WO2019205934A1 - Procédé de transmission d'informations et dispositif associé - Google Patents
Procédé de transmission d'informations et dispositif associé Download PDFInfo
- Publication number
- WO2019205934A1 WO2019205934A1 PCT/CN2019/082017 CN2019082017W WO2019205934A1 WO 2019205934 A1 WO2019205934 A1 WO 2019205934A1 CN 2019082017 W CN2019082017 W CN 2019082017W WO 2019205934 A1 WO2019205934 A1 WO 2019205934A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user plane
- data packet
- encrypted
- plane data
- address
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/162—Implementing security features at a particular protocol layer at the data link layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Definitions
- the present application relates to the field of wireless communications technologies, and in particular, to an information transmission method and related devices.
- the uplink data sent by the user equipment (UE) is transmitted to the core network through the base station (eNodeB, eNB), and the uplink data needs to undergo the following encryption/decryption process, as shown in FIG.
- a base station encryption diagram includes: 1. The UE performs air interface encryption on the uplink data to protect the uplink data in the wireless transmission process; 2. After receiving the uplink data sent by the UE, the eNB decrypts the uplink data, and Before the decrypted uplink data is sent to the core network, encryption is performed again to protect the security of the network transmission process of the uplink data on the backhaul network. Similarly, the downlink data sent from the core network to the UE also needs to undergo two encryption and decryption processes.
- a conventional eNB node can be decomposed into a central unit (CU) and a plurality of distributed units (DUs), and communication between the CU and the DU needs to cross the backhaul network.
- CU central unit
- DU distributed units
- IPSec Internet Protocol Security
- IPSec encryption/decryption requires a large amount of CPU resources to be consumed, resulting in an increase in cost.
- the embodiment of the present application provides an information transmission method and related device, which are used to reduce CPU consumption and reduce cost while ensuring data security.
- a first aspect of the embodiments of the present application provides an information transmission method, including: performing a security negotiation between a central unit CU and a user equipment UE, and obtaining a negotiation result, where the negotiation result is used to indicate between the CU and the UE.
- the air interface is encrypted using a packet data convergence layer PDCP protocol
- the CU transmitting a first message to the distributed unit DU; when the negotiation result indicates that the air interface is encrypted using the PDCP protocol, the first message is used
- the user plane bearer between the CU and the DU is indicated not to be encrypted using the Internet Protocol Secure IPSec protocol.
- the DU is provided with a first interface, where the first interface is a user plane communication between the DU and the CU.
- the first interface is configured with a first encrypted address and a first unencrypted address, where the first encrypted address is used to indicate that the user plane data packet is subjected to encryption/decryption processing using the IPSec protocol;
- the unencrypted address is used to indicate that the IPSec protocol is not used to perform encryption/decryption processing on the user plane data packet; after the CU sends the first message to the DU, the method further includes: the CU receiving the sent by the DU And a first response message, where the first response message is used to indicate that the address carried by the user plane at the DU end is the first unencrypted address.
- the method further includes: using the CU The PDCP protocol encrypts the downlink user plane data packet; the CU sets the destination address of the downlink user plane data packet to the first unencrypted address; and the CU determines according to the first unencrypted address.
- the downlink user plane data packet is not encrypted by using the IPSec protocol; the CU sends the downlink user plane data packet to the DU.
- the negotiation result indicates that the air interface does not use the PDCP protocol to encrypt
- the first message is used. And indicating that the user plane bearer is encrypted by using the IPSec protocol; the first response message is used to indicate that the address that the user plane bears at the DU end is the first encrypted address.
- the method further includes: The CU sets the destination address of the downlink user plane data packet to the first encrypted address, and the CU determines, according to the first encrypted address, the downlink user plane data packet to be encrypted by using the IPSec protocol. Obtaining the encrypted downlink user plane data packet; the CU sends the encrypted downlink user plane data packet to the DU.
- the method further includes: the CU encrypts the downlink user plane data packet by using the PDCP protocol; and the CU sets the destination address of the downlink user plane data packet to The first non-encrypted address; the CU sends the downlink user plane data packet to the SeGW.
- the method further includes: the CU setting a destination address of the downlink user plane data packet as the first encrypted address; and sending, by the CU, the downlink user plane data packet The SeGW.
- the CU has a second interface, where the second interface is a user plane communication between the CU and the DU
- the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol;
- the non-encrypted address is used to indicate that the user plane data message is not subjected to encryption/decryption processing using the IPSec protocol.
- the first message when the negotiation result indicates that the air interface does not use the PDCP protocol to encrypt, the first message carries The second encrypted address.
- the first message when the negotiation result indicates that the air interface is encrypted by using the PDCP protocol, the first message carries Said second non-encrypted address.
- the method further includes: the CU receiving a target user plane data packet; and when the target user plane data packet When the protocol port number used is included in the first interval, the CU determines to use the IPSec protocol to encrypt/decrypt the target user plane data packet; when the protocol port number used by the target user plane data packet includes In the second interval, the CU determines to use the IPSec protocol to encrypt/decrypt the target user plane data packet; or, when the protocol used by the target user plane data packet is the first protocol, The CU determines to use the IPSec protocol to add/decrypt the target user plane data packet; when the protocol used by the target user plane data packet is the second protocol, the CU determines not to use the IPSec The protocol adds/decrypts the target user plane data message.
- a second aspect of the embodiments of the present application provides an information transmission method, including: when an air interface between a central unit CU and a user equipment UE is encrypted by using a packet data convergence layer PDCP protocol, the distributed unit DU receives the CU transmission.
- the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Secure IPSec protocol.
- the DU is provided with a first interface, where the first interface is user plane communication between the DU and the CU.
- the first interface is configured with a first encrypted address and a first unencrypted address, where the first encrypted address is used to indicate that the user plane data packet is subjected to encryption/decryption processing using the IPSec protocol;
- the non-encrypted address is used to indicate that the user plane data packet is not subjected to encryption/decryption processing using the IPSec protocol;
- the method further includes: the DU to the CU Sending a first response message, where the first response message is used to indicate that the address carried by the user plane on the DU end is the first unencrypted address.
- the method when the air interface is encrypted by using the PDCP protocol, the method further includes: the DU receiving the UE And sending, by the DU, the source address of the uplink user plane data packet to the first unencrypted address; the DU determining, according to the first unencrypted address, not using the The IPSec protocol encrypts the uplink user plane data packet, and the DU sends the uplink user plane data packet to the CU.
- the first message is used to indicate the user plane.
- the bearer is encrypted by using the IPSec protocol; the first response message is used to indicate that the address carried by the user plane on the DU end is the first encrypted address.
- the method when the air interface does not use the PDCP protocol encryption, the method further includes: the DU receiving the The uplink user plane data packet sent by the UE; the DU sets the source address of the uplink user plane data packet to the first encrypted address; the DU determines, according to the first encrypted address, the IPSec The protocol encrypts the uplink user plane data packet to obtain the encrypted uplink user plane data packet, and the DU sends the encrypted uplink user plane data packet to the CU.
- the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting a source address of the uplink user plane data packet as the first unencrypted address; The DU is determined according to the first unencrypted address, and the uplink user plane data packet is not encrypted by using the IPSec protocol; the DU sends the uplink user plane data packet to the SeGW.
- the method further includes: the DU receiving an uplink user plane data packet sent by the UE; and the DU setting a source address of the uplink user plane data packet as the first encrypted address; Determining, according to the first encrypted address, that the uplink user plane data packet is encrypted by using the IPSec protocol, to obtain an encrypted uplink user plane data packet; and the DU will be the encrypted uplink user.
- the face data message is sent to the SeGW.
- the CU has a second interface, where the second interface is a user plane communication between the CU and the DU.
- the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol;
- the non-encrypted address is used to indicate that the user plane data message is not subjected to encryption/decryption processing using the IPSec protocol.
- the first message when the air interface is encrypted by using the PDCP protocol, the first message carries the second non-encrypted address.
- the first message carries the second encryption address.
- the method when the air interface is encrypted by using the PDCP protocol, the method further includes: the DU receiving the UE The uplink user plane data packet sent; the DU sets the destination address of the uplink user plane data packet to the second unencrypted address; the DU determines according to the second unencrypted address, and does not use the The IPSec protocol encrypts the uplink user plane data packet, and the DU sends the uplink user plane data packet to the CU.
- the method when the air interface does not use the PDCP protocol encryption, the method further includes: the DU receiving station An uplink user plane data packet sent by the UE; the DU sets a destination address of the uplink user plane data packet as the second encryption address; and the DU determines, according to the second encryption address, using the The IPSec protocol encrypts the uplink user plane data packet to obtain the encrypted uplink user plane data packet, and the DU sends the encrypted uplink user plane data packet to the CU.
- the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting a destination address of the uplink packet to the second unencrypted address; Determining, according to the second unencrypted address, the uplink user plane data packet is not encrypted by using the second protocol; the DU sending the uplink user plane data packet to the SeGW.
- the method further includes: the DU receiving an uplink user plane data packet sent by the UE; the DU setting a destination address of the uplink user plane data packet as the second encrypted address; Determining, according to the second encrypted address, that the uplink user plane data packet is encrypted by using the IPSec protocol, to obtain an encrypted uplink user plane data packet; and the DU will be the encrypted
- the uplink user plane data packet is sent to the SeGW.
- a third aspect of the embodiments of the present application provides a central unit CU, including: a first transceiver unit, configured to perform security negotiation with a user equipment UE, to obtain a negotiation result, where the negotiation result is used to indicate the CU and the Whether the air interface between the UEs is encrypted using the packet data convergence layer PDCP protocol; the second transceiver unit is configured to send the first message to the distributed unit DU; when the negotiation result indicates that the air interface uses the PDCP protocol to encrypt The first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Secure IPSec protocol.
- a first transceiver unit configured to perform security negotiation with a user equipment UE, to obtain a negotiation result, where the negotiation result is used to indicate the CU and the Whether the air interface between the UEs is encrypted using the packet data convergence layer PDCP protocol
- the second transceiver unit is configured to send the first message to the distributed unit DU; when the negotiation result indicates
- the DU has a first interface, where the first interface is a user plane communication between the DU and the CU.
- the first interface is configured with a first encrypted address and a first unencrypted address, where the first encrypted address is used to indicate that the user plane data packet is subjected to encryption/decryption processing using the IPSec protocol;
- the non-encrypted address is used to indicate that the IPSec protocol is not used to perform encryption/decryption processing on the user plane data packet;
- the second transceiver unit is further configured to: receive the first response message sent by the DU, the first response The message is used to indicate that the address carried by the user plane on the DU end is the first unencrypted address.
- the CU further includes: a processing unit, configured to encrypt, by using the PDCP protocol, a downlink user plane data packet; Setting a destination address of the downlink user plane data packet to the first unencrypted address, and determining, configured to determine, according to the first unencrypted address, the downlink user plane data by using the IPSec protocol The packet is encrypted.
- the second transceiver unit is further configured to send the downlink user plane data packet to the DU.
- the negotiation result indicates that the air interface does not use the PDCP protocol to encrypt
- the first message is used. And indicating that the user plane bearer is encrypted by using the IPSec protocol; the first response message is used to indicate that the address that the user plane bears at the DU end is the first encrypted address.
- the processing unit is further configured to: encrypt the downlink user plane data packet by using the PDCP protocol; and use the destination address of the downlink user plane data packet
- the third transceiver unit is configured to send the downlink user plane data packet to the SeGW.
- the CU has a second interface, where the second interface is a user plane communication between the CU and the DU.
- the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol;
- the non-encrypted address is used to indicate that the user plane data message is not subjected to encryption/decryption processing using the IPSec protocol.
- a fourth aspect of the present application provides a distributed unit DU, including: a first transceiver unit, configured to receive when an air interface between a central unit CU and a user equipment UE is encrypted using a packet data convergence layer PDCP protocol.
- the first message sent by the CU is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Secure IPSec protocol.
- the DU has a first interface, and the first interface is a user plane communication between the DU and the CU.
- the first interface is configured with a first encrypted address and a first unencrypted address, where the first encrypted address is used to indicate that the user plane data packet is subjected to encryption/decryption processing using the IPSec protocol;
- the non-encrypted address is used to indicate that the IPSec protocol is not used to perform encryption/decryption processing on the user plane data packet;
- the first transceiver unit is further configured to: The CU sends a first response message, where the first response message is used to indicate that the address carried by the user plane on the DU end is the first unencrypted address.
- the DU when the air interface is encrypted by using the PDCP protocol, the DU further includes: the second transceiver unit, And the processing unit is configured to: set a source address of the uplink user plane data packet to the first unencrypted address; the determining unit is further configured to: Determining, according to the first unencrypted address, that the uplink user plane data packet is not encrypted by using the IPSec protocol; the first transceiver unit is further configured to send the uplink user plane data packet to The CU.
- the second transceiver unit is further configured to: receive an uplink user plane data packet sent by the UE; the processing unit is further configured to: source the uplink user plane data packet Setting the address as the first non-encrypted address; the determining unit is further configured to: according to the first unencrypted address, encrypt the uplink user plane data packet without using the IPSec protocol; The third transceiver unit is further configured to send the uplink user plane data packet to the SeGW.
- the CU has a second interface, where the second interface is a user plane communication between the CU and the DU.
- the second interface is configured with a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol;
- the non-encrypted address is used to indicate that the IPSec protocol is not used to perform encryption/decryption processing on the user plane data packet;
- the DU further includes: the second transceiver unit,
- the processing unit is further configured to: set the destination address of the uplink user plane data packet to the second unencrypted address; the determining unit is further configured to receive the uplink user plane data packet sent by the UE.
- the method further includes: determining, according to the second unencrypted address, that the uplink user plane data packet is encrypted by using the IPSec
- a fifth aspect of the present application provides a computer readable storage medium having stored therein instructions that, when executed on a computer, cause the computer to perform the methods described in the above aspects.
- a sixth aspect of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods described in the various aspects above.
- the embodiment of the present application has the following advantages: the central unit CU performs security negotiation with the user equipment UE, and obtains a negotiation result, where the negotiation result is used to indicate an air interface between the CU and the UE. Whether to use the packet data convergence layer PDCP protocol encryption; the CU sends a first message to the distributed unit DU; when the negotiation result indicates that the air interface uses the PDCP protocol to encrypt, the first message is used to indicate The user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Secure IPSec protocol.
- the CU when the result of the negotiation between the CU and the UE is that the air interface between the CU and the UE is encrypted by using the PDCP protocol, the CU notifies the user plane bearer between the DUCU and the DU that the IPSec protocol is not used for encryption, and the data is guaranteed. At the same time of security, it also reduces CPU resource consumption and reduces costs.
- 1 is a schematic diagram of a possible existing base station encryption
- FIG. 2 is a schematic diagram of a possible function provided by an embodiment of the present application.
- FIG. 3 is a schematic diagram of a possible data encryption transmission according to an embodiment of the present application.
- 4a is a flowchart of a possible information transmission method according to an embodiment of the present application.
- FIG. 4b is a flowchart of another possible information transmission method according to an embodiment of the present application.
- 4c is a schematic diagram of a possible interface provided by an embodiment of the present application.
- FIG. 4 is a schematic diagram of a possible data packet transmission according to an embodiment of the present application.
- FIG. 5 is a flowchart of another possible information transmission method according to an embodiment of the present application.
- FIG. 5b is a flowchart of another possible information transmission method according to an embodiment of the present application.
- FIG. 6 is a flowchart of another possible method for transmitting information according to an embodiment of the present application.
- FIG. 6b is a flowchart of another possible information transmission method according to an embodiment of the present application.
- FIG. 7 is a schematic diagram of another possible data encryption transmission provided by an embodiment of the present application.
- FIG. 7b is a flowchart of another possible information transmission method according to an embodiment of the present application.
- FIG. 7c is a flowchart of another possible method for transmitting information according to an embodiment of the present application.
- FIG. 8 is a flowchart of another possible information transmission method according to an embodiment of the present application.
- FIG. 8b is a flowchart of another possible information transmission method according to an embodiment of the present application.
- FIG. 9 is a flowchart of another possible information transmission method according to an embodiment of the present application.
- FIG. 9b is a flowchart of another possible information transmission method according to an embodiment of the present application.
- FIG. 10 is a schematic diagram of an embodiment of a possible central unit according to an embodiment of the present application.
- FIG. 11 is a schematic diagram of an embodiment of a possible distributed unit according to an embodiment of the present disclosure.
- FIG. 12 is a schematic block diagram of a communication apparatus according to an embodiment of the present application.
- FIG. 13 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application.
- FIG. 14 is a schematic structural diagram of a system according to an embodiment of the present application.
- the embodiment of the present application provides an information transmission method and related equipment, which are used to ensure data security, reduce CPU resource consumption, and speed up the system.
- the function of the eNB node is split into two parts: CU and DU, and the functions of the CU and the DU are separated and deployed.
- the DU is deployed in the original access network and the CU is moved closer to the core network.
- FIG. 2 a possible function diagram of the present application is provided.
- the air interface of the eNB adopts a hierarchical structure, and the radio link control (RRC) is sequentially from top to bottom.
- RRC radio link control
- eNB through the S1 interface and evolved packet core network (evolved packet Core, EPC) is connected for signaling or data transmission.
- RLC radio link control
- MAC media access control
- PHY physical layer
- eNB evolved packet core network
- RRC and PDCP in the original eNB are deployed on the CU
- RLC, MAC, and PHY are deployed on the DU
- the CU and EPC pass.
- the S1 interface is connected, and the CU and the DU are connected by the new interface Itf-CuDu to transmit signaling or data. It should be noted that the naming manner of the new interface is not limited in this application.
- the user data transmitted by the UE is transmitted to the CU, and needs to undergo the following encryption/decryption process.
- FIG. 3 it is a possible data encryption transmission diagram, including: user data flow. The process from the UE through the DU to the CU, where
- the air interface is encrypted between the UE and the CU to ensure the security of the user data in the wireless transmission process. It should be noted that the air interface encryption/decryption is handled by the PDCP in the 3gpp protocol, so there is corresponding processing on the UE and the CU.
- the module is responsible for PDCP encryption and PDCP decryption;
- the IPSec protocol is introduced between the CU and the DU for encryption to ensure the security of user data transmission between the CU and the DU. Therefore, there are corresponding processing modules on the DU and the CU to be responsible for IPSec encryption and IPSec decryption.
- the user data of the UE to the CU has been PDCP encrypted in many scenarios, and the user data is transmitted on the CU-DU interface. From the perspective of user data security, it is unnecessary to use IPSec encryption again, and IPSec encryption and decryption also consume a lot of CPU resources.
- the embodiment of the present application provides a data encryption method, which can be applied to various application scenarios, including:
- the first interface on the DU side is configured with a specific IP address on the DU side to establish a user plane bearer.
- the specific IP address on the DU side is used to distinguish whether the user plane bearer between the DU and the CU is encrypted by using the IPSec protocol.
- the specific IP address of the DU side includes a first encrypted address and a first unencrypted address, where the first encrypted address is used to indicate that the user plane data packet is encrypted/decrypted by using the IPSec protocol, and the first non-encrypted address is used.
- the user interface is instructed to perform encryption/decryption processing on the user plane data packet without using the IPSec protocol, and the first interface is an interface for the user plane communication between the DU and the CU.
- the IP address on the second interface on the CU side does not need to distinguish between the DU and the Whether the user plane bearer between the CUs is encrypted by using the IPSec protocol, where the second interface is an interface for the user plane communication between the CU and the DU;
- Scenario 2 The first interface on the DU side is configured with a specific IP address on the DU side to establish a user plane bearer, and the second interface on the CU side is also configured with a specific IP address on the CU side to establish a user plane bearer.
- the IP address is used to distinguish whether the user plane bearer between the CU and the DU is encrypted by using the IPSec protocol, for example, the specific IP address of the CU side includes a second encrypted address and a second unencrypted address, where the second encrypted address is used to indicate The user plane data packet is encrypted/decrypted by using the IPSec protocol, and the second non-encrypted address is used to indicate that the user plane data packet is not encrypted/decrypted by using the IPSec protocol;
- the second interface on the CU side is configured with a specific IP address on the CU side to establish a user plane bearer, and the IP address on the first interface on the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted by using the IPSec protocol. .
- the first interface on the DU side is configured with a specific IP address on the DU side to establish a user plane bearer, and the IP address on the second interface on the CU side does not need to distinguish whether the user plane bearer between the DU and the CU uses the IPSec protocol. encryption;
- Scenario 5 The first interface on the DU side is configured with a specific IP address on the DU side to establish a user plane bearer, and the second interface on the CU side is also configured with a specific IP address on the CU side to establish a user plane bearer.
- the second interface on the CU side is configured with a specific IP address on the CU side to establish a user plane bearer, and the IP address on the first interface on the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted by using the IPSec protocol. .
- an embodiment of the method in the scenario 1 of the embodiment of the present application is introduced, which specifically includes:
- the CU performs security negotiation with the UE to obtain a negotiation result.
- the CU performs security negotiation with the UE, and obtains a negotiation result.
- the negotiation result is used to indicate whether the air interface between the CU and the UE is encrypted using the PDCP protocol, where the air interface is an interface between the UE and the base station.
- the CU and the UE perform the security negotiation to obtain the negotiation result in multiple manners, including: the UE sends the algorithm set information to the CU, where the algorithm set information includes information of the algorithm supported by the UE; and the CU receives the algorithm set information. After comparing the algorithm in the algorithm set information with the algorithm supported by the CU, the intersection algorithm is determined, and the intersection algorithm is an algorithm supported by both the CU and the UE. It can be understood that the intersection algorithm may include one or more algorithms. When the intersection algorithm includes an algorithm, the CU sends the information of the intersection algorithm to the UE.
- the negotiation result is CU and The air interface between the UEs is encrypted using the PDCP protocol; if the intersection algorithm is an unencrypted algorithm, the result of the negotiation is that the air interface between the CU and the UE is not encrypted using the PDCP protocol.
- the intersection algorithm includes multiple algorithms, the CU may select one of the multiple algorithms to send to the UE, that is, the negotiation result is encrypted by the air interface using the PDCP protocol; or the CU may select any one of the multiple algorithms.
- An algorithm sends to the UE.
- the negotiation result is that the air interface uses the PDCP protocol to encrypt; otherwise, the negotiation result is that the air interface does not use the PDCP protocol to encrypt.
- the CU and the DU perform security negotiation to obtain the negotiation result, which is not limited herein.
- steps 402-411 in FIG. 4a are performed; if the negotiation result indicates that the air interface between the CU and the UE is not used. If the PDCP protocol is encrypted, steps 412-421 in Figure 4b are performed; the details are as follows:
- the CU sends the first indication information to the DU.
- the CU When the result of the negotiation indicates that the air interface is encrypted by using the PDCP protocol, the CU sends a first message to the DU through the first control plane interface, where the first message carries the first indication information, where the first indication information is used to indicate the CU and the DU.
- the user plane bearer is not encrypted by using the IPSec protocol, and the first control plane interface is an interface for the control plane communication between the CU and the DU.
- a 1-bit encryption indication bit may be set in the first message.
- the encryption indication bit When the encryption indication bit is set to 0, it indicates that the user plane bearer between the CU and the DU is not encrypted using the IPSec protocol; when the encryption indication bit is set to At 1 o'clock, it indicates that the user plane bearer between the CU and the DU is encrypted by using the IPSec protocol; optionally, the 2 bit encryption indication bit may be set in the first message, and when the encryption indication bit is set to 01, the CU and the DU are indicated. The user plane bearer between the two is not encrypted by using the IPSec protocol; when the encryption indicator bit is set to 10, it indicates that the user plane bearer between the CU and the DU is encrypted using the IPSec protocol. Therefore, the CU indicates to the DU whether the user plane bearer is encrypted by using the IPSec protocol, which is not limited in this application.
- the user plane bearer between the CU and the DU can be understood as a GTP-U tunnel established between the CU and the DU for transmitting the user plane data stream.
- the first message may be a user plane bearer setup request message, or may be other existing messages or new messages, which is not limited in this application.
- the first message when the first message is a user plane bearer setup request message, the first message may carry a user plane address on the CU side.
- the DU sends a first response message to the CU.
- the first interface on the DU side is configured with a specific IP address on the DU side to establish a user plane bearer with the CU, and the specific IP address on the DU side is used to distinguish the user plane bearer between the DU and the CU.
- IPSec protocol encryption Whether to use IPSec protocol encryption.
- FIG. 4c is a schematic diagram of a possible DU side interface provided by the embodiment of the present application.
- the first interface is an interface used by the DU side to communicate with the CU, and the first interface includes at least two specific interfaces.
- the user plane IP address that is, the first non-encrypted address and the second unencrypted address, wherein the first encrypted address is used in an IPSec communication scenario, and indicates that the user plane data packet is encrypted/decrypted by using the IPSec protocol;
- the encrypted address is used in the non-IPSec communication scenario, indicating that the user plane data packet is not encrypted/decrypted by using the IPSec protocol.
- FIG. 4c is merely an exemplary diagram in which the first interface, the first encrypted address, and the second unencrypted address may be understood as a logical concept, but not physically.
- the DU determines, according to the first indication information, that the user plane bearer between the DU and the CU does not need to perform IPSec encryption, and selects the first unencrypted address as the first
- the user plane address of the interface is used to establish a user plane bearer, that is, a GTP-U tunnel between the CU and the DU, and send a first response message to the CU in response to the first message, where the first response message carries the first response.
- the first response information includes a first unencrypted address to indicate to the CU that the address of the user plane carried between the DU and the CU at the DU end is the first unencrypted address.
- the first response message may be a user plane bearer setup response message, or may be another existing message or a new message, which is not limited in this application. Therefore, when the DU obtains the user plane address on the CU side, and the CU obtains the user plane address on the DU side, the establishment of the user plane bearer between the CU and the DU can be realized.
- the UE sends a first uplink user plane data packet to the DU.
- the UE transmits the user plane data to the core network through the DU and the CU.
- the negotiation result between the CU and the UE is that the air interface between the CU and the UE is encrypted by using the PDCP protocol
- the UE performs PDCP encryption processing on the first uplink user plane data packet, and performs encryption processing on the air interface.
- the first uplink user plane data packet is sent to the DU.
- the DU determines to encrypt the first uplink user plane data packet by using the IPSec protocol.
- the DU sends a first uplink user plane data packet to the CU.
- FIG. 4d is a schematic diagram of a possible data packet transmission.
- the UE sends a data packet, and the data packet is marked with the address of the UE as the source address, and the server on the Internet to be reached.
- the address is the destination address, and the UE transmits the data packet to the eNB.
- the eNB encapsulates the data packet into a GTP packet that can be transmitted in the GTP tunnel, and the source address of the data packet is replaced with the address of the eNB, and the destination address is Replace with the address of the serving gateway (SGW) that will arrive.
- SGW serving gateway
- the source address of the data packet is changed to the address of the SGW
- the destination address of the data packet is changed to the address of the packet data network gateway (P-GW)
- the transmitted tunnel is also changed by the S1GTP tunnel.
- the P-GW unpacks the data packet, obtains its real destination address, and then sends the data packet to the server corresponding to the destination address to complete a data packet from the UE to the Internet. Upload.
- the DU uses the first unencrypted address as the source address of the first uplink user plane data packet to complete the encapsulation of the GTP-U tunnel. .
- the DU determines, according to the first unencrypted address, that the first uplink user plane data packet is not encrypted by using the IPSec protocol, and the first uplink user plane data packet is directly sent to the CU by using the first interface on the DU side.
- the CU determines to decrypt the first uplink user plane data packet by using the IPSec protocol.
- the CU sends a first uplink user plane data packet to the SGW.
- the CU After receiving the first uplink user plane data packet that is not encrypted by the IPSec protocol, the CU performs GTP-U decapsulation on the first uplink user plane data packet, and obtains the decapsulated
- the first uplink user plane data packet is directly processed for subsequent processing, where the CU uses the PDCP protocol to perform air interface decryption on the first uplink user plane data packet, and the first uplink user plane datagram is used.
- the first uplink user plane data packet Before the message is sent to the SGW, the first uplink user plane data packet is encrypted again to ensure the security of the first uplink user plane data packet transmitted between the CU and the SGW. Therefore, the CU sends the first uplink user plane data packet after the subsequent processing to the SGW.
- the SGW sends a first downlink user plane data packet to the CU.
- the CU determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
- the CU sends the first downlink user plane data packet to the DU.
- the CU When the core network needs to send the first downlink user plane data packet to the UE through the CU and the DU, the CU receives the first downlink user plane data packet from the core network. If the result of the negotiation between the CU and the UE is that the air interface between the CU and the UE needs to be encrypted by using the PDCP protocol, the CU needs to perform PDCP encryption processing on the first downlink data.
- the CU uses the first unencrypted address as the destination address of the first downlink user plane data packet to complete the encapsulation of the GTP-U tunnel. And the CU determines, according to the first unencrypted address, that the first downlink user plane data packet is not encrypted by using the IPSec protocol, and sends the first downlink user plane data packet directly to the second interface on the CU side to the first downlink user plane data packet. DU.
- the DU determines to decrypt the first downlink user plane data packet by using the IPSec protocol.
- the DU sends a first downlink user plane data packet to the UE.
- the DU After receiving the first downlink user plane data packet that is not encrypted by the IPSec protocol, the DU can determine, by using the format of the first downlink user plane data packet, that the IPSec protocol is not used.
- the first downlink user plane data packet is decrypted, and then the first downlink user plane data packet is directly GTP-U decapsulated, and the decapsulated first downlink user plane data packet is obtained, and then performed.
- Processing, wherein the subsequent processing includes: sending, by using an air interface, the first downlink user plane data packet to the UE, so that the UE decrypts the first downlink user plane data packet by using a PDCP protocol to obtain the decrypted A downlink user plane data message.
- the first uplink user plane data packet is transmitted from the UE to the SGW through steps 404 to 407b, and the first downlink user plane data packet is implemented from the SGW to the UE through steps 408a to 411.
- steps 404 to 407b may be performed first, or steps 408a to 411 may be performed first, or may be performed at the same time, which is not limited herein.
- FIG. 4b which specifically includes:
- the CU sends the second indication information to the DU.
- the first message sent by the CU to the DU through the first control plane interface carries the second indication information, where the second indication information is used to indicate the user plane between the CU and the DU.
- the bearer is encrypted using the IPSec protocol.
- the DU sends a second response message to the CU.
- the DU After receiving the second indication information carried by the first message sent by the CU, the DU determines, according to the second indication information, that the user plane bearer between the DU and the CU needs to perform IPSec encryption, and uses the first encrypted address as the user of the first interface.
- a face address to establish a user plane bearer between the CU and the DU, that is, a GTP-U tunnel, and send a first response message carrying the second response information to the CU, where the second response information includes the first encrypted address to the CU.
- the address indicating that the user plane between the DU and the CU is carried on the DU end is the first encrypted address.
- the UE sends a second uplink user plane data packet to the DU.
- the UE when the result of the negotiation between the CU and the UE is that the air interface between the CU and the UE is not encrypted by using the PDCP protocol, the UE does not perform PDCP encryption processing on the second uplink user plane data packet, but uses the air interface to The second uplink user plane data packet is directly sent to the DU.
- the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
- the DU sends a second uplink user plane data packet to the CU.
- the DU uses the first encrypted address as the source address of the second uplink user plane data packet to complete the encapsulation of the GTP-U tunnel.
- the DU determines, according to the first encrypted address, the IPSec protocol to encrypt the second uplink user plane data packet, and then obtains the IPSec encrypted second uplink user plane data packet, to complete the second uplink user plane datagram.
- IPSec encryption Therefore, the DU sends the IPSec-encrypted second uplink user plane data packet directly to the CU through the first interface on the DU side.
- the CU determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
- the CU sends a second uplink user plane data packet to the SGW.
- the CU After receiving the second uplink user plane data packet, the CU decrypts the second uplink user plane data packet by using the IPSec protocol, and then decapsulates the GTP-U tunnel to obtain a solution.
- the second uplink user plane data packet after the packet is sealed.
- the CU After the CU sends the second uplink user plane data packet to the SGW, the CU performs subsequent processing on the second uplink user plane data packet, where the subsequent processing may include: according to the security configuration between the CU and the SGW,
- the IPSec protocol is used to encrypt the second uplink user plane data packet to ensure the security of the second uplink user plane data packet transmission between the CU and the core network.
- the CU then sends the second uplink user plane data packet after the subsequent processing to the SGW.
- the SGW sends a second downlink user plane data packet to the CU.
- the CU determines to encrypt the second downlink user plane data packet by using the IPSec protocol.
- the CU sends a second downlink user plane data packet to the DU.
- the CU receives the second downlink user plane data packet from the core network.
- the CU determines, according to the negotiation result, that the second downlink user plane data packet is encrypted without using the PDCP protocol.
- the CU uses the first encrypted address as the destination address of the second downlink user plane data packet to complete the encapsulation of the GTP-U tunnel.
- the CU determines, according to the first encrypted address, that the second downlink user plane data packet is to be encrypted by using the IPSec protocol, to obtain the second downlink user plane data packet after the IPSec encryption.
- the IPSec-encrypted second downlink user plane data packet is sent to the DU through the second interface on the CU side.
- the DU determines to decrypt the second downlink user plane data packet by using the IPSec protocol.
- the DU sends a second downlink user plane data packet to the UE.
- the DU After receiving the second downlink user plane data packet, the DU uses the IPSec protocol to decrypt the second uplink user plane data packet, and then decapsulates the GTP-U tunnel to obtain a solution.
- the second downlink user plane data packet after the packet is sealed. And performing the subsequent processing on the decapsulated second downlink user plane data packet, where the subsequent processing includes: sending the decapsulated second downlink user plane data packet to the UE by using the air interface, and the UE does not need to use the PDCP
- the protocol decrypts the decapsulated second downlink user plane data packet.
- the second uplink user plane data packet is transmitted from the UE to the core network through steps 414 to 417b, and the second downlink user plane data packet is implemented from the core network through steps 418a to 411.
- steps 414 to 417b may be performed first, or steps 418a to 421 may be performed first, or may be performed at the same time, which is not limited herein.
- the first interface of the DU is configured with the first encrypted address and the first unencrypted address to distinguish whether the user plane data stream needs IPSec encryption.
- IPSec IPSec encryption
- the user plane data stream encrypted by IPSec uses the port number of 30000-49999; or it is distinguished based on the protocol type: for example, the user plane data stream requiring IPSec encryption uses the GTPU protocol, and the user plane data stream that does not require IPSec encryption uses the UDP protocol. Therefore, there are various ways to distinguish whether IPSec encryption is required, and the specifics are not limited herein.
- the embodiment of the present application can be implemented not only in the network architecture of the LTE, but also in the 5G radio access network, the mobile communication system (UMTS), and the code division multiple access (code division multiple access, CDMA) or wideband code division multiple access (WCDMA) network architecture.
- UMTS mobile communication system
- CDMA code division multiple access
- WCDMA wideband code division multiple access
- IPSec encryption/decryption it is possible to flexibly determine whether the transmission of the user plane data stream in the CU-DU interface uses IPSec encryption/decryption according to whether the UE air interface performs PDCP encryption, that is, when the UE air interface performs PDCP encryption, the user plane
- the transmission of the data stream in the CU-DU interface does not use IPSec encryption/decryption; when the UE air interface does not perform PDCP encryption, the transmission of the user plane data stream in the CU-DU interface needs to use IPSec encryption/decryption, which is guaranteed.
- more flexible IPSec encryption/decryption reduces CPU resource consumption and speeds up the system.
- an embodiment of the method in the scenario 2 of the embodiment of the present application includes:
- the CU performs security negotiation with the UE to obtain a negotiation result.
- step 502-511 in FIG. 5a is performed; if the negotiation result indicates the air between the CU and the UE. If the interface does not use PDCP encryption, perform steps 512-521 in Figure 5b; the details are as follows:
- the CU sends the first indication information to the DU.
- the DU sends a first response message to the CU.
- the UE sends a first uplink user plane data packet to the DU.
- the steps 501 to 504 are similar to the steps 401 to 404 in the embodiment shown in FIG. 4a, and details are not described herein again.
- the DU determines to encrypt the first uplink user plane data packet by using the IPSec protocol.
- the DU sends a first uplink user plane data packet to the CU.
- the second interface on the CU side is also configured with a specific IP address on the CU side to establish a user plane bearer, and the specific IP address on the CU side is used to distinguish the user between the CU and the DU.
- the bearer is encrypted by using the IPSec protocol, and includes a second encrypted address and a second unencrypted address, where the second encrypted address is used in an IPSec communication scenario, indicating that the packet is encrypted/decrypted using the IPSec protocol; and the second non-encrypted The address is used in a non-IPSec communication scenario, indicating that the packet is not encrypted or decrypted using the IPSec protocol.
- the DU uses the second unencrypted address as the destination address of the first uplink user plane data packet to complete the encapsulation of the GTP-U tunnel.
- the DU determines, according to the second unencrypted address, that the first uplink user plane data packet is not encrypted by using the IPSec protocol, and the first uplink user plane data packet is directly sent to the CU by using the first interface on the DU side.
- the CU determines that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
- the CU sends a first uplink user plane data packet to the SGW.
- the CU may determine, by using the format of the first uplink user plane data packet, that the first IPSec protocol is not used.
- the uplink user plane data packet is decrypted, and then the first uplink user plane data packet is directly GTP-U decapsulated, and the decapsulated first uplink user plane data packet is obtained.
- performing the subsequent processing on the first uplink user plane data packet where the CU uses the PDCP protocol to perform air interface decryption on the first uplink user plane data packet, and performs the first uplink on the first uplink user plane data packet.
- the first uplink user plane data packet is encrypted again to ensure the security of the first uplink user plane data packet transmitted between the CU and the core network. Therefore, the CU sends the first uplink user plane data packet after the subsequent processing to the SGW.
- the SGW sends a first downlink user plane data packet to the CU.
- the CU determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
- the CU sends the first downlink user plane data packet to the DU.
- the DU determines to decrypt the first downlink user plane data packet by using the IPSec protocol.
- the DU sends a first downlink user plane data packet to the UE.
- the steps 508a to 511 are similar to the steps 408a to 411 in the embodiment shown in FIG. 4a, and details are not described herein again.
- the transmission of the first uplink data from the UE to the SGW is implemented by using the steps 504 to 507b, and the transmission of the first downlink data from the SGW to the UE is implemented by using the steps 508a to 511.
- steps 504 to 507b may be performed first, or steps 508a to 511 may be performed first, or may be performed at the same time, which is not limited herein.
- FIG. 5b which specifically includes:
- the CU sends the second indication information to the DU.
- the DU sends a second response message to the CU.
- the UE sends a second uplink user plane data packet to the DU.
- the steps 512 to 514 are similar to the steps 412 to 414 in the embodiment shown in FIG. 4b, and details are not described herein again.
- the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
- the DU sends a second uplink user plane data packet to the CU.
- the DU uses the second encrypted address as the destination address of the second uplink user plane data packet to complete the encapsulation of the GTP-U tunnel.
- the DU determines, according to the second encrypted address, the IPSec protocol to encrypt the second uplink user plane data packet, and sends the second uplink user plane data packet to the CU directly through the first interface on the DU side.
- the CU determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
- the CU sends a second uplink user plane data packet to the SGW.
- the CU After receiving the second uplink user plane data packet, the CU decrypts the second uplink user plane data packet by using the IPSec protocol, and then decapsulates the GTP-U tunnel to obtain a solution.
- the second uplink user plane data packet after the packet is sealed. And performing the subsequent processing on the decapsulated second uplink user plane data packet, where the subsequent processing may include: performing security configuration between the CU and the SGW before sending the second uplink user plane data packet to the SGW.
- the second uplink user plane data packet is encrypted by using the IPSec protocol to ensure the security of the second uplink user plane data packet transmitted between the CU and the core network.
- the CU then sends the second uplink user plane data packet after the subsequent processing to the SGW.
- the SGW sends a second downlink user plane data packet to the CU.
- the CU determines to encrypt the second downlink user plane data packet by using the IPSec protocol.
- the CU sends a second downlink user plane data packet to the DU.
- the DU determines to decrypt the second downlink user plane data packet by using the IPSec protocol.
- the DU sends a second downlink user plane data packet to the UE.
- the steps 518 to 521 are similar to the steps 418 to 421 in the embodiment shown in FIG. 4a, and details are not described herein again.
- the transmission of the second uplink data from the UE to the SGW is implemented by using steps 514 to 517b, and the transmission of the second downlink data from the SGW to the UE is implemented by steps 518a to 511, between the two processes.
- steps 514 to 517b may be performed first, or steps 518a to 521 may be performed first, or may be performed at the same time, which is not limited herein.
- the second interface and the second unencrypted address may be configured on the second interface of the CU to distinguish whether the IPSec-encrypted user plane data stream is required, and the achievable manner of the embodiment of the present application is added.
- an embodiment of the method in the scenario 3 is performed in the scenario of the embodiment.
- the second interface on the CU side is also configured with a specific IP address on the CU side to establish a user plane bearer.
- the specific IP address of the CU is used to distinguish whether the user plane bearer between the CU and the DU is encrypted by using the IPSec protocol, and includes a second encrypted address and a second unencrypted address, where the second encrypted address is used in the IPSec communication scenario. Indicates that the packet is encrypted/decrypted by using the IPSec protocol.
- the second non-encrypted address is used in the non-IPSec communication scenario, indicating that the packet is not encrypted or decrypted by using the IPSec protocol.
- the IP address of the first interface on the DU side does not need to distinguish whether the user plane bearer between the DU and the CU is encrypted using the IPSec protocol.
- the CU performs security negotiation with the UE to obtain a negotiation result.
- the step 601 is similar to the step 401 in the embodiment shown in FIG. 4a, and details are not described herein again.
- steps 602-611 in FIG. 6a are performed; if the negotiation result indicates that the air interface between the CU and the UE does not use the PDCP protocol. Encryption, then perform steps 612-621 in Figure 6b; the details are as follows:
- the CU sends the first indication information to the DU.
- the first message sent by the CU to the DU through the first control plane interface carries the first indication information, where the second indication information is used to indicate the user plane bearer between the CU and the DU.
- the IPSec protocol is not used for encryption, and the second unencrypted address is used as the user plane address of the second interface, that is, the address carried by the user plane between the CU and the DU at the CU end is the second unencrypted address.
- the DU sends a first response message to the CU.
- the DU After receiving the first indication information carried by the first message sent by the CU, the DU determines, according to the first indication information, that the user plane bearer between the DU and the CU does not need to perform IPSec encryption, and determines that the second unencrypted address is the second CU side. User plane address of the interface.
- the DU in response to the first message carrying the first indication information, the DU sends a first response message to the CU, where the first response message includes first response information, where the first response information includes a user plane bearer address on the DU side. .
- the UE sends a first uplink user plane data packet to the DU.
- the DU determines to encrypt the first uplink user plane data packet by using the IPSec protocol.
- the DU sends a first uplink user plane data packet to the CU.
- the CU determines that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
- the CU sends a first uplink user plane data packet to the SGW.
- the steps 604 to 607b are similar to the steps 504 to 507b in the embodiment shown in FIG. 5a, and details are not described herein again.
- the SGW sends a first downlink user plane data packet to the CU.
- the CU determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
- the CU sends a first downlink user plane data packet to the DU.
- the CU When the SGW needs to send the first downlink user plane data packet to the UE through the CU and the DU, the CU receives the first downlink user plane data packet from the SGW. If the result of the negotiation between the CU and the UE is that the air interface between the CU and the UE needs to be encrypted by using the PDCP protocol, the CU needs to perform PDCP encryption processing on the first downlink data.
- the CU uses the second unencrypted address as the source address of the first downlink user plane data packet to complete the encapsulation of the GTP-U tunnel. And the CU determines, according to the second unencrypted address, that the first downlink user plane data packet is not encrypted by using the IPSec protocol, and sends the first downlink user plane data packet directly to the second interface on the CU side to the first downlink user plane data packet. DU.
- the DU determines to decrypt the first downlink user plane data packet by using the IPSec protocol.
- the DU sends a first downlink user plane data packet to the UE.
- the steps 610 to 611 are similar to the steps 410 to 411 in the embodiment shown in FIG. 4a, and details are not described herein again.
- the first uplink user plane data packet is transmitted from the UE to the SGW through steps 604 to 607b, and the first downlink user plane data packet is implemented from the core network through steps 608a to 611.
- steps 604 to 607b may be performed first, or steps 608a to 611 may be performed first, or may be performed at the same time, which is not limited herein.
- FIG. 6b which specifically includes:
- the CU sends the second indication information to the DU.
- the first message sent by the CU to the DU through the first control plane interface carries the second indication information, where the second indication information is used to indicate the user plane between the CU and the DU.
- the bearer is encrypted by using the IPSec protocol, and the second encrypted address is used as the user plane address of the second interface, that is, the address carried by the user plane between the CU and the DU at the CU end is the second encrypted address.
- the DU sends a second response message to the CU.
- the DU After receiving the second indication information carried by the first message sent by the CU, the DU determines, according to the second indication information, that the user plane bearer between the DU and the CU needs to perform IPSec encryption, and determines that the second encrypted address is the second interface on the CU side. User face address.
- the DU in response to the first message carrying the second indication information, the DU sends a first response message carrying the second response information to the CU, where the second response information includes a user plane bearer address on the DU side.
- the UE sends a second uplink user plane data packet to the DU.
- the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
- the DU sends a second uplink user plane data packet to the CU.
- the CU determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
- the CU sends a second uplink user plane data packet to the SGW.
- the steps 614 to 617b are similar to the steps 514 to 517b in the embodiment shown in FIG. 5b, and details are not described herein again.
- the SGW sends a second downlink user plane data packet to the CU.
- the CU determines to encrypt the second downlink user plane data packet by using the IPSec protocol.
- the CU sends a second downlink user plane data packet to the DU.
- the CU receives the second downlink user plane data packet from the SGW.
- the CU determines, according to the negotiation result, that the second downlink user plane data packet is encrypted without using the PDCP protocol.
- the CU uses the second encrypted address as the source address of the second downlink user plane data packet to complete the encapsulation of the GTP-U tunnel. And the CU determines, according to the second encrypted address, that the second downlink user plane data packet is to be encrypted by using the IPSec protocol, to obtain the second downlink user plane data packet that is encrypted by the IPSec protocol. And sending the encrypted second downlink user plane data packet to the DU through the second interface on the CU side.
- the DU determines to use the IPSec protocol to decrypt the second downlink user plane data packet.
- the DU sends a second downlink user plane data packet to the UE.
- the steps 620 to 621 are similar to the steps 520 to 521 in the embodiment shown in FIG. 5b, and details are not described herein again.
- the second uplink user plane data packet is transmitted from the UE to the SGW through steps 614 to 617b, and the second downlink user plane data packet is implemented from the SGW to the UE through steps 618a to 611.
- steps 614 to 617b may be performed first, or steps 618a to 611 may be performed first, or may be performed at the same time, which is not limited herein.
- FIG. 7a is another possible data encryption transmission diagram, including: the user data stream passes through the DU from the UE in sequence. SeGW to CU process, where
- the air interface is encrypted between the UE and the CU to ensure the security of the user data in the wireless transmission process. It should be noted that the air interface encryption/decryption is handled by the PDCP in the 3gpp protocol, so there is corresponding processing on the UE and the CU.
- the module is responsible for PDCP encryption and PDCP decryption;
- the IPSec protocol is used for encryption between the DU and the SeGW to ensure the security of user data transmission on the backhaul network. Therefore, there are corresponding processing modules on the DU and SeGW to be responsible for IPSec encryption and IPSec decryption.
- the CU performs security negotiation with the UE to obtain a negotiation result.
- the step 701 is similar to the step 401 in the embodiment shown in FIG. 4a, and details are not described herein again.
- steps 702-713 in FIG. 4a are performed; if the negotiation result indicates that the air interface between the CU and the UE does not use the PDCP protocol. Encryption, then perform steps 714-725 in Figure 4b; as follows:
- the CU sends the first indication information to the DU.
- the first indication information sent by the CU to the DU in step 702 is similar to the first indication information sent by the CU to the DU in step 402 in the embodiment shown in FIG. 4a, specifically No longer.
- the CU sends the first indication information to the DU through the transit of the SeGW.
- the DU sends a first response message to the CU.
- the first response information sent by the CU to the DU in step 703 is similar to the first response information sent by the CU to the DU in step 403 in the embodiment shown in FIG. 4a, specifically No longer.
- the DU sends the first response information to the CU through the transit of the SeGW.
- the UE sends a first uplink user plane data packet to the DU.
- the DU determines to encrypt the first uplink user plane data packet by using the IPSec protocol.
- the steps 704 to 705 are similar to the steps 404 to 405 in the embodiment shown in FIG. 4a, and details are not described herein again.
- the DU sends a first uplink user plane data packet to the SeGW.
- the DU determines, according to the first unencrypted address, that the first uplink user plane data packet is not encrypted by using the IPSec protocol, and then sends the first uplink user plane data packet to the SeGW.
- the SeGW determines that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
- the SeGW After receiving the first uplink user plane data packet, the SeGW determines, according to the packet format of the first uplink user plane data packet, that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
- the SeGW sends a first uplink user plane data packet to the CU.
- the CU sends a first uplink user plane data packet to the SGW.
- the GW After the GW is used to decrypt the first uplink user plane data packet, the GW sends the first uplink user plane data packet to the CU, so that the CU performs GTP-U on the first uplink user plane data packet.
- the tunnel unblocking process obtains the first uplink user plane data packet after decapsulation.
- the CU performs a subsequent operation on the decapsulated first uplink user plane data packet, where the subsequent processing includes: the CU uses the PDCP protocol to perform the air interface decryption on the first uplink user plane data packet, and Before the uplink user plane data packet is sent to the core network, the first uplink user plane data packet is encrypted again to ensure the security of the first uplink user plane data packet transmitted between the CU and the core network. Therefore, the CU sends the first uplink user plane data packet after the subsequent processing to the SGW.
- the SGW sends a first downlink user plane data packet to the CU.
- the CU sends the first downlink user plane data packet to the SwGW.
- the CU receives the first downlink user plane data packet from the SGW.
- the result of the negotiation between the CU and the UE is that the air interface between the CU and the UE needs to be encrypted by using the PDCP protocol, and the CU performs PDCP encryption processing on the first downlink data based on the negotiation result.
- the CU uses the first non-encrypted address as the destination address of the first downlink user plane data packet to complete the encapsulation of the GTP-U tunnel, and sends the encapsulated first downlink user plane data packet to the SeGW. .
- the SeGW determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
- the SeGW sends the first downlink user plane data packet to the DU.
- the SeGW After receiving the first downlink user plane data packet, the SeGW obtains the first non-encrypted address of the first downlink user plane data packet, and determines, according to the first non-encrypted address, that the IPSec protocol is not used.
- the first downlink user plane data packet is encrypted, and the first downlink user plane data packet is directly sent to the DU.
- the DU determines to decrypt the first downlink user plane data packet by using the IPSec protocol.
- the DU sends a first downlink user plane data packet to the UE.
- the DU After receiving the first downlink user plane data packet, the DU determines whether to use the IPSec protocol to decrypt the first downlink user plane data packet, and then performs the decapsulation of the GTP-U tunnel, including: the DU passes the first The format of the downlink user plane data packet determines that the first downlink user plane data packet is not decrypted by using the IPSec protocol, so the GTP-U tunnel is directly decapsulated for the first downlink user plane data packet. The first downlink user plane data packet after decapsulation is obtained. and
- Performing a subsequent processing on the decapsulated first downlink user plane data packet includes: sending the first downlink user plane data packet to the UE by using an air interface, so that the UE uses the PDCP protocol to The first downlink user plane data packet is decrypted to obtain the decrypted first downlink user plane data packet.
- the first uplink user plane data packet is transmitted from the UE to the SGW through steps 704 to 708b, and the first downlink user plane data packet is implemented from the SGW to the UE through steps 709a to 713.
- steps 704 to 708b may be performed first, or steps 709a to 713 may be performed first, or may be performed at the same time, which is not limited herein.
- FIG. 7c which specifically includes:
- the CU sends the second indication information to the DU.
- the second indication information sent by the CU to the DU in step 714 is similar to the second indication information sent by the CU to the DU in step 412 in the embodiment shown in FIG. 4a, specifically No longer.
- the CU sends the second indication information to the DU through the transit of the SeGW.
- the DU sends a second response message to the CU.
- the second response information sent by the CU to the DU in step 715 is similar to the second response information sent by the CU to the DU in step 413 in the embodiment shown in FIG. 4a, specifically No longer.
- the DU sends the second response information to the CU through the transit of the SeGW.
- the UE sends a second uplink user plane data packet to the DU.
- the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
- the steps 716 to 717 are similar to the steps 414 to 415 in the embodiment shown in FIG. 4b, and details are not described herein again.
- the DU sends a second uplink user plane data packet to the SeGW.
- the IPSec After the IPSec protocol is used to encrypt the second uplink user plane data packet, the IPSec encrypts the second uplink user plane data packet, and obtains the second uplink user plane encrypted by the IPSec protocol.
- the data packet is sent to the SeGW by the encrypted second uplink user plane data packet.
- the SeGW determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
- the SeGW After receiving the second uplink user plane data packet, the SeGW obtains the source address of the second uplink user plane data packet as the first encrypted address, and determines that the second uplink user plane data packet needs to be decrypted by using the IPSec protocol. .
- the SeGW sends a second uplink user plane data packet to the CU.
- the CU sends a second uplink user plane data packet to the SGW.
- the IPSec protocol decrypts the second uplink user plane data packet to obtain the decrypted second uplink user plane data packet, and then The decrypted second uplink user plane data packet is sent to the CU, so that the CU performs GTP-U tunnel decapsulation on the second uplink user plane data packet, and obtains the decapsulated second uplink user plane data packet.
- the CU performs subsequent processing on the decapsulated second uplink user plane data packet, where the subsequent processing may include: before sending the decapsulated second uplink user plane data packet to the core network,
- the decapsulated second uplink user plane data packet is encrypted to ensure the security of the second uplink user plane data packet transmitted between the CU and the core network.
- the SGW sends a second downlink user plane data packet to the CU.
- the CU sends a second downlink user plane data packet to the SeGW.
- the CU receives the second downlink user plane data packet from the core network.
- the CU determines, according to the negotiation result, that the second downlink user plane data packet is encrypted without using the PDCP protocol.
- the CU uses the first encrypted address as the destination address of the second downlink user plane data packet to complete the encapsulation of the GTP-U tunnel, and sends the encapsulated second downlink user plane data packet to the SeGW.
- the SeGW determines to encrypt the second downlink user plane data packet by using the IPSec protocol.
- the SeGW After receiving the second downlink user plane data packet sent by the CU, the SeGW obtains the destination address of the second downlink user plane data packet as the first encrypted address, and determines, according to the first encrypted address, that the IPSec protocol is used.
- the second downlink user plane data packet is encrypted.
- the SeGW sends a second downlink user plane data packet to the DU.
- the IPSec After the GWec uses the IPSec protocol to encrypt the second downlink user plane data packet, the IPSec encrypts the second downlink user plane data packet to obtain the encrypted second downlink user plane data packet. The encrypted second downlink user plane data packet is sent to the DU.
- the DU determines to decrypt the second downlink user plane data packet by using the IPSec protocol.
- the DU sends a second downlink user plane data packet to the UE.
- the DU After receiving the second downlink user plane data packet that is encrypted by the IPSec protocol, the DU decrypts the second downlink user plane data packet by using the IPSec protocol, and then decapsulates the GTP-U tunnel to obtain a solution.
- the DU performs subsequent processing on the decapsulated second downlink user plane data packet.
- the subsequent processing includes: sending the second downlink user plane data packet to the UE by using the air interface, and the UE does not need to use the PDCP protocol to decrypt the second downlink user plane data packet.
- the transmission of the second uplink data from the UE to the SGW is implemented through steps 716 to 720b, and the transmission of the second downlink data from the SGW to the UE is implemented through steps 721a to 725.
- steps 716 to 720b may be performed first, or steps 721a to 725 may be performed first, or may be performed at the same time, which is not limited herein.
- the PDCP encryption may be flexibly determined according to whether the UE air interface performs the IPSec encryption/decryption in the DU-SeGW, thereby reducing the CPU.
- the consumption of resources reduces costs.
- an embodiment of the method in the scenario 5 of the embodiment of the present application includes:
- the CU performs security negotiation with the UE to obtain a negotiation result.
- steps 802-813 in FIG. 8a are performed; if the negotiation result indicates that the air interface between the CU and the UE does not use the PDCP protocol. Encryption, then perform steps 814-825 in Figure 8b; the details are as follows:
- the CU sends the first indication information to the DU.
- the DU sends a first response message to the CU.
- the UE sends a first uplink user plane data packet to the DU.
- the steps 801 to 804 are similar to the steps 701 to 704 shown in FIG. 7b, and details are not described herein again.
- the DU determines to encrypt the first uplink user plane data packet by using the IPSec protocol.
- the step 805 is similar to the step 505 shown in FIG. 5a, and details are not described herein again.
- the DU sends a first uplink user plane data packet to the SeGW.
- the step 806 is similar to the step 706 shown in FIG. 7b, and details are not described herein again.
- the SeGW determines that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
- the SeGW may determine, according to the format of the first uplink user plane data packet, that the first uplink user plane data packet is not decrypted by using the IPSec protocol. .
- the SeGW sends a first uplink user plane data packet to the CU.
- the CU sends a first uplink user plane data packet to the SGW.
- the SGW sends the first downlink user plane data packet to the CU.
- the CU sends the first downlink user plane data packet to the SwGW.
- the SeGW determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
- the SeGW sends a first downlink user plane data packet to the DU.
- the DU determines to decrypt the first downlink user plane data packet by using the IPSec protocol.
- the DU sends a first downlink user plane data packet to the UE.
- the steps 808a to 813 are similar to the steps 708a to 713 shown in FIG. 7b, and are not limited herein.
- the CU sends the second indication information to the DU.
- the DU sends a second response message to the CU.
- the UE sends a second uplink user plane data packet to the DU.
- the steps 814 to 816 are similar to the steps 714 to 716 shown in FIG. 7c, which are not limited herein.
- the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
- the step 817 is similar to the step 515 shown in FIG. 5b, and details are not described herein again.
- the DU sends a second uplink user plane data packet to the SeGW.
- the step 818 is similar to the step 718 shown in FIG. 7c, which is not limited herein.
- the SeGW determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
- the SeGW After receiving the second uplink user plane data packet, the SeGW obtains the destination address of the second uplink user plane data packet as the second encrypted address, and determines the format of the second uplink user plane data packet, and uses IPSec. The protocol decrypts the second uplink user plane data packet.
- the SeGW sends a second uplink user plane data packet to the CU.
- the CU sends a second uplink user plane data packet to the SGW.
- the SGW sends a second downlink user plane data packet to the CU.
- the CU sends a second downlink user plane data packet to the SeGW.
- the SeGW determines to encrypt the second downlink user plane data packet by using the IPSec protocol.
- the SeGW sends a second downlink user plane data packet to the DU.
- the DU determines to use the IPSec protocol to decrypt the second downlink user plane data packet.
- the DU sends a second downlink user plane data packet to the UE.
- the steps 820a to 825 are similar to the steps 720a to 725 shown in FIG. 7c, which are not limited herein.
- the second interface of the CU side may be configured with the second encrypted address and the second unencrypted address to distinguish whether the IPSec encrypted user plane data stream is required, and The achievable manner of the embodiment of the present application.
- an embodiment of the method in the scenario 6 of the embodiment of the present application includes:
- the CU performs security negotiation with the UE to obtain a negotiation result.
- steps 902-913 in FIG. 9a are performed; if the negotiation result indicates that the air interface between the CU and the UE does not use the PDCP protocol. Encryption, then steps 914-925 in Figure 9b are performed; the details are as follows:
- the CU sends the first indication information to the DU.
- the DU sends a first response message to the CU.
- the UE sends a first uplink user plane data packet to the DU.
- the DU determines to encrypt the first uplink user plane data packet by using the IPSec protocol.
- the steps 901 to 905 are similar to the steps 601 to 605 shown in FIG. 6a, and details are not described herein again.
- the DU sends a first uplink user plane data packet to the SeGW.
- the SeGW determines that the first uplink user plane data packet is not decrypted by using the IPSec protocol.
- the SeGW sends a first uplink user plane data packet to the CU.
- the CU sends a first uplink user plane data packet to the SGW.
- the steps 906 to 908b are similar to the steps 806 to 808b shown in FIG. 8a, and details are not described herein again.
- the SGW sends a first downlink user plane data packet to the CU.
- the CU sends the first downlink user plane data packet to the SwGW.
- the CU When the SGW needs to send the first downlink user plane data packet to the UE through the CU and the DU, the CU receives the first downlink user plane data packet from the core network. If the result of the negotiation between the CU and the UE is that the air interface between the CU and the UE needs to be encrypted by using the PDCP protocol, the CU needs to perform PDCP encryption processing on the first downlink data.
- the CU uses the second unencrypted address as the source address of the first downlink user plane data packet to complete the encapsulation of the GTP-U tunnel, and directly sends the encapsulated first downlink user plane data packet.
- SeGW the second unencrypted address
- the SeGW determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol.
- the SeGW determines that the first downlink user plane data packet is not encrypted by using the IPSec protocol, and the CU determines in step 608 of FIG. 6a that the IPSec protocol is not used for the first downlink user.
- the manner in which the data packets are encrypted is similar, and details are not described here.
- the SeGW sends the first downlink user plane data packet to the DU.
- the SeGW determines that the first downlink user plane data packet is not directly encrypted by using the IPSec protocol, and the first downlink user plane data packet is directly sent to the DU.
- the DU determines to decrypt the first downlink user plane data packet by using the IPSec protocol.
- the DU sends a first downlink user plane data packet to the UE.
- the steps 912 to 913 are similar to the steps 610 to 611 shown in FIG. 6a, and details are not described herein again.
- FIG. 9b which specifically includes:
- the CU sends the second indication information to the DU.
- the DU sends a second response message to the CU.
- the UE sends a second uplink user plane data packet to the DU.
- the DU determines to encrypt the second uplink user plane data packet by using the IPSec protocol.
- the steps 914 to 917 are similar to the steps 612 to 615 shown in FIG. 6b, and details are not described herein again.
- the DU sends a second uplink user plane data packet to the SeGW.
- the SeGW determines to decrypt the second uplink user plane data packet by using the IPSec protocol.
- the SeGW sends a second uplink user plane data packet to the CU.
- the CU sends a second uplink user plane data packet to the SGW.
- the steps 918 to 920b are similar to the steps 818 to 820b shown in FIG. 8b, and details are not described herein again.
- the SGW sends a second downlink user plane data packet to the CU.
- the CU sends a second downlink user plane data packet to the SeGW.
- the step 921a is similar to the step 821a shown in FIG. 8b, and details are not described herein again.
- the manner in which the CU sends the second downlink user plane data packet to the SeGW in step 921b is similar to the manner in which the CU sends the second downlink user plane data packet to the DU in the step 619 shown in FIG. 6b, and details are not described herein again.
- the SeGW determines to use the IPSec protocol to encrypt the second downlink user plane data packet.
- the SeGW determines the manner of encrypting the second downlink user plane data packet by using the IPSec protocol, and the step 618 shown in FIG. 6b determines that the IPSec protocol uses the IPSec protocol to the second downlink user plane data packet.
- the manner of encryption is similar, and will not be described here.
- the SeGW sends a second downlink user plane data packet to the DU.
- the SeGW determines to use the IPSec protocol to encrypt the second downlink user plane data packet, and then sends the encrypted second downlink user plane data packet to the DU.
- the DU determines to decrypt the second downlink user plane data packet by using the IPSec protocol.
- the DU sends a second downlink user plane data packet to the UE.
- the steps 924 to 925 are similar to the steps 824 to 825 shown in FIG. 8b, and are not limited herein.
- the second interface and the second unencrypted address may be configured on the second interface on the CU side to distinguish whether the IPSec encrypted user plane data stream is required.
- the achievable manner of the embodiment of the present application is added.
- the information transmission method in the embodiment of the present application is described above.
- the following describes the central unit in the embodiment of the present application.
- the central unit may perform the foregoing method.
- the operation of the CU in the embodiment, the CU includes:
- the first transceiver unit 1001 is configured to perform security negotiation with the user equipment UE to obtain a negotiation result, where the negotiation result is used to indicate whether an air interface between the CU and the UE is encrypted by using a packet data convergence layer PDCP protocol;
- the second transceiver unit 1002 is configured to send a first message to the distributed unit DU.
- the negotiation result indicates that the air interface is encrypted by using the PDCP protocol
- the first message is used to indicate that the user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Secure IPSec protocol.
- the DU is provided with a first interface, where the first interface is an interface for the DU to perform user plane communication with the CU; An address and a first non-encrypted address, where the first encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol; and the first non-encrypted address is used to indicate that the IPSec protocol is not used. Adding/decrypting the user plane data message;
- the second transceiver unit 1002 is further configured to:
- the CU further includes:
- the processing unit 1003 is configured to encrypt the downlink user plane data packet by using the PDCP protocol, and set the destination address of the downlink user plane data packet to the first unencrypted address;
- the determining unit 1004 is configured to determine, according to the first unencrypted address, that the downlink user plane data packet is not encrypted by using the IPSec protocol;
- the second transceiver unit 1002 is further configured to send the downlink user plane data packet to the DU.
- the first message is used to indicate that the user plane bearer is encrypted by using the IPSec protocol.
- the first response message is used to indicate that the address carried by the user plane on the DU end is the first encrypted address.
- the CU when the negotiation result indicates that the air interface is encrypted by using the PDCP protocol, and the communication between the CU and the DU passes through a security gateway SeGW, the CU also includes:
- the processing unit 1003 is further configured to: encrypt, by using the PDCP protocol, a downlink user plane data packet; and set a destination address of the downlink user plane data packet to the first unencrypted address;
- the third transceiver unit 1005 is configured to send the downlink user plane data packet to the SeGW.
- the CU has a second interface, where the second interface is an interface for the CU to perform user plane communication with the DU; and the second interface is configured with a second encryption.
- An address and a second unencrypted address where the second encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol; and the second non-encrypted address is used to indicate that the IPSec protocol is not used. Add/decrypt the user plane data message.
- the distributed unit may perform the operation of the DU in the foregoing method embodiment, where the DU includes:
- the first transceiver unit 1101 is configured to receive a first message sent by the CU when the air interface between the central unit CU and the user equipment UE is encrypted by using a packet data convergence layer PDCP protocol, where the first message is used to indicate The user plane bearer between the CU and the DU is not encrypted using the Internet Protocol Secure IPSec protocol.
- the DU is provided with a first interface, where the first interface is an interface for the DU to perform user plane communication with the CU; An address and a first non-encrypted address, where the first encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol; and the first non-encrypted address is used to indicate that the IPSec protocol is not used. Adding/decrypting the user plane data message;
- the first transceiver unit 1101 is further configured to:
- the DU when the air interface is encrypted by using the PDCP protocol, the DU further includes:
- the second transceiver unit 1103 is further configured to receive an uplink user plane data packet sent by the UE.
- the processing unit 1104 is configured to: set a source address of the uplink user plane data packet to the first unencrypted address;
- the determining unit 1102 is configured to determine, according to the first unencrypted address, that the uplink user plane data packet is not encrypted by using the IPSec protocol;
- the first transceiver unit 1101 is further configured to send the uplink user plane data packet to the CU.
- the DU when the air interface is encrypted by using the PDCP protocol, and the communication between the DU and the CU passes through the SeGW, the DU further includes:
- the second transceiver unit 1103 is further configured to receive an uplink user plane data packet sent by the UE;
- the processing unit 1104 is further configured to: set a source address of the uplink user plane data packet to the first unencrypted address;
- the determining unit 1102 is further configured to: determine, according to the first unencrypted address, that the uplink user plane data packet is encrypted by using the IPSec protocol;
- the third transceiver unit 1105 is configured to send the uplink user plane data packet to the SeGW.
- the CU has a second interface, where the second interface is an interface for the CU to perform user plane communication with the DU; and the second interface is configured with a second encryption.
- An address and a second unencrypted address where the second encrypted address is used to indicate that the user plane data packet is encrypted/decrypted using the IPSec protocol; and the second non-encrypted address is used to indicate that the IPSec protocol is not used.
- the DU further includes:
- the second transceiver unit 1103 is further configured to receive an uplink user plane data packet sent by the UE.
- the processing unit 1104 is further configured to set a destination address of the uplink user plane data packet to the second unencrypted address;
- the determining unit 1102 is further configured to: determine, according to the second unencrypted address, that the uplink user plane data packet is encrypted by using the IPSec protocol;
- the first transceiver unit 1101 is further configured to send the uplink user plane data packet to the CU.
- the CU and the DU in the embodiment of the present application are described in detail from the perspective of the modular functional entity, and the CU and the DU in the embodiment of the present application are described in detail below.
- Figure 12 shows a possible schematic diagram of a communication device.
- the communication device 1200 includes a processing unit 1202 and a communication unit 1203.
- the processing unit 1202 is configured to control and manage the operation of the communication device.
- the communication device 1200 can also include a storage unit 1201 for storing program codes and data required by the communication device.
- the communication device can be the CU described above.
- the processing unit 1202 is configured to support the CU to perform step 401, steps 407a and 408b in FIG. 4a, step 401, step 417a and step 418b in FIG. 4b, step 501, steps 507a and 508b in FIG. 5a, in FIG. 5b Step 501, step 517a and step 518b, steps 601, 607a and 608b in Fig. 6a, step 601, step 617a and step 618b in Fig. 6b, and/or other processes for the techniques described herein.
- the communication unit 1203 is configured to support communication between the CU and other devices.
- the communication unit 1203 is configured to support the CU to perform steps 402 to 403, step 406, step 407b, step 408a, and step 409 in FIG. 4a, step 412 in FIG. 4b. 413, 416, 417b, 418a and 419, steps 502 to 503, 506, 507b, 508a and 509 in FIG. 5a, steps 512 to 513, 516, 517b in FIG. 5b Step 518a and step 519, steps 602 to 603, step 606, step 607b, step 608a and step 609 in Fig. 6a, steps 612 to 613, step 616, step 617b, step 618a and step 619 in Fig. 6a, steps 612 to 613, step 616, step 617b, step 618a and step 619 in Fig.
- the communication device can be the DU described above.
- the processing unit 1202 is configured to support the DU to perform step 405, step 410 in FIG. 4a, step 415 in step 4b, step 420, step 505 in step 5a, step 510, step 515 in step 5b, step 520, Step 605 in step 6a, step 610, step 615 in step 6b, step 620, step 705 in step 7b, step 712, step 717 in step 7c, step 724, step 805 in step 8a, step 812, Step 817, step 824, step 905, step 912 of Figure 9a, step 917, step 924 of Figure 9b, and/or other processes for the techniques described herein.
- the communication unit 1203 is configured to support communication of the DU with other devices.
- the communication unit 1203 is configured to support the DU to perform steps 402 to 404, step 406, step 409, and step 411 in FIG. 4a, steps 412 to 414 in FIG. 4b.
- the processing unit 1202 may be a processor or a controller, for example, may be a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), and an application-specific integrated circuit (application-specific). Integrated circuit (ASIC), field programmable gate array (FPGA) or other programmable logic device, transistor logic device, hardware component, or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
- the processor can also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
- the communication unit 1203 may be a communication interface, a transceiver, a transceiver circuit, etc., wherein the communication interface is a collective name and may include one or more interfaces, such as a transceiver interface.
- the storage unit 701 can be a memory.
- the processing unit 1202 can be a processor, the communication unit 1203 can be a communication interface, and when the storage unit 1201 can be a memory, as shown in FIG. 13, the communication device 1310 includes a processor 1312, a communication interface 1313, and a memory 1311. Alternatively, the communication device 1310 may further include a bus 1314.
- the communication interface 1313, the processor 1312, and the memory 1311 may be connected to each other through a bus 1314; the bus 1314 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA). Bus, etc.
- PCI peripheral component interconnect
- EISA extended industry standard architecture
- Bus 1314 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 13, but it does not mean that there is only one bus or one type of bus.
- communication device 1310 can be used to indicate the steps of the CU described above. In another embodiment, communication device 1310 can be used to indicate the steps of DU described above. I will not repeat them here.
- the embodiment of the present application further provides a system, as shown in FIG. 14 , which is a schematic structural diagram of a possible system provided by the present application.
- the system may include one or more central processing unit 1422 and memory 1432, one or more.
- a storage medium 1430 of storage application 1442 or data 1444 (eg, one or one storage device in Shanghai).
- the memory 1432 and the storage medium 1430 may be short-term storage or persistent storage.
- Programs stored on storage medium 1430 may include one or more modules (not shown), each of which may include a series of instruction operations in the system.
- central processor 1422 can be configured to communicate with storage medium 1430, executing a series of instruction operations in storage medium 1430 on system 1400.
- System 1400 can also include one or more power sources 1426, one or more wired or wireless network interfaces 1450, one or more input and output interfaces 1458, and/or one or more operating systems 1441, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
- operating systems 1441 such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
- the computer program product includes one or more computer instructions.
- the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
- the computer instructions can be stored in a computer readable storage medium or transferred from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions can be from a website site, computer, server or data center Transmission to another website site, computer, server or data center via wired (eg coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (eg infrared, wireless, microwave, etc.).
- wired eg coaxial cable, fiber optic, digital subscriber line (DSL)
- wireless eg infrared, wireless, microwave, etc.
- the computer readable storage medium can be any available media that can be stored by a computer or a data storage device such as a server, data center, or the like that includes one or more available media.
- the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (such as a solid state disk (SSD)) or the like.
- the disclosed system, apparatus, and method may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the division of the unit is only a logical function division.
- there may be another division manner for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed.
- the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
- the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
- a computer readable storage medium A number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application.
- the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store program codes. .
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Small-Scale Networks (AREA)
Abstract
L'invention concerne un procédé de transmission d'informations et un dispositif associé. Ceux-ci sont utilisés pour réduire la consommation de ressources d'un CPU et réduire le coût tout en assurant la sécurité des données. Le procédé selon les modes de réalisation de la présente invention comporte les étapes suivantes: une unité centrale (CU) réalise une négociation de sécurité avec un équipement d'utilisateur (UE) pour obtenir un résultat de négociation, le résultat de négociation étant utilisé pour indiquer si une interface radio entre la CU et l'UE est cryptée à l'aide d'un protocole de convergence de données par paquets (PDCP); et la CU envoie un premier message à une unité distribuée (DU), le premier message indiquant, lorsque le résultat de négociation indique que l'interface radio est crypté à l'aide du protocole PDCP, qu'un support de plan d'utilisateur entre la CU et la DU n'est pas cryptée à l'aide d'un protocole de type protocole de sécurité Internet (IPSec).
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810391847.5 | 2018-04-26 | ||
CN201810391847.5A CN110417708B (zh) | 2018-04-26 | 2018-04-26 | 一种信息传输方法以及相关设备 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019205934A1 true WO2019205934A1 (fr) | 2019-10-31 |
Family
ID=68293500
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/082017 WO2019205934A1 (fr) | 2018-04-26 | 2019-04-10 | Procédé de transmission d'informations et dispositif associé |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110417708B (fr) |
WO (1) | WO2019205934A1 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111757322B (zh) * | 2020-06-19 | 2023-11-17 | 兴唐通信科技有限公司 | 基站密码服务中心化的蜂窝移动通信网保护方法及系统 |
CN113438178B (zh) * | 2021-06-22 | 2023-04-18 | 北京天融信网络安全技术有限公司 | 报文转发方法、装置、计算机设备和存储介质 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107079023A (zh) * | 2014-10-29 | 2017-08-18 | 高通股份有限公司 | 用于下一代蜂窝网络的用户面安全 |
WO2017171925A1 (fr) * | 2016-03-31 | 2017-10-05 | Intel IP Corporation | Maintien d'une connexion wifi pendant le transfert intercellulaire d'un équipement utilisateur dans un réseau d'évolution à long terme (lte) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070258591A1 (en) * | 2006-05-05 | 2007-11-08 | Interdigital Technology Corporation | Ciphering control and synchronization in a wireless communication system |
CN102246552B (zh) * | 2009-09-27 | 2014-12-03 | 华为技术有限公司 | 信令传输方法和装置 |
CN106714153B (zh) * | 2015-11-13 | 2022-06-10 | 华为技术有限公司 | 密钥分发、生成和接收方法以及相关装置 |
-
2018
- 2018-04-26 CN CN201810391847.5A patent/CN110417708B/zh active Active
-
2019
- 2019-04-10 WO PCT/CN2019/082017 patent/WO2019205934A1/fr active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107079023A (zh) * | 2014-10-29 | 2017-08-18 | 高通股份有限公司 | 用于下一代蜂窝网络的用户面安全 |
WO2017171925A1 (fr) * | 2016-03-31 | 2017-10-05 | Intel IP Corporation | Maintien d'une connexion wifi pendant le transfert intercellulaire d'un équipement utilisateur dans un réseau d'évolution à long terme (lte) |
Non-Patent Citations (1)
Title |
---|
VODAFONE: "High Layer Functional Spilt with Separated Control and User Planes", 3GPP TSG-RAN WG3 #95BIS, R?????, 7 April 2017 (2017-04-07) * |
Also Published As
Publication number | Publication date |
---|---|
CN110417708A (zh) | 2019-11-05 |
CN110417708B (zh) | 2021-04-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR102441359B1 (ko) | 암호화된 클라이언트 디바이스 컨텍스트들에 의한 네트워크 아키텍처 및 보안 | |
USRE48631E1 (en) | Method and system for selective protection of data exchanged between user equipment and network | |
CN111835767B (zh) | 在用户装备之间执行设备到设备通信的方法 | |
US9686787B2 (en) | Pooled transport and control functions in a 3GPP LTE network | |
US9226142B2 (en) | Mobile communication system, communication control method, and radio base station | |
WO2018202102A1 (fr) | Procédé de transmission de données et dispositif de communication | |
KR20110090812A (ko) | 이동 통신 시스템에서 pdcp 기능을 선택적으로 적용하는 방법 | |
JP2018537912A5 (fr) | ||
TW201828736A (zh) | 基地台以及可在兩基地台間切換的通訊裝置 | |
US10742476B2 (en) | Data packet processing method and device | |
JP4344750B2 (ja) | 無線局の暗号化及び復号化をインラインする方法及び装置 | |
WO2020001355A1 (fr) | Procédé et dispositif pour éviter la fragmentation de paquets | |
TW201705780A (zh) | 具有加密的網路可達性上下文的網路架構和安全 | |
WO2019205934A1 (fr) | Procédé de transmission d'informations et dispositif associé | |
US20130242765A1 (en) | Error detection | |
EP3654579A1 (fr) | Procédés et dispositifs pour fournir un code d'authentification de message approprié pour des messages courts | |
WO2017088194A1 (fr) | Procédé et entité de traitement de messages de signalisation | |
JP4843660B2 (ja) | 無線通信システムのpdcp層においてデータを暗号化する方法及び装置 | |
US9397831B2 (en) | Encrypted communication device and method for performing encrypted communication while reducing traffic in communication system | |
US12028747B2 (en) | Methods and apparatus for reducing communications delay | |
WO2021238813A1 (fr) | Procédé et appareil d'obtention de clé | |
EP3881490B1 (fr) | Procédés et dispositifs pour fournir un code d'authentification de message approprié pour des messages courts | |
WO2018228444A1 (fr) | Procédé et terminal de gestion de connexion et dispositif de réseau d'accès radio | |
US20240357423A1 (en) | Methods and apparatus for reducing communications delay | |
CN108391252B (zh) | 一种数据包处理方法和装置 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19791683 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 19791683 Country of ref document: EP Kind code of ref document: A1 |