WO2022027529A1 - Method and apparatus for slice authentication - Google Patents

Method and apparatus for slice authentication

Info

Publication number
WO2022027529A1
Authority
WO
WIPO (PCT)
Prior art keywords
slice
authentication
network
network element
slice identifier
Application number
PCT/CN2020/107588
Other languages
English (en)
Chinese (zh)
Inventor
吴义壮
李�赫
雷骜
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2020/107588
Publication of WO2022027529A1

Classifications

    • H: Electricity
      • H04: Electric communication technique
        • H04W: Wireless communication networks
          • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
            • H04W 12/06: Authentication
            • H04W 12/08: Access security

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a method and apparatus for slice authentication.
  • a network slice can consist of a set of logical network functions that support specific communication services.
  • the network can initiate the authentication and authorization process of the network slice as required to determine whether to authorize the terminal to access the network slice.
  • the network slice-specific authentication and authorization function (NSSAAF) network element in the operator network sends the authentication request to the authentication, authorization, and accounting server (AAA-S); that request includes single network slice selection assistance information (S-NSSAI).
  • the AAA-S can be deployed by a third party.
  • because the operator's core network element NSSAAF sends the S-NSSAI directly to the AAA-S, operator-internal information such as the S-NSSAI is obtained by a third party, which may expose the privacy of the network slice.
  • the present application provides a method and apparatus for slice authentication that complete the authentication and authorization of a network slice using an alternative identifier in place of the S-NSSAI, so that the privacy of the network slice is not exposed.
  • in a first aspect, the present application provides a method for slice authentication, which may include: the access and mobility management network element sends an authentication request message to a terminal, where the authentication request message includes a first internal slice identifier that identifies, within the operator network, the network slice requiring authentication and authorization; the access and mobility management network element receives a first authentication response from the terminal, where the first authentication response includes slice authentication information and the first internal slice identifier; the access and mobility management network element maps the first internal slice identifier to a first external slice identifier and then sends the slice authentication information and the first external slice identifier to the slice authentication network element, where the first external slice identifier identifies, outside the operator network, the network slice requiring authentication and authorization.
  • in this way, the external slice identifier, which identifies the network slice requiring authentication and authorization outside the operator network, is used to complete network slice authentication and authorization instead of the internal slice identifier, which identifies that network slice inside the operator network. This prevents third parties from obtaining internal slice identifiers and therefore prevents the privacy of network slices from being exposed.
  • the access and mobility management network element acquires configuration data of the terminal, where the configuration data includes a correspondence between the first internal slice identifier and the first external slice identifier; the access and mobility management network element then maps the first internal slice identifier to the first external slice identifier by determining the first external slice identifier from the first internal slice identifier and the correspondence.
  • in this way, the access and mobility management network element obtains the correspondence between the first internal slice identifier and the first external slice identifier directly from the configuration data of the terminal, and can subsequently map between the two identifiers.
  • the configuration data further includes first indication information, which indicates that the network slice identified by the first internal slice identifier requires authentication and authorization.
  • the access and mobility management network element can determine, according to the first indication information, network slices that require authentication and authorization.
  • the configuration data is subscription data of the terminal.
  • the access and mobility management network element may obtain the configuration data from a unified data management (Unified Data Management, UDM) network element.
  • UDM Unified Data Management
  • the access and mobility management network element obtains the subscription data of the terminal; according to the subscription data of the terminal, it is determined that the network slice corresponding to the first internal slice identifier requires authentication and authorization;
  • the access and mobility management network element sends an external slice identifier query request to the first network element, and the external slice identifier query request includes the first internal slice identifier;
  • the access and mobility management network element receives the first external slice identifier from the first network element;
  • the access and mobility management network element saves the correspondence between the first internal slice identifier and the first external slice identifier.
  • in this way, the access and mobility management network element can query the first external slice identifier from the first network element and save the correspondence between the first internal slice identifier and the first external slice identifier, so that it can subsequently map between the two identifiers.
  • the slice authentication information is an extensible authentication protocol (extensible authentication protocol, EAP) identifier (identifier, ID).
  • EAP extensible authentication protocol
  • the access and mobility management network element receives a second authentication response from the slice authentication network element, where the second authentication response includes the first external slice identifier; the access and mobility management network element maps the first external slice identifier to the first internal slice identifier and sends an authentication command to the terminal, where the authentication command includes the first internal slice identifier.
  • in this way, the access and mobility management network element maps the first external slice identifier received from the slice authentication network element back to the first internal slice identifier, so that the terminal can subsequently use the first internal slice identifier to complete the slice authentication process in the existing manner.
  • the first network element is a unified data management (unified data management, UDM) network element or a network slice selection function (network slice selection function, NSSF) network element.
  • UDM unified data management
  • NSSF network slice selection function
  • the first internal slice identifier is the S-NSSAI, in the home public land mobile network (HPLMN), of the network slice requiring authentication and authorization.
  • HPLMN: home public land mobile network
  • in a second aspect, the present application provides a method for slice authentication, which may include: a first network element receives a data request message for a terminal from an access and mobility management network element; the first network element sends a data response message to the access and mobility management network element, where the data response message includes a first external slice identifier that identifies, outside the operator network, the network slice requiring authentication and authorization.
  • the access and mobility management network element can obtain, from the first network element, an external slice identifier that identifies a network slice requiring authentication and authorization outside the operator's network, thereby realizing authentication and authorization in the network slice.
  • the network slice authentication and authorization can be completed by using the external slice identifier to replace the internal slice identifier that identifies the network slice that needs authentication and authorization inside the operator's network. This can prevent third parties from obtaining internal slice identifiers, thereby preventing the privacy of network slices from being exposed.
  • the data request message includes a subscription permanent identifier (SUPI) of the terminal; the first network element acquires the configuration data of the terminal according to the SUPI, where the configuration data includes the correspondence between the first internal slice identifier and the first external slice identifier, and the first internal slice identifier identifies, within the operator network, the network slice requiring authentication and authorization;
  • the data response message further includes the first internal slice identifier.
  • SUPI subscription permanent identifier
  • in this way, the first network element can send the correspondence between the first internal slice identifier and the first external slice identifier from the configuration data directly to the access and mobility management network element, which thereby obtains the first external slice identifier.
  • the configuration data is subscription data of the terminal.
  • the data request message may be a subscription data acquisition request.
  • the data request message includes a first internal slice identifier that identifies, within the operator network, the network slice requiring authentication and authorization; the first network element then determines the first external slice identifier according to the first internal slice identifier.
  • the data request message is an external slice identification query request.
  • the first network element can determine the first external slice identifier corresponding to the first internal slice identifier according to the requirements of the access and mobility management network element.
  • the first network element determines a correspondence between the first inner slice identifier and the first outer slice identifier. In this way, the first network element can store the correspondence between the first inner slice identifier and the first outer slice identifier, so that the access and mobility management network element can request the first outer slice identifier.
  • the first network element may determine the correspondence between the first internal slice identifier and the first external slice identifier as follows: the first network element receives a first request from the network exposure function (NEF) network element, where the first request includes the first external slice identifier and a network slice requirement; the first network element determines the internal slice identifier of the network slice that meets the network slice requirement, where that internal slice identifier includes the first internal slice identifier; the first network element stores the correspondence between the first internal slice identifier and the first external slice identifier. In this way, the first network element can store the correspondence between the first internal slice identifier and the first external slice identifier, so that the access and mobility management network element can request the first external slice identifier.
  • alternatively, the first network element determines the correspondence between the first internal slice identifier and the first external slice identifier as follows: the first network element receives a first request from the NEF network element, where the first request includes a network slice requirement; the first network element determines the internal slice identifier of the network slice that meets the network slice requirement, where that internal slice identifier includes the first internal slice identifier; the first network element determines the first external slice identifier corresponding to the first internal slice identifier; and the first network element saves the correspondence between the first internal slice identifier and the first external slice identifier.
  • the first network element can store the correspondence between the first inner slice identifier and the first outer slice identifier, so that the access and mobility management network element can request the first outer slice identifier.
  • the first network element determines the first external slice identifier corresponding to the first internal slice identifier in one of two ways: the first network element allocates the first external slice identifier for the first internal slice identifier; or the first network element acquires the first external slice identifier corresponding to the first internal slice identifier from a second network element.
  • in this way, the first network element can accurately determine the first external slice identifier corresponding to the first internal slice identifier, so that the correspondence between the two can subsequently be stored accurately.
  • the first network element sends a first response message to the NEF network element, where the first response message includes the first external slice identifier.
  • in this way, the application function network element can be notified of the first external slice identifier through the NEF network element.
  • the first request further includes an authentication requirement, where the authentication requirement is used to indicate whether authentication and authorization are required to access a network slice that meets the network slice requirement.
  • the first network element stores the correspondence between the authentication requirement and the first internal slice identifier; or the first network element determines a first indication according to the authentication requirement, where the first indication indicates whether authentication and authorization are required to access the network slice that meets the network slice requirement, and stores the correspondence between the first indication and the first internal slice identifier.
  • the authentication requirement can be associated with the network slice corresponding to the first internal slice identifier.
  • the first request further includes first identification information, which indicates a terminal that uses a network slice meeting the network slice requirement; the first network element stores the correspondence between the first identification information and the first internal slice identifier. In this way, the first identification information can be associated with the network slice corresponding to the first internal slice identifier.
  • the first network element may also determine the correspondence between the first internal slice identifier and the first external slice identifier as follows: the first network element obtains a locally preconfigured first internal slice identifier and first external slice identifier; or the first network element obtains the first internal slice identifier and the first external slice identifier from an operation, administration and maintenance (OAM) network element.
  • OAM operation, administration and maintenance
  • the first network element can store the correspondence between the first internal slice identifier and the first external slice identifier, so that the access and mobility management network element can request the first external slice identifier.
  • the first internal slice identifier is the S-NSSAI of the network slice requiring authentication and authorization in the HPLMN.
  • the first network element is a UDM network element or an NSSF network element.
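  The following is an added example, not code from the patent or from Huawei: a simulation of the first network element of the second aspect (a UDM or NSSF role) that builds the correspondence from a first request arriving via the NEF, records the authentication requirement and the first identification information against the matching internal slice identifier, and then serves both kinds of data request from the access and mobility management network element. The slice catalogue, the attribute-matching rule for a "network slice requirement", the SUPI strings, the message shapes and the external-identifier allocation scheme are all constructed assumptions.

```python
"""Added example (not from the patent): first network element (UDM/NSSF role)
that stores the internal<->external slice identifier correspondence and
answers the access and mobility management network element."""
import itertools
from typing import Dict, List

# Constructed catalogue: operator-internal S-NSSAI -> attributes that a
# "network slice requirement" from the NEF is matched against (assumption).
SAMPLE_CATALOGUE: Dict[str, dict] = {
    "S-NSSAI(sst=1,sd=0x0a0b0c)": {"sst": 1, "latency_ms": 10, "area": "campus-A"},
    "S-NSSAI(sst=2,sd=0x112233)": {"sst": 2, "latency_ms": 50, "area": "nationwide"},
}


class FirstNetworkElement:
    def __init__(self, catalogue: Dict[str, dict], preconfigured: Dict[str, str] = None):
        self.catalogue = catalogue
        # Locally preconfigured correspondence (one of the options in the text).
        self.int_to_ext: Dict[str, str] = dict(preconfigured or {})
        # First indication per internal slice id: does access need auth?
        self.auth_requirement: Dict[str, bool] = {}
        # First identification information: SUPI -> internal slice ids it uses.
        self.subscribed: Dict[str, set] = {}
        self._counter = itertools.count(1)

    def _matching_internal_ids(self, requirement: dict) -> List[str]:
        # A slice meets the requirement when every required attribute matches.
        return [i for i, attrs in self.catalogue.items()
                if requirement.items() <= attrs.items()]

    def _allocate_external_id(self) -> str:
        # Allocation scheme is a constructed assumption.
        return "ext-slice-%04d" % next(self._counter)

    def handle_first_request(self, first_request: dict) -> dict:
        """First request from the NEF; returns the first response message."""
        matches = self._matching_internal_ids(first_request["network_slice_requirement"])
        if not matches:
            raise LookupError("no network slice meets the requirement")
        # Either the NEF supplied the external id, or this element allocates one.
        ext = first_request.get("external_slice_id") or self._allocate_external_id()
        for internal in matches:
            self.int_to_ext[internal] = ext
            if "authentication_requirement" in first_request:
                self.auth_requirement[internal] = first_request["authentication_requirement"]
            for supi in first_request.get("first_identification_info", []):
                self.subscribed.setdefault(supi, set()).add(internal)
        return {"external_slice_id": ext}

    def handle_data_request(self, supi: str) -> List[dict]:
        """Subscription data acquisition request keyed by SUPI: returns the
        configuration data, i.e. the correspondence plus the first indication."""
        return [{"internal_slice_id": i,
                 "external_slice_id": self.int_to_ext[i],
                 "requires_auth": self.auth_requirement.get(i, False)}
                for i in sorted(self.subscribed.get(supi, ()))]

    def handle_external_slice_id_query(self, internal: str) -> dict:
        """External slice identifier query request carrying an internal id."""
        if internal not in self.int_to_ext:
            raise LookupError("no external slice identifier for " + internal)
        return {"external_slice_id": self.int_to_ext[internal]}


def demo() -> dict:
    fne = FirstNetworkElement(SAMPLE_CATALOGUE)
    first_response = fne.handle_first_request({
        "network_slice_requirement": {"sst": 1, "area": "campus-A"},
        "authentication_requirement": True,
        "first_identification_info": ["imsi-001010123456789"],  # constructed SUPI
    })
    return {
        "first_response": first_response,
        "config_data": fne.handle_data_request("imsi-001010123456789"),
        "query": fne.handle_external_slice_id_query("S-NSSAI(sst=1,sd=0x0a0b0c)"),
    }


if __name__ == "__main__":
    print(demo())
```

The access and mobility management network element can use either path: fetch the whole configuration data by SUPI at registration (correspondence and first indication in one answer), or query the external identifier for a single internal identifier when it already knows from subscription data which slice needs authentication.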
  • in a third aspect, the present application provides a method for slice authentication, which may include: an access and mobility management network element obtains a first external slice identifier corresponding to the network slice of a terminal that requires authentication and authorization, where the first external slice identifier identifies that network slice outside the operator network; the access and mobility management network element sends a first message to the terminal, where the first message includes the first external slice identifier.
  • in this way, the external slice identifier, which identifies the network slice requiring authentication and authorization outside the operator network, is used to complete network slice authentication and authorization instead of the internal slice identifier, which identifies that network slice inside the operator network. This prevents third parties from obtaining internal slice identifiers and therefore prevents the privacy of network slices from being exposed.
  • obtaining the first external slice identifier corresponding to the network slice that the terminal needs to authenticate and authorize may specifically include: the access and mobility management network element obtains the configuration data of the terminal, where the configuration data includes the correspondence between the first internal slice identifier and the first external slice identifier, and the first internal slice identifier identifies the network slice requiring authentication and authorization; the access and mobility management network element determines the first external slice identifier according to the first internal slice identifier and the correspondence.
  • in this way, the access and mobility management network element obtains the correspondence between the first internal slice identifier and the first external slice identifier directly from the configuration data of the terminal, and can determine the first external slice identifier corresponding to the first internal slice identifier.
  • the configuration data is subscription data of the terminal.
  • obtaining the first external slice identifier corresponding to the network slice that the terminal needs to authenticate and authorize may alternatively include: the access and mobility management network element obtains the subscription data of the terminal; according to the subscription data, it determines the first internal slice identifier of the network slice that the terminal needs to authenticate and authorize, where the first internal slice identifier identifies that network slice within the operator network; the access and mobility management network element sends an external slice identifier query request, which includes the first internal slice identifier, to the first network element; and the access and mobility management network element receives the first external slice identifier from the first network element. In this way, the access and mobility management network element can query the first external slice identifier from the first network element.
  • the first message is a registration response message; the registration response message further includes the first internal slice identifier.
  • both the first inner slice identifier and the first outer slice identifier can be sent to the terminal device, so that the terminal can perform mapping between the first inner slice identifier and the first outer slice identifier.
  • the access and mobility management network element receives an authentication response from the terminal, where the authentication response includes slice authentication information and the first internal slice identifier; the access and mobility management network element maps the first internal slice identifier to the first external slice identifier and sends the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the access and mobility management network element can complete slice authentication and authorization with the external authentication server through the first external slice identifier, so as to avoid the privacy of the network slice from being exposed.
  • the first message is an authentication request message, which requests the terminal to perform network slice authentication and authorization; the access and mobility management network element further sends a registration response message to the terminal, where the registration response message also includes the first internal slice identifier.
  • the access and mobility management network element can complete slice authentication and authorization through the first external slice identifier, so as to avoid exposure of the privacy of the network slice.
  • the access and mobility management network element receives an authentication response from the terminal, where the authentication response includes slice authentication information and the first external slice identifier; the access and mobility management network element sends the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the access and mobility management network element can complete slice authentication and authorization through the first external slice identifier, so as to prevent the privacy of the network slice from being exposed.
  • the first message further includes the first internal slice identifier.
  • the first network element may be a UDM network element or an NSSF network element.
  • the first internal slice identifier is the S-NSSAI of the network slice requiring authentication and authorization in the HPLMN.
  • in a fourth aspect, the present application provides a method for slice authentication, which may include: the terminal receives a first message from an access and mobility management network element, where the first message includes a first external slice identifier and a first internal slice identifier; the first external slice identifier identifies the network slice requiring authentication and authorization outside the operator network, and the first internal slice identifier identifies that network slice inside the operator network; the terminal saves the correspondence between the first internal slice identifier and the first external slice identifier. In this way, the terminal can map between the first internal slice identifier and the first external slice identifier.
  • the terminal sends a registration request to the access and mobility management network element; the first message is a registration response message corresponding to the registration request.
  • the terminal receives an authentication request message from the access and mobility management network element, where the authentication request message is used to request the terminal to perform network slice authentication and authorization; the authentication request message includes the first internal slice identifier; the terminal sends an authentication response to the access and mobility management network element, where the authentication response includes slice authentication information and the first internal slice identifier.
  • the terminal can perform mapping between the first internal slice identifier and the first external slice identifier inside the terminal, so as to obtain slice authentication information corresponding to the first external slice identifier.
  • the slice authentication information is the Extensible Authentication Protocol Identifier EAP ID.
  • the first module of the terminal maps the first internal slice identifier included in the authentication request message to the first external slice identifier according to the corresponding relationship;
  • the first module sends request information, which includes the first external slice identifier, to the second module of the terminal; in response, the second module sends response information to the first module, where the response information includes the first external slice identifier and the slice authentication information;
  • the first module of the terminal maps the first external slice identifier in the response information to the first internal slice identifier according to the correspondence;
  • the terminal generates the authentication response according to the first internal slice identifier and the slice authentication information.
  • the terminal can perform mapping between the first internal slice identifier and the first external slice identifier inside the terminal, so as to obtain slice authentication information corresponding to the first external slice identifier.
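  The following is an added example, not code from the patent or from Huawei: a simulation of the first-aspect exchange (access and mobility management network element, terminal, slice authentication network element and AAA-S) together with the fourth-aspect terminal behaviour, in which a first module that knows the correspondence shields a second module that only handles external slice identifiers. It lets a reader check the property the text claims: nothing the third-party AAA-S receives contains an operator-internal S-NSSAI. The identifier formats, message shapes, the assumption that the first module is the NAS layer and the second the EAP client, the NSSAAF being collapsed into a direct call to the AAA-S, and the EAP ID string are all constructed.

```python
"""Added example (not from the patent): slice authentication with the
internal<->external slice identifier mapping on both the AMF and the UE."""
from typing import Dict, List

# Constructed configuration data: correspondence plus first indication.
SAMPLE_CONFIGURATION_DATA = [
    {"internal_slice_id": "S-NSSAI(sst=1,sd=0x0a0b0c)",
     "external_slice_id": "ext-slice-7f3a", "requires_auth": True},
    {"internal_slice_id": "S-NSSAI(sst=2,sd=0x112233)",
     "external_slice_id": "ext-slice-c901", "requires_auth": False},
]
SAMPLE_EAP_IDS = {"ext-slice-7f3a": "alice@enterprise.example"}  # constructed


class Terminal:
    """UE. The first module (assumed NAS layer) holds the correspondence; the
    second module (assumed EAP client) only ever sees external identifiers."""

    def __init__(self, correspondence: Dict[str, str], eap_ids: Dict[str, str]):
        self.int_to_ext = dict(correspondence)
        self.ext_to_int = {e: i for i, e in correspondence.items()}
        self.eap_ids = eap_ids

    def second_module(self, request_info: dict) -> dict:
        ext = request_info["external_slice_id"]
        return {"external_slice_id": ext, "slice_auth_info": self.eap_ids[ext]}

    def on_authentication_request(self, msg: dict) -> dict:
        # First module: internal -> external, ask the second module, map back.
        ext = self.int_to_ext[msg["internal_slice_id"]]
        resp = self.second_module({"external_slice_id": ext})
        internal = self.ext_to_int[resp["external_slice_id"]]
        return {"internal_slice_id": internal, "slice_auth_info": resp["slice_auth_info"]}


class ThirdPartyAAAS:
    """AAA-S behind the NSSAAF; records every message it receives."""

    def __init__(self):
        self.received: List[dict] = []

    def authenticate(self, msg: dict) -> dict:
        self.received.append(dict(msg))
        return {"external_slice_id": msg["external_slice_id"], "result": "EAP-Success"}


class AMF:
    """Access and mobility management network element."""

    def __init__(self, configuration_data: List[dict]):
        self.int_to_ext: Dict[str, str] = {}
        self.ext_to_int: Dict[str, str] = {}
        self.requires_auth: List[str] = []
        for entry in configuration_data:
            self.int_to_ext[entry["internal_slice_id"]] = entry["external_slice_id"]
            self.ext_to_int[entry["external_slice_id"]] = entry["internal_slice_id"]
            if entry["requires_auth"]:          # first indication information
                self.requires_auth.append(entry["internal_slice_id"])

    def map_external_to_internal(self, ext: str) -> str:
        # An external identifier the AMF never issued must not be trusted.
        if ext not in self.ext_to_int:
            raise ValueError("unknown external slice identifier: " + ext)
        return self.ext_to_int[ext]

    def run_slice_authentication(self, ue: Terminal, aaa_s: ThirdPartyAAAS) -> List[dict]:
        commands = []
        for internal in self.requires_auth:
            first_resp = ue.on_authentication_request({"internal_slice_id": internal})
            ext = self.int_to_ext[first_resp["internal_slice_id"]]
            second_resp = aaa_s.authenticate(
                {"external_slice_id": ext, "slice_auth_info": first_resp["slice_auth_info"]})
            mapped = self.map_external_to_internal(second_resp["external_slice_id"])
            commands.append({"internal_slice_id": mapped, "result": second_resp["result"]})
        return commands


def internal_ids_leaked(aaa_s: ThirdPartyAAAS, configuration_data: List[dict]) -> bool:
    """True if any operator-internal slice identifier reached the AAA-S."""
    internals = {e["internal_slice_id"] for e in configuration_data}
    return any(v in internals for m in aaa_s.received for v in m.values())


def demo():
    correspondence = {e["internal_slice_id"]: e["external_slice_id"]
                      for e in SAMPLE_CONFIGURATION_DATA}
    ue = Terminal(correspondence, SAMPLE_EAP_IDS)
    aaa_s = ThirdPartyAAAS()
    commands = AMF(SAMPLE_CONFIGURATION_DATA).run_slice_authentication(ue, aaa_s)
    return commands, aaa_s.received, internal_ids_leaked(aaa_s, SAMPLE_CONFIGURATION_DATA)


if __name__ == "__main__":
    print(demo())
```

The authentication command sent back to the terminal carries only the internal identifier, as the text requires, and the AMF refuses a second authentication response whose external identifier it never issued, which is the check a real implementation needs before mapping an untrusted value back into the operator's namespace.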
  • the present application provides an apparatus for slice authentication, which may be an access and mobility management network element and which has the function of implementing the access and mobility management network element in the first aspect or each possible design example of the first aspect; the function can be implemented by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the structure of the slice authentication apparatus may include a transceiver unit and a processing unit, and these units may perform the corresponding functions of the access and mobility management network element in the first aspect or each possible design example of the first aspect; for details, refer to the detailed description in the method example, which is not repeated here.
  • the structure of the apparatus for slice authentication includes a transceiver and a processor, and optionally a memory.
  • the transceiver is used to send and receive data, and to communicate and interact with other devices in the communication system.
  • the processor is configured to support the slice authentication apparatus to perform the corresponding functions of the access and mobility management network elements in the first aspect or each possible design example of the first aspect.
  • a memory is coupled to the processor and holds program instructions and data necessary for the slice authentication device.
  • the present application provides a slice authentication apparatus, which may be a first network element and which has the function of implementing the first network element in the second aspect or each possible design example of the second aspect.
  • the function can be implemented by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the structure of the slice authentication apparatus may include a transceiver unit and a processing unit, and these units may perform the corresponding functions of the first network element in the second aspect or each possible design example of the second aspect; for details, refer to the detailed description in the method example, which is not repeated here.
  • the structure of the apparatus for slice authentication includes a transceiver and a processor, and optionally a memory.
  • the transceiver is used to send and receive data, and to communicate and interact with other devices in the communication system.
  • the processor is configured to support the slice authentication apparatus to perform corresponding functions of the first network element in the second aspect or each possible design example of the second aspect.
  • a memory is coupled to the processor and holds program instructions and data necessary for the slice authentication device.
  • the present application provides an apparatus for slice authentication.
  • the slice authentication apparatus may be an access and mobility management network element and has the function of implementing the access and mobility management network element in the third aspect or each possible design example of the third aspect.
  • the function can be implemented by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the structure of the slice authentication apparatus may include a transceiver unit and a processing unit, and these units may perform the corresponding functions of the access and mobility management network element in the third aspect or each possible design example of the third aspect; for details, refer to the detailed description in the method example, which is not repeated here.
  • the structure of the apparatus for slice authentication includes a transceiver and a processor, and optionally a memory.
  • the transceiver is used to send and receive data, and to communicate and interact with other devices in the communication system.
  • the processor is configured to support the slice authentication apparatus to perform the corresponding functions of the access and mobility management network element in the above third aspect or each possible design example of the third aspect.
  • a memory is coupled to the processor and holds program instructions and data necessary for the slice authentication device.
  • the present application provides a slice authentication apparatus.
  • the slice authentication apparatus may be a terminal, and the slice authentication apparatus has the function of implementing the fourth aspect or each possible design example of the fourth aspect.
  • the functions can be implemented by hardware, or by executing corresponding software by hardware.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the structure of the slice authentication apparatus may include a transceiver unit and a processing unit, and these units may perform the corresponding functions of the terminal in the fourth aspect or each possible design example of the fourth aspect; for details, refer to the detailed description in the method example, which will not be repeated here.
  • the structure of the apparatus for slice authentication includes a transceiver and a processor, and optionally a memory.
  • the transceiver is used to send and receive data, and to communicate and interact with other devices in the communication system.
  • the processor is configured to support the slice authentication apparatus to perform corresponding functions of the terminal in the fourth aspect or each possible design example of the fourth aspect.
  • a memory is coupled to the processor and holds program instructions and data necessary for the slice authentication device.
  • an embodiment of the present application provides a communication system, which may include the above-mentioned access and mobility management network element, a first network element, a terminal, and the like.
  • a computer-readable storage medium stores program instructions which, when executed on a computer, cause the computer to execute the method of the first aspect of the embodiments of the present application and any possible design thereof, the second aspect and any possible design thereof, the third aspect and any possible design thereof, or the fourth aspect and any possible design thereof.
  • a computer-readable storage medium can be any available medium that can be accessed by a computer.
  • computer-readable media may include non-transitory computer-readable media, random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), CD-ROM or other optical disk storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer.
  • the embodiments of the present application provide a computer program product including computer program code or instructions which, when run on a computer, enable the computer to implement the method of the first aspect and any possible design thereof, the second aspect and any possible design thereof, the third aspect and any possible design thereof, or the fourth aspect and any possible design thereof.
  • the present application further provides a chip, which is coupled to a memory and used to read and execute program instructions stored in the memory, so as to implement the method of the above-mentioned first aspect and any possible design thereof, the second aspect and any possible design thereof, the third aspect and any possible design thereof, or the fourth aspect and any possible design thereof.
  • FIG. 1 is a schematic diagram of the architecture of a communication system provided by the present application.
  • FIG. 2 is a schematic diagram of an authentication and authorization process of a network slice provided by the present application.
  • FIG. 3 is a schematic diagram of an authentication and authorization process of another network slice provided by the present application.
  • FIG. 5 is a flowchart of an example of a method for slice authentication provided by the present application.
  • FIG. 6 is a flowchart of an example of another slice authentication method provided by the present application.
  • FIG. 7 is a flowchart of another method for slice authentication provided by the present application.
  • FIG. 8 is a flowchart of an example of another slice authentication method provided by the present application.
  • FIG. 9 is a flowchart of an example of another slice authentication method provided by the present application.
  • FIG. 10 is a flowchart of another method for slice authentication provided by the application.
  • FIG. 11 is a flowchart of another example of a method for slice authentication provided by the application.
  • FIG. 12 is a flowchart of another example of a method for slice authentication provided by the application.
  • FIG. 14 is a flowchart of an example of determining the correspondence between the first inner slice identifier and the first outer slice identifier provided by the application.
  • FIG. 15 is a flowchart of another example of determining the correspondence between the first inner slice identifier and the first outer slice identifier provided by the application.
  • FIG. 16 is a flowchart of another example of determining the correspondence between the first inner slice identifier and the first outer slice identifier provided by the application.
  • FIG. 17 is a flowchart of another example of determining the correspondence between the first inner slice identifier and the first outer slice identifier provided by the application.
  • FIG. 18 is a schematic structural diagram of a device for slice authentication provided by the application.
  • FIG. 19 is a structural diagram of an apparatus for slice authentication provided by the present application.
  • Embodiments of the present application provide a method and apparatus for slice authentication, which propose a specific scheme for completing the authentication and authorization of network slices by using an alternative identifier of the S-NSSAI, so as to prevent network slice privacy from being exposed.
  • the method and the device of the present application are based on the same technical concept. Since the principles by which the method and the device solve the problem are similar, the implementations of the device and the method can be referred to each other, and repeated descriptions are omitted.
  • the architecture of the communication system may include: an access network and a core network.
  • the access network is used to realize functions related to wireless access, and includes the 3rd generation partnership project (3GPP) access network and the non-3GPP access network.
  • the core network mainly includes the following key logical network elements: access and mobility management network elements, session management network elements, user plane network elements, policy control network elements, unified data management network elements, and authentication server function network elements.
  • FIG. 1 shows a possible example of the architecture of the communication system. The communication system shown in FIG. 1 may include: a terminal (a user equipment (UE) is used as an example), an access and mobility management function (AMF) network element, a session management function (SMF) network element, a user plane function (UPF) network element, a policy control function (PCF) network element, a unified data management (UDM) network element, an authentication server function (AUSF) network element, a network exposure function (NEF) network element, an application function (AF) network element, a network slice-specific authentication and authorization function (NSSAAF) network element, a network slice selection function (NSSF) network element, a radio access network (RAN) device, and a network storage function (network repository function, NRF) network element.
  • the AMF network element and the access network device can be connected through the N2 interface, the access network device and the UPF can be connected through the N3 interface, the SMF and the UPF can be connected through the N4 interface, and the AMF network element and the UE can be connected through the N1 interface.
  • the interface names are only an example description and are not specifically limited in this embodiment of the present application. It should be understood that the embodiments of the present application are not limited to the communication system shown in FIG. 1, and the names of the network elements shown in FIG. 1 are described here only as an example; they do not define the network elements included in the architecture of a communication system to which the slice authentication method of the present application is applicable. The following describes the functions of each network element or device in the communication system in detail:
  • Terminal: can be a UE, a handheld terminal, a notebook computer, a subscriber unit, a cellular phone, a smart phone, a wireless data card, a personal digital assistant (PDA) computer, a tablet computer, a wireless modem, a handheld device, a laptop computer, a cordless phone or wireless local loop (WLL) station, a machine type communication (MTC) terminal, or another device that can access the network.
  • a terminal may also be referred to as a terminal device.
  • the RAN device is mainly a 3GPP wireless network device, and the AN can be an access network device defined by non-3GPP.
  • RAN equipment is mainly responsible for functions such as radio resource management, quality of service (QoS) management, and data compression and encryption on the air interface side.
  • the access network equipment may include various forms of base stations, such as: a macro base station, a micro base station (also referred to as a small cell), a relay station, an access point, and the like. In systems using different radio access technologies, the names of devices with base station functions may be different.
  • Access and mobility management function network element: mainly responsible for mobility management in the mobile network, such as user location update, user registration with the network, user handover, and the like.
  • the access and mobility management function network element can be an AMF network element, as shown in Figure 1; in future communications, such as 6G, the access and mobility management function network element can still be an AMF network element, or have another name, which is not limited in this application.
  • when the access and mobility management function network element is an AMF network element, the AMF can provide Namf services.
  • Session management function network element: mainly responsible for session management in the mobile network, such as session establishment, modification and release. Specific functions include assigning IP addresses to users and selecting UPFs that provide packet forwarding functions.
  • the session management function network element can be an SMF network element, as shown in Figure 1; in future communications, such as 6G, the session management function network element can still be an SMF network element, or have another name, which is not limited in this application.
  • the SMF can provide Nsmf services.
  • User plane function network element: responsible for forwarding and receiving the user data of the terminal.
  • User data can be received from the data network and transmitted to the terminal through the access network device; the UPF network element can also receive user data from the terminal through the access network device and forward it to the data network.
  • the transmission resources and scheduling functions that provide services to terminals in the UPF network element are managed and controlled by the SMF network element.
  • the user plane function network element can be a UPF network element, as shown in Figure 1; in future communications, such as 6G, the user plane function network element can still be a UPF network element, or have another name, which is not limited in this application.
  • Policy control function network element: mainly supports providing a unified policy framework to control network behavior, provides policy rules to the control layer network functions, and is responsible for obtaining the user subscription information related to policy decision-making.
  • the policy control function network element can be a PCF network element, as shown in Figure 1; in future communications, such as 6G, the policy control function network element can still be a PCF network element, or have another name, which is not limited in this application.
  • when the policy control function network element is a PCF network element, the PCF network element can provide Npcf services.
  • Network exposure function network element: mainly used to support the exposure of capabilities and events.
  • the network exposure function network element can be a NEF network element, as shown in Figure 1; in future communications, such as 6G, the network exposure function network element can still be a NEF network element, or have another name, which is not limited in this application.
  • when the network exposure function network element is a NEF network element, the NEF can provide Nnef services to other network function network elements.
  • Application function network element: mainly supports interaction with the 3GPP core network to provide services, such as influencing data routing decisions and policy control functions, or providing some third-party services to the network side.
  • the application function network element may be an AF network element, as shown in Figure 1; in future communications, such as 6G, the application function network element may still be an AF network element, or have another name, which is not limited in this application.
  • when the application function network element is an AF network element, the AF network element can provide the Naf service.
  • Unified data management function network element: used to generate authentication credentials, process user identities (such as storing and managing the user permanent identity), and perform access authorization control and subscription data management.
  • the unified data management function network element can be a UDM network element, as shown in Figure 1; in future communications, such as 6G, the unified data management function network element can still be a UDM network element, or have another name, which is not limited in this application.
  • the UDM network element can provide Nudm services.
  • Authentication server function network element: used to support the authentication function when the UE accesses the network, and to support the network slice-specific authentication and authorization process.
  • the authentication server function network element can be an AUSF network element, as shown in Figure 1; in future communications, such as 6G, the authentication server function network element can still be an AUSF network element, or have another name, which is not limited in this application.
  • the AUSF network element can provide the Nausf service.
  • Network slice-specific authentication and authorization function network element: used to support the slice-specific authentication and authorization process. The NSSAAF can interact with the AAA server directly, or through an authentication, authorization, and accounting proxy (AAA-P).
  • the network slice-specific authentication and authorization function network element can be an NSSAAF network element, as shown in Figure 1; in future communications, such as 6G, the network slice-specific authentication and authorization function network element can still be an NSSAAF network element, or have another name, which is not limited in this application.
  • when the network slice-specific authentication and authorization function network element is an NSSAAF network element, the NSSAAF network element can provide the Nnssaaf service.
  • Network slice selection function network element: can be used to select the network slices that provide services to terminals.
  • the network slice selection function network element can be an NSSF network element, as shown in Figure 1; in future communications, such as 6G, the network slice selection function network element can still be an NSSF network element, or have another name, which is not limited in this application.
  • when the network slice selection function network element is an NSSF network element, the NSSF network element can provide the Nnssf service.
  • the network storage function network element can be used to provide the network element discovery function, and based on the request of other network elements, provide network element information corresponding to the network element type.
  • the NRF network element also provides network element management services, such as network element registration, update, de-registration, and network element status subscription and push.
  • the network storage function network element can be an NRF network element, as shown in Figure 1; in future communications, such as 6G, the network storage function network element can still be an NRF network element, or have another name, which is not limited in this application.
  • the NRF network element can provide the Nnrf service.
  • a data network refers to a service network that provides data transmission services for users, such as IP multi-media service (IMS) and the Internet.
  • the UE accesses the DN through a protocol data unit (PDU) session established between the UE and the DN.
  • each network element in the core network can also be called a functional entity or a device, and can be a network element implemented on dedicated hardware, a software instance running on dedicated hardware, or an instance of a virtualized function on an appropriate platform; for example, the above-mentioned virtualization platform may be a cloud platform.
  • the architecture of the communication system shown in FIG. 1 is not limited to including only the network elements shown in the figure, but may also include other devices not shown in the figure, which this application does not list one by one here.
  • the following description in this application will take the network elements shown in FIG. 1 as an example, and the XX network element is directly abbreviated as XX. It should be understood that the names of all network elements in this application are only examples; they may be referred to by other names in future communications, or the network elements involved in this application may be replaced in future communications by other entities or devices with the same function, which is not limited in this application. A unified description is made here and will not be repeated below.
  • the communication system shown in FIG. 1 does not constitute a limitation of the communication system to which the embodiments of the present application can be applied.
  • the communication system architecture shown in FIG. 1 is a 5G system architecture.
  • the methods in the embodiments of the present application are also applicable to various future communication systems, such as 6G or other communication networks.
  • the network initiates the authentication and authorization process of the network slice according to the requirements, as shown in Figure 2, which may specifically include the following steps:
  • Step 200 After the AMF receives the registration request of the UE, the AMF determines which network slices need to perform the authentication and authorization process according to the subscription information of the UE or the request of the AAA-S.
  • the AMF receives the registration request sent by the UE, and the AMF sends a user data management (Nudm_SubscriberDataManagement) request message to the UDM, where the Nudm_SubscriberDataManagement request message is used to obtain the subscription information of the UE. Further, the AMF receives the Nudm_SubscriberDataManagement response message from the UDM, and the Nudm_SubscriberDataManagement response message includes the subscription information of the UE. The subscription information of the UE includes the S-NSSAI(s) that need to perform slice authentication and authorization.
  • the AMF determines which slices require authentication and authorization procedures based on the S-NSSAI(s) received from the UDM that require slice authentication and authorization.
  • the registration request includes indication information of whether the UE supports the NSSAA attribute, and the indication information is used to indicate whether the UE supports the attribute of slice authentication and authorization.
  • the AMF also determines the S-NSSAI that needs to perform slice authentication and authorization according to the indication information.
  • the registration request also includes the S-NSSAI requested by the UE (the S-NSSAI requested by the UE may include one or more S-NSSAIs), and the AMF determines whether the S-NSSAI(s) required to perform slice authentication and authorization include the S-NSSAI requested by the UE; if so, the AMF determines that the S-NSSAI requested by the UE and included in the S-NSSAI(s) required to perform slice authentication and authorization is a slice that needs to perform authentication and authorization.
  • the AMF maps the S-NSSAI requested by the UE to the S-NSSAI in the home network, and further determines, according to the mapped S-NSSAI and the acquired S-NSSAI(s) that need slice authentication and authorization, which slices need to perform the slice authentication and authorization process.
  • the AAA-S can initiate the slice re-authentication and re-authorization process according to its policy, and send a notification message to the AMF through the NSSAAF and/or the AAA-P; the AMF performs the slice authentication and authorization process after receiving the notification from the AAA-S.
  • Step 201 For each network slice determined to be authenticated and authorized, the AMF triggers the slice authentication and authorization process respectively.
  • taking a slice S-NSSAI that requires authentication and authorization as an example, the AMF sends a first non-access stratum (NAS) mobility management (MM) transport message to the UE.
  • the first NAS MM transmission message is used to trigger the process of network slice authentication and authorization.
  • the first NAS MM transmission message includes an Extensible Authentication Protocol (EAP) identifier (ID) request and the S-NSSAI that requires authentication and authorization.
  • the EAP ID request is used to request an EAP ID, where the EAP ID is used to indicate the user identity that performs EAP authentication for the S-NSSAI.
  • Step 202 In response to the first NAS MM transmission message, the UE sends a second NAS MM transmission message to the AMF, where the second NAS MM transmission message includes an EAP ID response and the S-NSSAI.
  • the EAP ID response is used to respond to the EAP ID request.
  • the EAP ID response includes the EAP ID.
  • Step 203 The AMF sends a first authentication request message to the NSSAAF, where the first authentication request message includes the EAP ID response, the AAA-S address, the generic public subscription identifier (GPSI) and the S-NSSAI.
  • the GPSI is the identifier of the UE, which is used to identify the UE, and the AAA-S address is used to indicate the AAA-S that performs slice authentication and authorization of the S-NSSAI.
  • the first authentication request message may be Nnssaaf_NSSAA_Authenticate Request.
  • Step 204 If there is an AAA-P, the NSSAAF sends a first AAA protocol message to the AAA-P. Otherwise, the NSSAAF directly sends the first AAA protocol message to the AAA-S indicated by the address of the AAA-S.
  • the first AAA protocol message includes the EAP ID response, the AAA-S address, the GPSI and the S-NSSAI.
  • Step 205 The AAA-P sends the first AAA protocol message to the AAA-S indicated by the address of the AAA-S, where the first AAA protocol message includes the EAP ID response, the GPSI and the S-NSSAI.
  • the AAA-S stores the GPSI and EAP ID.
  • the AAA-S uses the EAP ID and the S-NSSAI identification to perform S-NSSAI authentication and authorization for the user indicated by the EAP ID, and performs the EAP authentication interaction process with the UE (steps 206 to 213 below).
  • Step 206 The AAA-S sends a first AAA protocol response message to the AAA-P, where the first AAA protocol response message includes an EAP message, the GPSI and the S-NSSAI.
  • the EAP message is used by the AAA-S to authenticate whether the UE is authorized to use the S-NSSAI.
  • Step 207 The AAA-P sends a first AAA protocol response message to the NSSAAF, where the first AAA protocol response message includes the EAP message, the GPSI and the S-NSSAI.
  • Step 208 The NSSAAF sends a first authentication response message to the AMF, where the first authentication response message includes the EAP message, the GPSI and the S-NSSAI.
  • Step 209 The AMF sends a third NAS MM transmission message to the UE, where the third NAS MM transmission message includes the EAP message and the S-NSSAI.
  • Step 210 The UE sends a fourth NAS MM transmission message to the AMF, where the fourth NAS MM transmission message includes a new EAP message and the S-NSSAI.
  • the new EAP message is determined by the UE based on the EAP message in the third NAS transport message.
  • Step 211 The AMF sends a second authentication request message to the NSSAAF, where the second authentication request message includes the new EAP message, the GPSI and the S-NSSAI.
  • Step 212 The NSSAAF sends a second AAA protocol message to the AAA-P.
  • the second AAA protocol message includes the new EAP message, the GPSI and the S-NSSAI.
  • Step 213 The AAA-P sends a second AAA protocol message to the AAA-S, where the second AAA protocol message includes the new EAP message, the GPSI and the S-NSSAI.
  • Step 214 EAP authentication is completed. If the authentication is successful, the AAA-S stores the authorized S-NSSAI. The AAA-S sends a second AAA protocol response message to the AAA-P, where the second AAA protocol response message includes EAP-success (Success) information, the GPSI and the S-NSSAI. If the authentication fails, the second AAA protocol response message includes EAP-failure information, the GPSI and the S-NSSAI.
  • Step 215 If AAA-P is used, the AAA-P sends the second AAA protocol response message to the NSSAAF, where the second AAA protocol response message includes the EAP-Success information or the EAP-failure information, and the GPSI and the S-NSSAI.
  • Step 216 The NSSAAF sends a second authentication response message to the AMF, where the second authentication response message includes the EAP-Success information or the EAP-failure information, the GPSI and the S-NSSAI.
  • the second authentication response message may be Nnssaaf_NSSAA_Authenticate response.
  • Step 217 The AMF sends a fifth NAS MM transmission message to the UE, where the fifth NAS MM transmission message includes the EAP-Success information or the EAP-failure information.
  • Step 218 If there is a new allowed NSSAI or rejected NSSAI to be transmitted to the UE, the AMF initiates a UE configuration update procedure.
  • the information sent by the NSSAAF to the AAA-S includes the S-NSSAI. Since the AAA-S can be deployed by a third party, when it is, the NSSAAF network element of the operator's core network sends the S-NSSAI directly to the AAA-S, which allows the operator's internal information, such as the S-NSSAI, to be obtained by the third party and may lead to the problem of network slice privacy being exposed.
  • an alternative identifier of the S-NSSAI can be introduced, that is, an alternative identifier of the S-NSSAI, such as network slice public information (NSPI), can be used for the interaction between the NSSAAF and the AAA-S.
  • the NSSAAF determines the corresponding NSPI according to the S-NSSAI received from the AMF, and the AAA-S performs slice authentication related processing according to the NSPI.
  • AAA-P is an optional deployment. If necessary, NSSAAF interacts with AAA-S through AAA-P. If not required, the NSSAAF interacts directly with the AAA-S.
  • the specific process can refer to the process shown in Figure 3:
  • Steps 301 to 304 are similar to steps 200 to 203 in the flow shown in FIG. 2 , and can be referred to each other, and the description is not repeated here.
  • Step 305 The NSSAAF determines the corresponding NSPI according to the S-NSSAI, and sends a first AAA protocol message to the AAA-S.
  • the first AAA protocol message includes the EAP ID response, the AAA-S address, the GPSI and the NSPI.
  • Step 306 The AAA-S sends a first AAA protocol response message to the NSSAAF, where the first AAA protocol response message includes an EAP message, the GPSI and the NSPI.
  • Step 307 The NSSAAF determines the corresponding S-NSSAI according to the NSPI, and sends a first authentication response message to the AMF, where the first authentication response message includes the EAP message, the GPSI and the S-NSSAI.
  • Steps 308 to 310 are similar to steps 209 and 211 in the process shown in FIG. 2 , and can be referred to each other, and the description is not repeated here.
  • Step 311 The NSSAAF determines the corresponding NSPI according to the S-NSSAI, and sends a second AAA protocol message to the AAA-S, where the second AAA protocol message includes the new EAP message, the GPSI and the NSPI.
  • Step 312 The EAP authentication is completed. If the authentication is successful, the AAA-S stores the information that the NSPI has been authorized. The AAA-S sends a second AAA protocol response message to the NSSAAF, where the second AAA protocol response message includes EAP-success (Success) information, the GPSI and the NSPI. If the authentication fails, the second AAA protocol response message includes EAP-failure information, the GPSI and the NSPI.
  • Step 313 The NSSAAF determines the corresponding S-NSSAI according to the NSPI, and sends a second authentication response message to the AMF, where the second authentication response message includes the EAP-Success information or the EAP-failure information, the GPSI and the S-NSSAI.
  • Steps 314 to 315 are similar to steps 217 to 218 in the process shown in FIG. 2 , and can be referred to each other, and the description is not repeated here.
  • in the flow of FIG. 3, the network slice identifier received by the UE from the AMF is the S-NSSAI, while the network slice information received by the AAA-S is the mapped NSPI.
  • when the UE receives the S-NSSAI from the AMF, it cannot, according to that S-NSSAI, acquire the security configuration information for the network slice that it obtained through interaction with the third party. That is, there is currently no mapping relationship between the S-NSSAI and the NSPI on the UE. Moreover, the source of the mapping relationship between the S-NSSAI and the NSPI in the NSSAAF is not clearly defined.
  • this application proposes a method for slice authentication that implements a specific scheme for the authentication and authorization of network slices by applying an alternative identifier of the S-NSSAI (such as an external slice identifier, for example the NSPI), so as to prevent the privacy of network slices from being exposed.
  • FIG. 4 shows a specific flow of a slice authentication method provided by an embodiment of the present application, and the method may be applied to the communication system shown in FIG. 1 .
  • the access and mobility management network element can obtain the first external slice identifier corresponding to the network slice for which the terminal needs authentication and authorization (the first external slice identifier identifies, outside the operator network, the network slice requiring authentication and authorization, for example network slice public information); subsequently, the access and mobility management network element directly carries the first external slice identifier when performing the slice authentication and authorization procedure.
  • the terminal can directly use the first external slice identifier of the third party to obtain slice authentication information subsequently.
  • the process of the method may include:
  • Step 401 The access and mobility management network element obtains the first external slice identifier corresponding to the network slice requiring authentication and authorization of the terminal; the first external slice identifier is used to identify, outside the operator network, the network slice requiring authentication and authorization.
  • the access and mobility management network element obtains the first external slice identifier corresponding to the network slice that the terminal needs to authenticate and authorize, and specifically may include the following two methods:
  • Method a1 The access and mobility management network element obtains configuration data of the terminal, where the configuration data includes a correspondence between a first internal slice identifier and the first external slice identifier; the first internal slice identifier is used to identify the network slice requiring authentication and authorization within the operator network; the access and mobility management network element determines the first external slice identifier according to the correspondence.
  • the correspondence between the first internal slice identifier and the first external slice identifier included in the configuration data may consist of one or more pairs of a first internal slice identifier and a first external slice identifier. The configuration data may also include correspondences between internal slice identifiers other than the first internal slice identifier and external slice identifiers other than the first external slice identifier.
  • the configuration data may be subscription data of the terminal, or may be configuration data from other devices.
  • the access and mobility management network element obtains the subscription data of the terminal; specifically, the access and mobility management network element sends a subscription data acquisition request for the terminal to the unified data management network element, where the subscription data acquisition request includes the subscription permanent identifier (SUPI) of the terminal; the unified data management network element acquires the subscription data of the terminal according to the SUPI and sends the subscription data to the access and mobility management network element.
  • the unified data management network element may send the subscription data of the terminal to the access and mobility management network element through a data response message.
  • Method a2 The access and mobility management network element obtains the subscription data of the terminal and determines, according to the subscription data, the first internal slice identifier of the network slice that the terminal needs to authenticate and authorize; the first internal slice identifier is used to identify the network slice requiring authentication and authorization within the operator network. The access and mobility management network element then sends an external slice identifier query request to the first network element, where the query request includes the first internal slice identifier, and receives the first external slice identifier from the first network element.
  • the first network element stores the correspondence between the first internal slice identifier and the first external slice identifier, and may further store other internal slice identifiers and other external slice identifiers that correspond to each other.
  • the access and mobility management network element obtains the subscription data of the terminal by requesting it from the unified data management network element; the request process is similar to that of method a1, and the two can be referred to each other.
  • the subscription data includes the first internal slice identifier, and may also include other internal slice identifiers.
  • the first internal slice identifier may be the S-NSSAI, in the home public land mobile network (HPLMN), of the network slice requiring authentication and authorization.
  • before the access and mobility management network element acquires the configuration data (or the subscription data) of the terminal, it further receives a registration request from the terminal; the registration request either includes the first internal slice identifier corresponding to the network slice that the terminal needs to authenticate and authorize, or does not contain any internal slice identifier.
  • for example, the subscription data may include S-NSSAI 1, S-NSSAI 2, S-NSSAI 3 and a default S-NSSAI, all requiring slice authentication and authorization; when the registration request includes S-NSSAI 1, S-NSSAI 1 is the first internal slice identifier; when the registration request does not include any S-NSSAI, the default S-NSSAI is the first internal slice identifier.
  • the registration request also includes an identifier of the terminal, such as a 5G globally unique temporary identifier (GUTI).
  • the first network element may be a UDM network element or an NSSF network element.
  • Step 402 The access and mobility management network element sends a first message to the terminal, where the first message includes the first external slice identifier.
  • the first message is an authentication request message, which is used to request the terminal to perform network slice authentication and authorization; further, the access and mobility management network element also sends a registration response message to the terminal, and the registration response message may further include the first internal slice identifier.
  • the access and mobility management network element receives an authentication response from the terminal, the authentication response including slice authentication information and the first external slice identifier; the access and mobility management network element sends the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the slice authentication network element may be an NSSAAF network element.
  • the slice authentication information is used by the AAA-S to perform slice authentication and authorization on the terminal.
  • the first message may further include the first internal slice identifier.
  • the slice authentication information may be EAP ID.
  • the terminal obtains the slice credentials for slice authentication and authorization corresponding to the first external slice identifier, and the upper layer of the terminal stores the first external slice identifier together with the slice credentials.
  • the slice credential may include the user identifier and the security material (such as a certificate or a shared secret key) used for slice authentication.
  • the terminal may obtain a slice credential corresponding to the first external slice identifier from a third party.
  • the AAA-S managed by the third party is configured with a slice credential for performing slice authentication and authorization with the terminal.
  • the AAA-S stores the first external slice identifier and the corresponding slice credential (that is, the credential used to authenticate whether the user is authorized to use the network slice identified by the first external slice identifier).
  • the access and mobility management network element may use the first external slice identifier to initiate a network slice authentication and authorization process.
  • because the slice credential on the terminal is obtained from the third party interacting directly with the terminal, the terminal can successfully obtain the corresponding slice credential and interact with the slice authentication server to execute the slice authentication process.
  • in the following, the description takes as an example that the substitute identifier is the first external slice identifier, the internal slice identifier is the S-NSSAI, the access and mobility management network element is the AMF, the terminal is the UE, the unified data management network element is the UDM, the network slice selection function network element is the NSSF, the slice authentication network element is the NSSAAF, the (first) internal slice identifier is the (first) S-NSSAI, and the configuration data is the subscription data of the UE.
  • an example flow of a slice authentication method provided by the present application may be as shown in FIG. 5 , and the specific flow of this example may include:
  • Step 500 The UDM stores at least one pair of an S-NSSAI and the external slice identifier corresponding to it (that is, the correspondence between S-NSSAI and external slice identifier), where the S-NSSAI is the identifier of a network slice requiring slice authentication and authorization. The correspondence may be pre-configured, configured by OAM, or determined according to a request from the AF.
  • the S-NSSAI may be the S-NSSAI in the UE's subscribed public land mobile network (PLMN), also referred to as the home public land mobile network (HPLMN).
  • the external slice identifier may be an NSPI or the like.
  • the specific format of the external slice identifier is not limited in this application.
  • the external slice identifier may have the same format as the S-NSSAI format.
  • Step 501 The AMF receives the registration request sent by the UE.
  • Step 502 The AMF interacts with the UDM to obtain the subscription data of the UE, which may include the S-NSSAI(s) of the network slices requiring authentication and authorization and the external slice identifiers corresponding to those S-NSSAI(s).
  • the AMF may send a subscription data acquisition request for the UE to the UDM, and then the UDM sends the UE subscription data to the AMF.
  • Step 503 The AMF determines a first S-NSSAI according to the subscription data of the UE, where the first S-NSSAI is used to identify the network slice requiring authentication and authorization within the operator network.
  • the AMF may determine a first NSSAI according to the subscription data of the UE, where the first NSSAI indicates the network slices requiring slice authentication and authorization and includes one or more such network slices.
  • the first S-NSSAI is contained in the NSSAI.
  • Step 504 The AMF sends a registration response message to the UE, where the registration response message includes the first S-NSSAI.
  • the registration response message further includes the mapped S-NSSAI of the first S-NSSAI in the serving PLMN.
  • Step 505 For each network slice requiring authentication and authorization, the AMF initiates a network slice authentication and authorization procedure. Specifically, the AMF determines, according to the correspondence between the S-NSSAI(s) requiring slice authentication and authorization and their external slice identifiers, the first external slice identifier corresponding to the first S-NSSAI, and generates a first NAS MM transmission message according to the first external slice identifier; the first NAS MM transmission message is used to trigger the network slice authentication and authorization procedure at the UE.
  • the first NAS MM transport message may be a network slice specific authentication command.
  • the first NAS MM transmission message may be the first message involved in the method of FIG. 4 , and in this implementation, the first message is an authentication request message.
  • the first NAS MM transmission message includes the first external slice identifier and an EAP ID request; optionally, it may also include the first S-NSSAI corresponding to the first external slice identifier.
  • the EAP ID request is used to request to obtain the UE's user identity for slice authentication and authorization.
  • Step 506 The AMF sends the first NAS MM transmission message to the UE.
  • Step 507 In response to the first NAS MM transport message, the UE sends a second NAS MM transport message to the AMF, where the second NAS MM transport message may be a network slice specific authentication complete message.
  • the second NAS MM transmission message includes an EAP ID response (the slice authentication information included in the EAP ID response is a user identifier, that is, an EAP ID) and the first outer slice identifier.
  • the second NAS MM transmission message may also include the first S-NSSAI.
  • the second NAS MM transmission message is the authentication response involved in the method described in FIG. 4 .
  • the NAS layer of the UE sends the EAP ID request and the first external slice identifier to the upper layer of the UE; optionally, the NAS layer of the UE may also send the corresponding first S-NSSAI to the upper layer.
  • the upper layer of the UE determines the EAP ID response according to the first external slice identifier received from the NAS layer. Specifically, the upper layer of the UE obtains, according to the first external slice identifier, the slice authentication information for the slice authentication and authorization of the corresponding network slice; the slice authentication information may include the user identifier (that is, the EAP ID) used to perform EAP authentication for the S-NSSAI; the upper layer of the UE then generates the EAP ID response according to the user identifier.
  • the upper layer of the UE sends the EAP ID response and the first outer slice identifier to the NAS layer, and optionally, the UE also sends the corresponding first S-NSSAI. Then, the NAS layer of the UE generates the second NAS MM transport message.
  • the UE has acquired the slice credentials (credentials) corresponding to the first external slice identifier.
  • the terminal may obtain slice credentials (credentials) corresponding to the first external slice identifier from a third party.
  • the AAA-S managed by the third party is configured with slice credentials (credentials) for the terminal to perform slice authentication and authorization.
  • the slice credential may include: the user ID and security materials (such as a certificate, a shared secret key) used for slice authentication, and the like.
  • the terminal device determines the EAP ID (that is, the user identity) according to the slice credential.
  • Step 508 After receiving the second NAS MM transmission message sent by the UE, the AMF generates a first authentication request and sends it to the NSSAAF; the first authentication request may include the EAP ID response (containing the user identifier that performs EAP authentication for the first S-NSSAI, that is, the EAP ID), the GPSI, the address of the AAA-S, and the first external slice identifier.
  • the first authentication request may be an NSSAAF authentication (Nnssaaf_Authentication) request.
  • Step 509 The NSSAAF sends a first AAA protocol message to AAA-P, where the first AAA protocol message includes the EAP ID response, the GPSI, the first outer slice identifier and the AAA-S address.
  • Step 510 The AAA-P sends the first AAA protocol message to the AAA-S indicated by the address identifier of the AAA-S.
  • the above steps 509 and 510 apply when the AAA-P exists; when there is no AAA-P, steps 509 and 510 are replaced with: the NSSAAF sends the first AAA protocol message to the AAA-S, where the first AAA protocol message contains the EAP ID response, the GPSI, the first external slice identifier and the address of the AAA-S.
  • Step 511 After receiving the first AAA protocol message, the AAA-S stores the GPSI and the EAP ID, where the GPSI is the identifier of the UE and the EAP ID is the user identifier within the slice; the AAA-S uses the EAP ID to perform slice authentication on the user it identifies.
  • the AAA-S then generates a second AAA protocol message, which includes an EAP message, the GPSI and the first external slice identifier.
  • the EAP message is used to perform network slice authentication and authorization with the UE.
  • the AAA-S sends the second AAA protocol message to the AAA-P.
  • Step 512 The AAA-P sends the second AAA protocol message to the NSSAAF.
  • when there is no AAA-P, the sending in steps 511 and 512 may be replaced with: the AAA-S sends the second AAA protocol message to the NSSAAF.
  • Step 513 The NSSAAF sends a first authentication response to the AMF, where the first authentication response includes the EAP message, the GPSI and the first outer slice identifier.
  • the first authentication response may be an Nnssaaf_Authentication response.
  • Step 514 The AMF generates a third NAS MM transmission message according to the received first authentication response, and sends the third NAS MM transmission message to the UE.
  • the third NAS MM transmission message includes the EAP message and the first outer slice identifier.
  • the third NAS MM transport message may be a network slice specific authentication command.
  • the third NAS MM transmission message may also be the first message involved in the method of FIG. 4 , and in this implementation, the first message is an authentication request message.
  • Step 515 The UE sends a fourth NAS MM transmission message to the AMF, where the fourth NAS MM transmission message includes a new EAP message and the first outer slice identifier.
  • the NAS layer of the UE sends the EAP message and the first external slice identifier in the third NAS MM transmission message to the upper layer
  • the upper layer generates a new EAP message according to the received information, and then the upper layer sends the new EAP message and the first outer slice identifier to the NAS layer.
  • the NAS layer generates the fourth NAS MM transport message including the new EAP message and the first outer slice identifier, and sends it to the AMF.
  • the fourth NAS MM transmission message may be a network slice specific authentication complete message.
  • the new EAP message includes authentication information determined from the security material in the slice credential.
  • Step 516 After the AMF receives the fourth NAS MM transmission message sent by the UE, the AMF generates a second authentication request, and sends the second authentication request to the NSSAAF; the second authentication request The request contains the new EAP message, the GPSI, the address of the AAA-S and the first outer slice identifier.
  • the second authentication request may be an Nnssaaf_Authentication request.
  • Step 517 The NSSAAF sends a third AAA protocol message to the AAA-P.
  • the third AAA protocol message includes the new EAP message, the GPSI, the first outer slice identifier and the address of the AAA-S.
  • Step 518 The AAA-P sends the third AAA protocol message to the AAA-S indicated by the address of the AAA-S.
  • when there is no AAA-P, steps 517 and 518 may be replaced with: the NSSAAF sends the third AAA protocol message to the AAA-S.
  • Step 519 When the EAP authentication is completed, the authentication of the network slice requiring authentication and authorization is completed. If the network slice authentication and authorization succeed, the AAA-S stores the first external slice identifier and the GPSI; the AAA-S can then, according to local policy, decide to trigger re-authentication and re-authorization or an authorization revocation procedure. Further, the AAA-S sends a fourth AAA protocol message to the AAA-P, where the fourth AAA protocol message may include EAP success (Success) information, the GPSI and the first external slice identifier. If authentication and authorization fail, the AAA-S sends the fourth AAA protocol message to the AAA-P with EAP failure (failure) information, the GPSI and the first external slice identifier.
  • Step 520 The AAA-P sends the fourth AAA protocol message to the NSSAAF, where the fourth AAA protocol message includes the EAP success information or the EAP failure information (consistent with what the AAA-S sent), the GPSI and the first external slice identifier.
  • when the AAA-P does not exist, the above steps 519 and 520 may be replaced with: the AAA-S sends the fourth AAA protocol message to the NSSAAF.
  • Step 521 The NSSAAF sends a second authentication response to the AMF, where the second authentication response includes the EAP success/failure information (consistent with that sent by the AAA-S), the GPSI and the first external slice identifier.
  • the second authentication response may be an Nnssaaf_Authentication response.
  • Step 522 The AMF generates a fifth NAS MM transmission message and sends it to the UE; the fifth NAS MM transmission message includes the EAP success/failure information and, optionally, the first external slice identifier.
  • Step 523 For the authenticated network slice, the AMF will trigger the UE configuration update process. Specifically, the AMF sends a new allowed NSSAI to the UE, and the NSSAI includes the S-NSSAI(s) that have been authenticated successfully.
  • in the above flow, the UDM sends both the S-NSSAI(s) and the corresponding external slice identifiers to the AMF, and the AMF determines the first external slice identifier corresponding to the first S-NSSAI.
  • alternatively, the AMF may directly request from the UDM the first external slice identifier corresponding to the first S-NSSAI; the UDM first determines the first external slice identifier corresponding to the first S-NSSAI and then provides it to the AMF. That case is not described in detail here.
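  • The following is an added example, not part of the patent text, that models the FIG. 5 flow end to end: the AMF takes the S-NSSAI to external slice identifier pairs from the UE's subscription data (method a1), and only the external identifier is carried in the NAS messages and in the messages that reach the third-party AAA-S, so the AAA-S never observes an S-NSSAI. The subscription data, the credentials, the message labels and the EAP method (an HMAC over a nonce standing in for a real EAP method) are all constructed for illustration; the NSSAAF is modelled as forwarding directly to the AAA-S with no AAA-P.

```python
"""Added example (not from the patent): a runnable model of the FIG. 5 network
slice authentication flow using an external slice identifier on the NAS and
AAA legs. All identifiers, credentials and message shapes are constructed."""
import hashlib
import hmac
import os

# Step 500: UDM subscription data with S-NSSAI <-> external identifier pairs (constructed).
UDM_SUBSCRIPTION = {
    "imsi-001010123456789": {
        "gpsi": "msisdn-447700900123",
        "nssaa_slices": {"1:000001": "ext-slice-alpha", "1:000002": "ext-slice-beta"},
        "default_snssai": "1:000002",
    }
}
# Third-party AAA-S: users keyed by external identifier only, never by S-NSSAI (constructed).
AAA_S_USERS = {"ext-slice-alpha": {"alice@slice-alpha.example": b"secret-alpha"},
               "ext-slice-beta": {"bob@slice-beta.example": b"secret-beta"}}
# UE upper layer: slice credentials obtained from the third party, keyed by external identifier.
UE_CREDENTIALS = {"ext-slice-alpha": ("alice@slice-alpha.example", b"secret-alpha")}


class AaaServer:
    """Third-party AAA-S running a toy EAP method: identity, nonce challenge, HMAC response."""

    def __init__(self, users):
        self.users, self.pending, self.authorized, self.seen = users, {}, set(), []

    def identity(self, gpsi, ext_id, eap_id):            # steps 510-511
        self.seen.append(ext_id)                            # everything that left the operator network
        if eap_id not in self.users.get(ext_id, {}):
            return ("EAP-Failure", gpsi, ext_id)
        nonce = os.urandom(16)
        self.pending[(gpsi, ext_id)] = (eap_id, nonce)
        return ("EAP-Request", nonce, gpsi, ext_id)

    def challenge(self, gpsi, ext_id, mac):              # steps 518-519
        eap_id, nonce = self.pending.pop((gpsi, ext_id))
        expected = hmac.new(self.users[ext_id][eap_id], nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, mac):
            self.authorized.add((gpsi, ext_id))            # AAA-S stores (external id, GPSI) on success
            return ("EAP-Success", gpsi, ext_id)
        return ("EAP-Failure", gpsi, ext_id)


class UeUpperLayer:
    """UE upper layer: locates slice credentials by the external identifier received over NAS."""

    def __init__(self, creds):
        self.creds = creds

    def eap_id(self, ext_id):                            # step 507
        return self.creds[ext_id][0] if ext_id in self.creds else None

    def respond(self, ext_id, nonce):                    # step 515
        return hmac.new(self.creds[ext_id][1], nonce, hashlib.sha256).digest()


def select_first_snssai(subscription, requested):
    """Steps 502-503: the S-NSSAI from the registration request if subscribed, else the default."""
    if requested is None:
        return subscription["default_snssai"]
    if requested not in subscription["nssaa_slices"]:
        raise ValueError("requested S-NSSAI is not subscribed for slice authentication")
    return requested


def run_nssaa(supi, requested_snssai, aaa_s, ue):
    """Steps 501-523 with the NSSAAF forwarding directly to the AAA-S (no AAA-P).
    Returns (allowed S-NSSAI set for the UE, final EAP result)."""
    sub = UDM_SUBSCRIPTION[supi]                                     # step 502
    snssai = select_first_snssai(sub, requested_snssai)              # step 503
    ext_id = sub["nssaa_slices"][snssai]                             # step 505: AMF maps S-NSSAI -> ext id
    nas_cmd = ("NSS-Auth-Command", "EAP-Identity-Request", ext_id)   # step 506: only ext_id on NAS
    eap_id = ue.eap_id(nas_cmd[2])                                   # step 507
    if eap_id is None:        # modelling choice: no credential for this ext id, treat as failed locally
        return set(), "EAP-Failure"
    msg = aaa_s.identity(sub["gpsi"], ext_id, eap_id)                # steps 508-511 via NSSAAF
    if msg[0] == "EAP-Request":                                      # steps 512-514: AMF relays to UE
        mac = ue.respond(ext_id, msg[1])                             # step 515
        msg = aaa_s.challenge(sub["gpsi"], ext_id, mac)              # steps 516-519
    allowed = {snssai} if msg[0] == "EAP-Success" else set()         # step 523: allowed NSSAI holds S-NSSAI
    return allowed, msg[0]


if __name__ == "__main__":
    aaa, ue = AaaServer(AAA_S_USERS), UeUpperLayer(UE_CREDENTIALS)
    print(run_nssaa("imsi-001010123456789", "1:000001", aaa, ue), aaa.seen)
    print(run_nssaa("imsi-001010123456789", None, aaa, ue), aaa.seen)
```

  • The second call in the usage block exercises the case the patent's background raises: the default S-NSSAI maps to an external identifier for which the UE's upper layer holds no credential, so no EAP identity can be produced and the slice is not added to the allowed NSSAI. Inspecting `aaa.seen` after a run shows that the only slice information the third party received is the external identifier.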
  • the flow of another example of a slice authentication method provided by the present application may be as shown in FIG. 6; the difference from FIG. 5 is that the S-NSSAI and the corresponding external slice identifier (that is, the correspondence between S-NSSAI and external slice identifier) are stored in the NSSF.
  • the specific process of this example can include:
  • Step 600 The NSSF stores at least one pair of an S-NSSAI and the external slice identifier corresponding to it (that is, the correspondence between S-NSSAI and external slice identifier), where the S-NSSAI is the identifier of a network slice requiring slice authentication and authorization. The correspondence may be pre-configured, configured by OAM, or determined according to a request from the AF.
  • Step 601 The AMF receives the registration request sent by the UE.
  • Step 602 The AMF determines a first S-NSSAI, where the first S-NSSAI is used to identify the network slice requiring authentication and authorization within the operator's network.
  • specifically, the AMF determines a first NSSAI, where the first NSSAI includes the first S-NSSAI and indicates the network slices that need to perform network slice authentication and authorization.
  • the AMF interacts with the UDM to obtain the subscription data of the UE, which includes the S-NSSAI(s) of the network slices requiring authentication and authorization, and the AMF determines the first S-NSSAI according to the subscription data.
  • Step 603 The AMF interacts with the NSSF according to the first S-NSSAI to obtain a first external slice identifier corresponding to the first S-NSSAI.
  • the AMF may send an external slice identifier query request to the NSSF, where the external slice identifier query request includes the first S-NSSAI; the NSSF returns the first external slice identifier corresponding to the first S-NSSAI provided by the AMF.
  • alternatively, the AMF may obtain all S-NSSAIs and their corresponding external slice identifiers (that is, the correspondence between S-NSSAI and external slice identifier) from the NSSF before or after step 602, where the S-NSSAIs are the identifiers of the network slices supported by the AMF; the AMF then determines the first external slice identifier corresponding to the first S-NSSAI according to that correspondence, and step 603 is not performed in this case.
  • Steps 604 to 623 are the same as the above-mentioned steps 504 to 523, for details, reference can be made to each other, and details are not repeated here.
  • FIG. 7 shows a specific flow of another slice authentication method provided by an embodiment of the present application, and the method can be applied to the communication system shown in FIG. 1 .
  • the access and mobility management network element can obtain the first external slice identifier corresponding to the network slice for which the terminal needs authentication and authorization (the first external slice identifier identifies, outside the operator network, the network slice requiring authentication and authorization, for example network slice public information); the access and mobility management network element then sends the first internal slice identifier (which identifies the network slice requiring authentication and authorization within the operator network) together with the corresponding first external slice identifier to the terminal, and the terminal performs the mapping between the first internal slice identifier and the corresponding first external slice identifier internally.
  • the terminal can be made aware of the relationship between the first inner slice identifier and the corresponding first outer slice identifier, so that authentication information can be successfully acquired.
  • the process of the method may include:
  • Step 701 The access and mobility management network element obtains the first external slice identifier corresponding to the network slice requiring authentication and authorization of the terminal; the first external slice identifier is used to identify, outside the operator network, the network slice requiring authentication and authorization.
  • step 701 is the same as step 401 involved in the foregoing FIG. 4 , which can be referred to each other, and will not be repeated here.
  • Step 702 The access and mobility management network element sends a first message to the terminal, where the first message includes the first external slice identifier and the first internal slice identifier; the first internal slice identifier is used to identify the network slice requiring authentication and authorization within the operator network.
  • the terminal sends a registration request to the access and mobility management network element, and the first message is a registration response message used to respond to the terminal's registration request.
  • Step 703 The terminal device saves the correspondence between the first inner slice identifier and the first outer slice identifier.
  • the terminal receives an authentication request message from the access and mobility management network element, which is used for the terminal to perform network slice authentication and authorization; the authentication request message includes the first internal slice identifier. The terminal sends an authentication response to the access and mobility management network element, where the authentication response includes slice authentication information and the first internal slice identifier. The access and mobility management network element then maps the first internal slice identifier to the first external slice identifier and sends the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the slice authentication information may be an EAP ID.
  • the first module of the terminal maps the first internal slice identifier included in the authentication request message to the first external slice identifier according to the corresponding relationship; the first module of the terminal sends request information to the second module of the terminal (for example, the upper layer of the terminal), and the request information includes the first external slice identifier; in response to the request information, the second module of the terminal sends response information to the first module, and the response information includes the first external slice identifier and the slice authentication information; the first module of the terminal maps the first external slice identifier in the response information to the first internal slice identifier according to the corresponding relationship; finally, the terminal generates the authentication response according to the first internal slice identifier and the slice authentication information.
  • the access and mobility management network element is AMF
  • the terminal is UE
  • the unified data management network element is UDM
  • the network slice selection function network element is NSSF
  • the slice authentication network element is NSSAAF
  • the (first) internal slice identifier is the (first) S-NSSAI, and the configuration data is the subscription data of the UE, as an example for description.
  • an example flow of a slice authentication method provided by the present application may be as shown in FIG. 8 , and the specific flow of this example may include:
  • Steps 800 to 802 are similar to the above-mentioned steps 500 to 502, for details, reference can be made to each other, and details are not repeated here.
  • Step 803 The AMF determines a first S-NSSAI according to the subscription data of the UE, where the first S-NSSAI is used to identify the network slice requiring authentication and authorization within the operator's network.
  • the AMF may determine the first NSSAI according to the subscription data of the UE.
  • the first NSSAI includes a first S-NSSAI.
  • the first NSSAI (pending NSSAI) is used to indicate a network slice that needs to perform network slice authentication and authorization.
  • the AMF determines the first outer slice identifier corresponding to the first S-NSSAI. Specifically, the AMF determines the first external slice identifier corresponding to the first S-NSSAI according to the S-NSSAI(s) and the external slice identifier(s) corresponding to the S-NSSAI(s).
  • Step 804 The AMF sends a registration response message to the UE, where the registration response message includes the first S-NSSAI and the first external slice identifier.
  • the registration response message includes the first S-NSSAI, the mapped S-NSSAI of the first S-NSSAI in the serving PLMN, and the first external slice identifier.
  • the registration response message is the first message involved in the method described in FIG. 7 .
  • the UE stores the correspondence between the first inner slice identifier and the first outer slice identifier.
  • Step 805 For each network slice that requires authentication and authorization, the AMF initiates a network slice authentication and authorization process, respectively. Specifically, the AMF respectively generates an authentication message according to the S-NSSAI that needs authentication and authorization, that is, the first NAS MM transmission message.
  • the specific generation method is the same as the existing one, and will not be described in detail here.
  • Step 806 The AMF sends a first NAS MM transmission message to the UE, where the first NAS MM transmission message includes the EAP ID request and the first S-NSSAI.
  • the first NAS MM transmission message may be the authentication request message involved in the method described in FIG. 7 above.
  • Step 807 After the UE receives the first NAS MM transmission message, the NAS layer of the UE determines the first outer slice identifier corresponding to the first S-NSSAI according to the first S-NSSAI received in the first NAS MM transmission message and the first S-NSSAI and first outer slice identifier received in the registration response message. Then, the NAS layer of the UE sends the first outer slice identifier and the EAP ID request to the upper layer of the UE.
  • the NAS layer of the UE is the first module involved in the method described in FIG. 7 above, and the upper layer of the UE is the second module involved in the method described in FIG. 7 above.
  • Step 808 The upper layer of the UE generates an EAP ID response according to the EAP ID request and the first outer slice identifier, and sends the EAP ID response and the first outer slice identifier to the NAS layer of the UE; wherein the slice authentication information contained in the EAP ID response is the user identity, that is, the EAP ID.
  • the NAS layer of the UE generates a second NAS MM transmission message according to the received EAP ID response and the first outer slice identifier, and the second NAS MM transmission message includes the first S-NSSAI and the EAP ID response.
  • the NAS layer of the UE determines, according to the first S-NSSAI and the corresponding first external slice identifier, the first S-NSSAI corresponding to the first external slice identifier, and then generates the second NAS MM transport message that includes the first S-NSSAI and the EAP message.
  • the first S-NSSAI is the S-NSSAI in the subscribed PLMN.
  • the slice authentication information contained in the EAP ID response message is a user identity, that is, the EAP ID.
  • Step 809 the UE sends the second NAS MM transmission message to the AMF.
  • the second NAS MM transmission message is the authentication response involved in the method described in FIG. 7 above.
  • Step 810 The AMF determines the first external slice identifier corresponding to the first S-NSSAI according to the first S-NSSAI in the received second NAS MM transmission message and the correspondence between the first S-NSSAI and the first external slice identifier, and generates a first authentication request, where the first authentication request includes the first external slice identifier.
  • the first authentication request also includes the EAP ID response, the GPSI and the address of the AAA-S.
  • the first authentication request may be an Nnssaaf_Authentication request.
  • Step 811 The AMF sends the first authentication request to the NSSAAF.
  • Step 812 The NSSAAF sends a first AAA protocol message to AAA-P, where the first AAA protocol message includes the EAP ID response, the GPSI, the first outer slice identifier and the AAA-S address.
  • Step 813 The AAA-P sends the first AAA protocol message to the AAA-S indicated by the address of the AAA-S.
  • the above steps 812 and 813 are the case where AAA-P exists; when there is no AAA-P, the above steps 812 and 813 can be replaced with the step: the NSSAAF sends the first AAA protocol message to the AAA-S, where the first AAA protocol message contains the EAP ID response, the GPSI, the first outer slice identifier and the address of the AAA-S.
  • Step 814 After the AAA-S determines to perform a network slice authentication process with the UE, a second AAA protocol message is generated, and the second AAA protocol message includes an EAP message, the GPSI and the first external slice identifier.
  • the EAP messages are used to perform authentication and authorization with the UE.
  • the AAA-S sends the second AAA protocol message to the AAA-P.
  • Step 815 The AAA-P sends the second AAA protocol message to the NSSAAF.
  • steps 814 and 815 may be replaced by steps: the AAA-S sends the second AAA protocol message to the NSSAAF.
  • Step 816 The NSSAAF sends a first authentication response to the AMF, where the first authentication response includes the EAP message, the GPSI and the first outer slice identifier.
  • the first authentication response may be an Nnssaaf_Authentication response.
  • Step 817 After receiving the first authentication response, the AMF generates a third NAS MM transmission message, and sends the third NAS MM transmission message to the UE, where the third NAS MM transmission message includes the EAP message and the first S-NSSAI.
  • the third NAS MM transmission message may be a network slice specific authentication command.
  • the third NAS MM transmission message is the authentication request message involved in the method described in FIG. 7 above.
  • the first S-NSSAI in the third NAS MM transmission message is mapped by the AMF according to the first external slice identifier in the received first authentication response.
  • Step 818 The UE sends a fourth NAS MM transport message to the AMF, where the fourth NAS MM transport message includes a new EAP message and the first S-NSSAI.
  • the NAS layer of the UE, according to the received EAP message and the first S-NSSAI, sends the EAP message and the first outer slice identifier corresponding to the first S-NSSAI to the upper layer of the UE.
  • the upper layer of the UE generates the new EAP message according to the EAP message, and sends the new EAP message and the first outer slice identifier to the NAS layer; the NAS layer of the UE maps the first outer slice identifier to the first S-NSSAI and generates the fourth NAS MM message containing the first S-NSSAI and the new EAP message.
  • mapping method of the NAS layer of the UE to the first external slice identifier and the first S-NSSAI is the same as the mapping method involved in steps 807 and 808, which can be referred to each other and will not be described in detail here.
  • Step 819 After receiving the fourth NAS MM transmission message sent by the UE, the AMF generates a second authentication request, and sends the second authentication request to the NSSAAF; the second authentication request includes the new EAP message, the GPSI, the first outer slice identity and the address of the AAA-S.
  • the AMF maps the first S-NSSAI to the first external slice identifier according to the first S-NSSAI in the fourth NAS MM transmission message and the correspondence between the first S-NSSAI and the first external slice identifier, and further includes the first external slice identifier in the second authentication request.
  • the second authentication request may be an Nnssaaf_Authenticate request.
  • Step 820 The NSSAAF sends a third AAA protocol message to the AAA-P, where the third AAA protocol message includes the new EAP message, the GPSI, the first outer slice identifier and the AAA-S address.
  • Step 821 The AAA-P sends the third AAA protocol message to the AAA-S indicated by the address of the AAA-S.
  • the NSSAAF sends the third AAA protocol message to the AAA-S.
  • Step 822 When the EAP authentication is completed, the authentication of the network slice requiring authentication and authorization is completed. If the network slice authentication and authorization are successful, the AAA-S stores the first external slice identifier and the GPSI. The AAA-S can then further determine to trigger re-authentication and re-authorization or authorization revocation procedures according to the local policy. Further, the AAA-S sends a fourth AAA protocol message to the AAA-P, where the fourth AAA protocol message may include EAP success information, the GPSI and the first outer slice identifier. If the network slice authentication and authorization fail, the AAA-S sends a fourth AAA protocol message to the AAA-P, and the fourth AAA protocol message may include EAP failure information, the GPSI and the first external slice identifier.
  • Step 823 The AAA-P sends the fourth AAA protocol message to the NSSAAF, and the fourth AAA protocol message includes the EAP success/failure information (consistent with that sent by the AAA-S), the GPSI and the first outer slice identifier.
  • when the AAA-P does not exist, the above steps 822 and 823 may be replaced by the step: the AAA-S sends the fourth AAA protocol message to the NSSAAF.
  • Step 824 The NSSAAF sends a second authentication response to the AMF, where the second authentication response includes the EAP success/failure information (consistent with that sent by the AAA-S), the GPSI and the first external slice identifier.
  • the second authentication response may be an Nnssaaf_Authentication response.
  • Step 825 The AMF generates a fifth NAS MM transmission message, and sends the fifth NAS MM transmission message to the UE, where the fifth NAS MM transmission message includes the EAP success/failure information.
  • the fifth NAS MM transmission message may further include the first S-NSSAI.
  • after the UE receives the fifth NAS MM transmission message, the NAS layer of the UE maps the first S-NSSAI to the first external slice identifier according to the first S-NSSAI received in the fifth NAS MM transmission message and the first S-NSSAI and first external slice identifier received in the registration response message (that is, the corresponding relationship saved by the UE). Then, the NAS layer of the UE sends the first outer slice identifier and the EAP success/failure information to the upper layer of the UE.
  • Step 826 For the authenticated network slice, the AMF will trigger the UE configuration update process. Specifically, the AMF sends a new allowed NSSAI to the UE, and the NSSAI includes the S-NSSAI(s) that have been authenticated successfully.
  • the UDM sends both the S-NSSAI and the external slice identifiers corresponding to the S-NSSAI to the AMF, and the AMF further determines the first external slice identifier corresponding to the first S-NSSAI.
  • the AMF may directly request the UDM for the first outer slice identifier corresponding to the first S-NSSAI; the UDM first determines the first outer slice identifier corresponding to the first S-NSSAI and then provides it to the AMF. For this situation, detailed description is omitted here.
  • the flow of an example of a slice authentication method provided by the present application may be as shown in FIG.
  • the difference is that the S-NSSAI and the corresponding external slice identifier (that is, the correspondence between the S-NSSAI and the external slice identifier) are stored in the NSSF.
  • the specific process of this example can include:
  • Steps 900 to 903 are similar to the above-mentioned steps 600 to 603, for details, reference can be made to each other, and details are not repeated here.
  • Steps 904 to 926 are the same as the above-mentioned steps 804 to 826, and the details can be referred to each other, and details are not repeated here.
  • FIG. 10 shows a specific flow of another slice authentication method provided by an embodiment of the present application, and the method can be applied to the communication system shown in FIG. 1 .
  • the premise is that, before network slice authentication and authorization, the corresponding relationship between the internal slice identifier and slice credentials (Credentials) in the terminal is configured by a third party through a 5G core network (5G core, 5GC).
  • the third party uses the external slice identifier (such as NSPI) and Credentials to perform the configuration.
  • the 5GC determines, according to the corresponding relationship between the external slice identifier and the internal slice identifier, that the configuration information sent to the UE is the internal slice identifier and the Credentials.
  • the configuration information includes an external slice identifier.
  • the configuration information stored in the upper layer of the UE is the internal slice identifier and Credentials, and optionally the configuration information stored in the upper layer of the UE also includes the external slice identifier; in this embodiment, the access and mobility management network element always maps between the first internal slice identifier corresponding to the network slice for which the terminal needs authentication and authorization (the first internal slice identifier is used to identify the network slice requiring authentication and authorization within the operator network) and the corresponding first external slice identifier (the first external slice identifier is used to identify the network slice requiring authentication and authorization outside the operator's network, such as network slice public information), so as to realize the mapping of the first internal slice identifier to the first external slice identifier.
  • the message sent by the terminal carries the first internal slice identifier
  • the message sent by the slice authentication network element carries the corresponding first external slice identifier.
  • the first external slice identifier can be used to realize the authentication and authorization of the network slice with the third party.
  • the process of the method may include:
  • Step 1001 The access and mobility management network element sends an authentication request message to the terminal; wherein, the authentication request message includes a first internal slice identifier; the first internal slice identifier is used to identify the network slice that requires authentication and authorization.
  • Step 1002 The access and mobility management network element receives a first authentication response from the terminal, where the first authentication response includes slice authentication information and the first internal slice identifier.
  • the slice authentication information is EAP ID.
  • Step 1003 The access and mobility management network element maps the first internal slice identifier to a first external slice identifier; the first external slice identifier is used to identify, outside the operator network, the network slice that requires authentication and authorization.
  • the access and mobility management network element may implement the mapping in step 1003 according to the corresponding relationship between the first internal slice identifier and the first external slice identifier.
  • Method b1 The access and mobility management network element acquires configuration data of the terminal; wherein the configuration data includes a correspondence between the first internal slice identifier and the first external slice identifier.
  • a specific method for the access and mobility management network element to map the first internal slice identifier to the first external slice identifier may be: the access and mobility management network element determines the first outer slice identifier according to the corresponding relationship between the first inner slice identifier and the first outer slice identifier.
  • the correspondence between the first inner slice identifier and the first outer slice identifier may be one or more pairs of the first inner slice identifier and the first outer slice identifier.
  • the configuration data further includes an internal slice identifier and an external slice identifier other than the first internal slice identifier and the first external slice identifier.
  • the configuration data may be subscription data of the terminal, or may be configuration data from other devices.
  • the configuration data may be the subscription data of the terminal
  • the access and mobility management network element acquires the subscription data of the terminal
  • the specific method may be: the access and mobility management network element sends a subscription data acquisition request for the terminal device to the unified data management network element, and the subscription data acquisition request includes the SUPI of the terminal; the unified data management network element acquires the subscription data of the terminal according to the SUPI of the terminal, and sends the subscription data of the terminal to the access and mobility management network element.
  • the unified data management network element may send the subscription data of the terminal to the access and mobility management network element through a data response message.
  • the configuration data may further include first indication information, where the first indication is used to indicate that the network slice indicated by the first internal slice identifier requires authentication and authorization.
  • the first indication information may indicate that the network slices indicated by multiple inner slice identifiers including the first inner slice identifier need authentication and authorization; or, the first indication information may only indicate that the network slice indicated by the first internal slice identifier requires authentication and authorization. That is to say, whether network slices indicated by multiple internal slice identifiers require authentication and authorization can be indicated by the same indication information; or whether network slices indicated by different internal slice identifiers require authentication and authorization can be indicated by different indication information; or, on the basis of the first two possibilities, there is no indication information for some of the internal slice identifiers to indicate whether the network slice they indicate requires authentication and authorization.
  • Method b2 The access and mobility management network element obtains the subscription data of the terminal; according to the subscription data of the terminal, it is determined that the network slice corresponding to the first internal slice identifier needs authentication and authorization; the access and mobility management network element sends an external slice identifier query request to the first network element, the external slice identifier query request including the first internal slice identifier; the access and mobility management network element receives the first external slice identifier from the first network element; the access and mobility management network element saves the correspondence between the first internal slice identifier and the first external slice identifier.
  • the first network element stores the first internal slice identifier and the first external slice identifier, and may further store other internal slice identifiers other than the first internal slice identifier and other external slice identifiers other than the first external slice identifier.
  • the access and mobility management network element obtains the subscription data of the terminal, which may specifically be: the access and mobility management network element requests the unified data management network element; the request process is similar to the request process in method b1, and the two can be referred to each other.
  • the subscription data includes the first internal slice identifier, and may also include other internal slice identifiers.
  • the first internal slice identifier may be the S-NSSAI in the HPLMN of the network slice requiring authentication and authorization.
  • the first network element may be a UDM network element or an NSSF network element.
  • Step 1004 The access and mobility management network element sends the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the access and mobility management network element receives a second authentication response from the slice authentication network element, where the second authentication response includes the first external slice identifier; the access and mobility management network element maps the first external slice identifier to the first internal slice identifier; the access and mobility management network element sends an authentication command to the terminal device, and the authentication command includes the first internal slice identifier.
  • the access and mobility management network element receives a response message to the authentication command from the terminal, and the response message to the authentication command includes the first internal slice identifier; the access and mobility management network element maps the first inner slice identifier to the first outer slice identifier; the access and mobility management network element sends a third authentication response message to the slice authentication network element, and the third authentication response message includes the first external slice identifier.
  • the terminal acquires a first internal slice identifier and slice credentials for authentication and authorization.
  • the terminal receives the first internal slice identity and authentication and authorization credentials from the 3GPP network.
  • the 3GPP network receives, from the third party, the first external slice identifier corresponding to the first internal slice identifier and the credentials for authentication and authorization, and the 3GPP network determines the first internal slice identifier and the authentication and authorization credentials to be sent to the terminal.
  • the AAA-S managed by the third party is configured with the slice authentication and authorization credentials corresponding to the first external slice identifier.
  • the authentication and authorization process can be completed between the slice authentication network element and the AAA-S through the first external slice identifier, and the privacy of the network slice will not be exposed.
  • the access and mobility management network element is AMF
  • the terminal is UE
  • the unified data management network element is UDM
  • the network slice selection function network element is NSSF
  • the slice authentication network element is NSSAAF
  • the (first) inner slice identifier is the (first) S-NSSAI, as an example for description.
  • an example flow of a slice authentication method provided by the present application may be as shown in FIG. 11 , and the specific flow of this example may include:
  • Steps 1100 to 1104 are similar to the above-mentioned steps 500 to 504, and may refer to each other, and will not be repeated here.
  • Step 1105 For each slice requiring authentication and authorization, the AMF initiates a network slice authentication and authorization process, respectively.
  • the AMF sends a first NAS MM transmission message to the UE, where the first NAS MM transmission message includes the EAP ID request and the first S-NSSAI.
  • the first NAS MM transmission message may be the authentication request message involved in the method described in FIG. 10 .
  • Step 1106 The UE sends a second NAS MM transmission message to the AMF, where the second NAS MM transmission message includes an EAP ID response (response) and the first S-NSSAI.
  • the EAP ID response includes a user identity for performing slice authentication.
  • the second NAS MM transmission message may be the first authentication response involved in the method described in FIG. 10 .
  • Step 1107 The AMF determines the first outer slice identifier corresponding to the first S-NSSAI according to the first S-NSSAI in the second NAS MM transmission message received from the UE and the S-NSSAI(s) and corresponding external slice identifiers received from the UDM; that is, the AMF maps the first S-NSSAI to the first outer slice identifier.
  • Step 1108 The AMF generates a first authentication request, and sends the first authentication request to the NSSAAF, where the first authentication request may include the EAP ID response, the GPSI, the address of the AAA-S and the first external slice identifier.
  • the first authentication request may be an Nnssaaf_Authentication request.
  • Step 1109 The NSSAAF sends a first AAA protocol message to AAA-P, where the first AAA protocol message includes the EAP ID response, the GPSI, the first outer slice identifier and the AAA-S address.
  • Step 1110 The AAA-P sends the first AAA protocol message to the AAA-S indicated by the address of the AAA-S.
  • the above steps 1109 and 1110 are the case where AAA-P exists; when there is no AAA-P, the above steps 1109 and 1110 can be replaced by the step: the NSSAAF sends the first AAA protocol message to the AAA-S.
  • Step 1111 After the AAA-S determines to perform the network slice authentication process with the UE, it generates a second AAA protocol message, and sends the second AAA protocol message to the AAA-P; the second AAA protocol message contains the EAP message, the GPSI, and the first outer slice identifier.
  • the EAP messages are used to perform authentication and authorization with the UE.
  • Step 1112 The AAA-P sends the second AAA protocol message to the NSSAAF.
  • steps 1111 and 1112 may be replaced with steps: the AAA-S sends the second AAA protocol message to the NSSAAF.
  • Step 1113 The NSSAAF sends a first authentication response to the AMF, where the first authentication response includes the EAP message, the GPSI and the first outer slice identifier.
  • the first authentication response may be an Nnssaaf_Authentication response.
  • the first authentication response may be the second authentication response involved in the method shown in FIG. 10 .
  • Step 1114 The AMF maps the first external slice identifier in the first authentication response message to the first S-NSSAI.
  • Step 1115 The AMF generates a third NAS MM transmission message, and sends the third NAS MM transmission message to the UE.
  • the third NAS MM transport message includes the EAP message and the first S-NSSAI.
  • the third NAS MM transport message may be a network slice specific authentication command.
  • the third NAS MM transmission message may be an authentication command or an authentication request message involved in the method shown in FIG. 10 .
  • Step 1116 The UE sends a fourth NAS MM transport message to the AMF, where the fourth NAS MM transport message includes a new EAP message and the first S-NSSAI.
  • the fourth NAS MM transmission message may be the response message of the authentication command involved in the method shown in FIG. 10 or the first authentication response.
  • Step 1117 The AMF maps the first S-NSSAI in the fourth NAS MM transmission message to the first outer slice identifier.
  • Step 1118 The AMF sends a second authentication request to the NSSAAF, where the second authentication request includes the new EAP message, the GPSI, the address of the AAA-S and the first outer slice identifier.
  • the second authentication request may be the third authentication response involved in the method shown in FIG. 10 .
  • Step 1119 The NSSAAF sends a third AAA protocol message to the AAA-P, where the third AAA protocol message includes the new EAP message, the GPSI, the first outer slice identifier and the AAA-S address.
  • Step 1120 The AAA-P sends the third AAA protocol message to the AAA-S.
  • the NSSAAF sends the third AAA protocol message to the AAA-S.
  • Step 1121 When the EAP authentication is completed, the authentication of the network slice requiring authentication and authorization is completed. If the network slice authentication and authorization are successful, the AAA-S stores the first external slice identifier and the GPSI. The AAA-S can then further determine to trigger re-authentication and re-authorization or authorization revocation procedures according to the local policy. Further, the AAA-S sends a fourth AAA protocol message to the AAA-P, where the fourth AAA protocol message may include EAP success information, the GPSI and the first outer slice identifier. If the network slice authentication and authorization fail, the AAA-S sends a fourth AAA protocol message to the AAA-P, and the fourth AAA protocol message may include EAP failure information, the GPSI and the first external slice identifier.
  • Step 1122 The AAA-P sends the fourth AAA protocol message to the NSSAAF, where the fourth AAA protocol message includes the EAP success or failure information (consistent with that sent by the AAA-S), the GPSI and the first outer slice identifier.
  • If the AAA-P does not exist, steps 1121 and 1122 above may be replaced by a single step: the AAA-S sends the fourth AAA protocol message to the NSSAAF.
  • Step 1123 The NSSAAF sends a second authentication response to the AMF, where the second authentication response includes the EAP success/failure information (consistent with that sent by the AAA-S), the GPSI and the first outer slice identifier.
  • Step 1124 The AMF sends the fifth NAS MM transmission message to the UE; the fifth NAS MM transmission message includes the EAP success/failure information.
  • Step 1125 For the authenticated network slice, the AMF will trigger the UE configuration update process. Specifically, the AMF sends a new allowed NSSAI to the UE, and the NSSAI includes the S-NSSAI(s) that have been authenticated successfully.
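  • The tail of the flow above (steps 1116 to 1125) can be modelled as a small message exchange. The following Python block is an added illustration, not code from the patent or from any implementation it describes: it shows the AMF mapping the S-NSSAI carried by the UE to the external slice identifier before the request leaves the operator network, the NSSAAF relaying through an optional AAA-P, the AAA-S recording (GPSI, external slice identifier) only on success, and the AMF admitting only successfully authenticated S-NSSAI into the allowed NSSAI. All identifiers (S-NSSAI values, GPSI, AAA-S address, the AAA-S acceptance policy) are constructed sample values.

```python
"""Constructed simulation of steps 1116-1125 of the slice authentication flow.
The AAA-S only ever sees the external slice identifier and the GPSI; the
internal S-NSSAI stays inside the operator network (AMF). Sample values are
constructed, not taken from the patent."""
from dataclasses import dataclass, field


@dataclass
class AAAS:
    """Third-party AAA server: decides the EAP outcome and, on success (step 1121),
    keeps (GPSI, external slice id) so it can later re-authenticate or revoke."""
    accepted: set                                  # constructed policy of accepted pairs
    authorized: set = field(default_factory=set)   # what the AAA-S has stored

    def handle(self, msg):
        key = (msg["gpsi"], msg["external_slice_id"])
        ok = key in self.accepted
        if ok:
            self.authorized.add(key)
        return {"eap": "EAP Success" if ok else "EAP Failure",
                "gpsi": msg["gpsi"], "external_slice_id": msg["external_slice_id"]}


class AAAP:
    """Optional AAA proxy (steps 1120/1122); routes on the AAA-S address."""
    def __init__(self, servers):
        self.servers = servers                     # address -> AAAS

    def forward(self, msg):
        return self.servers[msg["aaa_s_address"]].handle(msg)


class NSSAAF:
    """Relays EAP message, GPSI, external id and AAA-S address (step 1119);
    talks to the AAA-S directly when no AAA-P is deployed."""
    def __init__(self, aaa_p=None, servers=None):
        self.aaa_p, self.servers = aaa_p, servers or {}

    def authenticate(self, req):
        if self.aaa_p is not None:
            return self.aaa_p.forward(req)
        return self.servers[req["aaa_s_address"]].handle(req)


class AMF:
    def __init__(self, nssaaf, slice_map, gpsi, aaa_s_address):
        self.nssaaf = nssaaf
        self.slice_map = slice_map                 # S-NSSAI -> external id (from UDM/NSSF)
        self.gpsi, self.aaa_s_address = gpsi, aaa_s_address
        self.allowed_nssai = []

    def on_nas_mm_transport(self, eap_msg, s_nssai):
        # Step 1117: map the internal id to the external id. An S-NSSAI with no
        # configured external id is rejected locally rather than forwarded.
        external_id = self.slice_map.get(s_nssai)
        if external_id is None:
            return {"eap": "EAP Failure", "reason": "no external identifier configured"}
        # Step 1118: second authentication request toward the NSSAAF.
        resp = self.nssaaf.authenticate({"eap": eap_msg, "gpsi": self.gpsi,
                                         "aaa_s_address": self.aaa_s_address,
                                         "external_slice_id": external_id})
        # Step 1125: only a successfully authenticated slice enters the allowed
        # NSSAI, expressed again as S-NSSAI toward the UE.
        if resp["eap"] == "EAP Success" and s_nssai not in self.allowed_nssai:
            self.allowed_nssai.append(s_nssai)
        return {"eap": resp["eap"]}                # Step 1124: fifth NAS MM transport message


def run_example(with_proxy=True):
    """Constructed scenario: one UE, three S-NSSAI, only the first accepted by the AAA-S."""
    aaa_s = AAAS(accepted={("gpsi-example", "ext-slice-A")})
    servers = {"aaa-s.example": aaa_s}
    nssaaf = NSSAAF(aaa_p=AAAP(servers) if with_proxy else None, servers=servers)
    amf = AMF(nssaaf, slice_map={"s-nssai-1": "ext-slice-A", "s-nssai-2": "ext-slice-B"},
              gpsi="gpsi-example", aaa_s_address="aaa-s.example")
    outcomes = {s: amf.on_nas_mm_transport("EAP-Response(constructed)", s)["eap"]
                for s in ("s-nssai-1", "s-nssai-2", "s-nssai-3")}
    return outcomes, list(amf.allowed_nssai), set(aaa_s.authorized)
```

  • Running `run_example()` with and without the proxy gives the same outcomes, which is the point of the AAA-P being optional; the AAA-S's stored set contains only the pair that succeeded, so a later revocation or re-authentication can be addressed by external slice identifier alone.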
  • the UDM sends both the S-NSSAI and the external slice identifiers corresponding to the S-NSSAI to the AMF, and the AMF further determines the first external slice identifier corresponding to the first S-NSSAI.
  • Alternatively, the AMF may directly request from the UDM the first outer slice identifier corresponding to the first S-NSSAI; the UDM first determines the first outer slice identifier corresponding to the first S-NSSAI and then provides it to the AMF. A detailed description of this case is omitted here.
  • When the first network element is an NSSF, an example flow of the slice authentication method provided by the present application may be as shown in FIG. 12, which is the same as the case where the first network element is a UDM;
  • the difference is that the S-NSSAI and the corresponding external slice identifier (that is, the correspondence between the S-NSSAI and the external slice identifier) are stored in the NSSF.
  • the specific process of this example can include:
  • Steps 1200 to 1203 are the same as the above-mentioned steps 600 to 603, for details, reference can be made to each other, and details are not repeated here.
  • Steps 1204 to 1225 are the same as the above-mentioned steps 1104 to 1125, for details, reference can be made to each other, and details are not repeated here.
  • FIG. 4 to FIG. 6 show a slice authentication method;
  • FIG. 7 to FIG. 9 show another slice authentication method;
  • FIG. 10 to FIG. 12 show another slice authentication method.
  • All of these methods involve storing in the first network element at least one pair consisting of an S-NSSAI (internal slice identifier) and the external slice identifier corresponding to that S-NSSAI.
  • The method by which the access and mobility management network element acquires the first external slice identifier from the first network element is also the same in all of them.
  • an embodiment of the present application also provides a method for slice authentication. Referring to FIG. 13, the specific process of the method may include:
  • Step 1301 The first network element receives a data request message for the terminal from the access and mobility management network element.
  • the first network element may be a UDM network element or an NSSF network element.
  • Step 1302 The first network element sends a data response message to the access and mobility management network element, where the data response message includes a first external slice identifier; wherein the first external slice identifier is used to identify, outside the operator network, a network slice that requires authentication and authorization.
  • the data request message includes the SUPI of the terminal; further, the first network element acquires the configuration data of the terminal according to the SUPI of the terminal; the configuration data includes the correspondence between the first internal slice identifier and the first external slice identifier; wherein the first internal slice identifier is used to identify, within the operator network, the network slice that requires authentication and authorization; the data response message also includes the first internal slice identifier.
  • the configuration data is subscription data of the terminal, and in this case, the data request message is a subscription data acquisition request.
  • the data request message is an external slice query request.
  • the data request message includes a first internal slice identifier; wherein the first internal slice identifier is used to identify, within the operator network, the network slice requiring authentication and authorization; further, the first network element determines the first outer slice identifier according to the first inner slice identifier.
  • the first internal slice identifier may be the S-NSSAI in the HPLMN of the network slice requiring authentication and authorization.
  • the first network element determines a correspondence between the first inner slice identifier and the first outer slice identifier.
  • determining the correspondence between the first inner slice identifier and the first outer slice identifier by the first network element may specifically include the following methods:
  • Method c1 The first network element receives a first request from a network exposure function network element, where the first request includes the first external slice identifier and a network slice requirement; the first network element determines the internal slice identifier corresponding to the network slice that meets the network slice requirement, wherein the internal slice identifier corresponding to the network slice that meets the network slice requirement includes the first internal slice identifier; the first network element stores the correspondence between the first internal slice identifier and the first external slice identifier.
  • the network slice requirement is used to indicate the type, or the required characteristics, of the required network slice; for example, the network slice requirement may be an Internet of things (IoT) slice, an enhanced mobile broadband (eMBB) slice, an IoV slice, a deterministic transmission slice, or some parameters required by a specific QoS, such as delay, packet loss rate, etc.
  • Method c2 The first network element receives a first request from a network exposure function network element, where the first request includes a network slice requirement; the first network element determines the internal slice identifier corresponding to the network slice that meets the network slice requirement, wherein the internal slice identifier corresponding to the network slice that meets the network slice requirement includes the first internal slice identifier; the first network element determines the first external slice identifier corresponding to the first internal slice identifier; and the first network element stores the correspondence between the first internal slice identifier and the first external slice identifier.
  • When the first network element determines the first external slice identifier corresponding to the first internal slice identifier, a specific method may be: the first network element allocates the corresponding first external slice identifier to the first internal slice identifier; or the first network element obtains the first outer slice identifier corresponding to the first inner slice identifier from a second network element.
  • the second network element is another network element different from the first network element.
  • Further, the first network element sends a first response message to the network exposure function network element, where the first response message includes the first external slice identifier.
  • When the first network element determines the internal slice identifier corresponding to the network slice that meets the network slice requirement, a specific method may be: the first network element acquires, from a third network element, the internal slice identifier corresponding to the network slice that meets the network slice requirement; or the first network element directly determines the internal slice identifier corresponding to the network slice that meets the network slice requirement.
  • the third network element and the second network element may be the same network element, or may be different network elements.
  • the first request further includes an authentication requirement, and the authentication requirement is used to indicate whether authentication and authorization are required to access a network slice that meets the network slice requirement.
  • the first network element stores the correspondence between the authentication requirement and the first internal slice identifier; or, the first network element determines a first indication according to the authentication requirement, where the first indication is used to indicate whether authentication and authorization are required to access a network slice that meets the network slice requirement, and stores the correspondence between the first indication and the first internal slice identifier.
  • the first network element may store the correspondence between the first inner slice identifier and the first outer slice identifier, and store the correspondence between the authentication requirement and the first inner slice identifier; or, the first network element may also store the correspondence between the authentication requirement, the first internal slice identifier and the first external slice identifier.
  • the first network element may store the correspondence between the first inner slice identifier and the first outer slice identifier, and store the correspondence between the first indication and the first inner slice identifier; or, the first network element may also store the correspondence between the first indication, the first inner slice identifier and the first outer slice identifier.
  • the first request further includes first identification information, where the first identification information is used to indicate the terminal that uses a network slice meeting the network slice requirement, and the terminal may be a terminal in a terminal group; further, the first network element stores the correspondence between the first identification information and the first external slice identifier.
  • the first network element may store the correspondence between the first inner slice identifier and the first outer slice identifier, and store the correspondence between the first identifier information and the first inner slice identifier; Alternatively, the first network element may also store the correspondence between the first identification information, the first inner slice identifier and the first outer slice identifier.
  • Method c3 The first network element obtains the locally preconfigured first internal slice identifier and the first external slice identifier.
  • Method c4 The first network element acquires the first inner slice identifier and the first outer slice identifier from an operation, administration and maintenance (OAM) network element.
  • the AF may exchange the first inner slice identifier and the first outer slice identifier with the OAM through the NEF, and the OAM then configures the first inner slice identifier and the first outer slice identifier in the first network element.
  • the method for determining the correspondence between the first inner slice identifier and the first outer slice identifier will be described in detail below by using the specific examples shown in FIG. 14 to FIG. 17.
  • In the example shown in FIG. 14, the first network element is a UDM;
  • this example defines a process in which a third party dynamically requests an operator to allocate a network slice or lease a network slice from the operator.
  • the specific process of this example may include:
  • Step 1401 The AF sends a slice use request to the NEF, where the slice use request includes a network slice requirement, an authentication requirement and an application service provider (ASP) ID.
  • the network slice requirement is used to indicate what type of network slice is required, or what requirement the network slice must meet (for example, an Internet of things (IoT) slice, an eMBB slice, or some parameters required by a specific QoS, such as delay, packet loss rate, etc.).
  • the authentication requirement is used to indicate whether authentication and authorization are required when the UE accesses a network slice that meets the network slice requirement.
  • the ASP ID is used to indicate the third party requesting the network slice.
  • the slice use request may also include user identification information (that is, the first identification information mentioned above); the user identification information may be an external identifier of the UE or an external identifier of a group, and is used to indicate the UE(s) that use the network slice meeting the network slice requirement.
  • Step 1402 After receiving the slice use request from the AF, the NEF performs an authorization check, such as whether the ASP indicated by the ASP ID is authorized to execute the slice use request.
  • step 1402 is an optional step.
  • Step 1403 The NEF sends the slice use request (that is, the first request mentioned above) to the UDM.
  • Step 1404 The UDM performs an authorization check, that is, determines whether the ASP indicated by the ASP ID is authorized to perform the slice use request.
  • step 1404 is an optional step.
  • Step 1405 The UDM determines the S-NSSAI corresponding to the network slice that can meet the network slice requirement, where the S-NSSAI includes the first S-NSSAI; the UDM allocates the corresponding first external slice identifier to the first S-NSSAI, and locally stores the correspondence between the first S-NSSAI, the first external slice identifier and the authentication requirement.
  • the UDM stores the user identification information at the same time.
  • When the UDM stores the correspondence between the first S-NSSAI, the first external slice identifier and the authentication requirement, the storage methods involved in the method shown in FIG. 13 may also be used; reference can be made to each other, and details are not repeated here.
  • the UDM may acquire the S-NSSAI and the first external slice identifier from another network element (eg, a second network element).
  • Step 1406 The UDM sends the first S-NSSAI, the corresponding first external slice identifier and the authentication requirement to the UDR, so that the UDR stores the correspondence between the first S-NSSAI, the first external slice identifier and the authentication requirement.
  • the user identification information is stored in the UDR at the same time.
  • step 1406 is an optional step.
  • Step 1407 The UDM sends a slice use response message (that is, the above-mentioned first response message) to the NEF, where the slice use response message includes the first external slice identifier.
  • Step 1408 The NEF sends the slice usage response message to the AF.
  • In the example shown in FIG. 15, the first network element is a UDM, and the first outer slice identifier is provided by the AF.
  • the specific process of this example may include:
  • Step 1501 The AF sends a slice use request to the NEF, where the slice use request includes the first external slice identifier, network slice requirements, authentication requirements and ASP ID.
  • the slice use request further includes a user identifier.
  • Step 1502 After receiving the slice use request from the AF, the NEF performs an authorization check, such as whether the ASP indicated by the ASP ID is authorized to execute the slice use request.
  • step 1502 is an optional step.
  • Step 1503 The NEF sends the slice use request (ie the first request mentioned above) to the UDM.
  • Step 1504 The UDM performs an authorization check, that is, determines whether the ASP indicated by the ASP ID is authorized to perform the slice use request.
  • step 1504 is an optional step.
  • Step 1505 The UDM determines the S-NSSAI corresponding to the network slice that can meet the network slice requirement, where the S-NSSAI includes the first S-NSSAI; and stores the correspondence between the first S-NSSAI, the first external slice identifier and the authentication requirement.
  • the UDM stores the user identification information at the same time.
  • the UDM may acquire the S-NSSAI and the corresponding external slice identifier from other network elements.
  • Step 1506 The UDM sends the first S-NSSAI, the corresponding first external slice identifier and the authentication requirement to the UDR, so that the UDR stores the correspondence between the first S-NSSAI, the first external slice identifier and the authentication requirement.
  • the user identification information is stored in the UDR at the same time.
  • Step 1507 The UDM sends a slice use response message to the NEF.
  • Step 1508 The NEF sends the slice usage response message to the AF.
  • In the example shown in FIG. 16, the first network element is an NSSF.
  • the specific process of this example may include:
  • Step 1601 The AF sends a slice usage request to the NEF, where the slice usage request includes the network slice requirement and the ASP ID.
  • the slice use request may further include user identification information.
  • Step 1602 After receiving the slice use request from the AF, the NEF performs an authorization check, such as whether the ASP indicated by the ASP ID is authorized to execute the slice use request.
  • step 1602 is an optional step.
  • Step 1603 The NEF sends the slice use request (that is, the first request mentioned above) to the NSSF.
  • Step 1604 The NSSF performs an authorization check, that is, determines whether the ASP indicated by the ASP ID is authorized to perform the slice use request.
  • step 1604 is an optional step.
  • Step 1605 The NSSF determines the S-NSSAI corresponding to the network slice that can meet the network slice requirement, where the S-NSSAI includes the first S-NSSAI; the NSSF allocates the corresponding first external slice identifier to the first S-NSSAI, and locally stores the correspondence between the first S-NSSAI and the first external slice identifier.
  • the NSSF may interact with other network elements to obtain the S-NSSAI and the first external slice identifier.
  • Step 1606 The NSSF sends a slice usage response message (that is, the above-mentioned first response message) to the NEF, where the slice usage response message includes the first outer slice identifier.
  • Step 1607 The NEF sends the slice usage response message to the AF.
  • In the example shown in FIG. 17, the first network element is an NSSF, and the first outer slice identifier is provided by the AF.
  • the specific process of this example may include:
  • Step 1701 The AF sends a slice use request to the NEF, where the slice use request includes the first external slice identifier, the network slice requirement and the ASP ID.
  • the slice use request may further include user identification information.
  • Step 1702 After receiving the slice use request from the AF, the NEF performs an authorization check, such as whether the ASP indicated by the ASP ID is authorized to execute the slice use request.
  • step 1702 is an optional step.
  • Step 1703 The NEF sends the slice use request to the NSSF.
  • Step 1704 The NSSF performs an authorization check, that is, determines whether the ASP indicated by the ASP ID is authorized to perform the slice use request.
  • step 1704 is an optional step.
  • Step 1705 The NSSF determines the S-NSSAI corresponding to the network slice that can meet the network slice requirement, where the S-NSSAI includes the first S-NSSAI; and locally stores the correspondence between the first S-NSSAI and the first outer slice identifier.
  • the NSSF may interact with other network elements to obtain the S-NSSAI corresponding to the network slice that meets the network slice requirement.
  • Step 1706 The NSSF sends a slice use response message to the NEF.
  • Step 1707 The NEF sends the slice usage response message to the AF.
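  • The first network element's two roles described above, establishing the correspondence from a slice use request (FIG. 13 Methods c1 and c2, and the FIG. 14 to FIG. 17 flows) and answering the AMF's data request messages (FIG. 13 steps 1301 and 1302), can be modelled together. The following Python block is an added example written for this page, not code from the patent or from any implementation it describes. It assumes a constructed slice catalogue, constructed ASP IDs, SUPIs and S-NSSAI values, a dictionary standing in for the UDR, and the interpretation that the subscription data returned to the AMF lists only slices whose authentication requirement is set; the two-level authorization check (NEF, then UDM/NSSF) follows the optional steps 1402 and 1404.

```python
"""Constructed model of the first network element (UDM or NSSF) and the NEF.
Covers: optional ASP authorization checks at the NEF and at the first network
element, Method c1 (external id supplied by the AF) and Method c2 (external id
allocated locally), optional persistence in the UDR, and the two data request
messages from the AMF (subscription data by SUPI, external slice query by
S-NSSAI). Every identifier here is a constructed sample value."""
import secrets


class AuthorizationError(Exception):
    """Raised when the ASP ID is not authorized to execute the slice use request."""


class FirstNetworkElement:
    def __init__(self, name, catalogue, authorized_asps, udr=None):
        self.name = name                      # "UDM" or "NSSF" (constructed label)
        self.catalogue = catalogue            # constructed: requirement -> [S-NSSAI]
        self.authorized_asps = set(authorized_asps)
        self.udr = udr                        # dict standing in for the UDR (optional)
        self.correspondence = {}              # S-NSSAI -> record (ext id, auth req, user id)
        self.subscriptions = {}               # SUPI -> [S-NSSAI] (constructed subscription)

    def slice_use_request(self, req):
        # Step 1404/1604 (optional): is this ASP allowed to make the request?
        if req["asp_id"] not in self.authorized_asps:
            raise AuthorizationError(req["asp_id"])
        # Step 1405/1605: pick the S-NSSAI(s) meeting the network slice requirement.
        candidates = self.catalogue.get(req["requirement"])
        if not candidates:
            raise LookupError("no network slice meets " + req["requirement"])
        first_s_nssai = candidates[0]
        # Method c1: the AF supplied the external id; Method c2: allocate one locally.
        external_id = req.get("external_slice_id") or "ext-" + secrets.token_hex(4)
        record = {"external_slice_id": external_id,
                  "auth_required": bool(req.get("auth_required", False)),
                  "user_id": req.get("user_id")}        # first identification information
        self.correspondence[first_s_nssai] = record
        if self.udr is not None:              # Step 1406 (optional): persist in the UDR
            self.udr[first_s_nssai] = dict(record)
        return {"external_slice_id": external_id}       # Step 1407: first response message

    def data_request(self, msg):
        if msg["type"] == "subscription_data":          # request carries the SUPI
            # Assumption: only slices requiring authentication and authorization are
            # returned as (internal id, external id) pairs in the configuration data.
            pairs = [(s, self.correspondence[s]["external_slice_id"])
                     for s in self.subscriptions.get(msg["supi"], [])
                     if s in self.correspondence and self.correspondence[s]["auth_required"]]
            return {"slices": pairs}
        if msg["type"] == "external_slice_query":       # request carries an S-NSSAI
            rec = self.correspondence.get(msg["s_nssai"])
            return {"external_slice_id": rec["external_slice_id"] if rec else None}
        raise ValueError("unknown data request type")


class NEF:
    """Network exposure function: its own optional check (step 1402) before relaying."""
    def __init__(self, first_ne, authorized_asps):
        self.first_ne, self.authorized_asps = first_ne, set(authorized_asps)

    def slice_use_request(self, req):
        if req["asp_id"] not in self.authorized_asps:
            raise AuthorizationError(req["asp_id"])
        return self.first_ne.slice_use_request(req)


def run_example():
    """Constructed scenario exercising both allocation variants and both data requests."""
    udr = {}
    udm = FirstNetworkElement("UDM", {"IoT": ["s-nssai-iot"], "eMBB": ["s-nssai-embb"]},
                              authorized_asps={"asp-1"}, udr=udr)
    nef = NEF(udm, authorized_asps={"asp-1", "asp-2"})
    # FIG. 15 variant: the AF provides the external slice identifier.
    r1 = nef.slice_use_request({"asp_id": "asp-1", "requirement": "IoT",
                                "external_slice_id": "ext-iot-001",
                                "auth_required": True, "user_id": "group-constructed"})
    # FIG. 14 variant: the UDM allocates the external slice identifier.
    r2 = nef.slice_use_request({"asp_id": "asp-1", "requirement": "eMBB"})
    rejected = False
    try:   # passes the NEF check but is refused by the UDM's own check
        nef.slice_use_request({"asp_id": "asp-2", "requirement": "IoT"})
    except AuthorizationError:
        rejected = True
    udm.subscriptions["supi-constructed"] = ["s-nssai-iot", "s-nssai-embb"]
    sub = udm.data_request({"type": "subscription_data", "supi": "supi-constructed"})
    q = udm.data_request({"type": "external_slice_query", "s_nssai": "s-nssai-embb"})
    return {"r1": r1, "r2": r2, "rejected": rejected, "sub": sub, "q": q, "udr": udr}
```

  • The second, independent authorization check at the UDM is what prevents an ASP that is known to the NEF but not entitled to this resource from binding an external identifier to an operator slice; the external slice query answers with the identifier for exactly the S-NSSAI asked about, so the AMF learns nothing about slices it did not name.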
  • the embodiments of the present application further provide an apparatus for slice authentication.
  • the slice authentication apparatus 1800 may include a transceiver unit 1801 and a processing unit 1802.
  • the transceiver unit 1801 is used by the slice authentication apparatus 1800 to receive information (messages or data) or send information (messages or data), and the processing unit 1802 is used to control and manage the actions of the slice authentication apparatus 1800.
  • the processing unit 1802 may also control the steps performed by the transceiver unit 1801.
  • the slice authentication apparatus 1800 may be the access and mobility management network element in the foregoing embodiment, and may specifically be a processor, a chip or chip system, or a functional module, etc., in the access and mobility management network element; or, the slice authentication apparatus 1800 may be the first network element in the above embodiment, and specifically may be a processor, a chip or chip system, or a functional module, etc., in the first network element; or, the slice authentication apparatus 1800 may be the terminal in the foregoing embodiment, and may specifically be a processor, a chip or chip system, or a functional module or the like in the terminal.
  • When the slice authentication apparatus 1800 is used to implement the functions of the access network device in the embodiments shown in FIG. 4 to FIG. 9 of the foregoing embodiment, it may specifically include:
  • the processing unit 1802 is used to obtain the first external slice identifier corresponding to the network slice that the terminal needs to authenticate and authorize; the first external slice identifier is used to identify the network slice that requires authentication and authorization outside the operator's network;
  • the transceiver unit 1801 is configured to send a first message to the terminal, where the first message includes the first external slice identifier.
  • When the processing unit 1802 acquires the first external slice identifier corresponding to the network slice that the terminal needs to authenticate and authorize, the processing unit 1802 is specifically configured to: acquire configuration data of the terminal, wherein the configuration data includes the correspondence between the first internal slice identifier and the first external slice identifier, and the first internal slice identifier is used to identify, within the operator's network, the network slice that requires authentication and authorization; and determine the first outer slice identifier according to the correspondence.
  • the configuration data is subscription data of the terminal.
  • When the processing unit 1802 acquires the first external slice identifier corresponding to the network slice that the terminal needs to authenticate and authorize, the processing unit 1802 is specifically configured to: acquire the subscription data of the terminal; determine, according to the subscription data, the first internal slice identifier of the network slice that the terminal needs to authenticate and authorize, wherein the first internal slice identifier is used to identify, within the operator network, the network slice that requires authentication and authorization; control the transceiver unit 1801 to send an external slice identifier query request to the first network element, where the external slice identifier query request includes the first internal slice identifier; and control the transceiver unit 1801 to receive the first external slice identifier from the first network element.
  • the first message is a registration response message; the registration response message further includes the first internal slice identifier.
  • the transceiver unit 1801 is further configured to receive an authentication response from the terminal, where the authentication response includes slice authentication information and the first internal slice identifier; the processing unit 1802 is further configured to map the first internal slice identifier to the first external slice identifier; and the transceiver unit 1801 is further configured to send the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the first message is an authentication request message, and the authentication request message is used to request the terminal to perform network slice authentication and authorization; the transceiver unit 1801 is further configured to send a registration response message to the terminal; the registration response message also includes the first internal slice identifier.
  • the transceiver unit 1801 is further configured to receive an authentication response from the terminal, where the authentication response includes slice authentication information and the first external slice identifier; and to send the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the first message further includes the first internal slice identifier.
  • the first network element is a UDM network element or an NSSF network element.
  • the first internal slice identifier is the S-NSSAI in the HPLMN of the network slice requiring authentication and authorization.
  • When the slice authentication apparatus 1800 is configured to implement the function of the first network element in the foregoing embodiment, it may specifically include:
  • the transceiver unit 1801 is configured to receive a data request message for a terminal from an access and mobility management network element, and to send a data response message to the access and mobility management network element, where the data response message includes a first external slice identifier; wherein the first external slice identifier is used to identify, outside the operator's network, a network slice that requires authentication and authorization; the processing unit 1802 is used to control the transceiving operations of the transceiver unit 1801.
  • the data request message includes the SUPI of the terminal; the processing unit 1802 is further configured to acquire configuration data of the terminal according to the SUPI of the terminal; the configuration data includes the correspondence between a first internal slice identifier and the first external slice identifier, wherein the first internal slice identifier is used to identify, within the operator network, the network slice requiring authentication and authorization; the data response message further includes the first inner slice identifier.
  • the configuration data is subscription data of the terminal.
  • the data request message includes a first internal slice identifier; wherein, the first internal slice identifier is used to identify the network slice requiring authentication and authorization within the operator network;
  • the processing unit 1802 is further configured to determine the first outer slice identifier according to the first inner slice identifier.
  • the processing unit 1802 is further configured to determine the correspondence between the first inner slice identifier and the first outer slice identifier.
  • When the processing unit 1802 determines the correspondence between the first internal slice identifier and the first external slice identifier, the processing unit 1802 is specifically configured to: control the transceiver unit 1801 to receive a first request, where the first request includes the first external slice identifier and a network slice requirement; determine the internal slice identifier corresponding to the network slice that meets the network slice requirement, wherein the internal slice identifier corresponding to the network slice that meets the network slice requirement includes the first internal slice identifier; and store the correspondence between the first internal slice identifier and the first external slice identifier.
  • When the processing unit 1802 determines the correspondence between the first internal slice identifier and the first external slice identifier, the processing unit 1802 is specifically configured to: control the transceiver unit 1801 to receive a first request, where the first request includes a network slice requirement; determine the internal slice identifier corresponding to the network slice that meets the network slice requirement, wherein the internal slice identifier corresponding to the network slice that meets the network slice requirement includes the first inner slice identifier; determine the first outer slice identifier corresponding to the first inner slice identifier; and store the correspondence between the first inner slice identifier and the first outer slice identifier.
  • When the processing unit 1802 determines the first outer slice identifier corresponding to the first inner slice identifier, the processing unit 1802 is specifically configured to: allocate the corresponding first outer slice identifier to the first inner slice identifier; or control the transceiver unit 1801 to obtain the first external slice identifier corresponding to the first internal slice identifier from the second network element.
  • the transceiver unit 1801 is further configured to send a first response message to the network exposure function network element, where the first response message includes the first external slice identifier.
  • the first request further includes an authentication requirement, where the authentication requirement is used to indicate whether authentication and authorization are required to access a network slice that meets the network slice requirement.
  • the processing unit 1802 is further configured to store the correspondence between the authentication requirement and the first internal slice identifier; or to determine a first indication according to the authentication requirement, where the first indication is used to indicate whether authentication and authorization are required to access the network slice that meets the network slice requirement, and to store the correspondence between the first indication and the first internal slice identifier.
  • the first request further includes first identification information, where the first identification information is used to indicate a terminal that uses a network slice that meets the network slice requirement; the processing unit 1802 is further configured to store the correspondence between the first identification information and the first internal slice identifier.
  • When the processing unit 1802 determines the correspondence between the first inner slice identifier and the first outer slice identifier, the processing unit 1802 is specifically configured to: obtain the locally preconfigured first inner slice identifier and first outer slice identifier; or control the transceiver unit 1801 to obtain the first inner slice identifier and the first outer slice identifier from the OAM network element.
  • the first internal slice identifier is the S-NSSAI in the HPLMN of the network slice requiring authentication and authorization.
  • the first network element is a UDM network element or an NSSF network element.
  • when the slice authentication apparatus 1800 is used to implement the functions of the terminal in the embodiments shown in FIG. 7 to FIG. 9 in the foregoing embodiment, it may specifically include:
  • the transceiver unit 1801 is configured to receive a first message from an access and mobility management network element, where the first message includes a first external slice identifier and a first internal slice identifier; the first external slice identifier is used to identify the network slice requiring authentication and authorization outside the operator's network, and the first internal slice identifier is used to identify the network slice requiring authentication and authorization inside the operator's network; the processing unit 1802 is configured to store the correspondence between the first internal slice identifier and the first external slice identifier.
  • the transceiver unit 1801 is further configured to send a registration request to the access and mobility management network element; the first message is a registration response message corresponding to the registration request.
  • the transceiver unit 1801 is further configured to receive an authentication request message from the access and mobility management network element, where the authentication request message is used to request the terminal to perform network slice authentication and authorization and includes the first internal slice identifier; and to send an authentication response to the access and mobility management network element, where the authentication response includes slice authentication information and the first internal slice identifier.
  • the processing unit 1802 is configured to: use the first module to map the first internal slice identifier included in the authentication request message to the first external slice identifier according to the corresponding relationship; send, by the first module, request information to the second module of the terminal, where the request information includes the first external slice identifier; in response to the request information, send, by the second module, response information to the first module, where the response information includes the first external slice identifier and the slice authentication information; map, by the first module, the first external slice identifier in the response information to the first internal slice identifier according to the corresponding relationship; and generate the authentication response according to the first internal slice identifier and the slice authentication information.
  • when the slice authentication apparatus 1800 is used to implement the functions of the access and mobility management network element in the embodiments described in FIG. 10 to FIG. 12 in the foregoing embodiment, it may specifically include:
  • the transceiver unit 1801 is configured to send an authentication request message to the terminal, where the authentication request message is used to request the terminal to perform network slice authentication and authorization and includes a first internal slice identifier, the first internal slice identifier being used to identify the network slice requiring authentication and authorization within the operator network; and to receive a first authentication response from the terminal, where the first authentication response includes slice authentication information and the first internal slice identifier; the processing unit 1802 is configured to map the first internal slice identifier to a first external slice identifier, where the first external slice identifier is used to identify the network slice requiring authentication and authorization outside the operator network; the transceiver unit 1801 is further configured to send the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the processing unit 1802 is further configured to acquire configuration data of the terminal, where the configuration data includes the correspondence between the first internal slice identifier and the first external slice identifier; further, when the processing unit 1802 maps the first internal slice identifier to the first external slice identifier, it is specifically configured to determine the first external slice identifier according to the first internal slice identifier and the corresponding relationship.
  • the configuration data further includes first indication information, where the first indication is used to indicate that the network slice indicated by the first internal slice identifier requires authentication and authorization.
  • the configuration data is subscription data of the terminal.
  • the processing unit 1802 is further configured to: acquire subscription data of the terminal; determine, according to the subscription data of the terminal, that the network slice corresponding to the first internal slice identifier requires authentication and authorization; control the transceiver unit 1801 to send an external slice identifier query request to the first network element, where the external slice identifier query request includes the first internal slice identifier; control the transceiver unit 1801 to receive the first external slice identifier from the first network element; and store the correspondence between the first internal slice identifier and the first external slice identifier.
  • the transceiver unit 1801 is further configured to receive a second authentication response from the slice authentication network element, where the second authentication response includes the first external slice identifier; the processing unit 1802 is further configured to map the first external slice identifier to the first internal slice identifier; the transceiver unit 1801 is further configured to send an authentication command to the terminal device, where the authentication command includes the first internal slice identifier.
  • the first network element is a UDM network element or an NSSF network element.
  • the first internal slice identifier is the S-NSSAI in the HPLMN of the network slice requiring authentication and authorization.
  • each functional unit in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.
  • the integrated unit if implemented as a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium.
  • the technical solutions of the present application can be embodied in the form of software products in essence, or the parts that contribute to the prior art, or all or part of the technical solutions, and the computer software products are stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor to execute all or part of the steps of the methods in the various embodiments of the present application.
  • the aforementioned storage medium includes: U disk, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk and other media that can store program codes.
  • the embodiments of the present application further provide an apparatus for slice authentication.
  • the slice authentication apparatus 1900 may include a transceiver 1901 and a processor 1902.
  • the slice authentication apparatus 1900 may further include a memory 1903 .
  • the memory 1903 may be provided inside the slice authentication apparatus 1900, or may be provided outside the slice authentication apparatus 1900.
  • the processor 1902 can control the transceiver 1901 to receive and transmit data or information.
  • the processor 1902 may be a central processing unit (CPU), a network processor (NP), or a combination of CPU and NP.
  • the processor 1902 may further include hardware chips.
  • the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD can be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (generic array logic, GAL) or any combination thereof.
  • the transceiver 1901, the processor 1902 and the memory 1903 are connected to each other.
  • the transceiver 1901, the processor 1902 and the memory 1903 are connected to each other through a bus 1904;
  • the bus 1904 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc.
  • the bus can be divided into address bus, data bus, control bus and so on. For ease of presentation, only one thick line is shown in FIG. 19, but it does not mean that there is only one bus or one type of bus.
  • the memory 1903 is used to store programs and the like.
  • the program may include program code, the program code including computer operation instructions.
  • Memory 1903 may include RAM, and may also include non-volatile memory, such as one or more disk memories.
  • the processor 1902 executes the application program stored in the memory 1903 to realize the above-mentioned functions, thereby realizing the function of the slice authentication apparatus 1900.
  • the slice authentication apparatus 1900 may be the above-mentioned access and mobility management network element, the first network element or the terminal.
  • when the slice authentication apparatus 1900 is used to implement the functions of the access network device in the embodiments shown in FIG. 4 to FIG. 9 in the foregoing embodiment, it may specifically include:
  • the processor 1902 is used to obtain the first external slice identifier corresponding to the network slice that the terminal needs authentication and authorization; the first external slice identifier is used to identify the network slice that requires authentication and authorization outside the operator network;
  • the transceiver 1901 is configured to send a first message to the terminal, where the first message includes the first external slice identifier.
  • when the processor 1902 acquires the first external slice identifier corresponding to the network slice for which the terminal needs authentication and authorization, the processor 1902 is specifically configured to: acquire configuration data of the terminal, where the configuration data includes the corresponding relationship between the first internal slice identifier and the first external slice identifier, and the first internal slice identifier is used to identify the network slice that requires authentication and authorization within the operator's network; and determine the first external slice identifier according to the corresponding relationship.
  • the configuration data is subscription data of the terminal.
  • when the processor 1902 acquires the first external slice identifier corresponding to the network slice for which the terminal needs authentication and authorization, the processor 1902 is specifically configured to: acquire the subscription data of the terminal; determine, according to the subscription data, the first internal slice identifier of the network slice for which the terminal needs authentication and authorization, where the first internal slice identifier is used to identify the network slice that requires authentication and authorization within the operator network; control the transceiver 1901 to send an external slice identifier query request to the first network element, where the external slice identifier query request includes the first internal slice identifier; and control the transceiver 1901 to receive the first external slice identifier from the first network element.
  • the first message is a registration response message; the registration response message further includes the first internal slice identifier.
  • the transceiver 1901 is further configured to receive an authentication response from the terminal, where the authentication response includes slice authentication information and the first internal slice identifier; the processor 1902 is further configured to map the first internal slice identifier to the first external slice identifier; the transceiver 1901 is further configured to send the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the first message is an authentication request message, and the authentication request message is used to request the terminal to perform network slice authentication and authorization; the transceiver 1901 is further used to send a registration response message to the terminal; the registration response message also includes the first internal slice identifier.
  • the transceiver 1901 is further configured to receive an authentication response from the terminal, where the authentication response includes slice authentication information and the first external slice identifier; and to send the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the first message further includes the first internal slice identifier.
  • the first network element is a UDM network element or an NSSF network element.
  • the first internal slice identifier is the S-NSSAI in the HPLMN of the network slice requiring authentication and authorization.
  • when the slice authentication apparatus 1900 is configured to implement the function of the first network element in the foregoing embodiment, it may specifically include:
  • the transceiver 1901 is configured to receive a data request message for a terminal from an access and mobility management network element, and to send a data response message to the access and mobility management network element, where the data response message includes the first external slice identifier, and the first external slice identifier is used to identify a network slice that requires authentication and authorization outside the operator's network; the processor 1902 is used to control the sending and receiving operations of the transceiver 1901.
  • the data request message includes the SUPI of the terminal; the processor 1902 is further configured to acquire configuration data of the terminal according to the SUPI of the terminal, where the configuration data includes the correspondence between the first internal slice identifier and the first external slice identifier, and the first internal slice identifier is used to identify the network slice that requires authentication and authorization within the operator network; the data response message also includes the first internal slice identifier.
  • the configuration data is subscription data of the terminal.
  • the data request message includes a first internal slice identifier; wherein, the first internal slice identifier is used to identify the network slice requiring authentication and authorization within the operator network;
  • the processor 1902 is further configured to determine the first outer slice identifier according to the first inner slice identifier.
  • the processor 1902 is further configured to determine the correspondence between the first inner slice identifier and the first outer slice identifier.
  • when the processor 1902 determines the correspondence between the first internal slice identifier and the first external slice identifier, the processor 1902 is specifically configured to: control the transceiver 1901 to receive the first request, where the first request includes the first external slice identifier and the network slice requirement; determine the internal slice identifier corresponding to the network slice that meets the network slice requirement, where the internal slice identifier corresponding to the network slice that meets the network slice requirement includes the first internal slice identifier; and save the correspondence between the first internal slice identifier and the first external slice identifier.
  • when the processor 1902 determines the correspondence between the first internal slice identifier and the first external slice identifier, the processor 1902 is specifically configured to: control the transceiver 1901 to receive the first request, where the first request includes the network slice requirement; determine the internal slice identifiers corresponding to the network slices that meet the network slice requirement, where these internal slice identifiers include the first internal slice identifier; determine the first external slice identifier corresponding to the first internal slice identifier; and save the correspondence between the first internal slice identifier and the first external slice identifier.
  • when the processor 1902 determines the first external slice identifier corresponding to the first internal slice identifier, the processor 1902 is specifically configured to: assign the corresponding first external slice identifier to the first internal slice identifier; or control the transceiver 1901 to obtain the first external slice identifier corresponding to the first internal slice identifier from the second network element.
  • the transceiver 1901 is further configured to send a first response message to the network opening function network element, where the first response message includes the first external slice identifier.
  • the first request further includes an authentication requirement, where the authentication requirement is used to indicate whether authentication and authorization are required to access a network slice that meets the network slice requirement.
  • the processor 1902 is further configured to store the correspondence between the authentication requirement and the first internal slice identifier; or, determine a first indication according to the authentication requirement, where the first indication is used to indicate whether authentication and authorization are required to access the network slice that meets the network slice requirement, and store the correspondence between the first indication and the first internal slice identifier.
  • the first request further includes first identification information, where the first identification information is used to indicate a terminal that uses a network slice that meets the network slice requirement; the processor 1902 is further configured to store the correspondence between the first identification information and the first internal slice identifier.
  • when the processor 1902 determines the correspondence between the first internal slice identifier and the first external slice identifier, the processor 1902 is specifically configured to: acquire the locally preconfigured first internal slice identifier and first external slice identifier; or control the transceiver 1901 to obtain the first internal slice identifier and the first external slice identifier from the OAM network element.
  • the first internal slice identifier is the S-NSSAI in the HPLMN of the network slice requiring authentication and authorization.
  • the first network element is a UDM network element or an NSSF network element.
  • when the slice authentication apparatus 1900 is used to implement the functions of the terminal in the embodiments shown in FIG. 7 to FIG. 9 in the foregoing embodiment, it may specifically include:
  • the transceiver 1901 is configured to receive a first message from an access and mobility management network element, where the first message includes a first external slice identifier and a first internal slice identifier; the first external slice identifier is used to identify the network slice requiring authentication and authorization outside the operator network, and the first internal slice identifier is used to identify the network slice requiring authentication and authorization inside the operator network; the processor 1902 is configured to save the correspondence between the first internal slice identifier and the first external slice identifier.
  • the transceiver 1901 is further configured to send a registration request to the access and mobility management network element; the first message is a registration response message corresponding to the registration request.
  • the transceiver 1901 is further configured to receive an authentication request message from the access and mobility management network element, where the authentication request message is used to request the terminal to perform network slice authentication and authorization and includes the first internal slice identifier; and to send an authentication response to the access and mobility management network element, where the authentication response includes slice authentication information and the first internal slice identifier.
  • the processor 1902 is configured to: use the first module to map the first internal slice identifier included in the authentication request message to the first external slice identifier according to the corresponding relationship; send, by the first module, request information to the second module of the terminal, where the request information includes the first external slice identifier; in response to the request information, send, by the second module, response information to the first module, where the response information includes the first external slice identifier and the slice authentication information; map, by the first module, the first external slice identifier in the response information to the first internal slice identifier according to the corresponding relationship; and generate the authentication response according to the first internal slice identifier and the slice authentication information.
  • when the slice authentication apparatus 1900 is used to implement the functions of the access and mobility management network element in the embodiments described in FIG. 10 to FIG. 12 in the foregoing embodiment, it may specifically include:
  • the transceiver 1901 is configured to send an authentication request message to the terminal, where the authentication request message is used to request the terminal to perform network slice authentication and authorization and includes a first internal slice identifier, the first internal slice identifier being used to identify the network slice requiring authentication and authorization within the operator network; and to receive a first authentication response from the terminal, where the first authentication response includes slice authentication information and the first internal slice identifier; the processor 1902 is configured to map the first internal slice identifier to a first external slice identifier, where the first external slice identifier is used to identify the network slice requiring authentication and authorization outside the operator network; the transceiver 1901 is further configured to send the slice authentication information and the first external slice identifier to the slice authentication network element.
  • the processor 1902 is further configured to acquire configuration data of the terminal, where the configuration data includes the correspondence between the first internal slice identifier and the first external slice identifier; further, when the processor 1902 maps the first internal slice identifier to the first external slice identifier, it is specifically configured to determine the first external slice identifier according to the first internal slice identifier and the corresponding relationship.
  • the configuration data further includes first indication information, where the first indication is used to indicate that the network slice indicated by the first internal slice identifier requires authentication and authorization.
  • the configuration data is subscription data of the terminal.
  • the processor 1902 is further configured to: acquire subscription data of the terminal; determine, according to the subscription data of the terminal, that the network slice corresponding to the first internal slice identifier requires authentication and authorization; control the transceiver 1901 to send an external slice identifier query request to the first network element, where the external slice identifier query request includes the first internal slice identifier; control the transceiver 1901 to receive the first external slice identifier from the first network element; and store the correspondence between the first internal slice identifier and the first external slice identifier.
  • the slice authentication information is the EAP ID.
  • the transceiver 1901 is further configured to receive a second authentication response from a slice authentication network element, where the second authentication response includes the first external slice identifier; the processor 1902 is further configured to map the first external slice identifier to the first internal slice identifier; the transceiver 1901 is further configured to send an authentication command to the terminal device, where the authentication command includes the first internal slice identifier.
  • the first network element is a UDM network element or an NSSF network element.
  • the first internal slice identifier is the S-NSSAI in the HPLMN of the network slice requiring authentication and authorization.
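As an added example (not code from the patent or from the applicant), the following Python sketch simulates the identifier mapping performed by the access and mobility management network element in the items above, together with the external slice identifier query to the first network element described in the first-network-element items; all class names, message fields and sample identifiers are assumptions made for this example.

```python
from typing import Dict, Optional

# Constructed sample values for this example; none of them come from the patent text.
INTERNAL_SNSSAI = "S-NSSAI:sst=1,sd=0A1B2C"   # stands in for the S-NSSAI in the HPLMN
EXTERNAL_SLICE_ID = "ext-slice-7f3c"          # identifier used outside the operator network
SUPI = "imsi-001010123456789"                 # constructed subscriber identifier
EAP_ID = "user@tenant.example"                # slice authentication information (EAP ID)


class FirstNetworkElement:
    """Stands in for the UDM/NSSF role: answers external slice identifier queries
    from a correspondence it has stored (hypothetical interface)."""

    def __init__(self, correspondence: Dict[str, str]):
        self._correspondence = dict(correspondence)

    def query_external_id(self, internal_id: str) -> str:
        return self._correspondence[internal_id]


class AccessMobilityManagementNE:
    """Minimal access and mobility management logic: keeps the correspondence between
    internal and external slice identifiers and rewrites identifiers on the boundary
    of the operator network."""

    def __init__(self, subscription: Dict[str, Dict[str, bool]], first_ne: FirstNetworkElement):
        # subscription[supi][internal_id] is True when that slice needs authentication
        # and authorization; this stands in for the terminal's subscription data.
        self._subscription = subscription
        self._first_ne = first_ne
        self._in_to_out: Dict[str, str] = {}
        self._out_to_in: Dict[str, str] = {}

    def build_authentication_request(self, supi: str) -> Optional[dict]:
        """From the subscription data, find a slice that requires authentication, obtain
        its external identifier from the first network element, store the correspondence,
        and return the authentication request for the terminal (internal identifier only)."""
        slices = self._subscription.get(supi, {})
        needing_auth = [s for s, required in slices.items() if required]
        if not needing_auth:
            return None
        internal_id = needing_auth[0]
        external_id = self._first_ne.query_external_id(internal_id)
        self._in_to_out[internal_id] = external_id
        self._out_to_in[external_id] = internal_id
        return {"type": "authentication_request", "internal_slice_id": internal_id}

    def forward_authentication_response(self, first_response: dict) -> dict:
        """Map the internal identifier in the terminal's response to the external one
        before the slice authentication information leaves the operator network."""
        internal_id = first_response["internal_slice_id"]
        if internal_id not in self._in_to_out:
            # No stored correspondence: refuse rather than forward an internal identifier.
            raise ValueError("no external identifier stored for this internal slice identifier")
        return {
            "type": "slice_authentication",
            "eap_id": first_response["eap_id"],
            "external_slice_id": self._in_to_out[internal_id],
        }

    def build_authentication_command(self, second_response: dict) -> dict:
        """Map the external identifier in the slice authentication network element's
        response back to the internal identifier for the authentication command."""
        internal_id = self._out_to_in[second_response["external_slice_id"]]
        return {
            "type": "authentication_command",
            "internal_slice_id": internal_id,
            "eap_payload": second_response["eap_payload"],
        }


def leaks_internal_identifier(outbound: dict, internal_ids) -> bool:
    """Boundary check: True if any field of an outbound message carries an internal
    slice identifier, which is exactly what the mapping is meant to prevent."""
    return any(isinstance(v, str) and v in internal_ids for v in outbound.values())


def run_flow():
    """Run the AMF-side exchange end to end and return the two messages it produces."""
    first_ne = FirstNetworkElement({INTERNAL_SNSSAI: EXTERNAL_SLICE_ID})
    amf = AccessMobilityManagementNE({SUPI: {INTERNAL_SNSSAI: True}}, first_ne)
    auth_request = amf.build_authentication_request(SUPI)
    # Terminal answers with the EAP ID and the internal identifier it was given.
    first_response = {
        "type": "authentication_response",
        "eap_id": EAP_ID,
        "internal_slice_id": auth_request["internal_slice_id"],
    }
    to_slice_auth_ne = amf.forward_authentication_response(first_response)
    # The slice authentication network element replies with the external identifier only.
    second_response = {
        "type": "authentication_response",
        "external_slice_id": to_slice_auth_ne["external_slice_id"],
        "eap_payload": b"\x01\x02",   # constructed placeholder for an EAP message
    }
    return to_slice_auth_ne, amf.build_authentication_command(second_response)
```

Running `run_flow()` yields the message for the slice authentication network element carrying only the external identifier, and the authentication command for the terminal carrying the internal identifier again.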
  • the embodiments of the present application provide a communication system, and the communication system may include the access and mobility management network element, the first network element, the terminal, and the like involved in the above embodiments.
  • Embodiments of the present application further provide a computer-readable storage medium, where the computer-readable storage medium is used to store a computer program, and when the computer program is executed by a computer, the computer can implement the slice authentication method provided by the foregoing method embodiments.
  • Embodiments of the present application further provide a computer program product, where the computer program product is used to store a computer program, and when the computer program is executed by a computer, the computer can implement the slice authentication method provided by the above method embodiments.
  • An embodiment of the present application further provides a chip, where the chip is coupled with a memory, and the chip is used to implement the method for slice authentication provided by the above method embodiments.
  • An embodiment of the present application further provides a chip system, where the chip system includes a processor, which is configured to support the above-mentioned communication apparatus to implement the functions involved in the above-mentioned aspects.
  • the chip system further includes a memory for storing necessary program instructions and data of the communication device.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, and the instruction means implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a slice authentication method and apparatus for avoiding exposure of the privacy of a network slice. The method comprises: sending, by an access and mobility management network element, an authentication request message to a terminal, the authentication request message requesting the terminal to perform network slice authentication and authorization, the authentication request message including a first internal slice identifier, and the first internal slice identifier being used to identify, inside an operator network, network slices that require authentication and authorization; receiving, by the access and mobility management network element, a first authentication response from the terminal, the first authentication response including slice authentication information and the first internal slice identifier; mapping, by the access and mobility management network element, the first internal slice identifier to a first external slice identifier, the first external slice identifier being used to identify, outside the operator network, network slices that require authentication and authorization; and sending, by the access and mobility management network element, the slice authentication information and the first external slice identifier to a slice authentication network element.
PCT/CN2020/107588 2020-08-06 2020-08-06 Procédé et appareil d'authentification de tranche WO2022027529A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/107588 WO2022027529A1 (fr) 2020-08-06 2020-08-06 Procédé et appareil d'authentification de tranche

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/107588 WO2022027529A1 (fr) 2020-08-06 2020-08-06 Slice authentication method and apparatus

Publications (1)

Publication Number Publication Date
WO2022027529A1 true WO2022027529A1 (fr) 2022-02-10

Family

ID=80119841

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/107588 WO2022027529A1 (fr) 2020-08-06 2020-08-06 Slice authentication method and apparatus

Country Status (1)

Country Link
WO (1) WO2022027529A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108012267A (zh) * 2016-10-31 2018-05-08 华为技术有限公司 Network authentication method, related device and system
US20200053083A1 (en) * 2018-08-13 2020-02-13 Lenovo (Singapore) Pte. Ltd. Network slice authentication
CN111328110A (zh) * 2018-12-13 2020-06-23 华为技术有限公司 Network slice selection method, device and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HUAWEI, HISILICON: "Addessing EN on transmitting NSSAI to AAA", 3GPP DRAFT; S3-200158, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. e-meeting; 20200302 - 20200306, 21 February 2020 (2020-02-21), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051854895 *
HUAWEI, HISILICON: "Sending NSSAI to AAA", 3GPP DRAFT; S3-200787, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. e-meeting; 20200414 - 20200417, 3 April 2020 (2020-04-03), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051868695 *
HUAWEI, HISILICON: "Sending NSSAI to AAA", 3GPP DRAFT; S3-201154, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. Online Meeting ;20200511 - 20200515, 1 May 2020 (2020-05-01), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051879793 *

Similar Documents

Publication Publication Date Title
US10505718B1 (en) Systems, devices, and techniques for registering user equipment (UE) in wireless networks using a native blockchain platform
EP3627793B1 (fr) Session processing method and device
US20200296142A1 (en) User Group Establishment Method and Apparatus
US20200374698A1 (en) Communication method and communications apparatus
US10123205B2 (en) Admission of a session to a virtual network service
WO2019128671A1 (fr) Session establishment method, device and system
US11533610B2 (en) Key generation method and related apparatus
US20220217611A1 (en) Service Configuration Method, Communication Apparatus, and Communication System
US20230319556A1 (en) Key obtaining method and communication apparatus
WO2020224622A1 (fr) Information configuration method and device
WO2022159725A1 (fr) Federated identity management in a fifth generation (5G) system
US20230164523A1 (en) Communication Method, Device, and System
US20230087407A1 (en) Authentication and authorization method and apparatus
WO2021138822A1 (fr) Subscription information acquisition method and device
WO2022247812A1 (fr) Authentication method, communication device and system
US20220263879A1 (en) Multicast session establishment method and network device
EP4319232A1 (fr) Communication method and apparatus
EP4262247A1 (fr) Communication method and apparatus
WO2023185880A9 (fr) Access network device determination method
WO2023087965A1 (fr) Communication method and apparatus
WO2023011630A1 (fr) Authorization verification method and apparatus
US20220078795A1 (en) Data processing method and apparatus, and system
WO2022027529A1 (fr) Slice authentication method and apparatus
CN115996378A (zh) Authentication method and apparatus
TWI836328B (zh) Communication method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20948424; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20948424; Country of ref document: EP; Kind code of ref document: A1)