WO2020147849A1 - A session configuration method and device - Google Patents

A session configuration method and device

Info

Publication number
WO2020147849A1
Authority
WO
WIPO (PCT)
Prior art keywords
session
security
redundant transmission
information
parameter
Prior art date
Application number
PCT/CN2020/072868
Other languages
English (en)
French (fr)
Inventor
吴�荣
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to EP20740939.2A (EP3893468A4)
Publication of WO2020147849A1
Priority to US17/377,425 (US11902325B2)

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/06 Management of faults, events, alarms or notifications
              • H04L 41/0654 Management of faults, events, alarms or notifications using network fault recovery
                • H04L 41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
            • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
            • H04L 63/16 Implementing security features at a particular protocol layer
              • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer
            • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
          • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/14 Session management
              • H04L 67/141 Setup of application sessions
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/03 Protecting confidentiality, e.g. by encryption
            • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
              • H04W 12/041 Key generation or derivation
              • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
                • H04W 12/0431 Key distribution or pre-distribution; Key agreement

Definitions

  • This application relates to the field of communication technology, and in particular to a session configuration method and device.
  • The 3rd Generation Partnership Project (3GPP) defines three major application scenarios for fifth-generation (5G) mobile communication technology: enhanced mobile broadband (eMBB), massive machine type communication (mMTC, also described as massive connections) and ultra-reliable low-latency communication (uRLLC).
  • 5G: fifth generation
  • eMBB: enhanced mobile broadband
  • mMTC: massive machine type communication
  • uRLLC: ultra-reliable low-latency communication
  • uRLLC requires both high reliability and low latency, and it has a wide range of application scenarios.
  • One proposed idea is to duplicate the transmission of one data channel to form a second, identical data channel for redundant transmission: if one of the data channels becomes unreliable or has security problems, the other identical data channel can still guarantee the normal transmission of data.
  • The data channel may be at session granularity, bearer granularity, or quality of service flow (QoS Flow) granularity.
  • This application provides a session configuration method and device, which are used to implement the secure configuration of two sessions for redundant transmission.
  • In a first aspect, an embodiment of the present application provides a session configuration method.
  • The method includes: first, an access network device receives redundant transmission security information of a first session from a session management network element, where the redundant transmission security information indicates the security key and security policy of the first session and of a second session that the terminal device needs to establish, the second session being a redundant session of the first session; then, the access network device sends the redundant transmission security information to the terminal device.
  • Because the access network device sends the redundant transmission security information to the terminal device, the access network device and the terminal device keep the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session) consistent, which ensures that the security configuration of the two sessions for redundant transmission is completed.
  • The access network device may configure security keys and security policies for the first session and the second session according to the redundant transmission security information.
  • In this way, the access network device can conveniently complete the security configuration for the first session and the second session on its own side, such as the configuration of the security key and the configuration of the security policy.
  • The access network device may send the security policies of the first session and the second session to the terminal device.
  • In this way, the terminal device can complete the security configuration for the first session and the second session on its own side, such as the configuration of the security policies.
  • The access network device may also send a first parameter and a second parameter to the terminal device, where the first parameter is used to generate the security key of the first session and the second parameter is used to generate the security key of the second session.
  • In this way, the terminal device can complete the security configuration for the first session and the second session on its own side, such as the configuration of the security keys.
  • The redundant transmission security information indicates either that the security keys and security policies of the first session and the second session are the same, or that the security keys and security policies of the first session and the second session are different.
  • The indication carried by the redundant transmission security information enables the access network device to configure the security keys and security policies of the first session and the second session accordingly.
  • In a second aspect, an embodiment of the present application provides a session configuration method. The method includes: a terminal device sends a session establishment request to a session management network element, the session establishment request requesting the establishment of a first session; the terminal device then receives redundant transmission security information from an access network device, where the redundant transmission security information indicates the security key and security policy of the first session and of a second session, the second session being a redundant session of the first session.
  • Because the terminal device receives the redundant transmission security information from the access network device, the access network device and the terminal device keep the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session) consistent, which ensures that the security configuration of the two sessions for redundant transmission is completed.
  • The terminal device may configure a security key and a security policy for the first session and the second session based on the redundant transmission security information.
  • In this way, the terminal device can conveniently complete the security configuration for the first session and the second session on its own side.
  • When configuring security policies for the first session and the second session based on the redundant transmission security information, the terminal device may first receive the security policies of the first session and the second session from the access network device, and then, based on the redundant transmission security information and the received security policies, configure security policies for the first session and the second session.
  • Because the terminal device receives the security policies of the first session and the second session through the access network device, the terminal device can complete the security configuration for the first session and the second session on its own side, such as the configuration of the security policies.
  • When configuring security keys for the first session and the second session based on the redundant transmission security information, the terminal device may first receive a first parameter and a second parameter from the access network device, where the first parameter is used to generate the security key of the first session and the second parameter is used to generate the security key of the second session; then, based on the redundant transmission security information, the terminal device configures security keys for the first session and the second session according to the first parameter and the second parameter.
  • Because the terminal device receives the first parameter and the second parameter through the access network device, the terminal device can complete the security configuration for the first session and the second session on its own side, such as the configuration of the security keys.
  • The redundant transmission security information indicates either that the security keys and security policies of the first session and the second session are the same, or that the security keys and security policies of the first session and the second session are different.
  • The indication carried by the redundant transmission security information enables the terminal device to configure the security keys and security policies of the first session and the second session accordingly.
  • In a third aspect, an embodiment of the present application provides a session configuration method.
  • The method includes: first, an access network device configures a security key and a security policy for a first session and a second session to be established by a terminal device, where the second session is a redundant session of the first session; then, the access network device sends an indication message to the terminal device, where the indication message indicates the security keys and security policies of the first session and the second session.
  • Because the access network device sends the indication message to the terminal device, the access network device and the terminal device keep the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session) consistent, which ensures that the security configuration of the two sessions for redundant transmission is completed.
  • The access network device may receive redundant transmission security information of the first session from the session management network element, where the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are to be determined by the access network device, or indicates that the security keys and security policies of the first session and the second session are the same or different.
  • After receiving the redundant transmission security information, the access network device may determine the security keys and security policies of the first session and the second session by itself according to the indication carried by the redundant transmission security information; it may also determine the security keys and security policies of the first session and the second session without receiving such an indication, which allows the security keys and security policies of the first session and the second session to be configured more flexibly.
  • When configuring a security key and a security policy for the first session and the second session to be established by the terminal device, the access network device may determine the security keys and security policies of the first session and the second session according to a first rule, where the first rule includes at least one of the following: the load of the access network device, the network deployment strategy, and the resource status of the access network device.
  • In this way, the access network device can flexibly configure security keys and security policies for the first session and the second session, which broadens the range of application.
  • The access network device may send the security policies of the first session and the second session to the terminal device.
  • In this way, the terminal device can conveniently complete the security configuration for the first session and the second session on its own side, such as the configuration of the security policies.
  • The access network device may also send a first parameter and a second parameter to the terminal device, where the first parameter is used to generate the security key of the first session and the second parameter is used to generate the security key of the second session.
  • In this way, the terminal device can conveniently complete the security configuration for the first session and the second session on its own side, such as the configuration of the security keys.
  • The access network device may configure the same security key and security policy for the first session and the second session, in which case the indication message indicates that the security key and security policy of the first session and the second session are the same.
  • In this way, the terminal device can easily configure the same security key and security policy for the first session and the second session according to the indication message.
  • The access network device may configure different security keys and security policies for the first session and the second session, in which case the indication message indicates that the security keys and security policies of the first session and the second session are different.
  • In this way, the terminal device can conveniently configure different security keys and security policies for the first session and the second session according to the indication message.
  • In a fourth aspect, an embodiment of the present application provides a session configuration method. The method includes: a terminal device first sends a session establishment request to a session management network element, the session establishment request requesting the establishment of a first session; the terminal device then receives an indication message from an access network device, where the indication message indicates the security key and security policy of the first session and of a second session, the second session being a redundant session of the first session.
  • Because the terminal device receives the indication message from the access network device, the access network device and the terminal device keep the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session) consistent, which ensures that the security configuration of the two sessions for redundant transmission is completed.
  • The terminal device configures a security key and a security policy for the first session and the second session based on the indication message.
  • In this way, the terminal device can conveniently complete the security configuration for the first session and the second session on its own side.
  • When configuring security policies for the first session and the second session based on the indication message, the terminal device may first receive the security policies of the first session and the second session from the access network device, and then, based on the indication message and the received security policies, configure security policies for the first session and the second session.
  • Because the terminal device receives the security policies of the first session and the second session through the access network device, the terminal device can complete the security configuration for the first session and the second session on its own side, such as the configuration of the security policies.
  • When configuring security keys for the first session and the second session based on the indication message, the terminal device may first receive a first parameter and a second parameter from the access network device, where the first parameter is used to generate the security key of the first session and the second parameter is used to generate the security key of the second session; then, based on the indication message, the terminal device configures security keys for the first session and the second session according to the first parameter and the second parameter.
  • Because the terminal device receives the first parameter and the second parameter through the access network device, the terminal device can complete the security configuration for the first session and the second session on its own side, such as the configuration of the security keys.
  • The indication message indicates either that the security keys and security policies of the first session and the second session are the same, or that the security keys and security policies of the first session and the second session are different.
  • The indication carried by the indication message enables the terminal device to configure the security keys and security policies of the first session and the second session accordingly.
  • In a fifth aspect, an embodiment of the present application provides a session configuration method. The method includes: after receiving a session establishment request from a terminal device, a session management network element determines redundant transmission security information of a first session, where the redundant transmission security information indicates the security key and security policy of the first session and of a second session, the session establishment request requests the establishment of the first session, and the second session is a redundant session of the first session; then, the session management network element sends the redundant transmission security information to an access network device.
  • By sending the redundant transmission security information to the access network device, the session management network element ensures that, under the indication carried by the redundant transmission security information, the access network device and the terminal device keep the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session) consistent, which ensures that the security configuration of the two sessions for redundant transmission is completed.
  • The session management network element may determine the redundant transmission security information of the first session according to first information, where the first information is part or all of the following: the subscription information of the terminal device, a session policy stored locally by the session management network element, and a session policy obtained by the session management network element from a policy control network element.
  • In this way, the redundant transmission security information can be determined flexibly, which broadens the range of application.
  • The session management network element may also obtain the redundant transmission security information through another network element; for example, the session management network element receives the redundant transmission security information from the policy control network element.
  • In this way, too, the redundant transmission security information can be determined flexibly, which broadens the range of application.
  • When sending the redundant transmission security information to the access network device, the session management network element may send the redundant transmission security information to the access network device through the access management network element.
  • In this way, the redundant transmission security information can be delivered to the access network device more conveniently.
  • The redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that the security keys and security policies of the first session and the second session are different, or indicates that the security keys and security policies of the first session and the second session are to be determined by the access network device.
  • The indication carried by the redundant transmission security information enables the access network device and the terminal device to configure the security keys and security policies of the first session and the second session accordingly.
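The flow of the first to fifth aspects above, as an added Python model that is not code from the patent or from its applicant: the session management network element picks the indication from the first information, the access network device configures both sessions (applying a load-only version of the first rule when the decision is left to it) and sends the indication message with the first and second parameters, and the terminal device rebuilds both security contexts from that message and rejects a message whose key material contradicts its own indication. The HMAC-SHA256 key derivation, the policy contents, the 0.8 load threshold, the policy-control > local > subscription precedence, and leaving out the second parameter when both sessions share one key are all assumptions of this model, not statements of the patent.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Indication(Enum):
    """Content of the redundant transmission security information."""
    SAME = "same"            # first and second session share key and policy
    DIFFERENT = "different"  # each session has its own key and policy
    RAN_DECIDES = "ran"      # access network device determines by itself


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: bool
    integrity: bool


@dataclass(frozen=True)
class SessionSecurity:
    key: bytes
    policy: SecurityPolicy


@dataclass(frozen=True)
class IndicationMessage:
    """Indication message from the access network device to the terminal device."""
    indication: Indication             # SAME or DIFFERENT, never RAN_DECIDES
    first_parameter: bytes             # generates the first session key
    second_parameter: Optional[bytes]  # generates the second session key; omitted when SAME (assumed)
    first_policy: SecurityPolicy
    second_policy: SecurityPolicy


# Assumed policy values; the patent does not define what a policy contains.
STRONG = SecurityPolicy(ciphering=True, integrity=True)
CIPHER_ONLY = SecurityPolicy(ciphering=True, integrity=False)


def derive_key(root_key: bytes, parameter: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 of the per-session parameter under a root key both
    ends already share. The patent only says the parameter is used to generate the key."""
    return hmac.new(root_key, parameter, hashlib.sha256).digest()


def smf_determine_indication(subscription: Optional[Indication],
                             local_policy: Optional[Indication],
                             pcf_policy: Optional[Indication]) -> Indication:
    """Fifth aspect: the SMF derives the indication from the 'first information'.
    The precedence policy control > local session policy > subscription is assumed."""
    for source in (pcf_policy, local_policy, subscription):
        if source is not None:
            return source
    return Indication.RAN_DECIDES


def ran_configure(indication: Indication, root_key: bytes, first_parameter: bytes,
                  second_parameter: bytes, load: float):
    """First and third aspects: the access network device configures both sessions and
    builds the indication message. Returns (first_ctx, second_ctx, message)."""
    if indication is Indication.RAN_DECIDES:
        # "First rule" modelled on load only (assumed 0.8 threshold): a busy node
        # reuses one security context for both sessions.
        indication = Indication.SAME if load > 0.8 else Indication.DIFFERENT
    if indication is Indication.SAME:
        ctx = SessionSecurity(derive_key(root_key, first_parameter), STRONG)
        return ctx, ctx, IndicationMessage(indication, first_parameter, None, STRONG, STRONG)
    first = SessionSecurity(derive_key(root_key, first_parameter), STRONG)
    second = SessionSecurity(derive_key(root_key, second_parameter), CIPHER_ONLY)
    return first, second, IndicationMessage(indication, first_parameter, second_parameter,
                                            STRONG, CIPHER_ONLY)


def ue_configure(msg: IndicationMessage, root_key: bytes):
    """Second and fourth aspects: the terminal device rebuilds both contexts from the
    message and rejects a message whose material contradicts its own indication."""
    first_key = derive_key(root_key, msg.first_parameter)
    if msg.indication is Indication.SAME:
        if msg.second_parameter not in (None, msg.first_parameter) or msg.first_policy != msg.second_policy:
            raise ValueError("indication SAME but message carries distinct key material or policies")
        ctx = SessionSecurity(first_key, msg.first_policy)
        return ctx, ctx
    if msg.second_parameter is None:
        raise ValueError("indication DIFFERENT but second parameter missing")
    second_key = derive_key(root_key, msg.second_parameter)
    if second_key == first_key:
        raise ValueError("indication DIFFERENT but both parameters yield the same key")
    return SessionSecurity(first_key, msg.first_policy), SessionSecurity(second_key, msg.second_policy)


def run_flow(indication: Indication, root_key: bytes, first_parameter: bytes,
             second_parameter: bytes, load: float = 0.5) -> bool:
    """End-to-end check: True only when RAN and UE hold identical key and policy for both sessions."""
    ran_first, ran_second, msg = ran_configure(indication, root_key, first_parameter, second_parameter, load)
    ue_first, ue_second = ue_configure(msg, root_key)
    return (ran_first, ran_second) == (ue_first, ue_second)
```

`run_flow(Indication.SAME, b"constructed-root-key", b"param-1", b"param-2")` returns True for each of the three indication values (with `load=0.9` the RAN_DECIDES case collapses to SAME); the consistency guarantee the aspects describe is exactly that this comparison holds on both ends. The check in `ue_configure` is the one a practitioner would want on the terminal side: a message that says DIFFERENT but carries one key, or says SAME but carries two policies, is refused rather than silently configured.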
  • an embodiment of the present application also provides a communication device, which is applied to an access network device, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the first aspect described above.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • The structure of the device includes a receiving unit and a sending unit, and may also include a processing unit. These units can perform the corresponding functions in the method example of the first aspect above; for details, refer to the detailed description in the method example, which is not repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a terminal device, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the second aspect described above.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • The structure of the device includes a receiving unit and a sending unit, and may also include a processing unit. These units can perform the corresponding functions in the method example of the second aspect; for details, refer to the detailed description in the method example, which is not repeated here.
  • an embodiment of the present application also provides a communication device, the communication device is applied to an access network device, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the third aspect.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • The structure of the device includes a processing unit and a sending unit, and may also include a receiving unit. These units can perform the corresponding functions in the method example of the third aspect; for details, refer to the detailed description in the method example, which is not repeated here.
  • an embodiment of the present application also provides a communication device, the communication device is applied to a terminal device, and the beneficial effects can be referred to the description of the fourth aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the fourth aspect.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • The structure of the device includes a receiving unit and a sending unit, and may also include a processing unit. These units can perform the corresponding functions in the method example of the fourth aspect; for details, refer to the detailed description in the method example, which is not repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a session management network element, and the beneficial effects can be referred to the description of the fifth aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the fifth aspect.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • The structure of the device includes a receiving unit, a sending unit, and a processing unit. These units can perform the corresponding functions in the method example of the fifth aspect; for details, refer to the detailed description in the method example, which is not repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to an access network device, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the terminal to perform the corresponding function in the method of the first aspect.
  • the memory is coupled with the processor, and stores the necessary program instructions and data of the terminal.
  • the structure of the communication device further includes a communication interface for communicating with other devices.
  • an embodiment of the present application also provides a communication device, which is applied to a terminal device, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the terminal to perform the corresponding function in the method of the second aspect.
  • the memory is coupled with the processor, and stores the necessary program instructions and data of the terminal.
  • the structure of the communication device further includes a transceiver for communicating with other devices.
  • an embodiment of the present application also provides a communication device, which is applied to an access network device, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the terminal to perform the corresponding function in the method of the third aspect.
  • the memory is coupled with the processor, and stores the necessary program instructions and data of the terminal.
  • the structure of the communication device further includes a communication interface for communicating with other devices.
  • the embodiments of the present application also provide a communication device, the communication device is applied to a terminal device, and the beneficial effects can be referred to the description of the fourth aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the terminal to perform the corresponding functions in the method of the fourth aspect.
  • the memory is coupled with the processor, and stores the necessary program instructions and data of the terminal.
  • the structure of the communication device further includes a transceiver for communicating with other devices.
  • an embodiment of the present application also provides a communication device, which is applied to a session management network element, and the beneficial effects can be referred to the description of the fifth aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the terminal to perform the corresponding functions in the method of the fifth aspect.
  • the memory is coupled with the processor, and stores the necessary program instructions and data of the terminal.
  • the structure of the communication device further includes a communication interface for communicating with other devices.
  • this application also provides a computer-readable storage medium that stores instructions which, when run on a computer, cause the computer to execute the methods described in the above aspects.
  • this application also provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the methods described in the above aspects.
  • the present application also provides a computer chip connected to a memory, and the chip is configured to read and execute a software program stored in the memory, and execute the methods described in the foregoing aspects.
  • Figure 1 is a schematic diagram of a network architecture provided by this application.
  • FIG. 2 is a schematic diagram of a network architecture provided by this application.
  • FIGS. 3A to 3B are schematic diagrams of a network architecture provided by this application.
  • Figure 4 is a schematic diagram of a method for establishing a data channel in a dual link scenario.
  • Figure 5 is a schematic diagram of a network configuration method provided by this application.
  • FIG. 6 is a schematic diagram of a network configuration method provided by this application.
  • FIG. 7 is a schematic diagram of a network configuration method provided by this application.
  • FIG. 8 is a schematic diagram of a network configuration method provided by this application.
  • FIGS. 9 to 15 are schematic diagrams of the structure of a communication device provided by this application.
  • the first session and the second session are the two sessions used for redundant transmission: the first session and the second session carry the same data for redundant transmission and are mutually redundant sessions; the first session and the second session may be PDU sessions or bearers.
  • the security key refers to the key used for data protection in the session, including encryption key and integrity protection key.
  • the encryption key may be a parameter input when the sender encrypts the plaintext according to the encryption algorithm to generate the ciphertext. If symmetric encryption is used, the encryption key and decryption key are the same.
  • the receiving end can decrypt the ciphertext according to the same encryption algorithm and encryption key. In other words, the sending end and the receiving end can encrypt and decrypt based on the same key.
  • the encryption key may be referred to as K_UPenc for short.
  • K_UPenc can be generated by a key generation algorithm such as a KDF based on the intermediate key, specifically as follows:
  • K_UPenc = KDF(K_gNB, other parameters), where the other parameters can be the type of the encryption algorithm, the length of the encryption algorithm type, the identifier of the encryption algorithm, the length of the encryption algorithm identifier, or the parameters mentioned above.
  • the integrity protection key may be a parameter input when the sender performs integrity protection on the plaintext or ciphertext according to the integrity protection algorithm.
  • the receiving end can perform integrity verification on the integrity-protected data according to the same integrity protection algorithm and integrity protection key.
  • the integrity protection key may be referred to as K_UPint for short.
  • the integrity protection key K_UPint can be generated by a key generation algorithm such as a KDF based on the intermediate key, specifically as shown in the following formula:
  • K_UPint = KDF(K_gNB, other parameters), where the other parameters can be the type of the integrity protection algorithm, the length of the integrity protection algorithm type, the identifier of the integrity protection algorithm, the length of the integrity protection algorithm identifier, or the above
  • the intermediate key is the key used to generate the encryption key and the integrity protection key.
  • the intermediate key may include K_AMF and K_gNB, where K_gNB can be divided into K_MgNB and K_SgNB; K_MgNB is the intermediate key used by the MgNB to generate encryption keys and integrity protection keys.
  • K_SgNB is the intermediate key used by the SgNB to generate encryption keys and integrity protection keys.
  • the intermediate key can also be used to derive other keys, such as the key used in uRLLC scenarios.
  • the key derived from the intermediate key can be further derived into the encryption key and the integrity protection key of the redundant sessions (corresponding to the first session and the second session in the embodiments of this application).
  • K_uRLLC is used to denote the key derived from the intermediate key; the embodiments of this application do not limit the number of K_uRLLC keys.
  • K_AMF may be the key obtained by the UE and by the AMF network element, respectively, during the UE registration and authentication process.
  • K_MgNB may be generated by the UE and the AMF network element based on K_AMF; after the AMF network element generates K_MgNB based on K_AMF, it may deliver K_MgNB to the MgNB. K_SgNB may likewise be generated by the UE and the AMF network element based on K_AMF; after the AMF network element generates K_SgNB based on K_AMF, it may deliver K_SgNB to the SgNB; in the case that only the MgNB has an interface with the AMF, K_SgNB can be passed to the SgNB by the MgNB. As another possible way, the UE and the AMF network element only generate K_MgNB, and if the SgNB needs K_SgNB, the MgNB can generate K_SgNB and
  • the security policy can at least be used to indicate whether to activate encryption protection and/or integrity protection.
  • the security policy may indicate the preference for security protection; for example, it may indicate that security protection is required, preferred, or not needed. Based on the security protection preference, it can be determined whether to activate encryption protection and/or integrity protection.
  • each security policy can also indicate other more information, such as strength recommendations of security algorithms, etc.
  • the security policy can be obtained based on SMF local configuration, PCF configuration, DN configuration, operator policy, local policy, third-party configuration, UDM subscription information or policy, network slice selection assistance information (NSSAI), etc.
  • the first parameter includes but is not limited to the identifier (ID) of the first session, slice identifier, NSSAI, random number, character string, algorithm type, algorithm type identifier, algorithm type value, non-access stratum count value (NAS COUNT), next hop (NH), packet data convergence protocol count value (PDCP COUNT), string, etc.
  • the random number includes count, NONCE, Random Number, and so on.
  • the string may be an indication of uRLLC. If the first session in the embodiments of this application is of bearer granularity, the identifier of the first session may be replaced with the bearer ID.
  • the second parameter is a parameter used to generate the security key of the second session, and includes but is not limited to the identifier of the second session, slice ID, NSSAI, random number, string, algorithm type, algorithm type ID, algorithm type value, NAS COUNT, NH, PDCP COUNT, string, etc.
  • the random number includes COUNT, NONCE, random number, etc.; for example, the string may be an indication of uRLLC. If the second session in the embodiments of this application is of bearer granularity, the identifier of the second session can be replaced with the identifier of the bearer.
  • the load of the base station is, for example, the maximum number of users that the base station can accept, or the bandwidth occupancy rate of the users accessing the base station in a certain period of time.
  • network deployment strategies are, for example, the capacity deployment of base stations; capacity has an impact on the load or resource status of base stations.
  • the resource status of the base station is used to characterize the current resource allocation status or usage status of the base station, such as the resource occupancy rate of the base station's memory, etc.
  • the network architecture is 4G network architecture.
  • the network elements in the 4G architecture include terminal equipment.
  • the terminal equipment is a user equipment (UE) as an example.
  • the network architecture also includes a mobility management entity (MME), a serving GPRS support node (SGSN), an HSS, a serving gateway (S-GW), a packet data network gateway (PDN gateway, P-GW), a policy and charging rules function (PCRF) entity, an evolved universal terrestrial radio access network (E-UTRAN), etc.
  • the UEs involved in the embodiments of this application all refer to devices including a mobile equipment (ME) and a security module, where the security module may be a universal integrated circuit card (UICC) or a secure storage unit integrated in the ME, and the UICC includes a universal subscriber identity module (USIM).
  • E-UTRAN is composed of multiple evolved base stations (evolved nodeB, eNodeB).
  • the eNodeBs are interconnected through the X2 interface.
  • the eNodeB and the evolved packet core (EPC) interact through the S1 interface, and the eNodeB and the UE are interconnected through the long term evolution (LTE)-Uu interface.
  • the main functions of the MME (mobility management entity) include tracking area (TA) list management, P-GW and S-GW selection, MME selection during cross-MME handover, 2G/3G SGSN selection when entering the system, user authentication, roaming control and bearer management, and mobility management between core network nodes of different access networks of the 3rd Generation Partnership Project (3GPP).
  • the S-GW is a gateway that terminates the E-UTRAN interface. Its main functions include: during handover between base stations, it serves as a local anchor point and assists in completing the reordering function between base stations; during handover between different 3GPP access systems, it serves as a mobility anchor point; it performs the lawful interception function; it routes and forwards data packets; it performs packet marking at the uplink and downlink transport layers; and it is used for charging between operators.
  • the P-GW is a gateway facing the PDN and terminating the SGi interface. If the UE accesses multiple PDNs, the UE will correspond to one or more P-GWs.
  • the main functions of the P-GW include user-based packet filtering, lawful interception, Internet protocol (IP) address allocation for the UE, transport-level packet marking in the uplink, uplink and downlink service-level charging and service-level threshold control, and service-based uplink and downlink rate control.
  • HSS is a database used to store user subscription information, and the home network can contain one or more HSSs.
  • HSS is responsible for storing user-related information, such as user identification, number and routing information, security information, location information, profile information, etc.
  • the SGSN can be used for signaling interaction when moving between 2G/3G and the E-UTRAN 3GPP access network, including the selection of the P-GW and S-GW, and also for MME selection for users handing over to the E-UTRAN 3GPP access network.
  • the PCRF entity terminates at the Rx interface and the Gx interface.
  • the network architecture is a 5G network architecture.
  • the network elements in the 5G architecture include terminal equipment.
  • the terminal equipment is the UE as an example.
  • the network architecture also includes a radio access network (RAN), an access and mobility management function (AMF) network element, a session management function (SMF) network element, a user plane function (UPF) network element, a unified data management (UDM) network element, a policy control function (PCF) network element, an application function (AF) network element, a data network (DN), etc.
  • the main function of the RAN is to control users to wirelessly access the mobile communication network.
  • the RAN is the part of a mobile communication system that implements a radio access technology; conceptually, it resides between a device (such as a mobile phone, a computer, or any remotely controlled machine) and the core network, and provides the connection to the core network.
  • the RAN may include a base station.
  • the RAN may be a gNB, a node B (NB), an evolved Node B (eNB), a radio network controller (RNC), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a Home eNB or Home Node B), a baseband unit (BBU), an access point (AP), a WiMAX base station (wireless interoperability for microwave access BS), a relay node, etc.
  • the AMF network element is responsible for terminal access management and mobility management. In practical applications, it includes the mobility management function in the MME in the LTE network framework, and adds the access management function.
  • the SMF network element is responsible for session management, such as user session establishment and modification.
  • the UPF network element is the functional network element of the user plane, and is mainly responsible for connecting to external networks. It includes functions related to the LTE serving gateway (SGW) and the public data network gateway (PDN-GW).
  • the DN is the network responsible for providing services for the terminal. For example, some DNs provide the terminal with Internet access, and other DNs provide the terminal with short message functions.
  • the UDM network element can store the user's subscription information to implement a backend similar to the HSS in 4G.
  • the UDM described in this embodiment of the application stores the session context of the UE.
  • the AF network element may be a third-party application function entity or device, or an operator's own device or entity, and the AF network element may provide services for multiple application servers.
  • the terminal device in this application, also called user equipment (UE), is a device with a wireless transceiver function, which can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; it can also be deployed on water (such as on ships); it can also be deployed in the air (such as on airplanes, balloons and satellites).
  • the terminal device may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiving function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, etc.
  • a terminal device is a UE.
  • the network architecture includes two gNBs, represented by a primary base station (MgNB) and a secondary base station (SgNB); corresponding to the MgNB and the SgNB, it also includes two UPF network elements, represented by UPF1 and UPF2, respectively.
  • the network architecture also includes an AMF network element, an SMF network element, a UPF network element, a UDM network element, and a DN.
  • two data channels from the UE to the DN can be established through the two gNBs and the two UPF network elements: one is UE-MgNB-UPF1-DN and the other is UE-SgNB-UPF2-DN, where a data channel can be of session granularity.
  • the network architecture shown in FIG. 3A may also include PCF network elements, AF network elements, and the like.
  • a terminal device is a UE.
  • the network architecture includes two gNBs, denoted by MgNB and SgNB, respectively.
  • the network architecture also includes UPF network elements, AMF network elements, SMF, UPF network elements, UDM network elements, and DN.
  • two data channels from the UE to the DN can be established through the two gNBs: one is UE-MgNB-UPF-DN and the other is UE-SgNB-UPF-DN.
  • a UE connected to two gNBs is the common network architecture in the dual link scenario; the network architectures shown in FIGS. 3A to 3B take gNBs as the RAN only as an example. The embodiments of this application are not limited to gNBs: the RAN may also be other types of equipment, such as an eNB or ng-eNB, and may also be equipment that implements the same function in a 4G network architecture.
  • the establishment process of the data channels is as follows; as shown in Figure 4, the method includes:
  • Step 401 The UE initiates a session establishment procedure, the UE establishes the first session and the second session with the MgNB, and the first session and the second session are redundant sessions with each other.
  • Step 402 The MgNB sends a secondary base station addition/modification request (SgNB addition/modification request) to the SgNB. The request carries information about the second session, including but not limited to the identifier identifying the second session, slice information corresponding to the second session, QoS flow information corresponding to the session, the user plane security policy obtained from the SMF, the UE security capabilities, and other information.
  • Step 403 After the SgNB receives the secondary base station addition/modification request, the SgNB allocates corresponding resources for the second session, and may select for the second session the highest-priority encryption algorithm and integrity protection algorithm from its own list that are also within the security capabilities of the UE.
  • Step 404 The SgNB sends a secondary base station addition/modification acknowledgement message (SgNB addition/modification acknowledgement) to the MgNB; the acknowledgement message is used to indicate that the SgNB has allocated corresponding resources for the second session.
  • the secondary base station addition/modification confirmation message may also indicate the encryption and integrity protection algorithm of the second session, and optionally, may also include the resource identifier of the resource allocated for the second session.
  • two data channels can be established between the UE and the DN, for example by establishing two protocol data unit (PDU) sessions, two bearers, or two QoS flows.
  • how to configure the two data channels, in particular the security keys and security policies used on them, has not yet been addressed by a specific scheme.
  • an embodiment of the present application provides a session configuration method.
  • after the access network device receives the redundant transmission security information of the first session from the session management network element, it can send the redundant transmission security information to the terminal device, so that the access network device and the terminal device can each generate the security key and security policy according to the indication of the redundant transmission security information, thereby configuring the two sessions used for redundant transmission.
  • a session configuration method provided by an embodiment of this application, as shown in Figure 5, includes:
  • Step 501 The UE sends a session establishment request to an SMF network element, where the session establishment request is used to request establishment of the first session.
  • the UE sends the session establishment request to the AMF network element through the base station, and after selecting the corresponding SMF network element, the AMF network element may forward the session establishment request to that SMF network element.
  • Step 502 After receiving the session establishment request, the SMF network element determines the redundant transmission security information of the first session; the redundant transmission security information is used to indicate the security key and security policy of the first session and the second session, where the second session is a redundant session of the first session.
  • the session establishment request sent by the UE carries indication information indicating that the first session is used for redundant transmission.
  • the SMF network element determines that the first session is used for redundant transmission according to the indication information.
  • the session establishment request sent by the UE may also not include the indication information that the first session is used for redundant transmission.
  • in that case, after receiving the session establishment request, the SMF network element determines that the first session is a redundant transmission session according to one or more of slice information such as NSSAI, DN information, and UE subscription information in the UDM network element, and generates indication information indicating that the first session is a redundant transmission session; the indication information may be stored locally in the SMF network element as information of the first session.
  • the indication information can be a redundant transmission/session indication, and may also carry the identifier of the second session; it should be understood that the redundant transmission/session indication may also be 0, indicating that the first session does not need redundancy, etc.
  • the specific indication value is not limited, as long as the function expressed is the same; for example, the indication information may indicate that the first session is used to support uRLLC services, or that the session type of the first session is uRLLC.
  • the foregoing indication methods are only examples, and the embodiments of the present application are not limited thereto.
  • the redundant transmission security information is used to indicate the security key and security policy of the first session and the second session; for example, the redundant transmission security information may indicate that the security key and security policy of the first session and the second session are the same, or may indicate that they are different. The redundant transmission security information may also indicate that the security key and security policy of the first session and the second session are determined by the base station; for this manner, refer to the embodiment shown in FIG. 7.
  • when determining the redundant transmission security information, the SMF network element may use the UE's subscription information, operator configuration, local configuration, third-party service policy information, DN information, and/or slice-related information such as NSSAI; three of these manners are listed below:
  • the SMF network element determines the redundant transmission safety information according to the subscription information of the UE.
  • the subscription information of the UE may include the redundant transmission safety information.
  • the SMF network element may obtain the subscription information of the UE from the UDM network element, and then determine the redundant transmission safety information according to the obtained subscription information of the UE.
  • the SMF network element determines the redundant transmission security information according to the current network status, and the network status is used to characterize the network load, security capability, and other status.
  • when the first session needs to be used for redundant transmission, a second session must be used as the redundant session of the first session, which occupies certain network resources and affects the network load.
  • if the current network state is suitable for redundant transmission, the SMF network element can determine that the first session can be used for redundant transmission. If the current network security level is low, then in order to ensure the security of data transmission, the security keys and security policies of the first session and the second session can be set to be different, so that data isolation is achieved. If the current network security level is relatively high, the security keys and security policies of the first session and the second session can be set to be the same, which still ensures the security of data transmission and saves resources.
  • if the current network state is not suitable for redundant transmission, for example the current network load is high and few network resources are available, the SMF network element may establish the first session for the UE according to the existing procedure.
  • the SMF network element determines the redundant transmission safety information through other network elements.
  • the SMF network element may interact with the AF network element, and determine the redundant transmission safety information according to an instruction of the AF network element.
  • the AF network element is an application server of a specific slice.
  • the slice needs to provide high security: even for redundantly transmitted data, the security isolation of the two sessions needs to be ensured. Setting the security keys and security policies of the two sessions to be different can then meet the security requirements in this situation.
  • since the redundant transmission security information indicates the security key and security policy of the first session and the second session, the SMF network element also needs to determine the redundant session of the first session, that is, the SMF network element needs to determine which session is the second session.
  • the second session may be a session that has been established before the UE initiates the session establishment request, and the SMF network element may determine the second session according to the session establishment request.
  • the session establishment request may carry the identifier of the second session; the SMF network element may also, when the second session is established, record related information of the second session, such as the identifier of the second session and that the second session is used for redundant transmission.
  • after receiving the session establishment request, the SMF network element then determines that the second session is a redundant session of the first session according to the locally recorded information.
  • the second session may be a session established by the UE after the UE initiates the session establishment request.
  • the SMF network element may determine the second session from the session establishment request sent by the UE to request the establishment of the second session.
  • that session establishment request may carry the identifier of the first session, indicating that the second session and the first session are mutually redundant sessions, so that it can be determined that the second session currently being established is a redundant session of the first session; the SMF network element may also, when the first session is established, record related information of the first session, such as its identifier and that the first session is used for redundant transmission.
  • the SMF network element determines that the second session is a redundant session of the first session according to locally recorded information.
  • the SMF network element may perform step 503 after determining the redundant transmission safety information.
  • Step 503 The SMF network element sends the redundant transmission safety information to the base station.
  • the SMF network element may send the redundant transmission safety information to the base station through the AMF network element.
  • Step 504 After the base station receives the redundant transmission security information, the base station sends the redundant transmission security information to the UE.
  • the base station may configure a security key and a security policy for the first session and the second session according to the redundant transmission security information; correspondingly, the UE also needs to configure a security key and a security policy for the first session and the second session according to the redundant transmission security information.
  • Case 1 The redundant transmission security information indicates that the security key and security policy of the first session and the second session are the same.
  • the base station configures the same security key and security policy for the first session and the second session.
  • The base station may query the security key and security policy of the second session and configure the first session with the same security key and security policy as the second session.
  • If the second session is established by the UE after the first session is established, the base station can query the security key and security policy of the first session and configure the second session with the same security key and security policy.
  • When the UE receives the redundant transmission security information, the UE configures the same security key and security policy for the first session and the second session; the operations performed on the UE side are the same as those performed on the base station side. For details, refer to the foregoing content, which is not repeated here.
  • When the two gNBs are the MgNB and the SgNB respectively, the SMF network element can send the redundant transmission security information to one of the gNBs.
  • The following description takes as an example the case where the SMF network element sends the redundant transmission security information to the MgNB, the data channel established through the MgNB is the first session, and the data channel established through the SgNB is the second session.
  • a session configuration method provided by an embodiment of this application includes:
  • Step 601 If the MgNB determines that the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, the MgNB may send the configuration made on the MgNB side for the first session to the SgNB; the security keys of the first session are, for example, K_UPenc and K_UPint, and the MgNB may also send the security policy of the first session configured on the MgNB side to the SgNB.
  • the MgNB may also send an indication message to the SgNB.
  • The indication message may indicate that the first session and the second session are mutually redundant sessions, and may also indicate that the security key and security policy of the first session and the second session are the same.
  • The MgNB may carry the security key of the first session in a secondary base station addition/modification request (SgNB addition/modification request) and send that request to the SgNB; the security policy of the first session may also be carried in the secondary base station addition/modification request.
  • Step 602 After receiving the security policy and security key of the first session, the SgNB may directly configure the security policy and security key of the second session, or may configure them after subsequently receiving a notification message from the MgNB, where the notification message may indicate that the UE has completed the configuration, or may instruct the SgNB to activate the configuration of the second session.
  • The SgNB sends a secondary base station addition/modification acknowledgement message (SgNB addition/modification acknowledgement) to the MgNB. The secondary base station addition/modification acknowledgement message is used to indicate that the SgNB has received the security policy and security key of the first session, and may also indicate that the SgNB can configure the same security policy and security key for the second session as for the first session. If the SgNB has completed the configuration of the security policy and security key of the second session, the secondary base station addition/modification acknowledgement message is also used to indicate that the configuration of the security policy and security key of the second session is complete.
  • Step 603 After receiving the secondary base station addition/modification confirmation message, the MgNB may send the redundant transmission security information to the UE.
  • After receiving the redundant transmission security information, the UE may configure the security keys and security policies of the first session and the second session according to the redundant transmission security information.
  • the redundant transmission security information may be carried in a radio resource control (radio resource control, RRC) message, such as an RRC connection reconfiguration request (RRC connection reconfiguration Request).
  • Step 604 After configuring the security key and security policy of the first session and the second session, the UE sends a confirmation message to the MgNB.
  • the confirmation message may also be sent as an RRC message.
  • the confirmation message may be an RRC connection reconfiguration complete (RRC connection reconfiguration complete) message.
  • Step 605 After the MgNB receives the confirmation message from the UE, the MgNB may send the notification message to the SgNB.
  • Case 2 The redundant transmission security information indicates that the security keys and security policies of the first session and the second session are different.
  • the base station configures different security keys and security policies for the first session and the second session.
  • the base station can use different security key generation methods to generate the security key of the first session and the security key of the second session.
  • The embodiment of the present application does not limit the method of generating the security key.
  • any method that can make the security key of the first session and the security key of the second session different is applicable to the embodiments of the present application.
  • the base station may generate the security key of the first session according to the first parameter, and generate the security key of the second session according to the second parameter.
  • The base station may send the first parameter and the second parameter to the UE, and the UE may configure security keys for the first session and the second session based on the redundant transmission security information and according to the first parameter and the second parameter. Specifically, after receiving the first parameter and the second parameter, the UE generates the security key of the first session according to the first parameter and generates the security key of the second session according to the second parameter.
  • Alternatively, the security key of whichever of the first session and the second session is not yet established is derived from the security key of the session that is already established.
  • For example, the base station may query the security key of the second session when establishing the first session and continue to derive the security key of the first session based on the security key of the second session; when doing so, the first parameter may be introduced, and the security key of the first session is generated according to the security key of the second session and the first parameter.
  • For example, the integrity protection key of the second session is K_UPint and the encryption key of the second session is K_UPenc. K_UPint and K_UPenc may be the integrity protection key and encryption key configured when the existing session was established, or may be the integrity protection key and encryption key generated by the base station in other ways. The base station may derive the integrity protection key and encryption key of the first session based on K_UPint and K_UPenc; for example, the integrity protection key of the first session is K_UPint-session1 = KDF(K_UPint, the first parameter).
  • the base station sends the first parameter to the UE, and the UE generates a security key for the first session in the same manner as the base station.
  • The base station may not need to send some of the parameters to the UE.
  • Alternatively, the base station may query the security key of the first session when establishing the second session and continue to derive the security key of the second session based on the security key of the first session; when doing so, the second parameter may be introduced.
  • the base station sends the second parameter to the UE, and the UE generates a security key for the second session in the same manner as the base station.
  • The base station may not need to send some of the parameters to the UE.
  • Alternatively, different security keys are derived based on an intermediate key, or on a key derived from the intermediate key, and different security keys are configured for the first session and the second session; the intermediate key may include K_AMF, K_MgNB and K_SgNB.
  • For example, the base station may generate multiple sets of different security keys based on K_gNB, and when receiving the redundant transmission security information, the base station may select different security keys from the multiple sets as the security keys of the first session and the second session.
  • For example, K_UPint-session = KDF(K_gNB, the first parameter or the second parameter, etc.).
  • K_gNB may be K_MgNB or K_SgNB; when generating the security key on the MgNB side, K_MgNB may be used, and when generating the security key on the SgNB side, K_SgNB may be used.
  • Alternatively, the AMF network element may generate multiple different K_gNB based on K_AMF and send them to the base station; the base station may generate multiple different security keys based on the different K_gNB, and when receiving the redundant transmission security information, the base station may select security keys from the multiple different security keys as the security keys of the first session and the second session.
  • The AMF network element may also derive a key based on an intermediate key (such as K_AMF) and send the key derived from the intermediate key to the base station, and the base station continues to derive the security key of the session (such as the first session or the second session) from the key derived from the intermediate key.
  • The third parameter is a parameter that is not known by the base station and the UE, and the third parameter includes, but is not limited to, session ID, slice ID, NSSAI, random number, character string, algorithm type, algorithm type identifier, algorithm type value, NAS COUNT, NH, PDCP COUNT, NAS connection identifier, service identifier (service type), etc.
  • If the session in the embodiment of this application is of bearer granularity, the session identifier can be replaced by the bearer identifier.
  • The session identifier, NAS COUNT and slice identifier may differ between sessions, and the random number also differs.
  • When the AMF network element sends the generated KuRLLC to the base station, it can determine which base stations need to subsequently establish sessions for redundant transmission, and send the multiple KuRLLC to the determined base stations respectively.
  • The AMF may also send all KuRLLC to one primary base station; subsequently, when performing the secondary base station addition/modification operation, the KuRLLC are carried in the secondary base station addition/modification request and sent to the corresponding secondary base station, so that each secondary base station can obtain one or more KuRLLC.
  • When the security key of the first session or the second session is further derived from the key derived from the intermediate key, and the UE does not store the key derived from the intermediate key, the base station needs to send the UE the third parameter required to generate the key derived from the intermediate key. The UE then generates the key derived from the intermediate key based on the intermediate key and the third parameter, and derives the security key of the corresponding session (such as the first session or the second session) from that key.
  • When the base station generates the security key of the first session, the first parameter is introduced and needs to be sent to the UE; correspondingly, when the second parameter is introduced in generating the security key of the second session, the second parameter needs to be sent to the UE.
  • The base station and the UE already know the K_gNB used when generating the security key; the first parameter and the second parameter are newly introduced parameters other than K_gNB that the UE and the base station have not been informed of in advance.
  • Other parameters that the UE and the base station have learned in advance may not be sent, such as a session ID.
  • the UE and the base station usually carry the session ID in the message of the session establishment process, and the two parties already have the session ID, so there is no need to send it.
  • If there are interfaces between the AMF network element and both the MgNB and the SgNB, and both maintain corresponding NAS COUNTs for generating security keys, the AMF network element generates a K_gNB for the MgNB based on K_AMF, denoted K_MgNB, and generates a K_gNB for the SgNB based on K_AMF, denoted K_SgNB. The AMF network element then sends K_MgNB to the MgNB and K_SgNB to the SgNB through the corresponding interfaces. The MgNB may generate a security key based on K_MgNB, and the SgNB may generate a security key based on K_SgNB.
  • The MgNB and the SgNB can each generate a security key using their own methods.
  • The MgNB may generate K_MgNB by itself (for example, from K_AMF based on NAS COUNT), or may obtain K_AMF (K_AMF is sent by the AMF network element to the MgNB).
  • The MgNB can send K_AMF to the SgNB, can send K_MgNB to the SgNB, or can send a key derived from K_AMF or K_MgNB (the generated key is denoted K_SgNB) to the SgNB.
  • After the SgNB receives the key sent by the MgNB (such as K_AMF, K_MgNB or K_SgNB), the SgNB can generate the corresponding security key based on the received key.
  • For the generation of the security key by the SgNB, refer to the aforementioned K_UPint and K_UPenc generation methods, which are not repeated here.
  • the fourth parameter includes but is not limited to SgNB ID, SgNB Counter, random number, string length of SgNB Counter, NH, slice ID, NSSAI, string, PDCP COUNT, service type, NAS COUNT, etc.
  • The SgNB ID is an identifier of the SgNB; the embodiment of the application does not limit the specific type of the identifier, and any identifier that can indicate the SgNB is applicable to the embodiment of the application.
  • The SgNB Counter is the number of SgNBs currently connected to the MgNB. One MgNB can offload to multiple SgNBs, and each time the MgNB connects to one more SgNB, the SgNB Counter is increased by 1 accordingly. For the description of random numbers and character strings, see the previous content, which is not repeated here.
  • The MgNB can generate K_SgNB in a specific manner and then generate a security key based on K_SgNB, which ensures that the security keys generated by the MgNB and the SgNB are isolated from each other and further ensures the security of data transmission.
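The derivations described for Case 2 above (K_UPint-session = KDF(K_gNB, parameter), the chained form K_UPint-session1 = KDF(K_UPint, first parameter), and the MgNB deriving an isolated K_SgNB from a fourth parameter such as the SgNB Counter) can be exercised end to end with the following added example. It is not code from the patent or from any network vendor: the KDF is assumed to be HMAC-SHA256 with constructed labels, the sample K_AMF, NAS COUNT and session parameters are constructed, and all function names are the example's own. It also shows which parameters the base station must send so that the UE reproduces the same keys, and that the same-keys case needs no second parameter.

```python
import hashlib
import hmac


# Assumed KDF for this example: HMAC-SHA256 over length-prefixed
# parameters. The patent does not specify the KDF; the labels and
# encodings below are constructed for illustration only.
def kdf(key: bytes, *params: bytes) -> bytes:
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_k_mgnb(k_amf: bytes, nas_count: int) -> bytes:
    """K_AMF -> K_gNB for the MgNB (K_MgNB), bound to the NAS COUNT."""
    return kdf(k_amf, b"K_gNB", nas_count.to_bytes(4, "big"))


def derive_k_sgnb(k_mgnb: bytes, sgnb_counter: int) -> bytes:
    """K_MgNB -> K_SgNB using the fourth parameter (SgNB Counter here)."""
    return kdf(k_mgnb, b"K_SgNB", sgnb_counter.to_bytes(2, "big"))


def derive_session_keys(k_gnb: bytes, session_param: bytes) -> tuple:
    """K_gNB -> (K_UPenc, K_UPint) for one session, bound to that session's
    first or second parameter: K_UPint-session = KDF(K_gNB, parameter)."""
    return (kdf(k_gnb, b"UP-enc", session_param),
            kdf(k_gnb, b"UP-int", session_param))


def derive_from_existing_session(existing: tuple, param: bytes) -> tuple:
    """Chained variant: derive the other session's keys from an already
    established session, e.g. K_UPint-session1 = KDF(K_UPint, first parameter)."""
    k_upenc, k_upint = existing
    return (kdf(k_upenc, b"UP-enc", param), kdf(k_upint, b"UP-int", param))


def base_station_configure(k_amf, nas_count, sgnb_counter, keys_same,
                           first_param, second_param):
    """Base-station side. Returns both sessions' keys and the parameters
    the UE does not already know and therefore must be sent to it."""
    k_mgnb = derive_k_mgnb(k_amf, nas_count)
    session1 = derive_session_keys(k_mgnb, first_param)
    if keys_same:
        # Case 1: the second session reuses the first session's keys.
        return {"session1": session1, "session2": session1,
                "sent_to_ue": {"first_param": first_param}}
    # Case 2: the second session's keys come from the isolated K_SgNB
    # and the newly introduced second parameter.
    k_sgnb = derive_k_sgnb(k_mgnb, sgnb_counter)
    session2 = derive_session_keys(k_sgnb, second_param)
    return {"session1": session1, "session2": session2,
            "sent_to_ue": {"first_param": first_param,
                           "second_param": second_param,
                           "sgnb_counter": sgnb_counter}}


def ue_configure(k_amf, nas_count, keys_same, sent):
    """UE side: K_AMF and NAS COUNT are already shared with the network;
    everything else comes from the base station's message."""
    k_mgnb = derive_k_mgnb(k_amf, nas_count)
    session1 = derive_session_keys(k_mgnb, sent["first_param"])
    if keys_same:
        return {"session1": session1, "session2": session1}
    k_sgnb = derive_k_sgnb(k_mgnb, sent["sgnb_counter"])
    session2 = derive_session_keys(k_sgnb, sent["second_param"])
    return {"session1": session1, "session2": session2}


if __name__ == "__main__":
    k_amf = bytes(range(32))  # constructed sample key, not a real K_AMF
    bs = base_station_configure(k_amf, 7, 1, False, b"session-1", b"session-2")
    ue = ue_configure(k_amf, 7, False, bs["sent_to_ue"])
    for name in ("session1", "session2"):
        print(name, "UE matches gNB:", bs[name] == ue[name],
              "K_UPint:", bs[name][1].hex()[:16], "...")
```

Run it directly to see the UE-side derivation match the base station's for both sessions. The point of the construction is that the two sessions' keys are bound to different parameters and, in the dual-connectivity case, to different intermediate keys (K_MgNB versus K_SgNB), so the user-plane keys of one redundant session reveal nothing about the other's.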
  • the base station configures different security policies for the first session and the second session.
  • The base station may query the security policy of the second session and configure the first session with a security policy different from that of the second session.
  • If the second session is established by the UE after the first session is established, the base station queries the security policy of the first session when establishing the second session and configures the second session with a security policy different from that of the first session.
  • The base station and the UE need to adopt the same security policy, so the base station needs to send the security policy of the first session and the security policy of the second session to the terminal device. The UE receives the security policies of the first session and the second session from the base station and, based on the redundant transmission security information and according to the received security policies, configures the security policies of the first session and the second session.
  • The following description takes as an example the case where the SMF network element sends the redundant transmission security information to the MgNB, the data channel established through the MgNB is the first session, and the data channel established through the SgNB is the second session.
  • If the MgNB determines that the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are different, the MgNB sends the SgNB the second parameter, or the intermediate key used to generate the security key of the second session, such as K_SgNB or K_AMF; the MgNB may also determine the security policy of the second session in advance and send the security policy of the second session to the SgNB.
  • The MgNB may carry the second parameter, or the intermediate key used to generate the security key of the second session, in the secondary base station addition/establishment request and then send that request to the SgNB; the security policy of the second session may also be carried in the secondary base station addition/establishment request.
  • The SgNB may directly configure the security policy and security key of the second session, or may configure them after subsequently receiving a notification message from the MgNB, where the notification message may indicate that the UE has completed the configuration, or may instruct the SgNB to activate the configuration of the second session.
  • The SgNB sends a secondary base station addition/modification acknowledgement message (SgNB addition/modification acknowledgement) to the MgNB. The secondary base station addition/modification acknowledgement message is used to indicate that the SgNB has received the message sent by the MgNB, and may also indicate that the SgNB can configure a security policy and security key for the second session that differ from those of the first session. If the SgNB has completed the configuration of the security policy and security key of the second session, the secondary base station addition/modification acknowledgement message is also used to indicate that the configuration of the security policy and security key of the second session is complete.
  • The MgNB may send the redundant transmission security information to the UE.
  • The UE then configures the security keys and security policies of the first session and the second session according to the redundant transmission security information.
  • The redundant transmission security information may be carried in an RRC message, such as an RRC configuration request. The MgNB also sends the security policy of the first session and the security policy of the second session to the UE. If the first parameter was introduced in generating the security key of the first session, the MgNB also sends the first parameter to the UE; if the second parameter was introduced in generating the security key of the second session, the MgNB also sends the second parameter to the UE. The redundant transmission security information, the security policy of the first session, the security policy of the second session, and the first parameter or the second parameter may be carried in one message and sent to the UE.
  • After configuring the security keys and security policies of the first session and the second session, the UE sends a confirmation message to the MgNB.
  • the confirmation message may also be sent as an RRC message.
  • the confirmation message may be an RRC connection reconfiguration complete message.
  • the MgNB may send the notification message to the SgNB.
  • In the above description, the data channel is of session granularity.
  • The data channel can also be of QoS flow granularity, that is, two QoS flows are established in one session, such as a first QoS flow and a second QoS flow, for redundant transmission. The security key and security policy configuration process for the QoS flows is similar to the session configuration method shown in Figure 5, where the first QoS flow corresponds to the first session and the second QoS flow corresponds to the second session.
  • The SMF network element can determine the redundant QoS flows, that is, the first QoS flow and the second QoS flow, based on the subscription information of the UE and the QoS level strategy in the PCF network element and according to the QoS flows corresponding to the session to be established. The subscription information of the UE may be obtained by the SMF network element from the UDM network element, and the QoS level strategy and other information may be obtained by the SMF network element from the UDM network element or from the PCF network element. The SMF network element sends the redundant transmission security information to the base station, and the redundant transmission security information indicates the security keys and security policies of the first QoS flow and the second QoS flow.
  • That the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are different means that the security policy of the first session is different from that of the second session and the security key of the first session is different from that of the second session.
  • The redundant transmission security information may also indicate that the security policies of the first session and the second session are the same and their security keys are different, or that the security policies of the first session and the second session are different and their security keys are the same.
  • the base station and the UE may perform corresponding operations according to the instructions of the redundant transmission security information.
  • When the redundant transmission security information indicates that the security policies of the first session and the second session are the same and their security keys are different, different security keys and the same security policy are configured for the first session and the second session;
  • when the redundant transmission security information indicates that the security policies of the first session and the second session are different and their security keys are the same, the same security key and different security policies are configured for the first session and the second session.
  • For specific configuration methods please refer to the foregoing content, which will not be repeated here.
  • The following describes the case where the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are determined by the base station, taking the access network device as the base station, the session management network element as the SMF network element, and the terminal device as the UE as an example. Another session configuration method provided in this embodiment of the application includes:
  • Step 701 The UE sends a session establishment request to an SMF network element, where the session establishment request is used to request establishment of the first session. This step is the same as step 501 in the embodiment shown in FIG. 5 and is not repeated here.
  • Step 702 After receiving the session establishment request, the SMF network element determines the redundant transmission security information of the first session, and the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are determined by the base station. This step is similar to step 301 in the embodiment shown in FIG. 5; the difference lies in the content indicated by the redundant transmission security information determined by the SMF network element, which is not repeated here and can be understood with reference to the foregoing content.
  • Step 703 The SMF network element sends the redundant transmission security information to the base station, and the base station receives the redundant transmission security information.
  • Step 704 The base station configures a security key and a security policy for the first session and the second session, and the second session is a redundant session of the first session.
  • The base station can configure security keys and security policies for the first session and the second session according to a first rule.
  • the first rule may include part or all of the following:
  • the load of the base station, the network deployment strategy, and the resource status of the base station.
  • When the current load of the base station is high, the base station may configure the same security key and security policy for the first session and the second session; when the current load of the base station is low, in order to ensure the reliability of data transmission, the base station may configure different security keys and security policies for the first session and the second session.
  • When the resource status of the base station indicates that few resources are currently available, the base station may configure the same security key and security policy for the first session and the second session; when the resource status indicates that the base station currently has more resources available, in order to ensure the reliability of data transmission, the base station may configure different security keys and security policies for the first session and the second session.
  • When the network deployment strategy requires reliable data transmission, the base station may configure different security keys and security policies for the first session and the second session; when the deployment strategy has no such reliability requirement, the base station may configure the same security key and security policy for the first session and the second session.
  • Step 705 The base station sends an indication message to the UE, where the indication message is used to indicate the security key and security policy of the first session and the second session.
  • After configuring the security keys and security policies for the first session and the second session, the base station needs to inform the UE whether the security keys and security policies configured for the first session and the second session are the same.
  • the relationship between the security keys and security policies of the first session and the second session determined by the base station may have the following four situations:
  • The security keys and security policies of the first session and the second session are the same; correspondingly, the indication message is used to indicate that the security keys and security policies of the first session and the second session are the same.
  • The security keys and security policies of the first session and the second session are different; correspondingly, the indication message is used to indicate that the security keys and security policies of the first session and the second session are different.
  • The security keys of the first session and the second session are different, and the security policies of the first session and the second session are the same; correspondingly, the indication message is used to indicate that the security keys of the first session and the second session are different and the security policies of the first session and the second session are the same.
  • The security keys of the first session and the second session are the same, and the security policies of the first session and the second session are different; correspondingly, the indication message is used to indicate that the security keys of the first session and the second session are the same and the security policies of the first session and the second session are different.
  • For the method by which the base station and the UE configure the security keys and security policies of the first session and the second session, refer to the embodiment shown in FIG. 5, which is not repeated here.
  • The base station sends the security policies of the first session and the second session to the UE. After the UE receives the security policies of the first session and the second session, based on the indication message, the UE configures the security policies of the first session and the second session according to the received security policies.
  • The base station may send the UE the first parameter used to generate the security key of the first session and the second parameter used to generate the security key of the second session. After the UE receives the first parameter and the second parameter, based on the indication message, the UE configures security keys for the first session and the second session according to the first parameter and the second parameter, that is, the UE generates the security key of the first session according to the first parameter and the security key of the second session according to the second parameter.
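The four situations that the step 705 indication message can signal, together with the material (second parameter, second-session security policy) the UE needs in each of them, can be handled on the UE side as in this added example, which is not part of the patent text. The policy value set, the message fields and the one-line HMAC-SHA256 KDF are assumptions of the example; K_gNB and the first session's context are taken as already established, and the checks that refuse an indication the base station has not backed with the required material are the example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Protection(Enum):
    """User-plane security policy values; representation assumed for the example."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: Protection
    integrity: Protection


@dataclass(frozen=True)
class SessionSecurity:
    key: bytes
    policy: SecurityPolicy


@dataclass(frozen=True)
class Indication:
    """The indication message of step 705: which of the four situations applies."""
    keys_same: bool
    policies_same: bool


def kdf(key: bytes, param: bytes) -> bytes:
    # Assumed KDF (HMAC-SHA256); the patent leaves the KDF unspecified.
    return hmac.new(key, param, hashlib.sha256).digest()


def ue_configure_second_session(ind: Indication, session1: SessionSecurity,
                                k_gnb: bytes, second_param: bytes = None,
                                session2_policy: SecurityPolicy = None) -> SessionSecurity:
    """Build the second session's security context on the UE from the
    indication message, refusing an indication that is not backed by the
    material the base station was supposed to send alongside it."""
    if ind.keys_same:
        key2 = session1.key                      # situations 1 and 4
    else:
        if second_param is None:
            raise ValueError("keys indicated different, but no second parameter received")
        key2 = kdf(k_gnb, second_param)          # situations 2 and 3
    if ind.policies_same:
        policy2 = session1.policy                # situations 1 and 3
    else:
        if session2_policy is None:
            raise ValueError("policies indicated different, but no second-session policy received")
        if session2_policy == session1.policy:
            raise ValueError("policies indicated different, but received policies are identical")
        policy2 = session2_policy                # situations 2 and 4
    return SessionSecurity(key2, policy2)
```

The second session never silently inherits the first session's context when the indication says it must differ; a missing second parameter or policy is treated as a malformed configuration rather than defaulted, which is the behaviour a practitioner would want when two redundant paths are meant to be cryptographically independent.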
  • After the base station receives the redundant transmission security information, instead of configuring the security keys and security policies of the first session and the second session according to the redundant transmission security information, the base station may determine the security keys and security policies of the first session and the second session by itself, for example according to the first rule.
  • The following takes as an example the case where the SMF network element sends the redundant transmission security information to the MgNB, the data channel established through the MgNB is the first session, and the data channel established through the SgNB is the second session.
  • The following describes separately the cases where, after receiving the redundant transmission security information, the MgNB determines that the security keys and security policies of the first session and the second session are the same or different:
  • the MgNB may send a first indication message to the SgNB. The first indication message may indicate that the first session and the second session are mutually redundant sessions, and may also indicate that the security keys and security policies of the first session and the second session are the same. The MgNB may also send the security key and the security policy of the first session to the SgNB.
  • the MgNB may carry the first indication message, the security key of the first session, or the security policy of the first session in a secondary base station addition/modification request and send that request to the SgNB.
  • the SgNB may determine the security policy and security key of the second session according to the first indication message, and may either configure them directly or configure them after receiving a notification message from the MgNB. The notification message may indicate that the UE has completed its configuration, and may also instruct the SgNB to activate the configuration of the second session.
  • the SgNB then sends a secondary base station addition/modification confirmation message to the MgNB, and the MgNB sends the redundant transmission security information to the UE. The subsequent operations of the UE, the MgNB, and the SgNB may refer to the description of the case in which the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, and are not repeated here.
  • here, determining the security policy and security key of a session means deciding, on the basis of some information (such as the first indication message, or the security policy and security key of another session), which security policy and security key will subsequently be configured for the session, without the configuration having been completed yet. Configuring the security policy and security key of a session means activating the configuration of the second session, that is, completing the configuration operation, for example activating the encryption and/or integrity protection indicated in the security policy, or deactivating the encryption and/or integrity protection indicated in the security policy.
  • the SgNB may also not follow the first indication message, and instead decide, on the basis of its current load, the network deployment strategy, or its resource status, whether the same security key and security policy can be configured for the second session. If it decides that they can, the configuration proceeds as described above. If it decides to configure a security key and security policy for the second session that differ from those of the first session, then, for the case in which the security keys differ, the SgNB may continue to derive the security key of the second session from the security key of the first session.
  • alternatively, the SgNB may send a request message to the MgNB requesting the second parameter, obtain the second parameter from the MgNB, and generate the security key of the second session from it; the second parameter may also have been sent by the MgNB in advance.
  • for the case in which the security policy of the second session differs from that of the first session, the SgNB may configure the security policy of the second session on the basis of the security policy of the first session;
  • the SgNB may also send a second indication message to the MgNB, where the second indication message indicates the security key and security policy of the second session; the second indication message may be the secondary base station addition/modification confirmation message.
  • the subsequent operations of the UE, the MgNB, and the SgNB may refer to the embodiment shown in FIG. 5, specifically the description of the case in which the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are different, which is not repeated here.
  • the description above covers only the two cases in which the SgNB decides that the second session is configured with the same, or with a different, security key and security policy as the first session. The cases of the same security key with different security policies, and of different security keys with the same security policy, are handled in the same way as these two and are not repeated here.
  • the MgNB may send a third indication message to the SgNB. The third indication message may indicate that the first session and the second session are mutually redundant sessions, and may also indicate that the security keys and security policies of the first session and the second session are different.
  • the MgNB may also send to the SgNB the security key of the first session, the security policy of the first session, the second parameter, or an intermediate key used to generate the security key of the second session, such as K_SgNB or K_AMF. The MgNB may also determine the security policy of the second session and send it to the SgNB.
  • the MgNB may carry the third indication message, the security key of the first session, the security policy of the first session, the second parameter, or the intermediate key used to generate the security key of the second session (or a key derived from that intermediate key) in the secondary base station addition/modification request and send that request to the SgNB. The security policy of the second session may also be carried in the secondary base station addition/modification request.
  • after receiving the third indication message together with the security key of the first session, the security policy of the first session, the second parameter, or the intermediate key used to generate the security key of the second session, the SgNB may determine the security key and security policy of the second session. For the security key, the SgNB may continue to derive the security key of the second session from the security key of the first session, or may generate it from the second parameter, from the intermediate key, or from a key derived from the intermediate key. For the security policy, the SgNB may configure the security policy of the second session on the basis of the security policy of the first session; if it received the security policy of the second session from the MgNB, it may use that as the policy subsequently configured for the second session.
  • the SgNB then sends a secondary base station addition/modification confirmation message to the MgNB, and the MgNB sends the redundant transmission security information to the UE. The subsequent operations of the UE, the MgNB, and the SgNB may refer to the embodiment shown in FIG. 5, specifically the description of the case in which the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are different, which is not repeated here.
  • the SgNB may also not follow the third indication message, and instead decide, on the basis of its current load, the network deployment strategy, or its resource status, whether a different security key and security policy can be configured for the second session. If it decides that they can, the configuration proceeds as described above. If it decides to configure the second session with the same security key and security policy as the first session, the SgNB configures them accordingly and sends a secondary base station addition/modification confirmation message to the MgNB, and the MgNB sends the redundant transmission security information to the UE. The subsequent operations of the UE, the MgNB, and the SgNB may refer to the embodiment shown in FIG. 5 and are not repeated here.
  • as before, only the two cases in which the SgNB decides on the same, or on a different, security key and security policy as the first session are described; the cases of the same security key with different security policies, and of different security keys with the same security policy, are handled similarly and are not repeated here.
  • a session configuration method provided by this embodiment of the application includes the following steps:
  • Step 801 The UE sends a session establishment request to the AMF network element, and the session establishment request is used to request the establishment of a first session.
  • the session establishment request may carry indication information indicating that the first session supports the URLLC service, or may omit it.
  • Step 802 After receiving the session establishment request, the AMF network element sends the session establishment request to the SMF network element.
  • Step 803 The SMF network element determines the redundant transmission security information.
  • the SMF network element obtains, from the UDM network element, the subscription information associated with the URLLC service within the subscription information of the UE, and determines the redundant transmission security information according to that subscription information.
  • the redundant transmission security information indicates whether the two sessions used for redundant transmission need to keep the same security key and security policy.
  • a possible implementation is an indication such as "Indication of Security policy for URLLC redundant transmission": the value "1" indicates that the security keys and security policies of the two sessions are the same (this is the default), the value "2" indicates that they are different, and the value "0" indicates that no choice is made by the core network and the RAN-side node determines and applies the configuration itself.
  • Step 804 The SMF network element determines the session policy of the first session through the PCF network element.
  • the SMF network element also needs to determine the first QoS flow and the second QoS flow; these may be determined by the PCF network element or by the UDM network element.
  • a QoS flow may be identified by the fifth-generation mobile communication quality of service identifier (5G QoS identifier, 5QI) or by the QoS flow identifier (QoS flow ID, QFI).
  • Step 805 The SMF network element sends the session policy of the first session to the UPF network element.
  • Step 806 The SMF network element sends the redundant transmission security information to the AMF network element.
  • the redundant transmission security information may also carry the identifier of the first session and the identifier of the second session.
  • the redundant transmission security information may also carry the identifiers of the first QoS flow and the second QoS flow.
  • Step 807 The AMF network element sends the redundant transmission security information to the base station.
  • Step 808 After receiving the redundant transmission security information, the base station sends it to the UE.
  • the base station may also configure security keys and security policies for the first session and the second session according to the redundant transmission security information; correspondingly, after receiving the redundant transmission security information, the UE configures security keys and security policies for the first session and the second session according to it.
  • for how the base station and the UE configure the security keys and security policies of the first session and the second session, refer to the embodiments shown in FIG. 5 and FIG. 6, which are not repeated here.
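The following is an added example written for this page; it is not code from the patent or from Huawei. It models steps 801 to 808 (SMF to AMF to base station to UE) together with the MgNB/SgNB exchange described above, and checks that the RAN and the UE end up holding the same keys and policies for the two redundant sessions whichever way the indication is resolved. Everything not stated in the patent is an assumption here: HMAC-SHA256 as the key derivation function, the "first rule" reduced to a single load threshold, the labels used in derivation, and all message field and function names.

```python
# Added example, not code from the patent or from Huawei. Assumed (not in
# the patent): HMAC-SHA256 as KDF, load threshold as the "first rule", and
# all field/function names.
import hashlib
import hmac

# Indication values given in the description of step 803.
SAME, DIFFERENT, RAN_DECIDES = "1", "2", "0"


def kdf(key: bytes, label: str, param: bytes) -> bytes:
    """Assumed derivation function: HMAC-SHA256(key, label || param)."""
    return hmac.new(key, label.encode() + param, hashlib.sha256).digest()


def smf_determine_info(urllc_subscription: dict, first_id: int, second_id: int) -> dict:
    """Steps 803/806: map URLLC subscription data to the indication and attach
    the identifiers of the two redundant sessions."""
    value = urllc_subscription.get("redundant_security_indication", RAN_DECIDES)
    if value not in (SAME, DIFFERENT, RAN_DECIDES):
        raise ValueError(f"invalid indication {value!r}")
    return {"indication": value, "first_session": first_id, "second_session": second_id}


def apply_first_rule(indication: str, load: float, threshold: float = 0.8) -> str:
    """RAN side: honour '1'/'2' from the core, resolve '0' locally. The modelled
    rule reuses one key and policy when the node is heavily loaded."""
    if indication != RAN_DECIDES:
        return indication
    return SAME if load >= threshold else DIFFERENT


def derive_keys(decision: str, k_gnb: bytes, k_sgnb: bytes, first_param: bytes,
                second_param: bytes, from_first_key: bool = True) -> tuple:
    """Keys of both sessions; for DIFFERENT the second key is either continued
    from the first session key or taken from the intermediate key K_SgNB."""
    key1 = kdf(k_gnb, "first-session", first_param)
    if decision == SAME:
        return key1, key1
    if from_first_key:
        return key1, kdf(key1, "second-session", second_param)
    return key1, kdf(k_sgnb, "second-session", second_param)


def choose_policies(decision: str, policy1: dict, policy2: dict = None) -> tuple:
    """One policy for both sessions when SAME; otherwise the MgNB-supplied
    second policy, falling back to the first session's policy."""
    if decision == SAME:
        return policy1, policy1
    return policy1, (policy2 or policy1)


def mgnb_sn_request(decision: str, key1: bytes, policy1: dict, second_param: bytes,
                    k_sgnb: bytes, policy2: dict = None) -> dict:
    """Secondary base station addition/modification request: 'first' carries the
    same-keys indication, 'third' the different-keys one. The second parameter
    and K_SgNB are sent in advance so the SgNB does not have to request them."""
    return {"indication": "first" if decision == SAME else "third",
            "first_session_key": key1, "first_session_policy": policy1,
            "second_param": second_param, "k_sgnb": k_sgnb,
            "second_session_policy": policy2}


def sgnb_handle(req: dict, override: str = None, from_first_key: bool = True) -> dict:
    """SgNB determines the second session's key and policy (override models
    ignoring the MgNB's indication for load or deployment reasons) and returns
    the addition/modification confirmation, i.e. the 'second indication'."""
    decision = override or (SAME if req["indication"] == "first" else DIFFERENT)
    key1 = req["first_session_key"]
    if decision == SAME:
        key2 = key1
    elif from_first_key:
        key2 = kdf(key1, "second-session", req["second_param"])
    else:
        key2 = kdf(req["k_sgnb"], "second-session", req["second_param"])
    _, policy2 = choose_policies(decision, req["first_session_policy"],
                                 req["second_session_policy"])
    return {"decision": decision, "second_session_key": key2,
            "second_session_policy": policy2}


def run_flow(subscription: dict, k_gnb: bytes, k_sgnb: bytes, first_param: bytes,
             second_param: bytes, policy1: dict, policy2: dict = None,
             mgnb_load: float = 0.5, sgnb_override: str = None,
             from_first_key: bool = True) -> dict:
    """End to end: SMF -> (AMF) -> MgNB -> SgNB -> confirmation -> UE."""
    info = smf_determine_info(subscription, 1, 2)                # steps 803-807
    decision = apply_first_rule(info["indication"], mgnb_load)   # MgNB decides
    key1, _ = derive_keys(decision, k_gnb, k_sgnb, first_param, second_param)
    confirm = sgnb_handle(mgnb_sn_request(decision, key1, policy1, second_param,
                                          k_sgnb, policy2), sgnb_override, from_first_key)
    # Step 808: only after the SgNB confirms does the UE receive the final
    # decision plus both parameters; its derived keys must match the RAN's.
    ue_keys = derive_keys(confirm["decision"], k_gnb, k_sgnb, first_param,
                          second_param, from_first_key)
    ue_policies = choose_policies(confirm["decision"], policy1, policy2)
    ran_keys = (key1, confirm["second_session_key"])
    return {"decision": confirm["decision"], "ue": ue_keys, "ran": ran_keys,
            "policies": ue_policies,
            "consistent": ue_keys == ran_keys
            and ue_policies[1] == confirm["second_session_policy"]}
```

Call `run_flow({"redundant_security_indication": "0"}, b"k_gnb", b"k_sgnb", b"p1", b"p2", {"ciphering": True, "integrity": True}, mgnb_load=0.3)` to see the RAN resolve an undecided indication to different keys; pass `sgnb_override=SAME` to watch the SgNB overrule the MgNB and the UE still end up consistent, because the UE is only configured after the confirmation. The `consistent` field is the property a practitioner would actually test: the UE must learn both the final same/different decision and which derivation path (continue from the first session key, or from K_SgNB) the SgNB used, otherwise the two ends of the redundant session silently hold different keys. In this model that path is a parameter; in a real system it would have to be signalled.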
  • an embodiment of the present application also provides a communication device for executing the method executed by the base station in the embodiment shown in FIGS. 5 and 8.
  • the device includes a receiving unit 901 and a sending unit 902:
  • the receiving unit 901 is configured to receive the redundant transmission security information of the first session from the session management network element, where the redundant transmission security information indicates the security keys and security policies of the first session and the second session to be established by the terminal device, and the second session is a redundant session of the first session;
  • the sending unit 902 is configured to send the redundant transmission security information to the terminal device.
  • the device further includes a processing unit 903. After the receiving unit 901 receives the redundant transmission security information of the first session from the session management network element, the processing unit 903 configures security keys and security policies for the first session and the second session according to the redundant transmission security information.
  • the sending unit 902 may send the security policies of the first session and the second session to the terminal device.
  • the sending unit 902 may send a first parameter and a second parameter to the terminal device, where the first parameter is a parameter used to generate a security key for the first session, The second parameter is a parameter used to generate a security key for the second session.
  • the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that they are different.
  • an embodiment of the present application also provides a communication device for executing the method executed by the terminal device in the embodiment shown in FIGS. 5 and 8.
  • the device includes a sending unit 1001 and a receiving unit 1002:
  • the sending unit 1001 is configured to send a session establishment request to a session management network element, where the session establishment request is used to request establishment of the first session;
  • the receiving unit 1002 is configured to receive the redundant transmission security information from an access network device, where the redundant transmission security information indicates the security keys and security policies of the first session and the second session, and the second session is a redundant session of the first session.
  • the device further includes a processing unit 1003, which may configure security keys and security policies for the first session and the second session according to the redundant transmission security information.
  • the receiving unit 1002 may also receive the security policies of the first session and the second session from the access network device; after that, when configuring security policies for the first session and the second session according to the redundant transmission security information, the processing unit 1003 may do so according to the received security policies of the first session and the second session.
  • the receiving unit 1002 may also receive a first parameter and a second parameter from the access network device, where the first parameter is used to generate the security key of the first session and the second parameter is used to generate the security key of the second session; after that, when configuring security keys for the first session and the second session according to the redundant transmission security information, the processing unit 1003 may do so according to the first parameter and the second parameter.
  • the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that they are different.
  • an embodiment of the application also provides a communication device for executing the method executed by the base station in the embodiment shown in FIGS. 7 and 8.
  • the device includes a processing unit 1101 and a sending unit 1102:
  • the processing unit 1101 is configured to configure a security key and a security policy for a first session and a second session to be established by a terminal device, where the second session is a redundant session of the first session;
  • the sending unit 1102 is configured to send an indication message to the terminal device, where the indication message indicates the security keys and security policies of the first session and the second session.
  • the device further includes a receiving unit 1103. Before the processing unit 1101 configures security keys and security policies for the first session and the second session to be established by the terminal device, the receiving unit 1103 may receive the redundant transmission security information of the first session from the session management network element, where the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are determined by the access network device.
  • when the processing unit 1101 configures security keys and security policies for the first session and the second session to be established by the terminal device, it may do so according to the first rule, where the first rule includes some or all of the following: the load of the access network device, the network deployment strategy, and the resource status of the access network device.
  • the sending unit 1102 may also send the security policies of the first session and the second session to the terminal device.
  • the sending unit 1102 may also send a first parameter and a second parameter to the terminal device, where the first parameter is a parameter used to generate a security key for the first session ,
  • the second parameter is a parameter used to generate a security key for the second session.
  • when the processing unit 1101 configures the same security key and security policy for the first session and the second session, the indication message indicates that the security keys and security policies of the first session and the second session are the same.
  • when the processing unit 1101 configures different security keys and security policies for the first session and the second session, the indication message indicates that the security keys and security policies of the first session and the second session are different.
  • the embodiment of the present application also provides a communication device for executing the method executed by the terminal device in the embodiment shown in FIGS. 7 and 8.
  • the device includes a receiving unit 1201 and a sending unit 1202:
  • the sending unit 1202 is configured to send a session establishment request to a session management network element, where the session establishment request is used to request establishment of the first session;
  • the receiving unit 1201 is configured to receive an indication message from an access network device, where the indication message is used to indicate a security key and a security policy of the first session and the second session, wherein the second session is The redundant session of the first session.
  • the apparatus further includes a processing unit 1203, which may configure security keys and security policies for the first session and the second session according to the indication message.
  • the receiving unit 1201 may first receive the security policies of the first session and the second session from the access network device; after that, when configuring security policies for the first session and the second session according to the indication message, the processing unit 1203 may do so according to the received security policies of the first session and the second session.
  • the receiving unit 1201 may first receive a first parameter and a second parameter from the access network device, where the first parameter is used to generate the security key of the first session and the second parameter is used to generate the security key of the second session; after that, when configuring security keys for the first session and the second session according to the indication message, the processing unit 1203 may do so according to the first parameter and the second parameter.
  • the indication message indicates that the security keys and security policies of the first session and the second session are the same, or indicates that they are different.
  • the embodiment of the application also provides a communication device for executing the method performed by the SMF network element in the embodiment shown in FIGS. 5, 6, 7, and 8.
  • the related features may refer to the foregoing method embodiments and are not repeated here.
  • the device includes a receiving unit 1301, a processing unit 1302, and a sending unit 1303:
  • the receiving unit 1301 is configured to receive a session establishment request from a terminal device, where the session establishment request is used to request establishment of the first session;
  • the processing unit 1302 is configured to determine the redundant transmission security information of the first session after the receiving unit 1301 receives the session establishment request from the terminal device, and the redundant transmission security information is used to indicate the first The security key and security policy of the session and the second session, wherein the second session is a redundant session of the first session;
  • the sending unit 1303 is configured to send the redundant transmission security information to the access network device.
  • the processing unit 1302 may determine the redundant transmission security information according to the first information, and the first information is the following Part or all of: the subscription information of the terminal device, the session policy stored locally by the session management network element, and the session policy obtained by the session management network element from the policy control network element.
  • the processing unit 1302 may also receive the redundant transmission safety information from other network elements, such as the policy control network element.
  • when the sending unit 1303 sends the redundant transmission security information of the first session to the access network device, it may send it to the access network device through the access management network element.
  • the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, indicates that they are different, or indicates that they are determined by the access network device.
  • the division of the units in the embodiments of the present application is schematic, and is only a division of logical functions. In actual implementation, there may be other ways of division.
  • the functional units in the embodiments of the present application may be integrated in one processing unit, may each exist alone physically, or two or more units may be integrated into one module.
  • the above integrated unit may be implemented in the form of hardware or software function module.
  • when the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a terminal device (which may be a personal computer, a mobile phone, a network device, or the like) or a processor to execute all or part of the steps of the methods in the embodiments of the present application.
  • the foregoing storage media include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
  • the access network device and the terminal device may be presented in a form in which the functional modules are divided in an integrated manner.
  • a "module" herein may refer to an application-specific integrated circuit (ASIC), a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the above functions.
  • the access network device and the session management network element may adopt the form shown in FIG. 14.
  • the apparatus 1400 shown in FIG. 14 includes at least one processor 1401, a memory 1402, and optionally, a communication interface 1403.
  • the memory 1402 may be a volatile memory, such as a random access memory; the memory may also be a non-volatile memory, such as a read-only memory, flash memory, hard disk drive (HDD), or solid-state drive (solid-state drive, SSD), or the memory 1402 is any other medium that can be used to carry or store a desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
  • the memory 1402 may be a combination of the above memories.
  • the connection medium between the processor 1401 and the memory 1402 is not limited in this embodiment of the present application.
  • in the figure, the memory 1402 and the processor 1401 are connected by a bus 1404, which is drawn as a thick line; the connections between other components are shown only schematically and are not limited thereto.
  • the bus 1404 may be divided into an address bus, a data bus, and a control bus. For ease of representation, only one thick line is drawn in FIG. 14, but this does not mean that there is only one bus or one type of bus.
  • the processor 1401 may itself have a data transceiving function and be able to communicate with other devices; alternatively, an independent data transceiving module such as the communication interface 1403 may be provided to send and receive data, and the processor 1401 may transmit data through the communication interface 1403 when communicating with other devices.
  • the processor 1401 in FIG. 14 may call the computer-executable instructions stored in the memory 1402 so that the access network device executes the method performed by the base station in any of the foregoing method embodiments.
  • the functions/implementation processes of the transceiving unit and the processing unit in FIG. 9 and FIG. 11 may be implemented by the processor 1401 in FIG. 14 calling the computer-executable instructions stored in the memory 1402.
  • alternatively, the function/implementation process of the processing unit in FIG. 9 and FIG. 11 may be implemented by the processor 1401 in FIG. 14 calling the computer-executable instructions stored in the memory 1402, and the function/implementation process of the transceiving unit in FIG. 9 and FIG. 11 may be implemented through the communication interface 1403 in FIG. 14.
  • the processor 1401 in FIG. 14 may also call the computer-executable instructions stored in the memory 1402 so that the session management network element executes the method performed by the SMF network element in any of the foregoing method embodiments.
  • the functions/implementation processes of the transceiving unit and the processing unit in FIG. 13 can be implemented by the processor 1401 in FIG. 14 calling a computer execution instruction stored in the memory 1402.
  • alternatively, the function/implementation process of the processing unit in FIG. 13 may be implemented by the processor 1401 in FIG. 14 calling the computer-executable instructions stored in the memory 1402, and the function/implementation process of the transceiving unit in FIG. 13 may be implemented through the communication interface 1403.
  • the device provided in the embodiment of the present application can execute the above-mentioned communication method, the technical effects that can be obtained can refer to the above-mentioned method embodiment, and details are not described herein again.
  • the terminal device may adopt the form shown in FIG. 15.
  • the apparatus 1500 shown in FIG. 15 includes at least one processor 1501, a memory 1502, and optionally, a transceiver 1503.
  • the memory 1502 may be a volatile memory, such as random access memory; the memory may also be a non-volatile memory, such as read only memory, flash memory, hard disk drive (HDD) or solid-state drive (solid-state drive, SSD) or the memory 1502 is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 1502 may be a combination of the above-mentioned memories.
  • the connection medium between the processor 1501 and the memory 1502 is not limited in this embodiment of the present application.
  • in the figure, the memory 1502 and the processor 1501 are connected by a bus 1504, which is drawn as a thick line; the connections between other components are shown only schematically and are not limited thereto.
  • the bus 1504 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is drawn in FIG. 15, but this does not mean that there is only one bus or one type of bus.
  • the processor 1501 may itself have a data transceiving function and be able to communicate with other devices; alternatively, an independent data transceiving module such as the transceiver 1503 may be provided to send and receive data, and the processor 1501 may transmit data through the transceiver 1503 when communicating with other devices.
  • the processor 1501 in FIG. 15 may call the computer-executable instructions stored in the memory 1502 so that the terminal device executes the method performed by the UE in any of the foregoing method embodiments.
  • the functions/implementation processes of the transceiving unit and the processing unit in FIG. 10 and FIG. 12 can be implemented by the processor 1501 in FIG. 15 calling a computer execution instruction stored in the memory 1502.
  • the function/implementation process of the processing unit in FIG. 10 and FIG. 12 can be implemented by the processor 1501 in FIG. 15 calling a computer execution instruction stored in the memory 1502, and the function/implementation of the transceiver unit in FIG. 10 and FIG. 12
  • the process can be implemented by the transceiver 1503 in FIG. 15.
  • the device provided in the embodiment of the present application can execute the above-mentioned communication method, the technical effects that can be obtained can refer to the above-mentioned method embodiment, and details are not described herein again.
  • These computer program instructions may also be stored in a computer readable memory that can guide a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer readable memory produce an article of manufacture including an instruction device, the instructions
  • the device implements the functions specified in one block or multiple blocks of the flowchart one flow or multiple flows and/or block diagrams.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operating steps are performed on the computer or other programmable device to generate computer-implemented processing, which is executed on the computer or other programmable device
  • the instructions provide steps for implementing the functions specified in one block or multiple blocks of the flowchart one flow or multiple flows and/or block diagrams.

Abstract

A session configuration method and apparatus. In this application, a terminal device sends a session establishment request to a session management network element to request establishment of a first session; after receiving the session establishment request, the session management network element sends redundant transmission security information to an access network device; after receiving the redundant transmission security information, the access network device sends it to the terminal device, where the redundant transmission security information indicates the security keys and security policies of the first session and a second session that the terminal device needs to establish, and the second session is a redundant session of the first session. Because the access network device can send the redundant transmission security information to the terminal device, the access network device and the terminal device are guaranteed to remain consistent regarding the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session), so that the security configuration of the two sessions used for redundant transmission can be completed.

Description

Session configuration method and apparatus
Cross-reference to related applications
This application claims priority to Chinese patent application No. 201910051183.2, entitled "Session configuration method and apparatus", filed with the China National Intellectual Property Office on January 18, 2019, the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communication technologies, and in particular to a session configuration method and apparatus.
Background
The 3rd generation partnership project (3GPP) has defined three major application scenarios of the fifth-generation (5G) mobile communication technology: enhanced mobile broadband (eMBB), massive machine type communication (mMTC), and ultra-reliable low-latency communication (uRLLC).
uRLLC combines reliability and low latency and has a wide range of application scenarios. To guarantee the reliability of uRLLC, the following idea has been proposed: the transmission on one data channel is duplicated to form another identical data channel that is used for redundant transmission; if transmission on one data channel is unreliable or has a security problem, the other identical data channel can guarantee normal data transmission. Here the data channel may be of session granularity, bearer granularity, or quality of service flow (QoS flow) granularity.
This approach is only at the conception stage; how to configure the two data channels still needs to be solved.
Summary
This application provides a session configuration method and apparatus to implement the security configuration of two sessions used for redundant transmission.
According to a first aspect, an embodiment of this application provides a session configuration method, including: first, an access network device receives redundant transmission security information of a first session from a session management network element, where the redundant transmission security information indicates the security keys and security policies of the first session and a second session that a terminal device needs to establish, and the second session is a redundant session of the first session; then, the access network device sends the redundant transmission security information to the terminal device.
With the above method, the access network device can send the redundant transmission security information to the terminal device, which guarantees that the access network device and the terminal device remain consistent regarding the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session), and thus that the security configuration of the two sessions used for redundant transmission can be completed.
In a possible design, after receiving the redundant transmission security information of the first session from the session management network element, the access network device may configure security keys and security policies for the first session and the second session according to the redundant transmission security information.
With the above method, the access network device can conveniently complete the access-network-side security configuration for the first session and the second session, for example the configuration of security keys and of security policies.
In a possible design, after receiving the redundant transmission security information of the first session from the session management network element, the access network device may send the security policies of the first session and the second session to the terminal device.
With the above method, sending the security policies of the first session and the second session to the terminal device guarantees that the terminal-device side can complete the security configuration for the first session and the second session, such as the configuration of security policies.
In a possible design, after receiving the redundant transmission security information of the first session from the session management network element, the access network device may further send a first parameter and a second parameter to the terminal device, where the first parameter is a parameter used to generate the security key of the first session and the second parameter is a parameter used to generate the security key of the second session.
With the above method, sending the first parameter and the second parameter to the terminal device guarantees that the terminal-device side can complete the security configuration for the first session and the second session, such as the configuration of security keys.
In a possible design, the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that the security keys and security policies of the first session and the second session are different.
With the above method, the indication carried in the redundant transmission security information makes it convenient for the access network device to configure the security keys and security policies of the first session and the second session accordingly.
According to a second aspect, an embodiment of this application provides a session configuration method, including: a terminal device sends a session establishment request to a session management network element, where the session establishment request is used to request establishment of the first session; then, the terminal device may receive the redundant transmission security information from an access network device, where the redundant transmission security information indicates the security keys and security policies of the first session and a second session, and the second session is a redundant session of the first session.
With the above method, the terminal device receives the redundant transmission security information from the access network device, which guarantees that the access network device and the terminal device remain consistent regarding the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session), and thus that the security configuration of the two sessions used for redundant transmission can be completed.
In a possible design, the terminal device may configure security keys and security policies for the first session and the second session based on the redundant transmission security information.
With the above method, the terminal device can conveniently complete the terminal-side security configuration for the first session and the second session.
In a possible design, when the terminal device configures security policies for the first session and the second session based on the redundant transmission security information, the terminal device may first receive the security policies of the first session and the second session from the access network device, and then, based on the redundant transmission security information, configure security policies for the first session and the second session according to the received security policies of the first session and the second session.
With the above method, the terminal device receives the security policies of the first session and the second session from the access network device, which enables the terminal-device side to complete the security configuration for the first session and the second session, such as the configuration of security policies.
In a possible design, when the terminal device configures security keys for the first session and the second session based on the redundant transmission security information, the terminal device may first receive a first parameter and a second parameter from the access network device, where the first parameter is a parameter used to generate the security key of the first session and the second parameter is a parameter used to generate the security key of the second session; then, based on the redundant transmission security information, the terminal device configures security keys for the first session and the second session according to the first parameter and the second parameter.
With the above method, the terminal device receives the first parameter and the second parameter from the access network device, which enables the terminal-device side to complete the security configuration for the first session and the second session, such as the configuration of security keys.
In a possible design, the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that the security keys and security policies of the first session and the second session are different.
With the above method, the indication carried in the redundant transmission security information makes it convenient for the terminal device to configure the security keys and security policies of the first session and the second session accordingly.
According to a third aspect, an embodiment of this application provides a session configuration method, including: first, an access network device configures security keys and security policies for a first session and a second session that a terminal device needs to establish, where the second session is a redundant session of the first session; then, the access network device sends an indication message to the terminal device, where the indication message indicates the security keys and security policies of the first session and the second session.
With the above method, the access network device can send the indication message to the terminal device, which guarantees that the access network device and the terminal device remain consistent regarding the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session), and thus that the security configuration of the two sessions used for redundant transmission can be completed.
In a possible design, before the access network device configures security keys and security policies for the first session and the second session that the terminal device needs to establish, the access network device may receive redundant transmission security information of the first session from a session management network element, where the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are determined by the access network device, or the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same or different.
With the above method, the access network device may, after receiving the redundant transmission security information, determine the security keys and security policies of the first session and the second session itself according to the indication in the redundant transmission security information, or it may determine the security keys and security policies of the first session and the second session itself without receiving the indication in the redundant transmission security information, so the security keys and security policies of the first session and the second session can be configured more flexibly.
In a possible design, when configuring security keys and security policies for the first session and the second session that the terminal device needs to establish, the access network device may determine the security keys and security policies of the first session and the second session according to a first rule, where the first rule includes at least one of the following:
the load of the access network device, the network deployment policy, and the resource state of the access network device.
With the above method, the access network device can flexibly configure security keys and security policies for the first session and the second session, which extends the range of application.
In a possible design, the access network device may send the security policies of the first session and the second session to the terminal device.
With the above method, sending the security policies of the first session and the second session to the terminal device enables the terminal-device side to conveniently complete the security configuration for the first session and the second session, such as the configuration of security policies.
In a possible design, the access network device may further send a first parameter and a second parameter to the terminal device, where the first parameter is a parameter used to generate the security key of the first session and the second parameter is a parameter used to generate the security key of the second session.
With the above method, sending the first parameter and the second parameter to the terminal device enables the terminal-device side to conveniently complete the security configuration for the first session and the second session, such as the configuration of security keys.
In a possible design, the access network device configures the same security keys and security policies for the first session and the second session, and the indication message indicates that the security keys and security policies of the first session and the second session are the same.
With the above method, the indication message conveniently causes the terminal device to configure the same security keys and security policies for the first session and the second session.
In a possible design, the access network device configures different security keys and security policies for the first session and the second session, and the indication message indicates that the security keys and security policies of the first session and the second session are different.
With the above method, the indication message conveniently causes the terminal device to configure different security keys and security policies for the first session and the second session.
According to a fourth aspect, an embodiment of this application provides a session configuration method, including: a terminal device first sends a session establishment request to a session management network element, where the session establishment request is used to request establishment of the first session; then, the terminal device may receive an indication message from an access network device, where the indication message indicates the security keys and security policies of the first session and a second session, and the second session is a redundant session of the first session.
With the above method, the terminal device can receive the indication message from the access network device, which guarantees that the access network device and the terminal device remain consistent regarding the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session), and thus that the security configuration of the two sessions used for redundant transmission can be completed.
In a possible design, the terminal device configures security keys and security policies for the first session and the second session based on the indication message.
With the above method, the terminal device can conveniently complete the terminal-side security configuration for the first session and the second session.
In a possible design, when the terminal device configures security policies for the first session and the second session based on the indication message, the terminal device may first receive the security policies of the first session and the second session from the access network device, and then, based on the indication message, configure security keys and security policies for the first session and the second session according to the security policies of the first session and the second session.
With the above method, the terminal device receives the security policies of the first session and the second session from the access network device, which enables the terminal-device side to complete the security configuration for the first session and the second session, such as the configuration of security policies.
In a possible design, when the terminal device configures security keys for the first session and the second session based on the indication message, the terminal device may first receive a first parameter and a second parameter from the access network device, where the first parameter is a parameter used to generate the security key of the first session and the second parameter is a parameter used to generate the security key of the second session; then, based on the indication message, the terminal device configures security keys for the first session and the second session according to the first parameter and the second parameter.
With the above method, the terminal device receives the first parameter and the second parameter from the access network device, which enables the terminal-device side to complete the security configuration for the first session and the second session, such as the configuration of security keys.
In a possible design, the indication message indicates that the security keys and security policies of the first session and the second session are the same, or indicates that the security keys and security policies of the first session and the second session are different.
With the above method, the indication message makes it convenient for the terminal device to configure the security keys and security policies of the first session and the second session accordingly.
According to a fifth aspect, an embodiment of this application provides a session configuration method, including: after receiving a session establishment request from a terminal device, a session management network element may determine redundant transmission security information of a first session, where the redundant transmission security information indicates the security keys and security policies of the first session and a second session, the session establishment request is used to request establishment of the first session, and the second session is a redundant session of the first session; then, the session management network element sends the redundant transmission security information to an access network device.
With the above method, by sending the redundant transmission security information to the access network device, the session management network element guarantees that the access network device, under the indication of the redundant transmission security information, remains consistent with the terminal device regarding the security keys and security policies of the two sessions used for redundant transmission (the first session and the second session), and thus that the security configuration of the two sessions used for redundant transmission can be completed.
In a possible design, when determining the redundant transmission security information of the first session, the session management network element determines the redundant transmission security information according to first information, where the first information is some or all of the following:
subscription information of the terminal device, a session policy stored locally by the session management network element, and a session policy obtained by the session management network element from a policy control network element.
With the above method, the access network device can flexibly determine the redundant transmission security information, which extends the range of application.
In a possible design, the session management network element may also determine the redundant transmission security information through another network element; for example, the session management network element receives the redundant transmission security information from a policy control network element.
With the above method, the access network device can flexibly determine the redundant transmission security information, which extends the range of application.
In a possible design, when sending the redundant transmission security information to the access network device, the session management network element may send it to the access network device through an access management network element.
With the above method, the access network device can conveniently transmit the redundant transmission security information.
In a possible design, the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that they are different, or indicates that the security keys and security policies of the first session and the second session are determined by the access network device.
With the above method, the indication carried in the redundant transmission security information conveniently causes the access network device and the terminal device to configure different security keys and security policies for the first session and the second session.
According to a sixth aspect, an embodiment of this application further provides a communication apparatus applied to an access network device; for the beneficial effects, refer to the description of the first aspect, which is not repeated here. The apparatus has the function of implementing the behaviour in the method example of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the apparatus includes a receiving unit and a sending unit, and may further include a processing unit; these units can perform the corresponding functions in the method example of the first aspect. For details, refer to the detailed description in the method example, which is not repeated here.
According to a seventh aspect, an embodiment of this application further provides a communication apparatus applied to a terminal device; for the beneficial effects, refer to the description of the second aspect, which is not repeated here. The apparatus has the function of implementing the behaviour in the method example of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the apparatus includes a receiving unit and a sending unit, and may further include a processing unit; these units can perform the corresponding functions in the method example of the second aspect. For details, refer to the detailed description in the method example, which is not repeated here.
According to an eighth aspect, an embodiment of this application further provides a communication apparatus applied to an access network device; for the beneficial effects, refer to the description of the third aspect, which is not repeated here. The apparatus has the function of implementing the behaviour in the method example of the third aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the apparatus includes a processing unit and a sending unit, and may further include a receiving unit; these units can perform the corresponding functions in the method example of the third aspect. For details, refer to the detailed description in the method example, which is not repeated here.
According to a ninth aspect, an embodiment of this application further provides a communication apparatus applied to a terminal device; for the beneficial effects, refer to the description of the fourth aspect, which is not repeated here. The apparatus has the function of implementing the behaviour in the method example of the fourth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the apparatus includes a receiving unit and a sending unit, and may further include a processing unit; these units can perform the corresponding functions in the method example of the fourth aspect. For details, refer to the detailed description in the method example, which is not repeated here.
According to a tenth aspect, an embodiment of this application further provides a communication apparatus applied to a session management network element; for the beneficial effects, refer to the description of the fifth aspect, which is not repeated here. The apparatus has the function of implementing the behaviour in the method example of the fifth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In a possible design, the structure of the apparatus includes a receiving unit, a sending unit and a processing unit; these units can perform the corresponding functions in the method example of the fifth aspect. For details, refer to the detailed description in the method example, which is not repeated here.
According to an eleventh aspect, an embodiment of this application further provides a communication apparatus applied to an access network device; for the beneficial effects, refer to the description of the first aspect, which is not repeated here. The structure of the communication apparatus includes a processor and a memory, where the processor is configured to support the terminal in performing the corresponding functions of the method of the first aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the terminal. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
According to a twelfth aspect, an embodiment of this application further provides a communication apparatus applied to a terminal device; for the beneficial effects, refer to the description of the second aspect, which is not repeated here. The structure of the communication apparatus includes a processor and a memory, where the processor is configured to support the terminal in performing the corresponding functions of the method of the second aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the terminal. The structure of the communication apparatus further includes a transceiver for communicating with other devices.
According to a thirteenth aspect, an embodiment of this application further provides a communication apparatus applied to an access network device; for the beneficial effects, refer to the description of the third aspect, which is not repeated here. The structure of the communication apparatus includes a processor and a memory, where the processor is configured to support the terminal in performing the corresponding functions of the method of the third aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the terminal. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
According to a fourteenth aspect, an embodiment of this application further provides a communication apparatus applied to a terminal device; for the beneficial effects, refer to the description of the fourth aspect, which is not repeated here. The structure of the communication apparatus includes a processor and a memory, where the processor is configured to support the terminal in performing the corresponding functions of the method of the fourth aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the terminal. The structure of the communication apparatus further includes a transceiver for communicating with other devices.
According to a fifteenth aspect, an embodiment of this application further provides a communication apparatus applied to a session management network element; for the beneficial effects, refer to the description of the fifth aspect, which is not repeated here. The structure of the communication apparatus includes a processor and a memory, where the processor is configured to support the terminal in performing the corresponding functions of the method of the fifth aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the terminal. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
According to a sixteenth aspect, this application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the methods of the above aspects.
According to a seventeenth aspect, this application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the methods of the above aspects.
According to an eighteenth aspect, this application further provides a computer chip, where the chip is connected to a memory and is configured to read and execute a software program stored in the memory to perform the methods of the above aspects.
Brief description of the drawings
FIG. 1 is a schematic diagram of a network architecture provided in this application;
FIG. 2 is a schematic diagram of a network architecture provided in this application;
FIG. 3A to FIG. 3B are schematic diagrams of a network architecture provided in this application;
FIG. 4 is a schematic diagram of a method for establishing data channels in a dual connectivity scenario;
FIG. 5 is a schematic diagram of a network configuration method provided in this application;
FIG. 6 is a schematic diagram of a network configuration method provided in this application;
FIG. 7 is a schematic diagram of a network configuration method provided in this application;
FIG. 8 is a schematic diagram of a network configuration method provided in this application;
FIG. 9 to FIG. 15 are schematic structural diagrams of a communication apparatus provided in this application.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of this application clearer, the embodiments are described in further detail below with reference to the accompanying drawings. The specific operating methods in the method embodiments may also be applied to the apparatus embodiments or system embodiments. In the description of this application, unless otherwise stated, "multiple" means two or more. In addition, in the description of the embodiments of this application, the terms "first", "second" and so on are used only to distinguish the objects described, and are not to be understood as indicating or implying relative importance or order.
For ease of understanding, explanations of the concepts related to this application are given by way of example for reference, as follows:
1) First session and second session. The embodiments of this application involve two sessions used for redundant transmission, called the first session and the second session. The first session and the second session are used to transmit the same data, that is, they are used for redundant transmission, and they are redundant sessions of each other. The first session and the second session may be PDU sessions or may be bearers.
2) Security key. A security key is a key used to protect data in a session, and includes an encryption key, an integrity protection key and so on.
The encryption key may be a parameter that the sender inputs when encrypting plaintext into ciphertext according to an encryption algorithm. If symmetric encryption is used, the encryption key and the decryption key are the same, and the receiver can decrypt the ciphertext with the same encryption algorithm and encryption key. In other words, the sender and the receiver can encrypt and decrypt with the same key.
In this embodiment, the encryption key may be abbreviated K_UPenc. The encryption key K_UPenc may be generated from an intermediate key by a key generation algorithm such as a KDF, for example as follows:
K_UPenc = KDF(K_gNB, other parameters), where the other parameters may be the type of the encryption algorithm, the length of the encryption algorithm type, the identifier of the encryption algorithm, the length of the encryption algorithm identifier, or the parameters mentioned above. They may also include strings such as "uRLLC" or "Redundant Transmission Indication (RTI)"; for example, K_UPenc = KDF(K_gNB, "uRLLC", type of the encryption algorithm).
The integrity protection key may be a parameter that the sender inputs when applying integrity protection to plaintext or ciphertext according to an integrity protection algorithm. The receiver can verify the integrity of the integrity-protected data with the same integrity protection algorithm and integrity protection key.
In this embodiment, the integrity protection key may be abbreviated K_UPint. The integrity protection key K_UPint may be generated from an intermediate key by a key generation algorithm such as a KDF, for example as follows:
K_UPint = KDF(K_gNB, other parameters), where the other parameters may be the type of the integrity protection algorithm, the length of the integrity protection algorithm type, the identifier of the integrity protection algorithm, the length of the integrity protection algorithm identifier, or the parameters mentioned above, and may also include strings such as "uRLLC" or "Redundant Transmission Indication (RTI)"; for example, K_UPint = KDF(K_gNB, "uRLLC", type of the integrity protection algorithm).
3) Intermediate key. An intermediate key is a key needed to generate the encryption key and the integrity protection key. In the embodiments of this application, the intermediate keys may include K_AMF and K_gNB, where K_gNB may be divided into K_MgNB and K_SgNB: K_MgNB is the intermediate key used by the MgNB to generate the encryption key and integrity protection key, and K_SgNB is the intermediate key used by the SgNB to generate the encryption key and integrity protection key. An intermediate key may also be used to derive other keys, such as keys for the uRLLC scenario; a key derived from an intermediate key may be further derived into the encryption keys and integrity protection keys of sessions that are redundant sessions of each other (in the embodiments of this application, the first session and the second session). For convenience, a key derived from an intermediate key is denoted K_uRLLC; the embodiments of this application do not limit the number of K_uRLLC keys.
K_AMF may be a key obtained by the UE and by the AMF network element, respectively, during the UE registration and authentication procedure. In a dual connectivity scenario where both the MgNB and the SgNB have an interface with the AMF network element, K_MgNB may be generated by the UE and the AMF network element based on K_AMF, and after generating K_MgNB from K_AMF the AMF network element may send K_MgNB to the MgNB; K_SgNB is generated by the UE and the AMF network element based on K_AMF, and after generating K_SgNB from K_AMF the AMF network element may send K_SgNB to the SgNB. Where only the MgNB has an interface with the AMF, K_SgNB may be passed from the MgNB to the SgNB; as another possible way, the UE and the AMF network element generate only K_MgNB, and if the SgNB needs K_SgNB, the MgNB may generate K_SgNB and send it to the SgNB.
4) Security policy. A security policy can at least indicate whether to activate encryption protection and/or integrity protection. In one implementation, the security policy may indicate a preference for security protection, for example required, preferred or not needed security protection; whether to activate encryption protection and/or integrity protection can be determined from that preference. Optionally, each security policy may also indicate further information, such as a recommended strength of the security algorithm. In general, the security policy may be obtained based on the SMF local configuration, the PCF configuration, the DN configuration, the operator's policy, a local policy, a third-party configuration, subscription information or policy in the UDM, network slice selection assistance information (NSSAI), and so on.
5) First parameter. The first parameter includes but is not limited to the identifier (ID) of the first session, a slice identifier, NSSAI, a random number, a string, an algorithm type, an algorithm type identifier, an algorithm type value, a non-access stratum count (NAS COUNT), a next hop (NH), a packet data convergence protocol count (PDCP COUNT), and so on. The random number includes a count value, a NONCE, a random number, etc. For example, the string may be an indication of uRLLC. If in the embodiments of this application the first session is of bearer granularity, the identifier of the first session may be replaced by the identifier of the bearer (bearer ID).
6) Second parameter. In the embodiments of this application, the second parameter is a parameter used to generate the security key of the second session, and includes but is not limited to the identifier of the second session, a slice identifier, NSSAI, a random number, a string, an algorithm type, an algorithm type identifier, an algorithm type value, NAS COUNT, NH, PDCP COUNT, and so on. The random number includes COUNT, NONCE, a random number, etc. For example, the string may be an indication of uRLLC. If in the embodiments of this application the second session is of bearer granularity, the identifier of the second session may be replaced by the identifier of the bearer.
7) Load of the base station, for example the maximum number of users the base station can admit, or the bandwidth occupancy of the users connected to the base station over a period of time.
8) Network deployment policy, for example the capacity deployment of the base station, where capacity affects the load or resource state of the base station.
9) Resource state of the base station, which characterises the current allocation or usage state of the base station's resources, for example the occupancy of resources such as the base station's memory.
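The key hierarchy described in 2) and 3) above, as an added example that is not code from the patent: K_AMF is derived into a per-node K_gNB (K_MgNB or K_SgNB), and each K_gNB into K_UPenc and K_UPint with the "uRLLC" string and the algorithm type as inputs. HMAC-SHA256 stands in for the unspecified KDF, every key is a constructed test value, and the length-prefixed parameter encoding, the node-id input to K_gNB and the algorithm type distinguisher bytes are assumptions of this example, not values the page gives.

```python
import hashlib
import hmac

# Algorithm type distinguishers for user-plane ciphering and integrity keys.
# Constructed for this example (the numbering follows the 3GPP TS 33.501
# convention); all that matters here is that the two values differ.
ALG_TYPE_UP_ENC = 0x05
ALG_TYPE_UP_INT = 0x06


def kdf(key: bytes, *params: bytes) -> bytes:
    """KDF(key, P0, P1, ...): HMAC-SHA256 over length-prefixed parameters.

    Length-prefixing keeps inputs such as ("ab", "c") and ("a", "bc")
    from producing the same key.
    """
    data = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_k_gnb(k_amf: bytes, nas_count: int, node_id: bytes) -> bytes:
    """K_gNB (K_MgNB or K_SgNB) from K_AMF.

    The NAS COUNT input matches the page's description; the node id is an
    assumed extra input so that an MgNB and an SgNB served by the same AMF
    end up with distinct intermediate keys.
    """
    return kdf(k_amf, nas_count.to_bytes(4, "big"), node_id)


def derive_up_keys(k_gnb: bytes, enc_alg_id: int, int_alg_id: int) -> dict:
    """K_UPenc = KDF(K_gNB, "uRLLC", encryption algorithm type, algorithm id),
    K_UPint = KDF(K_gNB, "uRLLC", integrity algorithm type, algorithm id).

    Because the type distinguisher is part of the input, the two keys differ
    even when the same algorithm id (e.g. the same AES-based algorithm) is
    chosen for ciphering and integrity.
    """
    return {
        "K_UPenc": kdf(k_gnb, b"uRLLC", bytes([ALG_TYPE_UP_ENC, enc_alg_id])),
        "K_UPint": kdf(k_gnb, b"uRLLC", bytes([ALG_TYPE_UP_INT, int_alg_id])),
    }


def example_hierarchy() -> dict:
    """Derive user-plane keys for an MgNB and an SgNB from one K_AMF."""
    k_amf = bytes.fromhex("00" * 31 + "01")  # constructed test key, not a real K_AMF
    k_mgnb = derive_k_gnb(k_amf, nas_count=7, node_id=b"MgNB-1")
    k_sgnb = derive_k_gnb(k_amf, nas_count=7, node_id=b"SgNB-1")
    return {
        "MgNB": derive_up_keys(k_mgnb, enc_alg_id=2, int_alg_id=2),
        "SgNB": derive_up_keys(k_sgnb, enc_alg_id=2, int_alg_id=2),
    }


if __name__ == "__main__":
    for node, keys in example_hierarchy().items():
        for name, value in keys.items():
            print(node, name, value.hex())
```

The derivation is deterministic, so a UE holding the same K_AMF, NAS COUNT and parameters computes identical keys; what keeps the two base stations' keys apart is the differing K_gNB input, and what keeps K_UPenc apart from K_UPint is the algorithm type distinguisher.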
Referring to FIG. 1, a possible network architecture to which this application applies is shown. This network architecture is a 4G network architecture. The network elements in the 4G architecture include a terminal device; FIG. 1 takes a user equipment (UE) as the terminal device by way of example. The network architecture further includes an MME, a serving GPRS support node (SGSN), an HSS, a serving gateway (S-GW), a packet data network gateway (PDN gateway, P-GW), a policy and charging rules function (PCRF) entity, an evolved universal terrestrial radio access network (E-UTRAN), and so on.
It should be noted that the UE involved in the embodiments of this application refers to a device including a mobile equipment (ME) and a security module, where the security module may be a universal integrated circuit card (UICC) or a secure storage unit integrated in the ME, and the UICC includes a universal subscriber identity module (USIM).
The E-UTRAN consists of multiple evolved base stations (evolved NodeB, eNodeB). The eNodeBs are interconnected through the X2 interface, the eNodeB interacts with the evolved packet core (EPC) through the S1 interface, and the eNodeB and the UE are connected through long term evolution (LTE)-Uu.
The main functions of the MME are: supporting NAS signalling and its security, managing the tracking area (TA) list, selecting the P-GW and S-GW, selecting the MME during inter-MME handover, selecting the SGSN during handover to a 2G/3G access system, user authentication, roaming control, bearer management, and mobility management between core network nodes of different 3rd generation partnership project (3GPP) access networks.
The S-GW is the gateway terminating the E-UTRAN interface. Its main functions include: acting as the local anchor point during inter-base-station handover and assisting with the reordering function of the base station; acting as the mobility anchor during handover between different 3GPP access systems; performing lawful interception; routing and forwarding data packets; packet marking at the transport layer in uplink and downlink; and inter-operator charging.
The P-GW is the gateway facing the PDN that terminates the SGi interface; if a UE accesses multiple PDNs, the UE corresponds to one or more P-GWs. The main functions of the P-GW include user-based packet filtering, lawful interception, internet protocol (IP) address allocation for the UE, transport-level packet marking in the uplink, uplink and downlink service-level charging and control of service-level thresholds, and service-based uplink and downlink rate control.
The HSS is a database for storing user subscription information, and a home network may contain one or more HSSs. The HSS is responsible for holding user-related information such as user identities, numbering and routing information, security information, location information and profile information.
The SGSN can be used for signalling interaction when moving between 2G/3G and E-UTRAN 3GPP access networks, including selection of the P-GW and S-GW, and also selects the MME for users handing over to the E-UTRAN 3GPP access network.
The PCRF entity terminates the Rx interface and the Gx interface. In a non-roaming scenario, only one PCRF in the HPLMN is associated with one IP connectivity access network (IP-CAN) session of the UE; in a roaming scenario with local breakout of the service flow, two PCRFs may be associated with one IP-CAN session of a UE.
Referring to FIG. 2, a network architecture to which this application applies is shown. This network architecture is a 5G network architecture. The network elements in the 5G architecture include a terminal device; FIG. 2 takes a UE as the terminal device by way of example. The network architecture further includes a radio access network (RAN), an access and mobility management function (AMF) network element, a session management function (SMF) network element, a user plane function (UPF) network element, a unified data management (UDM) network element, a policy control function (PCF) network element, an application function (AF) network element, a data network (DN), and so on.
The main function of the RAN is to control user access to the mobile communication network over the radio interface. The RAN is part of the mobile communication system and implements a radio access technology. Conceptually, it resides between a device (such as a mobile phone, a computer or any remotely controlled machine) and provides the connection to the core network. The RAN may include a base station; for example, the RAN may be a gNB, a node B (NB), an evolved Node B (eNB), a radio network controller (RNC), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example a Home eNB or Home Node B), a baseband unit (BBU), an access point (AP), a worldwide interoperability for microwave access base station (WiMAX BS), a relay node, and so on; this application does not limit this.
The AMF network element is responsible for access management and mobility management of the terminal. In practice, it includes the mobility management function of the MME in the LTE network framework and adds an access management function.
The SMF network element is responsible for session management, such as establishment and modification of user sessions.
The UPF network element is the user-plane functional network element, mainly responsible for connecting to external networks; it includes the related functions of the LTE serving gateway (SGW) and public data network gateway (PDN-GW).
The DN is the network responsible for providing services to the terminal; for example, some DNs provide internet access to the terminal and others provide short message functions.
The UDM network element can store user subscription information, implementing a back end similar to the HSS in 4G; in the embodiments of this application, the UDM stores the session context of the UE.
The main function of the PCF network element is to execute policy control. Its functions include those of the policy and charging rules function (PCRF) network element in LTE, and it is mainly responsible for policy authorisation, policy control, generation of quality of service and charging rules, and delivery of the corresponding rules, for example delivering service-related session rules to the SMF network element or other network elements to complete installation of the corresponding policies and rules.
The AF network element may be a third-party application function entity or device, or the operator's own device or entity, and may provide services for multiple application servers.
The terminal device in this application, which may also be called user equipment (UE), is a device with radio transceiving capability. It may be deployed on land, indoors or outdoors, handheld or vehicle-mounted; on water (such as on ships); or in the air (such as on aircraft, balloons and satellites). The terminal device may be a mobile phone, a tablet (pad), a computer with radio transceiving capability, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
To guarantee the reliability of uRLLC, two identical data channels need to be established between the UE and the DN to implement redundant transmission, so that when a problem occurs on one data channel, data transmission can continue on the other. On the basis of the network architectures shown in FIG. 1 and FIG. 2, further network architectures to which the embodiments of this application apply can be derived; two of them are listed below:
FIG. 3A shows another network architecture provided by an embodiment of this application, in which the terminal device is a UE. The network architecture includes two gNBs, denoted master base station (MgNB) and secondary base station (SgNB), and, corresponding to the MgNB and SgNB, two UPF network elements, denoted UPF1 and UPF2. The network architecture further includes an AMF network element, an SMF, a UPF network element, a UDM network element and a DN.
For the description of each network element, refer to the foregoing content, which is not repeated here.
As shown in FIG. 3A, two data channels from the UE to the DN can be established through the two gNBs and two UPF network elements, one being UE<-MgNB<-UPF1<-DN and the other UE<-SgNB<-UPF2<-DN; here the data channels may be of session granularity.
Although not shown, the network architecture in FIG. 3A may further include a PCF network element, an AF network element and so on.
FIG. 3B shows another network architecture provided by an embodiment of this application, in which the terminal device is a UE. The network architecture includes two gNBs, denoted MgNB and SgNB, and further includes a UPF network element, an AMF network element, an SMF, a UDM network element and a DN.
As shown in FIG. 3B, two data channels from the UE to the DN can be established through the two gNBs, one being UE<-MgNB<-UPF<-DN and the other UE<-SgNB<-UPF<-DN.
It should be noted that in the network architectures of FIG. 3A and FIG. 3B the UE has connections to two gNBs; these are two common network architectures in the dual connectivity scenario. FIG. 3A and FIG. 3B only take a gNB as the RAN by way of example; the embodiments of this application are not limited to a gNB, which may also be another type of device such as an eNB or ng-eNB, or a device in a 4G network architecture that can implement the same function.
Based on the network architectures of FIG. 3A and FIG. 3B, in the dual connectivity scenario the data channels are established as follows, as shown in FIG. 4. The method includes:
Step 401: The UE initiates a session establishment procedure, and the UE establishes the first session and the second session with the MgNB, where the first session and the second session are redundant sessions of each other.
Step 402: The MgNB sends a secondary base station addition/modification request (SgNB addition/modification request) to the SgNB, which carries information about the second session, including but not limited to the identifier of the second session, the slice information corresponding to the second session, the QoS flow information corresponding to the session, the user-plane security policy obtained from the SMF, and the security capabilities of the UE.
Step 403: After receiving the secondary base station addition/modification request, the SgNB allocates corresponding resources for the second session, and may select for the second session the encryption algorithm and integrity protection algorithm with the highest priority in its own list that are also among the security capabilities of the UE.
Step 404: The SgNB sends a secondary base station addition/modification acknowledge message (SgNB addition/modification acknowledge) to the MgNB, which indicates that the SgNB has allocated the corresponding resources for the second session; it may further indicate the encryption and integrity protection algorithms of the second session and, optionally, contain a resource identifier of the resources allocated for the second session.
At present, it is only mentioned that two data channels can be established between the UE and the DN, such as two protocol data unit (PDU) sessions, bearers or QoS flows; no concrete scheme has been proposed for how to configure the two data channels, or how to configure the security keys and security policies used on them.
To configure the security keys and security policies used on the two data channels, the embodiments of this application provide a session configuration method. In the embodiments, after receiving the redundant transmission security information of the first session from the session management network element, the access network device can send the redundant transmission security information to the terminal device, so that the access network device and the terminal device generate security keys and security policies according to the indication in the redundant transmission security information, which implements the configuration of the two sessions used for redundant transmission.
Based on the network architectures of FIG. 1 to FIG. 3B, taking a base station as the access network device, an SMF network element as the session management network element and a UE as the terminal device, a session configuration method provided by an embodiment of this application is described with reference to FIG. 5. The method includes:
Step 501: The UE sends a session establishment request to the SMF network element, where the session establishment request is used to request establishment of the first session.
For example, the UE sends the session establishment request to the AMF network element through the base station, and the AMF network element, after selecting the corresponding SMF network element, forwards the session establishment request to the SMF network element.
Step 502: After receiving the session establishment request, the SMF network element determines the redundant transmission security information of the first session, where the redundant transmission security information indicates the security keys and security policies of the first session and the second session, and the second session is a redundant session of the first session.
As a possible implementation, the session establishment request sent by the UE carries indication information indicating that the first session is used for redundant transmission. After receiving the session establishment request, the SMF network element determines from the indication information that the first session is used for redundant transmission.
As another possible implementation, the session establishment request sent by the UE may not include the indication that the first session is used for redundant transmission; instead, after receiving the session establishment request, the SMF network element judges from one or more of slice information such as the NSSAI, the DN information and the UE subscription information in the UDM network element that the first session is a redundant transmission session, and generates indication information indicating that the first session is a redundant transmission session. This indication information may be stored locally at the SMF network element as information of the first session.
There are many ways for the indication information to indicate that the first session is used for redundant transmission. It may be a redundant transmission/session indication field whose different values indicate different content. For example, redundant transmission/session indication = 1 indicates that the first session is the first session used for redundant transmission, or that the first session needs to be made redundant and the one currently being established is the first redundant transmission session; in this case, another session used for redundant transmission still needs to be established after the first session is established. redundant transmission/session indication = 2 indicates that the first session is the second session used for redundant transmission; in this case, a session used for redundant transmission was already established before the first session (for convenience, the session used for redundant transmission that was established before the first session is denoted the second session), and the indication information may also carry the identifier of the second session. It should be understood that redundant transmission/session indication may also be 0, indicating that the first session does not need to be made redundant, and so on; the specific indicated values are not limited as long as the meaning is the same. As further examples, the indication information may indicate that the first session is used to support a uRLLC service, or that the session type of the first session is a uRLLC service. The above indication methods are only examples, and the embodiments of this application are not limited to them.
In the embodiments of this application, the redundant transmission security information indicates the security keys and security policies of the first session and the second session. For example, it may indicate that the security keys and security policies of the first session and the second session are the same, or that they are different. It may also indicate that the security keys and security policies of the first session and the second session are determined by the base station; for this case, refer to the embodiment shown in FIG. 7.
There are many ways for the SMF network element to determine the redundant transmission security information, for example based on the UE subscription information, the operator configuration, the local configuration, third-party service policy information, the DN information and/or slice-related information such as the NSSAI. Three of them are listed below:
First, the SMF network element determines the redundant transmission security information according to the subscription information of the UE.
When the UE subscribes to the network, its subscription information may include the redundant transmission security information. After receiving the session establishment request, the SMF network element may obtain the UE subscription information from the UDM network element and then determine the redundant transmission security information from it.
Second, the SMF network element determines the redundant transmission security information according to the current network state, where the network state characterises the load, security capability and other states of the network.
When the first session needs to be used for redundant transmission, the second session is necessarily needed as the redundant session of the first session, which occupies some network resources and affects the network load.
If the current network load is low and many network resources are available, the SMF network element may determine that the first session can be used for redundant transmission; if the current network security is low, then to guarantee the security of data transmission the security keys and security policies of the first session and the second session may be set to be different, which achieves data isolation. If the current network security is high, the security keys and security policies of the first session and the second session may be set to be the same, which guarantees the security of data transmission while saving resources.
If the current network state is not suitable for redundant transmission, for example the current network load is high and few network resources are available, the SMF network element may establish the first session for the UE according to the existing procedure.
Third, the SMF network element determines the redundant transmission security information through another network element.
Taking an AF network element as the other network element, the SMF network element may interact with the AF network element and determine the redundant transmission security information according to the indication of the AF network element.
For example, if the AF network element is the application server of a specific slice and that slice needs to provide high security, then even for redundantly transmitted data the security isolation of the two sessions must be guaranteed, and different security keys and security policies can satisfy the security requirement in this case.
The above three ways are only examples; the embodiments of this application do not limit how the SMF network element determines the redundant transmission security information.
The redundant transmission security information indicates the security keys and security policies of the first session and the second session; the SMF network element also needs to determine the redundant session of the first session, that is, which session is the second session.
As a possible implementation, the second session may be a session already established before the UE initiated the session establishment request, and the SMF network element may determine the second session from the session establishment request. For example, the session establishment request sent by the UE may carry the identifier of the second session. Alternatively, the SMF network element may, when the second session is established, record the related information of the second session, such as its identifier and the fact that it is used for redundant transmission, so that when the UE initiates the session establishment request, the SMF network element, after receiving it, determines from the locally recorded information that the second session is the redundant session of the first session.
As another possible implementation, the second session may be a session the UE establishes after initiating the session establishment request. Similarly to the above, the SMF network element may determine the second session from the session establishment request the UE sends to request establishment of the second session. For example, that session establishment request may carry the identifier of the first session, indicating that the second session and the first session are redundant sessions of each other, so that the second session currently being established is determined to be the redundant session of the first session. Alternatively, the SMF network element may, when the first session is established, record the related information of the first session, such as its identifier and the fact that it is used for redundant transmission, so that when the UE initiates the session establishment request for the second session, the SMF network element, after receiving it, determines from the locally recorded information that the second session is the redundant session of the first session.
After determining the redundant transmission security information, the SMF network element may perform step 503.
Step 503: The SMF network element sends the redundant transmission security information to the base station.
The SMF network element may send the redundant transmission security information to the base station through the AMF network element.
Step 504: After receiving the redundant transmission security information, the base station sends it to the UE.
After receiving the redundant transmission security information, the base station may configure security keys and security policies for the first session and the second session according to it; correspondingly, the UE also needs to configure security keys and security policies for the first session and the second session according to the redundant transmission security information.
Depending on the content indicated by the redundant transmission security information, there are two cases:
Case one: the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same.
The base station configures the same security keys and security policies for the first session and the second session.
Taking the case where the second session was already established before the UE initiated the session establishment request, the base station may look up the security key and security policy of the second session and configure the first session with the same security key and security policy as the second session.
If the second session is a session the UE needs to establish after the first session is established, then in the same way the base station may look up the security key and security policy of the first session and configure the second session with the same security key and security policy.
Correspondingly, after receiving the redundant transmission security information, the UE configures the same security keys and security policies for the first session and the second session. The operations performed by the UE are the same as those performed on the base station side; refer to the foregoing content, which is not repeated here.
In the network architecture of FIG. 3A or FIG. 3B, the base station is split into two gNBs, the MgNB and the SgNB, which build the two data channels, and the SMF network element may send the redundant transmission security information to one of them. The following description takes as an example that the SMF network element sends the redundant transmission security information to the MgNB, that the data channel established through the MgNB is the first session, and that the data channel established through the SgNB is the second session.
FIG. 6 shows a session configuration method provided by an embodiment of this application. The method includes:
Step 601: If the MgNB determines that the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, the MgNB may send the SgNB the security keys of the first session configured on the MgNB side, for example K_UPenc and K_UPint, and may send the SgNB the security policy of the first session configured on the MgNB side. Optionally, the MgNB may also send the SgNB an indication message indicating that the first session and the second session are redundant sessions of each other, and possibly that the security keys and security policies of the first session and the second session are the same.
For example, the MgNB may carry the security keys of the first session in a secondary base station addition/modification request (SgNB addition/modification request) and then send it to the SgNB; the security policy of the first session may also be carried in the secondary base station addition/modification request.
Step 602: After receiving the security policy and security keys of the first session, the SgNB may configure the security policy and security keys of the second session directly, or may do so only after later receiving a notification message from the MgNB, where the notification message may indicate that the UE has completed its configuration, or may instruct the SgNB to activate the configuration of the second session.
The SgNB sends a secondary base station addition/modification acknowledge message (SgNB addition/modification acknowledge) to the MgNB, which indicates that the SgNB has received the security policy and security keys of the first session and may further indicate that the SgNB can configure the second session with the same security policy and security keys as the first session. If the SgNB has already completed the configuration of the security policy and security keys of the second session, the acknowledge message may also indicate that this configuration is complete.
Step 603: After receiving the secondary base station addition/modification acknowledge message, the MgNB may send the redundant transmission security information to the UE; after receiving it, the UE configures the security keys and security policies of the first session and the second session according to it. For example, the redundant transmission security information may be carried in a radio resource control (RRC) message, such as an RRC connection reconfiguration request.
Step 604: After completing the configuration of the security keys and security policies of the first session and the second session, the UE sends an acknowledge message to the MgNB; this may also be sent as an RRC message, for example an RRC connection reconfiguration complete message.
Step 605: After receiving the acknowledge message from the UE, the MgNB may send the notification message to the SgNB.
Case two: the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are different.
The base station configures different security keys and security policies for the first session and the second session.
For the security keys, the base station may use different key generation methods to generate the security key of the first session and the security key of the second session. The embodiments of this application do not limit the generation method; any method that makes the security key of the first session differ from that of the second session applies.
For example, the base station may generate the security key of the first session from the first parameter and the security key of the second session from the second parameter.
The base station may send the first parameter and the second parameter to the UE, and the UE, based on the redundant transmission security information, configures security keys for the first session and the second session according to the first parameter and the second parameter; specifically, after receiving the first parameter and the second parameter, the UE generates the security key of the first session from the first parameter and the security key of the second session from the second parameter.
Two methods of generating the security keys of the first session and the second session are described below:
(1) The security key of whichever of the first and second sessions is not yet established is derived from the security key of the one that is already established.
If the second session was already established before the UE initiated the session establishment request, then when establishing the first session the base station may look up the security key of the second session and derive the security key of the first session from it; in doing so, the base station may introduce the first parameter and generate the security key of the first session from the security key of the second session and the first parameter.
For example, let the integrity protection key of the second session be K_UPint and its encryption key K_UPenc; K_UPint and K_UPenc may be the integrity protection key and encryption key configured when the session was established by the existing procedure, or keys the base station generated in another way. The base station may derive the integrity protection key and encryption key of the first session from K_UPint and K_UPenc, with the integrity protection key of the first session being K_UPint-session1 = KDF(K_UPint, first parameter).
The base station sends the first parameter to the UE, and the UE generates the security key of the first session in the same way as the base station.
Optionally, if the UE already holds some of the first parameter, for example the NAS COUNT, the base station need not send that part to the UE.
If the second session is a session the UE needs to establish after the first session is established, then when establishing the second session the base station may look up the security key of the first session and derive the security key of the second session from it; in doing so, the base station may introduce the second parameter.
The base station sends the second parameter to the UE, and the UE generates the security key of the second session in the same way as the base station.
Optionally, if the UE already holds some of the second parameter, for example the NAS COUNT, the base station need not send that part to the UE.
(2) Different security keys are derived from an intermediate key, or from a key derived from an intermediate key, and the different security keys are configured for the first session and the second session. The intermediate key may include K_AMF, K_MgNB and K_SgNB.
As a possible implementation, the base station may generate multiple different sets of security keys from K_gNB and, on receiving the redundant transmission security information, select different sets from them as the security keys of the first session and the second session, for example K_UPint-session = KDF(K_gNB, first parameter or second parameter, etc.). Here K_gNB may be K_MgNB or K_SgNB: when generating security keys on the MgNB side, K_MgNB may be used; when generating security keys on the SgNB side, K_SgNB may be used.
As another possible implementation, the AMF network element may generate multiple different K_gNB keys from K_AMF and send them to the base station; the base station may generate multiple different security keys from the different K_gNB keys and, on receiving the redundant transmission security information, select from them the security keys of the first session and the second session.
As another possible implementation, the AMF network element may derive a key from an intermediate key (such as K_AMF) and send that derived key to the base station, and the base station continues the derivation from it to generate the security keys of a session (such as the first session or the second session).
For example, the AMF network element may generate multiple K_uRLLC keys from K_AMF, such as K_uRLLC = KDF(K_AMF, third parameter), and send the generated K_uRLLC keys to the base station (for example the MgNB and SgNB). The third parameter is a parameter not known to the base station and the UE, and includes but is not limited to a session identifier, a slice identifier, NSSAI, a random number, a string, an algorithm type, an algorithm type identifier, an algorithm type value, NAS COUNT, NH, PDCP COUNT, a NAS connection identifier, a service type, and so on. If in the embodiments of this application the session is of bearer granularity, the session identifier may be replaced by the bearer identifier. Among the inputs of different K_uRLLC keys, the session identifier, the NAS COUNT and the slice identifier may differ, and the random numbers also differ.
When sending the generated K_uRLLC keys to the base station, the AMF network element may determine which base stations will subsequently need to establish sessions used for redundant transmission, and send the multiple K_uRLLC keys to the determined base stations respectively.
Optionally, the AMF may also send all K_uRLLC keys to one master base station, which, during a subsequent secondary base station addition/modification operation, carries K_uRLLC in the secondary base station addition/modification request sent to the corresponding secondary base station; each secondary base station may obtain one or more K_uRLLC keys.
It should be noted that when the security key of the first session or the second session is derived from a key that was itself derived from an intermediate key, and the UE does not store that derived key, the base station needs to send the UE the third parameter needed to generate the derived key. The UE then generates the derived key from the intermediate key and the third parameter, and from that derived key generates the security key of the corresponding session (the first session or the second session).
It should be understood that if the base station introduced the first parameter when generating the security key of the first session, it needs to send the first parameter to the UE; correspondingly, if it introduced the second parameter when generating the security key of the second session, it needs to send the second parameter to the UE. Normally the base station and the UE exchange the K_gNB needed for security key generation; the first parameter and the second parameter here are newly introduced parameters other than K_gNB that the UE and the base station do not know in advance. Other parameters that the UE and the base station already know in advance need not be sent; for example, the session ID is usually carried in the messages of the session establishment procedure, so both parties already hold it and it need not be sent.
In terms of the specific network architectures of FIG. 3A and FIG. 3B, there are an MgNB and an SgNB and two different data channels, corresponding to two different sessions (the first session and the second session in the embodiments of this application).
If the AMF network element has interfaces with both the MgNB and the SgNB, and each maintains a corresponding NAS COUNT used for security key generation, the AMF network element generates from K_AMF the K_gNB for the MgNB, K_MgNB, and the K_gNB for the SgNB, K_SgNB, and sends K_MgNB to the MgNB and K_SgNB to the SgNB over the respective interfaces; the MgNB may then generate security keys from K_MgNB and the SgNB from K_SgNB.
If the AMF network element has an interface with only one of the MgNB and the SgNB, taking an interface with only the MgNB as an example, the MgNB and the SgNB may generate security keys in their own ways.
As a possible implementation, the MgNB may generate K_MgNB itself (for example from K_AMF based on the NAS COUNT) or may obtain K_AMF (sent to the MgNB by the AMF network element); the MgNB may send K_AMF to the SgNB, or K_MgNB, or a key derived from K_AMF or K_MgNB (the generated key is denoted K_SgNB). After receiving the key sent by the MgNB (K_AMF, K_MgNB or K_SgNB), the SgNB may generate the corresponding security keys from it; for the generation of the security keys, refer to the generation of K_UPint and K_UPenc above, which is not repeated here.
When the MgNB generates K_SgNB, it may derive it from K_AMF together with other parameters, such as K_SgNB = KDF(K_AMF, fourth parameter), or as K_SgNB = KDF(K_AMF, fourth parameter). The fourth parameter includes but is not limited to the SgNB ID, the SgNB Counter, a random number, the string length of the SgNB Counter, NH, a slice ID, NSSAI, a string, PDCP COUNT, a service type, NAS COUNT and so on. The SgNB ID is the identifier of the SgNB; the embodiments of this application do not limit its specific type, and any identifier that can indicate the SgNB applies. The SgNB Counter is the number of SgNBs currently associated with the MgNB: one MgNB may be offloaded by multiple SgNBs, and each time the MgNB adds an SgNB the SgNB Counter is incremented by 1. For the random number and the string, refer to the foregoing content, which is not repeated here.
In this way, the MgNB can generate K_SgNB in a specific way and then generate security keys from K_SgNB, which guarantees that the security keys generated by the MgNB and by the SgNB are isolated and further guarantees the security of data transmission.
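The two key-generation methods of case two, as an added example that is not code from the patent: method (1) derives the not-yet-established session's keys from the established session's keys with the first parameter (K_UPint-session1 = KDF(K_UPint, first parameter)), and method (2) derives separate key sets from the intermediate key with per-session parameters, including the AMF-side K_uRLLC = KDF(K_AMF, third parameter) and the MgNB-side K_SgNB = KDF(K_AMF, fourth parameter). HMAC-SHA256 stands in for the KDF, all key material is constructed test data, and the parameter encodings and the `keys_isolated` check are this example's assumptions. The example also shows the failure mode the text implies: if the two sessions are fed the same parameter, method (2) yields identical keys, so a gNB should verify isolation before it tells the UE the keys are different.

```python
import hashlib
import hmac


def kdf(key: bytes, *params: bytes) -> bytes:
    """Stand-in KDF: HMAC-SHA256 over length-prefixed parameters."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_from_existing_session(existing_keys: dict, new_session_param: bytes) -> dict:
    """Method (1): keys of the new session derived from the established session's
    keys, e.g. K_UPint-session1 = KDF(K_UPint, first parameter)."""
    return {name: kdf(key, new_session_param) for name, key in existing_keys.items()}


def derive_from_intermediate(k_gnb: bytes, session_param: bytes) -> dict:
    """Method (2): one key set per session from K_gNB,
    K_UPint-session = KDF(K_gNB, first or second parameter). The "int"/"enc"
    labels are an assumed input that keeps the two keys of one session apart."""
    return {
        "K_UPint": kdf(k_gnb, b"int", session_param),
        "K_UPenc": kdf(k_gnb, b"enc", session_param),
    }


def derive_k_urllc(k_amf: bytes, third_param: bytes) -> bytes:
    """K_uRLLC = KDF(K_AMF, third parameter): the AMF-side branch of method (2)."""
    return kdf(k_amf, third_param)


def derive_k_sgnb(k_amf: bytes, sgnb_id: bytes, sgnb_counter: int) -> bytes:
    """K_SgNB = KDF(K_AMF, fourth parameter), with SgNB ID and SgNB Counter
    as the fourth parameter (assumed 16-bit counter encoding)."""
    return kdf(k_amf, sgnb_id, sgnb_counter.to_bytes(2, "big"))


def keys_isolated(first: dict, second: dict) -> bool:
    """True only if every key of session 1 differs from the matching key of
    session 2: the check to make before indicating "different keys" to the UE."""
    return all(first[name] != second[name] for name in first)


def demo() -> dict:
    k_amf = b"\x11" * 32                      # constructed test key
    k_gnb = kdf(k_amf, b"K_gNB")              # constructed intermediate key
    session2 = derive_from_intermediate(k_gnb, b"session-id:2")
    # Method (1): session 2 already exists; session 1 is derived from its keys.
    session1_a = derive_from_existing_session(session2, b"session-id:1")
    # Method (2): both sessions from the same K_gNB with different parameters.
    session1_b = derive_from_intermediate(k_gnb, b"session-id:1")
    # Parameter reuse defeats the isolation: same parameter, same keys.
    session1_bad = derive_from_intermediate(k_gnb, b"session-id:2")
    return {
        "method1_isolated": keys_isolated(session1_a, session2),
        "method2_isolated": keys_isolated(session1_b, session2),
        "reused_param_isolated": keys_isolated(session1_bad, session2),
        "k_urllc_differs_per_param": derive_k_urllc(k_amf, b"p3-a") != derive_k_urllc(k_amf, b"p3-b"),
        "k_sgnb_differs_per_counter": derive_k_sgnb(k_amf, b"SgNB-1", 1) != derive_k_sgnb(k_amf, b"SgNB-1", 2),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The session-id strings stand in for whichever of the listed first/second parameters the network chooses; the text's point that parameters the UE already holds (such as the session ID) need not be retransmitted does not change the derivation, only what the base station sends.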
For the security policies, the base station configures different security policies for the first session and the second session.
If the second session was already established before the UE initiated the session establishment request, the base station may look up the security policy of the second session and configure the first session with a security policy different from that of the second session.
If the second session is a session the UE needs to establish after the first session is established, then when establishing the second session the base station looks up the security policy of the first session and configures the second session with a security policy different from that of the first session.
For one and the same session (the first session or the second session), the base station and the UE need to use the same security policy, so the base station needs to send the terminal device the security policy of the first session and the security policy of the second session; the UE receives the security policies of the first session and the second session from the base station and, based on the redundant transmission security information, configures security policies for the first session and the second session according to them.
In terms of the specific network architectures of FIG. 3A and FIG. 3B, there are an MgNB and an SgNB and two different data channels, corresponding to two different sessions (the first session and the second session in the embodiments of this application). The following description takes as an example that the SMF network element sends the redundant transmission security information to the MgNB, that the data channel established through the MgNB is the first session, and that the data channel established through the SgNB is the second session.
If the MgNB determines that the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are different, the MgNB sends the SgNB the second parameter or the intermediate key used to generate the security key of the second session, for example K_SgNB or K_AMF; the MgNB may also determine the security policy of the second session in advance and send it to the SgNB.
For example, the MgNB may carry the second parameter or the intermediate key used to generate the security key of the second session in a secondary base station addition/modification request and then send it to the SgNB; the security policy of the second session may also be carried in the secondary base station addition/modification request.
After receiving the second parameter or the intermediate key used to generate the security key of the second session, the SgNB may configure the security policy and security key of the second session directly, or may do so only after later receiving a notification message from the MgNB, where the notification message may indicate that the UE has completed its configuration, or may instruct the SgNB to activate the configuration of the second session.
The SgNB sends a secondary base station addition/modification acknowledge message (SgNB addition/modification acknowledge) to the MgNB, which indicates that the SgNB has received the message sent by the MgNB and may further indicate that the SgNB can configure the second session with a security policy and security key different from those of the first session. If the SgNB has already completed the configuration of the security policy and security key of the second session, the acknowledge message may also indicate that this configuration is complete.
After receiving the secondary base station addition/modification acknowledge message, the MgNB may send the redundant transmission security information to the UE; after receiving it, the UE configures the security keys and security policies of the first session and the second session according to it. For example, the redundant transmission security information may be carried in an RRC message such as an RRC configuration request. The MgNB also sends the UE the security policy of the first session and the security policy of the second session; if the first parameter was introduced when generating the security key of the first session, the MgNB also sends the first parameter to the UE, and if the second parameter was introduced when generating the security key of the second session, the MgNB also sends the second parameter to the UE. The redundant transmission security information, the security policy of the first session, the security policy of the second session, and the first parameter or the second parameter may be carried in one message sent to the UE.
After completing the configuration of the security keys and security policies of the first session and the second session, the UE sends an acknowledge message to the MgNB; this may also be sent as an RRC message, for example an RRC connection reconfiguration complete message.
After receiving the acknowledge message from the UE, the MgNB may send the notification message to the SgNB.
In the above examples the data channels are of session granularity. In fact, the data channels may also be of QoS flow granularity, that is, two QoS flows, such as a first QoS flow and a second QoS flow, are established within one session to transmit the same data. The procedure for configuring the security keys and security policies of the QoS flows is similar to the session configuration of FIG. 5, with the first QoS flow corresponding to the first session and the second QoS flow to the second session, and is not repeated here. The difference is that during session establishment the SMF network element may determine the redundant QoS flows, namely the first QoS flow and the second QoS flow, from the QoS flows corresponding to the session to be established, based on the UE subscription information and information such as the QoS level policy in the PCF network element; the UE subscription information may be obtained by the SMF network element from the UDM network element, and the QoS level policy and similar information may be obtained by the SMF from the UDM or from the PCF network element. The SMF network element sends the redundant transmission security information to the base station, and the redundant transmission security information indicates the security keys and security policies of the first QoS flow and the second QoS flow.
In the above description, the redundant transmission security information indicating that the security keys and security policies of the first session and the second session are different means that the security policy of the first session differs from that of the second session and the security key of the first session differs from that of the second session. In fact, the redundant transmission security information may also indicate that the security policies of the first and second sessions are the same while their security keys are different, or that the security policies are different while the security keys are the same.
The base station and the UE may act according to the indication in the redundant transmission security information: if it indicates that the security policies of the first and second sessions are the same and their security keys are different, they configure different security keys and the same security policy for the first session and the second session; if it indicates that the security policies are different and the security keys are the same, they configure the same security key and different security policies for the first session and the second session. For the specific configuration methods, refer to the foregoing content, which is not repeated here.
As a possible implementation, the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are determined by the base station.
This case is described below with reference to FIG. 7, taking a base station as the access network device, an SMF network element as the session management network element and a UE as the terminal device. Another session configuration method provided by an embodiment of this application includes:
Step 701: The UE sends a session establishment request to the SMF network element, where the session establishment request is used to request establishment of the first session. This is the same as step 501 of the embodiment in FIG. 5 and is not repeated here.
Step 702: After receiving the session establishment request, the SMF network element determines the redundant transmission security information of the first session, where the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are determined by the base station. This is similar to step 301 of the embodiment in FIG. 5; the difference is the content that the redundant transmission security information determined by the SMF network element indicates. It is not repeated here; refer to the foregoing content.
Step 703: The SMF network element sends the redundant transmission security information to the base station, and the base station receives it.
Step 704: The base station configures security keys and security policies for the first session and the second session, where the second session is a redundant session of the first session.
Since the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are determined by the base station, the base station may determine the security keys and security policies of the first session and the second session according to a first rule.
The first rule may include some or all of the following:
the load of the base station, the network deployment policy, and the resource state of the base station.
If the current load of the base station is high, the base station may configure the same security keys and security policies for the first session and the second session to save resources; if the current load of the base station is low, the base station may configure different security keys and security policies for the first session and the second session to guarantee the reliability of data transmission.
If the resource state of the base station indicates that few resources are currently available, the base station may configure the same security keys and security policies for the first session and the second session; if it indicates that many resources are currently available, the base station may configure different security keys and security policies for the first session and the second session to guarantee the reliability of data transmission.
If the network deployment policy indicates that the base station needs to guarantee the reliability of data transmission, the base station may configure different security keys and security policies for the first session and the second session; if the network deployment policy places no reliability requirement on the base station's data transmission, the base station may configure the same security keys and security policies for the first session and the second session.
Step 705: The base station sends an indication message to the UE, where the indication message indicates the security keys and security policies of the first session and the second session.
After configuring security keys and security policies for the first session and the second session, the base station needs to inform the UE whether the security keys and security policies configured for the first session and the second session are the same.
The relationship between the security keys and security policies of the first session and the second session determined by the base station may be one of the following four cases:
1) The security keys and security policies of the first session and the second session are the same; correspondingly, the indication message indicates that the security keys and security policies of the first session and the second session are the same.
2) The security keys and security policies of the first session and the second session are different; correspondingly, the indication message indicates that the security keys and security policies of the first session and the second session are different.
3) The security keys of the first session and the second session are different and their security policies are the same; correspondingly, the indication message indicates that the security keys of the first session and the second session are different and their security policies are the same.
4) The security keys of the first session and the second session are the same and their security policies are different; correspondingly, the indication message indicates that the security keys of the first session and the second session are the same and their security policies are different.
In the above four cases, for the specific method by which the base station and the UE configure the security keys and security policies of the first session and the second session, refer to the embodiment in FIG. 5, which is not repeated here.
For the security policies, if the security policies the base station configures for the first session and the second session are different, then after configuring them the base station sends the UE the security policies of the first session and the second session; after receiving them, the UE, based on the indication message, configures security policies for the first session and the second session according to the received security policies.
For the security keys, if the security keys the base station configures for the first session and the second session are different, the base station may send the UE the first parameter used to generate the security key of the first session and the second parameter used to generate the security key of the second session; after receiving the first parameter and the second parameter, the UE, based on the indication message, configures security keys for the first session and the second session according to them, that is, the UE generates the security key of the first session from the first parameter and the security key of the second session from the second parameter.
For the description of the first parameter and the second parameter, refer to the related description in the embodiment of FIG. 5, which is not repeated here.
需要说明的是,当所述冗余传输安全信息指示所述第一会话与第二会话的安全密钥和安全策略不同或相同的情况下,所述基站在接收到所述冗余传输安全信息后,也可以不根据所述冗余传输安全信息,为所述第一会话与第二会话配置安全密钥和安全策略,而是自行确定所述第一会话与第二会话配置安全密钥和安全策略(如根据第一规则确定所述第一会话与第二会话的安全密钥和安全策略),并进行配置。
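The following Python model walks through steps 702 to 705 end to end: the SMF indication (using the three values of "Indication of Security policy for URLLC redundant transmission" listed in step 803 below: 1 = same, 2 = different, 0 = decided by the RAN node), the base station's first rule for the RAN-decides case, the four indication cases of step 705, and the UE deriving both session keys from the first and second parameters. It is an added example and not code from the patent or from any 3GPP implementation. The key derivation function, the policy representation, the shared base key `k_gnb` and the load/resource thresholds are assumptions; the page specifies none of them. The UE side includes a check the text does not spell out: if the indication message says the keys are the same but two different parameters arrive (or the reverse), the UE rejects the configuration rather than silently ending up with a state that differs from the base station's.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Values of "Indication of Security policy for URLLC redundant transmission"
# as listed in step 803: 1 = same (default), 2 = different, 0 = RAN decides.
SAME, DIFFERENT, RAN_DECIDES = 1, 2, 0


@dataclass(frozen=True)
class SecurityPolicy:
    """Assumed shape: whether ciphering and integrity protection are activated."""
    ciphering: bool
    integrity: bool


@dataclass(frozen=True)
class GnbState:
    load: float                 # 0.0 idle .. 1.0 saturated
    free_resources: float       # 0.0 none .. 1.0 all free
    reliability_required: bool  # from the network deployment policy


@dataclass(frozen=True)
class RedundantConfig:
    """What the base station tells the UE in step 705, plus what it sends with it."""
    keys_differ: bool
    policies_differ: bool
    params: tuple      # (first parameter, second parameter)
    policies: tuple    # (policy of the first session, policy of the second session)


def first_rule(state: GnbState, high_load: float = 0.8, low_resources: float = 0.2) -> bool:
    """The 'first rule' of step 704: True = different keys and policies, False = same.
    The thresholds are assumptions; the page only says 'excessive' and 'few'."""
    if state.reliability_required:
        return True
    if state.load > high_load or state.free_resources < low_resources:
        return False
    return True


def session_key(k_gnb: bytes, param: bytes) -> bytes:
    """Assumed KDF: the page only says a session key is generated from a parameter."""
    return hmac.new(k_gnb, b"urllc-redundant-session" + param, hashlib.sha256).digest()


def gnb_configure(indication: int, state: GnbState, candidate_params: tuple,
                  candidate_policies: tuple) -> RedundantConfig:
    """Base station side, steps 702-705: resolve the SMF indication into the
    configuration of the first session and its redundant second session."""
    if indication == RAN_DECIDES:
        differ = first_rule(state)
    elif indication in (SAME, DIFFERENT):
        differ = indication == DIFFERENT
    else:
        raise ValueError(f"unknown redundant transmission security indication: {indication}")
    p1, p2 = candidate_params
    pol1, pol2 = candidate_policies
    if not differ:                     # case 1): reuse the first session's parameter and policy
        p2, pol2 = p1, pol1
    return RedundantConfig(keys_differ=p1 != p2, policies_differ=pol1 != pol2,
                           params=(p1, p2), policies=(pol1, pol2))


def ue_configure(k_gnb: bytes, cfg: RedundantConfig):
    """UE side: refuse an indication message that contradicts the parameters and
    policies actually delivered, then derive both session keys."""
    p1, p2 = cfg.params
    if cfg.keys_differ != (p1 != p2):
        raise ValueError("indication message and key parameters disagree")
    if cfg.policies_differ != (cfg.policies[0] != cfg.policies[1]):
        raise ValueError("indication message and security policies disagree")
    return (session_key(k_gnb, p1), session_key(k_gnb, p2)), cfg.policies
```

With `indication = SAME` the base station collapses the second parameter and policy onto the first, so the UE ends up with one key for both sessions; with `DIFFERENT` the UE derives two keys that match the base station's because both sides apply the same KDF to the same parameters; with `RAN_DECIDES` the outcome depends only on the base station state fed to `first_rule`.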
In the network architecture shown in Figs. 3A and 3B there are an MgNB and an SgNB and two different data channels, corresponding to two different sessions (the first session and the second session of the embodiments of this application). The following takes as an example the case in which the SMF network element sends the redundant transmission security information to the MgNB, the data channel established through the MgNB is the first session, and the data channel established by the SgNB is the second session.
The cases in which the MgNB, after receiving the redundant transmission security information, determines that the security keys and security policies of the first and second sessions are the same or different are described separately below.
(1) The security keys and security policies of the first and second sessions are the same.
After determining that the security keys and security policies of the first and second sessions are the same, the MgNB may send a first indication message to the SgNB. The first indication message may indicate that the first and second sessions are redundant sessions of each other and may also indicate that the security keys and security policies of the first and second sessions are the same. The MgNB may additionally send the SgNB the security key and the security policy of the first session.
For example, the MgNB may carry the first indication message, the security key of the first session, or the security policy of the first session in an SgNB Addition/Modification Request and then send that request to the SgNB.
After receiving the first indication message, the security key of the first session, or the security policy of the first session, the SgNB may determine the security policy and security key of the second session according to the first indication message and may configure them directly, or may configure the security policy and security key of the second session only after subsequently receiving a notification message from the MgNB, where the notification message may indicate that the UE has completed its configuration and may also instruct the SgNB to activate the configuration of the second session.
The SgNB sending an SgNB Addition/Modification Request Acknowledge to the MgNB, the MgNB sending the redundant transmission security information to the UE, and the subsequent operations of the UE, the MgNB and the SgNB may refer to the description in the embodiment shown in Fig. 5 for the case in which the redundant transmission security information indicates that the security keys and security policies of the first and second sessions are the same; they are not repeated here.
It should be understood that determining the security policy and security key of a session and configuring the security policy and security key of a session mean different things. Determining them means deciding, from some information (such as the first indication message or the security policy and security key of another session), the security policy and security key that the session will subsequently be configured with, without completing the configuration operation; configuring them means activating the configuration of the second session and completing the configuration operation for it, for example activating the ciphering and/or integrity protection indicated in the security policy, or deactivating the ciphering and/or integrity protection indicated in the security policy.
It should be noted that after receiving the first indication message the SgNB may also decline to follow it and instead decide, based on its current load, the network deployment policy, its resource state, or the like, whether it can configure the same security key and security policy for the second session as for the first session. If it decides that it can, it configures them in the manner described above. If it decides to configure a security key and security policy for the second session that differ from those of the first session, then, for the case in which the security keys differ, the SgNB may continue deriving from the security key of the first session to generate the security key of the second session; if generating the security key of the second session additionally requires the second parameter, the SgNB may send the MgNB a request message for the second parameter, obtain the second parameter from the MgNB and generate the security key of the second session (the second parameter may also have been sent to the SgNB by the MgNB in advance). For the case in which the security policies differ, the SgNB may configure the security policy of the second session based on the security policy of the first session. After determining the security key and security policy of the second session, the SgNB may also send the MgNB a second indication message indicating the security key and security policy of the second session; the second indication message may be the SgNB Addition/Modification Request Acknowledge. After the MgNB sends the redundant transmission security information to the UE, the operations of the UE, the MgNB and the SgNB may refer to the description in the embodiment shown in Fig. 5 for the case in which the redundant transmission security information indicates that the security keys and security policies of the first and second sessions differ; they are not repeated here. Only the two cases in which the SgNB decides to configure, for the second session, a security key and security policy that both differ from or both equal those of the first session are mentioned here; the cases of the same security key with different security policies, and of different security keys with the same security policy, are handled similarly and are not repeated.
(2) The security keys and security policies of the first and second sessions differ.
After determining that the security keys and security policies of the first and second sessions differ, the MgNB may send a third indication message to the SgNB. The third indication message may indicate that the first and second sessions are redundant sessions of each other and may also indicate that the security keys and security policies of the first and second sessions differ. The MgNB may additionally send the SgNB the security key of the first session, the security policy of the first session, the second parameter, or an intermediate key used to generate the security key of the second session, for example K_SgNB or K_AMF; the MgNB may also determine the security policy of the second session and send it to the SgNB.
For example, the MgNB may carry the third indication message, the security key of the first session, the security policy of the first session, the second parameter, or the intermediate key used to generate the security key of the second session (or a key derived from that intermediate key) in an SgNB Addition/Modification Request and then send that request to the SgNB; the security policy of the second session may also be carried in the SgNB Addition/Modification Request.
After receiving the third indication message, the security key of the first session, the security policy of the first session, the second parameter, or the intermediate key used to generate the security key of the second session, the SgNB may determine the security key and security policy of the second session according to the third indication message. For the security key of the second session, the SgNB may continue deriving from the security key of the first session, or may generate it from the second parameter, the intermediate key, or a key derived from the intermediate key. For the case in which the security policy of the second session differs, the SgNB may configure the security policy of the second session based on the security policy of the first session; if it received the security policy of the second session, it may use that as the policy subsequently configured for the second session.
The SgNB sending an SgNB Addition/Modification Request Acknowledge to the MgNB, the MgNB sending the redundant transmission security information to the UE, and the subsequent operations of the UE, the MgNB and the SgNB may refer to the description in the embodiment shown in Fig. 5 for the case in which the redundant transmission security information indicates that the security keys and security policies of the first and second sessions differ; they are not repeated here.
It should be noted that after receiving the third indication message the SgNB may also decline to follow it and instead decide, based on its current load, the network deployment policy, its resource state, or the like, whether it can configure a security key and security policy for the second session that differ from those of the first session. If it decides that it can, it configures them in the manner described above. If it decides to configure the same security key and security policy for the second session as for the first session, then the SgNB configuring the same security key and security policy for the second session, the SgNB sending the SgNB Addition/Modification Request Acknowledge to the MgNB, the MgNB sending the redundant transmission security information to the UE, and the subsequent operations of the UE, the MgNB and the SgNB may refer to the description in the embodiment shown in Fig. 5 for the case in which the redundant transmission security information indicates that the security keys and security policies of the first and second sessions are the same; they are not repeated here. Only the two cases in which the SgNB decides to configure, for the second session, a security key and security policy that both differ from or both equal those of the first session are mentioned here; the cases of the same security key with different security policies, and of different security keys with the same security policy, are handled similarly and are not repeated.
In the description of the two cases above, only the two cases in which the MgNB determines that the second session is configured with a security key and security policy that both differ from or both equal those of the first session are mentioned; the cases of the same security key with different security policies, and of different security keys with the same security policy, are handled similarly, by referring to the respective descriptions for the same/different security key and the same/different security policy, and are not repeated here.
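The following Python model shows the MgNB/SgNB exchange of cases (1) and (2) above, including the SgNB overriding the MgNB's indication on the basis of its own load or deployment policy, and the two ways it can then obtain a differing second-session key: from an intermediate K_SgNB supplied in the SgNB Addition/Modification Request, or by continuing to derive from the first session's key after fetching the second parameter from the MgNB with a request message. It is an added example, not code from the patent or from any gNB implementation. The message fields, the KDF, the counter used to freshen K_SgNB and the policy strings are assumptions. One caveat on the text: it lists K_AMF among the possible intermediate keys, but in 5G K_AMF is held by the AMF and the UE and is not provided to the RAN, so the example models only a K_SgNB-style key that the MgNB itself derives.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Assumed KDF (the page names none): HMAC-SHA256 over a label and its inputs."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


@dataclass
class SgnbAdditionRequest:
    """Assumed field layout of the SgNB Addition/Modification Request described above."""
    sessions: tuple                   # (first session id, second session id): redundant pair
    same_key: bool                    # first indication message (True) / third (False)
    same_policy: bool
    session1_key: bytes
    session1_policy: str
    k_sgnb: Optional[bytes] = None    # intermediate key K_SgNB, only when the keys differ
    second_param: Optional[bytes] = None
    session2_policy: Optional[str] = None


class MgNB:
    def __init__(self, k_gnb: bytes):
        self.k_gnb = k_gnb
        self.sn_counter = 0           # freshness input for K_SgNB (assumption)
        self.second_params = {}       # session id -> second parameter, for later requests

    def addition_request(self, same: bool, sessions, params, policies) -> SgnbAdditionRequest:
        """Builds the request of case (1) when same=True and of case (2) otherwise."""
        p1, p2 = params
        pol1, pol2 = policies
        self.second_params[sessions[1]] = p2
        key1 = kdf(self.k_gnb, b"session", p1)
        if same:
            return SgnbAdditionRequest(sessions, True, True, key1, pol1)
        self.sn_counter += 1
        k_sgnb = kdf(self.k_gnb, b"K_SgNB", self.sn_counter.to_bytes(2, "big"))
        return SgnbAdditionRequest(sessions, False, False, key1, pol1,
                                   k_sgnb=k_sgnb, second_param=p2, session2_policy=pol2)

    def second_param_request(self, session_id) -> bytes:
        """Answers the SgNB's request message for the second parameter."""
        return self.second_params[session_id]


class SgNB:
    def __init__(self, load: float, reliability_required: bool, local_policy: str):
        self.load = load
        self.reliability_required = reliability_required
        self.local_policy = local_policy  # used when a differing policy must be chosen locally

    def handle(self, req: SgnbAdditionRequest, mgnb: MgNB):
        """Returns (second session key, second session policy, acknowledge indication)."""
        same = req.same_key and req.same_policy
        # The SgNB may override the MgNB's indication from its own load / deployment policy.
        if self.reliability_required:
            same = False
        elif self.load > 0.8:
            same = True
        if same:
            return req.session1_key, req.session1_policy, {"same_key": True, "same_policy": True}
        # Different key: derive from K_SgNB if the MgNB supplied it, otherwise continue
        # deriving from the first session's key; fetch the second parameter if it was not sent.
        param = (req.second_param if req.second_param is not None
                 else mgnb.second_param_request(req.sessions[1]))
        root = req.k_sgnb if req.k_sgnb is not None else req.session1_key
        key2 = kdf(root, b"session", param)
        pol2 = req.session2_policy if req.session2_policy is not None else self.local_policy
        return key2, pol2, {"same_key": False, "same_policy": pol2 == req.session1_policy}
```

The acknowledge indication returned by `handle` is what the text calls the second indication message: it tells the MgNB what the SgNB actually configured, which matters precisely because the SgNB is allowed to deviate from what it was told.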
The embodiments shown in Figs. 5 and 7 are now applied to a specific scenario to further describe the session configuration method provided by this application. As shown in Fig. 8, a session configuration method provided by an embodiment of this application includes:
Step 801: The UE sends a session establishment request to the AMF network element, the session establishment request requesting establishment of the first session.
The session establishment request may carry indication information indicating that the first session supports URLLC service, or may omit that indication information.
Step 802: After receiving the session establishment request, the AMF network element sends it to the SMF network element.
Step 803: The SMF network element determines the redundant transmission security information.
For example, the SMF network element obtains from the UDM network element the part of the UE's subscription information associated with URLLC service and determines the redundant transmission security information from it; the redundant transmission security information indicates whether the two sessions used for redundant transmission need to keep the same security key and security policy.
One possible implementation is to define an indication such as "Indication of Security policy for URLLC redundant transmission": the value "1" means the same (this is the default), "2" means different, and "0" means no selection is made and the RAN-side node decides and acts on its own judgement.
Step 804: The SMF network element determines the session policy of the first session through the PCF network element.
If the data channels used for redundant transmission are of QoS-flow granularity, the SMF network element needs to determine the first QoS flow and the second QoS flow through the PCF network element or the UDM network element, for example determine the identifiers of the first and second QoS flows. A QoS flow identifier may be obtained from the 5G QoS identifier (5QI), or may be a QoS flow ID (QFI).
Step 805: The SMF network element sends the session policy of the first session to the UPF network element.
Step 806: The SMF network element sends the redundant transmission security information to the AMF network element.
As a possible implementation, the redundant transmission security information may additionally carry the identifier of the first session and the identifier of the second session.
If the data channels used for redundant transmission are of QoS-flow granularity, the redundant transmission security information may additionally carry the identifiers of the first QoS flow and the second QoS flow.
Step 807: The AMF network element sends the redundant transmission security information to the base station.
Step 808: After receiving the redundant transmission security information, the base station sends it to the UE.
After receiving the redundant transmission security information, the base station may also configure security keys and security policies for the first and second sessions according to it; correspondingly, after receiving the redundant transmission security information, the UE configures security keys and security policies for the first and second sessions according to it.
The ways in which the base station and the UE configure security keys and security policies for the first and second sessions when the redundant transmission security information indicates different things may refer to the embodiments shown in Figs. 5 and 6 and are not repeated here.
Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus for performing the method performed by the base station in the embodiments shown in Figs. 5 and 8. For the related features see the method embodiments above; they are not repeated here. As shown in Fig. 9, the apparatus includes a receiving unit 901 and a sending unit 902:
the receiving unit 901 is configured to receive, from a session management network element, redundant transmission security information of a first session, the redundant transmission security information indicating the security keys and security policies of the first session and a second session that a terminal device needs to establish, where the second session is the redundant session of the first session;
the sending unit 902 is configured to send the redundant transmission security information to the terminal device.
In a possible implementation, the apparatus further includes a processing unit 903, which, after the receiving unit 901 receives the redundant transmission security information of the first session from the session management network element, may further configure security keys and security policies for the first and second sessions according to the redundant transmission security information.
In a possible implementation, the sending unit 902 may send the security policies of the first and second sessions to the terminal device.
In a possible implementation, the sending unit 902 may send a first parameter and a second parameter to the terminal device, the first parameter being a parameter used to generate the security key of the first session and the second parameter being a parameter used to generate the security key of the second session.
In a possible implementation, the redundant transmission security information indicates that the security keys and security policies of the first and second sessions are the same, or indicates that they differ.
Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus for performing the method performed by the terminal device in the embodiments shown in Figs. 5 and 8. For the related features see the method embodiments above; they are not repeated here. As shown in Fig. 10, the apparatus includes a sending unit 1001 and a receiving unit 1002:
the sending unit 1001 is configured to send a session establishment request to a session management network element, the session establishment request requesting establishment of the first session;
the receiving unit 1002 is configured to receive the redundant transmission security information from an access network device, the redundant transmission security information indicating the security keys and security policies of the first session and a second session, the second session being the redundant session of the first session.
In a possible implementation, the apparatus further includes a processing unit 1003, which may configure security keys and security policies for the first and second sessions based on the redundant transmission security information.
In a possible implementation, the receiving unit 1002 may further receive the security policies of the first and second sessions from the access network device; the processing unit 1003, when configuring security policies for the first and second sessions based on the redundant transmission security information, may then configure them according to the received security policies of the first and second sessions.
In a possible implementation, the receiving unit 1002 may further receive a first parameter and a second parameter from the access network device, the first parameter being a parameter used to generate the security key of the first session and the second parameter being a parameter used to generate the security key of the second session; the processing unit 1003, when configuring security keys for the first and second sessions based on the redundant transmission security information, may then configure them according to the first and second parameters.
In a possible implementation, the redundant transmission security information indicates that the security keys and security policies of the first and second sessions are the same, or indicates that they differ.
Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus for performing the method performed by the base station in the embodiments shown in Figs. 7 and 8. For the related features see the method embodiments above; they are not repeated here. As shown in Fig. 11, the apparatus includes a processing unit 1101 and a sending unit 1102:
the processing unit 1101 is configured to configure security keys and security policies for a first session and a second session that a terminal device needs to establish, the second session being the redundant session of the first session;
the sending unit 1102 is configured to send an indication message to the terminal device, the indication message indicating the security keys and security policies of the first and second sessions.
In a possible implementation, the apparatus further includes a receiving unit 1103, which, before the processing unit 1101 configures security keys and security policies for the first and second sessions, may receive from a session management network element redundant transmission security information of the first session indicating that the security keys and security policies of the first and second sessions are to be determined by the access network device.
In a possible implementation, when configuring security keys and security policies for the first and second sessions, the processing unit 1101 may determine them according to a first rule, the first rule including some or all of the following:
the load of the access network device, the network deployment policy, and the resource state of the access network device.
In a possible implementation, the sending unit 1102 may further send the security policies of the first and second sessions to the terminal device.
In a possible implementation, the sending unit 1102 may further send a first parameter and a second parameter to the terminal device, the first parameter being a parameter used to generate the security key of the first session and the second parameter being a parameter used to generate the security key of the second session.
In a possible implementation, the processing unit 1101 configures the same security key and security policy for the first and second sessions, and the indication message indicates that the security keys and security policies of the first and second sessions are the same.
In a possible implementation, the processing unit 1101 configures different security keys and security policies for the first and second sessions, and the indication message indicates that the security keys and security policies of the first and second sessions differ.
Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus for performing the method performed by the terminal device in the embodiments shown in Figs. 7 and 8. For the related features see the method embodiments above; they are not repeated here. As shown in Fig. 12, the apparatus includes a receiving unit 1201 and a sending unit 1202:
the sending unit 1202 is configured to send a session establishment request to a session management network element, the session establishment request requesting establishment of the first session;
the receiving unit 1201 is configured to receive an indication message from an access network device, the indication message indicating the security keys and security policies of the first session and a second session, where the second session is the redundant session of the first session.
In a possible implementation, the apparatus further includes a processing unit 1203, which may configure security keys and security policies for the first and second sessions based on the indication message.
In a possible implementation, the receiving unit 1201 may first receive the security policies of the first and second sessions from the access network device; the processing unit 1203, when configuring security policies for the first and second sessions based on the indication message, may then configure them according to the received security policies of the first and second sessions.
In a possible implementation, the receiving unit 1201 may first receive a first parameter and a second parameter from the access network device, the first parameter being a parameter used to generate the security key of the first session and the second parameter being a parameter used to generate the security key of the second session; the processing unit 1203, when configuring security keys for the first and second sessions based on the indication message, may then configure them according to the first and second parameters.
In a possible implementation, the indication message indicates that the security keys and security policies of the first and second sessions are the same, or indicates that they differ.
Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus for performing the method performed by the SMF network element in the embodiments shown in Figs. 5, 6, 7 and 8. For the related features see the method embodiments above; they are not repeated here. As shown in Fig. 13, the apparatus includes a receiving unit 1301, a processing unit 1302 and a sending unit 1303:
the receiving unit 1301 is configured to receive a session establishment request from a terminal device, the session establishment request requesting establishment of the first session;
the processing unit 1302 is configured to determine, after the receiving unit 1301 receives the session establishment request from the terminal device, redundant transmission security information of the first session, the redundant transmission security information indicating the security keys and security policies of the first session and a second session, where the second session is the redundant session of the first session;
the sending unit 1303 is configured to send the redundant transmission security information to an access network device.
In a possible implementation, when determining the redundant transmission security information of the first session, the processing unit 1302 may determine it according to first information, the first information being some or all of: the subscription information of the terminal device, a session policy stored locally by the session management network element, and a session policy obtained by the session management network element from a policy control network element.
In a possible implementation, the processing unit 1302 may also receive the redundant transmission security information from another network element, for example the policy control network element.
In a possible implementation, when sending the redundant transmission security information of the first session to the access network device, the sending unit 1303 may send it to the access network device through an access management network element.
In a possible implementation, the redundant transmission security information indicates that the security keys and security policies of the first and second sessions are the same, or indicates that they differ, or indicates that they are to be determined by the access network device.
The division into units in the embodiments of this application is illustrative and is only a division by logical function; other divisions are possible in practice. The functional units of the embodiments may be integrated into one processor, may exist separately as physical units, or two or more units may be integrated into one module. The integrated units may be implemented in hardware or as software functional modules.
If an integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, or the part of it that contributes over the prior art, or all or part of it, may be embodied as a software product stored in a storage medium and including instructions that cause a terminal device (which may be a personal computer, a mobile phone, a network device, or the like) or a processor to perform all or some of the steps of the methods of the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
In the embodiments of this application, the access network device and the terminal device may each be presented in the form of functional modules obtained by integrated division. A "module" here may be an application-specific integrated circuit (ASIC), a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the functions described above.
In a simple embodiment, a person skilled in the art will appreciate that the access network device and the session management network element may take the form shown in Fig. 14.
The apparatus 1400 shown in Fig. 14 includes at least one processor 1401 and a memory 1402, and may optionally further include a communication interface 1403.
The memory 1402 may be volatile memory such as random access memory, or non-volatile memory such as read-only memory, flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory 1402 may also be a combination of the above.
The embodiments do not limit the specific connection medium between the processor 1401 and the memory 1402. In the figure the memory 1402 and the processor 1401 are connected by a bus 1404, drawn as a thick line; the connections between other components are illustrative only and not limiting. The bus 1404 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in Fig. 14, but this does not mean there is only one bus or only one type of bus.
The processor 1401 may itself have data transmitting and receiving functions and be able to communicate with other devices; in the apparatus of Fig. 14 a separate transceiving module, such as the communication interface 1403, may also be provided for transmitting and receiving data, and the processor 1401 may transmit data through the communication interface 1403 when communicating with other devices.
When the access network device takes the form shown in Fig. 14, the processor 1401 in Fig. 14 may invoke the computer-executable instructions stored in the memory 1402 so that the access network device performs the method performed by the base station in any of the method embodiments above.
Specifically, the functions and implementation of the transceiving units and processing units in Figs. 9 and 11 may all be realised by the processor 1401 in Fig. 14 invoking the computer-executable instructions stored in the memory 1402. Alternatively, the functions and implementation of the processing units in Figs. 9 and 11 may be realised by the processor 1401 invoking the instructions stored in the memory 1402, and the functions and implementation of the transceiving units in Figs. 9 and 11 may be realised by the communication interface 1403 in Fig. 14.
When the session management network element takes the form shown in Fig. 14, the processor 1401 in Fig. 14 may invoke the computer-executable instructions stored in the memory 1402 so that the session management network element performs the method performed by the SMF network element in any of the method embodiments above.
Specifically, the functions and implementation of the transceiving units and processing unit in Fig. 13 may all be realised by the processor 1401 in Fig. 14 invoking the computer-executable instructions stored in the memory 1402. Alternatively, the functions and implementation of the processing unit in Fig. 13 may be realised by the processor 1401 invoking the instructions stored in the memory 1402, and the functions and implementation of the transceiving units in Fig. 13 may be realised by the communication interface 1403 in Fig. 14.
Because the apparatus provided by the embodiments of this application can perform the communication methods described above, the technical effects it can achieve are those of the method embodiments above and are not repeated here.
In a simple embodiment, a person skilled in the art will appreciate that the terminal device may take the form shown in Fig. 15.
The apparatus 1500 shown in Fig. 15 includes at least one processor 1501 and a memory 1502, and may optionally further include a transceiver 1503.
The memory 1502 may be volatile memory such as random access memory, or non-volatile memory such as read-only memory, flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory 1502 may also be a combination of the above.
The embodiments do not limit the specific connection medium between the processor 1501 and the memory 1502. In the figure the memory 1502 and the processor 1501 are connected by a bus 1504, drawn as a thick line; the connections between other components are illustrative only and not limiting. The bus 1504 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in Fig. 15, but this does not mean there is only one bus or only one type of bus.
The processor 1501 may itself have data transmitting and receiving functions and be able to communicate with other devices; in the apparatus of Fig. 15 a separate transceiving module, such as the transceiver 1503, may also be provided for transmitting and receiving data, and the processor 1501 may transmit data through the transceiver 1503 when communicating with other devices.
When the terminal device takes the form shown in Fig. 15, the processor 1501 in Fig. 15 may invoke the computer-executable instructions stored in the memory 1502 so that the terminal device performs the method performed by the UE in any of the method embodiments above.
Specifically, the functions and implementation of the transceiving units and processing units in Figs. 10 and 12 may all be realised by the processor 1501 in Fig. 15 invoking the computer-executable instructions stored in the memory 1502. Alternatively, the functions and implementation of the processing units in Figs. 10 and 12 may be realised by the processor 1501 invoking the instructions stored in the memory 1502, and the functions and implementation of the transceiving units in Figs. 10 and 12 may be realised by the transceiver 1503 in Fig. 15.
Because the apparatus provided by the embodiments of this application can perform the communication methods described above, the technical effects it can achieve are those of the method embodiments above and are not repeated here.
This application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to this application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, may be implemented by computer program instructions. These instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on it to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Clearly, a person skilled in the art can make various changes and modifications to this application without departing from its spirit and scope. If such modifications and variations fall within the scope of the claims of this application and their equivalents, this application is intended to cover them as well.

Claims (30)

  1. A session configuration method, characterised in that the method comprises:
    an access network device receiving, from a session management network element, redundant transmission security information of a first session, the redundant transmission security information indicating the security keys and security policies of the first session and a second session that a terminal device needs to establish, wherein the second session is the redundant session of the first session;
    the access network device sending the redundant transmission security information to the terminal device.
  2. The method of claim 1, characterised in that, after the access network device receives the redundant transmission security information of the first session from the session management network element, the method further comprises:
    the access network device configuring security keys and security policies for the first session and the second session according to the redundant transmission security information.
  3. The method of claim 2, characterised in that, after the access network device receives the redundant transmission security information of the first session from the session management network element, the method further comprises:
    the access network device sending the security policies of the first session and the second session to the terminal device.
  4. The method of claim 2 or 3, characterised in that, after the access network device receives the redundant transmission security information of the first session from the session management network element, the method further comprises:
    the access network device sending a first parameter and a second parameter to the terminal device, the first parameter being a parameter used to generate the security key of the first session and the second parameter being a parameter used to generate the security key of the second session.
  5. The method of any one of claims 1 to 3, characterised in that the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that the security keys and security policies of the first session and the second session differ.
  6. A session configuration method, characterised in that the method comprises:
    a terminal device sending a session establishment request to a session management network element, the session establishment request requesting establishment of the first session;
    the terminal device receiving, from an access network device, redundant transmission security information of the first session, the redundant transmission security information indicating the security keys and security policies of the first session and a second session, the second session being the redundant session of the first session.
  7. The method of claim 6, characterised in that the method further comprises:
    the terminal device configuring security keys and security policies for the first session and the second session based on the redundant transmission security information.
  8. The method of claim 6, characterised in that the terminal device configuring security policies for the first session and the second session based on the redundant transmission security information comprises:
    the terminal device receiving the security policies of the first session and the second session from the access network device;
    the terminal device configuring, based on the redundant transmission security information, security policies for the first session and the second session according to the security policies of the first session and the second session.
  9. The method of claim 7 or 8, characterised in that the terminal device configuring security keys for the first session and the second session based on the redundant transmission security information comprises:
    the terminal device receiving a first parameter and a second parameter from the access network device, the first parameter being a parameter used to generate the security key of the first session and the second parameter being a parameter used to generate the security key of the second session;
    the terminal device configuring, based on the redundant transmission security information, security keys for the first session and the second session according to the first parameter and the second parameter.
  10. The method of any one of claims 6 to 9, characterised in that the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that the security keys and security policies of the first session and the second session differ.
  11. A session configuration method, characterised in that the method comprises:
    a session management network element determining, after receiving a session establishment request from a terminal device, redundant transmission security information of a first session, the redundant transmission security information indicating the security keys and security policies of the first session and a second session, wherein the session establishment request requests establishment of the first session and the second session is the redundant session of the first session;
    the session management network element sending the redundant transmission security information to an access network device.
  12. The method of claim 11, characterised in that the session management network element determining the redundant transmission security information of the first session comprises:
    the session management network element determining the redundant transmission security information according to first information, the first information being some or all of the following:
    the subscription information of the terminal device, a session policy stored locally by the session management network element, and a session policy obtained by the session management network element from a policy control network element.
  13. The method of claim 11, characterised in that the session management network element determining the redundant transmission security information of the first session comprises:
    the session management network element receiving the redundant transmission security information of the first session from a policy control network element.
  14. The method of any one of claims 11 to 13, characterised in that the session management network element sending the redundant transmission security information to the access network device comprises:
    the session management network element sending the redundant transmission security information to the access network device through an access management network element.
  15. The method of any one of claims 11 to 13, characterised in that the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that the security keys and security policies of the first session and the second session differ, or indicates that the security keys and security policies of the first session and the second session are to be determined by the access network device.
  16. A communication apparatus, characterised in that the apparatus comprises a receiving unit and a sending unit:
    the receiving unit is configured to receive, from a session management network element, redundant transmission security information of a first session, the redundant transmission security information indicating the security keys and security policies of the first session and a second session that a terminal device needs to establish, wherein the second session is the redundant session of the first session;
    the sending unit is configured to send the redundant transmission security information to the terminal device.
  17. The apparatus of claim 16, characterised in that the apparatus further comprises a processing unit, which, after the receiving unit receives the redundant transmission security information of the first session from the session management network element, is configured to:
    configure security keys and security policies for the first session and the second session according to the redundant transmission security information.
  18. The apparatus of claim 17, characterised in that the sending unit is further configured to:
    send the security policies of the first session and the second session to the terminal device.
  19. The apparatus of claim 17 or 18, characterised in that the sending unit is further configured to:
    send a first parameter and a second parameter to the terminal device, the first parameter being a parameter used to generate the security key of the first session and the second parameter being a parameter used to generate the security key of the second session.
  20. The apparatus of any one of claims 16 to 19, characterised in that the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that the security keys and security policies of the first session and the second session differ.
  21. A communication apparatus, characterised in that the apparatus comprises a sending unit and a receiving unit:
    the sending unit is configured to send a session establishment request to a session management network element, the session establishment request requesting establishment of the first session;
    the receiving unit is configured to receive the redundant transmission security information from an access network device, the redundant transmission security information indicating the security keys and security policies of the first session and a second session, the second session being the redundant session of the first session.
  22. The apparatus of claim 21, characterised in that the apparatus further comprises a processing unit configured to:
    configure security keys and security policies for the first session and the second session based on the redundant transmission security information.
  23. The apparatus of claim 21, characterised in that the receiving unit is further configured to:
    receive the security policies of the first session and the second session from the access network device;
    and the processing unit, when configuring security policies for the first session and the second session based on the redundant transmission security information, is specifically configured to:
    configure, based on the redundant transmission security information, security policies for the first session and the second session according to the security policies of the first session and the second session.
  24. The apparatus of claim 22 or 23, characterised in that the receiving unit is further configured to:
    receive a first parameter and a second parameter from the access network device, the first parameter being a parameter used to generate the security key of the first session and the second parameter being a parameter used to generate the security key of the second session;
    and the processing unit, when configuring security keys for the first session and the second session based on the redundant transmission security information, is specifically configured to:
    configure, based on the redundant transmission security information, security keys for the first session and the second session according to the first parameter and the second parameter.
  25. The apparatus of any one of claims 21 to 24, characterised in that the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that the security keys and security policies of the first session and the second session differ.
  26. A communication apparatus, characterised in that the apparatus comprises a receiving unit, a processing unit and a sending unit:
    the receiving unit is configured to receive a session establishment request from a terminal device, wherein the session establishment request requests establishment of the first session;
    the processing unit is configured to determine, after the receiving unit receives the session establishment request from the terminal device, redundant transmission security information of the first session, the redundant transmission security information indicating the security keys and security policies of the first session and a second session, wherein the second session is the redundant session of the first session;
    the sending unit is configured to send the redundant transmission security information to an access network device.
  27. The apparatus of claim 26, characterised in that the processing unit, when determining the redundant transmission security information of the first session, is specifically configured to:
    determine the redundant transmission security information according to first information, the first information being some or all of the following:
    the subscription information of the terminal device, a session policy stored locally by the session management network element, and a session policy obtained by the session management network element from a policy control network element.
  28. The apparatus of claim 26, characterised in that the processing unit is further configured to:
    receive the redundant transmission security information from a policy control network element.
  29. The apparatus of any one of claims 26 to 28, characterised in that the sending unit, when sending the redundant transmission security information to the access network device, is specifically configured to:
    send the redundant transmission security information to the access network device through an access management network element.
  30. The apparatus of any one of claims 26 to 29, characterised in that the redundant transmission security information indicates that the security keys and security policies of the first session and the second session are the same, or indicates that the security keys and security policies of the first session and the second session differ, or indicates that the security keys and security policies of the first session and the second session are to be determined by the access network device.
PCT/CN2020/072868 2019-01-18 2020-01-17 一种会话配置方法及装置 WO2020147849A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP20740939.2A EP3893468A4 (en) 2019-01-18 2020-01-17 SESSION CONFIGURATION METHOD AND DEVICE
US17/377,425 US11902325B2 (en) 2019-01-18 2021-07-16 Session configuration method and apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910051183.2A CN111464572B (zh) 2019-01-18 2019-01-18 一种会话配置方法及装置
CN201910051183.2 2019-01-18

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/377,425 Continuation US11902325B2 (en) 2019-01-18 2021-07-16 Session configuration method and apparatus

Publications (1)

Publication Number Publication Date
WO2020147849A1 true WO2020147849A1 (zh) 2020-07-23

Family

ID=71614281

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/072868 WO2020147849A1 (zh) 2019-01-18 2020-01-17 一种会话配置方法及装置

Country Status (4)

Country Link
US (1) US11902325B2 (zh)
EP (1) EP3893468A4 (zh)
CN (1) CN111464572B (zh)
WO (1) WO2020147849A1 (zh)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2574898A (en) * 2018-06-22 2019-12-25 Nec Corp Communication system
WO2022067480A1 (en) * 2020-09-29 2022-04-07 Qualcomm Incorporated Enhancing connection reliability using motion metrics
CN115134936A (zh) * 2021-03-24 2022-09-30 海能达通信股份有限公司 用户会话的处理方法及相关装置
CN113543119B (zh) * 2021-06-07 2023-10-24 中国联合网络通信集团有限公司 标识符的获取方法和统一数据管理实体、终端
CN114374553A (zh) * 2021-12-30 2022-04-19 中国电信股份有限公司 一种时间同步方法及系统

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108347410A (zh) * 2017-01-24 2018-07-31 华为技术有限公司 安全实现方法、设备以及系统

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8848916B2 (en) * 2010-04-15 2014-09-30 Qualcomm Incorporated Apparatus and method for transitioning from a serving network node that supports an enhanced security context to a legacy serving network node
CN104620536B (zh) * 2012-09-17 2018-02-23 瑞典爱立信有限公司 高可用性、可扩展策略和计费控制系统及用于其的方法
CN105703890B (zh) * 2014-11-28 2020-10-20 电信科学技术研究院 一种进行数据传输的方法和设备
US10624006B2 (en) * 2016-08-05 2020-04-14 Qualcomm Incorporated Techniques for handover of a connection between a wireless device and a local area network, from a source access node to a target access node
EP4228301A1 (en) * 2017-03-17 2023-08-16 Telefonaktiebolaget LM Ericsson (publ) Security solution for switching on and off security for up data between ue and ran in 5g

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "Clarifications to solution #1 on dual connectivity based user plane redundancy", 3GPP; S2-188904, 26 August 2018 (2018-08-26), XP051537685 *
QUALCOMM INCORPORATED: "Analysis of URLLC solutions using DC", 3GPP; S2-1811944, 20 November 2018 (2018-11-20), XP051498690 *
See also references of EP3893468A4 *

Also Published As

Publication number Publication date
CN111464572B (zh) 2021-09-07
CN111464572A (zh) 2020-07-28
EP3893468A1 (en) 2021-10-13
US20210344716A1 (en) 2021-11-04
US11902325B2 (en) 2024-02-13
EP3893468A4 (en) 2022-02-09


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20740939

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020740939

Country of ref document: EP

Effective date: 20210705

NENP Non-entry into the national phase

Ref country code: DE