WO2020227942A1 - Mechanism for improving security of communication system

Publication number
WO2020227942A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
identification information
donor
identification
iab
Application number
PCT/CN2019/086911
Other languages
French (fr)
Inventor
Esa Malkamäki
Matti Laitila
Xiang Xu
Original Assignee
Nokia Shanghai Bell Co., Ltd.
Nokia Solutions And Networks Oy
Application filed by Nokia Shanghai Bell Co., Ltd., Nokia Solutions And Networks Oy
Priority to PCT/CN2019/086911 (WO2020227942A1)
Priority to CN201980096391.2A (CN113826335B)
Publication of WO2020227942A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04B: TRANSMISSION
    • H04B7/00: Radio transmission systems, i.e. using radiation field
    • H04B7/14: Relay systems
    • H04B7/15: Active relay systems
    • H04B7/155: Ground-based stations
    • H04B7/15528: Control of operation parameters of a relay station to exploit the physical medium

Definitions

  • Embodiments of the present disclosure generally relate to the field of communications and in particular, to a method, device, apparatus and computer readable storage medium for improving security of the communication system.
  • the 3rd Generation Partnership Project (3GPP) determines standards and specifications for new radio (NR) Integrated Access and Backhaul (IAB) (e.g., via TR38.874).
  • NR new radio
  • IAB Integrated Access and Backhaul
  • L2 Layer 2
  • L3 layer 3
  • L2 an IAB node contains a distributed unit (DU) and packets are forwarded by the radio layers below packet data convergence protocol (PDCP) layer.
  • PDCP packet data convergence protocol
  • an IAB node contains a DU and/or a gNB, and packets are forwarded at layers above PDCP layer.
  • intermediate IAB nodes perform hop-by-hop routing to maintain connectivity between a serving IAB node for a terminal device and an IAB donor that has a non-wireless connection to upstream nodes.
  • a first device comprising at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to receive a data packet from a third device to the first device, the data packet comprising first identification information of the data packet.
  • the first device is further caused to obtain second identification information of the data packet from the first identification information based on mapping information received from a second device.
  • the first device is also caused to transmit the data packet to the second device, the data packet comprising the actual further identification information.
  • a third device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the third device to generate, at the third device, first identification information of a data packet based on mapping information received from a second device.
  • the third device is further caused to add the first identification into the data packet.
  • the third device is also caused to transmit the data packet to a first device, the transmitting data packet comprising the first identification information such that the first device determines second identification from the first identification.
  • a method comprising receiving a data packet from a second device to a first device, the data packet comprising identification information which is used by the first device for processing the data packet.
  • the method also comprises modifying the data packet to exclude the identification information.
  • the method further comprises transmitting the modified data packet to a third device.
  • a method comprising generating, at a third device, first identification information of a data packet based on mapping information received from a second device.
  • the method also comprises adding the first identification into the data packet.
  • the method further comprises transmitting the data packet to a first device, the transmitting data packet comprising the first identification information such that the first device determines second identification from the first identification.
  • an apparatus comprising means for receiving a data packet from a second device to a first device, the data packet comprising identification information which is used by the donor distributed unit for processing the data packet.
  • the apparatus also comprises means for modifying the data packet to exclude the identification information.
  • the apparatus further comprises means for transmitting the modified data packet to a third device.
  • an apparatus comprising means for receiving a data packet from a third device to a first device, the data packet comprising first identification information of the data packet.
  • the apparatus also comprises means for obtaining second identification information of the data packet from the first identification information based on mapping information received from a second device.
  • the apparatus further comprises means for transmitting the data packet to the second device, the data packet comprising the second identification information.
  • an apparatus comprising means for generating, at a third device, first identification information of a data packet based on mapping information received from a second device.
  • the apparatus also comprises means for adding the first identification into the data packet.
  • the apparatus further comprises means for transmitting the data packet to a first device, the transmitting data packet comprising the first identification information such that the first device determines second identification from the first identification.
  • Fig. 3 illustrates a schematic diagram of a protocol architecture for the IAB
  • Fig. 5 illustrates a schematic diagram of interactions among devices according to embodiments of the present disclosure
  • Fig. 6 illustrates schematic diagrams of structures of data packets according to embodiments of the present disclosure
  • Fig. 8 illustrates schematic diagrams of structures of data packets according to embodiments of the present disclosure
  • Fig. 9 illustrates a flow chart of a method implemented at a network device according to embodiments of the present disclosure
  • Fig. 10 illustrates a flow chart of a method implemented at a device according to embodiments of the present disclosure
  • Fig. 12 illustrates a schematic diagram of a device according to embodiments of the present disclosure.
  • Fig. 13 shows an example computer readable medium in accordance with some embodiments of the present disclosure.
  • references in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • first and second etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments.
  • the term “and/or” includes any and all combinations of one or more of the listed terms.
  • circuitry may refer to one or more or all of the following:
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
  • the term “communication network” refers to a network following any suitable communication standards, such as Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on.
  • LTE Long Term Evolution
  • LTE-A LTE-Advanced
  • WCDMA Wideband Code Division Multiple Access
  • HSPA High-Speed Packet Access
  • NB-IoT Narrow Band Internet of Things
  • the communications between a user equipment and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the fifth generation (5G) communication protocols, and/or any other protocols either currently known or to be developed in the future.
  • Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system
  • the term “network device” refers to a node in a communication network via which a user equipment accesses the network and receives services therefrom.
  • the network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), a NR NB (also referred to as a gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, a low power node such as a femto, a pico, and so forth, depending on the applied terminology and technology.
  • BS base station
  • AP access point
  • NodeB or NB node B
  • eNodeB or eNB evolved NodeB
  • RRU Remote Radio Unit
  • RH radio header
  • the network device may refer to a gNB distributed unit (gNB-DU) or a gNB centralized unit (gNB-CU) or an Integrated Access and Backhaul node (IAB-node) or an IAB-node DU.
  • gNB-DU gNB distributed unit
  • gNB-CU gNB centralized unit
  • IAB-node Integrated Access and Backhaul node
  • terminal device refers to any end device that may be capable of wireless communication.
  • a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT).
  • UE user equipment
  • SS Subscriber Station
  • MS Mobile Station
  • AT Access Terminal
  • the terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and/
  • Fig. 1 illustrates schematic diagrams of structures of data packets.
  • the conventional data packet may comprise an original IP header 1010 and an original data payload 1020.
  • IPsec internet protocol security
  • the IPsec is a secure network protocol suite that authenticates and encrypts the packets of data sent over an internet protocol network.
  • the data packet in transport mode 110 may have the original IP header 1010, an Encapsulating Security Payload (ESP) header 1030, the original data payload 1020, an ESP trailer portion 1040 and an ESP authentication portion 1050.
  • Transport mode provides a secure connection between two endpoints by encapsulating IP payload into security header.
  • the original data payload 1020 and the ESP trailer portion 1040 have been encrypted.
  • the data packet in tunnel mode 120 may comprise a new IP header 1060, the ESP header 1030, the original IP header 1010, the original data 1020, the ESP trailer portion 1040 and the ESP authentication portion 1050.
  • In tunnel mode, the entire original IP packet is secured, including the original IP header 1010, and the new IP header 1060 is created for tunnel routing information.
  • Transport mode is used between end nodes, while tunnel mode is typically used together with security gateways. Tunnel mode can be used also between end nodes.
  • Fig. 2 illustrates a schematic diagram of IAB architecture with CU-DU split.
  • the IAB-node 210 hosts Mobile Termination (MT) part 2020 and Distributed Unit (DU) part 2010.
  • the MT part 2020 has UE functionality and connects to the parent node DU.
  • the parent node can be either IAB-donor or another IAB-node 220.
  • Backhaul Radio Link Control (RLC) channel(s) are set up between the MT part 2020/2040 and the parent node's DU part 2050, and an adaptation layer called Backhaul Adaptation Protocol (BAP) is agreed to be on top of the RLC layer.
  • RLC Radio Link Control
  • BAP Backhaul Adaptation Protocol
  • the IAB-node DU 2030 part connects to the IAB-donor CU 2060 with F1 interface which is enhanced to support IAB functions.
  • IAB F1 packets (GTP-U/UDP/IP for user plane (UP) and F1AP/SCTP/IP for control plane (CP)) are transported on top of the adaptation layer.
  • IAB thus implements L2 relaying.
  • An IAB node represents a co-located resource providing NR access coverage and backhauling over the air interface. As such, an IAB node may take on both the personality of UE (MT part) for transferring backhaul traffic or that of gNB (or gNB-DU) serving connected UEs and forwarding backhaul traffic to the next hop.
  • Fig. 3 shows an example protocol stack for the user plane.
  • 3GPP is working on NR Integrated Access and Backhaul (as discussed in 3GPP technical report (TR) 38.874).
  • TR 3GPP technical report
  • Architecture 1a which is has been defined.
  • the donor-DU removes/resets identification information (for example, flow label or DSCP) from the data packet to protect the identification information, thereby improving the security of communications.
  • FIG. 4 shows an example IAB system 400 in which example embodiments of the present disclosure can be implemented.
  • the IAB system 400 includes an IAB donor 410 and IAB nodes 420-1, 420-2, 420-3, ..., 420-N (where N is a suitable integer number) underneath the IAB donor 110.
  • the IAB nodes 420-1, 420-2, 420-3, ..., 420-N may be collectively referred to as IAB node 420.
  • embodiments of the present disclosure can be implemented in any suitable systems. Only for the purpose of illustrations, embodiments of the present disclosure are described to be implemented in the IAB system.
  • the IAB donor 410 may be implemented as a gNB that terminates wireless backhaul radio interface from one or more IAB nodes.
  • the IAB donor 410 has wired/fiber connectivity with a core network.
  • the IAB donor 410 may include a central unit (CU) 410-11 and one or more DUs.
  • FIG. 4 shows that the IAB donor 410 includes a DU 410-12 by way of example.
  • the CU of the IAB donor is also referred to as Donor-CU or donor central unit; and the DU of the IAB donor is also referred to as Donor-DU or donor distributed unit.
  • a CU (such as Donor-CU or CU of an IAB node) may be a logical node which may include the functions (for example, gNB functions) such as transfer of user data, mobility control, radio access network sharing, positioning, session management etc., except those functions allocated exclusively to DUs.
  • the CU may control the operation of the DUs over a front-haul (F1) interface.
  • a DU is a logical node which may include a subset of the functions (for example, gNB functions), depending on the functional split option. The operations of the DUs may be controlled by the CU.
  • IAB nodes and terminal devices connected to the IAB nodes is only for the purpose of illustration without suggesting any limitations.
  • the IAB system may include any suitable number of IAB nodes and terminal devices adapted for implementing example embodiments of the present disclosure.
  • the system 400 may include any suitable number of network devices and terminal devices adapted for implementing embodiments of the present disclosure.
  • Communications in the communication system 400 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G) and the fifth generation (5G) and the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future.
  • IEEE Institute for Electrical and Electronics Engineers
  • the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiple (OFDM), Discrete Fourier Transform spread OFDM (DFT-s-OFDM) and/or any other technologies currently known or to be developed in the future.
  • CDMA Code Division Multiple Access
  • FDMA Frequency Division Multiple Access
  • TDMA Time Division Multiple Access
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • MIMO Multiple-Input Multiple-Output
  • OFDM Orthogonal Frequency Division Multiple
  • DFT-s-OFDM Discrete Fourier Transform spread OFDM
  • Fig. 5 illustrates a schematic diagram of interactions 500 in accordance with embodiments of the present disclosure.
  • the interactions 500 may be implemented at any suitable devices. Only for the purpose of illustrations, the interactions 500 are described to be implemented at the donor-CU 410-11, the donor-DU 410-12 and the IAB node 420-1. It should be noted that embodiments of the present disclosure can be implemented among any suitable devices.
  • the donor-CU 410-11 transmits 5005 the first data packet to the donor-DU 410-12.
  • the first data packet may be transmitted in any suitable protocols. Only for the purpose of illustrations, the first data packet is described to be transmitted in IPv6.
  • the first data packet comprises identification information which is needed by the donor DU 410-12.
  • the identification information may comprise an identity of a bearer, such as GTP-U TEID.
  • the identity of the bearer may be inserted in an optional extension header. Alternatively, the identity of the bearer may be in source addresses.
  • the identification information may comprise flow label of the first data packet.
  • the donor-CU 410-11 may map IPv6 Flow Label to GPRS Tunneling protocol tunnel endpoint identifier (GTP-U TEID).
  • the identification information may comprise a differential service code point (DSCP) which is used for quality-of-service (QoS) mapping.
  • DSCP differential service code point
  • QoS quality-of-service
  • the identification information may be any other extension headers which are only needed by the donor DU 410-12 and which are not part of the integrity protection.
  • Fig. 6 illustrates schematic diagrams of data packets according to embodiments of the present disclosure.
  • the first data packet 610 may be in transport mode and may comprise the original IP header 6010-1, the ESP header 6030-1, the original data payload 6020-1, the ESP trailer portion 6040-1 and the ESP authentication portion 6050-1.
  • the original data payload 6020-1 and the ESP trailer portion 6040-1 are encrypted.
  • the identification information may be comprised in the original IP header 6010-1.
  • the first data packet 620 may be in tunnel mode and comprise the new IP header 6060, the ESP header 6030-2, the original IP header 6010-2, the original data payload 6020-2, the ESP trailer portion 6040-2 and the ESP authentication portion 6050-2.
  • the original IP header 6010-2, the original data payload 6020-2 and the ESP trailer portion 6040-2 may be encrypted.
  • the identification information may be comprised in the new IP header 6060.
  • the donor-DU 410-12 may obtain 5010 the identification information from the first data packet.
  • the donor-DU 410-12 may obtain the identification information from the original IP header 6010-1.
  • the donor-DU 410-12 may obtain the identification information from the new IP header 6060.
  • the donor-DU 410-12 modifies 5015 the first data packet to hide the identification information.
  • the donor-DU 410-12 may remove the identification information.
  • the donor-DU 410-12 may reset the identification information.
  • the donor-DU 410-12 may set the identification information to be a predetermined value.
  • the donor-DU 410-12 may set the identification information to be all zeros. It should be noted that the identification information may be set to any suitable values.
  • the donor-DU 410-12 may generate a random value and set the identification information to be the random value. In this way, the identification information is protected, thereby improving the security of communications.
  • the donor-DU 410-12 may map 5020 the first data packet to a channel based on the flow label. For example, the donor-DU 410-12 may map the data packet to a backhaul (BH) radio link control (RLC) channel. Alternatively or in addition, the donor-DU 410-12 may map the data packet to a logical channel.
  • BH backhaul
  • RLC radio link control
  • the donor-DU 410-12 may perform 5025 the QoS mapping on the first data packet. For example, the donor-DU 410-12 may map the first data packet to a backhaul RLC channel or logical channel based on the QoS priority. The donor-DU 410-12 may map the first data packet to a backhaul RLC channel or logical channel with proper priority. The donor-DU 410-12 transmits 5030 the modified first data packet to the IAB 420-1.
  • Fig. 7 illustrates a schematic diagram of interactions 700 in accordance with embodiments of the present disclosure.
  • the interactions 700 may be implemented at any suitable devices. Only for the purpose of illustrations, the interactions 700 are described to be implemented at the donor-CU 410-11, the donor-DU 410-12 and the IAB node 420-1.
  • the IAB node 420-1 may generate the second data packet.
  • the IAB node 420-1 may generate the second data packet in transport mode.
  • the IAB node 420-1 may generate the second data packet in tunnel mode.
  • Fig. 8 illustrates schematic diagrams of data packets according to embodiments of the present disclosure.
  • the second data packet 810 may be in transport mode and may comprise the original IP header 8010-1, the ESP header 8030-1, the original data payload 8020-1, the ESP trailer portion 8040-1 and the ESP authentication portion 8050-1.
  • the original data payload 8020-1 and the ESP trailer portion 8040-1 are encrypted.
  • the second data packet 820 may be in tunnel mode and comprise the new IP header 8060, the ESP header 8030-2, the original IP header 8010-2, the original data payload 8020-2, the ESP trailer portion 8040-2 and the ESP authentication portion 8050-2.
  • the original IP header 8010-2 and the original data payload 8020-2 as well as the ESP trailer portion 8040-2 may be encrypted.
  • the IAB node 420-1 generates 7010 the first identification information.
  • the first identification information is not the actual identification information of the second data packet.
  • the IAB node 420-1 may generate a random value to be the first identification information.
  • the donor-CU 410-11 may transmit 7008 the mapping information to the IAB node 420-1.
  • the IAB node 420-1 may generate the first identification information based on the received mapping information.
  • the IAB node 420-1 adds 7012 the first identification information to the second data packet.
  • the first identification information may be in the original IP header 8010-1.
  • the first identification information may be in the new IP header 8060.
  • the IAB node 420-1 may generate 7015 the second identification information which is the actual identification information of the second data packet.
  • the IAB node 420-1 may also encrypt 7020 the second identification information and add the second information into the second data packet.
  • the second identification information may be added to the original IP header 8010-2. In this way, the traffic over the interface is difficult to analyze, thereby improving the security.
  • the IAB node 420-1 transmits 7025 the second data packet to the donor-DU 410-12.
  • the IAB node 420-1 obtains 7030 the second identification from the first identification.
  • the donor-CU 410-11 may transmit 7005 the mapping information to the donor-DU 410-12, the donor-DU 410-12 obtains the second identification from the first identification based on the mapping information.
  • the donor-CU 410-11 may configure different flow labels for UL and DL packets related to a specific UE bearer.
  • the donor-DU 410-12 may modify 7035 the second data packet to include the second identification information into the second data packet. For example, if the first information is in the original IP header 8010-1, the donor-DU 410-12 may replace the first identification information with the second identification information in the original IP header 8010-1. For example, if the first information is in the new IP header 8060, the donor-DU 410-12 may replace the first identification information with the second identification information in the new IP header 8060. The second identification in the original IP header 8010-2 may remain untouched. The donor-DU 410-12 may transmit 7040 the modified second data packet to the donor-CU 410-11.
  • Fig. 9 is a flowchart of a method 900 implemented at a donor-DU in an IAB system according to some example embodiments of the present disclosure.
  • the method can be implemented at the donor-DU 410-12 as shown in Fig. 4.
  • the method 900 will be described with reference to Fig. 4.
  • the donor-DU 410-12 receives the data packet, for instance, from the donor-CU 410-11, comprising identification information which is used by the donor-DU 410-12.
  • the data packet may be transmitted in any suitable protocols. Only for the purpose of illustrations, the data packet is described to be transmitted in IPv6.
  • the data packet comprises identification information which is dedicated to the donor DU 410-12.
  • the identification information may comprise flow label of the data packet.
  • the donor-CU 410-11 may map IPv6 Flow Label to GPRS Tunneling protocol tunnel endpoint identifier (GTP-U TEID).
  • the identification information may comprise a differential service code point (DSCP) which is used for quality-of-service (QoS) mapping.
  • DSCP differential service code point
  • QoS quality-of-service
  • the identification information may be any other extension headers which are only needed by the donor DU 410-12.
  • the donor-DU 410-12 may obtain the identification information from the data packet.
  • the donor-DU 410-12 may obtain the identification information from the original IP header.
  • the donor-DU 410-12 may obtain the identification information from the new IP header or an outer IP header.
  • the donor-DU 410-12 modifies the data packet to hide the identification information.
  • the donor-DU 410-12 may remove the identification information.
  • the donor-DU 410-12 may reset the identification information.
  • the donor-DU 410-12 may set the identification information to be a predetermined value.
  • the donor-DU 410-12 may set the identification information to be all zeros. It should be noted that the identification information may be set to any suitable values.
  • the donor-DU 410-12 may generate a random value and set the identification information to be the random value.
  • the donor-DU 410-12 transmits the modified data packet to the IAB 420-1.
  • the donor-DU 410-12 transmits the modified data packet.
  • the donor-DU 410-12 may map the data packet to a channel based on the flow label.
  • the donor-DU 410-12 may map the carrier to a backhaul (BH) radio link control (RLC) channel or logical channel.
  • the donor-DU 410-12 may transmit the mapped modified data packet to the IAB node 420-1.
  • the donor-DU 410-12 may perform the QoS mapping on the data packet. For example, the donor-DU 410-12 may map the data packet to backhaul RLC channel or logical channel according to QoS priority of the data packet. The donor-DU 410-12 may transmit the modified data packet, on which the QoS mapping has been performed, to the IAB node 420-1.
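  • Added example (not part of the patent text, not Nokia or 3GPP code): a Python sketch of the donor-DU downlink handling described for Fig. 5 and method 900. It reads the flow label and DSCP, selects a BH RLC channel, resets both fields, and checks that the ESP integrity value still verifies because ESP does not cover the preceding IP header. The key, addresses, channel tables, function names and the HMAC-SHA-256 ICV are assumptions made for illustration, and the packet is constructed.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

IPV6_HDR_LEN = 40
ESP = 50        # IPv6 Next Header value for ESP
ICV_LEN = 16    # assumption: HMAC-SHA-256 truncated to 128 bits
KEY = b"constructed-demo-integrity-key"            # constructed, not a real SA key
SRC = ipaddress.IPv6Address("2001:db8::1").packed  # donor-CU (documentation prefix)
DST = ipaddress.IPv6Address("2001:db8::2").packed  # IAB node (documentation prefix)

# Hypothetical donor-DU configuration: flow label -> BH RLC channel, DSCP -> channel.
FLOW_TO_BH_RLC = {0x12345: 3}
DSCP_TO_BH_RLC = {46: 1}
DEFAULT_BH_RLC = 0


def build_packet(dscp: int, flow_label: int, ecn: int = 0) -> bytes:
    """Constructed transport-mode packet: IPv6 header followed by ESP."""
    # SPI, sequence number and a stand-in for the encrypted payload + trailer.
    esp_body = struct.pack("!II", 0x1001, 1) + bytes(range(32))
    icv = hmac.new(KEY, esp_body, hashlib.sha256).digest()[:ICV_LEN]
    word = (6 << 28) | (dscp << 22) | (ecn << 20) | flow_label
    header = struct.pack("!IHBB", word, len(esp_body) + ICV_LEN, ESP, 64) + SRC + DST
    return header + esp_body + icv


def parse_ident(pkt: bytes) -> tuple:
    """Step 5010: read (dscp, flow_label) from the clear-text IPv6 header."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    (word,) = struct.unpack("!I", pkt[:4])
    if word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return (word >> 22) & 0x3F, word & 0xFFFFF


def hide_ident(pkt: bytes, mode: str = "zero") -> bytes:
    """Step 5015: DSCP is reset to 0, flow label to 0 or a random value.

    The version field and the two ECN bits are left as they were.
    """
    (word,) = struct.unpack("!I", pkt[:4])
    ecn = (word >> 20) & 0x3
    label = 0 if mode == "zero" else int.from_bytes(os.urandom(3), "big") & 0xFFFFF
    return struct.pack("!I", (6 << 28) | (ecn << 20) | label) + pkt[4:]


def esp_icv_ok(pkt: bytes) -> bool:
    """Receiver-side check: the ICV covers the ESP bytes only, not the IP header."""
    esp = pkt[IPV6_HDR_LEN:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def donor_du_downlink(pkt: bytes, mode: str = "zero"):
    """Read the identifiers first, pick the channel, then scrub before forwarding."""
    dscp, label = parse_ident(pkt)
    channel = FLOW_TO_BH_RLC.get(label, DSCP_TO_BH_RLC.get(dscp, DEFAULT_BH_RLC))
    return channel, hide_ident(pkt, mode)


if __name__ == "__main__":
    original = build_packet(dscp=46, flow_label=0x12345)
    channel, forwarded = donor_du_downlink(original)
    print("BH RLC channel:", channel)
    print("before:", parse_ident(original), "after:", parse_ident(forwarded))
    print("ESP ICV still valid:", esp_icv_ok(forwarded))
```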
  • Fig. 10 is a flowchart of a method 1000 implemented at a donor-DU in an IAB system according to some example embodiments of the present disclosure.
  • the method can be implemented at the donor-DU 410-12 as shown in Fig. 4.
  • the method 1000 will be described with reference to Fig. 4.
  • the donor-DU 410-12 receives a data packet from the IAB node 420-1.
  • the data packet comprises the first identification information of the data packet.
  • the data packet may be in transport mode and may comprise the original IP header, the ESP header, the original data payload, the ESP trailer portion and the ESP authentication portion.
  • the original data payload 8020-1 and the ESP trailer portion 8040-1 are encrypted.
  • the data packet may be in tunnel mode and comprise the new IP header, the ESP header, the original IP header, the original data payload, the ESP trailer portion and the ESP authentication portion.
  • the original IP header and the original data payload as well as the ESP trailer may be encrypted.
  • the donor-DU 410-12 obtains the second identification information from the first identification.
  • the donor-CU 410-11 may transmit the mapping information to the donor-DU 410-12, the donor-DU 410-12 obtains the second identification from the first identification based on the mapping information.
  • the donor-CU 410-11 may configure different flow labels for UL and DL packets related to a specific UE bearer.
  • the donor-DU 410-12 may modify the data packet to include the second identification information into the data packet. For example, if the first information is in the original IP header, the donor-DU 410-12 may replace the first identification information with the second identification information in the original IP header. For example, if the first information is in the new IP header 8060, the donor-DU 410-12 may replace the first identification information with the second identification information in the new IP header. The second identification in the original IP header 8010-2 may remain untouched.
  • the donor-DU 410-12 transmits the data packet to the donor-CU 410-11.
  • the data packet comprises the second identification information.
  • Fig. 11 is a flowchart of a method 1100 implemented at an IAB node in an IAB system according to some example embodiments of the present disclosure.
  • the method can be implemented at the IAB node 420-1 as shown in Fig. 4.
  • the method 1100 will be described with reference to Fig. 4.
  • the IAB node 420-1 may generate the data packet.
  • the IAB node 420-1 may generate the data packet in transport mode.
  • the IAB node 420-1 may generate the data packet in tunnel mode.
  • the data packet may be in transport mode and may comprise the original IP header, the ESP header, the original data payload, the ESP trailer portion and the ESP authentication portion.
  • the original data payload and the ESP trailer portion are encrypted.
  • the data packet may be in tunnel mode and comprise the new IP header, the ESP header, the original IP header, the original data payload, the ESP trailer portion and the ESP authentication portion.
  • the original IP header and the original data payload as well as the ESP trailer may be encrypted.
  • the IAB node 420-1 generates the first identification information.
  • the first identification information is not the actual identification information of the data packet.
  • the IAB node 420-1 may generate a random value to be the first identification information.
  • the donor-CU 410-11 may transmit the mapping information to the IAB node 420-1.
  • the IAB node 420-1 may generate the first identification information based on the received mapping information.
  • the IAB node 420-1 adds the first identification information to the data packet.
  • the first identification information may be in the original IP header.
  • the first identification information may be in the new IP header.
  • the IAB node 420-1 may generate the second identification information which is the actual identification information of the data packet.
  • the IAB node 420-1 may also add the second information into the data packet and encrypt the second identification information.
  • the second identification information may be added to the original IP header.
  • the second identification information comprises at least one of: a flow label and a differential service code point. In this way, the traffic over the interface is difficult to analyze, thereby improving the security.
  • the IAB node 420-1 transmits the data packet to the donor-DU 410-12.
  • an apparatus for performing the method 900 may comprise respective means for performing the corresponding steps in the method 900.
  • These means may be implemented in any suitable manners. For example, it can be implemented by circuitry or software modules.
  • the apparatus comprises: means for receiving a data packet from a second device to the first device, the data packet comprising identification information which is used by the first device for processing the data packet; means for modifying the data packet to exclude the identification information; and means for transmitting the modified data packet to a third device.
  • the identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
  • the means for transmitting the modified data packet comprises: means for mapping the modified data packet to a channel based on the identification information; and means for transmitting the mapped modified data packet to the third device.
  • the means for modifying the data packet to exclude the identification information comprises: means for removing the identification information from the data packet.
  • the means for modifying the data packet to exclude the identification information comprises: means for setting the identification information to be a predetermined value or a randomly generated value.
  • the first network device is a donor distributed unit
  • the second network device is a donor centralized unit
  • the third network device is an integrated access and backhaul (IAB) node.
  • an apparatus for performing the method 1000 may comprise respective means for performing the corresponding steps in the method 1000.
  • These means may be implemented in any suitable manners. For example, it can be implemented by circuitry or software modules.
  • the apparatus comprises: means for receiving a data packet from a third device to the first device, the data packet comprising first identification information of the data packet; means for obtaining second identification information of the data packet from the first identification information based on mapping information received from a second device; and means for transmitting the data packet to the second device, the data packet comprising the second identification information.
  • the second identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
  • the first device is a donor distributed unit
  • the second device is a donor centralized unit
  • the third device is an integrated access and backhaul (IAB) node.
  • an apparatus for performing the method 1100 may comprise respective means for performing the corresponding steps in the method 1100.
  • These means may be implemented in any suitable manners. For example, it can be implemented by circuitry or software modules.
  • the program 1230 may be tangibly contained in a computer readable medium which may be included in the device 1200 (such as in the memory 1220) or other storage devices that are accessible by the device 1200.
  • the device 1200 may load the program 1230 from the computer readable medium to the RAM 1222 for execution.
  • the computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like.
  • Fig. 13 shows an example of the computer readable medium 1300 in form of CD or DVD.
  • the computer readable medium has the program 1230 stored thereon.
  • various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
  • the present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium.
  • the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the methods 900 to 1100 as described above with reference to Figs. 9-11.
  • program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
  • the functionality of the program modules may be combined or split between program modules as desired in various embodiments.
  • Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
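
The donor-DU handling that methods 900 and 1000 describe above can be sketched as follows. This is an added illustration, not code from the patent: the function names, the `channel_map` and `alias_map` tables, the channel name and the sample packet are assumptions constructed for the example, and the first identification is assumed to travel in the outer IPv6 flow label.

```python
import ipaddress
import secrets
import struct

IPV6_HDR_LEN = 40
NEXT_HEADER_ESP = 50  # IPv6 Next Header value for ESP


def build_packet(dscp, flow_label, payload, ecn=0):
    """Build a constructed IPv6 packet; the payload stands in for ESP data."""
    word = (6 << 28) | (dscp << 22) | (ecn << 20) | flow_label
    src = ipaddress.IPv6Address("2001:db8::1").packed  # documentation prefix
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    fixed = struct.pack("!IHBB", word, len(payload), NEXT_HEADER_ESP, 64)
    return fixed + src + dst + payload


def read_ident(packet):
    """Return (dscp, flow_label) from the outer IPv6 header."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    (word,) = struct.unpack("!I", packet[:4])
    return (word >> 22) & 0x3F, word & 0xFFFFF


def write_ident(packet, dscp, flow_label):
    """Rewrite DSCP and flow label; ECN bits and every later byte are kept.

    ESP's integrity check covers the ESP header onward, not the IP header
    in front of it, so rewriting these fields leaves the ICV valid.
    """
    (word,) = struct.unpack("!I", packet[:4])
    ecn = (word >> 20) & 0x3
    word = (6 << 28) | ((dscp & 0x3F) << 22) | (ecn << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!I", word) + packet[4:]


def donor_du_downlink(packet, channel_map, mode="zero", fixed=(0, 0)):
    """Method 900: use the identification for channel mapping, then hide it.

    channel_map is a hypothetical table {(dscp, flow_label): channel name}.
    Returns (channel, modified packet).
    """
    ident = read_ident(packet)
    channel = channel_map.get(ident)
    if channel is None:
        raise LookupError("no BH RLC channel configured for this identification")
    if mode == "zero":        # set to all zeros
        hidden = (0, 0)
    elif mode == "fixed":     # set to a predetermined value
        hidden = fixed
    elif mode == "random":    # set to a randomly generated value
        hidden = (secrets.randbelow(1 << 6), secrets.randbelow(1 << 20))
    else:
        raise ValueError(f"unknown mode: {mode}")
    return channel, write_ident(packet, *hidden)


def donor_du_uplink(packet, alias_map):
    """Method 1000: replace the first identification with the second one.

    alias_map is a hypothetical form of the mapping information sent by the
    donor-CU: {first identification: (dscp, flow_label)}.
    """
    _, first_ident = read_ident(packet)
    second_ident = alias_map.get(first_ident)
    if second_ident is None:
        # Unknown alias: refuse to forward rather than guess an identification.
        raise LookupError("first identification not in mapping information")
    return write_ident(packet, *second_ident)


if __name__ == "__main__":
    esp_blob = bytes(range(24))  # constructed stand-in for encrypted ESP data
    downlink = build_packet(46, 0x12345, esp_blob)
    channel, sent = donor_du_downlink(downlink, {(46, 0x12345): "BH-RLC-CH-1"})
    print(channel, read_ident(sent))

    uplink = build_packet(0, 0xABCDE, esp_blob)
    restored = donor_du_uplink(uplink, {0xABCDE: (46, 0x12345)})
    print(read_ident(restored))
```
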

Abstract

Embodiments of the present disclosure relate to a mechanism for improving security of the communication system. According to embodiments of the present disclosure, the donor-DU removes/resets identification information (for example, flow label or DSCP) from the data packet to protect the identification information, thereby improving the security of communications.

Description

MECHANISM FOR IMPROVING SECURITY OF COMMUNICATION SYSTEM
FIELD
Embodiments of the present disclosure generally relate to the field of communications and in particular, to a method, device, apparatus and computer readable storage medium for improving security of the communication system.
BACKGROUND
In the communication field, several new communication technologies have recently been proposed. The 3rd Generation Partnership Project (3GPP) determines standards and specifications for new radio (NR) Integrated Access and Backhaul (IAB) (e.g., via TR38.874). Various layer 2 (“L2”) and layer 3 (“L3”) based solutions have been proposed. In the L2-based solutions, an IAB node contains a distributed unit (DU) and packets are forwarded by the radio layers below the packet data convergence protocol (PDCP) layer. In the L3-based solutions, an IAB node contains a DU and/or a gNB, and packets are forwarded at layers above the PDCP layer. In both cases, intermediate IAB nodes perform hop-by-hop routing to maintain connectivity between a serving IAB node for a terminal device and an IAB donor that has a non-wireless connection to upstream nodes.
SUMMARY
Generally, embodiments of the present disclosure relate to a method for improving security of the communication system and the corresponding communication devices.
In a first aspect, there is provided a first device. The first device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to receive a data packet from a second device to the first device, the data packet comprising identification information which is used by the first device for processing the data packet. The first device is also caused to modify the data packet to exclude the identification information. The first device is further caused to transmit the modified data packet to a third device.
In a second aspect, there is provided a first device. The first device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to receive a data packet from a third device to the first device, the data packet comprising first identification information of the data packet. The first device is further caused to obtain second identification information of the data packet from the first identification information based on mapping information received from a second device. The first device is also caused to transmit the data packet to the second device, the data packet comprising the actual further identification information.
In a third aspect, there is provided a third device. The third device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the third device to generate, at the third device, first identification information of a data packet based on mapping information received from a second device. The third device is further caused to add the first identification into the data packet. The third device is also caused to transmit the data packet to a first device, the transmitting data packet comprising the first identification information such that the first device determines second identification from the first identification.
In a fourth aspect, there is provided a method. The method comprises receiving a data packet from a second device to a first device, the data packet comprising identification information which is used by the first device for processing the data packet. The method also comprises modifying the data packet to exclude the identification information. The method further comprises transmitting the modified data packet to a third device.
In a fifth aspect, there is provided a method. The method comprises receiving a data packet from a third device to a first device, the data packet comprising first identification information of the data packet. The method also comprises obtaining second identification information of the data packet from the first identification information based on mapping information received from a second device. The method further comprises transmitting the data packet to the second device, the data packet comprising the second identification information.
In a sixth aspect, there is provided a method. The method comprises generating, at a third device, first identification information of a data packet based on mapping information received from a second device. The method also comprises adding the first identification into the data packet. The method further comprises transmitting the data packet to a first device, the transmitting data packet comprising the first identification information such that the first device determines second identification from the first identification.
In a seventh aspect, there is provided an apparatus. The apparatus comprises means for receiving a data packet from a second device to a first device, the data packet comprising identification information which is used by the donor distributed unit for processing the data packet. The apparatus also comprises means for modifying the data packet to exclude the identification information. The apparatus further comprises means for transmitting the modified data packet to a third device.
In an eighth aspect, there is provided an apparatus. The apparatus comprises means for receiving a data packet from a third device to a first device, the data packet comprising first identification information of the data packet. The apparatus also comprises means for obtaining second identification information of the data packet from the first identification information based on mapping information received from a second device. The apparatus further comprises means for transmitting the data packet to the second device, the data packet comprising the second identification information.
In a ninth aspect, there is provided an apparatus. The apparatus comprises means for generating, at a third device, first identification information of a data packet based on mapping information received from a second device. The apparatus also comprises means for adding the first identification into the data packet. The apparatus further comprises means for transmitting the data packet to a first device, the transmitting data packet comprising the first identification information such that the first device determines second identification from the first identification.
In a tenth aspect, there is provided a non-transitory computer readable medium comprising program instructions for causing an apparatus to perform at least the method according to any one of the above fourth to sixth aspects.
It is to be understood that the summary section is not intended to identify key or essential features of embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will become easily comprehensible through the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
Some example embodiments will now be described with reference to the accompanying drawings, where:
Fig. 1 illustrates schematic diagrams of structures of data packets;
Fig. 2 illustrates a schematic diagram of an IAB architecture with CU-DU split;
Fig. 3 illustrates a schematic diagram of a protocol architecture for the IAB;
Fig. 4 illustrates a schematic diagram of a communication system according to embodiments of the present disclosure;
Fig. 5 illustrates a schematic diagram of interactions among devices according to embodiments of the present disclosure;
Fig. 6 illustrates schematic diagrams of structures of data packets according to embodiments of the present disclosure;
Fig. 7 illustrates a schematic diagram of interactions among devices according to embodiments of the present disclosure;
Fig. 8 illustrates schematic diagrams of structures of data packets according to embodiments of the present disclosure;
Fig. 9 illustrates a flow chart of a method implemented at a network device according to embodiments of the present disclosure;
Fig. 10 illustrates a flow chart of a method implemented at a device according to embodiments of the present disclosure;
Fig. 11 illustrates a flow chart of a method implemented at a device according to embodiments of the present disclosure;
Fig. 12 illustrates a schematic diagram of a device according to embodiments of the present disclosure; and
Fig. 13 shows an example computer readable medium in accordance with some embodiments of the present disclosure.
Throughout the drawings, the same or similar reference numerals represent the same or similar element.
DETAILED DESCRIPTION
The principle of the present disclosure will now be described with reference to some example embodiments. It is to be understood that these embodiments are described only for the purpose of illustration and to help those skilled in the art to understand and implement the present disclosure, without suggesting any limitation as to the scope of the disclosure. The disclosure described herein can be implemented in various manners other than the ones described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
References in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It shall be understood that although the terms “first” and “second” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “has”, “having”, “includes” and/or “including”, when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof.
As used in this application, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable):
(i) a combination of analog and/or digital hardware circuit(s) with software/firmware and
(ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions) and
(c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
As used herein, the term “communication network” refers to a network following any suitable communication standards, such as Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on. Furthermore, the communications between a user equipment and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the fifth generation (5G) communication protocols, and/or any other protocols either currently known or to be developed in the future. Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
As used herein, the term “network device” refers to a node in a communication network via which a user equipment accesses the network and receives services therefrom. The network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), a NR NB (also referred to as a gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, a low power node such as a femto, a pico, and so forth, depending on the applied terminology and technology. The network device may refer to a gNB distributed unit (gNB-DU) or a gNB centralized unit (gNB-CU) or an Integrated Access and Backhaul node (IAB-node) or an IAB-node DU.
The term “terminal device” refers to any end device that may be capable of wireless communication. By way of example rather than limitation, a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT). The terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and/or industrial wireless networks, and the like. In the following description, the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
Fig. 1 illustrates schematic diagrams of structures of data packets. The conventional data packet may comprise an original IP header 1010 and an original data payload 1020. A technology of internet protocol security (IPsec) has been proposed. The IPsec is a secure network protocol suite that authenticates and encrypts the packets of data sent over an internet protocol network. There may be two IPsec modes: transport mode and tunnel mode. The data packet in transport mode 110 may have the original IP header 1010, an Encapsulating Security Payload (ESP) header 1030, the original data payload 1020, an ESP trailer portion 1040 and an ESP authentication portion 1050. Transport mode provides a secure connection between two endpoints by encapsulating IP payload into security header. The original data payload 1020 and the ESP trailer portion 1040 have been encrypted.
The data packet in tunnel mode 120 may comprise a new IP header 1060, the ESP header 1030, the original IP header 1010, the original data 1020, the ESP trailer portion 1040 and the ESP authentication portion 1050. As shown, in tunnel mode, the entire original IP packet is secured, including the original IP header 1010 and the new IP header 1060 is created for tunnel routing information. Transport mode is used between end nodes, while tunnel mode is typically used together with security gateways. Tunnel mode can be used also between end nodes.
Fig. 2 illustrates a schematic diagram of IAB architecture with CU-DU split. The IAB-node 210 hosts Mobile Termination (MT) part 2020 and Distributed Unit (DU) part 2010. The MT part 2020 has UE functionality and connects to the parent node DU. The parent node can be either IAB-donor or another IAB-node 220. Backhaul Radio Link Control (RLC) channel(s) are set up between the MT part 2020/2040 and the parent node's DU part 2050, and an adaptation layer called Backhaul Adaptation Protocol (BAP) is agreed to be on top of the RLC layer. The IAB-node DU 2030 part connects to the IAB-donor CU 2060 with F1 interface which is enhanced to support IAB functions. F1 packets (GTP-U/UDP/IP for user plane (UP) and F1AP/SCTP/IP for control plane (CP)) are transported on top of the adaptation layer. IAB thus implements L2 relaying. An IAB node represents a co-located resource providing NR access coverage and backhauling over the air interface. As such, an IAB node may take on both the personality of UE (MT part) for transferring backhaul traffic or that of gNB (or gNB-DU) serving connected UEs and forwarding backhaul traffic to the next hop.
Fig. 3 shows an example protocol stack for the user plane. Currently, 3GPP is working on NR Integrated Access and Backhaul (as discussed in 3GPP technical report (TR) 38.874). Among all IAB architectures under consideration, there is one called Architecture 1a which has been defined.
According to embodiments of the present disclosure, the donor-DU removes/resets identification information (for example, flow label or DSCP) from the data packet to protect the identification information, thereby improving the security of communications.
FIG. 4 shows an example IAB system 400 in which example embodiments of the present disclosure can be implemented. The IAB system 400 includes an IAB donor 410 and IAB nodes 420-1, 420-2, 420-3, ..., 420-N (where N is a suitable integer number) underneath the IAB donor 110. The IAB nodes 420-1, 420-2, 420-3, ..., 420-N may be collectively referred to as IAB node 420. It should be noted that embodiments of the present disclosure can be implemented in any suitable systems. Only for the purpose of illustrations, embodiments of the present disclosure are described to be implemented in the IAB system.
The IAB donor 410 may be implemented as a gNB that terminates wireless backhaul radio interface from one or more IAB nodes. The IAB donor 410 has wired/fiber connectivity with a core network. The IAB donor 410 may include a central unit (CU) 410-11 and one or more DUs. FIG. 4 shows that the IAB donor 410 includes a DU 410-12 by way of example. Hereinafter, the CU of the IAB donor is also referred to as Donor-CU or donor central unit; and the DU of the IAB donor is also referred to as Donor-DU or donor distributed unit.
A CU (such as Donor-CU or CU of an IAB node) may be a logical node which may include the functions (for example, gNB functions) such as transfer of user data, mobility control, radio access network sharing, positioning, session management etc., except those functions allocated exclusively to DUs. The CU may control the operation of the DUs over a front-haul (F1) interface. A DU is a logical node which may include a subset of the functions (for example, gNB functions), depending on the functional split option. The operations of the DUs may be controlled by the CU.
It is to be understood that the number of IAB nodes and terminal devices connected to the IAB nodes is only for the purpose of illustration without suggesting any limitations. The IAB system may include any suitable number of IAB nodes and terminal devices adapted for implementing example embodiments of the present disclosure.
It is to be understood that the numbers of CU, DU and the IAB nodes are only for the purpose of illustration without suggesting any limitations. The system 400 may include any suitable number of network devices and terminal devices adapted for implementing embodiments of the present disclosure.
Communications in the communication system 400 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G) and the fifth generation (5G) and the like, wireless local network communication protocols such as Institute of Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future. Moreover, the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), Discrete Fourier Transform spread OFDM (DFT-s-OFDM) and/or any other technologies currently known or to be developed in the future.
Fig. 5 illustrates a schematic diagram of interactions 500 in accordance with embodiments of the present disclosure. The interactions 500 may be implemented at any suitable devices. Only for the purpose of illustrations, the interactions 500 are described to be implemented at the donor-CU 410-11, the donor-DU 410-12 and the IAB node 420-1. It should be noted that embodiments of the present disclosure can be implemented among any suitable devices.
The donor-CU 410-11 transmits 5005 the first data packet to the donor-DU 410-12. It should be noted that the first data packet may be transmitted in any suitable protocols. Only for the purpose of illustration, the first data packet is described as transmitted in IPv6. The first data packet comprises identification information which is needed by the donor-DU 410-12. The identification information may comprise an identity of a bearer, such as GTP-U TEID. The identity of the bearer may be inserted in an optional extension header. Alternatively, the identity of the bearer may be in source addresses. For example, the identification information may comprise a flow label of the first data packet. In some embodiments, the donor-CU 410-11 may map IPv6 Flow Label to GPRS Tunneling Protocol tunnel endpoint identifier (GTP-U TEID). Alternatively or in addition, the identification information may comprise a differential service code point (DSCP) which is used for quality-of-service (QoS) mapping. In some embodiments, the identification information may be any other extension headers which are only needed by the donor-DU 410-12 and which are not part of the integrity protection.
Fig. 6 illustrates schematic diagrams of data packets according to embodiments of the present disclosure. In some embodiments, the first data packet 610 may be in transport mode and may comprise the original IP header 6010-1, the ESP header 6030-1, the original data payload 6020-1, the ESP trailer portion 6040-1 and the ESP authentication portion 6050-1. The original data payload 6020-1 and the ESP trailer portion 6040-1 are encrypted. In this situation, the identification information may be comprised in the original IP header 6010-1.
In other embodiments, the first data packet 620 may be in tunnel mode and comprise the new IP header 6060, the ESP header 6030-2, the original IP header 6010-2, the original data payload 6020-2, the ESP trailer portion 6040-2 and the ESP authentication portion 6050-2. The original IP header 6010-2, the original data payload 6020-2 and the ESP trailer portion 6040-2 may be encrypted. In this situation, the identification information may be comprised in the new IP header 6060.
The donor-DU 410-12 may obtain 5010 the identification information from the first data packet. For example, the donor-DU 410-12 may obtain the identification information from the original IP header 6010-1. Alternatively, the donor-DU 410-12 may obtain the identification information from the new IP header 6060.
The donor-DU 410-12 modifies 5015 the first data packet to hide the identification information. The donor-DU 410-12 may remove the identification information. Alternatively, the donor-DU 410-12 may reset the identification information. The donor-DU 410-12 may set the identification information to be a predetermined value. For example, the donor-DU 410-12 may set the identification information to be all zeros. It should be noted that the identification information may be set to any suitable values. In other embodiments, the donor-DU 410-12 may generate a random value and set the identification information to be the random value. In this way, the identification information is protected, thereby improving the security of communications.
In some embodiments, if the identification information is the flow label, the donor-DU 410-12 may map 5020 the first data packet to a channel based on the flow label. For example, the donor-DU 410-12 may map the data packet to a backhaul (BH) radio link control (RLC) channel. Alternatively or in addition, the donor-DU 410-12 may map the data packet to a logical channel.
In some embodiments, if the identification information is the DSCP, the donor-DU 410-12 may perform 5025 the QoS mapping on the first data packet. For example, the donor-DU 410-12 may map the first data packet to a backhaul RLC channel or logical channel based on the QoS priority. The donor-DU 410-12 may map the first data packet to a backhaul RLC channel or logical channel with proper priority. The donor-DU 410-12 transmits 5030 the modified first data packet to the IAB node 420-1.
Fig. 7 illustrates a schematic diagram of interactions 700 in accordance with embodiments of the present disclosure. The interactions 700 may be implemented at any suitable devices. Only for the purpose of illustrations, the interactions 700 are described to be implemented at the donor-CU 410-11, the donor-DU 410-12 and the IAB node 420-1.
The IAB node 420-1 may generate the second data packet. For example, the IAB node 420-1 may generate the second data packet in transport mode. Alternatively, the IAB node 420-1 may generate the second data packet in tunnel mode. Fig. 8 illustrates schematic diagrams of data packets according to embodiments of the present disclosure. In some embodiments, the second data packet 810 may be in transport mode and may comprise the original IP header 8010-1, the ESP header 8030-1, the original data payload 8020-1, the ESP trailer portion 8040-1 and the ESP authentication portion 8050-1. The original data payload 8020-1 and the ESP trailer portion 8040-1 are encrypted.
In other embodiments, the second data packet 820 may be in tunnel mode and comprise the new IP header 8060, the ESP header 8030-2, the original IP header 8010-2, the original data payload 8020-2, the ESP trailer portion 8040-2 and the ESP authentication portion 8050-2. The original IP header 8010-2 and the original data payload 8020-2 as well as the ESP trailer portion 8040-2 may be encrypted.
The IAB node 420-1 generates 7010 the first identification information. The first identification information is not the actual identification information of the second data packet. In some embodiments, the IAB node 420-1 may generate a random value to be the first identification information. In other embodiments, the donor-CU 410-11 may transmit 7008 the mapping information to the IAB node 420-1. In some embodiments, the IAB node 420-1 may generate the first identification information based on the received mapping information.
The IAB node 420-1 adds 7012 the first identification information to the second data packet. In some embodiments, the first identification information may be in the original IP header 8010-1. Alternatively, the first identification information may be in the new IP header 8060.
In some embodiments, the IAB node 420-1 may generate 7015 the second identification information which is the actual identification information of the second data packet. The IAB node 420-1 may also encrypt 7020 the second identification information and add the second information into the second data packet. For example, the second identification information may be added to the original IP header 8010-2. In this way, the traffic over the interface is difficult to analyze, thereby improving the security.
The IAB node 420-1 transmits 7025 the second data packet to the donor-DU 410-12. The IAB node 420-1 obtains 7030 the second identification from the first identification. For example, the donor-CU 410-11 may transmit 7005 the mapping information to the donor-DU 410-12, and the donor-DU 410-12 obtains the second identification from the first identification based on the mapping information. In some embodiments, the donor-CU 410-11 may configure different flow labels for UL and DL packets related to a specific UE bearer.
In some embodiments, the donor-DU 410-12 may modify 7035 the second data packet to include the second identification information into the second data packet. For example, if the first information is in the original IP header 8010-1, the donor-DU 410-12 may replace the first identification information with the second identification information in the original IP header 8010-1. For example, if the first information is in the new IP header 8060, the donor-DU 410-12 may replace the first identification information with the second identification information in the new IP header 8060. The second identification in the original IP header 8010-2 may remain untouched. The donor-DU 410-12 may transmit 7040 the modified second data packet to the donor-CU 410-11.
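The two donor-DU behaviours described above (hiding the flow label and DSCP on the downlink of Fig. 5, and restoring the actual identifiers from the first identification information on the uplink of Fig. 7) can be sketched as follows. This is an added example, not code from the patent or from any 3GPP implementation; the function names, the table formats (`dl_channels`, `ul_map`), the channel name and the sample packet bytes are assumptions made for illustration.

```python
import secrets
import struct

ESP = 50               # IPv6 Next Header value for ESP
FLOW_MASK = 0xFFFFF    # the IPv6 flow label is 20 bits wide

def build_ipv6(dscp, flow_label, payload):
    """Constructed sample packet: 40-byte IPv6 header followed by ESP bytes."""
    word0 = (6 << 28) | ((dscp & 0x3F) << 22) | (flow_label & FLOW_MASK)
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")   # documentation prefix
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", word0, len(payload), ESP, 64) + src + dst + payload

def read_ids(packet):
    """Return (dscp, flow_label) from the outermost IPv6 header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    (word0,) = struct.unpack_from("!I", packet)
    return (word0 >> 22) & 0x3F, word0 & FLOW_MASK

def write_ids(packet, dscp, flow_label):
    """Rewrite DSCP and flow label only. The ECN bits and every byte after the
    first 32-bit word are kept, so the ESP header, ciphertext and ICV are
    untouched (ESP integrity protection does not cover the preceding IP header)."""
    (word0,) = struct.unpack_from("!I", packet)
    ecn = word0 & (0x3 << 20)
    word0 = (6 << 28) | ((dscp & 0x3F) << 22) | ecn | (flow_label & FLOW_MASK)
    return struct.pack("!I", word0) + packet[4:]

def donor_du_downlink(packet, dl_channels, hide="zero"):
    """Fig. 5: obtain the identifiers, map to a channel, hide them, forward.
    dl_channels is a hypothetical table {(flow_label, dscp): channel name}."""
    dscp, flow = read_ids(packet)
    channel = dl_channels.get((flow, dscp))
    if channel is None:
        return None, None             # fail closed: do not forward with identifiers intact
    if hide == "zero":
        new_flow = 0                  # predetermined value (all zeros)
    elif hide == "random":
        new_flow = flow
        while new_flow == flow:       # a random draw can equal the real label; redraw
            new_flow = secrets.randbelow(FLOW_MASK + 1)
    else:
        raise ValueError("unknown hide mode: " + hide)
    return channel, write_ids(packet, 0, new_flow)

def iab_node_uplink(esp_bytes, flow, dscp, ul_map):
    """Fig. 7, IAB node side: send the first identification (an alias), never the
    actual label. ul_map is hypothetical mapping information from the donor-CU,
    in the form {alias_flow_label: (actual_flow_label, actual_dscp)}."""
    for alias, actual in ul_map.items():
        if actual == (flow, dscp) and alias != flow:
            return build_ipv6(0, alias, esp_bytes)
    raise KeyError("no usable alias configured for this flow")

def donor_du_uplink(packet, ul_map):
    """Fig. 7, donor-DU side: replace the alias with the actual identifiers
    before forwarding to the donor-CU. Unknown aliases are dropped."""
    _, alias = read_ids(packet)
    actual = ul_map.get(alias)
    if actual is None:
        return None
    flow, dscp = actual
    return write_ids(packet, dscp, flow)

# Constructed sample input: ESP SPI, sequence number, then opaque ciphertext and ICV.
SAMPLE_ESP = bytes.fromhex("00001001" "00000001") + b"\xaa" * 24
SAMPLE_DL = build_ipv6(46, 0x12345, SAMPLE_ESP)
SAMPLE_DL_CHANNELS = {(0x12345, 46): "BH-RLC-1"}
SAMPLE_UL_MAP = {0x0A0A0: (0x54321, 34)}

if __name__ == "__main__":
    channel, hidden = donor_du_downlink(SAMPLE_DL, SAMPLE_DL_CHANNELS)
    print("downlink:", channel, read_ids(hidden))
    uplink = iab_node_uplink(SAMPLE_ESP, 0x54321, 34, SAMPLE_UL_MAP)
    print("on the backhaul:", read_ids(uplink))
    print("toward donor-CU:", read_ids(donor_du_uplink(uplink, SAMPLE_UL_MAP)))
```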
Fig. 9 is a flowchart of a method 900 implemented at a donor-DU in an IAB system according to some example embodiments of the present disclosure. The method can be implemented at the donor-DU 410-12 as shown in Fig. 4. For the purpose of discussion, the method 900 will be described with reference to Fig. 4.
At block 910, the donor-DU 410-12 receives the data packet, for instance, from the donor-CU 410-11, comprising identification information which is used by the donor-DU 410-12. It should be noted that the data packet may be transmitted in any suitable protocols. Only for the purpose of illustration, the data packet is described as transmitted in IPv6. The data packet comprises identification information which is dedicated to the donor-DU 410-12. For example, the identification information may comprise a flow label of the data packet. In some embodiments, the donor-CU 410-11 may map IPv6 Flow Label to GPRS Tunneling Protocol tunnel endpoint identifier (GTP-U TEID). Alternatively or in addition, the identification information may comprise a differential service code point (DSCP) which is used for quality-of-service (QoS) mapping. In some embodiments, the identification information may be any other extension headers which are only needed by the donor-DU 410-12.
The donor-DU 410-12 may obtain the identification information from the data packet. For example, the donor-DU 410-12 may obtain the identification information from the original IP header. Alternatively, the donor-DU 410-12 may obtain the identification information from the new IP header or an outer IP header.
At block 920, the donor-DU 410-12 modifies the data packet to hide the identification information. The donor-DU 410-12 may remove the identification information. Alternatively, the donor-DU 410-12 may reset the identification information. The donor-DU 410-12 may set the identification information to be a predetermined value. For example, the donor-DU 410-12 may set the identification information to be all zeros. It should be noted that the identification information may be set to any suitable values.
In other embodiments, the donor-DU 410-12 may generate a random value and set the identification information to be the random value. The donor-DU 410-12 transmits the modified data packet to the IAB 420-1.
At block 930, the donor-DU 410-12 transmits the modified data packet. In some embodiments, if the identification information is the flow label, the donor-DU 410-12 may map the data packet to a channel based on the flow label. In some embodiments, the donor-DU 410-12 may map the carrier to a backhaul (BH) radio link control (RLC) channel or logical channel. The donor-DU 410-12 may transmit the mapped modified data packet to the IAB node 420-1.
In some embodiments, if the identification information is the DSCP, the donor-DU 410-12 may perform the QoS mapping on the data packet. For example, the donor-DU 410-12 may map the data packet to a backhaul RLC channel or logical channel according to the QoS priority of the data packet. The donor-DU 410-12 may transmit the modified data packet, on which the QoS mapping has been performed, to the IAB node 420-1.
Fig. 10 is a flowchart of a method 1000 implemented at a donor-DU in an IAB system according to some example embodiments of the present disclosure. The method can be implemented at the donor-DU 410-12 as shown in Fig. 4. For the purpose of discussion, the method 1000 will be described with reference to Fig. 4.
At block 1010, the donor-DU 410-12 receives a data packet from the IAB node 420-1. The data packet comprises the first identification information of the data packet. In some embodiments, the data packet may be in transport mode and may comprise the original IP header, the ESP header, the original data payload, the ESP trailer portion and the ESP authentication portion. The original data payload 8020-1 and the ESP trailer portion 8040-1 are encrypted.
In other embodiments, the data packet may be in tunnel mode and comprise the new IP header, the ESP header, the original IP header, the original data payload, the ESP trailer portion and the ESP authentication portion. The original IP header and the original data payload as well as the ESP trailer may be encrypted.
At block 1020, the donor-DU 410-12 obtains the second identification information from the first identification. For example, the donor-CU 410-11 may transmit the mapping information to the donor-DU 410-12, and the donor-DU 410-12 obtains the second identification from the first identification based on the mapping information. In some embodiments, the donor-CU 410-11 may configure different flow labels for UL and DL packets related to a specific UE bearer.
In some embodiments, the donor-DU 410-12 may modify the data packet to include the second identification information into the data packet. For example, if the first information is in the original IP header, the donor-DU 410-12 may replace the first identification information with the second identification information in the original IP header. For example, if the first information is in the new IP header 8060, the donor-DU 410-12 may replace the first identification information with the second identification information in the new IP header. The second identification in the original IP header 8010-2 may remain untouched.
At block 1030, the donor-DU 410-12 transmits the data packet to the donor-CU 410-11. The data packet comprises the second identification information.
Fig. 11 is a flowchart of a method 1100 implemented at an IAB node in an IAB system according to some example embodiments of the present disclosure. The method can be implemented at the IAB node 420-1 as shown in Fig. 4. For the purpose of discussion, the method 1100 will be described with reference to Fig. 4.
In some embodiments, the IAB node 420-1 may generate the data packet. For example, the IAB node 420-1 may generate the data packet in transport mode. Alternatively, the IAB node 420-1 may generate the data packet in tunnel mode.
In some embodiments, the data packet may be in transport mode and may comprise the original IP header, the ESP header, the original data payload, the ESP trailer portion and the ESP authentication portion. The original data payload and the ESP trailer portion are encrypted.
In other embodiments, the data packet may be in tunnel mode and comprise the new IP header, the ESP header, the original IP header, the original data payload, the ESP trailer portion and the ESP authentication portion. The original IP header and the original data payload as well as the ESP trailer may be encrypted.
At block 1110, the IAB node 420-1 generates the first identification information. The first identification information is not the actual identification information of the data packet. In some embodiments, the IAB node 420-1 may generate a random value to be the first identification information. In other embodiments, the donor-CU 410-11 may transmit the mapping information to the IAB node 420-1. In some embodiments, the IAB node 420-1 may generate the first identification information based on the received mapping information.
At block 1120, the IAB node 420-1 adds the first identification information to the data packet. In some embodiments, the first identification information may be in the original IP header. Alternatively, the first identification information may be in the new IP header.
In some embodiments, the IAB node 420-1 may generate the second identification information which is the actual identification information of the data packet. The IAB node 420-1 may also add the second information into the data packet and encrypt the second identification information. For example, the second identification information may be added to the original IP header. The second identification information comprises at least one of: a flow label and a differential service code point. In this way, the traffic over the interface is difficult to analyze, thereby improving the security.
At block 1130, the IAB node 420-1 transmits the data packet to the donor-DU 410-12.
In some embodiments, an apparatus for performing the method 900 (for example, the donor-DU 410-12) may comprise respective means for performing the corresponding steps in the method 900. These means may be implemented in any suitable manners. For example, it can be implemented by circuitry or software modules.
In some embodiments, the apparatus comprises: means for receiving a data packet from a second device to the first device, the data packet comprising identification information which is used by the first device for processing the data packet; means for modifying the data packet to exclude the identification information; and means for transmitting the modified data packet to a third device.
In some embodiments, the identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
In some embodiments, the means for transmitting the modified data packet comprises: means for mapping the modified data packet to a channel based on the identification information; and means for transmitting the mapped modified data packet to the third device.
In some embodiments, the means for modifying the data packet to exclude the identification information comprises: means for removing the identification information from the data packet.
In some embodiments, the means for modifying the data packet to exclude the identification information comprises: means for setting the identification information to be a predetermined value or a randomly generated value.
In some embodiments, the first network device is a donor distributed unit, the second network device is a donor centralized unit and the third network device is an integrated access and backhaul (IAB) node.
In some embodiments, an apparatus for performing the method 1000 (for example, the donor-DU 410-12) may comprise respective means for performing the corresponding steps in the method 1000. These means may be implemented in any suitable manners. For example, it can be implemented by circuitry or software modules.
In some embodiments, the apparatus comprises: means for receiving a data packet from a third device to the first device, the data packet comprising first identification information of the data packet; means for obtaining second identification information of the data packet from the first identification information based on mapping information received from a second device; and means for transmitting the data packet to the second device, the data packet comprising the second identification information.
In some embodiments, the second identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
In some embodiments, the first device is a donor distributed unit, the second device is a donor centralized unit and the third device is an integrated access and backhaul (IAB) node.
In some embodiments, an apparatus for performing the method 1100 (for example, the IAB node 420-1) may comprise respective means for performing the corresponding steps in the method 1100. These means may be implemented in any suitable manners. For example, it can be implemented by circuitry or software modules.
In some embodiments, the apparatus comprises means for generating, at the third device, first identification information of a data packet based on mapping information received from a second device; means for adding the first identification into the data packet; and means for transmitting the data packet to a first device, the transmitting data packet comprising the first identification information such that the first device determines second identification from the first identification.
In some embodiments, the first device is a donor distributed unit, the second device is a donor centralized unit and the third device is an integrated access and backhaul (IAB) node.
In some embodiments, wherein the second identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
FIG. 12 is a simplified block diagram of a device 1200 that is suitable for implementing embodiments of the present disclosure. The device 1200 may be provided to implement the communication device, for example the network device 120 or the terminal devices 110 as shown in Fig. 1. As shown, the device 1200 includes one or more processors 1210, one or more memories 1220 coupled to the processor 1210, and one or more communication modules (for example, transmitters and/or receivers (TX/RX)) 1240 coupled to the processor 1210.
The communication module 1240 is for bidirectional communications. The communication module 1240 has at least one antenna to facilitate communication. The communication interface may represent any interface that is necessary for communication with other network elements.
The processor 1210 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 1200 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
The memory 1220 may include one or more non-volatile memories and one or more volatile memories. Examples of the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 1224, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), and other magnetic storage and/or optical storage. Examples of the volatile memories include, but are not limited to, a random access memory (RAM) 1222 and other volatile memories that will not last in the power-down duration.
A computer program 1230 includes computer executable instructions that are executed by the associated processor 1210. The program 1230 may be stored in the ROM 1224. The processor 1210 may perform any suitable actions and processing by loading the program 1230 into the RAM 1222.
The embodiments of the present disclosure may be implemented by means of the program 1230 so that the device 1200 may perform any process of the disclosure as discussed with reference to Figs. 5-11. The embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
In some embodiments, the program 1230 may be tangibly contained in a computer readable medium which may be included in the device 1200 (such as in the memory 1220) or other storage devices that are accessible by the device 1200. The device 1200 may load the program 1230 from the computer readable medium to the RAM 1222 for execution. The computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like. Fig. 13 shows an example of the computer readable medium 1300 in form of CD or DVD. The computer readable medium has the program 1230 stored thereon.
Generally, various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium. The computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the methods 900 to 1100 as described above with reference to Figs. 9-11. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various embodiments. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented. The program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present disclosure, the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above. Examples of the carrier include a signal, computer readable medium, and the like.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.
Although the present disclosure has been described in languages specific to structural features and/or methodological acts, it is to be understood that the present disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (32)

  1. A first device comprising:
    at least one processor; and
    at least one memory including computer program codes;
    the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to:
    receive a data packet from a second device to the first device, the data packet comprising identification information which is used by the first device for processing the data packet;
    modify the data packet to exclude the identification information; and
    transmit the modified data packet to a third device.
  2. The first device of claim 1, wherein the identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
  3. The first device of claim 1, wherein the first device is caused to transmit the modified data packet by:
    mapping the modified data packet to a channel based on the identification information; and
    transmitting the mapped modified data packet to the third device.
  4. The first device of claim 3, wherein the channel is a backhaul radio link control channel or a logical channel.
  5. The first device of claim 1, wherein the first device is caused to modify the data packet to exclude the identification information by:
    removing the identification information from the data packet.
  6. The first device of claim 1, wherein the first device is caused to modify the data packet to exclude the identification information by:
    setting the identification information to be a predetermined value or a randomly generated value.
  7. The first device of any claim 1-6, wherein the first network device is a donor distributed unit, the second network device is a donor centralized unit and the third network device is an integrated access and backhaul (IAB) node.
  8. A first device comprising:
    at least one processor; and
    at least one memory including computer program codes;
    the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to:
    receive a data packet from a third device to the first device, the data packet comprising first identification information of the data packet;
    obtain second identification information of the data packet from the first identification information based on mapping information received from a second device; and
    transmit the data packet to the second device, the data packet comprising the second identification information.
  9. The first device of claim 8, wherein the second identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
  10. The first device of claim 8 or 9, wherein the first device is a donor distributed unit, the second device is a donor centralized unit and the third device is an integrated access and backhaul (IAB) node.
  11. A third device comprising:
    at least one processor; and
    at least one memory including computer program codes;
    the at least one memory and the computer program codes are configured to, with the at least one processor, cause the third device to:
    generate, at the third device, first identification information of a data packet based on mapping information received from a second device;
    add the first identification into the data packet; and
    transmit the data packet to a first device, the transmitted data packet comprising the first identification information such that the first device determines second identification from the first identification.
  12. The third device of claim 11, wherein the second identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
  13. The third device of claim 11 or 12, wherein the first device is a donor distributed unit, the second device is a donor centralized unit and the third device is an integrated access and backhaul (IAB) node.
  14. A method comprising:
    receiving a data packet from a second device to a first device, the data packet comprising identification information which is used by the first device for processing the data packet;
    modifying the data packet to exclude the identification information; and
    transmitting the modified data packet to a third device.
  15. The method of claim 14, wherein the identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
  16. The method of claim 14, wherein transmitting the modified data packet comprises:
    mapping the modified data packet to a channel based on the identification information; and
    transmitting the mapped modified data packet to the third device.
  17. The method of claim 16, wherein the channel is a backhaul radio link control channel or a logical channel.
  18. The method of claim 14, wherein modifying the data packet to exclude the identification information comprises:
    removing the identification information from the data packet.
  19. The method of claim 14, wherein modifying the data packet to exclude the identification information comprises:
    setting the identification information to be a predetermined value or a randomly generated value.
  20. The method of any of claims 14-19, wherein the first device is a donor distributed unit, the second device is a donor centralized unit and the third device is an integrated access and backhaul (IAB) node.
  21. A method comprising:
    receiving a data packet from a third device to a first device, the data packet comprising first identification information of the data packet;
    obtaining second identification information of the data packet from the first identification information based on mapping information received from a second device; and
    transmitting the data packet to the second device, the data packet comprising the second identification information.
  22. The method of claim 21, wherein the second identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
  23. The method of claim 21 or 22, wherein the first device is a donor distributed unit, the second device is a donor centralized unit and the third device is an integrated access and backhaul (IAB) node.
  24. A method comprising:
    generating, at a third device, first identification information of a data packet based on mapping information received from a second device;
    adding the first identification into the data packet; and
    transmitting the data packet to a first device, the transmitted data packet comprising the first identification information such that the first device determines second identification from the first identification.
  25. The method of claim 24, wherein the second identification information comprises at least one of: a flow label, a differential service code point and an identity of a bearer.
  26. The method of claim 24 or 25, wherein the first device is a donor distributed unit, the second device is a donor centralized unit and the third device is an integrated access and backhaul (IAB) node.
  27. An apparatus comprising:
    means for receiving a data packet from a second device to a first device, the data packet comprising identification information which is used by the first device for processing the data packet;
    means for modifying the data packet to exclude the identification information; and
    means for transmitting the modified data packet to a third device.
  28. An apparatus comprising:
    means for receiving a data packet from a third device to a first device, the data packet comprising first identification information of the data packet;
    means for obtaining second identification information of the data packet from the first identification information based on mapping information received from a second device; and
    means for transmitting the data packet to the second device, the data packet comprising the second identification information.
  29. An apparatus comprising:
    means for generating, at a third device, first identification information of a data packet based on mapping information received from a second device;
    means for adding the first identification into the data packet; and
    means for transmitting the data packet to a first device, the transmitted data packet comprising the first identification information such that the first device determines second identification from the first identification.
  30. A computer readable medium storing instructions thereon, the instructions, when executed by at least one processing unit of a machine, causing the machine to perform the method according to any one of claims 14-20.
  31. A computer readable medium storing instructions thereon, the instructions, when executed by at least one processing unit of a machine, causing the machine to perform the method according to any one of claims 21-23.
  32. A computer readable medium storing instructions thereon, the instructions, when executed by at least one processing unit of a machine, causing the machine to perform the method according to any one of claims 24-26.
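The downlink handling of claims 1-6 and 14-19, as an added Python example that is not part of the patent text or of any vendor implementation: the donor DU reads the identification information, selects a backhaul RLC channel from it, and overwrites the fields before forwarding to the IAB node. It assumes the identification is carried in the IPv6 DSCP and flow label fields; the `CU_MAPPING` table, the channel numbers, the choice to keep the ECN bits and the test packets are hypothetical and constructed for illustration.

```python
import secrets
import struct

# Hypothetical mapping configured by the donor CU: (dscp, flow_label) -> BH RLC channel id.
CU_MAPPING = {(46, 0x12345): 3, (0, 0x00ABC): 1}
DEFAULT_CHANNEL = 0

def parse_ids(pkt: bytes):
    """Return (dscp, ecn, flow_label) from the first 32 bits of an IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    (word,) = struct.unpack("!I", pkt[:4])
    tclass = (word >> 20) & 0xFF
    return tclass >> 2, tclass & 0x3, word & 0xFFFFF

def scrub(pkt: bytes, mode: str = "fixed") -> bytes:
    """Set DSCP and flow label to a predetermined (0) or random value.

    IPv6 has no header checksum and the upper-layer pseudo-header does not
    cover these fields, so nothing else needs recomputing. ECN is kept
    (an assumption of this example, not stated in the claims).
    """
    _, ecn, _ = parse_ids(pkt)
    if mode == "random":
        dscp, label = secrets.randbelow(64), secrets.randbelow(1 << 20)
    else:
        dscp, label = 0, 0
    word = (6 << 28) | (((dscp << 2) | ecn) << 20) | label
    return struct.pack("!I", word) + pkt[4:]

def donor_du_downlink(pkt: bytes, mode: str = "fixed"):
    """Pick the channel from the ORIGINAL identifiers, then forward the scrubbed packet."""
    dscp, _, label = parse_ids(pkt)
    channel = CU_MAPPING.get((dscp, label), DEFAULT_CHANNEL)
    return channel, scrub(pkt, mode)

def make_packet(dscp: int, label: int, payload: bytes = b"") -> bytes:
    """Build a constructed IPv6 packet (zero addresses, next header 59) for testing."""
    word = (6 << 28) | ((dscp << 2) << 20) | label
    header = struct.pack("!IHBB", word, len(payload), 59, 64) + bytes(32)
    return header + payload

if __name__ == "__main__":
    channel, forwarded = donor_du_downlink(make_packet(46, 0x12345, b"data"))
    print(channel, parse_ids(forwarded))
```

The ordering inside `donor_du_downlink` is the point to check in an implementation: channel selection must use the identifiers as received from the CU, and only the scrubbed copy may leave toward the IAB node.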
PCT/CN2019/086911 2019-05-14 2019-05-14 Mechanism for improving security of communication system WO2020227942A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2019/086911 WO2020227942A1 (en) 2019-05-14 2019-05-14 Mechanism for improving security of communication system
CN201980096391.2A CN113826335B (en) 2019-05-14 2019-05-14 Mechanism for improving security of communication system

Publications (1)

Publication Number Publication Date
WO2020227942A1 true WO2020227942A1 (en) 2020-11-19

Family

ID=73289985

Country Status (2)

Country Link
CN (1) CN113826335B (en)
WO (1) WO2020227942A1 (en)

Also Published As

Publication number Publication date
CN113826335B (en) 2023-07-21
CN113826335A (en) 2021-12-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19928761

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19928761

Country of ref document: EP

Kind code of ref document: A1