WO2021136211A1 - Method and device for determining authorization result - Google Patents

Publication number
WO2021136211A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
terminal device
network device
access
access network
Application number
PCT/CN2020/140406
Inventor
张博
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L65/00: Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40: Support for services or applications
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Definitions

  • This application relates to the field of communication technology, and in particular to a method and device for determining an authorization result.
  • the Internet of Everything technology includes not only narrowband Internet of Things (NB-IoT) technology and enhanced machine type communication (eMTC) technology; it may also include IoT, end-to-end (device-to-device, D2D) technology, and so on.
  • IoT or end-to-end technology can also be referred to as proximity-based services (Proximity-based services, ProSe).
  • a terminal device can communicate with the network through another terminal device.
  • one terminal device can access the operator's network through another terminal device to perform registration procedures, data transmission and other services.
  • the other terminal device may also be referred to as a relay terminal device.
  • the embodiments of the present application provide a method and device for determining an authorization result, which can effectively determine the relay service of a relay terminal device and prevent the terminal device from accessing the network through an unauthorized relay terminal device.
  • an embodiment of the present application provides a method for determining an authorization result, and the method includes:
  • the access network device receives a first message sent by a second terminal device, where the first message is used to indicate that the first terminal device requests access to the network through the second terminal device, and the first message includes the identification information of the second terminal device; the access network device determines the authorization result of the second terminal device according to the identification information of the second terminal device; the access network device sends a second message to the first core network device, where the second message includes the authorization result of the second terminal device; the access network device receives a response message of the second message sent by the first core network device.
  • the authorization result of the second terminal device may be the result of the second terminal device being authorized to perform the relay service.
  • the RAN determines that UE2 is authorized to perform the relay service, and then sends a second message including the authorization result of UE2 to AMF1, so that AMF1 can, based on UE2's authorization result, allow UE1 to access the network through UE2.
  • Implementing the embodiments of this application can enable AMF1 to obtain the authorization result of UE2, thereby safely and effectively allowing UE1 to access the network through UE2.
  • the access network device stores the authorization result of the second terminal device.
  • before the access network device determines the authorization result of the second terminal device according to the identification information of the second terminal device, the method further includes: the access network device sends a third message to the second core network device, where the third message includes the identification information of the second terminal device, and the third message is used to request the authorization result of the second terminal device; the access network device receives a response message of the third message sent by the second core network device, where the response message of the third message includes the authorization result of whether the second terminal device is authorized to perform the relay service; the access network device saves the authorization result of the second terminal device.
  • the identification information of the second terminal device includes a relay identification of the second terminal device.
  • the method further includes: the access network device sends a response message of the first message to the second terminal device, and the response message of the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
  • the response message of the first message includes the authorization result of the second terminal device.
  • an embodiment of the present application provides a method for determining an authorization result, and the method includes:
  • the first core network device receives a second message sent by the access network device, where the second message includes the authorization result of the second terminal device; the first core network device determines that the second terminal device is authorized to perform a relay service; the first core network device sends a response message of the second message to the access network device.
  • before the first core network device receives the second message sent by the access network device, the method further includes: the access network device receives the first message sent by the second terminal device, where the first message is used to indicate that the first terminal device requests access to the network through the second terminal device, and the first message includes the identification information of the second terminal device; the access network device determines that the second terminal device is authorized to perform the relay service, and sends the second message to the first core network device.
  • the method further includes: the access network device sends a third message to the second core network device, where the third message includes the identification information of the second terminal device, and the third message is used to request the authorization result of the second terminal device;
  • the second core network device receives the third message sent by the access network device, and sends a response message of the third message to the access network device;
  • the determining by the access network device that the second terminal device is authorized to perform the relay service includes: the access network device determines, according to the response message of the third message, that the second terminal device is authorized to perform the relay service.
  • the method further includes: the access network device sends a response message of the first message to the second terminal device, and the response message of the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
  • beneficial effects of the second aspect can be referred to the beneficial effects of the first aspect, which will not be repeated here.
  • embodiments of the present application provide a communication device, which may be a network device, a device in a network device, or a device that can be used in conjunction with a network device.
  • the communication device may also be a chip system.
  • the communication device can execute the methods described in the first aspect and various possible implementation manners of the first aspect.
  • the communication device may execute the methods described in the second aspect and various possible implementation manners of the second aspect.
  • the function of the communication device can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units corresponding to the above-mentioned functions.
  • the unit can be software and/or hardware.
  • the network device may be an access network device.
  • the network device may be the first core network device.
  • the network device may be a second core network device.
  • an embodiment of the present application provides a communication system, the communication system includes: a first core network device, configured to receive a second message sent by an access network device, the second message including the authorization result of the second terminal device; the first core network device is also used to determine that the second terminal device is authorized to perform relay services according to the authorization result of the second terminal device; the first core network device is also used to send a response message of the second message to the access network device.
  • the system further includes: an access network device, configured to receive a first message sent by the second terminal device, where the first message is used to indicate that the first terminal device requests access to the network through the second terminal device, and the first message includes the identification information of the second terminal device; the access network device is also used to determine that the second terminal device is authorized to perform the relay service, and to send the second message to the first core network device.
  • the access network device is further configured to send a third message to the second core network device, where the third message includes the identification information of the second terminal device, and the third message is used to request the authorization result of the second terminal device;
  • the system further includes: a second core network device, configured to receive the third message sent by the access network device, and send a response message of the third message to the access network device;
  • the access network device is specifically configured to determine, according to the response message of the third message, that the second terminal device is authorized to perform the relay service.
  • the access network device is further configured to send a response message of the first message to the first terminal device, and the response message of the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
  • an embodiment of the present application provides a communication device, the communication device includes a processor, and when the processor invokes a computer program in a memory, the methods described in the first aspect and various possible implementation manners of the first aspect are executed.
  • when the processor invokes the computer program in the memory, the methods described in the second aspect and various possible implementation manners of the second aspect are executed.
  • when the processor calls the computer program, the method described in any one of the first core network device, the second core network device, and the access network device is executed.
  • an embodiment of the present application provides a communication device.
  • the communication device includes a processor and a memory.
  • the memory is used to store computer-executable instructions; the processor is used to execute the computer-executable instructions to enable the communication device to execute the methods described in the first aspect and various possible implementation manners of the first aspect.
  • when the processor invokes the computer-executable instructions, the methods described in the second aspect and various possible implementation manners of the second aspect are executed.
  • when the processor invokes the computer-executable instructions, the method described in any one of the first core network device, the second core network device, and the access network device is executed.
  • an embodiment of the present application provides a communication device.
  • the communication device includes a processor, a memory, and a transceiver.
  • the transceiver is used to receive signals or send signals; the memory is used to store program code;
  • the processor is configured to call the program code to execute the method described in the first aspect.
  • when the processor calls the program code, the methods described in the second aspect and various possible implementation manners of the second aspect are executed.
  • when the processor calls the program code, the method described in any one of the first core network device, the second core network device, and the access network device is executed.
  • an embodiment of the present application provides a communication device.
  • the communication device includes a processor and an interface circuit.
  • the interface circuit is configured to receive code instructions and transmit them to the processor; the processor runs the code instructions to execute the methods described in the first aspect and various possible implementations of the first aspect.
  • the processor runs the code instructions to execute the methods described in the second aspect and various possible implementation manners of the second aspect. For example, the method described in any one of the first core network device, the second core network device, and the access network device is executed.
  • an embodiment of the present application provides a computer-readable storage medium, the computer-readable storage medium is used to store instructions, and when the instructions are executed, the methods described in the first aspect and the various possible implementations of the first aspect are implemented.
  • the methods described in the second aspect and various possible implementation manners of the second aspect are implemented.
  • the method described in any one of the first core network device, the second core network device, and the access network device is implemented.
  • embodiments of the present application provide a computer program product including instructions, which when executed, enable the methods described in the first aspect and various possible implementations of the first aspect to be implemented.
  • the methods described in the second aspect and various possible implementation manners of the second aspect are implemented.
  • the method described in any one of the first core network device, the second core network device, and the access network device is implemented.
  • an embodiment of the present application provides a computer program for executing the first aspect and various possible implementation manners of the first aspect.
  • an embodiment of the present application provides a computer program for executing the second aspect and various possible implementation manners of the second aspect.
  • the computer program is used to execute the method described in any one of the first core network device, the second core network device, and the access network device.
  • FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a network architecture provided by an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a method for determining an authorization result provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of a method for determining an authorization result provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • FIG. 8 is a schematic flowchart of a method for determining an authorization result provided by an embodiment of the present application.
  • "At least one (item)" refers to one or more.
  • "Multiple" refers to two or more than two.
  • "At least two (items)" refers to two, or three and more than three.
  • "And/or" is used to describe the association relationship of associated objects, and means that three kinds of relationships are possible.
  • "A and/or B" can mean: only A exists, only B exists, or both A and B exist, where A and B can be singular or plural.
  • the character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
  • "at least one of the following items" or similar expressions refers to any combination of these items, including any combination of a single item or a plurality of items.
  • "At least one of a, b, or c" can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c can be single or multiple.
  • the method for determining the authorization result provided in this application can be applied to various communication systems, such as an Internet of Things (IoT) system, a narrowband Internet of Things (NB-IoT) system, or a long term evolution (LTE) system; it can also be a fifth generation (5G) communication system, a hybrid architecture of LTE and 5G, a 5G new radio (NR) system, or a new communication system appearing in future communication development.
  • FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of the present application.
  • the various parts involved in FIG. 1 are as follows:
  • the terminal device 110 is also referred to as user equipment (UE), terminal, and so on.
  • a terminal device is a device with a wireless transceiver function. It can communicate with one or more core networks (CN) via the access network equipment in the (radio) access network ((R)AN) 120. It can be deployed on land, including indoor or outdoor, handheld, wearable, or vehicle-mounted; it can also be deployed on the water, such as on a ship, and it can also be deployed in the air, such as on an airplane, balloon, or satellite.
  • Terminal devices can be mobile phones, tablets, computers with wireless transceiver functions, virtual reality (VR) terminal devices, augmented reality (AR) terminal devices, wireless terminals in industrial control, wireless terminals in self-driving, wireless terminals in remote medical, wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart cities, wireless terminals in smart homes, etc.
  • the terminal equipment includes a remote terminal equipment (remote UE) and a relay terminal equipment (relay UE).
  • a relay UE can be understood as a UE that can directly access the network (or a base station); or, a relay UE can be understood as a UE that can be covered by a signal; or, a relay UE can be understood as a UE in the coverage area of the base station.
  • a relay UE can be understood as a UE with a relay function, where the relay function means that a UE without signal coverage can access the operator's network through a relay UE with signal coverage.
  • the remote UE can be understood as a UE that cannot be covered by the signal. In other words, the remote UE needs to rely on a relay UE to be able to access the network.
  • the network architecture includes UE1, UE2, and UE3, and the UE1, UE2, and UE3 belong to the same ProSe group.
  • UE1 and UE2 can be understood as remote UEs
  • UE3 can be understood as a relay UE.
  • the remote UE can access the operator's network through a relay UE, perform a registration process, or establish a protocol data unit (protocol data unit, PDU) session, send user data, and so on.
  • the relay UE can establish a communication connection with the remote UE to provide services for the remote UE to access the network.
  • the remote UE can use Internet services, use the call function, and so on through the relay UE.
  • the remote UE and the relay UE may communicate through proximity-based services (Proximity-based services, ProSe).
  • the short-distance-based service may include a device-to-device (D2D) service or a vehicle-to-everything (V2X) service and so on.
  • the relay UE may also be referred to as a UE-to-network relay.
  • the (radio) access network ((R)AN) 120 is used to provide network access functions for authorized terminal equipment in a specific area, and can use transmission tunnels of different quality according to the level of the terminal equipment, business needs, etc.
  • (R)AN can manage wireless resources, provide access services for terminal devices, and then complete the forwarding of control information and/or data information between the terminal device and the core network (CN).
  • the access network device in the embodiment of the present application is a device that provides a wireless communication function for terminal devices, and may also be referred to as a network device.
  • the access network equipment may include: a next generation node base station (gNB) in a 5G system, an evolved node B (eNB) in long term evolution (LTE), a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved node B or home node B (HNB)), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmission point (TP), small base station equipment (pico), a mobile switching center, or network equipment in a future network.
  • the user plane function (UPF) network function 130 is used for packet routing and forwarding, quality of service (QoS) processing of user plane data, and so on.
  • the data network (DN) network function 140 is used to provide a data transmission network.
  • the access and mobility management function (AMF) network function 150 can be used to implement the functions of a mobility management entity (MME) other than session management, such as lawful interception and access authorization/authentication.
  • the AMF network function is hereinafter referred to as AMF.
  • the AMF network function includes a remote AMF and a relay AMF.
  • the remote AMF is an AMF used to provide services for a remote UE;
  • the relay AMF is an AMF used to provide services for a relay UE.
  • the session management function (SMF) 160 is mainly used for session management, Internet protocol (IP) address allocation and management for terminal devices, selection of manageable user plane functions, the endpoint of the policy control and charging function interfaces, downlink data notification, etc.
  • the policy control network function 170 such as a policy control function (PCF) is a unified policy framework used to guide network behavior, and provides policy rule information for control plane functions (such as AMF, SMF network functions, etc.).
  • the authentication server function (authentication server function, AUSF) 180 is used for authentication services, generating keys to implement two-way authentication for terminal devices, and supporting a unified authentication framework.
  • the unified data management (UDM) network function 190 can be used to process terminal device identification, access authentication, registration, and mobility management. It can be understood that the UDM network function is hereinafter referred to as UDM for short.
  • the application function (AF) 1100 is used for data routing affected by applications, access to network opening functions, and interaction with the policy framework for policy control.
  • the network slice selection function can be used to determine network slice instances, select AMF network functions, and so on.
  • a network storage network function, such as the network repository function (NRF), can be used to maintain real-time information of all network functions and services in the network.
  • the network architecture shown in FIG. 1 may also include a ProSe function, and the ProSe function may be used to perform the management and control of the ProSe service, and so on.
  • the mobility management network function in the embodiment of the present application may be the AMF network function 150 shown in FIG. 1, or may be other network functions having the aforementioned AMF network function 150 in the future communication system.
  • the mobility management network function in this application may also be a mobility management entity (MME) in long term evolution (LTE), etc.
  • the AMF network function 150 is referred to as AMF for short, and the terminal device 110 is referred to as UE. That is, the AMF described later in the embodiments of this application can be replaced with a mobility management network function or core network equipment, and the UE can be replaced with terminal equipment.
  • the network architecture shown in Figure 1 (such as the 5G network architecture) adopts a service-based architecture.
  • the traditional network element functions (or network functions) are split, based on network function virtualization (NFV) technology, into several self-contained, self-managed, and reusable network function service modules. Customized network function reconstruction can be realized through flexible definition of service module collections, and business processes are formed externally through a unified service call interface.
  • the schematic diagram of the network architecture shown in FIG. 1 can be understood as a schematic diagram of a service-based 5G network architecture in a non-roaming scenario. For roaming scenarios, the embodiments of this application are also applicable.
  • the aforementioned network function or function may be a network element in a hardware device, a software function running on dedicated hardware, or a virtualization function instantiated on a platform (for example, a cloud platform).
  • the remote terminal device is UE1
  • the relay terminal device is UE2
  • the AMF that provides services for the remote terminal device is AMF1
  • the AMF that provides services for the relay terminal device is AMF2
  • the access network equipment is RAN.
  • FIG. 3 is a schematic flowchart of a method for determining an authorization result provided by an embodiment of the present application. This method can be applied to the network architecture shown in FIG. 1 and/or FIG. 2. As shown in Figure 3, the method includes:
  • the RAN receives a first message sent by UE2, where the first message is used to indicate that UE1 requests access to the network through UE2, and the first message includes identification information of UE2.
  • the identification information of UE2 is included in the first message, so that after receiving the first message, the RAN knows that UE1 requests to access the network through UE2.
  • the identification information of UE2 may include an identifier (identifier, ID) of UE2.
  • the ID of UE2 may include the permanent identity of UE2, such as any one or more of the international mobile subscriber identity (IMSI), the subscription permanent identifier (SUPI), the subscriber encapsulated identifier (SUCI), or the generic public subscription identifier (GPSI).
  • the ID of UE2 may include the temporary identity of UE2, such as a globally unique temporary UE identity (GUTI).
  • the ID of the UE2 may also include the relay ID of the UE2; the relay ID of the UE2 may be the UE identification of the relay service, or the relay ID of the UE2 may be the UE identification of the ProSe service.
  • the identification information of UE2 may include any one or more of IMSI, SUPI, SUCI, GPSI, or relay ID of UE2. It can be understood that, in order to distinguish the permanent identity, temporary identity, and relay identity of UE2, the identification information of UE2 in the following description is UE2's ID and/or UE2's relay ID.
  • the first message may also include the identification information of UE1.
  • the identification information of the UE1 may include the ID of the UE1, and the ID of the UE1 may include the permanent identification of the UE1, such as any one or more of the IMSI, SUPI, and SUCI of the UE1.
  • the ID of the UE1 may include the temporary identification of the UE1, such as the GUTI of the UE1.
  • the ID of the UE1 may also include the remote ID of the UE1.
  • the RAN can know which UE (such as UE1) needs to access the network through UE2.
  • the identification information of UE1 may include IMSI, SUPI, SUCI, GPSI, etc.
  • the identification information of UE1 in the following description is the ID of UE1 and/or the remote ID of UE1.
  • the remote ID of UE1 and the relay ID of UE2 can be configured by the short-distance service function. That is, the identification information related to the service can be configured by the short-distance service function.
  • the specific format of the identification information related to the service is not limited in the embodiment of the present application.
  • the first message may be a message sent by UE1 to the RAN through UE2; or, the first message may be a message sent by UE2 to the RAN.
  • the first message is a message sent by UE2 to the RAN, which can be understood as: UE1 sends a fourth message to UE2; then, after UE2 receives the fourth message, it parses the fourth message and generates the first message.
  • one processing method of parsing is to encapsulate the fourth message in the first message, so that the UE2 sends the first message to the RAN.
  • the identification information of UE2 may be carried in the fourth message itself, or may be encapsulated in the first message together with the fourth message after UE2 receives the fourth message.
  • the identification information of UE1 may be carried in the fourth message itself.
  • the method shown in FIG. 3 is described below taking as an example the case where the first message is a message sent by UE2 to the RAN.
  • step 302 the method shown in FIG. 3 further includes:
  • UE1 sends a fourth message to UE2, where the fourth message is used to request access to the network, and the fourth message includes identification information of UE1; correspondingly, UE2 receives the fourth message.
  • when UE2 receives the fourth message, it can encapsulate the identification information of UE1 in the first message, and then send the first message to the RAN.
  • alternatively, when UE2 receives the fourth message, it can encapsulate the fourth message itself in the first message, and then send the first message to the RAN.
  • the fourth message may also include a non-access stratum (NAS) request.
  • the NAS request may include a registration access request and so on.
  • UE2 may encapsulate the NAS request in the first message, or encapsulate the fourth message in the first message, so as to send the first message to the RAN.
  • the NAS request may also be a normal uplink NAS message.
  • the fourth message includes the NAS request and the identification information of UE1, and UE2 receives the fourth message, and may encapsulate the NAS request and the identification information of UE1 in the first message.
  • the first message is sent to the RAN.
  • the first message may also include first indication information (indicator), and the first indication information is used to indicate that the data contained in the first message is data for the remote UE of the relay; or, the first indication information is used to indicate that the first message includes information in the fourth message from UE1.
  • the first indication information may be included in the NAS request, or the first indication information may be information encapsulated in the first message together with the fourth message when the UE2 receives the fourth message.
  • the method shown in FIG. 3 further includes: AMF1 checks UE1 to determine the authorization result of UE1.
  • the authorization result of the UE1 includes the result of whether the UE1 is applicable to the ProSe service, and/or the result of whether the UE1 is authorized to perform the remote UE service.
  • AMF1 may verify UE1 according to the subscription information of UE1.
  • this embodiment of the application does not limit how AMF1 obtains the subscription information of UE1.
  • the subscription information may be acquired by AMF1 from UDM, or the subscription information may also be acquired by AMF1 from the short-distance service function.
  • the AMF1 may also obtain second indication information from the UDM or the short-distance service function, and the second indication information is used to indicate the authorization result of the UE1.
  • the RAN determines the authorization result of the UE2 according to the identification information of the UE2; and sends a second message to the AMF1; the second message includes the authorization result of the UE2.
  • AMF1 receives the second message.
  • the authorization result of the UE2 may include the result of whether the UE2 is applicable to the ProSe service, and/or the result of whether the UE2 is authorized to perform the relay service.
  • the authorization result of UE2 may include the result that UE2 is authorized to perform the relay service.
  • the authorization result of the UE2 may include the result that the ProSe service is applicable to UE2 and that UE2 is authorized to perform the relay service.
  • the authorization result of the UE2 may include the result that the ProSe service is applicable to UE2 and that UE2 is not authorized to perform the relay service.
  • the UE2 being authorized to perform the relay service can also be understood as: the UE2 can be authorized to perform the relay function; alternatively, the UE2 can be the relay node of the remote UE. The UE2 being authorized to perform the relay service may also indicate that the ProSe service is applicable to UE2.
  • the RAN may determine whether the UE2 is authorized to perform the relay service according to stored information, and the stored information includes the identification information of the UE2 and the authorization result of the UE2.
  • the authorization result of the UE2 may be sent by AMF2 to the RAN proactively, so that the RAN saves it.
  • the authorization result of the UE2 may also be stored by the RAN after the RAN requests AMF2 to send it.
  • the RAN may also request the authorization result from AMF2 after receiving the second message.
  • the details can be as follows:
  • the RAN sends a third message to AMF2, the third message includes the identification information of UE2, and the third message is used to request the authorization result of UE2.
  • the AMF2 receives the third message.
  • the AMF2 sends a response message of the third message to the RAN.
  • the RAN receives the response message of the third message sent by the AMF2.
  • the embodiment of the present application does not limit how the RAN determines AMF2.
  • the temporary identity of UE2 includes the address of AMF2, or the RAN can determine AMF2 according to the network information in the identity information of UE2.
  • after the AMF2 receives the third message for requesting the authorization result of the UE2, it can send the authorization result of the UE2 to the RAN.
  • the response message of the third message may include the authorization result of the UE2.
  • the response message of the third message may also include the identification information of UE2.
  • steps 3031) and 3032) may be performed after the RAN receives the first message of the UE2: the RAN then sends the third message to the AMF2 in order to determine the authorization result of the UE2.
  • the response message of the third message may also include rejection information, and the rejection information may be used to indicate that UE1 is denied access to the network through UE2.
  • the response message of the third message may also include a rejection type, and the rejection type is used to indicate that the UE2 is not authorized to perform a relay function. Further, in the case that the RAN determines that the UE2 is not authorized to perform the relay service according to the identification information of the UE2, the RAN may discard the first message.
  • steps 3031) and 3032) may also be performed before the RAN receives the first message: the RAN sends the third message to the AMF2 in advance in order to determine the authorization result of the UE2.
  • the RAN can save the authorization result of UE2 after receiving the authorization result of UE2. Therefore, after receiving the first message, the authorization result of the UE2 can be sent to the AMF1.
  • the third message can be a message from UE2; alternatively, it can be a message sent by UE2 to the RAN, and then sent to the AMF2 through the RAN; or, it can be a message sent by UE1 to UE2, and then sent by UE2 to the AMF2 through the RAN. It can be understood that, because the third message includes the identification information of the UE2, the AMF2 can clearly know which UE (such as UE2) is requesting authorization of the relay service.
  • the third message may be understood as: the third message is used to request authorization for the relay service of UE2.
  • the third message can be applied to the following scenario: UE1 notifies UE2 to request access to the network, and UE2 requests AMF2 to authorize its own relay service.
  • the method shown in the embodiment of the present application may further include: 3033) the AMF2 verifies the UE2 to determine the authorization result of the UE2.
  • the AMF2 may determine the authorization result of the UE2 according to the subscription information of the UE2. For example, the AMF2 may obtain the subscription information of the UE2 from UDM, or the AMF2 may also obtain the subscription information of the UE2 from the ProSe function. Alternatively, the AMF2 sends a message for requesting the authorization result of UE2 to the proximity service function; after receiving the message, the proximity service function requests the subscription information from an entity that stores the UE2 subscription information, such as the UDM or the unified data repository (UDR).
  • the subscription information can be issued by the operator's network and stored in the UDM or short-distance service function.
  • the AMF2 may also obtain third indication information from the UDM or the short-distance service function, and the third indication information is used to indicate the authorization result of the UE2. That is, the third indication information may be used to indicate whether the UE2 is authorized to perform the ProSe service and/or whether it is authorized to perform the relay function of the ProSe service.
  • AMF1 sends a response message of the second message to the RAN.
  • the RAN receives the response message of the second message sent by the AMF1.
  • the second message may include the authorization result of UE2, and may also include part or all of the information in the first message.
  • the second message may also include part or all of the information in the fourth message.
  • after UE2 receives the fourth message, it can encapsulate the fourth message in the first message and send the first message to the RAN; the RAN receives the first message, encapsulates the first message in the second message, and then sends the second message to AMF1.
  • UE2 receives the fourth message, and encapsulates the non-access stratum request in the fourth message in the first message, thereby sending the first message to the RAN.
  • the RAN receives the first message, and encapsulates the identification information of the UE2 carried in the first message in the second message, thereby sending the second message to AMF1. It can be understood that the embodiment of the present application does not limit the manner in which the message is generated. For another example, if the RAN receives a first message, and the first message includes the first indication information, the RAN may encapsulate the first indication information in a second message, so as to send the second message to AMF1. By including the first indication information in the second message, the AMF1 can receive the first indication information and verify the relay service of the UE2.
  • the response message of the second message includes a non-access stratum (NAS) message sent to UE1.
  • the NAS message may be used to respond to the NAS request included in the fourth message.
  • the NAS message may also have integrity protection, that is, it can be a NAS message after NAS activation, or a NAS security mode instruction message, and so on. By performing integrity protection on the NAS, other attackers can be prevented from modifying the content in the response message of the second message.
  • the response message of the second message may be used to indicate that AMF1 has processed the NAS request sent by UE1 to UE2.
  • the fact that the response message of the second message includes a NAS message may also indicate that AMF1 has processed the NAS request sent by UE1, which indicates that AMF1 authorizes UE1 to access the network through UE2.
  • AMF1 informs UE1 that the UE2 it accesses is authorized to use the ProSe service and/or relay function by sending a NAS message carrying the authorization result of UE2 to UE1.
  • the response message of the second message may also include the authorization result of UE1.
  • after AMF1 receives the second message, it can also verify the relay service of UE2. If the check is passed, AMF1 sends a response message of the second message to the RAN. The response message of the second message is used to indicate that UE1 is allowed to access the network through UE2. If the check fails, AMF2 may discard the second message; or, the response message of the second message may be used to indicate that UE1 is denied access to the network.
  • the AMF1 may verify the relay service of the UE2 as follows, for example: the AMF1 judges whether the identification information of the UE2 included in the message for requesting access to the network is consistent with the identification information of the UE2 included in the second message. If they are consistent, AMF1 can determine that UE1 can access the network through UE2; if they are not consistent, AMF1 can determine that the relay UE requested by UE1 and the relay UE authorized by the RAN are not the same UE, and the AMF1 can then discard the second message.
  • the response message of the second message may include rejection information or rejection reason, and so on.
  • the RAN sends a response message of the first message to UE2, where the response message of the first message is used to indicate that UE1 is allowed to access the network through UE2.
  • the UE2 receives the response message of the first message.
  • the response message of the first message may include the authorization result of UE1. If UE1 is not authorized to perform remote UE functions and/or short-distance communication service functions, UE2 can reject UE1's access, disconnect the connection or send a rejection message to UE1.
  • the rejection message may also include a rejection identifier, which is used to indicate that the UE1 is not authorized to perform the function of the remote UE and/or the short-distance communication service function.
  • the response message of the first message may be the response message of the second message of AMF1 forwarded by the RAN.
  • the response message of the first message may also include the authorization result of UE2.
  • the response message of the first message may include any one or more of: part or all of the information in the response message of the second message, part or all of the information in the second message, part or all of the information in the first message, and part or all of the information in the fourth message.
  • for the response message of the first message, refer by analogy to the description of the response message of the fourth message or of the second message, which will not be repeated here.
  • the method shown in FIG. 3 may further include:
  • UE2 sends a response message of the fourth message to UE1.
  • the UE1 receives the response message of the fourth message.
  • the response message of the fourth message may include any one or more of: the authorization result of UE2, part or all of the information in the response message of the first message, part or all of the information in the response message of the second message, part or all of the information in the second message, part or all of the information in the first message, and part or all of the information in the fourth message.
  • for the response message of the fourth message, refer by analogy to the description of the response message of the second message, which will not be repeated here.
  • the response message of the fourth message may include a non-access stratum (NAS) message sent by AMF1 to UE1, and the NAS message includes information indicating whether UE2 is authorized to perform the relay function. Through the indication information, the UE1 can determine whether the accessing UE2 is authorized.
  • step 303 can be replaced with:
  • the RAN sends a fifth message to AMF2, the fifth message is used to request the authorization result of UE2, and the fifth message includes the address of AMF1 and identification information of UE2.
  • the AMF2 receives the fifth message.
  • AMF2 sends a response message of the fifth message to AMF1, and the response message of the fifth message includes the authorization result of UE2 and the identification information of UE2.
  • AMF1 receives the response message of the fifth message.
  • the AMF2 can determine the authorization result of the UE2 according to the identification information of the UE2.
  • the address of AMF1 included in the fifth message can be used to instruct AMF2 to send the authorization result of UE2 to AMF1.
  • the RAN can determine the address of AMF2 according to the identification information of UE2, and determine the address of AMF1 according to the identification information of UE1. Therefore, by sending the address of AMF1 to AMF2, AMF2 can directly send the authorization result of UE2 to AMF1. It is understandable that AMF2 may directly send a response message of the fifth message to AMF1, and may also send a response message of the fifth message to AMF1 through other network elements.
  • the RAN determines that UE2 is authorized to perform the relay service, and then sends a second message including the authorization result of UE2 to AMF1, so that the AMF1 can, based on the authorization result of UE2, allow UE1 to access the network through UE2.
  • Implementing the embodiments of this application can enable AMF1 to obtain the authorization result of UE2, thereby allowing UE1 to access the network through UE2 in time.
  • FIG. 4 is a schematic diagram of a scenario of a method for determining an authorization result provided by an embodiment of the present application. As shown in Figure 4, the method includes:
  • UE2 accesses AMF2 through RAN, completes the network registration process, and accesses the operator network.
  • UE1 accesses AMF1 through RAN, completes the network registration process, and accesses the operator network.
  • the UE2 determines whether the UE2 applies the ProSe service through the AMF2 or the ProSe function. And the UE1 determines whether the UE1 is applicable to the ProSe service through the AMF1 or the ProSe function.
  • AMF2 may obtain UE2's subscription information from UDM, and determine whether the UE2 can use the ProSe service according to the UE2's subscription information, and/or determine whether the UE2 can perform the relay service.
  • AMF2 may obtain UE2's subscription information and so on from the short-distance service function.
  • the above step 403 may also be implemented when the UE2 accesses the AMF2 and performs the registration procedure.
  • AMF2 can obtain the subscription information of UE2 from the UDM or short-range service function according to the request of UE2, to determine whether the UE2 can be authorized to perform the ProSe service, or to determine whether the UE2 is authorized to perform the relay service, and then obtain the authorization result of the UE2.
  • the AMF2 can also save the authorization result of the UE2, such as saving the UE2 ID and the authorization result of the UE2, or save the relay ID of the UE2 and the authorization result of the UE2.
  • the AMF1 may also obtain the subscription information of the UE1 from the UDM or the short-distance service function according to the registration request of the UE1. Therefore, the AMF1 determines whether the UE1 can use the ProSe service, and/or determines whether the UE1 can perform the service of the remote UE, and then obtains the authorization result of the UE1. And the AMF1 can also save the authorization result of the UE1, such as saving the UE1 ID and the authorization result of the UE1, or saving the remote ID of the UE1 and the authorization result of the UE1.
  • UE1 executes the discovery process.
  • UE1 performs the discovery process, which can be understood as: UE1 discovers that it can access the network through UE2. Alternatively, it can also be understood as: UE1 finds that the distance to UE2 is closer than the distance to the base station. For example, UE1 may determine that UE2 is a relay UE by receiving a broadcast message of UE2.
  • UE1 sends an indirect communication request to UE2, where the indirect communication request includes UE1 ID and/or remote ID.
  • the UE2 receives the indirect communication request.
  • the UE2 sends a relay service request (relay UE service request) to the AMF2 through the RAN.
  • the relay service request includes the UE2 ID and/or the UE2 relay ID.
  • AMF2 receives the relay service request.
  • the relay service request may also include the ID of UE1 and/or the remote ID of UE1.
  • relay service request in step 406 can be understood as the third message in step 3031) shown in FIG. 3.
  • AMF2 checks UE2 to determine the authorization result of UE2.
  • the AMF2 can verify whether the UE2 is authorized to perform the relay function; or, the AMF2 can also verify whether the UE2 is authorized to perform the relay service function of the remote UE through the relay UE.
  • AMF2 may determine the authorization result of UE2 according to locally stored information.
  • the AMF2 may obtain the authorization result of the UE2 from the UDM or the short-distance service function.
  • AMF2 sends an NG interface application protocol (NG application protocol, NGAP) message to the RAN, where the NGAP message includes proximity authorization indication (ProSe authorized) information.
  • the RAN receives the NGAP message and saves the short-range authorization instruction.
  • the short-range authorization indication information is used to indicate that the UE2 non-access communication request is authorized.
  • the NGAP message may also include authorization success indication information, which is used to indicate that the UE2 is authorized to perform the relay function; or used to indicate that the remote UE is authorized to perform the relay service through the relay UE.
  • the NGAP message may also include UE2's ID and/or UE2's relay ID.
  • the NGAP message may also include the ID of UE1 and/or the remote ID of UE1.
  • the RAN may also store the UE2 ID and/or the relay ID of UE2, as well as the UE1 ID and/or the remote ID of UE1.
  • NGAP message in step 408 can be understood as a response message to the third message shown in FIG. 3.
  • the RAN sends a radio resource control (radio resource control, RRC) message to UE2.
  • the RRC message includes short-range authorization indication information.
  • the UE2 receives the RRC message.
  • UE2 sends a response message to UE1.
  • response message is used to indicate that UE2 is allowed to use the indirect communication service.
  • the above steps 405-410 can be understood as the following scenario: if the UE1 informs the UE2 to request access to the network, the UE2 requests the AMF2 to authorize its own relay service.
  • steps 406-409 are optional; the method shown in FIG. 4 may not include them.
  • the UE2 may also send the identification information of the UE1 to the AMF1 through the RAN.
  • the AMF1 can determine whether the UE1 is authorized to use the short-range communication service and/or the remote service (that is, the function of the remote UE) according to the identification information of the UE1.
  • the authorization result of UE1 is sent to UE2. If the verification is successful, UE2 continues to perform; otherwise, UE2 interrupts the process or sends a rejection message to UE1.
  • the rejection message may also include a rejection indication, indicating that the UE1 is not authorized to use the near field communication service and/or the function of the remote UE.
  • UE1 sends a remote UE non-access request (remote UE NAS request) to UE2, where the remote UE non-access request includes UE1 ID and/or UE1's remote ID.
  • UE2 receives the remote UE non-access request.
  • the remote UE non-access request may also include UE2's ID and/or UE2's relay ID.
  • the UE2 ID and/or the relay ID of UE2 may be obtained by UE1 in step 404; or may be obtained in step 410, and so on.
  • the UE2 can also check whether it is in the same PLMN service network as the UE1; if it is not in the same PLMN service network, the process is interrupted or a rejection message is sent to UE1.
  • the rejection message may also include a rejection indication, indicating that UE1 and UE2 belong to different PLMN service networks.
  • the check here can compare the service network identifier carried in the identifier of UE1, or a service network identifier sent separately by UE1 to UE2, with the service network accessed by UE2 to see whether they are the same.
  • the remote UE non-access request can be understood as the fourth message in step 301 shown in FIG. 3.
  • UE2 sends an uplink RRC message to the RAN, where the uplink RRC message includes a non-access request.
  • the RAN receives the uplink RRC message.
  • uplink RRC message can be understood as the first message in step 301 shown in FIG. 3.
  • the RAN determines that UE2 is authorized to perform the relay service.
  • the RAN can determine that the UE2 is authorized to perform the relay service according to, for example, the authorization result and the identification information saved by the RAN in step 408.
  • the RAN sends an NGAP message to AMF1, where the NGAP message includes the authorization result of UE2 and the ID of UE2; or, the NGAP message includes the authorization result of UE2 and the relay ID of UE2.
  • the NGAP message also includes a non-access request.
  • the NGAP message can be understood as the second message in step 303 shown in FIG. 3.
  • AMF1 determines that UE2 is authorized to perform the relay service. For a specific authorization verification method, refer to the embodiment in FIG. 3.
  • AMF1 determines whether the UE2 ID in the NGAP message sent by the RAN is consistent with the UE2 ID in the remote UE non-access request sent by UE1; if they are the same, it is determined that the authorization of UE2 is successful; if they are inconsistent, UE1's request to access the network is rejected.
  • the AMF1 may also discard the NGAP message and so on.
  • AMF1 sends a downlink NAS message to UE1 through RAN and UE2, where the downlink NAS message is used to instruct UE1 to access the network through UE2 or to authorize UE2 to perform a relay service.
  • the downlink NAS message can be understood as a response message to the second message in step 304 shown in FIG. 3.
  • the downlink NAS message may be understood as the response message of the first message in step 305 shown in FIG. 3; or the response message of the fourth message in step 306.
  • the downlink NAS message also includes the UE2 ID and/or relay ID.
  • the UE1 determines the authorization to access the network according to the downlink NAS message.
  • the UE1 may also determine whether the relay ID of the UE2 in the downlink NAS message is consistent with the ID of the relay UE discovered in the discovery process. If they are consistent, UE1 determines to access the network; if they are inconsistent, UE1 can interrupt the process of accessing the network, or can reselect another relay UE to access the network.
  • the transfer of the authorization information of the UE2 is completed by the base station, which avoids the transfer of authorization parameters between AMFs and reduces the impact between AMFs.
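The three checks in the FIG. 4 flow (the RAN consulting its stored authorization result for UE2, AMF1 comparing the UE2 ID reported by the RAN with the one in UE1's request, and UE1 comparing the relay ID in the downlink NAS message with the relay it discovered) can be modelled as follows. This is an added example, not code from the application; all class, function and cause names, and the sample records, are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass(frozen=True)
class AuthResult:
    """Authorization result of a relay UE (UE2), as determined by AMF2."""
    prose_applicable: bool
    relay_authorized: bool


@dataclass(frozen=True)
class NasRequest:
    """Fourth message: UE1's NAS request, naming the relay it wants to use."""
    ue1_id: str
    requested_relay_id: str


@dataclass(frozen=True)
class FirstMessage:
    """Uplink RRC message from UE2 to the RAN, wrapping UE1's NAS request."""
    ue2_id: str
    nas_request: NasRequest


@dataclass(frozen=True)
class SecondMessage:
    """NGAP message from the RAN to AMF1: UE2's ID plus its authorization result."""
    ue2_id: str
    ue2_auth: AuthResult
    nas_request: NasRequest


class Ran:
    """Keeps UE2 authorization results and gates first messages on them."""

    def __init__(self, ask_amf2: Callable[[str], Optional[AuthResult]]):
        self._stored: Dict[str, AuthResult] = {}
        self._ask_amf2 = ask_amf2  # stands in for the third message and its response

    def on_first_message(self, msg: FirstMessage) -> Optional[SecondMessage]:
        result = self._stored.get(msg.ue2_id)
        if result is None:
            # Nothing stored yet: request the result from AMF2 and save it.
            result = self._ask_amf2(msg.ue2_id)
            if result is not None:
                self._stored[msg.ue2_id] = result
        if result is None or not result.relay_authorized:
            return None  # the RAN discards the first message
        return SecondMessage(msg.ue2_id, result, msg.nas_request)


def amf1_on_second_message(msg: SecondMessage, authorized_remote_ues: Set[str]) -> dict:
    """AMF1's checks; returns a simplified downlink NAS response."""
    if not msg.ue2_auth.relay_authorized:
        return {"accept": False, "cause": "relay-not-authorized"}
    # Consistency check: relay requested by UE1 vs. relay vouched for by the RAN.
    if msg.nas_request.requested_relay_id != msg.ue2_id:
        return {"accept": False, "cause": "relay-id-mismatch"}
    # UE1's own authorization as a remote UE (from its subscription information).
    if msg.nas_request.ue1_id not in authorized_remote_ues:
        return {"accept": False, "cause": "remote-ue-not-authorized"}
    return {"accept": True, "relay_id": msg.ue2_id}


def ue1_accepts(discovered_relay_id: str, downlink_nas: dict) -> bool:
    """UE1 proceeds only if the authorized relay is the one it discovered."""
    return bool(downlink_nas.get("accept")) and downlink_nas.get("relay_id") == discovered_relay_id


def run_flow(ran: Ran, first: FirstMessage, authorized_remote_ues: Set[str],
             discovered_relay_id: str) -> str:
    second = ran.on_first_message(first)
    if second is None:
        return "dropped-by-ran"
    response = amf1_on_second_message(second, authorized_remote_ues)
    if not response["accept"]:
        return response["cause"]
    return "attached" if ue1_accepts(discovered_relay_id, response) else "rejected-by-ue1"


# Constructed sample records held by AMF2 (not taken from the application).
AMF2_RECORDS = {
    "relay-A": AuthResult(prose_applicable=True, relay_authorized=True),
    "relay-B": AuthResult(prose_applicable=True, relay_authorized=False),
}

if __name__ == "__main__":
    ran = Ran(AMF2_RECORDS.get)
    ok = FirstMessage("relay-A", NasRequest("remote-1", "relay-A"))
    print(run_flow(ran, ok, {"remote-1"}, "relay-A"))
```

The model makes the trust boundary visible: the relay never asserts its own authorization, and a request relayed by a UE other than the one UE1 named is rejected at AMF1 rather than silently accepted.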
  • steps 413-415 above can also be replaced with:
  • the RAN forwards the uplink RRC message sent by UE2 to AMF1.
  • the AMF1 receives the uplink RRC message.
  • AMF1 sends a request message to AMF2, and the request message is used to request the authorization result of UE2.
  • the AMF2 receives the request message.
  • the request message carries UE2 ID and/or relay ID.
  • the AMF1 may determine the address of the AMF2 according to the UE2 ID and/or the relay ID of the UE2 included in the uplink RRC message.
  • the AMF2 can determine whether the UE2 is authorized to perform the relay service according to the UE2 ID and/or the relay ID of the UE2. In the case that the AMF2 determines that the UE2 is authorized to perform the relay service, the AMF2 performs step 425).
  • AMF2 sends a response message of the request message to AMF1.
  • the AMF1 receives the response message of the request message.
  • the AMF1 determines that the UE2 is authorized to perform the relay service according to the response message of the request message.
  • steps 413-415 above can also be replaced with:
  • the RAN forwards the uplink RRC message sent by UE2 to AMF1.
  • the AMF1 receives the uplink RRC message.
  • AMF1 sends a request message to UDM or the short-distance service function, and the request message is used to request the authorization result of UE2.
  • the UDM or short-distance service function receives the request message.
  • the request message carries UE2 ID and/or relay ID.
  • the UDM or short-distance service function sends a response message of the request message to AMF1.
  • the AMF1 receives the response message of the request message.
  • the AMF1 determines that the UE2 is authorized to perform the relay service according to the response message of the request message.
  • the data transfer is completed through the interface between AMFs, which avoids the transfer of authorization parameters and the like through the base station.
  • the method shown in the embodiment of this application takes as examples AMF2 verifying whether UE2 is authorized to perform relay services or short-distance service functions, and AMF1 verifying whether UE1 is authorized to perform remote services or short-distance service functions.
  • the above method may also be executed by SMF.
  • taking SMF1 as an example: here, UE1 accesses SMF1 through UE2, RAN and AMF1. At this time, SMF1 checks whether UE2 can use the relay function. The specific method is as follows: AMF1 sends the authorization result of UE2 to SMF1; or, SMF1 determines it according to the identification information of UE2 (the specific confirmation method is the same as that used by AMF2 according to the identification information of UE2); or SMF1 requests it from AMF2 and obtains it from AMF2. If SMF1 successfully verifies UE2, it sends a verification success indication to AMF1, and then AMF1 continues to execute other processes without restriction.
  • the embodiment of the present application also includes the following possibility. If the AMF1 successfully verifies the UE2, it may not send the UE2 authorization verification success indication to the RAN, or the UE2, or the UE1. AMF1 can normally perform UE1's business processes, such as UE1 registration, session establishment, and so on. The business process is not interrupted, which means that the authorization verification of UE2 is successful.
  • the embodiment of the present application also includes the following possibility. If the RAN verifies UE2 successfully, the UE2 authorization verification success indication may not be sent to UE2 or UE1.
  • the RAN can normally perform UE1's service procedures, such as UE1 registration, session establishment, and so on.
  • the business process is not interrupted, which means that the authorization verification of UE2 is successful.
  • FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • the wireless communication device can be used to execute the method for determining the authorization result provided in this application. As shown in Figure 5,
  • the transceiver unit 501 is configured to receive a first message sent by a second terminal device, where the first message is used to indicate that the first terminal device requests access to the network through the second terminal device, and the first message includes the identification information of the second terminal device;
  • the processing unit 502 is configured to determine the authorization result of the second terminal device according to the identification information of the second terminal device;
  • the transceiver unit 501 is further configured to send a second message to the first core network device, the second message including the authorization result of the second terminal device, and to receive a response message to the second message sent by the first core network device.
  • the access network device stores the authorization result of the second terminal device.
  • the transceiver unit 501 is further configured to send a third message to the second core network device, where the third message includes the identification information of the second terminal device and is used to request the authorization result of the second terminal device;
  • the transceiver unit 501 is further configured to receive a response message of the third message sent by the second core network device;
  • the processing unit 502 is also used to save the authorization result of the second terminal device.
  • the identification information of the second terminal device includes the relay identification of the second terminal device.
  • the transceiver unit 501 is further configured to send a response message of the first message to the second terminal device, and the response message of the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
  • the response message of the first message includes the authorization result of the second terminal device.
  • the processing unit 502 may be implemented by one or more processors, and the transceiver unit 501 may be implemented by a transceiver.
  • the processing unit 502 can be implemented by one or more processing circuits, and the transceiver unit 501 can be implemented by an interface circuit (or an input/output interface, a communication interface, an interface, etc.).
  • FIG. 6 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • the communication system can be used to implement the methods shown in FIG. 3 and FIG. 4.
  • the communication system includes:
  • the first core network device 601 is configured to receive a second message sent by the access network device, where the second message includes the authorization result of the second terminal device;
  • the first core network device 601 is further configured to determine that the second terminal device is authorized to perform the relay service according to the authorization result of the second terminal device;
  • the first core network device 601 is further configured to send a response message of the second message to the access network device.
  • the system further includes:
  • the access network device 602 is configured to receive a first message sent by the second terminal device; where the first message is used to instruct the first terminal device to request access to the network through the second terminal device, and the first message includes Identification information of the second terminal device;
  • the access network device 602 is also used to determine that the second terminal device is authorized to perform a relay service, and send the second message to the first core network device.
  • the access network device 602 is further configured to send a third message to the second core network device, where the third message includes the identification information of the second terminal device and is used to request the authorization result of the second terminal device;
  • the second core network device 603 is configured to receive the third message sent by the access network device, and send a response message of the third message to the access network device;
  • the access network device 602 is specifically configured to determine, according to the response message of the third message, that the second terminal device is authorized to perform the relay service.
  • the access network device 602 is also used to send a response message of the first message to the second terminal device, and the response message of the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
  • the foregoing first core network device may include a processing unit and a transceiving unit, and the transceiving unit may be used to perform a method related to transceiving signals.
  • the transceiver unit may be used to receive a second message sent by an access network device, and send a response message of the second message to the access network device.
  • the processing unit may be configured to determine that the second terminal device is authorized to perform the relay service according to the authorization result of the second terminal device.
  • the processing unit is also used to verify the ProSe service of the first terminal device and so on.
  • the foregoing second core network device may include a processing unit and a transceiving unit.
  • the transceiver unit may be used to receive the third message sent by the access network device.
  • the transceiver unit is also configured to send a response message of the third message to the access network device.
  • the processing unit may be used to verify the terminal device and determine the authorization result of the second terminal device.
  • FIG. 7 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • the communication device may be used as an access network device. In another embodiment, the communication device may be used as the first core network device. In another embodiment, the communication device can be used as a second core network device.
  • the specific implementation of the communication device can refer to the methods shown in FIG. 3 and FIG. 4.
  • the device 70 includes at least one processor 720 for implementing the implementation of this application.
  • when the processing unit of the first core network device or the second core network device (not shown in the drawings) is implemented by a processor and the transceiver unit is implemented by a transceiver, as shown in FIG. 7, the apparatus 70 includes at least one processor 720, configured to implement the function of the first core network device or the second core network device in the method provided in the embodiments of the present application.
  • the device 70 may also include a transceiver 710.
  • the transceiver can be used to communicate with other devices through the transmission medium.
  • the processor 720 uses the transceiver 710 to send and receive data (such as sending and receiving messages, etc.), and is used to implement the method described in the foregoing method embodiment.
  • the device 70 may further include at least one memory 730 for storing program instructions and/or data.
  • the memory 730 and the processor 720 are coupled.
  • the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be in electrical, mechanical or other forms, and is used for information exchange between devices, units or modules.
  • the processor 720 may operate in cooperation with the memory 730.
  • the processor 720 may execute program instructions stored in the memory 730.
  • connection medium between the above-mentioned transceiver 710, the processor 720, and the memory 730 is not limited in the embodiment of the present application.
  • the memory 730, the processor 720, and the transceiver 710 are connected by a bus 740 in FIG. 7, and the bus is represented by a thick line in FIG. 7.
  • the connection mode between other components is only for schematic illustration and is not limited.
  • the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 7, but it does not mean that there is only one bus or one type of bus.
  • the processor may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which may implement or perform the methods, steps, and logic block diagrams disclosed in the embodiments of the present application.
  • the general-purpose processor may be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in combination with the embodiments of the present application may be directly embodied as execution and completion by a hardware processor, or execution and completion by a combination of hardware and software modules in the processor.
  • the memory in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • the volatile memory may be random access memory (RAM), which is used as an external cache.
  • forms of RAM include static random access memory (static RAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (SLDRAM), and direct rambus RAM.
  • the present application also provides a computer program product, the computer program product includes computer program code, and when the computer program code runs on a computer, the computer executes the method in the embodiment shown in FIG. 3 and/or FIG. 4.
  • the present application also provides a computer-readable medium that stores program code, and when the program code runs on a computer, the computer executes the method in the embodiment shown in FIG. 3 and/or FIG. 4.
  • the present application also provides a computer program that can be used to execute the method in the embodiment shown in FIG. 3 and/or FIG. 4.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from a website, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a high-density digital video disc (digital video disc, DVD)), or a semiconductor medium (for example, a solid state disk (solid state disc, SSD)) etc.
  • terms such as "component" used in this specification denote computer-related entities: hardware, firmware, a combination of hardware and software, software, or software in execution.
  • the component may be, but is not limited to, a process, a processor, an object, an executable file, an execution thread, a program, and/or a computer running on a processor.
  • the application running on the computing device and the computing device can be components.
  • One or more components may reside in processes and/or threads of execution, and components may be located on one computer and/or distributed between two or more computers.
  • these components can be executed from various computer readable media having various data structures stored thereon.
  • the components can communicate through local and/or remote processes based on, for example, a signal having one or more data packets (e.g. data from two components interacting with another component in a local system, a distributed system, and/or across a network such as the Internet that interacts with other systems through signals).
  • this application also includes methods for authorizing UE1 to access certain slices and/or sessions through relay UE2.
  • FIG. 8 is a schematic diagram of a scenario of another authorization result determination method provided by this application. As shown in Figure 8, the method includes:
  • UE2 accesses AMF2 through RAN, completes the network registration process, and accesses the operator's network.
  • AMF2 stores UE2's subscription information. This subscription information is received from UDM when AMF2 sends a subscription data acquisition request to UDM during UE2 registration.
  • the UE2 subscription information includes the slice information that the UE2 is allowed to access; or the UE2 subscription information includes the slice information for which the UE2 is allowed to provide the service of the relay function.
  • the slice information here can be a slice identifier, network slice selection assistance information (NSSAI), single network slice selection assistance information (S-NSSAI), or other information or identification of the slice.
  • Mode 1 is that UE2 broadcasts information.
  • UE1 uses the broadcast information of UE2 to determine to use the relay service provided by UE2, and then access UE2.
  • Mode 2 is that UE1 sends broadcast information to broadcast that it wants to use the relay service, and UE2 determines that it can provide the relay service for UE1, and then responds to UE1's broadcast information.
  • the method shown in FIG. 8 may further include step 801 and step 802.
  • UE2 serves as a relay to send broadcast information, where the broadcast information includes slice information 2 or the code of slice information 2.
  • Slice information 2 is used to indicate which slices UE2 can provide relay services for as a relay.
  • the coding of slice information 2 can also be broadcast here; but the receiver UE1 can determine the corresponding slice information 2 according to the coding of slice information 2.
  • the slice information 2 or the code of slice information 2 may also be carried in the relay service code of the broadcast message for transmission.
  • UE1 receives the broadcast information sent by UE2 and determines that it wants to access, through UE2, the slice service corresponding to slice information 2 or to the code of slice information 2. UE1 then sends SUCI1 and slice information 1 to UE2, where slice information 1 is the slice information corresponding to the slice service that UE1 wants to access; this can be sent to UE2 through a PC5 communication request.
  • the UE1 may determine the slice information 2 according to the encoding of the slice information 2.
  • the UE1 may preset a list of slice information 2 corresponding to the encoding of the slice information 2, or during the registration process, receive this list from the UDM through the AMF network element, and then determine the slice information 2.
  • the slice corresponding to the slice information 2 or the encoding of the slice information 2 may be the same as the slice corresponding to the slice information 1, or include the slice corresponding to the slice information 1.
  • slice information 2 includes 5 S-NSSAIs
  • slice information 1 is 1 of the above 5 S-NSSAIs.
  • step 801 is optional.
  • UE1 sends PC5 communication request information, which includes slice information 1 and SUCI1.
  • slice information 1 is slice information corresponding to the slice service that UE1 wants to access through the relay.
  • the UE2 determines that it can provide the relay service for the slice information 1 for the UE1, and then continues.
  • Optionally send a response that can provide a relay service to UE1.
  • UE2 sends a relay service request to AMF2, which includes SUCI1 and slice information 1, where SUCI1 and slice information 1 are information corresponding to remote UE1.
  • UE2 determines whether to provide a relay service for the slice corresponding to slice information 1.
  • UE2 may save the slice information configured to UE2 by the network to allow UE2 to provide relay services. According to the saved slice information, UE2 can determine whether to provide a relay service for slice information 1 sent by UE1. If the service can be provided, continue execution; otherwise, send a rejection message to UE1.
  • UE2 also sends a relay indication 1 to tell AMF2 that this service request is a relay service request.
  • the foregoing relay service request is a special request message type that can be used to indicate that the message is sent by UE2 performing the relay function.
  • SUCI1 and slice information 1 can be placed in a special container and sent to AMF2.
  • This container is used to indicate that it is the container sent by the UE2 performing the relay function, which includes the SUCI1 and slice information 1 of the remote UE1.
  • AMF2 can be the AMF2 that saves UE2's subscription information in step 800; or a new AMF, but can request the AMF2 that saves UE2's subscription information, and obtain UE2's subscription information.
  • AMF2 is used here.
  • the AMF2 determines according to the relay indication 1 that the message 803 is a message sent by the UE2 performing the relay function; then the following verification in step 804 is triggered.
  • step 804 can also be replaced with: AMF2 determines according to the message type of the relay service request that it is a message sent by UE2 performing the relay function; then the following verification is triggered.
  • step 804 can also be replaced with: AMF2 determines according to a special container that it is the container sent by UE2 performing the relay function; then the following verification is triggered.
  • AMF2 determines whether UE2 can provide a relay service for slice information 1 according to UE2's subscription information. Specifically, AMF2 determines whether slice information 1 is one of the slice information that UE2 is allowed to access in the subscription information of UE2; and/or one of the slice information for which UE2 is allowed to serve as a relay in the UE2 subscription information. If slice information 1 meets the above-mentioned first check and/or second check, AMF2 continues to execute; otherwise, AMF2 sends a rejection message to UE2.
  • optionally, the rejection message carries a rejection indication, which is used to indicate that UE2 is not allowed to provide a relay service for slice information 1.
  • after UE2 receives the rejection message sent by AMF2, it sends a PC5 communication rejection message to UE1, rejecting UE1's use of the relay function of UE2.
  • optionally, the rejection message carries a rejection indication, which is used to indicate that UE2 cannot provide a relay service for slice information 1.
  • AMF2 continues to execute. AMF sends an authentication request to AUSF, which includes SUCI1.
  • AUSF obtains from UDM the authentication vector of UE1 corresponding to SUCI1, and SUPI1 (i.e., the SUPI of UE1), which is the identifier of UE1 obtained after SUCI1 is decrypted.
  • AUSF and UE1 perform authentication through UE2, RAN and AMF2.
  • after the authentication is successful, AUSF sends an authentication response to AMF2, which carries SUPI1.
  • the authentication methods shown in steps 805-807 provided in the embodiments of the present application are not limited.
  • the authentication method may be executed according to the current 5G authentication process. Or, it can be implemented in accordance with relevant standards or agreements.
  • AMF2 sends a subscription data acquisition request, which carries SUPI1.
  • SUPI2 can also be carried.
  • SUPI2 may be the permanent identifier of UE2 saved by AMF2 in step 800.
  • AMF2 can also send slice information 1.
  • AMF2 may also send a relay service indication 2 indicating that this is a request for the subscription information corresponding to the remote UE1, that is, the subscription information corresponding to SUPI1; or indicating that this is a request to perform the authorization determination of the remote UE1, such as whether slice information 1 is authorized.
  • UDM determines UE1 subscription information according to SUPI1, and sends UE1 subscription information to AMF2 through a subscription data acquisition response message.
  • the UE1 subscription information includes at least one of the slice information that UE1 is allowed to access, the slice information that UE1 is allowed to access as a remote UE, whether it is allowed to use remote UE services, and whether the slice information to which it belongs needs to perform slice authentication.
  • the UDM receives the relay service indication 2 and SUPI2, and determines according to the relay service indication 2 that this is a request for the subscription information corresponding to the remote UE1, that is, the subscription information corresponding to SUPI1, or that this is a request to perform the authorization determination of the remote UE1. It then determines whether the UE corresponding to SUPI2 (such as UE2) is allowed to perform the relay function; this can be determined based on the subscription information corresponding to SUPI2. If the relay function is allowed, the subscription information of UE1 is determined according to SUPI1.
  • the UDM receives the relay service indication 2 and determines that this is the subscription information corresponding to the remote UE1 requested by the AMF2, that is, the subscription information corresponding to the SUPI1; then the UE1 subscription information is determined.
  • the UDM receives the relay service indication 2 and determines that this is the authorization determination request of the remote UE1, such as the authorization determination of the slice information 1.
  • the UE1 subscription information is first determined according to SUPI1, and then the UDM determines whether slice information 1 is one of the slice information that UE1 is allowed to access in the UE1 subscription information; determines whether slice information 1 is one of the slice information that the UE accesses as a remote UE; or determines whether UE1 is allowed to use the remote UE service. If at least one of the above judgments is passed, an indication that the authorization judgment is successful is sent to AMF2, and AMF executes step 811. Otherwise, UDM sends an indication of authorization failure to AMF2.
  • AMF2 can send a rejection message to UE2.
  • optionally, the rejection message carries a rejection indication, which is used to indicate that UE1 is not allowed to access the slice service corresponding to slice information 1, or to use the remote UE service.
  • after UE2 receives the rejection message sent by AMF2, it sends a PC5 communication rejection message to UE1, rejecting UE1's use of the relay function of UE2.
  • the rejection message carries a rejection indication, which is used to indicate that UE1 is not allowed to access the slice service corresponding to slice information 1.
  • UDM optionally does not need to send UE1 subscription information to AMF2.
  • the method shown in FIG. 8 may further include step 810 and subsequent steps shown below.
  • AMF2 determines whether slice information 1 is one of the slice information that UE1 is allowed to access in the UE subscription information.
  • the AMF2 may also determine whether slice information 1 is one of the slice information that UE1 is allowed to access as a remote UE;
  • AMF2 determines whether UE1 is allowed to use remote UE services
  • the above AMF2 verification is considered passed if all three conditions in 810 above are passed (all are yes), or if any one or two of the conditions in 810 above are passed; in that case AMF2 continues to execute. Otherwise, AMF2 sends a rejection message to UE2.
  • optionally, the rejection message carries a rejection indication, which is used to indicate that UE1 is not allowed to access the slice service corresponding to slice information 1, or to use the remote UE service.
  • after UE2 receives the rejection message sent by AMF2, it sends a PC5 communication rejection message to UE1, rejecting UE1's use of the relay function of UE2.
  • the rejection message carries a rejection indication, which is used to indicate that UE1 is not allowed to access the slice service corresponding to slice information 1.
  • the AMF2 determines whether the service corresponding to slice information 1 needs to perform slice authentication according to the subscription information of UE1. If slice authentication needs to be performed, a slice authentication process is triggered, and slice authentication between UE1 and AMF2, the network slice specific authentication and authorization function (NSSAAF) and AAA is completed. If AMF2 determines that the slice authentication is successful, it continues; otherwise, AMF2 sends a rejection message to UE2.
  • optionally, the rejection message carries a rejection indication, which is used to indicate that UE1 is not allowed to access the slice service corresponding to slice information 1, or to use the remote UE service. After UE2 receives the rejection message sent by AMF2, it sends a PC5 communication rejection message to UE1, rejecting UE1's use of the relay function of UE2.
  • the rejection message carries a rejection indication, which is used to indicate that UE1 is not allowed to access the slice service corresponding to slice information 1.
  • the action of AMF2 to verify UE2 can also be executed in this step.
  • the embodiment of the present application does not limit the sequence of step 804 and step 810.
  • AMF2 sends an authorization result to UE2.
  • the authorization result includes whether UE1 is allowed to access the slice service corresponding to slice information 1 through UE2; or whether UE1 is allowed to use the slice corresponding to slice information 1.
  • the above authorization result may not be sent. If AMF2 does not send a rejection message to UE2, it can also mean that the authorization verification of AMF2 has passed.
  • if the authorization result indicates that UE1 is authorized to access the slice service corresponding to slice information 1 through UE2, or is authorized to use the slice service corresponding to slice information 1, execution continues. Otherwise, a rejection message is sent to UE1.
  • optionally, the rejection message carries a rejection indication, which is used to indicate that UE1 is not allowed to access the slice service corresponding to slice information 1.
  • UE2 sends a PC5 communication response message to UE1. If UE1 does not receive the PC5 communication rejection message, it means that the slice information 1 of UE1 has passed the verification.
  • the above-mentioned slice information 2 may also be data network name (DNN) information.
  • DNN information is used to indicate the information of the DNN network that UE1 wants to access through UE2.
  • the authorization check of whether the UE1 is allowed to access the DNN through the relay UE2 is similar to the check of the slice information described above, and will not be repeated.
  • the communication device provided in the embodiment of the present application may also be used to execute the method shown in FIG. 8, which will not be described in detail here.
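
The checks AMF2 performs in steps 804 and 810 of FIG. 8, followed by the slice authentication decision, as an added Python example that is not code from the application. The class, function and policy names and the sample slice identifiers are assumptions; requiring every check by default is this example's choice, since the text also lets the verification pass when only one or two of the step 810 conditions hold.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Optional, Tuple


class Check(Enum):
    """Checks named in step 804 (relay UE2) and step 810 (remote UE1).
    Each value is the rejection reason reported when the check fails."""
    UE2_ACCESS = "UE2 is not allowed to access the slice"
    UE2_RELAY = "UE2 is not allowed to relay for the slice"
    UE1_ACCESS = "UE1 is not allowed to access the slice"
    UE1_REMOTE_SLICE = "UE1 is not allowed to access the slice as a remote UE"
    UE1_REMOTE_SERVICE = "UE1 is not allowed to use remote UE services"


@dataclass(frozen=True)
class RelaySubscription:
    """UE2 subscription data held by AMF2 since UE2 registered (step 800)."""
    access_slices: FrozenSet[str]
    relay_slices: FrozenSet[str]


@dataclass(frozen=True)
class RemoteSubscription:
    """UE1 subscription data returned by the UDM for SUPI1."""
    access_slices: FrozenSet[str]
    remote_slices: FrozenSet[str]
    remote_service_allowed: bool
    slices_needing_auth: FrozenSet[str]


# Assumption of this example: every check must pass. A deployment that
# accepts a subset has to choose that subset explicitly.
STRICT_POLICY: FrozenSet[Check] = frozenset(Check)


def passed_checks(slice1: str, ue2: RelaySubscription,
                  ue1: RemoteSubscription) -> FrozenSet[Check]:
    """Evaluate every check for the requested slice (slice information 1)."""
    outcome = {
        Check.UE2_ACCESS: slice1 in ue2.access_slices,
        Check.UE2_RELAY: slice1 in ue2.relay_slices,
        Check.UE1_ACCESS: slice1 in ue1.access_slices,
        Check.UE1_REMOTE_SLICE: slice1 in ue1.remote_slices,
        Check.UE1_REMOTE_SERVICE: ue1.remote_service_allowed,
    }
    return frozenset(check for check, ok in outcome.items() if ok)


def authorize_relay(slice1: str,
                    ue2: Optional[RelaySubscription],
                    ue1: Optional[RemoteSubscription],
                    slice_auth: Callable[[str], bool],
                    policy: FrozenSet[Check] = STRICT_POLICY) -> Tuple[bool, str]:
    """Decide whether UE1 may reach slice1 through relay UE2.

    Returns (allowed, reason). The decision fails closed: missing
    subscription data or an empty policy never results in an allow.
    """
    if not policy:
        raise ValueError("policy must require at least one check")
    if ue2 is None or ue1 is None:
        return False, "rejected: subscription data unavailable"
    passed = passed_checks(slice1, ue2, ue1)
    for check in Check:  # definition order, so UE2 failures are reported first
        if check in policy and check not in passed:
            return False, "rejected: " + check.value
    # Slice authentication runs only when UE1's subscription demands it.
    if slice1 in ue1.slices_needing_auth and not slice_auth(slice1):
        return False, "rejected: slice authentication failed"
    return True, "authorized"


if __name__ == "__main__":
    # Constructed sample data; the slice identifiers are made up.
    relay = RelaySubscription(frozenset({"slice-a", "slice-b", "slice-c"}),
                              frozenset({"slice-a", "slice-b"}))
    remote = RemoteSubscription(frozenset({"slice-a"}), frozenset(),
                                False, frozenset())
    subset = frozenset({Check.UE2_RELAY, Check.UE1_ACCESS})
    print(authorize_relay("slice-a", relay, remote, lambda s: True))
    print(authorize_relay("slice-a", relay, remote, lambda s: True, subset))
```

The two calls in the demo differ only in policy: the strict policy rejects a UE1 that has no remote-UE entitlement, while the two-check subset authorizes the same request.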

Abstract

Disclosed are a method and device for determining an authorization result, comprising: an access network device receives a first message transmitted by a second terminal device, the first message being used for instructing a first terminal device to request access to a network via the second terminal device, and the first message comprising identification information of the second terminal device; the access network device determines an authorization result of the second terminal device on the basis of the identification information of the second terminal device; the access network device transmits a second message to a core network device, the second message comprising an authorization result of the second terminal device; and the access network device receives a response message transmitted by the first core network device for the second message. The implementation of the present application effectively determines a relay service of a relay terminal device, thus preventing a terminal device from accessing a network via an unauthorized relay terminal device.

Description

Method and device for determining authorization result
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on December 31, 2019, with application number 201911425151.0 and the title "Method and Apparatus for Determining Authorization Results", the entire content of which is incorporated into this application by reference.
Technical field
This application relates to the field of communication technology, and in particular to a method and device for determining an authorization result.
Background technique
With the evolution of communication technology, the Internet of Everything is also accelerating. Internet of Everything technology includes not only narrowband Internet of Things (NB-IoT) technology and enhanced machine type communication (eMTC) technology, but may also include IoT technology, device-to-device (D2D) technology, and so on.
Generally, IoT or device-to-device technology may also be referred to as proximity-based services (ProSe). Based on ProSe, one terminal device can communicate with the network through another terminal device. For example, one terminal device can access the operator's network through another terminal device in order to perform the registration procedure, send data, and use other services. The other terminal device may also be referred to as a relay terminal device.
Therefore, in the process of a terminal device accessing the network through a relay terminal device, how to determine the relay service of the relay terminal device is a problem that needs to be solved.
发明内容Summary of the invention
本申请实施例提供一种授权结果的确定方法和装置,可有效的确定中继终端设备的中继业务,避免终端设备通过未被授权的中继终端设备访问网络。The embodiments of the present application provide a method and device for determining an authorization result, which can effectively determine the relay service of a relay terminal device and prevent the terminal device from accessing the network through an unauthorized relay terminal device.
In a first aspect, an embodiment of the present application provides a method for determining an authorization result, and the method includes:
An access network device receives a first message sent by a second terminal device, where the first message is used to indicate that a first terminal device requests access to the network through the second terminal device, and the first message includes identification information of the second terminal device; the access network device determines the authorization result of the second terminal device according to the identification information of the second terminal device; the access network device sends a second message to a first core network device, where the second message includes the authorization result of the second terminal device; and the access network device receives a response message of the second message sent by the first core network device.
In the embodiments of the present application, the authorization result of the second terminal device may be the result of the second terminal device being authorized to perform the relay service.
In the embodiments of the present application, when UE1 requests access to the network through UE2, the RAN determines that UE2 is authorized to perform the relay service and then sends AMF1 a second message including the authorization result of UE2, so that AMF1 can allow UE1 to access the network through UE2 according to the authorization result of UE2. Implementing the embodiments of this application enables AMF1 to obtain the authorization result of UE2, thereby safely and effectively allowing UE1 to access the network through UE2.
In a possible implementation manner, the access network device stores the authorization result of the second terminal device.
In a possible implementation manner, before the access network device determines the authorization result of the second terminal device according to the identification information of the second terminal device, the method further includes: the access network device sends a third message to a second core network device, where the third message includes the identification information of the second terminal device, and the third message is used to request the authorization result of the second terminal device; the access network device receives a response message of the third message sent by the second core network device, where the response message of the third message includes the authorization result of whether the second terminal device is authorized to perform the relay service; and the access network device saves the authorization result of the second terminal device.
In a possible implementation manner, the identification information of the second terminal device includes a relay identifier of the second terminal device.
In a possible implementation manner, the method further includes: the access network device sends a response message of the first message to the second terminal device, where the response message of the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
In a possible implementation manner, the response message of the first message includes the authorization result of the second terminal device.
In a second aspect, an embodiment of the present application provides a method for determining an authorization result, and the method includes:
A first core network device receives a second message sent by an access network device, where the second message includes the authorization result of a second terminal device; the first core network device determines, according to the authorization result of the second terminal device, that the second terminal device is authorized to perform the relay service; and the first core network device sends a response message of the second message to the access network device.
In a possible implementation manner, before the first core network device receives the second message sent by the access network device, the method further includes: the access network device receives a first message sent by the second terminal device, where the first message is used to indicate that the first terminal device requests access to the network through the second terminal device, and the first message includes identification information of the second terminal device; and the access network device determines that the second terminal device is authorized to perform the relay service, and sends the second message to the first core network device.
In a possible implementation manner, before the access network device determines that the second terminal device is authorized to perform the relay service, the method further includes: the access network device sends a third message to a second core network device, where the third message includes the identification information of the second terminal device, and the third message is used to request the authorization result of the second terminal device; and the second core network device receives the third message sent by the access network device, and sends a response message of the third message to the access network device;
The determining, by the access network device, that the second terminal device is authorized to perform the relay service includes: the access network device determines, according to the response message of the third message, that the second terminal device is authorized to perform the relay service.
In a possible implementation manner, the method further includes: the access network device sends a response message of the first message to the second terminal device, where the response message of the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
For the beneficial effects of the second aspect, refer to the beneficial effects of the first aspect; they are not repeated here.
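The message exchange of the first and second aspects can be traced with a small simulation. This is an added example, not code from the application: the class names, field names, the "accept"/"reject" response values and the rule that a relay unknown to the second core network device is treated as unauthorized are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FirstMessage:
    """Second terminal device (relay UE) -> access network device."""
    remote_ue: str   # first terminal device requesting access via the relay
    relay_id: str    # identification information (relay identifier) of the relay


@dataclass(frozen=True)
class SecondMessage:
    """Access network device -> first core network device (AMF1)."""
    remote_ue: str
    relay_id: str
    relay_authorized: bool   # authorization result of the second terminal device


class SecondCoreNetworkDevice:
    """Answers the third message with the relay's authorization result."""

    def __init__(self, authorized_relays):
        self._authorized = frozenset(authorized_relays)
        self.third_messages_seen = 0

    def handle_third_message(self, relay_id: str) -> bool:
        self.third_messages_seen += 1
        # Assumption: a relay identifier that is not provisioned is unauthorized.
        return relay_id in self._authorized


class FirstCoreNetworkDevice:
    """Decides from the authorization result carried in the second message."""

    def handle_second_message(self, msg: SecondMessage) -> str:
        # Only an explicit True counts; anything else is rejected (assumed values).
        return "accept" if msg.relay_authorized is True else "reject"


class AccessNetworkDevice:
    def __init__(self, relay_amf, remote_amf):
        self.relay_amf = relay_amf
        self.remote_amf = remote_amf
        self.stored_results = {}   # relay_id -> saved authorization result

    def authorization_result(self, relay_id: str) -> bool:
        # Use the stored result if present; otherwise send the third message
        # to the second core network device and save the answer.
        if relay_id not in self.stored_results:
            answer = self.relay_amf.handle_third_message(relay_id)
            self.stored_results[relay_id] = answer
        return self.stored_results[relay_id]

    def handle_first_message(self, msg: FirstMessage) -> dict:
        result = self.authorization_result(msg.relay_id)
        second = SecondMessage(msg.remote_ue, msg.relay_id, result)
        response = self.remote_amf.handle_second_message(second)
        # Response to the first message; it may carry the authorization result.
        return {
            "remote_ue": msg.remote_ue,
            "relay_id": msg.relay_id,
            "relay_authorized": result,
            "access_allowed": result and response == "accept",
        }


def run_demo():
    """Constructed sample: one provisioned relay, one unknown relay."""
    relay_amf = SecondCoreNetworkDevice(authorized_relays={"relay-UE2"})
    ran = AccessNetworkDevice(relay_amf, FirstCoreNetworkDevice())
    requests = [("UE1", "relay-UE2"), ("UE4", "relay-UE2"), ("UE5", "relay-UE9")]
    outcomes = [ran.handle_first_message(FirstMessage(ue, relay))
                for ue, relay in requests]
    return outcomes, relay_amf.third_messages_seen


if __name__ == "__main__":
    results, queries = run_demo()
    for outcome in results:
        print(outcome)
    print("third messages sent:", queries)
```

The stored result in this sketch never expires, so a relay whose authorization is later withdrawn stays authorized at the access network device until the entry is refreshed; how long a saved result remains valid is not stated in this part of the application.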
In a third aspect, embodiments of the present application provide a communication device, which may be a network device, a device in a network device, or a device that can be used in conjunction with a network device. The communication device may also be a chip system. The communication device can execute the methods described in the first aspect and the various possible implementation manners of the first aspect. Alternatively, the communication device can execute the methods described in the second aspect and the various possible implementation manners of the second aspect. The functions of the communication device may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above functions. A unit may be software and/or hardware.
Optionally, the network device may be an access network device. Alternatively, the network device may be the first core network device. Alternatively, the network device may be the second core network device.
In a fourth aspect, an embodiment of the present application provides a communication system, and the communication system includes: a first core network device, configured to receive a second message sent by an access network device, where the second message includes the authorization result of a second terminal device; the first core network device is further configured to determine, according to the authorization result of the second terminal device, that the second terminal device is authorized to perform the relay service; and the first core network device is further configured to send a response message of the second message to the access network device.
In a possible implementation manner, the system further includes: an access network device, configured to receive a first message sent by the second terminal device, where the first message is used to indicate that the first terminal device requests access to the network through the second terminal device, and the first message includes identification information of the second terminal device; the access network device is further configured to determine that the second terminal device is authorized to perform the relay service, and to send the second message to the first core network device.
In a possible implementation manner, the access network device is further configured to send a third message to the second core network device, where the third message includes the identification information of the second terminal device, and the third message is used to request the authorization result of the second terminal device;
The system further includes: a second core network device, configured to receive the third message sent by the access network device, and to send a response message of the third message to the access network device; the access network device is specifically configured to determine, according to the response message of the third message, that the second terminal device is authorized to perform the relay service.
In a possible implementation manner, the access network device is further configured to send a response message of the first message to the first terminal device, where the response message of the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
In a fifth aspect, an embodiment of the present application provides a communication device. The communication device includes a processor, and when the processor invokes a computer program in a memory, the methods described in the first aspect and the various possible implementation manners of the first aspect are executed.
In a possible implementation manner, when the processor invokes the computer program in the memory, the methods described in the second aspect and the various possible implementation manners of the second aspect are executed. For example, when the processor invokes the computer program, the method described for any one of the first core network device, the second core network device, and the access network device is executed.
In a sixth aspect, an embodiment of the present application provides a communication device. The communication device includes a processor and a memory, where the memory is used to store computer-executable instructions, and the processor is used to execute the computer-executable instructions so that the communication device executes the methods described in the first aspect and the various possible implementation manners of the first aspect.
In a possible implementation manner, when the processor invokes the computer-executable instructions, the methods described in the second aspect and the various possible implementation manners of the second aspect are executed. For example, when the processor invokes the computer-executable instructions, the method described for any one of the first core network device, the second core network device, and the access network device is executed.
In a seventh aspect, an embodiment of the present application provides a communication device. The communication device includes a processor, a memory, and a transceiver, where the transceiver is used to receive or send signals, the memory is used to store program code, and the processor is used to invoke the program code to execute the method described in the first aspect.
In a possible implementation manner, when the processor invokes the program code, the methods described in the second aspect and the various possible implementation manners of the second aspect are executed. For example, when the processor invokes the program code, the method described for any one of the first core network device, the second core network device, and the access network device is executed.
In an eighth aspect, an embodiment of the present application provides a communication device. The communication device includes a processor and an interface circuit, where the interface circuit is used to receive code instructions and transmit them to the processor, and the processor runs the code instructions to execute the methods described in the first aspect and the various possible implementation manners of the first aspect.
In a possible implementation manner, the processor runs the code instructions to execute the methods described in the second aspect and the various possible implementation manners of the second aspect. For example, the processor executes the method described for any one of the first core network device, the second core network device, and the access network device.
In a ninth aspect, an embodiment of the present application provides a computer-readable storage medium. The computer-readable storage medium is used to store instructions, and when the instructions are executed, the methods described in the first aspect and the various possible implementation manners of the first aspect are implemented.
In a possible implementation manner, when the instructions are executed, the methods described in the second aspect and the various possible implementation manners of the second aspect are implemented. For example, the method described for any one of the first core network device, the second core network device, and the access network device is implemented.
In a tenth aspect, embodiments of the present application provide a computer program product including instructions. When the instructions are executed, the methods described in the first aspect and the various possible implementation manners of the first aspect are implemented.
In a possible implementation manner, when the instructions are executed, the methods described in the second aspect and the various possible implementation manners of the second aspect are implemented. For example, the method described for any one of the first core network device, the second core network device, and the access network device is implemented.
In an eleventh aspect, an embodiment of the present application provides a computer program for executing the first aspect and the various possible implementation manners of the first aspect.
In a twelfth aspect, an embodiment of the present application provides a computer program for executing the second aspect and the various possible implementation manners of the second aspect.
Optionally, the computer program is used to execute the method described for any one of the first core network device, the second core network device, and the access network device.
Description of the drawings
FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of a network architecture provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of a method for determining an authorization result provided by an embodiment of the present application;
FIG. 4 is a schematic flowchart of a method for determining an authorization result provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a communication system provided by an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a communication device provided by an embodiment of the present application;
FIG. 8 is a schematic flowchart of a method for determining an authorization result provided by an embodiment of the present application.
Detailed description
To make the purpose, technical solutions, and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings.
The terms "first", "second", and so on in the specification, claims, and drawings of this application are used to distinguish different objects, not to describe a specific order. In addition, the terms "including" and "having" and any variations of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not limited to the listed steps or units, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to the process, method, product, or device.
A reference to an "embodiment" herein means that a specific feature, structure, or characteristic described in conjunction with the embodiment may be included in at least one embodiment of the present application. The appearance of the phrase in various places in the specification does not necessarily refer to the same embodiment, nor to an independent or alternative embodiment that is mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein can be combined with other embodiments.
In this application, "at least one (item)" means one or more, "multiple" means two or more, and "at least two (items)" means two, or three or more. "And/or" describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean three cases: only A exists, only B exists, or both A and B exist, where A and B can each be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following items" or a similar expression refers to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b, or c can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c can each be single or multiple.
The embodiments of the present application are described below with reference to the drawings.
首先,介绍本申请实施例所涉及的网络架构。First, the network architecture involved in the embodiments of the present application is introduced.
本申请提供的授权结果的确定方法可应用于各类通信系统中,例如,物联网(internet of things,IoT)系统、窄带物联网(narrow band internet of things,NB-IoT)系统、长期演进(long term evolution,LTE)系统,也可以是第五代(5th-generation,5G)通信系统,还可以是LTE与5G混合架构、也可以是5G新无线(new radio,NR)系统,以及未来通信发展中出现的新的通信系统等。The method for determining the authorization result provided in this application can be applied to various communication systems, such as the Internet of Things (IoT) system, the narrowband Internet of Things (NB-IoT) system, and the long-term evolution ( Long term evolution, LTE) system, it can also be the fifth generation (5th-generation, 5G) communication system, it can also be a hybrid architecture of LTE and 5G, it can also be a 5G new radio (NR) system, and future communications New communication systems, etc. appearing in development.
参见图1,图1是本申请实施例提供的一种网络架构示意图,图1中所涉及的各个部分如下所示:Referring to FIG. 1, FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of the present application. The various parts involved in FIG. 1 are as follows:
终端设备110,也称为用户设备(user equipment,UE)、终端等。终端设备是一种具有无线收发功能的设备,可以经(无线)接入网络((radio)access network,(R)AN)120中的接入网设备与一个或多个核心网(core network,CN)进行通信。可以部署在陆地上,包括室内或室外、手持、穿戴或车载;也可以部署在水面上,如轮船上等;还可以部署在空中,例如部署在飞机、气球或卫星上等。终端设备可以是手机(mobile phone)、平板电脑(Pad)、带无线收发功能的电脑、虚拟现实(virtual reality,VR)终端设备、增强现实(augmented reality,AR)终端设备、工业控制(industrial control)中的无线终端、无人驾驶(self driving)中的无线终端、远程医疗(remote medical)中的无线终端、智能电网(smart grid)中的无线终端、运输安全(transportation safety)中的无线终端、智慧城市(smart city)中的无线 终端、智慧家庭(smart home)中的无线终端等等。The terminal device 110 is also referred to as user equipment (UE), terminal, and so on. A terminal device is a device with a wireless transceiver function. It can be connected to one or more core networks (core networks) via the (radio) access network ((radio) access network, (R) AN) 120 access network equipment, CN) to communicate. It can be deployed on land, including indoor or outdoor, handheld, wearable, or vehicle-mounted; it can also be deployed on the water, such as on a ship, and it can also be deployed in the air, such as on an airplane, balloon, or satellite. Terminal devices can be mobile phones, tablets, computers with wireless transceiver functions, virtual reality (VR) terminal devices, augmented reality (AR) terminal devices, industrial control (industrial control) Wireless terminals in ), wireless terminals in self-driving, wireless terminals in remote medical, wireless terminals in smart grid, and wireless terminals in transportation safety , Wireless terminals in smart cities, wireless terminals in smart homes, etc.
本申请实施例中,终端设备包括远端终端设备(remote UE)和中继终端设备(relay UE)。例如,中继UE可以理解为能够直接接入到网络(或基站)的UE;或者,中继UE可以理解为信号能够覆盖到的UE;或者,中继UE可以理解为基站覆盖区域内的UE;或者,中继UE可以理解为具有中继功能的UE,这里中继功能指没有信号覆盖的UE,可以通过有信号覆盖的中继UE接入到运营商的网络。远端UE可以理解为信号覆盖不到的UE。也就是说,该远端UE需要借助中继UE才能够接入网络。In the embodiment of the present application, the terminal equipment includes a remote terminal equipment (remote UE) and a relay terminal equipment (relay UE). For example, a relay UE can be understood as a UE that can directly access the network (or a base station); or, a relay UE can be understood as a UE that can be covered by a signal; or, a relay UE can be understood as a UE in the coverage area of the base station. Or, a relay UE can be understood as a UE with a relay function, where the relay function refers to a UE without signal coverage, and can access the operator's network through a relay UE with signal coverage. The remote UE can be understood as a UE that cannot be covered by the signal. In other words, the remote UE needs to rely on a relay UE to be able to access the network.
参见图2,图2是本申请实施例提供的一种网络架构示意图。如图2所示,该网络架构包括UE1、UE2和UE3,该UE1、UE2和UE3属于同一个近距离组(ProSe group)。进一步的,UE1和UE2可以理解为远端UE,UE3可以理解为中继UE。远端UE可以通过中继UE接入到运营商网络中,执行注册流程、或协议数据单元(protocol data unit,PDU)会话建立、发送用户数据等等。该中继UE可与远端UE建立通信连接,为该远端UE接入网络提供服务。例如,远端UE通过中继UE可使用互联网业务,使用通话功能等等。可选的,远端UE与中继UE之间可以通过基于近距离的业务(proximity-based services,ProSe)进行通信。该基于近距离的业务可以包括设备到设备(device to device,D2D)业务或车与任何事物通信(vehicle-to-everything,V2X)业务等等。可理解,中继UE还可以称为UE-to-network relay。Refer to FIG. 2, which is a schematic diagram of a network architecture provided by an embodiment of the present application. As shown in FIG. 2, the network architecture includes UE1, UE2, and UE3, and the UE1, UE2, and UE3 belong to the same ProSe group. Further, UE1 and UE2 can be understood as remote UEs, and UE3 can be understood as relay UEs. The remote UE can access the operator's network through a relay UE, perform a registration process, or establish a protocol data unit (protocol data unit, PDU) session, send user data, and so on. The relay UE can establish a communication connection with the remote UE to provide services for the remote UE to access the network. For example, the remote UE can use Internet services, use the call function, and so on through the relay UE. Optionally, the remote UE and the relay UE may communicate through proximity-based services (Proximity-based services, ProSe). The short-distance-based service may include a device-to-device (D2D) service or a vehicle-to-everything (V2X) service and so on. It can be understood that the relay UE may also be referred to as a UE-to-network relay.
(无线)接入网络((radio)access network,(R)AN)120,用于为特定区域的授权终端设备提供入网功能,并能够根据终端设备的级别,业务的需求等使用不同质量的传输隧道。如(R)AN可管理无线资源,为终端设备提供接入服务,进而完成控制信息和/或数据信息在终端设备和核心网(core network,CN)之间的转发。(Radio) access network ((radio) access network, (R) AN) 120, used to provide network access functions for authorized terminal equipment in a specific area, and can use different quality transmissions according to the level of terminal equipment, business needs, etc. tunnel. For example, (R)AN can manage wireless resources, provide access services for terminal devices, and then complete the forwarding of control information and/or data information between the terminal device and the core network (CN).
本申请实施例中的接入网设备是一种为终端设备提供无线通信功能的设备,也可称为网络设备。如该接入网设备可以包括:5G系统中的下一代基站节点(next generation node basestation,gNB)、长期演进(long term evolution,LTE)中的演进型节点B(evolved node B,eNB)、无线网络控制器(radio network controller,RNC)、节点B(node B,NB)、基站控制器(base station controller,BSC)、基站收发台(base transceiver station,BTS)、家庭基站(例如,home evolved nodeB,或home node B,HNB)、基带单元(base band unit,BBU)、传输点(transmitting and receiving point,TRP)(或称为传输接收点)、发射点(transmitting point,TP)、小基站设备(pico)、移动交换中心,或者未来网络中的网络设备等。可理解,本申请实施例对接入网设备的具体类型不作限定。在不同无线接入技术的系统中,具备接入网设备功能的设备的名称可能会有所不同。The access network device in the embodiment of the present application is a device that provides a wireless communication function for terminal devices, and may also be referred to as a network device. For example, the access network equipment may include: next generation node base station (gNB) in 5G system, evolved node B (evolved node B, eNB) in long term evolution (LTE), wireless Network controller (radio network controller, RNC), node B (node B, NB), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved nodeB) , Or home node B (HNB), base band unit (BBU), transmission point (transmitting and receiving point, TRP) (or called transmission receiving point), transmission point (TP), small base station equipment (pico), mobile switching center, or network equipment in the future network. It can be understood that the embodiment of the present application does not limit the specific type of the access network device. In systems with different wireless access technologies, the names of devices with access network device functions may be different.
The user plane function (UPF) network function 130 is used for packet routing and forwarding, quality of service (QoS) handling of user plane data, and so on.
The data network (DN) network function 140 is used to provide a network for transmitting data.
The access and mobility management function (AMF) network function 150 is mainly used for mobility management, access management and the like, and can implement the functions of the mobility management entity (MME) other than session management, for example lawful interception and access authorization/authentication. The AMF network function is hereinafter referred to as the AMF. In the embodiments of this application, the AMF network function includes a remote AMF and a relay AMF: the remote AMF is the AMF that serves the remote UE, and the relay AMF is the AMF that serves the relay UE.
The session management function (SMF) 160 is mainly used for session management, allocation and management of Internet protocol (IP) addresses for terminal devices, selection of manageable user plane functions, serving as the termination point of the policy control and charging function interfaces, downlink data notification, and so on.
The policy control network function 170, such as a policy control function (PCF), is a unified policy framework for governing network behavior and provides policy rule information to control plane functions (for example, the AMF and SMF network functions).
The authentication server function (AUSF) 180 is used for authentication services and for generating keys to implement mutual authentication of terminal devices, and supports a unified authentication framework.
The unified data management (UDM) network function 190 can be used to handle terminal device identification, access authentication, registration, mobility management, and so on. The UDM network function is hereinafter referred to as the UDM.
The application function (AF) 1100 is used for application-influenced data routing, accessing the network exposure function, interacting with the policy framework for policy control, and so on.
The network slice selection function (NSSF) can be used to determine network slice instances, select the AMF network function, and so on.
A network storage network function, for example a network repository function (NRF), can be used to maintain real-time information about all network function services in the network.
It can be understood that the network architecture shown in FIG. 1 may also include a proximity service function (ProSe function), which may be used to manage and control ProSe services, and so on.
The mobility management network function in the embodiments of this application may be the AMF network function 150 shown in FIG. 1, or another network function in a future communication system that has the functions of the AMF network function 150. Alternatively, the mobility management network function in this application may be a mobility management entity (MME) in long term evolution (LTE), or the like.
For ease of description, the AMF network function 150 is referred to as the AMF and the terminal device 110 is referred to as the UE. That is, every AMF described below in the embodiments of this application may be replaced with a mobility management network function or a core network device, and every UE may be replaced with a terminal device.
The network architecture shown in FIG. 1 (for example, a 5G network architecture) is a service-based architecture. Traditional network element functions (or network functions) are split, based on network function virtualization (NFV) technology, into several self-contained, self-managed and reusable network function service modules. By flexibly defining sets of service modules, customized network functions can be reconstructed, and business processes are composed externally through a unified service invocation interface. The schematic diagram of the network architecture shown in FIG. 1 can be understood as a service-based 5G network architecture in a non-roaming scenario. The embodiments of this application apply equally to roaming scenarios.
It can be understood that the terms introduced above may have different names in different fields or different standards, so the names shown above should not be construed as limiting the embodiments of this application. Each of the above network functions may be a network element in a hardware device, a software function running on dedicated hardware, or a virtualized function instantiated on a platform (for example, a cloud platform).
The method for determining an authorization result provided by the embodiments of this application is described in detail below. For ease of description, in each of the methods shown below the remote terminal device is UE1, the relay terminal device is UE2, the AMF that serves the remote terminal device is AMF1, the AMF that serves the relay terminal device is AMF2, and the access network device is the RAN.
Referring to FIG. 3, FIG. 3 is a schematic flowchart of a method for determining an authorization result provided by an embodiment of this application. The method can be applied to the network architecture shown in FIG. 1 and/or FIG. 2. As shown in FIG. 3, the method includes:
302. The RAN receives a first message sent by UE2. The first message is used to indicate that UE1 requests to access the network through UE2, and the first message includes identification information of UE2.
In the embodiments of this application, because the first message includes the identification information of UE2, the RAN learns on receiving the first message that UE1 requests to access the network through UE2. Optionally, the identification information of UE2 may include an identifier (ID) of UE2. The ID of UE2 may include a permanent identifier of UE2, such as any one or more of the international mobile subscriber identity (IMSI), the subscription permanent identifier (SUPI), the subscription concealed identifier (SUCI) or the generic public subscription identifier (GPSI). Alternatively, the ID of UE2 may include a temporary identifier of UE2, such as the globally unique temporary UE identity (GUTI). Alternatively, the ID of UE2 may include the relay ID of UE2; the relay ID of UE2 may be a UE identifier for the relay service, or a UE identifier for the ProSe service. For example, the identification information of UE2 may include any one or more of the IMSI, SUPI, SUCI, GPSI or relay ID of UE2. To distinguish the permanent identifier, temporary identifier and relay identifier of UE2, the identification information of UE2 in the following description is the UE2 ID and/or the relay ID of UE2.
In a possible implementation, the first message may also include identification information of UE1. The identification information of UE1 may include the ID of UE1, and the ID of UE1 may include a permanent identifier of UE1, such as any one or more of the IMSI, SUPI and SUCI of UE1. Alternatively, the ID of UE1 may include a temporary identifier of UE1, such as the GUTI of UE1. Alternatively, the ID of UE1 may include the remote ID of UE1. Including the ID of UE1 lets the RAN know which UE (here UE1) needs to access the network through UE2. For example, the identification information of UE1 may include any one or more of the IMSI, SUPI, SUCI, GPSI, etc. of UE1, or the relay ID. To distinguish the permanent identifier, temporary identifier and relay identifier of UE1, the identification information of UE1 in the following description is the UE1 ID and/or the remote ID of UE1.
It can be understood that the remote ID of UE1 and the relay ID of UE2 may be configured by the proximity service function. That is, service-related identification information may be configured by the proximity service function. The embodiments of this application do not limit the specific format of the service-related identification information.
It can be understood that the first message may be a message sent by UE1 to the RAN through UE2, or a message sent by UE2 to the RAN. The case where the first message is a message sent by UE2 to the RAN can be understood as follows: UE1 sends a fourth message to UE2; after receiving the fourth message, UE2 parses it and generates the first message. For example, one way of handling it is to encapsulate the fourth message in the first message, which UE2 then sends to the RAN. Optionally, the identification information of UE2 may be carried in the fourth message itself, or may be encapsulated in the first message together with the fourth message after UE2 receives the fourth message. Optionally, the identification information of UE1 may be carried in the fourth message itself. The method shown in FIG. 3 is described below taking as an example the case where the first message is a message sent by UE2 to the RAN.
In a possible implementation, before step 302, the method shown in FIG. 3 further includes:
301. UE1 sends a fourth message to UE2. The fourth message is used to request access to the network and includes the identification information of UE1. Correspondingly, UE2 receives the fourth message.
In this case, on receiving the fourth message, UE2 may encapsulate the identification information of UE1 in the first message and send the first message to the RAN. Alternatively, on receiving the fourth message, UE2 may encapsulate the fourth message in the first message and send the first message to the RAN.
It can be understood that the fourth message may also include a non-access stratum (NAS) request; for example, the NAS request may include a registration access request. In this case, UE2 may encapsulate the NAS request in the first message, or encapsulate the fourth message in the first message, and send the first message to the RAN. The NAS request may also be an ordinary uplink NAS message. As a further example of how the first message is generated: if the fourth message includes the NAS request and the identification information of UE1, UE2 receives the fourth message and may encapsulate the NAS request and the identification information of UE1 in the first message, and then send the first message to the RAN.
Optionally, where step 302 is included, the first message may also include first indication information (an indicator). The first indication information is used to indicate that the data contained in the first message is relayed data of a remote UE, or to indicate that the first message includes information from the fourth message sent by UE1. Optionally, the first indication information may be contained in the NAS request, or may be information that UE2, on receiving the fourth message, encapsulates in the first message together with the fourth message.
Optionally, before UE1 sends the fourth message to UE2, the method shown in FIG. 3 further includes: AMF1 verifies UE1 and determines the authorization result of UE1. The authorization result of UE1 includes the result of whether the ProSe service applies to UE1, and/or the result of whether UE1 is authorized to perform the remote UE service.
As for how AMF1 verifies UE1, AMF1 may, for example, perform the verification according to the subscription information of UE1. The embodiments of this application do not limit how AMF1 obtains the subscription information of UE1. For example, AMF1 may obtain the subscription information from the UDM or from the proximity service function. As another example, AMF1 may obtain second indication information from the UDM or the proximity service function, where the second indication information indicates the authorization result of UE1.
303. The RAN determines the authorization result of UE2 according to the identification information of UE2, and sends a second message to AMF1. The second message includes the authorization result of UE2. Correspondingly, AMF1 receives the second message.
In the embodiments of this application, the authorization result of UE2 may include the result of whether the ProSe service applies to UE2, and/or the result of whether UE2 is authorized to perform the relay service. For example, the authorization result of UE2 may include the result that UE2 is authorized to perform the relay service. As another example, it may include the result that the ProSe service applies to UE2 and UE2 is authorized to perform the relay service. As another example, it may include the result that the ProSe service applies to UE2 and UE2 is not authorized to perform the relay service. UE2 being authorized to perform the relay service can also be understood as: UE2 can be authorized to perform the relay function, or UE2 can act as the relay node of a remote UE. UE2 being authorized to perform the relay service may also indicate that the ProSe service applies to UE2.
Optionally, the RAN may determine whether UE2 is authorized to perform the relay service according to stored information, where the stored information includes the identification information of UE2 and the authorization result of UE2. The authorization result of UE2 may have been sent to the RAN by AMF2 on its own initiative and then stored by the RAN. Alternatively, the RAN may have requested AMF2 to send the authorization result and then stored it. Optionally, the RAN may also request the authorization result from AMF2 after receiving the second message. The method by which the RAN determines whether UE2 is authorized to perform the relay service may specifically be as follows:
3031) The RAN sends a third message to AMF2. The third message includes the identification information of UE2 and is used to request the authorization result of UE2. Correspondingly, AMF2 receives the third message.
3032) AMF2 sends a response message of the third message to the RAN. Correspondingly, the RAN receives the response message of the third message sent by AMF2.
It can be understood that the embodiments of this application do not limit how the RAN determines AMF2. For example, the temporary identifier of UE2 includes the address of AMF2, or the RAN may determine AMF2 according to the network information in the identification information of UE2.
In the embodiments of this application, after AMF2 receives the third message requesting the authorization result of UE2, it can send the authorization result of UE2 to the RAN. Optionally, the response message of the third message may include the authorization result of UE2. Optionally, the response message of the third message may also include the identification information of UE2. Steps 3031) and 3032) above can apply to the following scenarios.
Scenario 1:
Steps 3031) and 3032) may be performed after the RAN receives the first message from UE2: the RAN sends the third message to AMF2 in order to determine the authorization result of UE2.
Optionally, the response message of the third message may also include rejection information, which may be used to indicate that UE1 is refused access to the network through UE2. Optionally, the response message of the third message may also include a rejection type, which is used to indicate, for example, that UE2 is not authorized to perform the relay function. Further, if the RAN determines according to the identification information of UE2 that UE2 is not authorized to perform the relay service, the RAN may discard the first message.
Scenario 2:
The method shown in steps 3031) and 3032) may also be performed before the first message is received: the RAN sends the third message to AMF2 in order to determine the authorization result of UE2.
In this case, once the RAN receives the authorization result of UE2, it can store it, and after receiving the first message it can send the authorization result of UE2 to AMF1. For scenario 2, the third message may be a message from UE2; or a message that UE2 sends to the RAN and that the RAN then sends to AMF2; or a message that UE1 sends to UE2 and that UE2 then sends to AMF2 through the RAN. It can be understood that including the identification information of UE2 lets AMF2 know exactly which UE (here UE2) is requesting authorization of the relay service. Specifically, the third message can be understood as being used to request authorization of the relay service of UE2. For example, the third message can apply to the following scenario: UE1 notifies UE2 that it requests access to the network, and UE2 requests AMF2 to authorize its own relay service.
For scenario 2, after step 3031) and before step 3032), the method shown in the embodiments of this application may further include: 3033) AMF2 verifies UE2 and determines the authorization result of UE2.
Specifically, AMF2 may determine the authorization result of UE2 according to the subscription information of UE2. For example, AMF2 may obtain the subscription information of UE2 from the UDM, or from the proximity service function (ProSe function). Alternatively, AMF2 sends the proximity service function a message requesting the authorization result of UE2; after receiving the message, the proximity service function requests the subscription information from the UDM, the unified data repository (UDR) or another entity that stores the subscription information of UE2. Optionally, the subscription information may be delivered by the operator network and stored in the UDM or the proximity service function. Optionally, AMF2 may also obtain third indication information from the UDM or the proximity service function, where the third indication information indicates the authorization result of UE2. That is, the third indication information may indicate whether UE2 is authorized to perform the proximity service (ProSe service) and/or whether it is authorized to perform the relay function of the proximity service.
304. AMF1 sends a response message of the second message to the RAN. Correspondingly, the RAN receives the response message of the second message sent by AMF1.
Optionally, the second message may include the authorization result of UE2 and may also include part or all of the information in the first message. Alternatively, in addition to the authorization result of UE2 and part or all of the information in the first message, the second message may include part or all of the information in the fourth message. For example, after receiving the fourth message, UE2 may encapsulate the fourth message in the first message and send the first message to the RAN; the RAN receives the first message, encapsulates it in the second message, and sends the second message to AMF1. As another example, UE2 receives the fourth message, encapsulates the non-access stratum request from the fourth message in the first message, and sends the first message to the RAN. As another example, the RAN receives the first message, encapsulates the identification information of UE2 from the first message in the first message, and sends the second message to AMF1. It can be understood that the embodiments of this application do not limit how the messages are generated. As another example, if the RAN receives a first message that includes the first indication information, the RAN may encapsulate the first indication information in the second message and send the second message to AMF1. Because the second message includes the first indication information, AMF1, on receiving the first indication information, verifies the relay service of UE2.
Optionally, the response message of the second message includes a non-access stratum (NAS) message sent to UE1. The NAS message may be used to respond to the NAS request included in the fourth message. Specifically, the NAS message may also be integrity protected, that is, it may be a NAS message after NAS activation, or a NAS security mode command message, and so on. Integrity protection of the NAS message prevents other attackers from modifying the content of the response message of the second message. In this case, the response message of the second message may be used to indicate that AMF1 has processed the NAS request sent by UE1 to UE2. It can be understood that, when the response message of the second message includes a NAS message, this may also indicate that AMF1 has processed the NAS request sent by UE1 and that AMF1 authorizes UE1 to access the network through UE2. Optionally, by sending UE1 a NAS message that carries the authorization result of UE2, AMF1 notifies UE1 that the UE2 it is accessing is authorized to use the ProSe service and/or the relay function.
Optionally, the response message of the second message may also include the authorization result of UE1.
In a possible implementation, after receiving the second message, AMF1 may also verify the relay service of UE2. If the verification passes, AMF1 sends the response message of the second message to the RAN, and the response message of the second message indicates that UE1 is allowed to access the network through UE2. If the verification fails, AMF2 may discard the second message; or the response message of the second message may indicate that UE1 is refused access to the network. As for how AMF1 verifies the relay service of UE2, for example: AMF1 judges whether the identification information of UE2 included in the message requesting access to the network is consistent with the identification information of UE2 included in the second message. If they are consistent, AMF1 can determine that UE1 may access the network through UE2. If they are not consistent, AMF1 can determine that the relay UE requested by UE1 and the relay UE whose authorization the RAN determined are not the same UE, and AMF1 may discard the second message. Alternatively, the response message of the second message may include rejection information, a rejection cause, and so on.
305. The RAN sends a response message of the first message to UE2. The response message of the first message indicates that UE1 is allowed to access the network through UE2. Correspondingly, UE2 receives the response message of the first message.
Optionally, the response message of the first message may include the authorization result of UE1. If UE1 is not authorized to perform the remote UE function and/or the proximity communication service function, UE2 may refuse the access of UE1 and either disconnect or send a rejection message to UE1. The rejection message may also include a rejection identifier, which indicates that UE1 is not authorized to perform the remote UE function and/or the proximity communication service function.
Optionally, the response message of the first message may be the response message of the second message from AMF1, forwarded by the RAN. Optionally, the response message of the first message may also include the authorization result of UE2. Alternatively, the response message of the first message may include any one or more of: part or all of the information in the response message of the second message, part or all of the information in the second message, part or all of the information in the first message, and part or all of the information in the fourth message. For the response message of the first message, refer by analogy to the description of the fourth message or of the response message of the second message; details are not repeated here.
In a possible implementation, the method shown in FIG. 3 may further include:
306. UE2 sends a response message of the fourth message to UE1. Correspondingly, UE1 receives the response message of the fourth message.
Optionally, the response message of the fourth message may include any one or more of: the authorization result of UE2, part or all of the information in the response message of the first message, part or all of the information in the response message of the second message, part or all of the information in the second message, part or all of the information in the first message, and part or all of the information in the fourth message. For the response message of the fourth message, refer by analogy to the description of the response message of the second message; details are not repeated here. For example, the response message of the fourth message may include a non-access stratum (NAS) message sent by AMF1 to UE1, and the NAS message includes indication information on whether UE2 is authorized to perform the relay function. With this indication information, UE1 can determine whether the UE2 it is accessing is authorized.
In a possible implementation, step 303 above may be replaced with:
313) The RAN sends a fifth message to AMF2. The fifth message is used to request the authorization result of UE2, and includes the address of AMF1 and the identification information of UE2. Correspondingly, AMF2 receives the fifth message.
AMF2 then sends a response message of the fifth message to AMF1. The response message of the fifth message includes the authorization result of UE2 and the identification information of UE2. Correspondingly, AMF1 receives the response message of the fifth message.
In the embodiments of this application, AMF2 may determine the authorization result of UE2 according to the identification information of UE2. For how AMF2 determines the authorization result of UE2, refer to the foregoing description; it is not detailed here. The address of AMF1 included in the fifth message may be used to instruct AMF2 to send the authorization result of UE2 to AMF1. The RAN may determine the address of AMF2 according to the identification information of UE2, and the address of AMF1 according to the identification information of UE1. By sending the address of AMF1 to AMF2, the RAN enables AMF2 to send the authorization result of UE2 directly to AMF1. It can be understood that AMF2 may send the response message of the fifth message to AMF1 directly, or may send it to AMF1 through other network elements.
In the embodiments of this application, when UE1 requests to access the network through UE2, the RAN determines that UE2 is authorized to perform the relay service and then sends AMF1 a second message that includes the authorization result of UE2, so that AMF1 can allow UE1 to access the network through UE2 according to the authorization result of UE2. Implementing the embodiments of this application enables AMF1 to obtain the authorization result of UE2 and thereby allow UE1 to access the network through UE2 in a timely manner.
For a more detailed understanding of the method for determining an authorization result provided in the embodiments of this application, refer to FIG. 4. FIG. 4 is a schematic diagram of a scenario of a method for determining an authorization result provided by an embodiment of this application. As shown in FIG. 4, the method includes:
401. UE2 accesses AMF2 through the RAN, completes the network registration procedure, and accesses the operator network.
402. UE1 accesses AMF1 through the RAN, completes the network registration procedure, and accesses the operator network.
403. UE2 determines, through AMF2 or the proximity service function (ProSe function), whether the ProSe service applies to UE2. UE1 likewise determines, through AMF1 or the ProSe function, whether the ProSe service applies to UE1.
Specifically, AMF2 may obtain the subscription information of UE2 from the UDM and, according to that subscription information, determine whether UE2 can use the ProSe service and/or whether UE2 can perform the relay service. Alternatively, AMF2 may obtain the subscription information of UE2 from the ProSe function, and so on. Optionally, step 403 may also be carried out when UE2 accesses AMF2 and performs the registration procedure. For example, during the registration procedure, AMF2 may, according to UE2's request, obtain the subscription information of UE2 from the UDM or the ProSe function, and thereby determine whether UE2 can be authorized to perform the ProSe service, or whether UE2 is authorized to perform the relay service, and so obtain the authorization result of UE2. AMF2 may also save the authorization result of UE2, for example by saving the UE2 ID and the authorization result of UE2, or the relay ID of UE2 and the authorization result of UE2.
Optionally, while UE1 accesses AMF1 and performs the registration procedure, AMF1 may also, according to UE1's registration request, obtain the subscription information of UE1 from the UDM or the ProSe function. AMF1 thereby determines whether UE1 can use the ProSe service and/or whether UE1 can perform the remote UE service, and so obtains the authorization result of UE1. AMF1 may also save the authorization result of UE1, for example by saving the UE1 ID and the authorization result of UE1, or the remote ID of UE1 and the authorization result of UE1.
404. UE1 performs the discovery procedure.
Here, UE1 performing the discovery procedure can be understood as: UE1 discovers that it can access the network through UE2. Alternatively, it can be understood as: UE1 finds that it is closer to UE2 than to the base station. For example, UE1 may determine that UE2 is a relay UE by receiving a broadcast message from UE2.
405. UE1 sends an indirect communication request to UE2. The indirect communication request includes the UE1 ID and/or the remote ID. Correspondingly, UE2 receives the indirect communication request.
406. UE2 sends a relay service request (relay UE service request) to AMF2 through the RAN. The relay service request includes the UE2 ID and/or the relay ID of UE2. Correspondingly, AMF2 receives the relay service request.
Optionally, the relay service request may also include the UE1 ID and/or the remote ID of UE1.
It can be understood that the relay service request in step 406 corresponds to the third message in step 3031) shown in FIG. 3.
407. AMF2 verifies UE2 and determines the authorization result of UE2.
AMF2 may verify whether UE2 is authorized to perform the relay function; or AMF2 may verify whether UE2 is authorized for the function of a remote UE performing the relay service through the relay UE. Optionally, if AMF2 has already verified UE2 in step 403, then in step 407 AMF2 may determine the authorization result of UE2 according to locally saved information. Optionally, if step 403 was not performed, AMF2 may obtain the authorization result of UE2 from the UDM or the ProSe function.
408. AMF2 sends an NG application protocol (NGAP) message to the RAN. The NGAP message includes proximity authorization indication (ProSe authorized) information. The RAN receives the NGAP message and saves the proximity authorization indication.
The proximity authorization indication information is used to indicate that the non-access communication request of UE2 is authorized. Optionally, the NGAP message may also include authorization success indication information, which is used to indicate that UE2 is authorized to perform the relay function, or to indicate that the remote UE is authorized to perform the relay service through the relay UE. Optionally, the NGAP message may also include the UE2 ID and/or the relay ID of UE2. Optionally, the NGAP message may also include the UE1 ID and/or the remote ID of UE1. Optionally, in addition to the authorization result of UE2, the RAN may also save the UE2 ID and/or the relay ID of UE2, as well as the UE1 ID and/or the remote ID of UE1.
It can be understood that the NGAP message in step 408 corresponds to the response message of the third message shown in FIG. 3.
409. The RAN sends a radio resource control (RRC) message to UE2.
Optionally, the RRC message includes the proximity authorization indication information. Correspondingly, UE2 receives the RRC message.
410. UE2 sends a response message to UE1.
It can be understood that the response message is used to indicate that UE2 is allowed to use the indirect communication service.
Steps 405-410 above can be understood as the following scenario: UE1 notifies UE2 that it requests access to the network, and UE2 requests AMF2 to authorize its own relay service.
It can be understood that if UE2 has already been authorized to perform the relay service, the method shown in FIG. 4 may omit steps 406-409.
Optionally, when UE2 receives the indirect communication request sent by UE1, UE2 may also send the identification information of UE1 to AMF1 through the RAN, so that AMF1 can determine, according to the identification information of UE1, whether UE1 is authorized to use the proximity communication service and/or the remote service (that is, the remote UE function). After the AMF1 verification passes, the authorization result of UE1 is sent to UE2. If the verification succeeds, UE2 continues; otherwise UE2 interrupts the procedure or sends a rejection message to UE1. The rejection message may also include a rejection indication, indicating that UE1 is not authorized to use the proximity communication service and/or the remote UE function.
411. UE1 sends a remote UE NAS request to UE2. The remote UE NAS request includes the UE1 ID and/or the remote ID of UE1. Correspondingly, UE2 receives the remote UE NAS request.
Optionally, the remote UE NAS request may also include the UE2 ID and/or the relay ID of UE2. The UE2 ID and/or the relay ID of UE2 may have been obtained by UE1 in step 404, or in step 410, and so on.
Optionally, UE2 may also check whether it is in the serving network of the same PLMN as UE1. If not, UE2 interrupts the procedure or sends a rejection message to UE1. The rejection message may also include a rejection indication, indicating that UE1 and UE2 belong to different PLMN serving networks. The check may use the serving network identifier carried in the identifier of UE1, or a serving network identifier that UE1 sends to UE2 separately, and compare it with the serving network that UE2 has accessed.
It can be understood that the remote UE NAS request corresponds to the fourth message in step 301 shown in FIG. 3.
412. UE2 sends an uplink RRC message to the RAN. The uplink RRC message includes the NAS request. Correspondingly, the RAN receives the uplink RRC message.
It can be understood that the uplink RRC message corresponds to the first message in step 301 shown in FIG. 3.
413. The RAN determines that UE2 is authorized to perform the relay service.
In the embodiments of this application, the RAN may determine that UE2 is authorized to perform the relay service according to, for example, the authorization result and the identification information that the RAN saved in step 408.
414. The RAN sends an NGAP message to AMF1. The NGAP message includes the authorization result of UE2 and the UE2 ID; or the NGAP message includes the authorization result of UE2 and the relay ID of UE2.
Optionally, the NGAP message also includes the NAS request.
It can be understood that the NGAP message corresponds to the second message in step 303 shown in FIG. 3.
415. AMF1 determines that UE2 is authorized to perform the relay service. For the specific authorization check, see the embodiment of FIG. 3.
Optionally, AMF1 determines whether the UE2 ID in the NGAP message sent by the RAN is consistent with the UE2 ID in the remote UE NAS request sent by UE1. If they are consistent, AMF1 determines that UE2 is successfully authorized; if they are not, AMF1 rejects UE1's request to access the network. Alternatively, AMF1 may discard the NGAP message, and so on.
416. AMF1 sends a downlink NAS message to UE1 via the RAN and UE2. The downlink NAS message is used to indicate that UE1 is authorized to access the network through UE2, or that UE2 is authorized to perform the relay service.
It can be understood that the downlink NAS message corresponds to the response message of the second message in step 304 shown in FIG. 3. Alternatively, the downlink NAS message corresponds to the response message of the first message in step 305 shown in FIG. 3, or to the response message of the fourth message in step 306.
The downlink NAS message also includes the UE2 ID and/or the relay ID.
417. UE1 determines, according to the downlink NAS message, that it is authorized to access the network.
Optionally, UE1 may also determine whether the relay ID of UE2 in the downlink NAS message is consistent with the ID of the relay UE found in the discovery procedure. If they are consistent, UE1 proceeds to access the network; if they are not, UE1 may interrupt the network access procedure, or reselect another relay UE to access the network.
In the embodiments of this application, the base station relays the authorization information of UE2, which avoids passing authorization parameters between AMFs and reduces the impact between AMFs.
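The checks in steps 408 and 413-417 can be traced in a small model, given here as an added example that is not part of the patent text. The class names, field names and outcome strings are illustrative assumptions, as are the choices that the remote UE NAS request carries the relay ID of UE2 (optional in step 411) and that the RAN stops the flow when it holds no positive result for the sending relay.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class NasRequest:            # step 411: remote UE NAS request, UE1 -> UE2
    ue1_id: str
    relay_id: str            # relay ID of the UE2 that UE1 intends to use


@dataclass(frozen=True)
class Ngap:                  # step 414: RAN -> AMF1
    ue2_relay_id: str        # relay the RAN actually received the uplink RRC from
    ue2_authorized: bool     # authorization result of UE2
    nas: NasRequest


@dataclass(frozen=True)
class DownlinkNas:           # step 416: AMF1 -> RAN -> UE2 -> UE1
    accepted: bool
    relay_id: str


class Amf2:
    """Serving AMF of the relay UE; decides from subscription data (steps 403/407)."""

    def __init__(self, relay_subscriptions: Dict[str, bool]):
        self._subs = relay_subscriptions   # constructed sample data, not real IDs

    def authorize_relay(self, relay_id: str) -> bool:
        return self._subs.get(relay_id, False)   # unknown relay: not authorized


class Ran:
    def __init__(self) -> None:
        self._auth: Dict[str, bool] = {}

    def store_result(self, relay_id: str, authorized: bool) -> None:
        self._auth[relay_id] = authorized        # step 408: save the indication

    def on_uplink_rrc(self, sender_relay_id: str, nas: NasRequest) -> Optional[Ngap]:
        # Step 413: look up the result saved for the UE that sent the RRC message,
        # not for whatever relay the encapsulated NAS request names.
        # Assumption: a missing or negative result stops the flow at the RAN.
        if not self._auth.get(sender_relay_id, False):
            return None
        return Ngap(sender_relay_id, True, nas)  # step 414


class Amf1:
    def on_ngap(self, ngap: Ngap) -> DownlinkNas:
        # Step 415: the result must be positive AND the relay reported by the RAN
        # must be the relay named in UE1's own NAS request.
        ok = ngap.ue2_authorized and ngap.ue2_relay_id == ngap.nas.relay_id
        return DownlinkNas(ok, ngap.ue2_relay_id)


class RemoteUe:
    def __init__(self, ue1_id: str, discovered_relay_id: str):
        self.ue1_id = ue1_id
        self.discovered_relay_id = discovered_relay_id   # learned in step 404

    def build_request(self) -> NasRequest:
        return NasRequest(self.ue1_id, self.discovered_relay_id)

    def on_downlink_nas(self, msg: DownlinkNas) -> str:
        # Step 417: accept only if the relay ID matches the discovered relay.
        if not msg.accepted:
            return "rejected_by_amf1"
        if msg.relay_id != self.discovered_relay_id:
            return "reselect_relay"
        return "attached"


def run_flow(amf2: Amf2, ran: Ran, amf1: Amf1, ue1: RemoteUe, sender_relay_id: str) -> str:
    """Drive steps 406-417 for the relay that actually forwards UE1's request."""
    ran.store_result(sender_relay_id, amf2.authorize_relay(sender_relay_id))  # 406-408
    ngap = ran.on_uplink_rrc(sender_relay_id, ue1.build_request())            # 412-414
    if ngap is None:
        return "stopped_at_ran"
    return ue1.on_downlink_nas(amf1.on_ngap(ngap))                            # 415-417
```

The third case in the test, where an authorized relay forwards a request that names a different relay, is the one that only the step 415 comparison catches.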
In a possible implementation, the method shown in steps 413-415 above may also be replaced with:
423) The RAN forwards to AMF1 the uplink RRC message sent by UE2. Correspondingly, AMF1 receives the uplink RRC message.
424) AMF1 sends a request message to AMF2. The request message is used to request the authorization result of UE2. Correspondingly, AMF2 receives the request message. The request message carries the UE2 ID and/or the relay ID.
AMF1 may determine the address of AMF2 according to the UE2 ID and/or the relay ID of UE2 included in the uplink RRC message. AMF2 may determine, according to the UE2 ID and/or the relay ID of UE2, whether UE2 is authorized to perform the relay service. If AMF2 determines that UE2 is authorized to perform the relay service, AMF2 performs step 425).
425) AMF2 sends a response message of the request message to AMF1. Correspondingly, AMF1 receives the response message of the request message, and determines according to it that UE2 is authorized to perform the relay service.
In a possible implementation, the method shown in steps 413-415 above may also be replaced with:
433) The RAN forwards to AMF1 the uplink RRC message sent by UE2. Correspondingly, AMF1 receives the uplink RRC message.
434) AMF1 sends a request message to the UDM or the ProSe function. The request message is used to request the authorization result of UE2. Correspondingly, the UDM or the ProSe function receives the request message. The request message carries the UE2 ID and/or the relay ID.
435) The UDM or the ProSe function sends a response message of the request message to AMF1. Correspondingly, AMF1 receives the response message of the request message, and determines according to it that UE2 is authorized to perform the relay service.
In the embodiments of this application, the data is passed over the interface between AMFs, which avoids passing authorization parameters and the like through the base station.
The methods shown in the embodiments of this application use AMF2 as the example entity that verifies whether UE2 is authorized to perform the relay service or the ProSe function, or AMF1 as the example entity that verifies whether UE1 is authorized to perform the remote service or the ProSe function. In some embodiments, the above methods may also be performed by an SMF.
Taking SMF1 as an example: here UE1 accesses SMF1 through UE2, the RAN and AMF1. SMF1 then verifies whether UE2 can use the relay function. Specifically, AMF1 sends the authorization result of UE2 to SMF1; or SMF1 determines it according to the identification information of UE2 (in the same way that AMF2 determines it according to the identification information of UE2); or SMF1 requests it from AMF2 and obtains it from AMF2. After SMF1 successfully verifies UE2, it sends a verification success indication to AMF1, and AMF1 then continues with the other procedures, which are not limited here.
The embodiments of this application also include the following possibility: if AMF1 successfully verifies UE2, it need not send a UE2 authorization verification success indication to the RAN, UE2 or UE1. AMF1 can carry out UE1's service procedures normally, such as UE1 registration and session establishment. That the service procedure is not interrupted means the authorization verification of UE2 succeeded.
The embodiments of this application also include the following possibility: if the RAN successfully verifies UE2, it need not send a UE2 authorization verification success indication to UE2 or UE1. The RAN can carry out UE1's service procedures normally, such as UE1 registration and session establishment. That the service procedure is not interrupted means the authorization verification of UE2 succeeded.
The methods provided in the embodiments of this application are described in detail above; the devices provided in the embodiments of this application are described in detail below.
Refer to FIG. 5, which is a schematic structural diagram of a communication device provided by an embodiment of this application. The wireless communication device can be used to perform the method for determining an authorization result provided in this application. As shown in FIG. 5,
The transceiver unit 501 is configured to receive a first message sent by a second terminal device, where the first message is used to indicate that a first terminal device requests access to the network through the second terminal device, and the first message includes the identification information of the second terminal device;
The processing unit 502 is configured to determine the authorization result of the second terminal device according to the identification information of the second terminal device;
The transceiver unit 501 is further configured to send a second message to a first core network device, where the second message includes the authorization result of the second terminal device, and to receive a response message of the second message sent by the first core network device.
In a possible implementation, the access network device stores the authorization result of the second terminal device.
In a possible implementation, the transceiver unit 501 is further configured to send a third message to a second core network device, where the third message includes the identification information of the second terminal device and is used to request the authorization result of the second terminal device;
The transceiver unit 501 is further configured to receive a response message of the third message sent by the second core network device;
The processing unit 502 is further configured to save the authorization result of the second terminal device.
In a possible implementation, the identification information of the second terminal device includes the relay identifier of the second terminal device.
In a possible implementation, the transceiver unit 501 is further configured to send a response message of the first message to the second terminal device, where the response message of the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
In a possible implementation, the response message of the first message includes the authorization result of the second terminal device.
In a possible implementation, the processing unit 502 may be implemented by one or more processors, and the transceiver unit 501 may be implemented by a transceiver. In a possible implementation, the processing unit 502 may be implemented by one or more processing circuits, and the transceiver unit 501 may be implemented by an interface circuit (or an input/output interface, a communication interface, an interface, etc.).
It can be understood that, for the specific implementation of the communication device shown in FIG. 5, reference may be made to the steps performed by the access network device, such as the RAN, shown in FIG. 3 and FIG. 4; it is not detailed here.
Refer to FIG. 6, which is a schematic structural diagram of a communication system provided by an embodiment of this application. The communication system can be used to perform the methods shown in FIG. 3 and FIG. 4. As shown in FIG. 6, the communication system includes:
A first core network device 601, configured to receive a second message sent by an access network device, where the second message includes the authorization result of a second terminal device;
The first core network device 601 is further configured to determine, according to the authorization result of the second terminal device, that the second terminal device is authorized to perform the relay service;
The first core network device 601 is further configured to send a response message of the second message to the access network device.
In a possible implementation, the system further includes:
An access network device 602, configured to receive a first message sent by the second terminal device, where the first message is used to indicate that a first terminal device requests access to the network through the second terminal device, and the first message includes the identification information of the second terminal device;
The access network device 602 is further configured to determine that the second terminal device is authorized to perform the relay service, and to send the second message to the first core network device.
In a possible implementation, the access network device 602 is further configured to send a third message to a second core network device, where the third message includes the identification information of the second terminal device and is used to request the authorization result of the second terminal device;
A second core network device 603, configured to receive the third message sent by the access network device, and to send a response message of the third message to the access network device;
The access network device 602 is specifically configured to determine, according to the response message of the third message, that the second terminal device is authorized to perform the relay service.
In a possible implementation, the access network device 602 is further configured to send a response message of the first message to the second terminal device, where the response message of the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
作为示例,上述第一核心网设备可以包括处理单元和收发单元,该收发单元可用于执行与收发信号相关的方法。例如,收发单元可用于接收接入网设备发送的第二消息,以及向该接入网设备发送该第二消息的响应消息。例如,处理单元,可用于根据第二终端设备的授权结果确定该第二终端设备被授权执行中继业务。又例如,处理单元,还用于对第一终端设备的ProSe业务进行校验等等。As an example, the foregoing first core network device may include a processing unit and a transceiving unit, and the transceiving unit may be used to perform a method related to transceiving signals. For example, the transceiver unit may be used to receive a second message sent by an access network device, and send a response message of the second message to the access network device. For example, the processing unit may be configured to determine that the second terminal device is authorized to perform the relay service according to the authorization result of the second terminal device. For another example, the processing unit is also used to verify the ProSe service of the first terminal device and so on.
作为示例,上述第二核心网设备可以包括处理单元和收发单元。例如,收发单元,可用于接收接入网设备发送的第三消息。又例如,该收发单元,还用于向接入网设备发送第三消息的响应消息。例如,处理单元,可用于对终端设备进行校验,确定该第二终端设备的授权结果。As an example, the foregoing second core network device may include a processing unit and a transceiving unit. For example, the transceiver unit may be used to receive the third message sent by the access network device. For another example, the transceiver unit is also configured to send a response message of the third message to the access network device. For example, the processing unit may be used to verify the terminal device and determine the authorization result of the second terminal device.
可理解,对于图6所示的通信系统中各个设备的具体实现方式可参考图3和图4所示的方法,这里不作详述。It can be understood that, for the specific implementation of each device in the communication system shown in FIG. 6, reference may be made to the methods shown in FIG. 3 and FIG. 4, which are not described in detail here.
Refer to FIG. 7, which is a schematic structural diagram of a communication device provided by an embodiment of this application.
In one embodiment, the communication device may be used as an access network device. In another embodiment, the communication device may be used as the first core network device. In another embodiment, the communication device may be used as the second core network device. For each of the above embodiments, the specific implementation of the communication device may refer to the methods shown in FIG. 3 and FIG. 4.
As an example, when the processing unit 502 in the device shown in FIG. 5 is implemented by a processor and the transceiver unit 501 is implemented by a transceiver, as shown in FIG. 7, the device 70 includes at least one processor 720, configured to implement the functions of the access network device in the method provided in the embodiments of this application. Alternatively, when the processing unit (not shown in the drawings) of the first core network device or the second core network device is implemented by a processor and the transceiver unit is implemented by a transceiver, as shown in FIG. 7, the device 70 includes at least one processor 720, configured to implement the functions of the first core network device or the second core network device in the method provided in the embodiments of this application.
The device 70 may also include a transceiver 710. The transceiver can be used to communicate with other devices through a transmission medium. The processor 720 uses the transceiver 710 to send and receive data (such as messages) and is used to implement the methods described in the foregoing method embodiments.
Optionally, the device 70 may further include at least one memory 730 for storing program instructions and/or data. The memory 730 is coupled to the processor 720. The coupling in the embodiments of this application is an indirect coupling or communication connection between devices, units or modules; it may be electrical, mechanical or of another form, and is used for information exchange between devices, units or modules. The processor 720 may operate in cooperation with the memory 730. The processor 720 may execute program instructions stored in the memory 730.
The embodiments of this application do not limit the specific connection medium between the transceiver 710, the processor 720 and the memory 730. In FIG. 7, the memory 730, the processor 720 and the transceiver 710 are connected by a bus 740, which is represented by a thick line; the connections between other components are shown only schematically and are not limiting. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 7, but this does not mean that there is only one bus or one type of bus.
In the embodiments of this application, the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or perform the methods, steps and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
The memory in the embodiments of this application may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory. The volatile memory may be random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synchlink DRAM, SLDRAM) and direct rambus random access memory (direct rambus RAM, DR RAM). It should be noted that the memories of the systems and methods described herein are intended to include, but are not limited to, these and any other suitable types of memory.
According to the methods provided in the embodiments of this application, this application also provides a computer program product that includes computer program code; when the computer program code runs on a computer, it causes the computer to execute the method in the embodiments shown in FIG. 3 and/or FIG. 4.
According to the methods provided in the embodiments of this application, this application also provides a computer-readable medium that stores program code; when the program code runs on a computer, it causes the computer to execute the method in the embodiments shown in FIG. 3 and/or FIG. 4.
According to the methods provided in the embodiments of this application, this application also provides a computer program that can be used to execute the method in the embodiments shown in FIG. 3 and/or FIG. 4.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented by software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a high-density digital video disc (DVD)), or a semiconductor medium (for example, a solid state disc (SSD)).
The terms "component", "module", "system" and the like used in this specification denote computer-related entities: hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable file, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a computing device and the computing device itself can be components. One or more components may reside in a process and/or thread of execution, and a component may be located on one computer and/or distributed between two or more computers. In addition, these components can be executed from various computer-readable media having various data structures stored thereon. Components may communicate through local and/or remote processes, for example according to a signal having one or more data packets (for example, data from two components interacting with another component in a local system, a distributed system, and/or across a network, such as the Internet, which interacts with other systems by means of signals).
Those of ordinary skill in the art will appreciate that the various illustrative logical blocks and steps described in connection with the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are executed in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated here.
The above are only specific implementations of this application, but the protection scope of this application is not limited to them. Any change or substitution that a person skilled in the art could readily conceive of within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.
In addition to authorizing whether UE1 can perform the remote UE service and/or whether UE2 can perform the relay UE service, as described above, this application also includes a method for authorizing whether UE1 is allowed to access certain slices and/or sessions through relay UE2.
For a more detailed understanding of the method provided in this application for determining slice-related authorization results, refer to FIG. 8. FIG. 8 is a schematic diagram of a scenario of another authorization result determination method provided by this application. As shown in FIG. 8, the method includes:
800. UE2 accesses AMF2 through the RAN, completes the network registration procedure, and accesses the operator's network. AMF2 stores UE2's subscription information. During UE2's registration, AMF2 sends a subscription data acquisition request to the UDM and receives this subscription information from the UDM. UE2's subscription information includes the slice information that UE2 is allowed to access; or UE2's subscription information includes the slice information for which UE2 is allowed to provide the relay function as a service. The slice information here may be a slice identifier, network slice selection assistance information (NSSAI), single network slice selection assistance information (S-NSSAI), or other information or an identifier used to identify a slice.
Note that there are two modes in which UE1 discovers UE2. In mode 1, UE2 broadcasts information; UE1 determines from UE2's broadcast information that it will use the relay service provided by UE2, and then accesses UE2. In mode 2, UE1 sends broadcast information announcing that it wants to use a relay service; if UE2 determines that it can provide the relay service for UE1, it responds to UE1's broadcast information.
For mode 1, the method shown in FIG. 8 may further include step 801 and step 802.
801. UE2, acting as a relay, sends broadcast information that includes slice information 2 or a code of slice information 2. Slice information 2 indicates the slices for which UE2, as a relay, can provide relay service. Optionally, the code of slice information 2 may be broadcast here instead; the receiver UE1 can determine the corresponding slice information 2 from the code of slice information 2. The slice information 2 or the code of slice information 2 may also be carried in the relay service code of the broadcast message.
802. UE1 receives the broadcast information sent by UE2 and determines that it wants to access, through UE2, the slice service corresponding to slice information 2 or to the code of slice information 2; UE1 then sends SUCI1 and slice information 1 to UE2, where slice information 1 is the slice information corresponding to the slice service that UE1 wants to access through the relay. Optionally, they may be sent to UE2 in a PC5 communication request. Here, UE1 may determine slice information 2 from the code of slice information 2. Optionally, UE1 may be preconfigured with a list of the slice information 2 corresponding to each code of slice information 2, or may receive this list from the UDM through the AMF network element during registration, and thereby determine slice information 2. The slices corresponding to slice information 2 or to the code of slice information 2 may be the same as the slice corresponding to slice information 1, or may include the slice corresponding to slice information 1. For example, slice information 2 includes 5 S-NSSAIs, and slice information 1 is 1 of those 5 S-NSSAIs.
For mode 2, the method shown in FIG. 8 may include step 802; that is, step 801 is optional. UE1 sends PC5 communication request information that includes slice information 1 and SUCI1. Here, slice information 1 is the slice information corresponding to the slice service that UE1 wants to access through the relay. If UE2 determines that it can provide UE1 with the relay service for slice information 1, it continues. Optionally, UE2 sends UE1 a response indicating that it can provide the relay service.
803. UE2 sends a relay service request to AMF2 that includes SUCI1 and slice information 1, where SUCI1 and slice information 1 are the information corresponding to the remote UE1.
Optionally, UE2 determines whether it can provide the relay service for the slice corresponding to slice information 1. Here, UE2 may store slice information, configured to UE2 by the network, for which UE2 is allowed to provide relay service. According to this stored slice information, UE2 can determine whether to provide the relay service for the slice information 1 sent by UE1. If it can provide the service, it continues; otherwise it sends a rejection message to UE1.
Optionally, UE2 also sends relay indication 1, which tells AMF2 that this service request is a relay service request.
Optionally, the relay service request is a special request message type that indicates that the message is sent by UE2 performing the relay function.
Optionally, SUCI1 and slice information 1 may be placed in a special container and sent to AMF2. This container indicates that it is a container sent by UE2 performing the relay function, and it includes SUCI1 and slice information 1 of the remote UE1.
Here, AMF2 may be the AMF2 that stores UE2's subscription information in step 800, or a new AMF that can send a request to the AMF2 storing UE2's subscription information and obtain UE2's subscription information. For ease of description, AMF2 is used here.
804. Optionally, AMF2 determines from relay indication 1 that message 803 is a message sent by UE2 performing the relay function; this triggers the following check in step 804.
Optionally, step 804 may instead be: AMF2 determines from the message type of the relay service request that the message is sent by UE2 performing the relay function; this triggers the following check.
Optionally, step 804 may instead be: AMF2 determines from the special container that it is a container sent by UE2 performing the relay function; this triggers the following check.
Optionally, AMF2 determines from UE2's subscription information whether UE2 can provide the relay service for slice information 1. Specifically, AMF2 determines whether slice information 1 is one of the slice information that UE2 is allowed to access in UE2's subscription information; and/or one of the slice information for which UE2 is allowed to serve as a relay in UE2's subscription information. If slice information 1 passes the first check and/or the second check, AMF2 continues; otherwise AMF2 sends a rejection message to UE2. Optionally, the rejection message carries a rejection indication, which indicates that UE2 is not allowed to provide the relay service for slice information 1. After UE2 receives the rejection message sent by AMF2, it sends a PC5 communication rejection message to UE1, refusing UE1 the use of UE2's relay function. Optionally, the rejection message carries a rejection indication, which indicates that UE2 cannot provide the relay service for slice information 1.
If slice information 1 passes the first check and/or the second check, AMF2 continues. The AMF sends an authentication request that includes SUCI1 to the AUSF.
805. The AUSF obtains from the UDM the authentication vector of UE1 corresponding to SUCI1, and SUPI1 (that is, the SUPI of UE1); here SUPI1 is the identifier of UE1 obtained by decrypting SUCI1.
806. The AUSF and UE1 perform authentication through UE2, the RAN and AMF2.
807. After the authentication succeeds, the AUSF sends an authentication response carrying SUPI1 to AMF2.
It can be understood that the embodiments of this application do not limit the authentication method shown in steps 805-807. For example, the authentication method may follow the current 5G authentication procedure, or may be performed according to relevant standards or protocols.
808. AMF2 sends a subscription data acquisition request that carries SUPI1. Optionally, it may also carry SUPI2. Here, SUPI2 may be the permanent identifier of UE2 stored by AMF2 in step 800.
Optionally, AMF2 may also send slice information 1.
Optionally, AMF2 may also send relay service indication 2, which indicates that this is a request for the subscription information corresponding to the remote UE1, that is, the subscription information corresponding to SUPI1; or indicates that this is a request to perform an authorization determination for the remote UE1, for example a determination of whether slice information 1 is authorized.
809. The UDM determines UE1's subscription information according to SUPI1 and sends UE1's subscription information to AMF2 in a subscription data acquisition response message. UE1's subscription information includes at least one of: the slice information that UE1 is allowed to access, the slice information that UE1 is allowed to access as a remote UE, whether UE1 is allowed to use the remote UE service, and whether the slice information concerned requires slice authentication.
Optionally, the UDM receives relay service indication 2 and SUPI2, and determines from relay service indication 2 that this is a request for the subscription information corresponding to the remote UE1, that is, the subscription information corresponding to SUPI1, or that this is a request to perform an authorization determination for the remote UE1; it then determines whether the UE corresponding to SUPI2 (such as UE2) is allowed to perform the relay function. This determination can be made from the subscription information corresponding to SUPI2. If the relay function is allowed, the UDM then determines UE1's subscription information according to SUPI1.
Optionally, the UDM receives relay service indication 2 and determines that AMF2 is requesting the subscription information corresponding to the remote UE1, that is, the subscription information corresponding to SUPI1; it then determines UE1's subscription information.
Optionally, the UDM receives relay service indication 2 and determines that this is a request to perform an authorization determination for the remote UE1, for example the authorization determination for slice information 1. The UDM first determines UE1's subscription information according to SUPI1, and then determines whether slice information 1 is one of the slice information that UE1 is allowed to access in UE1's subscription information; determines whether slice information 1 is one of the slice information that the UE accesses as a remote UE; or determines whether UE1 is allowed to use the remote UE service. If the at least one determination above passes, the UDM sends an indication that the authorization determination succeeded to AMF2, and the AMF performs step 811. Otherwise, the UDM sends an indication that the authorization determination failed to AMF2. In that case AMF2 may send a rejection message to UE2. Optionally, the rejection message carries a rejection indication, which indicates that UE1 is not allowed to access the slice service corresponding to slice information 1, or the remote UE service. After UE2 receives the rejection message sent by AMF2, it sends a PC5 communication rejection message to UE1, refusing UE1 the use of UE2's relay function. Optionally, the rejection message carries a rejection indication, which indicates that UE1 is not allowed to access the slice service corresponding to slice information 1. In this case the UDM optionally does not need to send UE1's subscription information to AMF2. After the above UDM check passes, the method shown in FIG. 8 may further include step 810 and the subsequent steps described below.
810. Optionally, AMF2 determines whether slice information 1 is one of the slice information that UE1 is allowed to access in the UE subscription information;
Optionally, AMF2 may also determine whether slice information 1 is one of the slice information that UE1, acting as a remote UE, is allowed to access;
Optionally, AMF2 determines whether UE1 is allowed to use the remote UE service;
When the above AMF2 checks pass, for example when all three checks in 810 pass (all are yes), or when any one or two of the checks in 810 pass, AMF2 continues. Otherwise AMF2 sends a rejection message to UE2. Optionally, the rejection message carries a rejection indication, which indicates that UE1 is not allowed to access the slice service corresponding to slice information 1, or the remote UE service. After UE2 receives the rejection message sent by AMF2, it sends a PC5 communication rejection message to UE1, refusing UE1 the use of UE2's relay function. Optionally, the rejection message carries a rejection indication, which indicates that UE1 is not allowed to access the slice service corresponding to slice information 1.
Optionally, AMF2 determines from UE1's subscription information whether the service corresponding to slice information 1 requires slice authentication. If slice authentication is required, the slice authentication procedure is triggered, and slice authentication among UE1, AMF2, network slice specific authentication and authorization (NSSAAF) and AAA is completed. If AMF2 determines that the slice authentication succeeded, it continues; otherwise AMF2 sends a rejection message to UE2. Optionally, the rejection message carries a rejection indication, which indicates that UE1 is not allowed to access the slice service corresponding to slice information 1, or the remote UE service. After UE2 receives the rejection message sent by AMF2, it sends a PC5 communication rejection message to UE1, refusing UE1 the use of UE2's relay function. Optionally, the rejection message carries a rejection indication, which indicates that UE1 is not allowed to access the slice service corresponding to slice information 1.
Optionally, the check of UE2 performed by AMF2 in 804 may also be performed in this step; the embodiments of this application do not limit the order of step 804 and step 810.
811. AMF2 sends an authorization result to UE2. The authorization result includes whether UE1 is allowed to access the slice service corresponding to slice information 1 through UE2; or whether UE1 is allowed to use the slice corresponding to slice information 1.
Optionally, the above authorization result may not be sent. If AMF2 does not send a rejection message to UE2, this may also indicate that all of AMF2's authorization checks have passed.
812. If the authorization result indicates that UE1 is authorized to access the slice service corresponding to slice information 1 through UE2, or is authorized to use the slice service corresponding to slice information 1, UE2 continues. Otherwise, it sends a rejection message to UE1. Optionally, the rejection message carries a rejection indication, which indicates that UE1 is not allowed to access the slice service corresponding to slice information 1.
813. If it continues, UE2 sends a PC5 communication response message to UE1. If UE1 does not receive a PC5 communication rejection message, this indicates that the check of UE1's slice information 1 has passed.
可选的,上述切片信息2也可以为数据网络名称(data network name,DNN)信息。这里DNN信息用来指示UE1希望通过UE2接入的DNN网络的信息。是否UE1被允许通过中继UE2访问DNN的授权校验与上述切片信息的校验类似,不做赘述。Optionally, the above-mentioned slice information 2 may also be data network name (data network name, DNN) information. Here, the DNN information is used to indicate the information of the DNN network that UE1 wants to access through UE2. The authorization check of whether the UE1 is allowed to access the DNN through the relay UE2 is similar to the check of the slice information described above, and will not be repeated.
可理解,本申请实施例提供的通信装置也可以用于执行图8所示的方法,这里不再详述。It can be understood that the communication device provided in the embodiment of the present application may also be used to execute the method shown in FIG. 8, which will not be described in detail here.
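The decision chain of steps 810 to 813, modelled as an added example (not code from the patent): AMF2's slice check, the optional omission of a positive result, and UE2's resulting PC5 reply to UE1. All class names, fields, message strings and the sample subscription are constructed assumptions, and `require_explicit` is a stricter variant added here that refuses a request when no authorization result arrives.

```python
"""Steps 810-813 as a small model: AMF2's slice decision and UE2's PC5 reply.
Every name, field and message string here is constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple


class Pc5Reply(Enum):
    RESPONSE = "PC5 communication response"
    REJECT = "PC5 communication reject"


@dataclass(frozen=True)
class Subscription:
    """Constructed stand-in for UE1's subscription information."""
    allowed_slices: frozenset
    slice_auth_required: frozenset  # slices that need slice authentication


@dataclass(frozen=True)
class AmfMessage:
    """Message from AMF2 to UE2: a reject (810) or an authorization result (811)."""
    kind: str  # "reject" or "authorization_result"
    allowed: bool
    reject_indication: Optional[str] = None


def amf2_decide(sub: Subscription, slice_info: str,
                run_slice_auth: Callable[[str], bool],
                send_result: bool = True) -> Optional[AmfMessage]:
    """Steps 810-811. run_slice_auth stands in for the UE1/AMF2/NSSAAF/AAA
    exchange. Returns None when AMF2 omits the optional positive result."""
    if slice_info in sub.slice_auth_required and not run_slice_auth(slice_info):
        return AmfMessage("reject", False,
                          f"UE1 is not allowed to access {slice_info}")
    # Assumption: set membership stands in for AMF2's authorization check.
    if slice_info not in sub.allowed_slices:
        return AmfMessage("authorization_result", False)
    # Only a positive result may be left out; a denial is always explicit.
    return AmfMessage("authorization_result", True) if send_result else None


def ue2_reply(msg: Optional[AmfMessage],
              require_explicit: bool = False) -> Tuple[Pc5Reply, Optional[str]]:
    """Steps 812-813. By default, silence from AMF2 counts as success, as the
    page allows. require_explicit is a stricter variant added here: with it,
    a missing result is refused, so a lost reject cannot pass as approval."""
    if msg is None:
        if require_explicit:
            return Pc5Reply.REJECT, "no authorization result received"
        return Pc5Reply.RESPONSE, None
    if msg.kind == "authorization_result" and msg.allowed:
        return Pc5Reply.RESPONSE, None
    return Pc5Reply.REJECT, (msg.reject_indication
                             or "UE1 is not allowed to access the slice service")


def relay_request(sub, slice_info, run_slice_auth,
                  send_result=True, require_explicit=False):
    """UE1's request as UE2 sees it end to end: AMF2 decides, UE2 answers."""
    msg = amf2_decide(sub, slice_info, run_slice_auth, send_result)
    return ue2_reply(msg, require_explicit)


# Constructed sample: slice-1 needs slice authentication, slice-2 does not.
UE1_SUB = Subscription(frozenset({"slice-1", "slice-2"}), frozenset({"slice-1"}))

if __name__ == "__main__":
    for s, ok in [("slice-1", True), ("slice-1", False), ("slice-3", True)]:
        print(s, ok, relay_request(UE1_SUB, s, lambda _s, ok=ok: ok))
```

Because silence is read as approval in the default mode, the model never lets AMF2 omit a denial; only the positive result is optional.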

Claims (18)

  1. A method for determining an authorization result, characterized in that the method comprises:
    receiving, by an access network device, a first message sent by a second terminal device, wherein the first message is used to indicate that a first terminal device requests to access a network through the second terminal device, and the first message includes identification information of the second terminal device;
    determining, by the access network device, an authorization result of the second terminal device according to the identification information of the second terminal device;
    sending, by the access network device, a second message to a first core network device, wherein the second message includes the authorization result of the second terminal device;
    receiving, by the access network device, a response message to the second message sent by the first core network device.
  2. The method according to claim 1, wherein the access network device stores the authorization result of the second terminal device.
  3. The method according to claim 2, wherein before the access network device determines the authorization result of the second terminal device according to the identification information of the second terminal device, the method further comprises:
    sending, by the access network device, a third message to a second core network device, wherein the third message includes the identification information of the second terminal device, and the third message is used to request the authorization result of the second terminal device;
    receiving, by the access network device, a response message to the third message sent by the second core network device, wherein the response message to the third message includes an authorization result of whether the second terminal device is authorized to perform a relay service;
    saving, by the access network device, the authorization result of the second terminal device.
  4. The method according to any one of claims 1 to 3, wherein the identification information of the second terminal device includes a relay identifier of the second terminal device.
  5. The method according to any one of claims 1 to 4, wherein the method further comprises:
    sending, by the access network device, a response message to the first message to the second terminal device, wherein the response message to the first message includes the authorization result of the second terminal device, and the response message to the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
  6. A method for determining an authorization result, characterized in that the method comprises:
    receiving, by a first core network device, a second message sent by an access network device, wherein the second message includes an authorization result of a second terminal device;
    determining, by the first core network device according to the authorization result of the second terminal device, that the second terminal device is authorized to perform a relay service;
    sending, by the first core network device, a response message to the second message to the access network device.
  7. The method according to claim 6, wherein before the first core network device receives the second message sent by the access network device, the method further comprises:
    receiving, by the access network device, a first message sent by the second terminal device, wherein the first message is used to indicate that the first terminal device requests to access a network through the second terminal device, and the first message includes identification information of the second terminal device;
    determining, by the access network device, that the second terminal device is authorized to perform the relay service, and sending the second message to the first core network device.
  8. The method according to claim 7, wherein before the access network device determines that the second terminal device is authorized to perform the relay service, the method further comprises:
    sending, by the access network device, a third message to a second core network device, wherein the third message includes the identification information of the second terminal device, and the third message is used to request the authorization result of the second terminal device;
    receiving, by the second core network device, the third message sent by the access network device, and sending a response message to the third message to the access network device;
    wherein the determining, by the access network device, that the second terminal device is authorized to perform the relay service comprises:
    determining, by the access network device according to the response message to the third message, that the second terminal device is authorized to perform the relay service.
  9. The method according to any one of claims 6 to 8, wherein the method further comprises:
    sending, by the access network device, a response message to the first message to the second terminal device, wherein the response message to the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
  10. A communication apparatus, characterized in that the apparatus comprises:
    a transceiver unit, configured to receive a first message sent by a second terminal device, wherein the first message is used to indicate that a first terminal device requests to access a network through the second terminal device, and the first message includes identification information of the second terminal device;
    a processing unit, configured to determine an authorization result of the second terminal device according to the identification information of the second terminal device;
    the transceiver unit being further configured to send a second message to a first core network device, wherein the second message includes the authorization result of the second terminal device;
    the transceiver unit being further configured to receive a response message to the second message sent by the first core network device.
  11. The apparatus according to claim 10, wherein the access network device stores the authorization result of the second terminal device.
  12. The apparatus according to claim 11, wherein:
    the transceiver unit is further configured to send a third message to a second core network device, wherein the third message includes the identification information of the second terminal device, and the third message is used to request the authorization result of the second terminal device;
    the transceiver unit is further configured to receive a response message to the third message sent by the second core network device, wherein the response message to the third message includes an authorization result of whether the second terminal device is authorized to perform a relay service;
    the processing unit is further configured to save the authorization result of the second terminal device.
  13. The apparatus according to any one of claims 10 to 12, wherein the identification information of the second terminal device includes a relay identifier of the second terminal device.
  14. The apparatus according to any one of claims 10 to 13, wherein:
    the transceiver unit is further configured to send a response message to the first message to the second terminal device, wherein the response message to the first message includes the authorization result of the second terminal device, and the response message to the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
  15. A communication system, characterized in that the system comprises:
    a first core network device, configured to receive a second message sent by an access network device, wherein the second message includes an authorization result of a second terminal device;
    the first core network device being further configured to determine, according to the authorization result of the second terminal device, that the second terminal device is authorized to perform a relay service;
    the first core network device being further configured to send a response message to the second message to the access network device.
  16. The system according to claim 15, wherein the system further comprises:
    an access network device, configured to receive a first message sent by the second terminal device, wherein the first message is used to indicate that the first terminal device requests to access a network through the second terminal device, and the first message includes identification information of the second terminal device;
    the access network device being further configured to determine that the second terminal device is authorized to perform the relay service, and to send the second message to the first core network device.
  17. The system according to claim 16, wherein:
    the access network device is further configured to send a third message to a second core network device, wherein the third message includes the identification information of the second terminal device, and the third message is used to request the authorization result of the second terminal device;
    the system further comprises:
    a second core network device, configured to receive the third message sent by the access network device, and to send a response message to the third message to the access network device;
    the access network device is specifically configured to determine, according to the response message to the third message, that the second terminal device is authorized to perform the relay service.
  18. The system according to any one of claims 15 to 17, wherein:
    the access network device is further configured to send a response message to the first message to the second terminal device, wherein the response message to the first message is used to indicate that the first terminal device is allowed to access the network through the second terminal device.
PCT/CN2020/140406 2019-12-31 2020-12-28 Method and device for determining authorization result WO2021136211A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911425151.0 2019-12-31
CN201911425151.0A CN113132334B (en) 2019-12-31 2019-12-31 Authorization result determination method and device

Publications (1)

Publication Number Publication Date
WO2021136211A1 true WO2021136211A1 (en) 2021-07-08

Family

ID=76686492

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/140406 WO2021136211A1 (en) 2019-12-31 2020-12-28 Method and device for determining authorization result

Country Status (2)

Country Link
CN (1) CN113132334B (en)
WO (1) WO2021136211A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114339753A (en) * 2021-12-31 2022-04-12 中国电信股份有限公司 Communication data processing method, system, electronic device and readable storage medium
WO2023142569A1 (en) * 2022-01-30 2023-08-03 华为技术有限公司 Communication method and apparatus, and readable storage medium and chip system

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115996437A (en) * 2021-10-20 2023-04-21 华为技术有限公司 Method and device for relaying communication
CN116471640A (en) * 2022-01-11 2023-07-21 华为技术有限公司 Communication method, device and system
CN116489625A (en) * 2022-01-14 2023-07-25 华为技术有限公司 Communication method and device
WO2024065334A1 (en) * 2022-09-28 2024-04-04 北京小米移动软件有限公司 Method, apparatus and device for generating authorization token of user equipment (ue), and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015005900A1 (en) * 2013-07-08 2015-01-15 Nokia Siemens Networks Oy Establishment of packet data network connection via relay user equipment
CN106470382A (en) * 2015-08-14 2017-03-01 中兴通讯股份有限公司 Authority checking method, configuration information method of reseptance, device, base station and terminal
WO2018126452A1 (en) * 2017-01-06 2018-07-12 华为技术有限公司 Authorization verification method and device
WO2018145084A1 (en) * 2017-02-06 2018-08-09 Intel IP Corporation User equipment (ue), evolved node-b (enb) and methods to indicate parameters for a relay arrangement

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108174380A (en) * 2016-12-08 2018-06-15 华为技术有限公司 The method and its terminal device of access network device, the network equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on Architecture Enhancements to ProSe UE-to-Network Relay (Release 15)", 3GPP STANDARD ; TECHNICAL REPORT ; 3GPP TR 23.733, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. V2.0.0, 7 September 2017 (2017-09-07), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, pages 1 - 82, XP051336883 *

Also Published As

Publication number Publication date
CN113132334B (en) 2022-12-27
CN113132334A (en) 2021-07-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20911240

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20911240

Country of ref document: EP

Kind code of ref document: A1