WO2020025028A1 - Data protection method, device and computer storage medium - Google Patents

Data protection method, device and computer storage medium

Info

Publication number
WO2020025028A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
gateway
network
address
security
Prior art date
Application number
PCT/CN2019/098894
Other languages
English (en)
French (fr)
Inventor
毛玉欣
闫新成
秦益飞
赵红勋
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2020025028A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/11 Allocation or use of connection identifiers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/12 Setup of transport tunnels

Definitions

  • This application relates to, but is not limited to, the field of communications.
  • the traditional 2G / 3G / 4G telecommunication network is a closed network composed of a large number of dedicated equipment and single-function network nodes. The software and hardware are deeply bound. After the physical equipment is deployed, it usually does not change.
  • the network architecture can be statically configured. For example, the IP Security (IPSec) tunnel between the radio access network (RAN) and the core network (CN) can be implemented through pre-configuration.
  • the 5G telecommunications network introduces software definition and virtualization technology to reconstruct the traditional telecommunications network. Through the decoupling of software and hardware, it is possible to build a virtualized elastic network on general hardware resources and provide network services accordingly, with flexible expansion and contraction of network capacity. Compared with the traditional 2G / 3G / 4G telecommunication network, the 5G network is a dynamic and flexible network. For example, new network elements can be dynamically generated based on service requirements. In order to ensure the security of data transmission between multiple network elements, it is necessary to establish IPSec tunnels.
  • a data protection method includes: a first network element applies for obtaining second network element security information; and the first network element establishes an IP security tunnel with the second network element according to the second network element security information.
  • a data protection device includes: an application unit configured to apply for obtaining second network element security information; and a tunnel establishment unit configured to establish an IP security tunnel with the second network element according to the second network element security information.
  • a data protection device includes: a memory storing a computer program; and a processor configured to implement the method described in the above scheme when the computer program is executed.
  • a computer storage medium in an embodiment of the present disclosure stores a computer program thereon, and when the computer program is executed by a processor, the method according to the foregoing solution is implemented.
  • FIG. 1 is a schematic diagram of a 5G network architecture in some cases
  • FIG. 2 is a schematic diagram of using a network slice to provide services in some cases
  • FIG. 3 is a schematic diagram of establishing an IP security tunnel in some cases
  • FIG. 4 is a schematic diagram of providing services using a network slice scenario according to an embodiment of the present disclosure
  • FIG. 5 is a schematic flowchart of a method according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic flowchart of an example of a method according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic flowchart of another example of a method according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic flowchart of another example of a method according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic flowchart of another example of a method according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic flowchart of another example of a method according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic flowchart of another example of a method according to an embodiment of the present disclosure.
  • FIG. 12 is a schematic diagram of a component module of a device according to an embodiment of the present disclosure.
  • FIG. 13 is a schematic diagram of another component module of a device according to an embodiment of the present disclosure.
  • FIG. 14 is a schematic diagram of a hardware composition of a device according to an embodiment of the present disclosure.
  • the terms “comprising”, “including” or any other variants thereof are intended to cover non-exclusive inclusion, so that a method or device including a series of elements includes not only the explicitly recorded elements, but also other elements not explicitly listed, or elements inherent to the implementation of the method or device.
  • the element limited by the sentence "including a ..." does not exclude that there are other related elements (such as steps in the method or units in the device) in the method or device including the element.
  • the unit may be part of a circuit, part of a processor, part of a program or software, etc.
  • the data protection method provided by the embodiment of the present disclosure includes a series of steps, but the data protection method provided by the embodiment of the present disclosure is not limited to the recorded steps.
  • the network element device provided by the embodiment of the present disclosure includes a series of units, but the network element device provided by the embodiment of the present disclosure is not limited to the units explicitly listed, and may also include units that need to be set in order to obtain related information or perform processing based on the information.
  • the terms “first”, “second”, and the like involved in the embodiments of the present disclosure merely distinguish similar objects and do not represent a specific ordering of objects. It should be understood that objects distinguished by terms such as “first” and “second” may be interchanged where appropriate, so that the embodiments of the present disclosure described herein can be implemented in an order other than those illustrated or described herein.
  • the 5G telecommunication network introduces software definition and virtualization technology to reconstruct the traditional telecommunications network. Through the decoupling of software and hardware, it is possible to build a virtualized elastic network on general hardware resources to provide network services, and to scale network capacity flexibly according to application requirements. The 5G network also breaks the closed model of traditional telecommunication networks, opening network service capabilities to third-party services (such as service providers, enterprises, vertical industries, etc.) and allowing third-party services to build network slices as needed, so as to provide network services suited to rapid business development and changing needs.
  • the communication architecture of the 5G network is shown in Figure 1.
  • the network slice selection function (NSSF, Network Slice Selection Function) is used for network slice selection
  • the authentication service function (AUSF) is used to authenticate users when they register to the network; unified data management (UDM) is mainly used to manage user subscription information.
  • the access and mobility management function (AMF) is used for access and mobility management.
  • the session management function (SMF) is used for session management.
  • PCF: Policy Control Function; QoS: Quality of Service; AF: Application Function.
  • the RAN is an access network.
  • the user plane function (UPF, User Plane Function) is mainly used for data interaction between the user and the data network (DN, Data Network).
  • the DN is an external data network.
  • for the detailed architecture and functions, refer to the 5G system architecture described in 3GPP Technical Specification (TS) 23.501.
  • N1, N2 ... N22, etc. in FIG. 5 refer to reference points between various functional entities.
  • 5G networks can use network slicing to provide users with network services.
  • Network slicing is a virtual network with complete functions, logical independence, and resource sharing.
  • a network slice is an exemplary scenario to which the embodiments of the present disclosure can be applied.
  • FIG. 2 shows a schematic diagram of using traditional network slices to provide services to users.
  • This scenario includes user equipment (UE) 101, radio access network (RAN, Radio Access Network) 102, and core network (CN, Core Network) 103.
  • RAN is a necessary ground-based infrastructure for third-generation wireless communication devices, which includes high-speed mobile access to the Internet and the like.
  • CN 103 includes: public network element domain 1031.
  • the network orchestration management system orchestrates the network slice 1 marked with 1032 and connects to the vehicle networking application server 105 to provide services for the vehicle networking service.
  • the orchestration network slice 2 is connected to the Internet application server 106 to provide services for Internet business.
  • Network slice 1 and network slice 2 are logically isolated.
  • Both network slice 1 and network slice 2 include a session management function (SMF, Session Management Function) and a user plane function (UPF, User Plane Function).
  • the public network element domain includes public network elements shared by multiple slices, such as AMF, NSSF, AUSF, UDM, and so on. If the UE uses the Internet of Vehicles service, it needs to access network slice 1; if it uses the Internet service, it needs to access network slice 2.
  • the network orchestration management system can create new functional network elements (ie, instantiation of network elements) according to requirements, such as creating a new public network element or a new network slice.
  • network slicing can be terminated to quickly release resources.
  • network slice capacity can be flexibly expanded or contracted based on network traffic, user volume, and so on. Therefore, compared to traditional telecommunication networks, 5G networks are a dynamic and resilient network.
  • a security gateway function (SeGW, Security GateWay) needs to be deployed between the RAN and the CN, an IP security (IPSec, IP Security) tunnel is established, and this part of data is encrypted for transmission.
  • FIG. 3 for example, in a 4G network, a SeGW is deployed between an evolved network node (eNB, evolved Network Node) and a mobility management entity (MME, Mobility Management Entity), and IPSec is established to implement data encryption transmission.
  • FIG. 4 is a schematic diagram of using a network slice to provide services to users in a 5G network.
  • This scenario includes a UE 101, a Radio Access Network (RAN, Radio Access Network) 102, and a Core Network (CN, Core Network) 103.
  • a security gateway (SeGW) 1021 is deployed on the RAN 102 side.
  • CN 103 includes: slice public network element domain 1031.
  • the network orchestration management system orchestrates the network slice 1 marked with 1034 and connects to the connected car application server 105 to provide services for the connected car service.
  • the orchestration network slice 2 is connected to the Internet application server 106 to provide services for Internet business.
  • Network slice 1 and network slice 2 are logically isolated.
  • Both network slice 1 and network slice 2 include a session management function (SMF, Session Management Function) and a user plane function (UPF, User Plane Function).
  • a new security gateway can be instantiated and deployed in the network slice, such as deploying SeGW2 in network slice 1, and deploying SeGW3 in network slice 2.
  • the public network element domain includes public network elements shared by multiple slices, such as AMF, NSSF, AUSF, UDM, and so on. If the UE uses the Internet of Vehicles service, it needs to access network slice 1; if it uses the Internet service, it needs to access network slice 2.
  • a security gateway, such as SeGW1 can also be deployed in the public network element domain. The SeGW deployed in each network slice can establish IPSec with the SeGW on the RAN side.
  • the 5G network shown in FIG. 4 is an elastic network.
  • the network can dynamically generate new core network elements (public network elements and / or network slices) according to service requirements.
  • a corresponding SeGW needs to be deployed between newly generated public network elements and / or network slices and wireless access to establish IPSec.
  • 5G networks support multiple network slices, so there will be multiple IPSecs between RAN and CN, and these IPSecs are dynamically deployed.
  • the traditional static IPSec pre-configuration method is no longer applicable in elastic networks.
  • the keys used for encryption and authentication in the static pre-configuration mode are manually configured. To ensure the long-term security of IPSec, these keys need to be frequently modified.
  • the pre-configuration method is applicable to the situation where the SeGW devices at both ends of the IPSec deployment are relatively fixed.
  • in the static pre-configuration mode the IP address of the SeGW is pre-assigned, whereas a SeGW in an elastic network is deployed dynamically and its address is allocated dynamically. Therefore, static pre-configuration is not suitable for establishing IPSec in an elastic network, and dynamic negotiation is needed to create IPSec.
  • the encryption end (such as the SeGW on the RAN side) can dynamically obtain the information of the encryption peer (such as the SeGW on the CN side), such as the IP address of the peer SeGW, so that an IP security tunnel is established between the encryption end and the encryption peer.
  • FIG. 5 illustrates a data protection method according to an embodiment of the present disclosure. As shown in FIG. 5, the method includes steps S101-S102.
  • step S101 the first network element applies for obtaining the second network element security information.
  • the second network element security information is stored in a network element registration function entity.
  • the first network element can obtain the second network element security information from the network element registration function entity through multiple channels through a dynamic application.
  • step S102 the first network element establishes an IP security (IPSec) tunnel with the second network element according to the second network element security information.
  • the network element security information is, for example, the gateway security information of a security gateway.
  • the network element registration function entity stores, for example, the first gateway security information and the second gateway security information, and, when a new gateway (the third gateway) is instantiated in the subsequent embodiments, also stores the third gateway security information.
  • gateway security information includes, but is not limited to, the security gateway's IP address, Fully Qualified Domain Name (FQDN), and security capabilities.
  • the first network element is a first gateway deployed on the first network side (radio access network)
  • the second network element is a second gateway deployed on the second network side (core network)
  • the method includes steps S201-S203 (not shown).
  • step S201 the first gateway initiates a request for querying the security information of the second network element to the network element registration function entity.
  • step S202 the first gateway receives the second network element security information fed back by the network element registration function entity.
  • the second network element security information is the second gateway security information stored in the network element registration function entity after the second gateway initiates a registration request to the network element registration function entity.
  • step S203 the first gateway establishes the IPSec tunnel with the second gateway according to the security information of the second gateway.
  • the first network element is a first gateway deployed on the first network side (radio access network)
  • the second network element is a second gateway deployed on the second network side (core network)
  • the method includes steps S301-S302 (not shown).
  • Step S301 After the second communication network element initiates a request to the network element registration function entity for querying the second network element security information, the first communication network element receives the second network element security information fed back by the second communication network element.
  • the second network element security information is the second gateway security information stored in the network element registration function entity after the second gateway initiates a registration request to the network element registration function entity.
  • Step S302 The first gateway establishes the IPSec tunnel with the second gateway according to the security information of the second gateway.
  • the processing flow of an example is shown in FIG. 6, and the example includes steps 501-507.
  • step 501 the second security gateway function module applies for registration with the network element registration function module.
  • the registration request includes the function information of the second security gateway.
  • step 502 the second security gateway function information is stored in the network element registration function module.
  • step 503a the first security gateway function module queries the network element registration function module for the second security gateway function information.
  • the network element registration function module returns the second security gateway function information, such as the IP address / FQDN, to the first security gateway function module.
  • the second communication function module queries the network element registration function module for the second security gateway function information, and the second communication function module receives the second network element security information fed back by the network element registration function entity.
  • the second network element security information may be a second gateway IP address.
  • the network element registration function module sends second security gateway function information, such as an IP address / FQDN, etc., to the first communication function module.
  • the first communication function module sends the second security gateway function information, such as the IP address / FQDN and the like, to the first security gateway function module.
  • step 506 IKE SA negotiation and IPSec SA negotiation are performed between the first security gateway function module and the second security gateway function module.
  • step 507 after the IPSec tunnel is established, IP packets are transmitted.
  • the second network element security information is stored in the network element registration function entity.
  • the first network element may obtain the second network element security information from the network element registration function entity through multiple channels by dynamic application.
  • the first security gateway function module can obtain the second security gateway function information, such as an IP address / FQDN, from the network element registration function module.
  • the first security gateway function module can obtain the second security gateway function information, such as an IP address / FQDN, from the first communication function module.
  • the second security gateway function module may be located at the second gateway, and the first security gateway function module may be located at the first gateway or a first communication network element that integrates the functions of the first gateway.
  • the first communication function module may be located in the first communication network element
  • the second communication function module may be located in the second communication network element
  • the network element registration function module may be located in the network element registration function entity.
  • the function module of the third security gateway may be located in the third gateway and deployed in the network slice, which is not described in detail later.
  • the first network element is a first gateway deployed on the first network side (radio access network), the second network element is a second gateway deployed on the second network side (core network), and the method includes steps S401-S406.
  • step S401 the first communication network element receives a first registration request initiated by the user equipment attached to the network.
  • step S402 the first communication network element initiates an AMF discovery request to the network element registration function entity to find the AMF for serving the user equipment access.
  • step S403 the first gateway receives the first registration request forwarded by the first communication network element, and prepares to establish an IPSec tunnel.
  • step S404 the first gateway initiates a gateway discovery request to the network element registration function entity, and the gateway discovery request includes an AMF IP address parsed from the second registration request.
  • step S405 the first gateway receives the second gateway IP address associated with the AMF IP address and fed back by the network element registration function entity.
  • step S406 the first gateway establishes the IPSec tunnel with the second gateway according to the second gateway IP address.
  • the processing flow of an example is shown in FIG. 7, and this example describes a user-attached registration process initiated by the network.
  • the IPSec between RAN and CN adopts the gateway-to-gateway mode, that is, deploying SeGW1 (first security gateway function) on the RAN side (first communication function), and deploying SeGW2 (second security gateway function) on the public network element domain.
  • Public network element domain network elements such as AMF, AUSF, etc.
  • a network storage function (NRF) is used for network element registration.
  • the example may include steps 601-609.
  • SeGW2 is instantiated.
  • SeGW2 is deployed on the CN public network element side and registered to the NRF; the registration includes its IP address and security capabilities (the security capabilities include the IKE protocol, encapsulation protocol, encryption algorithm, and authentication algorithm supported by SeGW2).
  • the NRF saves the SeGW2 information, and also saves the association between SeGW2 and the network elements protected by SeGW2 (in the embodiment of the present disclosure, the communication peers, that is, AMF, AUSF, UDM (Unified Data Management), etc.).
  • the IKE protocol may include Internet Key Exchange Protocol Version 1 (IKEv1) and IKEv2; the encapsulation protocol includes the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
  • the encryption algorithm may include: Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES).
  • the authentication algorithm may include: Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA1), and SHA2.
  • SeGW1 can be deployed on the RAN side.
  • next generation user equipment (NG-UE, Next Generation User Equipment) attaches to the network and initiates a registration request to the RAN, which includes a subscription concealed identifier (SUCI, Subscription Concealed Identifier) / 5G globally unique temporary identifier (5G-GUTI, 5G Globally Unique Temporary Identifier) and other information.
  • the RAN receives the registration request and executes the AMF discovery procedure to find the AMF serving the NG-UE access.
  • the NRF allocates the AMF according to the mobile country code (MCC, Mobile Country Code) and mobile network code (MNC) in SUCI / 5G-GUTI, and returns the AMF's IP address or FQDN.
  • step 604 the RAN forwards a registration request to the AMF according to the AMF information returned by the NRF.
  • SeGW1 receives the registration request message and prepares to establish an IPSec tunnel. SeGW1 initiates a CN-side SeGW discovery request to the NRF, and the request message includes the AMF IP address (that is, the destination IP address of the registration request message received by SeGW1).
  • step 606 the NRF queries and allocates SeGW2 according to the AMF IP address information, the IP address information of SeGW1, and the association stored on the NRF between the SeGW information and the AMF IP address information, and returns the IP address / FQDN of SeGW2 to SeGW1.
  • for example, the NRF can look up the security capabilities of SeGW1 based on the IP address information of SeGW1, and then use the AMF IP address together with the security capabilities of SeGW1 to search the stored association between AMF IP addresses and SeGW information for a CN-side SeGW that matches. When SeGW2 is found to meet the requirements, the IP address / FQDN of SeGW2 is returned to SeGW1.
  • SeGW1 negotiates the Internet Key Exchange security association (IKE SA, Internet Key Exchange Security Association) and the IPSec SA with SeGW2 based on the IP address of SeGW2 to establish an IPSec tunnel.
  • This disclosure establishes IPSec in IKEv2 mode. The establishment process is described as follows; for details, refer to RFC 7296 (Request For Comments 7296).
  • the IPSec tunnel negotiation establishment process is divided into security association (IKE SA, Security Association) negotiation and IPSec SA negotiation.
  • in the IKE SA negotiation process, SeGW1 and SeGW2 (hereinafter referred to as the two parties) negotiate the IKE version, the encapsulation protocol (AH or ESP), the encryption algorithm (DES, 3DES, AES), the authentication algorithm (MD5, SHA1, SHA2), the identity authentication method and exchange mode, the Diffie-Hellman (DH) algorithm, etc. The two parties exchange each other's key material (such as the DH public value and a temporary random number), and each party performs the key calculation in combination with its own authentication method (pre-shared keys or digital certificates participate in the key calculation process).
  • the shared keys generated by the final calculation are three: K1, a key used for integrity verification of IKE negotiation messages; K2, a key used for encryption of IKE negotiation messages; and K3, a key used to derive the encryption and authentication keys for IPSec messages. K1 and K2 ensure the security of subsequent IKE negotiation messages, and K3 ensures the security of the data packets encapsulated by IPSec.
  • the entire key exchange and calculation process is automatically refreshed at a certain period under the control of the IKE SA timeout period, which avoids the security risks caused by the key being unchanged for a long time.
  • IPSec SA negotiation is used by both parties to negotiate the protected data flow and exchange key materials so that both parties can generate keys for IPSec SA.
  • IKEv2 uses the IKE SA initial exchange and the IKE authentication exchange to complete the negotiation of the IKE SA and the IPSec SA and thus establish IPSec.
  • in the IKE SA initial exchange, the IKE SA parameters are negotiated.
  • the parameters include: the SA payload, the KE (Key Exchange) payload, and the NONCE payload.
  • the SA payload is used to negotiate the encryption algorithm, authentication algorithm, pseudo-random function, DH group, etc. supported by both parties; the KE payload and the NONCE payload are used to exchange key material.
  • K1 is used for integrity verification of the second message (the IKE authentication exchange).
  • K2 is used for encryption of the second message (the IKE authentication exchange).
  • K3 is used to derive the IPSec SA key material.
  • IKE authentication exchange is used for identity authentication of both parties, and IPSec SA is created.
  • there are three kinds of identity authentication technologies: when the pre-shared key method is adopted, the identity information of the SeGW is its IP address or name; when the digital certificate method is used, the identity information of the SeGW is the certificate together with the hash value of some messages encrypted by the private key of the certificate (the signature); when Extensible Authentication Protocol (EAP) authentication is adopted, authentication is mainly performed through the RADIUS protocol and the key is derived from it, and the EAP authentication exchange belongs to the extended exchange.
  • creating an IPSec SA involves the two parties negotiating the protected data stream, which is negotiated through the Transport Selector (TS) payload.
  • SeGW1 encrypts the registration request message and sends the registration request message to SeGW2.
  • SeGW2 decrypts the message and sends it to the AMF.
  • step 609 the remaining registration procedure refers to the 3GPP TS 23.502 registration procedure.
  • the above embodiment establishes a gateway-to-gateway type IPSec tunnel between the public network element domains of the RAN side and the CN side, so that the signaling exchanged between the RAN and CN sides is transmitted over IPSec, ensuring the security of the signaling transmission.
  • the encryption end SeGW1 discovers the encryption peer SeGW2 through NRF, and negotiates to establish IPSec.
  • the first network element is integrated in a first communication network element
  • the second network element is a second gateway deployed on a second network side (core network)
  • the method includes: S501-S506.
  • step S501 the first communication network element receives a first registration request initiated by the user equipment attached to the network.
  • step S502 the first communication network element initiates an AMF discovery request to the network element registration function entity to find the AMF for serving the user equipment access.
  • step S503 the first communication network element starts the first network element function and prepares to establish an IPSec tunnel.
  • step S504 the first communication network element initiates a gateway discovery request to the network element registration function entity, and the gateway discovery request includes an AMF IP address obtained from the second registration request.
  • step S505 the first communication network element receives the second gateway IP address associated with the AMF IP address and fed back by the network element registration function entity.
  • step S506 the first communication network element establishes the IPSec tunnel with the second gateway according to the second gateway IP address.
  • a specific processing flow of an example is shown in FIG. 8; this example describes the registration process initiated when a user attaches to the network.
  • the IPSec between RAN and CN adopts the point-to-gateway mode, that is, SeGW is not deployed separately on the RAN side.
  • the RAN integrates the SeGW function (first communication function / first security gateway function), and an independent SeGW2 (second security gateway function) is deployed in the public network element domain (second communication function).
  • the example includes: steps 701-707.
  • SeGW2 is instantiated and deployed on the CN public network element side, and registers with the NRF.
  • the registration information includes the IP address, security capabilities (refer to step 601), etc.
  • the NRF saves the information, and establishes and stores the information of the SeGW2 and the information of the network elements protected by the SeGW2 (such as AMF IP Address).
  • SeGW1 is deployed on the RAN side.
  • step 702 the NG-UE attaches to the network and initiates a RAN request, which includes information such as SUCI / 5G-GUTI.
  • the RAN receives the registration request and executes the AMF discovery procedure to find the AMF serving the NG-UE access.
  • the request message carries information such as SUCI / 5G-GUTI.
  • the NRF allocates the AMF according to the MCC and MNC information in the SUCI / 5G-GUTI and returns the AMF's IP address or FQDN. At the same time it assigns SeGW2 (for the query and allocation process, refer to step 607) and returns the IP address or FQDN of SeGW2 to the RAN.
  • step 705 the RAN negotiates IKESA and IPSecSA with SeGW2 according to the IP address of SeGW2 to establish an IPSec tunnel.
  • step 706 the RAN encrypts the registration request message and sends it to SeGW2.
  • SeGW2 decrypts the message and sends it to the AMF.
  • step 707 the remaining registration procedure refers to the 3GPP TS 23.502 registration procedure.
  • the above embodiment establishes a point-to-gateway type IPSec tunnel in the public network element domain of the RAN side and the CN side, and realizes that the RAN and CN side exchange signaling using IPSec to ensure the security of signaling transmission.
  • the RAN obtains the address information of SeGW2 through the AMF discovery procedure and negotiates to establish IPSec.
  • the first network element is a first gateway deployed on a first network side (radio access network), and the second network element is a second gateway deployed on a second network side (core network); the method includes steps S601-S604.
  • step S601 orchestration generates a network slice, instantiates a new network element to obtain a third gateway, and the third gateway is deployed in the network slice.
  • step S602 after receiving an uplink data message, the first gateway determines whether an IP security tunnel has been established, and if not, initiates a gateway discovery request to the network element registration function entity.
  • the gateway discovery request includes the destination IP address information parsed from the uplink data message.
  • step S603 the first gateway receives a third gateway IP address associated with the destination IP address information fed back by the network element registration function entity.
  • step S604 the first gateway establishes the IPSec tunnel with the third gateway according to the third gateway IP address.
  • the example describes a process in which a user needs to start a service after being attached to a network, thereby accessing a network slice.
  • the network orchestration system orchestrates new network slices based on demand.
  • the network slice is composed of SMF and UPF.
  • IPSec needs to be established, so the SeGW3 is instantiated while the slice is arranged.
  • a gateway-to-gateway mode is adopted between the RAN and the slice, that is, SeGW1 (the first security gateway function) is deployed separately on the RAN (first communication function) side, and SeGW3 (the second security gateway function) is deployed in the network slice (the second communication function).
  • the example includes steps 801-816.
  • step 801 the SeGW2 deployed on the CN public network element side initiates a registration with the NRF, which includes information such as the IP address and security capabilities.
  • the NRF saves the information of the SeGW2.
  • SeGW1 is deployed on the RAN side, and its information, including the IP address and security capabilities, is registered in the NRF.
  • step 802 orchestration generates a network slice and also generates a SeGW3, which is deployed in the network slice.
  • SeGW3 initiates a registration request to the NRF.
  • the request contains information such as IP address and security capabilities.
  • the NRF saves the information and establishes the information of the SeGW3 and the network slice information protected by the SeGW3 (such as UPF IP address, SMF IP Address, etc.).
  • step 803 during the NG-UE registration phase, IPSec between SeGW1 and SeGW2 has been established to implement encrypted transmission of interactive signaling (for example, steps 804 and 810) between the NG-UE and the CN public network element.
  • the NG-UE initiates a packet data unit (PDU, Packet Data Unit) session establishment request, and the request carries the single network slice selection assistance information (S-NSSAI), the data network name (DNN), the PDU Session ID and so on.
  • step 805 after receiving the request message, the AMF performs SMF selection according to information such as S-NSSAI and DNN.
  • step 806 the AMF sends a PDU session establishment request to the SMF.
  • step 807 the SMF performs UPF selection according to information such as S-NSSAI, DNN, and the like.
  • step 808 the SMF sends an N4 session establishment / modification request to the UPF, and sends a packet detection rule, tunnel information, and the like.
  • step 809 the SMF returns a PDU session establishment response to the AMF, and provides information such as tunnel information and QoS to the AMF.
  • step 810 the PDU session establishment process is completed between the AMF and the RAN and the RAN and the NG-UE.
  • step 811 the NG-UE sends an uplink data message.
  • step 812 after the uplink data arrives at SeGW1, it is determined from the outer destination address of the message (i.e., the UPF IP address) that no IPSec tunnel has been established between SeGW1 and the network slice corresponding to the UPF.
  • SeGW1 initiates a SeGW information query corresponding to the network slice to the NRF, and the query information includes the UPF IP address.
  • the NRF allocates SeGW3 according to the association relationship between the network slice information (including the UPF IP address) and the SeGW information (refer to step 606), and returns the IP address or FQDN of SeGW3 to SeGW1.
  • SeGW1 initiates IKE SA and IPSec SA negotiation according to the information of SeGW3 to establish an IPSec tunnel.
  • SeGW1 encrypts the uplink packet with IPSec and sends it to SeGW3.
  • SeGW3 decrypts the message and sends it to the UPF.
  • step 816 the remaining PDU session establishment process refers to the 3GPP TS 23.502 PDU session establishment procedure.
  • a gateway-to-gateway type IPSec tunnel is established between the RAN side and the CN-side network slice, and the data exchanged between the RAN and the network slice is transmitted using IPSec to ensure data transmission security.
  • IPSec negotiation is triggered when SeGW1 receives the uplink data message (step 814): SeGW1 queries the NRF for the IP address / FQDN of SeGW3 and then initiates the IPSec negotiation.
  • a first network element is integrated in a first communication network element on a first network side (radio access network), and the second network element is a second gateway deployed on a second network side (core network); the method includes steps S701-S702.
  • step S701 orchestration generates a network slice, instantiates a new network element to obtain a third gateway, and the third gateway is deployed in the network slice.
  • step S702 during the N4 session establishment process, a gateway discovery request is initiated to the network element registration function entity, and after the N4 session is established, the IP address of the third gateway is returned to the AMF; the first communication network element receives the IP address of the third gateway and establishes the IP security tunnel with the third gateway according to that IP address.
  • a specific processing flow of an example is shown in FIG. 10; the example describes a process in which a user needs to start a service after attaching to the network, and so accesses a network slice.
  • the network orchestration system orchestrates a new network slice according to the requirements (in the embodiment of the present disclosure, the network slice is composed of SMF and UPF).
  • since IPSec needs to be established, orchestration generates a SeGW3 and deploys it in the network slice.
  • a point-to-gateway mode is adopted between the RAN and the slice, that is, no SeGW is deployed separately on the RAN side; the RAN integrates the SeGW function (first communication function / first security gateway function), and an independent SeGW3 (second security gateway function) is deployed inside the slice (second communication function).
  • the examples include steps 901 to 919.
  • step 901 the CN public network element side SeGW2 initiates a registration request to the NRF, where the request includes information such as an IP address and security capabilities.
  • the NRF saves the SeGW2 information.
  • prior to step 901, SeGW1 is deployed on the RAN side.
  • SeGW3 is deployed in the network slice. For example, when a new UPF is instantiated, a new SeGW3 is instantiated at the same time, and an IP address is assigned to it. SeGW3 initiates a registration request to the NRF. The request includes an IP address, a security capability, and the like. The NRF saves the information and establishes an association between the UPF's IP address and the SeGW3's IP address.
  • step 903 during the NG-UE registration phase, IPSec between SeGW1 and SeGW2 has already been established, to implement encrypted transmission of the interactive control signaling (e.g., step 904, step 913, and step 915) between the NG-UE and the CN public network element.
  • step 904 the NG-UE initiates a PDU session establishment request, and the request carries information such as S-NSSAI, DNN, and PDU Session ID.
  • step 905 after receiving the request message, the AMF performs SMF selection according to information such as S-NSSAI and DNN.
  • step 906 the AMF sends a PDU session establishment request to the SMF.
  • step 907 the SMF performs UPF selection according to the S-NSSAI, DNN, and other information.
  • step 908 the SMF sends an N4 session establishment / modification request to the UPF, and sends a packet detection rule, tunnel information, and the like.
  • step 909 the UPF executes a SeGW discovery request, initiates a query to the NRF, and carries the UPF IP address information.
  • the NRF allocates SeGW3 according to the association relationship between the network slice information (including the UPF IP address) and the SeGW information, and returns the IP address or FQDN of the SeGW3 to the UPF.
  • step 911 the UPF returns an N4 session establishment / modification response to the SMF, and returns the IP address or FQDN information of the SeGW3 to the SMF.
  • the SMF returns a PDU session establishment response to the AMF, and provides the AMF with the IP address or FQDN information, tunnel information, and quality of service (QoS) of the SeGW3.
  • step 913 the AMF initiates a N2 session establishment request to the RAN, and provides the IP address or FQDN information of the SeGW3 to the RAN.
  • the information sent between the AMF and the RAN is encrypted using the IPSec tunnel established in step 903.
  • step 914 the radio resource configuration of the PDU session is completed between the RAN and the NG-UE.
  • step 915 the RAN returns an N2 session establishment response to the AMF.
  • step 916 the NG-UE sends an uplink data message.
  • step 917 after the uplink data reaches the RAN, an IKE SA and an IPSec SA negotiation are initiated according to the information of the SeGW3 to establish an IPSec tunnel.
  • the RAN encrypts the uplink packet with IPSec and sends it to SeGW3.
  • SeGW3 decrypts the message and sends it to the UPF.
  • step 919 the remaining PDU session establishment process refers to the 3GPP TS 23.502 PDU session establishment procedure.
  • a point-to-gateway type IPSec tunnel is established on the RAN side and the network slice, so that the data exchanged between the RAN and the network slice is transmitted using IPSec to ensure data transmission security.
  • the UPF selects the IP address / FQDN information of SeGW3, sends it to the RAN through N4, N2 session messages, and triggers IPSec establishment when the RAN receives an uplink data packet.
  • the IPSec negotiation may also be triggered as soon as the RAN receives the IP address / FQDN information of the SeGW3 (i.e., at step 913). In that case, if SeGW1 is deployed separately on the RAN side, the RAN also needs to send the IP address / FQDN information of SeGW3 to SeGW1 in a message.
  • the first network element is a first gateway deployed on the first network side (radio access network), and the second network element is a second gateway deployed on the second network side (core network); the method includes steps S801-S803.
  • step S801 the second gateway initiates a registration request to the network element registration function entity.
  • step S802 after the first communication network element registers with the network element registration function entity, the network element management function entity triggers establishment of an IPSec tunnel.
  • step S803 after the first gateway obtains the IP address of the second gateway, the IP security tunnel is established with the second gateway according to the second gateway IP address.
  • the specific processing flow of an example is shown in Figure 11.
  • in the above examples, establishment of the IPSec tunnel between the RAN and the CN is triggered by the receipt of a control plane (CP) / user plane (UP) message.
  • this IPSec tunnel establishment method adds to the packet interaction delay.
  • This example describes that after the SeGW is instantiated (such as when a new AMF is instantiated or when a new network slice is instantiated), the IPSec establishment process between the RAN side and the CN side is started. The establishment process may be triggered by the network element management function, and this establishment manner does not affect the packet interaction delay.
  • This example includes: step 1001-step 1006.
  • SeGW2 (second security gateway function) initiates registration with the NRF, including information such as its IP address and security capabilities.
  • the NRF saves the information and establishes the association between the UPF / AMF IP address and the SeGW2 information.
  • the network element management function (responsible for the operation, management and maintenance of the deployed network elements, such as the EMS (Element Management System), OMS (Operation Management System), MANO (Management and Orchestration) and other management network elements) sends a message to SeGW1 requesting the establishment of IPSec with the CN side.
  • SeGW1 initiates a SeGW2 discovery request and queries the NRF for SeGW information on the CN side.
  • step 1004 the NRF returns the IP address / FQDN information of SeGW2 to SeGW1.
  • SeGW1 initiates IKE SA and IPSec SA negotiation according to the IP address of SeGW2 to establish IPSec.
  • step 1006 the CP / UP messages occurring in the user registration process or the network slice access process are encrypted using the IPSec tunnel when passing between the RAN and the CN.
  • the registration process and access slicing process refer to TS 23.502.
  • the information of the SeGW and the relationship between the information and the information of the protected network element are stored through the NRF for other network elements to query.
  • the SeGW information and the association relationship may also be stored on a DNS (Domain Name System) through a DNS mechanism, for other network elements to query in order to select a suitable SeGW.
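The following Python model is an added example, not code from the patent or from ZTE. It models the NRF-based SeGW registration and discovery described above (a SeGW registers its address, security capabilities and the addresses of the network elements it protects; a gateway discovers the peer SeGW by the AMF / UPF IP address; the tunnel check on an uplink packet; the same call also serves the management-triggered pre-establishment), with real IKE SA / IPSec SA negotiation replaced by a capability match. All class names, addresses and capability strings are constructed assumptions.

```python
"""Model of NRF-based SeGW discovery and the tunnel-existence check.

Added example (assumptions, not from the patent): SeGWRecord, NRF and
SecurityGateway are constructed names; IKE negotiation is replaced by a
capability match; all addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SeGWRecord:
    """What a SeGW registers with the NRF: its address, its security
    capabilities, and the addresses of the network elements it protects."""
    name: str
    address: str                                  # IP address or FQDN of the SeGW
    capabilities: List[str]                       # supported algorithms, preferred first
    protected: Set[str] = field(default_factory=set)   # AMF / UPF / SMF IP addresses


class NRF:
    """Network element registration function: stores SeGW records and the
    association protected-network-element address -> SeGW."""

    def __init__(self) -> None:
        self._segws: Dict[str, SeGWRecord] = {}
        self._by_protected: Dict[str, str] = {}   # NE IP -> SeGW name

    def register(self, rec: SeGWRecord) -> None:
        self._segws[rec.name] = rec
        for ne_ip in rec.protected:
            self._by_protected[ne_ip] = rec.name

    def deregister(self, name: str) -> None:
        """Slice torn down: drop the SeGW and every association pointing at it."""
        rec = self._segws.pop(name, None)
        if rec is not None:
            for ne_ip in rec.protected:
                if self._by_protected.get(ne_ip) == name:
                    del self._by_protected[ne_ip]

    def discover(self, protected_ip: str) -> Optional[SeGWRecord]:
        """Gateway discovery request: which SeGW protects this AMF / UPF address?"""
        name = self._by_protected.get(protected_ip)
        return self._segws.get(name) if name is not None else None


class SecurityGateway:
    """SeGW1, or a RAN with the SeGW function integrated (point-to-gateway mode)."""

    def __init__(self, name: str, capabilities: List[str], nrf: NRF) -> None:
        self.name = name
        self.capabilities = list(capabilities)    # preferred first
        self.nrf = nrf
        self.tunnels: Dict[str, str] = {}         # peer SeGW address -> agreed algorithm
        self.routes: Dict[str, str] = {}          # protected NE IP -> peer SeGW address
        self.nrf_queries = 0

    def negotiate(self, peer: SeGWRecord) -> str:
        """Stand-in for IKE SA / IPSec SA negotiation: the first algorithm this
        gateway prefers that the peer also registered.  A real deployment runs
        IKEv2 here; the capability match only decides whether it can succeed."""
        common = [alg for alg in self.capabilities if alg in peer.capabilities]
        if not common:
            raise ValueError(f"{self.name}: no common security capability with {peer.name}")
        return common[0]

    def ensure_tunnel(self, dst_ip: str) -> Tuple[str, bool]:
        """Called for an uplink packet, or by the management function for
        pre-establishment.  Returns (peer SeGW address, negotiated_now).
        Order matches the text: first check whether a tunnel already covers this
        destination; if not, query the NRF, and negotiate only when no tunnel to
        that SeGW exists yet (two network elements behind one SeGW share it)."""
        peer_addr = self.routes.get(dst_ip)
        if peer_addr is not None and peer_addr in self.tunnels:
            return peer_addr, False
        rec = self.nrf.discover(dst_ip)
        self.nrf_queries += 1
        if rec is None:
            raise LookupError(f"{self.name}: no SeGW registered for {dst_ip}")
        negotiated = rec.address not in self.tunnels
        if negotiated:
            self.tunnels[rec.address] = self.negotiate(rec)
        self.routes[dst_ip] = rec.address
        return rec.address, negotiated


def demo() -> Dict[str, object]:
    """Constructed scenario: SeGW2 protects an AMF, SeGW3 protects a slice (UPF + SMF)."""
    nrf = NRF()
    nrf.register(SeGWRecord("SeGW2", "192.0.2.2", ["AES-GCM", "AES-CBC"], {"10.1.0.10"}))
    nrf.register(SeGWRecord("SeGW3", "192.0.2.3", ["AES-CBC"], {"10.2.0.20", "10.2.0.21"}))
    segw1 = SecurityGateway("SeGW1", ["AES-GCM", "AES-CBC"], nrf)
    first = segw1.ensure_tunnel("10.2.0.20")     # uplink to the UPF: discover + negotiate
    second = segw1.ensure_tunnel("10.2.0.21")    # SMF in the same slice: reuse the tunnel
    third = segw1.ensure_tunnel("10.2.0.20")     # no NRF round trip this time
    return {"first": first, "second": second, "third": third,
            "queries": segw1.nrf_queries, "tunnels": dict(segw1.tunnels)}


if __name__ == "__main__":
    print(demo())
```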
  • a data protection device is also provided in the embodiment of the present disclosure, and the device is used to implement the foregoing embodiments or examples.
  • the term "module" may refer to a combination of software and / or hardware that implements a predetermined function.
  • the devices described in the following embodiments may be implemented in software, but implementation of hardware or a combination of software and hardware is also possible and conceived.
  • FIG. 12 is a structural block diagram of a data protection device according to an embodiment of the present disclosure.
  • the data protection device includes: an application unit 51, applied to a first network element and configured to apply for security information of a second network element; and a tunnel establishment unit 52, applied to the first network element and configured to establish an IPSec tunnel with the second network element according to the second network element security information.
  • the first network element is a first gateway deployed on the first network side (radio access network), and the second network element is a second gateway deployed on the second network side (core network).
  • the device further includes: a query unit 53 configured to initiate a request to the network element registration function entity for querying the security information of the second network element; and a first receiving unit 54 configured to receive the second network element security information fed back by the network element registration function entity, wherein the second network element security information is the second gateway security information stored in the network element registration function entity after the second gateway initiates a registration request to it.
  • the tunnel establishing unit 52 is further configured to establish the IPSec tunnel with the second gateway according to the second gateway security information.
  • the first network element is a first gateway deployed on a first network side (radio access network), and the second network element is a second gateway deployed on a second network side (core network).
  • the device further includes a second receiving unit configured to receive the second network element security information fed back by the second communication network element after the second communication network element initiates a request to the network element registration function entity for querying the security information of the second network element; wherein the second network element security information is the second gateway security information stored in the network element registration function entity after the second gateway initiates a registration request to it; and wherein the tunnel establishment unit is further configured to establish the IPSec tunnel with the second gateway according to the second gateway security information.
  • the first network element is a first gateway deployed on a first network side (radio access network), and the second network element is a second gateway deployed on a second network side (core network); the apparatus further includes a first requesting unit configured to receive a first registration request initiated by a user equipment attached to the network, initiate an AMF discovery request to the network element registration function entity, and find the AMF serving the user equipment access.
  • the apparatus further includes: a third receiving unit configured to receive the first registration request forwarded by the first communication network element and prepare to establish an IPSec tunnel; a first parsing unit configured to initiate a gateway discovery request to the network element registration function entity, where the gateway discovery request includes an AMF IP address parsed from the first registration request; and a first information receiving unit configured to receive the second gateway IP address associated with the AMF IP address, fed back by the network element registration function entity; wherein the tunnel establishing unit is further configured to establish the IPSec tunnel with the second gateway according to the second gateway IP address.
  • the first network element is integrated in the first communication network element
  • the second network element is a second gateway deployed on the second network side (core network)
  • the device further includes a second requesting unit configured to receive a first registration request initiated by a user equipment attached to the network, initiate an AMF discovery request to the network element registration function entity, and find the AMF serving the user equipment access.
  • the apparatus further includes: a first initiating unit configured to start the first network element function and prepare to establish an IPSec tunnel; a second parsing unit configured to initiate a gateway discovery request to the network element registration function entity, wherein the gateway discovery request includes an AMF IP address parsed from the first registration request; and a second information receiving unit configured to receive the second gateway IP address associated with the AMF IP address, fed back by the network element registration function entity.
  • the first network element is a first gateway deployed on the first network side (radio access network), and the second network element is a second gateway deployed on the second network side (core network).
  • the device further includes a first slice generation unit configured to orchestrate and generate a network slice, instantiate a new network element to obtain a third gateway, and the third gateway is deployed in the network slice.
  • the device further includes a third requesting unit configured to determine, after receiving an uplink data message, whether an IPSec tunnel needs to be established, and when it determines that an IP security tunnel is to be established, to initiate a gateway discovery request to the network element registration function entity.
  • the gateway discovery request includes the destination IP address information parsed from the uplink data packet; a third information receiving unit is configured to receive the third gateway IP address associated with the destination IP address information, fed back by the network element registration function entity; wherein the tunnel establishing unit is further configured to establish the IPSec tunnel with the third gateway according to the third gateway IP address.
  • the first network element is integrated in a first communication network element
  • the second network element is a second gateway deployed on a second network side (core network)
  • the device further includes a second slice generation unit configured to orchestrate and generate a network slice and instantiate a new network element to obtain a third gateway, the third gateway being deployed in the network slice.
  • the device further includes: a fourth requesting unit configured to initiate a gateway discovery request to the network element registration function entity during the N4 session establishment process, and to return the IP address of the third gateway to the AMF after the N4 session establishment is completed; and a fourth information receiving unit configured to receive the IP address of the third gateway; wherein the tunnel establishing unit is further configured to establish the IPSec tunnel with the third gateway according to the IP address of the third gateway.
  • the first network element is a first gateway deployed on a first network side (radio access network), and the second network element is a second gateway deployed on a second network side (core network); the device further comprises: a fifth requesting unit configured to initiate a first registration request to the network element registration function entity; and a second activation unit configured so that, after the second gateway registers with the network element registration function entity, the establishment of the IPSec tunnel is triggered by the network element management function entity.
  • the tunnel establishing unit is further configured to establish the IP security tunnel with the second gateway according to the IP address of the second gateway after the first gateway obtains the IP address of the second gateway.
  • the data protection device 410 includes a processor 81 and a memory 82 for storing a computer program capable of running on the processor.
  • the data protection device 410 may further include at least one communication interface 83.
  • the various components in the data protection device 410 are coupled together via a bus system 84. It can be understood that the bus system 84 is used to implement connection and communication between these components.
  • the bus system 84 includes a power bus, a control bus, and a status signal bus in addition to the data bus. However, for the sake of clarity, various buses are marked as the bus system 84 in FIG. 14.
  • the communication interface 83 may be configured to interact with other devices.
  • the memory 82 may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memories.
  • non-volatile memory can be read-only memory (ROM, Read Only Memory), programmable read-only memory (PROM, Programmable Read-Only Memory), erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), electrically erasable programmable read-only memory (EEPROM), ferromagnetic random access memory (FRAM), flash memory, magnetic surface memory, optical disk or CD-ROM (Compact Disc Read-Only Memory); the magnetic surface memory can be a disk memory or a tape memory.
  • the volatile memory may be random access memory (RAM, Random Access Memory), which is used as an external cache.
  • many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory) and direct Rambus random access memory (DRRAM, Direct Rambus Random Access Memory).
  • the memory 82 described in embodiments of the present disclosure is intended to include, but is not limited to, these and any other suitable types of memory.
  • an embodiment of the present disclosure also provides a computer-readable storage medium configured to store the computer program provided in the foregoing embodiment; when the program is executed, the foregoing methods are implemented.
  • the computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk or CD-ROM, or any device including one or any combination of the above-mentioned memories.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A data protection method, an apparatus and a computer storage medium are provided. The method includes: a first network element applying for and obtaining security information of a second network element; and the first network element establishing an IP security tunnel with the second network element according to the security information of the second network element.

Description

Data protection method, apparatus and computer storage medium
Technical field
The present application relates to, but is not limited to, the field of communications.
Background
A traditional 2G/3G/4G telecommunication network is a closed network made up of a large number of dedicated devices and single-function network nodes. Software is tightly bound to hardware and usually does not change once the physical devices have been deployed, so the network architecture can use static configuration; for example, the Internet Protocol Security (IPSec) tunnel between the radio access network (RAN) and the core network (CN) can be set up by pre-configuration.
5G telecommunication networks introduce software-defined and virtualization technologies to restructure the traditional telecommunication network. By decoupling software from hardware, a virtualized elastic network is built on general-purpose hardware resources and network services are provided on that basis, and network capacity can be flexibly scaled up or down according to application demand. Compared with a traditional 2G/3G/4G telecommunication network, a 5G network is a dynamic, elastic network; for example, new network elements can be generated dynamically according to service demand, and to ensure the security of data transmission among multiple network elements, IPSec tunnels need to be established. For an elastic network, if IPSec tunnels were established by pre-configuration, a large amount of later maintenance (for example, modifying pre-configured keys) would be required to follow the dynamic changes in service demand, and the operation and maintenance cost would be high.
Summary
A data protection method according to an embodiment of the present disclosure includes: a first network element applying for and obtaining second network element security information; and the first network element establishing an IP security tunnel with a second network element according to the second network element security information.
A data protection apparatus according to an embodiment of the present disclosure includes: an application unit configured to apply for and obtain second network element security information; and a tunnel establishment unit configured to establish an IP security tunnel with a second network element according to the second network element security information.
A data protection apparatus according to an embodiment of the present disclosure includes: a memory storing a computer program; and a processor configured to implement the method of the above solution when executing the computer program.
A computer storage medium according to an embodiment of the present disclosure stores a computer program which, when executed by a processor, implements the method of the above solution.
Brief description of the drawings
FIG. 1 is a schematic diagram of a 5G network architecture in some cases;
FIG. 2 is a schematic diagram of providing services using network slices in some cases;
FIG. 3 is a schematic diagram of establishing an IP security tunnel in some cases;
FIG. 4 is a schematic diagram of providing services in a network slicing scenario according to an embodiment of the present disclosure;
FIG. 5 is a schematic flowchart of a method according to an embodiment of the present disclosure;
FIG. 6 is a schematic flowchart of an example of the method according to an embodiment of the present disclosure;
FIG. 7 is a schematic flowchart of another example of the method according to an embodiment of the present disclosure;
FIG. 8 is a schematic flowchart of another example of the method according to an embodiment of the present disclosure;
FIG. 9 is a schematic flowchart of another example of the method according to an embodiment of the present disclosure;
FIG. 10 is a schematic flowchart of another example of the method according to an embodiment of the present disclosure;
FIG. 11 is a schematic flowchart of another example of the method according to an embodiment of the present disclosure;
FIG. 12 is a schematic diagram of the constituent modules of an apparatus according to an embodiment of the present disclosure;
FIG. 13 is another schematic diagram of the constituent modules of an apparatus according to an embodiment of the present disclosure; and
FIG. 14 is a schematic diagram of the hardware composition of an apparatus according to an embodiment of the present disclosure.
Detailed description
The present disclosure is described in further detail below with reference to the drawings and embodiments. It should be understood that the embodiments provided here are only used to explain the present disclosure and are not intended to limit it. In addition, the embodiments provided below are some, not all, of the embodiments for implementing the present disclosure, and where no conflict arises the technical solutions recorded in the embodiments of the present disclosure may be implemented in any combination.
It should be noted that in the embodiments of the present disclosure the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a method or apparatus that includes a series of elements includes not only the elements explicitly recited but also other elements not explicitly listed, or elements inherent to implementing the method or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further related elements in the method or apparatus that includes that element (for example, steps in a method or units in an apparatus; a unit may be part of a circuit, part of a processor, part of a program or software, and so on).
For example, the data protection method provided by the embodiments of the present disclosure includes a series of steps, but the method is not limited to the steps recorded; likewise, the network element device provided by the embodiments includes a series of units, but it is not limited to the units explicitly recited and may also include units that need to be provided for obtaining related information or for processing based on that information.
It should be noted that the terms "first", "second" and the like in the embodiments of the present disclosure are used only to distinguish similar objects and do not represent a specific ordering of the objects; it is understood that, where permitted, "first", "second" and the like may exchange a specific order or sequence. It should be understood that objects distinguished by "first", "second" and the like are interchangeable where appropriate, so that the embodiments of the present disclosure described here can be implemented in an order other than those illustrated or described here.
5G telecommunication networks introduce software-defined and virtualization technologies to restructure the traditional telecommunication network; by decoupling software from hardware, a virtualized elastic network is built on general-purpose hardware resources to provide network services, and network capacity can be flexibly scaled according to application demand. 5G networks also break the closed model of traditional telecommunication networks and open network service capabilities to third-party services (such as service providers, enterprises and vertical industries), allowing third parties to build network slices on demand to provide network services, so as to keep up with the rapid development and constantly changing requirements of all kinds of services.
The communication architecture of a 5G network is shown in FIG. 1. The Network Slice Selection Function (NSSF) is used for network slice selection; the Authentication Server Function (AUSF) authenticates the user when the user registers with the network; Unified Data Management (UDM) mainly manages user subscription information; the Access and Mobility Management Function (AMF) handles access and mobility management; the Session Management Function (SMF) handles session management; the Policy Control Function (PCF) manages Quality of Service (QoS) policies and slice selection policies; the Application Function (AF) provides application-related information; the RAN is the access network; the User Plane Function (UPF) is mainly used for data exchange between the user and the Data Network (DN); and the DN is the external data network. The detailed architecture and functions are described in the 5G system architecture specification TS 23.501 (TS, Technical Specification). N1, N2, ..., N22 in FIG. 1 denote the reference points between the functional entities.
A 5G network can provide network services to users in the form of network slices. A network slice is a virtual network that is functionally complete, logically independent and shares resources. Network slicing is one exemplary scenario in which the embodiments of the present disclosure can be applied.
FIG. 2 is a schematic diagram of providing services to users with network slices in a traditional network. The scenario includes a user equipment (UE) 101, a radio access network (RAN) 102 and a core network (CN) 103. The RAN is the required ground-based infrastructure for third-generation wireless communication devices and provides, among other things, high-speed mobile access to the Internet. The CN 103 includes a common network element domain 1031. After a user accesses the 5G network and is served by network slices, the network orchestration management system orchestrates network slice 1, marked 1032, to connect to an Internet of Vehicles (IoV) application server 105 so as to serve IoV services, and orchestrates network slice 2, marked 1033, to connect to an Internet application server 106 so as to serve Internet services. Network slice 1 and network slice 2 are logically isolated from each other, and each contains a Session Management Function (SMF) and a User Plane Function (UPF). The common network element domain includes common network elements shared by multiple slices, such as the AMF, NSSF, AUSF and UDM. A UE that uses IoV services needs to access network slice 1; a UE that uses Internet services needs to access network slice 2.
The network orchestration management system can create new functional network elements on demand (that is, instantiate network elements), for example new common network elements or new network slices. When a network service is no longer needed, the network slice can be terminated and its resources quickly released. In addition, the capacity of a network slice can be elastically scaled according to network traffic, number of users and so on. Therefore, compared with a traditional telecommunication network, a 5G network is a dynamic, elastic network.
In the above system architecture, because the backhaul network between the RAN and the CN may cross untrusted domains, there is a risk of data being intercepted. To secure the transmission of signalling and data, a Security Gateway function (SeGW) needs to be deployed between the RAN and the CN and an IP Security (IPSec) tunnel established, so that this part of the data is transmitted encrypted. As shown in FIG. 3, in a 4G network for example, a SeGW is deployed between the evolved network node (eNB) and the Mobility Management Entity (MME), and IPSec is established to encrypt the data in transit. Because the traditional network shown in FIG. 3 is static, that is, the physical devices usually do not change once deployed, the IPSec between the RAN and the CN can be set up by pre-configuration.
FIG. 4 is a schematic diagram of providing services to users with network slices in a 5G network. The scenario includes a UE 101, a radio access network (RAN) 102 and a core network (CN) 103. A security gateway (SeGW) 1021 is deployed on the RAN 102 side. The CN 103 includes a slice common network element domain 1031. After a user accesses the 5G network and is served by network slices, the network orchestration management system orchestrates network slice 1, marked 1034, to connect to an IoV application server 105 so as to serve IoV services, and orchestrates network slice 2, marked 1035, to connect to an Internet application server 106 so as to serve Internet services. Network slice 1 and network slice 2 are logically isolated from each other, and each contains an SMF and a UPF. New security gateways can be instantiated and deployed in the network slices, for example SeGW2 in network slice 1 and SeGW3 in network slice 2. The common network element domain includes common network elements shared by multiple slices, such as the AMF, NSSF, AUSF and UDM. A UE that uses IoV services needs to access network slice 1; a UE that uses Internet services needs to access network slice 2. A security gateway, such as SeGW1, can also be deployed in the common network element domain. The SeGW deployed in each network slice can establish IPSec with the SeGW on the RAN side separately.
Because the 5G network shown in FIG. 4 is elastic, it can dynamically generate new core network elements (common network elements and/or network slices) according to service demand. To secure data transmission, a SeGW needs to be deployed correspondingly between each newly generated common network element and/or network slice and the radio access side so that IPSec can be established. A 5G network supports multiple network slices, so there will be multiple IPSec tunnels between the RAN and the CN, and these are deployed dynamically; the traditional static pre-configuration of IPSec no longer fits an elastic network. On the one hand, under static pre-configuration the keys used for encryption and authentication are configured manually; to keep IPSec secure in the long term these keys must be changed frequently, and as the number of IPSec tunnels between the RAN and the CN grows, the workload of configuring and changing keys grows with it. On the other hand, pre-configuration suits the case where the SeGW devices at both ends of the IPSec tunnel are deployed relatively permanently and their IP addresses are assigned in advance, whereas in an elastic network the SeGWs are deployed dynamically and their addresses are assigned dynamically. Static pre-configuration is therefore unsuitable for establishing IPSec in an elastic network, and dynamic negotiation is needed to create IPSec.
With the embodiments of the present disclosure, in order to negotiate and establish IPSec, the encrypting end (for example the SeGW on the RAN side) can dynamically obtain information about the encrypting peer (for example the SeGW on the CN side), such as the peer SeGW's IP address, and then establish an IP security tunnel between the encrypting end and the peer according to that IP address.
FIG. 5 shows a data protection method according to an embodiment of the present disclosure. As shown in FIG. 5, the method includes steps S101 and S102.
In step S101, a first network element applies for and obtains second network element security information.
The second network element security information is stored in a network element registration function entity. By applying dynamically, the first network element can obtain the second network element security information from the network element registration function entity through a variety of channels.
In step S102, the first network element establishes an IP security (IPSec) tunnel with a second network element according to the second network element security information.
The network element registration function entity stores the security information of all network elements (such as the gateway security information of security gateways): for example, first gateway security information and second network element security information, and, in the later embodiments, third gateway security information when a new gateway (a third gateway) is instantiated. The types of gateway security information include, but are not limited to, the IP address of the security gateway function, its Fully Qualified Domain Name (FQDN) and its security capabilities.
In one embodiment, the first network element is a first gateway deployed on a first network side (the radio access network) and the second network element is a second gateway deployed on a second network side (the core network), and the method includes steps S201 to S203 (not shown).
In step S201, the first gateway sends the network element registration function entity a request to query the second network element security information.
In step S202, the first gateway receives the second network element security information returned by the network element registration function entity.
The second network element security information is the second gateway security information that was stored in the network element registration function entity after the second gateway sent a registration request to that entity.
In step S203, the first gateway establishes the IPSec tunnel with the second gateway according to the second gateway security information.
In one embodiment, the first network element is a first gateway deployed on a first network side (the radio access network) and the second network element is a second gateway deployed on a second network side (the core network), and the method includes steps S301 and S302 (not shown).
In step S301, after a second communication network element has sent the network element registration function entity a request to query the second network element security information, a first communication network element receives the second network element security information returned by the second communication network element.
The second network element security information is the second gateway security information that was stored in the network element registration function entity after the second gateway sent a registration request to that entity.
In step S302, the first gateway establishes the IPSec tunnel with the second gateway according to the second gateway security information.
For the above two embodiments, the processing flow of one example is shown in FIG. 6 and includes steps 501 to 507.
In step 501, the second security gateway function module applies to the network element registration function module for registration.
The registration request contains the second security gateway function information.
In step 502, the second security gateway function information is saved in the network element registration function module.
In step 503a, the first security gateway function module queries the network element registration function module for the second security gateway function information.
In step 504a, the network element registration function module returns the second security gateway function information, such as the IP address/FQDN, to the first security gateway function module.
In step 503b, the second communication function module queries the network element registration function module for the second security gateway function information and receives the second network element security information returned by the network element registration function entity. The second network element security information may be the IP address of the second gateway.
In step 504b, the network element registration function module sends the second security gateway function information, such as the IP address/FQDN, to the first communication function module.
In step 505b, the first communication function module sends the second security gateway function information, such as the IP address/FQDN, to the first security gateway function module.
In step 506, the first security gateway function module and the second security gateway function module carry out IKE SA negotiation and IPSec SA negotiation.
In step 507, after the IPSec tunnel has been established, IP packets are transmitted.
In this example, the second network element security information is stored in the network element registration function entity, and the first network element can obtain it from that entity through a variety of channels by applying dynamically. For instance, through steps 503a and 504a the first security gateway function module obtains the second security gateway function information, such as the IP address/FQDN, from the network element registration function module; alternatively, through steps 503b to 505b the first security gateway function module obtains that information from the first communication function module.
Herein, the second security gateway function module may be located in the second gateway, and the first security gateway function module may be located in the first gateway or in a first communication network element that integrates the first gateway function. The first communication function module may be located in the first communication network element, the second communication function module in the second communication network element, and the network element registration function module in the network element registration function entity. The third security gateway function module may be located in a third gateway deployed in a network slice; this is not repeated below.
In one embodiment, the first network element is a first gateway deployed on the first network side (the radio access network), the second network element is a second gateway deployed on the second network side (the core network), and the method includes steps S401 to S406.
In step S401, a first communication network element receives a first registration request initiated by a user equipment attaching to the network.
In step S402, the first communication network element sends an AMF discovery request to the network element registration function entity to find the AMF that will serve the user equipment's access.
In step S403, the first gateway receives the first registration request forwarded by the first communication network element and prepares to establish an IPSec tunnel.
In step S404, the first gateway sends a gateway discovery request to the network element registration function entity; the gateway discovery request contains the AMF IP address parsed from the first registration request.
In step S405, the first gateway receives, from the network element registration function entity, the second gateway IP address associated with the AMF IP address.
In step S406, the first gateway establishes the IPSec tunnel with the second gateway according to the second gateway IP address.
For this embodiment, the processing flow of one example is shown in FIG. 7; it describes the registration procedure initiated when a user attaches to the network. The IPSec between the RAN and the CN uses gateway-to-gateway mode: SeGW1 (the first security gateway function) is deployed on the RAN side (the first communication function), SeGW2 (the second security gateway function) is deployed in the common network element domain, and the network elements of the common network element domain (such as the AMF and AUSF) are the second communication function. The Network Repository Function (NRF) is used for network element registration. The example includes steps 601 to 609.
In step 601, SeGW2 is instantiated. SeGW2 is to be deployed on the CN common network element side and registers with the NRF; the registration includes its IP address and security capabilities (the IKE protocols, encapsulation protocols, encryption algorithms, authentication algorithms and so on that SeGW2 supports). The NRF saves the SeGW2 information and must also save the association between that information and the information about the network elements protected by SeGW2 (for example the communication peers in this embodiment, that is, the AMF, AUSF, UDM (Unified Data Management) and so on).
The IKE protocols may include Internet Key Exchange version 1 (IKEv1) and IKEv2; the encapsulation protocols include the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
The encryption algorithms may include the Data Encryption Standard (DES), Triple DES (3DES) and the Advanced Encryption Standard (AES).
The authentication algorithms may include Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA1) and SHA2.
Before step 601, SeGW1 may be deployed on the RAN side.
In step 602, a Next Generation User Equipment (NG-UE) attaches to the network and sends a RAN request containing information such as the Subscription Concealed Identifier (SUCI) or the 5G Globally Unique Temporary Identifier (5G-GUTI).
In step 603, the RAN receives the registration request and performs the AMF discovery procedure to find the AMF that will serve the NG-UE's access. The NRF allocates an AMF according to information such as the Mobile Country Code (MCC) and Mobile Network Code (MNC) in the SUCI/5G-GUTI and returns the AMF's IP address or FQDN.
In step 604, according to the AMF information returned by the NRF, the RAN forwards the registration request to the AMF.
In step 605, SeGW1 receives the registration request message and prepares to establish an IPSec tunnel. SeGW1 sends the NRF a CN-side SeGW discovery request; the request message contains the AMF IP address (that is, the destination IP address of the registration request message that SeGW1 received).
In step 606, the NRF queries and allocates SeGW2 according to the AMF IP address, the IP address of SeGW1 and the association between SeGW information and AMF IP addresses saved on the NRF, and returns the IP address/FQDN of SeGW2 to SeGW1.
For example, the security capabilities of SeGW1 can be looked up from SeGW1's IP address; then, from the AMF IP address, the SeGW IP address and SeGW1's security capabilities, a SeGW is looked up that is associated with the AMF IP address and has the same security capabilities as SeGW1. When SeGW2 is found to meet the requirements, its IP address/FQDN is returned to SeGW1.
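The registry-side logic of steps 601, 605 and 606 (and, with a UPF address as the destination, of steps 812 and 813) can be modelled in a few dozen lines. The block below is an added example, not code from the patent or from any ZTE product: the class and function names (`SegwRegistry`, `register_segw`, `discover_segw`), the addresses and the capability sets are constructed for illustration. It generalizes the text slightly: where the description asks for a SeGW with the same security capabilities as SeGW1, the example accepts any peer whose capabilities overlap with the requester's in every category, since that is what a later IKE negotiation actually needs.

```python
# Added example, not code from the patent. A small model of the NRF-side SeGW
# registry (steps 601/802) and the gateway discovery query (steps 605-606,
# 812-813). Names (SegwRegistry, register_segw, discover_segw), addresses and
# capability sets are all constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class SecurityCapability:
    """Capability set a SeGW advertises when it registers (step 601)."""
    ike_versions: FrozenSet[str]    # e.g. {"IKEv2"}
    encapsulations: FrozenSet[str]  # e.g. {"ESP", "AH"}
    ciphers: FrozenSet[str]         # e.g. {"AES"}
    integrity: FrozenSet[str]       # e.g. {"SHA2"}

    def common_with(self, other: "SecurityCapability") -> "SecurityCapability":
        """Element-wise intersection: the negotiable subset of two SeGWs."""
        return SecurityCapability(
            self.ike_versions & other.ike_versions,
            self.encapsulations & other.encapsulations,
            self.ciphers & other.ciphers,
            self.integrity & other.integrity,
        )

    def is_usable(self) -> bool:
        """A tunnel can only be negotiated if every category has a common entry."""
        return all((self.ike_versions, self.encapsulations,
                    self.ciphers, self.integrity))


@dataclass
class SegwRecord:
    ip: str
    fqdn: str
    capability: SecurityCapability
    protected: Set[str] = field(default_factory=set)  # NE addresses behind it


class SegwRegistry:
    """NRF-side store of SeGW info and its association with protected NEs."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, SegwRecord] = {}
        self._protected_to_segw: Dict[str, str] = {}

    def register_segw(self, ip: str, fqdn: str, capability: SecurityCapability,
                      protected_ips=()) -> SegwRecord:
        ip_address(ip)  # reject malformed addresses instead of storing them
        for p in protected_ips:
            ip_address(p)
        rec = SegwRecord(ip, fqdn, capability, set(protected_ips))
        self._by_ip[ip] = rec
        for p in rec.protected:
            self._protected_to_segw[p] = ip   # AMF/UPF address -> its SeGW
        return rec

    def discover_segw(self, requester_ip: str,
                      destination_ip: str) -> Optional[SegwRecord]:
        """Step 606: from the requester's address and the destination NE address
        (the packet's destination), return the peer SeGW or None."""
        requester = self._by_ip.get(requester_ip)
        if requester is None:
            return None   # unknown requester: the NRF answers nothing
        peer_ip = self._protected_to_segw.get(destination_ip)
        if peer_ip is None:
            return None   # destination is not behind any registered SeGW
        peer = self._by_ip[peer_ip]
        if not requester.capability.common_with(peer.capability).is_usable():
            return None   # no algorithm set in common: negotiation would fail
        return peer


def build_demo_registry() -> SegwRegistry:
    """Constructed sample data: SeGW1 on the RAN side, SeGW2 protecting an AMF
    with matching capabilities, SeGW3 protecting a slice UPF with none."""
    reg = SegwRegistry()
    modern = SecurityCapability(frozenset({"IKEv2"}), frozenset({"ESP"}),
                                frozenset({"AES"}), frozenset({"SHA2"}))
    legacy = SecurityCapability(frozenset({"IKEv1"}), frozenset({"ESP", "AH"}),
                                frozenset({"3DES"}), frozenset({"SHA1"}))
    reg.register_segw("10.0.1.1", "segw1.ran.example", modern)
    reg.register_segw("10.0.2.1", "segw2.cn.example", modern, ["10.0.2.10"])
    reg.register_segw("10.0.3.1", "segw3.slice1.example", legacy, ["10.0.3.10"])
    return reg


if __name__ == "__main__":
    registry = build_demo_registry()
    hit = registry.discover_segw("10.0.1.1", "10.0.2.10")
    print("AMF 10.0.2.10 ->", hit.fqdn if hit else None)
    print("UPF 10.0.3.10 ->", registry.discover_segw("10.0.1.1", "10.0.3.10"))
```

Three refusals are deliberate: an unregistered requester gets no answer (so only SeGWs the operator has provisioned can learn where peers sit), a destination that is not behind any SeGW gets no answer, and a peer with no algorithm in common is not returned, because handing SeGW1 an address it cannot negotiate with would only produce a failed IKE exchange on the wire.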
In step 607, SeGW1, according to the IP address of SeGW2, performs Internet Key Exchange Security Association (IKE SA) and IPSec SA negotiation with SeGW2 and establishes the IPSec tunnel. In the present disclosure IPSec is established using IKEv2; the procedure is outlined below, and the details can be found in RFC 7296 (Request For Comments 7296).
The IPSec tunnel negotiation procedure is divided into IKE Security Association (IKE SA) negotiation and IPSec SA negotiation.
IKE SA negotiation may include the following. The two IKE parties (that is, SeGW1 and SeGW2, hereafter "the two parties") negotiate the IKE version, the encapsulation protocol (AH or ESP), the encryption algorithm (DES, 3DES, AES), the authentication algorithm (MD5, SHA1, SHA2), the identity authentication method and exchange mode, the Diffie-Hellman (DH) key exchange algorithm and so on. The two parties exchange key material (for example DH public values and nonces). Each party, in combination with its configured identity authentication method, computes the keys (the pre-shared key or digital certificate takes part in the key computation). Three shared keys are finally produced: K1, the key for integrity verification of IKE negotiation messages; K2, the key for encrypting IKE negotiation messages; and K3, the key from which the encryption and authentication keys for IPSec packets are derived. K1 and K2 secure the subsequent IKE negotiation messages, and K3 secures the data packets encapsulated by IPSec.
The entire key exchange and computation process is refreshed automatically at a certain period under the control of the IKE SA lifetime, avoiding the security risk of keys that never change.
IPSec SA negotiation is used by the two parties to negotiate the data flows to be protected and to exchange key material so that both can generate the keys for the IPSec SA.
IKEv2 uses the IKE SA initial exchange and the IKE authentication exchange to complete the IKE SA and IPSec SA negotiation described above and establish IPSec.
During the IKE SA initial exchange, IKE SA parameters are negotiated, including the SA payload, the KE (Key Exchange) payload and the NONCE payload. The SA payload negotiates the encryption algorithm, authentication algorithm, pseudo-random function, DH group and so on supported by both parties; the KE and NONCE payloads exchange key material.
After the IKE SA initial exchange, the two parties finally generate three classes of keys: K1 for integrity verification of the second message pair (the IKE authentication exchange), K2 for encrypting the second message pair (the IKE authentication exchange), and K3 for deriving encryption material for the IPSec SA.
The IKE authentication exchange authenticates the identities of the two parties and creates the IPSec SA. There are usually three identity authentication techniques: with the pre-shared key method, the SeGW's identity information is its IP address or name; with the digital certificate method, the SeGW's identity information is its certificate together with a hash of part of the message signed with the certificate's private key (the signature); with the Extensible Authentication Protocol (EAP) method, keys are derived after authentication, which is mainly performed via the RADIUS protocol, and the EAP authentication exchange belongs to the extended exchange.
Creating the IPSec SA includes the two parties negotiating the protected data flows, which is done through the Traffic Selector (TS) payload.
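The K1/K2/K3 description above maps onto the concrete key schedule of RFC 7296: after IKE_SA_INIT both SeGWs compute SKEYSEED from the nonces and the DH result, expand it with prf+ into SK_d, SK_ai/SK_ar, SK_ei/SK_er and SK_pi/SK_pr, and later feed SK_d into a second prf+ to obtain the IPSec SA keys. The block below is an added example written for this page, not code from the patent or from any SeGW implementation. It follows sections 2.13, 2.14 and 2.17 of the RFC with PRF_HMAC_SHA2_256; the Diffie-Hellman step is replaced by a constructed stand-in secret, and the nonces and SPIs are constructed values, so the outputs illustrate the derivation and are not a real exchange.

```python
# Added example, not code from the patent: the IKE_SA_INIT key derivation of
# RFC 7296 (sections 2.13, 2.14 and 2.17), run for SeGW1 and SeGW2 so that the
# page's K1, K2 and K3 can be matched to concrete outputs. The Diffie-Hellman
# step is replaced by a constructed shared secret; nonces and SPIs are
# constructed too.
import hashlib
import hmac
from typing import Dict

PRF_HASH = hashlib.sha256            # negotiated PRF: PRF_HMAC_SHA2_256
PRF_LEN = PRF_HASH().digest_size     # 32 bytes

# Constructed sample inputs (real values come from the NONCE payloads, the KE
# payloads and the IKE header SPIs of an actual IKE_SA_INIT exchange).
NI = bytes.fromhex("00112233445566778899aabbccddeeff")        # initiator nonce
NR = bytes.fromhex("ffeeddccbbaa99887766554433221100")        # responder nonce
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")
SHARED_SECRET = hashlib.sha256(b"constructed stand-in for g^ir").digest()


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, PRF_HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def derive_ike_keys(ni: bytes, nr: bytes, shared_secret: bytes,
                    spi_i: bytes, spi_r: bytes,
                    integ_len: int = 32, enc_len: int = 16) -> Dict[str, bytes]:
    """SKEYSEED = prf(Ni|Nr, g^ir);
    {SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr} = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr).
    Lengths assume AUTH_HMAC_SHA2_256_128 (32-byte key) and AES-128 (16 bytes)."""
    skeyseed = prf(ni + nr, shared_secret)
    layout = [("SK_d", PRF_LEN), ("SK_ai", integ_len), ("SK_ar", integ_len),
              ("SK_ei", enc_len), ("SK_er", enc_len),
              ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r,
                      sum(size for _, size in layout))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = stream[pos:pos + size]
        pos += size
    return keys


def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int) -> bytes:
    """KEYMAT for the IPSec (CHILD) SA, RFC 7296 2.17: prf+(SK_d, Ni|Nr).
    This is the role the page assigns to K3."""
    return prf_plus(sk_d, ni + nr, length)


def both_sides_agree() -> bool:
    """Each SeGW derives independently from the same exchanged material."""
    segw1 = derive_ike_keys(NI, NR, SHARED_SECRET, SPI_I, SPI_R)
    segw2 = derive_ike_keys(NI, NR, SHARED_SECRET, SPI_I, SPI_R)
    return segw1 == segw2


if __name__ == "__main__":
    k = derive_ike_keys(NI, NR, SHARED_SECRET, SPI_I, SPI_R)
    # K1 (integrity of IKE messages) -> SK_ai / SK_ar
    # K2 (encryption of IKE messages) -> SK_ei / SK_er
    # K3 (seed for IPSec SA keys)      -> SK_d, consumed by child_sa_keymat
    for name, value in k.items():
        print(f"{name:6} {value.hex()}")
    print("both sides agree:", both_sides_agree())
```

Because the nonces enter both SKEYSEED and the prf+ seed, a fresh nonce pair on rekey (the periodic refresh the page mentions under the IKE SA lifetime) yields an unrelated key set even if the DH result were somehow reused; the test below checks that property as well as agreement between the two sides.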
In step 608, SeGW1 encrypts the registration request message with IPSec and sends it to SeGW2. SeGW2 decrypts the message and sends it to the AMF.
In step 609, the rest of the registration procedure follows the registration procedure of 3GPP TS 23.502.
The above embodiment establishes a gateway-to-gateway IPSec tunnel between the RAN side and the CN-side common network element domain, so that the signalling exchanged between the RAN and the CN is carried over IPSec and its transmission is secured. The encrypting end SeGW1 discovers the encrypting peer SeGW2 through the NRF and negotiates the establishment of IPSec.
In one embodiment, the first network element is integrated into a first communication network element, the second network element is a second gateway deployed on the second network side (the core network), and the method includes steps S501 to S506.
In step S501, the first communication network element receives a first registration request initiated by a user equipment attaching to the network.
In step S502, the first communication network element sends an AMF discovery request to the network element registration function entity to find the AMF that will serve the user equipment's access.
In step S503, the first communication network element starts the first network element function and prepares to establish an IPSec tunnel.
In step S504, the first communication network element sends a gateway discovery request to the network element registration function entity; the gateway discovery request contains the AMF IP address parsed from the first registration request.
In step S505, the first communication network element receives, from the network element registration function entity, the second gateway IP address associated with the AMF IP address.
In step S506, the first communication network element establishes the IPSec tunnel with the second gateway according to the second gateway IP address.
For this embodiment, the specific processing flow of one example is shown in FIG. 8; it describes the registration procedure initiated when a user attaches to the network. The IPSec between the RAN and the CN uses point-to-gateway mode: no separate SeGW is deployed on the RAN side, the RAN integrates the SeGW function (first communication function/first security gateway function), and SeGW2 (the second security gateway function) is deployed in the common network element domain (the second communication function). The example includes steps 701 to 707.
In step 701, SeGW2 is instantiated; it is to be deployed on the CN common network element side.
SeGW2 is registered with the NRF; the registration information includes its IP address and security capabilities (see step 601). The NRF saves this information and establishes and saves the association between the SeGW2 information and the information about the network elements protected by SeGW2 (for example the AMF IP address).
Before step 701, SeGW1 is deployed on the RAN side.
In step 702, the NG-UE attaches to the network and sends a RAN request containing information such as the SUCI/5G-GUTI.
In step 703, the RAN receives the registration request and performs the AMF discovery procedure to find the AMF that will serve the NG-UE's access. The request message carries information such as the SUCI/5G-GUTI.
In step 704, the NRF allocates an AMF according to information such as the MCC and MNC in the SUCI/5G-GUTI and returns the AMF's IP address or FQDN; at the same time it allocates SeGW2 (the query and allocation procedure is as in step 606) and returns the IP address or FQDN of SeGW2 to the RAN.
In step 705, the RAN, according to the IP address of SeGW2, performs IKE SA and IPSec SA negotiation with SeGW2 and establishes the IPSec tunnel.
In step 706, the RAN encrypts the registration request message with IPSec and sends it to SeGW2. SeGW2 decrypts the message and sends it to the AMF.
In step 707, the rest of the registration procedure follows the registration procedure of 3GPP TS 23.502.
The above embodiment establishes a point-to-gateway IPSec tunnel between the RAN side and the CN-side common network element domain, so that the signalling exchanged between the RAN and the CN is carried over IPSec and its transmission is secured; here the RAN obtains the address information of SeGW2 through the AMF discovery procedure and negotiates the establishment of IPSec.
In one embodiment, the first network element is a first gateway deployed on the first network side (the radio access network), the second network element is a second gateway deployed on the second network side (the core network), and the method includes steps S601 to S604.
In step S601, a network slice is produced by orchestration, and a new network element is instantiated to obtain a third gateway, which is deployed in the network slice.
In step S602, after receiving an uplink data packet, the first gateway determines whether an IP security tunnel is to be established and sends a gateway discovery request to the network element registration function entity.
The gateway discovery request contains the destination IP address information parsed from the uplink data packet.
In step S603, the first gateway receives, from the network element registration function entity, the third gateway IP address associated with that destination IP address information.
In step S604, the first gateway establishes the IPSec tunnel with the third gateway according to the third gateway IP address.
For this embodiment, the specific processing flow of one example is shown in FIG. 9; it describes the process in which, after attaching to the network, a user needs to start a service and therefore accesses a network slice. The network orchestration system orchestrates a new network slice on demand. In this example the network slice consists of an SMF and a UPF; to secure data transmission between the RAN and the network slice, IPSec must be established, so SeGW3 is instantiated while the slice is being orchestrated. Gateway-to-gateway mode is used between the RAN and the slice: SeGW1 (the first security gateway function) is deployed separately on the RAN (first communication function) side, and SeGW3 (the second security gateway function) is deployed in the network slice (the second communication function). The example includes steps 801 to 816.
In step 801, SeGW2, deployed on the CN common network element side, registers with the NRF, providing its IP address, security capabilities and other information. The NRF saves the SeGW2 information.
Before step 801, the SeGW1 information, including its IP address and security capabilities, is provisioned in the NRF.
In step 802, a network slice is produced by orchestration, and SeGW3 is produced at the same time and deployed in the network slice. SeGW3 sends a registration request to the NRF containing its IP address, security capabilities and other information; the NRF saves this information and establishes the association between the SeGW3 information and the information about the network slice protected by SeGW3 (for example the UPF IP address and the SMF IP address).
In step 803, during the NG-UE registration phase, the IPSec between SeGW1 and SeGW2 has already been established, so the signalling exchanged between the NG-UE and the CN common network elements (for example in steps 804 and 810) is transmitted encrypted.
In step 804, the NG-UE sends a Packet Data Unit (PDU) session establishment request carrying information such as the Single Network Slice Selection Assistance Information (S-NSSAI), the Data Network Name (DNN) and the PDU Session ID.
In step 805, after receiving the request message, the AMF performs SMF selection according to the S-NSSAI, DNN and other information.
In step 806, the AMF sends a PDU session establishment request to the SMF.
In step 807, the SMF performs UPF selection according to the S-NSSAI, DNN and other information.
In step 808, the SMF sends the UPF an N4 session establishment/modification request, delivering packet detection rules, tunnel information and so on.
In step 809, the SMF returns a PDU session establishment response to the AMF, providing tunnel information, QoS and other information to the AMF.
In step 810, the PDU session establishment procedure is completed between the AMF and the RAN and between the RAN and the NG-UE.
In step 811, the NG-UE sends an uplink data packet.
In step 812, when the uplink data arrives at SeGW1, SeGW1 determines from the outer destination address of the packet (that is, the UPF IP address) that no IPSec tunnel has yet been established between SeGW1 and the network slice to which that UPF belongs. SeGW1 sends the NRF a query for the SeGW information of that network slice; the query contains the UPF IP address.
In step 813, the NRF allocates SeGW3 according to the association between the network slice information (including the UPF IP address) and SeGW information (see step 606), and returns the IP address or FQDN of SeGW3 to SeGW1.
In step 814, SeGW1 initiates IKE SA and IPSec SA negotiation according to the SeGW3 information and establishes the IPSec tunnel.
In step 815, SeGW1 encrypts the uplink packet with IPSec and sends it to SeGW3. SeGW3 decrypts the message and sends it to the UPF.
In step 816, the rest of the PDU session establishment procedure follows the PDU session establishment procedure of 3GPP TS 23.502.
The above example establishes a gateway-to-gateway IPSec tunnel between the RAN side and the CN-side network slice, so that the data exchanged between the RAN and the network slice is carried over IPSec and its transmission is secured. SeGW1 triggers the IPSec negotiation and establishment process (step 814) when it receives an uplink data packet, and queries the NRF for the IP address/FQDN of SeGW3 in order to initiate the IPSec negotiation.
In one embodiment, the first network element is integrated into the first network side (the radio access network), the second network element is a second gateway deployed on the second network side (the core network), and the method includes steps S701 and S702.
In step S701, a network slice is produced by orchestration, and a new network element is instantiated to obtain a third gateway, which is deployed in the network slice.
In step S702, during the N4 session establishment procedure a gateway discovery request is sent to the network element registration function entity, and after the N4 session has been established the IP address of the third gateway is returned to the authentication management function AMF; the first communication network element receives the third gateway's IP address and establishes the IP security tunnel with the third gateway according to it.
For this embodiment, the specific processing flow of one example is shown in FIG. 10; it describes the process in which, after attaching to the network, a user needs to start a service and therefore accesses a network slice. The network orchestration system orchestrates a new network slice on demand (in the embodiments of the present disclosure a network slice consists of an SMF and a UPF); to secure data transmission between the RAN and the network slice, IPSec must be established, so SeGW3 is produced by orchestration and deployed in the slice while the slice is being orchestrated. Point-to-gateway mode is used between the RAN and the slice: no separate SeGW is deployed on the RAN side, the RAN integrates the SeGW function (first communication function/first security gateway function), and an independent SeGW3 (the second security gateway function) is deployed in the slice (the second communication function). The example includes steps 901 to 919.
In step 901, the CN common network element side SeGW2 sends a registration request to the NRF containing its IP address, security capabilities and other information. The NRF saves the SeGW2 information.
Before step 901, SeGW1 is deployed on the RAN side.
In step 902, SeGW3 is deployed in the network slice; for example, when a new UPF is instantiated, a new SeGW3 is instantiated at the same time and assigned an IP address. SeGW3 sends a registration request to the NRF containing its IP address, security capabilities and so on; the NRF saves this information and establishes the association between the UPF's IP address and SeGW3's IP address.
In step 903, during the NG-UE registration phase the IPSec between SeGW1 and SeGW2 has already been established, so the control signalling exchanged between the NG-UE and the CN common network elements (for example in steps 904, 913 and 915) is transmitted encrypted.
In step 904, the NG-UE sends a PDU session establishment request carrying information such as the S-NSSAI, DNN and PDU Session ID.
In step 905, after receiving the request message, the AMF performs SMF selection according to the S-NSSAI, DNN and other information.
In step 906, the AMF sends a PDU session establishment request to the SMF.
In step 907, the SMF performs UPF selection according to the S-NSSAI, DNN and other information.
In step 908, the SMF sends the UPF an N4 session establishment/modification request, delivering packet detection rules, tunnel information and so on.
In step 909, the UPF performs a SeGW discovery request, querying the NRF with its own UPF IP address.
In step 910, the NRF allocates SeGW3 according to the association between the network slice information (including the UPF IP address) and SeGW information, and returns the IP address or FQDN of SeGW3 to the UPF.
In step 911, the UPF returns an N4 session establishment/modification response to the SMF, returning the IP address or FQDN of SeGW3 to the SMF.
In step 912, the SMF returns a PDU session establishment response to the AMF, providing the IP address or FQDN of SeGW3, tunnel information, Quality of Service (QoS) and other information to the AMF.
In step 913, the AMF sends an N2 session establishment request to the RAN, providing the IP address or FQDN of SeGW3 to the RAN. Information sent between the AMF and the RAN is encrypted with the IPSec tunnel established in step 903.
In step 914, the configuration of radio resources for the PDU session is completed between the RAN and the NG-UE.
In step 915, the RAN returns an N2 session establishment response to the AMF.
In step 916, the NG-UE sends an uplink data packet.
In step 917, when the uplink data arrives at the RAN, the RAN initiates IKE SA and IPSec SA negotiation according to the SeGW3 information and establishes the IPSec tunnel.
In step 918, the RAN encrypts the uplink packet with IPSec and sends it to SeGW3. SeGW3 decrypts the message and sends it to the UPF.
In step 919, the rest of the PDU session establishment procedure follows the PDU session establishment procedure of 3GPP TS 23.502.
The above embodiment establishes a point-to-gateway IPSec tunnel between the RAN side and the network slice, so that the data exchanged between the RAN and the network slice is carried over IPSec and its transmission is secured.
What this example implements is that, in the slice creation phase, the UPF selects the IP address/FQDN of SeGW3 and sends it to the RAN through the N4 and N2 session messages, and the RAN triggers IPSec establishment when it receives an uplink data packet. It should be noted that the IPSec negotiation and establishment process (step 917) may also be triggered as soon as the RAN receives the IP address/FQDN of SeGW3 (that is, at step 913). In this flow, if a separate SeGW1 is deployed on the RAN side, the RAN also needs to send the IP address/FQDN of SeGW3 to SeGW1 in a message.
In one embodiment, the first network element is a first gateway deployed on the first network side (the radio access network), the second network element is a second gateway deployed on the second network side (the core network), and the method includes steps S801 to S803.
In step S801, the second gateway sends a registration request to the network element registration function entity.
In step S802, after the second gateway has registered with the network element registration function entity, the network element management function entity triggers the first communication network element to establish the IPSec tunnel.
In step S803, after the first gateway has obtained the IP address of the second gateway, it establishes the IP security tunnel with the second gateway according to that second gateway IP address.
For this embodiment, the specific processing flow of one example is shown in FIG. 11. In all the examples above, the IPSec tunnel between the RAN and the CN is triggered when SeGW1 receives a CP (Control Plane) or UP (User Plane) packet; this way of establishing the IPSec tunnel affects the latency of the packet exchange. This example describes starting the IPSec establishment between the RAN side and the CN side as soon as a SeGW is instantiated (for example when a new AMF is instantiated or a new network slice is produced). The establishment can be triggered by the network element management function, and this way of establishing the tunnel does not affect the latency of the packet exchange. The example includes steps 1001 to 1006.
SeGW1 (the first security gateway function) is deployed on the RAN (first communication function) side.
In step 1001, SeGW2 registers with the NRF.
When the CN side instantiates a new network slice (represented by a UPF in this embodiment) or a new common network element domain (represented by an AMF in this embodiment), that is, the second communication function, a new SeGW2 (the second security gateway function) is instantiated. SeGW2 registers with the NRF, providing its IP address, security capabilities and other information; the NRF saves this information and establishes the association between the UPF/AMF IP address and the SeGW2 information.
In step 1002, the network element management function (responsible for operating, managing and maintaining the deployed network elements, for example management network elements such as the EMS (Element Management System), OMS (Operation Management System) or MANO (Management and Orchestration)) sends SeGW1 a message requiring it to establish IPSec with the CN side.
In step 1003, SeGW1 initiates a SeGW2 discovery request, querying the NRF for the CN-side SeGW information.
In step 1004, the NRF returns the IP address/FQDN of SeGW2 to SeGW1.
In step 1005, SeGW1 initiates IKE SA and IPSec SA negotiation according to the IP address of SeGW2 and establishes IPSec.
In step 1006, the CP/UP packets generated in the user registration procedure or the network slice access procedure are encrypted with this IPSec tunnel when they pass between the RAN and the CN. For the registration and slice access procedures see TS 23.502.
This example uses the NRF to save the SeGW information and its association with the information about the protected network elements, for other network elements to query. Alternatively, the SeGW information and the association can be kept on a DNS (Domain Name System) server using the DNS mechanism, so that other network elements can query it and select a suitable SeGW.
An embodiment of the present disclosure also provides a data protection apparatus for implementing the above embodiments and examples. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. The apparatus described in the following embodiments can be implemented in software, but implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 12 is a structural block diagram of a data protection apparatus according to an embodiment of the present disclosure. The apparatus includes an application unit 51, applied to a first network element and configured to apply for and obtain second network element security information, and a tunnel establishment unit 52, applied to the first network element and configured to establish an IPSec tunnel with a second network element according to the second network element security information.
In one embodiment, as shown in FIG. 13, the first network element is a first gateway deployed on the first network side (the radio access network) and the second network element is a second gateway deployed on the second network side (the core network), and the apparatus further includes: a query unit 53 configured to send the network element registration function entity a request to query the second network element security information; and a first receiving unit 54 configured to receive the second network element security information returned by the network element registration function entity, where the second network element security information is the second gateway security information stored in the network element registration function entity after the second gateway sent a registration request to that entity, and where the tunnel establishment unit 52 is further configured to establish the IPSec tunnel with the second gateway according to the second gateway security information.
In one embodiment, the first network element is a first gateway deployed on the first network side (the radio access network) and the second network element is a second gateway deployed on the second network side (the core network), and the apparatus further includes a second receiving unit configured to receive, after a second communication network element has sent the network element registration function entity a request to query the second network element security information, the second network element security information returned by the second communication network element, where the second network element security information is the second gateway security information stored in the network element registration function entity after the second gateway sent a registration request to that entity, and where the tunnel establishment unit is further configured to establish the IPSec tunnel with the second gateway according to the second gateway security information.
In one embodiment, the first network element is a first gateway deployed on the first network side (the radio access network) and the second network element is a second gateway deployed on the second network side (the core network), and the apparatus further includes a first request unit configured to, on receiving a first registration request initiated by a user equipment attaching to the network, send an AMF discovery request to the network element registration function entity to find the AMF that will serve the user equipment's access.
In one embodiment, the apparatus further includes: a third receiving unit configured to receive the first registration request forwarded by the first communication network element and prepare to establish an IPSec tunnel; a first parsing unit configured to send a gateway discovery request to the network element registration function entity, the request containing the AMF IP address parsed from the first registration request; and a first information receiving unit configured to receive, from the network element registration function entity, the second gateway IP address associated with the AMF IP address, where the tunnel establishment unit is further configured to establish the IPSec tunnel with the second gateway according to the second gateway IP address.
In one embodiment, the first network element is integrated into a first communication network element and the second network element is a second gateway deployed on the second network side (the core network), and the apparatus further includes a second request unit configured to, on receiving a first registration request initiated by a user equipment attaching to the network, send an AMF discovery request to the network element registration function entity to find the AMF that will serve the user equipment's access.
In one embodiment, the apparatus further includes: a first start-up unit configured to start the first network element function and prepare to establish an IPSec tunnel; a second parsing unit configured to send a gateway discovery request to the network element registration function entity, the request containing the AMF IP address parsed from the first registration request; and a second information receiving unit configured to receive, from the network element registration function entity, the second gateway IP address associated with the AMF IP address, where the tunnel establishment unit is further configured to establish the IPSec tunnel with the second gateway according to the second gateway IP address.
In one embodiment, the first network element is a first gateway deployed on the first network side (the radio access network) and the second network element is a second gateway deployed on the second network side (the core network), and the apparatus further includes a first slice generation unit configured to orchestrate a network slice and instantiate a new network element to obtain a third gateway deployed in the network slice. The apparatus further includes: a third request unit configured to, after receiving an uplink data packet, determine whether an IPSec tunnel is to be established and, if so, send a gateway discovery request to the network element registration function entity, the request containing the destination IP address information parsed from the uplink data packet; and a third information receiving unit configured to receive, from the network element registration function entity, the third gateway IP address associated with that destination IP address information, where the tunnel establishment unit is further configured to establish the IPSec tunnel with the third gateway according to the third gateway IP address.
In one embodiment, the first network element is integrated into a first communication network element and the second network element is a second gateway deployed on the second network side (the core network), and the apparatus further includes a second slice generation unit configured to orchestrate a network slice and instantiate a new network element to obtain a third gateway deployed in the network slice. The apparatus further includes: a fourth request unit configured to send a gateway discovery request to the network element registration function entity during the N4 session establishment procedure and, after the N4 session has been established, return the IP address of the third gateway to the authentication management function AMF; and a fourth information receiving unit configured to receive the IP address of the third gateway, where the tunnel establishment unit is further configured to establish the IPSec tunnel with the third gateway according to the third gateway IP address.
In one embodiment, the first network element is a first gateway deployed on the first network side (the radio access network) and the second network element is a second gateway deployed on the second network side (the core network), and the apparatus further includes: a fifth request unit configured to send a first registration request to the network element registration function entity; and a second start-up unit configured to have the establishment of the IPSec tunnel triggered by the network element management function entity after the second gateway has registered with the network element registration function entity.
In one embodiment, the tunnel establishment unit is further configured to, after the first gateway has obtained the IP address of the second gateway, establish the IP security tunnel with the second gateway according to that second gateway IP address.
An embodiment of the present disclosure also provides a data protection apparatus. As shown in FIG. 14, the data protection apparatus 410 includes a processor 81 and a memory 82 for storing a computer program that can run on the processor. Of course, in practice, as shown in FIG. 14, the data protection apparatus 410 may further include at least one communication interface 83. The components of the data protection apparatus 410 are coupled together through a bus system 84. It will be understood that the bus system 84 implements the connections and communication between these components. Besides a data bus, the bus system 84 includes a power bus, a control bus and a status signal bus; for clarity, however, all the buses are labelled as the bus system 84 in FIG. 14. The communication interface 83 may be configured to interact with other devices.
It will be understood that the memory 82 may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memories. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc or a compact disc read-only memory (CD-ROM); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM) and direct Rambus random access memory (DRRAM). The memory 82 described in the embodiments of the present disclosure is intended to include, but is not limited to, these and any other suitable types of memory.
An embodiment of the present disclosure also provides a computer-readable storage medium configured to store the computer program provided in the above embodiments; when the program is executed, the foregoing methods are implemented. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc or CD-ROM, or various devices including one or any combination of the above memories.
It should be noted that, where no conflict arises, the embodiments, examples and technical solutions recorded in the embodiments of the present disclosure may be combined arbitrarily.
Although various exemplary embodiments have been disclosed above, those skilled in the art will recognize that various improvements, modifications and substitutions are possible. The scope of the present disclosure should therefore not be limited to the above embodiments, and such improvements, modifications and substitutions also fall within the protection scope of the present disclosure.

Claims (28)

  1. A data protection method, comprising:
    a first network element applying for and obtaining second network element security information; and
    the first network element establishing an Internet Protocol (IP) security tunnel with a second network element according to the second network element security information.
  2. The method according to claim 1, wherein the first network element is a first gateway deployed on a first network side and the second network element is a second gateway deployed on a second network side, and the method further comprises:
    the first gateway sending a network element registration function entity a request for querying the second network element security information; and
    the first gateway receiving the second network element security information returned by the network element registration function entity;
    wherein the second network element security information is second gateway security information stored in the network element registration function entity after the second gateway sent a registration request to the network element registration function entity,
    and wherein the step of the first network element establishing the IP security tunnel with the second network element according to the second network element security information comprises: the first gateway establishing the IP security tunnel with the second gateway according to the second gateway security information.
  3. The method according to claim 1, wherein the first network element is a first gateway deployed on a first network side and the second network element is a second gateway deployed on a second network side, and the method further comprises:
    after a second communication network element has sent the network element registration function entity a request for querying the second network element security information and has received the second network element security information returned by the network element registration function entity, a first communication network element receiving the second network element security information returned by the second communication network element;
    wherein the second network element security information is a second gateway IP address stored in the network element registration function entity after the second gateway sent a registration request to the network element registration function entity,
    and wherein the step of the first network element establishing the IP security tunnel with the second network element according to the second network element security information comprises: the first gateway establishing the IP security tunnel with the second gateway according to the second gateway IP address.
  4. The method according to claim 1, wherein the first network element is a first gateway deployed on a first network side and the second network element is a second gateway deployed on a second network side, and the method further comprises:
    a first communication network element, on receiving a first registration request initiated by a user equipment attaching to the network, sending an authentication management function (AMF) discovery request to a network element registration function entity to find the AMF serving the user equipment's access.
  5. The method according to claim 4, further comprising:
    the first gateway receiving the first registration request forwarded by the first communication network element and preparing to establish an IP security tunnel;
    the first gateway sending a gateway discovery request to the network element registration function entity, the gateway discovery request containing an AMF IP address parsed from the first registration request; and
    the first gateway receiving, from the network element registration function entity, a second gateway IP address associated with the AMF IP address;
    wherein the step of the first network element establishing the IP security tunnel with the second network element according to the second network element security information comprises: the first gateway establishing the IP security tunnel with the second gateway according to the second gateway IP address.
  6. The method according to claim 1, wherein the first network element is integrated into a first communication network element and the second network element is a second gateway deployed on a second network side, and the method further comprises:
    the first communication network element, on receiving a first registration request initiated by a user equipment attaching to the network, sending an authentication management function (AMF) discovery request to the network element registration function entity to find the AMF serving the user equipment's access.
  7. The method according to claim 6, further comprising:
    the first communication network element starting the first network element function and preparing to establish an IP security tunnel;
    the first communication network element sending a gateway discovery request to the network element registration function entity, the gateway discovery request containing an AMF IP address parsed from the first registration request; and
    the first communication network element receiving, from the network element registration function entity, a second gateway IP address associated with the AMF IP address;
    wherein the step of the first network element establishing the IP security tunnel with the second network element according to the second network element security information comprises: the first communication network element establishing the IP security tunnel with the second gateway according to the second gateway IP address.
  8. The method according to claim 1, wherein the first network element is a first gateway deployed on a first network side and the second network element is a second gateway deployed on a second network side, and the method further comprises:
    orchestrating a network slice and instantiating a new network element to obtain a third gateway, the third gateway being deployed in the network slice.
  9. The method according to claim 8, further comprising:
    the first gateway, after receiving an uplink data packet, determining whether to establish an IP security tunnel and, when it determines that an IP security tunnel is to be established, sending a gateway discovery request to the network element registration function entity, the gateway discovery request containing destination IP address information parsed from the uplink data packet;
    the first gateway receiving, from the network element registration function entity, a third gateway IP address associated with the destination IP address information; and
    the first gateway establishing the IP security tunnel with the third gateway according to the third gateway IP address.
  10. The method according to claim 1, wherein the first network element is integrated into a first communication network element and the second network element is a second gateway deployed on a second network side, and the method further comprises:
    orchestrating a network slice and instantiating a new network element to obtain a third gateway, the third gateway being deployed in the network slice.
  11. The method according to claim 10, further comprising:
    during an N4 session establishment procedure, sending a gateway discovery request to a network element registration function entity and, after the N4 session has been established, returning the IP address of the third gateway to the authentication management function (AMF);
    the first communication network element receiving the IP address of the third gateway; and
    the first communication network element establishing the IP security tunnel with the third gateway according to the third gateway IP address.
  12. The method according to claim 1, wherein the first network element is a first gateway deployed on a first network side and the second network element is a second gateway deployed on a second network side, and the method further comprises:
    the second gateway sending a registration request to the network element registration function entity; and
    a first communication network element having the establishment of the IP security tunnel triggered by a network element management function entity after the second gateway has registered with the network element registration function entity.
  13. The method according to claim 12, further comprising:
    after the first gateway has obtained the IP address of the second gateway, establishing the IP security tunnel with the second gateway according to the second gateway IP address.
  14. A data protection apparatus, comprising:
    an application unit, applied to a first network element and configured to apply for and obtain second network element security information; and
    a tunnel establishment unit, applied to the first network element and configured to establish an Internet Protocol (IP) security tunnel with a second network element according to the second network element security information.
  15. The apparatus according to claim 14, wherein the first network element is a first gateway deployed on a first network side and the second network element is a second gateway deployed on a second network side, and the apparatus further comprises:
    a query unit configured to send a network element registration function entity a request for querying the second network element security information; and
    a first receiving unit configured to receive the second network element security information returned by the network element registration function entity;
    wherein the second network element security information is second gateway security information stored in the network element registration function entity after the second gateway sent a registration request to the network element registration function entity;
    and wherein the tunnel establishment unit is further configured to establish the IP security tunnel with the second gateway according to the second gateway security information.
  16. The apparatus according to claim 14, wherein the first network element is a first gateway deployed on a first network side and the second network element is a second gateway deployed on a second network side, and the apparatus further comprises:
    a second receiving unit configured to receive, after a second communication network element has sent the network element registration function entity a request for querying the second network element security information and has received the second network element security information returned by the network element registration function entity, the second network element security information returned by the second communication network element;
    wherein the second network element security information is a second gateway IP address stored in the network element registration function entity after the second gateway sent a registration request to the network element registration function entity;
    and wherein the tunnel establishment unit is further configured to establish the IP security tunnel with the second gateway according to the second gateway IP address.
  17. The apparatus according to claim 14, wherein the first network element is a first gateway deployed on a first network side and the second network element is a second gateway deployed on a second network side, and the apparatus further comprises:
    a first request unit configured to, on receiving a first registration request initiated by a user equipment attaching to the network, send an authentication management function (AMF) discovery request to the network element registration function entity to find the AMF serving the user equipment's access.
  18. The apparatus according to claim 17, further comprising:
    a third receiving unit configured to receive the first registration request forwarded by the first communication network element and prepare to establish an IP security tunnel;
    a first parsing unit configured to send a gateway discovery request to the network element registration function entity, the gateway discovery request containing an AMF IP address parsed from the first registration request; and
    a first information receiving unit configured to receive, from the network element registration function entity, a second gateway IP address associated with the AMF IP address;
    wherein the tunnel establishment unit is further configured to establish the IP security tunnel with the second gateway according to the second gateway IP address.
  19. The apparatus according to claim 14, wherein the first network element is integrated into a first communication network element and the second network element is a second gateway deployed on a second network side, and the apparatus further comprises:
    a second request unit configured to, on receiving a first registration request initiated by a user equipment attaching to the network, send an authentication management function (AMF) discovery request to the network element registration function entity to find the AMF serving the user equipment's access.
  20. The apparatus according to claim 19, further comprising:
    a first start-up unit configured to start the first network element function and prepare to establish an IP security tunnel;
    a second parsing unit configured to send a gateway discovery request to the network element registration function entity, the gateway discovery request containing an AMF IP address parsed from the first registration request; and
    a second information receiving unit configured to receive, from the network element registration function entity, a second gateway IP address associated with the AMF IP address;
    wherein the tunnel establishment unit is further configured to establish the IP security tunnel with the second gateway according to the second gateway IP address.
  21. The apparatus according to claim 14, wherein the first network element is a first gateway deployed on a first network side and the second network element is a second gateway deployed on a second network side, and the apparatus further comprises:
    a first slice generation unit configured to orchestrate a network slice and instantiate a new network element to obtain a third gateway, the third gateway being deployed in the network slice.
  22. The apparatus according to claim 21, further comprising:
    a third request unit configured to, after receiving an uplink data packet, determine whether to establish an IP security tunnel and, when it determines that an IP security tunnel is to be established, send a gateway discovery request to the network element registration function entity, the gateway discovery request containing destination IP address information parsed from the uplink data packet; and
    a third information receiving unit configured to receive, from the network element registration function entity, a third gateway IP address associated with the destination IP address information;
    wherein the tunnel establishment unit is further configured to establish the IP security tunnel with the third gateway according to the third gateway IP address.
  23. The apparatus according to claim 14, wherein the first network element is integrated into a first communication network element and the second network element is a second gateway deployed on a second network side, and the apparatus further comprises:
    a second slice generation unit configured to orchestrate a network slice and instantiate a new network element to obtain a third gateway, the third gateway being deployed in the network slice.
  24. The apparatus according to claim 23, further comprising:
    a fourth request unit configured to send a gateway discovery request to a network element registration function entity during an N4 session establishment procedure and, after the N4 session has been established, return the IP address of the third gateway to the authentication management function (AMF); and
    a fourth information receiving unit configured to receive the IP address of the third gateway;
    wherein the tunnel establishment unit is further configured to establish the IP security tunnel with the third gateway according to the third gateway IP address.
  25. The apparatus according to claim 14, wherein the first network element is a first gateway deployed on a first network side and the second network element is a second gateway deployed on a second network side, and the apparatus further comprises:
    a fifth request unit configured to send a first registration request to the network element registration function entity; and
    a second start-up unit configured to have the establishment of the IP security tunnel triggered by a network element management function entity after the second gateway has registered with the network element registration function entity.
  26. The apparatus according to claim 25, wherein the tunnel establishment unit is further configured to, after the first gateway has obtained the IP address of the second gateway, establish the IP security tunnel with the second gateway according to the second gateway IP address.
  27. A data protection apparatus, comprising:
    a memory storing a computer program; and
    a processor configured to execute the computer program to implement the method according to any one of claims 1 to 13.
  28. A computer storage medium storing a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 13.
PCT/CN2019/098894 2018-08-03 2019-08-01 Data protection method, apparatus and computer storage medium WO2020025028A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810880301.6A CN110798437B (zh) 2018-08-03 2018-08-03 Data protection method, apparatus and computer storage medium
CN201810880301.6 2018-08-03

Publications (1)

Publication Number Publication Date
WO2020025028A1 true WO2020025028A1 (zh) 2020-02-06

Family

ID=69231466

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/098894 WO2020025028A1 (zh) 2018-08-03 2019-08-01 Data protection method, apparatus and computer storage medium

Country Status (2)

Country Link
CN (1) CN110798437B (zh)
WO (1) WO2020025028A1 (zh)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114554598A (zh) * 2020-11-12 2022-05-27 中国移动通信有限公司研究院 Packet processing method, apparatus, device and readable storage medium
WO2023094009A1 (en) * 2021-11-29 2023-06-01 Nokia Technologies Oy Method, apparatus and computer program
WO2023116638A1 (zh) * 2021-12-21 2023-06-29 中兴通讯股份有限公司 Slice configuration method, system, server and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116156492A (zh) * 2021-11-22 2023-05-23 华为技术有限公司 Secure tunnel establishment method, apparatus and communication system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005495A (zh) * 2006-01-18 2007-07-25 华为技术有限公司 Processing method for ensuring information security in a communication system
CN101645814A (zh) * 2008-08-04 2010-02-10 上海华为技术有限公司 Method, device and system for an access point to access a mobile core network
CN102724102A (zh) * 2011-03-29 2012-10-10 华为技术有限公司 Method, device and communication system for establishing a connection with a network management system
CN104469772A (zh) * 2014-12-29 2015-03-25 迈普通信技术股份有限公司 Network node device authentication method, apparatus and authentication system
US20170295529A1 (en) * 2016-04-08 2017-10-12 Electronics And Telecommunications Research Institute Non-access stratum based access method and terminal supporting the same
CN107707381A (zh) * 2017-08-04 2018-02-16 北京天元创新科技有限公司 Intelligent slice management system and method for virtual network elements

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104168173B (zh) * 2010-08-20 2018-01-16 华为技术有限公司 Method, apparatus and network system for a terminal to traverse a private network and communicate with a server in an IMS core network
EP2533466B1 (en) * 2011-06-08 2020-03-04 Alcatel Lucent Method and apparatus for providing network access to a user entity
US9191985B2 (en) * 2011-11-09 2015-11-17 Verizon Patent And Licensing Inc. Connecting to an evolved packet data gateway
CN102711106B (zh) * 2012-05-21 2018-08-10 中兴通讯股份有限公司 Method and system for establishing an IPSec tunnel
CN108323245B (zh) * 2017-06-19 2021-02-12 华为技术有限公司 Registration and session establishment method, terminal and AMF entity

Also Published As

Publication number Publication date
CN110798437A (zh) 2020-02-14
CN110798437B (zh) 2023-02-21

Similar Documents

Publication Publication Date Title
US11979798B2 (en) Session establishment to join a group communication
US11659097B2 (en) Charging policy information for a packet data unit session of a wireless device
US10855851B2 (en) Charging control with SMF
US11729712B2 (en) Network slice isolation information of at least one network slice for a wireless device
US11909907B2 (en) Charging policy information for a home session management function
WO2020025028A1 (zh) Data protection method, apparatus and computer storage medium
US10505718B1 (en) Systems, devices, and techniques for registering user equipment (UE) in wireless networks using a native blockchain platform
US11805409B2 (en) System and method for deriving a profile for a target endpoint device
TW202133587A (zh) Method, apparatus and system for updating an anchor key in a communication network for secure communication with application services
WO2022159725A1 (en) Federated identity management in fifth generation (5g) system
EP3850906B1 (en) Registration of legacy fixed network residential gateway (fn-rg) to a 5g core network
CN114726523B (zh) Cryptographic application service system and quantum security capability open platform
WO2009012675A1 (fr) Access network gateway, terminal, method and system for establishing a data connection
WO2021247725A1 (en) Network slice specific authentication and authorization
KR20220128993A (ko) Method, device and system for anchor key generation and management in a communication network for encrypted communication with service applications
WO2022078214A1 (zh) Subscription data update method, apparatus, node and storage medium
WO2020093834A1 (zh) Data security implementation method and related device
WO2012129934A1 (zh) Authentication method, apparatus and system for implementing CDN interworking
CN114097261B (zh) Dynamic allocation of network slice-specific credentials
Kukliński et al. 5g-enabled defence-in-depth for multi-domain operations
WO2023246753A1 (zh) Communication method and apparatus
US12132732B2 (en) Dynamic allocation of network slice-specific credentials
WO2022027529A1 (zh) Slice authentication method and apparatus
WO2022151464A1 (en) Method, device, and system for authentication and authorization with edge data network
WO2023011158A1 (zh) Certificate management method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19844329

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 18/06/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19844329

Country of ref document: EP

Kind code of ref document: A1