WO2019015618A1 - Communication tunnel endpoint address separation method, terminal, gateway and storage medium - Google Patents


Info

Publication number: WO2019015618A1
Application number: PCT/CN2018/096172
Authority: WO (WIPO, PCT)
Other languages: French (fr), Chinese (zh)
Inventor: 李道红
Original assignee and applicant: 中兴通讯股份有限公司 (ZTE Corporation)
Prior art keywords: terminal, request message, tunnel, ePDG, IPSec

Classifications

    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04L63/0428 Network security: confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L63/061 Key management in a packet data network: key exchange, e.g. in peer-to-peer networks
    • H04L63/0892 Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/06 Authentication
    • H04L63/0272 Virtual private networks
    • H04L63/164 Implementing security features at the network layer
    • H04W12/009 Security arrangements specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W12/0471 Key exchange (key management without using a trusted network node as an anchor)

Definitions

  • the present disclosure relates to the field of communications technologies, and in particular, to a communication tunnel endpoint address separation method, a terminal, a gateway, and a storage medium.
  • an untrusted non-3rd Generation Partnership Project (3GPP) access network can access the 3GPP Evolved Packet Core network through the network architecture described below.
  • IPSec Internet Protocol Security
  • in that architecture the two ends of the tunnel are the terminal and the ePDG (Evolved Packet Data Gateway), and on the terminal side the Internet Key Exchange (IKE) Security Association (SA) tunnel and the IPSec SA tunnel have the same endpoint address.
  • IKE Internet Key Exchange
  • SA Security Association
  • the IKE SA tunnel function and the IPSec SA tunnel function can be deployed on different virtual machines (VMs).
  • VMs virtual machines
  • in the existing scheme the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel must be the same on both the terminal side and the ePDG side, which prevents the IKE SA tunnel function and the IPSec SA tunnel function from being deployed on different VMs.
  • the present disclosure provides a communication tunnel endpoint address separation method comprising the following steps: when an evolved packet data gateway (ePDG) receives a first request message sent by a terminal, it establishes an Internet Key Exchange (IKE) Security Association (SA) tunnel according to the first request message, generates a first response message corresponding to the first request message, and returns the first response message to the terminal; the ePDG then receives a second request message sent by the terminal, establishes an Internet Protocol Security (IPSec) SA tunnel according to the second request message, generates a second response message corresponding to the second request message, and returns the second response message to the terminal to complete the establishment of the IPSec SA tunnel, where
  • the second request message carries a separation identifier, which indicates that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
  • the present disclosure further provides a communication tunnel endpoint address separation method on the terminal side, comprising the following steps: sending a first request message to an evolved packet data gateway (ePDG); receiving the first response message that the ePDG sends after establishing an Internet Key Exchange (IKE) Security Association (SA) tunnel according to the first request message; generating a second request message and sending it to the ePDG; and receiving the second response message that the ePDG sends after establishing an Internet Protocol Security (IPSec) SA tunnel according to the second request message, thereby completing the establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
  • the present disclosure also provides a terminal comprising a memory, a processor, and a communication tunnel endpoint address separation program stored on the memory and operable on the processor; when the program is executed by the processor, the following steps are implemented: sending a first request message to the evolved packet data gateway (ePDG), and receiving the first response message sent after the ePDG establishes an Internet Key Exchange (IKE) SA tunnel according to the first request message.
  • the present disclosure also provides an evolved packet data gateway (ePDG) comprising a memory, a processor, and a communication tunnel endpoint address separation program stored on the memory and operable on the processor; when executed, the program performs the following steps: when receiving the first request message sent by the terminal, establishing an Internet Key Exchange (IKE) SA tunnel according to the first request message, generating the first response message corresponding to the first request message, and returning the first response message to the terminal; and receiving a second request message sent by the terminal, establishing an Internet Protocol Security (IPSec) SA tunnel according to the second request message, generating a second response message corresponding to the second request message, and returning the second response message to the terminal to complete the establishment of the IPSec SA tunnel, where the second request message carries a separation identifier, and
  • the separation identifier indicates that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
  • the present disclosure also provides a computer readable storage medium storing a communication tunnel endpoint address separation program; when the program is executed by a processor, the following steps are performed: when receiving the first request message sent by the terminal, establishing an Internet Key Exchange (IKE) SA tunnel according to the first request message, generating the first response message corresponding to the first request message, and returning the first response message to the terminal; and receiving a second request message sent by the terminal, establishing an Internet Protocol Security (IPSec) SA tunnel according to the second request message, generating a second response message corresponding to the second request message, and returning the second response message to the terminal to complete the establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
  • FIG. 1 is a network architecture diagram of an untrusted non-3GPP access network according to an embodiment of the present disclosure.
  • FIG. 2 is a schematic flowchart of a method for separating a communication tunnel endpoint address according to an embodiment of the present disclosure.
  • FIG. 3 is a schematic diagram of implementing IKE SA tunnel and IPSec SA tunnel endpoint address separation on the ePDG side according to an embodiment of the present disclosure.
  • FIG. 4 is a schematic diagram of implementing IKE SA tunnel and IPSec SA tunnel endpoint address separation on the terminal side according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic diagram of implementing IKE SA tunnel and IPSec SA tunnel endpoint address separation on both the terminal side and the ePDG side according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic flowchart diagram of another communication tunnel endpoint address separation method according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic diagram of data interaction in implementing an IKE SA tunnel and an IPSec SA tunnel endpoint address separation process on an ePDG side according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic diagram of data interaction in an IKE SA tunnel and an IPSec SA tunnel endpoint address separation process performed on a terminal side according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic diagram of data interaction in an IKE SA tunnel and an IPSec SA tunnel endpoint address separation process performed on both the terminal side and the ePDG side according to an embodiment of the present disclosure.
  • here an untrusted non-3GPP access network refers to a Wireless Local Area Network (WLAN); through the WLAN the terminal can communicate with the Long Term Evolution (LTE) network and use its services, for example voice service.
  • WLAN Wireless Local Area Network
  • LTE Long Term Evolution
  • the network architecture shown in FIG. 1 mainly includes the following devices/network elements: user equipment (UE), evolved UMTS terrestrial radio access network (E-UTRAN), mobility management entity (MME), home subscriber server (HSS), serving gateway (Serving GW), packet data network gateway (PDN GW), policy and charging rules function (PCRF), wireless local area network (WLAN), 3GPP authentication, authorization and accounting server (3GPP AAA Server), evolved packet data gateway (ePDG), and IP multimedia subsystem (IMS).
  • the User Equipment can be understood as the terminal; the terminal can access a WLAN or an LTE network in order to use the services of the 3GPP Evolved Packet Core network.
  • E-UTRAN Evolved UMTS Terrestrial Radio Access Network
  • the Mobility Management Entity (MME) is a control plane functional entity, a server that temporarily stores user data and is responsible for managing and storing the terminal context (such as terminal/user identity, mobility management state, user security parameters, etc.).
  • the MME assigns the user a temporary identity and handles all non-access stratum (NAS) messages between the MME and the terminal.
  • the Home Subscriber Server (HSS) is used to permanently store user subscription data.
  • the Serving Gateway (Serving GW) is a user plane entity responsible for user plane data routing and for managing and storing the bearer context of the terminal, such as the IP (Internet Protocol) bearer service parameters and the network-internal routing information.
  • the Serving GW is the user plane anchor point inside the 3GPP system; a user has only one Serving GW at a time.
  • the Packet Data Network Gateway (PDN GW, also written PGW) is responsible for the terminal's access to the PDN (Packet Data Network) and allocates the user IP address; it is also the mobility anchor between 3GPP and non-3GPP access systems, and a user can access multiple PDN GWs at the same time.
  • PDN GW Packet Data Network Gateway
  • the Policy and Charging Rules Function (PCRF) generates QoS (Quality of Service) rules for controlling user data transmission according to the service information, the user subscription information and the operator's configuration information.
  • QoS Quality of Service
  • it also generates the charging rules, and this functional entity can further control the establishment and release of bearers in the access network.
  • the Wireless Local Area Network (WLAN) is the untrusted non-3GPP access network.
  • the 3GPP Authentication, Authorization and Accounting Server (3GPP AAA Server) is responsible for authenticating the terminal and checking its subscription.
  • the evolved Packet Data Gateway (ePDG) is the access gateway for interworking between untrusted non-3GPP networks (WLANs) and 3GPP networks.
  • a terminal accessing from the WLAN is authenticated, and its subscription checked, by the 3GPP AAA Server via the ePDG, and it reaches the PDN GW through the ePDG in order to use the resources of the LTE core network.
  • the IP Multimedia Subsystem (IMS) is a subsystem defined by 3GPP to support IP multimedia services.
  • its salient features are: it is a Session Initiation Protocol (SIP) based system; it is independent of the communication and access mode; it offers multiple multimedia services; and it separates control functions from bearers, calls from sessions, applications from services, and services from the network, while integrating mobile network and Internet services.
  • SIP Session Initiation Protocol
  • IKE_SA_INIT Internet Key Exchange_Security Association Initialization
  • IKE_AUTH Internet Key Exchange_Authentication
  • the present disclosure also provides an ePDG that includes a memory, a processor, and a communication tunnel endpoint address separation program stored on the memory and operable on the processor.
  • the memory may be a high speed RAM memory or a non-volatile memory such as a disk memory.
  • the memory may also be a storage device that is separate from the aforementioned processor.
  • the processor may be configured to invoke the communication tunnel endpoint address separation program stored in the memory to perform the following steps: when receiving the first request message sent by the terminal, establishing an Internet Key Exchange (IKE) Security Association (SA) tunnel according to the first request message, generating a first response message corresponding to the first request message, and returning the first response message to the terminal; and receiving a second request message sent by the terminal, establishing an Internet Protocol Security (IPSec) SA tunnel according to the second request message, generating a second response message corresponding to the second request message, and returning the second response message to the terminal to complete the establishment of the IPSec SA tunnel, where the second request message carries a separation identifier, which indicates that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
  • the second request message carries an IPSec SA tunnel endpoint address of the terminal.
  • the second response message carries an IPSec SA tunnel endpoint address of the ePDG.
  • the step of returning the first response message to the terminal includes the following steps: when receiving the first request message sent by the terminal, negotiating key parameters with the terminal according to the first request message and exchanging a random number and a Diffie-Hellman value with the terminal to establish the IKE SA tunnel; and generating the first response message on the basis of the key parameters and the exchanged random number and Diffie-Hellman value, and sending the first response message to the terminal.
  • the step of returning the second response message to the terminal to complete the establishment of the IPSec SA tunnel includes the following steps: when receiving the second request message that the terminal has encrypted with the encryption algorithm corresponding to the negotiated key parameters, decrypting the encrypted second request message with the decryption algorithm corresponding to that encryption algorithm to obtain the plaintext of the second request message, and sending the plaintext to the authentication, authorization and accounting (AAA) server; receiving from the AAA server the authentication result it obtained by authenticating the terminal on the basis of the plaintext; generating a second response message according to the authentication result; encrypting the second response message; and returning the encrypted second response message to the terminal.
  • the processor may further be configured to invoke the communication tunnel endpoint address separation program stored in the memory to perform the following steps: when receiving encrypted Internet Protocol security (IPSec) data sent by the terminal, decrypting it and forwarding the decrypted data to the packet data network gateway (PGW); and receiving the response data that the PGW sends in reply to that data, and transmitting the response data to the terminal, so that data interaction between the terminal and the PGW is implemented.
  • the step of returning the first response message to the terminal includes the following steps: when receiving the first request message that the terminal sends with its local Internet Protocol (IP) address as the source address, establishing an IKE SA tunnel according to the first request message and generating the first response message corresponding to it; and sending the first response message to the terminal's local IP address using the ePDG-side IKE SA tunnel endpoint address as the source address.
  • after the ePDG has received the first request message, established the IKE SA tunnel and generated the first response message, the processor may further be configured to invoke the communication tunnel endpoint address separation program stored in the memory to perform the following steps: when receiving a request message for creating a child security association (a CREATE_CHILD_SA request) sent by the terminal, creating the child security association according to that request message and returning a response message for creating a child security association to the terminal.
  • the above structure can be utilized to implement the communication tunnel endpoint address separation method.
  • FIG. 2 is a schematic flowchart of a method for separating a communication tunnel endpoint address according to an embodiment of the present disclosure.
  • the communication tunnel endpoint address separation method includes the following steps S10-S40.
  • step S10: when the evolved packet data gateway (ePDG) receives the first request message sent by the terminal, it establishes an Internet Key Exchange (IKE) SA tunnel according to the first request message, generates the first response message corresponding to the first request message, and returns the first response message to the terminal.
  • the present disclosure is applicable to a scenario in which an IKE version 2 (IKEv2) protocol establishes an IPSec tunnel.
  • IKEv2 IKE version 2
  • the IKE SA tunnel protects the IKE signaling packets between the terminal and the ePDG; it is the SA that belongs to the control plane.
  • the IPSec SA tunnel protects the data packets between the terminal and the ePDG.
  • the terminal acts as the initiator of the IKEv2 mechanism,
  • and the ePDG acts as the responder of the IKEv2 mechanism.
  • the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel may be separated on the ePDG side only, on the terminal side only, or on both the ePDG side and the terminal side; see FIG. 3, FIG. 4 and FIG. 5 respectively.
  • FIG. 3 is a schematic diagram of implementing IKE SA tunnel and IPSec SA tunnel endpoint address separation on the ePDG side according to an embodiment of the present disclosure,
  • FIG. 4 is a schematic diagram of implementing IKE SA tunnel and IPSec SA tunnel endpoint address separation on the terminal side according to an embodiment of the present disclosure, and
  • FIG. 5 is a schematic diagram of implementing IKE SA tunnel and IPSec SA tunnel endpoint address separation on both the terminal side and the ePDG side according to an embodiment of the present disclosure.
  • the terminal sends a first request message to the ePDG, where the first request message is an Internet Key Exchange_Security Association_Initialization Request message (IKE_SA_INIT).
  • the terminal may request to negotiate key parameters with the ePDG, exchange temporary random numbers, and exchange Diffie-Hellman values through the first request message.
  • the temporary random number of the terminal is carried in the terminal's nonce payload.
  • the terminal may offer several cryptographic algorithms for the ePDG to select from.
  • the key algorithm includes, but is not limited to, Data Encryption Standard (DES) and Advanced Encryption Standard (AES).
  • DES may include multiple key lengths
  • AES has more than one encryption form.
  • the Diffie-Hellman algorithm is a key exchange algorithm that lets two parties establish a shared key across an insecure network, and it is an integral part of the OAKLEY key determination protocol.
  • the Internet Key Exchange Security Association (IKE SA) tunnel is established according to the first request message. Specifically, once the ePDG has negotiated the key parameters with the terminal and completed the exchange of temporary random numbers and Diffie-Hellman values, the IKE SA tunnel is successfully established. The ePDG then generates the first response message corresponding to the first request message and returns it to the terminal, so that the terminal sends the second request message to the ePDG after receiving the first response message.
  • IKE SA Internet Key Exchange_Security Association
  • the second request message carries a separation identifier, which indicates that the control plane address and the user plane address of the ePDG are separated, that is, that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel on the ePDG side.
  • the second request message is an Internet Key Exchange_Authentication Request message (IKE_AUTH), and the separation identifier is a Control Plane/User Plane Separation Support (CU_SEPARATE_SUPPORT) Notify payload.
  • the second request message may also carry a terminal identifier and an Access Point Name (APN) information.
  • APN Access Point Name
  • step S10 includes the following steps a-b.
  • step a: when the ePDG receives the first request message that the terminal sends with its local IP address as the source address, the ePDG establishes an IKE SA tunnel according to the first request message and generates the first response message corresponding to the first request message.
  • step b the ePDG sends the first response message to the local IP address of the terminal by using the IKE SA tunnel endpoint address of the ePDG side as the source address.
  • the terminal sends an IKE_SA_INIT negotiation request, with its local IP address as the source address, to the ePDG-side endpoint address of the IKE SA tunnel (SWu IKE IP) in order to negotiate key parameters with the ePDG, and sends its temporary random number and Diffie-Hellman value to the ePDG.
  • when the ePDG receives the IKE_SA_INIT negotiation request together with the terminal's temporary random number and Diffie-Hellman value, it negotiates the key parameters according to that request, exchanges its own temporary random number for the terminal's, and exchanges its own Diffie-Hellman value for the terminal's, thereby establishing the IKE SA tunnel.
  • the ePDG generates an IKE_SA_INIT negotiation response message, that is, the first response message, according to the negotiated key parameters, its own temporary random number and its own Diffie-Hellman value, and sends the first response message to the terminal's local IP address using its SWu IKE IP as the source address.
  • the IKE signaling packet transmitted by the terminal and the ePDG is protected by the IKE SA.
  • in another embodiment, step S10 includes the following steps c and d.
  • step c: when the ePDG receives the first request message sent by the terminal, it negotiates key parameters with the terminal according to the first request message and exchanges a random number and a Diffie-Hellman value with the terminal to establish the IKE SA tunnel.
  • step d: the ePDG generates the first response message according to the key parameters and the exchanged random number and Diffie-Hellman value, and sends the first response message to the terminal.
  • when receiving the first request message sent by the terminal, the ePDG negotiates key parameters with the terminal according to the first request message, and exchanges a random number and a Diffie-Hellman value with the terminal to establish the IKE SA tunnel.
  • the ePDG generates a first response message according to the negotiated key parameter and the exchanged random number and the Diffie-Hellman value, and sends the first response message to the terminal.
  • after receiving the first response message, the terminal generates a second request message and obtains the encryption algorithm corresponding to the key parameters in the first response message.
  • the terminal encrypts the second request message by using the encryption algorithm to obtain the encrypted second request message, and sends the encrypted second request message to the ePDG.
  • the encryption algorithm for the terminal to encrypt the second request message is an encryption algorithm negotiated between the ePDG and the terminal during the establishment of the IKE SA tunnel.
  • step S20: the ePDG receives the second request message sent by the terminal, establishes an Internet Protocol Security (IPSec) SA tunnel according to the second request message, generates the second response message corresponding to the second request message, and returns the second response message to the terminal to complete the establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
  • step S20 further comprises the following steps e and f.
  • step e: when the ePDG receives the second request message that the terminal has encrypted with the encryption algorithm corresponding to the key parameters, the ePDG decrypts the encrypted second request message with the decryption algorithm corresponding to that encryption algorithm to obtain the plaintext of the second request message, and sends the plaintext to the authentication, authorization and accounting (AAA) server.
  • step f: the ePDG receives the authentication result that the AAA server obtained by authenticating the terminal on the basis of the plaintext, generates the second response message according to the authentication result, encrypts the second response message, and returns the encrypted second response message to the terminal.
  • the ePDG decrypts the encrypted second request message with the decryption algorithm negotiated with the terminal, that is, the decryption algorithm corresponding to the encryption algorithm the terminal used to encrypt the second request message, and so obtains the plaintext of the second request message. In other words, the terminal's encryption of the second request message and the ePDG's decryption of it use the same negotiated algorithm.
  • the plaintext is sent to the authentication, authorization and accounting server (AAA Server), so that the AAA Server authenticates and authorizes the terminal on the basis of the plaintext, obtains the authentication result, and returns the authentication result to the ePDG.
  • the authentication of the terminal may use a pre-shared key (PSK), public key infrastructure (PKI) based RSA, or an Extensible Authentication Protocol (EAP) method.
  • PSK pre-shared key
  • PK3 RSA public key infrustructure
  • EPA Extensible Authentication Protocol
  • the EPA algorithm can be used for the authentication of the terminal.
  • the ePDG After receiving the authentication result sent by the AAA server, the ePDG generates a second response message according to the authentication result, and encrypts the second response message by using an encryption algorithm negotiated with the terminal to obtain the encrypted second response, and the encrypted second response.
  • the second response message is returned to the terminal.
  • the ePDG identifier and the authentication payload may be carried.
  • the second response message carries an IPSec SA tunnel endpoint address of the ePDG.
  • When the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel are separated on the ePDG side, the terminal sends the first request message and the second request message to the control plane of the ePDG, and the control plane of the ePDG returns the corresponding first response message and second response message.
  • The second response message further carries the IPSec SA tunnel endpoint address of the ePDG, that is, the second response message carries the IPSec SA addresses (responder) notify payload (IPSEC_SA_ADDRESSES_R Notify payload).
  • IPSEC_SA_ADDRESSES_R Notify payload: the IPSec SA addresses (responder) notification payload
  • The second request message carries the IPSec SA tunnel endpoint address of the terminal.
  • The control plane of the terminal sends the first request message and the second request message to the ePDG, and the ePDG returns the corresponding first response message and second response message.
  • The second request message carries the IPSec SA tunnel endpoint address of the terminal (UE SWu IPSec IP), that is, the second request message carries the IPSec SA addresses (initiator) notify payload (IPSEC_SA_ADDRESSES_I Notify payload), and the IPSEC_SA_ADDRESSES_I Notify payload contains the IPSec SA tunnel endpoint address of the terminal. If the second request message does not carry the IPSEC_SA_ADDRESSES_I Notify payload, the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel on the terminal side are the same.
  • The first request message and the second request message are sent by the terminal control plane to the ePDG control plane, and the corresponding first response message and second response message are returned by the ePDG control plane to the terminal control plane.
  • The second request message carries the IPSEC_SA_ADDRESSES_I Notify payload.
  • The second response message carries the IPSEC_SA_ADDRESSES_R Notify payload.
  • Different message types may be defined for the notify payloads CU_SEPARATE_SUPPORT, IPSEC_SA_ADDRESSES_R and IPSEC_SA_ADDRESSES_I, and the payload data of IPSEC_SA_ADDRESSES_R and IPSEC_SA_ADDRESSES_I may be an Internet Protocol version 4 (IPv4) address or an Internet Protocol version 6 (IPv6) address.
  • IPv4: Internet Protocol version 4
  • IPv6: Internet Protocol version 6
  • When the ePDG receives the first request message sent by the terminal, it establishes an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generates a first response message corresponding to the first request message, and returns the first response message to the terminal; the ePDG then receives a second request message sent by the terminal, establishes an Internet Protocol security (IPSec) SA tunnel with the terminal according to the second request message, generates a second response message corresponding to the second request message, and returns the second response message to the terminal to complete establishment of the IPSec SA tunnel. The second request message carries a separation identifier.
  • The separation identifier indicates that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
  • The endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel are separated on the terminal side and/or the ePDG side, so that the IKE SA tunnel function and the IPSec SA tunnel function can be deployed on different virtual machines, which improves the data processing efficiency of the IPSec SA tunnel user plane.
  • The present disclosure also provides another embodiment of the communication tunnel endpoint address separation method.
  • This embodiment differs from the above embodiments in that it further includes the following steps S30-S40 (see FIG. 6).
  • Step S30: when the ePDG receives encrypted Internet Protocol security data sent by the terminal, it decrypts the Internet Protocol security data and transmits the decrypted Internet Protocol security data to the packet data network gateway (PGW).
  • PGW: packet data network gateway
  • Step S40: the ePDG receives the response data sent by the PGW in response to the Internet Protocol security data and sends the response data to the terminal, implementing data interaction between the terminal and the PGW.
  • After the IPSec SA tunnel is established, the terminal encrypts the Internet Protocol security data and sends the encrypted Internet Protocol security data to the ePDG.
  • The ePDG decrypts the encrypted Internet Protocol security data to obtain the decrypted Internet Protocol security data and transmits it to the PGW through the S2b interface.
  • After receiving the Internet Protocol security data, the PGW obtains response data in response to it and transmits the response data to the ePDG through the S2b interface.
  • When the ePDG receives the response data returned by the PGW, it encrypts the response data to obtain the encrypted response data and sends the encrypted response data to the terminal, implementing data interaction between the terminal and the PGW.
  • The encryption algorithm with which the terminal encrypts the Internet Protocol security data, the decryption algorithm with which the ePDG decrypts the Internet Protocol security data, and the encryption algorithm for encrypting the response data are all negotiated between the terminal and the ePDG.
  • FIG. 7 is a schematic diagram of data interaction when the IKE SA tunnel and IPSec SA tunnel endpoint addresses are separated on the ePDG side, according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic diagram of data interaction when the IKE SA tunnel and IPSec SA tunnel endpoint addresses are separated on the terminal side, according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic diagram of data interaction when the IKE SA tunnel and IPSec SA tunnel endpoint addresses are separated on both the terminal side and the ePDG side, according to an embodiment of the present disclosure.
  • In these figures the encryption and decryption function of the ePDG is shown separately as one component (the encryption and decryption component); in other embodiments the encryption and decryption function of the ePDG may be combined with the ePDG control plane function or the ePDG user plane function.
  • After the IKE SA tunnel and IPSec SA tunnel endpoint addresses are separated on the terminal side and/or the ePDG side, the terminal performs data interaction with the ePDG through the separated endpoint addresses, improving data interaction efficiency between the terminal and the PGW.
  • The present disclosure also provides yet another embodiment of the communication tunnel endpoint address separation method.
  • This further embodiment differs from the foregoing embodiments in that it further comprises the following step g.
  • Step g: when the ePDG receives a request message for creating a child security association sent by the terminal, the ePDG creates a child security association according to that request message and returns a response message for creating a child security association to the terminal.
  • After the IKE SA tunnel is established, the terminal directly sends a request message for creating a child security association (CREATE_CHILD_SA) to the ePDG.
  • CREATE_CHILD_SA: request message for creating a child security association
  • Upon receiving the request message for creating a child security association sent by the terminal, the ePDG creates the child security association according to the request message, that is, creates a CHILD_SA, and after creating the CHILD_SA returns a response message for creating a child security association to the terminal.
  • The terminal control plane sends the request message for creating a child security association to the ePDG; when the IKE SA tunnel and IPSec SA tunnel endpoint addresses are separated on the ePDG side, the terminal sends the request message for creating a child security association to the ePDG control plane.
  • The terminal control plane sends the request message for creating a child security association to the ePDG control plane.
  • During key negotiation between the terminal and the ePDG, if the terminal needs to send a message or notify the ePDG of certain events, for example when the terminal finds that the first request message it sent to the ePDG contained an error, the terminal sends an information request message to the ePDG. Upon receiving the information request message, the ePDG responds to it and returns a corresponding information response message to the terminal. If the ePDG needs to send a message or notify the terminal of certain events, for example when the ePDG finds that the first response message it sent to the terminal contained an error, the ePDG sends an information request message to the terminal. The terminal receives the information request message, responds to it and returns a corresponding information response message to the ePDG.
  • The terminal control plane sends an information request message to the ePDG.
  • The terminal sends an information request message to the ePDG control plane.
  • The terminal control plane sends an information request message to the ePDG control plane.
  • By separating the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG, the user plane and the control plane of the terminal and/or the ePDG can be deployed in different virtual machines, improving data transmission efficiency between the terminal and the ePDG.
  • The present disclosure further provides a communication tunnel endpoint address separation method including the steps of: sending a first request message to an evolved packet data gateway (ePDG); when receiving the first response message sent by the ePDG after it establishes an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generating a second request message and sending the second request message to the ePDG; and receiving the second response message sent by the ePDG after it establishes an Internet Protocol security (IPSec) SA tunnel according to the second request message, to complete establishment of the IPSec SA tunnel. The second request message carries a separation identifier, which indicates that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
  • The second request message carries the IPSec SA tunnel endpoint address of the terminal.
  • The second response message carries the IPSec SA tunnel endpoint address of the ePDG.
  • After receiving the first response message sent by the ePDG, the terminal generates a second request message, encrypts the second request message with the encryption algorithm corresponding to the key parameters, and sends the encrypted second request message to the ePDG.
  • The present disclosure also provides a terminal including a memory, a processor, and a communication tunnel endpoint address separation program stored in the memory and executable on the processor. When executed by the processor, the program implements the following steps: sending a first request message to the evolved packet data gateway (ePDG); when receiving the first response message sent by the ePDG after it establishes an IKE SA tunnel according to the first request message, generating a second request message and sending the second request message to the ePDG; and receiving the second response message sent by the ePDG after it establishes an IPSec SA tunnel according to the second request message, to complete establishment of the IPSec SA tunnel. The second request message carries a separation identifier, which indicates that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
  • The present disclosure also provides a computer readable storage medium storing a communication tunnel endpoint address separation program which, when executed by a processor, implements the steps of the communication tunnel endpoint address separation method described above. The specific steps of each communication tunnel endpoint address separation method are not described again here.
  • The present disclosure also provides a communication tunnel endpoint address separation apparatus applied to an evolved packet data gateway (ePDG).
  • The communication tunnel endpoint address separation apparatus includes a first establishing module and a second establishing module.
  • The first establishing module is configured to: when receiving the first request message sent by the terminal, establish an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generate a first response message corresponding to the first request message, and return the first response message to the terminal.
  • The second establishing module is configured to: receive a second request message sent by the terminal, establish an Internet Protocol security (IPSec) SA tunnel according to the second request message, generate a second response message corresponding to the second request message, and return the second response message to the terminal to complete establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
  • The second request message carries the IPSec SA tunnel endpoint address of the terminal.
  • The second response message carries the IPSec SA tunnel endpoint address of the ePDG.
  • The first establishing module comprises a negotiating unit, an exchanging unit and a first generating unit.
  • The negotiating unit is configured to: when receiving the first request message sent by the terminal, negotiate key parameters with the terminal according to the first request message.
  • The exchanging unit is configured to exchange a random number and a Diffie-Hellman value with the terminal to establish the IKE SA tunnel.
  • The first generating unit is configured to generate a first response message according to the key parameters and the exchanged random number and Diffie-Hellman value, and send the first response message to the terminal.
  • The second establishing module comprises a decrypting unit, a sending unit, a second generating unit and an encrypting unit.
  • The decrypting unit is configured to: when receiving the second request message that the terminal encrypted with the key parameter corresponding to an encryption algorithm, decrypt the encrypted second request message with the decryption algorithm corresponding to that encryption algorithm to obtain the plaintext information of the second request message.
  • The sending unit is configured to send the plaintext information to the authentication, authorization and accounting (AAA) server.
  • The second generating unit is configured to receive the authentication result obtained by the AAA server authenticating the terminal according to the plaintext information, and generate a second response message according to the authentication result.
  • The encrypting unit is configured to encrypt the second response message and return the encrypted second response message to the terminal.
  • The communication tunnel endpoint address separation apparatus further includes a decryption module, a sending module and a receiving module.
  • The decryption module is configured to decrypt the encrypted Internet Protocol security data when it is received from the terminal.
  • The sending module is configured to send the decrypted Internet Protocol security data to the packet data network gateway (PGW).
  • The receiving module is configured to receive the response data sent by the PGW in response to the Internet Protocol security data.
  • The sending module is further configured to send the response data to the terminal to implement data interaction between the terminal and the PGW.
  • The first establishing module is further configured to: when receiving from the terminal a first request message that uses the terminal's local Internet Protocol (IP) address as its source address, establish the IKE SA tunnel according to the first request message, generate a first response message corresponding to the first request message, and send the first response message to the local IP address of the terminal using the IKE SA tunnel endpoint address of the ePDG side as the source address.
  • The communication tunnel endpoint address separation apparatus further includes a creating module.
  • The creating module is configured to: when receiving a request message for creating a child security association sent by the terminal, create a child security association according to that request message and return a response message for creating a child security association to the terminal.
  • The essential part of the technical solution of the present disclosure, or the part contributing to the prior art, can be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and comprising a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to perform the methods described in the various embodiments of the present disclosure.
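The following is an added example, not code from the patent or its applicant. It models the second request / second response exchange described above: the separation identifier and the IPSEC_SA_ADDRESSES_I / IPSEC_SA_ADDRESSES_R payloads are encoded in IKEv2 Notify format, the ePDG derives the terminal's IPSec SA endpoint (falling back to the IKE source address when IPSEC_SA_ADDRESSES_I is absent, as the text specifies), and the terminal derives the ePDG's IPSec SA endpoint in the same way, covering the ePDG-side, terminal-side and both-sides cases of FIG. 3-5 and both IPv4 and IPv6 data. The Notify message type numbers, the Peer class, the function names and the sample addresses are assumptions; the patent assigns no numbers, so values from the IKEv2 private-use status range are used. The final function is a defender's addition rather than part of the patent: once the two addresses are split, the ePDG should accept IKE only on the control-plane address and ESP only on the user-plane address from the endpoint it learned.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The patent names these notify payloads but assigns no message type numbers.
# The values below are ASSUMED: taken from the IKEv2 private-use status range
# (40960-65535, RFC 7296 section 3.10.1), not from any standard.
CU_SEPARATE_SUPPORT = 40960    # separation identifier
IPSEC_SA_ADDRESSES_I = 40961   # terminal's (initiator's) IPSec SA endpoint address
IPSEC_SA_ADDRESSES_R = 40962   # ePDG's (responder's) IPSec SA endpoint address

def encode_notify(msg_type: int, data: bytes = b"") -> bytes:
    """Notify payload body per RFC 7296 section 3.10: Protocol ID (0 = none),
    SPI Size (0), 2-byte Notify Message Type, then the notification data."""
    return struct.pack("!BBH", 0, 0, msg_type) + data

def decode_notify(body: bytes) -> Tuple[int, bytes]:
    """Inverse of encode_notify; skips any SPI that precedes the data."""
    if len(body) < 4:
        raise ValueError("truncated Notify payload")
    _proto, spi_size, msg_type = struct.unpack("!BBH", body[:4])
    return msg_type, body[4 + spi_size:]

def encode_address(addr: str) -> bytes:
    # 4 bytes for IPv4, 16 for IPv6: the two data formats the patent allows.
    return ipaddress.ip_address(addr).packed

def decode_address(data: bytes) -> str:
    if len(data) not in (4, 16):
        raise ValueError("IPSEC_SA_ADDRESSES data must be an IPv4 or IPv6 address")
    return str(ipaddress.ip_address(data))

@dataclass
class Peer:
    ike_addr: str                      # IKE SA tunnel endpoint (control plane)
    ipsec_addr: Optional[str] = None   # IPSec SA tunnel endpoint; None = same as IKE

    def separated(self) -> bool:
        return self.ipsec_addr is not None and self.ipsec_addr != self.ike_addr

def build_second_request(terminal: Peer) -> List[bytes]:
    """Terminal side: the second request always carries the separation identifier,
    and IPSEC_SA_ADDRESSES_I only when the terminal's own addresses are separated."""
    notifies = [encode_notify(CU_SEPARATE_SUPPORT)]
    if terminal.separated():
        notifies.append(encode_notify(IPSEC_SA_ADDRESSES_I, encode_address(terminal.ipsec_addr)))
    return notifies

def epdg_handle_second_request(epdg: Peer, terminal_ike_src: str,
                               notifies: List[bytes]) -> Tuple[str, List[bytes]]:
    """ePDG side: learn the terminal's IPSec endpoint and decide what to announce.
    Returns (terminal IPSec endpoint, notify payloads for the second response)."""
    parsed: Dict[int, bytes] = dict(decode_notify(n) for n in notifies)
    if CU_SEPARATE_SUPPORT not in parsed:
        # No separation support: keep single-address behaviour, announce nothing.
        return terminal_ike_src, []
    if IPSEC_SA_ADDRESSES_I in parsed:
        terminal_ipsec = decode_address(parsed[IPSEC_SA_ADDRESSES_I])
    else:
        terminal_ipsec = terminal_ike_src   # absent payload: same address on the terminal side
    response: List[bytes] = []
    if epdg.separated():
        response.append(encode_notify(IPSEC_SA_ADDRESSES_R, encode_address(epdg.ipsec_addr)))
    return terminal_ipsec, response

def terminal_handle_second_response(epdg_ike_src: str, notifies: List[bytes]) -> str:
    """Terminal side: the ePDG IPSec endpoint is IPSEC_SA_ADDRESSES_R if present,
    otherwise the address the IKE SA messages came from."""
    parsed = dict(decode_notify(n) for n in notifies)
    if IPSEC_SA_ADDRESSES_R in parsed:
        return decode_address(parsed[IPSEC_SA_ADDRESSES_R])
    return epdg_ike_src

def run_exchange(terminal: Peer, epdg: Peer) -> Tuple[str, str, str, str]:
    """Whole exchange; returns (terminal IKE, terminal IPSec, ePDG IKE, ePDG IPSec)."""
    request = build_second_request(terminal)
    terminal_ipsec, response = epdg_handle_second_request(epdg, terminal.ike_addr, request)
    epdg_ipsec = terminal_handle_second_response(epdg.ike_addr, response)
    return terminal.ike_addr, terminal_ipsec, epdg.ike_addr, epdg_ipsec

def epdg_accepts(epdg: Peer, terminal_ipsec: str, proto: str, src: str, dst: str) -> bool:
    """Binding the ePDG should enforce once the addresses are split: IKE only on the
    control-plane address, ESP only on the user-plane address and only from the
    terminal IPSec endpoint learned in the exchange."""
    if proto == "IKE":
        return dst == epdg.ike_addr
    if proto == "ESP":
        return dst == (epdg.ipsec_addr or epdg.ike_addr) and src == terminal_ipsec
    return False

if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges; FIG. 5 case (both sides separated).
    print(run_exchange(Peer("198.51.100.10", "198.51.100.11"), Peer("203.0.113.1", "203.0.113.2")))
```

With both sides separated the exchange yields one control-plane and one user-plane address per side; with a terminal that omits IPSEC_SA_ADDRESSES_I the ePDG keeps using the IKE source address for ESP, and a terminal that never sends CU_SEPARATE_SUPPORT gets the classic single-address behaviour with no IPSEC_SA_ADDRESSES_R announced.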

Abstract

Disclosed are a communication tunnel endpoint address separation method, a terminal, a gateway and a storage medium. The method comprises the following steps: an evolved packet data gateway (ePDG) establishing an Internet key exchange (IKE) security association (SA) tunnel according to a first request message sent by a terminal, generating a corresponding first response message and returning said first response message to the terminal; and the ePDG establishing an Internet protocol security (IPSec) SA tunnel according to a received second request message sent by the terminal, generating a corresponding second response message and returning said second response message to the terminal, so as to complete establishment of the IPSec SA tunnel, the second request message carrying a separation tag, the separation tag indicating that the terminal supports endpoint address separation of the ePDG IKE SA tunnel and the IPSec SA tunnel.

Description

Communication tunnel endpoint address separation method, terminal, gateway and storage medium

Technical field
The present disclosure relates to the field of communications technologies, and in particular to a communication tunnel endpoint address separation method, a terminal, a gateway and a storage medium.
Background
An untrusted non-3rd Generation Partnership Project (3GPP) access network can be connected to the network architecture of the 3GPP Evolved Packet Core. In this case the two endpoints of the Internet Protocol Security (IPSec) tunnel are the terminal and the ePDG (Evolved Packet Data Gateway). On the terminal side, the Internet Key Exchange (IKE) security association (SA) tunnel and the IPSec SA tunnel have the same endpoint address, and on the ePDG side the IKE SA tunnel and the IPSec SA tunnel likewise have the same endpoint address. Thus, under the existing architecture, the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel must be the same on both the terminal side and the ePDG side.
In a virtualized environment, in order to optimize the performance of the control plane and the user plane, the IKE SA tunnel function and the IPSec SA tunnel function can be deployed on different virtual machines (VMs), each VM corresponding to one service address. However, because the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel currently must be the same on the terminal side and the ePDG side, the IKE SA tunnel function and the IPSec SA tunnel function cannot be deployed on different VMs.
Summary of the invention
The present disclosure provides a communication tunnel endpoint address separation method, including the following steps: when an evolved packet data gateway (ePDG) receives a first request message sent by a terminal, establishing an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generating a first response message corresponding to the first request message, and returning the first response message to the terminal; and the ePDG receiving a second request message sent by the terminal, establishing an Internet Protocol security (IPSec) SA tunnel according to the second request message, generating a second response message corresponding to the second request message, and returning the second response message to the terminal to complete establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
The present disclosure further provides a communication tunnel endpoint address separation method, including the following steps: sending a first request message to an evolved packet data gateway (ePDG); when receiving the first response message sent by the ePDG after it establishes an IKE SA tunnel according to the first request message, generating a second request message and sending the second request message to the ePDG; and receiving the second response message sent by the ePDG after it establishes an IPSec SA tunnel according to the second request message, to complete establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
The present disclosure also provides a terminal including a memory, a processor, and a communication tunnel endpoint address separation program stored in the memory and executable on the processor. When executed by the processor, the program implements the following steps: sending a first request message to an evolved packet data gateway (ePDG); when receiving the first response message sent by the ePDG after it establishes an IKE SA tunnel according to the first request message, generating a second request message and sending the second request message to the ePDG; and receiving the second response message sent by the ePDG after it establishes an IPSec SA tunnel according to the second request message, to complete establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
The present disclosure also provides an evolved packet data gateway (ePDG) including a memory, a processor, and a communication tunnel endpoint address separation program stored in the memory and executable on the processor. When executed by the processor, the program implements the following steps: when a first request message sent by a terminal is received, establishing an IKE SA tunnel according to the first request message, generating a first response message corresponding to the first request message, and returning the first response message to the terminal; and receiving a second request message sent by the terminal, establishing an IPSec SA tunnel according to the second request message, generating a second response message corresponding to the second request message, and returning the second response message to the terminal to complete establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
The present disclosure also provides a computer readable storage medium storing a communication tunnel endpoint address separation program. When executed by a processor, the program implements the following steps: when a first request message sent by a terminal is received, establishing an IKE SA tunnel according to the first request message, generating a first response message corresponding to the first request message, and returning the first response message to the terminal; receiving a second request message sent by the terminal, establishing an IPSec SA tunnel according to the second request message, generating a second response message corresponding to the second request message, and returning the second response message to the terminal to complete establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
DESCRIPTION OF THE DRAWINGS
FIG. 1 is a network architecture of an untrusted non-3GPP access network according to an embodiment of the present disclosure.
FIG. 2 is a schematic flowchart of a communication tunnel endpoint address separation method according to an embodiment of the present disclosure.
FIG. 3 is a schematic diagram of IKE SA tunnel and IPSec SA tunnel endpoint address separation implemented on the ePDG side according to an embodiment of the present disclosure.
FIG. 4 is a schematic diagram of IKE SA tunnel and IPSec SA tunnel endpoint address separation implemented on the terminal side according to an embodiment of the present disclosure.
FIG. 5 is a schematic diagram of IKE SA tunnel and IPSec SA tunnel endpoint address separation implemented on both the terminal side and the ePDG side according to an embodiment of the present disclosure.
FIG. 6 is a schematic flowchart of another communication tunnel endpoint address separation method according to an embodiment of the present disclosure.
FIG. 7 is a schematic diagram of the data interaction during IKE SA tunnel and IPSec SA tunnel endpoint address separation on the ePDG side according to an embodiment of the present disclosure.
FIG. 8 is a schematic diagram of the data interaction during IKE SA tunnel and IPSec SA tunnel endpoint address separation on the terminal side according to an embodiment of the present disclosure.
FIG. 9 is a schematic diagram of the data interaction during IKE SA tunnel and IPSec SA tunnel endpoint address separation on both the terminal side and the ePDG side according to an embodiment of the present disclosure.
The implementation of the objects, the functional features and the advantages of the present disclosure will be further described with reference to the embodiments and the accompanying drawings.
DETAILED DESCRIPTION
It should be understood that the specific embodiments described herein are merely illustrative of the present disclosure and are not intended to limit it.
FIG. 1 is a network architecture of an untrusted non-3GPP access network according to an embodiment of the present disclosure. As shown in FIG. 1, in this architecture the untrusted non-3GPP access network is a wireless local area network (WLAN); a terminal can interwork with a Long Term Evolution (LTE) network through the WLAN, for example to carry voice service.
The network architecture shown in FIG. 1 mainly includes the following devices/network elements: user equipment, evolved UMTS terrestrial radio access network, mobility management entity, home subscriber server, serving gateway, packet data network gateway, policy and charging rules function, wireless local area network, 3GPP authentication, authorization and accounting server, evolved packet data gateway, and IP multimedia subsystem.
The user equipment (UE) can be understood as a terminal; the terminal can access a WLAN or an LTE network in order to use the services of the 3GPP Evolved Packet Core (EPC).
The Evolved UMTS Terrestrial Radio Access Network (E-UTRAN) is the mobile radio access network of LTE.
The Mobility Management Entity (MME) is a control-plane functional entity, a server that temporarily stores user data. It manages and stores the terminal context (such as the terminal/user identity, mobility management state and user security parameters), allocates temporary identities to users, and handles all non-access stratum (NAS) messages between the MME and the terminal.
The Home Subscriber Server (HSS) permanently stores user subscription data.
The Serving Gateway (SGW) is a user-plane entity responsible for user-plane data routing; it manages and stores the bearer context of the terminal, such as IP (Internet Protocol) bearer service parameters and intra-network routing information. The Serving GW is the user-plane anchor inside the 3GPP system; a user has exactly one Serving GW at any given time.
The Packet Data Network Gateway (PDN GW, also written PGW) is responsible for terminal access to the PDN (Public Data Network) and allocates the user IP address; it is also the mobility anchor between 3GPP and non-3GPP access systems. A user can access multiple PDN GWs at the same time.
The Policy and Charging Rules Function (PCRF) generates the QoS (Quality of Service) rules and charging rules that control user data transfer, based on service information, user subscription information and operator configuration; this functional entity can also control the establishment and release of bearers in the access network.
The Wireless Local Area Network (WLAN) is an untrusted non-3GPP access network.
The 3GPP Authentication, Authorization and Accounting server (3GPP AAA Server) is responsible for authenticating the terminal and checking its subscription.
The evolved Packet Data Gateway (ePDG) is the access gateway through which an untrusted non-3GPP network (WLAN) interworks with the 3GPP network. A terminal accessing from the WLAN is authenticated and its subscription checked against the 3GPP AAA Server via the ePDG, and it accesses the PDN GW through the ePDG in order to use the resources of the LTE core network.
The IP Multimedia Subsystem (IMS) is the subsystem proposed by 3GPP to support IP multimedia services. Its salient features are: it uses the Session Initiation Protocol (SIP); communication is independent of the access method; and it separates control functions from bearer capabilities, calls from sessions, applications from services, and services from the network, and converges mobile-network and Internet services.
In an untrusted non-3GPP IP access network (WLAN), communication between the terminal and the EPC (Evolved Packet Core, the 4G core network) is untrusted and insecure. Secure communication between the terminal and the EPC is ensured by establishing an Internet Protocol Security (IPSec) tunnel between the terminal and the ePDG. Establishing the IPSec tunnel mainly comprises the following three phases.
1) The IKE_SA_INIT (Internet Key Exchange security association initialization) exchange. In this phase the security parameters of the IKE SA (Internet Key Exchange security association) are negotiated, nonces (temporary random numbers) are sent, and Diffie-Hellman values are sent.
2) The IKE_AUTH (Internet Key Exchange authentication) exchange. In this phase an SA (security association) is established for the first (and usually the only) CHILD_SA, which is the first IPSec SA (Internet Protocol Security security association).
3) The CREATE_CHILD_SA exchange. In this phase a further CHILD_SA is created.
The present disclosure also provides an ePDG that includes a memory, a processor, and a communication tunnel endpoint address separation program stored in the memory and executable on the processor. The memory may be a high-speed RAM or a non-volatile memory such as a disk. The memory may also be a storage device separate from the processor. The processor may be configured to invoke the communication tunnel endpoint address separation program stored in the memory to perform the following steps: when a first request message sent by a terminal is received, establishing an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generating a first response message corresponding to the first request message, and returning the first response message to the terminal; and receiving a second request message sent by the terminal, establishing an Internet Protocol Security (IPSec) SA tunnel according to the second request message, generating a second response message corresponding to the second request message, and returning the second response message to the terminal to complete establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
In an embodiment, the second request message carries the IPSec SA tunnel endpoint address of the terminal.
In an embodiment, the second response message carries the IPSec SA tunnel endpoint address of the ePDG.
In an embodiment, the step of establishing the IKE SA tunnel according to the first request message when the first request message sent by the terminal is received, generating the first response message corresponding to the first request message and returning the first response message to the terminal includes the following steps: when the first request message sent by the terminal is received, negotiating key parameters with the terminal according to the first request message and exchanging nonces and Diffie-Hellman values with the terminal, so as to establish the IKE SA tunnel; and generating the first response message from the key parameters and the exchanged nonces and Diffie-Hellman values, and sending the first response message to the terminal.
In an embodiment, the step of receiving the second request message sent by the terminal, establishing the IPSec SA tunnel according to the second request message, generating the second response message corresponding to the second request message and returning the second response message to the terminal to complete establishment of the IPSec SA tunnel includes the following steps: when the second request message, encrypted by the terminal with the encryption algorithm corresponding to the key parameters, is received, decrypting the encrypted second request message with the decryption algorithm corresponding to that encryption algorithm to obtain the plaintext information of the second request message, and sending the plaintext information to the authentication, authorization and accounting server; and receiving from the authentication, authorization and accounting server the authentication result obtained by authenticating the terminal on the basis of the plaintext information, generating the second response message according to the authentication result, encrypting the second response message, and returning the encrypted second response message to the terminal.
In an embodiment, after the step of receiving the second request message sent by the terminal, establishing the IPSec SA tunnel according to the second request message, generating the second response message corresponding to the second request message and returning the second response message to the terminal to complete establishment of the IPSec SA tunnel, the processor may further invoke the communication tunnel endpoint address separation program stored in the memory to perform the following steps: when encrypted Internet Protocol Security data sent by the terminal is received, decrypting the Internet Protocol Security data and sending the decrypted data to the packet data network gateway (PGW); and receiving the response data that the PGW sends in response to the Internet Protocol Security data, and sending the response data to the terminal, so as to realise data interaction between the terminal and the PGW.
In an embodiment, the step of establishing the IKE SA tunnel according to the first request message when the first request message sent by the terminal is received, generating the first response message corresponding to the first request message and returning the first response message to the terminal includes the following steps: when the first request message, sent by the terminal using its local Internet Protocol (IP) address as the source address, is received, establishing the IKE SA tunnel according to the first request message and generating the first response message corresponding to the first request message; and sending the first response message to the local IP address of the terminal using the ePDG-side IKE SA tunnel endpoint address as the source address.
In an embodiment, after the step of establishing the IKE SA tunnel according to the first request message when the first request message sent by the terminal is received, generating the first response message corresponding to the first request message and returning the first response message to the terminal, the processor may further invoke the communication tunnel endpoint address separation program stored in the memory to perform the following step: when a request message for creating a child security association, sent by the terminal, is received, creating the child security association according to that request message and returning a response message for creating the child security association to the terminal.
The communication tunnel endpoint address separation method can be implemented with the above structure.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of a communication tunnel endpoint address separation method according to an embodiment of the present disclosure.
It should be noted that, although the flowchart shows an exemplary order of the communication tunnel endpoint address separation method, in some cases the steps shown or described may be performed in an order different from the one given here.
The communication tunnel endpoint address separation method includes the following steps S10 to S40.
At step S10, when the evolved packet data gateway (ePDG) receives a first request message sent by a terminal, it establishes an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generates a first response message corresponding to the first request message, and returns the first response message to the terminal.
The present disclosure is applicable to scenarios in which an IPSec tunnel is established with the IKE version 2 (IKEv2) protocol, for example establishing an IPSec tunnel between a terminal and an ePDG when the terminal accesses the EPC through an untrusted non-3GPP IP access network (WLAN). In such scenarios the IKE SA tunnel protects the IKE signalling messages between the terminal and the ePDG and is a control-plane SA, while the IPSec SA tunnel protects the data packets between the terminal and the ePDG and is a user-plane SA. In the embodiments of the present disclosure, the terminal acts as the initiator of the IKEv2 exchange and the ePDG as the responder.
In the embodiments of the present disclosure, endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel may be implemented on the ePDG side, on the terminal side, or on both the ePDG side and the terminal side. See FIG. 3, FIG. 4 and FIG. 5: FIG. 3 is a schematic diagram of IKE SA tunnel and IPSec SA tunnel endpoint address separation implemented on the ePDG side according to an embodiment of the present disclosure; FIG. 4 shows the same separation implemented on the terminal side; and FIG. 5 shows it implemented on both the terminal side and the ePDG side.
When the IKE SA tunnel is established before the IPSec SA tunnel, the terminal sends the first request message to the ePDG; the first request message is an IKE_SA_INIT (Internet Key Exchange security association initialization) request. Through the first request message the terminal requests to negotiate key parameters with the ePDG, to exchange nonces and to exchange Diffie-Hellman values. In this embodiment the terminal's nonce is its current time payload. (Note that RFC 7296 requires IKEv2 nonces to be freshly generated random values of at least 128 bits; a value derived from the current time alone is predictable and does not meet that requirement.) While negotiating key parameters through the first request message, the terminal offers key algorithms for the ePDG to choose from. The key algorithms include, but are not limited to, the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES); DES exists with several key lengths, and AES has more than one mode of operation. (DES is obsolete and should not be offered by current implementations.) The Diffie-Hellman algorithm is a key exchange algorithm that allows a shared key to be established securely across an insecure network; it is a component of the OAKLEY key determination protocol.
When the ePDG receives the first request message sent by the terminal, it establishes the IKE SA tunnel according to the first request message. Specifically, once the ePDG has negotiated the key parameters with the terminal and completed the exchange of nonces and Diffie-Hellman values, the IKE SA tunnel has been established. The ePDG then generates the first response message corresponding to the first request message and returns it to the terminal, so that the terminal, after receiving the first response message, sends the second request message to the ePDG. The second request message carries a separation identifier, which indicates that the terminal supports separation of the control-plane address and the user-plane address of the ePDG, that is, separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel on the ePDG side. The second request message is an IKE_AUTH (Internet Key Exchange authentication) request, and the separation identifier is a control-plane/user-plane separation support Notify payload (CU_SEPARATE_SUPPORT). The second request message may also carry the terminal identity and Access Point Name (APN) information.
In an embodiment, step S10 includes the following steps a and b.
At step a, when the ePDG receives the first request message, sent by the terminal using its local Internet Protocol (IP) address as the source address, the ePDG establishes the IKE SA tunnel according to the first request message and generates the first response message corresponding to the first request message.
At step b, the ePDG sends the first response message to the local IP address of the terminal using the ePDG-side IKE SA tunnel endpoint address as the source address.
Specifically, the terminal uses its local IP address (Local IP) as the source address to send the IKE_SA_INIT negotiation request to the endpoint address of the IKE SA tunnel on the ePDG side (the SWu IKE IP), requesting the ePDG to negotiate key parameters, and sends its nonce and Diffie-Hellman value to the ePDG. When the ePDG receives the IKE_SA_INIT negotiation request together with the terminal's nonce and Diffie-Hellman value, it negotiates the key parameters according to the request, exchanges its own nonce with the terminal's nonce and its own Diffie-Hellman value with the terminal's Diffie-Hellman value, and thereby establishes the IKE SA tunnel. The ePDG generates the IKE_SA_INIT response, i.e. the first response message, from the negotiated key parameters, its nonce and its Diffie-Hellman value, and sends the first response message to the terminal's Local IP using its SWu IKE IP as the source address. Note that once the IKE SA tunnel has been established, the IKE signalling messages subsequently exchanged between the terminal and the ePDG are protected by the IKE SA.
In an embodiment, step S10 includes the following steps c and d.
At step c, when the ePDG receives the first request message sent by the terminal, it negotiates key parameters with the terminal according to the first request message and exchanges nonces and Diffie-Hellman values with the terminal, so as to establish the IKE SA tunnel.
At step d, the ePDG generates the first response message from the key parameters and the exchanged nonces and Diffie-Hellman values, and sends the first response message to the terminal.
When the ePDG receives the first request message sent by the terminal, it negotiates the key parameters with the terminal according to the first request message and exchanges nonces and Diffie-Hellman values with the terminal to establish the IKE SA tunnel. The ePDG generates the first response message from the negotiated key parameters and the exchanged nonces and Diffie-Hellman values, and sends the first response message to the terminal. After receiving the first response message, the terminal generates the second request message and obtains the encryption algorithm corresponding to the key parameters in the first response message. The terminal encrypts the second request message with that encryption algorithm to obtain the encrypted second request message, and sends the encrypted second request message to the ePDG. Note that the algorithm with which the terminal encrypts the second request message is the encryption algorithm negotiated between the ePDG and the terminal while establishing the IKE SA tunnel.
At step S20, the ePDG receives the second request message sent by the terminal, establishes an Internet Protocol Security (IPSec) SA tunnel according to the second request message, generates a second response message corresponding to the second request message, and returns the second response message to the terminal to complete establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
In an embodiment, step S20 further includes the following steps e and f.
At step e, when the ePDG receives the second request message, encrypted by the terminal with the encryption algorithm corresponding to the key parameters, the ePDG decrypts the encrypted second request message with the decryption algorithm corresponding to that encryption algorithm to obtain the plaintext information of the second request message, and sends the plaintext information to the authentication, authorization and accounting server.
At step f, the ePDG receives from the authentication, authorization and accounting server the authentication result obtained by authenticating the terminal on the basis of the plaintext information, generates the second response message according to the authentication result, encrypts the second response message, and returns the encrypted second response message to the terminal.
Specifically, when the ePDG receives the encrypted second request message sent by the terminal, it decrypts the encrypted second request message with the decryption algorithm negotiated with the terminal, i.e. the decryption algorithm corresponding to the encryption algorithm with which the terminal encrypted the second request message, to obtain the plaintext information of the second request message. It will be understood that the algorithm with which the terminal encrypts the second request message and the algorithm with which the ePDG decrypts the encrypted second request message are the same (symmetric) algorithm.
After obtaining the plaintext information, the ePDG sends it to the authentication, authorization and accounting server (AAA Server), so that the AAA Server authenticates the terminal on the basis of the plaintext information, obtains the authentication result, and returns the authentication result to the ePDG. Specifically, the terminal may be authenticated with a pre-shared key (PSK), with public key infrastructure (PKI) RSA signatures, or with the Extensible Authentication Protocol (EAP). In the scenario where the EPC is accessed over WLAN, EAP is used to authenticate the terminal.
After receiving the authentication result sent by the AAA Server, the ePDG generates the second response message according to the authentication result, encrypts the second response message with the encryption algorithm negotiated with the terminal to obtain the encrypted second response message, and returns the encrypted second response message to the terminal. The second response message may carry the ePDG identity and the authentication (AUTH) payload.
In an embodiment, the second response message carries the IPSec SA tunnel endpoint address of the ePDG.
When endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel is implemented on the ePDG side, the terminal sends the first request message and the second request message to the control plane of the ePDG, and the control plane of the ePDG returns the corresponding first response message and second response message. In this case the second response message additionally carries the IPSec SA tunnel endpoint address of the ePDG, that is, it carries an IPSEC_SA_ADDRESSES_R (Internet Protocol Security, Security Association, Addresses, Responder) Notify payload, which informs the terminal of the ePDG user-plane address, i.e. the IPSec SA tunnel endpoint address on the ePDG side, so that the terminal can subsequently exchange data with the ePDG using the ePDG-side IPSec SA tunnel endpoint address.
In an embodiment, the second request message carries the IPSec SA tunnel endpoint address of the terminal.
When endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel is implemented on the terminal side, the control plane of the terminal sends the first request message and the second request message to the ePDG, and the ePDG returns the corresponding first response message and second response message. In this case the second request message carries the IPSec SA tunnel endpoint address of the terminal (UE SWu IPSec IP), that is, it carries an IPSEC_SA_ADDRESSES_I (Internet Protocol Security, Security Association, Addresses, Initiator) Notify payload, and that payload contains the terminal's IPSec SA tunnel endpoint address. If the second request message does not carry an IPSEC_SA_ADDRESSES_I Notify payload, the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel on the terminal side are the same.
In an embodiment, when endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel is implemented on both the terminal side and the ePDG side, the terminal control plane sends the first request message and the second request message to the ePDG control plane, and the ePDG control plane returns the corresponding first response message and second response message to the terminal control plane. In this case the second request message carries an IPSEC_SA_ADDRESSES_I Notify payload and the second response message carries an IPSEC_SA_ADDRESSES_R Notify payload.
In an embodiment, distinct Notify message types may be defined for the notification payloads CU_SEPARATE_SUPPORT, IPSEC_SA_ADDRESSES_R and IPSEC_SA_ADDRESSES_I used in this embodiment, and the notification data of IPSEC_SA_ADDRESSES_R and IPSEC_SA_ADDRESSES_I may be an Internet Protocol version 4 (IPv4) address or an Internet Protocol version 6 (IPv6) address.
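The following is an added example of how the three Notify payloads above would be put on the wire and consumed by the ePDG during the second exchange; it is not code from the patent or from any ePDG implementation. The payload layout is the standard IKEv2 Notify format from RFC 7296 section 3.10. The Notify Message Type values are assumptions (the patent names the payloads but assigns no numbers) and are placed in the IKEv2 private-use status range. The sample addresses are constructed. The parser bounds-checks every length field before slicing, which is the check a practitioner wants on anything parsed out of an IKE_AUTH request.

```python
"""IKEv2 Notify payloads for IKE SA / IPsec SA endpoint address separation.

Added example; not code from the patent or from any ePDG product.
Wire format follows RFC 7296 s3.10. The Notify Message Type numbers below
are ASSUMED and sit in the IKEv2 private-use status range 40960-65535.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

CU_SEPARATE_SUPPORT = 40960    # assumed value: "terminal supports separation"
IPSEC_SA_ADDRESSES_I = 40961   # assumed value: initiator (terminal) IPsec SA address
IPSEC_SA_ADDRESSES_R = 40962   # assumed value: responder (ePDG) IPsec SA address

PAYLOAD_NONE = 0               # RFC 7296 "No Next Payload"
PAYLOAD_NOTIFY = 41            # RFC 7296 Notify payload type
# Next Payload, Critical/Reserved, Payload Length, Protocol ID, SPI Size, Notify Message Type
NOTIFY_HDR = struct.Struct("!BBHBBH")


def build_notify(msg_type: int, data: bytes = b"", next_payload: int = PAYLOAD_NONE) -> bytes:
    """Encode one status Notify payload (Protocol ID 0, SPI Size 0) carrying `data`."""
    return NOTIFY_HDR.pack(next_payload, 0, NOTIFY_HDR.size + len(data), 0, 0, msg_type) + data


def build_address_notify(msg_type: int, addr: str, next_payload: int = PAYLOAD_NONE) -> bytes:
    """IPSEC_SA_ADDRESSES_I/_R: the notification data is the packed IPv4 or IPv6 address."""
    return build_notify(msg_type, ipaddress.ip_address(addr).packed, next_payload)


def parse_notify_chain(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk a chain of Notify payloads and return (msg_type, notification_data) pairs.

    Every length is checked against the buffer before a slice is taken, so a
    malformed payload raises instead of reading past the end or looping forever."""
    out: List[Tuple[int, bytes]] = []
    off = 0
    while off < len(buf):
        if off + NOTIFY_HDR.size > len(buf):
            raise ValueError("truncated Notify header")
        nxt, _crit, length, _proto, spi_size, msg_type = NOTIFY_HDR.unpack_from(buf, off)
        if length < NOTIFY_HDR.size + spi_size or off + length > len(buf):
            raise ValueError("bad Notify payload length")
        out.append((msg_type, buf[off + NOTIFY_HDR.size + spi_size: off + length]))
        off += length
        if nxt == PAYLOAD_NONE:
            break
        if nxt != PAYLOAD_NOTIFY:
            raise ValueError("only Notify payloads are expected in this chain")
    if off != len(buf):
        raise ValueError("trailing bytes after the last payload")
    return out


def address_from_notify(data: bytes) -> str:
    """IPSEC_SA_ADDRESSES_* data must be exactly an IPv4 (4 bytes) or IPv6 (16 bytes) address."""
    if len(data) not in (4, 16):
        raise ValueError("IPSEC_SA_ADDRESSES data must be 4 or 16 bytes")
    return str(ipaddress.ip_address(data))


def epdg_handle_ike_auth(request_notifies: bytes,
                         epdg_user_plane_addr: Optional[str]) -> Tuple[bool, Optional[str], bytes]:
    """ePDG side of the second exchange, after the request has been decrypted.

    Returns (terminal_supports_separation, terminal_ipsec_addr, notify_bytes_for_response).
    terminal_ipsec_addr is None when no IPSEC_SA_ADDRESSES_I was present, meaning the
    terminal's IPsec SA endpoint is the same address it used for the IKE SA."""
    supported = False
    ue_ipsec_addr: Optional[str] = None
    for msg_type, data in parse_notify_chain(request_notifies):
        if msg_type == CU_SEPARATE_SUPPORT:
            supported = True
        elif msg_type == IPSEC_SA_ADDRESSES_I:
            ue_ipsec_addr = address_from_notify(data)
    response = b""
    # Announce a separate ePDG user-plane address only to a terminal that sent the
    # separation identifier; otherwise the ePDG IKE SA address serves both planes.
    if supported and epdg_user_plane_addr is not None:
        response = build_address_notify(IPSEC_SA_ADDRESSES_R, epdg_user_plane_addr)
    return supported, ue_ipsec_addr, response
```

The Notify payloads travel inside the encrypted and integrity-protected part of the second exchange, so the addresses are bound to the authenticated IKE SA; the parser still treats the length fields as untrusted because they are decoded before the ePDG has decided whether the terminal is legitimate.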
According to the above embodiments, when the ePDG receives a first request message from the terminal, it establishes an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generates a first response message corresponding to the first request message, and returns the first response message to the terminal; the ePDG then receives a second request message from the terminal, establishes an Internet Protocol Security (IPSec) SA tunnel with the terminal according to the second request message, generates a second response message corresponding to the second request message, and returns the second response message to the terminal to complete establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel of the ePDG. In this way, endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel is implemented on the terminal side and/or the ePDG side, so that the IKE SA tunnel function and the IPSec SA tunnel function can be deployed on different virtual machines, improving the data processing efficiency of the IPSec SA tunnel user plane.
The present disclosure further provides another embodiment of the communication tunnel endpoint address separation method.
This embodiment of the communication tunnel endpoint address separation method differs from the embodiments above in that it further includes the following steps S30 and S40 (see FIG. 6).
At step S30, when the ePDG receives encrypted Internet Protocol Security data from the terminal, it decrypts the Internet Protocol Security data and sends the decrypted data to the packet data network gateway (PGW).
At step S40, the ePDG receives the response data sent by the PGW in response to the Internet Protocol Security data and sends the response data to the terminal, thereby implementing data exchange between the terminal and the PGW.
After the IPSec SA tunnel is established, the terminal encrypts Internet Protocol Security data and sends the encrypted data to the ePDG. On receiving the encrypted Internet Protocol Security data from the terminal, the ePDG decrypts it to obtain the decrypted data and forwards the decrypted data to the PGW over the S2b interface. After receiving the data, the PGW produces response data in reply and sends it to the ePDG over the S2b interface. When the ePDG receives the response data from the PGW, it encrypts the response data and sends the encrypted response data to the terminal, thereby implementing data exchange between the terminal and the PGW. Note that the algorithm with which the terminal encrypts the Internet Protocol Security data, the algorithm with which the ePDG decrypts it, and the algorithm used to encrypt the response data were all negotiated beforehand between the terminal and the ePDG.
When endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel is implemented on the ePDG side, the terminal sends the Internet Protocol Security data to the ePDG user plane. Specifically, the terminal sends the data to the ePDG user plane at the ePDG user-plane IPSec SA tunnel endpoint address carried in the IPSEC_SA_ADDRESSES_R Notify payload, and the ePDG user plane then exchanges data with the PGW. The detailed process is shown in FIG. 7, a schematic diagram of the data exchange when IKE SA tunnel and IPSec SA tunnel endpoint address separation is implemented on the ePDG side, according to an embodiment of the present disclosure.
When endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel is implemented on the terminal side, the terminal user plane sends the Internet Protocol Security data to the ePDG. Specifically, the terminal sends the data to the ePDG from the terminal user-plane IPSec SA tunnel endpoint address carried in the IPSEC_SA_ADDRESSES_I Notify payload, and the ePDG then exchanges data with the PGW. The detailed process is shown in FIG. 8, a schematic diagram of the data exchange when IKE SA tunnel and IPSec SA tunnel endpoint address separation is implemented on the terminal side, according to an embodiment of the present disclosure.
When the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel are separated on both the terminal side and the ePDG side, the terminal user plane sends the Internet Protocol Security data to the ePDG user plane. Specifically, the terminal user plane sends the data from the terminal user-plane IPSec SA tunnel endpoint address carried in the IPSEC_SA_ADDRESSES_I Notify payload, determines the ePDG user plane from the ePDG user-plane IPSec SA tunnel endpoint address carried in the IPSEC_SA_ADDRESSES_R Notify payload, and sends the data to that address; the ePDG user plane then exchanges data with the PGW. The detailed process is shown in FIG. 9, a schematic diagram of the data exchange when IKE SA tunnel and IPSec SA tunnel endpoint address separation is implemented on both the terminal side and the ePDG side, according to an embodiment of the present disclosure.
Note that in this embodiment the encryption and decryption function of the ePDG is described as a separate component (an encryption/decryption component); in other embodiments the encryption and decryption function of the ePDG may be combined with the ePDG control-plane function or with the ePDG user-plane function.
In this embodiment, after endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel is implemented on the terminal side and/or the ePDG side, the terminal exchanges data with the ePDG through the separated endpoint addresses, improving the efficiency of data exchange between the terminal and the PGW.
The present disclosure further provides yet another embodiment of the communication tunnel endpoint address separation method.
This embodiment of the communication tunnel endpoint address separation method differs from the foregoing embodiments in that it further includes the following step g.
At step g, when the ePDG receives a request message from the terminal to create a child security association, the ePDG creates the child security association according to that request message and returns a create-child-security-association response message to the terminal.
After the IKE SA tunnel is established, if further IKE signalling is required, the terminal sends a create-child-security-association (CREATE_CHILD_SA) request message directly to the ePDG. On receiving the request message from the terminal, the ePDG creates the child security association according to it, that is, creates a CHILD_SA, and after the CHILD_SA has been created returns a create-child-security-association response message to the terminal.
Specifically, when endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel is implemented on the terminal side, the terminal control plane sends the create-child-security-association request message to the ePDG; when it is implemented on the ePDG side, the terminal sends the request message to the ePDG control plane; and when it is implemented on both the terminal side and the ePDG side, the terminal control plane sends the request message to the ePDG control plane.
In an embodiment, after the IKE SA tunnel is established, during key negotiation between the terminal and the ePDG, if the terminal needs to send a message to the ePDG or to notify it of certain events, for example when the terminal finds that the first request message it sent to the ePDG contained an error, the terminal sends an information request message to the ePDG. On receiving the information request message, the ePDG responds to it and returns the corresponding information response message to the terminal. If the ePDG needs to send a message to the terminal or to notify it of certain events, for example when the ePDG finds that the first response message it sent to the terminal contained an error, the ePDG sends an information request message to the terminal. The terminal receives the information request message, responds to it, and returns the corresponding information response message to the ePDG.
Specifically, when endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel is implemented on the terminal side, the terminal control plane sends the information request message to the ePDG; when it is implemented on the ePDG side, the terminal sends the information request message to the ePDG control plane; and when it is implemented on both the terminal side and the ePDG side, the terminal control plane sends the information request message to the ePDG control plane.
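The routing rules of the three separation cases just described (user data to the user-plane addresses, CREATE_CHILD_SA and information requests to the control-plane addresses) can be reduced to one decision, shown here as an added example that is not code from the patent or from any ePDG product. It assumes the outcome of the two exchanges has already been reduced to the four addresses in `TunnelEndpoints` (the addresses themselves are constructed), and it takes the page's "information request message" to be the IKEv2 INFORMATIONAL exchange. The receive-side check in `epdg_accepts` is an addition a practitioner would want and is not described on the page.

```python
"""Addressing after IKE SA / IPsec SA endpoint separation has been negotiated.

Added example; not code from the patent or from any ePDG product. Assumes the
two exchanges have been reduced to the four addresses held in TunnelEndpoints.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# IKE signalling that stays on the control plane after the IKE SA exists.
IKE_MESSAGES = frozenset({"IKE_SA_INIT", "IKE_AUTH", "CREATE_CHILD_SA", "INFORMATIONAL"})


@dataclass(frozen=True)
class TunnelEndpoints:
    """ue_ike / epdg_ike are the IKE SA (control-plane) addresses of the two sides.
    ue_ipsec / epdg_ipsec are the addresses announced in IPSEC_SA_ADDRESSES_I / _R;
    None means that side sent no such payload and so reuses its IKE SA address."""
    ue_ike: str
    epdg_ike: str
    ue_ipsec: Optional[str] = None
    epdg_ipsec: Optional[str] = None

    @property
    def ue_user_plane(self) -> str:
        return self.ue_ipsec or self.ue_ike

    @property
    def epdg_user_plane(self) -> str:
        return self.epdg_ipsec or self.epdg_ike


def separation_mode(ep: TunnelEndpoints) -> str:
    """Which of the page's cases applies: 'terminal', 'ePDG', 'both' or 'none'."""
    ue = ep.ue_ipsec is not None and ep.ue_ipsec != ep.ue_ike
    gw = ep.epdg_ipsec is not None and ep.epdg_ipsec != ep.epdg_ike
    return {(True, True): "both", (True, False): "terminal",
            (False, True): "ePDG", (False, False): "none"}[(ue, gw)]


def route(ep: TunnelEndpoints, kind: str, direction: str) -> Tuple[str, str]:
    """(src, dst) for one packet. IKE messages (IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL)
    always run between the control-plane addresses; ESP user data between the user-plane ones."""
    if kind in IKE_MESSAGES:
        uplink = (ep.ue_ike, ep.epdg_ike)
    elif kind == "ESP":
        uplink = (ep.ue_user_plane, ep.epdg_user_plane)
    else:
        raise ValueError(f"unknown message kind {kind!r}")
    if direction == "uplink":
        return uplink
    if direction == "downlink":
        return (uplink[1], uplink[0])
    raise ValueError(f"unknown direction {direction!r}")


def epdg_accepts(ep: TunnelEndpoints, kind: str, src: str, dst: str) -> bool:
    """Receive-side check on the ePDG (added here, not described on the page): a packet is
    handled only if it arrives on the plane the negotiation assigned to it, from the address
    the terminal announced for that plane. ESP aimed at the control-plane address, or IKE
    signalling aimed at the user-plane address, is dropped."""
    try:
        return (src, dst) == route(ep, kind, "uplink")
    except ValueError:
        return False
```

With the ePDG control plane and user plane on separate virtual machines, `route` is what the terminal consults before sending, and `epdg_accepts` is what each ePDG virtual machine applies on receipt so that the control-plane machine never has to carry ESP and the user-plane machine never has to parse IKE.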
In this embodiment, separating the endpoint addresses of the IKE SA tunnel and the IPSec SA tunnel of the terminal and/or the ePDG allows the user plane and the control plane of the terminal and/or the ePDG to be deployed separately on different virtual machines, improving the efficiency of data transmission between the terminal and the ePDG.
In addition, the present disclosure provides a communication tunnel endpoint address separation method including the following steps: sending a first request message to an evolved packet data gateway (ePDG); on receiving the first response message sent by the ePDG after it establishes an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generating a second request message and sending the second request message to the ePDG; and receiving the second response message sent by the ePDG after it establishes an Internet Protocol Security (IPSec) SA tunnel according to the second request message, thereby completing establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
In an embodiment, the second request message carries the IPSec SA tunnel endpoint address of the terminal.
In an embodiment, the second response message carries the IPSec SA tunnel endpoint address of the ePDG.
In an embodiment, after receiving the first response message from the ePDG, the terminal generates the second request message, encrypts it with the encryption algorithm corresponding to the key parameters, and sends the encrypted second request message to the ePDG.
In addition, the present disclosure provides a terminal comprising a memory, a processor, and a communication tunnel endpoint address separation program stored in the memory and executable on the processor, the program when executed by the processor implementing the following steps: sending a first request message to an evolved packet data gateway (ePDG); on receiving the first response message sent by the ePDG after it establishes an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generating a second request message and sending the second request message to the ePDG; and receiving the second response message sent by the ePDG after it establishes an Internet Protocol Security (IPSec) SA tunnel according to the second request message, thereby completing establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel of the ePDG. The present disclosure further provides a computer-readable storage medium storing a communication tunnel endpoint address separation program which, when executed by a processor, implements the steps of the communication tunnel endpoint address separation methods described above with reference to the drawings. The specific steps of those methods are not repeated here.
In addition, the present disclosure provides a communication tunnel endpoint address separation apparatus applied to an evolved packet data gateway (ePDG). The apparatus comprises a first establishment module and a second establishment module.
The first establishment module is configured to: when receiving a first request message sent by a terminal, establish an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generate a first response message corresponding to the first request message, and return the first response message to the terminal.
The second establishment module is configured to: receive a second request message sent by the terminal, establish an Internet Protocol Security (IPSec) SA tunnel according to the second request message, generate a second response message corresponding to the second request message, and return the second response message to the terminal to complete establishment of the IPSec SA tunnel, where the second request message carries a separation identifier indicating that the terminal supports endpoint address separation of the IKE SA tunnel and the IPSec SA tunnel of the ePDG.
In an embodiment, the second request message carries the IPSec SA tunnel endpoint address of the terminal.
In an embodiment, the second response message carries the IPSec SA tunnel endpoint address of the ePDG.
In an embodiment, the first establishment module comprises a negotiation unit, an exchange unit and a first generation unit.
The negotiation unit is configured to: when receiving the first request message sent by the terminal, negotiate key parameters with the terminal according to the first request message.
The exchange unit is configured to: exchange random numbers and Diffie-Hellman values with the terminal to establish the IKE SA tunnel.
The first generation unit is configured to: generate the first response message according to the key parameters and the exchanged random numbers and Diffie-Hellman values, and send the first response message to the terminal.
In an embodiment, the second establishment module comprises a decryption unit, a sending unit, a second generation unit and an encryption unit.
The decryption unit is configured to: when receiving the second request message sent by the terminal encrypted with the encryption algorithm corresponding to the key parameters, decrypt the encrypted second request message with the decryption algorithm corresponding to that encryption algorithm to obtain the plaintext information of the second request message.
The sending unit is configured to send the plaintext information to the authentication, authorization and accounting (AAA) server.
The second generation unit is configured to receive from the AAA server the authentication result obtained by authenticating the terminal on the basis of the plaintext information, and to generate the second response message according to the authentication result.
The encryption unit is configured to encrypt the second response message and return the encrypted second response message to the terminal.
In an embodiment, the communication tunnel endpoint address separation apparatus further comprises a decryption module, a sending module and a receiving module.
The decryption module is configured to decrypt encrypted Internet Protocol Security data when such data is received from the terminal.
The sending module is configured to send the decrypted Internet Protocol Security data to the packet data network gateway (PGW).
The receiving module is configured to receive the response data sent by the PGW in response to the Internet Protocol Security data.
The sending module is further configured to send the response data to the terminal, thereby implementing data exchange between the terminal and the PGW.
In an embodiment, the first establishment module is further configured to: when receiving a first request message sent by the terminal using its local Internet Protocol (IP) address as source address, establish the IKE SA tunnel according to the first request message and generate the first response message corresponding to it; and send the first response message to the local IP address of the terminal using the ePDG-side IKE SA tunnel endpoint address as source address.
In an embodiment, the communication tunnel endpoint address separation apparatus further comprises a creation module.
The creation module is configured to: when receiving a request message from the terminal to create a child security association, create the child security association according to that request message and return a create-child-security-association response message to the terminal.
It should be noted that in this document the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Absent further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or apparatus that comprises it.
The numbering of the above embodiments of the present disclosure is for description only and does not indicate the relative merit of the embodiments.
From the description of the above embodiments, those skilled in the art will understand that the methods of the embodiments may be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware. On that basis, the essence of the technical solution of the present disclosure, or the part of it that contributes to the prior art, may be embodied as a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and comprising instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to perform the methods described in the embodiments of the present disclosure.
The above embodiments are merely exemplary embodiments of the present disclosure and are not intended to limit its scope. Any equivalent structure or equivalent process transformation made using the description and drawings of the present disclosure, and any direct or indirect application of its embodiments and their variants in other related technical fields, falls within the scope of protection of the present disclosure.

Claims (12)

  1. A communication tunnel endpoint address separation method, comprising the following steps:
    when an evolved packet data gateway (ePDG) receives a first request message sent by a terminal, establishing an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generating a first response message corresponding to the first request message, and returning the first response message to the terminal; and
    receiving, by the ePDG, a second request message sent by the terminal, establishing an Internet Protocol Security (IPsec) SA tunnel according to the second request message, generating a second response message corresponding to the second request message, and returning the second response message to the terminal, so as to complete establishment of the IPsec SA tunnel,
    wherein the second request message carries a separation identifier, the separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPsec SA tunnel of the ePDG.
  2. The communication tunnel endpoint address separation method according to claim 1, wherein the second request message carries the IPsec SA tunnel endpoint address of the terminal.
  3. The communication tunnel endpoint address separation method according to claim 2, wherein the second response message carries the IPsec SA tunnel endpoint address of the ePDG.
  4. The communication tunnel endpoint address separation method according to claim 1, wherein the step of, when the ePDG receives the first request message sent by the terminal, establishing the IKE SA tunnel according to the first request message, generating the first response message corresponding to the first request message and returning the first response message to the terminal comprises the following steps:
    when the ePDG receives the first request message sent by the terminal, negotiating key parameters with the terminal according to the first request message, and exchanging nonces (random numbers) and Diffie-Hellman values with the terminal, so as to establish the IKE SA tunnel; and
    generating, by the ePDG, the first response message according to the key parameters and the exchanged nonce and Diffie-Hellman value, and sending the first response message to the terminal.
  5. The communication tunnel endpoint address separation method according to claim 4, wherein the step of receiving, by the ePDG, the second request message sent by the terminal, establishing the IPsec SA tunnel according to the second request message, generating the second response message corresponding to the second request message and returning the second response message to the terminal, so as to complete establishment of the IPsec SA tunnel, comprises the following steps:
    when the ePDG receives the second request message, which the terminal has encrypted with the encryption algorithm corresponding to the key parameters, decrypting, by the ePDG, the encrypted second request message with the decryption algorithm corresponding to that encryption algorithm, so as to obtain the plaintext of the second request message, and sending the plaintext to an authentication, authorization and accounting (AAA) server; and
    receiving, by the ePDG, the authentication result obtained by the AAA server authenticating the terminal according to the plaintext, generating the second response message according to the authentication result, encrypting the second response message, and returning the encrypted second response message to the terminal.
  6. The communication tunnel endpoint address separation method according to claim 1, further comprising, after the step of receiving, by the ePDG, the second request message sent by the terminal, establishing the IPsec SA tunnel according to the second request message, generating the second response message corresponding to the second request message and returning the second response message to the terminal, so as to complete establishment of the IPsec SA tunnel, the following steps:
    when the ePDG receives encrypted IPsec data sent by the terminal, decrypting the IPsec data and sending the decrypted IPsec data to a packet data network gateway (PGW); and
    receiving, by the ePDG, response data sent by the PGW in response to the IPsec data, and sending the response data to the terminal, so as to implement data exchange between the terminal and the PGW.
  7. The communication tunnel endpoint address separation method according to claim 1, wherein the step of, when the ePDG receives the first request message sent by the terminal, establishing the IKE SA tunnel according to the first request message, generating the first response message corresponding to the first request message and returning the first response message to the terminal comprises the following steps:
    when the ePDG receives the first request message, which the terminal has sent using its local Internet Protocol (IP) address as the source address, establishing, by the ePDG, the IKE SA tunnel according to the first request message and generating the first response message corresponding to the first request message; and
    sending, by the ePDG, the first response message to the local IP address of the terminal, using the ePDG-side IKE SA tunnel endpoint address as the source address.
  8. The communication tunnel endpoint address separation method according to any one of claims 1 to 7, further comprising, after the step of, when the ePDG receives the first request message sent by the terminal, establishing the IKE SA tunnel according to the first request message, generating the first response message corresponding to the first request message and returning the first response message to the terminal, the following step:
    when the ePDG receives a request message for creating a child security association sent by the terminal, creating, by the ePDG, the child security association according to the request message for creating a child security association, and returning a response message for creating a child security association to the terminal.
  9. A communication tunnel endpoint address separation method, comprising the following steps:
    sending a first request message to an evolved packet data gateway (ePDG);
    when a first response message, sent by the ePDG after it has established an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, is received, generating a second request message and sending the second request message to the ePDG; and
    receiving a second response message sent by the ePDG after it has established an Internet Protocol Security (IPsec) SA tunnel according to the second request message, so as to complete establishment of the IPsec SA tunnel,
    wherein the second request message carries a separation identifier, the separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPsec SA tunnel of the ePDG.
  10. A terminal, comprising a memory, a processor, and a communication tunnel endpoint address separation program stored on the memory and executable on the processor, the communication tunnel endpoint address separation program, when executed by the processor, implementing the following steps:
    sending a first request message to an evolved packet data gateway (ePDG);
    when a first response message, sent by the ePDG after it has established an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, is received, generating a second request message and sending the second request message to the ePDG; and
    receiving a second response message sent by the ePDG after it has established an Internet Protocol Security (IPsec) SA tunnel according to the second request message, so as to complete establishment of the IPsec SA tunnel,
    wherein the second request message carries a separation identifier, the separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPsec SA tunnel of the ePDG.
  11. An evolved packet data gateway (ePDG), comprising a memory, a processor, and a communication tunnel endpoint address separation program stored on the memory and executable on the processor, the communication tunnel endpoint address separation program, when executed by the processor, implementing the following steps:
    when a first request message sent by a terminal is received, establishing an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generating a first response message corresponding to the first request message, and returning the first response message to the terminal; and
    receiving a second request message sent by the terminal, establishing an Internet Protocol Security (IPsec) SA tunnel according to the second request message, generating a second response message corresponding to the second request message, and returning the second response message to the terminal, so as to complete establishment of the IPsec SA tunnel,
    wherein the second request message carries a separation identifier, the separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPsec SA tunnel of the ePDG.
  12. A computer-readable storage medium, storing a communication tunnel endpoint address separation program which, when executed by a processor, implements the following steps:
    when a first request message sent by a terminal is received, establishing an Internet Key Exchange (IKE) security association (SA) tunnel according to the first request message, generating a first response message corresponding to the first request message, and returning the first response message to the terminal; and
    receiving a second request message sent by the terminal, establishing an Internet Protocol Security (IPsec) SA tunnel according to the second request message, generating a second response message corresponding to the second request message, and returning the second response message to the terminal, so as to complete establishment of the IPsec SA tunnel,
    wherein the second request message carries a separation identifier, the separation identifier indicating that the terminal supports separation of the endpoint addresses of the IKE SA tunnel and the IPsec SA tunnel of the ePDG.
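The two-step set-up of claims 1 to 7, as an added example that is not part of the patent and not the applicant's code: an ePDG model derives the IKE SA keys from the nonce and Diffie-Hellman exchange of the first request (claim 4), decrypts the second request and authenticates the terminal through an AAA stub (claim 5), and, when the request carries the separation identifier together with the terminal's IPsec endpoint address (claims 1 to 3), answers with an ePDG IPsec endpoint address distinct from the IKE endpoint. User-plane data is then accepted only on the negotiated pair before being forwarded towards the PGW (claim 6). The message field names, the `sep_addr_supported` flag standing in for the claims' separation identifier, the AAA stub, the sample addresses and identity, the 1024-bit DH modulus and the HMAC-based toy cipher are assumptions of this example; a real ePDG runs IKEv2 over UDP with standard DH groups and AEAD cipher suites.

```python
"""Toy model of the two-step tunnel set-up in claims 1 to 7 (added example, not the patent's code)."""
import hashlib
import hmac
import json
import os
import secrets

# 1024-bit MODP modulus and generator: an assumption of this demo so it runs offline.
# Too weak for real use; an IKEv2 peer negotiates a standard DH or ECDH group.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_keys(shared, ni, nr):
    """SKEYSEED = prf(Ni | Nr, g^ir), split into one encryption and one integrity key (toy KDF)."""
    skeyseed = prf(ni + nr, shared.to_bytes(128, "big"))
    return prf(skeyseed, b"SK_e" + ni + nr), prf(skeyseed, b"SK_a" + ni + nr)

def _keystream(sk_e, nonce, n):
    return b"".join(prf(sk_e, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def seal(keys, obj):
    """Encrypt-then-MAC a JSON object as nonce | ciphertext | tag (toy cipher, assumed here)."""
    sk_e, sk_a = keys
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(sk_e, nonce, len(pt))))
    return nonce + ct + prf(sk_a, nonce + ct)

def open_(keys, blob):
    sk_e, sk_a = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(sk_a, nonce + ct)):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(sk_e, nonce, len(ct)))))

class EPDG:
    """Gateway whose IKE SA endpoint (signalling) may differ from its IPsec SA endpoints (user plane)."""
    def __init__(self, ike_addr, ipsec_pool, aaa):
        self.ike_addr, self.ipsec_pool, self.aaa = ike_addr, list(ipsec_pool), aaa
        self.sessions = {}

    def first_request(self, req):
        """Claim 4: agree the algorithm, exchange nonces and DH values, derive the IKE SA keys."""
        priv = secrets.randbelow(P - 2) + 1
        nr = os.urandom(32)
        keys = derive_keys(pow(req["ke"], priv, P), req["ni"], nr)
        spi = os.urandom(8).hex()
        self.sessions[spi] = {"keys": keys, "peer_ike_addr": req["src"], "ipsec": None}
        return {"src": self.ike_addr, "spi": spi, "ke": pow(G, priv, P), "nr": nr, "alg": req["alg"][0]}

    def second_request(self, spi, blob):
        """Claims 1-3 and 5: decrypt, authenticate via AAA, then bind the IPsec endpoint pair."""
        s = self.sessions[spi]
        req = open_(s["keys"], blob)
        if not self.aaa(req["identity"], req["auth"]):
            return seal(s["keys"], {"status": "AUTHENTICATION_FAILED"})
        if req.get("sep_addr_supported") and self.ipsec_pool:
            # Separation identifier present: user plane moves to a dedicated ePDG address.
            peer, local = req["ipsec_addr"], self.ipsec_pool.pop(0)
        else:
            # No identifier: both SAs terminate on the addresses the IKE exchange used.
            peer, local = s["peer_ike_addr"], self.ike_addr
        s["ipsec"] = (peer, local)
        return seal(s["keys"], {"status": "OK", "epdg_ipsec_addr": local})

    def esp_in(self, spi, src, dst, payload):
        """Claim 6: accept user-plane data only on the negotiated endpoint pair, then hand it to the PGW."""
        s = self.sessions.get(spi)
        if s is None or s["ipsec"] is None or (src, dst) != s["ipsec"]:
            return None  # drop: not the address pair bound to this SA
        return ("PGW", payload)

def establish(sep_supported, wrong_secret=False):
    """Terminal side of the exchange (constructed addresses and identity); returns (epdg, spi, second response)."""
    # AAA stub (assumed): a shared secret stands in for the real subscriber authentication.
    aaa = lambda ident, auth: auth == hashlib.sha256(b"shared-secret:" + ident.encode()).hexdigest()
    epdg = EPDG("198.51.100.1", ["198.51.100.10", "198.51.100.11"], aaa)
    priv, ni = secrets.randbelow(P - 2) + 1, os.urandom(32)
    # First request from the terminal's local address (claim 7): algorithm list, nonce, DH value.
    resp1 = epdg.first_request({"src": "192.0.2.7", "alg": ["AES-GCM-16"], "ke": pow(G, priv, P), "ni": ni})
    keys = derive_keys(pow(resp1["ke"], priv, P), ni, resp1["nr"])
    ident, secret = "0123456789@nai.epc", (b"wrong:" if wrong_secret else b"shared-secret:")
    req2 = {"identity": ident, "auth": hashlib.sha256(secret + ident.encode()).hexdigest(),
            "sep_addr_supported": sep_supported, "ipsec_addr": "192.0.2.8"}
    resp2 = open_(keys, epdg.second_request(resp1["spi"], seal(keys, req2)))
    return epdg, resp1["spi"], resp2
```

`establish(True)` yields an IPsec pair (192.0.2.8, 198.51.100.10) while the IKE messages travelled between 192.0.2.7 and 198.51.100.1; `establish(False)` keeps both SAs on the IKE addresses, and the `wrong_secret` path shows that no endpoint pair is bound when the AAA server rejects the terminal. The point of `esp_in` is that once signalling and user plane are on different addresses, the gateway has to check incoming ESP against the pair agreed inside the protected second exchange, not against the address the IKE messages came from.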
PCT/CN2018/096172 2017-07-18 2018-07-18 Communication tunnel endpoint address separation method, terminal, gateway and storage medium WO2019015618A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710588081.5A CN109428852B (en) 2017-07-18 2017-07-18 Communication tunnel endpoint address separation method, terminal, ePDG and storage medium
CN201710588081.5 2017-07-18

Publications (1)

Publication Number Publication Date
WO2019015618A1 true WO2019015618A1 (en) 2019-01-24

Family

ID=65015448

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/096172 WO2019015618A1 (en) 2017-07-18 2018-07-18 Communication tunnel endpoint address separation method, terminal, gateway and storage medium

Country Status (2)

Country Link
CN (1) CN109428852B (en)
WO (1) WO2019015618A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114448747A (en) * 2020-10-19 2022-05-06 南京中兴新软件有限责任公司 Communication control method, communication terminal, and storage medium

Families Citing this family (3)

Publication number Priority date Publication date Assignee Title
CN114697989A (en) * 2020-12-31 2022-07-01 大唐移动通信设备有限公司 Communication transmission method, device and system
WO2022178888A1 (en) * 2021-02-27 2022-09-01 华为技术有限公司 Communication method and apparatus
CN114422205B (en) * 2021-12-30 2024-03-01 广西电网有限责任公司电力科学研究院 Method for establishing network layer data tunnel of special CPU chip for electric power

Citations (4)

Publication number Priority date Publication date Assignee Title
WO2012022212A1 (en) * 2010-08-20 2012-02-23 中兴通讯股份有限公司 Method, apparatus and system for user equipment access
CN105812322A (en) * 2014-12-30 2016-07-27 华为数字技术(苏州)有限公司 Method and device for establishing Internet safety protocol safety alliance
WO2016187871A1 (en) * 2015-05-28 2016-12-01 Telefonaktiebolaget Lm Ericsson (Publ) Multiple pdn connections over untrusted wlan access
CN106686589A (en) * 2015-11-09 2017-05-17 中国电信股份有限公司 VoWiFi business achieving method, system and AAA server

Family Cites Families (16)

Publication number Priority date Publication date Assignee Title
KR100759489B1 (en) * 2004-11-18 2007-09-18 삼성전자주식회사 Method and appratus for security of ip security tunnel using public key infrastructure in a mobile communication network
WO2006068450A1 (en) * 2004-12-24 2006-06-29 Samsung Electronics Co., Ltd. System and method for providing mobility and secure tunnel using mobile internet protocol within internet key exchange protocol version 2
US7979901B2 (en) * 2005-12-30 2011-07-12 Nokia Corporation Controlling the number of internet protocol security (IPsec) security associations
US7606191B1 (en) * 2006-05-01 2009-10-20 Sprint Spectrum L.P. Methods and systems for secure mobile-IP traffic traversing network address translation
US7907595B2 (en) * 2006-09-29 2011-03-15 Avaya, Inc. Method and apparatus for learning endpoint addresses of IPSec VPN tunnels
US8687804B2 (en) * 2006-11-01 2014-04-01 Microsoft Corporation Separating control and data operations to support secured data transfers
CN101188542A (en) * 2006-11-17 2008-05-28 华为技术有限公司 Method for establishing IP tunnel and device for distributing IP address
CN101217435B (en) * 2008-01-16 2011-03-16 中兴通讯股份有限公司 L2TP over IPSEC remote access method and device
US20120096269A1 (en) * 2010-10-14 2012-04-19 Certes Networks, Inc. Dynamically scalable virtual gateway appliance
CN102833359A (en) * 2011-06-14 2012-12-19 中兴通讯股份有限公司 Tunnel information acquiring method, SeGW (security gateway), evolution H(e)NB (home node B)/H(e)NB
CN102223280B (en) * 2011-06-17 2017-04-12 中兴通讯股份有限公司 Method and network element for rebuilding tunnel
CN103002429B (en) * 2011-09-13 2017-04-26 中兴通讯股份有限公司 Method and system for processing UE (user equipment) capability
EP2942992B1 (en) * 2013-01-31 2020-01-01 Huawei Technologies Co., Ltd. Customizable mobile broadband network system, and method for customizing mobile broadband network and corresponding device
CN104883687B (en) * 2014-02-28 2019-02-26 华为技术有限公司 WLAN tunnel establishing method, device and access net system
CN105991562B (en) * 2015-02-05 2019-07-23 华为技术有限公司 IPSec accelerated method, apparatus and system
CN106686666A (en) * 2015-11-09 2017-05-17 中兴通讯股份有限公司 Method and device for updating information of gateway

Also Published As

Publication number Publication date
CN109428852B (en) 2023-09-15
CN109428852A (en) 2019-03-05

Similar Documents

Publication Publication Date Title
US11588626B2 (en) Key distribution method and system, and apparatus
CN107079023B (en) User plane security for next generation cellular networks
US8667151B2 (en) Bootstrapping method for setting up a security association
US7389412B2 (en) System and method for secure network roaming
US7984298B2 (en) Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
JP5069320B2 (en) Support for calls without UICC
CN107615825B (en) Multiple PDN connections over untrusted WLAN access
EP3284276B1 (en) Security improvements in a cellular network
WO2019015618A1 (en) Communication tunnel endpoint address separation method, terminal, gateway and storage medium
US7979901B2 (en) Controlling the number of internet protocol security (IPsec) security associations
WO2020133543A1 (en) Communication method and related product
WO2008006312A1 (en) A realizing method for push service of gaa and a device
WO2006137625A1 (en) Device for realizing security function in mac of portable internet system and authentication method using the device
WO2010094244A1 (en) Method, device and system for performing access authentication
JP6123035B1 (en) Protection of WLCP message exchange between TWAG and UE
US20120254615A1 (en) Using a dynamically-generated symmetric key to establish internet protocol security for communications between a mobile subscriber and a supporting wireless communications network
WO2015165250A1 (en) Method, device and communication system for terminal to access communication network
US11838428B2 (en) Certificate-based local UE authentication
Allard et al. IKE context transfer in an IPv6 mobility environment
Mizikovsky et al. CDMA 1x EV-DO security
Narmadha et al. Performance analysis of signaling cost on EAP-TLS authentication protocol based on cryptography
WO2016015347A1 (en) Data processing method, apparatus, and system
Vintilă Potential Applications of IPsec in Next Generation Networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18834745

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 23/06/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18834745

Country of ref document: EP

Kind code of ref document: A1