WO2020073802A1 - Authentication method and device - Google Patents
- Publication number
- WO2020073802A1 (PCT/CN2019/107706)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network element
- authentication
- network
- smf
- authentication result
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0893—Assignment of logical groups to network elements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- the present invention relates to the field of communication technology, and in particular, to an authentication method and device.
- the first network slice includes two session management function (SMF) network elements, SMF-1 and SMF-2, and two user plane function (UPF)
- SMF: session management function
- UPF: user plane function
- the network elements UPF-1 and UPF-2 support different data networks (DN).
- SMF-1 and UPF-1 support DN-1
- SMF-2 and UPF-2 support DN-2.
- AMF access and mobility management function
- When the terminal device establishes a second PDU session on the first network slice, the second PDU session accesses DN-2 through SMF-2 and UPF-2, and the network authenticates the first network slice again. The network therefore repeats the authentication of the first network slice when the second PDU session is established, which wastes signaling.
- Embodiments of the present invention provide an authentication method and device.
- an authentication method which includes:
- the first session management function network element (for example, the SMF-2 network element in FIGS. 4 to 13) receives, from the first network element (for example, the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIGS. 12 and 13), the authentication result (for example, the first authentication result in FIGS. 4 to 13) of the network slice where the second session management function network element (for example, the SMF-1 network element in FIGS. 4 to 13) is located. The first session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
- the first session management function network element determines, according to the authentication result, whether to perform the authentication process of the network slice.
- the first SMF network element can obtain the authentication result of the network slice where the second SMF network element is located. Since the first SMF network element and the second SMF network element are located in the same network slice, the first SMF network element can judge, according to the authentication result, whether to perform the authentication process of the network slice. Repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- the authentication result is that the authentication is successful, and the first session management function network element determines to abandon the authentication process of the network slice. Therefore, when the authentication result is that the authentication succeeded, the first SMF network element determines to abandon the authentication process of the network slice, thereby avoiding repeated authentication of the network slice and reducing signaling interaction.
- the first network element is a network storage function network element (for example, NRF network element) or an unstructured data storage network element (for example, UDSF network element).
- NRF network element: network storage function network element
- UDSF network element: unstructured data storage network element
- an authentication method which includes:
- the session management function network element receives, from the authentication network element, the authentication result of the network slice where the session management function network element is located.
- the session management function network element sends first information to the first network element (for example, the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIGS. 12 and 13), and the first information includes the authentication result.
- the second SMF network element can send the authentication result of the network slice to the first network element, and when establishing the second session, the first SMF network element serving the second session can obtain the authentication of the network slice
- the first SMF network element can determine whether to perform the authentication process of the network slice according to the authentication result. The repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- the authentication result is that the authentication is successful. Therefore, when the authentication result is that the authentication succeeded, the first SMF network element determines to abandon the authentication process of the network slice, thereby avoiding repeated authentication of the network slice and reducing signaling interaction.
- the first information further includes at least one of the identification of the network slice or the identification of the terminal device. Therefore, when establishing the second session, the first SMF network element can learn the authentication result corresponding to the network slice according to at least one of the identifier of the network slice or the identifier of the terminal device.
- the first network element is a network storage function network element or an unstructured data storage network element.
- Before the session management function network element receives the authentication result from the authentication network element, the session management function network element sends a query request to the first network element and receives a query response from the first network element. The query response is used to indicate that the first network element does not include the authentication result of the network slice. Therefore, because the first network element does not include the authentication result of the network slice, the session management function network element can determine either that the previous authentication of the network slice failed or that the network slice authentication performed by the session management function network element is the first authentication process of the network slice.
- an authentication method which includes:
- the first network element (for example, the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIGS. 12 and 13) receives first information from the first session management function network element (for example, the SMF-1 network element in FIGS. 4 to 13), the first information including the authentication result of the network slice where the first session management function network element is located.
- the first network element sends the authentication result to the second session management function network element (for example, the SMF-2 network element in FIGS. 4 to 13). The second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
- the second SMF network element can obtain the authentication result of the network slice where the first SMF network element is located. Since the first SMF network element and the second SMF network element are located in the same network slice, the second SMF network element can judge, according to the authentication result, whether to perform the authentication process of the network slice. Repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- the authentication result is that the authentication is successful. Therefore, when the authentication result is that the authentication succeeded, the second SMF network element determines to abandon the authentication process of the network slice, thereby avoiding repeated authentication of the network slice and reducing signaling interaction.
- the first information further includes at least one of the identification of the network slice or the identification of the terminal device.
- the second SMF network element can learn the authentication result corresponding to the network slice according to at least one of the identifier of the network slice or the identifier of the terminal device.
- the first network element receives a deletion request, and the deletion request is used to instruct the first network element to delete the authentication result.
- the first network element may delete the authentication result, thereby saving storage space of the first network element.
- the first network element is a user data management function network element, an access and mobility management function network element, a network storage function network element, or an unstructured data storage network element.
- an authentication method which includes:
- the first network element (for example, the UDM network element in FIG. 5, the AMF network element in FIG. 7, the NRF network element in FIG. 9 or FIG. 11, or the UDSF network element in FIG. 13) receives the first information from the session management function network element (for example, the SMF-1 network element in FIG. 5, FIG. 7, FIG. 9, FIG. 11, or FIG. 13).
- the first network element receives the deletion request, and the deletion request is used to instruct the first network element to delete the authentication result.
- the first network element can obtain the authentication result of the network slice where the SMF network element is located.
- the authentication result can be deleted, thereby saving the storage space of the first network element.
- the authentication result is that the authentication is successful.
- the first information further includes at least one of the identification of the network slice or the identification of the terminal device. Therefore, when establishing the second session, the second SMF network element can learn the authentication result corresponding to the network slice according to at least one of the identifier of the network slice or the identifier of the terminal device.
- the first network element is a user data management function network element, an access and mobility management function network element, a network storage function network element, or an unstructured data storage network element.
- an embodiment of the present application provides an authentication device having a function to implement the behavior of the first session management function network element (for example, the SMF-2 network element in FIGS. 4 to 13) in the above method.
- the functions can be realized by hardware, or can also be realized by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above functions.
- the structure of the above device includes a processor and a transceiver, and the processor is configured to process the device to perform the corresponding function in the above method.
- the transceiver is used to implement communication between the above authentication device and the AMF network element / UDM network element / authentication network element / NRF network element / UDSF network element.
- the device may further include a memory for coupling with the processor, which stores necessary program instructions and data of the device.
- an embodiment of the present application provides an authentication device having a function to implement the behavior of the session management function network element (for example, the SMF-1 network element or the SMF-2 network element in FIGS. 4 to 13) in the above method.
- the functions can be realized by hardware, or can also be realized by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above functions.
- the structure of the above authentication device includes a processor and a transceiver, and the processor is configured to process the device to perform the corresponding function in the above method.
- the transceiver is used to implement communication between the above device and the AMF network element / UDM network element / authentication network element / NRF network element / UDSF network element.
- the device may further include a memory for coupling with the processor, which stores necessary program instructions and data of the device.
- an embodiment of the present application provides an authentication device having a function to implement the behavior of the first network element (for example, the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIGS. 12 and 13) in the above method.
- the functions can be realized by hardware, or can also be realized by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above functions.
- the structure of the above authentication device includes a processor and a transceiver, and the processor is configured to process the device to perform the corresponding function in the above method.
- the transceiver is used to implement communication between the above device and the SMF-1 network element / SMF-2 network element.
- the device may further include a memory for coupling with the processor, which stores necessary program instructions and data of the device.
- an embodiment of the present application provides an authentication device having a function to implement the behavior of the first network element (for example, the UDM network element in FIG. 5, the AMF network element in FIG. 7, the NRF network element in FIG. 9 or FIG. 11, or the UDSF network element in FIG. 13) in the above method.
- the functions can be realized by hardware, or can also be realized by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the above functions.
- the structure of the above authentication device includes a processor and a transceiver, and the processor is configured to process the device to perform the corresponding function in the above method.
- the transceiver is used to implement communication between the above device and the SMF-1 network element / SMF-2 network element.
- the device may further include a memory for coupling with the processor, which stores necessary program instructions and data of the device.
- an embodiment of the present application provides a computer-readable storage medium that stores instructions, which when executed on a computer, causes the computer to perform the methods described in the above aspects.
- an embodiment of the present application provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the methods described in the above aspects.
- the present application provides a chip system that includes a processor for supporting the foregoing device to implement the functions involved in the foregoing aspects, for example, generating or processing the information involved in the foregoing method.
- the chip system further includes a memory for storing necessary program instructions and data of the data transmission device.
- the chip system may be composed of chips, or may include chips and other discrete devices.
- FIG. 1 is a schematic diagram of a scenario where a network authenticates a first network slice
- FIG. 2 is a schematic diagram of a 5G communication system provided according to an embodiment of the present application.
- FIG. 3 is an authentication method provided according to an embodiment of the present application.
- FIG. 11 is another authentication method provided according to an embodiment of the present application.
- FIGS. 14A and 14B are schematic structural diagrams of an authentication device according to an embodiment of the present application.
- FIG. 2 shows a schematic diagram of a 5G communication system provided by an embodiment of the present application.
- the control plane function and the forwarding plane function of the mobile gateway are decoupled.
- the separated control plane function merges with the traditional third generation partnership project (3GPP) control network elements, such as the mobility management entity (MME), into a unified control plane.
- the UPF network element can implement the user plane functions (SGW-U and PGW-U) of the serving gateway (SGW) and packet data network gateway (PGW).
- the unified control plane network element can be decomposed into AMF network element and SMF network element.
- the communication system includes at least a terminal 201, an AMF network element 205, an SMF network element 206, and an authentication network element 207.
- the terminal device 201 involved in this system is not limited to the 5G network, including: mobile phones, Internet of Things devices, smart home devices, industrial control devices, vehicle devices, and so on.
- the terminal device may also be called user equipment (UE), a mobile station, a mobile, a remote station, a remote terminal, an access terminal, a user terminal, or a user agent, which is not limited here.
- the above terminal device may also be an automobile in vehicle-to-vehicle (V2V) communication, a machine in machine type communication, and the like.
- V2V vehicle-to-vehicle
- the Radio Access Network (RAN) device 202 involved in this system is a device for providing wireless communication functions for the terminal device 202.
- the RAN device 202 may include various forms of base stations, such as macro base stations, micro base stations (also called small stations), relay stations, and access points.
- the names of devices with base station functions may be different.
- eNB evolved Node B
- the AMF network element 205 involved in this system may be responsible for terminal device registration, mobility management, and registration update process.
- AMF network elements can also be called AMF equipment or AMF entities.
- the SMF network element 206 involved in this system may be responsible for the session management of the terminal device.
- session management includes user plane device selection, user plane device reselection, internet protocol (IP) address allocation, quality of service (QoS) control, and session establishment, modification, or release.
- IP internet protocol
- QoS quality of service
- the authentication network element 207 involved in this system can be responsible for the authentication and authorization process, and realize the access control to the network slice.
- the authentication network element 207 can be an authentication and authorization (AA) function network element in the data network.
- the authentication network element 207 may be an authentication, authorization and accounting (AAA) functional network element.
- the authentication network element 207 may be located inside the 3GPP network or in a third-party network.
- the authentication network element 207 may be a separate network element, or may be co-located with other network functions (for example, an authentication server function (AUSF) or a network exposure function (NEF)).
- the authentication network element may also be called an authentication device or an authentication entity.
- the above-mentioned 5G communication system further includes a UPF network element 203, which can realize the functions of terminal packet forwarding, statistics, and detection.
- UPF network elements may also be called UPF devices or UPF entities.
- the above 5G communication system also includes DN 204.
- the DN may be a service provided by an operator, an Internet access service, or a service provided by a third party.
- the above 5G communication system further includes a unified data management (UDM) network element 208.
- the UDM network element 208 can store the subscription data of the terminal.
- the subscription data of the terminal includes subscription data related to mobility management and subscription data related to session management.
- the UDM network element may also be called a UDM device or UDM entity.
- the above 5G communication system further includes a network function repository function (NRF) network element 209.
- the network element can provide a network element service discovery function.
- the NRF network element 209 can also maintain the information of effective network function network elements in the core network.
- the NRF network element 209 can also maintain services supported by effective network function network elements in the core network.
- the above 5G communication system further includes an unstructured data storage function (UDSF) network element 210.
- the network element can provide the function of storing and transferring unstructured data.
- Each of the above network elements may be a network element implemented on dedicated hardware, or a software instance running on dedicated hardware, or an instance of a virtualization function on an appropriate platform.
- the above virtualization platform may be a cloud platform.
- the embodiments of the present application can also be applied to other future-oriented communication technologies.
- the network architecture and business scenarios described in this application are intended to explain the technical solutions of this application more clearly, and do not constitute a limitation on the technical solutions provided by this application. Those of ordinary skill in the art will know that, with the evolution of network architecture and the emergence of new business scenarios, the technical solutions provided by this application are also applicable to similar technical problems.
- FIG. 3 is an authentication method provided by an embodiment of the present application.
- the first SMF network element can obtain the authentication result of the network slice where the second SMF network element is located, and determine whether to perform the authentication process of the network slice according to the authentication result. Therefore, repeated authentication of the network slice when establishing a session associated with the first SMF network element is avoided.
- the method may include:
- the first session management function network element receives from the first network element the authentication result of the network slice where the second session management function network element is located.
- the first session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
- the first session management function network element is SMF-1 in FIG. 1.
- the second session management function network element is SMF-2 in FIG. 1.
- the network slice where the second session management function network element is located is the first network slice in FIG. 1.
- the data network supported by the first session management function network element is DN-1 in FIG. 1, and the data network supported by the second session management function network element is DN-2 in FIG.
- the first network element is UDM network element 208, AMF network element 205, NRF network element 209, or UDSF network element 210 in FIG.
- the authentication result of the network slice where the second SMF network element is located is authentication success or authentication failure.
- the network element of the first session management function determines whether to perform the network slice authentication process according to the authentication result.
- the first SMF network element determines to abandon the authentication process of the network slice.
- the first SMF network element determines to perform the authentication process of the network slice.
- the first SMF network element can obtain the authentication result of the network slice where the second SMF network element is located. Since the first SMF network element and the second SMF network element are located in the same network slice, the first SMF network element can determine, according to the authentication result, whether to perform the authentication process of the network slice. Repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
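The decision logic described above, as an added example that is not code from the patent: a Python model in which one SMF records the slice authentication result with the first network element and another SMF in the same slice consults it before deciding whether to authenticate. The class names, the (SUPI, S-NSSAI) lookup key, and the sample identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple


class AuthResult(Enum):
    SUCCESS = "authentication success"
    FAILURE = "authentication failure"


# Assumption: results are keyed on BOTH the terminal identifier and the slice
# identifier, so one terminal's success is never reused for another terminal.
Key = Tuple[str, str]  # (SUPI, S-NSSAI)


@dataclass
class FirstNetworkElement:
    """Stand-in for the UDM/AMF/NRF/UDSF role: holds slice authentication results."""
    _results: Dict[Key, AuthResult] = field(default_factory=dict)

    def store(self, supi: str, s_nssai: str, result: AuthResult) -> None:
        # "First information": the result plus terminal and slice identifiers.
        self._results[(supi, s_nssai)] = result

    def query(self, supi: str, s_nssai: str) -> Optional[AuthResult]:
        # None models a query response saying no result is stored.
        return self._results.get((supi, s_nssai))

    def delete(self, supi: str, s_nssai: str) -> None:
        # Deletion request: the stored result is removed.
        self._results.pop((supi, s_nssai), None)


@dataclass
class AuthenticationNetworkElement:
    """Stand-in for the authentication network element; counts how often it is used."""
    authorized: Set[Key]
    calls: int = 0

    def authenticate(self, supi: str, s_nssai: str) -> AuthResult:
        self.calls += 1
        ok = (supi, s_nssai) in self.authorized
        return AuthResult.SUCCESS if ok else AuthResult.FAILURE


@dataclass
class Smf:
    name: str
    dnn: str
    first_ne: FirstNetworkElement
    authenticate: Callable[[str, str], AuthResult]

    def establish_session(self, supi: str, s_nssai: str) -> Tuple[bool, AuthResult]:
        """Return (authentication_performed, result) for one session establishment."""
        known = self.first_ne.query(supi, s_nssai)
        if known is AuthResult.SUCCESS:
            # Stored success: abandon the slice authentication process.
            return False, known
        # No stored result, or a stored failure: perform authentication,
        # then report the fresh result to the first network element.
        result = self.authenticate(supi, s_nssai)
        self.first_ne.store(supi, s_nssai, result)
        return True, result


def demo() -> dict:
    # Constructed sample identifiers, not real subscriber data.
    ue1, ue2, slice1 = "supi-constructed-001", "supi-constructed-002", "s-nssai-slice-1"
    first_ne = FirstNetworkElement()
    aaa = AuthenticationNetworkElement(authorized={(ue1, slice1)})
    smf1 = Smf("SMF-1", "DNN-1", first_ne, aaa.authenticate)
    smf2 = Smf("SMF-2", "DNN-2", first_ne, aaa.authenticate)

    steps = [
        smf1.establish_session(ue1, slice1),  # first session: must authenticate
        smf2.establish_session(ue1, slice1),  # second session: stored success reused
        smf2.establish_session(ue2, slice1),  # other terminal: no reuse, fails
        smf1.establish_session(ue2, slice1),  # stored failure does not skip auth
    ]
    first_ne.delete(ue1, slice1)              # deletion request for ue1's result
    steps.append(smf2.establish_session(ue1, slice1))  # authenticates again
    return {"steps": steps, "aaa_calls": aaa.calls}


if __name__ == "__main__":
    for performed, result in demo()["steps"]:
        print("authenticated" if performed else "skipped", "->", result.value)
```
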
- FIG. 4 is a flowchart of an authentication method provided by an embodiment of the present application.
- the flowchart shown in FIG. 4 describes the scenario where the first network element is a UDM network element in step S301 of FIG. 3: the first SMF network element receives the authentication result of the network slice where the second SMF network element is located from the UDM network element, to determine whether to perform the authentication process of the network slice based on the authentication result. Repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- Steps S401 to S409 describe the process of the terminal device initiating the first session.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDM network element (the first network element in FIG. 3).
- Steps S410 to S419 describe the process of the terminal device initiating the second session.
- the SMF-2 network element (the first SMF network element in FIG. 3) receives the authentication result of the first network slice from the UDM network element and, according to the authentication result, determines whether to perform the authentication process of the first network slice.
- the method shown in FIG. 4 may include:
- the terminal device sends a first session establishment request to the AMF network element.
- the AMF network element receives the first session establishment request from the terminal device.
- the terminal device is the terminal device 201 in FIG. 2, and the AMF network element is the AMF network element 205 in FIG. 2.
- the terminal device sends the first session establishment request to the AMF network element according to the allowed network slice selection assistance information (Allowed NSSAI) obtained during the registration process.
- the Allowed NSSAI includes single network slice selection assistance information (S-NSSAI) corresponding to the first network slice.
- the first session establishment request message includes the PDU session identifier (ID) ID-1, the S-NSSAI of the first network slice, and the first data network name (DNN) DNN-1.
- the session establishment request further includes a certificate for performing authentication of the first network slice.
- the AMF network element determines the NSI ID corresponding to the S-NSSAI. In other words, the AMF network element determines the NSI serving the terminal device.
- the AMF network element selects the SMF-1 network element.
- the SMF-1 network element is the SMF-1 network element in FIG.
- the SMF-1 network element supports the first network slice and DNN-1
- the AMF network element selects the SMF-1 network element for the first session according to S-NSSAI and DNN-1 of the first network slice in the session establishment request message.
- the AMF network element sends a session management context creation request to the SMF-1 network element.
- the SMF-1 network element receives a request to create a session management context from the AMF network element.
- the AMF network element invokes a service for creating a session management context request (for example, Nsmf_PDUSession_CreateSMContextRequest) to trigger the SMF-1 network element to create a session management context for the terminal device.
- the message sent by the AMF network element to the SMF-1 network element through the create session management context request service includes the terminal's subscription permanent identifier (SUPI), S-NSSAI, DNN-1 and the first PDU session identifier ID-1.
- the SMF-1 network element registers with the UDM network element.
- the SMF-1 network element calls a registration (eg, Nudm_UECM_Registration) service to register with the UDM network element.
- the message sent by the SMF-1 network element to the UDM network element through the registration service includes the SUPI, DNN-1 of the terminal device, and the first PDU session identifier ID-1.
- the UDM network element stores the identifier of the SMF-1 network element, the address of the SMF-1 network element, SUPI, DNN-1, and the first PDU session identifier ID-1.
- the SMF-1 network element obtains the first session management subscription information from the UDM network element.
- the SMF-1 network element obtains the first session management subscription information from the UDM network element by calling a service for obtaining session management subscription information (for example, Nudm_SDM_Get).
- the message sent by the SMF-1 network element to the UDM network element by obtaining the session management subscription information service includes SUPI, DNN-1 and S-NSSAI.
- the SMF-1 network element subscribes with the UDM network element to updates of the terminal device's first session management subscription information by calling a service for subscribing to session management subscription information (for example, Nudm_SDM_Subscribe).
- the message sent by the SMF-1 network element to the UDM network element through the subscription session management subscription information service includes SUPI, DNN-1 and S-NSSAI.
- Steps S404a and S404b are optional steps.
- the SMF-1 network element sends a session management context creation response to the AMF network element.
- the AMF network element receives a response to create a session management context from the SMF-1 network element.
- the SMF-1 network element returns the first session management context to the AMF by calling the create session management context response (for example, Nsmf_PDUSession_CreateSMContext Response) service.
- the SMF-1 network element determines that authentication of the first network slice needs to be performed.
- the SMF-1 network element determines that authentication of the first network slice needs to be performed through the subscription information of the terminal device.
- the subscription information includes the S-NSSAI subscribed to by the terminal device.
- the subscription information also includes indication information, used to indicate whether the S-NSSAI needs to perform the network slice authentication process.
- the subscribed S-NSSAI includes the S-NSSAI of the first network slice, indicating that the first network slice is a network slice allowed by the subscription. Therefore, the SMF-1 network element may determine that authentication of the first network slice needs to be performed according to the indication information in the subscription information that the S-NSSAI of the first network slice needs to perform authentication.
- the SMF-1 network element determines that the first network slice needs to be authenticated according to the local configuration information of the SMF-1 network element.
- Step S406 is an optional step.
- the SMF-1 network element sends the first authentication request to the authentication network element.
- the authentication network element receives the first authentication request from the SMF-1 network element.
- the authentication network element is the authentication network element 207 in FIG. 2.
- the first authentication request includes a certificate for authenticating the first network slice.
- the SMF-1 network element sends the first authentication request to the authentication network element through the UPF-1 network element.
- the SMF-1 network element may obtain the certificate by sending a request message to the terminal device, and then send the certificate to the authentication network element.
- the authentication network element sends the first authentication result to the SMF-1 network element.
- the SMF-1 network element receives the first authentication result from the authentication network element.
- the authentication network element sends the first authentication result to the SMF-1 network element through an authentication response message.
- the authentication response message further includes first cause value information.
- the first cause value information is used to indicate that the authentication of the first network slice failed because the certificate used to authenticate the first network slice is wrong or invalid.
- the SMF-1 network element sends the first information to the UDM network element.
- the UDM network element receives the first information from the SMF-1 network element.
- the first information includes the first authentication result in step S408. That is, when the first authentication result is that the authentication is successful, the SMF-1 network element sends first information indicating that the authentication is successful to the UDM network element. When the first authentication result is that the authentication fails, the SMF-1 network element sends first information indicating the authentication failure to the UDM network element.
- when the first authentication result is that the authentication is successful, the SMF-1 network element sends the first information to the UDM network element.
- the first information may be used to indicate the successful authentication of the first network slice.
- the SMF-1 network element may not need to send the first information to the UDM network element.
- the first information further includes at least one of an identifier of the first network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- the SMF-1 network element sends the first information to the UDM network element by calling a user information update (for example, Nudm_UECM_Update) service.
- the UDM network element saves the first information.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDM network element (the first network element in FIG. 3).
- the SMF-1 network element continues to execute the first session establishment process; if the first authentication result in step S408 is authentication failure, the first session establishment fails.
- the session management function network element receives the authentication result (for example, the first authentication result) of the network slice where the session management function network element is located (for example, the first network slice); the session management function network element sends first information (for example, the first information in step S409) to the first network element (for example, the UDM network element),
- the first information includes the authentication result.
- the authentication result is that the authentication is successful.
- the authentication result is authentication failure.
- the network element of the session management function sends the first information to the first network element.
- the network element of the session management function does not need to send the first information to the first network element.
- the first information further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- Steps S410 to S419 describe the process in which the terminal device initiates establishment of the second PDU session while the first PDU session is in the activated state, that is, while the first PDU session still exists.
- the terminal device sends a second session establishment request to the AMF network element.
- the AMF network element receives the second session establishment request from the terminal device.
- the terminal device sends the second session establishment request to the AMF network element according to the Allowed NSSAI obtained in the registration process.
- Allowed NSSAI includes the S-NSSAI corresponding to the first network slice.
- the second session establishment request message includes the PDU session identifier ID-2, the S-NSSAI of the first network slice, and the second data network name DNN-2.
- the session establishment request further includes a certificate for performing authentication of the first network slice.
- the AMF network element selects the SMF-2 network element.
- the SMF-2 network element is the SMF-2 network element in FIG.
- the SMF-2 network element supports the first network slice and DNN-2, and the AMF network element selects the SMF-2 network element for the first session according to the S-NSSAI and DNN-2 of the first network slice in the session establishment request message.
- the AMF network element sends a session management context creation request to the SMF-2 network element.
- the SMF-2 network element receives a request to create a session management context from the AMF network element.
- the AMF network element invokes a service for creating a session management context request (for example, Nsmf_PDUSession_CreateSMContext Request) to trigger the SMF-2 network element to create a session management context for the terminal device.
- the message sent by the AMF network element to the SMF-2 network element through the create session management context request service includes the SUPI of the terminal device, S-NSSAI, DNN-2 and the second PDU session identifier ID-2.
- the SMF-2 network element registers with the UDM network element.
- the SMF-2 network element invokes a registration (for example, Nudm_UECM_Registration) service to register with the UDM network element.
- the message sent by the SMF-2 network element to the UDM network element through the registration service includes the SUPI of the terminal device, DNN-2, and the second PDU session identifier ID-2.
- the UDM network element stores the identifier of the SMF-2 network element, the address of the SMF-2 network element, SUPI, DNN-2, and the second PDU session identifier ID-2.
- Step S413a is an optional step.
- the SMF-2 network element obtains the second session management subscription information from the UDM network element.
- the SMF-2 network element obtains the second session management subscription information from the UDM network element by calling a service for obtaining session management subscription information (for example, Nudm_SDM_Get).
- the message sent by the SMF-2 network element to the UDM network element through the service for obtaining session management subscription information includes SUPI, DNN-2 and S-NSSAI.
- if, in step S409, the SMF-1 network element sends the first information indicating the success or failure of the authentication to the UDM network element, the UDM network element receives the first authentication result from the SMF-1 network element, and the UDM network element also sends the first authentication result, whether success or failure, to the SMF-2 network element.
- the first authentication result is used in the subsequent step S415 to determine whether to perform the authentication process of the first network slice. In other words, since the SMF-2 network element receives the first authentication result, it is determined that the subsequent step S415 needs to be performed.
- the first authentication result sent by the UDM network element to the SMF-2 network element may also be indication information indicating successful authentication or failed authentication.
- the SMF-1 network element sends the first information to the UDM network element. Then, when the first authentication result is that the authentication is successful, the UDM network element also sends the first authentication result indicating the successful authentication to the SMF-2 network element. Alternatively, the first authentication result sent by the UDM network element to the SMF-2 network element may also be indication information indicating that the authentication is successful. If the SMF-2 network element does not receive the authentication result from the UDM network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process.
- the SMF-2 network element subscribes with the UDM network element to updates of the second session management subscription information of the terminal device by calling a service for subscribing to session management subscription information (for example, Nudm_SDM_Subscribe).
- the message sent by the SMF-2 network element to the UDM network element through the subscription session management subscription information service includes SUPI, DNN-1 and S-NSSAI.
- the SMF-2 network element sends a session management context creation response to the AMF network element.
- the AMF network element receives a session management context creation response from the SMF-2 network element.
- the SMF-1 network element returns a second session management context to the AMF by invoking a create session management context response (for example, Nsmf_PDUSession_CreateSMContext Response) service.
- the SMF-2 network element determines whether to perform the authentication process of the first network slice.
- the SMF-2 network element receives the first authentication result in step S413b, and determines that step S415 needs to be performed.
- the SMF-2 network element determines whether to perform the authentication process of the first network slice according to the first authentication result. If the first authentication result is that the authentication is successful, the SMF-2 network element determines to abandon the authentication process of the first network slice. In other words, the SMF-2 network element judges that the authentication process of the first network slice is not to be performed according to the first authentication result, or that the authentication process of the first network slice is skipped. Therefore, when the first authentication result is that the authentication is successful, the SMF-2 network element executes step S416: the SMF-2 network element determines to abandon the authentication process of the first network slice.
- the SMF-2 network element determines to execute the authentication process of the first network slice. That is, the SMF-2 network element performs the authentication process of the first network slice through steps S417 and S418.
- when the SMF-2 network element receives the information indicating that the authentication is successful from the UDM network element, it can learn that the first network slice has been successfully authenticated, so that it can determine to give up re-authentication of the first network slice. If the SMF-2 network element does not receive the authentication result from the UDM network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process, and thus determines that subsequent steps S417 and S418 can be performed. In this way, the SMF-2 network element learns the authentication result of the first network slice by receiving information indicating that the authentication is successful, which can also be regarded as determining whether to perform the authentication process of the first network slice based on the authentication result.
- the judgment condition of whether to perform the authentication process of the first network slice further includes: subscription information of the terminal device.
- the SMF-2 network element determines that authentication of the first network slice needs to be performed through the subscription information of the terminal device.
- the subscription information includes the S-NSSAI subscribed to by the terminal device and indication information indicating whether the S-NSSAI needs to perform the authentication process of the network slice.
- the SMF-2 network element may determine that authentication of the first network slice needs to be performed according to the indication information in the subscription information that the S-NSSAI of the first network slice needs to perform authentication.
- the SMF-2 network element determines that the first network slice needs to be authenticated according to the local configuration information of the SMF-2 network element.
- when the SMF-2 network element determines, according to the subscription information of the terminal device or local configuration information, that authentication of the first network slice does not need to be performed, the above-mentioned judgment based on the first authentication result, or on whether information about the authentication has been received, may be skipped, thereby simplifying the process.
- the SMF-2 network element sends a second authentication request to the authentication network element.
- the authentication network element receives the second authentication request from the SMF-2 network element.
- the second authentication request includes a certificate for authenticating the first network slice.
- the SMF-1 network element sends an authentication request message to the authentication network element through the UPF-1 network element.
- the SMF network element may obtain the certificate by sending a request message to the terminal device, and then send the certificate to the authentication network element.
- the authentication network element sends the second authentication result to the SMF-2 network element.
- the SMF-2 network element receives the second authentication result from the authentication network element.
- the authentication network element sends the authentication result to the SMF-2 network element through an authentication response message.
- step S417 the SMF-2 network element executes step S417:
- step S418 the SMF-2 network element executes step S419:
- the SMF-2 network element sends the second information to the UDM network element.
- the UDM network element receives the second information from the SMF-2 network element.
- the first information includes the second authentication result in step S418. That is, when the second authentication result is that the authentication is successful, the SMF-2 network element sends second information indicating that the authentication is successful to the UDM network element. When the second authentication result is that the authentication fails, the SMF-1 network element sends second information indicating the authentication failure to the UDM network element.
- when the second authentication result is that the authentication is successful, the SMF-2 network element sends the second information to the UDM network element.
- the second information may be used to indicate the successful authentication of the first network slice.
- the SMF-2 network element may not need to send the second information to the UDM network element.
- the second information further includes at least one of an identifier of the first network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- the SMF-2 network element sends the second information to the UDM network element by calling a user information update (for example, Nudm_UECM_Update) service.
- the UDM network element saves the second information.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDM network element (the first network element in FIG. 3).
- the SMF-2 network element receives the authentication result of the first network slice from the UDM network element, and determines whether to execute the authentication process of the first network slice according to the authentication result. Because the SMF-1 network element and the SMF-2 network element are located in the first network slice, the SMF-2 network element can obtain the authentication result of the first network slice from the UDM network element.
- the SMF-2 network element determines to abandon the authentication process of the network slice. The repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- FIG. 5 is a flowchart of another authentication method provided by an embodiment of the present application.
- the method described in FIG. 5 can be applied to the following scenario: Before step S413b of FIG. 4 is executed, the first session is released, and the authentication result obtained by the UDM network element in step S409 is also deleted. Therefore, when the SMF-2 network element executes step S413b, the first authentication result cannot be obtained from the UDM network element.
- the method shown in FIG. 5 may include:
- Steps S501 to S509 can refer to the description of steps S401 to S409 in FIG. 4 and will not be repeated here.
- the method shown in Figure 5 also includes:
- the SMF-1 network element determines to release the first session.
- the release process of the first session may be triggered by the terminal device or triggered by the network.
- Step S510 is an optional step.
- the SMF-1 network element sends a delete request to the UDM network element.
- the SMF-1 network element sends a delete request to the UDM network element by calling a deregistration (for example, Nudm_UECM_Deregistration) service.
- the message sent by the SMF-1 network element to the UDM network element through the deregistration service includes the identifier of the SMF-1 network element, DNN-1, and the first PDU session identifier ID-1.
- the UDM network element deletes the first information.
- the UDM network element deletes the first information according to the deletion request received in step S511.
- the first network element receives the first information (for example, the first information in step S509) from the session management function network element (for example, the SMF-1 network element), and the first information includes the authentication result (for example, the first authentication result) of the network slice where the session management function network element is located (for example, the first network slice); the first network element receives the deletion request (for example, the deletion request in step S511), and the deletion request is used to instruct the first network element to delete the authentication result.
- the authentication result in this method is that the authentication is successful.
- the first information in the method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- Steps S513 to S521 describe that the terminal device initiates the process of establishing the second PDU session after the first PDU session is released.
- Steps S513 to S516a can refer to the description of steps S410 to S413a in FIG. 4 and will not be repeated here.
- the method further includes step S516b. It should be noted that step S516b occurs after step S512.
- the SMF-2 network element obtains the second session management subscription information.
- the SMF-2 network element obtains the second session management subscription information from the UDM network element by calling a service for obtaining session management subscription information (for example, Nudm_SDM_Get).
- the message sent by the SMF-2 network element to the UDM network element through the service for obtaining session management subscription information includes SUPI, DNN-2 and S-NSSAI.
- the SMF-2 network element subscribes with the UDM network element to updates of the second session management subscription information of the terminal device by calling a service for subscribing to session management subscription information (for example, Nudm_SDM_Subscribe).
- the messages sent by the SMF-2 network element to the UDM network element through the subscription session management subscription information service include SUPI, DNN-1 and S-NSSAI.
- the method further includes step S517.
- S517 may refer to the description of step S414 in FIG. 4 and will not be repeated here.
- the method further includes step S518.
- the SMF-2 network element determines that authentication of the first network slice needs to be performed.
- the SMF-2 network element determines that authentication of the first network slice needs to be performed through the subscription information of the terminal device.
- the subscription information includes the S-NSSAI subscribed to by the terminal device.
- the subscription information also includes indication information, used to indicate whether the S-NSSAI needs to perform the network slice authentication process. Because the first network slice is a network slice allowed by the subscription, the subscribed S-NSSAI includes the S-NSSAI of the first network slice. Therefore, the SMF-2 network element may determine that authentication of the first network slice needs to be performed according to the indication information in the subscription information that the S-NSSAI of the first network slice needs to perform authentication.
- the SMF-2 network element determines that the first network slice needs to be authenticated according to the local configuration information of the SMF-2 network element.
- the method further includes steps S519 to S521.
- for steps S519 to S521, reference may be made to the description of steps S417 to S419 in FIG. 4, which will not be repeated here.
- the SMF-1 network element sends the first information to the UDM network element, and the first information includes the authentication result of the first network slice.
- the UDM network element receives the deletion request and deletes the first information. Therefore, after the first session is released, the storage space in the UDM network element can be saved.
- the information received by the SMF-2 network element from the UDM network element does not include the authentication result of the first network slice, and the SMF-2 network element performs authentication of the first network slice and sends the second information including the second authentication result to the UDM network element.
- other SMF network elements different from the SMF-2 network element may obtain the second authentication result from the UDM network element, and determine whether to perform the authentication process of the first network slice according to the second authentication result. Therefore, repeated authentication of the first network slice when the second authentication result is successful authentication is avoided, thereby reducing signaling interaction.
- because step S513 occurs after the first session is released, there is only one session initiated by the terminal device. Therefore, the second PDU session identifier ID-2 and the first PDU session identifier ID-1 may be the same or different. If the DNN-2 of the second PDU session is the same as the DNN-1 of the first PDU session, the SMF-2 network element selected by the AMF network element for the second session and the SMF-1 network element of the first session may be the same; if the DNN-2 of the second PDU session is different from the DNN-1 of the first PDU session, then the SMF-2 network element selected by the AMF network element for the second session may be different from the SMF-1 network element of the first session. This solution does not limit whether the SMF-2 network element corresponding to the second session and the SMF-1 network element corresponding to the first session are the same or different.
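The decision of FIG. 4 and the deletion of FIG. 5, as an added example that is not part of the patent text: a toy in-memory model of the UDM, the SMF network elements and the authentication network element. The class and method names, the identifier values, and the choice to key stored results by (SUPI, S-NSSAI) together with the PDU session that stored them are assumptions made for illustration; no real service-based interface is called.

```python
"""Toy model of the stored slice-authentication result (FIG. 4 and FIG. 5).
All names and values below are hypothetical and constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class AuthResult(Enum):
    SUCCESS = "success"
    FAILURE = "failure"


@dataclass
class Outcome:
    established: bool        # did session establishment continue?
    authenticated_now: bool  # did this SMF send an authentication request itself?


class AuthServer:
    """Stands in for the authentication network element; counts requests."""
    def __init__(self, valid_credential):
        self._valid = valid_credential
        self.requests = 0

    def authenticate(self, credential):
        self.requests += 1
        return AuthResult.SUCCESS if credential == self._valid else AuthResult.FAILURE


class Udm:
    """Stands in for the UDM: subscription indication plus stored results."""
    def __init__(self, auth_required):
        self._auth_required = auth_required  # S-NSSAI -> bool (indication information)
        self._results = {}                   # (SUPI, S-NSSAI) -> (AuthResult, session id)

    def get_subscription(self, supi, snssai):
        """Return (authentication required?, stored result or None)."""
        stored = self._results.get((supi, snssai))
        return self._auth_required.get(snssai, False), (stored[0] if stored else None)

    def update(self, supi, snssai, result, session_id):
        """Save the first/second information (steps S409 / S419)."""
        self._results[(supi, snssai)] = (result, session_id)

    def deregister(self, supi, session_id):
        """Delete results stored by the released session (steps S511 / S512)."""
        for key in [k for k, v in self._results.items()
                    if k[0] == supi and v[1] == session_id]:
            del self._results[key]


class Smf:
    def __init__(self, name, udm, auth_server):
        self.name, self.udm, self.auth = name, udm, auth_server

    def establish(self, supi, snssai, session_id, credential):
        required, stored = self.udm.get_subscription(supi, snssai)
        if not required:
            return Outcome(True, False)   # subscription says no slice authentication
        if stored is AuthResult.SUCCESS:
            return Outcome(True, False)   # step S416: abandon re-authentication
        # No stored result, or a stored failure: authenticate and report the result.
        result = self.auth.authenticate(credential)
        self.udm.update(supi, snssai, result, session_id)
        return Outcome(result is AuthResult.SUCCESS, True)

    def release(self, supi, session_id):
        self.udm.deregister(supi, session_id)


SUPI, SNSSAI = "supi-constructed-001", "snssai-constructed-1"


def _network():
    auth = AuthServer(valid_credential="good")
    udm = Udm({SNSSAI: True})
    return auth, Smf("SMF-1", udm, auth), Smf("SMF-2", udm, auth)


def fig4_scenario():
    """Second session while the first is active: SMF-2 reuses the stored success."""
    auth, smf1, smf2 = _network()
    first = smf1.establish(SUPI, SNSSAI, "ID-1", "good")
    second = smf2.establish(SUPI, SNSSAI, "ID-2", "good")
    return first, second, auth.requests


def fig5_scenario():
    """First session released before the second: the result is gone, so SMF-2 authenticates."""
    auth, smf1, smf2 = _network()
    smf1.establish(SUPI, SNSSAI, "ID-1", "good")
    smf1.release(SUPI, "ID-1")
    second = smf2.establish(SUPI, SNSSAI, "ID-2", "good")
    return second, auth.requests


def failure_scenario():
    """A stored failure never lets a later session skip authentication."""
    auth, smf1, smf2 = _network()
    first = smf1.establish(SUPI, SNSSAI, "ID-1", "bad")
    second = smf2.establish(SUPI, SNSSAI, "ID-2", "good")
    return first, second, auth.requests


if __name__ == "__main__":
    print(fig4_scenario(), fig5_scenario(), failure_scenario(), sep="\n")
```

In this model only an explicit stored success for the same SUPI and S-NSSAI skips the authentication request; a missing or failed result is handled the same way, by authenticating again.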
- FIG. 6 is a flowchart of another authentication method provided by an embodiment of the present application.
- the flowchart shown in FIG. 6 describes the scenario where the first network element is an AMF network element in step S301 of FIG. 3: the first SMF network element receives the authentication result of the network slice where the second SMF network element is located from the AMF network element, to determine whether to perform the authentication process of the network slice based on the authentication result. The repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- Steps S601 to S609 describe the process in which the terminal device initiates the first session.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the AMF network element (the first network element in FIG. 3).
- Steps S610 to S620 describe the process of the terminal device initiating the second session.
- the SMF-2 network element receives the authentication result of the first network slice from the AMF network element, and according to the authentication result, determines whether to perform the authentication process of the first network slice.
- FIG. 6 may be combined with the description of FIG. 4, and the method shown in FIG. 6 may include:
- Steps S601 to S608 can refer to the description of steps S401 to S408 in FIG. 4 and will not be repeated here.
- the SMF-1 network element sends the first information to the AMF network element.
- the AMF network element receives the first information from the SMF-1 network element.
- the first information includes the first authentication result in step S608. That is, when the first authentication result is that the authentication is successful, the SMF-1 network element sends first information indicating that the authentication is successful to the AMF network element. When the first authentication result is that the authentication fails, the SMF-1 network element sends first information indicating the authentication failure to the AMF network element.
- the first information further includes at least one of an identifier of the first network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- the SMF-1 network element sends the first information to the AMF network element by calling an information transmission (for example, Namf_Communication_N1N2MessageTransfer) service.
- the message sent by the SMF-1 network element to the AMF network element through the information transmission service also includes SUPI and S-NSSAI of the first network slice.
- the AMF network element saves the first information in the context of the terminal device.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the AMF network element (the first network element in FIG. 3).
- the SMF-1 network element continues to perform the first session establishment process; if the first authentication result in step S608 is authentication failure, the first session establishment fails.
- the session management function network element receives the authentication result (for example, the first authentication result) of the network slice where the session management function network element is located (for example, the first network slice); the session management function network element sends first information (for example, the first information in step S609) to the first network element (for example, the AMF network element),
- the first information includes the authentication result.
- the authentication result is that the authentication is successful.
- the authentication result is authentication failure.
- the network element of the session management function sends the first information to the first network element.
- the network element of the session management function does not need to send the first information to the first network element.
- the first information further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- Steps S610 to S620 describe the process in which the terminal device initiates establishment of the second PDU session while the first PDU session is in the active state, that is, while the first PDU session still exists.
- Steps S610 to S611 can refer to the description of steps S410 to S411 in FIG. 4 and will not be repeated here.
- the method further includes step S612.
- the AMF network element determines that the network has performed authentication on the first network slice.
- the AMF network element sends a session management context creation request to the SMF-2 network element.
- the SMF-2 network element receives a request to create a session management context from the AMF network element.
- the AMF network element invokes a service for creating a session management context request (for example, Nsmf_PDUSession_CreateSMContext Request) to trigger the SMF-2 network element to create a session management context for the terminal device.
- the message sent by the AMF network element to the SMF-2 network element by creating a session management context request service includes the SUPI, S-NSSAI, DNN-2 and second PDU session identification ID-2 of the terminal device.
- if, in step S609, the SMF-1 network element sends the first information indicating the success or failure of the authentication to the AMF network element, that is, the AMF network element receives the first authentication result from the SMF-1 network element, the AMF network element also sends the first authentication result (success or failure) to the SMF-2 network element.
- the first authentication result is used in subsequent step S616 to determine whether to perform the authentication process of the first network slice. That is, since the SMF-2 network element receives the first authentication result, it is determined that the subsequent step S616 needs to be performed.
- the first authentication result sent by the AMF network element to the SMF-2 network element may also be indication information indicating successful authentication or failed authentication.
- the SMF-1 network element sends the first information to the AMF network element. Then, when the first authentication result is that the authentication is successful, the AMF network element also sends the first authentication result indicating the successful authentication to the SMF-2 network element. Alternatively, the first authentication result sent by the AMF network element to the SMF-2 network element may also be indication information indicating that the authentication is successful. If the SMF-2 network element does not receive the authentication result from the AMF network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process.
- the method further includes S614a and S614b.
- for step S614a, reference may be made to the description of step S413a in FIG. 4, which will not be repeated here.
- the SMF-2 network element obtains the second session management subscription information from the UDM network element.
- the SMF-2 network element obtains the second session management subscription information from the UDM network element by calling a service for obtaining session management subscription information (for example, Nudm_SDM_Get).
- the message sent by the SMF-2 network element to the UDM network element by obtaining the session management subscription information service includes SUPI, DNN-2 and S-NSSAI.
- the SMF-2 network element subscribes to the UDM network element to update the second session management subscription information of the terminal device by calling a subscription session management subscription information (for example, Nudm_SDM_Subscribe) service.
- the message sent by the SMF-2 network element to the UDM network element through the subscription session management subscription information service includes SUPI, DNN-1 and S-NSSAI.
- the method also includes steps S615 to S617.
- for steps S615 and S617, reference may be made to the description of steps S414 and S416 in FIG. 4, which will not be repeated here.
- the SMF-2 network element determines whether to perform the authentication process of the first network slice.
- the SMF-2 network element receives the first authentication result in step S613, and determines that step S616 needs to be performed.
- the SMF-2 network element determines whether to perform the authentication process of the first network slice according to the first authentication result. If the first authentication result is that the authentication is successful, the SMF-2 network element determines to abandon the authentication process of the first network slice. In other words, the SMF-2 network element judges that the authentication process of the first network slice is not to be performed according to the first authentication result, or that the authentication process of the first network slice is skipped. Therefore, when the first authentication result is that the authentication is successful, the SMF-2 network element executes step S617: the SMF-2 network element determines to abandon the authentication process of the first network slice.
- the SMF-2 network element determines to execute the authentication process of the first network slice. That is, the SMF-2 network element performs the authentication process of the first network slice through steps S618 and S619.
- when the SMF-2 network element receives the information indicating that the authentication is successful from the AMF network element, it can learn that the first network slice has been successfully authenticated, and can therefore determine to give up re-authentication of the first network slice. If the SMF-2 network element does not receive the authentication result from the AMF network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process, and therefore determines that subsequent steps S618 and S619 can be performed. In this way, the SMF-2 network element learns the authentication result of the first network slice by receiving information indicating that the authentication is successful, which can also be regarded as determining whether to perform the authentication process of the first network slice based on the authentication result.
- the judgment condition of whether to perform the authentication process of the first network slice further includes: subscription information of the terminal device.
- the SMF-2 network element determines that authentication of the first network slice needs to be performed through the subscription information of the terminal device.
- the subscription information includes S-NSSAI subscribed by the terminal device and instruction information indicating whether the S-NSSAI needs to perform the authentication process of network slicing.
- the SMF-2 network element may determine that authentication of the first network slice needs to be performed according to the indication information, in the subscription information, that the S-NSSAI of the first network slice needs to perform authentication.
- the SMF-2 network element determines that the first network slice needs to be authenticated according to the local configuration information of the SMF-2 network element.
- if the SMF-2 network element determines, according to the subscription information of the terminal device or local configuration information, that it does not need to perform authentication on the first network slice, the above-mentioned judgment based on the first authentication result, or on whether the information about the authentication has been received, may be skipped, thereby simplifying the process.
- the method further includes steps S618 to S620.
- for steps S618 to S620, reference may be made to the description of steps S417 to S419 in FIG. 4, which will not be repeated here.
- the present invention discloses an authentication method as follows: the first network element (for example, the AMF network element) receives the first information (for example, the first information in step S609) from the first session management function network element (for example, the SMF-1 network element), and the first information includes the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) where the first session management function network element is located.
- the first network element sends the authentication result to the second session management function network element (for example, the SMF-2 network element); the second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
- the authentication result in this method is that the authentication is successful.
- the first information in the method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the AMF network element (the first network element in FIG. 3).
- the SMF-2 network element receives the authentication result of the first network slice from the AMF network element, and determines whether to execute the authentication process of the first network slice according to the authentication result. Because the SMF-1 network element and the SMF-2 network element are both located in the first network slice, the SMF-2 network element can obtain the authentication result of the first network slice from the AMF network element.
- the SMF-2 network element determines to abandon the authentication process of the network slice. The repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- FIG. 7 is a flowchart of another authentication method provided by an embodiment of the present application.
- the method described in FIG. 7 can be applied to the following scenario: Before step S613 of FIG. 6 is executed, the first session is released, and the authentication result obtained by the AMF network element in step S609 is also deleted. Therefore, when the SMF-2 network element executes step S613, the first authentication result cannot be obtained from the AMF network element.
- FIG. 7 will be described in conjunction with FIGS. 5 and 6.
- the method shown in FIG. 7 may include:
- for steps S701 to S709, reference may be made to the description of steps S601 to S609 in FIG. 6, which will not be repeated here.
- the method shown in Figure 7 also includes:
- the AMF network element determines to release the first session.
- the release process of the first session may be triggered by the terminal device or triggered by the network.
- the AMF network element receives a deletion request from the terminal device, and the deletion request is used to instruct the first network element to delete the authentication result.
- Step S710 is an optional step.
- the AMF network element deletes the first information.
- the first network element receives the first information (for example, the first information in step S709) from the session management function network element (for example, the SMF-1 network element), and the first information includes the authentication result (for example, the first authentication result) of the network slice where the session management function network element is located (for example, the first network slice); the first network element receives the deletion request (for example, the deletion request in step S710), and the deletion request is used to instruct the first network element to delete the authentication result.
- the authentication result in this method is that the authentication is successful.
- the first information in the method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- Steps S712 to S720 describe that the terminal device initiates the process of establishing the second PDU session after the first PDU session is released.
- for steps S712 and S713, reference may be made to the description of steps S610 and S611 in FIG. 6, which will not be repeated here.
- the AMF network element sends a session management context creation request to the SMF-2 network element.
- the SMF-2 network element receives a request to create a session management context from the AMF network element.
- the AMF network element invokes a service for creating a session management context request (for example, Nsmf_PDUSession_CreateSMContext Request) to trigger the SMF-2 network element to create a session management context for the terminal device.
- the message sent by the AMF network element to the SMF-2 network element by creating a session management context request service includes the SUPI, S-NSSAI, DNN-2 and second PDU session identification ID-2 of the terminal device.
- the information sent by the AMF network element does not contain the first authentication result, so the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process of the network slice, and therefore determines to execute steps S717 to S720.
- the method also includes steps S715a, S715b and S716.
- the method further includes steps S717 to S720.
- for steps S717 to S720, reference may be made to the description of steps S518 to S521 in FIG. 5, which will not be repeated here.
- the SMF-1 network element sends first information to the AMF network element, and the first information includes the authentication result of the first network slice.
- the AMF network element deletes the first information. Therefore, after the first session is released, the storage space in the AMF network element can be saved.
- the information received by the SMF-2 network element from the AMF network element does not include the authentication result of the first network slice, and the SMF-2 network element performs authentication of the first network slice and sends the second information including the second authentication result to the AMF network element.
- other SMF network elements different from the SMF-2 network element may obtain the second authentication result from the AMF network element, and determine whether to perform the authentication process of the first network slice according to the second authentication result. Therefore, repeated authentication of the first network slice when the second authentication result is successful authentication is avoided, thereby reducing signaling interaction.
- step S712 occurs after the first session is released, so there is only one session initiated by the terminal device. Therefore, the second PDU session identifier ID-2 and the first PDU session identifier ID-1 may be the same or different. If the DNN-2 of the second PDU session is the same as the DNN-1 of the first PDU session, the SMF-2 network element selected by the AMF network element for the second session and the SMF-1 network element of the first session may be the same; if the DNN-2 of the second PDU session is different from the DNN-1 of the first PDU session, the SMF-2 network element selected by the AMF network element for the second session may be different from the SMF-1 network element of the first session. This solution does not limit whether the SMF-2 network element corresponding to the second session and the SMF-1 network element corresponding to the first session are the same or different.
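The following Python model is an added example, not part of the patent text: it shows how the stored authentication result drives the SMF-2 decision in FIG. 6 (result reused, re-authentication abandoned) and in FIG. 7 (result deleted on release, authentication repeated). The class and method names, the (SUPI, S-NSSAI) storage key, and the sample identifiers are assumptions of the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class AuthResult(Enum):
    SUCCESS = "success"
    FAILURE = "failure"


# Constructed sample identifiers (not taken from the patent).
SUPI_A, SUPI_B, S_NSSAI = "supi-ue-a", "supi-ue-b", "s-nssai-1"


@dataclass
class Amf:
    """First network element: keeps the authentication result reported by an SMF."""
    # Assumption: results are keyed by (SUPI, S-NSSAI), so a stored result is
    # only ever returned for the same terminal device on the same slice.
    results: Dict[Tuple[str, str], AuthResult] = field(default_factory=dict)

    def store_first_information(self, supi: str, s_nssai: str, result: AuthResult) -> None:
        self.results[(supi, s_nssai)] = result           # S609 / S709

    def delete_first_information(self, supi: str, s_nssai: str) -> None:
        self.results.pop((supi, s_nssai), None)          # FIG. 7, after session release

    def create_sm_context(self, smf: "Smf", supi: str, s_nssai: str,
                          dnn: str, pdu_session_id: int) -> bool:
        """Create-SM-context request; carries the stored result if there is one."""
        request = {"supi": supi, "s_nssai": s_nssai, "dnn": dnn,
                   "pdu_session_id": pdu_session_id}
        prior = self.results.get((supi, s_nssai))
        if prior is not None:
            request["auth_result"] = prior               # received by the SMF in S613
        return smf.handle_create_sm_context(request, self)


@dataclass
class Smf:
    name: str
    # Stand-in for the slice authentication procedure (S618/S619).
    authenticate_slice: Callable[[str, str], AuthResult]
    # Derived from subscription information or local configuration.
    slice_auth_required: bool = True
    log: List[str] = field(default_factory=list)

    def handle_create_sm_context(self, request: dict, amf: Amf) -> bool:
        """Return True if session establishment may continue."""
        supi, s_nssai = request["supi"], request["s_nssai"]
        if not self.slice_auth_required:
            self.log.append(f"{self.name}:not-required")
            return True
        if request.get("auth_result") is AuthResult.SUCCESS:
            self.log.append(f"{self.name}:skipped")      # S617: abandon re-authentication
            return True
        # No result received, or a failure result: run the authentication.
        result = self.authenticate_slice(supi, s_nssai)
        self.log.append(f"{self.name}:authenticated:{result.value}")
        amf.store_first_information(supi, s_nssai, result)
        return result is AuthResult.SUCCESS


def run_scenarios() -> Dict[str, List[str]]:
    ok = lambda supi, s_nssai: AuthResult.SUCCESS
    fail = lambda supi, s_nssai: AuthResult.FAILURE
    out: Dict[str, List[str]] = {}

    # FIG. 6: second session while the first is still active.
    amf, smf1, smf2 = Amf(), Smf("SMF-1", ok), Smf("SMF-2", ok)
    amf.create_sm_context(smf1, SUPI_A, S_NSSAI, "DNN-1", 1)
    amf.create_sm_context(smf2, SUPI_A, S_NSSAI, "DNN-2", 2)
    out["fig6"] = smf1.log + smf2.log
    # With the assumed key, another terminal does not inherit UE A's result.
    smf3 = Smf("SMF-2", ok)
    amf.create_sm_context(smf3, SUPI_B, S_NSSAI, "DNN-2", 1)
    out["other_ue"] = smf3.log

    # FIG. 7: first session released and result deleted before the second.
    amf, smf1, smf2 = Amf(), Smf("SMF-1", ok), Smf("SMF-2", ok)
    amf.create_sm_context(smf1, SUPI_A, S_NSSAI, "DNN-1", 1)
    amf.delete_first_information(SUPI_A, S_NSSAI)
    amf.create_sm_context(smf2, SUPI_A, S_NSSAI, "DNN-2", 2)
    out["fig7"] = smf1.log + smf2.log

    # Failure result forwarded: the first session fails, SMF-2 authenticates again.
    amf, smf1, smf2 = Amf(), Smf("SMF-1", fail), Smf("SMF-2", ok)
    first_ok = amf.create_sm_context(smf1, SUPI_A, S_NSSAI, "DNN-1", 1)
    amf.create_sm_context(smf2, SUPI_A, S_NSSAI, "DNN-2", 2)
    out["failure"] = [f"first-session:{first_ok}"] + smf1.log + smf2.log
    return out


if __name__ == "__main__":
    for name, events in run_scenarios().items():
        print(name, events)
```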
- FIG. 8 is a flowchart of another authentication method provided by an embodiment of the present application.
- the flowchart shown in FIG. 8 describes the scenario where the first network element is an NRF network element in step S301 of FIG. 3: the first SMF network element receives the authentication result of the network slice where the second SMF network element is located from the NRF network element, to determine whether to perform the authentication process of the network slice based on the authentication result. The repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- Steps S801 to S809 describe the process in which the terminal device initiates the first session.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3).
- Steps S810 to S819 describe the process of the terminal device initiating the second session.
- the SMF-2 network element receives the authentication result of the first network slice from the NRF network element through the AMF network element, and determines whether to perform the authentication process of the first network slice according to the authentication result.
- for step S801, reference may be made to the description of step S401 in FIG. 4, which will not be repeated here.
- Steps S802a and S802b are specific descriptions of step S402. That is, the AMF network element selects the SMF-1 network element by performing steps S802a and S802b.
- the AMF network element sends a first request to the NRF network element.
- the NRF network element receives the first request from the AMF network element.
- the first request is used to obtain the information of the SMF network element serving the first session.
- the NRF network element is located in the first network slice.
- the AMF network element sends the first request to the NRF network element by calling the discovery request (Nnrf_NFDiscovery_Request) service.
- the first request includes the S-NSSAI, DNN-1 and NSI ID of the first network slice.
- the NRF network element sends a first response to the AMF network element.
- the AMF network element receives the first response from the NRF network element.
- the NRF network element sends a first response to the AMF network element by calling the discovery response (Nnrf_NFDiscoveryResponse) service.
- the first response includes the address or identification information of the SMF-1 network element.
- the SMF-1 network element is located in the first network slice and supports S-NSSAI and DNN-1.
- the NRF network element selects the SMF-1 network element to serve the first session.
- Steps S803 to S808 can refer to the description of steps S403 to S408 in FIG. 4 and will not be repeated here.
- the SMF-1 network element sends the first information to the NRF network element.
- the NRF network element receives the first information from the SMF-1 network element.
- the first information includes the first authentication result in step S808. That is, when the first authentication result is that the authentication is successful, the SMF-1 network element sends the first information indicating that the authentication is successful to the NRF network element. When the first authentication result is that the authentication fails, the SMF-1 network element sends the first information indicating the authentication failure to the NRF network element.
- when the first authentication result is that the authentication is successful, the SMF-1 network element sends the first information to the NRF network element.
- the first information may be used to indicate the successful authentication of the first network slice.
- the SMF-1 network element may not need to send the first information to the NRF network element.
- the first information further includes at least one of an identifier of the first network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- the SMF-1 network element sends the first information to the NRF network element by invoking a network function update (for example, Nnrf_NFManagement_NFUpdate) service.
- the message sent by the SMF-1 network element to the NRF network element through the network function update service also includes SUPI and S-NSSAI of the first network slice.
- the NRF network element saves the first information.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3).
- the SMF-1 network element continues to perform the first session establishment process; if the first authentication result in step S808 is authentication failure, the first session establishment fails.
- the session management function network element receives the authentication result (for example, the first authentication result) of the network slice where the session management function network element is located (for example, the first network slice); the session management function network element sends first information (for example, the first information in step S809) to the first network element (for example, the NRF network element), where the first information includes the authentication result.
- the authentication result is that the authentication is successful.
- the authentication result is authentication failure.
- the network element of the session management function sends the first information to the first network element.
- the network element of the session management function does not need to send the first information to the first network element.
- the first information further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- steps S810 to S820 describe that the terminal device initiates the process of establishing a second PDU session when the first PDU session is in an activated state, that is, the first PDU session still exists.
- for step S810, reference may be made to the description of step S410 in FIG. 4, which will not be repeated here.
- the AMF network element sends a second request to the NRF network element.
- the NRF network element receives the second request from the AMF network element.
- the second request is used to obtain the information of the SMF network element serving the second session.
- the AMF network element sends a second request to the NRF network element by calling the discovery request (Nnrf_NFDiscovery_Request) service.
- the second request includes the S-NSSAI, DNN-2 and NSI ID of the first network slice.
- the NRF network element sends a second response to the AMF network element.
- the AMF network element receives the second response from the NRF network element.
- the NRF network element sends a second response to the AMF network element by calling the discovery response (Nnrf_NFDiscoveryResponse) service.
- the second response message includes the address or identification information of the SMF-2 network element.
- the SMF-2 network element is located in the first network slice and supports S-NSSAI and DNN-2.
- the NRF network element selects the SMF-2 network element to serve the second session.
- if, in step S809, the SMF-1 network element sends the first information indicating the success or failure of the authentication to the NRF network element, that is, the NRF network element receives the first authentication result from the SMF-1 network element, the NRF network element also sends the first authentication result (success or failure) to the AMF network element, and then the AMF network element sends the first authentication result (success or failure) to the SMF-2 network element.
- the first authentication result is used by the SMF-2 network element in subsequent step S815 to determine whether to perform the authentication process of the first network slice. In other words, since the SMF-2 network element receives the first authentication result, it is determined that the subsequent step S815 needs to be performed.
- the first authentication result sent by the NRF network element to the AMF network element may also be indication information indicating successful authentication or failed authentication.
- the SMF-1 network element sends the first information to the NRF network element. Then, when the first authentication result is that the authentication is successful, the NRF network element also sends the first authentication result indicating the successful authentication to the AMF network element. Alternatively, the first authentication result sent by the NRF network element to the AMF network element may also be indication information indicating that the authentication is successful. If the SMF-2 network element does not receive the authentication result from the AMF network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process.
- for steps S812 to S819, reference may be made to the description of steps S613 to S620 in FIG. 6, which will not be repeated here.
- the present invention discloses an authentication method as follows: the first network element (for example, the NRF network element) receives the first information (for example, the first information in step S809) from the first session management function network element (for example, the SMF-1 network element), and the first information includes the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) where the first session management function network element is located.
- the first network element sends the authentication result to the second session management function network element (for example, the SMF-2 network element); the second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
- the authentication result in this method is that the authentication is successful.
- the first information in the method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3).
- the SMF-2 network element receives the authentication result of the first network slice from the AMF network element, where the authentication result of the first network slice is received by the AMF network element from the NRF network element.
- the SMF-2 network element determines whether to perform the authentication process of the first network slice according to the authentication result.
- the SMF-2 network element can obtain the authentication result of the first network slice.
- the SMF-2 network element determines to abandon the authentication process of the network slice. The repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- FIG. 9 is a flowchart of another authentication method provided by an embodiment of the present application.
- the method described in FIG. 9 can be applied to the following scenario: Before step S811b of FIG. 8 is executed, the first session is released, and the authentication result obtained by the NRF network element in step S809 is also deleted. Therefore, when the NRF network element executes step S811b, it cannot send the first authentication result to the SMF-2 network element.
- FIG. 9 will be described in conjunction with FIGS. 7 and 8.
- the method shown in FIG. 9 may include:
- Steps S901 to S909 can refer to the description of steps S801 to S809 in FIG. 8 and will not be repeated here.
- the method shown in Figure 9 also includes:
- the SMF-1 network element determines to release the first session.
- the release process of the first session may be triggered by the terminal device or triggered by the network.
- Step S910 is an optional step.
- the SMF-1 network element sends a delete request to the NRF network element.
- the SMF-1 network element sends a delete request to the NRF network element by invoking a network function update (for example, Nnrf_NFManagement_NFUpdate) service.
- the message sent by the SMF-1 network element to the NRF network element through the network function update service includes the SUPI of the terminal device and the S-NSSAI of the first network slice.
- the NRF network element deletes the first information.
- the NRF network element deletes the first information according to the deletion request received in step S911.
- the first network element receives the first information (for example, the first information in step S909) from the session management function network element (for example, the SMF-1 network element), and the first information includes the authentication result (for example, the first authentication result) of the network slice where the session management function network element is located (for example, the first network slice); the first network element receives the deletion request (for example, the deletion request in step S911), and the deletion request is used to instruct the first network element to delete the authentication result.
- the authentication result in this method is that the authentication is successful.
- the first information in the method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- Steps S913 to S921 describe that the terminal device initiates the process of establishing the second PDU session after the first PDU session is released.
- Steps S912 and S914a can refer to the description of steps S810 and S811a in FIG. 8 and will not be repeated here.
- the method also includes step S914b. It should be noted that step S914b occurs after step S912.
- the NRF network element sends a second response to the AMF network element.
- the AMF network element receives the second response from the NRF network element.
- the NRF network element sends a second response to the AMF network element by calling the discovery response (Nnrf_NFDiscoveryResponse) service.
- the second response includes the address or identification information of the SMF-2 network element.
- the SMF-2 network element is located in the first network slice and supports S-NSSAI and DNN-2.
- the NRF network element selects the SMF-2 network element to serve the second session.
- the AMF network element sends a session management context creation request to the SMF-2 network element.
- the SMF-2 network element receives a request to create a session management context from the AMF network element.
- the AMF network element invokes a service for creating a session management context request (for example, Nsmf_PDUSession_CreateSMContext Request) to trigger the SMF-2 network element to create a session management context for the terminal device.
- the message sent by the AMF network element to the SMF-2 network element by creating a session management context request service includes the SUPI, S-NSSAI, DNN-2 and second PDU session identification ID-2 of the terminal device.
- the information sent by the SMF-2 network element through the AMF network element does not include the first authentication result, and it is determined to perform steps S918 to S921.
- the method also includes steps S916a to S921.
- S916a to S921 can refer to the description of steps S715a to S720 in FIG. 7 and will not be repeated here.
- the SMF-1 network element sends first information to the NRF network element, and the first information includes the authentication result of the first network slice.
- the NRF network element deletes the first information. Therefore, after the first session is released, the storage space in the NRF network element can be saved.
- the information received by the SMF-2 network element from the AMF network element does not include the authentication result of the first network slice, where the information received by the AMF network element from the NRF network element does not include the authentication result of the first network slice.
- the SMF-2 network element performs authentication on the first network slice, and sends second information including the second authentication result to the NRF network element.
- because step S913 occurs after the first session is released, there is only one session initiated by the terminal device. Therefore, the second PDU session identifier ID-2 and the first PDU session identifier ID-1 may be the same or different. If the DNN-2 of the second PDU session is the same as the DNN-1 of the first PDU session, the SMF-2 network element selected by the AMF network element for the second session and the SMF-1 network element of the first session may be the same; if the DNN-2 of the second PDU session is different from the DNN-1 of the first PDU session, then the SMF-2 network element selected by the AMF network element for the second session may be different from the SMF-1 network element of the first session. This solution does not limit whether the SMF-2 network element corresponding to the second session and the SMF-1 network element corresponding to the first session are the same or different.
- FIG. 10 is a flowchart of another authentication method provided by an embodiment of the present application.
- the flowchart shown in FIG. 10 describes the scenario where the first network element is an NRF network element in step S301 of FIG. 3:
- the first SMF network element receives the authentication result of the network slice where the second SMF network element is located from the NRF network element, to determine whether to perform the authentication process of the network slice based on the authentication result.
- the repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- in FIG. 8, the NRF network element sends the first authentication result to the AMF network element when returning the information of the SMF network element serving the second session to the AMF. That is, the NRF network element in FIG. 8 actively sends the first authentication result to the AMF network element through step S811b, and then the AMF network element actively sends the first authentication result to the SMF-2 network element through step S812.
- the NRF network element does not need to send the first authentication result to the AMF network element when returning the information of the SMF network element serving the second session to the AMF; instead, when the SMF-2 network element actively queries the NRF network element for the first authentication result, the NRF network element returns the first authentication result to the SMF-2 network element through the query response message.
- Steps S1001 to S1010 describe the process in which the terminal device initiates the first session.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3).
- Steps S1011 to S1022 describe the flow of the terminal device initiating the second session.
- the SMF-2 network element (the first SMF network element in FIG. 3) receives the authentication result of the first network slice from the NRF network element and, according to the authentication result, determines whether to perform the authentication process of the first network slice.
- the first session is the first session initiated after the terminal device accesses the first network slice
- the second session is the non-first session initiated by the terminal device.
- FIG. 10 can be described in conjunction with FIGS. 8 and 9, and the method shown in FIG. 10 can include:
- Steps S1001 to S1006 can refer to the description of steps S801 to S806 in FIG. 8 and will not be repeated here.
- the method shown in FIG. 10 also includes:
- the SMF-1 network element sends a first query request to the NRF network element.
- the NRF network element receives the first query request from the SMF-1 network element.
- the first query request is used to query the NRF network element: whether the authentication result of the first network slice is stored in the NRF network element.
- the SMF-1 network element sends a first query request to the NRF network element by calling a data discovery (eg, Nnrf_DataDiscovery) service.
- the first query request includes the SUPI of the terminal device.
- the NRF network element sends a first query response to the SMF-1 network element.
- the SMF-1 network element receives the first query response from the NRF network element.
- Steps S1008 to S1010 can refer to the description of steps S807 to S809 in FIG. 8 and will not be repeated here.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3).
- the SMF-1 network element continues to perform the first session establishment process; if the first authentication result in step S1009 is authentication failure, the first session establishment fails.
- the session management function network element for example, SMF-1 network element
- receives the authentication result for example, the first authentication result
- the method further includes: the session management function network element sends a query request (e.g., the first query request) to the first network element (e.g., NRF network element), and the session management function network element receives a query response (e.g., the first query response) from the first network element; the query response is used to indicate that the first network element does not include the authentication result of the network slice (for example, the first network slice).
- steps S1011 to S1022 describe that the terminal device initiates the process of establishing a second PDU session when the first PDU session is active, that is, the first PDU session still exists.
- Steps S1011 to S1016 can refer to the description of steps S913 and S918 in FIG. 9 and will not be repeated here.
- the second query request is used to query the NRF network element: whether the authentication result of the first network slice is stored in the NRF network element.
- the SMF-2 network element sends a second query request to the NRF network element by calling a data discovery (eg, Nnrf_DataDiscovery) service.
- the second query request includes the SUPI of the terminal device.
- the NRF network element sends a second query response to the SMF-2 network element.
- the SMF-2 network element receives the second query response from the NRF network element.
- the NRF network element in response to the second query request in step S1017a, sends a second query response to the SMF-2 network element.
- if in step S1010 the SMF-1 network element sends the first information indicating the success or failure of the authentication to the NRF network element, then, because the NRF network element has received the authentication result in the first information from the SMF-1 network element, the NRF network element also sends the first authentication result of success or failure to the SMF-2 network element.
- the first authentication result is used by the SMF-2 network element in subsequent step S1018 to determine whether to perform the authentication process of the first network slice. In other words, since the SMF-2 network element receives the first authentication result, it is determined that the subsequent step S1018 needs to be performed.
- the first authentication result sent by the NRF network element to the SMF-2 network element may also be indication information indicating successful authentication or failed authentication.
- the SMF-1 network element sends the first information to the NRF network element. Then, when the first authentication result is that the authentication is successful, the NRF network element also sends the first authentication result indicating the successful authentication to the SMF-2 network element. Alternatively, the first authentication result sent by the NRF network element to the SMF-2 network element may also be indication information indicating that the authentication is successful. If the SMF-2 network element does not receive the authentication result from the NRF network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process.
- Steps S1018 to S1022 can refer to the description of steps S815 to S819 in FIG. 8 and will not be repeated here.
- the present invention discloses an authentication method as follows: the first network element (e.g., NRF network element) receives the first information (for example, the first information in step S1010) from the first session management function network element (e.g., SMF-1 network element); the first information includes the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) where the first session management function network element is located.
- the first network element sends an authentication result to the second session management function network element (for example, SMF-2 network element), the second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
- the authentication result in this method is that the authentication is successful.
- the first information in the method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3).
- the SMF-2 network element (the first SMF network element in FIG. 3) obtains the authentication result of the first network slice from the NRF network element through a query request, and judges, according to the authentication result, whether to execute the authentication process of the first network slice. Because the SMF-1 network element and the SMF-2 network element are both located in the first network slice, the SMF-2 network element can obtain the authentication result of the first network slice.
- the SMF-2 network element determines to abandon the authentication process of the network slice. The repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- FIG. 11 is a flowchart of another authentication method provided by an embodiment of the present application.
- the method described in FIG. 11 can be applied to the following scenario: Before step S1017b of FIG. 10 is executed, the first session is released, and the authentication result obtained by the NRF network element in step S1010 is also deleted. Therefore, when the NRF network element executes step S1017b, the first authentication result cannot be sent to the SMF-2 network element.
- FIG. 11 will be described in conjunction with FIGS. 9 and 10.
- the method shown in FIG. 11 may include:
- for steps S1101 to S1110, reference may be made to the description of steps S1001 to S1010 in FIG. 10, which will not be repeated here.
- Steps S1111 to S1113 can refer to the description of steps S910 to S912 in FIG. 9 and will not be repeated here.
- Steps S1114 to S1123 describe the process that the terminal device initiates the establishment of the second PDU session after the first PDU session is released.
- for step S1120a, reference may be made to the description of step S1017a in FIG. 10, and details are not described here.
- the method also includes step S1120b. It should be noted that step S1120b occurs after step S1113.
- the NRF network element sends a second query response to the SMF-2 network element.
- the SMF-2 network element receives the second query response from the NRF network element.
- the information received by the SMF-2 network element from the NRF network element does not contain the first authentication result, so the SMF-2 network element determines to execute steps S1121 to S1123.
- the method further includes steps S1121 to S1123.
- S1121 to S1123 can refer to the description of steps S919 to S921 in FIG. 9 and will not be repeated here.
- FIG. 12 is a flowchart of another authentication method provided by an embodiment of the present application.
- the flowchart shown in FIG. 12 describes the scenario where the first network element is a UDSF network element in step S301 of FIG. 3: the first SMF network element receives the authentication result of the network slice where the second SMF network element is located from the UDSF network element, to determine whether to perform the authentication process of the network slice based on the authentication result. The repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- Steps S1201 to S1212 describe the process in which the terminal device initiates the first session.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDSF network element (the first network element in FIG. 3).
- Steps S1213 to S1222 describe the process of the terminal device initiating the second session.
- the SMF-2 network element (the first SMF network element in FIG. 3) receives the authentication result of the first network slice from the UDSF network element and, according to the authentication result, determines whether to perform the authentication process of the first network slice.
- the first session is the first session initiated after the terminal device accesses the first network slice
- the second session is the non-first session initiated by the terminal device.
- FIG. 12 may be described in conjunction with FIG. 10, and the method shown in FIG. 12 may include:
- Steps S1201 to S1206 can refer to the description of steps S1001 to S1006 in FIG. 10, which will not be repeated here.
- the method shown in Figure 12 also includes:
- the SMF-1 network element sends a third query request to the UDSF network element.
- the UDSF network element receives the third query request from the SMF-1 network element.
- the third query request is used to query the UDSF network element: whether the authentication result of the first network slice is stored in the UDSF network element.
- the SMF-1 network element calls a data management request (for example, Nudsf_UnstructuredDataManagement_Query) service to send a third query request to the UDSF network element.
- the third query request includes the SUPI of the terminal device.
- the UDSF network element sends a third query response to the SMF-1 network element.
- the SMF-1 network element receives the third query response from the UDSF network element.
- the authentication result for the first network slice is not stored in the UDSF network element. Then, the third query response does not include the authentication result of the first network slice.
- the SMF-1 network element determines to execute steps S1208 to S1210 according to the third query response.
- for steps S1208 and S1209, reference may be made to the description of steps S1008 and S1009 in FIG. 10, which will not be repeated here.
- the SMF-1 network element sends the first information to the UDSF network element.
- the UDSF network element receives the first information from the SMF-1 network element.
- the first information includes the first authentication result in step S1208. That is, when the first authentication result is that the authentication is successful, the SMF-1 network element sends the UDSF network element first information indicating that the authentication is successful. When the first authentication result is that the authentication fails, the SMF-1 network element sends the first information indicating the authentication failure to the UDSF network element.
- the UDSF network element saves the first information.
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDSF network element (the first network element in FIG. 3).
- the SMF-1 network element continues to perform the first session establishment process; if the first authentication result in step S1209 is authentication failure, the first session establishment fails.
- the session management function network element receives the authentication result (for example, the first authentication result) of the network slice where the session management function network element is located (for example, the first network slice); the session management function network element sends first information (for example, the first information in step S1212) to the first network element (for example, UDSF network element), and the first information includes the authentication result.
- the authentication result is that the authentication is successful.
- the authentication result is authentication failure.
- the network element of the session management function sends the first information to the first network element.
- the network element of the session management function does not need to send the first information to the first network element.
- the first information further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- the method further includes: the session management function network element sends a query request (e.g., a third query request) to the first network element (e.g., UDSF network element), and the session management function network element receives a query response (e.g., the third query response); the query response is used to indicate that the first network element does not include the authentication result of the network slice (for example, the first network slice).
- steps S1211 to S1222 describe that the terminal device initiates the process of establishing the second PDU session when the first PDU session is active, that is, the first PDU session still exists.
- for steps S1211 to S1216, reference may be made to the description of steps S1011 and S1016 in FIG. 10, which will not be repeated here.
- the SMF-2 network element sends a fourth query request to the UDSF network element.
- the UDSF network element receives the fourth query request from the SMF-2 network element.
- the fourth query request is used to query the UDSF network element: whether the authentication result of the first network slice is stored in the UDSF network element.
- the SMF-2 network element calls a data management request (for example, Nudsf_UnstructuredDataManagement_Query) service to send a fourth query request to the UDSF network element.
- the fourth query request includes the SUPI of the terminal device.
- the UDSF network element sends a fourth query response to the SMF-2 network element.
- the SMF-2 network element receives the fourth query response from the UDSF network element.
- the UDSF network element responds to the fourth query request of step S1217a, and sends the first authentication result obtained by the UDSF network element in step S1210 to the SMF-2 network element through the fourth query response.
- if in step S1210 the SMF-1 network element sends the first information indicating successful authentication or failed authentication to the UDSF network element, then, because the UDSF network element has received the authentication result in the first information from the SMF-1 network element, the UDSF network element also sends the first authentication result of success or failure to the SMF-2 network element.
- the first authentication result is used by the SMF-2 network element in subsequent step S1218 to determine whether to perform the authentication process of the first network slice. In other words, since the SMF-2 network element receives the first authentication result, it is determined that the subsequent step S1218 needs to be performed.
- the first authentication result sent by the UDSF network element to the SMF-2 network element may also be indication information indicating successful authentication or failed authentication.
- the SMF-1 network element sends the first information to the UDSF network element. Then, when the first authentication result is that the authentication is successful, the UDSF network element also sends the first authentication result indicating the successful authentication to the SMF-2 network element. Alternatively, the first authentication result sent by the UDSF network element to the SMF-2 network element may also be indication information indicating that the authentication is successful. If the SMF-2 network element does not receive the authentication result from the UDSF network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process.
- Steps S1218 to S1222 can refer to the description of steps S1018 to S1022 in FIG. 10, which will not be repeated here.
- the first network element receives the first information (for example, the first information in step S1210) from the first session management function network element (for example, SMF-1 network element); the first information includes the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) where the first session management function network element is located.
- the first network element sends an authentication result to the second session management function network element (for example, SMF-2 network element), the second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
- the authentication result in this method is that the authentication is successful.
- the first information in the method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3).
- the SMF-2 network element (the first SMF network element in FIG. 3) obtains the authentication result of the first network slice from the UDSF network element through a query request, and judges, based on the authentication result, whether to execute the authentication process of the first network slice. Because the SMF-1 network element and the SMF-2 network element are both located in the first network slice, the SMF-2 network element can obtain the authentication result of the first network slice.
- the SMF-2 network element determines to abandon the authentication process of the network slice. The repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- FIG. 13 is a flowchart of another authentication method provided by an embodiment of this application.
- the method described in FIG. 13 can be applied to the following scenario: Before step S1217b of FIG. 12 is executed, the first session is released, and the authentication result obtained by the UDSF network element in step S1210 is also deleted. Therefore, when the UDSF network element executes step S1217b, the first authentication result cannot be sent to the SMF-2 network element.
- FIG. 13 will be described in conjunction with FIG. 12, and the method shown in FIG. 13 may include:
- for steps S1301 to S1310, reference may be made to the description of steps S1201 to S1210 in FIG. 12, which will not be repeated here.
- the SMF-1 network element determines to release the first session.
- the release process of the first session may be triggered by the terminal device or triggered by the network.
- Step S1311 is an optional step.
- the SMF-1 network element sends a deletion request to the UDSF network element.
- the SMF-1 network element sends a delete request to the UDSF network element by calling a delete (for example, Nudsf_UnstructuredDataManagement_Delete) service.
- the message sent by the SMF-1 network element to the UDSF network element through the deletion service includes the SUPI of the terminal device and the S-NSSAI of the first network slice.
- the UDSF network element deletes the first information.
- the UDSF network element deletes the first information according to the deletion request received in step S1312.
- the first network element receives the first information (for example, the first information in step S1310) from the session management function network element (for example, SMF-1 network element), and the first information includes the authentication result (for example, the first authentication result) of the network slice where the session management function network element is located (for example, the first network slice); the first network element receives the deletion request (for example, the deletion request in step S1312), and the deletion request is used to instruct the first network element to delete the authentication result.
- the authentication result in this method is that the authentication is successful.
- the first information in the method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
- Steps S1314 to S1319 describe the process that the terminal device initiates the establishment of the second PDU session after the first PDU session is released.
- for steps S1314 to S1320a, reference may be made to the description of steps S1211 to S1217a in FIG. 12, which will not be repeated here.
- the method also includes step S1320b. It should be noted that step S1320b occurs after step S1313.
- the UDSF network element sends a fourth query response to the SMF-2 network element.
- the SMF-2 network element receives the fourth query response from the UDSF network element.
- the information received by the SMF-2 network element from the UDSF network element does not include the first authentication result, so the SMF-2 network element determines to execute steps S1321 to S1323.
- the method further includes steps S1321 to S1323.
- S1321 to S1323 can refer to the description of steps S1220 to S1222 in FIG. 12 and will not be repeated here.
- the SMF-1 network element sends the first information to the UDSF network element, and the first information includes the authentication result of the first network slice.
- the UDSF network element deletes the first information. Therefore, after the first session is released, the storage space in the UDSF network element can be saved.
- the SMF-2 network element sends a query request to the UDSF network element, and the information received from the UDSF network element does not include the authentication result of the first network slice.
- the SMF-2 network element performs authentication on the first network slice, and sends second information including the second authentication result to the UDSF network element.
- because step S1314 occurs after the first session is released, there is only one session initiated by the terminal device. Therefore, the second PDU session identifier ID-2 and the first PDU session identifier ID-1 may be the same or different. If the DNN-2 of the second PDU session is the same as the DNN-1 of the first PDU session, the SMF-2 network element selected by the AMF network element for the second session and the SMF-1 network element of the first session may be the same; if the DNN-2 of the second PDU session is different from the DNN-1 of the first PDU session, then the SMF-2 network element selected by the AMF network element for the second session may be different from the SMF-1 network element of the first session. This solution does not limit whether the SMF-2 network element corresponding to the second session and the SMF-1 network element corresponding to the first session are the same or different.
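The store, query and delete behaviour described for FIGS. 12 and 13, modelled as an added Python example that is not part of the patent text. All class and function names are hypothetical, the SUPI and S-NSSAI values are constructed, and the model assumes the embodiment in which only a successful result is stored and that the store is keyed by the (SUPI, S-NSSAI) pair.

```python
"""Model of slice-authentication result sharing between two SMFs.

Hypothetical names throughout; identifiers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SUCCESS, FAILURE = "success", "failure"
GOOD_SUPI = "imsi-001010000000001"   # constructed: authentication succeeds
BAD_SUPI = "imsi-001010000000002"    # constructed: authentication fails
SLICE = "01-000001"                  # constructed S-NSSAI


class ResultStore:
    """Stands in for the first network element (UDSF or NRF)."""

    def __init__(self) -> None:
        # Assumption: keyed by (SUPI, S-NSSAI) so a result is never
        # returned for a different subscriber or a different slice.
        self._results: Dict[Tuple[str, str], str] = {}

    def save(self, supi: str, s_nssai: str, result: str) -> None:
        self._results[(supi, s_nssai)] = result

    def query(self, supi: str, s_nssai: str) -> Optional[str]:
        # None models a query response that carries no authentication result.
        return self._results.get((supi, s_nssai))

    def delete(self, supi: str, s_nssai: str) -> None:
        self._results.pop((supi, s_nssai), None)


@dataclass
class Outcome:
    established: bool
    authenticated_now: bool  # True if this SMF ran slice authentication


class Smf:
    def __init__(self, name: str, s_nssai: str, dnn: str, store: ResultStore,
                 authenticate: Callable[[str, str], str]) -> None:
        self.name, self.s_nssai, self.dnn = name, s_nssai, dnn
        self.store, self.authenticate = store, authenticate

    def establish_session(self, supi: str) -> Outcome:
        # Query first; skip authentication only on a stored success.
        if self.store.query(supi, self.s_nssai) == SUCCESS:
            return Outcome(established=True, authenticated_now=False)
        result = self.authenticate(supi, self.s_nssai)
        if result == SUCCESS:
            self.store.save(supi, self.s_nssai, SUCCESS)
            return Outcome(established=True, authenticated_now=True)
        return Outcome(established=False, authenticated_now=True)

    def release_session(self, supi: str) -> None:
        # Delete request carrying SUPI and S-NSSAI, sent on session release.
        self.store.delete(supi, self.s_nssai)


def build() -> Tuple[Smf, Smf, ResultStore, List[Tuple[str, str]]]:
    calls: List[Tuple[str, str]] = []

    def authenticate(supi: str, s_nssai: str) -> str:
        calls.append((supi, s_nssai))  # one entry per authentication run
        return SUCCESS if supi == GOOD_SUPI else FAILURE

    store = ResultStore()
    smf1 = Smf("SMF-1", SLICE, "DNN-1", store, authenticate)
    smf2 = Smf("SMF-2", SLICE, "DNN-2", store, authenticate)
    return smf1, smf2, store, calls


def run_scenarios() -> dict:
    # FIG. 12: second session starts while the first is still active.
    smf1, smf2, store, calls = build()
    smf1.establish_session(GOOD_SUPI)
    second = smf2.establish_session(GOOD_SUPI)
    fig12 = (len(calls), second.authenticated_now)

    # FIG. 13: first session released (result deleted) before the second.
    smf1, smf2, store, calls = build()
    smf1.establish_session(GOOD_SUPI)
    smf1.release_session(GOOD_SUPI)
    second = smf2.establish_session(GOOD_SUPI)
    fig13 = (len(calls), second.authenticated_now)

    # Failed authentication: session rejected and nothing stored.
    smf1, smf2, store, calls = build()
    failed = smf1.establish_session(BAD_SUPI)
    return {
        "fig12_auth_runs": fig12[0], "fig12_second_authenticated": fig12[1],
        "fig13_auth_runs": fig13[0], "fig13_second_authenticated": fig13[1],
        "failure_established": failed.established,
        "failure_stored": store.query(BAD_SUPI, SLICE),
    }


if __name__ == "__main__":
    print(run_scenarios())
```
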
- each network element and device, such as the above-mentioned wireless access network device, access and mobility management function network element, terminal device, data management function network element and network slice selection function network element, in order to achieve the above functions, contains the corresponding hardware structure and/or software module to perform each function.
- the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is executed by hardware or computer software driven hardware depends on the specific application and design constraints of the technical solution. Professional technicians can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
- the authentication device may include a receiving module 1401, a processing module 1402, and a sending module 1403, as shown in FIG. 14A.
- the authentication device may be used to perform the operations of the SMF-2 network element in FIGS. 4 to 13 described above. For example:
- the receiving module 1401 is configured to receive the authentication result of the network slice where the second session management function network element is located from the first network element.
- the first session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
- the processing module 1402 is configured to determine whether to perform the network slice authentication process according to the authentication result.
- the first SMF network element can obtain the authentication result of the network slice where the second SMF network element is located. Since the first SMF network element and the second SMF network element are located in the same network slice, the first SMF network element can determine whether to perform the authentication process of the network slice according to the authentication result. Repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- the authentication result is that the authentication is successful, and the processing module 1402 is used to determine to abandon the authentication process of the network slice.
- the first network element is a network storage function network element or an unstructured data storage network element
- the sending module 1403 is used to send a query request to the first network element, and the query request is used to obtain an authentication result.
- the receiving module 1401 and the processing module 1402 in the authentication apparatus can also implement other operations or functions of the SMF-2 network element in FIG. 4 to FIG. 13, which will not be repeated here.
- the authentication device shown in FIG. 14A may also be used to perform the operations of the SMF-1 network element or SMF-2 network element in FIGS. 4 to 13 described above.
- the receiving module 1401 is configured to receive the authentication result of the network slice where the session management function network element is located from the authentication network element.
- the sending module 1403 is configured to send first information to the first network element, and the first information includes an authentication result.
- the second SMF network element can send the authentication result of the network slice to the first network element.
- the first SMF network element serving the second session can obtain the authentication result of the network slice. Since the first SMF network element and the second SMF network element are located in the same network slice, the first SMF network element can determine whether to perform the authentication process of the network slice according to the authentication result. Repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- the authentication result is that the authentication is successful.
- the first information further includes at least one of the identifier of the network slice or the identifier of the terminal device.
- the first network element is a network storage function network element or an unstructured data storage network element
- the sending module 1403 is further configured to send a query request to the first network element.
- the receiving module 1401 is further configured to receive a query response from the first network element, where the query response is used to indicate that the authentication result of the network slice is not included in the first network element.
- the receiving module 1401 and the processing module 1402 in the authentication apparatus can also implement other operations or functions of the SMF-1 network element or the SMF-2 network element in FIGS. 4 to 13, which will not be repeated here.
- the authentication device shown in FIG. 14A can also be used to perform the operations of the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIGS. 12 and 13.
- the receiving module 1401 is configured to receive the first information from the first session management function network element, where the first information includes the authentication result of the network slice where the first session management function network element is located.
- the sending module 1403 is used to send an authentication result to the second session management function network element.
- the second session management function network element is located in a network slice.
- the first session management function network element and the second session management function network element support different data networks.
- the second SMF network element can obtain the authentication result of the network slice where the first SMF network element is located. Since the first SMF network element and the second SMF network element are located in the same network slice, the second SMF network element can determine whether to perform the authentication process of the network slice according to the authentication result. Repeated authentication of the network slice when the authentication result is successful is avoided, thereby reducing signaling interaction.
- the authentication result is that the authentication is successful.
- the first information further includes at least one of the identifier of the network slice or the identifier of the terminal device.
- the first network element is a network storage function network element or an unstructured data storage network element
- the receiving module 1401 is further configured to receive a query request from the first session management function network element.
- the sending module 1403 is also used to send a query response to the first session management function network element, where the query response is used to indicate that the first network element does not include the authentication result of the network slice.
- the receiving module 1401 is further configured to receive a deletion request, and the deletion request is used to instruct the first network element to delete the authentication result.
- the first network element is a user data management function network element, an access and mobility management function network element, a network storage function network element, or an unstructured data storage network element.
- the receiving module 1401 and the processing module 1402 in the authentication apparatus can also implement other operations or functions of the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIG. 12 and FIG. 13, which will not be repeated here.
- the authentication device shown in FIG. 14A can also be used to perform the operations of the UDM network element in FIG. 5, the AMF network element in FIG. 7, the NRF network element in FIG. 9 or FIG. 11, or the UDSF network element in FIG. 13.
- the receiving module 1401 is configured to receive the first information from the network element of the session management function, where the first information includes the authentication result of the network slice where the network element of the session management function is located.
- the receiving module 1401 is also used to receive a deletion request, and the deletion request is used to instruct the first network element to delete the authentication result.
- the first network element can obtain the authentication result of the network slice where the SMF network element is located.
- the authentication result can be deleted, thereby saving storage space of the first network element.
- the first information further includes at least one of the identifier of the network slice or the identifier of the terminal device.
- the first network element is a user data management function network element, an access and mobility management function network element, a network storage function network element, or an unstructured data storage network element.
- the receiving module 1401 and the processing module 1402 in the authentication apparatus can also implement other operations or functions of the UDM network element in FIG. 5, the AMF network element in FIG. 7, the NRF network element in FIG. 9 or FIG. 11, or the UDSF network element in FIG. 13, which will not be repeated here.
- FIG. 14B shows another possible structural diagram of the authentication device involved in the foregoing embodiment.
- the authentication device includes a transceiver 1404 and a processor 1405, as shown in FIG. 14B.
- the processor 1405 may be a general-purpose microprocessor, a data processing circuit, an application-specific integrated circuit (ASIC) or a field-programmable gate array (FPGA) circuit.
- the authentication device may further include a memory 1406, for example, the memory is a random access memory (random access memory, RAM).
- the memory is used to couple with the processor 1405, which stores a computer program 14061 necessary for the authentication device.
- the authentication device involved in the above embodiment also provides a carrier 1407, in which the computer program 14071 of the authentication device is stored, and the computer program 14071 can be loaded into the processor 1405.
- the above carrier may be an optical signal, an electrical signal, an electromagnetic signal, or a computer-readable storage medium (for example, a hard disk).
- the processor 1405 is configured to perform other operations or functions of the first session management function network element (for example, the SMF-2 network element in FIGS. 4 to 13).
- the transceiver 1404 is used to implement communication between the first session management function network element and the AMF network element / UDM network element / authentication network element / NRF network element / UDSF network element.
- the processor 1405 is configured to perform other operations or functions of the session management function network element (for example, the SMF-1 network element or the SMF-2 network element in FIGS. 4 to 13).
- the transceiver 1404 is used to implement the communication between the session management function network element and the AMF network element / UDM network element / authentication network element / NRF network element / UDSF network element.
- the processor 1405 is configured to perform operations or functions of the first network element (e.g., the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIGS. 12 and 13).
- the transceiver 1404 is used to implement communication between the first network element and the SMF-1 network element / SMF-2 network element.
- the processor 1405 is configured to perform other operations or functions of the first network element (e.g., the UDM network element in FIG. 5, the AMF network element in FIG. 7, the NRF network element in FIG. 9 or FIG. 11, or the UDSF network element in FIG. 13).
- the transceiver 1404 is used to implement communication between the first network element and the SMF-1 network element / SMF-2 network element.
- the controller / processor for performing the above-mentioned authentication device of the present application may be a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic devices, transistor logic devices, hardware components or any combination thereof. It can implement or execute various exemplary logical blocks, modules, and circuits described in conjunction with the disclosure of the present application.
- the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of DSP and microprocessor, and so on.
- the steps of the method or algorithm described in conjunction with the disclosure of the present application may be implemented by hardware, or by a processor executing software instructions.
- the software instructions can be composed of corresponding software modules, which can be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, mobile hard disk, CD-ROM or any other form of storage medium known in the art.
- An exemplary storage medium is coupled to the processor so that the processor can read information from the storage medium and can write information to the storage medium.
- the storage medium may also be an integral part of the processor.
- the processor and the storage medium may be located in the ASIC.
- the ASIC may be located in the wireless access network device.
- the processor and the storage medium may also exist as discrete components in the wireless access network device.
- the computer program product includes one or more computer instructions.
- the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, wireless, microwave, etc.) means.
- the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device including a server, a data center, and the like integrated with one or more available media.
- the available media may be magnetic media (e.g., floppy disk, hard disk, magnetic tape), optical media (e.g., DVD), or semiconductor media (e.g., Solid State Disk (SSD)), and the like.
Abstract
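The present application relates to the field of wireless communication technologies and provides an authentication method, including: a first session management function network element receives, from a first network element, an authentication result of the network slice in which a second session management function network element is located. The first session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks. The first session management function network element determines, according to the authentication result, whether to perform the authentication process of the network slice. With the solution provided in this embodiment, the first session management function network element can learn the authentication result of the network slice in which the second session management function network element is located and determine, according to the authentication result, whether to perform the authentication process of the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling interaction.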
Description
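This application claims priority to Chinese patent application No. 201811171638.6, entitled "Authentication method and device", filed with the China National Intellectual Property Administration on October 9, 2018, which is incorporated herein by reference in its entirety.
The present invention relates to the field of communication technology, and in particular, to an authentication method and device.
In the fifth-generation (the 5th-Generation, 5G) communication era, hundreds of billions of Internet of Things devices will access the network, and different types of application scenarios place differentiated requirements on the network. Network slicing technology provides mutually isolated network environments for different application scenarios by virtualizing independent logical networks on the same network infrastructure, so that different application scenarios can customize network functions and characteristics according to their own requirements, thereby guaranteeing the requirements of different services. Because terminal devices have different requirements for rate, capacity, coverage, delay, reliability, security, and bandwidth, the network slices they need to access also differ. When a terminal device accesses a network slice, in addition to the authentication process based on the permanent identifier of the terminal device, there is also an authentication process at network slice granularity.
Currently, in the scenario shown in FIG. 1, the first network slice includes two session management function (session management function, SMF) network elements, SMF-1 and SMF-2, and two user plane function (User plane function, UPF) network elements, UPF-1 and UPF2, and these two SMF network elements and UPF network elements support different data networks (data network, DN). SMF-1 and UPF1 support DN-1, and SMF-2 and UPF2 support DN-2. After the terminal device registers with the access and mobility management function (access and mobility management function, AMF) network element through the registration process, when a first packet data unit (Packet Data Unit, PDU) session is established on the first network slice, the network authenticates the first network slice, and after the authentication succeeds, DN-1 is accessed through SMF-1 and UPF-1. When the terminal device establishes a second PDU session on the first network slice, the second PDU session accesses DN-2 through SMF-2 and UPF-2, and the network authenticates the first network slice again. Therefore, when the second PDU session is established, the network repeatedly authenticates the first network slice, which wastes signaling.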
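Summary of the invention
Embodiments of the present invention provide an authentication method and device.
In one aspect, an embodiment of the present application provides an authentication method, including:
A first session management function network element (for example, the SMF-2 network element in FIGS. 4 to 13) receives, from a first network element (for example, the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIGS. 12 and 13), an authentication result (for example, the first authentication result in FIGS. 4 to 13) of the network slice in which a second session management function network element (for example, the SMF-1 network element in FIGS. 4 to 13) is located. The first session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks. The first session management function network element determines, according to the authentication result, whether to perform the authentication process of the network slice.
According to the above method, the first SMF network element can obtain the authentication result of the network slice in which the second SMF network element is located. Because the first SMF network element and the second SMF network element are located in the same network slice, the first SMF network element can determine, according to the authentication result, whether to perform the authentication process of the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling interaction.
In a possible design, the authentication result is authentication success, and the first session management function network element determines to abandon the authentication process of the network slice. Thus, when the authentication result is authentication success, the first SMF network element determines to abandon the authentication process of the network slice, which avoids repeated authentication of the network slice and reduces signaling interaction.
In a possible design, the first network element is a network storage function network element (for example, an NRF network element) or an unstructured data storage network element (for example, a UDSF network element). Before the first session management function network element receives the authentication result from the first network element, the first session management function network element sends a query request to the first network element, where the query request is used to obtain the authentication result. Thus, the first SMF network element can obtain the authentication result and can subsequently determine, according to the authentication result, whether to perform the authentication process of the network slice.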
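In another aspect, the present application further discloses an authentication method, including:
A session management function network element (for example, the SMF-1 network element or the SMF-2 network element in FIGS. 4 to 13) receives, from an authentication network element, the authentication result of the network slice in which the session management function network element is located. The session management function network element sends first information to a first network element (for example, the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIGS. 12 and 13), where the first information includes the authentication result.
According to the above method, the second SMF network element can send the authentication result of the network slice in which it is located to the first network element. When the second session is established, the first SMF network element serving the second session can obtain the authentication result of the network slice. Because the first SMF network element and the second SMF network element are located in the same network slice, the first SMF network element can determine, according to the authentication result, whether to perform the authentication process of the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling interaction.
In a possible design, the authentication result is authentication success. Thus, when the authentication result is authentication success, the first SMF network element determines to abandon the authentication process of the network slice, which avoids repeated authentication of the network slice and reduces signaling interaction.
In a possible design, the first information further includes at least one of an identifier of the network slice or an identifier of the terminal device. Thus, when the second session is established, the first SMF network element can learn the authentication result corresponding to the network slice according to at least one of the identifier of the network slice or the identifier of the terminal device.
In a possible design, the first network element is a network storage function network element or an unstructured data storage network element. Before the session management function network element receives the authentication result from the authentication network element, the session management function network element sends a query request to the first network element and receives a query response from the first network element, where the query response is used to indicate that the first network element does not include the authentication result of the network slice. Thus, from the fact that the first network element does not include the authentication result of the network slice, the session management function network element can determine that the previous authentication of the network slice failed, or that the network slice authentication performed by the session management function network element is the first authentication process of the network slice.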
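In another aspect, the present application further discloses an authentication method, including:
A first network element (for example, the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIGS. 12 and 13) receives first information from a first session management function network element (for example, the SMF-1 network element in FIGS. 4 to 13), where the first information includes the authentication result of the network slice in which the first session management function network element is located. The first network element sends the authentication result to a second session management function network element (for example, the SMF-2 network element in FIGS. 4 to 13). The second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
According to the above method, the second SMF network element can obtain the authentication result of the network slice in which the first SMF network element is located. Because the first SMF network element and the second SMF network element are located in the same network slice, the second SMF network element can determine, according to the authentication result, whether to perform the authentication process of the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling interaction.
In a possible design, the authentication result is authentication success. Thus, when the authentication result is authentication success, the second SMF network element determines to abandon the authentication process of the network slice, which avoids repeated authentication of the network slice and reduces signaling interaction.
In a possible design, the first information further includes at least one of an identifier of the network slice or an identifier of the terminal device. Thus, when the second session is established, the second SMF network element can learn the authentication result corresponding to the network slice according to at least one of the identifier of the network slice or the identifier of the terminal device.
In a possible design, the first network element is a network storage function network element or an unstructured data storage network element. Before the first network element receives the first information from the first session management function network element, the first network element receives a query request from the first session management function network element and sends a query response to the first session management function network element, where the query response is used to indicate that the first network element does not include the authentication result of the network slice. Thus, from the fact that the first network element does not include the authentication result of the network slice, the first SMF network element can determine that the previous authentication of the network slice failed, or that the network slice authentication performed by the session management function network element is the first authentication process of the network slice.
In a possible design, the first network element receives a deletion request, where the deletion request is used to instruct the first network element to delete the authentication result. Thus, after receiving the deletion request, the first network element can delete the authentication result, thereby saving storage space of the first network element.
In a possible design, the first network element is a user data management function network element, an access and mobility management function network element, a network storage function network element, or an unstructured data storage network element.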
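In another aspect, the present application further discloses an authentication method, including:
A first network element (for example, the UDM network element in FIG. 5, the AMF network element in FIG. 7, the NRF network element in FIG. 9 or FIG. 11, or the UDSF network element in FIG. 13) receives first information from a session management function network element (for example, the SMF-1 network element in FIG. 5, FIG. 7, FIG. 9, FIG. 11 or FIG. 13), where the first information includes the authentication result of the network slice in which the session management function network element is located. The first network element receives a deletion request, where the deletion request is used to instruct the first network element to delete the authentication result.
According to the above method, the first network element can obtain the authentication result of the network slice in which the SMF network element is located, and after receiving the deletion request the first network element can delete the authentication result, thereby saving storage space of the first network element.
In a possible design, the authentication result is authentication success.
In a possible design, the first information further includes at least one of an identifier of the network slice or an identifier of the terminal device. Thus, when the second session is established, the second SMF network element can learn the authentication result corresponding to the network slice according to at least one of the identifier of the network slice or the identifier of the terminal device.
In a possible design, the first network element is a user data management function network element, an access and mobility management function network element, a network storage function network element, or an unstructured data storage network element.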
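In another aspect, an embodiment of the present application provides an authentication device that has the function of implementing the behavior of the first session management function network element (for example, the SMF-2 network element in FIGS. 4 to 13) in the above method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the device includes a processor and a transceiver, and the processor is configured to enable the device to perform the corresponding functions in the above method. The transceiver is used to implement communication between the authentication device and the AMF network element/UDM network element/authentication network element/NRF network element/UDSF network element. The device may further include a memory, which is coupled to the processor and stores program instructions and data necessary for the device.
In another aspect, an embodiment of the present application provides an authentication device that has the function of implementing the behavior of the session management function network element (for example, the SMF-1 network element or the SMF-2 network element in FIGS. 4 to 13) in the above method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the authentication device includes a processor and a transceiver, and the processor is configured to enable the device to perform the corresponding functions in the above method. The transceiver is used to implement communication between the device and the AMF network element/UDM network element/authentication network element/NRF network element/UDSF network element. The device may further include a memory, which is coupled to the processor and stores program instructions and data necessary for the device.
In another aspect, an embodiment of the present application provides an authentication device that has the function of implementing the behavior of the first network element (for example, the UDM network element in FIGS. 4 and 5, the AMF network element in FIGS. 6 and 7, the NRF network element in FIGS. 8 to 11, or the UDSF network element in FIGS. 12 and 13) in the above method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the authentication device includes a processor and a transceiver, and the processor is configured to enable the device to perform the corresponding functions in the above method. The transceiver is used to implement communication between the device and the SMF-1 network element/SMF-2 network element. The device may further include a memory, which is coupled to the processor and stores program instructions and data necessary for the device.
In another aspect, an embodiment of the present application provides an authentication device that has the function of implementing the behavior of the first network element (for example, the UDM network element in FIG. 5, the AMF network element in FIG. 7, the NRF network element in FIG. 9 or FIG. 11, or the UDSF network element in FIG. 13) in the above method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the authentication device includes a processor and a transceiver, and the processor is configured to enable the device to perform the corresponding functions in the above method. The transceiver is used to implement communication between the device and the SMF-1 network element/SMF-2 network element. The device may further include a memory, which is coupled to the processor and stores program instructions and data necessary for the device.
In another aspect, an embodiment of the present application provides a computer-readable storage medium that stores instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
In another aspect, an embodiment of the present application provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
In another aspect, the present application provides a chip system. The chip system includes a processor configured to support the above device in implementing the functions involved in the above aspects, for example, generating or processing the information involved in the above methods. In a possible design, the chip system further includes a memory configured to store program instructions and data necessary for the data sending device. The chip system may consist of a chip, or may include a chip and other discrete devices.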
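To describe the technical solutions in the embodiments of the present invention more clearly, the following describes the drawings needed in the embodiments of the present invention or in the background.
FIG. 1 is a schematic diagram of a scenario in which the network authenticates the first network slice;
FIG. 2 is a schematic diagram of a 5G communication system according to an embodiment of the present application;
FIG. 3 is an authentication method according to an embodiment of the present application;
FIG. 4 is another authentication method according to an embodiment of the present application;
FIG. 5 is another authentication method according to an embodiment of the present application;
FIG. 6 is another authentication method according to an embodiment of the present application;
FIG. 7 is another authentication method according to an embodiment of the present application;
FIG. 8 is another authentication method according to an embodiment of the present application;
FIG. 9 is another authentication method according to an embodiment of the present application;
FIG. 10 is another authentication method according to an embodiment of the present application;
FIG. 11 is another authentication method according to an embodiment of the present application;
FIG. 12 is another authentication method according to an embodiment of the present application;
FIG. 13 is another authentication method according to an embodiment of the present application;
FIGS. 14A and 14B are schematic structural diagrams of an authentication device according to an embodiment of the present application.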
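The following clearly describes the technical solutions in the embodiments of the present application with reference to the drawings in the embodiments of the present application. In the description of the present application, unless otherwise specified, "/" means "or"; for example, A/B may mean A or B. "And/or" in the present application merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may indicate three cases: A exists alone, both A and B exist, and B exists alone. In addition, in the description of the present application, "multiple" means two or more.
FIG. 2 shows a schematic diagram of a 5G communication system provided by an embodiment of the present application. In the 5G mobile network architecture, the control plane function and the forwarding plane function of the mobile gateway are decoupled, and the separated control plane function is merged with traditional third generation partnership project (third generation partnership project, 3GPP) control network elements such as the mobility management entity (mobility management entity, MME) into a unified control plane (control plane). The UPF network element can implement the user plane functions (SGW-U and PGW-U) of the serving gateway (serving gateway, SGW) and the packet data network gateway (packet data network gateway, PGW). Further, the unified control plane network element can be decomposed into an AMF network element and an SMF network element.
As shown in FIG. 2, the communication system includes at least a terminal device (terminal device) 201, an AMF network element 205, an SMF network element 206, and an authentication network element 207.
The terminal device 201 involved in this system is not limited to the 5G network and includes mobile phones, Internet of Things devices, smart home devices, industrial control devices, vehicle devices, and so on. The terminal device may also be called user equipment (User Equipment, UE), a mobile station (Mobile Station), a mobile (Mobile), a remote station (Remote Station), a remote terminal (Remote Terminal), an access terminal (Access Terminal), a user terminal (User Terminal), or a user agent (User Agent), which is not limited here. The terminal device may also be a car in vehicle-to-vehicle (Vehicle-to-vehicle, V2V) communication, a machine in machine-type communication, and the like.
The radio access network (Radio Access Network, RAN) device 202 involved in this system is an apparatus that provides a wireless communication function for the terminal device 202. The RAN device 202 may include various forms of base stations, for example, macro base stations, micro base stations (also called small cells), relay stations, and access points. In systems that use different radio access technologies, the name of the device with the base station function may differ; for example, in an LTE system it is called an evolved NodeB (evolved NodeB, eNB or eNodeB), and in a third-generation (3rd generation, 3G) system it is called a Node B (Node B). In the new-generation system it is called a gNB (gNodeB).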
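The AMF network element 205 involved in this system may be responsible for registration of the terminal device, mobility management, the registration update process, and so on. The AMF network element may also be called an AMF device or an AMF entity.
The SMF network element 206 involved in this system may be responsible for session management of the terminal device. For example, session management includes selection of the user plane device, reselection of the user plane device, internet protocol (internet protocol, IP) address allocation, quality of service (quality of service, QoS) control, and establishment, modification, or release of sessions.
The authentication network element 207 involved in this system may be responsible for the authentication and authorization processes, implementing access control for network slices. For example, the authentication network element 207 may be an authentication and authorization (Authentication and Authorization, AA) function network element in a data network. For another example, the authentication network element 207 may be an authentication, authorization and accounting (Authentication, Authorization and Accounting, AAA) function network element. For example, the authentication network element 207 may be located inside the 3GPP network or in a third-party network. For example, the authentication network element 207 may be a standalone network element, or may be co-located with another network function (for example, the authentication server function (authentication server function, AUSF) or the network exposure function (network exposure function, NEF)). The authentication network element may also be called an authentication device or an authentication entity.
Optionally, the above 5G communication system further includes a UPF network element 203, which can implement functions such as forwarding, statistics collection, and inspection of terminal packets. The UPF network element may also be called a UPF device or a UPF entity.
Optionally, the above 5G communication system further includes a DN 204. For example, the DN may be a service provided by the operator, an Internet access service, or a service provided by a third party.
Optionally, the above 5G communication system further includes a unified data management (Unified Data Management, UDM) network element 208. The UDM network element 208 can store subscription data of the terminal. For example, the subscription data of the terminal includes subscription data related to mobility management and subscription data related to session management. The UDM network element may also be called a UDM device or a UDM entity.
Optionally, the above 5G communication system further includes a network function repository function (Network Function Repository Function, NRF) network element 209. This network element can provide a network element service discovery function. Optionally, the NRF network element 209 can also maintain information about the valid network function network elements in the core network. Optionally, the NRF network element 209 can also maintain the services supported by the valid network function network elements in the core network.
Optionally, the above 5G communication system further includes an unstructured data storage function (Unstructured Data Storage Function, UDSF) network element 210. This network element can provide the function of storing and transferring unstructured data.
Each of the above network elements may be a network element implemented on dedicated hardware, a software instance running on dedicated hardware, or an instance of a virtualized function on a suitable platform; for example, the virtualization platform may be a cloud platform.
In addition, the embodiments of the present application are also applicable to other future-oriented communication technologies. The network architecture and service scenarios described in the present application are intended to explain the technical solutions of the present application more clearly and do not limit the technical solutions provided by the present application. A person of ordinary skill in the art will appreciate that, as the network architecture evolves and new service scenarios emerge, the technical solutions provided by the present application are equally applicable to similar technical problems.
The following takes the 5G communication system shown in FIG. 2 as an example and describes the technical solutions of the present application in detail through several embodiments. The following embodiments may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.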
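FIG. 3 shows an authentication method provided by an embodiment of the present application. With this method, the first SMF network element can obtain the authentication result of the network slice in which the second SMF network element is located and determine, according to the authentication result, whether to perform the authentication process of the network slice. This avoids repeated authentication of the network slice when a session associated with the first SMF network element is established. As shown in FIG. 3, the method may include:
S301. The first session management function network element receives, from the first network element, the authentication result of the network slice in which the second session management function network element is located. The first session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
For example, the first session management function network element is SMF-1 in FIG. 1. The second session management function network element is SMF-2 in FIG. 1. The network slice in which the second session management function network element is located is the first network slice in FIG. 1. The data network supported by the first session management function network element is DN-1 in FIG. 1, and the data network supported by the second session management function network element is DN-2 in FIG. 1. The first network element is the UDM network element 208, the AMF network element 205, the NRF network element 209, or the UDSF network element 210 in FIG. 2.
For example, the authentication result of the network slice in which the second SMF network element is located is authentication success or authentication failure.
S302. The first session management function network element determines, according to the authentication result, whether to perform the authentication process of the network slice.
For example, when the authentication result of the network slice in which the second SMF network element is located is authentication success, the first SMF network element determines to abandon the authentication process of the network slice.
Optionally, when the authentication result of the network slice in which the second SMF network element is located is authentication failure, the first SMF network element determines to perform the authentication process of the network slice.
According to the method of this embodiment of the present invention, the first SMF network element can obtain the authentication result of the network slice in which the second SMF network element is located. Because the first SMF network element and the second SMF network element are located in the same network slice, the first SMF network element can determine, according to the authentication result, whether to perform the authentication process of the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling interaction.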
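FIG. 4 is a flowchart of an authentication method provided by an embodiment of the present application. The flowchart in FIG. 4 describes the scenario in which the first network element in step S301 of FIG. 3 is a UDM network element: the first SMF network element receives from the UDM network element the authentication result of the network slice in which the second SMF network element is located, and determines, according to the authentication result, whether to perform the authentication process of the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling interaction.
In the method shown in FIG. 4, steps S401 to S409 describe the process in which the terminal device initiates the first session; during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDM network element (the first network element in FIG. 3). Steps S410 to S419 describe the process in which the terminal device initiates the second session; during establishment of the second session, the SMF-2 network element (the first SMF network element in FIG. 3) receives the authentication result of the first network slice from the UDM network element and determines, according to the authentication result, whether to perform the authentication process of the first network slice.
The method shown in FIG. 4 may include:
S401. The terminal device sends a first session establishment request to the AMF network element. Correspondingly, the AMF network element receives the first session establishment request from the terminal device.
For example, the terminal device is the terminal device 201 in FIG. 2, and the AMF network element is the AMF network element 205 in FIG. 2.
For example, the terminal device sends the first session establishment request to the AMF network element according to the allowed network slice selection assistance information (Allowed Network Slice Selection Assistance Information, Allowed NSSAI) obtained in the registration process. The Allowed NSSAI includes the single network slice selection assistance information (Single Network Slice Selection Assistance Information, S-NSSAI) corresponding to the first network slice. For example, the first session establishment request message includes the PDU session identifier (identifier, ID) ID-1, the S-NSSAI of the first network slice, and the first data network name (data network name, DNN) DNN-1.
Optionally, the session establishment request further includes a certificate used to perform authentication of the first network slice.
Optionally, if, during the registration process, the network did not determine for the S-NSSAI of the first network slice the network slice instance identifier (network slice instance identifier, NSI ID) corresponding to that S-NSSAI, the AMF network element determines the NSI ID corresponding to the S-NSSAI. In other words, the AMF network element determines the NSI that serves the terminal device.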
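S402. The AMF network element selects the SMF-1 network element.
For example, the SMF-1 network element is the SMF-1 network element in FIG. 1.
For example, the SMF-1 network element supports the first network slice and DNN-1, and the AMF network element selects the SMF-1 network element for the first session according to the S-NSSAI of the first network slice and DNN-1 in the session establishment request message.
S403. The AMF network element sends a create session management context request to the SMF-1 network element. Correspondingly, the SMF-1 network element receives the create session management context request from the AMF network element.
For example, the AMF network element triggers the SMF-1 network element to create a session management context for the terminal device by invoking the create session management context request (for example, Nsmf_PDUSession_CreateSMContext Request) service. For example, the message sent by the AMF network element to the SMF-1 network element through the create session management context request service includes the subscription permanent identifier (subscription permanent identifier, SUPI) of the terminal device, the S-NSSAI, DNN-1, and the first PDU session identifier ID-1.
S404a. The SMF-1 network element registers with the UDM network element.
For example, the SMF-1 network element invokes the registration (for example, Nudm_UECM_Registration) service to register with the UDM network element. For example, the message sent by the SMF-1 network element to the UDM network element through the registration service includes the SUPI of the terminal device, DNN-1, and the first PDU session identifier ID-1.
For example, the UDM network element stores the identifier of the SMF-1 network element, the address of the SMF-1 network element, the SUPI, DNN-1, and the first PDU session identifier ID-1.
S404b. The SMF-1 network element obtains first session management subscription information from the UDM network element.
For example, the SMF-1 network element obtains the first session management subscription information from the UDM network element by invoking the get session management subscription information (for example, Nudm_SDM_Get) service. The message sent by the SMF-1 network element to the UDM network element through the get session management subscription information service includes the SUPI, DNN-1, and the S-NSSAI.
Optionally, the SMF-1 network element subscribes with the UDM network element to updates of the first session management subscription information of the terminal device by invoking the subscribe to session management subscription information (for example, Nudm_SDM_Subscribe) service. For example, the message sent by the SMF-1 network element to the UDM network element through the subscribe to session management subscription information service includes the SUPI, DNN-1, and the S-NSSAI.
Steps S404a and S404b are optional.
S405. The SMF-1 network element sends a create session management context response to the AMF network element. Correspondingly, the AMF network element receives the create session management context response from the SMF-1 network element.
For example, the SMF-1 network element returns the first session management context to the AMF by invoking the create session management context response (for example, Nsmf_PDUSession_CreateSMContext Response) service.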
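S406. The SMF-1 network element determines that authentication needs to be performed on the first network slice.
In a possible implementation, the SMF-1 network element determines, through the subscription information of the terminal device, that authentication needs to be performed on the first network slice. For example, the subscription information includes the S-NSSAI subscribed to by the terminal device. Optionally, the subscription information further includes indication information used to indicate whether the S-NSSAI requires the authentication process of the network slice to be performed. The subscribed S-NSSAI includes the S-NSSAI of the first network slice, indicating that the first network slice is a network slice allowed by the subscription. Therefore, the SMF-1 network element can determine that authentication needs to be performed on the first network slice according to the indication information, in the subscription information, that the S-NSSAI of the first network slice requires authentication.
In another possible implementation, the SMF-1 network element determines that authentication needs to be performed on the first network slice according to the local configuration information of the SMF-1 network element.
Step S406 is optional.
S407. The SMF-1 network element sends a first authentication request to the authentication network element. Correspondingly, the authentication network element receives the first authentication request from the SMF-1 network element.
For example, the authentication network element is the authentication network element 207 in FIG. 2.
For example, the first authentication request includes a certificate used to authenticate the first network slice.
Optionally, if there is no interface for direct communication between the SMF-1 network element and the authentication network element, the SMF-1 network element sends the first authentication request to the authentication network element through the UPF-1 network element.
Optionally, if the first session establishment request in step S401 does not include the certificate used to perform authentication of the first network slice, the SMF-1 network element may obtain the certificate by sending a request message to the terminal device, and then send the certificate to the authentication network element.
S408. The authentication network element sends a first authentication result to the SMF-1 network element. Correspondingly, the SMF-1 network element receives the first authentication result from the authentication network element.
For example, the authentication network element sends the first authentication result to the SMF-1 network element through an authentication response message.
Optionally, when the first authentication result is authentication failure, the authentication response message further includes first cause value information. For example, the first cause value information is used to indicate that the reason the authentication of the first network slice failed is that the certificate used to perform authentication of the first network slice is wrong or invalid.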
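S409. The SMF-1 network element sends first information to the UDM network element. Correspondingly, the UDM network element receives the first information from the SMF-1 network element.
In a possible implementation, the first information includes the first authentication result in step S408. In other words, when the first authentication result is authentication success, the SMF-1 network element sends first information indicating authentication success to the UDM network element. When the first authentication result is authentication failure, the SMF-1 network element sends first information indicating authentication failure to the UDM network element.
In another possible implementation, when the first authentication result is authentication success, the SMF-1 network element sends the first information to the UDM network element. The first information may be used to indicate that the authentication of the first network slice succeeded. Optionally, when the first authentication result is authentication failure, the SMF-1 network element need not send the first information to the UDM network element.
Optionally, the first information further includes at least one of the identifier of the first network slice (for example, the S-NSSAI) or the identifier of the terminal device (for example, the SUPI).
For example, the SMF-1 network element sends the first information to the UDM network element by invoking the user information update (for example, Nudm_UECM_Update) service.
Optionally, the UDM network element stores the first information.
Through the above steps S401 to S409, during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDM network element (the first network element in FIG. 3). In addition, if the first authentication result in step S408 is authentication success, the SMF-1 network element continues the first session establishment process; if the first authentication result in step S408 is authentication failure, establishment of the first session fails.
With reference to the description of steps S406 to S409, the session management function network element (for example, the SMF-1 network element) receives from the authentication network element (for example, the authentication network element) the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the session management function network element is located; the session management function network element sends first information (for example, the first information in step S409) to the first network element (for example, the UDM network element), where the first information includes the authentication result. For example, the authentication result is authentication success. Alternatively, the authentication result is authentication failure. Alternatively, when the first authentication result is authentication success, the session management function network element sends the first information to the first network element. When the first authentication result is authentication failure, the session management function network element need not send the first information to the first network element. Optionally, the first information further includes at least one of the identifier of the network slice (for example, the S-NSSAI) or the identifier of the terminal device (for example, the SUPI).
After step S409, steps S410 to S419 describe the process in which the terminal device initiates establishment of a second PDU session while the first PDU session is in the active state, that is, the first PDU session still exists.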
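S410. The terminal device sends a second session establishment request to the AMF network element. Correspondingly, the AMF network element receives the second session establishment request from the terminal device.
For example, the terminal device sends the second session establishment request to the AMF network element according to the Allowed NSSAI obtained in the registration process. The Allowed NSSAI includes the S-NSSAI corresponding to the first network slice. For example, the second session establishment request message includes the PDU session identifier ID-2, the S-NSSAI of the first network slice, and the second data network name DNN-2.
Optionally, the session establishment request further includes a certificate used to perform authentication of the first network slice.
S411. The AMF network element selects the SMF-2 network element.
For example, the SMF-2 network element is the SMF-2 network element in FIG. 1.
For example, the SMF-2 network element supports the first network slice and DNN-2, and the AMF network element selects the SMF-2 network element for the first session according to the S-NSSAI of the first network slice and DNN-2 in the session establishment request message.
S412. The AMF network element sends a create session management context request to the SMF-2 network element. Correspondingly, the SMF-2 network element receives the create session management context request from the AMF network element.
For example, the AMF network element triggers the SMF-2 network element to create a session management context for the terminal device by invoking the create session management context request (for example, Nsmf_PDUSession_CreateSMContext Request) service. For example, the message sent by the AMF network element to the SMF-2 network element through the create session management context request service includes the SUPI of the terminal device, the S-NSSAI, DNN-2, and the second PDU session identifier ID-2.
S413a. The SMF-2 network element registers with the UDM network element.
For example, the SMF-2 network element invokes the registration (for example, Nudm_UECM_Registration) service to register with the UDM network element. For example, the message sent by the SMF-2 network element to the UDM network element through the registration service includes the SUPI of the terminal device, DNN-2, and the second PDU session identifier ID-2.
For example, the UDM network element stores the identifier of the SMF-2 network element, the address of the SMF-2 network element, the SUPI, DNN-2, and the second PDU session identifier ID-2.
Step S413a is optional.
S413b. The SMF-2 network element obtains second session management subscription information from the UDM network element.
For example, the SMF-2 network element obtains the second session management subscription information from the UDM network element by invoking the get session management subscription information (for example, Nudm_SDM_Get) service. The message sent by the SMF-2 network element to the UDM network element through the get session management subscription information service includes the SUPI, DNN-2, and the S-NSSAI.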
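According to the description of step S409 above, if in step S409 the SMF-1 network element sends to the UDM network element first information indicating authentication success or authentication failure, then, because the UDM network element has received the first authentication result from the SMF-1 network element, the UDM network element also sends the first authentication result, success or failure, to the SMF-2 network element. The first authentication result is used in subsequent step S415 to determine whether to perform the authentication process of the first network slice. In other words, because the SMF-2 network element has received the first authentication result, it determines that subsequent step S415 needs to be performed. Alternatively, the first authentication result sent by the UDM network element to the SMF-2 network element may be indication information indicating authentication success or authentication failure.
Alternatively, if in step S409 the SMF-1 network element sends the first information to the UDM network element when the first authentication result is authentication success, then, when the first authentication result is authentication success, the UDM network element also sends to the SMF-2 network element the first authentication result indicating authentication success. Alternatively, the first authentication result sent by the UDM network element to the SMF-2 network element may be indication information indicating authentication success. If the SMF-2 network element does not receive an authentication result from the UDM network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process of the network slice.
Optionally, the SMF-2 network element subscribes with the UDM network element to updates of the second session management subscription information of the terminal device by invoking the subscribe to session management subscription information (for example, Nudm_SDM_Subscribe) service. For example, the message sent by the SMF-2 network element to the UDM network element through the subscribe to session management subscription information service includes the SUPI, DNN-1, and the S-NSSAI.
S414. The SMF-2 network element sends a create session management context response to the AMF network element. Correspondingly, the AMF network element receives the create session management context response from the SMF-2 network element.
For example, the SMF-1 network element returns the second session management context to the AMF by invoking the create session management context response (for example, Nsmf_PDUSession_CreateSMContext Response) service.
S415. The SMF-2 network element determines whether to perform the authentication process of the first network slice.
For example, the SMF-2 network element received the first authentication result in step S413b and determines that step S415 needs to be performed.
For example, the SMF-2 network element determines, according to the first authentication result, whether to perform the authentication process of the first network slice. If the first authentication result is authentication success, the SMF-2 network element determines to abandon the authentication process of the first network slice. In other words, the SMF-2 network element determines, according to the first authentication result, not to perform the authentication process of the first network slice, that is, it skips the authentication process of the first network slice. Therefore, when the first authentication result is authentication success, the SMF-2 network element performs step S416: the SMF-2 network element determines to abandon the authentication process of the first network slice. Optionally, if the first authentication result is authentication failure, the SMF-2 network element determines to perform the authentication process of the first network slice. In other words, the SMF-2 network element performs the authentication process of the first network slice through steps S417 and S418.
Alternatively, when the SMF-2 network element has received information indicating authentication success from the UDM network element, it can learn that the first network slice has been authenticated successfully and can therefore determine to abandon re-authentication of the first network slice. If the SMF-2 network element does not receive an authentication result from the UDM network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process of the network slice, and therefore determines that subsequent steps S417 and S418 may be performed. In this way, the SMF-2 network element learns the authentication result of the first network slice from whether it has received information indicating authentication success, which can also be regarded as determining, according to the authentication result, whether to perform the authentication process of the first network slice.
Optionally, the conditions for determining whether to perform the authentication process of the first network slice further include the subscription information of the terminal device. The SMF-2 network element determines, through the subscription information of the terminal device, that authentication needs to be performed on the first network slice. For example, the subscription information includes the S-NSSAI subscribed to by the terminal device and indication information used to indicate whether the S-NSSAI requires the authentication process of the network slice to be performed. The SMF-2 network element can determine that authentication needs to be performed on the first network slice according to the indication information, in the subscription information, that the S-NSSAI of the first network slice requires authentication. In another possible implementation, the SMF-2 network element determines that authentication needs to be performed on the first network slice according to the local configuration information of the SMF-2 network element. Further optionally, when the SMF-2 network element determines, according to the subscription information of the terminal device or the local configuration information, that authentication does not need to be performed on the first network slice, the above determination based on the first authentication result or on whether information indicating authentication success has been received can be skipped, thereby shortening the process.
S417. The SMF-2 network element sends a second authentication request to the authentication network element. Correspondingly, the authentication network element receives the second authentication request from the SMF-2 network element.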
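For example, the second authentication request includes a certificate used to authenticate the first network slice.
Optionally, if there is no interface for direct communication between the SMF-1 network element and the authentication network element, the SMF-1 network element sends the authentication request message to the authentication network element through the UPF-1 network element.
Optionally, if the session establishment request in step S410 does not include the certificate used to perform authentication of the first network slice, the SMF network element may obtain the certificate by sending a request message to the terminal device, and then send the certificate to the authentication network element.
S418. The authentication network element sends a second authentication result to the SMF-2 network element. Correspondingly, the SMF-2 network element receives the second authentication result from the authentication network element.
For example, the authentication network element sends the authentication result to the SMF-2 network element through an authentication response message.
Optionally, before step S418, the SMF-2 network element performs step S417:
Optionally, after step S418, the SMF-2 network element performs step S419:
S419. The SMF-2 network element sends second information to the UDM network element. Correspondingly, the UDM network element receives the second information from the SMF-2 network element.
In a possible implementation, the first information includes the second authentication result in step S418. In other words, when the second authentication result is authentication success, the SMF-2 network element sends second information indicating authentication success to the UDM network element. When the second authentication result is authentication failure, the SMF-1 network element sends second information indicating authentication failure to the UDM network element.
In another possible implementation, when the second authentication result is authentication success, the SMF-2 network element sends the second information to the UDM network element. The second information may be used to indicate that the authentication of the first network slice succeeded. Optionally, when the first authentication result is authentication failure, the SMF-2 network element need not send the second information to the UDM network element.
Optionally, the second information further includes at least one of the identifier of the first network slice (for example, the S-NSSAI) or the identifier of the terminal device (for example, the SUPI).
For example, the SMF-2 network element sends the second information to the UDM network element by invoking the user information update (for example, Nudm_UECM_Update) service.
Optionally, the UDM network element stores the second information.
With reference to the description of FIG. 4, the present invention discloses an authentication method as follows: the first network element (for example, the UDM network element) receives first information (for example, the first information in step S409) from the first session management function network element (for example, the SMF-1 network element), where the first information includes the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the first session management function network element is located. The first network element sends the authentication result to the second session management function network element (for example, the SMF-2 network element). The second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks. Optionally, the authentication result in this method is authentication success. Optionally, the first information in this method further includes at least one of the identifier of the network slice (for example, the S-NSSAI) or the identifier of the terminal device (for example, the SUPI).
Therefore, according to the method of this embodiment of the present invention, during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDM network element (the first network element in FIG. 3). During establishment of the second session, the SMF-2 network element (the first SMF network element in FIG. 3) receives the authentication result of the first network slice from the UDM network element and determines, according to the authentication result, whether to perform the authentication process of the first network slice. Because the SMF-1 network element and the SMF-2 network element are both located in the first network slice, the SMF-2 network element can obtain the authentication result of the first network slice from the UDM network element. When the authentication result is authentication success, the SMF-2 network element determines to abandon the authentication process of the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling interaction.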
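FIG. 5 is a flowchart of another authentication method provided by an embodiment of the present application. With reference to the description of FIG. 4, the method described in FIG. 5 is applicable to the following scenario: before step S413b of FIG. 4 is performed, the first session is released, and the authentication result obtained by the UDM network element in step S409 is also deleted. Therefore, when the SMF-2 network element performs step S413b, it cannot obtain the first authentication result from the UDM network element. The method shown in FIG. 5 may include:
For steps S501 to S509, refer to the description of steps S401 to S409 in FIG. 4; details are not repeated here.
The method shown in FIG. 5 further includes:
S510. The SMF-1 network element determines to release the first session.
For example, the release process of the first session may be triggered by the terminal device or by the network.
Step S510 is optional.
S511. The SMF-1 network element sends a deletion request to the UDM network element.
For example, the SMF-1 network element sends the deletion request to the UDM network element by invoking the deregistration (for example, Nudm_UECM_Deregistration) service. For example, the message sent by the SMF-1 network element to the UDM network element through the deregistration service includes the identifier of the SMF-1 network element, DNN-1, and the first PDU session identifier ID-1.
S512. The UDM network element deletes the first information.
For example, the UDM network element deletes the first information according to the deletion request received in step S511.
Through the above steps S509 to S512, the first network element (for example, the UDM network element) receives first information (for example, the first information in step S509) from the session management function network element (for example, the SMF-1 network element), where the first information includes the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the session management function network element is located; the first network element receives a deletion request (for example, the deletion request in step S511), where the deletion request is used to instruct the first network element to delete the authentication result. Optionally, the authentication result in this method is authentication success. Optionally, the first information in this method further includes at least one of the identifier of the network slice (for example, the S-NSSAI) or the identifier of the terminal device (for example, the SUPI).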
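Steps S513 to S521 describe the process in which the terminal device initiates establishment of a second PDU session after the first PDU session has been released.
For steps S513 to S516a, refer to the description of steps S410 to S413a in FIG. 4; details are not repeated here.
Optionally, the method further includes step S516b. It should be noted that step S516b occurs after step S512.
S516b. The SMF-2 network element obtains second session management subscription information.
For example, the SMF-2 network element obtains the second session management subscription information from the UDM network element by invoking the get session management subscription information (for example, Nudm_SDM_Get) service. The message sent by the SMF-2 network element to the UDM network element through the get session management subscription information service includes the SUPI, DNN-2, and the S-NSSAI.
Optionally, the SMF-2 network element subscribes with the UDM network element to updates of the second session management subscription information of the terminal device by invoking the subscribe to session management subscription information (for example, Nudm_SDM_Subscribe) service. For example, the message sent by the SMF-2 network element to the UDM network element through the subscribe to session management subscription information service includes the SUPI, DNN-1, and the S-NSSAI.
Optionally, if the information returned by the UDM network element does not contain the first authentication result, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication process of the network slice, and therefore determines that steps S518 to S521 may be performed.
The method further includes step S517. For S517, refer to the description of step S414 in FIG. 4; details are not repeated here.
Optionally, the method further includes step S518.
S518. The SMF-2 network element determines that authentication needs to be performed on the first network slice.
In a possible implementation, the SMF-2 network element determines, through the subscription information of the terminal device, that authentication needs to be performed on the first network slice. For example, the subscription information includes the S-NSSAI subscribed to by the terminal device. Optionally, the subscription information further includes indication information used to indicate whether the S-NSSAI requires the authentication process of the network slice to be performed. Because the first network slice is a network slice allowed by the subscription, the subscribed S-NSSAI includes the S-NSSAI of the first network slice. Therefore, the SMF-2 network element can determine that authentication needs to be performed on the first network slice according to the indication information, in the subscription information, that the S-NSSAI of the first network slice requires authentication.
In another possible implementation, the SMF-2 network element determines that authentication needs to be performed on the first network slice according to the local configuration information of the SMF-2 network element.
Optionally, the method further includes steps S519 to S521. For S519 to S521, refer to the description of steps S417 to S419 in FIG. 4; details are not repeated here.
Therefore, according to the method of this embodiment of the present invention, during establishment of the first session, the SMF-1 network element sends first information to the UDM network element, where the first information includes the authentication result of the first network slice. When the first session is released, the UDM network element receives the deletion request and deletes the first information. Thus, after the first session is released, storage space in the UDM network element can be saved. Further, during establishment of the second session, the information received by the SMF-2 network element from the UDM network element does not include the authentication result of the first network slice, so the SMF-2 network element performs authentication of the first network slice and sends second information including the second authentication result to the UDM network element. When a PDU session is subsequently established, an SMF network element other than the SMF-2 network element can obtain the second authentication result from the UDM network element and determine, according to the second authentication result, whether to perform the authentication process of the first network slice. This avoids repeated authentication of the first network slice when the second authentication result is authentication success, thereby reducing signaling interaction.
It should be noted that, in FIG. 5, if step S513 occurs after the first session is released, there is only one session initiated by the terminal device. Therefore, the second PDU session identifier ID-2 and the first PDU session identifier ID-1 may be the same or different. If the DNN-2 of the second PDU session is the same as the DNN-1 of the first PDU session, the SMF-2 network element selected by the AMF network element for the second session and the SMF-1 network element of the first session may be the same; if the DNN-2 of the second PDU session is different from the DNN-1 of the first PDU session, the SMF-2 network element selected by the AMF network element for the second session may be different from the SMF-1 network element of the first session. This solution does not limit whether the SMF-2 network element corresponding to the second session and the SMF-1 network element corresponding to the first session are the same or different.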
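FIG. 6 is a flowchart of yet another authentication method according to an embodiment of this application. The flowchart in FIG. 6 describes the scenario in which the first network element in step S301 of FIG. 3 is an AMF network element: the first SMF network element receives, from the AMF network element, the authentication result of the network slice in which the second SMF network element is located, and determines, based on the authentication result, whether to perform the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.
In the method shown in FIG. 6, steps S601 to S609 describe the procedure in which the terminal device initiates the first session; during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the AMF network element (the first network element in FIG. 3). Steps S610 to S620 describe the procedure in which the terminal device initiates the second session; during establishment of the second session, the SMF-2 network element (the first SMF network element in FIG. 3) receives the authentication result of the first network slice from the AMF network element and determines, based on the authentication result, whether to perform the authentication procedure for the first network slice.
FIG. 6 may be read together with the description of FIG. 4. The method shown in FIG. 6 may include:
For steps S601 to S608, refer to the description of steps S401 to S408 in FIG. 4; details are not repeated here.
S609. The SMF-1 network element sends first information to the AMF network element. Correspondingly, the AMF network element receives the first information from the SMF-1 network element.
In a possible implementation, the first information includes the first authentication result from step S608. That is, when the first authentication result is authentication success, the SMF-1 network element sends to the AMF network element first information indicating authentication success. When the first authentication result is authentication failure, the SMF-1 network element sends to the AMF network element first information indicating authentication failure.
In another possible implementation, when the first authentication result is authentication success, the SMF-1 network element sends the first information to the AMF network element. The first information may be used to indicate that authentication of the first network slice succeeded. Optionally, when the first authentication result is authentication failure, the SMF-1 network element need not send the first information to the AMF network element.
Optionally, the first information further includes at least one of an identifier of the first network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
For example, the SMF-1 network element sends the first information to the AMF network element by invoking an information transfer service (for example, Namf_Communication_N1N2MessageTransfer). Optionally, the message that the SMF-1 network element sends to the AMF network element through the information transfer service further includes the SUPI and the S-NSSAI of the first network slice.
Optionally, the AMF network element stores the first information in the context of the terminal device.
Through steps S601 to S609 above, during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the AMF network element (the first network element in FIG. 3). In addition, if the first authentication result in step S608 is authentication success, the SMF-1 network element continues the first session establishment procedure; if the first authentication result in step S608 is authentication failure, establishment of the first session fails.
With reference to the description of steps S606 to S609, a session management function network element (for example, the SMF-1 network element) receives, from an authentication network element (for example, the authentication network element), the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the session management function network element is located; the session management function network element sends first information (for example, the first information in step S609) to the first network element (for example, the AMF network element), where the first information includes the authentication result. For example, the authentication result is authentication success. Alternatively, the authentication result is authentication failure. Alternatively, when the first authentication result is authentication success, the session management function network element sends the first information to the first network element; when the first authentication result is authentication failure, the session management function network element need not send the first information to the first network element. Optionally, the first information further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
After step S609, steps S610 to S620 describe the procedure in which the terminal device, while the first PDU session is in the active state, initiates establishment of a second PDU session; that is, the first PDU session still exists.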
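For steps S610 to S611, refer to the description of steps S410 to S411 in FIG. 4; details are not repeated here.
Optionally, the method further includes step S612.
S612. The AMF network element determines that the network has already performed authentication of the first network slice.
For example, based on the first information received from the SMF-1 network element in step S609, the AMF network element can determine that the network has already performed authentication of the first network slice. The AMF network element therefore determines to perform step S613 below.
S613. The AMF network element sends a create session management context request to the SMF-2 network element. Correspondingly, the SMF-2 network element receives the create session management context request from the AMF network element. For example, the AMF network element triggers the SMF-2 network element to create a session management context for the terminal device by invoking the create session management context request service (for example, Nsmf_PDUSession_CreateSMContext Request). For example, the message that the AMF network element sends to the SMF-2 network element through this service includes the terminal device's SUPI, the S-NSSAI, DNN-2, and the second PDU session identifier ID-2.
According to the description of step S609 above, if in step S609 the SMF-1 network element sends to the AMF network element first information indicating authentication success or authentication failure, then, because the AMF network element has received the first authentication result from the SMF-1 network element, the AMF network element also sends the first authentication result, success or failure, to the SMF-2 network element. The first authentication result is used in subsequent step S616 to determine whether to perform the authentication procedure for the first network slice. That is, because the SMF-2 network element has received the first authentication result, it determines that subsequent step S616 needs to be performed. Alternatively, the first authentication result that the AMF network element sends to the SMF-2 network element may be indication information that indicates authentication success or authentication failure.
Alternatively, if in step S609 the SMF-1 network element sends the first information to the AMF network element when the first authentication result is authentication success, then, when the first authentication result is authentication success, the AMF network element also sends to the SMF-2 network element a first authentication result indicating authentication success. Alternatively, the first authentication result that the AMF network element sends to the SMF-2 network element may be indication information that indicates authentication success. If the SMF-2 network element does not receive an authentication result from the AMF network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication procedure for the network slice.
Optionally, the method further includes S614a and S614b. For step S614a, refer to the description of step S413a in FIG. 4; details are not repeated here.
S614b. The SMF-2 network element obtains second session management subscription information from the UDM network element.
For example, the SMF-2 network element obtains the second session management subscription information from the UDM network element by invoking a service for obtaining session management subscription information (for example, Nudm_SDM_Get). The message that the SMF-2 network element sends to the UDM network element through this service includes the SUPI, DNN-2, and the S-NSSAI.
Optionally, the SMF-2 network element subscribes, with the UDM network element, to updates of the terminal device's second session management subscription information by invoking a service for subscribing to session management subscription information (for example, Nudm_SDM_Subscribe). For example, the message that the SMF-2 network element sends to the UDM network element through this service includes the SUPI, DNN-1, and the S-NSSAI.
The method further includes steps S615 to S617. For S615 and S617, refer to the description of steps S414 and S416 in FIG. 4; details are not repeated here.
S616. The SMF-2 network element determines whether to perform the authentication procedure for the first network slice.
For example, the SMF-2 network element received the first authentication result in step S613 and determines that step S616 needs to be performed.
For example, the SMF-2 network element determines, based on the first authentication result, whether to perform the authentication procedure for the first network slice. If the first authentication result is authentication success, the SMF-2 network element determines to forgo the authentication procedure for the first network slice. That is, based on the first authentication result, the SMF-2 network element determines not to perform the authentication procedure for the first network slice, or in other words, skips the authentication process for the first network slice. Therefore, when the first authentication result is authentication success, the SMF-2 network element performs step S617: the SMF-2 network element determines to forgo the authentication procedure for the first network slice.
Optionally, if the first authentication result is authentication failure, the SMF-2 network element determines to perform the authentication procedure for the first network slice. That is, the SMF-2 network element performs the authentication procedure for the first network slice through steps S618 and S619.
Alternatively, when the SMF-2 network element receives from the AMF network element information indicating authentication success, it learns that the first network slice has been authenticated successfully and can therefore determine to forgo re-authentication of the first network slice. If the SMF-2 network element does not receive an authentication result from the AMF network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication procedure for the network slice, and therefore determines that subsequent steps S618 and S619 may be performed. In this way, the SMF-2 network element learns the authentication result of the first network slice from whether it has received information indicating authentication success, which can also be regarded as determining, based on the authentication result, whether to perform the authentication procedure for the first network slice.
Optionally, the conditions for determining whether to perform the authentication procedure for the first network slice further include the terminal device's subscription information. The SMF-2 network element determines from the terminal device's subscription information that authentication needs to be performed on the first network slice. For example, the subscription information includes the S-NSSAI to which the terminal device is subscribed and indication information that indicates whether the network slice authentication procedure needs to be performed for that S-NSSAI. The SMF-2 network element can determine that authentication needs to be performed on the first network slice based on the indication information in the subscription information stating that the S-NSSAI of the first network slice requires authentication. In another possible implementation, the SMF-2 network element determines, according to its local configuration information, that authentication needs to be performed on the first network slice. Further optionally, when the SMF-2 network element determines, from the terminal device's subscription information or the local configuration information, that authentication of the first network slice is not required, it may skip the above determination based on the first authentication result or on whether information indicating authentication success has been received, thereby shortening the procedure.
Optionally, the method further includes steps S618 to S620. For steps S618 to S620, refer to the description of steps S417 to S419 in FIG. 4; details are not repeated here.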
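With reference to the description of FIG. 6, the present invention discloses an authentication method as follows: a first network element (for example, an AMF network element) receives first information (for example, the first information in step S609) from a first session management function network element (for example, an SMF-1 network element), where the first information includes an authentication result (for example, a first authentication result) of the network slice (for example, a first network slice) in which the first session management function network element is located. The first network element sends the authentication result to a second session management function network element (for example, an SMF-2 network element), where the second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks. Optionally, the authentication result in this method is authentication success. Optionally, the first information in this method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
Therefore, according to the method of this embodiment of the present invention, during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the AMF network element (the first network element in FIG. 3). During establishment of the second session, the SMF-2 network element (the first SMF network element in FIG. 3) receives the authentication result of the first network slice from the AMF network element and determines, based on the authentication result, whether to perform the authentication procedure for the first network slice. Because the SMF-1 network element and the SMF-2 network element are both located in the first network slice, the SMF-2 network element can obtain the authentication result of the first network slice from the AMF network element. When the authentication result is authentication success, the SMF-2 network element determines to forgo the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.
FIG. 7 is a flowchart of yet another authentication method according to an embodiment of this application. With reference to the description of FIG. 6, the method described in FIG. 7 is applicable to the following scenario: before step S613 in FIG. 6 is performed, the first session is released, and the authentication result obtained by the AMF network element in step S609 is also deleted. Therefore, when the SMF-2 network element performs step S613, it cannot obtain the first authentication result from the AMF network element. FIG. 7 is described with reference to FIG. 5 and FIG. 6. The method shown in FIG. 7 may include:
For steps S701 to S709, refer to the description of steps S601 to S609 in FIG. 6; details are not repeated here.
The method shown in FIG. 7 further includes:
S710. The AMF network element determines to release the first session.
For example, the release procedure of the first session may be triggered by the terminal device or by the network.
For example, when the release procedure of the first session is triggered by the terminal device, the AMF network element receives a deletion request from the terminal device, where the deletion request instructs the first network element to delete the authentication result.
Step S710 is optional.
S711. The AMF network element deletes the first information.
Through steps S709 to S711 above, the first network element (for example, the AMF network element) receives first information (for example, the first information in step S709) from a session management function network element (for example, the SMF-1 network element), where the first information includes an authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the session management function network element is located; the first network element receives a deletion request (for example, the deletion request in step S710), where the deletion request instructs the first network element to delete the authentication result. Optionally, the authentication result in this method is authentication success. Optionally, the first information in this method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).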
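Steps S712 to S720 describe the procedure in which the terminal device initiates establishment of a second PDU session after the first PDU session is released.
For steps S712 and S713, refer to the description of steps S610 and S611 in FIG. 6; details are not repeated here.
The method further includes step S714. Note that step S714 occurs after step S711.
S714. The AMF network element sends a create session management context request to the SMF-2 network element. Correspondingly, the SMF-2 network element receives the create session management context request from the AMF network element.
For example, the AMF network element triggers the SMF-2 network element to create a session management context for the terminal device by invoking the create session management context request service (for example, Nsmf_PDUSession_CreateSMContext Request). For example, the message that the AMF network element sends to the SMF-2 network element through this service includes the terminal device's SUPI, the S-NSSAI, DNN-2, and the second PDU session identifier ID-2.
Optionally, if the information sent by the AMF network element does not include the first authentication result, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication procedure for the network slice, and therefore determines to perform steps S717 to S720.
The method further includes steps S715a, S715b, and S716. For S715a, S715b, and S716, refer to the description of steps S614a, S614b, and S615 in FIG. 6; details are not repeated here.
Optionally, the method further includes steps S717 to S720. For S717 to S720, refer to the description of steps S518 to S521 in FIG. 5; details are not repeated here.
Therefore, according to the method of this embodiment of the present invention, during establishment of the first session, the SMF-1 network element sends first information to the AMF network element, where the first information includes the authentication result of the first network slice. When the first session is released, the AMF network element deletes the first information. As a result, storage space in the AMF network element can be saved after the first session is released. Further, during establishment of the second session, the information that the SMF-2 network element receives from the AMF network element does not include the authentication result of the first network slice; the SMF-2 network element performs authentication of the first network slice and sends second information including a second authentication result to the AMF network element. When a PDU session is subsequently established, an SMF network element other than the SMF-2 network element can obtain the second authentication result from the AMF network element and determine, based on the second authentication result, whether to perform the authentication procedure for the first network slice. This avoids repeated authentication of the first network slice when the second authentication result is authentication success, thereby reducing signaling exchange.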
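The reuse-or-authenticate decision of step S616 and the delete-on-release behaviour of FIG. 5 and FIG. 7 can be modelled as follows. This is an added example, not code from the patent: the class and method names, the identifiers, and the authentication back end are hypothetical, and treating a missing subscription indication as "authentication required" is an assumption of the example.

```python
"""Added illustration: reuse of a stored network-slice authentication result.

All names are hypothetical; they are not 3GPP service operations and are
not taken from the patent text.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class AuthResult(Enum):
    SUCCESS = "success"
    FAILURE = "failure"


@dataclass
class FirstNetworkElement:
    """Stands in for the UDM/AMF/NRF/UDSF element that keeps the first information."""
    _results: Dict[Tuple[str, str], AuthResult] = field(default_factory=dict)

    def store(self, supi: str, s_nssai: str, result: AuthResult) -> None:
        # The first information carries the result plus SUPI and S-NSSAI,
        # so that pair is used as the lookup key.
        self._results[(supi, s_nssai)] = result

    def query(self, supi: str, s_nssai: str) -> Optional[AuthResult]:
        # None models a response that contains no authentication result.
        return self._results.get((supi, s_nssai))

    def delete(self, supi: str, s_nssai: str) -> None:
        self._results.pop((supi, s_nssai), None)


@dataclass
class Smf:
    name: str
    s_nssai: str
    dnn: str
    first_ne: FirstNetworkElement
    authenticate: Callable[[str, str], AuthResult]  # authentication network element
    auth_runs: int = 0

    def establish_session(self, supi: str, auth_required: Dict[str, bool]) -> str:
        # Subscription (or local configuration) says no slice authentication is
        # needed: the stored-result check is skipped altogether.
        # Assumption of this example: a missing indication means "required".
        if not auth_required.get(self.s_nssai, True):
            return "established:auth-not-required"
        stored = self.first_ne.query(supi, self.s_nssai)
        if stored is AuthResult.SUCCESS:
            return "established:auth-skipped"
        # Stored failure or no stored result: run the slice authentication and
        # report the outcome so that later sessions can reuse it.
        self.auth_runs += 1
        result = self.authenticate(supi, self.s_nssai)
        self.first_ne.store(supi, self.s_nssai, result)
        if result is AuthResult.SUCCESS:
            return "established:authenticated"
        return "rejected:auth-failed"

    def release_session(self, supi: str) -> None:
        # Deletion request sent when the session is released.
        self.first_ne.delete(supi, self.s_nssai)


def run_scenario() -> List[str]:
    # Constructed identifiers and a constructed authentication back end.
    ue_a, ue_b, slice_1 = "supi-A", "supi-B", "s-nssai-1"

    def auth_backend(supi: str, s_nssai: str) -> AuthResult:
        return AuthResult.SUCCESS if supi == ue_a else AuthResult.FAILURE

    ne = FirstNetworkElement()
    smf1 = Smf("SMF-1", slice_1, "DNN-1", ne, auth_backend)
    smf2 = Smf("SMF-2", slice_1, "DNN-2", ne, auth_backend)
    required = {slice_1: True}

    log = [
        smf1.establish_session(ue_a, required),  # first session: authenticates
        smf2.establish_session(ue_a, required),  # second session: reuses success
        smf2.establish_session(ue_b, required),  # other terminal: nothing to reuse
    ]
    smf1.release_session(ue_a)                   # first information is deleted
    log.append(smf2.establish_session(ue_a, required))          # authenticates again
    log.append(smf2.establish_session(ue_a, {slice_1: False}))  # check not needed
    log.append(f"SMF-1 runs={smf1.auth_runs} SMF-2 runs={smf2.auth_runs}")
    return log


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Keying the stored result on both SUPI and S-NSSAI is what keeps a success recorded for one terminal device from being reused for another, and a missing result always leads to a fresh authentication.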
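Note that, in FIG. 7, if step S712 occurs after the first session is released, the terminal device has initiated only one session. Therefore, the second PDU session identifier ID-2 and the first PDU session identifier ID-1 may be the same or different. If DNN-2 of the second PDU session is the same as DNN-1 of the first PDU session, the SMF-2 network element that the AMF network element selects for the second session may be the same as the SMF-1 network element of the first session; if DNN-2 of the second PDU session differs from DNN-1 of the first PDU session, the SMF-2 network element that the AMF network element selects for the second session may differ from the SMF-1 network element of the first session. This solution places no restriction on whether the SMF-2 network element corresponding to the second session and the SMF-1 network element corresponding to the first session are the same or different.
FIG. 8 is a flowchart of yet another authentication method according to an embodiment of this application. The flowchart in FIG. 8 describes the scenario in which the first network element in step S301 of FIG. 3 is an NRF network element: the first SMF network element receives, from the NRF network element, the authentication result of the network slice in which the second SMF network element is located, and determines, based on the authentication result, whether to perform the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.
In the method shown in FIG. 8, steps S801 to S809 describe the procedure in which the terminal device initiates the first session; during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3). Steps S810 to S819 describe the procedure in which the terminal device initiates the second session; during establishment of the second session, the SMF-2 network element (the first SMF network element in FIG. 3) receives, via the AMF network element, the authentication result of the first network slice from the NRF network element and determines, based on the authentication result, whether to perform the authentication procedure for the first network slice.
FIG. 8 may be read together with the descriptions of FIG. 4 and FIG. 6. The method shown in FIG. 8 may include:
For step S801, refer to the description of step S401 in FIG. 4; details are not repeated here.
Steps S802a and S802b are a detailed description of step S402. That is, the AMF network element selects the SMF-1 network element by performing steps S802a and S802b.
S802a. The AMF network element sends a first request to the NRF network element. Correspondingly, the NRF network element receives the first request from the AMF network element. The first request is used to obtain information about an SMF network element that serves the first session.
For example, the NRF network element is located in the first network slice.
For example, the AMF network element sends the first request to the NRF network element by invoking the discovery request service (Nnrf_NFDiscovery_Request). The first request includes the S-NSSAI of the first network slice, DNN-1, and the NSI ID.
S802b. The NRF network element sends a first response to the AMF network element. Correspondingly, the AMF network element receives the first response from the NRF network element.
For example, the NRF network element sends the first response to the AMF network element by invoking the discovery response service (Nnrf_NFDiscoveryResponse). The first response includes the address or identification information of the SMF-1 network element. The SMF-1 network element is located in the first network slice and supports the S-NSSAI and DNN-1. The NRF network element selects the SMF-1 network element to serve the first session.
For steps S803 to S808, refer to the description of steps S403 to S408 in FIG. 4; details are not repeated here.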
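S809. The SMF-1 network element sends first information to the NRF network element. Correspondingly, the NRF network element receives the first information from the SMF-1 network element.
In a possible implementation, the first information includes the first authentication result from step S808. That is, when the first authentication result is authentication success, the SMF-1 network element sends to the NRF network element first information indicating authentication success. When the first authentication result is authentication failure, the SMF-1 network element sends to the NRF network element first information indicating authentication failure.
In another possible implementation, when the first authentication result is authentication success, the SMF-1 network element sends the first information to the NRF network element. The first information may be used to indicate that authentication of the first network slice succeeded. Optionally, when the first authentication result is authentication failure, the SMF-1 network element need not send the first information to the NRF network element.
Optionally, the first information further includes at least one of an identifier of the first network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
For example, the SMF-1 network element sends the first information to the NRF network element by invoking a network function update service (for example, Nnrf_NFManagement_NFUpdate). Optionally, the message that the SMF-1 network element sends to the NRF network element through the network function update service further includes the SUPI and the S-NSSAI of the first network slice.
Optionally, the NRF network element stores the first information.
Through steps S801 to S809 above, during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3). In addition, if the first authentication result in step S808 is authentication success, the SMF-1 network element continues the first session establishment procedure; if the first authentication result in step S808 is authentication failure, establishment of the first session fails.
With reference to the description of steps S808 to S809, a session management function network element (for example, the SMF-1 network element) receives, from an authentication network element (for example, the authentication network element), the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the session management function network element is located; the session management function network element sends first information (for example, the first information in step S809) to the first network element (for example, the NRF network element), where the first information includes the authentication result. For example, the authentication result is authentication success. Alternatively, the authentication result is authentication failure. Alternatively, when the first authentication result is authentication success, the session management function network element sends the first information to the first network element; when the first authentication result is authentication failure, the session management function network element need not send the first information to the first network element. Optionally, the first information further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
After step S809, steps S810 to S820 describe the procedure in which the terminal device, while the first PDU session is in the active state, initiates establishment of a second PDU session; that is, the first PDU session still exists.
For step S810, refer to the description of step S410 in FIG. 4; details are not repeated here.
S811a. The AMF network element sends a second request to the NRF network element. Correspondingly, the NRF network element receives the second request from the AMF network element. The second request is used to obtain information about an SMF network element that serves the second session.
For example, the AMF network element sends the second request to the NRF network element by invoking the discovery request service (Nnrf_NFDiscovery_Request). The second request includes the S-NSSAI of the first network slice, DNN-2, and the NSI ID.
S811b. The NRF network element sends a second response to the AMF network element. Correspondingly, the AMF network element receives the second response from the NRF network element.
For example, the NRF network element sends the second response to the AMF network element by invoking the discovery response service (Nnrf_NFDiscoveryResponse). The second response message includes the address or identification information of the SMF-2 network element. The SMF-2 network element is located in the first network slice and supports the S-NSSAI and DNN-2. The NRF network element selects the SMF-2 network element to serve the second session.
According to the description of step S809 above, if in step S809 the SMF-1 network element sends to the NRF network element first information indicating authentication success or authentication failure, then, because the NRF network element has received the first authentication result from the SMF-1 network element, the NRF network element also sends the first authentication result, success or failure, to the AMF network element, and the AMF network element in turn sends the first authentication result, success or failure, to the SMF-2 network element. The first authentication result is used by the SMF-2 network element in subsequent step S815 to determine whether to perform the authentication procedure for the first network slice. That is, because the SMF-2 network element has received the first authentication result, it determines that subsequent step S815 needs to be performed. Alternatively, the first authentication result that the NRF network element sends to the AMF network element may be indication information that indicates authentication success or authentication failure.
Alternatively, if in step S809 the SMF-1 network element sends the first information to the NRF network element when the first authentication result is authentication success, then, when the first authentication result is authentication success, the NRF network element also sends to the AMF network element a first authentication result indicating authentication success. Alternatively, the first authentication result that the NRF network element sends to the AMF network element may be indication information that indicates authentication success. If the SMF-2 network element does not receive an authentication result from the AMF network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication procedure for the network slice.
For steps S812 to S819, refer to the description of steps S613 to S620 in FIG. 6; details are not repeated here.
With reference to the description of FIG. 8, the present invention discloses an authentication method as follows: a first network element (for example, an NRF network element) receives first information (for example, the first information in step S809) from a first session management function network element (for example, an SMF-1 network element), where the first information includes an authentication result (for example, a first authentication result) of the network slice (for example, a first network slice) in which the first session management function network element is located. The first network element sends the authentication result to a second session management function network element (for example, an SMF-2 network element), where the second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks. Optionally, the authentication result in this method is authentication success. Optionally, the first information in this method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
Therefore, according to the method of this embodiment of the present invention, during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3). During establishment of the second session, the SMF-2 network element (the first SMF network element in FIG. 3) receives the authentication result of the first network slice from the AMF network element, where the authentication result of the first network slice is received by the AMF network element from the NRF network element. The SMF-2 network element determines, based on the authentication result, whether to perform the authentication procedure for the first network slice. Because the SMF-1 network element and the SMF-2 network element are both located in the first network slice, the SMF-2 network element can obtain the authentication result of the first network slice. When the authentication result is authentication success, the SMF-2 network element determines to forgo the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.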
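FIG. 9 is a flowchart of yet another authentication method according to an embodiment of this application. With reference to the description of FIG. 8, the method described in FIG. 9 is applicable to the following scenario: before step S811b in FIG. 8 is performed, the first session is released, and the authentication result obtained by the NRF network element in step S809 is also deleted. Therefore, when the NRF network element performs step S811b, it cannot send the first authentication result to the SMF-2 network element. FIG. 9 is described with reference to FIG. 7 and FIG. 8. The method shown in FIG. 9 may include:
For steps S901 to S909, refer to the description of steps S801 to S809 in FIG. 8; details are not repeated here.
The method shown in FIG. 9 further includes:
S910. The SMF-1 network element determines to release the first session.
For example, the release procedure of the first session may be triggered by the terminal device or by the network.
Step S910 is optional.
S911. The SMF-1 network element sends a deletion request to the NRF network element.
For example, the SMF-1 network element sends the deletion request to the NRF network element by invoking a network function update service (for example, Nnrf_NFManagement_NFUpdate). For example, the message that the SMF-1 network element sends to the NRF network element through the network function update service includes the terminal device's SUPI and the S-NSSAI of the first network slice.
S912. The NRF network element deletes the first information.
For example, the NRF network element deletes the first information according to the deletion request received in step S911.
Through steps S909 to S912 above, the first network element (for example, the NRF network element) receives first information (for example, the first information in step S909) from a session management function network element (for example, the SMF-1 network element), where the first information includes an authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the session management function network element is located; the first network element receives a deletion request (for example, the deletion request in step S911), where the deletion request instructs the first network element to delete the authentication result. Optionally, the authentication result in this method is authentication success. Optionally, the first information in this method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
Steps S913 to S921 describe the procedure in which the terminal device initiates establishment of a second PDU session after the first PDU session is released.
For steps S912 and S914a, refer to the description of steps S810 and S811a in FIG. 8; details are not repeated here.
The method further includes step S914b. Note that step S914b occurs after step S912.
S914b. The NRF network element sends a second response to the AMF network element. Correspondingly, the AMF network element receives the second response from the NRF network element.
For example, the NRF network element sends the second response to the AMF network element by invoking the discovery response service (Nnrf_NFDiscoveryResponse). The second response includes the address or identification information of the SMF-2 network element. The SMF-2 network element is located in the first network slice and supports the S-NSSAI and DNN-2. The NRF network element selects the SMF-2 network element to serve the second session.
S915. The AMF network element sends a create session management context request to the SMF-2 network element. Correspondingly, the SMF-2 network element receives the create session management context request from the AMF network element.
For example, the AMF network element triggers the SMF-2 network element to create a session management context for the terminal device by invoking the create session management context request service (for example, Nsmf_PDUSession_CreateSMContext Request). For example, the message that the AMF network element sends to the SMF-2 network element through this service includes the terminal device's SUPI, the S-NSSAI, DNN-2, and the second PDU session identifier ID-2.
Optionally, the SMF-2 network element may determine to perform steps S918 to S921 from the fact that the information sent by the AMF network element does not include the first authentication result.
The method further includes steps S916a to S921. For S916a to S921, refer to the description of steps S715a to S720 in FIG. 7; details are not repeated here.
Therefore, according to the method of this embodiment of the present invention, during establishment of the first session, the SMF-1 network element sends first information to the NRF network element, where the first information includes the authentication result of the first network slice. When the first session is released, the NRF network element deletes the first information. As a result, storage space in the NRF network element can be saved after the first session is released. Further, during establishment of the second session, the information that the SMF-2 network element receives from the AMF network element does not include the authentication result of the first network slice, where the information that the AMF network element receives from the NRF network element does not include the authentication result of the first network slice. The SMF-2 network element performs authentication of the first network slice and sends second information including a second authentication result to the NRF network element. When a PDU session is subsequently established, an SMF network element other than the SMF-2 network element can obtain the second authentication result and determine, based on the second authentication result, whether to perform the authentication procedure for the first network slice. This avoids repeated authentication of the first network slice when the second authentication result is authentication success, thereby reducing signaling exchange.
Note that, in FIG. 9, if step S913 occurs after the first session is released, the terminal device has initiated only one session. Therefore, the second PDU session identifier ID-2 and the first PDU session identifier ID-1 may be the same or different. If DNN-2 of the second PDU session is the same as DNN-1 of the first PDU session, the SMF-2 network element that the AMF network element selects for the second session may be the same as the SMF-1 network element of the first session; if DNN-2 of the second PDU session differs from DNN-1 of the first PDU session, the SMF-2 network element that the AMF network element selects for the second session may differ from the SMF-1 network element of the first session. This solution places no restriction on whether the SMF-2 network element corresponding to the second session and the SMF-1 network element corresponding to the first session are the same or different.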
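FIG. 10 is a flowchart of yet another authentication method according to an embodiment of this application. The flowchart in FIG. 10 describes the scenario in which the first network element in step S301 of FIG. 3 is an NRF network element: the first SMF network element receives, from the NRF network element, the authentication result of the network slice in which the second SMF network element is located, and determines, based on the authentication result, whether to perform the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.
FIG. 10 differs from FIG. 8 as follows: in FIG. 8, the NRF network element sends the first authentication result to the AMF network element when returning to the AMF the information about the SMF network element that serves the second session. That is, in FIG. 8 the NRF network element proactively sends the first authentication result to the AMF network element in step S811b, and the AMF network element then proactively sends the first authentication result to the SMF-2 network element in step S812. In FIG. 10, however, the NRF network element need not send the first authentication result to the AMF network element when returning to the AMF the information about the SMF network element that serves the second session; instead, when the SMF-2 network element actively queries the NRF network element for the first authentication result, the NRF network element returns the first authentication result to the SMF-2 network element in a query response message.
In the method shown in FIG. 10, steps S1001 to S1010 describe the procedure in which the terminal device initiates the first session; during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3). Steps S1011 to S1022 describe the procedure in which the terminal device initiates the second session; during establishment of the second session, the SMF-2 network element (the first SMF network element in FIG. 3) receives the authentication result of the first network slice from the NRF network element and determines, based on the authentication result, whether to perform the authentication procedure for the first network slice.
Note that, in the scenario described in FIG. 10, the first session is the first session that the terminal device initiates after accessing the first network slice, and the second session is a session initiated by the terminal device that is not the first one.
FIG. 10 may be described with reference to FIG. 8 and FIG. 9. The method shown in FIG. 10 may include:
For steps S1001 to S1006, refer to the description of steps S801 to S806 in FIG. 8; details are not repeated here.
The method shown in FIG. 10 further includes:
S1007a. The SMF-1 network element sends a first query request to the NRF network element. Correspondingly, the NRF network element receives the first query request from the SMF-1 network element.
For example, the first query request is used to ask the NRF network element whether the NRF network element stores an authentication result for the first network slice.
For example, the SMF-1 network element sends the first query request to the NRF network element by invoking a data discovery service (for example, Nnrf_DataDiscovery). For example, the first query request includes the terminal device's SUPI.
S1007b. The NRF network element sends a first query response to the SMF-1 network element. Correspondingly, the SMF-1 network element receives the first query response from the NRF network element.
For example, because the first session is the first session that the terminal device initiates after accessing the first network slice, the NRF network element does not store an authentication result for the first network slice. The first query response therefore does not include an authentication result of the first network slice. The SMF-1 network element determines, according to the first query response, to perform steps S1008 to S1010.
For steps S1008 to S1010, refer to the description of steps S807 to S809 in FIG. 8; details are not repeated here.
Through steps S1001 to S1010 above, during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3). In addition, if the first authentication result in step S1009 is authentication success, the SMF-1 network element continues the first session establishment procedure; if the first authentication result in step S1009 is authentication failure, establishment of the first session fails.
With reference to the description of steps S1009 to S1010, a session management function network element (for example, the SMF-1 network element) receives, from an authentication network element (for example, the authentication network element), the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the session management function network element is located; the session management function network element sends first information (for example, the first information in step S1010) to the first network element (for example, the NRF network element), where the first information includes the authentication result. For example, the authentication result is authentication success. Alternatively, the authentication result is authentication failure. Alternatively, when the first authentication result is authentication success, the session management function network element sends the first information to the first network element; when the first authentication result is authentication failure, the session management function network element need not send the first information to the first network element. Optionally, the first information further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
With reference to the description of steps S1007a to S1007b, before the session management function network element (for example, the SMF-1 network element) receives the authentication result (for example, the first authentication result) from the authentication network element (for example, the authentication network element), the method further includes: the session management function network element sends a query request (for example, the first query request) to the first network element (for example, the NRF network element), and the session management function network element receives a query response (for example, the first query response) from the first network element, where the query response indicates that the first network element does not include an authentication result of the network slice (for example, the first network slice).
After step S1010, steps S1011 to S1022 describe the procedure in which the terminal device, while the first PDU session is in the active state, initiates establishment of a second PDU session; that is, the first PDU session still exists.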
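For steps S1011 to S1016, refer to the description of steps S913 and S918 in FIG. 9; details are not repeated here.
S1017a. The SMF-2 network element sends a second query request to the NRF network element. Correspondingly, the NRF network element receives the second query request from the SMF-2 network element.
For example, the second query request is used to ask the NRF network element whether the NRF network element stores an authentication result for the first network slice.
For example, the SMF-2 network element sends the second query request to the NRF network element by invoking a data discovery service (for example, Nnrf_DataDiscovery). For example, the second query request includes the terminal device's SUPI.
S1017b. The NRF network element sends a second query response to the SMF-2 network element. Correspondingly, the SMF-2 network element receives the second query response from the NRF network element.
For example, in response to the second query request of step S1017a, the NRF network element sends the second query response to the SMF-2 network element.
According to the description of step S1010 above, if in step S1010 the SMF-1 network element sends to the NRF network element first information indicating authentication success or authentication failure, then, because the NRF network element has received the first authentication result from the SMF-1 network element, the NRF network element also sends the first authentication result, success or failure, to the SMF-2 network element. The first authentication result is used by the SMF-2 network element in subsequent step S1018 to determine whether to perform the authentication procedure for the first network slice. That is, because the SMF-2 network element has received the first authentication result, it determines that subsequent step S1018 needs to be performed. Alternatively, the first authentication result that the NRF network element sends to the SMF-2 network element may be indication information that indicates authentication success or authentication failure.
Alternatively, if in step S1010 the SMF-1 network element sends the first information to the NRF network element when the first authentication result is authentication success, then, when the first authentication result is authentication success, the NRF network element also sends to the SMF-2 network element a first authentication result indicating authentication success. Alternatively, the first authentication result that the NRF network element sends to the SMF-2 network element may be indication information that indicates authentication success. If the SMF-2 network element does not receive an authentication result from the NRF network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication procedure for the network slice.
For steps S1018 to S1022, refer to the description of steps S815 to S819 in FIG. 8; details are not repeated here.
With reference to the description of FIG. 10, the present invention discloses an authentication method as follows: a first network element (for example, an NRF network element) receives first information (for example, the first information in step S1010) from a first session management function network element (for example, an SMF-1 network element), where the first information includes an authentication result (for example, a first authentication result) of the network slice (for example, a first network slice) in which the first session management function network element is located. The first network element sends the authentication result to a second session management function network element (for example, an SMF-2 network element), where the second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks. Optionally, the authentication result in this method is authentication success. Optionally, the first information in this method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
Therefore, according to the method of this embodiment of the present invention, during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the NRF network element (the first network element in FIG. 3). During establishment of the second session, the SMF-2 network element (the first SMF network element in FIG. 3) obtains the authentication result of the first network slice from the NRF network element through a query request and determines, based on the authentication result, whether to perform the authentication procedure for the first network slice. Because the SMF-1 network element and the SMF-2 network element are both located in the first network slice, the SMF-2 network element can obtain the authentication result of the first network slice. When the authentication result is authentication success, the SMF-2 network element determines to forgo the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.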
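FIG. 11 is a flowchart of yet another authentication method according to an embodiment of this application. With reference to the description of FIG. 10, the method described in FIG. 11 is applicable to the following scenario: before step S1017b in FIG. 10 is performed, the first session is released, and the authentication result obtained by the NRF network element in step S1010 is also deleted. Therefore, when the NRF network element performs step S1017b, it cannot send the first authentication result to the SMF-2 network element. FIG. 11 is described with reference to FIG. 9 and FIG. 10. The method shown in FIG. 11 may include:
For steps S1101 to S1110, refer to the description of steps S1001 to S1010 in FIG. 10; details are not repeated here.
For steps S1111 to S1113, refer to the description of steps S910 to S912 in FIG. 9; details are not repeated here.
Through steps S1110 to S1113 above, the first network element (for example, the NRF network element) receives first information (for example, the first information in step S1110) from a session management function network element (for example, the SMF-1 network element), where the first information includes an authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the session management function network element is located; the first network element receives a deletion request (for example, the deletion request in step S1112), where the deletion request instructs the first network element to delete the authentication result. Optionally, the authentication result in this method is authentication success. Optionally, the first information in this method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
Steps S1114 to S1123 describe the procedure in which the terminal device initiates establishment of a second PDU session after the first PDU session is released.
For steps S1114 to S1119, refer to the description of steps S913 to S918 in FIG. 9; details are not repeated here.
For step S1120a, refer to the description of step S1017a in FIG. 10; details are not repeated here.
The method further includes step S1120b. Note that step S1120b occurs after step S1113.
S1120b. The NRF network element sends a second query response to the SMF-2 network element. Correspondingly, the SMF-2 network element receives the second query response from the NRF network element.
For example, the SMF-2 network element may determine to perform steps S1121 to S1123 from the fact that the information sent by the NRF network element does not include the first authentication result.
Optionally, the method further includes steps S1121 to S1123. For S1121 to S1123, refer to the description of steps S919 to S921 in FIG. 9; details are not repeated here.
Therefore, according to the method of this embodiment of the present invention, during establishment of the first session, the SMF-1 network element sends first information to the NRF network element, where the first information includes the authentication result of the first network slice. When the first session is released, the NRF network element deletes the first information. As a result, storage space in the NRF network element can be saved after the first session is released. Further, during establishment of the second session, the SMF-2 network element sends a query request to the NRF network element, and the information it receives from the NRF network element does not include the authentication result of the first network slice. The SMF-2 network element performs authentication of the first network slice and sends second information including a second authentication result to the NRF network element. When a PDU session is subsequently established, an SMF network element other than the SMF-2 network element can obtain the second authentication result and determine, based on the second authentication result, whether to perform the authentication procedure for the first network slice. This avoids repeated authentication of the first network slice when the second authentication result is authentication success, thereby reducing signaling exchange.
Note that, in FIG. 11, if step S1114 occurs after the first session is released, the terminal device has initiated only one session. Therefore, the second PDU session identifier ID-2 and the first PDU session identifier ID-1 may be the same or different. If DNN-2 of the second PDU session is the same as DNN-1 of the first PDU session, the SMF-2 network element that the AMF network element selects for the second session may be the same as the SMF-1 network element of the first session; if DNN-2 of the second PDU session differs from DNN-1 of the first PDU session, the SMF-2 network element that the AMF network element selects for the second session may differ from the SMF-1 network element of the first session. This solution places no restriction on whether the SMF-2 network element corresponding to the second session and the SMF-1 network element corresponding to the first session are the same or different.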
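FIG. 12 is a flowchart of yet another authentication method according to an embodiment of this application. The flowchart in FIG. 12 describes the scenario in which the first network element in step S301 of FIG. 3 is a UDSF network element: the first SMF network element receives, from the UDSF network element, the authentication result of the network slice in which the second SMF network element is located, and determines, based on the authentication result, whether to perform the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.
In the method shown in FIG. 12, steps S1201 to S1212 describe the procedure in which the terminal device initiates the first session; during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDSF network element (the first network element in FIG. 3). Steps S1213 to S1222 describe the procedure in which the terminal device initiates the second session; during establishment of the second session, the SMF-2 network element (the first SMF network element in FIG. 3) receives the authentication result of the first network slice from the UDSF network element and determines, based on the authentication result, whether to perform the authentication procedure for the first network slice.
Note that, in the scenario described in FIG. 12, the first session is the first session that the terminal device initiates after accessing the first network slice, and the second session is a session initiated by the terminal device that is not the first one.
FIG. 12 may be described with reference to FIG. 10. The method shown in FIG. 12 may include:
For steps S1201 to S1206, refer to the description of steps S1001 to S1006 in FIG. 10; details are not repeated here.
The method shown in FIG. 12 further includes:
S1207a. The SMF-1 network element sends a third query request to the UDSF network element. Correspondingly, the UDSF network element receives the third query request from the SMF-1 network element.
For example, the third query request is used to ask the UDSF network element whether the UDSF network element stores an authentication result for the first network slice.
For example, the SMF-1 network element sends the third query request to the UDSF network element by invoking a data management request service (for example, Nudsf_UnstructuredDataManagement_Query). For example, the third query request includes the terminal device's SUPI.
S1207b. The UDSF network element sends a third query response to the SMF-1 network element. Correspondingly, the SMF-1 network element receives the third query response from the UDSF network element.
For example, because the first session is the first session that the terminal device initiates after accessing the first network slice, the UDSF network element does not store an authentication result for the first network slice. The third query response therefore does not include an authentication result of the first network slice. The SMF-1 network element determines, according to the third query response, to perform steps S1208 to S1210.
For steps S1208 and S1209, refer to the description of steps S1008 and S1009 in FIG. 10; details are not repeated here.
S1210. The SMF-1 network element sends first information to the UDSF network element. Correspondingly, the UDSF network element receives the first information from the SMF-1 network element.
In a possible implementation, the first information includes the first authentication result from step S1208. That is, when the first authentication result is authentication success, the SMF-1 network element sends to the UDSF network element first information indicating authentication success. When the first authentication result is authentication failure, the SMF-1 network element sends to the UDSF network element first information indicating authentication failure.
In another possible implementation, when the first authentication result is authentication success, the SMF-1 network element sends the first information to the UDSF network element. The first information may be used to indicate that authentication of the first network slice succeeded. Optionally, when the first authentication result is authentication failure, the SMF-1 network element need not send the first information to the UDSF network element.
Optionally, the first information further includes at least one of an identifier of the first network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
Optionally, the UDSF network element stores the first information.
Through steps S1201 to S1210 above, during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDSF network element (the first network element in FIG. 3). In addition, if the first authentication result in step S1209 is authentication success, the SMF-1 network element continues the first session establishment procedure; if the first authentication result in step S1209 is authentication failure, establishment of the first session fails.
With reference to the description of steps S1209 to S1210, a session management function network element (for example, the SMF-1 network element) receives, from an authentication network element (for example, the authentication network element), the authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the session management function network element is located; the session management function network element sends first information (for example, the first information in step S1212) to the first network element (for example, the UDSF network element), where the first information includes the authentication result. For example, the authentication result is authentication success. Alternatively, the authentication result is authentication failure. Alternatively, when the first authentication result is authentication success, the session management function network element sends the first information to the first network element; when the first authentication result is authentication failure, the session management function network element need not send the first information to the first network element. Optionally, the first information further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
With reference to the description of steps S1207a to S1207b, before the session management function network element (for example, the SMF-1 network element) receives the authentication result (for example, the first authentication result) from the authentication network element (for example, the authentication network element), the method further includes: the session management function network element sends a query request (for example, the third query request) to the first network element (for example, the UDSF network element), and the session management function network element receives a query response (for example, the third query response) from the first network element, where the query response indicates that the first network element does not include an authentication result of the network slice (for example, the first network slice).
After step S1210, steps S1211 to S1222 describe the procedure in which the terminal device, while the first PDU session is in the active state, initiates establishment of a second PDU session; that is, the first PDU session still exists.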
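For steps S1211 to S1216, refer to the description of steps S1011 and S1016 in FIG. 10; details are not repeated here.
S1217a. The SMF-2 network element sends a fourth query request to the UDSF network element. Correspondingly, the UDSF network element receives the fourth query request from the SMF-2 network element.
For example, the fourth query request is used to ask the UDSF network element whether the UDSF network element stores an authentication result for the first network slice.
For example, the SMF-2 network element sends the fourth query request to the UDSF network element by invoking a data management request service (for example, Nudsf_UnstructuredDataManagement_Query). For example, the fourth query request includes the terminal device's SUPI.
S1217b. The UDSF network element sends a fourth query response to the SMF-2 network element. Correspondingly, the SMF-2 network element receives the fourth query response from the UDSF network element.
For example, in response to the fourth query request of step S1217a, the UDSF network element sends to the SMF-2 network element, in the fourth query response, the first authentication result that the UDSF network element obtained in step S1210.
According to the description of step S1210 above, if in step S1210 the SMF-1 network element sends to the UDSF network element first information indicating authentication success or authentication failure, then, because the UDSF network element has received the first authentication result from the SMF-1 network element, the UDSF network element also sends the first authentication result, success or failure, to the SMF-2 network element. The first authentication result is used by the SMF-2 network element in subsequent step S1218 to determine whether to perform the authentication procedure for the first network slice. That is, because the SMF-2 network element has received the first authentication result, it determines that subsequent step S1218 needs to be performed. Alternatively, the first authentication result that the UDSF network element sends to the SMF-2 network element may be indication information that indicates authentication success or authentication failure.
Alternatively, if in step S1210 the SMF-1 network element sends the first information to the UDSF network element when the first authentication result is authentication success, then, when the first authentication result is authentication success, the UDSF network element also sends to the SMF-2 network element a first authentication result indicating authentication success. Alternatively, the first authentication result that the UDSF network element sends to the SMF-2 network element may be indication information that indicates authentication success. If the SMF-2 network element does not receive an authentication result from the UDSF network element, the SMF-2 network element determines that the previous authentication of the network slice failed, or that the network slice authentication performed by the SMF-2 network element is the first authentication procedure for the network slice.
For steps S1218 to S1222, refer to the description of steps S1018 to S1022 in FIG. 10; details are not repeated here.
With reference to the description of FIG. 12, the present invention discloses an authentication method as follows: a first network element (for example, a UDSF network element) receives first information (for example, the first information in step S1210) from a first session management function network element (for example, an SMF-1 network element), where the first information includes an authentication result (for example, a first authentication result) of the network slice (for example, a first network slice) in which the first session management function network element is located. The first network element sends the authentication result to a second session management function network element (for example, an SMF-2 network element), where the second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks. Optionally, the authentication result in this method is authentication success. Optionally, the first information in this method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
Therefore, according to the method of this embodiment of the present invention, during establishment of the first session, the SMF-1 network element (the second SMF network element in FIG. 3) sends the authentication result of the first network slice (the network slice in FIG. 3) to the UDSF network element (the first network element in FIG. 3). During establishment of the second session, the SMF-2 network element (the first SMF network element in FIG. 3) obtains the authentication result of the first network slice from the UDSF network element through a query request and determines, based on the authentication result, whether to perform the authentication procedure for the first network slice. Because the SMF-1 network element and the SMF-2 network element are both located in the first network slice, the SMF-2 network element can obtain the authentication result of the first network slice. When the authentication result is authentication success, the SMF-2 network element determines to forgo the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.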
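FIG. 13 is a flowchart of yet another authentication method according to an embodiment of this application. With reference to the description of FIG. 12, the method described in FIG. 13 is applicable to the following scenario: before step S1217b in FIG. 12 is performed, the first session is released, and the authentication result obtained by the UDSF network element in step S1210 is also deleted. Therefore, when the UDSF network element performs step S1217b, it cannot send the first authentication result to the SMF-2 network element. FIG. 13 is described with reference to FIG. 12. The method shown in FIG. 13 may include:
For steps S1301 to S1310, refer to the description of steps S1201 to S1210 in FIG. 12; details are not repeated here.
S1311. The SMF-1 network element determines to release the first session.
For example, the release procedure of the first session may be triggered by the terminal device or by the network.
Step S1311 is optional.
S1312. The SMF-1 network element sends a deletion request to the UDSF network element.
For example, the SMF-1 network element sends the deletion request to the UDSF network element by invoking a deletion service (for example, Nudsf_UnstructuredDataManagement_Delete). For example, the message that the SMF-1 network element sends to the UDSF network element through the deletion service includes the terminal device's SUPI and the S-NSSAI of the first network slice.
S1312. The UDSF network element deletes the first information.
For example, the UDSF network element deletes the first information according to the deletion request received in step S1312.
Through steps S1312 to S1313 above, the first network element (for example, the UDSF network element) receives first information (for example, the first information in step S1310) from a session management function network element (for example, the SMF-1 network element), where the first information includes an authentication result (for example, the first authentication result) of the network slice (for example, the first network slice) in which the session management function network element is located; the first network element receives a deletion request (for example, the deletion request in step S1312), where the deletion request instructs the first network element to delete the authentication result. Optionally, the authentication result in this method is authentication success. Optionally, the first information in this method further includes at least one of an identifier of the network slice (for example, S-NSSAI) or an identifier of the terminal device (for example, SUPI).
Steps S1314 to S1319 describe the procedure in which the terminal device initiates establishment of a second PDU session after the first PDU session is released.
For steps S1314 to S1320a, refer to the description of steps S1211 to S1217a in FIG. 12; details are not repeated here.
The method further includes step S1320b. Note that step S1320b occurs after step S1313.
S1320b. The UDSF network element sends a fourth query response to the SMF-2 network element. Correspondingly, the SMF-2 network element receives the fourth query response from the UDSF network element.
For example, the SMF-2 network element may determine to perform steps S1321 to S1323 from the fact that the information sent by the UDSF network element does not include the first authentication result.
Optionally, the method further includes steps S1321 to S1323. For S1321 to S1323, refer to the description of steps S1220 to S1222 in FIG. 12; details are not repeated here.
Therefore, according to the method of this embodiment of the present invention, during establishment of the first session, the SMF-1 network element sends first information to the UDSF network element, where the first information includes the authentication result of the first network slice. When the first session is released, the UDSF network element deletes the first information. As a result, storage space in the UDSF network element can be saved after the first session is released. Further, during establishment of the second session, the SMF-2 network element sends a query request to the UDSF network element, and the information it receives from the UDSF network element does not include the authentication result of the first network slice. The SMF-2 network element performs authentication of the first network slice and sends second information including a second authentication result to the UDSF network element. When a PDU session is subsequently established, an SMF network element other than the SMF-2 network element can obtain the second authentication result and determine, based on the second authentication result, whether to perform the authentication procedure for the first network slice. This avoids repeated authentication of the first network slice when the second authentication result is authentication success, thereby reducing signaling exchange.
Note that, in FIG. 13, if step S1314 occurs after the first session is released, the terminal device has initiated only one session. Therefore, the second PDU session identifier ID-2 and the first PDU session identifier ID-1 may be the same or different. If DNN-2 of the second PDU session is the same as DNN-1 of the first PDU session, the SMF-2 network element that the AMF network element selects for the second session may be the same as the SMF-1 network element of the first session; if DNN-2 of the second PDU session differs from DNN-1 of the first PDU session, the SMF-2 network element that the AMF network element selects for the second session may differ from the SMF-1 network element of the first session. This solution places no restriction on whether the SMF-2 network element corresponding to the second session and the SMF-1 network element corresponding to the first session are the same or different.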
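In the embodiments provided in this application above, the solutions of the communication method provided in the embodiments are described from the perspective of each network element itself and from the perspective of interaction between network elements. It can be understood that, to implement the above functions, each network element and device, for example the radio access network device, the access and mobility management function network element, the terminal device, the data management function network element, and the network slice selection function network element described above, includes corresponding hardware structures and/or software modules for performing each function. A person skilled in the art should readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, this application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such implementation should not be considered beyond the scope of this application.
For example, the above network elements implement the corresponding functions through software modules. The authentication apparatus may include a receiving module 1401, a processing module 1402, and a sending module 1403, as shown in FIG. 14A.
In one embodiment, the authentication apparatus may be configured to perform the operations of the SMF-2 network element in FIG. 4 to FIG. 13 above. For example:
The receiving module 1401 is configured to receive, from a first network element, the authentication result of the network slice in which a second session management function network element is located, where the first session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks. The processing module 1402 is configured to determine, based on the authentication result, whether to perform the authentication procedure for the network slice.
Thus, in this embodiment of the present invention, the first SMF network element can obtain the authentication result of the network slice in which the second SMF network element is located. Because the first SMF network element and the second SMF network element are located in the same network slice, the first SMF network element can determine, based on the authentication result, whether to perform the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.
Optionally, the authentication result is authentication success, and the processing module 1402 is configured to determine to forgo the authentication procedure for the network slice.
Optionally, the first network element is a network repository function network element or an unstructured data storage network element, and the sending module 1403 is configured to send a query request to the first network element, where the query request is used to obtain the authentication result.
In addition, the receiving module 1401 and the processing module 1402 in the authentication apparatus may also implement other operations or functions of the SMF-2 network element in FIG. 4 to FIG. 13; details are not repeated here.
In another embodiment, the authentication apparatus shown in FIG. 14A may also be configured to perform the operations of the SMF-1 network element or the SMF-2 network element in FIG. 4 to FIG. 13 above. For example:
The receiving module 1401 is configured to receive, from an authentication network element, the authentication result of the network slice in which the session management function network element is located. The sending module 1403 is configured to send first information to a first network element, where the first information includes the authentication result.
Thus, in this embodiment of the present invention, the second SMF network element can send the authentication result of the network slice in which it is located to the first network element. When the second session is established, the first SMF network element that serves the second session can obtain the authentication result of the network slice. Because the first SMF network element and the second SMF network element are located in the same network slice, the first SMF network element can determine, based on the authentication result, whether to perform the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.
Optionally, the authentication result is authentication success.
Optionally, the first information further includes at least one of an identifier of the network slice or an identifier of the terminal device.
Optionally, the first network element is a network repository function network element or an unstructured data storage network element, and the sending module 1403 is further configured to send a query request to the first network element. The receiving module 1401 is further configured to receive a query response from the first network element, where the query response indicates that the first network element does not include an authentication result of the network slice.
In addition, the receiving module 1401 and the processing module 1402 in the authentication apparatus may also implement other operations or functions of the SMF-1 network element or the SMF-2 network element in FIG. 4 to FIG. 13; details are not repeated here.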
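In another embodiment, the authentication apparatus shown in FIG. 14A may also be configured to perform the operations of the UDM network element in FIG. 4 and FIG. 5, the AMF network element in FIG. 6 and FIG. 7, the NRF network element in FIG. 8 to FIG. 11, or the UDSF network element in FIG. 12 and FIG. 13 above. For example:
The receiving module 1401 is configured to receive first information from a first session management function network element, where the first information includes the authentication result of the network slice in which the first session management function network element is located. The sending module 1403 is configured to send the authentication result to a second session management function network element, where the second session management function network element is located in the network slice, and the first session management function network element and the second session management function network element support different data networks.
Thus, in this embodiment of the present invention, the second SMF network element can obtain the authentication result of the network slice in which the first SMF network element is located. Because the first SMF network element and the second SMF network element are located in the same network slice, the second SMF network element can determine, based on the authentication result, whether to perform the authentication procedure for the network slice. This avoids repeated authentication of the network slice when the authentication result is authentication success, thereby reducing signaling exchange.
Optionally, the authentication result is authentication success.
Optionally, the first information further includes at least one of an identifier of the network slice or an identifier of the terminal device.
Optionally, the first network element is a network repository function network element or an unstructured data storage network element, and the receiving module 1401 is further configured to receive a query request from the first session management function network element. The sending module 1403 is further configured to send a query response to the first session management function network element, where the query response indicates that the first network element does not include an authentication result of the network slice.
Optionally, the receiving module 1401 is further configured to receive a deletion request, where the deletion request instructs the first network element to delete the authentication result.
Optionally, the first network element is a user data management function network element, an access and mobility management function network element, a network repository function network element, or an unstructured data storage network element.
In addition, the receiving module 1401 and the processing module 1402 in the authentication apparatus may also implement other operations or functions of the UDM network element in FIG. 4 and FIG. 5, the AMF network element in FIG. 6 and FIG. 7, the NRF network element in FIG. 8 to FIG. 11, or the UDSF network element in FIG. 12 and FIG. 13; details are not repeated here.
In another embodiment, the authentication apparatus shown in FIG. 14A may also be configured to perform the operations of the UDM network element in FIG. 5, the AMF network element in FIG. 7, the NRF network element in FIG. 9 or FIG. 11, or the UDSF network element in FIG. 13 above. For example:
The receiving module 1401 is configured to receive first information from a session management function network element, where the first information includes the authentication result of the network slice in which the session management function network element is located. The receiving module 1401 is further configured to receive a deletion request, where the deletion request instructs the first network element to delete the authentication result.
Thus, in this embodiment of the present invention, the first network element can obtain the authentication result of the network slice in which the SMF network element is located, and can delete the authentication result after receiving the deletion request, thereby saving storage space in the first network element.
Optionally, the authentication result is authentication success.
Optionally, the first information further includes at least one of an identifier of the network slice or an identifier of the terminal device.
Optionally, the first network element is a user data management function network element, an access and mobility management function network element, a network repository function network element, or an unstructured data storage network element.
In addition, the receiving module 1401 and the processing module 1402 in the authentication apparatus may also implement other operations or functions of the UDM network element in FIG. 5, the AMF network element in FIG. 7, the NRF network element in FIG. 9 or FIG. 11, or the UDSF network element in FIG. 13; details are not repeated here.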
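FIG. 14B shows another possible schematic structural diagram of the authentication apparatus involved in the above embodiments. The authentication apparatus includes a transceiver 1404 and a processor 1405, as shown in FIG. 14B. For example, the processor 1405 may be a general-purpose microprocessor, a data processing circuit, an application-specific integrated circuit (ASIC), or a field-programmable gate array (FPGA) circuit. The authentication apparatus may further include a memory 1406; for example, the memory is a random access memory (RAM). The memory is coupled to the processor 1405 and stores the computer program 14061 necessary for the authentication apparatus.
In addition, the authentication apparatus involved in the above embodiments further provides a carrier 1407, which stores a computer program 14071 of the authentication apparatus; the computer program 14071 can be loaded into the processor 1405. The carrier may be an optical signal, an electrical signal, an electromagnetic signal, or a computer-readable storage medium (for example, a hard disk).
When the computer program 14061 or 14071 runs on a computer (for example, the processor 1405), it causes the computer to perform the above methods.
For example, in one embodiment, the processor 1405 is configured for the other operations or functions of the first session management function network element (for example, the SMF-2 network element in FIG. 4 to FIG. 13). The transceiver 1404 is used for communication between the first session management function network element and the AMF network element/UDM network element/authentication network element/NRF network element/UDSF network element.
In another embodiment, the processor 1405 is configured for the other operations or functions of the session management function network element (for example, the SMF-1 network element or the SMF-2 network element in FIG. 4 to FIG. 13). The transceiver 1404 is used for communication between the session management function network element and the AMF network element/UDM network element/authentication network element/NRF network element/UDSF network element.
In another embodiment, the processor 1405 is configured for the other operations or functions of the first network element (for example, the UDM network element in FIG. 4 and FIG. 5, the AMF network element in FIG. 6 and FIG. 7, the NRF network element in FIG. 8 to FIG. 11, or the UDSF network element in FIG. 12 and FIG. 13). The transceiver 1404 is used for communication between the first network element and the SMF-1 network element/SMF-2 network element.
In another embodiment, the processor 1405 is configured for the other operations or functions of the first network element (for example, the UDM network element in FIG. 5, the AMF network element in FIG. 7, the NRF network element in FIG. 9 or FIG. 11, or the UDSF network element in FIG. 13). The transceiver 1404 is used for communication between the first network element and the SMF-1 network element/SMF-2 network element.
The controller/processor used to implement the above authentication apparatus of this application may be a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It can implement or execute the various exemplary logical blocks, modules, and circuits described in connection with the disclosure of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The steps of the methods or algorithms described in connection with the disclosure of this application may be implemented in hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium well known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may be located in an ASIC. In addition, the ASIC may be located in a radio access network device. Of course, the processor and the storage medium may also exist as discrete components in a radio access network device.
The above embodiments may be implemented wholly or partly in software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present invention are generated wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wirelessly (for example, infrared, radio, or microwave). The computer-readable storage medium may be any usable medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
The specific implementations described above further explain the objectives, technical solutions, and beneficial effects of the present invention in detail. It should be understood that the above are merely specific implementations of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, or improvement made on the basis of the technical solutions of the present invention shall fall within the scope of protection of the present invention.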
Claims (27)
- 一种鉴权的方法,其特征在于,包括:第一会话管理功能网元从第一网元接收第二会话管理功能网元所在的网络切片的鉴权结果,所述第一会话管理功能网元位于所述网络切片,所述第一会话管理功能网元与所述第二会话管理功能网元支持不同的数据网络;所述第一会话管理功能网元根据所述鉴权结果判断是否执行所述网络切片的鉴权流程。
- 根据权利要求1所述的方法,其特征在于,所述鉴权结果为鉴权成功,所述第一会话管理功能网元根据所述鉴权结果判断是否执行所述网络切片的鉴权流程,包括:所述第一会话管理功能网元确定放弃所述网络切片的鉴权流程。
- 根据权利要求1或2所述的方法,其特征在于,所述第一网元为网络存储功能网元或非结构化数据存储网元,在所述第一会话管理功能网元从第一网元接收鉴权结果之前,所述方法还包括:所述第一会话管理功能网元向所述第一网元发送查询请求,所述查询请求用于获取所述鉴权结果。
- 一种鉴权的方法,其特征在于,包括:会话管理功能网元从鉴权网元接收所述会话管理功能网元所在的网络切片的鉴权结果;所述会话管理功能网元向第一网元发送第一信息,所述第一信息包括所述鉴权结果。
- 根据权利要求4所述的方法,其特征在于,所述鉴权结果为鉴权成功。
- 根据权利要求4或5所述的方法,其特征在于,所述第一信息还包括所述网络切片的标识或终端设备的标识中的至少一项。
- 根据权利要求4至6任一所述的方法,其特征在于,所述第一网元为网络存储功能网元或非结构化数据存储网元,在所述会话管理功能网元从鉴权网元接收鉴权结果之前,还包括:所述会话管理功能网元向所述第一网元发送查询请求,所述会话管理功能网元从所述第一网元接收查询响应,所述查询响应用于指示所述第一网元中不包括所述网络切片的鉴权结果。
- 一种鉴权的方法,其特征在于,包括:第一网元从第一会话管理功能网元接收第一信息,所述第一信息包括所述第一会话管理功能网元所在的网络切片的鉴权结果;所述第一网元向第二会话管理功能网元向发送所述鉴权结果,所述第二会话管理功能网元位于所述网络切片,所述第一会话管理功能网元与所述第二会话管理功能网元支持不同的数据网络。
- 根据权利要求8所述的方法,其特征在于,所述鉴权结果为鉴权成功。
- 根据权利要求8或9所述的方法,其特征在于,所述第一信息还包括所述网络切片的标识或终端设备的标识中的至少一项。
- 根据权利要求8至10任一所述的方法,其特征在于,所述第一网元为网络存储功能网元或非结构化数据存储网元,在所述第一网元从第一会话管理功能网元接收第一信息之前, 还包括:所述第一网元从所述第一会话管理功能网元接收查询请求,所述第一网元向所述第一会话管理功能网元发送查询响应,所述查询响应用于指示所述第一网元中不包括所述网络切片的鉴权结果。
- 根据权利要求8至11任一所述的方法,其特征在于,还包括:所述第一网元接收删除请求,所述删除请求用于指示所述第一网元删除所述鉴权结果。
- 根据权利要求1、2、4-6、8-10、或12任一所述的方法,其特征在于,所述第一网元为用户数据管理功能网元、接入和移动性管理功能网元、网络存储功能网元或非结构化数据存储网元。
- 一种鉴权的装置,其特征在于,包括:接收模块,用于从第一网元接收第二会话管理功能网元所在的网络切片的鉴权结果,所述第一会话管理功能网元位于所述网络切片,所述第一会话管理功能网元与所述第二会话管理功能网元支持不同的数据网络;处理模块,用于根据所述鉴权结果判断是否执行所述网络切片的鉴权流程。
- 根据权利要求14所述的装置,其特征在于,所述鉴权结果为鉴权成功,所述处理模块用于确定放弃所述网络切片的鉴权流程。
- 根据权利要求14或15所述的装置,其特征在于,所述第一网元为网络存储功能网元或非结构化数据存储网元,所述装置还包括:发送模块,用于向所述第一网元发送查询请求,所述查询请求用于获取所述鉴权结果。
- 一种鉴权的装置,其特征在于,包括:接收模块,用于从鉴权网元接收所述会话管理功能网元所在的网络切片的鉴权结果;发送模块,用于向第一网元发送第一信息,所述第一信息包括所述鉴权结果。
- 根据权利要求17所述的装置,其特征在于,所述鉴权结果为鉴权成功。
- 根据权利要求17或18所述的装置,其特征在于,所述第一信息还包括所述网络切片的标识或终端设备的标识中的至少一项。
- 根据权利要求17至19任一所述的装置,其特征在于,所述第一网元为网络存储功能网元或非结构化数据存储网元,所述发送模块还用于向所述第一网元发送查询请求;所述接收模块还用于从所述第一网元接收查询响应,所述查询响应用于指示所述第一网元中不包括所述网络切片的鉴权结果。
- 一种鉴权的装置,其特征在于,包括:接收模块,用于从第一会话管理功能网元接收第一信息,所述第一信息包括所述第一会话管理功能网元所在的网络切片的鉴权结果;发送模块,用于向第二会话管理功能网元向发送所述鉴权结果,所述第二会话管理功能网元位于所述网络切片,所述第一会话管理功能网元与所述第二会话管理功能网元支持不同的数据网络。
- 根据权利要求21所述的装置,其特征在于,所述鉴权结果为鉴权成功。
- 根据权利要求21或22所述的装置,其特征在于,所述第一信息还包括所述网络切片的标识或终端设备的标识中的至少一项。
- 根据权利要求21至23任一所述的装置,其特征在于,所述第一网元为网络存储功能网元或非结构化数据存储网元,所述接收模块还用于从所述第一会话管理功能网元接收查询请求;所述发送模块还用于向所述第一会话管理功能网元发送查询响应,所述查询响应用于指示所述第一网元中不包括所述网络切片的鉴权结果。
- 根据权利要求21至24任一所述的装置,其特征在于,所述接收模块还用于接收删除请求,所述删除请求用于指示所述第一网元删除所述鉴权结果。
- 根据权利要求14、15、17-19、21-23、或25任一所述的装置,其特征在于,所述第一网元为用户数据管理功能网元、接入和移动性管理功能网元、网络存储功能网元或非结构化数据存储网元。
- 一种计算机可读存储介质,包括指令,当其在计算机上运行时,使得计算机执行如权利要求1至13任意一项所述的方法。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811171638.6 | 2018-10-09 | ||
CN201811171638.6A CN111031538B (zh) | 2018-10-09 | 2018-10-09 | Authentication method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020073802A1 true WO2020073802A1 (zh) | 2020-04-16 |
Family
ID=70164265
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/107706 WO2020073802A1 (zh) | 2019-09-25 | Authentication method and apparatus |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN111031538B (zh) |
WO (1) | WO2020073802A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113015265A (zh) * | 2021-02-24 | 2021-06-22 | 西安广和通无线软件有限公司 | 网络会话自愈方法、装置、系统、计算机设备和存储介质 |
CN114640993A (zh) * | 2020-12-16 | 2022-06-17 | 中国电信股份有限公司 | 网络切片鉴权认证方法、系统和相关设备 |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113573297B (zh) * | 2020-04-10 | 2023-04-07 | 华为技术有限公司 | 一种通信方法及装置 |
CN111638997A (zh) * | 2020-05-28 | 2020-09-08 | 中国联合网络通信集团有限公司 | 数据恢复方法、装置及网络设备 |
CN114095925A (zh) * | 2020-08-07 | 2022-02-25 | 华为技术有限公司 | 一种切片鉴权方法及对应装置 |
CN114173336B (zh) * | 2020-08-21 | 2024-06-11 | 维沃移动通信有限公司 | 鉴权失败的处理方法、装置、终端及网络侧设备 |
CN115226103A (zh) * | 2021-04-21 | 2022-10-21 | 华为技术有限公司 | 一种通信方法及装置 |
CN115843027A (zh) * | 2021-09-19 | 2023-03-24 | 华为技术有限公司 | 通信方法和通信设备 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170332421A1 (en) * | 2016-05-12 | 2017-11-16 | Convida Wireless, Llc | Connecting to Virtualized Mobile Core Networks |
CN108347729A (zh) * | 2017-01-24 | 2018-07-31 | 电信科学技术研究院 | 网络切片内鉴权方法、切片鉴权代理实体及会话管理实体 |
WO2018166329A1 (zh) * | 2017-03-17 | 2018-09-20 | 电信科学技术研究院有限公司 | 会话重建的方法和装置、访问和移动性管理功能实体、会话管理功能实体及终端 |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105792200B (zh) * | 2014-12-26 | 2019-05-10 | 中国移动通信集团公司 | 一种鉴权方法、系统及相关装置 |
CN106549911A (zh) * | 2015-09-17 | 2017-03-29 | 中兴通讯股份有限公司 | 一种终端接入方法及装置 |
CN106550410B (zh) * | 2015-09-17 | 2020-07-07 | 华为技术有限公司 | 一种通信控制方法和控制器、用户设备、相关装置 |
US10142994B2 (en) * | 2016-04-18 | 2018-11-27 | Electronics And Telecommunications Research Institute | Communication method and apparatus using network slicing |
US10362511B2 (en) * | 2016-05-17 | 2019-07-23 | Lg Electronics Inc. | Method and apparatus for determining PDU session identity in wireless communication system |
KR102228471B1 (ko) * | 2017-06-19 | 2021-03-16 | 후아웨이 테크놀러지 컴퍼니 리미티드 | Registration method, session establishment method, terminal and AMF entity |
2018
- 2018-10-09 CN CN201811171638.6A patent/CN111031538B/zh active Active
2019
- 2019-09-25 WO PCT/CN2019/107706 patent/WO2020073802A1/zh active Application Filing
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
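CN114640993A (zh) * | 2020-12-16 | 2022-06-17 | 中国电信股份有限公司 | Network slice authentication method, system and related device |
CN114640993B (zh) * | 2020-12-16 | 2024-03-15 | 中国电信股份有限公司 | Network slice authentication method, system and related device |
CN113015265A (zh) * | 2021-02-24 | 2021-06-22 | 西安广和通无线软件有限公司 | Network session self-healing method, apparatus, system, computer device and storage medium |
CN113015265B (zh) * | 2021-02-24 | 2023-07-18 | 西安广和通无线软件有限公司 | Network session self-healing method, apparatus, system, computer device and storage medium |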
Also Published As
Publication number | Publication date |
---|---|
CN111031538A (zh) | 2020-04-17 |
CN111031538B (zh) | 2021-12-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
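EP3720048B1 (en) | | User policy acquisition |
WO2020073802A1 (zh) | | Authentication method and device |
CN108574969B (zh) | | Connection processing method and apparatus in a multi-access scenario |
US10841302B2 (en) | | Method and apparatus for authenticating UE between heterogeneous networks in wireless communication system |
US11962998B2 (en) | | Method and device for accessing a network |
WO2020073838A1 (zh) | | Network slice access control method and device |
WO2018145654A1 (zh) | | Method and apparatus for implementing multi-access management, and computer storage medium |
WO2020224596A1 (zh) | | Communication method and device |
WO2019174505A1 (zh) | | Network slice-based communication method and device |
WO2019029235A1 (zh) | | Session information management method and device |
JP7287534B2 (ja) | | Method performed in MME device, and MME device |
WO2021136211A1 (zh) | | Method and device for determining authorization result |
EP2936876B1 (en) | | Methods and apparatus for differencitating security configurations in a radio local area network |
WO2021047454A1 (zh) | | Location information acquisition method, location service configuration method, and communication device |
WO2017147772A1 (zh) | | Message transmission method and core network interface device |
US20190313477A1 (en) | | Packet data unit session release method and network entity performing the same |
US20230029714A1 (en) | | Authorization method, policy control function device, and access and mobility management function device |
WO2018137152A1 (zh) | | Short message transmission method, device and system |
US20230087407A1 (en) | | Authentication and authorization method and apparatus |
WO2019037500A1 (zh) | | Method and device for selecting a radio access network device |
WO2023087965A1 (zh) | | Communication method and device |
WO2016112674A1 (zh) | | Method, terminal and system for implementing communication, and computer storage medium |
WO2022170798A1 (zh) | | Method for determining a policy, and communication device |
WO2022148469A1 (zh) | | Security protection method, device and system |
WO2023213209A1 (zh) | | Key management method and communication device |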
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 19871791; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: PCT application non-entry in European phase | Ref document number: 19871791; Country of ref document: EP; Kind code of ref document: A1 |