WO2019154017A1 - Multipath establishment method and apparatus - Google Patents
Multipath establishment method and apparatus
- Publication number
- WO2019154017A1 (application PCT/CN2019/071509)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- terminal
- path
- address
- service
Classifications
- H04L45/24—Multipath
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
- H04L63/101—Access control lists [ACL]
- H04W12/06—Authentication
- H04W76/15—Setup of multiple wireless link connections
- H04W76/16—Involving different core network technologies, e.g. a packet-switched [PS] bearer in combination with a circuit-switched [CS] bearer
- H04W76/30—Connection release
- H04W76/38—Connection release triggered by timers
- H04W80/06—Transport layer protocols, e.g. TCP [Transport Control Protocol] over wireless
- H04W88/182—Network node acting on behalf of an other network entity, e.g. proxy
Definitions
- the present application relates to the field of communications technologies, and in particular, to a multipath establishing method and apparatus.
- terminals can generally support both Wireless-Fidelity (Wi-Fi) communication and 3rd Generation Partnership Project (3GPP) communication.
- 3GPP 3rd Generation Partnership Project
- TCP Transmission Control Protocol
- MPTCP Multipath Transmission Control Protocol
- the terminal implements multi-path access through the MPTCP proxy server. Specifically, multi-path MPTCP transmission is performed between the terminal and the MPTCP proxy server, and single-path TCP transmission is performed between the MPTCP proxy server and the service server with which the terminal needs to perform the service.
- the security of multiple paths accessed by the terminal cannot be guaranteed, which will seriously affect the security of data transmission of the terminal. Therefore, there is a need for a multi-path establishment method that can improve the security of data transmission.
- the present application provides a multi-path establishment method and apparatus, which can solve the problem of low security of data transmission in the related art.
- the technical solution is as follows:
- a multi-path establishment method which is applied to a proxy device, the method comprising:
- the first network access device is used to access the first network, and the first network implements communication through a base station, that is, the first network may be a network that complies with the 3GPP specifications, for example, the first network may be a Long Term Evolution (LTE) network, etc.
- the terminal accesses the first network through the first network access device, that is, the terminal attaches to the first network.
- the second network access device is configured to access the second network, the second network is a network outside the first network, and the second network does not need to communicate through a base station, that is, the second network may be a network that does not comply with the 3GPP specifications; for example, the second network may be a Digital Subscriber Line (DSL) network, a Wi-Fi network, or the like.
- DSL Digital Subscriber Line
- the terminal accesses the second network through the second network access device, that is, the terminal attaches to the second network.
- the proxy device is used for performing user authentication, that is, for performing identity verification, admission check, and the like for the terminal.
- the proxy device may be a system manager or a proxy server.
- the system manager can provide management and allocation of proxy servers in a multi-proxy-server deployment (i.e., a proxy server cluster), that is, the system manager can allocate a suitable proxy server to the terminal.
- the proxy server is used to implement multi-path access of the terminal under MPTCP, that is, the proxy server can provide the MPTCP proxy function, and the proxy server can perform MPTCP transmission with the terminal and perform TCP transmission with the service server.
- after the terminal accesses the first network through the first network access device, the proxy device performs identity verification on the terminal, and after the terminal accesses the second network through the second network access device, the proxy device performs an admission check on the terminal. After the terminal's identity verification and admission check are both passed, this indicates that the multipath access of the terminal is legitimate. Therefore, the proxy device establishes a first path between the terminal and the service server on the first network, and a second path between the terminal and the service server on the second network. The first path and the second path established at this time are highly secure, so that the data transmission security of the terminal can subsequently be ensured.
- the performing identity verification on the terminal that accesses the first network by using the first network access device includes:
- receiving an identity verification request that is sent by the first network access device and carries a first network address, where the first network address is a network address that is allocated by the first network access device to the terminal;
- the first network address allocated by the first network access device to the terminal is an Internet Protocol (IP) address of the terminal in the first network.
- IP Internet Protocol
- the proxy device may accurately authenticate the terminal according to the first network address allocated by the first network access device to the terminal, so that the legitimacy of the terminal in the first network can be effectively determined.
- the performing an admission check on the terminal that accesses the second network by using the second network access device includes:
- the authentication server is used to provide a security management mechanism for performing access control in network security, and the authentication server may record the login status of the physical address of the device that successfully performs access authentication in the authentication server.
- the proxy device can learn whether the terminal is currently connected to the second network by using the login status of the physical address of the terminal obtained from the authentication server, and accurately perform the admission check of the terminal accordingly, so that the legitimacy of the terminal in the second network can be effectively determined.
- the login status query request carrying the physical address is sent to the authentication server, and the authentication server queries the login status of the physical address;
- the second path is deleted.
- when the proxy device detects that no data transmission is performed on the second path within a preset duration, this indicates that the terminal has not used the second path for a long time, and thus a check of whether the terminal has gone offline may be triggered, that is, the login status of the physical address of the terminal is obtained from the authentication server.
- when the login status of the physical address of the terminal is offline, the terminal is not connected to the second network, and the proxy device can delete the second path, thereby effectively avoiding waste of network resources.
- the performing an admission check on the terminal that accesses the second network by using the second network access device includes:
- the second network address allocated by the second network access device to the terminal is the IP address of the terminal in the second network.
- the proxy device may accurately perform the admission check on the terminal according to the second network address allocated by the second network access device to the terminal, so that the legitimacy of the terminal in the second network can be effectively determined.
- the establishing a first path between the terminal and the service server on the first network and establishing a second path between the terminal and the service server on the second network includes:
- establishing a first path between the terminal and the service server on the first network, and establishing a second path between the terminal and the service server on the second network.
- when the service whitelist includes the network address of the service server, or when the service blacklist does not include the network address of the service server, the proxy device may establish the first path between the terminal and the service server on the first network and establish the second path between the terminal and the service server on the second network. The first path and the second path established in this way are not only highly secure but also meet the service access requirements, so the data transmission security of the terminal can be further ensured.
- a second aspect provides a multi-path establishment method, which is applied to a terminal, where the method includes:
- if the stored service whitelist includes the network address of the service server, or if the stored service blacklist does not include the network address of the service server, establishing a first path with the service server on the first network, and establishing a second path with the service server on the second network, where the service whitelist or the service blacklist is obtained from the proxy device;
- Data transmission is performed with the service server using at least one of the first path and the second path.
- after the terminal accesses the first network through the first network access device, the terminal undergoes identity verification by the proxy device, and after the terminal accesses the second network through the second network access device, the terminal undergoes an admission check by the proxy device. After the identity verification and the admission check are passed, the multipath access of the terminal is legitimate, and the terminal can obtain the network address of the service server.
- the service whitelist includes the network address of the service server, or when the service blacklist does not include the network address of the service server, the terminal establishes a first path with the service server on the first network, and is on the second network.
- a multipath establishing apparatus having a function of implementing the behavior of the multipath establishing method in the above first aspect.
- the multipath establishing apparatus includes at least one module for implementing the multipath establishing method provided by the above first aspect.
- a multipath establishing apparatus having a function of implementing the behavior of the multipath establishing method in the second aspect described above.
- the multipath establishing apparatus includes at least one module, and the at least one module is configured to implement the multipath establishing method provided by the second aspect.
- in a fifth aspect, a multipath establishing apparatus is provided, which includes a processor and a memory, where the memory is used for storing a program that supports the multipath establishing apparatus in performing the multipath establishment method provided by the first aspect.
- the processor is configured to execute a program stored in the memory.
- the multipath establishing device can also include a communication bus for establishing a connection between the processor and the memory.
- a multipath establishing apparatus includes a processor and a memory, where the memory is used for storing a program that supports the multipath establishing apparatus in performing the multipath establishment method provided by the second aspect.
- the processor is configured to execute a program stored in the memory.
- the multipath establishing device can also include a communication bus for establishing a connection between the processor and the memory.
- a computer readable storage medium is provided, which stores instructions that, when executed on a computer, cause the computer to perform the multipath establishment method described in the first aspect above.
- a computer readable storage medium is provided, which stores instructions that, when executed on a computer, cause the computer to perform the multipath establishment method described in the second aspect above.
- a computer program product comprising instructions which, when run on a computer, cause the computer to perform the multipath establishment method of the first aspect described above.
- a computer program product comprising instructions which, when run on a computer, cause the computer to perform the multipath establishment method of the second aspect described above.
- after the terminal accesses the first network through the first network access device, the proxy device performs identity verification on the terminal, and after the terminal accesses the second network through the second network access device, the proxy device performs an admission check on the terminal. After the terminal's identity verification and admission check are both passed, the multipath access of the terminal is legitimate. Therefore, a first path between the terminal and the service server can be established on the first network, and a second path between the terminal and the service server can be established on the second network. The first path and the second path established in this way are highly secure, and data transmission between the terminal and the service server then uses at least one of the first path and the second path, thereby ensuring the data transmission security of the terminal.
- FIG. 1A is a schematic structural diagram of a communication system according to an embodiment of the present application.
- FIG. 1B is a schematic structural diagram of another communication system according to an embodiment of the present application.
- FIG. 2A is a schematic structural diagram of a computer device according to an embodiment of the present application.
- FIG. 2B is a schematic structural diagram of another computer device according to an embodiment of the present application.
- FIG. 3 is a flowchart of a multipath establishment method provided by an embodiment of the present application.
- FIG. 4A is a flowchart of a path establishment operation provided by an embodiment of the present application.
- FIG. 4B is a flowchart of a path deletion operation provided by an embodiment of the present application.
- FIG. 4C is a flowchart of a terminal acquiring a service policy operation according to an embodiment of the present application.
- FIG. 4D is a flowchart of a service policy update operation provided by an embodiment of the present application.
- FIG. 4E is a flowchart of a service policy control operation provided by an embodiment of the present application.
- FIG. 4F is a flowchart of another service policy control operation provided by an embodiment of the present application.
- FIG. 5A is a schematic structural diagram of a multipath establishing apparatus according to an embodiment of the present application.
- FIG. 5B is a schematic structural diagram of an identity verification module according to an embodiment of the present disclosure.
- FIG. 5C is a schematic structural diagram of an admission check module according to an embodiment of the present application.
- FIG. 5D is a schematic structural diagram of another multipath establishing apparatus according to an embodiment of the present application.
- FIG. 5E is a schematic structural diagram of another admission check module provided by an embodiment of the present application.
- FIG. 5F is a schematic structural diagram of a path establishment module according to an embodiment of the present disclosure.
- FIG. 6 is a schematic structural diagram of still another multipath establishing apparatus according to an embodiment of the present application.
- a communication system includes a terminal 101, a first network access device 102, a second network access device 103, and a proxy device 104.
- the terminal 101 can access the first network through the first network access device 102, and can access the second network through the second network access device 103.
- after the terminal 101 accesses the first network, the first network access device 102 can have the terminal 101 authenticated by the proxy device 104, and after the terminal 101 accesses the second network, the second network access device 103 can perform an admission check on the terminal 101 through the proxy device 104. After the identity verification and the admission check are both passed, the first path between the terminal 101 and the service server can be established on the first network, and the second path between the terminal 101 and the service server can be established on the second network. At least one of the first path and the second path may be used for data transmission between the terminal 101 and the service server.
- the communication system may further include a proxy server 105 and a service server 106.
- a sub-flow between the terminal 101 and the proxy server 105 may be established on the first network, another sub-flow between the terminal 101 and the proxy server 105 may be established on the second network, and a connection between the proxy server 105 and the service server 106 may be established, thereby establishing the first path and the second path between the terminal 101 and the service server 106.
- MPTCP transmission is used between the terminal 101 and the proxy server 105, and TCP transmission is used between the proxy server 105 and the service server 106, so that the terminal 101 can perform services with the service server 106 through multipath.
- FIG. 2A is a schematic structural diagram of a computer device according to an embodiment of the present application.
- the computer device may be the proxy device 104 shown in FIG. 1A.
- the computer device includes at least one processor 2011, a communication bus 2021, a memory 2031, and at least one communication interface 2041.
- the processor 2011 can be a general purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the present application.
- CPU general purpose central processing unit
- ASIC application-specific integrated circuit
- Communication bus 2021 can include a path for communicating information between the components described above.
- the memory 2031 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or may be an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed, but is not limited thereto.
- the memory 2031 may be independent and connected to the processor 2011 via the communication bus 2021.
- the memory 2031 can also be integrated with the processor 2011.
- the communication interface 2041 uses any transceiver-type device to communicate with other devices or communication networks, such as Ethernet, a Radio Access Network (RAN), Wireless Local Area Networks (WLAN), etc.
- RAN Radio Access Network
- WLAN Wireless Local Area Networks
- processor 2011 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 2A.
- a computer device can include multiple processors, such as processor 2011 and processor 2051 shown in FIG. 2A.
- each of these processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
- a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data, such as computer program instructions.
- the memory 2031 is configured to store the program code 2101 for executing the solution of the present application
- the processor 2011 is configured to execute the program code 2101 stored in the memory 2031.
- the computer device can implement the operations performed by the proxy device in the multipath establishment method provided by the embodiment of FIG. 3 below through the processor 2011 and the program code 2101 in the memory 2031.
- FIG. 2B is a schematic structural diagram of a computer device according to an embodiment of the present application.
- the computer device may be the terminal 101 shown in FIG. 1A or FIG. 1B.
- the computer device includes at least one processor 2012, a communication bus 2022, a memory 2032, and at least one communication interface 2042.
- Processor 2012 can be a general purpose CPU, microprocessor, ASIC, or one or more integrated circuits for controlling the execution of the program of the present application.
- Communication bus 2022 can include a path for communicating information between the components described above.
- the memory 2032 can be a ROM or another type of static storage device that can store static information and instructions, a RAM or another type of dynamic storage device that can store information and instructions, or can be an EEPROM, a CD-ROM or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed, but is not limited thereto.
- Memory 2032 can exist independently and is coupled to processor 2012 via communication bus 2022. The memory 2032 can also be integrated with the processor 2012.
- Communication interface 2042 uses any transceiver-type device to communicate with other devices or communication networks, such as Ethernet, RAN, WLAN, and the like.
- processor 2012 may include one or more CPUs, such as CPU0 and CPU1 shown in Figure 2B.
- a computer device can include multiple processors, such as processor 2012 and processor 2052 shown in FIG. 2B. Each of these processors can be a single-CPU or a multi-CPU.
- a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data, such as computer program instructions.
- the computer device may further include an output device 2062 and an input device 2072.
- Output device 2062 communicates with processor 2012 and can display information in a variety of ways.
- the output device 2062 can be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like.
- Input device 2072 communicates with processor 2012 and can receive user input in a variety of ways.
- input device 2072 can be a mouse, a keyboard, a touch screen device, a sensing device, or the like.
- the memory 2032 is configured to store the program code 2102 that executes the solution of the present application, and the processor 2012 is configured to execute the program code 2102 stored in the memory 2032.
- the computer device can implement the operations performed by the terminal in the multipath establishment method provided in the embodiment of FIG. 3 below through the processor 2012 and the program code 2102 in the memory 2032.
- FIG. 3 is a flowchart of a method for establishing a multipath according to an embodiment of the present application. Referring to Figure 3, the method includes:
- Step 301: The proxy device performs identity verification on the terminal that accesses the first network through the first network access device.
- the first network access device is used to access the first network, for example, the first network access device may be a public data network gateway (PGW), a serving gateway (SGW), or the like.
- PGW public data network gateway
- SGW serving gateway
- the first network implements communication through a base station, that is, the first network may be a network conforming to the 3GPP specifications, for example, the first network may be an LTE network or the like.
- the terminal accesses the first network through the first network access device, that is, the terminal attaches to the first network.
- the proxy device is used for performing user authentication, that is, for performing identity verification, admission check, and the like for the terminal.
- the proxy device may be a system manager or a proxy server.
- the system manager can be called MP-manager.
- the system manager can provide management and allocation of proxy servers in a multi-proxy-server deployment (that is, a proxy server cluster). That is, the system manager can allocate a suitable proxy server to the terminal, such as allocating to the terminal a proxy server that is closer to the first network access device.
- the proxy server is used to implement multi-path access of the terminal under MPTCP, that is, the proxy server can provide the MPTCP proxy function, and can perform MPTCP transmission with the terminal and TCP transmission with the service server; for example, the proxy server can be a Multipath Gateway (MPGW), a Hybrid Access Gateway (HAG), and the like.
- MPGW Multipath Gateway
- HAG Hybrid Access Gateway
- step 301 may be: after the terminal accesses the first network by using the first network access device, the first network access device allocates a first network address to the terminal; the first network access device sends an identity verification request carrying the first network address to the proxy device; when the proxy device receives the identity verification request, it performs identity verification on the terminal according to the first network address to obtain the identity verification result of the terminal.
- the first network address allocated by the first network access device to the terminal is the IP address of the terminal in the first network, and the first network address may be an Internet Protocol Version 4 (IPv4) address, an Internet Protocol Version 6 (IPv6) address, or the like, which is not limited in this embodiment of the present application.
- IPv4 Internet Protocol Version 4
- the process in which the first network access device sends the identity verification request carrying the first network address to the proxy device may be implemented according to a Remote Authentication Dial In User Service (RADIUS) carbon copy mechanism.
- the identity verification request may be a RADIUS message, and the first network access device uses the RADIUS message to advertise the first network address to the proxy device.
- RADIUS Remote Authentication Dial In User Service
- when the proxy device performs identity verification on the terminal according to the first network address to obtain the identity verification result of the terminal, the proxy device may determine that the identity verification of the terminal passes when the first network address is within the preset network address range, and determine that the identity verification of the terminal fails when the first network address is not within the preset network address range.
- the preset network address range may be set in advance, and may be set according to the network condition of the operator and the application policy.
- the network addresses in the preset network address range may be predetermined secure network addresses and the like, which is not limited in this embodiment of the present application.
- the identity verification request may carry not only the first network address, but also other information related to the identity of the terminal, such as an International Mobile Subscriber Identification Number (IMSI), an access point name (APN), etc., after which the proxy device can authenticate the terminal according to the first network address carried in the identity verification request and the other information related to the identity of the terminal, to obtain the identity verification result of the terminal.
- IMSI International Mobile Subscriber Identification Number
- APN access point name
- Step 302: The proxy device performs an admission check on the terminal that accesses the second network through the second network access device.
- the second network access device is used to access the second network.
- the second network access device may be a broadband remote access server (BRAS), a broadband network gateway (BNG), an evolved packet data gateway (ePDG), a transparent gateway (TGW), or the like.
- the second network is a network outside the first network, and the second network does not need to communicate through the base station, that is, the second network may be a network that does not comply with the 3GPP specifications, for example, the second network may be a DSL network or a Wi-Fi network.
- the terminal accesses the second network through the second network access device, that is, the terminal attaches to the second network.
- step 302 may be implemented in either of the following two modes.
- the first mode: after the terminal accesses the second network through the second network access device, the second network access device acquires the physical address of the terminal and sends a first admission check request carrying the physical address to the proxy device.
- when the proxy device receives the first admission check request, it sends a login status query request carrying the physical address to the authentication server; when the authentication server receives the login status query request, it queries the login status of the physical address and sends that login status to the proxy device; when the proxy device receives the login status of the physical address, it determines the admission check result of the terminal according to that login status.
- the authentication server is used to provide a security management mechanism for access control in network security.
- the authentication server may record the login status of the physical address of each device that has successfully completed access authentication with it; for example, the authentication server may be an Authentication, Authorization, and Accounting (AAA) server or the like.
- when a device attempts to access the second network, it needs to perform access authentication with the authentication server, and when the access authentication succeeds, the login status of the physical address of the device is recorded in the authentication server.
- when the login status of the physical address of the device is online, the device is currently connected to the second network; when the login status of the physical address of the device is offline, the device is not currently connected to the second network.
- the physical address of the terminal is the hardware address of the terminal, which is also called the Media Access Control (MAC) address, and the physical address of the terminal can uniquely identify the terminal.
- the proxy device can determine that the admission check of the terminal passes when the login status of the physical address of the terminal is online, and that the admission check of the terminal fails when the login status of the physical address of the terminal is offline, so as to obtain the admission check result of the terminal.
- the second network access device may actively obtain the physical address of the terminal from the terminal.
- the terminal may also actively send the physical address of the terminal to the second network access device.
- the terminal may first obtain the address of the proxy device, and then report the physical address of the terminal to the proxy device according to the address of the proxy device.
- the process in which the terminal reports its physical address to the proxy device is the process in which the terminal actively sends its physical address to the second network access device, and the second network access device then sends the first admission check request carrying the physical address to the proxy device.
- the terminal may send an address query request carrying the domain name of the proxy device to the first network access device or the second network access device; when the first network access device or the second network access device receives the address query request, it sends the address of the proxy device to the terminal if that address is already stored; if the address of the proxy device is not stored, it obtains the address corresponding to the domain name of the proxy device from the domain name server and sends the obtained address to the terminal as the address of the proxy device.
- the second mode: after the terminal accesses the second network through the second network access device, the second network access device allocates a second network address to the terminal and sends a second admission check request carrying the second network address to the proxy device; when the proxy device receives the second admission check request, it determines the admission check result of the terminal according to the second network address and the preset admission address range.
- the second network address allocated by the second network access device to the terminal is the IP address of the terminal in the second network, and the second network address may be an IPv4 address, an IPv6 address, or the like, which is not limited in this embodiment of the present application.
- the preset admission address range may be set in advance, and may be set according to the network condition of the operator and the application policy.
- the preset admission address range may include 161.1.1.0-161.1.1.255, 161.1.2.0-161.1.2.255, 10.111.0.0-10.111.255.255, etc.
- the proxy device may determine that the admission check of the terminal passes when the second network address is within the preset admission address range, and that the admission check of the terminal fails when the second network address is outside the preset admission address range, so as to obtain the admission check result of the terminal.
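
The checks of steps 301 and 302 can be sketched as follows. This is an added example, not code from the patent: the function names are hypothetical, the identity range, MAC addresses and login-status table are constructed, and only the admission ranges are the ones quoted above. Unparsable or unexpected input fails the check rather than passing it.

```python
import ipaddress

# Admission address ranges quoted in the text (second network).
ADMISSION_RANGES = ["161.1.1.0-161.1.1.255", "161.1.2.0-161.1.2.255",
                    "10.111.0.0-10.111.255.255"]
# Constructed sample data: the text gives no identity range or MAC addresses.
IDENTITY_RANGES = ["10.20.0.0-10.20.255.255"]
AAA_LOGIN_STATUS = {"02:00:5e:10:00:01": "online",
                    "02:00:5e:10:00:02": "offline"}


def parse_ranges(specs):
    """Turn 'start-end' strings into (start, end) pairs; reject bad configuration."""
    ranges = []
    for spec in specs:
        lo_text, hi_text = spec.split("-")  # ValueError unless exactly two parts
        lo = ipaddress.ip_address(lo_text.strip())
        hi = ipaddress.ip_address(hi_text.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {spec}")
        ranges.append((lo, hi))
    return ranges


def address_in_ranges(addr_text, ranges):
    """True only if addr_text is a parsable address inside one of the ranges."""
    if not isinstance(addr_text, str):
        return False  # ip_address() would accept integers; refuse them here
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False  # malformed address: fail closed
    # Compare only within the same IP version (an IPv4-mapped IPv6 address
    # therefore does not match an IPv4 range).
    return any(lo.version == addr.version and lo <= addr <= hi
               for lo, hi in ranges)


def normalize_mac(mac):
    """Canonical lower-case colon form, or None if it is not 12 hex digits."""
    if not isinstance(mac, str):
        return None
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def admission_by_login_status(mac, login_status):
    """First mode: pass only if the authentication server reports the MAC online."""
    key = normalize_mac(mac)
    return key is not None and login_status.get(key) == "online"


def check_terminal(first_addr, mac=None, second_addr=None):
    """Identity verification plus admission check; both must pass for multipath."""
    identity_ok = address_in_ranges(first_addr, parse_ranges(IDENTITY_RANGES))
    if mac is not None:   # first mode: physical address and login status
        admission_ok = admission_by_login_status(mac, AAA_LOGIN_STATUS)
    else:                 # second mode: second network address and preset range
        admission_ok = address_in_ranges(second_addr,
                                         parse_ranges(ADMISSION_RANGES))
    return {"identity": identity_ok, "admission": admission_ok,
            "multipath": identity_ok and admission_ok}


if __name__ == "__main__":
    print(check_terminal("10.20.3.4", mac="02-00-5E-10-00-01"))
    print(check_terminal("10.20.3.4", second_addr="161.1.3.0"))
```
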
- Step 303: After the identity verification and the admission check of the terminal are both passed, the first path between the terminal and the service server is established on the first network, and the second path between the terminal and the service server is established on the second network.
- the first path and the second path are used for data transmission between the terminal and the service server; that is, after the first path between the terminal and the service server is established on the first network and the second path between the terminal and the service server is established on the second network, at least one of the first path and the second path may be used for data transmission between the terminal and the service server.
- the first path between the terminal and the service server can be established on the first network, and the second path between the terminal and the service server can be established on the second network.
- the security of the first path and the second path established at this time is high, so that the security of subsequent data transmission of the terminal can be guaranteed.
- the proxy device may generate a third address corresponding to the first network address and the second network address and allocate it to the terminal. The subsequent process of establishing the first path between the terminal and the service server on the first network and the second path between the terminal and the service server on the second network is the process in which the terminal establishes paths with the service server through the proxy server.
- that is, the terminal establishes one sub-flow with the proxy server according to the first network address and another sub-flow with the proxy server according to the second network address, and the proxy server establishes a connection with the service server according to the third address.
- the third address is a general IP address of the terminal, and the third address may be used when the connection between the proxy server and the service server is established.
- the third address may be an IPv4 address, an IPv6 address, or the like, which is not limited in this embodiment of the present application.
- the first path between the terminal and the service server may be directly established on the first network, and the second path between the terminal and the service server may be directly established on the second network.
- of course, the first path between the terminal and the service server may also be established on the first network, and the second path between the terminal and the service server on the second network, according to a preset service policy.
- the path establishment operation may include the following Method 1 or Method 2.
- Method 1: The terminal acquires the network address of the service server; if the stored service whitelist includes the network address of the service server, or if the stored service blacklist does not include the network address of the service server, the terminal establishes the first path with the service server on the first network and the second path with the service server on the second network.
- otherwise, the terminal does not establish the first path with the service server on the first network and does not establish the second path with the service server on the second network, but falls back to the traditional TCP link establishment process to establish a single path with the service server.
- the service whitelist stores the network addresses of the service servers hosting services that can use multipath acceleration; that is, when the terminal needs to perform a service with a service server indicated by a network address stored in the service whitelist, it can directly perform normal multipath establishment and offloaded transmission according to the MPTCP link establishment process.
- the service blacklist stores the network addresses of the service servers hosting services that cannot use multipath acceleration; that is, when the terminal needs to perform a service with a service server indicated by a network address stored in the service blacklist, multipath establishment cannot be performed, and single-path establishment and single-stream transmission need to be performed according to the traditional TCP link establishment process.
- while allocating the third address to the terminal, the proxy device can also send the receiving port number of the proxy server to the terminal. Specifically, if the proxy device is a proxy server, the proxy device may send its local receiving port number to the terminal, so that the terminal subsequently establishes sub-flows with the proxy device according to the receiving port number and then establishes paths with the service server.
- the proxy device may allocate a proxy server to the terminal, and send the address and the receiving port number of the proxy server to the terminal, so that the terminal subsequently establishes sub-flows with the proxy server according to the address and the receiving port number of the proxy server.
- when the proxy device allocates the proxy server to the terminal, the proxy device may obtain the address of the first network access device, and select one proxy server from the plurality of managed proxy servers to allocate to the terminal according to the address of the first network access device. For example, a proxy server that is closest to the first network access device may be selected and allocated to the terminal.
- the proxy device may actively obtain the address of the first network access device from the first network access device, or the first network access device may actively send the address of the first network access device to the proxy device.
- the process in which the first network access device actively sends its address to the proxy device may be implemented based on the RADIUS copy mechanism, where the first network access device may notify the proxy device of the address of the first network access device by using a RADIUS message.
- in this case, in order to reduce the number of interactions, the first network access device may carry both the address of the first network access device and the first network address required for identity verification of the terminal in step 301 in one RADIUS message copied to the proxy device.
- the terminal may further obtain the service whitelist or the service blacklist from the proxy device. Specifically, the terminal may send a policy control request (PCR) to the proxy device, and when the proxy device receives the PCR, it may send the stored service whitelist or service blacklist to the terminal. In this case, in order to reduce the number of interactions, the terminal may carry the physical address of the terminal, which is required for the admission check of the terminal in the first mode of step 302, in the PCR sent to the proxy device.
- Method 2: The terminal obtains the network address of the service server, and sends the network address of the service server to the proxy device.
- when the proxy device receives the network address of the service server, if the stored service whitelist includes the network address of the service server, or if the stored service blacklist does not include the network address of the service server, the first path between the terminal and the service server is established on the first network, and the second path between the terminal and the service server is established on the second network.
- when the terminal sends the network address of the service server to the proxy device, the terminal may do so in the process of establishing a target path with the service server.
- when the proxy device receives the network address of the service server, if the stored service whitelist includes the network address of the service server, or if the stored service blacklist does not include the network address of the service server, the proxy device continues establishing the target path between the terminal and the service server.
- otherwise, the proxy device interrupts the establishment of the target path between the terminal and the service server, does not establish any path other than the target path between the terminal and the service server, and instructs the terminal to fall back to traditional TCP link establishment.
- the target path is a path that needs to be preferentially established in the first path and the second path, and the path outside the target path is another path except the target path in the first path and the second path.
- when the terminal sends the network address of the service server to the proxy device in the process of establishing the target path with the service server, the terminal may send the network address of the service server to the proxy device during establishment of the first sub-flow with the proxy device, or after the first sub-flow with the proxy device has been established, which is not limited in this embodiment of the present application.
- when the proxy device is a proxy server, in order to facilitate the terminal establishing paths with the service server through the proxy device, after the identity verification and admission check of the terminal are passed, the proxy device may send its local receiving port number to the terminal while allocating the third address to the terminal, so that the terminal can subsequently establish sub-flows with the proxy device according to the receiving port number and then establish paths with the service server.
- when the proxy device is a system management device, the terminal may send the network address of the service server to the proxy device before establishing the target path with the service server.
- when the proxy device receives the network address of the service server, if the stored service whitelist includes the network address of the service server, or if the stored service blacklist does not include the network address of the service server, the system management device allocates a proxy server to the terminal and sends the address and the receiving port number of the proxy server to the terminal, so that the terminal establishes two sub-flows with the proxy server according to the address and the receiving port number of the proxy server and then establishes paths with the service server.
- otherwise, the proxy device instructs the terminal to fall back to the traditional TCP link establishment process to establish a single path between the terminal and the service server.
- the foregoing Method 1 and Method 2 can be used at the same time, and when the service policy results of Method 1 and Method 2 are inconsistent, the result of Method 2 can take priority, which is not limited in this embodiment of the present application.
- the service whitelist or service blacklist stored in the proxy device may be generated by the proxy device itself, or may be dynamically issued by another device, such as a policy and charging rules function (PCRF) unit, which is not limited in this embodiment of the present application.
- after an update is completed, the proxy device may actively send the updated service whitelist or service blacklist to the terminal.
- if the service whitelist or the service blacklist is dynamically issued by another device and that device updates its stored service whitelist or service blacklist, the other device may send the updated service whitelist or service blacklist to the proxy device after the update is completed.
- when the proxy device receives the updated service whitelist or service blacklist, it can send the updated service whitelist or service blacklist to the terminal.
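
The service policy decision of Method 1 and Method 2, and the effect of a policy update that has reached the proxy but not yet the terminal, can be sketched as follows. This is an added example, not code from the patent: class and function names are hypothetical, the addresses are constructed documentation addresses, and treating an unparsable server address as single-path is an assumption. It also compares addresses in canonical form, which the text does not discuss.

```python
import ipaddress
from dataclasses import dataclass

MULTIPATH = "multipath"          # first path and second path are established
SINGLE_PATH = "single-path TCP"  # fallback to traditional TCP link establishment


def canon(addr):
    """Parse address text into a canonical object; None if it is not an IP address."""
    if not isinstance(addr, str):
        return None
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


@dataclass(frozen=True)
class ServicePolicy:
    kind: str            # "whitelist" or "blacklist"
    entries: frozenset   # canonical service server addresses

    @classmethod
    def build(cls, kind, addresses):
        if kind not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown policy kind: {kind}")
        parsed = [canon(a) for a in addresses]
        if any(p is None for p in parsed):
            raise ValueError("policy contains an unparsable address")
        return cls(kind, frozenset(parsed))

    def decide(self, server_addr):
        addr = canon(server_addr)
        if addr is None:
            return SINGLE_PATH  # assumption: unparsable input never gets multipath
        listed = addr in self.entries
        if self.kind == "whitelist":
            return MULTIPATH if listed else SINGLE_PATH
        return SINGLE_PATH if listed else MULTIPATH


class Terminal:
    def __init__(self, policy):
        self.policy = policy

    def on_policy_update(self, policy):
        """Terminal stores the updated list pushed by the proxy."""
        self.policy = policy


class ProxyServer:
    def __init__(self, policy, terminals):
        self.policy = policy
        self.terminals = list(terminals)

    def on_policy_update(self, policy):
        """Proxy stores the updated list issued by another device (e.g. the PCRF)."""
        self.policy = policy

    def push_policy(self):
        """Proxy forwards its current list to every terminal."""
        for terminal in self.terminals:
            terminal.on_policy_update(self.policy)


def establish(terminal, proxy, server_addr):
    """Both methods in use; on disagreement the Method 2 (proxy) result wins."""
    method1 = terminal.policy.decide(server_addr)
    method2 = proxy.policy.decide(server_addr)
    return {"method1": method1, "method2": method2, "result": method2}


if __name__ == "__main__":
    old = ServicePolicy.build("whitelist", ["198.51.100.10", "2001:db8::10"])
    new = ServicePolicy.build("whitelist", ["2001:db8::10"])
    terminal = Terminal(old)
    proxy = ProxyServer(old, [terminal])
    proxy.on_policy_update(new)          # terminal still holds the old list
    print(establish(terminal, proxy, "198.51.100.10"))
    proxy.push_policy()
    print(establish(terminal, proxy, "198.51.100.10"))
```
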
- the first path or the second path may also be deleted.
- when the first path is to be deleted, the terminal may send a first path deletion request to the first network access device, and the first network access device may delete the first path when it receives the first path deletion request; or, when the proxy server or the system management device detects that the first path has not performed data transmission within a preset duration, the first path may be deleted.
- when the second path is to be deleted, the terminal may send a second path deletion request to the second network access device, and the second network access device may delete the second path when it receives the second path deletion request; or, when the proxy server or the system management device detects that the second path has not performed data transmission within a preset duration, it may delete the second path; or, when the proxy server or the system management device detects that the second path has not performed data transmission within a preset duration, it may send a login status query request carrying the physical address of the terminal to the authentication server.
- when the authentication server receives the login status query request, it queries the login status of the physical address and sends the login status of the physical address to the proxy server or the system management device.
- when the proxy server or the system management device receives the login status of the physical address, it deletes the second path if the login status of the physical address is offline.
- the preset duration can be set in advance, and the preset duration can be set longer, for example, the preset duration can be 1 hour, 2 hours, 3 hours, and the like.
- when the proxy server or the system management device detects that the first path or the second path has not performed data transmission within the preset duration, the terminal has not used the first path or the second path for a long time, and the first path or the second path may therefore be deleted directly. Alternatively, deletion of the second path may be further confirmed: the proxy server or the system management device may obtain the login status of the physical address of the terminal, and when that login status is offline, the terminal is not connected to the second network at this time, and the second path can be deleted.
- the first network access device or the second network access device may send a path deletion notification message to the system management device and the proxy server, so that both the system management device and the proxy server can delete the context resource of the first path or the context resource of the second path after a certain length of time (e.g., after the service keep-alive timer expires).
- the path deletion notification may be sent to the other party, so that both the system management device and the proxy server may delete the context of the first path after a certain length of time.
- after the terminal accesses the first network through the first network access device, the proxy device performs identity verification on the terminal, and after the terminal accesses the second network through the second network access device, the proxy device performs the admission check on the terminal. When the identity verification and the admission check of the terminal are both passed, the multipath access of the terminal is legal. Therefore, the first path between the terminal and the service server can be established on the first network and the second path between the terminal and the service server can be established on the second network, and the security of the first path and the second path established in this way is high. At least one of the first path and the second path is then used for data transmission between the terminal and the service server, thereby ensuring the data transmission security of the terminal.
- the multi-path establishment method mainly involves a path establishment operation, a path deletion operation, a terminal acquisition service policy operation, a service policy update operation, and a service policy control operation. Next, taking the case in which the proxy device is a proxy server as an example, the six operations are each described in detail.
- the path establishment operation may include the following steps 1 - 8.
- Step 1 (including Step 11 - Step 14): The terminal accesses the first network through the first network access device, that is, the terminal attaches to the first network.
- the process of attaching the terminal to the first network can be implemented through a Policy and Charging Control (PCC) process.
- the terminal sends a first attach request to the first network access device.
- the first network access device sends a Credit-Control-Request (CCR) carrying the terminal information to the PCRF.
- the PCRF performs access authentication on the terminal based on the terminal information and, after the access authentication succeeds, returns a Credit-Control-Answer (CCA) to the first network access device; in step 14, when the first network access device receives the CCA, it allocates a first network address to the terminal and sends the terminal a first attach response carrying the first network address, at which point the terminal has accessed the first network.
- the terminal information is information related to the identity of the terminal, and the terminal information may include information such as the IMSI and the APN of the terminal, which is not limited in this embodiment of the present application.
- Step 2 (including steps 21 - 22): The proxy server authenticates the terminal.
- the first network access device sends the first network address to the proxy server in a RADIUS message; in step 22, when the proxy server receives the RADIUS message, it authenticates the terminal according to the first network address to obtain the authentication result of the terminal.
- Step 3: The terminal accesses the second network through the second network access device, that is, the terminal attaches to the second network.
- the terminal sends a second attach request to the second network access device.
- the second network access device after receiving the second attach request, sends a terminal authentication request to the authentication server.
- when the authentication server receives the terminal authentication request, it performs access authentication on the terminal and, after the access authentication succeeds, returns an authentication response to the second network access device; the second network access device then allocates a second network address to the terminal and sends a second attach response carrying the second network address to the terminal, at which point the terminal has accessed the second network.
- Step 4 (including steps 41-43): The terminal acquires the address of the proxy server.
- in step 41, the terminal sends an address query request carrying the domain name of the proxy server to the first network access device.
- in step 42, when the first network access device receives the address query request, it directly obtains the stored address of the proxy server, or obtains the address corresponding to the domain name of the proxy server from the domain name server as the address of the proxy server; in step 43, the first network access device carries the address of the proxy server in an address query response and sends it to the terminal.
- Step 5: The proxy server performs an admission check on the terminal.
- the terminal reports the physical address of the terminal to the proxy server according to the address of the proxy server; that is, in step 51, the terminal sends the physical address of the terminal to the second network access device according to the address of the proxy server, and in step 52, the second network access device sends a first admission check request carrying the physical address of the terminal to the proxy server; in step 53, when the proxy server receives the physical address of the terminal, it sends a login status query request carrying the physical address of the terminal to the authentication server; in step 54, when the authentication server receives the login status query request, it queries the login status of the physical address of the terminal and sends that login status to the proxy server; in step 55, when the proxy server receives the login status of the physical address of the terminal, it determines the admission check result of the terminal according to that login status.
- Step 6 (including steps 61-63): The proxy server allocates a third address to the terminal.
- in step 61, after both the identity verification and the admission check of the terminal are passed, the proxy server generates a third address corresponding to the first network address and the second network address; in step 62, the proxy server sends the third address to the terminal; in step 63, when the terminal receives the third address, it records the third address as an alias of the first network address and the second network address.
- Step 7: When the terminal needs to perform services with the service server, establish a first path and a second path between the terminal and the service server.
- Step 8: The terminal and the service server use at least one of the first path and the second path for data transmission.
- the path deletion operation may include the following steps 9 to 12.
- Step 9 (including step 91 - step 93): the first network access device deletes the first path.
- in step 91, the terminal sends a first path deletion request to the first network access device; in step 92, when the first network access device receives the first path deletion request, the IP-Connectivity Access Network (IP-CAN) is used between the first network access device and the PCRF.
- in step 93, the first network access device sends a first path deletion response to the terminal.
- Step 10: The first network access device sends a path deletion notification message to the proxy server.
- the path deletion notification message may be a RADIUS message, and the path deletion notification message may carry the terminal information, the first network address, the address of the first network access device, the cause value, and the like.
- Step 11 (including steps 111-113): The proxy server deletes the second path.
- in step 111, when the proxy server detects that the second path has not performed data transmission within a preset duration, it triggers the terminal offline query; in step 112, the proxy server sends a login status query request carrying the physical address of the terminal to the authentication server; in step 113, when the authentication server receives the login status query request, it queries the login status of the physical address of the terminal and sends that login status to the proxy server.
- when the proxy server receives the login status of the physical address of the terminal, it deletes the second path if the login status of the physical address of the terminal is offline.
- Step 12: The proxy server deletes the context resources of the first path and the second path after a certain length of time.
- Terminal obtains business policy operation
- the terminal may establish the first path and the second path with the service server according to the preset service policy.
- the terminal needs to obtain a business policy in advance.
- the operation in which the terminal acquires the service policy may be performed after the terminal has accessed the first network and the second network, that is, after the foregoing steps 1 and 3, and before the first path and the second path are established between the terminal and the service server, that is, before step 7 above. Referring to FIG. 4C, the operation may include the following steps 131-134.
- Step 131: The terminal sends a PCR to the proxy server.
- the terminal may also carry the physical address of the terminal, which is used for the admission check of the terminal in the above step 5, in the PCR sent to the proxy server.
- the process in which the terminal sends the PCR to the proxy server is the process in which the terminal sends the PCR to the second network access device, and the second network access device then sends the PCR to the proxy server.
- the PCR is the first admission check request in the above step 5.
- Step 132: When the proxy server receives the PCR, if the service whitelist and the service blacklist are not stored, the CCR carrying the terminal information is sent to the PCRF.
- Step 133: When the PCRF receives the CCR, it sends a CCA carrying a service whitelist or a service blacklist corresponding to the terminal information to the proxy server.
- Step 134: When the proxy server receives the CCA, it stores the service whitelist or the service blacklist, carries the service whitelist or the service blacklist in a Policy Control Answer (PCA), and sends the PCA to the terminal.
- after receiving the PCR, the proxy server can obtain the service whitelist and the service blacklist by interacting with the PCRF, and can also obtain the login status of the physical address of the terminal by interacting with the authentication server and determine the admission check result of the terminal accordingly.
- the PCA returned by the proxy server to the terminal can carry not only the service whitelist or the service blacklist but also information used for multipath establishment, such as the third address and the receiving port number.
- The device that generates the service policy may also update the service policy and send the updated service policy to the devices that need to use it.
- The service policy update operation may include the following steps 141-144.
- Step 141: The PCRF updates the stored service whitelist or service blacklist. After the update is completed, it carries the updated service whitelist or service blacklist in a Re-Auth-Request (RAR) and sends the RAR to the proxy server.
- Step 142: When the proxy server receives the RAR, it returns a Re-Auth-Answer (RAA) to the PCRF and updates the stored service whitelist or service blacklist.
- Step 143: The proxy server sends the updated service whitelist or service blacklist to the terminal in a Policy-Update-Request (PUR).
- Step 144: When the terminal receives the PUR, it returns a Policy-Update-Answer (PUA) to the proxy server and updates the stored service whitelist or service blacklist.
- The terminal or the proxy server may establish the first path and the second path between the terminal and the service server according to the preset service policy.
- The proxy server establishes the first path and the second path between the terminal and the service server according to the preset service policy.
- The service policy control operation may include the following two cases: referring to FIG. 4E, the first case includes the following steps 15-16; referring to FIG. 4F, the second case includes the following steps 17-18.
- The first case:
- Step 15 (including steps 151-154): In the process of establishing the first substream with the proxy server, the terminal sends the network address of the service server to the proxy server, and the establishment of the first substream between the terminal and the proxy server is completed.
- In step 151, the terminal sends to the proxy server a SYN MP_CAPABLE message carrying the connection key (Key-A) of the terminal and the network address of the service server; in step 152, when the proxy server receives the SYN MP_CAPABLE message, it returns to the terminal a SYN ACK MP_CAPABLE message carrying the connection key (Key-B) of the proxy server; in step 153, when the terminal receives the SYN ACK MP_CAPABLE message, it sends to the proxy server an ACK MP_CAPABLE message carrying the connection key (Key-A) of the terminal and the connection key (Key-B) of the proxy server, to complete the establishment of the first substream between the terminal and the proxy server.
- When the proxy server receives the ACK MP_CAPABLE message, it also sends to the terminal an ACK ADDR_ADDR message carrying the network address and the port number of the proxy server for the second substream, so that the terminal can subsequently establish a second substream with the proxy server.
- Step 16: When the proxy server receives the network address of the service server, it performs service policy control on the path establishment of the terminal.
- In step 161, if the stored service whitelist includes the network address of the service server, or if the stored service blacklist does not include the network address of the service server, the proxy server establishes a connection with the service server;
- the terminal sends to the proxy server a SYN MP_JOIN message carrying the token (Token-B) of the proxy server and the terminal number (RA);
- in step 163, when the proxy server receives the SYN MP_JOIN message, it returns to the terminal a SYN ACK MP_JOIN message carrying the physical address (MAC-B) of the proxy server and the proxy server number (RB);
- in step 164, when the terminal receives the SYN ACK MP_JOIN message, the terminal returns to the proxy server to carry the terminal.
- in step 165, when the proxy server receives the ACK MP_JOIN message, it returns an ACK message to the terminal to complete the establishment of the second substream between the terminal and the proxy server.
- The second case:
- Step 17: After the first substream between the terminal and the proxy server is established, the terminal sends the network address of the service server to the proxy server.
- In step 171, the terminal sends to the proxy server a SYN MP_CAPABLE message carrying the connection key (Key-A) of the terminal; in step 172, when the proxy server receives the SYN MP_CAPABLE message, it returns to the terminal a SYN ACK MP_CAPABLE message carrying the connection key (Key-B) of the proxy server; in step 173, when the terminal receives the SYN ACK MP_CAPABLE message, a message carrying the connection key (Key-A) of the terminal is sent to the proxy server.
- The terminal sends to the proxy server an ACK MP_EXTENSION_FIELD message carrying the network address of the service server; in step 175, when the proxy server receives the ACK MP_EXTENSION_FIELD message, it sends an MP_EXTENSION_ACK message to the terminal.
- Step 18 (including steps 181-182): When the proxy server receives the network address of the service server, it performs service policy control on the path establishment of the terminal.
- In step 181, if the stored service whitelist does not include the network address of the service server, or if the stored service blacklist includes the network address of the service server, the proxy server sends to the terminal an ACK MP_FASTCLOSE ERR_CODE message carrying a link indication and an error code, thereby disconnecting the first substream with the terminal and not establishing the second substream with the terminal; in step 182, when the terminal receives the ACK MP_FASTCLOSE ERR_CODE message, it falls back to the traditional TCP connection-establishment process, re-initiates the service to the service server, and transmits data over standard TCP.
- The ACK MP_FASTCLOSE ERR_CODE message can be obtained by extending the MP_FASTCLOSE message in the original MPTCP protocol, that is, by adding an error code field to the original MP_FASTCLOSE message.
- The error code field can contain multiple types of data, and each type of data represents a different error cause.
- The error code field can contain six types of data, A-F, wherein A is effective when set to 1, representing lack of If the B is set to 1, it will take effect on the service server. If the C is set to 1, the data will be invalid on the service server. If the D is set to 1, the network address of the service server belongs to the service blacklist or not.
- The foregoing six operations solve the problem of user authentication in the process of multipath access of the terminal, and solve the service policy problem of multi-stream hybrid access of the terminal, thereby ensuring the security of the first path and the second path established between the terminal and the service server, and in turn the security of subsequent data transmission between the terminal and the service server over at least one of the first path and the second path.
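The policy acquisition in steps 131-134, the update in steps 141-144, and the proxy's decision in steps 16 and 18 can be traced end to end with the following Python simulation, which is an added example and not code from the patent. The class names, return strings, documentation-range addresses, and the choice to refuse when no policy is stored are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ServicePolicy:
    """One service whitelist or one service blacklist (constructed model)."""
    kind: str            # "whitelist" or "blacklist"
    networks: tuple      # CIDR strings of service-server addresses

    def permits(self, server_addr: str) -> bool:
        addr = ip_address(server_addr)
        listed = any(addr in ip_network(net) for net in self.networks)
        # Whitelist: permitted only when listed. Blacklist: permitted unless listed.
        return listed if self.kind == "whitelist" else not listed


class PCRF:
    """Policy source: answers a CCR and pushes a RAR after an update."""
    def __init__(self, policies):
        self.policies = dict(policies)          # terminal info -> ServicePolicy

    def on_ccr(self, terminal_info):            # step 133
        return self.policies[terminal_info]     # carried back in the CCA

    def update(self, terminal_info, policy, proxy):   # step 141
        self.policies[terminal_info] = policy
        return proxy.on_rar(terminal_info, policy)    # proxy answers with RAA


class Terminal:
    def __init__(self, info):
        self.info = info
        self.policy = None

    def on_pca(self, policy):                   # step 134, terminal side
        self.policy = policy

    def on_pur(self, policy):                   # step 144
        self.policy = policy
        return "PUA"

    def connect(self, proxy, server_addr):
        """Send the server address during substream setup and act on the reply."""
        reply = proxy.on_server_address(self.info, server_addr)
        if reply == "MP_FASTCLOSE":             # step 182: fall back to plain TCP
            return "standard-tcp"
        return "multipath"


class Proxy:
    def __init__(self, pcrf):
        self.pcrf = pcrf
        self.policies = {}                      # terminal info -> ServicePolicy
        self.terminals = {}                     # terminal info -> Terminal
        self.trace = []                         # message names, in order

    def on_pcr(self, terminal):                 # steps 131-134
        self.trace.append("PCR")
        self.terminals[terminal.info] = terminal
        if terminal.info not in self.policies:  # nothing stored: ask the PCRF
            self.trace.append("CCR")
            self.policies[terminal.info] = self.pcrf.on_ccr(terminal.info)
            self.trace.append("CCA")
        terminal.on_pca(self.policies[terminal.info])
        self.trace.append("PCA")

    def on_rar(self, terminal_info, policy):    # steps 142-143
        self.trace.append("RAR")
        self.policies[terminal_info] = policy
        self.trace.append("RAA")
        terminal = self.terminals.get(terminal_info)
        if terminal is not None:
            self.trace.append("PUR")
            self.trace.append(terminal.on_pur(policy))
        return "RAA"

    def on_server_address(self, terminal_info, server_addr):  # steps 16 / 18
        policy = self.policies.get(terminal_info)
        # Assumption: with no stored policy the proxy refuses (fails closed).
        if policy is not None and policy.permits(server_addr):
            return "ESTABLISH_PATHS"
        return "MP_FASTCLOSE"


def run_demo():
    """Constructed scenario using documentation address ranges."""
    pcrf = PCRF({"terminal-1": ServicePolicy("whitelist", ("203.0.113.0/24",))})
    proxy, term = Proxy(pcrf), Terminal("terminal-1")
    proxy.on_pcr(term)
    before = term.connect(proxy, "203.0.113.10")
    pcrf.update("terminal-1",
                ServicePolicy("blacklist", ("203.0.113.10/32",)), proxy)
    after = term.connect(proxy, "203.0.113.10")
    other = term.connect(proxy, "198.51.100.7")
    return proxy.trace, before, after, other
```

The same destination is served over multipath before the update and over standard TCP after it, because the proxy evaluates the stored list at each path establishment.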
- FIG. 5A is a schematic structural diagram of a multipath establishing apparatus according to an embodiment of the present disclosure.
- the multipath establishing apparatus may be implemented as part or all of a computer device by software, hardware, or a combination of the two.
- The computer device may be the one shown in FIG. 2A.
- the identity verification module 501 is configured to perform step 301 in the foregoing embodiment of FIG. 3;
- the admission check module 502 is configured to perform step 302 in the foregoing embodiment of FIG. 3;
- the path establishing module 503 is configured to perform step 303 in the foregoing embodiment of FIG. 3.
- the identity verification module 501 includes:
- the first receiving unit 5011 is configured to receive an identity verification request that is sent by the first network access device and that carries the first network address, where the first network address is a network address that is allocated by the first network access device to the terminal;
- the identity verification unit 5012 is configured to perform identity verification on the terminal according to the first network address, to obtain an identity verification result of the terminal.
- the admission check module 502 includes:
- the second receiving unit 5021 is configured to receive a first admission check request that is sent by the second network access device and carries the physical address of the terminal.
- the sending unit 5022 is configured to send a login status query request carrying a physical address to the authentication server, where the authentication server queries the login status of the physical address.
- the third receiving unit 5023 is configured to receive a login status of a physical address sent by the authentication server.
- the first determining unit 5024 is configured to determine an admission check result of the terminal according to the login status of the physical address.
- the apparatus further includes:
- the sending module 504 is configured to: if it is detected that the second path does not perform data transmission within a preset duration, send a login status query request carrying the physical address to the authentication server, where the authentication server queries the login status of the physical address;
- the receiving module 505 is configured to receive a login status of a physical address sent by the authentication server.
- the path deletion module 506 is configured to delete the second path if the login status of the physical address is an offline status.
- the admission check module 502 includes:
- the fourth receiving unit 5025 is configured to receive a second admission check request that is sent by the second network access device and that carries the second network address, where the second network address is a network address that is allocated by the second network access device to the terminal;
- the second determining unit 5026 is configured to determine an admission check result of the terminal according to the second network address and the preset admission address range.
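The two admission checks (units 5021-5026) and the idle-path cleanup (modules 504-506) are shown together in the following added Python example, which is not code from the patent. It assumes that an "online" login status passes the check and that an unknown physical address counts as offline; all class names, addresses and time values are constructed.

```python
from ipaddress import ip_address, ip_network


class AuthServer:
    """Stand-in for the authentication server (constructed): MAC -> status."""
    def __init__(self, status_by_mac):
        self.status_by_mac = {m.lower(): s for m, s in status_by_mac.items()}

    def login_status(self, mac):
        # Assumption: a physical address the server does not know is offline.
        return self.status_by_mac.get(mac.lower(), "offline")


class AdmissionProxy:
    def __init__(self, auth_server, admission_ranges, idle_limit_s):
        self.auth = auth_server
        self.ranges = [ip_network(r) for r in admission_ranges]
        self.idle_limit_s = idle_limit_s
        self.second_paths = {}           # MAC -> time of last data transfer

    def check_by_physical_address(self, mac):
        """First admission check request: decide from the login status."""
        return self.auth.login_status(mac) == "online"

    def check_by_network_address(self, second_addr):
        """Second admission check request: address within the preset range."""
        try:
            addr = ip_address(second_addr)
        except ValueError:
            return False                 # a malformed address is not admitted
        return any(addr in net for net in self.ranges)

    def open_second_path(self, mac, now):
        if not self.check_by_physical_address(mac):
            return False
        self.second_paths[mac.lower()] = now
        return True

    def record_transfer(self, mac, now):
        if mac.lower() in self.second_paths:
            self.second_paths[mac.lower()] = now

    def sweep_idle_paths(self, now):
        """Re-query the login status of idle second paths; delete offline ones."""
        deleted = []
        for mac, last_seen in list(self.second_paths.items()):
            if now - last_seen < self.idle_limit_s:
                continue                 # data was sent recently: no query
            if self.auth.login_status(mac) == "offline":
                del self.second_paths[mac]
                deleted.append(mac)
        return sorted(deleted)


def run_demo():
    """Constructed terminals; times are seconds on an arbitrary clock."""
    auth = AuthServer({"02:00:00:00:00:01": "online",
                       "02:00:00:00:00:02": "online",
                       "02:00:00:00:00:03": "online"})
    proxy = AdmissionProxy(auth, ["192.0.2.0/24"], idle_limit_s=300)
    opened = [proxy.open_second_path(m, now=0) for m in
              ("02:00:00:00:00:01", "02:00:00:00:00:02",
               "02:00:00:00:00:03", "02:00:00:00:00:04")]
    # Terminals 1 and 3 go offline; terminal 3 transfers data at t=290.
    auth.status_by_mac["02:00:00:00:00:01"] = "offline"
    auth.status_by_mac["02:00:00:00:00:03"] = "offline"
    proxy.record_transfer("02:00:00:00:00:03", now=290)
    deleted = proxy.sweep_idle_paths(now=310)
    return opened, deleted, sorted(proxy.second_paths)
```

Only the idle path of the offline terminal is deleted; a path that carried data within the preset duration is not queried at all, which is the condition the description states.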
- the path establishing module 503 includes:
- the fifth receiving unit 5031 is configured to receive a network address of the service server sent by the terminal.
- the path establishing unit 5032 is configured to: if the stored service whitelist includes the network address of the service server, or if the stored service blacklist does not include the network address of the service server, establish the first path between the terminal and the service server on the first network, and establish the second path between the terminal and the service server on the second network.
- The first network is an LTE network, and the second network is a DSL network or a Wi-Fi network.
- After the terminal accesses the first network through the first network access device, the proxy device performs identity verification on the terminal, and after the terminal accesses the second network through the second network access device, the proxy device performs an admission check on the terminal. When both the identity verification and the admission check of the terminal pass, the multipath access of the terminal is legal. The proxy device therefore establishes a first path between the terminal and the service server on the first network, and a second path between the terminal and the service server on the second network. The first path and the second path established in this way have high security, so that the security of subsequent data transmission of the terminal can be ensured.
- FIG. 6 is a schematic structural diagram of a multipath establishing apparatus according to an embodiment of the present disclosure.
- the multipath establishing apparatus may be implemented as part or all of a computer device by software, hardware, or a combination of the two.
- The computer device may be the one shown in FIG. 2B.
- the apparatus includes an identity verification module 601, an admission check module 602, an acquisition module 603, a path establishment module 604, and a data transmission module 605.
- the identity verification module 601 is configured to perform identity verification by using a proxy device after accessing the first network by using the first network access device, where the first network implements communication by using the base station;
- the admission check module 602 is configured to perform an admission check by using the proxy device after accessing the second network by using the second network access device.
- the obtaining module 603 is configured to obtain a network address of the service server after both the authentication and the admission check are passed;
- the path establishing module 604 is configured to: if the stored service whitelist includes the network address of the service server, or if the stored service blacklist does not include the network address of the service server, establish a first path with the service server on the first network and a second path with the service server on the second network, where the service whitelist or the service blacklist is obtained from the proxy device;
- the data transmission module 605 is configured to perform data transmission with the service server by using at least one of the first path and the second path.
- After the terminal accesses the first network through the first network access device, the terminal performs identity verification by using the proxy device, and after the terminal accesses the second network through the second network access device, the terminal performs an admission check by using the proxy device. After the identity verification and the admission check are passed, the multipath access of the terminal is legal, and the terminal can obtain the network address of the service server.
- When the service whitelist includes the network address of the service server, or when the service blacklist does not include the network address of the service server, the terminal establishes a first path with the service server on the first network, and is on the second network.
- When the multipath establishing apparatus provided by the foregoing embodiment establishes multiple paths, the division into the functional modules described above is only an example. In actual applications, the functions may be allocated to different functional modules as needed, that is, the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above.
- The multipath establishing apparatus and the multipath establishing method embodiments belong to the same concept; the specific implementation process is described in detail in the method embodiments, and details are not described herein again.
- the computer program product includes one or more computer instructions.
- the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
- The computer instructions can be stored in a computer readable storage medium or transferred from one computer readable storage medium to another computer readable storage medium. For example, the computer instructions can be transferred from one website, computer, server or data center to another website, computer, server or data center by wire (for example, coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (for example, infrared, wireless, microwave).
- the computer readable storage medium can be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that includes one or more available media.
- The usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a digital versatile disc (DVD)), a semiconductor medium (for example, a solid state disk (SSD)), or the like.
Claims (16)
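- A multipath establishment method, applied to a proxy device, the method comprising: performing identity verification on a terminal that accesses a first network through a first network access device, wherein the first network implements communication through a base station; performing an admission check on the terminal that accesses a second network through a second network access device; and after both the identity verification and the admission check of the terminal pass, establishing a first path between the terminal and a service server on the first network, and establishing a second path between the terminal and the service server on the second network, wherein the first path and the second path are used for data transmission between the terminal and the service server.
- The method according to claim 1, wherein the performing identity verification on a terminal that accesses a first network through a first network access device comprises: receiving an identity verification request that is sent by the first network access device and carries a first network address, wherein the first network address is a network address allocated by the first network access device to the terminal; and performing identity verification on the terminal according to the first network address, to obtain an identity verification result of the terminal.
- The method according to claim 1, wherein the performing an admission check on the terminal that accesses a second network through a second network access device comprises: receiving a first admission check request that is sent by the second network access device and carries a physical address of the terminal; sending a login status query request carrying the physical address to an authentication server, wherein the authentication server queries the login status of the physical address; receiving the login status of the physical address sent by the authentication server; and determining an admission check result of the terminal according to the login status of the physical address.
- The method according to claim 3, wherein after the establishing a first path between the terminal and a service server on the first network, and establishing a second path between the terminal and the service server on the second network, the method further comprises: if it is detected that no data transmission is performed on the second path within a preset duration, sending a login status query request carrying the physical address to the authentication server, wherein the authentication server queries the login status of the physical address; receiving the login status of the physical address sent by the authentication server; and if the login status of the physical address is an offline status, deleting the second path.
- The method according to claim 1, wherein the performing an admission check on the terminal that accesses a second network through a second network access device comprises: receiving a second admission check request that is sent by the second network access device and carries a second network address, wherein the second network address is a network address allocated by the second network access device to the terminal; and determining an admission check result of the terminal according to the second network address and a preset admission address range.
- The method according to claim 1, wherein the establishing a first path between the terminal and a service server on the first network, and establishing a second path between the terminal and the service server on the second network comprises: receiving a network address of the service server sent by the terminal; and if a stored service whitelist includes the network address of the service server, or if a stored service blacklist does not include the network address of the service server, establishing the first path between the terminal and the service server on the first network, and establishing the second path between the terminal and the service server on the second network.
- The method according to any one of claims 1 to 6, wherein the first network is a Long Term Evolution (LTE) network, and the second network is a digital subscriber line (DSL) network or a wireless fidelity (Wi-Fi) network.
- A multipath establishment method, applied to a terminal, the method comprising: after accessing a first network through a first network access device, performing identity verification by using a proxy device, wherein the first network implements communication through a base station; after accessing a second network through a second network access device, performing an admission check by using the proxy device; after both the identity verification and the admission check pass, obtaining a network address of a service server; if a stored service whitelist includes the network address of the service server, or if a stored service blacklist does not include the network address of the service server, establishing a first path with the service server on the first network, and establishing a second path with the service server on the second network, wherein the service whitelist or the service blacklist is obtained from the proxy device; and performing data transmission with the service server by using at least one of the first path and the second path.
- A multipath establishment apparatus, applied to a proxy device, the apparatus comprising: an identity verification module, configured to perform identity verification on a terminal that accesses a first network through a first network access device, wherein the first network implements communication through a base station; an admission check module, configured to perform an admission check on the terminal that accesses a second network through a second network access device; and a path establishing module, configured to: after both the identity verification and the admission check of the terminal pass, establish a first path between the terminal and a service server on the first network, and establish a second path between the terminal and the service server on the second network, wherein the first path and the second path are used for data transmission between the terminal and the service server.
- The apparatus according to claim 9, wherein the identity verification module comprises: a first receiving unit, configured to receive an identity verification request that is sent by the first network access device and carries a first network address, wherein the first network address is a network address allocated by the first network access device to the terminal; and an identity verification unit, configured to perform identity verification on the terminal according to the first network address, to obtain an identity verification result of the terminal.
- The apparatus according to claim 9, wherein the admission check module comprises: a second receiving unit, configured to receive a first admission check request that is sent by the second network access device and carries a physical address of the terminal; a sending unit, configured to send a login status query request carrying the physical address to an authentication server, wherein the authentication server queries the login status of the physical address; a third receiving unit, configured to receive the login status of the physical address sent by the authentication server; and a first determining unit, configured to determine an admission check result of the terminal according to the login status of the physical address.
- The apparatus according to claim 11, wherein the apparatus further comprises: a sending module, configured to: if it is detected that no data transmission is performed on the second path within a preset duration, send a login status query request carrying the physical address to the authentication server, wherein the authentication server queries the login status of the physical address; a receiving module, configured to receive the login status of the physical address sent by the authentication server; and a path deletion module, configured to delete the second path if the login status of the physical address is an offline status.
- The apparatus according to claim 9, wherein the admission check module comprises: a fourth receiving unit, configured to receive a second admission check request that is sent by the second network access device and carries a second network address, wherein the second network address is a network address allocated by the second network access device to the terminal; and a second determining unit, configured to determine an admission check result of the terminal according to the second network address and a preset admission address range.
- The apparatus according to claim 9, wherein the path establishing module comprises: a fifth receiving unit, configured to receive a network address of the service server sent by the terminal; and a path establishing unit, configured to: if a stored service whitelist includes the network address of the service server, or if a stored service blacklist does not include the network address of the service server, establish the first path between the terminal and the service server on the first network, and establish the second path between the terminal and the service server on the second network.
- The apparatus according to any one of claims 9 to 14, wherein the first network is a Long Term Evolution (LTE) network, and the second network is a digital subscriber line (DSL) network or a wireless fidelity (Wi-Fi) network.
- A multipath establishment apparatus, applied to a terminal, the apparatus comprising: an identity verification module, configured to perform identity verification by using a proxy device after accessing a first network through a first network access device, wherein the first network implements communication through a base station; an admission check module, configured to perform an admission check by using the proxy device after accessing a second network through a second network access device; an obtaining module, configured to obtain a network address of a service server after both the identity verification and the admission check pass; a path establishing module, configured to: if a stored service whitelist includes the network address of the service server, or if a stored service blacklist does not include the network address of the service server, establish a first path with the service server on the first network, and establish a second path with the service server on the second network, wherein the service whitelist or the service blacklist is obtained from the proxy device; and a data transmission module, configured to perform data transmission with the service server by using at least one of the first path and the second path.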
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
BR112020015926-3A BR112020015926A2 (pt) | 2018-02-06 | 2019-01-13 | Method and apparatus for establishing multiple paths |
KR1020207024924A KR102367707B1 (ko) | 2018-02-06 | 2019-01-13 | Multipath establishment method and apparatus |
JP2020542402A JP7065985B2 (ja) | 2018-02-06 | 2019-01-13 | Method and apparatus for establishing multipath |
EP19750437.6A EP3737065A4 (en) | 2018-02-06 | 2019-01-13 | PROCESS AND APPARATUS FOR ESTABLISHING MULTIPLE PATHS |
US16/983,708 US11432357B2 (en) | 2018-02-06 | 2020-08-03 | Multipath establishment method and apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810119602.7A CN110120932B (zh) | 2018-02-06 | 2018-02-06 | Multipath establishment method and apparatus |
CN201810119602.7 | 2018-02-06 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/983,708 Continuation US11432357B2 (en) | 2018-02-06 | 2020-08-03 | Multipath establishment method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019154017A1 (zh) | 2019-08-15 |
Family
ID=67520147
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/071509 WO2019154017A1 (zh) | 2018-02-06 | 2019-01-13 | Multipath establishment method and apparatus |
Country Status (7)
Country | Link |
---|---|
US (1) | US11432357B2 (zh) |
EP (1) | EP3737065A4 (zh) |
JP (1) | JP7065985B2 (zh) |
KR (1) | KR102367707B1 (zh) |
CN (1) | CN110120932B (zh) |
BR (1) | BR112020015926A2 (zh) |
WO (1) | WO2019154017A1 (zh) |
2018
- 2018-02-06 CN CN201810119602.7A patent/CN110120932B/zh active Active
2019
- 2019-01-13 BR BR112020015926-3A patent/BR112020015926A2/pt unknown
- 2019-01-13 WO PCT/CN2019/071509 patent/WO2019154017A1/zh unknown
- 2019-01-13 EP EP19750437.6A patent/EP3737065A4/en not_active Withdrawn
- 2019-01-13 KR KR1020207024924A patent/KR102367707B1/ko active IP Right Grant
- 2019-01-13 JP JP2020542402A patent/JP7065985B2/ja active Active
2020
- 2020-08-03 US US16/983,708 patent/US11432357B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN110120932B (zh) | 2020-10-23 |
EP3737065A1 (en) | 2020-11-11 |
KR102367707B1 (ko) | 2022-02-24 |
CN110120932A (zh) | 2019-08-13 |
US20200367306A1 (en) | 2020-11-19 |
JP7065985B2 (ja) | 2022-05-12 |
KR20200112960A (ko) | 2020-10-05 |
BR112020015926A2 (pt) | 2021-03-30 |
JP2021513262A (ja) | 2021-05-20 |
US11432357B2 (en) | 2022-08-30 |
EP3737065A4 (en) | 2020-12-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19750437; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2020542402; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2019750437; Country of ref document: EP; Effective date: 20200805 |
| ENP | Entry into the national phase | Ref document number: 20207024924; Country of ref document: KR; Kind code of ref document: A |
| REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112020015926; Country of ref document: BR |
| ENP | Entry into the national phase | Ref document number: 112020015926; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20200805 |