WO2020177523A1 - 终端设备的注册方法及装置 - Google Patents

终端设备的注册方法及装置 Download PDF

Info

Publication number
WO2020177523A1
WO2020177523A1 PCT/CN2020/075611 CN2020075611W WO2020177523A1 WO 2020177523 A1 WO2020177523 A1 WO 2020177523A1 CN 2020075611 W CN2020075611 W CN 2020075611W WO 2020177523 A1 WO2020177523 A1 WO 2020177523A1
Authority
WO
WIPO (PCT)
Prior art keywords
slice
slices
selection information
authentication
access
Prior art date
Application number
PCT/CN2020/075611
Other languages
English (en)
French (fr)
Inventor
雷中定
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2020177523A1 publication Critical patent/WO2020177523A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W60/00Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W24/00Supervisory, monitoring or testing arrangements
    • H04W24/02Arrangements for optimising operational condition
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup
    • H04W76/12Setup of transport tunnels

Definitions

  • This application relates to the field of mobile communication technology, and in particular to a method and device for registering terminal equipment.
  • the terminal device Before the terminal device accesses the network or the slice, it needs to perform two-way authentication with the slice and obtain authorization from the network.
  • two levels of authentication may be required between terminal equipment and the network.
  • the certification between the terminal equipment and the operator's network is called the first-level certification
  • the certification between the terminal equipment and the third-party network outside the operator's network is called the second-level certification.
  • terminal device initiates a registration request -> first-level authentication of the operator network -> second-level authentication of the third-party network -> network authorization of the slice accessed by the terminal device -> registration completed.
  • timers for registration and authentication. Since the secondary authentication is the authentication between the terminal device and the third-party network, the computing resources of the authentication server responsible for the authentication of the third-party network can be very different, which will also cause the time required to complete the secondary authentication to be different. Furthermore, one registration process can support multiple nested secondary certifications, which will make the time to complete the secondary certification process very different. However, in the specific implementation of the registration and authentication process, a timer will be set in advance for the overall process and each key step. If each timed step or process times out, an operation error will occur.
  • the network can also relieve the timer setting problem by suspending and resuming the timer of the registration process, but this introduces a new problem of complicated timer management.
  • the system setting timer has become a complex and challenging task.
  • This application provides a method and device for registering a terminal device to solve the problem that the registration and authentication timers in the registration process of the terminal device are difficult to set or manage, and the registration process takes a long time to simplify and shorten the timer setting The purpose of the duration of the initial registration process.
  • the terminal device sends a first registration request message to the mobility management network element, where the first registration request message includes selection information of the slice to which access is requested; after the terminal device completes first-level authentication and establishes a security context
  • the terminal device receives a first registration acceptance message from the mobility management network element, the first registration acceptance message includes selection information of slices that are allowed to access, and the selection information of slices that are allowed to access includes the following At least one of the information: selection information of slices that have completed secondary authentication among the slices requested for access, selection information of slices that do not require secondary authentication among the slices requested for access, and no need for network allocation Selection information of the slice for performing secondary authentication; among the slices for which access is requested, secondary authentication is required and the first slice that has not completed secondary authentication has passed the secondary authentication, the terminal device receives information from the mobile
  • the updated access-allowed slice selection information of the network element includes the selection information of the first slice or the information allocated by the network and that of the first slice. Selection information of the slice corresponding to the selection information.
  • the network sends the registration acceptance message earlier than the registration acceptance message in the registration process of the prior art, that is, this application will send the registration acceptance message after completing the primary authentication of the terminal device and establishing the security context (
  • the registration acceptance message is sent after level authentication, which not only solves the problems caused by nested authentication, but also greatly increases the flexibility of access for terminal devices, and makes the setting or management of timers during registration easier .
  • the terminal device can decide when to perform the second-level certification based on the second-level certification information fed back by the network, which is more convenient for the terminal device. For example, the terminal device can access the slice that has been successfully authenticated, establish a session, and send and receive data services. And when it is free at a later time, it requests access to other slices.
  • the first registration acceptance message further includes at least one of the following information: selection information of the slices that require secondary authentication and have not completed secondary authentication among the slices for which access is requested; The estimated time required for the second-level authentication for the slices that require second-level authentication and the slices that have not completed the second-level authentication, the first slice authentication instruction, and the slices that request access do not need to be performed. The selection information of the slice for the secondary authentication, the selection information of the slice that is denied access among the slices requested for access, and at least one temporary identifier; wherein the first slice authentication indication is used to indicate that there is an uncompleted secondary For certified slices, a temporary identifier corresponds to the selection information of one or more slices in the slices that have completed the secondary authentication.
  • the selection information of the slices that require secondary authentication and that have not completed secondary authentication among the slices that request access is carried in a slice selection information list, and the slice selection information in the slice selection information list
  • the order of the slice selection information indicates the priority of the slices in the slice selection information list for secondary authentication.
  • the terminal device sends a first message to the mobility management network element, where the first message is used to request that the slice for which access is requested requires secondary authentication and is not
  • the slices that have completed the secondary certification are subject to secondary certification.
  • the receiving, by the terminal device, the updated selection information of the slice allowed to access includes: the terminal device receives a second message from the mobility management network element, the second message including the updated accessible slice Selection information for slices.
  • the first message includes selection information of a slice that requires secondary authentication and has not completed secondary authentication among the slices for which access is requested, and/or a second slice authentication instruction;
  • the second slice authentication instruction is used to request the second-level authentication for the slices that require the second-level authentication and have not completed the second-level authentication among the slices that are requested to be accessed.
  • the first message is a second registration request message, and the second message is a second registration acceptance message; or, the first message is a slice registration request message, and the second The message is the slice registration acceptance message.
  • the terminal device receiving updated slice selection information that is allowed to be accessed from the mobility management network element includes: the terminal device receiving information from the mobility management network element A configuration update command, where the configuration update command includes the updated selection information of the slice allowed to be accessed.
  • the configuration update command further includes at least one of the following information: among the slices for which access is requested, secondary authentication is required, and among the slices that have not completed secondary authentication, access is denied.
  • Slice selection information updated slice selection information of the slices that require second-level authentication and have not completed second-level authentication among the updated slices that have not completed second-level authentication, and at least one temporary identifier; where one temporary identifier corresponds to the slice that completes second-level authentication Selection information of one or more slices in.
  • the mobility management network element receives a first registration request message from a terminal device, where the first registration request message includes selection information of the slice requesting access; completes first-level authentication and establishes a security context on the terminal device Afterwards, the mobility management network element determines whether the slice requested for access requires secondary authentication; the mobility management network element sends a first registration acceptance message to the terminal device, and the first registration acceptance message It includes selection information of slices that are allowed to access, and the selection information of slices that are allowed to access includes at least one of the following information: selection information of slices that have completed secondary authentication among the slices for which access is requested, and the request Selection information of slices that do not require secondary authentication among the accessed slices, and selection information of slices allocated by the network that do not require secondary authentication; among the slices that are requested to access, secondary authentication is required and secondary authentication is not completed.
  • the mobility management network element After the second-level authentication of the first slice of the level authentication is passed, the mobility management network element sends to the terminal device updated slice selection information that is allowed to access, and the updated slice selection information that is allowed to access includes The selection information of the first slice or the selection information of the slice corresponding to the selection information of the first slice allocated by the network.
  • the network sends the registration acceptance message earlier than the registration acceptance message in the registration process of the prior art, that is, this application will send the registration acceptance message after completing the primary authentication of the terminal device and establishing the security context (
  • the registration acceptance message By sending the registration acceptance message in advance, the registration process can end as soon as possible, but this only represents the temporary (Interim) end, not the complete end, because there are still secondary certifications that have not been completed), and the existing technology waits until all the slices are completed.
  • the registration acceptance message is sent after authentication, which not only solves the problems caused by nested authentication, but also greatly increases the flexibility of access for terminal devices, and makes the setting or management of timers during registration easier.
  • the terminal device can decide when to perform the second-level certification based on the second-level certification information fed back by the network, which is more convenient for the terminal device. For example, the terminal device can access the slice that has been successfully authenticated, establish a session, and send and receive data services. And when it is free at a later time, it requests access to other slices.
  • the first registration acceptance message further includes at least one of the following information: selection information of the slices that require secondary authentication and have not completed secondary authentication among the slices for which access is requested; The estimated time required for the second-level authentication for the slices that require second-level authentication and the slices that have not completed the second-level authentication, the first slice authentication instruction, and the slices that request access do not need to be performed. The selection information of the slice for the secondary authentication, the selection information of the slice that is denied access among the slices requested for access, and at least one temporary identifier; wherein the first slice authentication indication is used to indicate that there is an uncompleted secondary For certified slices, a temporary identifier corresponds to the selection information of one or more slices that have completed secondary authentication.
  • the selection information of the slices that require secondary authentication and that have not completed secondary authentication among the slices that request access is carried in a slice selection information list, and the slice selection information in the slice selection information list
  • the order of the slice selection information indicates the priority of the slices in the slice selection information list for secondary authentication.
  • the mobility management network element receives a first message from the terminal device, and the first message is used to request that the slice for which access is requested requires secondary authentication and The slices that have not completed the second-level authentication are subjected to the second-level authentication; the mobility management network element sends updated selection information of the slices allowed to be accessed to the terminal device, including: the mobility management network element sends the terminal device to the terminal device. Send a second message, where the second message includes the updated slice selection information that is allowed to access.
  • the first message includes selection information of a slice that requires secondary authentication and has not completed secondary authentication among the slices for which access is requested, and/or a second slice authentication instruction;
  • the second slice authentication instruction is used to request the second-level authentication for the slices that require the second-level authentication and have not completed the second-level authentication among the slices that are requested to be accessed.
  • the first message is a second registration request message, and the second message is a second registration acceptance message; or, the first message is a slice registration request message, and the second The message is the slice registration acceptance message.
  • the mobility management network element sending updated access-allowed slice selection information to the terminal device includes: the mobility management network element sending a configuration update to the terminal device Command, the configuration update command includes the updated selection information of the slice allowed to be accessed.
  • the configuration update command further includes at least one of the following information: among the slices for which access is requested, secondary authentication is required, and among the slices that have not completed secondary authentication, access is denied.
  • Slice selection information updated slice selection information of the slices that require second-level authentication and have not completed second-level authentication among the updated slices that have not completed second-level authentication, and at least one temporary identifier; where one temporary identifier corresponds to the slice that completes second-level authentication Selection information of one or more slices in.
  • the terminal device sends a first registration request message to the mobility management network element, where the first registration request message includes selection information of a slice requesting access, and the slice requesting access does not require two A slice of level authentication; after the terminal device completes level 1 authentication and establishes a security context, the terminal device receives a first registration acceptance message from the mobility management network element, where the first registration acceptance message includes permission to access
  • the selection information of the slice that is allowed to access, the selection information of the slice that is allowed to access includes the selection information of the slice that is allowed to access among the slices for which access is requested and/or the slice that is allocated by the network that does not require secondary authentication.
  • the terminal device sends a first message to the mobility management network element, the first message includes the selection information of the slice that requires secondary authentication, and the first message is used to request the The second-level certified slice is subjected to slice authentication; after the second-level authentication of the first slice in the second-level authentication is required, the terminal device receives the second message from the mobility management network element, so The second message includes the updated selection information of the slice that is allowed to access, and the updated selection information of the slice that is allowed to access includes the selection information of the first slice or the information allocated by the network and that of the first slice. Selection information of the slice corresponding to the selection information.
  • the network sends the registration acceptance message earlier than the registration acceptance message in the registration process of the prior art, that is, this application will send the registration acceptance message after completing the primary authentication of the terminal device and establishing the security context (
  • the registration acceptance message By sending the registration acceptance message in advance, the registration process can end as soon as possible, but this only represents the temporary (Interim) end, not the complete end, because there are still secondary certifications that have not been completed), and the existing technology waits until all the slices are completed.
  • the registration acceptance message is sent after authentication, which not only solves the problems caused by nested authentication, but also greatly increases the flexibility of access for terminal devices, and makes the setting or management of timers during registration easier.
  • the terminal device can decide when to perform the second-level certification based on the second-level certification information fed back by the network, which is more convenient for the terminal device. For example, the terminal device can access the slice that has been successfully authenticated, establish a session, and send and receive data services. And when it is free at a later time, it requests access to other slices.
  • the selection information of the slices that require secondary authentication is carried in a slice selection information list, and the sequence of the slice selection information in the slice selection information list indicates the slice selection The priority of the secondary authentication for the slices in the information list.
  • the first message further includes the grouping information indicating the grouping information of the slices requiring secondary authentication, and the grouping information indicating the priority of each grouping for secondary authentication .
  • the first message is a second registration request message, and the second message is a second registration acceptance message; or, the first message is a slice registration request message, and the second The message is the slice registration acceptance message.
  • the mobility management network element receives a first registration request message from a terminal device, where the first registration request message includes selection information of a slice requesting access, and the slice requesting access does not require secondary Authentication slice; after the terminal device completes primary authentication and establishes a security context, the mobility management network element sends a first registration acceptance message to the terminal device, and the first registration acceptance message includes the allowed access Slice selection information, where the selection information of the slices that are allowed to access includes the selection information of the slices that are allowed to be accessed among the slices requested for access and/or the selection information of the slices allocated by the network that do not require secondary authentication
  • the mobility management network element receives a first message from the terminal device, the first message includes the selection information of the slice that requires secondary authentication, and the first message is used to request that the second The slices with level authentication are subjected to slice authentication; after the first slice of the slices requiring level 2 authentication passes the second level authentication, the mobility management network element sends a second message to the terminal device, and the first The second message includes the updated
  • the network sends the registration acceptance message earlier than the registration acceptance message in the registration process of the prior art, that is, this application will send the registration acceptance message after completing the primary authentication of the terminal device and establishing the security context (
  • the registration acceptance message By sending the registration acceptance message in advance, the registration process can end as soon as possible, but this only represents the temporary (Interim) end, not the complete end, because there are still secondary certifications that have not been completed), and the existing technology waits until all the slices are completed.
  • the registration acceptance message is sent after authentication, which not only solves the problems caused by nested authentication, but also greatly increases the flexibility of access for terminal devices, and makes the setting or management of timers during registration easier.
  • the terminal device can decide when to perform the second-level certification based on the second-level certification information fed back by the network, which is more convenient for the terminal device. For example, the terminal device can access the slice that has been successfully authenticated, establish a session, and send and receive data services. And when it is free at a later time, it requests access to other slices.
  • the selection information of the slices that require secondary authentication is carried in a slice selection information list, and the sequence of the slice selection information in the slice selection information list indicates the slice selection The priority of the secondary authentication for the slices in the information list.
  • the first message further includes the grouping information indicating the grouping information of the slices requiring secondary authentication, and the grouping information indicating the priority of each grouping for secondary authentication .
  • the first message is a second registration request message, and the second message is a second registration acceptance message; or, the first message is a slice registration request message, and the second The message is the slice registration acceptance message.
  • the present application provides a communication device, which has the function of implementing any of the foregoing aspects or the implementation method in any aspect.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the present application provides a communication device, including: a processor and a memory; the memory is used to store computer execution instructions, and when the device is running, the processor executes the computer execution instructions stored in the memory to enable the The device executes any aspect or implementation method in any aspect described above.
  • the present application provides a communication device, including: a unit or means for performing each step of any of the above aspects.
  • the present application provides a communication device including a processor and an interface circuit.
  • the processor is configured to communicate with other devices through the interface circuit and execute any method provided in any of the above aspects.
  • the processor includes one or more.
  • the present application provides a communication device, including a processor, configured to be connected to a memory, and configured to call a program stored in the memory to execute the method in any implementation manner of any of the foregoing aspects.
  • the memory can be located inside the device or outside the device.
  • the processor includes one or more.
  • the present application also provides a computer-readable storage medium having instructions stored in the computer-readable storage medium, which when run on a computer, cause a processor to execute the method described in any of the foregoing aspects.
  • the present application also provides a computer program product including instructions, which when run on a computer, cause the computer to execute the method described in any of the above aspects.
  • the present application also provides a chip system, including a processor, configured to execute the methods described in the foregoing aspects.
  • the present application also provides a communication system, including a terminal device for executing any implementation method of the first aspect or the first aspect, and a terminal device for executing any implementation method of the second aspect or the second aspect. Mobility management network element.
  • the present application also provides a communication system, including a terminal device for executing any of the foregoing third aspect or any implementation method of the third aspect and a terminal device for executing any of the foregoing fourth aspect or any implementation method of the fourth aspect Mobility management network element.
  • Figure 1 is a schematic diagram of a possible network architecture provided by this application.
  • FIG. 2 is a schematic flowchart of a method for registering a terminal device provided by this application
  • FIG. 3 is a schematic flowchart of another method for registering a terminal device provided by this application.
  • FIG. 4 is a schematic flowchart of another method for registering a terminal device provided by this application.
  • FIG. 5 is a schematic flowchart of another method for registering a terminal device provided by this application.
  • FIG. 6 is a schematic flowchart of another method for registering a terminal device provided by this application.
  • FIG. 7 is a schematic flowchart of another method for registering a terminal device provided by this application.
  • FIG. 8 is a schematic diagram of a communication device provided by this application.
  • FIG. 9 is a schematic diagram of another communication device provided by this application.
  • FIG. 10 is a schematic diagram of another communication device provided by this application.
  • FIG. 1 it is a schematic diagram of the fifth generation (5G) network architecture based on a service-oriented architecture.
  • the 5G network architecture shown in FIG. 1 may include three parts, namely a terminal equipment part, a data network (DN), and an operator network part.
  • DN data network
  • the operator's network may include network exposure function (NEF) network elements, network storage function (network function repository function, NRF) network elements, policy control function (PCF) network elements, and unified data management (unified data management, UDM) network elements, application function (AF) network elements, authentication server function (authentication server function, AUSF) network elements, access and mobility management function (access and mobility management function, AMF) Network element, session management function (SMF) network element, (radio) access network ((radio) access network, (R)AN), user plane function (UPF) network element, etc.
  • NEF network exposure function
  • NRF network storage function repository function
  • PCF policy control function
  • UDM unified data management
  • AF application function
  • authentication server function authentication server function
  • AUSF access and mobility management function
  • AMF Access and mobility management function
  • SMF session management function
  • R radio access network
  • R user plane function
  • UPF user plane function
  • the terminal equipment of the present application (also referred to as user equipment (UE)) is a device with wireless transceiver function, which can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; or on the water (Such as ships, etc.); it can also be deployed in the air (such as airplanes, balloons, and satellites, etc.).
  • UE user equipment
  • the terminal may be a mobile phone (mobile phone), a tablet computer (pad), a computer with wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, and an industrial control (industrial control) Wireless terminals in, self-driving (self-driving), wireless terminals in remote medical, wireless terminals in smart grid, wireless terminals in transportation safety, Wireless terminals in a smart city, wireless terminals in a smart home, etc.
  • the above-mentioned terminal equipment can establish a connection with the operator's network through an interface (such as N1, etc.) provided by the operator's network, and use services such as data and/or voice provided by the operator's network.
  • the terminal device can also access the DN through the operator's network, and use the operator's service deployed on the DN and/or the service provided by a third party.
  • the aforementioned third party may be a service party other than the operator's network and terminal equipment, and may provide other services such as data and/or voice for the terminal equipment.
  • the specific form of expression of the aforementioned third party can be determined according to actual application scenarios, and is not limited here.
  • the RAN is a sub-network of an operator's network, and an implementation system between service nodes and terminal equipment in the operator's network.
  • the terminal device To access the operator's network, the terminal device first passes through the RAN, and then can be connected to the service node of the operator's network through the RAN.
  • the RAN equipment in this application is a type of equipment that provides wireless communication functions for terminal equipment.
  • the access network equipment includes but is not limited to: next-generation base stations (gnodeB, gNB) in 5G, evolved node B (evolved node B) , ENB), radio network controller (RNC), node B (node B, NB), base station controller (BSC), base transceiver station (base transceiver station, BTS), home base station ( For example, home evolved nodeB, or home node B, HNB, baseband unit (BBU), transmission point (transmitting and receiving point, TRP), transmission point (TP), mobile switching center, etc.
  • gnodeB next-generation base stations
  • gNB next-generation base stations
  • 5G evolved node B (evolved node B) , ENB)
  • RNC radio network controller
  • node B node B
  • BSC base station controller
  • BTS base transceiver station
  • home base station For example, home evolved nodeB, or home node B, HNB, baseband unit (BBU), transmission point (transmitting
  • the AMF network element is a control plane network element provided by the operator's network. It is responsible for the access control and mobility management of terminal equipment accessing the operator's network. For example, it includes functions such as mobile status management, allocation of temporary user identities, authentication and authorization of users, etc. .
  • the SMF network element is a control plane network element provided by the operator's network, and is responsible for managing the protocol data unit (protocol data unit, PDU) session of the terminal device.
  • a PDU session is a channel used to transmit PDUs, and terminal devices need to transmit PDUs to each other through the PDU session and DN.
  • the PDU session is established, maintained, and deleted by the SMF network element.
  • SMF network elements include session management (such as session establishment, modification and release, including tunnel maintenance between UPF and AN), UPF network element selection and control, service and session continuity (Service and Session Continuity, SSC) mode selection, Session-related functions such as roaming.
  • the UPF network element is a gateway provided by the operator and a gateway for the communication between the operator's network and the DN.
  • UPF network elements include user plane-related functions such as data packet routing and transmission, packet inspection, service usage reporting, quality of service (QoS) processing, lawful monitoring, upstream packet inspection, and downstream packet storage.
  • QoS quality of service
  • DN also called packet data network (PDN)
  • PDN packet data network
  • the operator’s network can be connected to multiple DNs, and multiple services can be deployed on the DN to provide terminal equipment. Services such as data and/or voice.
  • DN is the private network of a smart factory.
  • the sensors installed in the workshop of the smart factory can be terminal devices.
  • the control server of the sensor is deployed in the DN, and the control server can provide services for the sensors.
  • the sensor can communicate with the control server, obtain instructions from the control server, and transmit the collected sensor data to the control server according to the instructions.
  • a DN is an internal office network of a company.
  • the mobile phones or computers of employees of the company can be terminal devices, and the mobile phones or computers of employees can access information and data resources on the company's internal office network.
  • the UDM network element is a control plane network element provided by the operator. It is responsible for storing the subscriber permanent identifier (SUPI), credential, security context, and subscription data of subscribers in the operator’s network. And other information.
  • the information stored in UDM network elements can be used for authentication and authorization of terminal equipment accessing the operator's network.
  • the contracted users of the above-mentioned operator's network may specifically be users who use the services provided by the operator's network, such as users who use China Telecom's mobile phone core card, or users who use China Mobile's mobile phone core card.
  • the permanent subscription identifier (Subscription Permanent Identifier, SUPI) of the aforementioned subscriber may be the number of the mobile phone core card, etc.
  • the credential and security context of the aforementioned subscriber may be a small file stored such as the encryption key of the mobile phone core card or information related to the encryption of the mobile phone core card for authentication and/or authorization.
  • the aforementioned security context may be data (cookie) or token (token) stored on the user's local terminal (for example, mobile phone).
  • the contract data of the aforementioned subscriber may be the supporting service of the mobile phone core card, such as the data package of the mobile phone core card or the use of the network.
  • permanent identifiers, credentials, security contexts, authentication data (cookies), and tokens are equivalent to information related to authentication and authorization.
  • no distinction or restriction is made for the convenience of description. If no special instructions are given, the embodiments of the present application will be described using a security context as an example, but the embodiments of the present application are also applicable to authentication and/or authorization information in other expression modes.
  • the AUSF network element is a control plane network element provided by the operator, and is usually used for first-level authentication, that is, the authentication between the terminal device (subscriber) and the operator's network. After the AUSF network element receives the authentication request initiated by the subscriber, it can authenticate and/or authorize the subscriber through the authentication information and/or authorization information stored in the UDM network element, or generate the authentication and/or authorization of the subscriber through the UDM network element. Or authorization information. The AUSF network element can feed back authentication information and/or authorization information to the subscriber.
  • NEF network elements are control plane network elements provided by operators. NEF network elements open the external interface of the operator's network to third parties in a safe manner. When the SMF network element needs to communicate with a third-party network element, the NEF network element can serve as a relay for the communication between the SMF network element and the third-party network element. When the NEF network element is used as a relay, it can be used as the translation of the identification information of the subscriber and the translation of the identification information of the third-party network element. For example, when NEF sends the SUPI of the subscriber from the operator network to the third party, it can translate the SUPI into its corresponding external identity (identity, ID). Conversely, when the NEF network element sends the external ID (third-party network element ID) to the operator's network, it can be translated into SUPI.
  • ID external identity
  • the PCF network element is a control plane function provided by the operator to provide the SMF network element with a PDU session strategy.
  • Policies can include charging-related policies, QoS-related policies, and authorization-related policies.
  • Network slice selection function (Network Slice Selection Function, NSSF) network elements (not shown in the figure) are responsible for determining network slice instances, selecting AMF network elements, and so on.
  • NSSF Network Slice Selection Function
  • Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface serial numbers.
  • the meaning of these interface serial numbers can refer to the meaning defined in the 3GPP standard protocol, which is not limited here.
  • the mobility management network element in this application may be the AMF network element shown in FIG. 1, or may be a network element having the function of the aforementioned AMF network element in a future communication system.
  • the mobility management network element in this application may also be a mobility management entity (MME) in long term evolution (LTE).
  • MME mobility management entity
  • the mobility management network element As an AMF network element as an example.
  • the AMF network element is referred to as AMF for short, and the terminal device is referred to as UE. That is, the AMF described later in this application can be replaced with a mobility management network element, and the UE can be replaced with a terminal device.
  • Network slicing in this application may also be referred to as “network slicing” or “network slicing instance”, and the three have the same meaning, and are explained here in a unified manner, and will not be repeated in the following.
  • 3rd Generation Partnership Project 3rd Generation Partnership Project
  • 3GPP 3rd Generation Partnership Project
  • network slices do not affect each other. For example, a large number of sudden meter reading services should not affect normal mobile broadband services.
  • 3GPP In order to meet diverse needs and isolation between slices, relatively independent management and operation and maintenance between businesses are required, and tailor-made business functions and analysis capabilities are provided. Instances of different types of services are deployed on different network slices, and different instances of the same service type can also be deployed on different network slices.
  • the slice in the 5G network is a virtual private network, which is composed of a set of network functions and sub-networks.
  • RAN, AMF, SMF, and UPF in Figure 1 can form a slice.
  • Each type of network function in Figure 1 is only schematically drawn, but in actual network deployment, each type of network function or sub-network can have multiple, tens or hundreds.
  • Many network slices can be deployed in the operator's network, and each slice can have different performance to meet the needs of different applications and different vertical industries. Operators can tailor a slice according to the needs of customers in different vertical industries. Operators can also allow some industry customers to enjoy greater autonomy and participate in part of the management and control functions of slicing.
  • slice-level authentication is a network control function participated by industry customers, that is, authentication and authorization of end users to access slices.
  • the selection process of the network slice will be triggered.
  • the slice selection process depends on the user's subscription data, local configuration information, roaming agreement, operator's strategy, and so on. In the selection process of the network slice, the above parameters need to be considered comprehensively to select the best slice type for the UE.
  • the UE may provide the requested network slice to the core network for the core network to select a network slice instance for the UE.
  • the network slice requested by the UE may be represented by a requested network slice collection, or may also be represented as requested network slice selection assistance information (requested NSSAI).
  • the requested NSSAI is composed of one or more single network slice selection assistance information (S-NSSAI).
  • S-NSSAI single network slice selection assistance information
  • Each S-NSSAI is used to identify a network slice type, which can also be understood as S- NSSAI is used to identify network slices, or can be understood as S-NSSAI is identification information of network slices.
  • the core network element (such as AMF or NSSF) comprehensively judges based on the UE's subscription data, the UE's requested NSSAI, roaming agreement, and local configuration information, and selects the set of network slices that the UE is allowed to access.
  • the set of network slices allowed to be accessed can be represented by allowed NSSAI, and the S-NSSAI included in the allowed NSSAI are all S-NSSAIs allowed to be accessed by the current operator network.
  • the UE Before accessing the network or network slice, the UE needs to perform mutual authentication with the network slice and obtain authorization from the network.
  • the network's authentication and authorization of the UE are directly performed by the operator's network.
  • This type of authentication and authorization method is called Primary Authentication.
  • DNs outside of the operator's network such as DNs that serve vertical industries
  • a commercial company provides a game platform to provide game players with game services through the operator's network.
  • the operator's network needs to authenticate and authorize the UE, that is, level 1 authentication.
  • the game player is a customer of a commercial company, and the commercial company also needs to authenticate and authorize game players. If this authentication is based on network slicing, or its granularity is based on slices, the authentication can be It is called slice authentication (slice authentication) or secondary authentication (secondary authentication), or slice-specific secondary authentication (slice-specific secondary authentication).
  • first-level authentication it is for the authentication between the UE (and or a certain user who uses the UE) and the network (operator network or third-party network).
  • the first-level authentication it refers to the authentication between the UE and the operator network.
  • the operator network performs the first-level authentication on the UE during the registration process of the UE. If the first-level authentication is passed, the security context of the UE can be established .
  • secondary authentication it refers to the authentication between the UE (or the user using the UE) and the network outside the operator's network (that is, the third-party network), and the third-party network will notify the operator of the result of the secondary authentication Provider network so that the operator’s network can authorize or deny the UE to access the operator’s network that serves the third-party network.
  • the second-level authentication is sometimes referred to as the second-level authentication of the slice, which actually means: the second-level authentication performed between the UE (or the user who uses the UE) and the third-party network , Its authentication result will determine whether the operator network authorizes the UE to access the slice.
  • Level 1 certification is supported.
  • the network such as UDM, AMF or NSSF and other network functions
  • the authorization information ie allowed NSSAI
  • 3GPP is studying how to effectively support the mechanisms of these two authentications (ie, primary and secondary authentication) at the same time.
  • the following gives a general process of the registration process of a UE that includes both primary and secondary authentication:
  • Step 1 The UE sends a registration application for access to the network to the AMF (for example, the UE sends a registration request message).
  • Step 2 The AMF initiates the first level authentication with the UE based on the UE's subscription information.
  • Step 3 After the first level authentication is successful, the AMF determines whether the UE needs further second level authentication.
  • Step 4 the AMF initiates a secondary authentication process, notifies the UE and DN to perform secondary authentication, and forwards various interactive information required for authentication between the UE and DN.
  • Step 5 After the secondary authentication of the UE and the DN is successful, the DN sends an authentication success message to the AMF.
  • Step 6 The AMF selects slices for the UE according to the authentication success message and other network information, and determines allowed NSSAI.
  • Step 7 The AMF sends the authorization information (that is, allowed NSSAI) to the UE through a registration acceptance message to complete the registration process.
  • the authorization information that is, allowed NSSAI
  • the above registration process is a process called “nested”.
  • the so-called “nested” can be understood in two ways: 1) Level 2 certification and Level 1 certification are nested together in the initial registration process, that is, the complete registration process is: Registration Request -> Level 1 Certification of Operator Network- >Second-level authentication of the third-party network->The network (operator network and third-party network) authorizes the slice accessed by the UE (NSSAI)->Registration is completed; 2) The second-level authentication is nested in the first-level authentication and In the network authorization process, that is, the first-level authentication of the operator's network -> the second-level authentication of the third-party network -> the network authorization (allowed NSSAI) of the slice accessed by the UE.
  • the secondary authentication may adopt the EAP (Extensible Authentication Protocol) standard established by the standard organization IETF (Internet Engineering Task Force) as the basic authentication mechanism, and support multiple EAP authentication methods (EAP methods). Due to different EAP authentication methods, the required authentication process and computing resources are different, and the time required to complete the authentication is also different. Further, the second level authentication is the authentication between the UE (or the user using the UE) and the external network. The computing resources of the authentication server in the external network can be very different. The information exchange between the 3GPP network and the network with different network resources The network congestion situation will also be different, which will also cause differences in the length of time required to complete the secondary certification.
  • EAP Extensible Authentication Protocol
  • IETF Internet Engineering Task Force
  • the first-level registration process can support multiple nested second-level certifications (respectively corresponding to multiple different S-NSSAIs), and the above factors can make the time to complete the second-level certification process vary greatly.
  • a timer will be set in advance for the overall process and each key step. If each timed step or process times out, an operation error will occur.
  • the network can also relieve the timer setting problem by suspending and resuming the timer of the registration process, but this will introduce new problems such as complicated timer management. In short, due to the differences in slice authentication time caused by the above factors, the problem of system setting timers has become a complex and challenging task.
  • the entire registration process may be significantly prolonged due to the drag of the secondary certification, causing other problems such as user experience.
  • UEs or users usually want to use accessible services as soon as possible, rather than waiting for a long time in the registration process.
  • this application provides multiple UE registration methods, which will be described in detail below.
  • FIG. 2 Based on the architecture shown in FIG. 1, as shown in FIG. 2, a schematic flowchart of a UE registration method provided by this application. The method includes the following steps:
  • Step 201 The UE sends a registration request (registration request) message to the AMF, and accordingly, the AMF can receive the registration request message.
  • the registration request message here may also be referred to as the first registration request message in this application.
  • the registration request message is used to request registration to the network.
  • the registration request message includes the selection information of the slice requested for access, and the selection information of the slice requested for access may be referred to as requested NSSAI, and the requested NSSAI includes one or more S-NSSAIs.
  • requested NSSAI ⁇ S-NSSAI1, S-NSSAI2, S-NSSAI3, S-NSSAI4, S-NSSAI5, S-NSSAI6 ⁇ , where S-NSSAI1 corresponds to slice 1, and S-NSSAI2 corresponds to slice 2.
  • S-NSSAI3 corresponds to slice 3
  • S-NSSAI4 corresponds to slice 4
  • S-NSSAI5 corresponds to slice 5
  • S-NSSAI6 corresponds to slice 6, that is, the UE requests to access slice 1, slice 2, slice 3, slice 4, slice 5, and slice 6. .
  • Step 202 After the UE completes the first-level authentication and establishes the security context, the AMF determines whether the slice requested for access needs to be second-level authentication.
  • requested NSSAI ⁇ S-NSSAI1, S-NSSAI2, S-NSSAI3, S-NSSAI4, S-NSSAI5, S-NSSAI6 ⁇ , for example, AMF determines slice 1 corresponding to S-NSSAI1, slice 2 corresponding to S-NSSAI2 The slice 3 corresponding to S-NSSAI3 and the slice 4 corresponding to S-NSSAI4 require secondary authentication, and the slice 5 corresponding to S-NSSAI5 and the slice 6 corresponding to S-NSSAI6 do not require secondary authentication.
  • the establishment of the security context described in step 201 may refer to the establishment of the non-access stratum (NAS) security context, or the NAS security context and the access stratum (Access Stratum, AS) The establishment of security above.
  • NAS non-access stratum
  • AS access stratum
  • step 203 the AMF sends a registration acceptance (registration accept) message to the UE, and accordingly, the UE can receive the registration acceptance message.
  • the registration acceptance message here may also be referred to as the first registration acceptance message in this application.
  • the registration acceptance message includes selection information of slices that are allowed to access, and the selection information of slices that are allowed to access may be, for example, allowed NSSAI, and allowed NSSAI includes one or more S-NSSAIs.
  • the allowed NSSAI includes at least one of the following information:
  • the selection information of the slice that has completed the secondary authentication among the slices that request access may also include the selection information of the slice corresponding to the selection information of the slice that is requested to be allocated by the network.
  • the slice requesting access does not need the slice selection information for the secondary authentication.
  • it may further include slice selection information allocated by the network and corresponding to the slice selection information of the slice requesting access.
  • the selection information of the slices allocated by the network here that do not require secondary authentication specifically refers to: the selection information of the slice allocated by the network is not included in the selection information of the slice requesting access (or the selection information of the slice allocated by the network is not included in the In the selection information of the slice corresponding to the selection information of the imported slice) and the selection information of the slice that does not require secondary authentication.
  • requested NSSAI ⁇ S-NSSAI1, S-NSSAI2, S-NSSAI3, S-NSSAI4, S-NSSAI5, S-NSSAI6 ⁇ , S-NSSAI1 corresponding slice 1, S-NSSAI2 corresponding slice 2, S-NSSAI3 corresponding
  • the slice 3 of S-NSSAI4 and the slice 4 corresponding to S-NSSAI4 require secondary authentication, and the slice 5 corresponding to S-NSSAI5 and the slice 6 corresponding to S-NSSAI6 do not require secondary authentication.
  • the allowed NSSAI may include S-NSSAI5 and S-NSSAI6.
  • the S-NSSAI5 and S-NSSAI6 are the selection information of the slices that do not require secondary authentication among the slices requested to be accessed.
  • the operator network considers that the authentication process of slice 1 is short, and initiates the second-level authentication of slice 1.
  • the allowed NSSAI may also include S-NSSAI1.
  • the S-NSSAI1 here is the selection information of the slice that has completed the secondary authentication among the slices that are requested to access.
  • the operator's network (such as AMF) and the UE have completed the first level authentication, and the operator's network allocates slice 7 for UE access, that is, AMF determines that slice 7 can be authorized for UE access, and slice 7 does not need to be performed
  • allowed NSSAI may also include S-NSSAI7 (corresponding to slice 7).
  • S-NSSAI7 is the slice selection information allocated by the network that does not require secondary authentication.
  • allowed NSSAI may include one or more of the following information: selection information of the slice that has completed secondary authentication in the slice requesting access (ie S-NSSAI1), and the slice requesting access Selection information of slices that do not require secondary authentication (that is, S-NSSAI5 and S-NSSAI6), and selection information of slices that do not require secondary authentication (that is, S-NSSAI7) allocated by the network.
  • allowed NSSAI includes the selection information of the slices that have completed the second-level authentication among the slices requesting access or includes the slices that do not require the second-level authentication. Slice selection information, then the network does not need to allocate additional slice selection information.
  • the allowed NSSAI does not include the selection information of slices that have completed secondary authentication in any slices that request access, or does not include the selection information of slices that do not require secondary authentication in any slices that request access, then the network Must be based on the level 1 certification, assign a slice selection information that does not require level 2 certification.
  • allowed NSSAI includes S-NSSAI1, S-NSSAI5 and S-NSSAI6.
  • the network may no longer allocate S-NSSAI7 to the UE.
  • S-NSSAI5 and S-NSSAI6 are also required but have not yet undergone slice authentication, and slice authentication for S-NSSAI1 is not completed, the network must allocate S-NSSAI7 to the UE to ensure that the UE that has passed the first level authentication has at least An S-NSSAI is in the allowed NSSAI.
  • the above registration request message may further include at least one of the following information:
  • pending NSSAI pending NSSAI
  • IE item
  • requested NSSAI ⁇ S-NSSAI1, S-NSSAI2, S-NSSAI3, S-NSSAI4, S-NSSAI5, S-NSSAI6 ⁇ , S-NSSAI1, S-NSSAI2, S-NSSAI3, S-NSSAI4
  • the selection information of the slices that require secondary authentication and that have not completed secondary authentication among the slices requested for access can be carried in a slice selection information list (or slice selection information S-NSSAI list), and slice selection
  • the order of the selection information of the slices in the information list (or the slice selection information S-NSSAI list) indicates the priority of secondary authentication for the slices in the slice selection information list (or the slice selection information S-NSSAI list).
  • the following "slice selection information list" represents a list of slice selection information S-NSSAI, and will not be repeated.
  • the slice selection information list A indicates that among the slices that are requested to access, the slice selection information that requires secondary authentication and that has not completed secondary authentication includes S-NSSAI2, S- NSSAI3 and S-NSSAI4; on the other hand, the slice selection information list A also indicates that the priority order for secondary authentication is: S-NSSAI2, S-NSSAI3, S-NSSAI4.
  • the estimated time here can enable the UE to determine the sequence of the second-level authentication of the slice when it needs to perform the second-level authentication and the second-level authentication of the slice that has not completed the second-level authentication in the subsequent initiation of the slice for which access is requested.
  • the second level certification for that slice can be given priority.
  • the UE can also request second-level authentication for only part of the slice according to the estimated time. For example, the estimated time of slice 2 is less than a preset value, and the UE only puts S-NSSAI2 in the requested NSSAI list, so that only slice 2 ( Or the corresponding S-NSSAI) for slice authentication.
  • slice certification instructions are used to indicate that there are slices that have not completed the secondary authentication.
  • the slice authentication instruction here may also be referred to as the first slice authentication instruction in this application.
  • slice authentication instructions appearing anywhere in this application can also be referred to as instruction information or second-level authentication instructions. Therefore, the slice authentication instructions here can also be referred to as first instruction information or first-level authentication. Instructions.
  • the "slice authentication instruction" can also be used to indicate that the current registration acceptance message is not the final version, and that S-NSSAI requires authentication to complete the registration process of all slices.
  • the pending NSSAI can implicitly indicate that there are slices that have not completed the secondary authentication and that the current registration acceptance message is not the final version.
  • the slice authentication indication is optional.
  • non-slice authentication NSSAI ⁇ S-NSSAI5, S-NSSAI6 ⁇ .
  • the UE can refer to and optimize the parameters carried by the UE according to this parameter (that is, non-slice authentication NSSAI) in future registration applications.
  • this parameter that is, non-slice authentication NSSAI
  • rejected NSSAI refers to the list of rejected S-NSSAIs.
  • requested NSSAI ⁇ S-NSSAI1, S-NSSAI2, S-NSSAI3, S-NSSAI4, S-NSSAI5, S-NSSAI6 ⁇
  • S-NSSAI2 is rejected for some reason (such as the S-NSSAI2)
  • the rejected S-NSSAI can be carried through the Rejected NSSAI.
  • the registration acceptance message may also carry the reason for rejection.
  • the above-mentioned “allowed NSSAI”, “pending NSSAI”, “non-slice authentication NSSAI”, “rejected NSSAI”, etc. can be combined into one IE, or combined into two or more IEs in a certain combination.
  • One temporary identifier corresponds to the selection information of one or more slices in the slices that have completed the secondary authentication.
  • the temporary identifier here may be, for example, 5G-Globally Unique Temporary UE Identity (5G-GUTI).
  • 5G-GUTI 5G-Globally Unique Temporary UE Identity
  • each 5G-GUTI corresponds to one or more slices; the other way is that there is only one 5G-GUTI, which corresponds to all slice.
  • 5G-GUTI contains routing information.
  • the RAN device can select an appropriate AMF to serve the UE based on this information.
  • Step 204 after the second-level authentication of the first slice that has not completed the second-level authentication is required for the access-requested slices, the UE receives the updated selection information of the slices allowed to be accessed from the AMF, and updates
  • the selection information of the slice that is allowed to access includes the selection information of the first slice or the selection information of the slice corresponding to the selection information of the first slice allocated by the network.
  • the “first slice” here can refer to all the slices in the slices that require secondary authentication and have not completed secondary authentication, or it can also refer to the slices that require access. Part of the slices (such as a slice) that have not completed the second-level certification. That is, the AMF can send updated slice selection information that allows access to the UE after all slices in the slices that need to be second-level authentication and have not completed the second-level authentication have completed the second-level authentication, or it can be After the second-level authentication is completed for some slices in the slices that have not completed the second-level authentication, the updated selection information of the slices allowed to be accessed is sent to the UE.
  • requested NSSAI ⁇ S-NSSAI1, S-NSSAI2, S-NSSAI3, S-NSSAI4, S-NSSAI5, S-NSSAI6 ⁇ , assuming that through the above steps 201 to 203, the following results are obtained:
  • S-NSSAI1, S-NSSAI2, S-NSSAI3, and S-NSSAI4 are the selection information of the slices that require secondary authentication;
  • S-NSSAI5 and S-NSSAI6 are selection information for slices that do not require secondary authentication
  • NSSAI ⁇ S-NSSAI1, S-NSSAI5, S-NSSAI6, S-NSSAI7 ⁇ ;
  • NSSAI ⁇ S-NSSAI 5, S-NSSAI6, S-NSSAI7 ⁇ ;
  • the slice (requested NSSAI for slice authentication) that needs to continue secondary authentication is ⁇ S-NSSAI3, S-NSSAI4 ⁇ .
  • the S-NSSAI in requested NSSAI for slice authentication may also indicate the order of secondary authentication.
  • the requested NSSAI for slice authentication indicates the order of secondary authentication as follows: S-NSSAI3 and S-NSSAI4.
  • the AMF may not determine whether the slice secondary authentication is required.
  • the AMF sends the registration acceptance message sent in step 203 in accordance with the results of the first level authentication to carry the allowed NSSAI allocated by the network, but cannot include the allowed NSSAI and authorize the S that does not require the second level of slice authentication. -NSSAI.
  • Implementation method 1 The registration request message and the registration acceptance message are used to implement the secondary authentication process of the slice that needs to continue secondary authentication.
  • step 204a is further included:
  • Step 204a The UE sends a first message to the AMF, and accordingly, the AMF can receive the first message.
  • step 204a after the AMF receives the first message, it can also include a judgment action, that is, whether the slice requesting access needs to undergo secondary authentication.
  • the judgment action is similar to that in step 202 description of.
  • first-level authentication is required and re-establish the security context, such as confirming that the previous first-level authentication has expired or the security established by the previous first-level authentication When the context has become invalid or deleted, it is confirmed that the first-level authentication can be performed again and the security context is re-established.
  • the establishment of primary authentication and security context is similar to the description of primary authentication and security context establishment in step 202.
  • the first message is used to request the second-level authentication for the slices that require second-level authentication and have not completed the second-level authentication among the slices that are requested to access, that is, the first message is used to request the second-level authentication for the requested NSSAI for slice authentication. .
  • the first message here is specifically a registration request message.
  • the registration request message may also be referred to as the second registration request message in this application.
  • the registration request message is different from the registration request message in step 201 in function and carried information.
  • the registration request message includes the selection information of the slices that require secondary authentication and have not completed secondary authentication among the slices that are requested to access (that is, the above requested NSSAI for slice authentication), and/or the slice authentication instruction (this application will also This slice authentication instruction is called a second slice authentication instruction, or a second level authentication instruction, or instruction information).
  • the slice authentication instruction is used to request the second-level authentication for the slices that require the second-level authentication and that have not completed the second-level authentication.
  • the registration request message includes the requested NSSAI for slice authentication, but does not include the slice authentication instruction, that is, the requested NSSAI for slice authentication can implicitly request the secondary authentication of the requested NSSAI for slice authentication.
  • the registration request message includes a slice authentication instruction, but does not include requested NSSAI for slice authentication, and the AMF determines the requested NSSAI for slice authentication according to the slice authentication instruction.
  • the registration request message includes a slice authentication indication and requested NSSAI for slice authentication.
  • the foregoing step 204 is specifically implemented as: AMF sends a second message to the UE, and correspondingly, the UE can receive the second message, and the second message includes the updated selection information of the slice that is allowed to be accessed.
  • the second message is specifically a registration acceptance message, which may also be referred to as a second registration acceptance message in this application, which is different from the information carried in the registration acceptance message in step 203 (ie, the first registration acceptance message).
  • the updated slice selection information (new allowed NSSAI) where access is allowed here includes the NSSAI that has passed the secondary authentication and is authorized in the requested NSSAI for slice authentication.
  • requested NSSAI for slice authentication ⁇ S-NSSAI3, S-NSSAI4 ⁇
  • new allowed NSSAI ⁇ S-NSSAI3, S-NSSAI4 ⁇ .
  • the new allowed NSSAI may also include the S-NSSAI in the allowed NSSAI before the update.
  • allowed NSSAI ⁇ S-NSSAI1, S-NSSAI5, S-NSSAI6, S-NSSAI7 ⁇
  • new allowed NSSAI ⁇ S-NSSAI1, S-NSSAI3, S-NSSAI4, S-NSSAI5, S -NSSAI6, S-NSSAI7 ⁇ .
  • the slice selection information included in the updated slice selection information allowed for access may be the S-NSSAI in the requested NSSAI for slice authentication, or the S-NSSAI corresponding to the S-NSSAI allocated by the network.
  • NSSAI For example, S-NSSAI3 in requested NSSAI for slice authentication requires secondary authentication. After secondary authentication is passed, under normal circumstances, the network will feed back S-NSSAI3 authorization, but in some scenarios, the network does not support S-NSSAI3, but supports S-NSSAI3a with similar characteristics to S-NSSAI3.
  • the authorized S-NSSAI sent by the network can be S-NSSAI3a, that is, S-NSSAI3a is the S-NSSAI corresponding to S-NSSAI3, and it can also notify the UE : Correspondence between S-NSSAI3 and S-NSSAI3a.
  • step 204a-step 204 can be performed one or more times.
  • step 204 perform step 204 once, and carry new allowed NSSAI. If the S-NSSAI3 level 2 authentication is passed and authorized, the new allowed NSSAI includes S-NSSAI3. If the S-NSSAI3 level-2 authentication fails or is not authorized, then new allowed NSSAI does not include S-NSSAI3 or step 204 does not carry new allowed NSSAI.
  • step 204 again, carrying new allowed NSSAI. If the S-NSSAI4 level 2 authentication is passed and authorized, the new allowed NSSAI includes S-NSSAI4. If the S-NSSAI4 secondary authentication fails or is not authorized, the new allowed NSSAI does not include S-NSSAI4 or step 204 does not carry the new allowed NSSAI.
  • step 204 perform step 204 once, and carry new allowed NSSAI. If the S-NSSAI3 level 2 authentication is passed and authorized, the new allowed NSSAI includes S-NSSAI3. If the S-NSSAI3 level-2 authentication fails or is not authorized, then new allowed NSSAI does not include S-NSSAI3 or step 204 does not carry new allowed NSSAI.
  • step 204 again, carrying new allowed NSSAI. If the S-NSSAI4 level 2 authentication is passed and authorized, the new allowed NSSAI includes S-NSSAI4. If the S-NSSAI4 secondary authentication fails or is not authorized, the new allowed NSSAI does not include S-NSSAI4 or step 204 does not carry the new allowed NSSAI.
  • step 204 perform step 204 once, and carry new allowed NSSAI. If both S-NSSAI3 and S-NSSAI4 pass the second-level authentication and are authorized, the new allowed NSSAI includes S-NSSAI3 and S-NSSAI4. If the S-NSSAI3 level 2 certification is not passed or authorized, and the S-NSSAI4 level 2 certification is passed and authorized, the new allowed NSSAI includes S-NSSAI4 but does not include S-NSSAI3. If the S-NSSAI4 level-2 authentication is not passed or authorized, and the S-NSSAI3 level-2 authentication is passed and authorized, the new allowed NSSAI includes S-NSSAI3 but does not include S-NSSAI4. If both S-NSSAI3 and S-NSSAI4 secondary certifications fail or are not authorized, then new allowed NSSAI does not include S-NSSAI3 and S-NSSAI4, or step 204 does not carry new allowed NSSAI.
  • Implementation method 2 Through the configuration update command to achieve the secondary authentication process of the slice that needs to continue secondary authentication
  • the foregoing step 204 is specifically implemented as: AMF sends a second message to the UE, and correspondingly, the UE can receive the second message, and the second message includes the updated selection information of the slice that is allowed to be accessed.
  • the second message is specifically a configuration update command (UE Configuration Update Command).
  • the registration acceptance message may also be referred to as the second registration acceptance message in this application. It is the same as the registration acceptance message in step 203 (ie, the first registration acceptance message). ) Carries different information.
  • the implementation method uses the registration acceptance message in the registration process (ie step 203), and uses the configuration update command (step 204), and is initiated by the network.
  • the network actively initiates a response to S after step 203.
  • -NSSAI3 and S-NSSAI4 secondary authentication process and send the result of secondary authentication to UE through configuration update command.
  • the updated slice selection information allowed for access is included, and the updated slice selection information (new allowed NSSAI) here includes the NSSAI required for slice authentication in the NSSAI that has passed secondary authentication and is authorized.
  • the new allowed NSSAI may also include the S-NSSAI in the allowed NSSAI before the update.
  • allowed NSSAI ⁇ S-NSSAI1, S-NSSAI5, S-NSSAI6, S-NSSAI7 ⁇
  • new allowed NSSAI ⁇ S-NSSAI1, S-NSSAI3, S-NSSAI4, S-NSSAI5, S -NSSAI6, S-NSSAI7 ⁇ .
  • the slice selection information included in the new allowed NSSAI may be the S-NSSAI in the NSSAI need for slice authentication, or the S-NSSAI corresponding to the S-NSSAI allocated by the network.
  • S-NSSAI3 in NSSAI needs for slice authentication requires secondary authentication. After secondary authentication is passed, under normal circumstances, the network will feed back S-NSSAI3 authorization, but in some scenarios, the network does not support S-NSSAI3, but supports S-NSSAI3a with similar characteristics to S-NSSAI3.
  • the authorized S-NSSAI sent by the network can be S-NSSAI3a, that is, S-NSSAI3a is the S-NSSAI corresponding to S-NSSAI3, and it can also notify the UE : Correspondence between S-NSSAI3 and S-NSSAI3a.
  • the above configuration update command may also include one or more of the following information:
  • At least one temporary identifier corresponds to the selection information of one or more slices in the slices that have completed the secondary authentication.
  • step 204 can be performed one or more times.
  • Step 204 is executed once, and new allowed NSSAI is carried. If the S-NSSAI3 level 2 authentication is passed and authorized, the new allowed NSSAI includes S-NSSAI3. If the S-NSSAI3 level-2 authentication fails or is not authorized, then new allowed NSSAI does not include S-NSSAI3 or step 204 does not carry new allowed NSSAI.
  • step 204 again, carrying new allowed NSSAI. If the S-NSSAI4 level 2 authentication is passed and authorized, the new allowed NSSAI includes S-NSSAI4. If the S-NSSAI4 secondary authentication fails or is not authorized, the new allowed NSSAI does not include S-NSSAI4 or step 204 does not carry the new allowed NSSAI.
  • step 204 perform step 204 once and carry new allowed NSSAI. If both S-NSSAI3 and S-NSSAI4 pass the second-level authentication and are authorized, the new allowed NSSAI includes S-NSSAI3 and S-NSSAI4. If the S-NSSAI3 level-2 certification is not passed or authorized, and the S-NSSAI4 level-2 certification is passed and authorized, the new allowed NSSAI includes S-NSSAI4 but not S-NSSAI3. If the S-NSSAI4 level-2 authentication is not passed or authorized, and the S-NSSAI3 level-2 authentication is passed and authorized, the new allowed NSSAI includes S-NSSAI3 but does not include S-NSSAI4. If both S-NSSAI3 and S-NSSAI4 secondary certifications fail or are not authorized, then new allowed NSSAI does not include S-NSSAI3 and S-NSSAI4, or step 204 does not carry new allowed NSSAI.
  • the registration request message (ie, the second registration request message) of step 204a in the first implementation method above can be replaced with a newly defined message, which is called a slice registration request message here, and the registration in step 204
  • the acceptance message (that is, the second registration acceptance message) is replaced with a defined message, which is referred to as a slice registration acceptance message here, to obtain the third implementation method.
  • the configuration update command in step 204 in the foregoing implementation method 2 can be replaced with a defined message, which is referred to as a slice registration update command here, to obtain the implementation method 3.
  • the network sends the registration acceptance message (that is, the registration acceptance message in step 203 above) earlier than the registration acceptance message in the registration process of the prior art, that is, as long as the application has completed a registration to the UE
  • the registration acceptance message is sent (by sending the registration acceptance message in advance, the registration process can end as soon as possible, but this only represents the temporary (Interim) end, not the complete end, because there is still the second level authentication that has not been completed)
  • the registration acceptance message is not sent until all the slices have completed the secondary authentication.
  • the UE can decide when to perform the second-level authentication according to the second-level authentication information fed back by the network, which is more convenient for the UE. For example, the UE can access the slice according to the slice that has been successfully authenticated, establish a session, and send and receive data services. And when it is free at a later time, it requests access to other slices.
  • FIG. 3 there is a schematic flow diagram of another UE registration method provided for this application.
  • this embodiment is mainly UE
  • the method of de-nesting is realized by optimizing the parameters in the registration request message, and the network protocol does not need or require very small changes.
  • the method includes the following steps:
  • Step 301 The UE sends a registration request (registration request) message to the AMF, and accordingly, the AMF can receive the registration request message.
  • the registration request message here may also be referred to as the first registration request message in this application.
  • the registration request message is used to request registration to the network.
  • the registration request message includes selection information (requested NSSAI) of the slice requested to access, and the slice requested to access is a slice that does not require secondary authentication.
  • the UE can know in advance which S-NSSAIs require secondary authentication and which S-NSSAIs do not require secondary authentication. For example, the UE can use historical access conditions to analyze and determine which S-NSSAIs require secondary authentication Certification, which S-NSSAI does not require secondary certification. For another example, the UE can pre-configure accessible S-NSSAIs, and pre-configure which S-NSSAIs do not require secondary authentication and which require secondary authentication. It is also possible to pre-configure and store the characteristics of related secondary authentication, such as which EAP method is used, and the estimated time required for secondary authentication.
  • the UE can divide the S-NSSAI in the UE into two groups, one group is the S-NSSAI that requires secondary authentication, and the other is the S-NSSAI that does not require secondary authentication.
  • the UE may further divide the aforementioned S-NSSAIs that require secondary authentication into N groups (N is greater than 1), for example, according to the possible length of time for secondary authentication, or according to the sequence of access slices required Grouping.
  • N is greater than 1
  • a registration application can be initiated for each of the N groups.
  • it is also possible to initiate a registration application for each S-NSSAI that requires secondary authentication that is, each S-NSSAI is a group).
  • the order of initiating registration applications can be sorted in advance.
  • the requested NSSAI in step 301 above only carries slices that do not require secondary authentication, and does not carry slices that require secondary authentication.
  • the S-NSSAI in the UE includes S-NSSAI1, S-NSSAI2, S-NSSAI3, S-NSSAI4, S-NSSAI5, S-NSSAI6, where the UE determines the slice 1, S-NSSAI2 corresponding to S-NSSAI1
  • the corresponding slice 2, the slice 3 corresponding to S-NSSAI3, and the slice 4 corresponding to S-NSSAI4 require secondary authentication, and the slice 5 corresponding to S-NSSAI5 and the slice 6 corresponding to S-NSSAI6 do not require secondary authentication.
  • the requested NSSAI of step 301 ⁇ S-NSSAI5, S-NSSAI6 ⁇ .
  • S-NSSAI1, S-NSSAI2, S-NSSAI3, and S-NSSAI4 can be grouped, for example, into four groups, each group includes one S-NSSAI, or two groups, etc., and are different The priority of the second-level authentication corresponding to the group is different.
  • Step 302 After the UE completes the first-level authentication and establishes the security context, the AMF sends a registration acceptance message to the UE, and accordingly, the UE can receive the registration acceptance message.
  • the registration acceptance message includes selection information (allowed NSSAI) of the slice that is allowed to access, and allowed NSSAI includes one or more of the following information:
  • the selection information of the slices that are allowed to be accessed in the slices that are requested to access is the S-NSSAI in the requested NSSAI that does not require secondary authentication. For example, if the S-NSSAI5S-NSSAI6 in the requested NSSAI is directly authorized after the first level authentication is passed, the selection information of the slice that is allowed to be accessed in the slice requested for access is ⁇ S-NSSAI5, S-NSSAI6 ⁇ .
  • the selection information of the slices allocated by the network that do not require secondary authentication herein specifically refers to the selection information of slices allocated by the network that have completed the primary authentication and do not require secondary authentication.
  • the network (such as AMF) completes the first-level authentication for slice 7 corresponding to S-NSSAI7 and is authorized to pass, that is, AMF determines that slice 7 can be authorized for UE access, and this slice 7 is a slice that does not require second-level authentication , Then allowed NSSAI can also include S-NSSAI7.
  • the S-NSSAI7 here is the slice selection information allocated by the network that has completed the first-level authentication and does not require the second-level authentication.
  • allowed NSSAI may include one or more of the following information: selection information of the slices that are requested to be accessed (ie S-NSSAI5 and S-NSSAI6), Selection information for slices that do not require secondary authentication (ie S-NSSAI7).
  • the network may also not need to allocate additional slice selection information.
  • the network must allocate at least one S-NSSAI to the UE that has passed the first-level authentication.
  • allowed NSSAI includes S-NSSAI5 and S-NSSAI6. At this time, the network may no longer allocate S-NSSAI7 to the UE.
  • the network will allocate S-NSSAI7 to UEs that have passed level-1 authentication. In this way, it can be guaranteed that at least one S-NSSAI is in the allowed NSSAI.
  • Step 303 The UE sends a first message to the AMF, and accordingly, the AMF can receive the first message.
  • the first message includes selection information (requested NSSAI for slice authentication) of the slice that needs to be authenticated at the second level, and the first message is used to request slice authentication for the slice that needs to be authenticated at the second level.
  • requested NSSAI for slice authentication includes, for example, S-NSSAI1, S-NSSAI2, S-NSSAI3, and S-NSSAI4.
  • the first message may be sent multiple times, and the first message initiated each time includes a packet of the slice that needs to be authenticated at the second level.
  • the selection information of the slices that require secondary authentication can be carried in a slice selection information list.
  • the order of the slice selection information in the slice selection information list indicates that the slices in the slice selection information list perform the second level. Priority of authentication.
  • the slice selection information list A indicates that among the slices for which access is requested, the selection information of the slices that require secondary authentication and have not completed the secondary authentication include S-NSSAI1, S-NSSAI2, S-NSSAI3, and S-NSSAI4; On the other hand, the slice selection information list A also indicates that the order of performing secondary authentication is: S-NSSAI1, S-NSSAI2, S-NSSAI3, S-NSSAI4.
  • Step 304 After the first slice of the slices that need to be subjected to the second level authentication passes the second level authentication, the AMF sends a second message to the UE, and accordingly, the UE receives the second message from the AMF.
  • the second message includes updated slice selection information (new allowed NSSAI) that is allowed to access, and new allowed NSSAI includes selection information of the first slice or slice selection information allocated by the network corresponding to the selection information of the first slice .
  • new allowed NSSAI includes selection information of the first slice or slice selection information allocated by the network corresponding to the selection information of the first slice .
  • the "first slice” here can refer to all slices in the requested NSSAI for slice authentication, or it can refer to a partial slice (such as a slice) in the requested NSSAI for slice authentication. That is, the AMF can send new allowed NSSAI to the UE after all slices in the requested NSSAI for slice authentication have completed the secondary authentication, or it can send the new allowed NSSAI to the UE after the partial slices in the requested NSSAI for slice authentication have completed the secondary authentication. Send new allowed NSSAI.
  • the network performs processing on the slice corresponding to the slice selection information in the requested NSSAI for slice authentication
  • the new allowed NSSAI ⁇ S-NSSAI1, S-NSSAI2, S- NSSAI3 ⁇
  • the S-NSSAI in requested NSSAI for slice authentication can also indicate the order of secondary authentication.
  • the requested NSSAI for slice authentication indicates the order of secondary authentication is: S-NSSAI1, S-NSSAI2, S -NSSAI3, S-NSSAI4.
  • steps 303 to 304 can be performed one or more times.
  • the specific implementation process is similar to the related description method in the above embodiment of FIG. 2, and reference may be made to the foregoing description.
  • the above-mentioned first message is a registration request message
  • the second message is a registration acceptance message
  • the above-mentioned first message is a slice registration request message
  • the second message is a slice registration acceptance message.
  • the network sends the registration acceptance message (that is, the registration acceptance message in step 302 above) earlier than the registration acceptance message in the registration process of the prior art, that is, as long as the application has completed a registration to the UE
  • the registration acceptance message is sent (by sending the registration acceptance message in advance, the registration process can end as soon as possible, but this only represents the temporary (Interim) end, not the complete end, because there is still the second level authentication that has not been completed)
  • the registration acceptance message is not sent until all the slices have completed the secondary authentication.
  • the UE can decide when to perform the second-level authentication according to the second-level authentication information fed back by the network, which is more convenient for the UE. For example, the UE can access the slice according to the slice that has been successfully authenticated, establish a session, and send and receive data services. And when it is free at a later time, it requests access to other slices.
  • This application provides two UE registration methods through the above-mentioned two embodiments of Figure 2 and Figure 3, and realizes the "de-nested" secondary authentication, that is, it provides a flexible authentication (registration) process so that the primary Certification and second-level certification can be decoupled.
  • the length of a single or several second-level certification processes will not cause significant impact on first-level certification and other second-level certifications, thereby solving the problems introduced by the above-mentioned nested certification process.
  • the processes that are strongly related to authentication and authorization can be divided into functions: 1) the first-level authentication between the network and the UE, 2) the NSSAI authorization of the UE access slice by the network, and 3) the UE and DN Two-level authentication between 4) NAS or AS security establishment (ie, establishment of UE security context).
  • the first level authentication in 1) and the NAS and/or AS security establishment in 4) are not directly related to the second level authentication in 3), and it can be relatively independent from the NSSAI authorization behavior of the slice in 2).
  • the first level authentication is based on the subscription data stored by the UE in the operator network UDM (instead of the DN of the second level authentication.
  • AAA is the authentication, authorization, and accounting (Authentication, Authorization, Accounting, AAA) server).
  • the NAS The key derivation and generation in security are not restricted by NSSAI (NSSAI is not a required parameter for key generation).
  • NSSAI is not a required parameter for key generation.
  • the first level certification and the NAS and/or AS security establishment process can be separated from other processes.
  • the main principle is to complete the required procedures such as first-level certification and NAS security establishment in the registration process as much as possible, and then perform the second-level certification according to the flexible and configurable security policy.
  • the S-NSSAI information for slice authorization it can be sent to the user in time every time the secondary authentication succeeds, or multiple S-NSSAI information can be sent at once.
  • the overall process can be briefly summarized as follows (omitting the NAS security establishment process):
  • Step 1 The UE sends a registration application for access to the network to the network (AMF).
  • Step 2 The network (AMF) performs first-level authentication with the UE based on the UE's subscription information (such as SUPI, etc.).
  • AMF The network
  • Step 3 After the authentication is successful, the network (AMF) determines whether the UE needs further secondary authentication.
  • Step 4 The network (AMF) sends the authorization information allowed NSSAI (but the second level authentication has not been performed) to the UE to complete the "interim" registration process. If second-level authentication is required, the network (AMF) initiates one or a set of second-level authentication procedures to notify the UE and DN to perform the second-level authentication, and forward various interactive information required for authentication between the UE and the DN.
  • the network (AMF) sends the authorization information allowed NSSAI (but the second level authentication has not been performed) to the UE to complete the "interim" registration process. If second-level authentication is required, the network (AMF) initiates one or a set of second-level authentication procedures to notify the UE and DN to perform the second-level authentication, and forward various interactive information required for authentication between the UE and the DN.
  • allowed NSSAI is determined based on network storage information (such as the subscription information stored by the UE in UDM or AMF, etc.) or authorization information (such as through interaction with NSSF).
  • the allowed NSSAI may include the default S-NSSAI allocated by the network and/or the S-NSSAI corresponding to the slice to be accessed that does not require secondary authentication. Which slice or group of secondary authentication is selected can be flexibly configured and determined (according to UE registration request information, subscription information, DN information, etc.)
  • Step 5 The DN sends a second-level authentication success message to the network (AMF) every time the second-level authentication is completed.
  • Step 6 For each level 2 authentication or each group of level 2 authentication, the network (AMF) selects the corresponding slice for the UE (or through NF such as NSSF) according to whether the level 2 authentication is successful, and determines the allowed NSSAI.
  • AMF Access Management Function
  • Step 7 The network (AMF) sends the updated authorization information allowed NSSAI to the UE to complete the registration process (steps 5 to 7 can be repeated as needed).
  • Method 1 Use the messages and procedures in the existing registration procedure, but need to define a new IE (Information Element) and a new behavior (behavior).
  • Method 2 Define a new dedicated message and the corresponding process.
  • the time point of sending "registration accept” (including authorization information “allowed NSSAI"):
  • the network can be after level 1 authentication (before level 2 authentication with DN, or no need for level 2 Authentication), based on information such as the first level authentication result, the subscription information stored in the network (UDM, AMF, etc.), the result of the interaction between AMF and other network functions (such as NSSF), the allowed NSSAI is determined and sent to the UE.
  • the network can send "registration accept” after the first level certification and after completing a part of the second level certification. It should be noted that the second scheme is a partial nesting scheme.
  • the "registration accept” message in addition to "allowed NSSAI", it also needs to include indication information to inform the UE which NSSAIs need to be authenticated at the second level. It can also indicate the preferred authentication methods and priority order of multiple secondary authentications, that is, whether the secondary authentication is to notify the UE after one authentication is completed or to notify the UE after a group of secondary authentications are completed.
  • the order of secondary certification can be sorted according to the length of time required. In addition to ranking, you can also indicate the estimated value of the time required for each level 2 certification.
  • the "registration accept” message it can further indicate which S-NSSAIs are rejected, such as "rejected NSSAI", and which S-NSSAIs do not require secondary authentication.
  • the advantage of the indication is that the UE can store the corresponding status. When requesting access next time, it can avoid repeating applications for access to the rejected S-NSSAI or perform other operations. For example, the UE can notify the UE based on the reason for the rejection. Application or user for further processing. For example, if it is rejected for a long time, the user can check whether there is a problem with the subscription data.
  • the above indication information can be multiple individual IEs, or one IE can have multiple states, which is not limited here.
  • the network can also use the "UE Configuration Update Command” message to notify the UE that secondary authentication is required. Similar to the above description, the "UE Configuration Update Command” message can include various indication information to trigger the UE to perform the subsequent steps of the secondary authentication.
  • new messages can also be defined to complete the information exchange between the network and the UE.
  • the network notifies the UE of the allowed NSSAI information that has been authorized, the S-NSSAI to be second-level authentication, the rejected NSSAI information, and the NSSAI information that does not require second-level authentication. This information can be sent more often, first before the second-level certification, then after each second-level certification, or after each group of second-level certification.
  • this application can solve the nested authentication problem through the network side, and on the other hand, it can also solve and alleviate the problem by enhancing the intelligence of the UE and assisting the network. For example, if the UE can obtain, analyze, and predict which S-NSSAI does not require secondary authentication and the time required for each secondary authentication, the UE can directly inform the network of the UE's choice in the registration request, that is, perform a separate First level certification and registration applications that do not require second level certification, and then each second level certification or each group of second level certification in order.
  • AAA-F in Figure 4 to Figure 6 below refers to the AAA proxy function (AAA-proxy function) network element
  • AAA-S refers to the AAA server (AAA-proxy server), here is a unified description .
  • FIG. 4 it is a schematic flowchart of another UE registration method provided by this application.
  • This embodiment is a specific example of implementing method 1 corresponding to the embodiment shown in FIG. 2 in combination with step 204 therein.
  • the method includes the following steps:
  • Step 401 The UE sends a registration request message to the network (AMF), and the registration request message includes the requested NSSAI.
  • Step 402 After receiving the registration request message, the AMF initiates a first-level authentication process to perform mutual authentication between the UE and the network (including the NAS security establishment process).
  • Step 403 After the first level authentication is successful, the AMF determines whether the slice requested for access requires the second level authentication.
  • Step 404 The AMF sends a registration acceptance message to the UE.
  • the registration acceptance message includes one or more of the following: “allowed NSSAI”, “Pending NSSAI”, “slice authentication indication”, “non-slice authentication NSSAI”, “rejected NSSAI” ", "5G-GUTI”.
  • Step 405 The UE sends a registration request message to the AMF.
  • the message may include an NSSAI request ("requested NSSAI for slice authentication") that requires secondary authentication, "slice authentication indication", “5G-GUTI”, and so on.
  • Step 406 The network and the UE complete the secondary authentication of the slice.
  • the network and the UE complete the secondary authentication process of the slice corresponding to the S-NSSAI in the requested NSSAI for slice authentication.
  • the AMF sends a registration acceptance message to the UE.
  • the message contains the updated "allowed NSSAI" after the second level of authentication, which may include the S-NSSAI authorized by the current authentication and the previously authorized S-NSSAI. It can only include S-NSSAI authorized by the current authentication.
  • FIG. 5 it is a schematic flowchart of another UE registration method provided by this application.
  • This embodiment is a specific example of implementing method 2 corresponding to the embodiment shown in FIG. 2 in combination with step 204 therein.
  • the method includes the following steps:
  • Step 501 to step 504 are the same as step 401 to step 404 in Embodiment 4, and reference may be made to the foregoing description.
  • Step 505 The network initiates and completes the secondary authentication of the slice with the UE.
  • the network and the UE complete the secondary authentication process of the slice corresponding to the S-NSSAI in the NSSAI need for slice authentication.
  • the AMF sends a configuration update command to the UE.
  • the configuration update command includes the updated "allowed NSSAI" after the secondary authentication, which may include the S-NSSAI authorized by the current authentication and the previously authorized S-NSSAI , It can also only include the S-NSSAI authorized by the current authentication.
  • Step 507 The UE sends a configuration update complete message to the network (AMF).
  • This step 507 is optional.
  • steps 505 and 506 can also be performed multiple times. For example, each time the second-level authentication process of one of the slices corresponding to the S-NSSAI in the NSSAI need for slice authentication is completed, and the authorized S -The NSSAI is sent to the UE through step 506. For another example, each time the secondary authentication process of multiple slices in the slice corresponding to the S-NSSAI in the NSSAI need for slice authentication is completed, and the authorized S-NSSAI is sent to the UE through step 506.
  • FIG. 6 a schematic flowchart of another UE registration method provided by this application.
  • This embodiment is a specific example of implementing method 3 corresponding to the embodiment shown in FIG. 2 in combination with step 204 therein.
  • the method includes the following steps:
  • Step 601 to step 604 are the same as step 401 to step 404 of Embodiment 4, and reference may be made to the foregoing description.
  • Step 605 The UE sends a slice registration request message to the AMF.
  • the message may include an NSSAI request ("requested NSSAI for slice authentication") that requires secondary authentication, "slice authentication indication", “5G-GUTI”, and so on.
  • Step 606 The network and the UE complete the secondary authentication of the slice.
  • the network and the UE complete the secondary authentication process of the slice corresponding to the S-NSSAI in the requested NSSAI for slice authentication.
  • Step 607 The AMF sends a slice registration acceptance message to the UE.
  • the message contains the updated "allowed NSSAI" after the second level authentication, which may include the S-NSSAI authorized by the current authentication and the previously authorized S-NSSAI. It can also include only the S-NSSAI authorized by the current authentication.
  • step 605 adopts a newly defined slice registration request message
  • step 607 adopts a newly defined slice registration acceptance message
  • FIG. 7 it is a schematic flowchart of another UE registration method provided by this application.
  • This embodiment is a specific example of the embodiment shown in FIG. 3 above.
  • the method includes the following steps:
  • Step 701 The UE sends a registration request message to the network (AMF), where the registration request message includes requested NSSAI.
  • the requested NSSAI includes the selection information of the slices that are requested for access that do not require secondary authentication.
  • Step 702 After receiving the registration request message, the AMF initiates a first-level authentication process to perform mutual authentication between the UE and the network (including the NAS security establishment process).
  • Step 703 After the first level authentication is successful, the AMF determines whether the slice requested for access requires the second level authentication.
  • the result of the AMF judgment is: all slices corresponding to the S-NSSAI in the requested NSSAI do not require secondary authentication.
  • This step is optional.
  • Step 704 The AMF sends a registration acceptance message to the UE.
  • the registration acceptance message includes one or more of the following: "allowed NSSAI”, “rejected NSSAI”, and "5G-GUTI”.
  • Step 705 The UE sends a registration request message to the AMF.
  • the message may include an NSSAI request ("requested NSSAI for slice authentication") that requires secondary authentication, "slice authentication indication", “5G-GUTI”, and so on.
  • Step 706 The network and the UE complete the secondary authentication of the slice.
  • the network and the UE complete the secondary authentication process of the slice corresponding to the S-NSSAI in the requested NSSAI for slice authentication.
  • the AMF sends a registration acceptance message to the UE.
  • the message contains the updated "allowed NSSAI" after the second level of authentication, which may include the S-NSSAI authorized by the current authentication and the previously authorized S-NSSAI. It can only include S-NSSAI authorized by the current authentication.
  • the registration request message in step 705 can also be replaced by a slice registration request message
  • the registration acceptance message in step 707 can also be replaced by a slice registration acceptance message
  • each network element described above includes hardware structures and/or software modules corresponding to each function.
  • the present invention can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered as going beyond the scope of the present invention.
  • the communication device 800 may exist in the form of software or hardware.
  • the communication device 800 may include: a processing unit 802 and a communication unit 803.
  • the communication unit 803 may include a receiving unit and a sending unit.
  • the processing unit 802 is used to control and manage the actions of the communication device 800.
  • the communication unit 803 is used to support communication between the communication device 800 and other network entities.
  • the communication device 800 may further include a storage unit 801 for storing program codes and data of the communication device 800.
  • the processing unit 802 may be a processor or a controller, for example, a general-purpose central processing unit (central processing unit, CPU), a general-purpose processor, a digital signal processing (digital signal processing, DSP), and an application specific integrated circuit (application specific integrated circuit). circuits, ASIC), field programmable gate array (FPGA) or other programmable logic devices, transistor logic devices, hardware components or any combination thereof. It can implement or execute various exemplary logical blocks, modules and circuits described in conjunction with the disclosure of this application.
  • the processor may also be a combination for realizing computing functions, for example, including a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on.
  • the storage unit 801 may be a memory.
  • the communication unit 803 is an interface circuit of the device for receiving signals from other devices.
  • the communication unit 803 is an interface circuit for the chip to receive signals from other chips or devices, or an interface circuit for the chip to send signals to other chips or devices.
  • the communication apparatus 800 may be the terminal device in any of the above embodiments, and may also be a chip used for the terminal device.
  • the processing unit 802 may be, for example, a processor
  • the communication unit 803 may be, for example, a transceiver.
  • the transceiver may include a radio frequency circuit
  • the storage unit may be, for example, a memory.
  • the processing unit 802 may be a processor, for example, and the communication unit 803 may be an input/output interface, a pin or a circuit, for example.
  • the processing unit 802 can execute computer-executable instructions stored in the storage unit.
  • the storage unit is a storage unit in the chip, such as a register, a cache, etc., and the storage unit may also be a terminal device located outside the chip.
  • the storage unit such as read-only memory (ROM) or other types of static storage devices that can store static information and instructions, random access memory (RAM), etc.
  • the communication device 800 is a terminal device, and the communication unit 803 includes a sending unit and a receiving unit.
  • the sending unit is configured to send a first registration request message to the mobility management network element, where the first registration request message includes the selection information of the slice to be accessed; the receiving unit is configured to complete the first level authentication and authentication on the terminal device.
  • a first registration acceptance message from the mobility management network element includes selection information of slices that are allowed to access, and the selection information of slices that are allowed to access includes the following At least one of the information: selection information of slices that have completed secondary authentication among the slices requested for access, selection information of slices that do not require secondary authentication among the slices requested for access, and no need for network allocation
  • the selection information of the slice for the second-level authentication is further configured to receive the second-level authentication from the first slice that requires the second-level authentication and has not completed the second-level authentication among the slices for which access is requested.
  • the updated access-allowed slice selection information of the mobility management network element where the updated access-allowed slice selection information includes the first slice selection information or the network-allocated selection information of the first slice
  • the slice selection information corresponds to the slice selection information.
  • the first registration acceptance message further includes at least one of the following information: selection information of the slices that require secondary authentication and have not completed secondary authentication among the slices for which access is requested; The estimated time required for the second-level authentication for the slices that require second-level authentication and the slices that have not completed the second-level authentication, the first slice authentication instruction, and the slices that request access do not need to be performed A slice of the secondary authentication, selection information of a slice that is denied access among the slices requested for access, and at least one temporary identifier; wherein the first slice authentication indication is used to indicate that there is a slice that has not completed the secondary authentication , A temporary identifier corresponds to the selection information of one or more slices in the slices that have completed the secondary authentication.
  • the selection information of the slices that require secondary authentication and that have not completed secondary authentication among the slices that request access is carried in a slice selection information list, and the slice selection information in the slice selection information list
  • the order of the slice selection information indicates the priority of the slices in the slice selection information list for secondary authentication.
  • the sending unit is configured to send a first message to the mobility management network element, where the first message is used to request that the slice for which access is requested requires secondary authentication and is not The slices that have completed the second-level authentication are subjected to the second-level authentication; the receiving unit is specifically configured to receive a second message from the mobility management network element, where the second message includes the updated selection information of the slice that is allowed to be accessed.
  • the first message includes selection information of a slice that requires secondary authentication and has not completed secondary authentication among the slices for which access is requested, and/or a second slice authentication instruction;
  • the second slice authentication instruction is used to request the second-level authentication for the slices that require the second-level authentication and have not completed the second-level authentication among the slices that are requested to be accessed.
  • the first message is a second registration request message, and the second message is a second registration acceptance message; or, the first message is a slice registration request message, and the second The message is the slice registration acceptance message.
  • the receiving unit is configured to receive a configuration update command from the mobility management network element, where the configuration update command includes the updated slice selection information that is allowed to be accessed.
  • the configuration update command further includes at least one of the following information: among the slices for which access is requested, secondary authentication is required, and among the slices that have not completed secondary authentication, access is denied.
  • Slice selection information updated slice selection information of the slices that require second-level authentication and have not completed second-level authentication among the updated slices that have not completed second-level authentication, and at least one temporary identifier; where one temporary identifier corresponds to the slice that completes second-level authentication Selection information of one or more slices in.
  • the communication device 800 is a terminal device, and the communication unit 803 includes a sending unit and a receiving unit.
  • the sending unit is configured to send a first registration request message to the mobility management network element, where the first registration request message includes selection information of a slice requesting access, and the slice requesting access does not require secondary Authentication slice;
  • a receiving unit configured to receive a first registration acceptance message from the mobility management network element after the terminal device completes primary authentication and establishes a security context, where the first registration acceptance message includes permission to access
  • the selection information of the slice that is allowed to access, the selection information of the slice that is allowed to access includes the selection information of the slice that is allowed to access among the slices for which access is requested and/or the slice that is allocated by the network that does not require secondary authentication.
  • the sending unit is further configured to send a first message to the mobility management network element, the first message including selection information of the slice that needs to be authenticated at the second level, and the first message is used to request
  • the slices that require secondary authentication are subjected to slice authentication
  • the receiving unit is further configured to receive from the mobility management network after the first slice of the slices that require secondary authentication passes the secondary authentication.
  • Meta second message the second message includes the updated selection information of the allowed slice, and the updated selection information of the allowed slice includes the selection information of the first slice or the network allocated and The selection information of the slice corresponding to the selection information of the first slice.
  • the selection information of the slices that require secondary authentication is carried in a slice selection information list, and the sequence of the slice selection information in the slice selection information list indicates the slice selection The priority of the secondary authentication for the slices in the information list.
  • the first message further includes the grouping information indicating the grouping information of the slices requiring secondary authentication, and the grouping information indicating the priority of each grouping for secondary authentication .
  • the first message is a second registration request message, and the second message is a second registration acceptance message; or, the first message is a slice registration request message, and the second The message is the slice registration acceptance message.
  • the communication device 900 may exist in the form of software or hardware.
  • the communication device 900 may include: a processing unit 902 and a communication unit 903.
  • the communication unit 903 may include a receiving unit and a sending unit.
  • the processing unit 902 is used to control and manage the actions of the communication device 900.
  • the communication unit 903 is used to support communication between the communication device 900 and other network entities.
  • the communication device 900 may further include a storage unit 901 for storing program codes and data of the communication device 900.
  • the processing unit 902 may be a processor or a controller, for example, a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA, or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It can implement or execute various exemplary logical blocks, modules and circuits described in conjunction with the disclosure of this application.
  • the processor may also be a combination for realizing computing functions, for example, including a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on.
  • the storage unit 901 may be a memory.
  • the communication unit 903 is an interface circuit of the device for receiving signals from other devices. For example, when the device is implemented as a chip, the communication unit 903 is an interface circuit for the chip to receive signals from other chips or devices, or an interface circuit for the chip to send signals to other chips or devices.
  • the communication device 900 may be the mobility management network element in any of the foregoing embodiments, and may also be a chip for the mobility management network element.
  • the processing unit 902 may be, for example, a processor
  • the communication unit 903 may be, for example, a transceiver.
  • the transceiver may include a radio frequency circuit
  • the storage unit may be, for example, a memory.
  • the processing unit 902 may be, for example, a processor
  • the communication unit 903 may be, for example, an input/output interface, a pin, or a circuit.
  • the processing unit 902 can execute computer execution instructions stored in the storage unit.
  • the storage unit is a storage unit in the chip, such as a register, a cache, etc., and the storage unit may also be a storage unit located in the mobility management network element.
  • the storage unit outside the chip such as ROM or other types of static storage devices that can store static information and instructions, RAM, etc.
  • the communication device 900 is a mobility management network element
  • the communication unit 803 includes a sending unit and a receiving unit.
  • the receiving unit is configured to receive a first registration request message from a terminal device, where the first registration request message includes the selection information of the slice to be accessed;
  • the processing unit is configured to complete first-level authentication and establish security on the terminal device
  • the mobility management network element determines whether the slice requested for access requires secondary authentication;
  • the sending unit is configured to send a first registration acceptance message to the terminal device, where the first registration acceptance message includes Selection information of slices that are allowed to access, and the selection information of slices that are allowed to access includes at least one of the following information: selection information of slices that have completed secondary authentication among the slices that are requested to access, and the requested access
  • the sending unit is also used to perform secondary authentication in the slices for which access is requested.
  • the updated slice selection information that is allowed to access is sent to the terminal device, and the updated slice selection information that is allowed to access includes the The selection information of the first slice or the selection information of the slice corresponding to the selection information of the first slice allocated by the network.
  • the first registration acceptance message further includes at least one of the following information: selection information of the slices that require secondary authentication and have not completed secondary authentication among the slices for which access is requested; The estimated time required for the second-level authentication for the slices that require second-level authentication and the slices that have not completed the second-level authentication, the first slice authentication instruction, and the slices that request access do not need to be performed. The selection information of the slice for the secondary authentication, the selection information of the slice that is denied access among the slices requested for access, and at least one temporary identifier; wherein the first slice authentication indication is used to indicate that there is an uncompleted secondary For certified slices, a temporary identifier corresponds to the selection information of one or more slices that have completed secondary authentication.
  • the selection information of the slices that require secondary authentication and that have not completed secondary authentication among the slices that request access is carried in a slice selection information list, and the slice selection information in the slice selection information list
  • the order of the slice selection information indicates the priority of the slices in the slice selection information list for secondary authentication.
  • the receiving unit is further configured to receive a first message from the terminal device, where the first message is used to request that the slice for which access is requested requires secondary authentication and is not The slices that have completed the second-level authentication are subjected to the second-level authentication; the sending unit is configured to send a second message to the terminal device, where the second message includes the updated selection information of the slice that is allowed to be accessed.
  • the first message includes selection information of a slice that requires secondary authentication and has not completed secondary authentication among the slices for which access is requested, and/or a second slice authentication instruction;
  • the second slice authentication instruction is used to request the second-level authentication for the slices that require the second-level authentication and have not completed the second-level authentication among the slices that are requested to be accessed.
  • the first message is a second registration request message, and the second message is a second registration acceptance message; or, the first message is a slice registration request message, and the second The message is the slice registration acceptance message.
  • the sending unit is configured to send a configuration update command to the terminal device, where the configuration update command includes the updated slice selection information that is allowed to be accessed.
  • the configuration update command further includes at least one of the following information: among the slices for which access is requested, secondary authentication is required, and among the slices that have not completed secondary authentication, access is denied.
  • Slice selection information updated slice selection information of the slices that require second-level authentication and have not completed second-level authentication among the updated slices that have not completed second-level authentication, and at least one temporary identifier; where one temporary identifier corresponds to the slice that completes second-level authentication Selection information of one or more slices in.
  • the communication device 900 is a mobility management network element, and the communication unit 803 includes a sending unit and a receiving unit.
  • a receiving unit configured to receive a first registration request message from a terminal device, where the first registration request message includes selection information of a slice requesting access, and the slice requesting access is a slice that does not require secondary authentication;
  • the sending unit is configured to send a first registration acceptance message to the terminal device after the terminal device completes the first-level authentication and establishes a security context, where the first registration acceptance message includes selection information of slices that are allowed to be accessed, and
  • the access-allowed slice selection information includes the access-allowed slice selection information among the access-requested slices and/or the network-assigned slice selection information that does not require secondary authentication;
  • the receiving unit also uses For receiving a first message from the terminal device, the first message includes selection information of a slice that requires secondary authentication, and the first message is used to request slice authentication for the slice that requires secondary authentication
  • the sending unit is further configured to send a second message to
  • the selection information of the slices that require secondary authentication is carried in a slice selection information list, and the sequence of the slice selection information in the slice selection information list indicates the slice selection The priority of the secondary authentication for the slices in the information list.
  • the first message further includes the grouping information indicating the grouping information of the slices requiring secondary authentication, and the grouping information indicating the priority of each grouping for secondary authentication .
  • the first message is a second registration request message, and the second message is a second registration acceptance message; or, the first message is a slice registration request message, and the second The message is the slice registration acceptance message.
  • the communication device may be the above-mentioned mobility management network element or terminal equipment.
  • the communication device 1000 includes a processor 1002, a communication interface 1003, and a memory 1001.
  • the communication device 1000 may further include a communication line 1004.
  • the communication interface 1003, the processor 1002, and the memory 1001 may be connected to each other through a communication line 1004;
  • the communication line 1004 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (extended industry standard architecture). , Referred to as EISA) bus and so on.
  • the communication line 1004 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is used to represent in FIG. 10, but it does not mean that there is only one bus or one type of bus.
  • the processor 1002 may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits used to control the execution of the programs of the present application.
  • the communication interface 1003 uses any device such as a transceiver to communicate with other devices or communication networks, such as Ethernet, RAN, wireless local area networks (WLAN), wired access networks, etc.
  • a transceiver to communicate with other devices or communication networks, such as Ethernet, RAN, wireless local area networks (WLAN), wired access networks, etc.
  • the memory 1001 may be ROM or other types of static storage devices that can store static information and instructions, RAM or other types of dynamic storage devices that can store information and instructions, or may be an electrically erasable programmable read-only memory (electrically erasable programmable read-only memory).
  • read-only memory EEPROM
  • compact disc read-only memory, CD-ROM
  • optical disc storage including compact disc, laser disc, optical disc, digital universal disc, Blu-ray disc, etc.
  • magnetic disk A storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory can exist independently and is connected to the processor through the communication line 1004. The memory can also be integrated with the processor.
  • the memory 1001 is used to store computer execution instructions for executing the solution of the present application, and the processor 1002 controls the execution.
  • the processor 1002 is configured to execute computer-executable instructions stored in the memory 1001, so as to implement the terminal device registration method provided in the foregoing embodiment of the present application.
  • the computer-executable instructions in the embodiments of the present application may also be referred to as application program code, which is not specifically limited in the embodiments of the present application.
  • At least one (piece, species) of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or Multiple.
  • Multiple refers to two or more, and other measure words are similar.
  • "a device” means to one or more such devices.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)), etc.
  • the various illustrative logic units and circuits described in the embodiments of this application can be implemented by general-purpose processors, digital signal processors, application-specific integrated circuits (ASIC), field programmable gate arrays (FPGA) or other programmable logic devices, Discrete gates or transistor logic, discrete hardware components, or any combination of the above are designed to implement or operate the described functions.
  • the general-purpose processor may be a microprocessor, and optionally, the general-purpose processor may also be any traditional processor, controller, microcontroller, or state machine.
  • the processor can also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration achieve.
  • the steps of the method or algorithm described in the embodiments of the present application can be directly embedded in hardware, a software unit executed by a processor, or a combination of the two.
  • the software unit can be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable disk, CD-ROM or any other storage medium in the field.
  • the storage medium may be connected to the processor, so that the processor can read information from the storage medium, and can store and write information to the storage medium.
  • the storage medium may also be integrated into the processor.
  • the processor and the storage medium can be arranged in the ASIC.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment.
  • the instructions provide steps for implementing functions specified in a flow or multiple flows in the flowchart and/or a block or multiple blocks in the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

本申请提供终端设备的注册方法及装置。该方法中,网络发送注册接受消息比现有技术的注册流程中发送注册接受消息的时间更早,即本申请只要完成了对终端设备的一级认证和建立安全上下文之后就发送注册接受消息,而现有技术是等到所有的切片完成二级认证之后才发送注册接受消息,这样不仅可以解决嵌套式认证带来的问题,终端设备也大大增加了接入的灵活性,并且使得注册时的定时器的设置或管理变得更为简便。此时,终端设备可以根据网络反馈的二级认证信息,决定何时进行二级认证对终端设备更方便。比如,终端设备可以根据已经成功认证的切片,接入该切片,建立会话,发送接收数据服务。而在晚些时候空闲时,再请求接入其他切片。

Description

终端设备的注册方法及装置
相关申请的交叉引用
本申请要求在2019年03月04日提交中国专利局、申请号为201910160313.6、申请名称为“终端设备的注册方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
技术领域
本申请涉及移动通信技术领域,尤其涉及终端设备的注册方法及装置。
背景技术
终端设备在接入网络或切片之前,需要同切片进行双向认证并得到网络的授权。目前,终端设备和网络之间可能需要两级认证。其中,终端设备和运营商网络之间的认证称为一级认证,终端设备和运营商网络之外的第三方网络之间的认证称为二级认证。
目前,一种可能的认证方式为:终端设备发起注册请求->运营商网络的一级认证->第三方网络的二级认证->网络对终端设备接入的切片的授权->注册完成。
上述认证流程主要有以下缺点:
1)、注册、认证的计时器(timer)的设置、管理问题。由于二级认证是终端设备同第三方网络之间的认证,第三方网络负责认证的认证服务器计算资源可以大有不同,这也会造成完成二级认证所需的时间长短有别。再进一步,一次注册流程可以支持嵌套多次的二级认证,这将使得完成二级认证流程的时间大相径庭。然而,注册、认证流程在具体实现中,会针对总体流程以及每个关键步骤事先设定计时器,每个计时的步骤或流程如果超时,就会产生运行错误。另外,当进行二级认证时,网络也可以通过暂停、恢复注册流程的计时器来缓解计时器设定问题,但这由引入了计时器管理复杂的新问题。总之,由于上述因素造成的二级认证时间差异性,使得系统设定计时器问题变成了复杂而具有挑战的任务。
2)、整个注册流程由于二级认证的拖累,可能会被显著延长,造成用户体验等其他问题。终端设备或用户通常希望尽快使用可接入的服务,而不是长时间在注册流程中等待。
发明内容
本申请提供终端设备的注册方法及装置,用以解决终端设备的注册流程中存在的注册、认证的计时器难以设置或管理,注册流程时间较长的问题,以达到简化计时器的设置和缩短初始注册流程的时长的目的。
第一方面,终端设备向移动性管理网元发送第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息;在所述终端设备完成一级认证和建立安全上下文后,所述终端设备接收来自所述移动性管理网元的第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括以下信息中的至少一个:所述请求接入的切片中已经完成二级认证的切片的选择信息、所述请求接入的切片中不需要进行二级认证的切片的选择信息、网络分配的不需要进行二级认证的切片的选择 信息;在所述请求接入的切片中需要进行二级认证且未完成二级认证的第一切片二级认证通过后,所述终端设备接收来自所述移动性管理网元的更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
基于该方案,网络发送注册接受消息比现有技术的注册流程中发送注册接受消息的时间更早,即本申请只要完成了对终端设备的一级认证和建立安全上下文之后就发送注册接受消息(通过提前发送注册接受消息,初始注册流程可以尽早结束,不过这仅仅代表暂时(Interim)结束,而不是完全结束,因为还有二级认证没完成),而现有技术是等到所有的切片完成二级认证之后才发送注册接受消息,这样不仅可以解决嵌套式认证带来的问题,终端设备也大大增加了接入的灵活性,并且使得注册时的定时器的设置或管理变得更为简便。此时,终端设备可以根据网络反馈的二级认证信息,决定何时进行二级认证对终端设备更方便。比如,终端设备可以根据已经成功认证的切片,接入该切片,建立会话,发送接收数据服务。而在晚些时候空闲时,再请求接入其他切片。
在一种可能的实现方法中,所述第一注册接受消息还包括以下信息中的至少一个:所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证所需的预估时间、第一切片认证指示、所述请求接入的切片中不需要进行二级认证的切片的选择信息、所述请求接入的切片中被拒绝接入的切片的选择信息、至少一个临时标识;其中,所述第一切片认证指示用于指示存在未完成二级认证的切片,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
在一种可能的实现方法中,所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
在一种可能的实现方法中,所述终端设备向所述移动性管理网元发送第一消息,所述第一消息用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证。所述终端设备接收更新的允许接入的切片的选择信息,包括:所述终端设备接收来自所述移动性管理网元的第二消息,所述第二消息包括所述更新的允许接入的切片的选择信息。
在一种可能的实现方法中,所述第一消息包括所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息,和/或,第二切片认证指示;所述第二切片认证指示用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证。
在一种可能的实现方法中,所述第一消息为第二注册请求消息,所述第二消息为第二注册接受消息;或者,所述第一消息为切片注册请求消息,所述第二消息为切片注册接受消息。
在一种可能的实现方法中,所述终端设备接收来自所述移动性管理网元的更新的允许接入的切片的选择信息,包括:所述终端设备接收来自所述移动性管理网元的配置更新命令,所述配置更新命令包括所述更新的允许接入的切片的选择信息。
在一种可能的实现方法中,所述配置更新命令还包括以下信息中的至少一个:所述请求接入的切片中需要进行二级认证且未完成二级认证的切片中被拒绝接入的切片的选择 信息、更新后的所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、至少一个临时标识;其中,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
第二方面,移动性管理网元接收来自终端设备的第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息;在所述终端设备完成一级认证和建立安全上下文后,所述移动性管理网元判断所述请求接入的切片是否需要进行二级认证;所述移动性管理网元向所述终端设备发送第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括以下信息中的至少一个:所述请求接入的切片中已经完成二级认证的切片的选择信息、所述请求接入的切片中不需要进行二级认证的切片的选择信息、网络分配的不需要进行二级认证的切片的选择信息;在所述请求接入的切片中需要进行二级认证且未完成二级认证的第一切片二级认证通过后,所述移动性管理网元向所述终端设备发送更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
基于该方案,网络发送注册接受消息比现有技术的注册流程中发送注册接受消息的时间更早,即本申请只要完成了对终端设备的一级认证和建立安全上下文之后就发送注册接受消息(通过提前发送注册接受消息,注册流程可以尽早结束,不过这仅仅代表暂时(Interim)结束,而不是完全结束,因为还有二级认证没完成),而现有技术是等到所有的切片完成二级认证之后才发送注册接受消息,这样不仅可以解决嵌套式认证带来的问题,终端设备也大大增加了接入的灵活性,并且使得注册时的定时器的设置或管理变得更为简便。此时,终端设备可以根据网络反馈的二级认证信息,决定何时进行二级认证对终端设备更方便。比如,终端设备可以根据已经成功认证的切片,接入该切片,建立会话,发送接收数据服务。而在晚些时候空闲时,再请求接入其他切片。
在一种可能的实现方法中,所述第一注册接受消息还包括以下信息中的至少一个:所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证所需的预估时间、第一切片认证指示、所述请求接入的切片中不需要进行二级认证的切片的选择信息、所述请求接入的切片中被拒绝接入的切片的选择信息、至少一个临时标识;其中,所述第一切片认证指示用于指示存在未完成二级认证的切片,一个临时标识对应完成二级认证的一个或多个切片的选择信息。
在一种可能的实现方法中,所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
在一种可能的实现方法中,所述移动性管理网元接收来自所述终端设备的第一消息,所述第一消息用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证;所述移动性管理网元向所述终端设备发送更新的允许接入的切片的选择信息,包括:所述移动性管理网元向所述终端设备发送第二消息,所述第二消息包括所述更新的允许接入的切片的选择信息。
在一种可能的实现方法中,所述第一消息包括所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息,和/或,第二切片认证指示;所述第二切片认证指 示用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证。
在一种可能的实现方法中,所述第一消息为第二注册请求消息,所述第二消息为第二注册接受消息;或者,所述第一消息为切片注册请求消息,所述第二消息为切片注册接受消息。
在一种可能的实现方法中,所述移动性管理网元向所述终端设备发送更新的允许接入的切片的选择信息,包括:所述移动性管理网元向所述终端设备发送配置更新命令,所述配置更新命令包括所述更新的允许接入的切片的选择信息。
在一种可能的实现方法中,所述配置更新命令还包括以下信息中的至少一个:所述请求接入的切片中需要进行二级认证且未完成二级认证的切片中被拒绝接入的切片的选择信息、更新后的所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、至少一个临时标识;其中,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
第三方面,终端设备向所述移动性管理网元发送第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息,所述请求接入的切片为不需要进行二级认证的切片;在所述终端设备完成一级认证和建立安全上下文后,所述终端设备接收来自所述移动性管理网元的第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括所述请求接入的切片中的允许接入的切片的选择信息和/或网络分配的不需要进行二级认证的切片的选择信息;所述终端设备向所述移动性管理网元发送第一消息,所述第一消息包括需要进行二级认证的切片的选择信息,所述第一消息用于请求对所述需要进行二级认证的切片进行切片认证;在所述需要进行二级认证的切片中的第一切片二级认证通过后,所述终端设备接收来自所述移动性管理网元的第二消息,所述第二消息包括更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
基于该方案,网络发送注册接受消息比现有技术的注册流程中发送注册接受消息的时间更早,即本申请只要完成了对终端设备的一级认证和建立安全上下文之后就发送注册接受消息(通过提前发送注册接受消息,注册流程可以尽早结束,不过这仅仅代表暂时(Interim)结束,而不是完全结束,因为还有二级认证没完成),而现有技术是等到所有的切片完成二级认证之后才发送注册接受消息,这样不仅可以解决嵌套式认证带来的问题,终端设备也大大增加了接入的灵活性,并且使得注册时的定时器的设置或管理变得更为简便。此时,终端设备可以根据网络反馈的二级认证信息,决定何时进行二级认证对终端设备更方便。比如,终端设备可以根据已经成功认证的切片,接入该切片,建立会话,发送接收数据服务。而在晚些时候空闲时,再请求接入其他切片。
在一种可能的实现方法中,所述需要进行二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
在一种可能的实现方法中,所述第一消息还包括所述分组信息指示了所述需要进行二级认证的切片的分组信息,所述分组信息指示了各分组进行二级认证的优先级。
在一种可能的实现方法中,所述第一消息为第二注册请求消息,所述第二消息为第二 注册接受消息;或者,所述第一消息为切片注册请求消息,所述第二消息为切片注册接受消息。
第四方面,移动性管理网元接收来自终端设备的第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息,所述请求接入的切片为不需要进行二级认证的切片;在所述终端设备完成一级认证和建立安全上下文后,所述移动性管理网元向所述终端设备发送第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括所述请求接入的切片中的允许接入的切片的选择信息和/或网络分配的不需要进行二级认证的切片的选择信息;所述移动性管理网元接收来自所述终端设备的第一消息,所述第一消息包括需要进行二级认证的切片的选择信息,所述第一消息用于请求对所述需要进行二级认证的切片进行切片认证;在所述需要进行二级认证的切片中的第一切片二级认证通过后,所述移动性管理网元向所述终端设备发送第二消息,所述第二消息包括更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
基于该方案,网络发送注册接受消息比现有技术的注册流程中发送注册接受消息的时间更早,即本申请只要完成了对终端设备的一级认证和建立安全上下文之后就发送注册接受消息(通过提前发送注册接受消息,注册流程可以尽早结束,不过这仅仅代表暂时(Interim)结束,而不是完全结束,因为还有二级认证没完成),而现有技术是等到所有的切片完成二级认证之后才发送注册接受消息,这样不仅可以解决嵌套式认证带来的问题,终端设备也大大增加了接入的灵活性,并且使得注册时的定时器的设置或管理变得更为简便。此时,终端设备可以根据网络反馈的二级认证信息,决定何时进行二级认证对终端设备更方便。比如,终端设备可以根据已经成功认证的切片,接入该切片,建立会话,发送接收数据服务。而在晚些时候空闲时,再请求接入其他切片。
在一种可能的实现方法中,所述需要进行二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
在一种可能的实现方法中,所述第一消息还包括所述分组信息指示了所述需要进行二级认证的切片的分组信息,所述分组信息指示了各分组进行二级认证的优先级。
在一种可能的实现方法中,所述第一消息为第二注册请求消息,所述第二消息为第二注册接受消息;或者,所述第一消息为切片注册请求消息,所述第二消息为切片注册接受消息。
第五方面,本申请提供一种通信装置,该装置具有实现上述任意方面或任意方面中的实现方法的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块。
第六方面,本申请提供一种通信装置,包括:处理器和存储器;该存储器用于存储计算机执行指令,当该装置运行时,该处理器执行该存储器存储的该计算机执行指令,以使该装置执行如上述任意方面或任意方面中的实现方法。
第七方面,本申请提供一种通信装置,包括:包括用于执行以上任意方面各个步骤的单元或手段(means)。
第八方面,本申请提供一种通信装置,包括处理器和接口电路,所述处理器用于通过 接口电路与其它装置通信,并执行以上任意方面提供的任意方法。该处理器包括一个或多个。
第九方面,本申请提供一种通信装置,包括处理器,用于与存储器相连,用于调用所述存储器中存储的程序,以执行上述任意方面的任意实现方式中的方法。该存储器可以位于该装置之内,也可以位于该装置之外。且该处理器包括一个或多个。
第十方面,本申请还提供一种计算机可读存储介质,所述计算机可读存储介质中存储有指令,当其在计算机上运行时,使得处理器执行上述任意方面所述的方法。
第十一方面,本申请还提供一种包括指令的计算机程序产品,当其在计算机上运行时,使得计算机执行上述任意方面所述的方法。
第十二方面,本申请还提供一种芯片系统,包括:处理器,用于执行上述各方面所述的方法。
第十三方面,本申请还提供一种通信系统,包括用于执行上述第一方面或第一方面任一实现方法的终端设备和用于执行上述第二方面或第二方面任一实现方法的移动性管理网元。
第十四方面,本申请还提供一种通信系统,包括用于执行上述第三方面或第三方面任一实现方法的终端设备和用于执行上述第四方面或第四方面任一实现方法的移动性管理网元。
附图说明
图1为本申请提供的一种可能的网络架构示意图;
图2为本申请提供的一种终端设备的注册方法流程示意图;
图3为本申请提供的又一种终端设备的注册方法流程示意图;
图4为本申请提供的又一种终端设备的注册方法流程示意图;
图5为本申请提供的又一种终端设备的注册方法流程示意图;
图6为本申请提供的又一种终端设备的注册方法流程示意图;
图7为本申请提供的又一种终端设备的注册方法流程示意图;
图8为本申请提供的一种通信装置示意图;
图9为本申请提供的又一种通信装置示意图;
图10为本申请提供的又一种通信装置示意图。
具体实施方式
为了使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请作进一步地详细描述。方法实施例中的具体操作方法也可以应用于装置实施例或系统实施例中。其中,在本申请的描述中,除非另有说明,“多个”的含义是两个或两个以上。
为了使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请作进一步地详细描述。方法实施例中的具体操作方法也可以应用于装置实施例或系统实施例中。其中,在本申请的描述中,除非另有说明,“多个”的含义是两个或两个以上。
如图1所示,为基于服务化架构的第五代(the 5th generation,5G)网络架构示意图。图1所示的5G网络架构中可包括三部分,分别是终端设备部分、数据网络(data network, DN)和运营商网络部分。
其中,运营商网络可包括网络开放功能(network exposure function,NEF)网元、网络存储功能(network function repository function,NRF)网元、策略控制功能(policy control function,PCF)网元、统一数据管理(unified data management,UDM)网元、应用功能(application function,AF)网元、认证服务器功能(authentication server function,AUSF)网元、接入与移动性管理功能(access and mobility management function,AMF)网元、会话管理功能(session management function,SMF)网元、(无线)接入网((radio)access network,(R)AN)以及用户面功能(user plane function,UPF)网元等。上述运营商网络中,除(无线)接入网部分之外部分,称为核心网络部分。为方便说明,后续以(R)AN称为RAN为例进行说明。
本申请的终端设备(也可以称为用户设备(user equipment,UE))是一种具有无线收发功能的设备,可以部署在陆地上,包括室内或室外、手持或车载;也可以部署在水面上(如轮船等);还可以部署在空中(例如飞机、气球和卫星上等)。所述终端可以是手机(mobile phone)、平板电脑(pad)、带无线收发功能的电脑、虚拟现实(virtual reality,VR)终端、增强现实(augmented reality,AR)终端、工业控制(industrial control)中的无线终端、无人驾驶(self driving)中的无线终端、远程医疗(remote medical)中的无线终端、智能电网(smart grid)中的无线终端、运输安全(transportation safety)中的无线终端、智慧城市(smart city)中的无线终端、智慧家庭(smart home)中的无线终端等。
上述终端设备可通过运营商网络提供的接口(例如N1等)与运营商网络建立连接,使用运营商网络提供的数据和/或语音等服务。终端设备还可通过运营商网络访问DN,使用DN上部署的运营商业务,和/或第三方提供的业务。其中,上述第三方可为运营商网络和终端设备之外的服务方,可为终端设备提供他数据和/或语音等服务。其中,上述第三方的具体表现形式,具体可根据实际应用场景确定,在此不做限制。
RAN是运营商网络的子网络,是运营商网络中业务节点与终端设备之间的实施系统。终端设备要接入运营商网络,首先是经过RAN,进而可通过RAN与运营商网络的业务节点连接。本申请中的RAN设备,是一种为终端设备提供无线通信功能的设备,接入网设备包括但不限于:5G中的下一代基站(g nodeB,gNB)、演进型节点B(evolved node B,eNB)、无线网络控制器(radio network controller,RNC)、节点B(node B,NB)、基站控制器(base station controller,BSC)、基站收发台(base transceiver station,BTS)、家庭基站(例如,home evolved nodeB,或home node B,HNB)、基带单元(baseBand unit,BBU)、传输点(transmitting and receiving point,TRP)、发射点(transmitting point,TP)、移动交换中心等。
AMF网元是由运营商网络提供的控制面网元,负责终端设备接入运营商网络的接入控制和移动性管理,例如包括移动状态管理,分配用户临时身份标识,认证和授权用户等功能。
SMF网元是由运营商网络提供的控制面网元,负责管理终端设备的协议数据单元(protocol data unit,PDU)会话。PDU会话是一个用于传输PDU的通道,终端设备需要通过PDU会话与DN互相传送PDU。PDU会话由SMF网元负责建立、维护和删除等。SMF网元包括会话管理(如会话建立、修改和释放,包含UPF和AN之间的隧道维护)、UPF网元的选择和控制、业务和会话连续性(Service and Session Continuity,SSC)模式选 择、漫游等会话相关的功能。
UPF网元是由运营商提供的网关,是运营商网络与DN通信的网关。UPF网元包括数据包路由和传输、包检测、业务用量上报、服务质量(Quality of Service,QoS)处理、合法监听、上行包检测、下行数据包存储等用户面相关的功能。
DN,也可以称为分组数据网络(packet data network,PDN),是位于运营商网络之外的网络,运营商网络可以接入多个DN,DN上可部署多种业务,可为终端设备提供数据和/或语音等服务。例如,DN是某智能工厂的私有网络,智能工厂安装在车间的传感器可为终端设备,DN中部署了传感器的控制服务器,控制服务器可为传感器提供服务。传感器可与控制服务器通信,获取控制服务器的指令,根据指令将采集的传感器数据传送给控制服务器等。又例如,DN是某公司的内部办公网络,该公司员工的手机或者电脑可为终端设备,员工的手机或者电脑可以访问公司内部办公网络上的信息、数据资源等。
UDM网元是由运营商提供的控制面网元,负责存储运营商网络中签约用户的用户永久标识符(subscriber permanent identifier,SUPI)、信任状(credential)、安全上下文(security context)、签约数据等信息。UDM网元所存储的这些信息可用于终端设备接入运营商网络的认证和授权。其中,上述运营商网络的签约用户具体可为使用运营商网络提供的业务的用户,例如使用中国电信的手机芯卡的用户,或者使用中国移动的手机芯卡的用户等。上述签约用户的永久签约标识(Subscription Permanent Identifier,SUPI)可为该手机芯卡的号码等。上述签约用户的信任状、安全上下文可为该手机芯卡的加密密钥或者跟该手机芯卡加密相关的信息等存储的小文件,用于认证和/或授权。上述安全上下文可为存储在用户本地终端(例如手机)上的数据(cookie)或者令牌(token)等。上述签约用户的签约数据可为该手机芯卡的配套业务,例如该手机芯卡的流量套餐或者使用网络等。需要说明的是,永久标识符、信任状、安全上下文、认证数据(cookie)、以及令牌等同认证、授权相关的信息,在本发明本申请文件中,为了描述方便起见不做区分、限制。如果不做特殊说明,本申请实施例将以用安全上下文为例进行来描述,但本申请实施例同样适用于其他表述方式的认证、和/或授权信息。
AUSF网元是由运营商提供的控制面网元,通常用于一级认证,即终端设备(签约用户)与运营商网络之间的认证。AUSF网元接收到签约用户发起的认证请求之后,可通过UDM网元中存储的认证信息和/或授权信息对签约用户进行认证和/或授权,或者通过UDM网元生成签约用户的认证和/或授权信息。AUSF网元可向签约用户反馈认证信息和/或授权信息。
NEF网元是由运营商提供控制面网元。NEF网元以安全的方式对第三方开放运营商网络的对外接口。在SMF网元需要与第三方的网元通信时,NEF网元可作为SMF网元与第三方的网元通信的中继。NEF网元作为中继时,可作为签约用户的标识信息的翻译,以及第三方的网元的标识信息的翻译。比如,NEF将签约用户的SUPI从运营商网络发送到第三方时,可以将SUPI翻译成其对应的外部身份标识(identity,ID)。反之,NEF网元将外部ID(第三方的网元ID)发送到运营商网络时,可将其翻译成SUPI。
PCF网元是由运营商提供的控制面功能,用于向SMF网元提供PDU会话的策略。策略可以包括计费相关策略、QoS相关策略和授权相关策略等。
网络切片选择功能(Network Slice Selection Function,NSSF)网元(图中未示出),负责确定网络切片实例,选择AMF网元等。
图1中Nnef、Nausf、Nnrf、Npcf、Nudm、Naf、Namf、Nsmf、N1、N2、N3、N4,以及N6为接口序列号。这些接口序列号的含义可参见3GPP标准协议中定义的含义,在此不做限制。
本申请中的移动性管理网元可以是图1所示的AMF网元,也可以是未来通信系统中的具有上述AMF网元的功能的网元。或者,本申请中的移动性管理网元还可以是长期演进(long term evolution,LTE)中的移动性管理实体(mobility management entity,MME)等。
为方便说明,本申请后续,以移动性管理网元为AMF网元为例进行说明。进一步地,将AMF网元简称为AMF,将终端设备称为UE,即本申请后续所描述的AMF均可替换为移动性管理网元,UE均可替换为终端设备。
为便于理解本申请内容,下面对本申请涉及的一些通信术语进行解释说明。需要说明的是,该部分内容也作为本申请发明内容的一部分。
一、切片
本申请中的“切片”也可以称为“网络切片”,或称为“网络切片实例”,三者具有相同的含义,这里统一说明,后续不再赘述。
目前,多种多样的场景对第三代合作伙伴计划(3rd Generation Partnership Project,3GPP)生态系统提出了不同的需求,如计费、策略、安全、移动性等需求。3GPP强调了网络切片之间不相互影响,例如突发的大量的抄表业务不应该影响正常的移动宽带业务。为了满足多样性需求和切片间的隔离,需要业务间相对独立的管理和运维,并提供量身定做的业务功能和分析能力。不同类型业务的实例部署在不同的网络切片上,相同业务类型的不同实例也可部署在不同的网络切片上。
5G网络中的切片是一个虚拟的专用网络,它是由一组网络功能、子网络所构成。比如,图1中的RAN、AMF、SMF、UPF可以组成一个切片。图1中的每种网络功能只示意性地画出了一个,而在实际网络部署中,每种网络功能或子网络可以有多个、数十个或上百个。运营商网络中可以部署很多网络切片,每个切片可以有不同的性能来满足不同应用、不同垂直行业的需求。运营商可以根据不同垂直行业客户的需求,“量身定做”一个切片。运营商也可以允许一些行业客户享有较大的自主权,参与切片的部分管理、控制功能。其中,切片级的认证就是由行业客户参与的一种网络控制功能,即对终端用户接入切片进行认证和授权。
当核心网部署了网络切片,用户初始附着(或称为注册)到网络时,会触发网络切片的选择过程。切片的选择过程取决于用户的签约数据,本地配置信息,漫游协议,运营商的策略等等。在网络切片的选择过程中,需要综合考虑以上参数,才能为UE选择最佳的切片类型。
当UE需要接入到某个网络切片时,UE可以提供请求的网络切片给核心网,用于核心网为UE选择网络切片实例。其中,UE请求的网络切片,可以用请求的网络切片集合来表示,或者也可以表示为请求的网络切片选择辅助信息(requested network slice selection assistance information,requested NSSAI)。requested NSSAI是由一个或多个单网络切片选择辅助信息(single network slice selection assistance information,S-NSSAI)来表示构成,每个S-NSSAI用于标识一个网络切片类型,也可以理解为,S-NSSAI用于标识网络切片,或者可以理解为S-NSSAI是网络切片的标识信息。为了简单起见,在以下的描述中,对“网 络切片”或是“S-NSSAI”不做严格区分,可以同样适用。
UE注册到网络之后,核心网网元(如AMF或NSSF)根据UE的签约数据、UE的requested NSSAI、漫游协议以及本地配置等信息综合判断,为UE选择允许接入的网络切片集合。其中,允许接入的网络切片集合可以用允许的(allowed)NSSAI来表示,allowed NSSAI包含的S-NSSAI均为当前运营商网络允许接入的S-NSSAI。
二、接入网络切片的认证与授权
UE在接入网络或网络切片之前,需要同网络切片进行双向认证并得到网络的授权。目前在5G标准中,网络对UE的认证与授权都是由运营商网络直接进行,这类认证授权方法被称为Primary Authentication(一级认证)。随着垂直行业和物联网的发展,可以预见,运营商网络之外的DN(如服务于垂直行业的DN),对于接入到该DN的UE同样有认证与授权的需求。比如,某商业公司提供了游戏平台,通过运营商网络,为游戏玩家提供游戏服务。一方面,由于玩家使用的UE是通过运营商网络接入游戏平台,运营商网络需要对该UE进行认证和授权,即一级认证。游戏玩家是商业公司的客户,该商业公司也需要对游戏玩家进行认证、授权,这种认证如果是基于网络切片的,或者它的颗粒度(granularity)是以切片为单位的,则该认证可以称为切片认证(slice authentication)或称为二级认证(secondary authentication),或称为基于切片的二级认证(slice-specific secondary authentication)。
需要说明的是,不管是上述一级认证,还是二级认证,都是针对UE(及或使用该UE的某个用户)与网络(运营商网络或第三方网络)之间的认证。比如,针对一级认证,指的是UE与运营商网络之间的认证,如在UE的注册流程中运营商网络对UE执行一级认证,若一级认证通过则可以建立该UE的安全上下文。再比如,针对二级认证,指的是UE(或使用该UE的用户)与运营商网络之外的网络(即第三方网络)之间的认证,第三方网络会将二级认证结果通知运营商网络,以便运营商网络授权或拒绝该UE接入为第三方网络服务的运营商网络。
需要说明的是,本申请后续有时也将二级认证称为对切片的二级认证,其具有的含义实际是:UE(或使用该UE的用户)与第三方网络之间执行的二级认证,其认证结果,将会决定运营商网络是否授权UE接入该切片。
在目前已经发布的5G标准中,只支持一级认证。UE需要接入切片时,在一级认证之后,由网络(如UDM、AMF或NSSF等网络功能)根据存储在UDM的UE与网络的签约数据和其他信息,为UE选择适合的切片并由AMF把允许UE接入的切片的授权信息(即allowed NSSAI)发送给UE。
为了更好的支持垂直行业的应用,例如支持上述的游戏公司对玩家的认证与授权,3GPP正在研究如何有效地同时支持这两种认证(即一级认证和二级认证)的机制。
在一种可能的实现方法中,以下给出了一种同时包括一级认证和二级认证的UE的注册流程的大致过程:
步骤1,UE向AMF发送接入网络的注册申请(如UE发送注册请求消息)。
步骤2,AMF根据UE的签约信息,发起同UE进行一级认证。
步骤3,一级认证成功后,AMF确定该UE是否还需要进一步的二级认证。
步骤4,如果需要,AMF发起二级认证流程,通知UE和DN进行二级认证,并转发UE和DN之间认证所需的各种交互信息。
步骤5,当UE和DN的二级认证成功后,DN向AMF发送认证成功消息。
步骤6,AMF根据认证成功消息以及其他网络信息,为UE选择切片,确定allowed NSSAI。
步骤7,AMF将授权信息(即allowed NSSAI)通过注册接受消息发送给UE,完成注册流程。
上述注册流程,是一种被称之为“嵌套式”(nested)的流程。所谓“嵌套”,可以有两种理解:1)二级认证和一级认证被一起嵌套在初始注册流程中,即完整的注册流程是:注册请求->运营商网络的一级认证->第三方网络的二级认证->网络(运营商网络和第三方网络)对UE接入的切片的授权(allowed NSSAI)->注册完成;2)二级认证被嵌套在一级认证和网络授权过程中,即运营商网络的一级认证->第三方网络的二级认证->网络对UE接入的切片的授权(allowed NSSAI)。
上述嵌套式的二级认证流程主要有以下缺点:
1)、注册、认证的计时器(timer)的设置、管理问题。根据目前3GPP标准化的结论,二级认证可能会采用基于标准组织IETF(Internet Engineering Task Force)制定的EAP(Extensible Authentication Protocol)标准作为基本认证机制,并且支持多种EAP认证方法(EAP method)。由于不同的EAP认证方法,所需的认证流程、计算资源不同,完成认证所需的时间也有所不同。进一步,二级认证是UE(或使用UE的用户)同外部网络之间的认证,外部网络负责认证的认证服务器计算资源可以大有不同,3GPP网络与具有不同网络资源的网络之间信息交互的网络拥塞状况也会不同,这也会造成完成二级认证所需的时间长短有别。再进一步,一级注册流程可以支持嵌套多次的二级认证(分别对应多个不同的S-NSSAI),综上因素,都可以使得完成二级认证流程的时间大相径庭。然而,注册、认证流程在具体实现中,会针对总体流程以及每个关键步骤事先设定计时器,每个计时的步骤或流程如果超时,就会产生运行错误。另外,当进行二级认证时,网络也可以以通过暂停、恢复注册流程的计时器来缓解计时器设定问题,但这又会引入计时器管理复杂等新问题。总之,由于上述因素造成的切片认证时间差异性,使得系统设定计时器问题变成了复杂而具有挑战的任务。
2)、整个注册流程由于二级认证的拖累,可能会被显著延长,造成用户体验等其他问题。UE或用户通常希望尽快使用可接入的服务,而不是长时间在注册流程中等待。
3)、一级认证的独立性问题。在已经发布的5G标准中,只要运营商网络的一级认证成功,UE就可以接入网络、建立会话连接等。而上述嵌套式的认证流程中,即使网络的一级认证成功,注册流程还需要等待外部网络的二级认证完成才可以被接入网络。
为解决上述问题,本申请提供多种UE的注册方法,下面具体说明。
基于图1所示的架构,如图2所示,为本申请提供的一种UE的注册方法流程示意图。该方法包括以下步骤:
步骤201,UE向AMF发送注册请求(registration request)消息,相应地,AMF可以接收到该注册请求消息。
这里的注册请求消息在本申请中也可以称为第一注册请求消息。该注册请求消息用于请求注册至网络。
该注册请求消息包括请求接入的切片的选择信息,该请求接入的切片的选择信息可以称为requested NSSAI,requested NSSAI中包括一个或多个S-NSSAI。作为示例,requested  NSSAI={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4、S-NSSAI 5、S-NSSAI 6},其中,S-NSSAI1对应切片1,S-NSSAI2对应切片2,S-NSSAI3对应切片3,S-NSSAI4对应切片4,S-NSSAI5对应切片5,S-NSSAI6对应切片6,即UE请求接入切片1、切片2、切片3、切片4、切片5和切片6。
步骤202,在UE完成一级认证和建立安全上下文后,AMF判断请求接入的切片是否需要进行二级认证。
作为示例,requested NSSAI={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4、S-NSSAI5、S-NSSAI6},比如AMF确定S-NSSAI1对应的切片1、S-NSSAI2对应的切片2、S-NSSAI3对应的切片3、S-NSSAI4对应的切片4需要进行二级认证,S-NSSAI5对应的切片5和S-NSSAI6对应的切片6不需要进行二级认证。
需要说明的是,步骤201中所述的建立安全上下文,可以是指非接入层(Non-Access Stratum,NAS)安全上下文的建立,也可以是指NAS安全上下文和接入层(Access Stratum,AS)安全上文的建立。这里不做限定。需要进一步说明的是,这一点同样适用于本申请中其他处的描述,这里做统一说明,后续不再一一重复说明。
步骤203,AMF向UE发送注册接受(registration accept)消息,相应地,UE可以接收到该注册接受消息。
这里的注册接受消息在本申请中也可以称为第一注册接受消息。
该注册接受消息包括允许接入的切片的选择信息,该允许接入的切片的选择信息比如可以是allowed NSSAI,allowed NSSAI中包括一个或多个S-NSSAI。
具体的,该allowed NSSAI包括以下信息中的至少一个:
1)、请求接入的切片中已经完成二级认证的切片的选择信息。
请求接入的切片中已经完成二级认证的切片的选择信息,在一种实现方法中,还可以包括网络分配的与请求接入的切片的选择信息对应的切片的选择信息。
2)、请求接入的切片中不需要进行二级认证的切片的选择信息。
请求接入的切片中不需要进行二级认证的切片的选择信息,在一种实现方法中,还可以包括网络分配的与请求接入的切片的选择信息对应的切片的选择信息。
3)、网络分配的不需要进行二级认证的切片的选择信息。
这里的网络分配的不需要进行二级认证的切片的选择信息具体指的是:由网络分配的不包含在请求接入的切片的选择信息中的(或者由网络分配的不包含在与请求接入的切片的选择信息相对应的切片的选择信息中的)、且不需要进行二级认证的切片的选择信息。
下面结合上面的示例继续说明。即requested NSSAI={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4、S-NSSAI5、S-NSSAI6},S-NSSAI1对应的切片1、S-NSSAI2对应的切片2、S-NSSAI3对应的切片3、S-NSSAI4对应的切片4需要进行二级认证,S-NSSAI5对应的切片5和S-NSSAI6对应的切片6不需要进行二级认证。
比如,UE和运营商网络之间完成了一级认证、且对切片5和切片6通过了授权(不需要二级认证),则allowed NSSAI可以包括S-NSSAI5、S-NSSAI6。这里的S-NSSAI5和S-NSSAI6即为请求接入的切片中不需要进行二级认证的切片的选择信息。
再比如,在UE和运营商网络完成一级认证和建立安全上下文的过程之后,运营商网络认为切片1的认证过程短暂,并发起了对切片1的二级认证。当UE和运营商网络之外的第三方网络之间针对切片1成功完成了二级认证后,运营商网络允许对切片1通过授权, 则allowed NSSAI还可以包括S-NSSAI1。这里的S-NSSAI1即为请求接入的切片中已经完成二级认证的切片的选择信息。
再比如,运营商网络(如AMF)和UE完成了一级认证,运营商网络分配切片7让UE接入,即AMF确定可以将切片7授权给UE接入,且该切片7是不需要进行二级认证的切片,则allowed NSSAI还可以包括S-NSSAI7(对应切片7)。这里的S-NSSAI7即为网络分配的不需要进行二级认证的切片的选择信息。
综上,在上述示例中,allowed NSSAI可以包括以下信息中的一个或多个:请求接入的切片中已经完成二级认证的切片的选择信息(即S-NSSAI1)、请求接入的切片中不需要进行二级认证的切片的选择信息(即S-NSSAI5和S-NSSAI6)、网络分配的不需要进行二级认证的切片的选择信息(即S-NSSAI7)。
另外需要说明的是,作为一种实现方法,如果allowed NSSAI中包括了请求接入的切片中已经完成二级认证的切片的选择信息或者包括了请求接入的切片中不需要进行二级认证的切片的选择信息,那么网络也可以不用分配额外的切片的选择信息。相反,如果allowed NSSAI中不包括任何请求接入的切片中已经完成二级认证的切片的选择信息,或者不包括任何请求接入的切片中不需要进行二级认证的切片的选择信息,那么网络一定要基于一级认证,分配一个不需要进行二级认证的切片的选择信息。在上述例子中,allowed NSSAI包括了S-NSSAI1,S-NSSAI5和S-NSSAI6,这时,网络可以不再分配S-NSSAI7给UE。相反,如果S-NSSAI5和S-NSSAI6也需要但还没进行切片认证,针对S-NSSAI1的切片认证也没完成,此时网络必须分配S-NSSAI7给UE,保证通过一级认证的UE至少有一个S-NSSAI在allowed NSSAI中。
作为一种实现方法,上述注册请求消息中进一步还可以包括以下信息中的至少一个:
1)、请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息。
即requested NSSAI中的需要进行二级认证、且未完成二级认证的切片的S-NSSAI,可以简称为待认证授权的NSSAI(pending NSSAI),即可以在注册接受消息中增加一个项(IE),用于携带pending NSSAI。
比如,针对上述示例,requested NSSAI={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4、S-NSSAI5、S-NSSAI6},S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4为需要进行二级认证的切片的选择信息,若S-NSSAI1对应的切片1已经完成了二级认证,则请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息为:S-NSSAI2、S-NSSAI3和S-NSSAI4,即pending NSSAI={S-NSSAI2、S-NSSAI3和S-NSSAI4}。
作为一种实现方法,请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息可以携带于一个切片选择信息列表(或切片选择信息S-NSSAI列表)中,切片选择信息列表(或切片选择信息S-NSSAI列表)中的切片的选择信息的顺序指示了切片选择信息列表(或切片选择信息S-NSSAI列表)中的切片进行二级认证的优先级。(为了描述简便,以下的“切片选择信息列表”,代表切片选择信息S-NSSAI列表,不再赘述。比如,注册请求消息包括切片选择信息列表A,该切片选择信息列表A={S-NSSAI2、S-NSSAI3、S-NSSAI4}。一方面,该切片选择信息列表A指示了请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息包括S-NSSAI2、S-NSSAI3和S-NSSAI4;另一方面,该切片选择信息列表A还指示了进行二级认证的优先顺序依次为:S-NSSAI2、S-NSSAI3、S-NSSAI4。
2)、请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证所需的预估时间。
这里的预估时间可以使得UE在后续发起针对请求接入的切片中需要进行二级认证且未完成二级认证的切片的二级认证时,确定切片的二级认证的先后顺序,比如针对二级认证所需的预估时间较短的切片,则可以优先进行针对该切片的二级认证。UE也可以根据预估时间只请求部分切片的二级认证,比如切片2的预估时间小于一个事先设定的值,UE只把S-NSSAI2放入requested NSSAI列表中,从而只对切片2(或对应的S-NSSAI)进行切片认证。
3)、切片认证指示。该切片认证指示用于指示存在未完成二级认证的切片。
这里的切片认证指示在本申请中也可以称为第一切片认证指示。
需要说明的是,本申请中任意地方出现的切片认证指示也可以称为指示信息、或二级认证指示,因此,这里的切片认证指示也可以称为第一指示信息、或第一二级认证指示。
该“切片认证指示”还可以用于表示当前的注册接受消息不是最终版的,还有S-NSSAI需要认证才能完成所有切片的注册过程。
需要说明的是,在具体实现中,若注册接受消息中携带上述pending NSSAI,则该pending NSSAI可以隐式指示存在未完成二级认证的切片及表示当前的注册接受消息不是最终版的,则此时该切片认证指示是可选的。
4)、请求接入的切片中不需要进行二级认证的切片的选择信息(non-slice authentication NSSAI)。
比如,针对上述示例,requested NSSAI={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4、S-NSSAI5、S-NSSAI6},S-NSSAI5、S-NSSAI6为不需要进行二级认证的切片的选择信息,则non-slice authentication NSSAI={S-NSSAI5、S-NSSAI6}。
UE可以根据该参数(即non-slice authentication NSSAI)在以后的注册申请时,参考优化UE携带的参数。
5)、请求接入的切片中被拒绝接入的切片的选择信息(rejected NSSAI)。
rejected NSSAI指被拒绝的S-NSSAI的列表。比如,针对上述示例,requested NSSAI={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4、S-NSSAI5、S-NSSAI6},若S-NSSAI2因为某种原因被拒绝(如该S-NSSAI同UE不匹配,或签约情况变化,或没有通过二级认证等),则可以通过Rejected NSSAI携带被拒绝的S-NSSAI。可选的,注册接受消息中还可以携带拒绝的原因。
在具体实现中,上述“allowed NSSAI”、“pending NSSAI”、“non-slice authentication NSSAI”、“rejected NSSAI”等可以合并成一个IE,或以某种组合方式合并成2个或多个IE。
6)、至少一个临时标识。一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
这里的临时标识例如可以是5G-全球唯一临时UE标识(5G-Globally Unique Temporary UE Identity,5G-GUTI)。
当有多个切片完成一级认证和二级认证时,一种方式是每个5G-GUTI对应一个或多个切片;另一种方式是,只有一个5G-GUTI,该5G-GUTI对应所有的切片。
5G-GUTI包含路由信息,在UE下次接入时,RAN设备可以根据该信息选择合适的AMF来服务UE。
步骤204,在请求接入的切片中需要进行二级认证且未完成二级认证的第一切片的二级认证通过后,UE接收来自AMF的更新的允许接入的切片的选择信息,更新的允许接入的切片的选择信息包括第一切片的选择信息或网络分配的与第一切片的选择信息对应的切片的选择信息。
需要说明的是,这里的“第一切片”可以指请求接入的切片中需要进行二级认证且未完成二级认证的切片中所有的切片,也可以指请求接入的切片中需要进行二级认证且未完成二级认证的切片中部分切片(如一个切片)。即,AMF可以是在需要进行二级认证且未完成二级认证的切片中的所有切片均完成二级认证后,向UE发送更新的允许接入的切片的选择信息,也可以是在需要进行二级认证且未完成二级认证的切片中的部分切片完成二级认证后,向UE发送更新的允许接入的切片的选择信息。
比如,针对上述示例,requested NSSAI={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4、S-NSSAI5、S-NSSAI6},假设通过上述步骤201-步骤203,得到如下结果:
1)、S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4为需要二级认证的切片的选择信息;
2)、S-NSSAI5、S-NSSAI6为不需要二级认证的切片的选择信息;
3)、S-NSSAI1对应的切片1已经通过了二级认证、且授权给UE。
4)、S-NSSAI2对应的切片2运营商网络不支持,即被拒绝;
5)、S-NSSAI3对应的切片3、S-NSSAI4对应的切片4还未完成二级认证和授权。
6)、网络为UE分配的已经通过一级认证且授权、且不需要二级认证的切片7的选择信息(S-NSSAI7)。
因此,在上述步骤203的注册接受消息中的:
allowed NSSAI={S-NSSAI1、S-NSSAI5、S-NSSAI6、S-NSSAI7};
pending NSSAI={S-NSSAI3、S-NSSAI4};
non-slice authentication NSSAI={S-NSSAI 5、S-NSSAI6、S-NSSAI7};
rejected NSSAI={S-NSSAI2}。
则在上述步骤204中,需要继续二级认证的切片(requested NSSAI for slice authentication)即为{S-NSSAI3、S-NSSAI4}。需要说明的是,requested NSSAI for slice authentication中的S-NSSAI还可以指示二级认证的顺序,比如该requested NSSAI for slice authentication指示了二级认证的顺序依次为:S-NSSAI3、S-NSSAI4。
需要说明的是,作为又一种实现方法,在步骤202中,AMF也可以不进行是否需要进行切片二级认证的判断。在这种实现方式下,AMF根据一级认证的结果,在步骤203中发送的注册接受消息中携带网络分配的allowed NSSAI,但无法在allowed NSSAI中包括并授权不需要进行切片二级认证的S-NSSAI。
下面结合示例,给出上述步骤204的不同实现方法。
实现方法一、通过注册请求消息和注册接受消息实现需要继续二级认证的切片的二级认证流程。
基于该实现方法,在上述步骤203之后步骤204之前,还包括以下步骤204a:
步骤204a、UE向AMF发送第一消息,相应地,AMF可以接收到该第一消息。
需要说明的是,步骤204a中,AMF接收到该第一消息后,还可以包括一个判断的动作,即判断请求接入的切片是否需要进行二级认证,这个判断的动作,类似于步骤202中的描述。
更进一步,在判断请求接入的切片是否需要进行二级认证之前,还可以判断是否需要进行一级认证并重新建立安全上下文,比如确认以前的一级认证已经失效或以前一级认证建立的安全上下文已经失效或被删除等情况发生时,则确认可以重新进行一级认证并重新建立安全上下文。一级认证和安全上下文的建立,类似于步骤202中关于一级认证和安全上下文建立的描述。
该第一消息用于请求对请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证,即第一消息用于请求对上述requested NSSAI for slice authentication进行二级认证。
这里的第一消息具体为注册请求消息。该注册请求消息在本申请中也可以称为第二注册请求消息。该注册请求消息与上述步骤201中的注册请求消息的作用及携带的信息不同。
该注册请求消息包括请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息(即上述requested NSSAI for slice authentication),和/或,切片认证指示(本申请中也将该切片认证指示称为第二切片认证指示、或第二级认证指示、或指示信息)。
该切片认证指示用于请求对请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证。
在一种实现方法中,该注册请求消息包括requested NSSAI for slice authentication,但不包括该切片认证指示,即requested NSSAI for slice authentication可以隐式请求对requested NSSAI for slice authentication进行二级认证。
在又一种实现方法中,该注册请求消息包括切片认证指示,但不包括requested NSSAI for slice authentication,则由AMF根据切片认证指示,确定requested NSSAI for slice authentication。
在又一种实现方法中,该注册请求消息包括切片认证指示和requested NSSAI for slice authentication。
基于该实现方法,则上述步骤204具体实现为:AMF向UE发送第二消息,相应地,UE可以接收该第二消息,第二消息包括更新的允许接入的切片的选择信息。
该第二消息具体为注册接受消息,该注册接受消息在本申请中也可以称为第二注册接受消息,其与上述步骤203的注册接受消息(即第一注册接受消息)携带的信息不同。
这里的更新的允许接入的切片的选择信息(new allowed NSSAI)包括上述requested NSSAI for slice authentication中二级认证通过且授权的NSSAI。比如针对上述示例,requested NSSAI for slice authentication={S-NSSAI3、S-NSSAI4},若S-NSSAI3、S-NSSAI4均二级认证通过且授权,则new allowed NSSAI={S-NSSAI3、S-NSSAI4}。
进一步的,new allowed NSSAI还可以包括更新前的allowed NSSAI中的S-NSSAI。比如,针对上述示例,allowed NSSAI={S-NSSAI1、S-NSSAI5、S-NSSAI6、S-NSSAI7},则new allowed NSSAI={S-NSSAI1、S-NSSAI3、S-NSSAI4、S-NSSAI5、S-NSSAI6、S-NSSAI7}。
需要说明的是,更新的允许接入的切片的选择信息包括的切片的选择信息可以是requested NSSAI for slice authentication中的S-NSSAI,也可以是由网络分配的与该S-NSSAI对应的S-NSSAI。比如,requested NSSAI for slice authentication中的S-NSSAI3需要二级认证,在二级认证通过后,正常情况下,网络会反馈S-NSSAI3授权,但有些场景,网络不支持S-NSSAI3,而是支持与S-NSSAI3具有类似特性的S-NSSAI3a,这时,网络发送的授权的S-NSSAI则可以是S-NSSAI3a,即S-NSSAI3a是与S-NSSAI3对应的S-NSSAI,同时 还可以通知UE:S-NSSAI3与S-NSSAI3a之间的对应关系。
需要说明的是,上述步骤204a-步骤204可以执行一次或多次。比如,针对requested NSSAI for slice authentication={S-NSSAI3、S-NSSAI4},则有以下不同的实现方式:
1)、执行一次步骤204a,携带的requested NSSAI for slice authentication={S-NSSAI3}。
执行一次步骤204,携带new allowed NSSAI。若S-NSSAI3二级认证通过且授权,则new allowed NSSAI包括S-NSSAI3。若S-NSSAI3二级认证未通过、或未授权,则new allowed NSSAI不包括S-NSSAI3或步骤204不携带new allowed NSSAI。
再执行一次步骤204a,携带的requested NSSAI for slice authentication={S-NSSAI4}。
再执行一次步骤204,携带new allowed NSSAI。若S-NSSAI4二级认证通过且授权,则new allowed NSSAI包括S-NSSAI4。若S-NSSAI4二级认证未通过、或未授权,则new allowed NSSAI不包括S-NSSAI4或步骤204不携带new allowed NSSAI。
2)、执行一次步骤204a,携带的requested NSSAI for slice authentication={S-NSSAI3、S-NSSAI4}。
执行一次步骤204,携带new allowed NSSAI。若S-NSSAI3二级认证通过且授权,则new allowed NSSAI包括S-NSSAI3。若S-NSSAI3二级认证未通过、或未授权,则new allowed NSSAI不包括S-NSSAI3或步骤204不携带new allowed NSSAI。
再执行一次步骤204,携带new allowed NSSAI。若S-NSSAI4二级认证通过且授权,则new allowed NSSAI包括S-NSSAI4。若S-NSSAI4二级认证未通过、或未授权,则new allowed NSSAI不包括S-NSSAI4或步骤204不携带new allowed NSSAI。
3)、执行一次步骤204a,携带的requested NSSAI for slice authentication={S-NSSAI3、S-NSSAI4}。
执行一次步骤204,携带new allowed NSSAI。若S-NSSAI3、S-NSSAI4均二级认证通过且授权,则new allowed NSSAI包括S-NSSAI3和S-NSSAI4。若S-NSSAI3二级认证未通过、或未授权,S-NSSAI4二级认证通过且授权,则new allowed NSSAI包括S-NSSAI4,但不包括S-NSSAI3。若S-NSSAI4二级认证未通过、或未授权,S-NSSAI3二级认证通过且授权,则new allowed NSSAI包括S-NSSAI3,但不包括S-NSSAI4。若S-NSSAI3和S-NSSAI4二级认证均未通过、或未授权,则new allowed NSSAI不包括S-NSSAI3和S-NSSAI4,或步骤204不携带new allowed NSSAI。
实现方法二、通过配置更新命令实现需要继续二级认证的切片的二级认证流程
基于该实现方法,则上述步骤204具体实现为:AMF向UE发送第二消息,相应地,UE可以接收该第二消息,第二消息包括更新的允许接入的切片的选择信息。
该第二消息具体为配置更新命令(UE Configuration Update Command),该注册接受消息在本申请中也可以称为第二注册接受消息,其与上述步骤203的注册接受消息(即第一注册接受消息)携带的信息不同。
该实现方法二,与上述实现方法一的主要区别是:该实现方法利用了注册流程中的注册接受消息(即步骤203),以及利用到了配置更新命令(步骤204),并且是由网络主动发起对请求接入的切片中需要进行二级认证且未完成二级认证的切片(这里称为NSSAI need for slice authentication)进行二级认证,如针对上述示例,网络在上述步骤203之后主动发起针对S-NSSAI3和S-NSSAI4的二级认证流程,并通过配置更新命令向UE发送二级认证的结果。
其中,包括的更新的允许接入的切片的选择信息,这里的更新的允许接入的切片的选择信息(new allowed NSSAI)包括NSSAI need for slice authentication中二级认证通过且授权的NSSAI。比如针对上述示例,NSSAI need for slice authentication={S-NSSAI3、S-NSSAI4},若S-NSSAI3、S-NSSAI4均二级认证通过且授权,则new allowed NSSAI={S-NSSAI3、S-NSSAI4}。
进一步的,new allowed NSSAI还可以包括更新前的allowed NSSAI中的S-NSSAI。比如,针对上述示例,allowed NSSAI={S-NSSAI1、S-NSSAI5、S-NSSAI6、S-NSSAI7},则new allowed NSSAI={S-NSSAI1、S-NSSAI3、S-NSSAI4、S-NSSAI5、S-NSSAI6、S-NSSAI7}。
需要说明的是,new allowed NSSAI包括的切片的选择信息可以是NSSAI need for slice authentication中的S-NSSAI,也可以是由网络分配的与该S-NSSAI对应的S-NSSAI。比如,NSSAI need for slice authentication中的S-NSSAI3需要二级认证,在二级认证通过后,正常情况下,网络会反馈S-NSSAI3授权,但有些场景,网络不支持S-NSSAI3,而是支持与S-NSSAI3具有类似特性的S-NSSAI3a,这时,网络发送的授权的S-NSSAI则可以是S-NSSAI3a,即S-NSSAI3a是与S-NSSAI3对应的S-NSSAI,同时还可以通知UE:S-NSSAI3与S-NSSAI3a之间的对应关系。
进一步的,上述配置更新命令中还可以包括以下信息中的一个或多个:
1)、请求接入的切片中需要进行二级认证且未完成二级认证的切片中被拒绝接入的切片的选择信息。
比如,针对上述NSSAI need for slice authentication={S-NSSAI3、S-NSSAI4},若S-NSSAI3二级认证未通过、或未授权,即S-NSSAI3被拒绝,则可以在配置更新命令中携带rejected NSSAI,rejected NSSAI={S-NSSAI3},可选的,还可以携带拒绝原因(如该S-NSSAI同UE不匹配,或签约情况变化,或没有通过二级认证等)。
2)、更新后的请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息(即new NSSAI need for slice authentication)。
比如,针对上述NSSAI need for slice authentication={S-NSSAI3、S-NSSAI4},若S-NSSAI4二级认证通过且授权,则可以在配置更新命令中携带new NSSAI need for slice authentication,new NSSAI need for slice authentication={S-NSSAI3}。
3)、至少一个临时标识,其中,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
该临时标识的具体含义和作用可以参考前述描述,这里不再赘述。
需要说明的是,上述步骤204可以执行一次或多次。比如,针对NSSAI need for slice authentication={S-NSSAI3、S-NSSAI4},则有以下不同的实现方式:
1)、执行一次步骤204,携带new allowed NSSAI。若S-NSSAI3二级认证通过且授权,则new allowed NSSAI包括S-NSSAI3。若S-NSSAI3二级认证未通过、或未授权,则new allowed NSSAI不包括S-NSSAI3或步骤204不携带new allowed NSSAI。
再执行一次步骤204,携带new allowed NSSAI。若S-NSSAI4二级认证通过且授权,则new allowed NSSAI包括S-NSSAI4。若S-NSSAI4二级认证未通过、或未授权,则new allowed NSSAI不包括S-NSSAI4或步骤204不携带new allowed NSSAI。
2)、执行一次步骤204,携带new allowed NSSAI。若S-NSSAI3、S-NSSAI4均二级认证通过且授权,则new allowed NSSAI包括S-NSSAI3和S-NSSAI4。若S-NSSAI3二级认 证未通过、或未授权,S-NSSAI4二级认证通过且授权,则new allowed NSSAI包括S-NSSAI4,但不包括S-NSSAI3。若S-NSSAI4二级认证未通过、或未授权,S-NSSAI3二级认证通过且授权,则new allowed NSSAI包括S-NSSAI3,但不包括S-NSSAI4。若S-NSSAI3和S-NSSAI4二级认证均未通过、或未授权,则new allowed NSSAI不包括S-NSSAI3和S-NSSAI4,或步骤204不携带new allowed NSSAI。
实现方法三、通过新定义的消息实现需要继续二级认证的切片的二级认证流程
在一种实现方法中,可以将上述实现方法一中的步骤204a的注册请求消息(即第二注册请求消息)更换为一个新定义的消息,这里称为切片注册请求消息,将步骤204的注册接受消息(即第二注册接受消息)更换为一个定义的消息,这里称为切片注册接受消息,从而得到该实现方法三。
在又一种实现方法中,可以将上述实现方法二中的步骤204的配置更新命令更换为一个定义的消息,这里称为切片注册更新命令,从而得到该实现方法三。
基于图2实施例的方案,网络发送注册接受消息(即上述步骤203的注册接受消息)比现有技术的注册流程中发送注册接受消息的时间更早,即本申请只要完成了对UE的一级认证和建立安全上下文之后就发送注册接受消息(通过提前发送注册接受消息,注册流程可以尽早结束,不过这仅仅代表暂时(Interim)结束,而不是完全结束,因为还有二级认证没完成),而现有技术是等到所有的切片完成二级认证之后才发送注册接受消息,这样不仅可以解决嵌套式认证带来的问题,UE也大大增加了接入的灵活性,并且使得注册时的定时器的设置变得更为简便。此时,UE可以根据网络反馈的二级认证信息,决定何时进行二级认证对UE更方便。比如,UE可以根据已经成功认证的切片,接入该切片,建立会话,发送接收数据服务。而在晚些时候空闲时,再请求接入其他切片。
基于图1所示的架构,如图3所示,为本申请提供的又一种UE的注册方法流程示意图,本实施例与上述图2实施例的主要区别在于:本实施例以UE为主,根据其可获得的信息,通过优化注册请求消息中的参数来实现去嵌套的方法,而对网络协议不需要或者需要很小的改动。该方法包括以下步骤:
步骤301,UE向AMF发送注册请求(registration request)消息,相应地,AMF可以接收到该注册请求消息。
这里的注册请求消息在本申请中也可以称为第一注册请求消息。该注册请求消息用于请求注册至网络。
注册请求消息包括请求接入的切片的选择信息(requested NSSAI),请求接入的切片为不需要进行二级认证的切片。
在步骤301之前,UE可以事先获知哪些S-NSSAI需要二级认证,哪些S-NSSAI不需要二级认证,例如UE可以利用历史接入的情况来进行分析,并确定哪些S-NSSAI需要二级认证,哪些S-NSSAI不需要二级认证。又例如,UE可以预先配置可接入的S-NSSAI,并预先配置哪些S-NSSAI不需要二级认证,哪些需要二级认证。也可预先配置存储相关二级认证的特征,如采用哪种EAP方法,预估的二级认证所需时间等。
即UE可以将UE中的S-NSSAI分为两组,一组为需要二级认证的S-NSSAI,另一组为不需要二级认证的S-NSSAI。
或者,UE还可以将上述需要二级认证的S-NSSAI进一步的再分为N个组(N大于1), 比如,根据二级认证可能的时间长短,或根据需要接入切片的先后顺序进行分组。分组后,在UE注册至网络后的后续流程中,可以针对该N个组中的每个组发起一次注册申请。更进一步,也可以针对每个需要二级认证的S-NSSAI发起一次注册申请(即每个S-NSSAI是一个组),同样的,发起注册申请的先后顺序,可以事先进行排序。
在上述步骤301的requested NSSAI,只携带不需要进行二级认证的切片,不携带需要进行二级认证的切片。
作为一个示例,UE中的S-NSSAI包括S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4、S-NSSAI5、S-NSSAI6,其中,UE确定S-NSSAI1对应的切片1、S-NSSAI2对应的切片2、S-NSSAI3对应的切片3、S-NSSAI4对应的切片4需要进行二级认证,S-NSSAI5对应的切片5和S-NSSAI6对应的切片6不需要进行二级认证。则该步骤301的requested NSSAI={S-NSSAI5、S-NSSAI6}。
进一步的,还可以将S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4进行分组,比如分为四个组,每个组包括一个S-NSSAI,或者分为两个组等,并且不同的分组对应的二级认证的优先级不同。
步骤302,在UE完成一级认证和建立安全上下文后,AMF向UE发送注册接受消息,相应地,UE可以接收到该注册接受消息。
该注册接受消息包括允许接入的切片的选择信息(allowed NSSAI),allowed NSSAI包括以下信息中的一个或多个:
1)、请求接入的切片中的允许接入的切片的选择信息。
请求接入的切片中的允许接入的切片的选择信息即为requested NSSAI中不需要进行二级认证的S-NSSAI。比如,上述requested NSSAI中的S-NSSAI5S-NSSAI6,在一级认证通过后直接授权,则请求接入的切片中的允许接入的切片的选择信息即为{S-NSSAI5,S-NSSAI6}。
2)、网络分配的不需要进行二级认证的切片的选择信息。
这里的网络分配的不需要进行二级认证的切片的选择信息具体指的是:网络分配的已经完成一级认证、且不需要进行二级认证的切片的选择信息。
比如,网络(如AMF)对S-NSSAI7对应的切片7完成了一级认证且授权通过,即AMF确定可以将切片7授权给UE接入,且该切片7是不需要进行二级认证的切片,则allowed NSSAI还可以包括S-NSSAI7。这里的S-NSSAI7即为网络分配的已经完成一级认证、且不需要进行二级认证的切片的选择信息。
综上,在上述示例中,allowed NSSAI可以包括以下信息中的一个或多个:请求接入的切片中的允许接入的切片的选择信息(即S-NSSAI5和S-NSSAI6)、网络分配的不需要进行二级认证的切片的选择信息(即S-NSSAI7)。
需要说明的是,在一种可能的实现方法中,如果allowed NSSAI中已经包括了请求接入的切片中的允许接入的切片的选择信息,那么网络也可以不用分配额外的切片的选择信息。相反,如果allowed NSSAI不包括任何请求接入的切片中的允许接入的切片的选择信息,网络就一定要分配给通过一级认证的UE至少一个S-NSSAI。在上述例子中,allowed NSSAI包括了S-NSSAI5和S-NSSAI6,这时,网络可以不再分配S-NSSAI7给UE。如果,S-NSSAI5和S-NSSAI6也需要进行切片认证,网络才分配S-NSSAI7给通过一级认证的UE,如此,可以保证至少有一个S-NSSAI在allowed NSSAI中。
步骤303,UE向AMF发送第一消息,相应地,AMF可以接收到该第一消息。
第一消息包括需要进行二级认证的切片的选择信息(requested NSSAI for slice authentication),第一消息用于请求对需要进行二级认证的切片进行切片认证。例如,针对上述示例,requested NSSAI for slice authentication例如包括S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4。或者也可以多次发送第一消息,每次发起的第一消息中包括需要进行二级认证的切片的一个分组。
作为一种实现方法,需要进行二级认证的切片的选择信息可以携带于一个切片选择信息列表中,切片选择信息列表中的切片的选择信息的顺序指示了切片选择信息列表中的切片进行二级认证的优先级。比如,第一消息包括切片选择信息列表A,该切片选择信息列表A={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4}。一方面,该切片选择信息列表A指示了请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息包括S-NSSAI1、S-NSSAI2、S-NSSAI3和S-NSSAI4;另一方面,该切片选择信息列表A还指示了进行二级认证的顺序依次为:S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4。
步骤304,在需要进行二级认证的切片中的第一切片二级认证通过后,AMF向UE发送第二消息,相应地,UE接收来自AMF的第二消息。
该第二消息包括更新的允许接入的切片的选择信息(new allowed NSSAI),new allowed NSSAI包括第一切片的选择信息或网络分配的与第一切片的选择信息对应的切片的选择信息。
需要说明的是,这里的“第一切片”可以指requested NSSAI for slice authentication中所有的切片,也可以指requested NSSAI for slice authentication中部分切片(如一个切片)。即,AMF可以是在requested NSSAI for slice authentication中的所有切片均完成二级认证后,向UE发送new allowed NSSAI,也可以是在requested NSSAI for slice authentication中的部分切片完成二级认证后,向UE发送new allowed NSSAI。
下面结合具体示例,对上述过程进行说明。比如,UE将UE中的S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4、S-NSSAI5、S-NSSAI6分为了两个分组,其中分组1={S-NSSAI5、S-NSSAI6},分组2={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4},其中分组1包括不需要二级认证的切片的选择信息,分组2包括需要二级认证的切片的选择信息。
上述步骤303的第一消息中的requested NSSAI for slice authentication={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4},网络对requested NSSAI for slice authentication中的切片的选择信息对应的切片进行二级认证,比如对S-NSSAI1、S-NSSAI2、S-NSSAI3认证通过且授权,对S-NSSAI4拒绝,则上述第二消息中的new allowed NSSAI={S-NSSAI1、S-NSSAI2、S-NSSAI3},或者,new allowed NSSAI中还可以包括上述步骤302的allowed NSSAI中的S-NSSAI,比如allowed NSSAI={S-NSSAI5、S-NSSAI7},则new allowed NSSAI={S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI5、S-NSSAI7}。第二消息还可以携带rejected NSSAI,该rejected NSSAI={S-NSSAI 4},进一步地还可以携带拒绝接入的原因,具体可参考前述描述的各拒绝接入的原因。
需要说明的是,requested NSSAI for slice authentication中的S-NSSAI还可以指示二级认证的顺序,比如该requested NSSAI for slice authentication指示了二级认证的顺序依次为:S-NSSAI1、S-NSSAI2、S-NSSAI3、S-NSSAI4。
需要说明的是,上述步骤303-步骤304可以执行一次或多次。其具体实现过程类似于 上述图2实施例中的相关描述的方法,可参考前述描述。
需要说明的是,在一种实现方法中,上述第一消息是注册请求消息,第二消息是注册接受消息。在又一种实现方法中,上述第一消息是切片注册请求消息,第二消息是切片注册接受消息。
基于图3实施例的方案,网络发送注册接受消息(即上述步骤302的注册接受消息)比现有技术的注册流程中发送注册接受消息的时间更早,即本申请只要完成了对UE的一级认证和建立安全上下文之后就发送注册接受消息(通过提前发送注册接受消息,注册流程可以尽早结束,不过这仅仅代表暂时(Interim)结束,而不是完全结束,因为还有二级认证没完成),而现有技术是等到所有的切片完成二级认证之后才发送注册接受消息,这样不仅可以解决嵌套式认证带来的问题,UE也大大增加了接入的灵活性,并且使得注册时的定时器的设置变得更为简便。此时,UE可以根据网络反馈的二级认证信息,决定何时进行二级认证对UE更方便。比如,UE可以根据已经成功认证的切片,接入该切片,建立会话,发送接收数据服务。而在晚些时候空闲时,再请求接入其他切片。
本申请通过上述图2和图3两个实施例,给出了UE的两种注册方法,实现了“去嵌套化”的二级认证,即提供灵活的认证(注册)流程,使得一级认证和二级认证可以解耦,单一的或几个二级认证流程的长短,不会造成对一级认证以及其他二级认证造成显著影响,从而解决上述嵌套式认证流程所引入的问题。
注册流程中,与认证、授权强相关的流程可以先从功能上进行划分为:1)网络和UE之间的一级认证,2)网络对UE接入切片的NSSAI授权,3)UE和DN之间的二级认证,4)NAS或AS安全建立(即建立UE的安全上下文)。
其中,1)中的一级认证和4)中的NAS和/或AS安全建立,都与3)的二级认证不直接相关,它与2)中切片的NSSAI授权行为也可以是相对独立的。一级认证是基于UE在运营商网络UDM中存储的签约数据(而不是二级认证的DN AAA是认证、授权和计费(Authentication、Authorization、Accounting,AAA)服务器),一级认证之后,NAS安全中的密钥推衍和生成,也不受NSSAI的制约(NSSAI不是密钥生成时所需参数)。也就是说,一级认证以及NAS和/或AS安全建立过程是可以从其他流程中分离出来的。而2)和3)强相关,而且通常有一一对应的关系。也就是说,一个切片的认证成功,会直接对应到一个S-NSSAI的授权,这样2)和3)是需要绑定的,但该绑定又是可以以一次(或一组)二级认证或一个(或一组)S-NSSAI授权的为单位(颗粒度)进行,而不需要把所有的二级认证和S-NSSAI混在一起。
具体实现方法上,主要原则是尽可能的先完成注册流程中一级认证、NAS安全建立等必选流程,然后再按照灵活可配置的安全策略进行二级认证。至于切片授权的S-NSSAI信息,可以每次二级认证成功及时发送给用户,或者一次性发送多个S-NSSAI的信息。与前述嵌套式二级认证相对应,总体流程可以简要概括为(省略NAS安全建立流程):
步骤1,UE向网络(AMF)发送接入网络的注册申请。
步骤2,网络(AMF)根据UE的签约信息(如SUPI等),同UE进行一级认证。
步骤3,认证成功后,网络(AMF)确定该UE是否还需要进一步进行二级认证。
步骤4,网络(AMF)将授权信息allowed NSSAI(但还未进行二级认证)发送给UE,完成“interim”注册流程。如果需要二级认证,网络(AMF)发起一个或者一组二级认证流程,通知UE和DN进行二级认证,并转发UE和DN之间认证所需的各种交互信息。
其中,allowed NSSAI根据网络存储信息(如UE存储在UDM或AMF的签约信息等)或授权信息(如通过与NSSF交互)来确定。allowed NSSAI可以包括网络分配的默认的S-NSSAI,和/或与待访问的不需要二级认证的切片相对应的S-NSSAI。选定哪个切片或哪一组二级认证,可以灵活配置、确定(根据UE注册请求信息、签约信息、DN信息等等)
步骤5,每完成一次二级认证,DN向网络(AMF)发送二级认证成功消息。
步骤6,针对每一次二级认证或者每一组二级认证,网络(AMF)根据二级认证是否成功,为UE选择(或通过NSSF等NF)相对应的切片,确定allowed NSSAI。
步骤7,网络(AMF)将更新的授权信息allowed NSSAI发送给UE,完成注册流程(步骤5-步骤7可以根据需要重复进行)。
在本申请上述认证(注册)流程,在具体实施例中,还需要进一步考虑以下几个方面:
1)、网络给UE发送allowed NSSAI信息的方法,比如,方法1:采用现有注册流程中的消息和流程,但需要定义新的IE(Information Element)及新的动作(behavior)。再比如,方法2:定义新的专用消息及相应的流程。
2)、如果是采用现有注册流程,备选消息有“registration accept”。
3)、发送“registration accept”(包括了授权信息“allowed NSSAI”)的时间点:可选的方案一,网络可以在一级认证之后(还没有与DN进行二级认证之前,或无需二级认证),根据一级认证结果、存储在网络(UDM、AMF等)的签约信息、AMF与其他网络功能(如NSSF)交互的结果等信息,确定allowed NSSAI,并发送给UE。可选的方案二,网络可以在一级认证之后,并且完成了一部分的二级认证之后,发送“registration accept”。需要说明的是,方案二是一种局部的嵌套方案。
4)、“registration accept”消息中,除了可以包括“allowed NSSAI”之外,也需要包括指示信息,通知UE,哪些NSSAI需要进行二级认证。也可以指示多个二级认证的优选认证方式和优先顺序,即二级认证是一个认证完成后通知UE还是一组二级认证完成后通知UE。二级认证的认证顺序,可以根据所需时间长短排序。除了排序,也可以标示,每个二级认证所需时间的估计值。
5)、“registration accept”消息中,还可以进一步指示哪些S-NSSAI被拒绝,比如“rejected NSSAI”,哪些S-NSSAI不需要进行二级认证。指示的好处是,UE可以存储相应的状态,在下次请求接入的时候,可以避免重复申请接入被拒绝的S-NSSAI,或者进行其他操作,比如UE可以根据被拒绝的原因,通知UE上的应用程序或用户进行进一步处理。如,长期被拒绝,用户可以查询签约数据是否存在问题等。
6)、上述指示信息,可以是多个单独的IE,也可以是一个IE多种状态,这里不作限定。
7)、除了利用现有“registration accept”消息之外,网络还可以利用“UE Configuration Update Command”消息,通知UE需要进行二级认证。类似上述描述,在“UE Configuration Update Command”消息中,可以包括各种指示信息,触发UE来进行二级认证的后续步骤。
8)、除了利用现有消息之外,也可以定义新的消息,完成网络和UE之间的信息交互。主要是完成,网络通知UE已经被授权的Allowed NSSAI信息,待二级认证的S-NSSAI,被拒绝的NSSAI信息,不需要二级认证的NSSAI信息。这些信息可以多此发送,首先是在二级认证之前,之后是在每次二级认证之后,或是每组二级认证之后。
9)、本申请一方面可以通过网络侧来解决嵌套式认证问题,另一方面也可以通过增强 UE的智能性和通过网络的协助来解决、缓解该问题。比如,如果UE可以获得、分析、预测到哪些S-NSSAI不需要二级认证,每种二级认证所需的时间,UE可以在注册请求中,直接通知网络UE的选择,即,先进行单独一级认证和无需二级认证的注册申请,然后按顺序进行每个二级认证或每组二级认证。
以上是对上述实施例2和实施例3的总结说明,其中的每项内容的具体实现都已经在实施例中做了具体说明,可以参考前述描述。
下面结合具体示例,对图2和图3所示的实施例进行介绍说明。需要说明的是,以下图4-图6中的AAA-F指的是AAA代理功能(AAA-proxy function)网元,AAA-S指的是AAA服务器(AAA-proxy server),这里做统一说明。
如图4所示,为本申请提供的又一种UE的注册方法流程示意图。该实施例是对上述图2所示的实施例并结合其中的步骤204对应的实现方法一的一个具体示例。该方法包括以下步骤:
步骤401,UE向网络(AMF)发送注册请求消息,该注册请求消息中包括requested NSSAI。
步骤402,AMF收到注册请求消息后,发起一级认证流程进行UE和网络的双向认证(包括NAS安全建立过程)。
步骤403,一级认证成功后,AMF判断请求接入的切片是否需要二级认证。
即判断requested NSSAI中的S-NSSAI对应的切片是否需要二级认证。
步骤404,AMF向UE发送注册接受消息,该注册接受消息包括以下一项或多项:“allowed NSSAI”、“Pending NSSAI”、“切片认证指示”、“non-slice authentication NSSAI”、“rejected NSSAI”、“5G-GUTI”。
步骤405,UE向AMF发送注册请求消息。该消息可以包括需要二级认证的NSSAI请求(“requested NSSAI for slice authentication”)、“切片认证指示”、“5G-GUTI”等。
步骤406,网络与UE完成切片的二级认证。
即网络与UE完成requested NSSAI for slice authentication中的S-NSSAI对应的切片的二级认证的流程。
步骤407,AMF向UE发送注册接受消息,该消息包含了经过二级认证以后的更新了的“allowed NSSAI”,其中可以包括当前认证所授权的S-NSSAI和以前已经授权的S-NSSAI,也可以只包括当前认证所授权的S-NSSAI。
该实施例的上述步骤的具体实现细节可以参考图2所示的实施例的相关内容的描述,该实施例的有益效果的描述也可以参考图2所示的实施例的描述,这里不再赘述。
如图5所示,为本申请提供的又一种UE的注册方法流程示意图。该实施例是对上述图2所示的实施例并结合其中的步骤204对应的实现方法二的一个具体示例。该方法包括以下步骤:
步骤501-步骤504,与实施例4的步骤401-步骤404相同,可参考前述描述。
步骤505,网络发起并完成与UE的切片的二级认证。
即网络与UE完成NSSAI need for slice authentication中的S-NSSAI对应的切片的二级认证的流程。
步骤506,AMF向UE发送配置更新命令,该配置更新命令包含了经过二级认证以后的更新了的“allowed NSSAI”,其中可以包括当前认证所授权的S-NSSAI和以前已经授权的S-NSSAI,也可以只包括当前认证所授权的S-NSSAI。
步骤507,UE向网络(AMF)发送配置更新完成消息。
该步骤507为可选步骤。
需要说明的是,上述步骤505和步骤506也可以执行多次,比如每次完成NSSAI need for slice authentication中的S-NSSAI对应的切片中的一个切片的二级认证的流程,并将授权的S-NSSAI通过步骤506发送给UE。再比如,每次完成NSSAI need for slice authentication中的S-NSSAI对应的切片中的多个切片的二级认证的流程,并将授权的S-NSSAI通过步骤506发送给UE。
该实施例的上述步骤的具体实现细节可以参考图2所示的实施例的相关内容的描述,该实施例的有益效果的描述也可以参考图2所示的实施例的描述,这里不再赘述。
如图6所示,为本申请提供的又一种UE的注册方法流程示意图。该实施例是对上述图2所示的实施例并结合其中的步骤204对应的实现方法三的一个具体示例。该方法包括以下步骤:
步骤601-步骤604,与实施例4的步骤401-步骤404相同,可参考前述描述。
步骤605,UE向AMF发送切片注册请求消息。该消息可以包括需要二级认证的NSSAI请求(“requested NSSAI for slice authentication”)、“切片认证指示”、“5G-GUTI”等。
步骤606,网络与UE完成切片的二级认证。
即网络与UE完成requested NSSAI for slice authentication中的S-NSSAI对应的切片的二级认证的流程。
步骤607,AMF向UE发送切片注册接受消息,该消息包含了经过二级认证以后的更新了的“allowed NSSAI”,其中可以包括当前认证所授权的S-NSSAI和以前已经授权的S-NSSAI,也可以只包括当前认证所授权的S-NSSAI。
该实施例与图4所示的实施例的主要区别是:步骤605采用新定义的切片注册请求消息,步骤607采用新定义的切片注册接受消息,其他都类似。
该实施例的上述步骤的具体实现细节可以参考图2所示的实施例的相关内容的描述,该实施例的有益效果的描述也可以参考图2所示的实施例的描述,这里不再赘述。
如图7所示,为本申请提供的又一种UE的注册方法流程示意图。该实施例是对上述图3所示的实施例的一个具体示例。该方法包括以下步骤:
步骤701,UE向网络(AMF)发送注册请求消息,该注册请求消息中包括requested NSSAI。
其中,requested NSSAI包括请求接入的不需要二级认证的切片的选择信息。
步骤702,AMF收到注册请求消息后,发起一级认证流程进行UE和网络的双向认证(包括NAS安全建立过程)。
步骤703,一级认证成功后,AMF判断请求接入的切片是否需要二级认证。
这里,AMF判断的结果是:requested NSSAI中的所有S-NSSAI对应的切片均不需要二级认证。
该步骤为可选步骤。
步骤704,AMF向UE发送注册接受消息,该注册接受消息包括以下一项或多项:“allowed NSSAI”、“rejected NSSAI”、“5G-GUTI”。
步骤705,UE向AMF发送注册请求消息。该消息可以包括需要二级认证的NSSAI请求(“requested NSSAI for slice authentication”)、“切片认证指示”、“5G-GUTI”等。
步骤706,网络与UE完成切片的二级认证。
即网络与UE完成requested NSSAI for slice authentication中的S-NSSAI对应的切片的二级认证的流程。
步骤707,AMF向UE发送注册接受消息,该消息包含了经过二级认证以后的更新了的“allowed NSSAI”,其中可以包括当前认证所授权的S-NSSAI和以前已经授权的S-NSSAI,也可以只包括当前认证所授权的S-NSSAI。
需要说明的是,上述步骤705的注册请求消息也可以使用切片注册请求消息替代,上述步骤707的注册接受消息也可以使用切片注册接受消息替代。
该实施例的上述步骤的具体实现细节可以参考图3所示的实施例的相关内容的描述,该实施例的有益效果的描述也可以参考图3所示的实施例的描述,这里不再赘述。
上述主要从各个网元之间交互的角度对本申请提供的方案进行了介绍。可以理解的是,上述实现各网元为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,本发明能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。
如图8所示,为本申请所涉及的通信装置的一种可能的示例性框图,该通信装置800可以以软件或硬件的形式存在。通信装置800可以包括:处理单元802和通信单元803。作为一种实现方式,该通信单元803可以包括接收单元和发送单元。处理单元802用于对通信装置800的动作进行控制管理。通信单元803用于支持通信装置800与其他网络实体的通信。通信装置800还可以包括存储单元801,用于存储通信装置800的程序代码和数据。
其中,处理单元802可以是处理器或控制器,例如可以是通用中央处理器(central processing unit,CPU),通用处理器,数字信号处理(digital signal processing,DSP),专用集成电路(application specific integrated circuits,ASIC),现场可编程门阵列(field programmable gate array,FPGA)或者其他可编程逻辑器件、晶体管逻辑器件、硬件部件或者其任意组合。其可以实现或执行结合本申请公开内容所描述的各种示例性的逻辑方框,模块和电路。所述处理器也可以是实现计算功能的组合,例如包括一个或多个微处理器组合,DSP和微处理器的组合等等。存储单元801可以是存储器。通信单元803是一种该装置的接口电路,用于从其它装置接收信号。例如,当该装置以芯片的方式实现时,该通信单元803是该芯片用于从其它芯片或装置接收信号的接口电路,或者,是该芯片用于向其它芯片或装置发送信号的接口电路。
该通信装置800可以为上述任一实施例中的终端设备,还可以为用于终端设备的芯片。 例如,当通信装置800为终端设备时,该处理单元802例如可以是处理器,该通信单元803例如可以是收发器。可选的,该收发器可以包括射频电路,该存储单元例如可以是存储器。例如,当通信装置800为用于终端设备的芯片时,该处理单元802例如可以是处理器,该通信单元803例如可以是输入/输出接口、管脚或电路等。该处理单元802可执行存储单元存储的计算机执行指令,可选地,该存储单元为该芯片内的存储单元,如寄存器、缓存等,该存储单元还可以是该终端设备内的位于该芯片外部的存储单元,如只读存储器(read-only memory,ROM)或可存储静态信息和指令的其他类型的静态存储设备,随机存取存储器(random access memory,RAM)等。
在第一个实施例中,该通信装置800为终端设备,通信单元803包括发送单元和接收单元。发送单元,用于向移动性管理网元发送第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息;接收单元,用于在所述终端设备完成一级认证和建立安全上下文后,接收来自所述移动性管理网元的第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括以下信息中的至少一个:所述请求接入的切片中已经完成二级认证的切片的选择信息、所述请求接入的切片中不需要进行二级认证的切片的选择信息、网络分配的不需要进行二级认证的切片的选择信息;接收单元,还用于在所述请求接入的切片中需要进行二级认证且未完成二级认证的第一切片二级认证通过后,接收来自所述移动性管理网元的更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
在一种可能的实现方法中,所述第一注册接受消息还包括以下信息中的至少一个:所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证所需的预估时间、第一切片认证指示、所述请求接入的切片中不需要进行二级认证的切片、所述请求接入的切片中被拒绝接入的切片的选择信息、至少一个临时标识;其中,所述第一切片认证指示用于指示存在未完成二级认证的切片,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
在一种可能的实现方法中,所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
在一种可能的实现方法中发送单元,用于向所述移动性管理网元发送第一消息,所述第一消息用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证;接收单元,具体用于接收来自所述移动性管理网元的第二消息,所述第二消息包括所述更新的允许接入的切片的选择信息。
在一种可能的实现方法中,所述第一消息包括所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息,和/或,第二切片认证指示;所述第二切片认证指示用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证。
在一种可能的实现方法中,所述第一消息为第二注册请求消息,所述第二消息为第二注册接受消息;或者,所述第一消息为切片注册请求消息,所述第二消息为切片注册接受消息。
在一种可能的实现方法中,接收单元,用于接收来自所述移动性管理网元的配置更新命令,所述配置更新命令包括所述更新的允许接入的切片的选择信息。
在一种可能的实现方法中,所述配置更新命令还包括以下信息中的至少一个:所述请求接入的切片中需要进行二级认证且未完成二级认证的切片中被拒绝接入的切片的选择信息、更新后的所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、至少一个临时标识;其中,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
在第二个实施例中,该通信装置800为终端设备,通信单元803包括发送单元和接收单元。发送单元,用于向所述移动性管理网元发送第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息,所述请求接入的切片为不需要进行二级认证的切片;接收单元,用于在所述终端设备完成一级认证和建立安全上下文后,接收来自所述移动性管理网元的第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括所述请求接入的切片中的允许接入的切片的选择信息和/或网络分配的不需要进行二级认证的切片的选择信息;所述发送单元,还用于向所述移动性管理网元发送第一消息,所述第一消息包括需要进行二级认证的切片的选择信息,所述第一消息用于请求对所述需要进行二级认证的切片进行切片认证;所述接收单元还用于在所述需要进行二级认证的切片中的第一切片二级认证通过后,接收来自所述移动性管理网元的第二消息,所述第二消息包括更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
在一种可能的实现方法中,所述需要进行二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
在一种可能的实现方法中,所述第一消息还包括所述分组信息指示了所述需要进行二级认证的切片的分组信息,所述分组信息指示了各分组进行二级认证的优先级。
在一种可能的实现方法中,所述第一消息为第二注册请求消息,所述第二消息为第二注册接受消息;或者,所述第一消息为切片注册请求消息,所述第二消息为切片注册接受消息。
可以理解的是,该通信装置用于上述终端设备的注册方法时的具体实现过程以及相应的有益效果,可以参考前述方法实施例中的相关描述,这里不再赘述。
如图9所示,为本申请所涉及的通信装置的一种可能的示例性框图,该通信装置900可以以软件或硬件的形式存在。通信装置900可以包括:处理单元902和通信单元903。作为一种实现方式,该通信单元903可以包括接收单元和发送单元。处理单元902用于对通信装置900的动作进行控制管理。通信单元903用于支持通信装置900与其他网络实体的通信。通信装置900还可以包括存储单元901,用于存储通信装置900的程序代码和数据。
其中,处理单元902可以是处理器或控制器,例如可以是CPU,通用处理器,DSP,ASIC,FPGA或者其他可编程逻辑器件、晶体管逻辑器件、硬件部件或者其任意组合。其可以实现或执行结合本申请公开内容所描述的各种示例性的逻辑方框,模块和电路。所述 处理器也可以是实现计算功能的组合,例如包括一个或多个微处理器组合,DSP和微处理器的组合等等。存储单元901可以是存储器。通信单元903是一种该装置的接口电路,用于从其它装置接收信号。例如,当该装置以芯片的方式实现时,该通信单元903是该芯片用于从其它芯片或装置接收信号的接口电路,或者,是该芯片用于向其它芯片或装置发送信号的接口电路。
该通信装置900可以为上述任一实施例中的移动性管理网元,还可以为用于移动性管理网元的芯片。例如,当通信装置900为移动性管理网元时,该处理单元902例如可以是处理器,该通信单元903例如可以是收发器。可选的,该收发器可以包括射频电路,该存储单元例如可以是存储器。例如,当通信装置900为用于移动性管理网元的芯片时,该处理单元902例如可以是处理器,该通信单元903例如可以是输入/输出接口、管脚或电路等。该处理单元902可执行存储单元存储的计算机执行指令,可选地,该存储单元为该芯片内的存储单元,如寄存器、缓存等,该存储单元还可以是该移动性管理网元内的位于该芯片外部的存储单元,如ROM或可存储静态信息和指令的其他类型的静态存储设备,RAM等。
在第一个实施例中,该通信装置900为移动性管理网元,通信单元803包括发送单元和接收单元。接收单元,用于接收来自终端设备的第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息;处理单元,用于在所述终端设备完成一级认证和建立安全上下文后,所述移动性管理网元判断所述请求接入的切片是否需要进行二级认证;发送单元,用于向所述终端设备发送第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括以下信息中的至少一个:所述请求接入的切片中已经完成二级认证的切片的选择信息、所述请求接入的切片中不需要进行二级认证的切片的选择信息、网络分配的不需要进行二级认证的切片的选择信息;发送单元,还用于在所述请求接入的切片中需要进行二级认证且未完成二级认证的第一切片二级认证通过后,向所述终端设备发送更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
在一种可能的实现方法中,所述第一注册接受消息还包括以下信息中的至少一个:所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证所需的预估时间、第一切片认证指示、所述请求接入的切片中不需要进行二级认证的切片的选择信息、所述请求接入的切片中被拒绝接入的切片的选择信息、至少一个临时标识;其中,所述第一切片认证指示用于指示存在未完成二级认证的切片,一个临时标识对应完成二级认证的一个或多个切片的选择信息。
在一种可能的实现方法中,所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
在一种可能的实现方法中,接收单元,还用于接收来自所述终端设备的第一消息,所述第一消息用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证;发送单元,用于向所述终端设备发送第二消息,所述第二消息包括所述更新的允许接入的切片的选择信息。
在一种可能的实现方法中,所述第一消息包括所述请求接入的切片中需要进行二级认 证且未完成二级认证的切片的选择信息,和/或,第二切片认证指示;所述第二切片认证指示用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证。
在一种可能的实现方法中,所述第一消息为第二注册请求消息,所述第二消息为第二注册接受消息;或者,所述第一消息为切片注册请求消息,所述第二消息为切片注册接受消息。
在一种可能的实现方法中,发送单元,用于向所述终端设备发送配置更新命令,所述配置更新命令包括所述更新的允许接入的切片的选择信息。
在一种可能的实现方法中,所述配置更新命令还包括以下信息中的至少一个:所述请求接入的切片中需要进行二级认证且未完成二级认证的切片中被拒绝接入的切片的选择信息、更新后的所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、至少一个临时标识;其中,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
在第二个实施例中,该通信装置900为移动性管理网元,通信单元803包括发送单元和接收单元。接收单元,用于接收来自终端设备的第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息,所述请求接入的切片为不需要进行二级认证的切片;发送单元,用于在所述终端设备完成一级认证和建立安全上下文后,向所述终端设备发送第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括所述请求接入的切片中的允许接入的切片的选择信息和/或网络分配的不需要进行二级认证的切片的选择信息;接收单元,还用于接收来自所述终端设备的第一消息,所述第一消息包括需要进行二级认证的切片的选择信息,所述第一消息用于请求对所述需要进行二级认证的切片进行切片认证;发送单元,还用于在所述需要进行二级认证的切片中的第一切片二级认证通过后,向所述终端设备发送第二消息,所述第二消息包括更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
在一种可能的实现方法中,所述需要进行二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
在一种可能的实现方法中,所述第一消息还包括所述分组信息指示了所述需要进行二级认证的切片的分组信息,所述分组信息指示了各分组进行二级认证的优先级。
在一种可能的实现方法中,所述第一消息为第二注册请求消息,所述第二消息为第二注册接受消息;或者,所述第一消息为切片注册请求消息,所述第二消息为切片注册接受消息。
可以理解的是,该通信装置用于上述终端设备的注册方法时的具体实现过程以及相应的有益效果,可以参考前述方法实施例中的相关描述,这里不再赘述。
如图10所示,为本申请提供的一种通信装置示意图,该通信装置可以是上述移动性管理网元、或终端设备。该通信装置1000包括:处理器1002、通信接口1003、存储器1001。可选的,通信装置1000还可以包括通信线路1004。其中,通信接口1003、处理器1002以及存储器1001可以通过通信线路1004相互连接;通信线路1004可以是外设部件互连 标准(peripheral component interconnect,简称PCI)总线或扩展工业标准结构(extended industry standard architecture,简称EISA)总线等。所述通信线路1004可以分为地址总线、数据总线、控制总线等。为便于表示,图10中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。
处理器1002可以是一个CPU,微处理器,ASIC,或一个或多个用于控制本申请方案程序执行的集成电路。
通信接口1003,使用任何收发器一类的装置,用于与其他设备或通信网络通信,如以太网,RAN,无线局域网(wireless local area networks,WLAN),有线接入网等。
存储器1001可以是ROM或可存储静态信息和指令的其他类型的静态存储设备,RAM或者可存储信息和指令的其他类型的动态存储设备,也可以是电可擦可编程只读存储器(electrically erasable programmable read-only memory,EEPROM)、只读光盘(compact disc read-only memory,CD-ROM)或其他光盘存储、光碟存储(包括压缩光碟、激光碟、光碟、数字通用光碟、蓝光光碟等)、磁盘存储介质或者其他磁存储设备、或者能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质,但不限于此。存储器可以是独立存在,通过通信线路1004与处理器相连接。存储器也可以和处理器集成在一起。
其中,存储器1001用于存储执行本申请方案的计算机执行指令,并由处理器1002来控制执行。处理器1002用于执行存储器1001中存储的计算机执行指令,从而实现本申请上述实施例提供的终端设备的注册方法。
可选的,本申请实施例中的计算机执行指令也可以称之为应用程序代码,本申请实施例对此不作具体限定。
本领域普通技术人员可以理解:本申请中涉及的第一、第二等各种数字编号仅为描述方便进行的区分,并不用来限制本申请实施例的范围,也表示先后顺序。“和/或”,描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。字符“/”一般表示前后关联对象是一种“或”的关系。“至少一个”是指一个或者多个。至少两个是指两个或者多个。“至少一个”、“任意一个”或其类似表达,是指的这些项中的任意组合,包括单项(个)或复数项(个)的任意组合。例如,a,b,或c中的至少一项(个、种),可以表示:a,b,c,a-b,a-c,b-c,或a-b-c,其中a,b,c可以是单个,也可以是多个。“多个”是指两个或两个以上,其它量词与之类似。此外,对于单数形式“a”,“an”和“the”出现的元素(element),除非上下文另有明确规定,否则其不意味着“一个或仅一个”,而是意味着“一个或多于一个”。例如,“a device”意味着对一个或多个这样的device。
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、 服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包括一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,DVD)、或者半导体介质(例如固态硬盘(Solid State Disk,SSD))等。
本申请实施例中所描述的各种说明性的逻辑单元和电路可以通过通用处理器,数字信号处理器,专用集成电路(ASIC),现场可编程门阵列(FPGA)或其它可编程逻辑装置,离散门或晶体管逻辑,离散硬件部件,或上述任何组合的设计来实现或操作所描述的功能。通用处理器可以为微处理器,可选地,该通用处理器也可以为任何传统的处理器、控制器、微控制器或状态机。处理器也可以通过计算装置的组合来实现,例如数字信号处理器和微处理器,多个微处理器,一个或多个微处理器联合一个数字信号处理器核,或任何其它类似的配置来实现。
本申请实施例中所描述的方法或算法的步骤可以直接嵌入硬件、处理器执行的软件单元、或者这两者的结合。软件单元可以存储于RAM存储器、闪存、ROM存储器、EPROM存储器、EEPROM存储器、寄存器、硬盘、可移动磁盘、CD-ROM或本领域中其它任意形式的存储媒介中。示例性地,存储媒介可以与处理器连接,以使得处理器可以从存储媒介中读取信息,并可以向存储媒介存写信息。可选地,存储媒介还可以集成到处理器中。处理器和存储媒介可以设置于ASIC中。
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。
尽管结合具体特征及其实施例对本申请进行了描述,显而易见的,在不脱离本申请的精神和范围的情况下,可对其进行各种修改和组合。相应地,本说明书和附图仅仅是所附权利要求所界定的本申请的示例性说明,且视为已覆盖本申请范围内的任意和所有修改、变化、组合或等同物。显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包括这些改动和变型在内。

Claims (30)

  1. 一种终端设备的注册方法,其特征在于,包括:
    终端设备向移动性管理网元发送第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息;
    在所述终端设备完成一级认证和建立安全上下文后,所述终端设备接收来自所述移动性管理网元的第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括以下信息中的至少一个:所述请求接入的切片中已经完成二级认证的切片的选择信息、所述请求接入的切片中不需要进行二级认证的切片的选择信息、网络分配的不需要进行二级认证的切片的选择信息;
    在所述请求接入的切片中需要进行二级认证且未完成二级认证的第一切片二级认证通过后,所述终端设备接收来自所述移动性管理网元的更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
  2. 如权利要求1所述的方法,其特征在于,所述第一注册接受消息还包括以下信息中的至少一个:
    所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证所需的预估时间、第一切片认证指示、所述请求接入的切片中不需要进行二级认证的切片、所述请求接入的切片中被拒绝接入的切片的选择信息、至少一个临时标识;
    其中,所述第一切片认证指示用于指示存在未完成二级认证的切片,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
  3. 如权利要求2所述的方法,其特征在于,所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
  4. 如权利要求1-3任一所述的方法,其特征在于,还包括:
    所述终端设备向所述移动性管理网元发送第一消息,所述第一消息用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证;
    所述终端设备接收来自所述移动性管理网元的更新的允许接入的切片的选择信息,包括:
    所述终端设备接收来自所述移动性管理网元的第二消息,所述第二消息包括所述更新的允许接入的切片的选择信息。
  5. 如权利要求4所述的方法,其特征在于,所述第一消息包括所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息,和/或,第二切片认证指示;
    所述第二切片认证指示用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证。
  6. 如权利要求4或5所述的方法,其特征在于,所述第一消息为第二注册请求消息,所述第二消息为第二注册接受消息;或者,
    所述第一消息为切片注册请求消息,所述第二消息为切片注册接受消息。
  7. 如权利要求1-3任一所述的方法,其特征在于,所述终端设备接收来自所述移动性管理网元的更新的允许接入的切片的选择信息,包括:
    所述终端设备接收来自所述移动性管理网元的配置更新命令,所述配置更新命令包括所述更新的允许接入的切片的选择信息。
  8. 如权利要求7所述的方法,其特征在于,所述配置更新命令还包括以下信息中的至少一个:
    所述请求接入的切片中需要进行二级认证且未完成二级认证的切片中被拒绝接入的切片的选择信息、更新后的所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、至少一个临时标识;
    其中,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
  9. 一种终端设备的注册方法,其特征在于,包括:
    移动性管理网元接收来自终端设备的第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息;
    在所述终端设备完成一级认证和建立安全上下文后,所述移动性管理网元判断所述请求接入的切片是否需要进行二级认证;
    所述移动性管理网元向所述终端设备发送第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括以下信息中的至少一个:所述请求接入的切片中已经完成二级认证的切片的选择信息、所述请求接入的切片中不需要进行二级认证的切片的选择信息、网络分配的不需要进行二级认证的切片的选择信息;
    在所述请求接入的切片中需要进行二级认证且未完成二级认证的第一切片二级认证通过后,所述移动性管理网元向所述终端设备发送更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
  10. 如权利要求9所述的方法,其特征在于,所述第一注册接受消息还包括以下信息中的至少一个:
    所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证所需的预估时间、第一切片认证指示、所述请求接入的切片中不需要进行二级认证的切片的选择信息、所述请求接入的切片中被拒绝接入的切片的选择信息、至少一个临时标识;
    其中,所述第一切片认证指示用于指示存在未完成二级认证的切片,一个临时标识对应完成二级认证的一个或多个切片的选择信息。
  11. 如权利要求10所述的方法,其特征在于,所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
  12. 如权利要求9-11任一所述的方法,其特征在于,还包括:
    所述移动性管理网元接收来自所述终端设备的第一消息,所述第一消息用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证;
    所述移动性管理网元向所述终端设备发送更新的允许接入的切片的选择信息,包括:
    所述移动性管理网元向所述终端设备发送第二消息,所述第二消息包括所述更新的允许接入的切片的选择信息。
  13. 如权利要求12所述的方法,其特征在于,所述第一消息包括所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息,和/或,第二切片认证指示;
    所述第二切片认证指示用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证。
  14. 一种终端设备的注册方法,其特征在于,包括:
    终端设备向移动性管理网元发送第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息,所述请求接入的切片为不需要进行二级认证的切片;
    在所述终端设备完成一级认证和建立安全上下文后,所述终端设备接收来自所述移动性管理网元的第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括所述请求接入的切片中的允许接入的切片的选择信息和/或网络分配的不需要进行二级认证的切片的选择信息;
    所述终端设备向所述移动性管理网元发送第一消息,所述第一消息包括需要进行二级认证的切片的选择信息,所述第一消息用于请求对所述需要进行二级认证的切片进行切片认证;
    在所述需要进行二级认证的切片中的第一切片二级认证通过后,所述终端设备接收来自所述移动性管理网元的第二消息,所述第二消息包括更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
  15. 一种终端设备的注册方法,其特征在于,包括:
    移动性管理网元接收来自终端设备的第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息,所述请求接入的切片为不需要进行二级认证的切片;
    在所述终端设备完成一级认证和建立安全上下文后,所述移动性管理网元向所述终端设备发送第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括所述请求接入的切片中的允许接入的切片的选择信息和/或网络分配的不需要进行二级认证的切片的选择信息;
    所述移动性管理网元接收来自所述终端设备的第一消息,所述第一消息包括需要进行二级认证的切片的选择信息,所述第一消息用于请求对所述需要进行二级认证的切片进行切片认证;
    在所述需要进行二级认证的切片中的第一切片二级认证通过后,所述移动性管理网元向所述终端设备发送第二消息,所述第二消息包括更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
  16. 一种通信装置,其特征在于,包括发送单元和接收单元;
    所述发送单元,用于向移动性管理网元发送第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息;
    所述接收单元,用于在所述装置完成一级认证和建立安全上下文后,接收来自所述移动性管理网元的第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括以下信息中的至少一个:所述请求接入的切片中 已经完成二级认证的切片的选择信息、所述请求接入的切片中不需要进行二级认证的切片的选择信息、网络分配的不需要进行二级认证的切片的选择信息;
    所述接收单元,还用于在所述请求接入的切片中需要进行二级认证且未完成二级认证的第一切片二级认证通过后,接收来自所述移动性管理网元的更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
  17. 如权利要求16所述的装置,其特征在于,所述第一注册接受消息还包括以下信息中的至少一个:
    所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证所需的预估时间、第一切片认证指示、所述请求接入的切片中不需要进行二级认证的切片、所述请求接入的切片中被拒绝接入的切片的选择信息、至少一个临时标识;
    其中,所述第一切片认证指示用于指示存在未完成二级认证的切片,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
  18. 如权利要求17所述的装置,其特征在于,所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
  19. 如权利要求16-18任一所述的装置,其特征在于,所述发送单元,还用于向所述移动性管理网元发送第一消息,所述第一消息用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证;
    所述接收单元,具体用于接收来自所述移动性管理网元的第二消息,所述第二消息包括所述更新的允许接入的切片的选择信息。
  20. 如权利要求19所述的装置,其特征在于,所述第一消息包括所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息,和/或,第二切片认证指示;
    所述第二切片认证指示用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证。
  21. 如权利要求19或20所述的装置,其特征在于,所述第一消息为第二注册请求消息,所述第二消息为第二注册接受消息;或者,
    所述第一消息为切片注册请求消息,所述第二消息为切片注册接受消息。
  22. 如权利要求16-18任一所述的装置,其特征在于,所述接收单元,具体用于接收来自所述移动性管理网元的配置更新命令,所述配置更新命令包括所述更新的允许接入的切片的选择信息。
  23. 如权利要求22所述的装置,其特征在于,所述配置更新命令还包括以下信息中的至少一个:
    所述请求接入的切片中需要进行二级认证且未完成二级认证的切片中被拒绝接入的切片的选择信息、更新后的所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、至少一个临时标识;
    其中,一个临时标识对应完成二级认证的切片中的一个或多个切片的选择信息。
  24. 一种通信装置,其特征在于,包括发送单元、接收单元和处理单元;
    所述接收单元,用于接收来自终端设备的第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息;
    处理单元,用于在所述终端设备完成一级认证和建立安全上下文后,判断所述请求接入的切片是否需要进行二级认证;
    所述发送单元,用于向所述终端设备发送第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括以下信息中的至少一个:所述请求接入的切片中已经完成二级认证的切片的选择信息、所述请求接入的切片中不需要进行二级认证的切片的选择信息、网络分配的不需要进行二级认证的切片的选择信息;
    所述发送单元,还用于在所述请求接入的切片中需要进行二级认证且未完成二级认证的第一切片二级认证通过后,向所述终端设备发送更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
  25. 如权利要求24所述的装置,其特征在于,所述第一注册接受消息还包括以下信息中的至少一个:
    所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息、所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证所需的预估时间、第一切片认证指示、所述请求接入的切片中不需要进行二级认证的切片的选择信息、所述请求接入的切片中被拒绝接入的切片的选择信息、至少一个临时标识;
    其中,所述第一切片认证指示用于指示存在未完成二级认证的切片,一个临时标识对应完成二级认证的一个或多个切片的选择信息。
  26. 如权利要求25所述的装置,其特征在于,所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息携带于一个切片选择信息列表中,所述切片选择信息列表中的切片的选择信息的顺序指示了所述切片选择信息列表中的切片进行二级认证的优先级。
  27. 如权利要求24-26任一所述的装置,其特征在于,所述接收单元,还用于接收来自所述终端设备的第一消息,所述第一消息用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证;
    所述发送单元,具体用于向所述终端设备发送第二消息,所述第二消息包括所述更新的允许接入的切片的选择信息。
  28. 如权利要求27所述的装置,其特征在于,所述第一消息包括所述请求接入的切片中需要进行二级认证且未完成二级认证的切片的选择信息,和/或,第二切片认证指示;
    所述第二切片认证指示用于请求对所述请求接入的切片中需要进行二级认证且未完成二级认证的切片进行二级认证。
  29. 一种通信装置,其特征在于,包括发送单元和接收单元;
    所述发送单元,用于向移动性管理网元发送第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息,所述请求接入的切片为不需要进行二级认证的切片;
    所述接收单元,用于在所述装置完成一级认证和建立安全上下文后,接收来自所述移动性管理网元的第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括所述请求接入的切片中的允许接入的切片的选择 信息和/或网络分配的不需要进行二级认证的切片的选择信息;
    所述发送单元,还用于向所述移动性管理网元发送第一消息,所述第一消息包括需要进行二级认证的切片的选择信息,所述第一消息用于请求对所述需要进行二级认证的切片进行切片认证;
    所述接收单元,还用于在所述需要进行二级认证的切片中的第一切片二级认证通过后,接收来自所述移动性管理网元的第二消息,所述第二消息包括更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
  30. 一种通信装置,其特征在于,包括发送单元和接收单元;
    所述接收单元,用于接收来自终端设备的第一注册请求消息,所述第一注册请求消息包括请求接入的切片的选择信息,所述请求接入的切片为不需要进行二级认证的切片;
    所述发送单元,用于在所述终端设备完成一级认证和建立安全上下文后,向所述终端设备发送第一注册接受消息,所述第一注册接受消息包括允许接入的切片的选择信息,所述允许接入的切片的选择信息包括所述请求接入的切片中的允许接入的切片的选择信息和/或网络分配的不需要进行二级认证的切片的选择信息;
    所述接收单元,还用于接收来自所述终端设备的第一消息,所述第一消息包括需要进行二级认证的切片的选择信息,所述第一消息用于请求对所述需要进行二级认证的切片进行切片认证;
    所述发送单元,还用于在所述需要进行二级认证的切片中的第一切片二级认证通过后,向所述终端设备发送第二消息,所述第二消息包括更新的允许接入的切片的选择信息,所述更新的允许接入的切片的选择信息包括所述第一切片的选择信息或网络分配的与所述第一切片的选择信息对应的切片的选择信息。
PCT/CN2020/075611 2019-03-04 2020-02-17 终端设备的注册方法及装置 WO2020177523A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910160313.6 2019-03-04
CN201910160313.6A CN111654862B (zh) 2019-03-04 2019-03-04 终端设备的注册方法及装置

Publications (1)

Publication Number Publication Date
WO2020177523A1 true WO2020177523A1 (zh) 2020-09-10

Family

ID=72338110

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/075611 WO2020177523A1 (zh) 2019-03-04 2020-02-17 终端设备的注册方法及装置

Country Status (2)

Country Link
CN (1) CN111654862B (zh)
WO (1) WO2020177523A1 (zh)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3913982A1 (en) * 2020-04-16 2021-11-24 T-Mobile USA, Inc. Network slicing with a radio access network node
CN114040410A (zh) * 2021-11-30 2022-02-11 中国电信股份有限公司 终端认证方法、网络侧设备以及存储介质

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114302492A (zh) * 2020-09-23 2022-04-08 维沃移动通信有限公司 切片请求方法、终端及网络侧设备
WO2022116768A1 (zh) * 2020-12-04 2022-06-09 中国电信股份有限公司 终端认证方法、装置和存储介质
CN115551122A (zh) * 2021-06-30 2022-12-30 华为技术有限公司 切片准入控制的方法和通信装置
WO2023122917A1 (zh) * 2021-12-27 2023-07-06 北京小米移动软件有限公司 一种信息处理方法、装置、通信设备及存储介质
CN114339755A (zh) * 2021-12-31 2022-04-12 中国电信股份有限公司 注册验证方法及装置、电子设备和计算机可读存储介质
WO2024098177A1 (en) * 2022-11-07 2024-05-16 Nokia Shanghai Bell Co., Ltd. Authentication procedure for network slice

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018174383A1 (ko) * 2017-03-21 2018-09-27 엘지전자 주식회사 세션 관리 방법 및 smf 노드
US20180317086A1 (en) * 2017-01-27 2018-11-01 Telefonaktiebolaget Lm Ericsson (Publ) Secondary Authentication of a User Equipment
CN109417709A (zh) * 2016-07-05 2019-03-01 三星电子株式会社 用于在移动无线网络系统中认证接入的方法和系统

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107579948B (zh) * 2016-07-05 2022-05-10 华为技术有限公司 一种网络安全的管理系统、方法及装置
EP3358887B1 (en) * 2017-02-06 2020-02-05 Industrial Technology Research Institute User equipment registration method for network slice selection and network controller and network communication system using the same
WO2018145727A1 (en) * 2017-02-07 2018-08-16 Nokia Technologies Oy Control of user equipment initiated change of network slices in a mobile system using network slicing
CN108632808B (zh) * 2017-03-17 2023-04-21 华为技术有限公司 核心网控制面设备选择方法和装置
CN108323245B (zh) * 2017-06-19 2021-02-12 华为技术有限公司 一种注册及会话建立的方法、终端和amf实体
CN109219111B (zh) * 2017-06-29 2020-09-04 华为技术有限公司 切片选择方法和装置

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109417709A (zh) * 2016-07-05 2019-03-01 三星电子株式会社 用于在移动无线网络系统中认证接入的方法和系统
US20180317086A1 (en) * 2017-01-27 2018-11-01 Telefonaktiebolaget Lm Ericsson (Publ) Secondary Authentication of a User Equipment
WO2018174383A1 (ko) * 2017-03-21 2018-09-27 엘지전자 주식회사 세션 관리 방법 및 smf 노드

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
QUALCOMM INCORPORATED ET AL.: "TS 23.502: support of secondary slice authentication", 3GPP TSG-SA WG2 MEETING #131 S2-1902882, 1 March 2019 (2019-03-01), XP051611254, DOI: 20200427163709X *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3913982A1 (en) * 2020-04-16 2021-11-24 T-Mobile USA, Inc. Network slicing with a radio access network node
US11388602B2 (en) 2020-04-16 2022-07-12 T-Mobile Usa, Inc. Network slicing with a radio access network node
CN114040410A (zh) * 2021-11-30 2022-02-11 中国电信股份有限公司 终端认证方法、网络侧设备以及存储介质

Also Published As

Publication number Publication date
CN111654862A (zh) 2020-09-11
CN111654862B (zh) 2021-12-03

Similar Documents

Publication Publication Date Title
WO2020177523A1 (zh) 终端设备的注册方法及装置
EP3627793B1 (en) Session processing method and device
WO2021017550A1 (zh) 一种事件报告的发送方法、装置及系统
WO2021012736A1 (zh) 一种会话管理网元的选择方法、装置及系统
EP3906647B1 (en) Flexible authorization in 5g service based core network
CN107615732B (zh) 将会话接纳至虚拟网络中的方法和移动性管理功能实体
CN112913283A (zh) 配置路由选择策略
US11533610B2 (en) Key generation method and related apparatus
WO2021037175A1 (zh) 一种网络切片的管理方法及相关装置
WO2020224622A1 (zh) 一种信息配置方法及装置
CN112584486B (zh) 一种通信方法及装置
CN111818516B (zh) 认证方法、装置及设备
WO2019033796A1 (zh) 会话处理方法及相关设备
WO2020253408A1 (zh) 二级认证的方法和装置
WO2020220799A1 (zh) 一种通信方法、装置及系统
WO2020200319A1 (zh) 一种终端设备的网络接入管理方法及装置
WO2020248709A1 (zh) 一种mdbv的确定方法、装置及系统
WO2020215331A1 (zh) 一种通信方法及装置
WO2022094812A1 (zh) 一种切片隔离方法、装置及系统
WO2023016160A1 (zh) 一种会话建立方法和相关装置
WO2021026927A1 (zh) 通信方法和相关设备
WO2021042381A1 (zh) 一种通信方法、装置及系统
WO2024082880A1 (zh) 一种通信方法及装置
WO2024077546A1 (zh) 一种能力调用方法及通信装置
EP4456583A2 (en) Methods and apparatus for provisioning private network devices during onboarding

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20767231

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20767231

Country of ref document: EP

Kind code of ref document: A1