WO2020164432A1 - Communication method and apparatus - Google Patents

Communication method and apparatus

Info

Publication number
WO2020164432A1
Authority
WO
WIPO (PCT)
Prior art keywords
network device
access network
security
qos flow
communication
Application number
PCT/CN2020/074406
Other languages
French (fr)
Chinese (zh)
Inventor
王瑞
戴明增
曾清海
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/10 Integrity
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 76/00 Connection management > H04W 76/10 Connection setup > H04W 76/15 Setup of multiple wireless link connections
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 76/00 Connection management > H04W 76/30 Connection release

Definitions

  • the embodiments of the present application relate to the field of communication technologies, and in particular, to a communication method and device.
  • the 5th generation mobile communication technology (5G) system introduces security protection for the air interface user plane, where security protection means integrity protection and/or encryption protection.
  • PDU protocol data unit
  • the core network device sends a request message to the base station to request the allocation of resources for the PDU session, and at the same time sends a security indication stating that security protection of the PDU session is required, not needed, or recommended; if the security indication states that protection is recommended, the base station decides by itself whether to protect the PDU session, that is, the base station determines the security result by itself.
  • gNB a base station that uses a new radio (NR) in a 5G system
  • ng-eNB next generation base station
  • the embodiments of the present application provide a communication method and device, and provide a security protection method for an air interface user plane in a 5G dual-connection communication system.
  • a communication method is provided.
  • the communication method is applied to a dual-connection communication system including a first access network device and a second access network device.
  • the first access network device obtains a first quality of service (QoS) flow and a first security result of a protocol data unit (PDU) session.
  • the first access network device carries the first QoS flow and performs security protection on the first QoS flow according to the first security result. The first QoS flow belongs to the PDU session; the first security result is determined by the first access network device or by the second access network device, and indicates whether security protection is to be performed on the PDU session.
  • the security protection includes at least one of integrity protection and encryption protection.
  • the first access network device is the master node or the secondary node of the dual-connectivity communication system.
  • the first access network device performs security protection on the first QoS flow according to the first security result determined by itself or by the second access network device, thereby protecting the air interface user plane.
  • the first access network device and the second access network device use the same security result to protect QoS flows belonging to the same PDU session, which keeps the security protection of the air interface user plane consistent between the two access network devices.
  • the foregoing PDU session includes a second QoS flow
  • the second QoS flow is carried by a second access network device. That is, before the first access network device carries the first QoS flow, the second access network device carries the second QoS flow.
  • all QoS flows of the PDU session can be carried on the second access network device.
  • the first security result is determined by the second access network device.
  • the first security result is determined by the master node of the dual-connectivity communication system.
  • all QoS flows of the PDU session are carried on the second access network device, and the first security result is determined by the second access network device.
  • the first access network device also carries the third QoS flow in the PDU session.
  • the first security result is determined by the first access network device; if the second access network device is the master node of the dual-connectivity communication system, the first security result is determined by the second access network device.
  • if the first security result is determined by the second access network device, then before the second access network device determines the first security result, the first access network device carries all QoS flows in the PDU session and determines a second security result of the PDU session.
  • the second security result is used to indicate whether to protect the PDU session.
  • the second security result is the same as the first security result.
  • the first access network device releases all QoS flows in the PDU session and sends a first request message to the second access network device. If the first access network device is the master node of the dual-connectivity communication system and the second access network device is the secondary node, the first request message requests the allocation of resources for the PDU session, and the first security result is determined according to first security indication information. If the first access network device is the secondary node and the second access network device is the master node, the first request message requests the release of all QoS flows in the PDU session.
  • the first security indication information either indicates that security protection is to be performed on the QoS flows released by the first access network device, or indicates that the second access network device is to decide by itself whether to protect those QoS flows.
  • the second access network device can determine the security result of the PDU session by itself.
  • if the first access network device is the master node of the dual-connectivity communication system and the second access network device is the secondary node, then after the second access network device determines the first security result, the first access network device receives the first security result from the second access network device. If the first security result differs from the second security result, the first access network device also sends the first security result to the core network device, so that the core network device learns that the security result of the PDU session has changed.
  • when the first access network device is the master node and the second access network device is the secondary node, if the security result of the PDU session changes from the second security result to the first security result, and the first security result was determined by the second access network device, the first access network device must communicate with the second access network device so that it can send the first security result to the core network device, which then completes the corresponding configuration according to the first security result.
  • after obtaining the first security result, the first access network device also stores the first security result.
  • in the above method, "the first access network device obtaining the first security result of the PDU session" may be: the first access network device obtains the first security result locally.
  • the first access network device may obtain the first security result locally. If the first security result is determined by the second access network device, then after the first access network device obtains it from the second access network device it may or may not store it; if it does store it, it can later obtain the first security result locally.
  • if the first security result is determined by the second access network device, then after performing security protection on the first QoS flow according to the first security result, the first access network device also releases a fourth QoS flow and sends a second request message to the second access network device, requesting security protection of the fourth QoS flow according to the first security result; the fourth QoS flow belongs to the PDU session.
  • when the first access network device and the second access network device both carry QoS flows of the PDU session, and both protect the QoS flows they carry according to the first security result, then after the first access network device releases the fourth QoS flow it carried, the second access network device can carry the fourth QoS flow and protect it according to the first security result.
  • a communication device which can implement the functions in the first aspect and any one of its possible implementation manners. These functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the communication device may include a processing unit, and the processing unit may perform the corresponding function in the communication method of the foregoing first aspect and any one of its possible implementation manners.
  • a processing unit for obtaining a first QoS flow belonging to a PDU session, and for obtaining a first security result of the PDU session, the first security result being determined by the first access network device or by the second access network device; the security result of the PDU session indicates whether security protection is to be performed on the PDU session, and the security protection includes at least one of integrity protection and encryption protection;
  • the processing unit is further configured to carry the first QoS flow and to perform security protection on the first QoS flow according to the first security result.
  • a communication device in a third aspect includes a processor configured to couple with a memory and to read and execute instructions in the memory, so as to implement the communication method described in the first aspect and any one of its possible implementation manners.
  • the communication device may further include a memory for storing program instructions and data of the communication device.
  • the communication device may further include a transceiver, which, under the control of the processor of the communication device, performs the steps of sending and receiving data, signaling or information in the communication method described in the first aspect and any one of its possible implementations, for example receiving a first request message and sending a second request message.
  • the communication device may be the first access network device, or a part of the devices in the first access network device, such as a chip system in the first access network device.
  • the chip system is used to support the first access network device in implementing the functions involved in the first aspect and any one of its possible implementations, for example receiving, sending or processing the data and/or information involved in the aforementioned communication methods.
  • the chip system includes a chip, and may also include other discrete devices or circuit structures.
  • a computer-readable storage medium stores instructions; when they run on a communication device, the communication device is caused to execute the communication method described in the first aspect and its various possible implementations.
  • a computer program product including instructions is also provided, which when running on a communication device, causes the communication device to execute the communication method as described in the first aspect and various possible implementations thereof.
  • a communication method is provided.
  • the first access network device obtains, from the core network device, indication information stating that a preset QoS flow or a preset evolved packet system (EPS) bearer is to be security-protected according to the first security result, where the security protection includes at least one of integrity protection and encryption protection.
  • the first access network device determines a target DRB and performs security protection on the target DRB according to the first security result, where the target DRB carries the preset QoS flow or corresponds to the preset EPS bearer.
  • the basic granularity of the QoS control of the 4G system is the EPS bearer.
  • the data streams of the same EPS bearer get the same QoS guarantee, and the DRB and EPS bearers are mapped one by one.
  • multiple QoS flows of PDU sessions are mapped to one or more DRBs. If the core network device instructs to perform security protection on the specified QoS flow or the specified EPS bearer according to the first security result, the first access network device performs security protection on the target DRB according to the instruction.
  • this achieves security protection at a finer granularity, which can effectively reduce the power consumption of the terminal and increase the data transmission and reception rate.
  • the first access network device may also release the preset QoS flow or the preset EPS bearer and send a security request message to the second access network device, requesting security protection of the released object (the preset QoS flow or the preset EPS bearer) according to the first security result.
  • when the first access network device transfers the preset QoS flow or the preset EPS bearer to the second access network device, it must instruct the second access network device to protect it according to the first security result.
  • a communication device which can implement the functions in the first aspect and any one of its possible implementation manners. These functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the communication device may include a processing unit, and the processing unit may perform the corresponding function in the communication method of the foregoing first aspect and any one of its possible implementation manners.
  • the processing unit is used to obtain indication information from the core network device, the indication information indicating that the preset QoS flow or the preset EPS bearer is to be security-protected according to the first security result, where the security protection includes at least one of integrity protection and encryption protection; to determine a target DRB that carries the preset QoS flow or corresponds to the preset EPS bearer; and to perform security protection on the target DRB according to the first security result.
  • a communication device includes a processor configured to couple with a memory and to read and execute instructions in the memory, so as to implement the communication method described in the sixth aspect and any one of its possible implementation manners.
  • the communication device may further include a memory, and the memory is used to store program instructions and data of the communication device.
  • the communication device may further include a transceiver, which, under the control of the processor of the communication device, performs the steps of sending and receiving data, signaling or information in the communication method described in the sixth aspect and any one of its possible implementation manners, for example sending a security request message.
  • the communication device may be the first access network device, or a part of the devices in the first access network device, such as a chip system in the first access network device.
  • the chip system is used to support the first access network device in implementing the functions involved in the sixth aspect and any one of its possible implementations, such as receiving, sending or processing the data and/or information involved in the aforementioned communication methods.
  • the chip system includes a chip, and may also include other discrete devices or circuit structures.
  • a computer-readable storage medium stores instructions; when they run on a communication device, the communication device executes the communication method described in the sixth aspect and its various possible implementations.
  • a computer program product including instructions is also provided, which when running on a communication device, causes the communication device to execute the communication method as described in the sixth aspect and various possible implementations thereof.
  • a communication system in an eleventh aspect includes the communication device according to any one of the second to fifth aspects and a second access network device, the communication device and the second access network device being dual-connected.
  • the communication system includes the communication device according to any one of the seventh to tenth aspects and a core network device.
  • the communication system further includes a second access network device, which is dual-connected to the communication device.
  • a chip system is provided, and the chip system is applied to a communication device.
  • the chip system includes one or more interface circuits and one or more processors.
  • the interface circuit and the processor are interconnected by wires.
  • the interface circuit is used to receive a signal from the memory of the communication device and send the signal to the processor, and the signal includes a computer instruction stored in the memory.
  • the communication device executes the communication method described in the first aspect and its various possible implementations, or the communication method described in the sixth aspect and its various possible implementations.
  • the name of the aforementioned communication device does not constitute a limitation on the device or functional module itself. In actual implementation, these devices or functional modules may appear under other names. As long as the function of each device or functional module is similar to that of this application, it falls within the scope of the claims of this application and equivalent technologies.
  • FIG. 1 is a schematic diagram of a network structure in which a 4G system and a 5G system coexist.
  • FIG. 2 is a schematic diagram of the communication system structure of the ENDC scenario.
  • FIG. 3 is a schematic diagram of the communication system structure of the NEDC scenario.
  • FIG. 4 is a schematic diagram of the communication system structure of the NG-ENDC scenario.
  • FIG. 5 is a schematic diagram of the hardware structure of a communication device provided by an embodiment of this application.
  • FIG. 6 is a first schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 7 is a second schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 8 is a third schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 9 is a fourth schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 10 is a fifth schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 11 is a sixth schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 12 is a seventh schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 13 is an eighth schematic flowchart of a communication method provided by an embodiment of this application.
  • FIG. 14 is a first structural diagram of a communication device provided by an embodiment of this application.
  • FIG. 15 is a second structural diagram of a communication device provided by an embodiment of this application.
  • words such as "exemplary" or "for example" are used to mean an example, illustration, or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as preferable to or more advantageous than other embodiments or designs. Rather, words such as "exemplary" or "for example" are used to present related concepts in a concrete manner.
  • first and second are only used for descriptive purposes, and cannot be understood as indicating or implying relative importance or implicitly indicating the number of indicated technical features. Thus, the features defined with “first” and “second” may explicitly or implicitly include one or more of these features. In the description of the embodiments of the present application, unless otherwise specified, “plurality” means two or more.
  • the evolved node base station (eNB) in the fourth generation mobile communication technology (4G) system is called a 4G eNB, the user equipment (UE) in the 4G system is called a 4G UE, and the UE in the 5G system is called a 5G UE.
  • the evolved UMTS terrestrial radio access network (E-UTRAN) equipment is an access network equipment, which can be a 4G eNB that provides a radio network interface for 4G UEs.
  • the 4G UE accesses the network through an E-UTRAN device, and the E-UTRAN device is connected to a mobility management entity (MME) in the 4G system.
  • MME mobility management entity
  • the core network equipment of the 4G system also includes a serving gateway (serving gateway, SGW) and a public data network gateway (public data network gateway, PGW).
  • SGW serving gateway
  • PGW public data network gateway
  • the PGW is connected to an external data network (data network, DN).
  • a 4G UE in order to communicate with a peer entity, a 4G UE will establish an end-to-end service with the peer entity.
  • the evolved packet core (EPC) network establishes a connection with the Internet through an external bearer, and establishes a connection with a 4G UE through an EPS bearer (bearer).
  • EPC evolved packet core
  • a data radio bearer (DRB) transmits data of an EPS bearer between the 4G UE and the 4G eNB (Uu interface). If there is a DRB, there is a one-to-one mapping relationship between the DRB and the EPS bearer.
  • the basic granularity of QoS control in the 4G system is EPS bearer, and data streams of the same EPS bearer get the same QoS guarantee.
  • a radio access network (RAN) device is an access network device of the 5G network, and may be a base station that provides an interface for 5G UEs to access the wireless network.
  • the 5G UE accesses the network through a RAN device, and the RAN device is connected to an access management function (AMF) entity in the 5G system.
  • AMF access management function
  • the core network equipment of the 5G system also includes a session management function (SMF) entity and a user plane function (UPF) entity, and the UPF is connected to an external DN.
  • SMF session management function
  • UPF user plane function
  • each PDU session contains one or more QoS flows. If the RAN device accepts the establishment of a PDU session, it can map the multiple QoS flows of that PDU session to one or more DRBs, that is, one or more DRBs are associated with the same PDU session.
  • the basic granularity of QoS control in the 5G system is the PDU session, and QoS flows in the same PDU session get the same QoS guarantee.
  • security protection may include at least one of integrity protection (IP) and encryption protection (confidentiality protection, CP). All security protection referred to below includes at least one of integrity protection and encryption protection.
  • IP integrity protection
  • CP encryption protection
  • the security protection of a PDU session in the 5G system can be achieved by performing the following steps:
  • Step 1: When a new PDU session needs to be established for the 5G UE, the core network device sends a request message to the RAN device over the interface between them (such as the NG interface), requesting the RAN device to allocate resources for the PDU session of the 5G UE; at the same time the core network device sends security indication information, which indicates whether security protection is to be performed for the PDU session.
  • the security indication information includes integrity protection indication (integrity protection indication) information and/or encryption protection indication (confidentiality protection indication) information.
  • the integrity protection indication information and the encryption protection indication information have three values, which are required, recommended, and not needed.
  • if the value of the integrity protection indication information is required, it indicates that integrity protection of the PDU session must be performed; if the value is recommended, it indicates that the RAN device decides by itself whether to perform integrity protection for the PDU session; if the value is not needed, it indicates that integrity protection of the PDU session is not to be performed.
  • Step 2: If the RAN device accepts (admits) the PDU session, the RAN device determines the security result of the PDU session according to the security indication information.
  • the security result here is used to indicate whether to perform security protection on the PDU session.
  • the security result includes an integrity protection result and/or an encryption protection result.
  • if the value of the security indication information is required, the RAN device protects the PDU session; if the value is not needed, the RAN device does not protect the PDU session; if the value is recommended, the RAN device decides by itself whether to protect the PDU session and sends the security result it determined to the core network device.
  • the security result determined by the RAN device may be either that security protection is required or that security protection is not needed.
  • both the integrity protection result and the encryption protection result can take the values required and not needed.
  • if the RAN device decides to perform integrity protection on the PDU session, that is, the integrity protection result is that integrity protection must be performed, the RAN device sends the core network device information indicating that integrity protection is performed on the PDU session.
  • Step 3: The RAN device allocates one or more DRBs for air interface transmission of the PDU session and sends the security result of the DRBs to the 5G UE.
  • one or more DRBs in the 5G system are associated with the same PDU session, so once the RAN device has determined the security result of the PDU session it can determine the security result of every DRB associated with that PDU session. The RAN device then sends the security result of the DRBs to the 5G UE, so that the 5G UE subsequently performs integrity checking and/or decryption on downlink data, and integrity protection and/or encryption on uplink data, according to that security result.
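The following is an added example, not code from the patent or from any vendor's base station software: a small Python model of Steps 1 to 3 (security indication, security result, DRB protection) together with the dual-connectivity rule stated earlier that the master node and secondary node protect QoS flows of one PDU session with the same security result and report a changed result to the core network. All class and function names, and the sample values, are this example's own.

```python
"""Constructed model of the per-PDU-session security decision described above.

Not code from the patent or any 3GPP implementation; names are this example's own.
"""
from dataclasses import dataclass, field
from enum import Enum


class Indication(str, Enum):
    """Values of the core network's integrity/encryption protection indication."""
    REQUIRED = "required"
    RECOMMENDED = "recommended"
    NOT_NEEDED = "not needed"


class Result(str, Enum):
    """Values a security result can take, per protection type."""
    REQUIRED = "required"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityIndication:
    integrity: Indication
    encryption: Indication


@dataclass(frozen=True)
class SecurityResult:
    integrity: Result
    encryption: Result


def _decide_one(ind: Indication, ran_prefers_protection: bool) -> Result:
    # "required" and "not needed" bind the RAN device; only "recommended"
    # leaves the decision to the RAN device itself.
    if ind is Indication.REQUIRED:
        return Result.REQUIRED
    if ind is Indication.NOT_NEEDED:
        return Result.NOT_NEEDED
    return Result.REQUIRED if ran_prefers_protection else Result.NOT_NEEDED


def decide_security_result(ind: SecurityIndication,
                           ran_prefers_protection: bool) -> tuple[SecurityResult, bool]:
    """Step 2. Returns (security result, whether the RAN must report it to the core).

    A report is needed whenever the RAN decided for itself, i.e. when at least
    one of the two indications was 'recommended'.
    """
    result = SecurityResult(
        integrity=_decide_one(ind.integrity, ran_prefers_protection),
        encryption=_decide_one(ind.encryption, ran_prefers_protection),
    )
    decided_locally = Indication.RECOMMENDED in (ind.integrity, ind.encryption)
    return result, decided_locally


@dataclass
class PduSession:
    """One PDU session: a single security result shared by all its QoS flows and DRBs."""
    session_id: int
    result: SecurityResult
    flows: dict[str, str] = field(default_factory=dict)   # QoS flow -> "MN" or "SN"
    drbs: dict[str, SecurityResult] = field(default_factory=dict)  # DRB -> protection


def carry_flow(session: PduSession, flow_id: str, node: str, drb_id: str) -> SecurityResult:
    """Step 3 on either node: carry a QoS flow on a DRB and protect that DRB with the
    session's result. Which node (MN or SN) carries the flow does not change the result."""
    if node not in ("MN", "SN"):
        raise ValueError("node must be 'MN' or 'SN'")
    session.flows[flow_id] = node
    session.drbs[drb_id] = session.result
    return session.drbs[drb_id]


def transfer_flow(session: PduSession, flow_id: str, to_node: str, drb_id: str) -> SecurityResult:
    """Release a QoS flow on one node and carry it on the other; the receiving node
    protects it according to the same (first) security result."""
    if flow_id not in session.flows:
        raise KeyError(flow_id)
    return carry_flow(session, flow_id, to_node, drb_id)


def update_session_result(session: PduSession, new_result: SecurityResult) -> bool:
    """Apply a newly determined result to the session and all its DRBs.

    Returns True when the result actually changed, which is the case in which the
    master node has to inform the core network device.
    """
    changed = new_result != session.result
    session.result = new_result
    for drb in session.drbs:
        session.drbs[drb] = new_result
    return changed


def consistent(session: PduSession) -> bool:
    """Consistency property: every DRB of the session, whichever node carries it,
    uses the session's single security result."""
    return all(r == session.result for r in session.drbs.values())
```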
  • FIG. 1 shows the structure of a communication system in which a 4G system and a 5G system coexist.
  • N2, S1, S11, N11, and N4 in FIG. 1 are all interfaces. You can refer to the definition and description in the existing standard protocol, which will not be described in detail here.
  • MR-DC multi-radio dual connectivity
  • the MR-DC communication system includes ENDC (E-UTRA NR DC), NEDC (NR E-UTRA DC), and NG-ENDC (next generation E-UTRA NR DC).
  • ENDC E-UTRA NR DC
  • NEDC NR E-UTRA DC
  • NG-ENDC next generation E-UTRA NR DC
  • the evolved node base station (eNB) or next generation eNB (ng-eNB) in the long term evolution (LTE) system and the gNB (which uses new radio (NR) technology) together provide wireless transmission resources to the terminal for dual connectivity.
  • eNB evolved node base station
  • ng-eNB next generation eNB
  • gNB base station using new radio (NR)
  • NR new radio
  • the ng-eNB can provide the terminal with the 5th generation core network (the 5th generation core network, 5GCN) service, and can also provide the terminal with the EPC service.
  • the ng-eNB can connect only to the 5GCN, only to the EPC, or to the 5GCN and the EPC at the same time.
  • 5GCN can also be called 5GC.
  • LTE eNB is a master node (master node, MN)
  • gNB is a secondary node (secondary node, SN)
  • MN is connected to EPC
  • both MN and SN provide air interface transmission resources for data between UE and EPC.
  • in FIG. 2, (a) is a schematic structural diagram of the Option 3 communication system and (b) is a schematic structural diagram of the Option 3A communication system.
  • the LTE eNB is connected to the EPC through the S1 interface (including the S1-C interface and the S1-U interface), and the LTE eNB is connected to the gNB through the X2 interface.
  • the gNB is also connected to the EPC through the S1-U interface.
  • the dashed line in Figure 2 indicates the connection of the control plane.
  • NEDC is also called Option 4/4A.
  • gNB is MN
  • ng-eNB is SN
  • MN is connected to 5GC
  • MN and SN provide air interface transmission resources for data between the terminal and 5GC.
  • In FIG. 3, (a) is a schematic structural diagram of the Option 4 communication system, and (b) is a schematic structural diagram of the Option 4A communication system.
  • the gNB is connected to the 5GC through the NG interface (including the NG-C interface and the NG-U interface), and the ng-eNB is connected to the gNB through the Xn interface.
  • the ng-eNB is also connected to the 5GC through the NG-U interface.
  • the dashed line in Figure 3 indicates the connection of the control plane.
  • NG-ENDC is also called Option 7/7A/7X.
  • ng-eNB is MN
  • gNB is SN
  • MN is connected to 5GC.
  • MN and SN provide air interface transmission resources for data between the terminal and 5GC.
  • In FIG. 4, (a) is a schematic structural diagram of the Option 7 communication system, and (b) is a schematic structural diagram of the Option 7A communication system.
  • the ng-eNB is connected to the 5GC through the NG interface (including the NG-C interface and the NG-U interface), and the ng-eNB is connected to the gNB through the Xn interface.
  • the gNB is also connected to the 5GC through the NG-U interface.
  • the dashed line in Figure 4 indicates the connection of the control plane.
  • The dual-connectivity communication system may also include a scenario in which two gNBs are dual-connected.
  • embodiments of the present application provide a communication method and device.
  • After the first access network device (the master station or the secondary station in the dual-connectivity communication system) obtains a first QoS flow belonging to a PDU session and the first security result of that PDU session, it carries the first QoS flow and performs security protection (at least one of integrity protection and encryption protection) on the first QoS flow according to the first security result, thereby realizing security protection of the air-interface user plane in the communication system.
  • the first security result is used to indicate whether to perform security protection on the PDU session.
  • FIG. 5 is a schematic diagram of the composition of a communication device provided by an embodiment of the application.
  • the communication device may include at least one processor 51, a memory 52, a transceiver 53, and a bus 54.
  • each component of the communication device is specifically introduced in conjunction with FIG. 5:
  • the processor 51 is the control center of the communication device, and may be a processor or a collective name for multiple processing elements.
  • The processor 51 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, for example one or more digital signal processors (DSPs) or one or more field programmable gate arrays (FPGAs).
  • CPU central processing unit
  • ASIC application specific integrated circuit
  • DSP digital signal processors
  • FPGA field programmable gate arrays
  • the processor 51 can execute various functions of the communication device by running or executing a software program stored in the memory 52 and calling data stored in the memory 52.
  • the processor 51 may include one or more CPUs, such as CPU 0 and CPU 1 shown in FIG. 5.
  • the communication device may include multiple processors, such as the processor 51 and the processor 55 shown in FIG. 5.
  • Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
  • the processor here may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
  • The memory 52 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, or magnetic disk storage.
  • EEPROM electrically erasable programmable read-only memory
  • CD-ROM compact disc read-only memory
  • the memory 52 may exist independently and is connected to the processor 51 through a bus 54.
  • the memory 52 may also be integrated with the processor 51.
  • the memory 52 is used to store a software program for executing the solution of the present application, and the processor 51 controls the execution.
  • The transceiver 53 is any device, such as a transceiver, used to communicate with other devices or communication networks, such as an Ethernet, a radio access network (RAN), or a wireless local area network (WLAN).
  • the transceiver 53 may include a receiving unit to implement a receiving function, and a transmitting unit to implement a transmitting function.
  • The bus 54 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like.
  • ISA industry standard architecture
  • PCI peripheral component interconnect
  • EISA extended industry standard architecture
  • The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is used in FIG. 5, but this does not mean that there is only one bus or one type of bus.
  • the device structure shown in FIG. 5 does not constitute a limitation on the communication device.
  • The communication device may include more or fewer components than shown in the figure, may combine certain components, or may arrange the components differently.
  • FIG. 6 is a schematic flowchart of a communication method provided by an embodiment of this application. Referring to Fig. 6, the communication method includes the following steps.
  • S601: the first access network device acquires the first QoS flow belonging to the PDU session.
  • The first access network device is the master station or the secondary station in the dual-connectivity communication system.
  • If the second access network device has admitted the PDU session at the time the first access network device acquires the first QoS flow, the second access network device is said to carry the PDU session. If the second access network device has not admitted the PDU session at that time, it is said not to carry the PDU session.
  • Admitting a PDU session means successfully allocating resources for the PDU session and using the allocated resources for data transmission of the PDU session. All subsequent references to "admitting a PDU session" follow this description.
  • the first QoS flow acquired by the first access network device may be newly allocated by the core network device.
  • the first QoS flow acquired by the first access network device may also be released by the second access network device.
  • Specifically, the first QoS flow may be released by the secondary station at the master station's request, or released by the secondary station on its own initiative.
  • If the first QoS flow is newly allocated by the core network device and the first access network device is the master station, the first access network device obtains the first QoS flow from the core network device. If the first QoS flow is newly allocated by the core network device and the first access network device is the secondary station, the first access network device obtains the first QoS flow from the second access network device (in this case, the master station).
  • "Obtaining the first QoS flow" in the embodiments of the present application refers to obtaining the indication information for establishing the QoS flow.
  • S602: the first access network device obtains the first security result of the PDU session.
  • the first security result is used to indicate whether to perform security protection on the PDU session, and the security protection includes at least one of integrity protection and encryption protection.
  • the first security result in the embodiment of the present application is determined by the first access network device or the second access network device.
  • In one case, the first security result is determined by the first access network device; accordingly, the first access network device obtains the first security result directly from local storage.
  • In another case, the first security result is determined by the second access network device.
  • The first access network device may then receive the first security result sent by the second access network device.
  • The first access network device may also store the first security result; after it subsequently obtains the first QoS flow, it obtains the first security result locally. For this process, refer to the description of FIG. 7, FIG. 8, or FIG. 9 below.
  • Optionally, the first security result of the PDU session is determined by the master station of the dual-connectivity communication system. If the first access network device is the master station, it obtains the first security result locally after obtaining the first QoS flow. If the second access network device is the master station, the first access network device communicates with the second access network device to obtain the first security result.
  • S603: the first access network device carries the first QoS flow and performs security protection on the first QoS flow according to the first security result.
  • Security processing is completed by the packet data convergence protocol (PDCP) entity. Therefore, "the first access network device performs security protection on the first QoS flow according to the first security result" specifically means "the PDCP entity of the first access network device performs security protection on the first QoS flow according to the first security result".
  • A QoS flow being carried by the first access network device means that the PDCP entity corresponding to the QoS flow is deployed on the first access network device.
  • Likewise, a "QoS flow carried by the second access network device" below means that the PDCP entity corresponding to the QoS flow is deployed on the second access network device.
  • Whether the first access network device is the master station or the secondary station in the dual-connectivity communication system, security protection of the first QoS flow is realized by executing the above S601 to S603.
  • If the first security result is determined by the first access network device, the first access network device only needs to execute S601 to S603 to realize security protection of the air-interface user plane, which is not described in detail here.
  • If the first security result is determined by the second access network device, the first access network device needs to communicate with the second access network device to obtain the first security result.
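The inheritance of a PDU session's security result by every DRB of that session (described at the start of this section) and the PDCP-entity protection of S603 are shown below as an added example; it is not code from the patent or from any 3GPP implementation. It assumes a security result of two booleans (integrity, ciphering), constructed 16-byte keys, and stand-in primitives: HMAC-SHA256 truncated to 32 bits in place of a 3GPP NIA integrity algorithm, and a SHA-256 counter-mode keystream in place of an NEA ciphering algorithm. The names PdcpEntity, protect, unprotect, drb_results_for_session and demo are this example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass

UPLINK, DOWNLINK = 0, 1
MAC_LEN = 4  # bytes; the PDCP MAC-I is 32 bits


@dataclass(frozen=True)
class SecurityResult:
    """Security result of a PDU session: whether each protection applies."""
    integrity: bool
    ciphering: bool


def drb_results_for_session(session_result, drb_ids):
    """Every DRB associated with the PDU session inherits the session's result."""
    return {drb_id: session_result for drb_id in drb_ids}


def _keystream(key, count, bearer, direction, length):
    # Stand-in for a 3GPP NEA keystream (assumption: SHA-256 in counter mode over
    # COUNT, BEARER, DIRECTION and a block index). Not a real NEA algorithm.
    out = b""
    block = 0
    while len(out) < length:
        iv = count.to_bytes(4, "big") + bytes([bearer, direction]) + block.to_bytes(4, "big")
        out += hashlib.sha256(key + iv).digest()
        block += 1
    return out[:length]


def _mac_i(key, count, bearer, direction, data):
    # Stand-in for a 3GPP NIA MAC-I (assumption: HMAC-SHA256 over COUNT, BEARER,
    # DIRECTION and the data, truncated to 32 bits). Not a real NIA algorithm.
    msg = count.to_bytes(4, "big") + bytes([bearer, direction]) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class IntegrityFailure(Exception):
    """Raised when a received PDU fails the MAC-I check."""


class PdcpEntity:
    """PDCP entity of one DRB; applies that DRB's security result."""

    def __init__(self, drb_id, result, k_int, k_enc):
        self.drb_id = drb_id
        self.result = result
        self.k_int = k_int
        self.k_enc = k_enc

    def protect(self, count, direction, sdu):
        """Sender side: append MAC-I if integrity is on, then cipher if ciphering is on."""
        data = sdu
        if self.result.integrity:
            data += _mac_i(self.k_int, count, self.drb_id, direction, sdu)
        if self.result.ciphering:
            ks = _keystream(self.k_enc, count, self.drb_id, direction, len(data))
            data = bytes(a ^ b for a, b in zip(data, ks))
        return data

    def unprotect(self, count, direction, pdu):
        """Receiver side: decipher, then verify and strip the MAC-I; raise on tampering."""
        data = pdu
        if self.result.ciphering:
            ks = _keystream(self.k_enc, count, self.drb_id, direction, len(data))
            data = bytes(a ^ b for a, b in zip(data, ks))
        if self.result.integrity:
            if len(data) < MAC_LEN:
                raise IntegrityFailure("PDU too short to carry a MAC-I")
            sdu, mac = data[:-MAC_LEN], data[-MAC_LEN:]
            expected = _mac_i(self.k_int, count, self.drb_id, direction, sdu)
            if not hmac.compare_digest(mac, expected):
                raise IntegrityFailure("MAC-I mismatch on DRB %d" % self.drb_id)
            return sdu
        return data


def demo(session_result):
    """Send one uplink SDU on DRB 1 of a session whose DRBs 1 and 2 share
    session_result. Returns (roundtrip_ok, tamper_detected)."""
    k_int = bytes(range(16))        # constructed keys; not derived as in 3GPP
    k_enc = bytes(range(16, 32))
    results = drb_results_for_session(session_result, [1, 2])
    ue = {d: PdcpEntity(d, r, k_int, k_enc) for d, r in results.items()}
    gnb = {d: PdcpEntity(d, r, k_int, k_enc) for d, r in results.items()}
    sdu = b"constructed IP packet payload"
    pdu = ue[1].protect(count=7, direction=UPLINK, sdu=sdu)
    roundtrip_ok = gnb[1].unprotect(7, UPLINK, pdu) == sdu
    tampered = bytes([pdu[0] ^ 0x01]) + pdu[1:]
    try:
        gnb[1].unprotect(7, UPLINK, tampered)
        tamper_detected = False
    except IntegrityFailure:
        tamper_detected = True
    return roundtrip_ok, tamper_detected


if __name__ == "__main__":
    for r in (SecurityResult(True, True), SecurityResult(False, True)):
        print(r, demo(r))
```

The receiver deciphers before it verifies and rejects any PDU whose MAC-I does not match, including one protected under a different COUNT or direction. When the security result turns integrity off, a flipped bit passes undetected; that exposure is exactly what the session's security result encodes, which is why both stations of a dual-connectivity pair must apply the same result to the same session.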
  • the following content of the embodiment of the present application mainly describes a scenario where the first security result is determined by the second access network device.
  • First, the case where the first access network device is the master station and the second access network device is the secondary station is described.
  • If the second access network device determines the first security result, then before the first access network device obtains the first QoS flow, the second access network device can carry the remaining QoS flows of the PDU session other than the first QoS flow, determine the first security result, and send the first security result to the first access network device.
  • the communication method provided by the embodiment of the present application further includes:
  • the second access network device carries all QoS flows in the PDU session, and determines the first security result.
  • In one implementation, when the PDU session is initially established, the first access network device does not carry any QoS flow of the PDU session; the second access network device obtains all QoS flows of the PDU session through the first access network device, carries the acquired QoS flows, and determines the first security result.
  • the second access network device receives the first security indication information from the first access network device, and determines the first security result.
  • the first security indication information is obtained by the first access network device from the core network.
  • In another implementation, the first access network device first carries all QoS flows of the PDU session. Subsequently, under certain conditions (for example, when the first access network device releases all QoS flows in the PDU session, or when it obtains a new QoS flow belonging to the PDU session from the core network device), the first access network device sends to the second access network device a first request message for requesting admission of the PDU session, that is, for requesting allocation of resources for the PDU session, and the second access network device determines the first security result according to the first security indication information.
  • The second access network device admits the PDU session, carries all QoS flows in the PDU session, and determines the first security result.
  • For the specific process of this implementation, refer to the description of FIG. 8 or FIG. 9 below.
  • S701: the second access network device sends the first security result to the first access network device.
  • the first access network device sends the first security result to the core network device.
  • the first access network device may store the first security result.
  • Optionally, after S701, the first access network device also sends the first security result to the core network device, so that the core network device learns the latest security result of the PDU session and completes the corresponding configuration according to the first security result.
  • the first access network device may send the first security result to the core network device.
  • the first access network device may not send the first security result to the core network device.
  • This step is therefore represented by a dotted line in FIG. 7.
  • the communication method provided in the embodiment of the present application further includes:
  • the first access network device carries all QoS flows of the PDU session.
  • all QoS flows carried by the first access network device at this moment are referred to as the first QoS flow set.
  • the first access network device determines a second security result.
  • The second security result here may be the same as or different from the first security result.
  • the first access network device sends the second security result to the core network device, so that the core network device can complete the corresponding configuration according to the second security result.
  • the first access network device sends a first request message for requesting admission of the PDU session to the second access network device.
  • In one case, after the first access network device releases all QoS flows in the PDU session, that is, after releasing the first QoS flow set, it sends the first request message to the second access network device. In another case, after the first access network device obtains a new QoS flow (such as QoS flow 1) belonging to the PDU session from the core network device, it releases the QoS flows of the PDU session that it carries and sends the first request message to the second access network device.
  • a new QoS flow such as QoS flow 1
  • The first request message includes a first identifier and first security indication information.
  • the first identifier is used to indicate the first QoS flow set, or used to indicate the first QoS flow set and QoS flow 1.
  • The first security indication information is used to indicate that security protection is to be performed on the QoS flow indicated by the first identifier, or to indicate whether security protection is to be performed on the QoS flow indicated by the first identifier.
  • "The first access network device releases all QoS flows in the PDU session" can also be described as "the first access network device transfers all QoS flows in the PDU session to the second access network device".
  • After S701, if the first security result differs from the second security result, the first access network device sends the first security result to the core network device, so that the core network device can redo the corresponding configuration.
  • the first access network device may also store the first security result, that is, execute S803.
  • If the first security result is the same as the second security result, the core network device does not need to reconfigure the related information, and therefore the first access network device does not need to send the first security result to the core network device.
  • If the first access network device performs S803, the above S602 is specifically that the first access network device obtains the first security result locally; if the first access network device does not perform S803, the above S602 is specifically that the first access network device communicates with the second access network device to obtain the first security result. That is, in the scenario where the first access network device performs S803, S602 can be replaced with S602a; in the scenario where it does not perform S803, S602 can be replaced with S602b.
  • S602a: the first access network device obtains the first security result locally.
  • S602b: the first access network device communicates with the second access network device to obtain the first security result.
  • After the second access network device determines the first security result, the first access network device may also release all or part of the QoS flows (for example, the fourth QoS flow) of the PDU session that it carries; subsequently, the second access network device carries the QoS flow released by the first access network device.
  • the QoS flow for example, the fourth QoS flow
  • the communication method provided by the embodiment of the present application includes:
  • S900: the first access network device releases the fourth QoS flow belonging to the PDU session.
  • the fourth QoS flow may be all QoS flows in the PDU session carried by the first access network device, or part of the QoS flows in the PDU session carried by the first access network device, which is not specifically limited here.
  • the first access network device may decide to release the fourth QoS flow by itself, or it may release the fourth QoS flow after acquiring a new QoS flow belonging to the PDU session from the core network device. This is not specifically limited.
  • S901: the first access network device sends a second request message to the second access network device.
  • the second request message is used to instruct to perform security protection on the fourth QoS flow according to the first security result.
  • When the first access network device and the second access network device simultaneously carry QoS flows of the PDU session, both perform security protection on the QoS flows they carry according to the first security result, and the first security result is determined by the second access network device. Therefore, after the first access network device releases the fourth QoS flow, the fourth QoS flow also needs to be protected according to the first security result.
  • S902: the second access network device performs security protection on the fourth QoS flow according to the first security result.
  • the second access network device may also release part of the QoS flow in the PDU session carried by it. Subsequently, the first access network device bears the QoS flow released by the second access network device, and according to The first security result performs security protection on the QoS flow. This process is similar to the above S900-S902, and will not be described in detail here.
  • That is, the secondary station can change the security result of the PDU session to the first security result. If, after the secondary station determines the first security result of the PDU session, the master station obtains part of the QoS flows belonging to the PDU session (such as the first QoS flow), the master station needs to use the first security result to protect the first QoS flow; that is, the master station cannot change the security result of the PDU session.
  • In this way, both the first access network device and the second access network device can protect the QoS flows in the PDU session, realizing security protection of the air-interface user plane. Moreover, when both devices carry QoS flows of the PDU session, they use the same security result to protect the QoS flows belonging to that PDU session, which keeps the security protection of the first access network device and the second access network device consistent.
  • the first access network device can also be a secondary station, and the second access network device can be a master station.
  • the following describes the case where the first access network device is the secondary station and the second access network device is the primary station.
  • If the first access network device is the secondary station, the second access network device is the master station, and the second access network device determines the first security result, then before the first access network device obtains the first QoS flow, the second access network device admits the PDU session, carries the remaining QoS flows of the PDU session other than the first QoS flow, and determines the first security result.
  • the communication method provided by the embodiment of the present application further includes:
  • the second access network device carries all QoS flows in the PDU session, and determines the first security result.
  • In one implementation, when the PDU session is initially established, the first access network device does not carry any QoS flow of the PDU session; the second access network device carries all QoS flows of the PDU session and determines the first security result.
  • In another implementation, the first access network device first carries all QoS flows of the PDU session. Subsequently, under certain conditions (for example, when the first access network device releases all QoS flows in the PDU session), the first access network device sends to the second access network device a request message including a second identifier, where the second identifier indicates all QoS flows in the PDU session.
  • The second access network device admits the PDU session, carries all QoS flows in the PDU session, and determines the first security result.
  • For the specific process of this implementation, refer to the description of FIG. 11 or FIG. 12 below.
  • the second access network device after determining the first security result, sends the first security result to the core network device, so that the core network device can complete related configurations according to the first security result.
  • the second access network device performs security protection on all QoS flows in the PDU session according to the first security result.
  • the second access network device may determine to release the first QoS flow by itself, or may determine to release the first QoS flow after acquiring a new QoS flow belonging to the PDU session from the core network device. Subsequently, the second access network device sends the first QoS flow and the first security result to the first access network device. Correspondingly, the first access network device obtains the first QoS flow and the first security result.
  • S601 and S602 can be replaced with the following S601a and S601b.
  • S601a: the second access network device releases the first QoS flow.
  • S601b: the second access network device sends the first QoS flow and the first security result to the first access network device.
  • the communication method provided in the embodiment of the present application further includes:
  • the first access network device carries all QoS flows of the PDU session.
  • all QoS flows carried by the first access network device at this moment are referred to as the first QoS flow set.
  • the first access network device determines a second security result, and performs security protection on the QoS flow in the first QoS flow set according to the second security result.
  • the second security result is used to indicate whether to perform security protection on the PDU session.
  • The second security result may be the same as or different from the first security result.
  • the first access network device sends a second security result to the second access network device.
  • the second access network device sends a second security result to the core network device.
  • After receiving the second security result, the core network device completes the corresponding configuration according to the second security result.
  • the second access network device may store the second security result. That is, after S1102, the second access network device can perform S1104.
  • S1104: the second access network device stores the second security result.
  • Because S1104 is an optional step, it is represented by a dashed frame in FIG. 11.
  • the first access network device releases all QoS flows in the PDU session, and sends a first request message to the second access network device.
  • the first request message includes a second identifier, and the second identifier is used to indicate all QoS flows in the PDU session, that is, the second identifier is used to indicate the first QoS flow set.
  • The first request message may also include at least one of the second security result and second security indication information, where the second security indication information is used to indicate that security protection is to be performed on the QoS flow indicated by the second identifier, or to indicate that the second access network device determines by itself whether to perform security protection on the QoS flow indicated by the second identifier.
  • If the first request message includes the second security result, the second access network device can subsequently determine whether the first security result is the same as the second security result and decide accordingly whether to communicate with the core network device.
  • The second access network device then determines the first security result.
  • Optionally, the first security result is also sent to the core network device; that is, after S1000, S1106 is also executed.
  • After the second access network device determines the first security result, the first access network device may also release all or part of the QoS flows (for example, the fourth QoS flow) of the PDU session that it carries; subsequently, the second access network device carries the QoS flow released by the first access network device.
  • the QoS flow for example, the fourth QoS flow
  • the communication method provided in the embodiment of the present application includes:
  • S1200: the first access network device releases the fourth QoS flow belonging to the PDU session.
  • the fourth QoS flow may be all QoS flows in the PDU session carried by the first access network device, or part of the QoS flows in the PDU session carried by the first access network device, which is not specifically limited here.
  • the first access network device may determine to release the fourth QoS flow by itself, or it may release the fourth QoS flow after receiving the request sent by the second access network device, which is not specifically limited in the embodiment of the application .
  • S1201: the first access network device sends a second request message to the second access network device.
  • the second request message is used to instruct to perform security protection on the fourth QoS flow according to the first security result.
  • S1202: the second access network device performs security protection on the fourth QoS flow according to the first security result.
  • When the first access network device and the second access network device simultaneously carry QoS flows of the PDU session, both perform security protection on the QoS flows they carry according to the first security result, and the first security result is determined by the second access network device. Therefore, after the first access network device releases the fourth QoS flow, the fourth QoS flow also needs to be protected according to the first security result.
  • the second access network device may also release part of the QoS flow in the PDU session carried by it. Subsequently, the first access network device bears the QoS flow released by the second access network device, and according to The first security result performs security protection on the QoS flow. This process is similar to the above S1200 ⁇ S1202, and will not be described in detail here.
  • That is, the master station can change the security result of the PDU session to the first security result. If, after the master station determines the first security result of the PDU session, the secondary station obtains part of the QoS flows belonging to the PDU session (such as the first QoS flow), the secondary station needs to use the first security result to protect the first QoS flow; that is, the secondary station cannot change the security result of the PDU session.
  • In this way, both the first access network device and the second access network device can protect the QoS flows in the PDU session, realizing security protection of the air-interface user plane. Moreover, when both devices carry QoS flows of the PDU session, they use the same security result to protect the QoS flows belonging to that PDU session, which keeps the security protection of the first access network device and the second access network device consistent.
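The master-station-first scenario of FIG. 7 to FIG. 9 and the symmetric secondary-station-first scenario of FIG. 10 to FIG. 12 are modelled below as one Python state model; this is an added example, not the patent's own code, and it implements no 3GPP interface. It encodes the consistency rule stated above: the station that admits the PDU session determines the first security result, and the other station, when it later acquires or takes over QoS flows of that session, must reuse that result rather than change it. Assumed names: AccessNode, SecurityIndication (with the values required, preferred and not_needed, modelled on the 3GPP user-plane security policy, where a binding value is the "must be secured" case), and the procedure functions; the core network is reduced to a dict of the results reported to it. Because both stations run the same logic, acquire_flow and transfer_flows serve either role.

```python
from dataclasses import dataclass, field

REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not_needed"
BINDING = {REQUIRED: True, NOT_NEEDED: False}  # 'preferred' follows local capability


@dataclass(frozen=True)
class SecurityResult:
    integrity: bool
    ciphering: bool


@dataclass(frozen=True)
class SecurityIndication:
    """Security indication information from the core network (assumed encoding)."""
    integrity: str = PREFERRED
    ciphering: str = PREFERRED


class SecurityResultConflict(Exception):
    """A node tried to protect flows of one PDU session with two different results."""


@dataclass
class AccessNode:
    name: str
    supports_integrity: bool = True
    supports_ciphering: bool = True
    flows: dict = field(default_factory=dict)    # session -> QFIs whose PDCP entity is here
    results: dict = field(default_factory=dict)  # session -> result currently in force
    stored: dict = field(default_factory=dict)   # session -> result learned from the peer

    def determine_result(self, session, ind):
        """Admit the session and decide its security result from the indication."""
        result = SecurityResult(BINDING.get(ind.integrity, self.supports_integrity),
                                BINDING.get(ind.ciphering, self.supports_ciphering))
        self._apply(session, result)
        return result

    def _apply(self, session, result):
        # Consistency check: while this node still carries flows of the session,
        # it may not switch them to a different security result.
        if session in self.flows and self.results[session] != result:
            raise SecurityResultConflict(
                f"{self.name}: {session} uses {self.results[session]}, refused {result}")
        self.results[session] = result

    def carry(self, session, qfis, result):
        """S603: carry the QoS flows and protect them according to result."""
        self._apply(session, result)
        self.flows.setdefault(session, set()).update(qfis)

    def release(self, session, qfis):
        """Release QoS flows; with none left, no result is in force at this node."""
        self.flows[session] -= set(qfis)
        if not self.flows[session]:
            del self.flows[session]
            del self.results[session]


def establish_session_via_sn(mn, sn, cn, session, qfis, ind):
    """FIG. 7: the SN admits all flows, determines the first security result and sends
    it to the MN (S701); the MN stores it and reports it to the core network."""
    first = sn.determine_result(session, ind)
    sn.carry(session, qfis, first)
    mn.stored[session] = first
    cn[session] = first
    return first


def acquire_flow(node, peer, session, qfi):
    """S601 to S603 at either station: a new QFI of an existing session arrives; the first
    result comes from local storage (S602a) or from the peer (S602b) and is reused unchanged."""
    if session in node.stored:
        first = node.stored[session]
    elif session in peer.flows:
        first = peer.results[session]
        node.stored[session] = first
    else:
        raise LookupError(f"{node.name}: no security result known for {session}")
    node.carry(session, {qfi}, first)
    return first


def transfer_flows(src, dst, session, qfis):
    """S900 to S902 / S1200 to S1202: src releases flows and its second request carries
    the first security result; dst must protect the flows with that same result."""
    result = src.results[session]
    src.release(session, qfis)
    dst.carry(session, qfis, result)  # raises SecurityResultConflict on a mismatch
    return result


def mn_first_then_sn(mn, sn, cn, session, qfis, ind):
    """FIG. 8: the MN carries all flows under a second result and reports it; after releasing
    them all it sends the first request to the SN, which determines the first result. The MN
    stores that result (S803) and reports it only if it differs from the second result."""
    second = mn.determine_result(session, ind)
    mn.carry(session, qfis, second)
    cn[session] = second
    mn.release(session, qfis)
    first = sn.determine_result(session, ind)
    sn.carry(session, qfis, first)
    mn.stored[session] = first
    if first != second:
        cn[session] = first
    return second, first
```

The check worth keeping from this model is `_apply`: a station may change the security result of a session only when it carries none of that session's flows, which is exactly the FIG. 8 case where the master station's second result is superseded by the secondary station's first result after a full transfer, and which makes any attempt to protect a newly acquired flow under a different result fail loudly instead of silently splitting one session across two security levels.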
  • The core network device in the embodiment of the present application may send indication information to an access network device connected to it (such as the first access network device), so that the access network device performs security protection on the DRB corresponding to the indication information.
  • the communication method provided by the embodiment of the present application includes:
  • S1300: the core network device sends indication information to the first access network device, where the indication information is used to indicate that security protection is to be performed on a preset QoS flow or a preset EPS bearer according to the first security result.
  • Here the first security result is mandatory; that is, the indication information indicates that the preset QoS flow or EPS bearer must be security protected.
  • the preset QoS flow is a QoS flow designated for security protection by the core network device
  • the preset EPS bearer may be a default bearer or an EPS bearer designated by the core network device for security protection.
  • S1301: the first access network device determines the target DRB and performs security protection on the target DRB according to the first security result.
  • the target DRB is a DRB carrying a preset QoS flow
  • the preset QoS flow is a QoS flow designated by the core network device for security protection; or, the target DRB corresponds to a preset EPS bearer.
  • S1302: the first access network device releases the preset QoS flow/preset EPS bearer and sends a security request message to the second access network device.
  • the first access network device transfers the preset QoS flow/preset EPS bearer to the second access network device.
  • the first access network device sends a security request message to the second access network device.
  • the security request message includes identification information (used to identify the preset QoS flow or the preset EPS bearer), the first security result, and security indication information; the security indication information is used to indicate that the object identified by the identification information (the preset QoS flow/preset EPS bearer) is to be security protected according to the first security result.
  • the second access network device determines the DRB corresponding to the object identified by the identification information, and performs security protection on the determined DRB according to the first security result.
  • steps S1300 to S1301 can be used on their own in a single connectivity scenario or a dual connectivity scenario, in which case steps S1302 to S1303 are omitted.
  • An embodiment of the present application provides a communication device 14, which may be a first access network device, or may be a part of the device in the first access network device, such as a chip system in the first access network device.
  • the chip system is used to support the first access network device in implementing the functions involved in the method embodiments shown in FIGS. 6 to 12, such as receiving, sending, or processing the data and/or information involved in the above methods.
  • the chip system includes a chip, and may also include other discrete devices or circuit structures.
  • the communication device 14 is used to execute the steps performed by the first access network device in the methods shown in FIGS. 6 to 12 above.
  • the communication device 14 provided in the embodiment of the present application may include modules corresponding to corresponding steps.
  • the embodiment of the present application may divide the communication device 14 into functional modules according to the foregoing method examples.
  • each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
  • the above-mentioned integrated modules can be implemented in the form of hardware or software functional modules.
  • the division of modules in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
  • FIG. 14 shows a possible structural schematic diagram of the communication device 14 in this embodiment.
  • the communication device 14 includes a processing unit 141.
  • the processing unit 141 is used to support the communication device 14 to perform operations such as acquisition, bearing, security protection, and determination shown in FIGS. 6-12, such as: S601, S602, S603, S800, S801, S900, S1000, S1001, S1105, S1200, etc., and/or other processes used in the techniques described herein.
  • the communication device 14 provided in the embodiment of the present application includes but is not limited to the aforementioned modules.
  • the communication device 14 may also include a sending unit 142, a receiving unit 143, and a storage unit 144.
  • the sending unit 142 is used to support the communication device 14 in performing the sending operations shown in FIGS. 6-12, such as S802, S702, S901, S1105, S1201, etc., and/or other processes used in the technology described herein.
  • the receiving unit 143 is configured to support the communication device 14 to perform the receiving operations shown in FIGS. 6-12, such as S601b, S602b, S701, etc., and/or other processes used in the technology described herein.
  • the storage unit 144 can be used to store the program code of the communication device 14 and can also be used to store the first security result.
  • the above-mentioned processing unit 141 may be the processor 51 in FIG. 5, the sending unit 142 and the receiving unit 143 may be the transceiver 53 in FIG. 5, and the storage unit 144 may be the memory 52 in FIG. 5.
  • Another embodiment of the present application also provides a computer-readable storage medium.
  • the computer-readable storage medium stores instructions.
  • when the instructions run on the communication device 14, the communication device 14 executes the steps of the first access network device in the communication methods of the embodiments shown in FIGS. 6-12.
  • a computer program product includes computer-executable instructions stored in a computer-readable storage medium; the processor of the communication device 14 can read the computer-executable instructions from the computer-readable storage medium and execute them, causing the communication device 14 to execute the steps of the first access network device in the communication methods of the embodiments shown in FIGS. 6-12.
  • An embodiment of the present application provides a communication device 15.
  • the communication device 15 may be a first access network device, or may be a part of the first access network device, such as a chip system in the first access network device.
  • the chip system is used to support the first access network device in implementing the functions involved in the method embodiment shown in FIG. 13, for example receiving, sending, or processing the data and/or information involved in the above method.
  • the chip system includes a chip, and may also include other discrete devices or circuit structures.
  • the communication device 15 is used to execute the steps executed by the first access network device in the method shown in FIG. 13.
  • the communication device 15 provided by the embodiment of the present application may include modules corresponding to corresponding steps.
  • the embodiment of the present application may divide the communication device 15 into functional modules according to the foregoing method examples.
  • each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
  • the above-mentioned integrated modules can be implemented in the form of hardware or software functional modules.
  • the division of modules in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
  • FIG. 15 shows a possible structural schematic diagram of the communication device 15.
  • the communication device 15 includes a processing unit 151.
  • the processing unit 151 is configured to support the communication device 15 to perform operations such as determination and security protection shown in FIG. 13, such as S1301, S1302, etc., and/or other processes used in the technology described herein.
  • the communication device 15 provided by the embodiment of the present application includes but is not limited to the aforementioned modules.
  • the communication device 15 may also include a sending unit 152, a receiving unit 153, and a storage unit 154.
  • the sending unit 152 is used to support the communication device 15 to perform the sending operation shown in FIG. 13, for example: S1302, etc., and/or other processes used in the technology described herein.
  • the receiving unit 153 is used to support the communication device 15 to perform the receiving operation shown in FIG. 13, for example: S1300, etc., and/or other processes used in the technology described herein.
  • the storage unit 154 can be used to store the program code of the communication device 15 and can also be used to store the first security result.
  • the aforementioned processing unit 151 may be the processor 41 in FIG. 4, the sending unit 152 and the receiving unit 153 may be the transceiver 43 in FIG. 4, and the storage unit 154 may be the memory 42 in FIG. 4.
  • Another embodiment of the present application also provides a computer-readable storage medium in which instructions are stored.
  • when the instructions run on the communication device 15, the communication device 15 executes the steps of the first access network device in the communication method of the embodiment shown in FIG. 13.
  • a computer program product in another embodiment of the present application includes computer-executable instructions stored in a computer-readable storage medium; the processor of the communication device 15 can read the computer-executable instructions from the computer-readable storage medium and execute them, causing the communication device 15 to execute the steps of the first access network device in the communication method of the embodiment shown in FIG. 13.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • when implemented by a software program, they may take the form of a computer program product in whole or in part.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part.
  • the computer can be a general-purpose computer, a dedicated computer, a computer network, or other programmable devices.
  • Computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line) or wireless means (such as infrared, radio, or microwave).
  • the computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), or a semiconductor medium (for example, a solid state disk (SSD)).
  • the disclosed device and method may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the modules or units is only a logical function division.
  • there may be other division methods; for example, multiple units or components may be combined or integrated into another device, or some features may be omitted or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate parts may or may not be physically separate.
  • the parts displayed as units may be one physical unit or multiple physical units, that is, they may be located in one place or distributed across multiple different places. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a readable storage medium.
  • the technical solutions of the embodiments of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solutions, can be embodied in the form of a software product stored in a storage medium.
  • a device, which may be a single-chip microcomputer, a chip, etc., or a processor.
  • the aforementioned storage media include: USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk, and other media that can store program code.

Abstract

Disclosed are a communication method and apparatus, which relate to the technical field of communications. The method is applied to a dual connectivity communication system comprising a first access network device and a second access network device, wherein the first access network device acquires a first QoS flow and a first security result of a PDU session, bears the first QoS flow, and carries out security protection on the first QoS flow according to the first security result. The first QoS flow belongs to the PDU session, and the first security result is determined by the first access network device, or is determined by the second access network device; and the first security result is used for indicating whether the security protection has been carried out on the PDU session, wherein the security protection comprises at least one of integrity protection and encryption protection, thus realizing security protection for an air interface user plane in the 5G dual connectivity communication system.

Description

Communication method and device
This application claims priority to Chinese patent application No. 201910115213.1, filed with the State Intellectual Property Office on February 14, 2019 and entitled "Communication method and device", the entire contents of which are incorporated herein by reference.
Technical field
The embodiments of the present application relate to the field of communication technologies, and in particular to a communication method and device.
Background
To improve data security, the 5th generation mobile communication technology (5G) system introduces security protection for the air interface user plane, where security protection means integrity protection and/or encryption protection. Specifically, when a protocol data unit (PDU) session is established for a terminal, the core network device sends a request message to the base station asking it to allocate resources for the PDU session and, at the same time, sends a security indication stating that security protection of the PDU session is required, not needed, or preferred. If the security indication states that security protection is preferred, the base station may decide by itself whether to protect the PDU session, that is, the base station may determine the security result by itself.
However, for a dual connectivity (DC) communication system, for example one in which a gNB (a base station using new radio (NR) in the 5G system) and a next generation eNB (ng-eNB) are networked together, there is currently no security protection method for the air interface user plane.
Summary of the invention
The embodiments of the present application provide a communication method and device, providing a security protection method for the air interface user plane in a 5G dual connectivity communication system.
To achieve the above objective, the embodiments of this application adopt the following technical solutions:
In a first aspect, a communication method is provided. The method is applied to a dual connectivity communication system including a first access network device and a second access network device. The first access network device obtains a first quality of service (QoS) flow and a first security result of a protocol data unit (PDU) session; the first access network device then bears the first QoS flow and performs security protection on the first QoS flow according to the first security result. Here the first QoS flow belongs to the PDU session, the first security result is determined by the first access network device or by the second access network device, and the first security result indicates whether security protection is performed on the PDU session, where security protection includes at least one of integrity protection and encryption protection.
The first access network device is the master station or the secondary station of the dual connectivity communication system. It performs security protection on the first QoS flow according to the first security result determined by itself or by the second access network device, thereby realizing security protection of the air interface user plane.
In addition, if the first security result is determined by the second access network device, the first access network device and the second access network device of this application use the same security result to protect the QoS flows belonging to the same PDU session, which ensures that the security protection of the air interface user plane by the first access network device and by the second access network device is consistent.
Optionally, in a possible implementation of this application, the PDU session includes a second QoS flow, and the second QoS flow is borne by the second access network device. That is, before the first access network device bears the first QoS flow, the second access network device already bears the second QoS flow.
In one implementation, before the first access network device bears the first QoS flow, all QoS flows of the PDU session may be borne by the second access network device; in this case, the first security result is determined by the second access network device.
In another implementation, before the first access network device bears the first QoS flow, the second access network device bears the second QoS flow and the first access network device bears other QoS flows of the PDU session; in this case, the first security result is determined by the master station of the dual connectivity communication system.
Optionally, in another possible implementation of this application, before the first access network device obtains the first QoS flow, all QoS flows of the PDU session are borne by the second access network device, and the first security result is determined by the second access network device.
Optionally, in another possible implementation of this application, the first access network device also bears a third QoS flow of the PDU session. In this case, if the first access network device is the master station of the dual connectivity communication system, the first security result is determined by the first access network device; if the second access network device is the master station of the dual connectivity communication system, the first security result is determined by the second access network device.
Optionally, in another possible implementation of this application, if the first security result is determined by the second access network device, then before the second access network device determines the first security result, the first access network device bears all QoS flows of the PDU session and determines a second security result of the PDU session; the second security result indicates whether security protection is performed on the PDU session and may be the same as or different from the first security result. Subsequently, the first access network device releases all QoS flows of the PDU session and sends a first request message to the second access network device. If the first access network device is the master station of the dual connectivity communication system and the second access network device is the secondary station, the first request message requests that resources be allocated for the PDU session and that the first security result be determined according to first security indication information. If the first access network device is the secondary station and the second access network device is the master station, the first request message requests the release of all QoS flows of the PDU session.
The first security indication information indicates that security protection is to be performed on the QoS flows released by the first access network device, or indicates that the recipient is to decide by itself whether to perform security protection on the QoS flows released by the first access network device.
After the first access network device releases all QoS flows of the PDU session, the second access network device can determine the security result of the PDU session by itself.
Optionally, in another possible implementation of this application, if the first access network device is the master station of the dual connectivity communication system and the second access network device is the secondary station, then after the second access network device determines the first security result, the first access network device also receives the first security result from the second access network device. If the first security result differs from the second security result, the first access network device further sends the first security result to the core network device, so that the core network device can determine that the security result of the PDU session has changed.
It is easy to understand that, in the scenario where the first access network device is the master station and the second access network device is the secondary station, if the security result of the PDU session changes from the second security result to the first security result and the first security result is determined by the second access network device, the first access network device needs to communicate with the second access network device so that the first access network device can send the first security result to the core network device, allowing the core network device to complete the corresponding configuration according to the first security result.
Optionally, in another possible implementation of this application, after obtaining the first security result, the first access network device also stores it. Correspondingly, the above step of "the first access network device obtaining the first security result of the PDU session" is: the first access network device obtains the first security result locally.
If the first access network device itself determines the first security result, it can obtain the first security result locally. If the first security result is determined by the second access network device, then after the first access network device obtains the first security result from the second access network device it may or may not store it. If the first access network device stores the first security result, it can obtain the first security result locally.
Optionally, in another possible implementation of this application, if the first security result is determined by the second access network device, then after performing security protection on the first QoS flow according to the first security result, the first access network device also releases a fourth QoS flow and sends a second request message to the second access network device requesting that security protection be performed on the fourth QoS flow according to the first security result, where the fourth QoS flow belongs to the PDU session.
In the scenario where both the first access network device and the second access network device bear QoS flows of the PDU session, if both perform security protection on the QoS flows they bear according to the first security result, then after the first access network device releases the fourth QoS flow it bears, the second access network device can bear the fourth QoS flow and protect it according to the first security result.
In a second aspect, a communication device is provided, which can implement the functions of the first aspect and any of its possible implementations. These functions can be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In a possible manner of this application, the communication device may include a processing unit that performs the corresponding functions of the communication method of the first aspect and any of its possible implementations. For example, the processing unit is configured to obtain a first QoS flow belonging to a PDU session; to obtain a first security result of the PDU session, the first security result being determined by the first access network device or by the second access network device, where the security result of the PDU session indicates whether security protection is performed on the PDU session and security protection includes at least one of integrity protection and encryption protection; and to bear the first QoS flow and perform security protection on it according to the first security result.
In a third aspect, a communication device is provided. The communication device includes a processor configured to be coupled with a memory and to read and execute instructions in the memory, so as to implement the communication method of the first aspect and any of its possible implementations.
Optionally, the communication device may further include a memory for storing program instructions and data of the communication device. Further optionally, the communication device may include a transceiver which, under the control of the processor of the communication device, performs the steps of sending and receiving data, signaling or information in the communication method of the first aspect and any of its possible implementations, for example receiving the first request message and sending the second request message.
Optionally, the communication device may be the first access network device, or a part of the first access network device, such as a chip system in the first access network device. The chip system is used to support the first access network device in implementing the functions involved in the first aspect and any of its possible implementations, for example receiving, sending or processing the data and/or information involved in the above communication method. The chip system includes a chip and may also include other discrete devices or circuit structures.
In a fourth aspect, a computer-readable storage medium is also provided, which stores instructions; when the instructions run on a communication device, they cause the communication device to execute the communication method of the first aspect and its various possible implementations.
In a fifth aspect, a computer program product including instructions is also provided; when it runs on a communication device, it causes the communication device to execute the communication method of the first aspect and its various possible implementations.
It should be noted that the above instructions may be stored in whole or in part on a first computer storage medium, where the first computer storage medium may be packaged together with the processor or packaged separately from it; this application does not specifically limit this.
For specific descriptions of the second, third, fourth and fifth aspects and their various implementations, reference may be made to the detailed description of the first aspect and its various implementations; likewise, for the beneficial effects of the second, third, fourth and fifth aspects and their various implementations, reference may be made to the analysis of the beneficial effects of the first aspect and its various implementations, which is not repeated here.
In a sixth aspect, a communication method is provided: a first access network device obtains, from a core network device, indication information indicating that a preset QoS flow or a preset evolved packet system (EPS) bearer is to be security-protected (at least one of integrity protection and encryption protection) according to a first security result; the first access network device then determines a target DRB and performs security protection on the target DRB according to the first security result, where the target DRB carries the preset QoS flow or corresponds to the preset EPS bearer.
In general, the basic granularity of QoS control in a 4G system is the EPS bearer: data flows on the same EPS bearer receive the same QoS guarantee, and DRBs map one-to-one to EPS bearers. In a 5G system, the multiple QoS flows of a PDU session are mapped onto one or more DRBs. If the core network device indicates that a specified QoS flow or a specified EPS bearer is to be security-protected according to the first security result, the first access network device protects the target DRB according to that indication. Compared with the prior art, this achieves security protection at a finer granularity, which can effectively reduce the terminal's power consumption and increase the data transmission and reception rate.
Optionally, in a possible implementation of this application, after performing security protection on the target DRB according to the first security result, the first access network device may also release the preset QoS flow or the preset EPS bearer and send a security request message to a second access network device, requesting that the released object (the preset QoS flow or the preset EPS bearer) be security-protected according to the first security result.
That is, even if the first access network device later transfers the preset QoS flow or the preset EPS bearer to the second access network device, it must still instruct the second access network device to protect it according to the first security result.
In a seventh aspect, a communication device is provided that can implement the functions of the first aspect and any of its possible implementations. These functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In a possible manner of this application, the communication device may include a processing unit that performs the corresponding functions in the communication method of the first aspect and any of its possible implementations. For example, the processing unit is configured to obtain indication information from a core network device, where the indication information indicates that a preset QoS flow or a preset EPS bearer is to be security-protected according to a first security result and the security protection includes at least one of integrity protection and encryption protection; to determine a target DRB, where the target DRB carries the preset QoS flow or corresponds to the preset EPS bearer; and to perform security protection on the target DRB according to the first security result.
In an eighth aspect, a communication device is provided. The communication device includes a processor configured to couple with a memory and to read and execute the instructions in the memory so as to implement the communication method of the sixth aspect and any of its possible implementations.
Optionally, the communication device may further include a memory for storing the program instructions and data of the communication device. Further optionally, the communication device may also include a transceiver which, under the control of the processor of the communication device, performs the steps of sending and receiving data, signaling or information in the communication method of the sixth aspect and any of its possible implementations, for example, sending the security request message.
Optionally, the communication device may be the first access network device, or a part of the first access network device, for example a chip system in the first access network device. The chip system is configured to support the first access network device in implementing the functions involved in the sixth aspect and any of its possible implementations, for example, receiving, sending or processing the data and/or information involved in the above communication method. The chip system includes a chip and may also include other discrete devices or circuit structures.
In a ninth aspect, a computer-readable storage medium is further provided, which stores instructions; when the instructions run on a communication device, they cause the communication device to perform the communication method of the sixth aspect and its various possible implementations.
In a tenth aspect, a computer program product including instructions is further provided; when it runs on a communication device, it causes the communication device to perform the communication method of the sixth aspect and its various possible implementations.
It should be noted that the above instructions may be stored in whole or in part on a first computer storage medium, where the first computer storage medium may be packaged together with the processor or packaged separately from the processor; this application does not specifically limit this.
For the specific description of the seventh, eighth, ninth and tenth aspects and their various implementations, reference may be made to the detailed description of the sixth aspect and its various implementations; likewise, for the beneficial effects of the seventh, eighth, ninth and tenth aspects and their various implementations, reference may be made to the analysis of the beneficial effects of the sixth aspect and its various implementations, which is not repeated here.
In an eleventh aspect, a communication system is provided. The communication system includes the communication device of any one of the second to fifth aspects and a second access network device, where the communication device and the second access network device are in dual connectivity. Alternatively, the communication system includes the communication device of any one of the seventh to tenth aspects and a core network device; optionally, the communication system further includes a second access network device that is in dual connectivity with the communication device.
In a twelfth aspect, a chip system is provided, which is applied to a communication device. Specifically, the chip system includes one or more interface circuits and one or more processors. The interface circuits and the processors are interconnected by lines. The interface circuits are configured to receive signals from the memory of the communication device and send the signals to the processors, where the signals include the computer instructions stored in the memory. When the processors execute the computer instructions, the communication device performs the communication method of the first aspect and its various possible implementations, or the communication method of the sixth aspect and its various possible implementations.
In this application, the names of the above communication devices do not limit the devices or functional modules themselves; in actual implementation, these devices or functional modules may appear under other names. As long as the function of each device or functional module is similar to that in this application, it falls within the scope of the claims of this application and their equivalents.
These and other aspects of this application will be more concise and understandable in the following description.
Description of the drawings
FIG. 1 is a schematic diagram of a network structure in which a 4G system and a 5G system coexist;
FIG. 2 is a schematic structural diagram of a communication system in the ENDC scenario;
FIG. 3 is a schematic structural diagram of a communication system in the NEDC scenario;
FIG. 4 is a schematic structural diagram of a communication system in the NG-ENDC scenario;
FIG. 5 is a schematic diagram of the hardware structure of a communication device according to an embodiment of this application;
FIG. 6 is a first schematic flowchart of a communication method according to an embodiment of this application;
FIG. 7 is a second schematic flowchart of a communication method according to an embodiment of this application;
FIG. 8 is a third schematic flowchart of a communication method according to an embodiment of this application;
FIG. 9 is a fourth schematic flowchart of a communication method according to an embodiment of this application;
FIG. 10 is a fifth schematic flowchart of a communication method according to an embodiment of this application;
FIG. 11 is a sixth schematic flowchart of a communication method according to an embodiment of this application;
FIG. 12 is a seventh schematic flowchart of a communication method according to an embodiment of this application;
FIG. 13 is an eighth schematic flowchart of a communication method according to an embodiment of this application;
FIG. 14 is a first schematic structural diagram of a communication device according to an embodiment of this application;
FIG. 15 is a second schematic structural diagram of a communication device according to an embodiment of this application.
Detailed description
In the embodiments of this application, words such as "exemplary" or "for example" are used to mean serving as an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as being preferred over or more advantageous than other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the related concepts in a concrete manner.
Hereinafter, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the embodiments of this application, unless otherwise specified, "a plurality of" means two or more.
In the embodiments of this application, the evolved NodeB (eNB) in a fourth-generation mobile communication technology (4G) system is referred to as a 4G eNB, the user equipment (UE) in a 4G system as a 4G UE, and the UE in a 5G system as a 5G UE.
In a 4G system, the evolved UMTS terrestrial radio access network (E-UTRAN) device is the access network device and may be a 4G eNB that provides the 4G UE with an interface for accessing the radio network. Specifically, the 4G UE accesses the network through the E-UTRAN device, and the E-UTRAN device connects to the mobility management entity (MME) of the 4G system. Besides the MME, the core network devices of the 4G system also include the serving gateway (SGW) and the public data network gateway (PGW). The PGW connects to an external data network (DN).
In general, in a 4G system, a 4G UE establishes an end-to-end service with a peer entity in order to communicate with it. The evolved packet core (EPC) network connects to the Internet through an external bearer and to the 4G UE through an EPS bearer. In other words, data communication between the EPC and the 4G UE is carried on EPS bearers. A data radio bearer (DRB) transports the data of one EPS bearer between the 4G UE and the 4G eNB (Uu interface). Where a DRB exists, there is a one-to-one mapping between that DRB and an EPS bearer.
The basic granularity of QoS control in a 4G system is the EPS bearer, and data flows on the same EPS bearer receive the same QoS guarantee.
In a 5G system, the radio access network (RAN) device is the access network device of the 5G network and may be a base station that provides the 5G UE with an interface for accessing the radio network. Specifically, the 5G UE accesses the network through the RAN device, and the RAN device connects to the access management function (AMF) entity of the 5G system. Besides the AMF entity, the core network devices of the 5G system also include the session management function (SMF) entity and the user plane function (UPF) entity; the UPF connects to an external DN.
The 5G system introduces the concept of a PDU session, and each PDU session contains one or more QoS flows. If the RAN device accepts the establishment of a PDU session, it may map the multiple QoS flows of that PDU session onto one or more DRBs; that is, one or more DRBs are associated with the same PDU session.
The basic granularity of QoS control in a 5G system is the PDU session, and QoS flows in the same PDU session receive the same QoS guarantee.
The QoS guarantee is also referred to as security protection and may include at least one of integrity protection (IP) and encryption protection (confidentiality protection, CP). Integrity protection may also be abbreviated as "full protection". All security protection referred to below includes at least one of integrity protection and encryption protection.
Currently, security protection of a PDU session in a 5G system can be achieved by performing the following steps:
Step 1: When a new PDU session needs to be established for the 5G UE, the core network device sends a request message to the RAN device over the interface between the core network device and the RAN device (for example, the NG interface), requesting the RAN device to allocate resources for the 5G UE's PDU session; at the same time, the core network device sends security indication information, which indicates whether the PDU session is to be security-protected.
The security indication information includes integrity protection indication information and/or confidentiality protection indication information.
Optionally, both the integrity protection indication information and the encryption protection indication information can take three values: required, preferred, and not needed.
For example, if the value of the integrity protection indication information is "required", it indicates that the PDU session must be integrity-protected; if the value is "preferred", it indicates that the recipient decides by itself whether to integrity-protect the PDU session; if the value is "not needed", it indicates that the PDU session need not be integrity-protected.
Step 2: If the RAN device admits the PDU session, it determines the security result of the PDU session according to the security indication information.
The security result here indicates whether the PDU session is security-protected. Specifically, the security result includes an integrity protection result and/or an encryption protection result.
If the value of the security indication information is "required", the RAN device security-protects the PDU session; if the value is "not needed", the RAN device does not security-protect the PDU session; if the value is "preferred", the RAN device decides by itself whether to security-protect the PDU session and sends the determined security result to the core network device.
It can be seen that the security result determined by the RAN device can be: security protection required, or security protection not needed.
Correspondingly, both the integrity protection result and the encryption protection result can be: required, or not needed.
For example, if the RAN device decides to integrity-protect the PDU session, that is, the integrity protection result is that integrity protection is required, the RAN device sends the core network device information indicating that the PDU session is integrity-protected.
Step 3: The RAN device allocates one or more DRBs for air-interface transmission of the PDU session and sends the security result of those DRBs to the 5G UE.
In a 5G system, one or more DRBs are associated with the same PDU session; therefore, once the RAN device has determined the security result of the PDU session, it has also determined the security result of the DRBs associated with that PDU session. The RAN device then sends the security result of the DRBs to the 5G UE, so that the 5G UE can subsequently perform integrity verification and/or decryption on downlink data according to that security result, and integrity-protect and/or encrypt uplink data according to it.
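The following is an added Python model of steps 1 to 3 above (security indication, RAN security result, per-DRB result) extended with the per-QoS-flow indication of the sixth aspect in the summary; it is example code written for this page, not code from the application or from any 3GPP implementation. The flow-to-DRB mapping, the RAN's local preference flags and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Indication(str, Enum):
    """Values of the integrity / confidentiality protection indication (step 1)."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


class Result(str, Enum):
    """Values of the integrity / confidentiality protection result (step 2)."""
    REQUIRED = "required"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class SecurityIndication:
    """Security indication sent by the core network with the PDU session request.
    None models a part the core network did not signal (assumption)."""
    integrity: Optional[Indication] = None
    confidentiality: Optional[Indication] = None


@dataclass(frozen=True)
class SecurityResult:
    """Security result the RAN determines for the PDU session."""
    integrity: Optional[Result] = None
    confidentiality: Optional[Result] = None


def decide(ind: Optional[Indication], ran_prefers_protection: bool) -> Optional[Result]:
    """Step 2 for one protection type.

    'required' and 'not needed' are binding on the RAN, so the RAN can never
    downgrade a 'required' indication; only 'preferred' leaves the decision to the
    RAN, modelled here by the constructed flag ran_prefers_protection.
    """
    if ind is None:
        return None
    if ind is Indication.REQUIRED:
        return Result.REQUIRED
    if ind is Indication.NOT_NEEDED:
        return Result.NOT_NEEDED
    return Result.REQUIRED if ran_prefers_protection else Result.NOT_NEEDED


def determine_security_result(ind: SecurityIndication,
                              ran_prefers_ip: bool, ran_prefers_cp: bool) -> SecurityResult:
    """Step 2 for the whole PDU session, after the RAN has admitted it."""
    return SecurityResult(
        integrity=decide(ind.integrity, ran_prefers_ip),
        confidentiality=decide(ind.confidentiality, ran_prefers_cp),
    )


def result_to_report(ind: SecurityIndication, res: SecurityResult) -> Dict[str, Result]:
    """The RAN reports a result to the core network only where the indication was
    'preferred', i.e. where the RAN itself made the choice."""
    report: Dict[str, Result] = {}
    if ind.integrity is Indication.PREFERRED:
        report["integrity"] = res.integrity
    if ind.confidentiality is Indication.PREFERRED:
        report["confidentiality"] = res.confidentiality
    return report


def drb_security(drb_map: Dict[int, Set[int]], res: SecurityResult,
                 protected_flows: Optional[Set[int]] = None) -> Dict[int, SecurityResult]:
    """Step 3: derive the per-DRB security result from the session result.

    drb_map maps each DRB id to the QoS flow ids the RAN mapped onto it (constructed
    input). With protected_flows=None every DRB of the session inherits the session
    result. With a set of QoS flow ids (the finer-grained indication of the sixth
    aspect) only the target DRBs, those carrying at least one of these flows, are
    returned; because protection is applied per DRB, every flow sharing a target
    DRB is protected together with it.
    """
    targets: Dict[int, SecurityResult] = {}
    for drb, flows in drb_map.items():
        if protected_flows is None or flows & protected_flows:
            targets[drb] = res
    return targets


if __name__ == "__main__":
    # Constructed sample: integrity left to the RAN, confidentiality mandatory.
    ind = SecurityIndication(Indication.PREFERRED, Indication.REQUIRED)
    res = determine_security_result(ind, ran_prefers_ip=False, ran_prefers_cp=False)
    print(res)                          # integrity not needed, confidentiality required
    print(result_to_report(ind, res))   # only the integrity decision is reported
    print(drb_security({1: {1, 2}, 2: {3}}, res, protected_flows={3}))  # DRB 2 only
```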
In practice, during the evolution from 4G to 5G there will be scenarios in which a 4G system and a 5G system coexist. FIG. 1 shows the structure of a communication system in which a 4G system and a 5G system coexist. For the devices shown in FIG. 1, reference may be made to the description above, which is not repeated here. N2, S1, S11, N11 and N4 in FIG. 1 are all interfaces; reference may be made to their definitions in the existing standard protocols, which are not described in detail here.
Specifically, in a scenario where a 4G system and a 5G system coexist, there are multi-RAT dual connectivity (MR-DC) communication systems.
Optionally, the MR-DC communication systems include ENDC (E-UTRA NR DC), NEDC (NR E-UTRA DC) and NG-ENDC (next generation E-UTRA NR DC).
In these three communication systems, the evolved NodeB (eNB) of the long term evolution (LTE) system (or a next generation eNB, ng-eNB) and a gNB (which provides the terminal with radio transmission resources through new radio (NR) technology) are in dual connectivity.
The ng-eNB can provide the terminal with the services of the 5th generation core network (5GCN) and can also provide the terminal with EPC services. In actual deployment, an ng-eNB may connect only to the 5GCN or only to the EPC, or to both the 5GCN and the EPC at the same time. The 5GCN may also be called 5GC.
The ENDC above is also called Option 3/3A/3X. In an ENDC communication system, the LTE eNB is the master node (MN), the gNB is the secondary node (SN), the MN connects to the EPC, and both the MN and the SN provide air-interface transmission resources for data between the UE and the EPC.
As shown in FIG. 2, (a) in FIG. 2 is a schematic structural diagram of the Option 3 communication system and (b) in FIG. 2 is a schematic structural diagram of the Option 3A communication system. In the Option 3 communication system, the LTE eNB connects to the EPC through the S1 interface (including the S1-C interface and the S1-U interface), and the LTE eNB connects to the gNB through the X2 interface. Unlike the Option 3 communication system, in the Option 3A communication system the gNB also connects to the EPC through the S1-U interface. For ease of distinction, control-plane connections are drawn as dashed lines in FIG. 2.
NEDC is also called Option 4/4A. In an NEDC communication system, the gNB is the MN, the ng-eNB is the SN, the MN connects to the 5GC, and the MN and the SN provide air-interface transmission resources for data between the terminal and the 5GC.
As shown in FIG. 3, (a) in FIG. 3 is a schematic structural diagram of the Option 4 communication system and (b) in FIG. 3 is a schematic structural diagram of the Option 4A communication system. In the Option 4 communication system, the gNB connects to the 5GC through the NG interface (including the NG-C interface and the NG-U interface), and the ng-eNB connects to the gNB through the Xn interface. Unlike the Option 4 communication system, in the Option 4A communication system the ng-eNB also connects to the 5GC through the NG-U interface. For ease of distinction, control-plane connections are drawn as dashed lines in FIG. 3.
NG-ENDC is also called Option 7/7A/7X. In an NG-ENDC communication system, the ng-eNB is the MN, the gNB is the SN, and the MN connects to the 5GC. Unlike the ENDC communication system above, in the NG-ENDC communication system the MN and the SN provide air-interface transmission resources for data between the terminal and the 5GC.
As shown in FIG. 4, (a) in FIG. 4 is a schematic structural diagram of the Option 7 communication system and (b) in FIG. 4 is a schematic structural diagram of the Option 7A communication system. In the Option 7 communication system, the ng-eNB connects to the 5GC through the NG interface (including the NG-C interface and the NG-U interface), and the ng-eNB connects to the gNB through the Xn interface. Unlike the Option 7 communication system, in the Option 7A communication system the gNB also connects to the 5GC through the NG-U interface. For ease of distinction, control-plane connections are drawn as dashed lines in FIG. 4.
Of course, dual connectivity communication systems may also include the scenario in which a gNB and another gNB are in dual connectivity.
However, for the dual connectivity communication systems above, there is currently no method for security protection of the air-interface user plane.
针对这一问题,本申请实施例提供一种通信方法及装置,在包括第一接入网设备和第二接入网设备的双连接通信系统中,第一接入网设备(双连接通信系统中的主站/辅站)在获取到属于PDU会话的第一QoS流和PDU会话的第一安全结果(双连接通信系统的主站确定/辅站确定)后,承载第一QoS流,并根据第一安全结果对第一QoS流进行安全保护(完整性保护和加密保护中的至少一种),实现了该通信系统中空口用户面的安全保护。其中,第一安全结果用于指示是否对PDU会话进行安全保护。In response to this problem, embodiments of the present application provide a communication method and device. In a dual-connection communication system including a first access network device and a second access network device, the first access network device (dual-connection communication system After obtaining the first QoS flow belonging to the PDU session and the first security result of the PDU session (the primary station/secondary station in the dual-connectivity communication system), it bears the first QoS flow, and The security protection (at least one of integrity protection and encryption protection) is performed on the first QoS flow according to the first security result, and the security protection of the user plane of the air interface in the communication system is realized. Among them, the first security result is used to indicate whether to perform security protection on the PDU session.
The communication method provided by the embodiments of this application applies to the communication systems shown in FIG. 1 to FIG. 4. Each device in FIG. 1 to FIG. 4 is a communication apparatus. In a specific implementation, the communication apparatus has the components shown in FIG. 5. FIG. 5 is a schematic diagram of the composition of a communication apparatus provided by an embodiment of this application. As shown in FIG. 5, the communication apparatus may include at least one processor 51, a memory 52, a transceiver 53 and a bus 54. The components of the communication apparatus are described below with reference to FIG. 5:
The processor 51 is the control center of the communication apparatus and may be a single processor or a collective name for multiple processing elements. For example, the processor 51 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of this application, such as one or more digital signal processors (DSPs) or one or more field-programmable gate arrays (FPGAs).
The processor 51 performs the various functions of the communication apparatus by running or executing software programs stored in the memory 52 and invoking data stored in the memory 52.
In a specific implementation, as an embodiment, the processor 51 may include one or more CPUs, for example CPU 0 and CPU 1 shown in FIG. 5.
In a specific implementation, as an embodiment, the communication apparatus may include multiple processors, for example the processor 51 and the processor 55 shown in FIG. 5. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example, computer program instructions).
The memory 52 may be a read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, a random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these. The memory 52 may exist independently and be connected to the processor 51 through the bus 54, or it may be integrated with the processor 51.
The memory 52 stores the software program that implements the solution of this application, and its execution is controlled by the processor 51.
The transceiver 53 is any transceiver-like device used to communicate with other devices or with a communication network such as Ethernet, a radio access network (RAN) or a wireless local area network (WLAN). The transceiver 53 may include a receiving unit that implements the receiving function and a sending unit that implements the sending function.
The bus 54 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in FIG. 5, but this does not mean that there is only one bus or only one type of bus.
It should be noted that the device structure shown in FIG. 5 does not limit the communication apparatus. The communication apparatus may include more or fewer components than shown in FIG. 5, combine some of the components, or arrange the components differently.
The communication method provided by the embodiments of this application is described below with reference to the communication systems shown in FIG. 1 to FIG. 4 and the communication apparatus shown in FIG. 5. Each device mentioned in the following method embodiments may have the components shown in FIG. 5, which are not described again.
FIG. 6 is a schematic flowchart of a communication method provided by an embodiment of this application. Referring to FIG. 6, the communication method includes the following steps.
S601. The first access network device obtains a first QoS flow belonging to a PDU session.
The first access network device is the master node or the secondary node of the dual-connectivity communication system.
If the second access network device has already admitted the PDU session when the first access network device obtains the first QoS flow, the second access network device is said to carry the PDU session. If the second access network device has not admitted the PDU session at that time, the second access network device is said not to carry the PDU session.
"Admitting a PDU session" here means successfully allocating resources for the PDU session and using the allocated resources to transmit data for it. All later references to "admitting a PDU session" follow this description.
The first QoS flow obtained by the first access network device may be newly allocated by a core network device. In addition, if the second access network device carries the PDU session, the first QoS flow obtained by the first access network device may also be one released by the second access network device.
If the first access network device is the master node of the dual-connectivity communication system, the first QoS flow may specifically be one that the master node requested from the secondary node, or one that the secondary node decided on its own to release.
If the first QoS flow is newly allocated by the core network device and the first access network device is the master node, the first access network device obtains the first QoS flow from the core network device. If the first QoS flow is newly allocated by the core network device and the first access network device is the secondary node, the first access network device obtains the first QoS flow from the second access network device (which is then the master node).
"Obtaining the first QoS flow" in the embodiments of this application means obtaining the indication information for establishing that QoS flow.
S602. The first access network device obtains a first security result of the PDU session.
The first security result indicates whether security protection is to be applied to the PDU session; security protection includes at least one of integrity protection and ciphering.
In the embodiments of this application, the first security result is determined by either the first access network device or the second access network device.
Specifically, if the second access network device does not carry the PDU session, the first security result is determined by the first access network device, which accordingly obtains the first security result locally.
If, when the first access network device obtains the first QoS flow, the second access network device also carries the PDU session, and all QoS flows of the PDU session other than the first QoS flow are carried by the second access network device (that is, before the first access network device obtained the first QoS flow, the second access network device carried all QoS flows of the PDU session), the first security result may be determined by the second access network device. Accordingly, the first access network device may obtain the first security result by receiving it from the second access network device.
Optionally, after the second access network device admits the PDU session, determines the first security result and sends it to the first access network device, the first access network device may store the first security result; later, after obtaining the first QoS flow, the first access network device obtains the first security result locally. This process is described with reference to FIG. 7, FIG. 8 or FIG. 9 below.
If, in the initial procedure, the first access network device also carries a third QoS flow belonging to the PDU session and the second access network device also carries part of the QoS flows of the PDU session (for example, a second QoS flow), the first security result of the session is determined by the master node of the dual-connectivity communication system. If the first access network device is the master node, it obtains the first security result locally after obtaining the first QoS flow. If the second access network device is the master node, the first access network device communicates with the second access network device to obtain the first security result.
S603. The first access network device carries the first QoS flow and applies security protection to the first QoS flow according to the first security result.
In general, security processing is performed by a packet data convergence protocol (PDCP) entity. Therefore, "the first access network device applies security protection to the first QoS flow according to the first security result" specifically means "the PDCP entity of the first access network device applies security protection to the first QoS flow according to the first security result". Correspondingly, "a QoS flow is carried by the first access network device" means that the PDCP entity corresponding to that QoS flow is deployed on the first access network device.
Likewise, "a QoS flow is carried by the second access network device" below means that the PDCP entity corresponding to that QoS flow is deployed on the second access network device.
The first access network device, as the master node or the secondary node of the dual-connectivity communication system, achieves security protection of the first QoS flow by performing S601 to S603 above.
It is easy to see that if the first security result is determined by the first access network device, the first access network device only needs to perform S601 to S603 to protect the air-interface user plane, which is not described in detail here.
If the first security result is determined by the second access network device and the second access network device carries a second QoS flow of the PDU session, the first access network device must communicate with the second access network device to obtain the first security result.
The remainder of the embodiments of this application mainly describes the scenario in which the first security result is determined by the second access network device.
The case in which the first access network device is the master node and the second access network device is the secondary node is described first.
If the first access network device is the master node, the second access network device is the secondary node, and the second access network device determines the first security result, then before the first access network device obtains the first QoS flow, the second access network device may carry all QoS flows of the PDU session other than the first QoS flow, determine the first security result, and send the first security result to the first access network device.
With reference to FIG. 6 above and as shown in FIG. 7, before S601 the communication method provided by the embodiments of this application further includes:
S700. The second access network device carries all QoS flows of the PDU session and determines the first security result.
In a first optional implementation, when the PDU session is initially established the first access network device does not carry any QoS flow of the PDU session; the second access network device obtains all QoS flows of the PDU session through the first access network device, carries the obtained QoS flows, and determines the first security result. Optionally, the second access network device determines the first security result from first security indication information received from the first access network device. The first security indication information is obtained by the first access network device from the core network.
In a second optional implementation, the first access network device carries all QoS flows of the PDU session, and later, under a certain condition (for example, the first access network device releases all QoS flows of the PDU session, or the first access network device obtains from the core network device a new QoS flow belonging to the PDU session), the first access network device sends the second access network device a first request message that requests admission of the PDU session, specifically requesting that resources be allocated for the PDU session and that the first security result be determined according to the first security indication information. Accordingly, the second access network device admits the PDU session, carries all QoS flows of the PDU session, and determines the first security result. The specific process of this implementation is described with reference to FIG. 8 or FIG. 9 below.
S701. The second access network device sends the first security result to the first access network device.
S702 (optional). The first access network device sends the first security result to the core network device.
Optionally, after obtaining the first security result, the first access network device may store it.
In the first optional implementation of S700, after S701 the first access network device also sends the first security result to the core network device, so that the core network device learns the latest security result of the PDU session and completes the corresponding configuration according to it.
In the second optional implementation of S700, after S701 the first access network device may send the first security result to the core network device, or may refrain from doing so.
Because S702 is optional, it is drawn with a dashed line in FIG. 7.
The second optional implementation of S700 is now described. Specifically, with reference to FIG. 7 above and as shown in FIG. 8, before S700 the communication method provided by the embodiments of this application further includes:
S800. The first access network device carries all QoS flows of the PDU session.
In the embodiments of this application, all QoS flows carried by the first access network device at this moment are called the first QoS flow set.
S801. The first access network device determines a second security result.
The second security result may be the same as or different from the first security result.
It is easy to see that after S800 and S801 the first access network device sends the second security result to the core network device, so that the core network device completes the corresponding configuration according to it.
S802. The first access network device sends the second access network device a first request message that requests admission of the PDU session.
Optionally, the first access network device sends the first request message to the second access network device after releasing all QoS flows of the PDU session, that is, after releasing the first QoS flow set; or, after the first access network device obtains from the core network a new QoS flow belonging to the PDU session (for example, QoS flow 1), it releases the QoS flows of the PDU session it carries and sends the first request message to the second access network device.
The first request message includes a first identifier and first security indication information. The first identifier denotes the first QoS flow set, or the first QoS flow set together with QoS flow 1. The first security indication information either instructs the recipient to apply security protection to the QoS flows denoted by the first identifier, or instructs it to decide on its own whether to apply security protection to them.
In the embodiments of this application, "the first access network device releases all QoS flows of the PDU session" may also be described as "the first access network device transfers all QoS flows of the PDU session to the second access network device".
In the scenario shown in FIG. 8, if after S701 the first security result differs from the second security result, the first access network device sends the first security result to the core network device so that the core network device redoes the related configuration; in addition, the first access network device may store the first security result, that is, perform S803.
S803 (optional). If the first security result differs from the second security result, the first access network device stores the first security result.
It is easy to see that if the first security result is the same as the second security result, the core network device does not need to reconfigure the related information, so the first access network device does not need to send the first security result to the core network device.
Specifically, if the first access network device performs S803, S602 above consists of the first access network device obtaining the first security result locally; if it does not perform S803, S602 consists of the first access network device communicating with the second access network device to obtain the first security result. That is, where the first access network device performs S803, S602 may be replaced by S602a; where it does not, S602 may be replaced by S602b.
S602a. The first access network device obtains the first security result locally.
S602b. The first access network device communicates with the second access network device to obtain the first security result.
Further, in the scenario shown in FIG. 8, after S603 the first access network device may also release all or part of the QoS flows of the PDU session that it carries (for example, a fourth QoS flow), after which the second access network device carries the QoS flows released by the first access network device.
With reference to FIG. 8 above and as shown in FIG. 9, after S603 the communication method provided by the embodiments of this application includes:
S900. The first access network device releases a fourth QoS flow belonging to the PDU session.
The fourth QoS flow may be all of the QoS flows of the PDU session carried by the first access network device, or only some of them; this is not specifically limited here.
Optionally, the first access network device may decide on its own to release the fourth QoS flow, or may release it after obtaining from the core network device a new QoS flow belonging to the PDU session; the embodiments of this application do not specifically limit this.
S901. The first access network device sends a second request message to the second access network device.
The second request message instructs the second access network device to apply security protection to the fourth QoS flow according to the first security result.
It is easy to see that in the method flow shown in FIG. 8, at the time of S603 the first access network device and the second access network device both carry QoS flows of the PDU session, both protect the QoS flows they carry according to the first security result, and the first security result was determined by the second access network device. Therefore, after the first access network device releases the fourth QoS flow, the fourth QoS flow must also be protected using the first security result.
S902. The second access network device applies security protection to the fourth QoS flow according to the first security result.
Likewise, after S603 the second access network device may also release some of the QoS flows of the PDU session it carries, after which the first access network device carries the released QoS flows and protects them according to the first security result. This flow is similar to S900 to S902 above and is not described in detail again.
In summary, if the master node determined the second security result of the PDU session, then after the master node releases all QoS flows of the PDU session, the secondary node may change the security result of the PDU session to the first security result. If, after the secondary node has determined the first security result of the PDU session, the master node obtains some QoS flows of the PDU session (for example, the first QoS flow), the master node must protect the first QoS flow using the first security result; that is, the master node cannot change the security result of the PDU session.
When the first access network device is the master node and the second access network device is the secondary node, both devices can apply security protection to the QoS flows of the PDU session, which protects the air-interface user plane. Moreover, when both devices carry QoS flows of the PDU session, they use the same security result to protect QoS flows belonging to the same PDU session, so that the security protection applied by the first access network device and the second access network device is consistent.
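The procedure of S601 to S603 and FIG. 7 to FIG. 9 (the master node determines a second security result, hands the whole session to the secondary node, which as sole carrier may change the result, and afterwards every node that takes on a flow of the session must reuse the result in force), as an added Python model that is not part of this application and not code of any 3GPP implementation. The node names MN and SN, the three-valued core-network indication (required, preferred, not needed), the per-node policy used for the "preferred" case and the stand-in PDCP primitives (HMAC-SHA256 truncated to a 32-bit MAC-I, a SHA-256 keystream in place of the NIA/NEA algorithms) are assumptions; the concrete Xn and NG messages are not modelled.

```python
"""Added model (not the patent's code) of per-PDU-session security-result handling in
dual connectivity: who may determine the result, who must reuse it, and what the PDCP
entity does with it. Indication values and crypto primitives are stand-ins."""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Ind(Enum):
    """Assumed user-plane security indication from the core network."""
    REQUIRED = "required"
    PREFERRED = "preferred"      # the access network device decides on its own
    NOT_NEEDED = "not_needed"


@dataclass(frozen=True)
class SecurityResult:
    integrity: bool
    ciphering: bool


@dataclass
class Node:
    name: str
    integrity_when_preferred: bool                   # assumed local policy for PREFERRED
    flows: Set[int] = field(default_factory=set)     # QoS flow ids whose PDCP entity is here
    stored_result: Optional[SecurityResult] = None   # locally stored result (cf. S803)

    def determine(self, ind: Tuple[Ind, Ind]) -> SecurityResult:
        def pick(i: Ind, local: bool) -> bool:
            return {Ind.REQUIRED: True, Ind.NOT_NEEDED: False}.get(i, local)
        return SecurityResult(pick(ind[0], self.integrity_when_preferred), pick(ind[1], True))


@dataclass
class PduSession:
    indication: Tuple[Ind, Ind]        # (integrity, ciphering) indication from the core network
    nodes: List[Node]
    result: Optional[SecurityResult] = None
    reported_to_core: list = field(default_factory=list)   # (node, result) reports (cf. S702)

    def carriers(self) -> List[Node]:
        return [n for n in self.nodes if n.flows]


def admit(node: Node, session: PduSession, flows: Set[int]) -> SecurityResult:
    """A node admits QoS flows. Only a node that is the sole carrier of the session may
    (re)determine the result (S700/S801); otherwise it reuses the result in force, because
    the other node's PDCP entities already protect with it (S602/S603)."""
    if not [n for n in session.carriers() if n is not node]:
        new = node.determine(session.indication)
        if new != session.result:                  # only a changed result is reported
            session.reported_to_core.append((node.name, new))
        session.result = new
    node.flows |= set(flows)
    node.stored_result = session.result
    return session.result


def transfer(src: Node, dst: Node, session: PduSession, flows: Set[int]) -> SecurityResult:
    """src releases flows (S802/S900); dst carries them under the session's result (S902)."""
    flows = set(flows)
    if not flows <= src.flows:
        raise ValueError("cannot release flows that are not carried")
    src.flows -= flows
    return admit(dst, session, flows)


def consistent(session: PduSession) -> bool:
    """Every node carrying flows of the session protects them with the same result."""
    return all(n.stored_result == session.result for n in session.carriers())


def _keystream_xor(key: bytes, count: int, data: bytes) -> bytes:
    # Stand-in for NEA ciphering: SHA-256 keystream keyed by (key, COUNT, block index).
    ks = b"".join(hashlib.sha256(key + count.to_bytes(4, "big") + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def _mac_i(key: bytes, count: int, data: bytes) -> bytes:
    # Stand-in for NIA integrity: HMAC-SHA256 truncated to a 32-bit MAC-I.
    return hmac.new(key, count.to_bytes(4, "big") + data, "sha256").digest()[:4]


def protect(result: SecurityResult, key: bytes, count: int, sdu: bytes) -> bytes:
    """PDCP-style protection driven by the result: MAC-I over the SDU first, then ciphering."""
    pdu = sdu + _mac_i(key, count, sdu) if result.integrity else sdu
    return _keystream_xor(key, count, pdu) if result.ciphering else pdu


def unprotect(result: SecurityResult, key: bytes, count: int, pdu: bytes) -> Optional[bytes]:
    """Inverse of protect(); returns None when the integrity check fails."""
    data = _keystream_xor(key, count, pdu) if result.ciphering else pdu
    if not result.integrity:
        return data
    sdu, mac = data[:-4], data[-4:]
    return sdu if hmac.compare_digest(mac, _mac_i(key, count, sdu)) else None


def master_first_scenario():
    """FIG. 8 then FIG. 9: MN carries the whole session, hands it to SN, later receives a
    new flow from the core network and finally releases that flow to SN as well."""
    mn = Node("MN", integrity_when_preferred=False)
    sn = Node("SN", integrity_when_preferred=True)
    s = PduSession(indication=(Ind.PREFERRED, Ind.REQUIRED), nodes=[mn, sn])
    second = admit(mn, s, {1, 2})        # S800/S801: MN determines the second security result
    first = transfer(mn, sn, s, {1, 2})  # S802/S700/S701: SN, now sole carrier, may change it
    via_mn = admit(mn, s, {3})           # S601-S603: new flow from core network, MN reuses first
    via_sn = transfer(mn, sn, s, {3})    # S900-S902: fourth QoS flow released to SN
    return second, first, via_mn, via_sn, consistent(s), s.reported_to_core
```

The invariant the model checks is the one stated in the summary above: a node that is not the sole carrier of a session cannot alter its security result, a changed result is reported to the core network only by the node that changed it, and a PDCP entity on either node applies exactly the protections the result in force selects.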
As the description above shows, the first access network device may also be the secondary node, with the second access network device as the master node. This case is described next.
If the first access network device is the secondary node, the second access network device is the master node, and the second access network device determines the first security result, then before the first access network device admits the PDU session, the second access network device may carry all QoS flows of the PDU session other than the first QoS flow and determine the first security result.
With reference to FIG. 6 above and as shown in FIG. 10, before S601 the communication method provided by the embodiments of this application further includes:
S1000. The second access network device carries all QoS flows of the PDU session and determines the first security result.
In optional implementation A, when the PDU session is initially established the first access network device does not carry any QoS flow of the PDU session; the second access network device carries all QoS flows of the PDU session and determines the first security result.
In optional implementation B, the first access network device carries all QoS flows of the PDU session, and later, under a certain condition (for example, the first access network device releases all QoS flows of the PDU session), the first access network device sends the second access network device a request message that includes a second identifier denoting all second QoS flows of the PDU session. Accordingly, the second access network device admits the PDU session, carries all QoS flows of the PDU session, and determines the first security result. The specific process of this implementation is described with reference to FIG. 11 or FIG. 12 below.
Optionally, after determining the first security result, the second access network device sends it to the core network device so that the core network device completes the related configuration according to it.
S1001. The second access network device applies security protection to all QoS flows of the PDU session according to the first security result.
After performing S1001, the second access network device may decide on its own to release the first QoS flow, or may decide to release it after obtaining from the core network device a new QoS flow belonging to the PDU session. The second access network device then sends the first QoS flow and the first security result to the first access network device, which accordingly obtains the first QoS flow and the first security result.
That is, in the scenario shown in FIG. 10, S601 and S602 may be replaced by S601a and S601b below.
S601a. The second access network device releases the first QoS flow.
S601b. The second access network device sends the first QoS flow and the first security result to the first access network device.
从上面描述可知,S1000的可选实现方式B中,第二接入网设备承载PDU会话中的所有QoS流之前,第一接入网设备承载PDU会话中的所有QoS流。It can be seen from the above description that in alternative implementation B of S1000, before the second access network device carries all QoS flows in the PDU session, the first access network device carries all QoS flows in the PDU session.
Optional implementation B of S1000 is now described in detail. Specifically, with reference to FIG. 10 and as shown in FIG. 11, before S1000 the communication method provided in the embodiment of the present application further includes:
S1100. The first access network device carries all QoS flows of the PDU session.
In the embodiment of the present application, all QoS flows carried by the first access network device at this moment are referred to as the first QoS flow set.
S1101. The first access network device determines a second security result, and performs security protection on the QoS flows in the first QoS flow set according to the second security result.
The second security result is used to indicate whether to perform security protection on the PDU session. The second security result may be the same as or different from the first security result.
S1102. The first access network device sends the second security result to the second access network device.
S1103. The second access network device sends the second security result to the core network device.
After receiving the second security result, the core network device completes the corresponding configuration according to the second security result.
Optionally, after receiving the second security result sent by the first access network device, the second access network device may store the second security result. That is, after S1102, the second access network device may perform S1104.
S1104 (optional). The second access network device stores the second security result.
Since S1104 is an optional step, it is represented by a dashed box in FIG. 11.
S1105. The first access network device releases all QoS flows in the PDU session, and sends a first request message to the second access network device.
The first request message includes a second identifier, and the second identifier is used to indicate all QoS flows in the PDU session; that is, the second identifier indicates the first QoS flow set.
Optionally, the first request message may further include at least one of the second security result and second security indication information, where the second security indication information is used to indicate that security protection is to be performed on the QoS flows indicated by the second identifier, or to indicate that the second access network device is to determine on its own whether to perform security protection on the QoS flows indicated by the second identifier.
It is easy to understand that, if the second access network device does not perform S1104, the second request message includes the second security result, so that the second access network device can subsequently determine, according to the first security result and the second security result, whether to communicate with the core network device.
In the procedure shown in FIG. 11, if the first security result is different from the second security result, and the second access network device has stored the second security result, then after determining the first security result the second access network device further sends the first security result to the core network device; that is, after S1000, S1106 is further performed.
S1106. If the first security result is different from the second security result, the second access network device sends the first security result to the core network device.
Further, in the scenario shown in FIG. 11, after S603 the first access network device may also release all or part of the QoS flows in the PDU session that it carries (for example, a fourth QoS flow); subsequently, the second access network device carries the QoS flows released by the first access network device.
With reference to FIG. 11 and as shown in FIG. 12, after S603 the communication method provided in the embodiment of the present application includes:
S1200. The first access network device releases a fourth QoS flow belonging to the PDU session.
The fourth QoS flow may be all of the QoS flows in the PDU session carried by the first access network device, or part of the QoS flows in the PDU session carried by the first access network device; this is not specifically limited here.
Optionally, the first access network device may decide on its own to release the fourth QoS flow, or may release the fourth QoS flow after receiving a request sent by the second access network device; this is not specifically limited in the embodiment of the present application.
S1201. The first access network device sends a second request message to the second access network device.
The second request message is used to instruct that security protection be performed on the fourth QoS flow according to the first security result. Correspondingly, after receiving the second request message, the second access network device performs security protection on the fourth QoS flow according to the first security result.
It is easy to understand that, in the method procedure shown in FIG. 11, at the moment of S603 the first access network device and the second access network device simultaneously carry QoS flows of the PDU session, both perform security protection on the QoS flows they respectively carry according to the first security result, and the first security result is determined by the second radio access network device. Therefore, after the first access network device releases the fourth QoS flow, the fourth QoS flow also needs to be security protected using the first security result.
S1202. The second access network device performs security protection on the fourth QoS flow according to the first security result.
Similarly, after S603 the second access network device may also release part of the QoS flows in the PDU session that it carries; subsequently, the first access network device carries the QoS flows released by the second access network device, and performs security protection on those QoS flows according to the first security result. This procedure is similar to S1200 to S1202 above and is not described in detail again here.
In summary, if the secondary station determines the second security result of the PDU session, then after the secondary station releases all QoS flows of the PDU session, the primary station may change the security result of the PDU session to the first security result. If, after the primary station determines the first security result of the PDU session, the secondary station obtains part of the QoS flows belonging to the PDU session (for example, the first QoS flow), the secondary station needs to use the first security result to perform security protection on the first QoS flow; that is, the secondary station cannot change the security result of the PDU session.
In the case where the first access network device is the secondary station and the second access network device is the primary station, both the first access network device and the second access network device can perform security protection on the QoS flows in the PDU session, thereby realizing security protection of the air-interface user plane. Moreover, when both the first access network device and the second access network device carry QoS flows of the PDU session, they use the same security result to perform security protection on the QoS flows belonging to the same PDU session, thereby realizing consistency of the security protection performed by the first access network device and the second access network device.
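The rule summarised above (only the sole carrier of a PDU session may set or change its security result, a node that joins an already protected session must adopt the existing result, and the core network is told only when the result actually changes) can be modelled as a small state machine. The following Python model is an added example and is not code from the patent or from any 3GPP implementation; the class and method names, the QFI values, and the result strings "required" and "not_needed" are assumptions made here for illustration, since the patent only says a security result indicates whether the PDU session is protected. The scenario walks through FIG. 11 (S1100 to S1106) and FIG. 12 (S1200 to S1202) with MN as the primary station and SN as the secondary station.

```python
"""Model of the PDU-session security-result consistency rule in dual connectivity.

Added example, not code from the patent. Names and result strings are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


class SecurityResultError(Exception):
    """Raised when an operation would leave flows of one PDU session under different results."""


@dataclass
class PduSession:
    session_id: int
    flows: dict = field(default_factory=dict)          # node name -> set of QFIs it carries
    security_result: Optional[str] = None               # single result applied to the whole session
    decided_by: Optional[str] = None

    def carriers(self) -> set:
        return {node for node, qfis in self.flows.items() if qfis}


@dataclass
class CoreNetwork:
    notifications: list = field(default_factory=list)   # (session_id, result) in arrival order

    def receive_result(self, session_id: int, result: str) -> None:
        self.notifications.append((session_id, result))


@dataclass
class AccessNode:
    name: str
    stored_results: dict = field(default_factory=dict)  # S1104: peer's result, if this node stored it

    def carry_all(self, session: PduSession, qfis, result: str) -> None:
        """Sole carrier decides the session result and protects every flow (S1100/S1101, S1000/S1001)."""
        if session.carriers() - {self.name}:
            raise SecurityResultError(f"{self.name}: another node still carries flows of the session")
        session.flows[self.name] = set(qfis)
        session.security_result = result
        session.decided_by = self.name

    def forward_peer_result(self, session, result, core: CoreNetwork, store=True) -> None:
        """S1103/S1104: relay the peer's result to the core network and optionally store it."""
        core.receive_result(session.session_id, result)
        if store:
            self.stored_results[session.session_id] = result

    def admit_after_full_release(self, session, qfis, new_result, core, result_in_request=None) -> bool:
        """S1105 then S1000/S1001/S1106: the peer released every flow, this node admits them all and
        decides anew. The core network is told only if the result changed. Returns True if notified."""
        self.carry_all(session, qfis, new_result)
        # If S1104 was skipped, the previous result has to arrive in the request message instead.
        previous = self.stored_results.get(session.session_id, result_in_request)
        if previous is None:
            raise SecurityResultError(f"{self.name}: previous result neither stored nor in request")
        if previous != new_result:
            core.receive_result(session.session_id, new_result)
            return True
        return False

    def release(self, session, qfis) -> tuple:
        """Release some flows; the peer gets them together with the applicable result (S601b/S1201)."""
        session.flows.setdefault(self.name, set()).difference_update(qfis)
        return set(qfis), session.security_result

    def take_over(self, session, qfis, result) -> None:
        """Carry flows released by the peer (S603/S1202). A joining node may not change the result."""
        if result != session.security_result:
            raise SecurityResultError(
                f"{self.name}: result {result!r} differs from session result {session.security_result!r}")
        session.flows.setdefault(self.name, set()).update(qfis)


def run_scenario() -> dict:
    """FIG. 11 and FIG. 12 with constructed QFIs 1..3 on session 7."""
    core, mn, sn = CoreNetwork(), AccessNode("MN"), AccessNode("SN")
    s = PduSession(session_id=7)
    sn.carry_all(s, {1, 2, 3}, "not_needed")                  # S1100/S1101: SN sets the second result
    mn.forward_peer_result(s, "not_needed", core, store=True)  # S1102 to S1104
    sn.release(s, {1, 2, 3})                                   # S1105: SN releases every flow
    notified = mn.admit_after_full_release(s, {1, 2, 3}, "required", core)  # S1000/S1001/S1106
    qfis, result = mn.release(s, {1})                          # S601a/S601b: flow 1 goes to SN
    sn.take_over(s, qfis, result)                              # S603: SN must use the first result
    try:
        sn.take_over(s, {2}, "not_needed")                     # SN tries to revert: rejected
        rejected = False
    except SecurityResultError:
        rejected = True
    qfis, result = sn.release(s, {1})                          # S1200/S1201: fourth QoS flow back to MN
    mn.take_over(s, qfis, result)                              # S1202
    return {"result": s.security_result, "decided_by": s.decided_by,
            "notified_on_change": notified, "revert_rejected": rejected,
            "core_notifications": list(core.notifications), "carriers": sorted(s.carriers())}
```

Keeping the result as one field on the session, rather than one per node, is the design choice that makes the consistency property structural: the only way to change it is `carry_all`, which refuses unless the caller is the sole carrier, and `take_over` refuses any flow offered under a different result.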
In practical applications, when a UE communicates with a peer, it may be necessary to perform security protection on only part of the data. For this scenario, the core network device in the embodiment of the present application may send indication information to an access network device connected to the core network device (for example, the first access network device), so that the access network device performs security protection on the DRB corresponding to the indication information.
For ease of description, the first access network device is taken as the primary station as an example. Specifically, as shown in FIG. 13, the communication method provided in the embodiment of the present application includes:
S1300. The core network device sends indication information to the first access network device, where the indication information is used to instruct that security protection be performed on a preset QoS flow or a preset EPS bearer according to the first security result.
Here the first security result is "required"; that is, the indication information is used to indicate that the preset QoS flow or EPS bearer must be security protected.
Optionally, the preset QoS flow is a QoS flow designated by the core network device for security protection, and the preset EPS bearer may be the default bearer or an EPS bearer designated by the core network device for security protection.
S1301. The first access network device determines a target DRB, and performs security protection on the target DRB according to the first security result.
Optionally, the target DRB is a DRB carrying the preset QoS flow, where the preset QoS flow is a QoS flow designated by the core network device for security protection; or, the target DRB corresponds to the preset EPS bearer.
S1302. The first access network device releases the preset QoS flow / preset EPS bearer, and sends a security request message to the second access network device.
Specifically, when the first access network device transfers the preset QoS flow / preset EPS bearer to the second access network device, the first access network device sends a security request message to the second access network device. The security request message includes identification information (used to identify the preset QoS flow / the preset EPS bearer), the first security result, and security indication information, where the security indication information is used to instruct that security protection be performed, according to the first security result, on the object identified by the identification information (the preset QoS flow / preset EPS bearer).
S1303. The second access network device determines the DRB corresponding to the object identified by the identification information, and performs security protection on the determined DRB according to the first security result.
It should be noted that steps S1300 to S1301 may be used alone in a single-connectivity scenario or a dual-connectivity scenario, in which case steps S1302 to S1303 are omitted.
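The partial-protection procedure S1300 to S1303 reduces to a mapping problem: given the core network's indication (preset QoS flows and/or preset EPS bearers), find the DRBs that carry or correspond to them, protect only those, and, when any of the preset objects move to the second access network device, send a security request that identifies what moved together with the first security result and the security indication. The Python below is an added example and not code from the patent; the DRB, QFI and EPS-bearer tables are constructed sample data, and the dictionary layout of the indication and of the security request message is an assumption, since the patent names the fields but prescribes no encoding.

```python
"""Target-DRB selection and security request construction for S1300 to S1303.

Added example, not code from the patent. Data and message layout are constructed.
"""
from dataclasses import dataclass
from typing import Optional

FIRST_SECURITY_RESULT = "required"   # the indication carries a result meaning "must protect"


@dataclass(frozen=True)
class Drb:
    drb_id: int
    qfis: frozenset = frozenset()        # QoS flows mapped onto this DRB
    eps_bearer_id: Optional[int] = None  # EPS bearer this DRB corresponds to, if any


def target_drb_ids(drbs, preset_qfis=(), preset_eps_bearers=(), default_eps_bearer=None):
    """S1301: a DRB is a target if it carries a preset QoS flow or corresponds to a preset EPS
    bearer. The default EPS bearer counts as preset only when the core network designates it."""
    qfis = frozenset(preset_qfis)
    bearers = set(preset_eps_bearers)
    if default_eps_bearer is not None:
        bearers.add(default_eps_bearer)
    return sorted(d.drb_id for d in drbs if (d.qfis & qfis) or (d.eps_bearer_id in bearers))


def apply_indication(drbs, indication):
    """S1300/S1301 on the first access network device: protect only the target DRBs and leave
    every other DRB unprotected. Returns drb_id -> protection state."""
    targets = set(target_drb_ids(drbs, indication.get("qfis", ()), indication.get("eps_bearers", ()),
                                 indication.get("default_eps_bearer")))
    return {d.drb_id: (FIRST_SECURITY_RESULT if d.drb_id in targets else "none") for d in drbs}


def build_security_request(indication, transferred_qfis=(), transferred_eps_bearers=()):
    """S1302: when preset flows or bearers move to the second access network device, the message
    carries identification of the moved preset objects, the first security result and the
    security indication. Returns None when nothing preset was transferred."""
    ident_qfis = sorted(set(transferred_qfis) & set(indication.get("qfis", ())))
    ident_bearers = sorted(set(transferred_eps_bearers) & set(indication.get("eps_bearers", ())))
    if not ident_qfis and not ident_bearers:
        return None
    return {"identification": {"qfis": ident_qfis, "eps_bearers": ident_bearers},
            "first_security_result": FIRST_SECURITY_RESULT,
            "security_indication": "protect_identified_objects_per_first_security_result"}


def protect_on_receiver(drbs, request):
    """S1303 on the second access network device: map the identified objects onto its own DRBs
    and return the DRB ids that must be protected with the first security result."""
    if request is None:
        return []
    ident = request["identification"]
    return target_drb_ids(drbs, ident["qfis"], ident["eps_bearers"])


def run_example():
    """Constructed sample: the primary station has four DRBs; the core network designates
    QFI 5 and EPS bearer 9; afterwards QFIs 1 and 5 are transferred to the secondary station."""
    mn_drbs = [Drb(1, frozenset({1, 2})), Drb(2, frozenset({5})),
               Drb(3, eps_bearer_id=9), Drb(4, eps_bearer_id=6)]
    indication = {"qfis": {5}, "eps_bearers": {9}}
    states = apply_indication(mn_drbs, indication)
    request = build_security_request(indication, transferred_qfis={1, 5})
    sn_drbs = [Drb(11, frozenset({1})), Drb(12, frozenset({5}))]
    return states, request, protect_on_receiver(sn_drbs, request)
```

Note that `build_security_request` intersects the transferred set with the preset set, so a transfer of only non-preset flows (QFI 1 alone in the sample) produces no security request, matching the text's point that only the designated part of the data is protected.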
An embodiment of the present application provides a communication apparatus 14. The communication apparatus 14 may be the first access network device, or may be part of the first access network device, for example a chip system in the first access network device. Optionally, the chip system is configured to support the first access network device in implementing the functions involved in the method embodiments shown in FIG. 6 to FIG. 12, for example receiving, sending, or processing the data and/or information involved in the above methods. The chip system includes a chip, and may further include other discrete devices or circuit structures.
The communication apparatus 14 is configured to perform the steps performed by the first access network device in the methods shown in FIG. 6 to FIG. 12 above. The communication apparatus 14 provided in the embodiment of the present application may include modules corresponding to the respective steps.
In the embodiment of the present application, the communication apparatus 14 may be divided into functional modules according to the above method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. The division of modules in the embodiment of the present application is illustrative and is merely a logical functional division; other division manners are possible in actual implementation.
In the case where each functional module corresponds to one function, FIG. 14 shows a possible schematic structural diagram of the communication apparatus 14 in this embodiment. As shown in FIG. 14, the communication apparatus 14 includes a processing unit 141.
The processing unit 141 is configured to support the communication apparatus 14 in performing the obtaining, carrying, security protection, determining and other operations shown in FIG. 6 to FIG. 12 above, for example S601, S602, S603, S800, S801, S900, S1000, S1001, S1105, S1200 and the like, and/or other processes of the techniques described herein.
All relevant content of each step involved in the above method embodiments may be cited in the functional description of the corresponding functional module, and is not repeated here.
Of course, the communication apparatus 14 provided in the embodiment of the present application includes but is not limited to the above modules; for example, the communication apparatus 14 may further include a sending unit 142, a receiving unit 143 and a storage unit 144.
The sending unit 142 is configured to support the communication apparatus 14 in performing the sending operations shown in FIG. 6 to FIG. 12 above, for example S802, S702, S901, S1105, S1201 and the like, and/or other processes of the techniques described herein.
The receiving unit 143 is configured to support the communication apparatus 14 in performing the receiving operations shown in FIG. 6 to FIG. 12 above, for example S601b, S602b, S701 and the like, and/or other processes of the techniques described herein.
The storage unit 144 may be configured to store program code of the communication apparatus 14, and may further be configured to store the first security result.
For a physical block diagram of the communication apparatus 14 provided in the present application, reference may be made to FIG. 5 above. The processing unit 141 may be the processor 51 in FIG. 5, the sending unit 142 and the receiving unit 143 may be the transceiver 53 in FIG. 5, and the storage unit 144 may be the memory 52 in FIG. 5.
Another embodiment of the present application further provides a computer-readable storage medium storing instructions. When the instructions run on the communication apparatus 14, the communication apparatus 14 performs the steps of the first access network device in the communication methods of the embodiments shown in FIG. 6 to FIG. 12.
In another embodiment of the present application, a computer program product is further provided. The computer program product includes computer-executable instructions stored in a computer-readable storage medium; the processor of the communication apparatus 14 may read the computer-executable instructions from the computer-readable storage medium, and executing them causes the communication apparatus 14 to perform the steps of the first access network device in the communication methods of the embodiments shown in FIG. 6 to FIG. 12.
An embodiment of the present application provides a communication apparatus 15. The communication apparatus 15 may be the first access network device, or may be part of the first access network device, for example a chip system in the first access network device. Optionally, the chip system is configured to support the first access network device in implementing the functions involved in the method embodiment shown in FIG. 13, for example receiving, sending, or processing the data and/or information involved in the above method. The chip system includes a chip, and may further include other discrete devices or circuit structures.
The communication apparatus 15 is configured to perform the steps performed by the first access network device in the method shown in FIG. 13. The communication apparatus 15 provided in the embodiment of the present application may include modules corresponding to the respective steps.
In the embodiment of the present application, the communication apparatus 15 may be divided into functional modules according to the above method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. The division of modules in the embodiment of the present application is illustrative and is merely a logical functional division; other division manners are possible in actual implementation.
In the case where each functional module corresponds to one function, FIG. 15 shows a possible schematic structural diagram of the communication apparatus 15. As shown in FIG. 15, the communication apparatus 15 includes a processing unit 151.
The processing unit 151 is configured to support the communication apparatus 15 in performing the determining, security protection and other operations shown in FIG. 13 above, for example S1301, S1302 and the like, and/or other processes of the techniques described herein.
All relevant content of each step involved in the above method embodiment may be cited in the functional description of the corresponding functional module, and is not repeated here.
Of course, the communication apparatus 15 provided in the embodiment of the present application includes but is not limited to the above modules; for example, the communication apparatus 15 may further include a sending unit 152, a receiving unit 153 and a storage unit 154.
The sending unit 152 is configured to support the communication apparatus 15 in performing the sending operations shown in FIG. 13 above, for example S1302 and the like, and/or other processes of the techniques described herein.
The receiving unit 153 is configured to support the communication apparatus 15 in performing the receiving operations shown in FIG. 13 above, for example S1300 and the like, and/or other processes of the techniques described herein.
The storage unit 154 may be configured to store program code of the communication apparatus 15, and may further be configured to store the first security result.
When the communication apparatus 15 is the first access network device, the processing unit 151 may be the processor 41 in FIG. 4, the sending unit 152 and the receiving unit 153 may be the transceiver 43 in FIG. 4, and the storage unit 154 may be the memory 42 in FIG. 4.
Another embodiment of the present application further provides a computer-readable storage medium storing instructions. When the instructions run on the communication apparatus 15, the communication apparatus 15 performs the steps of the first access network device in the communication method of the embodiment shown in FIG. 13.
In another embodiment of the present application, a computer program product is further provided. The computer program product includes computer-executable instructions stored in a computer-readable storage medium; the processor of the communication apparatus 15 may read the computer-executable instructions from the computer-readable storage medium, and executing them causes the communication apparatus 15 to perform the steps of the first access network device in the communication method of the embodiment shown in FIG. 13.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented by a software program, they may take the form of a computer program product in whole or in part. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fibre or digital subscriber line) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any usable medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape) or a semiconductor medium (for example a solid state disk (SSD)).
From the description of the above implementations, a person skilled in the art can clearly understand that, for convenience and brevity of description, only the above division of functional modules is used as an example; in practical applications, the above functions may be allocated to different functional modules as required, that is, the internal structure of the apparatus may be divided into different functional modules to complete all or part of the functions described above.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative; the division of the modules or units is merely a logical functional division, and other division manners are possible in actual implementation, for example multiple units or components may be combined or integrated into another apparatus, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and a component shown as a unit may be one physical unit or multiple physical units, that is, it may be located in one place or distributed over multiple different places. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a readable storage medium. Based on such an understanding, the technical solutions of the embodiments of the present application essentially, or the part contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above are merely specific implementations of the present application, but the protection scope of the present application is not limited thereto; any change or replacement within the technical scope disclosed in the present application shall fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (28)

  1. A communication method, applied to a dual-connectivity communication system comprising a first access network device and a second access network device, the method comprising:
    acquiring, by the first access network device, a first quality of service (QoS) flow, the first QoS flow belonging to a protocol data unit (PDU) session;
    acquiring, by the first access network device, a first security result of the PDU session, the first security result being determined by the first access network device or by the second access network device, wherein the first security result indicates whether security protection is to be performed on the PDU session, and the security protection comprises at least one of integrity protection and encryption protection;
    carrying, by the first access network device, the first QoS flow, and performing security protection on the first QoS flow according to the first security result.
  2. The communication method according to claim 1, wherein the PDU session further comprises a second QoS flow, and the second QoS flow is carried by the second access network device.
  3. The communication method according to claim 2, wherein before the first access network device acquires the first QoS flow, all QoS flows in the PDU session are carried by the second access network device, and the first security result is determined by the second access network device.
  4. The communication method according to claim 2, wherein the first access network device further carries a third QoS flow in the PDU session;
    if the first access network device is the master node of the dual-connectivity communication system, the first security result is determined by the first access network device;
    if the second access network device is the master node of the dual-connectivity communication system, the first security result is determined by the second access network device.
  5. The communication method according to claim 3, wherein the communication method further comprises:
    before the second access network device determines the first security result, carrying, by the first access network device, all QoS flows in the PDU session;
    determining, by the first access network device, a second security result of the PDU session, the second security result indicating whether security protection is to be performed on the PDU session, and the second security result being the same as or different from the first security result;
    releasing, by the first access network device, all QoS flows in the PDU session, and sending a first request message to the second access network device, wherein if the first access network device is the master node of the dual-connectivity communication system and the second access network device is the secondary node of the communication system, the first request message requests that resources be allocated for the PDU session and that the first security result be determined according to first security indication information; and if the first access network device is the secondary node of the dual-connectivity communication system and the second access network device is the master node of the communication system, the first request message requests that all QoS flows in the PDU session be released;
    wherein the first security indication information indicates that security protection is to be performed on the QoS flows released by the first access network device, or indicates that whether to perform security protection on the QoS flows released by the first access network device is to be determined independently.
  6. The communication method according to claim 5, wherein if the first access network device is the master node of the dual-connectivity communication system and the second access network device is the secondary node of the communication system, the communication method further comprises:
    receiving, by the first access network device, the first security result from the second access network device;
    if the first security result is different from the second security result, sending, by the first access network device, the first security result to a core network device.
  7. The communication method according to any one of claims 1-6, wherein the communication method further comprises:
    storing, by the first access network device, the first security result;
    and the acquiring, by the first access network device, the first security result of the PDU session comprises:
    acquiring, by the first access network device, the first security result locally.
  8. The communication method according to any one of claims 1-7, wherein the first security result is determined by the second access network device, and the communication method further comprises:
    after performing security protection on the first QoS flow according to the first security result, releasing, by the first access network device, a fourth QoS flow, the fourth QoS flow belonging to the PDU session;
    sending, by the first access network device, a second request message to the second access network device, the second request message requesting that security protection be performed on the fourth QoS flow according to the first security result.
  9. A communication method, comprising:
    acquiring, by a first access network device, indication information from a core network device, the indication information indicating that security protection is to be performed on a preset quality of service (QoS) flow or a preset evolved packet system (EPS) bearer according to a first security result, the security protection comprising at least one of integrity protection and encryption protection;
    determining, by the first access network device, a target DRB, wherein the target DRB carries the preset QoS flow, or the target DRB corresponds to the preset EPS bearer;
    performing, by the first access network device, security protection on the target DRB according to the first security result.
  10. The communication method according to claim 9, wherein the communication method further comprises:
    releasing, by the first access network device, the preset QoS flow or the preset EPS bearer;
    sending, by the first access network device, a security request message to a second access network device, the security request message requesting that security protection be performed on the released object according to the first security result.
  11. A communication apparatus, applied to a dual-connectivity communication system comprising a first access network device and a second access network device, wherein the communication apparatus is the first access network device and comprises a processor, the processor being configured to be coupled to a memory and to read and execute instructions in the memory so as to:
    acquire a first quality of service (QoS) flow, the first QoS flow belonging to a protocol data unit (PDU) session;
    acquire a first security result of the PDU session, the first security result being determined by the first access network device or by the second access network device, wherein the first security result indicates whether security protection is to be performed on the PDU session, and the security protection comprises at least one of integrity protection and encryption protection;
    carry the first QoS flow, and perform security protection on the first QoS flow according to the first security result.
  12. The communication apparatus according to claim 11, wherein the PDU session comprises a second QoS flow, and the second QoS flow is carried by the second access network device.
  13. The communication apparatus according to claim 12, wherein before the processor acquires the first QoS flow, all QoS flows in the PDU session are carried by the second access network device; and the first security result is determined by the second access network device.
  14. The communication apparatus according to claim 12, wherein the processor further carries a third QoS flow in the PDU session;
    if the communication apparatus is the master node of the dual-connectivity communication system, the first security result is determined by the processor;
    if the second access network device is the master node of the dual-connectivity communication system, the first security result is determined by the second access network device.
  15. The communication apparatus according to claim 13, wherein the processor is further configured to:
    before the second access network device determines the first security result, carry all QoS flows in the PDU session;
    determine a second security result of the PDU session, the second security result indicating whether security protection is to be performed on the PDU session, and the second security result being the same as or different from the first security result;
    release all QoS flows in the PDU session, and send a first request message to the second access network device; if the communication apparatus is the master node of the dual-connectivity communication system and the second access network device is the secondary node of the communication system, the first request message requests that resources be allocated for the PDU session and that the first security result be determined according to first security indication information; if the communication apparatus is the secondary node of the dual-connectivity communication system and the second access network device is the master node of the communication system, the first request message requests that all QoS flows in the PDU session be released;
    wherein the first security indication information indicates that security protection is to be performed on the QoS flows released by the processor, or indicates that whether to perform security protection on the QoS flows released by the processor is to be determined independently.
  16. The communication apparatus according to claim 15, wherein if the communication apparatus is the master node of the dual-connectivity communication system and the second access network device is the secondary node of the communication system, the processor is further configured to:
    receive the first security result from the second access network device;
    if the first security result is different from the second security result, send the first security result to a core network device.
  17. The communication apparatus according to any one of claims 11-16, wherein:
    the memory is further configured to store the first security result;
    the processor is specifically configured to acquire the first security result from the memory.
  18. The communication apparatus according to any one of claims 11-17, wherein the first security result is determined by the second access network device, and the processor is further configured to:
    after performing security protection on the first QoS flow according to the first security result, release a fourth QoS flow, the fourth QoS flow belonging to the PDU session;
    send a second request message to the second access network device, the second request message requesting that security protection be performed on the fourth QoS flow according to the first security result.
  19. A communication apparatus, wherein the communication apparatus is a first access network device and comprises a processor, the processor being configured to be coupled to a memory and to read and execute instructions in the memory so as to:
    acquire indication information from a core network device, the indication information indicating that security protection is to be performed on a preset quality of service (QoS) flow or a preset evolved packet system (EPS) bearer according to a first security result, the security protection comprising at least one of integrity protection and encryption protection;
    determine a target DRB, wherein the target DRB carries the preset QoS flow, or the target DRB corresponds to the preset EPS bearer;
    perform security protection on the target DRB according to the first security result.
  20. The communication apparatus according to claim 19, wherein the processor is further configured to:
    release the preset QoS flow or the preset EPS bearer;
    send a security request message to a second access network device, the security request message requesting that security protection be performed on the released object according to the first security result.
  21. A computer-readable storage medium storing instructions, wherein when the instructions are run on a communication apparatus, the communication apparatus is caused to perform the communication method according to any one of claims 1-8, or the communication method according to any one of claims 9-10.
  22. A communication apparatus, applied to a dual-connectivity communication system comprising a first access network device and a second access network device, the communication apparatus comprising a storage unit and a processing unit; the storage unit is configured to store computer program code, and the computer program code comprises computer instructions; when the processing unit executes the computer instructions, the communication apparatus performs the communication method according to any one of claims 1-8.
  23. A communication apparatus, comprising a storage unit and a processing unit; the storage unit is configured to store computer program code, and the computer program code comprises computer instructions; when the processing unit executes the computer instructions, the communication apparatus performs the communication method according to claim 9 or 10.
  24. A chip system, applied to a communication apparatus; the chip system comprises one or more interface circuits and one or more processors; the interface circuits and the processors are interconnected by lines; the interface circuit is configured to receive a signal from a memory of the communication apparatus and to send the signal to the processor, the signal comprising computer instructions stored in the memory; when the processor executes the computer instructions, the communication apparatus performs the communication method according to any one of claims 1-8, or the communication method according to any one of claims 9-10.
  25. A computer program product, comprising computer instructions which, when run on a communication apparatus, cause the communication apparatus to perform the communication method according to any one of claims 1-8, or the communication method according to any one of claims 9-10.
  26. A communication system, comprising a first access network device and a second access network device; the first access network device and the second access network device are in dual connectivity, wherein the first access network device is configured to perform the communication method according to any one of claims 1-8.
  27. A communication system, comprising a first access network device and a core network device, wherein the first access network device is configured to perform the communication method according to claim 9 or 10.
  28. The communication system according to claim 27, wherein the communication system further comprises a second access network device; the second access network device is in dual connectivity with the first access network device.
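As an added illustration of the procedure in claims 1-10 (this is not code from the patent or from Huawei), the following Python model keeps one user-plane security result per PDU session while the session's QoS flows are split across a master node and a secondary node. It shows who determines the result (the node carrying all flows, otherwise the master node), how a node that takes over a flow applies the session's existing result rather than choosing its own, how the master node reports to the core network when the secondary node's decision differs from its earlier one, and how a core-network indication naming a preset QoS flow is resolved to the DRB that carries it. The class, function and field names, the `sn_policy` argument and the sample QFI/DRB values are assumptions; real Xn/NG signalling is not modelled.

```python
"""Added model of a per-PDU-session security result shared across a dual-connectivity split.

Names and message semantics below are assumptions made for illustration, not the patent's own.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Role(Enum):
    MASTER = "MN"
    SECONDARY = "SN"


@dataclass(frozen=True)
class SecurityResult:
    """Whether user-plane integrity protection and/or ciphering applies to a PDU session."""
    integrity: bool
    ciphering: bool


@dataclass
class QosFlow:
    qfi: int                       # QoS flow identifier (constructed sample values in tests)
    pdu_session_id: int
    drb_id: int = 0                # DRB this flow is mapped to on the carrying node
    applied: Optional[SecurityResult] = None   # protection the carrying node actually applies


@dataclass
class AccessNetworkDevice:
    name: str
    role: Role
    flows: Dict[int, QosFlow] = field(default_factory=dict)           # carried flows, keyed by QFI
    results: Dict[int, SecurityResult] = field(default_factory=dict)  # stored per PDU session
    core_reports: List[Tuple[int, SecurityResult]] = field(default_factory=list)

    def carry(self, flow: QosFlow, result: SecurityResult) -> None:
        """Carry a flow and protect it according to the session's security result."""
        self.results[flow.pdu_session_id] = result   # stored locally for later lookups
        flow.applied = result
        self.flows[flow.qfi] = flow

    def release(self, qfi: int) -> QosFlow:
        flow = self.flows.pop(qfi)
        flow.applied = None
        return flow

    def session_flows(self, sid: int) -> List[QosFlow]:
        return [f for f in self.flows.values() if f.pdu_session_id == sid]


def result_owner(a: AccessNetworkDevice, b: AccessNetworkDevice, sid: int) -> AccessNetworkDevice:
    """Node that determines the session's security result.

    A node carrying all of the session's flows decides; when both carry flows, the master node does.
    """
    a_has, b_has = bool(a.session_flows(sid)), bool(b.session_flows(sid))
    if a_has and not b_has:
        return a
    if b_has and not a_has:
        return b
    return a if a.role is Role.MASTER else b


def move_flow(src: AccessNetworkDevice, dst: AccessNetworkDevice, qfi: int) -> SecurityResult:
    """Move one QoS flow of a session from src to dst.

    dst acquires the session's existing result (its own stored copy if present, else src's)
    and applies the same protection, so the session never ends up with mixed protection.
    """
    flow = src.release(qfi)
    sid = flow.pdu_session_id
    result = dst.results.get(sid) or src.results[sid]
    dst.carry(flow, result)
    return result


def handover_session(mn: AccessNetworkDevice, sn: AccessNetworkDevice, sid: int,
                     sn_decides: bool, sn_policy: Optional[SecurityResult] = None) -> SecurityResult:
    """Master node releases all flows of a session to the secondary node.

    mn had earlier determined a 'second' result. Its request carries the security indication:
    keep protecting as before (sn_decides=False) or decide independently (sn_decides=True, with
    sn_policy standing in for what sn decides). If the resulting 'first' result differs from the
    earlier one, mn reports it to the core network.
    """
    second = mn.results[sid]
    released = [mn.release(f.qfi) for f in mn.session_flows(sid)]
    first = sn_policy if (sn_decides and sn_policy is not None) else second
    for f in released:
        sn.carry(f, first)
    mn.results[sid] = first            # master keeps the result now in force
    if first != second:
        mn.core_reports.append((sid, first))
    return first


def protect_target_drb(node: AccessNetworkDevice, preset_qfi: int, result: SecurityResult) -> int:
    """Core-network indication names a preset QoS flow; protect the DRB that carries it."""
    target = node.flows[preset_qfi].drb_id
    for f in node.flows.values():
        if f.drb_id == target:
            f.applied = result
    return target


def session_consistent(a: AccessNetworkDevice, b: AccessNetworkDevice, sid: int) -> bool:
    """Invariant the method maintains: every flow of one PDU session carries one protection setting."""
    applied = {f.applied for f in a.session_flows(sid) + b.session_flows(sid)}
    return len(applied) <= 1
```

`session_consistent` is the check an operator's test harness would run after each split, handover or DRB re-mapping: a PDU session whose flows disagree on integrity or ciphering is exactly the state the claims are written to prevent.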

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910115213.1A CN111565391B (en) 2019-02-14 2019-02-14 Communication method and device
CN201910115213.1 2019-02-14

Publications (1)

Publication Number Publication Date
WO2020164432A1 true WO2020164432A1 (en) 2020-08-20

Family

ID=72045131

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/074406 WO2020164432A1 (en) 2019-02-14 2020-02-06 Communication method and apparatus

Country Status (2)

Country Link
CN (1) CN111565391B (en)
WO (1) WO2020164432A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022237699A1 (en) * 2021-05-08 2022-11-17 华为技术有限公司 Method for activating security, and communications apparatus

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018008983A1 (en) * 2016-07-05 2018-01-11 Samsung Electronics Co., Ltd. Method and system for authenticating access in mobile wireless network system
WO2018167307A1 (en) * 2017-03-17 2018-09-20 Telefonaktiebolaget Lm Ericsson (Publ) Security solution for switching on and off security for up data between ue and ran in 5g

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2908570B1 (en) * 2012-11-13 2019-06-19 Huawei Technologies Co., Ltd. Method and base station for transmitting data
EP3338481B1 (en) * 2015-08-19 2021-09-29 Samsung Electronics Co., Ltd. Method and wireless communication system for handling offloading of drbs to wlan carrier
CN108377567B (en) * 2016-11-01 2021-02-23 北京三星通信技术研究有限公司 Method, device and system for establishing double-connection data transmission under 5G architecture
CN110248382B (en) * 2017-01-05 2020-09-08 华为技术有限公司 Information transmission method and device

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
HUAWEI: "(TP for NR BL CR for TS 38.413): PDU Session Split", 3GPP TSG-RAN3 MEETING #101-BIS, R3-185772, 12 October 2018 (2018-10-12), XP051529041, DOI: 20200414155343A *
NOKIA ET AL.: "(TP for NR BL CR for TS 38.423): Correction of UP Security", 3GPP TSG-RAN WG3#NR AH1807, R3-183637, 6 July 2018 (2018-07-06), XP051467931, DOI: 20200414155040X *
ZTE: "Further Discussion and TS38.413 pCR for UP Security Handling", 3GPP TSG RAN WG3#100, R3-182628, 25 May 2018 (2018-05-25), XP051445132, DOI: 20200414154758X *
ZTE: "TS38.423 pCR for UP Security Handling", 3GPP TSG RAN WG3#100, R3-182629, 25 May 2018 (2018-05-25), XP051445133, DOI: 20200414154836A *

Also Published As

Publication number Publication date
CN111565391A (en) 2020-08-21
CN111565391B (en) 2022-04-05


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20756148; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20756148; Country of ref document: EP; Kind code of ref document: A1)