WO2021219107A1 - Slice authentication and authorization management method, apparatus, and system - Google Patents


Info

Publication number
WO2021219107A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
slice
authorization
authentication
triggering
Application number
PCT/CN2021/091199
Other languages
French (fr)
Chinese (zh)
Inventor
吴义壮
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2021219107A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/08 Access security

Definitions

  • This application relates to the field of communication technology, and in particular to a method, device and system for slice authentication and authorization management.
  • The 5G era is an era of perception, intelligence and the interconnection of all things.
  • Different services place diverse requirements on the network. For example, smart homes and smart grids require a large number of connections and frequent transmission of small data packets; autonomous driving and industrial control require millisecond-level delays and close to 100% reliability; entertainment and information services require broadband connections. 5G networks therefore need to be flexible enough to support the diverse requirements that different services place on the network.
  • eMBB: enhanced mobile broadband
  • URLLC: ultra-high reliability and ultra-low latency communication
  • mMTC: massive Internet of Things communication
  • Network slicing technology usually refers to dividing an operator's physical network into multiple virtual networks. Each virtual network is divided according to different service requirements, such as delay, bandwidth, security and reliability, so as to serve different types of services flexibly. Network slicing can be referred to as slicing for short.
  • The network determines one or more network slices that the terminal is allowed to access, and can initiate slice authentication and authorization for those network slices as needed. After a network slice has been authenticated and authorized, the network can initiate slice re-authentication and re-authorization for it, or revoke its slice authorization, as needed.
  • The 5G network architecture supports dual registration, allowing a terminal to register to two different networks.
  • For example, the terminal may be registered to two networks belonging to different public land mobile networks (PLMNs), one through non-third generation partnership project (non-3GPP) access and the other through third generation partnership project (3GPP) access.
  • In that case each of the two networks serves the terminal through its own access and mobility management function (AMF), and the one or more network slices that each AMF determines the terminal is allowed to access may be the same slices or different slices.
  • The network can also perform slice authentication and authorization on the slices that the terminal is allowed to access as needed, and can subsequently re-authenticate and re-authorize those slices, or revoke their authorization, as needed.
  • The embodiments of the present application provide a slice authentication and authorization management method, device and system, which are used to reduce the communication abnormalities caused by performing slice re-authentication and re-authorization or slice authorization revocation.
  • An embodiment of the present application provides a slice authentication and authorization management method, including: an authentication and authorization network element obtains a trigger network element associated with a first slice serving a terminal device; and the authentication and authorization network element notifies the trigger network element to perform slice authentication and authorization processing of the first slice on the terminal device, where the slice authentication and authorization processing is slice re-authentication and re-authorization, or slice authorization revocation.
  • In this way the authentication and authorization network element can use the slice information to accurately obtain the trigger network element associated with the slice serving the terminal, which avoids the communication abnormality that arises when a terminal is associated with multiple trigger network elements and a trigger network element not associated with the slice is obtained by mistake.
  • The authentication and authorization network element obtaining the trigger network element associated with the first slice serving the terminal device includes: the authentication and authorization network element obtains, from an information storage network element, a first trigger network element associated with the terminal device and the first slice; and the authentication and authorization network element notifying the trigger network element to perform the slice authentication and authorization processing of the first slice on the terminal device includes: the authentication and authorization network element notifies the first trigger network element to perform the slice authentication and authorization processing of the first slice on the terminal device.
  • This embodiment uses an information storage network element to facilitate the sharing and exchange of slice-related information between different networks.
  • The authentication and authorization network element obtaining the trigger network element associated with the first slice serving the terminal device includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice and is used to obtain the first trigger network element; and the authentication and authorization network element receives a first response from the information storage network element, where the first response includes first identification information of the first trigger network element.
  • The authentication and authorization network element obtaining the trigger network element associated with the first slice serving the terminal device includes: the authentication and authorization network element obtains a plurality of first trigger network elements associated with the first slice serving the terminal device; and the authentication and authorization network element notifying the trigger network element to perform the slice authentication and authorization processing of the first slice on the terminal device includes: the authentication and authorization network element notifies the plurality of first trigger network elements to perform the slice authentication and authorization processing of the first slice on the terminal device.
  • The authentication and authorization network element obtaining a plurality of first trigger network elements associated with the first slice serving the terminal device includes: the authentication and authorization network element obtains, from an information storage network element, a plurality of first trigger network elements associated with the terminal device and the first slice.
  • The authentication and authorization network element obtaining the plurality of first trigger network elements associated with the terminal device and the first slice from the information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice and is used to obtain the first trigger network elements; and the authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of first trigger network elements.
  • The authentication and authorization network element obtaining a plurality of first trigger network elements associated with the first slice serving the terminal device includes: the authentication and authorization network element obtains, from an information storage network element, a plurality of second trigger network elements associated with the terminal device and the slices associated with the plurality of second trigger network elements; and the authentication and authorization network element determines the plurality of first trigger network elements from among the plurality of second trigger network elements according to the first slice and the slices associated with the plurality of second trigger network elements.
  • The authentication and authorization network element obtaining from the information storage network element the plurality of second trigger network elements associated with the terminal device and the slices associated with them includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and is used to obtain the second trigger network elements and the slices associated with them; and the authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of second trigger network elements and identification information of the slices associated with the plurality of second trigger network elements.
  • When the slice authentication and authorization processing is slice re-authentication and re-authorization, the authentication and authorization network element obtaining the trigger network element associated with the first slice serving the terminal device includes: the authentication and authorization network element obtains a plurality of first trigger network elements associated with the first slice serving the terminal device, and determines a second trigger network element from among the plurality of first trigger network elements; and the authentication and authorization network element notifying the trigger network element to perform the slice authentication and authorization processing of the first slice on the terminal device includes: the authentication and authorization network element notifies the second trigger network element to perform slice re-authentication and re-authorization of the first slice on the terminal device.
  • In this way one network element can be selected for the terminal to perform slice re-authentication and re-authorization, which avoids repeated re-authentication and re-authorization and saves signaling.
  • The authentication and authorization network element obtaining a plurality of first trigger network elements associated with the first slice serving the terminal device includes: the authentication and authorization network element obtains, from an information storage network element, a plurality of first trigger network elements associated with the terminal device and the first slice.
  • The authentication and authorization network element obtaining the plurality of first trigger network elements associated with the terminal device and the first slice from the information storage network element includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice and is used to obtain the first trigger network elements; and the authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of first trigger network elements.
  • The authentication and authorization network element obtaining a plurality of first trigger network elements associated with the first slice serving the terminal device includes: the authentication and authorization network element obtains, from an information storage network element, a plurality of second trigger network elements associated with the terminal device and the slices associated with the plurality of second trigger network elements; and the authentication and authorization network element determines the plurality of first trigger network elements from among the plurality of second trigger network elements according to the first slice and the slices associated with the plurality of second trigger network elements.
  • The authentication and authorization network element obtaining from the information storage network element the plurality of second trigger network elements associated with the terminal device and the slices associated with them includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and is used to obtain the second trigger network elements and the slices associated with them; and the authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of second trigger network elements and identification information of the slices associated with the plurality of second trigger network elements.
  • The authentication and authorization network element determining the second trigger network element from among the plurality of first trigger network elements includes: the authentication and authorization network element determines the second trigger network element from among the plurality of first trigger network elements according to the connection state between the terminal device and each of the plurality of first trigger network elements, where the connection state is a connected state or an idle state.
  • The authentication and authorization network element determining the second trigger network element from among the plurality of first trigger network elements according to the connection state between the terminal device and the plurality of first trigger network elements includes: the authentication and authorization network element determines, from among the plurality of first trigger network elements, a second trigger network element whose connection state with the terminal device is the connected state.
  • The authentication and authorization network element determining the second trigger network element from among the plurality of first trigger network elements according to the connection state between the terminal device and the plurality of first trigger network elements includes: when the connection state between the terminal device and each of the plurality of first trigger network elements is the idle state, the authentication and authorization network element determines the second trigger network element from among the plurality of first trigger network elements according to the access type corresponding to each of the plurality of first trigger network elements, where the access type is 3GPP access or non-3GPP access.
  • The authentication and authorization network element determining the second trigger network element from among the plurality of first trigger network elements according to the access type corresponding to the plurality of first trigger network elements includes: the authentication and authorization network element determines, from among the plurality of first trigger network elements, a second trigger network element whose corresponding access type is 3GPP access.
  • The authentication and authorization network element determining the second trigger network element from among the plurality of first trigger network elements includes: the authentication and authorization network element determines the second trigger network element from among the plurality of first trigger network elements according to the access type corresponding to each of the plurality of first trigger network elements, where the access type is 3GPP access or non-3GPP access.
  • The authentication and authorization network element determining the second trigger network element from among the plurality of first trigger network elements according to the access type corresponding to the plurality of first trigger network elements includes: the authentication and authorization network element determines, from among the plurality of first trigger network elements, a second trigger network element whose corresponding access type is 3GPP access.
  • The method further includes: the authentication and authorization network element obtains the connection states of the plurality of first trigger network elements from the information storage network element; or, the authentication and authorization network element obtains the connection states of the plurality of first trigger network elements from the plurality of first trigger network elements themselves.
  • The method further includes: the authentication and authorization network element obtains the access types corresponding to the plurality of first trigger network elements from the information storage network element; or, the authentication and authorization network element obtains the access types corresponding to the plurality of first trigger network elements from the plurality of first trigger network elements themselves.
  • The first request further includes a first indication used to indicate that the network element type is AMF, or a second indication used to indicate the slice authentication and authorization processing.
  • The method further includes: the authentication and authorization network element receives a second request, where the second request includes second identification information of the terminal device and second identification information of the first slice, and is used to request that the slice authentication and authorization processing for the first slice be initiated for the terminal device.
  • The authentication and authorization network element is a network slice-specific authentication and authorization function (NSSAAF).
  • The trigger network element is an AMF.
  • The information storage network element is a unified data management (UDM) function.
  • An embodiment of the present application provides a slice authentication and authorization management method, including: an information storage network element obtains slice authentication and authorization information, where the slice authentication and authorization information is used to indicate a terminal device, a trigger network element associated with the terminal device, and a slice associated with the terminal device and the trigger network element; the trigger network element is a trigger network element serving the terminal device, and the slice is a slice for which the terminal device has been successfully authenticated and authorized on the trigger network element; the information storage network element receives a first request from an authentication and authorization network element, where the first request is used to request a first trigger network element associated with the terminal device and a first slice; the information storage network element determines the first trigger network element according to the slice authentication and authorization information and the first request; and the information storage network element sends a first response to the authentication and authorization network element, where the first response includes identification information of the first trigger network element.
  • The information storage network element is a UDM, a home subscriber server (HSS) or a home location register (HLR).
  • In this way the information storage network element can obtain the terminal, the trigger network element serving the terminal, and the slice associated with the terminal and the trigger network element, and can provide the correct trigger network element to the authentication and authorization network element according to its request, so that the authentication and authorization network element can notify the correct trigger network element to perform the slice authentication and authorization processing.
  • The information storage network element determining the first trigger network element according to the slice authentication and authorization information and the first request includes: the information storage network element determines, according to the slice authentication and authorization information and the first request, a plurality of second trigger network elements associated with the terminal device and the first slice; and the information storage network element sending the first response including the identification information of the first trigger network element to the authentication and authorization network element includes: the information storage network element sends the first response to the authentication and authorization network element, where the first response includes identification information of the plurality of second trigger network elements.
  • The first request further includes a first indication used to indicate slice authorization revocation; and the information storage network element determining, according to the slice authentication and authorization information and the first request, the plurality of second trigger network elements associated with the terminal device and the first slice includes: the information storage network element determines the plurality of second trigger network elements according to the slice authentication and authorization information, the first request and the first indication.
  • The information storage network element determining the first trigger network element according to the slice authentication and authorization information and the first request includes: the information storage network element determines, according to the slice authentication and authorization information and the first request, a third trigger network element from among a plurality of second trigger network elements associated with the terminal device and the first slice; and the information storage network element sending the first response including the identification information of the first trigger network element to the authentication and authorization network element includes: the information storage network element sends the first response to the authentication and authorization network element, where the first response includes identification information of the third trigger network element.
  • The information storage network element determining, according to the slice authentication and authorization information and the first request, the third trigger network element from among the plurality of second trigger network elements associated with the terminal device and the first slice includes: the information storage network element determines the plurality of second trigger network elements according to the slice authentication and authorization information and the first request; and the information storage network element determines the third trigger network element from among the plurality of second trigger network elements according to the connection state between the terminal device and each of the plurality of second trigger network elements, where the connection state is a connected state or an idle state.
  • The information storage network element determining the third trigger network element from among the plurality of second trigger network elements according to the connection state between the terminal device and the plurality of second trigger network elements includes: the information storage network element determines, from among the plurality of second trigger network elements, a third trigger network element whose connection state with the terminal device is the connected state.
  • The information storage network element determining the third trigger network element from among the plurality of second trigger network elements according to the connection state between the terminal device and the plurality of second trigger network elements includes: when the connection state between the terminal device and each of the plurality of second trigger network elements is the idle state, the information storage network element determines the third trigger network element from among the plurality of second trigger network elements according to the access type corresponding to each of the plurality of second trigger network elements, where the access type is 3GPP access or non-3GPP access.
  • The information storage network element determining the third trigger network element from among the plurality of second trigger network elements according to the access type corresponding to the plurality of second trigger network elements includes: the information storage network element determines, from among the plurality of second trigger network elements, a third trigger network element whose corresponding access type is 3GPP access.
  • The information storage network element determining, according to the slice authentication and authorization information and the first request, the third trigger network element from among the plurality of second trigger network elements associated with the terminal device and the first slice includes: the information storage network element determines the plurality of second trigger network elements according to the slice authentication and authorization information and the first request; and the information storage network element determines the third trigger network element from among the plurality of second trigger network elements according to the access type corresponding to each of the plurality of second trigger network elements, where the access type is 3GPP access or non-3GPP access.
  • The information storage network element determining the third trigger network element from among the plurality of second trigger network elements according to the access type corresponding to the plurality of second trigger network elements includes: the information storage network element determines, from among the plurality of second trigger network elements, a third trigger network element whose corresponding access type is 3GPP access.
  • The first request further includes a second indication used to indicate that the network element type is AMF.
  • An embodiment of the present application provides a slice authentication and authorization management method, including: a trigger network element sends slice authentication and authorization information to an information storage network element, where the slice authentication and authorization information is used to indicate a terminal device, a trigger network element associated with the terminal device, and a slice associated with the terminal device and the trigger network element; the trigger network element is a trigger network element serving the terminal device, and the slice is a slice for which the terminal device has been successfully authenticated and authorized on the trigger network element; the trigger network element receives a notification from an authentication and authorization network element, where the notification is used to notify the trigger network element to perform slice authentication and authorization processing of the slice for the terminal device; and the slice authentication and authorization processing is slice re-authentication and re-authorization, or slice authorization revocation.
  • The method further includes: the trigger network element initiates the slice authentication and authorization processing of the slice for the terminal device.
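  • As an added example, not the applicant's or 3GPP's code, the lookup and selection rules of the first, second and third aspects modelled in Python: the UDM stores what each AMF reports, the NSSAAF resolves the AMF(s) for a terminal and slice by sending the first request, and either side applies the connected-state then 3GPP-access preference for re-authentication. The dual-registration scenario of Figure 1 is constructed input; `supi`, `snssai`, `ue-A`, `AMF-1` and `slice-1` are placeholder names assumed here.

```python
"""Constructed model of the trigger network element lookup that this
application describes: the NSSAAF asks the UDM which AMFs have the slice
authorized for the terminal, then notifies all of them for revocation or one
selected AMF for re-authentication.  Example code written for this page, not
the applicant's or 3GPP's; "ue-A", "AMF-1" and "slice-1" are placeholders."""
from dataclasses import dataclass, replace
from enum import Enum


class ConnState(Enum):
    CONNECTED = "connected"
    IDLE = "idle"


class AccessType(Enum):
    GPP3 = "3GPP access"
    NON_3GPP = "non-3GPP access"


class SliceAuthProc(Enum):
    REAUTH = "slice re-authentication and re-authorization"
    REVOKE = "slice authorization revocation"


@dataclass(frozen=True)
class AmfRecord:
    """Slice authentication and authorization info for one AMF serving a
    terminal: the AMF, its access type and connection state, and its slices."""
    amf_id: str
    access_type: AccessType
    conn_state: ConnState
    slices: frozenset


def select_trigger_amf(candidates):
    """Pick the single AMF that should run re-authentication: one whose
    connection with the terminal is in connected state; if all are idle, one
    reached over 3GPP access.  Assumption (the application leaves it open):
    remaining ties fall to the earliest registered AMF."""
    for wanted in (lambda r: r.conn_state is ConnState.CONNECTED,
                   lambda r: r.access_type is AccessType.GPP3):
        hits = [r for r in candidates if wanted(r)]
        if hits:
            return hits[0]
    return candidates[0]


class Udm:
    """Information storage network element."""

    def __init__(self):
        self._store = {}  # supi -> {amf_id: AmfRecord}, insertion ordered

    def register(self, supi, amf_id, access_type, slices):
        """Third aspect: a trigger NE reports the terminal, itself and the
        slices authorized on it; a fresh registration is in connected state."""
        rec = AmfRecord(amf_id, access_type, ConnState.CONNECTED, frozenset(slices))
        self._store.setdefault(supi, {})[amf_id] = rec

    def set_conn_state(self, supi, amf_id, state):
        self._store[supi][amf_id] = replace(self._store[supi][amf_id], conn_state=state)

    def find_trigger_amfs(self, supi, snssai, proc=None):
        """First request / first response.  Without an indication every AMF
        associated with the terminal and the slice is returned; with the
        re-authentication indication the UDM itself narrows the list to one."""
        matches = [r for r in self._store.get(supi, {}).values() if snssai in r.slices]
        if proc is SliceAuthProc.REAUTH and matches:
            return [select_trigger_amf(matches)]
        return matches


class Nssaaf:
    """Authentication and authorization network element."""

    def __init__(self, udm, udm_selects=False):
        self.udm = udm
        self.udm_selects = udm_selects  # which side applies the selection rule

    def handle_aaa_request(self, supi, snssai, proc):
        """Second request (from the AAA server): resolve the AMF(s) through the
        UDM and return the ids of the AMFs that would be notified.  Keying the
        lookup on terminal AND slice is what keeps a re-authentication of one
        slice away from an AMF that serves the terminal only on other slices."""
        targets = self.udm.find_trigger_amfs(supi, snssai, proc if self.udm_selects else None)
        if not targets:
            raise LookupError(f"no AMF has {snssai} authorized for {supi}")
        if proc is SliceAuthProc.REAUTH and not self.udm_selects:
            targets = [select_trigger_amf(targets)]
        return [t.amf_id for t in targets]


def dual_registration_scenario(udm_selects=False):
    """Figure-1 style setup: terminal A on AMF-1 (PLMN-1, 3GPP access, slices
    1 and 2) and on AMF-2 (PLMN-2, non-3GPP access, slice 2 only)."""
    udm = Udm()
    udm.register("ue-A", "AMF-1", AccessType.GPP3, {"slice-1", "slice-2"})
    udm.register("ue-A", "AMF-2", AccessType.NON_3GPP, {"slice-2"})
    return udm, Nssaaf(udm, udm_selects)
```

Re-authentication of slice 1 resolves only to AMF-1 even though AMF-2 also serves the terminal, and revocation of slice 2 reaches both AMFs while re-authentication of slice 2 reaches the single AMF chosen by connection state and then access type.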
  • an embodiment of the present application provides an authentication and authorization network element, including a processor and a memory; the processor is configured to read and execute instructions from the memory to implement the method of the first aspect.
  • an embodiment of the present application provides an information storage network element, including a processor and a memory; the processor is configured to read and execute instructions from the memory to implement the method of the second aspect.
  • an embodiment of the present application provides a trigger network element, including a processor and a memory; the processor is configured to read and execute instructions from the memory to implement the method of the third aspect.
  • an embodiment of the present application provides a network element including a functional unit for implementing the method as in the first aspect.
  • an embodiment of the present application provides a network element including a functional unit for implementing the method of the second aspect.
  • an embodiment of the present application provides a network element including a functional unit for implementing the method of the third aspect.
  • an embodiment of the present application provides a communication system that includes at least two of the following network elements: the authentication and authorization network element of the fourth aspect; the information storage network element of the fifth aspect; the trigger network of the sixth aspect Yuan.
  • an embodiment of the present application provides a computer program product, including instructions, which when executed on a computer, cause the computer to implement the method of the first aspect.
  • embodiments of the present application provide a computer program product, including instructions, which when executed on a computer, cause the computer to implement the method of the second aspect.
  • an embodiment of the present application provides a computer program product, which is characterized by including instructions, which when executed on a computer, cause the computer to implement the method as in the third aspect.
  • an embodiment of the present application provides a computer-readable storage medium, including the computer program product of the eleventh aspect.
  • an embodiment of the present application provides a computer-readable storage medium, including a computer program product as in the twelfth aspect.
  • an embodiment of the present application provides a computer-readable storage medium, which is characterized by including the computer program product of the thirteenth aspect.
  • the triggering network element associated with the slice and serving the terminal can be accurately obtained, thereby ensuring that the slice re-authentication and re-authorization process and the slice authorization revocation process are executed correctly, which avoids communication errors.
  • Figure 1 is a schematic diagram of a 5G network dual registration scenario;
  • Figure 2 is a schematic diagram of a method for terminal A to authenticate and authorize slices in PLMN-1;
  • Figure 3 is a schematic diagram of a method for terminal A to authenticate and authorize slices in PLMN-2;
  • Figure 4 is a schematic diagram of a method for AAA-s to initiate re-authentication and re-authorization of slice 1;
  • Figure 5 is a schematic diagram of a method for AAA-s to initiate re-authentication and re-authorization of slice 2;
  • Figure 6 is a schematic diagram of another method for AAA-s to initiate re-authentication and re-authorization of slice 2;
  • Figure 7 is a schematic diagram of a method for AAA-s to initiate the authorization revocation of slice 1;
  • Figure 8 is a schematic diagram of a method for AAA-s to initiate the authorization revocation of slice 2;
  • Figure 9 is a schematic diagram of another method for AAA-s to initiate the authorization revocation of slice 2;
  • Figure 10 is a schematic diagram of a method for slice authentication and authorization management;
  • Figure 11 is a schematic diagram of a structure of a network element;
  • Figure 12 is a schematic diagram of another structure of a network element.
  • the embodiment of the present application mainly uses a dual registration scenario of a 5G network as an example for description.
  • the 5G network is a new generation of mobile communication network defined by the 3GPP organization after the 4G network.
  • the 5G network architecture includes the access network and the core network.
  • the access network is used to implement functions related to wireless access.
  • the access network is mainly divided into 3GPP access network and non-3GPP access network.
  • the 3GPP access network refers to an access network using 3GPP access technology, such as an access network using NR (new radio) or LTE (long term evolution) access technology.
  • a non-3GPP access network refers to an access network using non-3GPP access technology, for example, an access network using WiMax or WLAN (wireless local area network) access technology.
  • the core network is used to implement authentication, access, mobility management, session management, policy management and other related functions.
  • the core network of the 5G network can be referred to as 5GC for short.
  • 5GC adopts an architecture that separates the control plane from the user plane, as well as a service-oriented architecture.
  • the solution of this application is not only applicable to 5G networks, but also applicable to evolved 4G networks or future 6G networks.
  • the network to which the solution of the application is applicable may adopt an architecture in which the control plane and the user plane are separated, or may adopt an architecture in which the control plane and the user plane are integrated.
  • the network to which the solution of this application is applicable may adopt a service-oriented architecture or a non-service-oriented architecture.
  • the logical network elements included in 5GC mainly include: AMF (access and mobility management function), SMF (session management function), UPF (user plane function), UDM (unified data management), and AUSF (authentication server function).
  • AMF: access and mobility management function
  • SMF: session management function
  • UPF: user plane function
  • UDM: unified data management
  • AUSF: authentication server function
  • Different logical network elements of 5GC can be deployed on the same or different physical devices. As a typical deployment, AMF and SMF can be deployed on the same physical device. In addition, the logical network elements of the 5GC can be deployed on the same physical device as the network elements of the 4G core network.
  • AMF is a network element used for terminal access and mobility management, mainly related to terminal location update, network registration, handover control and other functions.
  • SMF is a network element used to manage the session of the terminal, which mainly involves functions such as session establishment, modification, and release.
  • UPF is a network element used to receive and forward user data. UPF is under the control of SMF.
  • the UDM network element is a network element used to manage user information, which mainly involves functions such as generating an authentication credential, storing and managing user permanent identities, access authorization control, and user subscription data management.
  • AUSF is a network element used to authenticate the terminal access to the network.
  • NSSAAF Network Slice-Specific Authentication and Authorization Function
  • a terminal is a device with a wireless communication function, which can be called a terminal device.
  • a terminal device can be a handheld device with a wireless communication function, a vehicle-mounted device, a wearable device, a computing device, or a water meter, an electric meter, a sensor, a chip, a chip system, a baseband chip, a baseband board, etc. connected to a wireless modem.
  • the terminal may have different names.
  • the terminal may be called a user equipment (UE), a mobile station (MS), a wireless local loop (WLL) station, and so on.
  • DN is a service network that provides business services to users, such as an IMS (IP multimedia service) network, the Internet, and so on.
  • the 5G network supports terminals to access the network side through different access technologies.
  • the terminal can be registered to the network side through 3GPP access and non-3GPP access respectively.
  • for the concept and description of 5G network dual registration, refer to 3GPP TS 23.501 v16.4.0, Section 5.3.2.4 (Support of a UE registered over both 3GPP and Non-3GPP access).
  • FIG 1 is a schematic diagram of a 5G network dual registration scenario.
  • the terminal accesses different networks through 3GPP access and non-3GPP access, respectively.
  • different networks mean that certain attributes are different among multiple networks.
  • different networks may be networks belonging to different PLMNs (public land mobile networks).
  • different networks may be networks using different technologies, such as 5G networks and 4G networks.
  • 3GPP access and non-3GPP access belong to different PLMNs.
  • 3GPP access belongs to PLMN-1
  • non-3GPP access belongs to PLMN-2. Since the 3GPP access and non-3GPP access selected by the terminal belong to different PLMNs, different AMFs will provide services for the terminal.
  • N3IWF: non-3GPP interworking function
  • the non-3GPP access network can also be a trusted non-3GPP access network.
  • the terminal can interact with the AMF through TNGF (Trusted Non-3GPP Gateway Function).
  • non-3GPP access network can also be a wired 5G access network.
  • terminals can interact with AMF through W-AGF (Wireline Access Gateway Function).
  • W-AGF: wireline access gateway function
  • the 5G network supports the terminal to determine the slices that the terminal is allowed to access when registering to the network.
  • when terminal A registers to PLMN-1 through 3GPP access, AMF1 can select slice 1 and slice 2 for terminal A to register according to the user subscription data and/or terminal A's request, and initiate the slice authentication and authorization process for slice 1 and slice 2; when terminal A registers to PLMN-2 through non-3GPP access, AMF2 can select slice 1 and slice 3 for terminal A to register according to the user subscription data and/or terminal A's request, and initiate the slice authentication and authorization process for slice 1 and slice 3.
  • the slice authentication and authorization of AMF2 for slice 1 may be determined based on the result of slice authentication and authorization of AMF1 for slice 1.
  • AAA-s: authentication, authorization and accounting server
  • AAA-s is an authentication server that provides services such as authentication, authorization, and accounting.
  • AAA-s belong to the operator, and can also belong to a third party.
  • AAA-p (optional): authentication, authorization and accounting proxy
  • AAA-p is an authentication, authorization and accounting proxy network element, and belongs to the operator.
  • AAA-p can be used to transfer information between AUSF (or NSSAAF) and AAA-s.
  • the authentication process, the authorization process, and the combined authentication and authorization process are collectively referred to as the authentication and authorization process; that is, the authentication and authorization process can refer to the authentication process, or the authorization process, or the process of both authentication and authorization.
  • Authentication is sometimes referred to as authentication.
  • the slice authentication and authorization process refers to the authentication and authorization process for slices.
  • AAA-s can initiate a re-authentication and re-authorization process for slices, or a process for revoking the authorization of slices.
  • the re-authentication and re-authorization process can refer to the re-authentication process, or the re-authorization process, or the re-authentication and re-authorization process.
  • the slice re-authentication and re-authorization process refers to the re-authentication and re-authorization process for slices.
  • the process of revoking the authorization of a slice may be referred to as the slice authorization revocation process.
  • for the slice authentication and authorization process, refer to the related content of 3GPP TS 23.502 v16.4.0 Section 4.2.9.2 (Network Slice-Specific Authentication and Authorization); for the slice re-authentication and re-authorization process, refer to the related content of 3GPP TS 23.502 v16.4.0 Section 4.2.9.3 (AAA Server triggered Network Slice-Specific Re-authentication and Re-authorization procedure); for the slice authorization revocation process, refer to the related content of 3GPP TS 23.502 v16.4.0 Section 4.2.9.4 (AAA Server triggered Slice-Specific Authorization Revocation). It should be noted that the content of the 3GPP standard cited in this application may change; such a change does not mean a departure from the scope of application of the solution of this application.
  • the scheme of this application is not only applicable to the authentication and authorization process, the re-authentication and re-authorization process, and the authorization revocation process related to slices, but is also applicable to the authentication and authorization process, the re-authentication and re-authorization process, and the authorization revocation process of other network functions.
  • when AAA-s initiates a slice re-authentication and re-authorization process, or a slice authorization revocation process, for one or more of slice 1, slice 2 or slice 3, communication abnormalities may occur (in the dual registration scenario different AMFs serve the terminal, and the process must be directed to the AMF on which the slice was authenticated and authorized).
  • the embodiment of the present application provides a method for authenticating and authorizing a slice, which is used to reduce the above-mentioned communication abnormality.
  • NSSAAF is taken as an example for description. It can be understood that NSSAAF in the following embodiments can be replaced with AUSF. The method will be described below in conjunction with the scenario in FIG. 1.
  • Figure 2 shows a method for terminal A to authenticate and authorize slices in PLMN-1. As shown in Figure 2:
  • S201 Complete the authentication and authorization of slice 1 and slice 2 for terminal A through AMF1.
  • AMF1 can trigger the slice authentication and authorization process to perform slice 1 and slice 2 authentication and authorization for terminal A.
  • for the slice authentication and authorization process, refer to the content in Section 4.2.9.2 of 3GPP TS 23.502 v16.4.0.
  • AMF1 can trigger the slice authentication and authorization process for slice 1 and the slice authentication and authorization process for slice 2 respectively for terminal A, that is, initiate the slice authentication and authorization process for each slice.
  • AMF1 may initiate a slice authentication and authorization process to authenticate and authorize slice 1 and slice 2.
  • the S201 part can be performed when terminal A registers with PLMN-1 through AMF1.
  • S202 AMF1 sends slice authentication and authorization information to UDM, where the slice authentication and authorization information is used to indicate the slices for which terminal A has been successfully authenticated and authorized on AMF1.
  • AMF1 sends a piece of slice authentication and authorization information to UDM, and the slice authentication and authorization information is used to indicate multiple slices.
  • AMF1 sends multiple pieces of slice authentication and authorization information to UDM, and each piece of slice authentication and authorization information is used to indicate one slice.
  • the AMF1 may send the slice authentication and authorization information corresponding to each slice after the authentication and authorization of each slice is successful.
  • the AMF1 may also send corresponding pieces of slice authentication and authorization information after multiple slices are successfully authenticated and authorized.
  • AMF1 sends the identification information of terminal A, the identification information of slice 1, the identification information of slice 2, and the identification information of AMF1 to UDM.
  • the identification information of terminal A is used to identify terminal A
  • the identification information of slice 1 is used to identify slice 1
  • the identification information of slice 2 is used to identify slice 2
  • the identification information of AMF1 is used to identify AMF1.
  • the identification information of terminal A, the identification information of slice 1, the identification information of slice 2, and the identification information of AMF1 can indicate that the slices that are successfully authenticated and authorized by terminal A on AMF1 are slice 1 and slice 2.
  • the identification information of the terminal A, the identification information of the slice 1, the identification information of the slice 2, and the identification information of the AMF1 can be regarded as a kind of slice authentication and authorization information.
  • AMF1 sends first slice authentication and authorization information to UDM.
  • the first slice authentication and authorization information includes terminal A identification information, slice 1 identification information, and AMF1 identification information.
  • AMF1 sends second slice authentication and authorization information to UDM, where the second slice authentication and authorization information includes the identification information of terminal A, the identification information of slice 2, and the identification information of AMF1.
  • AMF1 can send slice authentication and authorization information to UDM through a Nudm_UESliceAUthentication message.
  • AMF1 sends a Nudm_UESliceAUthentication message to UDM, which carries slice authentication and authorization information.
  • S203 UDM stores the slice authentication and authorization information.
  • the association relationship between terminal A, AMF1 and slice 1, and the association relationship between terminal A, AMF1 and slice 2, are stored on the UDM. It can be understood that storing the association relationship between A and B means that A is stored, B is stored, and the association relationship between A and B is established.
  • S204 UDM sends a response to slice authentication and authorization information to AMF1. This response is used to inform AMF1 whether it successfully receives the above-mentioned slice authentication and authorization information. For receiving multiple pieces of slice authentication and authorization information, UDM may send the above response to AMF1 for each piece of slice authentication and authorization information. S204 is an optional step.
  • the response may be Nudm_UESliceAUthenticationResponse.
  • S202 can be replaced with S205.
  • S205 the NSSAAF sends slice authentication and authorization information to the UDM, where the slice authentication and authorization information is used to indicate the slices for which the terminal has been successfully authenticated and authorized on AMF1.
  • the NSSAAF can send the slice authentication and authorization information corresponding to each slice after the authentication and authorization of each slice is successful.
  • the NSSAAF may also send corresponding multiple pieces of slice authentication and authorization information after multiple slices are successfully authenticated and authorized.
  • NSSAAF will participate in the authentication and authorization of slice 1 and slice 2, and NSSAAF can learn the slices that the terminal has successfully authenticated and authorized on AMF1.
  • NSSAAF sends the identification information of terminal A, the identification information of slice 1, the identification information of slice 2, and the identification information of AMF1 to UDM.
  • for the related content of these pieces of identification information, refer to S202.
  • NSSAAF can send a single piece of slice authentication and authorization information to UDM that indicates multiple slices; or NSSAAF can send multiple pieces of slice authentication and authorization information to UDM, each of which indicates one slice.
  • the NSSAAF participating in the authentication and authorization of slice 1 may be different from the NSSAAF participating in the authentication and authorization of slice 2.
  • NSSAAF1 participates in the authentication and authorization of slice 1
  • NSSAAF2 participates in the authentication and authorization of slice 2.
  • NSSAAF1 sends first slice authentication and authorization information to UDM.
  • the first slice authentication and authorization information includes the identification information of terminal A, the identification information of slice 1, and the identification information of AMF1.
  • NSSAAF2 sends second slice authentication and authorization information to UDM, where the second slice authentication and authorization information includes the identification information of terminal A, the identification information of slice 2, and the identification information of AMF1.
  • the UDM stores the slice information that the terminal A has successfully authenticated and authorized on the AMF1.
  • when subsequent re-authentication and re-authorization or authorization revocation of slice 1 or slice 2 is performed, it can be learned through UDM that the AMF serving terminal A and associated with slice 1 or slice 2 is AMF1.
  • in the process of performing slice 1 and slice 2 authentication and authorization for terminal A through AMF1, AMF1 can send slice authentication and authorization process information to AAA-s; the slice authentication and authorization process information includes the identification information of the terminal, the identification information of the slice, and the identification information of the PLMN to which the AMF belongs; for example, the slice authentication and authorization process information includes: the identification information of terminal A, the identification information of slice 1, and the identification information of PLMN-1.
  • AMF can send slice authentication and authorization process information once for each slice, or AMF can send slice authentication and authorization process information once, including identification information of multiple slices.
  • the slice authentication and authorization process information includes: identification information of terminal A, identification information of slice 1, identification information of slice 2, and identification information of PLMN-1.
  • AAA-s can store the slice authentication and authorization process information after the slice authentication and authorization are successful.
  • AMF can send slice authentication and authorization process information to AAA-s through NSSAAF.
  • the AMF may send the identification information of the AMF and the identification information of the PLMN to which the AMF belongs to the UDM, so as to query the AMF corresponding to the PLMN through the identification information of the PLMN.
  • AMF1 sends the identification information of AMF1 and the identification information of PLMN-1 to UDM.
  • the AMF may also send the identification information of the slice to the UDM, for example, the AMF1 sends the identification information of the slice 1 to the UDM.
  • Figure 3 shows a method for terminal A to authenticate and authorize slices in PLMN-2. As shown in Figure 3:
  • S301 Complete the authentication and authorization of slice 2 and slice 3 for terminal A through AMF2.
  • AMF2 can trigger the slice authentication and authorization process to perform slice 2 and slice 3 authentication and authorization for terminal A.
  • for the slice authentication and authorization process, refer to the content in Section 4.2.9.2 of 3GPP TS 23.502 v16.4.0.
  • the AMF2 can trigger the slice authentication and authorization procedures for the slice 2 and the slice authentication and authorization procedures for the slice 3 respectively for the terminal A, that is, initiate the slice authentication and authorization procedures for each slice.
  • AMF1 may initiate a slice authentication and authorization process to authenticate and authorize slice 2 and slice 3.
  • the AMF2 obtains the result of the slice authentication and authorization performed by the terminal A on the AMF1 to determine whether to initiate the slice 2 and slice 3 authentication and authorization processes. If slice 2 on AMF1 has been authenticated and authorized successfully, AMF2 may not initiate the authentication and authorization process of slice 2, and determine that terminal A is authorized to access slice 2.
  • AMF1 may send the slice authentication result to NSSAAF, and NSSAAF sends the result of successful authentication to UDM.
  • the S301 part can be performed when terminal A registers with PLMN-2 through AMF2.
  • S302 AMF2 sends slice authentication and authorization information to UDM, where the slice authentication and authorization information is used to indicate the slices for which terminal A has been successfully authenticated and authorized on AMF2.
  • AMF2 sends a piece of slice authentication and authorization information to UDM, and the slice authentication and authorization information is used to indicate multiple slices.
  • AMF2 sends multiple pieces of slice authentication and authorization information to UDM, and each piece of slice authentication and authorization information is used to indicate a slice.
  • AMF2 sends the identification information of terminal A, the identification information of slice 2, the identification information of slice 3, and the identification information of AMF2 to UDM.
  • the identification information of terminal A is used to identify terminal A
  • the identification information of slice 1 is used to identify slice 1
  • the identification information of slice 2 is used to identify slice 2
  • the identification information of AMF2 is used to identify AMF2.
  • the identification information of the terminal A, the identification information of the slice 2, the identification information of the slice 3, and the identification information of the AMF2 can indicate that the slices that are successfully authenticated and authorized by the terminal A on the AMF2 are the slice 2 and the slice 3.
  • the identification information of the terminal A, the identification information of the slice 2, the identification information of the slice 3, and the identification information of the AMF2 can be regarded as a kind of slice authentication and authorization information.
  • AMF2 sends first slice authentication and authorization information to UDM.
  • the first slice authentication and authorization information includes terminal A identification information, slice 2 identification information, and AMF2 identification information.
  • AMF2 sends second slice authentication and authorization information to UDM, where the second slice authentication and authorization information includes the identification information of terminal A, the identification information of slice 3, and the identification information of AMF2.
  • AMF2 can send slice authentication and authorization information to UDM through a Nudm_UESliceAUthentication message.
  • AMF2 sends a Nudm_UESliceAUthentication message to UDM, which carries slice authentication and authorization information.
  • S303 UDM stores the slice authentication and authorization information.
  • the association relationship between terminal A, AMF2 and slice 2, and the association relationship between terminal A, AMF2 and slice 3, are stored on the UDM. It can be understood that storing the association relationship between A and B means that A is stored, B is stored, and the association relationship between A and B is established.
  • S304 UDM sends a response to slice authentication and authorization information to AMF2. This response is used to inform AMF2 whether the slice authentication and authorization information is successfully received. For receiving multiple pieces of slice authentication and authorization information, UDM may send the above response to AMF1 for each piece of slice authentication and authorization information. S304 is an optional step.
  • the response may be Nudm_UESliceAUthenticationResponse.
  • S302 can be replaced with S305.
  • S305 NSSAAF sends slice authentication and authorization information to UDM, where the slice authentication and authorization information is used to indicate the slices for which the terminal has been successfully authenticated and authorized on AMF2.
  • NSSAAF will participate in slice 2 and slice 3 authentication and authorization, and NSSAAF can learn the slices that the terminal has successfully authenticated and authorized on AMF2.
  • NSSAAF sends the identification information of terminal A, the identification information of slice 2, the identification information of slice 3, and the identification information of AMF2 to UDM.
  • for the related content of the identification information, refer to S302.
  • NSSAAF can send a single piece of slice authentication and authorization information to UDM that indicates multiple slices; or NSSAAF can send multiple pieces of slice authentication and authorization information to UDM, each of which indicates one slice.
  • the NSSAAF participating in the authentication and authorization of slice 2 may be different from the NSSAAF participating in the authentication and authorization of slice 3.
  • NSSAAF2 participates in the authentication and authorization of slice 2
  • NSSAAF3 participates in the authentication and authorization of slice 3.
  • NSSAAF2 sends first slice authentication and authorization information to UDM.
  • the first slice authentication and authorization information includes the identification information of terminal A, the identification information of slice 2, and the identification information of AMF2.
  • NSSAAF3 sends second slice authentication and authorization information to UDM, where the second slice authentication and authorization information includes the identification information of terminal A, the identification information of slice 3, and the identification information of AMF2.
  • the UDM stores information about the slices that the terminal A has successfully authenticated and authorized on the AMF2.
  • when subsequent re-authentication and re-authorization or authorization revocation of slice 2 or slice 3 is performed, it can be learned through UDM that the AMF serving terminal A and associated with slice 2 or slice 3 is AMF2.
  • the slice authentication and authorization process information that AMF2 can send to AAA-s includes the identification information of the terminal, the identification information of the slice, and the identification information of the PLMN to which the AMF belongs; for example, the slice authentication and authorization process information includes: the identification information of terminal A, the identification information of slice 2, and the identification information of PLMN-2.
  • AMF can send slice authentication and authorization process information once for each slice, or AMF can send slice authentication and authorization process information once, including identification information of multiple slices.
  • the slice authentication and authorization process information includes: identification information of terminal A, identification information of slice 2, identification information of slice 3, and identification information of PLMN-2.
  • the AAA-s can store the slice authentication and authorization process information after the slice authentication and authorization are successful.
  • AMF can send slice authentication and authorization process information to AAA-s through NSSAAF.
  • the AMF may send the identification information of the AMF and the identification information of the PLMN to which the AMF belongs to the UDM, so as to query the AMF corresponding to the PLMN through the identification information of the PLMN.
  • AMF2 sends the identification information of AMF2 and the identification information of PLMN-2 to UDM.
  • the AMF may also send the identification information of the slice to the UDM, for example, the AMF2 sends the identification information of the slice 2 to the UDM.
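The storage performed by UDM in S203/S303 and the lookup that the later re-authentication, re-authorization and revocation procedures rely on, as an added Python model; it is not part of the patent and not Huawei's code. It replays the dual registration scenario of Figures 2 and 3 (AMF1 reports slice 1 and slice 2, AMF2 reports slice 2 and slice 3, one or several slices per piece of information). The class and function names, the identifiers such as terminal-A, slice-1 and AMF1, and the choice to keep a set of AMFs per (terminal, slice) pair are assumptions of this example; the set-valued lookup is what lets slice 2, authenticated on both AMFs, resolve to both AMF1 and AMF2.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SliceAuthInfo:
    """One piece of slice authentication and authorization information (S202/S302).

    Carries the identification information of the terminal, of the AMF on which
    the terminal was authenticated and authorized, and of one or more slices for
    which that succeeded. A sender may report several slices in one piece of
    information or one slice per piece; both shapes are accepted.
    (Assumed structure, not the patent's message format.)
    """
    terminal_id: str
    amf_id: str
    slice_ids: tuple


class UdmSliceAuthStore:
    """Information storage network element (UDM) side of S203/S303 (assumed model)."""

    def __init__(self):
        # (terminal_id, slice_id) -> set of AMF ids on which the slice was
        # successfully authenticated and authorized for that terminal.
        self._assoc = {}

    def store(self, info):
        """Store the association terminal <-> AMF <-> slice.

        The return value stands in for the S204/S304 response: True when the
        information was accepted, False when it is incomplete.
        """
        if not info.terminal_id or not info.amf_id or not info.slice_ids:
            return False
        for slice_id in info.slice_ids:
            self._assoc.setdefault((info.terminal_id, slice_id), set()).add(info.amf_id)
        return True

    def triggering_amfs(self, terminal_id, slice_id):
        """Lookup used when AAA-s initiates re-authentication and re-authorization
        or authorization revocation: the AMF(s) serving this terminal on which this
        slice was authenticated and authorized. Empty list when nothing is stored."""
        return sorted(self._assoc.get((terminal_id, slice_id), set()))

    def revoke(self, terminal_id, slice_id):
        """Drop the association once the slice authorization is revoked and return
        the AMFs that held it, i.e. the ones that have to be notified."""
        return sorted(self._assoc.pop((terminal_id, slice_id), set()))


def dual_registration_example():
    """Replay the dual registration scenario of Figures 2 and 3 with constructed
    identifiers and return the triggering AMF(s) per slice."""
    udm = UdmSliceAuthStore()
    # Figure 2, S202: AMF1 reports slice 1 and slice 2 in one piece of information.
    udm.store(SliceAuthInfo("terminal-A", "AMF1", ("slice-1", "slice-2")))
    # Figure 3, S302: AMF2 reports slice 2 and slice 3, one piece per slice.
    udm.store(SliceAuthInfo("terminal-A", "AMF2", ("slice-2",)))
    udm.store(SliceAuthInfo("terminal-A", "AMF2", ("slice-3",)))
    # slice-4 was never reported, so the lookup must come back empty for it.
    return {s: udm.triggering_amfs("terminal-A", s)
            for s in ("slice-1", "slice-2", "slice-3", "slice-4")}


if __name__ == "__main__":
    for slice_id, amfs in dual_registration_example().items():
        print(slice_id, "->", amfs or "no association stored")
```

An empty lookup result is the case the text calls a communication abnormality: without the stored association the network cannot tell which AMF a re-authentication or revocation for that slice should be directed to, so the model returns an empty list rather than guessing.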
  • the identification information of the terminal includes: SUPI (subscription permanent identifier), 5G-GUTI (5G globally unique temporary identifier), GPSI (generic public subscription identifier), or other identifiers that can be used to identify the terminal;
  • AMF identification information includes: <AMF Region ID><AMF Group ID><AMF Pointer> (<AMFRegionID><AMFSetID><AMFPointer>), FQDN (fully qualified domain name), AMF instance identifier (AMF instance Id), AMF IP address, or AMF IPv6 prefix;
  • slice identification information includes: S-NSSAI (single network slice selection assistance information), or the external identifier of the slice.
  • the external identifier is used to identify the slice outside the network.
  • the above-mentioned AMF identification information can also be replaced with PLMN identification information, that is, PLMN identification information can be regarded as a kind of AMF identification information.
  • the corresponding AMF can be found through the identification information of the PLMN.
  • the identification information may be converted during the process of transmission and storage.
  • the converted identification information has the same function as the identification information before the conversion, and both identify the same object. Therefore, it is collectively referred to as identification information in this application.
  • AMF sends the identification information of terminal A to UDM, and UDM sends the identification information of terminal A to other network elements; this may include the following scheme: AMF sends the SUPI of terminal A to UDM, UDM obtains the GPSI corresponding to the SUPI, and UDM sends the GPSI to the other network elements.
  • AMF sends the S-NSSAI to NSSAAF, NSSAAF maps the S-NSSAI to the external slice identifier, and NSSAAF sends the external slice identifier to AAA-s, or to AAA-p, which forwards it to AAA-s.
  • the slice authentication and authorization information may be converted during transmission and storage.
  • the slice authentication and authorization information after conversion has the same function as the slice authentication and authorization information before conversion: both are used to indicate the slices on which the terminal has been successfully authenticated and authorized on the AMF. Therefore, they are collectively referred to as slice authentication and authorization information in this application.
  • AMF1 and AMF2 can be regarded as a kind of network elements that trigger authentication and authorization of slices, which are referred to as triggering network elements in this application.
  • UDM can be regarded as a network element that stores the correspondence between slices and AMF, and is referred to as an information storage network element for short in this application.
  • other types of network elements can also be used as information storage network elements, such as HSS (home subscriber server) or HLR (home location register).
  • NSSAAF can be regarded as a network element that participates in slice authentication and authorization, which is referred to as authentication and authorization network element for short in this application.
  • AUSF can be regarded as a network element that participates in slice authentication and authorization.
  • other types of network elements can be used as authentication and authorization network elements.
  • terminal A authenticates and authorizes slices in PLMN-1 and PLMN-2, respectively.
  • the AMF associated with slice 1 that serves terminal A is AMF1;
  • the AMFs associated with slice 2 that serve terminal A are AMF1 and AMF2;
  • the AMF associated with slice 3 that serves terminal A is AMF2.
  • UDM can store the following information, as shown in Table 1:
  • AAA-s stores the information shown in Table 2:
  • AAA-s can initiate a slice re-authentication and re-authorization process, or initiate a slice authorization revocation process as needed.
  • an embodiment of the present application provides a method for re-authentication and re-authorization of slices. The method will be described below in conjunction with the contents of FIG. 1, FIG. 2 and FIG. 3.
  • Figure 4 shows the method in which AAA-s initiates re-authentication and re-authorization of slice 1. As shown in Figure 4:
  • AAA-s requests NSSAAF to initiate re-authentication and re-authorization of slice 1 for terminal A.
  • the AAA-s sends a first request to the NSSAAF, and the first request is used to request that the re-authentication and re-authorization of slice 1 be initiated for terminal A.
  • the first request includes the identification information of the terminal A and the identification information of the slice 1. From the identification information of the terminal A and the identification information of the slice 1, it can be known that the re-authentication and re-authorization of the slice 1 are requested for the terminal A.
  • if an AAA-p is set between AAA-s and NSSAAF, AAA-s can send the first request to NSSAAF through the AAA-p.
  • the identification information of terminal A and the identification information of slice 1 can refer to related content in FIG. 2 and FIG. 3.
  • the identification information of terminal A may be the GPSI of terminal A
  • the identification information of slice 1 may be the S-NSSAI of slice 1 or the external identification of slice 1.
  • the first request may be an AAA Protocol Re-auth Request.
  • when AAA-s requests NSSAAF to initiate re-authentication and re-authorization of slice 1 for terminal A, it can further carry the identification information of PLMN-1 in the request according to the information in Table 2. NSSAAF can then obtain the identification information of AMF1 from UDM through the identification information of PLMN-1, so that S405 can be executed directly.
  • NSSAAF requests UDM to obtain the AMF associated with slice 1 serving terminal A.
  • NSSAAF sends a second request to UDM, and the second request is used to request to obtain the AMF associated with slice 1 serving terminal A.
  • the second request includes the identification information of the terminal A and the identification information of the slice 1.
  • the request further includes a first indication, and the first indication is used to indicate that the acquired network element type is AMF.
  • the request further includes a second indication, and the second indication is used to indicate that the related process is a slice re-authentication and re-authorization process.
  • the second request may be Nudm_UECM_GetReq.
  • NSSAAF may obtain the S-NSSAI of slice 1 according to the external identification of slice 1, and then, in S402, send the S-NSSAI of slice 1 to UDM.
  • NSSAAF may also send the external identification of slice 1 to UDM.
  • UDM obtains the AMF associated with slice 1 serving terminal A.
  • after the methods in FIG. 2 and FIG. 3 are adopted, UDM stores the association relationship between terminal A, AMF1, and slice 1.
  • UDM can obtain the identification information of AMF1 according to the received identification information of terminal A and the identification information of slice 1, that is, the AMF associated with slice 1 serving terminal A is AMF1.
  • the UDM may learn from the first indication that the requested network element type is AMF.
  • the UDM may learn from the second indication that the related process is the slice re-authentication and re-authorization process, so that the UDM can process the request accordingly.
  • S404 The UDM sends the identification information of the AMF associated with slice 1 that serves the terminal A to the NSSAAF.
  • the UDM may send the identification information of AMF1 obtained in S403 to the NSSAAF.
  • UDM sends a response message to NSSAAF, where the response message includes the identification information of AMF1.
  • the response message may be Nudm_UECM_GetResp.
  • when the identification information of slice 1 obtained by UDM from NSSAAF is the external identification of slice 1, UDM may obtain the S-NSSAI of slice 1 according to the external identification and send the S-NSSAI of slice 1 to NSSAAF together with the identification information of AMF1.
  • S405 NSSAAF notifies AMF1 to initiate a slice authentication and authorization process for slice 1 to terminal A.
  • NSSAAF sends a first notification to AMF1 according to the received identification information of AMF1, and the first notification is used to notify AMF1 to initiate a slice authentication and authorization process for slice 1 to terminal A.
  • the first notification includes: event information, identification information of terminal A, and identification information of slice 1.
  • the identification information of slice 1 may be the S-NSSAI of slice 1.
  • the event information is used to indicate the slice authentication and authorization process.
  • the first notification may be Nnssaaf_NSSAA_Notify.
  • AMF1 triggers the slice authentication and authorization process for slice 1.
  • the AMF1 learns that the slice authentication and authorization process for the slice 1 needs to be initiated for the terminal A.
  • the slice authentication and authorization process can be performed with reference to the method shown in FIG. 2.
  • the NSSAAF can accurately obtain the identification information of AMF1, the AMF associated with slice 1 serving terminal A, from the UDM by using the identification information of slice 1. Otherwise, NSSAAF may obtain the identification information of AMF2 and notify AMF2 to trigger the slice authentication and authorization process for slice 1, which would cause communication abnormalities. Therefore, through the solution of the present application, the occurrence of communication abnormalities can be reduced.
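The lookup in S402 to S404 above, as an added Python model. It is not code from the patent or from any 3GPP network function; it assumes the (terminal, AMF, slice) associations of Table 1 as described on this page, uses constructed identifier values, and models the first and second indications of the second request as parameters. The query is also parameterised for the authorization revocation process type, since the revocation flow sends the same request with a different second indication. The `ext_to_snssai` mapping and the `terminal-A`, `PLMN-1`, `S-NSSAI-1` style values are assumptions made for the example.

```python
"""Model of the information storage network element (UDM) and the lookup the
NSSAAF performs in S402-S404 of FIG. 4. Added illustration: not code from the
patent or from any 3GPP implementation. Network element names follow the page;
all identifier values are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AmfRecord:
    """One row of the (terminal, AMF, slice) association table (Table 1)."""
    amf_id: str
    plmn_id: str
    slices: FrozenSet[str]  # S-NSSAIs the AMF successfully authenticated and authorized


class UDM:
    """Information storage network element, keyed by terminal identification."""

    def __init__(self) -> None:
        self._table: Dict[str, List[AmfRecord]] = {}

    def store(self, terminal: str, amf_id: str, plmn_id: str, slices: List[str]) -> None:
        """Record what a triggering AMF reports after slice authentication succeeds."""
        self._table.setdefault(terminal, []).append(
            AmfRecord(amf_id, plmn_id, frozenset(slices)))

    def get_req(self, terminal: str, snssai: Optional[str] = None,
                plmn_id: Optional[str] = None, nf_type: str = "AMF",
                process: str = "reauth") -> List[str]:
        """Nudm_UECM_GetReq handling.

        nf_type is the first indication (type of network element requested);
        process is the second indication ("reauth" or "revoke"). The same
        query serves re-authentication and authorization revocation."""
        if nf_type != "AMF":
            raise ValueError("only AMF lookup is modelled here")
        if process not in ("reauth", "revoke"):
            raise ValueError(f"unknown process type: {process}")
        records = self._table.get(terminal, [])
        if snssai is not None:   # filter by slice: the precise lookup of S403
            records = [r for r in records if snssai in r.slices]
        if plmn_id is not None:  # PLMN shortcut carried by AAA-s from Table 2
            records = [r for r in records if r.plmn_id == plmn_id]
        return [r.amf_id for r in records]


class NSSAAF:
    """Authentication and authorization network element."""

    def __init__(self, udm: UDM, ext_to_snssai: Dict[str, str]) -> None:
        self.udm = udm
        self.ext_to_snssai = ext_to_snssai  # external slice identifier -> S-NSSAI (assumed mapping)

    def handle_reauth(self, terminal: str, slice_id: str,
                      plmn_id: Optional[str] = None) -> List[dict]:
        """S401-S405: resolve the slice identifier, query UDM, build notifications."""
        snssai = self.ext_to_snssai.get(slice_id, slice_id)
        amfs = self.udm.get_req(terminal, snssai=snssai, plmn_id=plmn_id)
        return [{"to": amf, "event": "NSSAA", "terminal": terminal, "snssai": snssai}
                for amf in amfs]


def build_udm() -> UDM:
    """Table 1 for the page's scenario (constructed values): AMF1 in PLMN-1
    serves slice 1 and slice 2, AMF2 in PLMN-2 serves slice 2 and slice 3."""
    udm = UDM()
    udm.store("terminal-A", "AMF1", "PLMN-1", ["S-NSSAI-1", "S-NSSAI-2"])
    udm.store("terminal-A", "AMF2", "PLMN-2", ["S-NSSAI-2", "S-NSSAI-3"])
    return udm


def demo() -> dict:
    udm = build_udm()
    nssaaf = NSSAAF(udm, {"ext-slice-1": "S-NSSAI-1", "ext-slice-2": "S-NSSAI-2"})
    return {
        # precise lookup of S403: the slice identification narrows the result to AMF1
        "by_slice": [n["to"] for n in nssaaf.handle_reauth("terminal-A", "ext-slice-1")],
        # terminal-only lookup is ambiguous: either AMF could be notified for slice 1
        "by_terminal_only": udm.get_req("terminal-A"),
        # PLMN shortcut (AAA-s carries PLMN-1 from Table 2) lets S405 run directly
        "by_plmn": udm.get_req("terminal-A", plmn_id="PLMN-1"),
    }


if __name__ == "__main__":
    print(demo())
```

The `by_terminal_only` result is the failure mode the passage describes: without the slice identification the store returns both AMFs, and a notification to AMF2 for slice 1 would reach an AMF that never authenticated that slice.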
  • Figure 5 shows a method for AAA-s to initiate re-authentication and re-authorization of slice 2.
  • AAA-s requests NSSAAF to initiate re-authentication and re-authorization of slice 2 for terminal A.
  • the AAA-s sends a first request to the NSSAAF, and the first request is used to request that the re-authentication and re-authorization of slice 2 be initiated for terminal A.
  • the first request includes the identification information of the terminal A and the identification information of the slice 2. From the identification information of the terminal A and the identification information of the slice 2, it can be known that the re-authentication and re-authorization of the slice 2 are requested for the terminal A.
  • if an AAA-p is set between AAA-s and NSSAAF, AAA-s can send the first request to NSSAAF through the AAA-p.
  • the identification information of terminal A and the identification information of slice 2 can refer to related content in FIG. 2 and FIG. 3.
  • the identification information of terminal A may be the GPSI of terminal A
  • the identification information of slice 2 may be the S-NSSAI of slice 2 or the external identification of slice 2.
  • the first request may be an AAA Protocol Re-auth Request.
  • when AAA-s requests NSSAAF to initiate re-authentication and re-authorization of slice 2 for terminal A, it can learn from the information in Table 2 that slice 2 corresponds to PLMN-1 and PLMN-2, and can itself determine whether to initiate re-authentication and re-authorization in PLMN-1, in PLMN-2, or in both PLMN-1 and PLMN-2, and further carry the identification information of PLMN-1 and/or PLMN-2 in the request. NSSAAF can then obtain the identification information of AMF1 and/or AMF2 from UDM through the identification information of PLMN-1 and/or PLMN-2.
  • if AAA-s determines to initiate re-authentication and re-authorization in only one of PLMN-1 and PLMN-2, NSSAAF can obtain the identification information of AMF1 or AMF2 from UDM according to the identification information of PLMN-1 or PLMN-2, so that S505a or S505b can be executed directly.
  • AAA-s can determine which PLMN to initiate re-authentication and re-authorization according to policies or timers.
  • NSSAAF requests UDM to obtain the AMF associated with slice 2 serving terminal A.
  • NSSAAF sends a second request to UDM, where the second request is used to request to obtain the AMF associated with slice 2 serving terminal A.
  • the second request includes the identification information of the terminal A and the identification information of the slice 2.
  • the request further includes a first indication, and the first indication is used to indicate that the acquired network element type is AMF.
  • the request further includes a second indication, and the second indication is used to indicate that the related process is a slice re-authentication and re-authorization process.
  • the second request may be Nudm_UECM_GetReq.
  • NSSAAF may obtain the S-NSSAI of slice 2 according to the external identification of slice 2, and then, in S502, send the S-NSSAI of slice 2 to UDM.
  • NSSAAF may also send the external identification of slice 2 to UDM.
  • UDM obtains the AMF associated with slice 2 serving terminal A.
  • after the methods in FIG. 2 and FIG. 3 are adopted, UDM stores the association relationship between terminal A, AMF1, and slice 2, and the association relationship between terminal A, AMF2, and slice 2.
  • UDM can obtain the identification information of AMF1 and the identification information of AMF2 according to the received identification information of terminal A and the identification information of slice 2; that is, the AMFs associated with slice 2 serving terminal A are AMF1 and AMF2.
  • the UDM may learn from the first indication that the requested network element type is AMF.
  • the UDM may learn from the second indication that the related process is the slice re-authentication and re-authorization process, so that the UDM can process the request accordingly.
  • the UDM may not further select one of the AMFs.
  • the UDM may further select one of the AMFs.
  • UDM can select one AMF from the multiple AMFs according to the connection state of the terminal.
  • the connection state of the terminal includes the connected state and the idle state.
  • the UDM can select one of the AMFs according to a policy or arbitrarily. For example, if the connection state between terminal A and AMF1 is connected, and the connection state between terminal A and AMF2 is connected, UDM can select one of AMF1 and AMF2 according to a policy or arbitrarily.
  • UDM may select an AMF according to the access type, for example, select the AMF corresponding to 3GPP access.
  • the access type can be divided into 3GPP access and non-3GPP access. For example, if the connection state between terminal A and AMF1 is idle, and the connection state between terminal A and AMF2 is idle, UDM can select the AMF corresponding to 3GPP access, namely AMF1.
  • the UDM can select the AMF with which the terminal is in the connected state. For example, if the connection state of terminal A with respect to AMF1 is connected and the connection state with respect to AMF2 is idle, UDM selects AMF1.
  • the UDM sends the identification information of the AMF associated with slice 2 serving terminal A to the NSSAAF.
  • the UDM may send the identification information of AMF1 and the identification information of AMF2 obtained in S503 to the NSSAAF.
  • the UDM may send the identification information of AMF1 or the identification information of AMF2 obtained in S503 to the NSSAAF.
  • the UDM sends a response message to the NSSAAF, where the response message includes the identification information of AMF1 and/or the identification information of AMF2.
  • the response message may be Nudm_UECM_GetResp.
  • when the identification information of slice 2 obtained by UDM from NSSAAF is the external identification of slice 2, UDM may obtain the S-NSSAI of slice 2 according to the external identification and send the S-NSSAI of slice 2 to NSSAAF together with the identification information of AMF1.
  • S505a NSSAAF notifies AMF1 to initiate a slice authentication and authorization process for slice 2 to terminal A.
  • the NSSAAF may select AMF1 and send the first notification to AMF1.
  • the NSSAAF can select AMF1 according to a policy.
  • the first notification is used to notify AMF1 to initiate a slice authentication and authorization process for slice 2 to terminal A.
  • the first notification includes: event information, identification information of terminal A, and identification information of slice 2.
  • the identification information of slice 2 may be the S-NSSAI of slice 2.
  • the event information is used to indicate the slice authentication and authorization process.
  • the first notification may be Nnssaaf_NSSAA_Notify.
  • S505b NSSAAF notifies AMF2 to initiate a slice authentication and authorization process for slice 2 to terminal A.
  • NSSAAF sends a second notification to AMF2.
  • the NSSAAF may select AMF2 and send a second notification to AMF2.
  • NSSAAF can select AMF2 according to a policy.
  • the second notification is used to notify AMF2 to initiate a slice authentication and authorization process for slice 2 to terminal A.
  • the second notification includes: event information, identification information of terminal A, and identification information of slice 2.
  • the identification information of slice 2 may be the S-NSSAI of slice 2.
  • the event information is used to indicate the slice authentication and authorization process.
  • the second notification may be Nnssaaf_NSSAA_Notify.
  • NSSAAF can notify both AMF1 and AMF2 to initiate the slice authentication and authorization process for slice 2 to terminal A, that is, both S505a and S505b are executed.
  • if the NSSAAF notifies only one of the AMFs to initiate the slice authentication and authorization process for the terminal, signaling overhead can be saved.
  • S506a AMF1 triggers the slice authentication and authorization process for slice 2.
  • the AMF1 learns that the slice authentication and authorization process for the slice 2 needs to be initiated for the terminal A.
  • the slice authentication and authorization process can be performed with reference to the method shown in FIG. 2.
  • S506b AMF2 triggers the slice authentication and authorization process for slice 2.
  • the AMF2 learns that it needs to initiate a slice authentication and authorization process for the slice 2 to the terminal A.
  • the slice authentication and authorization process can be performed with reference to the method shown in FIG. 3.
  • the NSSAAF can accurately obtain the identification information of AMF1 and/or AMF2, the AMFs associated with slice 2 serving terminal A, from the UDM by using the identification information of slice 2. Otherwise, NSSAAF may obtain the identification information of an AMF with which terminal A is registered other than AMF1 and AMF2, and thus notify the wrong AMF to trigger the slice authentication and authorization process for slice 2, which would cause communication abnormalities. Therefore, through the solution of the present application, the occurrence of communication abnormalities can be reduced.
  • in addition, the connection state of the terminal is considered when selecting the appropriate AMF, which can save signaling interaction and improve communication efficiency.
  • FIG. 6 shows another method for AAA-s to initiate re-authentication and re-authorization of slice 2. The difference from FIG. 5 is that in FIG. 5 the UDM determines the AMF according to the identification information of the slice, whereas in FIG. 6 the NSSAAF determines the AMF according to the identification information of the slice. As shown in FIG. 6:
  • AAA-s requests NSSAAF to initiate re-authentication and re-authorization of slice 2 for terminal A.
  • when AAA-s requests NSSAAF to initiate re-authentication and re-authorization of slice 2 for terminal A, it can learn from the information in Table 2 that slice 2 corresponds to PLMN-1 and PLMN-2, and can itself determine whether to initiate re-authentication and re-authorization in PLMN-1, in PLMN-2, or in both PLMN-1 and PLMN-2, and further carry the identification information of PLMN-1 and/or PLMN-2 in the request. NSSAAF can then obtain the identification information of AMF1 and/or AMF2 from UDM through the identification information of PLMN-1 and/or PLMN-2.
  • if AAA-s determines to initiate re-authentication and re-authorization in only one of PLMN-1 and PLMN-2, NSSAAF can obtain the identification information of AMF1 or AMF2 from UDM according to the identification information of PLMN-1 or PLMN-2, so that S606a or S606b can be executed directly.
  • AAA-s can determine which PLMN to initiate re-authentication and re-authorization according to policies or timers.
  • the NSSAAF requests the UDM to obtain the AMF serving the terminal A and the slice associated with the AMF serving the terminal A.
  • the NSSAAF sends a second request to the UDM, the second request is used to request to obtain the AMF serving the terminal A and the slice associated with the AMF serving the terminal A.
  • the second request includes terminal A's identification information.
  • the request further includes a first indication, and the first indication is used to indicate that the acquired network element type is AMF.
  • the request further includes a second indication, and the second indication is used to indicate that the related process is a slice re-authentication and re-authorization process.
  • the second request may be Nudm_UECM_GetReq.
  • the UDM obtains the AMF serving the terminal A and the slice associated with the AMF serving the terminal A.
  • after the methods in FIG. 2 and FIG. 3 are adopted, UDM stores the association relationship between the terminal, the AMF, and the slice as shown in Table 1 above.
  • UDM can obtain {identification information of AMF1, (identification information of slice 1, identification information of slice 2)} and {identification information of AMF2, (identification information of slice 2, identification information of slice 3)} according to the received identification information of terminal A; that is, the AMFs serving terminal A are AMF1 and AMF2, the slices associated with AMF1 are slice 1 and slice 2, and the slices associated with AMF2 are slice 2 and slice 3.
  • the UDM may learn from the first indication that the requested network element type is AMF.
  • the UDM may learn from the second indication that the related process is the slice re-authentication and re-authorization process, so that the UDM can process the request accordingly.
  • {A, B} indicates that A and B have an association relationship;
  • (A, B) indicates a set or list that includes the two elements A and B.
  • the UDM can also obtain the connection status between the terminal and the AMF serving the terminal.
  • the connection state of the terminal includes a connected state and an idle state.
  • the UDM may request the AMF serving the terminal to obtain the connection state of the terminal.
  • the AMFs serving terminal A are AMF1 and AMF2.
  • UDM can obtain the connection status of terminal A and AMF1 from AMF1, and the connection status of terminal A and AMF2 from AMF2.
  • the UDM may also obtain the access type corresponding to the AMF serving the terminal.
  • the access type corresponding to AMF1 is 3GPP access
  • the access type corresponding to AMF2 is non-3GPP access.
  • the UDM sends the identification information of the AMF serving the terminal A and the identification information of the slice associated with the AMF serving the terminal A to the NSSAAF.
  • UDM sends {identification information of AMF1, (identification information of slice 1, identification information of slice 2)} and {identification information of AMF2, (identification information of slice 2, identification information of slice 3)} to NSSAAF.
  • alternatively, UDM sends {identification information of AMF1, identification information of slice 1}, {identification information of AMF1, identification information of slice 2}, {identification information of AMF2, identification information of slice 2}, and {identification information of AMF2, identification information of slice 3} to NSSAAF.
  • UDM can send connection status information to NSSAAF.
  • the connection status information is used to indicate the connection status between the terminal and the AMF serving the terminal.
  • the connection state information indicates that the connection state between the terminal A and AMF1 is the connected state, and the connection state between the terminal A and AMF2 is the idle state.
  • UDM can send access type information to NSSAAF.
  • the access type information is used to indicate the access type corresponding to the AMF serving the terminal.
  • the access type information indicates that the access type of AMF1 is 3GPP access, and the access type of AMF2 is non-3GPP access.
  • the UDM sends a response message to the NSSAAF.
  • the response message includes the identification information of the AMF serving the terminal A and the identification information of the slice associated with the AMF serving the terminal A.
  • the response message further includes the above-mentioned connection status information.
  • the response message further includes the above-mentioned access type information.
  • the response message may be Nudm_UECM_GetResp.
  • NSSAAF determines the AMF associated with slice 2.
  • the NSSAAF can learn that the AMFs associated with slice 2 serving the terminal A are AMF1 and AMF2.
  • the NSSAAF may not further select one AMF from the multiple AMFs.
  • the NSSAAF may further select one AMF from the multiple AMFs. Compared with the solution of not further determining one AMF among multiple AMFs, further determining one AMF among multiple AMFs is beneficial to save subsequent signaling interaction.
  • NSSAAF can select one AMF from multiple AMFs according to the connection status of the terminal.
  • the connection status of the terminal can be obtained through the connection status information in S604.
  • the NSSAAF can select one of the AMFs according to the policy or arbitrarily. For example, if the connection status between terminal A and AMF1 is connected, and the connection status with AMF2 is connected, NSSAAF can select one of AMF1 and AMF2 according to a policy or arbitrarily.
  • the NSSAAF can select an AMF according to the access type corresponding to the AMF. For example, select an AMF corresponding to 3GPP access.
  • the access type corresponding to the AMF can be obtained through the access type information in S604. For example, if the connection state between terminal A and AMF1 is idle, and the connection state between terminal A and AMF2 is idle, NSSAAF can select the AMF corresponding to 3GPP access, namely AMF1.
  • the NSSAAF can select the AMF with which the terminal is in the connected state. For example, if the connection state of terminal A with respect to AMF1 is connected and the connection state with respect to AMF2 is idle, NSSAAF selects AMF1.
  • NSSAAF determines that the AMFs associated with slice 2 are AMF1 and AMF2, then S606a and S606b are executed.
  • NSSAAF determines that the AMF associated with slice 2 is one of AMF1 and AMF2, S606a or S606b is executed.
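The AMF selection rules given for the UDM in the FIG. 5 flow (connection state, then access type) and for the NSSAAF in the FIG. 6 flow just above, as one added Python example that serves both passages. It is not code from the patent. The candidate data is constructed from the page's scenario (AMF1 over 3GPP access, AMF2 over non-3GPP access), and the deterministic tie-break used when several AMFs are connected (prefer the configured access type, then list order) is an assumed policy; the page leaves that case to policy or arbitrary choice.

```python
"""AMF selection from multiple candidates using the terminal's connection
state and the AMF's access type, as described for the UDM in FIG. 5 and for
the NSSAAF in FIG. 6. Added illustration, not code from the patent; the
candidate data and the tie-break policy are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AmfCandidate:
    amf_id: str
    connected: bool   # connection state of the terminal at this AMF
    access: str       # "3GPP" or "non-3GPP"


def select_amf(candidates: List[AmfCandidate],
               preferred_access: str = "3GPP") -> Optional[str]:
    """Pick one AMF, or None if there is no candidate.

    Rules from the page: prefer an AMF with which the terminal is in the
    connected state; if every candidate is idle, prefer the AMF of the
    preferred access type (3GPP in the page's example). If several
    candidates are connected, the page allows "policy or arbitrary"; the
    assumed policy here is again the preferred access type, then list
    order, so the choice is deterministic and testable."""
    if not candidates:
        return None
    pool = [c for c in candidates if c.connected] or list(candidates)
    for cand in pool:
        if cand.access == preferred_access:
            return cand.amf_id
    return pool[0].amf_id


def notification_targets(candidates: List[AmfCandidate],
                         select_one: bool) -> List[str]:
    """AMFs that receive Nnssaaf_NSSAA_Notify.

    select_one=False notifies every associated AMF (S606a and S606b both
    executed); select_one=True notifies a single AMF, saving signaling."""
    if not select_one:
        return [c.amf_id for c in candidates]
    chosen = select_amf(candidates)
    return [chosen] if chosen else []


def build_notifications(terminal: str, snssai: str,
                        candidates: List[AmfCandidate],
                        select_one: bool = True) -> List[dict]:
    """Compose the notification content listed on the page: event
    information, terminal identification, slice identification."""
    return [{"to": amf, "event": "NSSAA", "terminal": terminal, "snssai": snssai}
            for amf in notification_targets(candidates, select_one)]


def scenario(amf1_connected: bool, amf2_connected: bool) -> List[AmfCandidate]:
    """Constructed scenario from the page: terminal A is served by AMF1 over
    3GPP access and by AMF2 over non-3GPP access, both associated with slice 2."""
    return [AmfCandidate("AMF1", amf1_connected, "3GPP"),
            AmfCandidate("AMF2", amf2_connected, "non-3GPP")]


if __name__ == "__main__":
    for state in [(True, True), (False, False), (True, False), (False, True)]:
        print(state, "->", select_amf(scenario(*state)))
    print(build_notifications("terminal-A", "S-NSSAI-2", scenario(True, True),
                              select_one=False))
```

The same function can sit in either network element: in the FIG. 5 flow the UDM runs it before answering `Nudm_UECM_GetReq`, in the FIG. 6 flow the NSSAAF runs it on the connection state and access type information returned in S604.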
  • S606a NSSAAF notifies AMF1 to initiate a slice authentication and authorization process for slice 2 to terminal A.
  • NSSAAF sends the first notification to AMF1.
  • the first notification is used to notify AMF1 to initiate a slice authentication and authorization process for slice 2 to terminal A.
  • the first notification includes: event information, identification information of terminal A, and identification information of slice 2.
  • the identification information of slice 2 may be the S-NSSAI of slice 2.
  • the event information is used to indicate the slice authentication and authorization process.
  • the first notification may be Nnssaaf_NSSAA_Notify.
  • S606b NSSAAF notifies AMF2 to initiate a slice authentication and authorization process for slice 2 to terminal A.
  • NSSAAF sends the second notification to AMF2.
  • the second notification includes: event information, identification information of terminal A, and identification information of slice 2.
  • the identification information of slice 2 may be the S-NSSAI of slice 2.
  • the event information is used to indicate the slice authentication and authorization process.
  • the second notification may be Nnssaaf_NSSAA_Notify.
  • S607a AMF1 triggers the slice authentication and authorization process for slice 2.
  • S607a can refer to S506a.
  • S607b AMF2 triggers the slice authentication and authorization process for slice 2.
  • S607b can refer to S506b.
  • the NSSAAF can accurately obtain the identification information of AMF1 and/or AMF2, the AMFs associated with slice 2 serving terminal A, by using the identification information of slice 2. Otherwise, NSSAAF may obtain the identification information of an AMF with which terminal A is registered other than AMF1 and AMF2, and thus notify the wrong AMF to trigger the slice authentication and authorization process for slice 2, which would cause communication abnormalities. Therefore, through the solution of the present application, the occurrence of communication abnormalities can be reduced.
  • in addition, the connection state of the terminal is considered when selecting the appropriate AMF, which can save signaling interaction and improve communication efficiency.
  • an embodiment of the present application provides a method for revoking authorization for slices. The method will be described below in conjunction with the contents of FIG. 1, FIG. 2 and FIG. 3.
  • Figure 7 shows a method for AAA-s to initiate the authorization revocation of slice 1. As shown in Figure 7:
  • S701 The AAA-s requests the NSSAAF to initiate the authorization revocation of slice 1 for terminal A.
  • the AAA-s sends a first request to the NSSAAF, and the first request is used to request that the authorization of slice 1 be revoked for terminal A.
  • the first request includes the identification information of the terminal A and the identification information of the slice 1. From the identification information of the terminal A and the identification information of the slice 1, it can be known that the terminal A is requested to revoke the authorization of the slice 1.
  • if an AAA-p is set between AAA-s and NSSAAF, AAA-s can send the first request to NSSAAF through the AAA-p.
  • the identification information of terminal A and the identification information of slice 1 can refer to related content in FIG. 2 and FIG. 3.
  • the identification information of terminal A may be the GPSI of terminal A
  • the identification information of slice 1 may be the S-NSSAI of slice 1 or the external identification of slice 1.
  • the first request may be an AAA Protocol Revoke Auth Request.
  • when AAA-s requests NSSAAF to initiate the authorization revocation of slice 1 for terminal A, it can further carry the identification information of PLMN-1 in the request according to the information in Table 2. NSSAAF can then obtain the identification information of AMF1 from UDM through the identification information of PLMN-1, so that S705 can be executed directly.
  • NSSAAF requests UDM to obtain the AMF associated with slice 1 serving terminal A.
  • NSSAAF sends a second request to UDM, and the second request is used to request to obtain the AMF associated with slice 1 serving terminal A.
  • the second request includes the identification information of the terminal A and the identification information of the slice 1.
  • the request further includes a first indication, and the first indication is used to indicate that the acquired network element type is AMF.
  • the request further includes a second indication, and the second indication is used to indicate that the related process is a slice authorization revocation process.
  • the second request may be Nudm_UECM_GetReq.
  • NSSAAF may obtain the S-NSSAI of slice 1 according to the external identification of slice 1, and then send the S-NSSAI of slice 1 to the UDM in S702.
  • NSSAAF may also send the external identification of slice 1 to UDM.
  • S703 UDM obtains the AMF associated with slice 1 serving terminal A.
  • after adopting the methods in Fig. 2 and Fig. 3, the UDM stores the association relationship between terminal A, AMF1, and slice 1.
  • the UDM can obtain the identification information of AMF1 according to the received identification information of the terminal A and the identification information of the slice 1, that is, the AMF associated with the slice 1 serving the terminal A is AMF1.
  • the UDM may learn that the acquired network element type is AMF according to the first instruction.
  • the UDM may learn that the related process is the slice authorization revocation process according to the second instruction, so that the UDM can make corresponding processing.
  • S704 the UDM sends the identification information of the AMF associated with slice 1 that serves the terminal A to the NSSAAF.
  • the UDM may send the identification information of AMF1 obtained in S703 to the NSSAAF.
  • UDM sends a response message to NSSAAF, where the response message includes the identification information of AMF1.
  • the response message may be Nudm_UECM_GetResp.
  • when the identification information of slice 1 obtained by the UDM from the NSSAAF is the external identification of slice 1, the UDM may obtain the S-NSSAI of slice 1 according to the external identification and send the S-NSSAI of slice 1 to the NSSAAF together with the identification information of AMF1.
  • S705 NSSAAF notifies AMF1 to initiate authorization cancellation for slice 1 to terminal A.
  • the NSSAAF sends a first notification to AMF1 according to the received identification information of AMF1, and the first notification is used to notify AMF1 to initiate the revocation of authorization for slice 1 to terminal A.
  • the first notification includes: event information, identification information of terminal A, and identification information of slice 1.
  • the identification information of slice 1 may be the S-NSSAI of slice 1.
  • the event information is used to indicate that the slice authorization is revoked.
  • the first notification may be Nnssaaf_NSSAA_Notify.
  • S706 AMF1 revokes the authorization of slice 1 to terminal A.
  • the AMF1 learns that the authorization of the terminal A for the slice 1 needs to be revoked.
  • for how AMF1 revokes the authorization of slice 1 for terminal A, refer to step 5 of section 4.2.9.4 of 3GPP TS 23.502 v16.4.0.
  • in this way, the NSSAAF can use the identification information of slice 1 to accurately obtain from the UDM the identification information of AMF1, the AMF associated with slice 1 that serves terminal A.
  • otherwise, the NSSAAF might obtain the identification information of AMF2 and notify AMF2 to trigger the revocation of authorization for slice 1, which would result in abnormal communication. Therefore, through the solution of the present application, the occurrence of communication abnormalities can be reduced.
  • Figure 8 shows a method for AAA-s to initiate the authorization revocation of slice 2.
  • S801 The AAA-s requests the NSSAAF to initiate the authorization cancellation of the slice 2 for the terminal A.
  • the AAA-s sends a first request to the NSSAAF, and the first request is used to request that the authorization revocation of slice 2 be initiated for terminal A.
  • the first request includes the identification information of the terminal A and the identification information of the slice 2.
  • the identification information of terminal A and the identification information of the slice 2 can refer to related content in FIG. 2 and FIG. 3.
  • the identification information of terminal A may be the GPSI of terminal A
  • the identification information of slice 2 may be the S-NSSAI of slice 2 or the external identification of slice 2.
  • the first request may be AAA Protocol Revoke Auth Request.
  • when the AAA-s requests the NSSAAF to initiate the revocation of authorization for slice 2 for terminal A, it can learn from the information in Table 2 that slice 2 corresponds to PLMN-1 and PLMN-2, and determine whether to initiate the authorization revocation in PLMN-1, in PLMN-2, or in both PLMN-1 and PLMN-2. It then carries the identification information of PLMN-1 and/or PLMN-2 in the request, and the NSSAAF can obtain the identification information of AMF1 and/or AMF2 from the UDM through the identification information of PLMN-1 and/or PLMN-2, so that S805a and/or S805b can be executed directly.
  • AAA-s can determine which PLMN to initiate authorization revocation based on policies or timers.
  • S802 NSSAAF requests UDM to obtain the AMF associated with slice 2 serving terminal A.
  • NSSAAF sends a second request to UDM, where the second request is used to request to obtain the AMF associated with slice 2 serving terminal A.
  • the second request includes the identification information of the terminal A and the identification information of the slice 2.
  • the request further includes a first indication, and the first indication is used to indicate that the acquired network element type is AMF.
  • the request further includes a second indication, and the second indication is used to indicate that the related process is a slice authorization revocation process.
  • the second request may be Nudm_UECM_GetReq.
  • NSSAAF may obtain the S-NSSAI of slice 2 according to the external identification of slice 2, and then send the S-NSSAI of slice 2 to the UDM in S802.
  • NSSAAF may also send the external identification of slice 2 to UDM.
  • S803 UDM obtains the AMF associated with slice 2 serving terminal A.
  • after adopting the methods of Fig. 2 and Fig. 3, the UDM stores the association relationship between terminal A, AMF1, and slice 2, and the association relationship between terminal A, AMF2, and slice 2.
  • the UDM can obtain the identification information of AMF1 and the identification information of AMF2 according to the received identification information of terminal A and the identification information of slice 2. That is, the AMFs associated with slice 2 serving terminal A are AMF1 and AMF2.
  • the UDM may learn that the acquired network element type is AMF according to the first instruction.
  • the UDM may learn that the related process is the slice authorization revocation process according to the second instruction, so that the UDM can make corresponding processing.
  • the UDM needs to notify the NSSAAF of the multiple AMFs.
  • S804 the UDM sends the identification information of the AMF associated with slice 2 that serves the terminal A to the NSSAAF.
  • the UDM sends the identification information of AMF1 and the identification information of AMF2 obtained in S803 to the NSSAAF.
  • the UDM sends a response message to the NSSAAF, and the response message includes the identification information of AMF1 and the identification information of AMF2.
  • the response message may be Nudm_UECM_GetResp.
  • when the identification information of slice 2 obtained by the UDM from the NSSAAF is the external identification of slice 2, the UDM may obtain the S-NSSAI of slice 2 according to the external identification and send the S-NSSAI of slice 2 to the NSSAAF together with the identification information of AMF1.
  • for the slice authorization revocation process, when the NSSAAF receives the identification information of multiple AMFs, it needs to notify all of those AMFs to revoke the authorization.
  • S805a NSSAAF notifies AMF1 to initiate authorization cancellation for slice 2 to terminal A.
  • the NSSAAF sends a first notification to AMF1 according to the received identification information of AMF1, and the first notification is used to notify AMF1 to initiate the revocation of authorization for slice 2 to terminal A.
  • the first notification includes: event information, identification information of terminal A, and identification information of slice 2.
  • the identification information of slice 2 may be the S-NSSAI of slice 2.
  • the event information is used to indicate that the slice authorization is revoked.
  • the first notification may be Nnssaaf_NSSAA_Notify.
  • S805b NSSAAF notifies AMF2 to initiate authorization cancellation for slice 2 to terminal A.
  • NSSAAF sends a second notification to AMF2 according to the received identification information of AMF2, and the second notification is used to notify AMF2 to initiate the revocation of authorization for slice 2 to terminal A.
  • the second notification includes: event information, identification information of terminal A, and identification information of slice 2.
  • the identification information of slice 2 may be the S-NSSAI of slice 2.
  • the event information is used to indicate that the slice authorization is revoked.
  • the second notification may be Nnssaaf_NSSAA_Notify.
  • S806a AMF1 revokes the authorization of slice 2 for terminal A.
  • the AMF1 learns that the authorization of the terminal A for the slice 2 needs to be revoked.
  • for how AMF1 revokes the authorization of terminal A for slice 2, refer to step 5 of section 4.2.9.4 of 3GPP TS 23.502 v16.4.0.
  • S806b AMF2 revokes the authorization of slice 2 for terminal A.
  • the AMF2 learns that the authorization of the terminal A for the slice 2 needs to be revoked.
  • for how AMF2 revokes the authorization of terminal A for slice 2, refer to step 5 of section 4.2.9.4 of 3GPP TS 23.502 v16.4.0.
  • the NSSAAF can accurately obtain the identification information of AMF1 and the identification information of AMF2 associated with the slice 2 serving the terminal A by using the identification information of the slice 2 from the UDM.
  • otherwise, the NSSAAF might obtain the identification information of an AMF with which terminal A is registered other than AMF1 and AMF2, and so notify the wrong AMF to revoke the authorization of slice 2, which would cause communication abnormalities.
  • or the NSSAAF might obtain only one of AMF1 and AMF2, and so fail to notify the other AMF to revoke the authorization of slice 2, which would also cause communication abnormalities. Therefore, through the solution of the present application, the occurrence of communication abnormalities can be reduced.
  • FIG. 9 shows another method for AAA-s to initiate authorization revocation of slice 2.
  • the difference from FIG. 8 is where the slice is matched: in FIG. 8 the UDM determines the AMF according to the slice identification information,
  • whereas in FIG. 9 the NSSAAF determines the AMF according to the slice identification information.
  • S901 The AAA-s requests the NSSAAF to initiate the authorization cancellation of the slice 2 for the terminal A.
  • when the AAA-s requests the NSSAAF to initiate the revocation of authorization for slice 2 for terminal A, it can learn from the information in Table 2 that slice 2 corresponds to PLMN-1 and PLMN-2, and determine whether to initiate the authorization revocation in PLMN-1, in PLMN-2, or in both PLMN-1 and PLMN-2. It then carries the identification information of PLMN-1 and/or PLMN-2 in the request, and the NSSAAF can obtain the identification information of AMF1 and/or AMF2 from the UDM through the identification information of PLMN-1 and/or PLMN-2, so that S906a and/or S906b can be executed directly.
  • AAA-s can determine which PLMN to initiate authorization revocation based on policies or timers.
  • S902 the NSSAAF requests the UDM to obtain the AMF serving the terminal A and the slice associated with the AMF serving the terminal A.
  • the NSSAAF sends a second request to the UDM, the second request is used to request to obtain the AMF serving the terminal A and the slice associated with the AMF serving the terminal A.
  • the second request includes terminal A's identification information.
  • the request further includes a first indication, and the first indication is used to indicate that the acquired network element type is AMF.
  • the request further includes a second indication, and the second indication is used to indicate that the related process is a slice authorization revocation process.
  • the second request may be Nudm_UECM_GetReq.
  • S903 the UDM obtains the AMF serving the terminal A and the slice associated with the AMF serving the terminal A.
  • after adopting the methods in Figure 2 and Figure 3, the UDM stores the association relationship between the terminal, AMF, and slice as shown in Table 1 above.
  • the UDM can obtain {identification information of AMF1, (identification information of slice 1, identification information of slice 2)} and {identification information of AMF2, (identification information of slice 2, identification information of slice 3)} according to the received identification information of terminal A. That is, the AMFs serving the terminal A are AMF1 and AMF2, the slices associated with AMF1 are slice 1 and slice 2, and the slices associated with AMF2 are slice 2 and slice 3.
  • the UDM may learn that the acquired network element type is AMF according to the first instruction.
  • the UDM may learn that the related process is the slice authorization revocation process according to the second instruction, so that the UDM can make corresponding processing.
  • {A, B} indicates that A and B have an association relationship;
  • (A, B) indicates a set or list, and the set or list includes the two elements A and B.
  • the UDM can also obtain the connection status between the terminal and the AMF serving the terminal.
  • the connection state of the terminal includes a connected state and an idle state.
  • the UDM may request the AMF serving the terminal to obtain the connection status of the terminal.
  • the AMFs serving terminal A are AMF1 and AMF2.
  • UDM can obtain the connection status of terminal A and AMF1 from AMF1, and the connection status of terminal A and AMF2 from AMF2.
  • the UDM may also obtain the access type corresponding to the AMF serving the terminal.
  • the access type can be divided into 3GPP access and non-3GPP access.
  • the access type corresponding to AMF1 is 3GPP access
  • the access type corresponding to AMF2 is non-3GPP access.
  • S904 the UDM sends the identification information of the AMF serving the terminal A and the identification information of the slice associated with the AMF serving the terminal A to the NSSAAF.
  • the UDM sends {identification information of AMF1, (identification information of slice 1, identification information of slice 2)} and {identification information of AMF2, (identification information of slice 2, identification information of slice 3)} to the NSSAAF.
  • alternatively, the UDM sends {identification information of AMF1, identification information of slice 1}, {identification information of AMF1, identification information of slice 2}, {identification information of AMF2, identification information of slice 2}, and {identification information of AMF2, identification information of slice 3}.
  • UDM can send connection status information to NSSAAF.
  • the connection status information is used to indicate the connection status between the terminal and the AMF serving the terminal.
  • the connection state information indicates that the connection state between the terminal A and AMF1 is the connected state, and the connection state between the terminal A and AMF2 is the idle state.
  • UDM can send access type information to NSSAAF.
  • the access type information is used to indicate the access type corresponding to the AMF serving the terminal.
  • the access type information indicates that the access type of AMF1 is 3GPP access, and the access type of AMF2 is non-3GPP access.
  • the UDM sends a response message to the NSSAAF.
  • the response message includes the identification information of the AMF serving the terminal A and the identification information of the slice associated with the AMF serving the terminal A.
  • the response message further includes the above-mentioned connection status information.
  • the response message further includes the above-mentioned access type information.
  • the response message may be Nudm_UECM_GetResp.
  • S905 NSSAAF determines the AMF associated with slice 2.
  • the NSSAAF can learn that the AMFs associated with slice 2 serving the terminal A are AMF1 and AMF2.
  • for slice authorization revocation, if there are multiple AMFs associated with the slice serving the terminal, the NSSAAF needs to notify all of those AMFs to revoke the authorization for the slice. Therefore, the NSSAAF notifies AMF1 and AMF2 to initiate the authorization revocation of slice 2 for terminal A.
  • S906a NSSAAF notifies AMF1 to initiate authorization cancellation for slice 2 to terminal A.
  • S906a can refer to S805a.
  • S906b NSSAAF notifies AMF2 to initiate authorization cancellation for slice 2 to terminal A.
  • S906b can refer to S805b.
  • S907a The AMF1 revokes the authorization of the slice 2 to the terminal A.
  • S907a can refer to S806a.
  • S907b The AMF2 revokes the authorization of the slice 2 to the terminal A.
  • S907b can refer to S806b.
  • the NSSAAF can accurately obtain the identification information of AMF1 and the identification information of AMF2 associated with the slice 2 serving the terminal A by using the identification information of the slice 2.
  • otherwise, the NSSAAF might obtain the identification information of an AMF with which terminal A is registered other than AMF1 and AMF2, and so notify the wrong AMF to revoke the authorization of slice 2, which would cause communication abnormalities.
  • or the NSSAAF might obtain only one of AMF1 and AMF2, and so fail to notify the other AMF to revoke the authorization of slice 2, which would also cause communication abnormalities. Therefore, through the solution of the present application, the occurrence of communication abnormalities can be reduced.
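  • The following Python model is an added example and is not code from the patent or from any 3GPP implementation. It models the UDM association store and the two revocation flows just described: in the FIG. 8 flow the UDM filters the stored {terminal, AMF, slice} rows by slice, in the FIG. 9 flow the UDM returns every AMF with its slice list and the NSSAAF filters by slice; both notify the same set of AMFs. It also shows the terminal-only lookup the text warns against, which returns AMFs that are not associated with the revoked slice. Class and method names, the notification tuple layout and the sample rows are assumptions; the slice-to-AMF associations (slice 1 with AMF1, slice 2 with AMF1 and AMF2, slice 3 with AMF2) are taken from the text.

```python
"""Constructed model of UDM association storage and NSSAAF revocation fan-out.
Added example; not the patent's or any 3GPP network function's code.
Names of network elements follow the text; everything else is assumed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Association:
    """One stored row: terminal, serving AMF, and the slice (S-NSSAI)."""
    terminal: str
    amf: str
    snssai: str


class UDM:
    """Holds the terminal/AMF/slice associations recorded during slice
    authentication and authorization (the FIG. 2 and FIG. 3 procedures)."""

    def __init__(self) -> None:
        self._rows: set[Association] = set()

    def record(self, terminal: str, amf: str, snssai: str) -> None:
        self._rows.add(Association(terminal, amf, snssai))

    def amfs_for_terminal(self, terminal: str) -> set[str]:
        """Lookup by terminal only: the imprecise query the text warns about."""
        return {r.amf for r in self._rows if r.terminal == terminal}

    def amfs_for_terminal_and_slice(self, terminal: str, snssai: str) -> set[str]:
        """FIG. 8: the UDM itself matches on terminal and slice
        (request carrying both identifiers)."""
        return {r.amf for r in self._rows
                if r.terminal == terminal and r.snssai == snssai}

    def amfs_with_slices(self, terminal: str) -> dict[str, set[str]]:
        """FIG. 9: the UDM returns every serving AMF together with the
        slices associated with it, i.e. {AMF, (slice, ...)} pairs."""
        out: dict[str, set[str]] = {}
        for r in self._rows:
            if r.terminal == terminal:
                out.setdefault(r.amf, set()).add(r.snssai)
        return out


class NSSAAF:
    """Receives the AAA-S revoke request and notifies every AMF associated
    with the revoked slice that serves the terminal."""

    def __init__(self, udm: UDM) -> None:
        self.udm = udm
        # (amf, event, terminal, slice) per notification sent (constructed layout)
        self.notifications: list[tuple[str, str, str, str]] = []

    def _notify(self, amf: str, terminal: str, snssai: str) -> None:
        # Event information indicating that the slice authorization is revoked
        self.notifications.append((amf, "SLICE_AUTH_REVOKED", terminal, snssai))

    def revoke_udm_selects(self, terminal: str, snssai: str) -> set[str]:
        """FIG. 8 flow: UDM filters by slice, NSSAAF notifies all returned AMFs."""
        amfs = self.udm.amfs_for_terminal_and_slice(terminal, snssai)
        for amf in sorted(amfs):
            self._notify(amf, terminal, snssai)
        return amfs

    def revoke_nssaaf_selects(self, terminal: str, snssai: str) -> set[str]:
        """FIG. 9 flow: UDM returns all AMFs with their slices, NSSAAF keeps
        only those whose slice list contains the revoked slice."""
        amfs = {amf for amf, slices in self.udm.amfs_with_slices(terminal).items()
                if snssai in slices}
        for amf in sorted(amfs):
            self._notify(amf, terminal, snssai)
        return amfs


def build_example() -> tuple[UDM, NSSAAF]:
    """Constructed state matching the associations stated in the text:
    slice 1 -> AMF1, slice 2 -> AMF1 and AMF2, slice 3 -> AMF2."""
    udm = UDM()
    udm.record("terminalA", "AMF1", "slice1")
    udm.record("terminalA", "AMF1", "slice2")
    udm.record("terminalA", "AMF2", "slice2")
    udm.record("terminalA", "AMF2", "slice3")
    return udm, NSSAAF(udm)


if __name__ == "__main__":
    udm, nssaaf = build_example()
    # Terminal-only lookup also returns AMF2, which is not associated with slice 1.
    print("terminal-only lookup:", sorted(udm.amfs_for_terminal("terminalA")))
    print("slice 1 via UDM     :", sorted(nssaaf.revoke_udm_selects("terminalA", "slice1")))
    # FIG. 8 and FIG. 9 select the same AMF set for slice 2.
    print("slice 2 via UDM     :", sorted(nssaaf.revoke_udm_selects("terminalA", "slice2")))
    print("slice 2 via NSSAAF  :", sorted(nssaaf.revoke_nssaaf_selects("terminalA", "slice2")))
```

  • The two selection points differ only in which network element applies the slice filter; the set of notified AMFs is identical, which is the property that keeps an AMF outside the slice from receiving a revocation and keeps every AMF inside it from being missed.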
  • Figure 10 shows a method for slice authentication and authorization management.
  • this method introduces the solution of the present application in combination with the method of FIG. 2 to FIG. 9.
  • S1001 Terminal A performs slice authentication and authorization in PLMN-1, executing the method shown in FIG. 2.
  • S1002 Terminal A performs slice authentication and authorization in PLMN-2, executing the method shown in FIG. 3.
  • terminal A authenticates and authorizes slices in PLMN-1 and PLMN-2, respectively.
  • the AMF associated with slice 1 that serves terminal A is AMF1
  • the AMFs associated with slice 2 that serves terminal A are AMF1 and AMF2
  • the AMF that serves terminal A and associated with slice 3 is AMF2.
  • as needed, the AAA-s can initiate a slice re-authentication and re-authorization process (S1003) or a slice authorization revocation process (S1004).
  • S1003 Slice re-authentication and re-authorization process: execute the method shown in FIG. 4, FIG. 5, or FIG. 6.
  • S1004 Slice authorization revocation process: execute the method shown in FIG. 7, FIG. 8, or FIG. 9.
  • the solution provided by the embodiment of the present application can also be applied to a scenario where the terminal is only registered to one AMF. That is, the same scheme can be used in a scenario where one AMF is registered and a scenario where multiple AMFs are registered. The scheme is implemented under the same scheme framework, which reduces the complexity of implementation.
  • the NSSAAF may obtain the connection state information between the terminal and the AMF from the AMF.
  • the NSSAAF can obtain the access type corresponding to the AMF from the AMF.
  • NSSAAF can also be implemented by AUSF, that is, NSSAAF in the foregoing embodiment can be replaced with AUSF.
  • the network element 1100 shown in FIG. 11 includes a processing unit 1101 and a communication unit 1102. The processing unit 1101 is mainly used for processing, and the communication unit 1102 is mainly used for communicating with other network elements.
  • the network element 1100 is an authentication and authorization network element, which is used to implement the functions of the NSSAAF as shown in Figs. 2-10.
  • the processing unit 1101 and the communication unit 1102 are used to implement the following method: obtain a triggering network element that serves the terminal device and is associated with the first slice, and notify the triggering network element to perform the slice authentication and authorization operation of the first slice on the terminal device.
  • the authentication and authorization network element acquiring the triggering network element associated with the first slice serving the terminal device includes: the authentication and authorization network element acquiring, from the information storage network element, the first triggering network element associated with the terminal device and the first slice; and the authentication and authorization network element notifying the triggering network element to perform the slice authentication and authorization operation of the first slice on the terminal device includes: the authentication and authorization network element notifying the first triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device.
  • the authentication and authorization network element acquiring the first triggering network element associated with the terminal device and the first slice from the information storage network element includes: the authentication and authorization network element sending a first request to the information storage network element, where the first request includes the first identification information of the terminal device and the first identification information of the first slice and is used to obtain the first triggering network element; and the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes the first identification information of the first triggering network element.
  • the authentication and authorization network element acquiring a triggering network element associated with the first slice serving the terminal device includes: the authentication and authorization network element acquiring a plurality of first triggering network elements associated with the first slice serving the terminal device; and the authentication and authorization network element notifying the triggering network element to perform the slice authentication and authorization operation of the first slice on the terminal device includes: the authentication and authorization network element notifying the plurality of first triggering network elements to perform the slice authentication and authorization processing of the first slice on the terminal device.
  • the authentication and authorization network element acquiring a plurality of first triggering network elements associated with the first slice serving the terminal device includes: the authentication and authorization network element acquiring, from the information storage network element, the plurality of first triggering network elements associated with the terminal device and the first slice.
  • the authentication and authorization network element acquiring the plurality of first triggering network elements associated with the terminal device and the first slice from the information storage network element includes: the authentication and authorization network element sending a first request to the information storage network element, where the first request includes the first identification information of the terminal device and the first identification information of the first slice and is used to obtain the first triggering network elements; and the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes the identification information of the plurality of first triggering network elements.
  • the authentication and authorization network element acquiring a plurality of first triggering network elements associated with the first slice serving the terminal device includes: the authentication and authorization network element acquiring, from an information storage network element, a plurality of second triggering network elements associated with the terminal device and the slices associated with the plurality of second triggering network elements; and the authentication and authorization network element determining the plurality of first triggering network elements from the plurality of second triggering network elements according to the first slice and the slices associated with the plurality of second triggering network elements.
  • the authentication and authorization network element obtaining, from the information storage network element, the plurality of second triggering network elements associated with the terminal device and the slices associated with the plurality of second triggering network elements includes: the authentication and authorization network element sending a first request to the information storage network element, where the first request includes the first identification information of the terminal device and is used to obtain the second triggering network elements and the slices associated with the second triggering network elements; and the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes the identification information of the plurality of second triggering network elements and the identification information of the slices associated with the plurality of second triggering network elements.
  • the slice authentication and authorization process is the slice re-authentication and re-authorization;
  • the authentication and authorization network element obtaining the triggering network element associated with the first slice serving the terminal device includes: the authentication and authorization network element obtaining a plurality of first triggering network elements associated with the first slice serving the terminal device, and the authentication and authorization network element determining a second triggering network element from the plurality of first triggering network elements; and the authentication and authorization network element notifying the triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device includes: the authentication and authorization network element notifying the second triggering network element to perform the slice re-authentication and re-authorization of the first slice on the terminal device.
  • the authentication and authorization network element acquiring a plurality of first triggering network elements associated with the first slice serving the terminal device includes: the authentication and authorization network element acquiring, from the information storage network element, the plurality of first triggering network elements associated with the terminal device and the first slice.
  • the authentication and authorization network element acquiring the plurality of first triggering network elements associated with the terminal device and the first slice from the information storage network element includes: the authentication and authorization network element sending a first request to the information storage network element, where the first request includes the first identification information of the terminal device and the first identification information of the first slice and is used to obtain the first triggering network elements; and the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes the identification information of the plurality of first triggering network elements.
  • the authentication and authorization network element acquiring a plurality of first triggering network elements associated with the first slice serving the terminal device includes: the authentication and authorization network element acquiring, from an information storage network element, a plurality of second triggering network elements associated with the terminal device and the slices associated with the plurality of second triggering network elements; and the authentication and authorization network element determining the plurality of first triggering network elements from the plurality of second triggering network elements according to the first slice and the slices associated with the plurality of second triggering network elements.
  • the authentication and authorization network element obtaining, from the information storage network element, the plurality of second triggering network elements associated with the terminal device and the slices associated with the plurality of second triggering network elements includes: the authentication and authorization network element sending a first request to the information storage network element, where the first request includes the first identification information of the terminal device and is used to obtain the second triggering network elements and the slices associated with the second triggering network elements; and the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes the identification information of the plurality of second triggering network elements and the identification information of the slices associated with the plurality of second triggering network elements.
  • the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements includes: the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements according to the connection state between the terminal device and the plurality of first triggering network elements; where the connection state includes a connected state or an idle state.
  • the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements according to the connection state between the terminal device and the plurality of first triggering network elements includes: the authentication and authorization network element determining, from the plurality of first triggering network elements, a second triggering network element whose connection state with the terminal device is the connected state.
  • the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements according to the connection state between the terminal device and the plurality of first triggering network elements includes: when the connection state between the terminal device and each of the plurality of first triggering network elements is the idle state, the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements; where the access type includes 3GPP access and non-3GPP access.
  • the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements includes: The second triggering network element is determined among a plurality of first triggering network elements, and the access type corresponding to the second triggering network element is the 3GPP access.
  • the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements includes: the authentication and authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the access type corresponding to the plurality of first triggering network elements The second triggering network element is determined among the first triggering network elements; wherein, the access type includes 3GPP access and non-3GPP access.
  • the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements includes: The second triggering network element is determined among a plurality of first triggering network elements, and the access type corresponding to the second triggering network element is the 3GPP access.
  • the method further includes: the authentication and authorization network element obtains the connection status of the plurality of first triggering network elements from the information storage network element; or, the authentication and authorization network element obtains from the plurality of first triggering network elements The connection status of the multiple first trigger network elements.
  • the method further includes: the authentication and authorization network element obtains the access type corresponding to the plurality of first triggering network elements from the information storage network element; or, the authentication and authorization network element obtains from the plurality of first triggering network elements The element obtains the access types corresponding to the plurality of first triggering network elements.
  • the first request further includes: a first indication, which is used to indicate that the network element type is AMF; or, a second indication, which is used to indicate the slice authentication authorization processing.
  • the method further includes: the authentication and authorization network element receives a second request, the second request including second identification information of the terminal device and second identification information of the first slice, and the second request is used for Requesting the terminal device to initiate the slice authentication and authorization processing for the first slice.
  • the authentication and authorization network element is the NSSAAF.
  • the triggering network element is the AMF.
  • the information storage network element is the UDM.
  • the network element 1100 is an information storage network element, which is used to implement the UDM function as shown in Figs. 2-10.
  • processing unit 1101 and the communication unit 1102 are used to implement the following methods:
  • the information storage network element obtains slice authentication and authorization information, where the slice authentication and authorization information is used to indicate the terminal device, the triggering network element associated with the terminal device, and the slice associated with the terminal device and the triggering network element, the triggering network element is a triggering network element serving the terminal device, and the slice is a slice for which the terminal device is successfully authenticated and authorized on the triggering network element;
  • the information storage network element receives a first request from the authentication and authorization network element, the first request being used to request the first triggering network element associated with the terminal device and the first slice;
  • the information storage network element determines the first triggering network element according to the slice authentication and authorization information and the first request;
  • the information storage network element sends a first response to the authentication and authorization network element, where the first response includes the identification information of the first triggering network element.
  • the information storage network element determining the first triggering network element according to the slice authentication and authorization information and the first request includes: the information storage network element determines, according to the slice authentication and authorization information and the first request, a plurality of second triggering network elements associated with the terminal device and the first slice; and the information storage network element sending a first response to the authentication and authorization network element, the first response including the identification information of the first triggering network element, includes: the information storage network element sends the first response to the authentication and authorization network element, and the first response includes identification information of the plurality of second triggering network elements.
  • the first request further includes a first indication for indicating revocation of the slice authorization; and the information storage network element determining, according to the slice authentication and authorization information and the first request, the plurality of second triggering network elements associated with the terminal device and the first slice includes: the information storage network element determines the plurality of second triggering network elements according to the slice authentication and authorization information, the first request, and the first indication.
  • the information storage network element determining the first triggering network element according to the slice authentication and authorization information and the first request includes: the information storage network element determines, according to the slice authentication and authorization information and the first request, a third triggering network element among a plurality of second triggering network elements associated with the terminal device and the first slice; and the information storage network element sending a first response to the authentication and authorization network element, the first response including the identification information of the first triggering network element, includes: the information storage network element sends the first response to the authentication and authorization network element, and the first response includes the identification information of the third triggering network element.
  • the information storage network element determining, according to the slice authentication and authorization information and the first request, a third triggering network element among a plurality of second triggering network elements associated with the terminal device and the first slice includes: the information storage network element determines the plurality of second triggering network elements according to the slice authentication and authorization information and the first request; the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and the plurality of second triggering network elements; wherein the connection state includes a connected state or an idle state.
  • the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and the plurality of second triggering network elements includes: the information storage network element determines the third triggering network element from the plurality of second triggering network elements, and the connection state between the terminal device and the third triggering network element is the connected state.
  • the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and the plurality of second triggering network elements includes: when the connection state between the terminal device and each of the plurality of second triggering network elements is the idle state, the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements; wherein the access type includes 3GPP access and non-3GPP access.
  • the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements includes: the information storage network element determines the third triggering network element from the plurality of second triggering network elements, and the access type corresponding to the third triggering network element is 3GPP access.
  • the information storage network element determining, according to the slice authentication and authorization information and the first request, a third triggering network element among a plurality of second triggering network elements associated with the terminal device and the first slice includes: the information storage network element determines the plurality of second triggering network elements according to the slice authentication and authorization information and the first request; the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements; wherein the access type includes 3GPP access and non-3GPP access.
  • the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements includes: the information storage network element determines the third triggering network element from the plurality of second triggering network elements, and the access type corresponding to the third triggering network element is 3GPP access.
  • the first request further includes a second indication, and the second indication is used to indicate that the network element type is AMF.
  • the network element 1100 is a triggering network element, which is used to implement the functions of AMF1 or AMF2 as shown in Figs. 2-10.
  • processing unit 1101 and the communication unit 1102 are used to implement the following methods:
  • the triggering network element sends slice authentication and authorization information to the information storage network element, where the slice authentication and authorization information is used to indicate the terminal device, the triggering network element associated with the terminal device, and the slice associated with the terminal device and the triggering network element, the triggering network element is a triggering network element serving the terminal device, and the slice is a slice for which the terminal device is successfully authenticated and authorized on the triggering network element;
  • the triggering network element receives a notification from the authentication and authorization network element, and the notification is used to instruct that the slice authentication and authorization processing of the slice be performed for the terminal device; wherein the slice authentication and authorization processing includes: slice re-authentication and re-authorization, or slice authorization revocation.
  • the method further includes: the triggering network element initiates slice authentication and authorization processing of the slice for the terminal device.
  • FIG. 12 is a schematic structural diagram of another network element provided by an embodiment of the present application.
  • the network element 1200 shown in FIG. 12 includes at least one processor 1201, a memory 1202, and optionally, a communication interface 1203.
  • the memory 1202 may be a volatile memory, such as random access memory; the memory may also be a non-volatile memory, such as read-only memory, flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 1202 may be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 1202 may be a combination of the above-mentioned memories.
  • the specific connection medium between the foregoing processor 1201 and the memory 1202 is not limited in the embodiment of the present application.
  • the memory 1202 and the processor 1201 are connected by a bus 1204 in the figure; the bus 1204 is represented by a thick line, and the connection between the other components is only schematically illustrated and is not limited thereto.
  • the bus 1204 can be divided into an address bus, a data bus, a control bus, and the like. For ease of presentation, only one thick line is used in FIG. 12 to represent it, but this does not mean that there is only one bus or one type of bus.
  • the processor 1201 may have a data transceiver function and can communicate with other devices; alternatively, an independent data transceiver module, such as the communication interface 1203, may be used to send and receive data, in which case the processor 1201 transmits data through the communication interface 1203 when communicating with other devices.
  • when the network element 1200 is an authentication and authorization network element, the processor 1201 can call instructions in the memory 1202 to implement the functions of the NSSAAF in Figures 2-10 and the functions of the authentication and authorization network element with the structure shown in Figure 11.
  • when the network element 1200 is an information storage network element, the processor 1201 can call instructions in the memory 1202 to implement the functions of the UDM in Figures 2-10 and the functions of the information storage network element with the structure shown in Figure 11.
  • when the network element 1200 is a triggering network element, the processor 1201 can call instructions in the memory 1202 to implement the functions of AMF1 or AMF2 in Figures 2-10 and the functions of the triggering network element with the structure shown in Figure 11.
  • An embodiment of the present application also provides a communication system, which may include some or all of the authentication and authorization network elements, the information storage network elements, and the trigger network elements in FIG. 2 to FIG. 11.
  • the processing unit used to execute these techniques at a communication device can be implemented in one or more general-purpose processors, digital signal processors (DSP), digital signal processing devices, application-specific integrated circuits (ASIC), programmable logic devices, field-programmable gate arrays (FPGA) or other programmable logic devices, discrete gate or transistor logic, discrete hardware components, or any combination of the above.
  • the general-purpose processor may be a microprocessor.
  • the general-purpose processor may also be any traditional processor, controller, microcontroller, or state machine.
  • the processor can also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration.
  • the memory in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
  • the volatile memory may be random access memory (RAM), which is used as an external cache. By way of example but not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM) and direct rambus RAM (DR RAM).
  • the present application also provides a computer-readable medium on which a computer program is stored, and when the computer program is executed by a computer, the function of any of the foregoing method embodiments is realized.
  • This application also provides a computer program product, which, when executed by a computer, realizes the functions of any of the foregoing method embodiments.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from a website, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a digital video disc (DVD)), or a semiconductor medium (for example, a solid state disk (SSD)), etc.
  • the terms “system” and “network” in this application are often used interchangeably.
  • the term “and/or” in this application only describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist at the same time, or B exists alone, where A may be singular or plural and B may be singular or plural.
  • B corresponding to A means that B is associated with A, and B can be determined according to A.
  • determining B based on A does not mean that B is determined only based on A, and B can also be determined based on A and/or other information.
  • the corresponding relationships shown in the tables in this application can be configured or pre-defined.
  • the value of the information in each table is only an example, and can be configured to other values, which is not limited in this application.
  • the corresponding relationship shown in some rows may not be configured.
  • appropriate deformation adjustments can be made based on the above table, such as splitting, merging, and so on.
  • the names of the parameters shown in the titles in the above tables may also be other names that can be understood by the communication device, and the values or expressions of the parameters may also be other values or expressions that can be understood by the communication device.
  • other data structures can also be used, such as arrays, queues, containers, stacks, linear tables, pointers, linked lists, trees, graphs, structures, classes, heaps or hash tables, etc.
  • pre-definition in this application can be understood as definition, pre-definition, storage, pre-storage, pre-negotiation, pre-configuration, solidification or pre-burning.
  • the systems, devices, and methods described in this application can also be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, or the part that contributes to the existing technology, or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.
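The selection rule the claims above describe for the NSSAAF side (pick the AMF according to the UE's connection state, then its access type) and for the UDM side (return all associated AMFs for revocation, one "third triggering network element" otherwise), as an added example that is not code from the patent or from any 3GPP implementation. It models the UDM's "slice authentication and authorization information" as records of (UE, AMF, slices authenticated on that AMF, connection state, access type); the record layout, the names AmfRecord, select_trigger_amfs and naive_lookup, and the sample identifiers are constructed for illustration.

```python
"""Added example: AMF selection for slice re-authentication / authorization
revocation in the dual-registration case (two AMFs serving one UE).

Assumed data model (not the patent's or 3GPP's): one AmfRecord per (UE, AMF),
holding the slices successfully authenticated on that AMF, the UE's connection
state toward that AMF, and the AMF's access type.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

CONNECTED, IDLE = "connected", "idle"
ACCESS_3GPP, ACCESS_NON_3GPP = "3gpp", "non-3gpp"
REAUTH, REVOKE = "re-auth", "revoke"


@dataclass(frozen=True)
class AmfRecord:
    """One entry of the UDM's 'slice authentication and authorization information'."""
    ue_id: str
    amf_id: str
    slices: FrozenSet[str]   # S-NSSAIs authenticated and authorized on this AMF
    connection_state: str    # CONNECTED or IDLE, UE toward this AMF
    access_type: str         # ACCESS_3GPP or ACCESS_NON_3GPP


def naive_lookup(records: List[AmfRecord], ue_id: str) -> Optional[str]:
    """Slice-unaware lookup: the first AMF serving the UE. In dual registration
    this may return an AMF on which the slice was never authorized, which is the
    communication anomaly the patent sets out to avoid."""
    for r in records:
        if r.ue_id == ue_id:
            return r.amf_id
    return None


def candidate_amfs(records: List[AmfRecord], ue_id: str, slice_id: str) -> List[AmfRecord]:
    """The 'second triggering network elements': AMFs serving ue_id on which
    slice_id was successfully authenticated and authorized."""
    return [r for r in records if r.ue_id == ue_id and slice_id in r.slices]


def pick_one(candidates: List[AmfRecord]) -> Optional[AmfRecord]:
    """The 'third triggering network element': prefer an AMF toward which the UE
    is in connected state; if the UE is idle toward all of them, prefer the AMF
    reached over 3GPP access. Falls back to the first candidate otherwise."""
    if not candidates:
        return None
    connected = [r for r in candidates if r.connection_state == CONNECTED]
    if connected:
        return connected[0]
    over_3gpp = [r for r in candidates if r.access_type == ACCESS_3GPP]
    return (over_3gpp or candidates)[0]


def select_trigger_amfs(records: List[AmfRecord], ue_id: str,
                        slice_id: str, procedure: str) -> List[str]:
    """AMF ids the NSSAAF should notify. Authorization revocation (the request
    carrying the revocation indication) goes to every AMF on which the slice is
    authorized; re-authentication goes to the single AMF chosen by pick_one."""
    candidates = candidate_amfs(records, ue_id, slice_id)
    if procedure == REVOKE:
        return [r.amf_id for r in candidates]
    chosen = pick_one(candidates)
    return [chosen.amf_id] if chosen else []


# Constructed sample: one UE dual-registered via AMF2 (non-3GPP, connected) and
# AMF1 (3GPP, idle). Slice S1 is authorized only on AMF1, slice S2 on both.
SAMPLE_RECORDS = [
    AmfRecord("ue-constructed-001", "AMF2", frozenset({"S2"}), CONNECTED, ACCESS_NON_3GPP),
    AmfRecord("ue-constructed-001", "AMF1", frozenset({"S1", "S2"}), IDLE, ACCESS_3GPP),
]

if __name__ == "__main__":
    ue = "ue-constructed-001"
    # The slice-unaware lookup would send the S1 procedure to AMF2, which never
    # authorized S1; the slice-aware selection sends it to AMF1.
    print("naive lookup   :", naive_lookup(SAMPLE_RECORDS, ue))
    print("S1 re-auth     :", select_trigger_amfs(SAMPLE_RECORDS, ue, "S1", REAUTH))
    print("S2 re-auth     :", select_trigger_amfs(SAMPLE_RECORDS, ue, "S2", REAUTH))
    print("S2 revocation  :", select_trigger_amfs(SAMPLE_RECORDS, ue, "S2", REVOKE))
```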

Abstract

Embodiments of the present application provide a slice authentication and authorization management method, apparatus, and system. The method comprises: an authentication and authorization network element acquiring a trigger network element associated with a first slice and serving a terminal device; and the authentication and authorization network element instructing the trigger network element to perform slice authentication and authorization processing for the terminal device with respect to the first slice, wherein the slice authentication and authorization processing is a slice re-authentication and re-authorization procedure, or a slice authorization revocation procedure. The method can be used in a dual registration scenario, in 3GPP access and non-3GPP access scenarios, and in scenarios related to authentication and authorization of slices or other network functions.

Description

切片认证授权管理方法、装置和系统Slice authentication and authorization management method, device and system 技术领域Technical field
本申请涉及通信技术领域,尤其涉及切片认证授权管理方法、装置和系统。This application relates to the field of communication technology, and in particular to a method, device and system for slice authentication and authorization management.
背景技术Background technique
5G时代是一个万物感知、万物智能和万物互联的时代。不同的服务对于网络的要求是多样化的。例如智能家居和智能电网等需要大量的连接和频繁的小型数据包的传输;自动驾驶和工业控制需要毫秒级的延迟和接近100%的可靠性;娱乐信息服务要求宽带连接。因此,5G网络需要更加灵活以支撑不同服务对于网络的多样化要求。目前,业界将5G时代的业务归纳成三种典型的类型:增强移动宽带(eMBB)业务、超高可靠性超低时延通信(URLLC)业务和海量物联网通信(mMTC)业务。The 5G era is an era of perception, intelligence and interconnection of all things. Different services have diversified requirements for the network. For example, smart homes and smart grids require a large number of connections and frequent transmission of small data packets; autonomous driving and industrial control require millisecond-level delays and close to 100% reliability; entertainment information services require broadband connections. Therefore, 5G networks need to be more flexible to support the diversified requirements of different services on the network. At present, the industry summarizes the services in the 5G era into three typical types: enhanced mobile broadband (eMBB) services, ultra-high reliability and ultra-low latency communication (URLLC) services, and massive Internet of Things communication (mMTC) services.
为了适配不同服务对于网络的差异化需求,网络切片技术随之诞生。网络切片技术,通常是指将运营商的物理网络划分为多个虚拟网络,每一个虚拟网络根据不同的服务需求,例如时延、带宽、安全性和可靠性等,来进行划分,以灵活应对不同类型的业务。网络切片可简称为切片。In order to adapt to the differentiated requirements of different services on the network, network slicing technology was born. Network slicing technology usually refers to dividing the operator’s physical network into multiple virtual networks. Each virtual network is divided according to different service requirements, such as delay, bandwidth, security, and reliability, to respond flexibly Different types of business. Network slicing can be referred to as slicing for short.
终端在注册到网络时,网络为终端确定允许接入的一个或者多个网络切片,网络可以根据需要发起对网络切片的切片认证和授权。在对网络切片的认证和授权后,网络可以根据需要对网络切片发起切片重认证和重授权、或者切片授权撤销。When the terminal registers to the network, the network determines one or more network slices that the terminal is allowed to access, and the network can initiate slice authentication and authorization for the network slices as needed. After the network slice is authenticated and authorized, the network can initiate slice re-authentication and re-authorization, or revoke the slice authorization for the network slice as needed.
在5G的网络架构支持双注册,允许终端注册到不同的网络。例如,终端可以通过非第三代合作伙伴计划(non-3GPP)接入和第三代合作伙伴计划(3GPP)接入注册到两个属于不同公共陆地移动网(PLMN)的网络。终端也可以通过在上述两个网络中,由两个网络各自的接入和移动性管理功能(AMF)为该终端提供服务,不同的AMF为终端确定的允许接入的一个或多个网络切片可以包括相同的切片,也可以包括不同的切片。在双注册的场景中,网络同样可以根据需要对终端允许接入的切片进行切片认证和授权。随后,网络可以根据需要对切片进行切片重认证和重授权、或者切片授权撤销。The 5G network architecture supports dual registration, allowing terminals to register to different networks. For example, the terminal may be registered to two networks belonging to different public land mobile networks (PLMN) through non-third generation partnership project (non-3GPP) access and third generation partnership project (3GPP) access. The terminal can also provide services for the terminal through the respective access and mobility management functions (AMF) of the two networks in the above two networks, and different AMFs are one or more network slices determined by the terminal to allow access. It can include the same slice or different slices. In the dual-registration scenario, the network can also perform slice authentication and authorization on the slices that the terminal is allowed to access as needed. Subsequently, the network can re-authenticate and re-authorize the slices, or revoke the authorization of the slices as needed.
在上述双注册场景中,有2个AMF为同一个终端提供服务,网络在对切片进行切片重认证和重授权、或者切片授权撤销时可能会出现通信异常的现象。这种通信异常的现象可能也会出现在其他的由多个相同类型的网元为终端提供服务的场景下。In the above dual-registration scenario, there are two AMFs that provide services for the same terminal. When the network performs slice reauthentication and reauthorization on the slice, or when the slice authorization is revoked, abnormal communication may occur. This abnormal communication phenomenon may also occur in other scenarios where multiple network elements of the same type provide services for the terminal.
发明内容Summary of the invention
本申请实施例用于提供切片认证授权管理方法、装置以及系统,用于改善由于进行切片重认证和重授权、或者进行切片授权撤销导致的通信异常。The embodiments of the present application are used to provide a slice authentication and authorization management method, device, and system, which are used to improve communication abnormalities caused by performing slice re-authentication and re-authorization, or performing slice authorization revocation.
为了实现以上目的,本申请实施例提供以下方案。In order to achieve the above objectives, the embodiments of the present application provide the following solutions.
第一方面,本申请实施例提供一种切片认证授权管理方法,包括:认证授权网元获取服务于终端装置的与第一切片关联的触发网元;该认证授权网元通知该触发网元对该终端装置进行该第一切片的切片认证授权处理;其中,该切片认证授权处理为:切片重认证和重授权、或者切片授 权撤销。In a first aspect, an embodiment of the present application provides a slice authentication and authorization management method, including: an authentication and authorization network element obtains a trigger network element associated with a first slice serving a terminal device; the authentication and authorization network element notifies the trigger network element Perform slice authentication and authorization processing of the first slice on the terminal device; wherein the slice authentication and authorization processing includes: slice re-authentication and re-authorization, or slice authorization revoking.
通过第一方面的方法,认证授权网元可以利用切片的信息可以准确获取服务于终端的与切片关联的触发网元,从而能避免一个终端关联多个触发网元时,错误的获取不与该切片关联的触发网元而导致的通信异常。Through the method of the first aspect, the authentication and authorization network element can use the slice information to accurately obtain the trigger network element associated with the slice serving the terminal, thereby avoiding that when a terminal is associated with multiple trigger network elements, the wrong acquisition is not related to the An abnormal communication caused by the triggering network element associated with the slice.
In an optional implementation, the authentication and authorization network element obtaining the triggering network element that serves the terminal device and is associated with the first slice includes: the authentication and authorization network element obtains, from an information storage network element, a first triggering network element associated with the terminal device and the first slice; and the authentication and authorization network element notifying the triggering network element to perform the slice authentication and authorization operation of the first slice for the terminal device includes: the authentication and authorization network element notifies the first triggering network element to perform the slice authentication and authorization processing of the first slice for the terminal device. By using an information storage network element, this implementation facilitates the sharing and exchange of slice-related information between different networks.
In an optional implementation, the authentication and authorization network element obtaining the triggering network element that serves the terminal device and is associated with the first slice includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice and is used to obtain the first triggering network element; and the authentication and authorization network element receives a first response from the information storage network element, where the first response includes first identification information of the first triggering network element.
In an optional implementation, the authentication and authorization network element obtaining the triggering network element that serves the terminal device and is associated with the first slice includes: the authentication and authorization network element obtains a plurality of first triggering network elements that serve the terminal device and are associated with the first slice; and the authentication and authorization network element notifying the triggering network element to perform the slice authentication and authorization operation of the first slice for the terminal device includes: the authentication and authorization network element notifies the plurality of first triggering network elements to perform the slice authentication and authorization processing of the first slice for the terminal device.
In an optional implementation, the authentication and authorization network element obtaining the plurality of first triggering network elements that serve the terminal device and are associated with the first slice includes: the authentication and authorization network element obtains, from an information storage network element, the plurality of first triggering network elements associated with the terminal device and the first slice.
In an optional implementation, the authentication and authorization network element obtaining, from the information storage network element, the plurality of first triggering network elements associated with the terminal device and the first slice includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice and is used to obtain the first triggering network elements; and the authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of first triggering network elements.
In an optional implementation, the authentication and authorization network element obtaining the plurality of first triggering network elements that serve the terminal device and are associated with the first slice includes: the authentication and authorization network element obtains, from an information storage network element, a plurality of second triggering network elements associated with the terminal device and the slices associated with the plurality of second triggering network elements; and the authentication and authorization network element determines the plurality of first triggering network elements from the plurality of second triggering network elements according to the first slice and the slices associated with the plurality of second triggering network elements.
In an optional implementation, the authentication and authorization network element obtaining, from the information storage network element, the plurality of second triggering network elements associated with the terminal device and the slices associated with the plurality of second triggering network elements includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and is used to obtain the second triggering network elements and the slices associated with them; and the authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of second triggering network elements and identification information of the slices associated with the plurality of second triggering network elements.
In an optional implementation, the slice authentication and authorization processing is slice re-authentication and re-authorization; the authentication and authorization network element obtaining the triggering network element that serves the terminal device and is associated with the first slice includes: the authentication and authorization network element obtains a plurality of first triggering network elements that serve the terminal device and are associated with the first slice, and determines a second triggering network element from the plurality of first triggering network elements; and the authentication and authorization network element notifying the triggering network element to perform the slice authentication and authorization processing of the first slice for the terminal device includes: the authentication and authorization network element notifies the second triggering network element to perform slice re-authentication and re-authorization of the first slice for the terminal device. With this implementation, when a plurality of triggering network elements are associated with a slice, a single network element can be selected to perform slice re-authentication and re-authorization for the terminal, which avoids repeated re-authentication and re-authorization and saves signaling.
In an optional implementation, the authentication and authorization network element obtaining the plurality of first triggering network elements that serve the terminal device and are associated with the first slice includes: the authentication and authorization network element obtains, from an information storage network element, the plurality of first triggering network elements associated with the terminal device and the first slice.
In an optional implementation, the authentication and authorization network element obtaining, from the information storage network element, the plurality of first triggering network elements associated with the terminal device and the first slice includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice and is used to obtain the first triggering network elements; and the authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of first triggering network elements.
In an optional implementation, the authentication and authorization network element obtaining the plurality of first triggering network elements that serve the terminal device and are associated with the first slice includes: the authentication and authorization network element obtains, from an information storage network element, a plurality of second triggering network elements associated with the terminal device and the slices associated with the plurality of second triggering network elements; and the authentication and authorization network element determines the plurality of first triggering network elements from the plurality of second triggering network elements according to the first slice and the slices associated with the plurality of second triggering network elements.
In an optional implementation, the authentication and authorization network element obtaining, from the information storage network element, the plurality of second triggering network elements associated with the terminal device and the slices associated with the plurality of second triggering network elements includes: the authentication and authorization network element sends a first request to the information storage network element, where the first request includes first identification information of the terminal device and is used to obtain the second triggering network elements and the slices associated with them; and the authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of second triggering network elements and identification information of the slices associated with the plurality of second triggering network elements.
In an optional implementation, the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements includes: the authentication and authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the connection state between the terminal device and each of the plurality of first triggering network elements, where the connection state is a connected state or an idle state. Selecting the triggering network element by connection state makes it possible to choose a triggering network element that is better suited to perform the slice authentication and authorization processing.
In an optional implementation, the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements according to the connection state between the terminal device and the plurality of first triggering network elements includes: the authentication and authorization network element determines, from the plurality of first triggering network elements, the second triggering network element as one whose connection state with the terminal device is the connected state.
In an optional implementation, the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements according to the connection state between the terminal device and the plurality of first triggering network elements includes: when the connection state between the terminal device and every one of the plurality of first triggering network elements is the idle state, the authentication and authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements, where the access type is 3GPP access or non-3GPP access. Additionally considering the access type when selecting the triggering network element makes it possible to choose a triggering network element that is better suited to perform the slice authentication and authorization processing.
In an optional implementation, the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements includes: the authentication and authorization network element determines, from the plurality of first triggering network elements, the second triggering network element as one whose corresponding access type is 3GPP access.
In an optional implementation, the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements includes: the authentication and authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements, where the access type is 3GPP access or non-3GPP access.
In an optional implementation, the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements includes: the authentication and authorization network element determines, from the plurality of first triggering network elements, the second triggering network element as one whose corresponding access type is 3GPP access.
In an optional implementation, the method further includes: the authentication and authorization network element obtains the connection states of the plurality of first triggering network elements from the information storage network element; or the authentication and authorization network element obtains the connection states of the plurality of first triggering network elements from the plurality of first triggering network elements themselves.
In an optional implementation, the method further includes: the authentication and authorization network element obtains the access types corresponding to the plurality of first triggering network elements from the information storage network element; or the authentication and authorization network element obtains the access types corresponding to the plurality of first triggering network elements from the plurality of first triggering network elements themselves.
In an optional implementation, the first request further includes a first indication, which indicates that the network element type is AMF; or a second indication, which indicates the slice authentication and authorization processing.
In an optional implementation, the method further includes: the authentication and authorization network element receives a second request, where the second request includes second identification information of the terminal device and second identification information of the first slice and requests that the slice authentication and authorization processing of the first slice be initiated for the terminal device.
In an optional implementation, the authentication and authorization network element is an NSSAAF, and the triggering network element is an AMF.
In an optional implementation, the information storage network element is a UDM.
In a second aspect, an embodiment of this application provides a slice authentication and authorization management method, including: an information storage network element obtains slice authentication and authorization information, which indicates a terminal device, a triggering network element associated with the terminal device, and a slice associated with the terminal device and the triggering network element, where the triggering network element is a triggering network element serving the terminal device and the slice is a slice for which the terminal device has been successfully authenticated and authorized on the triggering network element; the information storage network element receives a first request from an authentication and authorization network element, the first request requesting a first triggering network element associated with the terminal device and the first slice; the information storage network element determines the first triggering network element according to the slice authentication and authorization information and the first request; and the information storage network element sends a first response to the authentication and authorization network element, the first response including identification information of the first triggering network element. Optionally, the information storage network element is a UDM, an HSS, or an HLR.
By the method of the second aspect, the information storage network element can obtain the terminal, the triggering network element serving the terminal, and the slices associated with the terminal and the triggering network element, and can provide the correct triggering network element to the authentication and authorization network element on request, so that the authentication and authorization network element can notify the correct triggering network element to perform the slice authentication and authorization processing.
In an optional implementation, the information storage network element determining the first triggering network element according to the slice authentication and authorization information and the first request includes: the information storage network element determines, according to the slice authentication and authorization information and the first request, a plurality of second triggering network elements associated with the terminal device and the first slice; and the information storage network element sending the first response including the identification information of the first triggering network element to the authentication and authorization network element includes: the information storage network element sends the first response to the authentication and authorization network element, where the first response includes identification information of the plurality of second triggering network elements.
In an optional implementation, the first request further includes a first indication, which indicates slice authorization revocation; and the information storage network element determining, according to the slice authentication and authorization information and the first request, the plurality of second triggering network elements associated with the terminal device and the first slice includes: the information storage network element determines the plurality of second triggering network elements according to the slice authentication and authorization information, the first request, and the first indication.
In an optional implementation, the information storage network element determining the first triggering network element according to the slice authentication and authorization information and the first request includes: the information storage network element determines, according to the slice authentication and authorization information and the first request, a third triggering network element among a plurality of second triggering network elements associated with the terminal device and the first slice; and the information storage network element sending the first response including the identification information of the first triggering network element to the authentication and authorization network element includes: the information storage network element sends the first response to the authentication and authorization network element, where the first response includes identification information of the third triggering network element.
In an optional implementation, the information storage network element determining, according to the slice authentication and authorization information and the first request, the third triggering network element among the plurality of second triggering network elements associated with the terminal device and the first slice includes: the information storage network element determines the plurality of second triggering network elements according to the slice authentication and authorization information and the first request; and the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and each of the plurality of second triggering network elements, where the connection state is a connected state or an idle state.
In an optional implementation, the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and the plurality of second triggering network elements includes: the information storage network element determines, from the plurality of second triggering network elements, the third triggering network element as one whose connection state with the terminal device is the connected state.
In an optional implementation, the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and the plurality of second triggering network elements includes: when the connection state between the terminal device and every one of the plurality of second triggering network elements is the idle state, the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements, where the access type is 3GPP access or non-3GPP access.
In an optional implementation, the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements includes: the information storage network element determines, from the plurality of second triggering network elements, the third triggering network element as one whose corresponding access type is 3GPP access.
In an optional implementation, the information storage network element determining, according to the slice authentication and authorization information and the first request, the third triggering network element among the plurality of second triggering network elements associated with the terminal device and the first slice includes: the information storage network element determines the plurality of second triggering network elements according to the slice authentication and authorization information and the first request; and the information storage network element determines the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements, where the access type is 3GPP access or non-3GPP access.
In an optional implementation, the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements includes: the information storage network element determines, from the plurality of second triggering network elements, the third triggering network element as one whose corresponding access type is 3GPP access.
In an optional implementation, the first request further includes a second indication, which indicates that the network element type is AMF.
In a third aspect, an embodiment of this application provides a slice authentication and authorization management method, characterized in that it includes: a triggering network element sends slice authentication and authorization information to an information storage network element, where the slice authentication and authorization information indicates a terminal device, the triggering network element associated with the terminal device, and a slice associated with the terminal device and the triggering network element, the triggering network element is a triggering network element serving the terminal device, and the slice is a slice for which the terminal device has been successfully authenticated and authorized on the triggering network element; and the triggering network element receives a notification from an authentication and authorization network element, the notification instructing it to perform slice authentication and authorization processing of the slice for the terminal device, where the slice authentication and authorization processing is slice re-authentication and re-authorization, or slice authorization revocation.
In an optional implementation, the method further includes: the triggering network element initiates the slice authentication and authorization processing of the slice for the terminal device.
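The first, second and third aspects above describe one data flow: the triggering network element reports (terminal, triggering network element, slice) associations to the information storage network element after a successful slice authentication; the authentication and authorization network element later queries that store with a first request and decides which triggering network element(s) to notify, all of them for slice authorization revocation and a single one for re-authentication and re-authorization, chosen by connected state first and then by 3GPP access when the terminal is idle on every candidate. The Python model below is an added example of that bookkeeping and selection logic; it is not code from the patent or from any 3GPP network function. The class names `InformationStore`, `AuthServer` and `TriggerRecord`, the function `select_trigger_ne`, and every terminal id, AMF name and slice id in it are this example's own constructed assumptions.

```python
"""Toy model of the slice authentication/authorization bookkeeping in the text.
Added example, not patent or 3GPP code: role names follow the page's wording;
class/function names and all ids (UE, AMF, slice) are constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class ConnState(Enum):
    CONNECTED = "connected"  # terminal is in connected state with this trigger NE
    IDLE = "idle"            # terminal is in idle state with this trigger NE


class AccessType(Enum):
    GPP = "3gpp"
    NON_GPP = "non-3gpp"


@dataclass
class TriggerRecord:
    """One trigger NE (e.g. an AMF) serving a terminal, as known to the store."""
    ne_id: str
    access: AccessType
    state: ConnState = ConnState.IDLE
    slices: set = field(default_factory=set)  # slices whose NSSAA succeeded on this NE


class InformationStore:
    """Information storage NE (e.g. UDM): (terminal, trigger NE, slice) associations."""

    def __init__(self):
        self._by_ue = {}  # ue_id -> {ne_id: TriggerRecord}

    def store_slice_auth_info(self, ue_id, ne_id, access, slice_id):
        """Third aspect: a trigger NE reports a slice authenticated and authorized on it."""
        recs = self._by_ue.setdefault(ue_id, {})
        rec = recs.setdefault(ne_id, TriggerRecord(ne_id, access))
        rec.slices.add(slice_id)

    def set_conn_state(self, ue_id, ne_id, state):
        """Connection state as a trigger NE would report it (assumed interface)."""
        self._by_ue[ue_id][ne_id].state = state

    def lookup(self, ue_id, slice_id):
        """First request/response: every trigger NE associated with both the
        terminal and the slice, in the order the associations were stored."""
        return [r for r in self._by_ue.get(ue_id, {}).values() if slice_id in r.slices]


def select_trigger_ne(candidates):
    """Pick one trigger NE for re-authentication and re-authorization: prefer a NE
    the terminal is connected to; if the terminal is idle on every candidate,
    prefer one reached over 3GPP access. Returns None when there is no candidate."""
    if not candidates:
        return None
    connected = [c for c in candidates if c.state is ConnState.CONNECTED]
    if connected:
        return connected[0]
    via_3gpp = [c for c in candidates if c.access is AccessType.GPP]
    return (via_3gpp or candidates)[0]


class AuthServer:
    """Authentication and authorization NE (e.g. NSSAAF)."""

    def __init__(self, store):
        self.store = store

    def handle_second_request(self, ue_id, slice_id, operation):
        """Second request: "reauth" notifies one selected trigger NE, "revoke"
        notifies every trigger NE associated with the terminal and the slice.
        Returns the ids of the trigger NEs that would be notified."""
        candidates = self.store.lookup(ue_id, slice_id)  # first request/response
        if operation == "revoke":
            return [c.ne_id for c in candidates]
        if operation == "reauth":
            chosen = select_trigger_ne(candidates)
            return [chosen.ne_id] if chosen else []
        raise ValueError(f"unknown operation {operation!r}")


def build_sample_store():
    """Constructed scenario: one terminal registered through two AMFs."""
    store = InformationStore()
    ue = "ue-sample-001"  # constructed terminal identifier
    store.store_slice_auth_info(ue, "AMF-A", AccessType.GPP, "S-NSSAI-1")
    store.store_slice_auth_info(ue, "AMF-A", AccessType.GPP, "S-NSSAI-2")
    store.store_slice_auth_info(ue, "AMF-B", AccessType.NON_GPP, "S-NSSAI-1")
    store.set_conn_state(ue, "AMF-B", ConnState.CONNECTED)
    return store, ue


if __name__ == "__main__":
    store, ue = build_sample_store()
    nssaaf = AuthServer(store)
    print(nssaaf.handle_second_request(ue, "S-NSSAI-1", "reauth"))  # ['AMF-B']
    print(nssaaf.handle_second_request(ue, "S-NSSAI-1", "revoke"))  # ['AMF-A', 'AMF-B']
    store.set_conn_state(ue, "AMF-B", ConnState.IDLE)
    print(nssaaf.handle_second_request(ue, "S-NSSAI-1", "reauth"))  # ['AMF-A']
```

The model keeps the two decisions the text separates: revocation must reach every triggering network element on which the slice was authorized, while re-authentication needs only one, so the selection helper is applied only on the "reauth" path. The same `select_trigger_ne` logic can sit on either side, in the authentication and authorization network element (first aspect) or in the information storage network element returning a single third triggering network element (second aspect).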
In a fourth aspect, an embodiment of this application provides an authentication and authorization network element, including a processor and a memory, where the processor is configured to read and execute instructions from the memory to implement the method of the first aspect.
In a fifth aspect, an embodiment of this application provides an information storage network element, including a processor and a memory, where the processor is configured to read and execute instructions from the memory to implement the method of the second aspect.
In a sixth aspect, an embodiment of this application provides a triggering network element, including a processor and a memory, where the processor is configured to read and execute instructions from the memory to implement the method of the third aspect.
In a seventh aspect, an embodiment of this application provides a network element including functional units for implementing the method of the first aspect.
In an eighth aspect, an embodiment of this application provides a network element including functional units for implementing the method of the second aspect.
In a ninth aspect, an embodiment of this application provides a network element including functional units for implementing the method of the third aspect.
In a tenth aspect, an embodiment of this application provides a communication system including at least two of the following network elements: the authentication and authorization network element of the fourth aspect, the information storage network element of the fifth aspect, and the triggering network element of the sixth aspect.
第十一方面,本申请实施例提供一种计算机程序产品,包括指令,当指令在计算机执行时,使得该计算机实现如第一方面的方法。In an eleventh aspect, an embodiment of the present application provides a computer program product, including instructions. When the instructions are executed on a computer, the computer realizes the method of the first aspect.
第十二方面,本申请实施例提供一种计算机程序产品,包括指令,当指令在计算机执行时,使得该计算机实现如第二方面的方法。In the twelfth aspect, embodiments of the present application provide a computer program product, including instructions, which when executed on a computer, cause the computer to implement the method of the second aspect.
第十三方面,本申请实施例提供一种计算机程序产品,其特征在于,包括指令,当指令在计算机执行时,使得该计算机实现如第三方面的方法。In a thirteenth aspect, an embodiment of the present application provides a computer program product, which is characterized by including instructions, which when executed on a computer, cause the computer to implement the method as in the third aspect.
第十四方面,本申请实施例提供一种计算机可读存储介质,包括如第十一方面的计算机程序产品。In a fourteenth aspect, an embodiment of the present application provides a computer-readable storage medium, including the computer program product of the eleventh aspect.
第十五方面,本申请实施例提供一种计算机可读存储介质,包括如第十二方面的计算机程序产品。In a fifteenth aspect, an embodiment of the present application provides a computer-readable storage medium, including a computer program product as in the twelfth aspect.
第十六方面,本申请实施例提供一种计算机可读存储介质,其特征在于,包括如第十三方面的计算机程序产品。In a sixteenth aspect, an embodiment of the present application provides a computer-readable storage medium, which is characterized by including the computer program product of the thirteenth aspect.
In the solutions of the above aspects, by associating the slice, the terminal, and the triggering network element, the triggering network element associated with the slice that serves the terminal can be accurately obtained, thereby ensuring the correct execution of the slice re-authentication and re-authorization procedure and of the slice authorization revocation procedure, and avoiding communication errors.
Description of the drawings
Figure 1 is a schematic diagram of a dual registration scenario in a 5G network;
Figure 2 is a schematic diagram of a method for terminal A to authenticate and authorize slices in PLMN-1;
Figure 3 is a schematic diagram of a method for terminal A to authenticate and authorize slices in PLMN-2;
Figure 4 is a schematic diagram of a method in which AAA-s initiates re-authentication and re-authorization of slice 1;
Figure 5 is a schematic diagram of a method in which AAA-s initiates re-authentication and re-authorization of slice 2;
Figure 6 is a schematic diagram of another method in which AAA-s initiates re-authentication and re-authorization of slice 2;
Figure 7 is a schematic diagram of a method in which AAA-s initiates authorization revocation of slice 1;
Figure 8 is a schematic diagram of a method in which AAA-s initiates authorization revocation of slice 2;
Figure 9 is a schematic diagram of another method in which AAA-s initiates authorization revocation of slice 2;
Figure 10 is a schematic diagram of a method for slice authentication and authorization management;
Figure 11 is a schematic diagram of one structure of a network element;
Figure 12 is a schematic diagram of another structure of a network element.
Detailed description of the embodiments
In order to describe the technical solutions of the present application more clearly and completely, the embodiments of the present application are described below with reference to the accompanying drawings.
The embodiments of the present application are mainly described using the dual registration scenario of a 5G network as an example.
The 5G network is the new generation of mobile communication network defined by 3GPP after the 4G network. The 5G network architecture includes an access network and a core network. The access network implements functions related to wireless access. Access networks are mainly divided into 3GPP access networks and non-3GPP access networks. A 3GPP access network is an access network using a 3GPP access technology, for example NR (new radio) or LTE (long term evolution). A non-3GPP access network is an access network using a non-3GPP access technology, for example WiMax or WLAN (wireless local area network). The core network implements functions related to authentication, access, mobility management, session management, policy management, and so on. The core network of the 5G network may be referred to as 5GC for short. Compared with the 4G core network, 5GC adopts an architecture in which the control plane is separated from the user plane, as well as a service-based architecture. It should be noted that the solution of this application is applicable not only to 5G networks, but also to evolved 4G networks or future networks such as 6G. The network to which the solution of this application applies may adopt an architecture in which the control plane and the user plane are separated, or one in which the control plane and the user plane are integrated. It may likewise adopt a service-based architecture or a non-service-based architecture.
The logical network elements included in 5GC mainly comprise: AMF (access and mobility management function), SMF (session management function), UPF (user plane function), UDM (unified data management), and AUSF (authentication server function). Different logical network elements of 5GC can be deployed on the same or on different physical devices. As a typical deployment, AMF and SMF can be deployed on the same physical device. In addition, the logical network elements of 5GC can be deployed on the same physical device as the network elements of the 4G core network.
AMF is a network element for terminal access and mobility management, mainly involving functions such as terminal location update, network registration, and handover control. SMF is a network element for managing the sessions of a terminal, mainly involving functions such as session establishment, modification, and release. UPF is a network element for receiving and forwarding user data; UPF is controlled by SMF. UDM is a network element for managing user information, mainly involving functions such as generating authentication credentials, storing and managing the user's permanent identity, access authorization control, and user subscription data management. AUSF is a network element for authenticating the terminal's access to the network. It should be noted that as the 5G network evolves, the names of the above logical network elements may change, and their functions may be merged, separated, or even changed; such changes do not mean a departure from the scope of application of the solution of this application.
Optionally, in order to implement functions related to authentication and authorization of slices, an NSSAAF (Network Slice-Specific Authentication and Authorization Function) network element can be introduced.
Through the 5G network, a terminal can communicate with a data network (DN). In mobile communication, a terminal is a device with a wireless communication function, and may be called a terminal device. For example, it can be a handheld device, a vehicle-mounted device, a wearable device, or a computing device with a wireless communication function, or a water meter, electricity meter, sensor, chip, chip system, baseband chip, baseband board, or the like connected to a wireless modem. In different networks the terminal may have different names; for example, it may be called user equipment (UE), a mobile station (MS), a wireless local loop (WLL) station, and so on. A DN is a service network that provides services to users, such as an IMS (IP multimedia service) network or the Internet.
The 5G network supports terminals accessing the network side through different access technologies. In the dual registration scenario of the 5G network, a terminal can register to the network side through 3GPP access and through non-3GPP access separately. For the concept and description of 5G dual registration, see, for example, 3GPP TS 23.501 v16.4.0, section 5.3.2.4 (Support of a UE registered over both 3GPP and Non-3GPP access).
Figure 1 is a schematic diagram of a dual registration scenario in a 5G network. As shown in Figure 1, the terminal accesses different networks through 3GPP access and non-3GPP access respectively. It can be understood that "different networks" means that the networks differ in some attribute. For example, different networks may belong to different PLMNs (public land mobile networks). As another example, different networks may use different technologies, such as a 5G network and a 4G network. In Figure 1, the 3GPP access and the non-3GPP access belong to different PLMNs: the 3GPP access belongs to PLMN-1, and the non-3GPP access belongs to PLMN-2. Since the 3GPP access and the non-3GPP access selected by the terminal belong to different PLMNs, different AMFs serve the terminal: in PLMN-1, AMF1 serves terminal A, and in PLMN-2, AMF2 serves terminal A. Since the non-3GPP access network in Figure 1 is an untrusted non-3GPP access network, terminal A needs to interact with AMF2 through an N3IWF. The N3IWF (non-3GPP interworking function) is a network element that supports interworking between non-3GPP access network elements or nodes and network elements of the 3GPP network. The non-3GPP access network may also be a trusted non-3GPP access network; in that case the terminal can interact with the AMF through a TNGF (Trusted Non-3GPP Gateway Function). The non-3GPP access network may also be a wireline 5G access network; in that case the terminal can interact with the AMF through a W-AGF (Wireline Access Gateway Function). It should be noted that the dual registration scenario shown in Figure 1 is only an example; the solution of the present application can also be applied to other scenarios in which multiple network elements of the same type serve a terminal.
The 5G network supports determining, when a terminal registers to the network, the slices the terminal is allowed to access. In the dual registration scenario of Figure 1, when terminal A registers to PLMN-1 through 3GPP access, AMF1 can select slice 1 and slice 2 for terminal A to register, according to the user subscription data and/or terminal A's request, and initiate the slice authentication and authorization procedure for slice 1 and slice 2; when the terminal registers to PLMN-2 through non-3GPP access, AMF2 can select slice 1 and slice 3 for terminal A to register, according to the user subscription data and/or the terminal's request, and initiate the slice authentication and authorization procedure for slice 1 and slice 3. Optionally, AMF2's slice authentication and authorization for slice 1 may be determined based on the result of AMF1's slice authentication and authorization for slice 1. The user subscription data can be obtained from the UDM, and the AUSF (or NSSAAF) and the AAA-s can be used to handle the authentication and/or authorization of slices. Here, the AAA-s (authentication, authorization and accounting server) is a verification server that provides services such as authentication, authorization, and accounting. The AAA-s may belong to the operator or to a third party. Optionally, an AAA-p (authentication, authorization and accounting proxy) can be deployed between the AUSF (or NSSAAF) and the AAA-s; the AAA-p is an authentication, authorization and accounting proxy network element that belongs to the operator and can be used to relay information between the AUSF (or NSSAAF) and the AAA-s. In this application, a procedure that performs authentication, a procedure that performs authorization, and a procedure that performs both authentication and authorization are collectively referred to as an authentication and authorization procedure; that is, "authentication and authorization procedure" may refer to a procedure that performs authentication, a procedure that performs authorization, or a procedure that performs both. The terms 认证 and 鉴权 are both used for authentication. A slice authentication and authorization procedure is an authentication and authorization procedure performed for a slice. When needed, the AAA-s can initiate a re-authentication and re-authorization procedure for a slice, or an authorization revocation procedure for a slice. Similarly, in this application, "re-authentication and re-authorization procedure" may refer to a procedure that performs re-authentication, a procedure that performs re-authorization, or a procedure that performs both. A slice re-authentication and re-authorization procedure is a re-authentication and re-authorization procedure performed for a slice. In this application, the procedure for revoking the authorization of a slice may be referred to as the slice authorization revocation procedure.
For example, for the slice authentication and authorization procedure, see 3GPP TS 23.502 v16.4.0, section 4.2.9.2 (Network Slice-Specific Authentication and Authorization); for the slice re-authentication and re-authorization procedure, see 3GPP TS 23.502 v16.4.0, section 4.2.9.3 (AAA Server triggered Network Slice-Specific Re-authentication and Re-authorization procedure); for the slice authorization revocation procedure, see 3GPP TS 23.502 v16.4.0, section 4.2.9.4 (AAA Server triggered Slice-Specific Authorization Revocation). It should be noted that the content of the 3GPP specifications cited in this application may change; such changes do not mean a departure from the scope of application of the solution of this application.
It should be noted that the solution of this application is applicable not only to the authentication and authorization procedure, the re-authentication and re-authorization procedure, and the authorization revocation procedure related to slices, but also to authentication and authorization procedures, re-authentication and re-authorization procedures, and authorization revocation procedures for other network functions.
In Figure 1, since both AMF1 and AMF2 serve terminal A, a communication anomaly may occur when the AAA-s initiates a slice re-authentication and re-authorization procedure, or a slice authorization revocation procedure, for one or more of slice 1, slice 2, and slice 3.
In view of this, an embodiment of the present application provides a method for authenticating and authorizing slices, which reduces the above communication anomaly. In the following embodiments, NSSAAF is used as an example; it can be understood that the NSSAAF in the following embodiments may be replaced by an AUSF. The method is described below with reference to the scenario of Figure 1.
Figure 2 shows a method for terminal A to authenticate and authorize slices in PLMN-1. As shown in Figure 2:
S201: The authentication and authorization of slice 1 and slice 2 for terminal A is completed through AMF1.
AMF1 can trigger the slice authentication and authorization procedure to authenticate and authorize slice 1 and slice 2 for terminal A. For the slice authentication and authorization procedure, see section 4.2.9.2 of 3GPP TS 23.502 v16.4.0.
In one implementation, AMF1 can trigger, for terminal A, the slice authentication and authorization procedure for slice 1 and the slice authentication and authorization procedure for slice 2 separately, that is, initiate a slice authentication and authorization procedure for each slice. In another implementation, AMF1 can initiate a single slice authentication and authorization procedure to authenticate and authorize both slice 1 and slice 2.
Optionally, S201 can be performed when terminal A registers to PLMN-1 through AMF1.
S202: AMF1 sends slice authentication and authorization information to the UDM; the slice authentication and authorization information indicates the slices for which terminal A has been successfully authenticated and authorized on AMF1.
In one implementation, AMF1 sends one piece of slice authentication and authorization information to the UDM, indicating multiple slices. In another implementation, AMF1 sends multiple pieces of slice authentication and authorization information to the UDM, each indicating one slice. Optionally, AMF1 may send the slice authentication and authorization information for a slice as soon as that slice has been successfully authenticated and authorized. Optionally, AMF1 may also send the corresponding multiple pieces of slice authentication and authorization information after multiple slices have been successfully authenticated and authorized.
As an example, AMF1 sends the identification information of terminal A, the identification information of slice 1, the identification information of slice 2, and the identification information of AMF1 to the UDM. The identification information of terminal A identifies terminal A, the identification information of slice 1 identifies slice 1, the identification information of slice 2 identifies slice 2, and the identification information of AMF1 identifies AMF1. Together, the identification information of terminal A, slice 1, slice 2, and AMF1 indicates that the slices for which terminal A has been successfully authenticated and authorized on AMF1 are slice 1 and slice 2. This combination of identification information can be regarded as one kind of slice authentication and authorization information.
As another example, AMF1 sends first slice authentication and authorization information to the UDM, including the identification information of terminal A, the identification information of slice 1, and the identification information of AMF1; and AMF1 sends second slice authentication and authorization information to the UDM, including the identification information of terminal A, the identification information of slice 2, and the identification information of AMF1.
In one implementation, AMF1 can send the slice authentication and authorization information to the UDM in a Nudm_UESliceAUthentication message. For example, AMF1 sends a Nudm_UESliceAUthentication message to the UDM that carries the slice authentication and authorization information.
S203: The UDM stores the slice authentication and authorization information.
Through S203, the UDM holds the association between terminal A, AMF1, and slice 1, and the association between terminal A, AMF1, and slice 2. It can be understood that storing the association between A and B means that A is stored, B is stored, and an association between A and B is established.
S204: The UDM sends a response to the slice authentication and authorization information to AMF1. The response informs AMF1 whether the above slice authentication and authorization information was received successfully. When multiple pieces of slice authentication and authorization information are received, the UDM may send such a response to AMF1 for each piece. S204 is an optional step.
For example, the response may be Nudm_UESliceAUthenticationResponse.
As an alternative, S202 can be replaced by S205.
S205: The NSSAAF sends slice authentication and authorization information to the UDM; the slice authentication and authorization information indicates the slices for which the terminal has been successfully authenticated and authorized on AMF1. Optionally, the NSSAAF may send the slice authentication and authorization information for a slice as soon as that slice has been successfully authenticated and authorized. Optionally, the NSSAAF may also send the corresponding multiple pieces of slice authentication and authorization information after multiple slices have been successfully authenticated and authorized.
In the slice authentication and authorization procedure of S201, the NSSAAF participates in the authentication and authorization of slice 1 and slice 2, so the NSSAAF knows which slices the terminal has been successfully authenticated and authorized for on AMF1.
Similar to S202, in one implementation the NSSAAF sends the identification information of terminal A, the identification information of slice 1, the identification information of slice 2, and the identification information of AMF1 to the UDM. For the content of this identification information, see S202. Also similar to S202, the NSSAAF can send one piece of slice authentication and authorization information to the UDM, indicating multiple slices, or multiple pieces of slice authentication and authorization information, each indicating one slice.
As another possibility, the NSSAAF participating in the authentication and authorization of slice 1 may differ from the NSSAAF participating in the authentication and authorization of slice 2. For example, NSSAAF1 participates in the authentication and authorization of slice 1, and NSSAAF2 in that of slice 2. In this case, NSSAAF1 sends first slice authentication and authorization information to the UDM, including the identification information of terminal A, the identification information of slice 1, and the identification information of AMF1, and NSSAAF2 sends second slice authentication and authorization information to the UDM, including the identification information of terminal A, the identification information of slice 2, and the identification information of AMF1.
Through S202 and S203 above, the UDM holds information on the slices for which terminal A has been successfully authenticated and authorized on AMF1. When slice 1 or slice 2 is later re-authenticated and re-authorized, or its authorization is revoked, it can be learned from the UDM that the AMF serving terminal A that is associated with slice 1 or slice 2 is AMF1.
As an optional alternative to Figure 2, during the authentication and authorization of slice 1 and slice 2 for terminal A through AMF1, AMF1 can send slice authentication and authorization procedure information to the AAA-s. The slice authentication and authorization procedure information includes the identification information of the terminal, the identification information of the slice, and the identification information of the PLMN to which the AMF belongs; for example, it includes the identification information of terminal A, the identification information of slice 1, and the identification information of PLMN-1. When there are multiple slices, the AMF can send the slice authentication and authorization procedure information once per slice, or send it once with the identification information of multiple slices. For example, the slice authentication and authorization procedure information includes the identification information of terminal A, the identification information of slice 1, the identification information of slice 2, and the identification information of PLMN-1. After receiving the slice authentication and authorization procedure information, the AAA-s can store it once the slice authentication and authorization has succeeded. The AMF can send the slice authentication and authorization procedure information to the AAA-s through the NSSAAF. In this alternative, the AMF can send the identification information of the AMF and the identification information of the PLMN to which the AMF belongs to the UDM, so that the AMF corresponding to a PLMN can be looked up by the PLMN's identification information. For example, AMF1 sends the identification information of AMF1 and the identification information of PLMN-1 to the UDM. Optionally, the AMF can also send the identification information of the slice to the UDM; for example, AMF1 sends the identification information of slice 1 to the UDM.
Figure 3 shows a method by which terminal A authenticates and authorizes slices in PLMN-2. As shown in Figure 3:
S301: Complete the authentication and authorization of slice 2 and slice 3 for terminal A through AMF2.
AMF2 may trigger the slice authentication and authorization procedure to authenticate and authorize slice 2 and slice 3 for terminal A. For the slice authentication and authorization procedure, see clause 4.2.9.2 of 3GPP TS 23.502 v16.4.0.
In one implementation, AMF2 triggers, for terminal A, a slice authentication and authorization procedure for slice 2 and a separate one for slice 3, that is, one procedure per slice. In another implementation, AMF2 initiates a single slice authentication and authorization procedure that covers both slice 2 and slice 3. In yet another implementation, AMF2 obtains the result of the slice authentication and authorization that terminal A performed on AMF1 and uses it to decide whether to initiate the procedures for slice 2 and slice 3: if slice 2 was already authenticated and authorized successfully on AMF1, AMF2 may skip the procedure for slice 2 and determine that terminal A is authorized to access slice 2. For this implementation, AMF1 may send the slice authentication result to the NSSAAF, and the NSSAAF sends the successful result to the UDM.
Optionally, S301 may be performed when terminal A registers with PLMN-2 through AMF2.
S302: AMF2 sends slice authentication and authorization information to the UDM; this information indicates the slices for which terminal A was successfully authenticated and authorized on AMF2.
In one implementation, AMF2 sends the UDM a single piece of slice authentication and authorization information that indicates multiple slices. In another implementation, AMF2 sends the UDM multiple pieces, each indicating one slice.
As an example, AMF2 sends the UDM the identification information of terminal A, of slice 2, of slice 3, and of AMF2. The identification information of terminal A identifies terminal A, that of slice 2 identifies slice 2, that of slice 3 identifies slice 3, and that of AMF2 identifies AMF2. Together, the identification information of terminal A, slice 2, slice 3, and AMF2 indicates that the slices for which terminal A was successfully authenticated and authorized on AMF2 are slice 2 and slice 3, and it may be regarded as one piece of slice authentication and authorization information.
As another example, AMF2 sends the UDM first slice authentication and authorization information, which includes the identification information of terminal A, of slice 2, and of AMF2, and second slice authentication and authorization information, which includes the identification information of terminal A, of slice 3, and of AMF2.
In one implementation, AMF2 may send the slice authentication and authorization information to the UDM in a Nudm_UESliceAUthentication message, i.e. AMF2 sends the UDM a Nudm_UESliceAUthentication message that carries the slice authentication and authorization information.
S303: The UDM stores the slice authentication and authorization information.
Through S303, the UDM holds, for terminal A, the association between terminal A, AMF2, and slice 2, and the association between terminal A, AMF2, and slice 3. Storing the association between A and B means that A is stored, B is stored, and an association between A and B is established.
S304: The UDM sends AMF2 a response to the slice authentication and authorization information, informing AMF2 whether the information was received successfully. If several pieces of slice authentication and authorization information were received, the UDM may send one such response to AMF2 per piece. S304 is optional.
For example, the response may be Nudm_UESliceAUthenticationResponse.
As an alternative, S302 may be replaced by S305.
S305: The NSSAAF sends slice authentication and authorization information to the UDM; this information indicates the slices for which the terminal was successfully authenticated and authorized on AMF2.
In the slice authentication and authorization procedure of S301, the NSSAAF takes part in the authentication and authorization of slice 2 and slice 3, so it knows which slices the terminal was successfully authenticated and authorized for on AMF2.
Similarly to S302, in one implementation the NSSAAF sends the UDM the identification information of terminal A, of slice 2, of slice 3, and of AMF2; see S302 for these identifiers. As in S302, the NSSAAF may send the UDM one piece of slice authentication and authorization information that indicates multiple slices, or several pieces, each indicating one slice.
As another possibility, the NSSAAF that takes part in the authentication and authorization of slice 2 may differ from the one that takes part for slice 3; for example, NSSAAF2 handles slice 2 and NSSAAF3 handles slice 3. In that case, NSSAAF2 sends the UDM first slice authentication and authorization information including the identification information of terminal A, of slice 2, and of AMF2, and NSSAAF3 sends the UDM second slice authentication and authorization information including the identification information of terminal A, of slice 3, and of AMF2.
Through S302 and S303 above, the UDM holds the information on the slices for which terminal A was successfully authenticated and authorized on AMF2. When slice 2 or slice 3 is later re-authenticated and re-authorized, or its authorization is revoked, the UDM can be consulted to learn that the AMF serving terminal A that is associated with slice 2 or slice 3 is AMF2.
As an optional alternative to Figure 3, while the authentication and authorization of slice 2 and slice 3 for terminal A is being completed through AMF2, AMF2 may send slice authentication and authorization procedure information to the AAA-s. This procedure information includes the identification information of the terminal, the identification information of the slice, and the identification information of the PLMN to which the AMF belongs; for example, it includes the identification information of terminal A, of slice 2, and of PLMN-2. When there are multiple slices, the AMF may send the procedure information once per slice, or send it once carrying the identification information of several slices, for example the identification information of terminal A, slice 2, slice 3, and PLMN-2. After receiving the procedure information, and once the slice authentication and authorization has succeeded, the AAA-s may store it. The AMF may send the procedure information to the AAA-s via the NSSAAF. In this alternative, the AMF may send its own identification information and that of the PLMN it belongs to to the UDM, so that the AMF corresponding to a PLMN can be looked up by the PLMN's identification information; for example, AMF2 sends the identification information of AMF2 and of PLMN-2 to the UDM. Optionally, the AMF may also send the identification information of the slice to the UDM, for example AMF2 sends the identification information of slice 2 to the UDM.
In the methods of Figures 2 and 3, the identification information of the terminal includes a SUPI (subscription permanent identifier), a 5G-GUTI (5G globally unique temporary identifier), a GPSI (generic public subscription identifier), or another identifier that can identify the terminal. The identification information of the AMF includes <AMF Region ID><AMF Set ID><AMF Pointer>, an FQDN (fully qualified domain name), an AMF instance ID, an AMF IP address, or an AMF IPv6 prefix. The identification information of the slice includes an S-NSSAI (single network slice selection assistance information) or an external identifier of the slice; the external identifier identifies the slice outside the network. Optionally, because in the scenario of Figures 2 and 3 each PLMN corresponds to exactly one AMF serving terminal A (PLMN-1 to AMF1, PLMN-2 to AMF2), the identification information of the AMF above may be replaced by the identification information of the PLMN; that is, the PLMN's identification information can be regarded as a kind of AMF identification information, and the corresponding AMF can be found through it.
Note that identification information may be converted during transmission and storage. The converted identification information serves the same purpose as the identification information before conversion, both identifying the same object, so both forms are collectively referred to as identification information in this application. For example, when the AMF sends the identification information of terminal A to the UDM and the UDM forwards it to other network elements, the AMF may send terminal A's SUPI to the UDM, and the UDM may obtain the GPSI corresponding to that SUPI and send the GPSI to the other network elements. As another example, the AMF sends an S-NSSAI to the NSSAAF, and the NSSAAF maps the S-NSSAI to an external slice identifier and sends the external slice identifier to the AAA-s, either directly or via the AAA-p. Likewise, slice authentication and authorization information may be converted during transmission and storage; before and after conversion it serves the same purpose, indicating the slices for which the terminal was successfully authenticated and authorized on the AMF, so both forms are collectively referred to as slice authentication and authorization information in this application.
In the methods of Figures 2 and 3 for authenticating and authorizing slices, AMF1 and AMF2 can be regarded as network elements that trigger the authentication and authorization of a slice, referred to in this application as triggering network elements. In other network architectures or scenarios, other types of network elements may act as the triggering network element that triggers authentication and authorization for a given network function. In the above method, the UDM can be regarded as a network element that stores the correspondence between slices and AMFs, referred to in this application as an information storage network element; in other network architectures or scenarios, other types of network elements may serve as the information storage network element, such as an HSS (home subscriber server) or an HLR (home location register). In the above method, the NSSAAF can be regarded as a network element that takes part in slice authentication and authorization, referred to in this application as an authentication and authorization network element. Similarly, in a network architecture in which the AUSF takes part in the slice authentication and authorization procedure above, the AUSF can be regarded as a network element that takes part in slice authentication and authorization. In other network architectures or scenarios, other types of network elements may act as the authentication and authorization network element.
Through the methods of Figures 2 and 3, terminal A has authenticated and authorized slices in PLMN-1 and in PLMN-2. From the UDM it can be learned that the AMF serving terminal A that is associated with slice 1 is AMF1, the AMFs serving terminal A that are associated with slice 2 are AMF1 and AMF2, and the AMF serving terminal A that is associated with slice 3 is AMF2.
As an example, through the methods of Figures 2 and 3 the UDM may store the information shown in Table 1:
[Table 1 (image in the original, PCTCN2021091199-appb-000001): the associations between terminal A, the slices, and the AMFs stored by the UDM]
Table 1
In the alternative of Figures 2 and 3, the AAA-s stores the information shown in Table 2:
[Table 2 (images in the original, PCTCN2021091199-appb-000002 and -000003): the terminal, slice, and PLMN information stored by the AAA-s]
Table 2
In the alternative of Figures 2 and 3, the UDM stores the information shown in Table 3:
[Table 3 (image in the original, PCTCN2021091199-appb-000004): the AMF, PLMN, and optional slice information stored by the UDM]
Table 3
After terminal A has authenticated and authorized slices in PLMN-1 and in PLMN-2, the AAA-s may, as needed, initiate a slice re-authentication and re-authorization procedure, or a slice authorization revocation procedure.
To reduce the communication anomalies described earlier, an embodiment of this application provides a method for re-authenticating and re-authorizing a slice. The method is described below with reference to Figures 1, 2 and 3.
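The alternative recorded in Tables 2 and 3, as an added example that is not part of the patent and not the applicant's code: the AAA-s, rather than the UDM, knows in which PLMN(s) a terminal's slice was authenticated, chooses where to re-authenticate, and carries the PLMN identifier in its request, so that the NSSAAF resolves the AMF from the UDM's AMF-to-PLMN records instead of by (terminal, slice). This is the alternative to S401/S501 that the descriptions of Figures 4 and 5 below mention. The PLMN and slice identifiers, the `policy` parameter, and the class and function names are constructed for the example; the real lookup would be a Nudm_UECM service operation.

```python
"""Toy AAA-s and UDM for the Table 2 / Table 3 alternative. Added example
with constructed identifiers; not taken from the patent or from 3GPP."""
from collections import defaultdict


class AAAServer:
    """Holds the slice authentication and authorisation procedure information
    of Table 2: for each (terminal, slice), the PLMN(s) in which it succeeded."""

    def __init__(self):
        self._plmns = defaultdict(set)   # (ue_id, slice_id) -> {plmn_id}

    def record_success(self, ue_id, slice_ids, plmn_id):
        """Procedure information received from the AMF (via the NSSAAF),
        stored once the slice authentication and authorisation succeeded."""
        for s in slice_ids:
            self._plmns[(ue_id, s)].add(plmn_id)

    def plmns_for(self, ue_id, slice_id):
        return sorted(self._plmns.get((ue_id, slice_id), set()))

    def build_reauth_request(self, ue_id, slice_id, policy="all"):
        """Alternative S401/S501: the request carries the PLMN id(s) chosen by
        the AAA-s. 'all' re-authenticates in every PLMN that holds the slice;
        any other value names one PLMN and is honoured only if that PLMN
        actually authenticated the slice (a caveat, not in the patent text)."""
        known = self.plmns_for(ue_id, slice_id)
        chosen = known if policy == "all" else [p for p in known if p == policy]
        return {"ue": ue_id, "slice": slice_id, "plmns": chosen}


class UDMByPLMN:
    """Table 3: AMF id, the PLMN it belongs to, and optionally its slices."""

    def __init__(self):
        self._amf_by_plmn = {}

    def store_amf(self, amf_id, plmn_id, s_nssais=()):
        self._amf_by_plmn[plmn_id] = (amf_id, tuple(s_nssais))

    def amf_for_plmn(self, plmn_id):
        entry = self._amf_by_plmn.get(plmn_id)
        return entry[0] if entry else None


def nssaaf_resolve(udm, request):
    """NSSAAF side: with PLMN id(s) in the request, the UDM lookup is keyed
    by PLMN and the (terminal, slice) query of S402-S404 is skipped.
    Returns the AMF ids to notify, dropping PLMNs the UDM does not know."""
    amfs = (udm.amf_for_plmn(p) for p in request["plmns"])
    return [a for a in amfs if a is not None]


def build_alternative_scenario():
    """Figures 2 and 3 in the alternative form, constructed identifiers:
    slices 1 and 2 succeeded in PLMN-1 (AMF1), slices 2 and 3 in PLMN-2 (AMF2)."""
    aaa, udm = AAAServer(), UDMByPLMN()
    gpsi = "msisdn-8613800000001"
    aaa.record_success(gpsi, ["ext-slice-1", "ext-slice-2"], "PLMN-1")
    aaa.record_success(gpsi, ["ext-slice-2", "ext-slice-3"], "PLMN-2")
    udm.store_amf("AMF1", "PLMN-1", ["1-000001", "1-000002"])
    udm.store_amf("AMF2", "PLMN-2", ["1-000002", "1-000003"])
    return aaa, udm, gpsi


if __name__ == "__main__":
    aaa, udm, gpsi = build_alternative_scenario()
    req = aaa.build_reauth_request(gpsi, "ext-slice-2")
    print("slice 2 in", req["plmns"], "->", nssaaf_resolve(udm, req))
```

Because the AAA-s picks the PLMN, a policy that names a PLMN in which the slice was never authenticated yields an empty request rather than a notification to the wrong AMF.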
Figure 4 shows a method in which the AAA-s initiates re-authentication and re-authorization of slice 1. As shown in Figure 4:
S401: The AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of slice 1 for terminal A.
In one implementation, the AAA-s sends the NSSAAF a first request, which requests that re-authentication and re-authorization of slice 1 be initiated for terminal A. As an example, the first request includes the identification information of terminal A and of slice 1; from these it can be determined that re-authentication and re-authorization of slice 1 is being requested for terminal A. If an AAA-p is deployed between the AAA-s and the NSSAAF, the AAA-s may send the first request to the NSSAAF through the AAA-p. For the identification information of terminal A and of slice 1, see Figures 2 and 3; for example, in S401 the identification information of terminal A may be terminal A's GPSI, and the identification information of slice 1 may be slice 1's S-NSSAI or its external identifier.
For example, the first request may be an AAA Protocol Re-auth Request.
As an optional alternative to S401, when the AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of slice 1 for terminal A, it may, based on the information in Table 2, additionally carry the identification information of PLMN-1 in the request. The NSSAAF can then obtain the identification information of AMF1 from the UDM using the identification information of PLMN-1, and proceed directly to S405.
S402: The NSSAAF requests the UDM for the AMF serving terminal A that is associated with slice 1.
In one implementation, the NSSAAF sends the UDM a second request, which requests the AMF serving terminal A that is associated with slice 1. As an example, the second request includes the identification information of terminal A and of slice 1. Optionally, the request also includes a first indication that the type of network element being requested is AMF. Optionally, the request also includes a second indication that the related procedure is slice re-authentication and re-authorization. Optionally, the second request may be a Nudm_UECM_Get Req.
Optionally, if the identification information of slice 1 received by the NSSAAF in S401 is slice 1's external identifier, the NSSAAF may derive slice 1's S-NSSAI from that external identifier and send the S-NSSAI to the UDM in S402. Alternatively, the NSSAAF may send the external identifier of slice 1 to the UDM as received.
S403: The UDM obtains the AMF serving terminal A that is associated with slice 1.
After the methods of Figures 2 and 3 have been performed, the UDM holds the association between terminal A, AMF1, and slice 1.
In one implementation, the UDM derives the identification information of AMF1 from the received identification information of terminal A and of slice 1, i.e. the AMF serving terminal A that is associated with slice 1 is AMF1. Optionally, the UDM learns from the first indication that the requested network element type is AMF. Optionally, the UDM learns from the second indication that the related procedure is slice re-authentication and re-authorization, so that it can process the request accordingly.
S404: The UDM sends the NSSAAF the identification information of the AMF serving terminal A that is associated with slice 1.
The UDM may send the NSSAAF the identification information of AMF1 obtained in S403.
In one implementation, the UDM sends the NSSAAF a response message that includes the identification information of AMF1. Optionally, the response message may be a Nudm_UECM_Get Resp.
Optionally, when the identification information of slice 1 that the UDM received from the NSSAAF in S402 is slice 1's external identifier, the UDM may derive slice 1's S-NSSAI from that external identifier and send the S-NSSAI to the NSSAAF together with the identification information of AMF1.
S405: The NSSAAF notifies AMF1 to initiate the slice authentication and authorization procedure for slice 1 for terminal A.
In one implementation, based on the received identification information of AMF1, the NSSAAF sends AMF1 a first notification, which instructs AMF1 to initiate the slice authentication and authorization procedure for slice 1 for terminal A. As an example, the first notification includes event information, the identification information of terminal A, and the identification information of slice 1; in S405 the identification information of slice 1 may be slice 1's S-NSSAI. The event information indicates that the slice authentication and authorization procedure is to be performed. Optionally, the first notification may be Nnssaaf_NSSAA_Notify.
S406: AMF1 triggers the slice authentication and authorization procedure for slice 1.
From the event information, the identification information of terminal A, and the identification information of slice 1, AMF1 learns that it needs to initiate the slice authentication and authorization procedure for slice 1 for terminal A. That procedure may be carried out as in the method of Figure 2.
Through S402 to S405, the NSSAAF uses the identification information of slice 1 to obtain from the UDM, accurately, the identification information of AMF1, the AMF serving terminal A that is associated with slice 1. By contrast, if the UDM held only the association between the terminal and the AMF, without the association between terminal, AMF, and slice, the NSSAAF might obtain the identification information of AMF2 and notify AMF2 to trigger slice authentication and authorization for slice 1, which would cause a communication anomaly, since AMF2 serves terminal A in PLMN-2, where slice 1 was never authenticated. The solution of this application therefore reduces such anomalies.
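The store-and-lookup of Figures 2 to 4 as an added example, not code from the patent or the applicant: a toy UDM keeps the (terminal, S-NSSAI, AMF) associations of Table 1, and an NSSAAF routes an AAA-s re-authentication request by looking up (terminal, slice) rather than the terminal alone. It also performs the GPSI-to-SUPI and external-identifier-to-S-NSSAI conversions the text mentions, and keeps a second, UE-only record to show the failure mode of the paragraph above: a UDM that remembers only the latest serving AMF answers AMF2 for slice 1. The SUPI and GPSI values, the `1-000001`-style S-NSSAI strings, the `ext-slice-*` external identifiers, the `SLICE_REAUTH` event string, and all class and method names are constructed for the example; the real interfaces are Nudm_UECM_Get and Nnssaaf_NSSAA_Notify.

```python
"""Toy UDM, NSSAAF and AMF for the slice re-authentication routing of
Figures 2 to 4. Added example: every identifier, class and method name
here is constructed for illustration, not taken from the patent or 3GPP."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Association:
    """One row of Table 1: the terminal was authenticated and authorised
    for s_nssai on amf_id."""
    supi: str
    s_nssai: str
    amf_id: str


class UDM:
    """Information storage NE. Holds the (SUPI, S-NSSAI, AMF) triples of
    Table 1 plus the identifier mappings needed to normalise lookup keys
    (a GPSI arriving from the AAA-s, an external slice id from the NSSAAF)."""

    def __init__(self, gpsi_to_supi, external_to_snssai):
        self._records = set()          # Association triples (Table 1)
        self._latest_amf = {}          # baseline: SUPI -> last registering AMF
        self._gpsi_to_supi = dict(gpsi_to_supi)
        self._ext_to_snssai = dict(external_to_snssai)

    def store_slice_auth(self, supi, amf_id, s_nssais):
        """S202/S302 (or S305 via the NSSAAF): record the slices that
        succeeded on amf_id. Also updates the UE-only baseline record."""
        for s in s_nssais:
            self._records.add(Association(supi, s, amf_id))
        self._latest_amf[supi] = amf_id

    def to_supi(self, ue_id):
        """GPSI -> SUPI conversion; a SUPI passes through unchanged."""
        return self._gpsi_to_supi.get(ue_id, ue_id)

    def to_snssai(self, slice_id):
        """External slice id -> S-NSSAI; an S-NSSAI passes through."""
        return self._ext_to_snssai.get(slice_id, slice_id)

    def get_amfs(self, ue_id, slice_id):
        """S403: the AMF(s) serving this terminal that are associated with
        this slice, sorted. A slice may map to several AMFs, as slice 2
        does to AMF1 and AMF2."""
        supi, s_nssai = self.to_supi(ue_id), self.to_snssai(slice_id)
        return sorted({r.amf_id for r in self._records
                       if r.supi == supi and r.s_nssai == s_nssai})

    def get_amf_ue_only(self, ue_id):
        """Baseline for contrast: a UDM that stores only terminal -> AMF
        (latest registration wins) cannot tell which AMF handled a slice."""
        return self._latest_amf.get(self.to_supi(ue_id))


class AMF:
    """Triggering NE; records the NSSAA procedures it is told to start."""

    def __init__(self, amf_id):
        self.amf_id = amf_id
        self.triggered = []

    def on_notify(self, event, ue_id, s_nssai):
        """S406: start slice authentication and authorisation for (UE, slice)."""
        self.triggered.append((event, ue_id, s_nssai))


class NSSAAF:
    """Authentication and authorisation NE between the AAA-s and the AMFs."""

    def __init__(self, udm, amfs):
        self.udm, self.amfs = udm, amfs

    def handle_reauth_request(self, gpsi, slice_id):
        """S401 in; S402-S405 out. Resolves the AMF(s) for (terminal, slice)
        via the UDM and notifies each one. Returns the AMF ids notified;
        an unknown (terminal, slice) pair notifies nobody."""
        amf_ids = self.udm.get_amfs(gpsi, slice_id)      # S402-S404
        s_nssai = self.udm.to_snssai(slice_id)          # S404 may carry the S-NSSAI
        for amf_id in amf_ids:                          # S405, one notify per AMF
            self.amfs[amf_id].on_notify("SLICE_REAUTH", gpsi, s_nssai)
        return amf_ids


def build_scenario():
    """Figures 2 and 3 with constructed identifiers: AMF1 (PLMN-1) succeeded
    for slices 1 and 2, AMF2 (PLMN-2) for slices 2 and 3."""
    supi, gpsi = "imsi-460001234567890", "msisdn-8613800000001"
    udm = UDM({gpsi: supi},
              {"ext-slice-1": "1-000001", "ext-slice-2": "1-000002",
               "ext-slice-3": "1-000003"})
    udm.store_slice_auth(supi, "AMF1", ["1-000001", "1-000002"])
    udm.store_slice_auth(supi, "AMF2", ["1-000002", "1-000003"])
    amfs = {"AMF1": AMF("AMF1"), "AMF2": AMF("AMF2")}
    return udm, NSSAAF(udm, amfs), amfs, gpsi


if __name__ == "__main__":
    udm, nssaaf, amfs, gpsi = build_scenario()
    print("slice 1 ->", nssaaf.handle_reauth_request(gpsi, "ext-slice-1"))
    print("slice 2 ->", nssaaf.handle_reauth_request(gpsi, "ext-slice-2"))
    print("UE-only baseline ->", udm.get_amf_ue_only(gpsi), "(wrong for slice 1)")
```

The lookup key is the point: with (terminal, slice) the NSSAAF reaches AMF1 for slice 1 and both AMF1 and AMF2 for slice 2, whereas the UE-only record, last written by AMF2's registration, would send the slice 1 notification to an AMF that never authenticated that slice.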
Figure 5 shows a method in which the AAA-s initiates re-authentication and re-authorization of slice 2. For terms and concepts shared with Figure 4, see the description of Figure 4. As shown in Figure 5:
S501: The AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of slice 2 for terminal A.
In one implementation, the AAA-s sends the NSSAAF a first request, which requests that re-authentication and re-authorization of slice 2 be initiated for terminal A. As an example, the first request includes the identification information of terminal A and of slice 2; from these it can be determined that re-authentication and re-authorization of slice 2 is being requested for terminal A. If an AAA-p is deployed between the AAA-s and the NSSAAF, the AAA-s may send the first request to the NSSAAF through the AAA-p. For the identification information of terminal A and of slice 2, see Figures 2 and 3; for example, in S501 the identification information of terminal A may be terminal A's GPSI, and the identification information of slice 2 may be slice 2's S-NSSAI or its external identifier.
For example, the first request may be an AAA Protocol Re-auth Request.
As an optional alternative to S501, when the AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of slice 2 for terminal A, it may learn from the information in Table 2 that slice 2 corresponds to both PLMN-1 and PLMN-2, and decide on its own whether to initiate re-authentication and re-authorization in PLMN-1, in PLMN-2, or in both, additionally carrying the identification information of PLMN-1 and/or PLMN-2 in the request. The NSSAAF can then obtain the identification information of AMF1 and/or AMF2 from the UDM using the identification information of PLMN-1 and/or PLMN-2. When the AAA-s decides to initiate re-authentication and re-authorization in only one of PLMN-1 and PLMN-2, the NSSAAF obtains the identification information of AMF1 or AMF2 from the UDM based on the identification information of PLMN-1 or PLMN-2, and can proceed directly to S505a or S505b. Optionally, the AAA-s may decide in which PLMN to initiate re-authentication and re-authorization according to a policy, a timer, or the like.
S502: The NSSAAF requests from the UDM the AMF that serves terminal A and is associated with slice 2.
As one implementation, the NSSAAF sends a second request to the UDM, which requests the AMF that serves terminal A and is associated with slice 2. As an example, the second request includes the identification information of terminal A and the identification information of slice 2. Optionally, the request also includes a first indication, which indicates that the type of network element to be obtained is AMF. Optionally, the request also includes a second indication, which indicates that the related procedure is a slice re-authentication and re-authorization procedure. Optionally, the second request may be Nudm_UECM_Get Req.
Optionally, if the identification information of slice 2 received by the NSSAAF in S501 is the external identifier of slice 2, the NSSAAF may obtain the S-NSSAI of slice 2 from that external identifier and send the S-NSSAI of slice 2 to the UDM in S502. Alternatively, the NSSAAF may send the external identifier of slice 2 itself to the UDM.
S503: The UDM obtains the AMF that serves terminal A and is associated with slice 2.
After the methods of FIG. 2 and FIG. 3 have been carried out, the UDM stores the association between terminal A, AMF1 and slice 2, and the association between terminal A, AMF2 and slice 2.
As one implementation, the UDM can obtain the identification information of AMF1 and of AMF2 from the received identification information of terminal A and of slice 2; that is, the AMFs serving terminal A that are associated with slice 2 are AMF1 and AMF2. Optionally, the UDM can learn from the first indication that the type of network element to be obtained is AMF. Optionally, the UDM can learn from the second indication that the related procedure is a slice re-authentication and re-authorization procedure, so that it can process the request accordingly.
Optionally, when several AMFs serving the terminal are associated with the slice, the UDM may refrain from selecting one of them.
Optionally, when several AMFs serving the terminal are associated with the slice, the UDM may go on to select one of them.
For the slice re-authentication and re-authorization procedure, the UDM can select one AMF among the several according to the connection state of the terminal, which is either connected or idle. As one possibility, if the terminal is in connected state with every one of the AMFs, the UDM can select one of them according to a policy or arbitrarily. For example, if terminal A is in connected state with both AMF1 and AMF2, the UDM can select either of them according to a policy or arbitrarily. As another possibility, if the terminal is in idle state with every one of the AMFs, the UDM can select an AMF according to the access type, for example the AMF corresponding to 3GPP access. Generally, access types are divided into 3GPP access and non-3GPP access. For example, if terminal A is in idle state with both AMF1 and AMF2, the UDM can select the AMF corresponding to 3GPP access, namely AMF1. As a further possibility, if the terminal is in connected state with some of the AMFs and in idle state with the others, the UDM can select an AMF with which the terminal is in connected state. For example, if terminal A is in connected state with AMF1 and in idle state with AMF2, the UDM selects AMF1.
S504: The UDM sends the identification information of the AMF that serves terminal A and is associated with slice 2 to the NSSAAF.
Optionally, the UDM may send both the identification information of AMF1 and the identification information of AMF2 obtained in S503 to the NSSAAF.
Optionally, the UDM may send either the identification information of AMF1 or the identification information of AMF2 obtained in S503 to the NSSAAF.
As one implementation, the UDM sends a response message to the NSSAAF that includes the identification information of AMF1 and/or the identification information of AMF2. Optionally, the response message may be Nudm_UECM_Get Resp.
Optionally, when the identification information of slice 2 that the UDM received from the NSSAAF in S502 is the external identifier of slice 2, the UDM may obtain the S-NSSAI of slice 2 from that external identifier and send the S-NSSAI of slice 2 to the NSSAAF together with the identification information of AMF1.
S505a: The NSSAAF notifies AMF1 to initiate the slice authentication and authorization procedure for slice 2 for terminal A.
As one implementation, if what the NSSAAF received in S504 is the identification information of AMF1, the NSSAAF sends a first notification to AMF1. As another implementation, for the slice re-authentication and re-authorization procedure, if the NSSAAF received the identification information of both AMF1 and AMF2 in S504, the NSSAAF may select AMF1 and send the first notification to AMF1; optionally, the NSSAAF selects AMF1 according to a policy. The first notification notifies AMF1 to initiate the slice authentication and authorization procedure for slice 2 for terminal A. As an example, the first notification includes event information, the identification information of terminal A, and the identification information of slice 2. As an example, in S505a the identification information of slice 2 may be the S-NSSAI of slice 2. The event information indicates that a slice authentication and authorization procedure is to be performed. Optionally, the first notification may be Nnssaaf_NSSAA_Notify.
S505b: The NSSAAF notifies AMF2 to initiate the slice authentication and authorization procedure for slice 2 for terminal A.
As one implementation, if what the NSSAAF received in S504 is the identification information of AMF2, the NSSAAF sends a second notification to AMF2. As another implementation, for the slice re-authentication and re-authorization procedure, if the NSSAAF received the identification information of both AMF1 and AMF2 in S504, the NSSAAF may select AMF2 and send the second notification to AMF2; optionally, the NSSAAF selects AMF2 according to a policy. The second notification notifies AMF2 to initiate the slice authentication and authorization procedure for slice 2 for terminal A. As an example, the second notification includes event information, the identification information of terminal A, and the identification information of slice 2. As an example, in S505b the identification information of slice 2 may be the S-NSSAI of slice 2. The event information indicates that a slice authentication and authorization procedure is to be performed. Optionally, the second notification may be Nnssaaf_NSSAA_Notify.
Optionally, as another implementation, for the slice re-authentication and re-authorization procedure, if the NSSAAF received the identification information of both AMF1 and AMF2 in S504, the NSSAAF may notify both AMF1 and AMF2 to initiate the slice authentication and authorization procedure for slice 2 for terminal A; that is, both S505a and S505b are executed. Compared with this implementation, having the NSSAAF select one of the AMFs and notify only that AMF to initiate the slice authentication and authorization procedure for the terminal saves signalling overhead.
S506a: AMF1 triggers the slice authentication and authorization procedure for slice 2.
From the event information, the identification information of terminal A and the identification information of slice 2, AMF1 learns that it needs to initiate the slice authentication and authorization procedure for slice 2 for terminal A. The slice authentication and authorization procedure can be carried out with reference to the method shown in FIG. 2.
S506b: AMF2 triggers the slice authentication and authorization procedure for slice 2.
From the event information, the identification information of terminal A and the identification information of slice 2, AMF2 learns that it needs to initiate the slice authentication and authorization procedure for slice 2 for terminal A. The slice authentication and authorization procedure can be carried out with reference to the method shown in FIG. 3.
Through S502 to S505a or S505b, the NSSAAF can use the identification information of slice 2 to accurately obtain from the UDM the identification information of AMF1 and/or AMF2, the AMFs serving terminal A that are associated with slice 2. By comparison, if the UDM stored only the association between the terminal and the AMF, and not the association between terminal, AMF and slice, the NSSAAF might obtain the identification information of some AMF at which terminal A is registered other than AMF1 and AMF2, and would then notify the wrong AMF to trigger slice authentication and authorization for slice 2, causing a communication exception. The solution of this application therefore reduces such communication exceptions. In addition, when several AMFs serving the terminal are associated with a slice, taking the connection state of the terminal into account when selecting a suitable AMF saves signalling interactions and improves communication efficiency.
FIG. 6 shows another method in which the AAA-s initiates re-authentication and re-authorization of slice 2. For the terms and concepts of FIG. 6 that are the same as in FIG. 5, refer to the related content of FIG. 5. Whereas in FIG. 5 the UDM determines the AMF from the identification information of the slice, in FIG. 6 the NSSAAF determines the AMF from the identification information of the slice. As shown in FIG. 6:
S601: The AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of slice 2 for terminal A.
For S601, see S501.
As an optional alternative to S601, when the AAA-s requests the NSSAAF to initiate re-authentication and re-authorization of slice 2 for terminal A, it can learn from the information in Table 2 that slice 2 corresponds to PLMN-1 and PLMN-2, decide on its own whether to initiate re-authentication and re-authorization in PLMN-1, in PLMN-2, or in both PLMN-1 and PLMN-2, and additionally carry the identification information of PLMN-1 and/or PLMN-2 in the request. Using the identification information of PLMN-1 and/or PLMN-2, the NSSAAF can obtain the identification information of AMF1 and/or AMF2 from the UDM. When the AAA-s decides to initiate re-authentication and re-authorization in only one of PLMN-1 and PLMN-2, the NSSAAF can obtain the identification information of AMF1 or AMF2 from the UDM according to the identification information of PLMN-1 or PLMN-2, and then directly execute S606a or S606b. Optionally, the AAA-s may determine in which PLMN to initiate re-authentication and re-authorization according to a policy, a timer, or the like.
S602: The NSSAAF requests from the UDM the AMFs serving terminal A and the slices associated with each of those AMFs.
As one implementation, the NSSAAF sends a second request to the UDM, which requests the AMFs serving terminal A and the slices associated with each of those AMFs. As an example, the second request includes the identification information of terminal A. Optionally, the request also includes a first indication, which indicates that the type of network element to be obtained is AMF. Optionally, the request also includes a second indication, which indicates that the related procedure is a slice re-authentication and re-authorization procedure. Optionally, the second request may be Nudm_UECM_Get Req.
S603: The UDM obtains the AMFs serving terminal A and the slices associated with each of those AMFs.
After the methods of FIG. 2 and FIG. 3 have been carried out, the UDM stores the association between terminal, AMF and slice shown in Table 1 above.
As one implementation, from the received identification information of terminal A the UDM can obtain {identification information of AMF1, (identification information of slice 1, identification information of slice 2)} and {identification information of AMF2, (identification information of slice 2, identification information of slice 3)}; that is, the AMFs serving terminal A are AMF1 and AMF2, the slices associated with AMF1 are slice 1 and slice 2, and the slices associated with AMF2 are slice 2 and slice 3. Optionally, the UDM can learn from the first indication that the type of network element to be obtained is AMF. Optionally, the UDM can learn from the second indication that the related procedure is a slice re-authentication and re-authorization procedure, so that it can process the request accordingly. Here {A, B} denotes that A and B are associated, and (A, B) denotes a set or list whose two elements are A and B.
Optionally, the UDM can also obtain the connection state between the terminal and each AMF serving the terminal. The connection state of the terminal is either connected or idle. As one implementation, the UDM can request the connection state of the terminal from the AMF serving the terminal. For example, in Table 1 the AMFs serving terminal A are AMF1 and AMF2, so the UDM can obtain the connection state between terminal A and AMF1 from AMF1, and the connection state between terminal A and AMF2 from AMF2.
Optionally, the UDM can also obtain the access type corresponding to each AMF serving the terminal. For access types, refer to the related content of S503. For example, the access type corresponding to AMF1 is 3GPP access, and the access type corresponding to AMF2 is non-3GPP access.
S604: The UDM sends the identification information of the AMFs serving terminal A and the identification information of the slices associated with those AMFs to the NSSAAF.
Exemplarily, the UDM sends {identification information of AMF1, (identification information of slice 1, identification information of slice 2)} and {identification information of AMF2, (identification information of slice 2, identification information of slice 3)} to the NSSAAF.
Exemplarily, the UDM sends {identification information of AMF1, identification information of slice 1}, {identification information of AMF1, identification information of slice 2}, {identification information of AMF2, identification information of slice 2}, and {identification information of AMF2, identification information of slice 3} to the NSSAAF.
Optionally, the UDM can send connection state information to the NSSAAF. The connection state information indicates the connection state between the terminal and each AMF serving the terminal. For example, the connection state information indicates that terminal A is in connected state with AMF1 and in idle state with AMF2.
Optionally, the UDM can send access type information to the NSSAAF. The access type information indicates the access type corresponding to each AMF serving the terminal. For example, the access type information indicates that the access type of AMF1 is 3GPP access and the access type of AMF2 is non-3GPP access.
As one implementation, the UDM sends a response message to the NSSAAF that includes the identification information of the AMFs serving terminal A and the identification information of the slices associated with those AMFs. Optionally, the response message also includes the connection state information described above. Optionally, the response message also includes the access type information described above. Optionally, the response message may be Nudm_UECM_Get Resp.
S605: The NSSAAF determines the AMF associated with slice 2.
Based on the information received in S604, the NSSAAF can learn that the AMFs serving terminal A that are associated with slice 2 are AMF1 and AMF2.
Optionally, if several AMFs serving the terminal are associated with the slice, the NSSAAF may refrain from selecting one of them.
Optionally, if several AMFs serving the terminal are associated with the slice, the NSSAAF may go on to select one of them. Compared with not narrowing the several AMFs down to one, selecting a single AMF saves subsequent signalling interactions.
For the slice re-authentication and re-authorization procedure, the NSSAAF can select one AMF among the several according to the connection state of the terminal, which it obtains from the connection state information of S604. As one possibility, if the terminal is in connected state with every one of the AMFs, the NSSAAF can select one of them according to a policy or arbitrarily. For example, if terminal A is in connected state with both AMF1 and AMF2, the NSSAAF can select either of them according to a policy or arbitrarily. As another possibility, if the terminal is in idle state with every one of the AMFs, the NSSAAF can select an AMF according to the access type corresponding to the AMF, for example the AMF corresponding to 3GPP access; the access type corresponding to each AMF is obtained from the access type information of S604. For example, if terminal A is in idle state with both AMF1 and AMF2, the NSSAAF can select the AMF corresponding to 3GPP access, namely AMF1. As a further possibility, if the terminal is in connected state with some of the AMFs and in idle state with the others, the NSSAAF can select an AMF with which the terminal is in connected state. For example, if terminal A is in connected state with AMF1 and in idle state with AMF2, the NSSAAF selects AMF1.
If in S605 the NSSAAF determines that the AMFs associated with slice 2 are AMF1 and AMF2, both S606a and S606b are executed.
If in S605 the NSSAAF determines that the AMF associated with slice 2 is one of AMF1 and AMF2, either S606a or S606b is executed.
S606a: The NSSAAF notifies AMF1 to initiate the slice authentication and authorization procedure for slice 2 for terminal A.
As one implementation, the NSSAAF sends a first notification to AMF1. The first notification notifies AMF1 to initiate the slice authentication and authorization procedure for slice 2 for terminal A. As an example, the first notification includes event information, the identification information of terminal A, and the identification information of slice 2. As an example, in S606a the identification information of slice 2 may be the S-NSSAI of slice 2. The event information indicates that a slice authentication and authorization procedure is to be performed. Optionally, the first notification may be Nnssaaf_NSSAA_Notify.
S606b: The NSSAAF notifies AMF2 to initiate the slice authentication and authorization procedure for slice 2 for terminal A.
As one implementation, the NSSAAF sends a second notification to AMF2. As an example, the second notification includes event information, the identification information of terminal A, and the identification information of slice 2. As an example, in S606b the identification information of slice 2 may be the S-NSSAI of slice 2. The event information indicates that a slice authentication and authorization procedure is to be performed. Optionally, the second notification may be Nnssaaf_NSSAA_Notify.
S607a: AMF1 triggers the slice authentication and authorization procedure for slice 2.
For S607a, refer to S506a.
S607b: AMF2 triggers the slice authentication and authorization procedure for slice 2.
For S607b, refer to S506b.
Through S602 to S606a or S606b, the NSSAAF can use the identification information of slice 2 to accurately obtain the identification information of AMF1 and/or AMF2, the AMFs serving terminal A that are associated with slice 2. By comparison, if the UDM stored only the association between the terminal and the AMF, and not the association between terminal, AMF and slice, the NSSAAF might obtain the identification information of some AMF at which terminal A is registered other than AMF1 and AMF2, and would then notify the wrong AMF to trigger slice authentication and authorization for slice 2, causing a communication exception. The solution of this application therefore reduces such communication exceptions. In addition, when several AMFs serving the terminal are associated with a slice, taking the connection state of the terminal into account when selecting a suitable AMF saves signalling interactions and improves communication efficiency.
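The lookup and selection logic of S502 to S505 (FIG. 5) and S602 to S606 (FIG. 6), together with the identical (terminal, slice) lookup that S703 (FIG. 7) reuses, as an added Python model that is not part of the patent. The identifiers gpsi-A, AMF1, AMF2, the S-NSSAI strings, the external slice identifier and the event value are placeholders, and the connection states are assumed. The model also shows why the slice must be part of the query: a lookup by terminal alone returns both AMF1 and AMF2 even for slice 1, which only AMF1 serves, and notifying AMF2 for slice 1 is exactly the wrong-AMF case the text warns about.

```python
# Added example, not code from the patent: a runnable model of the UDM lookup
# and AMF selection described in S502-S505 (FIG. 5) and S602-S606 (FIG. 6).
# Every identifier below (gpsi-A, AMF1, AMF2, the S-NSSAI strings, the
# external slice identifier, the event value) is a made-up placeholder.
from dataclasses import dataclass

CONNECTED, IDLE = "connected", "idle"
ACCESS_3GPP, ACCESS_NON3GPP = "3gpp", "non-3gpp"


@dataclass(frozen=True)
class AmfRecord:
    """One (terminal, AMF, slices) association of the kind Table 1 shows the UDM keeping."""
    amf_id: str        # hypothetical AMF identifier
    plmn: str          # PLMN of the AMF, as in Table 2
    access_type: str   # ACCESS_3GPP or ACCESS_NON3GPP
    slices: tuple      # S-NSSAIs for which slice authentication ran via this AMF
    state: str         # connection state of the terminal at this AMF (CONNECTED or IDLE)


# Constructed UDM context for terminal A, modelled on Table 1: AMF1 (PLMN-1,
# 3GPP access) for slices 1 and 2, AMF2 (PLMN-2, non-3GPP access) for slices
# 2 and 3. Terminal A is assumed connected at AMF1 and idle at AMF2.
UDM_CONTEXT = {
    "gpsi-A": [
        AmfRecord("AMF1", "PLMN-1", ACCESS_3GPP, ("snssai-1", "snssai-2"), CONNECTED),
        AmfRecord("AMF2", "PLMN-2", ACCESS_NON3GPP, ("snssai-2", "snssai-3"), IDLE),
    ],
}

# Hypothetical mapping from the external slice identifier sent by the AAA-s to
# the S-NSSAI; the text lets either the NSSAAF (S502) or the UDM (S504) resolve it.
EXTERNAL_ID_TO_SNSSAI = {"ext-slice-2": "snssai-2"}


def resolve_slice_id(slice_id):
    """Accept an S-NSSAI or an external identifier and return the S-NSSAI."""
    return EXTERNAL_ID_TO_SNSSAI.get(slice_id, slice_id)


def udm_amfs_for_ue(ue_id):
    """Slice-unaware lookup: every AMF at which the terminal is registered."""
    return list(UDM_CONTEXT.get(ue_id, []))


def udm_amfs_for_slice(ue_id, slice_id):
    """S503 (FIG. 5) and S703 (FIG. 7): the UDM answers a (terminal, slice) query."""
    snssai = resolve_slice_id(slice_id)
    return [r for r in udm_amfs_for_ue(ue_id) if snssai in r.slices]


def nssaaf_determine_amfs(ue_id, slice_id):
    """S605 (FIG. 6): the UDM returns the whole per-terminal map and the NSSAAF filters it."""
    snssai = resolve_slice_id(slice_id)
    full_map = udm_amfs_for_ue(ue_id)   # what the Nudm_UECM_Get Resp of S604 carries
    return [r for r in full_map if snssai in r.slices]


def select_amf(candidates, policy=None):
    """Connection-state rule of S503 / S605 for picking one AMF out of several.

    All connected: choose by policy (default: the first candidate).
    All idle: prefer the AMF for 3GPP access.
    Mixed: choose an AMF at which the terminal is in connected state.
    """
    if not candidates:
        raise LookupError("no AMF serves this terminal for this slice")
    connected = [c for c in candidates if c.state == CONNECTED]
    if len(connected) == len(candidates):
        return policy(candidates) if policy else candidates[0]
    if not connected:
        for c in candidates:
            if c.access_type == ACCESS_3GPP:
                return c
        return candidates[0]   # no 3GPP-access AMF among the idle ones: fall back to the first
    return connected[0]


def build_notify(ue_id, slice_id, amf):
    """Content of the Nnssaaf_NSSAA_Notify of S505 / S606: event, terminal ID, S-NSSAI."""
    return {
        "target_amf": amf.amf_id,
        "event": "slice-reauth",   # stands in for the event information of the text
        "ue_id": ue_id,
        "snssai": resolve_slice_id(slice_id),
    }


def reauth_flow(ue_id, slice_id, pick_one=True):
    """FIG. 5 end to end: (terminal, slice) lookup, optional selection, notification(s)."""
    amfs = udm_amfs_for_slice(ue_id, slice_id)
    targets = [select_amf(amfs)] if pick_one else amfs
    return [build_notify(ue_id, slice_id, a) for a in targets]
```

Calling `reauth_flow("gpsi-A", "ext-slice-2")` resolves the external identifier to the S-NSSAI, finds AMF1 and AMF2, applies the mixed-state rule (terminal A connected at AMF1, idle at AMF2) and produces a single notification addressed to AMF1; `pick_one=False` reproduces the variant in which both S505a and S505b are executed. `udm_amfs_for_slice("gpsi-A", "snssai-1")` returns only AMF1, whereas `udm_amfs_for_ue("gpsi-A")` returns both AMFs, which is the slice-unaware answer that would lead the NSSAAF to notify AMF2 for a slice it does not serve.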
To reduce the aforementioned communication exceptions, an embodiment of this application provides a method for revoking the authorization of a slice. The method is described below in conjunction with the content of FIG. 1, FIG. 2 and FIG. 3.
FIG. 7 shows a method in which the AAA-s initiates authorization revocation of slice 1. As shown in FIG. 7:
S701: The AAA-s requests the NSSAAF to initiate authorization revocation of slice 1 for terminal A.
As one implementation, the AAA-s sends a first request to the NSSAAF, which requests that authorization revocation of slice 1 be initiated for terminal A. As an example, the first request includes the identification information of terminal A and the identification information of slice 1; from these two identifiers it can be determined that authorization revocation of slice 1 is being requested for terminal A. If an AAA-p is deployed between the AAA-s and the NSSAAF, the AAA-s can send the first request to the NSSAAF through the AAA-p. For the identification information of terminal A and of slice 1, refer to the related content of FIG. 2 and FIG. 3. For example, in S701 the identification information of terminal A may be the GPSI of terminal A, and the identification information of slice 1 may be the S-NSSAI of slice 1 or the external identifier of slice 1.
Exemplarily, the first request may be an AAA Protocol Revoke Auth Request.
As an optional alternative to S701, when the AAA-s requests the NSSAAF to initiate authorization revocation of slice 1 for terminal A, it can, according to the information in Table 2, additionally carry the identification information of PLMN-1 in the request. Using the identification information of PLMN-1, the NSSAAF can obtain the identification information of AMF1 from the UDM and then directly execute S705.
S702: The NSSAAF requests the UDM to obtain the AMF that serves terminal A and is associated with slice 1.
As an implementation, the NSSAAF sends a second request to the UDM, where the second request is used to request the AMF that serves terminal A and is associated with slice 1. As an example, the second request includes the identification information of terminal A and the identification information of slice 1. Optionally, the request further includes a first indication, which indicates that the type of network element to be obtained is AMF. Optionally, the request further includes a second indication, which indicates that the related procedure is the slice authorization revocation procedure. Optionally, the second request may be Nudm_UECM_Get Req.
Optionally, if the identification information of slice 1 received by the NSSAAF in S701 is the external identifier of slice 1, the NSSAAF may obtain the S-NSSAI of slice 1 from that external identifier and send the S-NSSAI of slice 1 to the UDM in S702. Optionally, if the identification information of slice 1 received by the NSSAAF in S701 is the external identifier of slice 1, the NSSAAF may also send the external identifier of slice 1 to the UDM.
S703: The UDM obtains the AMF that serves terminal A and is associated with slice 1.
After the methods of FIG. 2 and FIG. 3 have been performed, the UDM stores the association among terminal A, AMF1 and slice 1.
As an implementation, the UDM can derive the identification information of AMF1 from the received identification information of terminal A and of slice 1, that is, the AMF that serves terminal A and is associated with slice 1 is AMF1. Optionally, the UDM may learn from the first indication that the type of network element to be obtained is AMF. Optionally, the UDM may learn from the second indication that the related procedure is the slice authorization revocation procedure, so that the UDM can process the request accordingly.
S704: The UDM sends the identification information of the AMF that serves terminal A and is associated with slice 1 to the NSSAAF.
The UDM may send the identification information of AMF1 obtained in S703 to the NSSAAF.
As an implementation, the UDM sends a response message to the NSSAAF, where the response message includes the identification information of AMF1. Optionally, the response message may be Nudm_UECM_Get Resp.
Optionally, when the identification information of slice 1 that the UDM obtained from the NSSAAF in S702 is the external identifier of slice 1, the UDM may obtain the S-NSSAI of slice 1 from that external identifier and send the S-NSSAI of slice 1 to the NSSAAF together with the identification information of AMF1.
S705: The NSSAAF notifies AMF1 to initiate authorization revocation of slice 1 for terminal A.
As an implementation, the NSSAAF sends a first notification to AMF1 according to the received identification information of AMF1, where the first notification is used to notify AMF1 to initiate authorization revocation of slice 1 for terminal A. As an example, the first notification includes event information, the identification information of terminal A and the identification information of slice 1. As an example, in S705 the identification information of slice 1 may be the S-NSSAI of slice 1. The event information indicates that slice authorization revocation is to be performed. Optionally, the first notification may be Nnssaaf_NSSAA_Notify.
S706: AMF1 revokes the authorization of slice 1 for terminal A.
From the event information, the identification information of terminal A and the identification information of slice 1, AMF1 learns that the authorization of terminal A for slice 1 needs to be revoked. For AMF1 revoking the authorization of terminal A for slice 1, refer to step 5 of section 4.2.9.4 of 3GPP TS 23.502 v16.4.0.
Through S702-S705, the NSSAAF can use the identification information of slice 1 to accurately obtain from the UDM the identification information of AMF1, the AMF that serves terminal A and is associated with slice 1. By comparison, if the UDM stored only the association between the terminal and the AMF, and not the association among terminal, AMF and slice, the NSSAAF might obtain the identification information of AMF2 and therefore notify AMF2 to trigger authorization revocation of slice 1, causing a communication exception. The solution of the present application therefore reduces the occurrence of communication exceptions.
FIG. 8 shows a method in which the AAA-s initiates authorization revocation of slice 2. For terms and concepts in FIG. 8 that are the same as in FIG. 7, refer to the related content of FIG. 7. As shown in FIG. 8:
S801: The AAA-s requests the NSSAAF to initiate authorization revocation of slice 2 for terminal A.
As an implementation, the AAA-s sends a first request to the NSSAAF, where the first request is used to request that authorization revocation of slice 2 be initiated for terminal A. As an example, the first request includes the identification information of terminal A and the identification information of slice 2. From the identification information of terminal A and of slice 2 it can be learned that the request is to revoke the authorization of terminal A for slice 2. If an AAA-p is deployed between the AAA-s and the NSSAAF, the AAA-s can send the first request to the NSSAAF through the AAA-p. For the identification information of terminal A and of slice 2, refer to the related content of FIG. 2 and FIG. 3. For example, in S801 the identification information of terminal A may be the GPSI of terminal A, and the identification information of slice 2 may be the S-NSSAI of slice 2 or the external identifier of slice 2.
Exemplarily, the first request may be an AAA Protocol Revoke Auth Request.
As an optional replacement for S801, when the AAA-s requests the NSSAAF to initiate authorization revocation of slice 2 for terminal A, it can learn from the information in Table 2 that slice 2 corresponds to PLMN-1 and PLMN-2, decide on its own whether to initiate authorization revocation in PLMN-1, in PLMN-2, or in both PLMN-1 and PLMN-2, and further carry the identification information of PLMN-1 and/or PLMN-2 in the request; with the identification information of PLMN-1 and/or PLMN-2 the NSSAAF can obtain the identification information of AMF1 and/or AMF2 from the UDM, so that S805a and/or S805b can be executed directly. Optionally, the AAA-s may determine in which PLMN to initiate authorization revocation according to a policy, a timer, or the like.
S802: The NSSAAF requests the UDM to obtain the AMF that serves terminal A and is associated with slice 2.
As an implementation, the NSSAAF sends a second request to the UDM, where the second request is used to request the AMF that serves terminal A and is associated with slice 2. As an example, the second request includes the identification information of terminal A and the identification information of slice 2. Optionally, the request further includes a first indication, which indicates that the type of network element to be obtained is AMF. Optionally, the request further includes a second indication, which indicates that the related procedure is the slice authorization revocation procedure. Optionally, the second request may be Nudm_UECM_Get Req.
Optionally, if the identification information of slice 2 received by the NSSAAF in S801 is the external identifier of slice 2, the NSSAAF may obtain the S-NSSAI of slice 2 from that external identifier and send the S-NSSAI of slice 2 to the UDM in S802. Optionally, if the identification information of slice 2 received by the NSSAAF in S801 is the external identifier of slice 2, the NSSAAF may also send the external identifier of slice 2 to the UDM.
S803: The UDM obtains the AMF that serves terminal A and is associated with slice 2.
After the methods of FIG. 2 and FIG. 3 have been performed, the UDM stores the association among terminal A, AMF1 and slice 2, and the association among terminal A, AMF2 and slice 2.
As an implementation, the UDM can derive the identification information of AMF1 and of AMF2 from the received identification information of terminal A and of slice 2, that is, the AMFs that serve terminal A and are associated with slice 2 are AMF1 and AMF2. Optionally, the UDM may learn from the first indication that the type of network element to be obtained is AMF. Optionally, the UDM may learn from the second indication that the related procedure is the slice authorization revocation procedure, so that the UDM can process the request accordingly.
For the slice authorization revocation procedure, when multiple AMFs serving the terminal are associated with the slice, the UDM needs to inform the NSSAAF of all of them.
S804: The UDM sends the identification information of the AMFs that serve terminal A and are associated with slice 2 to the NSSAAF.
The UDM sends the identification information of AMF1 and of AMF2 obtained in S803 to the NSSAAF.
As an implementation, the UDM sends a response message to the NSSAAF, where the response message includes the identification information of AMF1 and the identification information of AMF2. Optionally, the response message may be Nudm_UECM_Get Resp.
Optionally, when the identification information of slice 2 that the UDM obtained from the NSSAAF in S802 is the external identifier of slice 2, the UDM may obtain the S-NSSAI of slice 2 from that external identifier and send the S-NSSAI of slice 2 to the NSSAAF together with the identification information of AMF1.
For the slice authorization revocation procedure, when the NSSAAF receives the identification information of multiple AMFs, it needs to notify all of those AMFs to perform authorization revocation.
S805a: The NSSAAF notifies AMF1 to initiate authorization revocation of slice 2 for terminal A.
As an implementation, the NSSAAF sends a first notification to AMF1 according to the received identification information of AMF1, where the first notification is used to notify AMF1 to initiate authorization revocation of slice 2 for terminal A. As an example, the first notification includes event information, the identification information of terminal A and the identification information of slice 2. As an example, in S805a the identification information of slice 2 may be the S-NSSAI of slice 2. The event information indicates that slice authorization revocation is to be performed. Optionally, the first notification may be Nnssaaf_NSSAA_Notify.
S805b: The NSSAAF notifies AMF2 to initiate authorization revocation of slice 2 for terminal A.
As an implementation, the NSSAAF sends a second notification to AMF2 according to the received identification information of AMF2, where the second notification is used to notify AMF2 to initiate authorization revocation of slice 2 for terminal A. As an example, the second notification includes event information, the identification information of terminal A and the identification information of slice 2. As an example, in S805b the identification information of slice 2 may be the S-NSSAI of slice 2. The event information indicates that slice authorization revocation is to be performed. Optionally, the second notification may be Nnssaaf_NSSAA_Notify.
S806a: AMF1 revokes the authorization of slice 2 for terminal A.
From the event information, the identification information of terminal A and the identification information of slice 2, AMF1 learns that the authorization of terminal A for slice 2 needs to be revoked. For AMF1 revoking the authorization of terminal A for slice 2, refer to step 5 of section 4.2.9.4 of 3GPP TS 23.502 v16.4.0.
S806b: AMF2 revokes the authorization of slice 2 for terminal A.
From the event information, the identification information of terminal A and the identification information of slice 2, AMF2 learns that the authorization of terminal A for slice 2 needs to be revoked. For AMF2 revoking the authorization of terminal A for slice 2, refer to step 5 of section 4.2.9.4 of 3GPP TS 23.502 v16.4.0.
Through S802-S805a or S805b, the NSSAAF can use the identification information of slice 2 to accurately obtain from the UDM the identification information of AMF1 and of AMF2, the AMFs that serve terminal A and are associated with slice 2. By comparison, if the UDM stored only the association between the terminal and the AMF, and not the association among terminal, AMF and slice, the NSSAAF might obtain the identification information of an AMF other than AMF1 and AMF2 with which terminal A is registered, and therefore notify the wrong AMF to revoke the authorization of slice 2, causing a communication exception. In addition, under the same condition the NSSAAF might obtain only one of AMF1 and AMF2 and therefore fail to notify the other AMF to revoke the authorization of slice 2, which also causes a communication exception. The solution of the present application therefore reduces the occurrence of communication exceptions.
FIG. 9 shows another method in which the AAA-s initiates authorization revocation of slice 2. For the explanation of terms and concepts in FIG. 9 that are the same as in FIG. 8, refer to the related content of FIG. 8. Whereas in FIG. 8 the UDM determines the AMF according to the identification information of the slice, in FIG. 9 the NSSAAF determines the AMF according to the identification information of the slice. As shown in FIG. 9:
S901: The AAA-s requests the NSSAAF to initiate authorization revocation of slice 2 for terminal A.
For S901, see S801.
As an optional replacement for S901, when the AAA-s requests the NSSAAF to initiate authorization revocation of slice 2 for terminal A, it can learn from the information in Table 2 that slice 2 corresponds to PLMN-1 and PLMN-2, decide on its own whether to initiate authorization revocation in PLMN-1, in PLMN-2, or in both PLMN-1 and PLMN-2, and further carry the identification information of PLMN-1 and/or PLMN-2 in the request; with the identification information of PLMN-1 and/or PLMN-2 the NSSAAF can obtain the identification information of AMF1 and/or AMF2 from the UDM, so that S906a and/or S906b can be executed directly. Optionally, the AAA-s may determine in which PLMN to initiate authorization revocation according to a policy, a timer, or the like.
S902: The NSSAAF requests the UDM to obtain the AMFs serving terminal A and the slices associated with those AMFs.
As an implementation, the NSSAAF sends a second request to the UDM, where the second request is used to request the AMFs serving terminal A and the slices associated with those AMFs. As an example, the second request includes the identification information of terminal A. Optionally, the request further includes a first indication, which indicates that the type of network element to be obtained is AMF. Optionally, the request further includes a second indication, which indicates that the related procedure is the slice authorization revocation procedure. Optionally, the second request may be Nudm_UECM_Get Req.
S903: The UDM obtains the AMFs serving terminal A and the slices associated with those AMFs.
After the methods of FIG. 2 and FIG. 3 have been performed, the UDM stores the associations among terminal, AMF and slice shown in Table 1 above.
As an implementation, the UDM can derive from the received identification information of terminal A {identification information of AMF1, (identification information of slice 1, identification information of slice 2)} and {identification information of AMF2, (identification information of slice 2, identification information of slice 3)}, that is, the AMFs serving terminal A are AMF1 and AMF2, the slices associated with AMF1 are slice 1 and slice 2, and the slices associated with AMF2 are slice 2 and slice 3. Optionally, the UDM may learn from the first indication that the type of network element to be obtained is AMF. Optionally, the UDM may learn from the second indication that the related procedure is the slice authorization revocation procedure, so that the UDM can process the request accordingly. It should be understood that {A, B} denotes that A and B are associated, and (A, B) denotes a set or list containing the two elements A and B.
Optionally, the UDM may also obtain the connection state between the terminal and each AMF serving it. The connection state of the terminal is either connected or idle. As an implementation, the UDM may request the connection state of the terminal from the AMF serving the terminal. For example, in Table 1 the AMFs serving terminal A are AMF1 and AMF2; the UDM can obtain the connection state between terminal A and AMF1 from AMF1, and the connection state between terminal A and AMF2 from AMF2.
Optionally, the UDM may also obtain the access type corresponding to each AMF serving the terminal. Generally, the access type is either 3GPP access or non-3GPP access. For example, the access type corresponding to AMF1 is 3GPP access, and the access type corresponding to AMF2 is non-3GPP access.
S904: The UDM sends to the NSSAAF the identification information of the AMFs serving terminal A and the identification information of the slices associated with those AMFs.
Exemplarily, the UDM sends {identification information of AMF1, (identification information of slice 1, identification information of slice 2)} and {identification information of AMF2, (identification information of slice 2, identification information of slice 3)} to the NSSAAF.
Exemplarily, the UDM sends {identification information of AMF1, identification information of slice 1}, {identification information of AMF1, identification information of slice 2}, {identification information of AMF2, identification information of slice 2} and {identification information of AMF2, identification information of slice 3} to the NSSAAF.
Optionally, the UDM may send connection state information to the NSSAAF. The connection state information indicates the connection state between the terminal and each AMF serving it. For example, the connection state information indicates that the connection state between terminal A and AMF1 is connected, and the connection state between terminal A and AMF2 is idle.
Optionally, the UDM may send access type information to the NSSAAF. The access type information indicates the access type corresponding to each AMF serving the terminal. For example, the access type information indicates that the access type of AMF1 is 3GPP access, and the access type of AMF2 is non-3GPP access.
As an implementation, the UDM sends a response message to the NSSAAF, where the response message includes the identification information of the AMFs serving terminal A and the identification information of the slices associated with those AMFs. Optionally, the response message further includes the connection state information described above. Optionally, the response message further includes the access type information described above. Optionally, the response message may be Nudm_UECM_Get Resp.
S905: The NSSAAF determines the AMFs associated with slice 2.
Based on the information received in S904, the NSSAAF can learn that the AMFs that serve terminal A and are associated with slice 2 are AMF1 and AMF2.
For slice authorization revocation, if multiple AMFs serving the terminal are associated with the slice, the NSSAAF needs to notify all of those AMFs to revoke the authorization of that slice. Therefore, the NSSAAF notifies AMF1 and AMF2 to initiate authorization revocation of slice 2 for terminal A.
S906a: The NSSAAF notifies AMF1 to initiate authorization revocation of slice 2 for terminal A.
For S906a, refer to S805a.
S906b: The NSSAAF notifies AMF2 to initiate authorization revocation of slice 2 for terminal A.
For S906b, refer to S805b.
S907a: AMF1 revokes the authorization of slice 2 for terminal A.
For S907a, refer to S806a.
S907b: AMF2 revokes the authorization of slice 2 for terminal A.
For S907b, refer to S806b.
Through S902-S906a and S906b, the NSSAAF can use the identification information of slice 2 to accurately obtain the identification information of AMF1 and of AMF2, the AMFs that serve terminal A and are associated with slice 2. By comparison, if the UDM stored only the association between the terminal and the AMF, and not the association among terminal, AMF and slice, the NSSAAF might obtain the identification information of an AMF other than AMF1 and AMF2 with which terminal A is registered, and therefore notify the wrong AMF to revoke the authorization of slice 2, causing a communication exception. In addition, under the same condition the NSSAAF might obtain only one of AMF1 and AMF2 and therefore fail to notify the other AMF to revoke the authorization of slice 2, which also causes a communication exception. The solution of the present application therefore reduces the occurrence of communication exceptions.
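The three lookups above (the slice-filtered UDM query of FIG. 7 and FIG. 8, the NSSAAF-side selection of FIG. 9) and the slice-unaware lookup the text contrasts them with, as an added Python model that is not the patent's or 3GPP's code. The store contents, the external slice identifiers and the notification fields are constructed for the example; only the service names Nudm_UECM_Get and Nnssaaf_NSSAA_Notify come from the text.

```python
"""Model of the terminal/AMF/slice association lookup behind slice authorization
revocation. Added example, not the patent's or 3GPP's code: the store contents,
external identifiers and message fields below are constructed."""
from typing import Dict, List, Set

# Constructed Table 1 style store: terminal -> AMF -> S-NSSAIs associated with that
# (terminal, AMF) registration. Dict insertion order records registration order:
# terminal A registered in PLMN-1 (AMF1) first, then in PLMN-2 (AMF2).
UDM_STORE: Dict[str, Dict[str, Set[str]]] = {
    "gpsi-terminal-A": {
        "AMF1": {"snssai-1", "snssai-2"},
        "AMF2": {"snssai-2", "snssai-3"},
    },
}

# Constructed mapping from an external slice identifier (as an AAA-s may send it)
# to the S-NSSAI used inside the PLMN.
EXTERNAL_SLICE_IDS: Dict[str, str] = {
    "ext-slice-1": "snssai-1",
    "ext-slice-2": "snssai-2",
    "ext-slice-3": "snssai-3",
}


def resolve_snssai(slice_id: str) -> str:
    """Accept either an S-NSSAI or an external identifier (the S702/S802 option)."""
    if slice_id in EXTERNAL_SLICE_IDS:
        return EXTERNAL_SLICE_IDS[slice_id]
    if slice_id in EXTERNAL_SLICE_IDS.values():
        return slice_id
    raise KeyError(f"unknown slice identifier: {slice_id}")


def udm_get_amfs_for_slice(terminal_id: str, slice_id: str) -> List[str]:
    """Nudm_UECM_Get carrying terminal and slice identity (FIG. 7/8, S703/S803):
    the UDM filters on the slice itself and returns every matching AMF."""
    snssai = resolve_snssai(slice_id)
    registrations = UDM_STORE.get(terminal_id, {})
    return [amf for amf, slices in registrations.items() if snssai in slices]


def udm_get_amfs_with_slices(terminal_id: str) -> Dict[str, Set[str]]:
    """Nudm_UECM_Get carrying terminal identity only (FIG. 9, S903/S904): the UDM
    returns {AMF: slices} and leaves the slice filtering to the NSSAAF."""
    return {amf: set(slices) for amf, slices in UDM_STORE.get(terminal_id, {}).items()}


def nssaaf_select_amfs(terminal_id: str, slice_id: str) -> List[str]:
    """FIG. 9, S905: the NSSAAF keeps the AMFs whose slice list contains the slice."""
    snssai = resolve_snssai(slice_id)
    answer = udm_get_amfs_with_slices(terminal_id)
    return [amf for amf, slices in answer.items() if snssai in slices]


def udm_get_amf_without_slice(terminal_id: str) -> List[str]:
    """The comparison case from the text: a UDM that stores only terminal-to-AMF
    associations and answers with the most recent registration, ignoring slices."""
    registrations = list(UDM_STORE.get(terminal_id, {}))
    return registrations[-1:]  # the last registered AMF only, or [] if unknown


def build_revocation_notifications(terminal_id: str, slice_id: str,
                                   targets: List[str]) -> List[dict]:
    """One Nnssaaf_NSSAA_Notify per target AMF (S705 / S805a / S805b). The event
    value and field names are constructed for the example."""
    snssai = resolve_snssai(slice_id)
    return [
        {"service": "Nnssaaf_NSSAA_Notify", "event": "slice-authorization-revocation",
         "terminal": terminal_id, "snssai": snssai, "amf": amf}
        for amf in targets
    ]


def revocation_gap(terminal_id: str, slice_id: str) -> dict:
    """Compare the slice-aware lookup with the slice-unaware one: which AMFs would
    be notified although they are not associated with the slice (wrong AMF), and
    which associated AMFs would never receive the revocation (missed AMF)."""
    correct = set(udm_get_amfs_for_slice(terminal_id, slice_id))
    legacy = set(udm_get_amf_without_slice(terminal_id))
    return {"wrongly_notified": sorted(legacy - correct),
            "missed": sorted(correct - legacy)}
```

With the constructed store, revoking slice 1 through the slice-unaware lookup targets AMF2 instead of AMF1, and revoking slice 2 reaches AMF2 but never AMF1, which are exactly the two communication exceptions the text describes.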
FIG. 10 shows a method of slice authentication and authorization management. In the scenario of FIG. 1, this method presents the solution of the present application in combination with the methods of FIG. 2 to FIG. 9. As shown in FIG. 10:
S1001: Terminal A performs slice authentication and authorization in PLMN-1.
S1001 performs the method shown in FIG. 2.
S1002: Terminal A performs slice authentication and authorization in PLMN-2.
S1002 performs the method shown in FIG. 3.
Through S1001 and S1002, terminal A has performed slice authentication and authorization in PLMN-1 and in PLMN-2 respectively. The AMF that serves terminal A and is associated with slice 1 is AMF1, the AMFs that serve terminal A and are associated with slice 2 are AMF1 and AMF2, and the AMF that serves terminal A and is associated with slice 3 is AMF2.
After terminal A has performed slice authentication and authorization in PLMN-1 and PLMN-2, the AAA-s can, as needed, initiate a slice re-authentication and re-authorization procedure or a slice authorization revocation procedure.
When the AAA-s initiates a slice re-authentication and re-authorization procedure as needed, S1003 can be performed. When the AAA-s initiates a slice authorization revocation procedure as needed, S1004 can be performed.
S1003: Slice re-authentication and re-authorization procedure.
S1003 performs the method shown in FIG. 4, FIG. 5 or FIG. 6.
S1004: Slice authorization revocation procedure.
S1004 performs the method shown in FIG. 7, FIG. 8 or FIG. 9.
Through the method of FIG. 10, the AMFs that serve the terminal and are associated with the slice can be obtained accurately, which ensures the correct execution of the slice re-authentication and re-authorization procedure and the slice authorization revocation procedure and avoids communication errors.
It should be noted that the solution provided by the embodiments of the present application also applies to the scenario in which the terminal is registered with only one AMF. That is, the same solution can be used whether the terminal is registered with one AMF or with multiple AMFs. Implementing both scenarios within the same solution framework reduces implementation complexity.
In the foregoing embodiments, optionally, the NSSAAF may obtain the connection state information between the terminal and the AMF from the AMF. Optionally, the NSSAAF may obtain the access type corresponding to the AMF from the AMF.
In the foregoing embodiments, the functions of the NSSAAF may also be implemented by the AUSF, that is, the NSSAAF in the foregoing embodiments may be replaced with the AUSF.
To implement the technical solutions of FIG. 2 to FIG. 10, an embodiment of this application provides a schematic structural diagram of a network element. Referring to FIG. 11, the network element 1100 shown in FIG. 11 includes a processing unit 1101 and a communication unit 1102. The processing unit 1101 is mainly used for processing, and the communication unit 1102 is mainly used for communicating with other network elements.
In one design, the network element 1100 is an authentication and authorization network element used to implement the functions of the NSSAAF in FIG. 2 to FIG. 10.
As an example of this design, the processing unit 1101 and the communication unit 1102 are used to implement the following method: obtaining a triggering network element that serves a terminal device and is associated with a first slice, and notifying the triggering network element to perform slice authentication and authorization processing of the first slice on the terminal device; where the slice authentication and authorization processing is slice re-authentication and re-authorization, or slice authorization revocation.
Optionally, the authentication and authorization network element obtaining the triggering network element that serves the terminal device and is associated with the first slice includes: the authentication and authorization network element obtaining, from an information storage network element, a first triggering network element associated with the terminal device and the first slice; and the authentication and authorization network element notifying the triggering network element to perform the slice authentication and authorization operation of the first slice on the terminal device includes: the authentication and authorization network element notifying the first triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device.
Optionally, the authentication and authorization network element obtaining, from the information storage network element, the first triggering network element associated with the terminal device and the first slice includes: the authentication and authorization network element sending a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first triggering network element; and the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes first identification information of the first triggering network element.
Optionally, the authentication and authorization network element obtaining the triggering network element that serves the terminal device and is associated with the first slice includes: the authentication and authorization network element obtaining multiple first triggering network elements that serve the terminal device and are associated with the first slice; and the authentication and authorization network element notifying the triggering network element to perform the slice authentication and authorization operation of the first slice on the terminal device includes: the authentication and authorization network element notifying the multiple first triggering network elements to perform the slice authentication and authorization processing of the first slice on the terminal device.
Optionally, the authentication and authorization network element obtaining the multiple first triggering network elements that serve the terminal device and are associated with the first slice includes: the authentication and authorization network element obtaining, from an information storage network element, multiple first triggering network elements associated with the terminal device and the first slice.
Optionally, the authentication and authorization network element obtaining, from the information storage network element, the multiple first triggering network elements associated with the terminal device and the first slice includes: the authentication and authorization network element sending a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first triggering network elements; and the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes identification information of the multiple first triggering network elements.
Optionally, the authentication and authorization network element obtaining the multiple first triggering network elements that serve the terminal device and are associated with the first slice includes: the authentication and authorization network element obtaining, from an information storage network element, multiple second triggering network elements associated with the terminal device and the slices associated with those second triggering network elements; and the authentication and authorization network element determining the multiple first triggering network elements from the multiple second triggering network elements according to the first slice and the slices associated with the multiple second triggering network elements.
Optionally, the authentication and authorization network element obtaining, from the information storage network element, the multiple second triggering network elements associated with the terminal device and the slices associated with those second triggering network elements includes: the authentication and authorization network element sending a first request to the information storage network element, where the first request includes first identification information of the terminal device and is used to obtain the second triggering network elements and the slices associated with them; and the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes identification information of the multiple second triggering network elements and identification information of the slices associated with the multiple second triggering network elements.
Optionally, the slice authentication and authorization processing is slice re-authentication and re-authorization; the authentication and authorization network element obtaining the triggering network element that serves the terminal device and is associated with the first slice includes: the authentication and authorization network element obtaining multiple first triggering network elements that serve the terminal device and are associated with the first slice, and the authentication and authorization network element determining a second triggering network element from the multiple first triggering network elements; and the authentication and authorization network element notifying the triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device includes: the authentication and authorization network element notifying the second triggering network element to perform slice re-authentication and re-authorization of the first slice on the terminal device. With this implementation, when multiple triggering network elements are associated with the slice, a single network element can be selected to perform slice re-authentication and re-authorization for the terminal, which avoids repeated re-authentication and re-authorization and saves signalling.
Optionally, the authentication and authorization network element obtaining the multiple first triggering network elements that serve the terminal device and are associated with the first slice includes: the authentication and authorization network element obtaining, from an information storage network element, multiple first triggering network elements associated with the terminal device and the first slice.
Optionally, the authentication and authorization network element obtaining, from the information storage network element, the multiple first triggering network elements associated with the terminal device and the first slice includes: the authentication and authorization network element sending a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first triggering network elements; and the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes identification information of the multiple first triggering network elements.
Optionally, the authentication and authorization network element obtaining the multiple first triggering network elements that serve the terminal device and are associated with the first slice includes: the authentication and authorization network element obtaining, from an information storage network element, multiple second triggering network elements associated with the terminal device and the slices associated with those second triggering network elements; and the authentication and authorization network element determining the multiple first triggering network elements from the multiple second triggering network elements according to the first slice and the slices associated with the multiple second triggering network elements.
Optionally, the authentication and authorization network element obtaining, from the information storage network element, the multiple second triggering network elements associated with the terminal device and the slices associated with those second triggering network elements includes: the authentication and authorization network element sending a first request to the information storage network element, where the first request includes first identification information of the terminal device and is used to obtain the second triggering network elements and the slices associated with them; and the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes identification information of the multiple second triggering network elements and identification information of the slices associated with the multiple second triggering network elements.
Optionally, the authentication and authorization network element determining the second triggering network element from the multiple first triggering network elements includes: the authentication and authorization network element determining the second triggering network element from the multiple first triggering network elements according to the connection state between the terminal device and each of the multiple first triggering network elements, where the connection state is a connected state or an idle state. Selecting the triggering network element by connection state makes it possible to pick a triggering network element that is better suited to performing the slice authentication and authorization processing.
Optionally, the authentication and authorization network element determining the second triggering network element from the multiple first triggering network elements according to the connection state between the terminal device and the multiple first triggering network elements includes: the authentication and authorization network element determining, from the multiple first triggering network elements, a second triggering network element whose connection state with the terminal device is the connected state.
Optionally, the authentication and authorization network element determining the second triggering network element from the multiple first triggering network elements according to the connection state between the terminal device and the multiple first triggering network elements includes: when the connection state between the terminal device and every one of the multiple first triggering network elements is the idle state, the authentication and authorization network element determining the second triggering network element from the multiple first triggering network elements according to the access types corresponding to the multiple first triggering network elements, where the access type is 3GPP access or non-3GPP access. Further considering the access type when selecting the triggering network element makes it possible to pick a triggering network element that is better suited to performing the slice authentication and authorization processing.
Optionally, the authentication and authorization network element determining the second triggering network element from the multiple first triggering network elements according to the access types corresponding to the multiple first triggering network elements includes: the authentication and authorization network element determining, from the multiple first triggering network elements, a second triggering network element whose corresponding access type is 3GPP access.
Optionally, the authentication and authorization network element determining the second triggering network element from the multiple first triggering network elements includes: the authentication and authorization network element determining the second triggering network element from the multiple first triggering network elements according to the access types corresponding to the multiple first triggering network elements, where the access type is 3GPP access or non-3GPP access.
Optionally, the authentication and authorization network element determining the second triggering network element from the multiple first triggering network elements according to the access types corresponding to the multiple first triggering network elements includes: the authentication and authorization network element determining, from the multiple first triggering network elements, a second triggering network element whose corresponding access type is 3GPP access.
Optionally, the method further includes: the authentication and authorization network element obtaining the connection states of the multiple first triggering network elements from the information storage network element; or the authentication and authorization network element obtaining the connection states of the multiple first triggering network elements from the multiple first triggering network elements themselves.
Optionally, the method further includes: the authentication and authorization network element obtaining the access types corresponding to the multiple first triggering network elements from the information storage network element; or the authentication and authorization network element obtaining the access types corresponding to the multiple first triggering network elements from the multiple first triggering network elements themselves.
Optionally, the first request further includes: a first indication used to indicate that the network element type is AMF; or a second indication used to indicate the slice authentication and authorization processing.
Optionally, the method further includes: the authentication and authorization network element receiving a second request, where the second request includes second identification information of the terminal device and second identification information of the first slice, and the second request is used to request that the slice authentication and authorization processing of the first slice be initiated for the terminal device.
Optionally, the authentication and authorization network element is an NSSAAF, and the triggering network element is an AMF.
Optionally, the information storage network element is a UDM.
In another design, the network element 1100 is an information storage network element used to implement the functions of the UDM in FIG. 2 to FIG. 10.
As an example of this design, the processing unit 1101 and the communication unit 1102 are used to implement the following method:
The information storage network element obtains slice authentication and authorization information, where the slice authentication and authorization information indicates a terminal device, a triggering network element associated with the terminal device, and a slice associated with the terminal device and the triggering network element; the triggering network element is a triggering network element serving the terminal device, and the slice is a slice for which the terminal device has been successfully authenticated and authorized on the triggering network element. The information storage network element receives a first request from an authentication and authorization network element, where the first request is used to request the first triggering network element associated with the terminal device and the first slice. The information storage network element determines the first triggering network element according to the slice authentication and authorization information and the first request, and sends a first response to the authentication and authorization network element, where the first response includes identification information of the first triggering network element.
Optionally, the information storage network element determining the first triggering network element according to the slice authentication and authorization information and the first request includes: the information storage network element determining, according to the slice authentication and authorization information and the first request, multiple second triggering network elements associated with the terminal device and the first slice; and the information storage network element sending the first response including the identification information of the first triggering network element to the authentication and authorization network element includes: the information storage network element sending the first response to the authentication and authorization network element, where the first response includes identification information of the multiple second triggering network elements.
Optionally, the first request further includes a first indication used to indicate slice authorization revocation; and the information storage network element determining, according to the slice authentication and authorization information and the first request, the multiple second triggering network elements associated with the terminal device and the first slice includes: the information storage network element determining the multiple second triggering network elements according to the slice authentication and authorization information, the first request, and the first indication.
Optionally, the information storage network element determining the first triggering network element according to the slice authentication and authorization information and the first request includes: the information storage network element determining, according to the slice authentication and authorization information and the first request, a third triggering network element among the multiple second triggering network elements associated with the terminal device and the first slice; and the information storage network element sending the first response including the identification information of the first triggering network element to the authentication and authorization network element includes: the information storage network element sending the first response to the authentication and authorization network element, where the first response includes identification information of the third triggering network element.
Optionally, the information storage network element determining, according to the slice authentication and authorization information and the first request, the third triggering network element among the multiple second triggering network elements associated with the terminal device and the first slice includes: the information storage network element determining the multiple second triggering network elements according to the slice authentication and authorization information and the first request; and the information storage network element determining the third triggering network element from the multiple second triggering network elements according to the connection state between the terminal device and the multiple second triggering network elements, where the connection state is a connected state or an idle state.
Optionally, the information storage network element determining the third triggering network element from the multiple second triggering network elements according to the connection state between the terminal device and the multiple second triggering network elements includes: the information storage network element determining, from the multiple second triggering network elements, a third triggering network element whose connection state with the terminal device is the connected state.
Optionally, the information storage network element determining the third triggering network element from the multiple second triggering network elements according to the connection state between the terminal device and the multiple second triggering network elements includes: when the connection state between the terminal device and every one of the multiple second triggering network elements is the idle state, the information storage network element determining the third triggering network element from the multiple second triggering network elements according to the access types corresponding to the multiple second triggering network elements, where the access type is 3GPP access or non-3GPP access.
Optionally, the information storage network element determining the third triggering network element from the multiple second triggering network elements according to the access types corresponding to the multiple second triggering network elements includes: the information storage network element determining, from the multiple second triggering network elements, a third triggering network element whose corresponding access type is 3GPP access.
Optionally, the information storage network element determining, according to the slice authentication and authorization information and the first request, the third triggering network element among the multiple second triggering network elements associated with the terminal device and the first slice includes: the information storage network element determining the multiple second triggering network elements according to the slice authentication and authorization information and the first request; and the information storage network element determining the third triggering network element from the multiple second triggering network elements according to the access types corresponding to the multiple second triggering network elements, where the access type is 3GPP access or non-3GPP access.
Optionally, the information storage network element determining the third triggering network element from the multiple second triggering network elements according to the access types corresponding to the multiple second triggering network elements includes: the information storage network element determining, from the multiple second triggering network elements, a third triggering network element whose corresponding access type is 3GPP access.
Optionally, the first request further includes a second indication used to indicate that the network element type is AMF.
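The NSSAAF design and the UDM design above both rest on the same two pieces of logic: a store of (terminal, triggering AMF, slice) records that answers the first request, and a selection rule that notifies every matching AMF for revocation but only one for re-authentication, preferring a connected AMF and then 3GPP access. The following is an added example modelling that logic in Python; it is not code from the patent, the record layout and all identifiers are constructed, and the tie-break between equally ranked AMFs is an assumption the patent does not make.

```python
"""Added example, not code from the patent: a toy model of the UDM's record of
slice authentication/authorization results and of the triggering-AMF selection
rules described in the NSSAAF and UDM designs. All identifiers are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class ConnState(Enum):
    CONNECTED = "connected"
    IDLE = "idle"


class AccessType(Enum):
    GPP3 = "3gpp"
    NON3GPP = "non-3gpp"


class Processing(Enum):
    REAUTH = "slice re-authentication and re-authorization"
    REVOKE = "slice authorization revocation"


@dataclass(frozen=True)
class SliceAuthRecord:
    """(terminal, triggering AMF, slice) tuple an AMF reports to the UDM after
    the terminal was successfully authenticated and authorized for the slice."""
    ue_id: str                # terminal identification information
    amf_id: str               # triggering network element identification
    snssai: str               # slice identification information
    conn_state: ConnState     # terminal's connection state on this AMF
    access_type: AccessType   # access type this AMF serves the terminal over


class InfoStore:
    """Information storage network element (UDM role)."""

    def __init__(self) -> None:
        # keyed so a newer report for the same (terminal, AMF, slice) replaces
        # the older one, e.g. when the connection state changes
        self._records = {}

    def store(self, rec: SliceAuthRecord) -> None:
        self._records[(rec.ue_id, rec.amf_id, rec.snssai)] = rec

    def first_request(self, ue_id: str, snssai: str) -> list[SliceAuthRecord]:
        """First request from the NSSAAF: every triggering network element
        associated with this terminal and this slice, in a stable order."""
        hits = [r for r in self._records.values()
                if r.ue_id == ue_id and r.snssai == snssai]
        return sorted(hits, key=lambda r: r.amf_id)


def select_trigger(candidates: list[SliceAuthRecord]) -> SliceAuthRecord:
    """Choose the single AMF for re-authentication: an AMF the terminal is
    connected to wins; if it is idle on all of them, prefer 3GPP access.
    Remaining ties go to the lowest amf_id (an assumption; the patent does not
    specify a tie-break)."""
    connected = [c for c in candidates if c.conn_state is ConnState.CONNECTED]
    if connected:
        return connected[0]
    three_gpp = [c for c in candidates if c.access_type is AccessType.GPP3]
    return (three_gpp or candidates)[0]


class AuthAuthzNF:
    """Authentication and authorization network element (NSSAAF role)."""

    def __init__(self, store: InfoStore) -> None:
        self._store = store

    def handle_second_request(self, ue_id: str, snssai: str,
                              processing: Processing) -> list[str]:
        """Second request asking to start processing for ue_id on snssai.
        Returns the identifiers of the triggering network elements notified."""
        candidates = self._store.first_request(ue_id, snssai)
        if not candidates:
            return []  # terminal never authorized for this slice anywhere
        if processing is Processing.REVOKE:
            # revocation must reach every AMF on which the slice was authorized
            return [c.amf_id for c in candidates]
        # re-authentication on one AMF is enough; avoids duplicate signalling
        return [select_trigger(candidates).amf_id]


def demo() -> dict[str, list[str]]:
    """Constructed scenario: ue-1 holds slice S1 via two AMFs and S2 via one."""
    udm = InfoStore()
    udm.store(SliceAuthRecord("ue-1", "amf-a", "S1", ConnState.IDLE, AccessType.GPP3))
    udm.store(SliceAuthRecord("ue-1", "amf-b", "S1", ConnState.IDLE, AccessType.NON3GPP))
    udm.store(SliceAuthRecord("ue-1", "amf-b", "S2", ConnState.IDLE, AccessType.NON3GPP))
    nssaaf = AuthAuthzNF(udm)
    out = {"reauth_S1_all_idle": nssaaf.handle_second_request("ue-1", "S1", Processing.REAUTH),
           "revoke_S1": nssaaf.handle_second_request("ue-1", "S1", Processing.REVOKE)}
    # the terminal becomes connected on amf-b: connection state now beats access type
    udm.store(SliceAuthRecord("ue-1", "amf-b", "S1", ConnState.CONNECTED, AccessType.NON3GPP))
    out["reauth_S1_b_connected"] = nssaaf.handle_second_request("ue-1", "S1", Processing.REAUTH)
    out["reauth_unknown_slice"] = nssaaf.handle_second_request("ue-1", "S9", Processing.REAUTH)
    return out
```

The `demo()` scenario shows the two cases the text separates: with both AMFs idle, the 3GPP-access AMF is chosen for re-authentication and both are notified for revocation; once the terminal is connected on the non-3GPP AMF, that AMF is chosen instead.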
In yet another design, the network element 1100 is a triggering network element used to implement the functions of AMF1 or AMF2 in FIG. 2 to FIG. 10.
As an example of this design, the processing unit 1101 and the communication unit 1102 are used to implement the following method:
The triggering network element sends slice authentication and authorization information to an information storage network element, where the slice authentication and authorization information indicates a terminal device, the triggering network element associated with the terminal device, and a slice associated with the terminal device and the triggering network element; the triggering network element is a triggering network element serving the terminal device, and the slice is a slice for which the terminal device has been successfully authenticated and authorized on the triggering network element. The triggering network element receives a notification from an authentication and authorization network element, where the notification instructs it to perform slice authentication and authorization processing of the slice on the terminal device; the slice authentication and authorization processing is slice re-authentication and re-authorization, or slice authorization revocation.
Optionally, the method further includes: the triggering network element initiating the slice authentication and authorization processing of the slice for the terminal device.
参见图12,本申请实施例提供了另一种网元的结构示意图。图12所示的网元1200包括至少 一个处理器1201、存储器1202,可选的,还包括通信接口1203。Referring to FIG. 12, an embodiment of the present application provides a schematic structural diagram of another network element. The network element 1200 shown in FIG. 12 includes at least one processor 1201, a memory 1202, and optionally, a communication interface 1203.
存储器1202可以是易失性存储器,例如随机存取存储器;存储器也可以是非易失性存储器,例如只读存储器,快闪存储器,硬盘(hard disk drive,HDD)或固态硬盘(solid-state drive,SSD)、或者存储器1202是能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质,但不限于此。存储器1202可以是上述存储器的组合。The memory 1202 may be a volatile memory, such as random access memory; the memory may also be a non-volatile memory, such as read-only memory, flash memory, hard disk drive (HDD) or solid-state drive (solid-state drive, SSD) or the memory 1202 is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 1202 may be a combination of the above-mentioned memories.
The specific connection medium between the processor 1201 and the memory 1202 is not limited in the embodiments of this application. In the figure, the memory 1202 and the processor 1201 are connected through a bus 1204, represented by a thick line; the manner of connection between the other components is merely illustrative and not limiting. The bus 1204 may be divided into an address bus, a data bus, a control bus and the like. For ease of presentation, only one thick line is used in FIG. 12, but this does not mean that there is only one bus or one type of bus.
The processor 1201 may have a data transceiving function and can communicate with other devices. In the apparatus shown in FIG. 12, a separate data transceiving module, such as the communication interface 1203, may also be provided to send and receive data; when the processor 1201 communicates with other devices, data may be transmitted through the communication interface 1203.
In one design, the network element 1200 is an authentication and authorization network element, and the processor 1201 may invoke the instructions in the memory 1202 to implement the functions of the NSSAAF in FIG. 2 to FIG. 10 and the functions of the authentication and authorization network element with the structure shown in FIG. 11.
In another design, the network element 1200 is an information storage network element, and the processor 1201 may invoke the instructions in the memory 1202 to implement the functions of the UDM in FIG. 2 to FIG. 10 and the functions of the information storage network element with the structure shown in FIG. 11.
In yet another design, the network element 1200 is a triggering network element, and the processor 1201 may invoke the instructions in the memory 1202 to implement the functions of AMF1 or AMF2 in FIG. 2 to FIG. 10 and the functions of the triggering network element with the structure shown in FIG. 11.
With the above apparatus provided by this application, the AMF that serves the terminal and is associated with the slice can be accurately obtained, which ensures the correct execution of the slice re-authentication and re-authorization procedure and the slice authorization revocation procedure and avoids communication errors.
An embodiment of this application further provides a communication system, which may include some or all of the authentication and authorization network element, the information storage network element and the triggering network element in FIG. 2 to FIG. 11.
It can be understood that, in some scenarios, some optional features in the embodiments of this application may be implemented independently of other features, such as the solution on which they are currently based, to solve the corresponding technical problem and achieve the corresponding effect; in other scenarios they may be combined with other features as required. Correspondingly, the apparatus given in the embodiments of this application may also implement these features or functions, which is not repeated here.
Those skilled in the art can also understand that the various illustrative logical blocks and steps listed in the embodiments of this application may be implemented by electronic hardware, computer software, or a combination of the two. Whether such functions are implemented in hardware or software depends on the specific application and the design requirements of the overall system. Those skilled in the art may use various methods to implement the described functions for a given application, but such implementation should not be construed as going beyond the protection scope of the embodiments of this application.
The solutions described in this application may be implemented in various ways. For example, these techniques may be implemented in hardware, software, or a combination of the two. For a hardware implementation, the processing unit used to perform these techniques at a communication apparatus (for example, a base station, a terminal, a network entity, a core network network element or a chip) may be implemented in one or more general-purpose processors, digital signal processors (DSP), digital signal processing devices, application specific integrated circuits (ASIC), programmable logic devices, field programmable gate arrays (FPGA) or other programmable logic devices, discrete gate or transistor logic, discrete hardware components, or any combination of the above. The general-purpose processor may be a microprocessor; optionally, the general-purpose processor may also be any conventional processor, controller, microcontroller or state machine. The processor may also be implemented by a combination of computing devices, for example a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors together with a digital signal processor core, or any other similar configuration.
It can be understood that the memory in the embodiments of this application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM). It should be noted that the memories of the systems and methods described herein are intended to include, but are not limited to, these and any other suitable types of memory.
This application further provides a computer-readable medium storing a computer program which, when executed by a computer, implements the functions of any of the above method embodiments.
This application further provides a computer program product which, when executed by a computer, implements the functions of any of the above method embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example, infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a digital video disc (DVD)) or a semiconductor medium (for example, a solid state disk (SSD)), and so on.
It can be understood that an "embodiment" mentioned throughout the specification means that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of this application. Therefore, the embodiments throughout the specification do not necessarily refer to the same embodiment. In addition, these particular features, structures or characteristics may be combined in one or more embodiments in any suitable manner. It can be understood that, in the various embodiments of this application, the sequence numbers of the above processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and does not constitute any limitation on the implementation of the embodiments of this application.
It can be understood that in this application, "when", "if" and "in case" all mean that the apparatus performs the corresponding processing under a certain objective condition; they are not time limits, do not require the apparatus to perform a judging action when implemented, and do not imply any other restriction.
In this application, "simultaneously" can be understood as at the same point in time, within a period of time, or within the same cycle.
In this application, an element expressed in the singular is intended to mean "one or more" rather than "one and only one", unless otherwise specified. In this application, unless otherwise specified, "at least one" is intended to mean "one or more", and "multiple" is intended to mean "two or more".
In addition, the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist at the same time, or B exists alone, where A may be singular or plural and B may be singular or plural.
It can be understood that in the embodiments of this application, "B corresponding to A" means that B is associated with A, and B can be determined according to A. However, it should also be understood that determining B according to A does not mean that B is determined only according to A; B may also be determined according to A and/or other information.
The correspondences shown in the tables of this application may be configured or predefined. The values of the information in the tables are merely examples and may be configured to other values, which is not limited in this application. When configuring the correspondence between information and parameters, it is not necessarily required that all correspondences shown in the tables be configured. For example, the correspondences shown in some rows of the tables in this application may be left unconfigured. For another example, appropriate adaptations, such as splitting or merging, may be made on the basis of the above tables. The parameter names shown in the headings of the above tables may also be other names understandable by the communication apparatus, and the values or representations of the parameters may also be other values or representations understandable by the communication apparatus. When the above tables are implemented, other data structures may also be used, for example arrays, queues, containers, stacks, linear lists, pointers, linked lists, trees, graphs, structures, classes, heaps or hash tables.
"Predefined" in this application can be understood as defined, predefined, stored, pre-stored, pre-negotiated, pre-configured, hard-coded or pre-burned.
A person of ordinary skill in the art can understand that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are executed in hardware or software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
A person of ordinary skill in the art can understand that, for convenience and brevity of description, the specific working process of the system, apparatus and units described above may refer to the corresponding process in the foregoing method embodiments, and is not repeated here.
It can be understood that the systems, apparatuses and methods described in this application may also be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The same or similar parts of the embodiments of this application may refer to each other. In the embodiments of this application, and in the implementations/implementation methods within each embodiment, unless otherwise specified or logically conflicting, the terms and/or descriptions of different embodiments, and of the implementations/implementation methods within each embodiment, are consistent and may be cited by one another; the technical features of different embodiments, and of the implementations/implementation methods within each embodiment, may be combined according to their inherent logical relationships to form new embodiments, implementations or implementation methods. The implementations of this application described above do not limit the protection scope of this application.
The above are merely specific implementations of this application, but the protection scope of this application is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application.

Claims (41)

  1. A method for slice authentication and authorization management, characterized in that it comprises:
    an authentication and authorization network element obtaining a triggering network element serving a terminal device and associated with a first slice;
    the authentication and authorization network element notifying the triggering network element to perform slice authentication and authorization processing of the first slice on the terminal device; wherein the slice authentication and authorization processing is: slice re-authentication and re-authorization, or slice authorization revocation.
  2. The method according to claim 1, wherein
    the authentication and authorization network element obtaining the triggering network element serving the terminal device and associated with the first slice comprises:
    the authentication and authorization network element obtaining, from an information storage network element, a first triggering network element associated with the terminal device and the first slice;
    the authentication and authorization network element notifying the triggering network element to perform a slice authentication and authorization operation of the first slice on the terminal device comprises:
    the authentication and authorization network element notifying the first triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device.
  3. The method according to claim 2, wherein the authentication and authorization network element obtaining, from the information storage network element, the first triggering network element associated with the terminal device and the first slice comprises:
    the authentication and authorization network element sending a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first triggering network element;
    the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes first identification information of the first triggering network element.
  4. The method according to claim 1, wherein
    the authentication and authorization network element obtaining the triggering network element serving the terminal device and associated with the first slice comprises:
    the authentication and authorization network element obtaining multiple first triggering network elements serving the terminal device and associated with the first slice;
    the authentication and authorization network element notifying the triggering network element to perform a slice authentication and authorization operation of the first slice on the terminal device comprises:
    the authentication and authorization network element notifying the multiple first triggering network elements to perform the slice authentication and authorization processing of the first slice on the terminal device.
  5. The method according to claim 4, wherein the authentication and authorization network element obtaining the multiple first triggering network elements serving the terminal device and associated with the first slice comprises:
    the authentication and authorization network element obtaining, from an information storage network element, the multiple first triggering network elements associated with the terminal device and the first slice.
  6. The method according to claim 5, wherein the authentication and authorization network element obtaining, from the information storage network element, the multiple first triggering network elements associated with the terminal device and the first slice comprises:
    the authentication and authorization network element sending a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first triggering network elements;
    the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes identification information of the multiple first triggering network elements.
  7. The method according to claim 4, wherein the authentication and authorization network element obtaining the multiple first triggering network elements serving the terminal device and associated with the first slice comprises:
    the authentication and authorization network element obtaining, from an information storage network element, multiple second triggering network elements associated with the terminal device and the slices associated with the multiple second triggering network elements;
    the authentication and authorization network element determining the multiple first triggering network elements from the multiple second triggering network elements according to the first slice and the slices associated with the multiple second triggering network elements.
  8. The method according to claim 7, wherein the authentication and authorization network element obtaining, from the information storage network element, the multiple second triggering network elements associated with the terminal device and the slices associated with the multiple second triggering network elements comprises:
    the authentication and authorization network element sending a first request to the information storage network element, where the first request includes first identification information of the terminal device, and the first request is used to obtain the second triggering network elements and the slices associated with the second triggering network elements;
    the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes identification information of the multiple second triggering network elements and identification information of the slices associated with the multiple second triggering network elements.
  9. The method according to claim 1, wherein the slice authentication and authorization processing is the slice re-authentication and re-authorization;
    the authentication and authorization network element obtaining the triggering network element serving the terminal device and associated with the first slice comprises:
    the authentication and authorization network element obtaining multiple first triggering network elements serving the terminal device and associated with the first slice;
    the authentication and authorization network element determining a second triggering network element from the multiple first triggering network elements;
    the authentication and authorization network element notifying the triggering network element to perform the slice authentication and authorization processing of the first slice on the terminal device comprises:
    the authentication and authorization network element notifying the second triggering network element to perform slice re-authentication and re-authorization of the first slice on the terminal device.
  10. The method according to claim 9, wherein the authentication and authorization network element obtaining the multiple first triggering network elements serving the terminal device and associated with the first slice comprises:
    the authentication and authorization network element obtaining, from an information storage network element, the multiple first triggering network elements associated with the terminal device and the first slice.
  11. The method according to claim 10, wherein the authentication and authorization network element obtaining, from the information storage network element, the multiple first triggering network elements associated with the terminal device and the first slice comprises:
    the authentication and authorization network element sending a first request to the information storage network element, where the first request includes first identification information of the terminal device and first identification information of the first slice, and the first request is used to obtain the first triggering network elements;
    the authentication and authorization network element receiving a first response from the information storage network element, where the first response includes identification information of the multiple first triggering network elements.
  12. 根据权利要求9所述的方法,其中,所述认证授权网元获取服务于所述终端装置的与所述第一切片关联的多个第一触发网元,包括:The method according to claim 9, wherein the acquiring, by the authentication and authorization network element, a plurality of first triggering network elements associated with the first slice serving the terminal device comprises:
    所述认证授权网元从信息存储网元获取与所述终端装置关联的多个第二触发网元以及所述多个第二触发网元关联的切片;Acquiring, by the authentication and authorization network element, multiple second trigger network elements associated with the terminal device and slices associated with the multiple second trigger network elements from an information storage network element;
    所述认证授权网元根据所述第一切片以及所述多个第二触发网元关联的切片从所述多个第二触发网元中确定所述多个第一触发网元。The authentication and authorization network element determines the multiple first trigger network elements from the multiple second trigger network elements according to the first slice and the slices associated with the multiple second trigger network elements.
  13. 根据权利要求12所述的方法,其中,所述认证授权网元从信息存储网元获取与所述终端装置关联的多个第二触发网元以及与所述多个第二触发网元关联的切片,包括:The method according to claim 12, wherein the authentication and authorization network element obtains a plurality of second trigger network elements associated with the terminal device and a plurality of second trigger network elements associated with the plurality of second trigger network elements from an information storage network element. Slices, including:
    所述认证授权网元向所述信息存储网元发送第一请求,所述第一请求包括所述终端装置的第一标识信息,所述第一请求用于获取所述第二触发网元以及与所述第二触发网元关联的切片;The authentication and authorization network element sends a first request to the information storage network element, the first request includes the first identification information of the terminal device, the first request is used to obtain the second triggering network element, and A slice associated with the second triggering network element;
    所述认证授权网元从所述信息存储网元接收第一响应,所述第一响应包括所述多个第二触发 网元的标识信息、以及与所述多个第二触发网元关联的切片的标识信息。The authentication and authorization network element receives a first response from the information storage network element, where the first response includes identification information of the plurality of second triggering network elements and information associated with the plurality of second triggering network elements The identification information of the slice.
  14. 根据权利要求9-13任一所述的方法,其中,所述认证授权网元从所述多个第一触发网元中确定第二触发网元,包括:The method according to any one of claims 9-13, wherein the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements comprises:
    所述认证授权网元根据所述终端装置与所述多个第一触发网元的连接状态从所述多个第一触发网元中确定所述第二触发网元;其中,所述连接状态包括连接态或空闲态。The authentication and authorization network element determines the second trigger network element from the plurality of first trigger network elements according to the connection status between the terminal device and the plurality of first trigger network elements; wherein, the connection status Including connected state or idle state.
  15. 根据权利要求14所述的方法,其中,所述认证授权网元根据所述终端装置与所述多个第一触发网元的连接状态从所述多个第一触发网元中确定所述第二触发网元,包括:The method according to claim 14, wherein the authentication and authorization network element determines the first trigger network element from the plurality of first trigger network elements according to the connection status of the terminal device and the plurality of first trigger network elements Two trigger network elements, including:
    所述认证授权网元从所述多个第一触发网元中确定所述第二触发网元,所述终端装置与所述第二触发网元的连接状态为所述连接态。The authentication and authorization network element determines the second trigger network element from the plurality of first trigger network elements, and the connection state between the terminal device and the second trigger network element is the connection state.
  16. 根据权利要求14所述的方法,其中,所述认证授权网元根据所述终端装置与所述多个第一触发网元的连接状态从所述多个第一触发网元中确定所述第二触发网元,包括:The method according to claim 14, wherein the authentication and authorization network element determines the first trigger network element from the plurality of first trigger network elements according to the connection status of the terminal device and the plurality of first trigger network elements Two trigger network elements, including:
    当所述终端装置与所述多个第一触发网元中的每个第一触发网元的连接状态为所述空闲态时,所述认证授权网元根据所述多个第一触发网元对应的接入类型从所述多个第一触发网元中确定所述第二触发网元;其中,所述接入类型包括3GPP接入和非3GPP接入。When the connection state between the terminal device and each first triggering network element of the plurality of first triggering network elements is the idle state, the authentication and authorization network element is based on the plurality of first triggering network elements The corresponding access type determines the second triggering network element from the plurality of first triggering network elements; wherein, the access type includes 3GPP access and non-3GPP access.
  17. 根据权利要求16所述的方法,其中,所述认证授权网元根据所述多个第一触发网元对应的接入类型从所述多个第一触发网元中确定所述第二触发网元,包括:The method according to claim 16, wherein the authentication and authorization network element determines the second trigger network element from the plurality of first trigger network elements according to the access type corresponding to the plurality of first trigger network elements Yuan, including:
    所述认证授权网元从所述多个第一触发网元中确定所述第二触发网元,所述第二触发网元对应的接入类型为所述3GPP接入。The authentication and authorization network element determines the second triggering network element from the plurality of first triggering network elements, and the access type corresponding to the second triggering network element is the 3GPP access.
  18. 根据权利要求9-13任一所述的方法,其中,所述认证授权网元从所述多个第一触发网元中确定第二触发网元,包括:The method according to any one of claims 9-13, wherein the authentication and authorization network element determining the second triggering network element from the plurality of first triggering network elements comprises:
    所述认证授权网元根据所述多个第一触发网元对应的接入类型从所述多个第一触发网元中确定所述第二触发网元;其中,所述接入类型包括3GPP接入和非3GPP接入。The authentication and authorization network element determines the second triggering network element from the plurality of first triggering network elements according to the access types corresponding to the plurality of first triggering network elements; wherein, the access type includes 3GPP Access and non-3GPP access.
  19. 根据权利要求18所述的方法,其中,所述认证授权网元根据所述多个第一触发网元对应的接入类型从所述多个第一触发网元中确定所述第二触发网元,包括:The method according to claim 18, wherein the authentication and authorization network element determines the second trigger network element from the plurality of first trigger network elements according to the access type corresponding to the plurality of first trigger network elements Yuan, including:
    所述认证授权网元从所述多个第一触发网元中确定所述第二触发网元,所述第二触发网元对应的接入类型为所述3GPP接入。The authentication and authorization network element determines the second triggering network element from the plurality of first triggering network elements, and the access type corresponding to the second triggering network element is the 3GPP access.
  20. 根据权利要求14-16任一所述的方法,其中,所述方法还包括:The method according to any one of claims 14-16, wherein the method further comprises:
    所述认证授权网元从所述信息存储网元获取所述多个第一触发网元的连接状态;或者,The authentication and authorization network element obtains the connection status of the plurality of first triggering network elements from the information storage network element; or,
    所述认证授权网元从所述多个第一触发网元获取所述多个第一触发网元的连接状态。The authentication and authorization network element obtains the connection status of the plurality of first triggering network elements from the plurality of first triggering network elements.
  21. 根据权利要求16-19任一所述的方法,其中,所述方法还包括:The method according to any one of claims 16-19, wherein the method further comprises:
    所述认证授权网元从所述信息存储网元获取所述多个第一触发网元对应的接入类型;或者,The authentication and authorization network element obtains the access types corresponding to the plurality of first triggering network elements from the information storage network element; or,
    所述认证授权网元从所述多个第一触发网元获取所述多个第一触发网元对应的接入类型。The authentication and authorization network element obtains the access types corresponding to the plurality of first triggering network elements from the plurality of first triggering network elements.
  22. 根据权利要求3、6、11、和13任一所述的方法,其中,所述第一请求还包括:The method according to any one of claims 3, 6, 11, and 13, wherein the first request further comprises:
    第一指示,所述第一指示用于指示网元类型为AMF;或者,The first indication, the first indication is used to indicate that the network element type is AMF; or,
    第二指示,所述第二指示用于指示所述切片认证授权处理。A second instruction, where the second instruction is used to instruct the slice authentication and authorization processing.
  23. 根据权利要求1-20任一所述的方法,其中,所述方法还包括:The method according to any one of claims 1-20, wherein the method further comprises:
    所述认证授权网元接收第二请求,所述第二请求包括所述终端装置的第二标识信息和所述第一切片的第二标识信息,所述第二请求用于请求对所述终端装置发起对所述第一切片的所述切片认证授权处理。The authentication and authorization network element receives a second request, the second request includes the second identification information of the terminal device and the second identification information of the first slice, and the second request is used to request the The terminal device initiates the slice authentication and authorization processing for the first slice.
  24. 根据权利要求1-23任一所述的方法,其中,所述认证授权网元为NSSAAF,所述触发网元为AMF。The method according to any one of claims 1-23, wherein the authentication and authorization network element is NSSAAF, and the triggering network element is AMF.
  25. 根据权利要求2-3、5-8、和10-13任一所述的方法,其中所述信息存储网元为UDM。The method according to any one of claims 2-3, 5-8, and 10-13, wherein the information storage network element is UDM.
  26. A slice authentication and authorization management method, comprising:
    an information storage network element obtaining slice authentication and authorization information, the slice authentication and authorization information indicating a terminal device, a triggering network element associated with the terminal device, and a slice associated with the terminal device and the triggering network element, wherein the triggering network element is a triggering network element serving the terminal device and the slice is a slice for which the terminal device has been successfully authenticated and authorized on the triggering network element;
    the information storage network element receiving a first request from an authentication and authorization network element, the first request being used to request a first triggering network element associated with the terminal device and a first slice;
    the information storage network element determining the first triggering network element according to the slice authentication and authorization information and the first request; and
    the information storage network element sending a first response to the authentication and authorization network element, the first response comprising identification information of the first triggering network element.
  27. The method according to claim 26, wherein
    the information storage network element determining the first triggering network element according to the slice authentication and authorization information and the first request comprises:
    the information storage network element determining, according to the slice authentication and authorization information and the first request, a plurality of second triggering network elements associated with the terminal device and the first slice; and
    the information storage network element sending the first response to the authentication and authorization network element, the first response comprising identification information of the first triggering network element, comprises:
    the information storage network element sending the first response to the authentication and authorization network element, the first response comprising identification information of the plurality of second triggering network elements.
  28. The method according to claim 27, wherein the first request further comprises a first indication, the first indication indicating slice authorization revocation; and
    the information storage network element determining, according to the slice authentication and authorization information and the first request, the plurality of second triggering network elements associated with the terminal device and the first slice comprises:
    the information storage network element determining the plurality of second triggering network elements according to the slice authentication and authorization information, the first request, and the first indication.
  29. The method according to claim 26, wherein the information storage network element determining the first triggering network element according to the slice authentication and authorization information and the first request comprises:
    the information storage network element determining, according to the slice authentication and authorization information and the first request, a third triggering network element among a plurality of second triggering network elements associated with the terminal device and the first slice; and
    the information storage network element sending the first response to the authentication and authorization network element, the first response comprising identification information of the first triggering network element, comprises:
    the information storage network element sending the first response to the authentication and authorization network element, the first response comprising identification information of the third triggering network element.
  30. The method according to claim 29, wherein the information storage network element determining the third triggering network element among the plurality of second triggering network elements associated with the terminal device and the first slice comprises:
    the information storage network element determining the plurality of second triggering network elements according to the slice authentication and authorization information and the first request; and
    the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the connection state between the terminal device and each of the plurality of second triggering network elements, wherein the connection state is either a connected state or an idle state.
  31. The method according to claim 30, wherein the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the connection state comprises:
    the information storage network element determining, from the plurality of second triggering network elements, a third triggering network element whose connection state with the terminal device is the connected state.
  32. The method according to claim 30, wherein the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the connection state comprises:
    when the connection state between the terminal device and every one of the plurality of second triggering network elements is the idle state, the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements, wherein the access type is either 3GPP access or non-3GPP access.
  33. The method according to claim 32, wherein the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the access types comprises:
    the information storage network element determining, from the plurality of second triggering network elements, a third triggering network element whose corresponding access type is the 3GPP access.
  34. The method according to claim 29, wherein the information storage network element determining the third triggering network element among the plurality of second triggering network elements associated with the terminal device and the first slice comprises:
    the information storage network element determining the plurality of second triggering network elements according to the slice authentication and authorization information and the first request; and
    the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the access types corresponding to the plurality of second triggering network elements, wherein the access type is either 3GPP access or non-3GPP access.
  35. The method according to claim 34, wherein the information storage network element determining the third triggering network element from the plurality of second triggering network elements according to the access types comprises:
    the information storage network element determining, from the plurality of second triggering network elements, a third triggering network element whose corresponding access type is the 3GPP access.
  36. The method according to any one of claims 26-35, wherein the first request further comprises a second indication, the second indication indicating that the network element type is AMF.
  37. A slice authentication and authorization management method, comprising:
    a triggering network element sending slice authentication and authorization information to an information storage network element, the slice authentication and authorization information indicating a terminal device, the triggering network element associated with the terminal device, and a slice associated with the terminal device and the triggering network element, wherein the triggering network element is a triggering network element serving the terminal device and the slice is a slice for which the terminal device has been successfully authenticated and authorized on the triggering network element; and
    the triggering network element receiving a notification from an authentication and authorization network element, the notification being used to notify the triggering network element to perform the slice authentication and authorization processing of the slice for the terminal device, wherein the slice authentication and authorization processing is slice re-authentication and re-authorization, or slice authorization revocation.
  38. The method according to claim 37, further comprising:
    the triggering network element initiating the slice authentication and authorization processing of the slice for the terminal device.
  39. An authentication and authorization network element, comprising a processor and a memory,
    wherein the processor is configured to read and execute instructions from the memory to implement the method according to any one of claims 1-25.
  40. An information storage network element, comprising a processor and a memory,
    wherein the processor is configured to read and execute instructions from the memory to implement the method according to any one of claims 26-36.
  41. A triggering network element, comprising a processor and a memory,
    wherein the processor is configured to read and execute instructions from the memory to implement the method according to claim 37 or 38.
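The claims above describe one procedure from two sides: the authentication and authorization network element (claims 9-25) asks the information storage network element for the triggering network elements on which a terminal device holds a slice authorized, and one side or the other picks a single triggering network element by connection state (connected before idle) and then by access type (3GPP before non-3GPP); for revocation, every matching triggering network element is returned (claims 27-28). The following is an added example, not code from the patent or from the applicant: a Python model of that exchange with NSSAAF, UDM and AMF roles. The class, method and field names, the dictionary shapes of the first and second request and response, the sender of the second request, the tie-break between two connected AMFs, and the three sample AMF records are all assumptions made for this illustration. It goes slightly beyond the claims by wiring both sides into one call so the selection can be exercised end to end.

```python
# Added example, not part of the patent: a minimal model of the triggering
# network element (AMF) selection described in claims 9-21 (NSSAAF side) and
# 26-36 (UDM side). NF names follow 5G terminology; the class, method and
# field names, request/response dictionaries and sample records are hypothetical.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class ConnState(Enum):
    CONNECTED = "connected"  # UE is in connected state on this AMF
    IDLE = "idle"            # UE is in idle state on this AMF


class AccessType(Enum):
    THREE_GPP = "3GPP"
    NON_3GPP = "non-3GPP"


class SliceAction(Enum):
    REAUTH = "slice re-authentication and re-authorization"
    REVOKE = "slice authorization revocation"


@dataclass(frozen=True)
class AmfRecord:
    """One AMF serving a UE, as reported to the UDM (claim 37)."""
    amf_id: str
    access_type: AccessType
    conn_state: ConnState
    slices: FrozenSet[str]  # slices successfully authenticated/authorized on this AMF


class Udm:
    """Information storage NF holding per-UE slice auth/authz info (claim 26)."""

    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, AmfRecord]] = {}

    def store_slice_auth_info(self, supi: str, record: AmfRecord) -> None:
        self._store.setdefault(supi, {})[record.amf_id] = record

    def handle_first_request(self, request: dict) -> dict:
        """First request (claims 11, 22, 36): UE id, slice id and an NF-type indication.
        First response: every AMF on which this UE holds this slice authorized."""
        if request.get("nf_type") != "AMF":
            raise ValueError("unsupported NF type indication")  # hypothetical check
        ue_amfs = self._store.get(request["supi"], {})
        return {"amfs": [r for r in ue_amfs.values() if request["snssai"] in r.slices]}


def select_triggering_amf(candidates: List[AmfRecord]) -> Optional[AmfRecord]:
    """Claims 14-19: prefer an AMF on which the UE is in connected state; when
    the UE is idle on all of them, prefer 3GPP access over non-3GPP access.
    Assumption: remaining ties are broken by 3GPP access first, then input order."""
    if not candidates:
        return None
    connected = [r for r in candidates if r.conn_state is ConnState.CONNECTED]
    pool = connected or candidates
    # sorted() is stable, so input order is kept among equal access types
    return sorted(pool, key=lambda r: r.access_type is not AccessType.THREE_GPP)[0]


class Nssaaf:
    """Authentication and authorization NF deciding which AMF(s) to notify."""

    def __init__(self, udm: Udm) -> None:
        self._udm = udm

    def handle_second_request(self, supi: str, snssai: str, action: SliceAction) -> dict:
        """Claim 23: a second request (sender not named in the claims; assumed
        external) asks to start the processing; returns the notified AMF ids."""
        first_request = {"supi": supi, "snssai": snssai, "nf_type": "AMF"}
        candidates = self._udm.handle_first_request(first_request)["amfs"]
        if action is SliceAction.REVOKE:
            # Revocation goes to every AMF holding the slice (claims 27-28).
            targets = candidates
        else:
            # Re-authentication needs only one AMF to run it with the UE (claims 9, 29).
            chosen = select_triggering_amf(candidates)
            targets = [chosen] if chosen else []
        return {"action": action.value, "notified": [t.amf_id for t in targets]}


def build_demo_udm() -> Udm:
    """Constructed sample data: one UE registered on three AMFs (hypothetical)."""
    udm = Udm()
    supi = "imsi-001010123456789"
    udm.store_slice_auth_info(supi, AmfRecord("AMF-A", AccessType.THREE_GPP, ConnState.IDLE, frozenset({"S1", "S2"})))
    udm.store_slice_auth_info(supi, AmfRecord("AMF-B", AccessType.NON_3GPP, ConnState.CONNECTED, frozenset({"S1"})))
    udm.store_slice_auth_info(supi, AmfRecord("AMF-C", AccessType.THREE_GPP, ConnState.IDLE, frozenset({"S2"})))
    return udm


if __name__ == "__main__":
    nssaaf = Nssaaf(build_demo_udm())
    supi = "imsi-001010123456789"
    print(nssaaf.handle_second_request(supi, "S1", SliceAction.REAUTH))  # AMF-B: UE connected there
    print(nssaaf.handle_second_request(supi, "S2", SliceAction.REAUTH))  # AMF-A: all idle, 3GPP, first in order
    print(nssaaf.handle_second_request(supi, "S1", SliceAction.REVOKE))  # AMF-A and AMF-B: every holder of S1
```

The selection lives in one function so that either side can own it: the NSSAAF variant of the claims calls it on the list returned by the UDM, and the UDM variant (claims 29-35) would call it before building the first response and return a single identifier instead of the list. A practitioner checking an implementation should confirm the revocation path never collapses to one AMF, since a UE registered over both 3GPP and non-3GPP access would otherwise keep the slice authorized on the access that was not notified.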
PCT/CN2021/091199 2020-04-30 2021-04-29 Slice authentication and authorization management method, apparatus, and system WO2021219107A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010366933.8A CN113676903B (en) 2020-04-30 2020-04-30 Slice authentication authorization management method, device and system
CN202010366933.8 2020-04-30

Publications (1)

Publication Number Publication Date
WO2021219107A1 true WO2021219107A1 (en) 2021-11-04

Family

ID=78373326

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/091199 WO2021219107A1 (en) 2020-04-30 2021-04-29 Slice authentication and authorization management method, apparatus, and system

Country Status (2)

Country Link
CN (1) CN113676903B (en)
WO (1) WO2021219107A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109391502A (en) * 2017-08-04 2019-02-26 华为技术有限公司 A kind of information configuring methods and administrative unit
CN109803350A (en) * 2017-11-17 2019-05-24 华为技术有限公司 A kind of safety communicating method and device
US20200053083A1 (en) * 2018-08-13 2020-02-13 Lenovo (Singapore) Pte. Ltd. Network slice authentication

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
WO2017214932A1 (en) * 2016-06-16 2017-12-21 华为技术有限公司 Network-slice resource management method and apparatus
US11363524B2 (en) * 2016-12-30 2022-06-14 Telefonaktiebolaget Lm Ericsson (Publ) Network slice selection
CN106982458B (en) * 2017-03-09 2019-12-17 华为技术有限公司 Network slice selection method and device
CN108566289B (en) * 2018-01-09 2021-03-30 重庆邮电大学 Slice architecture design management method based on 5G mobile communication network
CN110213780A (en) * 2018-02-28 2019-09-06 中兴通讯股份有限公司 Management method, management and the layout entity and storage medium of network slice

Non-Patent Citations (1)

Title
HUAWEI, HISILICON: "Update NSSAA for two AMFs serving UE", 3GPP DRAFT; S2-2002219, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. e-meeting; 20200224 - 20200227, 18 February 2020 (2020-02-18), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051855603 *

Also Published As

Publication number Publication date
CN113676903A (en) 2021-11-19
CN113676903B (en) 2023-03-10

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 21795395; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 21795395; country of ref document: EP; kind code of ref document: A1)