WO2019223697A1 - Communication method, terminal device and core network device - Google Patents

Communication method, terminal device and core network device

Publication number: WO2019223697A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2019/087839
Other languages: French (fr)
Inventor: Yang Xu
Original assignee: Guangdong Oppo Mobile Telecommunications Corp., Ltd.
Priority application: CN201980003697.9A (published as CN110999256B)
Prior art keywords: terminal device, core network, network device, information, signaling message

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/24 Negotiation of communication capabilities
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions

Definitions

  • Embodiments of the present application relate generally to the field of communication, and, more particularly, to a communication method, a terminal device, and a core network device.
  • HTTP HyperText Transfer Protocol
  • TLS Transport Layer Security
  • a user equipment or a core network device may support one or more of these methods, and thus it is possible that a mismatch on use of a method of encrypted traffic detection occurs between a user equipment and a core network device.
  • Embodiments of the present application provide a communication method and device which enables a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network device so as to avoid a mismatch on the use.
  • a communication method comprising: sending, by a terminal device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device to a core network device;
  • second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device, which is determined by the core network device based on the first information
  • a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network device can be enabled by sending information about methods supported by the terminal device to the core network device, determining the method to be used based on the information by the core network device and informing the terminal device of the determined method to be used, through which a mismatch on use of the methods can be avoided.
  • sending, by a terminal device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device to a core network device comprises: including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device;
  • including the first information in an uplink signaling message to be sent to the core network device comprises: including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during at least one of the following procedures:
  • the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
  • the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
  • the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
  • the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
  • receiving from the core network device, by the terminal device, second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device comprises:
  • receiving from the core network device, by the terminal device, a downlink signaling message including the second information comprises:
  • in a case of receiving the downlink signaling message including the second information during the registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure sent from the core network device to the terminal device.
  • in a case of receiving the downlink signaling message including the second information during the attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure sent from the core network device to the terminal device.
  • in a case of receiving the downlink signaling message including the second information during the PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure sent from the core network device to the terminal device.
  • in a case of receiving the downlink signaling message including the second information during the PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure sent from the core network device to the terminal device.
  • the first information indicates at least one of the following:
  • the first information indicates priorities of the one or more methods determined by the terminal device.
  • the method of encrypted traffic detection to be used is selected by the core network device from the one or more methods indicated in the first information.
  • a communication method comprising:
  • a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network device can be enabled by sending information about methods supported by the terminal device to the core network device, determining the method to be used based on the information by the core network device and informing the terminal device of the determined method to be used, through which a mismatch on use of the methods can be avoided.
  • receiving from a terminal device, by a core network device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device comprises:
  • receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device comprises:
  • in a case of receiving the uplink signaling message including the first information during the registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure sent from the terminal device to the core network device.
  • in a case of receiving the uplink signaling message including the first information during the attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure sent from the terminal device to the core network device.
  • in a case of receiving the uplink signaling message including the first information during the PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure sent from the terminal device to the core network device.
  • in a case of receiving the uplink signaling message including the first information during the PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure sent from the terminal device to the core network device.
  • sending, by the core network device, second information indicating the method of encrypted traffic detection to be used to the terminal device comprises: including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device;
  • including the second information in a downlink signaling message to be sent to the terminal device comprises: including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device during at least one of the following procedures:
  • in a case of including the second information in a downlink signaling message to be sent during the registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
  • in a case of including the second information in a downlink signaling message to be sent during the attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
  • in a case of including the second information in a downlink signaling message to be sent during the PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure to be sent from the core network device to the terminal device.
  • in a case of including the second information in a downlink signaling message to be sent during the PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
  • the first information indicates at least one of the following:
  • the first information indicates priorities of the one or more methods of encrypted traffic detection determined by the terminal device.
  • determining, by the core network device, a method of encrypted traffic detection to be used in a communication with the terminal device based on the first information comprises:
  • comparing, by the core network device, the one or more methods indicated in the first information with one or more methods supported by the core network device; and selecting, by the core network device, at least one of the methods indicated in the first information which matches one of the methods supported by the core network device, as the method of encrypted traffic detection to be used.
  • the method further comprises: performing, by the core network device, a processing according to the method of encrypted traffic detection to be used.
  • a communication method comprising: sending, by a core network device, first information indicating one or more methods of encrypted traffic detection to a terminal device, which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
  • a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network device can be enabled by sending information about candidates for a method of encrypted traffic detection to be used to the terminal device, determining the method to be used based on the information by the terminal device and informing the core network device of the determined method to be used, through which a mismatch on use of the methods can be avoided.
  • sending, by a core network device, first information indicating one or more methods of encrypted traffic detection to a terminal device comprises: including, by the core network device, the first information in a downlink signaling message to be sent to the terminal device;
  • including the first information in a downlink signaling message to be sent to the terminal device comprises: including, by the core network device, the first information in a user equipment configuration update request to be sent to the terminal device during a user equipment configuration update procedure,
  • receiving from the terminal device, by the core network device, second information indicating the method of encrypted traffic detection to be used in the communication with the terminal device comprises:
  • the first information indicates priorities of the one or more methods of encrypted traffic detection determined by the core network device.
  • the method of encrypted traffic detection to be used is selected by the terminal device from the one or more methods of encrypted traffic detection indicated in the first information.
  • a communication method comprising: receiving from a core network device, by a terminal device, first information indicating one or more methods of encrypted traffic detection which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
  • a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network device can be enabled by sending information about candidates for a method of encrypted traffic detection to be used to the terminal device, determining the method to be used based on the information by the terminal device and informing the core network device of the determined method to be used, through which a mismatch on use of the methods can be avoided.
  • receiving from a core network device, by a terminal device, first information indicating one or more methods of encrypted traffic detection comprises:
  • a user equipment configuration update request including the first information sent from the core network device during a user equipment configuration update procedure.
  • determining, by the terminal device, the method of encrypted traffic detection to be used in the communication with the terminal device based on the first information comprises:
  • sending, by the terminal device, second information indicating the method of encrypted traffic detection to be used to the core network device comprises: including, by the terminal device, the second information in an uplink signaling message to be sent to the core network device;
  • including the second information in an uplink signaling message to be sent to the core network device comprises: including, by the terminal device, the second information in an acknowledgement message for a user equipment configuration update request during a user equipment configuration update procedure.
  • the first information indicates priorities of the one or more methods of encrypted traffic detection indicated in the first information.
  • a terminal device comprising units for performing methods in the first aspect or possible implementations thereof, or in the fourth aspect or possible implementations thereof.
  • a core network device comprising units for performing methods in the second aspect or possible implementations thereof, or in the third aspect or possible implementations thereof.
  • a terminal device comprising a processor and a transceiver, wherein the processor is configured to perform methods in the first aspect or possible implementations thereof based on the transceiver, or to perform methods in the fourth aspect or possible implementations thereof based on the transceiver.
  • a core network device comprising a processor and a transceiver, wherein the processor is configured to perform methods in the second aspect or possible implementations thereof based on the transceiver, or to perform methods in the third aspect or possible implementations thereof based on the transceiver.
  • a computer-readable medium used for storing a program code, wherein the program code comprises instructions for performing methods in any one of the first, second, third or fourth aspect or possible implementations thereof.
  • a system on chip comprising a processor and a memory, wherein the processor is configured to perform a code in the memory and to implement methods in any one of the first, second, third or fourth aspect or possible implementations thereof when the code is executed.
  • Fig. 1 is a schematic diagram of a communication system according to embodiments of the present application.
  • Fig. 2 is a schematic flow chart of a communication method 200 according to an embodiment of the present application.
  • Fig. 3 is a schematic diagram of a registration/attach procedure according to an embodiment of the present application.
  • Fig. 4 is a schematic diagram of a PDU session establishment/modification procedure according to an embodiment of the present application.
  • Fig. 5 is a schematic diagram of a communication method 500 according to an embodiment of the present application.
  • Fig. 6 is a schematic block diagram of a terminal device 600 according to an embodiment of the present application.
  • Fig. 7 is a schematic block diagram of a core network device 700 according to an embodiment of the present application.
  • Fig. 8 is a schematic block diagram of a terminal device 800 according to another embodiment of the present application.
  • Fig. 9 is a schematic block diagram of a core network device 900 according to another embodiment of the present application.
  • Fig. 10 is a schematic block diagram of a terminal device 1000 according to an embodiment of the present application.
  • Fig. 11 is a schematic block diagram of a core network device 1100 according to an embodiment of the present application.
  • Fig. 12 is a schematic block diagram of a system on chip 1200 according to an embodiment of the present application.
  • Embodiments of the present application can be applied in various kinds of communication systems such as Global System of Mobile (GSM) communication system, Code Division Multiple Access (CDMA) system, Wideband Code Division Multiple Access (WCDMA) system, General Packet Radio Service (GPRS) , Long Term Evolution (LTE) system, LTE Frequency Division Duplex (FDD) system, LTE Time Division Duplex (TDD) , Universal Mobile Telecommunication System (UMTS) , Worldwide Interoperability for Microwave Access (WiMAX) communication system, a 5G system, a future evolved PLMN (Public Land Mobile Network) , and so on.
  • GSM Global System of Mobile
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • GPRS General Packet Radio Service
  • LTE Long Term Evolution
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • UMTS Universal Mobile Telecommunication System
  • WiMAX Worldwide Interoperability for Microwave Access
  • Fig. 1 illustrates a wireless communication system 100 applied in embodiments of the present application.
  • the wireless communication system 100 may include one or more terminal devices 120, a core network 130 and one or more core network devices 110 located in the core network 130.
  • Three terminal devices 120 are illustrated in Fig. 1 as examples of a terminal device used in embodiments of the present application, and two core network devices 110 are illustrated in Fig. 1 as examples of a core network device used in embodiments of the present application.
  • Each of the one or more terminal devices 120 is capable of accessing the core network 130 for example through an access network and communicating with the one or more core network devices 110.
  • the core network device 110 may be a communication device in a core network of a wireless communication system as described above, which enables or supports some of the functions of the core network.
  • the core network device 110 may be a function entity (such as an AMF (Access and Mobility Management Function) or a PCF (Policy Control Function)) of the core network in the 5G system.
  • AMF Access and Mobility Management Function
  • PCF Policy Control Function
  • the terminal device 120 may be moving or stationary.
  • the terminal device 120 may be an access terminal, a UE (User Equipment) , a user unit, a user station, a mobile radio station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user device.
  • UE User Equipment
  • An access terminal may be a cell phone, a cordless phone, an SIP (Session Initiation Protocol) phone, a WLL (Wireless Local Loop) station, a PDA (Personal Digital Assistant) , a hand-held device with a wireless communication function, a computing device or other processing devices connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, a terminal device in a future evolved PLMN (Public Land Mobile Network) , or the like.
  • a 5G system or network may also be called an NR (New Radio) system or network.
  • the wireless communication system 100 may further include other network entities such as a network controller, a mobility management entity, and the like. Embodiments of the present application do not have any limit on this.
  • the terms "system" and "network" herein are interchangeable.
  • the term “and/or” herein only describes an association relationship between associated objects and indicates that there may be three relationships. For example, A and/or B may indicate that there are three cases where A exists separately, A and B exist at the same time, and B exists separately.
  • the character “/” herein generally indicates that an “or” relationship exists between associated objects.
  • to send/sending in the present application means directly sending from one party to the other, or indirectly sending between the two, for example by means of forwarding by a third party.
  • to receive/receiving in the present application means directly receiving from one party, or indirectly receiving from the party, for example by means of forwarding by a third party.
  • Type I UE (User Equipment) assisted Control-plane based method
  • In the Type I method, upon the specific application data appearing, the UE reports the application ID and the corresponding filter information to the network (such as a core network), which then detects the following traffic. This needs coordination between the 3rd party and the UE. To realize it, some new functionalities such as ETRF (Encrypted Traffic Reporting), ETDF (Encrypted Traffic Detection Function) and ETD (Encrypted Traffic Detection) are introduced.
  • ETRF Encrypted Traffic Reporting
  • ETDF Encrypted Traffic Detection Function
  • ETD Encrypted Traffic Detection
  • Type II UE assisted User-plane based method
  • In the Type II method, upon the specific application data appearing, the UE adds a Token/AppKey into the first user-plane packet.
  • the Token can be possibly added in some parts, for example, in the TCP header by using a new TCP Option, in the TLS header by using a new TLS Extension Type, in a new IPv6 Extension Header, or in an Extended header between PDCP and IP layer.
  • the 3rd party function will provide Application ID list to be detected and Token related material to network and UE.
  • the UE may derive the Token based on the Token related material and add it in the user-plane packet for network to detect.
  • Type III Network based method
  • the 3rd party will inform the network of the application ID and the corresponding characteristics of the encrypted traffic flow including IP-Tuple, SNI, etc. and then the network will install the filter accordingly to perform the encrypted traffic detection.
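  • The following is an added example, not code from the patent, showing the two user-plane-visible pieces described above in one place: a UE deriving a Type II token from the 3rd party's token-related material and carrying it in a TLS extension of the first packet, and a network-side ETDF that verifies that token and, failing that, applies the Type III filter on the SNI of the same ClientHello. The page specifies neither the token derivation nor the extension number, so this example assumes HMAC-SHA256 over the application ID, truncated to 16 bytes, in a private-use TLS extension type; the ClientHello bytes and the filters are constructed for the example.

```python
"""Type II token in a TLS ClientHello extension, and the Type III SNI filter on
the same ClientHello.

Added example, not code from the patent.  Assumptions: the token is
HMAC-SHA256 over the application ID under the 3rd party's token-related
material, truncated to 16 bytes; it rides in a private-use TLS extension
type; all bytes below are constructed for the example."""
import hashlib
import hmac
import struct

SNI_EXT_TYPE = 0x0000
TOKEN_EXT_TYPE = 0xFFA5   # private-use range of the TLS ExtensionType registry (assumption)


def derive_token(token_material: bytes, app_id: str) -> bytes:
    """UE and ETDF derive the same token from the token-related material.  A keyed
    MAC bound to the app ID means another app cannot mint a token for this one."""
    return hmac.new(token_material, app_id.encode(), hashlib.sha256).digest()[:16]


def build_client_hello(sni: str, extra_exts=()) -> bytes:
    """Minimal ClientHello record with an SNI extension plus extra (type, data)
    extensions; random and session fields are fixed placeholders."""
    name = sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = [(SNI_EXT_TYPE, sni_body), *extra_exts]
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = (b"\x03\x03" + bytes(32)                # client_version, random
            + b"\x00"                             # empty session_id
            + b"\x00\x02\x13\x01"                 # one cipher suite
            + b"\x01\x00"                         # null compression
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec: bytes) -> dict:
    """Return {ext_type: ext_data} for a ClientHello record.  Every length is
    checked; a truncated or non-ClientHello record raises ValueError so the
    detector can treat it as 'no decision' rather than a match."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    hs_len = int.from_bytes(rec[6:9], "big")
    body = rec[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake")
    try:
        p = 2 + 32                                     # client_version, random
        p += 1 + body[p]                               # session_id
        p += 2 + struct.unpack_from("!H", body, p)[0]  # cipher_suites
        p += 1 + body[p]                               # compression_methods
        end = p + 2 + struct.unpack_from("!H", body, p)[0]
        p += 2
        if end > len(body):
            raise ValueError("truncated extensions")
        exts = {}
        while p < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, p)
            p += 4
            if p + ext_len > end:
                raise ValueError("truncated extension")
            exts[ext_type] = body[p:p + ext_len]
            p += ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return exts


def sni_from_ext(data: bytes) -> str:
    """First host_name entry of the server_name extension."""
    if len(data) < 5 or data[2] != 0:
        raise ValueError("no host_name entry")
    n = struct.unpack_from("!H", data, 3)[0]
    if 5 + n > len(data):
        raise ValueError("truncated host_name")
    return data[5:5 + n].decode("ascii")


def etdf_detect(rec: bytes, app_filters: dict, token_material: bytes):
    """Network side.  `app_filters` maps app ID to the SNI names the 3rd party
    supplied as the flow's characteristics (Type III).  A verified token (Type II)
    decides first; an invalid token is ignored, not trusted, and the SNI filter
    still runs so a bogus token cannot suppress detection.  Returns
    (app_id, method) or None."""
    try:
        exts = parse_client_hello(rec)
        sni = sni_from_ext(exts[SNI_EXT_TYPE]) if SNI_EXT_TYPE in exts else None
    except ValueError:
        return None
    token = exts.get(TOKEN_EXT_TYPE)
    if token is not None:
        for app_id in app_filters:
            if hmac.compare_digest(token, derive_token(token_material, app_id)):
                return app_id, "type-II-token"
    if sni:
        for app_id, names in app_filters.items():
            if any(sni == n or sni.endswith("." + n) for n in names):
                return app_id, "type-III-sni"
    return None
```

  • Two choices in the detector are worth keeping when adapting it: the token is compared with `hmac.compare_digest` so the ETDF does not leak which bytes matched, and a record that fails to parse yields no decision rather than a default match, since a detector that classifies garbage is a detector an application can steer. The token shown here is static per application; if the deployment needs replay resistance, the token-related material has to include something per-flow or per-period, which the page leaves to the 3rd party.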
  • Type I UE assisted Control-plane based method
  • This kind of method does not impact the user plane.
  • Its impact is confined to NAS (Non-access stratum) signaling and/or rule distribution.
  • NAS Non-access stratum
  • NF Network Function
  • the supporting SMF can be selected with UE reporting a specific S-NSSAI (Single Network Slice Selection Assistance Information) and/or DNN (Data Network Name) .
  • SMF Session Management Function
  • S-NSSAI Single Network Slice Selection Assistance Information
  • DNN Data Network Name
  • Type II UE assisted User-plane based method.
  • Type III network-side based method
  • each method has its own pros and cons, and either UE or network may support a set of these methods. Therefore, in embodiments of the present application, it is proposed to introduce a negotiation for the encrypted traffic detection method so as to avoid mismatch between UE and the network.
  • Fig. 2 is a schematic flow chart of a communication method 200 for the negotiation between a terminal device and a core network device according to an embodiment of the present application.
  • the terminal device and the core network device may be those described in the above and with reference to Fig. 1.
  • the method 200 includes the following.
  • the terminal device sends first information indicating one or more methods of encrypted traffic detection supported by the terminal device to the core network device.
  • the terminal device may send an uplink signaling message including the first information to the core network device.
  • the terminal device includes the first information in an uplink signaling message to be sent to the core network device and then sends the uplink signaling message to the core network device.
  • the terminal device determines the methods of encrypted traffic detection supported by the terminal device itself and generates the first information.
  • the terminal device generates first information indicating all of methods it supports.
  • the terminal device generates first information indicating one or more of methods it supports.
  • the first information indicates at least one of the following:
  • In item (1), e.g., whether the terminal device supports any of the Type I and Type II methods mentioned above is determined. If the terminal device supports any of them, item (2) is determined, i.e. the type of the supported methods: Type I, Type II or both. Then the subtype of the supported method(s) is determined (item (3)).
  • The subtype of the supported method(s) can be any of the following: a control-plane based type with the OTT layer providing the detection rules, a control-plane based type with the core network providing the detection rules, or a user-plane based type in which the token is added at a specific layer for traffic detection. Items (1) to (3) thus form successively lower levels.
  • If the terminal device supports all methods of a certain level, it does not need to report information about the lower level(s) in the first information. For example, if the terminal device supports all control-plane based methods and no other type, it reports in the first information only that it supports control-plane based methods (level 2).
  • the first information also indicates priorities of the one or more methods supported by the terminal device.
  • the priorities can be determined by the terminal device and be representative of orders of the terminal device’s preference for using the individual methods.
  • the uplink signaling message may be any signaling message from the terminal device to the core network device, which may be a network function entity in a network such as the core network 130 shown in Fig. 1.
  • the terminal device includes the first information in an uplink signaling message, for example the first uplink signaling message which is a NAS message, to be sent to the core network device during at least one of: registration procedure of the terminal device; attach procedure of the terminal device; PDU (Protocol Data Unit) session establishment procedure; or PDU session modification procedure.
  • PDU Protocol Data Unit
  • the terminal device firstly sends a registration or attach request to the core network device.
  • the terminal device may include the first information in the registration or attach request and send the registration or attach request including the first information to the core network device.
  • the terminal device may include the first information in the PDU session establishment or modification request and send the PDU session establishment or modification request including the first information to the core network device.
  • the terminal device receives from the core network device second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device.
  • the method of encrypted traffic detection to be used may be determined by the core network device based on the first information (S220) .
  • the method of encrypted traffic detection to be used is selected by the core network device from the one or more methods indicated in the first information.
  • In one case, the method to be used is a single method.
  • In another case, the method to be used is two or more methods, e.g. a prioritized list of methods. The details of determining the method to be used are described later in the communication method from the view of the core network device.
  • the terminal device receives from the core network device the second information which is included in a downlink signaling message sent from the core network device to the terminal device.
  • the downlink signaling message may be any signaling message sent from the core network device to the terminal device, in particular a downlink signaling message sent as a response to the uplink message including the first information.
  • the terminal device receives from the core network device a downlink signaling message including the second information during at least one of: registration procedure of the terminal device; attach procedure of the terminal device; PDU session establishment procedure; or PDU session modification procedure.
  • Figs. 3 and 4 show examples of the communication method during the four procedures mentioned above.
  • Fig. 3 shows a registration or attach procedure of the terminal device.
  • Fig. 4 shows a PDU session establishment or modification procedure initiated by the terminal device. It should be noted that each of Figs. 3 and 4 shows only some of steps of the procedures which are related to embodiments of the negotiation between the terminal device and the core network device according to the present application, rather than a complete registration/attach procedure or a complete PDU session establishment/modification procedure.
  • the first information is included in a registration or attach request and sent from the terminal device to the core network device (S310) .
  • the registration may refer to an initial registration of the terminal device or a registration due to location update.
  • the terminal device receives the second information through receiving the registration or attach response including the second information sent from the core network device (S320) .
  • the negotiation on use of the method of encrypted traffic detection is achieved during the registration/attach procedure between the terminal device and the core network side.
  • the first information is included in a PDU session establishment or modification request and sent from the terminal device to the core network device (S410) .
  • a PDU session establishment/modification response to the PDU session establishment/modification request is sent from the core network side to the terminal device.
  • the terminal device receives the second information through receiving the PDU session establishment/modification response including the second information sent from the core network device (S420) .
  • the negotiation on use of the method of encrypted traffic detection is achieved during the PDU session establishment/modification procedure between the terminal device and the core network side.
  • the terminal device performs a processing according to the method of encrypted traffic detection to be used.
  • After receiving the second information indicating the method of encrypted traffic detection to be used in the communication between the terminal device and the core network side, the terminal device performs a processing according to the method determined to be used. For example, the terminal device reports the application ID and corresponding filter information to the network side if the method to be used is a control-plane based method. For another example, the terminal device adds a Token/AppKey into the first user plane packet to the core network side if the method to be used is a user-plane based method. Correspondingly, the core network side performs the encrypted traffic detection according to the method to be used.
  • the second information may indicate more than one method to be used.
  • the second information also indicates priorities of these methods to be used which may be determined by the core network device and representative of the core network device’s preference.
  • the terminal device may select one of the methods indicated in the second information as the final method to be used and perform a processing according to the final method to be used as mentioned above.
  • the terminal device may optionally select the final method to be used.
  • the terminal device may select the final method based on priorities of the methods indicated in the second information and/or priorities of the methods supported by the terminal device. For example, the terminal device may select the one with the highest priority.
  • If the terminal device does not support any of the UE assisted methods of encrypted traffic detection, it will indicate this in the first information, or will not report any information about methods supported by the terminal device. If the core network device receives first information indicating that the terminal device does not support any UE assisted method, or receives no information about methods supported by the terminal device, for example during the procedures mentioned above, the core network device determines that the terminal device does not support any UE assisted method and may use a network-side based method (Type III) for detecting the encrypted traffic.
  • the terminal device will not apply any UE assisted method of encrypted traffic detection to the communication with the core network.
  • the communication method includes the following steps.
  • the core network device receives from the terminal device first information indicating one or more methods of encrypted traffic detection supported by the terminal device.
  • This receiving step by the core network device corresponds to the sending step at S210 by the terminal device as described above from the view of the terminal device.
  • the first information can be included in an uplink signaling message sent from the terminal device to the core network device.
  • the core network device receives from the terminal device the first uplink signaling message including the first information during at least one of: registration procedure of the terminal device; attach procedure of the terminal device; PDU (Protocol Data Unit) session establishment procedure; or PDU session modification procedure. More specifically, the core network device receives from the terminal device a registration/attach request including the first information during the registration/attach procedure, or a PDU session establishment/modification request including the first information during the PDU session establishment/modification procedure.
  • the core network device determines a method of encrypted traffic detection to be used in a communication with the terminal device based on the first information.
  • After receiving and deriving the first information, the core network device compares the one or more methods indicated in the first information with the one or more methods supported by the core network device, and selects, as the method of encrypted traffic detection to be used, one of the methods indicated in the first information which matches one of the methods supported by the core network device.
  • the information about methods supported by the core network device is stored in for example a UDM (Unified Data Management) entity, which may be identical or different for different terminal devices.
  • After receiving the first information, the core network device compares the methods indicated in the corresponding information stored in the UDM with those indicated in the first information, and determines those supported by both the terminal device and the core network device.
  • If only one method is matched, the core network device determines that one as the method to be used. If more than one method is matched, the core network device further selects one from these matched methods. For example, the core network device can select one of the matched methods based on their priorities, e.g. the matched method with the highest priority.
  • the priority may refer to priorities of the methods supported by the terminal device which can be indicated in the first information as mentioned in the above. Also, the priority can refer to those for methods supported by the core network device. For example, the information about methods supported by the core network device may indicate priorities of these methods, which may be determined by the core network device and representative of the core network device’s preference for using respective methods. Alternatively, the core network device may select the method to be used from the matched methods based on both the two priorities respective for the terminal device and the core network device.
  • the core network device selects more than one method to be used and returns them back to the terminal device in the second information.
  • the second information indicates priorities of these methods to be used.
  • the terminal can select one from these methods as the final method to be used.
  • If the result of the comparison shows that none of the methods indicated in the first information matches those supported by the core network device, the core network device does not determine any method as the method to be used.
  • the core network device sends second information indicating the method of encrypted traffic detection to be used to the terminal device.
  • This sending step by the core network device corresponds to the receiving step at S230 by the terminal device as described above from the view of the terminal device.
  • the core network device may include the second information in a downlink signaling message to be sent to the terminal device and send the downlink signaling message to the terminal device.
  • the downlink signaling message may be any of signaling messages sent from the core network device to the terminal device, in particular a downlink signaling message as a response to the uplink message including the first information.
  • the core network device sends a downlink signaling message including the second information during at least one of: registration procedure of the terminal device; attach procedure of the terminal device; PDU session establishment procedure; or PDU session modification procedure.
  • the core network device may include the second information in a registration/attach response during the registration/attach procedure, or in a PDU session establishment/modification response during the PDU session establishment/modification procedure.
  • the core network device may perform a processing according to the method to be used at S240.
  • the core network side performs the encrypted traffic detection according to the method to be used, for example.
  • The core network device may refer to one or more communication devices in the core network, and each step performed by the core network device may be performed by one or more of those communication devices, either separately or in combination.
  • A core network device as mentioned in the present application may correspond to one or more network function entities.
  • the core network device may refer to an AMF entity, in case of which the AMF entity may perform each of S210-S230 so as to implement the embodiments of the communication method described above.
  • the core network device may refer to both an AMF entity and a PCF entity, in case of which the PCF entity may determine a method to be used at S220 and send the second information to the AMF entity, and in turn the AMF entity forwards the second information to the terminal device, for example by including the second information in a downlink signaling message and sending the downlink signaling message to the terminal device.
  • a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network side can be enabled by sending information about methods supported by the terminal device to the core network device, determining the method to be used based on the information by the core network device and informing the terminal device of the determined method to be used, through which a mismatch on use of the methods can be avoided.
  • Fig. 5 is a schematic flow chart of a communication method 500 for the negotiation between a terminal device and a core network device according to another embodiment of the present application.
  • the terminal device and the core network device may be those described in the above.
  • the core network device sends first information indicating one or more methods of encrypted traffic detection to a terminal device, which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device.
  • the core network device may send a downlink signaling message including the first information to the terminal device.
  • the core network device includes the first information in a downlink signaling message to be sent to the terminal device and then sends the downlink signaling message to the terminal device.
  • the core network device determines the methods of encrypted traffic detection supported by the core network device itself and generates the first information.
  • the information about methods supported by the core network device is stored in for example a UDM (Unified Data Management) entity, which may be identical or different for different terminal devices.
  • the core network device generates first information indicating all of supported methods.
  • the core network device determines all of methods it supports. That is, all of methods it supports are determined by the core network device as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device.
  • the core network device generates first information indicating one or some of methods it supports. That is, one or some of supported methods are determined by the core network device as candidates for a method of encrypted traffic detection to be used in the communication with the terminal device.
  • the first information indicates at least one of the following:
  • Item (1), e.g. whether the core network device supports any of the Type I and II methods mentioned above, is determined first. If the core network device supports any of the Type I and II methods, item (2) is determined, i.e. the type of the methods supported by the core network device: Type I, Type II or both. Then the subtype of the supported method(s) is determined (item (3)).
  • The subtype of the supported method(s) can be any of the following: a control-plane based type in which the OTT layer provides the detection rules; a control-plane based type in which the core network provides the detection rules; or a user-plane based type in which a token is added to specific layers for traffic detection.
  • Items (1) to (3) form successively lower levels.
  • If the core network device supports all methods at a certain level, it does not need to report information about the lower level(s) in the first information. For example, if the core network device supports all control-plane based methods and no other type, it just reports in the first information that it supports control-plane based methods (level 2).
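The three-level report and its pruning rule can be made concrete. The Python below is an added example, not code from the patent or from any 3GPP implementation: it encodes a set of supported subtypes into the minimal report and expands a received report back to an explicit set. The type names, subtype labels and the rendering of "everything at this level is supported" are constructed assumptions, and the decoder rejects names it does not know rather than guessing.

```python
"""Hierarchical capability report for UE-assisted encrypted traffic detection.

Added example with constructed labels. Level 1: does the device support any
UE-assisted method at all; level 2: which types; level 3: which subtypes.
A level is omitted when every method below it is supported.
"""
from typing import Dict, List, Set, Union

# Level-2 types and their level-3 subtypes, following the subtypes named in the
# description. Labels are constructed; the Type I / Type II numbering is not
# assumed to map onto either entry here.
SUBTYPES: Dict[str, tuple] = {
    "control-plane": ("cp-ott-rules", "cp-cn-rules"),
    "user-plane": ("up-token",),
}
ALL = "all"  # marker: every method at this level is supported, lower levels omitted

Report = Dict[str, Union[bool, str, Dict[str, Union[str, List[str]]]]]


def encode_capability(supported: Set[str]) -> Report:
    """Build the minimal report for a set of supported subtypes.

    Level 3 is listed only for a type that is partially supported; a fully
    supported type is reported as ALL; if every type is fully supported the
    report carries level 1 only (types == ALL).
    """
    known = {s for subs in SUBTYPES.values() for s in subs}
    unknown = supported - known
    if unknown:
        raise ValueError(f"unknown subtype(s): {sorted(unknown)}")
    types: Dict[str, Union[str, List[str]]] = {}
    for type_name, subs in SUBTYPES.items():
        have = [s for s in subs if s in supported]
        if have:
            types[type_name] = ALL if len(have) == len(subs) else have
    if not types:
        return {"ue_assisted": False, "types": {}}
    # Level-1 pruning: everything is supported, so report level 1 only.
    if len(types) == len(SUBTYPES) and all(v == ALL for v in types.values()):
        return {"ue_assisted": True, "types": ALL}
    return {"ue_assisted": True, "types": types}


def decode_capability(report: Report) -> Set[str]:
    """Expand a received report to the explicit set of supported subtypes.

    A peer's capability report is untrusted input: unknown type or subtype
    names raise instead of being silently accepted or guessed at.
    """
    if not report.get("ue_assisted", False):
        return set()
    types = report.get("types", {})
    if types == ALL:
        return {s for subs in SUBTYPES.values() for s in subs}
    out: Set[str] = set()
    for type_name, value in types.items():
        if type_name not in SUBTYPES:
            raise ValueError(f"unknown type: {type_name}")
        if value == ALL:
            out.update(SUBTYPES[type_name])
            continue
        bad = set(value) - set(SUBTYPES[type_name])
        if bad:
            raise ValueError(f"unknown subtype(s) under {type_name}: {sorted(bad)}")
        out.update(value)
    return out


if __name__ == "__main__":
    # The worked case from the description: all control-plane methods, no other type.
    cp_only = {"cp-ott-rules", "cp-cn-rules"}
    report = encode_capability(cp_only)
    print(report)                                   # {'ue_assisted': True, 'types': {'control-plane': 'all'}}
    print(decode_capability(report) == cp_only)     # True
```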
  • the first information also indicates priorities of the one or more methods determined as candidates by the core network device.
  • the priorities can be determined by the core network device and be representative of orders of the core network device’s preference for using the individual methods.
  • the downlink signaling message may be any of signaling message from the core network device to the terminal device.
  • the core network device includes the first information in a UCU (UE Configuration Update) request to be sent to the terminal device during a UCU procedure.
  • the core network device receives from the terminal device second information indicating the method of encrypted traffic detection to be used in the communication with the terminal device, which is determined by the terminal device based on the first information.
  • the method of encrypted traffic detection to be used may be determined by the terminal device based on the first information (S220) .
  • the method of encrypted traffic detection to be used is selected by the terminal device from the candidate methods indicated in the first information.
  • the method to be used is one method.
  • the method to be used is two or more methods, e.g. a prioritized list of the methods. The details of determining the method to be used will be described later in the communication method from the view of the terminal device.
  • the core network device receives from the terminal device the second information which is included in an uplink signaling message sent from the terminal device to the core network device.
  • the uplink signaling message may be any of signaling messages sent from the terminal device to the core network device, in particular an uplink signaling message as a response to the downlink message including the first information.
  • the core network device may include the first information in a UCU (UE Configuration Update) request and send to the terminal device during a UCU procedure.
  • the core network device receives an acknowledgement message to the UCU request, which includes the second information, from the terminal device during the UCU procedure.
  • the negotiation on use of the method of encrypted traffic detection is achieved during the UCU procedure by communicating the first and second information between the core network device and the terminal device.
  • the core network device performs a processing according to the method of encrypted traffic detection to be used.
  • After receiving the second information indicating the method of encrypted traffic detection to be used in the communication between the terminal device and the core network side, the core network device performs a processing according to the method determined to be used. For example, the core network device performs the encrypted traffic detection according to the method to be used. Correspondingly, the terminal device also performs a processing according to the method to be used. For example, the terminal device reports the application ID and corresponding filter information to the network side if the method to be used is a control-plane based method. For another example, the terminal device adds a Token/AppKey into the first user plane packet to the core network side if the method to be used is a user-plane based method.
  • the second information may indicate more than one method to be used.
  • the method to be used indicated in the second information is a prioritized list of one or more methods to be used.
  • the priorities of these methods to be used may be determined by the terminal device and representative of the terminal device’s preference.
  • the core network device may select one of the methods indicated in the second information as the final method to be used and perform a processing according to the final method to be used as mentioned above.
  • the core network device may optionally select the final method to be used.
  • the core network device may select the final method based on priorities of the methods indicated in the second information and/or priorities of the methods supported by the core network device. For example, the core network device may select the one with the highest priority.
  • If the core network device does not support any UE assisted method of encrypted traffic detection, it will indicate this in the first information, or will not report any information about methods supported by the core network device. If the terminal device receives first information indicating that the core network device does not support any UE assisted method, or receives no information about methods supported by the core network device, for example during the UCU procedure, the terminal device determines that the core network device does not support any UE assisted method and may use a network-side based method (Type III) for detecting the encrypted traffic. Similarly, if the core network device does not receive second information indicating the method to be used from the terminal device, it will not apply any UE assisted method of encrypted traffic detection to the communication with the terminal device.
  • the above description is made from the view of the core network device.
  • a description of embodiments of the communication method according to the present application will be made below from the view of the terminal device side with reference to Fig. 5.
  • the communication method includes the following steps.
  • the terminal device receives from the core network device first information indicating one or more methods of encrypted traffic detection which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device.
  • This receiving step by the terminal device corresponds to the sending step at S510 by the core network device as described above from the view of the core network device.
  • the first information can be included in a downlink signaling message sent from the core network device to the terminal device.
  • the terminal device receives the UCU request including the first information during the UCU procedure.
  • the terminal device determines the method of encrypted traffic detection to be used in the communication with the terminal device based on the first information.
  • After receiving and deriving the first information, the terminal device compares the one or more methods indicated in the first information with the one or more methods supported by the terminal device, and selects, as the method of encrypted traffic detection to be used, one of the methods indicated in the first information which matches one of the methods supported by the terminal device. In one embodiment of the present application, after receiving the first information, the terminal device compares the methods it supports with those indicated in the first information, and determines those supported by both the terminal device and the core network device. If only one method is matched, the terminal device determines that one as the method to be used. If more than one method is matched, the terminal device further selects one from these matched methods.
  • the terminal device can select one from the matched methods based on priorities of these matched methods. For example, the terminal device selects one from the matched methods which has the highest priority among these matched methods.
  • the priority may refer to priorities of the methods supported by the core network device which can be indicated in the first information as mentioned in the above. Also, the priority can refer to those for methods supported by the terminal device.
  • the information about methods supported by the terminal device may indicate priorities of these methods, which may be determined by the terminal device and representative of the terminal device’s preference for using respective methods.
  • the terminal device may select the method to be used from the matched methods based on both the two priorities respective for the terminal device and the core network device.
  • the terminal device selects more than one method to be used and returns them back to the core network device in the second information.
  • the second information indicates priorities of these methods to be used.
  • the core network device can select one from these methods as the final method to be used.
  • If the result of the comparison shows that none of the methods indicated in the first information matches those supported by the terminal device, the terminal device does not determine any method as the method to be used.
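The matching and priority-based selection described for the core network device in method 200 and for the terminal device in method 500 is one algorithm with the roles swapped: intersect the peer's advertised methods with one's own, then order by priority. The Python below is an added example, not code from the patent or from any 3GPP implementation, modelling both directions and the no-match case in which no UE-assisted method is applied; the method labels and the rule for combining both sides' priorities (sum of ranks) are constructed assumptions.

```python
"""Negotiation of a UE-assisted encrypted traffic detection method.

Added example. Each side holds an ordered list of the methods it supports,
most preferred first. The side that receives "first information" intersects
it with its own list and returns the chosen method(s) as "second information".
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed labels for the method subtypes named in the description.
CP_OTT_RULES = "cp-ott-rules"  # control-plane based, OTT layer provides detection rules
CP_CN_RULES = "cp-cn-rules"    # control-plane based, core network provides detection rules
UP_TOKEN = "up-token"          # user-plane based, Token/AppKey added to the first UP packet


@dataclass
class Capability:
    """Methods one side supports, ordered by that side's preference (index 0 = highest)."""
    methods: List[str] = field(default_factory=list)

    def rank(self, method: str) -> int:
        """0 = most preferred; an unsupported method ranks below every supported one."""
        return self.methods.index(method) if method in self.methods else len(self.methods)


def match(first_info: Capability, own: Capability) -> List[str]:
    """Methods indicated by the peer that this side also supports, in the peer's order."""
    return [m for m in first_info.methods if m in own.methods]


def select(first_info: Capability, own: Capability, weigh: str = "own",
           limit: Optional[int] = 1) -> List[str]:
    """Determine the method(s) to be used from the peer's first information.

    weigh: "peer" orders by the priorities in first_info, "own" by this side's,
           "both" by the sum of the two ranks (assumption: the description only
           says both priorities may be used, not how they are combined).
    limit: 1 returns a single method; None returns the whole prioritized list,
           i.e. second information indicating several methods.
    An empty list means no method is determined (nothing matched).
    """
    matched = match(first_info, own)
    if not matched:
        return []
    key = {
        "peer": first_info.rank,
        "own": own.rank,
        "both": lambda m: first_info.rank(m) + own.rank(m),
    }[weigh]
    ordered = sorted(matched, key=key)  # sort is stable: ties keep the peer's order
    return ordered if limit is None else ordered[:limit]


def terminal_processing(method: Optional[str]) -> str:
    """What the terminal device does once the method to be used is known."""
    if method in (CP_OTT_RULES, CP_CN_RULES):
        return "report application ID and filter information on the control plane"
    if method == UP_TOKEN:
        return "add Token/AppKey to the first user-plane packet"
    return "apply no UE-assisted method (network-side detection only)"


def negotiate_ue_initiated(ue: Capability, cn: Capability) -> Optional[str]:
    """Method 200: the UE sends its supported list (e.g. in a registration request);
    the core network selects by its own preference and returns one method."""
    second_info = select(first_info=ue, own=cn, weigh="own", limit=1)
    return second_info[0] if second_info else None


def negotiate_network_initiated(cn: Capability, ue: Capability) -> Optional[str]:
    """Method 500: the core network sends its candidates (e.g. in a UCU request);
    the UE returns a list prioritized by its own preference in the acknowledgement,
    and the core network takes the UE's highest-priority entry as the final method."""
    second_info = select(first_info=cn, own=ue, weigh="own", limit=None)
    return second_info[0] if second_info else None


if __name__ == "__main__":
    ue = Capability([UP_TOKEN, CP_OTT_RULES])
    cn = Capability([CP_CN_RULES, CP_OTT_RULES, UP_TOKEN])
    print("UE-initiated:", negotiate_ue_initiated(ue, cn))            # cp-ott-rules
    print("network-initiated:", negotiate_network_initiated(cn, ue))  # up-token
    no_match = negotiate_ue_initiated(Capability([UP_TOKEN]), Capability([CP_CN_RULES]))
    print("no match:", no_match, "->", terminal_processing(no_match))
```

The same capabilities yield a different outcome depending on which side's preference decides, which is exactly why the page has both sides exchange priorities rather than assume them.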
  • the terminal device sends second information indicating the method of encrypted traffic detection to be used to the core network device.
  • This sending step by the terminal device corresponds to the receiving step at S530 by the core network device as described above from the view of the core network device.
  • the terminal device may include the second information in an uplink signaling message to be sent to the core network device and send the uplink signaling message to the core network device.
  • the uplink signaling message may be any of signaling messages sent from the terminal device to the core network device, in particular an uplink signaling message as a response to the downlink message including the first information.
  • the core network device may include the first information in a UCU request during the UCU procedure.
  • the terminal device includes the second information in an acknowledgement message for the UCU request and sends the acknowledgement message to the core network device during the UCU procedure.
  • the terminal device may perform a processing according to the method to be used at S540. For example, as mentioned above, the terminal device reports the application ID and corresponding filter information to the network side if the method to be used is a control-plane based method, or adds a Token/AppKey into the first user plane packet to the core network side if the method to be used is a user-plane based method.
  • The core network device may refer to one or more communication devices in the core network, and each step performed by the core network device may be performed by one or more of those communication devices, either separately or in combination.
  • A core network device as mentioned in the present application may correspond to one or more network function entities.
  • the core network device may refer to an AMF entity, in case of which the AMF entity may perform each of S510 and S530 so as to implement the embodiments of the communication method described above.
  • the core network device may refer to both an AMF entity and a PCF entity, in case of which the PCF entity may determine the candidates for a method to be used and send the first information to the AMF entity, and in turn the AMF entity forwards the first information to the terminal device, for example by including the first information in a downlink signaling message and sending the downlink signaling message to the terminal device.
  • a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network device can be enabled by sending information about candidates for a method of encrypted traffic detection to be used to the terminal device, determining the method to be used based on the information by the terminal device and informing the core network device of the determined method to be used, through which a mismatch on use of the methods can be avoided.
  • Fig. 6 is a schematic block diagram of a terminal device 600 according to an embodiment of the present application.
  • the terminal device 600 includes: a transmitting unit 610 configured to send first information indicating one or more methods of encrypted traffic detection supported by the terminal device to a core network device;
  • a receiving unit 620 configured to receive from the core network device second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device, which is determined by the core network device based on the first information;
  • a processing unit 630 configured to enable the terminal device to perform the method of encrypted traffic detection to be used.
  • the transmitting unit 610 is configured to:
  • the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
  • the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
  • the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
  • the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
  • the receiving unit 620 is configured to: receive from the core network device a downlink signaling message including the second information during at least one of:
  • the downlink signaling message is a registration response of the registration procedure sent from the core network device to the terminal device.
  • the downlink signaling message is an attach response of the attach procedure sent from the core network device to the terminal device.
  • the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure sent from the core network device to the terminal device.
  • the downlink signaling message is a PDU session modification response of the PDU session modification procedure sent from the core network device to the terminal device.
  • The terminal device 600 can correspond to the terminal device in embodiments of the method 200 and can implement the corresponding functions of that terminal device, which are omitted herein for the sake of brevity.
  • Fig. 7 is a schematic block diagram of a core network device 700 according to an embodiment of the present application. As shown in Fig. 7, the core network device 700 includes:
  • a receiving unit 710 configured to receive from a terminal device first information indicating one or more methods of encrypted traffic detection supported by the terminal device;
  • a processing unit 720 configured to determine a method of encrypted traffic detection to be used in a communication with the terminal device based on the first information;
  • a transmitting unit 730 configured to send second information indicating the method of encrypted traffic detection to be used to the terminal device.
  • the receiving unit 710 is configured to:
  • the uplink signaling message is a registration request of the registration procedure sent from the terminal device to the core network device.
  • the uplink signaling message is an attach request of the attach procedure sent from the terminal device to the core network device.
  • the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
  • the uplink signaling message is a PDU session modification request of the PDU session modification procedure sent from the terminal device to the core network device.
  • the transmitting unit 730 is configured to:
  • the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
  • the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
  • the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure to be sent from the core network device to the terminal device.
  • the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
  • the processing unit 720 is configured to:
  • processing unit 720 is further configured to:
  • the core network device 700 corresponds to the core network device in the embodiments of the method 200 and can implement the corresponding functions of that core network device, which are omitted herein for the sake of brevity.
  • Fig. 8 is a schematic block diagram of a terminal device 800 according to another embodiment of the present application.
  • the terminal device 800 includes: a receiving unit 810 configured to receive from a core network device first information indicating one or more methods of encrypted traffic detection which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
  • a processing unit 820 configured to determine the method of encrypted traffic detection to be used in the communication with the terminal device based on the first information;
  • a transmitting unit 830 configured to send second information indicating the method of encrypted traffic detection to be used to the core network device.
  • the processing unit 820 is configured to: match the one or more methods of encrypted traffic detection indicated in the first information with one or more methods of encrypted traffic detection supported by the terminal device;
  • the terminal device 800 corresponds to the terminal device in the embodiments of the method 500 and can implement the corresponding functions of that terminal device, which are omitted herein for the sake of brevity.
  • Fig. 9 is a schematic block diagram of a core network device 900 according to another embodiment of the present application. As shown in Fig. 9, the core network device 900 includes:
  • a transmitting unit 910 configured to send first information indicating one or more methods of encrypted traffic detection to a terminal device, which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
  • a receiving unit 920 configured to receive from the terminal device second information indicating the method of encrypted traffic detection to be used in the communication with the terminal device, which is determined by the terminal device based on the first information; a processing unit 930 configured to enable the core network device to perform the method of encrypted traffic detection to be used.
  • the core network device 900 corresponds to the core network device in the embodiments of the method 500 and can implement the corresponding functions of that core network device, which are omitted herein for the sake of brevity.
  • Fig. 10 is a schematic block diagram of a terminal device 1000 according to an embodiment of the present application.
  • the terminal device 1000 includes a transceiver 1010 and a processor 1020, wherein the processor 1020 is configured to perform any one of embodiments of the communication method 200 or any one of embodiments of the communication method 500 based on the transceiver 1010.
  • the terminal device 1000 corresponds to the terminal device in the embodiments of the method 200 or 500 and can implement the corresponding functions of that terminal device, which are omitted herein for the sake of brevity.
  • Fig. 11 is a schematic block diagram of a core network device 1100 according to an embodiment of the present application.
  • the core network device 1100 includes a transceiver 1110 and a processor 1120, wherein the processor 1120 is configured to perform any one of embodiments of the communication method 200 or any one of embodiments of the communication method 500 based on the transceiver 1110.
  • the core network device 1100 corresponds to the core network device in the embodiments of the method 200 or 500 and can implement the corresponding functions of that core network device, which are omitted herein for the sake of brevity.
  • Fig. 12 is a schematic structure diagram of a system on chip (SoC) according to an embodiment of the present application.
  • the SoC 1200 includes a processor 1210 and a memory 1220, wherein the processor 1210 and the memory 1220 are connected via a bus 1230, and the processor 1210 is configured to execute code stored in the memory 1220.
  • the SoC 1200 may further include an input interface 1240 and an output interface 1250, as shown in Fig. 12.
  • when the code is executed, the processor 1210 implements any one of the embodiments of the communication method 200 or 500 that are performed by a terminal device, which are omitted herein for the sake of brevity.
  • when the code is executed, the processor 1210 implements any one of the embodiments of the communication method 200 or 500 that are performed by a core network device, which are omitted herein for the sake of brevity.
  • the disclosed systems, devices and methods may be implemented by other means.
  • the device embodiments described above are merely schematic.
  • the partitioning of the units may be a partitioning in logical functions. There may be other manners for partitioning in actual implementation. For example, multiple units or components may be combined together or integrated into another system, or some features can be omitted or not executed.
  • mutual couplings or direct couplings or communication connections that are shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separated components may be or may not be physically separated.
  • the components shown as units may be or may not be physical units, that is, they may be located in one place or may be distributed on a plurality of network units. Part or all of the units may be selected according to actual needs to achieve the purposes of the methods of the embodiments of the present application.
  • all functional units in the embodiments of the present application may be integrated into one processing unit.
  • each unit may exist as a physically independent unit.
  • two or more units may be integrated into one unit.
  • the functional units, if implemented in the form of software functional units and sold or used as a standalone product, may be stored in a computer-readable storage medium.
  • the technical method of the present application in essence, or the part that contributes to the prior art, or all or part of the technical method, may be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes a plurality of instructions for a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method described in the embodiments of the present application.
  • the foregoing storage medium includes various media that may store program code, such as a USB flash disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or the like.

Abstract

A communication method comprises: sending, by a terminal device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device to a core network device; receiving from the core network device, by the terminal device, second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device, which is determined by the core network device based on the first information; performing, by the terminal device, a processing according to the method of encrypted traffic detection to be used.

Description

COMMUNICATION METHOD, TERMINAL DEVICE AND CORE NETWORK DEVICE
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is based on and claims priority of U.S. Provisional application Serial No. 62/675,274, filed on May 23, 2018 and entitled “A MECHANISM OF NIGOTIATION OF TRAFFIC DETECTION METHODS BETWEEN UE AND NETWORK”, the entire contents of which are incorporated herein by reference.
TECHNICAL FIELD
Embodiments of the present application relate generally to the field of communication, and, more particularly, to a communication method, a terminal device, and a core network device.
BACKGROUND
In network communication, HTTP (HyperText Transfer Protocol) over TLS (Transport Layer Security) is becoming the norm, which means that more and more HTTP traffic will be encrypted. Currently, in an operator's network, the SNI (Server Name Indication) is usually used to identify which kind of service an encrypted flow belongs to, and the IP tuple of the flow is then associated with a filter installed in the network for further traffic detection.
However, the SNI is sent in clear text and can be faked by any attacker, and in future versions of the TLS protocol the SNI will be encrypted. Thus, the SNI can no longer be used to identify a service's traffic.
To resolve the problem mentioned above, a number of methods of encrypted traffic detection have been proposed, each of which has its own pros and cons. A user equipment or a core network device may support one or more of these methods, and thus a mismatch on the method of encrypted traffic detection to be used may occur between a user equipment and a core network device.
SUMMARY
Embodiments of the present application provide a communication method and device which enable a negotiation on the use of a method of encrypted traffic detection between a terminal device and a core network device, so as to avoid a mismatch on the method used.
In a first aspect, there is provided a communication method comprising: sending, by a terminal device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device to a core network device;
receiving from the core network device, by the terminal device, second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device, which is determined by the core network device based on the first information;
performing, by the terminal device, a processing according to the method of encrypted traffic detection to be used.
It can be seen that, in the first aspect of embodiments of the present application, a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network device can be enabled by sending information about methods supported by the terminal device to the core network device, determining the method to be used based on the information by the core network device and informing the terminal device of the determined method to be used, through which a mismatch on use of the methods can be avoided.
In combination with the first aspect, in a first possible implementation of the first aspect, sending, by a terminal device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device to a core network device comprises:
including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device;
sending, by the terminal device, the uplink signaling message including the first information to the core network device.
In one embodiment of the present application, including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device comprises:
including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during at least one of:
registration procedure of the terminal device;
attach procedure of the terminal device;
PDU session establishment procedure;
PDU session modification procedure.
In another embodiment of the present application, in a case of including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
In another embodiment of the present application, in a case of including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
In another embodiment of the present application, in a case of including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
In another embodiment of the present application, in a case of including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
In combination with the first aspect or any one of possible implementations above, in a second possible implementation of the first aspect, receiving from the core network device, by the terminal device, second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device comprises:
receiving from the core network device, by the terminal device, a downlink signaling message including the second information.
In one embodiment of the present application, receiving from the core network device, by the terminal device, a downlink signaling message including the second information comprises:
receiving from the core network device, by the terminal device, a downlink signaling message including the second information during at least one of:
registration procedure of the terminal device;
attach procedure of the terminal device;
PDU session establishment procedure;
PDU session modification procedure.
In another embodiment of the present application, in a case of receiving from the core network device, by the terminal device, a downlink signaling message including the second information during registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure sent from the core network device to the terminal device.
In another embodiment of the present application, in a case of receiving from the core network device, by the terminal device, a downlink signaling message including the second information during attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure sent from the core network device to the terminal device.
In another embodiment of the present application, in a case of receiving from the core network device, by the terminal device, a downlink signaling message including the second information during PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure sent from the core network device to the terminal device.
In another embodiment of the present application, in a case of receiving from the core network device, by the terminal device, a downlink signaling message including the second information during PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure sent from the core network device to the terminal device.
In combination with the first aspect or any one of possible implementations above, in a third possible implementation of the first aspect, the first information indicates at least one of the following:
whether the terminal device supports a user equipment assisted method of encrypted traffic detection;
type of a user equipment assisted method of encrypted traffic detection supported by the terminal device;
subtype of a user equipment assisted method of encrypted traffic detection supported by the terminal device.
In combination with the first aspect or any one of possible implementations above, in a fourth possible implementation of the first aspect, the first information indicates priorities of the one or more methods determined by the terminal device.
In combination with the first aspect or any one of possible implementations above, in a fifth possible implementation of the first aspect, the method of encrypted traffic detection to be used is selected by the core network device from the one or more methods indicated in the first information.
In a second aspect, there is provided a communication method comprising:
receiving from a terminal device, by a core network device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device;
determining, by the core network device, a method of encrypted traffic detection to be used in a communication with the terminal device based on the first information;
sending, by the core network device, second information indicating the method of encrypted traffic detection to be used to the terminal device.
It can be seen that, in the second aspect of embodiments of the present application, a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network device can be enabled by sending information about methods supported by the terminal device to the core network device, determining the method to be used based on the information by the core network device and informing the terminal device of the determined method to be used, through which a mismatch on use of the methods can be avoided.
In combination with the second aspect, in a first possible implementation of the second aspect, receiving from a terminal device, by a core network device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device comprises:
receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device.
In combination with the second aspect or any one of possible implementations above, in a second possible implementation of the second aspect, receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device comprises:
receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during at least one of:
registration procedure of the terminal device;
attach procedure of the terminal device;
PDU session establishment procedure;
PDU session modification procedure.
In combination with the second aspect or any one of possible implementations above, in a third possible implementation of the second aspect, in a case of receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure sent from the terminal device to the core network device.
In combination with the second aspect or any one of possible implementations above, in a fourth possible implementation of the second aspect, in a case of receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure sent from the terminal device to the core network device.
In combination with the second aspect or any one of possible implementations above, in a fifth possible implementation of the second aspect, in a case of receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
In combination with the second aspect or any one of possible implementations above, in a sixth possible implementation of the second aspect, in a case of receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure sent from the terminal device to the core network device.
In combination with the second aspect or any one of possible implementations above, in a seventh possible implementation of the second aspect, sending, by the core network device, second information indicating the method of encrypted traffic detection to be used to the terminal device comprises:
including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device;
sending, by the core network device, the downlink signaling message including the second information to the terminal device.
In combination with the second aspect or any one of possible implementations above, in an eighth possible implementation of the second aspect, including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device comprises:
including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device during at least one of:
registration procedure of the terminal device;
attach procedure of the terminal device;
PDU session establishment procedure;
PDU session modification procedure.
In combination with the second aspect or any one of possible implementations above, in a ninth possible implementation of the second aspect, in a case of including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device during registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
In combination with the second aspect or any one of possible implementations above, in a tenth possible implementation of the second aspect, in a case of including, by the core network device, the second information in a downlink signaling message to be sent from the core network device to the terminal device during attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
In combination with the second aspect or any one of possible implementations above, in an eleventh possible implementation of the second aspect, in a case of including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device during PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure to be sent from the core network device to the terminal device.
In combination with the second aspect or any one of possible implementations above, in a twelfth possible implementation of the second aspect, in a case of including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device during PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
In combination with the second aspect or any one of possible implementations above, in a thirteenth possible implementation of the second aspect, the first information indicates at least one of the following:
whether the terminal device supports a user equipment assisted method of encrypted traffic detection;
type of a user equipment assisted method of encrypted traffic detection supported by the terminal device;
subtype of a user equipment assisted method of encrypted traffic detection supported by the terminal device.
In combination with the second aspect or any one of possible implementations above, in a fourteenth possible implementation of the second aspect, the first information indicates priorities of the one or more methods of encrypted traffic detection determined by the terminal device.
In combination with the second aspect or any one of possible implementations above, in a fifteenth possible implementation of the second aspect, determining, by the core network device, a method of encrypted traffic detection to be used in a communication with the terminal device based on the first information comprises:
comparing, by the core network device, the one or more methods indicated in the first information with one or more methods supported by the core network device;
selecting, by the core network device, at least one from the one or more methods indicated in the first information which is matched with one of the one or more methods supported by the core network device, as the method of encrypted traffic detection to be used.
In combination with the second aspect or any one of possible implementations above, in a sixteenth possible implementation of the second aspect, the method further comprises: performing, by the core network device, a processing according to the method of encrypted traffic detection to be used.
In a third aspect, there is provided a communication method comprising: sending, by a core network device, first information indicating one or more methods of encrypted traffic detection to a terminal device, which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
receiving from the terminal device, by the core network device, second information indicating the method of encrypted traffic detection to be used in the communication with the terminal device, which is determined by the terminal device based on the first information;
performing, by the core network device, a processing according to the method of encrypted traffic detection to be used.
It can be seen that, in the third aspect of embodiments of the present application, a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network device can be enabled by sending information about candidates for a method of encrypted traffic detection to be used to the terminal device, determining the method to be used based on the information by the terminal device and informing the core network device of the determined method to be used, through which a mismatch on use of the methods can be avoided.
In combination with the third aspect, in a first possible implementation of the third aspect, sending, by a core network device, first information indicating one or more methods of encrypted traffic detection to a terminal device comprises:
including, by the core network device, the first information in a downlink signaling message to be sent to the terminal device;
sending, by the core network device, the downlink signaling message including the first information to the terminal device.
In combination with the third aspect or any one of possible implementations above, in a second possible implementation of the third aspect, including, by the core network device, the first information in a downlink signaling message to be sent to the terminal device comprises:
including, by the core network device, the first information in a user equipment configuration update request to be sent to the terminal device during a user equipment configuration update procedure,
and wherein receiving from the terminal device, by the core network device, second information indicating the method of encrypted traffic detection to be used in the communication with the terminal device comprises:
receiving from the terminal device, by the core network device, an acknowledgement message for the user equipment configuration update request, which includes the second information.
In combination with the third aspect or any one of possible implementations above, in a third possible implementation of the third aspect, the first information indicates priorities of the one or more methods of encrypted traffic detection determined by the core network device.
In combination with the third aspect or any one of possible implementations above, in a fourth possible implementation of the third aspect, the method of encrypted traffic detection to be used is selected by the terminal device from the one or more methods of encrypted traffic detection indicated in the first information.
In a fourth aspect, there is provided a communication method comprising: receiving from a core network device, by a terminal device, first information indicating one or more methods of encrypted traffic detection which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
determining, by the terminal device, the method of encrypted traffic detection to be used in the communication with the terminal device based on the first information;
sending, by the terminal device, second information indicating the method of encrypted traffic detection to be used to the core network device.
It can be seen that, in the fourth aspect of embodiments of the present application, a negotiation on use of a method of encrypted traffic detection between a terminal device and a core network device can be enabled by sending information about candidates for a method of encrypted traffic detection to be used to the terminal device, determining the method to be used based on the information by the terminal device and informing the core network device of the determined method to be used, through which a mismatch on use of the methods can be avoided.
In combination with the fourth aspect, in a first possible implementation of the fourth aspect, receiving from a core network device, by a terminal device, first information indicating one or more methods of encrypted traffic detection comprises:
receiving, by the terminal device, a downlink signaling message including the first information sent from the core network device.
In combination with the fourth aspect, in a second possible implementation of the fourth aspect, receiving from a core network device, by a terminal device, first information indicating one or more methods of encrypted traffic detection comprises:
receiving, by the terminal device, a user equipment configuration update request including the first information sent from the core network device during a user equipment configuration update procedure.
In combination with the fourth aspect, in a third possible implementation of the fourth aspect, determining, by the terminal device, the method of encrypted traffic detection to be used in the communication with the terminal device based on the first information comprises:
comparing, by the terminal device, the one or more methods of encrypted traffic detection indicated in the first information with one or more methods of encrypted traffic detection supported by the terminal device;
selecting, by the terminal device, at least one from the one or more methods of encrypted traffic detection indicated in the first information which is matched with one of the one or more methods of encrypted traffic detection supported by the terminal device, as the method of encrypted traffic detection to be used.
In combination with the fourth aspect, in a fourth possible implementation of the fourth aspect, sending, by the terminal device, second information indicating the method of encrypted traffic detection to be used to the core network device comprises:
including, by the terminal device, the second information in an uplink signaling message to be sent to the core network device;
sending, by the terminal device, the uplink signaling message to the core network device.
In combination with the fourth aspect, in a fifth possible implementation of the fourth aspect, including, by the terminal device, the second information in an uplink signaling message to be sent to the core network device comprises:
including, by the terminal device, the second information in an acknowledgement message for a user equipment configuration update request during a user equipment configuration update procedure.
In combination with the fourth aspect, in a sixth possible implementation of the fourth aspect, the first information indicates priorities of the one or more methods of encrypted traffic detection indicated in the first information.
In a fifth aspect, there is provided a terminal device comprising units for performing methods in the first aspect or possible implementations thereof, or in the fourth aspect or possible implementations thereof.
In a sixth aspect, there is provided a core network device comprising units for performing methods in the second aspect or possible implementations thereof, or in the third aspect or possible implementations thereof.
In a seventh aspect, there is provided a terminal device comprising a processor and a transceiver, wherein the processor is configured to perform methods in the first aspect or possible implementations thereof based on the transceiver, or to perform methods in the fourth aspect or possible implementations thereof based on the transceiver.
In an eighth aspect, there is provided a core network device comprising a processor and a transceiver, wherein the processor is configured to perform methods in the second aspect or possible implementations thereof based on the transceiver, or to perform methods in the third aspect or possible implementations thereof based on the transceiver.
In a ninth aspect, there is provided a computer-readable medium used for storing a program code, wherein the program code comprises instructions for performing methods in any one of the first, second, third or fourth aspect or possible implementations thereof.
In a tenth aspect, there is provided a system on chip comprising a processor and a memory, wherein the processor is configured to perform a code in the memory and to implement methods in any one of the first, second, third or fourth aspect or possible implementations thereof when the code is executed.
Additional features, advantages, and embodiments of the application may be set forth or apparent from consideration of the following detailed description, drawings, and claims. Moreover, it is to be understood that both the foregoing summary and the following detailed description are exemplary and intended to provide further explanation without limiting the scope of the application claimed. The detailed description and the specific examples, however, indicate only exemplary embodiments of the application.
BRIEF DESCRIPTION OF THE DRAWINGS
Accompanying drawings used to describe embodiments or the prior art will be introduced briefly below in order to illustrate the technical methods of embodiments of the present application more clearly. Obviously, the accompanying drawings in the following description are merely for some embodiments of the present application, and other drawings can also be obtained based on these accompanying drawings by a person having ordinary skill in the art without creative efforts.
Fig. 1 is a schematic diagram of a communication system according to embodiments of the present application.
Fig. 2 is a schematic flow chart of a communication method 200 according to an embodiment of the present application.
Fig. 3 is a schematic diagram of a registration/attach procedure according to an embodiment of the present application.
Fig. 4 is a schematic diagram of a PDU session establishment/modification procedure according to an embodiment of the present application.
Fig. 5 is a schematic diagram of a communication method 500 according to an embodiment of the present application.
Fig. 6 is a schematic block diagram of a terminal device 600 according to an embodiment of the present application.
Fig. 7 is a schematic block diagram of a core network device 700 according to an embodiment of the present application.
Fig. 8 is a schematic block diagram of a terminal device 800 according to another embodiment of the present application.
Fig. 9 is a schematic block diagram of a core network device 900 according to another embodiment of the present application.
Fig. 10 is a schematic block diagram of a terminal device 1000 according to an embodiment of the present application.
Fig. 11 is a schematic block diagram of a core network device 1100 according to an embodiment of the present application.
Fig. 12 is a schematic block diagram of a system on chip 1200 according to an embodiment of the present application.
DETAILED DESCRIPTION
The technical methods in embodiments of the present application will be described in the following in combination with accompanying drawings of the embodiments of the present application.
Embodiments of the present application can be applied in various kinds of communication systems such as Global System of Mobile (GSM) communication system, Code Division Multiple Access (CDMA) system, Wideband Code Division Multiple Access (WCDMA) system, General Packet Radio Service (GPRS) , Long Term Evolution (LTE) system, LTE Frequency Division Duplex (FDD) system, LTE Time Division Duplex (TDD) , Universal Mobile Telecommunication System (UMTS) , Worldwide Interoperability for Microwave Access (WiMAX) communication system, a 5G system, a future evolved PLMN (Public Land Mobile Network) , and so on.
Fig. 1 illustrates a wireless communication system 100 applied in embodiments of the present application. The wireless communication system 100 may include one or more terminal devices 120, a core network 130 and one or more core network devices 110 located in the core network 130. Three terminal devices 120 are illustrated in Fig. 1 as examples of a terminal device used in embodiments of the present application, and two core network devices 110 are illustrated in Fig. 1 as examples of a core network device used in embodiments of the present application. Each of the one or more terminal devices 120 is capable of accessing the core network 130 for example through an access network and communicating with the one or more core network devices 110.
As examples, the core network device 100 may be a communication device in a core network of a wireless communication system as described above, which enables or supports some of functions of the core network. For example, the core network device 100 may be a function entity (such as AMF (Access and Mobility Management Function) or PCF (Policy Control Function) ) of the core network in the 5G system.
The terminal device 120 may be moving or stationary. As examples, the terminal device 120 may be an access terminal, a UE (User Equipment), a user unit, a user station, a mobile radio station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user device. An access terminal may be a cell phone, a cordless phone, a SIP (Session Initiation Protocol) phone, a WLL (Wireless Local Loop) station, a PDA (Personal Digital Assistant), a hand-held device with a wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, a terminal device in a future evolved PLMN (Public Land Mobile Network), or the like. Optionally, a 5G system or network may also be called an NR (New Radio) system or network.
It should be understood that the wireless communication system 100 may further include other network entities such as a network controller, a mobility management entity, and the like. Embodiments of the present application do not have any limit on this.
It should be understood that the terms “system” and “network” herein are interchangeable. The term “and/or” herein only describes an association relationship between associated objects and indicates that there may be three relationships. For example, A and/or B may indicate three cases: A exists alone, A and B exist at the same time, or B exists alone. In addition, the character “/” herein generally indicates that an “or” relationship exists between associated objects.
The term “to send/sending” in the present application means directly sending from one party to the other, or indirectly sending between the two, for example by means of forwarding by a third party. Likewise, the term “to receive/receiving” in the present application means directly receiving from one party, or indirectly receiving from that party, for example by means of forwarding by a third party.
As mentioned above, a number of methods of encrypted traffic detection are proposed, which can be classified into three types as follows.
Type I: UE (User Equipment) assisted Control-plane based method
When specific application data appears, the UE reports the application ID and corresponding filter information so that the network (such as a core network) can detect the following traffic. Coordination between the 3rd party and the UE is needed. To realize it, some new functionalities like ETRF (Encrypted Traffic Reporting), ETDF (Encrypted Traffic Detection Function), and ETD (Encrypted Traffic Detection) are introduced.
Type II: UE assisted User-plane based method
When specific application data appears, the UE adds a Token/AppKey into the first user plane packet. The Token can possibly be added in several places, for example in the TCP header by using a new TCP Option, in the TLS header by using a new TLS Extension Type, in a new IPv6 Extension Header, or in an Extended header between the PDCP and IP layers. To realize the application ID transfer and Token derivation, an ETDF (Encrypted Traffic Detection Function) embedded in the UE and a 3rd party function are introduced. The 3rd party function provides the list of Application IDs to be detected and the Token related material to the network and the UE. The UE may derive the Token based on the Token related material and add it in the user-plane packet for the network to detect.
Type III: Network based method
The 3rd party will inform the network of the application ID and the corresponding characteristics of the encrypted traffic flow including IP-Tuple, SNI, etc. and then the network will install the filter accordingly to perform the encrypted traffic detection.
From an architectural perspective, each type of these methods has its own pros and cons, as below.
For Type I: UE assisted Control-plane based method
Pros:
This kind of method does not have an impact on the user plane. The impact is limited to NAS (Non-access stratum) signaling and/or rule distribution. For UE implementation, it is easy to realize with an extension of NAS messages. For the network side’s implementation, it is easy to realize since only the control plane NF (Network Function) needs to be enhanced. It is also possible to deploy only a few control plane entities (e.g. SMF) for the ETD feature; in this case, the supporting SMF can be selected with the UE reporting a specific S-NSSAI (Single Network Slice Selection Assistance Information) and/or DNN (Data Network Name). For coordination with other WGs (Working Groups), it does not need any other WGs or SDOs (Standard Organizations) to extend the current protocol, so the impacts can be limited within SA2 (Service and System Aspect, Working Group #2). It does not need the OTT (Over The Top) server to support the Rx trigger.
Cons:
When encrypted traffic starts, the first few packets may be missed before the filter is properly installed. Moreover, it needs additional signaling.
For Type II: UE assisted User-plane based method.
Pros:
It will not miss any of the encrypted packets. It does not need OTT server to support Rx trigger.
Cons:
For UE implementation, it needs to extend the user plane packets, which is difficult for product design. For the network side’s implementation, it needs to deploy the feature on all UPFs (User Plane Functions), otherwise the routing path will be restricted. It is a relatively big challenge for the UPF, because the UPF must detect the Token, which is added only in the first packet or the first few packets. Moreover, it needs the UPF to count the first detected packets into a temporary volume before installing the filter and then correlate the temporary volume into the application ID’s volume. For coordination with other WGs, it may need CT4 (Core Network Technology 4) and/or RAN2 (Radio Access Network 2) to extend existing user plane protocols. If free space defined by another SDO (e.g. IETF (Internet Engineering Task Force)) is reused, it should be ensured that the free space is not used for other purposes and that the space is large enough.
For Type III: network-side based method
Pros:
It does not impact the UE and largely reuses existing functionalities.
Cons:
For the network side’s implementation, it needs every OTT server to connect to the MNO’s (Mobile Network Operator’s) PCF (Policy Control Function). It is very inflexible and expensive for the network side’s implementation, which leads to a very long TTM (Time to Market). It is difficult for a roaming case, e.g. it is difficult to support outbound roaming in the LBO (Local Breakout) case. It is possible that the amount of network signaling, and hence the interface capacity it needs, will have to be extended again and again as the service volume increases.
As shown by the above analysis, each method has its own pros and cons, and the UE and the network may each support a different set of these methods. Therefore, in embodiments of the present application, it is proposed to introduce a negotiation for the encrypted traffic detection method so as to avoid a mismatch between the UE and the network.
Fig. 2 is a schematic flow chart of a communication method 200 for the negotiation between a terminal device and a core network device according to an embodiment of the present application. The terminal device and the core network device may be those described in the above and with reference to Fig. 1. As shown in Fig. 2, from the view of the terminal device, the method 200 includes the following.
At S210, the terminal device sends first information indicating one or more methods of encrypted traffic detection supported by the terminal device to the core network device.
In one embodiment of the present application, the terminal device may send an uplink signaling message including the first information to the core network device. For example, the terminal device includes the first information in an uplink signaling message to be sent to the core network device and then sends the uplink signaling message to the core network device. Specifically, the terminal device determines the methods of encrypted traffic detection supported by the terminal device itself and generates the first information. In an example, the terminal device generates first information indicating all of methods it supports. In another example, the terminal device generates first information indicating one or more of methods it supports.
In one embodiment of the present application, the first information indicates at least one of the following:
(1) whether the terminal device supports a user equipment assisted method of encrypted traffic detection;
(2) type of a user equipment assisted method of encrypted traffic detection supported by the terminal device;
(3) subtype of a user equipment assisted method of encrypted traffic detection supported by the terminal device.
At first, item (1), i.e. whether the terminal device supports any of the Type I and II methods mentioned above, is determined. If the terminal device supports any of the Type I and II methods, item (2) is determined so as to determine the type of the methods supported by the terminal device, e.g. Type I or Type II or both of them. Then, the subtype of the supported method(s) is determined (item (3)). For example, the subtype of the supported method(s) can be any of the following: control-plane based type with the OTT layer providing detection rules, control-plane based type with the core network providing detection rules, user-plane based type in which the token can be added to specific layers for traffic detection. It can be seen that items (1) to (3) correspond to successively lower levels. In one embodiment of the present application, if the terminal device supports all methods at a certain level, then the terminal device does not need to report information about the lower level(s) in the first information. For example, if the terminal device supports all control-plane based methods while not supporting other types, then it just reports in the first information that the terminal device supports control-plane based methods (level 2).
In one embodiment of the present application, the first information also indicates priorities of the one or more methods supported by the terminal device. The priorities can be determined by the terminal device and be representative of orders of the terminal device’s preference for using the individual methods.
The uplink signaling message may be any signaling message from the terminal device to the core network device, which may be a network function entity in a network such as the core network 130 shown in Fig. 1. In some embodiments of the present application, the terminal device includes the first information in an uplink signaling message, for example a first uplink signaling message which is a NAS message, to be sent to the core network device during at least one of: the registration procedure of the terminal device; the attach procedure of the terminal device; a PDU (Protocol Data Unit) session establishment procedure; or a PDU session modification procedure.
For example, during a registration or attach procedure of the terminal device, the terminal device firstly sends a registration or attach request to the core network device. In this case, the terminal device may include the first information in the registration or attach request and send the registration or attach request including the first information to the core network device. Likewise, during a PDU session establishment or modification procedure, the terminal device may include the first information in the PDU session establishment or modification request and send the PDU session establishment or modification request including the first information to the core network device.
At S230, the terminal device receives from the core network device second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device.
The method of encrypted traffic detection to be used may be determined by the core network device based on the first information (S220) . For example, the method of encrypted traffic detection to be used is selected by the core network device from the one or more methods indicated in the first information. In one example, the method to be used is one method. In another example, the method to be used is two or more methods, e.g. a prioritized list of the methods. The details of determining the method to be used will be described later in the communication method from the view of the core network device.
In one embodiment of the present application, the terminal device receives from the core network device the second information which is included in a downlink signaling message sent from the core network device to the terminal device. The downlink signaling message may be any of signaling messages sent from the core network device to the terminal device, in particular a downlink signaling message as a response to the uplink message including the first information. For example, the terminal device receives from the core network device a downlink signaling message including the second information during at least one of: registration procedure of the terminal device; attach procedure of the terminal device; PDU session establishment procedure; or PDU session modification procedure.
Figs. 3-4 show four examples of the communication method during four procedures as mentioned in the above, respectively. Fig. 3 shows a registration or attach procedure of the terminal device, and Fig. 4 shows a PDU session establishment or modification procedure initiated by the terminal device. It should be noted that each of Figs. 3 and 4 shows only some of steps of the procedures which are related to embodiments of the negotiation between the terminal device and the core network device according to the present application, rather than a complete registration/attach procedure or a complete PDU session establishment/modification procedure.
As shown in Fig. 3, the first information is included in a registration or attach request and sent from the terminal device to the core network device (S310). The registration may refer to an initial registration of the terminal device or a registration due to location update. As known from for example 3GPP (the 3rd Generation Partnership Project), when the terminal device is registered or attached with the core network on the registration or attach request, a registration or attach response is sent from the core network side to the terminal device. In some embodiments of the present application, the terminal device receives the second information through receiving the registration or attach response including the second information sent from the core network device (S320). As such, the negotiation on use of the method of encrypted traffic detection is achieved during the registration/attach procedure between the terminal device and the core network side.
Likewise, as shown in Fig. 4, the first information is included in a PDU session establishment or modification request and sent from the terminal device to the core network device (S410). Similarly, during the PDU session establishment/modification procedure, a PDU session establishment/modification response to the PDU session establishment/modification request is sent from the core network side to the terminal device. In some embodiments of the present application, the terminal device receives the second information through receiving the PDU session establishment/modification response including the second information sent from the core network device (S420). As such, the negotiation on use of the method of encrypted traffic detection is achieved during the PDU session establishment/modification procedure between the terminal device and the core network side.
At S240, the terminal device performs a processing according to the method of encrypted traffic detection to be used.
Turn back to Fig. 2. After receiving the second information indicating the method of encrypted traffic detection to be used in the communication between the terminal device and the core network side, the terminal device performs a processing according to the method determined to be used. For example, the terminal device reports the application ID and corresponding filter information to the network side if the method to be used is a control-plane based method. For another example, the terminal device adds a Token/AppKey into the first user plane packet to the core network side if the method to be used is a user-plane based method. Correspondingly, the core network side performs the encrypted traffic detection according to the method to be used.
As mentioned above, the second information may indicate more than one method to be used. In particular, the second information may also indicate priorities of these methods to be used, which may be determined by the core network device and be representative of the core network device’s preference. In this case, after receiving the second information, the terminal device may select one of the methods indicated in the second information as the final method to be used and perform a processing according to the final method to be used as mentioned above. In an example, the terminal device may select the final method to be used freely. In another example, the terminal device may select the final method based on the priorities of the methods indicated in the second information and/or the priorities of the methods supported by the terminal device. For example, the terminal device may select the one with the highest priority.
In one embodiment of the present application, if the terminal device does not support any UE assisted method of encrypted traffic detection, it will indicate this in the first information, or will not report any information about methods supported by the terminal device. If the core network device receives first information indicating that the terminal device does not support any UE assisted method, or receives no information about methods supported by the terminal device, for example during the procedures mentioned above, the core network device determines that the terminal device does not support any UE assisted method and may use a network-side based method (Type III) for detecting the encrypted traffic. Similarly, if the terminal device does not receive second information indicating the method to be used from the core network device, or receives second information indicating that a network-side based method is determined to be used, the terminal device will not apply any UE assisted method of encrypted traffic detection to the communication with the core network.
The above description is made from the view of the terminal device. A description of embodiments of the communication method according to the present application will be made below from the view of the core network side with reference to Fig. 2. In this case, the communication method includes the following steps.
At S210, the core network device receives from the terminal device first information indicating one or more methods of encrypted traffic detection supported by the terminal device.
This receiving step by the core network device corresponds to the sending step at S210 by the terminal device as described above from the view of the terminal device. As mentioned, the first information can be included in an uplink signaling message sent from the terminal device to the core network device. For example, the core network device receives from the terminal device the first uplink signaling message including the first information during at least one of: the registration procedure of the terminal device; the attach procedure of the terminal device; a PDU (Protocol Data Unit) session establishment procedure; or a PDU session modification procedure. More specifically, the core network device receives from the terminal device a registration/attach request including the first information during the registration/attach procedure, or a PDU session establishment/modification request including the first information during the PDU session establishment/modification procedure.
At S220, the core network device determines a method of encrypted traffic detection to be used in a communication with the terminal device based on the first information.
In one embodiment of the present application, after receiving and deriving the first information, the core network device compares the one or more methods indicated in the first information with one or more methods supported by the core network device, and selects one of the methods indicated in the first information which matches one of the methods supported by the core network device, as the method of encrypted traffic detection to be used. In an example, the information about methods supported by the core network device is stored in for example a UDM (Unified Data Management) entity, and may be identical or different for different terminal devices. In this case, after receiving the first information, the core network device compares the methods indicated in the corresponding information stored in the UDM with those indicated in the first information, and determines those supported by both the terminal device and the core network device. If only one method matches, the core network device determines that one as the method to be used. If more than one method matches, the core network device further selects one of these matched methods. For example, the core network device can select one of the matched methods based on the priorities of these matched methods, e.g. the one which has the highest priority among them. The priority may refer to the priorities of the methods supported by the terminal device, which can be indicated in the first information as mentioned above. Also, the priority can refer to the priorities of the methods supported by the core network device. For example, the information about methods supported by the core network device may indicate priorities of these methods, which may be determined by the core network device and be representative of the core network device’s preference for using the respective methods.
Alternatively, the core network device may select the method to be used from the matched methods based on both the two priorities respective for the terminal device and the core network device.
Alternatively, the core network device selects more than one method to be used and returns them back to the terminal device in the second information. In particular, the second information indicates priorities of these methods to be used. As mentioned above, the terminal can select one from these methods as the final method to be used.
In one embodiment of the present application, if the result of the comparison shows that none of the methods indicated in the first information matches those supported by the core network device, the core network device does not determine any method as the method to be used.
At S230, the core network device sends second information indicating the method of encrypted traffic detection to be used to the terminal device.
This sending step by the core network device corresponds to the receiving step at S230 by the terminal device as described above from the view of the terminal device. The core network device may include the second information in a downlink signaling message to be sent to the terminal device and send the downlink signaling message to the terminal device.
As mentioned in the description from the view of the terminal device, the downlink signaling message may be any of signaling messages sent from the core network device to the terminal device, in particular a downlink signaling message as a response to the uplink message including the first information. For example, the core network device sends a downlink signaling message including the second information during at least one of: registration procedure of the terminal device; attach procedure of the terminal device; PDU session establishment procedure; or PDU session modification procedure. With reference to Figs. 3-4, as examples, the core network device may include the second information in a registration/attach response during the registration/attach procedure, or in a PDU session establishment/modification response during the PDU session establishment/modification procedure.
Additionally, the core network device may perform a processing according to the method to be used at S240. As mentioned above, the core network side performs the encrypted traffic detection according to the method to be used, for example.
For other related details of the method from the view of the core network device, please refer to the description from the view of the terminal device, which are omitted here for the sake of brevity.
It should be noted that the term “core network device” may refer to one or more communication devices in the core network, and each step performed by the core network device may be performed by one or more of those communication devices, either separately or in combination. For example, in a 5G network, a core network device as mentioned in the present application may correspond to one or more network function entities. As an example, the core network device may refer to an AMF entity, in which case the AMF entity may perform each of S210-S230 so as to implement the embodiments of the communication method described above. As another example, the core network device may refer to both an AMF entity and a PCF entity, in which case the PCF entity may determine the method to be used at S220 and send the second information to the AMF entity, and in turn the AMF entity forwards the second information to the terminal device, for example by including the second information in a downlink signaling message and sending the downlink signaling message to the terminal device.
From the description above, it can be seen that a negotiation on the use of a method of encrypted traffic detection between a terminal device and the core network side can be enabled by sending information about the methods supported by the terminal device to the core network device, determining the method to be used based on that information at the core network device, and informing the terminal device of the determined method to be used, through which a mismatch on the use of the methods can be avoided.
Fig. 5 is a schematic flow chart of a communication method 500 for the negotiation between a terminal device and a core network device according to another embodiment of the present application. The terminal device and the core network device may be those described in the above.
A description of the communication method 500 will be made below from the view of the core network device.
At S510, the core network device sends first information indicating one or more methods of encrypted traffic detection to a terminal device, which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device.
In one embodiment of the present application, the core network device may send a downlink signaling message including the first information to the terminal device. For example, the core network device includes the first information in a downlink signaling message to be sent to the terminal device and then sends the downlink signaling message to the terminal device. Specifically, the core network device determines the methods of encrypted traffic detection supported by the core network device itself and generates the first information. In an example, the information about the methods supported by the core network device is stored in, for example, a UDM (Unified Data Management) entity, and may be identical or different for different terminal devices. In an example, the core network device generates first information indicating all of the supported methods. That is, all of the methods it supports are determined by the core network device as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device. In another example, the core network device generates first information indicating one or some of the methods it supports. That is, one or some of the supported methods are determined by the core network device as candidates for a method of encrypted traffic detection to be used in the communication with the terminal device.
In one embodiment of the present application, the first information indicates at least one of the following:
(1) whether the core network device supports a user equipment assisted method of encrypted traffic detection;
(2) type of a user equipment assisted method of encrypted traffic detection supported by the core network device;
(3) subtype of a user equipment assisted method of encrypted traffic detection supported by the core network device.
First, item (1), i.e. whether the core network device supports any of the Type I and Type II methods mentioned above, is determined. If the core network device supports any of them, item (2) is determined so as to identify the type of the supported methods, i.e. Type I, Type II or both. Then the subtype of the supported method(s) is determined (item (3)). For example, the subtype of the supported method(s) can be any of the following: control-plane based type with the OTT layer providing the detection rules; control-plane based type with the core network providing the detection rules; user-plane based type in which a token is added to specific layers for traffic detection. Items (1) to (3) thus form successively lower levels of detail. In one embodiment of the present application, if the core network device supports all of the methods at a certain level, it does not need to report information about the lower level(s) in the first information. For example, if the core network device supports all control-plane based methods and no other type, it just reports in the first information that it supports control-plane based methods (level 2).
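The three-level encoding of items (1) to (3) and the rule that a fully supported level is reported without its sub-levels, as an added example in Python. This is not code from the patent or from the applicant: the page names the levels and the three subtypes but defines no code points or message layout for them, so the identifiers, the dictionary layout and the validation of malformed input are assumptions. The example also shows the inverse operation, expanding a received first information into the concrete set of offered subtypes, including the case where the sender reports no UE-assisted support at all.

```python
"""Three-level encoding of the 'first information' (items (1)-(3)).

Added example, not code from the patent or the applicant. The identifiers
below and the dict layout are assumptions; the page names the levels and
the three subtypes but defines no code points for them.
"""

# Level 2 (type) -> level 3 (subtypes). The page lists two control-plane
# subtypes and one user-plane subtype; which of them it calls "Type I"
# and "Type II" is not fixed here.
SUBTYPES_BY_TYPE = {
    "control_plane": ["CP_OTT_RULES", "CP_CN_RULES"],
    "user_plane": ["UP_TOKEN"],
}


def compact(supported):
    """Build the first information from the concrete set of supported subtypes.

    Rule from the text: if every subtype of a type is supported, report only
    the type (level 2) and omit its subtypes (level 3). If nothing is
    supported, only item (1) is reported, as False.
    """
    supported = set(supported)
    known = {s for subs in SUBTYPES_BY_TYPE.values() for s in subs}
    unknown = supported - known
    if unknown:
        raise ValueError(f"unknown subtype(s): {sorted(unknown)}")
    types = {}
    for typ, subs in SUBTYPES_BY_TYPE.items():
        have = [s for s in subs if s in supported]
        if not have:
            continue
        # None means "all subtypes of this type", so level 3 is omitted.
        types[typ] = None if len(have) == len(subs) else have
    return {"ue_assisted": bool(types), "types": types}


def expand(first_information):
    """Inverse of compact(): the concrete set of subtypes the peer offers.

    A message that says ue_assisted=False, or no message at all (None),
    expands to the empty set, i.e. the peer offers no UE-assisted method.
    A subtype listed under the wrong type is rejected rather than guessed.
    """
    if not first_information or not first_information.get("ue_assisted"):
        return set()
    offered = set()
    for typ, subs in first_information.get("types", {}).items():
        if typ not in SUBTYPES_BY_TYPE:
            raise ValueError(f"unknown type: {typ}")
        known = SUBTYPES_BY_TYPE[typ]
        if subs is None:
            offered.update(known)
        else:
            bad = set(subs) - set(known)
            if bad:
                raise ValueError(f"subtype(s) {sorted(bad)} do not belong to {typ}")
            offered.update(subs)
    return offered


if __name__ == "__main__":
    # Constructed sample: both control-plane subtypes, no user-plane method.
    info = compact({"CP_OTT_RULES", "CP_CN_RULES"})
    print(info)  # {'ue_assisted': True, 'types': {'control_plane': None}}
    print(sorted(expand(info)))  # ['CP_CN_RULES', 'CP_OTT_RULES']
```

Because `expand()` refuses a subtype that does not belong to the type it is listed under, a receiver never ends up offering or selecting a method that the sender's own hierarchy does not describe.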
In one embodiment of the present application, the first information also indicates priorities of the one or more methods determined as candidates by the core network device. The priorities can be determined by the core network device and be representative of orders of the core network device’s preference for using the individual methods.
The downlink signaling message may be any of signaling message from the core network device to the terminal device. For example, the core network device includes the first information in a UCU (UE Configuration Update) request to be sent to the terminal device during a UCU procedure.
At S530, the core network device receives from the terminal device second information indicating the method of encrypted traffic detection to be used in the communication with the terminal device, which is determined by the terminal device based on the first information.
The method of encrypted traffic detection to be used may be determined by the terminal device based on the first information (S520). For example, the method of encrypted traffic detection to be used is selected by the terminal device from the candidate methods indicated in the first information. In one example, the method to be used is a single method. In another example, the method to be used is two or more methods, e.g. a prioritized list of methods. The details of determining the method to be used will be described later in the communication method from the view of the terminal device.
In one embodiment of the present application, the core network device receives from the terminal device the second information which is included in an uplink signaling message sent from the terminal device to the core network device. The uplink signaling message may be any of signaling messages sent from the terminal device to the core network device, in particular an uplink signaling message as a response to the downlink message including the first information. As mentioned above, the core network device may include the first information in a UCU (UE Configuration Update) request and send to the terminal device during a UCU procedure. In this case, the core network device receives an acknowledgement message to the UCU request, which includes the second information, from the terminal device during the UCU procedure. As such, the negotiation on use of the method of encrypted traffic detection is achieved during the UCU procedure by communicating the first and second information between the core network device and the terminal device.
At S540, the core network device performs processing according to the method of encrypted traffic detection to be used.
After receiving the second information indicating the method of encrypted traffic detection to be used in the communication between the terminal device and the core network side, the core network device performs processing according to the method determined to be used. For example, the core network device performs the encrypted traffic detection according to the method to be used. Correspondingly, the terminal device also performs processing according to the method to be used. For example, the terminal device reports the application ID and corresponding filter information to the network side if the method to be used is a control-plane based method. For another example, the terminal device adds a Token/AppKey into the first user plane packet to the core network side if the method to be used is a user-plane based method.
As mentioned above, the second information may indicate more than one method to be used. For example, the method to be used indicated in the second information is a prioritized list of one or more methods. The priorities of these methods may be determined by the terminal device and represent the terminal device’s preference. In this case, after receiving the second information, the core network device may select one of the methods indicated in the second information as the final method to be used and perform processing according to that final method as mentioned above. In an example, the core network device may select any one of them as the final method to be used. In another example, the core network device may select the final method based on the priorities of the methods indicated in the second information and/or the priorities of the methods supported by the core network device. For example, the core network device may select the one with the highest priority.
In one embodiment of the present application, if the core network device does not support any of UE assisted methods of encrypted traffic detection, it will indicate this in the first information, or will not report any information about methods supported by the core network device. If the terminal device receives the first information indicating that the core network device does not support any of UE assisted methods or no information about methods supported by the core network device for example during the UCU procedure, the terminal device determines that the core network device does not support any of UE assisted methods and may use a network-side based method (Type III) for detecting the encrypted traffic. Similarly, if the core network device does not receive second information indicating the method to be used from the terminal device, the core network device will not apply any UE assisted method of encrypted traffic detection to the communication with the terminal device.
The above description is made from the view of the core network device. A description of embodiments of the communication method according to the present application will be made below from the view of the terminal device with reference to Fig. 5. In this case, the communication method includes the following steps.
At S510, the terminal device receives from the core network device first information indicating one or more methods of encrypted traffic detection which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device.
This receiving step by the terminal device corresponds to the sending step at S510 by the core network device as described above from the view of the core network device. As mentioned, the first information can be included in a downlink signaling message sent from the core network device to the terminal device. For example, the terminal device receives the UCU request including the first information during the UCU procedure.
At S520, the terminal device determines the method of encrypted traffic detection to be used in the communication with the terminal device based on the first information.
In one embodiment of the present application, after receiving the first information, the terminal device compares the one or more methods indicated in the first information with the methods supported by the terminal device and determines those supported by both the terminal device and the core network device. If exactly one method matches, the terminal device determines that method as the method to be used. If more than one method matches, the terminal device further selects one of the matched methods, for example based on their priorities: the terminal device selects the matched method with the highest priority. The priority may be the priority of the methods supported by the core network device, which can be indicated in the first information as mentioned above, or the priority of the methods supported by the terminal device, which may be determined by the terminal device and represent its preference for using the respective methods. Alternatively, the terminal device may select the method to be used from the matched methods based on both priorities, that of the terminal device and that of the core network device.
Alternatively, the terminal device selects more than one method to be used and returns them to the core network device in the second information. In particular, the second information indicates priorities of these methods. As mentioned above, the core network device can then select one of them as the final method to be used.
In one embodiment of the present application, if the comparison shows that none of the methods indicated in the first information matches a method supported by the terminal device, the terminal device does not determine any method as the method to be used.
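Both selection procedures, the core-network-side one described at the start of this section for method 200 (the terminal offers in a registration request, the core network decides and answers in the response) and the terminal-side one just described for method 500 (the core network offers in a UCU request, the terminal decides and answers in the acknowledgement), as an added example in Python. This is not code from the patent or from the applicant: the method identifiers, the message dictionaries, the three selection policies and the network-side fallback label are assumptions, since the page names the messages and the priority rules but gives no encoding for them. The lists are already-expanded subtype identifiers ordered by priority, highest first. The `accept()` check, which makes the receiver of a second information verify that it names only methods the receiver itself offered before acting on it, is a practitioner's addition rather than a step the page describes; it is what turns "a mismatch can be avoided" into an enforced property.

```python
"""Negotiation of the encrypted-traffic-detection method in both directions
(method 200 and method 500) on flat, priority-ordered lists.

Added example, not the patent's or the applicant's code. Identifiers,
message dicts, policies and the fallback label are assumptions.
"""

# Assumed identifiers for the UE-assisted methods named in the text.
CP_OTT_RULES = "CP_OTT_RULES"  # control-plane based, OTT layer provides rules
CP_CN_RULES = "CP_CN_RULES"    # control-plane based, core network provides rules
UP_TOKEN = "UP_TOKEN"          # user-plane based, Token/AppKey in first UL packet
NETWORK_SIDE = "TYPE_III"      # no UE assistance; network-side detection only


def determine(offered, supported, policy="peer", keep_all=False):
    """Match the peer's offer against our support list and select.

    Both lists are priority-ordered, highest priority first. Returns the
    method(s) to be used, or [] when nothing matches (the "no method" case).
    policy: 'peer' = peer's priorities, 'own' = our priorities,
            'both' = smallest sum of the two ranks.
    keep_all: return the whole matched set as a prioritized list.
    """
    matched = [m for m in offered if m in supported]
    if not matched:
        return []
    rank = {
        "peer": offered.index,
        "own": supported.index,
        "both": lambda m: offered.index(m) + supported.index(m),
    }[policy]
    ordered = sorted(matched, key=rank)
    return ordered if keep_all else ordered[:1]


def accept(second_information, offered):
    """Validate the peer's answer before acting on it.

    The answer must name only methods we actually offered. An empty answer
    means the negotiation found nothing; a foreign method means a buggy or
    tampered message. In both cases fall back to network-side detection
    rather than run a method we never offered.
    """
    chosen = second_information.get("methods", [])
    if not chosen or any(m not in offered for m in chosen):
        return NETWORK_SIDE
    return chosen[0]


def method_200(ue_supported, cn_supported, cn_policy="own"):
    """Terminal offers in the registration request; core network answers in
    the registration response. Returns (ue_view, cn_view) of the method."""
    registration_request = {"first_information": {"methods": list(ue_supported)}}
    chosen = determine(registration_request["first_information"]["methods"],
                       cn_supported, policy=cn_policy)
    registration_response = {"second_information": {"methods": chosen}}
    ue_method = accept(registration_response["second_information"], ue_supported)
    cn_method = chosen[0] if chosen else NETWORK_SIDE
    return ue_method, cn_method


def method_500(cn_candidates, ue_supported, ue_policy="peer", ue_returns_list=False):
    """Core network offers in a UCU request; terminal answers in the
    acknowledgement. If the terminal returns a prioritized list, the core
    network takes its highest-priority entry as the final method."""
    ucu_request = {"first_information": {"methods": list(cn_candidates)}}
    chosen = determine(ucu_request["first_information"]["methods"], ue_supported,
                       policy=ue_policy, keep_all=ue_returns_list)
    ucu_ack = {"second_information": {"methods": chosen}}
    cn_method = accept(ucu_ack["second_information"], cn_candidates)
    ue_method = chosen[0] if chosen else NETWORK_SIDE
    return ue_method, cn_method


if __name__ == "__main__":
    # Constructed sample capability lists (assumption, not from the page).
    print(method_200([UP_TOKEN, CP_CN_RULES], [CP_OTT_RULES, CP_CN_RULES]))
    print(method_500([CP_OTT_RULES, CP_CN_RULES, UP_TOKEN], [UP_TOKEN, CP_CN_RULES],
                     ue_policy="own", ue_returns_list=True))
    print(method_200([UP_TOKEN], [CP_OTT_RULES]))  # no overlap: both fall back
```

Both helpers return the method from each side's point of view so that a unit test can assert the two views agree, which is the property the negotiation exists to guarantee.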
At S530, the terminal device sends second information indicating the method of encrypted traffic detection to be used to the core network device.
This sending step by the terminal device corresponds to the receiving step at S530 by the core network device as described above from the view of the core network device. The terminal device may include the second information in an uplink signaling message to be sent to the core network device and send that uplink signaling message to the core network device.
As mentioned in the description from the view of the core network device, the uplink signaling message may be any of the signaling messages sent from the terminal device to the core network device, in particular an uplink signaling message sent in response to the downlink message including the first information. As mentioned, the core network device may include the first information in a UCU request during the UCU procedure. Correspondingly, the terminal device includes the second information in an acknowledgement message for the UCU request and sends the acknowledgement message to the core network device during the UCU procedure.
Additionally, the terminal device may perform processing according to the method to be used at S540. For example, as mentioned above, the terminal device reports the application ID and corresponding filter information to the network side if the method to be used is a control-plane based method, or adds a Token/AppKey into the first user plane packet to the core network side if the method to be used is a user-plane based method.
For other related details of the method from the view of the terminal device, please refer to the description from the view of the core network device, which are omitted here for the sake of brevity.
It should be noted that the term “core network device” may refer to one or more communication devices in the core network, and each step performed by the core network device may be performed by one or more of those communication devices, either separately or in combination. For example, in a 5G network, a core network device as mentioned in the present application may correspond to one or more network function entities. As an example, the core network device may refer to an AMF entity, in which case the AMF entity may perform each of S510 and S530 so as to implement the embodiments of the communication method described above. As another example, the core network device may refer to both an AMF entity and a PCF entity, in which case the PCF entity may determine the candidates for a method to be used and send the first information to the AMF entity, and in turn the AMF entity forwards the first information to the terminal device, for example by including the first information in a downlink signaling message and sending the downlink signaling message to the terminal device.
From the description above, it can be seen that a negotiation on the use of a method of encrypted traffic detection between a terminal device and a core network device can be enabled by sending information about candidates for the method of encrypted traffic detection to be used to the terminal device, determining the method to be used based on that information at the terminal device, and informing the core network device of the determined method to be used, through which a mismatch on the use of the methods can be avoided.
Fig. 6 is a schematic block diagram of a terminal device 600 according to an embodiment of the present application. As shown in Fig. 6, the terminal device 600 includes: a transmitting unit 610 configured to send first information indicating one or more methods of encrypted traffic detection supported by the terminal device to a core network device;
a receiving unit 620 configured to receive from the core network device second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device, which is determined by the core network device based on the first information;
a processing unit 630 configured to enable the terminal device to perform the method of encrypted traffic detection to be used.
In one example, the transmitting unit 610 is configured to:
include the first information in an uplink signaling message to be sent to the core network device;
send the uplink signaling message including the first information to the core network device.
In one example, the transmitting unit 610 is configured to:
include the first information in an uplink signaling message to be sent to the core network device during at least one of:
registration procedure of the terminal device;
attach procedure of the terminal device;
PDU session establishment procedure;
PDU session modification procedure.
In one example, in a case of including the first information in an uplink signaling message to be sent to the core network device during registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
In one example, in a case of including the first information in an uplink signaling message to be sent to the core network device during attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
In one example, in a case of including the first information in an uplink signaling message to be sent to the core network device during PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
In one example, in a case of including the first information in an uplink signaling message to be sent to the core network device during PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
In one example, the receiving unit 620 is configured to:
receive from the core network device a downlink signaling message including the second information.
In one example, the receiving unit 620 is configured to: receive from the core network device a downlink signaling message including the second information during at least one of:
registration procedure of the terminal device;
attach procedure of the terminal device;
PDU session establishment procedure;
PDU session modification procedure.
In one example, in a case of receiving from the core network device a downlink signaling message including the second information during registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure sent from the core network device to the terminal device.
In one example, in a case of receiving from the core network device a downlink signaling message including the second information during attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure sent from the core network device to the terminal device.
In one example, in a case of receiving from the core network device a downlink signaling message including the second information during PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure sent from the core network device to the terminal device.
In one example, in a case of receiving from the core network device a downlink signaling message including the second information during PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure sent from the core network device to the terminal device.
It should be understood that the terminal device 600 can correspond to the terminal device in the embodiments of the method 200 and can implement the corresponding functions of that terminal device, which are omitted herein for the sake of brevity.
Fig. 7 is a schematic block diagram of a core network device 700 according to an embodiment of the present application. As shown in Fig. 7, the core network device 700 includes:
a receiving unit 710 configured to receive from a terminal device first information indicating one or more methods of encrypted traffic detection supported by the terminal device;
a processing unit 720 configured to determine a method of encrypted traffic detection to be used in a communication with the terminal device based on the first information;
a transmitting unit 730 configured to send second information indicating the method of encrypted traffic detection to be used to the terminal device.
In one example, the receiving unit 710 is configured to:
receive an uplink signaling message including the first information sent from the terminal device.
In one example, the receiving unit 710 is configured to:
receive an uplink signaling message including the first information sent from the terminal device during at least one of:
registration procedure of the terminal device;
attach procedure of the terminal device;
PDU session establishment procedure;
PDU session modification procedure.
In one example, in a case of receiving an uplink signaling message including the first information sent from the terminal device during registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure sent from the terminal device to the core network device.
In one example, in a case of receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure sent from the terminal device to the core network device.
In one example, in a case of receiving an uplink signaling message including the first information sent from the terminal device during PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
In one example, in a case of receiving an uplink signaling message including the first information sent from the terminal device during PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure sent from the terminal device to the core network device.
In one example, the transmitting unit 730 is configured to:
include the second information in a downlink signaling message to be sent to the terminal device;
send the downlink signaling message including the second information to the terminal device.
In one example, the transmitting unit 730 is configured to:
include the second information in a downlink signaling message to be sent to the terminal device during at least one of:
registration procedure of the terminal device;
attach procedure of the terminal device;
PDU session establishment procedure;
PDU session modification procedure.
In one example, in a case of including the second information in a downlink signaling message to be sent to the terminal device during registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
In one example, in a case of including the second information in a downlink signaling message to be sent from the core network device to the terminal device during attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
In one example, in a case of including the second information in a downlink signaling message to be sent to the terminal device during PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure to be sent from the core network device to the terminal device.
In one example, in a case of including the second information in a downlink signaling message to be sent to the terminal device during PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
In one example, the processing unit 720 is configured to:
match the one or more methods indicated in the first information with one or more methods supported by the core network device;
select at least one from the one or more methods indicated in the first information which is matched with one of the one or more methods supported by the core network device, as the method of encrypted traffic detection to be used.
In one example, the processing unit 720 is further configured to:
enable the core network device to perform the method of encrypted traffic detection to be used.
It should be understood that the core network device 700 can correspond to the core network device in the embodiments of the method 200 and can implement the corresponding functions of that core network device, which are omitted herein for the sake of brevity.
Fig. 8 is a schematic block diagram of a terminal device 800 according to another embodiment of the present application. As shown in Fig. 8, the terminal device 800 includes: a receiving unit 810 configured to receive from a core network device first information indicating one or more methods of encrypted traffic detection which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
a processing unit 820 configured to determine the method of encrypted traffic detection to be used in the communication with the terminal device based on the first information;
a transmitting unit 830 configured to send second information indicating the method of encrypted traffic detection to be used to the core network device.
In one example, the receiving unit 810 is configured to:
receive a downlink signaling message including the first information sent from the core network device.
In one example, the receiving unit 810 is configured to:
receive a user equipment configuration update request including the first information sent from the core network device during a user equipment configuration update procedure.
In one example, the processing unit 820 is configured to: match the one or more methods of encrypted traffic detection indicated in the first information with one or more methods of encrypted traffic detection supported by the terminal device;
select at least one from the one or more methods of encrypted traffic detection indicated in the first information which is matched with one of the one or more methods of encrypted traffic detection supported by the terminal device, as the method of encrypted traffic detection to be used.
In one example, the transmitting unit 830 is configured to:
include the second information in an uplink signaling message to be sent to the core network device;
send the uplink signaling message to the core network device.
In one example, the transmitting unit 830 is configured to:
include the second information in an acknowledgement message for a user equipment configuration update request during a user equipment configuration update procedure.
It should be understood that the terminal device 800 can correspond to the terminal device in the embodiments of the method 500 and can implement the corresponding functions of that terminal device, which are omitted herein for the sake of brevity.
Fig. 9 is a schematic block diagram of a core network device 900 according to another embodiment of the present application. As shown in Fig. 9, the core network device 900 includes:
a transmitting unit 910 configured to send first information indicating one or more methods of encrypted traffic detection to a terminal device, which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
a receiving unit 920 configured to receive from the terminal device second information indicating the method of encrypted traffic detection to be used in the communication with the terminal device, which is determined by the terminal device based on the first information;
a processing unit 930 configured to enable the core network device to perform the method of encrypted traffic detection to be used.
In one example, the transmitting unit 910 is configured to:
include the first information in a downlink signaling message to be sent to the terminal device;
send the downlink signaling message including the first information to the terminal device.
In one example, the transmitting unit 910 is configured to:
include the first information in a user equipment configuration update request to be sent to the terminal device during a user equipment configuration update procedure, and wherein the receiving unit 920 is configured to:
receive from the terminal device an acknowledgement message for the user equipment configuration update request, which includes the second information.
It should be understood that the core network device 900 may correspond to the core network device in the embodiments of the method 500 and may implement the corresponding functions of that core network device, which are omitted herein for the sake of brevity.
Fig. 10 is a schematic block diagram of a terminal device 1000 according to an embodiment of the present application. As shown in Fig. 10, the terminal device 1000 includes a transceiver 1010 and a processor 1020, wherein the processor 1020 is configured to perform any one of embodiments of the communication method 200 or any one of embodiments of the communication method 500 based on the transceiver 1010.
It should be understood that the terminal device 1000 may correspond to the terminal device in the embodiments of the method 200 or the method 500 and may implement the corresponding functions of that terminal device, which are omitted herein for the sake of brevity.
Fig. 11 is a schematic block diagram of a core network device 1100 according to an embodiment of the present application. As shown in Fig. 11, the core network device 1100 includes a transceiver 1110 and a processor 1120, wherein the processor 1120 is configured to perform any one of embodiments of the communication method 200 or any one of embodiments of the communication method 500 based on the transceiver 1110.
It should be understood that the core network device 1100 may correspond to the core network device in the embodiments of the method 200 or the method 500 and may implement the corresponding functions of that core network device, which are omitted herein for the sake of brevity.
Fig. 12 is a schematic structure diagram of a system on chip (SoC) according to an embodiment of the present application. The SoC 1200 includes a processor 1210 and a memory 1220, wherein the processor 1210 and the memory 1220 are connected via a bus 1230, and the processor 1210 is configured to execute code stored in the memory 1220. In an example, the SoC 1200 may further include an input interface 1240 and an output interface 1250, as shown in Fig. 12.
In one example, when the code is executed, the processor 1210 implements any one of the embodiments of the communication method 200 or 500 that are implemented by a terminal device, which are omitted herein for the sake of brevity.
In one example, when the code is executed, the processor 1210 implements any one of the embodiments of the communication method 200 or 500 that are implemented by a core network device, which are omitted herein for the sake of brevity.
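The following Python is an added example, not the applicant's code and not code from the patent: it models the two negotiation directions described above, the UE-initiated method 200 (first information in an uplink request, second information in the matching downlink response) and the core-network-initiated method 500 (candidates in a user equipment configuration update request, the choice in its acknowledgement), together with the matching step of the processing units 820 and 930 and the priority-based final selection. The patent names no concrete detection methods and no message encoding, so the type/subtype strings, the dictionaries standing in for the signaling messages, and the choice that the initiator's signalled priorities decide the final method are all assumptions of this example.

```python
# Added example, not part of the patent: a runnable model of the two
# negotiation directions (method 200: UE-initiated; method 500:
# core-network-initiated via the UE configuration update procedure).
# The page names no concrete detection methods; every type/subtype string
# below is a constructed placeholder, and the message dicts stand in for the
# signaling messages the description and claims name.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DetectionMethod:
    """A UE-assisted method of encrypted traffic detection, identified by a
    type and a subtype. The values used below are placeholders."""
    type: str
    subtype: str


# Uplink request / downlink response pairs in which the first and second
# information travel in method 200.
SIGNALING_PAIRS = {
    "registration": ("registration request", "registration response"),
    "attach": ("attach request", "attach response"),
    "pdu_session_establishment": ("PDU session establishment request",
                                  "PDU session establishment response"),
    "pdu_session_modification": ("PDU session modification request",
                                 "PDU session modification response"),
}


def select_matching(offered, supported):
    """Matching step of processing units 820/930: the responder keeps every
    offered method it also supports, in its own priority order (the order
    of `supported`)."""
    offered_set = set(offered)
    return [m for m in supported if m in offered_set]


def validate_selection(offered, chosen):
    """The method to be used must be one of those in the first information.
    Anything else in the second information is rejected rather than enabled."""
    offered_set = set(offered)
    extra = [m for m in chosen if m not in offered_set]
    if extra:
        raise ValueError(f"second information names unoffered methods: {extra}")


def choose_final(chosen, initiator_priority) -> Optional[DetectionMethod]:
    """If the second information carries several methods, the initiator picks
    one by priority. Assumption: the priorities applied are the ones the
    initiator signalled in its first information."""
    chosen_set = set(chosen)
    for m in initiator_priority:
        if m in chosen_set:
            return m
    return None  # nothing matched; the page does not define this case


def ue_initiated(ue_supported, cn_supported, procedure="registration"):
    """Method 200: UE -> first information in an uplink request; core
    network -> second information in the matching downlink response."""
    request_name, response_name = SIGNALING_PAIRS[procedure]
    uplink = {"message": request_name, "first_information": list(ue_supported)}
    # core network side: determine the method(s) to be used
    selected = select_matching(uplink["first_information"], cn_supported)
    downlink = {"message": response_name, "second_information": selected}
    # terminal side: check the answer, then pick the final method
    validate_selection(uplink["first_information"], downlink["second_information"])
    final = choose_final(downlink["second_information"], ue_supported)
    return uplink, downlink, final


def cn_initiated(cn_candidates, ue_supported):
    """Method 500: core network -> candidates in a UE configuration update
    request; UE -> its choice in the acknowledgement."""
    request = {"message": "UE configuration update request",
               "first_information": list(cn_candidates)}
    # terminal side (processing unit 820): match candidates against support
    selected = select_matching(request["first_information"], ue_supported)
    ack = {"message": "UE configuration update acknowledgement",
           "second_information": selected}
    # core network side: check the answer, then pick the final method
    validate_selection(request["first_information"], ack["second_information"])
    final = choose_final(ack["second_information"], cn_candidates)
    return request, ack, final


# Constructed sample capabilities (placeholders, not from the page), listed
# in descending priority as each side determines it.
A1 = DetectionMethod("type-A", "subtype-1")
A2 = DetectionMethod("type-A", "subtype-2")
B1 = DetectionMethod("type-B", "subtype-1")
UE_SUPPORTED = [A2, A1, B1]   # the UE prefers A2
CN_SUPPORTED = [B1, A1]       # the core network prefers B1 and cannot do A2

if __name__ == "__main__":
    up, down, final = ue_initiated(UE_SUPPORTED, CN_SUPPORTED, "pdu_session_establishment")
    print(up["message"], "->", down["message"], "->", final)
    req, ack, final = cn_initiated(CN_SUPPORTED, UE_SUPPORTED)
    print(req["message"], "->", ack["message"], "->", final)
```

Running the block shows that the same two capability sets settle on different final methods depending on who initiates, because the initiator's priorities decide among the matched methods. The check in validate_selection is the one a practitioner would add on the side that sent the first information: it only enables a method it actually offered. How the signaling messages themselves are protected is not modelled, since the page does not address it.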
It may be appreciated by a person of ordinary skill in the art that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein may be implemented in electronic hardware, or in a combination of electronic hardware and computer software. Whether these functions are implemented in hardware or software depends on the specific application and the design constraints of the technical solution. A person skilled in the art may implement the described functions in different ways for each specific application, but such implementations shall not be regarded as going beyond the scope of the present application.
A person skilled in the art may clearly understand that, for the sake of convenience and conciseness in description, the corresponding processes in the foregoing method embodiments may be referenced for the specific working processes of the systems, devices and units described above, which are not further described herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices and methods may be implemented by other means. For example, the device embodiments described above are merely schematic. For example, the partitioning of the units may be a partitioning by logical function, and there may be other manners of partitioning in actual implementation. For example, multiple units or components may be combined together or integrated into another system, or some features may be omitted or not executed. In addition, the mutual couplings, direct couplings or communication connections that are shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
The units described as separate components may or may not be physically separated. The components shown as units may or may not be physical units, that is, they may be located in one place or may be distributed over a plurality of network units. Part or all of the units may be selected according to actual needs to achieve the purposes of the methods of the embodiments of the present application.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
The functional units, if implemented in the form of software functional units and sold or used as a standalone product, may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a plurality of instructions for a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method described in the embodiments of the present application. The foregoing storage medium includes various media that may store program code, such as a USB flash disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or the like.
The above description is merely a specific implementation mode of the present application, but the scope of protection of the present application is not limited to this. Any modification or replacement that would be readily conceived by any person skilled in the art within the scope of the technology disclosed in the present application should be within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be defined by the claims.

Claims (101)

  1. A communication method, comprising:
    sending, by a terminal device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device to a core network device;
    receiving from the core network device, by the terminal device, second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device, which is determined by the core network device based on the first information;
    performing, by the terminal device, a processing according to the method of encrypted traffic detection to be used.
  2. The method of claim 1, wherein sending, by a terminal device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device to a core network device comprises:
    including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device;
    sending, by the terminal device, the uplink signaling message including the first information to the core network device.
  3. The method of claim 2, wherein including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device comprises:
    including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during at least one of:
    registration procedure of the terminal device;
    attach procedure of the terminal device;
    PDU session establishment procedure;
    PDU session modification procedure.
  4. The method of claim 2 or claim 3, wherein in a case of including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
  5. The method of claim 2 or claim 3, wherein in a case of including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
  6. The method of claim 2 or claim 3, wherein in a case of including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
  7. The method of claim 2 or claim 3, wherein in a case of including, by the terminal device, the first information in an uplink signaling message to be sent to the core network device during PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
  8. The method of claim 1, wherein receiving from the core network device, by the terminal device, second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device comprises:
    receiving from the core network device, by the terminal device, a downlink signaling message including the second information.
  9. The method of claim 8, wherein receiving from the core network device, by the terminal device, a downlink signaling message including the second information comprises:
    receiving from the core network device, by the terminal device, a downlink signaling message including the second information during at least one of:
    registration procedure of the terminal device;
    attach procedure of the terminal device;
    PDU session establishment procedure;
    PDU session modification procedure.
  10. The method of claim 8 or 9, wherein in a case of receiving from the core network device, by the terminal device, a downlink signaling message including the second information during registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure sent from the core network device to the terminal device.
  11. The method of claim 8 or 9, wherein in a case of receiving from the core network device, by the terminal device, a downlink signaling message including the second information during attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure sent from the core network device to the terminal device.
  12. The method of claim 8 or 9, wherein in a case of receiving from the core network device, by the terminal device, a downlink signaling message including the second information during PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure sent from the core network device to the terminal device.
  13. The method of claim 8 or claim 9, wherein in a case of receiving from the core network device, by the terminal device, a downlink signaling message including the second information during PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure sent from the core network device to the terminal device.
  14. The method of any one of claims 1 to 13, wherein the first information indicates at least one of the following:
    whether the terminal device supports a user equipment assisted method of encrypted traffic detection;
    type of a user equipment assisted method of encrypted traffic detection supported by the terminal device;
    subtype of a user equipment assisted method of encrypted traffic detection supported by the terminal device.
  15. The method of any one of claims 1 to 13, wherein the first information indicates priorities of the one or more methods determined by the terminal device.
  16. The method of any one of claims 1 to 13, wherein the method of encrypted traffic detection to be used is selected by the core network device from the one or more methods indicated in the first information.
  17. The method of any one of claims 1 to 13, wherein the method of encrypted traffic detection to be used which is indicated in the second information comprises a plurality of methods of encrypted traffic detection.
  18. The method of any one of claims 1 to 13, wherein in a case that the method of encrypted traffic detection to be used which is indicated in the second information comprises a plurality of methods of encrypted traffic detection, performing, by the terminal device, a processing according to the method of encrypted traffic detection to be used comprises:
    selecting, by the terminal device, one from the plurality of methods based on priorities of the plurality of methods, as a final method of encrypted traffic detection to be used.
  19. A communication method, comprising:
    receiving from a terminal device, by a core network device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device;
    determining, by the core network device, a method of encrypted traffic detection to be used in a communication with the terminal device based on the first information;
    sending, by the core network device, second information indicating the method of encrypted traffic detection to be used to the terminal device.
  20. The method of claim 19, wherein receiving from a terminal device, by a core network device, first information indicating one or more methods of encrypted traffic detection supported by the terminal device comprises:
    receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device.
  21. The method of claim 20, wherein receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device comprises:
    receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during at least one of:
    registration procedure of the terminal device;
    attach procedure of the terminal device;
    PDU session establishment procedure;
    PDU session modification procedure.
  22. The method of claim 20 or 21, wherein in a case of receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure sent from the terminal device to the core network device.
  23. The method of claim 20 or 21, wherein in a case of receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure sent from the terminal device to the core network device.
  24. The method of claim 20 or 21, wherein in a case of receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
  25. The method of claim 20 or 21, wherein in a case of receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure sent from the terminal device to the core network device.
  26. The method of claim 19, wherein sending, by the core network device, second information indicating the method of encrypted traffic detection to be used to the terminal device comprises:
    including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device;
    sending, by the core network device, the downlink signaling message including the second information to the terminal device.
  27. The method of claim 26, wherein including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device comprises:
    including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device during at least one of:
    registration procedure of the terminal device;
    attach procedure of the terminal device;
    PDU session establishment procedure;
    PDU session modification procedure.
  28. The method of claim 26 or 27, wherein in a case of including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device during registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
  29. The method of claim 26 or 27, wherein in a case of including, by the core network device, the second information in a downlink signaling message to be sent from the core network device to the terminal device during attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
  30. The method of claim 26 or 27, wherein in a case of including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device during PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure to be sent from the core network device to the terminal device.
  31. The method of claim 26 or claim 27, wherein in a case of including, by the core network device, the second information in a downlink signaling message to be sent to the terminal device during PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
  32. The method of any one of claims 19 to 31, wherein the first information indicates at least one of the following:
    whether the terminal device supports a user equipment assisted method of encrypted traffic detection;
    type of a user equipment assisted method of encrypted traffic detection supported by the terminal device;
    subtype of a user equipment assisted method of encrypted traffic detection supported by the terminal device.
  33. The method of any one of claims 19 to 31, wherein the first information indicates priorities of the one or more methods of encrypted traffic detection determined by the terminal device.
  34. The method of any one of claims 19 to 31, wherein determining, by the core network device, a method of encrypted traffic detection to be used in a communication with the terminal device based on the first information comprises:
    comparing, by the core network device, the one or more methods indicated in the first information with one or more methods supported by the core network device;
    selecting, by the core network device, at least one from the one or more methods indicated in the first information which is matched with one of the one or more methods supported by the core network device, as the method of encrypted traffic detection to be used.
  35. The method of any one of claims 19 to 31, further comprising:
    performing, by the core network device, a processing according to the method of encrypted traffic detection to be used.
  36. A communication method, comprising:
    sending, by a core network device, first information indicating one or more methods of encrypted traffic detection to a terminal device, which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
    receiving from the terminal device, by the core network device, second information indicating the method of encrypted traffic detection to be used in the communication with the terminal device, which is determined by the terminal device based on the first information;
    performing, by the core network device, a processing according to the method of encrypted traffic detection to be used.
  37. The method of claim 36, wherein sending, by a core network device, first information indicating one or more methods of encrypted traffic detection to a terminal device comprises:
    including, by the core network device, the first information in a downlink signaling message to be sent to the terminal device;
    sending, by the core network device, the downlink signaling message including the first information to the terminal device.
  38. The method of claim 37, wherein including, by the core network device, the first information in a downlink signaling message to be sent to the terminal device comprises:
    including, by the core network device, the first information in a user equipment configuration update request to be sent to the terminal device during a user equipment configuration update procedure,
    wherein receiving from the terminal device, by the core network device, second information indicating the method of encrypted traffic detection to be used in the communication with the terminal device comprises:
    receiving from the terminal device, by the core network device, an acknowledgement message for the user equipment configuration update request, which includes the second information.
  39. The method of any one of claims 36 to 38, wherein the first information indicates at least one of the following:
    whether the core network device supports a user equipment assisted method of encrypted traffic detection;
    type of a user equipment assisted method of encrypted traffic detection supported by the core network device;
    subtype of a user equipment assisted method of encrypted traffic detection supported by the core network device.
  40. The method of any one of claims 36 to 38, wherein the first information indicates priorities of the one or more methods of encrypted traffic detection determined by the core network device.
  41. The method of any one of claims 36 to 38, wherein the method of encrypted traffic detection to be used is selected by the terminal device from the one or more methods of encrypted traffic detection indicated in the first information.
  42. The method of any one of claims 36 to 38, wherein the method of encrypted traffic detection to be used which is indicated in the second information comprises a plurality of methods of encrypted traffic detection.
  43. The method of any one of claims 36 to 38, wherein in a case that the method of encrypted traffic detection to be used which is indicated in the second information comprises a plurality of methods of encrypted traffic detection, performing, by the core network device, a processing according to the method of encrypted traffic detection to be used comprises:
    selecting, by the core network device, one from the plurality of methods based on priorities of the plurality of methods, as a final method of encrypted traffic detection to be used.
  44. A communication method, comprising:
    receiving from a core network device, by a terminal device, first information indicating one or more methods of encrypted traffic detection which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
    determining, by the terminal device, the method of encrypted traffic detection to be used in the communication with the terminal device based on the first information;
    sending, by the terminal device, second information indicating the method of encrypted traffic detection to be used to the core network device.
  45. The method of claim 44, wherein receiving from a core network device, by a terminal device, first information indicating one or more methods of encrypted traffic detection comprises:
    receiving, by the terminal device, a downlink signaling message including the first information sent from the core network device.
  46. The method of claim 44 or 45, wherein receiving from a core network device, by a terminal device, first information indicating one or more methods of encrypted traffic detection comprises:
    receiving, by the terminal device, a user equipment configuration update request including the first information sent from the core network device during a user equipment configuration update procedure.
  47. The method of claim 44, wherein determining, by the terminal device, the method of encrypted traffic detection to be used in the communication with the terminal device based on the first information comprises:
    comparing, by the terminal device, the one or more methods of encrypted traffic detection indicated in the first information with one or more methods of encrypted traffic detection supported by the terminal device;
    selecting, by the terminal device, at least one from the one or more methods of encrypted traffic detection indicated in the first information which is matched with one of the one or more methods of encrypted traffic detection supported by the terminal device, as the method of encrypted traffic detection to be used.
  48. The method of claim 44, wherein sending, by the terminal device, second information indicating the method of encrypted traffic detection to be used to the core network device comprises:
    including, by the terminal device, the second information in an uplink signaling message to be sent to the core network device;
    sending, by the terminal device, the uplink signaling message to the core network device.
  49. The method of claim 48, wherein including, by the terminal device, the second information in an uplink signaling message to be sent to the core network device comprises:
    including, by the terminal device, the second information in an acknowledgement message for a user equipment configuration update request during a user equipment configuration update procedure.
  50. The method of any one of claims 44 to 49, wherein the first information indicates at least one of the following:
    whether the core network device supports a user equipment assisted method of encrypted traffic detection;
    type of a user equipment assisted method of encrypted traffic detection supported by the core network device;
    subtype of a user equipment assisted method of encrypted traffic detection supported by the core network device.
  51. The method of claim 44, wherein the first information indicates priorities of the one or more methods of encrypted traffic detection indicated in the first information.
  52. A terminal device, comprising:
    a transmitting unit configured to send first information indicating one or more methods of encrypted traffic detection supported by the terminal device to a core network device;
    a receiving unit configured to receive from the core network device second information indicating a method of encrypted traffic detection to be used in a communication with the terminal device, which is determined by the core network device based on the first information;
    a processing unit configured to enable the terminal device to perform the method of encrypted traffic detection to be used.
  53. The terminal device of claim 52, wherein the transmitting unit is configured to:
    include the first information in an uplink signaling message to be sent to the core network device;
    send the uplink signaling message including the first information to the core network device.
  54. The terminal device of claim 52 or 53, wherein the transmitting unit is configured to:
    include the first information in an uplink signaling message to be sent to the core network device during at least one of:
    registration procedure of the terminal device;
    attach procedure of the terminal device;
    PDU session establishment procedure;
    PDU session modification procedure.
  55. The terminal device of claim 54, wherein in a case of including the first information in an uplink signaling message to be sent to the core network device during registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure to be sent from the terminal device to the core network device.
  56. The terminal device of claim 54, wherein in a case of including the first information in an uplink signaling message to be sent to the core network device during attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure to be sent from the terminal device to the core network device.
  57. The terminal device of claim 54, wherein in a case of including the first information in an uplink signaling message to be sent to the core network device during PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
  58. The terminal device of claim 54, wherein in a case of including the first information in an uplink signaling message to be sent to the core network device during PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure to be sent from the terminal device to the core network device.
  59. The terminal device of claim 52, wherein the receiving unit is configured to:
    receive from the core network device a downlink signaling message including the second information.
  60. The terminal device of claim 52 or 59, wherein the receiving unit is configured to:
    receive from the core network device a downlink signaling message including the second information during at least one of:
    registration procedure of the terminal device;
    attach procedure of the terminal device;
    PDU session establishment procedure;
    PDU session modification procedure.
  61. The terminal device of claim 60, wherein in a case of receiving from the core network device a downlink signaling message including the second information during registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure sent from the core network device to the terminal device.
  62. The terminal device of claim 60, wherein in a case of receiving from the core network device a downlink signaling message including the second information during attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure sent from the core network device to the terminal device.
  63. The terminal device of claim 60, wherein in a case of receiving from the core network device a downlink signaling message including the second information during PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure sent from the core network device to the terminal device.
  64. The terminal device of claim 60, wherein in a case of receiving from the core network device a downlink signaling message including the second information during PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure sent from the core network device to the terminal device.
  65. The terminal device of any one of claims 52 to 64, wherein the first information indicates at least one of the following:
    whether the terminal device supports a user equipment assisted method of encrypted traffic detection;
    type of a user equipment assisted method of encrypted traffic detection supported by the terminal device;
    subtype of a user equipment assisted method of encrypted traffic detection supported by the terminal device.
  66. The terminal device of any one of claims 52 to 64, wherein the first information indicates priorities of the one or more methods determined by the terminal device.
  67. The terminal device of any one of claims 52 to 64, wherein the method of encrypted traffic detection to be used is selected by the core network device from the one or more methods indicated in the first information.
  68. A core network device, comprising:
    a receiving unit configured to receive from a terminal device first information indicating one or more methods of encrypted traffic detection supported by the terminal device;
    a processing unit configured to determine a method of encrypted traffic detection to be used in a communication with the terminal device based on the first information;
    a transmitting unit configured to send second information indicating the method of encrypted traffic detection to be used to the terminal device.
  69. The core network device of claim 68, wherein the receiving unit is configured to:
    receive an uplink signaling message including the first information sent from the terminal device.
  70. The core network device of claim 68 or 69, wherein the receiving unit is configured to:
    receive an uplink signaling message including the first information sent from the terminal device during at least one of:
    registration procedure of the terminal device;
    attach procedure of the terminal device;
    PDU session establishment procedure;
    PDU session modification procedure.
  71. The core network device of claim 70, wherein in a case of receiving an uplink signaling message including the first information sent from the terminal device during registration procedure of the terminal device, the uplink signaling message is a registration request of the registration procedure sent from the terminal device to the core network device.
  72. The core network device of claim 70, wherein in a case of receiving, by the core network device, an uplink signaling message including the first information sent from the terminal device during attach procedure of the terminal device, the uplink signaling message is an attach request of the attach procedure sent from the terminal device to the core network device.
  73. The core network device of claim 70, wherein in a case of receiving an uplink signaling message including the first information sent from the terminal device during PDU session establishment procedure, the uplink signaling message is a PDU session establishment request of the PDU session establishment procedure to be sent from the terminal device to the core network device.
  74. The core network device of claim 70, wherein in a case of receiving an uplink signaling message including the first information sent from the terminal device during PDU session modification procedure, the uplink signaling message is a PDU session modification request of the PDU session modification procedure sent from the terminal device to the core network device.
  75. The core network device of claim 68, wherein the transmitting unit is configured to:
    include the second information in a downlink signaling message to be sent to the terminal device;
    send the downlink signaling message including the second information to the terminal device.
  76. The core network device of claim 68 or 75, wherein the transmitting unit is configured to:
    include the second information in a downlink signaling message to be sent to the terminal device during at least one of:
    registration procedure of the terminal device;
    attach procedure of the terminal device;
    PDU session establishment procedure;
    PDU session modification procedure.
  77. The core network device of claim 76, wherein in a case of including the second information in a downlink signaling message to be sent to the terminal device during registration procedure of the terminal device, the downlink signaling message is a registration response of the registration procedure to be sent from the core network device to the terminal device.
  78. The core network device of claim 76, wherein in a case of including the second information in a downlink signaling message to be sent from the core network device to the terminal device during attach procedure of the terminal device, the downlink signaling message is an attach response of the attach procedure to be sent from the core network device to the terminal device.
  79. The core network device of claim 76, wherein in a case of including the second information in a downlink signaling message to be sent to the terminal device during PDU session establishment procedure, the downlink signaling message is a PDU session establishment response of the PDU session establishment procedure to be sent from the core network device to the terminal device.
  80. The core network device of claim 76, wherein in a case of including the second information in a downlink signaling message to be sent to the terminal device during PDU session modification procedure, the downlink signaling message is a PDU session modification response of the PDU session modification procedure to be sent from the core network device to the terminal device.
  81. The core network device of any one of claims 68 to 80, wherein the first information indicates at least one of the following:
    whether the terminal device supports a user equipment assisted method of encrypted traffic detection;
    type of a user equipment assisted method of encrypted traffic detection supported by the terminal device;
    subtype of a user equipment assisted method of encrypted traffic detection supported by the terminal device.
  82. The core network device of any one of claims 68 to 80, wherein the first information indicates priorities of the one or more methods of encrypted traffic detection determined by the terminal device.
  83. The core network device of any one of claims 68 to 80, wherein the processing unit is configured to:
    match the one or more methods indicated in the first information with one or more methods supported by the core network device;
    select at least one from the one or more methods indicated in the first information which is matched with one of the one or more methods supported by the core network device, as the method of encrypted traffic detection to be used.
  84. The core network device of any one of claims 68 to 80, wherein the processing unit is further configured to:
    enable the core network device to perform the method of encrypted traffic detection to be used.
  85. A core network device, comprising:
    a transmitting unit configured to send first information indicating one or more methods of encrypted traffic detection to a terminal device, which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
    a receiving unit configured to receive from the terminal device second information indicating the method of encrypted traffic detection to be used in the communication with the terminal device, which is determined by the terminal device based on the first information;
    a processing unit configured to enable the core network device to perform the method of encrypted traffic detection to be used.
  86. The core network device of claim 85, wherein the transmitting unit is configured to:
    include the first information in a downlink signaling message to be sent to the terminal device;
    send the downlink signaling message including the first information to the terminal device.
  87. The core network device of claim 85 or 86, wherein the transmitting unit is configured to:
    include the first information in a user equipment configuration update request to be sent to the terminal device during a user equipment configuration update procedure,
    and wherein the receiving unit is configured to:
    receive from the terminal device an acknowledgement message for the user equipment configuration update request, which includes the second information.
  88. The core network device of any one of claims 85 to 87, wherein the first information indicates priorities of the one or more methods of encrypted traffic detection determined by the core network device.
  89. The core network device of any one of claims 85 to 87, wherein the method of encrypted traffic detection to be used is selected by the terminal device from the one or more methods of encrypted traffic detection indicated in the first information.
  90. A terminal device, comprising:
    a receiving unit configured to receive from a core network device first information indicating one or more methods of encrypted traffic detection which are determined, by the core network device, as candidates for a method of encrypted traffic detection to be used in a communication with the terminal device;
    a processing unit configured to determine the method of encrypted traffic detection to be used in the communication with the terminal device based on the first information;
    a transmitting unit configured to send second information indicating the method of encrypted traffic detection to be used to the core network device.
  91. The terminal device of claim 90, wherein the receiving unit is configured to:
    receive a downlink signaling message including the first information sent from the core network device.
  92. The terminal device of claim 90 or 91, wherein the receiving unit is configured to:
    receive a user equipment configuration update request including the first information sent from the core network device during a user equipment configuration update procedure.
  93. The terminal device of claim 90, wherein the processing unit is configured to:
    match the one or more methods of encrypted traffic detection indicated in the first information with one or more methods of encrypted traffic detection supported by the terminal device;
    select at least one from the one or more methods of encrypted traffic detection indicated in the first information which is matched with one of the one or more methods of encrypted traffic detection supported by the terminal device, as the method of encrypted traffic detection to be used.
  94. The terminal device of claim 90, wherein the transmitting unit is configured to:
    include the second information in an uplink signaling message to be sent to the core network device;
    send the uplink signaling message to the core network device.
  95. The terminal device of claim 90 or 94, wherein the transmitting unit is configured to:
    include the second information in an acknowledgement message for a user equipment configuration update request during a user equipment configuration update procedure.
  96. The terminal device of any one of claims 90 to 95, wherein the first information indicates priorities of the one or more methods of encrypted traffic detection indicated in the first information.
  97. A terminal device, comprising a transceiver and a processor, wherein the processor is configured to perform a communication method of any one of claims 1-16 or a communication method of any one of claims 39-45 based on the transceiver.
  98. A core network device, comprising a transceiver and a processor, wherein the processor is configured to perform a communication method of any one of claims 17-33 or a communication method of any one of claims 34-38 based on the transceiver.
  99. A system on a chip comprising a processor and a memory, wherein the processor is configured to perform a code in the memory and to implement a communication method of any one of claims 1-18, or a communication method of any one of claims 19-35, or a communication method of any one of claims 36-43, or a communication method of any one of claims 44-51.
  100. A system on a chip comprising a processor and a memory, wherein the processor is configured to perform a code in the memory and to implement a communication method of any one of claims 1-18, or a communication method of any one of claims 19-35, or a communication method of any one of claims 36-43, or a communication method of any one of claims 44-51.
  101. A computer-readable medium used for storing a program code, wherein the program code comprises instructions for performing a communication method of any one of claims 1-18, or a communication method of any one of claims 19-35, or a communication method of any one of claims 36-43, or a communication method of any one of claims 44-51.
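The two negotiation directions claimed above (claims 52 to 84: the UE offers its supported methods and the core network selects; claims 85 to 96: the core network offers candidates in a UE Configuration Update request and the UE selects in the acknowledgement), as an added Python simulation that is not part of the patent or the applicant's code. The concrete method identifiers, the message field names, the result when nothing matches (nothing is selected) and the receiver-side check that the peer's choice was actually offered are assumptions for illustration; the claims themselves specify only the match-and-select step (claims 83 and 93), the priority ordering of the offered list (claims 66, 82 and 88) and that the selection is taken from the first information (claims 67 and 89).

```python
"""Simulation of the encrypted-traffic-detection method negotiation in the
claims above. Added example, not code from the patent or its applicant.
Assumptions (not in the claims): the concrete method identifiers, the
message field names, selecting nothing when no method matches, and the
receiver-side check that the peer's choice was actually offered."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A method is identified by (type, subtype) as in claims 65 and 81.
Method = Tuple[str, str]

# Constructed sample capability lists; the identifiers are placeholders,
# not values taken from the patent. Each list is in the sender's priority
# order, highest priority first (claims 66, 82, 88).
UE_SUPPORTED: List[Method] = [("ue_assisted", "subtype_2"), ("ue_assisted", "subtype_1")]
CN_SUPPORTED: List[Method] = [("ue_assisted", "subtype_1"), ("ue_assisted", "subtype_3")]
CN_CANDIDATES: List[Method] = [("ue_assisted", "subtype_3"), ("ue_assisted", "subtype_1")]


@dataclass
class FirstInformation:
    """'First information': the list offered by the initiating side, carried
    in a registration/attach/PDU session request (UE -> CN, claims 69-74)
    or in a UE Configuration Update request (CN -> UE, claim 87)."""
    methods: List[Method]


@dataclass
class SecondInformation:
    """'Second information': the single method the responding side selected,
    carried in the matching response or acknowledgement. None means the
    responder found no usable method (assumed fail-closed behaviour)."""
    method: Optional[Method]


def select_method(offered: List[Method], supported: List[Method]) -> Optional[Method]:
    """Match-and-select step of claims 83 (CN side) and 93 (UE side).

    Walks the offered list in the offerer's priority order and returns the
    first entry the responder also supports, so the offerer's priorities
    decide ties. Returns None when nothing matches; the claims define no
    fallback, so this example deliberately does not pick one.
    """
    supported_set = set(supported)
    for method in offered:
        if method in supported_set:
            return method
    return None


def selection_is_valid(offered: List[Method], chosen: Optional[Method]) -> bool:
    """Check on the side that receives the second information: claims 67 and
    89 say the method is selected *from* the first information, so anything
    outside the offered list is rejected instead of being applied."""
    return chosen is None or chosen in offered


def ue_initiated_negotiation(ue_methods: List[Method],
                             cn_methods: List[Method]) -> Optional[Method]:
    """Claims 52-84: UE offers, core network selects and answers."""
    request = FirstInformation(methods=list(ue_methods))      # uplink signaling
    chosen = select_method(request.methods, cn_methods)       # CN processing unit
    response = SecondInformation(method=chosen)               # downlink signaling
    if not selection_is_valid(request.methods, response.method):
        raise ValueError("core network selected a method the UE never offered")
    return response.method


def network_initiated_negotiation(cn_candidates: List[Method],
                                  ue_methods: List[Method]) -> Optional[Method]:
    """Claims 85-96: core network offers candidates in a UE Configuration
    Update request, UE selects and returns its choice in the acknowledgement."""
    ucu_request = FirstInformation(methods=list(cn_candidates))
    chosen = select_method(ucu_request.methods, ue_methods)   # UE processing unit
    ucu_ack = SecondInformation(method=chosen)
    if not selection_is_valid(ucu_request.methods, ucu_ack.method):
        raise ValueError("UE acknowledged a method that was not a candidate")
    return ucu_ack.method


if __name__ == "__main__":
    print("UE-initiated:", ue_initiated_negotiation(UE_SUPPORTED, CN_SUPPORTED))
    print("CN-initiated:", network_initiated_negotiation(CN_CANDIDATES, UE_SUPPORTED))
    print("no overlap:", ue_initiated_negotiation(UE_SUPPORTED, [("ue_assisted", "subtype_9")]))
```

Both directions share one matching routine because the claims describe them symmetrically: whoever sends the first information fixes the priority order, and whoever answers may only pick from that list. The `selection_is_valid` check is the part a practitioner would insist on, since a responder that could name a method outside the offered list would otherwise steer the UE onto a detection method it never advertised.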
PCT/CN2019/087839 2018-05-23 2019-05-21 Communication method, terminal device and core network device WO2019223697A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201980003697.9A CN110999256B (en) 2018-05-23 2019-05-21 Communication method, terminal equipment and core network equipment

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201862675274P 2018-05-23 2018-05-23
US62/675,274 2018-05-23

Publications (1)

Publication Number Publication Date
WO2019223697A1 true WO2019223697A1 (en) 2019-11-28

Family

ID=68617116

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/087839 WO2019223697A1 (en) 2018-05-23 2019-05-21 Communication method, terminal device and core network device

Country Status (2)

Country Link
CN (1) CN110999256B (en)
WO (1) WO2019223697A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116016284B (en) * 2022-12-09 2024-05-28 中国联合网络通信集团有限公司 Data analysis method, device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015128612A1 (en) * 2014-02-28 2015-09-03 British Telecommunications Public Limited Company Malicious encrypted traffic inhibitor
CN105721242A (en) * 2016-01-26 2016-06-29 国家信息技术安全研究中心 Information entropy-based encrypted traffic identification method
US20170013000A1 (en) * 2014-02-28 2017-01-12 British Telecommunications Public Limited Company Profiling for malicious encrypted network traffic identification
US20170317894A1 (en) * 2016-05-02 2017-11-02 Huawei Technologies Co., Ltd. Method and apparatus for communication network quality of service capability exposure

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1549011A1 (en) * 2003-12-26 2005-06-29 Orange France Communication method and system between a terminal and at least a communication device
US7730519B2 (en) * 2004-09-17 2010-06-01 At&T Intellectual Property I, L.P. Detection of encrypted packet streams using feedback probing
US9497682B2 (en) * 2013-06-07 2016-11-15 Intel Corporation Central processing unit and methods for supporting coordinated multipoint transmission in an LTE network
CN104506488B (en) * 2014-11-25 2017-11-21 深圳市金印达科技有限公司 Multi-user encryption system with automatic communication-protocol identification, and its communication method
CN104660589B (en) * 2015-01-20 2021-09-10 中兴通讯股份有限公司 Method, system and terminal for information encryption control and information parsing
CN105406993A (en) * 2015-10-28 2016-03-16 中国人民解放军信息工程大学 Encrypted stream recognition method and device
US10601869B2 (en) * 2016-02-15 2020-03-24 Netscout Systems Texas, Llc System and method to estimate quality of experience for consumption of encrypted media network traffic
KR102164823B1 (en) * 2016-02-18 2020-10-13 한국전자통신연구원 Service method for converged core network, universal control entity and converged core network system
CN107360159B (en) * 2017-07-11 2019-12-03 中国科学院信息工程研究所 Method and device for identifying abnormal encrypted traffic
CN107547564A (en) * 2017-09-28 2018-01-05 新华三信息安全技术有限公司 Method and device for message processing

Also Published As

Publication number Publication date
CN110999256A (en) 2020-04-10
CN110999256B (en) 2021-12-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 19807652; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 19807652; Country of ref document: EP; Kind code of ref document: A1