WO2019205934A1 - Information transmission method and relevant device - Google Patents


Info

Publication number: WO2019205934A1
Authority: WO (WIPO (PCT))
Prior art keywords: user plane, data packet, encrypted, plane data, address
Application number: PCT/CN2019/082017
Other languages: French (fr), Chinese (zh)
Inventors: 刘强生, 王爱成
Original Assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2019205934A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/162 Implementing security features at a particular protocol layer at the data link layer
    • H04L 63/164 Implementing security features at a particular protocol layer at the network layer
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Definitions

  • the present application relates to the field of wireless communications technologies, and in particular, to an information transmission method and related devices.
  • the uplink data sent by the user equipment (UE) is transmitted to the core network through the base station (eNodeB, eNB), and the uplink data needs to undergo the following encryption/decryption process, as shown in FIG. 1.
  • a base station encryption diagram includes: 1. the UE performs air interface encryption on the uplink data to protect it during wireless transmission; 2. after receiving the uplink data sent by the UE, the eNB decrypts it and, before forwarding the decrypted uplink data to the core network, encrypts it again to protect it while it crosses the backhaul network. Similarly, the downlink data sent from the core network to the UE also undergoes two encryption/decryption passes.
  • a conventional eNB node can be decomposed into a central unit (CU) and a plurality of distributed units (DUs), and communication between the CU and the DU needs to cross the backhaul network.
  • CU central unit
  • DU distributed units
  • IPSec Internet Protocol Security
  • IPSec encryption/decryption requires a large amount of CPU resources to be consumed, resulting in an increase in cost.
  • the embodiment of the present application provides an information transmission method and related device, which are used to reduce CPU consumption and reduce cost while ensuring data security.
  • a first aspect of the embodiments of the present application provides an information transmission method, including: performing a security negotiation between a central unit CU and a user equipment UE, and obtaining a negotiation result, where the negotiation result is used to indicate whether the air interface between the CU and the UE is encrypted using the packet data convergence layer PDCP protocol;
  • the CU sending a first message to the distributed unit DU; when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security IPSec protocol.
  • the DU is provided with a first interface, where the first interface is an interface for user plane communication between the DU and the CU;
  • the first interface is configured with a first encrypted address and a first unencrypted address, where the first encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first unencrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol; after the CU sends the first message to the DU, the method further includes: the CU receiving a first response message sent by the DU, where the first response message is used to indicate that the address of the user plane bearer at the DU end is the first unencrypted address.
  • the method further includes: the CU encrypting the downlink user plane data packet using the PDCP protocol; the CU setting the destination address of the downlink user plane data packet to the first unencrypted address; the CU determining, according to the first unencrypted address, that the downlink user plane data packet is not to be encrypted using the IPSec protocol; and the CU sending the downlink user plane data packet to the DU.
  • when the negotiation result indicates that the air interface is not encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer is encrypted using the IPSec protocol, and the first response message is used to indicate that the address of the user plane bearer at the DU end is the first encrypted address.
  • the method further includes: the CU setting the destination address of the downlink user plane data packet to the first encrypted address; the CU determining, according to the first encrypted address, that the downlink user plane data packet is to be encrypted using the IPSec protocol, and obtaining the encrypted downlink user plane data packet; and the CU sending the encrypted downlink user plane data packet to the DU.
  • the method further includes: the CU encrypting the downlink user plane data packet using the PDCP protocol; the CU setting the destination address of the downlink user plane data packet to the first unencrypted address; and the CU sending the downlink user plane data packet to the security gateway SeGW.
  • the method further includes: the CU setting the destination address of the downlink user plane data packet to the first encrypted address; and the CU sending the downlink user plane data packet to the SeGW.
  • the CU has a second interface, where the second interface is an interface for user plane communication between the CU and the DU;
  • the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second unencrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol.
  • when the negotiation result indicates that the air interface is not encrypted using the PDCP protocol, the first message carries the second encrypted address;
  • when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message carries the second unencrypted address.
  • the method further includes: the CU receiving a target user plane data packet; when the protocol port number used by the target user plane data packet falls within a first interval, the CU determines to encrypt/decrypt the target user plane data packet using the IPSec protocol, and when it falls within a second interval, the CU determines not to encrypt/decrypt the target user plane data packet using the IPSec protocol; or, when the protocol used by the target user plane data packet is a first protocol, the CU determines to encrypt/decrypt the target user plane data packet using the IPSec protocol, and when the protocol used is a second protocol, the CU determines not to encrypt/decrypt the target user plane data packet using the IPSec protocol.
  • a second aspect of the embodiments of the present application provides an information transmission method, including: when the air interface between a central unit CU and a user equipment UE is encrypted using the packet data convergence layer PDCP protocol, the distributed unit DU receiving a first message sent by the CU, where the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security IPSec protocol.
  • the DU is provided with a first interface, where the first interface is an interface for user plane communication between the DU and the CU;
  • the first interface is configured with a first encrypted address and a first unencrypted address, where the first encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first unencrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol;
  • the method further includes: the DU sending a first response message to the CU, where the first response message is used to indicate that the address of the user plane bearer at the DU end is the first unencrypted address.
  • when the air interface is encrypted using the PDCP protocol, the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting the source address of the uplink user plane data packet to the first unencrypted address; the DU determining, according to the first unencrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol; and the DU sending the uplink user plane data packet to the CU.
  • when the air interface is not encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer is encrypted using the IPSec protocol, and the first response message is used to indicate that the address of the user plane bearer at the DU end is the first encrypted address.
  • when the air interface is not encrypted using the PDCP protocol, the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting the source address of the uplink user plane data packet to the first encrypted address; the DU determining, according to the first encrypted address, to encrypt the uplink user plane data packet using the IPSec protocol and obtaining the encrypted uplink user plane data packet; and the DU sending the encrypted uplink user plane data packet to the CU.
  • the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting the source address of the uplink user plane data packet to the first unencrypted address; the DU determining, according to the first unencrypted address, that the uplink user plane data packet is not encrypted using the IPSec protocol; and the DU sending the uplink user plane data packet to the SeGW.
  • the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting the source address of the uplink user plane data packet to the first encrypted address; the DU determining, according to the first encrypted address, that the uplink user plane data packet is encrypted using the IPSec protocol, and obtaining the encrypted uplink user plane data packet; and the DU sending the encrypted uplink user plane data packet to the SeGW.
  • the CU has a second interface, where the second interface is an interface for user plane communication between the CU and the DU;
  • the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second unencrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol.
  • when the air interface is encrypted using the PDCP protocol, the first message carries the second unencrypted address;
  • when the air interface is not encrypted using the PDCP protocol, the first message carries the second encrypted address.
  • when the air interface is encrypted using the PDCP protocol, the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting the destination address of the uplink user plane data packet to the second unencrypted address; the DU determining, according to the second unencrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol; and the DU sending the uplink user plane data packet to the CU.
  • when the air interface is not encrypted using the PDCP protocol, the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting the destination address of the uplink user plane data packet to the second encrypted address; the DU determining, according to the second encrypted address, to encrypt the uplink user plane data packet using the IPSec protocol and obtaining the encrypted uplink user plane data packet; and the DU sending the encrypted uplink user plane data packet to the CU.
  • the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting the destination address of the uplink user plane data packet to the second unencrypted address; the DU determining, according to the second unencrypted address, that the uplink user plane data packet is not encrypted using the IPSec protocol; and the DU sending the uplink user plane data packet to the SeGW.
  • the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting the destination address of the uplink user plane data packet to the second encrypted address; the DU determining, according to the second encrypted address, that the uplink user plane data packet is encrypted using the IPSec protocol, and obtaining the encrypted uplink user plane data packet; and the DU sending the encrypted uplink user plane data packet to the SeGW.
  • a third aspect of the embodiments of the present application provides a central unit CU, including: a first transceiver unit, configured to perform security negotiation with a user equipment UE to obtain a negotiation result, where the negotiation result is used to indicate whether the air interface between the CU and the UE is encrypted using the packet data convergence layer PDCP protocol; and a second transceiver unit, configured to send a first message to the distributed unit DU, where, when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security IPSec protocol.
  • the DU has a first interface, where the first interface is an interface for user plane communication between the DU and the CU;
  • the first interface is configured with a first encrypted address and a first unencrypted address, where the first encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first unencrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol;
  • the second transceiver unit is further configured to receive a first response message sent by the DU, where the first response message is used to indicate that the address of the user plane bearer at the DU end is the first unencrypted address.
  • the CU further includes: a processing unit, configured to encrypt a downlink user plane data packet using the PDCP protocol and to set the destination address of the downlink user plane data packet to the first unencrypted address; and a determining unit, configured to determine, according to the first unencrypted address, that the downlink user plane data packet is not encrypted using the IPSec protocol;
  • the second transceiver unit is further configured to send the downlink user plane data packet to the DU.
  • when the negotiation result indicates that the air interface is not encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer is encrypted using the IPSec protocol, and the first response message is used to indicate that the address of the user plane bearer at the DU end is the first encrypted address.
  • the processing unit is further configured to: encrypt the downlink user plane data packet using the PDCP protocol; and set the destination address of the downlink user plane data packet
  • a third transceiver unit is configured to send the downlink user plane data packet to the SeGW.
  • the CU has a second interface, where the second interface is an interface for user plane communication between the CU and the DU;
  • the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second unencrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol.
  • a fourth aspect of the present application provides a distributed unit DU, including: a first transceiver unit, configured to receive a first message sent by the CU when the air interface between a central unit CU and a user equipment UE is encrypted using the packet data convergence layer PDCP protocol, where the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security IPSec protocol.
  • the DU has a first interface, where the first interface is an interface for user plane communication between the DU and the CU;
  • the first interface is configured with a first encrypted address and a first unencrypted address, where the first encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first unencrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol;
  • the first transceiver unit is further configured to send a first response message to the CU, where the first response message is used to indicate that the address of the user plane bearer at the DU end is the first unencrypted address.
  • when the air interface is encrypted using the PDCP protocol, the DU further includes: a second transceiver unit, configured to receive an uplink user plane data packet sent by the UE; a processing unit, configured to set the source address of the uplink user plane data packet to the first unencrypted address; and a determining unit, configured to determine, according to the first unencrypted address, that the uplink user plane data packet is not encrypted using the IPSec protocol; the first transceiver unit is further configured to send the uplink user plane data packet to the CU.
  • the second transceiver unit is further configured to receive an uplink user plane data packet sent by the UE; the processing unit is further configured to set the source address of the uplink user plane data packet to the first unencrypted address; the determining unit is further configured to determine, according to the first unencrypted address, that the uplink user plane data packet is not encrypted using the IPSec protocol; and a third transceiver unit is configured to send the uplink user plane data packet to the SeGW.
  • the CU has a second interface, where the second interface is an interface for user plane communication between the CU and the DU;
  • the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second unencrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol;
  • the DU further includes: the second transceiver unit, configured to receive an uplink user plane data packet sent by the UE; the processing unit is further configured to set the destination address of the uplink user plane data packet to the second unencrypted address;
  • the method further includes: determining, according to the second unencrypted address, that the uplink user plane data packet is encrypted by using the IPSec
  • a fifth aspect of the present application provides a computer readable storage medium having stored therein instructions that, when executed on a computer, cause the computer to perform the methods described in the above aspects.
  • a sixth aspect of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods described in the various aspects above.
  • the embodiment of the present application has the following advantages: the central unit CU performs security negotiation with the user equipment UE and obtains a negotiation result, where the negotiation result is used to indicate whether the air interface between the CU and the UE is encrypted using the packet data convergence layer PDCP protocol; the CU sends a first message to the distributed unit DU; when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security IPSec protocol.
  • when the result of the negotiation between the CU and the UE is that the air interface between them is encrypted using the PDCP protocol, the CU notifies the DU that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol; this guarantees data security while also reducing CPU resource consumption and cost.
  • FIG. 1 is a schematic diagram of a possible existing base station encryption.
  • FIG. 2 is a schematic diagram of a possible function provided by an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a possible data encryption transmission according to an embodiment of the present application.
  • FIG. 4a is a flowchart of a possible information transmission method according to an embodiment of the present application.
  • FIG. 4b is a flowchart of another possible information transmission method according to an embodiment of the present application.
  • FIG. 4c is a schematic diagram of a possible interface provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a possible data packet transmission according to an embodiment of the present application.
  • FIG. 5 is a flowchart of another possible information transmission method according to an embodiment of the present application.
  • FIG. 5b is a flowchart of another possible information transmission method according to an embodiment of the present application.
  • FIG. 6 is a flowchart of another possible method for transmitting information according to an embodiment of the present application.
  • FIG. 6b is a flowchart of another possible information transmission method according to an embodiment of the present application.
  • FIG. 7 is a schematic diagram of another possible data encryption transmission provided by an embodiment of the present application.
  • FIG. 7b is a flowchart of another possible information transmission method according to an embodiment of the present application.
  • FIG. 7c is a flowchart of another possible method for transmitting information according to an embodiment of the present application.
  • FIG. 8 is a flowchart of another possible information transmission method according to an embodiment of the present application.
  • FIG. 8b is a flowchart of another possible information transmission method according to an embodiment of the present application.
  • FIG. 9 is a flowchart of another possible information transmission method according to an embodiment of the present application.
  • FIG. 9b is a flowchart of another possible information transmission method according to an embodiment of the present application.
  • FIG. 10 is a schematic diagram of an embodiment of a possible central unit according to an embodiment of the present application.
  • FIG. 11 is a schematic diagram of an embodiment of a possible distributed unit according to an embodiment of the present disclosure.
  • FIG. 12 is a schematic block diagram of a communication apparatus according to an embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application.
  • FIG. 14 is a schematic structural diagram of a system according to an embodiment of the present application.
  • the embodiment of the present application provides an information transmission method and related equipment, which are used to ensure data security, reduce CPU resource consumption, and speed up the system.
  • the function of the eNB node is split into two parts: CU and DU, and the functions of the CU and the DU are separated and deployed.
  • the DU is deployed in the original access network and the CU is moved closer to the core network.
  • FIG. 2 shows a possible function diagram provided by the present application.
  • the air interface of the eNB uses a layered protocol stack; from top to bottom it consists of radio resource control (RRC), PDCP, radio link control (RLC), media access control (MAC), and the physical layer (PHY).
  • RRC radio resource control
  • the eNB is connected to the evolved packet core (EPC) through the S1 interface for signaling or data transmission.
  • RLC radio link control
  • MAC media access control
  • PHY physical layer
  • EPC evolved packet core
  • RRC and PDCP of the original eNB are deployed on the CU;
  • RLC, MAC, and PHY are deployed on the DU;
  • the CU is connected to the EPC through the S1 interface, and the CU and the DU are connected by the new interface Itf-CuDu to transmit signaling or data. It should be noted that the naming of the new interface is not limited in this application.
  • the user data transmitted by the UE is delivered to the CU and needs to undergo the following encryption/decryption process.
  • FIG. 3 is a possible data encryption transmission diagram, showing the user data flow from the UE through the DU to the CU, where:
  • the air interface between the UE and the CU is encrypted to ensure the security of the user data during wireless transmission. It should be noted that air interface encryption/decryption is handled by PDCP in the 3GPP protocol, so the UE and the CU each have a corresponding processing module responsible for PDCP encryption and PDCP decryption;
  • the IPSec protocol is introduced between the CU and the DU to ensure the security of user data transmission between them; therefore, the DU and the CU each have a corresponding processing module responsible for IPSec encryption and IPSec decryption.
  • in many scenarios the user data from the UE to the CU has already been PDCP-encrypted when it is transmitted on the CU-DU interface. From the perspective of user data security, encrypting it again with IPSec is unnecessary, and IPSec encryption and decryption also consume a lot of CPU resources.
  • the embodiment of the present application provides a data encryption method, which can be applied to various application scenarios, including:
  • Scenario 1: the first interface on the DU side is configured with a DU-side specific IP address to establish a user plane bearer; the DU-side specific IP address is used to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol.
  • the DU-side specific IP address includes a first encrypted address and a first unencrypted address, where the first encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first unencrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol; the first interface is an interface for user plane communication between the DU and the CU.
  • the IP address on the second interface on the CU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol, where the second interface is an interface for user plane communication between the CU and the DU;
  • Scenario 2: the first interface on the DU side is configured with a DU-side specific IP address to establish a user plane bearer, and the second interface on the CU side is also configured with a CU-side specific IP address to establish a user plane bearer.
  • the CU-side specific IP address is used to distinguish whether the user plane bearer between the CU and the DU is encrypted using the IPSec protocol; for example, the CU-side specific IP address includes a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second unencrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol;
  • the second interface on the CU side is configured with a CU-side specific IP address to establish a user plane bearer, and the IP address on the first interface on the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol;
  • the first interface on the DU side is configured with a DU-side specific IP address to establish a user plane bearer, and the IP address on the second interface on the CU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol;
  • Scenario 5: the first interface on the DU side is configured with a DU-side specific IP address to establish a user plane bearer, and the second interface on the CU side is also configured with a CU-side specific IP address to establish a user plane bearer;
  • the second interface on the CU side is configured with a CU-side specific IP address to establish a user plane bearer, and the IP address on the first interface on the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol.
  • An embodiment of the method in scenario 1 of the embodiment of the present application is introduced below, which specifically includes:
  • the CU performs security negotiation with the UE to obtain a negotiation result.
  • the negotiation result is used to indicate whether the air interface between the CU and the UE is encrypted using the PDCP protocol, where the air interface is an interface between the UE and the base station.
  • The CU and the UE may perform the security negotiation to obtain the negotiation result in multiple manners, including: the UE sends algorithm set information to the CU, where the algorithm set information includes information about the algorithms supported by the UE; the CU receives the algorithm set information, compares the algorithms in the algorithm set information with the algorithms supported by the CU, and determines the intersection algorithm, that is, the algorithms supported by both the CU and the UE. It can be understood that the intersection algorithm may include one or more algorithms. When the intersection algorithm includes a single algorithm, the CU sends the information of the intersection algorithm to the UE.
  • If the intersection algorithm is an encryption algorithm, the negotiation result is that the air interface between the CU and the UE is encrypted using the PDCP protocol; if the intersection algorithm is an unencrypted algorithm, the negotiation result is that the air interface between the CU and the UE is not encrypted using the PDCP protocol.
  • If the intersection algorithm includes multiple algorithms, the CU may select one of the encryption algorithms among them to send to the UE, in which case the negotiation result is that the air interface is encrypted using the PDCP protocol; or the CU may select any one of the multiple algorithms to send to the UE, in which case, if the selected algorithm is an encryption algorithm, the negotiation result is that the air interface is encrypted using the PDCP protocol; otherwise, the negotiation result is that the air interface is not encrypted using the PDCP protocol.
  • The manner in which the CU and the UE perform the security negotiation to obtain the negotiation result is not limited herein.
  • If the negotiation result indicates that the air interface between the CU and the UE is encrypted using the PDCP protocol, steps 402-411 in FIG. 4a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, steps 412-421 in FIG. 4b are performed; the details are as follows:
  • the CU sends the first indication information to the DU.
  • When the negotiation result indicates that the air interface is encrypted by using the PDCP protocol, the CU sends a first message to the DU through the first control plane interface, where the first message carries the first indication information, and the first indication information is used to indicate that the user plane bearer between the CU and the DU is not encrypted by using the IPSec protocol; the first control plane interface is an interface for the control plane communication between the CU and the DU.
  • For example, a 1-bit encryption indication bit may be set in the first message: when the encryption indication bit is set to 0, it indicates that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol; when the encryption indication bit is set to 1, it indicates that the user plane bearer between the CU and the DU is encrypted by using the IPSec protocol. Optionally, a 2-bit encryption indication field may be set in the first message: when it is set to 01, it indicates that the user plane bearer between the CU and the DU is not encrypted by using the IPSec protocol; when it is set to 10, it indicates that the user plane bearer between the CU and the DU is encrypted using the IPSec protocol. The manner in which the CU indicates to the DU whether the user plane bearer is encrypted by using the IPSec protocol is not limited in this application.
  • the user plane bearer between the CU and the DU can be understood as a GTP-U tunnel established between the CU and the DU for transmitting the user plane data stream.
  • the first message may be a user plane bearer setup request message, or may be other existing messages or new messages, which is not limited in this application.
  • When the first message is a user plane bearer setup request message, the first message may carry a user plane address on the CU side.
  • the DU sends a first response message to the CU.
  • the first interface on the DU side is configured with a specific IP address on the DU side to establish a user plane bearer with the CU, and the specific IP address on the DU side is used to distinguish whether the user plane bearer between the DU and the CU is encrypted by using the IPSec protocol.
  • FIG. 4c is a schematic diagram of a possible DU side interface provided by the embodiment of the present application.
  • the first interface is an interface used by the DU side to communicate with the CU, and the first interface includes at least two specific user plane IP addresses, that is, the first encrypted address and the first unencrypted address, where the first encrypted address is used in the IPSec communication scenario and indicates that the user plane data packet is encrypted/decrypted by using the IPSec protocol, and the first unencrypted address is used in the non-IPSec communication scenario and indicates that the user plane data packet is not encrypted/decrypted by using the IPSec protocol.
  • FIG. 4c is merely an exemplary diagram; the first interface, the first encrypted address and the first unencrypted address may be understood as logical concepts rather than physical ones.
  • The DU determines, according to the first indication information, that the user plane bearer between the DU and the CU does not need IPSec encryption, selects the first unencrypted address as the user plane address of the first interface for establishing the user plane bearer, that is, the GTP-U tunnel between the CU and the DU, and sends a first response message to the CU in response to the first message, where the first response message carries first response information, and the first response information includes the first unencrypted address, to indicate to the CU that the DU-side address of the user plane bearer between the DU and the CU is the first unencrypted address.
  • the first response message may be a user plane bearer setup response message, or may be another existing message or a new message, which is not limited in this application. Therefore, when the DU obtains the user plane address on the CU side, and the CU obtains the user plane address on the DU side, the establishment of the user plane bearer between the CU and the DU can be realized.
  • the UE sends a first uplink user plane data packet to the DU.
  • the UE transmits the user plane data to the core network through the DU and the CU.
  • Because the negotiation result between the CU and the UE is that the air interface between the CU and the UE is encrypted by using the PDCP protocol, the UE performs PDCP encryption processing on the first uplink user plane data packet and sends the encrypted first uplink user plane data packet to the DU over the air interface.
  • the DU determines whether to encrypt the first uplink user plane data packet by using the IPSec protocol.
  • the DU sends a first uplink user plane data packet to the CU.
  • FIG. 4d is a schematic diagram of a possible data packet transmission.
  • the UE sends a data packet in which the address of the UE is the source address and the address of the server on the Internet to be reached is the destination address, and the UE transmits the data packet to the eNB.
  • the eNB encapsulates the data packet into a GTP packet that can be transmitted in the GTP tunnel, the source address of the data packet is replaced with the address of the eNB, and the destination address is replaced with the address of the serving gateway (SGW) to be reached.
  • at the SGW, the source address of the data packet is changed to the address of the SGW, the destination address of the data packet is changed to the address of the packet data network gateway (P-GW), and the tunnel used for transmission is also changed from the S1 GTP tunnel.
  • the P-GW unpacks the data packet, obtains its real destination address, and then sends the data packet to the server corresponding to the destination address, completing the upload of a data packet from the UE to the Internet.
  • the DU uses the first unencrypted address as the source address of the first uplink user plane data packet to complete the encapsulation of the GTP-U tunnel.
  • the DU determines, according to the first unencrypted address, that the first uplink user plane data packet is not encrypted by using the IPSec protocol, and the first uplink user plane data packet is directly sent to the CU by using the first interface on the DU side.
  • the CU determines whether to decrypt the first uplink user plane data packet by using the IPSec protocol.
  • the CU sends a first uplink user plane data packet to the SGW.
  • After receiving the first uplink user plane data packet that is not encrypted by the IPSec protocol, the CU performs GTP-U decapsulation on it, obtains the decapsulated first uplink user plane data packet and directly performs subsequent processing, where the subsequent processing includes: the CU uses the PDCP protocol to perform air interface decryption on the first uplink user plane data packet and, before the first uplink user plane data packet is sent to the SGW, encrypts it again to ensure the security of the first uplink user plane data packet transmitted between the CU and the SGW. Then the CU sends the first uplink user plane data packet after the subsequent processing to the SGW.
  • the SGW sends a first downlink user plane data packet to the CU.
  • the CU determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
  • the CU sends the first downlink user plane data packet to the DU.
  • When the core network needs to send the first downlink user plane data packet to the UE through the CU and the DU, the CU receives the first downlink user plane data packet from the core network. If the negotiation result between the CU and the UE is that the air interface between the CU and the UE needs to be encrypted by using the PDCP protocol, the CU performs PDCP encryption processing on the first downlink user plane data packet.
  • the CU uses the first unencrypted address as the destination address of the first downlink user plane data packet to complete the encapsulation of the GTP-U tunnel. The CU determines, according to the first unencrypted address, that the first downlink user plane data packet is not encrypted by using the IPSec protocol, and sends the first downlink user plane data packet directly to the DU through the second interface on the CU side.
  • the DU determines whether to decrypt the first downlink user plane data packet by using the IPSec protocol.
  • the DU sends a first downlink user plane data packet to the UE.
  • After receiving the first downlink user plane data packet that is not encrypted by the IPSec protocol, the DU can determine from the format of the first downlink user plane data packet that it is not to be decrypted using the IPSec protocol, directly performs GTP-U decapsulation on it to obtain the decapsulated first downlink user plane data packet, and then performs subsequent processing, where the subsequent processing includes: sending the first downlink user plane data packet to the UE over the air interface, so that the UE decrypts the first downlink user plane data packet by using the PDCP protocol to obtain the decrypted first downlink user plane data packet.
  • The first uplink user plane data packet is transmitted from the UE to the SGW through steps 404 to 407b, and the first downlink user plane data packet is transmitted from the SGW to the UE through steps 408a to 411.
  • steps 404 to 407b may be performed first, or steps 408a to 411 may be performed first, or may be performed at the same time, which is not limited herein.
  • The embodiment shown in FIG. 4b specifically includes:
  • the CU sends the second indication information to the DU.
  • the first message sent by the CU to the DU through the first control plane interface carries the second indication information, where the second indication information is used to indicate that the user plane bearer between the CU and the DU is encrypted using the IPSec protocol.
  • the DU sends a second response message to the CU.
  • After receiving the second indication information carried by the first message sent by the CU, the DU determines, according to the second indication information, that the user plane bearer between the DU and the CU needs IPSec encryption, uses the first encrypted address as the user plane address of the first interface to establish the user plane bearer between the CU and the DU, that is, the GTP-U tunnel, and sends a first response message carrying second response information to the CU, where the second response information includes the first encrypted address, to indicate to the CU that the DU-side address of the user plane bearer between the DU and the CU is the first encrypted address.
  • the UE sends a second uplink user plane data packet to the DU.
  • Because the negotiation result between the CU and the UE is that the air interface between the CU and the UE is not encrypted by using the PDCP protocol, the UE does not perform PDCP encryption processing on the second uplink user plane data packet, and sends the second uplink user plane data packet directly to the DU over the air interface.
  • the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
  • the DU sends a second uplink user plane data packet to the CU.
  • the DU uses the first encrypted address as the source address of the second uplink user plane data packet to complete the encapsulation of the GTP-U tunnel.
  • The DU determines, according to the first encrypted address, to encrypt the second uplink user plane data packet by using the IPSec protocol, and obtains the IPSec-encrypted second uplink user plane data packet. The DU then sends the IPSec-encrypted second uplink user plane data packet directly to the CU through the first interface on the DU side.
  • the CU determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
  • the CU sends a second uplink user plane data packet to the SGW.
  • After receiving the second uplink user plane data packet, the CU decrypts it by using the IPSec protocol, and then performs GTP-U decapsulation to obtain the decapsulated second uplink user plane data packet.
  • Before the CU sends the second uplink user plane data packet to the SGW, the CU performs subsequent processing on the second uplink user plane data packet, where the subsequent processing may include: according to the security configuration between the CU and the SGW, encrypting the second uplink user plane data packet by using the IPSec protocol to ensure the security of the second uplink user plane data packet transmitted between the CU and the core network. The CU then sends the second uplink user plane data packet after the subsequent processing to the SGW.
  • the SGW sends a second downlink user plane data packet to the CU.
  • the CU determines to encrypt the second downlink user plane data packet by using the IPSec protocol.
  • the CU sends a second downlink user plane data packet to the DU.
  • the CU receives the second downlink user plane data packet from the core network.
  • the CU determines, according to the negotiation result, that the second downlink user plane data packet is not encrypted using the PDCP protocol.
  • the CU uses the first encrypted address as the destination address of the second downlink user plane data packet to complete the encapsulation of the GTP-U tunnel.
  • the CU determines, according to the first encrypted address, that the second downlink user plane data packet is to be encrypted by using the IPSec protocol, to obtain the second downlink user plane data packet after the IPSec encryption.
  • the IPSec-encrypted second downlink user plane data packet is sent to the DU through the second interface on the CU side.
  • the DU determines to decrypt the second downlink user plane data packet by using the IPSec protocol.
  • the DU sends a second downlink user plane data packet to the UE.
  • After receiving the second downlink user plane data packet, the DU decrypts it by using the IPSec protocol, then performs GTP-U decapsulation to obtain the decapsulated second downlink user plane data packet, and performs subsequent processing on it, where the subsequent processing includes: sending the decapsulated second downlink user plane data packet to the UE over the air interface; the UE does not need to decrypt the decapsulated second downlink user plane data packet by using the PDCP protocol.
  • The second uplink user plane data packet is transmitted from the UE to the core network through steps 414 to 417b, and the second downlink user plane data packet is transmitted from the core network to the UE through steps 418a to 421.
  • steps 414 to 417b may be performed first, or steps 418a to 421 may be performed first, or may be performed at the same time, which is not limited herein.
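The exchanges of FIG. 4a and FIG. 4b share one mechanism: the CU derives an encryption indication from the PDCP negotiation result, the DU answers with its first encrypted or first unencrypted address, and from then on the DU-side GTP-U address alone tells either end whether IPSec applies. The following is an added illustration written for this page, not code from the patent; the IPv4 addresses and the message/field names are constructed assumptions, while the 0/1 and 01/10 code points are the ones the text gives.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed addresses (assumptions, not values from the patent): the two
# DU-side user plane addresses of the first interface and the CU-side address.
FIRST_ENCRYPTED_ADDRESS = IPv4Address("10.1.0.2")
FIRST_UNENCRYPTED_ADDRESS = IPv4Address("10.1.0.3")
CU_USER_PLANE_ADDRESS = IPv4Address("10.2.0.1")


def cu_indication_bit(air_interface_pdcp_encrypted: bool) -> int:
    """CU side: 1-bit encryption indication carried in the first message.
    0 = user plane bearer between CU and DU is not IPSec encrypted,
    1 = it is IPSec encrypted (the encoding given in the text)."""
    return 0 if air_interface_pdcp_encrypted else 1


def indication_is_valid(value: int, width: int) -> bool:
    """True only for the code points the text defines: 0/1 for the 1-bit
    form, 01/10 for the 2-bit form. 00 and 11 are left undefined."""
    if width == 1:
        return value in (0, 1)
    if width == 2:
        return value in (0b01, 0b10)
    return False


def decode_indication(value: int, width: int) -> bool:
    """Receiver side: map the indication field to 'IPSec on the user plane bearer?'.
    Undefined code points are rejected rather than guessed at."""
    if not indication_is_valid(value, width):
        raise ValueError(f"undefined encryption indication {value:0{width}b}")
    return value == (1 if width == 1 else 0b10)


@dataclass(frozen=True)
class FirstMessage:
    """User plane bearer setup request (the page's 'first message')."""
    encryption_indication: int
    cu_user_plane_address: IPv4Address


@dataclass(frozen=True)
class FirstResponse:
    """User plane bearer setup response (the page's 'first response message')."""
    du_user_plane_address: IPv4Address


def du_select_address(msg: FirstMessage) -> FirstResponse:
    """DU side: answer with the first-interface address that encodes the decision."""
    ipsec = decode_indication(msg.encryption_indication, width=1)
    addr = FIRST_ENCRYPTED_ADDRESS if ipsec else FIRST_UNENCRYPTED_ADDRESS
    return FirstResponse(du_user_plane_address=addr)


def ipsec_required(du_address: IPv4Address) -> bool:
    """Data plane, either end: the DU-side GTP-U address (source for uplink,
    destination for downlink) decides whether the packet is IPSec
    encrypted/decrypted. An unknown address is an error, not a silent 'no IPSec'."""
    if du_address == FIRST_ENCRYPTED_ADDRESS:
        return True
    if du_address == FIRST_UNENCRYPTED_ADDRESS:
        return False
    raise ValueError(f"{du_address} is not a configured user plane address")


def setup_bearer(air_interface_pdcp_encrypted: bool):
    """Run the whole exchange; return (DU address, IPSec on the user plane bearer)."""
    msg = FirstMessage(cu_indication_bit(air_interface_pdcp_encrypted), CU_USER_PLANE_ADDRESS)
    resp = du_select_address(msg)
    return resp.du_user_plane_address, ipsec_required(resp.du_user_plane_address)


def user_plane_protected(air_interface_pdcp_encrypted: bool) -> bool:
    """The property the scheme relies on: for either negotiation result, the
    UE -> DU -> CU path is encrypted by at least one of PDCP or IPSec."""
    _, ipsec_on_bearer = setup_bearer(air_interface_pdcp_encrypted)
    return air_interface_pdcp_encrypted or ipsec_on_bearer


if __name__ == "__main__":
    for pdcp in (True, False):
        du_addr, ipsec = setup_bearer(pdcp)
        print(f"PDCP on air interface={pdcp!s:5} -> DU address {du_addr}, IPSec on bearer={ipsec}")
```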
  • In the foregoing embodiment, the first interface of the DU is configured with the first encrypted address and the first unencrypted address to distinguish whether the user plane data stream needs IPSec encryption. Alternatively, the distinction may be made based on port number, for example the user plane data stream encrypted by IPSec uses port numbers 30000-49999; or based on protocol type, for example the user plane data stream requiring IPSec encryption uses the GTPU protocol and the user plane data stream that does not require IPSec encryption uses the UDP protocol. Therefore, there are various ways to distinguish whether IPSec encryption is required, and the specifics are not limited herein.
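To show what the three distinguishing methods above look like in practice, here is an added example (written for this page, not the patent's own code) that classifies captured user plane records by address, by port range, or by protocol label, and compares each classification with whether the record actually arrived inside an ESP envelope. The addresses, record format and sample records are constructed; only the 30000-49999 port range comes from the text.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address, ip_address


class Method(Enum):
    """The three ways the text lists for telling IPSec flows from plain ones."""
    ADDRESS = "address"
    PORT = "port"
    PROTOCOL = "protocol"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dst_port: int
    protocol: str        # "GTPU" or "UDP", the labels the text uses
    esp_protected: bool  # arrived inside an IPSec ESP envelope or not


# Constructed configuration (assumptions, not values from the patent), apart
# from the 30000-49999 range that the text quotes.
ENCRYPTED_ADDRESSES = {IPv4Address("10.1.0.2"), IPv4Address("10.2.0.2")}
IPSEC_PORT_RANGE = range(30000, 50000)


def expects_ipsec(pkt: Packet, method: Method) -> bool:
    """Apply one distinguishing rule to a packet."""
    if method is Method.ADDRESS:
        # DU-side address is the source on uplink and the destination on downlink
        return pkt.src in ENCRYPTED_ADDRESSES or pkt.dst in ENCRYPTED_ADDRESSES
    if method is Method.PORT:
        return pkt.dst_port in IPSEC_PORT_RANGE
    if method is Method.PROTOCOL:
        return pkt.protocol == "GTPU"
    raise ValueError(method)


def check_packet(pkt: Packet, method: Method) -> str:
    """Compare what the rule expects with what actually arrived. Cleartext on a
    flow classed as IPSec is the case that matters: such a bearer carries no
    PDCP encryption either, so it is travelling unprotected."""
    expected = expects_ipsec(pkt, method)
    if expected and not pkt.esp_protected:
        return "ALERT cleartext on IPSec flow"
    if not expected and pkt.esp_protected:
        return "NOTE unexpected ESP on non-IPSec flow"
    return "OK"


def parse_record(line: str) -> Packet:
    """Parse one constructed capture record: 'src dst dst_port proto esp|clear'."""
    src, dst, port, proto, envelope = line.split()
    if envelope not in ("esp", "clear"):
        raise ValueError(f"bad envelope field: {envelope}")
    return Packet(ip_address(src), ip_address(dst), int(port), proto, envelope == "esp")


# Constructed sample records (not a real capture).
SAMPLE_RECORDS = [
    "10.1.0.2 10.2.0.1 30100 GTPU esp",    # encrypted address, IPSec port, ESP: consistent
    "10.1.0.3 10.2.0.1 2152 GTPU clear",   # plain by address/port, but IPSec by protocol rule
    "10.1.0.2 10.2.0.1 30200 GTPU clear",  # classed as IPSec by every rule, yet arrived in clear
    "10.1.0.3 10.2.0.1 2152 UDP esp",      # plain by every rule, yet ESP-protected
]


def audit(records, method: Method):
    """Return [(record, verdict)] for every record under one method. Running all
    three methods over the same records shows that they agree only when the
    address plan, port plan and protocol labelling are configured consistently."""
    return [(line, check_packet(parse_record(line), method)) for line in records]


if __name__ == "__main__":
    for method in Method:
        print(f"--- {method.value}")
        for line, verdict in audit(SAMPLE_RECORDS, method):
            print(f"{verdict:38} {line}")
```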
  • The embodiment of the present application can be implemented not only in the LTE network architecture, but also in the 5G radio access network, the universal mobile telecommunications system (UMTS), and the code division multiple access (CDMA) or wideband code division multiple access (WCDMA) network architecture.
  • In this embodiment, it is possible to flexibly determine whether the transmission of the user plane data stream over the CU-DU interface uses IPSec encryption/decryption according to whether the UE air interface performs PDCP encryption: when the UE air interface performs PDCP encryption, the transmission of the user plane data stream over the CU-DU interface does not use IPSec encryption/decryption; when the UE air interface does not perform PDCP encryption, the transmission of the user plane data stream over the CU-DU interface uses IPSec encryption/decryption. This guarantees the security of the user plane data stream, while the more flexible use of IPSec encryption/decryption reduces CPU resource consumption and speeds up the system.
  • an embodiment of the method in the scenario 2 of the embodiment of the present application includes:
  • the CU performs security negotiation with the UE to obtain a negotiation result.
  • If the negotiation result indicates that the air interface between the CU and the UE is encrypted using the PDCP protocol, steps 502-511 in FIG. 5a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, steps 512-521 in FIG. 5b are performed; the details are as follows:
  • the CU sends the first indication information to the DU.
  • the DU sends a first response message to the CU.
  • the UE sends a first uplink user plane data packet to the DU.
  • the steps 501 to 504 are similar to the steps 401 to 404 in the embodiment shown in FIG. 4a, and details are not described herein again.
  • the DU determines whether to encrypt the first uplink user plane data packet by using the IPSec protocol.
  • the DU sends a first uplink user plane data packet to the CU.
  • the second interface on the CU side is also configured with a specific IP address on the CU side to establish a user plane bearer, and the specific IP address on the CU side is used to distinguish whether the user plane bearer between the CU and the DU is encrypted by using the IPSec protocol; it includes a second encrypted address and a second unencrypted address, where the second encrypted address is used in the IPSec communication scenario and indicates that the packet is encrypted/decrypted using the IPSec protocol, and the second unencrypted address is used in the non-IPSec communication scenario and indicates that the packet is not encrypted/decrypted using the IPSec protocol.
  • the DU uses the second unencrypted address as the destination address of the first uplink user plane data packet to complete the encapsulation of the GTP-U tunnel.
  • the DU determines, according to the second unencrypted address, that the first uplink user plane data packet is not encrypted by using the IPSec protocol, and the first uplink user plane data packet is directly sent to the CU by using the first interface on the DU side.
  • the CU determines that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
  • the CU sends a first uplink user plane data packet to the SGW.
  • The CU may determine, from the format of the first uplink user plane data packet, that it is not to be decrypted using the IPSec protocol, then directly performs GTP-U decapsulation to obtain the decapsulated first uplink user plane data packet, and performs subsequent processing on it, where the CU uses the PDCP protocol to perform air interface decryption on the first uplink user plane data packet and then encrypts it again to ensure the security of the first uplink user plane data packet transmitted between the CU and the core network. Then the CU sends the first uplink user plane data packet after the subsequent processing to the SGW.
  • the SGW sends a first downlink user plane data packet to the CU.
  • the CU determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
  • the CU sends the first downlink user plane data packet to the DU.
  • the DU determines whether to decrypt the first downlink user plane data packet by using the IPSec protocol.
  • the DU sends a first downlink user plane data packet to the UE.
  • the steps 508a to 511 are similar to the steps 408a to 411 in the embodiment shown in FIG. 4a, and details are not described herein again.
  • the transmission of the first uplink data from the UE to the SGW is implemented by using the steps 504 to 507b, and the transmission of the first downlink data from the SGW to the UE is implemented by using the steps 508a to 511.
  • steps 504 to 507b may be performed first, or steps 508a to 511 may be performed first, or may be performed at the same time, which is not limited herein.
  • The embodiment shown in FIG. 5b specifically includes:
  • the CU sends the second indication information to the DU.
  • the DU sends a second response message to the CU.
  • the UE sends a second uplink user plane data packet to the DU.
  • the steps 512 to 514 are similar to the steps 412 to 414 in the embodiment shown in FIG. 4b, and details are not described herein again.
  • the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
  • the DU sends a second uplink user plane data packet to the CU.
  • the DU uses the second encrypted address as the destination address of the second uplink user plane data packet to complete the encapsulation of the GTP-U tunnel.
  • the DU determines, according to the second encrypted address, the IPSec protocol to encrypt the second uplink user plane data packet, and sends the second uplink user plane data packet to the CU directly through the first interface on the DU side.
  • the CU determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
  • the CU sends a second uplink user plane data packet to the SGW.
  • After receiving the second uplink user plane data packet, the CU decrypts it by using the IPSec protocol, then performs GTP-U decapsulation to obtain the decapsulated second uplink user plane data packet, and performs subsequent processing on it, where the subsequent processing may include: before sending the second uplink user plane data packet to the SGW, encrypting it by using the IPSec protocol according to the security configuration between the CU and the SGW, to ensure the security of the second uplink user plane data packet transmitted between the CU and the core network.
  • the CU then sends the second uplink user plane data packet after the subsequent processing to the SGW.
  • the SGW sends a second downlink user plane data packet to the CU.
  • the CU determines to encrypt the second downlink user plane data packet by using the IPSec protocol.
  • the CU sends a second downlink user plane data packet to the DU.
  • the DU determines to decrypt the second downlink user plane data packet by using the IPSec protocol.
  • the DU sends a second downlink user plane data packet to the UE.
  • the steps 518 to 521 are similar to the steps 418 to 421 in the embodiment shown in FIG. 4b, and details are not described herein again.
  • The transmission of the second uplink data from the UE to the SGW is implemented by steps 514 to 517b, and the transmission of the second downlink data from the SGW to the UE is implemented by steps 518a to 521. Between the two processes, steps 514 to 517b may be performed first, or steps 518a to 521 may be performed first, or they may be performed at the same time, which is not limited herein.
  • In this embodiment, the second encrypted address and the second unencrypted address may be configured on the second interface of the CU to distinguish whether the user plane data stream requires IPSec encryption, which adds an achievable manner of the embodiment of the present application.
  • An embodiment of the method in scenario 3 of the embodiment of the present application is described below.
  • the second interface on the CU side is also configured with a specific IP address on the CU side to establish a user plane bearer.
  • the specific IP address of the CU is used to distinguish whether the user plane bearer between the CU and the DU is encrypted by using the IPSec protocol, and includes a second encrypted address and a second unencrypted address, where the second encrypted address is used in the IPSec communication scenario. Indicates that the packet is encrypted/decrypted by using the IPSec protocol.
  • the second non-encrypted address is used in the non-IPSec communication scenario, indicating that the packet is not encrypted or decrypted by using the IPSec protocol.
  • the IP address of the first interface on the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol.
  • the CU performs security negotiation with the UE to obtain a negotiation result.
  • the step 601 is similar to the step 401 in the embodiment shown in FIG. 4a, and details are not described herein again.
  • If the negotiation result indicates that the air interface between the CU and the UE is encrypted using the PDCP protocol, steps 602-611 in FIG. 6a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, steps 612-621 in FIG. 6b are performed; the details are as follows:
  • the CU sends the first indication information to the DU.
  • the first message sent by the CU to the DU through the first control plane interface carries the first indication information, where the first indication information is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol, and that the second unencrypted address is used as the user plane address of the second interface, that is, the CU-side address of the user plane bearer between the CU and the DU is the second unencrypted address.
  • the DU sends a first response message to the CU.
  • After receiving the first indication information carried by the first message sent by the CU, the DU determines, according to the first indication information, that the user plane bearer between the DU and the CU does not need IPSec encryption, and determines that the second unencrypted address is the user plane address of the second interface on the CU side.
  • In response to the first message carrying the first indication information, the DU sends a first response message to the CU, where the first response message includes first response information, and the first response information includes the user plane bearer address on the DU side.
  • the UE sends a first uplink user plane data packet to the DU.
  • the DU determines whether to encrypt the first uplink user plane data packet by using the IPSec protocol.
  • the DU sends a first uplink user plane data packet to the CU.
  • the CU determines that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
  • the CU sends a first uplink user plane data packet to the SGW.
  • the steps 604 to 607b are similar to the steps 504 to 507b in the embodiment shown in FIG. 5a, and details are not described herein again.
  • the SGW sends a first downlink user plane data packet to the CU.
  • the CU determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
  • the CU sends a first downlink user plane data packet to the DU.
  • When the SGW needs to send the first downlink user plane data packet to the UE through the CU and the DU, the CU receives the first downlink user plane data packet from the SGW. If the negotiation result between the CU and the UE is that the air interface between the CU and the UE needs to be encrypted by using the PDCP protocol, the CU performs PDCP encryption processing on the first downlink user plane data packet.
  • the CU uses the second unencrypted address as the source address of the first downlink user plane data packet to complete the encapsulation of the GTP-U tunnel. The CU determines, according to the second unencrypted address, that the first downlink user plane data packet is not encrypted by using the IPSec protocol, and sends the first downlink user plane data packet directly to the DU through the second interface on the CU side.
  • the DU determines whether to decrypt the first downlink user plane data packet by using the IPSec protocol.
  • the DU sends a first downlink user plane data packet to the UE.
  • the steps 610 to 611 are similar to the steps 410 to 411 in the embodiment shown in FIG. 4a, and details are not described herein again.
  • The transmission of the first uplink user plane data packet from the UE to the SGW is implemented through steps 604 to 607b, and the transmission of the first downlink user plane data packet from the core network to the UE is implemented through steps 608a to 611.
  • Steps 604 to 607b may be performed first, or steps 608a to 611 may be performed first, or both may be performed at the same time, which is not limited herein.
  • FIG. 6b specifically includes:
  • the CU sends the second indication information to the DU.
  • The first message sent by the CU to the DU through the first control plane interface carries the second indication information, where the second indication information is used to indicate that the user plane bearer between the CU and the DU is encrypted by using the IPSec protocol, and that the second encrypted address is used as the user plane address of the second interface, that is, the address carried by the user plane between the CU and the DU at the CU end is the second encrypted address.
  • the DU sends a second response message to the CU.
  • After receiving the second indication information carried by the first message sent by the CU, the DU determines, according to the second indication information, that the user plane bearer between the DU and the CU needs to perform IPSec encryption, and determines that the second encrypted address is the user plane address of the second interface on the CU side.
  • In response to the first message carrying the second indication information, the DU sends a first response message carrying the second response information to the CU, where the second response information includes the user plane bearer address on the DU side.
  • the UE sends a second uplink user plane data packet to the DU.
  • the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
  • the DU sends a second uplink user plane data packet to the CU.
  • the CU determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
  • the CU sends a second uplink user plane data packet to the SGW.
  • the steps 614 to 617b are similar to the steps 514 to 517b in the embodiment shown in FIG. 5b, and details are not described herein again.
  • the SGW sends a second downlink user plane data packet to the CU.
  • the CU determines to encrypt the second downlink user plane data packet by using the IPSec protocol.
  • the CU sends a second downlink user plane data packet to the DU.
  • the CU receives the second downlink user plane data packet from the SGW.
  • the CU determines, according to the negotiation result, that the second downlink user plane data packet is encrypted without using the PDCP protocol.
  • The CU uses the second encrypted address as the source address of the second downlink user plane data packet to complete the encapsulation of the GTP-U tunnel. The CU determines, according to the second encrypted address, that the second downlink user plane data packet is to be encrypted by using the IPSec protocol, encrypts it to obtain the IPSec-encrypted second downlink user plane data packet, and sends the encrypted second downlink user plane data packet to the DU through the second interface on the CU side.
  • the DU determines to use the IPSec protocol to decrypt the second downlink user plane data packet.
  • the DU sends a second downlink user plane data packet to the UE.
  • the steps 620 to 621 are similar to the steps 520 to 521 in the embodiment shown in FIG. 5b, and details are not described herein again.
  • The transmission of the second uplink user plane data packet from the UE to the SGW is implemented through steps 614 to 617b, and the transmission of the second downlink user plane data packet from the SGW to the UE is implemented through steps 618a to 621.
  • Steps 614 to 617b may be performed first, or steps 618a to 621 may be performed first, or both may be performed at the same time, which is not limited herein.
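The address-based selection of IPSec on the CU-DU user plane described for FIG. 6a and FIG. 6b (steps 601 to 621), as an added example written for this page and not code from the patent or from Huawei: a small Python model in which the negotiation result selects the CU-side address, the first message and first response message carry it to the DU, and each node then decides per packet, from that address alone, whether IPSec is applied on sending or expected on receiving. The addresses, the `Node` and `Packet` types, and the fail-closed handling of unknown addresses are assumptions of the example, not part of the patent.

```python
"""Model of the negotiation-driven IPSec decision on the CU-DU user plane.
Added example; addresses and types are constructed, not taken from the patent."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed addresses (not from the patent).
CU_ENCRYPTED_ADDR = "192.0.2.1"     # second encrypted address on the CU's second interface
CU_UNENCRYPTED_ADDR = "192.0.2.2"   # second unencrypted address on the same interface
DU_ADDR = "198.51.100.1"            # DU-side user plane bearer address


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    pdcp_ciphered: bool = False   # air-interface (UE <-> CU) protection
    ipsec: bool = False           # CU <-> DU hop protection


@dataclass
class Node:
    name: str
    # CU-side address -> True if user plane packets carrying it use IPSec
    policy: Dict[str, bool] = field(default_factory=dict)

    def ipsec_for(self, cu_side_addr: str) -> bool:
        """The patent's per-packet rule: the decision depends only on the
        CU-side address. Unknown addresses fail closed (IPSec assumed);
        this default is a design choice of the example."""
        return self.policy.get(cu_side_addr, True)


def cu_first_message(pdcp_encrypted: bool) -> Dict[str, object]:
    """Steps 601/612: the negotiation result selects the CU-side address of the
    bearer; the address itself encodes whether IPSec is used on the CU-DU hop."""
    if pdcp_encrypted:   # first indication information: no IPSec on CU-DU
        return {"cu_addr": CU_UNENCRYPTED_ADDR, "ipsec": False}
    return {"cu_addr": CU_ENCRYPTED_ADDR, "ipsec": True}   # second indication


def du_first_response(du: Node, msg: Dict[str, object]) -> Dict[str, str]:
    """Steps 602/613: the DU records what the CU-side address means and replies
    with its own user plane bearer address."""
    du.policy[str(msg["cu_addr"])] = bool(msg["ipsec"])
    return {"du_addr": DU_ADDR}


def protect(sender: Node, pkt: Packet, cu_side_addr: str) -> Packet:
    """Sender: apply IPSec iff the CU-side address requires it."""
    pkt.ipsec = sender.ipsec_for(cu_side_addr)
    return pkt


def unprotect(receiver: Node, pkt: Packet, cu_side_addr: str) -> Packet:
    """Receiver: the address says whether IPSec decryption is expected. A packet
    whose protection state disagrees with the policy is rejected instead of
    forwarded (design choice of this example)."""
    if pkt.ipsec != receiver.ipsec_for(cu_side_addr):
        raise ValueError(f"{receiver.name}: protection mismatch for {cu_side_addr}")
    pkt.ipsec = False   # IPSec removed, or nothing to remove
    return pkt


def run_bearer(pdcp_encrypted: bool) -> Tuple[bool, bool, bool]:
    """Runs steps 601-611 (PDCP on) or 612-621 (PDCP off) and returns
    (IPSec used on the uplink hop, IPSec used on the downlink hop, PDCP used)."""
    cu = Node("CU", {CU_ENCRYPTED_ADDR: True, CU_UNENCRYPTED_ADDR: False})
    du = Node("DU")
    msg = cu_first_message(pdcp_encrypted)
    resp = du_first_response(du, msg)
    cu_addr, du_addr = str(msg["cu_addr"]), resp["du_addr"]

    # Uplink (steps 604-607b): UE -> DU -> CU -> SGW; the CU-side address is the destination.
    up = Packet(src=du_addr, dst=cu_addr, payload=b"uplink", pdcp_ciphered=pdcp_encrypted)
    protect(du, up, up.dst)
    uplink_ipsec = up.ipsec
    unprotect(cu, up, up.dst)
    up.pdcp_ciphered = False   # the CU removes the air-interface protection before the SGW

    # Downlink (steps 608a-611): SGW -> CU -> DU -> UE; the CU-side address is the source.
    down = Packet(src=cu_addr, dst=du_addr, payload=b"downlink", pdcp_ciphered=pdcp_encrypted)
    protect(cu, down, down.src)
    downlink_ipsec = down.ipsec
    unprotect(du, down, down.src)
    return uplink_ipsec, downlink_ipsec, pdcp_encrypted


if __name__ == "__main__":
    print("PDCP on :", run_bearer(True))    # IPSec skipped on the CU-DU hop
    print("PDCP off:", run_bearer(False))   # IPSec applied on the CU-DU hop
```

Running the module prints both negotiation outcomes. `unprotect` rejects a packet whose on-the-wire protection does not match what its address promises; in a deployment that mismatch is the event worth logging, since it is exactly where a misconfigured address would let user plane traffic cross the CU-DU hop without the protection the policy intended.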
  • FIG. 7a is another possible data encryption transmission diagram, in which the user data stream passes from the UE through the DU and the SeGW to the CU in sequence, where:
  • the air interface between the UE and the CU is encrypted to ensure the security of the user data in the wireless transmission process. It should be noted that the air interface encryption/decryption is handled by PDCP in the 3GPP protocol, so there are corresponding processing modules on the UE and the CU responsible for PDCP encryption and PDCP decryption;
  • the IPSec protocol is used for encryption between the DU and the SeGW to ensure the security of user data transmission on the backhaul network, so there are corresponding processing modules on the DU and the SeGW responsible for IPSec encryption and IPSec decryption.
  • the CU performs security negotiation with the UE to obtain a negotiation result.
  • the step 701 is similar to the step 401 in the embodiment shown in FIG. 4a, and details are not described herein again.
  • If the negotiation result indicates that the air interface between the CU and the UE is encrypted by using the PDCP protocol, steps 702-713 in FIG. 4a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not encrypted by using the PDCP protocol, steps 714-725 in FIG. 4b are performed, as follows:
  • the CU sends the first indication information to the DU.
  • The first indication information sent by the CU to the DU in step 702 is similar to the first indication information sent by the CU to the DU in step 402 in the embodiment shown in FIG. 4a, and details are not described herein again.
  • the CU sends the first indication information to the DU through the transit of the SeGW.
  • the DU sends a first response message to the CU.
  • The first response information sent by the DU to the CU in step 703 is similar to the first response information sent by the DU to the CU in step 403 in the embodiment shown in FIG. 4a, and details are not described herein again.
  • the DU sends the first response information to the CU through the transit of the SeGW.
  • the UE sends a first uplink user plane data packet to the DU.
  • the DU determines whether to encrypt the first uplink user plane data packet by using the IPSec protocol.
  • the steps 704 to 705 are similar to the steps 404 to 405 in the embodiment shown in FIG. 4a, and details are not described herein again.
  • the DU sends a first uplink user plane data packet to the SeGW.
  • the DU determines, according to the first unencrypted address, that the first uplink user plane data packet is not encrypted by using the IPSec protocol, and then sends the first uplink user plane data packet to the SeGW.
  • the SeGW determines that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
  • After receiving the first uplink user plane data packet, the SeGW determines, according to the packet format of the first uplink user plane data packet, that the first uplink user plane data packet is not to be decrypted by using the IPSec protocol.
  • the SeGW sends a first uplink user plane data packet to the CU.
  • the CU sends a first uplink user plane data packet to the SGW.
  • After the SeGW has determined that the IPSec protocol is not used to decrypt the first uplink user plane data packet, the SeGW sends the first uplink user plane data packet to the CU, so that the CU performs GTP-U tunnel decapsulation on the first uplink user plane data packet and obtains the decapsulated first uplink user plane data packet.
  • The CU performs subsequent processing on the decapsulated first uplink user plane data packet, where the subsequent processing includes: the CU uses the PDCP protocol to perform air interface decryption on the first uplink user plane data packet and, before the first uplink user plane data packet is sent to the core network, encrypts the first uplink user plane data packet again to ensure the security of the first uplink user plane data packet transmitted between the CU and the core network. The CU then sends the first uplink user plane data packet after the subsequent processing to the SGW.
  • the SGW sends a first downlink user plane data packet to the CU.
  • the CU sends the first downlink user plane data packet to the SeGW.
  • the CU receives the first downlink user plane data packet from the SGW.
  • the result of the negotiation between the CU and the UE is that the air interface between the CU and the UE needs to be encrypted by using the PDCP protocol, and the CU performs PDCP encryption processing on the first downlink data based on the negotiation result.
  • the CU uses the first non-encrypted address as the destination address of the first downlink user plane data packet to complete the encapsulation of the GTP-U tunnel, and sends the encapsulated first downlink user plane data packet to the SeGW.
  • the SeGW determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
  • the SeGW sends the first downlink user plane data packet to the DU.
  • After receiving the first downlink user plane data packet, the SeGW obtains the first non-encrypted address of the first downlink user plane data packet, determines, according to the first non-encrypted address, that the IPSec protocol is not used to encrypt the first downlink user plane data packet, and directly sends the first downlink user plane data packet to the DU.
  • the DU determines whether to decrypt the first downlink user plane data packet by using the IPSec protocol.
  • the DU sends a first downlink user plane data packet to the UE.
  • After receiving the first downlink user plane data packet, the DU determines whether to use the IPSec protocol to decrypt the first downlink user plane data packet, and then performs the decapsulation of the GTP-U tunnel. Specifically, the DU determines, from the format of the first downlink user plane data packet, that the first downlink user plane data packet is not to be decrypted by using the IPSec protocol, so the GTP-U tunnel is directly decapsulated for the first downlink user plane data packet and the decapsulated first downlink user plane data packet is obtained.
  • Performing subsequent processing on the decapsulated first downlink user plane data packet includes: sending the first downlink user plane data packet to the UE through the air interface, so that the UE uses the PDCP protocol to decrypt the first downlink user plane data packet and obtains the decrypted first downlink user plane data packet.
  • the first uplink user plane data packet is transmitted from the UE to the SGW through steps 704 to 708b, and the first downlink user plane data packet is implemented from the SGW to the UE through steps 709a to 713.
  • steps 704 to 708b may be performed first, or steps 709a to 713 may be performed first, or may be performed at the same time, which is not limited herein.
  • FIG. 7c specifically includes:
  • the CU sends the second indication information to the DU.
  • The second indication information sent by the CU to the DU in step 714 is similar to the second indication information sent by the CU to the DU in step 412 in the embodiment shown in FIG. 4a, and details are not described herein again.
  • the CU sends the second indication information to the DU through the transit of the SeGW.
  • the DU sends a second response message to the CU.
  • The second response information sent by the DU to the CU in step 715 is similar to the second response information sent by the DU to the CU in step 413 in the embodiment shown in FIG. 4a, and details are not described herein again.
  • the DU sends the second response information to the CU through the transit of the SeGW.
  • the UE sends a second uplink user plane data packet to the DU.
  • the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
  • the steps 716 to 717 are similar to the steps 414 to 415 in the embodiment shown in FIG. 4b, and details are not described herein again.
  • the DU sends a second uplink user plane data packet to the SeGW.
  • After the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol, the DU encrypts the second uplink user plane data packet by using the IPSec protocol to obtain the IPSec-encrypted second uplink user plane data packet, and sends the encrypted second uplink user plane data packet to the SeGW.
  • the SeGW determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
  • After receiving the second uplink user plane data packet, the SeGW obtains the source address of the second uplink user plane data packet as the first encrypted address, and determines that the second uplink user plane data packet needs to be decrypted by using the IPSec protocol.
  • the SeGW sends a second uplink user plane data packet to the CU.
  • the CU sends a second uplink user plane data packet to the SGW.
  • The SeGW decrypts the second uplink user plane data packet by using the IPSec protocol to obtain the decrypted second uplink user plane data packet, and then sends the decrypted second uplink user plane data packet to the CU, so that the CU performs GTP-U tunnel decapsulation on the second uplink user plane data packet and obtains the decapsulated second uplink user plane data packet.
  • The CU performs subsequent processing on the decapsulated second uplink user plane data packet, where the subsequent processing may include: before sending the decapsulated second uplink user plane data packet to the core network, encrypting the decapsulated second uplink user plane data packet to ensure the security of the second uplink user plane data packet transmitted between the CU and the core network.
  • the SGW sends a second downlink user plane data packet to the CU.
  • the CU sends a second downlink user plane data packet to the SeGW.
  • the CU receives the second downlink user plane data packet from the core network.
  • the CU determines, according to the negotiation result, that the second downlink user plane data packet is encrypted without using the PDCP protocol.
  • the CU uses the first encrypted address as the destination address of the second downlink user plane data packet to complete the encapsulation of the GTP-U tunnel, and sends the encapsulated second downlink user plane data packet to the SeGW.
  • the SeGW determines to encrypt the second downlink user plane data packet by using the IPSec protocol.
  • After receiving the second downlink user plane data packet sent by the CU, the SeGW obtains the destination address of the second downlink user plane data packet as the first encrypted address, and determines, according to the first encrypted address, that the IPSec protocol is used to encrypt the second downlink user plane data packet.
  • the SeGW sends a second downlink user plane data packet to the DU.
  • After the SeGW determines to encrypt the second downlink user plane data packet by using the IPSec protocol, the SeGW encrypts the second downlink user plane data packet by using the IPSec protocol to obtain the encrypted second downlink user plane data packet, and sends the encrypted second downlink user plane data packet to the DU.
  • the DU determines to decrypt the second downlink user plane data packet by using the IPSec protocol.
  • the DU sends a second downlink user plane data packet to the UE.
  • After receiving the second downlink user plane data packet encrypted by the IPSec protocol, the DU decrypts the second downlink user plane data packet by using the IPSec protocol, and then decapsulates the GTP-U tunnel to obtain the decapsulated second downlink user plane data packet.
  • the DU performs subsequent processing on the decapsulated second downlink user plane data packet.
  • the subsequent processing includes: sending the second downlink user plane data packet to the UE by using the air interface, and the UE does not need to use the PDCP protocol to decrypt the second downlink user plane data packet.
  • the transmission of the second uplink data from the UE to the SGW is implemented through steps 716 to 720b, and the transmission of the second downlink data from the SGW to the UE is implemented through steps 721a to 725.
  • steps 716 to 720b may be performed first, or steps 721a to 725 may be performed first, or may be performed at the same time, which is not limited herein.
  • Whether IPSec encryption/decryption is performed between the DU and the SeGW may thus be flexibly determined according to whether the UE air interface uses PDCP encryption, thereby reducing CPU resource consumption and cost.
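The SeGW's two decisions in FIG. 7b and FIG. 7c (uplink by packet format, steps 707 and 719; downlink by the destination address the CU placed on the GTP-U tunnel, steps 710 and 722), as an added example that is not code from the patent or from Huawei: it builds minimal IPv4 packets of the two on-the-wire shapes, plain GTP-U over UDP (port 2152) and ESP (IP protocol 50), classifies a packet from its header fields only, and applies the address policy. The DU and CU addresses, the `SEGW_POLICY` table and the decision strings are constructed for the example; the protocol numbers are the standard ones.

```python
"""SeGW classification of user plane packets by format and by address.
Added example; addresses and policy table are constructed, not from the patent."""
import ipaddress
import struct

ESP = 50          # IP protocol number of ESP (IPSec)
UDP = 17          # IP protocol number of UDP
GTPU_PORT = 2152  # UDP port of GTP-U

# Constructed addresses for the DU's first interface and the CU (not from the patent).
DU_FIRST_ENCRYPTED_ADDR = "198.51.100.1"    # traffic carrying this address uses IPSec
DU_FIRST_UNENCRYPTED_ADDR = "198.51.100.2"  # traffic carrying this address does not
CU_ADDR = "192.0.2.1"

# What the SeGW knows about each DU-side address (learned from the
# indication / response exchange in steps 702/703 and 714/715).
SEGW_POLICY = {DU_FIRST_ENCRYPTED_ADDR: True, DU_FIRST_UNENCRYPTED_ADDR: False}


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at zero; never sent on a wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def gtpu_packet(src: str, dst: str, teid: int, inner: bytes) -> bytes:
    """Plain GTP-U over UDP: the shape of a user plane packet sent without IPSec."""
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid) + inner  # G-PDU header
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp), 0) + gtp
    return ipv4_header(src, dst, UDP, len(udp)) + udp


def esp_packet(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP-encapsulated packet: only SPI and sequence number are visible to a classifier."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(src, dst, ESP, len(esp)) + esp


def classify(packet: bytes):
    """Return (src, dst, kind); kind is 'esp', 'gtpu' or 'other', read from headers only."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if proto == ESP:
        return src, dst, "esp"
    if proto == UDP and len(packet) >= ihl + 8:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if dport == GTPU_PORT:
            return src, dst, "gtpu"
    return src, dst, "other"


def segw_uplink(packet: bytes) -> str:
    """Uplink (DU -> SeGW -> CU): decide from the packet format, cross-checked
    against the policy bound to the DU source address."""
    src, _dst, kind = classify(packet)
    wants_ipsec = SEGW_POLICY.get(src)
    if wants_ipsec is None:
        return "drop: unknown DU address"
    if kind == "esp" and wants_ipsec:
        return "decrypt with IPSec, then forward to CU"
    if kind == "gtpu" and not wants_ipsec:
        return "forward to CU without IPSec decryption"
    return "drop: packet format disagrees with address policy"


def segw_downlink(packet: bytes) -> str:
    """Downlink (CU -> SeGW -> DU): decide from the destination address the CU
    put on the GTP-U tunnel."""
    _src, dst, kind = classify(packet)
    if kind != "gtpu":
        return "drop: expected plain GTP-U from the CU"
    wants_ipsec = SEGW_POLICY.get(dst)
    if wants_ipsec is None:
        return "drop: unknown DU address"
    if wants_ipsec:
        return "encrypt with IPSec, then forward to DU"
    return "forward to DU without IPSec encryption"
```

The uplink path deliberately checks both signals: the format says what arrived, the address says what was agreed. Treating a disagreement as a drop, rather than trusting the format alone, keeps a plain GTP-U packet from a DU address that was negotiated for IPSec from being forwarded as if it were legitimate.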
  • an embodiment of the method in the scenario 5 of the embodiment of the present application includes:
  • the CU performs security negotiation with the UE to obtain a negotiation result.
  • If the negotiation result indicates that the air interface between the CU and the UE is encrypted by using the PDCP protocol, steps 802-813 in FIG. 8a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not encrypted by using the PDCP protocol, steps 814-825 in FIG. 8b are performed. The details are as follows:
  • the CU sends the first indication information to the DU.
  • the DU sends a first response message to the CU.
  • the UE sends a first uplink user plane data packet to the DU.
  • the steps 801 to 804 are similar to the steps 701 to 704 shown in FIG. 7b, and details are not described herein again.
  • the DU determines whether to encrypt the first uplink user plane data packet by using the IPSec protocol.
  • the step 805 is similar to the step 505 shown in FIG. 5a, and details are not described herein again.
  • the DU sends a first uplink user plane data packet to the SeGW.
  • the step 806 is similar to the step 706 shown in FIG. 7b, and details are not described herein again.
  • the SeGW determines that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
  • the SeGW may determine, according to the format of the first uplink user plane data packet, that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
  • the SeGW sends a first uplink user plane data packet to the CU.
  • the CU sends a first uplink user plane data packet to the SGW.
  • the SGW sends the first downlink user plane data packet to the CU.
  • the CU sends the first downlink user plane data packet to the SeGW.
  • the SeGW determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
  • the SeGW sends a first downlink user plane data packet to the DU.
  • the DU determines whether to decrypt the first downlink user plane data packet by using the IPSec protocol.
  • the DU sends a first downlink user plane data packet to the UE.
  • the steps 808a to 813 are similar to the steps 708a to 713 shown in FIG. 7b, and are not limited herein.
  • the CU sends the second indication information to the DU.
  • the DU sends a second response message to the CU.
  • the UE sends a second uplink user plane data packet to the DU.
  • the steps 814 to 816 are similar to the steps 714 to 716 shown in FIG. 7c, which are not limited herein.
  • the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
  • the step 817 is similar to the step 515 shown in FIG. 5b, and details are not described herein again.
  • the DU sends a second uplink user plane data packet to the SeGW.
  • the step 818 is similar to the step 718 shown in FIG. 7c, which is not limited herein.
  • the SeGW determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
  • After receiving the second uplink user plane data packet, the SeGW obtains the destination address of the second uplink user plane data packet as the second encrypted address, determines the format of the second uplink user plane data packet, and decrypts the second uplink user plane data packet by using the IPSec protocol.
  • the SeGW sends a second uplink user plane data packet to the CU.
  • the CU sends a second uplink user plane data packet to the SGW.
  • the SGW sends a second downlink user plane data packet to the CU.
  • the CU sends a second downlink user plane data packet to the SeGW.
  • the SeGW determines to encrypt the second downlink user plane data packet by using the IPSec protocol.
  • the SeGW sends a second downlink user plane data packet to the DU.
  • the DU determines to use the IPSec protocol to decrypt the second downlink user plane data packet.
  • the DU sends a second downlink user plane data packet to the UE.
  • the steps 820a to 825 are similar to the steps 720a to 725 shown in FIG. 7c, which are not limited herein.
  • The second interface on the CU side may be configured with the second encrypted address and the second unencrypted address to distinguish whether IPSec encryption is required for the user plane data stream, which adds an achievable manner of the embodiment of the present application.
  • an embodiment of the method in the scenario 6 of the embodiment of the present application includes:
  • the CU performs security negotiation with the UE to obtain a negotiation result.
  • If the negotiation result indicates that the air interface between the CU and the UE is encrypted by using the PDCP protocol, steps 902-913 in FIG. 9a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not encrypted by using the PDCP protocol, steps 914-925 in FIG. 9b are performed. The details are as follows:
  • the CU sends the first indication information to the DU.
  • the DU sends a first response message to the CU.
  • the UE sends a first uplink user plane data packet to the DU.
  • the DU determines whether to encrypt the first uplink user plane data packet by using the IPSec protocol.
  • the steps 901 to 905 are similar to the steps 601 to 605 shown in FIG. 6a, and details are not described herein again.
  • the DU sends a first uplink user plane data packet to the SeGW.
  • the SeGW determines that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
  • the SeGW sends a first uplink user plane data packet to the CU.
  • the CU sends a first uplink user plane data packet to the SGW.
  • the steps 906 to 908b are similar to the steps 806 to 808b shown in FIG. 8a, and details are not described herein again.
  • the SGW sends a first downlink user plane data packet to the CU.
  • the CU sends the first downlink user plane data packet to the SeGW.
  • When the SGW needs to send the first downlink user plane data packet to the UE through the CU and the DU, the CU receives the first downlink user plane data packet from the core network. If the result of the negotiation between the CU and the UE is that the air interface between the CU and the UE needs to be encrypted by using the PDCP protocol, the CU needs to perform PDCP encryption processing on the first downlink data.
  • The CU uses the second unencrypted address as the source address of the first downlink user plane data packet to complete the encapsulation of the GTP-U tunnel, and directly sends the encapsulated first downlink user plane data packet, carrying the second unencrypted address, to the SeGW.
  • the SeGW determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
  • The manner in which the SeGW determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol is similar to the manner in which the CU determines, in step 608 of FIG. 6a, that the IPSec protocol is not used to encrypt the first downlink user plane data packet, and details are not described herein again.
  • the SeGW sends the first downlink user plane data packet to the DU.
  • The SeGW determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol, and directly sends the first downlink user plane data packet to the DU.
  • the DU determines whether to decrypt the first downlink user plane data packet by using the IPSec protocol.
  • the DU sends a first downlink user plane data packet to the UE.
  • the steps 912 to 913 are similar to the steps 610 to 611 shown in FIG. 6a, and details are not described herein again.
  • FIG. 9b specifically includes:
  • the CU sends the second indication information to the DU.
  • the DU sends a second response message to the CU.
  • the UE sends a second uplink user plane data packet to the DU.
  • the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
  • the steps 914 to 917 are similar to the steps 612 to 615 shown in FIG. 6b, and details are not described herein again.
  • the DU sends a second uplink user plane data packet to the SeGW.
  • the SeGW determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
  • the SeGW sends a second uplink user plane data packet to the CU.
  • the CU sends a second uplink user plane data packet to the SGW.
  • the steps 918 to 920b are similar to the steps 818 to 820b shown in FIG. 8b, and details are not described herein again.
  • the SGW sends a second downlink user plane data packet to the CU.
  • the CU sends a second downlink user plane data packet to the SeGW.
  • the step 921a is similar to the step 821a shown in FIG. 8b, and details are not described herein again.
  • the manner in which the CU sends the second downlink user plane data packet to the SeGW in step 921b is similar to the manner in which the CU sends the second downlink user plane data packet to the DU in the step 619 shown in FIG. 6b, and details are not described herein again.
  • the SeGW determines to use the IPSec protocol to encrypt the second downlink user plane data packet.
  • The manner in which the SeGW determines to encrypt the second downlink user plane data packet by using the IPSec protocol is similar to the manner in which the CU determines, in step 618 shown in FIG. 6b, to encrypt the second downlink user plane data packet by using the IPSec protocol, and details are not described herein again.
  • the SeGW sends a second downlink user plane data packet to the DU.
  • the SeGW determines to use the IPSec protocol to encrypt the second downlink user plane data packet, and then sends the encrypted second downlink user plane data packet to the DU.
  • the DU determines to decrypt the second downlink user plane data packet by using the IPSec protocol.
  • the DU sends a second downlink user plane data packet to the UE.
  • the steps 924 to 925 are similar to the steps 824 to 825 shown in FIG. 8b, and are not limited herein.
  • The second encrypted address and the second unencrypted address may be configured on the second interface on the CU side to distinguish whether IPSec encryption is required for the user plane data stream, which adds an achievable manner of the embodiment of the present application.
  • The information transmission method in the embodiment of the present application is described above. The following describes the central unit in the embodiment of the present application.
  • The central unit may perform the operations of the CU in the foregoing method embodiment, and the CU includes:
  • the first transceiver unit 1001 is configured to perform security negotiation with the user equipment (UE) to obtain a negotiation result, where the negotiation result is used to indicate whether an air interface between the CU and the UE is encrypted by using the Packet Data Convergence Protocol (PDCP);
  • the second transceiver unit 1002 is configured to send a first message to the distributed unit DU.
  • When the negotiation result indicates that the air interface is encrypted by using the PDCP protocol, the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security (IPSec) protocol.
  • The DU is provided with a first interface, where the first interface is an interface for the DU to perform user plane communication with the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, where the first encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol, and the first non-encrypted address is used to indicate that the user plane data packet is not encrypted/decrypted using the IPSec protocol;
  • the second transceiver unit 1002 is further configured to:
  • the CU further includes:
  • the processing unit 1003 is configured to encrypt the downlink user plane data packet by using the PDCP protocol, and set the destination address of the downlink user plane data packet to the first unencrypted address;
  • the determining unit 1004 is configured to determine, according to the first unencrypted address, that the downlink user plane data packet is not encrypted by using the IPSec protocol;
  • the second transceiver unit 1002 is further configured to send the downlink user plane data packet to the DU.
  • the first message is used to indicate that the user plane bearer is encrypted by using the IPSec protocol.
  • the first response message is used to indicate that the address carried by the user plane on the DU end is the first encrypted address.
  • When the negotiation result indicates that the air interface is encrypted by using the PDCP protocol, and the communication between the CU and the DU passes through a security gateway (SeGW), the CU further includes:
  • the processing unit 1003 is further configured to: encrypt, by using the PDCP protocol, a downlink user plane data packet; and set a destination address of the downlink user plane data packet to the first unencrypted address;
  • the third transceiver unit 1005 is configured to send the downlink user plane data packet to the SeGW.
  • The CU has a second interface, where the second interface is an interface for the CU to perform user plane communication with the DU; the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol, and the second unencrypted address is used to indicate that the user plane data packet is not encrypted/decrypted using the IPSec protocol.
  • the distributed unit may perform the operation of the DU in the foregoing method embodiment, where the DU includes:
  • the first transceiver unit 1101 is configured to receive a first message sent by the CU when the air interface between the central unit (CU) and the user equipment (UE) is encrypted by using the Packet Data Convergence Protocol (PDCP), where the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security (IPSec) protocol.
  • The DU is provided with a first interface, where the first interface is an interface for the DU to perform user plane communication with the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, where the first encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol, and the first non-encrypted address is used to indicate that the user plane data packet is not encrypted/decrypted using the IPSec protocol;
  • the first transceiver unit 1101 is further configured to:
  • When the air interface is encrypted by using the PDCP protocol, the DU further includes:
  • the second transceiver unit 1103 is further configured to receive an uplink user plane data packet sent by the UE.
  • the processing unit 1104 is configured to: set a source address of the uplink user plane data packet to the first unencrypted address;
  • the determining unit 1102 is configured to determine, according to the first unencrypted address, that the uplink user plane data packet is not encrypted by using the IPSec protocol;
  • the first transceiver unit 1101 is further configured to send the uplink user plane data packet to the CU.
  • the DU when the air interface is encrypted by using the PDCP protocol, and the communication between the DU and the CU passes through the SeGW, the DU further includes:
  • the second transceiver unit 1103 is further configured to receive an uplink user plane data packet sent by the UE;
  • the processing unit 1104 is further configured to: set a source address of the uplink user plane data packet to the first unencrypted address;
  • the determining unit 1102 is further configured to: determine, according to the first unencrypted address, that the uplink user plane data packet is encrypted by using the IPSec protocol;
  • the third transceiver unit 1105 is configured to send the uplink user plane data packet to the SeGW.
  • the CU has a second interface, where the second interface is an interface for the CU to perform user plane communication with the DU; and the second interface is configured with a second encryption.
  • An address and a second unencrypted address where the second encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol; and the second non-encrypted address is used to indicate that the IPSec protocol is not used.
  • the DU further includes:
  • the second transceiver unit 1103 is further configured to receive an uplink user plane data packet sent by the UE.
  • the processing unit 1104 is further configured to set a destination address of the uplink user plane data packet to the second unencrypted address;
  • the determining unit 1102 is further configured to: determine, according to the second unencrypted address, that the uplink user plane data packet is encrypted by using the IPSec protocol;
  • the first transceiver unit 1101 is further configured to send the uplink user plane data packet to the CU.
  • the CU and the DU in the embodiments of this application are described above from the perspective of modular functional entities; the CU and the DU in the embodiments of this application are described in detail below from the perspective of the hardware that implements them.
  • Figure 12 shows a possible schematic diagram of a communication device.
  • the communication device 1200 includes a processing unit 1202 and a communication unit 1203.
  • the processing unit 1202 is configured to control and manage the operation of the communication device.
  • the communication device 1200 can also include a storage unit 1201 for storing program codes and data required by the communication device.
  • the communication device can be the CU described above.
  • the processing unit 1202 is configured to support the CU to perform step 401, step 407a and step 408b in FIG. 4a; step 401, step 417a and step 418b in FIG. 4b; step 501, step 507a and step 508b in FIG. 5a; step 501, step 517a and step 518b in FIG. 5b; step 601, step 607a and step 608b in FIG. 6a; step 601, step 617a and step 618b in FIG. 6b; and/or other processes for the techniques described herein.
  • the communication unit 1203 is configured to support communication between the CU and other devices.
  • the communication unit 1203 is configured to support the CU to perform steps 402 to 403, step 406, step 407b, step 408a and step 409 in FIG. 4a; steps 412 to 413, step 416, step 417b, step 418a and step 419 in FIG. 4b; steps 502 to 503, step 506, step 507b, step 508a and step 509 in FIG. 5a; steps 512 to 513, step 516, step 517b, step 518a and step 519 in FIG. 5b; steps 602 to 603, step 606, step 607b, step 608a and step 609 in FIG. 6a; and steps 612 to 613, step 616, step 617b, step 618a and step 619 in FIG. 6b.
  • the communication device can be the DU described above.
  • the processing unit 1202 is configured to support the DU to perform step 405 and step 410 in FIG. 4a; step 415 and step 420 in FIG. 4b; step 505 and step 510 in FIG. 5a; step 515 and step 520 in FIG. 5b; step 605 and step 610 in FIG. 6a; step 615 and step 620 in FIG. 6b; step 705 and step 712 in FIG. 7b; step 717 and step 724 in FIG. 7c; step 805 and step 812 in FIG. 8a; step 817 and step 824 in FIG. 8b; step 905 and step 912 in FIG. 9a; step 917 and step 924 in FIG. 9b; and/or other processes for the techniques described herein.
  • the communication unit 1203 is configured to support communication of the DU with other devices.
  • the communication unit 1203 is configured to support the DU to perform steps 402 to 404, step 406, step 409, and step 411 in FIG. 4a, steps 412 to 414 in FIG. 4b.
  • the processing unit 1202 may be a processor or a controller, for example, a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor can also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 1203 may be a communication interface, a transceiver, a transceiver circuit, etc., wherein the communication interface is a collective name and may include one or more interfaces, such as a transceiver interface.
  • the storage unit 1201 may be a memory.
  • when the processing unit 1202 is a processor, the communication unit 1203 is a communication interface, and the storage unit 1201 is a memory, as shown in FIG. 13, the communication device 1310 includes a processor 1312, a communication interface 1313, and a memory 1311. Optionally, the communication device 1310 may further include a bus 1314.
  • the communication interface 1313, the processor 1312, and the memory 1311 may be connected to each other through the bus 1314; the bus 1314 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like.
  • the bus 1314 may be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 13, but this does not mean that there is only one bus or only one type of bus.
  • in an embodiment, the communication device 1310 may be used to perform the steps of the CU described above. In another embodiment, the communication device 1310 may be used to perform the steps of the DU described above. Details are not described herein again.
  • the embodiment of the present application further provides a system, as shown in FIG. 14 , which is a schematic structural diagram of a possible system provided by the present application.
  • the system may include one or more central processing units 1422 and a memory 1432, and one or more storage media 1430 storing an application 1442 or data 1444 (for example, one or more mass storage devices).
  • the memory 1432 and the storage medium 1430 may be transitory storage or persistent storage.
  • Programs stored on storage medium 1430 may include one or more modules (not shown), each of which may include a series of instruction operations in the system.
  • central processor 1422 can be configured to communicate with storage medium 1430, executing a series of instruction operations in storage medium 1430 on system 1400.
  • System 1400 can also include one or more power sources 1426, one or more wired or wireless network interfaces 1450, one or more input and output interfaces 1458, and/or one or more operating systems 1441, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
  • the computer program product includes one or more computer instructions.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • the computer instructions may be stored in a computer readable storage medium or transferred from one computer readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fibre, or digital subscriber line (DSL)) or wireless means (for example, infrared, radio, or microwave).
  • the computer readable storage medium can be any available media that can be stored by a computer or a data storage device such as a server, data center, or the like that includes one or more available media.
  • the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (such as a solid state disk (SSD)) or the like.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the computer readable storage medium includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application.
  • the foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

Disclosed are an information transmission method and a related device, used to reduce CPU resource consumption and cost while ensuring data security. The method of the embodiments of the present application comprises: a central unit (CU) performing security negotiation with a user equipment (UE) to obtain a negotiation result, wherein the negotiation result indicates whether the air interface between the CU and the UE is encrypted using the packet data convergence protocol (PDCP); and the CU sending a first message to a distributed unit (DU), wherein, when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message indicates that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security (IPSec) protocol.

Description

Information transmission method and related device
This application claims priority to Chinese Patent Application No. 201810391847.5, filed with the Chinese Patent Office on April 26, 2018 and entitled "Information transmission method and related device", which is incorporated herein by reference in its entirety.
Technical field
This application relates to the field of wireless communications technologies, and in particular, to an information transmission method and a related device.
Background
When uplink data sent by a user equipment (UE) is delivered to the core network through a base station (eNodeB, eNB), the uplink data undergoes the following encryption/decryption process, shown in FIG. 1 as a possible encryption diagram of an existing base station: 1. the UE performs air interface encryption on the uplink data to protect it during radio transmission; 2. after receiving the uplink data sent by the UE, the eNB decrypts the uplink data and, before sending the decrypted uplink data to the core network, encrypts it again to protect it during transmission over the backhaul network. Similarly, downlink data sent from the core network to the UE also undergoes two encryption/decryption processes.
In the prior art, a conventional eNB node may be split into one central unit (CU) and multiple distributed units (DU), and communication between the CU and the DUs crosses the backhaul network. To secure CU-DU communication, Internet Protocol Security (IPSec) is introduced; correspondingly, to secure data in transit between the CU and the DU, the data must be IPSec encrypted/decrypted during that transmission.
However, in the prior art, IPSec encryption/decryption consumes a large amount of CPU resources, which increases cost.
Summary
Embodiments of this application provide an information transmission method and a related device, which reduce CPU resource consumption and cost while ensuring data security.
A first aspect of the embodiments of this application provides an information transmission method, including: a central unit CU performs security negotiation with a user equipment UE to obtain a negotiation result, where the negotiation result indicates whether the air interface between the CU and the UE is encrypted by using the packet data convergence protocol PDCP; the CU sends a first message to a distributed unit DU; and when the negotiation result indicates that the air interface is encrypted by using the PDCP protocol, the first message indicates that the user plane bearer between the CU and the DU is not encrypted by using the Internet Protocol Security IPSec protocol.
In a possible design, in a first implementation manner of the first aspect of the embodiments of this application, the DU has a first interface, where the first interface is the interface over which the DU performs user plane communication with the CU; the first interface is configured with a first encrypted address and a first unencrypted address, where the first encrypted address indicates that user plane data packets are encrypted/decrypted by using the IPSec protocol, and the first unencrypted address indicates that user plane data packets are not encrypted/decrypted by using the IPSec protocol; and after the CU sends the first message to the DU, the method further includes: the CU receives a first response message sent by the DU, where the first response message indicates that the address of the user plane bearer at the DU end is the first unencrypted address.
In a possible design, in a second implementation manner of the first aspect of the embodiments of this application, after the CU receives the first response message sent by the DU, the method further includes: the CU encrypts a downlink user plane data packet by using the PDCP protocol; the CU sets the destination address of the downlink user plane data packet to the first unencrypted address; the CU determines, according to the first unencrypted address, not to encrypt the downlink user plane data packet by using the IPSec protocol; and the CU sends the downlink user plane data packet to the DU.
In a possible design, in a third implementation manner of the first aspect of the embodiments of this application, when the negotiation result indicates that the air interface is not encrypted by using the PDCP protocol, the first message indicates that the user plane bearer is encrypted by using the IPSec protocol, and the first response message indicates that the address of the user plane bearer at the DU end is the first encrypted address.
In a possible design, in a fourth implementation manner of the first aspect of the embodiments of this application, when the negotiation result indicates that the air interface is not encrypted by using the PDCP protocol, the method further includes: the CU sets the destination address of a downlink user plane data packet to the first encrypted address; the CU determines, according to the first encrypted address, to encrypt the downlink user plane data packet by using the IPSec protocol, to obtain an encrypted downlink user plane data packet; and the CU sends the encrypted downlink user plane data packet to the DU.
In a possible design, in a fifth implementation manner of the first aspect of the embodiments of this application, when the negotiation result indicates that the air interface is encrypted by using the PDCP protocol and the communication between the CU and the DU passes through a security gateway SeGW, the method further includes: the CU encrypts a downlink user plane data packet by using the PDCP protocol; the CU sets the destination address of the downlink user plane data packet to the first unencrypted address; and the CU sends the downlink user plane data packet to the SeGW.
In a possible design, in a sixth implementation manner of the first aspect of the embodiments of this application, when the negotiation result indicates that the air interface is not encrypted by using the PDCP protocol and the communication between the CU and the DU passes through the SeGW, the method further includes: the CU sets the destination address of a downlink user plane data packet to the first encrypted address; and the CU sends the downlink user plane data packet to the SeGW.
In a possible design, in a seventh implementation manner of the first aspect of the embodiments of this application, the CU has a second interface, where the second interface is the interface over which the CU performs user plane communication with the DU; the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address indicates that user plane data packets are encrypted/decrypted by using the IPSec protocol, and the second unencrypted address indicates that user plane data packets are not encrypted/decrypted by using the IPSec protocol.
In a possible design, in an eighth implementation manner of the first aspect of the embodiments of this application, when the negotiation result indicates that the air interface is not encrypted by using the PDCP protocol, the first message carries the second encrypted address.
In a possible design, in a ninth implementation manner of the first aspect of the embodiments of this application, when the negotiation result indicates that the air interface is encrypted by using the PDCP protocol, the first message carries the second unencrypted address.
In a possible design, in a tenth implementation manner of the first aspect of the embodiments of this application, the method further includes: the CU receives a target user plane data packet; when the protocol port number used by the target user plane data packet falls within a first interval, the CU determines to encrypt/decrypt the target user plane data packet by using the IPSec protocol, and when the protocol port number used by the target user plane data packet falls within a second interval, the CU determines not to encrypt/decrypt the target user plane data packet by using the IPSec protocol; or, when the protocol used by the target user plane data packet is a first protocol, the CU determines to encrypt/decrypt the target user plane data packet by using the IPSec protocol, and when the protocol used by the target user plane data packet is a second protocol, the CU determines not to encrypt/decrypt the target user plane data packet by using the IPSec protocol.
A second aspect of the embodiments of this application provides an information transmission method, including: when the air interface between a central unit CU and a user equipment UE is encrypted by using the packet data convergence protocol PDCP, a distributed unit DU receives a first message sent by the CU, where the first message indicates that the user plane bearer between the CU and the DU is not encrypted by using the Internet Protocol Security IPSec protocol.
In a possible design, in a first implementation manner of the second aspect of the embodiments of this application, the DU has a first interface, where the first interface is the interface over which the DU performs user plane communication with the CU; the first interface is configured with a first encrypted address and a first unencrypted address, where the first encrypted address indicates that user plane data packets are encrypted/decrypted by using the IPSec protocol, and the first unencrypted address indicates that user plane data packets are not encrypted/decrypted by using the IPSec protocol; and when the air interface is encrypted by using the PDCP protocol, the method further includes: the DU sends a first response message to the CU, where the first response message indicates that the address of the user plane bearer at the DU end is the first unencrypted address.
In a possible design, in a second implementation manner of the second aspect of the embodiments of this application, when the air interface is encrypted by using the PDCP protocol, the method further includes: the DU receives an uplink user plane data packet sent by the UE; the DU sets the source address of the uplink user plane data packet to the first unencrypted address; the DU determines, according to the first unencrypted address, not to encrypt the uplink user plane data packet by using the IPSec protocol; and the DU sends the uplink user plane data packet to the CU.
In a possible design, in a third implementation manner of the second aspect of the embodiments of this application, when the air interface is not encrypted by using the PDCP protocol, the first message indicates that the user plane bearer is encrypted by using the IPSec protocol, and the first response message indicates that the address of the user plane bearer at the DU end is the first encrypted address.
In a possible design, in a fourth implementation manner of the second aspect of the embodiments of this application, when the air interface is not encrypted by using the PDCP protocol, the method further includes: the DU receives an uplink user plane data packet sent by the UE; the DU sets the source address of the uplink user plane data packet to the first encrypted address; the DU determines, according to the first encrypted address, to encrypt the uplink user plane data packet by using the IPSec protocol, to obtain an encrypted uplink user plane data packet; and the DU sends the encrypted uplink user plane data packet to the CU.
In a possible design, in a fifth implementation manner of the second aspect of the embodiments of this application, when the air interface is encrypted by using the PDCP protocol and the communication between the DU and the CU passes through a SeGW, the method further includes: the DU receives an uplink user plane data packet sent by the UE; the DU sets the source address of the uplink user plane data packet to the first unencrypted address; the DU determines, according to the first unencrypted address, not to encrypt the uplink user plane data packet by using the IPSec protocol; and the DU sends the uplink user plane data packet to the SeGW.
In a possible design, in a sixth implementation manner of the second aspect of the embodiments of this application, when the air interface is not encrypted by using the PDCP protocol and the communication between the DU and the CU passes through the SeGW, the method further includes: the DU receives an uplink user plane data packet sent by the UE; the DU sets the source address of the uplink user plane data packet to the first encrypted address; the DU determines, according to the first encrypted address, to encrypt the uplink user plane data packet by using the IPSec protocol, to obtain an encrypted uplink user plane data packet; and the DU sends the encrypted uplink user plane data packet to the SeGW.
In a possible design, in a seventh implementation manner of the second aspect of the embodiments of this application, the CU has a second interface, where the second interface is the interface over which the CU performs user plane communication with the DU; the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address indicates that user plane data packets are encrypted/decrypted by using the IPSec protocol, and the second unencrypted address indicates that user plane data packets are not encrypted/decrypted by using the IPSec protocol.
In a possible design, in an eighth implementation manner of the second aspect of the embodiments of this application, when the air interface is encrypted by using the PDCP protocol, the first message carries the second unencrypted address.
In a possible design, in a ninth implementation manner of the second aspect of the embodiments of this application, when the air interface is not encrypted by using the PDCP protocol, the first message carries the second encrypted address.
In a possible design, in a tenth implementation manner of the second aspect of the embodiments of this application, when the air interface is encrypted by using the PDCP protocol, the method further includes: the DU receives an uplink user plane data packet sent by the UE; the DU sets the destination address of the uplink user plane data packet to the second unencrypted address; the DU determines, according to the second unencrypted address, not to encrypt the uplink user plane data packet by using the IPSec protocol; and the DU sends the uplink user plane data packet to the CU.
In a possible design, in an eleventh implementation manner of the second aspect of the embodiments of this application, when the air interface is not encrypted by using the PDCP protocol, the method further includes: the DU receives an uplink user plane data packet sent by the UE; the DU sets the destination address of the uplink user plane data packet to the second encrypted address; the DU determines, according to the second encrypted address, to encrypt the uplink user plane data packet by using the IPSec protocol, to obtain an encrypted uplink user plane data packet; and the DU sends the encrypted uplink user plane data packet to the CU.
In a possible design, in a twelfth implementation manner of the second aspect of the embodiments of this application, when the air interface is encrypted by using the PDCP protocol and the communication between the DU and the CU passes through the SeGW, the method further includes: the DU receives an uplink user plane data packet sent by the UE; the DU sets the destination address of the uplink user plane data packet to the second unencrypted address; the DU determines, according to the second unencrypted address, not to encrypt the uplink user plane data packet by using the IPSec protocol; and the DU sends the uplink user plane data packet to the SeGW.
In a possible design, in a thirteenth implementation manner of the second aspect of the embodiments of this application, when the air interface is not encrypted by using the PDCP protocol and the communication between the DU and the CU passes through the SeGW, the method further includes: the DU receives an uplink user plane data packet sent by the UE; the DU sets the destination address of the uplink user plane data packet to the second encrypted address; the DU determines, according to the second encrypted address, to encrypt the uplink user plane data packet by using the IPSec protocol, to obtain an encrypted uplink user plane data packet; and the DU sends the encrypted uplink user plane data packet to the SeGW.
A third aspect of the embodiments of the present application provides a central unit CU, including: a first transceiver unit, configured to perform security negotiation with a user equipment UE to obtain a negotiation result, where the negotiation result is used to indicate whether the air interface between the CU and the UE is encrypted using the packet data convergence layer PDCP protocol; and a second transceiver unit, configured to send a first message to a distributed unit DU, where, when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security IPSec protocol.
In a possible design, in a first implementation manner of the third aspect of the embodiments of the present application, the DU has a first interface, where the first interface is the interface through which the DU performs user plane communication with the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, where the first encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first non-encrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol; the second transceiver unit is further configured to receive a first response message sent by the DU, where the first response message is used to indicate that the address of the user plane bearer at the DU end is the first non-encrypted address.
In a possible design, in a second implementation manner of the third aspect of the embodiments of the present application, the CU further includes: a processing unit, configured to encrypt a downlink user plane data packet using the PDCP protocol and to set the destination address of the downlink user plane data packet to the first non-encrypted address; and a determining unit, configured to determine, according to the first non-encrypted address, not to encrypt the downlink user plane data packet using the IPSec protocol; the second transceiver unit is further configured to send the downlink user plane data packet to the DU.
In a possible design, in a third implementation manner of the third aspect of the embodiments of the present application, when the negotiation result indicates that the air interface is not encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer is encrypted using the IPSec protocol, and the first response message is used to indicate that the address of the user plane bearer at the DU end is the first encrypted address.
In a possible design, in a fourth implementation manner of the third aspect of the embodiments of the present application, when the negotiation result indicates that the air interface is encrypted using the PDCP protocol and the communication between the CU and the DU passes through a security gateway SeGW, the CU further includes: the processing unit is further configured to encrypt the downlink user plane data packet using the PDCP protocol and to set the destination address of the downlink user plane data packet to the first non-encrypted address; and a third transceiver unit, configured to send the downlink user plane data packet to the SeGW.
In a possible design, in a fifth implementation manner of the third aspect of the embodiments of the present application, the CU has a second interface, where the second interface is the interface through which the CU performs user plane communication with the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, where the second encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second non-encrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol.
A fourth aspect of the embodiments of the present application provides a distributed unit DU, including: a first transceiver unit, configured to, when the air interface between a central unit CU and a user equipment UE is encrypted using the packet data convergence layer PDCP protocol, receive a first message sent by the CU, where the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security IPSec protocol.
In a possible design, in a first implementation manner of the fourth aspect of the embodiments of the present application, the DU has a first interface, where the first interface is the interface through which the DU performs user plane communication with the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, where the first encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first non-encrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol; when the air interface is encrypted using the PDCP protocol, the first transceiver unit is further configured to send a first response message to the CU, where the first response message is used to indicate that the address of the user plane bearer at the DU end is the first non-encrypted address.
In a possible design, in a second implementation manner of the fourth aspect of the embodiments of the present application, when the air interface is encrypted using the PDCP protocol, the DU further includes: the second transceiver unit, further configured to receive an uplink user plane data packet sent by the UE; a processing unit, configured to set the source address of the uplink user plane data packet to the first non-encrypted address; the determining unit, further configured to determine, according to the first non-encrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol; and the first transceiver unit, further configured to send the uplink user plane data packet to the CU.
In a possible design, in a third implementation manner of the fourth aspect of the embodiments of the present application, when the air interface is encrypted using the PDCP protocol and the communication between the DU and the CU passes through the SeGW, the DU further includes: the second transceiver unit, further configured to receive an uplink user plane data packet sent by the UE; the processing unit, further configured to set the source address of the uplink user plane data packet to the first non-encrypted address; the determining unit, further configured to determine, according to the first non-encrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol; and the third transceiver unit, further configured to send the uplink user plane data packet to the SeGW.
In a possible design, in a fourth implementation manner of the fourth aspect of the embodiments of the present application, the CU has a second interface, where the second interface is the interface through which the CU performs user plane communication with the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, where the second encrypted address is used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second non-encrypted address is used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol; when the air interface is encrypted using the PDCP protocol, the DU further includes: the second transceiver unit, further configured to receive an uplink user plane data packet sent by the UE; the processing unit, further configured to set the destination address of the uplink user plane data packet to the second non-encrypted address; the determining unit, further configured to determine, according to the second non-encrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol; and the first transceiver unit, further configured to send the uplink user plane data packet to the CU.
A fifth aspect of the present application provides a computer readable storage medium storing instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
A sixth aspect of the present application provides a computer program product including instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
As can be seen from the above technical solutions, the embodiments of the present application have the following advantages: the central unit CU performs security negotiation with the user equipment UE to obtain a negotiation result, where the negotiation result is used to indicate whether the air interface between the CU and the UE is encrypted using the packet data convergence layer PDCP protocol; the CU sends a first message to the distributed unit DU; when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security IPSec protocol. In the embodiments of the present application, when the result of the negotiation between the CU and the UE is that the air interface between the CU and the UE is encrypted using the PDCP protocol, the CU notifies the DU that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol, which reduces CPU resource consumption and lowers cost while still ensuring data security.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of a possible existing base station encryption scheme;
FIG. 2 is a schematic diagram of possible functions according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a possible encrypted data transmission according to an embodiment of the present application;
FIG. 4a is a flowchart of a possible information transmission method according to an embodiment of the present application;
FIG. 4b is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 4c is a schematic diagram of a possible interface according to an embodiment of the present application;
FIG. 4d is a schematic diagram of a possible data packet transmission according to an embodiment of the present application;
FIG. 5a is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 5b is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 6a is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 6b is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 7a is a schematic diagram of another possible encrypted data transmission according to an embodiment of the present application;
FIG. 7b is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 7c is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 8a is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 8b is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 9a is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 9b is a flowchart of another possible information transmission method according to an embodiment of the present application;
FIG. 10 is a schematic diagram of an embodiment of a possible central unit according to an embodiment of the present application;
FIG. 11 is a schematic diagram of an embodiment of a possible distributed unit according to an embodiment of the present application;
FIG. 12 is a schematic block diagram of a communication apparatus according to an embodiment of the present application;
FIG. 13 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a system according to an embodiment of the present application.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some rather than all of the embodiments of the present invention.
The terms "first", "second", "third", "fourth", and the like (if any) in the specification, claims and accompanying drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that the data so used may be interchanged where appropriate, so that the embodiments described herein can be implemented in an order other than the one illustrated or described herein. Moreover, the terms "include" and "have" and any variants thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units not expressly listed or inherent to such a process, method, product or device.
The embodiments of the present application provide an information transmission method and related devices, which ensure data security while reducing CPU resource consumption and speeding up system operation.
In the continuous evolution of wireless base stations, a demand has arisen to re-partition the eNB functions. The functions of the eNB node are split into two parts, a CU and a DU, and the two parts are separated and deployed remotely from each other: the DU is deployed at the location of the original access network, while the CU is moved up and deployed close to the core network. In addition, FIG. 2 is a possible functional schematic provided by the present application. In FIG. 2, the air interface of the eNB adopts a layered structure, which from top to bottom consists of radio resource control (RRC), PDCP, radio link control (RLC), media access control (MAC) and the physical layer (PHY); the eNB is connected to the evolved packet core (EPC) through the S1 interface for the transmission of signaling or data. In the re-partitioned eNB architecture, the RRC and PDCP of the original eNB are deployed on the CU, while the RLC, MAC and PHY are deployed on the DU; the CU and the EPC are connected through the S1 interface, and the CU and the DU are connected through a newly introduced interface, Itf-CuDu, to transmit signaling or data. It should be noted that the naming of this new interface is not limited in the present application.
In the eNB re-partitioning scenario, user data transmitted by the UE needs to undergo the following encryption/decryption process on its way to the CU. FIG. 3 is a schematic diagram of a possible encrypted data transmission, which includes the flow of user data from the UE through the DU to the CU, where:
air interface encryption is performed between the UE and the CU to protect the user data during radio transmission; it should be noted that in the 3GPP protocols air interface encryption/decryption is handled by PDCP, so both the UE and the CU have a corresponding processing module responsible for PDCP encryption and PDCP decryption;
the IPSec protocol is introduced between the CU and the DU for encryption, to protect the user data transmitted between the CU and the DU; therefore both the DU and the CU have a corresponding processing module responsible for IPSec encryption and IPSec decryption.
It should be noted that in many scenarios the user data from the UE to the CU has already been encrypted with PDCP when it is carried over the CU-DU interface; from the perspective of user data security, encrypting it again with IPSec is unnecessary, and IPSec encryption and decryption also consume a large amount of CPU resources. In view of this, the embodiments of the present application provide a data encryption method that can be applied in a variety of application scenarios, including:
A: when the communication between the CU and the DU does not pass through the SeGW:
Scenario 1: the first interface on the DU side is configured with DU-side specific IP addresses for establishing the user plane bearer, where the DU-side specific IP addresses are used to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol; for example, the DU-side specific IP addresses include a first encrypted address and a first non-encrypted address, where the first encrypted address indicates that user plane data packets are encrypted/decrypted using the IPSec protocol and the first non-encrypted address indicates that user plane data packets are not encrypted/decrypted using the IPSec protocol, and the first interface is the interface through which the DU performs user plane communication with the CU; in addition, the IP address on the second interface on the CU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol, where the second interface is the interface through which the CU performs user plane communication with the DU;
Scenario 2: the first interface on the DU side is configured with DU-side specific IP addresses for establishing the user plane bearer, and the second interface on the CU side is also configured with CU-side specific IP addresses for establishing the user plane bearer, where the CU-side specific IP addresses are used to distinguish whether the user plane bearer between the CU and the DU is encrypted using the IPSec protocol; for example, the CU-side specific IP addresses include a second encrypted address and a second non-encrypted address, where the second encrypted address indicates that user plane data packets are encrypted/decrypted using the IPSec protocol and the second non-encrypted address indicates that user plane data packets are not encrypted/decrypted using the IPSec protocol;
Scenario 3: the second interface on the CU side is configured with CU-side specific IP addresses for establishing the user plane bearer, and the IP address on the first interface on the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol.
B: when the communication between the CU and the DU passes through the SeGW:
Scenario 4: the first interface on the DU side is configured with DU-side specific IP addresses for establishing the user plane bearer, and the IP address on the second interface on the CU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol;
Scenario 5: the first interface on the DU side is configured with DU-side specific IP addresses for establishing the user plane bearer, and the second interface on the CU side is also configured with CU-side specific IP addresses for establishing the user plane bearer;
Scenario 6: the second interface on the CU side is configured with CU-side specific IP addresses for establishing the user plane bearer, and the IP address on the first interface on the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol.
The scenarios above are described below in turn with reference to specific embodiments.
Referring to FIG. 4a and FIG. 4b, a method embodiment of the present application in scenario 1 is described, which specifically includes:
401. The CU performs security negotiation with the UE to obtain a negotiation result.
The CU performs security negotiation with the UE and obtains a negotiation result, where the negotiation result is used to indicate whether the air interface between the CU and the UE is encrypted using the PDCP protocol, and the air interface is the interface between the UE and the base station.
It should be noted that there are several ways for the CU and the UE to perform security negotiation and obtain a negotiation result, including: the UE sends algorithm set information to the CU, where the algorithm set information includes information about the algorithms supported by the UE; the CU receives the algorithm set information, compares the algorithms in it with the algorithms supported by the CU, and determines the intersection algorithm, that is, the algorithms supported by both the CU and the UE. It can be understood that the intersection may include one or more algorithms. When the intersection includes a single algorithm, the CU sends the information about that algorithm to the UE; if the algorithm is an encryption algorithm, the negotiation result is that the air interface between the CU and the UE is encrypted using the PDCP protocol, and if it is a non-encrypting algorithm, the negotiation result is that the air interface between the CU and the UE is not encrypted using the PDCP protocol. When the intersection includes multiple algorithms, the CU may select an encryption algorithm among them and send it to the UE, in which case the negotiation result is that the air interface is encrypted using the PDCP protocol; alternatively, the CU may select any one of the algorithms and send it to the UE, and if the selected algorithm is an encryption algorithm the negotiation result is that the air interface is encrypted using the PDCP protocol, otherwise the negotiation result is that the air interface is not encrypted using the PDCP protocol. In summary, there are many ways for the CU and the UE to perform security negotiation and obtain a negotiation result, which are not specifically limited here.
It can be understood that the subsequent procedures differ according to the result of the security negotiation between the CU and the UE and are independent of each other. Therefore, after the CU obtains the negotiation result, if the result indicates that the air interface between the CU and the UE is encrypted using the PDCP protocol, steps 402 to 411 in FIG. 4a are performed; if the result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, steps 412 to 421 in FIG. 4b are performed. The details are as follows:
402. The CU sends first indication information to the DU.
When the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the CU sends a first message to the DU over the first control plane interface. The first message carries first indication information, which indicates that the user plane bearer between the CU and the DU is not to be encrypted using the IPSec protocol; the first control plane interface is the interface over which the CU and the DU communicate on the control plane. For ease of understanding, a 1-bit encryption indication field may be set in the first message: when the field is set to 0, it indicates that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol; when it is set to 1, it indicates that the user plane bearer between the CU and the DU is encrypted using the IPSec protocol. Optionally, a 2-bit encryption indication field may be set in the first message instead: when the field is set to 01, it indicates that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol; when it is set to 10, it indicates that the user plane bearer between the CU and the DU is encrypted using the IPSec protocol. The manner in which the CU indicates to the DU whether the user plane bearer is encrypted using the IPSec protocol is therefore not limited in this application.
The user plane bearer between the CU and the DU can be understood as a GTP-U tunnel established between the CU and the DU for transporting the user plane data flow.
It should be noted that the first message may be a user plane bearer setup request message, or another existing message or a new message, which is not limited in this application.
In addition, when the first message is a user plane bearer setup request message, it may carry the user plane address on the CU side.
403. The DU sends first response information to the CU.
It should be noted that the first interface on the DU side is configured with DU-side specific IP addresses for establishing the user plane bearer with the CU; these DU-side specific IP addresses are used to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol. For ease of understanding, refer to FIG. 4c, a schematic diagram of a possible DU-side interface provided by an embodiment of this application. The first interface is the interface the DU uses to communicate with the CU, and it includes at least two specific user plane IP addresses, namely a first encrypted address and a first non-encrypted address. The first encrypted address is used in the IPSec communication scenario and indicates that user plane data packets are encrypted/decrypted using the IPSec protocol; the first non-encrypted address is used in the non-IPSec communication scenario and indicates that user plane data packets are not encrypted/decrypted using the IPSec protocol. It should be noted that FIG. 4c is merely an illustrative example; the first interface, the first encrypted address and the first non-encrypted address in it can be understood as logical concepts rather than physical entities.
Therefore, after receiving the first indication information carried in the first message sent by the CU, the DU determines from it that the user plane bearer between the DU and the CU does not need IPSec encryption, selects the first non-encrypted address as the user plane address of the first interface in order to establish the user plane bearer between the CU and the DU, that is, the GTP-U tunnel, and sends the CU a first response message in response to the first message. The first response message carries first response information, which includes the first non-encrypted address, indicating to the CU that the DU-side address of the user plane bearer between the DU and the CU is the first non-encrypted address.
The first response message may be a user plane bearer setup response message, or another existing message or a new message, which is not limited in this application. Thus, once the DU has obtained the CU-side user plane address and the CU has obtained the DU-side user plane address, the user plane bearer between the CU and the DU can be established.
404. The UE sends a first uplink user plane data packet to the DU.
It should be noted that, after the bearer between the CU and the DU, the bearer between the UE and the core network, and so on have been established, the UE transmits user plane data to the core network through the DU and the CU. Specifically, when the negotiation result between the CU and the UE is that the air interface between them is encrypted using the PDCP protocol, the UE applies PDCP encryption to the first uplink user plane data packet and sends the encrypted packet to the DU over the air interface.
405. The DU determines not to encrypt the first uplink user plane data packet using the IPSec protocol.
406. The DU sends the first uplink user plane data packet to the CU.
For ease of understanding of this application, refer to FIG. 4d, a schematic diagram of a possible data packet transmission. In the figure, the UE sends a data packet whose source address is the UE's address and whose destination address is the address of the Internet server to be reached. The UE transmits the packet to the eNB, which encapsulates it into a GTP packet that can be transmitted in a GTP tunnel; the source address of the packet is replaced with the eNB's address, and the destination address with the address of the serving gateway (SGW) it is to reach. When the packet arrives at the SGW, its source address is replaced with the SGW's address and its destination address with the address of the PDN gateway (packet data network gateway, P-GW), and the transport tunnel changes from the S1 GTP tunnel to the S5 GTP tunnel. When the packet arrives at the P-GW, the P-GW decapsulates it, obtains its real destination address and forwards it to the server at that address, completing the upload of a data packet from the UE to the Internet.
Therefore, after receiving the PDCP-encrypted first uplink user plane data packet sent by the UE, the DU uses the first non-encrypted address as the source address of the packet to complete the GTP-U tunnel encapsulation. Based on the first non-encrypted address, the DU determines that the first uplink user plane data packet is not to be encrypted using the IPSec protocol, and sends the packet directly to the CU over the first interface on the DU side.
407a. The CU determines not to decrypt the first uplink user plane data packet using the IPSec protocol.
407b. The CU sends the first uplink user plane data packet to the SGW.
After receiving, over the second interface on the CU side, the first uplink user plane data packet that has not been encrypted using the IPSec protocol, the CU performs GTP-U decapsulation on it to obtain the decapsulated first uplink user plane data packet, and then proceeds directly to subsequent processing. The subsequent processing includes: the CU uses the PDCP protocol to perform air interface decryption of the first uplink user plane data packet and, before sending it to the SGW, encrypts it again to protect the packet in transit between the CU and the SGW. The CU then sends the processed first uplink user plane data packet to the SGW.
408a. The SGW sends a first downlink user plane data packet to the CU.
408b. The CU determines not to encrypt the first downlink user plane data packet using the IPSec protocol.
409. The CU sends the first downlink user plane data packet to the DU.
When the core network needs to send a first downlink user plane data packet to the UE through the CU and the DU, the CU receives the first downlink user plane data packet from the core network. If the negotiation result between the CU and the UE is that the air interface between them is to be encrypted using the PDCP protocol, the CU must also apply PDCP encryption to the first downlink data.
In addition, the CU uses the first non-encrypted address as the destination address of the first downlink user plane data packet to complete the GTP-U tunnel encapsulation. Based on the first non-encrypted address, the CU determines that the first downlink user plane data packet is not to be encrypted using the IPSec protocol, and sends the packet directly to the DU over the second interface on the CU side.
410. The DU determines not to decrypt the first downlink user plane data packet using the IPSec protocol.
411. The DU sends the first downlink user plane data packet to the UE.
After receiving, over the first interface on the DU side, the first downlink user plane data packet that has not been encrypted using the IPSec protocol, the DU can determine from the format of the packet that it is not to be decrypted using the IPSec protocol, and therefore performs GTP-U decapsulation on it directly to obtain the decapsulated first downlink user plane data packet, followed by subsequent processing. The subsequent processing includes sending the first downlink user plane data packet to the UE over the air interface, so that the UE decrypts it using the PDCP protocol to obtain the decrypted first downlink user plane data packet.
It should be noted that, in this application, steps 404 to 407b implement the transmission of the first uplink user plane data packet from the UE to the SGW, and steps 408a to 411 implement the transmission of the first downlink user plane data packet from the SGW to the UE. There is no required order between these two procedures: steps 404 to 407b may be performed first, steps 408a to 411 may be performed first, or they may be performed at the same time, which is not limited here.
If the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, refer to FIG. 4b; the procedure specifically includes:
412. The CU sends second indication information to the DU.
When the negotiation result indicates that the air interface is not encrypted using the PDCP protocol, the first message sent by the CU to the DU over the first control plane interface carries second indication information, which indicates that the user plane bearer between the CU and the DU is to be encrypted using the IPSec protocol.
413. The DU sends second response information to the CU.
After receiving the second indication information carried in the first message sent by the CU, the DU determines from it that the user plane bearer between the DU and the CU requires IPSec encryption, uses the first encrypted address as the user plane address of the first interface in order to establish the user plane bearer between the CU and the DU, that is, the GTP-U tunnel, and sends the CU a first response message carrying second response information. The second response information includes the first encrypted address, indicating to the CU that the DU-side address of the user plane bearer between the DU and the CU is the first encrypted address.
414. The UE sends a second uplink user plane data packet to the DU.
Specifically, when the negotiation result between the CU and the UE is that the air interface between them is not encrypted using the PDCP protocol, the UE does not apply PDCP encryption to the second uplink user plane data packet, but sends it directly to the DU over the air interface.
415. The DU determines to encrypt the second uplink user plane data packet using the IPSec protocol.
416. The DU sends the second uplink user plane data packet to the CU.
Therefore, after receiving the second uplink user plane data packet sent by the UE, the DU uses the first encrypted address as the source address of the packet to complete the GTP-U tunnel encapsulation. Based on the first encrypted address, the DU determines that the second uplink user plane data packet is to be encrypted using the IPSec protocol, and encrypts it to obtain the IPSec-encrypted second uplink user plane data packet. The DU then sends the IPSec-encrypted second uplink user plane data packet directly to the CU over the first interface on the DU side.
417a. The CU determines to decrypt the second uplink user plane data packet using the IPSec protocol.
417b. The CU sends the second uplink user plane data packet to the SGW.
After receiving the second uplink user plane data packet over the second interface on the CU side, the CU decrypts it using the IPSec protocol and then performs GTP-U tunnel decapsulation to obtain the decapsulated second uplink user plane data packet. Before sending the decapsulated second uplink user plane data packet to the SGW, the CU performs subsequent processing on it, which may include encrypting the packet using the IPSec protocol according to the security configuration between the CU and the SGW, so as to protect the second uplink user plane data packet in transit between the CU and the core network.
The CU then sends the processed second uplink user plane data packet to the SGW.
418a. The SGW sends a second downlink user plane data packet to the CU.
418b. The CU determines to encrypt the second downlink user plane data packet using the IPSec protocol.
419. The CU sends the second downlink user plane data packet to the DU.
When the core network needs to send a second downlink user plane data packet to the UE through the CU and the DU, the CU receives the second downlink user plane data packet from the core network. Based on the negotiation result, the CU determines that the second downlink user plane data packet is not to be encrypted using the PDCP protocol.
In addition, the CU uses the first encrypted address as the destination address of the second downlink user plane data packet to complete the GTP-U tunnel encapsulation. Based on the first encrypted address, the CU determines that the second downlink user plane data packet is to be encrypted using the IPSec protocol, obtains the IPSec-encrypted second downlink user plane data packet, and sends it to the DU over the second interface on the CU side.
420. The DU determines to decrypt the second downlink user plane data packet using the IPSec protocol.
421. The DU sends the second downlink user plane data packet to the UE.
After receiving the second downlink user plane data packet over the first interface on the DU side, the DU decrypts it using the IPSec protocol and then performs GTP-U tunnel decapsulation to obtain the decapsulated second downlink user plane data packet. The DU then performs subsequent processing on the decapsulated packet, which includes sending it to the UE over the air interface; the UE does not need to decrypt the decapsulated second downlink user plane data packet using the PDCP protocol.
It should be noted that, in this application, steps 414 to 417b implement the transmission of the second uplink user plane data packet from the UE to the core network, and steps 418a to 421 implement the transmission of the second downlink user plane data packet from the core network to the UE. There is no required order between these two procedures: steps 414 to 417b may be performed first, steps 418a to 421 may be performed first, or they may be performed at the same time, which is not limited here.
Optionally, in the embodiments of this application, the first encrypted address and the first non-encrypted address are configured on the first interface of the DU to distinguish whether a user plane data flow requires IPSec encryption. It can be understood that, in practice, there are multiple ways to distinguish whether a user plane data flow requires IPSec encryption, including: distinguishing by protocol port number, for example user plane data flows that require IPSec encryption use port numbers 10000-29999 and those that do not require IPSec encryption use port numbers 30000-49999; or distinguishing by protocol type, for example user plane data flows that require IPSec encryption use the GTPU protocol and those that do not require IPSec encryption use the UDP protocol. There are therefore multiple ways to distinguish whether IPSec encryption is required, which are not limited here.
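The following Python model is an added example and not code from the patent: it walks through steps 401-421 above (algorithm intersection, the 1-bit/2-bit indication in the first message, the DU choosing its first encrypted or first non-encrypted address, and the IPSec decision made from that address), plus the port-range and protocol-type selectors just described. Algorithm names, IP addresses, the message dictionary layout and the use of UDP port 2152 (the standard GTP-U port) are assumptions made for the example; scenario 2 mirrors the same logic with the CU-side second addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

NULL_ALG = "null"  # the "non-encrypting" algorithm; other algorithm names are constructed labels


def negotiate_air_interface(ue_algs: List[str], cu_algs: List[str],
                            prefer_cipher: bool = True) -> Tuple[str, bool]:
    """Step 401: intersect the UE's algorithm set with the CU's and select one.

    Returns (selected algorithm, air interface PDCP-encrypted?).  With prefer_cipher
    the CU takes an encrypting algorithm whenever the intersection offers one;
    otherwise it takes the first common algorithm, which may be the null algorithm.
    """
    common = [a for a in ue_algs if a in cu_algs]
    if not common:
        raise ValueError("UE and CU share no algorithm")
    ciphers = [a for a in common if a != NULL_ALG]
    selected = ciphers[0] if (prefer_cipher and ciphers) else common[0]
    return selected, selected != NULL_ALG


def build_first_message(cu_up_addr: str, pdcp_encrypted: bool,
                        width: int = 1) -> Dict[str, object]:
    """Steps 402/412: bearer setup request with the 1-bit (0/1) or 2-bit (01/10)
    encryption indication; IPSec is required exactly when PDCP encryption is off."""
    ipsec_required = not pdcp_encrypted
    if width == 1:
        ind = 1 if ipsec_required else 0
    elif width == 2:
        ind = 0b10 if ipsec_required else 0b01
    else:
        raise ValueError("indication field is 1 or 2 bits")
    return {"cu_up_addr": cu_up_addr, "ipsec_ind": ind, "ind_width": width}


def decode_indication(msg: Dict[str, object]) -> bool:
    """DU side: True when the first message asks for an IPSec-protected bearer."""
    if msg["ind_width"] == 1:
        return msg["ipsec_ind"] == 1
    return {0b01: False, 0b10: True}[msg["ipsec_ind"]]  # undefined code -> KeyError


@dataclass(frozen=True)
class DuFirstInterface:
    """Logical DU-side first interface of FIG. 4c with its two user plane addresses."""
    encrypted_addr: str  # first encrypted address: IPSec applies
    plain_addr: str      # first non-encrypted address: no IPSec

    def select_user_plane_addr(self, msg: Dict[str, object]) -> str:
        """Steps 403/413: choose the DU bearer endpoint from the indication."""
        return self.encrypted_addr if decode_indication(msg) else self.plain_addr

    def ipsec_applies(self, addr: str) -> bool:
        """Steps 405/415 and 410/420: the configured address alone decides."""
        if addr == self.encrypted_addr:
            return True
        if addr == self.plain_addr:
            return False
        raise ValueError(f"{addr} is not a configured user plane address")


@dataclass
class GtpuPacket:
    src: str
    dst: str
    proto: str       # "GTPU" or "UDP" for the protocol-type selector below
    dst_port: int
    payload: bytes


def du_encapsulate_uplink(du_if: DuFirstInterface, msg: Dict[str, object], inner_pdu: bytes,
                          dst_port: int = 2152) -> Tuple[GtpuPacket, bool]:
    """Steps 406/416: GTP-U encapsulation toward the CU plus the IPSec decision.
    2152 is the standard GTP-U UDP port."""
    local = du_if.select_user_plane_addr(msg)
    pkt = GtpuPacket(src=local, dst=str(msg["cu_up_addr"]), proto="GTPU",
                     dst_port=dst_port, payload=inner_pdu)
    return pkt, du_if.ipsec_applies(pkt.src)


# The two alternative selectors named at the end of scenario 1.
def requires_ipsec_by_port(pkt: GtpuPacket) -> bool:
    if 10000 <= pkt.dst_port <= 29999:
        return True
    if 30000 <= pkt.dst_port <= 49999:
        return False
    raise ValueError("port outside both configured ranges")  # never guess


def requires_ipsec_by_proto(pkt: GtpuPacket) -> bool:
    return pkt.proto == "GTPU"


def run_scenario(ue_algs: List[str], cu_algs: List[str], du_if: DuFirstInterface,
                 cu_up_addr: str = "10.0.0.1") -> Dict[str, object]:
    """End to end: negotiation -> indication -> DU address choice -> uplink packet."""
    alg, pdcp = negotiate_air_interface(ue_algs, cu_algs)
    msg = build_first_message(cu_up_addr, pdcp, width=2)
    pkt, ipsec = du_encapsulate_uplink(du_if, msg, b"pdcp-pdu")
    return {"alg": alg, "pdcp_encrypted": pdcp, "du_addr": pkt.src,
            "ipsec_on_bearer": ipsec}
```

In every run the invariant `ipsec_on_bearer == not pdcp_encrypted` holds, which is the property the embodiment relies on: the user plane is protected on exactly one of the two legs.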
It should be noted that the embodiments of this application can be implemented not only in an LTE network architecture, but also in network architectures such as the 5G radio access network, the universal mobile telecommunications system (UMTS), code division multiple access (CDMA) or wideband code division multiple access (WCDMA).
In the embodiments of this application, whether the transmission of a user plane data flow over the CU-DU interface uses IPSec encryption/decryption can be decided flexibly according to whether the UE's air interface uses PDCP encryption: when the UE's air interface uses PDCP encryption, the transmission of the user plane data flow over the CU-DU interface does not use IPSec encryption/decryption; when the UE's air interface does not use PDCP encryption, the transmission of the user plane data flow over the CU-DU interface uses IPSec encryption/decryption. This guarantees the security of user data while applying IPSec encryption/decryption more flexibly, which reduces CPU resource consumption and speeds up the system.
Refer to FIG. 5a and FIG. 5b, a method embodiment of this application in scenario 2, which specifically includes:
501. The CU carries out security negotiation with the UE and obtains a negotiation result.
It should be noted that, after the CU obtains the negotiation result, if the result indicates that the air interface between the CU and the UE is encrypted using the PDCP protocol, steps 502-511 in FIG. 5a are performed; if the result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, steps 512-521 in FIG. 5b are performed. The details are as follows:
502. The CU sends first indication information to the DU.
503. The DU sends first response information to the CU.
504. The UE sends a first uplink user plane data packet to the DU.
In this embodiment of the application, steps 501 to 504 are similar to steps 401 to 404 in the embodiment shown in FIG. 4a, and are not described again here.
505. The DU determines not to encrypt the first uplink user plane data packet using the IPSec protocol.
506. The DU sends the first uplink user plane data packet to the CU.
It should be noted that, in this embodiment of the application, the second interface on the CU side is likewise configured with CU-side specific IP addresses for establishing the user plane bearer; these CU-side specific IP addresses are used to distinguish whether the user plane bearer between the CU and the DU is encrypted using the IPSec protocol, and include a second encrypted address and a second non-encrypted address. The second encrypted address is used in the IPSec communication scenario and indicates that packets are encrypted/decrypted using the IPSec protocol; the second non-encrypted address is used in the non-IPSec communication scenario and indicates that packets are not encrypted/decrypted using the IPSec protocol.
Therefore, after receiving the PDCP-encrypted first uplink user plane data packet sent by the UE, the DU uses the second non-encrypted address as the destination address of the packet to complete the GTP-U tunnel encapsulation. Based on the second non-encrypted address, the DU determines that the first uplink user plane data packet is not to be encrypted using the IPSec protocol, and sends the packet directly to the CU over the first interface on the DU side.
507a. The CU determines not to decrypt the first uplink user plane data packet using the IPSec protocol.
507b. The CU sends the first uplink user plane data packet to the SGW.
After receiving, over the second interface on the CU side, the first uplink user plane data packet that has not been encrypted using the IPSec protocol, the CU can determine from the format of the packet that it is not to be decrypted using the IPSec protocol, and therefore performs GTP-U decapsulation on it directly to obtain the decapsulated first uplink user plane data packet. The CU then performs subsequent processing on the decapsulated packet, which includes: using the PDCP protocol to perform air interface decryption of the first uplink user plane data packet and, before sending it to the SGW, encrypting it again to protect the packet in transit between the CU and the core network. The CU then sends the processed first uplink user plane data packet to the SGW.
508a. The SGW sends a first downlink user plane data packet to the CU.
508b. The CU determines not to encrypt the first downlink user plane data packet using the IPSec protocol.
509. The CU sends the first downlink user plane data packet to the DU.
510. The DU determines not to decrypt the first downlink user plane data packet using the IPSec protocol.
511. The DU sends the first downlink user plane data packet to the UE.
In this embodiment of the application, steps 508a to 511 are similar to steps 408a to 411 in the embodiment shown in FIG. 4a, and are not described again here.
It should be noted that, in this application, steps 504 to 507b implement the transmission of the first uplink data from the UE to the SGW, and steps 508a to 511 implement the transmission of the first downlink data from the SGW to the UE. There is no required order between these two procedures: steps 504 to 507b may be performed first, steps 508a to 511 may be performed first, or they may be performed at the same time, which is not limited here.
If the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, refer to FIG. 5b; the procedure specifically includes:
512. The CU sends second indication information to the DU.
513. The DU sends second response information to the CU.
514. The UE sends a second uplink user plane data packet to the DU.
In this embodiment of the application, steps 512 to 514 are similar to steps 412 to 414 in the embodiment shown in FIG. 4b, and are not described again here.
515. The DU determines to encrypt the second uplink user plane data packet using the IPSec protocol.
516. The DU sends the second uplink user plane data packet to the CU.
Therefore, after receiving the second uplink user plane data packet sent by the UE, the DU uses the second encrypted address as the destination address of the packet to complete the GTP-U tunnel encapsulation. Based on the second encrypted address, the DU determines that the second uplink user plane data packet is to be encrypted using the IPSec protocol, and sends the packet directly to the CU over the first interface on the DU side.
517a. The CU determines to decrypt the second uplink user plane data packet using the IPSec protocol.
517b. The CU sends the second uplink user plane data packet to the SGW.
After receiving the second uplink user plane data packet over the second interface on the CU side, the CU decrypts it using the IPSec protocol and then performs GTP-U tunnel decapsulation to obtain the decapsulated second uplink user plane data packet. The CU then performs subsequent processing on the decapsulated packet, which may include: before sending the second uplink user plane data packet to the SGW, encrypting it using the IPSec protocol according to the security configuration between the CU and the SGW, so as to protect the second uplink user plane data packet in transit between the CU and the core network. The CU then sends the processed second uplink user plane data packet to the SGW.
518a. The SGW sends a second downlink user plane data packet to the CU.
518b. The CU determines to encrypt the second downlink user plane data packet using the IPSec protocol.
519. The CU sends the second downlink user plane data packet to the DU.
520. The DU determines to decrypt the second downlink user plane data packet using the IPSec protocol.
521. The DU sends the second downlink user plane data packet to the UE.
In this embodiment of the present application, steps 518 to 521 are similar to steps 418 to 421 in the embodiment shown in FIG. 4a, and details are not described herein again.
It should be noted that, in this application, the transmission of the second uplink data from the UE to the SGW is implemented by steps 514 to 517b, and the transmission of the second downlink data from the SGW to the UE is implemented by steps 518a to 511. There is no fixed order between these two processes: steps 514 to 517b may be performed first, steps 518a to 521 may be performed first, or both may be performed at the same time, which is not limited herein.
In this embodiment of the present application, the second encrypted address and the second non-encrypted address may also be configured on the second interface on the CU side to distinguish user plane data flows that require IPSec encryption from those that do not, which adds to the ways in which the embodiments of the present application can be implemented.
Refer to FIG. 6a and FIG. 6b, which show a method embodiment of the present application in scenario 3. In scenario 3, the second interface on the CU side is also configured with CU-side-specific IP addresses for establishing the user plane bearer. These CU-side-specific IP addresses are used to distinguish whether the user plane bearer between the CU and the DU is encrypted using the IPSec protocol, and include a second encrypted address and a second non-encrypted address, where the second encrypted address is used in the IPSec communication scenario and indicates that packets are encrypted/decrypted using the IPSec protocol, and the second non-encrypted address is used in the non-IPSec communication scenario and indicates that packets are not encrypted/decrypted using the IPSec protocol. In addition, in scenario 3, the IP address of the first interface on the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol.
Specifically, the method includes:
601. The CU performs security negotiation with the UE to obtain a negotiation result.
In this embodiment of the present application, step 601 is similar to step 401 in the embodiment shown in FIG. 4a, and details are not described herein again.
After the CU obtains the negotiation result, if the negotiation result indicates that the air interface between the CU and the UE is encrypted using the PDCP protocol, steps 602 to 611 in FIG. 6a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, steps 612 to 621 in FIG. 6b are performed. The details are as follows:
602. The CU sends first indication information to the DU.
When the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message sent by the CU to the DU through the first control plane interface carries first indication information. This indication information indicates that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol and that the second non-encrypted address is used as the user plane address of the second interface, that is, the CU-end address of the user plane bearer between the CU and the DU is the second non-encrypted address.
603. The DU sends first response information to the CU.
After receiving the first indication information carried in the first message sent by the CU, the DU determines, based on the first indication information, that the user plane bearer between the DU and the CU does not need IPSec encryption, and determines that the second non-encrypted address is the user plane address of the second interface on the CU side. Optionally, in response to the first message carrying the first indication information, the DU sends a first response message to the CU, where the first response message includes first response information, and the first response information includes the user plane bearer address on the DU side.
604. The UE sends a first uplink user plane data packet to the DU.
605. The DU determines not to encrypt the first uplink user plane data packet using the IPSec protocol.
606. The DU sends the first uplink user plane data packet to the CU.
607a. The CU determines not to decrypt the first uplink user plane data packet using the IPSec protocol.
607b. The CU sends the first uplink user plane data packet to the SGW.
In this embodiment of the present application, steps 604 to 607b are similar to steps 504 to 507b in the embodiment shown in FIG. 5a, and details are not described herein again.
608a. The SGW sends a first downlink user plane data packet to the CU.
608b. The CU determines not to encrypt the first downlink user plane data packet using the IPSec protocol.
609. The CU sends the first downlink user plane data packet to the DU.
When the SGW needs to send the first downlink user plane data packet to the UE via the CU and the DU, the CU receives the first downlink user plane data packet from the SGW. If the negotiation result between the CU and the UE is that the air interface between the CU and the UE must be encrypted using the PDCP protocol, the CU also performs PDCP encryption on the first downlink data.
In addition, the CU uses the second non-encrypted address as the source address of the first downlink user plane data packet to complete the GTP-U tunnel encapsulation. Based on the second non-encrypted address, the CU determines not to encrypt the first downlink user plane data packet using the IPSec protocol, and sends the first downlink user plane data packet directly to the DU through the second interface on the CU side.
610. The DU determines not to decrypt the first downlink user plane data packet using the IPSec protocol.
611. The DU sends the first downlink user plane data packet to the UE.
In this embodiment of the present application, steps 610 to 611 are similar to steps 410 to 411 in the embodiment shown in FIG. 4a, and details are not described herein again.
It should be noted that, in this application, the transmission of the first uplink user plane data packet from the UE to the SGW is implemented by steps 604 to 607b, and the transmission of the first downlink user plane data packet from the core network to the UE is implemented by steps 608a to 611. There is no fixed order between these two processes: steps 604 to 607b may be performed first, steps 608a to 611 may be performed first, or both may be performed at the same time, which is not limited herein.
If the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, refer to FIG. 6b; the method specifically includes:
612. The CU sends second indication information to the DU.
When the negotiation result indicates that the air interface is not encrypted using the PDCP protocol, the first message sent by the CU to the DU through the first control plane interface carries second indication information. The second indication information indicates that the user plane bearer between the CU and the DU is encrypted using the IPSec protocol and that the second encrypted address is used as the user plane address of the second interface, that is, the CU-end address of the user plane bearer between the CU and the DU is the second encrypted address.
613. The DU sends second response information to the CU.
After receiving the second indication information carried in the first message sent by the CU, the DU determines, based on the second indication information, that the user plane bearer between the DU and the CU needs IPSec encryption, and determines that the second encrypted address is the user plane address of the second interface on the CU side. Optionally, in response to the first message carrying the second indication information, the DU sends to the CU a first response message carrying second response information, where the second response information includes the user plane bearer address on the DU side.
614. The UE sends a second uplink user plane data packet to the DU.
615. The DU determines to encrypt the second uplink user plane data packet using the IPSec protocol.
616. The DU sends the second uplink user plane data packet to the CU.
617a. The CU determines to decrypt the second uplink user plane data packet using the IPSec protocol.
617b. The CU sends the second uplink user plane data packet to the SGW.
In this embodiment of the present application, steps 614 to 617b are similar to steps 514 to 517b in the embodiment shown in FIG. 5b, and details are not described herein again.
618a. The SGW sends a second downlink user plane data packet to the CU.
618b. The CU determines to encrypt the second downlink user plane data packet using the IPSec protocol.
619. The CU sends the second downlink user plane data packet to the DU.
When the SGW needs to send the second downlink user plane data packet to the UE via the CU and the DU, the CU receives the second downlink user plane data packet from the SGW. Based on the negotiation result, the CU determines not to encrypt the second downlink user plane data packet using the PDCP protocol.
In addition, the CU uses the second encrypted address as the source address of the second downlink user plane data packet to complete the GTP-U tunnel encapsulation. Based on the second encrypted address, the CU determines that the second downlink user plane data packet must be encrypted using the IPSec protocol, obtains the IPSec-encrypted second downlink user plane data packet, and sends the encrypted second downlink user plane data packet to the DU through the second interface on the CU side.
620. The DU determines to decrypt the second downlink user plane data packet using the IPSec protocol.
621. The DU sends the second downlink user plane data packet to the UE.
In this embodiment of the present application, steps 620 to 621 are similar to steps 520 to 521 in the embodiment shown in FIG. 5b, and details are not described herein again.
It should be noted that, in this application, the transmission of the second uplink user plane data packet from the UE to the SGW is implemented by steps 614 to 617b, and the transmission of the second downlink user plane data packet from the SGW to the UE is implemented by steps 618a to 611. There is no fixed order between these two processes: steps 614 to 617b may be performed first, steps 618a to 611 may be performed first, or both may be performed at the same time, which is not limited herein.
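The embodiments of FIG. 5b and FIG. 6a/6b above all rest on one mechanism: the address chosen for the GTP-U tunnel endpoint carries the IPSec decision, so the sender and the receiver never need a separate signalling field per packet. The following Python model is an added illustration, not code from the patent application. It assumes constructed sample addresses for the CU-side second interface and the DU-side first interface, models IPSec protection as a flag on the packet, and adds the check a receiver should make in practice: a packet whose protection state disagrees with the policy implied by its address (for example, a plaintext packet arriving on the second encrypted address) is rejected rather than forwarded.

```python
"""Address-based choice of IPSec protection on the CU-DU user plane bearer.

Added illustration, not code from the patent application. The CU-side
second interface owns two addresses: a "second encrypted address" meaning
"this bearer is IPSec-protected" and a "second non-encrypted address"
meaning "plain". Whichever one is used as the GTP-U tunnel endpoint tells
both ends whether IPSec applies. All addresses are constructed samples.
"""
from dataclasses import dataclass

# Constructed sample addresses (assumption, not values from the application).
SECOND_ENCRYPTED_ADDR = "192.0.2.10"       # CU second interface, IPSec bearers
SECOND_NON_ENCRYPTED_ADDR = "192.0.2.11"   # CU second interface, plain bearers
DU_ADDR = "198.51.100.5"                   # DU first interface (not distinguishing)

# The policy both ends share: which CU-side addresses require IPSec.
IPSEC_ADDRS = frozenset({SECOND_ENCRYPTED_ADDR})


@dataclass
class GtpuPacket:
    """A GTP-U encapsulated user plane packet with its protection state."""
    src: str
    dst: str
    payload: bytes
    pdcp_ciphered: bool = False     # ciphered on the air interface by PDCP
    ipsec_protected: bool = False   # IPSec applied on the CU-DU bearer


def negotiate(pdcp_ciphering_on: bool) -> dict:
    """Steps 601-602 / 612: derive the indication the CU sends to the DU.

    PDCP ciphering on  -> no IPSec, second non-encrypted address.
    PDCP ciphering off -> IPSec, second encrypted address.
    """
    if pdcp_ciphering_on:
        return {"ipsec": False, "cu_addr": SECOND_NON_ENCRYPTED_ADDR}
    return {"ipsec": True, "cu_addr": SECOND_ENCRYPTED_ADDR}


def needs_ipsec(cu_side_addr: str) -> bool:
    """The only policy input is the CU-side address of the bearer."""
    return cu_side_addr in IPSEC_ADDRS


def du_send_uplink(indication: dict, payload: bytes) -> GtpuPacket:
    """Steps 604-606 / 614-616: the DU encapsulates toward the indicated CU
    address and derives the IPSec decision from that destination address."""
    pkt = GtpuPacket(src=DU_ADDR, dst=indication["cu_addr"], payload=payload,
                     pdcp_ciphered=not indication["ipsec"])
    pkt.ipsec_protected = needs_ipsec(pkt.dst)
    return pkt


def cu_receive_uplink(pkt: GtpuPacket) -> bytes:
    """Steps 607a / 617a: the CU decides from its own (destination) address
    whether IPSec decryption is expected, and rejects a packet whose
    protection state disagrees with that policy."""
    if needs_ipsec(pkt.dst) != pkt.ipsec_protected:
        raise ValueError("protection state does not match address policy")
    return pkt.payload


def cu_send_downlink(indication: dict, payload: bytes) -> GtpuPacket:
    """Steps 608b-609 / 618b-619: the CU uses the indicated address as the
    GTP-U source address and derives the IPSec decision from it."""
    pkt = GtpuPacket(src=indication["cu_addr"], dst=DU_ADDR, payload=payload,
                     pdcp_ciphered=not indication["ipsec"])
    pkt.ipsec_protected = needs_ipsec(pkt.src)
    return pkt


def du_receive_downlink(pkt: GtpuPacket) -> bytes:
    """Steps 610 / 620: the DU decides from the CU-side (source) address."""
    if needs_ipsec(pkt.src) != pkt.ipsec_protected:
        raise ValueError("protection state does not match address policy")
    return pkt.payload


def exactly_one_layer(pkt: GtpuPacket) -> bool:
    """Property the embodiments aim for: user data on the bearer is protected
    by PDCP or by IPSec, never by both and never by neither."""
    return pkt.pdcp_ciphered != pkt.ipsec_protected
```

The mismatch check in the two receive functions is the part worth copying: when the address alone selects the security policy, a receiver that silently accepts an unprotected packet on the "encrypted" address has turned the address into a downgrade knob, so the policy derived from the address must be compared against what actually arrived.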
It should be noted that the communication between the CU and the DU may pass through a SeGW, with the CU deployed behind the SeGW. Refer to FIG. 7a, which is a schematic diagram of another possible encrypted data transmission, covering the process in which a user data flow passes from the UE through the DU and the SeGW to the CU, where:
air interface encryption is performed between the UE and the CU to protect user data during radio transmission; it should be noted that in the 3GPP protocols air interface encryption/decryption is handled by PDCP, so both the UE and the CU have a corresponding processing module responsible for PDCP encryption and PDCP decryption;
the IPSec protocol is used for encryption between the DU and the SeGW to protect user data in transit over the backhaul network, so both the DU and the SeGW have a corresponding processing module responsible for IPSec encryption and IPSec decryption.
Therefore, for the case in which the communication between the CU and the DU passes through the SeGW, refer to FIG. 7b and FIG. 7c, which describe a method embodiment of the present application in scenario 4. The method specifically includes:
701. The CU performs security negotiation with the UE to obtain a negotiation result.
It should be noted that, in this embodiment of the present application, step 701 is similar to step 401 in the embodiment shown in FIG. 4a, and details are not described herein again.
After the CU obtains the negotiation result, if the negotiation result indicates that the air interface between the CU and the UE is encrypted using the PDCP protocol, steps 702 to 713 in FIG. 4a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, steps 714 to 725 in FIG. 4b are performed. The details are as follows:
702. The CU sends first indication information to the DU.
It should be noted that, in this embodiment of the present application, the first indication information sent by the CU to the DU in step 702 is similar to the first indication information sent by the CU to the DU in step 402 of the embodiment shown in FIG. 4a, and details are not described herein again.
In this embodiment, the CU sends the first indication information to the DU relayed via the SeGW.
703. The DU sends first response information to the CU.
It should be noted that, in this embodiment of the present application, the first response information sent by the CU to the DU in step 703 is similar to the first response information sent by the CU to the DU in step 403 of the embodiment shown in FIG. 4a, and details are not described herein again.
In this embodiment, the DU sends the first response information to the CU relayed via the SeGW.
704. The UE sends a first uplink user plane data packet to the DU.
705. The DU determines not to encrypt the first uplink user plane data packet using the IPSec protocol.
In this embodiment of the present application, steps 704 to 705 are similar to steps 404 to 405 in the embodiment shown in FIG. 4a, and details are not described herein again.
706. The DU sends the first uplink user plane data packet to the SeGW.
After determining, based on the first non-encrypted address, not to encrypt the first uplink user plane data packet using the IPSec protocol, the DU sends the first uplink user plane data packet directly to the SeGW.
707. The SeGW determines not to decrypt the first uplink user plane data packet using the IPSec protocol.
After receiving the first uplink user plane data packet, the SeGW determines, based on the packet format of the first uplink user plane data packet, not to decrypt it using the IPSec protocol.
708a. The SeGW sends the first uplink user plane data packet to the CU.
708b. The CU sends the first uplink user plane data packet to the SGW.
After determining not to decrypt the first uplink user plane data packet using the IPSec protocol, the SeGW sends the first uplink user plane data packet to the CU, so that the CU performs GTP-U tunnel decapsulation on it and obtains the decapsulated first uplink user plane data packet. The CU then performs subsequent operations on the decapsulated first uplink user plane data packet, where the subsequent processing includes: the CU performs air interface decryption of the first uplink user plane data packet using the PDCP protocol, and, before sending the first uplink user plane data packet to the core network, encrypts it again to protect the first uplink user plane data packet in transit between the CU and the core network. The CU then sends the first uplink user plane data packet that has undergone this subsequent processing to the SGW.
709a. The SGW sends a first downlink user plane data packet to the CU.
709b. The CU sends the first downlink user plane data packet to the SeGW.
When the SGW needs to send the first downlink user plane data packet to the UE via the CU, the SeGW and the DU in turn, the CU receives the first downlink user plane data packet from the SGW. Since the negotiation result between the CU and the UE is that the air interface between the CU and the UE must be encrypted using the PDCP protocol, the CU performs PDCP encryption on the first downlink data based on that negotiation result.
In addition, the CU uses the first non-encrypted address as the destination address of the first downlink user plane data packet to complete the GTP-U tunnel encapsulation, and sends the encapsulated first downlink user plane data packet to the SeGW.
710. The SeGW determines not to encrypt the first downlink user plane data packet using the IPSec protocol.
711. The SeGW sends the first downlink user plane data packet to the DU.
After receiving the first downlink user plane data packet, the SeGW obtains the destination address of the first downlink user plane data packet, which is the first non-encrypted address, determines based on the first non-encrypted address not to encrypt the first downlink user plane data packet using the IPSec protocol, and then sends the first downlink user plane data packet directly to the DU.
712. The DU determines not to decrypt the first downlink user plane data packet using the IPSec protocol.
713. The DU sends the first downlink user plane data packet to the UE.
After receiving the first downlink user plane data packet, the DU determines whether to decrypt it using the IPSec protocol and then performs GTP-U tunnel decapsulation. Specifically, the DU determines from the format of the first downlink user plane data packet that it is not to be decrypted using the IPSec protocol, so it performs GTP-U tunnel decapsulation on the first downlink user plane data packet directly and obtains the decapsulated first downlink user plane data packet. The DU then performs subsequent processing on the decapsulated first downlink user plane data packet, where the subsequent processing includes: sending the first downlink user plane data packet to the UE over the air interface, so that the UE decrypts the first downlink user plane data packet using the PDCP protocol to obtain the decrypted first downlink user plane data packet.
It should be noted that, in this application, the transmission of the first uplink user plane data packet from the UE to the SGW is implemented by steps 704 to 708b, and the transmission of the first downlink user plane data packet from the SGW to the UE is implemented by steps 709a to 713. There is no fixed order between these two processes: steps 704 to 708b may be performed first, steps 709a to 713 may be performed first, or both may be performed at the same time, which is not limited herein.
If the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, refer to FIG. 7c; the method specifically includes:
714. The CU sends second indication information to the DU.
It should be noted that, in this embodiment of the present application, the second indication information sent by the CU to the DU in step 714 is similar to the second indication information sent by the CU to the DU in step 412 of the embodiment shown in FIG. 4a, and details are not described herein again.
In this embodiment, the CU sends the second indication information to the DU relayed via the SeGW.
715. The DU sends second response information to the CU.
It should be noted that, in this embodiment of the present application, the second response information sent by the CU to the DU in step 715 is similar to the second response information sent by the CU to the DU in step 413 of the embodiment shown in FIG. 4a, and details are not described herein again.
In this embodiment, the DU sends the second response information to the CU relayed via the SeGW.
716. The UE sends a second uplink user plane data packet to the DU.
717. The DU determines to encrypt the second uplink user plane data packet using the IPSec protocol.
In this embodiment of the present application, steps 716 to 717 are similar to steps 414 to 415 in the embodiment shown in FIG. 4b, and details are not described herein again.
718. The DU sends the second uplink user plane data packet to the SeGW.
After determining, based on the first encrypted address, to encrypt the second uplink user plane data packet using the IPSec protocol, the DU performs IPSec encryption on the second uplink user plane data packet to obtain the IPSec-encrypted second uplink user plane data packet, and then sends the encrypted second uplink user plane data packet to the SeGW.
719. The SeGW determines to decrypt the second uplink user plane data packet using the IPSec protocol.
After receiving the second uplink user plane data packet, the SeGW obtains the source address of the second uplink user plane data packet, which is the first encrypted address, and determines that the second uplink user plane data packet must be decrypted using the IPSec protocol.
720a. The SeGW sends the second uplink user plane data packet to the CU.
720b. The CU sends the second uplink user plane data packet to the SGW.
After determining to decrypt the second uplink user plane data packet using the IPSec protocol, the SeGW decrypts it using the IPSec protocol to obtain the decrypted second uplink user plane data packet, and then sends the decrypted second uplink user plane data packet to the CU, so that the CU performs GTP-U tunnel decapsulation on it and obtains the decapsulated second uplink user plane data packet. The CU then performs subsequent processing on the decapsulated second uplink user plane data packet, where the subsequent processing may include: before sending the decapsulated second uplink user plane data packet to the core network, encrypting it again to protect the second uplink user plane data packet in transit between the CU and the core network.
721a. The SGW sends a second downlink user plane data packet to the CU.
721b. The CU sends the second downlink user plane data packet to the SeGW.
When the SGW needs to send the second downlink user plane data packet to the UE via the CU, the SeGW and the DU in turn, the CU receives the second downlink user plane data packet from the core network. Based on the negotiation result, the CU determines not to encrypt the second downlink user plane data packet using the PDCP protocol.
In addition, the CU uses the first encrypted address as the destination address of the second downlink user plane data packet to complete the GTP-U tunnel encapsulation, and sends the encapsulated second downlink user plane data packet to the SeGW.
722. The SeGW determines to encrypt the second downlink user plane data packet using the IPSec protocol.
After receiving the second downlink user plane data packet sent by the CU, the SeGW obtains the destination address of the second downlink user plane data packet, which is the first encrypted address, and determines based on the first encrypted address that the second downlink user plane data packet must be encrypted using the IPSec protocol.
723. The SeGW sends the second downlink user plane data packet to the DU.
After determining to encrypt the second downlink user plane data packet using the IPSec protocol, the SeGW performs IPSec encryption on the second downlink user plane data packet to obtain the encrypted second downlink user plane data packet, and then sends the encrypted second downlink user plane data packet to the DU.
724. The DU determines to decrypt the second downlink user plane data packet using the IPSec protocol.
725. The DU sends the second downlink user plane data packet to the UE.
After receiving the second downlink user plane data packet that has been encrypted using the IPSec protocol, the DU decrypts it using the IPSec protocol and then performs GTP-U tunnel decapsulation to obtain the decapsulated second downlink user plane data packet. The DU then performs subsequent processing on the decapsulated second downlink user plane data packet, where the subsequent processing includes: sending the second downlink user plane data packet to the UE over the air interface, and the UE does not need to decrypt the second downlink user plane data packet using the PDCP protocol.
It should be noted that, in the embodiment shown in FIG. 7c, the transmission of the second uplink data from the UE to the SGW is implemented by steps 716 to 720b, and the transmission of the second downlink data from the SGW to the UE is implemented by steps 721a to 725. There is no fixed order between these two processes: steps 716 to 720b may be performed first, steps 721a to 725 may be performed first, or both may be performed at the same time, which is not limited herein.
本申请实施例中,对于CU与DU之间部署SeGW的场景,可灵活的根据UE空口是否进行了PDCP加密来决定用户面数据流在DU-SeGW中传输是否使用IPSec加/解密,减少了CPU资源的消耗,降低了成本。In the embodiment of the present application, for the scenario in which the SeGW is deployed between the CU and the DU, the PDCP encryption may be flexibly determined according to whether the UE air interface performs the IPSec encryption/decryption in the DU-SeGW, thereby reducing the CPU. The consumption of resources reduces costs.
Referring to FIG. 8a and FIG. 8b, a method embodiment of the present application in scenario 5 specifically includes:
801. The CU performs security negotiation with the UE to obtain a negotiation result.
After the CU obtains the negotiation result, if the negotiation result indicates that the air interface between the CU and the UE is encrypted using the PDCP protocol, steps 802-813 in FIG. 8a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, steps 814-825 in FIG. 8b are performed. The details are as follows:
802. The CU sends first indication information to the DU.
803. The DU sends first response information to the CU.
804. The UE sends the first uplink user plane data packet to the DU.
In this embodiment of the present application, steps 801 to 804 are similar to steps 701 to 704 shown in FIG. 7b, and details are not repeated here.
805. The DU determines not to encrypt the first uplink user plane data packet using the IPSec protocol.
In this embodiment of the present application, step 805 is similar to step 505 shown in FIG. 5a, and details are not repeated here.
806. The DU sends the first uplink user plane data packet to the SeGW.
In this embodiment of the present application, step 806 is similar to step 706 shown in FIG. 7b, and details are not repeated here.
807. The SeGW determines not to decrypt the first uplink user plane data packet using the IPSec protocol.
After receiving the first uplink user plane data packet, which has not been encrypted using the IPSec protocol, the SeGW may determine from the format of the first uplink user plane data packet that it is not to be decrypted using the IPSec protocol.
808a. The SeGW sends the first uplink user plane data packet to the CU.
808b. The CU sends the first uplink user plane data packet to the SGW.
809a. The SGW sends the first downlink user plane data packet to the CU.
809b. The CU sends the first downlink user plane data packet to the SeGW.
810. The SeGW determines not to encrypt the first downlink user plane data packet using the IPSec protocol.
811. The SeGW sends the first downlink user plane data packet to the DU.
812. The DU determines not to decrypt the first downlink user plane data packet using the IPSec protocol.
813. The DU sends the first downlink user plane data packet to the UE.
In this embodiment of the present application, steps 808a to 813 are similar to steps 708a to 713 shown in FIG. 7b, and are not limited here.
If the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, refer to FIG. 8b, which specifically includes:
814. The CU sends second indication information to the DU.
815. The DU sends second response information to the CU.
816. The UE sends the second uplink user plane data packet to the DU.
In this embodiment of the present application, steps 814 to 816 are similar to steps 714 to 716 shown in FIG. 7c, and are not limited here.
817. The DU determines to encrypt the second uplink user plane data packet using the IPSec protocol.
In this embodiment of the present application, step 817 is similar to step 515 shown in FIG. 5b, and details are not repeated here.
818. The DU sends the second uplink user plane data packet to the SeGW.
In this embodiment of the present application, step 818 is similar to step 718 shown in FIG. 7c, and is not limited here.
819. The SeGW determines to decrypt the second uplink user plane data packet using the IPSec protocol.
After receiving the second uplink user plane data packet, the SeGW obtains that the destination address of the second uplink user plane data packet is the second encrypted address, and may determine from the format of the second uplink user plane data packet that it is to be decrypted using the IPSec protocol.
820a. The SeGW sends the second uplink user plane data packet to the CU.
820b. The CU sends the second uplink user plane data packet to the SGW.
821a. The SGW sends the second downlink user plane data packet to the CU.
821b. The CU sends the second downlink user plane data packet to the SeGW.
822. The SeGW determines to encrypt the second downlink user plane data packet using the IPSec protocol.
823. The SeGW sends the second downlink user plane data packet to the DU.
824. The DU determines to decrypt the second downlink user plane data packet using the IPSec protocol.
825. The DU sends the second downlink user plane data packet to the UE.
In this embodiment of the present application, steps 820a to 825 are similar to steps 720a to 725 shown in FIG. 7c, and are not limited here.
In this embodiment of the present application, for the scenario in which a SeGW is deployed between the CU and the DU, a second encrypted address and a second non-encrypted address may also be configured on the second interface on the CU side to distinguish user plane data flows that require IPSec encryption from those that do not, which adds to the ways in which the embodiments of the present application can be implemented.
Referring to FIG. 9a and FIG. 9b, a method embodiment of the present application in scenario 6 specifically includes:
901. The CU performs security negotiation with the UE to obtain a negotiation result.
After the CU obtains the negotiation result, if the negotiation result indicates that the air interface between the CU and the UE is encrypted using the PDCP protocol, steps 902-913 in FIG. 9a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, steps 914-925 in FIG. 9b are performed. The details are as follows:
902. The CU sends first indication information to the DU.
903. The DU sends first response information to the CU.
904. The UE sends the first uplink user plane data packet to the DU.
905. The DU determines not to encrypt the first uplink user plane data packet using the IPSec protocol.
In this embodiment of the present application, steps 901 to 905 are similar to steps 601 to 605 shown in FIG. 6a, and details are not repeated here.
906. The DU sends the first uplink user plane data packet to the SeGW.
907. The SeGW determines not to decrypt the first uplink user plane data packet using the IPSec protocol.
908a. The SeGW sends the first uplink user plane data packet to the CU.
908b. The CU sends the first uplink user plane data packet to the SGW.
In this embodiment of the present application, steps 906 to 908b are similar to steps 806 to 808b shown in FIG. 8a, and details are not repeated here.
909a. The SGW sends the first downlink user plane data packet to the CU.
909b. The CU sends the first downlink user plane data packet to the SeGW.
When the SGW needs to send the first downlink user plane data packet to the UE through the CU and the DU, the CU receives the first downlink user plane data packet from the core network, and if the negotiation result between the CU and the UE is that the air interface between the CU and the UE is to be encrypted using the PDCP protocol, the CU also performs PDCP encryption on the first downlink data.
In addition, the CU uses the second non-encrypted address as the source address of the first downlink user plane data packet to complete the GTP-U tunnel encapsulation, and sends the encapsulated first downlink user plane data packet directly to the SeGW.
910. The SeGW determines not to encrypt the first downlink user plane data packet using the IPSec protocol.
In this embodiment of the present application, the manner in which the SeGW determines in step 910 not to encrypt the first downlink user plane data packet using the IPSec protocol is similar to the manner in which the CU determines in step 608 shown in FIG. 6a not to encrypt the first downlink user plane data packet using the IPSec protocol, and details are not repeated here.
911. The SeGW sends the first downlink user plane data packet to the DU.
After determining not to encrypt the first downlink user plane data packet using the IPSec protocol, the SeGW sends the first downlink user plane data packet directly to the DU.
912. The DU determines not to decrypt the first downlink user plane data packet using the IPSec protocol.
913. The DU sends the first downlink user plane data packet to the UE.
In this embodiment of the present application, steps 912 to 913 are similar to steps 610 to 611 shown in FIG. 6a, and details are not repeated here.
If the negotiation result indicates that the air interface between the CU and the UE is not encrypted using the PDCP protocol, refer to FIG. 9b, which specifically includes:
914. The CU sends second indication information to the DU.
915. The DU sends second response information to the CU.
916. The UE sends the second uplink user plane data packet to the DU.
917. The DU determines to encrypt the second uplink user plane data packet using the IPSec protocol.
In this embodiment of the present application, steps 914 to 917 are similar to steps 612 to 615 shown in FIG. 6b, and details are not repeated here.
918. The DU sends the second uplink user plane data packet to the SeGW.
919. The SeGW determines to decrypt the second uplink user plane data packet using the IPSec protocol.
920a. The SeGW sends the second uplink user plane data packet to the CU.
920b. The CU sends the second uplink user plane data packet to the SGW.
In this embodiment of the present application, steps 918 to 920b are similar to steps 818 to 820b shown in FIG. 8b, and details are not repeated here.
921a. The SGW sends the second downlink user plane data packet to the CU.
921b. The CU sends the second downlink user plane data packet to the SeGW.
In this embodiment of the present application, step 921a is similar to step 821a shown in FIG. 8b, and details are not repeated here.
The manner in which the CU sends the second downlink user plane data packet to the SeGW in step 921b is similar to the manner in which the CU sends the second downlink user plane data packet to the DU in step 619 shown in FIG. 6b, and details are not repeated here.
922. The SeGW determines to encrypt the second downlink user plane data packet using the IPSec protocol.
In this embodiment of the present application, the manner in which the SeGW determines in step 922 to encrypt the second downlink user plane data packet using the IPSec protocol is similar to the manner in which the CU determines in step 618 shown in FIG. 6b to encrypt the second downlink user plane data packet using the IPSec protocol, and details are not repeated here.
923. The SeGW sends the second downlink user plane data packet to the DU.
After determining to encrypt the second downlink user plane data packet using the IPSec protocol, the SeGW sends the encrypted second downlink user plane data packet to the DU.
924. The DU determines to decrypt the second downlink user plane data packet using the IPSec protocol.
925. The DU sends the second downlink user plane data packet to the UE.
In this embodiment of the present application, steps 924 to 925 are similar to steps 824 to 825 shown in FIG. 8b, and are not limited here.
In this embodiment of the present application, for the scenario in which a SeGW is deployed between the CU and the DU, the second encrypted address and the second non-encrypted address may also be configured only on the second interface on the CU side to distinguish user plane data flows that require IPSec encryption from those that do not, which adds to the ways in which the embodiments of the present application can be implemented.
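The address-keyed decision described for scenarios 4, 5 and 6 above (steps 721a to 725, 801 to 825 and 901 to 925), as an added, runnable model that is not part of the patent or of any vendor's implementation. The addresses, the TEID and the user data are constructed for the example; the GTP-U header layout is the standard GTPv1-U G-PDU header. The selector generalises the three address plans into one rule (a packet goes inside IPSec when either its source or its destination is one of the configured encrypted addresses), which covers the DU-side-keyed plan of scenario 4, the mixed plan of scenario 5 and the CU-side-keyed plan of scenario 6. The inbound policy-mismatch drop goes beyond the patent, which only says the SeGW decides to decrypt from the packet format; dropping cleartext that arrives for an encrypted-address selector is the standard IPSec inbound policy check and is what stops an on-path host from injecting unprotected GTP-U into the DU-SeGW segment.

```python
"""Added model (not the patent's code) of the address-keyed IPSec decision on the
CU-SeGW-DU user plane: the address written on the GTP-U tunnel decides whether
the DU-SeGW segment carries the packet inside IPSec."""
import struct
from dataclasses import dataclass

# Constructed address plan; the patent assigns no concrete values.
DU_ENC, DU_CLEAR = "10.0.1.1", "10.0.1.2"     # first encrypted / first non-encrypted address (DU, first interface)
CU_ENC, CU_CLEAR = "10.0.2.1", "10.0.2.2"     # second encrypted / second non-encrypted address (CU, second interface)
DU_PLAIN, CU_PLAIN = "10.0.1.9", "10.0.2.9"   # assumed ordinary F1-U address of a side that has no such pair
ENCRYPTED_ADDRS = frozenset({DU_ENC, CU_ENC})

GTPU_FLAGS, GTPU_GPDU = 0x30, 0xFF            # GTPv1-U: version 1, PT=1, no optional fields; G-PDU type


@dataclass
class Packet:
    src: str
    dst: str
    pdu: bytes              # GTP-U PDU (header + T-PDU)
    pdcp_ciphered: bool     # T-PDU already ciphered by PDCP (air-interface security)
    esp: bool = False       # packet currently inside an IPSec ESP tunnel on the DU-SeGW segment


def gtpu_encap(teid: int, tpdu: bytes) -> bytes:
    """Minimal GTPv1-U G-PDU header (flags, type, length, TEID) in front of the T-PDU."""
    return struct.pack("!BBHI", GTPU_FLAGS, GTPU_GPDU, len(tpdu), teid) + tpdu


def gtpu_decap(pdu: bytes) -> tuple:
    """Inverse of gtpu_encap with basic header validation."""
    flags, mtype, length, teid = struct.unpack("!BBHI", pdu[:8])
    if flags >> 5 != 1 or mtype != GTPU_GPDU or length != len(pdu) - 8:
        raise ValueError("malformed GTP-U PDU")
    return teid, pdu[8:]


def cu_indication(pdcp_ciphered: bool) -> str:
    """First/second indication from the CU: the bearer needs IPSec exactly when PDCP does not cipher."""
    return "no-ipsec" if pdcp_ciphered else "ipsec"


def du_response(indication: str) -> str:
    """First/second response from the DU: the bearer address on the DU end."""
    return DU_CLEAR if indication == "no-ipsec" else DU_ENC


def tunnel_addresses(scenario: int, uplink: bool, pdcp_ciphered: bool) -> tuple:
    """(src, dst) the sender writes on the GTP-U packet in scenario 4, 5 or 6."""
    du_addr = du_response(cu_indication(pdcp_ciphered))
    cu_addr = CU_CLEAR if pdcp_ciphered else CU_ENC
    if scenario == 4:      # DU-side pair only: DU source on uplink, DU destination on downlink
        return (du_addr, CU_PLAIN) if uplink else (CU_PLAIN, du_addr)
    if scenario == 5:      # uplink keyed on the CU-side destination, downlink on the DU-side destination
        return (DU_PLAIN, cu_addr) if uplink else (CU_PLAIN, du_addr)
    if scenario == 6:      # CU-side pair only: CU destination on uplink, CU source on downlink
        return (DU_PLAIN, cu_addr) if uplink else (cu_addr, DU_PLAIN)
    raise ValueError(f"unknown scenario {scenario}")


def selector_requires_ipsec(pkt: Packet) -> bool:
    """SPD-style selector shared by DU and SeGW: either address in the encrypted set selects IPSec."""
    return pkt.src in ENCRYPTED_ADDRS or pkt.dst in ENCRYPTED_ADDRS


def outbound(pkt: Packet) -> Packet:
    """DU (uplink) or SeGW (downlink) placing the packet on the DU-SeGW segment."""
    pkt.esp = selector_requires_ipsec(pkt)
    return pkt


def inbound(pkt: Packet) -> Packet:
    """SeGW (uplink) or DU (downlink) taking the packet off the DU-SeGW segment.
    The patent decides by packet format; the mismatch drop (cleartext arriving
    for an encrypted-address selector) is standard IPSec inbound policy, added here."""
    if selector_requires_ipsec(pkt) != pkt.esp:
        raise PermissionError(f"policy mismatch for {pkt.src}->{pkt.dst}: esp={pkt.esp}")
    pkt.esp = False
    return pkt


def exposed_on_segment(pkt: Packet) -> bool:
    """True if user data crosses the DU-SeGW link with neither PDCP nor IPSec protecting it."""
    return not (pkt.pdcp_ciphered or pkt.esp)


def run(scenario: int, uplink: bool, pdcp_ciphered: bool,
        teid: int = 0x1234, tpdu: bytes = b"user data") -> dict:
    """One packet end to end across the DU-SeGW segment; returns what each side decided."""
    src, dst = tunnel_addresses(scenario, uplink, pdcp_ciphered)
    pkt = outbound(Packet(src, dst, gtpu_encap(teid, tpdu), pdcp_ciphered))
    exposed = exposed_on_segment(pkt)
    got_teid, got_tpdu = gtpu_decap(inbound(pkt).pdu)
    return {"src": src, "dst": dst, "ipsec": selector_requires_ipsec(pkt),
            "exposed": exposed, "teid": got_teid, "tpdu": got_tpdu}


if __name__ == "__main__":
    for scen in (4, 5, 6):
        for up in (True, False):
            for pdcp in (True, False):
                print(scen, "UL" if up else "DL", "PDCP" if pdcp else "noPDCP", run(scen, up, pdcp))
```

`exposed_on_segment` is the property the whole scheme rests on: every packet on the DU-SeGW link must be covered by PDCP ciphering or by IPSec. It holds for all twelve scenario/direction/negotiation combinations only because `cu_indication`, `du_response` and the sender's choice of tunnel address agree with the selector configured at the SeGW; if the DU answers with the non-encrypted address while the air interface is not ciphered (for instance after a stale configuration), `outbound` produces cleartext and `exposed_on_segment` returns True, which is the check a deployment of this scheme should alarm on.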
The information transmission method in the embodiments of the present application has been described above; the central unit in the embodiments of the present application is described below. Referring to FIG. 10, in an embodiment of the central unit of the present application, the central unit can perform the operations of the CU in the foregoing method embodiments, and the CU includes:
a first transceiver unit 1001, configured to perform security negotiation with the user equipment UE to obtain a negotiation result, where the negotiation result indicates whether the air interface between the CU and the UE is encrypted using the Packet Data Convergence Protocol (PDCP);
a second transceiver unit 1002, configured to send a first message to the distributed unit DU;
when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message indicates that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security (IPSec) protocol.
Optionally, in some possible implementations, the DU has a first interface, which is the interface through which the DU performs user plane communication with the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, where the first encrypted address indicates that user plane data packets are encrypted/decrypted using the IPSec protocol and the first non-encrypted address indicates that user plane data packets are not encrypted/decrypted using the IPSec protocol;
the second transceiver unit 1002 is further configured to:
receive a first response message sent by the DU, where the first response message indicates that the address of the user plane bearer on the DU end is the first non-encrypted address.
Optionally, in some possible implementations, the CU further includes:
a processing unit 1003, configured to encrypt a downlink user plane data packet using the PDCP protocol, and to set the destination address of the downlink user plane data packet to the first non-encrypted address;
a determining unit 1004, configured to determine, according to the first non-encrypted address, that the downlink user plane data packet is not to be encrypted using the IPSec protocol;
the second transceiver unit 1002 is further configured to send the downlink user plane data packet to the DU.
Optionally, in some possible implementations, when the negotiation result indicates that the air interface is not encrypted using the PDCP protocol, the first message indicates that the user plane bearer is encrypted using the IPSec protocol, and the first response message indicates that the address of the user plane bearer on the DU end is the first encrypted address.
Optionally, in some possible implementations, when the negotiation result indicates that the air interface is encrypted using the PDCP protocol and the communication between the CU and the DU passes through a security gateway SeGW, the CU further includes:
the processing unit 1003, further configured to encrypt a downlink user plane data packet using the PDCP protocol, and to set the destination address of the downlink user plane data packet to the first non-encrypted address;
a third transceiver unit 1005, configured to send the downlink user plane data packet to the SeGW.
Optionally, in some possible implementations, the CU has a second interface, which is the interface through which the CU performs user plane communication with the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, where the second encrypted address indicates that user plane data packets are encrypted/decrypted using the IPSec protocol and the second non-encrypted address indicates that user plane data packets are not encrypted/decrypted using the IPSec protocol.
Referring to FIG. 11, in an embodiment of the distributed unit of the present application, the distributed unit can perform the operations of the DU in the foregoing method embodiments, and the DU includes:
a first transceiver unit 1101, configured to receive, when the air interface between the central unit CU and the user equipment UE is encrypted using the Packet Data Convergence Protocol (PDCP), a first message sent by the CU, where the first message indicates that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Security (IPSec) protocol.
Optionally, in some possible implementations, the DU has a first interface, which is the interface through which the DU performs user plane communication with the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, where the first encrypted address indicates that user plane data packets are encrypted/decrypted using the IPSec protocol and the first non-encrypted address indicates that user plane data packets are not encrypted/decrypted using the IPSec protocol;
when the air interface is encrypted using the PDCP protocol, the first transceiver unit 1101 is further configured to:
send a first response message to the CU, where the first response message indicates that the address of the user plane bearer on the DU end is the first non-encrypted address.
Optionally, in some possible implementations, when the air interface is encrypted using the PDCP protocol, the DU further includes:
a second transceiver unit 1103, further configured to receive an uplink user plane data packet sent by the UE;
a processing unit 1104, configured to set the source address of the uplink user plane data packet to the first non-encrypted address;
a determining unit 1102, configured to determine, according to the first non-encrypted address, that the uplink user plane data packet is not to be encrypted using the IPSec protocol;
the first transceiver unit 1101 is further configured to send the uplink user plane data packet to the CU.
Optionally, in some possible implementations, when the air interface is encrypted using the PDCP protocol and the communication between the DU and the CU passes through a SeGW, the DU further includes:
the second transceiver unit 1103, further configured to receive an uplink user plane data packet sent by the UE;
the processing unit 1104, further configured to set the source address of the uplink user plane data packet to the first non-encrypted address;
the determining unit 1102, further configured to determine, according to the first non-encrypted address, that the uplink user plane data packet is not to be encrypted using the IPSec protocol;
a third transceiver unit 1105, configured to send the uplink user plane data packet to the SeGW.
Optionally, in some possible implementations, the CU has a second interface, which is the interface through which the CU performs user plane communication with the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, where the second encrypted address indicates that user plane data packets are encrypted/decrypted using the IPSec protocol and the second non-encrypted address indicates that user plane data packets are not encrypted/decrypted using the IPSec protocol;
when the air interface is encrypted using the PDCP protocol, the DU further includes:
the second transceiver unit 1103, further configured to receive an uplink user plane data packet sent by the UE;
the processing unit 1104, further configured to set the destination address of the uplink user plane data packet to the second non-encrypted address;
the determining unit 1102, further configured to determine, according to the second non-encrypted address, that the uplink user plane data packet is not to be encrypted using the IPSec protocol;
the first transceiver unit 1101, further configured to send the uplink user plane data packet to the CU.
上面图10至图11从模块化功能实体的角度分别对本申请实施例中的CU和DU进行详细描述,下面从硬件处理的角度对本申请实施例中的CU和DU进行详细描述。The CU and the DU in the embodiment of the present application are described in detail from the perspective of the modular functional entity, and the CU and the DU in the embodiment of the present application are described in detail below.
请参阅图12。在采用集成的单元的情况下,图12示出了一种通信装置可能的结构示意图。该通信装置1200包括:处理单元1202和通信单元1203。处理单元1202用于对该通信装置的动作进行控制管理。该通信装置1200还可以包括存储单元1201,用于存储该通信装置所需的程序代码和数据。Please refer to Figure 12. In the case of an integrated unit, Figure 12 shows a possible schematic diagram of a communication device. The communication device 1200 includes a processing unit 1202 and a communication unit 1203. The processing unit 1202 is configured to control and manage the operation of the communication device. The communication device 1200 can also include a storage unit 1201 for storing program codes and data required by the communication device.
在一个实施例中,该通信装置可以是上述CU。例如,处理单元1202用于支持CU执行图4a中的步骤401、步骤407a和408b,图4b中的步骤401、步骤417a和步骤418b,图5a中的步骤501、步骤507a和508b,图5b中的步骤501、步骤517a和步骤518b,图6a中的步骤步骤601、607a和608b,图6b中的步骤601、步骤617a和步骤618b,和/或用于本文所描述的技术的其它过程。通信单元1203用于支持CU与其他设备的通信,例如,通信单元1203用于支持CU执行图4a中的步骤402至403、步骤406、步骤407b、步骤408a和步骤409,图4b中的步骤412至413、步骤416、步骤417b、步骤418a和步骤419,图5a中的步骤502至503、步骤506、步骤507b、步骤508a和步骤509,图5b中的步骤512至513、步骤516、步骤517b、步骤518a和步骤519,图6a中的步骤602至603、步骤606、步骤607b、步骤608a和步骤609,图6b中的步骤612至613、步骤616、步骤617b、步骤618a和步骤619,图7b中的步骤702至703、步骤708a至709b,图7c中的步骤720a至721b,图8a中的步骤802至803、步骤808a至809b,图8b中的步骤820a至821b,图9a中的步骤902至903、步骤908a至909b,图9b中的步骤920a至921b,和/或用于本文所描述的技术的其它过程。In one embodiment, the communication device can be the CU described above. For example, the processing unit 1202 is configured to support the CU to perform step 401, steps 407a and 408b in FIG. 4a, step 401, step 417a and step 418b in FIG. 4b, step 501, steps 507a and 508b in FIG. 5a, in FIG. 5b Step 501, step 517a and step 518b, steps 601, 607a and 608b in Fig. 6a, step 601, step 617a and step 618b in Fig. 6b, and/or other processes for the techniques described herein. The communication unit 1203 is configured to support communication between the CU and other devices. For example, the communication unit 1203 is configured to support the CU to perform steps 402 to 403, step 406, step 407b, step 408a, and step 409 in FIG. 4a, step 412 in FIG. 4b. 413, 416, 417b, 418a and 419, steps 502 to 503, 506, 507b, 508a and 509 in FIG. 5a, steps 512 to 513, 516, 517b in FIG. 5b Step 518a and step 519, steps 602 to 603, step 606, step 607b, step 608a and step 609 in Fig. 6a, steps 612 to 613, step 616, step 617b, step 618a and step 619 in Fig. 6b, Steps 702 to 703, 7a to 709b in 7b, steps 720a to 721b in Fig. 7c, steps 802 to 803 in Fig. 8a, steps 808a to 809b, steps 820a to 821b in Fig. 8b, steps in Fig. 9a 902 to 903, steps 908a through 909b, steps 920a through 921b in Figure 9b, and/or other processes for the techniques described herein.
In another embodiment, the communication apparatus may be the DU described above. For example, the processing unit 1202 is configured to support the DU in performing step 405 and step 410 in FIG. 4a, step 415 and step 420 in FIG. 4b, step 505 and step 510 in FIG. 5a, step 515 and step 520 in FIG. 5b, step 605 and step 610 in FIG. 6a, step 615 and step 620 in FIG. 6b, step 705 and step 712 in FIG. 7b, step 717 and step 724 in FIG. 7c, step 805 and step 812 in FIG. 8a, step 817 and step 824 in FIG. 8b, step 905 and step 912 in FIG. 9a, step 917 and step 924 in FIG. 9b, and/or other processes of the techniques described herein. The communication unit 1203 is configured to support communication between the DU and other devices; for example, the communication unit 1203 is configured to support the DU in performing steps 402 to 404, step 406, step 409 and step 411 in FIG. 4a, steps 412 to 414, step 416, step 419 and step 421 in FIG. 4b, steps 502 to 504, step 506, step 509 and step 511 in FIG. 5a, steps 512 to 514, step 516, step 519 and step 521 in FIG. 5b, steps 602 to 604, step 606, step 609 and step 611 in FIG. 6a, steps 612 to 614, step 616, step 619 and step 621 in FIG. 6b, steps 702 to 704, step 706, step 711 and step 713 in FIG. 7b, steps 714 to 716, step 718, step 723 and step 725 in FIG. 7c, steps 802 to 804, step 806, step 811 and step 813 in FIG. 8a, steps 814 to 816, step 818, step 823 and step 825 in FIG. 8b, steps 902 to 904, step 906, step 911 and step 913 in FIG. 9a, steps 914 to 916, step 918, step 923 and step 925 in FIG. 9b, and/or other processes of the techniques described herein.
The processing unit 1202 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, transistor logic device, hardware component, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the present application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on. The communication unit 1203 may be a communication interface, a transceiver, a transceiver circuit or the like, where "communication interface" is a collective term that may include one or more interfaces, such as a transceiver interface. The storage unit 701 may be a memory.
When the processing unit 1202 is a processor, the communication unit 1203 is a communication interface and the storage unit 1201 is a memory, then, referring to FIG. 13, the communication apparatus 1310 includes a processor 1312, a communication interface 1313 and a memory 1311. Optionally, the communication apparatus 1310 may further include a bus 1314. The communication interface 1313, the processor 1312 and the memory 1311 may be connected to one another through the bus 1314; the bus 1314 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus 1314 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in FIG. 13, but this does not mean that there is only one bus or only one type of bus.
Similarly, in one embodiment, the communication apparatus 1310 may be used to carry out the steps of the CU described above. In another embodiment, the communication apparatus 1310 may be used to carry out the steps of the DU described above. Details are not repeated here.
An embodiment of the present application further provides a system. FIG. 14 is a schematic structural diagram of a possible system provided by the present application. The system may include one or more central processing units 1422, a memory 1432, and one or more storage media 1430 (for example one or more mass storage devices) that store application programs 1442 or data 1444. The memory 1432 and the storage medium 1430 may be transient storage or persistent storage. The program stored in the storage medium 1430 may include one or more modules (not shown in the figure), and each module may include a series of instruction operations on the system. Further, the central processing unit 1422 may be configured to communicate with the storage medium 1430 and to execute, on the system 1400, the series of instruction operations stored in the storage medium 1430. The system 1400 may further include one or more power supplies 1426, one or more wired or wireless network interfaces 1450, one or more input/output interfaces 1458, and/or one or more operating systems 1441, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD and so on.
The embodiments of the information transmission method described above with reference to FIG. 4a to FIG. 9b may be implemented based on the system structure shown in FIG. 14.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), a semiconductor medium (for example a solid state disk (SSD)), or the like.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided by the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are merely intended to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (25)

  1. An information transmission method, characterized in that it comprises:
    a central unit CU performing security negotiation with a user equipment UE to obtain a negotiation result, the negotiation result being used to indicate whether the air interface between the CU and the UE is encrypted using the packet data convergence layer PDCP protocol;
    the CU sending a first message to a distributed unit DU;
    when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message being used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet protocol security IPSec protocol.
  2. The method according to claim 1, characterized in that the DU has a first interface, the first interface being an interface through which the DU performs user plane communication with the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, the first encrypted address being used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first non-encrypted address being used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol;
    after the CU sends the first message to the DU, the method further comprises:
    the CU receiving a first response message sent by the DU, the first response message being used to indicate that the address of the user plane bearer at the DU end is the first non-encrypted address.
  3. The method according to claim 2, characterized in that, after the CU receives the first response message sent by the DU, the method further comprises:
    the CU encrypting a downlink user plane data packet using the PDCP protocol;
    the CU setting the destination address of the downlink user plane data packet to the first non-encrypted address;
    the CU determining, according to the first non-encrypted address, not to encrypt the downlink user plane data packet using the IPSec protocol;
    the CU sending the downlink user plane data packet to the DU.
  4. The method according to claim 2, characterized in that, when the negotiation result indicates that the air interface is not encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer is encrypted using the IPSec protocol, and the first response message is used to indicate that the address of the user plane bearer at the DU end is the first encrypted address.
  5. The method according to claim 2, characterized in that, when the negotiation result indicates that the air interface is encrypted using the PDCP protocol and the communication between the CU and the DU passes through a security gateway SeGW, the method further comprises:
    the CU encrypting a downlink user plane data packet using the PDCP protocol;
    the CU setting the destination address of the downlink user plane data packet to the first non-encrypted address;
    the CU sending the downlink user plane data packet to the SeGW.
  6. The method according to any one of claims 1 to 5, characterized in that the CU has a second interface, the second interface being an interface through which the CU performs user plane communication with the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, the second encrypted address being used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second non-encrypted address being used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol.
  7. An information transmission method, characterized in that it comprises:
    when the air interface between a central unit CU and a user equipment UE is encrypted using the packet data convergence layer PDCP protocol, a distributed unit DU receiving a first message sent by the CU, the first message being used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet protocol security IPSec protocol.
  8. The method according to claim 7, characterized in that the DU has a first interface, the first interface being an interface through which the DU performs user plane communication with the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, the first encrypted address being used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first non-encrypted address being used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol;
    when the air interface is encrypted using the PDCP protocol, the method further comprises:
    the DU sending a first response message to the CU, the first response message being used to indicate that the address of the user plane bearer at the DU end is the first non-encrypted address.
  9. The method according to claim 8, characterized in that, when the air interface is encrypted using the PDCP protocol, the method further comprises:
    the DU receiving an uplink user plane data packet sent by the UE;
    the DU setting the source address of the uplink user plane data packet to the first non-encrypted address;
    the DU determining, according to the first non-encrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol;
    the DU sending the uplink user plane data packet to the CU.
  10. The method according to claim 8, characterized in that, when the air interface is encrypted using the PDCP protocol and the communication between the DU and the CU passes through an SeGW, the method further comprises:
    the DU receiving an uplink user plane data packet sent by the UE;
    the DU setting the source address of the uplink user plane data packet to the first non-encrypted address;
    the DU determining, according to the first non-encrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol;
    the DU sending the uplink user plane data packet to the SeGW.
  11. The method according to any one of claims 7 to 10, characterized in that the CU has a second interface, the second interface being an interface through which the CU performs user plane communication with the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, the second encrypted address being used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second non-encrypted address being used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol.
  12. The method according to claim 11, characterized in that, when the air interface is encrypted using the PDCP protocol, the method further comprises:
    the DU receiving an uplink user plane data packet sent by the UE;
    the DU setting the destination address of the uplink user plane data packet to the second non-encrypted address;
    the DU determining, according to the second non-encrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol;
    the DU sending the uplink user plane data packet to the CU.
  13. A central unit CU, characterized in that it comprises:
    a first transceiver unit, configured to perform security negotiation with a user equipment UE to obtain a negotiation result, the negotiation result being used to indicate whether the air interface between the CU and the UE is encrypted using the packet data convergence layer PDCP protocol;
    a second transceiver unit, configured to send a first message to a distributed unit DU;
    when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message being used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet protocol security IPSec protocol.
  14. The CU according to claim 13, characterized in that the DU has a first interface, the first interface being an interface through which the DU performs user plane communication with the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, the first encrypted address being used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first non-encrypted address being used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol;
    the second transceiver unit is further configured to:
    receive a first response message sent by the DU, the first response message being used to indicate that the address of the user plane bearer at the DU end is the first non-encrypted address.
  15. The CU according to claim 14, characterized in that the CU further comprises:
    a processing unit, configured to encrypt a downlink user plane data packet using the PDCP protocol and to set the destination address of the downlink user plane data packet to the first non-encrypted address;
    a determining unit, configured to determine, according to the first non-encrypted address, not to encrypt the downlink user plane data packet using the IPSec protocol;
    the second transceiver unit being further configured to send the downlink user plane data packet to the DU.
  16. The CU according to claim 14, characterized in that, when the negotiation result indicates that the air interface is not encrypted using the PDCP protocol, the first message is used to indicate that the user plane bearer is encrypted using the IPSec protocol, and the first response message is used to indicate that the address of the user plane bearer at the DU end is the first encrypted address.
  17. The CU according to claim 14, characterized in that, when the negotiation result indicates that the air interface is encrypted using the PDCP protocol and the communication between the CU and the DU passes through a security gateway SeGW, the CU further comprises:
    the processing unit being further configured to encrypt a downlink user plane data packet using the PDCP protocol and to set the destination address of the downlink user plane data packet to the first non-encrypted address;
    a third transceiver unit, configured to send the downlink user plane data packet to the SeGW.
  18. The CU according to any one of claims 13 to 17, characterized in that the CU has a second interface, the second interface being an interface through which the CU performs user plane communication with the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, the second encrypted address being used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second non-encrypted address being used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol.
  19. A distributed unit DU, characterized in that it comprises:
    a first transceiver unit, configured to receive, when the air interface between a central unit CU and a user equipment UE is encrypted using the packet data convergence layer PDCP protocol, a first message sent by the CU, the first message being used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet protocol security IPSec protocol.
  20. The DU according to claim 19, characterized in that the DU has a first interface, the first interface being an interface through which the DU performs user plane communication with the CU; the first interface is configured with a first encrypted address and a first non-encrypted address, the first encrypted address being used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the first non-encrypted address being used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol;
    when the air interface is encrypted using the PDCP protocol, the first transceiver unit is further configured to:
    send a first response message to the CU, the first response message being used to indicate that the address of the user plane bearer at the DU end is the first non-encrypted address.
  21. The DU according to claim 20, characterized in that, when the air interface is encrypted using the PDCP protocol, the DU further comprises:
    the second transceiver unit, further configured to receive an uplink user plane data packet sent by the UE;
    a processing unit, further configured to set the source address of the uplink user plane data packet to the first non-encrypted address;
    the determining unit, further configured to determine, according to the first non-encrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol;
    the first transceiver unit being further configured to send the uplink user plane data packet to the CU.
  22. The DU according to claim 21, characterized in that, when the air interface is encrypted using the PDCP protocol and the communication between the DU and the CU passes through an SeGW, the DU further comprises:
    the second transceiver unit, further configured to receive an uplink user plane data packet sent by the UE;
    the processing unit, further configured to set the source address of the uplink user plane data packet to the first non-encrypted address;
    the determining unit, further configured to determine, according to the first non-encrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol;
    the third transceiver unit being further configured to send the uplink user plane data packet to the SeGW.
  23. The DU according to any one of claims 19 to 22, characterized in that the CU has a second interface, the second interface being an interface through which the CU performs user plane communication with the DU; the second interface is configured with a second encrypted address and a second non-encrypted address, the second encrypted address being used to indicate that user plane data packets are encrypted/decrypted using the IPSec protocol, and the second non-encrypted address being used to indicate that user plane data packets are not encrypted/decrypted using the IPSec protocol;
    when the air interface is encrypted using the PDCP protocol, the DU further comprises:
    the second transceiver unit, further configured to receive an uplink user plane data packet sent by the UE;
    the processing unit, configured to set the destination address of the uplink user plane data packet to the second non-encrypted address;
    the determining unit, further configured to determine, according to the second non-encrypted address, not to encrypt the uplink user plane data packet using the IPSec protocol;
    the first transceiver unit, further configured to send the uplink user plane data packet to the CU.
  24. A computer-readable storage medium, characterized in that it comprises instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 12.
  25. An information transmission system, characterized in that the information transmission system comprises the central unit CU according to any one of claims 13 to 18 and the distributed unit DU according to any one of claims 19 to 23.
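The following Python model is an added illustration of the CU/DU exchange in claims 1 to 12 and is not code from the patent or from its applicant. It walks through the negotiation result, the first message, the DU's address selection and the per-packet address-based IPSec decision for both the PDCP-ciphered and the non-ciphered case; the address values, message shapes, the shared address-class table and the protection check are assumptions made for the example (the SeGW variants of claims 5 and 10 are not modelled).

```python
"""Model of the CU/DU user-plane address selection from claims 1 to 12.
All addresses, message layouts and helper names are constructed for this
example; they are not taken from the patent."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses. Claim 2: the DU's F1-U interface carries a
# first encrypted and a first non-encrypted address; claim 6: the CU's
# interface carries a second encrypted and a second non-encrypted address.
DU_ENC, DU_PLAIN = "10.0.1.1", "10.0.1.2"
CU_ENC, CU_PLAIN = "10.0.2.1", "10.0.2.2"


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    pdcp_ciphered: bool      # air-interface (PDCP) protection present
    ipsec: bool = False      # IPSec applied on the CU-DU user plane bearer


class AddressPolicy:
    """IPSec is applied exactly when the decisive address is one of the
    encrypted addresses (the address-based decision of claims 3, 9 and 12).
    Assumption: both nodes know the class of every address from configuration."""

    def __init__(self, encrypted_addrs):
        self.encrypted = frozenset(encrypted_addrs)

    def requires_ipsec(self, addr: str) -> bool:
        return addr in self.encrypted


POLICY = AddressPolicy({DU_ENC, CU_ENC})


def is_protected(pkt: Packet) -> bool:
    """A packet must leave with at least one layer: PDCP or IPSec."""
    return pkt.pdcp_ciphered or pkt.ipsec


def check_protected(pkt: Packet) -> Packet:
    """Invariant enforced before sending: never emit an unprotected packet."""
    if not is_protected(pkt):
        raise ValueError(f"unprotected user-plane packet {pkt.src}->{pkt.dst}")
    return pkt


class DU:
    def __init__(self):
        self.bearer_addr: Optional[str] = None
        self.pdcp_ciphered = False

    def on_first_message(self, user_plane_ipsec: bool) -> str:
        """Claims 7/8 and 4: pick the bearer address matching the CU's
        instruction and return it as the first response message."""
        self.pdcp_ciphered = not user_plane_ipsec
        self.bearer_addr = DU_ENC if user_plane_ipsec else DU_PLAIN
        return self.bearer_addr

    def uplink(self, payload: bytes, cu_addr: str) -> Packet:
        """Claim 9: source address = selected bearer address; IPSec decided from it."""
        pkt = Packet(self.bearer_addr, cu_addr, payload, self.pdcp_ciphered)
        pkt.ipsec = POLICY.requires_ipsec(pkt.src)
        return check_protected(pkt)


class CU:
    def __init__(self):
        self.pdcp_ciphered = False
        self.du_addr: Optional[str] = None
        self.local_addr: Optional[str] = None

    def negotiate(self, ue_pdcp_ciphering: bool) -> bool:
        """Claim 1: security negotiation with the UE; the result is the
        PDCP ciphering state of the air interface (modelled as a flag)."""
        self.pdcp_ciphered = ue_pdcp_ciphering
        return self.pdcp_ciphered

    def first_message(self) -> bool:
        """Claims 1 and 4: IPSec on the bearer is required exactly when PDCP is off."""
        return not self.pdcp_ciphered

    def setup_bearer(self, du: DU) -> None:
        ipsec_needed = self.first_message()
        self.du_addr = du.on_first_message(ipsec_needed)
        self.local_addr = CU_ENC if ipsec_needed else CU_PLAIN
        # Check the response: the DU must answer with an address whose class
        # matches what was requested (claims 2 and 4).
        if POLICY.requires_ipsec(self.du_addr) != ipsec_needed:
            raise ValueError("DU answered with an address of the wrong class")

    def downlink(self, payload: bytes) -> Packet:
        """Claim 3: destination = DU's bearer address; IPSec decided from it."""
        pkt = Packet(self.local_addr, self.du_addr, payload, self.pdcp_ciphered)
        pkt.ipsec = POLICY.requires_ipsec(pkt.dst)
        return check_protected(pkt)


def run_bearer(ue_pdcp_ciphering: bool):
    """Whole exchange for one negotiation result; returns (downlink, uplink)."""
    cu, du = CU(), DU()
    cu.negotiate(ue_pdcp_ciphering)
    cu.setup_bearer(du)
    return cu.downlink(b"dl"), du.uplink(b"ul", cu.local_addr)
```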
PCT/CN2019/082017 2018-04-26 2019-04-10 Information transmission method and relevant device WO2019205934A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810391847.5A CN110417708B (en) 2018-04-26 2018-04-26 Information transmission method and related equipment
CN201810391847.5 2018-04-26

Publications (1)

Publication Number Publication Date
WO2019205934A1 true WO2019205934A1 (en) 2019-10-31

Family

ID=68293500

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/082017 WO2019205934A1 (en) 2018-04-26 2019-04-10 Information transmission method and relevant device

Country Status (2)

Country Link
CN (1) CN110417708B (en)
WO (1) WO2019205934A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111757322B (en) * 2020-06-19 2023-11-17 兴唐通信科技有限公司 Cellular mobile communication network protection method and system for base station password service centralization
CN113438178B (en) * 2021-06-22 2023-04-18 北京天融信网络安全技术有限公司 Message forwarding method and device, computer equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107079023A (en) * 2014-10-29 2017-08-18 高通股份有限公司 User plane safety for next generation cellular network
WO2017171925A1 (en) * 2016-03-31 2017-10-05 Intel IP Corporation Maintaining a wifi connection during handover of a user equipment in a lte network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070258591A1 (en) * 2006-05-05 2007-11-08 Interdigital Technology Corporation Ciphering control and synchronization in a wireless communication system
CN102246552B (en) * 2009-09-27 2014-12-03 华为技术有限公司 Method and apparatus for signaling transmission
CN106714153B (en) * 2015-11-13 2022-06-10 华为技术有限公司 Key distribution, generation and reception method and related device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
VODAFONE: "High Layer Functional Spilt with Separated Control and User Planes", 3GPP TSG-RAN WG3 #95BIS, R?????, 7 April 2017 (2017-04-07) *

Also Published As

Publication number Publication date
CN110417708A (en) 2019-11-05
CN110417708B (en) 2021-04-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19791683

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19791683

Country of ref document: EP

Kind code of ref document: A1