WO2020034864A1 - 一种用户面安全策略实现方法、装置及系统 - Google Patents
一种用户面安全策略实现方法、装置及系统 Download PDFInfo
- Publication number
- WO2020034864A1 WO2020034864A1 PCT/CN2019/099309 CN2019099309W WO2020034864A1 WO 2020034864 A1 WO2020034864 A1 WO 2020034864A1 CN 2019099309 W CN2019099309 W CN 2019099309W WO 2020034864 A1 WO2020034864 A1 WO 2020034864A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user plane
- plane security
- information
- pdu session
- application
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
- H04W76/12—Setup of transport tunnels
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L5/00—Arrangements affording multiple use of the transmission path
- H04L5/003—Arrangements for allocating sub-channels of the transmission path
- H04L5/0053—Allocation of signaling, i.e. of overhead other than pilot signals
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
- H04L67/61—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources taking into account QoS or priority requirements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/164—Adaptation or special uses of UDP protocol
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/14—Backbone network devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W92/00—Interfaces specially adapted for wireless communication networks
- H04W92/16—Interfaces between hierarchically similar devices
- H04W92/24—Interfaces between hierarchically similar devices between backbone network devices
Definitions
- the present application relates to the field of wireless communication technologies, and in particular, to a method, a device, and a system for implementing a user plane security policy.
- the terminal may select a packet data unit (PDU) session for transmitting an application data packet according to an application transmission requirement. If the PDU session established by the terminal does not have a PDU session that meets the application transmission requirements, the terminal may request to establish a new PDU session to meet the transmission requirements of the application.
- PDU packet data unit
- an application needs to encrypt data packets and protect integrity, or only needs to encrypt data packets, or only needs to protect integrity of data packets.
- the user plane security policy of the application is not considered.
- a network device executes a security policy
- a corresponding user plane security policy is set for a PDU session.
- the user plane security policy is based on the slice and the data network (DN) of the PDU session. definite.
- the data packets transmitted on the PDU session all use the same user plane security policy, and do not consider the requirements of different applications.
- application A has implemented encryption at the application layer. If the network device performs encryption again, it will increase unnecessary load and delay.
- application B has a high requirement for delay, and integrity protection of data packets will cause a relatively large delay, resulting in policy conflicts.
- the present application provides a method, device, and system for implementing a user plane security policy, which are used to implement meeting user plane requirements of an application.
- an embodiment of the present application provides a method for implementing a user plane security policy, including:
- the terminal device receives user plane security instruction information sent by the network device, and the user plane security instruction information is used to indicate the user plane security attribute requirements of the application.
- the terminal device associates or establishes a PDU session according to the user plane security requirements.
- the terminal when the terminal selects an associated PDU session for the application according to the user plane security instruction information of the application, the user plane security attribute requirements of the application are considered, so that the associated PDU session meets the user plane security attribute requirements of the application, which helps To avoid unnecessary security protection or security protection does not meet the needs of the application.
- the terminal device when the terminal device establishes a PDU session according to a user plane attribute requirement, when there is no PDU session in the established PDU session that satisfies the user plane security attribute requirement of the above application, the terminal device sends The PDU session establishment request information is used to request to establish a PDU session that meets the user plane security attribute requirements of the application.
- the terminal device requests to establish a PDU session according to the user plane security attribute and associates the application with the established PDU session, so that the associated PDU session can meet the user plane security attribute requirements of the application.
- the PDU session establishment request information includes a user plane security parameter determined according to the user plane security instruction information.
- the terminal device when the terminal device associates the PDU session according to the user plane attribute requirement, when there is a first PDU session in the established PDU session that meets the user plane security attribute requirement of the application, the terminal device Data of the application is transmitted in the first PDU session.
- the above-mentioned user plane security indication information is carried in a user equipment routing policy (UE routing selection policy, URSP) and sent to the terminal device.
- UE routing selection policy UE routing selection policy
- the terminal device selects a PDU session according to the URSP, and carries the user-plane security instruction information of the application in the URSP, which makes minor changes to the existing protocol and is easy to implement.
- an embodiment of the present application provides a method for implementing a user plane security policy, including:
- the policy control function (policy control function, PCF) sends user plane security instruction information, and the user plane security instruction information is used for the terminal device to associate or establish a PDU session.
- the user plane security instruction information sent by the PCF may be sent to the terminal device via other network elements, so that the terminal device associates the PDU session according to the user plane security instruction information, so that the associated PDU session and the user plane security attribute of the application The needs match.
- the above method further includes: the PCF receives a policy rule request sent by a session management function (SMF), the request includes user plane security parameter information, and the user plane security parameter information It is determined by the terminal device according to the user plane security instruction information of the application.
- the PCF determines user plane security policy information according to the user plane security parameter information, and sends the determined user plane security policy information to the SMF.
- the PCF sends the user plane security parameter information to the SMF, so that the SMF and other network elements can execute the corresponding security policy on the PDU session according to the user plane parameter information to ensure the user plane security attribute requirements .
- the PCF determines user plane security indication information of the application according to the contract information of the terminal device.
- the above-mentioned user plane security indication information is carried in a user equipment routing policy (UE routing selection policy, URSP) and sent to the terminal device.
- UE routing selection policy UE routing selection policy, URSP
- an embodiment of the present application provides a method for implementing a user plane security policy, including: unified data management (UDM) receiving PDU session registration information sent by an SMF, where the registration information includes information from a terminal device User plane security parameters.
- UDM unified data management
- the UDM When the user plane parameter is a parameter that is allowed to be configured for the PDU session of the terminal device, the UDM sends indication information to the SMF to allow establishment of a PDU.
- the UDM When the user plane parameter is not a parameter allowed to be configured for the PDU session of the terminal device, the UDM sends indication information to the SMF to refuse to establish a PDU session.
- the PDU session registration information sent by the SMF includes user plane security parameters, so that the established PDU session can meet the user plane security attribute requirements of the application, and UDM can authenticate the user plane security parameters.
- the parameter is a parameter allowed to be configured for the terminal device PDU session, and it is allowed to establish a PDU session to ensure that the established PDU session is consistent with the contract information of the terminal device.
- an embodiment of the present application provides a method for implementing a user plane security policy, including: a PCF receiving user plane security attribute requirement information of an application sent by an application function (AF), and the user plane security attribute requirement information It is used to indicate the user plane security attribute requirements of the application; the PCF sends service plane data (service data flow (SDF)) user plane security parameter information to the SMF, and the user plane security parameter information of the SDF is based on the user of the application
- SDF service data flow
- the PCF can obtain the user plane security attribute requirement information of the application from the AF, and send it to the SMF, so that the SMF can bind the QoS flow according to the application user plane security attribute requirement, thereby satisfying the application user plane security Property requirements.
- an embodiment of the present application provides a method for implementing a user plane security policy, including: SMF receiving a user plane security parameter of an SDF sent by a PCF, and the user plane security parameter information of the SDF is included in policy and charging control (In the policy and control (PCC) rule, the user plane security parameter information of the SDF is determined according to the user plane security attribute requirements of the application, and the user plane security parameter information is used to indicate the user plane security parameters; the SMF is based at least on the The user plane security parameters of the SDF are bound to the PCC and the QoS flow.
- PCC policy and control
- the SMF when there is a first QoS flow in the established QoS flow that meets the security parameters of the user plane, the SMF performs a quality of service flow QoS flow with the application SDF and the first Q Binding oS flow for binding; and / or, when there is no first QoS flow that meets the user plane security parameters in the established QoS flow, the SMF requests establishment of a second QoS flow, and the second QoS flow Meet the user plane security parameters.
- the PCC rules received by the SMF include user plane security parameter information, so that the SMF can bind QoS flow according to the user plane security instruction information of the application, that is, the SDF of the application and the user plane security that can meet its user plane security
- the QoS flow of attribute requirements is bound to meet the user plane security attribute requirements of the application.
- an embodiment of the present application provides a terminal device, including a processor, a memory, and a communication interface, for implementing the method according to any one of the first aspect.
- an embodiment of the present application provides a PCF, including a processor, a memory, and a communication interface, for implementing the method according to any one of the second aspect.
- an embodiment of the present application provides a UDM, including a processor, a memory, and a communication interface, for implementing the method according to any one of the third aspects.
- an embodiment of the present application provides a PCF, including a processor, a memory, and a communication interface, for implementing the method according to any one of the fourth aspect.
- an embodiment of the present application provides an SMF, including a processor, a memory, and a communication interface, for implementing the method according to any one of the fifth aspect.
- an embodiment of the present application provides a communication system, including the terminal device according to any one of the sixth aspects, the PCF according to any one of the seventh aspects, and the device according to any one of the eighth aspects. Described UDM.
- An embodiment of the present application provides a communication system, including the PCF according to any one of the ninth aspects and the SMF according to any one of the tenth aspects.
- an embodiment of the present application provides a computer-readable storage medium.
- the computer-readable storage medium stores computer instructions.
- the instructions When the instructions are run on a computer, the computer executes the operations as described in the first to fifth aspects.
- FIG. 1 is a QoS architecture provided by an embodiment of this application.
- FIG. 3 (a)-(f) are schematic diagrams of a network architecture applicable to embodiments of the present application.
- FIG. 4 is a schematic flowchart of a method for implementing a user plane security policy according to an embodiment of the present application
- 5 and 6 are schematic flowcharts of a specific embodiment provided by an embodiment of the present application.
- FIG. 7 is a schematic flowchart of another method for implementing a user plane security policy according to an embodiment of the present application.
- FIG. 8 is a schematic flowchart of another specific embodiment according to an embodiment of the present application.
- FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
- FIG. 10 is a schematic structural diagram of another terminal device according to an embodiment of the present application.
- FIG. 11 is a schematic structural diagram of a PCF according to an embodiment of the present application.
- a terminal device can establish one or more packet data unit (PDU) sessions with the 5G core network, and a radio access network (RAN) establishes one or more data for each PDU session.
- a DRB contains one or more QoS flows.
- QFI QoS flow identifier
- QFI uniquely identifies a QoS in a PDU session. flow.
- Data packets transmitted using the same QoS flow are processed using the same transmission, such as scheduling and admission threshold.
- the radio access network controls the granularity of PDU sessions for user plane security.
- the process of establishing a PDU session can be shown in FIG. 2 and includes the following steps:
- Step 201 The terminal sends a PDU session establishment request to the AMF.
- Step 202 AMF selects SMF.
- Step 203 The AMF sends a PDU session establishment request to the selected SMF.
- Step 204 The SMF performs registration in the UDM, and obtains from the UDM the DN where the PDU session requested to be established is located, and the contract information of the network slice.
- the contract information includes user plane security policies.
- Step 205 The SMF sends a PDU session establishment request response to the AMF, and the response is used to indicate whether the establishment of a PDU session is allowed. If a PDU session is refused to be established, the response may carry the reason for the refusal to be established.
- Step 206 Authentication / authorization of the PDU session.
- Step 207 The SMF selects a PCF.
- the SMF requests the selected PCF to obtain the PCC rules of the PDU session.
- the SMF may obtain the dynamic user plane security policy of the PDU session from the PCF.
- Step 208 The SMF selects UPF.
- Step 209 The SMF reports session-related information to the PCF, such as information about the terminal's IP address, IP prefix, and trigger conditions.
- Step 210 The SMF sends tunnel information, PCC rule information, and the like to the UPF.
- Step 211 The SMF sends a PDU session identifier (PDU ID), session management information (N2 SM information) on the N2 interface, and a session management container (N1SM container) on the N1 interface to the AMF.
- PDU ID PDU session identifier
- N2 SM information session management information
- N1SM container session management container
- the target receiver of N2 SM information is RAN, which is forwarded by AMF; the target receiver of N2 SM information is terminal, which is transparently transmitted to the terminal by AMF and RAN.
- N2SM Information includes user plane policy enforcement (user plane policy enforcement).
- Step 212 The AMF sends a PDU session request to the RAN, and the request includes N2 SM information and non-access stratum (NAS) messages.
- N2SM Information includes user and plane policy enforcement.
- Steps 213 to 220 are other steps in the process of establishing a PDU session, which are not related to the embodiments of the present application, and will not be described in detail this time. For details, refer to related communication protocols.
- the security policy implemented by the RAN only considers the DN and network slice subscription information, and does not consider the user of the application General security attribute requirements.
- some applications may have implemented encryption at the application layer. If the network device is encrypted again, it will increase unnecessary load and delay. Or, some applications have higher delay requirements. If the network device performs data packets on the application, Integrity protection (this process takes a long time), then the data packet will have a large delay.
- embodiments of the present application provide a method and device for implementing a user plane security policy, which are used to implement meeting user plane requirements of an application.
- the method for implementing a user plane security policy provided by the embodiment of the present application can be applied to the non-roaming network architecture shown in FIG. 3 (a) and FIG. 3 (b), and also can be applied to FIG. 3 (c) and FIG. 3 (
- the local breakout roaming scenario shown in d) can also be applied to the home routed roaming scenario shown in FIG. 3 (e) and FIG. 3 (f).
- (R) AN It is mainly used to control the terminal to wirelessly access the mobile communication network.
- UPF It is mainly used for user plane related functions such as data packet routing and transmission, packet detection, service usage reporting, QoS processing, legal monitoring, uplink packet detection, and downlink data packet storage.
- AMF It is mainly used for access and mobility-related functions such as connection management, mobility management, registration management, access authentication and authorization, reachability management, and security context management.
- SMF mainly used for session management (such as session establishment, modification, and release, including tunnel maintenance between UPF and AN, etc.), selection and control of UPF, service and session continuity (SSC) mode selection, Session related features such as roaming.
- session management such as session establishment, modification, and release, including tunnel maintenance between UPF and AN, etc.
- SSC service and session continuity
- PCF It is mainly used for policy-related functions such as unified policy formulation, provision of policy control, and acquisition of contract decision information related to policy decisions from a unified database (UDR).
- UDR unified database
- Network slice selection function mainly used to select a set of network slice instances for the terminal, determine the network slice selection assistance information (NSSAI), and determine the AMF set that can serve the terminal Wait.
- NSSAI network slice selection assistance information
- NF Network Storage Function
- NRF Network Storage Function
- Application function Interaction with 3GPP core network to provide services or services, including interaction with network open function (NEF), policy framework interaction, etc.
- NEF network open function
- policy framework interaction etc.
- NEF It is mainly used for secure services and capabilities provided by open 3GPP network functions, including internal openness and openness to third parties. Transform or translate information interacting with AF and information interacting with internal network functions, such as AF service identification and 5G core network information, such as data network name (DNN), and unit network slice selection assistance information (single network network selection selection information) information, S-NSSAI).
- AF service identification and 5G core network information such as data network name (DNN), and unit network slice selection assistance information (single network network selection selection information) information, S-NSSAI).
- UDM It is mainly used to support authentication credential processing, user identity processing, access authorization, registration and mobility management, contract management, short message management, etc. in 3GPP authentication and key agreement mechanisms.
- Authentication server function It is mainly used to interact with the UDM to obtain user information and perform authentication-related functions, such as generating intermediate keys.
- FIGS. 3 (a) to 3 (f) are merely examples and do not constitute a limitation on the embodiments of the present application.
- the network architectures applicable to the embodiments of the present application may include More or fewer network elements.
- FIG. 4 a schematic flowchart of a method for implementing a user plane security policy according to an embodiment of the present application. As shown in the figure, the method may include the following steps:
- Step 401 The PCF sends user plane security instruction information of the application, where the user plane security instruction information is used to indicate a user plane security attribute requirement of the application, so that the terminal device associates or establishes a PDU session according to the user plane security attribute requirement of the application.
- the PCF can obtain the user plane security attribute requirements of the contracted application in advance.
- both application A and application B have contracted with the operator, and the user plane security attribute requirements of the application A obtained by the PCF are :
- the data packet of Application A needs to be integrity protected and encrypted.
- the obtained user plane security attributes of Application B are:
- the data packet of Application B needs to be encrypted.
- the user plane security indication information of the application sent by the PCF is determined according to the contract information of the terminal device.
- the PCF can obtain the contract information of the terminal device in advance, and the acquired contract information of the terminal device can add the user plane security attribute requirements of the application.
- the PCF determines the user plane security indication information according to the acquired user plane security attribute requirements.
- the PCF may carry the user plane security attribute requirements of the application in a URSP and send it to the terminal device.
- the terminal device determines whether the detected application can be associated with an established PDU session, whether it can be offloaded to non-3GPP access outside the PDU session, or whether it can trigger the establishment of a new PDU session.
- URSP can include one or more URSP rules, as shown in Table 1.
- the user plane security indication is added in the embodiment of the present application, and is used to indicate the user plane security attribute requirements of the application. It should be understood that the information contained in the URP shown in Table 1 is only an example. In actual application, the URP may include more information or less information than Table 1. For example, although the user plane security instruction information in Table 1 is only used to indicate whether integrity protection or encryption protection is required, in actual use, the user plane security instruction information can also be used to indicate that integrity protection and encryption protection are required, or You can also indicate the need for additional security protection.
- the user plane security instruction information is carried in the URSP and sent to the terminal device, and there are minor changes to the existing protocol.
- the user plane security instruction information may be carried in other messages and sent to the terminal.
- the URSP may include user plane security instruction information of all or part of the applications that have been contracted, regardless of whether the terminal device is installed with an application corresponding to the user plane security instruction information in the USRP for the terminal device to download After installing these applications, you can associate or establish a PDU session according to the corresponding user-plane security instructions.
- the PCF may also obtain in advance which signed applications are installed on the terminal, and the user plane security instruction information of these applications is carried in the URSP and sent.
- Step 402 After receiving the user plane security instruction information sent by the PCF, the AMF may send the user plane security instruction information to the terminal.
- Step 403 The terminal device manages to establish a PDU session according to user plane security attribute requirements.
- the terminal device if there is no PDU session that meets the user plane security attribute requirements of the application in the established PDU session, the terminal device sends a PDU session establishment request for requesting to establish a PDU session that meets the user plane security attribute requirements of the application. PDU session.
- the PDU session establishment request sent by the terminal device includes: a user plane security parameter determined according to the user plane security instruction information.
- the meaning of the user plane security parameter generated by the terminal device is consistent with the meaning of the user plane security attribute requirement of the application indicated by the PCF. For example, if the user plane security instruction information of the application indicated by the PCF indicates that integrity protection is required, Then the user plane security parameter determined by the terminal device according to the user plane security indication information also indicates that integrity protection is required, but because of different signaling, the field that requires integrity protection and the value of this field may be slightly different.
- the terminal device can also generate user-plane security parameters based on the user-plane security instruction information and other information. For example, if the terminal device itself still has some security attribute requirements, then the terminal device needs its own security attribute requirements and the user-plane security requirements of the application.
- the generated user plane security parameters may also have different meanings from the user plane security instruction information sent by the PCF.
- the AMF selects the SMF and sends a PDU session establishment request to the selected SMF.
- the request carries the above user plane security. parameter.
- the SMF may then send the PDU session registration information to the UDM, where the registration information includes the above-mentioned user plane security parameters.
- the UDM determines whether the user plane security parameters included in the PDU session registration information are PDU session configuration parameters that allow the terminal device to be configured.
- the UDM can report to the SMF Sending instructions that allow the establishment of a PDU session; when the user plane security parameters included in the PDU session registration information are deployed to allow the terminal device to configure the PDU session configuration parameters, the UDM can send instructions to the SMF to refuse to establish a PDU session.
- the SMF may generate a policy rule request to the PCF to request the PCF to send the PCC rule of the PDU session requested to be created, and the request also includes the above-mentioned user plane security parameters.
- the PCF determines the user plane security policy information of the PDU session according to the user plane security parameters, and sends the determined user plane security policy information to the SMF.
- the terminal device may associate the first PDU session with the application, that is, in the first The data of the application is transmitted in a PDU session.
- the terminal when the terminal selects an associated PDU session for the application according to the user plane security indication information of the application sent by the PCF, the user plane security attribute requirements of the application are considered, so that the associated PDU session and the user plane security attribute of the application The requirements are consistent, and applications related to the same PDU session have the same user plane security attribute requirements, which avoids the situation where the user plane security attributes of the PDU session do not match the application.
- FIG. 5 exemplarily shows a schematic diagram of a URSP delivery process. As shown in the figure, the process may include the following steps:
- Step 501 The PCF sends the URSP to the AMF.
- the URSP contains user plane security indication information of the application A determined by the PCF according to the contract information.
- Step 502 The AMF transparently transmits the URSP to the terminal device.
- URSP contains the above user, plane, and security indications.
- Step 503 The terminal device sends a response to the AMF, indicating that the URP was successfully received.
- Step 504 The AMF reports to the PCF that the terminal successfully receives the URSP event.
- the PCF may return an event report response to the AMF.
- FIG. 6 illustrates a schematic diagram of a PDU session establishment process. As shown in the figure, the process may include the following steps:
- Step 601 The terminal device sends a PDU session establishment request to the AMF.
- the terminal device generates a user plane security parameter according to the user plane security instruction information of the application A, and carries the parameter in a PDU home establishment request to request the establishment of a PDU session that meets the user plane security attribute requirements of the application A.
- Step 602 AMF selects SMF.
- Step 603 The AMF sends a PDU session establishment request to the selected SMF.
- the request includes the above-mentioned user plane security parameters.
- Step 604 The SMF sends PDU session registration information to the UDM.
- the registration information includes the above-mentioned user plane security parameters.
- Step 605 If the UDM determines that the user plane security parameters included in the registration information are PDU session configuration parameters that allow the terminal device to configure, it returns a registration response to the SMF indicating that the PDU session is allowed to be established.
- the UDM sends an indication to the SMF to refuse to establish the PDU session.
- the indication information may further include a reason for rejection, that is, the user plane security parameter is not allowed.
- Step 606 The SMF sends a PDU session establishment request response to the AMF.
- the response instructs the AMF to refuse to establish the PDU session.
- the response may further include the reason for the rejection.
- Step 607 Authentication / authorization of the PDU session.
- Step 608 The SMF selects the PCF.
- the SMF requests the selected PCF to obtain the PCC rules of the PDU session, and the request includes the above-mentioned user plane security parameters.
- Step 609 The PCF determines a user plane security policy that authorizes the PDU session according to the user plane security parameters, and sends the user plane security policy to the SMF.
- an embodiment of the present application further provides a method for implementing a user plane security policy, which is used to implement meeting a user plane requirement of an application.
- a schematic flowchart of the method can be shown in FIG. 7 and includes the following steps:
- Step 701 The PCF receives user plane security attribute requirement information of the application sent by the AF, and the user plane security attribute requirement information is used to indicate the user plane security attribute requirement of the application.
- the user plane security attribute requirements of the application can be added to the application information or service information, so that the PCF is based on the user of the application Generating PCC rules for security attribute requirements.
- Step 702 The PCF sends the user plane security parameter information of the application to the SMF, or sends the user plane security parameter information of the SDF of the application to the SMF.
- the user plane security parameter information is used to indicate user plane security parameters.
- the user plane security parameter information is determined according to the user plane security attribute requirements of the application, and is carried in the PCC rule and sent to the SMF.
- Step 703 After receiving the user plane security parameter information sent by the PCF, the SMF binds the PCC and the QoS flow according to the user plane security parameter information.
- the binding mechanism associates SDF (defined by the SDF template in the PCC rule) with QoS. Specifically, it includes session binding, PCC rule authentication, and QoS flow binding. Among them, the QoS flow binding corresponds to the PCC rules and QoS flow, and is executed by the SMF.
- the SMF binds the applied SDF to the first QoS flow; and / or, if it determines that the If there is no first QoS flow that meets user-plane security parameters in the QoS flow, the SMF requests establishment of a second QoS flow, requests establishment of a second QoS flow, and establishes the above-mentioned PCC and second QoS flow binding.
- Two QoS flows conform to the above-mentioned user plane security parameters.
- the implemented user plane security control policy is QoS flow granularity, that is, the user plane security parameters of SDFs bound to the same QoS flow are the same, and different QoS flows in the same PDU session can correspond Different user plane security parameters.
- FIG. 8 exemplarily illustrates a flowchart of a method for implementing a user plane security policy. As shown in the figure, the method may include the following steps:
- Step 801a The AF provides the user plane security attribute requirements of the application to the PCF.
- Step 801b The CHF sends an overhead limit report to the PCF.
- Step 801c The UDR sends a notification to the PCF.
- Step 801d an internal event occurs.
- Step 802 The overhead limit report is resumed.
- steps 801 to 802 are all steps that may trigger the PCF to make a strategic decision, and step 801 is a step closely related to the embodiment of the present application.
- Step 803 The PCF makes a policy decision according to the user plane security attribute requirements.
- Step 804 The PCF sends a PCC rule to the SMF.
- the PCC rule includes a user plane security parameter (user plane security parameter) determined according to the user plane security requirements, indicating a user plane security tendency of an SDF or an application data stream.
- Step 805 The SMF sends a PCC rule response to the PCF.
- Step 806 The SMF performs QoS flow binding for the SDF of the application according to the user plane security parameters, that is, the QoS flow used to transmit the application data packet is a QoS flow that meets the user plane security parameters.
- an embodiment of the present application further provides a terminal device, which is used to implement the functions of the terminal device in the foregoing method embodiments.
- the terminal device may include a receiving unit 901 and a processing unit 902, and may further include a sending unit 903.
- the receiving unit 901 is configured to receive user plane security instruction information sent by a network device, where the user plane security instruction information is used to indicate a user plane security attribute requirement of an application.
- the processing unit 902 associates or establishes a packet data unit PDU session according to the user plane security attribute requirement.
- the processing unit 902 is specifically configured to: when the established PDU session does not exist a PDU session that satisfies the user plane security attribute requirements of the application, control the sending unit 903 to send the PDU session establishment Request information is used to request to establish a PDU session that meets the user plane security attribute requirements of the application.
- the PDU session establishment request information includes a user plane security parameter determined according to the user plane security indication information.
- the processing unit 902 is specifically configured to control the sending unit 903 and the receiving unit 901 when a first PDU session that satisfies a user plane security attribute requirement of the application exists in the established PDU session.
- the data of the application is transmitted in the first PDU session.
- the embodiment of the present application further provides a PCF, which is used to implement the function of the PCF in the foregoing method embodiment.
- the PCF may include a sending unit, and may further include a processing unit and a receiving unit, and its structure is similar to that shown in FIG. 9.
- the sending unit is configured to send user plane security instruction information of the application, and the user plane security instruction information is used for the terminal device to associate or establish a PDU session.
- the receiving unit is configured to receive a policy rule request sent by the session management function SMF, where the request includes user plane security parameter information, and the user plane security parameter information is obtained by the terminal device according to the Determined by the application's security instructions.
- a processing unit configured to determine user plane security policy information according to the user plane security parameter information
- the sending unit is configured to send the determined user plane security policy information to the SMF.
- the user plane security indication information of the application is determined by the PCF according to the contract information of the terminal device.
- the embodiments of the present application further provide a UDM, which is used to implement the functions of the UDM in the foregoing method embodiments.
- the UDM may include a receiving unit, a processing unit, and a sending unit, and its structure is similar to that shown in FIG. 9.
- the receiving unit is configured to receive PDU session registration information sent by the SMF, where the registration information includes user plane security parameters from the terminal device.
- a processing unit configured to: when the user plane security parameter is a parameter allowed to be configured for the PDU session of the terminal device, control the sending unit to send an indication to the SMF that the information allows the establishment of a PDU session; when the user plane security parameter is It is not a parameter that is allowed to be configured for the PDU session of the terminal device, and controls to send to the SMF indication information for refusing to establish a PDU session.
- an embodiment of the present application further provides a terminal device, which includes a processor 1001, a memory 1002, and a communication interface 1003, and may further include a communication bus 1004, as shown in FIG.
- the memory 1002 is used to store a program.
- the processor 1001 calls a program stored in the memory 1002 to execute:
- the processor 1001 is specifically configured to:
- the PDU session establishment request information is sent through the communication interface 1003 for requesting establishment of a user plane security attribute satisfying the application.
- the required PDU session is sent through the communication interface 1003 for requesting establishment of a user plane security attribute satisfying the application.
- the PDU session establishment request information includes a user plane security parameter determined according to the user plane security indication information.
- the processor 1001 is specifically configured to:
- the embodiment of the present application provides a PCF, which includes: a processor, a memory, and a communication interface; its structure is similar to that shown in FIG. 10.
- the memory is used to store a program
- the processor calling a program stored in the memory to execute:
- the user plane security instruction information of the application is sent through the communication interface, and the user plane security instruction information is used for the terminal device to associate or establish a PDU session.
- the processor is further configured to:
- the request includes user plane security parameter information, and the user plane security parameter information is obtained by the terminal device according to the application's user interface security instruction information. determine;
- the user plane security indication information of the application is determined by the PCF according to the contract information of the terminal device.
- a UDM including: a processor, a memory, and a communication interface
- the memory is used to store a program
- the processor calling a program stored in the memory to execute:
- the user plane security parameter is a parameter that is allowed to be configured for the PDU session of the terminal device, sending information to the SMF through the communication interface to indicate information allowing the establishment of a PDU session;
- the SMF sends, through the communication interface, indication information for refusing to establish a PDU session.
- An embodiment of the present application further provides a communication system, including any one of the terminal devices, any PCF, and UDM.
- the embodiment of the present application further provides a PCF, which is used to implement the function of the PCF in the foregoing method embodiment.
- the PCF may include a receiving unit 1101 and a sending unit 1102, and its structure is shown in FIG. 11.
- the receiving unit 1101 is configured to receive user plane security attribute requirement information of an application sent by the application function AF, and the user plane security attribute requirement information is used to indicate the user plane security attribute requirement of the application.
- the sending unit 1102 is configured to send user plane security parameter information of the SDF to the session management function SMF, and the user plane security parameter information of the SDF is determined according to a user plane security attribute requirement of the application.
- the embodiments of the present application further provide an SMF, which is used to implement the functions of the SMF in the foregoing method embodiments.
- the PCF may include a receiving unit and a processing unit, and may further include a sending unit, and its structure is similar to that shown in FIG. 9.
- the receiving unit is configured to receive user plane security parameter information of the SDF sent by the policy control function PCF.
- the user plane security parameter information of the SDF is included in the PCC.
- the user plane security parameter information of the SDF is based on the user plane security attribute requirements of the application. It is determined that the user plane security parameter information is used to indicate a user plane security parameter.
- the processing unit is configured to bind the PCC and the quality of service flow QoS flow according to at least the user plane security parameters of the SDF.
- the processing unit is specifically configured to:
- the embodiment of the present application further provides a PCF, including: a processor, a memory, and a communication interface, for implementing the functions of the PCF in the foregoing method embodiment, and the structure is similar to that shown in FIG. 10.
- a PCF including: a processor, a memory, and a communication interface, for implementing the functions of the PCF in the foregoing method embodiment, and the structure is similar to that shown in FIG. 10.
- the memory is used to store a program
- the processor calling a program stored in the memory to execute:
- the user plane security parameter information of the SDF is sent to the session management function SMF through the communication interface, and the user plane security parameter information of the SDF is determined according to a user plane security attribute requirement of the application.
- an embodiment of the present application further provides an SMF, including: a processor, a memory, and a communication interface, which are used to implement the functions of the SMF in the foregoing method embodiment, and its structure is similar to that shown in FIG. 10.
- the memory is used to store a program
- the processor calling a program stored in the memory to execute:
- the user plane security parameter information of the SDF is included in the PCC, and the user plane security parameter information of the SDF is based on the user plane security attribute of the application Determined by requirements, the user plane security parameter information is used to indicate the user plane security parameters;
- At least the PCC and the QoS flow are bound according to the user plane security parameters of the SDF.
- the processor is specifically configured to:
- An embodiment of the present application further provides a communication system including the PCF and any SMF.
- An embodiment of the present application provides a computer-readable storage medium.
- the computer-readable storage medium stores computer instructions, and when the instructions are run on a computer, the computer is caused to execute the terminal device, the PCF, and the UDM in the method embodiment described above. Or SMF functions.
- the embodiment of the present application provides a computer program product containing instructions, which when executed on a computer, causes the computer to execute the functions of the terminal device, PCF, UDM, or SMF in the method embodiment described above.
- This application provides a chip, which is connected to a memory, and is used to read and execute a software program stored in the memory, so as to implement the functions of the terminal device, PCF, UDM, or SMF in the foregoing method embodiments.
- this application may be provided as a method, a system, or a computer program product. Therefore, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
- computer-usable storage media including, but not limited to, disk storage, CD-ROM, optical storage, etc.
- These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner such that the instructions stored in the computer-readable memory produce a manufactured article including an instruction device, the instructions
- the device implements the functions specified in one or more flowcharts and / or one or more blocks of the block diagram.
- These computer program instructions can also be loaded on a computer or other programmable data processing device, so that a series of steps can be performed on the computer or other programmable device to produce a computer-implemented process, which can be executed on the computer or other programmable device.
- the instructions provide steps for implementing the functions specified in one or more flowcharts and / or one or more blocks of the block diagrams.
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
本申请公开了一种用户面安全策略实现方法、装置及系统。在一种方式中,终端装置可以根据网络设备发送的应用的用户面安全指示信息,关联或建立PDU会话;在另一种方式中,PCF将获取到的应用的用户面安全属性需求,携带在PCC规则中发送给SMF,以使SMF根据用户面安全属性需求进行QoS flow绑定。通过上述方法,可以满足应用的用户面安全属性需求。
Description
相关申请的交叉引用
本申请要求在2018年08月13日提交中国专利局、申请号为201810918762.8、申请名称为“一种用户面安全策略实现方法、装置及系统”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
本申请涉及无线通信技术领域,尤其涉及一种用户面安全策略实现方法、装置及系统。
终端可以根据应用的传输需求,选择用于传输该应用数据包的分组数据单元(packet data unit,PDU)会话。若该终端已建立的PDU会话中没有符合该应用传输需要的PDU会话,则终端可以请求建立一个新的PDU会话,以满足该应用的传输需求。
不同的应用,可以有不同的用户面安全策略,例如,一个应用需要对数据包进行加密以及完整性保护,或者仅需要对数据包进行加密即可,或者仅需要对数据包进行完整性保护。
然而,终端在为应用选择PDU会话时,没有考虑应用的用户面安全策略。而网络设备在执行安全策略时,在建立PDU会话时,为一个PDU会话设置了相应的用户面安全策略,该用户面安全策略是根据该PDU会话所在的切片以及数据网络(data network,DN)确定的。在该PDU会话上传输的数据包均使用相同的用户面安全策略,也没有考虑到不同应用的需求。例如,应用A已经在应用层实现了加密,若网络设备再进行加密,则会增加无谓的负载和时延。又例如,应用B对时延要求较高,而对数据包进行完整性保护则会产生相对较大的时延,导致策略冲突。
发明内容
本申请提供一种用户面安全策略实现方法、装置及系统,用于实现满足应用的用户面需求。
第一方面,本申请实施例提供了一种用户面安全策略实现方法,包括:
终端装置接收网络设备发送的用户面安全指示信息,该用户面安全指示信息用于指示应用的用户面安全属性需求。
终端装置根据上述用户面安全需求关联或建立PDU会话。
在上述方法中,终端根据应用的用户面安全指示信息为应用选择关联PDU会话时,考虑了应用的用户面安全属性需求,使得关联的PDU会话与应用的用户面安全属性需求相符合,有助于避免不必要的安全性保护或安全性保护不符合应用的需求。
在一种可能的实现方式中,终端装置在根据用户面属性需求建立PDU会话时,当已建立的PDU会话中不存在满足上述应用的用户面安全属性需求的PDU会话时,所述终端装置发送PDU会话建立请求信息,用于请求建立满足所述应用的用户面安全属性需求的 PDU会话。终端装置根据用户面安全属性请求建立PDU会话,并将该应用于建立的PDU会话相关联,使得关联的PDU会话能够满足应用的用户面安全属性需求。
在一种可能的实现方式中,上述PDU会话建立请求信息中包括根据上述用户面安全指示信息确定出的用户面安全参数。
在一种可能的实现方式中,终端装置在根据用户面属性需求关联PDU会话时,当已建立的PDU会话中存在满足所述应用的用户面安全属性需求的第一PDU会话时,该终端装置在该第一PDU会话中传输所述应用的数据。
在一种可能的实现方式中,上述用户面安全指示信息携带在用户设备路由选择策略(UE route selection policy,URSP)中发送给所述终端装置。终端装置根据URSP选择PDU会话,将应用的用户面安全指示信息携带在URSP中,对现有协议改动较小、易于实现。
第二方面,本申请实施例提供了一种用户面安全策略实现方法,包括:
策略控制功能(policy control function,PCF)发送用户面安全指示信息,所述用户面安全指示信息用于终端装置关联或建立PDU会话。
在上述方法中,PCF发送的用户面安全指示信息可以经由其他网元发送给终端装置,以使终端装置根据该用户面安全指示信息关联PDU会话,使得关联的PDU会话与应用的用户面安全属性需求相符合。
在一种可能的实现方式中,上述方法还包括:PCF接收会话管理功能(session management function,SMF)发送的策略规则请求,所述请求中包括用户面安全参数信息,所述用户面安全参数信息为所述终端装置根据所述应用的用户面安全指示信息确定的。PCF根据所述用户面安全参数信息,确定用户面安全策略信息,并将确定出的用户面安全策略信息发送给所述SMF。PCF在接收到策略规则请求后,将用户面安全参数信息发送给SMF,以使SMF以及其他网元能够根据该用户面参数信息对PDU会话执行相应的安全策略,保证应用的用户面安全属性需求。
在一种可能的实现方式中,PCF根据所述终端装置的签约信息确定所述应用的用户面安全指示信息。
在一种可能的实现方式中,上述用户面安全指示信息携带在用户设备路由选择策略(UE route selection policy,URSP)中发送给所述终端装置。
第三方面,本申请实施例提供了一种用户面安全策略实现方法,包括:统一数据管理(unified data management,UDM)接收SMF发送的PDU会话注册信息,所述注册信息中包括来自终端装置的用户面安全参数。
当所述用户面参数是允许为所述终端装置的PDU会话配置的参数,所述UDM向所述SMF发送允许建立PDU的指示信息。
当所述用户面参数不是允许为所述终端装置的PDU会话配置的参数,所述UDM向所述SMF发送拒绝建立PDU会话的指示信息。
在上述方法中,SMF发送的PDU会话注册信息中包括用户面安全参数,以使建立的PDU会话能够满足应用的用户面安全属性需求,而UDM可以对该用户面安全参数进行鉴权,在该参数为允许为终端装置PDU会话配置的参数,则允许建立PDU会话,以保证建立的PDU会话与该终端装置的签约信息一致。
第四方面,本申请实施例提供了一种用户面安全策略实现方法,包括:PCF接收应用功能(application function,AF)发送的应用的用户面安全属性需求信息,所述用户面安全 属性需求信息用于指示所述应用的用户面安全属性需求;PCF向SMF发送业务数据流(service data flow,SDF)的用户面安全参数信息,所述SDF的用户面安全参数信息是根据所述应用的用户面安全属性需求确定的。
在上述方法中,PCF可以从AF获取应用的用户面安全属性需求信息,并发送给SMF,以使SMF能够根据应用的用户面安全属性需求进行QoS flow的绑定,从而满足应用的用户面安全属性需求。
第五方面,本申请实施例提供了一种用户面安全策略实现方法,包括:SMF接收PCF发送的SDF的用户面安全参数,所述SDF的用户面安全参数信息包含于策略与计费控制(policy and charging control,PCC)规则中,所述SDF的用户面安全参数信息根据应用的用户面安全属性需求所确定,所述用户面安全参数信息用于指示用户面安全参数;SMF至少根据所述SDF的用户面安全参数绑定PCC和服务质量流(QoS flow)。
在一种可能实现方式中,当已建立的QoS flow中存在符合所述用户面安全参数的第一QoS flow,所述SMF将所述应用的SDF与所述第一Q进行服务质量流QoS flow绑定oS flow进行绑定;和/或,当已建立的QoS flow中不存在符合所述用户面安全参数的第一QoS flow,所述SMF请求建立第二QoS flow,所述第二QoS flow符合所述用户面安全参数。
在上述方法中,SMF接收到的PCC规则中包括用户面安全参数信息,使得SMF能够根据应用的用户面安全指示信息进行QoS flow的绑定,即,将应用的SDF与能够满足其用户面安全属性需求的QoS flow进行绑定,从而满足应用的用户面安全属性需求。
第六方面,本申请实施例提供了一种终端装置,包括处理器、存储器和通信接口,用于实现如第一方面中任一项所述方法。
第七方面,本申请实施例提供了一种PCF,包括处理器、存储器和通信接口,用于实现如第二方面中任一项所述方法。
第八方面,本申请实施例提供了一种UDM,包括处理器、存储器和通信接口,用于实现如第三方面中任一项所述方法。
第九方面,本申请实施例提供了一种PCF,包括处理器、存储器和通信接口,用于实现如第四方面中任一项所述方法。
第十方面,本申请实施例提供了一种SMF,包括处理器、存储器和通信接口,用于实现如第五方面中任一项所述方法。
第十一方面,本申请实施例提供了一种通信系统,包括如第六方面任一项所述的终端装置、如第七方面任一项所述的PCF以及如第八方面任一项所述的UDM。
第十二方法,本申请实施例提供了一种通信系统,包括如第九方面任一项所述的PCF以及如第十方面任一项所述的SMF。
第十三方面,本申请实施例提供了一种计算机可读存储介质,该计算机可读存储介质存储有计算机指令,当所述指令在计算机上运行时,使得计算机执行如第一方面至第五方面中任一项所述方法。
图1为本申请实施例提供的QoS架构;
图2为现有技术中的PDU会话建立过程;
图3(a)-图3(f)为可适用于本申请实施例的网络架构示意图;
图4为本申请实施例提供的用户面安全策略实现方法的流程示意图;
图5和图6为本申请实施例提供的一个具体实施例流程示意图;
图7为本申请实施例提供的另一种用户面安全策略实现方法的流程示意图;
图8为本申请实施例提供的另一个具体实施例流程示意图;
图9为本申请实施例提供的一种终端装置的结构示意图;
图10为本申请实施例提供的另一种终端装置的结构示意图;
图11为本申请实施例提供的一种PCF的结构示意图。
为了使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请作进一步地详细描述。
在第5代移动通信(the 5th generation,5G)新空口(new radio,NR)中,为了保证端到端的服务质量(quality of service,QoS),提出了基于服务质量流(QoS flow)的QoS架构,可以如图1所示。其中,一个终端装置,可以与5G核心网建立一个或者多个分组数据单元(packet data unit,PDU)会话,无线接入网(radio access network,RAN)为每一个PDU会话建立一个或者多个数据无线承载(data radio bearer,DRB),一个DRB中包含有一个或多个QoS flow,每个QoS flow由一个QoS流标识(QoS flow identifier,QFI)识别,QFI在一个PDU会话中唯一标识一个QoS flow。使用同一个QoS flow传输的数据包采用相同的传输处理,如调度、准入门限等。
在5G中,无线接入网(radio access network,RAN)对于用户面安全做PDU会话粒度的控制。PDU会话建立过程可以如图2所示,包括以下步骤:
步骤201、终端向AMF发送PDU会话建立请求。
步骤202、AMF选择SMF。
步骤203、AMF向选择出的SMF发送PDU会话建立请求。
步骤204、SMF在UDM中进行注册,并从UDM中获取请求建立的PDU会话所在的DN、网络切片的签约信息。签约信息中包括用户面安全策略(user plane security policy)。
步骤205、SMF向AMF发送PDU会话建立请求应答,该应答用于指示是否允许建立PDU会话。若拒绝建立PDU会话,该应答中可以携带拒绝建立的原因。
步骤206、PDU会话的鉴权/授权。
步骤207、SMF选择PCF。SMF向选择出的PCF请求获取该PDU会话的PCC规则。SMF可能会从PCF得到PDU会话的动态的用户面安全策略。
步骤208、SMF选择UPF。
步骤209、SMF向PCF上报会话相关的信息,如终端的IP地址、IP前缀、触发器的情况等信息。
步骤210、SMF向UPF发送隧道信息、PCC规则信息等。
步骤211、SMF向AMF发送PDU会话标识(PDU session ID)、N2接口上的会话管理信息(N2 SM information)以及N1接口上的会话管理容器(N1SM container)。
其中,N2 SM information的目标接收方为RAN,由AMF转发给RAN;N2 SM information的目标接收方为终端,由AMF和RAN透传给终端。N2 SM information中包括 用户面策略实施(user plane policy enforcement)。
步骤212、AMF向RAN发送PDU会话请求,该请求中包括N2 SM information和非接入层(non-access stratum,NAS)消息。N2 SM Information中包括user plane policy enforcement。
步骤213-220,为PDU会话建立过程中的其他步骤,与本申请实施例无关,此次不再详细说明,具体可参见相关通信协议。
在上述PDU会话建立过程中,由于UDM和PCF中没有与该PDU会话绑定的应用的信息,因此,RAN所执行的安全策略仅考虑到DN、网络切片的签约信息,而没有考虑应用的用户面安全属性需求。然而,有些应用可能已经实现了应用层的加密,若网络设备再进行加密则会增加无谓的负载和时延;或者,有些应用对时延要求较高,若网络设备对该应用的数据包进行完整性保护(该过程耗时较长),则该数据包将会产生较大时延。
为了解决上述问题,本申请实施例提供了一种用户面安全策略实现方法及装置,用于实现满足应用的用户面需求。
本申请实施例提供的用户面安全策略实现方法可以应用于如图3(a)和图3(b)所示的非漫游网络架构中,也可以应用于如图3(c)和图3(d)所示的本地疏导(local breakout)漫游场景中,还可以应用于如图3(e)和图3(f)所示的归属地路由(home routed)漫游场景中。
其中,(R)AN:主要用于控制终端通过无线接入到移动通信网络中来。
UPF:主要用于数据包路由和传输、包检测、业务用量上报、QoS处理、合法监听、上行包检测、下行数据包存储等用户面相关的功能。
AMF:主要用于连接管理、移动性管理、注册管理、接入认证和授权、可达性管理、安全上下文管理等接入和移动性相关的功能。
SMF:主要用于会话管理(如会话建立、修改和释放,包含UPF和AN之间的隧道维护等)、UPF的选择和控制、业务和会话连续性(service and session continuity,SSC)模式选择、漫游等会话相关的功能。
PCF:主要用于统一策略制定、策略控制的提供和从统一数据库(unified data repository,UDR)中获取策略决策相关的签约信息等策略相关的功能。
网络切片选择功能(network slice selection function,NSSF):主要用于为终端选择一组网络切片实例、确定允许的网络切片选择辅助信息(network slice selection assistance information,NSSAI)和确定可以服务终端的AMF集等。
网络存储功能(NF repository function,NRF):主要用于服务发现功能,维护可用的网络功能(NF,network function)实例的NF文本以及他们支持的服务。
应用功能(application function,AF):与3GPP核心网交互提供业务或者服务,包括与网络开放功能(network exposure function,NEF)交互,策略架构交互等。
NEF:主要用于安全的开放3GPP网络功能提供的业务和能力,包括内部开放和开放给第三方等。转化或翻译与AF交互的信息和内部网络功能交互的信息,如AF服务标识和5G核心网信息,如数据网络名称(data network name,DNN),单元网络切片选择辅助信息(single network slice selection assistance information,S-NSSAI)等。
UDM:主要用于支持3GPP认证和秘钥协商机制中的认证信任状处理,用户身份处理,接入授权,注册和移动性管理,签约管理,短消息管理等。
认证服务器功能(authentication server function,AUSF):主要用于与UDM交互获取用户信息,并执行认证相关的功能,如生成中间秘钥等。
应当理解,图3(a)至图3(f)所示的网络架构仅为举例,并不构成对本申请实施例的限制,本申请实施例可以应用的网络架构可以包括比图中所示更多或更少的网元。
参见图4,为本申请实施例提供的用户面安全策略实现方法的流程示意图,如图所示,该方法可以包括以下步骤:
步骤401、PCF发送应用的用户面安全指示信息,该用户面安全指示信息用于指示应用的用户面安全属性需求,以使终端装置根据应用的用户面安全属性需求关联或建立PDU会话。
在本申请实施例中,PCF可以预先获取已签约的应用的用户面安全属性需求,例如,应用A和应用B均与运营商进行了签约,PCF获取到的应用A的用户面安全属性需求为:需要对应用A的数据包进行完整性保护和加密,获取到的应用B的用户面安全属性需求为:需要对应用B的数据包进行加密。
可选地,PCF发送的应用的用户面安全指示信息,是根据终端装置的签约信息确定的。具体地,PCF可以预先获取终端装置的签约信息,在获取到的终端装置的签约信息中,可以添加有应用的用户面安全属性需求。PCF根据获取的用户面安全属性需求确定用户面安全指示信息。
在一些实施例中,PCF可以将应用的用户面安全属性需求携带在URSP中发送给终端装置。终端装置根据URSP确定检测到的应用是否可以与已建立的PDU会话相关联,是否可以在PDU会话之外将其卸载到非3GPP访问,或者是否可以触发新的PDU会话的建立。
URSP中可以包括一条或多条URSP规则,如表1所示。
表1
其中,用户面安全指示为本申请实施例增加的,用于指示应用的用户面安全属性需求。应当理解,表1中示出的URSP中包含的信息仅为举例,在实际应用时,URSP可以包括比表1更多的信息或更少的信息。例如,虽然表1中的用户面安全指示信息仅用于指示是否需要完整性保护或加密保护,实际使用时,该用户面安全指示信息也可以用于指示需要完整性保护和以及加密保护,或者还可以指示需求其他安全性保护。
将用户面安全指示信息携带在URSP中发送给终端装置,对现有协议的改动较小,当然,也可以将用户面安全指示信息携带在其他消息中发送给终端。
在一种可能的设计中,该URSP中可以包括已签约的全部或部分应用的用户面安全指示信息,不论终端装置是否安装有USRP中用户面安全指示信息所对应的应用,以备终端装置下载并安装这些应用后,可以根据相应的用户面安全指示信息关联或建立PDU会话。在另外一种可能的实现方式中,PCF也可以预先获取终端安装有哪些已签约的应用,并这些应用的用户面安全指示信息携带在URSP中发送。
步骤402、AMF在接收到PCF发送的用户面安全指示信息后,可以将该用户面安全指示信息发送给终端。
步骤403、终端装置根据用户面安全属性需求管理建立PDU会话。
在一些实施例中,若已建立的PDU会话中不存在满足上述应用的用户面安全属性需求的PDU会话,终端装置发送PDU会话建立请求,用于请求建立满足该应用的用户面安全属性需求的PDU会话。
具体地,终端装置发送的PDU会话建立请求中包括:根据上述用户面安全指示信息确定出的用户面安全参数。一般来说,终端装置生成的用户面安全参数所表示的含义与PCF指示的应用的用户面安全属性需求的含义一致,例如,若PCF指示的应用的用户面安全指示信息表示需要完整性保护,那么终端装置根据该用户面安全指示信息确定出的用户面安全参数也表示需要完整性保护,但由于信令不同表示需要完整性保护的字段以及该字段的取值可能略有不同。当然,终端装置也可以根据该用户面安全指示信息以及其他信息生成用户面安全参数,例如,若终端装置自身还有一些安全属性需求,那么终端装置根据自身安全属性需求以及应用的用户面安全需求生成的用户面安全参数,也可能与PCF发送的用户面安全指示信息的含义有所不同。
进一步地,PDU会话建立过程中,AMF在接收到包含有用户面安全参数的PDU会话建立请求后,选择SMF,并向选择出的SMF发送PDU会话建立请求,该请求中携带有上述用户面安全参数。然后SMF可以向UDM发送PDU会话注册信息,该注册信息中包括上述用户面安全参数。UDM判断PDU会话注册信息中包含的用户面安全参数是否为允许该终端装置配置的PDU会话配置参数,当PDU会话注册信息中包含的用户面安全参数是允许的PDU会话配置参数,UDM可以向SMF发送允许建立PDU会话的指示信息;当PDU会话注册信息中包含的用户面安全参数部署允许该终端装置配置的PDU会话配置参数是,UDM可以向SMF发送拒绝建立PDU会话的指示信息。
此外,在PDU会话建立过程中,SMF可以向PCF发生策略规则请求,用于请求PCF发送请求创建的PDU会话的PCC规则,该请求中也包括上述用户面安全参数。PCF根据用户面安全参数确定该PDU会话的用户面安全策略信息,并将确定出的用户面安全策略信息发送给SMF。
在另外一些实施例中,若已建立的PDU会话中存在满足该应用的用户面安全属性需求的第一PDU会话,那么终端装置可以将该第一PDU会话与该应用进行关联,即,在第一PDU会话中传输该应用的数据。
在本申请上述实施例中,终端根据PCF发送的应用的用户面安全指示信息为应用选择关联PDU会话时,考虑了应用的用户面安全属性需求,使得关联的PDU会话与应用的用户面安全属性需求相符合,而被关联到同一PDU会话的应用,具有相同的用户面安全属性需求,避免了PDU会话的用户面安全属性与应用不相符的情况发生。
为了更清楚说明本申请上述实施例,下面结合图5和图6进行详细说明。
图5示例性的给出了一种URSP的下发过程示意图,如图所示,该过程可以包括以下步骤:
步骤501、PCF将URSP发送给AMF。URSP中包含PCF根据签约信息确定的应用A的用户面安全指示信息(user plane security indication)。
步骤502、AMF将URSP透传给终端装置。URSP中包含上述user plane security indication。
步骤503、终端装置向AMF发送响应,表示成功接收URSP。
步骤504、AMF将终端成功接收URSP事件上报给PCF。
进一步地,PCF可以向AMF返回事件上报响应。
终端装置在使用应用A时,根据获取到的应用A的用户面安全指示信息,确定已建立的PDU会话中不存在满足应用A的用户面安全属性需求,则发起PDU会话建立过程。图 6实例性的给出了一种PDU会话建立流程示意图,如图所示,该流程可以包括以下步骤:
步骤601、终端装置向AMF发送PDU会话建立请求。
具体地,终端装置根据应用A的用户面安全指示信息生成用户面安全参数,并将该参数携带在PDU回家建立请求中,以请求建立满足应用A的用户面安全属性需求的PDU会话。
步骤602、AMF选择SMF。
步骤603、AMF向选择出的SMF发送PDU会话建立请求。该请求中包括上述用户面安全参数。
步骤604、SMF向UDM发送PDU会话注册信息,该注册信息中包括上述用户面安全参数。
步骤605、UDM若确定该注册信息中包括的用户面安全参数是允许终端装置配置的PDU会话配置参数,则向SMF返回注册响应,指示允许建立PDU会话。
否则,UDM向SMF发送拒绝建立该PDU会话的指示信息。进一步地,该指示信息中还可以包括拒绝的原因,即,用户面安全参数不被允许。
步骤606、SMF向AMF发送PDU会话建立请求应答。
若步骤605中UDM指示拒绝建立PDU会话,则该应答则指示AMF拒绝建立该PDU会话。该应答中也可以进一步包括拒绝的原因。
步骤607、PDU会话的鉴权/授权。
步骤608、SMF选择PCF,SMF向选择出的PCF请求获取该PDU会话的PCC规则,该请求中包括上述用户面安全参数。
步骤609、PCF根据用户面安全参数确定授权该PDU会话的用户面安全策略,并发送给SMF。
后面的步骤与图2中步骤208~步骤220类似,此处不再赘述。
为了解决同一技术问题,本申请实施例还提供了一种用户面安全策略实现方法,用于实现满足应用的用户面需求。该方法的流程示意图可以如图7所示,包括以下步骤:
步骤701、PCF接收AF发送的应用的用户面安全属性需求信息,该用户面安全属性需求信息用于指示该应用的用户面安全属性需求。
在该实施例中,AF在向PCF提供应用信息(application information)或服务信息(service information)时,可以在应用信息或服务信息中添加应用的用户面安全属性需求,以使PCF根据应用的用户面安全属性需求生成PCC规则。
步骤702、PCF向SMF发送该应用的用户面安全参数信息,或者向SMF发送该应用的SDF的用户面安全参数信息。其中,用户面安全参数信息用于指示用户面安全参数,该用户面安全参数信息是根据该应用的用户面安全属性需求确定的,携带在PCC规则中发送给SMF。
步骤703、SMF在接收到PCF发送的用户面安全参数信息后,根据该用户面安全参数信息绑定PCC和QoS flow。
绑定机制是将SDF(通过PCC规则中的SDF模板定义)与QoS进行关联。具体包括会话绑定、PCC规则鉴权以及QoS flow绑定。其中,QoS flow绑定是将PCC规则和QoS Flow做对应,由SMF来执行。
具体地,SMF若确定已建立的QoS flow中存在符合上述用户面安全参数的第一QoS flow,则SMF将应用的SDF与该第一QoS flow间绑定;和/或,若确定已建立的QoS flow中不存在符合用户面安全参数的第一QoS flow,则SMF请求建立第二QoS flow,请求建立的第二QoS flow,并间建立的上述PCC和第二QoS flow绑定,即,第二QoS flow符合上述用户面安全参数。
在上述实施例中,执行的用户面安全控制策略,是QoS flow粒度的,即,被绑定到同一QoS flow上的SDF的用户面安全参数相同,而同样PDU会话中的不同QoS flow可以对应不同的用户面安全参数。
为了清楚说明本申请上述实施例,下面结合图8进行详细说明。
图8示例性的给出了一种用户面安全策略实现方法的流程示意图,如图所示,可以包括以下步骤:
步骤801a、AF向PCF提供应用的用户面安全属性需求。
步骤801b、CHF向PCF发送开销限制报告(spending limit report)。
步骤801c、UDR向PCF发送通知(notify)。
步骤801d、内部事件发生。
步骤802、开销限制报告恢复(spending limit report retrieval)。
上述步骤801~步骤802均为可能触发PCF作策略决策的步骤,其中,步骤801为与本申请实施例密切相关的步骤。
步骤803、PCF根据用户面安全属性需求进行策略决策。
步骤804、PCF向SMF发送PCC规则,该PCC规则中包括根据上述用户面安全需求确定的用户面安全参数(user plane security parameter),表明一个SDF或一个应用的数据流的用户面安全倾向。
步骤805、SMF向PCF发送PCC规则响应。
步骤806、SMF根据上述用户面安全参数为该应用的SDF进行QoS Flow绑定,即,用于传输该应用数据包的QoS flow为满足上述用户面安全参数的QoS flow。
基于相同的技术构思,本申请实施例还提供了一种终端装置,用于实现上述方法实施例中终端装置的功能。如图9所示,该终端装置可以包括接收单元901、处理单元902,进一步还可以包括发送单元903。
接收单元901用于接收网络设备发送的用户面安全指示信息,所述用户面安全指示信息用于指示应用的用户面安全属性需求。
处理单元902根据所述用户面安全属性需求关联或建立分组数据单元PDU会话。
在一种可能的实现方式中,处理单元902具体用于:当已建立的PDU会话中不存在满足所述应用的用户面安全属性需求的PDU会话时,控制所述发送单元903发送PDU会话建立请求信息,用于请求建立满足所述应用的用户面安全属性需求的PDU会话。
在一种可能的实现方式中,所述PDU会话建立请求信息中包括根据所述用户面安全指示信息确定出的用户面安全参数。
在一种可能的实现方式中,处理单元902具体用于:当已建立的PDU会话中存在满足所述应用的用户面安全属性需求的第一PDU会话,控制所述发送单元903和接收单元901在所述第一PDU会话中传输所述应用的数据。
基于相同的技术构思,本申请实施例还提供了一种PCF,用于实现上述方法实施例中PCF的功能。该PCF可以包括发送单元,进一步还可以包括处理单元和接收单元,其结构与图9所示结构类似。
发送单元用于发送应用的用户面安全指示信息,所述用户面安全指示信息用于终端装置关联或建立PDU会话。
在一种可能的实现方式中,接收单元用于接收会话管理功能SMF发送的策略规则请求,所述请求中包括用户面安全参数信息,所述用户面安全参数信息为所述终端装置根据所述应用的户面安全指示信息所确定。
处理单元用于根据所述用户面安全参数信息,确定用户面安全策略信息;
发送单元用于将所述确定出的用户面安全策略信息发送给所述SMF。
在一种可能的实现方式中,所述应用的用户面安全指示信息,是所述PCF根据终端装置的签约信息确定的。
基于相同的技术构思,本申请实施例还提供了一种UDM,用于实现上述方法实施例中UDM的功能。该UDM可以包括接收单元、处理单元和发送单元,其结构与图9所示结构类似。
接收单元,用于接收SMF发送的PDU会话注册信息,所述注册信息中包括来自终端装置的用户面安全参数。
处理单元,用于当所述用户面安全参数是允许为所述终端装置的PDU会话配置的参数,控制发送单元向所述SMF发送信息允许建立PDU会话的指示信息;当所述用户面安全参数不是允许为所述终端装置的PDU会话配置的参数,控制向所述SMF发送拒绝建立PDU会话的指示信息。
基于相同的技术构思,本申请实施例还提供了一种终端装置,包括:处理器1001、存储器1002和通信接口1003,进一步还可以包括通信总线1004,如图10所示。
所述存储器1002用于存储程序。
所述处理器1001调用所述存储器1002存储的程序执行:
通过所述通信接口1003接收网络设备发送的用户面安全指示信息,所述用户面安全指示信息用于指示应用的用户面安全属性需求;
根据所述用户面安全属性需求关联或建立分组数据单元PDU会话。
在一种可能的实现方式中,所述处理器1001具体用于:
当已建立的PDU会话中不存在满足所述应用的用户面安全属性需求的PDU会话时,通过所述通信接口1003发送PDU会话建立请求信息,用于请求建立满足所述应用的用户面安全属性需求的PDU会话。
在一种可能的实现方式中,所述PDU会话建立请求信息中包括根据所述用户面安全指示信息确定出的用户面安全参数。
在一种可能的实现方式中,所述处理器1001具体用于:
当已建立的PDU会话中存在满足所述应用的用户面安全属性需求的第一PDU会话,通过所述通信接口1003在所述第一PDU会话中传输所述应用的数据。
基于相同的技术构思,本申请实施例提供了PCF,包括:处理器、存储器和通信接口;其结构与图10所示类似。
所述存储器用于存储程序;
所述处理器调用所述存储器存储的程序执行:
通过所述通信接口发送应用的用户面安全指示信息,所述用户面安全指示信息用于终端装置关联或建立PDU会话。
在一种可能的实现方式中,所述处理器还用于:
通过所述通信接口接收会话管理功能SMF发送的策略规则请求,所述请求中包括用户面安全参数信息,所述用户面安全参数信息为所述终端装置根据所述应用的户面安全指示信息所确定;
根据所述用户面安全参数信息,确定用户面安全策略信息;
通过所述通信接口将所述确定出的用户面安全策略信息发送给所述SMF。
在一种可能的实现方式中,所述应用的用户面安全指示信息,是所述PCF根据终端装置的签约信息确定的。
基于相同的技术构思,本申请实施例提供了UDM,包括:处理器、存储器和通信接口;
所述存储器用于存储程序;
所述处理器调用所述存储器存储的程序执行:
通过所述通信接口接收会话管理功能SMF发送的分组数据单元PDU会话注册信息,所述注册信息中包括来自终端装置的用户面安全参数;
当所述用户面安全参数是允许为所述终端装置的PDU会话配置的参数,通过所述通信接口向所述SMF发送信息允许建立PDU会话的指示信息;
当所述用户面安全参数不是允许为所述终端装置的PDU会话配置的参数,通过所述通信接口向所述SMF发送拒绝建立PDU会话的指示信息。
本申请实施例还提供了一种通信系统,包括上述任一项终端装置、任一项PCF以及UDM。
基于相同的技术构思,本申请实施例还提供了一种PCF,用于实现上述方法实施例中PCF的功能。该PCF可以包括接收单元1101和发送单元1102,其结构如图11所示。
接收单元1101用于接收应用功能AF发送的应用的用户面安全属性需求信息,上述用户面安全属性需求信息用于指示所述应用的用户面安全属性需求。
发送单元1102用于向会话管理功能SMF发送SDF的用户面安全参数信息,所述SDF的用户面安全参数信息根据所述应用的用户面安全属性需求所确定。
基于相同的技术构思,本申请实施例还提供了一种SMF,用于实现上述方法实施例中SMF的功能。该PCF可以包括接收单元和处理单元,进一步可以包括发送单元,其结构与图9所示结构类似。
接收单元用于接收策略控制功能PCF发送的SDF的用户面安全参数信息,所述SDF的用户面安全参数信息包含于PCC中,所述SDF的用户面安全参数信息根据应用的用户面安全属性需求所确定,所述用户面安全参数信息用于指示用户面安全参数。
处理单元用于至少根据所述SDF的用户面安全参数绑定PCC和服务质量流QoS flow。
在一种可能的实现方式或者,处理单元具体用于:
当已建立的QoS flow的中存在符合所述用户面安全参数的第一QoS flow,将所述应用的SDF与所述第一QoS flow进行绑定;和/或,当已建立的QoS flow的中不存在符合所述 用户面安全参数的第一QoS flow,通过所述发送单元请求建立第二QoS flow,所述第二QoS flow符合所述用户面安全参数。
基于相同的技术构思,本申请实施例还提供了一种PCF,包括:处理器、存储器和通信接口,用于实现上述方法实施例PCF的功能,其结构与图10所示类似。
所述存储器用于存储程序;
所述处理器调用所述存储器存储的程序执行:
通过所述通信接口接收应用功能AF发送的应用的用户面安全属性需求信息,上述用户面安全属性需求信息用于指示所述应用的用户面安全属性需求;
通过所述通信接口向会话管理功能SMF发送SDF的用户面安全参数信息,所述SDF的用户面安全参数信息根据所述应用的用户面安全属性需求所确定。
基于相同的技术构思,本申请实施例还提供了一种SMF,包括:处理器、存储器和通信接口,用于实现上述方法实施例SMF的功能,其结构与图10所示类似。
所述存储器用于存储程序;
所述处理器调用所述存储器存储的程序执行:
通过所述通信接口接收策略控制功能PCF发送的SDF的用户面安全参数信息,所述SDF的用户面安全参数信息包含于PCC中,所述SDF的用户面安全参数信息根据应用的用户面安全属性需求所确定,所述用户面安全参数信息用于指示用户面安全参数;
至少根据所述SDF的用户面安全参数绑定PCC和服务质量流QoS flow。
在一种可能的实现方式中,所述处理器具体用于:
当已建立的QoS flow的中存在符合所述用户面安全参数的第一QoS flow,将所述应用的SDF与所述第一QoS flow进行绑定;和/或,当已建立的QoS flow的中不存在符合所述用户面安全参数的第一QoS flow,通过所述通信接口请求建立第二QoS flow,所述第二QoS flow符合所述用户面安全参数。
本申请实施例还提供了一种通信系统,包括上述PCF以及任一项SMF。
本申请实施例提供了一种计算机可读存储介质,该计算机可读存储介质存储有计算机指令,当所述指令在计算机上运行时,使得计算机执行如上述方法实施例中终端装置、PCF、UDM或SMF的功能。
本申请实施例提供了一种包含指令的计算机程序产品,当其在计算机上运行时,使得计算机执行如上述方法实施例中终端装置、PCF、UDM或SMF的功能。
本申请提供一种芯片,所述芯片与存储器相连,用于读取并执行所述存储器中存储的软件程序,以实现上述方法实施例中终端装置、PCF、UDM或SMF的功能。
本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。
本申请是参照根据本申请的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/ 或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。
显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。
Claims (29)
- 一种用户面安全策略实现方法,其特征在于,包括:终端装置接收网络设备发送的用户面安全指示信息,所述用户面安全指示信息用于指示应用的用户面安全属性需求;所述终端装置根据所述用户面安全属性需求关联或建立分组数据单元PDU会话。
- 如权利要求1所述的方法,其特征在于,所述终端装置根据所述用户面属性需求建立分组数据单元PDU会话,包括:当已建立的PDU会话中不存在满足所述应用的用户面安全属性需求的PDU会话时,所述终端装置发送PDU会话建立请求信息,用于请求建立满足所述应用的用户面安全属性需求的PDU会话。
- 如权利要求2所述的方法,其特征在于,所述PDU会话建立请求信息中包括根据所述用户面安全指示信息确定出的用户面安全参数。
- 如权利要求1所述的方法,其特征在于,所述终端装置根据所述用户面属性需求选择分组数据单元PDU会话,包括:当已建立的PDU会话中存在满足所述应用的用户面安全属性需求的第一PDU会话,所述终端装置在所述第一PDU会话中传输所述应用的数据。
- 一种用户面安全策略实现方法,其特征在于,包括:策略控制功能PCF发送应用的用户面安全指示信息,所述用户面安全指示信息用于终端装置关联或建立PDU会话。
- 如权利要求5所述的方法,其特征在于,还包括:所述PCF接收会话管理功能SMF发送的策略规则请求,所述请求中包括用户面安全参数信息,所述用户面安全参数信息为所述终端装置根据所述应用的户面安全指示信息所确定;所述PCF根据所述用户面安全参数信息,确定用户面安全策略信息;所述PCF将所述确定出的用户面安全策略信息发送给所述SMF。
- 如权利要求5所述的方法,其特征在于,所述应用的用户面安全指示信息,是所述PCF根据终端装置的签约信息确定的。
- 一种用户面安全策略实现方法,其特征在于,包括:统一数据管理UDM接收会话管理功能SMF发送的分组数据单元PDU会话注册信息,所述注册信息中包括来自终端装置的用户面安全参数;当所述用户面安全参数是允许为所述终端装置的PDU会话配置的参数,所述UDM向所述SMF发送信息允许建立PDU会话的指示信息;当所述用户面安全参数不是允许为所述终端装置的PDU会话配置的参数,所述UDM向所述SMF发送拒绝建立PDU会话的指示信息。
- 一种用户面安全策略实现方法,其特征在于,包括:策略控制功能PCF接收应用功能AF发送的应用的用户面安全属性需求信息,上述用户面安全属性需求信息用于指示所述应用的用户面安全属性需求;所述PCF向会话管理功能SMF发送SDF的用户面安全参数信息,所述SDF的用户面安全参数信息根据所述应用的用户面安全属性需求所确定。
- 一种用户面安全策略实现方法,其特征在于,包括:会话管理功能SMF接收策略控制功能PCF发送的SDF的用户面安全参数信息,所述SDF的用户面安全参数信息包含于PCC中,所述SDF的用户面安全参数信息根据应用的用户面安全属性需求所确定,所述用户面安全参数信息用于指示用户面安全参数;所述SMF至少根据所述SDF的用户面安全参数绑定PCC和服务质量流QoS flow。
- 如权利要求10所述的方法,其特征在于,所述SMF根据所述用户面安全参数的进行QoS flow绑定,包括:当已建立的QoS flow的中存在符合所述用户面安全参数的第一QoS flow,所述SMF将所述应用的SDF与所述第一QoS flow进行绑定;和/或当已建立的QoS flow的中不存在符合所述用户面安全参数的第一QoS flow,所述SMF请求建立第二QoS flow,所述第二QoS flow符合所述用户面安全参数。
- 一种终端装置,其特征在于,包括:处理器、存储器和通信接口;所述存储器用于存储程序;所述处理器调用所述存储器存储的程序执行:通过所述通信接口接收网络设备发送的用户面安全指示信息,所述用户面安全指示信息用于指示应用的用户面安全属性需求;根据所述用户面安全属性需求关联或建立分组数据单元PDU会话。
- 如权利要求12所述的终端装置,其特征在于,所述处理器具体用于:当已建立的PDU会话中不存在满足所述应用的用户面安全属性需求的PDU会话时,通过所述通信接口发送PDU会话建立请求信息,用于请求建立满足所述应用的用户面安全属性需求的PDU会话。
- 如权利要求13所述的终端装置,其特征在于,所述PDU会话建立请求信息中包括根据所述用户面安全指示信息确定出的用户面安全参数。
- 如权利要求12所述的终端装置,其特征在于,所述处理器具体用于:当已建立的PDU会话中存在满足所述应用的用户面安全属性需求的第一PDU会话,通过所述通信接口在所述第一PDU会话中传输所述应用的数据。
- 一种策略控制功能PCF,其特征在于,包括:处理器、存储器和通信接口;所述存储器用于存储程序;所述处理器调用所述存储器存储的程序执行:通过所述通信接口发送应用的用户面安全指示信息,所述用户面安全指示信息用于终端装置关联或建立PDU会话。
- 如权利要求16所述的PCF,其特征在于,所述处理器还用于:通过所述通信接口接收会话管理功能SMF发送的策略规则请求,所述请求中包括用户面安全参数信息,所述用户面安全参数信息为所述终端装置根据所述应用的户面安全指示信息所确定;根据所述用户面安全参数信息,确定用户面安全策略信息;通过所述通信接口将所述确定出的用户面安全策略信息发送给所述SMF。
- 如权利要求16所述的PCF,其特征在于,所述应用的用户面安全指示信息,是所述PCF根据终端装置的签约信息确定的。
- 一种统一数据管理UDM,其特征在于,包括:处理器、存储器和通信接口;所述存储器用于存储程序;所述处理器调用所述存储器存储的程序执行:通过所述通信接口接收会话管理功能SMF发送的分组数据单元PDU会话注册信息,所述注册信息中包括来自终端装置的用户面安全参数;当所述用户面安全参数是允许为所述终端装置的PDU会话配置的参数,通过所述通信接口向所述SMF发送信息允许建立PDU会话的指示信息;当所述用户面安全参数不是允许为所述终端装置的PDU会话配置的参数,通过所述通信接口向所述SMF发送拒绝建立PDU会话的指示信息。
- 一种策略控制功能PCF,其特征在于,包括:处理器、存储器和通信接口;所述存储器用于存储程序;所述处理器调用所述存储器存储的程序执行:通过所述通信接口接收应用功能AF发送的应用的用户面安全属性需求信息,上述用户面安全属性需求信息用于指示所述应用的用户面安全属性需求;通过所述通信接口向会话管理功能SMF发送SDF的用户面安全参数信息,所述SDF的用户面安全参数信息根据所述应用的用户面安全属性需求所确定。
- 一种会话管理功能SMF,其特征在于,处理器、存储器和通信接口;所述存储器用于存储程序;所述处理器调用所述存储器存储的程序执行:通过所述通信接口接收策略控制功能PCF发送的SDF的用户面安全参数信息,所述SDF的用户面安全参数信息包含于PCC中,所述SDF的用户面安全参数信息根据应用的用户面安全属性需求所确定,所述用户面安全参数信息用于指示用户面安全参数;至少根据所述SDF的用户面安全参数绑定PCC和服务质量流QoS flow。
- 如权利要求21所述的SMF,其特征在于,所述处理器具体用于:当已建立的QoS flow的中存在符合所述用户面安全参数的第一QoS flow,将所述应用的SDF与所述第一QoS flow进行绑定;和/或当已建立的QoS flow的中不存在符合所述用户面安全参数的第一QoS flow,通过所述通信接口请求建立第二QoS flow,所述第二QoS flow符合所述用户面安全参数。
- 一种通信系统,其特征在于,包括如权利要求12-15中任一项所述终端装置、如权利要求16-18任一项所述的策略控制功能PCF以及如权利要求19所述的统一数据管理UDM。
- 一种通信系统,其特征在于,包括如权利要求20所述的策略控制功能PCF以及如权利要求21或22所述的会话管理功能SMF。
- 一种终端装置,其特征在于,所述终端装置用于执行权利要求1至4任一所述的方法。
- 一种网络装置,其特征在于,所述网络装置用于执行权利要求5-7任一所述的方法。
- 一种网络装置,其特征在于,所述网络装置用于执行权利要求8所述的方法。
- 一种网络装置,其特征在于,所述网络装置用于执行权利要求9所述的方法。
- 一种网络装置,其特征在于,所述网络装置用于执行权利要求10或11任一所述的方法。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP19850342.7A EP3833150A4 (en) | 2018-08-13 | 2019-08-05 | USER, DEVICE, AND SYSTEM SECURITY POLICY IMPLEMENTATION PROCESS |
US17/174,749 US12058139B2 (en) | 2018-08-13 | 2021-02-12 | Method for implementing user plane security policy, apparatus, and system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810918762.8A CN110831243B (zh) | 2018-08-13 | 2018-08-13 | 一种用户面安全策略实现方法、装置及系统 |
CN201810918762.8 | 2018-08-13 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/174,749 Continuation US12058139B2 (en) | 2018-08-13 | 2021-02-12 | Method for implementing user plane security policy, apparatus, and system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020034864A1 true WO2020034864A1 (zh) | 2020-02-20 |
Family
ID=69525210
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/099309 WO2020034864A1 (zh) | 2018-08-13 | 2019-08-05 | 一种用户面安全策略实现方法、装置及系统 |
Country Status (4)
Country | Link |
---|---|
US (1) | US12058139B2 (zh) |
EP (1) | EP3833150A4 (zh) |
CN (1) | CN110831243B (zh) |
WO (1) | WO2020034864A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114362984A (zh) * | 2020-10-13 | 2022-04-15 | 华为技术有限公司 | 一种接口安全性保护方法及装置 |
US12126658B2 (en) | 2022-03-24 | 2024-10-22 | Nokia Technologies Oy | Security enforcement and assurance utilizing policy control framework and security enhancement of analytics function in communication network |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102686161B1 (ko) * | 2019-05-03 | 2024-07-18 | 삼성전자 주식회사 | 이동통신 시스템에서 시간 또는 서비스 지역에 따른 단말의 세션 설정 관리 방법 및 장치 |
US12114159B2 (en) * | 2019-10-03 | 2024-10-08 | Telefonaktiebolaget Lm Ericsson (Publ) | Security settings for user plane data sent over different accesses of a network |
WO2021196051A1 (zh) * | 2020-03-31 | 2021-10-07 | 华为技术有限公司 | 一种通信方法、装置及系统 |
CN113676907B (zh) * | 2020-04-30 | 2023-08-04 | 华为技术有限公司 | 一种确定服务质量流的方法,装置,设备及计算机可读存储介质 |
KR20230020870A (ko) * | 2021-08-04 | 2023-02-13 | 삼성전자주식회사 | 무선 통신 시스템에서 pdu 세션에 대해 사용자 보안 평면 정책을 적용하는 방법 및 장치 |
EP4274306B1 (en) * | 2022-05-04 | 2024-07-03 | Deutsche Telekom AG | Method for using or applying user equipment route selection policy information when operating a user equipment connected to a telecommunications network, user equipment, system or telecommunications network, program and computer program product |
WO2024030574A1 (en) * | 2022-08-05 | 2024-02-08 | Intel Corporation | Enhanced quality of service-level security for wireless communications |
CN116528227B (zh) * | 2023-06-30 | 2023-09-29 | 中国电信股份有限公司 | 用户面安全配置方法、装置、电子设备及存储介质 |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104813708A (zh) * | 2012-11-22 | 2015-07-29 | 株式会社Ntt都科摩 | 移动通信系统、无线基站以及移动台 |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20130079564A (ko) * | 2010-09-28 | 2013-07-10 | 리서치 인 모션 리미티드 | Ue가 주택/기업 네트워크 커버리지 밖으로 이동할 때 로컬 gw와의 연결을 해제시키는 방법 및 장치 |
GB2509937A (en) * | 2013-01-17 | 2014-07-23 | Nec Corp | Providing security information to a mobile device in which user plane data and control plane signalling are communicated via different base stations |
CN107566115B (zh) * | 2016-07-01 | 2022-01-14 | 华为技术有限公司 | 密钥配置及安全策略确定方法、装置 |
US10728952B2 (en) * | 2017-01-09 | 2020-07-28 | Huawei Technologies Co., Ltd. | System and methods for session management |
WO2018128528A1 (ko) * | 2017-01-09 | 2018-07-12 | 엘지전자(주) | 무선 통신 시스템에서 pdu 세션 관리 방법 및 이를 위한 장치 |
US10375665B2 (en) * | 2017-02-06 | 2019-08-06 | Huawei Technologies Co., Ltd. | Method and apparatus for supporting access control and mobility management |
-
2018
- 2018-08-13 CN CN201810918762.8A patent/CN110831243B/zh active Active
-
2019
- 2019-08-05 EP EP19850342.7A patent/EP3833150A4/en active Pending
- 2019-08-05 WO PCT/CN2019/099309 patent/WO2020034864A1/zh unknown
-
2021
- 2021-02-12 US US17/174,749 patent/US12058139B2/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104813708A (zh) * | 2012-11-22 | 2015-07-29 | 株式会社Ntt都科摩 | 移动通信系统、无线基站以及移动台 |
Non-Patent Citations (5)
Title |
---|
LG ELECTRONICS: "TS 23.502: Clarification on QoS Parameters", SA WG2 MEETING #124 S2-178453, 1 December 2017 (2017-12-01), XP051379466 * |
NEC: "Further Update to User Plane Security Impact on NG Interface", 3GPP TSG-RAN3#99 R3-180878, 2 March 2018 (2018-03-02), XP051401378 * |
NEC: "UP Integrity Protection Granularity", 3GPP TSG-RAN WG2 #101 R2-1803611, 2 March 2018 (2018-03-02), pages 1 - 6, XP051400637 * |
OPPO ET AL.: "Adding PRA Related Description in 23.502", SA WG2 MEETING #124, S2-179174, 1 December 2017 (2017-12-01), pages 3 - 19, XP051365639 * |
See also references of EP3833150A4 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114362984A (zh) * | 2020-10-13 | 2022-04-15 | 华为技术有限公司 | 一种接口安全性保护方法及装置 |
CN114362984B (zh) * | 2020-10-13 | 2023-05-09 | 华为技术有限公司 | 一种接口安全性保护方法及装置 |
US12126658B2 (en) | 2022-03-24 | 2024-10-22 | Nokia Technologies Oy | Security enforcement and assurance utilizing policy control framework and security enhancement of analytics function in communication network |
Also Published As
Publication number | Publication date |
---|---|
US12058139B2 (en) | 2024-08-06 |
EP3833150A1 (en) | 2021-06-09 |
EP3833150A4 (en) | 2021-12-08 |
CN110831243A (zh) | 2020-02-21 |
US20210168151A1 (en) | 2021-06-03 |
CN110831243B (zh) | 2021-10-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2020034864A1 (zh) | 一种用户面安全策略实现方法、装置及系统 | |
US11818608B2 (en) | Third party charging in a wireless network | |
US11102828B2 (en) | User plane function selection for isolated network slice | |
US11690005B2 (en) | Network slice for visited network | |
US11533401B2 (en) | Charging policy information for a packet data unit session in a wireless network | |
US11659097B2 (en) | Charging policy information for a packet data unit session of a wireless device | |
US10660016B2 (en) | Location based coexistence rules for network slices in a telecommunication network | |
US10999447B2 (en) | Charging control in roaming scenario | |
US11259207B2 (en) | QoS control method and device | |
US20190150081A1 (en) | AMF Selection for Isolated Network Slice | |
WO2020224622A1 (zh) | 一种信息配置方法及装置 | |
US9642032B2 (en) | Third party interface for provisioning bearers according to a quality of service subscription | |
EP3288325B1 (en) | Service chain policy making method and device | |
WO2018064987A9 (zh) | 策略控制方法及装置 | |
US9647935B2 (en) | Inter-layer quality of service preservation | |
KR102318746B1 (ko) | 가상 id를 이용하여 복수의 pdu 세션들을 처리하는 방법 및 상기 방법을 수행하는 smf |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19850342 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 2019850342 Country of ref document: EP Effective date: 20210304 |