WO2021109151A1 - 一种事件上报的方法、装置及系统 - Google Patents
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Definitions
- This application relates to the field of wireless communication technology, and in particular to a method, device and system for event reporting.
- Edge computing technology is introduced into the 5G network: an edge computing platform is set up closer to the gateway and is combined with the operator's 5G system.
- Edge computing provides cloud computing capabilities at the edge of the mobile network, so that the terminal can interact with a local server over a short physical distance without accessing a remote server, thereby reducing delay, obtaining a better service experience and achieving maximum service efficiency.
- The remote server then only needs to process the small amount of data already processed by the edge computing platform, which reduces network load.
- The Next Generation Radio Access Network (NG-RAN) often needs to send the report message of a QoS notification control (QNC) event to the Application Function (AF).
- Abbreviations used here: QNC, QoS notification control; AF, Application Function.
- The AF may be deployed on an edge computing platform.
- When the NG-RAN sends the event report message to the AF, one way may be as shown in Figure 1.
- The NG-RAN needs to send the event report message via the radio access network (RAN), the authentication management function (AMF) and the session management network element (Session Management Function, SMF).
- Abbreviations used here: SMF, Session Management Function; PCF, Policy Control Function; NEF, Network Exposure Function; AF, Application Function; UPF, User Plane Function.
- The existing scheme, which sends the report message corresponding to the event by configuring the user plane path, cannot prevent an attacker from sending false messages to the AF, nor from performing a man-in-the-middle attack on the path between the UPF and the AF.
- The attacker can send forged event report content to the AF, or repeat event report messages sent by other UPFs, which affects the service the AF provides to users.
- An attacker can also interfere with the AF serving users by replaying or tampering with a previous event report message.
- The present application provides an event reporting method, device and system, in order to provide a secure and time-sensitive event reporting method.
- An event reporting method including:
- The service server determines the first indication information of the first event; the service server generates the first information and associates the first indication information with the first information, where the first information is used to perform a second authority verification on a received report message that has been security-protected with the second information; the service server receives the report message of the first event sent by the user plane network element UPF; the service server performs a first authority verification on the report message according to the first indication information, and after passing the first authority verification determines the first information corresponding to the first indication information; the service server performs a second authority verification on the report message according to the first information; the service server obtains the report message after it passes the second authority verification.
- The embodiment of the present application thus provides a way to protect the event reporting path. Further, the AF needs to perform the first authority verification on the event report message sent from the UPF, and after passing the first authority verification it continues with the second authority verification; only a report message that passes the second authority verification is obtained by the AF, otherwise the AF discards it. Therefore an attacker can be prevented from attacking the AF through a report message, and the security of communication between the user plane network element UPF and the AF is ensured.
- The service server determining the first indication information of the first event includes: the service server receives a response message sent by the network exposure function network element NEF, the response message being sent by the NEF after it receives the report demand message of the first event sent by the service server, and the service server determines the first indication information according to the response message; or the service server generates the first indication information according to the first event.
- The embodiment of the present application thus provides multiple ways for the AF to determine the first indication information.
- For example, the AF generates the first indication information by itself; for another example, the NEF generates the first indication information.
- In the latter case the AF acquires the first indication information generated by the NEF.
- This enriches the ways of determining the first indication information and broadens applicability.
- The service server associates the first indication information, the first information and the reporting requirement of the first event.
- A third authority verification is thereby added according to the reporting requirement of the first event.
- The third authority verification is used by the AF to verify whether the report message meets the reporting requirement of event A.
- Since the first indication information alone cannot show whether the UPF has the authority to send a report message that meets the reporting requirement, the mapping relationship among the first indication information, the first information A and the reporting requirement of the first event enables the AF to verify whether the UPF has that authority, so as to better ensure the security of event reporting.
- The service server determines the deduction information of the second information and notifies the deduction information to the NEF; the second information is either the symmetric key corresponding to the first information or the public key corresponding to the first information.
- The AF in the embodiment of the present application can thus also determine the deduction information used to generate the second information and notify the NEF of it, and the NEF further notifies the SMF, so that the SMF can determine the second information based on the deduction information and send it to the UPF.
- The UPF protects the report message sent to the AF according to the second information, which improves the security of event reporting.
- The service server determines that the report message passes the first authority verification in the following manner: the service server obtains the first authority verification information carried in the report message, and if the service server determines that the first authority verification information is partially or completely the same as the first indication information, the service server determines that the report message passes the first authority verification.
- The embodiment of the present application thus provides how to perform the first authority verification on the report message according to the first indication information.
- The service server determines that the report message passes the second authority verification in the following manner: the service server verifies all or part of the report message with the first information, and if the service server successfully verifies all or part of the report message, the service server determines that the report message passes the second authority verification; here, all or part of the report message received by the service server has been security-protected by the UPF with the second information.
- The embodiment of the present application thus provides how to perform the second authority verification on the report message according to the second information.
- An event reporting method including:
- The service server determines the first indication information of the first event; the service server receives the report message of the first event sent by the user plane network element UPF; the service server performs a first authority verification on the report message according to the first indication information, and after passing the first authority verification generates first information, where the first information is used to perform a second authority verification on the received report message that has been security-protected with the second information;
- The service server performs a second authority verification on the report message according to the first information; the service server obtains the report message after it passes the second authority verification.
- The embodiment of the present application thus provides a way to configure the event reporting path. Further, the AF needs to perform the first authority verification on the event report message sent from the UPF, and after passing the first authority verification it continues with the second authority verification; only a report message that passes the second authority verification is obtained by the AF, otherwise the AF discards it. Therefore an attacker can be prevented from attacking the AF through a report message, and the security of communication between the user plane network element UPF and the AF is ensured.
- The service server receives a response message sent by the network exposure function network element NEF, where the response message is sent after the NEF receives a report request message for at least one first event sent by the service server, and the service server determines the first indication information according to the response message; or the service server generates the first indication information according to the first event.
- Embodiments of the present application thus provide multiple ways for the AF to determine the first indication information.
- For example, the AF generates the first indication information by itself; for another example, the NEF generates the first indication information.
- In the latter case the AF obtains the first indication information generated by the NEF.
- This enriches the ways of determining the first indication information and broadens applicability.
- After the service server generates the first information, the service server associates the first indication information with the first information; or the service server associates the first indication information, the first information and the reporting requirement corresponding to the first event.
- A third authority verification is thereby added according to the reporting requirement of the first event.
- The third authority verification is used by the AF to verify whether the report message meets the reporting requirement of event A.
- Since the first indication information alone cannot show whether the UPF has the authority to send a report message that meets the reporting requirement, the mapping relationship among the first indication information, the first information A and the reporting requirement of the first event enables the AF to verify whether the UPF has that authority, so as to better ensure the security of event reporting.
- The service server determines the deduction information of the second information and notifies the deduction information to the NEF; the second information is either the symmetric key corresponding to the first information or the public key corresponding to the first information.
- The AF in the embodiment of the application can thus also determine the deduction information used to generate the second information and notify the NEF of it, and the NEF further notifies the SMF, so that the SMF can determine the second information based on the deduction information and send it to the UPF; the UPF protects the report message sent to the AF according to the second information, which improves the security of event reporting.
- The service server determines that the report message passes the first authority verification in the following manner: the service server obtains the first authority verification information carried in the report message, and if the service server determines that the first authority verification information is partially or completely the same as the first indication information, the service server determines that the report message passes the first authority verification.
- The embodiment of the present application thus provides how to perform the first authority verification on the report message according to the first indication information.
- The service server determines that the report message passes the second authority verification in the following manner: the service server verifies all or part of the report message with the first information, and if the service server successfully verifies all or part of the report message, the service server determines that the report message passes the second authority verification; here, the report message received by the service server has been security-protected by the UPF with the second information.
- The embodiment of the present application thus provides how to perform the second authority verification on the report message according to the second information.
- An event reporting method including:
- The network exposure function network element NEF receives a request message sent from the service server, the request message containing the reporting requirement of the first event; the NEF determines the first indication information of the first event and the service server address; the NEF sends a notification message to the session management network element SMF, so that the SMF, according to the notification message, instructs the UPF to send the report message of the first event and the first indication information to the service server, where the report message is security-protected with the second information; the first indication information is used by the service server to perform a first authority verification on the report message, and the second information is used by the service server to perform a second authority verification on the report message.
- The embodiment of the present application thus provides a way to configure the event reporting path. Further, the AF needs to perform the first authority verification on the event report message sent from the UPF, and after passing the first authority verification it continues with the second authority verification; only a report message that passes the second authority verification is obtained by the AF, otherwise the AF discards it. Therefore an attacker can be prevented from attacking the AF through a report message, and the security of communication between the user plane network element UPF and the AF is ensured.
- The NEF obtains the first indication information from the received request message, where the request message includes the first indication information; or, after receiving the request message, the NEF generates the first indication information according to the reporting requirement of the first event included in the request message.
- The embodiments of the present application thus provide multiple ways for the NEF to determine the first indication information.
- For example, the NEF generates the first indication information by itself; for another example, the AF generates the first indication information.
- In the latter case the NEF obtains the first indication information generated by the AF. Therefore the ways for the NEF to determine the first indication information are enriched, and applicability is broader.
- After the NEF determines the first indication information of the first event, the NEF notifies the service server of the first indication information.
- An embodiment of the present application thus provides a way for the NEF to determine the first indication information and notify it to the AF, so that the AF determines the first indication information used for the first authority verification.
- The notification message includes the first indication information, the service server address, the reporting requirement of the first event and the second information, where the second information is determined by the NEF according to a second information generation protocol preset with the service server; or, if the request message contains the deduction information used to generate the second information and the reporting requirement of the first event, the notification message includes the first indication information, the service server address, the reporting requirement of the first event and the deduction information; or, if the request message contains the deduction information used to generate the second information and the reporting requirement of the first event, the notification message includes the first indication information, the service server address, the reporting requirement of the first event and the second information, where the second information is determined by the NEF according to the deduction information; or, if the request message includes the second information and the reporting requirement of the first event, the notification message includes the first indication information, the service server address, the reporting requirement of the first event and the second information.
- The notification message described in the embodiments of the present application may therefore carry various combinations of information, which makes it more widely applicable.
- An embodiment of the present application provides an event reporting method, including:
- The session management network element SMF obtains the second indication information sent by the policy control network element PCF; the SMF determines the third indication information according to the second indication information, where the third indication information includes the address information of the service server, the reporting requirement of the first event, and the first indication information and second information corresponding to the reporting requirement; the SMF sends the third indication information to the user plane network element UPF to instruct the UPF to send the report message of the first event and the first indication information to the service server, where the report message is security-protected with the second information; the first indication information is used by the service server to perform a first authority verification on the report message, and the second information is used by the AF to perform a second authority verification on the report message.
- The embodiment of the present application thus provides a way to configure the event reporting path. Further, the AF needs to perform the first authority verification on the event report message sent from the UPF, and after passing the first authority verification it continues with the second authority verification; only a report message that passes the second authority verification is obtained by the AF, otherwise the AF discards it. Therefore an attacker can be prevented from attacking the AF through a report message, and the security of communication between the user plane network element UPF and the AF is ensured.
- The SMF uses the second indication information as the third indication information; or, if the second indication information includes the address information of the service server, the reporting requirement of the first event, the first indication information and the deduction information used to determine the second information, the SMF generates the second information according to the deduction information and determines the third indication information according to the second indication information and the second information.
- The information contained in the second indication information in the embodiment of the present application may thus vary, and according to that information multiple ways are provided for the SMF to determine the third indication information. Thereby the ways for the SMF to determine the third indication information are enriched, and applicability is broader.
- Before the SMF obtains the second indication information sent by the PCF, the SMF receives a PDU session establishment request from a new terminal device; or the SMF receives a second indication message sent by the PCF, the second indication message being used to instruct the SMF to trigger the UPF to send the report message corresponding to the request message to the service server.
- The embodiments of the present application thus provide multiple ways to trigger the SMF to obtain the second indication information sent by the PCF. For example, if the SMF receives a PDU session establishment request from a new terminal device, the SMF is triggered to obtain the second indication information from the PCF; for another example, if the SMF receives the second indication message sent by the PCF, the SMF is triggered to obtain the second indication information. Thereby the ways for the SMF to obtain the second indication information are enriched, and applicability is broader.
- The deduction information includes information shared between the network exposure function network element NEF and the service server, together with the first indication information.
- An embodiment of the present application provides an event reporting method, including:
- The user plane network element UPF receives the third indication information sent by the session management network element SMF, where the third indication information is used to instruct the UPF to send a report message of the first event to the service server; the UPF determines, according to the third indication information, the report message of the first event and the first indication information and second information corresponding to the report message; the UPF security-protects the report message with the second information and sends the security-protected report message and the first indication information to the service server; the first indication information is used by the service server to perform a first authority verification on the report message, and the second information is used by the service server to perform a second authority verification on the report message.
- The embodiment of the present application thus provides a way to configure the event reporting path. Further, the AF needs to perform the first authority verification on the event report message sent from the UPF, and after passing the first authority verification it continues with the second authority verification; only a report message that passes the second authority verification is obtained by the AF, otherwise the AF discards it. Therefore an attacker can be prevented from attacking the AF through a report message, and the security of communication between the user plane network element UPF and the AF is ensured.
- The security protection may be encryption and/or generation of a digital signature.
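The following is an added simulation of the verification chain described above (UPF-side protection, then the first, second and third authority verifications at the service server); it is constructed for this page and is not code from the patent or from any 3GPP implementation. Assumed, not stated on the page: the deduction information is modelled as HMAC-SHA256 over the first indication information keyed with the NEF/AF shared secret, the second information is a symmetric key equal to the first information, the security protection is an HMAC tag over the serialised report, and the reporting requirement is an event type plus a UE identifier.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def derive_key(shared_secret: bytes, indication: str) -> bytes:
    """Assumed KDF for the 'deduction information': a key derived from the secret
    shared by NEF and AF plus the first indication information. The AF keeps the
    result as the 'first information'; the UPF gets the same key as 'second information'."""
    return hmac.new(shared_secret, indication.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class ReportRequirement:
    """Constructed stand-in for the 'reporting requirement of the first event'."""
    event_type: str
    ue_id: str


def upf_protect_report(second_info: bytes, indication: str, report: dict) -> dict:
    """UPF side: security-protect the report (here an HMAC tag over the JSON payload)
    and attach the first indication information as first-authority-verification info."""
    payload = json.dumps(report, sort_keys=True)
    tag = hmac.new(second_info, payload.encode(), hashlib.sha256).hexdigest()
    return {"indication": indication, "payload": payload, "tag": tag}


@dataclass
class ServiceServer:
    """AF side: holds the association first indication info -> (first info, requirement)."""
    shared_secret: bytes
    bindings: Dict[str, Tuple[bytes, ReportRequirement]] = field(default_factory=dict)

    def subscribe(self, req: ReportRequirement) -> str:
        indication = os.urandom(8).hex()          # AF generates the indication itself
        first_info = derive_key(self.shared_secret, indication)
        self.bindings[indication] = (first_info, req)
        return indication

    def receive(self, msg: dict) -> Optional[dict]:
        """Returns the report only if all three verifications pass; None means discarded."""
        # First authority verification: the carried indication matches a known binding.
        binding = self.bindings.get(msg.get("indication", ""))
        if binding is None:
            return None
        first_info, req = binding
        # Second authority verification: the protected payload verifies under first info.
        payload = msg.get("payload", "")
        expected = hmac.new(first_info, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return None
        report = json.loads(payload)
        # Third authority verification: the report meets the subscribed requirement.
        if report.get("event_type") != req.event_type or report.get("ue_id") != req.ue_id:
            return None
        return report


def run_scenario() -> Dict[str, bool]:
    """Constructed end-to-end run: one genuine report and four rejected variants."""
    shared_secret = b"constructed-NEF-AF-shared-secret"    # placeholder value
    af = ServiceServer(shared_secret)
    ind_a = af.subscribe(ReportRequirement("QNC", "ue-0001"))
    ind_b = af.subscribe(ReportRequirement("QNC", "ue-0002"))
    key_a = derive_key(shared_secret, ind_a)   # second information handed to the UPF
    key_b = derive_key(shared_secret, ind_b)

    genuine = upf_protect_report(key_a, ind_a, {"event_type": "QNC", "ue_id": "ue-0001", "gfbr_met": False})
    # Forged report: attacker does not hold the second information for event A.
    forged = upf_protect_report(b"attacker-key", ind_a, {"event_type": "QNC", "ue_id": "ue-0001", "gfbr_met": True})
    # Unknown first indication information: fails the first authority verification.
    unknown_ind = upf_protect_report(key_a, "0" * 16, {"event_type": "QNC", "ue_id": "ue-0001"})
    # Valid key and indication for event B used to report on event A's UE: fails the third check.
    other_event = upf_protect_report(key_b, ind_b, {"event_type": "QNC", "ue_id": "ue-0001"})
    # Genuine message with the payload tampered in transit: tag no longer verifies.
    tampered = dict(genuine, payload=genuine["payload"].replace("false", "true"))

    return {
        "genuine_accepted": af.receive(genuine) is not None,
        "forged_rejected": af.receive(forged) is None,
        "unknown_indication_rejected": af.receive(unknown_ind) is None,
        "other_event_key_rejected": af.receive(other_event) is None,
        "tampered_rejected": af.receive(tampered) is None,
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```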
- an embodiment of the present application provides a communication device, which has the function of implementing the network element in the foregoing embodiment.
- This function can be realized by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
- The communication device may be a NEF network element, or a component that can be used for the NEF network element, such as a chip, a chip system or a circuit.
- The communication device may include a transceiver and a processor.
- The processor can be configured to support the communication device in performing the corresponding functions of the NEF shown above, and the transceiver is used to support communication between the communication device and other network elements (such as SMF and PCF network elements) and service servers (such as the AF).
- the communication device may further include a memory, and the memory may be coupled with the processor, which stores program instructions and data necessary for the communication device.
- the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
- the communication device may be an SMF network element, or a component that can be used in the SMF network element, such as a chip or a chip system or a circuit.
- The communication device may include a transceiver and a processor.
- The processor can be configured to support the communication device in performing the corresponding functions of the SMF shown above, and the transceiver is used to support communication between the communication device and other network elements (such as NEF and PCF network elements) and service servers (such as the AF).
- the communication device may further include a memory, and the memory may be coupled with the processor, which stores program instructions and data necessary for the communication device.
- the transceiver can be an independent receiver, an independent transmitter, a transceiver with integrated transmitting and receiving functions, or an interface circuit.
- the communication device may be a UPF network element, or a component that can be used in the UPF network element, such as a chip or a chip system or a circuit.
- The communication device may include a transceiver and a processor.
- The processor may be configured to support the communication device in performing the corresponding functions of the UPF shown above, and the transceiver is used to support communication between the communication device and other network elements (such as NEF and SMF network elements) and service servers (such as the AF).
- the communication device may further include a memory, and the memory may be coupled with the processor, which stores program instructions and data necessary for the communication device.
- the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
- an embodiment of the present application provides a communication device, which has the function of implementing the service server in the foregoing embodiment.
- This function can be realized by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
- the communication device may be a service server, or a component that can be used in the service server, such as a chip or a chip system or circuit, and the communication device may include a transceiver and a processor.
- the processor may be configured to support the communication device to perform the corresponding functions of the service server shown above, and the transceiver is used to support communication between the communication device and other network elements (such as NEF network elements, UPF network elements) and the like.
- the communication device may further include a memory, and the memory may be coupled with the processor, which stores program instructions and data necessary for the communication device.
- the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
- An embodiment of the present application provides a communication device, which is used to implement the method of any one of the foregoing first to fifth aspects.
- When the communication device is a service server, it may include a processing unit and a communication unit:
- The processing unit is used to determine the first indication information of a first event, generate first information, and associate the first indication information with the first information, where the first information is used to perform a second authority verification on the received report message that has been security-protected with the second information;
- The communication unit is configured to receive the report message of the first event sent by the user plane network element UPF;
- The processing unit is further configured to perform a first authority verification on the report message according to the first indication information, and after passing the first authority verification, determine the first information corresponding to the first indication information; perform a second authority verification on the report message according to the first information; and obtain the report message after it passes the second authority verification.
- When the communication device is a service server, it may also include a processing unit and a communication unit:
- The processing unit is used to determine the first indication information of the first event;
- The communication unit is configured to receive the report message of the first event sent by the user plane network element UPF;
- The processing unit is further configured to perform a first authority verification on the report message according to the first indication information, and after passing the first authority verification, generate first information, where the first information is used to perform a second authority verification on the received report message that has been security-protected with the second information; perform the second authority verification on the report message according to the first information; and obtain the report message after it passes the second authority verification.
- When the communication device is a NEF network element, it may include a processing unit and a communication unit:
- The communication unit is used to receive a request message sent from a service server, the request message containing the reporting requirement of the first event;
- The processing unit is used to determine the first indication information of the first event and the address of the service server;
- The communication unit is further configured to send a notification message to the session management network element SMF, so that the SMF, according to the notification message, instructs the UPF to send the report message of the first event and the first indication information to the service server, where the report message is security-protected with the second information; the first indication information is used by the service server to perform a first authority verification on the report message, and the second information is used by the service server to perform a second authority verification on the report message.
- when the communication device is an SMF network element, it may include a processing unit and a communication unit:
- the communication unit is configured to obtain the second indication information sent by the policy control network element PCF;
- the processing unit is configured to determine third indication information according to the second indication information, where the third indication information includes the address information of the service server, the reporting requirement of the first event, the first indication information corresponding to the reporting requirement, and second information;
- the communication unit is further configured to send the third indication information to the user plane network element UPF to instruct the UPF to send the report message of the first event and the first indication information to the service server, wherein the report message is security-protected by the second information; the first indication information is used by the service server to perform first authority verification on the report message, and the second information is used by the service server to perform second authority verification on the report message.
- when the communication device is a UPF, it may include a processing unit and a communication unit:
- the communication unit is configured to receive third indication information sent by the session management network element SMF, where the third indication information is used to instruct the UPF to send a report message of the first event to the service server;
- the processing unit is configured to determine, according to the third indication information, the report message of the first event and the first indication information and second information corresponding to the report message, and to perform security protection on the report message using the second information;
- the communication unit is further configured to send the security-protected report message and the first indication information to the service server; wherein the first indication information is used by the service server to perform first permission verification on the report message, and the second information is used by the service server to perform second permission verification on the report message.
- an embodiment of the present application provides a communication system.
- the communication system includes a service server, a NEF network element, an SMF network element, and a UPF network element.
- the service server may be used to execute any one of the methods of the first aspect or the second aspect; the NEF network element may be used to execute any one of the methods of the third aspect; the SMF network element may be used to execute any one of the methods of the fourth aspect; and the UPF network element may be used to execute any one of the methods of the fifth aspect.
- this application provides a chip system including a processor.
- it may further include a memory, the memory being used to store a computer program, and the processor being used to call and run the computer program from the memory, so that the communication device in which the chip system is installed executes any one of the methods of the first aspect to the fifth aspect described above.
- an embodiment of the present application provides a computer storage medium in which instructions are stored, which, when run on a communication device, cause the communication device to execute any one of the methods of the first aspect to the fifth aspect described above.
- an embodiment of the present application provides a computer program product containing instructions, which, when run on a communication device, cause the communication device to execute any one of the methods of the first aspect to the fifth aspect described above.
- FIG. 1 is a schematic diagram of a path for NG-RAN to send report messages to AF.
- FIG. 2 is a schematic diagram of the existing process of sending a report message through a user plane path.
- FIG. 3 is a schematic diagram of a system architecture provided by an embodiment of the application.
- FIG. 4 is a schematic flowchart of the first user plane path configuration provided by an embodiment of this application.
- FIG. 5 is a schematic flowchart of a second user plane path configuration provided by an embodiment of this application.
- FIG. 6 is a schematic flowchart of a third user plane path configuration provided by an embodiment of this application.
- FIG. 7 is a schematic flowchart of a fourth user plane path configuration provided by an embodiment of this application.
- FIG. 8 is a schematic flowchart of a fifth user plane path configuration provided by an embodiment of this application.
- FIG. 9 is a schematic flowchart of a sixth user plane path configuration provided by an embodiment of this application.
- FIG. 10 is a schematic diagram of a flow of sending an event report message provided by an embodiment of the application.
- FIG. 11 is a schematic diagram of the first communication device provided by this application.
- FIG. 12 is a schematic diagram of the second communication device provided by this application.
- FIG. 13 is a schematic diagram of the third communication device provided by this application.
- FIG. 14 is a schematic diagram of a fourth communication device provided by this application.
- FIG. 15 is a schematic diagram of the fifth communication device provided by this application.
- FIG. 16 is a schematic diagram of the sixth communication device provided by this application.
- FIG. 17 is a schematic diagram of the seventh communication device provided by this application.
- FIG. 18 is a schematic diagram of the eighth communication device provided by this application.
- the application-side AF sends the reporting requirement corresponding to the local event (including whether user plane notification is required and/or supported) through an AF request (Request).
- the request is sent to the PCF via the AF, NEF and UDR (or directly to the PCF).
- the PCF generates Policy Control and Charging (PCC) rules according to the AF's request, which contain instructions to use user plane reporting for an event.
- the PCF informs the SMF of the PCC rules, and the SMF configures the user plane path of the NG-RAN and UPF according to the PCF notification, so that the NG-RAN and UPF can use the user plane to send report messages corresponding to events that need to be reported directly to the AF side.
- PCC: Policy Control and Charging
- the above scheme of sending report messages through the user plane path cannot prevent an attacker from sending false messages to the AF, or from performing man-in-the-middle attacks on the path between the UPF and the AF.
- the attacker can send forged event report content to the AF, or repeat to the AF event report messages sent by other UPFs, affecting the AF's service to users.
- an attacker can also interfere with the AF's service to users by replaying or tampering with a previous event report message.
- an embodiment of the present application provides an event reporting method.
- the technical solutions of the embodiments of this application can be applied to various communication systems, such as long term evolution (LTE) systems, worldwide interoperability for microwave access (WiMAX) communication systems, fifth generation (5G) systems such as new radio access technology (NR), and future communication systems such as 6G systems.
- LTE: long term evolution
- WiMAX: worldwide interoperability for microwave access
- 5G: fifth generation
- NR: new radio access technology
- 6G: future communication systems, such as 6G systems
- new communication scenarios are defined in the 5G system: Ultra-Reliable and Low-Latency Communication (URLLC), enhanced Mobile Broadband (eMBB) and Massive Machine Type Communication (mMTC). These communication scenarios place more stringent requirements on the timeliness and security of transmitted communication information. Therefore, in the scenario where edge computing technology is introduced and the AF is deployed on an edge computing platform closer to the user terminal equipment and the local user plane network element UPF, instead of at a higher position in the network, the timeliness and security of the report messages received by the AF need to be considered when the network transmits the report message corresponding to an event towards the AF.
- URLLC: Ultra-Reliable and Low-Latency Communication
- eMBB: enhanced Mobile Broadband
- mMTC: Massive Machine Type Communication
- the embodiment of the present application proposes an event reporting method. With this method, the report message sent by the user plane network element UPF to the AF must be authority-verified by the AF. If the authority verification passes, the AF obtains the report message; otherwise, the core network device discards the report message.
- the AF verifies the authority of the received report message and obtains only report messages that pass the authority verification, thereby preventing an attacker from mounting security attacks on the AF through report messages and ensuring the security of the communication between the user plane network element UPF and the AF.
- the communication system shown in FIG. 3 is taken as an example to describe in detail the communication system to which the embodiments of the present application are applicable.
- the communication system includes an edge computing platform 300, a core network device 310, and a service server 320.
- the edge computing platform 300 is a network platform for providing cloud computing capabilities at the edge of a mobile network. Wherein, the edge computing platform is set up closer to the gateway, so that the user terminal can interact with the server through a short physical distance without accessing the remote server, thereby reducing delay and obtaining a better service experience. At the same time, the remote server only needs to process a small amount of data processed by the edge computing platform, reducing network load.
- the core network equipment 310 is specified in the protocol as the network element that performs core switching or call routing.
- its main function is to provide user connection, user management, overall call signaling control and bearer establishment.
- the core network equipment in the embodiment of the present application may include:
- AMF: Authentication Management Function
- UDM: Unified Data Management
- the open function network element is configured to notify the SMF network element to perform user plane path configuration after receiving, from the service server, a request to obtain the report message of an event.
- in a 4G network, the open function network element can be a service capability exposure function (SCEF), and in a 5G network it can be a network exposure function (NEF).
- SCEF: service capability exposure function
- NEF: network exposure function
- in future communications such as 6G communications, the open function network element may still be a NEF network element or may have another name, which is not limited in this application.
- PCF: Policy Control Function
- SMF: Session Management Function
- NG-RAN: Next Generation Radio Access Network
- the service server 320 may request the open function network element to obtain the event report message of the terminal or the terminal group according to the service requirements, and report the event report message sent by the terminal or the terminal group to the target address.
- the target address may be the address of the service server, or the address of other servers, or the addresses of other network elements in the 3GPP network.
- the entity at the target address may determine the state of the terminal according to the report message of the event sent by the terminal or the terminal group, so as to provide business services for the terminal.
- the service server may be a service capability server/application server (SCS/AS), and in a 5G network an application function (AF).
- SCS/AS: service capability server/application server
- AF: application function
- the service server may still be an AF or may have another name, which is not limited in this application.
- a physical part or a logical part of the service server may be placed in the edge computing platform 300.
- the terminal group includes multiple terminals.
- the service server can request monitoring of all terminals in the terminal group through the terminal group identification.
- the open function network element reports the event of the terminal group to the target address.
- the event report messages of multiple terminals in the terminal group can be reported to the target address in a unified manner by using the terminal group as a unit.
- the terminal may be a UE, and the terminal group may be a group of UEs (a group of UEs).
- FIG. 3 is only a simplified schematic diagram of an example for ease of understanding, and the communication system may also include other service servers and other terminal devices, which are not shown in FIG. 3.
- Edge computing refers to the use of an open platform that integrates network, computing, storage and application core capabilities on the side close to the source of things or data, providing nearest-end services nearby. Its applications are initiated on the edge side to produce faster network service responses and to meet the industry's basic needs in real-time business, application intelligence, and security and privacy protection. Edge computing sits between physical entities and industrial connections, or on top of physical entities, and cloud computing can still access the historical data of edge computing.
- for the Internet of Things, a breakthrough in edge computing technology means that many controls will be implemented through local devices without being handed over to the cloud, with processing completed at the local edge computing layer. This will undoubtedly greatly improve processing efficiency and reduce the load on the cloud. Because it is closer to the user, it can also provide users with a faster response and satisfy demand at the edge.
- Replay means that the attacker sends a packet that the destination host has already received, in order to deceive the system.
- the replay attack can be carried out by the original sender or by an adversary who intercepts and retransmits the data.
- Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL), is a security protocol that aims to provide confidentiality and data integrity protection for Internet communications. It has become the industry standard for confidential communication on the Internet.
- the TLS protocol uses a client-server architecture model to create a secure connection between two applications over the network, preventing eavesdropping and tampering while data is exchanged.
- "at least one" means one or more
- "plural" means two or more.
- "and/or" describes the association relationship of the associated objects and indicates that three relationships are possible; for example, A and/or B can mean: A exists alone, A and B exist at the same time, or B exists alone, where A and B can be singular or plural.
- the character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
- "at least one of the following items" or similar expressions refer to any combination of these items, including any combination of a single item or plural items.
- at least one of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.
- the following takes a 5G application scenario as an example, in which the service server is an AF, to specifically introduce the event reporting process provided by the embodiments of the present application, which can protect the security of event reporting.
- the process of sending an event report to the service server through the UPF user plane path, shown as the solid-line transfer path in FIG. 1, is mainly selected for specific introduction. It should be noted that the method for protecting the security of event reporting provided by the embodiments of the present application can also be combined with other event reporting processes to improve the security of event reporting; for details, refer to the description of the process of sending an event report to the service server through the UPF user plane path provided in the embodiments of the present application, which will not be repeated here.
- the AF is mainly used to verify the authority of the received report message to determine whether the reported message is safe.
- the UPF uses the second information to encrypt and protect the report message, and then sends the first indication information and the protected report message to the AF, where the first indication information and the report message protected by the second information are used to verify the authority of the report message.
- after receiving the report message of the event, the AF performs first authority verification according to the first indication information carried with the report message, and if the first authority verification passes, the AF performs second authority verification on the report message according to the first information corresponding to the first indication information. If the second authority verification passes, the AF considers the report message to be safe and obtains the report message.
- the SMF needs to determine the first indication information and the second information that are used for authority verification of the event report message.
- user plane path event reporting is configured according to the first indication information and the second information.
- Trigger situation 1: the SMF receives a request message sent by the AF, and the request message is a request for obtaining the report message of the event A.
- the number of user plane path configurations performed by the SMF is not limited to the following.
- Configuration method 1: the AF generates the first indication information and/or the deduction information of the second information, and the NEF determines the second information according to a second-information generation protocol pre-agreed with the AF and/or according to the deduction information.
- the flow of the configuration method 1 specifically includes the following steps:
- S400: the AF determines the reporting requirement of the event A that needs to be acquired.
- the AF generates first indication information A corresponding to the reporting requirement, where the first indication information is used to perform first permission verification on the received report message of the event A.
- the first indication information A in the embodiment of this application may be a token, where the token in the embodiment of this application can be used to grant certain operations to certain objects; for example, in this application the token is only valid for the designated UPF group to send the report message to the AF, and therefore cannot be tampered with. Therefore, the AF described in the embodiment of the present application can determine through the token whether the received report message is valid.
- the AF generates the first indication information A, and the first indication information A is only used for transmission verification between the AF and UPF1; if the AF receives first indication information A sent by UPF2, the AF confirms that the information sent by UPF2 is invalid, and no further processing is performed.
- the first indication information A in the embodiment of the present application may also be a random number and/or additional information.
- the AF sends a request message to the NEF, where the request message includes the reporting requirement of the event A and the first indication information A.
- the reporting requirement includes whether the AF needs and/or supports user plane notification.
- the AF may also determine the deduction information used to generate the second information A, and send the deduction information to the NEF, so that the NEF can determine the second information A according to the deduction information.
- the second information A is used by the UPF to protect the report message of the event A sent.
- the AF in the embodiment of the present application may carry the deduction information in the request message, that is, the request message sent by the AF to the NEF includes the reporting requirement of the event A, the The first indication information A and the deduction information; or,
- the AF may carry the deduction information in other transmission messages or directly send the deduction information as a transmission message to the NEF.
- the deduction information determined by the AF in the embodiment of the present application may be used only to notify the NEF how to determine the second information A.
- the request message sent by the AF to the NEF carries the deduction information, where the deduction information is used to instruct the NEF to determine the second information according to the first indication information. Therefore, after the NEF receives the request message, the NEF determines the second information A according to the first indication information included in the request message.
- the deduction information determined by the AF in the embodiment of the present application may be used to notify the NEF how to determine the second information A and carry information used to generate the second information A.
- the request message sent by the AF to the NEF carries the deduction information.
- the deduction information is used to instruct the NEF to determine the second information A according to the random number A, and the deduction information carries the random number A, and the random number A is randomly generated by the AF. Therefore, after the NEF receives the request message, the NEF obtains the random number A according to the request message, and generates the second information A according to the random number A.
- the deduction information in the embodiment of the present application can also be used to generate first information A, and the first information is used by the AF to perform second authority verification on the report message of the event A sent by the UPF.
- the deduction information may be a random number and/or an additional message generated by the AF, and the deduction information is used as an input parameter of an irreversible function in the NEF to generate the second information.
- the NEF receives the request message, and determines an AF address that sends the request message.
- the second information A is used for UPF to protect the report message of the event A sent.
- the NEF may generate the second information A according to a pre-negotiated agreement with the AF.
- the protocol may be instructing the NEF and the AF to generate the second information A according to one or more of the following information:
- the first indication information A; the shared information of the connection between the NEF and the AF.
- the shared information may be a parameter describing the TLS connection between the NEF and the AF.
- the NEF generates the second information A according to the deduction information.
- the NEF sends a response message to the AF, where the response message is used to indicate the NEF's reply to the received request message.
- the NEF sends notification information to the PCF, where the notification information includes the reporting requirement of the event A, the first indication information A, the AF address, and the second information A.
- the PCF receives the notification information sent by the NEF, and determines second indication information according to the notification information, where the second indication information is used to instruct the SMF to configure a user plane event reporting path.
- the second indication information may include the PCC rule generated by the PCF according to the reporting requirement of the event A, the AF address, and the second information A.
- the PCF sends second indication information to the SMF.
- the second indication information includes the AF address, the reporting requirement of the event A, the first indication information A, and the second information A.
- the PCF may determine a PCC rule according to the notification information, where the PCC rule includes the AF address, the reporting requirement of the event A, the first indication information A, and the second information A, and the PCF sends the PCC rule as the second indication information to the SMF.
- the PCF may determine the PCC rule according to the notification information.
- the PCC rule includes the following information:
- the AF address, the reporting requirement of the event A, the first indication information A, and the second information A.
- the PCF may send the PCC rule together with other information not included in the PCC rule as the second indication information to the SMF.
- the second indication information includes the PCC rule, the first indication information A, and the second information A.
- S409: the SMF instructs the UPF to perform user plane path configuration according to the second indication information sent by the PCF.
- the SMF mainly instructs the UPF to perform the following according to the second indication information:
- S409a: determine the report message of the event A.
- S409b: protect the report message of the event A through the second information A.
- the protection of the report message of the event A may be one or more of the following:
- the second information A is used to perform anti-replay protection on the reported message of the event A.
- the second information A is used to perform integrity protection on the report message of the event A.
- the anti-replay protection may use the second information A to generate a first digital signature over the report message and the message sequence number at the time the message is sent.
- the encryption protection may use the second information A to generate a first encrypted message from the report message.
- the integrity protection may use the second information A to generate a second digital signature over the report message.
- the protection of the reported message of the event A in the embodiment of the present application is not limited to the above-mentioned types, and any message protection method that can be applied to the embodiment of the present application belongs to the protection scope of the embodiment of the present application.
- S409c: send the report message protected by the second information A and the first indication information to the AF.
- S410: the AF generates first information A, and the first information A is used to perform second authority verification on the received report message of the event A.
- the second authority verification may be one or more of the following:
- the AF obtains the first digital signature of the protected report message, and the anti-replay verification may then use the first information A, the report message and the message sequence number at the time of sending to verify the first digital signature.
- the decryption may use the second information A to decrypt the protected report message to obtain the report message. If the AF successfully decrypts the protected report message through the second information A, it is confirmed that the report message passes the second authority verification, and the AF can obtain the report message.
- the AF obtains the second digital signature of the protected report message, and the integrity verification may use the second information A and the report message to verify the second digital signature.
- S411: the AF associates the first indication information A with the first information A.
- the AF associates the first indication information A, the first information A, and the reporting requirement of the event A.
- the third authority verification is used by the AF to verify whether the report message meets the reporting requirement of the event A. It may also be that, when the first indication information cannot show whether the UPF has the authority to send a report message that meets the reporting requirement, the mapping relationship among the first indication information A, the first information A and the event A enables the AF to verify whether the UPF has the authority to send a report message that meets the reporting requirement.
- S400 to S411 may also be executed after the AF determines that the received report message of the event A passes the first authority verification.
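The following is an added worked example, not code from the application or from any of the network elements it describes. It models configuration method 1 end to end with a symmetric construction: the second information A is derived from the deduction information (a random number A) and the first indication information A (a token) through an irreversible function, as the passage on the NEF's derivation describes; the UPF then uses it for integrity and anti-replay protection of each report message (S409b), and the AF performs the first authority verification on the token, the second authority verification on the digital signature with its first information A, and the third authority verification against the associated reporting requirement (S410 and S411). The class and function names, the HKDF-style derivation with HMAC-SHA256 standing in for the digital signature, the JSON message layout and all sample values are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Assumed names and layouts: nothing below is defined by the application itself.


def derive_second_information(random_number: bytes, first_indication: bytes,
                              shared_info: bytes = b"") -> bytes:
    """One-way derivation of the second information (a shared key) from the
    deduction information (random number A), the first indication information
    (token A) and, optionally, shared information about the NEF-AF connection.
    HMAC-SHA256 is the irreversible function here; NEF and AF both run this, so
    the AF's first information A equals the UPF's second information A."""
    prk = hmac.new(random_number, first_indication + shared_info, hashlib.sha256).digest()
    return hmac.new(prk, b"second-information-A\x01", hashlib.sha256).digest()


def _canonical(report: dict) -> bytes:
    """Stable serialization so both sides sign exactly the same bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


class UPF:
    """User plane network element: protects each report message of event A (S409b)."""

    def __init__(self, first_indication: bytes, second_information: bytes):
        self.first_indication = first_indication
        self.key = second_information
        self.seq = 0  # message sequence number, bound into the signature for anti-replay

    def protect_report(self, report: dict) -> dict:
        self.seq += 1
        mac = hmac.new(self.key, self.seq.to_bytes(8, "big") + _canonical(report),
                       hashlib.sha256).hexdigest()
        return {"first_indication": self.first_indication.hex(),
                "seq": self.seq, "report": report, "mac": mac}


class AF:
    """Application function: first, second and third authority verification."""

    def __init__(self):
        self.bindings = {}   # token (hex) -> (first information A, reporting requirement)
        self.last_seq = {}   # token (hex) -> highest sequence number accepted so far

    def associate(self, first_indication: bytes, first_information: bytes, requirement: dict):
        # S411: associate first indication A, first information A and the reporting requirement.
        self.bindings[first_indication.hex()] = (first_information, requirement)

    def verify_report(self, msg: dict):
        token = msg["first_indication"]
        # First authority verification: only tokens this AF issued are valid.
        if token not in self.bindings:
            return None, "first authority verification failed"
        key, requirement = self.bindings[token]
        # Second authority verification: check the signature with first information A.
        expected = hmac.new(key, msg["seq"].to_bytes(8, "big") + _canonical(msg["report"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return None, "second authority verification failed"
        # Anti-replay: the signed sequence number must advance past the last accepted one.
        if msg["seq"] <= self.last_seq.get(token, 0):
            return None, "replay detected"
        # Third authority verification: the report must meet the associated reporting requirement.
        if msg["report"].get("event") != requirement["event"]:
            return None, "third authority verification failed"
        self.last_seq[token] = msg["seq"]
        return msg["report"], "accepted"


def run_scenario() -> dict:
    """Runs the flow on constructed values and returns the verdict for each case."""
    requirement = {"event": "QNC", "user_plane_notification": True}   # constructed
    token_a = secrets.token_bytes(16)    # first indication information A (token), constructed
    random_a = secrets.token_bytes(32)   # deduction information: random number A, constructed
    key_a = derive_second_information(random_a, token_a)  # same value at NEF/UPF and AF

    af = AF()
    af.associate(token_a, key_a, requirement)
    upf1 = UPF(token_a, key_a)

    good = upf1.protect_report({"event": "QNC", "ue": "ue-constructed-1", "qos_ok": False})
    tampered = dict(good, report=dict(good["report"], qos_ok=True))   # body changed in transit
    upf2 = UPF(secrets.token_bytes(16), key_a)                         # holds a token the AF never issued
    foreign = upf2.protect_report({"event": "QNC", "ue": "ue-constructed-2", "qos_ok": False})
    wrong_event = upf1.protect_report({"event": "OTHER", "ue": "ue-constructed-1"})

    return {
        "valid": af.verify_report(good)[1],
        "replayed": af.verify_report(good)[1],       # same message delivered a second time
        "tampered": af.verify_report(tampered)[1],
        "other_upf": af.verify_report(foreign)[1],
        "wrong_event": af.verify_report(wrong_event)[1],
    }


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:12s} -> {verdict}")
```

The order of checks matters: the signature is verified before the sequence number is consulted, and `last_seq` is updated only after every check has passed, so a forged or tampered message can never advance the replay window. The encryption protection the passage also lists would be layered on the same key; it is omitted here so the three verifications stay readable.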
- Configuration method 2: the AF generates the first indication information and/or the deduction information of the second information, and the SMF determines the second information according to a second-information generation protocol pre-agreed with the AF and/or according to the deduction information.
- the flow of the configuration method 2 specifically includes the following steps:
- S500: the AF determines the reporting requirement of the event A that needs to be acquired.
- S501: the AF generates first indication information A corresponding to the reporting requirement, where the first indication information is used to perform first permission verification on the received report message of the event A.
- the first indication information A in the embodiment of this application may be a token, where the token in the embodiment of this application can be used to grant certain operations to certain objects; for example, in this application the token is only valid for the designated UPF group to send the report message to the AF, and therefore cannot be tampered with. Therefore, the AF described in the embodiment of the present application can determine through the token whether the received report message is valid.
- the AF generates the first indication information A, and the first indication information A is only used for transmission verification between the AF and UPF1; if the AF receives first indication information A sent by UPF2, the AF confirms that the information sent by UPF2 is invalid, and no further processing is performed.
- the first indication information A in the embodiment of the present application may also be a random number and/or additional information.
- the AF sends a request message to the NEF, where the request message includes the reporting requirement of the event A and the first indication information A.
- the reporting requirement includes whether the AF needs and/or supports user plane notification.
- the AF may also determine the deduction information used to generate the second information A and send the deduction information to the NEF, so that the NEF can carry the deduction information in the notification sent to the SMF, causing the SMF to determine the second information A according to the deduction information.
- the second information A is used by the UPF to protect the report message of the event A sent.
- S503: the NEF receives the request message, and determines the AF address from which the request message was sent.
- S504: the NEF sends a response message to the AF, where the response message is used to indicate the NEF's reply to the received request message.
- the NEF sends notification information to the PCF, where the notification information includes the reporting requirement of the event A, the first indication information A, and the AF address.
- the notification message sent by the NEF to the PCF may also include the derivation information, so that the SMF determines the second information A according to the derivation information.
- the PCF receives the notification information sent by the NEF, and determines second indication information according to the notification information, where the second indication information is used to instruct the SMF to configure a user plane event reporting path.
- the second indication information includes the AF address, the reporting requirement of the event A, and the first indication information A.
- the second indication information may also include the derivation information, so that after receiving the second indication information, the SMF determines the second information A according to the derivation information.
- For example, the PCF may determine a PCC rule according to the notification information, where the PCC rule includes the AF address, the reporting requirement of the event A and the first indication information A, and may also include the derivation information; the PCF then sends the PCC rule itself as the second indication information to the SMF.
- Alternatively, the PCF may determine the PCC rule according to the notification information, where the PCC rule includes only some of the following information:
- the AF address, the reporting requirement of the event A, the first indication information A, and the derivation information.
- In that case the PCF sends the PCC rule together with the information not included in the PCC rule as the second indication information to the SMF.
- For example, if the notification message includes the derivation information
- and the PCC rule includes the AF address and the reporting requirement of the event A,
- then the second indication information includes the PCC rule, the first indication information A and the derivation information.
- the PCF sends second indication information to the SMF.
- the SMF generates the second information A.
- the SMF may generate the second information A according to a protocol pre-negotiated with the AF.
- the protocol may instruct the SMF and the AF to generate the second information A according to one or more of the following information:
- the first indication information A, and the shared information of the connection between the NEF and the AF.
- the shared information may be a parameter describing the TLS connection between the NEF and the AF.
- Alternatively, the SMF generates the second information A according to the derivation information.
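An added example, not from the patent, of the pre-agreed derivation just described: both the SMF and the AF feed the first indication information A, a parameter of the NEF-AF TLS connection and the AF-supplied derivation information into one deterministic key derivation and obtain the same second information A without ever sending the key itself. HKDF-SHA256 (RFC 5869) as the derivation function, the context label, and the assumption that the TLS parameter is forwarded to the SMF together with the PCC rule are choices made for this example; the patent only says the protocol uses one or more of these inputs.

```python
import hashlib
import hmac


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with SHA-256: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_second_information(first_indication, tls_shared_param, derivation_info, length=32):
    """Pre-agreed derivation run identically by the SMF and the AF.

    first_indication:  first indication information A (e.g. the token); public.
    tls_shared_param:  a parameter of the NEF-AF TLS connection known to both ends
                       (assumed here to reach the SMF with the PCC rule).
    derivation_info:   the derivation information the AF supplied via the NEF.
    """
    prk = hkdf_extract(salt=tls_shared_param, ikm=derivation_info)
    info = b"second information A|" + first_indication  # constructed label
    return hkdf_expand(prk, info, length)


def rfc5869_self_test():
    """Check the HKDF primitive against RFC 5869 test case 1."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    okm = hkdf_expand(hkdf_extract(salt, ikm), info, 42)
    return okm.hex() == (
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )


if __name__ == "__main__":
    # Constructed inputs: a token string, a TLS exporter-like value, an AF-chosen secret.
    token_a = b"tokenA.example"
    tls_param = bytes.fromhex("aa" * 32)
    deriv = bytes.fromhex("5eed" * 16)
    k_smf = derive_second_information(token_a, tls_param, deriv)  # SMF side
    k_af = derive_second_information(token_a, tls_param, deriv)   # AF side
    print(rfc5869_self_test(), k_smf == k_af, k_smf.hex())
```

The derived key is only as secret as its inputs. Because the first indication information A is later sent in the clear from the UPF to the AF, a derivation that used only that input would let anyone observing that traffic recompute the second information A; at least one of the TLS parameter or the derivation information has to be secret and carried only over the protected NEF, PCF and SMF interfaces.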
- the SMF generates third indication information according to the second indication information and the second information A.
- the third indication information is used to instruct the UPF to perform user plane path configuration.
- the SMF instructs the UPF to perform user plane path configuration according to the third indication information.
- the SMF mainly instructs the UPF to perform the following according to the third indication information:
- S510a Determine the report message of the event A.
- S510b Protect the report message of the event A through the second information A.
- S510c Send the report message protected by the second information A, together with the first indication information A, to the AF.
- S511 The AF generates first information A, where the first information A is used to perform a second authority verification on the received report message of the event A.
- S512 The AF associates the first indication information A with the first information A.
- the AF may also associate the first indication information A, the first information A and the reporting requirement of the event A, so that a third authority verification can be performed.
- the third authority verification is used by the AF to verify whether the report message meets the reporting requirement of the event A. When the first indication information alone cannot show whether the UPF has the authority to send a report message that meets the reporting requirement, the mapping relationship among the first indication information A, the first information A and the reporting requirement of the event A enables the AF to verify whether the UPF has that authority.
- The order of S500 to S512 is not limited in the embodiments of the present application; any solution that implements the technical solution of the present application by reordering or omitting the foregoing steps falls within the protection scope of the present application.
- For example, S511 to S512 in the embodiment of this application may be performed after S501.
- S511 to S512 may also be executed after the AF determines that the received report message of the event A passes the first authority verification.
- In configuration method 3, the AF obtains the first indication information generated by the NEF, and the NEF determines the second information according to a second-information generation protocol preset with the AF and/or derivation information obtained from the AF.
- the process of configuration method 3 specifically includes the following steps:
- S600 The AF determines the reporting requirement of the event A that needs to be acquired.
- the AF may also determine derivation information used to generate the second information A, and send the derivation information to the NEF, so that the NEF can determine the second information A according to the derivation information.
- the second information A is used by the UPF to protect the report message of the event A sent.
- the AF sends a request message to the NEF, where the request message includes the reporting requirement of the event A.
- the reporting requirement includes whether the AF needs and/or supports user plane notification.
- the request message may also include the derivation information.
- the NEF receives the request message, and determines an AF address that sends the request message.
- the NEF generates first indication information A corresponding to the reporting requirement according to the request message, where the first indication information is used to perform first authority verification on the received reporting message.
- the NEF sends a response message to the AF, where the response message includes the first indication information A.
- the second information A is used by the UPF to protect the report message of the event A sent, and the method for determining the second information A by the NEF is specifically described in S404 above, and details are not described herein.
- the NEF sends notification information to the PCF, where the notification information includes the reporting requirement of the event A, the first indication information A, the AF address, and the second information A.
- the PCF receives the notification information sent by the NEF, and determines second indication information according to the notification information, where the second indication information is used to instruct the SMF to configure a user plane event reporting path.
- the second indication information includes the AF address, the reporting requirement of the event A, the first indication information A, and the second information A.
- For the second indication information, refer to S408 above; details are not repeated here.
- the PCF sends second indication information to the SMF.
- the SMF instructs the UPF to perform user plane path configuration according to the second indication information.
- the SMF mainly instructs the UPF to perform the following according to the second indication information:
- S609a Determine the report message of the event A.
- S609b Protect the report message of the event A through the second information A.
- S609c Send the report message protected by the second information A, together with the first indication information A, to the AF.
- S610 The AF generates first information A, and the first information A is used to perform a second authority verification on the received report message of the event A.
- S611 The AF associates the first indication information A with the first information A.
- the AF may also associate the first indication information A, the first information A and the reporting requirement of the event A, so that a third authority verification can be performed.
- the third authority verification is used by the AF to verify whether the report message meets the reporting requirement of the event A. When the first indication information alone cannot show whether the UPF has the authority to send a report message that meets the reporting requirement, the mapping relationship among the first indication information A, the first information A and the reporting requirement of the event A enables the AF to verify whether the UPF has that authority.
- S610 to S611 may also be executed after the AF determines that the received report message of the event A passes the first authority verification.
- In configuration method 4, the AF obtains the first indication information generated by the NEF, and the SMF determines the second information according to a second-information generation protocol preset with the AF and/or derivation information obtained from the AF.
- the process of configuration method 4 specifically includes the following steps:
- the AF determines the reporting requirement of the event A that needs to be acquired.
- the AF may also determine derivation information used to generate the second information A, and send the derivation information to the NEF, so that the SMF can determine the second information A according to the derivation information.
- the second information A is used by the UPF to protect the report message of the event A sent.
- S701 The AF sends a request message to the NEF, where the request message includes the reporting requirement of the event A.
- the reporting requirement includes whether the AF needs and/or supports user plane notification.
- the request message may also include the derivation information.
- the NEF receives the request message, and determines an AF address that sends the request message.
- S703 The NEF generates first indication information A corresponding to the reporting requirement according to the request message, where the first indication information is used to perform first authority verification on the received reporting message.
- S704 The NEF sends a response message to the AF, where the response message includes the first indication information A.
- the NEF sends notification information to the PCF, where the notification information includes the reporting requirement of the event A, the first indication information A, and the AF address.
- the notification message sent by the NEF to the PCF may also include the derivation information, so that the SMF determines the second information A according to the derivation information.
- the PCF receives the notification information sent by the NEF, and determines second indication information according to the notification information, where the second indication information is used to instruct the SMF to configure a user plane event reporting path.
- the second indication information includes the AF address, the reporting requirement of the event A, and the first indication information A.
- the second indication information may also include the derivation information, so that after receiving the second indication information, the SMF determines the second information A according to the derivation information.
- the PCF sends second indication information to the SMF.
- S708 The SMF generates the second information A.
- the SMF generates third indication information according to the second indication information and the second information A.
- the third indication information is used to instruct the UPF to perform user plane path configuration.
- the SMF instructs the UPF to perform user plane path configuration according to the third indication information.
- the SMF mainly instructs the UPF to perform the following according to the third indication information:
- S710a Determine the report message of the event A.
- S710b Protect the report message of the event A through the second information A.
- S710c Send the report message protected by the second information A, together with the first indication information A, to the AF.
- S711 The AF generates first information A, where the first information A is used to perform a second authority verification on the received report message of the event A.
- S712 The AF associates the first indication information A with the first information A.
- the AF may also associate the first indication information A, the first information A and the reporting requirement of the event A, so that a third authority verification can be performed.
- the third authority verification is used by the AF to verify whether the report message meets the reporting requirement of the event A. When the first indication information alone cannot show whether the UPF has the authority to send a report message that meets the reporting requirement, the mapping relationship among the first indication information A, the first information A and the reporting requirement of the event A enables the AF to verify whether the UPF has that authority.
- The order of S700 to S712 is not limited in the embodiments of the present application; any solution that implements the technical solution of the present application by reordering or omitting the foregoing steps falls within the protection scope of the present application.
- For example, S711 to S712 in the embodiment of this application may be performed after S701.
- S711 to S712 may also be executed after the AF determines that the received report message of the event A passes the first authority verification.
- Triggering situation 2: the SMF receives a PDU session establishment request sent by a new terminal device.
- In this case the SMF actively obtains the PCC rules from the PCF.
- A set of PCC rules for the UE can be stored in the PCF in advance, so that when the UE subsequently accesses, the SMF actively requests the PCC rules from the PCF and performs user plane event reporting using the information delivered by the PCF.
- The ways in which the SMF performs user plane path configuration are not limited to the following.
- In one implementation, the SMF determines the second information according to pre-configured derivation information.
- the process of triggering situation 2 in this implementation specifically includes the following steps:
- the PCF obtains the AF address corresponding to the event A, the reporting requirement of the event A, and the first indication information A in advance.
- the information obtained in advance by the PCF may further include the derivation information, so that the SMF generates the second information A according to the derivation information.
- the method for the PCF to obtain the foregoing information in advance may be any one of configuration methods 1 to 4.
- Alternatively, information such as the AF address corresponding to the event A, the reporting requirement of the event A, and the first indication information A may be pre-stored in the PCF, so that the PCF can obtain the above information in advance.
- Alternatively, the AF address corresponding to the event A, the reporting requirement of the event A, the first indication information A and other information may be pre-stored in another third party with a storage function, so that the PCF can obtain the above information from the third party in advance.
- the AF obtains the first indication information A and the first information A in advance, and maintains a mapping relationship between the first indication information A and the first information A.
- the AF obtains the reporting requirement of the event A, the first indication information A, and the first information A in advance, and maintains the reporting requirement of the event A, the first indication information A, and the The mapping relationship of the first information A.
- the method for the AF to obtain the foregoing information in advance may be any one of configuration methods 1 to 4.
- information such as the first indication information A and the first information A may be pre-stored in the AF, so that the AF can obtain the foregoing information in advance.
- Alternatively, the first indication information A, the first information A and other information may be pre-stored in another third party with a storage function, so that the AF can obtain the above information from the third party in advance.
- After receiving the PDU session establishment request sent by the new terminal device, the SMF sends a request for acquiring the second indication information to the PCF.
- the second indication information includes the AF address, the reporting requirement of the event A, and the first indication information A.
- the second indication information may also include the AF address, the reporting requirement of the event A, the first indication information A, and the derivation information. It should be noted that the second indication information in the embodiment of the present application may also include other information, which is not limited here.
- Since the SMF requests the second indication information in order to obtain the aforementioned information, the PCF may simply notify the SMF of the aforementioned information that it obtained in advance.
- the PCF determines the second indication information according to the pre-acquired AF address, the reporting requirement, and the first indication information A.
- the PCF may also determine the second indication information according to the AF address, the reporting requirement, the first indication information A, and the derivation information.
- For example, the PCF may determine the PCC rule according to the pre-stored AF address corresponding to the event A, the reporting requirement of the event A, and the derivation information used to determine the second information, where the PCC rule includes the AF address, the reporting requirement of the event A, the first indication information A and the derivation information; the PCF then sends the PCC rule itself as the second indication information to the SMF.
- Alternatively, the PCF may determine the PCC rule according to the pre-stored AF address corresponding to the event A, the reporting requirement of the event A, and the derivation information used to determine the second information,
- where the PCC rule includes only some of the following information:
- the AF address, the reporting requirement of the event A, the first indication information A, and the derivation information.
- In that case the PCF sends the PCC rule together with the information not included in the PCC rule as the second indication information to the SMF.
- For example, the second indication information includes the PCC rule, the first indication information A, and the derivation information.
- S804 The SMF generates the second information A.
- S805 The SMF generates third indication information according to the second indication information and the second information A.
- S806 The SMF instructs the UPF to perform user plane path configuration according to the second indication information and the second information A.
- the SMF mainly instructs the UPF to perform the following according to the third indication information:
- S806b Protect the report message of the event A through the second information A;
- S806c Send the report message protected by the second information A, together with the first indication information A, to the AF.
- In another implementation, the SMF obtains the second information from pre-configured information.
- the process of triggering situation 2 in this implementation specifically includes the following steps:
- the PCF obtains the AF address corresponding to the event A, the reporting requirement of the event A, and the first indication information A in advance.
- the information pre-stored by the PCF may also include the second information A, where for specific content, refer to the above S800, and details are not described herein.
- the AF obtains the first indication information A and the first information A in advance, and maintains a mapping relationship between the first indication information A and the first information A.
- the AF obtains the reporting requirement of the event A, the first indication information A, and the first information A in advance, and maintains the mapping relationship among the reporting requirement of the event A, the first indication information A, and the first information A; for specific content, refer to the foregoing S801, and details are not repeated here.
- After receiving the PDU session establishment request sent by the new terminal device, the SMF sends a request for acquiring the second indication information to the PCF.
- the second indication information includes the AF address, the reporting requirement of the event A, and the first indication information A.
- the second indication information may include the AF address, the reporting requirement of the event A, and the first indication information A and the second information A.
- the second indication information in the embodiment of the present application may also include other information, which is not limited here.
- the PCF sends the second indication information to the SMF.
- Since the SMF requests the second indication information in order to obtain the aforementioned information, the PCF may simply notify the SMF of the aforementioned information that it obtained in advance.
- the PCF determines the second indication information according to the pre-stored AF address, the reporting requirement, and the first indication information A.
- the PCF may also determine the second indication information according to the AF address, the reporting requirement, the first indication information A, and the second information A.
- For example, the PCF may determine a PCC rule according to the pre-stored AF address corresponding to the event A, the reporting requirement of the event A, and the second information A, where the PCC rule includes the AF address, the reporting requirement of the event A, the first indication information A and the second information A; the PCF then sends the PCC rule itself as the second indication information to the SMF.
- Alternatively, the PCF may determine the PCC rule according to the pre-stored AF address corresponding to the event A, the reporting requirement of the event A, and the second information A,
- where the PCC rule includes only some of the following information:
- the AF address, the reporting requirement of the event A, the first indication information A, and the second information A.
- In that case the PCF sends the PCC rule together with the information not included in the PCC rule as the second indication information to the SMF.
- For example, the second indication information includes the PCC rule, the first indication information A, and the second information A.
- S904 The SMF instructs the UPF to perform user plane path configuration according to the second indication information.
- the SMF mainly instructs the UPF to perform the following according to the second indication information:
- S904b Protect the report message of the event A through the second information A;
- S904c Send the report message protected by the second information A, together with the first indication information A, to the AF.
- After the UPF receives the indication information sent by the SMF, as shown in FIG. 10, the process in which the UPF sends the event report message to the AF specifically includes the following steps:
- the UPF receives the third indication information sent by the SMF.
- the second indication information may be used as the third indication information; or,
- the second indication information and the entire second information A may be used as the third indication information.
- the UPF determines the report message of the event A.
- the UPF uses the second information A in the third indication information to protect the report message.
- the UPF may determine timestamp information and/or a message sequence number for the generated report message of the event A, and use the second information A to encrypt the report message together with the timestamp information and/or the message sequence number as a whole.
- the AF then performs an anti-replay check according to the timestamp information and/or the message sequence number.
- Alternatively, the UPF may take the report message of the event A as the input of an irreversible (one-way) function to generate a first result; the first result encrypted by the UPF with the second information serves as a digital signature, so that after recovering the report message with the first information, the AF checks the integrity of the report message by verifying the digital signature with the first information.
- the UPF sends the report message protected by the second information and the first indication information to the AF.
- the AF determines whether first indication information identical to the received first indication information exists locally, and if so, determines that the report message passes the first authority verification; or,
- the AF determines the reporting requirement corresponding to the received report message, determines the locally stored first indication information corresponding to that reporting requirement according to the mapping relationship between the reporting requirement and the locally stored first indication information, and, if the first indication information corresponding to the reporting requirement is identical to the received first indication information, determines that the report message passes the first authority verification; or,
- the AF obtains, from the token, the information on the UPF group that is allowed to send the report message to the AF, and checks whether the sending UPF is in that group; if it is, the AF determines that the report message passes the first authority verification.
- the UPF group information may be a set of UPF identification information.
- S1005 If the AF determines that the report message fails the first authority verification, it discards the report message; otherwise, it determines the first information corresponding to the first indication information and continues with S1006.
- the AF performs a second authority verification on the report message protected by the second information through the first information.
- the AF performs the second permission verification on the encrypted report message through the first information, and the specific methods are not limited to the following.
- Verification method 1 If the AF can successfully decrypt the report message protected by the second information through the first information, the AF determines that the report message passes the second authority verification.
- Verification method 2 If the AF can successfully decrypt the encrypted report message through the first information, and determines that the timestamp information and/or message sequence number carried in the report message are valid, the AF determines that the report message passes the second authority verification.
- Whether the timestamp information and/or message sequence number is valid can be determined in the following manner:
- the AF obtains the decrypted timestamp information and/or message sequence number and compares it with the timestamp information and/or message sequence number carried in the report message it received; if the two are the same, the AF confirms that the report message passes the anti-replay check.
- Verification method 3 In integrity verification, the AF decrypts the digital signature carried in the report message with the first information (which corresponds to the second information A) to obtain the first result, and then
- uses the decrypted report message as the input of the irreversible function to generate a second result; the first result and the second result are compared, and if they are the same, it is confirmed that the report message passes the integrity check.
- the first indication information sent by the UPF to the AF may be expressed as first authority verification information.
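The following is an added example, written for this page and not the patent's own code, that carries the exchange of FIG. 10 through in code: the UPF protects the report message, its sequence number and its timestamp as a whole under the second information A and sends it with the first indication information A in the clear, and the AF runs the first authority verification (local lookup of the indication, the first variant above), the second authority verification (integrity check, then decryption with the first information), the anti-replay check on sequence number and timestamp, and the third authority verification against the reporting requirement. It assumes the first information A and the second information A are the same 32-byte symmetric key (the patent leaves their relationship open), uses HMAC-SHA256 in counter mode plus an HMAC tag as a standard-library stand-in for a real AEAD such as AES-GCM, and constructs all keys, identifiers and report contents.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed for this example. second information A (UPF) and first information A
# (AF) are assumed to be one shared 32-byte key. The HMAC-counter keystream is a
# stdlib stand-in for a real AEAD (e.g. AES-GCM), not a recommendation.


def _subkeys(key):
    """Separate encryption and MAC keys from the shared key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect_report(second_info, upf_id, first_indication, report, seq, ts):
    """UPF side: encrypt report, sequence number and timestamp as a whole, then
    MAC over the clear header, nonce and ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(second_info)
    body = json.dumps({"report": report, "seq": seq, "ts": ts}, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    header = json.dumps({"upf": upf_id, "token": first_indication, "seq": seq},
                        sort_keys=True).encode()
    tag = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()
    return {"header": header, "nonce": nonce, "ct": ct, "tag": tag}


class ReportReceiver:
    """AF side: first, second and third authority verification plus anti-replay."""

    def __init__(self, bindings, window_s=30):
        # first indication information -> (first information, reporting requirement)
        self.bindings = bindings
        self.window_s = window_s
        self.last_seq = {}  # highest accepted sequence number per UPF

    def receive(self, msg, now):
        header = json.loads(msg["header"])
        binding = self.bindings.get(header["token"])
        if binding is None:  # S1005: no matching first indication stored locally
            return None, "first authority verification failed: unknown indication"
        first_info, requirement = binding
        enc_key, mac_key = _subkeys(first_info)
        expected = hmac.new(mac_key, msg["header"] + msg["nonce"] + msg["ct"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):  # integrity before decrypt
            return None, "second authority verification failed: integrity check"
        body = json.loads(bytes(a ^ b for a, b in zip(
            msg["ct"], _keystream(enc_key, msg["nonce"], len(msg["ct"])))))
        upf = header["upf"]
        # anti-replay: protected seq must equal the clear seq and be strictly increasing
        if body["seq"] != header["seq"] or body["seq"] <= self.last_seq.get(upf, -1):
            return None, "anti-replay check failed: sequence number"
        if abs(now - body["ts"]) > self.window_s:
            return None, "anti-replay check failed: timestamp outside window"
        if body["report"].get("event") != requirement["event"]:  # third verification
            return None, "third authority verification failed: reporting requirement"
        self.last_seq[upf] = body["seq"]
        return body["report"], "ok"


if __name__ == "__main__":
    key = bytes(range(32))
    af = ReportReceiver({"tokenA": (key, {"event": "QNC"})})
    msg = protect_report(key, "UPF1", "tokenA",
                         {"event": "QNC", "qfi": 5, "gfbr_guaranteed": False}, seq=1, ts=1000)
    print(af.receive(msg, now=1005))  # accepted
    print(af.receive(msg, now=1006))  # replayed: rejected
```

Two points the patent text leaves implicit are made explicit here. The integrity tag is checked before any decryption, so a tampered ciphertext never reaches the JSON parser. And comparing the decrypted sequence number with the clear copy, as verification method 2 describes, only proves the two were bound together by the sender; to reject a replayed message the AF must also keep per-UPF state (here a strictly increasing sequence number and a timestamp window).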
- the above-mentioned realization devices include hardware structures and/or software modules corresponding to the respective functions.
- the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
- an event reporting device of the present application may be the service server described in the embodiment of the present application.
- the service server includes a processor 1100, a memory 1101, and a communication interface 1102.
- the processor 1100 is responsible for managing the bus architecture and general processing, and the memory 1101 may store data used by the processor 1100 when performing operations.
- the communication interface 1102 (a transceiver) is used to receive and send data under the control of the processor 1100, and exchanges data with the memory 1101.
- the processor 1100 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
- the processor 1100 may further include a hardware chip.
- the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
- the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (generic array logic, GAL), or any combination thereof.
- the memory 1101 may include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
- the processor 1100, the memory 1101, and the communication interface 1102 are connected to each other.
- the processor 1100, the memory 1101, and the communication interface 1102 may be connected to each other through a bus 1103; the bus 1103 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like.
- the bus can be divided into address bus, data bus, control bus, etc. For ease of representation, only one thick line is used to represent in FIG. 11, but it does not mean that there is only one bus or one type of bus.
- the processor 1100 is configured to read the program in the memory 1101 and execute the method flow executed by the service server in S400-S411 shown in FIG. 4; or execute, for example, the service in S500-S512 shown in FIG.
- the present invention provides a second event reporting device:
- the device may be a service server, including:
- the processing unit 1200 is configured to determine first indication information of a first event, generate first information, and associate the first indication information with the first information, where the first information is used to perform second authority verification on a received report message that has been security-protected by second information;
- the communication unit 1201 is configured to receive the report message of the first event sent by the user plane network element UPF;
- the processing unit 1200 is further configured to perform first authority verification on the report message according to the first indication information and, after the first authority verification passes, determine the first information corresponding to the first indication information; perform second authority verification on the report message according to the first information; and obtain the report message that has passed the second authority verification.
- the device may be a service server, including:
- the processing unit 1200, configured to determine the first indication information of the first event;
- the communication unit 1201, configured to receive the report message of the first event sent by the user plane network element UPF;
- the processing unit 1200 is further configured to perform first authority verification on the report message according to the first indication information and, after the first authority verification passes, generate first information, where the first information is used to perform second authority verification on the received report message that has been security-protected by second information; perform second authority verification on the report message according to the first information; and obtain the report message that has passed the second authority verification.
- the functions of the processing unit 1200 and the communication unit 1201 shown in FIG. 12 may be executed by the processor 1100 reading a program in the memory 1101, or executed by the processor 1100 alone.
- the processing unit 1200 and the communication unit 1201 may execute the method flow executed by the service server in S400-S411 as shown in FIG. 4; or execute, for example, as shown in FIG.
- the communication unit 1201 may include different communication units corresponding to different communication interfaces.
- the third event reporting device of the present application may be the NEF network element described in the embodiment of the present application.
- the NEF network element includes a processor 1300, a memory 1301, and a communication interface 1302.
- the processor 1300 is responsible for managing the bus architecture and general processing, and the memory 1301 may store data used by the processor 1300 when performing operations.
- the transceiver communication interface 1302 is used to receive and send data under the control of the processor 1300 for data communication with the memory 1301.
- the processor 1300 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
- the processor 1300 may further include a hardware chip.
- the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
- the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (generic array logic, GAL), or any combination thereof.
- the memory 1301 may include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
- the processor 1300, the memory 1301, and the communication interface 1302 are connected to each other.
- the processor 1300, the memory 1301, and the communication interface 1302 may be connected to each other through a bus 1303; the bus 1303 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, etc.
- the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is used in FIG. 13, but it does not mean that there is only one bus or one type of bus.
- the processor 1300 is configured to read the program in the memory 1301 and execute the method procedure executed by the NEF in S400-S411 shown in FIG. 4; or execute, for example, the NEF execution in S500-S512 shown in FIG. Or execute, for example, the method flow executed by NEF in S600-S611 shown in FIG. 6; or execute, for example, the method flow executed by NEF in S700-S712 shown in FIG. 7; or execute, for example, S800- shown in FIG.
- the present invention provides a fourth event reporting device.
- the device may be NEF and includes:
- the communication unit 1401 used to receive a request message sent from the AF, where the request message contains the reporting requirement of the first event;
- Processing unit 1400 used to determine the first indication information of the first event and the AF address;
- the communication unit 1401 is further configured to send a notification message to the session management network element SMF, so that the SMF, according to the notification message, instructs the UPF to send the report message of the first event and the first indication information to the AF, where the report message is security-protected by second information; the first indication information is used by the AF to perform first authority verification on the report message, and the second information is used by the AF to perform second authority verification on the report message.
- the functions of the processing unit 1400 and the communication unit 1401 shown in FIG. 14 may be executed by the processor 1300 reading a program in the memory 1301, or executed by the processor 1300 alone.
- the processing unit 1400 and the communication unit 1401 may execute the method procedure executed by the NEF in S400-S411 as shown in FIG. 4; or execute, for example, S500- as shown in FIG.
- the communication unit 1401 may include different communication units corresponding to different communication interfaces.
- the fifth event reporting device of the present application may be the SMF network element described in the embodiment of the present application.
- the SMF network element includes a processor 1500, a memory 1501, and a communication interface 1502.
- the processor 1500 is responsible for managing the bus architecture and general processing, and the memory 1501 can store data used by the processor 1500 when performing operations.
- the transceiver communication interface 1502 is used to receive and send data under the control of the processor 1500 for data communication with the memory 1501.
- the processor 1500 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
- the processor 1500 may further include a hardware chip.
- the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
- the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (generic array logic, GAL), or any combination thereof.
- the memory 1501 may include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
- the processor 1500, the memory 1501, and the communication interface 1502 are connected to each other.
- the processor 1500, the memory 1501, and the communication interface 1502 may be connected to each other through a bus 1503; the bus 1503 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, etc.
- the bus can be divided into address bus, data bus, control bus, etc. For ease of representation, only one thick line is used in FIG. 15 to represent it, but it does not mean that there is only one bus or one type of bus.
- the processor 1500 is configured to read the program in the memory 1501 and execute the method flow of the SMF execution in S400-S411 shown in FIG. 4; or execute, for example, the SMF execution in S500-S512 shown in FIG. Or execute the method flow executed by SMF in S600-S611 shown in FIG. 6; or execute the method flow executed by SMF in S700-S712 shown in FIG. 7; or execute S800- shown in FIG.
- the present invention provides a sixth event reporting device.
- the device may be an SMF and includes:
- the communication unit 1601, configured to obtain second indication information sent by the policy control network element PCF;
- the processing unit 1600, configured to determine third indication information according to the second indication information, where the third indication information includes the address information of the application function AF, the reporting requirement of the first event, and the first indication information and second information corresponding to the reporting requirement;
- the communication unit 1601 is further configured to send the third indication information to the user plane network element UPF to instruct the UPF to send the report message of the first event and the first indication information to the AF, where the report message is security-protected by the second information; the first indication information is used by the AF to perform first authority verification on the report message, and the second information is used by the AF to perform second authority verification on the report message.
- the functions of the processing unit 1600 and the communication unit 1601 shown in FIG. 16 may be executed by the processor 1500 reading a program in the memory 1501, or executed by the processor 1500 alone.
- the processing unit 1600 and the communication unit 1601 may execute the method flow performed by the SMF in S400-S411 as shown in FIG. 4; or execute, for example, S500- as shown in FIG.
- the method flow of SMF execution in S800-S806 is shown; or the method flow of SMF execution in S900-S904 shown in FIG. 9 is executed; or the method flow of SMF execution in S1000-S1007 shown in FIG. 10 is executed, for example.
- the communication unit 1601 may include different communication units corresponding to different communication interfaces.
- the seventh event reporting device of the present application may be the UPF network element described in the embodiment of the present application.
- the UPF network element includes a processor 1700, a memory 1701, and a communication interface 1702.
- the processor 1700 is responsible for managing the bus architecture and general processing, and the memory 1701 can store data used by the processor 1700 when performing operations.
- the transceiver communication interface 1702 is used for receiving and sending data under the control of the processor 1700 for data communication with the memory 1701.
- the processor 1700 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
- the processor 1700 may further include a hardware chip.
- the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
- the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (generic array logic, GAL), or any combination thereof.
- the memory 1701 may include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
- the processor 1700, the memory 1701, and the communication interface 1702 are connected to each other.
- the processor 1700, the memory 1701, and the communication interface 1702 may be connected to each other through a bus 1703; the bus 1703 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, etc.
- the bus can be divided into address bus, data bus, control bus, etc. For ease of representation, only one thick line is used in FIG. 17, but it does not mean that there is only one bus or one type of bus.
- the processor 1700 is configured to read the program in the memory 1701 and execute the method flow of the UPF execution in S400-S411 shown in FIG. 4; or execute, for example, the UPF execution in S500-S512 shown in FIG. Or execute, for example, the method flow executed by UPF in S600-S611 shown in FIG. 6; or execute, for example, the method flow executed by UPF in S700-S712 shown in FIG. 7; or execute, for example, S800- shown in FIG.
- the present invention provides an eighth event reporting device.
- the device may be a UPF and includes:
- the communication unit 1801 is configured to receive third indication information sent by the session management network element SMF, where the third indication information is used to instruct the UPF to send a first event report message to the application function AF;
- the processing unit 1800 is configured to determine, according to the third indication information, the report message of the first event, the first indication information corresponding to the report message, and the second information, and to perform security protection on the report message according to the second information;
- the communication unit 1801 is further configured to send the security-protected report message and the first indication information to the AF; where the first indication information is used by the AF to perform first authority verification on the report message, and the second information is used by the AF to perform second authority verification on the report message.
- the functions of the processing unit 1800 and the communication unit 1801 shown in FIG. 18 may be executed by the processor 1700 reading a program in the memory 1701, or executed by the processor 1700 alone.
- the processing unit 1800 and the communication unit 1801 may execute the method procedure executed by the UPF in S400-S411 as shown in FIG. 4; or execute, for example, S500- as shown in FIG.
- the flow of the method executed by UPF in S800-S806 is shown; or the flow of the method executed by UPF in S900-S904 shown in FIG. 9 is executed; or the flow of the method executed by UPF in S1000-S1007 shown in FIG. 10 is executed, for example.
- the communication unit 1801 may include different communication units corresponding to different communication interfaces.
- various aspects of the event reporting method provided in the embodiments of the present invention can also be implemented in the form of a program product, which includes program code; when the program code runs on a computer device, it causes the computer device to execute the steps of the event reporting method according to the various exemplary embodiments of the application described in this specification.
- the program product can use any combination of one or more readable media.
- the readable medium may be a readable signal medium or a readable storage medium.
- the readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the above.
- more specific examples (a non-exhaustive list) of the readable storage medium in one implementation of the embodiments include: an electrical connection with one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
- the program product for event reporting may adopt a portable compact disk read-only memory (CD-ROM), include program code, and run on a server device; however, the program product of the present invention is not limited to this.
- the readable storage medium can be any tangible medium that contains or stores a program, and the program can be used by or in combination with an instruction execution system, apparatus, or device.
- the readable signal medium may include a data signal propagated in baseband or as a part of a carrier wave, and readable program code is carried therein. This propagated data signal can take many forms, including, but not limited to, electromagnetic signals, optical signals, or any suitable combination of the foregoing.
- the readable signal medium may also be any readable medium other than a readable storage medium, and the readable medium may send, propagate, or transmit a program for use by or in combination with an instruction execution system, apparatus, or device.
- the program code contained on the readable medium can be transmitted by any suitable medium, including, but not limited to, wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
- the program code used to perform the operations of the present invention can be written in any combination of one or more programming languages.
- the programming languages include object-oriented programming languages, such as Java and C++, as well as conventional procedural programming languages, such as the "C" language or similar programming languages.
- the program code can be executed entirely on the user's computing device, partly on the user's device, as an independent software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server.
- the remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device.
- the embodiments of the present application also provide a storage medium readable by a computing device for the event reporting method, that is, a non-volatile medium whose content is not lost after a power failure.
- the storage medium stores a software program, including program code; when the program code runs on a computing device and is read and executed by one or more processors, the software program can implement any of the above embodiments of the present application.
- the event reporting solution of the present application is thereby also provided.
- this application may take the form of a computer program product on a computer-usable or computer-readable storage medium, which has computer-usable or computer-readable program code embodied in the medium for use by or in conjunction with an instruction execution system.
- a computer-usable or computer-readable medium can be any medium that can contain, store, communicate, propagate, or transmit a program for use by or in combination with an instruction execution system, apparatus, or device.
Abstract
The present application discloses an event reporting method, apparatus and system, for providing a more secure event reporting method. The method includes: an AF determines first indication information of a first event; generates first information and associates the first indication information with the first information, where the first information is used to perform second authority verification on a received report message that has been protected by second information; receives a report message of the first event sent by a user plane network element UPF; performs first authority verification on the report message according to the first indication information and, after the first authority verification passes, performs second authority verification on the report message according to the first information; and obtains the report message that has passed the second authority verification. In this method the AF performs authority verification on the received report message and obtains only report messages that pass the authority verification, which ensures the security of communication between the user plane network element UPF and the AF.
Description
The present application relates to the field of wireless communication technology, and in particular to an event reporting method, apparatus and system.
With the rapid development of communication transmission technology, and especially after the introduction of fifth-generation mobile communication technology (5th generation mobile networks or 5th generation wireless systems, 5th-Generation, 5G), more and more attention is paid to the speed and timeliness of information transfer.
To better improve the timeliness of information transfer, edge computing technology is introduced into the 5G network: an edge computing platform is set up at a location close to the gateway and combined with the operator's 5G system, so that cloud computing capability is provided at the edge of the mobile network. A terminal can then interact with a local server over a short physical distance without accessing a remote server, which reduces delay, gives a better service experience and maximizes service efficiency. At the same time, the remote server only needs to process the small amount of data that has already been processed by the edge computing platform, reducing network load.
However, during communication transmission, the Next Generation Radio Access Network (NG-RAN) frequently needs to send report messages for QoS notification control (QNC) events to an Application Function (AF). With edge computing introduced into the 5G system, the AF may be deployed on the edge computing platform. When the NG-RAN sends the event report message to the AF, one option, shown as the solid-line path in FIG. 1, is for the NG-RAN to send the event report message to the AF via the Radio Access Network (RAN), the Authentication Management Function (AMF), the Session Management Function (SMF), the Policy Control Function (PCF) and the Network Exposure Function (NEF). In this option the event report message has to pass through the PCF and NEF, which are deployed high in the network, before returning to the AF on the edge computing platform, which introduces additional transmission delay and reduces the timeliness of the event report message. Another option, shown as the dashed-line path in FIG. 1, is for the NG-RAN to send the event report message to the AF over the user plane path through the User Plane Function (UPF). However, the existing scheme of sending event report messages over a configured user plane path cannot prevent an attacker from sending forged messages to the AF or from mounting a man-in-the-middle attack on the path between the UPF and the AF; for example, an attacker can send fabricated event report content to the AF, or repeat event report messages sent by other UPFs, to affect the service the AF provides to users. As another example, an attacker can replay or tamper with earlier event report messages to interfere with the service the AF provides to users.
In summary, there is currently no event reporting method that is both secure and timely.
Summary of the Invention
The present application provides an event reporting method, apparatus and system, for providing an event reporting method that is both secure and timely.
In a first aspect, an embodiment of the present application provides an event reporting method, including:
A service server determines first indication information of a first event; the service server generates first information and associates the first indication information with the first information, where the first information is used to perform second authority verification on a received report message that has been security-protected by second information; the service server receives a report message of the first event sent by a user plane network element UPF; the service server performs first authority verification on the report message according to the first indication information and, after the first authority verification passes, determines the first information corresponding to the first indication information; the service server performs second authority verification on the report message according to the first information; and the service server obtains the report message that has passed the second authority verification.
Based on this solution, the embodiment of the present application provides a way to protect the event reporting path. Further, the AF must perform first authority verification on the event report message sent from the UPF and, after the first authority verification passes, continues with second authority verification; only a report message of the event that passes the second authority verification is obtained by the AF, otherwise the AF discards the report message. This prevents an attacker from mounting a security attack on the AF through report messages and ensures the security of communication between the user plane network element UPF and the AF.
In a possible implementation, the service server determining the first indication information of the first event includes: the service server receives a response message sent by the network exposure function NEF, where the response message is sent by the NEF after receiving the reporting requirement message of the first event sent from the service server, and the service server determines the first indication information according to the response message; or the service server generates the first indication information according to the first event.
Based on this solution, the embodiment provides several ways for the AF to determine the first indication information: for example, the AF generates the first indication information itself; as another example, the NEF generates the first indication information and the AF obtains the first indication information generated by the NEF. This enriches the ways of determining the first indication information and gives wider applicability.
In a possible implementation, the service server associates the first indication information, the first information and the reporting requirement of the first event.
Based on this solution, by associating the reporting requirement of the first event with the first indication information and the first information, a third authority verification based on the reporting requirement of the first event can be added on top of the first and second authority verifications. For example, the third authority verification is used by the AF to verify whether the report message conforms to the reporting requirement of event A. As another example, when the first indication information cannot show whether the UPF is authorized to send a report message that conforms to the reporting requirement, the mapping relationship among the first indication information, the first information A and the first event allows the AF to verify whether the UPF is authorized to send a report message conforming to the reporting requirement. This better ensures the security of event reporting.
In a possible implementation, before the service server receives the report message of the first event sent by the user plane network element UPF, the service server determines derivation information for the second information and notifies the NEF of the derivation information; where the second information is the symmetric key of the first information, or the second information is the public key of the first information.
Based on this solution, the AF in the embodiment may also determine the derivation information used to generate the second information and notify the NEF, which further notifies the SMF, so that the SMF determines the second information from the derivation information and sends it to the UPF; the UPF protects the report message sent to the AF with the second information, which improves the security of event reporting.
In a possible implementation, the service server determines that the report message passes the first authority verification in the following way: the service server obtains the first authority verification information carried in the report message, and if the service server determines that the first authority verification information is partly or wholly identical to the first indication information, the service server determines that the report message passes the first authority verification.
Based on this solution, the embodiment provides how to perform first authority verification on the report message according to the first indication information.
In a possible implementation, the service server determines that the report message passes the second authority verification in the following way: the service server verifies all or part of the report message with the first information, and if the service server successfully verifies all or part of the report message, the service server determines that the report message passes the second authority verification; where all or part of the report message received by the service server has been security-protected by the UPF with the second information.
Based on this solution, the embodiment provides how to perform second authority verification on the report message according to the second information.
In a second aspect, an embodiment of the present application provides an event reporting method, including:
A service server determines first indication information of a first event; the service server receives a report message of the first event sent by a user plane network element UPF; the service server performs first authority verification on the report message according to the first indication information and, after the first authority verification passes, generates first information, where the first information is used to perform second authority verification on a received report message that has been security-protected by second information; the service server performs second authority verification on the report message according to the first information; and the service server obtains the report message that has passed the second authority verification.
Based on this solution, the embodiment of the present application provides a way to configure the event reporting path. Further, the AF must perform first authority verification on the event report message sent from the UPF and, after the first authority verification passes, continues with second authority verification; only a report message of the event that passes the second authority verification is obtained by the AF, otherwise the AF discards the report message. This prevents an attacker from mounting a security attack on the AF through report messages and ensures the security of communication between the user plane network element UPF and the AF.
In a possible implementation, the service server receives a response message sent by the network exposure function NEF, where the response message is sent by the NEF after receiving at least one reporting requirement message of the first event sent from the service server, and the service server determines the first indication information according to the response message; or the service server generates the first indication information according to the first event.
Based on this solution, the embodiment provides several ways for the AF to determine the first indication information: for example, the AF generates the first indication information itself; as another example, the NEF generates the first indication information and the AF obtains the first indication information generated by the NEF. This enriches the ways of determining the first indication information and gives wider applicability.
In a possible implementation, after the service server generates the first information, the service server associates the first indication information with the first information; or the service server associates the first indication information, the first information and the reporting requirement corresponding to the first event.
Based on this solution, by associating the reporting requirement of the first event with the first indication information and the first information, a third authority verification based on the reporting requirement of the first event can be added on top of the first and second authority verifications. For example, the third authority verification is used by the AF to verify whether the report message conforms to the reporting requirement of event A. As another example, when the first indication information cannot show whether the UPF is authorized to send a report message that conforms to the reporting requirement, the mapping relationship among the first indication information, the first information A and the first event allows the AF to verify whether the UPF is authorized to send a report message conforming to the reporting requirement. This better ensures the security of event reporting.
In a possible implementation, before the service server receives the report message of the first event sent by the user plane network element UPF, the service server determines derivation information for the second information and notifies the NEF of the derivation information; where the second information is the symmetric key of the first information, or the second information is the public key of the first information.
Based on this solution, the AF in the embodiment may also determine the derivation information used to generate the second information and notify the NEF, which further notifies the SMF, so that the SMF determines the second information from the derivation information and sends it to the UPF; the UPF protects the report message sent to the AF with the second information, which improves the security of event reporting.
In a possible implementation, the service server determines that the report message passes the first authority verification in the following way: the service server obtains the first authority verification information carried in the report message, and if the service server determines that the first authority verification information is partly or wholly identical to the first indication information, the service server determines that the report message passes the first authority verification.
Based on this solution, the embodiment provides how to perform first authority verification on the report message according to the first indication information.
In a possible implementation, the service server determines that the report message passes the second authority verification in the following way: the service server verifies all or part of the report message with the first information, and if the service server successfully verifies all or part of the report message, the service server determines that the report message passes the second authority verification; where the report message received by the service server has been security-protected by the UPF with the second information.
The embodiment thus provides how to perform second authority verification on the report message according to the second information.
In a third aspect, an embodiment of the present application provides an event reporting method, including:
A network exposure function NEF receives a request message sent from a service server, where the request message contains the reporting requirement of a first event; the NEF determines first indication information of the first event and the service server address; the NEF sends a notification message to a session management network element SMF, so that the SMF, according to the notification message, instructs the UPF to send the report message of the first event and the first indication information to the service server, where the report message is security-protected by second information; the first indication information is used by the service server to perform first authority verification on the report message, and the second information is used by the service server to perform second authority verification on the report message.
Based on this solution, the embodiment of the present application provides a way to configure the event reporting path. Further, the AF must perform first authority verification on the event report message sent from the UPF and, after the first authority verification passes, continues with second authority verification; only a report message of the event that passes the second authority verification is obtained by the AF, otherwise the AF discards the report message. This prevents an attacker from mounting a security attack on the AF through report messages and ensures the security of communication between the user plane network element UPF and the AF.
In a possible implementation, the NEF obtains the first indication information from the received request message, where the request message contains the first indication information; or, after receiving the request message, the NEF generates the first indication information according to the reporting requirement of the first event contained in the request message.
Based on this solution, the embodiment provides several ways for the NEF to determine the first indication information: for example, the NEF generates the first indication information itself; as another example, the AF generates the first indication information and the NEF obtains the first indication information generated by the AF. This enriches the ways in which the NEF determines the first indication information and gives wider applicability.
In a possible implementation, after the NEF determines the first indication information of the first event, the NEF notifies the service server of the first indication information.
Based on this solution, the embodiment provides a way in which the NEF determines the first indication information and notifies the AF of it, so that the AF determines the first indication information used for first authority verification.
In a possible implementation, the notification message contains the first indication information, the service server address, the reporting requirement of the first event and the second information, where the second information is determined by the NEF according to a second-information generation protocol preset with the service server; or, if the request message contains derivation information for generating the second information and the reporting requirement of the first event, the notification message contains the first indication information, the service server address, the reporting requirement of the first event and the derivation information; or, if the request message contains derivation information for generating the second information and the reporting requirement of the first event, the notification message contains the first indication information, the service server address, the reporting requirement of the first event and the second information, where the second information is determined by the NEF according to the derivation information; or, if the request message contains the second information and the reporting requirement of the first event, the notification message contains the first indication information, the service server address, the reporting requirement of the first event and the second information.
Based on this solution, the information contained in the notification message may take several forms, giving wider applicability.
In a fourth aspect, an embodiment of the present application provides an event reporting method, including:
A session management network element SMF obtains second indication information sent by a policy control network element PCF; the SMF determines third indication information according to the second indication information, where the third indication information contains the address information of the service server, the reporting requirement of a first event, and the first indication information and second information corresponding to the reporting requirement; the SMF sends the third indication information to the user plane network element UPF to instruct the UPF to send the report message of the first event and the first indication information to the service server, where the report message is security-protected by the second information; the first indication information is used by the service server to perform first authority verification on the report message, and the second information is used by the AF to perform second authority verification on the report message.
Based on this solution, the embodiment of the present application provides a way to configure the event reporting path. Further, the AF must perform first authority verification on the event report message sent from the UPF and, after the first authority verification passes, continues with second authority verification; only a report message of the event that passes the second authority verification is obtained by the AF, otherwise the AF discards the report message. This prevents an attacker from mounting a security attack on the AF through report messages and ensures the security of communication between the user plane network element UPF and the AF.
In a possible implementation, if the second indication information contains the address information of the service server, the reporting requirement of the first event, the first indication information and the second information, the SMF uses the second indication information as the third indication information; or, if the second indication information contains the address information of the service server, the reporting requirement of the first event, the first indication information and derivation information for determining the second information, the SMF generates the second information according to the derivation information and determines the third indication information according to the second indication information and the second information.
Based on this solution, the information contained in the second indication information may take several forms and, depending on what it contains, several ways for the SMF to determine the third indication information are provided. This enriches the ways in which the SMF determines the third indication information and gives wider applicability.
In a possible implementation, before the SMF obtains the second indication information sent by the PCF, the SMF receives a new terminal device PDU session establishment request; or the SMF receives a second indication message sent by the PCF, where the second indication message is used to instruct the SMF to trigger the UPF to send the report message corresponding to the request message to the service server.
Based on this solution, the embodiment provides several ways of triggering the SMF to obtain the second indication information sent by the PCF. For example, if the SMF receives a new terminal device PDU session establishment request, the SMF is triggered to obtain the second indication information from the PCF; as another example, if the SMF receives the second indication message sent by the PCF, the SMF is triggered to obtain the second indication information. This enriches the ways in which the SMF obtains the second indication information and gives wider applicability.
In a possible implementation, the derivation information contains shared information between the network exposure function NEF and the service server, and the first indication information.
Based on this solution, one form of the derivation information is provided.
In a fifth aspect, an embodiment of the present application provides an event reporting method, including:
A user plane network element UPF receives third indication information sent by a session management network element SMF, where the third indication information is used to instruct the UPF to send a first event report message to a service server; the UPF determines, according to the third indication information, the report message of the first event, the first indication information corresponding to the report message and the second information; the UPF performs security protection on the report message with the second information and sends the security-protected report message and the first indication information to the service server; where the first indication information is used by the service server to perform first authority verification on the report message, and the second information is used by the service server to perform second authority verification on the report message.
Based on this solution, the embodiment of the present application provides a way to configure the event reporting path. Further, the AF must perform first authority verification on the event report message sent from the UPF and, after the first authority verification passes, continues with second authority verification; only a report message of the event that passes the second authority verification is obtained by the AF, otherwise the AF discards the report message. This prevents an attacker from mounting a security attack on the AF through report messages and ensures the security of communication between the user plane network element UPF and the AF.
In a possible implementation, the security protection may be encryption and/or generation of a digital signature.
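The following is an added worked example, not code from the patent or from any 3GPP implementation, modelling the flow the first, fourth and fifth aspects describe: the SMF determines the second information (directly or from derivation information), the UPF protects the report and attaches the first indication information, and the AF performs first authority verification (does the carried indication match a registered one?) and then second authority verification (does the protection verify under the associated first information?). Assumptions not stated in the patent: HMAC-SHA256 stands in for the "security protection" (the patent allows encryption and/or a digital signature), the symmetric key is derived as HMAC over the NEF-AF shared information and the first indication information (the patent only says the derivation information contains those two values), report bodies are JSON, and all names, addresses and sample values are constructed.

```python
"""Added example (not the patent's code): user-plane event report protection
and the AF's two-stage authority verification. Assumptions are marked below."""
import hashlib
import hmac
import json
from typing import Dict, Tuple


def derive_second_information(shared_info: bytes, first_indication: bytes) -> bytes:
    """NEF/SMF side: derive the second information (a symmetric key) from the
    derivation information, i.e. the NEF-AF shared information plus the first
    indication information. The KDF construction itself is an assumption."""
    return hmac.new(shared_info, b"event-report-key|" + first_indication,
                    hashlib.sha256).digest()


def smf_determine_third_indication(second_indication: Dict) -> Dict:
    """SMF side (fourth aspect): if the second indication information from the
    PCF already carries the second information it is passed through as the
    third indication information; if it carries derivation information
    instead, the SMF derives the second information first."""
    third = {k: second_indication[k]
             for k in ("af_address", "reporting_requirement", "first_indication")}
    if "second_info" in second_indication:
        third["second_info"] = second_indication["second_info"]
    else:
        d = second_indication["derivation_info"]
        third["second_info"] = derive_second_information(d["shared_info"],
                                                         d["first_indication"])
    return third


def upf_protect_report(second_info: bytes, first_indication: bytes,
                       report: Dict) -> Dict:
    """UPF side (fifth aspect): the first indication information travels in
    clear as the first authority verification information; the MAC (standing
    in for the security protection) binds it to the report body."""
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(second_info, first_indication + b"|" + body,
                   hashlib.sha256).hexdigest()
    return {"indication": first_indication.decode(),
            "report": body.decode(), "mac": tag}


class ServiceServer:
    """AF side (first aspect): holds the association first indication
    information -> first information and verifies incoming reports."""

    def __init__(self, shared_info: bytes) -> None:
        self.shared_info = shared_info
        self.registered: Dict[bytes, bytes] = {}

    def register_event(self, first_indication: bytes) -> bytes:
        """Generate the first information for an event and associate it with
        the first indication information (symmetric case: same key as the UPF)."""
        first_info = derive_second_information(self.shared_info, first_indication)
        self.registered[first_indication] = first_info
        return first_info

    def receive(self, msg: Dict) -> Tuple[bool, str]:
        """Two-stage check; the report is only obtained when both stages pass."""
        indication = msg["indication"].encode()
        # First authority verification: the carried indication must match a
        # registered first indication information.
        first_info = self.registered.get(indication)
        if first_info is None:
            return False, "first authority verification failed: unknown indication"
        # Second authority verification: verify the protected message with the
        # first information associated with that indication.
        body = msg["report"].encode()
        expected = hmac.new(first_info, indication + b"|" + body,
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "second authority verification failed: MAC mismatch"
        return True, "accepted"


if __name__ == "__main__":
    shared = b"constructed-nef-af-shared-info"   # constructed value
    indication = b"evt-QNC-0001"                  # constructed value
    af = ServiceServer(shared)
    af.register_event(indication)
    third = smf_determine_third_indication({
        "af_address": "192.0.2.10", "reporting_requirement": "QNC",
        "first_indication": indication,
        "derivation_info": {"shared_info": shared, "first_indication": indication}})
    msg = upf_protect_report(third["second_info"], indication,
                             {"event": "QNC", "qos_flow": 5, "gfbr": "not_guaranteed"})
    print(af.receive(msg))
    tampered = dict(msg, report=msg["report"].replace("not_guaranteed", "guaranteed"))
    print(af.receive(tampered))
```

Because the tag covers both the indication and the body, a message with a forged indication fails at the first stage and a tampered or forged-key message fails at the second, which is the discard behaviour the aspects describe. Note that an unmodified valid report replayed as-is would pass both stages in this model; a deployment would carry a freshness value (counter or timestamp) inside the protected part, a detail the patent leaves to the chosen encryption or signature scheme.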
In a sixth aspect, an embodiment of the present application provides a communication apparatus having the function of implementing the network element in the above embodiments. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above function.
In a possible implementation, the communication apparatus may be an NEF network element, or a component usable in the NEF network element such as a chip, a chip system or a circuit, and may include a transceiver and a processor. The processor may be configured to support the communication apparatus in performing the corresponding functions of the NEF shown above, and the transceiver is used to support communication between the communication apparatus and other network elements (for example an SMF network element or a PCF network element) and a service server (for example an AF). Optionally, the communication apparatus may further include a memory, which may be coupled to the processor and holds the program instructions and data necessary for the communication apparatus. The transceiver may be an independent receiver, an independent transmitter, a transceiver integrating transmit and receive functions, or an interface circuit.
In another possible implementation, the communication apparatus may be an SMF network element, or a component usable in the SMF network element such as a chip, a chip system or a circuit, and may include a transceiver and a processor. The processor may be configured to support the communication apparatus in performing the corresponding functions of the SMF shown above, and the transceiver is used to support communication between the communication apparatus and other network elements (for example an NEF network element or a PCF network element) and a service server (for example an AF). Optionally, the communication apparatus may further include a memory, which may be coupled to the processor and holds the program instructions and data necessary for the communication apparatus. The transceiver may be an independent receiver, an independent transmitter, a transceiver integrating transmit and receive functions, or an interface circuit.
In another possible implementation, the communication apparatus may be a UPF network element, or a component usable in the UPF network element such as a chip, a chip system or a circuit, and may include a transceiver and a processor. The processor may be configured to support the communication apparatus in performing the corresponding functions of the UPF shown above, and the transceiver is used to support communication between the communication apparatus and other network elements (for example an NEF network element or an SMF network element) and a service server (for example an AF). Optionally, the communication apparatus may further include a memory, which may be coupled to the processor and holds the program instructions and data necessary for the communication apparatus. The transceiver may be an independent receiver, an independent transmitter, a transceiver integrating transmit and receive functions, or an interface circuit.
In a seventh aspect, an embodiment of the present application provides a communication apparatus having the function of implementing the service server in the above embodiments. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above function.
In a possible implementation, the communication apparatus may be a service server, or a component usable in the service server such as a chip, a chip system or a circuit, and may include a transceiver and a processor. The processor may be configured to support the communication apparatus in performing the corresponding functions of the service server shown above, and the transceiver is used to support communication between the communication apparatus and other network elements (for example an NEF network element or a UPF network element). Optionally, the communication apparatus may further include a memory, which may be coupled to the processor and holds the program instructions and data necessary for the communication apparatus. The transceiver may be an independent receiver, an independent transmitter, a transceiver integrating transmit and receive functions, or an interface circuit.
In an eighth aspect, an embodiment of the present application provides a communication apparatus for implementing any one of the first to fifth aspects, or any one of the methods in the first to fifth aspects.
In a possible implementation, when the communication apparatus is a service server, it may include a processing unit and a communication unit:
the processing unit is configured to determine first indication information of a first event; generate first information and associate the first indication information with the first information, where the first information is used to perform second authority verification on a received report message that has been security-protected by second information;
the communication unit is configured to receive the report message of the first event sent by the user plane network element UPF;
the processing unit is further configured to perform first authority verification on the report message according to the first indication information and, after the first authority verification passes, determine the first information corresponding to the first indication information; perform second authority verification on the report message according to the first information; and obtain the report message that has passed the second authority verification.
In a possible implementation, when the communication apparatus is a service server, it may include a processing unit and a communication unit:
the processing unit is configured to determine first indication information of a first event;
the communication unit is configured to receive the report message of the first event sent by the user plane network element UPF;
the processing unit is further configured to perform first authority verification on the report message according to the first indication information and, after the first authority verification passes, generate first information, where the first information is used to perform second authority verification on a received report message that has been security-protected by second information; perform second authority verification on the report message according to the first information; and obtain the report message that has passed the second authority verification.
In a possible implementation, when the communication apparatus is an NEF network element, it may include a processing unit and a communication unit:
the communication unit is configured to receive a request message sent from a service server, where the request message contains the reporting requirement of a first event;
the processing unit is configured to determine first indication information of the first event and the service server address;
the communication unit is further configured to send a notification message to the session management network element SMF, so that the SMF, according to the notification message, instructs the UPF to send the report message of the first event and the first indication information to the service server, where the report message is security-protected by second information; the first indication information is used by the service server to perform first authority verification on the report message, and the second information is used by the service server to perform second authority verification on the report message.
In a possible implementation, when the communication apparatus is an SMF network element, it may include a processing unit and a communication unit:
the communication unit is configured to obtain second indication information sent by the policy control network element PCF;
the processing unit is configured to determine third indication information according to the second indication information, where the third indication information contains the address information of the service server, the reporting requirement of a first event, and the first indication information and second information corresponding to the reporting requirement;
the communication unit is further configured to send the third indication information to the user plane network element UPF to instruct the UPF to send the report message of the first event and the first indication information to the service server, where the report message is security-protected by the second information; the first indication information is used by the service server to perform first authority verification on the report message, and the second information is used by the service server to perform second authority verification on the report message.
In a possible implementation, when the communication apparatus is a UPF, it may include a processing unit and a communication unit:
the communication unit is configured to receive third indication information sent by the session management network element SMF, where the third indication information is used to instruct the UPF to send a first event report message to a service server;
the processing unit is configured to determine, according to the third indication information, the report message of the first event, the first indication information corresponding to the report message and the second information, and to perform security protection on the report message with the second information;
the communication unit is further configured to send the security-protected report message and the first indication information to the service server; where the first indication information is used by the service server to perform first authority verification on the report message, and the second information is used by the service server to perform second authority verification on the report message.
In a ninth aspect, an embodiment of the present application provides a communication system including a service server, an NEF network element, an SMF network element and a UPF network element. The service server may be used to perform either of the first and second aspects, or any one of the methods in the first and second aspects; the NEF network element may be used to perform the third aspect or any one of the methods in the third aspect; the SMF network element may be used to perform the fourth aspect or any one of the methods in the fourth aspect; and the UPF network element may be used to perform the fifth aspect or any one of the methods in the fifth aspect.
In a tenth aspect, the present application provides a chip system including a processor. Optionally, it may further include a memory for storing a computer program, and the processor is used to call and run the computer program from the memory so that the communication apparatus in which the chip system is installed performs any one of the first to fifth aspects, or any one of the methods in the first to fifth aspects.
In an eleventh aspect, an embodiment of the present application provides a computer storage medium storing instructions which, when run on a communication apparatus, cause the communication apparatus to perform any one of the first to fifth aspects, or any one of the methods in the first to fifth aspects.
In a twelfth aspect, an embodiment of the present application provides a computer program product containing instructions which, when run on a communication apparatus, cause the communication apparatus to perform any one of the first to fifth aspects, or any one of the methods in the first to fifth aspects.
FIG. 1 is a schematic diagram of the paths by which the NG-RAN sends a report message to the AF;
FIG. 2 is a schematic flow diagram of the existing way of sending a report message over the user plane path;
FIG. 3 is a schematic diagram of a system architecture provided by an embodiment of the present application;
FIG. 4 is a schematic flow diagram of a first user plane path configuration provided by an embodiment of the present application;
FIG. 5 is a schematic flow diagram of a second user plane path configuration provided by an embodiment of the present application;
FIG. 6 is a schematic flow diagram of a third user plane path configuration provided by an embodiment of the present application;
FIG. 7 is a schematic flow diagram of a fourth user plane path configuration provided by an embodiment of the present application;
FIG. 8 is a schematic flow diagram of a fifth user plane path configuration provided by an embodiment of the present application;
FIG. 9 is a schematic flow diagram of a sixth user plane path configuration provided by an embodiment of the present application;
FIG. 10 is a schematic flow diagram of sending an event report message provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of a first communication apparatus provided by the present application;
FIG. 12 is a schematic diagram of a second communication apparatus provided by the present application;
FIG. 13 is a schematic diagram of a third communication apparatus provided by the present application;
FIG. 14 is a schematic diagram of a fourth communication apparatus provided by the present application;
FIG. 15 is a schematic diagram of a fifth communication apparatus provided by the present application;
FIG. 16 is a schematic diagram of a sixth communication apparatus provided by the present application;
FIG. 17 is a schematic diagram of a seventh communication apparatus provided by the present application;
FIG. 18 is a schematic diagram of an eighth communication apparatus provided by the present application.
At present, the scheme for sending the report message of an event over the user plane path is shown in Figure 2: the application-side AF sends the reporting requirement for a local event (including whether user plane notification is needed and/or supported) through the AF Request procedure, via the AF, NEF and UDR, to the PCF (it may also be sent directly to the PCF). The PCF generates a Policy Control and Charging (PCC) rule according to the AF's request, containing an indication that a given event uses user plane reporting, and informs the SMF of the PCC rule; the SMF configures the NG-RAN and UPF on the user plane path according to the PCF's notification, so that the NG-RAN and UPF can send the report messages of the events that need reporting directly over the user plane to the AF side.
However, this scheme cannot prevent an attacker from sending false messages to the AF, or from mounting a man-in-the-middle attack on the path between the UPF and the AF. For example, an attacker may send forged event report content to the AF, or repeat event report messages sent by another UPF, to affect the AF's service to users. As another example, an attacker may replay or tamper with earlier event report messages to disrupt the AF's service to users.
To solve this problem, embodiments of this application provide an event reporting method. The technical solutions of the embodiments can be applied to various communication systems, for example: long term evolution (LTE) systems, worldwide interoperability for microwave access (WiMAX) communication systems, future fifth generation (5G) systems such as new radio access technology (NR), and future communication systems such as 6G.
Taking the 5G system (also called the New Radio system) as an example: the 5G system defines new communication scenarios, namely Ultra-Reliable and Low-Latency Communication (URLLC), Enhanced Mobile Broadband (eMBB) and Massive Machine Type Communication (mMTC), which place stricter demands on the timeliness and security of the information communicated. Therefore, in scenarios that introduce edge computing, the AF is placed on an edge computing platform close to the user terminal and the local user plane network element UPF rather than deployed centrally higher up in the network, and when the network transmits the report messages of events to the AF it must consider both the timeliness and the security of the report messages the AF receives.
On the premise that the network side sends report messages to the AF through the user plane network element UPF to guarantee their timeliness, and in order to better guarantee the security of the report messages the AF receives, the embodiments propose an event reporting method in which the report message sent by the UPF to the AF must pass authorization verification by the AF; only if the verification passes does the AF obtain the report message, otherwise the core network device discards it.
Because in this method the AF performs authorization verification on each received report message and obtains only report messages that pass, security attacks on the AF through report messages can be prevented and the security of communication between the UPF and the AF is guaranteed.
To ease understanding, the communication system shown in Figure 3 is first taken as an example to describe in detail the communication system to which the embodiments apply. As shown in Figure 1, the communication system includes an edge computing platform 300, a core network device 310 and a service server 320.
The edge computing platform 300 is a network platform that provides cloud computing capability at the edge of the mobile network. It is set up close to the gateway so that user terminals can interact with the server over a short physical distance without accessing a remote server, reducing latency and giving a better service experience. At the same time the remote server only has to process the small amount of data already processed by the edge computing platform, reducing network load.
The core network device 310 is, by protocol definition, the network element that performs core switching or call routing; its main roles are providing user connectivity, managing users, and controlling all call signalling and bearer establishment.
In the embodiments, the core network device may include:
(1) an Authentication Management Function (AMF) network element;
(2) a Unified Data Management (UDM) network element, used to store the information of the core network device;
(3) an exposure function network element, which, after receiving a request from the service server to obtain an event's report message, notifies the SMF network element to perform user plane path configuration. In a 4G network the exposure function may be a service capability exposure function (SCEF); in a 5G network it may be a network exposure function (NEF); in future communication such as 6G it may still be an NEF or have another name, which this application does not limit.
(4) a Policy Control Function (PCF) network element;
(5) a Session Management Function (SMF) network element;
(6) a User Plane Function (UPF) network element;
(7) a Next Generation Radio Access Network (NG-RAN).
The service server 320 can, according to service needs, request the event report messages of a terminal or terminal group from the exposure function and report the event report messages sent by the terminal or terminal group to a target address. The target address may be the address of the service server, of another server, or of another network element in the 3GPP network. The target address can determine the terminal's status from the event report messages sent by the terminal or terminal group and thus provide service to the terminal. In a 4G network the service server may be a service capability server/application server (SCS/AS); in a 5G network it is an application function (AF). In 6G communication it may still be an AF or have another name, which this application does not limit.
The service server may place its physical or logical part into the edge computing platform 300.
In the embodiments, a terminal group includes multiple terminals; the service server can request monitoring of all terminals in the group by a terminal group identifier, and when reporting the group's event report messages to the target address the exposure function can report the event report messages of the multiple terminals in the group together, taking the group as the unit. In one concrete instance, a terminal may be a UE and a terminal group a group of UEs.
The network architecture and service scenarios described in the embodiments are meant to explain the technical solutions more clearly and do not limit them; those of ordinary skill in the art know that, as network architectures evolve and new service scenarios appear, the solutions apply equally to similar technical problems. It should be understood that Figure 3 is a simplified schematic given for ease of understanding; the communication system may also include other service servers and other terminal devices that are not drawn in Figure 3.
Some terms used in the embodiments are explained below to aid understanding.
1) Edge computing refers to an open platform on the side close to the objects or data source that integrates network, computing, storage and application capabilities and provides services at the nearest end. Its applications are initiated at the edge, producing faster network service responses and meeting the industry's basic needs in real-time services, application intelligence, security and privacy protection. Edge computing sits between physical entities and industrial connections, or on top of physical entities, while cloud computing can still access the historical data of edge computing.
For the Internet of Things, a breakthrough in edge computing means that much control will be performed by local devices without being handed to the cloud, with processing completed at the local edge computing layer. This will greatly improve processing efficiency and lighten the cloud's load; being closer to users, it can also respond to them faster and resolve needs at the edge.
2) Replay means an attacker sends a packet the destination host has already received in order to deceive the system. A replay attack can be carried out by the originator or by an adversary that intercepts and resends the data.
3) Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are security protocols intended to provide security and data integrity for Internet communication, and have become the industry standard for confidential communication on the Internet. TLS uses a client-server architecture to establish a secure connection between two applications over a network, preventing eavesdropping and tampering during data exchange.
In addition, the terms "system" and "network" are used interchangeably in the embodiments. "At least one" means one or more; "multiple" means two or more. "And/or" describes an association between related objects and indicates three possible relationships: for example, A and/or B may mean A alone, both A and B, or B alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the associated objects. "At least one (item) of the following" or similar expressions refer to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b or c may represent: a, b, c, a-b, a-c, b-c or a-b-c, where a, b and c may each be single or multiple.
Unless stated otherwise, ordinals such as "first" and "second" in the embodiments distinguish multiple objects and do not limit their order, timing, priority or importance.
Furthermore, the terms "include" and "have" in the embodiments, claims and drawings are not exclusive. For example, a process, method, system, product or device that includes a series of steps or modules is not limited to the listed steps or modules and may include steps or modules that are not listed.
Having introduced the application scenarios above, the event reporting process provided by the embodiments, which protects the security of event reporting, is now described in detail, taking the 5G scenario as an example with the service server being an AF.
The embodiments mainly describe the process, shown by the solid-line path in Figure 1 above, of sending event reports to the service server over the UPF user plane path. Note that the way of protecting event reporting provided by the embodiments can equally be combined with other event reporting processes to improve their security; for the details refer to the process of sending event reports over the UPF user plane path described in the embodiments, which is not repeated.
To better protect the security of reported events, the embodiments mainly have the AF perform authorization verification on received report messages to determine whether they are safe. The UPF protects (encrypts) the report message with the second information and then sends the first indication information and the protected report message to the AF; the first indication information and the report message protected with the second information together serve for authorization verification of the report message. After receiving the event's report message, the AF performs first authorization verification according to the first indication information carried with the report message; if it passes, the AF performs second authorization verification on the report message according to the first information corresponding to the first indication information; if that also passes, the AF considers the report message safe and obtains it.
Therefore, before the UPF sends the event report message to the AF over the user plane path, the SMF needs to determine the first indication information and the second information used for authorization verification of the event report message, and configure user plane path event reporting according to the first indication information and the second information.
There are several situations that trigger the SMF to configure user plane path event reporting; they are not limited to the following.
Trigger situation 1: the SMF receives a request message sent by the AF, the request being to obtain the report message of event A.
Further, under trigger situation 1 there are several ways the SMF can configure the user plane path, not limited to the following.
Configuration mode one: the AF generates the first indication information and/or the derivation information for the second information, and the NEF determines the second information according to a second-information generation agreement preset with the AF and/or the derivation information.
Referring to Figure 4, assuming the report message the AF needs is that of event A, the flow of configuration mode one includes the following steps:
S400: the AF determines the reporting requirement of event A that it needs to obtain.
S401: the AF generates first indication information A corresponding to the reporting requirement; the first indication information is used to perform first authorization verification on received report messages of event A.
Optionally, first indication information A may be a token; a token can grant certain objects permission to perform certain operations. For example, in the embodiments the token is valid only for a specified UPF group sending the report message to the AF, and it cannot be tampered with. Therefore the AF can use the token to determine whether a received report message is valid.
For example, suppose the AF generates first indication information A that is used only for transmission verification between the AF and UPF1; if the AF receives first indication information A sent by UPF2, the AF determines the information sent by UPF2 to be invalid and does not process it further.
Optionally, first indication information A may also be a random number and/or additional information.
S402: the AF sends a request message to the NEF containing the reporting requirement of event A and first indication information A. The reporting requirement includes whether the AF needs and/or supports user plane notification.
Optionally, the AF may also determine derivation information for generating second information A and send it to the NEF, so that the NEF determines second information A from the derivation information; second information A is used by the UPF to protect the report message of event A that it sends.
The AF may carry the derivation information in the request message, i.e. the request message sent by the AF to the NEF contains the reporting requirement of event A, first indication information A and the derivation information; or,
the AF may carry the derivation information in another message, or send the derivation information to the NEF as a message of its own.
Further, the derivation information determined by the AF may serve only to tell the NEF how to determine second information A.
For example, the request message sent by the AF to the NEF carries derivation information instructing the NEF to determine the second information from the first indication information; after receiving the request message, the NEF determines second information A from the first indication information contained in the request message.
Optionally, the derivation information determined by the AF may both tell the NEF how to determine second information A and carry the information used to generate second information A.
For example, the request message sent by the AF to the NEF carries derivation information instructing the NEF to determine second information A from random number A, and the derivation information carries random number A, which the AF generated randomly; after receiving the request message, the NEF obtains random number A from it and generates second information A from random number A.
The derivation information may also be used to generate first information A, which the AF uses to perform second authorization verification on the report message of event A sent by the UPF.
For example, the derivation information may be a random number and/or additional message generated by the AF, used at the NEF as an input parameter of an irreversible function to generate the second information.
S403: the NEF receives the request message and determines the address of the AF that sent it.
S404: the NEF generates second information A.
Second information A is used by the UPF to protect the report message of event A that it sends.
Optionally, the NEF may generate second information A according to an agreement negotiated in advance with the AF.
For example, the agreement may instruct the NEF and the AF to generate second information A from one or more of the following:
first indication information A, and the shared information of the connection between the NEF and the AF.
The shared information may be parameters describing the TLS connection between the NEF and the AF.
Optionally, if the request message received by the NEF also contains the derivation information, the NEF generates second information A from the derivation information.
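The derivation agreed between NEF and AF in S404 and S410 (second information A from first indication information A, the shared parameters of the NEF-AF TLS connection, and optionally random number A), as an added example that is not the patent's own code. HKDF-SHA256 is an assumption, since the patent only requires an irreversible function; all sample values are constructed.

```python
# Added example (not from the patent): one-way derivation of "second
# information A" on the NEF (S404), which the AF repeats to obtain the
# matching "first information A" (S410). HKDF-SHA256 (RFC 5869) is assumed
# as the irreversible function; it is built on the standard library only.
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_second_information(first_indication: bytes, shared_tls_params: bytes,
                              derivation_info: bytes = b"") -> bytes:
    """Second information A = f(first indication A, NEF-AF shared info,
    optional derivation info such as random number A chosen by the AF).

    The token (and random number) travel in the request message, so they are
    treated as public inputs; the shared TLS-connection parameters are the
    secret salt that an observer of the request cannot reproduce.
    """
    return hkdf_sha256(ikm=first_indication + derivation_info,
                       salt=shared_tls_params,
                       info=b"event-report second information")   # constructed label


# Constructed sample values, not from the patent.
TOKEN_A = b"token-A:upf-group=edge-01"                 # first indication information A
SHARED_TLS = b"constructed-NEF-AF-TLS-shared-parameter"  # shared connection information
RANDOM_A = b"\x13\x37\xbe\xef"                         # random number A from the AF


def nef_and_af_keys(token: bytes, shared: bytes, random_a: bytes = b"") -> tuple:
    """Runs the same derivation at both ends; returns (second info A at NEF,
    first info A at AF). In the symmetric case of claim 4 these must match."""
    nef_side = derive_second_information(token, shared, random_a)
    af_side = derive_second_information(token, shared, random_a)
    return nef_side, af_side


if __name__ == "__main__":
    nef_key, af_key = nef_and_af_keys(TOKEN_A, SHARED_TLS, RANDOM_A)
    print("keys match:", nef_key == af_key, nef_key.hex())
```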
S405: the NEF sends a response message to the AF, the response message representing the NEF's reply to the received request message.
S406: the NEF sends notification information to the PCF containing the reporting requirement of event A, first indication information A, the AF address and second information A.
S407: the PCF receives the notification information sent by the NEF and determines second indication information according to it; the second indication information instructs the SMF to configure the user plane event reporting path.
For example, the second indication information may contain the PCC rule that the PCF generated from the reporting requirement of event A, the AF address and second information A.
S408: the PCF sends the second indication information to the SMF.
The second indication information contains the AF address, the reporting requirement of event A, first indication information A and second information A.
Optionally, the PCF may determine a PCC rule from the notification information, the PCC rule containing the AF address, the reporting requirement of event A, first indication information A and second information A, and send the PCC rule to the SMF as the second indication information.
Optionally, the PCF may determine a PCC rule from the notification information.
The PCC rule then contains some of the following information:
the AF address, the reporting requirement of event A, first indication information A and second information A.
The PCF may therefore send the PCC rule together with the other information not contained in the PCC rule to the SMF as the second indication information.
For example, assuming the PCF holds the AF address and the reporting requirement of event A, the second indication information contains the PCC rule, first indication information A and second information A.
S409: the SMF, according to the second indication information sent by the PCF, instructs the UPF to perform user plane path configuration.
Specifically, the SMF mainly instructs the UPF, according to the second indication information, to do the following:
S409a: determine the report message of event A.
S409b: protect the report message of event A with second information A.
Optionally, protecting the report message of event A may be one or more of the following:
using second information A to apply anti-replay protection to the report message of event A;
using second information A to encrypt the report message of event A;
using second information A to apply integrity protection to the report message of event A.
For example, anti-replay protection may use second information A to generate a first digital signature over the report message and the message sequence number at the time of sending.
Encryption may use second information A to generate a first encrypted message from the report message.
Integrity protection may use second information A to generate a second digital signature over the report message.
Note that protection of the report message of event A is not limited to the above; any message protection method to which the embodiments can be applied falls within their scope.
S409c: send the report message protected with second information A, together with the first indication information, to the AF.
S410: the AF generates first information A, which is used to perform second authorization verification on received report messages of event A.
Optionally, the second authorization verification may be one or more of the following:
anti-replay verification of the received report message of event A;
decryption verification of the received report message of event A;
integrity verification of the received report message of event A.
For example, if the second authorization verification only requires anti-replay verification, the AF obtains the first digital signature of the protected report message and then verifies the first digital signature with first information A, the report message and the sequence number at the time of sending.
If the second authorization verification only requires decryption verification, the protected report message is decrypted with second information A to obtain the report message; if the AF successfully decrypts the protected report message with second information A, the report message is confirmed to pass the second authorization verification and the AF may obtain the report message.
If the second authorization verification only requires integrity verification, the AF obtains the second digital signature of the protected report message and verifies the second digital signature with second information A and the report message.
Note that the second authorization verification is not limited to the above; any verification method to which the embodiments can be applied falls within their scope.
S411: the AF associates first indication information A with first information A.
Optionally, the AF associates first indication information A, first information A and the reporting requirement of event A.
By adding the reporting requirement of event A to this association, a third authorization verification based on the reporting requirement of event A can be added on top of the first and second authorization verifications; the third authorization verification is used by the AF to check whether the report message conforms to the reporting requirement of event A. Alternatively, when the first indication information cannot show whether the UPF is authorized to send report messages conforming to the reporting requirement, the mapping between first indication information A, first information A and event A lets the AF verify whether the UPF is authorized to send report messages conforming to the reporting requirement.
Note that the description of S400 to S411 does not restrict their order; any adjustment or omission of the above steps that implements the technical solution of this application falls within its scope. For example, S410 to S411 may come after S401.
Optionally, S400 to S411 may also be performed after the AF determines that the received report message of event A has passed the first authorization verification.
Configuration mode two: the AF generates the first indication information and/or the derivation information for the second information, and the SMF determines the second information according to a second-information generation agreement preset with the AF and/or the derivation information.
Referring to Figure 5, assuming the report message the AF needs is that of event A, the flow of configuration mode two includes the following steps:
S500: the AF determines the reporting requirement of event A that it needs to obtain.
S501: the AF generates first indication information A corresponding to the reporting requirement; the first indication information is used to perform first authorization verification on received report messages of event A.
Optionally, first indication information A may be a token; a token can grant certain objects permission to perform certain operations. For example, in the embodiments the token is valid only for a specified UPF group sending the report message to the AF, and it cannot be tampered with. Therefore the AF can use the token to determine whether a received report message is valid.
For example, suppose the AF generates first indication information A that is used only for transmission verification between the AF and UPF1; if the AF receives first indication information A sent by UPF2, the AF determines the information sent by UPF2 to be invalid and does not process it further.
Optionally, first indication information A may also be a random number and/or additional information.
S502: the AF sends a request message to the NEF containing the reporting requirement of event A and first indication information A. The reporting requirement includes whether the AF needs and/or supports user plane notification.
Optionally, the AF may also determine derivation information for generating second information A and send it to the NEF, so that the NEF carries the derivation information in the notification message it sends to the SMF and the SMF determines second information A from the derivation information; second information A is used by the UPF to protect the report message of event A that it sends.
For the derivation information, see S402 above; it is not repeated here.
S503: the NEF receives the request message and determines the address of the AF that sent it.
S504: the NEF sends a response message to the AF, the response message representing the NEF's reply to the received request message.
S505: the NEF sends notification information to the PCF containing the reporting requirement of event A, first indication information A and the AF address.
Optionally, if the NEF received derivation information from the AF, the notification message it sends to the PCF may also contain the derivation information, so that the SMF determines second information A from the derivation information.
S506: the PCF receives the notification information sent by the NEF and determines second indication information according to it; the second indication information instructs the SMF to configure the user plane event reporting path.
The second indication information contains the AF address, the reporting requirement of event A and first indication information A.
Optionally, if the notification message contains the derivation information, the second indication information may also contain it, so that the SMF, after receiving the second indication information, determines second information A from the derivation information.
Further, the PCF may determine a PCC rule from the notification information, the PCC rule containing the AF address, the reporting requirement of event A and first indication information A, and possibly the derivation information, and send the PCC rule to the SMF as the second indication information.
Optionally, the PCF may determine a PCC rule from the notification information.
The PCC rule then contains some of the following information:
the AF address, the reporting requirement of event A, first indication information A and the derivation information.
The PCF may therefore send the PCC rule together with the other information not contained in the PCC rule to the SMF as the second indication information.
For example, when the notification message contains the derivation information and the PCC rule contains the AF address and the reporting requirement of event A, the second indication information contains the PCC rule, first indication information A and the derivation information.
S507: the PCF sends the second indication information to the SMF.
S508: the SMF generates second information A.
Optionally, the SMF may generate second information A according to an agreement negotiated in advance with the AF.
For example, the agreement may instruct the SMF and the AF to generate second information A from one or more of the following:
first indication information A, and the shared information of the connection between the NEF and the AF.
The shared information may be parameters describing the TLS connection between the NEF and the AF.
Optionally, if the second indication information received by the SMF also contains the derivation information, the SMF generates second information A from the derivation information.
S509: the SMF generates third indication information from the second indication information and second information A.
The third indication information instructs the UPF to perform user plane path configuration.
S510: the SMF instructs the UPF, according to the third indication information, to perform user plane path configuration.
Specifically, the SMF mainly instructs the UPF, according to the third indication information, to do the following:
S510a: determine the report message of event A.
S510b: protect the report message of event A with second information A.
For how the report message of event A is protected with second information A, see S409b above; it is not repeated here.
S510c: send the report message protected with second information A, together with the first indication information, to the AF.
S511: the AF generates first information A, which is used to perform second authorization verification on received report messages of event A.
For how the AF performs second authorization verification on the received report message of event A with first information A, see S410 above; it is not repeated here.
S512: the AF associates first indication information A with first information A.
Optionally, the AF associates first indication information A, first information A and the reporting requirement of event A.
By adding the reporting requirement of event A to this association, a third authorization verification based on the reporting requirement of event A can be added on top of the first and second authorization verifications; the third authorization verification is used by the AF to check whether the report message conforms to the reporting requirement of event A. Alternatively, when the first indication information cannot show whether the UPF is authorized to send report messages conforming to the reporting requirement, the mapping between first indication information A, first information A and event A lets the AF verify whether the UPF is authorized to send report messages conforming to the reporting requirement.
Note that the description of S500 to S512 does not restrict their order; any adjustment or omission of the above steps that implements the technical solution of this application falls within its scope. For example, S511 to S512 may come after S501.
Optionally, S500 to S512 may also be performed after the AF determines that the received report message of event A has passed the first authorization verification.
Configuration mode three: the AF obtains first indication information generated by the NEF, and the NEF determines the second information according to a second-information generation agreement preset with the AF and/or derivation information obtained from the AF.
Referring to Figure 6, assuming the report message the AF needs is that of event A, the flow of configuration mode three includes the following steps:
S600: the AF determines the reporting requirement of event A that it needs to obtain.
Optionally, the AF may also determine derivation information for generating second information A and send it to the NEF, so that the NEF determines second information A from the derivation information; second information A is used by the UPF to protect the report message of event A that it sends.
For the derivation information, see S402 above; it is not repeated here.
S601: the AF sends a request message to the NEF containing the reporting requirement of event A. The reporting requirement includes whether the AF needs and/or supports user plane notification.
Optionally, the request message may also contain the derivation information.
S602: the NEF receives the request message and determines the address of the AF that sent it.
S603: the NEF generates, according to the request message, first indication information A corresponding to the reporting requirement; the first indication information is used to perform first authorization verification on received report messages.
S604: the NEF sends a response message to the AF containing first indication information A.
S605: the NEF determines second information A.
Second information A is used by the UPF to protect the report message of event A that it sends; for how the NEF determines second information A, see S404 above, which is not repeated here.
S606: the NEF sends notification information to the PCF containing the reporting requirement of event A, first indication information A, the AF address and second information A.
S607: the PCF receives the notification information sent by the NEF and determines second indication information according to it; the second indication information instructs the SMF to configure the user plane event reporting path.
The second indication information contains the AF address, the reporting requirement of event A, first indication information A and second information A; for the details of the second indication information see S408 above, which is not repeated here.
S608: the PCF sends the second indication information to the SMF.
S609: the SMF, according to the second indication information, instructs the UPF to perform user plane path configuration.
Specifically, the SMF mainly instructs the UPF, according to the second indication information, to do the following:
S609a: determine the report message of event A.
S609b: protect the report message of event A with second information A.
For how the UPF protects the report message of event A with second information A, see S409b above; it is not repeated here.
S609c: send the report message protected with second information A, together with the first indication information, to the AF.
S610: the AF generates first information A, which is used to perform second authorization verification on received report messages of event A.
For how the AF performs second authorization verification on the report message of event A with first information A, see S410 above; it is not repeated here.
S611: the AF associates first indication information A with first information A.
Optionally, the AF associates first indication information A, first information A and the reporting requirement of event A.
By adding the reporting requirement of event A to this association, a third authorization verification based on the reporting requirement of event A can be added on top of the first and second authorization verifications; the third authorization verification is used by the AF to check whether the report message conforms to the reporting requirement of event A. Alternatively, when the first indication information cannot show whether the UPF is authorized to send report messages conforming to the reporting requirement, the mapping between first indication information A, first information A and event A lets the AF verify whether the UPF is authorized to send report messages conforming to the reporting requirement.
Note that the description of S600 to S611 does not restrict their order; any adjustment or omission of the above steps that implements the technical solution of this application falls within its scope. For example, S610 to S611 may be performed after S601.
Optionally, S600 to S611 may also be performed after the AF determines that the received report message of event A has passed the first authorization verification.
Configuration mode four: the AF obtains first indication information generated by the NEF, and the SMF determines the second information according to a second-information generation agreement preset with the AF and/or derivation information obtained from the AF.
Referring to Figure 7, assuming the report message the AF needs is that of event A, the flow of configuration mode four includes the following steps:
S700: the AF determines the reporting requirement of event A that it needs to obtain.
Optionally, the AF may also determine derivation information for generating second information A and send it to the NEF, so that the NEF determines second information A from the derivation information; second information A is used by the UPF to protect the report message of event A that it sends.
For the derivation information, see S402 above; it is not repeated here.
S701: the AF sends a request message to the NEF containing the reporting requirement of event A.
The reporting requirement includes whether user plane notification is needed and/or supported.
Optionally, the request message may also contain the derivation information.
S702: the NEF receives the request message and determines the address of the AF that sent it.
S703: the NEF generates, according to the request message, first indication information A corresponding to the reporting requirement; the first indication information is used to perform first authorization verification on received report messages.
S704: the NEF sends a response message to the AF containing first indication information A.
S705: the NEF sends notification information to the PCF containing the reporting requirement of event A, first indication information A and the AF address.
Optionally, if the NEF received derivation information from the AF, the notification message it sends to the PCF may also contain the derivation information, so that the SMF determines second information A from the derivation information.
S706: the PCF receives the notification information sent by the NEF and determines second indication information according to it; the second indication information instructs the SMF to configure the user plane event reporting path.
The second indication information contains the AF address, the reporting requirement of event A and first indication information A; see S506 above for details, which are not repeated here.
Optionally, if the notification message contains the derivation information, the second indication information may also contain it, so that the SMF, after receiving the second indication information, determines second information A from the derivation information.
S707: the PCF sends the second indication information to the SMF.
S708: the SMF generates second information A.
For how the SMF generates second information A, see S508 above; it is not repeated here.
S709: the SMF generates third indication information from the second indication information and second information A.
The third indication information instructs the UPF to perform user plane path configuration.
S710: the SMF instructs the UPF, according to the third indication information, to perform user plane path configuration.
Specifically, the SMF mainly instructs the UPF, according to the third indication information, to do the following:
S710a: determine the report message of event A.
S710b: protect the report message of event A with second information A.
For how the report message of event A is protected with second information A, see S409b above; it is not repeated here.
S710c: send the report message protected with second information A, together with the first indication information, to the AF.
S711: the AF generates first information A, which is used to perform second authorization verification on received report messages of event A.
For how the AF performs second authorization verification on the received report message of event A with first information A, see S410 above; it is not repeated here.
S712: the AF associates first indication information A with first information A.
Optionally, the AF associates first indication information A, first information A and the reporting requirement of event A.
By adding the reporting requirement of event A to this association, a third authorization verification based on the reporting requirement of event A can be added on top of the first and second authorization verifications; the third authorization verification is used by the AF to check whether the report message conforms to the reporting requirement of event A. Alternatively, when the first indication information cannot show whether the UPF is authorized to send report messages conforming to the reporting requirement, the mapping between first indication information A, first information A and event A lets the AF verify whether the UPF is authorized to send report messages conforming to the reporting requirement.
Note that the description of S700 to S712 does not restrict their order; any adjustment or omission of the above steps that implements the technical solution of this application falls within its scope. For example, S711 to S712 may come after S701.
Optionally, S700 to S712 may also be performed after the AF determines that the received report message of event A has passed the first authorization verification.
Trigger situation 2: the SMF receives a PDU session establishment request sent by a new terminal device.
That is, the SMF actively obtains the PCC rule from the PCF. In the embodiments, the PCC rules to be delivered for a group of UEs can be stored in the PCF in advance, so that when a UE subsequently accesses the network the SMF actively requests the PCC rule from the PCF and uses the information delivered by the PCF for user plane event reporting.
Further, under trigger situation 2 there are several ways the SMF can configure the user plane path, not limited to the following.
Configuration mode five: the SMF determines the second information from pre-configured derivation information.
Referring to Figure 8, assuming the report message the AF needs is that of event A, the flow of trigger situation 2 includes the following steps:
S800: the PCF obtains in advance the AF address corresponding to event A, the reporting requirement of event A and first indication information A.
Optionally, the information the PCF obtains in advance may also include the derivation information, so that the SMF generates second information A from the derivation information.
Optionally, the PCF may obtain the above information by any one of configuration modes one to four.
Optionally, the AF address corresponding to event A, the reporting requirement of event A, first indication information A and similar information may be stored in the PCF in advance so that the PCF can obtain them in advance; or they may be stored in advance in another third party with storage capability, from which the PCF can obtain them in advance.
S801: the AF obtains first indication information A and first information A in advance and maintains the mapping between first indication information A and first information A.
Optionally, the AF obtains the reporting requirement of event A, first indication information A and first information A in advance and maintains the mapping among the reporting requirement of event A, first indication information A and first information A.
Optionally, the AF may obtain the above information by any one of configuration modes one to four.
Optionally, first indication information A, first information A and similar information may be stored in the AF in advance so that the AF can obtain them in advance; or they may be stored in advance in another third party with storage capability, from which the AF can obtain them in advance.
S802: after receiving the PDU session establishment request sent by a new terminal device, the SMF sends the PCF a request to obtain the second indication information.
The second indication information contains the AF address, the reporting requirement of event A and first indication information A.
Optionally, if the information the PCF obtained in advance contains the derivation information, the second indication information may contain the AF address, the reporting requirement of event A, first indication information A and the derivation information. Note that the second indication information may also contain other information, which is not limited here.
S803: the PCF sends the second indication information to the SMF.
The PCF may notify the SMF of the information obtained in advance, since the SMF requests the second indication information precisely in order to obtain that information.
Further, the PCF determines the second indication information from the AF address, the reporting requirement and first indication information A obtained in advance.
Optionally, if the information stored in advance by the PCF contains the derivation information, the PCF may determine the second indication information from the AF address, the reporting requirement, first indication information A and the derivation information.
Optionally, the PCF may determine a PCC rule from the pre-stored AF address corresponding to event A, the reporting requirement of event A and the derivation information used to determine the second information, the PCC rule containing the AF address, the reporting requirement of event A, first indication information A and the derivation information, and send the PCC rule to the SMF as the second indication information.
Optionally, the PCF may determine a PCC rule from the pre-stored AF address corresponding to event A, the reporting requirement of event A and the derivation information used to determine the second information.
The PCC rule then contains some of the following information:
the AF address, the reporting requirement of event A, first indication information A and the derivation information.
The PCF may therefore send the PCC rule together with the other information not contained in the PCC rule to the SMF as the second indication information.
For example, assuming the PCF holds the AF address and the reporting requirement of event A, the second indication information contains the PCC rule, first indication information A and the derivation information.
S804: the SMF generates second information A.
For how the SMF generates second information A, see S508 above; it is not repeated here.
S805: the SMF generates third indication information from the second indication information and second information A.
S806: the SMF instructs the UPF, according to the second indication information and second information A, to perform user plane path configuration.
Specifically, the SMF mainly instructs the UPF, according to the third indication information, to do the following:
S806a: determine the report message of event A;
S806b: protect the report message of event A with second information A;
For how the report message of event A is protected with second information A, see S409b above; it is not repeated here.
S806c: send the report message protected with second information A, together with the first indication information, to the AF.
Configuration mode six: the SMF obtains the second information from pre-configured information.
Referring to Figure 9, assuming the report message the AF needs is that of event A, the flow of trigger situation 2 includes the following steps:
S900: the PCF obtains in advance the AF address corresponding to event A, the reporting requirement of event A and first indication information A.
Optionally, the information stored in advance by the PCF may also include second information A; for details see S800 above, which is not repeated here.
S901: the AF obtains first indication information A and first information A in advance and maintains the mapping between first indication information A and first information A.
Optionally, the AF obtains the reporting requirement of event A, first indication information A and first information A in advance and maintains the mapping among the reporting requirement of event A, first indication information A and first information A; for details see S801 above, which is not repeated here.
S902: after receiving the PDU session establishment request sent by a new terminal device, the SMF sends the PCF a request to obtain the second indication information.
The second indication information contains the AF address, the reporting requirement of event A and first indication information A.
Optionally, if the information the PCF obtained in advance contains second information A, the second indication information may contain the AF address, the reporting requirement of event A, first indication information A and second information A.
Note that the second indication information may also contain other information, which is not limited here.
S903: the PCF sends the second indication information to the SMF.
The PCF may notify the SMF of the information obtained in advance, since the SMF requests the second indication information precisely in order to obtain that information.
Further, the PCF determines the second indication information from the pre-stored AF address, reporting requirement and first indication information A.
Optionally, if the information stored in advance by the PCF contains second information A, the PCF may determine the second indication information from the AF address, the reporting requirement, first indication information A and second information A.
Optionally, the PCF may determine a PCC rule from the pre-stored AF address corresponding to event A, the reporting requirement of event A and second information A, the PCC rule containing the AF address, the reporting requirement of event A, first indication information A and second information A, and send the PCC rule to the SMF as the second indication information.
Optionally, the PCF may determine a PCC rule from the pre-stored AF address corresponding to event A, the reporting requirement of event A and second information A.
The PCC rule then contains some of the following information:
the AF address, the reporting requirement of event A, first indication information A and second information A.
The PCF may therefore send the PCC rule together with the other information not contained in the PCC rule to the SMF as the second indication information.
For example, assuming the PCF holds the AF address and the reporting requirement of event A, the second indication information contains the PCC rule, first indication information A and second information A.
S904: the SMF, according to the second indication information, instructs the UPF to perform user plane path configuration.
Specifically, the SMF mainly instructs the UPF, according to the second indication information, to do the following:
S904a: determine the report message of event A;
S904b: protect the report message of event A with second information A;
For how the report message of event A is protected with second information A, see S409b above; it is not repeated here.
S904c: send the report message protected with second information A, together with the first indication information, to the AF.
Further, based on any one of configuration modes one to six, after the UPF receives the second indication information sent by the SMF, the flow in which the UPF sends the event report message to the AF, as shown in Figure 10, includes the following steps:
S1000: the UPF receives the third indication information sent by the SMF.
If the second indication information contains second information A, the second indication information may serve as the third indication information; or,
if the second indication information does not contain second information A, the second indication information together with second information A, taken as a whole, may serve as the third indication information.
S1001: the UPF determines the report message of event A.
S1002: the UPF protects the report message with second information A from the third indication information.
Optionally, the UPF may determine timestamp information and/or a message sequence number for the generation of the report message of event A, and encrypt the report message together with the timestamp information and/or the message sequence number as a whole with second information A,
so that after the AF obtains the report message and the timestamp information and/or message sequence number through the first information, it performs anti-replay verification according to the timestamp information and/or the message sequence number.
Optionally, the UPF may feed the report message of event A as input into an irreversible function to generate a first result; the first result encrypted by the UPF with the second information is then the digital signature, so that after the AF obtains the report message through the first information it performs an integrity check on the digital signature in the report message according to the first information.
S1003: the UPF sends the report message protected with the second information, together with the first indication information, to the AF.
S1004: after receiving the report message protected with the second information and the first indication information, the AF performs first authorization verification on the report message according to the received first indication information.
Specifically, the AF determines whether it locally holds first indication information identical to the received first indication information; if so, the report message is determined to pass the first authorization verification; or,
the AF determines the reporting requirement corresponding to the received report message and then, from the mapping between the reporting requirement and the locally stored first indication information, determines the locally stored first indication information corresponding to that reporting requirement; if it is identical to the received first indication information, the report message is determined to pass the first authorization verification; or,
if the first indication information is a token, the AF obtains from the token the information on the UPF group allowed to send report messages to the AF and checks whether the UPF is in that group information; if the UPF is in the UPF group information, the report message is determined to pass the first authorization verification. The UPF group information may be the identification information of a group of UPFs.
S1005: if the AF determines that the report message fails the first authorization verification, it discards the report message; otherwise it determines the first information corresponding to the first indication information and continues with S1006.
S1006: the AF performs second authorization verification, using the first information, on the report message protected with the second information.
Further, there are several ways the AF can perform second authorization verification on the encrypted report message with the first information, not limited to the following.
Verification method 1: if the AF can successfully decrypt the report message protected with the second information using the first information, the AF determines that the report message passes the second authorization verification.
Verification method 2: if the AF can successfully decrypt the encrypted report message using the first information and determines that the timestamp information and/or message sequence number carried in the report message is valid, the AF determines that the report message passes the second authorization verification.
Whether the timestamp information and/or message sequence number is valid may be determined as follows:
the AF obtains the decrypted timestamp information and/or message sequence number and compares it with the timestamp information and/or message sequence number carried in the report message it received; if the comparison results are the same, the report message is confirmed to pass the anti-replay check.
Verification method 3: for integrity verification, the AF may decrypt the digital signature carried in the report message with second information A to obtain the first result, feed the decrypted report message as input into the irreversible function to generate a second result, and compare the first result with the second result; if they are the same, the report message is confirmed to pass the integrity check.
S1007: if the report message fails the second authorization verification it is discarded; otherwise the report message is obtained.
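The S1000 to S1007 exchange, as an added example that is not the patent's own code: the UPF protects each report with second information A and the AF runs the first verification (token and UPF group, S1004), the second verification (signature and sequence number, verification method 2) and the third verification of S411 (conformance to event A's reporting requirement). An HMAC-SHA256 tag stands in for the "first digital signature" of S409b and the symmetric case of claim 4 (first information A equal to second information A) is assumed; encryption of the report is left out. Class names, message layout and all sample values are constructed.

```python
# Added example, not from the patent. The UPF side (S1000-S1003) and the AF
# side (S1004-S1007) of user-plane event reporting, with the replay, tamper
# and out-of-group cases from the background section. HMAC-SHA256 is assumed
# as the "first digital signature" over report + sequence number (S409b).
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class UpfGroupToken:
    """First indication information A as a token (S401/S1004): it names the
    group of UPFs allowed to send event A's report message to this AF."""
    token_id: str
    allowed_upfs: frozenset


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so that UPF and AF sign and verify identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Upf:
    """UPF side: protects each report of event A with second information A."""

    def __init__(self, upf_id: str, third_indication: dict):
        self.upf_id = upf_id
        self.token = third_indication["first_indication"]   # token A
        self.key = third_indication["second_information"]   # protection key
        self.seq = 0                                         # message sequence number

    def send_report(self, event: str, payload: dict) -> dict:
        self.seq += 1
        body = {"upf": self.upf_id, "event": event, "seq": self.seq, "payload": payload}
        # MAC over report + sequence number: integrity plus replay detection.
        sig = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        return {"first_indication": self.token.token_id, "body": body, "signature": sig}


class Af:
    """AF side, holding the S411 association token -> (first info A, requirement)."""

    def __init__(self, token: UpfGroupToken, first_information: bytes, requirement_event: str):
        self.assoc = {token.token_id: (token, first_information, requirement_event)}
        self.last_seq = {}   # highest accepted sequence number per UPF

    def first_verification(self, msg: dict) -> bool:
        entry = self.assoc.get(msg["first_indication"])     # locally known token?
        if entry is None:
            return False
        return msg["body"]["upf"] in entry[0].allowed_upfs  # UPF inside the token's group?

    def second_verification(self, msg: dict) -> bool:
        _, key, _ = self.assoc[msg["first_indication"]]
        expected = hmac.new(key, _canonical(msg["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["signature"]):
            return False                                     # forged or tampered
        upf, seq = msg["body"]["upf"], msg["body"]["seq"]
        if seq <= self.last_seq.get(upf, 0):
            return False                                     # replayed message
        self.last_seq[upf] = seq
        return True

    def third_verification(self, msg: dict) -> bool:
        # Third verification of S411: report must match event A's reporting requirement.
        return msg["body"]["event"] == self.assoc[msg["first_indication"]][2]

    def receive(self, msg: dict) -> tuple:
        """Returns ("accepted", body) or ("discarded", reason), as S1005/S1007 require."""
        if not self.first_verification(msg):
            return ("discarded", "first verification failed")
        if not self.second_verification(msg):
            return ("discarded", "second verification failed")
        if not self.third_verification(msg):
            return ("discarded", "third verification failed")
        return ("accepted", msg["body"])


def run_exchange() -> list:
    """Constructed scenario: one legitimate report followed by the attacks the
    background section names (replay, tampering, a UPF outside the group) and
    a report for the wrong event."""
    token = UpfGroupToken("token-A", frozenset({"UPF1"}))
    key = b"constructed-second-information-A"   # symmetric case: first info A == second info A
    third_indication = {"first_indication": token, "second_information": key}
    upf1, af = Upf("UPF1", third_indication), Af(token, key, "event-A")
    outcomes = []

    def record(result):
        outcomes.append(result[0] if result[0] == "accepted" else result[1])

    good = upf1.send_report("event-A", {"qos": "degraded"})
    record(af.receive(good))                                   # accepted
    record(af.receive(good))                                   # replay -> second verification failed
    tampered = dict(good, body=dict(good["body"], payload={"qos": "ok"}, seq=9))
    record(af.receive(tampered))                               # bad signature -> second verification failed
    upf2 = Upf("UPF2", third_indication)                       # has the key but is outside the group
    record(af.receive(upf2.send_report("event-A", {})))        # first verification failed
    record(af.receive(upf1.send_report("event-B", {})))        # third verification failed
    return outcomes
```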
Note that, for ease of description, the first indication information sent by the UPF to the AF may be denoted first authorization verification information.
From the above description of the scheme it can be understood that, to implement the functions above, each device includes the corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution; skilled persons may use different methods to implement the described functions for each particular application, and such implementations should not be considered beyond the scope of this application.
Based on the above embodiments, as shown in Figure 11, this application provides an event reporting apparatus which may be the service server described in the embodiments; the service server includes a processor 1100, a memory 1101 and a communication interface 1102.
The processor 1100 manages the bus architecture and general processing; the memory 1101 may store data used by the processor 1100 when performing operations. The transceiver communication interface 1102 receives and sends data under the control of the processor 1100 and exchanges data with the memory 1101.
The processor 1100 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 1100 may further include a hardware chip, which may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof; the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these. The memory 1101 may include a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The processor 1100, the memory 1101 and the communication interface 1102 are interconnected. Optionally, they may be interconnected through a bus 1103, which may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. The bus may be divided into an address bus, a data bus and a control bus; for ease of representation only one thick line is drawn in Figure 11, which does not mean there is only one bus or one type of bus.
Specifically, the processor 1100 is configured to read the program in the memory 1101 and execute the method flow performed by the service server in S400-S411 shown in Figure 4; or the method flow performed by the service server in S500-S512 shown in Figure 5; or in S600-S611 shown in Figure 6; or in S700-S712 shown in Figure 7; or in S800-S806 shown in Figure 8; or in S900-S904 shown in Figure 9; or in S1000-S1007 shown in Figure 10.
As shown in Figure 12, this invention provides a second event reporting apparatus:
In one optional way in the embodiments, the apparatus may be a service server, including:
a processing unit 1200, configured to determine first indication information of a first event, generate first information, and associate the first indication information with the first information, the first information being used to perform second authorization verification on a received report message that has been security-protected with second information;
a communication unit 1201, configured to receive the report message of the first event sent by the user plane network element UPF;
the processing unit 1200 is further configured to perform first authorization verification on the report message according to the first indication information and, after it passes, determine the first information corresponding to the first indication information; to perform second authorization verification on the report message according to the first information; and to obtain the report message after it passes the second authorization verification.
In another optional way in the embodiments, the apparatus may be a service server, including:
a processing unit 1200, configured to determine first indication information of a first event;
a communication unit 1201, configured to receive the report message of the first event sent by the user plane network element UPF;
the processing unit 1200 is further configured to perform first authorization verification on the report message according to the first indication information and, after it passes, generate first information used to perform second authorization verification on a received report message that has been security-protected with second information; to perform second authorization verification on the report message according to the first information; and to obtain the report message after it passes the second authorization verification.
The functions of the processing unit 1200 and the communication unit 1201 shown in Figure 12 may be performed by the processor 1100 reading the program in the memory 1101, or by the processor 1100 alone.
Optionally, when the service server runs, the processing unit 1200 and the communication unit 1201 may execute the method flow performed by the service server in S400-S411 shown in Figure 4; or in S500-S512 shown in Figure 5; or in S600-S611 shown in Figure 6; or in S700-S712 shown in Figure 7; or in S800-S806 shown in Figure 8; or in S900-S904 shown in Figure 9; or in S1000-S1007 shown in Figure 10.
Note that the communication unit 1201 may comprise different communication units, each corresponding to a different communication interface.
For a detailed description of the functions or operations of the service server provided by this application, refer to the steps performed by the service server in the method embodiments; they are not repeated here.
Based on the above embodiments, as shown in Figure 13, this application provides a third event reporting apparatus which may be the NEF network element described in the embodiments; the NEF network element includes a processor 1300, a memory 1301 and a communication interface 1302.
The processor 1300 manages the bus architecture and general processing; the memory 1301 may store data used by the processor 1300 when performing operations. The transceiver communication interface 1302 receives and sends data under the control of the processor 1300 and exchanges data with the memory 1301.
The processor 1300 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 1300 may further include a hardware chip, which may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof; the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these. The memory 1301 may include a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The processor 1300, the memory 1301 and the communication interface 1302 are interconnected. Optionally, they may be interconnected through a bus 1303, which may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. The bus may be divided into an address bus, a data bus and a control bus; for ease of representation only one thick line is drawn in Figure 13, which does not mean there is only one bus or one type of bus.
Specifically, the processor 1300 is configured to read the program in the memory 1301 and execute the method flow performed by the NEF in S400-S411 shown in Figure 4; or in S500-S512 shown in Figure 5; or in S600-S611 shown in Figure 6; or in S700-S712 shown in Figure 7; or in S800-S806 shown in Figure 8; or in S900-S904 shown in Figure 9; or in S1000-S1007 shown in Figure 10.
As shown in Figure 14, this invention provides a fourth event reporting apparatus, which may be an NEF, including:
a communication unit 1401, configured to receive a request message sent from the AF, the request message containing the reporting requirement of a first event;
a processing unit 1400, configured to determine the first indication information of the first event and the AF address;
the communication unit 1401 is further configured to send a notification message to the session management network element SMF so that the SMF, according to the notification message, instructs the UPF to send the report message of the first event together with the first indication information to the AF, where the report message is security-protected with second information; the first indication information is used by the AF to perform first authorization verification on the report message, and the second information is used by the AF to perform second authorization verification on the report message.
The functions of the processing unit 1400 and the communication unit 1401 shown in Figure 14 may be performed by the processor 1300 reading the program in the memory 1301, or by the processor 1400 alone.
Optionally, when the NEF runs, the processing unit 1400 and the communication unit 1401 may execute the method flow performed by the NEF in S400-S411 shown in Figure 4; or in S500-S512 shown in Figure 5; or in S600-S611 shown in Figure 6; or in S700-S712 shown in Figure 7; or in S800-S806 shown in Figure 8; or in S900-S904 shown in Figure 9; or in S1000-S1007 shown in Figure 10.
Note that the communication unit 1401 may comprise different communication units, each corresponding to a different communication interface.
For a detailed description of the functions or operations of the NEF provided by this application, refer to the steps performed by the NEF in the method embodiments; they are not repeated here.
Based on the above embodiments, as shown in Figure 15, this application provides a fifth event reporting apparatus which may be the SMF network element described in the embodiments; the SMF network element includes a processor 1500, a memory 1501 and a communication interface 1502.
The processor 1500 manages the bus architecture and general processing; the memory 1501 may store data used by the processor 1500 when performing operations. The transceiver communication interface 1502 receives and sends data under the control of the processor 1500 and exchanges data with the memory 1501.
The processor 1500 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 1500 may further include a hardware chip, which may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof; the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these. The memory 1501 may include a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The processor 1500, the memory 1501 and the communication interface 1502 are interconnected. Optionally, they may be interconnected through a bus 1503, which may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. The bus may be divided into an address bus, a data bus and a control bus; for ease of representation only one thick line is drawn in Figure 15, which does not mean there is only one bus or one type of bus.
Specifically, the processor 1500 is configured to read the program in the memory 1501 and execute the method flow performed by the SMF in S400-S411 shown in Figure 4; or in S500-S512 shown in Figure 5; or in S600-S611 shown in Figure 6; or in S700-S712 shown in Figure 7; or in S800-S806 shown in Figure 8; or in S900-S904 shown in Figure 9; or in S1000-S1007 shown in Figure 10.
As shown in Figure 16, this invention provides a sixth event reporting apparatus, which may be an SMF, including:
a communication unit 1601, configured to obtain second indication information sent by the policy control network element PCF;
a processing unit 1600, configured to determine third indication information from the second indication information, the third indication information containing the address information of the application function AF, the reporting requirement of a first event, the first indication information corresponding to the reporting requirement, and second information;
the communication unit 1601 is further configured to send the third indication information to the user plane network element UPF, instructing the UPF to send the report message of the first event together with the first indication information to the AF, where the report message is security-protected with the second information; the first indication information is used by the AF to perform first authorization verification on the report message, and the second information is used by the AF to perform second authorization verification on the report message.
The functions of the processing unit 1600 and the communication unit 1601 shown in Figure 16 may be performed by the processor 1500 reading the program in the memory 1501, or by the processor 1500 alone.
Optionally, when the SMF runs, the processing unit 1600 and the communication unit 1601 may execute the method flow performed by the SMF in S400-S411 shown in Figure 4; or in S500-S512 shown in Figure 5; or in S600-S611 shown in Figure 6; or in S700-S712 shown in Figure 7; or in S800-S806 shown in Figure 8; or in S900-S904 shown in Figure 9; or in S1000-S1007 shown in Figure 10.
Note that the communication unit 1601 may comprise different communication units, each corresponding to a different communication interface.
For a detailed description of the functions or operations of the SMF provided by this application, refer to the steps performed by the SMF in the method embodiments; they are not repeated here.
Based on the above embodiments, as shown in Figure 17, this application provides a seventh event reporting apparatus which may be the UPF network element described in the embodiments; the UPF network element includes a processor 1700, a memory 1701 and a communication interface 1702.
The processor 1700 manages the bus architecture and general processing; the memory 1701 may store data used by the processor 1700 when performing operations. The transceiver communication interface 1702 receives and sends data under the control of the processor 1700 and exchanges data with the memory 1701.
The processor 1700 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 1700 may further include a hardware chip, which may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof; the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these. The memory 1701 may include a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The processor 1700, the memory 1701 and the communication interface 1702 are interconnected. Optionally, they may be interconnected through a bus 1703, which may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. The bus may be divided into an address bus, a data bus and a control bus; for ease of representation only one thick line is drawn in Figure 17, which does not mean there is only one bus or one type of bus.
Specifically, the processor 1700 is configured to read the program in the memory 1701 and execute the method flow performed by the UPF in S400-S411 shown in Figure 4; or in S500-S512 shown in Figure 5; or in S600-S611 shown in Figure 6; or in S700-S712 shown in Figure 7; or in S800-S806 shown in Figure 8; or in S900-S904 shown in Figure 9; or in S1000-S1007 shown in Figure 10.
As shown in Figure 18, this invention provides an eighth event reporting apparatus, which may be a UPF, including:
a communication unit 1801, configured to receive third indication information sent by the session management network element SMF, the third indication information instructing the UPF to send a first-event report message to the application function AF;
a processing unit 1800, configured to determine, according to the third indication information, the report message of the first event, the first indication information corresponding to the report message and second information, and to security-protect the report message with the second information;
the communication unit 1801 is further configured to send the security-protected report message and the first indication information to the AF, where the first indication information is used by the AF to perform first authorization verification on the report message and the second information is used by the AF to perform second authorization verification on the report message.
The functions of the processing unit 1800 and the communication unit 1801 shown in Figure 18 may be performed by the processor 1700 reading the program in the memory 1701, or by the processor 1700 alone.
Optionally, when the UPF runs, the processing unit 1800 and the communication unit 1801 may execute the method flow performed by the UPF in S400-S411 shown in Figure 4; or in S500-S512 shown in Figure 5; or in S600-S611 shown in Figure 6; or in S700-S712 shown in Figure 7; or in S800-S806 shown in Figure 8; or in S900-S904 shown in Figure 9; or in S1000-S1007 shown in Figure 10.
Note that the communication unit 1801 may comprise different communication units, each corresponding to a different communication interface.
For a detailed description of the functions or operations of the UPF provided by this application, refer to the steps performed by the UPF in the method embodiments; they are not repeated here.
In some possible implementations, the various aspects of the event reporting method provided by the embodiments of this invention may also be implemented in the form of a program product including program code which, when run on a computer device, causes the computer device to perform the steps of the event reporting method according to the various exemplary implementations of this application described in this specification.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but not limited to, an electric, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples (a non-exhaustive list) of readable storage media in one implementation of the embodiments include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
A program product for event reporting according to an implementation of this invention may use a portable compact disc read-only memory (CD-ROM), include program code, and run on a server device. However, the program product of this invention is not limited to this; in this document a readable storage medium may be any tangible medium that contains or stores a program for use by, or in connection with, an information transmission apparatus or device.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave and carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of these. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device.
Program code contained on a readable medium may be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of these.
Program code for performing the operations of this invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++ and conventional procedural programming languages such as the "C" language or similar. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device.
For the event reporting method, the embodiments also provide a computing-device-readable storage medium, i.e. one whose contents are not lost after power-off. The storage medium stores a software program including program code; when the program code runs on a computing device and the software program is read and executed by one or more processors, it can implement any of the event reporting schemes of the embodiments above.
This application has been described above with reference to block diagrams and/or flowcharts of methods, apparatuses (systems) and/or computer program products according to its embodiments. It should be understood that each block of the block diagrams and/or flowcharts, and combinations of blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer and/or other programmable data processing apparatus to produce a machine, such that the instructions executed via the computer processor and/or other programmable data processing apparatus create means for implementing the functions/acts specified in the block diagram and/or flowchart blocks.
Accordingly, this application may also be implemented in hardware and/or software (including firmware, resident software, microcode, etc.). Further, this application may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium, for use by or in connection with an instruction execution system. In the context of this application, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, transmit or transport the program for use by, or in connection with, an instruction execution system, apparatus or device.
Although this application has been described in conjunction with specific features and embodiments, it is apparent that various modifications and combinations can be made without departing from its spirit and scope. Accordingly, the specification and drawings are merely exemplary illustrations of the application as defined by the appended claims and are deemed to cover any and all modifications, variations, combinations or equivalents within its scope. Obviously, those skilled in the art can make various changes and variations to this application without departing from its scope; if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application is intended to include them as well.
Claims (30)
- An event reporting method, characterized in that the method includes: a service server determines first indication information of a first event; the service server generates first information and associates the first indication information with the first information, the first information being used to perform second authorization verification on a received report message that has been security-protected with second information; the service server receives the report message of the first event sent by the user plane network element UPF; the service server performs first authorization verification on the report message according to the first indication information and, after it passes, determines the first information corresponding to the first indication information; the service server performs second authorization verification on the report message according to the first information; and the service server obtains the report message after it passes the second authorization verification.
- The method of claim 1, characterized in that the service server determining the first indication information of the first event includes: the service server receives a response message sent by the network exposure function NEF, the response message being sent by the NEF after receiving the reporting requirement message of the first event sent by the service server, and the service server determines the first indication information from the response message; or the service server generates the first indication information from the first event.
- The method of claim 1 or 2, characterized in that the service server associating the first indication information with the first information further includes: the service server associates the first indication information, the first information and the reporting requirement of the first event.
- The method of any one of claims 1 to 3, characterized in that, before the service server receives the report message of the first event sent by the user plane network element UPF, the method further includes: the service server determines derivation information for the second information and notifies the NEF of the derivation information; where the second information is the symmetric key of the first information, or the second information is the public key of the first information.
- The method of any one of claims 1 to 4, characterized in that the service server determines that the report message passes the first authorization verification as follows: the service server obtains the first authorization verification information carried in the report message, and if the service server determines that the first authorization verification information is partly or wholly identical to the first indication information, the service server determines that the report message passes the first authorization verification.
- The method of claim 4, characterized in that the service server determines that the report message passes the second authorization verification as follows: the service server verifies all or part of the report message with the first information, and if the service server successfully verifies all or part of the report message, it determines that the report message passes the second authorization verification; where all or part of the report message received by the service server has been security-protected by the UPF with the second information.
- An event reporting method, characterized in that the method includes: a service server determines first indication information of a first event; the service server receives the report message of the first event sent by the user plane network element UPF; the service server performs first authorization verification on the report message according to the first indication information and, after it passes, generates first information used to perform second authorization verification on a received report message that has been security-protected with second information; the service server performs second authorization verification on the report message according to the first information; and the service server obtains the report message after it passes the second authorization verification.
- The method of claim 7, characterized in that the service server determining the first indication information of the first event includes: the service server receives a response message sent by the network exposure function NEF, the response message being sent by the NEF after receiving at least one reporting requirement message of the first event sent by the service server, and the service server determines the first indication information from the response message; or the service server generates the first indication information from the first event.
- The method of claim 7 or 8, characterized in that, after the service server generates the first information, the method further includes: the service server associates the first indication information with the first information; or the service server associates the first indication information, the first information and the reporting requirement corresponding to the first event.
- The method of any one of claims 7 to 9, characterized in that, before the service server receives the report message of the first event sent by the user plane network element UPF, the method further includes: the service server determines derivation information for the second information and notifies the NEF of the derivation information; where the second information is the symmetric key of the first information, or the second information is the public key of the first information.
- The method of any one of claims 7 to 10, characterized in that the service server determines that the report message passes the first authorization verification as follows: the service server obtains the first authorization verification information carried in the report message, and if the service server determines that the first authorization verification information is partly or wholly identical to the first indication information, the service server determines that the report message passes the first authorization verification.
- The method of claim 10, characterized in that the service server determines that the report message passes the second authorization verification as follows: the service server verifies all or part of the report message with the first information, and if the service server successfully verifies all or part of the report message, it determines that the report message passes the second authorization verification; where the report message received by the service server has been security-protected by the UPF with the second information.
- An event reporting method, characterized in that the method includes: a network exposure function NEF receives a request message sent from a service server, the request message containing the reporting requirement of a first event; the NEF determines first indication information of the first event and the service server address; the NEF sends a notification message to the session management network element SMF so that the SMF, according to the notification message, instructs the UPF to send the report message of the first event together with the first indication information to the service server, where the report message is security-protected with second information; where the first indication information is used by the service server to perform first authorization verification on the report message, and the second information is used by the service server to perform second authorization verification on the report message.
- The method of claim 13, characterized in that the NEF determining the first indication information of the first event includes: the NEF obtains the first indication information from the received request message, where the request message contains the first indication information; or, after receiving the request message, the NEF generates the first indication information from the reporting requirement of the first event contained in the request message.
- The method of claim 13 or 14, characterized in that, after the NEF determines the first indication information of the first event, the method further includes: the NEF notifies the service server of the first indication information.
- The method of any one of claims 13 to 15, characterized in that the method further includes: the notification message contains the first indication information, the service server address, the reporting requirement of the first event and the second information, where the second information is determined by the NEF according to a second-information generation agreement preset with the service server; or, if the request message contains derivation information for generating the second information and the reporting requirement of the first event, the notification message contains the first indication information, the service server address, the reporting requirement of the first event and the derivation information; or, if the request message contains derivation information for generating the second information and the reporting requirement of the first event, the notification message contains the first indication information, the service server address, the reporting requirement of the first event and the second information, where the second information is determined by the NEF from the derivation information; or, if the request message contains the second information and the reporting requirement of the first event, the notification message contains the first indication information, the service server address, the reporting requirement of the first event and the second information.
- An event reporting method, characterized in that the method includes: a session management network element SMF obtains second indication information sent by the policy control network element PCF; the SMF determines third indication information from the second indication information, the third indication information containing the address information of a service server, the reporting requirement of a first event, the first indication information corresponding to the reporting requirement, and second information; the SMF sends the third indication information to the user plane network element UPF, instructing the UPF to send the report message of the first event together with the first indication information to the service server, where the report message is security-protected with the second information; where the first indication information is used by the service server to perform first authorization verification on the report message, and the second information is used by the AF to perform second authorization verification on the report message.
- The method of claim 17, characterized in that the SMF determining the third indication information from the second indication information includes: if the second indication information contains the address information of the service server, the reporting requirement of the first event, the first indication information and the second information, the SMF uses the second indication information as the third indication information; or, if the second indication information contains the address information of the service server, the reporting requirement of the first event, the first indication information and derivation information for determining the second information, the SMF generates the second information from the derivation information and determines the third indication information from the second indication information and the second information.
- The method of claim 17 or 18, characterized in that, before the SMF obtains the second indication information sent by the PCF, the method further includes: the SMF receives a PDU session establishment request from a new terminal device; or the SMF receives a second indication message sent by the PCF, the second indication message instructing the SMF to trigger the UPF to send the report message corresponding to the request message to the service server.
- The method of claim 18 or 19, characterized in that the derivation information contains the shared information between the network exposure function NEF and the service server, and the first indication information.
- An event reporting method, characterized in that the method includes: a user plane network element UPF receives third indication information sent by the session management network element SMF, the third indication information instructing the UPF to send a first-event report message to a service server; the UPF determines, from the third indication information, the report message of the first event, the first indication information corresponding to the report message, and second information; the UPF security-protects the report message with the second information and sends the security-protected report message together with the first indication information to the service server; where the first indication information is used by the service server to perform first authorization verification on the report message, and the second information is used by the service server to perform second authorization verification on the report message.
- The method of claim 21, characterized in that the security protection may be encryption and/or generation of a digital signature.
- A service server, characterized in that it includes a processing unit and a communication unit; the processing unit is configured to determine first indication information of a first event, generate first information, and associate the first indication information with the first information, the first information being used to perform second authorization verification on a received report message that has been security-protected with second information; the communication unit is configured to receive the report message of the first event sent by the user plane network element UPF; the processing unit is further configured to perform first authorization verification on the report message according to the first indication information and, after it passes, determine the first information corresponding to the first indication information; to perform second authorization verification on the report message according to the first information; and to obtain the report message after it passes the second authorization verification.
- A service server, characterized in that it includes a processing unit and a communication unit; the processing unit is configured to determine first indication information of a first event; the communication unit is configured to receive the report message of the first event sent by the user plane network element UPF; the processing unit is further configured to perform first authorization verification on the report message according to the first indication information and, after it passes, generate first information used to perform second authorization verification on a received report message that has been security-protected with second information; to perform second authorization verification on the report message according to the first information; and to obtain the report message after it passes the second authorization verification.
- A network element, characterized in that it includes a processing unit and a communication unit; the communication unit is configured to receive a request message sent from a service server, the request message containing the reporting requirement of a first event; the processing unit is configured to determine the first indication information of the first event and the service server address; the communication unit is further configured to send a notification message to the session management network element SMF so that the SMF, according to the notification message, instructs the UPF to send the report message of the first event together with the first indication information to the service server, where the report message is security-protected with second information; the first indication information is used by the service server to perform first authorization verification on the report message, and the second information is used by the service server to perform second authorization verification on the report message.
- A network element, characterized in that it includes a processing unit and a communication unit; the communication unit is configured to obtain second indication information sent by the policy control network element PCF; the processing unit is configured to determine third indication information from the second indication information, the third indication information containing the address information of a service server, the reporting requirement of a first event, the first indication information corresponding to the reporting requirement, and second information; the communication unit is further configured to send the third indication information to the user plane network element UPF, instructing the UPF to send the report message of the first event together with the first indication information to the service server, where the report message is security-protected with the second information; the first indication information is used by the service server to perform first authorization verification on the report message, and the second information is used by the service server to perform second authorization verification on the report message.
- 一种网元,其特征在于,包括:处理单元和通信单元;所述通信单元:用于接收会话管理网元SMF发送的第三指示信息,所述第三指示信息用于指示所述UPF向业务服务器发送第一事件上报消息;所述处理单元:用于根据所述第三指示信息确定所述第一事件的上报消息、所述上报消息对应的第一指示信息以及第二信息;通过所述第二信息对所述上报消息进行安全保护;所述通信单元:还用于将安全保护后的所述上报消息以及所述第一指示信息发送给所述业务服务器;其中,所述第一指示信息用于所述业务服务器对所述上报消息进行第一权限验证,所述第二信息用于所述业务服务器对所述上报消息进行第二权限验证。
- 一种通信系统,其特征在于,包括:业务服务器、NEF、SMF以及UPF;所述业务服务器,用于确定第一事件的第一指示信息;生成第一信息,并将所述第一指示信息与所述第一信息进行关联,所述第一信息用于对接收到的通过第二信息进行安全保护后的上报消息进行第二权限验证;接收用户面网元UPF发送的所述第一事件的上报消息;根据所述第一指示信息对所述上报消息进行第一权限验证,并在通过所述第一权限验证后,确定所述第一指示信息对应的所述第一信息;根据所述第一信息对所述上报消息进行第二权限验证;获取通过所述第二权限验证后的所述上报消息;或用于确定第一事件的第一指示信息;接收用户面网元UPF发送的所述第一事件的上报消息;根据所述第一指示信息对所述上报消息进行第一权限验证,并在通过所述第一权限验证后,生成第一信息,所述第一信息用于对接收到的通过第二信息进行安全保护后的上报消息进行第二权限验证;根据所述第一信息对所述上报消息进行第二权限验证;获取验证通过所述第二权限验证后的所述上报消息;所述NEF,用于接收来自业务服务器发送的请求消息,所述请求消息包含第一事件的上报需求;确定第一事件的第一指示信息以及业务服务器地址;向会话管理网元SMF发送通知消息,以使所述SMF根据所述通知消息指示所述UPF向所述业务服务器发送所述第一事件的上报消息以及所述第一指示信息,其中,所述上报消息通过第二信息进行安全保护;所述SMF,用于获取策略控制网元PCF发送的第二指示信息;根据所述第二指示信 息确定第三指示信息,所述第三指示信息中包含业务服务器的地址信息、第一事件的上报需求、所述上报需求对应的第一指示信息以及第二信息;向所述用户面网元UPF发送所述第三指示信息,以指示所述UPF向所述业务服务器发送所述第一事件的上报消息以及所述第一指示信息,其中,所述上报消息通过所述第二信息进行安全保护;所述UPF,用于接收会话管理网元SMF发送的第三指示信息,所述第三指示信息用于指示所述UPF向业务服务器发送第一事件上报消息;根据所述第三指示信息确定所述第一事件的上报消息、所述上报消息对应的第一指示信息以及第二信息;通过所述第二信息对所述上报消息进行安全保护;将安全保护后的所述上报消息以及所述第一指示信息发送给所述业务服务器;其中,所述第一指示信息用于所述业务服务器对所述上报消息进行第一权限验证,所述第二信息用于所述业务服务器对所述上报消息进行第二权限验证。
- 一种计算机可读存储介质,其特征在于,包括计算机指令,当所述计算机指令在业务服务器上运行时,使得业务服务器执行如权利要求1~12中任一所述的方法步骤。
- 一种计算机可读存储介质,其特征在于,包括计算机指令,当所述计算机指令在网元上运行时,使得所述网元执行如权利要求13~16中任一所述的方法步骤;或使得所述网元执行如权利要求17~20中任一所述的方法步骤;或所述网元执行如权利要求21~22中任一所述的方法步骤。
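The two-stage check that the claims describe (first check: the indication carried in the clear matches one the service server issued; second check: the protected report verifies under the key associated with that indication), as an added example that is not the patent's own code. The claims name no algorithms, so the choices below are assumptions: the "second information" is derived with HMAC-SHA256 from the NEF/AF shared information plus the first indication (the derivation-information alternative of claim 20), the symmetric case of claim 10 is used (first information equals second information), the UPF's "security protection" is an HMAC tag rather than a public-key signature, the PCF hop is collapsed into a direct NEF-to-SMF notification, and all identifiers, addresses and payloads are constructed for the example.

```python
"""Model of the report-message flow AF -> NEF -> SMF -> UPF -> AF.
Added example; names, the HKDF-style derivation and the HMAC tag are assumptions
of this example, not the patent's own method or any 3GPP-specified algorithm."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def derive_second_info(shared_info: bytes, first_indication: bytes) -> bytes:
    """Derivation information (claim 20) = shared NEF/AF info + first indication.
    HMAC-SHA256 as the key-derivation PRF is an assumption of this example."""
    return hmac.new(shared_info, b"second-info|" + first_indication, hashlib.sha256).digest()


def protect(key: bytes, first_indication: bytes, report: bytes) -> bytes:
    """Tag binds the report to the indication it was authorized under."""
    return hmac.new(key, first_indication + b"|" + report, hashlib.sha256).digest()


@dataclass(frozen=True)
class ProtectedReport:
    first_indication: bytes   # sent in the clear; drives the first check
    report: bytes             # the event payload (e.g. a QNC notification)
    tag: bytes                # the "security protection" over indication||report


class UPF:
    def __init__(self, third_indication: dict):
        self.cfg = third_indication   # service server address, requirement, indication, key

    def send_report(self, report: bytes) -> ProtectedReport:
        ind, key = self.cfg["first_indication"], self.cfg["second_info"]
        return ProtectedReport(ind, report, protect(key, ind, report))


class SMF:
    def __init__(self):
        self.upf = None

    def notify(self, second_indication: dict) -> None:
        # Claim 18, first alternative: second indication info already carries the
        # key, so the SMF forwards it unchanged as the third indication info.
        self.upf = UPF(dict(second_indication))


class NEF:
    def __init__(self, shared_info_with_af: bytes, smf: SMF):
        self.shared, self.smf = shared_info_with_af, smf

    def handle_request(self, first_indication: bytes, requirement: str) -> None:
        # Claim 16, third alternative: NEF computes the second info from the derivation info.
        self.smf.notify({
            "af_addr": "af.example.invalid",          # constructed address
            "requirement": requirement,
            "first_indication": first_indication,
            "second_info": derive_second_info(self.shared, first_indication),
        })


class ServiceServer:
    """The AF. Keeps the first-indication -> first-information association (claim 9)."""
    def __init__(self, shared_info_with_nef: bytes):
        self.shared = shared_info_with_nef
        self.assoc: dict[bytes, bytes] = {}

    def request_reporting(self, nef: NEF, requirement: str) -> bytes:
        first_indication = os.urandom(16)
        # Symmetric case of claim 10: first information == second information.
        self.assoc[first_indication] = derive_second_info(self.shared, first_indication)
        nef.handle_request(first_indication, requirement)
        return first_indication

    def verify(self, msg: ProtectedReport):
        """Returns the report on success, None if either authorization check fails."""
        first_info = self.assoc.get(msg.first_indication)   # first check (claim 11)
        if first_info is None:
            return None
        expected = protect(first_info, msg.first_indication, msg.report)
        if not hmac.compare_digest(expected, msg.tag):       # second check (claim 12)
            return None
        return msg.report


def run_scenario() -> dict:
    shared = b"nef-af-shared-info (constructed)"
    smf = SMF()
    nef = NEF(shared, smf)
    af = ServiceServer(shared)
    af.request_reporting(nef, "QNC")
    good = smf.upf.send_report(b"QNC: QoS not guaranteed, flow 7")
    # Attacker cases: payload altered, indication unknown to the AF, or a sender
    # that knows the indication but not the key (second check fails).
    tampered = ProtectedReport(good.first_indication, b"QNC: QoS ok, flow 7", good.tag)
    unknown = ProtectedReport(os.urandom(16), good.report, good.tag)
    forged = ProtectedReport(good.first_indication, good.report,
                             protect(b"wrong key", good.first_indication, good.report))
    return {"good": af.verify(good), "tampered": af.verify(tampered),
            "unknown_indication": af.verify(unknown), "forged": af.verify(forged)}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

The first check is cheap and only filters reports that were never requested; it is the tag check that stops a party on the user-plane path who has learned the indication from replaying it with a modified report. Binding the indication into the tag input also prevents a valid tag for one reporting requirement from being reused under another.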
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2019/123817 WO2021109151A1 (zh) | 2019-12-06 | 2019-12-06 | Method, apparatus and system for event reporting |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2019/123817 WO2021109151A1 (zh) | 2019-12-06 | 2019-12-06 | Method, apparatus and system for event reporting |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021109151A1 true WO2021109151A1 (zh) | 2021-06-10 |
Family
ID=76222187
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/123817 WO2021109151A1 (zh) | 2019-12-06 | 2019-12-06 | Method, apparatus and system for event reporting |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2021109151A1 (zh) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107667509A (zh) * | 2015-05-21 | 2018-02-06 | Qualcomm Incorporated | Efficient policy enforcement for downlink traffic using network access tokens, control-plane approach |
CN108810884A (zh) * | 2017-05-06 | 2018-11-13 | Huawei Technologies Co., Ltd. | Key configuration method, apparatus and system |
US10285155B1 (en) * | 2018-09-24 | 2019-05-07 | Cisco Technology, Inc. | Providing user equipment location information indication on user plane |
Application Events
Date | Event |
---|---|
2019-12-06 | WO PCT/CN2019/123817, patent WO2021109151A1 (zh), active, Application Filing |
Non-Patent Citations (1)
Title |
---|
INTEL: "Update Solution-2 with reference architecture and impacts", 3GPP DRAFT; S2-185244-6.10-UPDATENTW-BASED-V1, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Newport Beach, California, USA; 20180528 - 2018060, 27 May 2018 (2018-05-27), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051448743 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116321272A (zh) * | 2023-03-22 | 2023-06-23 | Guangzhou Aipu Road Network Technology Co., Ltd. | Method and apparatus for predicting the validity period of UE address information in an AF network element |
CN116321272B (zh) * | 2023-03-22 | 2023-10-03 | Guangzhou Aipu Road Network Technology Co., Ltd. | Method and apparatus for predicting the validity period of UE address information in an AF network element |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Wazid et al. | Security in 5G-enabled internet of things communication: issues, challenges, and future research roadmap | |
Oh et al. | Security requirements analysis for the IoT | |
Anitha et al. | A Novel Data Communication with Security Enhancement using Threat Management Scheme over Wireless Mobile Networks | |
WO2020174121A1 (en) | Inter-mobile network communication authorization | |
Oniga et al. | Analysis, design and implementation of secure LoRaWAN sensor networks | |
CN114503507A (zh) | Secure publish-subscribe communication method and device | |
CN111726366A (zh) | Device communication method, apparatus, system, medium and electronic device | |
WO2018177385A1 (zh) | Method, apparatus and device for transmitting data | |
Muhammad et al. | 5G-based V2V broadcast communications: A security perspective | |
EP3949254A1 (en) | Remotely managing devices using blockchain and dice-riot | |
CN113422768B (zh) | Application access method and apparatus in zero trust, and computing device | |
WO2023010880A1 (zh) | Data transmission method and related device | |
WO2021089035A1 (zh) | Method and apparatus for managing subscription data | |
CN110266725A (zh) | Cryptographic security isolation module and mobile office security system | |
Shokoor et al. | Overview of 5G & beyond security | |
Singh et al. | Dynamic group based efficient access authentication and key agreement protocol for MTC in LTE-A networks | |
CN115603932A (zh) | Access control method, access control system and related device | |
WO2021170049A1 (zh) | Method and apparatus for recording access behaviour | |
WO2021109151A1 (zh) | Method, apparatus and system for event reporting | |
Kamoun-Abid et al. | Secure architecture for Cloud/Fog computing based on firewalls and controllers | |
CN117278275A (zh) | Access permission adjustment method, apparatus and storage medium | |
JP2023535474A (ja) | Association control method and related apparatus | |
Esiner et al. | Message authentication and provenance verification for industrial control systems | |
Jansi et al. | Efficient privacy-preserving fault tolerance aggregation for people-centric sensing system | |
US20230208625A1 (en) | Communication method and related apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19955030; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 19955030; Country of ref document: EP; Kind code of ref document: A1 |