place the attach request in a payload of the IKEV2 message, which may be a V payload, an N payload, a CP payload, or a new payload.
  • Step S42: the N3CNGW takes the attach request out of the IKEV2 message and forwards it to the SSF/MM.
  • Step S43: the SSF/MM generates an authentication request message and sends it to the CP-AU. The SSF/MM may adopt either of the following manners to generate the authentication request message:
  • (1) indication information is added to the attach request: when the attach request arrives through non-3GPP access (in this flow, from the N3CNGW), the UE currently requesting access may be considered to access through the non-3GPP mode, and indication information for the non-3GPP access mode is added, which may specifically be 1; when the attach request comes from the NR, the UE currently requesting access may be considered to access through the 3GPP mode, and indication information for the 3GPP access mode is added, which may specifically be 0;
  • (2) the attach request is directly used as the authentication request message.
  • Step S44: the CP-AU obtains an authentication vector set through the HSS. The authentication vector set may include an indication bit and characterization bits; the indication bit indicates to the CP-AU which authentication method to determine, and the characterization bits represent the specific authentication sub-method within the authentication method determined by the indication bit.
  • for example, the indication bit may occupy one bit, where 1 indicates an EAP (Extensible Authentication Protocol) authentication method and 0 indicates a non-EAP authentication method; the EAP authentication method and the non-EAP authentication method each include multiple authentication sub-methods, and the characterization bits, which may occupy 3 to 5 bits, represent the specific sub-method. For example, when the indication bit is 0 (indicating the non-EAP authentication method) or 1 (indicating the EAP authentication method), the characterization bits select a sub-method within that method; assuming that the EAP authentication method includes authentication sub-methods such as EAP-AKA', EAP-TLS, and EAP-TTLS, the characterization bits may specifically represent 00 for the EAP-AKA authentication sub-method, 01 for the EAP-AKA' authentication sub-method, 02 for the EAP-TLS authentication sub-method, and so on.
  • Step S45: the CP-AU determines the authentication method used between the CP-AU and the UE. The authentication method may be determined in two ways, as follows:
  • the first way: when the attach request carries indication information, the CP-AU first obtains the indication information from the attach request and then determines, according to the access method corresponding to the indication information, the authentication method used when the CP-AU and the UE mutually authenticate. When the indication information corresponds to the 3GPP access mode, the authentication method used between the CP-AU and the UE may be determined to be a non-EAP authentication method, and the specific non-EAP authentication sub-method may be determined according to the correspondence between the characterization bits in the authentication vector set and the non-EAP authentication sub-methods; when the indication information corresponds to the non-3GPP access mode, the authentication method used between the CP-AU and the UE may be determined to be an EAP authentication method, and likewise the specific EAP authentication sub-method may be determined by referring to the correspondence between the characterization bits in the authentication vector set and the EAP authentication sub-methods.
  • the second way: when the attach request does not carry indication information, the CP-AU determines the authentication method used for mutual authentication with the UE according to the authentication vector set (for details of the authentication vector set, refer to step S44), as follows: the CP-AU obtains the indication bit of the authentication vector set; when the indication bit of the authentication vector set is the first data (for example, the first data may be 1), the CP-AU determines that the method used for mutual authentication with the UE is an EAP method; and when the indication bit of the authentication vector set is the second data (for example, the second data may be 0), the CP-AU determines that the method used for mutual authentication with the UE is a non-EAP method.
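The selection logic of steps S43 to S45 (and of the third and fourth aspects above) as an added Python model; this is example code written for this page, not code from the patent or from Huawei. The function names, the sub-method tables beyond the values the text gives (EAP 00/01/02), and the check that rejects an attach indication that contradicts the vector's indication bit are all assumptions.

```python
# Added example (not the patent's code): a model of how the CP-AU picks the
# authentication method in steps S43-S45 and in the third/fourth aspects.
# Function names, the sub-method tables and the conflict check are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Indication information the SSF/MM may add to the attach request (step S43):
# the text gives 1 for non-3GPP access and 0 for 3GPP access.
IND_3GPP = 0
IND_NON_3GPP = 1

# Indication bit of the authentication vector set (step S44): 1 = EAP, 0 = non-EAP.
AV_EAP = 1
AV_NON_EAP = 0

# Characterization-bit tables. EAP values 0..2 follow the text's example
# (00 EAP-AKA, 01 EAP-AKA', 02 EAP-TLS); value 3 and the whole non-EAP table
# are assumed for illustration (the text only names EPS-AKA and NG-AKA).
EAP_SUBMETHODS: Dict[int, str] = {0: "EAP-AKA", 1: "EAP-AKA'", 2: "EAP-TLS", 3: "EAP-TTLS"}
NON_EAP_SUBMETHODS: Dict[int, str] = {0: "EPS-AKA", 1: "NG-AKA"}


@dataclass(frozen=True)
class AuthVectorSet:
    indication_bit: int      # 1 bit: selects the EAP or the non-EAP family
    characterization: int    # 3..5 bits: selects the sub-method within the family


def tag_attach_request(source: str, add_indication: bool = True) -> Optional[int]:
    """Step S43 at the SSF/MM: derive the indication information from where the
    attach request came from, or return None to pass the request on unchanged
    (the second manner in the text)."""
    if not add_indication:
        return None
    if source == "NR":            # 3GPP access
        return IND_3GPP
    if source == "N3CNGW":        # non-3GPP access via the non-3GPP gateway
        return IND_NON_3GPP
    raise ValueError(f"unknown attach request source: {source!r}")


def family_from_indication(indication: int) -> str:
    # Fourth aspect: 3GPP access -> non-EAP, non-3GPP access -> EAP.
    if indication == IND_3GPP:
        return "non-EAP"
    if indication == IND_NON_3GPP:
        return "EAP"
    raise ValueError(f"invalid indication information: {indication}")


def family_from_vector(av: AuthVectorSet) -> str:
    # Third aspect: first data (1) -> EAP, second data (0) -> non-EAP.
    if av.indication_bit == AV_EAP:
        return "EAP"
    if av.indication_bit == AV_NON_EAP:
        return "non-EAP"
    raise ValueError(f"indication bit must be 0 or 1, got {av.indication_bit}")


def select_auth_method(indication: Optional[int], av: AuthVectorSet) -> Tuple[str, str]:
    """Step S45 at the CP-AU: return (family, sub-method).

    The family comes from the attach request's indication information when it is
    present, otherwise from the indication bit of the authentication vector set.
    The sub-method always comes from the characterization bits of that set.
    The consistency check is an assumption: the text does not say what the CP-AU
    does when the attach indication and the vector's indication bit disagree.
    """
    if indication is not None:
        family = family_from_indication(indication)
        if family != family_from_vector(av):
            raise ValueError("attach indication and authentication vector disagree")
    else:
        family = family_from_vector(av)
    table = EAP_SUBMETHODS if family == "EAP" else NON_EAP_SUBMETHODS
    if av.characterization not in table:
        raise ValueError(f"unknown {family} sub-method code {av.characterization}")
    return family, table[av.characterization]


if __name__ == "__main__":
    # Constructed walk-through: a UE attaching over the Non-3GPP RAT, the attach
    # request tagged by the SSF/MM, the HSS returning a vector set that selects
    # EAP sub-method 2 (EAP-TLS in the table above).
    ind = tag_attach_request("N3CNGW")
    print(select_auth_method(ind, AuthVectorSet(indication_bit=1, characterization=2)))
```

The rejection of an unknown characterization code matters in practice: a gateway that silently fell back to a default sub-method would let a malformed or unexpected authentication vector steer the UE onto a method the core network did not select.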
  • Step S46: the CP-AU initiates an authentication challenge to the UE; specifically, the CP-AU may send an authentication challenge message to the SSF/MM. The authentication challenge message may specifically be a user authentication request message.
  • the authentication challenge message includes an authentication parameter, and the specific content of the authentication parameter depends on the selected authentication method: when the selected authentication method is EPS-AKA or NG-AKA, the authentication parameters in the authentication challenge message may specifically be RAND and AUTN; when the selected authentication method is EAP-AKA or EAP-AKA', the authentication parameter in the authentication challenge message may specifically be EAP-REQ/AKA-Challenge or EAP-REQ/AKA'-Challenge; when the selected authentication method is EAP-TLS, the authentication parameter in the authentication challenge message is EAP-REQ or Access-Challenge.
  • when the CP-AU sends the authentication challenge message to the SSF/MM, the communication protocol used may specifically be an air interface-access network interface protocol, which may be the NAS (Non-Access Stratum) protocol or another protocol in the 5G network; therefore, in the embodiment of the present invention, the CP-AU may specifically encapsulate the authentication parameter by using the air interface-access network interface protocol to generate the authentication challenge message, and send the encapsulated message to the SSF/MM.
  • Step S47 The SSF/MM forwards the authentication challenge message to the N3CNGW.
  • Step S48 The N3CNGW selects a forwarding mode for the authentication challenge message, where the forwarding mode is a mode for forwarding the authentication challenge message to the UE.
  • Specifically, the N3CNGW may first obtain the authentication parameter from the authentication challenge message; then, according to the authentication parameter, determine the authentication method used by the CP-AU and the UE for mutual authentication, which may be an EAP authentication method or a non-EAP authentication method; and finally select a different forwarding mode according to the determined authentication method.
  • To describe the forwarding modes, the IKEv2 message is introduced. The IKEv2 message may include an EAP payload and a non-EAP payload: the EAP payload carries the parameters of the EAP authentication method, and the non-EAP payload carries parameters other than those of the EAP authentication method. The entire authentication challenge message may include an authentication parameter related to the authentication method and an additional parameter that is not related to the authentication method.
  • First forwarding mode: when the authentication method used by the CP-AU and the UE for mutual authentication is a non-EAP authentication method, the N3CNGW forwards the authentication challenge message using the non-EAP payload of the IKEv2 message. Specifically, the entire authentication challenge message is encapsulated in the non-EAP payload of the IKEv2 message, that is, the non-EAP payload of the IKEv2 message carries the authentication challenge message.
  • Second forwarding mode: when the authentication method used by the CP-AU and the UE for mutual authentication is an EAP authentication method, the N3CNGW encapsulates the authentication parameter of the authentication challenge message in the EAP payload of the IKEv2 message, that is, the EAP payload of the IKEv2 message carries the authentication parameter in the authentication challenge message.
  • Third forwarding mode: when the authentication method used by the CP-AU and the UE for mutual authentication is an EAP authentication method, the N3CNGW encapsulates the authentication parameter in the authentication challenge message in the EAP payload of the IKEv2 message and the additional parameter in the authentication challenge message in the non-EAP payload of the IKEv2 message, that is, the EAP payload of the IKEv2 message carries the authentication parameter and the non-EAP payload carries the additional parameter.
  • Fourth forwarding mode: when the authentication method used by the CP-AU and the UE for mutual authentication is an EAP authentication method, the N3CNGW may encapsulate the entire authentication challenge message in the EAP payload of the IKEv2 message, that is, the EAP payload of the IKEv2 message carries the entire authentication challenge message.
  • Step S49 The N3CNGW forwards the authentication challenge message to the UE by using the selected forwarding mode.
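The forwarding-mode selection of steps S48 and S49, as an added example that is not code from the patent: a gateway in the N3CNGW role inspects the authentication parameter of the challenge, classifies it as EAP or non-EAP, and chooses which IKEv2 payloads carry it to the UE, and the UE side walks the payload chain back. Payload type numbers are taken from RFC 7296 and the EAP packet layout from RFC 3748 and RFC 4187; the dictionary form of the challenge, the "extra" parameter and the sample RAND/AUTN values are constructed stand-ins, and the fourth mode (whole NAS message inside the EAP payload) is not implemented.

```python
"""Added example (not from the patent): gateway-side selection of the IKEv2
encapsulation for a core-network authentication challenge.  Payload types
follow RFC 7296 section 3.2, the EAP layout RFC 3748 / RFC 4187; the
challenge dict, the 'extra' parameter and all sample values are constructed."""
import struct

# IKEv2 payload types.  N, V and CP are the "non-EAP" payloads named in the
# text; 48 is the EAP payload.  0 terminates a payload chain.
PAYLOAD_N, PAYLOAD_V, PAYLOAD_CP, PAYLOAD_EAP, NO_NEXT = 41, 43, 47, 48, 0

EAP_CODE_REQUEST = 1
EAP_TYPE_TLS, EAP_TYPE_AKA, EAP_TYPE_AKA_PRIME = 13, 23, 50


def is_eap_request(param: bytes) -> bool:
    """True if the parameter is a well-formed EAP Request (RFC 3748 section
    4.1: Code, Identifier, Length, Type) of a method the gateway expects.
    RAND||AUTN from EPS-AKA / NG-AKA fails this and is treated as non-EAP."""
    if len(param) < 5:
        return False
    code, _ident, length, eap_type = struct.unpack("!BBHB", param[:5])
    return (code == EAP_CODE_REQUEST and length == len(param)
            and eap_type in (EAP_TYPE_TLS, EAP_TYPE_AKA, EAP_TYPE_AKA_PRIME))


def select_forwarding_mode(challenge):
    """Return (mode name, list of (payload type, body)).  `challenge` is a
    constructed dict: 'auth_param' (bytes) and optional 'extra' (bytes), the
    method-independent additional parameter the text mentions."""
    param, extra = challenge["auth_param"], challenge.get("extra", b"")
    if not is_eap_request(param):
        # First mode: the whole challenge goes in a non-EAP payload (Notify).
        return "non-eap", [(PAYLOAD_N, param + extra)]
    if not extra:
        # Second mode: only the EAP packet, in the EAP payload.
        return "eap", [(PAYLOAD_EAP, param)]
    # Third mode: EAP packet in the EAP payload, extra in a non-EAP payload.
    return "eap+extra", [(PAYLOAD_EAP, param), (PAYLOAD_N, extra)]


def encode_chain(payloads):
    """Serialise payloads as an IKEv2 payload chain.  Each generic header
    names the *next* payload's type, so the first type is returned separately
    (it belongs in the IKE header)."""
    out = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return (payloads[0][0] if payloads else NO_NEXT), out


def decode_chain(first_type, data):
    """UE side: walk the chain back into (type, body) tuples, refusing
    payload lengths that run past the buffer."""
    out, ptype, off = [], first_type, 0
    while ptype != NO_NEXT:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _flags, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        out.append((ptype, data[off + 4:off + length]))
        ptype, off = nxt, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return out


def eap_aka_challenge(identifier, rand, autn):
    """Construct an EAP-Request/AKA-Challenge (RFC 4187 section 8.1):
    Subtype 1, two reserved bytes, then AT_RAND (1) and AT_AUTN (2), each 5
    four-byte words.  AT_MAC is omitted in this stand-in packet."""
    attrs = b"".join(struct.pack("!BBH", t, 5, 0) + v
                     for t, v in ((1, rand), (2, autn)))
    body = struct.pack("!BH", 1, 0) + attrs
    return struct.pack("!BBHB", EAP_CODE_REQUEST, identifier,
                       5 + len(body), EAP_TYPE_AKA) + body


# Constructed sample values; not real challenge material.
RAND, AUTN = bytes(range(16)), bytes(range(16, 32))
EXTRA = b"\x07"  # stands in for an additional, method-independent parameter
NAS_AKA_CHALLENGE = {"auth_param": RAND + AUTN, "extra": EXTRA}   # EPS/NG-AKA
EAP_AKA_CHALLENGE = {"auth_param": eap_aka_challenge(7, RAND, AUTN),
                     "extra": EXTRA}

if __name__ == "__main__":
    for name, ch in (("NG-AKA", NAS_AKA_CHALLENGE), ("EAP-AKA", EAP_AKA_CHALLENGE)):
        mode, payloads = select_forwarding_mode(ch)
        first, wire = encode_chain(payloads)
        print(name, "->", mode, [t for t, _ in decode_chain(first, wire)])
```

The classification in `is_eap_request` is deliberately strict: it requires the EAP Length field to match the buffer and the Type to be one of the methods the gateway expects, so a non-EAP parameter that happens to begin with a 0x01 byte is not misrouted into the EAP payload, and a truncated or padded EAP packet is rejected before it is forwarded.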
  • Step S410 The UE authenticates the core network, and after the authentication is passed, sends an authentication message to the N3CNGW.
  • Step S411 The N3CNGW selects a forwarding mode. The N3CNGW may select the same forwarding mode as in step S48 to forward the authentication message to the SSF/MM; for example, if the N3CNGW selected the first forwarding mode in step S48 to forward the authentication challenge message to the UE, it can also select the first forwarding mode to forward the authentication message to the SSF/MM.
  • Step S412 The N3CNGW forwards the authentication message to the SSF/MM according to the selected forwarding mode.
  • Step S413 The SSF/MM forwards the authentication message to the CP-AU; at this time, the CP-AU can authenticate the validity of the UE.
  • Step S414 The CP-AU generates a key Kmm and sends it to the MM. The CP-AU may generate Kmm in response to a key request from the MM and send Kmm to the MM; in the embodiment of the present invention, the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm to the MM.
  • Based on the received Kmm, the MM/SSF initiates a NAS SMC (security mode command) process, which is as follows:
  • Step S415 The MM/SSF sends an accept message to the N3CNGW. In one manner, the MM/SSF encapsulates the NAS SMC, the Attach Accept, and the key used by the N3CNGW in an EAP-Success to form the accept message, and sends it to the N3CNGW. In another manner, the MM/SSF encapsulates the NAS SMC and the Attach Accept in the V payload, N payload, CP payload, or a new payload of the IKEv2 message to form the accept message, and sends it to the N3CNGW.
  • Step S416 The N3CNGW forwards the accept message to the UE using any of the forwarding modes described above.
  • Step S417 The UE authenticates the N3CNGW, and after the authentication is passed, sends a complete attach message to the N3CNGW. Specifically, the UE may generate the corresponding key, verify the SMC and the AUTH with that key, and then encapsulate the NAS SMP (security mode complete) together with the attach acceptance to generate the complete attach message.
  • Step S418 The N3CNGW forwards the complete attach message to the SSF/MM.
  • Step S419 The N3CNGW authenticates the UE, and after the authentication is passed, sends an authentication success message to the UE.
  • At this point, the UE can access the core network through the untrusted non-3GPP manner. Data can be sent on the user plane only, and the UE can also send information on the control plane, as follows:
  • Step S420 The UE sends a NAS message to the N3CNGW. The UE may encapsulate the NAS message in the V payload, N payload, CP payload, or a new payload of the IKEv2 message, and the message type of the IKEv2 message is INFO (informational).
  • Step S421 The N3CNGW forwards the NAS message to the core network.
  • Step S422 The N3CNGW directly encapsulates the NAS message sent by the core network in the V payload, N payload, CP payload, or a new payload of the IKEv2_INFO message, and sends it to the UE.
  • Through the foregoing method, the UE in the 5G network can access the core network through the untrusted non-3GPP access mode, and the UE does not need to distinguish whether the current access to the core network is 3GPP access or non-3GPP access: it directly sends NAS messages to implement network access.
  • The present invention also provides another process for the UE to access the core network through the untrusted non-3GPP mode in the 5G network, as shown in FIG. 5, which is as follows:
  • Step S50 A secure tunnel is established between the UE and the N3CNGW.
  • Step S51 The UE sends an attach request to the N3CNGW; the attach request may be encapsulated in the V payload, N payload, CP payload, or a new payload of the IKEv2 message.
  • Step S52 The N3CNGW adds the EAP-RSP/Identity information to the attach request, and sends the attach request with the added information to the SSF/MM. Specifically, the N3CNGW may encapsulate the EAP-RSP/Identity information in the NAS message of the attach request.
  • Step S53 The SSF/MM sends an authentication request to the CP-AU. For the process by which the SSF/MM generates the authentication request, refer to the discussion in Embodiment 1; details are not repeated here.
  • Step S54 The CP-AU obtains an authentication vector set.
  • Step S55 The CP-AU determines that the authentication method is an EAP authentication method. Since the EAP-RSP/Identity information is carried in the attach request, the authentication method can be determined to be an EAP authentication method.
  • Step S56 The CP-AU sends an authentication challenge message to the SSF/MM. The authentication parameter is encapsulated in the NAS message as follows: an authentication parameter such as EAP-REQ/AKA-Challenge or EAP-REQ/AKA'-Challenge is encapsulated in the authentication challenge message; if the EAP-TLS authentication method is used, an authentication parameter such as EAP-REQ/Access-Challenge is used.
  • Step S57 The SSF/MM forwards the authentication challenge message to the N3CNGW.
  • Step S58 The N3CNGW forwards the authentication challenge message to the UE. Because the authentication method is an EAP authentication method, the N3CNGW forwards the authentication challenge message using any of the forwarding modes for the EAP authentication method described in Embodiment 1; details are not repeated here.
  • Step S59 The UE authenticates the core network, and after the authentication is passed, sends an authentication message to the N3CNGW.
  • Step S510 The N3CNGW forwards the authentication message to the SSF/MM. The N3CNGW may select the same forwarding mode as in step S58 to forward the authentication response message to the SSF/MM.
  • Step S511 The SSF/MM forwards the authentication message to the CP-AU, and the CP-AU authenticates the access of the UE.
  • Step S512 The CP-AU generates a key Kmm and sends it to the MM. The CP-AU may generate Kmm in response to a key request from the MM and send Kmm to the MM; in the embodiment of the present invention, the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm to the MM.
  • Step S513 The MM selects a security algorithm.
  • Step S514 The MM sends the NAS SMC to the N3CNGW.
  • Step S515 The N3CNGW sends a NAS SMC message to the UE; the NAS SMC may be encapsulated to generate the NAS SMC message.
  • Step S516 The UE authenticates the core network, and after the authentication is passed, sends a NAS SMP message to the N3CNGW.
  • Step S517 The N3CNGW forwards the NAS SMP message to the MM.
  • Step S518 The MM authenticates the UE, and after the authentication is passed, sends an accept message to the N3CNGW.
  • Step S519 The N3CNGW forwards the accept message to the UE.
  • At this point, the UE has access to the core network. After the UE accesses the core network, signaling is sent on the control plane; for the specific process, refer to the related steps in the first embodiment, which are not repeated here.
  • Through the foregoing method, the UE in the 5G network can access the core network through the untrusted non-3GPP access mode.
  • The present invention also provides another process for the UE to access the core network through the untrusted non-3GPP mode in the 5G network, as shown in FIG. 6, which is as follows:
  • Step S61 The UE sends an initial security negotiation message to the N3CNGW, where the initial security negotiation message may carry an attach request; the attach request may be encapsulated in the V payload, N payload, CP payload, or a new payload of the initial security negotiation message.
  • Step S62 The N3CNGW sends an initial security negotiation response message to the UE, and sends the attach request to the SSF/MM. The order in which the N3CNGW sends the initial security negotiation response message and the attach request is not limited: the N3CNGW may send them simultaneously, send the initial security negotiation response message first and then the attach request, or send the attach request first and then the initial security negotiation response message.
  • Step S63 The SSF/MM sends an authentication request message to the CP-AU, where the authentication request message carries EAP-Res/Identity.
  • Step S64 The CP-AU obtains an authentication vector set.
  • Step S65 The CP-AU determines that the authentication method is an EAP authentication method.
  • Step S66 The CP-AU sends an authentication challenge message to the SSF/MM; the authentication challenge message carries EAP-REQ/EAP-Challenge.
  • Step S67 The SSF/MM forwards the authentication challenge message to the N3CNGW.
  • Step S68 The N3CNGW forwards the authentication challenge message to the UE.
  • Step S69 The UE authenticates the core network, and after the authentication is passed, sends an authentication message to the N3CNGW.
  • Step S610 The N3CNGW forwards the authentication message to the SSF/MM.
  • Step S611 The SSF/MM forwards the authentication message to the CP-AU, and the CP-AU authenticates the access of the UE.
  • Step S612 After the authentication of the UE is passed, the CP-AU sends an authentication success message to the SSF/MM; the authentication success message carries EAP-Success.
  • Step S613 The SSF/MM forwards the authentication success message to the N3CNGW.
  • Step S614 The N3CNGW forwards the authentication success message to the UE. The N3CNGW may retain the key carried in the authentication success message, which is for the N3CNGW's own use, and forward only the remaining information to the UE.
  • Step S615 The CP-AU generates a key Kmm and sends it to the MM. The CP-AU may generate Kmm in response to a key request from the MM and send Kmm to the MM; in the embodiment of the present invention, the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm to the MM.
  • Step S616 The MM selects a security algorithm.
  • Step S617 The MM sends the NAS SMC to the N3CNGW.
  • Step S618 The N3CNGW forwards the NAS SMC message to the UE; the N3CNGW may encapsulate the NAS SMC message in the V payload, N payload, CP payload, or a new payload of the IKEv2 message.
  • Step S619 The UE authenticates the N3CNGW, and after the authentication is passed, sends an SMP message to the N3CNGW; the SMP message may be encapsulated in the V payload, N payload, CP payload, or a new payload of the IKEv2 message.
  • Step S620 The N3CNGW sends the SMP message to the MM.
  • Step S621 The MM sends an accept message to the N3CNGW.
  • Step S622 The N3CNGW forwards the accept message to the UE; the accept message may be encapsulated in the V payload, N payload, CP payload, or a new payload of the IKEv2 message.
  • At this point, the UE has access to the core network. In the embodiment of the present invention, after the UE accesses the core network, signaling is sent on the control plane; for the specific process, refer to the related steps in the first embodiment, which are not repeated here.
  • Through the foregoing method, the UE in the 5G network can access the core network through the untrusted non-3GPP access mode.
  • The present invention also provides another process for the UE to access the core network through the untrusted non-3GPP mode in the 5G network, as shown in FIG. 7, which is as follows:
  • Step S71 The UE sends an initial security negotiation message to the N3CNGW, where the initial security negotiation message may carry an attach request; the attach request may be encapsulated in the V payload, N payload, CP payload, or a new payload of the initial security negotiation message.
  • Step S72 The N3CNGW forwards the attach request to the SSF/MM.
  • Step S73 The SSF/MM sends an authentication request message to the CP-AU.
  • Step S74 The CP-AU obtains an authentication vector set.
  • Step S75 The CP-AU determines that the authentication method is UMTS-AKA, EPS-AKA or NG-AKA.
  • Step S76 The CP-AU sends an authentication challenge message to the SSF/MM.
  • Step S77 The SSF/MM forwards the authentication challenge message to the N3CNGW.
  • Step S78 The N3CNGW encapsulates the authentication challenge message in the initial security negotiation response message and sends it to the UE; the authentication challenge message may be encapsulated in the V payload, N payload, CP payload, or a new payload of the initial security negotiation response message.
  • Step S79 The UE authenticates the core network and, after the authentication succeeds, generates the key used for mutual authentication with the N3CNGW and calculates the AUTH with that key.
  • Step S710 The UE generates an authentication message and sends it to the N3CNGW. The UE may place the generated content that needs to be verified by the core network and by the N3CNGW in the V payload, N payload, CP payload, or a new payload of the authentication message, and send it to the N3CNGW.
  • Step S711 The N3CNGW generates the key used to verify the AUTH, and verifies the AUTH.
  • Step S712 After the AUTH verification succeeds, the N3CNGW sends an authentication response message to the SSF/MM.
  • Step S713 The SSF/MM forwards the authentication response message to the CP-AU, and the CP-AU authenticates the access of the UE.
  • Step S714 The CP-AU generates a key Kmm and sends it to the MM. The CP-AU may generate Kmm in response to a key request from the MM and send Kmm to the MM; in the embodiment of the present invention, the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm to the MM.
  • Step S715 The MM selects a security algorithm.
  • Step S716 The MM sends the NAS SMC to the N3CNGW.
  • Step S717 The N3CNGW sends a NAS SMC message to the UE; the N3CNGW may encapsulate the NAS SMC message in the V payload, N payload, CP payload, or a new payload of the IKEv2 message.
  • Step S718 The UE verifies the SMC and also verifies the correctness of the AUTH, and replies with an SMP only if both are correct.
  • Step S719 The UE replies with the SMP message to the N3CNGW; the SMP message may be encapsulated in the V payload, N payload, CP payload, or a new payload of the IKE_INFO message.
  • Step S720 The N3CNGW forwards the SMP message to the MM.
  • Step S721 The MM sends an accept message to the N3CNGW.
  • Step S722 The N3CNGW forwards the accept message to the UE; the accept message may be encapsulated in the V payload, N payload, CP payload, or a new payload of the IKE_INFO message.
  • At this point, the UE has access to the core network. After the UE accesses the core network, signaling may be sent on the control plane; for the specific process, refer to the related steps in the first embodiment, which are not repeated here.
  • Through the foregoing method, the UE in the 5G network can access the core network through the untrusted non-3GPP access mode.
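The AUTH computation and verification of steps S79 and S711 (and the UE-side check in S718), as an added example that is not code from the patent: it implements the shared-secret AUTH of RFC 7296 section 2.15 for a UE and a gateway in the N3CNGW role. The patent does not specify how the two sides obtain the key they share after the AKA run, so `shared_key` is simply assumed to be the same bytes on both sides (for EAP methods, RFC 7296 section 2.16 makes this the EAP MSK); the PRF is HMAC-SHA-256, and every message, nonce, identity and key in the block is a constructed stand-in.

```python
"""Added example (not from the patent): IKEv2 shared-secret AUTH (RFC 7296
section 2.15) computed by a UE and verified by an N3CNGW-style gateway.
The shared key is assumed to be identical on both sides; its derivation is
outside this example.  All messages, nonces, keys and identities are
constructed stand-ins."""
import hashlib
import hmac
import struct

KEY_PAD = b"Key Pad for IKEv2"   # fixed string from RFC 7296 section 2.15
ID_KEY_ID = 11                   # ID type from RFC 7296 section 3.5


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def maced_id(sk_p: bytes, id_type: int, id_data: bytes) -> bytes:
    """prf(SK_px, RestOfIDPayload): ID Type, three reserved bytes, ID data,
    i.e. the ID payload without its generic payload header."""
    return prf(sk_p, struct.pack("!B3x", id_type) + id_data)


def signed_octets(real_message: bytes, peer_nonce: bytes, sk_p: bytes,
                  id_type: int, id_data: bytes) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI.
    The responder side uses RealMessage2 | NonceIData | MACedIDForR in the
    same way, so the function serves both directions."""
    return real_message + peer_nonce + maced_id(sk_p, id_type, id_data)


def compute_auth(shared_key: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(shared_key, KEY_PAD), octets)


def verify_auth(shared_key: bytes, octets: bytes, received: bytes) -> bool:
    """Constant-time comparison.  A different key, an altered or replayed
    IKE_SA_INIT message, a different nonce or a different identity all fail."""
    return hmac.compare_digest(compute_auth(shared_key, octets), received)


def run_exchange(ue_key: bytes, gw_key: bytes, tamper: bool = False) -> bool:
    """Constructed exchange: the UE computes AUTH over what it sent and saw,
    the gateway recomputes it over what it received and saw.  Returns whether
    the gateway accepts.  `tamper` simulates an on-path change to message 1
    between the two views."""
    msg1 = b"constructed IKE_SA_INIT request bytes"
    nonce_r = b"\x11" * 32     # responder nonce, known to both sides
    sk_pi = b"\x22" * 32       # would come from the IKE_SA_INIT key derivation
    identity = b"constructed-ue-identity"
    auth = compute_auth(ue_key,
                        signed_octets(msg1, nonce_r, sk_pi, ID_KEY_ID, identity))
    seen_msg1 = msg1 + b"\x00" if tamper else msg1
    return verify_auth(gw_key,
                       signed_octets(seen_msg1, nonce_r, sk_pi, ID_KEY_ID, identity),
                       auth)


if __name__ == "__main__":
    k = b"\x55" * 32
    print("same key:", run_exchange(k, k))
    print("wrong key:", run_exchange(k, b"\x56" * 32))
    print("tampered message:", run_exchange(k, k, tamper=True))
```

Because AUTH covers the first message of the exchange, the peer nonce and the MACed identity, a successful check in step S711 binds the UE's key to this particular tunnel setup and not only to the key itself. Note also the ordering in the flow above: the gateway accepts the AUTH in S711 before the CP-AU has checked the UE's response in S713, so the gateway's acceptance alone proves possession of the shared key, and the attach is complete only after the core network's own check.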
  • The present invention also provides another process for the UE to access the core network through the untrusted non-3GPP mode in the 5G network, as shown in FIG. 8, which is as follows:
  • Step S81 The UE sends an initial security negotiation message to the N3CNGW, where the initial security negotiation message may carry an attach request; the attach request may be encapsulated in the V payload, N payload, CP payload, or a new payload of the initial security negotiation message.
  • Step S82 The N3CNGW forwards the attach request to the SSF/MM.
  • Step S83 The SSF/MM sends an authentication request message to the CP-AU.
  • Step S84 The CP-AU obtains an authentication vector set.
  • Step S85 The CP-AU determines that the authentication method is UMTS-AKA, EPS-AKA or NG-AKA.
  • Step S86 The CP-AU sends an authentication challenge message to the SSF/MM.
  • Step S87 The SSF/MM forwards the authentication challenge message to the N3CNGW.
  • Step S88 The N3CNGW encapsulates the authentication challenge message in the initial security negotiation response message and sends it to the UE; the authentication challenge message may be encapsulated in the V payload, N payload, CP payload, or a new payload of the initial security negotiation response message.
  • Step S89 The UE authenticates the core network and, after the authentication succeeds, generates the key used for mutual authentication with the N3CNGW and calculates the AUTH with that key.
  • Step S810 The UE generates an authentication message and sends it to the N3CNGW.
  • Step S811 The N3CNGW generates the key used to verify the AUTH, and verifies the AUTH.
  • Step S812 After the AUTH verification succeeds, the N3CNGW sends an authentication response message to the SSF/MM.
  • Step S813 The SSF/MM forwards the authentication response message to the CP-AU, and the CP-AU authenticates the access of the UE.
  • Step S814 After the authentication of the UE is passed, the CP-AU sends an authentication success message to the SSF/MM.
  • Step S815 The SSF/MM forwards the authentication success message to the N3CNGW.
  • Step S816 The N3CNGW forwards the authentication success message to the UE.
  • Step S817 The UE verifies the AUTH and completes the authentication of the N3CNGW.
  • Step S818 The CP-AU generates a key Kmm and sends it to the MM. The CP-AU may generate Kmm in response to a key request from the MM and send Kmm to the MM; in the embodiment of the present invention, the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm to the MM.
  • Step S819 The MM selects a security algorithm.
  • Step S820 The MM sends the NAS SMC to the N3CNGW.
  • Step S821 The N3CNGW sends a NAS SMC message to the UE; the N3CNGW may encapsulate the NAS SMC message in the V payload, N payload, CP payload, or a new payload of the IKEv2 message.
  • Step S822 The UE verifies the SMC and also verifies the correctness of the AUTH, and replies with an SMP only if both are correct.
  • Step S823 The UE replies with the SMP message to the N3CNGW; the SMP message may be encapsulated in the V payload, N payload, CP payload, or a new payload of the IKE_INFO message.
  • Step S824 The N3CNGW forwards the SMP message to the MM.
  • Step S825 The MM sends an accept message to the N3CNGW.
  • Step S826 The N3CNGW forwards the accept message to the UE; the accept message may be encapsulated in the V payload, N payload, CP payload, or a new payload of the IKE_INFO message.
  • At this point, the UE has access to the core network. After the UE accesses the core network, signaling may be sent on the control plane; for the specific process, refer to the related steps in the first embodiment, which are not repeated here.
  • Through the foregoing method, the UE in the 5G network can access the core network through the untrusted non-3GPP access mode.
  • The present invention further provides a device for message forwarding. The message forwarding device 900 includes at least:
  • a first receiving unit 901, configured to receive a user authentication request message sent by the core network element; and
  • a first forwarding unit 902, configured to forward the user authentication request message using the non-EAP payload of an IKEv2 (Internet Key Exchange version 2) message when it determines that the authentication method selected by the core network element is a non-EAP (Extensible Authentication Protocol) authentication method, where the IKEv2 message includes at least a non-EAP payload and the non-EAP payload is used to carry parameters other than those of the EAP authentication method.
  • Specifically, the first forwarding unit 902 is configured to send an IKEv2 message to the user side device, where the non-EAP payload of the IKEv2 message carries the user authentication request message.
  • By means of the device of the present invention, the user side device can access the core network in an untrusted non-3GPP manner.
  • The present invention further provides an apparatus for message forwarding. The message forwarding apparatus 100 includes:
  • a second receiving unit 101, configured to receive a user authentication request message sent by the core network element; and
  • a second forwarding unit 102, configured to forward the user authentication request message using at least the EAP payload of an IKEv2 (Internet Key Exchange version 2) message when it determines that the authentication method selected by the core network element is an EAP (Extensible Authentication Protocol) authentication method, where the IKEv2 message includes at least an EAP payload and the EAP payload is used to carry the parameters of the EAP authentication method.
  • When the user authentication request message includes an authentication parameter related to the authentication method, the second forwarding unit 102 is specifically configured to send an IKEv2 message to the user side device, where the EAP payload of the IKEv2 message carries the authentication parameter in the user authentication request message.
  • When the user authentication request message includes an authentication parameter related to the authentication method and an additional parameter that is not related to the authentication method, the second forwarding unit 102 is specifically configured to send an IKEv2 message to the user side device, where the EAP payload of the IKEv2 message carries the authentication parameter in the user authentication request message and the non-EAP payload of the IKEv2 message carries the additional parameter in the user authentication request message.
  • Alternatively, the second forwarding unit 102 is specifically configured to send an IKEv2 message to the user side device, where the EAP payload of the IKEv2 message carries the entire user authentication request message.
  • By means of the apparatus of the present invention, the user side device can access the core network in an untrusted non-3GPP manner.
  • The present invention also provides an apparatus for selecting an authentication method. The authentication method selection apparatus 110 includes at least:
  • a third receiving unit 111, configured to receive an attach request sent by the access gateway, where the attach request does not carry indication information (the indication information would indicate the manner in which the user side device accesses the core network); and
  • a first determining unit 112, configured to determine, according to the authentication vector set, the authentication method used when the core network element and the user side device mutually authenticate each other.
  • The authentication vector set includes at least an indication bit, and the first determining unit 112 is specifically configured to obtain the indication bit of the authentication vector set; when the indication bit of the authentication vector set is the first data, determine that the core network element and the user side device use an EAP method when mutually authenticating; and when the indication bit of the authentication vector set is the second data, determine that the core network element and the user side device use a non-EAP method when mutually authenticating.
  • By means of the apparatus of the present invention, the authentication method used when the core network element and the user side device mutually authenticate each other can be determined even when the attach request does not carry the indication information.
  • The present invention also provides a device for selecting an authentication method. The authentication method selection device 120 includes at least:
  • a fourth receiving unit 121, configured to receive an attach request sent by the access gateway, where the attach request carries indication information that indicates the manner in which the user side device accesses the core network; and
  • a second determining unit 122, configured to determine, according to the access mode corresponding to the indication information in the attach request, the authentication method used when the core network element and the user side device mutually authenticate each other.
  • The second determining unit 122 is specifically configured to: when the access mode corresponding to the indication information in the attach request is the 3GPP (3rd Generation Partnership Project) access mode, determine that the core network element and the user side device use a non-EAP authentication method when mutually authenticating; and when the access mode corresponding to the indication information in the attach request is the non-3GPP access mode, determine that the core network element and the user side device use an EAP authentication method when mutually authenticating.
  • By means of the device of the present invention, the authentication method used when the core network element and the user side device mutually authenticate each other is determined.
  • The present invention also provides an access gateway. As shown in FIG. 13, the access gateway 130 includes at least:
  • a transceiver 131, configured to receive a user authentication request message sent by the core network element, and to forward the encapsulated IKEv2 (Internet Key Exchange version 2) message to the user side device; and
  • at least one processor 132, configured to encapsulate the user authentication request message in the non-EAP payload of the IKEv2 message when it determines that the authentication method selected by the core network is a non-EAP (Extensible Authentication Protocol) authentication method, or to encapsulate the user authentication request message in the EAP payload of the IKEv2 message when it determines that the authentication method selected by the core network is an EAP authentication method.
  • By means of the access gateway of the present invention, the user authentication request message can be forwarded to the user side device.
  • The present invention further provides a core network element. The core network element 140 includes at least:
  • a transceiver 141, configured to receive an attach request sent by the access gateway; and
  • at least one processor 142, configured to: when the attach request does not carry indication information, determine, according to the authentication vector set, the authentication method used when the core network element and the user side device mutually authenticate each other; or, when the attach request carries indication information, determine the authentication method used when the core network element and the user side device mutually authenticate each other according to the access mode corresponding to the indication information in the attach request.
  • The indication information indicates the manner in which the user side device accesses the core network.
  • By means of the core network element of the present invention, the authentication method used when the core network element and the user side device authenticate each other can be determined.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine, so that the instructions are executed by the processor of the computer or other programmable data processing device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides a message forwarding method and apparatus, and an access gateway. The method comprises: an access gateway receives a user authentication request message sent by a core network element; when the access gateway determines that the authentication method selected by the core network element is a non-EAP (Extensible Authentication Protocol) authentication method, it forwards the user authentication request message using a non-EAP payload of an Internet Key Exchange version 2 (IKEv2) message, the IKEv2 message comprising at least a non-EAP payload that is used to carry parameters other than those of the EAP authentication method. By means of the method, the apparatus, and the access gateway of the present invention, the user authentication request message sent by a core network element can be forwarded to a user device.

Description

Method, device and access gateway for message forwarding

Technical field

The present invention relates to the field of communications technologies, and in particular to a method, an apparatus and an access gateway for message forwarding.

Background art

At present, the overall wireless communication network architecture is divided into two parts, an access network and a core network. According to the way in which a user accesses the core network, access can further be divided into 3GPP (3rd Generation Partnership Project) access and non-3GPP access. 3GPP access generally means that the user accesses the core network using a technology specified by 3GPP, for example through a base station; non-3GPP access generally means that the user accesses the core network using a technology not specified by 3GPP, for example through Wi-Fi. Taking the existing 4G network of Figure 1 as an example: in the upper part of Figure 1 the UE accesses the core network through an eNodeB (base station), which is 3GPP access, while in the lower part of Figure 1 the UE accesses the core network through a WLAN-AP (Wireless Local Area Network Access Point), which is non-3GPP access.

In the prior art, non-3GPP access is further divided, according to who deploys it, into trusted non-3GPP access and untrusted non-3GPP access. For example, when a user accesses the core network through non-3GPP access deployed by a telecommunications operator (such as China Mobile or China Unicom), the core network regards the current access as trusted and therefore treats the current access mode as trusted non-3GPP access; when a user accesses the core network through non-3GPP access deployed by a non-operator (such as a business venue like Starbucks), the core network regards the current access as untrusted and treats the current access mode as untrusted non-3GPP access.

At present, when a user accesses the core network through untrusted non-3GPP access, the accessing user-side device must be authenticated. During this process, the core network element first initiates authentication of the core network element by the user-side device, as follows: the core network element sends an authentication request message to the user-side device, the authentication request message carrying authentication parameters, and the user-side device authenticates the core network element using the authentication parameters in the authentication request message.

In the prior art, as shown in Figure 2, when the core network element sends an authentication request message to the user-side device, it first sends the authentication request message to the access gateway, and the access gateway forwards the authentication request message to the user-side device. At present, in the 4G network, the core network element and the user-side device generally use an EAP authentication method when authenticating; in the 5G network, however, the core network element and the user-side device also need to authenticate using non-EAP authentication methods. The existing way for the access gateway to forward the authentication request message applies only to EAP authentication methods; for non-EAP authentication methods there is no good solution for how the access gateway should forward the message.
Summary of the invention

The embodiments of the present invention provide a method, an apparatus and an access gateway for message forwarding. With the method, the apparatus and the access gateway of the present invention, a user authentication request message sent by a core network element can be forwarded to a user-side device.

In a first aspect, a message forwarding method is provided. The method includes: an access gateway receives a user authentication request message sent by a core network element; when the access gateway determines that the authentication method selected by the core network element is a non-EAP (Extensible Authentication Protocol) authentication method, it forwards the user authentication request message using a non-EAP payload of an IKEv2 (Internet Key Exchange version 2) message, where the IKEv2 message includes at least a non-EAP payload, and the non-EAP payload is used to carry parameters other than those of the EAP authentication method. With the method of the present invention, the user authentication request message sent by the core network element can be forwarded to the user-side device.

With reference to the first aspect, in a first possible implementation, the access gateway forwarding the user authentication request message using the non-EAP payload of the IKEv2 message includes: the access gateway sends an IKEv2 message to the user-side device, the non-EAP payload of the IKEv2 message carrying the user authentication request message.
In a second aspect, another message forwarding method is provided. The method includes: an access gateway receives a user authentication request message sent by a core network element; when the access gateway determines that the authentication method selected by the core network element is an EAP (Extensible Authentication Protocol) authentication method, it forwards the user authentication request message using at least the EAP payload of an IKEv2 (Internet Key Exchange version 2) message, where the IKEv2 message includes at least an EAP payload, and the EAP payload is used to carry the parameters related to the EAP authentication method. With the method of the present invention, the user authentication request message sent by the core network element can likewise be forwarded to the user-side device.

With reference to the second aspect, in a first possible implementation, the user authentication request message includes only authentication parameters related to the authentication method, and the access gateway forwarding the user authentication request message using at least the EAP payload of the IKEv2 message includes: the access gateway sends an IKEv2 message to the user-side device, the EAP payload of the IKEv2 message carrying the authentication parameters from the user authentication request message.

With reference to the second aspect, in a second possible implementation, the user authentication request includes authentication parameters related to the authentication method and additional parameters unrelated to the authentication method, the IKEv2 message further includes a non-EAP payload, and the access gateway forwarding the user authentication request message using at least the EAP payload of the IKEv2 message includes: the access gateway sends an IKEv2 message to the user-side device, the EAP payload of the IKEv2 message carrying the authentication parameters from the user authentication request message and the non-EAP payload of the IKEv2 message carrying the additional parameters from the user authentication request message.

With reference to the second aspect, in a third possible implementation, the access gateway forwarding the user authentication request message using at least the EAP payload of the IKEv2 message includes: the access gateway sends an IKEv2 message to the user-side device, the EAP payload of the IKEv2 message carrying the entire user authentication request message.
In a third aspect, a method for selecting an authentication method is provided, including: a core network element receives an attach request sent by an access gateway, the attach request not carrying indication information, where the indication information can indicate the way in which the user-side device accesses the core network; the core network element determines, according to an authentication vector set, the authentication method to be used when the core network element and the user-side device authenticate each other. With the method of the present invention, the authentication method used for mutual authentication between the core network element and the user-side device can be determined.

With reference to the third aspect, in a first possible implementation, the authentication vector set includes at least an indication bit, and the core network element determining, according to the authentication vector set, the authentication method to be used for mutual authentication between the core network element and the user-side device includes: the core network element obtains the indication bit of the authentication vector set; when the indication bit of the authentication vector set is first data, the core network element determines that the method used for mutual authentication between the core network element and the user-side device is an EAP method; when the indication bit of the authentication vector set is second data, the core network element determines that the method used for mutual authentication between the core network element and the user-side device is a non-EAP method.

In a fourth aspect, a method for selecting an authentication method is provided, including: a core network element receives an attach request sent by an access gateway, the attach request carrying indication information, where the indication information can indicate the way in which the user-side device accesses the core network; the core network element determines, according to the access method corresponding to the indication information in the attach request, the authentication method to be used when the core network element and the user-side device authenticate each other.

With reference to the fourth aspect, in a first possible implementation, the core network element determining, according to the access method corresponding to the indication information in the attach request, the authentication method to be used for mutual authentication between the core network element and the user-side device includes: when the access mode corresponding to the indication information in the attach request is a 3GPP (3rd Generation Partnership Project) access mode, the core network element determines that a non-EAP authentication method is used for mutual authentication between the core network element and the user-side device; when the access mode corresponding to the indication information in the attach request is a non-3GPP access mode, the core network element determines that an EAP authentication method is used for mutual authentication between the core network element and the user-side device.
In a fifth aspect, a message forwarding apparatus is provided. The apparatus includes: a first receiving unit, configured to receive a user authentication request message sent by a core network element; and a first forwarding unit, configured to, when it is determined that the authentication method selected by the core network element is a non-EAP (Extensible Authentication Protocol) authentication method, forward the user authentication request message using a non-EAP payload of an IKEv2 (Internet Key Exchange version 2) message, where the IKEv2 message includes at least a non-EAP payload, and the non-EAP payload is used to carry parameters other than those of the EAP authentication method. With the apparatus of the present invention, the user authentication request message sent by the core network element can be forwarded to the user-side device.

With reference to the fifth aspect, in a first possible implementation, the first forwarding unit is specifically configured to: send an IKEv2 message to the user-side device, the non-EAP payload of the IKEv2 message carrying the user authentication request message.

In a sixth aspect, a message forwarding apparatus is provided. The apparatus includes: a second receiving unit, configured to receive a user authentication request message sent by a core network element; and a second forwarding unit, configured to, when it is determined that the authentication method selected by the core network element is an EAP (Extensible Authentication Protocol) authentication method, forward the user authentication request message using at least the EAP payload of an IKEv2 (Internet Key Exchange version 2) message, where the IKEv2 message includes at least an EAP payload, and the EAP payload is used to carry the parameters related to the EAP authentication method. With the apparatus of the present invention, the user authentication request message sent by the core network element can likewise be forwarded to the user-side device.

With reference to the sixth aspect, in a first possible implementation, when the user authentication request message includes only authentication parameters related to the authentication method, the second forwarding unit is specifically configured to: send an IKEv2 message to the user-side device, the EAP payload of the IKEv2 message carrying the authentication parameters from the user authentication request message.

With reference to the sixth aspect, in a second possible implementation, when the user authentication request includes authentication parameters related to the authentication method and additional parameters unrelated to the authentication method, the second forwarding unit is specifically configured to: send an IKEv2 message to the user-side device, the EAP payload of the IKEv2 message carrying the authentication parameters from the user authentication request message and the non-EAP payload of the IKEv2 message carrying the additional parameters from the user authentication request message.

With reference to the sixth aspect, in a third possible implementation, the second forwarding unit is specifically configured to: send an IKEv2 message to the user-side device, the EAP payload of the IKEv2 message carrying the entire user authentication request message.
In a seventh aspect, an apparatus for selecting an authentication method is provided, including: a third receiving unit, configured to receive an attach request sent by an access gateway, the attach request not carrying indication information, where the indication information can indicate the way in which the user-side device accesses the core network; and a first determining unit, configured to determine, according to an authentication vector set, the authentication method to be used when the core network element and the user-side device authenticate each other. With the apparatus of the present invention, the authentication method used for mutual authentication between the core network element and the user-side device can be determined.

With reference to the seventh aspect, in a first possible implementation, the authentication vector set includes at least an indication bit, and the first determining unit is specifically configured to: obtain the indication bit of the authentication vector set; when the indication bit of the authentication vector set is first data, determine that the method used for mutual authentication between the core network element and the user-side device is an EAP method; and when the indication bit of the authentication vector set is second data, determine that the method used for mutual authentication between the core network element and the user-side device is a non-EAP method.

In an eighth aspect, an apparatus for selecting an authentication method is provided, including: a fourth receiving unit, configured to receive an attach request sent by an access gateway, the attach request carrying indication information, where the indication information can indicate the way in which the user-side device accesses the core network; and a second determining unit, configured to determine, according to the access method corresponding to the indication information in the attach request, the authentication method to be used when the core network element and the user-side device authenticate each other. With the apparatus of the present invention, the authentication method used for mutual authentication between the core network element and the user-side device can likewise be determined.

With reference to the eighth aspect, in a first possible implementation, the second determining unit is specifically configured to: when the access mode corresponding to the indication information in the attach request is a 3GPP (3rd Generation Partnership Project) access mode, determine that a non-EAP authentication method is used for mutual authentication between the core network element and the user-side device; and when the access mode corresponding to the indication information in the attach request is a non-3GPP access mode, determine that an EAP authentication method is used for mutual authentication between the core network element and the user-side device.

In a ninth aspect, an access gateway is provided, including: a transceiver, configured to receive a user authentication request message sent by a core network element and to forward the encapsulated IKEv2 (Internet Key Exchange version 2) message to the user-side device; and at least one processor, configured to encapsulate the user authentication request message in a non-EAP payload of the IKEv2 message when it is determined that the authentication method selected by the core network is a non-EAP (Extensible Authentication Protocol) authentication method, or to encapsulate the user authentication request message in the EAP payload of the IKEv2 message when it is determined that the authentication method selected by the core network is an EAP authentication method. With the access gateway of the present invention, the user authentication request message sent by the core network element can be forwarded to the user-side device.

In a tenth aspect, a core network element is provided, including: a transceiver, configured to receive an attach request sent by an access gateway; and at least one processor, configured to determine, when the attach request does not carry indication information, the authentication method to be used for mutual authentication between the core network element and the user-side device according to an authentication vector set, or, when the attach request carries indication information, to determine the authentication method to be used for mutual authentication between the core network element and the user-side device according to the access method corresponding to the indication information in the attach request; the indication information can indicate the way in which the user-side device accesses the core network. With the core network element of the present invention, the authentication method used for mutual authentication between it and the user-side device can be determined.
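The following is an added worked example, not code from the patent or from the applicant, that models the forwarding decision of the first, second and ninth aspects above: the access gateway puts the authentication parameters in an IKEv2 EAP payload when an EAP method was selected and in a non-EAP payload otherwise, and the user-side device walks the resulting payload chain. The generic payload header layout and the payload type codes are those of RFC 7296; the choice of the Vendor ID (V) payload as the non-EAP payload, the function names and the sample parameter bytes are assumptions made for this example.

```python
import struct
from enum import IntEnum


class PayloadType(IntEnum):
    """IKEv2 payload type codes from RFC 7296, section 3.2 (real values)."""
    NO_NEXT = 0      # "No Next Payload": ends the chain
    NOTIFY = 41      # N payload
    VENDOR_ID = 43   # V payload
    CP = 47          # Configuration payload
    EAP = 48         # EAP payload


# The IKEv2 payload this model uses as the "non-EAP payload" of the text.
# The patent allows a V, N, CP or new payload; picking V here is an assumption.
NON_EAP_PAYLOAD = PayloadType.VENDOR_ID


def encode_payload_chain(payloads):
    """Serialise a list of (PayloadType, body) as IKEv2 generic payloads.

    Each generic payload header is Next Payload (1 byte), Critical flag plus
    reserved bits (1 byte) and Payload Length (2 bytes, header included). The
    type of the *first* payload is not stored in the chain: IKEv2 carries it in
    the IKE header's Next Payload field, so it is returned separately here.
    """
    if not payloads:
        raise ValueError("a chain needs at least one payload")
    out = bytearray()
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PayloadType.NO_NEXT
        length = 4 + len(body)
        if length > 0xFFFF:
            raise ValueError("payload body too large for a 16-bit length field")
        out += struct.pack("!BBH", int(nxt), 0, length) + body
    return payloads[0][0], bytes(out)


def decode_payload_chain(first_type, data):
    """Walk a payload chain on the receiving (user-side) end, checking every length."""
    result, ptype, off = [], PayloadType(first_type), 0
    while ptype != PayloadType.NO_NEXT:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("payload length inconsistent with message size")
        result.append((ptype, data[off + 4:off + length]))
        off += length
        ptype = PayloadType(nxt)   # types outside this model's table are rejected
    if off != len(data):
        raise ValueError("trailing bytes after the last payload")
    return result


def gateway_forward(auth_params, selected_method_is_eap, additional_params=b""):
    """Model of the access gateway's choice of payload (first, second, ninth aspects).

    EAP method selected: the authentication parameters go in the EAP payload and
    any method-unrelated additional parameters in the non-EAP payload.
    Non-EAP method selected: the whole request goes in the non-EAP payload.
    Returns (type of the first payload, serialised payload chain).
    """
    if selected_method_is_eap:
        chain = [(PayloadType.EAP, auth_params)]
        if additional_params:
            chain.append((NON_EAP_PAYLOAD, additional_params))
    else:
        chain = [(NON_EAP_PAYLOAD, auth_params + additional_params)]
    return encode_payload_chain(chain)


if __name__ == "__main__":
    # Constructed sample parameters; real messages would carry protocol-defined bytes.
    first, wire = gateway_forward(b"RAND|AUTN", selected_method_is_eap=False)
    print(first.name, wire.hex(), decode_payload_chain(first, wire))
```

The decoder rejects a chain whose declared lengths disagree with the message size, which is the check a gateway or UE implementation must make before trusting anything inside a payload it did not build itself.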
Brief description of the drawings

FIG. 1 is a schematic structural diagram of an existing 4G network according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of an access gateway forwarding an authentication request message;

FIG. 3 is a schematic structural diagram of a 5G network according to an embodiment of the present invention;

FIG. 4 is a schematic flowchart of a terminal accessing a core network through untrusted non-3GPP access according to an embodiment of the present invention;

FIG. 5 is a schematic flowchart of a terminal accessing a core network through untrusted non-3GPP access according to an embodiment of the present invention;

FIG. 6 is a schematic flowchart of a terminal accessing a core network through untrusted non-3GPP access according to an embodiment of the present invention;

FIG. 7 is a schematic flowchart of a terminal accessing a core network through untrusted non-3GPP access according to an embodiment of the present invention;

FIG. 8 is a schematic flowchart of a terminal accessing a core network through untrusted non-3GPP access according to an embodiment of the present invention;

FIG. 9 is a schematic diagram of a message forwarding apparatus according to an embodiment of the present invention;

FIG. 10 is another schematic diagram of a message forwarding apparatus according to an embodiment of the present invention;

FIG. 11 is a schematic diagram of an apparatus for selecting an authentication method according to an embodiment of the present invention;

FIG. 12 is another schematic diagram of an apparatus for selecting an authentication method according to an embodiment of the present invention;

FIG. 13 is a schematic structural diagram of an access gateway according to an embodiment of the present invention;

FIG. 14 is a schematic structural diagram of a core network element according to an embodiment of the present invention.
Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

At present, the overall wireless communication network architecture is divided into two parts, an access network and a core network. According to the way in which a user accesses the core network, access can further be divided into 3GPP (3rd Generation Partnership Project) access and non-3GPP access. 3GPP access generally means that the user accesses the core network using a technology specified by 3GPP, for example through a base station; non-3GPP access generally means that the user accesses the core network using a technology not specified by 3GPP, for example through Wi-Fi. Taking the existing 4G network of Figure 1 as an example: in the upper part of Figure 1 the UE accesses the core network through an eNodeB (base station), which is 3GPP access, while in the lower part of Figure 1 the UE accesses the core network through a WLAN-AP (Wireless Local Area Network Access Point), which is non-3GPP access.

In the prior art, non-3GPP access is further divided, according to who deploys it, into trusted non-3GPP access and untrusted non-3GPP access. For example, when a user accesses the core network through non-3GPP access deployed by a telecommunications operator (such as China Mobile or China Unicom), the core network regards the current access as trusted and therefore treats the current access mode as trusted non-3GPP access; when a user accesses the core network through non-3GPP access deployed by a non-operator (such as a business venue like Starbucks), the core network regards the current access as untrusted and treats the current access mode as untrusted non-3GPP access.

Because the architecture, network elements and interfaces of the 5G network differ from those of the 4G network, the untrusted non-3GPP access procedure of the existing 4G network cannot be used in the 5G network. On this basis, the present invention provides a procedure for untrusted non-3GPP access to the core network in a 5G network, which is described in detail in Embodiment 1 below.

The 5G network is introduced first. As shown in Figure 3, the 5G network includes the following devices:
UE (User Equipment): the device through which the user accesses the network, such as a smartphone, a wearable device or a portable computer.

NR (NextGen Radio, next-generation base station): an upgraded version of the eNodeB (Evolved NodeB) of the 4G network;

Non-3GPP RAT (Non-3GPP Radio Access Technology) device: the UE can access the core network through WIFI (Wireless Fidelity), CDMA (Code Division Multiple Access) or similar technologies.

SSF/MM: the SSF (slice select function entity) mainly selects a suitable MM (mobility management entity) for the UE. In the 5G architecture there are multiple MMs in the network, and the UE does not indicate which MM it should be attached to when it joins the network, so the SSF must select a suitable MM for the UE.

CP-AU: the authentication function point.

HSS (Home Subscriber Server): stores the subscription information of users.

N3CNGW (Non-3GPP Core Network Gateway): the security gateway for untrusted non-3GPP access. The UE and the N3CNGW establish a secure tunnel, which protects the messages exchanged from being observed or tampered with by the non-3GPP RAT.

CN-UP: the user-plane network element, which provides communication between the UE and the Internet.

It should be noted that the UE is the user-side device, the NR and the Non-3GPP RAT are access-side devices, and the SSF/MM, CP-AU and HSS are core-network-side devices; whether the N3CNGW is an access-side device or a core-network-side device has not yet been specified in the current 5G network. Therefore, in the embodiments of the present invention, the N3CNGW is referred to as the access gateway, and the SSF/MM, CP-AU and HSS are all referred to as core network elements.
Embodiment 1
The present invention provides a procedure by which, in a 5G network, a UE accesses the core network through an untrusted non-3GPP access mode (that is, a method of accessing the core network through the Non-3GPP RAT in FIG. 3), as shown in FIG. 4, as follows:
Step S40: The UE and the N3CNGW establish a secure tunnel by means of IKEv2 (Internet Key Exchange Protocol Version 2) messages.
Step S41: The UE sends an attach request to the N3CNGW.
In an embodiment of the present invention, the UE may place the attach request in a payload of the IKEv2 message; the payload may be a V payload, an N payload, a CP payload or a new payload.
Step S42: The N3CNGW extracts the attach request from the IKEv2 message and forwards it to the SSF/MM.
Step S43: The SSF/MM generates an authentication request message and sends the authentication request message to the CP-AU.
In an embodiment of the present invention, the SSF/MM may generate the authentication request message in either of the following manners:
First manner: the SSF/MM adds indication information to the attach request according to the source of the attach request. For example, when the attach request comes from the N3CNGW, the UE currently requesting access may be regarded as accessing through a non-3GPP mode, and indication information for the non-3GPP access mode is added to the attach request; the added indication information may specifically be 1. Likewise, when the attach request comes from the NR, the UE currently requesting access may be regarded as accessing through the 3GPP mode, and indication information for the 3GPP access mode is added to the attach request; the added indication information may specifically be 0.
Second manner: the attach request is used directly as the authentication request message.
Step S44: The CP-AU obtains an authentication vector set through the HSS.
In an embodiment of the present invention, the authentication vector set may include an indication bit and characterization bits. The indication bit lets the CP-AU determine the authentication method, and the characterization bits represent the specific authentication sub-method of the authentication method identified by the indication bit. For example, the indication bit may occupy one bit, where 1 represents an EAP (Extensible Authentication Protocol) authentication method and 0 represents a non-EAP authentication method. Both the EAP authentication method and the non-EAP authentication method include multiple authentication sub-methods, and the characterization bits indicate which sub-method is used; the characterization bits may occupy 3 to 5 bits. For example, when the indication bit is 0, a non-EAP authentication method is indicated. Assuming that the EAP authentication method includes sub-methods such as EAP-AKA', EAP-TLS and EAP-TTLS, the characterization bits may use 00 to represent the EAP-AKA authentication sub-method, 01 for the EAP-AKA' authentication sub-method, 02 for the EAP-TLS authentication sub-method and 03 for the EAP-TTLS authentication sub-method.
Step S45: The CP-AU determines the authentication method to be used between itself and the UE.
In an embodiment of the present invention, depending on whether the attach request carries the indication information, the authentication method may be determined in two ways, as follows:
First way: when the attach request carries the indication information, the CP-AU first obtains the indication information from the attach request, and then, according to the access method corresponding to the indication information, determines the authentication method to be used when it and the UE authenticate each other.
For example, when the indication information in the attach request indicates that the current UE accesses through the 3GPP mode, the authentication method used between the CP-AU and the UE may be determined to be a non-EAP authentication method; which specific non-EAP authentication sub-method is used may be determined from the correspondence between the characterization bits in the authentication vector set and the non-EAP authentication sub-methods.
As another example, when the indication information in the attach request indicates that the current UE accesses through a non-3GPP mode, the authentication method used between the CP-AU and the UE may be determined to be an EAP authentication method; similarly, which specific EAP authentication sub-method is used is given by the correspondence between the characterization bits in the authentication vector set and the EAP authentication sub-methods.
Second way: when the attach request does not carry the indication information, the CP-AU determines the authentication method to be used when it and the UE authenticate each other according to the authentication vector set, as follows; for a detailed discussion of the authentication vector set, see step S44.
The CP-AU obtains the indication bit of the authentication vector set. When the indication bit of the authentication vector set is first data (for example, the first data may be 1), the CP-AU determines that the method used when it and the UE authenticate each other is an EAP method; when the indication bit of the authentication vector set is second data (for example, the second data may be 0), the CP-AU determines that the method used when it and the UE authenticate each other is a non-EAP method.
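The CP-AU decision of steps S43 to S45 (access indication from the attach request, indication bit and characterization bits from the authentication vector set), written out as an added example; this is illustrative code, not the patent's own implementation. The bit packing in `from_byte`, the non-EAP sub-method table and all function names are assumptions; the page only fixes the bit widths and the EAP sub-method codes.

```python
"""Authentication-method selection at the CP-AU, modelled after steps S43-S45."""
from dataclasses import dataclass
from typing import Optional

# Indication-bit values from step S44: 1 = EAP family, 0 = non-EAP family.
IND_EAP = 1
IND_NON_EAP = 0

# Characterization-bit codes for the EAP family as listed in step S44 (00..03).
EAP_SUBMETHODS = {0: "EAP-AKA", 1: "EAP-AKA'", 2: "EAP-TLS", 3: "EAP-TTLS"}
# The page gives no code table for the non-EAP family; this one is an
# assumption constructed for the example (names taken from steps S46/S75).
NON_EAP_SUBMETHODS = {0: "UMTS-AKA", 1: "EPS-AKA", 2: "NG-AKA"}

# Access indication added by the SSF/MM in step S43 (first manner).
ACCESS_NON_3GPP = 1
ACCESS_3GPP = 0


@dataclass
class AuthVectorSet:
    indication_bit: int   # 1 bit: EAP (1) or non-EAP (0)
    char_bits: int        # 3..5 bits: sub-method inside the family

    @classmethod
    def from_byte(cls, b: int) -> "AuthVectorSet":
        # Assumed packing for this example: bit 7 is the indication bit and
        # bits 0..4 are the (up to five) characterization bits.
        if not 0 <= b <= 0xFF:
            raise ValueError("expected a single byte")
        return cls(indication_bit=(b >> 7) & 1, char_bits=b & 0x1F)


def family_from_access(access_indication: int) -> int:
    """Step S45, first way: non-3GPP access -> EAP, 3GPP access -> non-EAP."""
    if access_indication == ACCESS_NON_3GPP:
        return IND_EAP
    if access_indication == ACCESS_3GPP:
        return IND_NON_EAP
    raise ValueError(f"unknown access indication {access_indication}")


def select_auth_method(avs: AuthVectorSet,
                       access_indication: Optional[int] = None) -> str:
    """Return the authentication sub-method the CP-AU will run with the UE.

    If the attach request carries an access indication (first way), the
    method family comes from that indication; otherwise (second way) it comes
    from the indication bit of the authentication vector set. In both cases
    the characterization bits pick the sub-method inside the chosen family.
    """
    if access_indication is not None:
        family = family_from_access(access_indication)
    else:
        family = avs.indication_bit
    table = EAP_SUBMETHODS if family == IND_EAP else NON_EAP_SUBMETHODS
    if avs.char_bits not in table:
        # An unknown code is rejected rather than mapped to a default method,
        # so a malformed vector set cannot silently downgrade the authentication.
        raise ValueError(f"unknown characterization code {avs.char_bits}")
    return table[avs.char_bits]


if __name__ == "__main__":
    # Constructed sample: indication bit 1, characterization code 2 -> EAP-TLS.
    print(select_auth_method(AuthVectorSet.from_byte(0x82)))
```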
Step S46: The CP-AU initiates an authentication challenge to the UE; specifically, the CP-AU may send an authentication challenge message to the SSF/MM. The authentication challenge message may specifically be a user authentication request message.
Specifically, the authentication challenge message includes authentication parameters, and the content of the authentication parameters depends on the selected authentication method. For example, if the selected authentication method is EPS-AKA or NG-AKA, the authentication parameters in the authentication challenge message may be RAND and AUTN; if the selected authentication method is EAP-AKA or EAP-AKA', the authentication parameters in the authentication challenge message may be EAP-REQ, AKA-Challenge, EAP-REQ or AKA'-Challenge; and if the selected authentication method is EAP-TLS, the authentication parameters in the authentication challenge message are EAP-REQ or Access-Challenge.
In an embodiment of the present invention, the communication protocol used between different core network elements may be an air interface / access network interface protocol, which may be the NAS (Non-Access Stratum) protocol or another protocol of the 5G network. Therefore, in an embodiment of the present invention, the CP-AU may encapsulate the authentication parameters using the air interface / access network interface protocol to generate the authentication challenge message, and send the encapsulated message to the SSF/MM.
Step S47: The SSF/MM forwards the authentication challenge message to the N3CNGW.
Step S48: The N3CNGW selects a forwarding mode for the authentication challenge message, the forwarding mode being the mode in which the authentication challenge message is forwarded to the UE.
In an embodiment of the present invention, the N3CNGW may first obtain the authentication parameters in the authentication challenge message; then, according to the authentication parameters, determine the authentication method used when the CP-AU and the UE authenticate each other, which may be an EAP authentication method or a non-EAP authentication method; and finally select a different forwarding mode depending on the determined authentication method.
In an embodiment of the present invention, the following four forwarding modes are provided:
Before the four forwarding modes are introduced, the IKEv2 message is first described. An IKEv2 message may include an EAP payload and a non-EAP payload; the EAP payload carries the parameters related to an EAP authentication method, and the non-EAP payload carries parameters other than those of the EAP authentication method. The whole authentication challenge message may include authentication parameters related to the authentication method and additional parameters unrelated to the authentication method.
First mode: when the authentication method used between the CP-AU and the UE is a non-EAP authentication method, the N3CNGW may forward the authentication challenge message in the non-EAP payload of the IKEv2 message; specifically, the whole authentication challenge message may be encapsulated in the non-EAP payload of the IKEv2 message, that is, the non-EAP payload of the IKEv2 message carries the authentication challenge message.
Second mode: when the authentication method used between the CP-AU and the UE is an EAP authentication method, the N3CNGW encapsulates the authentication parameters of the authentication challenge message in the EAP payload of the IKEv2 message, that is, the EAP payload of the IKEv2 message carries the authentication parameters of the authentication challenge message.
Third mode: when the authentication method used between the CP-AU and the UE is an EAP authentication method, the N3CNGW encapsulates the authentication parameters of the authentication challenge message in the EAP payload of the IKEv2 message and the additional parameters of the authentication challenge message in the non-EAP payload of the IKEv2 message, that is, the EAP payload of the IKEv2 message carries the authentication parameters of the authentication challenge message and the non-EAP payload carries the additional parameters of the authentication challenge message.
Fourth mode: when the authentication method used between the CP-AU and the UE is an EAP authentication method, the N3CNGW may encapsulate the whole authentication challenge message in the EAP payload of the IKEv2 message, that is, the EAP payload of the IKEv2 message carries the whole user authentication request message.
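The gateway side of steps S46 to S48, as an added example that is not the patent's own code: the N3CNGW classifies the challenge by the authentication parameters the page lists for each method (RAND/AUTN versus EAP-REQ, AKA-Challenge, AKA'-Challenge, Access-Challenge) and builds the IKEv2 payloads for each of the four forwarding modes. The `AuthChallenge` and `IKEv2Message` structures, the parameter names used as dictionary keys and the treatment of the additional parameters in the second mode (they are not carried, since the page does not say where they go) are assumptions made for the example.

```python
"""Forwarding-mode selection and payload construction at the N3CNGW (steps S46-S48)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Authentication parameters the page associates with each method family (step S46).
EAP_PARAMS = {"EAP-REQ", "AKA-Challenge", "AKA'-Challenge", "Access-Challenge"}
NON_EAP_PARAMS = {"RAND", "AUTN"}


@dataclass
class AuthChallenge:
    """Challenge as received from the SSF/MM: method-related authentication
    parameters plus additional parameters unrelated to the method."""
    auth_params: Dict[str, bytes]
    extra_params: Dict[str, bytes] = field(default_factory=dict)


@dataclass
class IKEv2Message:
    """Simplified IKEv2 message with one EAP payload and one non-EAP payload."""
    eap_payload: Dict[str, bytes] = field(default_factory=dict)
    non_eap_payload: Dict[str, bytes] = field(default_factory=dict)


def classify_method(challenge: AuthChallenge) -> str:
    """Decide from the authentication parameters whether the CP-AU chose an
    EAP or a non-EAP method. A mix of both families, or neither, is rejected."""
    names = set(challenge.auth_params)
    is_eap = bool(names & EAP_PARAMS)
    is_non_eap = bool(names & NON_EAP_PARAMS)
    if is_eap == is_non_eap:
        raise ValueError(f"cannot classify authentication parameters {sorted(names)}")
    return "EAP" if is_eap else "non-EAP"


def select_forwarding_mode(challenge: AuthChallenge, eap_mode: int = 4) -> int:
    """Mode 1 is the only mode for non-EAP methods; modes 2, 3 and 4 are the
    choices for EAP methods (the page leaves the choice to the gateway)."""
    if classify_method(challenge) == "non-EAP":
        return 1
    if eap_mode not in (2, 3, 4):
        raise ValueError("EAP challenges use forwarding mode 2, 3 or 4")
    return eap_mode


def payload_matches_method(challenge: AuthChallenge, mode: int) -> bool:
    """True when the mode is one the page allows for this challenge's method."""
    is_non_eap = classify_method(challenge) == "non-EAP"
    return (mode == 1) == is_non_eap and mode in (1, 2, 3, 4)


def encapsulate(challenge: AuthChallenge, mode: int) -> IKEv2Message:
    """Build the IKEv2 message for the given forwarding mode."""
    if not payload_matches_method(challenge, mode):
        # Refuse to put non-EAP material in the EAP payload or vice versa.
        raise ValueError(f"forwarding mode {mode} does not match the method")
    auth = dict(challenge.auth_params)
    extra = dict(challenge.extra_params)
    whole = {**auth, **extra}
    if mode == 1:   # whole challenge in the non-EAP payload
        return IKEv2Message(non_eap_payload=whole)
    if mode == 2:   # only the authentication parameters, in the EAP payload
        return IKEv2Message(eap_payload=auth)
    if mode == 3:   # auth parameters in EAP payload, extras in non-EAP payload
        return IKEv2Message(eap_payload=auth, non_eap_payload=extra)
    return IKEv2Message(eap_payload=whole)   # mode 4: whole challenge in EAP payload


def forward_challenge(challenge: AuthChallenge,
                      eap_mode: int = 4) -> Tuple[int, IKEv2Message]:
    """Return the selected mode (to be reused for the reply in step S411)
    together with the IKEv2 message to send to the UE."""
    mode = select_forwarding_mode(challenge, eap_mode)
    return mode, encapsulate(challenge, mode)


if __name__ == "__main__":
    # Constructed sample: an EPS-AKA style challenge with one extra NAS field.
    sample = AuthChallenge({"RAND": b"\x00" * 16, "AUTN": b"\x11" * 16},
                           {"NAS-hdr": b"\x07"})
    print(forward_challenge(sample))
```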
Step S49: The N3CNGW forwards the authentication challenge message to the UE using the selected forwarding mode.
Step S410: The UE authenticates the core network and, after the authentication passes, sends an authentication message to the N3CNGW.
Step S411: The N3CNGW selects a forwarding mode.
In an embodiment of the present invention, the N3CNGW may select the same forwarding mode as in step S48 to forward the authentication message to the SSF/MM. For example, if the N3CNGW selected the first forwarding mode in step S48 to forward the authentication challenge message to the UE, the N3CNGW may likewise select the first forwarding mode to forward the authentication message to the SSF/MM.
Step S412: The N3CNGW forwards the authentication message to the SSF/MM according to the selected forwarding mode.
Step S413: The SSF/MM forwards the authentication message to the CP-AU; at this point the CP-AU can authenticate the legitimacy of the UE.
Step S414: The CP-AU generates a key Kmm and sends it to the MM.
In an embodiment of the present invention, the CP-AU may generate Kmm in response to a key request from the MM and send Kmm to the MM; the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm to the MM.
Based on the received Kmm, the MM/SSF initiates the NAS SMC (Security Mode Command) procedure, which is as follows:
Step S415: The MM/SSF sends an attach accept message to the N3CNGW.
In an embodiment of the present invention, if the authentication method used is an EAP authentication method, the MM/SSF encapsulates the NAS SMC, the Attach accept and the key to be used by the N3CNGW together in the EAP-Success to form the attach accept message, and sends it to the N3CNGW.
In an embodiment of the present invention, if the authentication method used is a non-EAP authentication method, the MM/SSF encapsulates the NAS SMC and the Attach accept in the V payload, N payload, CP payload or new payload of the IKEv2 message to form the attach accept message, and sends it to the N3CNGW.
Step S416: The N3CNGW forwards the attach accept message to the UE using any of the forwarding modes described above.
Step S417: The UE authenticates the N3CNGW and, after the authentication passes, sends an attach complete message to the N3CNGW.
In an embodiment of the present invention, the UE may generate the corresponding key, verify the SMC and the AUTH with that key, and then encapsulate the NAS SMP and the Attach accept to generate the attach complete message.
Step S418: The N3CNGW forwards the attach complete message to the SSF/MM.
Step S419: The N3CNGW authenticates the UE and, after the authentication passes, sends an authentication success message to the UE.
Through the above procedure, the UE can access the core network through an untrusted non-3GPP mode.
In the current 4G network, after the UE accesses the core network it can send data only on the user plane; in an embodiment of the present invention, the UE can also send information on the control plane, as follows:
Step S420: The UE sends a NAS message to the N3CNGW.
In an embodiment of the present invention, the UE may encapsulate the NAS message in the V payload, N payload, CP payload or new payload of IKEv2, and the message type of the NAS message is INFO (Information).
Step S421: The N3CNGW forwards the NAS message to the core network.
Step S422: The N3CNGW directly encapsulates the NAS message sent by the core network in the V payload, N payload, CP payload or new payload of an IKEv2_INFO message and sends it to the UE.
It can be seen from the above that, in an embodiment of the present invention, with the above method the UE can access the core network in a 5G network through an untrusted non-3GPP access mode; moreover, the UE does not need to distinguish whether its current access to the core network is 3GPP access or non-3GPP access, and can access the network simply by sending a NAS message.
Embodiment 2
The present invention also provides another procedure by which, in a 5G network, a UE accesses the core network through an untrusted non-3GPP mode, as shown in FIG. 5, as follows:
Step S50: A secure tunnel is established between the UE and the N3CNGW.
Step S51: The UE sends an attach request to the N3CNGW; the attach request may be encapsulated in the V payload, N payload, CP payload or new payload of the IKEv2 message.
Step S52: The N3CNGW adds EAP-RSP/Identity information to the attach request and sends the attach request with the added information to the SSF/MM.
The N3CNGW may encapsulate the EAP-RSP/Identity information in the NAS message of the attach request.
Step S53: The SSF/MM sends an authentication request to the CP-AU.
In an embodiment of the present invention, the process by which the SSF/MM generates the authentication request is as discussed in Embodiment 1 above and is not repeated here.
Step S54: The CP-AU obtains the authentication vector set.
Step S55: The CP-AU determines that the authentication method is an EAP authentication method.
In an embodiment of the present invention, since the attach request carries the EAP-RSP/Identity information, the authentication method can be determined to be an EAP authentication method.
Step S56: The CP-AU sends an authentication challenge message to the SSF/MM.
In an embodiment of the present invention, the process of encapsulating the authentication parameters in the NAS message is as follows:
If the EAP-AKA or EAP-AKA' authentication method is used, authentication parameters such as EAP-REQ/AKA-Challenge or EAP-REQ/AKA'-Challenge are encapsulated in the authentication challenge message; if the EAP-TLS authentication method is used, authentication parameters such as EAP-REQ/Access-Challenge are used.
Step S57: The SSF/MM forwards the authentication challenge message to the N3CNGW.
Step S58: The N3CNGW forwards the authentication challenge message to the UE.
For the manner in which the N3CNGW forwards the authentication challenge message, see the forwarding modes used in Embodiment 1 when the authentication method is EAP; in an embodiment of the present invention, any of the forwarding modes for the EAP authentication method may be used to forward the authentication challenge message, which is not repeated here.
Step S59: The UE authenticates the core network and, after the authentication passes, sends an authentication message to the N3CNGW.
Step S510: The N3CNGW forwards the authentication message to the SSF/MM.
In an embodiment of the present invention, the N3CNGW may select the same forwarding mode as in step S58 above to forward the authentication response message to the SSF/MM.
Step S511: The SSF/MM forwards the authentication message to the CP-AU, and the CP-AU authenticates the access of the UE.
Step S512: The CP-AU generates a key Kmm and sends it to the MM.
In an embodiment of the present invention, the CP-AU may generate Kmm in response to a key request from the MM and send Kmm to the MM; the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm.
Step S513: The MM selects a security algorithm.
Step S514: The MM sends the NAS SMC to the N3CNGW.
Step S515: The N3CNGW sends a NAS SMC message to the UE.
In an embodiment of the present invention, the MM may encapsulate the NAS SMC to generate the NAS SMC message.
Step S516: The UE authenticates the core network and, after the authentication passes, sends a NAS SMP message to the N3CNGW.
Step S517: The N3CNGW forwards the NAS SMP message to the MM.
Step S518: The MM authenticates the UE and, after the authentication passes, sends an attach accept message to the N3CNGW.
Step S519: The N3CNGW forwards the attach accept message to the UE.
Through the above procedure, the UE can access the core network; in an embodiment of the present invention, after the UE accesses the core network, it can also send signalling on the control plane, for which see the relevant steps of Embodiment 1, not repeated here.
It can be seen from the above that, in an embodiment of the present invention, with the above method the UE can access the core network in a 5G network through an untrusted non-3GPP access mode.
Embodiment 3
The present invention also provides another procedure by which, in a 5G network, a UE accesses the core network through an untrusted non-3GPP mode, as shown in FIG. 6, as follows:
Step S61: The UE sends an initial security negotiation message to the N3CNGW; the initial security negotiation message may carry an attach request.
In an embodiment of the present invention, the attach request may be encapsulated in the V payload, N payload, CP payload or new payload of the initial security negotiation message.
Step S62: The N3CNGW sends an initial security negotiation response message to the UE and sends the attach request to the SSF/MM.
In an embodiment of the present invention, the order in which the N3CNGW sends the initial security negotiation response message and the attach request is not limited: the N3CNGW may send them at the same time, send the initial security negotiation response message first and then the attach request, or send the attach request first and then the initial security negotiation response message.
Step S63: The SSF/MM sends an authentication request message, which carries EAP-Res/Identity.
Step S64: The CP-AU obtains the authentication vector set.
Step S65: The CP-AU determines that the authentication method is an EAP authentication method.
Step S66: The CP-AU sends an authentication challenge message to the SSF/MM.
In an embodiment of the present invention, EAP-REQ/EAP-Challenge is encapsulated in the authentication challenge message.
Step S67: The SSF/MM forwards the authentication challenge message to the N3CNGW.
Step S68: The N3CNGW forwards the authentication challenge message to the UE.
Step S69: The UE authenticates the core network and, after the authentication passes, sends an authentication message to the N3CNGW.
Step S610: The N3CNGW forwards the authentication message to the SSF/MM.
Step S611: The SSF/MM forwards the authentication message to the CP-AU, and the CP-AU authenticates the access of the UE.
Step S612: After the authentication of the UE passes, the CP-AU sends an authentication success message to the SSF/MM.
EAP-Success is encapsulated in the authentication success message.
Step S613: The SSF/MM forwards the authentication success message to the N3CNGW.
Step S614: The N3CNGW forwards the authentication success message to the UE.
In an embodiment of the present invention, the N3CNGW may retain the key contained in the authentication success message and forward the remaining information to the UE.
Step S615: The CP-AU generates a key Kmm and sends it to the MM.
In an embodiment of the present invention, the CP-AU may generate Kmm in response to a key request from the MM and send Kmm to the MM; the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm.
Step S616: The MM selects a security algorithm.
Step S617: The MM sends the NAS SMC to the N3CNGW.
Step S618: The N3CNGW forwards the NAS SMC message to the UE.
In an embodiment of the present invention, the N3CNGW may encapsulate the NAS SMC message in the V payload, N payload, CP payload or new payload of the IKEv2 message.
Step S619: The UE authenticates the N3CNGW and, after the authentication passes, sends an SMP message to the N3CNGW; the SMP message may be encapsulated in the V payload, N payload, CP payload or new payload of the IKEv2 message.
Step S620: The N3CNGW sends the SMP message to the MM.
Step S621: The MM sends an attach accept message to the N3CNGW.
Step S622: The N3CNGW forwards the attach accept message to the UE.
In an embodiment of the present invention, the attach request message may be encapsulated in the V payload, N payload, CP payload or new payload of the IKEv2 message.
Through the above procedure, the UE can access the core network; in an embodiment of the present invention, after the UE accesses the core network, it can also send signalling on the control plane, for which see the relevant steps of Embodiment 1, not repeated here.
It can be seen from the above that, in an embodiment of the present invention, with the above method the UE can access the core network in a 5G network through an untrusted non-3GPP access mode.
Embodiment 4
The present invention also provides another procedure by which, in a 5G network, a UE accesses the core network through an untrusted non-3GPP mode, as shown in FIG. 7, as follows:
Step S71: The UE sends an initial security negotiation message to the N3CNGW; the initial security negotiation message may carry an attach request.
In an embodiment of the present invention, the attach request may be encapsulated in the V payload, N payload, CP payload or new payload of the initial security negotiation message.
Step S72: The N3CNGW forwards the attach request to the SSF/MM.
Step S73: The SSF/MM sends an authentication request message to the CP-AU.
Step S74: The CP-AU obtains the authentication vector set.
Step S75: The CP-AU determines that the authentication method is UMTS-AKA, EPS-AKA or NG-AKA.
Step S76: The CP-AU sends an authentication challenge message to the SSF/MM.
Step S77: The SSF/MM forwards the authentication challenge message to the N3CNGW.
Step S78: The N3CNGW encapsulates the authentication challenge message in an initial security negotiation response message and sends it to the UE; it may be encapsulated in the V payload, N payload, CP payload or new payload of the initial security negotiation response message.
Step S79: The UE authenticates the core network and, after the authentication succeeds, generates the key used for mutual authentication with the N3CNGW and computes AUTH with that key.
Step S710: The UE generates an authentication message and sends the authentication message to the N3CNGW.
In an embodiment of the present invention, the UE may place the generated content that needs to be verified by the core network and the N3CNGW in the V payload, N payload, CP payload or new payload of the authentication message, and send it to the N3CNGW.
Step S711: The N3CNGW generates the key used to verify AUTH, and verifies AUTH.
Step S712: After the AUTH verification succeeds, the N3CNGW sends an authentication response message to the SSF/MM.
Step S713: The SSF/MM forwards the authentication response message to the CP-AU, and the CP-AU authenticates the access of the UE.
Step S714: The CP-AU generates a key Kmm and sends it to the MM.
In an embodiment of the present invention, the CP-AU may generate Kmm in response to a key request from the MM and send Kmm to the MM; the CP-AU may also generate Kmm according to other trigger conditions or spontaneously, and send Kmm.
Step S715: The MM selects a security algorithm.
Step S716: The MM sends the NAS SMC to the N3CNGW.
Step S717: The N3CNGW sends a NAS SMC message to the UE.
In an embodiment of the present invention, the N3CNGW may encapsulate the NAS SMC message in the V payload, N payload, CP payload or new payload of the IKEv2 message.
Step S718: The UE verifies the SMC and at the same time verifies the correctness of AUTH; if everything is correct, it replies with an SMP.
Step S719: The UE replies with an SMP message to the N3CNGW; the SMP message may be encapsulated in the V payload, N payload, CP payload or new payload of the IKE_INFO message.
Step S720: The N3CNGW forwards the SMP message to the MM.
Step S721: The MM sends an attach accept message to the N3CNGW.
Step S722: The N3CNGW forwards the attach accept message to the UE; specifically, the attach request message may be encapsulated in the V payload, N payload, CP payload or new payload of IKE_INFO.
Through the above procedure, the UE can access the core network; in an embodiment of the present invention, after the UE accesses the core network, it can also send signalling on the control plane, for which see the relevant steps of Embodiment 1, not repeated here.
由上可见,在本发明实施例中,采用上述方法,在5G网络中,UE可通过非可信非3GPP接入方式接入核心网 It can be seen that, in the embodiment of the present invention, in the 5G network, the UE can access the core network through the non-trusted non-3GPP access mode.
Embodiment 5
The present invention further provides another process by which, in a 5G network, the UE accesses the core network through the untrusted non-3GPP mode, as shown in FIG. 8. It is as follows:
Step S81: The UE sends an initial security negotiation message to the N3CNGW; the initial security negotiation message may carry an attach request.
In this embodiment of the present invention, the attach request may specifically be encapsulated in the V payload, the N payload, the CP payload or a new payload of the initial security negotiation message.
Step S82: The N3CNGW forwards the attach request to the SSF/MM.
Step S83: The SSF/MM sends an authentication request message to the CP-AU.
Step S84: The CP-AU obtains an authentication vector set.
Step S85: The CP-AU determines that the authentication method is UMTS-AKA, EPS-AKA or NG-AKA.
Step S86: The CP-AU sends an authentication challenge message to the SSF/MM.
Step S87: The SSF/MM forwards the authentication challenge message to the N3CNGW.
Step S88: The N3CNGW encapsulates the authentication challenge message in the initial security negotiation response message; specifically, the challenge may be encapsulated in the V payload, the N payload, the CP payload or a new payload of the initial security negotiation response message.
Step S89: The UE authenticates the core network and, after the authentication succeeds, generates the key used for mutual authentication with the N3CNGW and computes AUTH with that key.
Step S810: The UE generates an authentication message and sends it to the N3CNGW.
Step S811: The N3CNGW generates the key used to verify AUTH and verifies AUTH.
Step S812: After the AUTH verification succeeds, the N3CNGW sends an authentication response message to the SSF/MM.
Step S813: The SSF/MM forwards the authentication response message to the CP-AU, and the CP-AU authenticates the access of the UE.
Step S814: After the authentication of the UE passes, the CP-AU sends an authentication success message to the SSF/MM.
Step S815: The SSF/MM forwards the authentication success message to the N3CNGW.
Step S816: The N3CNGW forwards the authentication success message to the UE.
Step S817: The UE verifies AUTH and completes the authentication of the N3CNGW.
Step S818: The CP-AU generates the key Kmm and sends it to the MM.
In this embodiment of the present invention, the CP-AU may generate Kmm in response to a key request from the MM and send Kmm to the MM; the CP-AU may also generate and send Kmm on other trigger conditions or spontaneously.
Step S819: The MM selects a security algorithm.
Step S820: The MM sends a NAS SMC to the N3CNGW.
Step S821: The N3CNGW sends the NAS SMC message to the UE.
In this embodiment of the present invention, the N3CNGW may encapsulate the NAS SMC message in the V payload, the N payload, the CP payload or a new payload of an IKEv2 message.
Step S822: The UE verifies the SMC and at the same time verifies the correctness of AUTH. If everything is correct, it replies with an SMP.
Step S823: The UE replies with an SMP message to the N3CNGW; the SMP message may be encapsulated in the V payload, the N payload, the CP payload or a new payload of the IKE_INFO message.
Step S824: The N3CNGW forwards the SMP message to the MM.
Step S825: The MM sends an attach accept message to the N3CNGW.
Step S826: The N3CNGW forwards the attach accept message to the UE; specifically, the message may be encapsulated in the V payload, the N payload, the CP payload or a new payload of the IKE_INFO.
Through the above process, the UE can gain access to the core network. In this embodiment of the present invention, after the UE has accessed the core network, signaling may also be sent on the control plane; for the specific process, refer to the related steps in Embodiment 1, which are not repeated here.
It can be seen from the above that, in this embodiment of the present invention, with the above method the UE can access the core network in a 5G network through the untrusted non-3GPP access mode.
Embodiment 6
Based on the same concept, the present invention further provides a message forwarding apparatus. As shown in FIG. 9, the message forwarding apparatus 900 includes at least:
a first receiving unit 901, configured to receive a user authentication request message sent by a core network element; and
a first forwarding unit 902, configured to, when it is determined that the authentication method selected by the core network element is a non-EAP (Extensible Authentication Protocol) authentication method, forward the user authentication request message using a non-EAP payload in an IKEV2 (key exchange protocol, version 2) message, where the IKEV2 message includes at least a non-EAP payload and the non-EAP payload is used to carry parameters other than those of an EAP authentication method.
Optionally, the first forwarding unit 902 is specifically configured to send an IKEV2 message to the user side device, where the non-EAP payload of the IKEV2 message carries the user authentication request message.
With the apparatus of the present invention, the user side device can access the core network in an untrusted non-3GPP manner.
Embodiment 7
Based on the same concept, the present invention further provides an apparatus for forwarding data packets. As shown in FIG. 10, the message forwarding apparatus 100 includes:
a second receiving unit 101, configured to receive a user authentication request message sent by a core network element; and
a second forwarding unit 102, configured to, when it is determined that the authentication method selected by the core network element is an EAP (Extensible Authentication Protocol) authentication method, forward the user authentication request message using at least the EAP payload of an IKEV2 (key exchange protocol, version 2) message, where the IKEV2 message includes at least an EAP payload and the EAP payload is used to carry the parameters related to the EAP authentication method.
Optionally, when the user authentication request message includes only authentication parameters related to the authentication method, the second forwarding unit 102 is specifically configured to send an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the authentication parameters from the user authentication request message.
Optionally, when the user authentication request includes authentication parameters related to the authentication method and additional parameters unrelated to the authentication method, the second forwarding unit 102 is specifically configured to send an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the authentication parameters from the user authentication request message and the non-EAP payload of the IKEV2 message carries the additional parameters from the user authentication request message.
Optionally, the second forwarding unit 102 is specifically configured to send an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the entire user authentication request message.
With the apparatus of the present invention, the user side device can access the core network in an untrusted non-3GPP manner.
Embodiment 8
The present invention further provides an apparatus for selecting an authentication method. As shown in FIG. 11, the authentication method selection apparatus 110 includes at least:
a third receiving unit 111, configured to receive an attach request sent by an access gateway, where the attach request does not carry indication information, the indication information being able to indicate the manner in which the user side device accesses the core network; and
a first determining unit 112, configured to determine, according to an authentication vector set, the authentication method to be used when the core network element and the user side device authenticate each other.
Optionally, the authentication vector set includes at least an indication bit, and the first determining unit 112 is specifically configured to: obtain the indication bit of the authentication vector set; when the indication bit of the authentication vector set is first data, determine that the method used when the core network element and the user side device authenticate each other is an EAP method; and when the indication bit of the authentication vector set is second data, determine that the method used when the core network element and the user side device authenticate each other is a non-EAP method.
With the apparatus of the present invention, when the attach request carries no indication information, the authentication method to be used when the core network element and the user side device authenticate each other can be determined.
Embodiment 9
The present invention further provides an apparatus for selecting an authentication method. As shown in FIG. 12, the authentication method selection apparatus 120 includes at least:
a fourth receiving unit 121, configured to receive an attach request sent by an access gateway, where the attach request carries indication information, the indication information being able to indicate the manner in which the user side device accesses the core network; and
a second determining unit 122, configured to determine, according to the access method corresponding to the indication information in the attach request, the authentication method to be used when the core network element and the user side device authenticate each other.
Optionally, the second determining unit 122 is specifically configured to: when the access mode corresponding to the indication information in the attach request is the 3GPP (3rd Generation Partnership Project) access mode, determine that the core network element and the user side device use a non-EAP authentication method when authenticating each other; and when the access mode corresponding to the indication information in the attach request is a non-3GPP access mode, determine that the core network element and the user side device use an EAP authentication method when authenticating each other.
With the apparatus of the present invention, when the attach request carries indication information, the authentication method to be used when the core network element and the user side device authenticate each other can be determined.
Embodiment 10
The present invention further provides an access gateway. As shown in FIG. 13, the access gateway 130 includes at least:
a transceiver 131, configured to receive a user authentication request message sent by a core network element and to forward the encapsulated IKEV2 (key exchange protocol, version 2) message to the user side device; and
at least one processor 132, configured to encapsulate the user authentication request message in a non-EAP payload of an IKEV2 message when it is determined that the authentication method selected by the core network is a non-EAP (Extensible Authentication Protocol) authentication method, or to encapsulate the user authentication request message in the EAP payload of an IKEV2 message when it is determined that the authentication method selected by the core network is an EAP authentication method.
With the access gateway of the present invention, the user authentication request message can be forwarded to the user side device.
Embodiment 11
The present invention further provides a core network element. As shown in FIG. 14, the core network element 140 includes at least:
a transceiver 141, which receives an attach request sent by an access gateway; and
at least one processor 142, which, when the attach request carries no indication information, determines according to an authentication vector set the authentication method to be used when the core network element and the user side device authenticate each other, or, when the attach request carries indication information, determines according to the access method corresponding to the indication information in the attach request the authentication method to be used when the core network element and the user side device authenticate each other; the indication information can indicate the manner in which the user side device accesses the core network.
The core network element of the present invention can determine the authentication method to be used when it and the user side device authenticate each other.
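As an added illustration that is not part of the patent, the following Python model implements the two decisions described in Embodiments 6 to 11: the core network element's selection of the authentication method (from the access-mode indication in the attach request, or from the indication bit of the authentication vector set when no indication is carried) and the access gateway's choice of IKEV2 payload for the user authentication request message. The encoding of the indication bit, the parameter names and the payload labels are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class AuthMethod(Enum):
    EAP = "EAP"
    NON_EAP = "non-EAP"      # e.g. UMTS-AKA, EPS-AKA or NG-AKA as named in the flows


class AccessMode(Enum):
    THREE_GPP = "3GPP"
    NON_3GPP = "non-3GPP"


# Assumed encoding of the authentication vector set's indication bit
# ("first data" -> EAP, "second data" -> non-EAP); the patent fixes no values.
INDICATION_FIRST_DATA = 1
INDICATION_SECOND_DATA = 0

# Non-EAP payload labels as named on the page: Vendor ID (V), Notify (N),
# Configuration (CP) or a new payload ("NEW" is a constructed label).
NON_EAP_PAYLOADS = ("V", "N", "CP", "NEW")


@dataclass
class AttachRequest:
    # None models an attach request that carries no indication information.
    access_mode: Optional[AccessMode] = None


@dataclass
class AuthVectorSet:
    indication_bit: int
    vectors: list = field(default_factory=list)   # the AKA vectors themselves (unused here)


def select_auth_method(req: AttachRequest, avs: AuthVectorSet) -> AuthMethod:
    """Core network element (Embodiment 11, which combines Embodiments 8 and 9)."""
    if req.access_mode is None:
        # Embodiment 8: no indication carried, so consult the authentication vector set.
        if avs.indication_bit == INDICATION_FIRST_DATA:
            return AuthMethod.EAP
        if avs.indication_bit == INDICATION_SECOND_DATA:
            return AuthMethod.NON_EAP
        raise ValueError(f"unrecognised indication bit: {avs.indication_bit!r}")
    # Embodiment 9: 3GPP access -> non-EAP method, non-3GPP access -> EAP method.
    if req.access_mode is AccessMode.THREE_GPP:
        return AuthMethod.NON_EAP
    return AuthMethod.EAP


@dataclass
class UserAuthRequest:
    method: AuthMethod
    auth_params: Dict[str, str]                                      # tied to the method
    additional_params: Dict[str, str] = field(default_factory=dict)  # unrelated to it


def encapsulate_in_ikev2(req: UserAuthRequest, non_eap_payload: str = "N",
                         whole_message_in_eap: bool = False) -> Dict[str, dict]:
    """Access gateway (Embodiment 10): build the IKEV2 message as a mapping of
    payload label -> content, following the options of Embodiments 6 and 7."""
    if non_eap_payload not in NON_EAP_PAYLOADS:
        raise ValueError(f"not a non-EAP payload: {non_eap_payload!r}")
    whole = {"auth_params": dict(req.auth_params),
             "additional_params": dict(req.additional_params)}
    if req.method is AuthMethod.NON_EAP:
        # Embodiment 6: the whole request rides in a non-EAP payload.
        return {non_eap_payload: whole}
    if whole_message_in_eap:
        # Embodiment 7, third option: the entire request in the EAP payload.
        return {"EAP": whole}
    # Embodiment 7, first and second options: method parameters in the EAP payload,
    # any method-unrelated additional parameters in a non-EAP payload.
    msg: Dict[str, dict] = {"EAP": dict(req.auth_params)}
    if req.additional_params:
        msg[non_eap_payload] = dict(req.additional_params)
    return msg


def check_forwarded_message(method: AuthMethod, msg: Dict[str, dict]) -> bool:
    """Receiver-side sanity check: an EAP method must arrive with an EAP payload,
    a non-EAP method with at least one non-EAP payload and no EAP payload."""
    has_eap = "EAP" in msg
    has_non_eap = any(label in msg for label in NON_EAP_PAYLOADS)
    if method is AuthMethod.EAP:
        return has_eap
    return has_non_eap and not has_eap


if __name__ == "__main__":
    # Constructed walk-through: an attach request without indication information,
    # so the core network element falls back to the vector set's indication bit.
    avs = AuthVectorSet(indication_bit=INDICATION_FIRST_DATA)
    method = select_auth_method(AttachRequest(), avs)
    request = UserAuthRequest(method, {"RAND": "<constructed>", "AUTN": "<constructed>"},
                              {"extra": "<constructed>"})
    msg = encapsulate_in_ikev2(request)
    print(method, msg, check_forwarded_message(method, msg))
```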
A person of ordinary skill in the art can understand that all or some of the steps of the methods in the above embodiments may be implemented by a program instructing a processor, and the program may be stored in a computer readable storage medium, where the storage medium is a non-transitory medium, for example a random access memory, a read-only memory, a flash memory, a hard disk, a solid state disk, a magnetic tape, a floppy disk, an optical disc, or any combination thereof.
The present invention is described with reference to the flowcharts and block diagrams of the methods and apparatuses according to the embodiments of the present invention. It should be understood that each flow and block in the flowcharts and block diagrams, and combinations of flows and blocks in the flowcharts and block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and one or more blocks of the block diagrams.
The foregoing are merely preferred specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (22)

  1. 一种消息转发的方法,其特征在于,所述方法包括:A method for message forwarding, characterized in that the method comprises:
    接入网关接收核心网网元发送的用户鉴权请求消息;The access gateway receives the user authentication request message sent by the core network element;
    所述接入网关在确定所述核心网网元所选择的鉴权方法为非EAP可扩展鉴权协议鉴权方法时,利用IKEV2第二版本密钥交换协议消息中的非EAP载荷转发所述用户鉴权请求消息,所述IKEV2消息中至少包括非EAP载荷,所述非EAP载荷用于承载除EAP鉴权方法外的其它参数。When the access gateway determines that the authentication method selected by the core network element is a non-EAP extensible authentication protocol authentication method, the access gateway uses the non-EAP payload in the IKEV2 second version key exchange protocol message to forward the A user authentication request message, the IKEV2 message includes at least a non-EAP payload, and the non-EAP payload is used to carry other parameters than the EAP authentication method.
  2. 根据权利要求1所述的方法,其特征在于,所述接入网关利用IKEV2消息中的非EAP载荷转发所述用户鉴权请求消息,包括:The method according to claim 1, wherein the access gateway forwards the user authentication request message by using a non-EAP payload in the IKEV2 message, including:
    所述接入网关发送IKEV2消息至用户侧设备,所述IKEV2消息的非EAP载荷中携带有所述用户鉴权请求消息。The access gateway sends an IKEV2 message to the user side device, where the non-EAP payload of the IKEV2 message carries the user authentication request message.
  3. 一种消息转发的方法,其特征在于,所述方法包括:A method for message forwarding, characterized in that the method comprises:
    接入网关接收核心网网元发送的用户鉴权请求消息;The access gateway receives the user authentication request message sent by the core network element;
    所述接入网关在确定所述核心网网元所选择的鉴权方法为EAP可扩展鉴权协议鉴权方法时,至少利用IKEV2第二版本密钥交换协议消息的EAP载荷转发所述用户鉴权请求消息,所述IKEV2消息中至少包括EAP载荷,所述EAP载荷用于承载EAP鉴权方法的相关参数。When the access gateway determines that the authentication method selected by the core network element is the EAP extensible authentication protocol authentication method, the access gateway forwards the user profile by using at least the EAP payload of the IKEV2 second version key exchange protocol message. The right request message, the IKEV2 message includes at least an EAP payload, and the EAP payload is used to carry related parameters of the EAP authentication method.
  4. 根据权利要求3所述的方法,其特征在于,所述用户鉴权请求消息中仅包括鉴权方法相关的鉴权参数,所述接入网关至少利用IKEV2消息中的EAP载荷转发所述用户鉴权请求消息,包括:The method according to claim 3, wherein the user authentication request message includes only an authentication parameter related to the authentication method, and the access gateway forwards the user profile by using at least an EAP payload in the IKEV2 message. Right request message, including:
    所述接入网关发送IKEV2消息至用户侧设备,所述IKEV2消息的EAP载荷中携带有所述用户鉴权请求消息中的鉴权参数。The access gateway sends an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the authentication parameter in the user authentication request message.
  5. 根据权利要求3所述的方法,其特征在于,所述用户鉴权请求中包括鉴权方法相关的鉴权参数和鉴权方法不相关的附加参数,所述IKEV2消息中还包括非EAP载荷,所述接入网关至少利用IKEV2消息中的EAP载荷转发所述用户鉴权请求消息,包括: The method according to claim 3, wherein the user authentication request includes an authentication parameter related to the authentication method and an additional parameter that is not related to the authentication method, and the IKEV2 message further includes a non-EAP payload. The access gateway forwards the user authentication request message by using at least the EAP payload in the IKEV2 message, including:
    所述接入网关发送IKEV2消息至用户侧设备,所述IKEV2消息的EAP载荷中携带有所述用户鉴权请求消息中的鉴权参数,所述IKEV2消息的非EAP载荷中携带有所述用户鉴权请求消息中的附加参数。The access gateway sends an IKEV2 message to the user equipment, where the EAP payload of the IKEV2 message carries the authentication parameter in the user authentication request message, where the non-EAP payload of the IKEV2 message carries the user. Additional parameters in the authentication request message.
  6. 根据权利要求3所述的方法,其特征在于,所述接入网关至少利用IKEV2消息中的EAP载荷转发所述用户鉴权请求消息,包括:The method according to claim 3, wherein the access gateway forwards the user authentication request message by using at least an EAP payload in the IKEV2 message, including:
    所述接入网关发送IKEV2消息至用户侧设备,所述IKEV2消息的EAP载荷中携带有整个用户鉴权请求消息。The access gateway sends an IKEV2 message to the user side device, where the EAP payload of the IKEV2 message carries the entire user authentication request message.
  7. 一种鉴权方法的选择方法,其特征在于,包括:A method for selecting an authentication method, comprising:
    核心网网元接收接入网关发送的附着请求,所述附着请求中未携带有指示信息,所述指示信息可指示用户侧设备接入核心网的方式;The core network element receives the attach request sent by the access gateway, where the attach request does not carry the indication information, and the indication information may indicate the manner in which the user side device accesses the core network;
    所述核心网网元根据鉴权向量集,确定所述核心网网元和用户侧设备相互鉴权时,所采用的鉴权方法。The core network element determines, according to the set of authentication vectors, an authentication method used when the core network element and the user side device mutually authenticate each other.
  8. 根据权利要求7所述的方法,其特征在于,所述鉴权向量集至少包括指示比特,所述核心网网元根据鉴权向量集,确定所述核心网网元和用户侧设备相互鉴权时,所采用的鉴权方法,包括:The method according to claim 7, wherein the set of authentication vectors includes at least an indication bit, and the core network element determines, according to the set of authentication vectors, that the core network element and the user side device mutually authenticate each other. The authentication method used, including:
    所述核心网网元获得所述鉴权向量集的指示比特;The core network element obtains an indication bit of the authentication vector set;
    所述核心网网元在所述鉴权向量集的指示比特为第一数据时,确定所述核心网网元和用户侧设备相互鉴权时,所采用的方法为EAP方法;When the indication bit of the authentication vector set is the first data, the core network element determines that the core network element and the user side device mutually authenticate each other, and the method used is an EAP method;
    所述核心网网元在所述鉴权向量集的指示比特为第二数据时,确定所述核心网网元和用户侧设备在相互鉴权时,所采用的方法为非EAP方法。When the indication bit of the authentication vector set is the second data, the core network element determines that the method used by the core network element and the user side device to authenticate each other is a non-EAP method.
  9. 一种鉴权方法的选择方法,其特征在于,包括:A method for selecting an authentication method, comprising:
    核心网网元接收接入网关发送的附着请求,所述附着请求中携带有指示信息,所述指示信息可指示用户侧设备接入核心网的方式;The core network element receives the attach request sent by the access gateway, where the attach request carries the indication information, where the indication information may indicate the manner in which the user side device accesses the core network;
    所述核心网网元根据所述附着请求中的指示信息所对应的接入方法,确定所述核心网网元和用户侧设备相互鉴权时,所采用的鉴权方法。And determining, by the core network element, an authentication method used when the core network element and the user side device mutually authenticate each other according to the access method corresponding to the indication information in the attach request.
  10. 根据权利要求9所述的方法,其特征在于,所述核心网网元根据所述附着请求中的指示信息所对应的接入方法,确定所述核心网网元和用户侧 设备相互鉴权时,所采用的鉴权方法,包括:The method according to claim 9, wherein the core network element determines the core network element and the user side according to an access method corresponding to the indication information in the attach request When the devices authenticate each other, the authentication methods used include:
    所述核心网网元在所述附着请求中的指示信息所对应的接入方式为3GPP第三代合作伙伴计划接入方式时,确定所述核心网网元和用户侧设备在相互鉴权时,采用非EAP鉴权方法;When the access mode corresponding to the indication information in the attach request is the 3GPP third-generation partner plan access mode, the core network element determines that the core network element and the user-side device are mutually authenticated. Adopt a non-EAP authentication method;
    所述核心网网元在所述附着请求中的指示信息所对应的接入方式为非3GPP接入方式时,确定所述核心网网元和用户侧设备在相互鉴权时,采用EAP鉴权方法。When the access mode corresponding to the indication information in the attach request is a non-3GPP access mode, the core network element and the user side device determine that the core network element and the user side device use the EAP authentication method when mutually authenticating each other. .
  11. 一种消息转发的装置,其特征在于,所述装置包括:A device for message forwarding, characterized in that the device comprises:
    第一接收单元,用于接收核心网网元发送的用户鉴权请求消息;a first receiving unit, configured to receive a user authentication request message sent by a core network element;
    第一转发单元,用于在确定所述核心网网元所选择的鉴权方法为非EAP可扩展鉴权协议鉴权方法时,利用IKEV2第二版本密钥交换协议消息中的非EAP载荷转发所述用户鉴权请求消息,所述IKEV2消息中至少包括非EAP载荷,所述非EAP载荷用于承载除EAP鉴权方法外的其它参数。The first forwarding unit is configured to use the non-EAP payload forwarding in the IKEV2 second version key exchange protocol message when determining that the authentication method selected by the core network element is a non-EAP extensible authentication protocol authentication method The user authentication request message includes at least a non-EAP payload in the IKEV2 message, and the non-EAP payload is used to carry other parameters except the EAP authentication method.
  12. 根据权利要求11所述的装置,其特征在于,所述第一转发单元,具体用于:The device according to claim 11, wherein the first forwarding unit is specifically configured to:
    发送IKEV2消息至用户侧设备,所述IKEV2消息的非EAP载荷中携带有所述用户鉴权请求消息。The IKEV2 message is sent to the user equipment, and the user authentication request message is carried in the non-EAP payload of the IKEV2 message.
  13. 一种消息转发的的装置,其特征在于,所述装置包括:A device for message forwarding, characterized in that the device comprises:
    第二接收单元,用于接收核心网网元发送的用户鉴权请求消息;a second receiving unit, configured to receive a user authentication request message sent by a core network element;
    第二转发单元,用于在确定所述核心网网元所选择的鉴权方法为EAP可扩展鉴权协议鉴权方法时,至少利用IKEV2第二版本密钥交换协议消息的EAP载荷转发所述用户鉴权请求消息,所述IKEV2消息中至少包括EAP载荷,所述EAP载荷用于承载EAP鉴权方法的相关参数。a second forwarding unit, configured to: when determining that the authentication method selected by the core network element is an EAP extensible authentication protocol authentication method, forwarding the EAP payload by using at least the IKEV2 second version key exchange protocol message The user authentication request message includes at least an EAP payload in the IKEV2 message, where the EAP payload is used to carry related parameters of the EAP authentication method.
  14. The apparatus according to claim 13, wherein, when the user authentication request message includes only authentication parameters related to the authentication method, the second forwarding unit is specifically configured to:
    send an IKEV2 message to the user-side device, where the EAP payload of the IKEV2 message carries the authentication parameters from the user authentication request message.
  15. The apparatus according to claim 13, wherein, when the user authentication request includes both authentication parameters related to the authentication method and additional parameters unrelated to the authentication method, the second forwarding unit is specifically configured to:
    send an IKEV2 message to the user-side device, where the EAP payload of the IKEV2 message carries the authentication parameters from the user authentication request message and a non-EAP payload of the IKEV2 message carries the additional parameters from the user authentication request message.
  16. The apparatus according to claim 13, wherein the second forwarding unit is specifically configured to:
    send an IKEV2 message to the user-side device, where the EAP payload of the IKEV2 message carries the entire user authentication request message.
  17. An apparatus for selecting an authentication method, comprising:
    a third receiving unit, configured to receive an attach request sent by an access gateway, where the attach request does not carry indication information, the indication information being information that can indicate the manner in which a user-side device accesses the core network;
    a first determining unit, configured to determine, according to an authentication vector set, the authentication method to be used when the core network element and the user-side device authenticate each other.
  18. The apparatus according to claim 17, wherein the authentication vector set includes at least an indication bit, and the first determining unit is specifically configured to:
    obtain the indication bit of the authentication vector set;
    when the indication bit of the authentication vector set is first data, determine that the method used when the core network element and the user-side device authenticate each other is an EAP method;
    when the indication bit of the authentication vector set is second data, determine that the method used when the core network element and the user-side device authenticate each other is a non-EAP method.
  19. An apparatus for selecting an authentication method, comprising:
    a fourth receiving unit, configured to receive an attach request sent by an access gateway, where the attach request carries indication information that can indicate the manner in which a user-side device accesses the core network;
    a second determining unit, configured to determine, according to the access method corresponding to the indication information in the attach request, the authentication method to be used when the core network element and the user-side device authenticate each other.
  20. The apparatus according to claim 19, wherein the second determining unit is specifically configured to:
    when the access mode corresponding to the indication information in the attach request is a 3GPP (3rd Generation Partnership Project) access mode, determine that the core network element and the user-side device use a non-EAP authentication method when authenticating each other;
    when the access mode corresponding to the indication information in the attach request is a non-3GPP access mode, determine that the core network element and the user-side device use an EAP authentication method when authenticating each other.
  21. An access gateway, comprising:
    a transceiver, configured to receive a user authentication request message sent by a core network element and to forward the encapsulated IKEV2 (Internet Key Exchange protocol, version 2) message to the user-side device;
    at least one processor, configured to encapsulate the user authentication request message in a non-EAP payload of the IKEV2 message when it determines that the authentication method selected by the core network is a non-EAP (Extensible Authentication Protocol) authentication method, or to encapsulate the user authentication request message in the EAP payload of the IKEV2 message when it determines that the authentication method selected by the core network is an EAP authentication method.
  22. A core network element, comprising:
    a transceiver, configured to receive an attach request sent by an access gateway;
    at least one processor, configured to: when the attach request does not carry indication information, determine, according to an authentication vector set, the authentication method to be used when the core network element and the user-side device authenticate each other; or, when the attach request carries indication information, determine that authentication method according to the access method corresponding to the indication information in the attach request; where the indication information can indicate the manner in which the user-side device accesses the core network.
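As an added example, not code from the patent, the following Python models the encapsulation logic of claims 13 to 16 and 21 together with the method-selection logic of claims 17 to 20 and 22. The payload type numbers and generic payload header follow RFC 7296; using the Notify payload as the claims' unspecified "non-EAP payload", reading the indication bit value 1 as "first data", and splitting the request into auth_params and extra_params are assumptions made for the example.

```python
import struct

# IKEv2 payload type numbers from RFC 7296 section 3.2 (EAP = 48, Notify = 41).
EAP_PAYLOAD = 48
NOTIFY_PAYLOAD = 41  # stands in for the claims' unspecified "non-EAP payload" (assumption)
NO_NEXT_PAYLOAD = 0

def select_auth_method(indication=None, av_indication_bit=None):
    """Claims 17-20 and 22: choose EAP or non-EAP for mutual authentication.
    indication is None when the attach request carries no indication information,
    else "3GPP" or "non-3GPP"; av_indication_bit 1 is taken as "first data" (assumption)."""
    if indication is not None:            # claims 19/20: access mode decides
        return "non-EAP" if indication == "3GPP" else "EAP"
    if av_indication_bit is None:
        raise ValueError("no indication information and no authentication vector set")
    return "EAP" if av_indication_bit == 1 else "non-EAP"   # claims 17/18

def encode_payload(ptype, data, next_type=NO_NEXT_PAYLOAD):
    """Generic IKEv2 payload header: next payload, critical/reserved byte, total length."""
    return struct.pack("!BBH", next_type, 0, 4 + len(data)) + data

def forward_auth_request(method, auth_params, extra_params=b"", whole_message=False):
    """Claims 13-16 and 21: return (first payload type, encoded payload chain).
    The request is modelled as method-related auth_params plus optional
    method-unrelated extra_params; the whole message is their concatenation."""
    if method != "EAP":                    # claim 21: non-EAP method -> non-EAP payload
        return NOTIFY_PAYLOAD, encode_payload(NOTIFY_PAYLOAD, auth_params + extra_params)
    if whole_message:                      # claim 16: entire request inside the EAP payload
        return EAP_PAYLOAD, encode_payload(EAP_PAYLOAD, auth_params + extra_params)
    if extra_params:                       # claim 15: split across EAP and non-EAP payloads
        chain = encode_payload(EAP_PAYLOAD, auth_params, next_type=NOTIFY_PAYLOAD)
        return EAP_PAYLOAD, chain + encode_payload(NOTIFY_PAYLOAD, extra_params)
    return EAP_PAYLOAD, encode_payload(EAP_PAYLOAD, auth_params)   # claim 14

def parse_payloads(first_type, data):
    """User-side view: walk the payload chain, rejecting lengths that run past the data."""
    payloads, ptype, off = [], first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("payload length exceeds message")
        payloads.append((ptype, data[off + 4:off + length]))
        off, ptype = off + length, next_type
    return payloads
```

The parser's length checks matter on the user side because the payload chain is built from lengths supplied by the peer; a chain whose declared length runs past the received bytes is rejected rather than read out of bounds.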
Application PCT/CN2016/100173, priority date 2016-09-26, filing date 2016-09-26: Message forwarding method and apparatus, and access gateway (WO2018053856A1, en)

Publication: WO2018053856A1, published 2018-03-29

Family ID: 61689839

Country status: WO, WO2018053856A1 (en)


Legal Events

Code 121 (Ep): the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 16916595; country of ref document: EP; kind code of ref document: A1.
Code NENP: non-entry into the national phase. Ref country code: DE.
Code 122 (Ep): PCT application non-entry in European phase. Ref document number: 16916595; country of ref document: EP; kind code of ref document: A1.