WO2022087797A1 - Information transmission method and apparatus - Google Patents

Information transmission method and apparatus

Publication number
WO2022087797A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobility management
terminal device
network element
network
security context
Application number
PCT/CN2020/123784
Other languages
French (fr)
Chinese (zh)
Inventor
张博
李飞
邓娟
何承东
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2020/123784
Priority to CN202080105755.1A (CN116250263A)
Publication of WO2022087797A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Definitions

  • the present application relates to the field of communication technologies, and in particular, to an information transmission method and device.
  • the fifth generation (5G) mobile communication network (referred to as 5G network) came into being, and the 5G network can coexist with the existing fourth generation (4G) network. Interoperability can be achieved between the two.
  • after the user equipment is switched from the 5G network to the 4G network, if the user equipment moves again, a handover between mobility management entities (MMEs) may be triggered.
  • MMEs mobility management entities
  • when the user equipment switches from MME1 to MME2, MME2 determines the security context type of the UE from the key set identifier in E-UTRAN (eKSI) carried in the tracking area update (TAU) request that the UE subsequently sends; if that type is inconsistent with the type MME2 stores locally, MME2 rejects the UE's TAU request, so that the UE cannot access the network again for a period of time, which affects the service continuity of the user equipment.
  • the eKSI is used to identify the security context corresponding to the 4G network.
  • Security contexts include mapped types and native types.
  • the native type refers to the security context generated in a communication system and used only in the communication system, for example, the local security context used in the 4G network, or the local security context negotiated after the 5G network authentication.
  • the mapped type refers to a context generated in one communication system and used by another communication system after derivation or processing.
  • the core access and mobility management function (AMF) in the 5G network derives a mapped security context from the native security context used in the 5G network and sends the mapped security context to MME1.
  • therefore the eKSI saved by the UE and by MME1 identifies a mapped security context. When the UE moves and triggers a switch from MME1 to MME2, MME2 treats the security context received from MME1 as a native security context, while the eKSI carried in the TAU request sent by the UE indicates that the UE uses a mapped security context, so MME2 cannot find a matching mapped security context locally.
  • MME2 fails to verify the UE's TAU message and sends a rejection message to the UE.
  • the rejection message may also carry a rejection indication instructing the UE to access again only after a period of time; this seriously affects the continuity of UE services.
  • Embodiments of the present application provide an information transmission method and apparatus, so as to solve the problem of the security context of a terminal device being out of sync when an MME switch occurs.
  • an embodiment of the present application provides an information transmission method, which is applied to a first mobility management network element.
  • the method includes: receiving a tracking area update (TAU) request message from a user equipment that has switched from the second network to the first network, where the first mobility management network element belongs to the first network; and, according to the TAU request message, setting the security context used between the first mobility management network element and the user equipment as the native security context.
  • when the user equipment is switched from the second network to the first mobility management network element of the first network, the first mobility management network element can, according to the TAU request message, unify the security context used between itself and the user equipment as the native security context, the native security context being the context used in the first network.
  • when the user equipment subsequently needs to be switched from the first mobility management network element to another mobility management network element for reasons such as movement, the situation in which the access of the user equipment is rejected by the other mobility management network element because the security context is out of sync can be avoided, the service continuity of the user equipment is guaranteed, and the communication performance is improved.
  • the user equipment in each embodiment of the present application is just an example, and may be other types of terminal equipment.
  • setting the security context used between the first mobility management network element and the user equipment as the native security context includes: the first mobility management network element authenticates the user equipment.
  • the first mobility management network element unifies the security context used with the user equipment into the native security context. Specifically, the first mobility management network element can trigger authentication of the user equipment, and after authentication the security context can be unified to the native type used in the first network, so that the security context between the user equipment and the first mobility management network element, and between the user equipment and the other mobility management network elements in the first network, is synchronized. When the user equipment needs to switch from the first mobility management network element to another mobility management network element in the first network for other reasons, the user equipment is thus prevented from being rejected when accessing the other mobility management network element, and the service continuity of the user equipment is guaranteed.
  • the TAU request message includes status information of the user equipment
  • the first mobility management network element authenticates the user equipment, specifically including: if the status information indicates that the user equipment switched from the second network to the first network, or the status information indicates the mobility management registration information of the second network of the user equipment, or the status information indicates that the user equipment has the network security capability of the second network, or the status information indicates that the user equipment has the capability of the N1 interface of the second network, the first mobility management network element authenticates the user equipment.
  • the first mobility management network element may trigger authentication of the user equipment after confirming from the above status information that the user equipment switched from the second network to the first network, so as to unify the security context used between the first mobility management network element and the user equipment to the native type. When the user equipment then needs to switch from the first mobility management network element to another mobility management network element in the first network for reasons such as movement, the situation in which the access of the user equipment is rejected by the other mobility management network element because the security context is out of sync is avoided, and the service continuity of the user equipment is improved.
  • the judgment condition for triggering the authentication of the user equipment is highly flexible and easy to implement.
  • the security context used between the first mobility management network element and the user equipment is set as the native security context, which specifically includes: the first mobility management network element determines the identifier of the user equipment according to the TAU request message; the first mobility management network element determines, according to the identifier of the user equipment, that the location of the user equipment changes; and the first mobility management network element authenticates the user equipment.
  • the first mobility management network element may determine from the location change of the user equipment that the user equipment will be switched between mobility management network elements, and thereby trigger authentication of the user equipment so as to unify the security context used between the first mobility management network element and the user equipment to the native type. When the user equipment then needs to switch from the first mobility management network element to another mobility management network element in the first network for reasons such as movement, the situation in which the access of the user equipment is rejected by the other mobility management network element because the security context is out of sync is avoided, and the service continuity of the user equipment is improved.
  • the first mobility management network element determining, according to the identifier of the user equipment, that the location information of the user equipment changes specifically includes: the first mobility management network element determines, according to the identifier of the user equipment, that the user equipment needs to be switched to the second mobility management network element.
  • setting the security context used between the first mobility management network element and the user equipment as the native security context includes: determining the identifier of the user equipment according to the TAU request message, where the TAU request message includes the identifier; determining, according to the identifier, first indication information corresponding to the identifier, where the first indication information comes from the AMF; and determining to authenticate the user equipment according to the first indication information.
  • the first mobility management network element may trigger authentication of the user equipment according to the first indication information, thereby improving the flexibility of security context synchronization and improving the service continuity of the user equipment.
  • the first indication information is at least one of authentication indication information, or a 5G access type, or a tunnel identifier.
  • the first mobility management network element may determine, from at least one of the authentication indication information, the 5G access type or the tunnel identifier, that the user equipment switched from the 5G network to the first network, and thereby trigger authentication of the user equipment. When the user equipment then needs to switch from the first mobility management network element to another mobility management network element in the first network for reasons such as movement, the situation in which the access of the user equipment is rejected by the other mobility management network element because the security context is out of sync is avoided, the flexibility of security context synchronization is improved, and the service continuity of the user equipment is improved.
  • the first network is a 4G network
  • the second network is a 5G network.
  • an information transmission method is provided, which is applied to a first mobility management network element.
  • the method includes: the first mobility management network element determines that a user equipment is switched from a second network to a first network, where the first network includes the first mobility management network element and a second mobility management network element; determines that the user equipment is switched from the first mobility management network element to the second mobility management network element; and sends second indication information to the second mobility management network element, where the second indication information indicates that the security context of the user equipment is a mapped security context, or instructs the second mobility management network element to authenticate the user equipment.
  • when the switch to the second mobility management network element occurs, the first mobility management network element can send the second indication information to the second mobility management network element, so that the second mobility management network element can synchronize the security context used between itself and the user equipment according to that indication, thereby preventing the access of the user equipment from being rejected and improving the service continuity of the user equipment.
  • the second indication information includes at least one indication information among 5G security algorithms, or 5G wireless access types, 5G or next-generation wireless security capabilities, or tunnel identifiers.
  • the first mobility management network element may send 5G-network-related indication information to the second mobility management network element to indicate that the user equipment switched from the 5G network to the first network, so that the second mobility management network element can synchronize the security context with the user equipment on the basis of that indication information.
  • the first network is a 4G network
  • the second network is a 5G network.
  • an information transmission method is provided, which is applied to a second mobility management network element; the second mobility management network element belongs to a first network, the first network further includes a first mobility management network element, and a user equipment has switched from the second network to the first network.
  • the method includes: determining that the user equipment is switched from the first mobility management network element to the second mobility management network element; receiving second indication information from the first mobility management network element, the second indication information indicating that the security context of the user equipment is a mapped security context, or instructing the second mobility management network element to authenticate the user equipment; and determining the security context used between the second mobility management network element and the user equipment according to the second indication information.
  • the second mobility management network element determines the security context in synchronization with the user equipment according to the second indication information, thereby preventing the second mobility management network element from rejecting the access of the user equipment, improving the service continuity of the user equipment and improving the communication performance.
  • the second indication information indicates that the security context of the user equipment is a mapped security context
  • determining the security context used between the second mobility management network element and the user equipment according to the second indication information includes: determining that the security context used between the second mobility management network element and the user equipment is the mapped security context.
  • the second mobility management network element may directly determine, from the security context type of the user equipment indicated by the second indication information, that the security context used with the user equipment is the mapped security context, ignoring the locally saved security context type, thereby preventing the second mobility management network element from rejecting the access of the user equipment and improving the service continuity of the user equipment.
  • the second indication information includes at least one of 5G security algorithms, 5G wireless access types, 5G or next-generation network security capabilities, or tunnel identifiers, and determining the security context used between the second mobility management network element and the user equipment according to the second indication information includes: determining that the security context used between the second mobility management network element and the user equipment is a mapped security context.
  • the second mobility management network element can determine from the above indication information that the user equipment switched from the 5G network to the first network, which makes the configuration of the second indication information and the synchronization of the security context more flexible and easier to implement, and improves the service continuity of the user equipment.
  • the second indication information instructs the second mobility management network element to authenticate the user equipment
  • the security context used between the second mobility management network element and the user equipment is determined according to the second indication information, including: the second mobility management network element authenticates the user equipment, and sets the security context used between the second mobility management network element and the user equipment as the local native security context.
  • the second mobility management network element may also authenticate the user equipment according to the second indication information; after authentication, the security context used between the second mobility management network element and the user equipment can be unified as the local native security context, which avoids rejection of the user equipment's access request and ensures the service continuity of the user.
  • the first network is a 4G network
  • the second network is a 5G network.
  • an information transmission apparatus includes a receiving module configured to receive a tracking area update (TAU) request message from a user equipment that has switched from a second network to a first network, the apparatus belonging to the first network; and a processing module configured to set the security context used between the apparatus and the user equipment as the native security context according to the TAU request message.
  • the processing module is specifically configured to: authenticate the user equipment.
  • the TAU request message includes status information of the user equipment
  • the processing module is specifically configured to: if the status information indicates that the user equipment switched from the second network to the first network, or the status information indicates the mobility management registration information of the second network of the user equipment, or the status information indicates that the user equipment has the network security capability of the second network, or the status information indicates that the user equipment has the capability of the N1 interface of the second network, authenticate the user equipment.
  • the processing module is specifically configured to: determine the identity of the user equipment according to the TAU request message; determine that the location of the user equipment changes according to the identity of the user equipment; and authenticate the user equipment.
  • the processing module is specifically configured to: determine, according to the identifier of the user equipment, that the user equipment needs to be handed over to the second mobility management network element.
  • the processing module is specifically configured to: determine the identifier of the user equipment according to the TAU request message, where the TAU request message includes the identifier; determine first indication information corresponding to the identifier according to the identifier, where the first indication information comes from the core access and mobility management function (AMF) network element; and determine to authenticate the user equipment according to the first indication information.
  • the first indication information is at least one of authentication indication information, or a 5G access type, or a tunnel identifier.
  • the first network is a 4G network
  • the second network is a 5G network.
  • an information transmission apparatus comprising: a processing module configured to determine that the user equipment is switched from the second network to the first network, and to determine that the user equipment is switched from the first mobility management network element to the second mobility management network element, where the first network includes the apparatus and the second mobility management network element; and a sending module configured to send second indication information to the second mobility management network element, where the second indication information indicates that the security context of the user equipment is a mapped security context, or instructs the second mobility management network element to authenticate the user equipment.
  • the second indication information includes at least one indication information among 5G security algorithms, or 5G wireless access types, 5G or next-generation wireless security capabilities, or tunnel identifiers.
  • the first network is a 4G network
  • the second network is a 5G network.
  • an information transmission apparatus belongs to a first network, the first network further includes a first mobility management network element, and the user equipment is a user equipment that has switched from the second network to the first network; the apparatus includes: a processing module for determining that the user equipment is switched from the first mobility management network element to the apparatus; a receiving module for receiving second indication information from the first mobility management network element, the second indication information indicating that the security context of the user equipment is a mapped security context, or instructing the apparatus to authenticate the user equipment; and the processing module is further configured to determine the security context used between the apparatus and the user equipment according to the second indication information.
  • the processing module is specifically configured to: when the second indication information indicates that the security context of the user equipment is the mapped security context, determine that the security context used between the apparatus and the user equipment is the mapped security context.
  • the processing module is specifically configured to: when the second indication information includes at least one of a 5G security algorithm, a 5G wireless access type, a 5G or next-generation network security capability, or a tunnel identifier, determine that the security context used between the apparatus and the user equipment is the mapped security context.
  • the processing module is specifically configured to: when the second indication information instructs the apparatus to authenticate the user equipment, authenticate the user equipment and set the security context used between the apparatus and the user equipment to the local native security context.
  • the first network is a 4G network
  • the second network is a 5G network.
  • a communication device comprising a processor and a transmission interface, wherein the processor is configured to execute instructions stored in a memory, so that the device performs the method according to any one of the above-mentioned first aspects.
  • a computer-readable storage medium comprising a program or an instruction, when the program or instruction is executed by a processor, the method according to any one of the above-mentioned first aspect is performed.
  • a computer program product which, when the computer program product is run on a computer or a processor, causes the computer or the processor to perform the method according to any one of the above first aspects.
  • a tenth aspect provides a communication device, characterized in that the communication device includes a processor and a transmission interface, wherein the processor is configured to execute instructions stored in a memory, so that the device executes the method according to any one of the above-mentioned second aspects.
  • an eleventh aspect provides a computer-readable storage medium, characterized in that it includes a program or an instruction, and when the program or instruction is executed by a processor, the method according to any one of the above-mentioned second aspects is executed.
  • a twelfth aspect provides a computer program product that, when run on a computer or a processor, causes the computer or the processor to execute the method according to any one of the second aspects above.
  • a thirteenth aspect provides a communication device, characterized in that the communication device includes a processor and a transmission interface, wherein the processor is configured to execute instructions stored in a memory, so that the device executes the method according to any one of the third aspects above.
  • a fourteenth aspect provides a computer-readable storage medium, characterized in that it includes a program or an instruction, and when the program or instruction is executed by a processor, the method according to any one of the third aspects above is executed.
  • a fifteenth aspect provides a computer program product that, when run on a computer or a processor, causes the computer or the processor to execute the method according to any one of the third aspects above.
  • a sixteenth aspect provides a communication system, characterized by comprising the device according to any one of the foregoing second aspect and the device according to any one of the foregoing third aspect.
  • any information transmission method, communication device, communication system, computer-readable storage medium or computer program product provided above can be implemented by the corresponding method provided above; for the beneficial effects it can achieve, reference may be made to the beneficial effects of the corresponding method provided above, which are not repeated here.
  • FIG. 1 is a schematic diagram of a communication system provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of an information transmission method provided by an embodiment of the present application.
  • FIG. 3 is an implementation flow chart 1 of an information transmission method provided by an embodiment of the present application.
  • FIG. 5 is a second implementation flow chart of an information transmission method provided by an embodiment of the present application.
  • FIG. 6 is a third implementation flowchart of an information transmission method provided by an embodiment of the present application.
  • FIG. 7 is a schematic diagram of an information transmission apparatus provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of another information transmission apparatus provided by an embodiment of the present application.
  • FIG. 9 is a schematic diagram of another information transmission apparatus provided by an embodiment of the present application.
  • FIG. 10 is a schematic diagram of a communication apparatus according to an embodiment of the present application.
  • FIG. 1 is a schematic diagram of the existing 4G network and 5G network interworking architecture.
  • the 4G network and the 5G network share the following combined network elements: user plane function (UPF) network element + PDN gateway user plane function (PGW-U) network element; session management function (SMF) network element + PDN gateway control plane function (PGW-C) network element; policy control function (PCF) network element + policy and charging rules function (PCRF) network element; and home subscriber server (HSS) + unified data management (UDM) network element.
  • UPF user plane function
  • PGW-U PDN gateway user plane function
  • SMF session management function
  • PGW-C PDN gateway control plane function
  • PCF policy control function
  • PCRF policy and charging rules function
  • HSS home subscriber server
  • UDM unified data management
  • UPF is the user plane function of 5G network
  • PGW-U is the PDN gateway user plane function of the 4G network corresponding to the UPF
  • SMF is the session management function of 5G network
  • PGW-C is the PDN gateway control plane function of the 4G network corresponding to the SMF
  • the PCF is the policy control function of the 5G network
  • the PCRF is the policy and charging rules function of the 4G network corresponding to the PCF.
  • the HSS+UDM network element is referred to as the user data management network element
  • the PGW-C network element+SMF network element is referred to as the control plane function network element.
  • other names may also be used for the above-mentioned combined network elements, which is not specifically limited in this embodiment of the present application.
  • the above-mentioned 4G network and 5G network interworking architecture may further include an MME and a Serving Gateway (SGW) in the 4G network, and an AMF network element in the 5G network.
  • the 4G network and 5G network interworking architecture may further include a network slice selection function (network slice selection function, NSSF) network element.
  • NSSF network slice selection function
  • the terminal accesses the 4G network through evolved universal terrestrial radio access network (E-UTRAN) equipment, and accesses the 5G network through next generation radio access network (NG-RAN) equipment.
  • E-UTRAN evolved universal terrestrial radio access network
  • NG-RAN next generation radio access network
  • the E-UTRAN device communicates with the MME through the S1-MME interface
  • the E-UTRAN device communicates with the SGW through the S1-U interface
  • the MME communicates with the SGW through the S11 interface
  • the MME communicates with the user data management network element through the S6a interface
  • the MME communicates with the AMF network element through the N26 interface.
  • SGW communicates with PGW-U network element+UPF network element through S5-U interface
  • SGW communicates with PGW-C network element+SMF network element through S5-C interface
  • PGW-U network element+UPF network element communicates with NG-RAN equipment through N3 interface
  • PGW-U network element+UPF network element communicates with PGW-C network element+SMF network element through N4 interface
  • PGW-C network element+SMF network element communicates with PCRF network element+PCF network element through N7 interface
  • HSS+UDM NE communicates with PGW-C NE+SMF NE through N10 interface
  • HSS+UDM NE communicates with AMF NE through N8 interface
  • PCRF NE+PCF NE communicates with AMF NE through N15 interface
  • the PGW-C network element + SMF network element communicates with the AMF network element through the N11 interface
  • the AMF network element communicates with the NG-RAN device.
  • the NG-RAN device in the 5G network can also be called an access device, and the access device refers to a device that accesses the core network, such as a base station, a broadband network gateway (BNG), an aggregation switch, a non-3GPP access device, etc.
  • the base station may include various forms of base stations, for example, a macro base station, a micro base station (also referred to as a small cell), a relay station, an access point, etc., which are not specifically limited in this embodiment of the present application.
  • 4G network and 5G network may also have other network elements.
  • 4G network may also include a serving GPRS support node (SGSN) of the general packet radio system (GPRS), etc.
  • GPRS general packet radio system
  • 5G network may also include an authentication server function (AUSF) network element, etc., which is not specifically limited in this embodiment of the present application.
  • AUSF authentication server function
  • the network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application.
  • with the evolution of the network architecture and the emergence of new service scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
  • this application is mainly applied to the scenario of intercommunication between 5G network and 4G network.
  • after the user equipment switches from the 5G network to the 4G network, if the user equipment is then handed over between MMEs, access of the user equipment may be denied because the security context is out of sync.
  • handover means the process by which, when the user equipment moves from the coverage area of one base station to the coverage area of another during communication, or when the communication quality is degraded by external interference, the user equipment switches to a new channel so that the service is maintained.
  • the re-occurrence of handover between MMEs of the user equipment mainly includes the following scenarios 1 and 2.
  • Scenario 1 refers to the case where, after the user equipment moves from the AMF of the 5G network to MME1 of the 4G network, MME1 determines that the movement of the user equipment requires a further handover from MME1 to MME2; the security context carried in the relocation request message sent by MME1 to MME2 is then the mapped security context.
  • MME2 does not obtain the type of the security context, so it treats the received security context as the native security context, that is, it stores it as a native security context.
  • after MME2 receives the TAU request sent by the user equipment, the mapped security context carried in the TAU request is inconsistent with the native security context stored locally for that user equipment, so MME2 rejects the TAU request of the user equipment and sends a rejection indication, for example the rejection indication TAU#9; the user equipment can then only access again after a period of time, which seriously affects the continuity of the UE service.
  • the second scenario is that after the user equipment moves from the AMF of the 5G network to the MME1 of the 4G network, the user equipment establishes a non-access stratum (NAS) connection with MME1, and then the user equipment enters the idle state and moves in the idle state.
  • NAS non-access stratum
  • the user equipment sends a TAU request message to MME2, and MME2 determines from the user identity carried in the TAU request message that the user equipment comes from MME1. Therefore, MME2 actively requests the security context from MME1.
  • MME1 replies with a security context response message to MME2.
  • MME2 does not acquire the security context type, and MME2 does not know whether the received security context is native type or mapped type.
  • MME2 sees that the security context comes from MME1 of the 4G network, so it determines the security context to be native, that is, saves it as a native security context. Therefore, because the mapped security context carried in the TAU request is inconsistent with the native security context stored locally for the user equipment, MME2 rejects the TAU request of the user equipment and sends a rejection indication, for example the rejection indication TAU#9. As a result, the user equipment can only access again after a period of time, which seriously affects the continuity of UE services.
  • the present application provides an information transmission method to solve the problem of synchronizing security contexts when user equipment is handed over between MMEs, and to avoid the case where access of the user equipment is rejected because the security contexts are not synchronized.
  • the method may include:
  • the first mobility management network element receives a tracking area update TAU request message from the user equipment.
  • the user equipment is switched from the second network to the first network, and the first mobility management network element belongs to the first network.
  • the first network may be a 4G network
  • the second network may be a 5G network
  • the first mobility management network element may be MME1, that is, the user equipment has been handed over from the 5G network to MME1 of the 4G network.
  • the first network may be a 5G network
  • the second network may be a next-generation or previous-generation mobile communication network, such as a sixth generation (6G) network or a 4G network. This application does not specifically limit this.
  • the mobility management network element may specifically be the MME shown in FIG. 1 above, or may be other network elements with similar functions. This application does not specifically limit this.
  • the first mobility management network element sets the security context used between the first mobility management network element and the user equipment as the native security context according to the TAU request message.
  • setting the security context used between the first mobility management network element and the user equipment as the native security context may include:
  • the first mobility management network element triggers authentication of the user equipment, so that the security contexts between the first MME and the user equipment are unified into a native security context.
  • the TAU request message may include state information of the user equipment, and the first mobility management network element determines to trigger the authentication of the user equipment, which may specifically include at least one of the following:
  • the first mobility management network element authenticates the user equipment.
  • the TAU request message may include indication information, and the indication information may be used to indicate that the user equipment has been handed over from the 5G network to the 4G network, or to indicate that the TAU request message is a TAU request sent after the user equipment has been handed over from the 5G network to the 4G network. MME1 then triggers authentication for the UE.
  • the authentication can be performed through authentication and key agreement (AKA).
  • AKA authentication and key agreement
  • if MME1 does not have the international mobile subscriber identity (IMSI) of the UE, MME1 sends an identity request message to the UE, and after obtaining the IMSI from the UE, sends the IMSI to the home subscriber server (HSS), obtains the authentication vector, and then performs authentication.
  • HSS home subscriber server
  • if MME1 already stores the IMSI or requests the IMSI from another MME, it sends the IMSI to the HSS and, after obtaining the authentication vector, performs authentication.
  • the first mobility management network element authenticates the user equipment.
  • the status information available in the TAU request message may be mobility management registration information.
  • it includes the UE status, which is used to indicate whether the UE has been registered in 5G mobility management (5GMM). If the UE has been registered in 5GMM, MME1 determines that the security context corresponding to the UE is mapped.
  • 5GMM 5G mobility management
  • the first mobility management network element authenticates the user equipment.
  • the TAU request message may include the network security capabilities of the user equipment, for example, UE 5G security capabilities, or next-generation wireless security capabilities.
  • the first mobility management network element authenticates the user equipment.
  • the N1 interface is the interface between the UE and the AMF.
  • the first mobility management network sets the security context used between the first mobility management network element and the user equipment as the native security context according to the TAU request message, which may further include:
  • Step1 The first mobility management network element determines the identifier of the user equipment according to the TAU request message.
  • the TAU request message can carry the identity of the user equipment, for example, a globally unique temporary UE identity (GUTI) or an international mobile subscriber identity (IMSI).
  • GUTI globally unique temporary UE identity
  • IMSI international mobile subscriber identity
  • Step 2 The first mobility management network element determines, according to the identifier, first indication information corresponding to the identifier.
  • the first indication information may specifically be authentication indication information, or a tunnel identifier, or an access type.
  • the authentication indication information, the tunnel identifier, or the access type is used to indicate that the user equipment is to be authenticated, and the first indication information comes from the AMF network element.
  • the MME1 may determine to trigger authentication for the user according to the authentication indication information, the tunnel identifier, or the access type. For example, if it is determined by the tunnel identifier that the peer end is a 5G network, or it is determined by the access type that it is an access mode of the 5G network, the authentication of the user is triggered.
  • the authentication indication information may be carried in the forward relocation request message from the AMF, received before the first mobility management network element receives the TAU request from the user equipment.
  • the authentication indication information can be used to indicate that the user equipment is from a 5G network, and authentication can be triggered for the device to synchronize the security context.
  • the authentication indication information may also be obtained from the AMF after the first mobility management network element receives the TAU request from the user equipment, in which case it is carried in the context response message sent by the AMF.
  • the authentication indication information can be used to indicate that the user equipment is from a 5G network, and authentication can be triggered for the device to synchronize the security context.
  • the first indication information may also be a tunnel identifier, where the tunnel identifier includes a tunnel identifier used to indicate that the AMF is an AMF in a 5G network; it may be a tunnel identifier of GTP-C.
  • the first indication information may also be an access type, which is used to indicate that the current network is an access type of a 5G network or an access type of a 5G wireless network; or may be a RAT type.
  • Step 3 The first mobility management network element determines to authenticate the user equipment according to the first indication information.
  • MME1 determines the first indication information corresponding to the UE according to the UE's identity, triggers authentication with the UE, establishes a unified native security context between MME1 and the UE, and then executes the handover process from MME1 to MME2.
  • when the user equipment has been handed over from the second network to the first network and then moves, so that the user equipment needs to perform handover between mobility management network elements (MMEs), the MME can trigger authentication of the user equipment. For example, when the user equipment is handed over from MME1 to MME2, MME1 may trigger authentication of the user equipment.
  • the authentication process is not necessary, but it is determined in the embodiments of the present application that in this scenario, the MME triggers the authentication of the user equipment to synchronize the type of security context.
  • the native security context is then shared between the user equipment and MME1, so when the handover process from MME1 to MME2 is executed, no inconsistency of security context type occurs, and the user equipment is not denied access by MME2 because of inconsistent security contexts, thereby improving the service continuity of the user equipment.
  • the communication process corresponding to the above-mentioned embodiment of the present application will be described by taking the first network as a 4G network, the second network as a 5G network, and the first mobility management network element as the MME1 as an example in combination with the above scenarios.
  • the base station of the 4G network may be an eNB
  • the base station of the 5G network may be a gNB or an ng-eNB.
  • the gNB/ng-eNB sends a handover request message to the AMF.
  • when the base station of the 5G network recognizes that the user equipment needs to be handed over, it sends a handover required message to the AMF.
  • the AMF sends a forward relocation request message, including the eKSI, to MME1.
  • when the AMF determines that the user equipment needs to be handed over to the 4G network, it derives the eKSI from the AMF's local 5G KSI (referred to as ngKSI); the eKSI is used to indicate that the security context corresponding to the user equipment is the mapped security context.
  • ngKSI local 5G KSI
  • the AMF sends a forward relocation request message to MME1, where the forward relocation request message includes the eKSI, and the type of the security context indicated by the forward relocation request message is the mapped security context.
  • the eKSI is used to identify the corresponding security context, for example, it may include the Kasme key; it may also include the protection key and protection algorithm of the NAS.
  • the eKSI information may include a counter for identifying the security context and a type of security context flag (TSC). The TSC identifies the type of the security context, which can be native or mapped.
  • MME1 does not know whether the received security context is of native type or mapped type.
  • the forward relocation request message sent by the AMF to the MME1 may further include first indication information, which is used to instruct the MME1 to authenticate the user equipment.
  • the first indication information may be authentication indication information.
  • the first indication information may also be a tunnel identifier, that is, the forward relocation request message sent by the AMF to MME1 may also include a tunnel identifier, where the tunnel identifier is used to indicate that the AMF is an AMF in the 5G network; it can be a GTP-C tunnel identifier.
  • the first indication information may also be the access type, that is, the forward relocation request message sent by the AMF to MME1 may also include the access type, which is used to indicate that the current network is the access type of the 5G network or the access type of the 5G wireless network; the access type may also be a RAT type.
  • MME1 sends an S1 handover request to the eNB.
  • the eNB sends an S1 handover response to the MME1.
  • the configuration of the eNB will be included here, and the specific content may refer to the relevant description of the prior art, which is not limited in this application.
  • MME1 sends a forward relocation response message to the AMF.
  • the AMF sends a handover response message to the gNB/ng-eNB.
  • the gNB/ng-eNB sends a handover response message to the user equipment.
  • the user equipment generates eKSI information, and the security context corresponding to the eKSI is the mapped security context.
  • the UE generates an indication that the eKSI is the mapped security context according to the indication that the local ngKSI (used to identify the security context of the 5G network) is the native security context.
  • the location where the UE side generates the eKSI is not limited, and it may be regenerated when sending the TAU request message to the MME1.
  • the user equipment sends a handover complete message to the eNB.
  • the eNB sends a handover request message to MME1.
  • the user equipment sends a TAU request message to MME1.
  • the TAU request message may carry the GUTI identifier of the user equipment and the corresponding eKSI.
  • eKSI indicates a mapped context.
  • the GUTI may be generated by MME1 in the above steps (for example, generated in step 305) and sent to the UE through the AMF.
  • the TAU request message may include the status information of the user equipment.
  • the status information of the user equipment indicates that the user equipment is switched from a 5G network to a 4G network.
  • the status information of the user equipment is UE status to indicate whether the UE has been registered in 5GMM.
  • the status information of the user equipment indicates the 5G wireless security capability of the user equipment, or the indication information such as the wireless security capability of the next generation network.
  • the state information of the user equipment is used to indicate that the TAU request message is a TAU message after switching from 5G to 4G.
  • MME1 may also obtain, according to the GUTI identifier of the user equipment carried in the TAU request message, the authentication indication information, tunnel identifier, or access type corresponding to the user equipment, and determine from it to trigger authentication for the user. For example, if the tunnel identifier shows that the peer end is a 5G network, or the access type shows that the previous access mode was that of a 5G network, authentication of the user is triggered.
  • the MME1 triggers the authentication of the user equipment according to the TAU request message, and generates a new security context, thereby determining the security context used between the MME1 and the user equipment as the native security context.
  • the user equipment and the MME1 share the native security context.
  • the security context determined by both parties is the native security context.
  • after the user equipment is handed over from the second network to the first network, the user equipment establishes a NAS connection with the first mobility management network element and is in the connected state; that is, the aforementioned embodiments of the present application can be applied to scenario 2.
  • the first mobility management network element according to the TAU request message, sets the security context used between the first mobility management network element and the user equipment as the native security context, and specifically can also include:
  • the first mobility management network element may trigger the authentication of the user equipment according to the position change of the user equipment, so that the security context used between the first mobility management network element and the user equipment is set as the native security context.
  • the user equipment can establish a NAS connection with the first mobility management network element (MME1), and the user equipment enters the connection state at this time.
  • MME1 in step 312 may trigger the authentication of the user equipment according to the TAU request message, which may further include:
  • the first mobility management network element may trigger authentication of the user equipment according to the location change of the user.
  • the first mobility management network element triggers authentication of the user equipment according to the location change of the user, which may specifically include:
  • Step 1 The first mobility management network element determines the identifier of the user equipment according to the TAU request message.
  • after the UE is handed over from the 5G network to the 4G network, the UE establishes a NAS connection with MME1 and is in the connected state.
  • the MME1 may acquire the identity of the user equipment according to the GUTI identity carried in the TAU request message.
  • the identifier of the user equipment here may be a permanent identifier or a GUTI identifier.
  • Step 2 The first mobility management network element determines that the location of the user equipment changes according to the identifier of the user equipment.
  • the determination by the first mobility management network element, according to the identifier of the user equipment, that the location information of the user equipment has changed mainly refers to: the first mobility management network element determines, according to the identifier of the user equipment, that the user equipment needs to be handed over to the second mobility management network element.
  • the location change of the user equipment may specifically mean that the location of the user equipment moves out of the range of MME1, and the user equipment needs to perform handover between MMEs, for example, handover from MME1 to MME2.
  • the location information of the user equipment may come from the information reported by the network equipment received by the first mobility management network element.
  • the location information of the user equipment may be obtained from the base station, for example, the base station regularly reports the change of the location information of the user equipment.
  • the base station reports the tunnel identifier and measurement information between the base station bound to the user equipment and the MME.
  • the tunnel identifier between the base station and the MME is associated with the user equipment. It may be allocated by the MME or by the base station, without limitation.
  • the MME determines the identifier of the UE according to the tunnel identifier between the base station and the MME, and then determines whether the handover of the MME needs to be performed according to measurement information and the like.
  • the specific content of the information reported by the base station, and the manner in which MME1 determines that an MME handover needs to be performed, may refer to the prior art and are not limited here.
  • the location information of the user equipment may come from a location management network element, and the location management network element is used to monitor the location information of the user equipment.
  • MME1 may send the GUTI or IMSI of the UE to the location management network element, and when the location management network element detects that the location of the UE changes, it sends the location information of the UE to MME1.
  • MME1 may also determine whether to perform MME handover, such as handover from MME1 to MME2, according to the UE location related message carried in the handover request (handover required) sent by the network device eNB.
  • the manner of judging whether the MME handover needs to be performed may refer to the prior art, which is not limited in this application.
  • Step 3 The first mobility management network element authenticates the user equipment.
  • the MME1 determines that the handover of the MME needs to be performed, the MME1 triggers the authentication of the user equipment.
  • if MME1 determines that an MME handover needs to be performed, and MME1 has already performed two-way authentication with the user equipment, the authentication of the user equipment does not need to be triggered again.
  • if MME1 determines that an MME handover needs to be performed, and MME1 and the user equipment have already unified their security context as a native security context, the authentication of the user equipment does not need to be triggered again.
  • when MME1 determines that the location of the UE will leave the tracking area (TA), or leave the range covered by MME1, MME1 triggers authentication with the UE, so that MME1 and the UE are unified on a native security context, and then executes the handover process from MME1 to MME2.
  • TA tracking area
  • when the user equipment has been handed over from the second network to the first network and then moves, and it is determined that the user equipment is about to be handed over between mobility management network elements, the mobility management network element can trigger authentication of the user equipment, so that the security context between the user equipment and the mobility management network element is synchronized.
  • when the handover process between mobility management network elements is then performed, no inconsistency of security context type occurs, and rejection of the user equipment's TAU request is avoided, thereby improving the service continuity of the user equipment.
  • the indication information 1 may be authentication indication information; or a tunnel identifier, or an access type. For example, authentication is performed only when inter-MME handover is required, and the TAU carries the state information of the user equipment, or after receiving indication information 1 from the AMF.
  • when the user equipment has been handed over from the second network to the first network and then moves, and it is determined that the user equipment is about to be handed over between mobility management network elements, for example from MME1 to MME2, MME2 can still synchronize the security context with the user equipment by means of specific indication information, thereby improving the service continuity of the user equipment.
  • This embodiment of the present application provides another method for information transmission. As shown in FIG. 4 , the method may include:
  • the first mobility management network element determines that the user equipment is switched from the second network to the first network.
  • the first network includes a first mobility management network element and a second mobility management network element.
  • the first network may be a 4G network
  • the second network may be a 5G network
  • the first mobility management network element may be MME1
  • the second mobility management network element may be MME2.
  • the UE switches from the 5G network to the 4G network.
  • the first mobility management network element determines that the user equipment needs to be handed over from the first mobility management network element to the second mobility management network element. That is to say, the first mobility management network element determines that the user equipment moves, and it is necessary to perform handover between the mobility management network elements.
  • the first mobility management network element sends second indication information to the second mobility management network element.
  • the second indication information may indicate that the security context corresponding to the user equipment is a mapped security context. Or the second indication information may be to instruct the second mobility management network element to authenticate the user equipment.
  • the second indication information may include at least one indication information among a 5G security algorithm, or a 5G wireless access type, or a 5G wireless security capability, or a tunnel identifier.
  • the second mobility management network element receives the second indication information from the first mobility management network element.
  • the second mobility management network element determines, according to the second indication information, a security context used between the second mobility management network element and the user equipment.
  • the second mobility management network element determines the security context used between the second mobility management network element and the user equipment according to the second indication information, which may specifically include the following three ways.
  • Mode 1 If the second indication information indicates that the security context of the user equipment is the mapped security context, the second mobility management network element determines that the security context used with the user equipment is the mapped security context.
  • the second indication information may be obtained according to some parameters of the user equipment sent by the first mobility management network element.
  • Mode 2 If the second indication information includes at least one of a 5G security algorithm, a 5G wireless access type, a 5G or next-generation network security capability, or a tunnel identifier, the second mobility management network element determines that the security context used between the second mobility management network element and the user equipment is the mapped security context.
  • Mode 3 If the second indication information instructs the second mobility management network element to authenticate the user equipment, the second mobility management network element authenticates the user equipment according to the second indication information, and the security context used between the second mobility management network element and the user equipment is set, or unified, to the local native security context.
  • the second mobility management network element may determine, through the second indication information carried by the first mobility management network element, to synchronize the security context with the user equipment, or it may authenticate the user equipment according to that indication information so that the security context between the second mobility management network element and the user equipment is synchronized as the native security context; the second mobility management network element then does not reject the user equipment's TAU request because of inconsistent security context types, thereby improving the service continuity of the user equipment.
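  • A small Python model, added here as an illustration and not part of the patent, of the type-of-security-context mismatch in scenarios 1 and 2 above and of both remedies: MME1 authenticating the UE before the inter-MME handover (the FIG. 3 method) and MME1 forwarding second indication information so that MME2 stores the context as mapped or authenticates the UE (modes 1 to 3 of the FIG. 4 method). The message field names, the `TAU#9` string and the random key stand-ins are constructed assumptions.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NATIVE, MAPPED = "native", "mapped"
TAU_REJECT_CAUSE = "TAU#9"   # the rejection indication named in the text (label assumed)


@dataclass
class SecurityContext:
    """eKSI plus the key it identifies (constructed, simplified)."""
    ksi: int        # eKSI counter value
    tsc: str        # type-of-security-context flag: NATIVE or MAPPED
    kasme: bytes    # Kasme; a random stand-in for the derived key


@dataclass
class UE:
    guti: str
    ctx: Optional[SecurityContext] = None


@dataclass
class MME:
    name: str
    contexts: Dict[str, SecurityContext] = field(default_factory=dict)
    auth_runs: int = 0

    def authenticate(self, ue: UE) -> None:
        """Model of AKA: both sides end up with the same fresh native context."""
        self.auth_runs += 1
        fresh = SecurityContext(ksi=1, tsc=NATIVE, kasme=os.urandom(32))
        self.contexts[ue.guti] = fresh
        ue.ctx = fresh

    def receive_forward_relocation(self, ue: UE, msg: dict) -> None:
        """Receiving side of the forward relocation request from a peer MME."""
        peer_ctx: SecurityContext = msg["context"]
        indication = msg.get("second_indication")   # hypothetical field name
        if indication == "authenticate":            # mode 3
            self.authenticate(ue)
            return
        if indication in ("mapped", "5g_security_algorithm", "5g_access_type",
                          "5g_security_capability", "tunnel_id"):   # modes 1 and 2
            tsc = MAPPED
        else:
            # Legacy behaviour described in the text: the type is not conveyed,
            # so a context received from a 4G peer is stored as native.
            tsc = NATIVE
        self.contexts[ue.guti] = SecurityContext(peer_ctx.ksi, tsc, peer_ctx.kasme)

    def handle_tau(self, ue: UE) -> Tuple[str, Optional[str]]:
        """The TAU request carries the UE's eKSI; reject if it does not match."""
        stored = self.contexts.get(ue.guti)
        if stored is None or ue.ctx is None:
            return ("TAU_REJECT", TAU_REJECT_CAUSE)
        if (stored.ksi, stored.tsc) != (ue.ctx.ksi, ue.ctx.tsc):
            return ("TAU_REJECT", TAU_REJECT_CAUSE)
        return ("TAU_ACCEPT", None)


def handover_5g_to_4g(ue: UE, mme1: MME) -> None:
    """AMF forwards a mapped context (eKSI with TSC=mapped); the UE derives the same eKSI."""
    mapped = SecurityContext(ksi=0, tsc=MAPPED, kasme=os.urandom(32))
    mme1.contexts[ue.guti] = mapped
    ue.ctx = mapped


def inter_mme_handover(ue: UE, mme1: MME, mme2: MME,
                       second_indication: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """MME1 -> MME2 forward relocation, then the UE's TAU request at MME2."""
    msg = {"context": mme1.contexts[ue.guti]}
    if second_indication:
        msg["second_indication"] = second_indication
    mme2.receive_forward_relocation(ue, msg)
    return mme2.handle_tau(ue)


def run(fix: Optional[str]) -> Tuple[str, Optional[str]]:
    """fix=None reproduces scenario 1; 'reauth' is the FIG. 3 method; other values are FIG. 4 modes."""
    ue, mme1, mme2 = UE("guti-1"), MME("MME1"), MME("MME2")
    handover_5g_to_4g(ue, mme1)
    if fix == "reauth":
        mme1.authenticate(ue)            # MME1 unifies the context to native first
        return inter_mme_handover(ue, mme1, mme2)
    return inter_mme_handover(ue, mme1, mme2, second_indication=fix)


if __name__ == "__main__":
    for fix in (None, "reauth", "mapped", "tunnel_id", "authenticate"):
        print(f"{fix!s:>13}: {run(fix)}")
```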
  • The implementation scenario takes as an example the case where, after the user equipment has been handed over from the 5G network to the 4G network, the user equipment moves and needs to be handed over from MME1 to MME2, and describes the communication flow corresponding to the above-mentioned embodiment of the present application.
  • the base station of the 4G network may be an eNB
  • the base station of the 5G network may be a gNB or an ng-eNB.
  • the eNB sends a handover request message to MME1.
  • MME1 determines that the user equipment needs to be handed over to MME2.
  • This step may correspond to the description in step 401 in the foregoing embodiment: the first mobility management network element determines that the user equipment needs to be handed over from the first mobility management network element to the second mobility management network element.
  • MME1 may determine that the user equipment needs to be switched to MME2 according to the position movement of the user equipment.
  • MME1 sends a forward relocation request message to MME2, where the forward relocation request message carries the second indication information.
  • the second indication information may specifically include:
  • the second indication information indicates that the security context of the user equipment is the mapped security context.
  • The second indication information includes at least one of a 5G security algorithm, a 5G radio access type, a 5G or next-generation network security capability, or a tunnel identifier, and is used to instruct MME2 to determine the security context according to the first indication information.
  • the second indication information may specifically be authentication indication information, which is used to instruct the MME2 to authenticate the user equipment corresponding to the forward relocation request message.
  • MME2 replies with a forward relocation response message to MME1.
  • the MME2 determines the security context used with the user.
  • This step may correspond to step 404 in the foregoing embodiment, that is, MME2 may determine the security context used between MME2 and the user equipment according to the second indication information from MME1.
  • the MME2 determines whether the security context used with the user equipment is the mapped type or the native type, which may include:
  • the MME2 determines that the security context used with the user equipment is the mapped security context.
  • MME2 determines that the security context used between MME2 and the user equipment is the mapped security context.
  • the MME2 saves the authentication indication information corresponding to the user equipment.
  • After receiving the TAU request message sent by the user equipment, MME2 can obtain the corresponding authentication indication information according to the identifier of the user equipment, so as to authenticate the user equipment.
  • After receiving the TAU request message sent by the user equipment, MME2 first determines, according to the identity of the user equipment such as the GUTI, whether the eKSI of the user equipment has a corresponding security context (for example, if the eKSI indicates a mapped-type security context while the locally stored security context is of the native type, no security context corresponding to the eKSI is saved). If there is no corresponding security context and authentication indication information corresponding to the user equipment is saved, authentication of the user equipment is triggered directly according to the authentication indication, so that the security context used between MME2 and the user equipment is set to the local native security context.
  • the forward relocation request message does not carry the second indication information, and MME2 regards the security context received from MME1 as the native type security context by default. After the MME2 receives the TAU request message sent by the user equipment, the following possible manners are performed.
  • Manner 1: MME2 updates the local native security context corresponding to the user equipment to the mapped security context, ignoring the locally saved security context, so as to stay synchronized with the security context of the user equipment.
  • Manner 2: MME2 may ignore the security context type indicated by the eKSI in the TAU request message and treat the eKSI and the locally saved context type as consistent, that is, determine that the security context used between MME2 and the user equipment is synchronized as the native type.
  • Manner 3: When the received type is mapped and the locally stored one is native, MME2 triggers authentication of the user equipment, so that the security context used between MME2 and the user equipment is synchronized to the native security context.
  • Manner 4: MME2 triggers authentication of the user equipment according to the authentication indication information carried in the TAU request message sent by the user equipment, so that the security context used between MME2 and the user equipment is synchronized to the native security context.
  • any of the above manners can realize synchronization of security contexts, and the communication system can preselect at least one of the strategies to configure the network elements designed in the foregoing embodiments, so as to realize synchronization of security contexts of user equipments in the foregoing scenarios.
  • the specific configuration manner is not limited in this application.
  • The second indication information is carried in the forward relocation request message sent by MME1, so that when the user equipment has been handed over from the 5G network to the 4G network and then moves, and it is determined that a handover of the user equipment from MME1 to MME2 is about to occur, MME2 may determine to synchronize the security context with the user equipment according to the second indication information carried by MME1, or may authenticate the user equipment according to that second indication information, so that the security context between MME2 and the user equipment is synchronized to the native security context. MME2 then does not reject the TAU request of the user equipment because of inconsistent security context types, thereby improving the service continuity of the user equipment.
  • The embodiment of the present application also provides another information transmission method, which is applicable to the above-mentioned second scenario: after the user equipment moves from the AMF of the 5G network to MME1 of the 4G network, the user equipment establishes a non-access stratum (NAS) connection with MME1, then enters an idle state and moves while idle.
  • the user equipment moves out of the coverage of MME1, the user equipment sends a TAU request message to MME2.
  • This application provides another information transmission method, so that MME2 can determine how to synchronize the security context used between MME2 and the user equipment according to the message obtained from MME1, thereby avoiding rejection of the TAU request of the user equipment that would affect the service continuity of the user.
  • the specific communication process may include:
  • the user equipment establishes a NAS connection with the MME1.
  • MME1 receives the TAU request message from the user equipment according to step 311, where the TAU request message includes the GUTI identifier of the user equipment and the eKSI. MME1 determines that the security context used between MME1 and the user is the mapped security context, and then establishes a NAS connection with the user equipment.
  • the user equipment sends a TAU request message to MME2.
  • the TAU request message may include the GUTI and eKSI of the user equipment.
  • MME2 sends a context request message to MME1.
  • MME2 requests the security context corresponding to the user equipment from MME1 according to the GUTI, that is, it sends a context request message to MME1.
  • the context request message includes the GUTI of the user equipment.
  • MME1 sends a context response message to MME2.
  • MME1 returns the security context corresponding to the user equipment to MME2 according to the GUTI, that is, it sends a context response message to MME2.
  • the context response message includes eKSI; here eKSI does not include TSC information.
  • Because the security context was received from the 4G MME1, MME2 determines that the security context is of the native type.
  • the MME2 determines the security context used between the MME2 and the user equipment.
  • MME2 first determines, according to the GUTI and eKSI, whether a security context corresponding to the user equipment is stored. If a security context corresponding to the user equipment is stored, but the eKSI in the TAU request message sent by the user equipment indicates that the corresponding security context is of the mapped type while the security context saved by MME2 for the user equipment is of the native type, MME2 determines the security context used with the user equipment, which may include the following manners:
  • Manner 1: MME2 updates the local native security context corresponding to the user equipment to the mapped security context, ignoring the locally saved security context, so as to stay synchronized with the security context of the user equipment.
  • Manner 2: MME2 may ignore the security context type indicated by the eKSI in the TAU request message and treat the eKSI and the locally saved context type as consistent, that is, determine that the security context used between MME2 and the user equipment is synchronized as the native type.
  • Manner 3: When the received type is mapped and the locally stored one is native, MME2 triggers authentication of the user equipment, so that the security context used between MME2 and the user equipment is synchronized to the native security context.
  • Manner 4: MME2 triggers authentication of the user equipment according to the authentication indication information carried in the TAU request message sent by the user equipment, so that the security context used between MME2 and the user equipment is synchronized to the native security context.
  • The TAU request message sent by the user equipment to MME2 may include authentication indication information, so that MME2 can directly trigger authentication of the user equipment according to that indication and thereby synchronize the security context.
  • any of the above manners can realize synchronization of security contexts, and the communication system can preselect at least one of the strategies to configure the network elements designed in the foregoing embodiments, so as to realize synchronization of security contexts of user equipments in the foregoing scenarios.
  • the specific configuration manner is not limited in this application.
  • In a pre-configured manner, MME2 can by default keep the locally saved native security context type, or update to the mapped security context indicated by the eKSI, or trigger authentication of the user equipment and update to the native security context, so as to avoid MME2 rejecting the TAU request of the user equipment because of inconsistent security context types, thereby improving the service continuity of the user equipment.
  • If the eKSI in the TAU request message received by MME2 from the user equipment indicates that the corresponding security context is of the mapped type while the security context saved by MME2 for the user equipment is of the native type, MME2 sends a TAU reject message to the user equipment. The TAU reject message may carry third indication information, for example an indication of the TAU failure type stating that the security context corresponding to the user equipment does not match; or an instruction to the user equipment to perform initial access; or an instruction to the user equipment to send its IMSI; or another failure type indication other than TAU#9.
  • the user equipment can send the IMSI to MME2 to perform initial registration, thereby establishing a native security context with MME2.
  • This mainly means not sending a rejection indication that requires the UE to wait for a period of time before accessing again, so that the user equipment can perform access immediately and service continuity is preserved to the greatest extent.
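As an added example (not part of the patent text), a small Python model of MME2's decision procedure that covers both the MME1-to-MME2 handover scenario and the idle-mode TAU scenario described above: the native-by-default rule for a context received without second indication information, Manner 1 to Manner 4, and the TAU-reject fallback carrying third indication information. The class names, the dictionary keys used for the second indication information and the `Decision` fields are assumptions chosen for illustration.

```python
"""Toy model of MME2's security-context decision after a 5G-to-4G move that is
followed by an MME1-to-MME2 handover or by an idle-mode TAU to MME2.

Added example, not the applicant's code. CtxType, Strategy, TauRequest,
StoredContext, Decision and the dictionary keys used for the second indication
information are assumptions made for illustration; the native-by-default rule,
Manner 1 to Manner 4 and the TAU-reject fallback follow the description.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class CtxType(Enum):
    NATIVE = "native"   # generated and used within one system, e.g. 4G
    MAPPED = "mapped"   # derived from the 5G context for use in 4G


class Strategy(Enum):
    MANNER_1 = "adopt the UE's mapped context"
    MANNER_2 = "ignore the eKSI type, keep the local native context"
    MANNER_3 = "authenticate on mismatch, converge on native"
    MANNER_4 = "authenticate when the UE carries an authentication indication"
    REJECT = "TAU reject with third indication, no back-off timer"


@dataclass
class TauRequest:
    guti: str
    eksi_type: CtxType             # TSC part of the eKSI: mapped or native
    auth_indication: bool = False  # optional indication carried by the UE


@dataclass
class StoredContext:
    ctx_type: CtxType
    auth_indication: bool = False  # kept from MME1's second indication


@dataclass
class Decision:
    action: str                    # "accept", "authenticate" or "reject"
    ctx_type: Optional[CtxType]    # context type in use afterwards
    third_indication: Optional[str] = None


# Second-indication keys (assumed names) that mark the context MME1 hands over
# as mapped, i.e. derived from 5G parameters.
FIVEG_MARKERS = ("mapped", "5g_security_algorithm", "5g_access_type",
                 "5g_security_capability", "tunnel_id")


def store_context_from_mme1(second_indication: Optional[dict]) -> StoredContext:
    """MME2 interprets the forward relocation request or context response from
    MME1.  Without second indication information (the idle-mode case, where the
    context response carries an eKSI without TSC) the context is treated as
    native by default."""
    if not second_indication:
        return StoredContext(CtxType.NATIVE)
    if second_indication.get("authenticate"):
        # Authentication indication: stored against the UE, acted on at TAU time.
        return StoredContext(CtxType.NATIVE, auth_indication=True)
    if any(second_indication.get(k) for k in FIVEG_MARKERS):
        return StoredContext(CtxType.MAPPED)
    return StoredContext(CtxType.NATIVE)


def handle_tau(req: TauRequest, stored: StoredContext,
               strategy: Strategy) -> Decision:
    """MME2's TAU handling once the stored context and the UE's eKSI are known."""
    if req.eksi_type is stored.ctx_type:
        return Decision("accept", stored.ctx_type)      # types already agree
    if stored.auth_indication:
        # No context matches the eKSI, but MME1 asked MME2 to authenticate.
        return Decision("authenticate", CtxType.NATIVE)
    if req.eksi_type is CtxType.MAPPED and stored.ctx_type is CtxType.NATIVE:
        if strategy is Strategy.MANNER_1:
            return Decision("accept", CtxType.MAPPED)    # follow the UE
        if strategy is Strategy.MANNER_2:
            return Decision("accept", CtxType.NATIVE)    # ignore the eKSI type
        if strategy is Strategy.MANNER_3:
            return Decision("authenticate", CtxType.NATIVE)
        if strategy is Strategy.MANNER_4 and req.auth_indication:
            return Decision("authenticate", CtxType.NATIVE)
    # Fallback, also used for the reverse mismatch the description does not
    # cover (assumption): reject with a mismatch indication and no wait timer,
    # so the UE can perform initial access immediately.
    return Decision("reject", None,
                    "security context mismatch; perform initial access now")


if __name__ == "__main__":
    # Constructed sample: UE arrives with a mapped eKSI, MME1 sent no indication.
    ue = TauRequest("guti-constructed-1", CtxType.MAPPED)
    stored = store_context_from_mme1(None)
    for strategy in Strategy:
        d = handle_tau(ue, stored, strategy)
        print(f"{strategy.name:9} -> {d.action:12} {d.ctx_type}")
```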
  • The fourth indication information can be carried in the handover complete message, so that the first mobility management network element can save the fourth indication information; when a handover between mobility management network elements occurs for the user equipment, the first mobility management network element may trigger authentication of the user equipment according to the fourth indication information, so as to realize synchronization of the security context.
  • the user equipment sends a handover complete message to the eNB, and the message includes fourth indication information.
  • the handover response message sent by the eNB to the MME1 may include the fourth indication information, and then the MME1 may store the fourth indication information corresponding to the user equipment.
  • MME1 determines the locally stored fourth indication information according to the GUTI, and triggers authentication of the user equipment.
  • the native security context will be shared between the user equipment and MME1.
  • the idle state mentioned in the present invention may save context information between the UE and the AMF, and the context includes a security context.
  • the current NAS is in an inactive state, and the security activation of the NAS connection can be completed through NAS messages in the future. After activation, it is in the connected state.
  • an embodiment of the present application further provides an information transmission apparatus.
  • the apparatus 700 includes a receiving module 701 and a processing module 702.
  • the receiving module 701 is configured to receive a tracking area update TAU request message from a user equipment, where the user equipment switches from the second network to the first network, and the apparatus belongs to the first network.
  • the processing module 702 is configured to set the security context used between the apparatus 700 and the user equipment as the native security context according to the TAU request message.
  • the processing module 702 may perform the processing performed by the first mobility management network element in the foregoing method embodiments, except for sending and receiving, and correspondingly, the receiving module 701 may perform the message receiving processing performed by the first mobility management network element in the foregoing method embodiments.
  • the processing module 702 is specifically configured to: authenticate the user equipment.
  • the TAU request message includes status information of the user equipment
  • The processing module 702 may be specifically configured to authenticate the user equipment if the status information indicates that the user equipment has switched from the second network to the first network, or if the status information indicates the mobility management registration information of the user equipment in the second network, or if the status information indicates that the user equipment has the network security capability of the second network, or if the status information indicates that the user equipment has the capability of the N1 interface of the second network.
  • the processing module 702 may be specifically configured to determine the identity of the user equipment according to the TAU request message; determine that the location of the user equipment has changed according to the identity of the user equipment; and authenticate the user equipment.
  • the processing module 702 may be specifically configured to determine, according to the identifier of the user equipment, that the user equipment needs to be handed over to the second mobility management network element.
  • The processing module 702 may be specifically configured to: determine the identifier of the user equipment according to the TAU request message, where the TAU request message includes the identifier of the user equipment; determine, according to the identifier, the first indication information corresponding to it, the first indication information coming from the AMF; and determine to authenticate the user equipment according to the first indication information.
  • the first indication information is at least one of authentication indication information, or a 5G access type, or a tunnel identifier.
  • the first network is a 4G network
  • the second network is a 5G network.
  • the present application further provides an information transmission apparatus.
  • the apparatus 800 includes a sending module 801 and a processing module 802.
  • the processing module 802 is configured to determine that the user equipment is switched from the second network to the first network, and to determine that the user equipment is switched from the first mobility management network element to the second mobility management network element.
  • the first network includes the apparatus 800 and the second mobility management network element.
  • the sending module 801 is further configured to send second indication information to the second mobility management network element, where the second indication information indicates the mapped security context of the user equipment, or instructs the second mobility management network element to authenticate the user equipment.
  • the processing module 802 may perform the processing performed by the first mobility management network element in the foregoing method embodiments, except for sending and receiving, and correspondingly, the sending module 801 may perform the message sending processing performed by the first mobility management network element in the foregoing method embodiments.
  • the second indication information includes at least one indication information among 5G security algorithms, or 5G wireless access types, 5G or next-generation wireless security capabilities, or tunnel identifiers.
  • the first network is a 4G network
  • the second network is a 5G network.
  • the present application further provides an information transmission apparatus.
  • the apparatus 900 includes a receiving module 901 and a processing module 902.
  • the receiving module 901 is configured to receive second indication information from the first mobility management network element, where the second indication information indicates that the security context of the user equipment is a mapped security context, or instructs the apparatus 900 to authenticate the user equipment.
  • the processing module 902 is configured to determine the security context used between the apparatus 900 and the user equipment according to the second indication information.
  • the processing module 902 may perform the processing performed by the second mobility management network element in the foregoing method embodiments, except for sending and receiving, and correspondingly, the receiving module 901 may perform the message receiving processing performed by the second mobility management network element in the foregoing method embodiments.
  • the processing module 902 is specifically configured to: when the second indication information indicates that the security context of the user equipment is a mapped security context, determine that the security context used between the apparatus 900 and the user equipment is the mapped security context.
  • the processing module 902 is specifically configured to: when the second indication information includes at least one of a 5G security algorithm, a 5G radio access type, a 5G or next-generation network security capability, or a tunnel identifier, determine that the security context used between the apparatus 900 and the user equipment is the mapped security context.
  • the processing module 902 is specifically configured to: when the second indication information instructs the apparatus 900 to authenticate the user equipment, authenticate the user equipment and set the security context used between the apparatus 900 and the user equipment to the local native security context.
  • the first network is a 4G network
  • the second network is a 5G network.
  • The sending or receiving performed by the sending module or the receiving module described in the above embodiments of the present application may be performed under the control of a processing module (for example, a processor). Therefore, in the embodiments of the present application, describing the actions of sending or receiving as executed by a processing module (processor) does not affect the understanding of the solution by those skilled in the art.
  • FIG. 10 is another schematic structural diagram of a communication apparatus (any network element in the foregoing embodiment) provided by an embodiment of the present application.
  • the communication apparatus 1000 includes a processor 1001 and a transceiver 1002.
  • the communication apparatus 1000 further includes a memory 1003 .
  • the processor 1001, the transceiver 1002 and the memory 1003 can communicate with each other through an internal connection path to transmit control and/or data signals.
  • the processor 1001 invokes and executes the computer program to control the transceiver 1002 to send and receive signals.
  • the communication apparatus 1000 may further include an antenna for transmitting the signaling output by the transceiver 1002 through wireless signals.
  • the above-mentioned processor 1001 and the memory 1003 may be combined into a processing device, and the processor 1001 is configured to execute the program codes stored in the memory 1003 to realize the above-mentioned functions.
  • the memory 1003 may also be integrated in the processor 1001 or be independent of the processor 1001.
  • the communication apparatus 1000 may correspond to various embodiments of the methods according to the embodiments of the present application.
  • each unit in the communication apparatus 1000 and the other operations and/or functions mentioned above are respectively for realizing the corresponding flow in each embodiment of the method.
  • the foregoing processor 1001 may be configured to perform one or more execution actions implemented by the first mobility management network element or the second mobility management network element described in the foregoing method embodiments, and the transceiver 1002 may be configured to execute the foregoing method embodiments.
  • the above-mentioned communication apparatus 1000 may further include a power supply for providing power to various devices or circuits in the communication apparatus.
  • the information transmission device in each of the above device embodiments may completely correspond to the first mobility management network element or the second mobility management network element in the method embodiments, and corresponding steps are performed by corresponding modules or units.
  • the above-mentioned receiving module may be an interface circuit used by the chip to receive signals from other chips or devices.
  • the above unit for sending is an interface circuit of the device, which is used to send signals to other devices.
  • the above-mentioned sending module may be an interface circuit used by the chip to send signals to other chips or devices.
  • The processor in the embodiment of the present application may be a CPU, or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the memory in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
  • Volatile memory may be random access memory (RAM), which acts as an external cache.
  • Many forms of RAM are available, for example static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM).
  • An embodiment of the present application further provides a communication system, and the communication system includes: any one of the first mobility management network elements or the second mobility management network elements provided in the above embodiments of the present application.
  • Embodiments of the present application further provide a computer-readable medium for storing computer program code, where the computer program includes instructions for executing the method performed by the first mobility management network element or the method performed by the second mobility management network element in the above method.
  • the readable medium may be a ROM or a RAM, which is not limited in this embodiment of the present application.
  • The present application also provides a computer program product, which includes instructions; when the instructions are executed, the first mobility management network element or the second mobility management network element respectively executes the operations corresponding to it in the above method.
  • Embodiments of the present application further provide a system chip, which includes: a processing unit and a communication unit, where the processing unit may be, for example, a processor, and the communication unit may be, for example, an input/output interface, a pin, or a circuit.
  • the processing unit can execute computer instructions, so that the communication device to which the chip is applied executes the operations of the first mobility management network element or the second mobility management network element in the methods provided in the foregoing embodiments of the present application.
  • any of the communication apparatuses provided in the foregoing embodiments of the present application may include the system chip.
  • the computer instructions are stored in a storage unit.
  • the storage unit is a storage unit in the chip, such as a register, a cache, etc.
  • the storage unit can also be a storage unit located outside the chip in the communication device, such as a ROM or a storage unit that can store static information and instructions.
  • the processor mentioned in any one of the above may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits used to control the program execution of the above-mentioned method for transmitting feedback information.
  • the processing unit and the storage unit can be decoupled, disposed on different physical devices, and connected in a wired or wireless manner to implement their respective functions, so as to support the system chip in implementing the various functions of the above embodiments.
  • the processing unit and the memory may also be coupled on the same device.
  • the processor in the embodiments of the present application may be a CPU, and the processor may also be other general-purpose processors, DSP, ASIC, FPGA or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the size of the sequence numbers of the above-mentioned processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
  • the disclosed system, communication apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the functions, if implemented in the form of software functional units and sold or used as independent products, may be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions used to cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the various embodiments of the present application.

Abstract

Provided by the present application are an information transmission method and apparatus, relating to the technical field of communications, and solving the problem of security context synchronization when mobility management entity (MME) handover occurs in a terminal device. The method comprises: a first mobility management network element receiving a tracking area update (TAU) request message from a terminal device, said terminal device being handed over from a second network to a first network, said first mobility management network element belonging to said first network; according to the TAU request message, the first mobility management network element setting a security context used between the first mobility management network element and the terminal device to be a native security context.

Description

Information transmission method and apparatus
Technical field
The present application relates to the field of communication technologies, and in particular to an information transmission method and apparatus.
Background
With the rapid development of wireless communication technology, the fifth generation (5G) mobile communication network (referred to as the 5G network) has emerged, and the 5G network can coexist and interwork with the existing fourth generation (4G) network. After a user equipment has been handed over from the 5G network to the 4G network, a further move of the user equipment may trigger a handover between mobility management entities (MMEs). For example, when a user equipment (UE) is handed over from MME1 to MME2, MME2 checks the key set identifier (key set identifier in E-UTRAN, eKSI) carried in the tracking area update (TAU) request that the UE subsequently sends; if the security context type it indicates for the UE is inconsistent with the one MME2 holds locally, MME2 rejects the UE's TAU request, so that the UE can only re-access the network after an interval, which affects the service continuity of the user equipment. The eKSI identifies the security context corresponding to the 4G network.
A security context is either of the mapped type or of the native type. A native security context is one generated within a communication system and used only within that system, for example a local security context used within the 4G network, or a local security context negotiated after authentication in the 5G network. A mapped security context is one generated within a communication system and, after derivation or processing, used by another communication system.
For example, after a UE moves from the 5G network to the 4G network, the core access and mobility management function (AMF) in the 5G network derives a mapped security context from the native security context used within the 5G network and sends the mapped security context to MME1. The eKSI held by the UE and by MME1 therefore denotes a mapped security context. When the UE's movement triggers a handover from MME1 to MME2, MME2 determines the security context received from MME1 to be a native security context, whereas the eKSI carried in the TAU request message sent by the UE tells MME2 that the UE is using a mapped security context. MME2 cannot find a mapped security context locally, so its verification of the UE's TAU message fails and it sends a reject message to the UE. The reject message may further carry a reject indication instructing the UE to access again only after an interval, which clearly has a severe effect on the continuity of the UE's services.
Summary of the invention
Embodiments of the present application provide an information transmission method and apparatus, so as to solve the problem of security context synchronization of a terminal device when an MME handover occurs.
To achieve the above purpose, the embodiments of the present application adopt the following technical solutions:
In a first aspect, an embodiment of the present application provides an information transmission method applied to a first mobility management network element. The method includes: receiving a tracking area update (TAU) request message from a user equipment, the user equipment having been handed over from a second network to a first network, and the first mobility management network element belonging to the first network; and, according to the TAU request message, setting the security context used between the first mobility management network element and the user equipment to a native security context.
In the above technical solution, when the user equipment has been handed over from the second network to the first mobility management network element of the first network, the first mobility management network element can, according to the TAU request message, unify the security context used between itself and the user equipment as a native security context, that is, a context used within the first network. Consequently, when the user equipment later needs to be handed over from the first mobility management network element to another mobility management network element of the first network for reasons such as movement, a rejection of the user equipment's access by that other mobility management network element due to an unsynchronized security context is avoided, the service continuity of the user equipment is guaranteed, and communication performance is improved.
In addition, the user equipment in the embodiments of the present application is only an example; it may be another type of terminal device.
In a possible implementation, setting the security context used between the first mobility management network element and the user equipment to a native security context includes: the first mobility management network element authenticating the user equipment.
In the above possible implementation, the first mobility management network element unifies the security context used with the user equipment as a native security context; specifically, the first mobility management network element triggers authentication of the user, after which the security context can be unified as the native type used within the first network. The security contexts between the user equipment and the first mobility management network element, as well as the other mobility management network elements of the first network, are thereby synchronized, so that when the user equipment needs to be handed over from the first mobility management network element to another mobility management network element of the first network for reasons such as movement, a rejection of the user equipment on accessing that other mobility management network element is avoided and the service continuity of the user equipment is guaranteed.
In a possible implementation, the TAU request message includes status information of the user equipment, and the first mobility management network element authenticating the user equipment specifically includes: the first mobility management network element authenticating the user equipment if the status information indicates that the user equipment was handed over from the second network to the first network, or the status information indicates mobility management registration information of the user equipment in the second network, or the status information indicates that the user equipment has the network security capability of the second network, or the status information indicates that the user equipment has the N1 interface capability of the second network.
In the above possible implementation, the first mobility management network element can trigger authentication of the user equipment according to the above status information confirming that the user equipment was handed over from the second network to the first network, thereby unifying the security context used between the first mobility management network element and the user equipment as the native type. When the user equipment needs to be handed over from the first mobility management network element to another mobility management network element of the first network for reasons such as movement, a rejection of the user equipment's access by that other mobility management network element due to an unsynchronized security context is avoided and the service continuity of the user equipment is improved. Moreover, the condition that triggers authentication of the user equipment is highly flexible and easy to implement.
In a possible implementation, setting the security context used between the first mobility management network element and the user equipment to a native security context according to the TAU request message specifically includes: the first mobility management network element determining an identifier of the user equipment according to the TAU request message; the first mobility management network element determining, according to the identifier of the user equipment, that the location of the user equipment has changed; and the first mobility management network element authenticating the user equipment.
In the above possible implementation, the first mobility management network element can determine, from the change in the user equipment's location, that a handover between mobility management network elements will occur for the user equipment, and thereby trigger authentication of the user equipment so that the security context used between the first mobility management network element and the user equipment is of the native type. Thus, when the user equipment needs to be handed over from the first mobility management network element to another mobility management network element of the first network for reasons such as movement, a rejection of the user equipment's access by that other mobility management network element due to an unsynchronized security context is avoided and the service continuity of the user equipment is improved.
In a possible implementation, the first mobility management network element determining, according to the identifier of the user equipment, that the location information of the user equipment has changed specifically includes: the first mobility management network element determining, according to the identifier of the user equipment, that the user equipment needs to be handed over to a second mobility management network element.
In a possible implementation, setting the security context used between the first mobility management network element and the user equipment to a native security context according to the TAU request message includes: determining an identifier of the user equipment according to the TAU request message, the TAU request message including the identifier; determining, according to the identifier, first indication information corresponding to the identifier, the indication information coming from an AMF; and determining, according to the first indication information, to authenticate the user equipment.
In the above possible implementation, the first mobility management network element can trigger authentication of the user equipment according to the first indication information, which improves the flexibility of security context synchronization and the service continuity of the user equipment.
In a possible implementation, the first indication information is at least one of authentication indication information, a 5G access type, or a tunnel identifier.
In the above possible implementation, the first mobility management network element can determine, from at least one of the authentication indication information, the 5G access type, or the tunnel identifier, that the user equipment was handed over from the 5G network to the first network, and thereby trigger authentication of the user equipment. When the user equipment needs to be handed over from the first mobility management network element to another mobility management network element of the first network for reasons such as movement, a rejection of the user equipment's access by that other mobility management network element due to an unsynchronized security context is avoided, which improves the flexibility of security context synchronization and the service continuity of the user equipment.
In a possible implementation, the first network is a 4G network and the second network is a 5G network.
In a second aspect, an information transmission method applied to a first mobility management network element is provided. The method includes: the first mobility management network element determining that a user equipment was handed over from a second network to a first network, the first network including the first mobility management network element and a second mobility management network element; and the first mobility management network element sending second indication information to the second mobility management network element, the second indication information indicating a mapped security context of the user equipment, or instructing the second mobility management network element to authenticate the user equipment.
In the above possible implementation, in the scenario where the user equipment has been handed over from the second network to the first network and then a handover from the first mobility management network element to the second mobility management network element occurs, the first mobility management network element can send the second indication information to the second mobility management network element, so that the second mobility management network element can, according to that indication, synchronize the security context used between itself and the user equipment, thereby avoiding a rejection of the user equipment's access and improving the service continuity of the user equipment.
In a possible implementation, the second indication information includes at least one of the following: a 5G security algorithm, a 5G radio access type, a 5G or next-generation radio security capability, or a tunnel identifier.
In the above possible implementation, the first mobility management network element can send 5G-network-related indication information to the second mobility management network element to indicate that the user equipment was handed over from the 5G network to the first network, so that the second mobility management network element can synchronize the security context with the user equipment on the basis of that indication information.
In a possible implementation, the first network is a 4G network and the second network is a 5G network.
In a third aspect, an information transmission method applied to a second mobility management network element is provided. The second mobility management network element belongs to a first network, the first network further includes a first mobility management network element, and the user equipment is a user equipment that was handed over from a second network to the first network. The method includes: determining that the user equipment is handed over from the first mobility management network element to the second mobility management network element; receiving second indication information from the first mobility management network element, the second indication information indicating that the security context of the user equipment is a mapped security context, or instructing the second mobility management network element to authenticate the user equipment; and determining, according to the second indication information, the security context used between the second mobility management network element and the user equipment.
In the above possible implementation, in the scenario where the user equipment has been handed over from the second network to the first network and then a handover from the first mobility management network element to the second mobility management network element occurs, the second mobility management network element can, on receiving the second indication information from the first mobility management network element, determine how to synchronize the security context with the user equipment, thereby avoiding a rejection of the user equipment's access by the second mobility management network element, improving the service continuity of the user equipment and improving communication performance.
In a possible implementation, the second indication information indicates that the security context of the user equipment is a mapped security context, and determining the security context used between the second mobility management network element and the user equipment according to the second indication information includes: determining that the security context used between the second mobility management network element and the user equipment is the mapped security context.
In the above possible implementation, because the second indication information indicates that the security context of the user equipment is a mapped security context, the second mobility management network element can ignore the locally stored security context type and directly determine that the security context used with the user equipment is the mapped security context, thereby avoiding a rejection of the user equipment's access by the second mobility management network element and improving the service continuity of the user equipment.
In a possible implementation, the second indication information includes at least one of a 5G security algorithm, a 5G radio access type, a 5G or next-generation network security capability, or a tunnel identifier, and determining the security context used between the second mobility management network element and the user equipment according to the second indication information includes: determining that the security context used between the second mobility management network element and the user equipment is the mapped security context.
In the above possible implementation, the second mobility management network element can determine from the above indication information that the user equipment was handed over from the 5G network to the first network, which improves the flexibility of configuring the second indication information, makes security context synchronization easier to implement, and improves the service continuity of the user equipment.
In a possible implementation, the second indication information instructs the second mobility management network element to authenticate the user equipment, and determining the security context used between the second mobility management network element and the user equipment according to the second indication information includes: the second mobility management network element authenticating the user equipment and setting the security context used between the second mobility management network element and the user equipment to a local native security context.
In the above possible implementation, the second mobility management network element can also authenticate the user equipment according to the second indication information; after authentication, the security context used between the second mobility management network element and the user equipment is unified as a local native security context, which avoids a rejection of the user equipment's access request and guarantees the service continuity of the user.
In a possible implementation, the first network is a 4G network and the second network is a 5G network.
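As an added example (not code from the application or from any MME implementation), the following Python model reproduces the eKSI type mismatch from the background section and then the remedies of the first aspect (MME1 re-authenticates the UE on the TAU request after the inter-system change, so UE and MME hold a native context before any MME change) and of the second and third aspects (MME1 sends MME2 a second indication of "mapped" or "authenticate"). The eKSI is modelled as a (type, key set identifier) pair, and the key derivation, IMSI, MME names and indication strings are all constructed for the example.

```python
"""Model of the eKSI mismatch after a 5G-to-4G handover followed by an MME change,
and of the remedies described in the first, second and third aspects.
Constructed example: key derivation, identifiers and message fields are simplified."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional
import hashlib
import secrets


class Tsc(Enum):
    """Type-of-security-context flag carried with the eKSI."""
    NATIVE = 0
    MAPPED = 1


@dataclass(frozen=True)
class Eksi:
    """eKSI as a (type, key set identifier) pair; UE and MME must hold the same pair."""
    tsc: Tsc
    ksi: int


@dataclass
class SecurityContext:
    eksi: Eksi
    kasme: bytes  # constructed key material, not real EPS key derivation


@dataclass
class Ue:
    imsi: str
    ctx: Optional[SecurityContext] = None
    inter_system_change: bool = False  # "status information": came from the 5G network


@dataclass
class Mme:
    name: str
    store: Dict[str, SecurityContext] = field(default_factory=dict)

    def authenticate(self, ue: Ue) -> SecurityContext:
        """Modelled EPS AKA run: afterwards both sides hold a fresh native context."""
        ctx = SecurityContext(Eksi(Tsc.NATIVE, secrets.randbelow(7)), secrets.token_bytes(32))
        self.store[ue.imsi] = ctx
        ue.ctx = ctx
        return ctx

    def handle_tau(self, ue: Ue, reauth_after_isc: bool = False) -> str:
        """Compares the eKSI in the TAU request with the locally stored context.
        With reauth_after_isc=True (first aspect) the MME authenticates the UE first
        when the status information shows a handover from the second network."""
        if reauth_after_isc and ue.inter_system_change:
            self.authenticate(ue)
            ue.inter_system_change = False
        local = self.store.get(ue.imsi)
        if local is None or ue.ctx is None or local.eksi != ue.ctx.eksi:
            return "TAU reject"
        return "TAU accept"


def amf_handover_to_4g(ue: Ue, mme: Mme) -> None:
    """The AMF derives a mapped EPS context from the 5G native context and gives it to MME1."""
    five_g_native_key = secrets.token_bytes(32)  # constructed stand-in for the 5G key
    mapped = SecurityContext(
        Eksi(Tsc.MAPPED, 0),
        hashlib.sha256(b"constructed-mapping" + five_g_native_key).digest(),
    )
    mme.store[ue.imsi] = mapped
    ue.ctx = mapped
    ue.inter_system_change = True


def mme_change(src: Mme, dst: Mme, ue: Ue, indication: Optional[str] = None) -> None:
    """Context transfer from MME1 to MME2. `indication` models the second indication
    information: "mapped" keeps the received type, "authenticate" runs a fresh AKA."""
    ctx = src.store[ue.imsi]
    if indication == "authenticate":
        dst.authenticate(ue)
    elif indication == "mapped":
        dst.store[ue.imsi] = ctx
    else:
        # Behaviour the background section describes: MME2 treats the received
        # context as native regardless of how MME1 and the UE labelled it.
        dst.store[ue.imsi] = SecurityContext(Eksi(Tsc.NATIVE, ctx.eksi.ksi), ctx.kasme)


def scenario(remedy: Optional[str]) -> str:
    """Runs 5G -> MME1 -> MME2 and returns the outcome of the UE's TAU at MME2.
    remedy: None (problem as described), "reauth" (first aspect),
    "mapped" or "authenticate" (second/third aspects)."""
    ue, mme1, mme2 = Ue("constructed-imsi-001"), Mme("MME1"), Mme("MME2")
    amf_handover_to_4g(ue, mme1)
    mme1.handle_tau(ue, reauth_after_isc=(remedy == "reauth"))
    mme_change(mme1, mme2, ue, indication=None if remedy == "reauth" else remedy)
    return mme2.handle_tau(ue)


if __name__ == "__main__":
    for r in (None, "reauth", "mapped", "authenticate"):
        print(f"remedy={str(r):<12} -> {scenario(r)}")
```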
In a fourth aspect, an information transmission apparatus is provided. The apparatus includes: a receiving module, configured to receive a tracking area update (TAU) request message from a user equipment, the user equipment having been handed over from a second network to a first network and the apparatus belonging to the first network; and a processing module, configured to set the security context used between the apparatus and the user equipment to a native security context according to the TAU request message.
In a possible implementation, the processing module is specifically configured to authenticate the user equipment.
In a possible implementation, the TAU request message includes status information of the user equipment, and the processing module is specifically configured to authenticate the user equipment if the status information indicates that the user equipment was handed over from the second network to the first network, or the status information indicates mobility management registration information of the user equipment in the second network, or the status information indicates that the user equipment has the network security capability of the second network, or the status information indicates that the user equipment has the N1 interface capability of the second network.
In a possible implementation, according to the TAU request message, the processing module is specifically configured to: determine an identifier of the user equipment according to the TAU request message; determine, according to the identifier of the user equipment, that the location of the user equipment has changed; and authenticate the user equipment.
In a possible implementation, the processing module is specifically configured to determine, according to the identifier of the user equipment, that the user equipment needs to be handed over to a second mobility management network element.
In a possible implementation, the processing module is specifically configured to: determine an identifier of the user equipment according to the TAU request message, the TAU request message including the identifier; determine, according to the identifier, first indication information corresponding to the identifier, the first indication information coming from a core access and mobility management function (AMF) network element; and determine, according to the first indication information, to authenticate the user equipment.
In a possible implementation, the first indication information is at least one of authentication indication information, a 5G access type, or a tunnel identifier.
In a possible implementation, the first network is a 4G network and the second network is a 5G network.
In a fifth aspect, an information transmission apparatus is provided. The apparatus includes: a processing module, configured to determine that a user equipment was handed over from a second network to a first network and to determine that the user equipment is handed over from the first mobility management network element to a second mobility management network element, the first network including the apparatus and the second mobility management network element; and a sending module, configured to send second indication information to the second mobility management network element, the second indication information indicating a mapped security context of the user equipment, or instructing the second mobility management network element to authenticate the user equipment.
In a possible implementation, the second indication information includes at least one of the following: a 5G security algorithm, a 5G radio access type, a 5G or next-generation radio security capability, or a tunnel identifier.
In a possible implementation, the first network is a 4G network and the second network is a 5G network.
In a sixth aspect, an information transmission apparatus is provided. The apparatus belongs to a first network, the first network further includes a first mobility management network element, and the user equipment is a user equipment that was handed over from a second network to the first network. The apparatus includes: a processing module, configured to determine that the user equipment is handed over from the first mobility management network element to the apparatus; and a receiving module, configured to receive second indication information from the first mobility management network element, the second indication information indicating that the security context of the user equipment is a mapped security context, or instructing the apparatus to authenticate the user equipment; the processing module is further configured to determine, according to the second indication information, the security context used between the apparatus and the user equipment.
In a possible implementation, the processing module is specifically configured to: when the second indication information indicates that the security context of the user equipment is a mapped security context, determine that the security context used between the apparatus and the user equipment is the mapped security context.
In a possible implementation, the processing module is specifically configured to: when the second indication information includes at least one of a 5G security algorithm, a 5G radio access type, a 5G or next-generation network security capability, or a tunnel identifier, determine that the security context used between the apparatus and the user equipment is the mapped security context.
In a possible implementation, the processing module is specifically configured to: when the second indication information instructs the apparatus to authenticate the user equipment, authenticate the user equipment and set the security context used between the apparatus and the user equipment to a local native security context.
In a possible implementation, the first network is a 4G network and the second network is a 5G network.
In a seventh aspect, a communication apparatus is provided. The communication apparatus includes a processor and a transmission interface, where the processor is configured to execute instructions stored in a memory, so that the apparatus performs the method according to any one of the first aspect.
In an eighth aspect, a computer-readable storage medium is provided, including a program or instructions; when the program or instructions are run by a processor, the method according to any one of the first aspect is performed.
In a ninth aspect, a computer program product is provided; when the computer program product runs on a computer or a processor, the computer or the processor is caused to perform the method according to any one of the first aspect.
In a tenth aspect, a communication apparatus is provided. The communication apparatus includes a processor and a transmission interface, where the processor is configured to execute instructions stored in a memory, so that the apparatus performs the method according to any one of the second aspect.
In an eleventh aspect, a computer-readable storage medium is provided, including a program or instructions; when the program or instructions are run by a processor, the method according to any one of the second aspect is performed.
In a twelfth aspect, a computer program product is provided; when the computer program product runs on a computer or a processor, the computer or the processor is caused to perform the method according to any one of the second aspect.
In a thirteenth aspect, a communication apparatus is provided. The communication apparatus includes a processor and a transmission interface, where the processor is configured to execute instructions stored in a memory, so that the apparatus performs the method according to any one of the third aspect.
In a fourteenth aspect, a computer-readable storage medium is provided, including a program or instructions; when the program or instructions are run by a processor, the method according to any one of the third aspect is performed.
In a fifteenth aspect, a computer program product is provided; when the computer program product runs on a computer or a processor, the computer or the processor is caused to perform the method according to any one of the third aspect.
In a sixteenth aspect, a communication system is provided, including the apparatus according to any one of the second aspect and the apparatus according to any one of the third aspect.
It can be understood that any of the information transmission methods, communication apparatuses, communication systems, computer-readable storage media or computer program products provided above can be implemented by the corresponding method provided above; therefore, for the beneficial effects they can achieve, reference may be made to the beneficial effects of the corresponding methods provided above, which are not repeated here.
Description of drawings
FIG. 1 is a schematic diagram of a communication system according to an embodiment of this application;
FIG. 2 is a schematic flowchart of an information transmission method according to an embodiment of this application;
FIG. 3 is a first implementation flowchart of an information transmission method according to an embodiment of this application;
FIG. 4 is a schematic flowchart of another information transmission method according to an embodiment of this application;
FIG. 5 is a second implementation flowchart of an information transmission method according to an embodiment of this application;
FIG. 6 is a third implementation flowchart of an information transmission method according to an embodiment of this application;
FIG. 7 is a schematic diagram of an information transmission apparatus according to an embodiment of this application;
FIG. 8 is a schematic diagram of another information transmission apparatus according to an embodiment of this application;
FIG. 9 is a schematic diagram of another information transmission apparatus according to an embodiment of this application;
FIG. 10 is a schematic diagram of a communication apparatus according to an embodiment of this application.
Detailed description of embodiments
The terms "first", "second", "third" and the like in the specification, claims and drawings of this application are used to distinguish different objects, not to define a particular order. In the embodiments of this application, words such as "exemplary" or "for example" are used to mean serving as an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as preferred over or more advantageous than other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the related concepts in a concrete manner.
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings in the embodiments of this application. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of this application without creative effort fall within the protection scope of this application.
First, to facilitate understanding of this application, the related technologies involved in the embodiments of this application are described.
Interworking architecture of 4G and 5G networks:
FIG. 1 is a schematic diagram of the existing interworking architecture of 4G and 5G networks. The 4G network and the 5G network share a user plane function (UPF) network element + PDN gateway user plane function (PGW-U) network element, a session management function (SMF) network element + PDN gateway control plane function (PGW-C) network element, a policy control function (PCF) network element + policy and charging rules function (PCRF) network element, and a home subscriber server (HSS) + unified data management (UDM) network element. Here "+" denotes co-deployment: the UPF is the user plane function of the 5G network and the PGW-U is the corresponding gateway user plane function of the 4G network; the SMF is the session management function of the 5G network and the PGW-C is the corresponding gateway control plane function of the 4G network; the PCF is the policy control function of the 5G network and the PCRF is the corresponding policy and charging rules function of the 4G network. In the embodiments of this application, for ease of description, the HSS+UDM network element is referred to as the user data management network element and the PGW-C network element + SMF network element is referred to as the control plane function network element; this is stated once here and not repeated below. Of course, the co-deployed network devices above may also be given other names, which is not specifically limited in the embodiments of this application.
In addition, as shown in FIG. 1, the above interworking architecture of 4G and 5G networks may further include the MME and serving gateway (SGW) of the 4G network, and the AMF network element of the 5G network. Optionally, the interworking architecture may further include a network slice selection function (NSSF) network element. When the AMF network element cannot select a network slice for the terminal, the AMF network element may request the NSSF network element to select a network slice for the terminal, which is not specifically limited in the embodiments of this application.
The terminal accesses the 4G network through evolved universal terrestrial radio access network (E-UTRAN) equipment and accesses the 5G network through next generation radio access network (NG-RAN) equipment. The E-UTRAN equipment communicates with the MME over the S1-MME interface and with the SGW over the S1-U interface; the MME communicates with the SGW over the S11 interface, with the user data management network element over the S6a interface, and with the AMF network element over the N26 interface; the SGW communicates with the PGW-U network element + UPF network element over the S5-U interface and with the PGW-C network element + SMF network element over the S5-C interface; the PGW-U network element + UPF network element communicates with the NG-RAN equipment over the N3 interface and with the PGW-C network element + SMF network element over the N4 interface; the PGW-C network element + SMF network element communicates with the PCRF network element + PCF network element over the N7 interface; the HSS+UDM network element communicates with the PGW-C network element + SMF network element over the N10 interface and with the AMF network element over the N8 interface; the PCRF network element + PCF network element communicates with the AMF network element over the N15 interface; the PGW-C network element + SMF network element communicates with the AMF network element over the N11 interface; the AMF network element communicates with the NG-RAN equipment over the N2 interface and with the terminal over the N1 interface.
It should be noted that the interface names between the network elements in FIG. 1 are only examples; in a specific implementation the interfaces may have other names, which is not specifically limited in the embodiments of this application.
It should be noted that the NG-RAN equipment in the 5G network may also be called an access device, meaning a device through which the core network is accessed, for example a base station, a broadband network gateway (BNG), an aggregation switch, a non-3GPP access device, and so on. Base stations may take various forms, for example macro base stations, micro base stations (also called small cells), relay stations, access points and the like, which is not specifically limited in the embodiments of this application.
Of course, the 4G and 5G networks may also contain other network elements. For example, the 4G network may further include a serving GPRS support node (SGSN) of the general packet radio system (GPRS), and the 5G network may further include an authentication server function (AUSF) network element, which is not specifically limited in the embodiments of this application.
The network architecture and service scenarios described in the embodiments of this application are intended to explain the technical solutions of the embodiments more clearly and do not limit the technical solutions provided in the embodiments. A person of ordinary skill in the art will know that, as the network architecture evolves and new service scenarios emerge, the technical solutions provided in the embodiments of this application are equally applicable to similar technical problems.
With reference to the communication system architecture shown in FIG. 1, this application mainly applies to the scenario of interworking between a 5G network and a 4G network: after the user equipment is handed over from the 5G network to the 4G network, if the user equipment again undergoes a handover between MMEs, its access may be rejected because the security contexts are out of sync. Here, handover refers to the process by which, when the user equipment moves from the coverage area of one base station to that of another during communication, or when communication quality degrades because of external interference, the connection is transferred to a new channel so that the service continues.
The renewed handover of the user equipment between MMEs mainly covers the following Scenario 1 and Scenario 2. Scenario 1: after the user equipment moves from the AMF of the 5G network to MME1 of the 4G network, when MME1 determines that the movement of the user equipment requires a further handover from MME1 to MME2, the security context carried in the relocation request message sent by MME1 to MME2 is a mapped security context. In the specific implementation of the prior art, however, MME2 does not obtain the type of that security context; because the relocation request message comes from MME1 of the 4G network, it treats the security context as a native security context, that is, stores it as native. Consequently, after MME2 receives the TAU request sent by the user equipment, the mapped security context carried in the TAU request is inconsistent with the locally stored native security context for that user equipment, so MME2 rejects the TAU request and sends a rejection indication, for example possibly TAU#9, and the user equipment can only attempt access again after an interval, which seriously affects the continuity of the UE's service.
Scenario 2: after the user equipment moves from the AMF of the 5G network to MME1 of the 4G network, the user equipment establishes a non-access stratum (NAS) connection with MME1, then enters idle state and moves while idle. When the user equipment moves out of the coverage of MME1, it sends a TAU request message to MME2; MME2 determines from the user identifier carried in the TAU request message that the user equipment comes from MME1, and therefore requests the security context from MME1. MME1 replies to MME2 with a security context response message. Likewise, in the specific implementation of the prior art, MME2 does not obtain the type of that security context and does not know whether the received security context is native or mapped. Because the security context response message comes from MME1 of the 4G network, MME2 treats the context as native, that is, stores it as a native security context. Consequently, the mapped security context carried in the TAU request is inconsistent with the locally stored native security context for that user equipment, so MME2 rejects the TAU request and sends a rejection indication, for example possibly TAU#9, and the user equipment can only attempt access again after an interval, which seriously affects the continuity of the UE's service.
With reference to the communication network structure of FIG. 1 and the scenarios above, this application provides an information transmission method to solve the problem of security context synchronization when the user equipment undergoes an MME handover, avoiding the situation in which the user equipment's access is rejected because the security contexts are out of sync. As shown in FIG. 2, the method may include:
201: The first mobility management network element receives a tracking area update (TAU) request message from the user equipment.
The user equipment has been handed over from the second network to the first network, and the first mobility management network element belongs to the first network.
In one implementation, the first network may be a 4G network, the second network may be a 5G network, and the first mobility management network element may be MME1; that is, the user equipment has been handed over from the 5G network to MME1 of the 4G network and connects through it. Alternatively, in one implementation, the first network may be a 5G network and the second network may be a next-generation or previous-generation mobile communication network, for example a sixth generation (6G) network or a 4G network. This application does not specifically limit this.
In one implementation, the mobility management network element may specifically be the MME shown in FIG. 1, or another network element with similar functions. This application does not specifically limit this.
202: The first mobility management network element sets, according to the TAU request message, the security context used between the first mobility management network element and the user equipment to a native security context.
Specifically, setting the security context used between the first mobility management network element and the user equipment to a native security context in step 202 may include:
The first mobility management network element triggers authentication of the user equipment, so that the security context between the first MME and the user equipment is unified as a native security context.
In one implementation, the TAU request message may include state information of the user equipment, and the first mobility management network element determining to trigger authentication of the user equipment may specifically include at least one of the following:
1. If the state information of the user equipment indicates that the user equipment has been handed over from the second network to the first network, the first mobility management network element authenticates the user equipment.
For example, the TAU request message may include indication information indicating that the user equipment has been handed over from the 5G network to the 4G network, or indicating that the TAU request message is the TAU request sent by the user equipment after being handed over from the 5G network to the 4G network. MME1 then triggers authentication of the UE.
Specifically, authentication may be performed through the authentication and key agreement (AKA) protocol. For example, if MME1 does not hold the international mobile subscriber identity (IMSI) of the UE, MME1 sends an identity request message to the UE; after obtaining the IMSI from the UE, it sends the IMSI to the home subscriber server (HSS), obtains an authentication vector, and then performs authentication. Alternatively, if MME1 already holds the IMSI, or has requested and obtained it from another MME, it sends the IMSI to the HSS and, after obtaining the authentication vector, performs authentication.
For the specific authentication procedure, reference may be made to the description in the related art, which is not specifically limited in this application.
2. If the state information of the user equipment indicates the mobility management registration information of the user equipment in the second network, the first mobility management network element authenticates the user equipment.
For example, the state information in the TAU request message may be mobility management registration information, such as a UE status, which indicates whether the UE has registered with 5G mobility management (5GMM). If the UE has registered with 5GMM, MME1 determines that the security context corresponding to the UE is mapped.
3. If the state information of the user equipment indicates that the user equipment has the network security capability of the second network, the first mobility management network element authenticates the user equipment.
For example, the TAU request message may include the network security capability of the user equipment, such as the UE 5G security capability or the next-generation radio security capability.
4. If the state information of the user equipment indicates that the user equipment has the capability of the N1 interface of the second network, the first mobility management network element authenticates the user equipment.
For example, the N1 interface is the interface between the UE and the AMF.
In another implementation, in step 202 above, the first mobility management network element setting, according to the TAU request message, the security context used between the first mobility management network element and the user equipment to a native security context may further include:
Step1: The first mobility management network element determines the identifier of the user equipment according to the TAU request message.
The TAU request message may carry the identifier of the user equipment, for example a globally unique temporary UE identity (GUTI) or an international mobile subscriber identity (IMSI).
Step2: The first mobility management network element determines, according to the identifier, first indication information corresponding to the identifier.
The first indication information may specifically be authentication indication information, a tunnel identifier, or an access type.
The authentication indication information, tunnel identifier, or access type is used to indicate that the user equipment is to be authenticated, and the first indication information comes from the AMF network element.
MME1 may determine to trigger authentication of the user according to the authentication indication information, the tunnel identifier, or the access type. For example, if the tunnel identifier shows that the peer is a 5G network, or the access type shows a 5G network access mode, authentication of the user is triggered.
It should be noted that the authentication indication information may be carried in a forward relocation request message from the AMF received before the first mobility management network element receives the TAU request from the user equipment. The authentication indication information may be used to indicate that the user equipment comes from the 5G network, so that authentication can be triggered for the device to synchronize the security context. The specific implementation flow is described in the detailed embodiments below and is not repeated here.
Alternatively, the authentication indication information may be obtained after the first mobility management network element receives the TAU request from the user equipment: the first mobility management network element sends a context request message to the AMF, and the authentication indication information is carried in the context response message sent back by the AMF. The authentication indication information may be used to indicate that the user equipment comes from the 5G network, so that authentication can be triggered for the device to synchronize the security context. The specific implementation flow is described in the detailed embodiments below and is not repeated here.
In one implementation, the first indication information may also be a tunnel identifier, where the tunnel identifier is used to indicate that the AMF is an AMF within the 5G network; it may be a GTP-C tunnel identifier.
In addition, the first indication information may also be an access type, indicating that the current network access is 5G network access or a 5G radio network access type; or it may be a RAT type.
Step3: The first mobility management network element determines to authenticate the user equipment according to the first indication information.
MME1 determines the first indication information corresponding to the UE according to the UE's identifier, then triggers authentication with the UE, establishing a unified native security context between MME1 and the UE, and only afterwards performs the handover procedure from MME1 to MME2.
Through the above implementation of this application, when the user equipment is handed over from the second network to the first network and then moves, so that a handover between mobility management network elements (MMEs) is needed, the MME can trigger authentication of the user equipment. For example, when the user equipment is handed over from MME1 to MME2, MME1 may trigger authentication of the user equipment. In the prior art this authentication procedure is not mandatory; in the embodiments of this application it is determined that, in this scenario, the MME triggers authentication of the user equipment in order to synchronize the type of the security context.
After authentication, the security context held between the user equipment and MME1 is native, so when the handover procedure from MME1 to MME2 is subsequently performed, no security context type inconsistency arises; the user equipment is not refused access by MME2 because of an inconsistent security context, which improves the service continuity of the user equipment.
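The MME1 decision described in steps 201 and 202 above, as an added example that is not the patent's code and not a 3GPP implementation: the TAU field names, the per-UE table of first indication information and the HMAC challenge/response used in place of EPS AKA are all constructed for this illustration. It shows which TAU contents (conditions 1 to 4) and which stored first indication information (Step1 to Step3) make MME1 trigger authentication, and that the context MME1 holds for the UE afterwards is native.

```python
"""Model of MME1 deciding whether to authenticate a UE on a TAU request.

Added illustration, not the patent's code. The challenge/response below
is a simplified stand-in for EPS AKA (it is not MILENAGE); the keys and
UE identifiers are constructed sample values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional

NATIVE = "native"
MAPPED = "mapped"


@dataclass(frozen=True)
class TauRequest:
    ue_id: str                                # GUTI or IMSI
    handover_from_5g: bool = False            # condition 1: state info says UE came from 5G
    registered_in_5gmm: bool = False          # condition 2: UE status shows a 5GMM registration
    has_5g_security_capability: bool = False  # condition 3: UE 5G / NG security capability present
    supports_n1: bool = False                 # condition 4: UE has N1 interface capability


@dataclass(frozen=True)
class FirstIndication:
    """Per-UE indication received earlier from the AMF (forward relocation
    request) or fetched from it afterwards (context response)."""
    authenticate: bool = False      # explicit authentication indication
    tunnel_id_is_5g: bool = False   # GTP-C tunnel identifier points at a 5G AMF
    rat_type_is_5g: bool = False    # access / RAT type is 5G


def tau_requires_authentication(req: TauRequest) -> bool:
    """Conditions 1 to 4 from the text; any one of them is enough."""
    return (req.handover_from_5g or req.registered_in_5gmm
            or req.has_5g_security_capability or req.supports_n1)


def indication_requires_authentication(ind: Optional[FirstIndication]) -> bool:
    """Step1 to Step3: the first indication information looked up by UE id."""
    if ind is None:
        return False
    return ind.authenticate or ind.tunnel_id_is_5g or ind.rat_type_is_5g


class Mme1:
    def __init__(self, subscriber_keys: Dict[str, bytes],
                 first_indications: Dict[str, FirstIndication]) -> None:
        self._keys = subscriber_keys          # stand-in for the keys the HSS holds
        self._first_ind = first_indications   # keyed by UE id
        self.contexts: Dict[str, str] = {}    # ue_id -> context type held by MME1

    def _aka_stand_in(self, ue_id: str,
                      ue_respond: Callable[[bytes], bytes]) -> bool:
        """Simplified challenge/response in place of EPS AKA: the expected
        response XRES is compared with the RES the UE computes."""
        rand = os.urandom(16)
        xres = hmac.new(self._keys[ue_id], rand, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(xres, ue_respond(rand))

    def process_tau(self, req: TauRequest, current_type: str,
                    ue_respond: Callable[[bytes], bytes]) -> str:
        """Handles a TAU request and returns the context type MME1 holds afterwards."""
        ind = self._first_ind.get(req.ue_id)
        if tau_requires_authentication(req) or indication_requires_authentication(ind):
            if not self._aka_stand_in(req.ue_id, ue_respond):
                raise PermissionError("authentication failed")
            current_type = NATIVE  # a context established by authentication is native
        self.contexts[req.ue_id] = current_type
        return current_type


def demo() -> Dict[str, str]:
    """Three UEs: one flagged by its TAU contents, one by stored first
    indication information, one with neither (no authentication triggered)."""
    key = bytes(range(16))  # constructed sample subscriber key
    respond = lambda rand: hmac.new(key, rand, hashlib.sha256).digest()[:8]
    mme1 = Mme1({"ue-a": key, "ue-b": key, "ue-c": key},
                {"ue-b": FirstIndication(rat_type_is_5g=True)})
    return {
        "ue-a": mme1.process_tau(TauRequest("ue-a", has_5g_security_capability=True), MAPPED, respond),
        "ue-b": mme1.process_tau(TauRequest("ue-b"), MAPPED, respond),
        "ue-c": mme1.process_tau(TauRequest("ue-c"), NATIVE, respond),
    }


if __name__ == "__main__":
    print(demo())
```

The two predicates are kept separate because the text gives them separate sources: conditions 1 to 4 are read from the TAU request itself, while Step1 to Step3 consult indication information that arrived from the AMF, either before the TAU (forward relocation request) or in answer to a context request afterwards.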
下面,将结合上述的场景,以第一网络为4G网络,第二网络为5G网络,第一移动管理网元为MME1为例,说明本申请的上述实施方式对应的通信流程。如图3所示,其中,4G网络的基站可以为eNB,5G网络的基站可以为gNB或ng-eNB。In the following, the communication process corresponding to the above-mentioned embodiment of the present application will be described by taking the first network as a 4G network, the second network as a 5G network, and the first mobility management network element as the MME1 as an example in combination with the above scenarios. As shown in FIG. 3 , the base station of the 4G network may be an eNB, and the base station of the 5G network may be a gNB or an ng-eNB.
301:gNB/ng-eNB发送切换请求消息至AMF。301: The gNB/ng-eNB sends a handover request message to the AMF.
当5G网络的基站识别到用户设备需要发生切换时,向AMF发送切换请求handover required消息。When the base station of the 5G network recognizes that the user equipment needs to be handed over, it sends a handover required message to the AMF.
302:AMF向MME1发送前向重定位请求消息,包括eKSI。302: The AMF sends a forward relocation request message, including the eKSI, to MME1.
AMF确定该用户设备需要切换到4G网络时,根据AMF本地的5G KSI(简称为ngKSI)得到eKSI,用于指示该用户设备对应的安全上下文为mapped安全上下文。When the AMF determines that the user equipment needs to switch to the 4G network, it obtains the eKSI according to the local 5G KSI (referred to as ngKSI) of the AMF, which is used to indicate that the security context corresponding to the user equipment is the mapped security context.
AMF向MME1发送前向重定位请求消息forward relocation request,该前向重定位请求消息包括eKSI,其指示的安全上下文的类型为mapped安全上下文。这里eKSI用来标识对应的安全上下文,例如,可以包括Kasme密钥;还可以包括NAS的保护密钥和保护算方法。需要说明的是,eKSI信息可以包括标识安全上下文的计数器和安全上下文标识的类型(type of security context flag,TSC)。其中,TSC用来标识安全上下文的类型,可以为native,或者mapped。The AMF sends a forward relocation request message forward relocation request to MME1, where the forward relocation request message includes the eKSI, and the type of the security context indicated by the forward relocation request message is the mapped security context. Here, the eKSI is used to identify the corresponding security context, for example, it may include the Kasme key; it may also include the protection key and protection algorithm of the NAS. It should be noted that the eKSI information may include a counter for identifying the security context and a type of security context flag (type of security context flag, TSC). Among them, TSC is used to identify the type of security context, which can be native or mapped.
根据标准的具体实现,前向重定位请求消息中仅发送标识安全上下文的计数器,而不包括TSC部分。因此,MME1不知道接收到的安全上下文是native类型,还是mapped类型。According to the specific implementation of the standard, only the counter identifying the security context is sent in the forward relocation request message, but the TSC part is not included. Therefore, MME1 does not know whether the received security context is of native type or mapped type.
另外,根据前述的实施方式中Step2中所示的,该AMF向MME1发送前向重定位请求消息中还可能包括第一指示信息,用于指示MME1对该用户设备进行认证。In addition, as shown in Step 2 in the foregoing embodiment, the forward relocation request message sent by the AMF to the MME1 may further include first indication information, which is used to instruct the MME1 to authenticate the user equipment.
具体的,第一指示信息可以为认证指示信息,根据前述的实施方式中Step2中所示的,第一指示信息还可以为隧道标识,即该AMF向MME1发送前向重定位请求消息中还可能包括隧道标识,这里隧道标识包括用来指示AMF为5G网络内AMF;可以为GTP-C的隧道标识。Specifically, the first indication information may be authentication indication information. According to Step 2 in the foregoing embodiment, the first indication information may also be a tunnel identifier, that is, the forward relocation request message sent by the AMF to MME1 may also be Including a tunnel identifier, where the tunnel identifier includes a tunnel identifier used to indicate that the AMF is an AMF in the 5G network; it can be a GTP-C tunnel identifier.
另外,根据前述的实施方式中Step2中所示的,第一指示信息还可以为接入类型,即该AMF向MME1发送前向重定位请求消息中还可能包括接入类型,用于指示当前网络为5G网络的接入或者5G无线网络的接入类型;或者第一指示信息还可以为接入类型,例如RAT type。In addition, according to what is shown in Step 2 in the foregoing embodiment, the first indication information may also be the access type, that is, the forward relocation request message sent by the AMF to the MME1 may also include the access type, which is used to indicate the current network is the access type of the 5G network or the access type of the 5G wireless network; or the first indication information may also be the access type, such as RAT type.
303: MME1 sends an S1 handover request to the eNB.
304: The eNB sends an S1 handover response to MME1.
This includes the configuration for the eNB; for the specific content, reference may be made to the relevant description in the prior art, which is not limited in this application.
305: MME1 sends a forward relocation response message to the AMF.
MME1 sends the forward relocation response message to the AMF.
306: The AMF sends a handover response message to the gNB/ng-eNB.
307: The gNB/ng-eNB sends a handover response message to the user equipment.
308: The user equipment generates eKSI information; the security context corresponding to the eKSI is a mapped security context.
Specifically, the UE generates an eKSI indicating a mapped security context from its local ngKSI (which identifies the security context of the 5G network and indicates a native security context). The point at which the UE side generates the eKSI is not limited here; it may also be generated when the TAU request message is sent to MME1.
309: The user equipment sends a handover complete message to the eNB.
310: The eNB sends a handover request message to MME1.
311: The user equipment sends a TAU request message to MME1.
The TAU request message may carry the GUTI of the user equipment and the corresponding eKSI. The eKSI indicates a mapped context. Here the GUTI may have been generated by MME1 in the above steps (for example in step 305) and sent to the UE through the AMF.
According to a possible implementation of step 202 in the above embodiment, the TAU request message may include status information of the user equipment. For example, the status information of the user equipment indicates that the user equipment has been handed over from the 5G network to the 4G network. Alternatively, the status information of the user equipment is a UE status, indicating whether the UE has been registered in 5GMM. Alternatively, the status information of the user equipment indicates the 5G radio security capability of the user equipment, or indication information such as the radio security capability of the next-generation network. Alternatively, the status information of the user equipment indicates that this TAU request message is a TAU message following a handover from 5G to 4G.
In addition, as shown in Step 1 to Step 3 of the above embodiment, MME1 may also obtain the authentication indication information corresponding to the user equipment according to the GUTI carried in the TAU request message, so that MME1 can determine from the authentication indication information, the tunnel identifier, or the access type that authentication of the user is to be triggered. For example, if the tunnel identifier shows that the peer is a 5G network, or the access type shows that the previous access was through the 5G network, authentication of the user is triggered.
312: MME1 triggers authentication of the user equipment according to the TAU request message and generates a new security context, thereby determining the security context used between MME1 and the user equipment to be a native security context.
After authentication and NAS security mode control (SMC) are completed between the user equipment and MME1, the user equipment and MME1 share a native security context. According to the prior art, after authentication and NAS security mode control have been performed, the security context determined by both sides is a native security context.
In another implementation, after the user equipment is handed over from the second network to the first network, the user equipment establishes a NAS connection with the first mobility management network element and is in the connected state; this is scenario two to which the embodiments of the present application can be applied, described earlier. Then, in step 202 above, the first mobility management network element setting the security context used between the first mobility management network element and the user equipment to a native security context according to the TAU request message may specifically further include:
The first mobility management network element may trigger authentication of the user equipment according to a change of the user equipment's location, so that the security context used between the first mobility management network element and the user equipment is set to a native security context.
In a specific implementation, as shown in FIG. 3, after step 311 of the above embodiment, the user equipment may establish a NAS connection with the first mobility management network element (MME1), and the user equipment then enters the connected state. At this time, MME1 triggering authentication of the user equipment according to the TAU request message in step 312 may specifically further include:
The first mobility management network element may trigger authentication of the user equipment according to a change of the user's location.
The first mobility management network element triggering authentication of the user equipment according to the change of the user's location may specifically include:
Step 1: The first mobility management network element determines the identifier of the user equipment according to the TAU request message.
For example, taking MME1 as the first mobility management network element, after the UE is handed over from the 5G network to the 4G network, the UE establishes a NAS connection with MME1 and is in the connected state. MME1 may obtain the identifier of the user equipment from the GUTI carried in the TAU request message. Optionally, the identifier of the user equipment here may be a permanent identifier or a GUTI.
Step 2: The first mobility management network element determines, according to the identifier of the user equipment, that the location of the user equipment has changed.
Here, the first mobility management network element determining from the identifier of the user equipment that the location information of the user equipment has changed mainly means that the first mobility management network element determines, according to the identifier of the user equipment, that the user equipment needs to be handed over to the second mobility management network element.
For example, a change of the user equipment's location may specifically mean that the user equipment has moved out of the range of MME1 and needs to perform a handover between MMEs, for example from MME1 to MME2.
The location information of the user equipment may come from information reported by a network device and received by the first mobility management network element. Specifically, the location information of the user equipment may be obtained from the base station; for example, the base station periodically reports changes in the location information of the user equipment. For instance, the base station reports the tunnel identifier between the base station and the MME that is bound to the user equipment, together with measurement information and the like. The tunnel identifier between the base station and the MME is associated with the user equipment; it may be allocated by the MME or by the base station, without limitation. The MME determines the identifier of the UE from the tunnel identifier between the base station and the MME, and then determines from the measurement information and the like whether an MME handover needs to be performed. The specific content of the information uploaded by the base station, and the way in which MME1 determines that an MME handover needs to be performed, may follow the prior art and are not limited.
Alternatively, the location information of the user equipment may come from a location management network element, which monitors the location information of the user equipment. For example, MME1 may send the UE's GUTI or IMSI to the location management network element, and when the location management network element detects that the UE's location has changed, it sends the UE's location information to MME1.
In addition, MME1 may also determine whether an MME handover needs to be performed, for example from MME1 to MME2, according to the UE location-related information carried in the handover required message sent by the network device eNB. The way of determining whether an MME handover is needed may follow the prior art and is not limited in this application.
Step 3: The first mobility management network element authenticates the user equipment.
When MME1 determines that an MME handover needs to be performed, MME1 triggers authentication of the user equipment.
Optionally, if MME1 determines that an MME handover needs to be performed, and MME1 has previously performed mutual authentication with the user equipment, authentication of the user equipment does not need to be triggered again.
Optionally, if MME1 determines that an MME handover needs to be performed, and MME1 and the user equipment have previously already unified their security context as native, authentication of the user equipment does not need to be triggered again.
When MME1 determines that the UE's location is about to leave the tracking area (TA), or the area covered by MME1, MME1 triggers authentication with the UE, MME1 and the UE unify their security context as native, and the handover procedure from MME1 to MME2 is executed afterwards.
Through the above embodiments provided in the present application, when the user equipment switches from the second network to the first network and then moves, so that it needs to be handed over between mobility management network elements, the mobility management network element can trigger authentication of the user equipment once it determines that a handover between mobility management network elements is about to occur, so that the security context between the user equipment and the mobility management network element is synchronized. When the handover procedure between mobility management network elements is subsequently executed, no inconsistency of security context type arises, and rejection of the user equipment's TAU request is avoided, thereby improving the service continuity of the user equipment.
Optionally, the decision on whether authentication is needed here may also combine the status information of the user equipment carried in the earlier TAU message with indication information 1 received by MME1 from the AMF. Indication information 1 here may be authentication indication information, a tunnel identifier, or an access type. For example, authentication is performed only when an inter-MME handover is needed and the TAU carried the status information of the user equipment, or indication information 1 has been received from the AMF.
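The MME1-side logic of steps 301 to 312 and of Step 1 to Step 3 above, as an added model that is not part of the patent text and not 3GPP or the applicant's code: the eKSI is modelled as a counter plus TSC flag, the forward relocation request carries only the counter, and MME1 decides whether to authenticate from the first indication information, the UE status in the TAU, and (in the connected-state variant) the optional combination rule. Every message field, class and function name is an assumption made for the example; the constructed scenarios show that without an authentication trigger the UE keeps a mapped context that a default-native MME2 would reject.

```python
# Added model of the MME1 side of steps 301-312 and Step 1-3 (constructed example,
# not 3GPP or the applicant's code; every field and function name is an assumption).
from dataclasses import dataclass
from typing import Optional

NATIVE, MAPPED = "native", "mapped"

@dataclass(frozen=True)
class EKSI:
    """eKSI as the page describes it: a counter plus a TSC (type of context) flag."""
    counter: int   # key set identifier value
    tsc: str       # NATIVE or MAPPED

def eksi_from_ngksi(ngksi_counter: int) -> EKSI:
    """Steps 302 and 308: AMF and UE derive the eKSI from ngKSI; the result is mapped."""
    return EKSI(ngksi_counter, MAPPED)

@dataclass
class ForwardRelocationRequest:
    """AMF -> MME1 (step 302). Only the KSI counter is carried, so MME1 cannot tell
    native from mapped. The three flags are the page's forms of first indication."""
    ksi_counter: int
    auth_indication: bool = False      # explicit authentication indication
    tunnel_id_is_5g_amf: bool = False  # GTP-C tunnel id identifies a 5G AMF
    access_type_is_5g: bool = False    # access type / RAT type is 5G

@dataclass
class TauRequest:
    """UE -> MME1 (step 311)."""
    guti: str
    eksi: EKSI
    ue_status_from_5g: bool = False  # UE status / 'TAU after a 5G-to-4G handover'

@dataclass
class UeRecord:
    """Per-UE state kept by MME1, keyed by GUTI."""
    ksi_counter: int
    first_indication: bool
    context_type: Optional[str] = None   # None: only a counter was received so far
    mutually_authenticated: bool = False

class Mme1:
    def __init__(self) -> None:
        self.ues = {}

    def on_forward_relocation(self, guti: str, req: ForwardRelocationRequest) -> None:
        ind = req.auth_indication or req.tunnel_id_is_5g_amf or req.access_type_is_5g
        self.ues[guti] = UeRecord(req.ksi_counter, ind)

    def authenticate_and_nas_smc(self, rec: UeRecord) -> None:
        """After authentication plus NAS SMC both sides hold a native context."""
        rec.mutually_authenticated = True
        rec.context_type = NATIVE

    def on_tau(self, tau: TauRequest) -> str:
        """Step 312: authenticate when the TAU's UE status or a stored first
        indication shows that the UE came from 5G."""
        rec = self.ues[tau.guti]
        rec.context_type = tau.eksi.tsc
        if tau.ue_status_from_5g or rec.first_indication:
            self.authenticate_and_nas_smc(rec)
            return "authenticated"
        return "no trigger"

    def on_inter_mme_handover_needed(self, guti: str, tau_had_ue_status: bool) -> str:
        """Step 1-3 (connected state) with the optional combination rule: authenticate
        when an inter-MME handover is needed and the earlier TAU carried UE status or
        indication information 1 came from the AMF, unless already unified as native."""
        rec = self.ues[guti]
        if rec.mutually_authenticated or rec.context_type == NATIVE:
            return "skip: already native"
        if tau_had_ue_status or rec.first_indication:
            self.authenticate_and_nas_smc(rec)
            return "authenticated"
        return "no trigger"

def mme2_accepts_tau(ue_context_type: str, mme2_assumed_type: str = NATIVE) -> bool:
    """The failure the page avoids: with only a counter forwarded, MME2 treats the
    context as native by default and rejects a UE whose eKSI says mapped."""
    return ue_context_type == mme2_assumed_type

def run_scenario(indication_from_amf: bool, ue_status_in_tau: bool, connected: bool):
    """Returns (context type the UE ends up with, whether MME2 accepts its later TAU)."""
    mme1 = Mme1()
    ue_eksi = eksi_from_ngksi(3)  # constructed ngKSI value
    mme1.on_forward_relocation("guti-1", ForwardRelocationRequest(
        ue_eksi.counter, tunnel_id_is_5g_amf=indication_from_amf))
    tau = TauRequest("guti-1", ue_eksi, ue_status_in_tau)
    if connected:
        # TAU accepted without immediate authentication; the location change comes later
        mme1.ues["guti-1"].context_type = tau.eksi.tsc
        mme1.on_inter_mme_handover_needed("guti-1", tau.ue_status_from_5g)
    else:
        mme1.on_tau(tau)
    ue_type = mme1.ues["guti-1"].context_type  # UE and MME1 agree after the procedure
    return ue_type, mme2_accepts_tau(ue_type)
```

`run_scenario(False, False, False)` reproduces the prior-art failure (mapped context, TAU rejected at MME2); any of the three triggers, in either the idle-state or the connected-state variant, ends with a native context that the default-native MME2 accepts.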
In another implementation, when the user equipment switches from the second network to the first network, then moves, and it is determined that a handover between mobility management network elements is about to occur, for example in the scenario where the user equipment requests MME2 for a handover from MME1 to MME2, specific indication information allows MME2 to still synchronize the security context with the user equipment, improving the service continuity of the user equipment.
An embodiment of the present application provides another information transmission method. As shown in FIG. 4, the method may include:
401: The first mobility management network element determines that the user equipment is handed over from the second network to the first network.
The first network includes a first mobility management network element and a second mobility management network element.
For example, the first network may be a 4G network and the second network may be a 5G network. The first mobility management network element may be MME1 and the second mobility management network element may be MME2. The UE is handed over from the 5G network to the 4G network.
In addition, the first mobility management network element determines that the user equipment needs to be handed over from the first mobility management network element to the second mobility management network element. That is, the first mobility management network element determines that the user equipment has moved and that a handover between mobility management network elements is required.
402: The first mobility management network element sends second indication information to the second mobility management network element.
In one implementation, the second indication information may indicate that the security context corresponding to the user equipment is a mapped security context. Alternatively, the second indication information may instruct the second mobility management network element to authenticate the user equipment.
In one implementation, if the second network is a 5G network, the second indication information may include at least one of the following: a 5G security algorithm, a 5G radio access type, a 5G radio security capability, or a tunnel identifier.
403: The second mobility management network element receives the second indication information from the first mobility management network element.
404: The second mobility management network element determines, according to the second indication information, the security context used between the second mobility management network element and the user equipment.
The second mobility management network element determining the security context used between the second mobility management network element and the user equipment according to the second indication information may specifically include the following three ways.
Way 1: If the second indication information indicates that the security context of the user equipment is a mapped security context, the second mobility management network element determines that the security context used with the user equipment is a mapped security context.
Way 2: The second indication information may be derived from some parameters of the user equipment sent by the first mobility management network element. For example, if the second indication information includes at least one of a 5G security algorithm, a 5G radio access type, a 5G or next-generation network security capability, or a tunnel identifier, it is determined that the security context used between the second mobility management network element and the user equipment is a mapped security context.
Way 3: If the second indication information instructs the second mobility management network element to authenticate the user equipment, the second mobility management network element authenticates the user equipment according to the second indication information, and the security context used between the second mobility management network element and the user equipment is set, or unified, to a local native security context.
Through the above embodiments provided in the present application, when the user equipment switches from the second network to the first network, then moves, and it is determined that the user equipment is about to be handed over from the first mobility management network element to the second mobility management network element, the second mobility management network element can use the second indication information carried by the first mobility management network element to synchronize the security context with the user equipment, or can use that second indication information to authenticate the user equipment so that the security context between the second mobility management network element and the user equipment is synchronized as a native security context. The second mobility management network element then does not reject the user equipment's TAU request because of inconsistent security context types, thereby improving the service continuity of the user equipment.
In the following, the communication procedure corresponding to the above embodiment of the present application is described with reference to the above scenarios, taking as an example that the first network is a 4G network, the second network is a 5G network, the first mobility management network element is MME1, and the second mobility management network element is MME2, in the scenario where, after the user equipment has been handed over from the 5G network to the 4G network, it moves and needs to be handed over from MME1 to MME2. As shown in FIG. 5, the base station of the 4G network may be an eNB, and the base station of the 5G network may be a gNB or an ng-eNB.
For steps 301 to 310, reference may be made to the relevant description in the above embodiment.
501: The eNB sends a handover request message to MME1.
The message indicates that the user equipment needs to perform a handover.
502: MME1 determines that the user equipment needs to be handed over to MME2.
This step may correspond to the description in step 401 of the above embodiment: the first mobility management network element determines that the user equipment needs to be handed over from the first mobility management network element to the second mobility management network element.
Specifically, MME1 may determine from the movement of the user equipment's location that the user equipment needs to be handed over to MME2. For the specific implementation, reference may be made to the relevant description in the prior art, which is not specifically limited in this embodiment of the present application.
503: MME1 sends a forward relocation request message to MME2, where the forward relocation request message carries the second indication information.
This step may correspond to step 402 in the above embodiment. The second indication information may specifically include:
1. Second indication information indicating that the security context of the user equipment is a mapped security context.
2. Second indication information including at least one of a 5G security algorithm, a 5G radio access type, a 5G or next-generation network security capability, or a tunnel identifier, used to instruct MME2 to determine the security context according to that indication information.
3. Second indication information that is specifically authentication indication information, used to instruct MME2 to authenticate the user equipment corresponding to the forward relocation request message.
504: MME2 replies to MME1 with a forward relocation response message.
505: MME2 determines the security context used with the user equipment.
This step may correspond to step 404 in the above embodiment; that is, MME2 may determine the security context used between MME2 and the user equipment according to the second indication information from MME1.
Specifically, MME2 determining whether the security context used with the user equipment is of mapped type or native type may include:
1. When the second indication information indicates that the security context corresponding to the user equipment is a mapped security context, MME2 determines that the security context used with the user equipment is a mapped security context.
2. When the second indication information includes at least one of a 5G security algorithm, a 5G radio access type, a 5G or next-generation network security capability, or a tunnel identifier, MME2 determines that the security context used with the user equipment is a mapped security context.
3. When the second indication information is authentication indication information, MME2 stores the authentication indication information corresponding to the user equipment.
After MME2 receives the TAU request message sent by the user equipment, it can obtain the corresponding authentication indication information according to the identifier of the user equipment and thereby authenticate the user equipment.
Alternatively, after receiving the TAU request message sent by the user equipment, MME2 first determines, according to the identifier of the user equipment such as the GUTI, whether a security context corresponding to the eKSI of the user equipment is stored (for example, if the eKSI indicates a mapped security context while the locally stored one is native, then no security context corresponding to the eKSI is stored). If there is no corresponding security context and authentication indication information corresponding to the user equipment is stored, MME2 directly triggers authentication of the user equipment according to that authentication indication, so that the security context used between MME2 and the user equipment is set to a local native security context.
Alternatively, if the forward relocation request message does not carry the second indication information, MME2 by default treats the security context received from MME1 as a native security context. After MME2 receives the TAU request message sent by the user equipment, one of the following possible ways is executed.
Way 1: MME2 updates the local native security context corresponding to the user equipment to a mapped security context, ignoring the locally stored security context, so as to stay synchronized with the security context of the user equipment.
Way 2: MME2 may ignore the type of security context indicated by the eKSI in the TAU request message and assume that the eKSI and the locally stored context type are consistent; that is, it determines that the security context used between MME2 and the user equipment is synchronized as native type.
Way 3: When the received type is mapped and the locally stored type is native, MME2 triggers authentication of the user equipment, so that the security context used between MME2 and the user equipment is synchronized to a native security context.
Way 4: MME2 triggers authentication of the user equipment according to the authentication indication information carried in the TAU request message sent by the user equipment, so that the security context used between MME2 and the user equipment is synchronized to a native security context.
Any of the above ways can achieve synchronization of the security context; the communication system may select at least one of these strategies in advance to configure the network elements involved in the above embodiments, so that the user equipment achieves security context synchronization in the above scenarios. The specific configuration manner is not limited in this application.
Through the embodiments provided above, the second indication information is configured in the forward relocation request message sent by the MME, so that when the user equipment has switched from the 5G network to the 4G network, then moves, and it is determined that a handover from MME1 to MME2 is about to occur, MME2 can determine, by means of the second indication information carried by MME1, how to synchronize the security context with the user equipment, or MME2 can authenticate the user equipment on the basis of that second indication information so that the security context between MME2 and the user equipment is synchronized to a native security context. MME2 then does not reject the TAU request of the user equipment because of inconsistent security context types, which improves the service continuity of the user equipment.
In addition, an embodiment of this application further provides another information transmission method, applicable to the second scenario above: after the user equipment moves from the AMF of the 5G network to MME1 of the 4G network, the user equipment establishes a non-access stratum (NAS) connection with MME1, then enters the idle state and moves while idle; when the user equipment moves out of the coverage of MME1, it sends a TAU request message to MME2. This application provides another information transmission method so that MME2 can determine, according to the message obtained from MME1, that the security context used between MME2 and the user equipment is synchronized, thereby avoiding rejection of the user equipment's TAU request and the resulting impact on the user's service continuity.
As shown in FIG. 6, the specific communication flow may include:
For steps 301 to 311, reference may be made to the relevant descriptions in the foregoing embodiments.
601: The user equipment establishes a NAS connection with MME1.
At this time, MME1 acts on the TAU request message received from the user equipment in step 311, where the TAU request message includes the GUTI of the user equipment and the eKSI. MME1 determines that the security context used between MME1 and the user equipment is a mapped security context and then establishes the NAS connection with the user equipment.
Afterwards, the user equipment enters the idle state and moves into the area covered by MME2.
602: The user equipment sends a TAU request message to MME2.
The TAU request message may include the GUTI and the eKSI of the user equipment.
603: MME2 sends a context request message to MME1.
MME2 requests the security context corresponding to the user equipment from MME1 according to the GUTI, that is, it sends a context request message to MME1.
The context request message includes the GUTI of the user equipment.
603: MME1 sends a context response message to MME2.
MME1 returns the security context corresponding to the user equipment to MME2 according to the GUTI, that is, it sends a context response message to MME2. The context response message includes the eKSI; here the eKSI does not include the TSC information. Because MME2 determines that the security context was received from MME1 in the 4G network, it determines that this security context is of the native type.
604: MME2 determines the security context used between MME2 and the user equipment.
MME2 first determines, according to the GUTI and the eKSI, whether a security context corresponding to the user equipment is stored. If a security context corresponding to the user equipment is stored, but the eKSI in the TAU request message sent by the user equipment indicates that the corresponding security context is of the mapped type while the security context corresponding to the user equipment stored by MME2 is of the native type, MME2 determines the security context to be used with the user equipment, which may specifically include the following manners:
Manner 1: MME2 updates the local native security context corresponding to the user equipment to the mapped security context, ignoring the locally stored security context, so as to stay synchronized with the security context of the user equipment.
Manner 2: MME2 may ignore the security context type indicated by the eKSI in the TAU request message and assume by default that the eKSI and the locally stored context type are consistent, that is, it determines that the security context used between MME2 and the user equipment is synchronized as the native type.
Manner 3: When the received type is mapped and the locally stored type is native, MME2 triggers authentication of the user equipment, so that the security context used between MME2 and the user equipment is synchronized to a native security context.
Manner 4: MME2 triggers authentication of the user equipment according to the authentication indication information carried in the TAU request message sent by the user equipment, so that the security context used between MME2 and the user equipment is synchronized to a native security context.
In another implementation, when the user equipment switches from the 5G network to the 4G network and is handed over from MME1 to MME2, the TAU request message sent by the user equipment to MME2 may include authentication indication information, so that MME2 can directly trigger authentication of the user equipment according to that authentication indication and thereby achieve synchronization of the security context.
Any of the above manners can achieve synchronization of the security context. The communication system may select at least one of these strategies in advance and configure the network elements of the foregoing embodiments accordingly, so that the user equipment achieves security context synchronization in the foregoing scenarios. The specific configuration manner is not limited in this application.
Through the embodiments provided above, when the user equipment switches from the 5G network to the 4G network, a handover between MMEs occurs, and the user equipment sends a TAU request to MME2, MME2 can, in a pre-configured way, either default to the locally stored native security context type, or adopt the mapped security context indicated by the eKSI and update to the mapped security context, or trigger authentication of the user equipment and update to a native security context. This avoids MME2 rejecting the TAU request of the user equipment because of inconsistent security context types and improves the service continuity of the user equipment.
In addition, in another implementation, when the eKSI in the TAU request message that MME2 receives from the user equipment indicates that the corresponding security context is of the mapped type while the security context corresponding to the user equipment stored by MME2 is of the native type, MME2 sends a TAU reject message to the user equipment. The TAU reject message may carry third indication information, for example an indication of the TAU failure type indicating that the security context corresponding to the user equipment does not match; or an indication instructing the user equipment to perform initial access; or an indication instructing the user equipment to send its IMSI; or another indication of a failure type other than TAU cause #9. After receiving the third indication information included in the TAU reject message, the user equipment can send its IMSI to MME2 to perform initial registration and thereby establish a native security context with MME2. The point here is not to send a reject indication that requires the UE to wait for a period of time before accessing again, so that the user equipment can perform access immediately and service continuity is preserved to the greatest extent.
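The decision MME2 makes on a TAU request in the handover case (second indication from MME1 and manners 1 to 4 above), in the idle-mode context-request case (context response without TSC), and in the reject-and-re-attach alternative, modelled as a small Python state machine. This is an added example and not code from the patent; the class names, the Policy enumeration, the string values "mapped" and "authenticate" for the second indication, and the handling of a GUTI with no stored context are assumptions of this model.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class CtxType(Enum):
    """Security context type, as signalled by the TSC bit of the eKSI."""
    NATIVE = "native"   # EPS context produced by an EPS AKA run in the 4G network
    MAPPED = "mapped"   # EPS context derived from the 5G context at handover


class Policy(Enum):
    """Which manner MME2 is pre-configured to apply on a type mismatch (assumed names)."""
    ADOPT_MAPPED = 1        # manner 1: follow the UE, replace the local native context
    ASSUME_NATIVE = 2       # manner 2: ignore the TSC, keep the local native context
    AUTHENTICATE = 3        # manner 3: run authentication, end with a native context
    UE_AUTH_INDICATION = 4  # manner 4: authenticate when the UE carries an indication
    REJECT_REATTACH = 5     # alternative embodiment: TAU reject with a non-#9 cause


class Outcome(Enum):
    USE_MAPPED = "use mapped security context"
    USE_NATIVE = "use native security context"
    AUTHENTICATE = "authenticate UE, then use native security context"
    REJECT = "TAU reject (non-#9 cause), UE re-attaches with IMSI"


@dataclass
class EKSI:
    ksi: int                 # key set identifier value
    tsc: Optional[CtxType]   # None when the TSC is not carried (4G context response)


@dataclass
class TauRequest:
    guti: str
    eksi: EKSI
    auth_indication: bool = False   # UE-side authentication indication (manner 4)


@dataclass
class Mme2:
    policy: Policy
    contexts: Dict[str, CtxType] = field(default_factory=dict)   # GUTI -> local type
    auth_indications: Set[str] = field(default_factory=set)      # GUTIs flagged by MME1

    def on_forward_relocation(self, guti: str, second_indication: Optional[str]) -> None:
        """Handover case. second_indication is "mapped", "authenticate" or None;
        without an indication MME2 treats the received context as native."""
        self.contexts[guti] = CtxType.MAPPED if second_indication == "mapped" else CtxType.NATIVE
        if second_indication == "authenticate":
            self.auth_indications.add(guti)

    def on_context_response(self, guti: str, eksi: EKSI) -> None:
        """Idle-mode case. A context response from a 4G MME carries no TSC,
        so MME2 classifies the context as native regardless of eksi."""
        self.contexts[guti] = CtxType.NATIVE

    def _authenticate(self, guti: str) -> Outcome:
        # A successful EPS AKA run leaves both sides holding a native context.
        self.contexts[guti] = CtxType.NATIVE
        return Outcome.AUTHENTICATE

    def on_tau_request(self, req: TauRequest) -> Outcome:
        local = self.contexts.get(req.guti)
        if local is None:
            # No context for this GUTI at all: fall back to reject and re-attach
            # (assumption of this model; the page only covers the mismatch case).
            return Outcome.REJECT
        if req.eksi.tsc == local:
            return Outcome.USE_MAPPED if local is CtxType.MAPPED else Outcome.USE_NATIVE
        # The out-of-sync case: the UE signals mapped while MME2 holds native.
        if req.guti in self.auth_indications:
            return self._authenticate(req.guti)   # MME1 asked for authentication
        if self.policy is Policy.ADOPT_MAPPED:
            self.contexts[req.guti] = CtxType.MAPPED
            return Outcome.USE_MAPPED
        if self.policy is Policy.ASSUME_NATIVE:
            return Outcome.USE_NATIVE
        if self.policy is Policy.AUTHENTICATE:
            return self._authenticate(req.guti)
        if self.policy is Policy.UE_AUTH_INDICATION and req.auth_indication:
            return self._authenticate(req.guti)
        # REJECT_REATTACH, or manner 4 without a UE indication (assumption):
        # reject with a cause other than #9 so the UE re-attaches immediately.
        return Outcome.REJECT


if __name__ == "__main__":
    mme2 = Mme2(Policy.AUTHENTICATE)
    mme2.on_forward_relocation("guti-1", None)   # constructed sample GUTI
    print(mme2.on_tau_request(TauRequest("guti-1", EKSI(2, CtxType.MAPPED))).value)
```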
In another implementation, when the handover of the user equipment from the second network to the first network is completed, fourth indication information may be carried in the handover complete message, so that the first mobility management network element stores the fourth indication information. When a handover between mobility management network elements later occurs for the user equipment, the first mobility management network element can trigger authentication of the user equipment according to the fourth indication information, so as to achieve synchronization of the security context.
Specifically, with reference to FIG. 3 above, in step 309 the user equipment sends a handover complete message to the eNB, and this message includes the fourth indication information. The handover response message that the eNB then sends to MME1 may include this fourth indication information, and MME1 can store the fourth indication information corresponding to the user equipment.
Subsequently, when a request for handover of the user equipment from MME1 to MME2 arises, after MME1 receives the TAU request message (including the GUTI and the eKSI) sent by the user equipment, MME1 finds the locally stored fourth indication information according to the GUTI and triggers authentication of the user equipment. After the authentication is completed, the user equipment and MME1 share a native security context. Even if an MME handover occurs again, the problem of inconsistent security contexts between the user equipment and MME2 then no longer arises.
It should be noted that in the idle state mentioned in the present invention, context information, including the security context, may be retained between the UE and the AMF. However, the NAS is currently inactive; the security of the NAS connection can subsequently be activated through NAS messages, after which the UE is in the connected state.
Based on the implementations described in FIG. 2 and FIG. 3, an embodiment of this application further provides an information transmission apparatus. As shown in FIG. 7, the apparatus 700 includes a receiving module 701 and a processing module 702.
The receiving module 701 is configured to receive a tracking area update (TAU) request message from a user equipment, where the user equipment has switched from a second network to a first network and the apparatus belongs to the first network.
The processing module 702 is configured to set the security context used between the apparatus 700 and the user equipment to a native security context according to the TAU request message.
The processing module 702 may perform the processing, other than sending and receiving, performed by the first mobility management network element in the foregoing method embodiments; correspondingly, the receiving module 701 may perform the message receiving performed by the first mobility management network element in the foregoing method embodiments.
In an implementation, the processing module 702 is specifically configured to authenticate the user equipment.
In an implementation, the TAU request message includes status information of the user equipment, and the processing module 702 may be specifically configured to authenticate the user equipment if the status information indicates that the user equipment has switched from the second network to the first network, or the status information indicates the mobility management registration information of the user equipment in the second network, or the status information indicates that the user equipment has the network security capability of the second network, or the status information indicates that the user equipment has the N1 interface capability of the second network.
In an implementation, the processing module 702 may be specifically configured to determine the identifier of the user equipment according to the TAU request message, determine according to the identifier that the location of the user equipment has changed, and authenticate the user equipment.
In an implementation, the processing module 702 may be specifically configured to determine, according to the identifier of the user equipment, that the user equipment needs to be handed over to a second mobility management network element.
In an implementation, the processing module 702 may be specifically configured to determine the identifier of the user equipment according to the TAU request message, where the TAU request message includes the identifier of the user equipment; determine first indication information corresponding to the identifier, where the first indication information comes from the AMF; and determine according to the first indication information to authenticate the user equipment.
In an implementation, the first indication information is at least one of authentication indication information, a 5G access type, or a tunnel identifier.
In an implementation, the first network is a 4G network and the second network is a 5G network.
In addition, based on the first mobility management network element in the implementations shown in FIG. 4 and FIG. 5, this application further provides an information transmission apparatus. As shown in FIG. 8, the apparatus 800 includes a sending module 801 and a processing module 802.
The processing module 802 is configured to determine that the user equipment has switched from a second network to a first network and to determine that the user equipment is handed over from a first mobility management network element to a second mobility management network element, where the first network includes the apparatus 800 and the second mobility management network element.
The sending module 801 is further configured to send second indication information to the second mobility management network element, where the second indication information indicates the mapped security context of the user equipment or instructs the second mobility management network element to authenticate the user equipment.
The processing module 802 may perform the processing, other than sending and receiving, performed by the first mobility management network element in the foregoing method embodiments; correspondingly, the sending module 801 may perform the message sending performed by the first mobility management network element in the foregoing method embodiments.
In an implementation, the second indication information includes at least one of a 5G security algorithm, a 5G radio access type, a 5G or next-generation radio security capability, or a tunnel identifier.
In an implementation, the first network is a 4G network and the second network is a 5G network.
Correspondingly, based on the second mobility management network element in the implementations shown in FIG. 4 and FIG. 5, this application further provides an information transmission apparatus. As shown in FIG. 9, the apparatus 900 includes a receiving module 901 and a processing module 902.
The receiving module 901 is configured to receive second indication information from the first mobility management network element, where the second indication information indicates that the security context of the user equipment is a mapped security context or instructs the apparatus 900 to authenticate the user equipment.
The processing module 902 is configured to determine the security context used between the apparatus 900 and the user equipment according to the second indication information.
The processing module 902 may perform the processing, other than sending and receiving, performed by the second mobility management network element in the foregoing method embodiments; correspondingly, the receiving module 901 may perform the message receiving performed by the second mobility management network element in the foregoing method embodiments.
In an implementation, the processing module 902 is specifically configured to determine, when the second indication information indicates that the security context of the user equipment is a mapped security context, that the security context used between the apparatus 900 and the user equipment is the mapped security context.
In an implementation, the processing module 902 is specifically configured to determine, when the second indication information includes at least one of a 5G security algorithm, a 5G radio access type, a 5G or next-generation network security capability, or a tunnel identifier, that the security context used between the apparatus 900 and the user equipment is the mapped security context.
In an implementation, the processing module 902 is specifically configured to, when the second indication information instructs the apparatus 900 to authenticate the user equipment, authenticate the user equipment and set the security context used between the apparatus 900 and the user equipment to the local native security context.
In an implementation, the first network is a 4G network and the second network is a 5G network.
It should be noted that the sending or receiving performed by the sending module or the receiving module described in the above embodiments of this application may be performed under the control of a processing module (for example a processor); therefore, in the embodiments of this application the sending or receiving actions may also be described as performed by the processing module (processor), which does not affect the understanding of the solution by those skilled in the art.
FIG. 10 is another schematic structural diagram of a communication apparatus (any network element in the foregoing embodiments) provided by an embodiment of this application. As shown in FIG. 10, the communication apparatus 1000 includes a processor 1001 and a transceiver 1002. Optionally, the communication apparatus 1000 further includes a memory 1003. The processor 1001, the transceiver 1002 and the memory 1003 may communicate with one another through an internal connection path to transfer control and/or data signals. The memory 1003 is configured to store a computer program, and the processor 1001 is configured to call and run the computer program from the memory 1003 so as to control the transceiver 1002 to send and receive signals. The communication apparatus 1000 may further include an antenna for transmitting the signaling output by the transceiver 1002 as wireless signals.
The processor 1001 and the memory 1003 may be combined into one processing device, in which the processor 1001 executes the program code stored in the memory 1003 to implement the above functions. In a specific implementation, the memory 1003 may also be integrated in the processor 1001 or be independent of the processor 1001.
Specifically, the communication apparatus 1000 may correspond to the individual embodiments of the methods according to the embodiments of this application, and the units in the communication apparatus 1000 and the other operations and/or functions described above serve to implement the corresponding flows in the individual method embodiments.
The processor 1001 may be configured to perform one or more of the actions performed by the first mobility management network element or the second mobility management network element described in the foregoing method embodiments, and the transceiver 1002 may be configured to perform one or more of the sending or receiving actions of the first mobility management network element or the second mobility management network element described in the foregoing method embodiments. For details, refer to the descriptions in the foregoing method embodiments, which are not repeated here.
Optionally, the communication apparatus 1000 may further include a power supply for supplying power to the various devices or circuits in the communication apparatus.
The information transmission apparatus in each of the above apparatus embodiments may correspond completely to the first mobility management network element or the second mobility management network element in the method embodiments, with the corresponding steps performed by the corresponding modules or units. For example, when the apparatus is implemented as a chip, the receiving module described above may be an interface circuit used by the chip to receive signals from other chips or apparatuses. The unit used for sending is an interface circuit of the apparatus used to send signals to other apparatuses; for example, when the apparatus is implemented as a chip, the sending module described above is the interface circuit used by the chip to send signals to other chips or apparatuses.
It should be understood that the processor in the embodiments of this application may be a CPU, and may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
It should also be understood that the memory in the embodiments of this application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
An embodiment of this application further provides a communication system, which includes any of the first mobility management network elements or second mobility management network elements provided in the above embodiments of this application.
An embodiment of this application further provides a computer-readable medium for storing computer program code, where the computer program includes instructions for performing the method executed by the first mobility management network element or the second mobility management network element in the above methods. The readable medium may be a ROM or a RAM, which is not limited in this embodiment of this application.
This application further provides a computer program product, which includes instructions that, when executed, cause the first mobility management network element or the second mobility management network element to perform, respectively, the operations of the first mobility management network element or the second mobility management network element corresponding to the above methods.
An embodiment of this application further provides a system chip, which includes a processing unit and a communication unit. The processing unit may be, for example, a processor, and the communication unit may be, for example, an input/output interface, a pin or a circuit. The processing unit can execute computer instructions so that the communication apparatus in which the chip is used performs the operations of the first mobility management network element or the second mobility management network element in the methods provided by the above embodiments of this application.
Optionally, any of the communication apparatuses provided in the above embodiments of this application may include the system chip.
Optionally, the computer instructions are stored in a storage unit.
Optionally, the storage unit is a storage unit inside the chip, such as a register or a cache; the storage unit may also be a storage unit in the communication apparatus located outside the chip, such as a ROM or another type of static storage device that can store static information and instructions, or a RAM. The processor mentioned anywhere above may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits for controlling the execution of programs of the above method for transmitting feedback information. The processing unit and the storage unit may be decoupled and disposed on different physical devices, connected in a wired or wireless manner to implement their respective functions, so as to support the system chip in implementing the various functions of the above embodiments; alternatively, the processing unit and the memory may be coupled in the same device. It should be understood that the processor in the embodiments of this application may be a CPU, or may also be another general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
Those skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the systems, apparatuses and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
It should be understood that, in the various embodiments of the present application, the magnitude of the sequence numbers of the above processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed system, communication apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are only illustrative; for instance, the division into units is only a logical functional division, and there may be other ways of division in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present application.
Finally, it should be noted that the above are only specific embodiments of the present application, but the protection scope of the present application is not limited thereto; any change or replacement within the technical scope disclosed in the present application shall be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (42)

  1. An information transmission method, applied to a first mobility management network element, characterized in that the method comprises:
    receiving a tracking area update (TAU) request message from a terminal device, where the terminal device has switched from a second network to a first network, and the first mobility management network element belongs to the first network;
    setting, according to the TAU request message, the security context used between the first mobility management network element and the terminal device to a native security context.
  2. The method according to claim 1, characterized in that setting the security context used between the first mobility management network element and the terminal device to a native security context comprises:
    authenticating, by the first mobility management network element, the terminal device.
  3. The method according to claim 1, characterized in that setting, according to the TAU request message, the security context used between the first mobility management network element and the terminal device to a native security context specifically comprises:
    determining, by the first mobility management network element, an identifier of the terminal device according to the TAU request message;
    determining, by the first mobility management network element according to the identifier of the terminal device, that the location of the terminal device has changed;
    authenticating, by the first mobility management network element, the terminal device.
  4. The method according to claim 3, characterized in that determining, by the first mobility management network element according to the identifier of the terminal device, that the location information of the terminal device has changed specifically comprises:
    determining, by the first mobility management network element according to the identifier of the terminal device, that the terminal device needs to be switched to a second mobility management network element.
  5. The method according to claim 2, 3 or 4, characterized in that the TAU request message includes status information of the terminal device, and authenticating, by the first mobility management network element, the terminal device specifically comprises:
    if the status information indicates that the terminal device has switched from the second network to the first network, or the status information indicates mobility management registration information of the terminal device in the second network, or the status information indicates that the terminal device has the network security capability of the second network, or the status information indicates that the terminal device has the capability of the N1 interface of the second network, authenticating, by the first mobility management network element, the terminal device.
  6. The method according to claim 1, characterized in that setting, according to the TAU request message, the security context used between the first mobility management network element and the terminal device to a native security context comprises:
    determining an identifier of the terminal device according to the TAU request message, where the TAU request message includes the identifier;
    determining, according to the identifier, first indication information corresponding to the identifier, where the first indication information comes from a core access and mobility management function network element;
    determining, according to the first indication information, to authenticate the terminal device.
  7. The method according to claim 6, characterized in that the first indication information is at least one of authentication indication information, a 5G access type, or a tunnel identifier.
  8. The method according to any one of claims 1 to 7, characterized in that the first network is a 4G network and the second network is a 5G network.
  9. An information transmission method, applied to a first mobility management network element, characterized in that the method comprises:
    determining, by the first mobility management network element, that a terminal device has switched from a second network to a first network, and determining that the terminal device is switched from the first mobility management network element to a second mobility management network element, where the first network includes the first mobility management network element and the second mobility management network element;
    sending, by the first mobility management network element, second indication information to the second mobility management network element, where the second indication information indicates the mapped security context of the terminal device, or instructs the second mobility management network element to authenticate the terminal device.
  10. The method according to claim 9, characterized in that the second indication information includes at least one of the following indication information: a 5G security algorithm, a 5G radio access type, a 5G or next-generation radio security capability, or a tunnel identifier.
  11. The method according to claim 9 or 10, characterized in that the first network is a 4G network and the second network is a 5G network.
  12. An information transmission method, applied to a second mobility management network element, characterized in that the second mobility management network element belongs to a first network, the first network further includes a first mobility management network element, and a terminal device is a terminal device that has switched from a second network to the first network, the method comprising:
    determining that the terminal device is switched from the first mobility management network element to the second mobility management network element;
    receiving second indication information from the first mobility management network element, where the second indication information indicates that the security context of the terminal device is a mapped security context, or instructs the second mobility management network element to authenticate the terminal device;
    determining, according to the second indication information, the security context used between the second mobility management network element and the terminal device.
  13. The method according to claim 12, characterized in that the second indication information indicates that the security context of the terminal device is a mapped security context, and determining, according to the second indication information, the security context used between the second mobility management network element and the terminal device comprises:
    determining that the security context used between the second mobility management network element and the terminal device is a mapped security context.
  14. The method according to claim 12, characterized in that the second indication information includes at least one of the following indication information: a 5G security algorithm, a 5G radio access type, a 5G or next-generation network security capability, or a tunnel identifier, and determining, according to the second indication information, the security context used between the second mobility management network element and the terminal device comprises:
    determining that the security context used between the second mobility management network element and the terminal device is a mapped security context.
  15. The method according to claim 12, characterized in that the second indication information instructs the second mobility management network element to authenticate the terminal device, and determining, according to the second indication information, the security context used between the second mobility management network element and the terminal device comprises:
    authenticating, by the second mobility management network element, the terminal device, and setting the security context used between the second mobility management network element and the terminal device to a local (native) security context.
  16. The method according to any one of claims 12 to 15, characterized in that the first network is a 4G network and the second network is a 5G network.
  17. An information transmission apparatus, characterized in that the apparatus comprises:
    a receiving module, configured to receive a tracking area update (TAU) request message from a terminal device, where the terminal device has switched from a second network to a first network, and the apparatus belongs to the first network;
    a processing module, configured to set, according to the TAU request message, the security context used between the apparatus and the terminal device to a native security context.
  18. The apparatus according to claim 17, characterized in that the processing module is specifically configured to:
    authenticate the terminal device.
  19. The apparatus according to claim 17, characterized in that the processing module is specifically configured to:
    determine an identifier of the terminal device according to the TAU request message;
    determine, according to the identifier of the terminal device, that the location of the terminal device has changed;
    authenticate the terminal device.
  20. The apparatus according to claim 19, characterized in that the processing module is specifically configured to:
    determine, according to the identifier of the terminal device, that the terminal device needs to be switched to a second mobility management network element.
  21. The apparatus according to claim 17, 18 or 19, characterized in that the TAU request message includes status information of the terminal device, and the processing module is specifically configured to: if the status information indicates that the terminal device has switched from the second network to the first network, or the status information indicates mobility management registration information of the terminal device in the second network, or the status information indicates that the terminal device has the network security capability of the second network, or the status information indicates that the terminal device has the capability of the N1 interface of the second network, authenticate the terminal device.
  22. The apparatus according to claim 17, characterized in that the processing module is specifically configured to:
    determine an identifier of the terminal device according to the TAU request message, where the TAU request message includes the identifier;
    determine, according to the identifier, first indication information corresponding to the identifier, where the first indication information comes from a core access and mobility management function (AMF) network element;
    determine, according to the first indication information, to authenticate the terminal device.
  23. The apparatus according to claim 22, characterized in that the first indication information is at least one of authentication indication information, a 5G access type, or a tunnel identifier.
  24. The apparatus according to any one of claims 17 to 23, characterized in that the first network is a 4G network and the second network is a 5G network.
  25. An information transmission apparatus, characterized in that the apparatus comprises:
    a processing module, configured to determine that a terminal device has switched from a second network to a first network, and to determine that the terminal device is switched from the apparatus to a second mobility management network element, where the first network includes the apparatus and the second mobility management network element;
    a sending module, configured to send second indication information to the second mobility management network element, where the second indication information indicates the mapped security context of the terminal device, or instructs the second mobility management network element to authenticate the terminal device.
  26. The apparatus according to claim 25, characterized in that the second indication information includes at least one of the following indication information: a 5G security algorithm, a 5G radio access type, a 5G or next-generation radio security capability, or a tunnel identifier.
  27. The apparatus according to claim 25 or 26, characterized in that the first network is a 4G network and the second network is a 5G network.
  28. An information transmission apparatus, where the apparatus belongs to a first network, the first network further includes a first mobility management network element, and a terminal device is a terminal device that has switched from a second network to the first network, characterized in that the apparatus comprises:
    a processing module, configured to determine that the terminal device is switched from the first mobility management network element to the apparatus;
    a receiving module, configured to receive second indication information from the first mobility management network element, where the second indication information indicates that the security context of the terminal device is a mapped security context, or instructs the apparatus to authenticate the terminal device;
    the processing module being further configured to determine, according to the second indication information, the security context used between the apparatus and the terminal device.
  29. The apparatus according to claim 28, characterized in that the processing module is specifically configured to: when the second indication information indicates that the security context of the terminal device is a mapped security context, determine that the security context used between the apparatus and the terminal device is a mapped security context.
  30. The apparatus according to claim 28, characterized in that the processing module is specifically configured to: when the second indication information includes at least one of the following indication information: a 5G security algorithm, a 5G radio access type, a 5G or next-generation network security capability, or a tunnel identifier, determine that the security context used between the apparatus and the terminal device is a mapped security context.
  31. The apparatus according to claim 28, characterized in that the processing module is specifically configured to: when the second indication information instructs the apparatus to authenticate the terminal device, authenticate the terminal device and set the security context used between the apparatus and the terminal device to a local (native) security context.
  32. The apparatus according to any one of claims 28 to 31, characterized in that the first network is a 4G network and the second network is a 5G network.
  33. A communication apparatus, characterized in that the communication apparatus comprises a processor and a transmission interface;
    wherein the processor is configured to execute instructions stored in a memory, so that the apparatus performs the method according to any one of claims 1 to 8.
  34. A computer-readable storage medium, characterized in that it comprises a program or instructions, and when the program or instructions are run by a processor, the method according to any one of claims 1 to 8 is performed.
  35. A computer program product which, when run on a computer or processor, causes the computer or the processor to perform the method according to any one of claims 1 to 8.
  36. A communication apparatus, characterized in that the communication apparatus comprises a processor and a transmission interface;
    wherein the processor is configured to execute instructions stored in a memory, so that the apparatus performs the method according to any one of claims 9 to 11.
  37. A computer-readable storage medium, characterized in that it comprises a program or instructions, and when the program or instructions are run by a processor, the method according to any one of claims 9 to 11 is performed.
  38. A computer program product which, when run on a computer or processor, causes the computer or the processor to perform the method according to any one of claims 9 to 11.
  39. A communication apparatus, characterized in that the communication apparatus comprises a processor and a transmission interface;
    wherein the processor is configured to execute instructions stored in a memory, so that the apparatus performs the method according to any one of claims 12 to 16.
  40. A computer-readable storage medium, characterized in that it comprises a program or instructions, and when the program or instructions are run by a processor, the method according to any one of claims 12 to 16 is performed.
  41. A computer program product which, when run on a computer or processor, causes the computer or the processor to perform the method according to any one of claims 12 to 16.
  42. A communication system, characterized in that it comprises the apparatus according to any one of claims 25 to 27 and the apparatus according to any one of claims 28 to 32.
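The decision logic of claims 1 to 16, as an added Python model that is not the patent's or any MME vendor's code: the first MME decides from the TAU request (status information, an earlier AMF indication, or a detected location change) whether to run authentication and so replace the mapped context inherited from the 5G handover with a native one, and the second MME reads the second indication information to either keep treating the context as mapped or authenticate the UE itself. Class and field names, the constructed 5G parameter values, and the fallback of keeping the existing context when no condition is met are assumptions of this model.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class ContextType(Enum):
    MAPPED = "mapped"  # derived from the 5G (AMF) context at the 5G-to-4G handover
    NATIVE = "native"  # established by an EPS authentication run in the 4G network


@dataclass
class SecurityContext:
    kind: ContextType
    origin: str  # network element that established it (constructed label)


@dataclass
class TauRequest:
    """TAU request as seen by the first MME (claims 1 to 7); field names are assumptions."""
    ue_id: str
    switched_from_5g: bool = False        # status info: UE switched from the second (5G) network
    fiveg_mm_registered: bool = False     # status info: 5G mobility management registration
    fiveg_security_capable: bool = False  # status info: UE has the 5G network security capability
    n1_capable: bool = False              # status info: UE supports the N1 interface


@dataclass
class SecondIndication:
    """Second indication information sent by the first MME to the second MME (claims 9 to 15)."""
    authenticate: bool = False            # instruct the second MME to authenticate the UE
    mapped: bool = False                  # explicit "the context is mapped" flag
    fiveg_security_algorithm: Optional[str] = None
    fiveg_access_type: Optional[str] = None
    ng_security_capability: Optional[str] = None
    tunnel_id: Optional[str] = None

    def indicates_mapped(self) -> bool:
        # Claim 14: any 5G-specific element in the indication marks the context as mapped.
        fiveg_elements = (self.fiveg_security_algorithm, self.fiveg_access_type,
                          self.ng_security_capability, self.tunnel_id)
        return self.mapped or any(v is not None for v in fiveg_elements)


@dataclass
class Mme:
    name: str
    contexts: Dict[str, SecurityContext] = field(default_factory=dict)
    # First indication information received earlier from the AMF, keyed by UE id (claims 6, 7).
    amf_indications: Dict[str, dict] = field(default_factory=dict)
    # MME that should serve the UE after a location change, keyed by UE id (claims 3, 4).
    target_mme: Dict[str, str] = field(default_factory=dict)
    auth_runs: int = 0

    def authenticate(self, ue_id: str) -> SecurityContext:
        # Stand-in for the EPS authentication run; on success the context becomes native.
        self.auth_runs += 1
        self.contexts[ue_id] = SecurityContext(ContextType.NATIVE, self.name)
        return self.contexts[ue_id]

    def handle_tau(self, req: TauRequest) -> SecurityContext:
        """Claims 1 to 7: decide whether the mapped context must be replaced by a native one."""
        ue_id = req.ue_id
        if ue_id in self.amf_indications:                           # claims 6 and 7
            return self.authenticate(ue_id)
        if (req.switched_from_5g or req.fiveg_mm_registered
                or req.fiveg_security_capable or req.n1_capable):    # claim 5
            return self.authenticate(ue_id)
        if self.target_mme.get(ue_id, self.name) != self.name:      # claims 3 and 4
            return self.authenticate(ue_id)
        return self.contexts[ue_id]  # assumption: nothing signalled, keep the current context

    def build_second_indication(self, ue_id: str, force_auth: bool = False) -> SecondIndication:
        """Claims 9 and 10: what the first MME tells the second MME during inter-MME mobility."""
        if force_auth:
            return SecondIndication(authenticate=True)
        if self.contexts[ue_id].kind is ContextType.MAPPED:
            # Constructed values; a real MME would carry the UE's actual 5G parameters.
            return SecondIndication(fiveg_security_algorithm="NEA2/NIA2",
                                    fiveg_access_type="NR", tunnel_id="tun-1")
        return SecondIndication()

    def receive_second_indication(self, ue_id: str, ind: SecondIndication,
                                  received: SecurityContext) -> SecurityContext:
        """Claims 12 to 15: the second MME decides which context it will use with the UE."""
        if ind.authenticate:                                         # claim 15
            return self.authenticate(ue_id)
        if ind.indicates_mapped():                                   # claims 13 and 14
            self.contexts[ue_id] = SecurityContext(ContextType.MAPPED, received.origin)
        else:
            self.contexts[ue_id] = received
        return self.contexts[ue_id]


def run_scenario():
    """Constructed walk-through: two UEs handed over from 5G, one later moved between MMEs."""
    mme1, mme2 = Mme("MME-1"), Mme("MME-2")
    for ue in ("ue-a", "ue-b"):
        mme1.contexts[ue] = SecurityContext(ContextType.MAPPED, "AMF-1")
    native = mme1.handle_tau(TauRequest("ue-a", switched_from_5g=True))   # claim 5 path
    kept = mme1.handle_tau(TauRequest("ue-b"))                            # nothing signalled
    ind = mme1.build_second_indication("ue-b")                            # claims 9 and 10
    at_mme2 = mme2.receive_second_indication("ue-b", ind, mme1.contexts["ue-b"])
    forced_ind = mme1.build_second_indication("ue-b", force_auth=True)
    forced = mme2.receive_second_indication("ue-b", forced_ind, mme1.contexts["ue-b"])
    return native, kept, at_mme2, forced
```

Calling `run_scenario()` returns the four resulting contexts: native at MME-1 for the UE that reported a 5G origin, mapped for the UE that reported nothing, mapped again at MME-2 once the 5G parameters travel in the second indication, and native at MME-2 when the indication instructs authentication.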
PCT/CN2020/123784 2020-10-26 2020-10-26 Information transmission method and apparatus WO2022087797A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/123784 WO2022087797A1 (en) 2020-10-26 2020-10-26 Information transmission method and apparatus
CN202080105755.1A CN116250263A (en) 2020-10-26 2020-10-26 Information transmission method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/123784 WO2022087797A1 (en) 2020-10-26 2020-10-26 Information transmission method and apparatus

Publications (1)

Publication Number Publication Date
WO2022087797A1 true WO2022087797A1 (en) 2022-05-05

Family

ID=81381603

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/123784 WO2022087797A1 (en) 2020-10-26 2020-10-26 Information transmission method and apparatus

Country Status (2)

Country Link
CN (1) CN116250263A (en)
WO (1) WO2022087797A1 (en)

Also Published As

Publication number Publication date
CN116250263A (en) 2023-06-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20958962; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20958962; Country of ref document: EP; Kind code of ref document: A1)