WO2019017836A1 - Session processing method and device - Google Patents
- Publication number
- WO2019017836A1 (PCT/SG2017/050367)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- session
- data network
- smf
- network element
- address
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
- H04W76/12—Setup of transport tunnels
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
- H04W76/11—Allocation or use of connection identifiers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/04—Large scale networks; Deep hierarchical networks
- H04W84/042—Public Land Mobile systems, e.g. cellular systems
Definitions
- the present application relates to the field of communications, and in particular, to a session processing method and device.
- the 3rd generation partnership project (3GPP) network first needs to perform primary authentication on the UE. After a UE passes the primary authentication, it can access the 3GPP network and further request the 3GPP network to establish a data packet (PDU) session with the data network (DN) in order to access the DN.
- the DN may also need to perform secondary authentication and/or authorization on the UE. The UE is allowed to establish a PDU session only if it passes this authentication and/or authorization.
- the prior art already supports the DN authenticating and authorizing the UE, but does not support the DN modifying or cancelling the UE's authorization; that is, it does not support DN-triggered deletion and modification of the PDU session.
- when the DN detects that a UE that has accessed the DN (that is, the 3GPP network has established a PDU session for the UE) is a malicious or illegal UE, the DN cannot terminate the UE's access to the DN; for example, after the UE's subscription with the DN is cancelled or changed (or the UE's trust level changes), the DN cannot trigger the corresponding revocation or modification of the authority of the UE's PDU session.
- this lack of DN function brings security risks and abuse of network resources, and effective access control cannot be achieved.
- the embodiment of the present invention provides a session control method and device, and the DN can control the deletion and modification of the PDU session according to the monitored abnormality to implement effective access control.
- the embodiment of the present invention uses the following technical solutions:
- a session processing method including:
- the session management function network element SMF receives the session establishment request from the UE and determines the session address to be used by the UE's session; the SMF then sends a data network access request to the data network element in the DN. The request includes the session address and the identifier of the UE, and may instruct the data network element to authenticate and/or authorize the UE.
- the SMF may receive a response message sent by the data network element, indicating that the UE is allowed to access the data network, that is, the UE is successfully authenticated and/or the authorization is successful. Then, the SMF can establish a session of the UE.
- the SMF predetermines the session address of the UE.
- the SMF provides the session address and the identifier of the UE to the data network element, and then establishes a session for the UE according to the session address.
- the data network element detects that the session of the UE needs to be processed (for example, the traffic of the session changes)
- the data network element may be associated with the session of the UE according to the received session address or the identifier of the user, and send a request to the SMF or the PCF to trigger processing of the session.
- the method further includes: the SMF receiving the session processing request triggered by the data network element, and processing the session of the UE according to the session processing request.
- the DN of the prior art cannot trigger the processing of the session.
- the data network element of the DN can trigger the processing of the session in the above manner to achieve effective access control.
- determining the session address that the session of the UE is to use specifically includes: if the type of the session to be established for the UE is the Ethernet type, the UE adds its own Ethernet address to the session establishment request; the SMF then parses the session establishment request, obtains the Ethernet address of the UE from it, and uses the Ethernet address as the session address; of course, the SMF can also allocate a session address to the UE.
- the SMF allocates an IP address to the UE as a session address; or, the SMF allocates an IP prefix to the UE as a session address;
- the session type to be established for the UE is an unstructured type, and the SMF allocates a tunnel IP address as a session address to the user plane function network element UPF.
- the SMF allocates a tunnel IP prefix as a session address for the UPF.
- the SMF can determine the session address to be used by the UE, so that the session address can be sent to the data network element, and the data network element can monitor the session.
- the data network access request is an authentication request
- the response message is an authentication response message
- the authentication response message carries the authentication success identifier.
- the SMF can authenticate the UE before establishing a session for the UE, and establish a session for the UE only when the authentication result of the UE is successful. In this way, the legitimacy of the UE can be ensured, establishing a session for an illegal UE is avoided, and the security of the network communication is improved.
- the data network access request is an authentication request
- the response message is an authentication response message
- the authorization request identifier is carried, and the authentication response message carries the authentication success identifier and the authorization success identifier.
- the SMF can authenticate and authorize the UE before establishing a session for the UE, and establish a session for the UE only when the UE is successfully authenticated and the authorization is successful. In this way, the legitimacy of the UE can be ensured, establishing a session for an illegal UE is avoided, and the security of the network communication is improved.
- the data network access request is an authorization request
- the response message is an authorization response message
- the message carries an authorization success identifier
- the SMF can authorize the UE before establishing a session for the UE, and establish a session for the UE only when the UE is authorized successfully. In this way, the legitimacy of the UE can be guaranteed, establishing a session for an illegal UE is avoided, and the security of the network communication is improved.
- the receiving, by the SMF, of the session processing request triggered by the data network element specifically includes: receiving the first session processing request sent by the data network element; or receiving the third session processing request sent by the policy control function network element, where the third session processing request is sent to the SMF by the policy control function network element after it receives the second session processing request sent by the data network element.
- the data network element can trigger the SMF to process the session of the UE in two ways: the data network element can directly notify the SMF to process the session of the UE, or the data network element can notify the policy control function network element PCF, and the PCF notifies the SMF to process the session of the UE.
- the processing of the session of the UE according to the session processing request includes: deleting the session of the UE or modifying the session of the UE.
- deleting the session of the UE releases the session established for the UE and deletes the resources of the session.
- modifying the session of the UE may be modifying the rights of the session, such as adding a network element that the UE is allowed to access through the session.
- a session processing method including:
- the data network element receives the data network access request sent by the SMF, where the request includes the identifier of the UE and the session address that the UE will use; further, the data network element can authenticate and/or authorize the UE, and then the data network element sends a response message to the SMF; the SMF learns from the response message that the UE is allowed to access the data network, and establishes a session of the UE.
- a session processing request is generated, and the session processing request is used to instruct the SMF to process the session of the UE.
- the SMF predetermines the session address of the UE.
- the SMF provides the session address and the identifier of the UE to the data network element, and then establishes a session for the UE according to the session address.
- the data network element detects that the session of the UE needs to be processed (for example, the traffic of the session changes)
- the data network element may be associated with the session of the UE according to the received session address or the identifier of the user, and send a request to the SMF or the PCF to trigger processing of the session.
- the data network access request is an authentication request
- the response message is an authentication response message
- the authentication response message carries an authentication success identifier
- the SMF can authenticate the UE before establishing a session for the UE, and establish a session for the UE only when the authentication result of the UE is successful. In this way, the legitimacy of the UE can be ensured, establishing a session for an illegal UE is avoided, and the security of the network communication is improved.
- the data network access request is an authentication request
- the response message is an authentication response message
- the authorization request identifier is carried, and the authentication response message carries the authentication success identifier and the authorization success identifier.
- the SMF can authenticate and authorize the UE before establishing a session for the UE, and establish a session for the UE only when the UE is successfully authenticated and the authorization is successful. In this way, the legitimacy of the UE can be ensured, establishing a session for an illegal UE is avoided, and the security of the network communication is improved.
- the data network access request is an authorization request
- the response message is an authorization response message
- the message carries an authorization success identifier
- the SMF can authorize the UE before establishing a session for the UE, and establish a session for the UE only when the UE authorization is successful. In this way, the legitimacy of the UE can be guaranteed, establishing a session for an illegal UE can be avoided, and the security of network communication is improved.
- the data network element detecting, according to the session address or the identifier of the UE, that the session of the UE needs to be processed specifically includes: if the UE is detected to be in an abnormal access state, determining that the session corresponding to the identifier of the UE needs to be processed, where the abnormal access state includes: the UE is an illegal UE, the subscription status of the UE changes, or the trust degree of the UE changes; or, if the traffic corresponding to the session address changes, determining that the session corresponding to the session address needs to be processed.
- the data network element can be associated with a session according to the received session address or identifier, and the processing of the session can be triggered.
- before the data network element detects that the session of the UE needs to be processed, the method further includes: receiving an authentication request sent by the UE through the session of the UE, and authenticating the UE.
- the UE may also be authenticated to ensure the legitimacy of the UE.
- the data network element detecting that the session of the UE needs to be processed specifically includes: if the authentication result of the authentication of the UE is that the authentication succeeds, it is determined that the session corresponding to the identifier of the UE needs to be modified, so that the maximum transmission rate when the UE uses the session of the UE for data transmission is increased, and/or the UE can use the session of the UE to access other network elements outside the data network element.
- the data network element can determine, according to the authentication result, what kind of processing is specifically performed on the session of the UE. The permission of the session established for the UE may allow the UE to access only the data network element; accessing other network elements through the session requires expanding the permissions of the session. Of course, the threshold of the session transmission rate can also be increased.
- the data network element detecting that the session of the UE needs to be processed specifically includes: if the authentication result of the authentication of the UE is that the authentication fails, it is determined that the session corresponding to the identifier of the UE needs to be deleted.
- the data network element may determine, according to the authentication result, what kind of processing is specifically performed on the UE's session.
- if the UE authentication fails, the UE may be an illegal UE, and the session of the UE may be released.
- the data network element detecting that the session of the UE needs to be processed specifically includes: the data network element starts a timer after receiving the data network access request, and if no data packet sent by the UE through the session of the UE is received within the first time window determined by the timer, the session corresponding to the identifier of the UE needs to be deleted; or the data network element starts a timer after sending the response message to the SMF, and if no data packet sent by the UE through the session of the UE is received within the second time window determined by the timer, the session corresponding to the identifier of the UE needs to be deleted.
- the session established for the UE can be released. Specifically, the timer is started in advance, and if no PDU has been received from the UE through the session when the timer expires, it is considered that the UE does not use the session to transmit PDUs.
- the data network element generating a session processing request, and using the session processing request to instruct the SMF to process the session of the UE, specifically includes: sending a first session processing request to the SMF to instruct the SMF to process the session of the UE.
- the data network may directly notify the SMF to process the UE's session.
- the data network element generating a session processing request, and using the session processing request to instruct the SMF to process the session of the UE, specifically includes: sending a second session processing request to the policy control function network element PCF to instruct the PCF to send a second session processing request to the SMF to trigger the SMF to process the session of the UE.
- the data network element may also notify the policy control function network element PCF, and the PCF notifies the SMF to process the session of the UE.
- the second session processing request carries the session address.
- the session address may be carried in the second session request to inform the SMF of the address of the session to be processed, so that the SMF processes the session of the UE.
- before the data network element sends the second session processing request to the PCF, the method further includes: the data network element sends the foregoing session address to the PCF.
- the data network element may also inform the SMF of the address of the session to be processed before transmitting the second session processing request, so that the SMF processes the session of the UE.
- the session management function network element SMF comprising: a receiving unit, configured to receive a session establishment request from the user equipment UE; a determining unit, configured to determine a session address to be used by the UE session; and sending a data network access request to the data network element; the data network access request includes a session address and an identifier of the UE; the receiving unit is further configured to: receive a response message sent by the data network element, where the response message indicates that the UE is allowed to access the data network; an establishing unit, configured to establish a session of the UE.
- the processing unit is further included.
- the receiving unit is further configured to: after the establishing unit establishes the session of the UE, receive a session processing request triggered by the data network element; and the processing unit is configured to process the session of the UE according to the session processing request.
- the determining unit is specifically configured to: parse the session establishment request, obtain the Ethernet address of the UE in the session establishment request, and use the Ethernet address as the session address; or allocate an IP address to the UE as the session address; or allocate an IP prefix to the UE as the session address; or allocate a tunnel IP address to the user plane function network element UPF as the session address; or allocate a tunnel IP prefix to the UPF as the session address.
- the data network access request is an authentication request
- the response message is an authentication response message
- the authentication response message carries the authentication success identifier
- the data network access request is an authentication request
- the response message is an authentication response message
- the authentication response message carries the authentication success identifier and the authorization success identifier.
- the data network access request is an authorization request
- the response message is an authorization response message
- the receiving unit is configured to: receive the first session processing request sent by the data network element; or receive the third session processing request sent by the policy control function network element, where the third session processing request is sent by the policy control function network element to the SMF after receiving the second session processing request sent by the data network element.
- the processing unit is specifically configured to delete the session of the UE or modify the session of the UE.
- a data network element including: a receiving unit, configured to receive a data network access request sent by a session management function network element SMF, where the data network access request includes an identifier of the user equipment UE and the session address that the UE will use; a sending unit, configured to send a response message to the SMF, where the response message indicates that the UE is allowed to access the data network, so that the SMF establishes a session of the UE; a detecting unit, configured to detect, according to the session address or the identifier of the UE, that the session of the UE needs to be processed; and a generating unit, configured to generate a session processing request when the detecting unit detects that the session of the UE needs to be processed; the sending unit is further configured to use the session processing request generated by the generating unit to instruct the SMF to process the session of the UE.
- the data network access request is an authentication request
- the response message is an authentication response message
- the authentication response message carries an authentication success identifier
- the data network access request is an authentication request
- the response message is an authentication response message
- the authentication response message carries the authentication success identifier and the authorization success identifier.
- the data network access request is an authorization request
- the response message is an authorization response message
- the detecting unit is specifically configured to: when the UE is detected to be in an abnormal access state, determine that the session corresponding to the identifier of the UE needs to be processed; the abnormal access state includes at least: UE If the traffic of the session is changed, the session corresponding to the session address needs to be processed.
- the receiving unit is further configured to: before the detecting unit detects that the session of the UE needs to be processed, receive an authentication request sent by the UE through the session of the UE, and authenticate the UE.
- the detecting unit is specifically configured to: if the authentication result of the UE authentication is successful, determine that the session corresponding to the identifier of the UE needs to be modified, so that the maximum transmission rate when the UE uses the session of the UE for data transmission is improved, and/or the UE can use the session of the UE to access other network elements except the data network element.
- the detecting unit is specifically configured to: if the authentication result of the UE authentication is an authentication failure, determine that the session corresponding to the identifier of the UE needs to be deleted.
- the detecting unit is specifically configured to: if the receiving unit does not receive a data packet sent by the UE through the session of the UE within the first time window after receiving the data network access request, determine that the session corresponding to the identifier of the UE needs to be deleted; or, if the receiving unit does not receive a data packet sent by the UE through the session of the UE within the second time window after the response message is sent to the SMF, determine that the session corresponding to the identifier of the UE needs to be deleted.
- the sending unit is configured to send the first session processing request to the SMF to instruct the SMF to process the session of the UE
- the sending unit is configured to send the second session processing request to the policy control function network element PCF, where the request instructs the PCF to send a second session processing request to the SMF to trigger the SMF to process the UE's session.
- the second session processing request carries the session address.
- the sending unit is further configured to: before sending the second session processing request to the PCF, send the session address to the PCF.
- a fifth aspect of the embodiments of the present application provides an SMF, where the SMF may include: at least one processor, a memory, a communication interface, and a communication bus;
- At least one processor is coupled to the memory and the communication interface via a communication bus, and the memory is configured to store the computer execution instructions.
- the processor executes the computer execution instructions stored in the memory to enable the base station to perform the first aspect or the first aspect.
- a sixth aspect of the embodiments of the present application provides a data network element, where the data network element may include: at least one processor, a memory, and a transceiver;
- the at least one processor is connected to the memory and the communication interface through a communication bus, and the memory is configured to store the computer execution instructions.
- the processor executes the memory stored computer execution instructions, so that the UE performs the second aspect or the second aspect.
- a computer storage medium for storing computer software instructions for use in the SMF is disclosed, the computer software instructions including a program involved in executing the session processing method.
- another computer storage medium for storing computer software instructions for use in the data network element is disclosed, the computer software instructions including a program involved in executing the session processing method.
- Figure 1 is a schematic diagram of an existing 5G system architecture
- FIG. 2 is a schematic diagram of a composition of a session function management network element according to an embodiment of the present invention
- FIG. 3 is a schematic diagram of a composition of a data network element according to an embodiment of the present invention
- FIG. 4 is a schematic flowchart of a session processing method according to an embodiment of the present invention.
- FIG. 5 is a schematic flowchart diagram of another session processing method according to an embodiment of the present disclosure.
- FIG. 6 is a schematic flowchart diagram of another session processing method according to an embodiment of the present disclosure.
- FIG. 7 is a schematic flowchart diagram of another session processing method according to an embodiment of the present disclosure.
- FIG. 8 is a schematic flowchart diagram of another session processing method according to an embodiment of the present disclosure.
- FIG. 9 is a schematic flowchart diagram of another session processing method according to an embodiment of the present disclosure.
- FIG. 10 is a schematic diagram of another composition of a session function management network element according to an embodiment of the present invention
- FIG. 11 is another schematic diagram of a composition of a session function management network element according to an embodiment of the present invention.
- FIG. 13 is a schematic diagram of another composition of a data network element according to an embodiment of the present invention.
- FIG. 1 is a schematic diagram of the 5G system architecture developed by the 3GPP standards organization.
- the network elements other than the UE and the DN constitute a 3GPP network.
- the so-called 3GPP network is a network that is operated by the operator and conforms to the 3GPP standard.
- the 3GPP network is not limited to the 5G network defined by the 3GPP, and may also include 2G, 3G and 4G networks, and even 6G networks that 3GPP may define in the future.
- the network element involved in the embodiment of the present application is described in detail:
- the access and mobility management function is a control plane network element provided by the operator, which can perform access control when the UE accesses the carrier network, or conduct mobility management.
- the session management function is also a control plane network element provided by the operator, which is responsible for establishing and managing the PDU session of the UE.
- a data network also known as a PDN (packet data network)
- the DN can be a company's internal office network, and the company's employee's terminal (ie, UE) can access the DN through the 3GPP network to view the company's internal resources.
- the UE accesses the DN by accessing the carrier network, and uses the services provided by the operator or third party on the DN.
- Unified data management is a control plane network element provided by the operator. It is responsible for storing data of 3GPP network subscription users, such as the Subscriber Permanent Identifier (SUPI), credentials, subscription data, etc.
- the authentication server function is a control plane network element provided by the operator.
- the 3GPP network uses the AUSF to authenticate the 3GPP network subscription users, which can be called the primary authentication for the UE.
- the AUSF can perform primary authentication on the UE by using the user data stored on the UDM.
- the network exposure function is a control plane network element provided by the operator.
- NEF exposes the external interface of the 3GPP network to third parties in a secure manner.
- a network element such as an SMF needs to communicate with a third-party network element
- NEF can be used as a relay for communication.
- NEF can translate internal and external identifiers. For example, when the ID of the UE inside the 3GPP network is sent from the 3GPP network to the third party, the NEF may translate the internal ID of the UE into its corresponding external ID. Conversely, the NEF can translate the external ID into the UE's internal ID when it is sent to the 3GPP network.
- the user plane function is a user plane network element provided by the operator and is a gateway for communication between the 3GPP network and the DN.
- the policy control function is a control plane network element provided by the operator to provide a PDU session policy to the SMF.
- Policies may include billing related policies, quality of service (QoS) related policies, authorization related policies, and the like.
- a packet data unit is a unit for transmitting data between a UE and a DN.
- PDUs can be classified into IP type PDUs, Ethernet type PDUs, unstructured type PDUs, and the like. Further, IP type PDUs can be further classified into IPv4 type PDUs and IPv6 type PDUs.
- IP type PDU may be referred to as an IP PDU
- Ethernet type PDU may be referred to as an Ethernet PDU or an Ethernet frame. It should be noted that the 3GPP network does not perceive PDUs of unstructured type, and the UE and the DN can communicate using unstructured PDUs of any custom format.
- the PDU session is a channel between the UE and the DN for transmitting PDUs.
- the UE and the DN send PDUs to each other through the PDU session to communicate.
- the path of the PDU session is UE-(R)AN-UPF-DN. That is to say, the 3GPP network can provide communication services for the UE and the DN through the PDU session.
- the PDU session is established and managed by the SMF.
- PDU sessions can also be classified into IP type, Ethernet type, and unstructured type.
- IP type PDU sessions can be further divided into IPv4 type PDU sessions and IPv6 type PDU sessions.
- the 3GPP network first performs primary authentication on the UE.
- the so-called primary authentication is performed on the SUPI provided by the UE to verify whether the UE's SUPI is legal and authentic.
- a UE can access the 3GPP network only after passing the primary authentication, and further requests to establish a PDU session to access the DN.
- the DN may also need to further authenticate the UE (which may be referred to as secondary authentication) and/or authorize it. Only for a UE that passes this authentication and/or authorization is the establishment of a PDU session permitted.
- the ID of the UE (which may be referred to as the secondary ID) verified by the secondary authentication is usually different from the SUPI and device ID verified by the primary authentication.
- the SUPI format may be IMSI and the device ID may be IMEI.
- the 3GPP network may perform primary authentication on the UE by using the IMEI of the UE, and the DN may also perform secondary authentication on the UE by using the IMEI of the UE.
- the secondary ID can be another identifier of the terminal. For example, if the DN is a company's internal office network, the company's employee terminal (i.e., UE) can access the DN by accessing the 3GPP network, and the secondary ID can be the employee's job number in the company.
- the 3GPP network establishes a PDU session for the UE.
- the PDU session of the UE needs to be processed according to the latest subscription status or traffic condition of the UE. For example, when the UE's subscription is modified or cancelled, or the UE's trust or credibility changes, or the UE's PDU session traffic is abnormal, the PDU session needs to be processed, including deleting the PDU session or modifying the PDU session (which can expand or shrink the permissions of the session).
- the SMF is usually triggered by the PCF to process the PDU session. It can be seen that the prior art cannot implement processing of the PDU session triggered by the DN, such as deleting the PDU session and modifying the PDU session.
- the prior art has already supported the DN to authenticate and authorize the UE, but does not support the DN triggering processing (such as deletion and modification) of the PDU session.
- the DN detects that a UE that has accessed the DN (that is, the 3GPP network has established a PDU session for the UE) is a malicious or illegal UE, but the DN cannot terminate the UE's access to the DN; or, for example, the UE's subscription with the DN is cancelled or changed, or the UE's trust degree changes, but the DN cannot trigger the corresponding revocation or modification of the PDU session of the UE, and so cannot implement effective access control.
- the lack of a way for the DN to trigger the processing of a PDU session leads to security risks and abuse of network resources, and effective access control cannot be achieved.
- the principle of the present application is as follows:
- the SMF provides the session address that the UE will use and the identity of the UE to the data network element (the network element used for authentication and authorization in the DN, such as AAA).
- the PDU session is then established for the UE based on the session address.
- the data network element may associate the received session address or the identity of the UE with a PDU session, and monitor that PDU session.
- when the data network element detects that the PDU session needs to be processed (for example, the traffic of the PDU session changes), it triggers processing of the PDU session by sending a request for release or modification of the PDU session to the SMF or PCF.
- FIG. 2 is a schematic diagram of a composition of a session function management network element SMF according to an embodiment of the present invention.
- the session function management network element may be an SMF in the system architecture shown in FIG. 1.
- the session function management network element may include at least one processor 11, a memory 12, and a communication interface.
- the components of the session function management network element are specifically described below with reference to FIG. 2.
- the processor 11 is a control center of the session function management network element, and may be a processor or a collective name of multiple processing elements.
- the processor 11 is a central processing unit (CPU), or may be an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
- DSPs digital signal processors
- FPGAs Field Programmable Gate Arrays
- the processor 11 can perform various functions of the session function management network element by running or executing a software program stored in the memory 12 and calling data stored in the memory 12.
- processor 11 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG.
- the session function management network element may include a plurality of processors, such as the processor 11 and the processor 15 as shown in FIG.
- processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
- a processor herein may refer to one or more session function management network elements, circuits, and/or processing cores for processing data (e.g., computer program instructions).
- the memory 12 can be a read-only memory (ROM) or other type of static storage session function management network element that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage session function management network element that can store information and instructions, or an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), disk storage media or other magnetic storage session function management network elements, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
- the memory 12 can be independently present and connected to the processor 11 via the communication bus 14.
- the memory 12 can also be integrated with the processor 11.
- the memory 12 is used to store a software program that executes the solution of the present invention, and is controlled by the processor 11.
- the communication interface 13 may include a sending interface for transmitting data and a receiving interface for receiving data from the external session function management network element; that is, the session function management network element may receive data and send data separately through two different communication interfaces.
- the communication interface 13 can integrate the data receiving function and the data transmitting function on a communication interface having a data receiving function and a data transmitting function.
- the session function management network element structure shown in Fig. 2 does not constitute a limitation of the session function management network element, which may include more or fewer components than those illustrated, or combine some components, or use a different component arrangement.
- FIG. 3 is a schematic diagram of a composition of a data network element according to an embodiment of the present invention.
- the data network element may be used for authenticating a UE in a DN in the system architecture shown in FIG.
- Authorized network element AAA (authentication, authorization, accounting), or AAA proxy server.
- the data network element may include at least one processor 21, a memory 22, and a communication interface 23.
- the processor 21 is a control center of the data network element, and may be a processor or a collective name of a plurality of processing elements.
- the processor 21 is a central processing unit (CPU), or may be an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
- CPU central processing unit
- ASIC Application Specific Integrated Circuit
- DSPs digital signal processors
- FPGAs Field Programmable Gate Arrays
- the processor 21 can perform various functions of the data network element by running or executing a software program stored in the memory 22 and calling data stored in the memory 22.
- processor 21 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG.
- the data network element may include multiple processors, such as processor 21 and processor 25 shown in FIG.
- processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
- a processor herein may refer to one or more data network elements, circuits, and/or processing cores for processing data (e.g., computer program instructions).
- the memory 22 can be a read-only memory (ROM) or other type of static storage data network element that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage data network element that can store information and instructions, or an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), disk storage media or other magnetic storage data network elements, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
- the memory 22 can exist independently and be connected to the processor 21 via a communication bus 24.
- the memory 22 can also be integrated with the processor 21.
- the memory 22 is used to store a software program that executes the solution of the present invention, and is controlled by the processor 21 for execution.
- the communication interface 23 may include a sending interface for transmitting data and a receiving interface for receiving data from the external data network element; that is, the data network element may receive data and transmit data separately through two different communication interfaces.
- the communication interface 23 can integrate the data receiving function and the data transmitting function on a communication interface having a data receiving function and a data transmitting function.
- the data network element structure shown in Figure 3 does not constitute a limitation of the data network element, and may include more or fewer components than those illustrated, or some components may be combined, or different component arrangements.
- the embodiment of the invention provides a session processing method. As shown in FIG. 4, the method includes the following steps:
- the SMF receives a session establishment request from the UE.
- the UE first sends a session establishment request to the AMF, and the AMF then forwards the UE's session establishment request to the SMF.
- an Ethernet type session (i.e., PDU session) needs to be established for the UE.
- the address of the session to be established for the UE is the Ethernet address of the UE. Then, the UE will carry its own Ethernet address in the session establishment request and send it to the AMF.
- the session established for the UE in the embodiment of the present invention is a PDU session. Therefore, the "session" in the embodiment of the present invention refers to a PDU session.
- the SMF determines a session address to be used by the UE.
- the session of the UE may be established according to the address of the UE, so the session address that the UE will use may be the address of the UE.
- the type of session established for the UE depends on the type of PDU transmitted by the UE.
- the types of PDUs transmitted by the UE include the IP type, the Ethernet type, and the unstructured type. If the PDU transmitted by the UE is of the Ethernet type, the UE will carry its own Ethernet address in the session establishment request and send it to the AMF.
- the SMF receives the session establishment request forwarded by the AMF, and can parse the request to obtain the Ethernet address of the UE included therein; this Ethernet address is the above session address.
- the SMF allocates an address for the UE. Specifically, if the PDU transmitted by the UE is of the IPv4 type, the session of the UE is also of the IPv4 type, and the SMF allocates an IP address to the UE as the session address to be used by the UE; if the PDU transmitted by the UE is of the IPv6 type, the session of the UE is also of the IPv6 type, and the SMF assigns an IP prefix to the UE as the session address that the UE will use.
- the SMF also assigns an address to the UE. Specifically, the SMF allocates a tunnel IP address to the UPF, and uses the tunnel IP address of the UPF as the session address to be used by the UE; or, the SMF allocates a tunnel IP prefix for the UPF, and uses the tunnel IP prefix of the UPF as the session address.
- the SMF sends a data network access request to the data network element.
- the data network access request includes the foregoing session address and an identifier of the UE.
- the data network element may be a network element used for authentication and authorization in the DN, such as an AAA server or an AAA proxy server.
- the data network access request may be an authentication request, such as a DER (diameter EAP request) message, requesting the data network element to authenticate the UE; further, the authentication request may also carry an authorization request identifier, requesting the data network element to authorize the UE.
- the data network access request may also be an authorization request, requesting the data network element to authorize the UE.
- the identifier of the UE is a secondary ID of the UE, and the data network element may use the identifier of the UE to authenticate the UE.
- the data network element sends a response message to the SMF, where the response message indicates that the UE is allowed to access the data network.
- the data network element performs authentication on the UE between step 103 and step 104.
- the response message here is an authentication response message, and the authentication response message carries an authentication success identifier.
- the data network access request is an authentication request, and the authentication request carries the authorization request identifier
- the data network element performs authentication and authorization on the UE between step 103 and step 104, and the response message is the authentication response message.
- the message carries an authentication success identifier and an authorization success identifier.
- the data network element authorizes the UE between step 103 and step 104. Then, the response message is an authorization response message, and the authorization response message carries an authorization success identifier.
- the SMF establishes a session of the UE.
- the address of the session is the session address determined in step 102.
- since the data network element sends a response message to the SMF to indicate that the UE is allowed to access the data network, the SMF then establishes a session for the UE according to the session address.
- the SMF sends information to the PCF about the session to be established for the UE, including at least the session address.
- one or more IDs of the UE may also be sent.
- the PCF then sends the authorization scope of the session to the SMF.
- the SMF informs the UPF of the session information, which contains the session address and the policy of the session.
- the UPF guarantees that the PDU session will not exceed the scope of the PCF license.
- the UPF responds to the SMF.
- the SMF sends a session establishment request response to the UE via the AMF. So far, the establishment of the UE's session is completed. It should be noted that the permission of the session established for the UE here is "only access to the data network element".
- the data network element detects that the session of the UE needs to be processed.
- the data network element can directly determine a session according to the session address received in step 103 above, and monitor the traffic of the session. Once a change in the traffic of the session is detected, it is determined that the session needs to be processed. It should be noted that the decision the data network element makes from monitoring the traffic of the session may be “deleting the session of the UE” or “changing the session of the UE”, which is not limited herein; the data network element may decide how to handle the UE's session according to the specific change in session traffic. For example, if the traffic of this session is abnormal, the session may need to be deleted.
- the uplink traffic of the PDU session (that is, the traffic from the UE to the DN direction) can be identified by the source address or the source tunnel address of the PDU, and the downlink traffic of the PDU session (that is, the traffic from the DN to the UE direction) can be identified by the destination address or destination tunnel address of the PDU. If the PDU type is IPv4, the source IP address of the uplink PDU and the destination IP address of the downlink PDU are the same as the IP address of the UE (that is, the session address); if the PDU type is IPv6, the source IP address of the uplink PDU and the destination IP address of the downlink PDU match the IP prefix of the UE (that is, the session address); if the PDU type is Ethernet, the source Ethernet address of the uplink PDU and the destination Ethernet address of the downlink PDU are consistent with the Ethernet address of the UE (that is, the session address); if the PDU type is unstructured, the source tunnel address of the uplink PDU and the destination tunnel address of the downlink PDU match the tunnel IP address or the tunnel IP prefix of the UPF (that is, the session address).
- the data network searches for the access status of the UE by using the identifier of the UE, and monitors the access status of the UE. Once the UE is detected to be an illegal UE, or the subscription status of the UE changes, or the UE's trust status changes, in any of these cases the UE can be determined to be in an abnormal access state, and thus the session of the UE needs to be processed. Further, the data network element needs to determine which session is the session of the UE. Specifically, the session of the UE can be determined in the following two manners.
- since the data network element receives the identifier of the UE and the session address, the data network element may associate the identifier of the UE with a session address, and determine a session according to the associated session address (that is, the session corresponding to the identifier of the UE), which is the session of the UE, and thus can determine that the session needs to be processed.
- the data network element maintains a corresponding diameter session for each PDU session, and a diameter session has a corresponding ID; that is, a diameter session ID can be used to identify a PDU session.
- when the UE is detected to be in an abnormal access state, the data network element may associate the identifier of the UE with a diameter session ID, and determine a session (that is, the session corresponding to the identifier of the UE) according to the associated diameter session ID, which in turn determines that the session needs to be processed.
- the decision made by the data network element according to the access status of the UE may be “deleting the session of the UE” or “modifying the session of the UE”, which is not limited herein; the data network element may decide how to handle the session of the UE according to the UE's current actual access situation. For example, if the UE is an illegal UE, the session of the UE is deleted.
- the UE may also initiate authentication to the data network element. Therefore, in step 106, the data network element may further determine whether the session of the UE needs to be processed according to the authentication result. Specifically, if the authentication result is that the authentication fails, the UE may be an illegal UE, and the data network element determines that the session of the UE needs to be deleted. If the authentication result is that the authentication succeeds, the UE may be a legitimate UE, and the data network element determines that the session of the UE needs to be modified, and may modify the session permission so that the UE can use the session to access network elements other than the data network element.
- the data network element needs to determine which session is the session of the UE. Similarly, the data network element can determine the session of the UE by using the foregoing two methods. Specifically, according to the identifier of the UE, it is associated with a session address, and the session matched by the address is the session of the UE. Or, according to the identifier of the UE, it is associated with a diameter session ID, and the session matched by the diameter session ID is the session of the UE.
- the data network element may further start a timer after step 103. If, after the session is established for the UE in step 105, the timer expires and the data network element has not received a data packet (that is, a PDU) sent by the UE through the session, the data network element determines that the session of the UE needs to be deleted. Similarly, the data network element can determine the UE's session in the above two ways. Specifically, according to the identifier of the UE, it is associated with a session address, and the session matched by the address is the session of the UE. Or, according to the identifier of the UE, it is associated with a diameter session ID, and the session matched by the diameter session ID is the session of the UE.
- the data network element may also start the timer after the step 104, and the rest of the process is the same as the process of starting the timer after the step 103, and details are not described herein.
- the “traffic abnormality” in the embodiment of the present invention may be a feature that the traffic deviates from the normal traffic, for example, the traffic is too large, the accessed port number is not the service, the accessed address is too large, the packet size distribution is larger than usual, or the traffic contains attack packets.
- the data network element generates a session processing request, and the session processing request is used to instruct the SMF to process the session of the UE.
- the data network element may send the session processing request to the PCF, the request using the STR message or the AAR message of the diameter protocol.
- the PCF triggers the SMF to process the session of the UE.
- the request contains a session address that identifies the session. If the data network element has previously sent this information to the PCF, it does not need to include this information.
- the data network element may also send the request to the SMF, the request using the ASR message of the diameter protocol.
- the session processing request sent at this time does not need to carry the session address, that is, the SMF does not need to provide the session address to identify the session.
- since the SMF and the data network element maintain a corresponding diameter session for each PDU session (i.e., the session described in the embodiment of the present invention) in steps 103 and 104, the SMF can examine the diameter message sent by the data network element to determine which PDU session the data network element indicates. Or, for each diameter session, a diameter session ID is maintained, and the data network element can carry a diameter session ID in the session processing request, so the SMF can also know which PDU session the data network element requests to process according to the received diameter session ID.
- when the DN authenticates or authorizes the UE, the SMF provides the session address and the identifier of the UE to the data network element, and then establishes a session for the UE according to the session address.
- the data network element detects that the session of the UE needs to be processed (for example, the traffic of the session changes)
- the data network element may associate the received session address or the identifier of the user with the session of the UE, and send a request to the SMF or the PCF to trigger processing of the session.
- the embodiment of the present invention further provides a session processing method, which uses the data network element as the AAA as an example to introduce the authentication authorization and authorization cancellation of the AAA session by the AAA.
- the method includes the following steps:
- the UE sends a PDU session establishment request to the AMF.
- the type of the PDU sent by the UE is Ethernet type
- the type of PDU session to be established for the UE is also the Ethernet type, and the UE sends its own Ethernet address along with the request to the AMF.
- the AMF sends the UE's PDU session establishment request and the UE's SUPI and PEI to the SMF.
- the PEI is the permanent equipment identifier of the UE
- the common format is the IMEI format.
- the SMF determines that AAA authentication of the UE or AAA authorization of the UE's PDU session is required.
- the SMF may determine whether AAA authentication of the UE or AAA authorization of the UE's PDU session is required according to a locally pre-stored policy (for example, AAA authentication and authorization is required for accessing the DN); or it may use a related indication in the PDU session establishment request sent by the UE as the basis for the judgment; or, between steps 202 and 203, the SMF reads the subscription information of the UE from the UDM, and determines whether AAA authentication of the UE or AAA authorization of the UE's PDU session is required according to the related policy in the subscription information that was read.
- the SMF allocates a session address to the UE.
- the SMF uses the Ethernet address of the UE received in step 203 as the session address that the UE will use.
- step 204 is performed. Specifically, if the PDU session type is IPv4, the SMF allocates an IP address to the UE as the session address that the UE will use; if the PDU session type is IPv6, the SMF allocates an IP prefix to the UE as the session address that the UE will use; if the PDU session type is unstructured, the SMF allocates a tunnel IP address or a tunnel IP prefix to the UE as the session address that the UE will use. The tunnel IP address or tunnel IP prefix is assigned to the UPF.
- the SMF sends an EAP-identity request to the UE.
- the UE sends an EAP-identity response to the SMF, where the UE carries the secondary ID of the UE.
- the DER message of the diameter protocol is the data network access request in the embodiment of the present invention, and carries the session address and the identifier of the UE.
- the identifier of the UE is the secondary ID of the UE in this embodiment.
- steps 205 and 206 are optional steps. If steps 205 and 206 are performed, the SMF, after receiving the EAP-identity response message, generates a DER message of the diameter protocol that includes the EAP-identity response message and the session address, and then forwards the DER message to the AAA. If steps 205 and 206 are not performed, the UE may carry the secondary ID of the UE in the message sent in step 201, and the message forwarded by the AMF to the SMF in step 202 also carries the secondary ID of the UE. In this way, the SMF obtains the secondary ID and session address of the UE. Further, the SMF generates a DER message of the diameter protocol carrying the secondary ID and the session address of the UE, and sends the generated DER message to the AAA.
- the SMF may also obtain the UE's external ID, SUPI, and PEI from the UE's subscription data, and add the SUPI, PEI, or external ID to the DER message of the diameter protocol.
- the external ID is obtained by the SUPI mapping.
- the external ID corresponding to the SUPI can be provided.
- the AAA authenticates the UE by using the EAP protocol.
- this step is optional, and the AAA may not authenticate the UE.
- the AAA sends a diameter DEA message to the SMF, including the authentication result and the authorization result.
- the diameter DEA message sent here is a response message sent by the data network element to the SMF in the embodiment of the present invention.
- the authentication result is an EAP-success message, indicating that the authentication is successful.
- the authorization result is authorization information, which represents the authority of the PDU session that will be established for the UE.
- the diameter DEA message that the AAA sends to the SMF may also not include the authorization information, in which case the SMF can obtain the authorized policy (that is, the above authorization information) from the PCF.
- the SMF informs the PCF of the information of the PDU session, which includes the address of the PDU session.
- the address of the PDU session that is, the session address, may be an Ethernet address sent by the UE to the AMF in step 201, or may be an address allocated by the SMF to the UE in step 204.
- one or more IDs of the UE such as a secondary ID of the UE, an external ID of the UE, and the like, may also be included.
- the PCF sends the policy of the PDU session to the SMF.
- the SMF informs the UPF of the information of the PDU session, where the address of the PDU session and the policy of the PDU session are included.
- the UPF implements the PDU session policy to ensure that the PDU session does not exceed the authorized scope.
- the UPF replies to the SMF.
- the SMF sends to the AMF a PDU session establishment response and an EAP-success indicating that the authentication is successful.
- the AMF forwards the received PDU session establishment response and the EAP-success to the UE.
- the UE obtains an address of the PDU session.
- the PDU session address is the Ethernet address of the UE. Step 216 is not performed here, and step 217 is directly executed.
- the PDU session address is allocated by the SMF for the UE, and the SMF sends the address assigned to the UE to the UE through another message, such as by using the Dynamic Host Configuration Protocol (DHCP).
- a message may be sent in steps 214-215 to notify the address assigned to the UE.
- the AAA detects that the PDU session needs to be released.
- using the session address obtained in step 207, the DN can identify the traffic of the PDU session.
- when the DN detects that the traffic of the PDU session is abnormal, it determines that the PDU session of the UE needs to be deleted.
- the specific traffic monitoring includes: the uplink traffic of the PDU session (that is, the traffic from the UE to the DN direction) can be identified by the source address or the source tunnel address of the PDU, and the downlink traffic (that is, the traffic from the DN to the UE direction) can be identified by the destination address or destination tunnel address of the PDU. If the PDU type is IPv4, the source IP address of the uplink PDU and the destination IP address of the downlink PDU are the same as the IP address obtained in step 207 (that is, the session address, which is also the address of the PDU session); if the PDU type is IPv6, the source IP address of the uplink PDU and the destination IP address of the downlink PDU match the IP prefix obtained in step 207 (that is, the session address, which is also the address of the PDU session); if the PDU type is Ethernet, the source Ethernet address of the uplink PDU and the destination Ethernet address of the downlink PDU are the same as the Ethernet address obtained in step 207 (that is, the session address, which is also the address of the PDU session); if the PDU type is unstructured, the source tunnel address of the uplink PDU and the destination tunnel address of the downlink PDU match the tunnel IP address or tunnel IP prefix obtained in step 207 (that is, the session address, which is also the address of the PDU session).
- the AAA determines that the PDU session corresponding to the UE address needs to be released. It should be noted that "release" in this embodiment means "delete".
- the AAA sends a request to release the PDU session.
- the AAA can send the request directly to the SMF using the ASR message of the diameter protocol (step 218a).
- the PDU sent by the AAA does not carry the PDU session, that is, the SMF is not required to provide the address of the PDU session to identify the PDU session.
- the four diameter messages 207, 209, 218a, and 220a in the figure are all in the same diameter session.
- the AAA requests to release or modify the PDU session in the diameter session corresponding to the PDU session.
- the SMF can know that the PDU session requesting the operation is the PDU session corresponding to the session.
- the AAA uses the STR message of the diameter protocol or the AAR message of the diameter protocol to send the request to the PCF (step 218b1), and the PCF sends a request to release the PDU session to the SMF to trigger the SMF to release the PDU session (step 218b2).
- the request sent by the AAA includes the address of the PDU session, which is used to identify the PDU session, and may also include one or more IDs of the UE for assisting the identification of the PDU session.
- if the AAA has previously sent the information to the PCF (for example, the AAA has previously sent a request to modify the PDU session through the PCF, and the request contained such information), it is not necessary to include such information.
- the SMF releases the PDU session.
- the SMF notifies the UPF to release the resources occupied by the PDU session, and stops forwarding the PDU of the PDU session.
- the SMF notifies (R) AN to release the resources of the PDU session, and the notification is forwarded via the AMF.
- the (R)AN releases the resources occupied by the PDU session and notifies the UE.
- the AN informs the SMF that the resources occupied by the PDU session have been released, and the notification is forwarded by the AMF.
- the SMF notifies the AMF to delete the context information of the PDU session, and the SMF notifies the PCF to delete the policy context information of the PDU session.
- the AAA receives a response to the PDU session release request.
- the SMF sends a response to the PDU session release request to the AAA using the ASA message of the diameter protocol (step 220a).
- the SMF sends a response to the PDU session release request to the PCF (step 220b1), and the PCF sends a response to the PDU session release request to the AAA by using the STA message or the AAA message of the diameter protocol (step 220b2).
- the address of the PDU session in the above step is: if the PDU session type is IPv4, the address of the PDU session (that is, the above session address) is the IP address assigned by the SMF to the UE; if the PDU session type is IPv6, the address of the PDU session is SMF.
- the SMF obtains the Ethernet address of the UE in step 202, or allocates the IP address/prefix used by the UE or used by the UE in step 204.
- the SMF sends the address to the AAA in the diameter message of the authentication/authorization request, so that the AAA can identify the PDUs of the PDU session and, by examining the traffic of the PDU session, detect whether there is an abnormality.
- the AAA triggers the modification or release of the PDU session through the PCF. This enables the DN to control the deletion and modification of the PDU session based on the detected abnormal conditions to achieve effective access control.
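The attribution rule in the traffic-monitoring steps above (uplink matched on source, downlink on destination; exact match for IPv4 and Ethernet, prefix match for IPv6 and tunnel addresses) can be sketched as follows. This is an added example, not code from the patent; the `Session`, `Pdu` and `SessionIndex` structures and all sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

IPV4, IPV6, ETHERNET, UNSTRUCTURED = "IPv4", "IPv6", "Ethernet", "unstructured"
HEX = set("0123456789abcdef")


def norm_mac(mac):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 or not set(p) <= HEX for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(parts)


@dataclass(frozen=True)
class Session:
    """What the AAA keeps from the authorization request (hypothetical shape)."""
    diameter_session_id: str  # constructed value
    pdu_type: str
    session_address: str      # IP address, IP prefix, MAC, or tunnel address/prefix


@dataclass(frozen=True)
class Pdu:
    """Addresses the DN observes on one PDU (hypothetical shape)."""
    direction: str            # "uplink" (UE to DN) or "downlink" (DN to UE)
    src: str = ""
    dst: str = ""
    src_tunnel: str = ""
    dst_tunnel: str = ""


class SessionIndex:
    def __init__(self, sessions=()):
        self._mac = {}
        self._nets = {"ip": [], "tunnel": []}
        for s in sessions:
            self.register(s)

    def register(self, s):
        if s.pdu_type == ETHERNET:
            self._mac[norm_mac(s.session_address)] = s
            return
        net = ipaddress.ip_network(s.session_address, strict=False)
        if (s.pdu_type, net.version) in ((IPV4, 6), (IPV6, 4)):
            raise ValueError("address family does not match the PDU session type")
        self._nets["tunnel" if s.pdu_type == UNSTRUCTURED else "ip"].append((net, s))

    def _match_ip(self, kind, text):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return None
        hits = [(net.prefixlen, s) for net, s in self._nets[kind] if addr in net]
        # Longest prefix wins if registered prefixes overlap.
        return max(hits, key=lambda h: h[0])[1] if hits else None

    def classify(self, pdu):
        """Match uplink PDUs on their source and downlink PDUs on their destination."""
        if pdu.direction not in ("uplink", "downlink"):
            raise ValueError("direction must be 'uplink' or 'downlink'")
        up = pdu.direction == "uplink"
        tunnel = pdu.src_tunnel if up else pdu.dst_tunnel
        if tunnel:
            return self._match_ip("tunnel", tunnel)
        addr = pdu.src if up else pdu.dst
        try:
            return self._mac.get(norm_mac(addr))
        except ValueError:
            return self._match_ip("ip", addr)


def traffic_per_session(index, pdus):
    """Count PDUs per (diameter session id, direction); None marks unattributed traffic."""
    counts = Counter()
    for p in pdus:
        s = index.classify(p)
        counts[(s.diameter_session_id if s else None, p.direction)] += 1
    return counts


# Constructed sample data: private/documentation ranges and locally administered MACs.
SAMPLE_INDEX = SessionIndex([
    Session("sess-a", IPV4, "10.45.0.7"),
    Session("sess-b", IPV6, "2001:db8:1::/64"),
    Session("sess-c", ETHERNET, "02-00-00-AA-BB-01"),
    Session("sess-d", UNSTRUCTURED, "192.0.2.0/28"),
])
SAMPLE_PDUS = [
    Pdu("uplink", src="10.45.0.7", dst="198.51.100.9"),
    Pdu("downlink", src="198.51.100.9", dst="10.45.0.7"),
    Pdu("uplink", src="2001:db8:1::abcd", dst="2001:db8:ffff::1"),
    Pdu("downlink", src="02:00:00:00:00:fe", dst="02:00:00:aa:bb:01"),
    Pdu("uplink", src_tunnel="192.0.2.5", dst_tunnel="198.51.100.1"),
    Pdu("downlink", src="10.45.0.7", dst="198.51.100.9"),  # session address on wrong side
]
```

The last sample PDU carries a session address as its source but travels downlink, so it is left unattributed: only the direction-appropriate field identifies the session.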
- the embodiment of the present invention further provides a session processing method, where the data network element is used as an AAA, and the authorization process and the authorization modification process of the PDU session are established, which is different from the previous embodiment.
- the AAA only authorizes; the UE is not authenticated, and the EAP protocol is not used.
- the AAA triggers the PDU session modification instead of triggering the PDU session release.
- the PDU session establishment process in this embodiment and the first embodiment can be interchanged without affecting the subsequent trigger PDU session modification/release process. As shown in FIG. 6, the method includes the following steps:
- the UE sends a message requesting to establish a PDU session to the AMF and a secondary ID of the UE.
- the UE sends its own Ethernet address to the AMF along with the request.
- the AMF sends the PDU session establishment request of the UE, the SUPI of the UE, the PEI of the UE, and the secondary ID of the UE to the SMF.
- if the AMF received the Ethernet address sent by the UE, the Ethernet address of the UE also needs to be sent to the SMF.
- the SMF determines that the AAA needs to authenticate the UE or authorize the PDU session of the UE.
- the SMF can determine whether the AAA needs to authenticate the UE or authorize the PDU session of the UE according to a locally pre-stored policy (for example, AAA authentication and authorization is required to access the DN); or use the relevant indication carried by the PDU session establishment request sent by the UE as the basis of the judgment; or, between steps 302 and 303, the SMF reads the subscription information of the UE from the UDM and determines, according to the related policy in the subscription information, whether the AAA needs to authenticate the UE or authorize the PDU session of the UE.
- the SMF allocates a session address to the UE.
- the SMF uses the Ethernet address of the UE received in step 303 as the session address that the UE will use, and may skip step 304 and directly perform step 305.
- step 304 is required. Specifically, if the PDU session type is IPv4, the SMF allocates an IP address to the UE as the session address that the UE will use; if the PDU session type is IPv6, the SMF allocates an IP prefix to the UE as the session address to be used by the UE. If the PDU session type is unstructured, the SMF allocates a tunnel IP address or a tunnel IP prefix to the UE as the session address to be used by the UE. The tunnel IP address or tunnel IP prefix is assigned to the UPF.
- the SMF sends an AAR message of the diameter protocol to the AAA, where the message carries the authorization request, the session address, and the secondary ID of the UE.
- the SMF may also find the external ID of the UE from the subscription data of the UE, add the SUPI, the PEI, or the external ID of the UE to the AAR message of the diameter protocol, and send it to the AAA.
- the AAA sends an AAA message of the diameter protocol to the SMF, including the authorization result.
- the authorization result may be an authorization information indicating the authority of the PDU session to be established for the UE.
- the SMF informs the PCF of the information of the PDU session, which includes the address of the PDU session (that is, the above session address).
- the information of the PDU session may further include one or more IDs of the UE.
- the PCF sends the policy of the PDU session to the SMF.
- the SMF informs the UPF of the information of the PDU session, where the address of the PDU session and the processing rule of the PDU session are included.
- the processing rule of the foregoing PDU session is generated by the SMF according to the policy of the received PDU session, and the UPF ensures that the PDU session does not exceed the authorized range by executing the processing rule of the PDU session.
- the UPF responds to the SMF.
- the SMF sends a PDU session establishment response to the AMF.
- the AMF forwards the PDU session establishment response to the UE.
- the UE obtains an address of the PDU session.
- the PDU session address is the Ethernet address of the UE. If the PDU type is not an Ethernet type, such as an IP type or an unstructured type, the address of the PDU session is allocated by the SMF for the UE, and the SMF sends the session address allocated to the UE to the UE through another message, such as a message of the DHCP protocol. Alternatively, a message may be sent in steps 314-315 to inform the UE of the session address assigned.
- the AAA detects that the PDU session needs to be modified.
- the AAA detects that the UE's subscription to the DN is modified according to the ID of the UE (obtained in step 307), or the DN detects that the UE's trust or credibility changes, or the DN detects the PDU session.
- for the specific method of traffic monitoring, refer to the related explanation of step 217 in the previous embodiment; details are not repeated here.
- the AAA sends a request to modify the PDU session.
- the AAA may send a request for modifying the PDU session to the SMF by using the RAR message of the diameter protocol (step 315a).
- the message sent by the AAA does not carry the PDU session, that is, the MF session is not required to be provided to the SMF.
- SMF and AAA maintain a corresponding diameter session for each PDU session, the four diameter messages 305, 306, 315a, and 317a in the figure are all in the same diameter session.
- the AAA requests to release or modify the PDU session in the diameter session corresponding to the PDU session.
- the SMF can know that the PDU session requesting the operation is the PDU session corresponding to the session.
- the AAA sends a request to modify the PDU session to the PCF using the AAR message of the diameter protocol (step 315b1), and the PCF further triggers the SMF to modify the PDU session (step 315b2).
- the request sent by the AAA includes the address of the PDU session, which is used to identify the PDU session, and may also include one or more IDs of the UE to assist in identifying the PDU session.
- if the AAA has previously sent this information to the PCF (for example, the AAA has previously sent a request to modify the PDU session through the PCF, and the request contained this information), it is not necessary to include this information.
- the SMF modifies the PDU session.
- the SMF requests (R) AN to modify the configuration of the PDU session, and the request is forwarded by the AMF.
- the (R)AN informs the UE about the modification of the PDU session, and the (R)AN notifies the SMF that the configuration of the PDU session has been modified, and the notification is forwarded by the AMF.
- the SMF requests the UPF to modify the configuration of the PDU session and get a response.
- the AAA receives a response to the PDU session modification request.
- the SMF sends the message to the AAA, and the message is the RAA message of the diameter protocol (step 317a).
- the PCF receives the response of the PDU session modification request sent by the SMF (step 317b1), and the PCF sends a response to the PDU session modification request to the AAA by using the AAA message of the diameter protocol (step 317b2).
- the address in the above step is: If the PDU session type is IPv4, the address is the IP address assigned by the SMF to the UE; if the PDU session type is IPv6, the address is the IP prefix assigned by the SMF to the UE; if the PDU session type is unstructured The address is the tunnel IP address or tunnel IP prefix assigned by the SMF to the UE. If the PDU session type is Ethernet, the address is the Ethernet address of the UE.
- the SMF obtains the Ethernet address of the UE in step 302, or in step 604 allocates to the UE an IP address/prefix used by the session or used by the tunnel.
- the SMF sends the addresses to the AAA in the diameter message of the authorization request, so that the DN can identify the PDU of the PDU session and detect whether there is an abnormality or judge the trust or reputation value of the UE, thereby determining that the PDU session needs to be modified; or when the subscription condition of the UE changes, the AAA may associate with the PDU session to determine to modify the PDU session.
- AAA triggers the modification of the PDU session through the PCF.
- the embodiment of the present invention further provides a session processing method.
- the data network element as an AAA as an example
- the AAA uses the authorization release and authorization modification or cancellation of the PDU session to implement authentication on the user plane, as shown in FIG. 7.
- the method includes the following steps:
- the UE sends a PDU session establishment request to the AMF and a secondary ID of the UE.
- the UE sends its own Ethernet address along with the request to the AMF.
- the AMF sends the PDU session establishment request of the UE together with the SUPI of the UE, the PEI of the UE, and the secondary ID of the UE to the SMF.
- the Ethernet address of the UE is also sent to the SMF.
- the SMF determines that the AAA needs to authenticate the UE or authorize the PDU session of the UE.
- the SMF may determine whether the AAA needs to authenticate the UE or authorize the PDU session of the UE according to a locally pre-stored policy (for example, AAA authentication and authorization is required for accessing the DN); or use the related indication carried by the PDU session establishment request sent by the UE as the judgment basis; or, between steps 402 and 403, the SMF reads the subscription information of the UE from the UDM and determines, according to the related policy in the subscription information, whether the AAA needs to authenticate the UE or authorize the PDU session of the UE.
- the SMF allocates a session address to the UE.
- Step 404 directly performs step 405.
- step 404 is performed. Specifically, if the PDU session type is IPv4, the SMF allocates an IP address to the UE as the session address that the UE will use; if the PDU session type is IPv6, the SMF allocates an IP prefix to the UE as the session address to be used by the UE. If the PDU session type is unstructured, the SMF allocates a tunnel IP address or a tunnel IP prefix to the UE as the session address to be used by the UE. The tunnel IP address or tunnel IP prefix is assigned to the UPF.
- the SMF sends an authorization request to the AAA, and simultaneously sends the session address and the secondary ID of the UE to the AAA.
- the SMF may also send any one or more of the UE's SUPI, the UE's PEI, and the UE's external ID to the AAA.
- the SMF may find the external ID of the UE from the subscription data of the UE.
- the SMF may send the information to be sent to the AAA through the AAR message of the diameter protocol.
- AAA checks whether the UE has the right to access the DN. If the UE does not have permission to access the DN, an authorization failure is returned. If the UE has permission to access the DN, the process continues.
- the AAA sends an AAA message of the diameter protocol to the SMF, including the authorization result.
- the authorization result is authorization information, indicating the authority of the PDU session to be established for the UE.
- the authorization information indicates that the PDU session only allows access to the AAA, and further limits the maximum transmission rate of the PDU session to a small value.
- the PDU session has permission to access AAA as well as a DNS server and/or a DHCP server.
- the PDU session is allowed to access the DHCP server, so that the UE can obtain an IP address through DHCP.
- the PDU session is allowed to access the DNS server, so that the UE can query the address of the AAA/AAA proxy through the DNS.
- the SMF informs the PCF of the information of the PDU session, where the address of the PDU session (ie, the session address) is included.
- the SMF may also send one or more IDs of the UE to the PCF.
- the PCF sends the policy of the PDU session to the SMF.
- the policy of the PDU session indicates that the PDU session only allows access to the AAA, and further, the threshold value of the maximum transmission rate of the PDU session can be characterized, and the threshold is a small transmission rate.
- At least one of the steps 407 and 409 indicates that the PDU session only allows access to the AAA.
- the SMF informs the UPF of the information of the PDU session, where the address and processing rule of the PDU session are included.
- the processing rule of the foregoing PDU session is generated by the SMF according to the policy of the received PDU session, and the UPF ensures that the PDU session does not exceed the authorized range by executing the processing rule of the PDU session.
- the processing rule may indicate that the PDU session only allows access to the AAA, and the maximum transmission rate of the PDU session cannot exceed a threshold.
- the UPF responds to the SMF.
- the SMF sends a PDU session establishment response to the AMF.
- the AMF forwards the PDU session establishment response to the UE.
- the UE obtains an address of the PDU session.
- the address of the PDU session is the Ethernet address of the UE. If the PDU type is not an Ethernet type, such as an IP type or an unstructured type, the PDU session address is allocated by the SMF for the UE, and the SMF sends the address assigned to the UE to the UE through another message, such as a message of the DHCP protocol. Alternatively, a message may be sent between steps 414-415 to inform the UE of the assigned address.
- the AAA authenticates the UE by using the established PDU session.
- the authentication message is transmitted through the PDU.
- the PDU type is IP
- the PDU type is Ethernet
- any Ethernet-based authentication protocol such as PPPoE and EAPoL, can be used.
- the AAA determines, according to the authentication result, whether the PDU session needs to be changed or released.
- the AAA determines that the PDU session needs to be modified, so that the PDU session can access network elements other than the AAA, and/or so that the UE can access network elements other than the AAA through the PDU session at a larger transmission rate. If the authentication is successful, the AAA determines that the PDU session needs to be released.
- the correspondence between the authentication result and the PDU session can be determined by the address of the PDU session.
- the source address or the source tunnel address of the PDU carrying the authentication result is the address of the PDU session corresponding to the authentication result.
- the AAA sends a request to modify the PDU session or release the PDU session.
- the request can be sent to the SMF. If the request to modify the PDU session is used, the RAR message of the diameter protocol is used. If the request to release the PDU session is used, the ASR message of the diameter protocol is used.
- the request may also be sent to the PCF; if the request for modifying the PDU session is used, the AAR message of the diameter protocol is used; if the request for releasing the PDU session is used, the AAR message or the STR message of the diameter protocol is used.
- the request sent by the AAA includes the address of the PDU session, which is used to identify the PDU session, and may also include one or more IDs of the UE to assist in identifying the PDU session.
- if the AAA has previously sent this information to the PCF (for example, the AAA has previously sent a request to modify the PDU session through the PCF, and the request contained this information), it is not necessary to include this information.
- PCF further triggers SMF modification or release PDU session.
- the SMF changes or releases the PDU session.
- the AAA receives a response to modify the PDU session or release the PDU session.
- the response can be sent by the SMF to the AAA (step 419a). If it is a response to modifying the PDU session, the response message is the RAA message of the diameter protocol. If it is a response to releasing the PDU session, the response message is the ASA message of the diameter protocol.
- the PCF receives the response of the SMF (step 419b1); further, the PCF sends a response to the AAA (step 419b2). If it is a response to modifying the PDU session, the response message sent by the PCF is the AAA message of the diameter protocol (this diameter message happens to have the same name as the AAA network element in the standard). If it is a response to releasing the PDU session, the response message is an AAA message or an STA message of the diameter protocol.
- the SMF obtains the Ethernet address of the UE, or allocates an IP address/prefix used by the UE or used by the UE for the UE.
- the SMF sends the address to the AAA in the diameter message of the authorization request, so that the DN can identify the PDU of the PDU session, so that when the UE is authenticated again after the PDU session is established, the PDU session corresponding to the authentication result can be associated. Then, when the authentication succeeds or fails, the AAA knows which PDU session is modified or released.
- this embodiment implements support for multiple authentication protocols by using AAA to trigger modification and release of the PDU session without requiring additional modification of the 3GPP network.
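The restricted session of this embodiment (access only to the AAA and optionally DNS/DHCP at a small maximum rate, widened by a later PDU session modification) can be illustrated with a UPF-side enforcement sketch. This is an added example, not code from the patent; the `ProcessingRule` and `SessionEnforcer` names, the token-bucket rate limiter and every address and rate value are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class ProcessingRule:
    """Rule the SMF derives from the authorization result and PCF policy (hypothetical shape)."""
    allowed_destinations: Optional[FrozenSet[str]]  # None means no destination restriction
    max_bytes_per_second: int


class SessionEnforcer:
    """UPF-side state for one PDU session: destination filter plus token bucket."""

    def __init__(self, session_address, rule, now=0.0):
        self.session_address = session_address
        self.modify(rule, now)

    def modify(self, rule, now):
        """Apply a PDU session modification: replace the rule and refill the bucket."""
        self.rule = rule
        self._tokens = float(rule.max_bytes_per_second)
        self._last = now

    def handle_uplink(self, src, dst, size, now):
        """Return 'forward' or the reason the uplink PDU is dropped."""
        if src != self.session_address:
            return "drop:source"
        allowed = self.rule.allowed_destinations
        if allowed is not None and dst not in allowed:
            return "drop:destination"
        rate = self.rule.max_bytes_per_second
        elapsed = max(0.0, now - self._last)
        self._tokens = min(float(rate), self._tokens + elapsed * rate)
        self._last = now
        if size > self._tokens:
            return "drop:rate"
        self._tokens -= size
        return "forward"


# Constructed addresses and rates.
UE, AAA, DNS, APP = "10.45.0.7", "203.0.113.10", "203.0.113.53", "198.51.100.20"
RESTRICTED = ProcessingRule(frozenset({AAA, DNS}), 2000)   # before authentication
FULL = ProcessingRule(None, 1_000_000)                     # after session modification


def run_scenario():
    """Replay a constructed sequence: restricted session, then modification."""
    enf = SessionEnforcer(UE, RESTRICTED, now=0.0)
    verdicts = [
        enf.handle_uplink(UE, AAA, 1200, 0.0),    # authentication traffic
        enf.handle_uplink(UE, APP, 100, 0.1),     # outside the authorized range
        enf.handle_uplink(UE, DNS, 1000, 0.2),    # lookup of the AAA address
        enf.handle_uplink(UE, AAA, 1200, 0.25),   # exceeds the small rate cap
    ]
    enf.modify(FULL, now=1.0)                     # AAA-triggered modification applied
    verdicts.append(enf.handle_uplink(UE, APP, 1200, 1.0))
    verdicts.append(enf.handle_uplink("10.45.0.99", APP, 100, 1.1))
    return verdicts
```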
- the embodiment of the present invention further provides a session processing method, which uses an agent network element AAA proxy whose data network element is AAA as an example, and introduces an authorization process for granting and canceling/authorizing the PDU session to implement the authentication process on the user plane, such as As shown in FIG. 8, the method includes the following steps:
- the UE sends a PDU session establishment request to the AMF and a secondary ID of the UE.
- the UE sends its own Ethernet address along with the request to the AMF.
- the AMF sends the PDU session establishment request of the UE together with the SUPI of the UE, the PEI of the UE, and the secondary ID of the UE to the SMF.
- the Ethernet address of the UE is also sent to the SMF.
- the SMF determines that the AAA needs to authenticate the UE or authorize the PDU session of the UE.
- the SMF may determine whether the AAA needs to authenticate the UE or authorize the PDU session of the UE according to a locally pre-stored policy (for example, AAA authentication and authorization is required for accessing the DN); or use the related indication carried by the PDU session establishment request sent by the UE as the judgment basis; or, between steps 502 and 503, the SMF reads the subscription information of the UE from the UDM and determines, according to the related policy in the subscription information, whether the AAA needs to authenticate the UE or authorize the PDU session of the UE.
- the SMF allocates a session address to the UE.
- the SMF uses the Ethernet address of the UE received in step 503 as the session address to be used by the UE; step 504 can then be skipped and step 505 performed directly.
- step 504 is performed. Specifically, if the PDU session type is IPv4, the SMF allocates an IP address to the UE as the session address that the UE will use; if the PDU session type is IPv6, the SMF allocates an IP prefix to the UE as the session address to be used by the UE. If the PDU session type is unstructured, the SMF allocates a tunnel IP address or a tunnel IP prefix to the UE as the session address to be used by the UE. The tunnel IP address or tunnel IP prefix is assigned to the UPF.
- the SMF sends an authorization request to the AAA proxy, and sends the session address and the secondary ID to the AAA proxy.
- the SMF may further send any one or more of the UE's SUPI, the UE's PEI, and the UE's external ID to the AAA proxy.
- the SMF may find the external ID of the UE from the subscription data of the UE.
- the SMF may send the message to be sent to the AAA proxy through the AAR message of the diameter protocol.
- the AAA proxy sends an authorization request to the AAA, where the request includes the secondary ID of the UE.
- the AAA checks whether the UE has the right to access the DN. If there is permission, the return authorization is successful and the process continues.
- steps 506 and 507 are optional steps.
- the AAA proxy sends an AAA message of the diameter protocol to the SMF, including the authorization result.
- the authorization result is authorization information, indicating the authority of the PDU session to be established for the UE.
- the authorization information indicates that the PDU session only allows access to the AAA proxy, and further, the maximum transmission rate of the PDU session can be limited to a smaller value.
- the PDU session has permission to access the AAA proxy and the DNS server and/or the DHCP server.
- the PDU session is allowed to access the DHCP server, so that the UE can obtain an IP address through DHCP.
- the PDU session is allowed to access the DNS server, so that the UE can query the address of the AAA/AAA proxy through the DNS.
- the SMF informs the PCF of the information of the PDU session, which includes the address of the PDU session.
- the SMF may also send one or more IDs of the UE to the PCF.
- the PCF sends the policy of the PDU session to the SMF.
- the policy of the PDU session indicates that the PDU session only allows access to the AAA, and further, the threshold value of the maximum transmission rate of the PDU session can be characterized, and the threshold is a small transmission rate. It should be noted that at least one of the two steps of step 508 and step 510 indicates that the PDU session only allows access to the AAA proxy.
- the SMF informs the UPF of the PDU session information, including the address of the PDU session and the processing rules of the PDU session.
- the processing rule of the foregoing PDU session is generated by the SMF according to the policy of the received PDU session, and the UPF ensures that the PDU session does not exceed the authorized range by executing the processing rule of the PDU session.
- the processing rule may indicate that the PDU session only allows access to the AAA, and the maximum transmission rate of the PDU session cannot exceed a threshold.
- the UPF responds to the SMF.
- the SMF sends a PDU session establishment response to the AMF.
- the AMF forwards the PDU session establishment response to the UE.
- the UE obtains an address of the PDU session.
- the address of the PDU session is the Ethernet address of the UE. If the PDU type is not an Ethernet type, such as an IP type or an unstructured type, the address of the PDU session is allocated by the SMF for the UE, and the SMF sends the address assigned to the UE to the UE through another message, such as a message of the DHCP protocol. Alternatively, a message may be sent between steps 515-516 to inform the UE of the assigned address.
- the AAA authenticates the UE by using the established PDU session.
- the authentication message is transmitted between the UE and the AAA proxy through the PDU, and the AAA proxy forwards the authentication message to the AAA and the UE.
- any IP-based authentication protocol such as the SIP protocol
- any Ethernet-based authentication protocol such as PPPoE protocol and EAPoL protocol, can be used.
- the AAA proxy determines whether the PDU session needs to be changed or released according to the authentication result.
- the AAA determines that the PDU session needs to be modified, so that the PDU session can access network elements other than the AAA, and/or so that the UE can access network elements other than the AAA proxy through the PDU session at a larger transmission rate. If the authentication is successful, the AAA determines that the PDU session needs to be released.
- the correspondence between the authentication result and the PDU session can be determined by the address of the PDU session.
- the source address or the source tunnel address identifier of the PDU of the uplink traffic may determine that the authentication corresponds to the PDU session.
- the source address or the source tunnel address of the PDU carrying the authentication result is the address of the PDU session corresponding to the authentication result.
- the destination address or the destination tunnel address of the PDU of the downlink traffic may determine that the authentication corresponds to the PDU session. If the PDU type is IPv4, the source IP address of the uplink PDU and the destination IP address of the downlink PDU are the same as the IP address obtained in step 505; if the PDU type is IPv6, the source IP address of the uplink PDU and the destination IP address of the downlink PDU match the IP prefix obtained in step 507; if the PDU type is Ethernet, the source Ethernet address of the uplink PDU and the destination Ethernet address of the downlink PDU are the same as the Ethernet address obtained in step 505; if the PDU type is unstructured, the source tunnel address of the uplink PDU and the destination tunnel address of the downlink PDU match the tunnel IP address or tunnel IP prefix obtained in step 505.
- according to the result of step 517, the AAA proxy sends a request to modify the PDU session or release the PDU session (step 518).
- the request can be sent to the SMF. If the request to modify the PDU session is used, the RAR message of the diameter protocol is used. If the request to release the PDU session is used, the ASR message of the diameter protocol is used.
- the request may also be sent to the PCF; if the request for modifying the PDU session is used, the AAR message of the diameter protocol is used; if the request for releasing the PDU session is used, the AAR message or the STR message of the diameter protocol is used.
- the request sent by the AAA includes the address of the PDU session, which is used to identify the PDU session, and may also include one or more IDs of the UE to assist in identifying the PDU session.
- if the AAA has previously sent this information to the PCF (for example, the AAA proxy has previously sent a request to modify the PDU session through the PCF, and the request contained this information), it is not necessary to include this information.
- PCF further triggers SMF modification or release PDU session.
- the SMF changes or releases the PDU session.
- the AAA proxy receives a response to the request to change the PDU session or to release the PDU session.
- the response can be sent by the SMF to the AAA proxy (step 520a). If it is a response to modifying the PDU session, the response message is the RAA message of the diameter protocol. If it is a response to releasing the PDU session, the response message is the ASA message of the diameter protocol.
- the PCF receives the response of the SMF (step 520b1); further, the PCF sends a response to the AAA proxy (step 520b2). If it is a response to modifying the PDU session, the response message sent by the PCF is the AAA message of the diameter protocol (this diameter message happens to have the same name as the AAA network element in the standard). If it is a response to releasing the PDU session, the response message is an AAA message or an STA message of the diameter protocol.
- an AAA proxy is added, and most steps performed by the AAA in the previous embodiment are transferred to the AAA proxy.
- the AAA in this embodiment may be an S-CSCF network element in an IP multimedia subsystem (IMS), and the AAA proxy may be a P-CSCF network element in the IMS.
- IMS: IP multimedia subsystem.
- the SMF obtains the Ethernet address of the UE, or allocates to the UE the IP address/prefix used by the UE.
- the SMF sends the address to the AAA proxy in the diameter message of the authorization request, so that the AAA proxy can identify the PDUs of the PDU session, and so that when the UE is authenticated again after the PDU session is established, the authentication result can be associated with the PDU session.
- the AAA proxy knows which PDU session is modified or released.
- the embodiment of the present invention further provides a session processing method, which takes as an example the case where the data network element is the AAA proxy, a proxy network element of the AAA, and describes a process of granting and canceling authorization of the PDU session so that the authentication process is carried out on the user plane. As shown in FIG. 9, the method includes the following steps:
- the UE sends a PDU session establishment request and a secondary ID of the UE to the AMF.
- the UE sends its own Ethernet address along with the request to the AMF.
- the AMF sends the PDU session establishment request of the UE together with the SUPI of the UE, the PEI of the UE, and the secondary ID of the UE to the SMF.
- the Ethernet address of the UE is also sent to the SMF.
- the SMF determines that the PDU session of the UE needs to be authenticated and/or authorized by the AAA.
- the SMF determines that AAA authentication of the UE or AAA authorization of the PDU session of the UE is required.
- the SMF may determine whether AAA authentication of the UE or AAA authorization of the PDU session of the UE is required according to a locally pre-stored policy (for example, AAA authentication and authorization is required for accessing the DN); or it may use a related indication in the PDU session establishment request sent by the UE as the basis for the judgment; or, between steps 602 and 603, the SMF reads the subscription information of the UE from the UDM and determines, according to the related policy in the subscription information, whether AAA authentication of the UE or AAA authorization of the PDU session of the UE is required.
- the SMF allocates a session address to the UE.
- the SMF uses the Ethernet address of the UE received in step 603 as the session address that the UE will use; step 604 may then be skipped and step 605 performed directly.
- step 604 is performed. Specifically, if the PDU session type is IPv4, the SMF allocates an IP address to the UE as the session address that the UE will use; if the PDU session type is IPv6, the SMF allocates an IP prefix to the UE as the session address to be used by the UE. If the PDU session type is unstructured, the SMF allocates a tunnel IP address or a tunnel IP prefix to the UE as the session address to be used by the UE. The tunnel IP address or tunnel IP prefix is assigned to the UPF.
- the SMF sends an authorization request to the AAA or AAA proxy, and also sends the session address and the secondary ID to the AAA or AAA proxy.
- the SMF may also send any one or more of the UE's SUPI, the UE's PEI, and the UE's external ID to the AAA proxy or AAA.
- the SMF may find the external ID of the UE from the subscription data of the UE.
- the SMF may send the message to be sent to the AAA proxy or AAA through the AAR message of the diameter protocol.
- the AAA/AAA proxy starts a timer.
- the AAA/AAA proxy sends an AAA message or a DEA message of the diameter protocol to the SMF, including the authorization result.
- the authorization result is authorization information, indicating the authority of the PDU session to be established for the UE.
- the authorization information indicates that the PDU session only allows access to the AAA or AAA proxy, and further, the maximum transmission rate of the PDU session can be limited to a smaller value.
- the PDU session has permission to access the AAA proxy and the DNS server and/or the DHCP server.
- the PDU session is allowed to access the DHCP server, so that the UE can obtain an IP address through DHCP.
- the PDU session is allowed to access the DNS server, so that the UE can query the address of the AAA/AAA proxy through the DNS.
- the order of step 606 and step 607 can be exchanged. That is, the timer is started after the AAA/AAA proxy sends the AAA message or the DEA message of the diameter protocol to the SMF.
- the SMF informs the PCF of the information of the PDU session, where the address of the PDU session is included.
- the SMF may also send one or more IDs of the UE to the PCF.
- the PCF sends the policy of the PDU session to the SMF.
- the policy of the PDU session indicates that the PDU session only allows access to the AAA, and may further specify a threshold for the maximum transmission rate of the PDU session, the threshold being a relatively small transmission rate.
- At least one of the steps 607 and 609 indicates that the PDU session only allows access to the AAA or AAA proxy.
- the SMF informs the UPF of the information of the PDU session, where the address of the PDU session and the processing rule of the PDU session are included.
- the processing rule of the foregoing PDU session is generated by the SMF according to the policy of the received PDU session, and the UPF ensures that the PDU session does not exceed the authorized range by executing the processing rule of the PDU session.
- the processing rule may indicate that the PDU session only allows access to the AAA or AAA proxy, and the maximum transmission rate of the PDU session cannot exceed a threshold.
- the UPF responds to the SMF.
- the SMF sends a PDU session establishment response to the AMF.
- the AMF forwards the PDU session establishment response to the UE.
- the UE obtains a PDU session address.
- the PDU session address is the Ethernet address of the UE. If the PDU type is not an Ethernet type, such as an IP type or an unstructured type, the PDU session address is allocated by the SMF for the UE, and the SMF sends the address assigned to the UE to the UE through another message, such as a message using the DHCP protocol. Alternatively, a message may be sent between steps 614-615 to inform the UE of the assigned address.
- the timer expires without the AAA/AAA proxy having received a PDU of the PDU session sent by the UE, and the AAA/AAA proxy determines that the PDU session needs to be released.
- the AAA/AAA proxy can identify the PDU of the PDU session according to the address obtained in step 605.
- the source address or source tunnel address of a PDU can be used to determine whether the PDU corresponds to the PDU session. For example, if the PDU type is IPv4, the source IP address of the PDU is consistent with the IP address obtained in step 605; if the PDU type is IPv6, the source IP address of the PDU matches the IP prefix obtained in step 605; if the PDU type is Ethernet, the source Ethernet address of the PDU is the same as the Ethernet address obtained in step 605; if the PDU type is unstructured, the source tunnel address of the PDU matches the tunnel IP address or tunnel IP prefix obtained in step 605.
- the AAA/AAA proxy sends a request to release the PDU session.
- the AAA/AAA proxy can send the request to the SMF.
- the request to release the PDU session uses the ASR message of the diameter protocol.
- the AAA/AAA proxy sends the request to the PCF; in this case the request to release the PDU session uses the AAR message or the STR message of the diameter protocol.
- the request sent by the AAA proxy/AAA includes the address of the PDU session, which is used to identify the PDU session, and may also include one or more IDs of the UE to assist in identifying the PDU session. If the AAA proxy/AAA has previously sent this information to the PCF (for example, if the AAA proxy/AAA has sent a request to modify the PDU session through the PCF, and that request contained this information), it is not necessary to include this information.
- PCF further triggers the SMF to release the PDU session.
- the SMF releases the PDU session.
- the AAA proxy/AAA receives a response to release the PDU session.
- the response can be sent by the SMF to the AAA proxy (step 618a).
- the response message for releasing the PDU session is the ASA message of the diameter protocol.
- the PCF receives the response of the SMF (step 618b1); further, the PCF sends a response to the AAA proxy (step 618b2).
- the response message for releasing the PDU session is the AAA message or the STA message of the diameter protocol.
- the SMF can obtain the Ethernet address of the UE, or allocate the IP address/prefix used by the UE or used by the UE to the UE.
- the SMF sends the address to the AAA/AAA proxy in the diameter message of the authorization request, so that the AAA/AAA proxy can identify the PDUs of the PDU session; when the timer expires and no PDU for authentication of the PDU session has been received, the AAA/AAA proxy determines to release the PDU session, and the AAA/AAA proxy triggers the release of the PDU session through the PCF.
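The timer and PDU-matching behaviour described above, sketched in Python as an added example (not code from the patent): the AAA/AAA proxy records the session address received with the authorization request, matches incoming PDUs to it according to the PDU type, and lists the sessions to release once the timer has expired. The class and field names, the timeout value and the sample addresses are assumptions, and the release request is a plain dict rather than an encoded diameter ASR message.

```python
import ipaddress
from dataclasses import dataclass

# PDU session types named in the description.
IPV4, IPV6, ETHERNET, UNSTRUCTURED = "ipv4", "ipv6", "ethernet", "unstructured"


def _norm_mac(mac: str) -> str:
    """Normalise an Ethernet address so '02-00-5E-..' equals '02:00:5e:..'."""
    return mac.replace("-", ":").lower()


@dataclass
class PendingSession:
    pdu_type: str
    session_address: str      # address carried with the authorization request
    secondary_id: str         # secondary ID of the UE
    deadline: float           # time at which the timer for this session expires
    auth_pdu_seen: bool = False

    def matches(self, source: str) -> bool:
        """True if a PDU with this source address belongs to the session.

        `source` is the source IP address, source Ethernet address or source
        tunnel address of the PDU, depending on the PDU type.
        """
        try:
            if self.pdu_type == ETHERNET:
                return _norm_mac(source) == _norm_mac(self.session_address)
            src = ipaddress.ip_address(source)
            if self.pdu_type == IPV4:
                return src == ipaddress.ip_address(self.session_address)
            # IPv6: the session address is a prefix. Unstructured: it is a
            # tunnel IP address or tunnel IP prefix (a bare address parses
            # as a single-host network).
            return src in ipaddress.ip_network(self.session_address, strict=False)
        except ValueError:
            return False      # malformed address never matches


class AuthWatchdog:
    """Hypothetical bookkeeping inside the AAA/AAA proxy."""

    def __init__(self, timeout_s: float):
        self.timeout_s = timeout_s
        self.sessions = []

    def on_authorization_request(self, pdu_type, session_address, secondary_id, now):
        """Record the session and start its timer."""
        session = PendingSession(pdu_type, session_address, secondary_id,
                                 deadline=now + self.timeout_s)
        self.sessions.append(session)
        return session

    def on_pdu(self, source, now):
        """Return the session a received PDU belongs to, or None."""
        for session in self.sessions:
            if session.matches(source):
                if now <= session.deadline:
                    session.auth_pdu_seen = True
                return session
        return None

    def expire(self, now):
        """Release requests for sessions whose timer ran out with no PDU seen."""
        keep, releases = [], []
        for session in self.sessions:
            if not session.auth_pdu_seen and now > session.deadline:
                # The request carries the session address and may carry UE IDs.
                releases.append({"message": "ASR",
                                 "session_address": session.session_address,
                                 "ue_ids": [session.secondary_id]})
            else:
                keep.append(session)
        self.sessions = keep
        return releases


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges, made-up IDs).
    wd = AuthWatchdog(timeout_s=30)
    wd.on_authorization_request(IPV4, "10.45.0.7", "user-a", now=0)
    wd.on_authorization_request(IPV6, "2001:db8:1:2::/64", "user-b", now=0)
    wd.on_pdu("2001:db8:1:2::abcd", now=5)
    print(wd.expire(now=31))   # only the IPv4 session is released
```

A PDU that arrives after the deadline is still attributed to its session but does not stop the release, which mirrors the "timer expires and no PDU has been received" condition.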
- each network element, such as an SMF and a data network element, includes a hardware structure and/or a software module for performing each function in order to implement the above functions.
- the present application can be implemented in hardware or in a combination of hardware and computer software, in conjunction with the algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or by computer software driving hardware depends on the specific application and design constraints of the solution. The skilled person can use different methods for each particular application to implement the described functionality, but such implementation should not be considered beyond the scope of this application.
- the embodiments of the present application may perform functional module division on the SMF and the data network element according to the foregoing method.
- each functional module may be divided according to each function, or two or more functions may be integrated into one processing module.
- the above integrated modules can be implemented in the form of hardware or in the form of software functional modules. It should be noted that the division of the modules in the embodiment of the present application is schematic, and only one logical function is divided, and the actual implementation may have another division manner.
- FIG. 10 is a schematic diagram showing a possible composition of the session management function network element SMF involved in the foregoing embodiment.
- the base station may include: the receiving unit 701, the determining unit 702, the transmitting unit 703, and the establishing unit 704.
- the receiving unit 701 is configured to support the SMF to perform step 101 in the session processing method shown in FIG. 4.
- the determining unit 702 is configured to support the SMF to perform step 102 in the session processing method shown in FIG.
- the sending unit 703 is configured to support the SMF to perform step 103 in the session processing method shown in FIG. 4.
- the establishing unit 704 is configured to support the SMF to perform step 104 in the session processing method shown in FIG. 4.
- the SMF provided by the embodiment of the present application is used to perform the transmission method of the above-mentioned discovery signal, so that the same effect as the transmission method of the above-mentioned discovery signal can be achieved.
- Fig. 11 shows another possible composition diagram of the SMF involved in the above embodiment.
- the SMF includes: a processing module 801 and a communication module 802.
- the processing module 801 is configured to control and manage the actions of the server.
- the processing module 801 is configured to support the SMF to perform steps 102, 105, and/or other processes for the techniques described herein in FIG.
- the communication module 802 is configured to support communication between the SMF and other network entities, such as the UPF shown in FIG.
- the SMF may further include a storage module 803 for storing program code and data of the server.
- the processing module 801 can be a processor or a controller. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
- the processor can also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
- the communication module 802 can be a transceiver, a transceiver circuit, a communication interface, or the like.
- the storage module 803 can be a memory.
- the SMF involved in the embodiment of the present application may be the session management function network element shown in FIG. 2.
- FIG. 12 is a schematic diagram showing a possible composition of the data network element involved in the foregoing embodiment.
- the data network element may include: a receiving unit 901, a sending unit 902, a detecting unit 903, and a generating unit 904.
- the data network element may be a network element in the DN shown in FIG.
- the receiving unit 901 is configured to support the data network element to perform step 103 in the session processing method shown in FIG. 4.
- the sending unit 902 is configured to support the data network element to perform step 104 in the session processing method shown in FIG. 4, and the step, in step 107, in which the session processing request generated by the generating unit instructs the SMF to process the session of the UE.
- the detecting unit 903 is configured to support the data network element to perform the steps in the session processing method shown in FIG.
- the generating unit 904 is configured to support the step of the data network element performing the "generating the session processing request" in step 107 in the session processing method shown in FIG.
- the data network element provided by the embodiment of the present application is configured to perform the foregoing transmission method of the discovery signal, so that the same effect as the transmission method of the discovery signal described above can be achieved.
- Fig. 13 shows another possible composition diagram of the data network element involved in the above embodiment.
- the data network element includes: a processing module 1001 and a communication module 1002.
- the processing module 1001 is configured to control and manage the actions of the data network element.
- the processing module 1001 is configured to support the SMF to perform steps 106, 107, and/or other processes for the techniques described herein.
- Communication module 1002 is operative to support communication between data network elements and other network entities, such as the UPF shown in FIG.
- the data network element may further include a storage module 1003 for storing program code and data of the data network element.
- the processing module 1001 can be a processor or a controller. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the disclosure herein.
- the processor can also be a combination of computing functions, such as one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
- the communication module 1002 can be a transceiver, a transceiver circuit, a communication interface, or the like.
- the storage module 1003 can be a memory.
- the processing module 1001 is a processor
- the communication module 502 is a transceiver
- the storage module 503 is a memory
- the data network element involved in the embodiment of the present application may be the data network element shown in FIG. 3.
- the disclosed system, apparatus, and method may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the division of the modules or units is only a logical function division.
- there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
- the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or other form.
- the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, i.e., may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solution of the embodiment.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
- the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
- a computer readable storage medium includes: a medium that can store program code, such as a flash memory, a removable hard disk, a read only memory, a random access memory, a magnetic disk, or an optical disk.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Mobile Radio Communication Systems (AREA)
Priority Applications (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
BR112020001139-8A BR112020001139A2 (pt) | 2017-07-20 | 2017-07-20 | Session processing method, session management function (SMF) network element, data network network element, and session management network element |
CN201780082837.7A CN110199513B (zh) | 2017-07-20 | 2017-07-20 | Session processing method and device |
PCT/SG2017/050367 WO2019017836A1 (zh) | 2017-07-20 | 2017-07-20 | Session processing method and device |
EP23188049.3A EP4325988A1 (en) | 2017-07-20 | 2017-07-20 | Session processing method and device |
JP2020502608A JP6926317B2 (ja) | 2017-07-20 | 2017-07-20 | Session processing method and device |
EP17918431.2A EP3565371A4 (en) | 2017-07-20 | 2017-07-20 | SESSION PROCESSING METHOD AND DEVICE |
US16/659,334 US11425202B2 (en) | 2017-07-20 | 2019-10-21 | Session processing method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/SG2017/050367 WO2019017836A1 (zh) | 2017-07-20 | 2017-07-20 | Session processing method and device |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/659,334 Continuation US11425202B2 (en) | 2017-07-20 | 2019-10-21 | Session processing method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019017836A1 true WO2019017836A1 (zh) | 2019-01-24 |
Family
ID=65015280
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/SG2017/050367 WO2019017836A1 (zh) | 2017-07-20 | 2017-07-20 | Session processing method and device |
Country Status (6)
Country | Link |
---|---|
US (1) | US11425202B2 (zh) |
EP (2) | EP4325988A1 (zh) |
JP (1) | JP6926317B2 (zh) |
CN (1) | CN110199513B (zh) |
BR (1) | BR112020001139A2 (zh) |
WO (1) | WO2019017836A1 (zh) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111836319A (zh) * | 2019-08-23 | 2020-10-27 | 维沃移动通信有限公司 | Method and device for obtaining a domain name address |
CN113115468A (zh) * | 2021-02-26 | 2021-07-13 | 深圳艾灵网络有限公司 | Control method and apparatus for a 5G local network, server, system, and storage medium |
CN114040514A (zh) * | 2021-12-08 | 2022-02-11 | 中国联合网络通信集团有限公司 | Communication method and device |
JP2022530238A (ja) * | 2019-04-29 | 2022-06-28 | テレフオンアクチーボラゲット エルエム エリクソン(パブル) | User plane integrity protection |
CN115150829A (zh) * | 2022-09-02 | 2022-10-04 | 北京首信科技股份有限公司 | Network access permission management method and apparatus |
EP4044637A4 (en) * | 2019-10-29 | 2022-12-07 | China Mobile Communication Co., Ltd. Research Institute | METHOD AND APPARATUS FOR ASSIGNING USER DEVICE IDENTIFIERS AND COMPUTER READABLE STORAGE MEDIA |
WO2023016397A1 (zh) * | 2021-08-10 | 2023-02-16 | 维沃移动通信有限公司 | Computing session release method, device, and readable storage medium |
WO2023174150A1 (zh) * | 2022-03-17 | 2023-09-21 | 华为技术有限公司 | Access control method and apparatus |
WO2024017181A1 (zh) * | 2022-07-22 | 2024-01-25 | 维沃移动通信有限公司 | Device authorization method and apparatus, and network-side device |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
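CN111211912B (zh) * | 2018-04-28 | 2020-11-10 | 华为技术有限公司 | Charging method and apparatus |
CN112640370B (zh) * | 2018-08-13 | 2023-05-09 | 交互数字专利控股公司 | Method and apparatus for layer-2 forwarding of multicast packets |
CN113079505B (zh) * | 2019-12-18 | 2023-03-21 | 中移雄安信息通信科技有限公司 | User authentication method, core-network-side device, and computer-readable storage medium |
CN113382375B (zh) * | 2020-03-09 | 2022-10-25 | 华为技术有限公司 | Communication method, apparatus, and system |
US20230224272A1 (en) * | 2020-05-13 | 2023-07-13 | Telefonaktiebolaget Lm Ericsson (Publ) | Reuse of ip addresses |
CN111970333A (zh) * | 2020-07-29 | 2020-11-20 | 深圳市钱海网络技术有限公司 | Method and apparatus for coexistence of two sessions on the same client |
CN112153641B (zh) * | 2020-09-09 | 2022-09-13 | 上海微波技术研究所(中国电子科技集团公司第五十研究所) | Edge-UPF-based secondary authentication enhancement and end-to-end encryption method and system |
CN112671647B (zh) * | 2020-11-26 | 2022-07-12 | 新华三技术有限公司 | Method and device for establishing a path detection session |
CN113114650B (zh) * | 2021-04-02 | 2024-04-23 | 腾讯科技(深圳)有限公司 | Method, apparatus, device, and medium for resolving network attacks |
WO2023152844A1 (ja) * | 2022-02-09 | 2023-08-17 | 日本電信電話株式会社 | Mobile network control device, external network control device, mobile network control method, external network control method, mobile network control program, and external network control program |
CN114980066B (zh) * | 2022-05-11 | 2024-03-01 | 维沃移动通信有限公司 | Voice call method and apparatus, and electronic device |
CN115842697B (zh) * | 2023-02-01 | 2023-05-23 | 阿里巴巴(中国)有限公司 | Access control method for a private network, and control method and device for a virtual reality device |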
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106302638A (zh) * | 2016-07-27 | 2017-01-04 | 华为技术有限公司 | Data management method, forwarding device, and system |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6154465A (en) | 1998-10-06 | 2000-11-28 | Vertical Networks, Inc. | Systems and methods for multiple mode voice and data communications using intelligenty bridged TDM and packet buses and methods for performing telephony and data functions using the same |
US20090059818A1 (en) | 1998-04-03 | 2009-03-05 | Pickett Scott K | Systems and methods for providing configurable caller id iformation |
US7415026B2 (en) | 2002-02-04 | 2008-08-19 | Qualcomm Incorporated | Method and apparatus for session release in a communication system |
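CN1232079C (zh) | 2002-09-30 | 2005-12-14 | 华为技术有限公司 | Method for handling user-initiated offline when a wireless local area network interworks with a mobile communication system |
JP3987539B2 (ja) | 2005-02-02 | 2007-10-10 | 株式会社エヌ・ティ・ティ・ドコモ | Session information management method and session information management device |
CN101202710A (zh) * | 2006-12-11 | 2008-06-18 | 华为技术有限公司 | Message delivery report processing method and system, and message interworking entity and terminal |
CN102883376B (zh) * | 2011-07-11 | 2015-09-30 | 华为终端有限公司 | Method, server, and system for a centralized control service user to establish a priority session |
WO2014173252A1 (zh) | 2013-07-26 | 2014-10-30 | 中兴通讯股份有限公司 | Session management method, application function entity, policy server, and protocol converter |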
EP3180944B1 (en) * | 2014-08-11 | 2018-10-24 | Telefonaktiebolaget LM Ericsson (publ) | Access controlling of abnormal terminal devices |
US9882894B2 (en) * | 2015-12-15 | 2018-01-30 | Verizon Patent And Licensing Inc. | Secure authentication service |
CN108702723B (zh) * | 2016-11-27 | 2021-10-08 | Lg 电子株式会社 | Deregistration method in a wireless communication system and apparatus therefor |
CN110235423B (zh) * | 2017-01-27 | 2022-10-21 | 瑞典爱立信有限公司 | Secondary authentication of user equipment |
US10841084B2 (en) * | 2017-02-03 | 2020-11-17 | Qualcomm Incorporated | Session management authorization token |
US10448239B2 (en) * | 2017-02-06 | 2019-10-15 | Qualcomm Incorporated | Mechanism to enable optimized user plane anchoring for minimization of user plane relocation due to user equipment mobility |
-
2017
- 2017-07-20 CN CN201780082837.7A patent/CN110199513B/zh active Active
- 2017-07-20 BR BR112020001139-8A patent/BR112020001139A2/pt unknown
- 2017-07-20 EP EP23188049.3A patent/EP4325988A1/en active Pending
- 2017-07-20 EP EP17918431.2A patent/EP3565371A4/en not_active Ceased
- 2017-07-20 WO PCT/SG2017/050367 patent/WO2019017836A1/zh unknown
- 2017-07-20 JP JP2020502608A patent/JP6926317B2/ja active Active
-
2019
- 2019-10-21 US US16/659,334 patent/US11425202B2/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106302638A (zh) * | 2016-07-27 | 2017-01-04 | 华为技术有限公司 | Data management method, forwarding device, and system |
Non-Patent Citations (6)
Title |
---|
ANONYMOUS: "procedures for the 5G system; stage 2 (release 15)", 3GPP TS 23.502 V0.5.0, 14 July 2017 (2017-07-14), XP055570882, Retrieved from the Internet <URL:http://www.3gpp.org/ftp//Specs/archive/23_series/23.502/> * |
HUAWEI; HISILICON: "TS 23.501: Align PDU session establishment with AF influence on traffic routing and update to DN authorization of PDU session establishment", 3GPP DRAFT, no. S2-174435, 25 June 2017 (2017-06-25), XP051303286 * |
QUALCOMM INCORPORATED: "TS 23.501: Completion of PDU session establishment authentication and alignment to SA3", 3GPP DRAFT, no. S2-175042, 29 June 2017 (2017-06-29), XP051303740 * |
QUALCOMM INCORPORATED: "TS 23.501: Completion of PDU session establishment authentication and alignment to SA3", TS 23.501, no. S2-173113, 19 May 2017 (2017-05-19), XP051281619 * |
SAMSUNG; NEC; ETRI: "23.502: CN-initiated PDU Session Deactivation", 3GPP DRAFT, no. S2-174821, 3 July 2017 (2017-07-03), XP051309880 * |
See also references of EP3565371A4 * |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2022530238A (ja) * | 2019-04-29 | 2022-06-28 | テレフオンアクチーボラゲット エルエム エリクソン(パブル) | User plane integrity protection |
CN111836319A (zh) * | 2019-08-23 | 2020-10-27 | 维沃移动通信有限公司 | Method and device for obtaining a domain name address |
CN111836319B (zh) * | 2019-08-23 | 2023-04-07 | 维沃移动通信有限公司 | Method and device for obtaining a domain name address |
EP4044637A4 (en) * | 2019-10-29 | 2022-12-07 | China Mobile Communication Co., Ltd. Research Institute | METHOD AND APPARATUS FOR ASSIGNING USER DEVICE IDENTIFIERS AND COMPUTER READABLE STORAGE MEDIA |
CN113115468A (zh) * | 2021-02-26 | 2021-07-13 | 深圳艾灵网络有限公司 | Control method and apparatus for a 5G local network, server, system, and storage medium |
WO2023016397A1 (zh) * | 2021-08-10 | 2023-02-16 | 维沃移动通信有限公司 | Computing session release method, device, and readable storage medium |
CN114040514A (zh) * | 2021-12-08 | 2022-02-11 | 中国联合网络通信集团有限公司 | Communication method and device |
CN114040514B (zh) * | 2021-12-08 | 2024-01-12 | 中国联合网络通信集团有限公司 | Communication method and device |
WO2023174150A1 (zh) * | 2022-03-17 | 2023-09-21 | 华为技术有限公司 | Access control method and apparatus |
WO2024017181A1 (zh) * | 2022-07-22 | 2024-01-25 | 维沃移动通信有限公司 | Device authorization method and apparatus, and network-side device |
CN115150829A (zh) * | 2022-09-02 | 2022-10-04 | 北京首信科技股份有限公司 | Network access permission management method and apparatus |
CN115150829B (zh) * | 2022-09-02 | 2022-11-08 | 北京首信科技股份有限公司 | Network access permission management method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
EP3565371A4 (en) | 2020-03-25 |
BR112020001139A2 (pt) | 2020-09-08 |
US20200053165A1 (en) | 2020-02-13 |
JP2020527315A (ja) | 2020-09-03 |
CN110199513A (zh) | 2019-09-03 |
CN110199513B (zh) | 2022-07-19 |
JP6926317B2 (ja) | 2021-08-25 |
EP4325988A1 (en) | 2024-02-21 |
US11425202B2 (en) | 2022-08-23 |
EP3565371A1 (en) | 2019-11-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11425202B2 (en) | Session processing method and device | |
US9112909B2 (en) | User and device authentication in broadband networks | |
US7809003B2 (en) | Method for the routing and control of packet data traffic in a communication system | |
JP5069320B2 (ja) | Support for UICC-less calls | |
JP4376711B2 (ja) | Access management method and device therefor | |
WO2019017840A1 (zh) | Network verification method, related device, and system | |
US20100048161A1 (en) | Method, system and apparatuses thereof for realizing emergency communication service | |
JP2018517352A (ja) | Efficient policy enforcement for downlink traffic using network access tokens - control plane approach | |
KR102390380B1 (ko) | Support of emergency services over WLAN access to 3GPP evolved packet core for unauthenticated users | |
US20180198786A1 (en) | Associating layer 2 and layer 3 sessions for access control | |
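JP2015537471A (ja) | Restricted certificate enrollment for unknown devices in hotspot networks | |
WO2013056619A1 (zh) | Identity federation method, IdP, SP, and system | |
WO2013013481A1 (zh) | Access authentication method, device, server, and system | |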
US9137661B2 (en) | Authentication method and apparatus for user equipment and LIPA network entities | |
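KR101628534B1 (ko) | Virtual 802.1X-based network access control apparatus and network access control method | |
WO2014047923A1 (zh) | Method and apparatus for accessing a network | |
JP2011054182A (ja) | System and method using a digital baton, and firewall, apparatus, and computer-readable medium for authenticating messages | |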
US20180343559A1 (en) | Method and device for obtaining user equipment identifier, and method and device for sending user equipment identifier | |
US10721603B1 (en) | Managing network connectivity using network activity requests | |
JP2006345302A (ja) | Gateway device and program | |
US20230336535A1 (en) | Method, device, and system for authentication and authorization with edge data network | |
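WO2021185347A1 (zh) | Access control method and communication device | |
TWI448128B (zh) | Method and apparatus for interworking authorization of dual stack operation | |
CN117676576A (zh) | Access system and method for non-3GPP devices |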
Legal Events
Date | Code | Title | Description |
---|---|---|---|
ENP | Entry into the national phase |
Ref document number: 2017918431 Country of ref document: EP Effective date: 20190722 |
|
ENP | Entry into the national phase |
Ref document number: 2020502608 Country of ref document: JP Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
REG | Reference to national code |
Ref country code: BR Ref legal event code: B01A Ref document number: 112020001139 Country of ref document: BR |
|
ENP | Entry into the national phase |
Ref document number: 112020001139 Country of ref document: BR Kind code of ref document: A2 Effective date: 20200117 |