WO2021244342A1 - Method, apparatus and system for determining user plane security execution information - Google Patents

Info

Publication number: WO2021244342A1
Authority: WO (WIPO (PCT))
Prior art keywords: user plane, terminal device, session, network element, plane security
Application number: PCT/CN2021/095434
Other languages: English (en), French (fr)
Inventors: 吴义壮, 李�赫, 胡力
Original assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Related family publications: EP4161116A4 (application EP21816870.6A), KR20230017311A (application KR1020227046268A), US20230090543A1 (application US18/071,314)

Classifications

All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS.

    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/03 Protecting confidentiality, e.g. by encryption > H04W 12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/50 Secure pairing of devices
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/10 Integrity
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/10 Integrity > H04W 12/102 Route integrity, e.g. using trusted paths
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/30 Security of mobile devices; Security of mobile applications > H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications
    • H04W 28/00 Network traffic management; Network resource management > H04W 28/02 Traffic management, e.g. flow control or congestion control > H04W 28/0268 Traffic management using specific QoS parameters for wireless networks, e.g. QoS class identifier [QCI] or guaranteed bit rate [GBR]
    • H04W 76/00 Connection management > H04W 76/10 Connection setup > H04W 76/14 Direct-mode setup
    • H04W 76/00 Connection management > H04W 76/10 Connection setup > H04W 76/11 Allocation or use of connection identifiers
    • H04W 76/00 Connection management > H04W 76/10 Connection setup > H04W 76/18 Management of setup rejection or failure
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices > H04W 88/02 Terminal devices > H04W 88/04 Terminal devices adapted for relaying to or from another terminal or user
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices > H04W 88/14 Backbone network devices

Definitions

  • This application relates to the field of communication technology, and in particular to a method, device, and system for determining user plane security execution information.
  • D2D: device-to-device.
  • UE: user equipment.
  • When a remote UE is outside the coverage of the communication network, or its communication quality with the access network device in the communication network is poor, it can establish indirect communication with the communication network through a relay device (relay UE) based on D2D communication.
  • The relay device can establish a protocol data unit (PDU) session for the remote device, forward the data received from the remote device to the data network through the PDU session, and send the data obtained from the data network to the remote device through the PDU session.
  • PDU: protocol data unit.
  • The session management network element obtains the identity of the relay device and uses it to obtain the user plane security policy of the session from the unified data management network element or locally.
  • The session management network element then determines the user plane security execution information of the session from that user plane security policy; the access network device uses the user plane security execution information to configure the security activation state between the relay device and the access network device.
  • That is, the session management network element determines the user plane security execution information of the established PDU session according to the subscription information or pre-configured information of the relay device. In a PDU session that carries the remote device's traffic to the data network, only the subscription information or pre-configured information of the relay device is used to determine the user plane security protection method, which may not meet the security requirements of the remote device for data transmission.
  • This application provides a method, device, and system for determining user plane security execution information, so that the security requirements of the remote device for data transmission are met.
  • An embodiment of the present application provides a method for determining user plane security execution information. The method includes: first, a session management network element receives a first request from a mobile access management network element; the first request requests creation of a relay-type session for the first terminal device and includes first information, which indicates that the type of the session is the relay type. The session management network element then determines the first user plane security execution information of the session according to the first information and sends it to the access network device. The first user plane security execution information of the session is used to determine the first user plane security activation state of the session between the first terminal device and the access network device.
  • Because the session management network element obtains the user plane security policy of the relay-type session from the first information, the first user plane security execution information it determines can better meet the security requirements of the remote device and protect the remote device's data.
  • The first request may include an N1 SM container, and the N1 SM container includes the first information; in this case the first request may be a session establishment request.
  • The first request may alternatively include the first information together with the N1 SM container; in this case the first request includes a session establishment request and the first information.
  • The N1 SM container comes from the first terminal device.
  • The first terminal device can send the N1 SM container including the first information to the session management network element through the mobile access management network element, and the first information can also be sent by the mobile access management network element to the session management network element. That is, the first request has multiple forms, suitable for different application scenarios.
  • The session management network element may first obtain the first user plane security policy according to the first information, and then either use the first user plane security policy directly as the first user plane security execution information of the session, or combine it with other judgment information (such as quality of service requirements) to determine the first user plane security execution information of the session according to the first user plane security policy.
  • After the session management network element obtains the first user plane security policy, it can therefore determine the first user plane security execution information in a variety of ways.
  • In one manner, the session management network element obtains the first user plane security policy according to the first information as follows: the session management network element sends a first subscription information acquisition request to the unified data management network element, requesting the user plane security policy subscribed by the first terminal device; the user plane security policy subscribed by the first terminal device indicates both the user plane security policy for relay-type sessions of the first terminal device and the user plane security policy for non-relay-type sessions. The session management network element receives a first subscription information acquisition response from the unified data management network element, which includes the user plane security policy subscribed by the first terminal device, and determines the first user plane security policy from it: the user plane security policy for relay-type sessions of the first terminal device is determined as the first user plane security policy.
  • After the session management network element obtains the user plane security policy subscribed by the first terminal device from the unified data management network element, it can select the first user plane security policy from that subscribed policy based on the first information, and so finally determine user plane security execution information suitable for the relay session.
  • In another manner, the session management network element may send a first subscription information acquisition request that includes a relay indication to the unified data management network element; the relay indication requests the user plane security policy for relay-type sessions of the first terminal device. The relay indication may be the first information itself (see the foregoing), or may be determined according to the first information. The session management network element receives the first subscription information acquisition response from the unified data management network element; the response includes the user plane security policy subscribed by the first terminal device, which includes the first user plane security policy.
  • After the session management network element obtains the user plane security policy subscribed by the first terminal device from the unified data management network element, it can select the first user plane security policy based on the relay indication.
  • The relay indication can be explicit, so that the unified data management network element does not need to recognize the identifier of the second terminal device and can quickly determine the user plane security policy subscribed by the first terminal device.
  • When the first information implicitly indicates that the type of the session is the relay type, for example when the first information is the temporary identifier or anonymized identifier of the second terminal device, the session management network element, when obtaining the first user plane security policy according to the first request, may first obtain the SUPI of the second terminal device according to that temporary identifier or anonymized identifier.
  • The session management network element may obtain the SUPI of the second terminal device from the unified data management network element.
  • The session management network element may then send a first subscription information acquisition request that includes the SUPI of the second terminal device to the unified data management network element, and afterwards receive the first subscription information acquisition response from the unified data management network element.
  • The information carried in the first subscription information acquisition response may be any of the following:
  • The first subscription information acquisition response includes the first user plane security policy.
  • The first subscription information acquisition response includes the user plane security policy for relay-type sessions of the first terminal device; the session management network element then determines the first user plane security policy according to that policy.
  • The first subscription information acquisition response includes the user plane security policy subscribed by the second terminal device, and the session management network element determines the first user plane security policy according to the user plane security policy subscribed by the second terminal device.
  • The session management network element can thus obtain the first user plane security policy from the unified data management network element in a variety of different ways.
  • In another manner, when the session management network element obtains the first user plane security policy according to the first request, it may send a first subscription information acquisition request that includes the first information to the unified data management network element, and receive a first subscription information acquisition response that includes the first user plane security policy.
  • In this manner the session management network element obtains the first user plane security policy directly from the unified data management network element, which is simpler and more efficient.
  • The first information indicates that the type of the session is the relay type.
  • The first information may use an explicit indication; for example, the first information may be a pre-agreed field or character.
  • The first information may also use an implicit indication.
  • For example, the first information is the identifier of the second terminal device, and the identifier of the second terminal device includes some or all of the following: the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the permanent user identifier (SUPI) of the second terminal device.
  • The first information can thus flexibly indicate that the type of the session is the relay type in different ways.
  • When the first user plane security policy indicates that integrity protection is preferred, the session management network element may also refer to the maximum data rate of integrity protection of the first terminal device when determining the first user plane security execution information of the session according to the first user plane security policy. For example, if the session management network element determines that the maximum data rate of integrity protection of the first terminal device is less than the data rate required by the session, it can determine that integrity protection of the session is not required, that is, the first user plane security execution information indicates that integrity protection of the session is not required.
  • The first user plane security execution information determined in this way not only meets the security requirements of the second terminal device but also ensures that the first terminal device can effectively transmit the data of the second terminal device through the session.
  • Alternatively, after determining that the maximum data rate of integrity protection of the first terminal device is less than the data rate required by the session, the session management network element may send a session establishment rejection response to the first terminal device, indicating that establishment of the session is rejected.
  • That is, when the session management network element determines that the first terminal device cannot support the data transmission of the second terminal device with integrity protection turned on, it can refuse to establish the session, thereby protecting the data of the second terminal device.
  • The session management network element may also receive a third request, which indicates that the third terminal device uses the session and includes the identifier of the third terminal device; the third request may be a session modification request or another request.
  • The session management network element determines, according to the identifier of the third terminal device, that the third terminal device uses the session. It can then determine the second user plane security execution information of the session and send it to the access network device; the second user plane security execution information of the session is used to determine the second user plane security activation state of the session between the first terminal device and the access network device.
  • The session management network element can thus update the user plane security execution information of the session to meet the security requirements of the third terminal device.
  • When the session management network element determines the second user plane security execution information of the session based on the identifier of the third terminal device, it may first determine the second user plane security policy based on the identifier of the third terminal device, and then either use the second user plane security policy directly as the second user plane security execution information of the session, or combine it with other judgment information (such as quality of service requirements) to determine the second user plane security execution information of the session according to the second user plane security policy.
  • After the session management network element obtains the second user plane security policy, it can determine the second user plane security execution information in a variety of ways.
  • The identifier of the third terminal device includes some or all of the following: the temporary identifier of the third terminal device, the anonymized identifier of the third terminal device, or the SUPI of the third terminal device.
  • Any of the following manners may be adopted:
  • Manner 1: the session management network element determines the second user plane security execution information of the session according to the second user plane security policy and the first user plane security execution information of the session.
  • Manner 2: the session management network element determines the second user plane security execution information of the session according to the second user plane security policy and the first user plane security policy.
  • Manner 3: the session management network element determines the second user plane security execution information of the session according to the second user plane security policy only.
  • The session management network element can thus determine the second user plane security execution information in a variety of different ways, suitable for different application scenarios.
  • When the session management network element obtains the second user plane security policy according to the identifier of the third terminal device, the procedure is similar to obtaining the first user plane security policy.
  • In one manner, the session management network element sends a second subscription information acquisition request that includes the identifier of the third terminal device to the unified data management network element, and receives a second subscription information acquisition response that includes the second user plane security policy.
  • The session management network element may also determine the second user plane security policy from the user plane security policy subscribed by the first terminal device according to the identifier of the third terminal device.
  • In another manner, the session management network element sends a second subscription information acquisition request that includes the identifier of the third terminal device to the unified data management network element, and receives a second subscription information acquisition response that includes the user plane security policy for relay-type sessions of the first terminal device; the session management network element determines the second user plane security policy according to that policy.
  • In another manner, the session management network element sends a second subscription information acquisition request that includes the identifier of the third terminal device to the unified data management network element, and receives a second subscription information acquisition response that includes the user plane security policy subscribed by the third terminal device; the session management network element determines the second user plane security policy according to the user plane security policy subscribed by the third terminal device.
  • The session management network element can thus obtain the second user plane security policy more flexibly, effectively expanding the application scenarios.
  • The session management network element may send the first user plane security execution information of the session to the access network device.
  • In some cases the session management network element may not send the second user plane security execution information of the session to the access network device.
  • When the second user plane security policy indicates that integrity protection of the session is preferred, the session management network element determines the second user plane security execution information of the session according to the second user plane security policy.
  • The second user plane security execution information determined by the session management network element not only meets the security requirements of the third terminal device but also ensures that the first terminal device can effectively transmit the data of the third terminal device through the session.
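The session management network element's decisions described above (selecting the relay-type policy from the first terminal device's subscription, checking the maximum integrity-protection data rate against the session's required rate, rejecting the session, and re-determining the execution information when a third terminal device joins), as an added Python example that is not part of the patent. The REQUIRED/PREFERRED/NOT_NEEDED values are the standard 3GPP user plane security policy values; the subscription and data rates are constructed, and the stricter-wins rule for combining two policies is an assumption, since the text names the manners but not the combining rule.

```python
"""Relay-type PDU session: deriving user plane (UP) security execution
information in the session management network element, following the
procedure described above. Sample policies and data rates are constructed."""
from dataclasses import dataclass
from enum import Enum


class UpPolicy(str, Enum):
    # Standard 3GPP UP security policy values (TS 33.501).
    REQUIRED = "REQUIRED"
    PREFERRED = "PREFERRED"
    NOT_NEEDED = "NOT_NEEDED"


# Ordering used when two policies must be combined (assumption: stricter wins).
_STRICTNESS = {UpPolicy.NOT_NEEDED: 0, UpPolicy.PREFERRED: 1, UpPolicy.REQUIRED: 2}


@dataclass(frozen=True)
class UpSecurityPolicy:
    integrity: UpPolicy
    ciphering: UpPolicy


@dataclass(frozen=True)
class UpEnforcement:
    """UP security execution information sent to the access network device:
    a concrete on/off decision that becomes the UP security activation state."""
    integrity_on: bool
    ciphering_on: bool


class SessionRejected(Exception):
    """The session management network element answers with a session
    establishment rejection response."""


def select_policy(subscription: dict, session_is_relay: bool) -> UpSecurityPolicy:
    """The relay UE's subscribed policy carries one entry for relay-type
    sessions and one for non-relay sessions; the first information picks one."""
    return subscription["relay"] if session_is_relay else subscription["non_relay"]


def _on(policy: UpPolicy) -> bool:
    # REQUIRED and PREFERRED activate protection; NOT_NEEDED leaves it off.
    return policy is not UpPolicy.NOT_NEEDED


def determine_enforcement(policy: UpSecurityPolicy,
                          max_integrity_rate_bps: int,
                          required_rate_bps: int) -> UpEnforcement:
    """Turn a policy into execution information, checking the relay UE's
    maximum integrity-protected data rate against the session's required rate."""
    rate_ok = max_integrity_rate_bps >= required_rate_bps
    if policy.integrity is UpPolicy.PREFERRED and not rate_ok:
        # Preferred but unaffordable: the text allows deciding "not required".
        integrity_on = False
    elif policy.integrity is UpPolicy.REQUIRED and not rate_ok:
        # Assumption: when integrity cannot be dropped, take the rejection path
        # the text describes rather than silently weakening protection.
        raise SessionRejected("integrity protection required, relay rate too low")
    else:
        integrity_on = _on(policy.integrity)
    return UpEnforcement(integrity_on=integrity_on, ciphering_on=_on(policy.ciphering))


def establish_relay_session(subscription: dict, max_integrity_rate_bps: int,
                            required_rate_bps: int):
    """Relay-type session establishment: returns ('accepted', enforcement)
    or ('rejected', reason)."""
    policy = select_policy(subscription, session_is_relay=True)
    try:
        return "accepted", determine_enforcement(policy, max_integrity_rate_bps,
                                                 required_rate_bps)
    except SessionRejected as exc:
        return "rejected", str(exc)


def stricter(a: UpPolicy, b: UpPolicy) -> UpPolicy:
    return a if _STRICTNESS[a] >= _STRICTNESS[b] else b


def update_for_third_device(first_policy: UpSecurityPolicy,
                            second_policy: UpSecurityPolicy,
                            max_integrity_rate_bps: int,
                            required_rate_bps: int) -> UpEnforcement:
    """Manner 2 above: derive the second execution information from the second
    policy (the third terminal device's) together with the first policy.
    Combining rule is an assumption: the stricter value of each element wins."""
    merged = UpSecurityPolicy(
        integrity=stricter(first_policy.integrity, second_policy.integrity),
        ciphering=stricter(first_policy.ciphering, second_policy.ciphering))
    return determine_enforcement(merged, max_integrity_rate_bps, required_rate_bps)


# Constructed subscription for the relay UE (first terminal device).
RELAY_UE_SUBSCRIPTION = {
    "relay": UpSecurityPolicy(UpPolicy.PREFERRED, UpPolicy.REQUIRED),
    "non_relay": UpSecurityPolicy(UpPolicy.NOT_NEEDED, UpPolicy.PREFERRED),
}

if __name__ == "__main__":
    # Relay UE can integrity-protect 64 kbit/s; the session needs 100 kbit/s.
    print(establish_relay_session(RELAY_UE_SUBSCRIPTION, 64_000, 100_000))
    print(establish_relay_session(RELAY_UE_SUBSCRIPTION, 200_000, 100_000))
```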
  • an embodiment of the present application provides a method for determining user plane security execution information.
  • the method includes: first, the first terminal device may send a second request to the mobile access management network element, and the second request is used to request creation For a relay type session, the second request includes second information, and the second information indicates that the type of the session is a relay type; after that, the first terminal device can receive the first indication information from the access network device, and the first indication information is used To indicate the first user plane security activation state of the session between the first terminal device and the access network device. The first terminal device configures the first user plane security activation state according to the first indication information.
  • the first terminal device when the first terminal device initiates the session creation process, it can indicate the session type of the session at the same time, so that the session management network element can determine the user plane security execution information of the session.
  • the first terminal device may receive the first direct communication request sent by the second terminal device, the first direct communication request is used to establish communication with the first terminal device, and the first terminal device may determine that it needs to establish The second request is sent for the relay type session.
  • the first terminal device may create a relay type session in advance, that is, the first terminal device may send the second request before receiving the first direct communication request of the second terminal device.
  • the first terminal device can determine that a relay-type session needs to be created in different scenarios, and send the second request.
  • the second request may include the N1 SM container, and the N1 SM container includes the second information; in this case, the first request may be a session establishment request.
  • the second request may also include the second information and N1 SM container.
  • the second request includes a session establishment request (that is, N1 SM container) and second information.
  • the second request has multiple composition forms, which are suitable for different application scenarios.
  • the second information to indicate that the type of the session is a relay type.
  • the second information adopts an explicit indication method.
  • the second information can be a pre-appointed field or character.
  • the second information may also adopt an implicit indication method.
  • the second information is the identification of the second terminal device, and the identification of the second terminal device is one of the following: the temporary identification of the second terminal device, the second terminal device The anonymized identification of the second terminal device, the permanent user identification SUPI of the second terminal device.
  • the session is used to transmit the data of the second terminal device.
  • the second information can flexibly indicate that the type of the session is the relay type in different ways.
  • the first terminal device may also receive a second direct communication request sent by the third terminal device.
  • the second direct communication request is used to establish communication with the first terminal device;
  • the direct communication request determines that the third terminal device uses the session; after that, a third request is sent.
  • the third request is used to instruct the third terminal device to use the session, and the third request includes the identity of the third terminal device.
  • the third request may be a session modification request or another request.
  • the first terminal device can notify the session management network element by sending a third request that the third terminal device wants to reuse the session, so that the session management network element can re-determine User plane security execution information.
  • the identifier of the third terminal device includes some or all of the following: the temporary identifier of the third terminal device, the anonymized identifier of the third terminal device, or the SUPI of the third terminal device.
  • the identifier of the third terminal device can be different types of identifiers, which are suitable for different application scenarios.
  • the first terminal device may determine the first terminal device and the first user plane security activation state according to the first user plane security activation state. 2. The security activation status of the terminal device.
  • the first terminal device can configure the security activation state of the PC5 port (the communication interface between the first terminal device and the second terminal device) to ensure the data security of the second terminal device.
  • the first terminal device configures the security activation states of the first terminal device and the second terminal device according to the first user plane security activation state
  • the integrity protection maximum data rate or QoS control information of the second terminal device that is, determine whether to enable the first terminal device and the second terminal according to the integrity protection maximum data rate or QoS control information of the second terminal device. Integrity protection between devices.
  • the user plane security activation state of the first terminal device and the second terminal device can not only ensure the data security of the second terminal device, but also ensure that the second terminal device can effectively transmit data to the first terminal device.
  • when the first terminal device determines that the user plane security policy of the second terminal device indicates that integrity protection is required (this information may be carried in the first direct communication request), it sends a direct communication rejection message to the second terminal device.
  • the first terminal device can refuse to establish direct communication when it determines that the second terminal device cannot support data transmission with integrity protection turned on, so that the security of the data of the second terminal device is guaranteed.
  • the first terminal device may also receive second indication information from the access network device, where the second indication information is used to indicate the second user plane security activation state of the session between the first terminal device and the access network device, and update the first user plane security activation state according to the second indication information; that is, the first user plane security activation state is updated to the second user plane security activation state according to the second indication information.
  • the first terminal device can update the user plane security activation state between the first terminal device and the access network device, so as to ensure the data security of the third terminal device.
  • the first terminal device may also update the security activation state of the first terminal device and the second terminal device according to the second user plane security activation state.
  • the first terminal device can update the security activation state of the PC5 port (the communication interface between the first terminal device and the third terminal device) to ensure the data security of the third terminal device.
  • when integrity protection is required in the second user plane security activation state and the first terminal device updates the security activation states of the first terminal device and the second terminal device according to the second user plane security activation state, it may consider the integrity protection maximum data rate or QoS control information of the third terminal device, and determine whether to enable integrity protection between the first terminal device and the second terminal device according to the integrity protection maximum data rate or the quality of service (QoS) control information of the third terminal device.
  • the user plane security activation state of the first terminal device and the third terminal device can not only ensure the data security of the third terminal device, but also can ensure that the third terminal device can effectively transmit data to the first terminal device.
  • an embodiment of the present application provides a method for determining user plane security execution information.
  • the method includes: first, a mobile access management network element receives a second request sent by a first terminal device, where the second request includes second information, the second request is used to request the creation of a relay type session of the first terminal device, and the second information is used to indicate that the type of the session is the relay type; after that, the mobile access management network element sends a first request to the session management network element according to the second request, where the first request includes first information, the first information is used to indicate that the type of the session is the relay type, and the first request is used to request the creation of a relay type session of the first terminal device.
  • after receiving the second request including the second information, the mobile access management network element sends the first request including the first information to the session management network element in time, so that the session management network element can determine the user plane security execution information of the session based on the first information.
  • the second information is the same as the first information.
  • the first request and the second request include the N1 SM container, and the N1 SM container includes the second information.
  • the first request and the second request can be a session establishment request. That is, the first request and the second request are the same, and the mobile access management network element may directly forward the first request to the session management network element.
  • the second request includes the second information and the N1 SM container; the first request includes the first information and the N1 SM container.
  • the mobile access management network element can identify the second information, and further determine the first information that needs to be carried in the first request.
  • when the mobile access management network element sends the first request to the session management network element based on the second information, it may first determine, based on the second information, whether the first terminal device is authorized to establish the session; if the first terminal device is authorized to establish the session, it then sends the first request to the session management network element; otherwise, it may directly refuse to establish the session.
  • the mobile access management network element can perform an authorization check on the first terminal device according to the second information in advance, so as to ensure that the session can subsequently be established more efficiently.
  • when the second information is the temporary identifier or anonymized identifier of the second terminal device, the mobile access management network element may determine the SUPI of the second terminal device according to the second information, and the SUPI of the second terminal device may be used as the first information.
  • the mobile access management network element can determine the SUPI of the second terminal device, so the first terminal device does not need to transmit the SUPI of the second terminal device, which ensures the security of the SUPI of the second terminal device.
  • the second information indicates that the type of the session is the relay type.
  • the second information adopts an explicit way of indicating, for example, the second information may be a pre-appointed field or character.
  • the second information may also adopt an implicit indication method.
  • the second information is the identifier of the second terminal device, and the identifier of the second terminal device is one of the following: the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the subscription permanent identifier (SUPI) of the second terminal device.
  • the second information can flexibly indicate that the type of the session is the relay type in different ways.
  • the first information indicates that the type of the session is the relay type.
  • the first information adopts an explicit way of indicating, for example, the first information may be a pre-appointed field or character.
  • the first information may also adopt an implicit indication method.
  • the first information is the identifier of the second terminal device, and the identifier of the second terminal device includes some or all of the following: the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the subscription permanent identifier (SUPI) of the second terminal device.
  • the first information can flexibly indicate that the type of the session is the relay type in different ways.
  • the mobile access management network element may also determine according to the second information that the first terminal device is authorized to establish a session for the second terminal device.
  • the mobile access management network element can perform an authorization check on the second terminal device in advance according to the second information, so as to ensure that the first terminal device is allowed to transmit the data of the second terminal device.
  • the embodiments of the present application provide a method for determining user plane security execution information.
  • the method includes: a unified data management network element can provide a first user plane security policy to a session management network element. The following two methods are provided:
  • the unified data management network element may receive a first subscription information acquisition request from the session management network element, where the first subscription information acquisition request includes first information, and the first information is used to indicate that the type of the session is the relay type; the unified data management network element determines the first user plane security policy according to the first information; then, the unified data management network element sends a first subscription information acquisition response to the session management network element, and the first subscription information acquisition response includes the first user plane security policy.
  • the unified data management network element can directly determine the first user plane security policy and feed it back to the session management network element.
  • the unified data management network element receives the first subscription information acquisition request from the session management network element, where the first subscription information acquisition request is used to request the user plane security policy subscribed by the first terminal device, and the user plane security policy subscribed by the first terminal device indicates the user plane security policy of the relay type session and the user plane security policy of the non-relay type session of the first terminal device; the unified data management network element then sends the first subscription information acquisition response to the session management network element, where the first subscription information acquisition response includes the user plane security policy subscribed by the first terminal device, and the user plane security policy subscribed by the first terminal device includes the first user plane security policy.
  • the unified data management network element may only need to feed back the user plane security policy subscribed by the first terminal device to the session management network element, and then the session management network element may determine the first user plane security policy by itself.
  • when the unified data management network element determines the first user plane security policy based on the first information, it may determine the first user plane security policy based on the first information and the user plane security policy subscribed by the first terminal device, where the user plane security policy subscribed by the first terminal device indicates the user plane security policies of the relay type and non-relay type sessions of the first terminal device.
  • the unified data management network element can determine the relay type of the session according to the first information, and then can determine the first user plane security policy.
  • when the first information is the identifier of the second terminal device and the unified data management network element determines the first user plane security policy according to the first information, the unified data management network element obtains the user plane security policy subscribed by the second terminal device from the identifier of the second terminal device, and determines the first user plane security policy according to the user plane security policy subscribed by the second terminal device.
  • the first user plane security policy determined according to the user plane security policy subscribed by the second terminal device can ensure the security requirements of the second terminal device.
  • the unified data management network element receives a second subscription information acquisition request from the session management network element, where the second subscription information acquisition request includes the identifier of the third terminal device; it determines the second user plane security policy according to the identifier of the third terminal device; after that, it sends a second subscription information acquisition response to the session management network element, and the second subscription information acquisition response includes the second user plane security policy.
  • the unified data management network element can determine the relay type of the session according to the second information, and then can determine the second user plane security policy.
  • an embodiment of the present application also provides a communication device, which is applied to a session management network element, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the first aspect described above.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a receiving unit, a processing unit, and a sending unit. These units can perform the corresponding functions in the above-mentioned method example of the first aspect. For details, please refer to the detailed description in the method example, which will not be repeated here.
  • the embodiments of the present application also provide a communication device, the communication device is applied to the first terminal device, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the second aspect.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a receiving unit, a sending unit, and optionally, a processing unit. These units can perform the corresponding functions in the method examples of the second aspect above. For details, refer to the detailed description in the method examples, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a mobile access management network element, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the third aspect.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a receiving unit, a sending unit, and optionally, a processing unit. These units can perform the corresponding functions in the method examples of the third aspect above. For details, refer to the detailed description in the method examples, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a unified data management network element, and the beneficial effects can be referred to the description of the fourth aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the fourth aspect.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a receiving unit, a sending unit, and optionally, a processing unit. These units can perform the corresponding functions in the method example of the fourth aspect. For details, please refer to the detailed description in the method example, which will not be repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a session management network element, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the session management network element to perform the corresponding functions in the above-mentioned method in the first aspect.
  • the memory is coupled with the processor, and stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a communication interface for communicating with other devices.
  • an embodiment of the present application also provides a communication device, which is applied to a first terminal device, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the first terminal device to perform the corresponding function in the method of the second aspect described above.
  • the memory is coupled with the processor, and stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a transceiver for communicating with other devices.
  • an embodiment of the present application also provides a communication device, which is applied to a mobile access management network element, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the mobile access management network element to perform the corresponding functions in the above-mentioned third aspect method.
  • the memory is coupled with the processor, and stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a communication interface for communicating with other devices.
  • the embodiments of the present application also provide a communication device, the communication device is applied to a unified data management network element, and the beneficial effects can be referred to the description of the fourth aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the unified data management network element to perform the corresponding function in the above-mentioned fourth aspect method.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a communication interface for communicating with other devices.
  • the embodiments of the present application also provide a communication system.
  • the communication system includes a session management network element and a unified data management network element;
  • the session management network element is configured to send a first subscription information acquisition request to the unified data management network element, where the first subscription information acquisition request includes a relay indication, and the relay indication is used to request the user plane security policy of the relay type session of the first terminal device;
  • the unified data management network element is used to receive the first subscription information acquisition request, determine the first user plane security policy from the user plane security policy subscribed by the first terminal device according to the first information, where the user plane security policy subscribed by the first terminal device includes the user plane security policies of the relay type and non-relay type sessions of the first terminal device, and send a first subscription information acquisition response to the session management network element, the first subscription information acquisition response including the first user plane security policy;
  • the session management network element is also used to receive the first subscription information acquisition response.
  • the system also includes a mobile access management network element:
  • the mobile access management network element is configured to send a first request to the session management network element, where the first request is used to request the establishment of a relay type session for the first terminal device, and the first request includes first information.
  • the first information is used to indicate that the type of the session is a relay type;
  • the session management network element is configured to receive the first request, and the relay indication is the first information or is determined according to the first information.
  • the session is used to transmit data of the second terminal device, the first information is the identifier of the second terminal device, and the identifier of the second terminal device includes some or all of the following: the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the SUPI of the second terminal device.
  • the system also includes access network equipment.
  • the session management network element is further configured to send the first user plane security execution information of the session to the access network device after determining the first user plane security execution information of the session according to the first user plane security policy.
  • the access network device is used to receive the first user plane security execution information of the session, and activate the first user plane security activation state of the session between the first terminal device and the access network device according to the first user plane security execution information of the session.
  • the system also includes a first terminal device.
  • the access network device is further configured to send a first indication message to the first terminal device, where the first indication message is used to indicate the first user plane security activation state of the session between the first terminal device and the access network device.
  • the first terminal device is configured to receive the first indication message, activate the first user plane security activation state with the access network device according to the first indication message, and configure the security activation state of the first terminal device and the second terminal device according to the first user plane security activation state.
  • the first terminal device is further configured to send a second request to the session management network element after determining that the third terminal device uses the session, where the second request is used to request modification of the session, and the second request includes the identifier of the third terminal device.
  • the session management network element is further configured to obtain a second user plane security policy according to the identifier of the third terminal device, and, after determining the second user plane security execution information of the session according to the second user plane security policy, send the second user plane security execution information of the session to the access network device.
  • the access network device is also used to receive the second user plane security execution information of the session, and update the first user plane security activation state according to the second user plane security execution information of the session, that is, update the first user plane security activation state to the second user plane security activation state.
  • the identifier of the third terminal device includes some or all of the following: the temporary identifier of the third terminal device, the anonymized identifier of the third terminal device, or the SUPI of the third terminal device.
  • the access network device is also used to send a second indication message to the first terminal device, where the second indication message is used to indicate the second user plane security activation state of the session between the first terminal device and the access network device.
  • the first terminal device is configured to receive the second indication message, update the first user plane security activation state according to the second indication message, that is, update the first user plane security activation state to the second user plane security activation state, and update the security activation state of the first terminal device and the second terminal device according to the second user plane security activation state.
  • the first user plane security policy indicates that integrity protection is preferred
  • the session management network element determines the first user plane security execution information of the session according to the first user plane security policy, which is specifically used for:
  • when the session management network element determines that the integrity protection maximum data rate of the first terminal device is lower than the data rate required by the session, it is also used to send a session establishment rejection response to the first terminal device, which is used to indicate that the session establishment is rejected.
  • the session management network element determines the second user plane security execution information of the session according to the second user plane security policy, which is specifically used for:
  • the session management network element obtains the second user plane security policy according to the identifier of the third terminal device, which is specifically used for:
  • the unified data management network element is used to receive the second subscription information acquisition request, determine the second user plane security policy according to the identifier of the third terminal device, and send the second user plane security policy to the session management network element;
  • the session management network element is also used to receive the second user plane security policy from the unified data management network element.
  • before the session management network element sends the second user plane security execution information of the session to the access network device, it is also used to:
  • the second user plane security policy indicates that the integrity protection of the session is preferred, and the session management network element determines the second user plane security execution information of the session according to the second user plane security policy, which is specifically used for:
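As an added illustration of the decision chain laid out in the aspects above (the mobile access management network element mapping the second information to the first information and checking authorization, the unified data management network element returning the relay-type policy, the session management network element deriving the execution information with the integrity protection maximum data rate check, and the relay terminal configuring the PC5 activation state and later re-running the chain when a third terminal joins), here is a small Python model. It is written for this page and is not code from the patent or from the applicant. All identifiers, subscribed policies and data rates are constructed sample data; the NOT_NEEDED policy value and the rule that a "preferred" policy is simply not activated when the rate is insufficient are assumptions; the variant modelled is the one where the first information is the remote terminal's identifier and its own subscribed policy is used.

```python
"""Added example (not from the patent): minimal model of relay-session
user plane (UP) security decisions. Network elements are plain functions;
all identifiers, policies and rates below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# UP security policy values. The page only uses "required"/"preferred";
# NOT_NEEDED is an assumption added to make the policy space complete.
REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not_needed"


@dataclass(frozen=True)
class UpPolicy:
    integrity: str
    ciphering: str


@dataclass(frozen=True)
class ExecInfo:
    """UP security execution / activation state (sent by SMF, applied by RAN)."""
    integrity_on: bool
    ciphering_on: bool


# AMF side (constructed): temporary identifier -> SUPI of remote terminals.
TEMP_ID_TO_SUPI = {"5g-guti-remote-2": "imsi-001010000000002",
                   "5g-guti-remote-3": "imsi-001010000000003"}
# AMF side (constructed): relay SUPI -> set of remote SUPIs it may relay for.
RELAY_AUTH = {"imsi-001010000000001": {"imsi-001010000000002",
                                       "imsi-001010000000003"}}
# UDM side (constructed): subscribed UP policies per SUPI and session type.
SUBSCRIPTIONS = {
    "imsi-001010000000001": {"relay": UpPolicy(PREFERRED, REQUIRED),
                             "non_relay": UpPolicy(NOT_NEEDED, PREFERRED)},
    "imsi-001010000000002": {"relay": UpPolicy(PREFERRED, REQUIRED)},
    "imsi-001010000000003": {"relay": UpPolicy(REQUIRED, REQUIRED)},
}


def amf_forward(relay_supi: str, second_info: str) -> Optional[str]:
    """AMF step: resolve the second information (remote temporary id) to the
    first information (remote SUPI) and check the relay is authorized.
    Returns the first information, or None when the session is refused."""
    remote_supi = TEMP_ID_TO_SUPI.get(second_info)
    if remote_supi is None or remote_supi not in RELAY_AUTH.get(relay_supi, set()):
        return None
    return remote_supi


def udm_policy(supi: str, relay: bool) -> UpPolicy:
    """UDM step: pick the relay-type or non-relay-type subscribed policy."""
    return SUBSCRIPTIONS[supi]["relay" if relay else "non_relay"]


def smf_exec_info(policy: UpPolicy, max_integ_kbps: int,
                  needed_kbps: int) -> Optional[ExecInfo]:
    """SMF step: derive the execution information for the RAN. Returns None
    (session establishment rejected) when integrity is required but the
    terminal's integrity protection maximum data rate is below the need."""
    enough = max_integ_kbps >= needed_kbps
    if policy.integrity == REQUIRED and not enough:
        return None
    # Assumption: a PREFERRED policy is activated only when the rate allows.
    integ = policy.integrity == REQUIRED or (policy.integrity == PREFERRED and enough)
    ciph = policy.ciphering in (REQUIRED, PREFERRED)
    return ExecInfo(integ, ciph)


def relay_pc5_state(uu: ExecInfo, remote_max_integ_kbps: int,
                    needed_kbps: int) -> Optional[ExecInfo]:
    """Relay terminal step: derive the PC5 activation state from the Uu state.
    Returns None (direct communication rejected) when integrity is on over
    Uu but the remote terminal cannot sustain the integrity-protected rate."""
    if uu.integrity_on and remote_max_integ_kbps < needed_kbps:
        return None
    return ExecInfo(uu.integrity_on, uu.ciphering_on)


def establish_relay_session(relay_supi: str, remote_temp_id: str,
                            relay_max_kbps: int, remote_max_kbps: int,
                            needed_kbps: int):
    """Whole chain for one remote terminal; re-run with the third terminal's
    identifier to model the session modification. Returns (uu, pc5)."""
    first_info = amf_forward(relay_supi, remote_temp_id)
    if first_info is None:
        return None, None
    uu = smf_exec_info(udm_policy(first_info, relay=True), relay_max_kbps, needed_kbps)
    if uu is None:
        return None, None
    return uu, relay_pc5_state(uu, remote_max_kbps, needed_kbps)
```

Running the chain a second time with the third terminal's temporary identifier is what changes the outcome: the third terminal's subscription requires integrity, so with the same relay rate the session modification is rejected where the first establishment merely ran without integrity protection.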
  • this application also provides a computer-readable storage medium that stores instructions which, when run on a computer, cause the computer to execute the methods described in the above aspects.
  • this application also provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the methods described in the above aspects.
  • the present application also provides a computer chip connected to a memory, and the chip is configured to read and execute a software program stored in the memory, and execute the methods described in the foregoing aspects.
  • FIG. 1 is an architecture diagram of a system provided by an embodiment of this application.
  • FIG. 2 is a schematic diagram of a method for determining user plane security execution information provided by an embodiment of this application.
  • FIG. 3 is a schematic diagram of a method for determining user plane security execution information provided by an embodiment of this application.
  • FIG. 4 is a schematic diagram of a method for determining user plane security execution information provided by an embodiment of this application.
  • FIG. 5 is a schematic diagram of a method for determining user plane security execution information provided by an embodiment of this application.
  • FIG. 6 is a schematic diagram of a method for determining user plane security execution information provided by an embodiment of this application.
  • FIGS. 7 to 13 are schematic structural diagrams of communication devices provided by embodiments of this application.
  • the network architecture is the network architecture of the 5G system.
  • the network elements in the 5G architecture include terminal equipment (user equipment, UE).
  • the network architecture also includes a radio access network (RAN), access and mobility management function (AMF) network elements, session management function (SMF) network elements, a user plane function (UPF) network element, a unified data management (UDM) network element, an application function (AF) network element, a data network (DN), etc.
  • RAN: radio access network
  • AMF: access and mobility management function
  • SMF: session management function
  • UPF: user plane function
  • UDM: unified data management
  • AF: application function
  • a terminal device is a device with a wireless transceiver function, which can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; it can also be deployed on water (such as on ships); it can also be deployed in the air (such as on airplanes, balloons or satellites).
  • the terminal device may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, etc.
  • terminal devices can be divided into two types, namely remote UEs (such as the second terminal device and the third terminal device) and relay UEs (such as the first terminal device).
  • the remote UE may send a direct communication request (such as a first direct communication request and a second direct communication request) to the relay UE to establish a PC5 communication connection with the relay UE, and the relay
  • the UE can initiate a session establishment process to the SMF network element to establish a session for transmitting data transmission between the remote UE and the DN (the session is essentially a session established by the relay UE through the access network and the network for The data that needs to be transmitted between the remote UE and the data network can also be referred to as a relay session).
  • when the relay UE initiates the session establishment process, it may send the identifier of the remote UE, or indication information indicating that the established session is a relay session, directly to the SMF network element.
  • when the relay UE initiates the session establishment process, it can also send the identifier or indication information of the remote UE to the SMF network element through the AMF network element.
  • RAN: the main function of the RAN is to control the wireless access of terminal equipment to the mobile communication network.
  • the RAN is part of the mobile communication system and implements a wireless access technology. Conceptually, it resides between a device (such as a mobile phone, a computer, or any remotely controlled machine) and the core network, providing the device with a connection to the core network.
  • the AMF network element is responsible for the access management and mobility management of the terminal. In practical applications, it includes the mobility management function of the MME in the LTE network architecture, and adds an access management function.
  • the SMF network element is responsible for session management, such as user session establishment, modification, or deletion.
  • the SMF network element can determine, according to the identifier or indication information of the remote UE, that the session created by the relay UE is a relay session, obtain the user plane security policy of the relay session from the UDM network element, and determine the user plane security execution information of the session required by the RAN based on that policy.
  • the UPF network element is a user plane functional network element, mainly responsible for connecting to external networks. It includes the related functions of the LTE serving gateway (SGW) and the public data network gateway (PDN-GW).
  • SGW serving gateway
  • PDN-GW public data network gateway
  • the DN is the network that provides services to the terminal. For example, some DNs provide the terminal with Internet access, while others provide the terminal with a short message function, and so on.
  • the UDM network element can store the user's subscription information, which is similar to the HSS in 4G.
  • the UDM can determine the subscription permanent identifier (SUPI) of the terminal device according to the anonymized identifier or temporary identifier of the remote UE.
  • the UDM network element also stores the subscribed user plane security policy of the relay UE.
  • the subscribed user plane security policy of the relay UE includes the user plane security policy of the relay session.
  • after the UDM network element receives the subscription information acquisition request from the SMF network element, it feeds back the user plane security policy of the relay session to the SMF network element.
  • the AF network element can be a third-party application server or a device deployed by the operator itself, such as a proxy-call session control function (P-CSCF).
  • P-CSCF proxy-call session control function
  • the AF network element can provide multiple application services.
  • the core network element also includes a unified data repository (UDR) network element and a subscription identifier de-concealing function (SIDF) network element.
  • UDR unified data repository
  • SIDF subscription identifier de-concealing function
  • the UDR network element is mainly used to store user-related subscription data, policy data (such as the user plane security policy of the UE subscription), open structured data, and application data.
  • in this embodiment of the application, the SIDF network element can parse the anonymized identifier (SUCI) of the UE to obtain the SUPI.
  • SIDF network elements can be deployed independently or co-deployed with other network elements. For example, SIDF network elements can be co-deployed with UDM network elements.
  • when the relay UE determines that it needs to create a relay session, it can initiate a session establishment process to the session management network element to establish a relay type session, and during the session establishment process send first information indicating that the session type is the relay type to the session management network element.
  • the session management network element determines the first user plane security policy according to the first information, determines the first user plane security execution information of the session based on the first user plane security policy, and sends the first user plane security execution information of the session to the access network device.
  • the access network device can use the first user plane security execution information of the session to determine the first user plane security activation state, which indicates whether integrity protection and encryption protection of the user plane between the relay UE and the access network device are turned on or off.
  • in this way, the session management network element can obtain the user plane security policy of the relay type session and thereby determine the user plane security execution information of the session, so that the security activation state determined by the access network based on that information can meet the security requirements of the remote UE.
  • there are two methods for determining the user plane security activation state. In the first, the mobile access management network element does not participate: the session management network element determines the user plane security of the session based on the identifier or indication information of the second terminal device. In the second, the mobile access management network element participates: it further processes the information sent by the first terminal device, determines, obtains or generates indication information and sends it to the session management network element, and the session management network element determines the user plane security policy of the session based on that indication information.
  • the two methods are described below:
  • a method for determining user plane security execution information includes:
  • Step 201: the second terminal device sends a first direct communication request to the first terminal device to request the establishment of a communication connection with the first terminal device.
  • the first direct communication request may include the identification of the second terminal device.
  • the identifier of the second terminal device includes, but is not limited to, a temporary identifier, an anonymized identifier, or a subscription permanent identifier (SUPI) of the second terminal device.
  • the temporary identifier is an identifier allocated in advance to the second terminal device.
  • the anonymized identifier can be an identifier that hides the permanent identifier of the terminal device; only a specific network element can obtain the hidden permanent identifier of the terminal device from the anonymized identifier.
  • the anonymized identifier can be a subscription concealed identifier (SUCI); the SUCI is a privacy-protecting identifier that contains the SUPI.
  • Step 202: after receiving the first direct communication request, the first terminal device determines that it needs to create a session for transmitting the data of the second terminal device, that is, a relay type session of the first terminal device, and sends a session establishment request to the session management network element to request the establishment of a relay type session of the first terminal device.
  • the session establishment request may include a session identifier, and the session created in the embodiment of the present application may be a PDU session.
  • a relay type session may also be referred to as a relay session.
  • the relay session refers to a session established by the first terminal device as the relay UE to support data transmission between the remote UE and the data network.
  • the non-relay type session may also be referred to as a non-relay session.
  • a non-relay session is a session established by the first terminal device for itself to support data transmission between the first terminal device and the data network.
  • the first terminal device may carry first information in the session establishment request, the first information indicating that the type of the session is a relay type.
  • the embodiment of the present application does not limit the manner in which the first information indicates that the type of the session is a relay type.
  • the first information may adopt an explicit indication manner, in which case the first information may be a pre-agreed field or character.
  • the first information may adopt an implicit indication manner, in which case the first information may be an identifier of the second terminal device.
  • when the first terminal device sends a session establishment request to the session management network element, it may first send the session establishment request to the mobile access management network element, which forwards it to the session management network element after receiving it.
  • the first terminal device sends the session establishment request to the mobile access management network element by including it in a NAS message.
  • the NAS message also includes the data network name (DNN) and/or the single-network slice selection assistance information (S-NSSAI).
  • DNN data network name
  • S-NSSAI single-network slice selection assistance information
  • Step 203: after receiving the session establishment request, the session management network element determines the first user plane security policy according to the first information.
  • Step 204: after obtaining the first user plane security policy, the session management network element may determine the first user plane security execution information of the relay session according to the first user plane security policy, where the first user plane security execution information of the relay session can be used to determine the first user plane security activation state of the session between the first terminal device and the access network device.
  • the first user plane security activation state of the session between the first terminal device and the access network device is essentially the first user plane security activation state of the communication interface between the first terminal device and the access network device; for convenience of description, this communication interface is referred to as the first interface.
  • Step 205: after determining the first user plane security execution information of the relay session, the session management network element may send the first user plane security execution information of the relay session to the access network device.
  • the embodiment of the present application does not limit the manner in which the session management network element determines the first user plane security policy based on the first information.
  • Four of the manners are listed below:
  • the session management network element obtains the subscription information of the first terminal device.
  • the subscription information of the first terminal device includes the relay identification information and the user plane security policy subscribed by the first terminal device.
  • the relay identification information is used to indicate whether the first terminal device is authorized to establish a relay type session, that is, whether it is allowed to act as a relay device.
  • the user plane security policy subscribed by the first terminal device includes the user plane security policy when the first terminal device is allowed to act as a relay device.
  • the user plane security policy when the first terminal device is allowed to be a relay device includes the user plane security policy of the relay session of the first terminal device.
  • the user plane security policy when the first terminal device is allowed to be a relay device also includes the user plane security policy of the non-relay sessions that the first terminal device is allowed to have while acting as a relay device, that is, the user plane security policy of the non-relay session of the first terminal device.
  • the user plane security policy subscribed by the first terminal device may also include a user plane security policy when the first terminal device is not acting as a relay device.
  • the user plane security policy of the non-relay sessions of the first terminal device while acting as a relay device and the user plane security policy when the first terminal device is not acting as a relay device both belong to the user plane security policies of the first terminal device's non-relay session; the difference lies in whether the first terminal device is allowed to be a relay device.
  • user plane security policy 1 is a user plane security policy identified by the relay identification information, and is the user plane security policy when the first terminal device is used as a relay device.
  • User plane security policy 2 is a user plane security policy when the first terminal device is not used as a relay device.
  • user plane security policy 1 may be used as the user plane security policy for the relay session of the first terminal device, and user plane security policy 2 may be used as the user plane security policy for the non-relay session of the first terminal device.
  • user plane security policy 1 and user plane security policy 2 are user plane security policies identified by the relay identification information.
  • user plane security policy 5 is the user plane security policy when the first terminal device is not used as a relay device.
  • although user plane security policy 3 and user plane security policy 4 do not carry relay identification information, they distinguish between relay sessions and non-relay sessions, which implies that the first terminal device can be used as a relay device.
  • this implicit manner indicates that the first terminal device is allowed to serve as a relay UE; it is essentially the user plane security policy when the first terminal device serves as a relay device.
  • user plane security policy 1 and user plane security policy 3 are user plane security policies for the relay session of the first terminal device; user plane security policy 2, user plane security policy 4 and user plane security policy 5 are user plane security policies for the non-relay session of the first terminal device.
  • alternatively, the user plane security policy subscribed by the first terminal device may not distinguish between the user plane security policy when the first terminal device is allowed to act as a relay device and that when it is not; in that case only relay identification information is added to the subscription information to indicate that the first terminal device is authorized to establish a relay type session, that is, that it can be used as a relay device.
  • the session management network element may select the corresponding user plane security policy according to the DNN and/or S-NSSAI corresponding to the session.
  • the session management network element obtains the subscription information of the first terminal device (including the user plane security policy subscribed by the first terminal device), and determines the first user plane security policy from the first information and the user plane security policy subscribed by the first terminal device.
  • the user plane security policy subscribed by the first terminal device is a subscribed user plane security policy pre-configured by the operator's network for the first terminal device.
  • the user plane security policy subscribed by the first terminal device may include the user plane security policy of the relay type session of the first terminal device.
  • the user plane security policy may also include a user plane security policy for non-relay type sessions.
  • the user plane security policy subscribed by the first terminal device includes the first user plane security policy and/or the second user plane security policy, and may also include the user plane security policy of the non-relay session.
  • the information included in the user plane security policy subscribed by the first terminal device is shown in Table 3:
  • the user plane security policy subscribed by the first terminal device may further include the identifier of the second terminal device.
  • the identifier of the second terminal device is used to indicate the terminal device to which the data to be transmitted by the relay session belongs.
  • the user plane security policy subscribed by the first terminal device includes the user plane security policy when the sessions established with one or more data networks are relayed sessions and non-relayed sessions.
  • the data network can be indicated by the DNN of the data network.
  • the user plane security policy subscribed by the first terminal device may also include single-network slice selection assistance information (S-NSSAI), which is used to identify or indicate network slices.
  • S-NSSAI single-network slice selection assistance information
  • the information included in the user-plane security policy indicates whether to enable encryption protection and integrity protection.
  • the user plane security strategy includes a user plane encryption protection strategy (indicating whether to enable encryption protection) and a user plane integrity protection strategy (indicating whether to enable integrity protection).
  • there are three possible values for the user plane encryption protection strategy, namely not needed, preferred, and required.
  • the user plane integrity protection strategy also has three possible values, namely not needed, preferred, and required. Among them, not needed means that the protection does not need to be turned on, preferred means that it may or may not be turned on, and required means that it must be turned on.
  • the above three possible values can be indicated by 2 bits; for example, 00 indicates not needed, 01 indicates preferred, and 11 indicates required.
  • the specific method used by the user plane encryption protection strategy and the user plane integrity protection strategy to indicate the three possible values is not limited in the embodiment of the present application.
  • user plane encryption protection protects the confidentiality of data during transmission (so it can also be called user plane confidentiality protection). Confidentiality means that the true content of the transmitted data cannot be directly seen.
  • User plane integrity protection means protecting the integrity of data during user plane transmission. Integrity means that the data is original and has not been tampered with.
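The policy values, their 2-bit encoding, and the selection of the first user plane security policy from the subscription information (steps 203 to 205 of the first method) as an added example in Python. This code is not part of the patent or of any 3GPP specification; the subscription layout, the packing of the two strategies into one byte, the DNN and S-NSSAI sample values, and the rule that resolves "preferred" by access network capability are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The three policy values named in the text and the 2-bit codes the text gives
# as an example (00 not needed, 01 preferred, 11 required; 10 is unused).
POLICY_TO_BITS = {"not needed": 0b00, "preferred": 0b01, "required": 0b11}
BITS_TO_POLICY = {bits: name for name, bits in POLICY_TO_BITS.items()}


@dataclass(frozen=True)
class UpSecurityPolicy:
    """A user plane security policy: an encryption (confidentiality) protection
    strategy and an integrity protection strategy, each one of the three values."""
    ciphering: str
    integrity: str

    def encode(self) -> int:
        """Pack both strategies into one byte: ciphering in bits 3..2, integrity in
        bits 1..0. The byte layout is an assumption; the text fixes only the 2-bit codes."""
        return (POLICY_TO_BITS[self.ciphering] << 2) | POLICY_TO_BITS[self.integrity]

    @classmethod
    def decode(cls, value: int) -> "UpSecurityPolicy":
        """Inverse of encode(); rejects the unused code 10 and out-of-range values."""
        if value < 0 or value > 0xF:
            raise ValueError(f"policy byte out of range: {value:#x}")
        ciph, integ = (value >> 2) & 0b11, value & 0b11
        if ciph not in BITS_TO_POLICY or integ not in BITS_TO_POLICY:
            raise ValueError(f"invalid policy encoding: {value:#06b}")
        return cls(BITS_TO_POLICY[ciph], BITS_TO_POLICY[integ])


PolicyTable = Dict[Tuple[str, str], UpSecurityPolicy]  # keyed by (DNN, S-NSSAI)


@dataclass(frozen=True)
class Subscription:
    """Subscription information of the first terminal device (the relay UE) as
    modelled here: the relay identification information plus one policy table for
    relay sessions and one for non-relay sessions, at DNN/S-NSSAI granularity."""
    relay_authorized: bool
    relay_policies: PolicyTable
    non_relay_policies: PolicyTable


def select_policy(sub: Subscription, first_info: Optional[str],
                  dnn: str, s_nssai: str) -> UpSecurityPolicy:
    """Step 203 as modelled here: pick the first user plane security policy.
    first_info is None for a non-relay session; for a relay session it is the
    explicit relay indication or the remote UE's identifier (implicit indication)."""
    is_relay = first_info is not None
    if is_relay and not sub.relay_authorized:
        # Relay identification information says this UE may not act as a relay device.
        raise PermissionError("first terminal device is not authorized to establish a relay session")
    table = sub.relay_policies if is_relay else sub.non_relay_policies
    try:
        return table[(dnn, s_nssai)]
    except KeyError:
        raise LookupError(f"no user plane security policy for DNN/S-NSSAI {(dnn, s_nssai)}") from None


def activation_state(policy: UpSecurityPolicy, ran_supports_ciphering: bool = True,
                     ran_supports_integrity: bool = True) -> Dict[str, bool]:
    """The access network device's side of step 205: turn the policy into an on/off
    state per protection. 'required' must be on and 'not needed' is off per the text;
    'preferred' is left open by the text, and resolving it by capability is an assumption."""
    def resolve(value: str, supported: bool) -> bool:
        if value == "required":
            if not supported:
                raise RuntimeError("policy requires a protection the access network cannot activate")
            return True
        if value == "not needed":
            return False
        return supported  # preferred: activate when the access network is able to
    return {
        "ciphering": resolve(policy.ciphering, ran_supports_ciphering),
        "integrity": resolve(policy.integrity, ran_supports_integrity),
    }


# Constructed sample subscription for the relay UE (values are not from the text).
RELAY_UE_SUBSCRIPTION = Subscription(
    relay_authorized=True,
    relay_policies={("internet", "01-000001"): UpSecurityPolicy("required", "required")},
    non_relay_policies={("internet", "01-000001"): UpSecurityPolicy("required", "preferred")},
)


def relay_session_flow(remote_ue_id: str = "SUCI-remote-ue-example") -> Dict[str, object]:
    """End-to-end run for a relay session: the session management side selects the
    policy and encodes it as execution information; the access network side decodes
    it and derives the activation state."""
    policy = select_policy(RELAY_UE_SUBSCRIPTION, remote_ue_id, "internet", "01-000001")
    wire = policy.encode()  # execution information carried to the access network device
    received = UpSecurityPolicy.decode(wire)
    return {"policy": received, "encoded": wire, "activation": activation_state(received)}


if __name__ == "__main__":
    print(relay_session_flow())
```

Keeping the decoder strict (rejecting the unused code 10) matters because the execution information crosses a trust boundary between core and access network; a lenient decoder that mapped an unknown code to "not needed" would silently downgrade protection.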
  • the user plane security policy subscribed by the first terminal device may be stored locally by the session management network element, or may be obtained by the session management network element from the unified data management network element.
  • the session management network element may, after receiving the session establishment request, obtain the user plane security policy subscribed by the first terminal device from the unified data management network element.
  • the session management network element may send the first subscription information acquisition request to the unified data management network element.
  • the first subscription information acquisition request may carry a relay indication, which is used to request the user plane security policy of the relay type session of the first terminal device; the relay indication may be the first information or may be determined based on the first information.
  • the relay indication may use an explicit indication method to indicate that the type of the session is the relay type, so as to request the user plane security policy of the relay type session of the first terminal device. After receiving the first subscription information acquisition request, the unified data management network element can directly determine from the relay indication that the user plane security policy of the relay type session of the first terminal device needs to be fed back.
  • the unified data management network element sends a first subscription information acquisition response to the session management network element, and the first subscription information acquisition response includes the user plane security policy subscribed by the first terminal device.
  • the session management network element receives the first subscription information acquisition response from the unified data management network element.
  • the session management network element selects the corresponding user plane security policy from the user plane security policy subscribed by the first terminal device as the first user plane security policy according to the first information carried in the session establishment request; that is, the user plane security policy of the relay type session is selected as the first user plane security policy.
  • when the session management network element obtains the user plane security policy subscribed by the first terminal device from the unified data management network element, it may also obtain only part of that subscribed policy, for example only the user plane security policy of the relay session of the first terminal device.
  • the session management network element sends the first subscription information acquisition request to the unified data management network element.
  • the first subscription information acquisition request is used to request the user plane security policy subscribed by the first terminal device, and includes the first information (which may also be a relay indication).
  • after the unified data management network element receives the first subscription information acquisition request, it may determine the user plane security policy of the relay session of the first terminal device from the user plane security policy subscribed by the first terminal device according to the first information.
  • the unified data management network element sends a first subscription information acquisition response to the session management network element, where the first subscription information acquisition response includes the user plane security policy of the relay session of the first terminal device.
  • the session management network element determines whether the session is a relay session according to the first information carried in the session establishment request; if so, the first user plane security policy can be selected from the user plane security policy of the relay session of the first terminal device.
  • the session management network element may also determine whether the session is a relay session according to the first information carried in the session establishment request and, if so, directly request the first user plane security policy from the unified data management network element. That is, the session management network element may send to the unified data management network element a request message requesting the user plane security policy of a session whose type is the relay type; after receiving the request message, the unified data management network element determines the first user plane security policy from the user plane security policy of the relay session and feeds it back to the session management network element.
  • the above takes the session management network element obtaining the user plane security policy subscribed by the first terminal device from the unified data management network element as an example. In fact, the session management network element can also obtain the user plane security policy subscribed by the second terminal device from the unified data management network element through the first information.
  • that is, after the unified data management network element receives the first subscription information acquisition request including the first information, if the first information is the identifier of the second terminal device, the unified data management network element determines the user plane security policy subscribed by the second terminal device according to the first information and carries it in the first subscription information acquisition response.
  • the session management network element determines the first user plane security policy according to the user plane security policy subscribed by the second terminal device.
  • the session management network element may locally store DNN and/or S-NSSAI granular user plane security policy information.
  • the DNN and/or S-NSSAI granular user plane security policy includes the user plane security policy of the relay session and/or the user plane security policy of the non-relay session corresponding to the DNN and/or S-NSSAI.
  • the session management network element can select the corresponding user plane security policy according to the DNN and/or S-NSSAI corresponding to the session.
  • the first information is the anonymized identifier or temporary identifier of the second terminal device.
  • the session management network element first determines the permanent user identifier of the second terminal device, then obtains the user plane security policy of the relay type session of the first terminal device from the unified data management network element according to that identifier, and determines the first user plane security policy according to the first information.
  • the session management network element may first obtain the user permanent identification of the second terminal device from the unified data management network element according to the first information.
  • the session management network element may send a request message carrying the first information to the unified data management network element for requesting to obtain the permanent user identification of the second terminal device.
  • the unified data management network element can obtain the permanent user identifier of the second terminal device according to the first information, and then feed back a response message carrying the permanent user identifier of the second terminal device to the session management network element.
  • the request message may be a newly-added message, or it may be a message that the session management network element needs to send to the unified data management network element in the existing interaction process.
  • the embodiment of the present application does not limit the manner in which the unified data management network element obtains the permanent user identifier of the second terminal device according to the first information.
  • the unified data management network element may store the correspondence between the temporary identifier of the second terminal device and its permanent user identifier, or the correspondence between the anonymized identifier of the second terminal device and its permanent user identifier; after the unified data management network element obtains the first information, it can determine the permanent user identifier of the second terminal device based on the stored correspondence.
  • the unified data management network element may also have an identifier resolution capability, which can resolve the anonymized identifier of the second terminal device into the permanent user identifier of the second terminal device.
  • the unified data management network element may also obtain the permanent user identifier of the second terminal device by interacting with an identifier resolution network element (such as the SIDF network element); for example, it may send the anonymized identifier of the second terminal device to the identifier resolution network element and obtain the permanent user identifier of the second terminal device from it.
  • after the session management network element obtains the permanent user identifier of the second terminal device, it may obtain the user plane security policy of the relay type session of the first terminal device from the unified data management network element according to the permanent user identifier of the second terminal device.
  • the session management network element may send a first subscription information acquisition request carrying the permanent user identifier of the second terminal device to the unified data management network element to request the user plane security policy of the relay type session of the first terminal device; optionally, the first subscription information acquisition request may also include the DNN and/or S-NSSAI.
  • the unified data management network element then feeds back to the session management network element the first subscription information acquisition response carrying the user plane security policy of the session of the relay type of the first terminal device.
  • the session management network element receives the user plane security policy of the first terminal device relay type session from the unified data management network element.
  • the unified data management network element may also determine the user plane security policy subscribed by the second terminal device according to the permanent user identifier of the second terminal device, and use it as the first user plane security policy. If the user plane security policy subscribed by the second terminal device includes multiple user plane security policies, the unified data management network element may select one of them as the first user plane security policy; for example, it may determine the first user plane security policy from the multiple user plane security policies according to the DNN and/or S-NSSAI, and then feed the first user plane security policy back to the session management network element.
  • the user plane security policy subscribed by the second terminal device is a subscribed user plane security policy pre-configured by the operator's network for the second terminal device.
  • the information indicated by the user plane security policy subscribed by the second terminal device may be similar to the information indicated by the user plane security policy subscribed by the first terminal device, that is, the user plane security policy subscribed by the second terminal device may be Instructing the second terminal device as the user plane security policy of the relay session when the remote UE accesses the network through the relay UE, and instructing the user plane security policy of the non-relay session when the second terminal device directly creates the session.
  • the unified data management network element determines the first user plane security policy, it may determine the first user plane security policy according to the user plane security policy of the relay session when the second terminal device is a remote UE accessing the network through the relay UE.
  • The session management network element may directly obtain the first user plane security policy from the unified data management network element.
  • The session management network element may directly send a first subscription information acquisition request carrying the first information to the unified data management network element to request the first user plane security policy.
  • The first subscription information acquisition request may also include the DNN and/or S-NSSAI, which the unified data management network element uses to obtain the subscription information corresponding to the DNN and/or S-NSSAI; that subscription information includes the corresponding user plane security policy.
  • The session management network element may also determine relay indication information according to the first information, where the relay indication information indicates that the type of the session is the relay type; that is, the session management network element generates a relay indication according to the first information and carries the relay indication in the first subscription information acquisition request.
  • The first information and the relay indication may indicate that the type of the session is the relay type in different ways.
  • The relay indication may also be the same as the first information; that is, the session management network element carries the first information itself in the first subscription information acquisition request.
  • The unified data management network element may determine, according to the first information, that it needs to acquire the subscription information of the relay type session, that is, determine the first user plane security policy.
  • The unified data management network element may obtain the first user plane security policy from the user plane security policy subscribed by the first terminal device.
  • The unified data management network element may also provide the user plane security policy subscribed by the second terminal device to the session management network element, and the session management network element may use the user plane security policy subscribed by the second terminal device as the first user plane security policy.
  • The subscription information of the second terminal device may include the user plane security policy of the relay session used when the second terminal device, as a remote UE, accesses the network through the relay UE; the unified data management network element may provide that user plane security policy to the session management network element as the first user plane security policy.
  • When the first information is the temporary identifier or anonymized identifier of the second terminal device, the unified data management network element may determine the permanent user identifier of the second terminal device according to that temporary or anonymized identifier. The unified data management network element then obtains the user plane security policy subscribed by the second terminal device according to the permanent user identifier and provides it to the session management network element, and the session management network element uses the user plane security policy subscribed by the second terminal device as the first user plane security policy.
  • After the unified data management network element determines the first user plane security policy, it feeds back a first subscription information acquisition response carrying the first user plane security policy to the session management network element.
  • The session management network element receives the first user plane security policy from the unified data management network element.
  • The information exchanged between the session management network element and the unified data management network element is uniformly named the first subscription information acquisition request and the first subscription information acquisition response, but in different implementations the information carried in the first subscription information acquisition request and the first subscription information acquisition response may differ.
  • The first user plane security execution information of the relay session determined in step 204 is similar to the first user plane security policy: it can indicate whether encryption protection and integrity protection are enabled between the first terminal device and the access network device in the relay session, where the values of encryption protection and integrity protection are similar to the values of the user plane encryption protection policy and the user plane integrity protection policy described above. For details, refer to the foregoing content, which is not repeated here.
  • The session management network element may directly use the first user plane security policy as the first user plane security execution information of the relay session.
  • The session management network element may also analyze the information of the first terminal device. The information of the first terminal device includes, but is not limited to, the integrity protection maximum data rate of the first terminal device and the quality of service (QoS) control information of the first terminal device, such as the data rate required by the relay session of the first terminal device.
  • The session management network element may analyze the information of the first terminal device, modify the first user plane security policy accordingly, and thereby determine the first user plane security execution information of the relay session.
  • For example, if the first user plane security policy indicates that the user plane encryption protection policy is preferred, the session management network element needs to further determine whether the encryption protection of the first interface is enabled, and then determine the first user plane security execution information of the relay session.
  • If the first user plane security policy indicates that both the user plane encryption protection policy and the user plane integrity protection policy are preferred, the session management network element needs to further determine whether to enable both the encryption protection and the integrity protection of the first interface.
  • How the session management network element further determines the first user plane security execution information of the relay session is not limited in the embodiments of the present application.
  • The session management network element may determine the first user plane security execution information of the relay session according to the integrity protection maximum data rate of the first terminal device.
  • The integrity protection maximum data rate of the first terminal device indicates the data transmission rate the first terminal device supports after integrity protection is turned on. If the first user plane security policy indicates that the user plane integrity protection policy is preferred, the session management network element determines whether the data transmission rate supported by the first terminal device after integrity protection is turned on can meet the data rate required by the relay session.
  • The data rate required by the relay session is determined by the session management network element according to the DNN and/or S-NSSAI of the session and/or other parameters used to determine the data rate.
  • The data rate required by the relay session may be obtained by the session management network element from a unified data management network element or a policy control network element (such as a PCF network element), or according to local configuration.
  • Where that supported rate cannot meet the data rate required by the relay session, the session management network element can determine that the integrity protection in the user plane security execution information is not needed, that is, turn off integrity protection of the first interface.
  • Where that supported rate can meet the required data rate, the session management network element can determine that the integrity protection in the user plane security execution information is required, that is, turn on integrity protection of the first interface.
  • The session management network element may then create the relay session and execute step 205.
  • The session management network element may also refuse to establish the relay session according to the integrity protection maximum data rate of the first terminal device.
  • For example, the first user plane security policy indicates that user plane integrity protection is to be enabled. If the integrity protection maximum data rate of the first terminal device is less than the data rate required by the relay session, that is, after integrity protection is enabled the first terminal device cannot transmit data at the data rate required by the relay session, the session management network element may refuse to establish the relay session and send a session establishment rejection response to the first terminal device.
  • The access network device may configure the first user plane security activation state of the first interface; that state indicates whether encryption protection and integrity protection are enabled between the first terminal device and the access network device in the relay session. The access network device sends indication information indicating the first user plane security activation state of the first interface to the first terminal device, to inform the first terminal device whether encryption protection and integrity protection are enabled on the first interface.
  • The encryption protection in the first user plane security activation state has only two states, on and off; the integrity protection in the first user plane security activation state likewise has only two states, on and off.
  • The first user plane security activation state is the finally determined user plane security activation state of the first interface.
  • The first terminal device may determine the security activation state between the first terminal device and the second terminal device according to the first user plane security activation state of the first interface.
  • The security activation state of the first terminal device and the second terminal device indicates whether encryption protection and integrity protection are enabled when the first terminal device and the second terminal device transmit data.
  • The security activation state of the first terminal device and the second terminal device is essentially the security activation state of the communication interface between them; the encryption protection in this security activation state has only two states, on and off, and the integrity protection likewise has only two states, on and off.
  • This security activation state is the final security activation state of the communication interface between the first terminal device and the second terminal device.
  • The communication interface between the first terminal device and the second terminal device is referred to as the second interface.
  • The first terminal device may set the security activation state of the second interface to be consistent with the first user plane security activation state of the first interface.
  • The first terminal device may also analyze the first user plane security activation state of the first interface to determine the security activation state of the second interface. If the first user plane security activation state of the first interface indicates that integrity protection of the first interface is enabled, the first terminal device may further determine whether integrity protection of the second interface is enabled.
  • How the first terminal device determines the security activation state of the second interface is not limited in this embodiment of the application.
  • The first terminal device may determine the security activation state of the second interface according to the integrity protection maximum data rate or the quality of service (QoS) control information of the second terminal device.
  • The integrity protection maximum data rate or QoS control information of the second terminal device may be carried in the first direct communication request.
  • The way the first terminal device determines the security activation state of the second interface according to the integrity protection maximum data rate of the second terminal device is the same as the way the session management network element determines the first user plane security execution information of the session according to the integrity protection maximum data rate of the first terminal device, and is not repeated here.
  • The QoS control information of the second terminal device indicates the requirements of the second terminal device during data transmission, such as the required bandwidth, data transmission rate, delay, and packet loss rate.
  • The first terminal device may determine whether the second terminal device can support turning on integrity protection according to the QoS control information of the second terminal device.
  • For example, the QoS control information of the second terminal device indicates that the bandwidth required for the second terminal device to transmit data must be 100 megabytes, but the bandwidth that can be supported after integrity protection is turned on is only 50 megabytes; the first terminal device may then determine that integrity protection is not turned on.
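The decision logic of step 204 (policy plus integrity protection maximum data rate, with the rejection case) and the relay UE's second-interface determination above, as an added Python example that is not the patent's own code. The rate units, the resolution of a "preferred" encryption policy to on, and the rule that the second interface cannot enable integrity protection the first interface lacks are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    """Values of a user plane encryption or integrity protection policy."""
    NOT_NEEDED = "not needed"
    PREFERRED = "preferred"
    REQUIRED = "required"


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class ActivationState:
    """User plane security execution information / activation state: on or off only."""
    ciphering_on: bool
    integrity_on: bool


class SessionRejected(Exception):
    """Raised when the session management network element refuses the relay session."""


def determine_first_execution_info(policy: UpSecurityPolicy,
                                   ip_max_rate_mbps: float,
                                   required_rate_mbps: float) -> ActivationState:
    """Step 204: derive the first user plane security execution information of the
    relay session from the first user plane security policy and the first terminal
    device's integrity protection maximum data rate.

    ip_max_rate_mbps: rate the first terminal device supports once integrity
    protection is on.  required_rate_mbps: rate the relay session needs (on the
    page it comes from DNN/S-NSSAI, the PCF or local configuration).  Units assumed.
    """
    # No data-rate constraint is described for encryption, so "preferred"
    # encryption is resolved to on here (assumed local choice of the SMF).
    ciphering_on = policy.ciphering is not Policy.NOT_NEEDED

    rate_ok = ip_max_rate_mbps >= required_rate_mbps
    if policy.integrity is Policy.REQUIRED:
        if not rate_ok:
            # Integrity must be on but the device cannot then reach the needed
            # rate: refuse the session (session establishment rejection response).
            raise SessionRejected("integrity protection maximum data rate too low")
        integrity_on = True
    elif policy.integrity is Policy.PREFERRED:
        # Turn integrity on only if the device can still meet the required rate.
        integrity_on = rate_ok
    else:
        integrity_on = False
    return ActivationState(ciphering_on, integrity_on)


def relay_session_accepted(policy: UpSecurityPolicy,
                           ip_max_rate_mbps: float,
                           required_rate_mbps: float) -> bool:
    """True when step 204 yields execution information, False when it rejects."""
    try:
        determine_first_execution_info(policy, ip_max_rate_mbps, required_rate_mbps)
        return True
    except SessionRejected:
        return False


def determine_second_interface_state(first_interface: ActivationState,
                                     remote_required_mb: float,
                                     remote_supported_with_ip_mb: float) -> ActivationState:
    """Relay UE side: derive the second interface's activation state from the first
    interface's activation state and the remote UE's QoS control information.

    The page's example: the remote UE needs 100 megabytes of bandwidth but supports
    only 50 with integrity protection on, so integrity is not turned on.  Encryption
    follows the first interface; integrity can only be on if the first interface
    has it on (assumed reading of "consistent with the first interface").
    """
    integrity_on = (first_interface.integrity_on
                    and remote_supported_with_ip_mb >= remote_required_mb)
    return ActivationState(first_interface.ciphering_on, integrity_on)


if __name__ == "__main__":
    # Constructed sample values, not from the page.
    pol = UpSecurityPolicy(Policy.PREFERRED, Policy.PREFERRED)
    uu = determine_first_execution_info(pol, ip_max_rate_mbps=64, required_rate_mbps=100)
    print("first interface:", uu)
    print("second interface:", determine_second_interface_state(uu, 100, 50))
```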
  • The user plane security policy of the relay session created by the first terminal device is determined based on the first information, so that the first terminal device can transmit the data of the second terminal device through the relay session while ensuring the security of the transmitted data.
  • The first terminal device may also establish communication with other terminal devices, and those other terminal devices may interact with the data network through the session of the first terminal device.
  • The first terminal device can also use the established relay session to transmit data of other terminal devices.
  • When the relay session is reused by other terminal devices, the user plane security policy of the relay session may need to be determined again.
  • Taking the other device as the third terminal device as an example, the method of re-determining the user plane security policy of the relay session is described below.
  • The third terminal device may send a second direct communication request to the first terminal device, which is used to request establishment of communication with the first terminal device.
  • The second direct communication request may include the identifier of the third terminal device.
  • The identifier of the third terminal device includes but is not limited to: the temporary identifier, anonymized identifier and SUPI of the third terminal device.
  • After receiving the second direct communication request, the first terminal device determines that the established session also needs to transmit data of the third terminal device, that is, the third terminal device needs to use the relay session.
  • The first terminal device sends a session modification request to the session management network element, which is used to request modification of the relay session.
  • The session modification request may also be another session management message or a newly defined session management message.
  • The session modification request may include the identifier of the third terminal device, and may also carry the identifier of the relay session, which indicates the relay session that needs to be modified.
  • After the session management network element receives the session modification request, it can determine, according to the identifier of the third terminal device, that the third terminal device uses the relay session.
  • The session management network element can then determine the second user plane security policy. The manner in which the session management network element determines the second user plane security policy is similar to step 203; for details, refer to the foregoing content, which is not repeated here. Further, the session management network element determines whether to update the user plane security execution information of the relay session according to the second user plane security policy.
  • After the session management network element determines the second user plane security policy, it may determine the second user plane security execution information of the relay session according to the second user plane security policy.
  • The second user plane security execution information of the relay session can be used to determine the second user plane security activation state of the session between the first terminal device and the access network device.
  • There are several ways in which the session management network element determines the second user plane security execution information of the relay session according to the second user plane security policy, three of which are listed below:
  • First manner: the session management network element determines the second user plane security execution information of the relay session based only on the second user plane security policy. This is similar to step 204; for details, refer to the foregoing content, which is not repeated here.
  • The session management network element can compare the second user plane security execution information of the relay session with the first user plane security execution information of the relay session. If they are consistent, the first user plane security activation state of the first interface can remain unchanged, and the session management network element need not notify the access network device of the second user plane security execution information. If they are inconsistent, the session management network element may need to notify the access network device of the second user plane security execution information, so that the access network device can configure the second user plane security activation state of the first interface and send indication information of the second user plane security activation state of the first interface to the first terminal device, informing the first terminal device whether encryption protection and integrity protection are enabled for the first interface.
  • After receiving the indication information indicating the second user plane security activation state of the first interface, the first terminal device can update the security activation state of the second interface according to the second user plane security activation state of the first interface.
  • The method of updating the security activation state of the second interface according to the second user plane security activation state of the first interface is similar to the way the first terminal device determines the security activation state of the second interface according to the first user plane security activation state of the first interface.
  • Second manner: the session management network element determines the second user plane security execution information of the relay session according to the second user plane security policy and the first user plane security policy.
  • The session management network element determines whether the first interface enables encryption protection and integrity protection according to the second user plane security policy and the first user plane security policy.
  • For example, the first user plane security policy indicates that the user plane encryption protection policy is preferred and the user plane integrity protection policy is not needed, and the second user plane security policy indicates that both the user plane encryption protection policy and the user plane integrity protection policy are required; the session management network element may then determine that encryption protection of the first interface is required and user plane integrity protection is required.
  • For another example, the first user plane security policy indicates that the user plane encryption protection policy is required and the user plane integrity protection policy is not needed, and the second user plane security policy indicates that both the user plane encryption protection policy and the user plane integrity protection policy are required; the session management network element may then determine that both encryption protection and integrity protection of the first interface are required.
  • The session management network element can retain the user plane encryption protection policy or user plane integrity protection policy that is consistent between the second user plane security policy and the first user plane security policy, and use the retained user plane encryption protection policy or user plane integrity protection policy as the corresponding encryption protection or integrity protection in the second user plane security execution information of the first interface.
  • Where they differ, the session management network element can give priority to the user plane integrity protection policy or user plane encryption protection policy that improves security, for example selecting the user plane integrity protection policy as required and the user plane encryption protection policy as required, and use the preferentially selected user plane integrity protection policy or user plane encryption protection policy as the corresponding integrity protection or encryption protection in the second user plane security execution information of the first interface.
  • The session management network element can then compare the second user plane security execution information of the relay session with the first user plane security execution information of the relay session.
  • For the operations performed by the session management network element after the comparison and the operations performed by the first terminal device, refer to the description of the first manner, which is not repeated here.
  • Third manner: the session management network element determines the second user plane security execution information of the relay session according to the second user plane security policy and the first user plane security execution information of the relay session.
  • The method by which the session management network element determines the second user plane security execution information of the relay session according to the second user plane security policy and the first user plane security execution information of the relay session is similar to the second manner: the session management network element can retain the encryption protection or integrity protection that is consistent between the second user plane security policy and the first user plane security execution information of the relay session, and use the retained encryption protection or integrity protection as the corresponding encryption protection or integrity protection in the second user plane security execution information of the first interface.
  • Where they differ, the session management network element can preferentially select the integrity protection or encryption protection that improves security, such as selecting encryption protection on and integrity protection on.
  • The session management network element can then compare the second user plane security execution information of the relay session with the first user plane security execution information of the relay session.
  • For the operations performed by the session management network element after the comparison and the operations performed by the first terminal device, refer to the description of the first manner.
  • When the session management network element determines the second user plane security execution information of the relay session according to the second user plane security policy, it may also consider the QoS control information and/or integrity protection maximum data rate of the first terminal device. The method by which the session management network element combines the QoS control information and/or integrity protection maximum data rate of the first terminal device to determine the second user plane security execution information of the relay session is similar to the manner in which it combines the QoS control information and/or integrity protection maximum data rate of the first terminal device to determine the first user plane security execution information of the relay session. For details, refer to the foregoing content, which is not repeated here.
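The session modification logic of the second and third manners above (retain what is consistent, otherwise prefer the more secure option, then compare with the first execution information to decide whether the access network device must be notified), as an added Python example that is not the patent's own code. The ordering "not needed < preferred < required", the resolution of a merged "preferred" policy to on, and keeping the current state for a "preferred" policy in the third manner are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    NOT_NEEDED = "not needed"
    PREFERRED = "preferred"
    REQUIRED = "required"


# Ordering used to pick the value that "improves security" when the two inputs
# differ (assumed: not needed < preferred < required).
_RANK = {Policy.NOT_NEEDED: 0, Policy.PREFERRED: 1, Policy.REQUIRED: 2}


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class ActivationState:
    """Execution information / activation state of the first interface: on or off."""
    ciphering_on: bool
    integrity_on: bool


@dataclass(frozen=True)
class ModificationResult:
    execution_info: ActivationState
    # False when the first interface's activation state can stay unchanged, so the
    # session management element need not notify the access network device.
    notify_access_network: bool


def _stronger(a: Policy, b: Policy) -> Policy:
    """Consistent values are retained; otherwise the higher-security value wins."""
    return a if _RANK[a] >= _RANK[b] else b


def merge_policies(first: UpSecurityPolicy, second: UpSecurityPolicy) -> UpSecurityPolicy:
    """Second manner: combine the first and second user plane security policies."""
    return UpSecurityPolicy(_stronger(first.ciphering, second.ciphering),
                            _stronger(first.integrity, second.integrity))


def second_manner(first_policy: UpSecurityPolicy,
                  second_policy: UpSecurityPolicy,
                  first_exec: ActivationState) -> ModificationResult:
    merged = merge_policies(first_policy, second_policy)
    # Without further terminal information, a merged "preferred" is resolved to on
    # here (assumption; the page leaves that choice to the session management element).
    new_exec = ActivationState(merged.ciphering is not Policy.NOT_NEEDED,
                               merged.integrity is not Policy.NOT_NEEDED)
    return ModificationResult(new_exec, new_exec != first_exec)


def _activate(policy: Policy, current_on: bool) -> bool:
    """Third manner, per protection: "required" forces on; "not needed" never turns
    an active protection off (prefer the more secure option); "preferred" keeps
    the current state (assumed reading)."""
    if policy is Policy.REQUIRED:
        return True
    return current_on


def third_manner(second_policy: UpSecurityPolicy,
                 first_exec: ActivationState) -> ModificationResult:
    new_exec = ActivationState(_activate(second_policy.ciphering, first_exec.ciphering_on),
                               _activate(second_policy.integrity, first_exec.integrity_on))
    return ModificationResult(new_exec, new_exec != first_exec)


if __name__ == "__main__":
    # The page's own example: first policy (preferred, not needed), second policy
    # (required, required); the current first-interface state is constructed.
    first_pol = UpSecurityPolicy(Policy.PREFERRED, Policy.NOT_NEEDED)
    second_pol = UpSecurityPolicy(Policy.REQUIRED, Policy.REQUIRED)
    print(second_manner(first_pol, second_pol, ActivationState(True, False)))
    print(third_manner(second_pol, ActivationState(True, False)))
```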
  • Manner 2: Refer to Fig. 3, which shows another method for determining user plane security execution information provided by this embodiment of the present application. The method includes:
  • Step 301: Same as step 201. For details, refer to the related description of step 201, which is not repeated here.
  • Step 302: After receiving the first direct communication request, the first terminal device determines that it needs to create a session for transmitting data of the second terminal device, that is, a relay session, and sends a session establishment request and second information to the mobile access management network element. The session establishment request is used to request creation of a relay type session of the first terminal device, and the second information is used to indicate that the type of the session is the relay type.
  • The manner in which the second information indicates that the type of the session is the relay type is similar to the manner in which the first information indicates that the type of the session is the relay type. For details, refer to the foregoing description, which is not repeated here.
  • The first terminal device may send an N1 message to the mobile access management network element, where the N1 message includes the second information and the session establishment request.
  • The session establishment request is included in the N1 SM container.
  • The session establishment request may also carry the integrity protection maximum data rate of the first terminal device.
  • Step 303: The mobile access management network element determines the first information according to the second information.
  • The first information determined by the mobile access management network element differs depending on the second information, as described separately below:
  • When the second information is an anonymized identifier or a temporary identifier of the second terminal device, the first information is the permanent user identifier of the second terminal device, or an explicit way is used to indicate that the type of the session is the relay type.
  • The manner in which the mobile access management network element determines the permanent user identifier of the second terminal device according to the anonymized identifier or temporary identifier of the second terminal device is similar to the manner in which the session management network element in the embodiment shown in FIG. 2 determines the permanent user identifier of the second terminal device according to the anonymized identifier or temporary identifier of the second terminal device.
  • For example, the mobile access management network element can obtain the permanent user identifier of the second terminal device from the unified data management network element according to the anonymized identifier or temporary identifier of the second terminal device. For details, refer to the foregoing content, which is not repeated here.
  • The second information may also be the permanent user identifier of the second terminal device; in that case the first information may also be the permanent user identifier of the second terminal device, or an explicit way is used to indicate that the type of the session is the relay type.
  • the mobile access management network element may determine that the established session is a relay session according to the second information, perform an authorization check on the first terminal device, and determine whether the first terminal device has the authority to create the relay session.
  • the mobile access management network element may obtain the contract information of the first terminal device from the unified data management network element or other network elements (network elements that support storage of contract information), and determine whether the first terminal device is authorized to establish a relay session according to the contract information.
  • the subscription information is used to indicate whether the first terminal device is allowed to be a relay device and/or is authorized to establish a relay session corresponding to the requested DNN and/or S-NSSAI (as mentioned above, it can be explicitly indicated by the relay identification information
  • the first terminal device is allowed to be a relay device, and the user plane security policy can also be used to distinguish between relayed and non-relayed sessions to implicitly indicate that the first terminal device is allowed to be a relay device.
  • the relay session corresponding to the S-NSSAI can be determined by whether the user plane security policy corresponding to the DNN and/or S-NSSAI has relay identification information or whether it is distinguished by a relay session or a non-relay session).
  • the mobile access management network element can check whether the first terminal device can establish a specific type of relay session. Such as a relay session corresponding to a specific DNN and/or S-NSSAI.
  • the mobile access management network element may determine to initiate an authorization check process to other network elements according to the second information, so that the authorization check network element determines whether the first terminal device is authorized to create a relay session and/or determines whether the first terminal is authorized to create a relay session It can be used as a relay device for the second terminal.
  • the mobile access management network element determines whether the first terminal is authorized to establish a relay session and/or determines whether the first terminal can act as a relay device of the second terminal according to the result sent by the authorization check network element.
  • the mobility management network element may also determine whether the first terminal can serve as the relay device of the second terminal according to the second information.
  • the mobile access management network element may also perform an authorization check on the second terminal device according to the second information to determine whether the second terminal device can perform data transmission through the relay UE.
  • the mobile access management network element may obtain the subscription information of the second terminal device from the unified data management network element or other network elements, and determine whether the second terminal device is authorized to use the relay session according to the subscription information.
  • the subscription information is used to indicate whether the second terminal device can perform data transmission through the relay UE.
  • if the mobile access management network element passes the authorization check of the first terminal device, it may send the first information to the session management network element. Otherwise, the mobile access management network element may reject the session establishment request of the first terminal device.
  • the first information uses an explicit way to indicate that the type of the session is a relay type.
  • the mobile access management network element may determine that the session that the first terminal device needs to create is a relay session, that is, the session needs to transmit data of the second terminal device subsequently.
  • the mobile access management network element may perform an authorization check on the first terminal device according to the second information to determine whether the first terminal device has the authority to create a relay session.
  • the mobile access management network element may obtain the subscription information of the first terminal device from the unified data management network element or from other network elements that support storage of subscription information, and determine whether the first terminal device is authorized to establish a relay session according to the subscription information.
  • the subscription information is used to indicate whether the first terminal device is authorized to be a relay UE and/or is authorized to establish a relay session corresponding to the requested DNN and/or S-NSSAI.
  • the mobile access management network element can check whether the first terminal device can establish a specific type of relay session, for example a relay session corresponding to a specific DNN and/or S-NSSAI.
  • the mobile access management network element may determine according to the second information to initiate an authorization check process to other network elements, so that the authorization check network element determines whether the first terminal device is authorized to create a relay session.
  • the mobile access management network element may also perform an authorization check on the second terminal device according to the second information to determine whether the second terminal device can perform data transmission through the relay UE.
  • the mobile access management network element may obtain the subscription information of the second terminal device from the unified data management network element or other network elements, and determine whether the second terminal device is authorized to use the relay session according to the subscription information.
  • the subscription information is used to indicate whether the second terminal device can perform data transmission through the relay UE.
  • if the mobile access management network element passes the authorization check of the first terminal device, it may send the first information to the session management network element. Otherwise, the mobile access management network element may reject the session establishment request of the first terminal device.
  • the first information is the same as the second information.
  • the mobile access management network element can perform an authorization check on the first terminal device based on the second information. If the mobile access management network element passes the authorization check of the first terminal device, it can send the first information to the session management network element; that is, the first information sent by the mobile access management network element to the session management network element is the same as the second information sent by the first terminal device to the mobile access management network element. Otherwise, the mobile access management network element may reject the session establishment request of the first terminal device.
  • Step 304 The mobile access management network element sends a session establishment request and first information to the session management network element.
  • Step 305 is the same as step 203; refer to the related description of step 203, which will not be repeated here.
  • Step 306 is the same as step 204.
  • Step 307 is the same as step 205.
  • the user plane security policy of the relay session created by the first terminal device is determined based on the first information, and the first terminal device can transmit the data of the second terminal device through the relay session, so that the security of the transmitted data is ensured.
  • the first terminal device may also establish communication with other terminal devices, and the other terminal devices may interact with the data network through the session of the first terminal device.
  • the first terminal device can also use the established relay session to transmit data of other terminal devices.
  • when the relay session is reused by other terminal devices, the user plane security policy of the relay session may need to be determined again.
  • the third terminal device reuses the relay session and re-determines the user plane security policy of the relay session. Refer to the related description in FIG. 2 and it will not be repeated here.
  • the first terminal device may also send the temporary identification or anonymization identification of the third terminal device to the mobile access management network element in the manner shown in FIG. 3 .
  • the mobile access management network element can also determine the permanent user identifier of the third terminal device in a similar manner, and then send a session modification request together with the permanent user identifier of the third terminal device to the session management network element (the session modification request itself does not carry the identifier of the third terminal device).
  • the above takes as an example the case where the first terminal device requests the creation of a relay session after the second terminal device initiates the first direct communication request.
  • the first terminal device may also pre-establish a relay session before the second terminal device initiates the first direct communication request, that is, send a session establishment request to the session management network element.
  • the first information can adopt an explicit indication method to directly indicate that the type of the session is a relay type.
  • taking the case where the unified data management network element is the UDM network element, the session management network element is the SMF network element, the mobile access management network element is the AMF network element, the first terminal device is the relay UE and the second terminal device is a remote UE as an example, the method for determining user plane security execution information shown in FIG. 2 is further introduced.
  • a method for determining user plane security execution information provided by an embodiment of this application includes:
  • Step 401 Configure the user plane security policy of the relay UE subscription on the UDM network element, which includes the user plane security policy of the relay session.
  • the user plane security policy of the relay UE subscription may be as shown in Table 1 to Table 3.
  • the table is only a way of presenting data.
  • the embodiment of the present application does not limit the presentation of the user plane security policy subscribed by the relay UE; it may also be presented in the form of a data mapping.
  • Step 402 The relay UE sends a session establishment request to the SMF network element to request the creation of a relay UE relay type session.
  • the session establishment request includes first information, and the first information is used to indicate that the type of the session is the relay type.
  • Step 403 The SMF network element sends a first subscription information acquisition request to the UDM network element, where the first subscription information acquisition request includes the first information.
  • the first subscription information acquisition request is used to request acquisition of the subscription information of the first terminal device, and the subscription information includes the user plane security policy of the relay UE subscription.
  • Step 404 After receiving the first subscription information acquisition request, the UDM network element determines the user plane security policy of the relay UE subscription.
  • Step 405 The UDM network element sends a first subscription information acquisition response to the SMF network element, and the first subscription information acquisition response includes the user plane security policy of the relay UE subscription.
  • the first subscription information acquisition request sent by the SMF network element to the UDM network element may be used to request all the subscription information of the first terminal device, including the user plane security policy of the relay session of the first terminal device (the user plane security policy of the relay session includes the first user plane security policy and other user plane security policies of the relay session) and the user plane security policy of the non-relay session.
  • the first subscription information acquisition response sent by the UDM network element to the SMF network element includes all the subscription information of the first terminal device.
  • the SMF network element may determine the first user plane security policy from all the subscription information of the first terminal device.
  • the first subscription information acquisition request sent by the SMF network element to the UDM network element may be used to request all the subscription information of the first terminal device corresponding to the DNN/S-NSSAI of the relay session. Further, the SMF network element determines the first user plane security policy from that subscription information.
  • the first subscription information acquisition request sent by the SMF network element to the UDM network element may also be used to request part of the subscription information of the first terminal device, for example the subscription information of the first terminal device acting as a relay UE, which includes the user plane security policy of the relay session of the first terminal device (the user plane security policy of the relay session includes the first user plane security policy and other user plane security policies of the relay session).
  • the first subscription information acquisition response sent by the UDM network element to the SMF network element may include all the subscription information of the first terminal device as a relay UE, such as the first user plane security policy and the other user plane security policies of the relay session; or it may include only part of the subscription information of the first terminal device as a relay UE, for example only the user plane security policy of the relay session of the first terminal device.
  • the SMF network element receives the user plane security policy of the relay session of the first terminal device, and determines the first user plane security policy from the user plane security policy of the relay session of the first terminal device.
  • Step 406 The SMF network element determines the first user plane security execution information of the relay session according to the first user plane security policy.
  • the first user plane security execution information indicates the first user plane security activation state of the first interface; the first interface may also be referred to as the Uu interface.
  • Step 407 The SMF network element sends the first user plane security execution information of the relay session to the RAN, and the RAN configures the first user plane security activation state of the first interface according to the first user plane security execution information of the relay session, thereby activating the user plane security of the relay session.
  • Step 408 The RAN sends first indication information to the relay UE, where the first indication information is used to indicate the first user plane security activation state of the first interface.
  • Step 409 The remote UE sends a first direct communication request to the relay UE, where the first direct communication request includes the identifier of the remote UE.
  • the integrity protection maximum data rate of the remote UE can also be included.
  • Step 410 After the relay UE receives the first direct communication request, it determines that the relay session needs to be created and that the data of the second terminal device needs to be transmitted, and determines the security activation state of the PC5 air interface according to the first user plane security activation state of the first interface.
  • the PC5 air interface is the communication interface between the relay UE and the remote UE.
  • the relay UE may set the security activation state of the PC5 port to the first user plane security activation state of the first interface; for example, if encryption protection of the first interface is turned on and integrity protection is turned off, encryption protection of the PC5 port is also turned on and integrity protection is turned off.
  • the relay UE may determine whether to activate integrity protection according to the integrity protection maximum data rate and/or the QoS control information of the remote UE.
  • Step 411 The relay UE sends a first direct security mode command to the remote UE.
  • the first direct security mode command includes an encryption protection instruction and an integrity protection instruction, respectively indicating whether data encryption is enabled and integrity protection is enabled.
  • Step 412 After receiving the first direct security mode command, the remote UE configures the encryption protection and integrity protection of the PC5 port according to the first direct security mode command, and sends a first direct security mode completion message to the relay UE.
  • Step 413 The relay UE sends a first direct communication response to the remote UE.
  • the relay session creation process (steps 402 to 408) is performed before the second terminal device initiates the direct communication process (step 409).
  • the relay session creation process can also be executed after step 409.
  • the relay UE can initiate the creation of a new relay session if the relay session is not established or the established relay session is not reusable.
  • the identifier of the remote UE can be used as the first information in the session establishment request.
  • taking the case where the unified data management network element is the UDM network element, the session management network element is the SMF network element, the mobile access management network element is the AMF network element, the first terminal device is the relay UE and the second terminal device is a remote UE as an example, the method for determining user plane security execution information shown in FIG. 3 is further introduced.
  • a method for determining a user plane security policy provided by an embodiment of this application includes:
  • Step 501 is the same as step 409; for details, refer to the related description of step 409, which will not be repeated here.
  • Step 502 After receiving the first direct communication request, the relay UE determines that a relay session needs to be established, and the relay UE sends a first N1 message to the AMF network element.
  • the first N1 message includes the identifier of the remote UE and the first N1 SM container.
  • Step 503 After the AMF network element receives the first N1 message, it can determine, according to the identifier of the remote UE, that the session the relay UE needs to create is a relay session. The AMF network element performs an authorization check on the relay UE to determine that the relay UE has the authority to create a relay session.
  • the AMF network element may obtain the SUPI of the remote UE from the UDM network element according to the remote UE identifier.
  • the AMF network element performs authorization checks on the remote UE based on the SUPI of the remote UE, and determines that the remote UE can transmit data through the relay UE.
  • Step 504 After passing the authorization check for the relay UE, the AMF network element sends a first Nsmf service message to the SMF network element, where the first Nsmf service message includes the SUPI of the remote UE and the first N1 SM container.
  • Step 505 After receiving the first Nsmf service message, the SMF network element sends a first subscription information acquisition request carrying the SUPI of the remote UE to the UDM network element.
  • the first subscription information acquisition request also includes the DNN and S-NSSAI of the relay session.
  • Step 506 The UDM network element determines the first user plane security policy according to the SUPI of the remote UE and the user plane security policy subscribed by the relay UE, and then sends a first subscription information acquisition response to the SMF network element.
  • the first subscription information acquisition response includes the first user plane security policy.
  • Step 507 is the same as step 406; for details, refer to the related description of step 406, which will not be repeated here.
  • Step 508 is the same as step 407; for details, refer to the related description of step 407, which will not be repeated here.
  • Step 509 is the same as step 408; for details, refer to the related description of step 408, which will not be repeated here.
  • Step 510 is the same as step 410; for details, refer to the related description of step 410, which will not be repeated here.
  • Step 511 is the same as step 411; for details, refer to the related description of step 411, which will not be repeated here.
  • Step 512 is the same as step 412; for details, refer to the related description of step 412, which will not be repeated here.
  • Step 513 is the same as step 413; for details, refer to the related description of step 413, which will not be repeated here.
  • taking the case where the unified data management network element is the UDM network element, the session management network element is the SMF network element, the mobile access management network element is the AMF network element, the first terminal device is the relay UE, the second terminal device is the remote UE1 and the third terminal device is the remote UE2 as an example, the case in which the third terminal device reuses the relay session of the methods for determining the user plane security policy shown in FIG. 2 and FIG. 3, and the user plane security policy of the relay session is updated, is further introduced.
  • a method for determining user plane security execution information provided by an embodiment of this application includes:
  • Step 601 The relay UE transmits the data of the remote UE1 through the relay session.
  • For the establishment of the relay session refer to the embodiments shown in FIGS. 2 to 5.
  • Step 602 The remote UE2 sends a second direct communication request to the relay UE.
  • the second direct communication request carries the integrity protection maximum data rate of the remote UE2.
  • Step 603 After receiving the second direct communication request, the relay UE determines that the remote UE2 reuses the established relay session.
  • Step 604 The relay UE sends a second N1 message to the AMF network element.
  • the second N1 message includes the identifier of the remote UE2 and the second N1 SM container.
  • the second N1 SM container contains the session modification request.
  • the session modification process may not be initiated, that is, step 604 and subsequent steps do not need to be performed.
  • Step 605 After receiving the second N1 message, the AMF network element may send a second Nsmf service message to the SMF network element, where the second Nsmf service message includes the identifier of the remote UE2 and the second N1 SM container.
  • Step 606 After the SMF network element receives the second Nsmf service message, if the identifier of the remote UE2 is a temporary identifier or an anonymized identifier, the SMF network element may first obtain the SUPI of the remote UE2 from the UDM network element according to the identifier of the remote UE2.
  • Step 607 The SMF network element sends a second subscription information acquisition request carrying the SUPI of the remote UE2 to the UDM network element.
  • the second subscription information acquisition request also includes the DNN and S-NSSAI of the relay session.
  • Step 608 The UDM network element sends a second subscription information acquisition response to the SMF network element, where the second subscription information acquisition response includes the second user plane security policy.
  • Step 609 The SMF network element determines the second user plane security execution information of the relay session according to the second user plane security policy.
  • the SMF network element determines the second user plane security execution information of the relay session according to the first user plane security policy and the second user plane security policy. After that, the SMF network element compares the first user plane security execution information of the relay session with the second user plane security execution information of the relay session, and if they are different, step 609 is executed.
  • the SMF network element may also determine the second user plane security execution information of the relay session according to the integrity protection maximum data rate of the relay UE.
  • the SMF network element determines the second user plane security execution information of the relay session according to the second user plane security policy and the first user plane security execution information. After that, the SMF network element compares the first user plane security execution information of the relay session with the second user plane security execution information of the relay session, and if they are different, step 609 is executed.
  • the SMF network element may also determine the second user plane security execution information of the relay session according to the integrity protection maximum data rate of the relay UE.
  • the SMF network element determines the second user plane security execution information of the relay session according to the second user plane security policy. After that, the SMF network element compares the first user plane security execution information of the relay session with the second user plane security execution information of the relay session, and if they are different, step 609 is executed.
  • Step 610 The SMF network element sends the second user plane security execution information of the relay session to the RAN, and the RAN configures the second user plane security activation state of the first interface according to the second user plane security execution information of the relay session, thereby activating the user plane security of the relay session.
  • Step 611 The RAN sends second indication information to the relay UE, where the second indication information is used to indicate the second user plane security activation status of the first interface.
  • Step 612 The relay UE updates the security activation status of the PC5 air interface according to the security activation status of the second user plane of the first interface.
  • Step 613 The relay UE sends a second direct security mode command to the remote UE2.
  • the second direct security mode command includes an encryption protection instruction and an integrity protection instruction, respectively indicating whether encryption protection is enabled and integrity protection is enabled.
  • Step 614 After receiving the second direct security mode command, the remote UE2 configures the encryption protection and integrity protection of the PC5 port according to the second direct security mode command, and sends a second direct security mode completion message to the relay UE.
  • Step 615 The relay UE sends a second direct communication response to the remote UE2.
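  • Added example, not part of the patent text: a Python model of the SMF-side decisions of steps 406 and 410 and of the session-reuse comparison in steps 606 to 609. The policy tables, SUPIs, DNN/S-NSSAI strings and data rates are constructed placeholders, and rejecting a session whose required integrity protection cannot be sustained is an assumption of this model.

```python
"""Model of the relay-session user plane security decisions (added example)."""
from dataclasses import dataclass
from enum import Enum


class Policy(str, Enum):
    """Per-feature user plane security policy value (assumed three-valued)."""
    REQUIRED = "REQUIRED"
    PREFERRED = "PREFERRED"
    NOT_NEEDED = "NOT_NEEDED"


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class UpActivation:
    """User plane security execution information / activation state."""
    ciphering: bool
    integrity: bool


class SessionRejected(Exception):
    """Raised where the SMF rejects session establishment (modelling assumption)."""


# Constructed stand-in for the relay UE's subscribed policies (Tables 1 to 3 of
# the page are not reproduced here), keyed by (DNN, S-NSSAI, relay session?).
SUBSCRIBED_POLICIES = {
    ("internet", "sst1", False): UpSecurityPolicy(Policy.PREFERRED, Policy.NOT_NEEDED),
    ("relay-dnn", "sst1", True): UpSecurityPolicy(Policy.REQUIRED, Policy.NOT_NEEDED),
}

# Constructed per-remote-UE policies keyed by SUPI, as the UDM returns in
# step 506 / step 608 when the request carries the remote UE's SUPI.
REMOTE_UE_POLICIES = {
    "supi-remote-ue1": UpSecurityPolicy(Policy.REQUIRED, Policy.PREFERRED),
    "supi-remote-ue2": UpSecurityPolicy(Policy.REQUIRED, Policy.REQUIRED),
}


def select_policy(dnn, snssai, relay, remote_supi=None):
    """UDM lookup (steps 404/506/608): use the remote UE's policy when a SUPI
    is given, otherwise the relay UE's policy for this DNN/S-NSSAI."""
    if remote_supi is not None and remote_supi in REMOTE_UE_POLICIES:
        return REMOTE_UE_POLICIES[remote_supi]
    return SUBSCRIBED_POLICIES[(dnn, snssai, relay)]


def derive_execution_info(policy, integrity_max_rate_kbps, session_rate_kbps):
    """Step 406: map a policy to the activation state sent to the RAN.
    REQUIRED -> on, NOT_NEEDED -> off. PREFERRED integrity is switched off when
    the UE's integrity protection maximum data rate is below the rate the
    session needs. Rejecting REQUIRED-but-unsustainable integrity is assumed."""
    ciphering = policy.ciphering != Policy.NOT_NEEDED
    if policy.integrity == Policy.REQUIRED:
        if integrity_max_rate_kbps < session_rate_kbps:
            raise SessionRejected("integrity required but max data rate too low")
        integrity = True
    elif policy.integrity == Policy.PREFERRED:
        integrity = integrity_max_rate_kbps >= session_rate_kbps
    else:
        integrity = False
    return UpActivation(ciphering, integrity)


def pc5_activation(uu, remote_integrity_max_rate_kbps=None, session_rate_kbps=None):
    """Step 410: the relay UE copies the Uu activation state onto PC5, and may
    switch integrity off when the remote UE's integrity protection maximum data
    rate (carried in the direct communication request) is too low."""
    integrity = uu.integrity
    if integrity and remote_integrity_max_rate_kbps is not None and session_rate_kbps is not None:
        integrity = remote_integrity_max_rate_kbps >= session_rate_kbps
    return UpActivation(uu.ciphering, integrity)


def reuse_relay_session(current, second_policy, relay_integrity_max_rate_kbps, session_rate_kbps):
    """Steps 606 to 609 (variant deriving the second execution information from
    the second policy alone): return (changed, second_info). Only when changed
    is True does the SMF push the new state to the RAN (step 610)."""
    second = derive_execution_info(second_policy, relay_integrity_max_rate_kbps, session_rate_kbps)
    return second != current, second


def walkthrough():
    """Relay UE serves remote UE1 with integrity off; remote UE2 then reuses the
    session and its policy requires integrity, so the RAN must be updated."""
    session_rate = 10_000      # kbit/s needed by the relay session (constructed)
    relay_max_rate = 64_000    # relay UE integrity protection max rate (constructed)
    first = derive_execution_info(select_policy("relay-dnn", "sst1", True),
                                  relay_max_rate, session_rate)
    pc5 = pc5_activation(first, 64, session_rate)
    changed, second = reuse_relay_session(
        first, select_policy("relay-dnn", "sst1", True, "supi-remote-ue2"),
        relay_max_rate, session_rate)
    return {"first": first, "pc5": pc5, "changed": changed, "second": second}


if __name__ == "__main__":
    print(walkthrough())
```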
  • the embodiment of the application also provides a communication device for executing the method performed by the session management network element or the SMF network element in the above method embodiment.
  • the device includes a receiving unit 701, a processing unit 702, and a sending unit 703:
  • the receiving unit 701 is configured to receive a first request, where the first request is used to request the creation of a first terminal device relay type session, the first request includes first information, and the first information is used to indicate that the type of the session is a relay type;
  • the processing unit 702 is configured to determine the first user plane security execution information of the session according to the first information
  • the sending unit 703 is configured to send the first user plane security execution information of the session to the access network device, where the first user plane security execution information of the session is used to determine the first user plane security activation state of the session between the first terminal device and the access network device.
  • the first request includes an N1 SM container that carries the first information; or the first request includes the first information together with the N1 SM container.
  • when the processing unit 702 determines the first user plane security execution information of the session according to the first information, it may obtain the first user plane security policy according to the first information; after that, it may either directly use the first user plane security policy as the first user plane security execution information of the session, or analyze the first user plane security policy and determine the first user plane security execution information of the session according to it.
  • the sending unit 703 may send the first subscription information acquisition request to the unified data management network element, requesting the user plane security policy subscribed by the first terminal device, which indicates the user plane security policy of the relay type session of the first terminal device and the user plane security policy of the non-relay type session; after that, the receiving unit 701 receives the first subscription information acquisition response from the unified data management network element, the first subscription information acquisition response including the user plane security policy subscribed by the first terminal device; the processing unit 702 then determines the user plane security policy of the relay type session of the first terminal device as the first user plane security policy.
  • the sending unit 703 may send the first subscription information acquisition request to the unified data management network element, the first subscription information acquisition request including a relay indication, where the relay indication is used to request the user plane security policy of the relay type session of the first terminal device; after that, the receiving unit 701 receives the first subscription information acquisition response from the unified data management network element, the first subscription information acquisition response including the user plane security policy subscribed by the first terminal device (which includes the first user plane security policy); the processing unit 702 then determines the first user plane security policy according to the first information from the user plane security policy subscribed by the first terminal device.
  • the first information is the temporary identification or anonymization identification of the second terminal device.
  • the processing unit 702 may acquire the SUPI of the second terminal device according to the temporary identifier or anonymized identifier of the second terminal device; then, the sending unit 703 may send the first subscription information acquisition request to the unified data management network element, the first subscription information acquisition request including the SUPI of the second terminal device;
  • the receiving unit 701 may receive the first subscription information acquisition response from the unified data management network element, and the information carried in the first subscription information acquisition response may be any of the following:
  • the first subscription information acquisition response includes the first user plane security policy.
  • the first subscription information acquisition response includes the user plane security policy of the relay type session of the first terminal device; after that, the processing unit 702 determines the first user plane security policy according to the user plane security policy of the relay type session of the first terminal device.
  • the first subscription information acquisition response includes the user plane security policy subscribed by the second terminal device, and then the processing unit 702 determines the first user plane security policy according to the user plane security policy subscribed by the second terminal device.
  • the sending unit 703 may send the first subscription information acquisition request to the unified data management network element, the first subscription information acquisition request including the first information; after that, the receiving unit 701 receives the first subscription information acquisition response from the unified data management network element, and the first subscription information acquisition response includes the first user plane security policy.
  • the first information is an identifier of the second terminal device, and the identifier of the second terminal device includes one or more of the following: the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the permanent user identifier SUPI of the second terminal device.
  • the first user plane security policy indicates that integrity protection is preferred, and the processing unit 702 may determine the first user plane security execution information of the session according to the first user plane security policy. After the maximum data rate of the integrity protection of the terminal device is less than the data rate required by the session, it is determined that the integrity protection of the session is not required.
  • the processing unit 702 may determine whether the maximum data rate of integrity protection of the first terminal device is less than the data rate required by the session, and the sending unit 703 After the processing unit 702 determines that the maximum data rate of integrity protection of the first terminal device is less than the data rate required by the session, it sends a session establishment rejection response to the first terminal device to indicate that the session establishment is rejected.
  • the receiving unit 701 may also receive a third request, the third request is used to instruct the third terminal device to use the session, and the third request includes the identifier of the third terminal device;
  • the processing unit 702 may The identification of the terminal device determines the second user plane security execution information of the session;
  • the sending unit 703 may send the second user plane security execution information of the session to the access network device, and the second user plane security execution information of the session is used to determine the first terminal The second user plane security activation state of the session between the device and the access network device.
  • the processing unit 702 when the processing unit 702 determines the second user plane security execution information of the session according to the identifier of the third terminal device, it may determine the second user plane security policy according to the identifier of the third terminal device; after that, According to the second user plane security policy, the information is safely executed according to the second user plane of the session.
  • the identifier of the third terminal device includes one or more of the following:
  • the temporary identification of the third terminal device the anonymized identification of the third terminal device, or the permanent user identification SUPI of the third terminal device.
  • the processing unit 702 when the processing unit 702 determines the second user plane security execution information of the session according to the second user plane security policy, it may use the second user plane security policy and the first user plane security execution information of the session.
  • the second user plane security execution information of the session is determined; the second user plane security execution information of the session can also be determined according to the second user plane security policy and the first user plane security policy, and the session can also be determined only according to the second user plane security policy The second user plane safely executes information.
  • the sending unit 703 may send the second subscription information acquisition request to the unified data management network element, and the second subscription information
  • the information acquisition request includes the identifier of the third terminal device
  • the receiving unit 701 may receive the second subscription information acquisition response from the unified data management network element, and the second subscription information acquisition response includes the second user plane security policy.
  • the processing unit 702 when the processing unit 702 obtains the second user plane security policy according to the identity of the third terminal device, the processing unit 702 may use the identity of the third terminal device and the user plane security contracted by the first terminal device. The strategy determines the second user plane security strategy.
  • the sending unit 703 sends the second subscription information acquisition request to the unified data management network element, and the second subscription information
  • the acquisition request includes the identifier of the third terminal device
  • the receiving unit 701 receives the second subscription information acquisition response from the unified data management network element, and the second subscription information acquisition response includes the user plane security policy of the first terminal device relay type session, and processes
  • the unit 702 determines the second user plane security policy according to the user plane security policy of the session of the relay type of the first terminal device.
  • the sending unit 703 sends the second subscription information acquisition request to the unified data management network element, and the second subscription information
  • the acquisition request includes the identification of the third terminal device; the receiving unit 701 receives the second subscription information acquisition response from the unified data management network element.
  • the second subscription information acquisition response includes the user plane security policy subscribed by the third terminal device.
  • the processing unit 702 The third user plane security policy signed by the terminal device determines the second user plane security policy.
  • the processing unit 702 may determine the first user plane security execution information of the session and the second user of the session The safety execution information is different.
  • the second user plane security policy indicates that the integrity protection of the session is preferred, and the processing unit 702 determines the second user plane security execution information of the session according to the second user plane security policy, when determining the first After the maximum data rate of the integrity protection of the terminal device is less than the data rate required by the session, it is determined to close the integrity protection of the session.
  • the embodiment of the application also provides a communication device for executing the method performed by the first terminal device or the relay UE in the above method embodiment.
  • the device includes a sending unit 801 and a receiving unit 802:
  • the sending unit 801 is configured to send a second request to the mobile access management network element, the second request being used to request the creation of a relay type session, the second request including second information, and the second information indicating that the type of the session is the relay type;
  • the receiving unit 802 is configured to receive first indication information sent by the access network device, where the first indication information is used to indicate the first user plane security activation state of the session between the first terminal device and the access network device.
  • the receiving unit 802 may receive the first direct communication request sent by the second terminal device, where the first direct communication request is used to establish communication with the first terminal device.
  • the second request includes the N1 SM container, and the N1 SM container includes the second information; or the second request includes the second information and the N1 SM container.
  • the session is used to transmit data of the second terminal device, and the second information includes one or more of the following:
  • the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the SUPI of the second terminal device.
  • the device further includes a processing unit 803:
  • the receiving unit 802 may receive the second direct communication request sent by the third terminal device, the second direct communication request being used to establish communication with the first terminal device; after that, the processing unit 803 may determine according to the second direct communication request that the third terminal device uses the session; the sending unit 801 may send a third request to the mobile access management network element, the third request being used to indicate that the third terminal device uses the session, and the third request including the identifier of the third terminal device.
  • the identifier of the third terminal device includes one or more of the following:
  • the temporary identifier of the third terminal device, the anonymized identifier of the third terminal device, or the SUPI of the third terminal device.
  • the processing unit 803 may determine the security activation state between the first terminal device and the second terminal device according to the first user plane security activation state of the session between the first terminal device and the access network device.
  • when the processing unit 803 configures the security activation state between the first terminal device and the second terminal device according to the first user plane security activation state, it may determine whether to enable integrity protection between the first terminal device and the second terminal device according to the maximum integrity protection data rate of the second terminal device or the QoS control information.
  • when the user plane security policy of the second terminal device indicates that integrity protection is required, the sending unit 801 may send a direct communication rejection message to the second terminal device.
  • the receiving unit 802 may also receive second indication information sent by the access network device, where the second indication information is used to indicate the second user plane security activation state of the session between the first terminal device and the access network device.
  • the processing unit 803 may update the first user plane security activation state to the second user plane security activation state according to the second indication information.
  • the processing unit 803 may update the security activation state between the first terminal device and the second terminal device according to the second user plane security activation state.
  • when integrity protection is required in the second user plane security activation state, the processing unit 803, in updating the security activation state between the first terminal device and the second terminal device according to the second user plane security activation state, may determine whether to enable integrity protection between the first terminal device and the second terminal device according to the maximum integrity protection data rate of the third terminal device or the QoS control information.
  • the embodiment of the application also provides a communication device for executing the method executed by the mobile access management network element or the AMF network element in the above method embodiment.
  • the device includes a receiving unit 901 and a sending unit 902:
  • the receiving unit 901 is configured to receive a second request sent by the first terminal device, the second request including second information, the second request being used to request the creation of a relay type session of the first terminal device, and the second information being used to indicate that the type of the session is the relay type;
  • the sending unit 902 is configured to send a first request to the session management network element according to the second request, the first request including first information, the first information being used to indicate that the type of the session is the relay type, and the first request being used to request the creation of a relay type session for the second terminal device.
  • the second information is the same as the first information.
  • the first request and the second request include the N1 SM container, and the N1 SM container includes the second information.
  • the second request includes the second information and the N1 SM container; the first request includes the first information and the N1 SM container.
  • the apparatus includes a processing unit 903, and the processing unit 903 may determine according to the second information that the first terminal device is authorized to establish the session.
  • the sending unit 902 sends the first request to the session management network element after the processing unit 903 determines according to the second information that the first terminal device is authorized to establish the session.
  • the second information is the temporary identifier or anonymized identifier of the second terminal device, and the first information is the SUPI of the second terminal device.
  • the second information includes one or more of the following:
  • the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, and the SUPI of the second terminal device.
  • the processing unit 903 may determine according to the second information that the first terminal device is authorized to establish a session for the second terminal device.
  • the embodiment of the application also provides a communication device for executing the method executed by the unified data management network element or UDM network element in the above method embodiment.
  • the device includes a receiving unit 1001, a processing unit 1002, and a sending unit 1003:
  • the receiving unit 1001 is configured to receive a first subscription information acquisition request from a session management network element, the first subscription information acquisition request being used to request the user plane security policy subscribed by the first terminal device, the first subscription information acquisition request including first information, and the first information being used to indicate that the type of the session is the relay type;
  • the processing unit 1002 is configured to determine a first user plane security policy according to the first information;
  • the sending unit 1003 is configured to send a first subscription information acquisition response to the session management network element, where the first subscription information acquisition response includes the first user plane security policy.
  • when the processing unit 1002 determines the first user plane security policy according to the first information, it may determine the first user plane security policy according to the first information and the user plane security policy subscribed by the first terminal device.
  • the user plane security policy subscribed by the first terminal device indicates the user plane security policy of the relay type sessions and of the non-relay type sessions of the first terminal device;
  • the first information is the identifier of the second terminal device.
  • when the processing unit 1002 determines the first user plane security policy according to the first information, the processing unit 1002 determines the first user plane security policy according to the user plane security policy subscribed by the second terminal device, which it obtains according to the identifier of the second terminal device.
  • the receiving unit 1001 may receive the second subscription information acquisition request from the session management network element, where the second subscription information acquisition request includes the identifier of the third terminal device.
  • the processing unit 1002 may determine the second user plane security policy according to the identifier of the third terminal device.
  • the sending unit 1003 may send a second subscription information acquisition response to the session management network element, where the second subscription information acquisition response includes the second user plane security policy.
  • the identifier of the third terminal device includes one or more of the following:
  • the temporary identifier of the third terminal device, the anonymized identifier of the third terminal device, or the permanent user identifier (SUPI) of the third terminal device.
  • the embodiment of the application also provides a communication device for executing the method executed by the unified data management network element or UDM network element in the above method embodiment.
  • the device includes a receiving unit 1101 and a sending unit 1102:
  • the receiving unit 1101 is configured to receive a first subscription information acquisition request from the session management network element, the first subscription information acquisition request being used to request the user plane security policy subscribed by the first terminal device and carrying an indication relating to the user plane security policy subscribed by the first terminal device.
  • the sending unit 1102 is configured to send a first subscription information acquisition response to the session management network element, where the first subscription information acquisition response includes the user plane security policy subscribed by the first terminal device.
  • the device further includes a processing unit 1103:
  • the receiving unit 1101 may receive a second subscription information acquisition request from the session management network element, the second subscription information acquisition request including the identifier of the third terminal device, and the processing unit 1103 may determine the second user plane security policy according to the identifier of the third terminal device;
  • the sending unit 1102 may send a second subscription information acquisition response to the session management network element, where the second subscription information acquisition response includes the second user plane security policy.
  • the division of units in the embodiments of this application is illustrative and is only a logical function division; in actual implementation there may be other ways of division.
  • the functional units in each embodiment of this application may be integrated into one processing unit, may exist alone physically, or two or more units may be integrated into one module.
  • the above-mentioned integrated unit may be realized in the form of hardware or in the form of a software functional module.
  • when the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions to enable a terminal device (which may be a personal computer, a mobile phone, a network device, or the like) or a processor to execute all or part of the steps of the method in each embodiment of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or other media that can store program code.
  • the unified data management network element, the session management network element, the mobile access management network element, and the first terminal device may all be presented in the form of dividing various functional modules in an integrated manner.
  • the "module" here may refer to an application-specific integrated circuit (ASIC), a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other devices that can provide the above-mentioned functions.
  • the unified data management network element, the session management network element, and the mobile access management network element may all adopt the form shown in FIG. 12.
  • the communication device 1200 shown in FIG. 12 includes at least one processor 1201, a memory 1202, and optionally a communication interface 1203.
  • the memory 1202 may be a volatile memory, such as a random access memory; the memory may also be a non-volatile memory, such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 1202 may be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 1202 may also be a combination of the above-mentioned memories.
  • the specific connection medium between the foregoing processor 1201 and the memory 1202 is not limited in the embodiment of the present application.
  • in the figure, the memory 1202 and the processor 1201 are connected by a bus 1204, and the bus 1204 is represented by a thick line; the connection mode between other components is only schematically illustrated and is not limited thereto.
  • the bus 1204 may be divided into an address bus, a data bus, a control bus, and the like. For ease of representation only one thick line is used in FIG. 12, but this does not mean that there is only one bus or only one type of bus.
  • the processor 1201 may have a data transceiving function and may communicate with other devices.
  • an independent data transceiving module, such as the communication interface 1203, may also be provided to send and receive data; when the processor 1201 communicates with other devices, data transmission may be performed through the communication interface 1203.
  • the processor 1201 in FIG. 12 may call the computer-executable instructions stored in the memory 1202, so that the session management network element can execute the method performed by the session management network element or the SMF network element in any of the foregoing method embodiments.
  • the functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 7 may all be implemented by the processor 1201 in FIG. 12 calling computer-executable instructions stored in the memory 1202.
  • alternatively, the function/implementation process of the processing unit in FIG. 7 may be implemented by the processor 1201 in FIG. 12 calling computer-executable instructions stored in the memory 1202, and the functions/implementation processes of the sending unit and the receiving unit in FIG. 7 may be implemented by the communication interface 1203 in FIG. 12.
  • the processor 1201 in FIG. 12 may call the computer-executable instructions stored in the memory 1202, so that the mobile access management network element can execute the method performed by the mobile access management network element in any of the foregoing method embodiments.
  • the functions/implementation processes of the receiving unit, the sending unit, and the processing unit in FIG. 9 may all be implemented by the processor 1201 in FIG. 12 calling computer-executable instructions stored in the memory 1202.
  • alternatively, the function/implementation process of the processing unit in FIG. 9 may be implemented by the processor 1201 in FIG. 12 calling computer-executable instructions stored in the memory 1202, and the functions/implementation processes of the receiving unit and the sending unit in FIG. 9 may be implemented by the communication interface 1203 in FIG. 12.
  • the processor 1201 in FIG. 12 may call the computer-executable instructions stored in the memory 1202, so that the unified data management network element can execute the method performed by the unified data management network element in any of the foregoing method embodiments.
  • the functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 10 or FIG. 11 may all be implemented by the processor 1201 in FIG. 12 calling computer-executable instructions stored in the memory 1202.
  • alternatively, the function/implementation process of the processing unit in FIG. 10 or FIG. 11 may be implemented by the processor 1201 in FIG. 12 calling computer-executable instructions stored in the memory 1202, and the functions/implementation processes of the sending unit and the receiving unit in FIG. 10 or FIG. 11 may be implemented by the communication interface 1203 in FIG. 12.
  • the first terminal device may adopt the form shown in FIG. 13.
  • the communication device 1300 shown in FIG. 13 includes at least one processor 1301, a memory 1302, and optionally a transceiver 1303.
  • the processor 1301 and the memory 1302 are similar to the processor 1201 and the memory 1202; for details refer to the foregoing content, which will not be repeated here.
  • the specific connection medium between the foregoing processor 1301 and the memory 1302 is not limited in the embodiment of the present application.
  • in the figure, the memory 1302 and the processor 1301 are connected by a bus 1304, and the bus 1304 is represented by a thick line; the connection mode between other components is only schematically illustrated and is not limited thereto.
  • the bus 1304 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation only one thick line is used in FIG. 13, but this does not mean that there is only one bus or only one type of bus.
  • the processor 1301 may have a data transceiving function and may communicate with other devices.
  • an independent data transceiving module, such as the transceiver 1303, may also be provided to send and receive data; when the processor 1301 communicates with other devices, data transmission may be performed through the transceiver 1303.
  • the processor 1301 in FIG. 13 may call the computer-executable instructions stored in the memory 1302, so that the first terminal device can execute the method performed by the first terminal device in any of the foregoing method embodiments.
  • the functions/implementation processes of the sending unit, the receiving unit, and the processing unit in FIG. 8 may all be implemented by the processor 1301 in FIG. 13 calling computer-executable instructions stored in the memory 1302.
  • alternatively, the function/implementation process of the processing unit in FIG. 8 may be implemented by the processor 1301 in FIG. 13 calling computer-executable instructions stored in the memory 1302, and the functions/implementation processes of the sending unit and the receiving unit in FIG. 8 may be implemented by the transceiver 1303 in FIG. 13.
  • these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, apparatus and system for determining user plane security execution information, used to guarantee the security requirements of data transmitted by a remote device. In this application, a session management network element may receive a first request, the first request being used to request creation of a relay-type session of a first terminal device; the first request includes first information, and the first information is used to indicate that the type of the session is the relay type. The session management network element then determines first user plane security execution information of the session according to the first information, and sends the first user plane security execution information of the session to an access network device; the first user plane security execution information of the session is used to determine a first user plane security activation state of that session between the first terminal device and the access network device. The first user plane security execution information determined by the session management network element can better satisfy the security requirements of the remote device and guarantee the security of the remote device's data.

Description

Method, apparatus and system for determining user plane security execution information
Cross-reference to related applications
This application claims priority to Chinese patent application No. 202010480965.0, filed with the China National Intellectual Property Administration on May 30, 2020 and entitled "Method, apparatus and system for determining user plane security execution information", the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communication technologies, and in particular to a method, apparatus and system for determining user plane security execution information.
Background
At present, device to device (D2D) communication allows user equipment (UE) to communicate with each other directly.
When a remote UE is outside the coverage of the communication network, or the quality of communication between it and an access network device of the communication network is poor, it may establish indirect communication with the communication network through a relay UE on the basis of D2D communication. The relay UE may establish a protocol data unit (PDU) session for carrying the remote UE's traffic, transmit data received from the remote UE to the data network through that PDU session, or send data obtained from the data network through the PDU session to the remote UE.
During PDU session establishment, the session management network element obtains the identifier of the relay UE and uses it to obtain the user plane security policy of the session from the unified data management network element or from local configuration; the session management network element then determines the user plane security execution information of the session according to the user plane security policy, and the access network device uses that user plane security execution information to configure the security activation state between the relay UE and the access network device. When determining the user plane security policy of the PDU session, the session management network element determines the user plane security execution information of the established PDU session according to the subscription information of the relay UE or preconfigured information. Since the established PDU session may carry traffic between the remote UE and the data network, determining the user plane security protection method using only the relay UE's subscription information or preconfigured information may fail to satisfy the security requirements of the remote UE's data transmission.
Summary
This application provides a method, apparatus and system for determining user plane security execution information, so as to guarantee the security requirements of data transmitted by a remote UE.
In a first aspect, an embodiment of this application provides a method for determining user plane security execution information. The method includes: first, a session management network element may receive a first request from a mobile access management network element, the first request being used to request creation of a relay-type session of a first terminal device; the first request includes first information, and the first information is used to indicate that the type of the session is the relay type. The session management network element then determines first user plane security execution information of the session according to the first information, and sends the first user plane security execution information of the session to an access network device; the first user plane security execution information of the session is used to determine a first user plane security activation state of that session between the first terminal device and the access network device.
With the above method, the session management network element can obtain, by means of the first information, the user plane security policy of a relay-type session; the first user plane security execution information it then determines can better satisfy the security requirements of the remote UE and guarantee the security of the remote UE's data.
In a possible design, the first request may include an N1 SM container, and the N1 SM container includes the first information; in this case the first request may be a session establishment request. The first request may also include the first information and an N1 SM container; in this case the first request includes a session establishment request and the first information. The N1 SM container comes from the first terminal device.
With the above method, the first terminal device can send the N1 SM container including the first information to the session management network element through the mobile access management network element, or the first information can be sent to the session management network element by the mobile access management network element; that is, the first request can be composed in several ways, suited to different application scenarios.
In a possible design, when the session management network element determines the first user plane security execution information of the session according to the first information, it may first obtain a first user plane security policy according to the first information; thereafter it may use the first user plane security policy directly as the first user plane security execution information of the session, or it may carry out further analysis combined with other decision information (such as quality of service requirements) and determine the first user plane security execution information of the session according to the first user plane security policy.
With the above method, after obtaining the first user plane security policy, the session management network element can determine the first user plane security execution information in several ways.
In a possible design, the session management network element obtaining the first user plane security policy according to the first information includes: the session management network element sends a first subscription information acquisition request to the unified data management network element, the first subscription information acquisition request requesting the user plane security policy subscribed by the first terminal device, where the user plane security policy subscribed by the first terminal device indicates the user plane security policy of relay-type sessions and the user plane security policy of non-relay-type sessions of the first terminal device; the session management network element then receives a first subscription information acquisition response from the unified data management network element, the first subscription information acquisition response including the user plane security policy subscribed by the first terminal device; and the session management network element determines the first user plane security policy from the user plane security policy subscribed by the first terminal device according to the first information, taking the user plane security policy of the first terminal device's relay-type sessions as the first user plane security policy.
With the above method, after obtaining the user plane security policy subscribed by the first terminal device from the unified data management network element, the session management network element can select the first user plane security policy from that subscribed user plane security policy on the basis of the first information, so that user plane security execution information suited to the relay session can ultimately be determined.
In a possible design, when the session management network element obtains the first user plane security policy according to the first information:
the session management network element may send a first subscription information acquisition request to the unified data management network element; the first subscription information acquisition request includes a relay indication; the relay indication is used to request the user plane security policy of the relay-type session of the first terminal device; the relay indication may be the first information (for this approach see the foregoing), or the relay indication may be determined according to the first information. The session management network element then receives a first subscription information acquisition response from the unified data management network element, the first subscription information acquisition response including the user plane security policy subscribed by the first terminal device; the user plane security policy subscribed by the first terminal device includes the first user plane security policy.
With the above method, after obtaining the user plane security policy subscribed by the first terminal device from the unified data management network element, the session management network element can proceed on the basis of the relay indication. For example, when the first information is the identifier of the second terminal device, the relay indication may be an explicit indication, which spares the unified data management network element from having to recognize the identifier of the second terminal device and lets it determine the user plane security policy subscribed by the first terminal device more quickly.
In a possible design, when the first information indicates implicitly that the type of the session is the relay type, for example when the first information is the temporary identifier or anonymized identifier of the second terminal device, the session management network element, when obtaining the first user plane security policy according to the first request, may first obtain the SUPI of the second terminal device according to the temporary identifier or anonymized identifier of the second terminal device; for example, the session management network element may obtain the SUPI of the second terminal device from the unified data management network element. The session management network element may then send a first subscription information acquisition request to the unified data management network element, the first subscription information acquisition request including the SUPI of the second terminal device; the session management network element then receives a first subscription information acquisition response from the unified data management network element, and the information carried in the first subscription information acquisition response may be any of the following:
First: the first subscription information acquisition response includes the first user plane security policy.
Second: the first subscription information acquisition response includes the user plane security policy of the first terminal device's relay-type sessions; the session management network element then determines the first user plane security policy according to the user plane security policy of the first terminal device's relay-type sessions.
Third: the first subscription information acquisition response includes the user plane security policy subscribed by the second terminal device; the session management network element then determines the first user plane security policy according to the user plane security policy subscribed by the second terminal device.
With the above method, the session management network element can obtain the first user plane security policy from the unified data management network element in several different ways.
In a possible design, when the session management network element obtains the first user plane security policy according to the first request, it may send a first subscription information acquisition request to the unified data management network element, the first subscription information acquisition request including the first information; the session management network element receives a first subscription information acquisition response from the unified data management network element, the first subscription information acquisition response including the first user plane security policy.
With the above method, the session management network element can obtain the first user plane security policy directly from the unified data management network element, which is simpler and more efficient.
In a possible design, there are many ways in which the first information can indicate that the type of the session is the relay type. For example, the first information may be an explicit indication, such as a pre-agreed field or character. As another example, the first information may be an implicit indication, such as the identifier of the second terminal device, where the identifier of the second terminal device includes some or all of the following:
the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the permanent user identifier (SUPI) of the second terminal device.
With the above method, the first information can flexibly indicate in different ways that the type of the session is the relay type.
In a possible design, the first user plane security policy indicates that integrity protection is preferred, and when determining the first user plane security execution information of the session according to the first user plane security policy, the session management network element may also take into account the maximum integrity protection data rate of the first terminal device. For example, if the session management network element determines that the maximum integrity protection data rate of the first terminal device is less than the data rate required by the session, it may determine that integrity protection of the session is not needed, that is, integrity protection of the session is set to not needed in the first user plane security execution information.
With the above method, the first user plane security execution information determined by the session management network element not only guarantees the security requirements of the second terminal device, but also ensures that the first terminal device can effectively transmit the second terminal device's data through the session.
In a possible design, if the first user plane security policy indicates that integrity protection is required, the session management network element, upon determining that the maximum integrity protection data rate of the first terminal device is less than the data rate required by the session, may send a session establishment rejection response to the first terminal device to indicate that establishment of the session is rejected.
With the above method, when the session management network element determines that the first terminal device cannot support the second terminal device's data transmission with integrity protection enabled, it can refuse to establish the session, which guarantees the security of the second terminal device's data.
In a possible design, the session management network element may also receive a third request, the third request being used to indicate that a third terminal device uses the session, the third request including the identifier of the third terminal device; the third request may be a session modification request or another request. The session management network element determines according to the identifier of the third terminal device that the third terminal device uses the session, and may then determine second user plane security execution information of the session and send the second user plane security execution information of the session to the access network device; the second user plane security execution information of the session is used to determine a second user plane security activation state of that session between the first terminal device and the access network device.
With the above method, the session management network element can update the user plane security execution information of the session to suit the security requirements of the third terminal device.
In a possible design, when the session management network element determines the second user plane security execution information of the session according to the identifier of the third terminal device, it may determine a second user plane security policy according to the identifier of the third terminal device; thereafter it may use the second user plane security policy directly as the second user plane security execution information of the session, or it may combine other decision information (such as quality of service requirements) and determine the second user plane security execution information of the session according to the second user plane security policy.
With the above method, after obtaining the second user plane security policy, the session management network element can determine the second user plane security execution information in several ways.
In a possible design, the identifier of the third terminal device includes some or all of the following:
the temporary identifier of the third terminal device, the anonymized identifier of the third terminal device, or the SUPI of the third terminal device.
With the above method, different identifiers can indicate the third terminal device, suiting a variety of scenarios.
In a possible design, when the session management network element determines the second user plane security execution information of the session according to the second user plane security policy, it may use any of the following approaches:
Approach one: the session management network element determines the second user plane security execution information of the session according to the second user plane security policy and the first user plane security execution information of the session.
Approach two: the session management network element determines the second user plane security execution information of the session according to the second user plane security policy and the first user plane security policy.
Approach three: the session management network element determines the second user plane security execution information of the session according to the second user plane security policy only.
With the above method, the session management network element can determine the second user plane security execution information in several different ways, suited to different application scenarios.
In a possible design, the session management network element obtains the second user plane security policy according to the identifier of the third terminal device in a manner similar to obtaining the first user plane security policy.
For example, the session management network element sends a second subscription information acquisition request to the unified data management network element, the second subscription information acquisition request including the identifier of the third terminal device; the session management network element receives a second subscription information acquisition response from the unified data management network element, the second subscription information acquisition response including the second user plane security policy.
As another example, the session management network element may determine the second user plane security policy from the user plane security policy subscribed by the first terminal device according to the identifier of the third terminal device.
As another example, the session management network element sends a second subscription information acquisition request to the unified data management network element, the second subscription information acquisition request including the identifier of the third terminal device; the session management network element receives a second subscription information acquisition response from the unified data management network element, the second subscription information acquisition response including the user plane security policy of the first terminal device's relay-type sessions, and the session management network element determines the second user plane security policy according to the user plane security policy of the first terminal device's relay-type sessions.
As another example, the session management network element sends a second subscription information acquisition request to the unified data management network element, the second subscription information acquisition request including the identifier of the third terminal device; the session management network element receives a second subscription information acquisition response from the unified data management network element, the second subscription information acquisition response including the user plane security policy subscribed by the third terminal device, and the session management network element determines the second user plane security policy according to the user plane security policy subscribed by the third terminal device.
With the above method, the session management network element can obtain the second user plane security policy quite flexibly, effectively extending the application scenarios.
In a possible design, after the session management network element determines that the first user plane security execution information of the session and the second user plane security execution information of the session differ, it may send the second user plane security execution information of the session to the access network device. When the session management network element determines that the first user plane security execution information of the session and the second user plane security execution information of the session are the same, it may refrain from sending the second user plane security execution information of the session to the access network device.
With the above method, by comparing the first and second user plane security execution information of the session before deciding whether to send the second user plane security execution information of the session, the information exchange between the session management network element and the access network device can be reduced.
In a possible design, the second user plane security policy indicates that integrity protection of the session is preferred, and when determining the second user plane security execution information of the session according to the second user plane security policy, the session management network element may also take into account the maximum integrity protection data rate of the first terminal device. For example, after determining that the maximum integrity protection data rate of the first terminal device is less than the data rate required by the session, the session management network element determines to disable integrity protection of the session, that is, integrity protection of the session is set to not needed in the second user plane security execution information.
With the above method, the second user plane security execution information determined by the session management network element not only guarantees the security requirements of the third terminal device, but also ensures that the first terminal device can effectively transmit the third terminal device's data through the session.
According to a second aspect, an embodiment of this application provides a method for determining user plane security enforcement information. The method includes: first, the first terminal device may send a second request to the access and mobility management network element, the second request requesting creation of a relay-type session and including second information that indicates that the type of the session is relay; the first terminal device may then receive first indication information from the access network device, the first indication information indicating the first user plane security activation state of the session between the first terminal device and the access network device. The first terminal device configures the first user plane security activation state according to the first indication information.
By the foregoing method, when initiating the session creation procedure, the first terminal device can indicate the session type at the same time, so that the session management network element can determine the user plane security enforcement information of the session.
In a possible design, the first terminal device may receive a first direct communication request from the second terminal device, requesting establishment of communication with the first terminal device; the first terminal device may then determine that a relay-type session needs to be established and send the second request. The first terminal device may also create the relay-type session in advance, that is, send the second request before receiving the first direct communication request from the second terminal device.
By the foregoing method, the first terminal device can determine in different scenarios that a relay-type session needs to be created, and send the second request.
In a possible design, the second request may include an N1 SM container, and the N1 SM container includes the second information; in this case the second request may be a session establishment request. Alternatively, the second request may include the second information together with an N1 SM container; in this case the second request consists of a session establishment request (that is, the N1 SM container) and the second information.
By the foregoing method, the second request can take several forms, suited to different application scenarios.
In a possible design, there are many ways for the second information to indicate that the type of the session is relay. The second information may use an explicit indication, for example a pre-agreed field or character. It may also use an implicit indication, for example the identifier of the second terminal device, which is one of the following: the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the subscription permanent identifier (SUPI) of the second terminal device. In this case the session is used to transmit the data of the second terminal device.
By the foregoing method, the second information can indicate flexibly, in different ways, that the type of the session is relay.
In a possible design, the first terminal device may also receive a second direct communication request from a third terminal device, requesting establishment of communication with the first terminal device; the first terminal device determines from the second direct communication request that the third terminal device uses the session, and then sends a third request indicating that the third terminal device uses the session and including the identifier of the third terminal device. The third request may be a session modification request or another request.
By the foregoing method, when a third terminal device is to reuse the session, the first terminal device can inform the session management network element of this by sending the third request, so that the session management network element can re-determine the user plane security enforcement information.
In a possible design, the identifier of the third terminal device includes some or all of the following: the temporary identifier of the third terminal device, the anonymized identifier of the third terminal device, or the SUPI of the third terminal device.
By the foregoing method, the identifier of the third terminal device can be of different types, suited to different application scenarios.
In a possible design, after receiving from the access network device the first indication information indicating the first user plane security activation state, the first terminal device may determine the security activation state between the first terminal device and the second terminal device according to the first user plane security activation state.
By the foregoing method, the first terminal device can configure the security activation state of the PC5 interface (the communication interface between the first terminal device and the second terminal device) so as to protect the data of the second terminal device.
In a possible design, if integrity protection is required in the first user plane security activation state, the first terminal device, when configuring the security activation state between itself and the second terminal device according to the first user plane security activation state, may also refer to the maximum data rate for integrity protection or the QoS control information of the second terminal device, that is, it determines from that maximum data rate or QoS control information whether to enable integrity protection between the first terminal device and the second terminal device.
By the foregoing method, the user plane security activation state between the first terminal device and the second terminal device protects the data of the second terminal device and also ensures that the second terminal device can effectively transmit its data to the first terminal device.
In a possible design, if integrity protection is not needed in the first user plane security activation state and the first terminal device determines that the user plane security policy of the second terminal device indicates integrity protection as required (this information may be carried in the first direct communication request), the first terminal device sends a direct communication reject message to the second terminal device.
By the foregoing method, when the first terminal device determines that the second terminal device's data cannot be carried with integrity protection enabled, it can refuse to establish direct communication, which protects the security of the second terminal device's data.
In a possible design, the first terminal device may also receive second indication information from the access network device, indicating the second user plane security activation state of the session between the first terminal device and the access network device, and then update the first user plane security activation state according to the second indication information, that is, update the first user plane security activation state to the second user plane security activation state.
By the foregoing method, the first terminal device can update the user plane security activation state between itself and the access network device so as to protect the data of the third terminal device.
In a possible design, after receiving the second indication information from the access network device, the first terminal device may further decide, according to the second user plane security activation state, whether to update the user plane security activation state between the first terminal device and the second terminal device.
By the foregoing method, the first terminal device can update the security activation state of the PC5 interface (the communication interface between the first terminal device and the third terminal device) so as to protect the data of the third terminal device.
In a possible design, when integrity protection is required in the second user plane security activation state, the first terminal device, when updating the security activation state between itself and the second terminal device according to the second user plane security activation state, may consider the maximum data rate for integrity protection or the QoS control information of the third terminal device, and determine from that maximum data rate or QoS control information whether to enable integrity protection between the first terminal device and the second terminal device.
By the foregoing method, the user plane security activation state between the first terminal device and the third terminal device protects the data of the third terminal device and also ensures that the third terminal device can effectively transmit its data to the first terminal device.
According to a third aspect, an embodiment of this application provides a method for determining user plane security enforcement information. The method includes: first, the access and mobility management network element receives a second request from the first terminal device, the second request including second information and requesting creation of a relay-type session of the first terminal device, the second information indicating that the type of the session is relay; the access and mobility management network element then sends a first request to the session management network element according to the second request, the first request including first information that indicates that the type of the session is relay and requesting creation of a relay-type session of the first terminal device.
By the foregoing method, after receiving the second request carrying the second information, the access and mobility management network element promptly sends the first request carrying the first information to the session management network element, so that the session management network element can determine the user plane security enforcement information of the session from the first information.
In a possible design, the second information is the same as the first information; the first request and the second request include an N1 SM container, and the N1 SM container includes the second information; in this case the first request and the second request may be a session establishment request. That is, the first request and the second request are the same, and the access and mobility management network element can pass the first request directly to the session management network element.
In a possible design, the second request includes the second information and an N1 SM container, and the first request includes the first information and an N1 SM container.
By the foregoing method, because the second information lies outside the N1 SM container, the access and mobility management network element can read the second information and further determine the first information to be carried in the first request.
In a possible design, when sending the first request to the session management network element according to the second information, the access and mobility management network element may first determine from the second information whether the first terminal device is authorized to establish the session; if it is, the access and mobility management network element sends the first request to the session management network element; otherwise it may directly refuse to establish the session.
By the foregoing method, the access and mobility management network element can perform an authorization check on the first terminal device in advance, on the basis of the second information, so that the session can subsequently be established efficiently.
In a possible design, the second information is the temporary identifier or the anonymized identifier of the second terminal device; the access and mobility management network element may determine the SUPI of the second terminal device from the second information, and the SUPI of the second terminal device may serve as the first information.
By the foregoing method, the access and mobility management network element determines the SUPI of the second terminal device, and the first terminal device does not need to transmit that SUPI directly, which protects the SUPI of the second terminal device.
In a possible design, there are many ways for the second information to indicate that the type of the session is relay. The second information may use an explicit indication, for example a pre-agreed field or character. It may also use an implicit indication, for example the identifier of the second terminal device, which is one of the following: the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the subscription permanent identifier (SUPI) of the second terminal device.
By the foregoing method, the second information can indicate flexibly, in different ways, that the type of the session is relay.
In a possible design, there are many ways for the first information to indicate that the type of the session is relay. The first information may use an explicit indication, for example a pre-agreed field or character. It may also use an implicit indication, for example the identifier of the second terminal device, where the identifier of the second terminal device includes some or all of the following:
the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the subscription permanent identifier (SUPI) of the second terminal device.
By the foregoing method, the first information can indicate flexibly, in different ways, that the type of the session is relay.
In a possible design, before sending the first request to the session management network element according to the second request, the access and mobility management network element may also determine from the second information that the first terminal device is authorized to establish a session for the second terminal device.
By the foregoing method, the access and mobility management network element can perform an authorization check on the second terminal device in advance, on the basis of the second information, to ensure that the first terminal device may carry the data of the second terminal device.
According to a fourth aspect, an embodiment of this application provides a method for determining user plane security enforcement information. The method includes: the unified data management network element may provide the first user plane security policy to the session management network element in either of the following two manners:
Manner one: the unified data management network element receives from the session management network element a first subscription information acquisition request that includes the first information, the first information indicating that the type of the session is relay; the unified data management network element determines the first user plane security policy from the first information, and then sends the session management network element a first subscription information acquisition response that includes the first user plane security policy.
In this manner, the unified data management network element can determine the first user plane security policy directly and return it to the session management network element.
Manner two: the unified data management network element receives from the session management network element a first subscription information acquisition request that requests the user plane security policy subscribed by the first terminal device, where that subscribed policy indicates the user plane security policy of the relay-type sessions and of the non-relay-type sessions of the first terminal device; the unified data management network element sends the session management network element a first subscription information acquisition response that includes the user plane security policy subscribed by the first terminal device, which includes the first user plane security policy.
In this manner, the unified data management network element only needs to return the subscribed user plane security policy of the first terminal device, and the session management network element then determines the first user plane security policy itself.
In a possible design, when determining the first user plane security policy from the first information, the unified data management network element may determine it from the first information and the user plane security policy subscribed by the first terminal device, which indicates the user plane security policy of the relay-type and non-relay-type sessions of the first terminal device.
By the foregoing method, the unified data management network element can determine from the first information that the session is a relay-type session and thereby determine the first user plane security policy.
In a possible design, the first information is the identifier of the second terminal device; when determining the first user plane security policy from the first information, the unified data management network element determines it from the user plane security policy subscribed by the second terminal device, according to the identifier of the second terminal device.
By the foregoing method, a first user plane security policy determined from the user plane security policy subscribed by the second terminal device satisfies the security requirements of the second terminal device.
In a possible design, the unified data management network element receives from the session management network element a second subscription information acquisition request that includes the identifier of the third terminal device; it then determines the second user plane security policy from that identifier and sends the session management network element a second subscription information acquisition response that includes the second user plane security policy.
By the foregoing method, the unified data management network element can determine from the identifier of the third terminal device that the session is a relay-type session and thereby determine the second user plane security policy.
According to a fifth aspect, an embodiment of this application further provides a communication apparatus applied to the session management network element; for its beneficial effects see the description of the first aspect. The apparatus has the functions of implementing the behaviour in the method examples of the first aspect. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions. In a possible design, the structure of the apparatus includes a receiving unit, a processing unit and a sending unit, which can perform the corresponding functions in the method examples of the first aspect; see the detailed description of the method examples.
According to a sixth aspect, an embodiment of this application further provides a communication apparatus applied to the first terminal device; for its beneficial effects see the description of the second aspect. The apparatus has the functions of implementing the behaviour in the method examples of the second aspect. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions. In a possible design, the structure of the apparatus includes a receiving unit and a sending unit and, optionally, a processing unit, which can perform the corresponding functions in the method examples of the second aspect; see the detailed description of the method examples.
According to a seventh aspect, an embodiment of this application further provides a communication apparatus applied to the access and mobility management network element; for its beneficial effects see the description of the third aspect. The apparatus has the functions of implementing the behaviour in the method examples of the third aspect. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions. In a possible design, the structure of the apparatus includes a receiving unit and a sending unit and, optionally, a processing unit, which can perform the corresponding functions in the method examples of the third aspect; see the detailed description of the method examples.
According to an eighth aspect, an embodiment of this application further provides a communication apparatus applied to the unified data management network element; for its beneficial effects see the description of the fourth aspect. The apparatus has the functions of implementing the behaviour in the method examples of the fourth aspect. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions. In a possible design, the structure of the apparatus includes a receiving unit and a sending unit and, optionally, a processing unit, which can perform the corresponding functions in the method examples of the fourth aspect; see the detailed description of the method examples.
According to a ninth aspect, an embodiment of this application further provides a communication apparatus applied to the session management network element; for its beneficial effects see the description of the first aspect. The structure of the communication apparatus includes a processor and a memory; the processor is configured to support the session management network element in performing the corresponding functions of the method of the first aspect. The memory is coupled to the processor and holds the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
According to a tenth aspect, an embodiment of this application further provides a communication apparatus applied to the first terminal device; for its beneficial effects see the description of the second aspect. The structure of the communication apparatus includes a processor and a memory; the processor is configured to support the first terminal device in performing the corresponding functions of the method of the second aspect. The memory is coupled to the processor and holds the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a transceiver for communicating with other devices.
According to an eleventh aspect, an embodiment of this application further provides a communication apparatus applied to the access and mobility management network element; for its beneficial effects see the description of the third aspect. The structure of the communication apparatus includes a processor and a memory; the processor is configured to support the access and mobility management network element in performing the corresponding functions of the method of the third aspect. The memory is coupled to the processor and holds the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
According to a twelfth aspect, an embodiment of this application further provides a communication apparatus applied to the unified data management network element; for its beneficial effects see the description of the fourth aspect. The structure of the communication apparatus includes a processor and a memory; the processor is configured to support the unified data management network element in performing the corresponding functions of the method of the fourth aspect. The memory is coupled to the processor and holds the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
According to a thirteenth aspect, an embodiment of this application further provides a communication system; for its beneficial effects see the descriptions of the foregoing aspects. The communication system includes a session management network element and a unified data management network element;
the session management network element is configured to send a first subscription information acquisition request to the unified data management network element, the first subscription information acquisition request including a relay indication, the relay indication being used to request the user plane security policy of the relay-type session of the first terminal device;
the unified data management network element is configured to receive the first subscription information acquisition request, determine the first user plane security policy from the user plane security policy subscribed by the first terminal device according to the first information, where the subscribed user plane security policy of the first terminal device includes the user plane security policy of the relay-type and non-relay-type sessions of the first terminal device, and send the session management network element a first subscription information acquisition response that includes the first user plane security policy;
the session management network element is further configured to receive the first subscription information acquisition response.
In a possible design, the system further includes an access and mobility management network element:
the access and mobility management network element is configured to send a first request to the session management network element, the first request requesting establishment of a relay-type session for the first terminal device and including first information, the first information indicating that the type of the session is relay;
the session management network element is configured to receive the first request; the relay indication is the first information or is determined from the first information.
In a possible design, the session is used to transmit the data of the second terminal device, the first information is the identifier of the second terminal device, and the identifier of the second terminal device includes some or all of the following:
the temporary identifier of the second terminal device, the anonymized identifier of the second terminal device, or the SUPI of the second terminal device.
In a possible design, the system further includes an access network device.
The session management network element is further configured to determine the first user plane security enforcement information of the session from the first user plane security policy and then send the first user plane security enforcement information of the session to the access network device.
The access network device is configured to receive the first user plane security enforcement information of the session and, according to it, activate the first user plane security activation state of the session between the first terminal device and the access network device.
In a possible design, the system further includes the first terminal device;
the access network device is further configured to send a first indication message to the first terminal device, the first indication message indicating the first user plane security activation state of the session between the first terminal device and the access network device.
The first terminal device is configured to receive the first indication message, activate the first user plane security activation state with the access network device according to the first indication information, and configure the security activation state between the first terminal device and the second terminal device according to the first user plane security activation state.
In a possible design, the first terminal device is further configured to send, after determining that a third terminal device uses the session, a second request to the session management network element, the second request requesting modification of the session and including the identifier of the third terminal device;
the session management network element is further configured to obtain the second user plane security policy according to the identifier of the third terminal device, determine the second user plane security enforcement information of the session from the second user plane security policy, and send the second user plane security enforcement information of the session to the access network device.
The access network device is further configured to receive the second user plane security enforcement information of the session and, according to it, update the first user plane security activation state to the second user plane security activation state.
In a possible design, the identifier of the third terminal device includes some or all of the following:
the temporary identifier of the third terminal device, the anonymized identifier of the third terminal device, or the SUPI of the third terminal device.
In a possible design, the access network device is further configured to send a second indication message to the first terminal device, the second indication message indicating the second user plane security activation state of the session between the first terminal device and the access network device.
The first terminal device is configured to receive the second indication message, update the first user plane security activation state to the second user plane security activation state according to the second indication information, and update the security activation state between the first terminal device and the second terminal device according to the second user plane security activation state.
In a possible design, when the first user plane security policy indicates integrity protection as preferred, the session management network element, in determining the first user plane security enforcement information of the session from the first user plane security policy, is specifically configured to:
decide to disable integrity protection of the session after determining that the maximum data rate for integrity protection of the first terminal device is lower than the data rate required by the session.
In a possible design, if the first user plane security policy indicates integrity protection as required, the session management network element is further configured to send a session establishment reject response to the first terminal device, indicating refusal to establish the session, after determining that the maximum data rate for integrity protection of the first terminal device is lower than the data rate required by the session.
In a possible design, the session management network element, in determining the second user plane security enforcement information of the session from the second user plane security policy, is specifically configured to:
determine the second user plane security enforcement information of the session from the second user plane security policy and the first user plane security enforcement information of the session; or
determine the second user plane security enforcement information of the session from the second user plane security policy and the first user plane security policy.
In a possible design, the session management network element, in obtaining the second user plane security policy according to the identifier of the third terminal device, is specifically configured to:
send a second subscription information acquisition request to the unified data management network element, the second subscription information acquisition request including the identifier of the third terminal device;
the unified data management network element is configured to receive the second subscription information acquisition request, determine the second user plane security policy according to the identifier of the third terminal device, and send the second user plane security policy to the session management network element;
the session management network element further receives the second user plane security policy from the unified data management network element.
In a possible design, before sending the second user plane security enforcement information of the session to the access network device, the session management network element is further configured to:
determine that the first user plane security enforcement information of the session differs from the second user plane security enforcement information of the session.
In a possible design, when the second user plane security policy indicates integrity protection of the session as preferred, the session management network element, in determining the second user plane security enforcement information of the session from the second user plane security policy, is specifically configured to:
decide to disable integrity protection of the session after determining that the maximum data rate for integrity protection of the first terminal device is lower than the data rate required by the session.
According to a fourteenth aspect, this application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the methods of the foregoing aspects.
According to a fifteenth aspect, this application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the methods of the foregoing aspects.
According to a sixteenth aspect, this application further provides a computer chip connected to a memory; the chip is configured to read and execute a software program stored in the memory so as to perform the methods of the foregoing aspects.
Brief description of the drawings
FIG. 1 is an architecture diagram of a system according to an embodiment of this application;
FIG. 2 is a schematic diagram of a method for determining user plane security enforcement information according to an embodiment of this application;
FIG. 3 is a schematic diagram of a method for determining user plane security enforcement information according to an embodiment of this application;
FIG. 4 is a schematic diagram of a method for determining user plane security enforcement information according to an embodiment of this application;
FIG. 5 is a schematic diagram of a method for determining user plane security enforcement information according to an embodiment of this application;
FIG. 6 is a schematic diagram of a method for determining user plane security enforcement information according to an embodiment of this application;
FIGS. 7 to 13 are schematic structural diagrams of communication apparatuses according to embodiments of this application.
Detailed description of embodiments
Referring to FIG. 1, which is a schematic diagram of a specific network architecture to which this application applies. The network architecture is that of a 5G system. The network elements of the 5G architecture include terminal devices (user equipment, UE). The network architecture further includes a radio access network (RAN), an access and mobility management function (AMF) network element, a session management function (SMF) network element, a user plane function (UPF) network element, a unified data management (UDM) network element, an application function (AF) network element, a data network (DN), and so on.
A terminal device is a device with wireless transceiving capability. It can be deployed on land, indoors or outdoors, handheld or vehicle-mounted; on water (for example on ships); or in the air (for example on aircraft, balloons or satellites). The terminal device may be a mobile phone, a tablet (pad), a computer with wireless transceiving capability, a virtual reality (VR) terminal, an augmented reality (AR) terminal, or a wireless terminal in industrial control, self driving, remote medical, a smart grid, transportation safety, a smart city or a smart home, and so on. In the embodiments of this application, terminal devices fall into two kinds: remote UEs (such as the second terminal device and the third terminal device) and relay UEs (such as the first terminal device). A remote UE is a UE that needs a relay UE in order to communicate with the data network; a relay UE is a UE that can communicate with the data network directly.
In the embodiments of this application, a remote UE may send a direct communication request (such as the first direct communication request and the second direct communication request) to the relay UE to establish a PC5 communication connection with it, and the relay UE may initiate a session establishment procedure towards the SMF network element to establish a session for carrying data between the remote UE and the DN (this session is in substance a session that the relay UE establishes with the network through the access network, used to carry the data exchanged between the remote UE and the data network; it may also be called a relay session). When initiating the session establishment procedure, the relay UE may send the identifier of the remote UE, or indication information indicating that the session to be established is a relay session, directly to the SMF network element; it may also send the identifier of the remote UE or the indication information to the SMF network element via the AMF network element.
The main function of the RAN is to control the wireless access of terminal devices to the mobile communication network. The RAN is part of the mobile communication system and implements a radio access technology. Conceptually, it resides between a device (such as a mobile phone, a computer or any remotely controlled machine) and the core network, and provides the connection to the core network.
The AMF network element is responsible for access management and mobility management of terminals; in practice it includes the mobility management functions of the MME in the LTE network framework and adds access management functions.
The SMF network element is responsible for session management, such as establishing, modifying or deleting a user's session. In the embodiments of this application, the SMF network element can determine from the identifier of the remote UE or the indication information that the session created by the relay UE is a relay session, obtain the user plane security policy of the relay session from the UDM network element, and determine from that policy the user plane security enforcement information of the session that the RAN needs.
The UPF network element is the user plane function network element, mainly responsible for connecting to external networks; it includes the functions of the LTE serving gateway (SGW) and public data network gateway (PDN-GW).
The DN is the network that provides services to terminals; for example, some DNs provide Internet access to terminals and others provide short message services.
The UDM network element stores the user's subscription information and plays a role similar to the HSS in 4G. In the embodiments of this application, the UDM can determine the subscription permanent identifier (SUPI) of a terminal device from the anonymized identifier or temporary identifier of the remote UE. The UDM network element also stores the subscribed user plane security policy of the relay UE, which includes the user plane security policy of relay sessions; after receiving the subscription information acquisition request from the SMF network element, the UDM network element returns the user plane security policy of the relay session to the SMF network element.
The AF network element may be a third-party application server or a device deployed by the operator itself, such as a proxy-call session control function (P-CSCF); an AF network element can serve multiple application servers.
Although not shown, the core network elements also include a unified data repository (UDR) network element and a subscription identifier de-concealing function (SIDF) network element. The UDR network element mainly stores user-related subscription data, policy data (such as the user plane security policy subscribed by a UE), structured data for exposure, and application data. In the embodiments of this application, the SIDF network element can de-conceal the anonymized identifier (SUCI) of a UE to obtain the SUPI. The SIDF network element may be deployed stand-alone or co-located with other network elements, for example with the UDM network element.
In the embodiments of this application, when the relay UE determines that a relay session needs to be created, it may initiate a session establishment procedure towards the session management network element to establish a relay-type session, and during that procedure send the first information, which indicates that the type of the session is relay, to the session management network element. The session management network element determines the first user plane security policy from the first information, determines the first user plane security enforcement information of the session from that policy, and sends it to the access network device. The access network device can use the first user plane security enforcement information of the session to determine the first user plane security activation state, which indicates whether user plane integrity protection and ciphering between the relay UE and the access network device are enabled or disabled. By receiving the first information, the session management network element can obtain the user plane security policy of the relay-type session and thus determine the user plane security enforcement information of the session, so that the security activation state the access network derives from that enforcement information meets the security requirements of the remote UE.
The method for determining a user plane security policy provided by the embodiments of this application is described below with reference to the drawings. In the embodiments there are two manners of determining the user plane security activation state: in one, the access and mobility management network element is not involved and the session management network element determines the user plane security of the session from the identifier of the second terminal device or from indication information; in the other, the access and mobility management network element takes part, processes the information sent by the first terminal device, then determines, obtains or generates indication information and sends it to the session management network element, which determines the user plane security policy of the session from that information. The two manners are described in turn:
Manner one. Referring to FIG. 2, a method for determining user plane security enforcement information according to an embodiment of this application includes:
Step 201: the second terminal device sends a first direct communication request to the first terminal device, requesting establishment of a communication connection with the first terminal device. The first direct communication request may include the identifier of the second terminal device.
The identifier of the second terminal device includes but is not limited to: the temporary identifier, the anonymized identifier and the subscription permanent identifier (SUPI) of the second terminal device.
The temporary identifier is an identifier allocated to the second terminal device in advance. The anonymized identifier conceals the permanent identifier of the terminal device; only specific network elements can recover the concealed permanent identifier from it. For example, the anonymized identifier may be a subscription concealed identifier (SUCI), a privacy-protecting identifier that contains the SUPI.
Step 202: after receiving the first direct communication request, the first terminal device determines that a session for carrying the data of the second terminal device needs to be created, that is, a relay-type session of the first terminal device, and sends a session establishment request to the session management network element requesting creation of a relay-type session of the first terminal device. The session establishment request may include a session identifier; in the embodiments of this application the session created may be a PDU session.
Note that in the embodiments of this application a relay-type session may also be called a relay session: a session established by the first terminal device acting as relay UE to support data transmission between a remote UE and the data network. Correspondingly, besides relay-type sessions, the first terminal device also has non-relay-type sessions, also called non-relay sessions: sessions that the first terminal device establishes for itself to support data transmission between itself and the data network.
To inform the session management network element that the session it requests is a relay session, the first terminal device may carry first information in the session establishment request, the first information indicating that the type of the session is relay.
The embodiments of this application do not limit the way in which the first information indicates that the type of the session is relay. For example, the first information may use an explicit indication, such as a pre-agreed field or character; or it may use an implicit indication, such as the identifier of the second terminal device.
When sending the session establishment request to the session management network element, the first terminal device may first send it to the access and mobility management network element, which forwards it to the session management network element after receipt.
Further, the first terminal device sends the session establishment request to the access and mobility management network element inside a NAS message, which also includes the data network name (DNN) and/or single network slice selection assistance information (S-NSSAI). That is, the session establishment request is contained in the N1 SM container.
Step 203: after receiving the session establishment request, the session management network element determines the first user plane security policy from the first information.
Step 204: after obtaining the first user plane security policy, the session management network element may determine from it the first user plane security enforcement information of the relay session, which can be used to determine the first user plane security activation state of the session between the first terminal device and the access network device.
Note that the first user plane security activation state of the session between the first terminal device and the access network device is in substance the first user plane security activation state of the communication interface between the first terminal device and the access network device; for convenience, this interface is called the first interface.
Step 205: after determining the first user plane security enforcement information of the relay session, the session management network element may send it to the access network device.
The embodiments of this application do not limit how the session management network element determines the first user plane security policy from the first information; four ways are listed below:
(1) The session management network element obtains the subscription information of the first terminal device, which includes relay identification information and the user plane security policy subscribed by the first terminal device; the relay identification information indicates that the first terminal device is authorized to establish relay-type sessions, that is, whether it is allowed to act as a relay device.
The user plane security policy subscribed by the first terminal device includes the user plane security policy for when the first terminal device is allowed to act as a relay device, which in turn includes the user plane security policy of the first terminal device's relay sessions. Optionally, the policy for when the first terminal device is allowed to act as a relay device also includes the user plane security policy of non-relay sessions while it is allowed to act as a relay device, that is, the user plane security policy of the first terminal device's non-relay sessions.
Optionally, the user plane security policy subscribed by the first terminal device may also include the user plane security policy for when the first terminal device does not act as a relay device.
The user plane security policy of non-relay sessions while the first terminal device is allowed to act as a relay device and the user plane security policy for when it does not act as a relay device both belong to the user plane security policy of the first terminal device's non-relay sessions; the difference is whether the first terminal device is allowed to act as a relay device.
There are many ways for the subscribed user plane security policy of the first terminal device to mark which policy applies when the first terminal device is allowed to act as a relay device and which applies when it is not: for example, the relay identification information can mark this explicitly, or the user plane security policies can be labelled as relay-session and non-relay-session policies. In the latter way, the very fact that relay sessions and non-relay sessions are distinguished shows that the first terminal device is allowed to act as a relay device.
Several examples of the user plane security policy subscribed by the first terminal device are given in Table 1 and Table 2.
Table 1
[Table 1 is provided only as images (PCTCN2021095434-appb-000001 and -000002) in the original and is not reproduced here.]
Here, user plane security policy 1 is a policy marked with the relay identification information and is the user plane security policy for when the first terminal device acts as a relay device; user plane security policy 2 is the user plane security policy for when the first terminal device does not act as a relay device. Policy 1 can serve as the user plane security policy of the first terminal device's relay sessions, and policy 2 as the user plane security policy of its non-relay sessions. Note that because policy 1 does not distinguish relay sessions from non-relay sessions, when the data network of a non-relay session of the first terminal device is data network 1, policy 1 may also be chosen as the user plane security policy.
Table 2
[Table 2 is provided only as an image (PCTCN2021095434-appb-000003) in the original and is not reproduced here.]
Here, user plane security policies 1 and 2 are policies marked with the relay identification information, and user plane security policy 5 is the user plane security policy for when the first terminal device does not act as a relay device. Policies 3 and 4 carry no relay identification information but already distinguish relay sessions from non-relay sessions, which means that the first terminal device may act as a relay device; this is an implicit way of indicating that the first terminal device is allowed to act as a relay UE, and these are in substance user plane security policies for when the first terminal device acts as a relay device.
User plane security policies 1 and 3 are user plane security policies of the first terminal device's relay sessions; user plane security policies 2, 4 and 5 are user plane security policies of the first terminal device's non-relay sessions.
Note that the subscribed user plane security policy of the first terminal device may also make no distinction between the policy for when the first terminal device is allowed to act as a relay device and the policy for when it does not; in that case only relay identification information is added to the subscription information to indicate that the first terminal device is authorized to establish relay-type sessions, that is, may act as a relay device. The session management network element may then select the corresponding user plane security policy according to the DNN and/or S-NSSAI of the session.
(2) The session management network element obtains the subscription information of the first terminal device (which includes the user plane security policy subscribed by the first terminal device) and determines the first user plane security policy from the first information and that subscribed user plane security policy.
The user plane security policy subscribed by the first terminal device is the subscribed user plane security policy pre-configured for the first terminal device by the operator network; it may include the user plane security policy of the first terminal device's relay-type sessions and may also include the user plane security policy of its non-relay-type sessions.
In the embodiments of this application, the user plane security policy subscribed by the first terminal device includes the first user plane security policy and/or the second user plane security policy, and may further include the user plane security policy of non-relay sessions.
For example, the information included in the user plane security policy subscribed by the first terminal device is shown in Table 3:
Table 3
[Table 3 is provided only as an image (PCTCN2021095434-appb-000004) in the original and is not reproduced here.]
Optionally, the user plane security policy subscribed by the first terminal device may also include the identifier of the second terminal device, which indicates the terminal device whose data the relay session carries.
As can be seen from Table 1, the user plane security policy subscribed by the first terminal device includes the user plane security policy of sessions established with one or more data networks, both when the session is a relay session and when it is a non-relay session. A data network may be indicated by its DNN. Optionally, the subscribed user plane security policy of the first terminal device may also include single network slice selection assistance information (S-NSSAI), which identifies or indicates a network slice.
The content of a user plane security policy is explained here. A user plane security policy indicates whether ciphering and integrity protection are to be enabled. Specifically, it includes a user plane ciphering protection policy (indicating whether to enable ciphering) and a user plane integrity protection policy (indicating whether to enable integrity protection). The user plane ciphering protection policy has three possible values: not needed, preferred and required; the user plane integrity protection policy likewise has the three possible values not needed, preferred and required. Here, not needed means the protection is not to be enabled, preferred means it may or may not be enabled, and required means it must be enabled. The three values may be indicated with 2 bits, for example 00 for not needed, 01 for preferred and 11 for required. The embodiments of this application do not limit the way in which the user plane ciphering protection policy and the user plane integrity protection policy encode the three values.
User plane ciphering protection protects the confidentiality of data in transit (and may therefore also be called user plane confidentiality protection); confidentiality means that the real content of the transmitted data cannot be read directly. User plane integrity protection protects the integrity of data transmitted on the user plane; integrity means that the data is original and has not been tampered with.
In the embodiments of this application, the user plane security policy subscribed by the first terminal device may be stored locally at the session management network element, or obtained by the session management network element from the unified data management network element; for example, after receiving the session establishment request, the session management network element may obtain the subscribed user plane security policy of the first terminal device from the unified data management network element.
For example, the session management network element may send a first subscription information acquisition request to the unified data management network element. The first subscription information acquisition request may carry a relay indication, which is used to request the user plane security policy of the first terminal device's relay-type sessions; the relay indication may be the first information or may be determined from the first information.
For example, when the first information is the identifier of the second terminal device, the relay indication may indicate explicitly that the type of the session is relay, so as to request the user plane security policy of the first terminal device's relay-type sessions; after receiving the first subscription information acquisition request, the unified data management network element can determine directly from the relay indication that it needs to return the user plane security policy of the first terminal device's relay-type sessions.
The unified data management network element then sends a first subscription information acquisition response to the session management network element, the response including the user plane security policy subscribed by the first terminal device. The session management network element receives the first subscription information acquisition response from the unified data management network element.
The session management network element selects, according to the first information carried in the session establishment request, the corresponding user plane security policy from the subscribed user plane security policy of the first terminal device as the first user plane security policy, that is, it selects the user plane security policy of the relay-type session as the first user plane security policy.
When obtaining the subscribed user plane security policy of the first terminal device from the unified data management network element, the session management network element may also obtain only part of it, for example only the user plane security policy of the first terminal device's relay sessions.
Still taking the first subscription information acquisition request as the example: the session management network element sends the unified data management network element a first subscription information acquisition request that requests the subscribed user plane security policy of the first terminal device, where the request includes the first information (or a relay indication).
After receiving the first subscription information acquisition request, the unified data management network element may determine, from the first information, the user plane security policy of the first terminal device's relay sessions out of the subscribed user plane security policy of the first terminal device.
The unified data management network element sends the session management network element a first subscription information acquisition response that includes the user plane security policy of the first terminal device's relay sessions.
The session management network element determines from the first information carried in the session establishment request whether the session is a relay session; if it is, the session management network element may select the first user plane security policy from the user plane security policy of the first terminal device's relay sessions.
Optionally, the session management network element may also determine from the first information carried in the session establishment request whether the session is a relay session and, if it is, request the first user plane security policy directly from the unified data management network element. That is, the session management network element may send the unified data management network element a request message asking for the user plane security policy of sessions whose type is relay; after receiving the request message, the unified data management network element determines the first user plane security policy from the user plane security policy of relay sessions and returns the first user plane security policy to the session management network element.
The above takes the session management network element obtaining the subscribed user plane security policy of the first terminal device as the example; in fact, the session management network element may also use the first information to obtain the subscribed user plane security policy of the second terminal device from the unified data management network element. That is, after receiving a first subscription information acquisition request that includes the first information, if the first information is the identifier of the second terminal device, the unified data management network element determines the subscribed user plane security policy of the second terminal device from the first information and carries that policy in the first subscription information acquisition response. The session management network element then determines the first user plane security policy from the subscribed user plane security policy of the second terminal device.
As a possible implementation, the session management network element may store locally user plane security policy information at DNN and/or S-NSSAI granularity; that information includes the user plane security policy of relay sessions and/or of non-relay sessions corresponding to each DNN and/or S-NSSAI, and the session management network element may select the corresponding user plane security policy according to the DNN and/or S-NSSAI of the session.
(3) The first information is the anonymized identifier or the temporary identifier of the second terminal device; the session management network element first determines the subscription permanent identifier of the second terminal device, then obtains the user plane security policy of the first terminal device's relay-type sessions from the unified data management network element, and then determines the first user plane security policy from the first information.
The session management network element may first obtain the subscription permanent identifier of the second terminal device from the unified data management network element on the basis of the first information.
For example, the session management network element may send the unified data management network element a request message carrying the first information, asking for the subscription permanent identifier of the second terminal device. After receiving the request message, the unified data management network element may obtain the subscription permanent identifier of the second terminal device from the first information and return to the session management network element a response message carrying that identifier. The request message may be a newly added message, or a message that the session management network element already needs to send to the unified data management network element in an existing interaction.
The embodiments of this application do not limit how the unified data management network element obtains the subscription permanent identifier of the second terminal device from the first information. For example, the unified data management network element may store the correspondence between the temporary identifier and the subscription permanent identifier of the second terminal device, or between its anonymized identifier and its subscription permanent identifier, and after obtaining the first information determine the subscription permanent identifier of the second terminal device from the first information on the basis of the stored correspondence. As another example, the unified data management network element may itself have identifier de-concealment capability and be able to de-conceal the anonymized identifier of the second terminal device into its subscription permanent identifier. As yet another example, the unified data management network element may obtain the subscription permanent identifier of the second terminal device by interacting with an identifier de-concealment network element (such as the SIDF network element): it sends the anonymized identifier of the second terminal device to the identifier de-concealment network element and obtains the subscription permanent identifier of the second terminal device from it.
After obtaining the subscription permanent identifier of the second terminal device, the session management network element may use it to obtain the user plane security policy of the first terminal device's relay-type sessions from the unified data management network element.
For example, the session management network element may send the unified data management network element a first subscription information acquisition request carrying the subscription permanent identifier of the second terminal device, requesting the user plane security policy of the first terminal device's relay-type sessions; optionally, the first subscription information acquisition request also includes DNN and/or S-NSSAI. After receiving the first subscription information acquisition request, the unified data management network element determines from the subscription permanent identifier of the second terminal device that the session is a relay session, and then determines the user plane security policy of the first terminal device's relay-type sessions from the subscribed user plane security policy of the first terminal device. The unified data management network element then returns to the session management network element a first subscription information acquisition response carrying the user plane security policy of the first terminal device's relay-type sessions, and the session management network element receives that policy from the unified data management network element.
As a possible implementation, after receiving the first subscription information acquisition request carrying the subscription permanent identifier of the second terminal device, the unified data management network element may also determine the subscribed user plane security policy of the second terminal device from that identifier and use it as the first user plane security policy. If the subscribed user plane security policy of the second terminal device includes multiple user plane security policies, the unified data management network element may choose one of them as the first user plane security policy; for example, it may determine the first user plane security policy from the multiple policies according to DNN and/or S-NSSAI, and then return the first user plane security policy to the session management network element. The subscribed user plane security policy of the second terminal device is the subscribed user plane security policy pre-configured for the second terminal device by the operator network.
Note that the information indicated by the subscribed user plane security policy of the second terminal device may be similar to that indicated by the subscribed user plane security policy of the first terminal device. That is, the subscribed user plane security policy of the second terminal device may indicate the user plane security policy of relay sessions when the second terminal device, as a remote UE, accesses the network through a relay UE, and may also indicate the user plane security policy of non-relay sessions when the second terminal device creates a session directly. When determining the first user plane security policy, the unified data management network element may determine it from the user plane security policy of relay sessions when the second terminal device, as a remote UE, accesses the network through a relay UE.
(4) The session management network element obtains the first user plane security policy directly from the unified data management network element.
The session management network element may directly send the unified data management network element a first subscription information acquisition request carrying the first information, requesting the first user plane security policy; optionally, the first subscription information acquisition request also includes DNN and/or S-NSSAI, so that the unified data management network element can obtain the subscription information corresponding to the DNN and/or S-NSSAI, which contains the corresponding user plane security policy.
The first subscription information acquisition request carrying the first information is taken as the example here; in practice, the session management network element may also determine relay indication information from the first information, where the relay indication information indicates that the type of the session is relay; that is, the session management network element generates a relay indication from the first information and carries the relay indication in the first subscription information acquisition request. The first information and the relay indication may indicate that the type of the session is relay in different ways. As a possible implementation, the relay indication may also be identical to the first information, that is, the session management network element carries the first information in the first subscription information acquisition request.
After receiving the first subscription information acquisition request, the unified data management network element can determine from the first information that the subscription information of a relay-type session needs to be obtained, that is, determine the first user plane security policy.
When determining the first user plane security policy, the unified data management network element may obtain it from the subscribed user plane security policy of the first terminal device.
If the first information is the identifier of the second terminal device, the unified data management network element may also provide the subscribed user plane security policy of the second terminal device to the session management network element, which uses it as the first user plane security policy. Further, if the subscription information of the second terminal device includes the user plane security policy of relay sessions when the second terminal device, as a remote UE, accesses the network through a relay UE, the unified data management network element may provide that user plane security policy to the session management network element as the first user plane security policy.
For example, if the first information is the temporary identifier or the anonymized identifier of the second terminal device, the unified data management network element may determine the subscription permanent identifier of the second terminal device from it, then obtain the subscribed user plane security policy of the second terminal device from that subscription permanent identifier and provide it to the session management network element, which uses the subscribed user plane security policy of the second terminal device as the first user plane security policy.
After determining the first user plane security policy, the unified data management network element returns to the session management network element a first subscription information acquisition response carrying the first user plane security policy, and the session management network element receives the first user plane security policy from the unified data management network element.
Note that in the foregoing implementations the messages exchanged between the session management network element and the unified data management network element are uniformly called the first subscription information acquisition request and the first subscription information acquisition response, but the information they carry may differ between implementations.
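The following is an added example written for this page; it is not code from the patent application or from any 3GPP implementation. It models the UDM side of ways (2) to (4) above (and manner one of the fourth aspect): a subscription store keyed, as the page describes for Tables 1 to 3, by DNN, S-NSSAI and relay/non-relay, a first subscription information acquisition request that carries either an explicit relay indication or a remote UE identifier, resolution of a temporary or concealed identifier to a SUPI (a table lookup standing in for the SIDF), and the fallback to the remote UE's own relay-session policy when the relay UE has none for that DNN. The identifier formats, the SUCI-to-SUPI map and all sample values are constructed for the example.

```python
"""UDM-side selection of the first user plane security policy for a relay session.

Added example for this page, not code from the patent application or from any
3GPP implementation. Subscription records follow the layout the page describes
for Tables 1 to 3 (policy keyed by DNN, S-NSSAI and relay/non-relay). Identifier
formats, the SUCI/temporary-id-to-SUPI map and all sample values are constructed;
SUCI de-concealment is modelled as a dictionary lookup standing in for the SIDF.
"""
from dataclasses import dataclass
from typing import Optional

NOT_NEEDED, PREFERRED, REQUIRED = "not_needed", "preferred", "required"


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: str   # not_needed / preferred / required
    integrity: str


@dataclass(frozen=True)
class SubscribedPolicy:
    dnn: str
    snssai: str
    relay: bool      # True: policy for relay sessions, False: policy for non-relay sessions
    policy: UpSecurityPolicy


class Udm:
    def __init__(self, subscriptions, id_map):
        self._subs = subscriptions   # SUPI -> list of SubscribedPolicy
        self._id_map = id_map        # SUCI or temporary identifier -> SUPI (constructed)

    def resolve_supi(self, identifier: str) -> str:
        """Return the SUPI for a SUPI, SUCI or temporary identifier (KeyError if unknown)."""
        if identifier.startswith("imsi-"):
            return identifier
        return self._id_map[identifier]

    def lookup(self, supi, dnn, snssai, relay) -> Optional[UpSecurityPolicy]:
        for rec in self._subs.get(supi, []):
            if (rec.dnn, rec.snssai, rec.relay) == (dnn, snssai, relay):
                return rec.policy
        return None

    def first_policy(self, relay_ue_supi, dnn, snssai, relay_indication=False, remote_ue_id=None):
        """Handle the first subscription information acquisition request; returns (policy, source).

        With neither a relay indication nor a remote UE identifier the request is an
        ordinary one and the relay UE's non-relay policy is returned. Otherwise the relay
        UE's relay-session policy is preferred, and the remote UE's own relay-session
        policy (found via its SUPI) is the fallback, as in ways (2) to (4) on the page.
        """
        if not relay_indication and remote_ue_id is None:
            return self.lookup(relay_ue_supi, dnn, snssai, relay=False), "relay-ue-non-relay"
        pol = self.lookup(relay_ue_supi, dnn, snssai, relay=True)
        if pol is not None:
            return pol, "relay-ue-relay"
        if remote_ue_id is not None:
            pol = self.lookup(self.resolve_supi(remote_ue_id), dnn, snssai, relay=True)
            if pol is not None:
                return pol, "remote-ue-relay"
        return None, "no-policy"


# Constructed sample data (not taken from the page).
RELAY_UE_SUPI = "imsi-460001234567890"
REMOTE_UE_SUPI = "imsi-460009876543210"


def build_sample_udm() -> Udm:
    subs = {
        RELAY_UE_SUPI: [
            SubscribedPolicy("internet", "1-000001", True, UpSecurityPolicy(REQUIRED, PREFERRED)),
            SubscribedPolicy("internet", "1-000001", False, UpSecurityPolicy(PREFERRED, NOT_NEEDED)),
        ],
        REMOTE_UE_SUPI: [
            SubscribedPolicy("ims", "1-000001", True, UpSecurityPolicy(REQUIRED, REQUIRED)),
        ],
    }
    id_map = {"suci-remote-example": REMOTE_UE_SUPI, "tmp-guti-remote-example": REMOTE_UE_SUPI}
    return Udm(subs, id_map)


if __name__ == "__main__":
    udm = build_sample_udm()
    print(udm.first_policy(RELAY_UE_SUPI, "internet", "1-000001", relay_indication=True))
    print(udm.first_policy(RELAY_UE_SUPI, "ims", "1-000001", remote_ue_id="suci-remote-example"))
```

The `source` tag returned alongside the policy is there so the SMF can tell which of the page's ways produced the policy; a production UDM would also check that the relay UE is authorized to act as a relay before returning any relay-session policy.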
The first user plane security enforcement information of the relay session determined in step 204 is similar to the first user plane security policy: it can indicate whether ciphering and integrity protection are enabled between the first terminal device and the access network device in the relay session, and the values for ciphering and integrity protection are like those of the user plane ciphering protection policy and user plane integrity protection policy described above (see the foregoing; not repeated here). When performing step 204, the session management network element may use the first user plane security policy directly as the first user plane security enforcement information of the relay session. For example, if the first user plane security policy indicates the ciphering protection policy as required and the integrity protection policy as not needed, the first user plane security enforcement information of the relay session indicates ciphering on the first interface as required and integrity protection as not needed. The session management network element may also analyse information about the first terminal device, including but not limited to its maximum data rate for integrity protection and its quality of service (QoS) control information (such as the data rate required by the first terminal device's relay session), and after that analysis decide to adopt the first user plane security policy as the first user plane security enforcement information of the relay session. Alternatively, after analysing the information about the first terminal device, it may modify the first user plane security policy and so determine the first user plane security enforcement information of the relay session.
For example, if the first user plane security policy indicates the ciphering protection policy as preferred, the session management network element needs to further decide whether ciphering on the first interface is enabled before determining the first user plane security enforcement information of the relay session.
As another example, if the first user plane security policy indicates both the ciphering protection policy and the integrity protection policy as preferred, the session management network element needs to further decide whether to enable ciphering and integrity protection on the first interface.
There are many ways for the session management network element to further determine the first user plane security enforcement information of the relay session, and the embodiments of this application do not limit them. For example, the session management network element may determine it from the maximum data rate for integrity protection of the first terminal device.
The maximum data rate for integrity protection of the first terminal device indicates the data transmission rate that the first terminal device supports once integrity protection is enabled. If the first user plane security policy indicates the integrity protection policy as preferred, the session management network element determines whether the rate the first terminal device supports with integrity protection enabled can meet the data rate required by the relay session. The data rate required by the relay session is determined by the session management network element from the DNN and/or S-NSSAI of the session and/or other parameters used to determine a data rate; it may be obtained by the session management network element from the unified data management network element or a policy control network element (such as the PCF), or from local configuration.
If the rate the first terminal device supports with integrity protection enabled is lower than the data rate required by the relay session, the session management network element may set integrity protection in the user plane security enforcement information to not needed, that is, disable integrity protection on the first interface.
If the rate the first terminal device supports with integrity protection enabled is not lower than the data rate required by the relay session, the session management network element may set integrity protection in the user plane security enforcement information to required, that is, enable integrity protection on the first interface.
After determining the first user plane security enforcement information of the relay session, the session management network element may create the relay session and perform step 205.
Note that the session management network element may also refuse to establish the relay session on the basis of the maximum data rate for integrity protection of the first terminal device. For example, if the first user plane security policy indicates the integrity protection policy as required and the maximum data rate for integrity protection of the first terminal device is lower than the data rate required by the relay session, that is, with integrity protection enabled the first terminal device cannot transmit data at the rate the relay session requires, the session management network element may refuse to establish the relay session and send a session establishment reject response to the first terminal device.
After receiving the first user plane security enforcement information of the relay session, the access network device may configure the first user plane security activation state of the first interface, which indicates whether ciphering and integrity protection are enabled between the first terminal device and the access network device in the relay session, and send the first terminal device indication information indicating the first user plane security activation state of the first interface, informing it whether ciphering and integrity protection are enabled on the first interface.
Note that in the first user plane security activation state, ciphering has only two states, enabled or disabled, and integrity protection likewise has only two states, enabled or disabled. The first user plane security activation state is the finally determined user plane security activation state of the first interface.
After receiving the indication information indicating the first user plane security activation state of the first interface, the first terminal device may determine the security activation state between the first terminal device and the second terminal device from the first user plane security activation state of the first interface. The security activation state between the first terminal device and the second terminal device indicates whether ciphering and integrity protection are enabled for data transmission between them.
Note that the security activation state between the first terminal device and the second terminal device is in substance the security activation state of the communication interface between them; in it, ciphering has only two states, enabled or disabled, and integrity protection likewise has only two states, enabled or disabled. It is the finally determined security activation state of the communication interface between the first terminal device and the second terminal device. For convenience, this interface is called the second interface.
For example, the first terminal device may set the security activation state of the second interface to match the first user plane security activation state of the first interface.
As another example, the first terminal device may analyse the first user plane security activation state of the first interface and then determine the security activation state of the second interface. For instance, if the first user plane security activation state of the first interface indicates integrity protection on the first interface as enabled, the first terminal device may further decide whether to enable integrity protection on the second interface.
There are many ways for the first terminal device to determine the security activation state of the second interface, and the embodiments of this application do not limit them.
For example, the first terminal device may determine the security activation state of the second interface from the maximum data rate for integrity protection or the quality of service (QoS) control information of the second terminal device. The maximum data rate for integrity protection or the QoS control information of the second terminal device may be carried in the first direct communication request.
The way the first terminal device uses the maximum data rate for integrity protection of the second terminal device to determine the security activation state of the second interface is the same as the way the session management network element uses the maximum data rate for integrity protection of the first terminal device to determine the first user plane security enforcement information of the session, and is not repeated here.
The QoS control information of the second terminal device indicates the second terminal device's requirements for data transmission, such as the required bandwidth, data transmission rate, latency and packet loss rate.
The first terminal device may determine from the QoS control information of the second terminal device whether the second terminal device can support enabling integrity protection.
For example, if the QoS control information of the second terminal device indicates that the second terminal device must transmit data requiring a bandwidth of 100 Mbit/s, while the bandwidth the second terminal device can support with integrity protection enabled is 50 Mbit/s, the first terminal device may decide not to enable integrity protection.
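The relay UE's PC5 decision described above (and in the second aspect's designs on the PC5 security activation state and the direct communication reject), as an added example that is not code from the patent application: the Uu activation state reported by the RAN is taken as the starting point, integrity protection is dropped when the remote UE cannot sustain its required rate with integrity protection on (the 100 Mbit/s versus 50 Mbit/s case), and the direct communication is rejected when that would leave integrity protection off for a remote UE whose own policy requires it. The fields assumed to travel in the Direct Communication Request (the remote UE's maximum data rate for integrity protection, its QoS requirement and its own integrity policy), the indication layout of the Direct Security Mode Command and all numbers are constructed.

```python
"""Relay-UE derivation of the PC5 security activation state from the Uu state.

Added example for this page, not code from the patent application. The Uu state
arrives from the RAN as on/off per protection. The remote UE's maximum data rate
for integrity protection, its QoS requirement and its own integrity policy are
assumed to be carried in the Direct Communication Request, as the page allows;
the Direct Security Mode Command indication layout and all numbers are constructed.
"""
from dataclasses import dataclass

ON, OFF = "on", "off"


@dataclass(frozen=True)
class ActivationState:
    ciphering: str   # on / off
    integrity: str   # on / off


@dataclass(frozen=True)
class DirectCommunicationRequest:
    remote_ue_id: str
    integrity_max_rate: int   # bit/s the remote UE sustains with integrity protection on
    required_rate: int        # bit/s required by the remote UE's QoS control information
    integrity_policy: str     # remote UE's own policy: not_needed / preferred / required


class DirectCommunicationRejected(Exception):
    """The remote UE requires integrity protection that the PC5 leg would not provide."""


def decide_pc5_state(uu_state: ActivationState, req: DirectCommunicationRequest) -> ActivationState:
    """Derive the PC5 (second interface) activation state from the Uu (first interface) state.

    Ciphering follows Uu. Integrity follows Uu, except that an 'on' value is dropped
    when the remote UE cannot sustain its required rate with integrity protection on.
    If the outcome leaves integrity off while the remote UE requires it, the relay UE
    rejects the direct communication instead of silently downgrading it.
    """
    integrity = uu_state.integrity
    if integrity == ON and req.integrity_max_rate < req.required_rate:
        integrity = OFF
    if integrity == OFF and req.integrity_policy == "required":
        raise DirectCommunicationRejected(
            f"{req.remote_ue_id}: integrity protection required but PC5 integrity would be off")
    return ActivationState(uu_state.ciphering, integrity)


def direct_security_mode_command(state: ActivationState) -> dict:
    """Build the two indications of the Direct Security Mode Command (constructed layout)."""
    return {"ciphering_indication": state.ciphering == ON,
            "integrity_indication": state.integrity == ON}


if __name__ == "__main__":
    uu = ActivationState(ON, ON)
    # Constructed: remote UE needs 100 Mbit/s but only sustains 50 Mbit/s with integrity on.
    req = DirectCommunicationRequest("remote-ue-1", 50_000_000, 100_000_000, "preferred")
    print(direct_security_mode_command(decide_pc5_state(uu, req)))
```

Note the order of the two checks: the rate test runs first so that a remote UE with integrity policy `required` and an insufficient rate is rejected rather than being told that integrity is off.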
Through steps 201 to 205, the user plane security policy of the relay session created by the first terminal device is determined on the basis of the first information, so the first terminal device can transmit the data of the second terminal device through the relay session while keeping that data secure.
In practice, the first terminal device may also establish communication with other terminal devices, which can exchange data with the data network through the session of the first terminal device. That is, the first terminal device may also use an already established relay session to carry the data of other terminal devices; in that case the relay session is reused by other terminal devices, and its user plane security policy may need to be determined again. Taking a third terminal device as the other device, the way of re-determining the user plane security policy of the relay session is described below.
The third terminal device may send a second direct communication request to the first terminal device, requesting establishment of communication with the first terminal device. The second direct communication request may include the identifier of the third terminal device.
The identifier of the third terminal device includes but is not limited to: the temporary identifier, the anonymized identifier and the SUPI of the third terminal device.
After receiving the second direct communication request, the first terminal device determines that the already established session also needs to carry the data of the third terminal device, that is, the third terminal device needs to use the relay session. The first terminal device sends a session modification request to the session management network element, requesting modification of the relay session. The session modification request may also be another session management message or a newly defined session management message.
The session modification request may include the identifier of the third terminal device, and may also carry the identifier of the relay session, indicating the relay session to be modified.
After receiving the session modification request, the session management network element may determine from the identifier of the third terminal device that the third terminal device uses the relay session, and may determine the second user plane security policy; the way it determines the second user plane security policy is similar to step 203 (see the foregoing; not repeated here). Further, the session management network element determines from the second user plane security policy whether to update the user plane security enforcement information of the relay session.
After determining the second user plane security policy, the session management network element may determine from it the second user plane security enforcement information of the relay session, which can be used to determine the second user plane security activation state of the session between the first terminal device and the access network device.
There are many ways for the session management network element to determine the second user plane security enforcement information of the relay session from the second user plane security policy; three of them are listed below:
First way: the session management network element determines the second user plane security enforcement information of the relay session from the second user plane security policy alone. This is similar to step 204 (see the foregoing; not repeated here).
The session management network element may compare the second user plane security enforcement information of the relay session with the first user plane security enforcement information of the relay session. If they are the same, the first user plane security activation state of the first interface can remain unchanged, and the session management network element need not notify the access network device of the second user plane security enforcement information. If they differ, the session management network element may need to notify the access network device of the second user plane security enforcement information, so that the access network device can configure the second user plane security activation state of the first interface and send the first terminal device indication information indicating that state, informing it whether ciphering and integrity protection are enabled on the first interface.
After receiving the indication information indicating the second user plane security activation state of the first interface, the first terminal device may update the security activation state of the second interface according to the second user plane security activation state of the first interface; the way it does so is similar to the way it determined the security activation state of the second interface from the first user plane security activation state of the first interface (see the foregoing; not repeated here).
Second way: the session management network element determines the second user plane security enforcement information of the relay session from the second user plane security policy and the first user plane security policy.
The session management network element determines from the second user plane security policy and the first user plane security policy whether ciphering and integrity protection on the first interface are enabled.
For example, if the first user plane security policy indicates the ciphering protection policy as preferred and the integrity protection policy as not needed, and the second user plane security policy indicates the ciphering protection policy as required and the integrity protection policy as required, the session management network element may determine ciphering on the first interface as required and integrity protection as required. As another example, if the first user plane security policy indicates the ciphering protection policy as required and the integrity protection policy as not needed, and the second user plane security policy indicates the ciphering protection policy as required and integrity protection as required, the session management network element may determine ciphering on the first interface as required and integrity protection as required.
The session management network element may keep the ciphering protection policy or integrity protection policy on which the second user plane security policy and the first user plane security policy agree, and use the kept policy as the corresponding ciphering or integrity protection value in the second user plane security enforcement information of the first interface.
For the integrity protection policy or ciphering protection policy on which they disagree, the session management network element may give priority to the one that raises security, for example choosing the integrity protection policy as required and the ciphering protection policy as required, and use the chosen policy as the corresponding integrity protection or ciphering value in the second user plane security enforcement information of the first interface.
After determining the second user plane security enforcement information of the first interface, the session management network element may compare the second user plane security enforcement information of the relay session with the first; the actions of the session management network element after the comparison, and those of the first terminal device, are as described in the first way and are not repeated here.
Third way: the session management network element determines the second user plane security enforcement information of the relay session from the second user plane security policy and the first user plane security enforcement information of the relay session.
The way of doing so is similar to the second way: the session management network element may keep the ciphering or integrity protection value on which the second user plane security policy and the first user plane security enforcement information of the relay session agree, and use the kept value as the corresponding ciphering or integrity protection value in the second user plane security enforcement information of the first interface.
For the integrity protection or ciphering value on which they disagree, the session management network element may give priority to the one that raises security, for example choosing ciphering as enabled and integrity protection as enabled.
After determining the second user plane security enforcement information of the first interface, the session management network element may compare the second user plane security enforcement information of the relay session with the first; the actions of the session management network element after the comparison, and those of the first terminal device, are as described in the first way.
Note that when determining the second user plane security enforcement information of the relay session from the second user plane security policy, the session management network element may also consider the QoS control information and/or the maximum data rate for integrity protection of the first terminal device; the way it combines them is similar to the way it combines the QoS control information and/or the maximum data rate for integrity protection of the first terminal device when determining the first user plane security enforcement information of the relay session (see the foregoing; not repeated here).
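The SMF-side decisions of step 204 and of the session-reuse update above (also the first aspect's designs on the maximum data rate for integrity protection, the session establishment reject, the three ways of determining the second enforcement information and the compare-before-notify rule), as an added example that is not code from the patent application. The tri-state values, the rule that a `preferred` integrity policy is resolved by comparing the relay UE's maximum data rate for integrity protection with the session's required rate, the reject when `required` cannot be met, and the "keep what agrees, otherwise take the more protective value" merge all follow the page; rate units (bit/s), the use of the same type for policy and enforcement information, and the sample values are constructed.

```python
"""SMF decisions: first enforcement information (step 204) and the update on session reuse.

Added example for this page, not code from the patent application. Values follow the
page (not_needed / preferred / required); the data-rate rule, the reject and the
'more protective value wins' merge are taken from the description. Rates are in bit/s;
the sample values and the shared type for policy and enforcement info are constructed.
"""
from dataclasses import dataclass

NOT_NEEDED, PREFERRED, REQUIRED = "not_needed", "preferred", "required"
_RANK = {NOT_NEEDED: 0, PREFERRED: 1, REQUIRED: 2}


@dataclass(frozen=True)
class UpSecurity:
    """Used both for a user plane security policy and for enforcement information;
    the page gives the two the same value set."""
    ciphering: str
    integrity: str


class SessionRejected(Exception):
    """Integrity protection is required but the relay UE cannot carry the session at the required rate."""


def derive_enforcement(policy: UpSecurity, ue_integrity_max_rate: int, required_rate: int) -> UpSecurity:
    """Step 204: resolve the integrity value using the relay UE's maximum data rate for
    integrity protection; ciphering is passed through unchanged."""
    integrity = policy.integrity
    if integrity == REQUIRED and ue_integrity_max_rate < required_rate:
        raise SessionRejected(
            f"integrity required but UE sustains {ue_integrity_max_rate} < {required_rate} bit/s")
    if integrity == PREFERRED:
        integrity = REQUIRED if ue_integrity_max_rate >= required_rate else NOT_NEEDED
    return UpSecurity(policy.ciphering, integrity)


def _stronger(a: str, b: str) -> str:
    return a if _RANK[a] >= _RANK[b] else b


def merge_for_reuse(second_policy: UpSecurity, first: UpSecurity) -> UpSecurity:
    """Second and third ways on the page: `first` is the first policy or the first
    enforcement information. Agreeing values are kept; where they differ, the more
    protective value wins, so a reusing device can never weaken the session."""
    return UpSecurity(_stronger(second_policy.ciphering, first.ciphering),
                      _stronger(second_policy.integrity, first.integrity))


def reuse_session(second_policy: UpSecurity, first_enforcement: UpSecurity,
                  ue_integrity_max_rate: int, required_rate: int):
    """Return (second enforcement information, notify_ran).

    The merged policy is re-checked against the relay UE's data rate, and the RAN is
    only told when the enforcement information actually changed.
    """
    merged = merge_for_reuse(second_policy, first_enforcement)
    second_enforcement = derive_enforcement(merged, ue_integrity_max_rate, required_rate)
    return second_enforcement, second_enforcement != first_enforcement


if __name__ == "__main__":
    # Constructed: relay UE sustains 64 kbit/s with integrity on, session needs 1 Mbit/s.
    first = derive_enforcement(UpSecurity(REQUIRED, PREFERRED), 64_000, 1_000_000)
    print("first enforcement:", first)
    print("reuse by a device with policy (required, not_needed):",
          reuse_session(UpSecurity(REQUIRED, NOT_NEEDED), first, 64_000, 1_000_000))
```

`reuse_session` raises `SessionRejected` when the merged policy demands integrity protection the relay UE cannot sustain; in that case the SMF rejects the modification instead of silently leaving the first state in place.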
Manner two. Referring to FIG. 3, another method for determining user plane security enforcement information according to an embodiment of this application includes:
Step 301: the same as step 201; see the description of step 201, not repeated here.
Step 302: after receiving the first direct communication request, the first terminal device determines that a session for carrying the data of the second terminal device needs to be created, that is, a relay session, and sends a session establishment request and second information to the access and mobility management network element; the session establishment request requests creation of a relay-type session of the first terminal device, and the second information indicates that the type of the session is relay. The way the second information indicates that the type of the session is relay is similar to the way the first information does so (see the foregoing; not repeated here).
The first terminal device may send the access and mobility management network element an N1 message that includes the second information and the session establishment request. The session establishment request is contained in the N1 SM container; optionally, the session establishment request also carries the maximum data rate for integrity protection of the first terminal device.
Step 303: the access and mobility management network element determines the first information from the second information.
The first information that the access and mobility management network element determines depends on the second information; the cases are described in turn:
1. The second information is the anonymized identifier or the temporary identifier of the second terminal device, and the first information is the subscription permanent identifier of the second terminal device or an explicit indication that the type of the session is relay.
The access and mobility management network element determines the subscription permanent identifier of the second terminal device from its anonymized or temporary identifier in a way similar to the session management network element in the embodiment of FIG. 2: it may obtain the subscription permanent identifier of the second terminal device from the unified data management network element on the basis of the anonymized or temporary identifier (see the foregoing; not repeated here).
Optionally, the second information may also be the subscription permanent identifier of the second terminal device, and the first information is likewise the subscription permanent identifier of the second terminal device or an explicit indication that the type of the session is relay.
The access and mobility management network element may determine from the second information that the session to be established is a relay session, and perform an authorization check on the first terminal device to determine whether it is entitled to create relay sessions. The access and mobility management network element may obtain the subscription information of the first terminal device from the unified data management network element or another network element that stores subscription information, and determine from it whether the first terminal device is authorized to establish relay sessions. The subscription information indicates whether the first terminal device is allowed to act as a relay device and/or whether it is authorized to establish the relay session corresponding to the requested DNN and/or S-NSSAI (as described above, relay identification information can indicate explicitly that the first terminal device is allowed to act as a relay device, or the distinction between relay-session and non-relay-session user plane security policies can indicate it implicitly; whether establishment of the relay session for the requested DNN and/or S-NSSAI is authorized can be determined from whether the user plane security policy for that DNN and/or S-NSSAI carries relay identification information or distinguishes relay sessions from non-relay sessions). The access and mobility management network element may check whether the first terminal device can establish a specific type of relay session, such as the relay session corresponding to a specific DNN and/or S-NSSAI.
Optionally, the access and mobility management network element may, on the basis of the second information, initiate an authorization check procedure towards another network element, so that the authorization-checking network element determines whether the first terminal device is authorized to create relay sessions and/or whether the first terminal device can act as the relay device of the second terminal device. The access and mobility management network element then determines from the result sent by the authorization-checking network element whether the first terminal device is authorized to establish relay sessions and/or can act as the relay device of the second terminal device.
Optionally, the access and mobility management network element may also determine from the second information whether the first terminal device can act as the relay device of the second terminal device.
Optionally, the access and mobility management network element may also perform an authorization check on the second terminal device on the basis of the second information, determining whether the second terminal device may transmit data through a relay UE. It may obtain the subscription information of the second terminal device from the unified data management network element or another network element and determine from it whether the second terminal device is authorized to use relay sessions; the subscription information indicates whether the second terminal device may transmit data through a relay UE.
If the authorization check on the first terminal device passes, the access and mobility management network element may send the first information to the session management network element; otherwise, it may reject the session establishment request of the first terminal device.
2. The first information indicates explicitly that the type of the session is relay.
After receiving the second information, the access and mobility management network element can determine that the session the first terminal device needs to create is a relay session, that is, the session will subsequently carry the data of the second terminal device.
The access and mobility management network element may perform an authorization check on the first terminal device on the basis of the second information to determine whether it is entitled to create relay sessions. It may obtain the subscription information of the first terminal device from the unified data management network element or another network element that stores subscription information, and determine from it whether the first terminal device is authorized to establish relay sessions. The subscription information indicates whether the first terminal device is authorized to act as a relay UE and/or whether it is authorized to establish the relay session corresponding to the requested DNN and/or S-NSSAI. The access and mobility management network element may check whether the first terminal device can establish a specific type of relay session, such as the relay session corresponding to a specific DNN and/or S-NSSAI.
Optionally, the access and mobility management network element may, on the basis of the second information, initiate an authorization check procedure towards another network element, so that the authorization-checking network element determines whether the first terminal device is authorized to create relay sessions.
Optionally, the access and mobility management network element may also perform an authorization check on the second terminal device on the basis of the second information, determining whether the second terminal device may transmit data through a relay UE. It may obtain the subscription information of the second terminal device from the unified data management network element or another network element and determine from it whether the second terminal device is authorized to use relay sessions; the subscription information indicates whether the second terminal device may transmit data through a relay UE.
If the authorization check on the first terminal device passes, the access and mobility management network element may send the first information to the session management network element; otherwise, it may reject the session establishment request of the first terminal device.
3. The first information is the same as the second information.
Similar to the previous case, the access and mobility management network element may perform an authorization check on the first terminal device on the basis of the second information; if the check passes, it may send the first information to the session management network element, that is, the first information the access and mobility management network element sends to the session management network element is the same as the second information the first terminal device sent to the access and mobility management network element. Otherwise, the access and mobility management network element may reject the session establishment request of the first terminal device.
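The AMF handling of step 303 above (and the third aspect's designs on the authorization check and the SUPI derivation), as an added example that is not code from the patent application: the second information is turned into the first information, the relay UE is checked for permission to act as a relay and for the requested DNN/S-NSSAI, a temporary or concealed remote UE identifier is resolved to a SUPI at the AMF so the relay UE never has to carry it, and the remote UE's own permission to use a relay is checked before its SUPI is forwarded. The subscription fields (`relay_allowed`, authorized DNN/S-NSSAI pairs, `may_use_relay`), the explicit relay marker, the identifier formats and the lookup tables are constructed.

```python
"""AMF processing of the second request in manner two: derive the first information
and run the authorization checks before anything is forwarded to the SMF.

Added example for this page, not code from the patent application. The subscription
fields, the explicit relay marker, the identifier formats and the lookup tables are
constructed; a real AMF would obtain them from the UDM or an authorization function.
"""
from dataclasses import dataclass, field
from typing import Optional

RELAY_MARKER = "RELAY"   # constructed explicit form of the second/first information


@dataclass
class RelayUeSubscription:
    supi: str
    relay_allowed: bool
    relay_dnn_snssai: set = field(default_factory=set)   # (dnn, snssai) pairs authorized for relay sessions


@dataclass
class RemoteUeSubscription:
    supi: str
    may_use_relay: bool


class UdmStub:
    """Just enough of the UDM for the AMF checks: subscription lookup and identifier resolution."""

    def __init__(self, relay_subs, remote_subs, id_map):
        self._relay, self._remote, self._id_map = relay_subs, remote_subs, id_map

    def resolve_supi(self, identifier: str) -> Optional[str]:
        if identifier.startswith("imsi-"):
            return identifier
        return self._id_map.get(identifier)   # SUCI / temporary id -> SUPI, None if unknown

    def relay_subscription(self, supi: str) -> Optional[RelayUeSubscription]:
        return self._relay.get(supi)

    def remote_subscription(self, supi: str) -> Optional[RemoteUeSubscription]:
        return self._remote.get(supi)


def amf_handle_second_request(udm: UdmStub, relay_ue_supi: str, dnn: str, snssai: str, second_info: str):
    """Return ("forward", first_information) or ("reject", reason).

    The relay UE is checked first (may it relay at all, and for this DNN/S-NSSAI). An
    explicit marker is forwarded as is. A remote UE identifier is resolved to a SUPI
    here and the remote UE's authorization to use a relay is checked before the SUPI
    is forwarded as the first information.
    """
    sub = udm.relay_subscription(relay_ue_supi)
    if sub is None or not sub.relay_allowed:
        return "reject", "relay UE not authorized to act as a relay"
    if (dnn, snssai) not in sub.relay_dnn_snssai:
        return "reject", "relay session not authorized for this DNN/S-NSSAI"
    if second_info == RELAY_MARKER:
        return "forward", RELAY_MARKER
    remote_supi = udm.resolve_supi(second_info)
    if remote_supi is None:
        return "reject", "unknown remote UE identifier"
    rsub = udm.remote_subscription(remote_supi)
    if rsub is None or not rsub.may_use_relay:
        return "reject", "remote UE not authorized to use a relay"
    return "forward", remote_supi


# Constructed sample data (not taken from the page).
RELAY_UE = "imsi-460001234567890"
REMOTE_UE = "imsi-460009876543210"
BLOCKED_REMOTE_UE = "imsi-460005555555555"


def build_sample_udm() -> UdmStub:
    return UdmStub(
        relay_subs={RELAY_UE: RelayUeSubscription(RELAY_UE, True, {("internet", "1-000001")})},
        remote_subs={REMOTE_UE: RemoteUeSubscription(REMOTE_UE, True),
                     BLOCKED_REMOTE_UE: RemoteUeSubscription(BLOCKED_REMOTE_UE, False)},
        id_map={"suci-remote-example": REMOTE_UE, "suci-blocked-example": BLOCKED_REMOTE_UE},
    )


if __name__ == "__main__":
    udm = build_sample_udm()
    print(amf_handle_second_request(udm, RELAY_UE, "internet", "1-000001", "suci-remote-example"))
    print(amf_handle_second_request(udm, RELAY_UE, "ims", "1-000001", RELAY_MARKER))
```

Rejecting at the AMF keeps an unauthorized relay request from ever reaching the SMF or the UDM subscription lookup, which is the efficiency point the third aspect makes; the reasons are returned as plain strings only so that the caller can map them to a cause value.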
Step 304: the access and mobility management network element sends the session establishment request and the first information to the session management network element.
Step 305: the same as step 203; see the description of step 203, not repeated here.
Step 306: the same as step 204; see the description of step 204, not repeated here.
Step 307: the same as step 205; see the description of step 205, not repeated here.
Through steps 301 to 307, the user plane security policy of the relay session created by the first terminal device is determined on the basis of the first information, so the first terminal device can transmit the data of the second terminal device through the relay session while keeping that data secure.
In practice, the first terminal device may also establish communication with other terminal devices, which can exchange data with the data network through the session of the first terminal device. That is, the first terminal device may also use an already established relay session to carry the data of other terminal devices; in that case the relay session is reused by other terminal devices, and its user plane security policy may need to be determined again. For the way the user plane security policy of the relay session is re-determined when a third terminal device reuses it, see the description of FIG. 2, not repeated here.
Note that when the third terminal device reuses the relay session, the first terminal device may also, in the manner shown in FIG. 3, send the temporary identifier or the anonymized identifier of the third terminal device to the access and mobility management network element, which may determine the subscription permanent identifier of the third terminal device in a similar way and then send the session management network element a session modification request (which does not carry the identifier of the third terminal device) together with the subscription permanent identifier of the third terminal device.
Note that the embodiments of FIGS. 2 and 3 both take as the example the first terminal device requesting creation of the relay session after the second terminal device initiates the first direct communication request. In practice, the first terminal device may also establish the relay session in advance, before the second terminal device initiates the first direct communication request, that is, send the session establishment request to the session management network element beforehand; in that case the first information may use an explicit indication that the type of the session is relay.
下面基于如图1所示的网络架构,以统一数据管理网元为UDM网元、会话管理网元为SMF网元、移动接入管理网元为AMF网元、第一终端设备为中继UE,第二终端设备为远端UE为例,对如图2所示的确定用户面安全执行信息的方法进行进一步介绍。如图4所示,为本申请实施例提供的一种确定用户面安全执行信息的方法,该方法包括:
步骤401:UDM网元上配置中继UE签约的用户面安全策略,其中包括中继会话的用户面安全策略。中继UE签约的用户面安全策略可以如表1~表3所示。表格仅是一种数据的呈现方式,本申请实施例并不限定中继UE的签约用户面安全策略的呈现方式,例如还可以采用数据映射的方式呈现该中继UE的签约用户面安全策略。
步骤402:中继UE向SMF网元发送会话建立请求,用于请求创建中继UE中继类型的会话,所述会话建立请求中包含第一信息,该第一信息用于指示所述会话的类型为中继类型。
步骤403:SMF网元向UDM网元发送第一签约信息获取请求,该第一签约信息获取请求中包含第一信息。第一签约信息获取请求用于请求获取第一终端设备的签约信息,该签约信息包括中继UE签约的用户面安全策略。
步骤404:UDM网元接收到第一签约信息获取请求后,确定中继UE签约的用户面安全策略。
步骤405:UDM网元向SMF网元发送第一签约信息获取响应,第一签约信息获取响应中包括中继UE签约的用户面安全策略。
需要说明的是,SMF网元向UDM网元发送的第一签约信息获取请求可以用于请求第一终端设备所有的签约信息,其中包括第一终端设备中继会话的用户面安全策略(该中继会话的用户面安全策略包括第一用户面安全策略和中继会话的其他用户面安全策略)以及非中继会话的用户面安全策略。UDM网元向SMF网元发送的第一签约信息获取响应中包括该第一终端设备的所有的签约信息。SMF网元可以从第一终端设备的所有的签约信息中确定第一用户面安全策略。进一步的,SMF网元向UDM网元发送的第一签约信息获取请求可以用于请求第一终端设备中继会话的DNN/S-NSSAI对应的所有的签约信息。进一步的,SMF网元从该所有的签约信息中确定第一用户面安全策略。
作为另一种可能的实施方式,SMF网元向UDM网元发送的第一签约信息获取请求也可以用于请求第一终端设备的部分签约信息,例如第一终端设备作为中继UE的签约信息,第一终端设备作为中继UE的签约信息包括第一终端设备中继会话的用户面安全策略(该 中继会话的用户面安全策略包括第一用户面安全策略和中继会话的其他用户面安全策略)。UDM网元向SMF网元发送的第一签约信息获取响应可以包括该第一终端设备作为中继UE所有签约信息,如第一用户面安全策略和中继会话的其他用户面安全策略;也可以只包括该第一终端设备作为中继UE部分签约信息,如只包括第一终端设备中继会话的用户面安全策略。SMF网元在接收到第一终端设备中继会话的用户面安全策略,从第一终端设备中继会话的用户面安全策略中确定第一用户面安全策略。
步骤406:SMF网元根据第一用户面安全策略确定中继会话的第一用户面安全执行信息。第一用户面安全执行信息指示第一接口的第一用户面安全激活状态,第一接口也可以称为UU口。
步骤407:SMF网元向RAN发送中继会话的第一用户面安全执行信息,RAN根据中继会话的第一用户面安全执行信息配置第一接口的第一用户面安全激活状态,激活中继会话的用户面安全激活状态。
步骤408:RAN向中继UE发送第一指示信息,该第一指示信息用于指示第一接口的第一用户面安全激活状态。
步骤409:远端UE向中继UE发送第一直接通信请求,该第一直接通信请求中包括远端UE的标识。可选的,还可以包远端UE的完整性保护最大数据率。
步骤410:中继UE接收到第一直接通信请求后,确定需已创建中继会话需要传输第二终端设备的数据,根据第一接口的第一用户面安全激活状态确定PC5空口的安全激活状态信息。PC5空口为中继UE与远端UE的通信接口。
例如,中继UE可以将第一接口的第一用户面安全激活状态设置为PC5口的安全激活状态,示例性的,若第一接口的加密保护为必须,完整性保护为不需要,则PC5口的加密保护也为开启,完整性保护为关闭。
又例如,若第一接口的完整性保护为开启,中继UE可以根据远程UE的UE完整性保护最大数据率和/或QoS控制信息,确定是否激活完整性保护。
步骤411:中继UE向远程UE发送第一直接安全模式命令,第一直接安全模式命令中包括加密保护指示和完整性保护指示,分别指示数据加密是否开启和完整性保护是否开启。
步骤412:远端UE在接收到第一直接安全模式命令后,根据第一直接安全模式命令配置PC5口的加密保护和完整性保护,向中继UE发送第一直接安全模式完成消息。
步骤413:中继UE向远端UE发送第一直接通信响应。
需要说明的是,在上述说明中是以中继会话创建流程(步骤402~步骤408)在第二终端设备发起直接通信流程(步骤409)开始之前进行的,在实际应用中,中继会话创建流程也可以在步骤409之后执行。也就是说,中继UE接收到远端UE的第一直接通信请求之后,在未建立中继会话或建立的中继会话不可重用的情况下,中继UE可以发起创建新的中继会话的流程,这种情况下,会话建立请求中可以将远端UE的标识作为第一信息。
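The decision chain of steps 401 to 410 above (UDM picks the relay-type policy, SMF turns it into enforcement information while checking the relay UE's maximum data rate for integrity protection, the relay UE mirrors the Uu state onto PC5) can be modelled in a few functions. The following is an added example written for this page, not code from the patent or from any 3GPP implementation. The DNN/S-NSSAI values, data rates and policy table are constructed; activation of a "preferred" ciphering policy and the exact handling of the remote UE's own integrity requirement (the direct communication reject described later for the relay UE apparatus) are labelled as assumptions in the comments.

```python
"""Added example (not from the patent text): a model of steps 401-410 of
Figure 4, i.e. how an SMF could turn a relay UE's subscribed user plane
security policy into user plane security enforcement information, and how the
relay UE then derives the PC5 security activation state from the Uu one.
All DNN/S-NSSAI values, data rates and policy entries below are constructed."""
from dataclasses import dataclass

# Policy values for ciphering and integrity protection, as named in the text.
REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: str
    integrity: str


@dataclass(frozen=True)
class UpSecurityActivation:
    """Enforcement information / activation state: is each protection on?"""
    ciphering_on: bool
    integrity_on: bool


class SessionRejected(Exception):
    """SMF answers with a session establishment reject response."""


class DirectCommunicationRejected(Exception):
    """Relay UE answers the remote UE with a direct communication reject."""


# Step 401 (constructed data): the relay UE's subscribed policies on the UDM,
# keyed by (DNN, S-NSSAI, session type). Relay and non-relay sessions of the
# same DNN/S-NSSAI carry different policies.
RELAY_UE_SUBSCRIPTION = {
    ("dnn-example", "snssai-example", "relay"): UpSecurityPolicy(REQUIRED, PREFERRED),
    ("dnn-example", "snssai-example", "non-relay"): UpSecurityPolicy(PREFERRED, NOT_NEEDED),
}


def udm_select_policy(subscription, dnn, snssai, first_info_is_relay):
    """Steps 403-405: the UDM uses the first information (session type is
    relay) to pick the relay-type policy rather than the non-relay one."""
    session_type = "relay" if first_info_is_relay else "non-relay"
    return subscription[(dnn, snssai, session_type)]


def smf_determine_enforcement(policy, relay_max_integrity_rate, session_rate):
    """Step 406: map the first policy to first enforcement information.
    Integrity PREFERRED becomes 'not needed' when the relay UE's maximum data
    rate for integrity protection is below the rate the session requires;
    integrity REQUIRED with an insufficient rate rejects the session.
    Assumption (not stated on the page): ciphering PREFERRED is activated."""
    rate_ok = relay_max_integrity_rate >= session_rate
    if policy.integrity == REQUIRED and not rate_ok:
        raise SessionRejected("integrity protection required but max data rate too low")
    integrity_on = policy.integrity == REQUIRED or (policy.integrity == PREFERRED and rate_ok)
    ciphering_on = policy.ciphering != NOT_NEEDED
    return UpSecurityActivation(ciphering_on, integrity_on)


def relay_ue_pc5_activation(uu, remote_policy, remote_max_integrity_rate, session_rate):
    """Step 410: the relay UE takes the Uu activation state as the PC5 one.
    If Uu integrity is on, PC5 integrity additionally depends on the remote
    UE's maximum data rate for integrity protection. Assumption: if Uu
    integrity is off but the remote UE's own policy requires it, the relay UE
    rejects the direct communication request (as the apparatus text allows)."""
    if not uu.integrity_on and remote_policy.integrity == REQUIRED:
        raise DirectCommunicationRejected("remote UE requires integrity protection")
    pc5_integrity = uu.integrity_on and remote_max_integrity_rate >= session_rate
    return UpSecurityActivation(uu.ciphering_on, pc5_integrity)


def establish_relay_session(dnn, snssai, relay_max_rate, remote_policy, remote_max_rate, session_rate):
    """Whole flow: UDM lookup -> SMF decision (sent to the RAN, then indicated
    to the relay UE) -> relay UE's PC5 decision. Returns (Uu state, PC5 state)."""
    policy = udm_select_policy(RELAY_UE_SUBSCRIPTION, dnn, snssai, first_info_is_relay=True)
    uu = smf_determine_enforcement(policy, relay_max_rate, session_rate)
    pc5 = relay_ue_pc5_activation(uu, remote_policy, remote_max_rate, session_rate)
    return uu, pc5


if __name__ == "__main__":
    remote = UpSecurityPolicy(PREFERRED, PREFERRED)
    # rates in kbit/s (constructed): relay UE 64000, remote UE 64000, session needs 10000
    print(establish_relay_session("dnn-example", "snssai-example", 64000, remote, 64000, 10000))
```

The point the model makes visible is that two different maximum data rates gate integrity protection at two different places: the relay UE's rate is checked by the SMF for the Uu leg, and the remote UE's rate is checked by the relay UE for the PC5 leg, so PC5 integrity can end up off even when Uu integrity is on.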
The method of Figure 3 for determining user plane security enforcement information is further described below on the basis of the network architecture of Figure 1, again taking the unified data management network element to be a UDM network element, the session management network element an SMF network element, the mobility and access management network element an AMF network element, the first terminal device a relay UE and the second terminal device a remote UE. As shown in Figure 5, a method for determining a user plane security policy provided by an embodiment of this application includes:

Step 501: same as step 409; see the description of step 409, which is not repeated here.

Step 502: after receiving the first direct communication request, the relay UE determines that a relay session needs to be established and sends a first N1 message to the AMF network element. The first N1 message includes the remote UE's identifier and a first N1 SM container; the first N1 SM container contains the session establishment request and the relay UE's maximum data rate for integrity protection.

Step 503: after receiving the first N1 message, the AMF network element may determine from the remote UE's identifier that the session the relay UE needs to create is a relay session, and performs an authorization check on the relay UE to confirm that the relay UE is permitted to create relay sessions.

Optionally, if the remote UE's identifier is a temporary identifier or an anonymized identifier, the AMF network element may obtain the remote UE's SUPI from the UDM network element according to that identifier. The AMF network element then performs an authorization check on the remote UE based on its SUPI to confirm that the remote UE may transmit data through the relay UE.

Step 504: after the relay UE passes the authorization check, the AMF network element sends a first Nsmf service message to the SMF network element, which includes the remote UE's SUPI and the first N1 SM container.

Step 505: after receiving the first Nsmf service message, the SMF network element sends the UDM network element a first subscription information acquisition request carrying the remote UE's SUPI; the request also includes the DNN and S-NSSAI of the relay session.

Step 506: the UDM network element determines the first user plane security policy from the remote UE's SUPI and the user plane security policy subscribed by the relay UE, then sends a first subscription information acquisition response to the SMF network element, which includes the first user plane security policy.

Step 507: same as step 406; see the description of step 406, which is not repeated here.

Step 508: same as step 407; see the description of step 407, which is not repeated here.

Step 509: same as step 408; see the description of step 408, which is not repeated here.

Step 510: same as step 410; see the description of step 410, which is not repeated here.

Step 511: same as step 411; see the description of step 411, which is not repeated here.

Step 512: same as step 412; see the description of step 412, which is not repeated here.

Step 513: same as step 413; see the description of step 413, which is not repeated here.
The way in which, in the methods of Figures 2 and 3, a third terminal device reuses the relay session and the relay session's user plane security policy is updated is further described below on the basis of the network architecture of Figure 1, taking the unified data management network element to be a UDM network element, the session management network element an SMF network element, the mobility and access management network element an AMF network element, the first terminal device a relay UE, the second terminal device remote UE1 and the third terminal device remote UE2. As shown in Figure 6, a method for determining user plane security enforcement information provided by an embodiment of this application includes:

Step 601: the relay UE transmits remote UE1's data over the relay session; for how the relay session is established see the embodiments of Figures 2 to 5.

Step 602: remote UE2 sends a second direct communication request to the relay UE, which carries remote UE2's maximum data rate for integrity protection.

Step 603: after receiving the second direct communication request, the relay UE determines that remote UE2 reuses the already established relay session.

Step 604: the relay UE sends a second N1 message to the AMF network element. The second N1 message includes remote UE2's identifier and a second N1 SM container, and the second N1 SM container contains a session modification request.

Note that if the relay session's ciphering is already on and its integrity protection is on, the session modification procedure need not be started, that is, step 604 and the following steps need not be performed.

Step 605: after receiving the second N1 message, the AMF network element may send a second Nsmf service message to the SMF network element, which includes remote UE2's identifier and the second N1 SM container.

Step 606: after receiving the second Nsmf service message, if remote UE2's identifier is a temporary identifier or an anonymized identifier, the SMF network element may first obtain remote UE2's SUPI from the UDM network element according to that identifier.

Step 607: the SMF network element sends the UDM network element a second subscription information acquisition request carrying remote UE2's SUPI; the request also includes the DNN and S-NSSAI of the relay session.

Step 608: the UDM network element sends a second subscription information acquisition response to the SMF network element, which includes the second user plane security policy.

Step 609: the SMF network element determines the second user plane security enforcement information of the relay session according to the second user plane security policy.

For example, the SMF network element determines the second user plane security enforcement information of the relay session according to the first user plane security policy and the second user plane security policy. It then compares the relay session's first user plane security enforcement information with its second user plane security enforcement information and, if they differ, performs step 610.

Here, if the second and the first user plane security policy indicate that integrity protection of the relay session is on or preferably on, the SMF network element may determine the second user plane security enforcement information according to the relay UE's maximum data rate for integrity protection.

As another example, the SMF network element determines the second user plane security enforcement information of the relay session according to the second user plane security policy and the first user plane security enforcement information, then compares the first and second user plane security enforcement information and, if they differ, performs step 610.

Here, if the second user plane security policy and the first user plane security enforcement information indicate that integrity protection is on or preferably on, the SMF network element may determine the second user plane security enforcement information according to the relay UE's maximum data rate for integrity protection.

As a further example, the SMF network element determines the second user plane security enforcement information of the relay session according to the second user plane security policy alone, then compares the first and second user plane security enforcement information and, if they differ, performs step 610.

Step 610: the SMF network element sends the second user plane security enforcement information of the relay session to the RAN. The RAN configures the second user plane security activation state of the first interface according to it and activates user plane security for the relay session.

Step 611: the RAN sends second indication information to the relay UE, indicating the second user plane security activation state of the first interface.

Step 612: the relay UE updates the security activation state of the PC5 air interface according to the second user plane security activation state of the first interface.

Step 613: the relay UE sends a second Direct Security Mode Command to remote UE2. The command includes a ciphering indication and an integrity protection indication, which respectively indicate whether ciphering is on and whether integrity protection is on.

Step 614: after receiving the second Direct Security Mode Command, the remote UE configures PC5 ciphering and integrity protection according to it and sends a second Direct Security Mode Complete message to the relay UE.

Step 615: the relay UE sends a second direct communication response to the remote UE.
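Step 609 gives three variants for deriving the second enforcement information and only sends it to the RAN (step 610) when it differs from the first, while the note after step 604 lets the relay UE skip the modification entirely when both protections are already on. The following added example, written for this page and not taken from the patent or any real SMF, models the first variant (first policy combined with second policy). The patent does not specify how two policies are combined, so the "stricter value wins" rule, the activation of a "preferred" ciphering policy and the treatment of a "required" integrity policy with an insufficient data rate are labelled assumptions; all policy values and rates are constructed.

```python
"""Added example (not from the patent text): the SMF side of Figure 6, steps
603-610, where a second remote UE reuses an existing relay session and the
session's user plane security enforcement information may have to be updated.
Policy values and data rates are constructed."""
from dataclasses import dataclass

REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"
# Ordering used by the (assumed) combination rule below.
STRENGTH = {NOT_NEEDED: 0, PREFERRED: 1, REQUIRED: 2}


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: str
    integrity: str


@dataclass(frozen=True)
class UpSecurityActivation:
    ciphering_on: bool
    integrity_on: bool


def relay_ue_must_modify_session(first_activation):
    """Note after step 604: if the relay session already has ciphering on and
    integrity protection on, the relay UE need not start session modification
    at all, since no stricter protection can be asked for on the Uu leg."""
    return not (first_activation.ciphering_on and first_activation.integrity_on)


def combine_policies(first_policy, second_policy):
    """Step 609, first variant: combine the first and second policies.
    Assumption (the page gives no rule): per protection type the stricter
    value wins, so a REQUIRED from either remote UE is kept."""
    def stricter(a, b):
        return a if STRENGTH[a] >= STRENGTH[b] else b
    return UpSecurityPolicy(stricter(first_policy.ciphering, second_policy.ciphering),
                            stricter(first_policy.integrity, second_policy.integrity))


def determine_second_enforcement(policy, relay_max_integrity_rate, session_rate):
    """Step 609: when the combined policy has integrity on or preferred, the
    relay UE's maximum data rate for integrity protection decides; for
    PREFERRED an insufficient rate means integrity is 'not needed'.
    Assumptions: REQUIRED integrity stays on regardless of the rate, and
    ciphering PREFERRED is activated."""
    rate_ok = relay_max_integrity_rate >= session_rate
    integrity_on = policy.integrity == REQUIRED or (policy.integrity == PREFERRED and rate_ok)
    return UpSecurityActivation(policy.ciphering != NOT_NEEDED, integrity_on)


def smf_handle_session_reuse(first_policy, first_activation, second_policy,
                             relay_max_integrity_rate, session_rate):
    """Steps 609-610: derive the second enforcement information and compare it
    with the first; the RAN is only told (step 610) when something changed.
    Returns (second activation state, send_to_ran)."""
    combined = combine_policies(first_policy, second_policy)
    second = determine_second_enforcement(combined, relay_max_integrity_rate, session_rate)
    return second, second != first_activation


if __name__ == "__main__":
    first_policy = UpSecurityPolicy(REQUIRED, NOT_NEEDED)   # remote UE1's relay session
    first_state = UpSecurityActivation(True, False)
    # remote UE2 requires integrity; relay UE can sustain it at the session rate
    print(smf_handle_session_reuse(first_policy, first_state,
                                   UpSecurityPolicy(REQUIRED, REQUIRED), 64000, 10000))
```

Because remote UE1 and remote UE2 share one PDU session over Uu, any upgrade requested for UE2 is applied to UE1's traffic as well; the comparison step keeps the RAN reconfiguration and the PC5 re-keying of steps 611 to 614 from running when nothing actually changed.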
Based on the same inventive concept as the method embodiments, an embodiment of this application also provides a communication apparatus for performing the method performed by the session management network element or SMF network element in the method embodiments above; for the related features see those embodiments, which are not repeated here. As shown in Figure 7, the apparatus includes a receiving unit 701, a processing unit 702 and a sending unit 703:

the receiving unit 701 is configured to receive a first request for creating a relay-type session of the first terminal device, the first request including first information indicating that the type of the session is the relay type;

the processing unit 702 is configured to determine the first user plane security enforcement information of the session according to the first information;

the sending unit 703 is configured to send the first user plane security enforcement information of the session to the access network device, where it is used to determine the first user plane security activation state of the session between the first terminal device and the access network device.

In one possible implementation, the first request includes an N1 SM container that includes the first information; or the first request includes the first information and an N1 SM container.

In one possible implementation, when determining the first user plane security enforcement information of the session according to the first information, the processing unit 702 may obtain the first user plane security policy according to the first information, and then either take the first user plane security policy directly as the first user plane security enforcement information, or analyse the first user plane security policy and determine the first user plane security enforcement information of the session from it.

In one possible implementation, when the processing unit 702 obtains the first user plane security policy according to the first information, the sending unit 703 may send a first subscription information acquisition request to the unified data management network element; the first terminal device's subscribed user plane security policy indicates the user plane security policy of the first terminal device's relay-type sessions and that of its non-relay-type sessions. The receiving unit 701 then receives a first subscription information acquisition response from the unified data management network element including the first terminal device's subscribed user plane security policy, and the processing unit 702 determines, according to the first information, the user plane security policy of the first terminal device's relay-type sessions as the first user plane security policy.

In one possible implementation, when the processing unit 702 obtains the first user plane security policy according to the first information, the sending unit 703 may send a first subscription information acquisition request to the unified data management network element that includes a relay indication, used to request the user plane security policy of the first terminal device's relay-type sessions. The receiving unit 701 then receives a first subscription information acquisition response from the unified data management network element including the first terminal device's subscribed user plane security policy (which includes the first user plane security policy), and the processing unit 702 determines the first user plane security policy from the subscribed policy according to the first information.

In one possible implementation, the first information is a temporary identifier or an anonymized identifier of the second terminal device. When obtaining the first user plane security policy according to the first information, the processing unit 702 may obtain the second terminal device's SUPI from that identifier; the sending unit 703 may then send a first subscription information acquisition request to the unified data management network element including the second terminal device's SUPI; and the receiving unit 701 may receive a first subscription information acquisition response from the unified data management network element carrying any one of the following:

first, the first user plane security policy;

second, the user plane security policy of the first terminal device's relay-type sessions, from which the processing unit 702 then determines the first user plane security policy;

third, the second terminal device's subscribed user plane security policy, from which the processing unit 702 then determines the first user plane security policy.

In one possible implementation, when the processing unit 702 obtains the first user plane security policy according to the first information, the sending unit 703 may send a first subscription information acquisition request including the first information to the unified data management network element; the receiving unit 701 then receives a first subscription information acquisition response from the unified data management network element including the first user plane security policy.

In one possible implementation, the first information is an identifier of the second terminal device, which includes one or more of the following:

the second terminal device's temporary identifier, the second terminal device's anonymized identifier, or the second terminal device's subscription permanent identifier SUPI.

In one possible implementation, the first user plane security policy indicates that integrity protection is preferred, and when determining the first user plane security enforcement information of the session according to the first user plane security policy, the processing unit 702 may determine that integrity protection of the session is not needed after determining that the first terminal device's maximum data rate for integrity protection is less than the data rate required by the session.

In one possible implementation, if the first user plane security policy indicates that integrity protection is required, the processing unit 702 may determine whether the first terminal device's maximum data rate for integrity protection is less than the data rate required by the session, and after the processing unit 702 determines that it is, the sending unit 703 sends a session establishment reject response to the first terminal device indicating that establishment of the session is rejected.

In one possible implementation, the receiving unit 701 may also receive a third request indicating that a third terminal device uses the session, the third request including the third terminal device's identifier; the processing unit 702 may determine the second user plane security enforcement information of the session according to the third terminal device's identifier; and the sending unit 703 may send the second user plane security enforcement information of the session to the access network device, where it is used to determine the second user plane security activation state of the session between the first terminal device and the access network device.

In one possible implementation, when determining the second user plane security enforcement information of the session according to the third terminal device's identifier, the processing unit 702 may determine the second user plane security policy according to the third terminal device's identifier, and then determine the second user plane security enforcement information of the session according to the second user plane security policy.

In one possible implementation, the third terminal device's identifier includes one or more of the following:

the third terminal device's temporary identifier, the third terminal device's anonymized identifier, or the third terminal device's subscription permanent identifier SUPI.

In one possible implementation, when determining the second user plane security enforcement information of the session according to the second user plane security policy, the processing unit 702 may determine it according to the second user plane security policy and the first user plane security enforcement information of the session; or according to the second user plane security policy and the first user plane security policy; or according to the second user plane security policy alone.

In one possible implementation, when the processing unit 702 obtains the second user plane security policy according to the third terminal device's identifier, the sending unit 703 may send a second subscription information acquisition request to the unified data management network element including the third terminal device's identifier, and the receiving unit 701 may receive a second subscription information acquisition response from the unified data management network element including the second user plane security policy.

In one possible implementation, when obtaining the second user plane security policy according to the third terminal device's identifier, the processing unit 702 may determine the second user plane security policy according to the third terminal device's identifier and the first terminal device's subscribed user plane security policy.

In one possible implementation, when the processing unit 702 obtains the second user plane security policy according to the third terminal device's identifier, the sending unit 703 sends a second subscription information acquisition request to the unified data management network element including the third terminal device's identifier; the receiving unit 701 receives a second subscription information acquisition response from the unified data management network element including the user plane security policy of the first terminal device's relay-type sessions; and the processing unit 702 determines the second user plane security policy from that policy.

In one possible implementation, when the processing unit 702 obtains the second user plane security policy according to the third terminal device's identifier, the sending unit 703 sends a second subscription information acquisition request to the unified data management network element including the third terminal device's identifier; the receiving unit 701 receives a second subscription information acquisition response from the unified data management network element including the third terminal device's subscribed user plane security policy; and the processing unit 702 determines the second user plane security policy from that policy.

In one possible implementation, before the sending unit 703 sends the second user plane security enforcement information of the session to the access network device, the processing unit 702 may determine that the first and the second user plane security enforcement information of the session differ.

In one possible implementation, the second user plane security policy indicates that integrity protection of the session is preferred, and when determining the second user plane security enforcement information of the session according to the second user plane security policy, the processing unit 702 determines that integrity protection of the session is turned off after determining that the first terminal device's maximum data rate for integrity protection is less than the data rate required by the session.
Based on the same inventive concept as the method embodiments, an embodiment of this application also provides a communication apparatus for performing the method performed by the first terminal device or relay UE in the method embodiments above; for the related features see those embodiments, which are not repeated here. As shown in Figure 8, the apparatus includes a sending unit 801 and a receiving unit 802:

the sending unit 801 is configured to send a second request to the mobility and access management network element for creating a relay-type session, the second request including second information indicating that the type of the session is the relay type;

the receiving unit 802 is configured to receive first indication information sent by the access network device, indicating the first user plane security activation state of the session between the first terminal device and the access network device.

In one possible implementation, before the sending unit 801 sends the second request, the receiving unit 802 may receive a first direct communication request sent by the second terminal device for establishing communication with the first terminal device.

In one possible implementation, the second request includes an N1 SM container that includes the second information; or the second request includes the second information and an N1 SM container.

In one possible implementation, the session is used to transmit the second terminal device's data, and the second information includes one or more of the following:

the second terminal device's temporary identifier, the second terminal device's anonymized identifier, or the second terminal device's SUPI.

In one possible implementation, the apparatus further includes a processing unit 803:

the receiving unit 802 may receive a second direct communication request sent by a third terminal device for establishing communication with the first terminal device; the processing unit 803 may then determine, according to the second direct communication request, that the third terminal device uses the session; and the sending unit 801 may send a third request to the mobility and access management network element indicating that the third terminal device uses the session, the third request including the third terminal device's identifier.

In one possible implementation, the third terminal device's identifier includes one or more of the following:

the third terminal device's temporary identifier, the third terminal device's anonymized identifier, or the third terminal device's SUPI.

In one possible implementation, after the receiving unit 802 receives the first indication information from the access network device indicating the first user plane security activation state, the processing unit 803 may determine the security activation state between the first terminal device and the second terminal device according to the first user plane security activation state with the access network device.

In one possible implementation, if integrity protection is required in the first user plane security activation state, then when configuring the security activation state between the first and second terminal devices according to the first user plane security activation state, the processing unit 803 may decide whether to turn on integrity protection between the first and second terminal devices according to the second terminal device's maximum data rate for integrity protection or QoS control information.

In one possible implementation, if integrity protection is not needed in the first user plane security activation state, the sending unit 801 may send a direct communication reject message to the second terminal device when the second terminal device's user plane security policy indicates that integrity protection is required.

In one possible implementation, the receiving unit 802 may also receive second indication information sent by the access network device, indicating the second user plane security activation state of the session between the first terminal device and the access network device;

the processing unit 803 may update the first user plane security activation state to the second user plane security activation state according to the second indication information.

In one possible implementation, after the receiving unit 802 receives the second indication information from the access network device, the processing unit 803 may update the security activation state between the first and second terminal devices according to the second user plane security activation state.

In one possible implementation, integrity protection is required in the second user plane security activation state, and when updating the security activation state between the first and second terminal devices according to the second user plane security activation state, the processing unit 803 may decide whether to turn on integrity protection between the first and second terminal devices according to the third terminal device's maximum data rate for integrity protection or QoS control information.
Based on the same inventive concept as the method embodiments, an embodiment of this application also provides a communication apparatus for performing the method performed by the mobility and access management network element or AMF network element in the method embodiments above; for the related features see those embodiments, which are not repeated here. As shown in Figure 9, the apparatus includes a receiving unit 901 and a sending unit 902:

the receiving unit 901 is configured to receive a second request sent by the first terminal device, the second request including second information and requesting creation of a relay-type session of the first terminal device, the second information indicating that the type of the session is the relay type;

the sending unit 902 is configured to send, according to the second request, a first request to the session management network element, the first request including first information indicating that the type of the session is the relay type and requesting creation of a relay-type session of the first terminal device.

In one possible implementation, the second information is the same as the first information, and the first request and the second request include an N1 SM container that includes the second information.

In one possible implementation, the second request includes the second information and an N1 SM container; the first request includes the first information and the N1 SM container.

In one possible implementation, the apparatus includes a processing unit 903, which may determine from the second information that the first terminal device is authorized to establish the session. The sending unit 902 sends the first request to the session management network element after the processing unit 903 has made that determination.

In one possible implementation, the second information is a temporary identifier or an anonymized identifier of the second terminal device, and the first information is the second terminal device's SUPI.

In one possible implementation, the second information includes one or more of the following:

the second terminal device's temporary identifier, the second terminal device's anonymized identifier, or the second terminal device's SUPI.

In one possible implementation, before the sending unit 902 sends the first request to the session management network element according to the second request, the processing unit 903 may determine from the second information that the first terminal device is authorized to establish the session for the second terminal device.
Based on the same inventive concept as the method embodiments, an embodiment of this application also provides a communication apparatus for performing the method performed by the unified data management network element or UDM network element in the method embodiments above; for the related features see those embodiments, which are not repeated here. As shown in Figure 10, the apparatus includes a receiving unit 1001, a processing unit 1002 and a sending unit 1003:

the receiving unit 1001 is configured to receive a first subscription information acquisition request from the session management network element, requesting the first terminal device's subscribed user plane security policy and including first information indicating that the type of the session is the relay type;

the processing unit 1002 is configured to determine the first user plane security policy according to the first information;

the sending unit 1003 is configured to send a first subscription information acquisition response to the session management network element, including the first user plane security policy.

In one possible implementation, when determining the first user plane security policy according to the first information, the processing unit 1002 may determine it according to the first information and the first terminal device's subscribed user plane security policy, which indicates the user plane security policy of the first terminal device's relay-type and non-relay-type sessions.

In one possible implementation, the first information is an identifier of the second terminal device, and when determining the first user plane security policy according to the first information, the processing unit 1002 determines it from the second terminal device's subscribed user plane security policy according to that identifier.

In one possible implementation, the receiving unit 1001 may receive a second subscription information acquisition request from the session management network element, including a third terminal device's identifier.

The processing unit 1002 may determine the second user plane security policy according to the third terminal device's identifier.

The sending unit 1003 may send a second subscription information acquisition response to the session management network element, including the second user plane security policy.

In one possible implementation, the third terminal device's identifier includes one or more of the following:

the third terminal device's temporary identifier, the third terminal device's anonymized identifier, or the third terminal device's subscription permanent identifier SUPI.

Based on the same inventive concept as the method embodiments, an embodiment of this application also provides a communication apparatus for performing the method performed by the unified data management network element or UDM network element in the method embodiments above; for the related features see those embodiments, which are not repeated here. As shown in Figure 11, the apparatus includes a receiving unit 1101 and a sending unit 1102:

the receiving unit 1101 is configured to receive a first subscription information acquisition request from the session management network element, requesting the first terminal device's subscribed user plane security policy, which indicates the user plane security policy of the first terminal device's relay-type sessions and that of its non-relay-type sessions;

the sending unit 1102 is configured to send a first subscription information acquisition response to the session management network element, including the first terminal device's subscribed user plane security policy.

In one possible implementation, the apparatus further includes a processing unit 1103:

the receiving unit 1101 may receive a second subscription information acquisition request from the session management network element including a third terminal device's identifier, and the processing unit 1103 may determine the second user plane security policy according to that identifier;

the sending unit 1102 may send a second subscription information acquisition response to the session management network element, including the second user plane security policy.
The division into units in the embodiments of this application is illustrative and is only a division by logical function; other divisions are possible in an actual implementation. The functional units in the embodiments may be integrated into one processor, exist separately in physical form, or have two or more units integrated into one module. An integrated unit may be implemented in hardware or as a software functional module.

If an integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On that understanding, the technical solution of this application, or the part of it that contributes over the prior art, or all or part of it, may be embodied as a software product stored in a storage medium and including instructions that cause a terminal device (which may be a personal computer, a mobile phone, a network device, etc.) or a processor to perform all or part of the steps of the methods of the embodiments. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.

In the embodiments of this application, the unified data management network element, the session management network element, the mobility and access management network element and the first terminal device may each be presented in the form of functional modules divided in an integrated manner. A "module" here may refer to a specific ASIC, a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or other devices that can provide the functions above.

In a simple embodiment, a person skilled in the art will appreciate that the unified data management network element, the session management network element and the mobility and access management network element may all take the form shown in Figure 12.

The communication apparatus 1200 shown in Figure 12 includes at least one processor 1201 and a memory 1202, and optionally a communication interface 1203.

The memory 1202 may be volatile memory such as random access memory, or non-volatile memory such as read-only memory, flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these. The memory 1202 may also be a combination of the above.

The embodiments of this application do not limit the specific connection medium between the processor 1201 and the memory 1202. In the figure they are connected by a bus 1204, drawn as a thick line; the connections between other components are only illustrative and not limiting. The bus 1204 may be divided into an address bus, a data bus, a control bus and so on; for ease of representation only one thick line is drawn in Figure 12, which does not mean there is only one bus or one type of bus.

The processor 1201 may have a data transceiving function and communicate with other devices. In the apparatus of Figure 12 an independent data transceiving module, for example the communication interface 1203, may also be provided for sending and receiving data, and the processor 1201 may transmit data through it when communicating with other devices.

When the session management network element takes the form of Figure 12, the processor 1201 may, by invoking the computer-executable instructions stored in the memory 1202, cause the session management network element to perform the method performed by the session management network element or SMF network element in any of the method embodiments above.

Specifically, the functions/implementation of the sending unit, receiving unit and processing unit of Figure 7 may all be realised by the processor 1201 of Figure 12 invoking the computer-executable instructions stored in the memory 1202. Alternatively, the processing unit of Figure 7 may be realised by the processor 1201 invoking those instructions, while the sending and receiving units of Figure 7 are realised by the communication interface 1203 of Figure 12.

When the mobility and access management network element takes the form of Figure 12, the processor 1201 may, by invoking the computer-executable instructions stored in the memory 1202, cause it to perform the method performed by the mobility and access management network element or AMF network element in any of the method embodiments above.

Specifically, the functions/implementation of the receiving unit, sending unit and processing unit of Figure 9 may all be realised by the processor 1201 of Figure 12 invoking the computer-executable instructions stored in the memory 1202. Alternatively, the processing unit of Figure 9 may be realised by the processor 1201 invoking those instructions, while the receiving and sending units of Figure 9 are realised by the communication interface 1203 of Figure 12.

When the unified data management network element takes the form of Figure 12, the processor 1201 may, by invoking the computer-executable instructions stored in the memory 1202, cause it to perform the method performed by the unified data management network element or UDM network element in any of the method embodiments above.

Specifically, the functions/implementation of the sending unit, receiving unit and processing unit of Figure 10 or 11 may all be realised by the processor 1201 of Figure 12 invoking the computer-executable instructions stored in the memory 1202. Alternatively, the processing unit of Figure 10 or 11 may be realised by the processor 1201 invoking those instructions, while the sending and receiving units of Figure 10 or 11 are realised by the communication interface 1203 of Figure 12.

In a simple embodiment, a person skilled in the art will appreciate that the first terminal device may take the form shown in Figure 13.

The communication apparatus 1300 shown in Figure 13 includes at least one processor 1301 and a memory 1302, and optionally a transceiver 1303.

The processor 1301 and memory 1302 are similar to the processor 1201 and memory 1202; see the description above, which is not repeated here.

The embodiments of this application do not limit the specific connection medium between the processor 1301 and the memory 1302. In the figure they are connected by a bus 1304, drawn as a thick line; the connections between other components are only illustrative and not limiting. The bus 1304 may be divided into an address bus, a data bus, a control bus and so on; for ease of representation only one thick line is drawn in Figure 13, which does not mean there is only one bus or one type of bus.

The processor 1301 may have a data transceiving function and communicate with other devices. In the apparatus of Figure 13 an independent data transceiving module, for example the transceiver 1303, may also be provided for sending and receiving data, and the processor 1301 may transmit data through it when communicating with other devices.

When the first terminal device takes the form of Figure 13, the processor 1301 may, by invoking the computer-executable instructions stored in the memory 1302, cause the first terminal device to perform the method performed by the first terminal device or relay UE in any of the method embodiments above.

Specifically, the functions/implementation of the sending unit, receiving unit and processing unit of Figure 8 may all be realised by the processor 1301 of Figure 13 invoking the computer-executable instructions stored in the memory 1302. Alternatively, the processing unit of Figure 8 may be realised by the processor 1301 invoking those instructions, while the sending and receiving units of Figure 8 are realised by the transceiver 1303 of Figure 13.

A person skilled in the art will understand that the embodiments of this application may be provided as a method, a system or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

This application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to this application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of them, may be implemented by computer program instructions. These instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by that processor produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in that memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on it to produce computer-implemented processing, and the instructions executed on it provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

Obviously, a person skilled in the art can make various changes and modifications to this application without departing from its spirit and scope. If such modifications and variations fall within the scope of the claims of this application and their equivalents, this application is intended to include them too.

Claims (68)

  1. A method for determining user plane security enforcement information, characterized in that the method comprises:
    receiving, by a session management network element, a first request, the first request being used to request creation of a relay-type session of a first terminal device and including first information, the first information being used to indicate that the type of the session is a relay type;
    determining, by the session management network element, first user plane security enforcement information of the session according to the first information;
    sending, by the session management network element, the first user plane security enforcement information of the session to an access network device, the first user plane security enforcement information of the session being used to determine a first user plane security activation state of the session between the first terminal device and the access network device.
  2. The method of claim 1, characterized in that the first request includes an N1 SM container, the N1 SM container including the first information; or
    the first request includes the first information and an N1 SM container.
  3. The method of claim 1 or 2, characterized in that the determining, by the session management network element, first user plane security enforcement information of the session according to the first information comprises:
    obtaining, by the session management network element, a first user plane security policy according to the first information;
    determining, by the session management network element, the first user plane security enforcement information of the session according to the first user plane security policy.
  4. The method of claim 3, characterized in that the obtaining, by the session management network element, a first user plane security policy according to the first information comprises:
    sending, by the session management network element, a first subscription information acquisition request to a unified data management network element;
    receiving, by the session management network element, a first subscription information acquisition response from the unified data management network element, the first subscription information acquisition response including the user plane security policy subscribed by the first terminal device; the user plane security policy subscribed by the first terminal device including the user plane security policy of relay-type sessions of the first terminal device and the user plane security policy of non-relay-type sessions;
    determining, by the session management network element according to the first information, the user plane security policy of relay-type sessions of the first terminal device as the first user plane security policy.
  5. The method of claim 3, characterized in that the obtaining, by the session management network element, a first user plane security policy according to the first information comprises:
    sending, by the session management network element, a first subscription information acquisition request to a unified data management network element; the first subscription information acquisition request including a relay indication; the relay indication being used to request the user plane security policy of relay-type sessions of the first terminal device;
    receiving, by the session management network element, a first subscription information acquisition response from the unified data management network element, the first subscription information acquisition response including the user plane security policy subscribed by the first terminal device; the user plane security policy subscribed by the first terminal device including the first user plane security policy.
  6. The method of claim 4 or 5, characterized in that the first information may be a temporary identifier or an anonymized identifier of a second terminal device, and the first subscription information acquisition response includes any one of the following:
    the first user plane security policy, the user plane security policy of relay-type sessions of the first terminal device, or the user plane security policy subscribed by the second terminal device.
  7. The method of claim 3, characterized in that the determining, by the session management network element, first user plane security enforcement information of the session according to the first information comprises:
    sending, by the session management network element, a first subscription information acquisition request to a unified data management network element, the first subscription information acquisition request including the first information;
    receiving, by the session management network element, a first subscription information acquisition response from the unified data management network element, the first subscription information acquisition response including a first user plane security policy.
  8. The method of any one of claims 1 to 7, characterized in that the first information is an identifier of the second terminal device, the identifier of the second terminal device including one or more of the following:
    a temporary identifier of the second terminal device, an anonymized identifier of the second terminal device, or a subscription permanent identifier SUPI of the second terminal device.
  9. The method of any one of claims 3 to 8, characterized in that the first user plane security policy indicates that integrity protection is preferred, and the determining, by the session management network element, the first user plane security enforcement information of the session according to the first user plane security policy comprises:
    after determining that the maximum data rate for integrity protection of the first terminal device is less than the data rate required by the session, determining, by the session management network element, that integrity protection of the session in the first user plane security enforcement information is not needed.
  10. The method of any one of claims 3 to 8, characterized in that the first user plane security policy indicates that integrity protection is required, and the determining, by the session management network element, the first user plane security enforcement information of the session according to the first user plane security policy comprises:
    after determining that the maximum data rate for integrity protection of the first terminal device is less than the data rate required by the session, sending, by the session management network element, a session establishment reject response to the first terminal device, the session establishment reject response being used to indicate that establishment of the session is rejected.
  11. The method of any one of claims 1 to 10, characterized in that the method further comprises:
    receiving, by the session management network element, a third request, the third request being used to indicate that a third terminal device uses the session and including an identifier of the third terminal device;
    determining, by the session management network element, second user plane security enforcement information of the session according to the identifier of the third terminal device;
    sending, by the session management network element, the second user plane security enforcement information of the session to the access network device, the second user plane security enforcement information of the session being used to determine a second user plane security activation state of the session between the first terminal device and the access network device.
  12. The method of claim 11, characterized in that the determining, by the session management network element, second user plane security enforcement information of the session according to the identifier of the third terminal device comprises:
    determining, by the session management network element, a second user plane security policy according to the identifier of the third terminal device;
    determining, by the session management network element, the second user plane security enforcement information of the session according to the second user plane security policy.
  13. The method of claim 11 or 12, characterized in that before the session management network element sends the second user plane security enforcement information of the session to the access network device, the method further comprises:
    determining, by the session management network element, that the first user plane security enforcement information of the session and the second user plane security enforcement information of the session are different.
  14. The method of any one of claims 11 to 13, characterized in that the identifier of the third terminal device includes some or all of the following:
    a temporary identifier of the third terminal device, an anonymized identifier of the third terminal device, or a SUPI of the third terminal device.
  15. The method of any one of claims 12 to 14, characterized in that the determining, by the session management network element, the second user plane security enforcement information of the session according to the second user plane security policy comprises:
    determining, by the session management network element, the second user plane security enforcement information of the session according to the second user plane security policy and the first user plane security enforcement information of the session; or
    determining, by the session management network element, the second user plane security enforcement information of the session according to the second user plane security policy and the first user plane security policy; or
    determining, by the session management network element, the second user plane security enforcement information of the session according to the second user plane security policy.
  16. The method of any one of claims 12 to 15, characterized in that the determining, by the session management network element, a second user plane security policy according to the identifier of the third terminal device comprises:
    sending, by the session management network element, a second subscription information acquisition request to the unified data management network element, the second subscription information acquisition request including the identifier of the third terminal device;
    receiving, by the session management network element, a second subscription information acquisition response from the unified data management network element, the second subscription information acquisition response including the second user plane security policy; or
    determining, by the session management network element, the second user plane security policy from the user plane security policy subscribed by the first terminal device according to the identifier of the third terminal device.
  17. The method of any one of claims 12 to 15, characterized in that the determining, by the session management network element, a second user plane security policy according to the identifier of the third terminal device comprises:
    sending, by the session management network element, a second subscription information acquisition request to the unified data management network element, the second subscription information acquisition request including the identifier of the third terminal device;
    receiving, by the session management network element, a second subscription information acquisition response from the unified data management network element, the second subscription information acquisition response including the user plane security policy of relay-type sessions of the first terminal device;
    determining, by the session management network element, the second user plane security policy according to the user plane security policy of relay-type sessions of the first terminal device.
  18. The method of any one of claims 12 to 15, characterized in that the determining, by the session management network element, a second user plane security policy according to the identifier of the third terminal device comprises:
    sending, by the session management network element, a second subscription information acquisition request to the unified data management network element, the second subscription information acquisition request including the identifier of the third terminal device;
    receiving, by the session management network element, the second subscription information acquisition response from the unified data management network element, the second subscription information acquisition response including the user plane security policy subscribed by the third terminal device;
    determining, by the session management network element, the second user plane security policy according to the user plane security policy subscribed by the third terminal device.
  19. The method of any one of claims 12 to 18, characterized in that the second user plane security policy indicates that integrity protection of the session is preferred, and the determining, by the session management network element, the second user plane security enforcement information of the session according to the second user plane security policy comprises:
    after determining that the maximum data rate for integrity protection of the first terminal device is less than the data rate required by the session, determining, by the session management network element, that integrity protection of the session in the second user plane security enforcement information is not needed.
  20. A method for determining user plane security enforcement information, characterized in that the method comprises:
    sending a second request to a mobility and access management network element, the second request being used to request creation of a relay-type session and including second information, the second information indicating that the type of the session is a relay type;
    receiving first indication information from an access network device, the first indication information being used to indicate a first user plane security activation state of the session between a first terminal device and the access network device.
  21. The method of claim 20, characterized in that before the sending a second request to a mobility and access management network element, the method further comprises:
    receiving a first direct communication request sent by a second terminal device, the first direct communication request being used to establish communication with the first terminal device.
  22. The method of claim 20 or 21, characterized in that the second request includes an N1 SM container, the N1 SM container including the second information; or the second request includes the second information and an N1 SM container.
  23. The method of any one of claims 20 to 22, characterized in that the session is used to transmit data of the second terminal device, and the second information includes one or more of the following:
    a temporary identifier of the second terminal device, an anonymized identifier of the second terminal device, or a subscription permanent identifier SUPI of the second terminal device.
  24. The method of any one of claims 20 to 23, characterized in that the method comprises:
    receiving a second direct communication request sent by a third terminal device, the second direct communication request being used to establish communication with the first terminal device;
    determining, according to the second direct communication request, that the third terminal device uses the session;
    sending a third request to the mobility and access management network element, the third request being used to indicate that the third terminal device uses the session and including an identifier of the third terminal device.
  25. The method of claim 24, characterized in that the identifier of the third terminal device includes one or more of the following:
    a temporary identifier of the third terminal device, an anonymized identifier of the third terminal device, or a subscription permanent identifier SUPI of the third terminal device.
  26. The method of any one of claims 20 to 25, characterized in that after the receiving first indication information from an access network device, the method further comprises:
    determining a security activation state between the first terminal device and the second terminal device according to the first user plane security activation state.
  27. The method of claim 26, characterized in that integrity protection in the first user plane security activation state is required, and the determining a security activation state between the first terminal device and the second terminal device according to the first user plane security activation state comprises:
    determining whether to turn on integrity protection between the first terminal device and the second terminal device according to a maximum data rate for integrity protection of the second terminal device or QoS control information.
  28. The method of any one of claims 20 to 27, characterized in that integrity protection in the first user plane security activation state is not needed, and the method further comprises:
    when it is determined that the user plane security policy of the second terminal device indicates that integrity protection is required, sending a direct communication reject message to the second terminal device.
  29. The method of any one of claims 20 to 28, characterized in that the method further comprises:
    receiving second indication information sent by the access network device, the second indication information being used to indicate a second user plane security activation state of the session between the first terminal device and the access network device;
    updating the first user plane security activation state to the second user plane security activation state according to the second indication information.
  30. The method of claim 29, characterized in that after the receiving second indication information sent by the access network device, the method further comprises:
    updating the user plane security activation state between the first terminal device and the second terminal device according to the second user plane security activation state.
  31. The method of claim 29 or 30, characterized in that integrity protection in the second user plane security activation state is required, and the determining the security activation state between the first terminal device and the second terminal device according to the first user plane security activation state comprises:
    determining whether to turn on integrity protection between the first terminal device and the second terminal device according to a maximum data rate for integrity protection of a third terminal device or quality of service QoS control information.
  32. A method for determining user plane security enforcement information, characterized in that the method comprises:
    receiving, by a mobility and access management network element, a second request sent by a first terminal device, the second request including second information and being used to request creation of a relay-type session of the first terminal device, the second information being used to indicate that the type of the session is a relay type;
    sending, by the mobility and access management network element according to the second request, a first request to the session management network element, the first request including the first information, the first information being used to indicate that the type of the session is the relay type, the first request being used to request creation of the relay-type session of the first terminal device.
  33. The method of claim 32, characterized in that the second information is the same as the first information, and the first request and the second request include an N1 SM container, the N1 SM container including the second information.
  34. The method of claim 32, characterized in that the second request includes the second information and an N1 SM container; and the first request includes the first information and the N1 SM container.
  35. The method of any one of claims 32 to 34, characterized in that the sending, by the mobility and access management network element according to the second information, a first request to the session management network element comprises:
    after determining according to the second information that the first terminal device is authorized to establish the session, sending, by the mobility and access management network element, the first request to the session management network element.
  36. The method of any one of claims 32 to 35, characterized in that the second information includes one or more of the following:
    a temporary identifier of the second terminal device, an anonymized identifier of the second terminal device, and a subscription permanent identifier SUPI of the second terminal device.
  37. The method of any one of claims 32 to 36, characterized in that before the mobility and access management network element sends the first request to the session management network element according to the second request, the method further comprises:
    determining, by the mobility and access management network element according to the second information, that the first terminal device is authorized to establish the session for the second terminal device.
  38. A method for determining user plane security enforcement information, characterized in that the method comprises:
    providing, by a unified data management network element, a first user plane security policy to a session management network element.
  39. The method of claim 38, characterized in that the providing, by a unified data management network element, a first user plane security policy to a session management network element comprises:
    receiving, by the unified data management network element, a first subscription information acquisition request from the session management network element, the first subscription information acquisition request including first information, the first information being used to indicate that the type of a session is a relay type;
    determining, by the unified data management network element, the first user plane security policy according to the first information;
    sending, by the unified data management network element, a first subscription information acquisition response to the session management network element, the first subscription information acquisition response including the first user plane security policy.
  40. The method of claim 38, characterized in that the providing, by a unified data management network element, a first user plane security policy to a session management network element comprises:
    receiving, by the unified data management network element, a first subscription information acquisition request from the session management network element, the first subscription information acquisition request being used to request the user plane security policy subscribed by the first terminal device, the user plane security policy subscribed by the first terminal device indicating the user plane security policy of relay-type sessions of the first terminal device and the user plane security policy of non-relay-type sessions;
    sending, by the unified data management network element, a first subscription information acquisition response to the session management network element, the first subscription information acquisition response including the user plane security policy subscribed by the first terminal device, the user plane security policy subscribed by the first terminal device including the first user plane security policy.
  41. The method of claim 39, characterized in that the determining, by the unified data management network element, the first user plane security policy according to the first information comprises:
    determining, by the unified data management network element, the first user plane security policy according to the first information and the user plane security policy subscribed by the first terminal device, the user plane security policy subscribed by the first terminal device indicating the user plane security policy of relay-type and non-relay-type sessions of the first terminal device.
  42. The method of claim 39 or 41, characterized in that the first information is an identifier of a second terminal device, and the determining, by the unified data management network element, the first user plane security policy according to the first information comprises:
    determining, by the unified data management network element according to the identifier of the second terminal device, the first user plane security policy from the user plane security policy subscribed by the second terminal device.
  43. The method of any one of claims 38 to 42, characterized in that the method further comprises:
    receiving, by the unified data management network element, a second subscription information acquisition request from the session management network element, the second subscription information acquisition request including an identifier of a third terminal device;
    determining, by the unified data management network element, a second user plane security policy according to the identifier of the third terminal device; and sending a second subscription information acquisition response to the session management network element, the second subscription information acquisition response including the second user plane security policy.
  44. A communication system, characterized in that the communication system comprises a session management network element and a unified data management network element;
    the session management network element is configured to send a first subscription information acquisition request to the unified data management network element; the first subscription information acquisition request including a relay indication, the relay indication being used to request the user plane security policy of relay-type sessions of the first terminal device;
    the unified data management network element is configured to receive the first subscription information acquisition request, determine the first user plane security policy from the user plane security policy subscribed by the first terminal device according to the first information, the user plane security policy subscribed by the first terminal device including the user plane security policy of relay-type and non-relay-type sessions of the first terminal device; and send a first subscription information acquisition response to the session management network element, the first subscription information acquisition response including the first user plane security policy;
    the session management network element is further configured to receive the first subscription information acquisition response.
  45. The system of claim 44, characterized in that the system further comprises a mobility and access management network element:
    the mobility and access management network element is configured to send a first request to the session management network element, the first request being used to request establishment of a relay-type session for the first terminal device and including first information, the first information being used to indicate that the type of the session is the relay type;
    the session management network element is configured to receive the first request, the relay indication being the first information or being determined according to the first information.
  46. The system of claim 44, characterized in that the session is used to transmit data of the second terminal device, the first information is an identifier of the second terminal device, and the identifier of the second terminal device includes one or more of the following:
    a temporary identifier of the second terminal device, an anonymized identifier of the second terminal device, or a subscription permanent identifier SUPI of the second terminal device.
  47. The system of any one of claims 44 to 46, characterized in that the system further comprises an access network device,
    the session management network element is further configured to, after determining the first user plane security enforcement information of the session according to the first user plane security policy, send the first user plane security enforcement information of the session to the access network device;
    the access network device is configured to receive the first user plane security enforcement information of the session and activate, according to it, the first user plane security activation state of the session between the first terminal device and the access network device.
  48. The system of claim 47, characterized in that the system further comprises the first terminal device;
    the access network device is further configured to send a first indication message to the first terminal device, the first indication message being used to indicate the first user plane security activation state of the session between the first terminal device and the access network device;
    the first terminal device is configured to receive the first indication message, configure the first user plane security activation state according to the first indication information, and configure the security activation state between the first terminal device and the second terminal device according to the first user plane security activation state.
  49. The system of any one of claims 44 to 48, characterized in that
    the first terminal device is further configured to, after determining that a third terminal device uses the session, send a second request to the session management network element, the second request indicating that the third terminal device uses the session and including an identifier of the third terminal device;
    the session management network element is further configured to obtain the second user plane security policy according to the identifier of the third terminal device, and, after determining the second user plane security enforcement information of the session according to the second user plane security policy, send the second user plane security enforcement information of the session to the access network device;
    the access network device is further configured to receive the second user plane security enforcement information of the session and update the first user plane security activation state to a second user plane security activation state according to it.
  50. The system of claim 49, characterized in that the identifier of the third terminal device includes some or all of the following:
    a temporary identifier of the third terminal device, an anonymized identifier of the third terminal device, or a SUPI of the third terminal device.
  51. The system of claim 49 or 50, characterized in that
    the access network device is further configured to send a second indication message to the first terminal device, the second indication message being used to indicate the second user plane security activation state of the session between the first terminal device and the access network device;
    the first terminal device is configured to receive the second indication message, update the first user plane security activation state with the access network device according to the second indication information, and update the security activation state between the first terminal device and the second terminal device according to the second user plane security activation state.
  52. The system of any one of claims 44 to 51, characterized in that the first user plane security policy indicates that integrity protection is preferred, and when determining the first user plane security enforcement information of the session according to the first user plane security policy, the session management network element is specifically configured to:
    after determining that the maximum data rate for integrity protection of the first terminal device is less than the data rate required by the session, determine that integrity protection of the session is turned off.
  53. The system of any one of claims 44 to 52, characterized in that if the first user plane security policy indicates that integrity protection is required, the session management network element is further configured to:
    after determining that the maximum data rate for integrity protection of the first terminal device is lower than the data rate required by the session, send a session establishment reject response to the first terminal device, the session establishment reject response being used to indicate that establishment of the session is rejected.
  54. The system of any one of claims 47 to 53, characterized in that when determining the second user plane security enforcement information of the session according to the second user plane security policy, the session management network element is specifically configured to:
    determine the second user plane security enforcement information of the session according to the second user plane security policy and the first user plane security enforcement information of the session; or
    determine the second user plane security enforcement information of the session according to the second user plane security policy and the first user plane security policy.
  55. The system of any one of claims 47 to 53, characterized in that when obtaining the second user plane security policy according to the identifier of the third terminal device, the session management network element is specifically configured to:
    send a second subscription information acquisition request to the unified data management network element, the second subscription information acquisition request including the identifier of the third terminal device;
    the unified data management network element is configured to receive the second subscription information acquisition request, determine the second user plane security policy according to the identifier of the third terminal device, and send the second user plane security policy to the session management network element;
    the session management network element is further configured to receive the second user plane security policy from the unified data management network element.
  56. The system of any one of claims 47 to 54, characterized in that before sending the second user plane security enforcement information of the session to the access network device, the session management network element is further configured to:
    determine that the first user plane security enforcement information of the session and the second user plane security enforcement information of the session are different.
  57. The system of any one of claims 47 to 56, characterized in that the second user plane security policy indicates that integrity protection of the session is preferred, and when determining the second user plane security enforcement information of the session according to the second user plane security policy, the session management network element is specifically configured to:
    after determining that the maximum data rate for integrity protection of the first terminal device is less than the data rate required by the session, determine that integrity protection of the session is turned off.
  58. A communication apparatus, characterized in that it is configured to implement the method of any one of claims 1 to 19.
  59. A communication apparatus, characterized in that it is configured to implement the method of any one of claims 20 to 31.
  60. A communication apparatus, characterized in that it is configured to implement the method of any one of claims 32 to 37.
  61. A communication apparatus, characterized in that it is configured to implement the method of any one of claims 38 to 43.
  62. A communication apparatus, characterized in that it comprises a processor and a memory, the memory storing instructions which, when executed by the processor, cause the apparatus to perform the method of any one of claims 1 to 19.
  63. A communication apparatus, characterized in that it comprises a processor and a memory, the memory storing instructions which, when executed by the processor, cause the apparatus to perform the method of any one of claims 20 to 31.
  64. A communication apparatus, characterized in that it comprises a processor and a memory, the memory storing instructions which, when executed by the processor, cause the apparatus to perform the method of any one of claims 32 to 37.
  65. A communication apparatus, characterized in that it comprises a processor and a memory, the memory storing instructions which, when executed by the processor, cause the apparatus to perform the method of any one of claims 38 to 43.
  66. A computer-readable storage medium, characterized in that it stores instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 43.
  67. A computer program product, characterized in that when it runs on a computer, it causes the computer to perform the method of any one of claims 1 to 43.
  68. A computer chip, characterized in that the chip is connected to a memory and is configured to read and execute a software program stored in the memory to perform the method of any one of claims 1 to 43.
PCT/CN2021/095434 2020-05-30 2021-05-24 Method, apparatus and system for determining user plane security enforcement information WO2021244342A1 (zh)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP21816870.6A EP4161116A4 (en) 2020-05-30 2021-05-24 METHOD, APPARATUS AND SYSTEM FOR DETERMINING SECURITY EXECUTION INFORMATION AT THE USER LEVEL
KR1020227046268A KR20230017311A (ko) 2020-05-30 2021-05-24 Method, apparatus and system for determining user plane security enforcement information
US18/071,314 US20230090543A1 (en) 2020-05-30 2022-11-29 User Plane Security Enforcement Information Determining Method, Apparatus, and System

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010480965.0 2020-05-30
CN202010480965.0A CN113810902A (zh) 2020-05-30 2020-05-30 Method, apparatus and system for determining user plane security enforcement information

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US18/071,314 Continuation US20230090543A1 (en) 2020-05-30 2022-11-29 User Plane Security Enforcement Information Determining Method, Apparatus, and System

Publications (1)

Publication Number Publication Date
WO2021244342A1 true WO2021244342A1 (zh) 2021-12-09

Family

ID=78830646

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/095434 WO2021244342A1 (zh) 2020-05-30 2021-05-24 Method, apparatus and system for determining user plane security enforcement information

Country Status (5)

Country Link
US (1) US20230090543A1 (zh)
EP (1) EP4161116A4 (zh)
KR (1) KR20230017311A (zh)
CN (1) CN113810902A (zh)
WO (1) WO2021244342A1 (zh)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114286339A (zh) * 2021-12-21 2022-04-05 China Telecom Corporation Limited Method and system for determining a security policy

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101152782B1 (ko) * 2007-08-16 2012-06-12 Samsung Electronics Co., Ltd. Communication relay method and apparatus, and communication relay control method and apparatus
CN104620537A (zh) * 2012-09-11 2015-05-13 전인영 Secure mobile communication repeater with firewall function

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110447252A (zh) * 2017-03-17 2019-11-12 Telefonaktiebolaget LM Ericsson (publ) Security solution for turning on and off UP data security between UE and RAN in 5G
US20190082325A1 (en) * 2017-09-08 2019-03-14 Futurewei Technologies, Inc. Method and Device for Negotiating Security and Integrity Algorithms
CN110830991A (zh) * 2018-08-10 2020-02-21 Huawei Technologies Co., Ltd. Secure session method and apparatus
CN110913389A (zh) * 2018-09-15 2020-03-24 Huawei Technologies Co., Ltd. Method and apparatus for obtaining a security context

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
SAMSUNG: "Solution to support UE-to-Network Relay", 3GPP SA WG2 MEETING #136 S2-1911343, 22 November 2019 (2019-11-22), XP051821435 *
See also references of EP4161116A4 *

Also Published As

Publication number Publication date
EP4161116A4 (en) 2023-11-29
CN113810902A (zh) 2021-12-17
US20230090543A1 (en) 2023-03-23
KR20230017311A (ko) 2023-02-03
EP4161116A1 (en) 2023-04-05
Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 21816870; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase
    Ref document number: 20227046268; Country of ref document: KR; Kind code of ref document: A
NENP Non-entry into the national phase
    Ref country code: DE
ENP Entry into the national phase
    Ref document number: 2021816870; Country of ref document: EP; Effective date: 20221228